SlideShare ist ein Scribd-Unternehmen logo

The Politics of IT Security: Laptop Theft in the Public Sector

LapSafe Products
LapSafe Products

In today’s fast-paced world where quick access to information is key, laptops, netbooks and tablets have become vital tools for public sector professionals. The use of mobile IT can increase flexibility and opportunities for remote working, but these desirable and costly devices are increasingly becoming the targets for organised and opportunistic theft. In 2011 alone, the Information Commissioner’s Office (ICO) has reported 22 laptops lost or stolen from public sector organisations and has fined some of the bodies responsible a total of £150,000. This white paper examines IT security within the public sector, including the problem of repeated laptop thefts, and offers practical advice for professionals to help them keep their mobile electronic devices safe.

Technologie
1 von 7
Downloaden Sie, um offline zu lesen
The Politics of IT Security Laptop Theft in the Public Sector Page 1
Introduction In today’s fast-paced world where quick access to information is key, laptops, netbooks and tablets have become vital tools for public sector professionals. The use of mobile IT can increase flexibility and opportunities for remote working, but these desirable and costly devices are increasingly becoming the targets for organised and opportunistic theft. In 2011 alone, the Information Commissioner’s Office (ICO) has reported 22 laptops lost or stolen from public sector organisations and has fined some of the bodies responsible a total of £150,000. This white paper examines IT security within the public sector, including the problem of repeated laptop thefts, and offers practical advice for professionals to help them keep their mobile electronic devices safe. The facts In order to be able to fix a problem, it is necessary to understand it first. Although simply spouting statistics will not make laptop theft disappear, examining relevant data can help to put the sector’s problem into context and emphasis the need for preventative action. So, what are the facts? • In a recent report by the Ponemon Institute, the public sector experienced the third highest rate of laptop loss out of the 12 industries surveyed. • The NHS has been responsible for almost a third of all data security breaches reported to the Information Commissioner’s Office (ICO) since 2007, according to research by IT consultancy Hytec. • Between 1998 and 2008, 1,052 laptops were reported lost or stolen from Government departments. Remarkably, this figure does not include several departments, for example the Home Office, Foreign Office, Department for Transport and Department for Business, meaning that the number could actually be much higher. • In 2010, a total of 25 laptops were lost or stolen from the Home Office. To put this into context, the Ponemon Institute estimates that the average cost of one lost laptop is €35,284. • Laptops containing sensitive and confidential data are the most likely to be stolen, according to the Ponemon Institute. Laptop theft is clearly a very real and increasingly common issue for the public sector, but why should its professionals take IT security seriously? Cause for concern According to the Billion Euro Lost Laptop Problem, from the Ponemon Institute, only two per cent of the cost of a lost laptop is due to actually replacing the device. In fact, a staggering 80 per cent of the cost ensuing from a stolen machine will be incurred as a result of data breaches. Crooks that steal laptops from the public sector often do so because the information stored on the machines is worth more than their resell value. As a result, the consequences of laptop theft within the public sector can be much more serious than simply causing inconvenience to staff. If a laptop containing sensitive information about a council’s vulnerable clients, or confidential Government projects, falls into the wrong hands, the upshot could be devastating. Not only could deadlines be disrupted if desktop files or software is lost, but, if confidential Government files were leaked to the press, the ensuing public uproar could significantly damage a Page 2 1
party’s or politician’s reputation. Even more worryingly, client and public safety could be severely compromised if sensitive personal details were passed on to blackmailers. What is more, laptop theft can be incredibly costly. Amongst other components, when the financial impact of lost productiv- ity, data breaches and forensics are taken into account, the Ponemon Institute estimates that the average cost of a missing laptop is a colossal €35,284. Moreover, not only will an organisation have to source equipment to replace stolen laptops, but councils, and other public sector authorities could face hefty fines. Since April 2010, the ICO has the authority to issue monetary penalties of up to £500,000 to those in serious breach of the Data Protection Act. As a result, the public purse may have to foot the bill for lapses in IT security at a time of economic hardship. In fact, this is exactly what happened in February 2011, when Ealing and Hounslow Councils were fined a total of £150,000 by the body, following the loss of two unencrypted laptops, containing the details of around 1,700 people. Public sector professionals, no matter what their job title, have a duty of care towards their clients and constituents to ensure their safety and protect their funding. In the case of processing personal information, this includes securing laptops, and the electronic data stored on them. Laptop theft and the law In fact, those that work in the public sector also have a legal obligation regarding IT security. In the UK, anyone that processes personal information, for example, someone that holds records detailing a person’s eth- nicity, political opinions or information about their health, must comply with the eight principles of the Data Protection Act. This legislation is designed to ensure that personal information is: • Fairly and lawfully processed • Processed for limited purposes • Adequate, relevant and not excessive • Accurate and up to date • Not kept for longer than is necessary • Processed in line with a person’s rights • Secure • Not transferred to other countries without adequate protection. In terms of laptop and mobile IT security, the seventh principal of the Data Protection Act is particularly important: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Consequently, organisations that hold or process personal data are legally required to secure and take steps to prevent the ‘accidental loss’ of personal information stored electronically. Organisations that breach this, or any other, principal in the Data Protection Act can incur substantial financial penalties from the ICO, meaning that councils, government departments and other public sector professionals could be penalised for the loss of unencrypted laptops. Page 3 2
Preventing laptop theft IT theft can be costly, and potentially dangerous, but there are simple steps that those in the public sector can take to reduce the risk of it occurring. 1. Staff should take care to avoid accidentally advertising IT assets to thieves by refraining from discussing electronic devices on their organisation’s website, social networking sites or informing the local press when a lot of new equipment has been purchased. 2. When new equipment is bought, its packaging should be flattened, turned inside out and crushed before it is put outside with the rubbish, to avoid notifying potential thieves to a delivery. 3. IT equipment should never be left unattended, and laptops and PCs should be secured to a desk using a lockdown system or fixed to furniture, such as a radiator, with security cables when in use. Security cables slot into a laptop’s universal security slot and can be used to secure devices to any solid or fixed object. The cables are constructed of high-tensile steel and fitted with anti-drill locks to make it difficult for a thief to remove a laptop. Lightweight and portable, the cables are designed so that employees can carry them with them when working remotely or seeing clients and are a must-have security device for professionals that are constantly on the move. Laptop lockdowns secure machines in a highly visible way for theft deterrent. The devices lock laptops to desks in the open or closed position, enabling users to carry on working on the machines. Hindsight is a wonderful thing. Although it may be easy to criticise the mistakes of others, it is essential that we learn from them to stop the small mistakes, with potentially devastating consequences, from happening time and time again. Case Study: NHS North Central London In June 2011, an unencrypted laptop, containing the details of more than 8 million patients, was reported lost or stolen from a storeroom at the London Health Programmes, part of NHS North Central London. The laptop was one of 20 missing from the authority and contained details of cancer, HIV, mental illness and abortions that could be used by blackmailers. Although, reportedly, the data did not include patient names, it was feared that postcodes and information on gender, age and ethnic origins, that could potentially identify individuals, were also held on the laptop. At the time of writing, the theft was believed to represent the largest ever data breach in NHS history. Although NHS North Central London followed a procedure of deleting any sensitive electronic information once it had been processed, this policy was rendered useless because the laptop was taken before the data could be removed by staff. If the laptop was encrypted, the important data held on the machine would have been rendered largely useless to thieves. The Trust would have also been wise to invest in a purpose built cabinet constructed of reinforced steel to store their mobile IT in overnight, rather than locking them in a storeroom. Such cabinets are designed to resist crowbars and lock-picks and can also charge mobile IT devices if desired. Page 4 3
4. Encryption software should always be installed onto mobile IT devices, even if the authority it belongs to follows the policy of deleting information once it has been processed. If a thief steals a laptop before its contents can be destroyed, its information could still be accessed for illegal purposes. Encryption can protect patient records by scrambling data to make it difficult for unauthorised personnel to determine its meaning, often rendering it useless to thieves. 5. Although encryption is vital to protect data, it should not be relied upon alone. Some thieves will not stop at anything, not least encryptions, to access important information, and those that steal laptops from the NHS often do so because the data that they contain far exceeds their resell value. 6. Simply locking laptops in storage rooms will not keep them safe. Laptops and tablets are best protected in a secured lockable cabinet that can be bolted to the wall or floor. This cabinet should be constructed of reinforced steel, not wood or plastic, and be designed to resist crowbars, cutting equipment and lock-pickers. 7. It should be compulsory for staff to follow laptop and mobile IT security measures by incorporating procedures, and penalties for breaching these procedures, into your company handbook and employee contracts. An IT security policy should be issued to all staff, and employees should be required to sign this document to confirm their compliance. 8. Staff need to be made fully aware of their duties regarding laptop security, and this includes regularly explaining relevant policies through company communication channels, such as emails and newsletters, and offering adequate training. A manager should also be appointed to make sure that this tuition is being given, and that the security policies are being followed. 9. External IT technicians should always present ID before they are taken to service computers, and staff should ensure that they sign in and out. 10. When travelling with laptops on public transport, staff should avoid storing their laptops in luggage compartments, where devices could be taken by other passengers. Instead, laptops should be kept on laps or between feet. 11. Ensure that visitors are accompanied when they walk around the building and insist that all guests sign in and out. Case Study: West Sussex Council In July 2010, West Sussex County Council was criticised for the theft of an unencrypted laptop, containing the details of an unknown number of children. The laptop was stolen from the house of a council employee and was believed to be part of a group of 2,300 unencrypted laptops in use by the body. The Information Commissioner’s Office (ICO) condemned the council because the member of staff responsible for the loss had received no formal training in data protection or IT security. The case of West Sussex Council highlights the importance of regular and effective IT security training for all members of staff within an organisation. Not only should such training cover how public sector professionals can protect their laptops whilst in the workplace, but guidance should be given to staff about how to secure machines when working remotely. This includes securing laptops in the home and during transportation. Page 4 5
12. When out and about, staff should carry their laptops in anonymous bags or cases in order not to alert thieves to its contents. 13. Ideally, laptops and other mobile devices should never be left unattended in a vehicle because concealed areas like the boot or glove box will be the first places that thieves look. Laptops should always be accompanied by their owners and should never be left in a car overnight. It is far better to secure a laptop to furniture inside a building using a security cable. 15. Laptop theft should be reported to the police as soon as possible; the quicker the police are aware that confidential information has gone missing, the more likely it is that equipment will be recovered and that public sector organisations will not have to seek a replacement. In following the above guidelines, public sector professionals can take easy steps to mitigate IT security breaches within their organisations, protect client safety and avoid costly fines. Case Study: Hull and East Yorkshire Hospitals NHS Trust In February 2011, the Information Commissioner’s Office (ICO) served Ealing Council and Hounslow Council with monetary penalties totalling £150,000, following the theft of two unencrypted laptops. The ICO ruled that the councils had breached the Data Protection Act when the machines, containing details of around 1,700 individuals, were stolen from an employee’s home. Ealing Council provides out of hours service for both of the councils and uses laptops to record information about a variety of individuals. Although the stolen machines were password protected, they were unencrypted, despite each council having a policy in place that required this software to be installed on to all staff laptops. Ealing Council was fined £80,000 for breaching its own policy on data encryption after the ICO ruled that there were insufficient checks by the body to ensure that staff were complying with the security procedures in place. By contrast, Hounslow Council received a penalty of £70,000 for failing to have a contract in place with Ealing Council and neglecting to monitor the behaviour of its partner regarding laptop security. Unfortunately, these London councils could have avoided incurring such hefty fines, and risking client safety, by simply encrypting their data. In this case, the fact that the organisations acted in spite of their own policies and failed to encrypt data appears to be because employees were not aware of their obligations regarding IT security. To prevent this situation from happening in the future, public organisations need to maximise internal communications systems, for example emails and company newsletters, to explain to staff what they need to do to keep their IT safe. This communication should be regular and be supported by frequent training to ensure that all personnel understand the policy that they must follow. Public sector organisations should also ensure that these policies are outlined in the employee handbook and that there are appropriate disciplinary procedures in place to emphasise the seriousness of staff compliance. Page 6 5
Conclusion With a workforce frequently on the move, laptops are an invaluable tool throughout the public sector, provided the correct security measures are in place for their use. If a computer is not encrypted and physically secured, there can be devastat- ing consequences, not to mention hefty fines, if its data falls into the wrong hands. Putting IT security into practice does not have to be time consuming or costly, but it is essential. It is hoped that this white paper will help to emphasise the importance of employing physical security solutions for mobile IT and will go some way towards preventing future cases of laptop theft from the public sector. Appendix The Politics of IT Security white paper has been compiled using information from the following sources: ‘More than 1,000 government laptops lost or stolen, new figures show’, The Guardian, 4 March 2008, http://www.guardian. co.uk/politics/2008/mar/04/2 ‘West Sussex council criticised over laptop theft’, BBC, 8 July 2010, http://www.bbc.co.uk/news/10561538 ‘Councils fined for unencrypted laptop theft’, The Information Commissioner’s Office (ICO), 8 February 2011, http://www. ico.gov.uk/news/latest_news/2011.aspx ‘Missing: Laptop with 8.6million medical records’, The Sun, 15 June 2011 http://www.thesun.co.uk/sol/homepage/news/3637704/Missing-Laptop-with-86million-medical-records.html ‘NHS on Amber alert’, Risk-uk.com http://www.risk-uk.com/newsdetail.php?newsID=327 The Billion Euro Lost Laptop Problem, The Ponemon Institute and Intel, April 2011 http://antitheft.intel.com/Libraries/Documents/The_Billion_Euro_Lost_Laptop_Problem.sflb.ashx‘ ‘Lost, stolen and recovered mobiles, laptops and removable media’, The Home Office, 23 May 2011, http://www.homeof- fice.gov.uk/publications/about-us/transparency/lost-mobiles-laptops-media/ ‘Data Protection Act 1998’, Legislation, http://www.legislation.gov.uk/ukpga/1998/29/section/9A Resources Readers of The Politics of IT Security might also find these resources helpful: ‘Is your IT in safe hands?’, Government Technology, July 2011 http://www.governmenttechnology.co.uk/features2/ item/2580-is-your-it-in-safe-hands ‘ICT Security Tips For Public Sector Professionals’, Egovmonitor.com, 28 June 2011 http://www.egovmonitor.com/ node/42549 ‘NHS should physically lock-down their laptops’, PublicService.co.uk, 16 June 2011http://www.publicservice.co.uk/fea- ture_story.asp?id=16782 Page 6 7

Empfohlen

Ch 19. social and economic effects of it
Ch 19. social and economic effects of itCh 19. social and economic effects of it
Ch 19. social and economic effects of itKhan Yousafzai
 
IOT Security - ICCT College of Engineering
IOT Security - ICCT College of EngineeringIOT Security - ICCT College of Engineering
IOT Security - ICCT College of EngineeringPotato
 
Wipo smes ge_08_topic07
Wipo smes ge_08_topic07Wipo smes ge_08_topic07
Wipo smes ge_08_topic07AbdurrahmanADandalam1
 
What is data privacy?
What is data privacy?What is data privacy?
What is data privacy?Quick Heal Technologies Ltd.
 
Societal impacts PART2
Societal impacts PART2Societal impacts PART2
Societal impacts PART2AVISHITYAGI
 
Internal social media: risks and added value
Internal social media: risks and added valueInternal social media: risks and added value
Internal social media: risks and added valueProf. Jacques Folon (Ph.D)
 
Societal Impact of Information Technology
Societal Impact of Information TechnologySocietal Impact of Information Technology
Societal Impact of Information Technologyvethics
 
19 July 2012 - Loc-poi overview v2
19 July 2012 - Loc-poi overview v2 19 July 2012 - Loc-poi overview v2
19 July 2012 - Loc-poi overview v2 Timothy Holborn
 

Empfohlen

Ch 19. social and economic effects of it
Ch 19. social and economic effects of itCh 19. social and economic effects of it
Ch 19. social and economic effects of itKhan Yousafzai
 
IOT Security - ICCT College of Engineering
IOT Security - ICCT College of EngineeringIOT Security - ICCT College of Engineering
IOT Security - ICCT College of EngineeringPotato
 
Wipo smes ge_08_topic07
Wipo smes ge_08_topic07Wipo smes ge_08_topic07
Wipo smes ge_08_topic07AbdurrahmanADandalam1
 
What is data privacy?
What is data privacy?What is data privacy?
What is data privacy?Quick Heal Technologies Ltd.
 
Societal impacts PART2
Societal impacts PART2Societal impacts PART2
Societal impacts PART2AVISHITYAGI
 
Internal social media: risks and added value
Internal social media: risks and added valueInternal social media: risks and added value
Internal social media: risks and added valueProf. Jacques Folon (Ph.D)
 
Societal Impact of Information Technology
Societal Impact of Information TechnologySocietal Impact of Information Technology
Societal Impact of Information Technologyvethics
 
19 July 2012 - Loc-poi overview v2
19 July 2012 - Loc-poi overview v2 19 July 2012 - Loc-poi overview v2
19 July 2012 - Loc-poi overview v2 Timothy Holborn
 
Security and Compliance
Security and ComplianceSecurity and Compliance
Security and ComplianceBankingdotcom
 
Important Issues in Global E-commerce
Important Issues in Global E-commerce Important Issues in Global E-commerce
Important Issues in Global E-commerce Dr. Prashant Vats
 
The death of data protection sans obama
The death of data protection sans obamaThe death of data protection sans obama
The death of data protection sans obamaLilian Edwards
 
Cybertorts
CybertortsCybertorts
Cybertortspanabaha
 
Cybertort Imp Slides For Pub. Internet
Cybertort Imp Slides For Pub. InternetCybertort Imp Slides For Pub. Internet
Cybertort Imp Slides For Pub. InternetProf. (Dr.) Tabrez Ahmad
 
George konstantakis iot and product design
George konstantakis iot and product designGeorge konstantakis iot and product design
George konstantakis iot and product design360mnbsu
 
feb 2018 - Sub22 - The impact of new and emerging information and communicati...
feb 2018 - Sub22 - The impact of new and emerging information and communicati...feb 2018 - Sub22 - The impact of new and emerging information and communicati...
feb 2018 - Sub22 - The impact of new and emerging information and communicati...Timothy Holborn
 
The Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage DevicesThe Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage DevicesGFI Software
 
Jan 2017 Submission to AG Re: Metadata use in civil proceedings
Jan 2017 Submission to AG Re: Metadata use in civil proceedingsJan 2017 Submission to AG Re: Metadata use in civil proceedings
Jan 2017 Submission to AG Re: Metadata use in civil proceedingsTimothy Holborn
 
Print Security? Are Businesses Complacent?
Print Security? Are Businesses Complacent?Print Security? Are Businesses Complacent?
Print Security? Are Businesses Complacent?Larry Levine
 
It security & crimes
It security & crimesIt security & crimes
It security & crimesleodgard erasmus
 
March 2013 Australian Centre Liberal Arts
March 2013 Australian Centre Liberal Arts March 2013 Australian Centre Liberal Arts
March 2013 Australian Centre Liberal Arts Timothy Holborn
 
National ICT & Education Strategy July 2016
National ICT & Education Strategy July 2016National ICT & Education Strategy July 2016
National ICT & Education Strategy July 2016Guy Huntington
 
Cyber law by pravin ghosekar
Cyber law by pravin ghosekarCyber law by pravin ghosekar
Cyber law by pravin ghosekarPravinGhosekar
 
Getting the social side of pervasive computing right
Getting the social side of pervasive computing rightGetting the social side of pervasive computing right
Getting the social side of pervasive computing rightblogzilla
 
Privacy and personal information
Privacy and personal informationPrivacy and personal information
Privacy and personal informationUc Man
 
Unit 2 Regulation of Cyberspace
Unit 2 Regulation of CyberspaceUnit 2 Regulation of Cyberspace
Unit 2 Regulation of CyberspaceTushar Rajput
 
Dealing with Fraud in E-Banking Sphere
Dealing with Fraud in E-Banking SphereDealing with Fraud in E-Banking Sphere
Dealing with Fraud in E-Banking SphereGoutama Bachtiar
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrUnit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrTushar Rajput
 
A guide to using iPads in the classroom
A guide to using iPads in the classroomA guide to using iPads in the classroom
A guide to using iPads in the classroomLapSafe Products
 
A guide to games-based learning
A guide to games-based learningA guide to games-based learning
A guide to games-based learningLapSafe Products
 
A guide to ICT security in schools
A guide to ICT security in schoolsA guide to ICT security in schools
A guide to ICT security in schoolsLapSafe Products
 

Weitere ähnliche Inhalte

Was ist angesagt?

Security and Compliance
Security and ComplianceSecurity and Compliance
Security and ComplianceBankingdotcom
 
Important Issues in Global E-commerce
Important Issues in Global E-commerce Important Issues in Global E-commerce
Important Issues in Global E-commerce Dr. Prashant Vats
 
The death of data protection sans obama
The death of data protection sans obamaThe death of data protection sans obama
The death of data protection sans obamaLilian Edwards
 
Cybertorts
CybertortsCybertorts
Cybertortspanabaha
 
George konstantakis iot and product design
George konstantakis iot and product designGeorge konstantakis iot and product design
George konstantakis iot and product design360mnbsu
 
feb 2018 - Sub22 - The impact of new and emerging information and communicati...
feb 2018 - Sub22 - The impact of new and emerging information and communicati...feb 2018 - Sub22 - The impact of new and emerging information and communicati...
feb 2018 - Sub22 - The impact of new and emerging information and communicati...Timothy Holborn
 
The Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage DevicesThe Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage DevicesGFI Software
 
Jan 2017 Submission to AG Re: Metadata use in civil proceedings
Jan 2017 Submission to AG Re: Metadata use in civil proceedingsJan 2017 Submission to AG Re: Metadata use in civil proceedings
Jan 2017 Submission to AG Re: Metadata use in civil proceedingsTimothy Holborn
 
Print Security? Are Businesses Complacent?
Print Security? Are Businesses Complacent?Print Security? Are Businesses Complacent?
Print Security? Are Businesses Complacent?Larry Levine
 
March 2013 Australian Centre Liberal Arts
March 2013 Australian Centre Liberal Arts March 2013 Australian Centre Liberal Arts
March 2013 Australian Centre Liberal Arts Timothy Holborn
 
National ICT & Education Strategy July 2016
National ICT & Education Strategy July 2016National ICT & Education Strategy July 2016
National ICT & Education Strategy July 2016Guy Huntington
 
Cyber law by pravin ghosekar
Cyber law by pravin ghosekarCyber law by pravin ghosekar
Cyber law by pravin ghosekarPravinGhosekar
 
Getting the social side of pervasive computing right
Getting the social side of pervasive computing rightGetting the social side of pervasive computing right
Getting the social side of pervasive computing rightblogzilla
 
Privacy and personal information
Privacy and personal informationPrivacy and personal information
Privacy and personal informationUc Man
 
Unit 2 Regulation of Cyberspace
Unit 2 Regulation of CyberspaceUnit 2 Regulation of Cyberspace
Unit 2 Regulation of CyberspaceTushar Rajput
 
Dealing with Fraud in E-Banking Sphere
Dealing with Fraud in E-Banking SphereDealing with Fraud in E-Banking Sphere
Dealing with Fraud in E-Banking SphereGoutama Bachtiar
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrUnit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrTushar Rajput
 

Was ist angesagt? (19)

Security and Compliance
Security and ComplianceSecurity and Compliance
Security and Compliance
 
Important Issues in Global E-commerce
Important Issues in Global E-commerce Important Issues in Global E-commerce
Important Issues in Global E-commerce
 
The death of data protection sans obama
The death of data protection sans obamaThe death of data protection sans obama
The death of data protection sans obama
 
Cybertorts
CybertortsCybertorts
Cybertorts
 
Cybertort Imp Slides For Pub. Internet
Cybertort Imp Slides For Pub. InternetCybertort Imp Slides For Pub. Internet
Cybertort Imp Slides For Pub. Internet
 
George konstantakis iot and product design
George konstantakis iot and product designGeorge konstantakis iot and product design
George konstantakis iot and product design
 
feb 2018 - Sub22 - The impact of new and emerging information and communicati...
feb 2018 - Sub22 - The impact of new and emerging information and communicati...feb 2018 - Sub22 - The impact of new and emerging information and communicati...
feb 2018 - Sub22 - The impact of new and emerging information and communicati...
 
The Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage DevicesThe Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage Devices
 
Jan 2017 Submission to AG Re: Metadata use in civil proceedings
Jan 2017 Submission to AG Re: Metadata use in civil proceedingsJan 2017 Submission to AG Re: Metadata use in civil proceedings
Jan 2017 Submission to AG Re: Metadata use in civil proceedings
 
Print Security? Are Businesses Complacent?
Print Security? Are Businesses Complacent?Print Security? Are Businesses Complacent?
Print Security? Are Businesses Complacent?
 
It security & crimes
It security & crimesIt security & crimes
It security & crimes
 
March 2013 Australian Centre Liberal Arts
March 2013 Australian Centre Liberal Arts March 2013 Australian Centre Liberal Arts
March 2013 Australian Centre Liberal Arts
 
National ICT & Education Strategy July 2016
National ICT & Education Strategy July 2016National ICT & Education Strategy July 2016
National ICT & Education Strategy July 2016
 
Cyber law by pravin ghosekar
Cyber law by pravin ghosekarCyber law by pravin ghosekar
Cyber law by pravin ghosekar
 
Getting the social side of pervasive computing right
Getting the social side of pervasive computing rightGetting the social side of pervasive computing right
Getting the social side of pervasive computing right
 
Privacy and personal information
Privacy and personal informationPrivacy and personal information
Privacy and personal information
 
Unit 2 Regulation of Cyberspace
Unit 2 Regulation of CyberspaceUnit 2 Regulation of Cyberspace
Unit 2 Regulation of Cyberspace
 
Dealing with Fraud in E-Banking Sphere
Dealing with Fraud in E-Banking SphereDealing with Fraud in E-Banking Sphere
Dealing with Fraud in E-Banking Sphere
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrUnit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hr
 

Andere mochten auch

A guide to using iPads in the classroom
A guide to using iPads in the classroomA guide to using iPads in the classroom
A guide to using iPads in the classroomLapSafe Products
 
A guide to games-based learning
A guide to games-based learningA guide to games-based learning
A guide to games-based learningLapSafe Products
 
A guide to ICT security in schools
A guide to ICT security in schoolsA guide to ICT security in schools
A guide to ICT security in schoolsLapSafe Products
 
Campus Laptop Security 2010
Campus Laptop Security 2010Campus Laptop Security 2010
Campus Laptop Security 2010stoptheft
 
A guide to simple school science experiments
A guide to simple school science experiments A guide to simple school science experiments
A guide to simple school science experiments LapSafe Products
 
Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)maditabalnco
 

Andere mochten auch (7)

A guide to using iPads in the classroom
A guide to using iPads in the classroomA guide to using iPads in the classroom
A guide to using iPads in the classroom
 
A guide to games-based learning
A guide to games-based learningA guide to games-based learning
A guide to games-based learning
 
A guide to ICT security in schools
A guide to ICT security in schoolsA guide to ICT security in schools
A guide to ICT security in schools
 
Campus Laptop Security 2010
Campus Laptop Security 2010Campus Laptop Security 2010
Campus Laptop Security 2010
 
Laptop physical security
Laptop physical securityLaptop physical security
Laptop physical security
 
A guide to simple school science experiments
A guide to simple school science experiments A guide to simple school science experiments
A guide to simple school science experiments
 
Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)
 

Ähnlich wie The Politics of IT Security: Laptop Theft in the Public Sector

The Health of IT Security - laptop theft within the health sector
The Health of IT Security - laptop theft within the health sectorThe Health of IT Security - laptop theft within the health sector
The Health of IT Security - laptop theft within the health sectorLapSafe Products
 
Ey managing-real-estate-cybersecurity
Ey managing-real-estate-cybersecurityEy managing-real-estate-cybersecurity
Ey managing-real-estate-cybersecuritycrazyivan389
 
Ethical, Legal and Social issues IoT
Ethical, Legal and Social issues IoTEthical, Legal and Social issues IoT
Ethical, Legal and Social issues IoTLuckeylama
 
INFORMATION ASSURANCE AND SECURITY 1.pdf
INFORMATION ASSURANCE AND SECURITY 1.pdfINFORMATION ASSURANCE AND SECURITY 1.pdf
INFORMATION ASSURANCE AND SECURITY 1.pdfEarlvonDeiparine1
 
The National Cyber Security Strategy: Success Through Cooperation
The National Cyber Security Strategy: Success Through CooperationThe National Cyber Security Strategy: Success Through Cooperation
The National Cyber Security Strategy: Success Through CooperationMark Johnson
 
Final cyber risk report 24 feb
Final cyber risk report 24 febFinal cyber risk report 24 feb
Final cyber risk report 24 febmharbpavia
 
2010 6 Things u need 2 know in 2010 Whitepaper Final
2010 6 Things u need 2 know in 2010 Whitepaper Final2010 6 Things u need 2 know in 2010 Whitepaper Final
2010 6 Things u need 2 know in 2010 Whitepaper FinalLarry Taylor Ph.D.
 
Living in the IT Era - Lesson 8.pptx
Living in the IT Era - Lesson 8.pptxLiving in the IT Era - Lesson 8.pptx
Living in the IT Era - Lesson 8.pptxFroilan Cantillo
 
Webinar - Security 2.0: A new way to deal with today’s security challenges in...
Webinar - Security 2.0: A new way to deal with today’s security challenges in...Webinar - Security 2.0: A new way to deal with today’s security challenges in...
Webinar - Security 2.0: A new way to deal with today’s security challenges in...Quiver
 
Fundamentals of information systems security ( pdf drive ) chapter 1
Fundamentals of information systems security ( pdf drive ) chapter 1Fundamentals of information systems security ( pdf drive ) chapter 1
Fundamentals of information systems security ( pdf drive ) chapter 1newbie2019
 
Internet Of Things Introduction
Internet Of Things Introduction Internet Of Things Introduction
Internet Of Things Introduction AARYAN GUPTA
 
The internet of things..perspectives for the Nigerian legal system
The internet of things..perspectives for the Nigerian legal systemThe internet of things..perspectives for the Nigerian legal system
The internet of things..perspectives for the Nigerian legal systemSimon Aderinlola
 
Telcos and ISPs Prepare For New Data Breach Disclosure Rules
Telcos and ISPs Prepare For New Data Breach Disclosure RulesTelcos and ISPs Prepare For New Data Breach Disclosure Rules
Telcos and ISPs Prepare For New Data Breach Disclosure RulesJohn Davis
 
White Paper: IoT Security – Protecting the Networked Society
White Paper: IoT Security – Protecting the Networked SocietyWhite Paper: IoT Security – Protecting the Networked Society
White Paper: IoT Security – Protecting the Networked SocietyEricsson
 
The Internet Of Things ( Iot And The Internet
The Internet Of Things ( Iot And The InternetThe Internet Of Things ( Iot And The Internet
The Internet Of Things ( Iot And The InternetMichelle Singh
 

Ähnlich wie The Politics of IT Security: Laptop Theft in the Public Sector (20)

The Health of IT Security - laptop theft within the health sector
The Health of IT Security - laptop theft within the health sectorThe Health of IT Security - laptop theft within the health sector
The Health of IT Security - laptop theft within the health sector
 
PC213.L3.pdf
PC213.L3.pdfPC213.L3.pdf
PC213.L3.pdf
 
Ey managing-real-estate-cybersecurity
Ey managing-real-estate-cybersecurityEy managing-real-estate-cybersecurity
Ey managing-real-estate-cybersecurity
 
Ethical, Legal and Social issues IoT
Ethical, Legal and Social issues IoTEthical, Legal and Social issues IoT
Ethical, Legal and Social issues IoT
 
INFORMATION ASSURANCE AND SECURITY 1.pdf
INFORMATION ASSURANCE AND SECURITY 1.pdfINFORMATION ASSURANCE AND SECURITY 1.pdf
INFORMATION ASSURANCE AND SECURITY 1.pdf
 
The National Cyber Security Strategy: Success Through Cooperation
The National Cyber Security Strategy: Success Through CooperationThe National Cyber Security Strategy: Success Through Cooperation
The National Cyber Security Strategy: Success Through Cooperation
 
Final cyber risk report 24 feb
Final cyber risk report 24 febFinal cyber risk report 24 feb
Final cyber risk report 24 feb
 
2010 6 Things u need 2 know in 2010 Whitepaper Final
2010 6 Things u need 2 know in 2010 Whitepaper Final2010 6 Things u need 2 know in 2010 Whitepaper Final
2010 6 Things u need 2 know in 2010 Whitepaper Final
 
Living in the IT Era - Lesson 8.pptx
Living in the IT Era - Lesson 8.pptxLiving in the IT Era - Lesson 8.pptx
Living in the IT Era - Lesson 8.pptx
 
Webinar - Security 2.0: A new way to deal with today’s security challenges in...
Webinar - Security 2.0: A new way to deal with today’s security challenges in...Webinar - Security 2.0: A new way to deal with today’s security challenges in...
Webinar - Security 2.0: A new way to deal with today’s security challenges in...
 
Fundamentals of information systems security ( pdf drive ) chapter 1
Fundamentals of information systems security ( pdf drive ) chapter 1Fundamentals of information systems security ( pdf drive ) chapter 1
Fundamentals of information systems security ( pdf drive ) chapter 1
 
Internet Of Things Introduction
Internet Of Things Introduction Internet Of Things Introduction
Internet Of Things Introduction
 
The internet of things..perspectives for the Nigerian legal system
The internet of things..perspectives for the Nigerian legal systemThe internet of things..perspectives for the Nigerian legal system
The internet of things..perspectives for the Nigerian legal system
 
Telcos and ISPs Prepare For New Data Breach Disclosure Rules
Telcos and ISPs Prepare For New Data Breach Disclosure RulesTelcos and ISPs Prepare For New Data Breach Disclosure Rules
Telcos and ISPs Prepare For New Data Breach Disclosure Rules
 
IE_ERS_CyberAnalysisReport
IE_ERS_CyberAnalysisReportIE_ERS_CyberAnalysisReport
IE_ERS_CyberAnalysisReport
 
B017531518
B017531518B017531518
B017531518
 
White Paper: IoT Security – Protecting the Networked Society
White Paper: IoT Security – Protecting the Networked SocietyWhite Paper: IoT Security – Protecting the Networked Society
White Paper: IoT Security – Protecting the Networked Society
 
MIS.pptx
MIS.pptxMIS.pptx
MIS.pptx
 
RESEARCH PAPER
RESEARCH PAPERRESEARCH PAPER
RESEARCH PAPER
 
The Internet Of Things ( Iot And The Internet
The Internet Of Things ( Iot And The InternetThe Internet Of Things ( Iot And The Internet
The Internet Of Things ( Iot And The Internet
 

Kürzlich hochgeladen

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 

Kürzlich hochgeladen (20)

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 

The Politics of IT Security: Laptop Theft in the Public Sector

  • 1. The Politics of IT Security Laptop Theft in the Public Sector Page 1
  • 2. Introduction In today’s fast-paced world where quick access to information is key, laptops, netbooks and tablets have become vital tools for public sector professionals. The use of mobile IT can increase flexibility and opportunities for remote working, but these desirable and costly devices are increasingly becoming the targets for organised and opportunistic theft. In 2011 alone, the Information Commissioner’s Office (ICO) has reported 22 laptops lost or stolen from public sector organisations and has fined some of the bodies responsible a total of £150,000. This white paper examines IT security within the public sector, including the problem of repeated laptop thefts, and offers practical advice for professionals to help them keep their mobile electronic devices safe. The facts In order to be able to fix a problem, it is necessary to understand it first. Although simply spouting statistics will not make laptop theft disappear, examining relevant data can help to put the sector’s problem into context and emphasis the need for preventative action. So, what are the facts? • In a recent report by the Ponemon Institute, the public sector experienced the third highest rate of laptop loss out of the 12 industries surveyed. • The NHS has been responsible for almost a third of all data security breaches reported to the Information Commissioner’s Office (ICO) since 2007, according to research by IT consultancy Hytec. • Between 1998 and 2008, 1,052 laptops were reported lost or stolen from Government departments. Remarkably, this figure does not include several departments, for example the Home Office, Foreign Office, Department for Transport and Department for Business, meaning that the number could actually be much higher. • In 2010, a total of 25 laptops were lost or stolen from the Home Office. To put this into context, the Ponemon Institute estimates that the average cost of one lost laptop is €35,284. • Laptops containing sensitive and confidential data are the most likely to be stolen, according to the Ponemon Institute. Laptop theft is clearly a very real and increasingly common issue for the public sector, but why should its professionals take IT security seriously? Cause for concern According to the Billion Euro Lost Laptop Problem, from the Ponemon Institute, only two per cent of the cost of a lost laptop is due to actually replacing the device. In fact, a staggering 80 per cent of the cost ensuing from a stolen machine will be incurred as a result of data breaches. Crooks that steal laptops from the public sector often do so because the information stored on the machines is worth more than their resell value. As a result, the consequences of laptop theft within the public sector can be much more serious than simply causing inconvenience to staff. If a laptop containing sensitive information about a council’s vulnerable clients, or confidential Government projects, falls into the wrong hands, the upshot could be devastating. Not only could deadlines be disrupted if desktop files or software is lost, but, if confidential Government files were leaked to the press, the ensuing public uproar could significantly damage a Page 2 1
  • 3. party’s or politician’s reputation. Even more worryingly, client and public safety could be severely compromised if sensitive personal details were passed on to blackmailers. What is more, laptop theft can be incredibly costly. Amongst other components, when the financial impact of lost productiv- ity, data breaches and forensics are taken into account, the Ponemon Institute estimates that the average cost of a missing laptop is a colossal €35,284. Moreover, not only will an organisation have to source equipment to replace stolen laptops, but councils, and other public sector authorities could face hefty fines. Since April 2010, the ICO has the authority to issue monetary penalties of up to £500,000 to those in serious breach of the Data Protection Act. As a result, the public purse may have to foot the bill for lapses in IT security at a time of economic hardship. In fact, this is exactly what happened in February 2011, when Ealing and Hounslow Councils were fined a total of £150,000 by the body, following the loss of two unencrypted laptops, containing the details of around 1,700 people. Public sector professionals, no matter what their job title, have a duty of care towards their clients and constituents to ensure their safety and protect their funding. In the case of processing personal information, this includes securing laptops, and the electronic data stored on them. Laptop theft and the law In fact, those that work in the public sector also have a legal obligation regarding IT security. In the UK, anyone that processes personal information, for example, someone that holds records detailing a person’s eth- nicity, political opinions or information about their health, must comply with the eight principles of the Data Protection Act. This legislation is designed to ensure that personal information is: • Fairly and lawfully processed • Processed for limited purposes • Adequate, relevant and not excessive • Accurate and up to date • Not kept for longer than is necessary • Processed in line with a person’s rights • Secure • Not transferred to other countries without adequate protection. In terms of laptop and mobile IT security, the seventh principal of the Data Protection Act is particularly important: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Consequently, organisations that hold or process personal data are legally required to secure and take steps to prevent the ‘accidental loss’ of personal information stored electronically. Organisations that breach this, or any other, principal in the Data Protection Act can incur substantial financial penalties from the ICO, meaning that councils, government departments and other public sector professionals could be penalised for the loss of unencrypted laptops. Page 3 2
  • 4. Preventing laptop theft IT theft can be costly, and potentially dangerous, but there are simple steps that those in the public sector can take to reduce the risk of it occurring. 1. Staff should take care to avoid accidentally advertising IT assets to thieves by refraining from discussing electronic devices on their organisation’s website, social networking sites or informing the local press when a lot of new equipment has been purchased. 2. When new equipment is bought, its packaging should be flattened, turned inside out and crushed before it is put outside with the rubbish, to avoid notifying potential thieves to a delivery. 3. IT equipment should never be left unattended, and laptops and PCs should be secured to a desk using a lockdown system or fixed to furniture, such as a radiator, with security cables when in use. Security cables slot into a laptop’s universal security slot and can be used to secure devices to any solid or fixed object. The cables are constructed of high-tensile steel and fitted with anti-drill locks to make it difficult for a thief to remove a laptop. Lightweight and portable, the cables are designed so that employees can carry them with them when working remotely or seeing clients and are a must-have security device for professionals that are constantly on the move. Laptop lockdowns secure machines in a highly visible way for theft deterrent. The devices lock laptops to desks in the open or closed position, enabling users to carry on working on the machines. Hindsight is a wonderful thing. Although it may be easy to criticise the mistakes of others, it is essential that we learn from them to stop the small mistakes, with potentially devastating consequences, from happening time and time again. Case Study: NHS North Central London In June 2011, an unencrypted laptop, containing the details of more than 8 million patients, was reported lost or stolen from a storeroom at the London Health Programmes, part of NHS North Central London. The laptop was one of 20 missing from the authority and contained details of cancer, HIV, mental illness and abortions that could be used by blackmailers. Although, reportedly, the data did not include patient names, it was feared that postcodes and information on gender, age and ethnic origins, that could potentially identify individuals, were also held on the laptop. At the time of writing, the theft was believed to represent the largest ever data breach in NHS history. Although NHS North Central London followed a procedure of deleting any sensitive electronic information once it had been processed, this policy was rendered useless because the laptop was taken before the data could be removed by staff. If the laptop was encrypted, the important data held on the machine would have been rendered largely useless to thieves. The Trust would have also been wise to invest in a purpose built cabinet constructed of reinforced steel to store their mobile IT in overnight, rather than locking them in a storeroom. Such cabinets are designed to resist crowbars and lock-picks and can also charge mobile IT devices if desired. Page 4 3
  • 5. 4. Encryption software should always be installed onto mobile IT devices, even if the authority it belongs to follows the policy of deleting information once it has been processed. If a thief steals a laptop before its contents can be destroyed, its information could still be accessed for illegal purposes. Encryption can protect patient records by scrambling data to make it difficult for unauthorised personnel to determine its meaning, often rendering it useless to thieves. 5. Although encryption is vital to protect data, it should not be relied upon alone. Some thieves will not stop at anything, not least encryptions, to access important information, and those that steal laptops from the NHS often do so because the data that they contain far exceeds their resell value. 6. Simply locking laptops in storage rooms will not keep them safe. Laptops and tablets are best protected in a secured lockable cabinet that can be bolted to the wall or floor. This cabinet should be constructed of reinforced steel, not wood or plastic, and be designed to resist crowbars, cutting equipment and lock-pickers. 7. It should be compulsory for staff to follow laptop and mobile IT security measures by incorporating procedures, and penalties for breaching these procedures, into your company handbook and employee contracts. An IT security policy should be issued to all staff, and employees should be required to sign this document to confirm their compliance. 8. Staff need to be made fully aware of their duties regarding laptop security, and this includes regularly explaining relevant policies through company communication channels, such as emails and newsletters, and offering adequate training. A manager should also be appointed to make sure that this tuition is being given, and that the security policies are being followed. 9. External IT technicians should always present ID before they are taken to service computers, and staff should ensure that they sign in and out. 10. When travelling with laptops on public transport, staff should avoid storing their laptops in luggage compartments, where devices could be taken by other passengers. Instead, laptops should be kept on laps or between feet. 11. Ensure that visitors are accompanied when they walk around the building and insist that all guests sign in and out. Case Study: West Sussex Council In July 2010, West Sussex County Council was criticised for the theft of an unencrypted laptop, containing the details of an unknown number of children. The laptop was stolen from the house of a council employee and was believed to be part of a group of 2,300 unencrypted laptops in use by the body. The Information Commissioner’s Office (ICO) condemned the council because the member of staff responsible for the loss had received no formal training in data protection or IT security. The case of West Sussex Council highlights the importance of regular and effective IT security training for all members of staff within an organisation. Not only should such training cover how public sector professionals can protect their laptops whilst in the workplace, but guidance should be given to staff about how to secure machines when working remotely. This includes securing laptops in the home and during transportation. Page 4 5
  • 6. 12. When out and about, staff should carry their laptops in anonymous bags or cases in order not to alert thieves to its contents. 13. Ideally, laptops and other mobile devices should never be left unattended in a vehicle because concealed areas like the boot or glove box will be the first places that thieves look. Laptops should always be accompanied by their owners and should never be left in a car overnight. It is far better to secure a laptop to furniture inside a building using a security cable. 15. Laptop theft should be reported to the police as soon as possible; the quicker the police are aware that confidential information has gone missing, the more likely it is that equipment will be recovered and that public sector organisations will not have to seek a replacement. In following the above guidelines, public sector professionals can take easy steps to mitigate IT security breaches within their organisations, protect client safety and avoid costly fines. Case Study: Hull and East Yorkshire Hospitals NHS Trust In February 2011, the Information Commissioner’s Office (ICO) served Ealing Council and Hounslow Council with monetary penalties totalling £150,000, following the theft of two unencrypted laptops. The ICO ruled that the councils had breached the Data Protection Act when the machines, containing details of around 1,700 individuals, were stolen from an employee’s home. Ealing Council provides out of hours service for both of the councils and uses laptops to record information about a variety of individuals. Although the stolen machines were password protected, they were unencrypted, despite each council having a policy in place that required this software to be installed on to all staff laptops. Ealing Council was fined £80,000 for breaching its own policy on data encryption after the ICO ruled that there were insufficient checks by the body to ensure that staff were complying with the security procedures in place. By contrast, Hounslow Council received a penalty of £70,000 for failing to have a contract in place with Ealing Council and neglecting to monitor the behaviour of its partner regarding laptop security. Unfortunately, these London councils could have avoided incurring such hefty fines, and risking client safety, by simply encrypting their data. In this case, the fact that the organisations acted in spite of their own policies and failed to encrypt data appears to be because employees were not aware of their obligations regarding IT security. To prevent this situation from happening in the future, public organisations need to maximise internal communications systems, for example emails and company newsletters, to explain to staff what they need to do to keep their IT safe. This communication should be regular and be supported by frequent training to ensure that all personnel understand the policy that they must follow. Public sector organisations should also ensure that these policies are outlined in the employee handbook and that there are appropriate disciplinary procedures in place to emphasise the seriousness of staff compliance. Page 6 5
  • 7. Conclusion With a workforce frequently on the move, laptops are an invaluable tool throughout the public sector, provided the correct security measures are in place for their use. If a computer is not encrypted and physically secured, there can be devastat- ing consequences, not to mention hefty fines, if its data falls into the wrong hands. Putting IT security into practice does not have to be time consuming or costly, but it is essential. It is hoped that this white paper will help to emphasise the importance of employing physical security solutions for mobile IT and will go some way towards preventing future cases of laptop theft from the public sector. Appendix The Politics of IT Security white paper has been compiled using information from the following sources: ‘More than 1,000 government laptops lost or stolen, new figures show’, The Guardian, 4 March 2008, http://www.guardian. co.uk/politics/2008/mar/04/2 ‘West Sussex council criticised over laptop theft’, BBC, 8 July 2010, http://www.bbc.co.uk/news/10561538 ‘Councils fined for unencrypted laptop theft’, The Information Commissioner’s Office (ICO), 8 February 2011, http://www. ico.gov.uk/news/latest_news/2011.aspx ‘Missing: Laptop with 8.6million medical records’, The Sun, 15 June 2011 http://www.thesun.co.uk/sol/homepage/news/3637704/Missing-Laptop-with-86million-medical-records.html ‘NHS on Amber alert’, Risk-uk.com http://www.risk-uk.com/newsdetail.php?newsID=327 The Billion Euro Lost Laptop Problem, The Ponemon Institute and Intel, April 2011 http://antitheft.intel.com/Libraries/Documents/The_Billion_Euro_Lost_Laptop_Problem.sflb.ashx‘ ‘Lost, stolen and recovered mobiles, laptops and removable media’, The Home Office, 23 May 2011, http://www.homeof- fice.gov.uk/publications/about-us/transparency/lost-mobiles-laptops-media/ ‘Data Protection Act 1998’, Legislation, http://www.legislation.gov.uk/ukpga/1998/29/section/9A Resources Readers of The Politics of IT Security might also find these resources helpful: ‘Is your IT in safe hands?’, Government Technology, July 2011 http://www.governmenttechnology.co.uk/features2/ item/2580-is-your-it-in-safe-hands ‘ICT Security Tips For Public Sector Professionals’, Egovmonitor.com, 28 June 2011 http://www.egovmonitor.com/ node/42549 ‘NHS should physically lock-down their laptops’, PublicService.co.uk, 16 June 2011http://www.publicservice.co.uk/fea- ture_story.asp?id=16782 Page 6 7