Tape Glorious Tape, There’s Nothing Quite Like It

By Guy Bunker | June 30, 2008 | Leave a Comment 

Guy Bunker

Another data loss incident… 2.2 million billing records. They were on tape, in a car, and the car was broken into – no tapes. The driver had worked for 18 years with the company – alas no more as they had violated the company’s information protection policy – they shouldn’t have taken them home, they should have gone straight to off-site storage. Tapes are great – high capacity, low cost, easy to transport, easy to store, no moving parts (when its on the shelf!), great for long term storage and still an integral part of most companies IT environment. But… also easy to lose… and often the data is stored in an open format – so you don’t need password or anything else to get at it. Far easier to steal a tape, than break into a server…

OK, so it seems cut ‘n’ dried… but… what if the driver had been in an accident and the tapes had been lost. What if the off-site storage (which is run by a 3rd party) was broken into and the tapes stolen? The company is not saying if the data was encrypted or not, but my guess is that it isn’t, so therefore either of these other scenarios could also be valid – and would result in the loss of data.

Part of developing an information security policy is to revisit processes which touch sensitive data – this includes all occasions and possibilities when it can go offsite, or is handled by a 3rd party. It has to include tape backups, CDs, DVDs, USB sticks, and any other physical copies of the data, including laptops.

The simple rule is… if is going offsite, for whatever reason, it needs to be encrypted. Full stop.

(In this case, encrypted backups should have been employed – not just for the car break-in scenario, but also the other ones as well…)

Tapes

Cultural Failures?

By Guy Bunker | June 25, 2008 | Leave a Comment 

Guy Bunker

Finally the Poynter report is being released into the HMRC data loss and the conclusion… the loss of records can’t be blamed on a single official. For me the good news is that the poor sap junior official who was being blamed now isn’t – it was never their sole fault, after all they were just following orders. The report highlights ‘cultural failures’ and practices that weren’t what they should have been. The former is an interesting comment and the latter rather obvious given what occurred.

Data loss on a massive scale is not new, if you look back a few years (yes years), the American Veteran Association lost millions of records… TJX did the same… and yet things didn’t change. It’s not just the UK, but across the globe. It didn’t used to be a crime to lose a laptop - the change in the environment has (virtually) made it so. We live now in a time where the attitude towards personal data is beginning to change, but like an oil tanker, it is going to take a while to turn around. Most companies (and governments) don’t know where their sensitive data is – and until they know that, how can they possibly protect it? If they don’t know which business processes handle or even touch sensitive data then how can they change them?

Information security policies need to be created, consistently implemented and then audited – on a regular basis.

If you have a bank account, a credit card, pay taxes, do a little shopping online, then your details will be in around 700 databases! If you are one of the people handling sensitive data (or think you have sensitive data) then look at what you do – look at where you can fix potential issues or find someone else who can. Technology alone is not the silver bullet. Above all else, treat the information you handle with the same due care and attention that you would want others to do with yours.

It is only when people truly understand the risks and consequences and change their behaviour that the culture will change.

How High… How Low?

By Guy Bunker | June 18, 2008 | 1 Comment 

Guy Bunker

It was reported yesterday that an MPs PC had been stolen from a constituency office. There was the usual ‘rush’ to assure everyone that there wasn’t anything ‘secret’ or ‘top secret’ on it. This is only really interesting as it reminds us that desktops as well as laptops can be stolen – and it doesn’t matter if you are high up in government or just one of the rest of us. Certainly from a business perspective, the loss of desktops is significantly less than laptops (there are easier targets, although there was a data centre that was targeted and even disk arrays stolen) - however, for small businesses and especially for individuals desktop machines as well as laptops are targeted by burglars.

Most home computers have confidential data on them, perhaps it is a cookie for on-line banking (giving a thief easy access), or maybe other account information for credit cards, or other on-line shopping accounts. For business laptops we talk about full disk encryption as being best practice to protect the data against theft, we should also consider the same practice for desktops and home computers. Of course, you also need to look at doing a backup, while it’s great that your data doesn’t fall into the wrong hands – you will also need a copy yourself.

Just so as you know… encryption does give a little overhead (i.e. it slows it down a little) but probably not so as you would notice. From both an enterprise and a consumer perspective there are tailored solutions on the market, and for individuals you can use the solution built into the operating system or there are a number of ‘free’ solutions as well. There is no excuse.

Data protection begins at home! (As well as in the office, or on the road, …)

24 Percent

By Guy Bunker | June 13, 2008 | 1 Comment 

Guy Bunker

A civil servant has been suspended for leaving top secret documents on a train. A recent survey showed that 24% of data loss was through paper records, so perhaps this should come as no surprise. As I think back through the past decade or more there has always been one or two occasions each year where records were found, in a skip or beside the road, and before now it was reported and that was that. However today, as we all know, data loss is taken much more seriously.

Electronic data is easily transported, readily copied and therefore simple to use. You can also get a lot of information in a very small space… losing the details on 20 million people in paper form would require a sizeable truck!

We now protect electronic information, either by encryption (if you have a laptop or mobile device) or by content analysis and classification – preventing emails being sent to the wrong people or data being copied unencrypted onto CD ROMs etc. But what to do about paper records? We are back to people and processes. Awareness that paper can be just as damaging as electronic records needs to happen and the processes whereby records are printed out need to be re-examined – especially to ensure the appropriate destruction, eg shredding. In the same way that we are questioning the need for people to have copies of sensitive or confidential electronic information on their laptops, companies should also look at why they need to take bundles of papers home… this would be one case where an electronic version could be more secure.

Just One Cotton Picking Moment

By Guy Bunker | June 13, 2008 | Leave a Comment 

Guy Bunker

Cotton Traders revealed that their website had been hacked and details of 38,000 transactions had been stolen. They have now worked with experts to fix the problem. OK, so this is ‘yet another’ case of data loss – however, for me I find it interesting that the size of the target organization is relatively small and yet it is obviously still worth the criminals attacking it. Is this because smaller organizations do not necessarily have the security expertise to secure their environments, or because their website was unpatched and therefore open to a well known attack? We don’t know, all we know was that they were attacked and they have now fixed the problem.

Smaller companies seem to think that they will not be a target for an attack… “It won’t happen to me, I’m too small to be on the radar” – this just goes to prove that this is not the case. Hopefully other smaller companies will now sit up and take notice of the potential threats and associated consequences and look how they can prevent it from happening to them.

Where’s The Boundary?

By Guy Bunker | June 9, 2008 | 1 Comment 

Guy Bunker

A man has been accused of stealing clients using LinkedIn. In this instance, the person involved is a recruiter and he allegedly ‘linked’ to clients while working at one company and then left to start a rival firm – with his contacts from LinkedIn.

Is this data theft? Or is this something that people used to do all the time but because it wasn’t on the ‘web’ people couldn’t find out about it? I think it is the latter. We all create contacts while at work, and some are more organized than others and file them, others, like myself, have a large pile of business cards with notes on them. I guess that if you are a recruiter, you too would have a large pile of business cards – and if you invite people on LinkedIn, well, isn’t that also something we all do?

Should companies look at banning LinkedIn, in the same way as they did with FaceBook? Only to find it wasn’t practical, people would spend more time finding a way around the system, than they would using it – so we have seen a reverse of this trend. So, no, it shouldn’t be banned. Should it be subject to (yet another social networking) policy? Something that defines the boundary between work and not-work. Perhaps… but I would think that people would just add the contacts while at home. I don’t think you can be banned from doing that after all it’s what LinkedIn is all about – keeping up with friends and colleagues in a business context. Maybe companies need to create their own ‘company’ LinkedIn accounts – so that, if nothing else, they have a copy of the information as well.

The way to look at this is that when someone new joins your company, they bring with them their contacts – rather than when they leave, they take them away.

What The FAX…

By Guy Bunker | June 6, 2008 | Leave a Comment 

Guy Bunker

Bad process strikes again. A businessman was convicted and jailed for fraud after one of his employees accidentally sent a FAX to the wrong person resulting in some unfortunate data-loss! While sending email to the wrong person is commonplace, sending a FAX to the wrong person is seldom reported. However, it does show that data can be lost in a variety of ways and the risks and consequences can be quite dire.

Businesses need to start thinking out-of-the-box when looking at processes in order to catch all the different ways in which data can accidentally (or otherwise) be lost, leaked or breached. FAX machines, printers, photo-copiers all pose a risk as they tend to take a copy of the data before processing it. So, if someone walks out with the physical device they could retrieve the data. New(er) copiers now encrypt the data to disk making it harder to walk out with the disk and recreating the data… is this true of the devices in your organization?

The Wrong Dave

By Guy Bunker | May 24, 2008 | 4 Comments 

Guy Bunker

We’ve all done it – a little too quick on the ‘send’ button and email has gone to the wrong person. Email systems are just trying to be helpful when they predict which email address you want based on the first few letters.. ‘d’, ‘a’, ‘v’, {return} and you inadvertently have selected the incorrect recipient. Usually it doesn’t matter but in a case this week it did. The consequences are, in this case, not too great – but imagine it was health information, or credit card details. There is technology out there (and yes Symantec has some), which looks at the content of email and can prevent them going outside the organization – or rather can check if that is what you really meant to do.

Content based classification and automated policy management is available today and can solve the problem of ‘the wrong Dave’.

Narrowing The Search…

By Guy Bunker | May 24, 2008 | Leave a Comment 

Guy Bunker

Yet more unencrypted data has been lost… well, no surprise there to be honest. At least they know where the data is – somewhere between London and the Isle of Wight, except it could be anywhere because it was en route with a courier.

There were two process failures here. The first was the fact that it was unencrypted data – which was making two trips, one to the third party and then one back to the owners. The other was that it took more than a week to know it was missing.

So, what to do… revisit old policies! If it involves confidential customer information and it’s going offsite then it should be encrypted. [Full Stop!] Backup products today can encrypt the information – so there is really no excuse. There should also be an effective tracking mechanism for data that is traveling with or being stored whether it is with a 3rd party or even by internal personnel. That way, even if the data is encrypted and lost the disaster recovery plan won’t be a disaster itself because the data isn’t where it was expected.

The good news, well piece of process, which we should all take heed of in this case was that the data was being verified as readable / usable. Frequently backup data is not checked and you get to the point of needing it and it is inaccessible, or not complete. I remember a case a few years ago when the data was required and there wasn’t any on the tape – except the header. The reason… the data had changed mount point on the system and the backup policy hadn’t been altered. So it regularly backed up ‘nothing’… and was always successful! So, checking the data integrity on a regular basis is a great habit to get into.

Don’t Send The Password With The Data

By Guy Bunker | May 9, 2008 | Leave a Comment 

Guy Bunker

It emerged this week that one organization had to send out a memo to its staff reminding them not to send out encrypted documents with the password! I won’t mention which organization it is – as I have a feeling there are quite a few with this problem. The other one I have seen very recently, is the yellow sticky with the password attached to the laptop!

These are great examples of where the people, process and product story has broken down. In both cases encryption is the technology – and that works to protect data. The process is in place – encrypt sensitive data if it might get lost (so, on a laptop, or in an email going out of an organization, or on a CD, or on a mobile phone, or … you get the picture) but the process is incomplete – what do you do with the password, how do you communicate it, if required. Finally there is a lack of education to the staff (or in this latest case the education is retrospective and reactive rather than proactive) – why are we doing this… to protect individuals’ information, or corporate information… and so if you send the password at the same time you may just as well have not encrypted it. Of course, there is some irony here – in the US with its disclosure laws if the data was encrypted when it was lost, then that is the end of it – no disclosure – even if the password was on a note!

Education needs to happen from the top to the bottom of an organization and processes need to reflect every step which includes how to communicate passwords when needed.

How do you send a password… well that just depends… in many cases you can just phone the person up and tell them, or you could send it by SMS text message… or… well you decide – it’s your organization. Just make sure that there is a policy and people know what it is.


Your Password Here

« Previous PageNext Page »