2008 hasn't really started any better than 2007 finished - a laptop is stolen from the boot of a car, containing 600,000 personal data records - heaping data disaster upon data disaster. Reality says that laptops will be stolen, even when we think they are secure. I've had a laptop stolen from a hotel room, as have many friends and colleagues, and I know of friends and colleagues who've had laptops stolen from cars, or worse*.
While it's wise to do everything to avoid theft (I always use a Kensington lock on my laptop in hotels now), the other important step is to minimise the impact of the loss. According to the BBC news report "Teachers put pupil data at risk", which was prompted by research by RM, teachers in nearly half of England's primary schools back up pupil data on CDs and memory sticks, which they then take out of school. The survey of 933 schools found only 1% of respondents were encrypting the data. And I'm pretty sure that you'll have the same - is there a member of the management team in your university who takes home a complete copy of your student database each night on their laptop?
So what can you do to avoid becoming the next headline?
The information that I wrote last October on data security is still accurate today, and contains an action plan, but here's a very quick reminder of two ends of the scale:
- It should be absolutely non-negotiable that anybody using a laptop for work (which will probably have some personal data on it) should always have to type in a password at logon. Do all of your university laptops conform? Do all laptops used by staff in the university conform, even if they are not owned by you? Has anybody 'tweaked' the system to avoid having to type their password in every time? I know it's a pain (I will admit that I used TweakUI to automatically log on to my home PC, but changed that a couple of years ago when I realised what would happen if my computer was stolen) but it's an important basic step.
- At the other end of the scale, if you have staff taking home personal data which it would embarrass you to lose, then use encryption of one kind or another.
If it's a spreadsheet or document file, encrypt the file. (Under the "Prepare - Document for Distribution" menu in Office 2007)
If it's a complex database, or series of data files, then you should consider encrypting the whole file storage system, stopping people from easily accessing the data. Windows Vista Enterprise Edition (which is the version you normally license in education) has BitLocker built in, which allows you to ensure that all files are encrypted (without it becoming a hassle for your users - see Russell's video).
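
As an added example (not part of the original post, and not a Microsoft-supplied tool), here is one way to check a single Windows laptop for the two controls in the list above: that automatic logon has not been switched on, and that its drives are BitLocker-protected. It assumes an elevated PowerShell session and, for the disk check, a Windows version that ships the Get-BitLockerVolume cmdlet; the function names are made up for this illustration.

```powershell
# Added example: audit one laptop for automatic logon and BitLocker protection.
# Function names are illustrative; run from an elevated PowerShell prompt.

function Get-AutoLogonState {
    # Winlogon registry values that control automatic logon.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $w = Get-ItemProperty -Path $key -ErrorAction Stop
    [pscustomobject]@{
        AutoLogonEnabled     = ($w.AutoAdminLogon -eq '1')
        AutoLogonUser        = $w.DefaultUserName
        # True when a password is stored in this key in clear text (the value is never printed).
        PlaintextPasswordSet = [bool]$w.DefaultPassword
    }
}

function Get-UnprotectedVolume {
    # Assumption: the BitLocker cmdlets are installed; older systems need another check.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        Write-Warning 'Get-BitLockerVolume is not available here; check BitLocker status another way.'
        return
    }
    # Keep only volumes whose BitLocker protection is not switched on.
    Get-BitLockerVolume |
        Where-Object { $_.ProtectionStatus -ne 'On' } |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
}

$logon = Get-AutoLogonState
if ($logon.AutoLogonEnabled) {
    Write-Warning "Automatic logon is enabled for '$($logon.AutoLogonUser)'; no password is asked for at start-up."
}
if ($logon.PlaintextPasswordSet) {
    Write-Warning 'A DefaultPassword value is stored in the registry in clear text.'
}

$unprotected = @(Get-UnprotectedVolume)
foreach ($v in $unprotected) {
    Write-Warning "Volume $($v.MountPoint) is not BitLocker-protected (status: $($v.VolumeStatus))."
}

if (-not $logon.AutoLogonEnabled -and -not $logon.PlaintextPasswordSet -and $unprotected.Count -eq 0) {
    'No automatic logon found and no unprotected volumes reported.'
}
```
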
This is potentially quite a boring subject, but the alternative to doing something is that you go through quite an 'exciting' time, like HMRC.
We've been through it ourselves - read our Trustworthy Computing web site for more about our security journey.
* Worse: One friend took his laptop into a supermarket (to avoid leaving it in his boot) and had it stolen from his trolley. Or so he thought. When the security staff at the supermarket watched the CCTV tapes, to help him find the thief, it appeared he'd walked in with an empty trolley. So where was the laptop? On the roof of his car...
Before you laugh too hard, I bet you've heard of people leaving phones on the roof of their car, and driving off...