Posts Tagged “Ministry of Defense”

Now I do realize that I run the risk of sounding like a broken record with this post, but I think it will underscore a point as well as provide a basis for further posts on proactive security.

I subscribe to the Data Loss Digest put out by DataLossDB.org. While I don’t always have time to peruse it daily, I do go back and look through the messages from time to time. I was doing so today when two news stories jumped out at me as good examples to use here on the blog. While both of these stories dealt with data breaches and the way that they were handled, they also speak to how being proactive can help when disaster strikes.

Our first story is about a missing hard drive that may contain the names, addresses, passport numbers, dates of birth and driving license details of 100,000 individuals who are employees of the UK Ministry of Defense.  This number constitutes about half of the UK’s armed forces.  See:

EDS loses unencrypted Armed-Forces Data and

Lost MoD drive hadn’t required encryption says EDS

In an interview on BBC Radio 5’s “Drive” program, the managing director of EDS (Defense) in the UK, Sir Robert Fry, told the BBC’s Anita Anand:

“The hard drive was not encrypted but neither did it need to be, in terms of the protocols to which we and the Ministry of Defense work, when it sits inside a secure site.”

Now I have no doubt that what Sir Fry told the reporter is true, but that is little comfort to the 100,000 individuals whose information has gone missing.

Compare this story to the loss of a laptop containing the personal details of 100,000 individuals in the National Rail and British Transport Police pension program. That laptop was stolen from a Deloitte employee in a public place.

See: Pension Data was on Stolen Laptop

Now the first quote that you see from Deloitte was that there was a “very low risk” of the details being accessed. “Yeah, right” was my first impression, but as you read on, the article goes on:

“In a statement, the company said the laptop was protected by a number of security measures, including start-up and operating system passwords and data encryption. 

It said the theft had happened despite employees being issued with guidelines to pay close attention to their laptops in public places.”

For the sake of full disclosure, I must admit that I am a Deloitte alumnus. As one, I can report that the company’s statement is true. Our laptops were encrypted, and they do put in place quite a few security measures to protect their clients’ data over and above what I’ve found as normal in many companies. In fact, during my time there I was very impressed with the lengths they went to in order to protect their own as well as client data.

My point wasn’t to praise Deloitte, however. It was to point out that while both cases involved a data breach, they can be interpreted in two different ways. On one hand you have a company that is trying to justify why certain security measures weren’t taken, and on the other hand you have a company that is telling you that they had instituted multiple security measures that are intended to safeguard the information even though it has left the company’s control.

If I read these stories and try to put myself in the place of one of the individuals whose information was lost, I come away with two different feelings. On one hand I read the article and don’t feel any better that my information has been lost; in fact, I feel worse – I’ve just been given the “pass the blame” answer. On the other hand I feel better about the loss (not that I’m happy, just mollified) because it appears as if prudent security measures have been taken to secure the information on the laptop.

Taking a proactive stance on managing the risk to information and implementing sound security measures is just good business. What executive wants to be put on the spot by reporters, having to answer questions as to why something wasn’t done? Isn’t it a much better place to be in to inform everyone of the efforts that a company has taken to go above and beyond in protecting its customers’ data? In today’s tough economic times it is a prudent company that takes proactive measures to maintain the competitive edge when the inevitable happens.
