Archive for the ‘cybersecurity’ Category

EU Commission and UK Cyber Security Strategy

Wednesday, December 7th, 2011

While the UK cyber security strategy, published last week, is full of good stuff, it is lacking in one key area: compulsion. My view on this was quite widely reported last week: if UK organisations won’t take adequate action to protect personal data, under legislation that has been around since 1998, and won’t report breaches voluntarily to the Information Commissioner, then what on earth is going to cause them to share information about much more damaging cyber breaches?

The threat of a £500k fine hasn’t led to a dramatic increase in the number of UK organisations reporting data breaches, but nor has there been a dramatic decline in the number of successful hack attacks reported – initially, usually by the hackers, not by the hacked.

The European Commission appears to understand that organisations, public and private, are not pre-disposed to protect personal data. The proposed revisions to the European Data Protection Directive should, if enacted as currently drafted, bring substantial change – the threat of a fine equivalent to 5% of global revenue (applicable to EU entities, including EU subsidiaries of foreign companies) should bring a substantial change to data protection behaviour. Allied to a legal requirement to report breaches within 24 hours, this regulatory imperative may finally bring real protection to individual data.

Now, imagine how quickly UK organisations would get their cyber security houses in order if they were faced with a requirement to report all breaches within 24 hours and faced a very substantial fine – on top of the losses and other penalties they incurred. And imagine how quickly cyber security would find its way onto the corporate governance agenda and onto the list of issues about which shareholders are concerned.

It will be interesting to watch the progress of the EU directive and, alongside it, progress in implementing the UK’s current cyber security strategy. I hope there will be progress in both and fear that both may ultimately be ineffective – the EU law because the compulsion element is watered down, and the UK strategy because it is already quite watery.

What to do about UK data breaches?

Thursday, November 24th, 2011

Another day, another (damning) survey.

A recent report from Big Brother Watch “uncovered more than 1000 incidents across 132 local authorities, including at least 35 councils who have lost information about children and those in care.
Highly confidential information has been treated without the proper care and respect it deserves. At least 244 laptops and portable computers were lost, while a minimum of 98 memory sticks and more than 93 mobile devices went missing.
Yet of the 1035 incidents, local authorities reported that just 55 were reported to the Information Commissioner’s Office. Perhaps more concerning, just 9 incidents resulted in termination of employment.”

This survey is just the latest in a long series of reports and news releases that all point at the same three inadequacies: 

The list goes on – as I identified yesterday, nearly 50% of the breaches that led to ICO undertakings relate to lost, unencrypted laptops or USB sticks. And it appears that the number of (so far) unreported losses may exceed those reported.

And the position on encrypting laptops and USB sticks is clear. According to the ICO’s Acting Head of Enforcement, Sally Anne Poole:

“The ICO’s guidance is clear: all personal information – the loss of which is liable to cause individuals damage and distress – must be encrypted. This is one of the most basic security measures and is not expensive to put in place – yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people’s personal information at risk unnecessarily.”

There are three things that every organisation must do as a matter of course:

  1. Ensure that all laptops – or at least all laptops that might at some point contain personal information – have pre-boot, full-disk encryption software installed that uses a FIPS 140-2 validated cryptographic module;
  2. Ensure that all USB sticks that come onto corporate premises, or which are used by staff and contractors, are likewise encrypted with FIPS 140-2 validated hardware or software;
  3. Ensure that all staff – managers as well as front line staff – have adequate training and awareness around their responsibilities for protecting personal data.

Any organisation can do these three things. It isn’t hard.
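The first two points are only useful if someone actually checks them. As an added example (not code from the original post), the script below audits a Linux host for mounted filesystems that have no dm-crypt/LUKS layer beneath them, by parsing the JSON that util-linux `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` emits. The sample block-device tree embedded in it is constructed for illustration, and the allow-list of plaintext mount points (`/boot`, `/boot/efi`) is an assumption you may need to adjust.

```python
"""Audit a Linux host's mounted filesystems for missing disk encryption.

Added example, not part of the original post. It parses the JSON produced by
`lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` (util-linux) and reports every
mounted filesystem that is not stacked on a dm-crypt/LUKS container.
"""
import json
import subprocess

# Constructed sample tree (not captured from a real machine): an unencrypted
# EFI partition (expected), a LUKS-backed root (good) and a plain USB stick
# mounted at /media/stick (the kind of device the ICO cases are about).
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
       {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
        "children": [
          {"name": "root_crypt", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
        ]}
     ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sdb1", "type": "part", "fstype": "vfat", "mountpoint": "/media/stick"}
     ]}
  ]
}
"""

# Assumed allow-list: mount points that legitimately hold plaintext (bootloader).
ALLOWED_PLAINTEXT = {"/boot", "/boot/efi"}


def _walk(node, encrypted):
    """Yield (device, mountpoint, encrypted) for every mounted filesystem under node.

    A filesystem counts as encrypted if any ancestor (or itself) is a dm-crypt
    device, which lsblk reports with type "crypt".
    """
    encrypted = encrypted or node.get("type") == "crypt"
    mountpoint = node.get("mountpoint")
    if mountpoint:
        yield node["name"], mountpoint, encrypted
    for child in node.get("children", []):
        yield from _walk(child, encrypted)


def find_unencrypted_mounts(lsblk_json, allowed=ALLOWED_PLAINTEXT):
    """Return [(device, mountpoint)] for mounted filesystems with no crypt layer below them."""
    tree = json.loads(lsblk_json)
    findings = []
    for dev in tree["blockdevices"]:
        for name, mountpoint, encrypted in _walk(dev, False):
            if not encrypted and mountpoint not in allowed:
                findings.append((name, mountpoint))
    return findings


def audit_live_host():
    """Run lsblk on this machine and return its findings (Linux; lsblk must support -J)."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    return find_unencrypted_mounts(out)


if __name__ == "__main__":
    for device, mountpoint in find_unencrypted_mounts(SAMPLE_LSBLK_JSON):
        print(f"UNENCRYPTED: {device} mounted at {mountpoint}")
```

Run against the constructed sample it flags only `sdb1` at `/media/stick`; on a real estate you would run `audit_live_host()` from your configuration-management or endpoint tooling and treat any finding as an incident. Two caveats: the check proves only that a dm-crypt layer is present, not that the module in use is FIPS 140-2 validated, so the product choice still has to be verified separately; and on Windows the equivalent evidence comes from `manage-bde -status` or the `Get-BitLockerVolume` PowerShell cmdlet rather than lsblk.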

My own company has tried to make it easy for our customers. We’ve provided specific DPA classroom training as well as a comprehensive DPA Compliance Documentation Toolkit for some years.

We’ve now gone a step further, and identified appropriate laptop encryption software, as well as appropriate CESG-approved encrypted USB sticks, and we’re supplying both – in single units or in bulk – directly from our UK website and service centre. We’ve also developed a unique DPA e-Learning Staff Awareness course that can be deployed across the largest organisation and which will ensure (with necessary evidence) that staff have received the core awareness training they need.

Analysis of Information Commissioner Cases

Tuesday, November 22nd, 2011

We carried out an analysis of the data breach cases which led to the UK’s Information Commissioner extracting an undertaking from the organisation concerned. Over the last 18 months (May 2010 – mid-November 2011), this is the breakdown of 85 cases:

Incident type                                                              No. cases      %
Lost / stolen unencrypted laptop                                                  16   18.8%
Lost / stolen unencrypted USB stick (20), CD (1), camcorder (1)                   22   25.9%
Lost / binned / stolen / exposed paper records                                    24   28.2%
Data exposed on website, or emailed / faxed to unauthorised individuals           16   18.8%
Unsecured / incorrect / exposed electronic data storage                            7    8.3%
Total                                                                             85  100.0%

The largest category of data breaches is to do with paper records, not with digital data. Many people don’t seem to realise that the DPA also applies to paper records. More than that, it is harder for organisations to impose technical security controls on paper documents. This gap can only be filled by training. In today’s climate, the most cost-effective way to train people is DPA Staff Awareness eLearning – this ensures that all staff get a consistent message, tests staff understanding of the key concepts, retains records of completion of training and testing, and enables the employer to systematically train everyone at a low individual cost.

Nearly 50% of the cases are due to an absence of encryption – either of a laptop or of a USB stick. Failure to require staff to use encrypted USB sticks (SafeSticks) is, bluntly, reckless.

The breakdown of organisations concerned is also interesting:

Offender                      No. cases      %
Lawyers                              4    4.7%
Schools                             11   12.9%
Councils                            18   21.2%
Social services                      4    4.7%
Hospitals / NHS trusts              29   34.1%
Commercial organisations            10   11.8%
Police                               3    3.5%
Government                           6    7.1%

Public sector                       75   88.2%
Private sector                      10   11.8%

I’m convinced that the only reason the private sector does so well in these statistics is the anomaly that the public sector is required to report data breaches, but the private sector is not (yet). This may change a bit with the new PECR requirement on ISPs to report data breaches but, until the appearance of a broader pan-European data breach reporting requirement, I would expect this reporting imbalance to continue.

The private sector is, however, subject to potentially hefty financial penalties – from the ICO and from individual regulatory bodies, such as the FSA. More importantly, breached private sector organisations are subject to those most severe of business penalties – reputation destruction and customer desertion. The sensible private sector organisation will be taking steps, now that ISO27035 has been published, to ensure that its incident management and security breach reporting capabilities are up to scratch.

SMEs are also Cyber Prey

Tuesday, November 22nd, 2011

It’s encouraging to see that a growing number of SMBs (small and medium businesses) are getting wise to the fact that they are as much at risk in cyber space as are larger organisations like Sony. More and more of our clients are asking us to carry out penetration testing projects on their networks and websites. I hope they are in the vanguard and that penetration testing becomes as standard a cyber defence tool as strong passwords.

There are a number of reasons why SMBs are increasingly hunted as cyber prey:

  1. Their cyber defences are usually inadequate – poorly written web applications, loopholes in their network defences, out-of-date patching, default security configurations, and so on;
  2. SMBs also have valuable information – credit card data, personal information, intellectual property, and so on – and stealing an aggregate 10,000 records from 100 SMBs is likely to be easier than a single theft of 10,000 records from a larger, better defended organisation;
  3. Infecting hundreds of SMB websites with malware is an inexpensive way of creating pharming sites, or Trojan downloader sites, which have the added advantage of legitimate URLs;
  4. Controlling hundreds of SMB network servers in an SMB ‘bot net’ can be more effective for a hacker than controlling 1,000s of domestic PCs.

The cost of recovery from a successful cyber attack can be significant; the damage done to clients and credibility can be even more significant. Most smaller organisations shy away from penetration testing because it seems arcane, technical and expensive. It doesn’t have to be.

Increase infosec spending – reduce cyber damages

Monday, November 21st, 2011

A recently published study into Global 2000 IT-spending intentions identified that 39% of corporations are spending more on information security this year, with 37% planning to increase spending in 2012.

With cyber security identified as a key strategic threat facing organisations worldwide, sensible CIOs and CISOs will now be spending at least 13% of their IT budget directly on information security. There is a growing body of evidence that points to increased expenditure having a direct impact on reducing the frequency and impact of cyber crime. In particular, the 2010 Cyber Security Watch Survey found that there was, on average, a 10% reduction in the losses from cybercrime resulting from significantly increasing spend on cyber security. As individual cyber incidents can cost $3 million or more, a 10% reduction can be seriously worth having!

In fact, adopting and applying cyber security standards for managing information security and business resilience can pay off massively – depending on whether you adopt a self-help approach or bring in outside consultants, a best practice ISO27001 Information Security Management System can cost as little as £3.5k to £10k to implement, and can more than pay for itself in reduced financial damages in almost no time!

ITG 5 (IT Governance: a Manager’s Guide – 5th Edition) completed!

Friday, November 11th, 2011

At the end of October, we submitted the manuscript of the 5th Edition of our best-selling book on implementing an ISO27001 Information Security Management System (ISMS) to our external publisher, Kogan Page. It should be in bookshops across the world in Spring 2012.

This 5th Edition is completely updated and combines the content of International IT Governance, the version of the book that we produced for the North American market, with that of IT Governance. This means that there will now be a single edition, with coverage of IT governance, legal, security and compliance issues in the UK and in North America, as well as in Europe and elsewhere across the world.

We’ve obviously also updated all the technology content of the book, and have included the most recent information about Advanced Persistent Threats, attack vectors, cyber crime standards, the cyber resilience agenda, social media governance, PCI DSS and, of course, cloud computing.

While the core standards, ISO/IEC 27001 and ISO/IEC 27002, have not yet been updated from the versions published in 2005, a whole family of ISO27000 standards has been created and is being published with great regularity. Our new book incorporates material from a number of these standards and places them in their broader implementation context.

While working on the book, I came across a growing number of surveys and reports in which the link between increased expenditure on information security and a reduced incidence of cyber breaches (and, therefore, reduced financial and business impairment) is clear. It has always been obvious to us that, in an insecure neighbourhood – and the Internet is a deeply insecure environment – it is simply good sense to lock the doors, alarm the house and secure one’s valuable assets.

The growing number of organisations certificated to ISO27001 (many of whom have taken advantage of our range of certificated ISO27001 training courses to prepare themselves) all contribute to greater information security awareness amongst users of digital assets. We hope that the 5th edition of IT Governance: a Manager’s Guide will help many more organisations around the world make the first step toward better digital self-preservation.

Does boredom mean security?

Monday, June 27th, 2011

Uh, no. A LulzSec member says the group is ‘bored’ and is therefore disbanding. Does that mean an end to cyber attacks? Uh, no. The individual members of a group of hackers don’t all stop doing stuff just because a couple of the members are bored. Sure, they might disband. Some of them have – allegedly – already joined up (again?) with Anonymous. Irrespective of what the ex-LulzSec folk do, they’ve already done enough to inspire copy-cat attackers around the world – or so says Kevin Mitnick, retired hacker, author and security consultant.

And, if that’s not enough, kids are being taught hacking basics at DEFCON Kids (for 8 to 13-year-olds), so that takes care of hacking for the future. And, as I’ve said on many occasions in the past, it’s not just hackers doing it for the craic; there is a whole commercial hacking scene as well: for instance, a cyber-spying company in India specialises in hacking into email and stealing the information contained therein.

The Internet is an extremely insecure environment. There are lots of bad people out there. It’s like medieval Europe – when bands of predatory attackers roamed around, looking for opportunities to rape, rob and pillage – and towns and cities threw up battlements and turrets, and dug moats, and installed portcullises and so on – all to keep the bad people out. If you decided to build your house on the plain, or to run a fair beside the river, you would very quickly lose everything. It’s like that on the Internet today. You can’t just connect to the Internet and expect to remain unpillaged for long – you need battlements and other such stuff. Today, we call that stuff Internet Security and, because we can’t check it by walking (or riding) around the walls just looking for cracks that a pillager might exploit, we use penetration testing and vulnerability scanning to make sure that we’ve identified and closed down any security holes BEFORE they are exploited.

It does tend to be cheaper to close vulnerabilities before they are exploited…

Pre-hack backups

Friday, June 24th, 2011

Among the most common errors of judgement that I see from company directors is the failure to carry out regular and detailed reviews of their business continuity arrangements. For most boards, the whole discussion is boring. It becomes even more boring when the discussion has to work its way through identification of critical systems and processes, determination of Maximum Tolerable Periods of Disruption and Recovery Time Objectives, as well as identifying threats and vulnerabilities and estimating likelihoods and impacts of external events that might unacceptably disrupt key processes.

Inactions have consequences. DistributeIT.com.au ceased to exist as an independent business because it hadn’t identified the possible impact of a devastating hack attack: it didn’t have adequate offsite backups for the 4,800 websites it hosted. And that’s what business continuity plans are for: to ensure that, as an organisation, you can survive when something terrible happens. You would have thought that an IT company would understand the importance of backups but, again, my experience is that most organisations never actually think through the circumstances in which they might have to recover from their backups, and they are therefore never prepared when disaster strikes.

The good news, of course, is that there are internationally recognised standards for business continuity management – BS25999 (shortly to be ISO22301) and ISO/IEC 27031 – and there are Business Continuity Management Toolkits to help you with a BCM implementation. But there is no substitute for directors paying attention to what is going on in the risk world around us, and taking appropriate action to survive the unexpected. Right now, of course, being hacked is one of the more likely things to happen, so there really isn’t an excuse for being caught napping on this one!

Cybercrime – are you feeling lucky today?

Thursday, June 23rd, 2011

90% of businesses have, according to Juniper Networks and the Ponemon Institute, suffered a cyber security breach in the last 12 months. 90%? Wow!

Certainly, just looking at the security breach headlines of the last few days, you would have to conclude that far too many organizations don’t give a damn about online security. News reports in my inbox today:

And these reports are all subsequent to the arrest, earlier this week, of a 19-year old now facing charges under UK Computer Misuse legislation. Guess what – there must be more than one person out there with the skills, capability and interest in hacking into your website or network!

Over the course of the last few weeks, we’ve heard that hackers have identified security vulnerabilities and have exploited them to hack any number of high profile organisations:

  • SOCA (the UK’s Serious Organised Crime Agency)
  • IMF
  • CIA
  • CitiBank
  • Sony
  • Nintendo
  • Sega
  • Fox
  • British Phonographic Industry
  • International Federation of the Phonographic Industry
  • PBS
  • US Senate
  • Etc

So, unless you are carrying out regular monthly or quarterly HackerGuardian scans and/or regular penetration tests, and with the average cyber attack costing its victim something of the order of half a million US dollars, you have to ask yourself: ‘Do I feel lucky today?’ Well, do you?

One arrest does not a solution make

Wednesday, June 22nd, 2011

As Iran has discovered, arresting individuals the government doesn’t like, or doesn’t agree with, doesn’t stop others protesting. Quite often, as Tunisia, Egypt, Libya, Yemen and others learned, arresting one person can lead to far more violent, vigorous and ultimately destructive protests.

The arrest, last night, of a 19-year-old man alleged to have been one of the LulzSec masterminds will not immediately patch the Internet security vulnerabilities that have been so gleefully exploited by hackers over the last few weeks. Unpatched security vulnerabilities are still an open invitation to hackers to penetrate an organisation’s data banks and, as has been proven time and again, there are lots and lots of hackers interested in proving their prowess. Many are also interested in the commercial resale value of what they are able to access.

Arresting one or more hackers is not a solution to cyber security weaknesses. The only practical solution is to identify those weaknesses and then remediate – and, as I’ve said before, that is a very straightforward process: vulnerability scanning, penetration testing, and then remediation – patching vulnerabilities, training staff, and improving technical security architectures.

The only solution to the cyber security threat is better security.