SecurEnvoy says latest ICO rulings highlight need for easy-to-use encryption

6 October 2011

The latest two laptop data loss incidents in the educational sector – details of which were revealed by the Information Commissioner's Office on October 5 – are slightly different from the usual data loss censures by the regulator, says SecurEnvoy.

But, the tokenless two-factor authentication specialist says, both incidents occurred in educational organisations where staff really should have known better when it comes to encrypting personal data. Yet, despite this – and the fact that one of the laptops actually had encryption software installed on it – the breaches still happened.

According to Steve Watts, SecurEnvoy's co-founder, whilst both educational organisations should have known better, the fact that these laptop breaches actually happened suggests that there is a sizeable gulf between security theory and practices relating to IT systems when it comes to day-to-day usage.

“The ASCL incident - in which a laptop containing sensitive information was stolen from an employee's home - is particularly interesting, as the computer reportedly had encryption software installed, yet the decision on whether to encrypt specific files was effectively optional, as I understand it,” he said.

“This tells us a lot about the gulf between the theory and the practice in that organisation. Security, as all professionals know and understand, should not be optional, but mandatory, so whoever installed that software – or interpreted the ASCL's security policy as they did – is probably now feeling the wrath of management, but I think this incident reveals that the technology designed to enforce security policies not only needs to be bullet-proof, but also very easy to use,” he added.

The SecurEnvoy co-founder went on to say that, when he and Andy Kemshall formed the company way back in 2003, they had a firm idea of developing a security authentication system that was so easy to use that anyone who can operate a mobile phone could also use the SecurEnvoy security platform.

Eight years down the technology turnpike, he explained, and the company has users of its technology on all five continents – and those users probably don't think twice when using their mobile phone as a means of authenticating themselves to a central resource and across the Internet.

Despite what some IT professionals claim, he says, effective security is not rocket science, but is more about simple-to-use and transparent technology that “just works,” leaving people to get on with their regular business.

Had simple-to-use security – such as SecurEnvoy's tokenless two-factor authentication – been in active use on the ASCL laptop stolen from the employee's home, then it is almost certain that the censure by the ICO would not have happened.

Coupled with the fact that Holly Park School in Barnet - where the second laptop containing unencrypted data was stolen – did not even have a data protection policy in place at the time of the theft, this again highlights the differences between IT security theory from a management perspective, and the reality at the sharp end in the school's classrooms.

“Yes, it's always a shock when a laptop containing business information is stolen, but it's a lot easier to pick up the pieces after an incident if you know the data on the machine is encrypted and cannot therefore be read by the thief - or anyone else handling the stolen computer,” he said.

“Questions are obviously being asked in both organisations and, as the dust settles on the ICO rulings on these incidents, systems and procedures will be introduced – and/or tightened up - but without easy-to-use technology being available to staff on the ground, then these sorts of incidents will happen again and again in other organisations, and the ICO's office will never be short of business,” he added.

“That may make for good headlines in the IT media, but it isn't good for the staff at the sharp end, who are left to implement draconian security policies with the technology equivalent of blunt instruments.”
