Leader: Hammering home the message of laptop security

Auction site leaks and corporate stupidity must stop...

There are two approaches to laptop security. First, there is the technological approach. Encryption, secure log-ins, one-time passwords, token authentication - all have their merits.

Then there is the common sense approach, which also complements the former approach very well - just don't lose the thing in the first place.

Don't walk away from your laptop in a busy departure lounge and assume it will be safe for thirty seconds. Don't even put it down beside you unguarded as you read your newspaper at the train station. Laptops have a habit of going missing very quickly under such circumstances.

One security firm, Pointsec Mobile Technologies, this week uncovered the dangers of such lax approaches to security. The company found that 70 per cent of laptops it bought at auction contained recoverable data and that much of that data was sensitive company information.

And worse still, it would appear people losing laptops aren't even bothering to ring up to see if they have been handed in - not if the number of laptops being auctioned off by airport and train station lost property operations is anything to go by.

Perhaps the person assumes 'oh well, it's insured' - but while the £1,000 replacement cost may not hit home too hard, there is no accounting for the cost of the information on the hard drive falling into the wrong hands.

Pointsec bought a number of laptops from a lost property auction at Gatwick airport as well as from internet sites such as eBay and other public auctions.

Among the delights they found on the laptops were 77 Excel spreadsheets with the names of customers at a major insurance firm. The spreadsheets also included addresses, phone numbers, dates of birth and log-in details and passwords.

To a competitor such details would be gold-dust. For the company concerned it represents an unforgivable lack of respect for its customers' data and privacy.

So what can we do about this? Well, in the case of lost laptops that are recovered and sold at auction, a little more determination on the part of the person who lost it to get it back would be a start. As a CFO or CEO or even a shareholder, you would be pretty irate to hear an employee had lost 'the keys to the safe'. You would be even more irate to find out they hadn't done everything within their power to recover those 'keys'.

But what about that trade in recovered second-hand laptops and PCs? For years the police have been auctioning off goods recovered from thefts, and other organisations - such as the aforementioned airports and train stations - have been doing likewise. But should laptops that are recovered or passed on post-theft be sold without first being wiped of any data?

How far removed is this from a breach of data protection or the handling of stolen goods? Perhaps there should be a law stating that anybody selling second-hand laptops - or any storage device - must be responsible for ensuring it is wiped entirely or face legal action under the Data Protection Act.

It's a sad day when we find ourselves discussing measures to protect people from their own stupidity (which is often the case where lost or unsecured laptops are concerned) but as a society, as a set of individuals whose details are stored on an unknown number of laptops, in unknown locations and in the hands of an unknown number of individuals, isn't this something we should be considering?
