ITPRO

Printed from www.itpro.co.uk


The lessons of Nationwide's lost laptop

Security, as they say, is a journey, not a destination. Threats don't stand still, and you never know what's going to happen until it hits you.

By Ron Condon, 23 Apr 2007 at 14:19

"Turning on disk encryption on every PC can turn into a helpdesk nightmare. If you implement encryption, it means that anyone who loses their key has effectively shredded all their data. Powerful tools have powerful risks," says Alex van Someren, chief technologist at nCipher.

"Companies create for themselves a different administrative problem about supervising vast numbers of keys that lock up people's data. If they don't have a copy, or they leave, or someone falls under a bus, they are doomed."
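The standard answer to the key-management problem van Someren describes is never to encrypt the disk directly under a key only the user holds: the data is sealed under a random data-encryption key, and that key is wrapped separately under the user's key and under a recovery key that IT keeps in escrow, so a lost user key, a leaver or the proverbial bus does not shred the data. The Go program below is an added illustration of that scheme, not code from the article, from nCipher or from Nationwide; the Volume type, the slot names and the sample plaintext are assumptions made for the example, and it uses random keys where a real product would derive the user key from a passphrase or a TPM and keep the recovery key in an HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Volume is a toy encrypted container: the data sealed under a random data-encryption
// key (DEK), plus one slot per key-encryption key (KEK) holding a wrapped copy of the DEK.
type Volume struct {
	Nonce, Ciphertext []byte
	Slots             map[string]wrapped // slot name ("user", "recovery") -> wrapped DEK
}
type wrapped struct{ Nonce, Wrap []byte }

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under key using a fresh random nonce.
func seal(key, plaintext, aad []byte) ([]byte, []byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// open is the inverse of seal; a wrong key or tampered data fails GCM authentication.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// randomKey returns a fresh 256-bit key (stand-in for a passphrase-derived or TPM-released user KEK).
func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// NewVolume encrypts plaintext under a fresh DEK and wraps that DEK once per KEK, so
// any single KEK (the user's, or IT's escrowed recovery key) can unlock the data.
func NewVolume(plaintext []byte, keks map[string][]byte) (*Volume, error) {
	dek := randomKey()
	nonce, ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	v := &Volume{Nonce: nonce, Ciphertext: ct, Slots: map[string]wrapped{}}
	for name, kek := range keks {
		n, w, err := seal(kek, dek, []byte(name)) // slot name bound as AAD
		if err != nil {
			return nil, err
		}
		v.Slots[name] = wrapped{Nonce: n, Wrap: w}
	}
	return v, nil
}

// Unlock unwraps the DEK from the named slot and decrypts the data.
func (v *Volume) Unlock(slot string, kek []byte) ([]byte, error) {
	s, ok := v.Slots[slot]
	if !ok {
		return nil, fmt.Errorf("no such slot: %s", slot)
	}
	dek, err := open(kek, s.Nonce, s.Wrap, []byte(slot))
	if err != nil {
		return nil, fmt.Errorf("wrong key for slot %s", slot)
	}
	return open(dek, v.Nonce, v.Ciphertext, nil)
}

// RevokeSlot drops a slot (a leaver's key, say); the data and the other slots are untouched.
func (v *Volume) RevokeSlot(slot string) { delete(v.Slots, slot) }
func main() {
	user, recovery := randomKey(), randomKey()
	v, _ := NewVolume([]byte("constructed customer records"), map[string][]byte{"user": user, "recovery": recovery})
	_, err := v.Unlock("user", randomKey()) // the user's key is lost: a wrong key fails
	fmt.Println("user slot:", err)
	pt, _ := v.Unlock("recovery", recovery) // IT's escrowed key still recovers the data
	fmt.Println("recovery slot:", string(pt))
}
```

The slot name is bound into each wrap as associated data, so a key for one slot cannot be replayed against another. The escrow does not remove the risk van Someren points at, it moves it: whoever holds the recovery keys can read every laptop, so that store needs the same protection (an HSM, split knowledge, an audit trail of every recovery) as the data it unlocks.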

Although encryption will now form part of Nationwide's defences, many other questions still need asking. For instance, what was a middle manager doing with so many customer details on his laptop? The official answer was that he needed them for market research.

Did he have permission to take the information off the Nationwide premises? Was any of this covered by a security policy? Was there an incident response plan in existence so that people know what to do and how to behave? It seems likely that most of these things had not been considered, which is why the FSA was so displeased.

KPMG's Alldrick underlines the need for multiple, layered controls to achieve genuine defence in depth.

For a start, you need deterrent controls, designed to discourage people from doing the wrong thing in the first place. These are normally enshrined in the company's security policy and standards, which set out what is expected of people and what they can expect if they fail to comply, usually disciplinary action or dismissal.

The deterrent controls should then be backed up by preventive controls, normally technology that stops information falling into the wrong hands.

Encryption of data files on laptops would be one such control. Another would prevent, or at the very least log and flag, mass downloads of commercially sensitive information.

In the Nationwide case, the system should certainly have challenged the download of so many customer records. Even if the employee had good reason to copy them and the authority to do so, the fact should still have been logged, because that log is what tells you afterwards exactly what was on the machine.
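One shape the "log it and query it" control could take, added here as an example rather than anything the article or Nationwide describes: a policy evaluated over a system's export audit trail that raises an alert when one user pulls more than a set number of records within a time window, counting many small pulls as well as one large one, since a cap on a single query is trivially sidestepped by paging. The audit-line format, field names, user names, thresholds and the sample log are all constructed for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Export is one parsed audit event: a user pulling customer records out of a system.
type Export struct {
	At      time.Time
	User    string
	Records int
}

// ParseExport reads one key=value audit line of the constructed form used in sampleLog.
func ParseExport(line string) (Export, error) {
	e, err := Export{}, error(nil)
	for _, f := range strings.Fields(line) {
		k, v, _ := strings.Cut(f, "=")
		switch k {
		case "ts":
			e.At, err = time.Parse(time.RFC3339, v)
		case "user":
			e.User = v
		case "records":
			e.Records, err = strconv.Atoi(v)
		}
		if err != nil {
			return Export{}, fmt.Errorf("bad field %q: %w", f, err)
		}
	}
	if e.User == "" || e.At.IsZero() {
		return Export{}, fmt.Errorf("incomplete event: %q", line)
	}
	return e, nil
}

// Policy alerts when one user exports more than Limit records within Window, in one pull or many.
type Policy struct {
	Window time.Duration
	Limit  int
}

// Alert names the user, the event that crossed the limit, and the window total at that point.
type Alert struct{ User string; At time.Time; Total int }

// Evaluate walks events (assumed in time order, as a log is) with a sliding window per user
// and returns one alert per user, raised at the first event that crosses the limit.
func (p Policy) Evaluate(events []Export) []Alert {
	recent := map[string][]Export{}
	alerted := map[string]bool{}
	var alerts []Alert
	for _, e := range events {
		win := recent[e.User]
		for len(win) > 0 && e.At.Sub(win[0].At) > p.Window { // expire events outside the window
			win = win[1:]
		}
		win = append(win, e)
		recent[e.User] = win
		total := 0
		for _, w := range win {
			total += w.Records
		}
		if total > p.Limit && !alerted[e.User] {
			alerted[e.User] = true
			alerts = append(alerts, Alert{User: e.User, At: e.At, Total: total})
		}
	}
	return alerts
}

// Run parses a whole audit log and evaluates the policy over it.
func Run(log string, p Policy) ([]Alert, error) {
	var events []Export
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		e, err := ParseExport(line)
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return p.Evaluate(events), nil
}

// sampleLog is constructed for this example; it is not real Nationwide data.
const sampleLog = `
ts=2007-03-01T09:00:00Z user=analyst1 action=export source=crm records=200
ts=2007-03-01T09:10:00Z user=manager7 action=export source=crm records=9000
ts=2007-03-01T09:20:00Z user=manager7 action=export source=crm records=9000
ts=2007-03-01T09:40:00Z user=manager7 action=export source=crm records=9000
ts=2007-03-01T10:30:00Z user=manager7 action=export source=crm records=9000
ts=2007-03-02T09:00:00Z user=analyst1 action=export source=crm records=400`
func main() {
	alerts, _ := Run(sampleLog, Policy{Window: time.Hour, Limit: 20000})
	for _, a := range alerts {
		fmt.Printf("ALERT %s: %d records in the hour ending %s\n", a.User, a.Total, a.At.Format(time.RFC3339))
	}
}
```

Every export is parsed and kept whether or not it trips the policy; the alert is the preventive or detective trigger, but the full trail is what an investigator needs on the day the laptop goes missing. The constructed analyst1 pulls of a few hundred records stay under any sensible limit, while manager7's repeated 9,000-record pulls cross a one-hour, 20,000-record policy on the third pull.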

Once the theft was discovered, there should have been detective controls in place, such as a record of what had been copied to the machine, to help determine the extent of the risk and the level of loss.

"When he reported the incident, there should have been an investigation immediately as to what was held on the laptop, and as a result of that, risk mitigation set in place. And as a result of that, additional corrective controls implemented," says Alldrick.

He makes the case for a detailed incident response plan, so that people know exactly what to do.

"It is very difficult to predict every scenario, but you should have incident management and reporting processes in place," he says. "You can base that on a model - a stepped phased approach."

When an incident is reported, first determine its severity and the risk involved.

That determines who needs to know (the more severe, the higher up the organisation it goes) and who needs to be involved in resolving it. Then look at how to mitigate the risk and, where necessary, change procedures, which can then be folded back into the security process for the future.

Internal communication during an incident is vital, but Alldrick says it is something that many companies fail to do well. "In an incident, the main priority is to fix what is wrong, and people want to get the business back to normal as soon as possible. So reporting can take a back seat, and internal communication is not as effective as it could be," he says.
