HSE And Bord Gáis Still Not Encrypting Laptops

This is beyond stupid and irresponsible now.  I’m tired of seeing these stories.  A few days ago we heard that 15 laptops were stolen from the HSE, 2 of which were unencrypted and contained personal information of patients.  Now we hear that 4 unencrypted laptops with 75,000 customers’ banking details were stolen from Bord Gáis.

What the hell is new about encrypting laptops anymore?  It should be a matter of practice: Buy/build a laptop and encrypt it.  But oh no, these lazy organizations don’t want to do that or some inept managers just don’t care.

Brendan Drumm of the HSE should be sacked (without his massive pay rise) anyway.  But we were promised all laptops would be encrypted by September of last year.  Was that done?  No.  Who would think a government agent would lie or fail like that?  SACK HIM!

We need some new laws:

  1. It should be mandatory to encrypt all business laptops by law.  Trying to get just those with personal data hasn’t worked.  Data movement is too fluid.
  2. There should be employment law protection for whistle blowers; that’s needed anyway, e.g. in the financial system.
  3. It should be a mandatory requirement for the Data Protection Commissioner to prosecute the directors of companies where unencrypted laptops are stolen.  There will be a fixed, non-negotiable punishment.  That’ll get ‘em worried.
  4. Failure to prosecute will be a prosecutable offense regardless of whether the Data Protection Commissioner is still in office or not.  Prosecution will be mandatory, as will the punishment.  That’ll take care of the cronyism that’s rife in our country.

Organisations like the HSE probably have MS Software Assurance.  If so, they can deploy MS’s Windows Enterprise edition and enable BitLocker.  If not, go have a look at a 3rd party solution.
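Enabling BitLocker is only half the job; the other half is proving it is actually on, because a promised rollout is not an encrypted fleet. The following audit script is an added example, not something from the original post or from the HSE: it assumes Windows 8/Server 2012 or later on the laptops (where the BitLocker PowerShell module exists), PowerShell Remoting enabled, an account with local administrator rights, and the hostnames below are constructed placeholders.

```powershell
# Added example: audit BitLocker status on a list of Windows laptops and report
# every operating-system volume that is not fully encrypted with protection on.
# Assumptions: Windows 8/Server 2012+ targets, PS Remoting enabled, admin rights.
# Hostnames are constructed placeholders, not real machines.
$Laptops = @('LAPTOP-PLACEHOLDER-01', 'LAPTOP-PLACEHOLDER-02')

$Report = Invoke-Command -ComputerName $Laptops -ErrorAction SilentlyContinue -ScriptBlock {
    $Tpm = Get-Tpm
    foreach ($Vol in Get-BitLockerVolume) {
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            MountPoint       = $Vol.MountPoint
            VolumeType       = $Vol.VolumeType         # OperatingSystem or Data
            VolumeStatus     = $Vol.VolumeStatus       # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            ProtectionStatus = $Vol.ProtectionStatus   # On / Off (Off also while protectors are suspended)
            Percent          = $Vol.EncryptionPercentage
            Protectors       = ($Vol.KeyProtector.KeyProtectorType -join ',')
            TpmReady         = $Tpm.TpmReady
        }
    }
}

# An OS volume is a finding unless it is FullyEncrypted AND protection is On:
# a disk still "encrypting", or one with protectors suspended, is an unencrypted laptop.
$Findings = $Report | Where-Object {
    $_.VolumeType -eq 'OperatingSystem' -and
    ($_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On')
}

$Findings | Format-Table Computer, MountPoint, VolumeStatus, ProtectionStatus, Percent, Protectors, TpmReady -AutoSize

# Laptops that did not answer are unknowns, not passes; treat them as findings too.
$Unreachable = $Laptops | Where-Object { $_ -notin $Report.PSComputerName }
if ($Unreachable) { Write-Warning ("Not reachable, status unknown: " + ($Unreachable -join ', ')) }
```

A volume whose Protectors column lacks a RecoveryPassword entry is worth a second look as well, since a lost TPM or PIN then means lost data rather than a recoverable laptop.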

2 thoughts on “HSE And Bord Gáis Still Not Encrypting Laptops”

  1. It should be taken further than that Aiden. I believe that there needs to be a centralized IT body put in place for ALL government agencies that is solely responsible for the management of the datacenter(s), desktops and associated security, and that body needs to report directly to a minister responsible for IT Strategy in Gov’t and Industry. Further, any private organization that has personal data needs to adhere to the same strict standards that will be put in place for Gov’t to protect the public.

  2. I wouldn’t disagree with that at all. It could certainly reduce costs. I’d also think that a steering board made up of experts from private industry should be involved to provide top level best practice advice.

    Paul Hearns from CompuScope was on Newstalk 106-108 earlier talking about this. The presenter tried to excuse the HSE on this matter but he was having none of it. Rightly, he said a large organisation should find deploying this stuff easier. Centralised policy can force encryption out with little human intervention, e.g. BitLocker via GPO or 3rd party agents via ConfigMgr, etc.
