If you lost your laptop this morning what would you be worried about?
It is a good question, isn’t it? Inconvenience springs to my mind. How long would it take to get a new one sorted out? In the office, IT could probably sort me out with an old desktop. I could log on to the network but most if not all of my documents are on my own hard drive. I am not great at saving to the shared drives.
So it is going to be a mess.
Not to mention the embarrassment of admitting it. And reporting it. And just how am I going to do that presentation on Thursday with no laptop? Which incidentally I have to re-write because the file was only saved on the laptop. No backups.
And then I realise something else. Lots of things are on that laptop. The staff budget for a start. A lot of salary information, even National Insurance numbers. That big confidential contract. I saved that to the hard drive so that I could go through it one last time over the weekend. Oh and I used it to do my personal banking... what about my own account details?
Scary isn’t it? I have never lost a laptop or had one stolen but I know lots of people who have. And of course many a data breach has been caused by this sort of thing. Stolen laptops give up their secrets in the wrong hands.
And yet, guess what? When we change our laptops, do we give a second thought to the old one? I have given mine back to IT loads of times, and never worried about it at all. It was safe, in the hands of the professionals.
Redundant things are forgotten about. You have your new toy and the old one gets tucked away somewhere. In the old storeroom with that broken chair, 3 old desktops, that old server, the table that used to be in the conference room, an old projector. When we replace the accounts PCs in April we will think about having a clear out.
And so the risk calculator rises up into the red right there. We have company assets, all neatly recorded in a register by the financial controller, but he has no idea where each one is. It is just within the company somewhere. He will only be told if it is disposed of. And the person responsible for company data, the nominated data controller, is not worrying about stuff in the IT store. It is safe enough. No one ever goes in there.
So life goes on. You replace the accounts PCs and a fax machine in the sales office dies. The store is quite full but everyone is flat out rolling out Windows upgrades. Clearing out the storeroom is not a priority.
And then the board approves the new budget and you can replace all the laptops, get those new servers and upgrade the mobile phones. The whole team are flat out on procurement, working to a deadline, and young Damian is told to clear out the storeroom. Get someone in, Damian; recycle like it says on the company website. ACME Widgets PLC support the environment.
Damian is a willing lad, of course. Bright too. He has his NVQ in IT and everything. He has a word with the boss to check his brief and does some research. There are rules. You cannot just dump this stuff, and you need to think about the data.
And this is where it all goes Pete Tong of course. It is now down to luck who Damian rings and what he is told. If he is the conscientious sort, he might do ok, but if he is just a box ticker, and if the boss expects to get his storeroom cleared for free, ACME Widgets could be about to lose more than one laptop. They could be about to help the criminals load them into the van. And they would be none the wiser until they hear the Mongol hordes ride into the car park and see Genghis Khan leap out of the saddle, scimitar in hand.
Ironic really. Leaving one laptop on a train is careless, giving 20 to Arthur Daley is negligent. One allows you to claim on the insurance, the other gets you a £500k fine. But which do we actually worry about most?
I once had an employment contract which stated that I must not leave company property in the boot of my car. They meant the laptop. Now you could add in the smartphone I suppose. They were intent on taking disciplinary action if negligence allowed a theft. I am sure someone in HR is writing a clause or two about bringing your own devices into work these days, and using the company Wi-Fi to do all sorts of things that might cause a data breach. Meanwhile, down in the storeroom, Arthur Daley is picking up another load of redundant IT equipment for free.
It’s not as if people have not been fined for this sort of thing. The deterrent is there. But it does not happen enough to worry anyone. The threat is not as ‘real’ as someone breaking into your car and stealing your laptop.
We all carry our data around with us and theft or just plain misplacement is a daily problem if, like me, your brain is addled with age. I can barely remember my name, let alone where I put my phone so you can see the problem. But what has to happen to raise the awareness of what can happen when we throw things away?
For your sake, I hope it is not a £500k fine.
Did you hear Genghis on the radio this morning? The Daily Mail have done an exposé on pension data being freely available on the dodgy deals front and Chris Graham rolled up on the Today programme threatening beheadings and £500k fines to all and sundry. There was a huge assumption made that all the data involved had been collected illegally.
That may well be true but the story the journalists should be following up is how this data is collected and what permissions are being granted by the consumer at the time. For instance, a lot of the data was allegedly mortgage application data. If a box has been ticked (or not unticked) to say the data can be used for marketing purposes, it is not illegal data and it is just another Daily Mail scare story.
More on this subject another day.