- Consultancy firm Deloitte has admitted that the loss of a laptop containing BSkyB staff pension details also included information about pension scheme members from Network Rail and British Transport Police.
Would you let a fox guard your hen houses?
Then why do we sit and just watch consultants tell us what to do when it comes to questions of information security and risk management? Is it because we believe our consultants can objectively sit in judgement of our procedures when their own house ain’t in proper order? Are we really that naive?It is a real irony to have a security consulting firm, offering an information security advisory practice, have one of its laptops containing confidential client information stolen by a thief.
The laptop contained details of more than 100,000 people, including names, national insurance numbers and salaries.
“Through interviews and workshops with key systems managers and information custodians, we would gather the necessary information to provide a picture of the business processes using client information. This exercise can produce some instant and powerful results leading to a demonstrable improvement in the way that client information is protected. Some of these include:
- – Identifying business processes and staff that have unnecessary levels of access to client information
– Identifying applications that are unnecessarily processing client information
– Identifying serious breaches of policy and procedure that require immediate address
– Raising levels of awareness among information custodians of the profile client information security has with senior management.”
Security 101 – Deloitte fails – can you trust them with your data?
Bottom line is that while Deloitte tells its clients to be careful not to lose data, the firm seems not to follow this advice with how it treats customer information.
Deloitte has assured that a start up password as well as an operating system user ID/password authentication procedure was in place with the laptop. Not assuring considering that it was probably a Windows XP operating system or Windows Vista where authentication procedures can be broken quite easily. However, if the encryption was done properly, it is unlikely that the opportunistic thief that stole the handbag with the notebook in September was able to access these data.
However, by allowing such information to be stored on a notebook, Deloitte broke one of its own rules it suggests to its clients for better risk management, namely:
– what is the rational for giving an employee the right to have such a huge database on his or her notebook – change application procedures to avoid having to deal with this risk
In fact, already during 2007 Deloitte pointed out in one of its white papers to watch out for such risks by stating:
The dramatic increase in the use of laptops and of handheld devices, such as the Blackberry and the Treo, puts enterprises at significant risk if the equipment is lost or stolen. Several high-profile data leaks involving financial services institutions have taken place over the last few years when laptops containing personal information – names, addresses, account numbers, and in some cases social security numbers – were stolen (Deloitte Financial Services – Global Asset Management Industry Outlook Issues on the horizon 2007 page 7 (9 of pdf file).
Obviously, the company does not appear to follow its own advice very closely.
Firms like Deloitte must effectively manage operational and compliance risks. Firms face the challenge of consolidating all the various risk-related issues and initiatives across
their organizations to manage their risks more effectively and efficiently. Deloitte’s case shows another example where a firm has failed and apparently the left hand does not know what the right hand is doing.
Would you leave a fox to guard your prize chickens? Or put differently, are you putting prisoners in charge of running a prison? In this case of data breach, can you trust Deloitte to help manage your risks in the future?
For reasons I truly cannot fathom, organizations such as Deloitte
a) establish information security policies which are
b) not properly enforced thereby
c) enabling employees to ignore or circumvent them.
So why should you hand over your corporation’s data to such a firm or let it do advisory work for you on how you can manage your risks better? Your choice.
2008-10-10 the UK’s Ministry of Defence announced that it was investigating the loss of a computer hard drive that could contain the personal details of 100,000 members of the armed forces. With greetings from the Taliban?
MoD laptop containing personal data on about 600,000 people was stolen – an incident which, along with the loss of 25 million child benefit records by HM Revenue & Customs, prompted a review of data handling procedures across the public sector.
More on the UK’s disasters – scroll down search page, you will find much more on this topic: