When it comes to data security, one of the best ways of receiving catcalls is by having "robust security measures" in place and not using them. Like signing up for laptop encryption software from AlertBoot and not using it, which I've seen happen before.
According to thesun.co.uk, Scottish Ambulance Service experienced a data breach. A laptop computer with 600 patient records was stolen from their headquarters.
The computer was not encrypted. Furthermore, "robust security measures were in place but had not been followed." However, it was password-protected and, as a spokesperson pointed out, "the laptop is password protected and would be difficult to access without specialist IT skills."
What is one to make of statements such as these? Well, to begin with, they've been wasting their resources. Robust security measures that are in place but are not followed? Worthless. But it happens, as I've found out personally.
Occasionally, I will talk to some of our clients who've signed up for AlertBoot endpoint encryption and, a year later, they still haven't encrypted their laptops. They think that the username and password prompt--part of their pre-boot authorization screen--is the encryption. They never took the 10 minutes it takes to make sure their computers' hard drives are protected.
Which brings me to the following. Relying on password-protection? Worthless. Regardless of what the spokesperson has said, defeating password-protection is not as hard as it sounds. I wouldn't go as far as saying that specialist IT skills are required to do so.
Or, perhaps the spokesperson's definition of a specialist differs from mine. For example, our building supervisor knows exactly where to kick the boiler in order to get it working. I guess you could say he's a specialist in boilers...although I wouldn't say so. Likewise, bypassing password-protection requires this level of "specialization": if you can unscrew stuff with a precision driver, you're golden.
Whenever people's information is breached in the UK, the ICO steps in. I'm pretty sure they'll do so in this case as well. If you've been keeping track of their Undertakings, you'll know that the ICO pretty much requires that laptops be protected with encryption software.
(Which is weird because, the last time I checked, they only suggest the use of encryption in their guidelines on how to prevent a breach. I guess things are different once you've lost data.)
Why encryption? Because, unlike password-protection, it's actually designed to protect your data.
Related Articles and Sites:
http://www.thesun.co.uk/scotsol/homepage/news/2738339/Records-on-600-patients-pinched.html
http://www.phiprivacy.net/?p=1495