Is It Time For The Public Sector To Introduce Mandatory Data Encryption?

6 August 2010

In 2008, at least eight separate incidents of data loss by large public service organisations were reported. This includes incidents relating to the National Health Service, Royal Air Force, General Teaching Council, Home Office and Department of Work and Pensions. In the majority of these cases, data was lost in the process of being transported from one place to another. But in the majority of cases, no encryption was in place to prevent the data being accessed by unauthorised persons. If such data ñ which has included the personal details of 11,400 teachers, 84,000 prisoners, and 21,000 patients ñ were to fall into the wrong hands, the consequences could be severe, leaving the affected individuals open to invasions of privacy, blackmail and identity theft.

Data encryption involves converting readable data, known as plaintext, into unreadable code using a sequence of instructions known as a cipher. If a piece of data has been encrypted, the user can only access the plaintext if they know what type of cipher has been used. In this way, encrypting sensitive data can provide an effective way to protect against information falling into the wrong hands.

For businesses looking to encrypt data, the process need not be complicated. All machines running Windows XP Pro come with the option to encrypt data by editing the properties attached to a particular file so that it is only accessible to that user. Further, the same tool can be used to automatically encrypt all data stored on the hard disk. In addition, any computers running Windows Vista Ultimate and Enterprise editions are protected from intrusion by the built in BitLocker Drive Encryption functionality, which prevents unauthorized users from breaking into the Windows file system.

For storage devices such as USB flash drives, there are a range of encryption options. In addition to encrypting individual files in a manner similar to that described above, it is also possible to purchase devices which require additional verification, such as biometric fingerprint authentication, in order to decrypt the files on the device.

In the alternative, some companies may prefer to transmit data via the internet to avoid the possibility of physical data loss. If such a method is chosen, encryption can again be employed to ensure the data is not accessed by unauthorised third parties. Symmetric-key encryption involves both the sender and the recipient holding the same ëkeyí which is used to encrypt the data, meaning that only those two participants are able to access the information sent between them. It is estimated that a key containing 128 characters is sufficient to prevent even an experienced computer forensic expert from cracking the code by brute force, since there would be over 300 decillion possible key combinations.

Still more secure is asymmetric-key encryption which uses a combination of a public key and a private key to form a pair that makes the number of possibilities almost infinite. While such measures may sound complex, network encryption software is readily available from several manufacturers and should prove relatively simple for a systems administrator to implement.

When deciding on a method of transport and encryption for sensitive data, an organisation. As decision making process will typically involve weighing up organisational needs against the administrative burden and cost associated with implementing the measures. But with a Nationwide Building Society recently incurring a fine of nearly 1 million GBP following the theft of a laptop containing confidential customer data, can you really afford not to?

Talk to our consultation team today

Contact Us

I can honestly say that your excellent customer service and communication has made our forensic instructions to you exceptionally easy. I am very conscious of the amount of time I must have taken up with various queries, requests, and then changed requests but you have always been very patient, polite and extremely helpful.

Case Review Manager - Criminal Cases Review Commission