The theft of a laptop computer from the home of a
Nationwide employee has raised questions about how much data staff
need to carry on mobile devices and what IT directors can do to
protect sensitive information.
The theft, which occurred over the summer, only came to light
this month. A spokesman for the building society said customer data
on the password-protected laptop was used for market research.
Phil Cracknell, UK president of the Information Systems Security
Association, said that even with a password-protected laptop, it
was still possible to remove a drive and install it on another
machine to get at the data. The best way to secure data on a laptop
is to deploy hard drive encryption, he said.
Another option is for IT security chiefs to determine what data
end-users need to carry with them.
David Lacey, a founding member of IT security user group the
Jericho Forum, said, "There is a trend today for criminals to
infiltrate organisations or to work with people on the inside. This
is a growing problem because all this data is easy to make money out
of."
For certain tasks there should be no need for an end-user to
carry customer data on a laptop.
Lacey, former chief information security officer at Royal Mail,
said, "If you are doing market research, one would have thought
that you do not need to know names and addresses."
To perform tasks such as trend and market analysis it is often
not necessary to identify individual customers. "If you deal with
sensitive personal data, it can be made anonymous by separating the
names from the personal information so you cannot identify any
individual," Lacey said.
Such a technique is not new to IT departments.
Graham Titterington, principal analyst at Ovum, said, "The
'anonymisation' or 'randomisation' of data has been used in
software testing for years."
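The separation of names from personal information described above can be sketched as follows. This is an added example, not code from the article or from any organisation it names; the field names, the constructed sample records and the use of an HMAC-SHA256 token are assumptions. It goes one step beyond the text by coarsening postcode and age and reporting the smallest group size, because those fields can still single out an individual once the names are gone.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records; every field name here is an assumption.
CUSTOMERS = [
    {"name": "Alice Example", "address": "1 Sample Road", "postcode": "SN1 1AA", "age": 34, "product": "mortgage", "balance": 182000},
    {"name": "Bob Example", "address": "2 Sample Road", "postcode": "SN1 2BB", "age": 37, "product": "savings", "balance": 5400},
    {"name": "Carol Example", "address": "3 Sample Road", "postcode": "SN2 3CC", "age": 52, "product": "savings", "balance": 12000},
    {"name": "Dan Example", "address": "4 Sample Road", "postcode": "SN2 4DD", "age": 58, "product": "mortgage", "balance": 96000},
]
DIRECT_IDENTIFIERS = ("name", "address")

def pseudonym(key: bytes, record: dict) -> str:
    """Keyed token: stable across extracts, not recomputable without the key."""
    material = "|".join(str(record[f]).strip().lower() for f in DIRECT_IDENTIFIERS)
    return hmac.new(key, material.encode(), hashlib.sha256).hexdigest()[:16]

def split_records(records, key):
    """Return (identity_vault, research_rows); only research_rows go on the laptop."""
    vault, research = {}, []
    for r in records:
        token = pseudonym(key, r)
        vault[token] = {f: r[f] for f in DIRECT_IDENTIFIERS}  # stays in the data centre
        decade = r["age"] // 10 * 10
        research.append({
            "token": token,
            "postcode_area": r["postcode"].split()[0],  # outward code only
            "age_band": f"{decade}-{decade + 9}",
            "product": r["product"],
            "balance": r["balance"],
        })
    return vault, research

def smallest_group(research, quasi=("postcode_area", "age_band")):
    """Size of the rarest quasi-identifier combination; 1 means someone stands out."""
    counts = Counter(tuple(row[q] for q in quasi) for row in research)
    return min(counts.values())

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept with the vault, never with the extract
    vault, research = split_records(CUSTOMERS, key)
    for row in research:
        print(row)
    print("smallest group:", smallest_group(research))
```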
Beyond making the information anonymous, he suggested that one
way that an organisation could protect its data against theft would
be to use digital rights management - the technique the recording
industry has adopted to prevent MP3 and CD-based music from being
pirated.