Cyber security strategies are, of course, focused on digital information. However, the recent discovery of confidential government papers in filing cabinets bought second-hand emphasises the need for a holistic approach to information security.
Reams of confidential cabinet papers were recently discovered by an unwitting buyer of two locked filing cabinets purchased at a second-hand shop stocking ex-government furniture. It is not clear how the documents came to be in the possession of the ABC, but the broadcaster was publishing details of the material for days before the government realised what had happened.
In an attempt to secure the proverbial horse after it has bolted, ASIO officers delivered safes to the Canberra and Brisbane offices of the ABC on Thursday morning. Apparently the safes are intended to secure the confidential cabinet papers while the government and the national broadcaster have a debate about use of the information, and potentially even democracy itself.
Who will have access to the safes sitting in the ABC offices? Who knows. The point is that the Australian Federal Government, which in 2016 committed to invest $230 million to enhance Australia’s cyber security capability, now has egg on its face because, presumably, a public servant overseeing an office cleanup has unwittingly sold state secrets to a local second-hand furniture dealer. In a strong culture of information security, reinforced by training, the likelihood of this happening would be much lower.
Information security, like any security, is all about the weakest link. It is hard to think of a more fitting example than this week’s events.
The lesson is clear: every organisation needs to take a holistic approach to information security. Mandatory data breach reporting will come into effect on 22 February 2018. You may have invested considerably in IT system security. But have you considered the physical security of your business? How easily can people access your premises? Where are hard copy documents stored? How are they disposed of? Can employees take them home? Is someone snapping photos over your shoulder on a plane while you read?
Any investment in cyber security may be wasted if physical information security is not held to the same standard by your officers, employees and contractors. Clean Up Australia estimated in 2014 that every Australian office worker uses approximately 10,000 sheets of A4 paper per year. Where does it all go?