Local councils have an unfortunate knack of ending up in the headlines after suffering data loss incidents. Either because of their obligation to report such events or because some aspect of their operations results in an inordinate amount of risk, councils dominate the Information Commissioner’s Office’s guilty list.
In the past year, Wigan Council lost the personal details of 43,000 children on an unencrypted laptop, Surrey County Council reported the loss of thousands of details of children and families on lost laptops and BlackBerrys, while Blackburn with Darwen Borough Council lost the records of 3,500 citizens on a stolen laptop.
Richard Dawson, IT services manager at Bracknell Forest Borough Council, admits this is a problem that “keeps me up at night”. With 4,000 staff, including 1,400 IT users, 1,000 desktops, 400 laptops and an “ever increasing” number of BlackBerrys to keep track of, Dawson has to juggle complex security and auditing requirements while recognising that “my users aren’t IT professionals. They’re social workers, tree surveyors and road engineers. A laptop to them is just a device in their way, and the security we put in place has to be seamless and let them do their job.”
The arrival two years ago of the government’s Connect project, a secure extranet connection to the Department of Work and Pensions for any local authority paying revenues and benefits, came with a number of security caveats – 96 of them, in fact.
“We achieved [compliance] in June this year, but it meant we had to install a lot more security,” Dawson says, “particularly secure USB access and laptop encryption.”
While USB-port security was initially contentious – “the finance director told me USBs were not a problem until I pointed out that an 80GB iPod could take out the whole finance system” – there was no argument over laptop security.
Besides encryption, Dawson installed Absolute Software’s tracking and monitoring product on 400 of the council’s laptops. As well as allowing for remote hard drive deletion, the software reports in to Absolute’s monitoring centre every time it is connected to the Internet. If it is flagged as stolen, the centre notifies police and prepares an evidence pack.
“I’ve used the recovery service four times now and I’ve been very pleased with its deletion of the data and recovery of the device,” Dawson says.
The software has also had an added benefit in the form of asset management. “We’ve made savings through asset management and the better placement of hardware,” Dawson says. “We no longer have expensive laptops sitting in cupboards just for presentations, as I’m able to give people the technology they need for their job and not just a stock item. I’ve also got the ability to recall the devices now I know where they are.”
The software itself lurks in the BIOS and runs as an undetectable background process: “It’s seamless and invisible to the user, so there’s nothing for them to play with,” he says. The technology has been no substitute for education, and Dawson continues to urge staff against leaving laptops unattended in cars. “But social workers don’t want to take laptops into vulnerable locations,” he says. “So we’ve installed secure kits in their vehicles that allow them to be left behind, but locked down.”
Beyond compliance with internal policy and government audits, what these measures ultimately provide, Dawson says, is reputation management. “I won’t be in the press any time soon, touch wood.”