Archive for the ‘Mobile Devices’ Category

No BYOD Policy? 50% Chance of a Breach….

Friday, March 22nd, 2013

Half of all firms which allow staff to bring their own device, but don’t have any firm information security policies or practices around BYOD, have suffered a security breach – according to Dell, and as reported by

A Dell executive director is reported to have said: “we would not advise customers to simply let users bring in any device at all. In fact, what we’ve found is that customers that have allowed a BYOD policy, that have allowed end users to bring in anything that they want, 50% of those companies experienced a security breach.”

I’m surprised it’s only 50%; I suspect that the other 50%, the ones who haven’t reported a security breach, only haven’t reported one because they don’t know that it has occurred. Adequate staff awareness and effective information security incident reporting is, still, a minority activity – organisations that would allow staff to use insecure personal devices for corporate tasks are, by definition, unlikely to be among the minority of organisations who take these things seriously.

BYOD should only be rolled out after a properly informed risk assessment and deployment should be built around a clear policy and comprehensive Acceptable Use Agreement – in fact, whether you’re thinking of implementing BYOD or of overhauling an existing BYOD scheme, your best starting point is this BYOD Policy Template Toolkit.

BYOD and the DPA

Friday, March 8th, 2013

Bring Your Own Device (BYOD) brings enormous potential benefits for organisations that adopt it, as well as for their employees. It also brings significant commercial and regulatory risks. In this post, I want to applaud the UK’s Information Commissioner for issuing clear and helpful advice on the steps that should be considered by organisations contemplating BYOD.

The cornerstone of the ICO’s advice is this: “It is important to remember that the data controller must remain in control of the personal data for which he is responsible, regardless of the ownership of the device used to carry out the processing.” This guidance is as true for organisations dealing with data that is subject to PCI DSS, GLBA, HIPAA, PIPEDA or virtually any other law anywhere in the world that sets out to protect personal information.

Organisations that have embraced or otherwise implemented BYOD should now move quickly to ensure that their BYOD policies and practices are aligned with the ICO’s advice – IT Governance Ltd have just issued a BYOD Policy Template toolkit (supported, as part of the price, with an Acceptable Use Agreement) that is designed for easy customisation to suit the requirements of your own organisation. This toolkit, uniquely, was constructed so that it would not only reflect the ICO’s most recent guidance, but so that it could easily be integrated into any ISO27001 or ISO22301 management system (particularly if it already uses one of the ITPG documentation toolkits).

I know, from conversations with many CIOs, that BYOD simultaneously entices and worries them – they can see the corporate financial benefits but worry about the security implications. In an environment where only BlackBerry is traditionally seen as a secure corporate communications device, the idea of migrating to potentially unsafe Android devices is a real worry. The thing is, any organisation can limit its BYOD options to those it considers safe – there is no reason to allow just any technology if corporate assets and personal data might be at risk.

BYOD is not going to go away. We are now clearly past the Early Adopter phase for this approach, which means that more and more organisations are going to have to think hard about how they approach the matter.

Combined with the growing use of Cloud services, BYOD could be the beginning of the end for traditional IT infrastructure – and for the IT department as we know it.



What level of security do you need?

Friday, February 22nd, 2013

In amongst all the accusations and counter-accusations (see, for instance, this summary in Cybersecurity: Experts Wonder If New Obama Order Goes Far Enough in the International Business Times) about who is cyber attacking who, and who isn’t, two thoughts emerge: the first is that more and more organisations around the world are suffering the consequences of cyber attacks, and the second is that not all are!

Business continuity professionals face this conundrum every day: managements telling them that while other organisations have clearly suffered severe disruptions from some form of external event, their organisations haven’t (yet). This choice, in more banal terms, could be described as: some houses have been broken into in this neighbourhood, but some haven’t – should we take precautions against that possibility or not?

A key part of a sensible answer to this question would depend on your assessment of the likelihood of a break-in, starting perhaps with an assessment of how many house robbers there are in the vicinity. If you think that you live in a hot area for house theft, you’d probably decide on some precautions – probably not at the same level as required by the neighbourhood bank, but certainly enough to secure your house and assets.

The same approach is necessary for digital assets. The Internet is a hot area for the theft of digital assets, so basic precautions make sense for everyone. If you’re an organisation, ‘basic precautions’ means:

  1. Vulnerability scanning & penetration testing;
  2. Encryption of mobile devices;
  3. Staff training and awareness; and
  4. Email encryption.

What to do about UK data breaches?

Thursday, November 24th, 2011

Another day, another (damning) survey.

A recent report from Big Brother Watch “uncovered more than 1000 incidents across 132 local authorities, including at least 35 councils who have lost information about children and those in care.
Highly confidential information has been treated without the proper care and respect it deserves. At least 244 laptops and portable computers were lost, while a minimum of 98 memory sticks and more than 93 mobile devices went missing.
Yet of the 1035 incidents, local authorities reported that just 55 were reported to the Information Commissioner’s Office. Perhaps more concerning, just 9 incidents resulted in termination of employment.”

This survey is just the latest in a long series of reports and news releases that all point at the same three inadequacies: 

The list goes on – as I identified yesterday, nearly 50% of breaches reported to the ICO relate to lost, unencrypted laptops or USB sticks. And it appears that the number of (so far) unreported losses may exceed those reported.

And the position on encrypting laptops and USB sticks is clear. According to the ICO’s Acting Head of Enforcement, Sally Anne Poole:

“The ICO’s guidance is clear: all personal information – the loss of which is liable to cause individuals damage and distress – must be encrypted. This is one of the most basic security measures and is not expensive to put in place – yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people’s personal information at risk unnecessarily.”

There are three things that every organisation must do as a matter of course:

  1. Ensure that all laptops – or at least all laptops that might at some point contain personal information – have boot-level, FIPS 140-2 encryption software installed;
  2. Ensure that all USB sticks that come onto corporate premises, or which are used by staff and contractors, are also encrypted to FIPS 140-2;
  3. Ensure that all staff – managers as well as front line staff – have adequate training and awareness around their responsibilities for protecting personal data.

Any organisation can do these three things. It isn’t hard.

My own company has tried to make it easy for our customers. We’ve provided specific DPA classroom training as well as a comprehensive DPA Compliance Documentation Toolkit for some years.

We’ve now gone a step further, and identified appropriate laptop encryption software, as well as appropriate CESG-approved encrypted USB sticks, and we’re supplying both – in single units or in bulk – directly from our UK website and service centre. We’ve also developed a unique DPA e-Learning Staff Awareness course that can be deployed across the largest organisation and which will ensure (with necessary evidence) that staff have received the core awareness training they need.

Analysis of Information Commissioner Cases

Tuesday, November 22nd, 2011

We carried out an analysis of the data breach cases which led to the UK’s Information Commissioner extracting an undertaking from the organisation concerned. Over the last 18 months (May 2010 – mid-November 2011), this is the breakdown of 85 cases:

| Incident type | No. of cases | % of cases |
|---|---|---|
| Lost / stolen unencrypted laptop | 16 | 18.8% |
| Lost / stolen unencrypted USB (20), CD (1), camcorder (1) | 22 | 25.9% |
| Lost / binned / theft / exposure of paper records | 24 | 28.2% |
| Data exposed on website / emailed or faxed to unauthorised individuals | 16 | 18.8% |
| Unsecure / incorrect / exposure of electronic data storage | 7 | 8.3% |

The largest category of data breaches is to do with paper records, not with digital data. Many people don’t seem to think that the DPA also applies to paper records. More than that, it is harder for organisations to impose technical security controls on paper documents. This gap can only be filled by training. In today’s climate, the most cost-effective way to train people is DPA Staff Awareness eLearning – this ensures that all staff get a consistent message, tests staff understanding of the key concepts, retains records of completion of training and testing, and enables the employer to systematically train everyone at a low individual cost.

Nearly 50% of the cases are due to an absence of encryption – either of a laptop or of a USB stick. Failure to require staff to use encrypted USB sticks (SafeSticks) is, bluntly, reckless.

The breakdown of organisations concerned is also interesting:

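| Offender | No. of cases | % of cases |
|---|---|---|
| Lawyers | 4 | 4.7% |
| Schools | 11 | 12.9% |
| Councils | 18 | 21.2% |
| Social services | 4 | 4.7% |
| Hospitals / NHS trusts | 29 | 34.1% |
| Commercial organisations | 10 | 11.8% |
| Police | 3 | 3.5% |
| Government | 6 | 7.1% |
| Public sector | | 88.2% |
| Private sector | | 11.8% |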

I’m convinced that the only reason the private sector does so well in these statistics is the anomaly that the public sector is required to report data breaches, but the private sector is not (yet). This may change a bit with the new PECR requirement on ISPs to report data breaches but, until the appearance of a broader pan-European data breach reporting requirement, I would expect this reporting imbalance to continue.

The private sector is, however, subject to potentially hefty financial penalties – from the ICO and from individual regulatory bodies, such as the FSA. More importantly, breached private sector organisations are subject to those most severe of business penalties – reputation destruction and customer desertion. The sensible private sector organisation will be taking steps, now that ISO27035 has been published, to ensure that its incident management and security breach reporting capabilities are up to scratch.

Encrypt sensitive email – or be fined!

Friday, June 10th, 2011

Surrey County Council’s recent £120k fine from the Information Commissioner was for failing, on three separate occasions, to assess and address the security risks of sending sensitive personal information by email. In each case, highly sensitive information ended up in the wrong hands by mistake – and the fine wasn’t for the mistake, it was for failing to realise that sometimes emails are mis-directed and taking appropriate steps to control the risks.

And that’s one of the important points about the Data Protection Act – it expects organisations to assess risks to personal information, and then to take appropriate administrative, technical and organisational steps to control the identified risks. In the case of sending sensitive information by email, it should by now be self-evident that mistakes sometimes happen and that applying encryption to such emails, as a standard, should be as much a default information security control as applying encryption to laptops and mobile media and USB Sticks.

Social Media & IT Governance

Monday, April 11th, 2011

“‘IT departments make the mistake of ignoring social media at one extreme or banning it at the other, when what they really need is a risk based strategy’, says Gartner research director Julie Short.”

She is of course correct. I’ve been arguing, since the appearance of Instant Messenger as a killer social media application, that it’s a mistake for IT departments to simply lock down or prohibit the use of new media and communications channels in the enterprise.

There are three reasons for this.

The first is that stopping people using applications which they already know will make communication quicker, easier, more dynamic and more effective makes IT departments appear Luddite – which is not exactly in line with what one might expect from that part of the business which is in charge of technology-based competitiveness.

The second is that good people will mostly tend to go and work for organisations that use technologies that they know about, rather than being forced to operate with outdated tools. And those organisations that limit themselves to recruiting from amongst the less ambitious will tend, over time, to be destroyed by those who are more future-orientated.

The third, of course, is that we live and work in a fast-moving Internet world; organisations that prohibit or over-control use of social media technologies are cutting themselves out of competition and, eventually, out of business.

I recognise that there are risks – to the confidentiality, integrity and availability of information – in the unbridled use of new social media within an enterprise. A risk-based strategy involves identifying specific risks, adopting appropriate policies, selecting and enforcing relevant controls, and reviewing and monitoring activity. We made all of these tools available in our Social Media Governance Toolkit, on the basis that what most organisations want today is to deploy the controls and get on with exploiting the social media channel, rather than having to re-invent the social media policy wheel.

Social Media Governance

Friday, April 1st, 2011

Gartner says that “IT & business leaders must face the fact that social collaboration is already a reality.” I agree. As a company, we have been working with social media in its varying, evolving forms for a number of years. This blog, for instance, has been in existence for five or six years – it’s never been a blog-a-day blog, but I’ve been writing about issues in and around information security and IT Governance irregularly for a long time. We published a Web 2.0 Best Practice Report in July 2008 and coined the phrase ‘Threat 2.0’ to describe the combination of threats to confidentiality, integrity and availability of data posed by the explosion in social media.

As a company, we’ve been producing the IT Governance blog for a couple of years, have a twitter feed (which we’ve just made the default way of ensuring that everyone inside the company is able to stay on top of our own news and developments), an IT Governance on Facebook page and a large number of topic-related IT Governance LinkedIn groups, all sitting under a single IT Governance profile.

We’ve grappled with social media for many years, from the early excitement of each of the ‘next big things’ through to the period of mainstream adoption, where issues like employee accountability, corporate resilience, privacy, compliance, confidentiality, data integrity and archiving are being taken increasingly seriously by business, IT and compliance leaders in organisations large and small across the world.

Our Social Media Governance Toolkit was developed out of a combination of our own experience, research and identification of existing good practice across the Internet. It continues to be informed by both internal and external feedback from actual use and we continue to make upgrades available to customers who have already purchased their own copy. For instance, we will shortly be sending out a LinkedIn Group Policy template, reflecting our own experience with the need to ensure that LinkedIn Groups continue to be useful forums for exchanging information in a reasonably informal (but unspammed) environment.

We hope, as increasing numbers of organisations deploy our Social Media Governance Toolkit (or similar policies and practices), that we will between us keep the ‘free interchange’ aspect of the Internet working effectively.

Local Councillors Must Comply with DPA

Wednesday, January 26th, 2011

According to an article published today, local councillors must register with the ICO if they process personal data in their constituency offices. Apparently 6,000 are already registered and another 13,000 could and should. Of course, registration with the ICO is just the start – once registered, they also have to comply with the DPA. Compliance is relatively straightforward – the problem is that most organisations, particularly smaller ones, leave compliance until after they’ve been breached and then have to deal with all the sad repercussions of negative press coverage and distressed constituents. The penalties for compliance failures are potentially very significant.

To encrypt or not to encrypt?

Friday, October 1st, 2010

For the Forth Valley NHS Board, the answer is now a resounding ‘Yes’. Of course, it should have been a ‘Yes’ before there was a data breach, and before sensitive patient details were put at risk. However, the Board has now recognised (and has formally committed to ensure) that the only USB sticks available for use by Board staff should be issued by the Board, and that these USB sticks should all be encrypted.

It is, in today’s world of portable media, a basic security step. ISO27001 control A.10.7.1 specifically deals with management of removable media and any organisation implementing this control must (amongst other things) use encrypted memory sticks – which can be purchased with USB-resident encryption, so that they are simple to deploy and use in the workplace.