Endpoint Protection

St Albans City and District Council is the latest organisation to lose four laptops with personal data on over 14,000 voters. Files contained names, addresses, dates of birth, signatures, postal vote forms and statements which is all the information required to obtain a bank account.

Councillors were recently debating the loss and how the laptops could be stolen from the actual offices. Even though the data was protected, the portable devices were not physically secured. This goes against council policy of portable devices being physically as well as logically protected.

It also begs the question as to why personal data was held on portable devices. Such data should only be accessed on central resources and users prevented from copying to local devices.  We shall see what lessons will be learned and then forgotten til the next time.

The council needs to develop an information classification with associated policies on protection. A simple Data Loss Prevention product would have prevented the personal data from being copied in the first place but, had it been copied then the data would have been encrypted. It is noted that one of the laptops was left for months on an unused desk with no one knowing that held all this data. This is why an information audit and classification is required to start to get some control.

This story has been widely reported so use these links for more detail (such as there is)!!

http://www.stalbansreview.co.uk/news/4760711.St_Albans_councillors_debate_laptop_theft/

http://news.bbc.co.uk/1/hi/england/beds/bucks/herts/8363514.stm

http://www.stalbansreview.co.uk/news/4743799.St_Albans_council_worker_claims___Laptop_was_ignored_for_months_/

It is clear from meeting customers that the technology fix continues with security - the belief that a product will solve all the security problems in an organisation. This misguided expectation is exploited by vendors who sell every flavour and permutation for each identified security flaw. This results in customers wasting a lot of money on shelfware (software that is never installed and sits on the shelf) or problems trying to effectively deploy the product with no clear idea of configuration or threat.

However, simple consideration before buying a product fix could be to consider what are the security policies that an organisation shouid reasonably implement which would then save time and money. With protection of information, it is vital to define the policies that are reasonable and actionable to do the job. Once the policies have been set, agreed and communicated then the tool can be matched to the policy.

So many clients buy a product that they cannot effectively use as there are no existing policies defining what the product should do. It takes time to get the product reflecting the policies. From experience, one should start with strategic policies that, at a high level, define the overarching rules of the organisation. These can then be broken down into tactical policies. From the tactical policies, the standard operating procedures can be defined and written.

In summary, product purchase is used as an excuse for ‘ doing something’ wiht security but with no organisational framework defining its use.