Last week’s Cost of a Data Breach Study update had one particular statistic that stuck with me and to which I keep being drawn to when discussing it with others. In the UK study, they discovered that where an organisation that suffered a breach had a Chief Information Security Officer (CISO) or someone with the equivalent level of responsibility in place, the cost per record dropped by an average of £18. I think the key word in the previous sentence is “responsibility” for a few reasons.
Firstly, we have the increasing amount of fines and penalties that can be applied to the individuals involved in failing to deliver against expectations. These have gone beyond the original highly regulated industries and out into the broader business context. With the coming updates to EU legislation, it’s likely to get more attention in the boardrooms of Briton, not less.
Secondly, and contrary to popular thinking, stopping data loss and protection of the key information assets an organisation has goes way beyond using scanners to prevent credit card details being emailed out. Primarily, it’s not a technical problem, it’s a people-process-technology challenge.
In the past, I have heard references to people-process-technology being like a three-legged stool of which you can’t remove any without falling off! This can be considered a fair comparison but, for me, the ‘people’ part of this stool is the most critical starting point. People have negotiation skills. People have perspective. People drive change.
When it comes to the role of technology in stopping data loss I view it like an exoskeleton to the people involved. That may sound a little sci-fi but what they need to be able to do is say “this stuff is important, please tell me how it’s being used, where it’s going and who uses it”. Technology enables them to reach into network pipes with gigabits of data pumping through them. Technology enables them to piece together a process involving four employees and an outside contractor. Technology enables them to see the HR director does not like using the VPN from his second home in the Cotswolds.
The reason I view it as an exoskeleton is that the knowledge of what’s important comes from the people involved, as does the appropriate response and the negotiation to get from where they are today, to a more secure future-state.
The relentless growth in information and systems shows we’re not moving towards a state where data loss won’t happen anymore. However, this report shows that if you put someone in charge with responsibility and authority to make change happen when it does occur, the impact to an organisation’s bottom-line is significantly reduced. I’m happy to predict the gap between those that take it seriously and those that stick their head in the sand will only get larger in the coming years.
In a recent survey, half of mobile phones that are recycled – and past on to a new owner – contain sensitive information. This shouldn’t really come as a surprise, as organizations are only just getting the message about disposing of old computer systems and ensuring the data has been suitably destroyed.
It is very easy, especially as an individual, to rush in and pick up a shiny new phone when the contract expires, or to request a new phone from the IT department when the corporate one dies. However, there needs to be awareness, by the user, that they should clear down all the data on it first. From a corporate perspective, this should also be done – a second time as a precautionary measure.
A quick email out to employees pointing out the issues with data on old phones when they are returned / recycled will go a long way in creating awareness around the problem – from both the personal and the corporate perspectives. And a check / update on security policies and procedures for mobile phone disposal will go a long way to sorting out the problem. Bearing in mind a lot of mobile devices are now just as powerful as laptops (in that they contain considerable quantities of sensitive data, and often have access to corporate applications over the Internet), the check should be made before the auditors come round and check for you…
OK, so we were digital long before 2002, but it was then that the amount of data stored digitally overtook that which was stored in an analog manner. A recent analysis of ‘all’ storage also showed that we now have enough capacity for 295 exabytes of information… which is about 404 billion CDs.
Of course how much if it is actually used is not presented – and neither is how much of it is repeated, i.e. the amount of unique data is probably just a fraction of that. Finding things you know exist becomes harder each day, and a good friend Adrian Seccombe has written a short post on just this problem… losing things in your digital pocket. For enterprises this particular problem is worse, with thousands of hours of productivity lost each year due to people looking for data they know exist but can’t find – and then trying to reproduce it.
Archiving with full-text indexing is one option – but that is often catching less and less information as more ‘digital pockets’ are used. Furthermore, the loss of an unsecured ‘pocket’ could now result in a £500K fine from the Information Commissioner’s Office (ICO). Data growth is inevitable, but as the legislation evolves to encompass new working practices (the cloud, consumerization of IT, social networking sites, …) so too will the risks. As ever, it is time to revisit policies around security and data management and check that they have moved with the times… and if not, make the change before they become a liability.
… or “Who will watch the watchers?” In a recent case a malicious insider has admitted, not of stealing information – but of, in effect, adding to it. As an IT insider he had access to the systems which dealt with loyalty cards and set up a number of bogus accounts and then filled them with points… that he could later spend.
A great deal of time and effort goes into protecting systems at the endpoint or servers in the datacentre and companies now at least acknowledge the insider threat… but when it comes to applications there is still a naivety of “all our people are good”. Which brings us to who is watching the people who are supposed to be watching the systems? Unfortunately there is very little that can be done to stop the determined malicious insider – after all they have the access to the systems given to them and often they carry out tasks they are supposed to, given that they have the authorisation to do so. However, this is where good application design and usage policies can help. For a start, all administrators should have their own usernames and passwords – no sharing. There should also be good logs / audit trails, especially for functionality requiring additional privileges. Finally, there needs to be some means of reviewing the log files – either automatically or manually… and preferably not by one individual (otherwise they could become the malicious insider). Often just informing people that this functionality and policy is in place will deter the potential casual insider… and for those who are not deterred at least you now have some evidence.
In a recent announcement by SAP, they say that they will ‘push all useful data to mobile devices’. Good news… but not entirely unexpected, the smart-phone of today is just as powerful as the laptop of yesteryear and much easier to carry. However, security and usage policies are sorely lacking in enterprises of all sizes.
I wrote previously on keeping up with the user and what they install on their smart-phones, this just emphasises the point further. If all data is available, even that from the heart of the data-centre, then the security should be as strong as that you usually have for the data-centre… policies for appropriate usage, data-loss-prevention and anti-malware to name a few. Remote device management including data wipe should be considered, and even encryption for the device and any removable media (aka memory cards).
The data-centre has arrived in your pocket… but does the CIO/CISO realise it… and if they do, have they done anything to protect it… yet?
We have been talking about Information Security for a few years now, but with the changes in legislation earlier this year that means you can incur £500K fines, it’s time to look beyond the reactive and towards the proactive. Time to move from Information Security to Information Assurance.
So why Information Assurance rather than just Information Security? Businesses rely on information, and most realise that accurate, available and appropriately shared information is key to growing a business. Conversely, missing or inaccurate information in the wrong hands will damage the business and potentially the business’ reputation.
From a security aspect, it is only the security of the information and systems that is taken into account. Data loss prevention and all the, now commonplace measures to prevent it, coupled with endpoint and datacentre security strategies enable companies to ‘tick the box’. Reporting and auditing are key for this to be provable so that information is kept safe and the newspapers and legislators held at bay. Assurance is all this – and more! Information assurance is about assessing the business’ ability to keep the information safe and that it is accurate and available - to the right people at the right time. It’s about developing a shared understanding across all areas of the business as to how information is used, and its about improving the information available according to business priorities.
As we start to move out of recession, but while the purse strings are still being tightly held it is time to revisit information strategies and look at how information can be used more effectively to drive the business. New rapid assessment services are starting to appear which can build on your information security policies and turn them into information assurance ones.
I was on a train yesterday and couldn’t help but overhear a conversation that went something like this…
“He’s sent me the mortgage details on email… could you get them for me and tell me what it says?”
“Sure, I use XXX, my username is YYY and my password is ZZZ.”
Good grief… I thought everyone knew that you were supposed to keep usernames and passwords ‘secret’. Evidently not. Of course this is the basic problem… people are trying to do something important to them - and are not thinking about security.
There are instances where sharing confidential information is required, and when in ‘work’ mode, people (sometimes) think twice about who can overhear but move into a non-work mindset and common sense disappears. In this instance, it would have been better to have waited until they could check their email themselves, or wait until they could find somewhere more private to speak, or even to have SMS’d the details (ideally in more than one text). In fact anything would have been better than shouting the details on a crowded train.
Oh well… it serves as a good reminder to us all that you should think twice when dealing with confidential information, especially when in public places. Cyber-criminals are not fussy how they obtain the information they need… the easier, the better.
PS A quiet word to the person on the train as I left suggesting that changing their password would be a good idea as everyone in the whole carriage now knew it – seemed a reasonable thing to do. Of course whether they do it or not… time will tell.
So, I was one of the tens of thousands who were stuck overseas due to the now infamous volcanic ash cloud. I got back at the weekend after an uneventful trip – ok, so it was a week later than expected, but it all worked out. However… while away I started to receive interesting SMS messages from my bank – but from different numbers! In essence they were offering to increase overdraft limits to help me cover any potential costs while being stranded. Or were they…
As with the post on credit card companies – the problem is not who you are (hopefully you know), but on who is purporting to be on the other end of the phone. Was it really my bank, or some enterprising cyber-criminals who were making the most of a bad situation? In this case, it could well have been both – one genuine message and then several copycat ones. There was no indication that they even knew who I was – no personalization in any way.
So… the moral of the story remains the same, if someone contacts you and says they are from the bank or a credit card company a little healthy paranoia is a good thing – take their name and department and say you will call them back on a number you have. Take your bank’s main number on holiday - preferably not the ‘freephone’ one as that probably won’t work abroad. And of course don’t use numbers given in text messages or any they may give you…
Yesterday at the European Cyber Security Awareness Day event in Brussels the Business Software Alliance (BSA) released some interesting research. They found that people in Germany, France, Poland, Spain, and the UK are confused over where their online data is stored.
About one in five citizens admitted to being unaware of whether their personal data is being held ‘in the cloud’, and 60% said they didn’t know what ‘in the cloud’ means.
When it comes to who should take responsibility for protecting online data, respondents were confused, with more than a quarter expressing a belief that a combination of stakeholders including government, businesses, technology companies, and consumers should be responsible for securing data held ‘in the cloud.’ The BSA says that this suggests that there may be a need for better coordination between government, businesses, and users and better education on cyber risks and best practices.
Coordination between government and business can go a long way in fighting cybercrime and protecting online data. Sound cyber security policies and technologies that protect the online environment are crucial but education can’t be overlooked. Users need to be made aware of online risks and know how to spot and protect themselves against malicious activity. I believe that better education is key to good cyber security.
At Symantec we’ve noted a worrying increase in so-called “credit card dumps” on offer in the criminal underworld over the past year. Dumps, which are copies of the information stored on the magnetic stripe of the original card, are usually obtained via electronic “skimming devices” fitted to the credit card machine or bank teller.
The devices often take the form of an additional card reader that is placed over the original and records any data that passes through it.
Skimming devices can be combined with a doctored keypad that is placed over the real one or a small video camera that records the PIN code entered for each card. Newer versions even contain a GSM module that will send the encrypted dumps back to the attacker. Video footage from surveillance cameras has shown that scammers can install the fake keypad and card reader in under five seconds.
Once the criminals have the information, they have the card number and can clone the credit card. The clones can be almost indistinguishable from authentic cards, often including holograms and embossed gold numbers. If the criminals have recorded the PIN codes, the cards can be used at any ATM to withdraw cash.
Spotting a skimming device is not easy as the devices are highly sophisticated and usually match the look and feel of the credit card or teller machine.
People should look out for any attached keypads or strange looking card slots. Often they are fixed point mounted and create a small overlap that just looks a bit odd and wiggles a bit.
This type of thievery is not confined to the developed economies and travellers should be particularly wary when abroad. For example, thousands of football fans will be travelling to South Africa in a couple of months for the 2010 World Cup. While the country is a developing economy, it has a highly sophisticated and modern banking infrastructure and credit card fraudsters to match it.
Credit card skimming can happen virtually anywhere so while enjoying what South Africa has to offer over and above the World Cup, it is important for travellers to pay special attention to what happens to with bank or credit cards, wherever they are used.
For more information on Internet scams relating to the 2010 Soccer World Cup, visit www.2010netthreat.com.
Candid Wüest, senior threat researcher at Symantec