When we think of data loss prevention (DLP), all too often our minds race ahead to technology and solutions (unless you read the earlier blog post on written material). For a large number of potential incidents (these are incidents which could have occurred, but haven’t yet), a discussion with employees is a great place to start.

When talking about DLP, the key message is “don’t shoot the messenger”. For people on the front line of dealing with intellectual property, customer details and other confidential information, information security is not top of their list. They are not (yet) specialists in the field, so what they do in their day-to-day work is what they do, nothing more or less. Remember the good old days of creating a CD ROM with a report on it and sending it through the post as it was too big to email… and the CD being lost, and no-one minding? Well, while you may think those days have gone, in reality they haven’t… sure, an incident will draw attention to poor business process, but unless you are proactive in discovering what is happening, then there is an incident just waiting to happen. How do you find these business process weaknesses? Ask – and it’s not just the managers, it’s everyone. But before you ask you need to make employees aware of what you are asking – and why… and most importantly, this is not about finding a messenger to shoot, it is about improving security. For your company information, for your customers’ information, for your partners’ information – in fact, for all information.

So, where to begin? Start with the obvious: what is the information you are interested in and how would someone recognise it? Then ask about how it is distributed and to whom. Is this something that is created every week, month or quarter? Does it get written to a CD ROM, emailed or printed out? Remember, the person who carries out the task does not always understand everything that may go into the transaction. They may press ‘F3’ in the application, insert a blank CD ROM and the system writes out the information – in an encrypted form. In which case, all is well. However, understanding that the process is carried out in that way means it can be checked and verified as secure.

A simple check of ‘real’ processes – those which are actually carried out – can help build information security within the organisation. This can then be extended, as more security awareness is created, to look for improvements. For example, the report used to be too big to email (ten years ago): is that still true today – or is there a better way? People will be happy to suggest ideas for improvements – as long as they don’t think they will be ‘shot’.
By Dr. Guy Bunker
In today’s electronic world, we concentrate on ensuring information held on computers remains secure, but in doing so we frequently forget ‘old-style’ data loss – that which occurs through misplaced or forgotten papers.
The media concentrates on large scale electronic data breaches with lost laptops or hacking, but occasionally we still hear of ministers who have had their photographs taken while inadvertently showing a document, or of a briefcase left on a train or a folder left under a seat in a restaurant.
Far more frequently, it’s the paperwork left around at work which can cause problems – nearly a quarter of all data loss is from printed matter. How many times have you walked into a meeting room to find ‘interesting’ information left on the table or on the whiteboard?
Here are five tips to help you prevent the written word becoming a writ…
- Put up a sign in conference rooms, reinforcing the policy, to ensure that all paperwork is taken away, whiteboards are cleaned and flipcharts have the used pages removed and disposed of securely.
- Shred important documents; don’t just throw them in the bin. Board papers, financial outlooks, patent ideas; all are valuable information to other people or malicious insiders.
- Remind people that, unlike laptops, you can’t encrypt a printed document – so if they need to take them ‘on-the-road’, they need to protect them. If they can use an electronic version rather than printed, then that is better, as it can be more easily secured. (And it helps the environment as well.)
- Revisit the shredding policy. For many organisations, document shredding is outsourced and documents are placed ‘whole’ in bins that are then taken offsite and shredded. However, there are probably still some pieces of information that should be shredded in-house (such as board papers and M&A documents). Local shredders should be made available for this purpose and the appropriate policy communicated to all.
- Shredding – it’s not just for paper. What happens to old CD ROMs? All too often they sit in a drawer and then get thrown in the rubbish at a later date. However, they could contain thousands of records, so put in place a policy to shred removable media when it comes to the end of its useful life – this includes CD ROMs, DVDs, tapes and even removable hard drives and USB sticks (although the latter can be securely erased electronically rather than physically destroyed).
By Dr. Guy Bunker
The Government launched its follow-on programme to Project Auburn today, which is designed to broaden the sharing of cyber-threat information between businesses and the Government. Recent studies, including the report from Mandiant, have demonstrated that the attacks are happening on a daily basis and against companies of all sizes.
Project Auburn was aimed at the largest of companies and critical infrastructure providers, but incidents (such as that with Dyson) have shown that it really is any and every company that is a target. Every company will need the security incident information that the larger companies have access to, in order to help protect itself.
While the new project has many plus points, there are still issues surrounding just who will have access and exactly what they will have access to. The new group of companies (160 of them) is still only a very small subset of UK businesses and it needs to be broadened out considerably more. While many companies may not be able to contribute to the information pool, they will be able to consume it. Along with the information on the attacks there needs to be guidance on how the threat can be recognised and mitigated. This guidance needs to be written in language which can be understood by non-experts, as well as by experts, to address the majority of SMEs in the UK.
The launch makes reference to the ability to monitor attacks and who is being targeted in real time. There also needs to be a notification mechanism in place for companies and organisations which are not currently participating in the programme – and it needs to be relatively rapid. A government process which takes three months to notify an organisation that it is under attack and having information exfiltrated is of little use.
Finally, there needs to be international cooperation. From an Internet and cyber-attack perspective, there are no international boundaries, so information needs to be shared – not only between the UK Government and UK businesses, but also in a reciprocal arrangement with other equivalent security programmes in other countries.
Forewarned is forearmed.
For those of you who read our blog regularly, you will know that in December we referenced how ‘bring your own device’ (BYOD) would continue to be one of the dominating security themes in 2013. Research released last week from the ICO and YouGov reflected this trend. Overall, the poll of over 2,000 British adults found that employers appear to have a laissez-faire attitude about allowing their staff to use their personal laptops, tablet computers and smartphones for work.
Looking at the figures in more depth, the survey shows that whilst 47 per cent of all UK adults now use their personal laptop or smart device for work purposes, fewer than three in ten are given guidance on how to do so securely. The YouGov survey also shows that email is the most common work activity carried out on a personal device, accounting for over half (55 per cent) of people who use their own devices for work purposes. This was followed by 37 per cent who used a personal device to edit work documents and 36 per cent to store work documents – many of these activities are likely to involve the processing of confidential or sensitive information.
The survey comes as the ICO publishes a free guide to help CIOs address some of the main issues around properly protecting customer, patient or personal data in a BYOD context.
To some extent, the culture of BYOD has developed as a direct result of companies saving money by not purchasing dedicated corporate devices for their staff. The problem comes when they cut corners on securing these devices within the corporate network. We know that, essentially, people use their own devices to suit their needs and ultimately to be more productive, which is commendable.
Many organisations have policies in place regarding the use of such devices, but the proliferation of smart devices means that another level of protection must be added: once a device holds company data, it needs to be covered by the company’s security policy. These devices are not just an entry point into the corporate network; they are also an exit point. Businesses need to consider what happens to the data stored on these devices when the individual leaves the company. There needs to be a policy and a process to ensure that corporate information has been appropriately removed as part of the leaving process. From a more mundane perspective, the company also needs to ensure there is a policy relating to when the device breaks or is lost, so that the productivity of the individual is not compromised.
Any organisation that does not take BYOD seriously is simply setting itself up for a data breach which will ultimately be more costly to the organisation (in terms of revenue and reputation) than dedicating some time to updating and enforcing the appropriate security policies.
The RSA conference was held last week in San Francisco and what an event it was… 23,000 participants, 350+ companies, countless education sessions and copious quantities of food and drink.
The Mandiant report came out the week before and that had created a lot of buzz which did not abate. But what was the overriding theme? To me it was ‘big data’ (security buzzword of the year 2013!) or, rather, it was the fact that security today is starting to require an awful lot of data to be collected and analysed.
The term security analytics was used by multiple speakers – so expect that one to make the buzzword list next year. The latest generation of APTs (Advanced Persistent Threats – and the runner-up in security buzzword of the year 2013) are sneaky and there is no silver bullet to prevent them. Defence in depth is still required – and one of those defences is to collect vast quantities of information and then analyse it to look for anomalies which then point to security issues. It’s the quantities of this information (terabytes and petabytes) which turn it into a ‘big data’ problem – or one that requires a ‘big data’ solution. Spotting the useful information in this mass of data is akin to the old needle in a haystack – not something anyone can do, even with all the smart tools that exist.
We (as an industry) have a new challenge here: if, as we are told, there are increasing cyber-attacks on businesses of all sizes, then how can we help those companies which do not have the expertise and resources (time, money and people) to combat them – the ‘security-poor’, as they were labelled at the conference?
Tools need to become even easier to use, and not require large numbers of professional services personnel (aka consultants) to get the solutions installed and providing value back to the organisations. How can we turn the information collected into ‘everyday value’ rather than just forensic insurance? There isn’t an answer today (and especially not one that falls into the affordable bracket), but we need to look for one.
One message that came through at the RSA Conference was that not every security defence needs a substantial and on-going investment. In the case of information governance, for example, we are seeing that success comes through a diligent approach to security, rather than through big budgets.
The other theme which was apparent was identity. This is an increasing challenge for us all, especially with the increase in BYOD and cloud collaboration. Once more, there isn’t a solution today which works everywhere – even though there were numerous vendors touting their individual solutions at RSA.
A new open identity initiative was launched (www.globalidentityfoundation.org) to build on the Jericho Forum Identity Commandments. This programme looks promising, as it is a pragmatic approach to the global issues which need to be addressed – I look forward to seeing the progress next year.
And so to next year… this year, the place was buzzing, from the first day to the last – and that included the booking office for next year. I suspect the exhibition hall will have sold out by the time you read this. We have booked our space… and it’s twice as big as this year – but, then again, we will have more than twice as much to show. To RSA 2014… hope to see you there.
This week, we are taking another look at our recently commissioned research into security within the public sector. Our survey of compliance officers, IT managers and C-level executives has shown that the sector has made great leaps forward in cyber security. It is certainly a higher priority than it was just a few years ago. However, the research also uncovered a couple of areas that require more attention in order to avoid a data breach or similar security breach. Last week, we looked at how third parties’ security measures were a potential weakness that could be exploited. This week, we look at how social media use could open the door to security breaches and brand damage.
What is clear from the survey results is that there is now a heightened awareness amongst public sector organisations (PSOs) about security risks. Numerous data loss stories, coupled with tales of organisations having their reputations damaged by the activities of errant staff, have acted as a warning to the UK’s public sector. Indeed, in the event of a data leak, the top two concerns for PSOs were listed as reputational damage and financial consequences (such as fines).
Social media is changing the way in which public sector organisations communicate with the people using their services, as well as other public sector affiliates. It is an incredibly useful tool to engage with target audiences, posting information about everything from new building projects to central government updates. But social media is also a consumer tool and this blurring of the lines between personal and professional can cause confusion amongst social media users within PSOs.
As many as 38 per cent of PSOs do not have a social media policy in place which determines the do’s and don’ts of outbound communication. This is setting many organisations up for a fall. For example, many organisations encourage staff to use their own social media accounts to spread their messages further. However, if their Facebook or Twitter feed was initially set up as a personal account, there may also be messages on these feeds that are deemed inappropriate. It is not necessarily the place of the employer to dictate the contents of a personal social media account, but they may wish to encourage staff to create work-only accounts or not to spread the message at all – if a policy is in place, then people are aware of the boundaries and unlikely to make costly mistakes.
The other issue with social media is the immediacy of the phenomenon. Traditionally, any external communication with the public would be crafted with a specific message in mind. The announcement would be edited and signed off by numerous people in a process that could take days or even weeks. Finally, the announcement would be made, with the full consequences having been thought through. Nowadays, a tweet can be written and sent in seconds with little thought to how this affects the organisation’s communications strategy or its brand reputation.
Our research showed that 71 per cent of respondents enable the use of Twitter (with only a fifth actively banning it). Of those that allow the use of Twitter specifically, two-thirds believe it should be used solely as a corporate communications tool, the other third feeling that it should be allowed for personal use as well. Surprisingly, other social media channels – blogs, LinkedIn, bulletin boards – are less popular in comparison, despite being more obvious business platforms.
Ultimately, PSOs need to consider their usage policies for social media. Implementing an outright ban is no longer an option. Safe and clear guidelines need to be put in place for all employees and they must be enforced. If technological enforcement is not used, then the communications channels should be monitored – if not all the time, then at least enough to ensure that the policies are being followed. Social media can be an invaluable communication tool for the public sector, but only if it is managed effectively and used as part of a broader strategy. By ignoring the risks, organisations increase the likelihood of problems further down the line – and these are the ones that can go viral. When it comes to social media, ignorance may not be bliss.
We recently commissioned a piece of research* into the attitudes of UK public sector organisations (PSOs) towards information security. Over recent years, high-profile data leaks have brought a renewed focus on the security measures that these organisations have in place. Frontline defences are better than they once were, but this is not an area where we can afford to sit on our laurels. In this, the first of two blog posts, we look at the relationships PSOs hold with third parties and what this means for their digital defences.
All PSOs work with a multitude of third parties, from cleaning contractors to exam boards to private health clinics. They will all be party to an exchange of information that is likely to contain sensitive information and this is where the weakest link could break in the security chain. 90% of respondents in the survey said they rated information security as important when selecting business partners and third parties to work with. However, this means that one in ten doesn’t see it as important.
Our research showed that there is a disjointed approach to security among PSOs. It is possible that some are paying lip-service to security by only carrying out the bare minimum and not thinking beyond their own borders. 85% of respondents we spoke to stated they felt their organisation managed security threats well, but 38% admitted they didn’t have a strategy for their outbound communications. Without a policy on what information can be sent out of the organisation, PSOs are lining themselves up for information governance headaches further down the line.
The protection of data must be a joint responsibility between the PSO and all its third parties, even if the ownership remains with the PSO. Fully understanding the communication channels and the information that is shared will help protect against nasty surprises caused by assuming security measures are in place. Unfortunately, fewer than two-thirds (63%) regard the managing of information exchange with external agencies as a joint effort.
Taken in its entirety, our research shows that the public sector has taken a step in the right direction when it comes to matters of information security... But there is still work to do. Clearly, some PSOs are still not taking the risks seriously or understanding the consequences of not putting adequate measures in place. These are the ones we are likely to hear about in the future and most likely for all the wrong reasons.
You can view the report here.
*Clearswift commissioned research into the attitudes of individuals who work in UK public sector organisations towards information security. In total, 277 people across 247 unique UK public sector organisations were surveyed, ranging from compliance officers and IT managers to C-level executives. The organisations that took part include the NHS, city/local councils, universities, trusts, central government and the police. The survey was conducted on behalf of Clearswift by Surveys in Public Sector (SPS), a division of Ingenium IDS. Ingenium is the UK’s foremost public sector demand creation and research organisation.
Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).
- Have an incident response plan.
- Pre-define your incident response team.
- Define your approach: watch and learn or contain and recover.
- Pre-distribute call cards.
- Plan your forensic and incident response data capture.
- Get your users on-side.
- Know how to report crimes and engage law enforcement.
- Practice makes perfect.
I’m dating myself, but I remember when holiday shopping involved poring through ads in the Sunday paper, placing actual phone calls from tethered landlines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.