Information World Review (IWR) Blog
A blog from www.iwr.co.uk


Information assurance again

By Phil Muncaster

Information security has been all over the news ever since the HMRC scandal broke. It has forced public and private sector CIOs or their equivalents to re-examine their strategies for securing their data assets. One of the common accusations levelled especially at public sector organisations in the wake of HMRC and the subsequent data loss incidents at the Ministries of Defence, Justice, Transport and the rest is that there is a culture of indifference to the value of data.

There's no doubt this argument has some merit. If these institutions are run from the top down by managers who pay only lip service to the numerous policies, procedures, technologies and balances that have been installed to prevent data loss, then those incidents will probably keep occurring. Cultural change of course is most difficult to effect, and will be a slow and laborious process, prompting some security experts to predict more data breaches ahead for the government in the meantime. But maybe the cultural malaise argument is a little simplistic.

People argue that you can have all the technological measures in the world in place to prevent breaches but they won't be successful unless the people and process issues support them. Now this is true, but it could be argued that the IT system is actually more important than this. It's certainly the view of Nigel Jones, director of government-backed body the Cyber Security Knowledge Transfer Network, that training and education of end users is not going to solve the problem on its own.

It all comes down to system design. Systems need to be architected in such a way as to have security requirements written in from the start, and they need to be designed with the end user in mind at all times, he told me. The Cyber Security KTN has actually done some important work in this area in the form of its special interest groups (SIGs). Its privacy engineering SIG produced guidelines for firms on how to design privacy into all stages of a project, how to dispose of data safely and other issues. The secure software development SIG, meanwhile, looked to make available best practices in designing security into software products from the ground up.

There's no easy solution to the problem of data security. But going back to the basic system design and looking more closely at the technology that underpins it may help us get there a little quicker.

© Incisive Media Ltd. 2008