Last week the UK Ministry of Defence (MoD) revealed that three laptops containing thousands of potential recruits’ personal data have been stolen from its possession over the past two years. Defence Secretary Des Browne, in explaining the event, told parliament that although the MoD has strict data protection systems in place, procedures had not been followed, allowing the thefts to take place.
“The MoD has clear policies, systems and procedures in place to protect the security of information – both personal data and classified information,” Browne says.
“We have software protection through encryption and a formal information security process through which individual IT systems and the databases they contain must be accredited by the appropriate MoD authorities.
“Our internal investigations following this theft reveal that those procedures were not followed. This was a breach of MoD security regulations.”
Browne told MPs he has appointed a senior data protection officer to ensure MoD practices and procedures are of the highest possible standard. He has also asked Information Advisory Council chairman Sir Edmund Burton to conduct an independent review of the circumstances that led to the ‘systematic failures’.
In the lead-up to the overhaul of the MoD’s security practices, Elizabeth Clifford-Marsh of Army Technology asked Gary Clarke, EMEA vice president of SafeNet, an information security company specialising in encryption technologies, for his thoughts on the UK MoD’s current position and what he thinks the defence force can do to reduce such risk in future.
ECM: Do other countries or organisations handle private data better than the UK MoD?
GC: The US Government has already mandated encryption protection for sensitive data on discs, laptops and workstations but this does not happen in the UK.
It is essential that we take notice of effective preventative steps being taken by other organisations and the US procedures are something we should consider adopting here. The government has revealed the data contained in the stolen laptops was not encrypted.
ECM: What type of security measures should have been in place?
GC: Everyone accepts that random theft can happen but people do expect that in the event of a theft at the very least the organisation would have data encryption policies in place so even if the mobile devices are stolen, the data is safe.
Firstly, the organisation should have mandatory encryption policies in place for any data that leaves the building. All employees should be fully aware of the robust rules and regulations regarding data handling.
Secondly, organisations should ensure that all data set to be transported outside of the building is encrypted beforehand.
ECM: Is there a case for not storing this type of information on a portable device?
GC: We live in a mobile working world where the company is no longer defined by firewalls. The problem is that too many security policies have not caught up with this shift in working culture.
The important thing is to adjust security policies to take account of this. And if data has to be transported on a portable device then we expect that the correct security measures will be in place.
The Ministry of Defence is charged with our defence and protection and should maintain the highest standards of security at all times. Encryption and security measures should be embedded into the very heart of the organisation and this should always include protecting sensitive data.
ECM: What lessons can be learned from this incident?
GC: The ongoing problem of sloppy data security has occurred across several government departments over the last few months. Lessons need to be learned from this so that these problems can be avoided at all costs.
Sadly this is not the first example of the government losing vital data. We have already seen private details of junior doctors published online and data on nearly half the population lost in the post by HMRC.
However, I hope that this disaster will be seen as a wake-up call to departments to start implementing the correct policies and encryption procedures. Nobody is saying that theft can be prevented but what we do expect is that the people we trust with our most vital personal details do everything in their power to protect it.
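The interview argues that data leaving the building should be encrypted beforehand so that a stolen laptop yields nothing useful. The following Go program is an added illustration of what "encrypted beforehand" means in practice; it is not code from the MoD, SafeNet or Army Technology and does not reflect whatever tooling the MoD uses. It seals a record under a passphrase-derived key with AES-256-GCM, so that a wrong passphrase or any modification of the stored bytes is rejected rather than producing garbage. The file layout (a `MODENC1` marker, salt, nonce, ciphertext), the PBKDF2 iteration count and the sample recruit record are all assumptions made for the example; PBKDF2 is written out by hand only so the program needs nothing beyond the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	magic      = "MODENC1" // assumed file marker, chosen for this example
	saltLen    = 16
	nonceLen   = 12     // standard GCM nonce size
	iterations = 100000 // assumed work factor; raise it in real deployments
)

// pbkdf2SHA256 returns a 32-byte AES-256 key from a passphrase and salt.
// It is a minimal PBKDF2-HMAC-SHA256 (one output block, which is exactly
// 32 bytes) written here so the example runs with only the standard library.
func pbkdf2SHA256(passphrase, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, passphrase)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under passphrase. Output: magic || salt || nonce || ciphertext+tag.
// The header is bound to the ciphertext as associated data, so an attacker
// cannot swap the salt or nonce without the tag check failing.
func Seal(passphrase string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	gcm, err := newGCM(pbkdf2SHA256([]byte(passphrase), salt, iterations))
	if err != nil {
		return nil, err
	}
	header := append(append([]byte(magic), salt...), nonce...)
	return append(header, gcm.Seal(nil, nonce, plaintext, header)...), nil
}

// Open reverses Seal. A wrong passphrase and a tampered blob are
// indistinguishable to the caller: both fail the GCM tag check.
func Open(passphrase string, blob []byte) ([]byte, error) {
	hdrLen := len(magic) + saltLen + nonceLen
	if len(blob) < hdrLen || !bytes.HasPrefix(blob, []byte(magic)) {
		return nil, errors.New("not a sealed record")
	}
	header := blob[:hdrLen]
	salt := header[len(magic) : len(magic)+saltLen]
	nonce := header[len(magic)+saltLen:]
	gcm, err := newGCM(pbkdf2SHA256([]byte(passphrase), salt, iterations))
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, nonce, blob[hdrLen:], header)
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered record")
	}
	return pt, nil
}

func main() {
	// Constructed sample record; not real data.
	record := []byte("recruit=J. Smith;dob=1989-04-12;postcode=SW1A 2AA")
	blob, err := Seal("correct horse battery staple", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes into %d bytes\n", len(record), len(blob))

	if _, err := Open("password1", blob); err != nil {
		fmt.Println("wrong passphrase:", err)
	}
	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag, as a thief editing the file might
	if _, err := Open("correct horse battery staple", blob); err != nil {
		fmt.Println("tampered file:", err)
	}
}
```

The security of this scheme rests entirely on the passphrase strength and the work factor: the salt defeats precomputed tables and PBKDF2 slows guessing, but a short passphrase on a stolen laptop is still brute-forceable offline, which is why whole-disk encryption products normally tie the key to a hardware token or TPM rather than a memorised secret alone.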