What a balls up

For one person to start using data encryption for every day stuff is fairly trivial. To make it common practice to do it for an entire government department, much less government, is a bit more drastic. It takes an incredible amount of resources to do efficiently and safely, and it can surprisingly make security worse (not to mention a false sense of security) if done poorly. Especially in cases like this, it is completely necessary.

However, this is irrelevant; it's not about security of the data, it's about the fact that someone was foolish enough to lose the data. Obviously, proper security measures would be greatly beneficial, but one should focus on the issue at hand first.

Quote:

---

It takes an incredible amount of resources to do efficiently and safely, and it can surprisingly make security worse (not to mention a false sense of security) if done poorly

---

No, it doesn't. This is the concept of "politically correct" and not much more. The way I would see it is that if I send something in plaintext then I am a wanker............... if I force someone to decrypt it first, I ensure they get at least 10~20:xbones:

I am afraid that it is the old CYA concept, and if these guys can't even do that....................? :eek:

To use a full-quality encryption method on any and all data for an entire government organization is realistically a pretty large resource leap when you talk about its entirety. As easy as it seems for people like us, getting every single user of the network to have a perfect adherence record is a bit more challenging. To enforce it technologically is also moderately difficult.

To employ a means of encryption unsuited for the task, as well, lures the group into a false sense of security. On one hand, it is simply helpful to eschew data 'attackers,' but can equally so lull one into a sense of security that may dissuade one from using other means. This is, of course, no excuse not to do it. Any push forward is beneficial. However, given the manner in which the data is lost, encryption (or lack of) is not the root of the issue. It is a very powerful band-aid, but it still does not ail the viral stupidity and insecurity in all other forms of data handling on the user/employee end.

Quote:

---

To use a full-quality encryption method on any and all data for an entire government organization is realistically a pretty large resource leap when you talk about its entirety.

---

I do not believe that anybody is suggesting that. If your data isn't secure whilst it is on your site then you have a quite different problem. Encryption will not help resolve it.

The purpose of encryption is to protect confidential data whilst it is in transit and offsite. That is relatively infrequent and would not be difficult to implement.

You do not seem to appreciate that within the British Government there is a very strict hierarchy. For example who can sign on behalf of a department or section, who can authorise the destruction or transfer of data and so on.

Ultimately it is the person who authorises the transfer of data who is responsible for its security. Obviously the chain of command has broken down in this instance.