MoD laptop loss should cause an evaluation of its security policy
Following the report of a laptop being lost by the Ministry of Defence, claims have been made that its overall security needs to be re-evaluated.
Stephen Midgley, vice president of global marketing at Absolute Software, claimed that the real concern was the lapse in technical security and protocol in that a laptop was – apparently – left unattended along with the encryption keys.
He said: “High-profile organisations like the MoD need to be totally on top of their security – leaving no spaces for error. Encryption alone is not enough, especially when the keys to decode encryption files are also left exposed to prying thieves.
“The real question – and concern – for the MoD: do they know what data was on the missing device and is now accessible to someone outside of the MoD? If they do not, then the MoD will have great difficulty in determining the scope and magnitude of this security breach.”
Sean Glynn, product manager at Credant Technologies, claimed that the report was ‘jaw-dropping in its apparent lack of common sense’. He said: “It is one thing to have excellent encryption on a laptop, but it's entirely another to have the security key – presumably a USB stick or similar – located along with the machine.
“This smacks of lax security on a scale that is breathtaking in its crassness. There is little or no point in having encryption on a portable device if the authentication key is stored with the machine.
“If the MoD can't vet its own staff and stop these thefts happening - and also fail to implement an understanding of why and how security systems operate in its staff - then what hope is there for civilian organisations?”
Midgley agreed with these points, commenting that the ability to track, manage and protect both the devices and the data on them is paramount to maintaining security in this increasingly mobile environment.
“Organisations of all sizes, whether private or public, are faced with the daunting challenge of managing data that often travels beyond the confines of a physically secure environment, such as an office building,” said Midgley. “Organisations, as part of a layered approach to security, require the ability to remotely track devices both on and off the network and be able to communicate with them in a situation when the device is triggered to be missing.”
Commenting, Rodney Joffe, senior vice president and senior technologist of Neustar, said: “The MoD is not an organisation of 1,000 people, it is a huge company with lots of departments feeding into it and I will take a bet that any department it happened to doesn't happen again to. There is no substitute for experience.
“In the department that lost the laptop, someone got a report from an IT manager saying we get all of the training and the new standards and requirements and understand it.”