It’s not just the Ukrainians and the Polish that are seeing a surge in demand as the Euro Championships take place. Here at Symantec, we have noticed some curious spikes in data usage, around the time of key games.
For instance, our data processing centres saw a 20% uplift in week on week user traffic in the hour prior to kick off in the game between England and France on June 11th. During the match this increased further, hitting a 75% uplift compared to the previous week. During that peak our bandwidth monitoring saw the equivalent of approximately 7,500 live media streams passing through our UK data centres per second.
I’ve no doubt that businesses of all types experience similar upturns in data demands during big sporting events such as the Euro’s, which leaves open the obvious question; how are people preparing for a whole host of sporting events that are taking place in 2012? With a summer of sport set to be watched by millions across the globe, many are sure to reference the internet consistently throughout to keep up to date with their favourite events and any key developments. The spikes we have witnessed throughout the Euro’s has provided a nice gentle stress test for our systems, which have coped with the increase comfortably. Other organisations should use this tournament just as we have, as a key indication of the likely impact that business is going to face.
Though often hard to calculate the exact amount of data expected to pass through a company’s system, recent spikes should prove very useful in informing how people should equip and prepare for the likely surge we will see over the coming two months. It would be silly to neglect this information, and be caught out when data peaks during busy periods. Being prepared to respond to these increases will ensure a seamless continuation of business, ruling out any potential losses or disruption that might occur to those that have not heeded the early warning signs.
Last week’s Cost of a Data Breach Study update had one particular statistic that stuck with me and to which I keep being drawn to when discussing it with others. In the UK study, they discovered that where an organisation that suffered a breach had a Chief Information Security Officer (CISO) or someone with the equivalent level of responsibility in place, the cost per record dropped by an average of £18. I think the key word in the previous sentence is “responsibility” for a few reasons.
Firstly, we have the increasing amount of fines and penalties that can be applied to the individuals involved in failing to deliver against expectations. These have gone beyond the original highly regulated industries and out into the broader business context. With the coming updates to EU legislation, it’s likely to get more attention in the boardrooms of Briton, not less.
Secondly, and contrary to popular thinking, stopping data loss and protection of the key information assets an organisation has goes way beyond using scanners to prevent credit card details being emailed out. Primarily, it’s not a technical problem, it’s a people-process-technology challenge.
In the past, I have heard references to people-process-technology being like a three-legged stool of which you can’t remove any without falling off! This can be considered a fair comparison but, for me, the ‘people’ part of this stool is the most critical starting point. People have negotiation skills. People have perspective. People drive change.
When it comes to the role of technology in stopping data loss I view it like an exoskeleton to the people involved. That may sound a little sci-fi but what they need to be able to do is say “this stuff is important, please tell me how it’s being used, where it’s going and who uses it”. Technology enables them to reach into network pipes with gigabits of data pumping through them. Technology enables them to piece together a process involving four employees and an outside contractor. Technology enables them to see the HR director does not like using the VPN from his second home in the Cotswolds.
The reason I view it as an exoskeleton is that the knowledge of what’s important comes from the people involved, as does the appropriate response and the negotiation to get from where they are today, to a more secure future-state.
The relentless growth in information and systems shows we’re not moving towards a state where data loss won’t happen anymore. However, this report shows that if you put someone in charge with responsibility and authority to make change happen when it does occur, the impact to an organisation’s bottom-line is significantly reduced. I’m happy to predict the gap between those that take it seriously and those that stick their head in the sand will only get larger in the coming years.
Smartphones and PDAs have redefined and improved the workplace in recent years but also created new challenges for IT departments. Now tablets are making a splash in the market and last week the iPad 2 launches in the US. Therefore, the new Symantec Three-Minute Trend Series episode, discussing consumer electronics trends and how they affect enterprise IT couldn’t be more relevant.
In a recent announcement by SAP, they say that they will ‘push all useful data to mobile devices’. Good news… but not entirely unexpected, the smart-phone of today is just as powerful as the laptop of yesteryear and much easier to carry. However, security and usage policies are sorely lacking in enterprises of all sizes.
I wrote previously on keeping up with the user and what they install on their smart-phones, this just emphasises the point further. If all data is available, even that from the heart of the data-centre, then the security should be as strong as that you usually have for the data-centre… policies for appropriate usage, data-loss-prevention and anti-malware to name a few. Remote device management including data wipe should be considered, and even encryption for the device and any removable media (aka memory cards).
The data-centre has arrived in your pocket… but does the CIO/CISO realise it… and if they do, have they done anything to protect it… yet?
In Germany this week, a court ruled that wireless routers need to have a password – failure to do so can result in a fine of 100 Euros. In essence, if your wireless network is unprotected, then someone could use it to download and abuse copyrighted materials – and that is your fault for not protecting your network.
The password strength is not defined… and if you really wanted to download stuff using someone else’s wireless network, then a trip to a coffee shop would be much quicker than war-driving down a street.
While I keep my home wireless network secure, Bruce Schneierhas an interesting perspective on keeping it open. The choice in the UK is still up to you…
As we head into Christmas party season we can expect that alcohol-fuelled “forgetfulness” will see many work laptops and smartphones left in bars and varying forms of public transport as people raise a glass to celebrate the festive season as well as having survived an incredibly difficult year.
In an increasingly mobile workforce the number of corporate devices with sensitive data on them, such as laptops and smartphones, is growing. In fact, ABI Research recently stated that the number of smartphones shipped this year was 178.3 million.
With that in mind, please be careful that you store your laptops and phones in a safe place before ordering your first tipple.
So course Christmas parties are a time to let your hair down and have fun. However, losing a work laptop or smartphone could leave you with more than just a hangover. If your business doesn’t operate daily back-ups then it may not be able to recover your precious corporate information. The worst case scenario will be if the device has fallen into the wrong hands, as it poses an incredible security risk. A criminal will be able to use the unprotected laptop or smartphone to access very sensitive corporate information – which they could then sell for considerable profit in the black market.
Listed below are 10 of the most common documents a cybercriminal will try to access should your device inadvertently fall into the wrong hands:
1. Your credit card information e.g. credit card number, magnetic stripe information, transaction data
2. Your employee information e.g. employee ID, salary and benefit information, personal health information
3. Sensitive customer data e.g. name, date of birth, national ID number
4. Price lists
5. Design documents
6. Source code
7. M&A contracts
8. High net worth client lists
9. Marketing plans
10. Financial earnings reports (during quiet period)
With this abundance of precious information available on corporate laptops and devices, make sure you take necessary precautions to minimise risk, should they fall into the wrong hands. Firstly both laptops and smartphones should be locked with strong passwords. Also, you shouldn’t forget about physical security – laptops can locked down with cables and Kensington locks and PDAs can be protected in locked cases.
However, should you fall victim, follow this guide and also informing your IT manager immediately, so that the device can be remotely disabled.
So the recession, it would seem, has not impacted the IT community’s will to develop and invest in Green IT solutions. Global research, out today from Symantec, has shown that while companies around the world are keeping a close eye on their wallets, IT executives are happier than ever before to spend on Green IT initiatives, with over sixty-eight percent of UK executives expecting to see an increase in green IT budgets over the next 12 months.
This optimistic outlook for future investment is being driven by the ability of new IT products to impact energy efficiency and therefore fit within companywide sustainability initiatives, leaving the realms of the IT department and delivering value back to the business as a whole. IT departments are even willing to pay a premium for energy efficient products. Symantec’s 2009 Green IT survey showed that fifty-seven percent of those questioned would pay at least 10 percent more for energy efficient products, while 40 percent are willing to pay at least 20 percent more.
Over the past 12 months, IT has emerged as a new driving force in implementing green initiatives – not only for energy savings benefits, but also as a result of widespread desire to implement environmentally responsible practices. The pendulum has swung both ways and IT is now taking a balanced approach that is more integral to an organisation’s ‘green’ strategy, proven by the fact that the vast majority of respondents are now responsible for the energy costs of their data center.
So some of the cyber-criminals who were responsible for the massive TJX data breach are being prosecuted – well, 11 of them, is that all, probably not but its a good start.
This case was not one where a laptop was stolen, or some CDs were left on a train or anything so mundane. This was all about people driving around in cars looking for un-secured wireless networks and then hacking in to steal data. Not just once, but over a long period of time – and then the data was sold on in the underground economy.
The scary thing is that despite the original news of the breach and the method it was achieved, there are still open wireless networks out there. A quick scan at one point on the Thames reveals ~20 wireless networks and nearly 20% are open. Of course there might not be anything of interest there – but they are still open and that’s a starting point. In other news it was revelaed that a gang in Russia has control of 100,000 PCs, stealing usernames, passwords and other personal information. These PCs are not just individuals, but corporate machines as well.
If you do nothing else today, have a check for wireless networks in your workplace (and at home) and make sure they are secure – if you don’t know how to secure them, then look it up on the web – there are lots of pages offering help… use them. Ignorance isn’t bliss.
A US agency announced that they were going to give USB drives to its employees in order to mitigate against the risk of data loss and eliminated the use of unsanctioned USB storage. The USB keys have encryption and are password protected – so it all looks good. However, they seem to have missed out on a number of important issues… unless they have additional software based management in place then there is nothing to stop people from using their own devices. USB keys are frequently mislaid (which is why data loss is an issue) however, most people have more than one – ‘just in case’. Not all data is equal (when it comes to data loss) and so there needs to be policy based on content. If the information is sensitive, then it should be encrypted, if it isn’t then perhaps it doesn’t need to be encrypted. USB keys are most often used for transferring benign information such as presentations - by encrypting it and making it harder to share, people will look to at other ways to transfer the information.
The idea of company issued USB flash drives is not a new one – but remember to think through what people actually use them for rather than assuming it is always for sensitive information.
It was reported in the news that a CD marked ‘Home Office’ and ‘Private and Confidential’ was found behind a keyboard when a system was taken to be repaired. The data was encrypted but it raises an interesting problem: How should you fix systems which contain sensitive data? Sensitive here doesn’t just mean customer information (although that is obviously important) it also means intellectual property as well.
If repairs can be done on-site, then that is obviously the best way as the data will not wander off. However if a system has to be taken away for repair then there is a possibility of data-loss. A new process or procedure may need to be developed and put into operation.
What is the data on the system, does it contain sensitive information, if so, then how will you protect it when it is offsite? If the failure is not a hard drive then perhaps that can be removed and stored safely on-site while the system is repaired. Alternatively, perhaps the disk needs to be completely erased (and the OS re-installed) before it goes away – this would need to be done in another system as the original one is broken. (It’s all backed up… isn’t it?!?!)
If it is the hard disk that has failed and perhaps it is going to a data recovery service then ask a few questions – how will the drive be looked after when it is offsite, is the data encrypted, does it matter if it goes missing? what would happen if it was lost while out of your control?