2014 was again fraught with news stories of information being lost and the associated security risks that may arise from the loss. While public concern continues to rise about the security and privacy of electronic information from potential cyberattacks, key information challenges for 2015 should not be restricted to cybersecurity. The need to address information complacency is a key information management challenge for 2015.
Data Breaches in 2014
In November 2014 it was reported that “a fifth of data security breaches across the NHS are down to paper records being lost or stolen” and “digital errors can be tracked far more rigidly, than paper ones — a suggestion that there may be far more errors we, and the NHS, do not know about” (http://www.wired.co.uk/news/archive/2014-11/25/nhs-patient-security-breaches). Table 1 provides examples of data breaches that occurred through non-electronic means.
Information Lost By | Example |
Physical computers being stolen | http://www.crn.com/slide-shows/security/300075201/top-10-data-breaches-of-2014-that-got-lost-in-the-noise.htm/pgno/0/4 |
Memory stick being lost | http://www.bbc.co.uk/news/uk-england-tyne-26040450 http://www.bankinfosecurity.com/did-regulator-cause-data-breach-a-7685/op-1 |
Email attachment sent to wrong person | http://www.paloaltoonline.com/news/2014/06/12/member-information-accidentally-released-at-stanford-credit-union |
Paper records not securely destroyed | http://www.ydr.com/local/ci_25980746/private-medical-records-found-at-public-dumpster-manchester |
Table 1: Examples of Non-Electronic Data Breaches 2014
The examples of information security breaches in Table 1 demonstrate that information security risks are not limited to the realm of cybersecurity. This is further supported by data published by the UK’s Information Commissioner’s Office (ICO), shown in Table 2. Of the 428 data breaches reported to the ICO in the second quarter of 2014, only 5.6% were the result of computer hacking; the majority of incidents were caused by a general lack of care in how information is handled.
Type of Incident | Percentage |
Data posted/faxed to incorrect recipient | 17 |
Loss/theft of paperwork | 14 |
Data sent by email to incorrect recipient | 12 |
Principle 1 – Principle 6 or Principle 8 failure | 8.6 |
Loss/theft of unencrypted device | 5.8 |
Insecure web-page (including hacking) | 5.6 |
Insecure disposal of paperwork | 5.6 |
Failure to redact data | 4.7 |
Verbal disclosure | 1.6 |
Information uploaded to web-page | 1 |
Insecure disposal of hardware | 0.5 |
Other principle 7 failure | 22 |
Table 2: UK Data Breaches (source: ico.org.uk)
Information Complacency Threatens Information Security
The data suggest complacency in the handling of information. As attention is continually directed to the threat of attacks on electronic data through, for example, phishing, spoofing and hacking, information is being lost through non-electronic means. Carelessness, thoughtlessness and lack of attention to the information being handled remain a major threat to information security in organizations.
Causes of Information Complacency
Information complacency may be caused by information technology creating a distance between the person handling the data and the individual to whom the data relate. This lack of relationship can perhaps devalue the data to mere numbers and letters being handled, neglecting the value of the information that the data represent. We can create, change and circulate text in seconds using information technology, and this speed of creation has perhaps devalued information and perhaps does not give us time to stop and think about our actions.
How to Address Information Complacency
Addressing information complacency is a key information management challenge for 2015 that requires organizations to:
- Review information management policies.
- Ensure information management policies are actioned and not merely documented.
- Ensure all staff are trained in information management.
- Define security procedures for the creation, circulation and destruction of non-electronic information.
- Develop a culture of individual information responsibility.
Everyone in the organization needs to understand their responsibilities towards information, to eradicate information complacency and improve information security.
Further Reading:
Information security is discussed in Chapter 5, providing guidance on how to address information complacency. Information responsibility is discussed in Chapter 16.
Please use the following to reference this blog post in your own work:
Cox, S. A., (2015), ‘Information Complacency is a Key Information Management Challenge for 2015’, 23 January 2015, http://www.managinginformation.org/information-compacency-is-a-key-information-management-challenge-for-2015/, [Date accessed: dd:mm:yy]