AlertBoot Endpoint Security

Full Disk Encryption Not Enough For North Yorkshire County Council

North Yorkshire County Council has had seven laptops lost or stolen in the past year, as well as two BlackBerries and 35 cell phones. The good news is that five of the laptops and the BlackBerries were fully encrypted using disk encryption software, presumably something similar to AlertBoot. The remaining two laptops, which were not encrypted, did not have any sensitive data on them.

The bad news, however, is that countless USB memory sticks have been lost as well.  Granted, they wouldn’t be “countless” if the council knew how many they had to begin with.

County councilor Steve Shaw-Wright had this to say about the encrypted laptops:

“to say it’s okay because the data lost is not sensitive, or it’s fully encrypted is not good enough - if a laptop is stolen with lots of names and addresses on and it gets into the hands of a conman, then that is serious.”

At first, I thought he didn’t quite understand how hard disk encryption works.  If your computer’s hard disk drive is fully encrypted, it is good enough, although one must ensure that the password used to secure the data is strong enough, and that it’s not on a sticky-note affixed to the laptop. (Your front door can’t protect your belongings if you constantly leave your keys in the lock, right?)

Upon further reflection, it seems to me he’s pointing out a mode of thinking that I myself have often berated. For example, if a stolen laptop contains a list of names and addresses, it’s assumed this is not a big deal because the same information is available publicly, like in the white pages (we’ll assume that there are no unlisted numbers for people seeking privacy).

However, it’s not the same situation because there can be additional information that eventually leads to that data’s exploitation. If there’s a document showing five-year revenue projections for XYZ, Inc., now you know those people are somehow associated with XYZ, something that is not apparent from the white pages.

And that extra information can be enough for successful social engineering, which is just another word for committing fraud.  So, the councilor was right regarding “sensitive data” or the lack thereof.

But Mr. Shaw-Wright is wrong regarding encryption. Consider this: a computer is kept in a locked closet. Someone breaks into the closet and steals the computer. The data residing on the computer is stolen as well.

You could have stronger locks and thicker walls, but at some point someone, authorized employee or otherwise, will access the computer. Access means there’s a hole, and that means the possibility of theft is there.

What measures can you have in case something is stolen?  Encryption.  Because encryption resides in the same space as the data, it’s the ultimate form of protection for your data (this doesn’t mean it can do much for the computer itself, mind you).  Clearly, if encryption trumps doors, walls, and locks, it must be good enough.  I mean, how else can you secure your data?  What options have you got left?

I guess you’ve got not having the device stolen to begin with.  I don’t consider wishful thinking to be a critical component of good data security practices.

Related Articles:
http://www.thenorthernecho.co.uk/news/local/northyorks/3999585.North_Yorkshire_County_Council_s_computer_security_under_scrutiny/
http://www.thepress.co.uk/news/3997346.North_Yorkshire_County_Council_loses_seven_laptops/

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with Data Guard Systems, Inc., the leading provider of managed endpoint security services, based in New York, NY. Mr. Lee helps with the deployment and ongoing support of both the AlertBoot disk encryption managed service and the CellularManager cellular pos service for Data Guard's customers. Prior to working at Data Guard Systems, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.