The Information Commissioner’s Office (ICO) has announced today that it has fined Glasgow City Council £150,000 following the loss of two laptops because neither had any encryption software applied.
The fine follows an incident where two laptops were stolen from Council offices during refurbishment. To complicate matters, the Council had already been made aware of the risks of theft, and although one laptop was locked in a storage drawer, the key to the drawer was kept insecurely alongside the second laptop.
The investigation into the two stolen laptops revealed that the Council had issued a large number of devices without any encryption and, although many of these were later encrypted, 74 remain unaccounted for (and without encryption), with at least six known to have been stolen. Two years previously the Council had been issued with an enforcement notice following the loss of unencrypted memory sticks.
Kevin Macdonald, the ICO’s Assistant Commissioner for Scotland said:
To find out that these poor practices have returned some two years later shows a flagrant disregard for the law and the people of Glasgow. The council should be held to account, and the penalty goes some way to achieving that.
It is staggering to think that in such a short time, the Council has managed to fall into such bad habits around basic security principles.
Encryption is the essential last resort for IT
Security – be it around IT hardware, portable devices (laptops, tablets or phones), documents, people, or anything else – is built on a framework of overlapping security controls. The idea is that if one control fails, security is still in place because the other controls still work.
When it comes to portable IT assets – especially laptops – the sad truth is that they are at significantly greater risk of loss or theft than pretty much anything else in your inventory. Users will consistently circumvent your physical security controls (e.g. leaving them on trains, forgetting to lock drawers, etc.), and they are an attractive target for criminals.
This means it is essential that you assume they will be stolen and ensure that encryption is part of every single build.
Four main lessons
There are a lot of lessons that can be learned from the fine issued to Glasgow City Council, so you should take this opportunity to review your processes and see where you can improve.
The four main take-away points from this are:
- Ensure all portable devices are encrypted. With laptops this should be whole-disk encryption at a minimum; for tablets or smartphones your mobile device management policy should include mandatory file encryption and strong passwords.
- Ensure all your employees are properly trained in how to care for portable devices and how to use your security furniture. Keys must always be properly secured.
- Maintain a working, accurate asset register. Without it you don’t even know if your devices have been lost / stolen.
- Have a functioning risk management process in place which is able to respond to changing threat levels (such as the reports of increased crimes) and is able to drive security practices within your business.
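To make the first and third lessons concrete, here is an added example (not from the original post) that reconciles a portable-device asset register against an endpoint encryption report and flags exactly the gaps the ICO found: known devices running without whole-disk encryption, registered devices that never report in, and stolen devices with no evidence of encryption. Both CSV inputs and their column names are constructed for illustration, not any particular tool's format.

```python
"""Reconcile an asset register against a whole-disk encryption report."""
import csv
import io

# Constructed asset register: every laptop the organisation has issued.
ASSET_REGISTER = """asset_tag,device,assigned_to,status
GCC-0001,laptop,Alice,in_use
GCC-0002,laptop,Bob,in_use
GCC-0003,laptop,Carol,stolen
GCC-0004,laptop,Dave,in_use
GCC-0005,laptop,Erin,unknown
"""

# Constructed endpoint-management report: last check-in and disk encryption
# state. Devices that never check in simply do not appear here.
ENCRYPTION_REPORT = """asset_tag,disk_encrypted,last_seen
GCC-0001,yes,2013-06-01
GCC-0002,no,2013-05-30
GCC-0004,yes,2013-06-02
GCC-9999,yes,2013-06-02
"""


def load(csv_text, key="asset_tag"):
    """Parse CSV text into a dict keyed by asset tag."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(csv_text))}


def is_encrypted(report, tag):
    """True only if the report positively confirms whole-disk encryption."""
    return report.get(tag, {}).get("disk_encrypted", "").lower() == "yes"


def reconcile(register_text, report_text):
    """Return the findings a risk review needs, as sets of asset tags."""
    register, report = load(register_text), load(report_text)
    registered, reporting = set(register), set(report)
    return {
        # Known devices that check in but are not encrypted: fix these first.
        "unencrypted": {t for t in registered & reporting if not is_encrypted(report, t)},
        # Registered devices that never report: lost, stolen, or never built.
        "unaccounted": registered - reporting,
        # Devices reporting in that the register knows nothing about.
        "unregistered": reporting - registered,
        # Stolen devices with no evidence they were encrypted: a likely breach.
        "stolen_without_encryption": {
            t for t in registered
            if register[t]["status"] == "stolen" and not is_encrypted(report, t)
        },
    }


if __name__ == "__main__":
    for finding, tags in reconcile(ASSET_REGISTER, ENCRYPTION_REPORT).items():
        print(f"{finding}: {sorted(tags)}")
```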
Without these four simple steps, your security activity is fundamentally undermined and it is only a matter of time before you suffer a loss and (if it relates to personal data) a penalty from the Information Commissioner.
Security must never be seen as a cost to your business; it is there to protect against greater losses and allow you to continue to operate. Cutting corners is not a good use of your resources and, as we keep saying, unless you put aside enough resources to deal with the inevitable security breaches, it is a massive risk management failure.
Implementing encryption would have been a lot cheaper for Glasgow City Council.