Endpoint Protection

Tag: strategic policies

Auntie Beeb gets forgetful in old age

by Rupert Beeby on Aug.10, 2010, under Industry News, data security, data security trends

Listening to the local radio this morning I heard the story that the BBC has been forgetful with its laptops and mobile phones. Apparently, as reported by the Guardian and various other sites following a Freedom of Information request, the BBC over two years has misplaced 146 laptops, 65 mobile phones and 17 BlackBerry devices. It is unknown if these devices were lost or stolen, but the main complaint seems to be the cost, to the tune of about £240,000. Although about 10% has been recovered, this should not be the primary concern.

The primary worry should be the data on those laptops. If we assume that they contained 250 Gbyte disks and that on average each disk was 50% full, that means over 18 Tbytes of data in total, not including the mobile phones and BlackBerrys. I accept that a lot of the data is applications and internet related stuff, but the implication is there. There is no indication if the data was encrypted or if any of the data was personal or in any way potentially damaging to the organisation or its employees. Perhaps a further FOI request should be made to clarify.

If the BBC is capable of losing this amount of information, then consider all the organisations of similar size losing similar amounts of information to understand the scale of loss.

The case for DLP is clear. Keep those comments coming!!


St Albans Mourns Laptop Loss

by Rupert Beeby on Nov.27, 2009, under Government, Industry News, data security, security policies

St Albans City and District Council is the latest organisation to lose laptops: four machines holding personal data on over 14,000 voters. Files contained names, addresses, dates of birth, signatures, postal vote forms and statements, which is all the information required to open a bank account.

Councillors were recently debating the loss and how the laptops could be stolen from the actual offices. Even though the data was protected, the portable devices were not physically secured. This goes against council policy of portable devices being physically as well as logically protected.

It also raises the question as to why personal data was held on portable devices at all. Such data should only be accessed on central resources, with users prevented from copying it to local devices. We shall see what lessons will be learned and then forgotten until the next time.

The council needs to develop an information classification with associated policies on protection. A simple Data Loss Prevention product would have prevented the personal data from being copied in the first place and, had it been copied anyway, would have ensured the data was encrypted. It is noted that one of the laptops was left for months on an unused desk with no one knowing that it held all this data. This is why an information audit and classification is required to start to get some control.

This story has been widely reported so use these links for more detail (such as there is)!!

http://www.stalbansreview.co.uk/news/4760711.St_Albans_councillors_debate_laptop_theft/

http://news.bbc.co.uk/1/hi/england/beds/bucks/herts/8363514.stm

http://www.stalbansreview.co.uk/news/4743799.St_Albans_council_worker_claims___Laptop_was_ignored_for_months_/


Security Policy or Security Product?

by admin on Dec.18, 2008, under data security, security policies

It is clear from meeting customers that the technology fix continues in security: the belief that a product will solve all the security problems in an organisation. This misguided expectation is exploited by vendors who sell every flavour and permutation of product for each identified security flaw. The result is customers wasting a lot of money on shelfware (software that is never installed and sits on the shelf), or struggling to deploy the product effectively with no clear idea of the configuration required or the threat it is meant to address.

However, a simple consideration before buying a product fix is to ask what security policies an organisation should reasonably implement; doing so would save time and money. For the protection of information, it is vital to define policies that are reasonable and actionable enough to do the job. Once the policies have been set, agreed and communicated, the tool can be matched to the policy.

So many clients buy a product that they cannot effectively use as there are no existing policies defining what the product should do. It takes time to get the product reflecting the policies. From experience, one should start with strategic policies that, at a high level, define the overarching rules of the organisation. These can then be broken down into tactical policies. From the tactical policies, the standard operating procedures can be defined and written.

In summary, product purchase is used as an excuse for 'doing something' with security, but with no organisational framework defining its use.
