Perhaps I am being a little naive, but I would have thought all MOD laptops would be deployed with hard disk encryption. Apparently not: the MOD laptop stolen last week from a parked car in Birmingham had no hard disk or file-level encryption, despite holding masses of private data. It held 600,000 records of military personnel, including passport numbers, national insurance numbers, driving licence details, family details, doctors' addresses and bank details, which is probably why we know about this breach at all; I'm sure the MOD would rather the incident had been kept out of the public eye.
Organisations which use thousands of laptops in the field should accept and understand that a certain percentage of them will be stolen. You can reduce the number stolen, and the risk, by educating users, but it is inevitable that some laptops will be stolen; it's the way of the world. This is nothing new either: laptop theft has been commonplace since their introduction 20 years ago. Most large organisations in the private sector understand this and the data breach risk that comes with it, and as a matter of course enforce encryption of all their laptop hard disks across the board. And the cost of the software to properly encrypt a laptop hard disk and secure the information held on it? Around £20 to £50 per laptop, roughly 5% of the cost of the laptop, so there really is no excuse for these types of breaches today.
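An "encrypt every laptop disk" policy is only worth anything if it can be checked on the machine. As an added example, not part of the original post, the script below parses the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints on a Linux laptop and lists every mounted filesystem (and active swap) whose device chain contains no dm-crypt layer. The sample output is constructed, not captured from a real machine, and treating `/boot` and the EFI partition as acceptable plaintext exceptions is an assumption of this example.

```python
"""Audit a Linux laptop for filesystems mounted from plaintext storage.

Added example, not from the original post. It parses the JSON that
`lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints and flags every mounted
filesystem (and swap) whose device chain has no dm-crypt ("crypt") layer.
/boot and the EFI partition are ignored by default (assumption: they are
left unencrypted so the machine can boot).
"""
import json
import subprocess

# Constructed sample (not captured from a real machine): LUKS-backed root,
# but a plaintext /data partition and plaintext swap on a second disk.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null,
   "children": [
     {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
     {"name": "nvme0n1p2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
     {"name": "nvme0n1p3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
      "children": [
        {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
      ]},
     {"name": "nvme0n1p4", "type": "part", "fstype": "ext4", "mountpoint": "/data"}
   ]},
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null,
   "children": [
     {"name": "sda1", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"}
   ]}
]}
"""

DEFAULT_IGNORE = ("/boot", "/boot/efi")


def _walk(dev, under_crypt=False):
    """Yield (device, encrypted) for dev and all of its descendants.

    A device counts as encrypted if it, or any ancestor, is a dm-crypt
    mapping (lsblk type "crypt"). A plain partition sitting beside a LUKS
    container on the same disk is still plaintext.
    """
    encrypted = under_crypt or dev.get("type") == "crypt"
    yield dev, encrypted
    for child in dev.get("children", []):
        yield from _walk(child, encrypted)


def _mountpoints(dev):
    """Return a device's mountpoints for both the old ("mountpoint") and the
    newer ("mountpoints" list) util-linux JSON layouts."""
    if dev.get("mountpoints"):
        return [mp for mp in dev["mountpoints"] if mp]
    return [dev["mountpoint"]] if dev.get("mountpoint") else []


def unencrypted_mounts(lsblk_json, ignore=DEFAULT_IGNORE):
    """Map each mountpoint served from plaintext storage to its device name.

    Swap ("[SWAP]") is reported too: an unencrypted swap partition can hold
    pages of whatever was in memory, so it leaks as readily as a data disk.
    """
    findings = {}
    for top in json.loads(lsblk_json)["blockdevices"]:
        for dev, encrypted in _walk(top):
            for mp in _mountpoints(dev):
                if mp not in ignore and not encrypted:
                    findings[mp] = dev["name"]
    return findings


def audit_live():
    """Run lsblk on this host and return its plaintext mounts."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    for mp, name in sorted(unencrypted_mounts(SAMPLE_LSBLK_JSON).items()):
        print(f"PLAINTEXT {mp} ({name})")
```

On the sample this reports `/data` and `[SWAP]` but not `/`, because the root filesystem is reached through the `cryptroot` dm-crypt mapping. Run `audit_live()` on a real host to check it; a fleet-wide version would ship the result to whatever inventory system the organisation already uses.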
The other question I have with this particular breach is why so much sensitive data was held on a laptop in the first place. It's probably laziness or incompetence, but nevertheless no one should, or needs to, be walking around with that amount of information on a laptop, hard disk encrypted or not.
On the back of the MOD breach story, I noticed yet another government agency, the Department for Work and Pensions (DWP), disclosed a data breach: hundreds of documents containing sensitive personal data of citizens were found on a public roundabout in Devon. It appears this is not the first time this has happened, either. And on the same day, Stockport Primary Care Trust announced that it had lost 4,000 patient records.
It appears to be a growing trend to announce data breaches on the back of bigger breaches. I'm sure there are press officers sitting there reading the news reports: "Oh, there goes a seriously big breach, quickly release ours, they won't notice"…
5 comments:
any word on what HD encryption is approved for use for all those govt agencies? or are they still stuck trying to decide on which solution to pick?
Whilst I agree with the sentiment, the reality of encrypting laptops in a very large organisation such as the MoD to the appropriate standard is somewhat more involved than applying a £20-50 piece of software.
In MoD this would require a CAPS approved product, which somewhat limits the choice. Key material would then need managing according to the correct standards, which is not an easy or cheap process in a distributed environment, particularly in the typical "road-warrior" scenario that many laptops and PDAs are used in.
The actual cost of supporting a large environment of encrypted laptops is many, many times more expensive than you imply.
As in all security matters, the correct approach is to manage risk appropriately. If the risk justifies the investment and additional effort then it's worth doing, but only where there is a significant risk determined by business need.
Encrypting all laptops in an estate without exception totally ignores this principle and should be seen as little more than an ill-considered knee-jerk. IMHO, something we, in the security community should be arguing against, not for.
£20-£50? free:
http://www.truecrypt.org/
Hey man this is really a nice post i like it very much....
Excellent post, thanks mate!!