Read all about IT...

Visit this regularly updated page for:


  • Monthly features on exciting new Business IT Products and IT services available from Grant McGregor.
  • Interesting news about our Edinburgh-based IT Support company.
  • Current news articles from our IT Partner websites - GFI Software, Softek, Microsoft, Miniframe, Steljes, and Insight.

 

You can also browse through a range of relevant articles on current global IT issues, by clicking on our web links to popular online IT publications and technology websites.



Grant McGregor News - March 2011

Data Encryption - Counting the cost of inaction.

Loss of data on stolen laptops and mislaid USB sticks no longer leads to merely being named and shamed in the press...or slapped on the wrist!


February 2011 saw the second wave of substantial fines from the Information Commissioner's Office (ICO) over breaches of the Data Protection Act. After November 2010's first landmark cases, where financial penalties were issued to a County Council for ‘serious incidents’ and to an employment services company for the loss of an unencrypted laptop, two more councils have now been fined for the loss of unencrypted laptops.

One, Ealing Council, was fined £80,000, while Hounslow Council was fined £70,000. In both cases, a third-party service that works for the councils lost two laptops containing sensitive information when they were stolen from the home of an employee. While both laptops were password protected, they were not encrypted, which was in breach of the policies of both councils. In spite of there being no evidence to suggest that the data was accessed, the ICO ruled that Ealing Council breached the Act by providing an unencrypted laptop to an employee in breach of its own policies. This had been in place for several years and the ICO reported that there were insufficient checks that relevant policies were being followed or understood by employees.

Deputy Commissioner, David Smith, said: “Of the four monetary penalties that we have served so far, three concern the loss of unencrypted laptops. Where personal information is involved, password protection for portable devices is simply not enough. The penalty against Hounslow Council also makes clear that an organisation can't simply hand over the handling of the personal information it is responsible for to somebody else unless they ensure that the information is properly protected.”

What's particularly interesting in this case though is that Ealing Council actually had a policy in place requiring all data to be encrypted, something which they'd evidently failed to roll out across the whole organisation. “Every organisation in the UK needs to get the message that the ICO is serious about security breaches. There are technical measures organisations can take to try and make laptops more secure when they are lost or stolen. Until organisations get the message these fines will continue.”

With four fines already issued, the ICO seems keen to make its point, but it remains to be seen whether such warnings will be taken seriously. If lessons are to be learned the hard way, it seems clear that the ICO will not be turning a blind eye. The maximum possible fine, though, is £500k, so the ICO has much room for heftier penalties in the future. There are many more examples of organisations who have fallen foul of unencrypted laptops and loss of sensitive data.

Perhaps the fines will serve as a wake-up call to organisations; they now need to ensure they have robust policies and processes in place for managing, storing and securing information and that their staff are trained to use these processes. To leave data unprotected is a dereliction of duty and the clear message is that action must be taken to protect data and to ensure that data is protected.

Since the ICO has presented an approximate average cost of £80 per record breached through these fines, it becomes possible to calculate the cost of action compared to inaction. Given these facts, now is perhaps a great time to be an IT manager looking to make the case for data protection.

There are some signs of a positive impact from these rulings; large parts of the government are starting to adopt encryption using software solutions such as FIPS accredited DriveCrypt and also ensuring employees give a legitimate reason for taking any information outside the organisation. In all likelihood, these fines and actions by the ICO will continue until this practice becomes the norm and not the exception. Securstar's DriveCrypt Enterprise product provides a centrally managed, secure, automatic full disk encryption solution to organisations of all sizes. It is deployed in minutes, and provides total protection for loss or theft of data stored on Laptops, PCs and Servers.
Learn more about DriveCrypt hard disk encryption software from Securstar.



It's not just failure to encrypt laptops that causes potential data breaches...

A survey of dry cleaners in the UK has found that more than 17,000 USB sticks were left behind in 2010.

Sean Glynn of Credant Technologies, who conducted the research, said that the results were 'staggering'. “Inevitably, unsuspecting consumers leave USB sticks behind, creating a potential risk for their employers if these devices have proprietary information on them and end up in the hands of criminals,” he said.

“Such technologies are available today in the market, offering the centralised detection, encryption, auditing and compliance reporting that organisations need to ensure the protection of their data. With the best intentions in the world, the reality is devices are often left behind and the information they contain could be devastating if disclosed. Organisations need to plan for this when developing their security strategies.”

Fully hardware encrypted USB sticks such as Blockmaster's SafeStick are available in a variety of sizes to provide CESG, CCTM Government certified, AES256 CBC military level hardware encryption of all data. An Enterprise Management console also enables IT security personnel to apply security policies, remotely kill lost sticks, recover lost passwords, backup data, audit use, deploy apps and more.


However, having encrypted USB keys available to users does not prevent unencrypted USB sticks from being used on the network. Having so-called 'endpoints' open on the network (such as USB ports) can lead to data being deliberately or unwittingly taken off the organisation's systems on a portable device such as a USB stick or even an iPod or mobile phone. A variety of endpoint security, device management or port lockdown solutions exist to counter this threat. These solutions are often called Data Loss Prevention software and include tools such as DeviceLock and GFI EndPoint Security, soon to be known as GFI Device Warden. They are designed to detect and prevent the unauthorised use and transmission of confidential information via network endpoints.




What about the data that is sent over email?

In sharing sensitive information, high security and ease of use do not usually go together. Consider how you would transfer a large confidential file to an external recipient quickly and without taking the risk that the file might be read or captured, fail to reach the recipient at all or simply jam your network. Although apparently straightforward in terms of ease of use, email is not the best way to send secure documents, files, data or intellectual property. Large file attachments can be a problem, they may need to be encrypted, and quite often mailbox policies are in place which restrict the size of emails people can send or receive. Also, sending files by email is NOT guaranteed and receipt of the files cannot be proven. The use of alternatives such as FTP still requires lots of authorisation and access codes to be set up by both parties. More and more organisations are implementing managed file-transfer products as an effective strategy to ensure that confidential information is not exposed.

One solution that appears to be ideal for communicating with partners, clients or employees, sister companies or external service providers is CryptShare. Whenever you need to share confidential files, but you do not have an influence on the IT infrastructure of your communication partner, CryptShare can provide an immediate solution. Encrypted transfer from your company to your partners is made easy, and equally so for your partners to send files to you. Installed in minutes on a server inside your network, users simply use a web browser. Organisations can empower their staff to very simply and safely exchange files with business partners, customers or even with each other, without having to install client software, swap security certificates or drown email servers.

CryptShare

A user simply uploads a file up to 2Gb in size to the system. CryptShare then automatically emails the recipient telling them that the file is available for them to download. The sender receives an email back confirming when the file has been downloaded by the recipient, providing a full, legal audit trail. This eliminates all email mailbox attachment security, size limits and support issues, and reduces email storage / archiving requirements and resource usage too. Learn more about CryptShare encryption file transfer software.

