The launch of a new form of encryption, highlighted as an unbreakable system, has ironically come at a time when the Ministry of Defence begins its investigation into the loss of an unencrypted computer hard drive containing the personal data of up to 1.7 million people who had made enquiries about joining the armed forces.

The encryption of data is without doubt an essential component in the protection of all our sensitive information and in light of what seems an ever steady flow of headlines informing us of yet another breach of security and data loss, it is perhaps prudent to focus on how sensitive data is being managed and what can be done to make improvements in our own business.

A number of key areas can be identified in relation to the management of data. They may seem obvious but, clearly, for some, putting them into practice is a different matter:

  • Human error plays a large part in data loss and there is almost an inevitability that if data is taken out of the office using some form of portable device, eventually, the laptop will be left on a train or the memory stick will slip out of a pocket onto the backseat of a taxi or get left in the front seat pouch on an airline. It is essential that we ensure that adequate measures are taken to protect sensitive data against not just theft but simple human error. It is extremely important that data is encrypted especially where this information is stored on a mobile device such as a laptop or a memory stick. Encryption, whilst not a perfect defence, will provide some protection and will slow down the extraction of the data. 
  • In July 2008 the Ministry of Defence revealed that a total of 121 memory sticks and 747 laptops had been lost or stolen in the previous four years. Ideally there should be strict policies in place preventing the removal of devices from the office and laptops and memory sticks should be locked up securely at night at the office premises. But just as important - always question whether you really need to take all of that information out of the office - or could you simply download the one page you need to read that night? Don't lose sight of the fact that whilst it's just a tiny memory stick there could be hundreds if not thousands of pages of sensitive company data contained on it - do you really need to have access to it all when you are out of the office?
  • Employees need to be made aware of their responsibilities in relation to the handling of sensitive information. Training of employees and the implementation of clear security policies and procedures should go hand in hand. In addition, question whether all employees should have the same access, and restrict access on a need-to-know basis.
  • Extra care needs to be taken where sensitive information is to be held outside business premises by independent contractors. Where you make the decision to outsource, remember your company will remain responsible for what happens with that data. Put in place the appropriate contractual provisions to ensure that the organisation you choose will put in place the appropriate security measures, but don't just leave it to contractual provisions, make spot checks to ensure they are following the procedures you have set down.
  • Finally, ask whether you need to keep storing data on mobile devices. Once you have used the data for your presentation to the board, or forwarded it to another company for processing, does it really need to remain on a memory stick or can it be removed? Is putting it in a drawer or leaving it in a briefcase (or a handbag) really good practice?

Advanced technology, such as the unbreakable encryption revealed at a scientific conference in Vienna last week, is a major step forward in terms of protecting data that is lost or stolen. That said, asking ourselves some fundamental questions about our own practices is likely to be just as important in preventing data loss.

Disclaimer

The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.

© MacRoberts 2008