The BBC is reporting that the Northern Ireland Executive are shopping for new computers:
Thousands of ‘ultra-secure’ computers costing £6m are to be bought by the NI executive following a series of embarrassing losses of personal data. About 4,000 high-security laptops and 10,000 new desktop computers are being bought. The BBC has also learned the Civil Service is to launch a secure system which may do away with sending people’s details through the post. Discs containing the details of 6,000 NI drivers went missing in December.
The NI executive has apparently failed to realise that they can’t just buy security – it’s a process, not a product. Despite the contrary pleadings of the industry, you can’t just sprinkle security products on your business (or government) like magic fairy dust and expect it to work – a holistic approach is required. How much are they planning to spend on threat analysis, risk assessment, data classification and protective marking, policy, processes and operating procedures, user training, admin training, testing, audits, etc.? The report doesn’t say.
“We are not being complacent – the genie is out of the bottle and we have to be seen to be doing something”
Translation: “We have been complacent and we’re spending £6m to buy a better reputation for security than we probably deserve”.
Wouldn’t it be better if public bodies proactively secured our data as a matter of course, rather than papering over systemic failures only when forced to “do something” by embarrassing headlines?
I predict another BBC article two years from now saying that the NI executive has lost another large batch of citizens’ private information despite having spent £6m on ‘ultra secure’ hardware.
Hat tip: Glyn