Is your data at risk?

2008 hasn’t really started any better than 2007 finished – a laptop is stolen from the boot of a car, containing 600,000 personal data records – heaping data disaster upon data disaster. Reality says that laptops will be stolen, even when we think they are secure. I’ve had a laptop stolen from a hotel room, as have many friends and colleagues, and I know of friends and colleagues who’ve had laptops stolen from cars, or worse*

While it’s wise to do everything to avoid theft (I always use a Kensington lock on my laptop in hotels now), the other important step is to minimise the impact of the loss. According to the BBC news report “Teachers put pupil data at risk”, which was prompted by research by RM, teachers in nearly half of England’s primary schools back up pupil data on CDs and memory sticks, which they then take out of school. The survey of 933 schools found only 1% of respondents were encrypting the data. And I’m pretty sure that you’ll have members of the leadership team in your school who take home a complete copy of your pupil database each night on their laptop (hint: go and look at the laptop belonging to the timetabler first).

So what can you do to avoid becoming the next headline?

The information that I wrote last July on data security is still accurate today, and contains an action plan, but here’s a very quick reminder of two ends of the scale:

  • It should be absolutely non-negotiable that anybody using a laptop for school work (and which will therefore have some personal data on it) should always have to type in a password at logon. Do all of your school laptops conform? Do all laptops used by staff in school conform, even if they are not school owned? Has anybody ‘tweaked’ the system to avoid having to type their password in every time? I know it’s a pain (I will admit that I used TweakUI to automatically log on to my home PC, but changed that a couple of years ago when I realised what would happen if my computer was stolen) but it’s an important basic step.
  • At the other end of the scale, if you have staff taking home personal data which it would embarrass you to lose, then use encryption of one kind or another.

    If it’s a spreadsheet or document file, encrypt the file (under the “Prepare – Document for Distribution” menu in Office 2007).

    If it’s a complex database, or series of data files, then you should consider encrypting the whole file storage system, stopping people from easily accessing the data. Windows Vista Enterprise Edition (which is the version you normally licence in education) has BitLocker built in, which allows you to ensure that all files are encrypted (without it becoming a hassle for your users – see Russell’s video).
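One way to check a single laptop against the two points above, as an added example that is not part of the original post: a PowerShell script, run from an elevated prompt, that reports whether automatic logon is switched on and whether each volume is BitLocker-protected. The function names are made up for this example, and it assumes a current Windows with PowerShell 3.0 or later; the Winlogon registry values and the `Win32_EncryptableVolume` WMI class are the standard Windows ones.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell window.

function Test-AutoLogon {
    # Automatic logon is controlled by values under the Winlogon key.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $winlogon = Get-ItemProperty -Path $key

    [pscustomobject]@{
        # AutoAdminLogon = "1" means Windows signs in without asking for a password.
        AutoLogonEnabled   = ($winlogon.AutoAdminLogon -eq '1')
        # A DefaultPassword value means a password is stored in the registry in
        # plain text. Only its presence is reported, never the value itself.
        PasswordInRegistry = ($null -ne $winlogon.DefaultPassword)
    }
}

function Get-VolumeProtection {
    # BitLocker exposes each volume through this WMI class (needs admin rights).
    $ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    $found = Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume `
                             -ErrorAction SilentlyContinue
    if (-not $found) {
        Write-Warning 'No BitLocker volume data: edition without BitLocker, or not elevated.'
        return
    }
    foreach ($v in $found) {
        # ProtectionStatus: 0 = off, 1 = on, 2 = unknown (for example, a locked volume).
        $status = switch ($v.ProtectionStatus) { 0 { 'Off' } 1 { 'On' } default { 'Unknown' } }
        [pscustomobject]@{ Drive = $v.DriveLetter; Protection = $status }
    }
}

$logon       = Test-AutoLogon
$volumes     = @(Get-VolumeProtection)
$unprotected = @($volumes | Where-Object { $_.Protection -ne 'On' })

$logon   | Format-List
$volumes | Format-Table -AutoSize

# Fail if auto-logon is on, any volume is unprotected, or no volume could be checked.
if ($logon.AutoLogonEnabled -or $unprotected.Count -gt 0 -or $volumes.Count -eq 0) {
    Write-Output 'FAIL: this laptop does not meet the logon/encryption baseline.'
} else {
    Write-Output 'PASS: automatic logon is off and all volumes are protected.'
}
```

A laptop where logon was tweaked with a tool that stores the password outside the registry will still show `AutoLogonEnabled` as true, because the `AutoAdminLogon` switch is what Windows reads at startup.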

This is potentially quite a boring subject (and can be quite dry, as I discovered researching this), but the alternative, doing nothing, is that you go through quite an ‘exciting’ time, like HMRC.

We’ve been through it ourselves – read our Trustworthy Computing web site for more about our security journey.

* Worse: One friend took his laptop into a supermarket (to avoid leaving it in his boot) and had it stolen from his trolley. Or so he thought. When the security staff at the supermarket watched the CCTV tapes, to help him find the thief, it appeared he’d walked in with an empty trolley. So where was the laptop? On the roof of his car…  
Before you laugh too hard, I bet you’ve heard of people leaving phones on the roof of their car, and driving off…

Comments (4)

  1. Unfortunately the hardware requirements of BitLocker are not well advertised and it is too late (when a school has shelled out for laptops) to realise that they aren’t TPM machines.

    Can we have a logo/sticker similar to the Certified for Vista one?  I’ll even give you the wording: "Bitlocker – secure by design"

  2. Ray Fleming says:

    Hi Merrion,

    You’re right that the normal default way to enable BitLocker is to use a hard disk with TPM (which stands for "Trusted Platform Module"). This is a widget that is built into the hard disk which ensures you can’t just take out the disk and put it into another PC and then read the data.

    If you are dealing with data that needs to be very secure, then it’s worth making sure you’re buying laptops that are fitted with TPM chips.

    However, you can use BitLocker without TPM (and still achieve the same security) but it takes a little more setting up.

    Here’s the instructions I found:

    For more background on security and Windows Vista, then this white paper is pretty good:


  3. Moohorse says:

    Our reseller will only sell us Windows Vista Business. How can we get hold of Bitlocker? Why on earth isn’t that included in the Business SKU?


  4. Ray Fleming says:

    Hi Moohorse,

    I wonder if you’re buying your Windows Vista licences in the most cost-effective way? Rather than buying a PC with Windows Vista Business, in education it normally costs less to buy Windows Vista Home, and then upgrade via the Academic Select licence to get the Enterprise version.

    NB This answer is ONLY applicable to education, for non-education, you’ll need to check with your reseller.

    If you’re in the UK, check out our Education Large Account Resellers here:

    And also check this blog post: