If you lost your laptop this morning, what would you be worried about?
It is a good question, isn’t it?
Inconvenience springs to my mind. How long would it take to get a new one
sorted out? In the office, IT could probably sort me out with an old desktop. I
could log on to the network but most if not all of my documents are on my own
hard drive. I am not great at saving to the shared drives.
So it is going to be
a mess.
Not to mention the embarrassment
of admitting it. And reporting it. And just how am I going to do that
presentation on Thursday with no laptop? Which incidentally I have to re-write
because the file was only saved on the laptop. No backups.
And then I realise something
else. Lots of things are on that laptop. The staff budget for a start. A lot of
salary information, even National Insurance numbers. That big confidential
contract. I saved that to the hard drive so that I could go through it one last
time over the weekend. Oh and I used it to do my personal banking...what about
my own account details?
Scary isn’t it? I have never lost
a laptop or had one stolen but I know lots of people who have. And of course
many a data breach has been caused by this sort of thing. Stolen laptops give
up their secrets in the wrong hands.
And yet, guess what? When we
change our laptops, do you give a second thought to the old one? I have given
mine back to IT loads of times, and never worried about it at all. It was safe,
in the hands of the professionals.
Redundant things are forgotten
about. You have your new toy and the old one gets tucked away somewhere. In the
old storeroom with that broken chair, 3 old desktops, that old server, the
table that used to be in the conference room, an old projector. When we replace
the accounts PCs in April we will think about having a clear out.
And so the risk calculator rises
up into the red right there. We have company assets, all neatly recorded in a
register by the financial controller, but he has no idea where each one is. It
is just within the company somewhere. He will only be told if it is disposed
of. And the person responsible for company data, the nominated data controller,
is not worrying about stuff in the IT store. It is safe enough. No one ever
goes in there.
So life goes on. You replace the
accounts PCs and a fax machine in the sales office dies. The store is quite full
but everyone is flat out rolling out Windows upgrades. Clearing out the
storeroom is not a priority.
And then the board approves the
new budget and you can replace all the laptops, get those new servers and
upgrade the mobile phones. The whole team are flat out on procurement, working
to a deadline, and young Damian is told to clear out the storeroom. Get someone
in Damian; recycle like it says on the company website. ACME Widgets PLC
support the environment.
Damian is a willing lad, of
course. Bright too. He has his NVQ in IT and everything. He has a word with the
boss to check his brief and does some research. There are rules. You cannot
just dump this stuff, and you need to think about the data.
And this is where it all goes
Pete Tong of course. It is now down to luck who Damian rings and what he is
told. If he is the conscientious sort, he might do ok, but if he is just a box
ticker, and if the boss expects to get his storeroom cleared for free, ACME
Widgets could be about to lose more than one laptop. They could be about to
help the criminals load them into the van. And they would be none the wiser
until they hear the Mongol hordes ride into the car park and see Genghis Khan
leap out of the saddle, scimitar in hand.
Ironic really. Leaving one laptop
on a train is careless, giving 20 to Arthur Daley is negligent. One allows you
to claim on the insurance, the other gets you a £500k fine. But which do we
actually worry about most?
I once had an employment contract
which stated that I must not leave company property in the boot of my car. They
meant the laptop. Now you could add in the smartphone I suppose. They were
intent on taking disciplinary action if negligence allowed a theft. I am sure
someone in HR is writing a clause or two about bringing your own devices into
work these days, and using the company wifi to do all sorts of things that
might cause a data breach. Meanwhile, down in the storeroom, Arthur Daley is
picking up another load of redundant IT equipment for free.
It’s not as if people have not
been fined for this sort of thing. The deterrent is there. But it does not
happen enough to worry anyone. The threat is not as ‘real’ as someone breaking
into your car and stealing your laptop.
We all carry our data around with
us and theft or just plain misplacement is a daily problem if, like me, your
brain is addled with age. I can barely remember my name, let alone where I put
my phone so you can see the problem. But what has to happen to raise the
awareness of what can happen when we throw things away?
For your sake, I hope it is not a
£500k fine.
PS
Did you hear Genghis on the radio this morning? The Daily Mail have done an exposé on pension data being freely available on the dodgy deals front and Chris Graham rolled up on the Today programme threatening beheadings and £500k fines to all and sundry. There was a huge assumption made that all the data involved had been collected illegally.
That may well be true but the story the journalists should be following up is how this data is collected and what permissions are being granted by the consumer at the time. For instance, a lot of the data was allegedly mortgage application data. If a box has been ticked (or not unticked) to say the data can be used for marketing purposes, it is not illegal data and it is just another Daily Mail scare story.
More on this subject another day.