Is your IT in safe hands?

In June, NHS North Central London became the latest public sector organisation to admit to an IT security breach that could put individuals at risk. An unencrypted laptop, containing details of more than 8 million patients, was one of 20 machines reported stolen from a storeroom at its London Health Programmes department, and held information on cancer, HIV, mental illness and abortions.
Although the reported theft may represent the largest data violation in NHS history, the fact that the London Health Programmes failed to learn from the countless mistakes made by others is, perhaps, even more disappointing. In July last year, West Sussex Council was criticised for the theft of an unencrypted laptop, containing the details of an unknown number of children. Just months later, a Freedom of Information request revealed that a staggering 75 per cent of the 226 pieces of IT equipment lost or stolen from Scottish public sector bodies was unencrypted.
What is more, it was only back in February that Ealing and Hounslow Councils were fined a total of £150,000 by the Information Commissioner’s Office (ICO), following the theft of two laptops. Since April 2010, the ICO has had the authority to hand out penalties of up to £500,000 to organisations in serious breach of the Data Protection Act.
So why is laptop theft becoming so common within the public sector? With security blunders well publicised, is it that organisations fail to take heed and implement preventative measures? Or is the problem due to a lack of clear guidance and anti-theft advice?
Although causes are likely to be numerous, there is no escaping the fact that, with hospitals, local and central government processing sensitive information, laptop loss from public sector organisations can lead to serious consequences. In addition to hefty fines, vulnerable people, or confidential projects, could be put at risk if sensitive data falls into the wrong hands.
Public sector professionals, no matter what their job title, have a duty of care towards their clients and constituents, and this includes securing laptops, and the electronic data stored on them. So, how can those in local and central government keep their IT equipment safe?
In order to answer this question, it is essential to determine exactly how organisations have got their IT security wrong in the past. In the case of the Ealing, Hounslow and West Sussex authorities, the ICO ruled that, although the councils had IT security procedures in place, each organisation had acted in breach of its own regulations.
Although any ‘rule book’ should cover both how devices should be secured within the workplace and when working remotely, security guidelines can only be effective if people are aware that they exist. It is paramount that training is provided to ensure that every member of staff understands what they need to do to protect IT assets and acts accordingly. A manager should be appointed to regularly check that this tuition is being given, and that policies are updated when new equipment is purchased.
Aside from a lack of training, neglecting to encrypt mobile devices is perhaps the biggest trap that many public sector bodies have fallen into. Even if an organisation claims to delete data once it has been processed, as was the case at the London Health Programmes, this procedure does not protect sensitive information if the device is taken before personnel can remove the data from it. Encryption keeps documents safe by scrambling the data on the device, so that a thief cannot read it without the key.
Encryption is an effective, easy and low cost way to ensure that important information remains confidential, but public sector professionals should not rely on it alone. Determined thieves will let nothing, least of all encryption, stop them from trying to access valuable information, and those who steal laptops from the public sector often do so because the data the machines contain is worth far more than the machines themselves. In fact, research by the Ponemon Institute shows that only two per cent of the cost of a stolen laptop is incurred by actually replacing it.
In order to keep IT equipment truly secure, and even prevent it from going missing in the first place, organisations should deploy physical restraints. As staff at NHS North Central London discovered, simply locking devices in a storeroom will not keep them safe. Laptops and tablets are best protected in a secure, lockable cabinet that can be bolted to the wall or floor, especially overnight. This cabinet should be constructed of reinforced steel, not wood or plastic, and be designed to resist crowbars, cutting equipment and lock picking.
While laptops are in use, they should be fixed to furniture with security cables. Staff should never leave equipment unattended, and should avoid discussing IT assets on their organisation’s website or on social networking sites, or telling the local press when new equipment has been purchased.
Laptop theft within the public sector is fast approaching an epidemic, and those in local and central government must act now to guard against it. IT security does not have to be time consuming or costly, but implementing preventative measures is vital to protect clients, constituents and the already strained public purse.
Mark Exley is General Manager for Product Development at ICT security specialist LapSafe® Products.