Yet another laptop theft story in the newspapers. This time a case of three stolen laptops containing payroll and pension details of more than 15,000 Met Police officers. Following on from the recent Nationwide incident it’s clear that the UK Media have this theme firmly in their sights. It’s nothing new of course. Thousands of laptops are lost or stolen in the UK every day. But the problem is growing with increasing numbers of laptops with larger amounts of data being carried to and from work and between meetings. And there is now a higher probability that sensitive data might be compromised with the growing interest of organised crime in new sources of information to support identity theft.
Sensitive personal and business data should always be encrypted – both in transmission and storage. There is no excuse for not doing this today. The technology is available and affordable. But you can’t change the habits of an organisation overnight. Lots of HR, Marketing and Finance personnel have been downloading sensitive personal data into unprotected spreadsheets on their PCs for many years. It’s a legacy from a less dangerous age, when we all operated in secure office environments and criminals were less inclined to steal PCs for the data they contained. But the business environment and the security threat have changed substantially, so we should aim to close down these vulnerabilities as quickly as possible.
So what should CISOs be doing to mitigate the risks? Here are some suggestions.
Firstly, introduce encryption facilities for all users handling sensitive personal data. But make sure it is underpinned by professional key management; otherwise you may be introducing a denial-of-service problem, because keys will get lost or corrupted from time to time.
Secondly, introduce a risk assessment process into the reporting process for laptop losses and thefts. In the absence of any security advice, most IT helpdesks will simply replace the lost laptop with a new one. You need to establish if there was any sensitive data on the laptop or any suspicious circumstances surrounding the loss, and, if so, to conduct a damage assessment as quickly as possible.
Thirdly, monitor and analyse where and how laptops are being lost or stolen. Then intervene with appropriate policies, controls and education. It’s amazing the difference this can make. You might find that there is a spate of thefts associated with a particular building, or a make of company car, or a hotel frequented by staff. With targeted warnings and controls you can prevent many future losses. During my time in Royal Mail Group we drove down laptop losses dramatically, almost eliminating the problem for months at a time.
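The second and third suggestions above (triage each loss report before the helpdesk simply replaces the machine, and look for clusters in where losses occur) can be made routine with a small amount of tooling. The following is an added example, not the author's or Royal Mail Group's own process: it assumes a hypothetical `LossReport` record with three yes/no fields captured at reporting time, applies a simple triage rule, and counts reports per location so that a spate at one building or hotel stands out. The reports below are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class LossReport:
    """One laptop loss/theft report as captured by the helpdesk (hypothetical schema)."""
    report_id: str
    location: str         # where it went missing: building, hotel, vehicle, train...
    encrypted: bool       # was full-disk encryption enforced on the device?
    sensitive_data: bool  # did the user or asset record indicate sensitive personal data?
    suspicious: bool      # do the circumstances suggest a targeted theft rather than a loss?


def triage(report: LossReport) -> str:
    """Decide what must happen before a replacement is issued.

    Unencrypted sensitive data is the urgent case: start a damage assessment now.
    Suspicious circumstances without sensitive data still merit a security review.
    Everything else can go straight to the normal replacement process.
    """
    if report.sensitive_data and not report.encrypted:
        return "damage-assessment"
    if report.suspicious:
        return "security-review"
    return "replace"


def find_hotspots(reports: list[LossReport], threshold: int = 3) -> dict[str, int]:
    """Return locations with at least `threshold` reports, i.e. candidates for
    targeted warnings or controls."""
    counts = Counter(r.location for r in reports)
    return {loc: n for loc, n in counts.items() if n >= threshold}


def triage_all(reports: list[LossReport]) -> dict[str, str]:
    """Map every report id to its triage outcome."""
    return {r.report_id: triage(r) for r in reports}


# Constructed sample reports (not real incidents).
SAMPLE_REPORTS = [
    LossReport("R-001", "Hotel Alpha", encrypted=False, sensitive_data=True, suspicious=True),
    LossReport("R-002", "Hotel Alpha", encrypted=True, sensitive_data=True, suspicious=False),
    LossReport("R-003", "Hotel Alpha", encrypted=True, sensitive_data=False, suspicious=True),
    LossReport("R-004", "HQ building", encrypted=True, sensitive_data=False, suspicious=False),
    LossReport("R-005", "Train", encrypted=False, sensitive_data=False, suspicious=False),
]

if __name__ == "__main__":
    for rid, outcome in triage_all(SAMPLE_REPORTS).items():
        print(f"{rid}: {outcome}")
    print("hotspots:", find_hotspots(SAMPLE_REPORTS))
```

Note that an encrypted laptop with sensitive data (R-002) is routed to plain replacement, which is the whole point of the first suggestion: encryption with working key management turns a data-loss incident into a hardware-loss incident. The threshold of three is arbitrary and would be tuned to the size of the estate.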
Finally, take special action to remind staff to look after their laptops during the run-up to the Christmas period, when many staff are distracted and may well leave their laptops unattended in pubs, trains or offices.
Good laptop security is not difficult; it’s just a matter of simple common sense and prudent countermeasures.