Full Disk Encryption Missing On USB Memory Stick: UK Home Office Data At Risk, Again.

Ah, the UK Home Office. In recent weeks, it’s become to me what “W” has become to Jon Stewart and The Daily Show: my meal ticket. Granted, in this case, it’s not really the Home Office department that’s to blame, but contractors. The Home Office did everything it should have, e-mailing a database of criminals’ records that was encrypted (probably with the use of file encryption software like AlertBoot) to the contractors. The problem was, once the contractors received the information, they decrypted the info and saved it to a USB flash drive unencrypted. Using full disk encryption on that memory device would have been a boon towards ensuring information security.


Otherwise, it’d be like an armored Brink’s vehicle bringing in a truckload of money and the receiving party stuffing it inside their mattress, believing that the mattress will always be there. (Surprise! We got you a new mattress because the old one was…all clumpy and not cushy. It was time to replace it, anyway. The goods-receiving party: Noooooooooooooo!)


The baffling thing, to me at least, is the fact that these consultants decided to save something in an unencrypted format.  It seems to me that it would be logical to just save the encrypted file to the memory stick…until I remembered that consultants actually have to expend some energy working, contrary to whatever clichés you may have heard.


My guess is that the consultants copied over the information from the format the Home Office department was using to whatever the consultants were using for doing their jobs. Of course, once you do this, you need to encrypt the new file, which becomes a problem if you don’t have any encryption software solutions at your company. It also doesn’t make sense to ask the Home Office to encrypt it for them because that defeats the purpose of having the file encrypted when it was e-mailed originally—you’d have to e-mail the unencrypted file back to them.


I don’t know how it works in the UK, but in the US, there are federal requirements when a company bids for a project.  For example, any companies that want to send in an RFP (request for proposal) for infrastructure projects must have engineers on staff who’ve passed the engineer in training exam, in addition to PEs—or at least that’s what I was told by professors who encouraged our graduating class to take the exam.  Perhaps it’s high time that governments also include in their requirements that companies bidding for projects that deal with sensitive data be equipped with encryption software.


Of course, it’s one thing to have a way to encrypt data; it’s something else to have people use it.

