Editor's Blog and Industry Comments

Stolen MoD laptop contained unencrypted data on hundreds of thousands.

22 January, 2008
The British Ministry of Defence is licking its wounds after the Government launched an enquiry into how the most secure organisation in the United Kingdom can lose unencrypted data on civilians stored on a laptop stolen from an unattended vehicle.
Since the theft, a Government ruling has been released throughout the civil service which states that no unencrypted laptops containing personal data should be taken outside secured offices. The ruling's author should have thought about this more carefully: if this data isn't needed outside secured offices, why store it on the laptop at all? It should be left on the server, encrypted. This is a typical case of poor endpoint security, something which can be solved easily and relatively inexpensively using commercially available software from dozens of companies. The technology is available, but our highest-security Government organisation chooses not to use it, preferring instead to distribute half-cocked e-mails that send out the wrong message.

Securing data this sensitive requires a solid, systematic approach that is foolproof. Given the high levels of publicity of the recent data breaches concerning HMRC, the DVLC and two previous MoD laptop thefts, the Naval Officer who had his laptop stolen two weeks ago clearly either had his head in the sand or was negligent in the extreme, but the focus of attention shouldn't be placed on his head. The system he was operating in allowed him to place unencrypted, sensitive data on his laptop, and therein lies the problem. In light of this knowledge, any further breaches that come to light involving public-body originated data should fall squarely on the shoulders of the department involved and not the individual responsible for the loss.

Reaction to this loss has been strong and varied. The Government's opposition are once again using it as a means of discrediting the proposed National ID card system. Our opposition-based parliamentary system has been in place for over a thousand years, and long may it remain as the seat of constitutional and accountable government, but it has its faults, one of which is the capability it offers to members of parliament to twist truths and offer them as facts in attempts to gain advantage. The good thing about biometric data is that it is completely useless to thieves and therefore immune to the effects of identity theft. The idea of "having your life on a chip" is misguided, reactionary rubbish. On the contrary, the chip protects your identity, because the mathematically encoded identity data held there represent selected parameters which can only be used for comparison with similar parameters generated by algorithms which measure pre-defined aspects of facial, fingerprint or iris features. You can't use it to generate an identity.


In other reactions to the MoD laptop theft news, Tom de Jong of Safeboot calls for the establishment of a data security culture among public sector employees in light of the fact that a staggering 347 laptop thefts have occurred in the last three years relating to MoD employees.

Jamie Cowper of PGP reflects this reaction by stating that, although it is clear that encryption technology and strategies need to be implemented in the public sector, this will take time and money. To prevent further losses in the interim, there needs to be proactive employee involvement which recognises the seriousness of such breaches and prevents further occurrences.

The public sector is a large employer in the UK, and Alan Bentley of Lumension Security recognises this when he states that education is the key rather than policy implementation, because without employee awareness, policies will continue to fail.

William Pound of Absolute Software offers a three-tier approach to loss prevention: education, to make sure that employees don't make seemingly obvious errors of judgement such as leaving a laptop in a vulnerable vehicle; prevention, such as encryption and DLP; and detection, such as laptop tracking to enable the recovery of stolen assets.