When is an encrypted laptop, not an encrypted laptop?

If you have an encrypted business laptop, does that mean it's totally safe, and that
losing it therefore doesn't really matter because of the encryption?
Erm, well, not necessarily. In fact, you will be surprised to discover when your encrypted
laptop is, in fact, encrypted!

First let me explain the reason I brought this up. I read an article in SC Magazine today,
about a Scottish QC who had the misfortune to have her business laptop (unencrypted,
we believe) stolen from her home whilst she was on holiday. You can read the story
here.
The laptop apparently contained personal details of individuals involved in eight court
cases that Ruth Crawford, the unfortunate QC in question, was involved with. Clearly,
this is highly sensitive information, and is a situation that all legal professionals would
be horrified to find themselves in.

Kevin Macdonald from the Scottish Information Commissioner's Office (ICO), who
investigated this data breach, took the opportunity to point out that this was "a warning
to other legal professionals" and that "it's not just about being served with a penalty of
up to £500,000, it could affect (their) careers too." On this occasion the QC concerned
was not issued with a financial penalty, as the theft occurred prior to April 6 2010, the
date the ICO was given the power to fine for serious breaches.

At the moment, the ICO does not have the power to force mandatory disclosure in such
cases, but it is in their sights. The statement relating to this incident included this
comment: "The ICO would also like to assure the legal profession that any information
reported to this office will not be disclosed unless there is specific legal authority for us
to do so. Therefore all breaches should be reported to our office as soon as practically
possible". If you have read any social media and press commentary on the subject of
mandatory disclosure, you will know it feels like a matter of time. So are we saying that
encrypted laptops are the way forward for the legal professions? Many already use
them as a matter of course. Well, it's one possible solution to a security issue.

In this case the laptop was apparently unencrypted, perhaps not a good start. However,
it was in her home and she was away from home, on holiday. Perhaps a simple
approach would have made its lack of encryption less of an issue. By locking it away at
her office during non-work hours and particularly during annual leave, as a matter of
good security policy perhaps?

One common misconception about encrypted laptops is that... well, the laptop is always
encrypted, and therefore the possibility of losing it is not a huge issue. This is not the
case: a laptop is only encrypted if it is totally powered down. Being logged off is not
enough. Once the disk has been unlocked at start-up it stays unlocked until the machine
is shut down, so it is not encrypted, even at that stage.

Whilst the article in SC Magazine finishes with a helpful quote from an encryption
software producer on self-encrypting drives, it doesn't address the underlying issue:
it doesn't matter how good the encryption is if your security policy, staff security
education and on-going review process are not robust. Relying on technology in
isolation can make staff complacent and lead them to make dangerous assumptions, such
as that if your laptop is encrypted then you have nothing to worry about.

So, when is an encrypted laptop, not an encrypted laptop? Pretty much most of the
time actually.

Advent IM is the UK's leading independent information security and physical security
consultancy. We specialise in holistic security management solutions for Information
Security, HMG Information Assurance, Business Continuity, PCI-DSS and Physical
Security and have a proven track record of successful certifications.

Consultancy
Information Security
Business Continuity
Physical Security
Government
Accreditation
Data Protection
PCI Compliance

Services
Workshops
Seminars
Presentations
Training

Expertise
Lead Auditors
CLAS Consultants
ISO 27001
ISO 22301
PRINCE2
IT Security

Advent IM Ltd 2014. Any republishing in part or full with express permission of Advent IM.

Call 0121 559 6699
Email bestpractice@advent-im.co.uk
Visit www.advent-im.co.uk
Advent IM can also be procured directly through G-Cloud

expert, integrated, independent