When I first read about several recent data loss incidents in Hong Kong, the feeling was one of shock and disbelief. It was not so much the incidents themselves that shocked me, but the fact that they happened within such a short time period within the same organisation.
In April 2007, a USB flash drive was lost at Hong Kong's Pamela Youde Nethersole Eastern Hospital (PYNEH), affecting 43 patients. A digital camera was lost at the same hospital three months later, affecting three patients.
The same hospital was in the news again in November 2007, when a USB flash drive containing some 700 patients' data was lost. Another USB flash drive incident occurred there in March 2008, with 150 patients' data lost.
PYNEH was not the only local hospital to be hit by such security incidents. USB flash drives were also lost at United Christian Hospital and Prince of Wales Hospital in October 2007 and May 2008 respectively.
Immigration department incidents
Earlier this year, a newly-hired employee at Hong Kong's immigration department reportedly took confidential information home to work on it and copied it onto his computer. When he connected to the internet, the files could be downloaded by other users through a file-sharing programme called Foxy.
According to news reports, the files included department watch lists, individuals' names and travel records.
Within the same year, news reports indicated a second similar incident. This time, 11 Word documents with private information believed to be from the immigration department were found available for download on Foxy. The files included documentation about immigration offence cases.
Both incidents reflect the fact that even government departments are not immune to security threats. Even with significant efforts to prevent breaches, human negligence remains a major risk factor for organisations.
Weak security link
Such incidents also reflect the inadequacy of technology alone to ensure information security. If employees could conveniently save confidential information onto mobile devices and bring them home, what happens when these devices fall into the wrong hands?
Unless the data is encrypted and security policies are strictly enforced throughout the organisation, such security incidents are bound to repeat themselves frequently. Even with established encryption policies within the company, partnering organisations may choose to ignore these, leaving shared in-transit data vulnerable to hackers.
Another issue is the extent to which the organisation is willing to enforce security policies given limited budgets for IT investments. The issue is not about eradicating security threats completely, which most companies have come to acknowledge as an impossible task. Rather, the approach is to determine the tolerated risk level and manage it, depending on the operating environment of the business.