Archive for the ‘David Cowan’ Category

External pressure for internal information security controls – David Cowan on Computer Fraud & Security

November 17, 2011

Organisations wishing to win new business through tenders and bids are under pressure to give clear information on how they deal with information governance and security. This has become so important that an organisation issuing a tender might choose one supplier over another based solely on its compliance with applicable regulations or the fact it holds the ISO 27001 certification.

Companies are therefore wondering if they should get certified, what compliance entails and what the implications of these ‘bureaucratic complications’ are. In any case, an information security review or internal audit can be a vital tool to enable a firm to understand its current maturity level and possible improvements as well as to answer lengthy and detailed security questionnaires.

Clickon the link below to read the article (PDF – extract from ‘Computer Fraud & Security’, November 2011)

External pressure for internal information security controls – David Cowan on Computer Fraud & Security

Private vs. public sector IT security: more dedicated staff, yet less awareness

March 3, 2011

According to recent data, the private sector lags behind with regards to data protection, while public sector organisations lead the way. David Cowan explains how firms can improve their IT security and avoid losing money, clients and reputation.


A recent survey commissioned by the Information Commissioner’s Office (ICO) revealed that there is a remarkable difference between the public and private sector’s approach to Information Security. The data contained in the research carried out by Social and Market Strategic Research (SMSR) showed that, in fact, the public sector was much more aware of the Data Protection Act principles compared to the private sector.

When asked to identify, unprompted, the main principles contained in the ACT, the 7th Principle ‘Personal information is kept secure’ was mentioned by 60% of public sector organisations, compared to only 48% of private firms. However, a more shocking divide can be found in the awareness of the Information Commissioner’s Office’s existence: 42% of private firms had not heard about it at all, a percentage that actually increased from the previous years – yet this was not the case for public organisations, where only 3% were not aware of the UK’s independent authority set up to uphold information rights in the public interest.

A lack of awareness, however, does not prevent the majority of private sector firms from having more than 10 members of staff dedicated to information security-related duties, compared to an average of 2 in public sector organisations. Quantity is not directly proportional to quality, it seems.

In reality, the public sector has had more reasons to be more data protection-savvy due to handling large volumes of personal and sensitive data. The private sector should start following their example. Regulations have become stricter and ICO fines are tougher, with the authority now able to impose a fine of up to £500,000 for a serious breach. It is important, then, that all firms improve their awareness of information security and that they have an efficient system in place for protecting personal and sensitive information, and to deal with any breach in the most appropriate manner.

Private organisations which deal with sensitive and confidential data – such as banks and law firms – should take these results as a wake-up call and an opportunity to learn from the public sector. They are in fact the most at risk of suffering major consequences in case of a breach of the DPA.

Critically, it is important to understand the steps for improving Information Security. First of all, it is vital that organisations are aware of their information assets and the associated risks. They can do this by conducting an assessment of their Information Security Management System, in particular the controls surrounding the information assets of the organisation. This can then be assessed against the international standard for Information Security ISO 27001, to identify any weak points, possible corrective actions and areas of risk.

Once these have been identified, it is possible to plan remedial work which covers policies, procedures and technology, as well as staff education and awareness, implementing it on a continuous cycle. It is important to note that documents and technology alone are not enough to guarantee an improvement; however, they can minimise information security risks.

Staff commitment, from senior management to the most junior employees, is the key to make all the controls and procedures work. If staff are not made aware of policies and procedures introduced, or are not willing to collaborate, perhaps because they do not understand why they should change the way they have always worked, then no amount of technology can keep an organisation in line with the appropriate standards and regulations.

At the same time, management need to take strong ownership and underline the importance of data protection with a clear Information Security statement; their strategy should include disciplinary actions for whoever does not adhere to the policies. Investing time and effort in prevention will pay off more than insurance, as the latter may reduce some of the damages although not the most important cost – the organisation’s reputation.

It is undeniable that although data security risks can be minimised, they cannot be completely eliminated – there will always be a human or technical error that results in sensitive data being lost, destroyed or disclosed. This, unfortunately, can happen in both the public and private sector, often even when all the appropriate measures are in place. For that, you can only act accordingly to the associated risks, for instance by allowing data to protect itself not only through encryption, but through the implementation of a data classification system that restricts access to unauthorised viewers.

Information Security is not a final destination; instead, it is a never-ending journey where everyone from senior management to service desk engineers commits to an ethos in order to protect personal information from loss, leakage and theft in a manner which is proportional to the identified risks.


David Cowan, Head of Consulting Services

This article is published on Infosecurity UK:

Data security: controlling the risks – The EGB Masterclass

February 23, 2011

by Dan Jellinek, E-Government Bulletin

David Cowan

Public sector information security breaches often hit the headlines, but are public bodies really any worse than private sector in this area? What are the main risks, now and in a future of ‘any time, any place’ access to systems through cloud computing, and how can they best be tackled? We ask David Cowan (pictured), Head of Consulting at IT services provider Plan-Net.

Q: What are the main areas of risk for public bodies in keeping their data secure?

A: Public bodies are subjected to a plethora of regulations, standards and frameworks on data security due to the nature of the information they hold, and the associated risks of handling the sheer volume of personal or sensitive data. The main areas of risk are staff failing to observe the organisation’s information security procedures; malicious activity from both internal and external sources such as staff unlawfully selling or obtaining personal data and external threats from fraud, or from crime syndicates or rogue groups using ‘phishing’ or social engineering; and organisations and staff not being aware of their legal obligations, such as the legal obligation to report an information security breach under the Data Protection Act.

Q: What is the scale of risk faced by public bodies?

A: It is difficult to quantify the scale of the risk, but even with all the controls, standards and regulations in place to reduce risk, it is still not possible to eradicate it altogether. The size and geographical spread of public sector organisations increases the risk of data leakage and malicious activity occurring, as does the reliance on recording personal information within huge databases across the public services.

Q: What are the potential consequences of security breaches?

A: The greatest risk to an organisation is the potential reputational damage which could occur as a result of an information security incident reaching the public domain. The Information Commissioner’s Office is now empowered to hand out large fines of up to £500,000 for serious breaches of the Data Protection Act, and there is the possibility of criminal prosecution depending on the severity and scale of the breach. Public bodies could even lose access to public sector frameworks and IT networks as a result of a perceived systematic breakdown in their processes and procedures. The impact on individuals and society could include a lack of trust in public sector organisations handling their personal information; loss of productivity; and individual distress or harm caused by a breach.

(Read the rest of this interview on E-Government Bulletin issue 329: )

5 tips for moving Disaster Recovery to the Cloud

October 5, 2010

As virtualization technologies become increasingly popular, more and more businesses are thinking about using cloud computing for Disaster Recovery. Experts in the field believe that there are many advantages in embracing this solution – however, there are also some potential threats that need to be taken into account.

In order to consider cloud computing services, organisations need to evaluate the potential risks to their Information Assets and, in particular, how a 3rd party supplier will affect the Confidentiality, Integrity and Availability of their data.

Here are five tips on how to deal with the main challenges:

1. Risk Assessment and Asset Valuation

Right from the outset, organisations should try to understand what the greatest risks to the business are and identify which information assets are too important or too sensitive to hand over to a 3rd party supplier to control.

2. Smoke and Mirrors

To overcome the risks associated with choosing a new supplier, it is a good idea to carry out due diligence on the Cloud Supplier – find out all you can about who you will be trusting with your information and review their facilities, processes and procedures, references and credentials, i.e. if they are ISO27001 accredited.

3. Migrating Information

Once a decision is made to either partially or wholly migrate data/systems to the cloud, the biggest challenge is how to ensure there is a seamless migration to the external provider’s service. This is a very delicate step which, if dealt with inadequately, may result in data loss, leakage or downtime which could prove extremely costly to the business.

4. Service Level Management

When businesses trust 3rd parties with their vital corporate, personal and sensitive information, it is important to set up structured SLAs, Confidentiality Agreements, Security Incident handling procedures, and reporting metrics, and above all ensure they provide compliant, transparent, real-time, accurate service performance and availability information.

5. Retention and disposal

Depending on the policies and regulatory requirements applicable to the business, one of the main challenges with cloud computing is how to ensure the corporate retention polices are enforced if the information is located outside the company’s IT network perimeter. Obtaining certificates relating to the destruction of data is one thing, but proving that information identified as sensitive or personal is only kept for as long as necessary is another.  With the economies of scale often associated with cloud computing, total adherence with retention policies of individual companies may prove difficult if resilience, backup and snapshot technologies are employed to safeguard the environment from outages or data loss.

David Cowan, Head of Infrastructure and Security

Find this article in the ‘5 tips’ section of Tech Republic:

How many police officers does it take to email 10,000 criminal records to a journalist by accident?

September 16, 2010

Just one. But this is not a joke.

A simple mistake caused by the recipient auto-complete function within an email client resulted in Gwent Police committing what has been referred to as the first major UK data security breach since the new regulations introduced by the Information Commissioner’s Office came into force in April this year. What is of particular interest about this case is that a breach of this scale (10,000 records) and gravity (the data leaked involved personal and sensitive information) occurred within a police environment which allegedly had strict policies and procedures. If that is the case, how were the policies circumvented so that the officer was able to commit this breach, and are security incidents caused by human error ultimately unavoidable?

The elephant in the room is that personal and sensitive data such as criminal records should not have been placed in an excel spreadsheet if strict processes were indeed implemented, not even for internal use. In fact, it is important that organisations dealing with personal, sensitive and confidential data have well-defined information asset classification and media handling procedures. Through the identification and labelling of confidential and sensitive data, all information would be classified based on its value and risk to the organisation in terms of Confidentiality, Integrity or Availability. Criminal records, for instance, would be labelled as private, restricted or confidential depending on the classification marking scheme and would be automatically restricted to only personnel who are authorised to access this information. If a similar scheme had been in place at Gwent Police and the information clearly labelled and controlled, then the breach would have been almost certainly avoided because the data included in the email would not have been accessible by non-authorised personnel.

It is possible, though, that Gwent Police actually had all the tools necessary to protect the data, but lacked the general awareness and training extended to all personnel. Certainly it wouldn’t be the only organisation affected by this issue.  Recent data collected by PricewaterhouseCoopers, illustrates that despite spending more than ever on information security, only half of companies surveyed provide staff with any form of security training, and only  one in five large organisations believe their security policies are very well understood by their employees. The results of the latest Information Security Breaches Survey highlight the need for better education in order to reduce risks, as a striking 92 per cent of firms with over 250 employees and 83 per cent of smaller firms (up to 25 members of staff) admit to have recorded a security incident in the past year.

Lack of awareness, little understanding of the implications and perhaps forgetfulness or stress are the most likely causes of human error, which can result in staff ignoring security measures, such as sending confidential data to their private email address, losing an unencrypted USB device or accidentally sending information to the wrong recipient. It is important to note that in these cases, if the data was correctly labelled and encrypted there wouldn’t be a breach of the Data Protection Act. In most cases, the ICO serves an enforcement notice if there is a failure to comply with the Act and the failure has caused or is likely to cause damage or distress to anyone.  The potential repercussions could include the public disclosure of the facts by the ICO, internal disciplinary actions within the organisation or a fine which, under the new regulations, can amount to £500,000.

Comparison with data collected by PwC in 2008 shows that the cost of cybercrime to the business has doubled to more than £10bn in just two years. The average cost of a breach in a large organisation is now between £280,000 and £690,000 (it was £90,000 – £170,000 two years ago) and due to the increased use of cloud computing, risks are rising rather than diminishing. Although the number of organisations with a formal Information Security policy and sufficient IT security tools has improved, the measures seem to be unable to resolve the greatest threat, the human factor: 46 per cent of large organisations have declared that staff have lost or leaked confidential data, which in 45 per cent of cases resulted in a “very” or “extremely” serious breach of information security.

As this data suggests, even with the most advanced technology in place it is not possible to eradicate risk altogether; however, it is possible to mitigate the damage and prevent mistakes like the one the Gwent police officer made by adopting encryption technology and policies that are emitted from the top and are backed up by disciplinary procedures – but it is extremely important that these are accompanied by extensive training and awareness sessions across the organisation. By educating all members of staff, including trusted partners and 3rd party suppliers, it will help reduce, although not eliminate completely, risks to a level that is acceptable for the organisation, which in the case of large organisations which deal with sensitive information, such as the Police or other public sector organisations, needs to be as low as possible.

David Cowan, Head of Infrastructure and Security

This article has been published on Government & Public Sector Journal:

Public sector, private data – is outsourcing the Service Desk too risky?

June 3, 2010

As the Treasury announce cuts amounting to £6.25bn, £95m of which deriving from a reduction in IT spending, attention is once more directed towards outsourcing as a means to reduce IT expenditure. But Information Technology stores and processes large amounts of personal, sensitive and confidential data, and when it comes to the public sector it can have a very high level of sensitivity, hence a lot of trust is bestowed upon personnel that have access to it. It is already difficult to place confidence in in-house staff, due to the high number of data breaches that are perpetrated by internal staff, backed up by statistics, but the option of off-shore outsourcing elevates the threat level from code yellow to code red.

Widespread use of Cloud computing is unlikely to become a reality in the foreseeable future: strict regulations relating to the Data Protection Act, which the public sector in particular follows religiously, make it virtually impossible to obtain assurances that the data stored outside the organisation’s premises is adequately controlled and kept secure. However, remote access provided to support staff based at another location, be it in the same or another country, still presents a risk in that information can still be collected and recorded. 

With the government CIO, John Suffolk, encouraging the use of outsourcing to countries offering cheaper labour as a cost-cutting strategy, it is time to understand to what extent this can be done and if the public sector can really benefit from off-shoring the Service Desk after all.

Organisations in the public sector are essentially different from private companies: although it seems obvious, it is important to bear in mind that they are funded by British taxpayers, and therefore work for them. However, providing access to personal and sensitive data to companies thousands of miles away and outside the European Union which have different culture, ethics and laws might put the safety of their personal details at risk. For instance, information such as identity, financial and health records can fall into the wrong hands and be used for malicious intent. Not long ago, ITV found that British medical and financial records held abroad could be bought for just a few dollars. No matter how ‘rare’ this event might be, it is not a risk Britons are prepared to take, if the decision were up to them.

It is certainly difficult for organisations in the public sector to carry out a satisfactory level of service when their budgets are being reduced, but it is important to think about the consequences of outsourcing the IT department: a move initially intended to save money can end up making the organisation lose money as a result of large fines and court cases, and most importantly, it can lead to a loss of credibility and reputation.

Recognising a ‘safe’ provider is not easy, especially as identification of a risky supplier often only happens once a breach has been committed, when it might be too late for an organisation to escape liability and to save face. However, it is possible to assess a provider’s trustworthiness before a breach occurs: they should follow Best Practice and have a mature Information Security Management System in line with the ISO 27001 standard, assessed through an independent security review, risk assessment and gap analysis.

There are also better alternatives to extreme or risky versions of outsourcing. For example, the IT department can be kept internal, for better control, but be managed by a third party which is aware of the stringent safety measures necessary for working in this peculiar sector. That said, most information security breaches pertain to threats inside an organisation and are in many cases not a malicious act but a consequence of ignorance, frustration or lack of risk awareness. Well-trained and appropriately-skilled Support staff can reduce these security incidents to a minimum, as would implementing organisational-wide information security awareness sessions.

Management commitment within the industry is especially important to convey the significance of protecting personal and sensitive data and the seriousness of breaching the Data Protection Act, which does not only concern IT staff. Extensive training is necessary to raise awareness across the entire organisation – whenever there is a data breach it is never the provider that suffers the worst consequences, but the organisation’s reputation.


David Cowan, Head of Infrastructure and Security

This opinion piece appears in this week’s Dispatch Box on Public Technology:

Is information safe enough at NHS trusts?

April 1, 2010

It looks like NHS trusts are starting to realise that Information Security is not just a matter of using complex passwords, locking drawers at the end of the day and installing the latest firewall and antivirus solutions. The Information Commissioner has been particularly critical of the NHS in the past due to a high proportion of security breaches as a result of inadequate Information Security controls and staff awareness programmes.

The result has been an NHS wide initiative to ensure all removable media including laptops and USB drives are encrypted. However, this may not be enough. As reported by the BBC recently, a remarkable amount of non-medical personnel at UK trusts have access to patient records including recent medical history – at least 100,000 including porters, hospital domestics and IT staff, a Big Brother Watch survey stated.

It seems like the risk is not only from staff at off-shore service providers collecting and selling British data to make a few extra pounds, as reported on ITV not long ago. It also comes from internal personnel who have the potential to access extremely sensitive data without the appropriate authority or preventative controls.

 This is not surprising: data collected in the BIS Information Security Breaches Survey 2009 illustrated that 60 per cent of all companies suffered a security breach in the previous two years and of these, 50 per cent were perpetrated by staff, often premeditated or malicious but in many cases simply a matter of a stolen laptop or lost removal media device.

There is an obvious need for greater awareness of information security regulations across the entire organisation, and measures must be taken to protect personal and sensitive data. Management in particular need to be involved in order to avoid resentment, complacency and to ensure everyone takes the matter seriously.

In the case of the NHS, information at risk is highly sensitive and breaches can have very serious outcomes. Consequences of Data Protection Act breaches are not confined to costly fines and a few employees being fired – it is the organisation’s reputation that suffers the most.

This risk can be mitigated by conducting an independent gap analysis and security review which would assess compliance with Information Security best practice, i.e. ISO27001, IG Toolkit v7, and certify that information held within an organisation is secure, reducing the risk of incidents and the cost to the business.

Equally important are staff awareness sessions to which not only general staff but executive participation is required, which is vital in creating a culture where Information Security is part of the organisation’s DNA.


David Cowan, Head of Infrastructure and Security

One of you may be fired

December 17, 2009

Those of us old enough still remember the advertising slogan suggesting that ‘no one ever got fired for buying IBM’. And it was largely true. Many IT managers spent a lot of money on IBM systems as it appeared a risk free option – even if they were not always convinced it was the best solution for the business.  

The sentiment is not confined to IBM of course. More recently you could easily replace IBM with names such as Microsoft, Cisco or Dell, for example. The problem is that it is there are usually too many options available. And the same is true when it comes to virtualisation.

With a list of benefits as long as your arm, the decision to adopt a virtual desktop infrastructure in the first place seems a no brainer. But that’s where the easy decisions end. Once committed to virtualising the environment, many organisations quickly become bogged down with the sheer number of options, features and functionalities. 

So, rather than using an unbiased and well-researched approach to the platform selection process, far too many organisations are making snap judgements based on unfounded or irrelevant criteria – or simply on a name.

So who are the front runners? Unless IT managers have been living in the Himalayas for the last five years, they will certainly be aware of VMWare, Microsoft HyperV and Citrix with its XenDesktop. But there are also a number of other suppliers such as Quest and Sun with their own, lesser known offerings that should not be ruled out.

The problem often lies in the criteria organisations use to select their platforms. What they need to do is carefully detail what is required and which platform best meets those needs. After all, the main benefits of virtualisation are achieved in the long term and these will be negated if an unsuitable platform is selected in the first instance.

For example, when deliberating between Microsoft Hyper V and VMWare, it is easy to get caught up in comparisons between up-front cost and perceived compatibility with a current operational platform. HyperV may appear to be cheaper than VMWare at first glance, but this will only be the case for organisations for which it is the fit-for-purpose solution.

There are clearly many organisations where HyperV is the right choice, but elsewhere, while there may be initial savings to be made on up-front cost, these will soon be forgotten once the platform begins to come up short further down the line. Equally, choosing VMWare because of its reputation and positive press will be as costly for organisations that cannot hope to utilise its vast scope within the requirements of their environments – or for those that discover incompatibility issues later down the line when it is too late.

It is surprising how often companies get this wrong. So, before you reach for the cheque book, make sure you have looked carefully at what you are signing up for or take independent expert advice. At the very least you can then blame it on someone else. 

David Cowan


David Cowan, Head of Infrastructure

This article appeared in the Dec 2009 issue of Networking+

2012: avoiding the IT Apocalypse

December 4, 2009

2012. If you take the legend behind this year’s Hollywood blockbuster of that name to hold some truth, we’re in for a bumpy ride in a couple of years. Ok, so the major cities of the world are unlikely to disappear into gaping chasms but the Mayan prophecy used as inspiration for the movie which predicts the occurrence of an unspecified major change in 2012 might not be so unbelievable when it comes to IT.

Of course, that isn’t to suggest anything of the apocalyptical nature seen in the big-screen blockbuster is likely to occur, but from an IT point of view at least, 2012, and the period leading up to it, are looking to be a time of great change.

Take Windows XP as an example. 2012 is the year in which Microsoft expects to put an end to supporting its most loved OS, and to leave the world with the option of carrying on unsupported or making the leap to Windows 7. Gartner analysts appear to be pro-migration, advising Vista-traumatised users not to bypass Windows 7 like they did with its predecessor. Early adopters have given it positive feedback but perhaps more importantly, there do not seem to be too many other options – the scent of change is in the air.

So with that in mind, many of you will be asking “what’s the rush?” A compelling event in 2012 means it’s a long time before an OS migration becomes first priority you might think. However this way of thinking could be a mistake. According to Gartner, the process of a full-scale migration takes, on average, 12-18 months. With this in mind, suddenly 2012 doesn’t look that far away.

An interesting example of the timescales involved can be found by examining the plans for the IT Infrastructure of the 2012 Olympics in London. The appointed IT supplier for the games, Atos Origin, has already started to design IT systems and infrastructure for the main site and numerous venues around the UK, and plans to start works in the new year, launching the data centre and software in July 2010.

Atos need to ensure they balance in the sweet spot between a system which is too new, and therefore raw and still not completely understood, or too ancient, and unable to meet the needs which will occur during the biggest sporting event ever seen.

While London 2012 might seem to be on a scale far larger than anything most organisations would need to tackle, the principles remain the same. Money will be saved and problems avoided by anticipating any compelling event and acting accordingly. With that in mind, 2012, apocalyptic or not, should not be too far from your thinking today.

David Cowan


David Cowan, Head of Infrastructure Consulting