Nine laptops were stolen at the Middlesbrough Council’s Children, Families, and Learning Department.  The computers were being used by social workers and psychologists.  It could potentially affect a total of 256 children, and the information goes as far back as 18 months.

Was there any security in place for the laptops?  The answer is yes, and plenty of it.  To begin with, the laptops were secured in a locked drawer, in a locked room, in a locked building.  From a physical standpoint, there is not much else that they could have done unless we’re talking about a bank or a military fort —although I would’ve suggested that the building’s windows be secured as well.  The thieves were able to get to equipment by smashing a window.

As an added security precaution, the council confirmed that “all the laptops were password protected with some encryption.”  Password protection is almost useless, as mentioned often times in past posts of this blog.  Encryption on individual files, as opposed to protecting the entire hard disk, is not problematic, generally speaking.  After all, it makes sense to secure only those documents that are deemed important; however, the average computer user must understand that using a particular software application, such as Microsoft Word, generates temporary files that may include sensitive data (it would depend on what type of information was being typed, obviously).  Depending on the situation, the temporary file may not be deleted.  Naturally, a security‑conscious person would encrypt the file one was working on; however, who would think of encrypting a temporary file?  One wouldn’t even begin to think of looking for such a thing, much less protecting it.

By the way, the term “temporary file” refers to any extra files that are created automatically by the application that you’re using in addition to the file you are using.  These temporary files sometimes act as backups that are created on the fly: Let’s say you’re one of those people who don’t regularly save your work.  In the event that your computer crashes, the software is able to pull up the latest temporary file that was created, saving you from having to start work from square one.  A life saver, that temporary file.  However, this implies, of course, that the data was saved by the computer somewhere on your hard drive.  But again, who thinks of encrypting such a file?  No one.  The mere concept sounds ridiculous.

The department’s case is one of those instances where people do most everything correctly, and yet they get screwed in the end.  (Well, possibly might get screwed in the end.  The investigation is still ongoing, but preliminary findings seem to indicate that there was no data breach—meaning that the file encryption they’ve got going might have been protection enough.)  What I would like to suggest to the council is to take the extra, final step and encrypt all their computers.  Not just select files, but the whole disk.  This way, the staff does not have to wonder whether they’ve remembered to encrypt sensitive files, and resources don’t have to be spent on hiring a forensic IT team to corroborate the staff's memories.  By encrypting the entire hard drive on a computer using encryption services like AlertBoot, the council can concentrate on other stuff such as securing the premises, since a data breach is a highly unlikely scenario.