Question: When is encrypted data still unsafe?
Answer: When it’s too damn hard to use it
Cambridgeshire County Council has today become the latest Authority to receive a slap on the wrist from the ICO. It seems that the Council encrypts its memory sticks, but for some reason a member of staff couldn’t use them, and retreated to the old way of using a non-encrypted stick, which was then lost.
The detail from the ICO states that staff encountered problems using the technology. This is NOT surprising. I know nothing about handling adults with learning difficulties. Why should I? Equally, why would someone who works in Adult Learning know anything about encryption?
To non-technologists, technology of any kind is a pain. It’s confusing, frightening and gets in the way. It doesn’t have to be this way. Cambridgeshire should be applauded for its education programme for staff. But something hasn’t worked, and without the detail, it’s hard to attribute blame. But this is me, so I’m going to try anyway.
I am afraid part of the problem falls at the feet of the vendor of their stick encryption. Software and hardware vendors have a tendency to assume that just because people use Facebook, they are IT literate. At Sophos, our engineers don’t build anything that needs the user to click too many buttons to make it work. And if our customers do find it too hard, they have the right to hit us with sticks. The best IT products are a bit like cheese: if you have to think about how it works, you won’t use it. Apple and Google have it right – the interfaces are simple things of joy – they are intuitive and let you get on with life.
My message? Take the trouble to get your staff to try out new software gizmos before you buy them. If the staff can’t use them with minimal instruction, you are going to fail, and you have an expensive whizzy white elephant on your hands. And the net result isn’t project failure, it’s some poor sod’s personal details lost and potentially at risk.