The missing USB data stick fiasco at Elections Ontario has more than a few IT experts scratching their heads.
If an interim forensic investigation report is accurate, the department had more than adequate security policies but staff were seemingly hard of hearing.
So how does an organization get its message through?
Henry Kim, associate professor of decision technologies (which includes IT and business intelligence) at York University’s Schulich School of Business speculates there was a “perfect storm” of errors that added up.
The two USB drives with personal data on more than 2 million Ontario voters was supposed to be locked up each night in a temporary facility Elections Ontario had leased in Toronto, but one night they weren’t.
“If I really thought it was life and death, I’d have it (the USB drives) around my neck,” Kim said.
It’s not thought that education was a problem. According to an interim report from a forensic investigation company, staff at the temporary facility were told the USB drives had to be encrypted. However, the report said the encryption software on the drives wasn’t touched.
Also, staff didn’t regularly password protect the files on the laptops they were using as ordered.
It raises the question of how to motivate staff to follow security orders.
An academic article last year in the journal Information and Management tackled the issue by wondering if employees comply with security policies out of fear of punishment – which most academics believe — or the inborn desire to follow company rules out of a sense of duty or morality.
The article, by Jai-Yeol Son of the Yonsei University School of Business in South Korea, described a Web-based questionnaire put to 602 full time employees in the U.S. who knew of their organizations’ security policies.
Respondents were asked whether they agreed or disagreed with 22 statements such as “violating information systems security policies is seldom justified,” and “someone who violates the policies hurts the organization,” and whether they comply with anti-virus, email, network and other corporate policies.
The idea was to find out whether fear of consequences (or getting a reward for being good) or respect motivates them.
The results suggest that – at least of the people surveyed – employees are more likely want to follow security rules, as opposed to being afraid of being caught and punished.
That suggests that announcing increased penalties for breaking a security policy may not always be the best way to alert staff to stick to the rules.
Meanwhile, the forensic investigation firm that looked into the Elections Ontario data stick loss has recommended management conduct a thorough risk assessment and security review “to enhance the profile of security within the organization.
That review should include enhanced training programs to reinforce the importance of securing data and the steps to be taken of a loss of private information is suspected.
Elections Ontario’s technical services staff should also be trained on how to keep electronic data safe, the report adds.
The department – which reports to the speaker of the legislature — should also look at whether it needs to appoint a security officer.
Finally, the report says there should be periodic audits in the department by an outside expert to ensure security measures are being followed and are up to date.