A car mechanic in Southport (UK) has been contacting clients, warning them of the possibility of a data breach. As a small business (his database contained 600 customers, some going as far back as 23 years), he might have been under the impression that hard drive encryption for his laptop was not necessary. Many small and medium-sized enterprises probably share this belief. The realization that this might not be the case swiftly follows a data breach.
Thief Just Walked in From Street
According to the owner of the Autofix Centre, he was momentarily escaping the fumes from painting a van when he realized his laptop computer was missing. A review of footage from a security camera shows a man walking in from the street and taking the laptop. Just like that. Unfortunately, noise from the painting equipment masked the goings-on in the background.
The owner of the car shop, Gordon Mawdsley, has been in business for 13 years at his current location, with his client database going back 23 years. He says he’s been on the phone ever since the incident, telephoning customers to warn them of the possible risk.
Who would have predicted such a thing happening to Mawdsley? Almost no one (I add the word “almost” because we’ve got 7 billion people on the planet; there’s always a chance someone somewhere made the prediction). However, the common man (and woman) knows that it would have happened to someone at some point. And from a security perspective, that’s what matters, isn’t it?
It Started with Actuarial Science
In the 1600s, John Graunt noticed that, in a given age range, the mortality rates were about the same, year to year. That is, if 15% of the population lived to the 50- to 69-year age-range this year, that was probably the case last year and for the following year as well.
This was the beginning of actuarial science and the modern insurance business: you don’t need to know who’s going to die when and how, all you need to know is that a certain percentage will live to a certain age.
I bring this up because the purpose of life insurance (in theory) is to protect oneself. You don’t know how, when, or where, but you know it’s going to happen at some point. The purpose behind encryption software is also protection: you don’t know how, when, or where a laptop will go missing, but you know it’s going to happen at some point.
Most companies carry insurance (and in certain regions or countries, all companies do so). Why would they not automatically do the same for encryption when it comes to computerized data?