Interlocking security

If ever a case highlighted the need for a systematic approach to information
security, it was the theft from the car of an Ernst & Young auditor’s laptop
containing the credit card details and addresses of more than a quarter of a
million customers of in the US. Sure, he should never have left the
laptop in his car, but even if he had taken it with him there was always a risk
of theft or loss.

The incident demonstrates that encrypting data is important, but encryption
alone is not enough. Users still put passwords like ‘password’ or ‘Dell’ under
the lid of the laptop or on the battery pack.

Data security requires a holistic approach. It’s as much about mindset as
about the need for passwords, secure ID tokens and encryption.

Security should be considered from all angles: physical, personnel,
procedural, technical, policy and regulatory. Most companies rely on the
physical and technical alone.

A good starting point for accountancy firms reviewing security is the ISO/IEC
27001 international standard. For example, checks should always be carried out
on potential new recruits. According to the DTI, a quarter of companies don’t
carry out any background checks when recruiting and one in eight does nothing to
educate staff about their security responsibilities.

It’s not good enough to give a laptop to someone who is always on the road
and tell them never to leave it in their hotel room. This sort of ‘no choice’
edict simply brings a security policy into disrepute. Everyone will have to
ignore it in order to do their jobs. If an auditor regularly has to leave a
laptop in a car for good reason, the company should provide a secure storage

Ignoring security can have expensive consequences. Loss of sensitive personal
information counts as a breach of the Data Protection Act (1998) and can result
in a hefty fine. Quite apart from that, the damage to the reputation of a
company can be enormous.

All aspects of security should be considered together, so controls support
and mitigate each other and a failure of one does not invalidate the others.
That way, if an employee leaves a laptop in their car – against company policy –
its theft will not be disastrous if, say, the computer is protected by a
token-based two-factor authentication and encryption system, with the token
always in the user’s possession.

Kerry Davies is managing director of Echelon Consulting

Related reading