Endpoint Protection

Listening to the local radio this morning I heard the story that the BBC has been forgetful with its laptops and mobile phones. Apparently, as reported by the Guardian and various other sites following a Freedom of Information request, that the BBC over two years has misplaced 146 laptops, 65 mobile phones and 17 blackberry devices. It is unknown if these devices were lost or stolen but the main complaint seems to be the cost to the tune of about £240,000. Although about 10% has been recovered this should not be the primary concern.

The primary worry should be the data on those laptops - If we assume that they contained 250Gbyte disks and that on average each disk would be 50% full then that means over 18Tbytes of data in total not including the mobile phones and blackberrys. I accept that a lot of the data is applications and internet related stuff but the implication is there. There is no indication if the data was encrypted or if any of the data was personal or in anyway potentially damaging to the organisations or employees. Perhaps a further FOI request should be made to further clarify.

If the BBC is capaable of losing this amount of information then consider all the organisations of similar size losing similar amounts of information to understand the scale of loss.

The case for DLP is clear. Keep those comments coming!!

First it was the cuts in private sector firms and now it is the public sector. The easiest and quickest cuts that make a difference to the bottom line are to remove people who are usually the largest cost item. Sadly redundancy is now a major occurrence in a working life. I know of many capable, intelligent and hard working people who have been made redundant two or three times in their lives sometimes more. It is increasingly a tool of organisations to quickly get rid of people. In general, redundancy is never executed against the legal guidelines which results in court cases and compromise agreements.

So what has all this to do with Information Security. The removal of staff from an organisation is currently the biggest threat to an organisations information. Redundancy or whatever method is used can result in animosity, resentment, and malicious intent on the part of the former employee. Of course most organisations are understanding and sensitive to emplyees and most follow the rules. However, sales of DLP software has been rising and the most sited reason for purchase is protection of contact databases, intellectual property and sales information from disgruntled employees.

The threat is real and active and who knows how much critical informaiton has been taken by upset and revengeful emplyees without anyone knowing. Please add any comments to this post on your experiences of cost cutting and data loss.

On the 12th December, it was widely reported that another laptopn was taken from MOD Headquarters in central London. This would not normally cause worry as all laptops are encrypted. However, the encryption key was also taken so exposing the information to the thief. It is not known if there is any exposure whilst investigations proceed. However, news items referred to the laptop as a ’secret data laptop’ which gives an indication. It was only in July thsi year (as reported in this blog) that 658 laptops have been stolen from the MOD in the last four years.

Below is one report on the story but the BBC also have reported it

http://www.pressassociation.com/component/pafeeds/2009/12/12/secret_data_laptop_stolen_from_mod_headquarters?camefrom=regional

St Albans City and District Council is the latest organisation to lose four laptops with personal data on over 14,000 voters. Files contained names, addresses, dates of birth, signatures, postal vote forms and statements which is all the information required to obtain a bank account.

Councillors were recently debating the loss and how the laptops could be stolen from the actual offices. Even though the data was protected, the portable devices were not physically secured. This goes against council policy of portable devices being physically as well as logically protected.

It also begs the question as to why personal data was held on portable devices. Such data should only be accessed on central resources and users prevented from copying to local devices.  We shall see what lessons will be learned and then forgotten til the next time.

The council needs to develop an information classification with associated policies on protection. A simple Data Loss Prevention product would have prevented the personal data from being copied in the first place but, had it been copied then the data would have been encrypted. It is noted that one of the laptops was left for months on an unused desk with no one knowing that held all this data. This is why an information audit and classification is required to start to get some control.

This story has been widely reported so use these links for more detail (such as there is)!!

http://www.stalbansreview.co.uk/news/4760711.St_Albans_councillors_debate_laptop_theft/

http://news.bbc.co.uk/1/hi/england/beds/bucks/herts/8363514.stm

http://www.stalbansreview.co.uk/news/4743799.St_Albans_council_worker_claims___Laptop_was_ignored_for_months_/

The BBC reports that a man from New Zealand found that his MP3 player which he bought from a shop in Oklahoma contained sensitive information about military personnel. The data contained names and telephone numbers of soldiers including details of pregnant personnel and even some mission information.

The data is thought to date back to 2005 and isnt thought to compromise national security. There were also similar breaches in Afghanistan in 2006 where shops outside the main US base had stolen flash drives containing sensitive data.

In the current climate of data mobility, some level of encryption and security policy is becoming vital to protecting sensitive data.