Archive for the ‘Data Protection’ Category

Cyber security – how much should I spend?

Wednesday, April 24th, 2013

Cyber security costs money – but then, so does cyber insecurity – and the problem with data breach costs is that they are usually accompanied by even more expensive business disruption and reputation damage – often when you need it least!

Increasingly, organisations ask: “How much should we spend on getting ourselves cyber-secure?”

Here are two guidelines:

    1. According to the recently published ISBS 2013 survey, the total cost of cyber insecurity to British business increased three-fold last year. Therefore, whatever you spent on cybersecurity last year, you should spend roughly three times as much this year.
    2. The cost of the worst breach, for smaller organisations, was between £35k and £65k – and, with the median number of breaches for small organisations having climbed to 17, the actual annual cost is likely to be in the order of £100k. So it makes good sense for a smaller organisation to spend up to £100k as an initial investment in order to reduce the growing annual losses to cyber risk. If you’re a larger organisation, for whom the worst breach costs in excess of £1 million, the necessary investment could easily be of that order.

Of course, how much you actually need to invest does depend on your actual cyber insecurity – and the way to work that out is to compare your current cyber security stance with that described in either the UK Government’s 10 Steps to Cyber Security, or in the NIST/CSIS 20 Security Controls. The appropriate framework depends on your organisational size. Yes, you will need to deploy competent and appropriately skilled people to do the assessment, and this is where services like professional cyber security risk assessments come in.

123456 is your Passw0rd to Cyber Extinction

Tuesday, March 26th, 2013

In a long and interesting Wired post (Kill the Password: Why a String of Characters Can’t Protect Us Anymore) at the back end of last year, Matt Honan wrote about how easy it is for a hacker to crack pretty well any given password. One part of his argument is that, given enough time and using modern password hacking tools, even strong passwords can be cracked relatively easily.

Also in Wired, Nate Anderson wrote yesterday (How I became a password cracker) about how easy it was for him – a non-hacker – to acquire the skills and tools to become an effective password cracker. If you think that people worrying about passwords is all a lot of hot air, and that, anyway, ‘it couldn’t happen to you – or to anyone in your company’, then these two articles are essential reading.

There are two possible takeaways from these articles. The first is that it’s time to go beyond passwords, to two-factor authentication and the more widespread use of software like Trusteer Rapport. While this is a logical direction of travel for organisations with deeper pockets (and we’re seeing more and more of these sorts of solutions from online banking institutions), it’s not so easy in the short term for individuals or most other organisations.

For individuals, the only short term solution is a combination of a strong password – 8 alphanumeric characters (combining numbers, letters, upper and lower case, special characters) changed at least every 90 days – and sustained, suspicious vigilance – particularly of anyone or anything asking for sensitive information (birthday, mother’s maiden name) under any circumstances.

For other organisations, staff training and awareness – ideally delivered within a structured ISO27001 Information Security Management System that enforces proper password selection and management – is the essential, immediate step. The best and most effective way to deliver staff training and awareness is online – using an easily customisable, pre-created e-learning solution. Organisations that postpone the decision to take a structured, formal approach to information security are very like dinosaurs who thought that meteor-triggered climate change wouldn’t affect them. After all, the most commonly used passwords today are still 123456 and passw0rd.
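The password rule given above (at least 8 characters drawing on upper case, lower case, digits and special characters, rotated at least every 90 days) is the kind of control an ISMS would enforce at the point of password selection. The check below is an added example written for this page, not code from the post or from any ISO27001 toolkit it mentions. It enforces the stated composition and age rules and then adds the one check composition rules cannot do on their own: a denylist of common passwords. The denylist here is a small constructed set built around the two passwords the post names, 123456 and passw0rd; a real deployment would load a far larger list of breached and common passwords.

```python
import re
from datetime import date, timedelta
from typing import List, Optional

# Policy stated in the post: at least 8 characters, mixing upper case,
# lower case, digits and special characters, changed at least every 90 days.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90

# Constructed denylist for this example (not from the post): the two passwords
# the post names as still the most common, plus a few obvious relatives.
COMMON_PASSWORDS = {"123456", "passw0rd", "password", "12345678", "qwerty"}


def check_password_policy(password: str, last_changed: date,
                          today: Optional[date] = None) -> List[str]:
    """Return the list of policy failures; an empty list means the password passes.

    Composition rules alone would accept 'Passw0rd!' (it has all four character
    classes), so the denylist comparison is done on a normalised form: lower-cased
    with non-alphanumerics stripped, so that 'Passw0rd!' is recognised as 'passw0rd'.
    """
    today = today or date.today()
    failures: List[str] = []

    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        failures.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special character")

    normalised = re.sub(r"[^a-z0-9]", "", password.lower())
    if normalised in COMMON_PASSWORDS:
        failures.append("on the common-password denylist")

    if today - last_changed > timedelta(days=MAX_AGE_DAYS):
        failures.append(f"older than {MAX_AGE_DAYS} days")

    return failures


if __name__ == "__main__":
    # Constructed sample inputs: an assessment date and three candidate passwords.
    assessed_on = date(2013, 3, 26)
    for pw, changed in [("123456", date(2013, 3, 1)),
                        ("Passw0rd!", date(2013, 3, 1)),
                        ("Tr0ub4dor&3", date(2012, 12, 1))]:
        print(pw, "->", check_password_policy(pw, changed, today=assessed_on) or ["OK"])
```

Run as a script it reports each failing rule per candidate; called from an account-provisioning or password-change handler it gives the user the specific reasons a choice was rejected. The normalisation step is what makes the denylist worth having: without it, appending a single "!" to a known-bad password would satisfy every composition rule.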

No BYOD Policy? 50% Chance of a Breach….

Friday, March 22nd, 2013

Half of all firms which allow staff to bring their own device, but don’t have any firm information security policies or practices around BYOD, have suffered a security breach – according to Dell, and as reported by

A Dell executive director is reported to have said: “we would not advise customers to simply let users bring in any device at all. In fact, what we’ve found is that customers that have allowed a BYOD policy, that have allowed end users to bring in anything that they want, 50% of those companies experienced a security breach.”

I’m surprised it’s only 50%; I suspect that the other 50%, the ones who haven’t reported a security breach, only haven’t reported one because they don’t know that it has occurred. Adequate staff awareness and effective information security incident reporting is, still, a minority activity – organisations that would allow staff to use insecure personal devices for corporate tasks are, by definition, unlikely to be among the minority of organisations who take these things seriously.

BYOD should only be rolled out after a properly informed risk assessment and deployment should be built around a clear policy and comprehensive Acceptable Use Agreement – in fact, whether you’re thinking of implementing BYOD or of overhauling an existing BYOD scheme, your best starting point is this BYOD Policy Template Toolkit.

BYOD and the DPA

Friday, March 8th, 2013

Bring Your Own Device (BYOD) brings enormous potential benefits for organisations that adopt it, as well as for their employees. It also brings significant commercial and regulatory risks. In this post, I want to applaud the UK’s Information Commissioner for issuing clear and helpful advice on the steps that should be considered by organisations contemplating BYOD.

The cornerstone of the ICO’s advice is this: “It is important to remember that the data controller must remain in control of the personal data for which he is responsible, regardless of the ownership of the device used to carry out the processing.” This guidance is as true for organisations dealing with data that is subject to PCI DSS, GLBA, HIPAA, PIPEDA or virtually any other law anywhere in the world that sets out to protect personal information.

Organisations that have embraced or otherwise implemented BYOD should now move quickly to ensure that their BYOD policies and practices are aligned with the ICO’s advice – IT Governance Ltd have just issued a BYOD Policy Template toolkit (supported, as part of the price, with an Acceptable Use Agreement) that is designed for easy customisation to suit the requirements of your own organisation. This toolkit, uniquely, was constructed so that it would not only reflect the ICO’s most recent guidance, but so that it could easily be integrated into any ISO27001 or ISO22301 management system (particularly if it already uses one of the ITPG documentation toolkits).

I know, from conversations with many CIOs, that BYOD simultaneously entices and worries them – they can see the corporate financial benefits but worry about the security implications. In an environment where only BlackBerry is traditionally seen as a secure corporate communications device, the idea of migrating to potentially unsafe Android devices is a real worry. The thing is, any organisation can limit its BYOD options to those it considers safe – there is no reason to allow just any technology if corporate assets and personal data might be at risk.

BYOD is not going to go away. We are now clearly past the Early Adopter phase for this approach, which means that more and more organisations are going to have to think hard about how they approach the matter.

Combined with the growing use of Cloud services, BYOD could be the beginning of the end for traditional IT infrastructure – and for the IT department as we know it.

What level of security do you need?

Friday, February 22nd, 2013

In amongst all the accusations and counter-accusations (see, for instance, this summary in Cybersecurity: Experts Wonder If New Obama Order Goes Far Enough in the International Business Times) about who is cyber attacking whom, and who isn’t, two thoughts emerge: the first is that more and more organisations around the world are suffering the consequences of cyber attacks, and the second is that not all are!

Business continuity professionals face this conundrum every day: managements telling them that while other organisations have clearly suffered severe disruptions from some form of external event, their organisations haven’t (yet). This choice, in more banal terms, could be described as: some houses have been broken into in this neighbourhood, but some haven’t – should we take precautions against that possibility or not?

A key part of a sensible answer to this question would depend on your assessment of the likelihood of a break-in, starting perhaps with an assessment of how many house robbers there are in the vicinity. If you think that you live in a hot area for house theft, you’d probably decide on some precautions – probably not at the same level as required by the neighbourhood bank, but certainly enough to secure your house and assets.

The same approach is necessary for digital assets. The Internet is a hot area for the theft of digital assets, so basic precautions make sense for everyone. If you’re an organisation, ‘basic precautions’ means:

  1. Vulnerability scanning & penetration testing;
  2. Encryption of mobile devices;
  3. Staff training and awareness; and
  4. Email encryption.

Basic Technical Security: Encryption and Pen testing

Wednesday, February 20th, 2013

I’ve argued, for some time, that laptop and mobile device encryption should be an absolutely standard security measure – mobile devices will get lost or stolen, and boot disk encryption is the only realistic way of protecting against the risk of someone accessing data or using the device to access your network. In fact, my company now has published Green Papers on the subject of Encryption, and we’ve recently become Sophos and Symantec distribution partners. Device encryption is a security measure as fundamental as fitting security bars to a shop window in a dodgy neighbourhood (and, believe me, the Internet is a seriously dodgy place to hang out).

Vulnerability scanning and penetration testing is now just as fundamental – it’s a bit like doing a routine inspection of your various perimeter defences (security grilles, door and window locks, fan lights and cat flaps) to make sure they’re still doing their job. After all, rust, a loose screw, a broken key or an incorrectly shut fan light window could give a cat burglar an illegal ingress opportunity – in much the same way that an unpatched website vulnerability or inadequately secured firewall will allow free access to your networks by a cyber hacker (most of whom are way niftier than your average cat burglar), where they may sit, undetected, for months on end, waiting for valuable data to come their way.

Would you be happy to have a ruthless burglar living, undetected, in your attic? No? So why allow them to hide inside your corporate network? Start routine vulnerability scanning and penetration testing today. Confirm that the windows are actually locked and that you’re hacker-free.

Infosec Skills Shortage

Tuesday, February 19th, 2013

The last few weeks have seen a spate of stories – in the national press as well as in the more specialist industry journals – bewailing the shortage of information security/cybersecurity skills.

Here’s an idea: do a training course! Get some of those valuable, scarce skills! Training is available at all levels – from Foundation courses on best practice information security management, or on cloud security – all the way through to more challenging qualifications like CISSP and Ethical Hacking.

The thing is, in the IT industry, we mostly accept the logic that virtually everyone should do at least an ITIL Foundation course, that lots of people should do PRINCE2 – even though most people won’t really ever use the qualification – but we haven’t placed the same level of importance on basic information security training.

That has to change now. Information security is too important to leave to chance. You have to start ensuring that everyone who has any sort of IT service management qualification also has a foundational understanding of risk management and control selection. Here’s a good starting point: ISO27002 – Best Practice for information security management.

Cyber Hackers

Monday, February 18th, 2013

Fortune, in its Europe edition, dated 11 March 2013, identifies six different hacker types, and offers a summary of their differing motives, objectives and signature attacks. The six types that it lists are:

  • State sponsored hackers – from China, Russia, Iran, Israel, the USA – whose objectives are espionage, theft of state and commercial information, cyber sabotage and cyber warfare;
  • Cyber-criminals – based all round the world – whose objectives are simply illegal commercial gain, by stealing payment card details, customer data and online fraud;
  • Insiders – your staff, and ex-staff – who may want to get even, prove a point, settle a score or ingratiate themselves with a future employer;
  • Script kiddies – increasingly sophisticated hackers, who like the intellectual challenge and simply want to demonstrate their hacking prowess to others like themselves;
  • Hacktivists – whose objectives range from religious fanaticism through to Internet freedom or anarchism; and
  • Vulnerability brokers, whose business model is to find vulnerabilities in commercial software (e.g. Google) and sell details of those vulnerabilities to the highest bidder (usually state-sponsored or a high-level cyber-criminal) for them to exploit.

To those six groups I would add state intelligence organisations, which usually all have a commercial arm that operates on behalf of commercial enterprises to help them advance their commercial objectives ‘by other means’.

“Not my field….”

Saturday, February 16th, 2013

There have been a number of occasions, over the years, where an otherwise competent company director has said to me, of technology or information security: “it’s not my field, so I don’t really have a view.” Now, there are many circumstances in which this might be a reasonable thing to say, but when one is talking about the organisation’s cyber security, it’s not so smart.

Let me draw a parallel. Does one have to be a petrol head to be interested in whether or not a motor car will get you safely from A to B? Do you have to be some kind of geek to be interested in whether or not the brakes and steering will work? Does one have to have studied mechanical engineering at University to want someone technically qualified to tell you that the engine will operate as intended?

Uh, no.

So why does one have to understand technology to insist that the organisation employ (or contract with) someone technically qualified to assess the strength and robustness of the organisational cyber defences? It’s a relatively trivial matter to establish whether or not someone is technically competent, and it’s equally as straightforward to require a monthly report that confirms that your cyber defences have been tested, that newly identified vulnerabilities have been fixed, and that the organisation is appropriately protected.

The alternative, increasingly, appears to be coverage in the newspapers, on top of the longer lasting impacts of being successfully breached – and, increasingly, it won’t just be defence companies, as it is now:

EU Commission and UK Cyber Security Strategy

Wednesday, December 7th, 2011

While the UK cyber security strategy, published last week, is full of good stuff, it is lacking in one key area: compulsion. My view on this was quite widely reported last week: if UK organisations won’t take adequate action to protect personal data, under legislation that has been around since 1998, and won’t report breaches voluntarily to the Information Commissioner, then what on earth is going to cause them to share information about much more damaging cyber breaches?

The threat of a £500k fine hasn’t led to a dramatic increase in the number of UK organisations reporting data breaches, but nor has there been a dramatic decline in the number of successful hack attacks reported – initially, usually by the hackers, not by the hacked.

The European Commission appears to understand that organisations, public and private, are not pre-disposed to protect personal data. The proposed revisions to the European Data Protection Directive should, if enacted as currently drafted, bring substantial change – the threat of a fine equivalent to 5% of global revenue (applicable to EU entities, including EU subsidiaries of foreign companies) should bring a substantial change to data protection behaviour. Allied to a legal requirement to report breaches within 24 hours, this regulatory imperative may finally bring real protection to individual data.

Now, imagine how quickly UK organisations would get their cyber security houses in order if they were faced with a requirement to report all breaches within 24 hours and faced a very substantial fine – on top of the losses and other penalties they incurred. And imagine how quickly cyber security would find its way onto the corporate governance agenda and onto the list of issues about which shareholders are concerned.

It will be interesting to watch the progress of the EU directive and, alongside it, progress in implementing the UK’s current cyber security strategy. I hope there will be progress in both and fear that both may ultimately be ineffective – the EU law because the compulsion element is watered down, and the UK strategy because it is already quite watery.