The BBC reports that 24,369 UK citizens were affected by the theft of a laptop computer belonging to an employee of A4e, a training company. While the associated risk is considered low, those affected are being notified as a precaution. It goes without saying that full disk encryption software like AlertBoot would have been a better choice than waiting for a breach to occur…but then, how do you control employees who won’t follow policies?
Laptop Stolen from Home
The laptop was stolen from the employee’s home. It was a personal computer, and contained names, postcodes, dates of birth, and court awards to customers of Community Legal Advice Centers operated by A4e.
Isn’t that ironic? Sending out data breach notification letters is essentially an admission that data protection rules were not followed, and here we have a company that offers legal advice sending out its own notification letters. Of course, the incident says less about A4e’s competence than about the difficulty of controlling employee behavior.
What prompted the employee to save such information to his laptop? A4e is “examining how its data security procedures were breached so it can ensure it does not occur again.” The problem with such an approach is that the next breach is not going to look like this one. What it will almost certainly have in common with this one is an employee who didn’t follow the rules.
Monitoring Employees, Running Checks
Employees need to be monitored. This does not mean tracking every minute detail of employee behavior. Rather, a plan must be put in place to ensure that security objectives are being met. In other words, don’t keep track of what Jane and Bob are doing; keep track of where that sensitive file is going (this way, you also fend off accusations of being Orwellian and Big Brother-ish).
Likewise, you must do the same to ensure that your data protection tools are working. For example, AlertBoot has a laptop encryption audit report built right in, expressly so that you, or an administrator, can keep track of which computers are protected.
If you have one computer that requires protection, you don’t really need such a report. If you have 25 computers or more, you’ll see its importance, especially if you’re routinely monitoring and running checks, which allows you to head off potential problems before they turn into breaches.
For example, there is encryption software out there that can be turned off by employees…and some do just that. This is not a problem for AlertBoot, since encryption can only be uninstalled by an administrator (of course, you still need to run checks and audits regardless, which is why the reporting engine comes in handy); but you can see why a report that updates itself on encryption status would be handy for the more “liberal” encryption software out there.
Which I don’t understand in the first place. Isn’t one of the more valid reasons for deploying disk encryption the fact that employees don’t follow the rules? What’s the use of encryption software that can be turned off by those same employees?
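To make the “routinely run checks” idea concrete, here is a small fleet audit script. It is an added example written for this post, not AlertBoot’s reporting engine or any vendor code; the inventory format (hostname, user, encryption flag, last check-in time) is an assumption about what an endpoint agent might report, and the sample records are constructed. It flags exactly the cases the paragraphs above worry about: a machine whose encryption has been turned off, a machine that has stopped checking in, and a machine that never reported at all.

```python
"""Fleet disk-encryption audit (added example, not AlertBoot code).

Given an inventory of endpoint reports, list every machine whose protection
cannot be confirmed: encryption disabled, status unknown, never reported, or
not seen recently enough. The record layout below is an assumption.
"""
from datetime import datetime, timedelta

# Constructed sample inventory, as an endpoint agent might report it.
INVENTORY = [
    {"host": "lt-001", "user": "jane", "encrypted": True,  "last_seen": "2009-06-10T08:00:00"},
    {"host": "lt-002", "user": "bob",  "encrypted": False, "last_seen": "2009-06-10T09:30:00"},  # turned off
    {"host": "lt-003", "user": "amy",  "encrypted": True,  "last_seen": "2009-05-01T12:00:00"},  # gone quiet
    {"host": "lt-004", "user": "raj",  "encrypted": None,  "last_seen": None},                    # never reported
]

# Reference time for the sample run (constructed) and the check-in tolerance.
NOW = datetime(2009, 6, 11)
MAX_AGE = timedelta(days=14)


def audit(inventory, now=NOW, max_age=MAX_AGE):
    """Return a list of (host, reason) findings; an empty list means every
    machine is encrypted and has checked in within max_age."""
    findings = []
    for rec in inventory:
        host = rec["host"]
        if rec["last_seen"] is None:
            # No report at all: we cannot claim this machine is protected.
            findings.append((host, "never reported"))
            continue
        last_seen = datetime.fromisoformat(rec["last_seen"])
        if now - last_seen > max_age:
            # A stale report is not evidence of current protection.
            findings.append((host, f"stale: last seen {last_seen.date()}"))
        if rec["encrypted"] is False:
            findings.append((host, "encryption disabled"))
        elif rec["encrypted"] is None:
            findings.append((host, "encryption status unknown"))
    return findings


def summary(inventory, now=NOW, max_age=MAX_AGE):
    """Dashboard counts: total machines, confirmed-protected, and flagged."""
    flagged = {host for host, _ in audit(inventory, now, max_age)}
    return {"total": len(inventory), "ok": len(inventory) - len(flagged), "flagged": len(flagged)}


if __name__ == "__main__":
    for host, reason in audit(INVENTORY):
        print(f"{host}: {reason}")
    print(summary(INVENTORY))
```

The point of the stale-report check is that an audit report is only as good as its freshness: a laptop that reported “encrypted” six weeks ago and has not been heard from since belongs on the exception list right next to the one whose encryption was switched off.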