Goto Blog Home PageRevell Research Systems: Alastair Revell's Web Log
On this page....
<January 2020>

RSS 2.0     Atom 1.0     CDF

Blog Roll
About Alastair Revell
Alastair Revell is the Managing Consultant of Revell Research Systems, a Management and Technology Consulting Practice based at Exeter in the United Kingdom.
Contact Alastair Revell
 EMail Revell Research Systems Limited Email Me
Legal & Other Notices
Sign In
The material published in this web log is for general purposes only. It does not constitute nor is it intended to represent professional advice. You should always seek specific professional advice in relation to particular issues. The information in this web log is provided "as is" with no warranties and confers no rights. The opinions expressed herein are my own personal opinions.

Web Log Home | Welcome to this Web Log | Using this Web Log | New to Blogs? | About Revell Research Systems | Contact Details

Review Entries for Day Saturday, November 18, 2006

This morning's article on the BBC News website that 11 million customers of the Nationwide Building Society in the UK have had their identities put at risk is a reminder to businesses that laptop and PDA security should be high on their agendas.

A considerable amount of similar data is held on many organisations' laptops and PDAs across the country. Indeed, most laptops are only secured with a password and anyone familiar with the various cracking tools readily available on the Internet will know just how easy it is to gain access to such machines.

Very few firms actually consider encrypting data on their laptops to defend against exactly this sort of scenario, but doing so would mitigate the risk considerably.

Many firms are allowing and even encouraging their staff to carry PDAs (which I do believe is more than appropriate, being something of an advocate for them). However, I am often alarmed at just how few insist that they should even be minimally secured with a simple password and even more alarmed at the poor grasp of the security issues that those that carry them actually have. As a matter of course, PDAs carry names and addresses of individual contacts, which obviously is a data protection issue.

The problem is that it doesn't become an issue until a laptop or PDA is lost or stolen. It is then that the reality dawns about just how bad the situation could be, but by then the damage has already been done.

Although I doubt that the laptop's data was looked at in this case, with the laptop probably being reformatted and sold on by the thief as quickly as possible, it won't be long before criminals start considering the potential value of the data on stolen devices. I suspect we will start to see cases where companies are blackmailed and an accelerating trade in illegally obtained data. Indeed, I am prepared to predict that we will see laptops and PDAs stolen to order because the potential value of the personal banking details of 11 million people is considerably greater and apparently easier to obtain than other items that might traditionally be stolen in a domestic burglary (which according to the BBC was how the Nationwide's laptop was stolen).

It also occurs to me while writing this article that this builds on a theme that seems to be unintentionally developing in this blog concerning the general cavalier attitude that financial institutions seem to have towards their customer's security. (For instance, my article on Bank Fraud in July.) I note from the BBC's article that the Nationwide have taken three months getting around to telling their customers about the incident.

Another alarming factor about the Nationwide case is the sheer number of people that must be affected. 11 million people represents almost one in five of the UK population, which is very close to every household in the country being affected statistically speaking.

Furthermore, I find it staggering that the Nationwide actually allowed an employee to leave their offices with so much data. It would have been considerably more alarming if the data had contained authentication details such as PIN numbers and passwords...

The problem with data like this is that its just another file on the disk - something pretty insignificant to look at in Windows Explorer and easily forgotten about. My experience is that most people have considerable difficulty in remembering what files they do have on their disks, so I am a bit alarmed that this data might not have been the only important things stored on the Nationwide laptop.

One would imagine that banks and building societies take considerable care in securing their customers' data. Indeed, the same level of care that the government might take storing the details on each and everyone of us in the proposed national identity card database.

The casual ease with which this data fell into the wrong hands has important ramifications for us all...

More about Alastair Revell

Saturday, November 18, 2006 11:59:15 AM (GMT Standard Time, UTC+00:00)  #
Comments [0] General | Security | Trackback

Comments are closed.
RSS 2.0 Feed If you enjoyed reading an article on this blog, why not subscribe to the RSS 2.0 feed to receive future articles?
Revell Research Systems Logo Visit the Revell Research Systems Web Site if you want to learn more about this management and technology consulting practice.