Bank of Ireland USB key loss a reminder to firms everywhere

4 Nov 2008

Following the embarrassing loss of yet another electronic device at Bank of Ireland (BOI), it is an important lesson to firms everywhere that they should be educating their workforce about responsible use of devices such as USB keys, mobile phones and laptop computers.

Colm Murphy, director of IT security specialist Espion, said the damage caused by a lost USB device – which typically can contain up to 32MB of data – could be limitless.

“Companies should be educating their employees about their responsibilities in relation to both the physical security of mobile devices, and also the sensitive data stored within the mobile device. These policies should define what classifications of data can be stored on laptops, and what controls must be in place to secure each classification of data.

“These controls may include encryption and two-factor authentication, but should only be implemented for devices storing sensitive data. Applying these controls across the entire company should not be necessary, and would result in an overspend on security relative to the overall risk.

It emerged this morning that a USB key containing names, address line and bank numbers of 894 (BOI) customers was mislaid by an employee.

In April, four laptops containing details on 31,000 BOI Life customers were reported as stolen.

“As today’s workforce becomes more mobile, technologies such as VPNs and wireless and mobile devices have, for many, replaced the traditional desk-bound computing environment. As laptops, Blackberrys, USB drives and other mobile devices become defacto, data no longer just resides on secured servers located at corporate headquarters.

“Although this shift has advantages for companies and their employees in terms of productivity and flexibility, it presents a host of challenges as to how the data outside the four walls of the office can be adequately safeguarded. Whereas previously, security threats came in the form of hackers targeting the server rooms of companies, now every laptop could potentially contain confidential customer and/or corporate data that is critical to a company’s operations.

“The extent of the damage a laptop/USB drive theft can create is limitless – no longer can the value of the loss be based on the hardware cost, it could be a whole lot more,” Murphy said.

While in most data breaches in recent years laptops were unencrypted, Murphy pointed out that while encryption is essential, it is not the only step to be taken.

“Encryption, while essential for sensitive data, should be considered as the last line of defence, not the only line of defence. Companies should issue guidelines for users regarding handling of mobile devices to help employees understand under what circumstances their mobile devices are at most risk. For example, laptops and USB drives should never be left in cars or brought to the pub on a Friday evening.

“Companies need to define an incident-response plan for responding to mobile device losses. This will ensure that the relevant individuals within the organisation are notified in a timely manner in the event of a loss.

“Without an incident-response plan, incidents will inevitably be handled poorly in an ad-hoc manner, which could result in management first hearing about the loss on the 9 o’clock news, not from their staff,” Murphy said.

But what should firms be doing right now? “Companies should put their incident-response plan into place. This will ensure that the relevant individuals within the organisation will be notified. Because of the potential public exposure that is associated with mobile device loss, individuals from public relations, IT and management may be required to be notified quickly to manage the situation.

“Companies should attempt to identify the extent of the data exposure, This involves determining what classification of data was on the device and determining whether or not the data is protected by encryption, authentication or other controls.

“Once the extent of the data exposure has been determined, the company must then determine if it is legally, or morally, obliged to disclose information about the loss.

“Companies need to ensure that their physical security team is liaising with their information security team to ensure that the real cost of mobile device thefts are calculated. The replacement cost of a laptop may be only a few hundred euro, but the resulting exposure of the data on the laptop could cost the company everything.

“Companies need to focus on all types of mobile devices, not just laptops. Smart phones and PDAs can now contain as much data as laptops and are a greater target for theft,” Murphy said.

By John Kennedy

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com