Legal pressures, not to mention your moral obligation to assist unwitting victims, means that you should never delay when disclosing IT security incidents.

In November 2005 a laptop belonging to an employee of the Boeing Corporation was stolen. Among the information on the machine was personal financial data about 161,000 current and former employees of the aerospace giant.

None of the confidential information was encrypted, and therefore the thieves would have been able to read and exploit it easily. Yet this was just one of the two serious failings in Boeing’s IT security procedures that this episode highlighted. The second was not to have immediately owned up to the incident. The company still refuses to reveal the precise timings but has admitted that it was “several days” after the theft before the 161,000 ‘victims’ were officially informed that their personal details were now in the public domain, potentially ready to be used by criminals involved in identity theft.

Companies across the world, have always preferred not to reveal details of IT security breaches. The problem became so bad in the UK that the Metropolitan Police launched a special guarantee under which companies are promised anonymity if they report that their systems have been the target of hackers. Without such a scheme, police were unable to prosecute the hackers because officers were unaware that the incidents had taken place.


It’s easy to understand the dilemma of the targeted organisation. A run-of-the - mill incident might cost a typical bank £250,000 in terms of lost productivity, replacement hardware, or system downtime. Yet if the attack is reported to the police and the suspects subsequently end up in court the whole episode becomes public knowledge, which results in customers losing trust in the bank concerned. At which point the £250,000 becomes totally insignificant. For if a bank loses the trust of its customers,it will lose those customers and revenue.

The nature of the problems that can be incurred is many and varied, ranging from loss of key information, adverse publicity, loss of trust, legal action by customers, and official censure by regulators. All of which can be avoided with a little forethought and a professional attitude to the use of data encryption.

Where once your key information such as customer account data and profitability figures resided on a few desktop PCs in a private office, now the information is spread far and wide. As well as the master copy on the main system, there are often copies (or at least extracts or summaries) in many other computers. Some of which are laptops, which are incredibly easy to lose or steal.