Was the Elections Ontario data loss a ‘perfect storm’?

The missing USB data stick fiasco at Elections Ontario has more than a few IT experts scratching their heads.

If an interim forensic investigation report is accurate, the department had more than adequate security policies but staff were seemingly hard of hearing.

So how does an organization get its message through?

Henry Kim, associate professor of decision technologies (which includes IT and business intelligence) at York University’s Schulich School of Business, speculates there was a “perfect storm” of errors that added up.

Kim believes it’s likely the unencrypted USB sticks were merely accidentally thrown out rather than stolen, he said in an interview Wednesday.
 
If not, he added, it looks like the bureaucrats didn’t understand that they were handling sensitive data, or how to encrypt data.

The two USB drives with personal data on more than 2 million Ontario voters were supposed to be locked up each night in a temporary facility Elections Ontario had leased in Toronto, but one night they weren’t.

“If I really thought it was life and death, I’d have it (the USB drives) around my neck,” Kim said.

It’s not thought that education was a problem. According to an interim report from a forensic investigation company, staff at the temporary facility were told the USB drives had to be encrypted. However, the report said the encryption software on the drives wasn’t touched.

Also, staff didn’t regularly password-protect the files on the laptops they were using, as ordered.

It raises the question of how to motivate staff to follow security orders.

An academic article last year in the journal Information and Management tackled the issue by asking whether employees comply with security policies out of fear of punishment – which most academics believe – or out of an inborn desire to follow company rules from a sense of duty or morality.

The article, by Jai-Yeol Son of the Yonsei University School of Business in South Korea, described a Web-based questionnaire put to 602 full-time employees in the U.S. who knew of their organizations’ security policies.

Respondents were asked whether they agreed or disagreed with 22 statements such as “violating information systems security policies is seldom justified,” and “someone who violates the policies hurts the organization,” and whether they comply with anti-virus, email, network and other corporate policies.

The idea was to find out whether fear of consequences (or getting a reward for being good) or respect motivates them.

The results suggest that – at least among the people surveyed – employees are more likely to want to follow security rules, as opposed to being afraid of being caught and punished.

That suggests that announcing increased penalties for breaking a security policy may not always be the best way to alert staff to stick to the rules.

Meanwhile, the forensic investigation firm that looked into the Elections Ontario data stick loss has recommended management conduct a thorough risk assessment and security review “to enhance the profile of security within the organization.”

That review should include enhanced training programs to reinforce the importance of securing data and the steps to be taken if a loss of private information is suspected.

Elections Ontario’s technical services staff should also be trained on how to keep electronic data safe, the report adds.

The department – which reports to the speaker of the legislature – should also look at whether it needs to appoint a security officer.

Finally, the report says there should be periodic audits in the department by an outside expert to ensure security measures are being followed and are up to date.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
