SC Total Security Conference: ICO talks about need for encryption
The Information Commissioner's Office (ICO) has talked about the need for encryption to be used efficiently and for businesses to be aware of their dataset.
Speaking at the SC Magazine Total Security Conference in London, Dr Simon Rice, principal policy adviser (technology) at the ICO, said that many simple mistakes are being made that lead to investigations and ultimately, monetary penalties.
Rice highlighted the 19 monetary penalties issued to businesses, saying it was "19 too many" and it was "not something that the office enjoys doing and it does not represent everything that we do".
He said: “What can we learn from these? There are many things that are essentially lacking and encryption of mobile devices is one and in the future, mobile and tablets are a high priority area. Our research found that 48 per cent of the drives we purchased from auctions and clearances contained information, 11 per cent of which was personal data.”
He claimed that the fine against Brighton and Sussex University Hospitals NHS Trust in June, where hard drives containing sensitive patient information were sold by a third party who had been tasked to destroy the data, showed that "lessons had been learned".
“There were no checks to what they were paying the third party to do. Security steps were not being taken, it is about choosing difficult passwords, websites storing passwords in plain text or poor coding practises,” he said.
He said that a problem lies with legacy websites being insufficiently tested and maintained, and often policy exists but it is not followed, particularly with encryption.
He said: “Full disk encryption exists in newer operating systems, but users buy a new laptop but they are not aware of it. I heard of someone having full disk encryption but leaving their laptop open on a train unlocked. We ask can you prove your laptop was encrypted? You have got a policy, but what audit trails do you have? If it is just basic encryption and not data encryption then it is still on the disk.”
He concluded by encouraging delegates to audit their data to know what they have got, especially after security breaches of data that a business was not aware of.
“So audit, see what data is there and what is appropriate to what industry standard. Also, get a third opinion via a vulnerability scan or penetration tester to make sure of what you might not be aware of,” he said.