The missing USB data stick fiasco at Elections Ontario
has more than a few IT experts scratching their heads.
If an interim forensic investigation report is accurate, the department had more than adequate security policies but staff were seemingly hard of hearing.
So how does an organization get its message through?
Henry Kim, associate professor of decision technologies (which includes IT and business intelligence) at York University’s Schulich School of Business speculates there was a “perfect storm” of errors that added up.
Kim believes it's likely the unencrypted USB sticks were accidentally thrown out rather than stolen, he said in an interview Wednesday.
If not, he added, it looks like the bureaucrats didn't understand that they were handling sensitive data, or didn't know how to encrypt it.
The two USB drives, holding personal data on more than 2 million Ontario voters, were supposed to be locked up each night in a temporary facility Elections Ontario had leased in Toronto, but one night they weren't.
“If I really thought it was life and death, I’d have it (the USB drives) around my neck,” Kim said.
Lack of training doesn't appear to have been the problem. According to an interim report from a forensic investigation company, staff at the temporary facility were told the USB drives had to be encrypted. However, the report said the encryption software on the drives was never used.
Staff also didn't regularly password-protect the files on the laptops they were using, as they had been instructed to do.
It raises the question of how to motivate staff to follow security orders.
An academic article last year in the journal Information and Management tackled the issue by asking whether employees comply with security policies out of fear of punishment, the explanation most academics favour, or out of an intrinsic desire to follow company rules rooted in a sense of duty or morality.
The article, by Jai-Yeol Son of the Yonsei University School of Business in South Korea, described a Web-based questionnaire put to 602 full time employees in the U.S. who knew of their organizations’ security policies.
Respondents were asked whether they agreed or disagreed with 22 statements such as “violating information systems security policies is seldom justified,” and “someone who violates the policies hurts the organization,” and whether they comply with anti-virus, email, network and other corporate policies.