Nationwide laptop theft offers data safety lessons
The theft of a laptop computer from the home of a Nationwide employee has raised questions about how much data staff need to carry on mobile devices and what IT directors can do to protect sensitive information.
The theft, which occurred over the summer, only came to light this month. A spokesman for the building society said customer data on the password-protected laptop was used for market research.
Phil Cracknell, UK president of the Information Systems Security Association, said that even with a password-protected laptop, it was still possible to remove a drive and install it on another machine to get at the data. The best way to secure data on a laptop is to deploy hard drive encryption, he said.
Another option is for IT security chiefs to determine what data end-users need to carry with them.
David Lacey, a founding member of IT security user group the Jericho Forum, said, "There is a trend today for criminals to infiltrate organisations or to work with people on the inside. This is a growing problem because all this data is easy to make money out of."
For certain tasks there should be no need for an end-user to carry customer data on a laptop.
Lacey, former chief information security officer at Royal Mail, said, "If you are doing market research, one would have thought that you do not need to know names and addresses."
To perform tasks such as trend and market analysis it is often not necessary to identify individual customers. "If you deal with sensitive personal data, it can be made anonymous by separating the names from the personal information so you cannot identify any individual," Lacey said.
Such a technique is not new to IT departments.
Graham Titterington, principal analyst at Ovum, said, "The 'anonymisation' or 'randomisation' of data has been used in software testing for years."
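The separation Lacey describes can be sketched as follows. This is an added example, not code from the article or from any organisation named in it: the field names, the sample records and the postcode coarsening are assumptions, and the keyed HMAC-SHA256 token is a technique chosen for this example.

```python
import hashlib
import hmac
import secrets

# Hypothetical field names: these identify a person directly and stay in the vault.
DIRECT_IDENTIFIERS = ("name", "address", "account_number")


def pseudonym(key: bytes, account_number: str) -> str:
    """Keyed token: stable per customer, not recomputable without the key."""
    return hmac.new(key, account_number.encode(), hashlib.sha256).hexdigest()[:16]


def split_for_research(records, key):
    """Return (vault, extract); only `extract` is meant to go onto a laptop."""
    vault, extract = {}, []
    for rec in records:
        token = pseudonym(key, rec["account_number"])
        # Names and addresses are kept server-side, indexed by the token.
        vault[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        # Everything else goes into the research row, minus the full postcode.
        row = {k: v for k, v in rec.items()
               if k not in DIRECT_IDENTIFIERS and k != "postcode"}
        row["customer_token"] = token
        # Assumption: keeping only the outward part of the postcode is enough
        # for regional trend analysis and no longer points at one household.
        row["postcode_area"] = rec["postcode"].split()[0]
        extract.append(row)
    return vault, extract


# Constructed sample records, not real customer data.
SAMPLE = [
    {"name": "A. Example", "address": "1 Sample Street", "postcode": "AB1 2CD",
     "account_number": "00000001", "product": "mortgage", "balance_band": "50-100k"},
    {"name": "B. Example", "address": "2 Sample Street", "postcode": "AB1 3EF",
     "account_number": "00000002", "product": "savings", "balance_band": "0-10k"},
]

if __name__ == "__main__":
    # The key is generated and held on the server, never copied to the laptop.
    vault, extract = split_for_research(SAMPLE, secrets.token_bytes(32))
    for row in extract:
        print(row)
```

Anyone holding the extract together with the key or the vault can re-link rows to individuals, so both stay on the server and only the extract travels.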
Beyond making the information anonymous, he suggested that one way that an organisation could protect its data against theft would be to use digital rights management - the technique the recording industry has adopted to prevent MP3 and CD-based music from being pirated.
David Lacey's security blog
www.computerweekly.com/blogs/david_lacey