Leader: Missing laptops and lazy risk management

Has the government really got this so wrong?
Written by silicon.com staff, Contributor

1: The UK government is losing worrying numbers of laptops from key departments.

2: The bodies concerned aren't taking a thorough approach to risk management.

The first point comes from a recent silicon.com Freedom of Information enquiry - or enquiries, to be precise, as we had to approach more than half a dozen departments separately.

The second is really our opinion. But then that is what these articles are all about.

Two departments, Defra and the Department of Health, told silicon.com in response to the enquiry that they do not differentiate between 'lost' and 'stolen' laptops - an approach that ignores one of the most critical elements of risk assessment.

The two departments saw 17 and 18 laptops go astray respectively over the past 12 months but appear to have failed to ask the right questions about how or why.

After all, a laptop that is dropped in the River Thames, for example, poses a far lesser risk than a laptop which is stolen by somebody targeting that specific laptop owner outside their place of work.

Companies must understand where their problem sits on a sliding scale, because this isn't even as black and white as 'lost' or 'stolen'. At what point does a lost laptop become stolen? And even within the bracket of 'stolen' laptops it is vital to break it down further and understand exactly what has happened.

Was that laptop stolen by an opportunist who thinks they can get £100 'from that bloke down the pub', or was it a targeted theft, which suggests the endgame is accessing information on that device? Factors such as location must play a part in drawing up a clear idea of the level of risk: a theft outside the office is far more worrying than one that happens while the owner is sitting outside a restaurant several miles from the office.

Similarly, organisations must correlate these factors with what they know of the data on the laptop and the way it is protected, all the time asking themselves 'how likely is it that data is going to be accessed and how likely is it this theft will come back to haunt us?'.

Too many organisations seem to assume the story ends when an employee reports their laptop missing. Fill in a form, order a replacement and move on. But in truth the story could only just be beginning.
