News recently broke of an extraordinary breach of national security following the discovery of highly sensitive cabinet documents in two old filing cabinets bought at a second-hand shop in Canberra.
These documents contained classified and top secret information covering details of five federal government cabinet meetings over a decade.
While the Prime Minister’s Department has secured the return of the documents, the federal police have launched an investigation into the matter. It’s clear the event was the result of human error, with Malcolm Turnbull telling ABC News the security breach was “a shocking failure”. The head of the Department of the Prime Minister and Cabinet, Martin Parkinson, has stated it was his agency that lost the files.
Many studies show this ‘human factor’ in data breaches is not a new phenomenon. However, mitigating the risk of the ‘human factor’ is sometimes more of a challenge than installing a software solution to monitor the network for intrusion by hackers.
This incident serves as a reminder for leaders in government agencies and the private sector of the importance of an Information and Records Management Policy.
The Information and Records Management Policy can be managed by a range of areas including ICT, Knowledge Management or Communications. However, documentation remains the backbone of any robust ICT security strategy. Your policies and procedures underpin all other actions. Embedding policies and procedures in your organisation’s ethos as part of a security strategy is key to avoiding, or at least minimising, the risk of data breaches.
Senior leaders in every Australian business and government-funded body could ask 3 key questions:
- Does our organisation have a relevant and up to date Information and Records Management Policy?
- Are there relevant and up to date procedures underpinning this policy?
- Are the policy and related procedures embedded in our organisation’s culture?
Security policies and procedures designed to protect information and data should be embedded in culture in the same way as Occupational Health and Safety and other HR policies are now.
Engagement with ICT by senior leaders to provide organisation-wide support is the best way to implement a solid ICT security strategy. When you have the documentation firmly in place, you’re able to follow with awareness and training activities. Employees, contractors, and vendors play an essential role in managing risk.
The information and cyber security landscape is constantly evolving. And while we continue to combat security threats with better technologies and software, you can still be sure of one thing: human error. Senior business leaders need to ask themselves what they’re doing to tackle this.
If security of your information and records is a concern, we can assist. We have considerable expertise in the development of policies and procedures and offer workplace awareness programs.