Kerry Davis

If ever a case highlighted the need for a systematic approach to information security, it was the theft from the car of an Ernst & Young auditor’s laptop containing the credit card details and addresses of more than a quarter of a million customers of hotels.com in the US. Sure, he should never have left the laptop in his car, but even if he had taken it with him there was always a risk of theft or loss.

The incident demonstrates that encrypting data is important, but encryption alone is not enough. Users still put passwords like ‘password’ or ‘Dell’ under the lid of the laptop or on the battery pack.

Data security requires a holistic approach. It’s as much about mindset as about the need for passwords, secure ID tokens and encryption.

Security should be considered from all angles: physical, personnel, procedural, technical, policy and regulatory. Most companies rely on the physical and technical alone.

A good starting point for accountancy firms reviewing security is the ISO/IEC 27001 international standard. For example, checks should always be carried out on potential new recruits. According to the DTI, a quarter of companies don’t carry out any background checks when recruiting and one in eight does nothing to educate staff about their security responsibilities.

It’s not good enough to give a laptop to someone who is always on the road and tell them never to leave it in their hotel room. This sort of ‘no choice’ edict simply brings a security policy into disrepute. Everyone will have to ignore it in order to do their jobs. If an auditor regularly has to leave a laptop in a car for good reason, the company should provide a secure storage box.

Ignoring security can have expensive consequences. Loss of sensitive personal information counts as a breach of the Data Protection Act (1998) and can result in a hefty fine. Quite apart from that, the damage to the reputation of a company can be enormous.

All aspects of security should be considered together, so controls support and mitigate each other and a failure of one does not invalidate the others. That way, if an employee leaves a laptop in their car – against company policy – its theft will not be disastrous if, say, the computer is protected by a token-based two-factor authentication and encryption system, with the token always in the user’s possession.

Kerry Davies is managing director of Echelon Consulting

Like this story? Spread the news by clicking below:

 del.icio.us     Digg this     reddit!