When you are in the computer security business, hardly an hour goes by without news of some laptop containing sensitive information about customers or staff getting lost or stolen. Now, for the average business person they may not hear these stories multiple times a day – but they are certainly starting to show up multiple times a week.
The latest example brings us to Ireland and a burglary at the Bord Gais Energy offices. To quote the official company announcement, “Bord Gais Energy can confirm that a burglary took place on Friday, 5th June in one of its Dublin offices. During this incident four laptops were stolen, one of which contained customer information and bank details for 75,000 Bord Gais Energy electricity customers.”
To highlight the impact on the Bord Gais, even a month later their website commits 20% of the home page to the story on Laptop Theft. This is an IT manager’s nightmare – IT is impacting the business in an adverse manner.
In a poor choice of words the letter from Bord Gais to consumer, the letter states that “data security and laptop encryption is a major priority for us.” Well that is true now, when the letter is being written. However, the tens of thousands of impacted customers are probably more concerned about how Bord Gais let this happen.
On the website, Bord Gais points out the solution – “We have reviewed our laptop encryption programme and can confirm all laptops are now fully encrypted.” But they also admit the causes:
Why were the laptops not in a secure location?
The laptops were being used on a day-to-day basis and were left in locked offices overnight.Were the laptops not encrypted?
All of the laptops had levels of security on them – however only one of them had hard drive encryption – the remaining three had password protection.
Bord Gais is not uniquely incompetent in laptop security matters – think about your own companies, do the above events occur in your organizations. Even when laptops are supplied encrypted, do some employees switch off encryption and ignore company policies. Do they even know what the company policy is? Do they even understand what encryption is? Why do they have rights to shut off encryption?
Bord Gais is facing all these questions now. Smart companies address these questions internally, amongst themselves, before the publicity hits home.
