Archive for the ‘IT security’ Category

Identifying priorities in IT security spending

August 20, 2012

Understanding your business’ priorities in terms of security spending is simple.  It starts and ends with protecting your reputation and therefore your customer data. Identifying what those specific priorities are does, however, take a little more time, but not necessarily investment.

Avoiding a situation where hackers post a file containing the passwords of over six million of your customers to the web (LinkedIn in June 2012) could be classed as a priority in terms of security spending. You may suffer a virus attack internally, which whilst it might be somewhat annoying, is largely irrelevant as long as your customers’ data is not compromised – unless of course it affects customer service, which will of course also affect your reputation.

Therefore, it is up to anyone with externally facing systems to determine what information they hold about their customers and how it is protected. The way to do this is to regularly test your defences with external third-party vulnerability testing. This activity should not be treated as a one-off project but as an on-going process. From this, a business can identify its risks and decide how to tackle them based on their impact on reputation and customer data.

In addition, businesses must also conduct their own internal assessment of all risk. There is of course some necessary spend on the hygiene products needed for a decent perimeter security system, such as anti-virus and anti-spyware, but after that, to avoid wasting money, risks have to be prioritised according to your business environment. For example, you can invest in some sophisticated security event logging software which is useful when a security event happens, but you’d rather invest in preventing that event from happening in the first place…first.

There is a perception that security breaches take place where clever hackers find some kind of technical weakness in a company’s systems, which means you have to spend lots on even more clever security software, but largely this is not the case. Most breaches are down to people making mistakes internally. This might be mistakes in how a system is configured or simply carelessness in handling data. Businesses would be far better off spending time, rather than money, on avoiding these problems.

Adrian Polley, Director


Legal and financial firms should follow the ICO’s data security guidelines, too

August 10, 2012

Just two days after the news of a Torquay health trust being fined £175,000 for publishing sensitive data of over 1,000 of their own employees on their website, the Information Commissioner’s Office (ICO) released the top five areas which need improvement in order to keep personal and sensitive information safe within an SME. Although aimed at charities and public sector organisations, these tips are also relevant to the private sector, in particular the financial and legal arena where a vast amount of personal and sensitive information is handled.

The guidelines issued by the ICO include giving employees data protection training, being clear on what use is made of personal information and having an established data retention period, where it is only kept for as long as necessary. It is important to highlight the emphasis on the ‘people’ factor and the role of security awareness training in the protection of information within an organisation. Human error is still the leading cause of data protection breaches across the UK, most of which are not malicious. About a third of all data breaches (36 per cent) are due to negligent employees, according to the latest Symantec/Ponemon Institute ‘UK cost of a Data Breach’ study. It is therefore crucial to give more attention to educating people rather than simply concentrating on purchasing the latest data protection tools and technology.

Organisations have to act in two ways: on one side, they have to train their employees so that they are more aware of data protection regulations, the applicable risks to the organisation and internal policies, as well as the consequences of not following these regulations and policies; on the other side, they need to protect themselves from their own employees, making sure encryption is used on all devices, as well as limiting access to data to only those who are authorised.

If personal and sensitive information is lost, stolen or made public, the organisation responsible for the breach will potentially face a hefty fine – but the consequences of a data breach are not only financial. Especially in the case of financial and legal firms, there will also be reputational damage which may be too difficult to recover from.

While it may be the case that for a large multi-national company the money and reputational loss involved does not affect their bottom line or position within the market too much, it is not the same for small and medium-size enterprises. With less money at their disposal and a limited number of loyal clients, a large fine can severely affect their capital and the subsequent reputational loss might lead to business loss and, ultimately, failure.

For this reason, it is increasingly important that SMEs in the legal and financial sector invest time and resources on preventing information security incidents, in order to avoid having to pay for their mistakes at a later date. There is a lot of trust bestowed upon these organisations by their clients, so the least they can do is to make sure that their details are kept safe and secure, ensuring that this trust is well deserved.

David Cowan, Head of Consulting Services

BYOD – Convenience Vs Security?

March 23, 2012

The explosion in the use of personally owned devices in the corporate workplace is on the rise and accommodating Bring Your Own Device (BYOD) is becoming a fact of life for many organisations. Whilst there may be benefits to adopting this approach, businesses must try and minimise the risks if they allow employees to use personally owned smartphones or tablets.

One of the key risks in adopting this strategy is that your business may be more vulnerable to having confidential information being compromised if there is a lack of control, ownership and management of devices. A basic tenet of information security is the ability to control data and this could be compromised if companies implement BYOD. Tablets and smartphones are very susceptible to being lost or stolen and any data contained on them is vulnerable because of the lack of security measures – this becomes a higher risk if the organisation does not have the ability to encrypt or remotely wipe data. Traditionally, corporate-owned devices have usually been configured to a standardised format, allowing for greater control; but by removing this systematic approach to mobile devices, there is a good chance data could be compromised due to poor security and data management.

Security best practice for the mobile BYOD environment presents fresh challenges for IT professionals, and there are benefits to taking a risk-based approach. Having a clear understanding of how employees are using their personal devices can assist in mitigating the risk, but what organisations must remember is that with the addition of each new device to the network, the risk grows. By not taking this approach, how do you know if users are storing login details for corporate applications and databases, or if malicious code can be released into the corporate network because of poor patching policies?

Organisations should start with the basics and consider the following questions:

  • Do you need to impose restrictions on usage through the enforcement of strong policies?
  • How will the devices be used? In this instance it is crucial to consider this from a business and personal perspective.
  • How are you going to enforce your policies? Organisations must ensure these are tailored to specific roles, devices and locations – there is not a ‘one-size-fits-all’ solution.

They need to decide how they will monitor devices and activity to ensure policies are being adhered to. As an example, they should look at how Apps are controlled – what can and cannot be installed – and ensure they have the ability to block Apps that may introduce unwanted risk. Do they really want a rogue App that creates a gateway for unhindered access to their corporate information or intellectual property?

Agreements with users

BYOD also raises more complex issues and these are primarily around liability and trust: for those users who wish to use their own devices, organisations must formulate opt-in agreements. The business must decide what level of control it requires over devices to provide them with assurance that the smartphones or tablets are being used correctly and appropriately.

Employees who wish to use their own devices should be required to sign an agreement allowing the organisation the right to access the device and review it as necessary. This must include the ability to wipe data from the device if it is lost or stolen or in the event the worker terminates their employment.

Security measures

Securing mobile devices is bringing fresh challenges to those who wish to secure their corporate data, and as much as the user may not like it, rules have to be imposed to reduce data leakage or loss, and these must be auditable.

Rather than place extra burdens on IT staff, organisations can also consider using an outsourced Mobile Device Management service. There are numerous organisations offering this and the options are many: for instance cloud or hosted, and full or partial service.

When a business wishes to introduce a BYOD culture, there are many things to consider from a risk perspective. However, device security must include the following in order to ensure unauthorised access to data is minimised:

  • Turn on auto-locking;
  • Enable encryption;
  • Enforce strong passwords;
  • Turn on password protection;
  • Enable inactivity time out;
  • Lock out after a specified amount of failed logons;
  • Remote wipe if the device is compromised.

A new culture

Although often overlooked, one of the best ways to prevent security incidents is to create a ‘security culture’ where all employees are aware of risks and consequences of using their own devices unsafely for work purposes and not following company policies.

As human error is still the number one cause of most security incidents, often due to employees circumventing strict measures in order to speed up work operations, it is only through the appropriate awareness training that risk can be minimised.

It is by taking these steps that BYOD can become a normal practice within an organisation without any added security risks, so that everyone can enjoy all the benefits the use of personal devices for work can bring, as well as the endless possibilities brought about by mobile and home working.

Colin Greenlees, Senior Security Consultant

Focus on 2012: 5 key areas in Enterprise IT

December 19, 2011

According to the industry analysts, experts and professionals, some of the changes and novelties introduced in the last few years are set to become actual trends in 2012. Influenced by the ever-challenging economic climate, disillusioned yet careful outlook on industry best practices and need to obtain measurable efficiency from any IT project, these are the five key areas that will acquire growing importance next year:

1) Larger use of non-desktop-based applications

This is due to a growing need for mobility and flexibility. Users need to be able to work while travelling, from any desk or office (for instance, in the case of large/international companies) and from home, as home-working is growing due to the financial benefits involved. It is also a good choice to guarantee business continuity in the case of unforeseen circumstances such as natural disasters or strikes which leave the workers stranded or unable to reach the office. As well as cloud applications, virtualised desktops are becoming a must-have for many organisations. Companies with older desktops which need updating anyway will find this switch more financially convenient, as will those which have a large number of mobile users who need to access applications from their smartphone or laptop while out of their main office. It can also give those organisations considering or embracing home-working more control over the desktops, as they will be centralised and managed by the company and not at user level.

2) Larger use of outsourced management services

The ‘doing more with less’ concept that started to take grip at the beginning of the past recession has translated into practical measures. These include handing part or the whole of the Service Desk to an external service provider which, for a fixed cost, will know how to make the best of what the company has, and provide skilled personnel, up-to-date technology and performance metrics. Managed services, IT outsourcing and cloud services will become even more prominent in 2012 and the following years due to their convenience from a practical and financial point of view. With the right service provider, the outcome is improved efficiency, fewer losses deriving from IT-related incidents and more manageable IT expenditure.

3) Management plans for ‘big data’

There is much talk around the current topic of ‘big data’, which describes the concept of the large amount of varied data organisations have to deal with nowadays. There are some practical issues that arise from this – mainly how to store it, share it and use it, all without breaching the Data Protection Act. However, at the moment it is still very difficult to understand how to take the next step: using this data strategically and to create business advantage. This is something companies will have to look at in the years to come; as for the next year, they might just concentrate on dealing with data safely and efficiently, possibly storing it on a private virtual server or using public cloud services.

4) A more balanced approach to security

This new approach sees the over-adoption of security measures dropped after the realisation that it might affect productivity, as it may cause delays in carrying out business operations; it could also diminish opportunities that are found in sharing data within the sector to allow organisations to improve and grow; lastly, it can be counter-productive, with employees bypassing the measures in place in order to make operations quicker. Although being compliant with on-going regulations is becoming vital, there will be more scoping and tailoring than large technology adoption. Organisations will be analysed to understand which areas are in need of security measures and to what extent. This way, heavy security measures will be applied only to high-risk areas rather than throughout the whole organisation, with less critical areas able to work more freely. In this approach, risks are balanced against efficiency and opportunity and the end result is a tailored solution rather than a collection of off-the-shelf products.

5) Less budget control

Due to the challenging economic climate, other departments, in particular the financial department and therefore the DOF, will have more control over IT investments. CIOs and IT Managers will have to be able to evaluate if their IT project is necessary or just a nice-to-have, and how it can bring business advantage. All proposed IT investment will have to be justified financially; therefore, it is important to analyse each project and find a reasonable ROI before presenting it to the finance decision-makers. This implies that IT professionals have to learn ‘business talk’ and manage to translate difficult technical descriptions into business terms.

All in all, developments within IT will not come to a halt next year – investment and changes will continue but with a more careful outlook and a stronger focus on efficiency, safety and Return on Investment rather than on following trends or adopting the latest technology for the sake of it. Because of this, the difficult economic climate could also be seen as a good thing: organisations make wiser and far-sighted choices that will create a solid base for any future decision that will be made when times are less tough and spending capacity rises, increasing the efficiency potential of IT for business purposes.

Tony Rice, Service Delivery Manager

External pressure for internal information security controls – David Cowan on Computer Fraud & Security

November 17, 2011

Organisations wishing to win new business through tenders and bids are under pressure to give clear information on how they deal with information governance and security. This has become so important that an organisation issuing a tender might choose one supplier over another based solely on its compliance with applicable regulations or the fact it holds the ISO 27001 certification.

Companies are therefore wondering if they should get certified, what compliance entails and what the implications of these ‘bureaucratic complications’ are. In any case, an information security review or internal audit can be a vital tool to enable a firm to understand its current maturity level and possible improvements as well as to answer lengthy and detailed security questionnaires.

Click on the link below to read the article (PDF – extract from ‘Computer Fraud & Security’, November 2011)

External pressure for internal information security controls – David Cowan on Computer Fraud & Security

Private vs. public sector IT security: more dedicated staff, yet less awareness

March 3, 2011

According to recent data, the private sector lags behind with regards to data protection, while public sector organisations lead the way. David Cowan explains how firms can improve their IT security and avoid losing money, clients and reputation.


A recent survey commissioned by the Information Commissioner’s Office (ICO) revealed that there is a remarkable difference between the public and private sector’s approach to Information Security. The data contained in the research carried out by Social and Market Strategic Research (SMSR) showed that, in fact, the public sector was much more aware of the Data Protection Act principles compared to the private sector.

When asked to identify, unprompted, the main principles contained in the Act, the 7th Principle ‘Personal information is kept secure’ was mentioned by 60% of public sector organisations, compared to only 48% of private firms. However, a more shocking divide can be found in the awareness of the Information Commissioner’s Office’s existence: 42% of private firms had not heard about it at all, a percentage that actually increased from the previous years – yet this was not the case for public organisations, where only 3% were not aware of the UK’s independent authority set up to uphold information rights in the public interest.

A lack of awareness, however, does not prevent the majority of private sector firms from having more than 10 members of staff dedicated to information security-related duties, compared to an average of 2 in public sector organisations. Quantity is not directly proportional to quality, it seems.

In reality, the public sector has had more reasons to be more data protection-savvy due to handling large volumes of personal and sensitive data. The private sector should start following their example. Regulations have become stricter and ICO fines are tougher, with the authority now able to impose a fine of up to £500,000 for a serious breach. It is important, then, that all firms improve their awareness of information security and that they have an efficient system in place for protecting personal and sensitive information, and to deal with any breach in the most appropriate manner.

Private organisations which deal with sensitive and confidential data – such as banks and law firms – should take these results as a wake-up call and an opportunity to learn from the public sector. They are in fact the most at risk of suffering major consequences in case of a breach of the DPA.

Critically, it is important to understand the steps for improving Information Security. First of all, it is vital that organisations are aware of their information assets and the associated risks. They can do this by conducting an assessment of their Information Security Management System, in particular the controls surrounding the information assets of the organisation. This can then be assessed against the international standard for Information Security ISO 27001, to identify any weak points, possible corrective actions and areas of risk.

Once these have been identified, it is possible to plan remedial work which covers policies, procedures and technology, as well as staff education and awareness, implementing it on a continuous cycle. It is important to note that documents and technology alone are not enough to guarantee an improvement; however, they can minimise information security risks.

Staff commitment, from senior management to the most junior employees, is the key to make all the controls and procedures work. If staff are not made aware of policies and procedures introduced, or are not willing to collaborate, perhaps because they do not understand why they should change the way they have always worked, then no amount of technology can keep an organisation in line with the appropriate standards and regulations.

At the same time, management need to take strong ownership and underline the importance of data protection with a clear Information Security statement; their strategy should include disciplinary actions for whoever does not adhere to the policies. Investing time and effort in prevention will pay off more than insurance, as the latter may reduce some of the damages although not the most important cost – the organisation’s reputation.

It is undeniable that although data security risks can be minimised, they cannot be completely eliminated – there will always be a human or technical error that results in sensitive data being lost, destroyed or disclosed. This, unfortunately, can happen in both the public and private sector, often even when all the appropriate measures are in place. For that, you can only act according to the associated risks, for instance by allowing data to protect itself not only through encryption, but through the implementation of a data classification system that restricts access by unauthorised viewers.

Information Security is not a final destination; instead, it is a never-ending journey where everyone from senior management to service desk engineers commits to an ethos in order to protect personal information from loss, leakage and theft in a manner which is proportional to the identified risks.


David Cowan, Head of Consulting Services

This article is published on Infosecurity UK: http://www.infosecurity-magazine.com/view/16319/comment-public-vs-private-sector-information-security/

Data security: controlling the risks – The EGB Masterclass

February 23, 2011

by Dan Jellinek, E-Government Bulletin

David Cowan

Public sector information security breaches often hit the headlines, but are public bodies really any worse than private sector in this area? What are the main risks, now and in a future of ‘any time, any place’ access to systems through cloud computing, and how can they best be tackled? We ask David Cowan (pictured), Head of Consulting at IT services provider Plan-Net.

Q: What are the main areas of risk for public bodies in keeping their data secure?

A: Public bodies are subjected to a plethora of regulations, standards and frameworks on data security due to the nature of the information they hold, and the associated risks of handling the sheer volume of personal or sensitive data. The main areas of risk are staff failing to observe the organisation’s information security procedures; malicious activity from both internal and external sources such as staff unlawfully selling or obtaining personal data and external threats from fraud, or from crime syndicates or rogue groups using ‘phishing’ or social engineering; and organisations and staff not being aware of their legal obligations, such as the legal obligation to report an information security breach under the Data Protection Act.

Q: What is the scale of risk faced by public bodies?

A: It is difficult to quantify the scale of the risk, but even with all the controls, standards and regulations in place to reduce risk, it is still not possible to eradicate it altogether. The size and geographical spread of public sector organisations increases the risk of data leakage and malicious activity occurring, as does the reliance on recording personal information within huge databases across the public services.

Q: What are the potential consequences of security breaches?

A: The greatest risk to an organisation is the potential reputational damage which could occur as a result of an information security incident reaching the public domain. The Information Commissioner’s Office is now empowered to hand out large fines of up to £500,000 for serious breaches of the Data Protection Act, and there is the possibility of criminal prosecution depending on the severity and scale of the breach. Public bodies could even lose access to public sector frameworks and IT networks as a result of a perceived systematic breakdown in their processes and procedures. The impact on individuals and society could include a lack of trust in public sector organisations handling their personal information; loss of productivity; and individual distress or harm caused by a breach.

(Read the rest of this interview on E-Government Bulletin issue 329: http://www.headstar.com/egblive/?p=771 )

Surviving IT spending cuts in the public sector

February 15, 2011

How to create cost-efficiencies in the post-Spending Review scenario

After the announcement of 25%-40% budget cuts last year, it is reasonable to expect IT to be one of the departments to suffer the most in public sector organisations. However, cuts in IT support and projects may bring inefficiencies and disruptions, which can then lead to real losses and increasing costs.  More than ever, CIOs and IT Directors at public sector organisations are taking various options into consideration, from quick-fixes to farther-sighted ideas, trying to find a solution that will produce savings without compromising on service quality and data security, and perhaps even increasing efficiency. Here are some common ideas analysed:

Solution 1: Reducing headcount

Firing half of your IT team will produce immediate savings since you will not have to pay them a salary the following months, but when Support staff is insufficient or not skilled enough to meet the organisation’s needs it can lead to excessive downtime, data loss, security breaches or the inability to access applications or the database. A ‘quick-fix’ such as this represents a false economy. Reviewing resource allocation and improving skill distribution at Service Desk level, on the other hand, can be a valid solution. Indeed many IT departments can find themselves top heavy with expert long serving team members where the knowledge supply out-weighs the demand. A larger proportion of lower-cost 1st line engineers with improved and broader skills and a fair reduction of the more deeply skilled and costly 2nd and 3rd line technicians can not only reduce staff spend, but also create efficiencies with more calls being solved with first-time fix.

Solution 2: Offshoring

Although the thought of employing staff who only ask for a small percentage of a normal UK salary may sound appealing, offshoring is not as simple as ABC. It requires a large upfront investment to set up the office abroad, with costs including hardware, software, office supplies and travel and accommodation of any personnel that manages the relationship with the supplier. Organisations are not able to afford that kind of investment, especially since this solution only creates cost-savings in the long term – but the public sector needs cost savings now. Furthermore, the different culture and law can represent a risk to information security: data could be easily accessed by staff in a country thousands of miles away and sold for a couple of dollars, as various newspapers and TV channels have found out. With the extreme sensitivity of data processed by Councils, charities and the NHS, no matter how hard foreign suppliers try to convince the public sector to offshore their IT, it is unlikely this will happen – it is simply too risky.

Solution 3: IT Cost Transparency

Understanding the cost of IT and its value to the organisation, being able to prioritise and manage people and assets accordingly and knowing what can be sacrificed, can help identify where money is being wasted, which priorities need to be altered and what can be improved. For instance, do all employees need that piece of software if only three people actually use it more than twice a year, and do you need to upgrade it every year? Do all incidents need to be resolved now, or can some wait until the more urgent ones are dealt with? Do you need a printer in each room, and when it breaks do you need to buy a new one or could you make do with sharing one machine with another room? These and many other questions will lead to more efficient choices, but only after having identified and assessed the cost and value of each aspect of IT, including people and assets.

Solution 4: Cloud computing

There are contrasting opinions on this matter. The Government CIO, John Suffolk encourages the use of this service, and reckons that the public sector would be able to save £1.2bn by 2014 thanks to this solution. However, many believe that placing data in the hands of a service provider can be risky due to the highly sensitive nature of the data involved, so traditional Cloud computing may not be an ideal solution.

A shared environment such as the G-cloud, where various public sector organisations share private data centres or servers, may be a safer option that allows the public sector to achieve major efficiencies and cost savings, while minimising issues related to data security.

Solution 5: Shared Services

A shared service desk is not for everyone – it can only work if the organisations sharing have similar needs, culture and characteristics, and as IT can be a strategic advantage for competitive businesses, sharing the quality may mean losing this advantage. But for the public sector, this solution may be ideal. Local councils with the same functions, services and needs will be able to afford a higher level of service for a reasonable price, sharing the cost and the quality.

Solution 6: Service Management Good Practice

‘Doing more with less’ is one of the most used quotes since the recession started. And it is exactly what the public sector is looking for. Public organisations don’t want to be ITIL-aligned, obtain certifications, and tick the boxes. All they want is efficiency and cost savings – and through the right Service Management moves, after an Efficiency Review to find out what needs improvement and how, this can be obtained through the right choices regarding people, processes and technology.

Solution 7: Managed Services

A solution where the IT Service Desk is kept internal with its assets owned by the company, but managed by a service provider, is becoming more and more popular among organisations from all sectors. When the sensitivity of data and a desire for a certain level of control over IT rule out full outsourcing, but in-house management does not allow the potential cost savings and efficiencies to be reached, a managed service may represent the ideal ‘in-between’ choice. The post-Spending Review public sector, then, may benefit from a flexible solution that is safer than outsourcing, but more cost-effective than an in-house solution.

Every challenge can be a new opportunity

Although budget reductions may affect investment in large IT projects and shiny new technology, they also represent the ideal opportunity to analyse what is essential and what is not, and to prioritise projects accordingly. The public sector, then, finds itself prioritising effectiveness over compliance, cost-efficiency over cheapness and experience over offers when choosing providers and tools for its IT. This will lead to solutions that help organisations run more smoothly and safely, invest their resources better and, ultimately, deliver a service that brings maximum customer and user satisfaction.

Martin Hill, Head of Support Operations

(also on Business Computing World: http://www.businesscomputingworld.co.uk/how-to-create-cost-efficiencies-in-the-post-spending-review-scenario/)

10 things we learnt in 2010 that can help make 2011 better

December 23, 2010

This is the end of a tough year for many organisations across all sectors. We found ourselves snowed in last winter, were stuck abroad due to a volcanic eruption in spring, suffered the announcement of a tightened budget in summer, and had to start making drastic cost-saving plans following the Comprehensive Spending Review in autumn. Data security breaches and unreliable service providers have also filled the press.

Somehow the majority of us have managed to survive all that; some better than others. As another winter approaches it is time to ask ourselves: what helped us through the hard times and what can we do better to prevent IT disruptions, data breaches and money loss in the future?

Here are some things to learn from 2010 that may help us avoid repeating errors and at the same time increase awareness of current issues, for a more efficient, productive and fruitful 2011:

1- VDI to work from home or the Maldives

Plenty of things prevented us from getting to work in 2010, with natural disasters, severe weather and industrial disputes the biggest culprits. Remote access solutions have been around for a long time, but desktop virtualisation has taken things a stage further. With a virtual desktop you access your own complete and customised workspace when out of the office, with performance similar to working in the office, and the data stays in the data centre rather than on whatever device the user happens to be holding. Provided there’s a strong and reliable connection, VDI minimises the technical need to be physically close to your IT.

2- Business continuity and resilience with server virtualisation

Server virtualisation is now mainstream, but there are plenty of organisations large and small who have yet to virtualise their server platform. When disaster strikes, those who have virtualised are at a real advantage – the ability to build an all-encompassing recovery solution when you’ve virtualised your servers is just so much easier than having to deal with individual physical kit and the applications running on them. For anyone who has yet to fully embrace the virtualisation path, it’s time to reassess that decision as you prepare for 2011.

3- Good Service Management to beat economic restrictions

With the recent economic crisis and the unstable business climate, the general message is that people should be doing more with less. It’s easy to delay capital expenditure (unless there’s a pressing need to replace something that’s broken or out of warranty), but how else to go about saving money? Surprisingly, effective Service Management can deliver significant cost-efficiencies through efficient management of processes, tools and staff. Techniques include rearranging roles within the IT Service Desk so that more incidents are fixed earlier in the support process, and adopting automation tools to deal with the most common repeat incidents. Putting proper and effective measures on the service, down to the individuals delivering it, also helps to set expectations, monitor performance and improve the processes.

4- Flexible support for variable business

An unstable economic climate means that staffing may need to be reduced or increased for certain periods, only to be rescaled again shortly afterwards. At the same time, epidemics, natural disasters and severe weather may require extra staff to cover absences, often at the last minute. Not all organisations, however, can afford a ‘floating’ team paid to be available in case of need, or can get contractors easily and rapidly. An IT support provider that offers flexibility and scalability can help minimise this kind of disruption: some providers keep a team of widely skilled multi-site engineers who can be sent to any site needing extra support and kept only until no longer needed, without major contractual restrictions.

5- Look beyond the PC

Apple’s iPad captured the imagination this year. It’s seen as a “cool” device, but its success stems as much from the wide range of applications available for it as from its innate functionality. The success of the iPad is prompting organisations to look beyond the PC in delivering IT to their user base. Perhaps a more surprising story was the rise of the Amazon Kindle, which resurrected the idea of a single-function device. The Kindle is good because it’s relatively cheap, delivers well on its specific function, is easy to use and has a long battery life. As a single-function device it’s also extremely easy to manage. Given the choice, I’d rather take on the challenge of managing and securing a fleet of Kindles than of iPads, which for all their appeal add another set of security management challenges.

6- Protecting data from people

Even a secure police environment can become the setting for a data protection breach, as Gwent Police taught us. A mistake caused by the recipient auto-complete function led an officer to send some 10,000 unencrypted criminal records to a journalist. Had a data classification system been in place, where every document created is routinely classified at a level of sensitivity and restricted so that only authorised people can view it, with the restriction enforced by the systems rather than left to the sender, the breach would not have taken place, because the information could not have been sent to an unauthorised recipient. We can all learn from this incident: human error will occur and there is no way to avoid it completely, so countermeasures have to be implemented up front to prevent breaches.

7- ISO27001 compliance to avoid tougher ICO fines

The ICO’s new powers under the Data Protection Act came into force this year, allowing it to impose a penalty of up to £500,000 for a serious data breach. At the same time, regulators have imposed the highest fines yet seen: Zurich Insurance, after losing 46,000 records containing customers’ personal information, was fined over £2m by the FSA, and the fine would have been higher had it not agreed to settle at an early stage of the investigation. ISO 27001 has gained advocates in the last year because it tackles the broad spectrum of good information security practice and not just the obvious points of exposure. A gap analysis and alignment with ISO 27001 is a good first step to staying on the safe side. However, any improved security measure must be accompanied by extensive training, so that all staff who may deal with the systems gain a strong awareness of the regulations, of what constitutes a breach and of the consequences.

8- IT is not just IT’s business – it is the business’ business as well

In an atmosphere where organisations are watching every penny, CFOs have acquired a stronger presence in IT, although neither they nor the IT heads were particularly prepared for this. The CIO now has to justify costs concretely, using financial language to propose projects and explain their likely ROI. The CFO’s role changes too: they need a better knowledge of IT in order to discuss strategies and investments with the IT department.

9- Choose your outsourcing strategy and partner carefully

In 2010 we heard about companies dropping their outsourcing partner and moving their Service Desk back in-house or to a safer Managed Service solution; we heard about Virgin Blue losing reputation due to a faulty booking system managed by a provider; and about Singapore bank DBS, which suffered a critical IT failure that caused considerable inconvenience to customers. In 2011 outsourcing should not be avoided, but the strategy should include solutions that allow more control over assets, IP and data, and less upheaval should the choice of outsourcing partner prove to be the wrong one.

10- Education, awareness, training – efficiency starts from people

There is no use in having the latest technologies, best-practice processes and security policies in place if staff are not trained to use them, as the events of 2010 have amply demonstrated. Data protection awareness is vital to avoiding information security breaches; training on the latest applications will drastically reduce the number of incident calls; and education in best practices will smooth operations and allow organisations to achieve the cost-efficiencies they seek.

Adrian Polley, CEO

This article has been published on Tech Republic: http://blogs.techrepublic.com.com/10things/?p=2100

How many police officers does it take to email 10,000 criminal records to a journalist by accident?

September 16, 2010

Just one. But this is not a joke.

A simple mistake caused by the recipient auto-complete function within an email client resulted in Gwent Police committing what has been referred to as the first major UK data security breach since the new regulations introduced by the Information Commissioner’s Office came into force in April this year. What is of particular interest about this case is that a breach of this scale (10,000 records) and gravity (the data leaked involved personal and sensitive information) occurred within a police environment which allegedly had strict policies and procedures. If that is the case, how were the policies circumvented so that the officer was able to commit this breach, and are security incidents caused by human error ultimately unavoidable?

The elephant in the room is that personal and sensitive data such as criminal records should not have been placed in an Excel spreadsheet if strict processes were indeed in place, not even for internal use. Organisations dealing with personal, sensitive and confidential data need well-defined information asset classification and media handling procedures. Through the identification and labelling of confidential and sensitive data, all information is classified by its value and risk to the organisation in terms of Confidentiality, Integrity and Availability. Criminal records, for instance, would be labelled private, restricted or confidential depending on the classification marking scheme, and access would be automatically restricted to the personnel authorised to see that information. Had such a scheme been in place at Gwent Police, with the information clearly labelled and the label enforced by the document and mail systems rather than relying on the sender, the breach would almost certainly have been avoided, because the data in the email could not have been released to, or read by, unauthorised personnel.

It is possible, though, that Gwent Police had all the tools necessary to protect the data but lacked general awareness and training across all personnel. It certainly wouldn’t be the only organisation affected by this issue. Recent data collected by PricewaterhouseCoopers shows that, despite spending more than ever on information security, only half of the companies surveyed provide staff with any form of security training, and only one in five large organisations believe their security policies are very well understood by their employees. The results of the latest Information Security Breaches Survey highlight the need for better education to reduce risk: a striking 92 per cent of firms with over 250 employees, and 83 per cent of smaller firms (up to 25 staff), admit to having recorded a security incident in the past year.

Lack of awareness, little understanding of the implications, and perhaps forgetfulness or stress are the most likely causes of human error, which can result in staff ignoring security measures: sending confidential data to a private email address, losing an unencrypted USB device or accidentally sending information to the wrong recipient. In these cases, had the data been correctly labelled and encrypted, with the key kept separate from the data, the finder or the wrong recipient could not have read it, and the incident would be very unlikely to constitute a breach of the Data Protection Act. In most cases the ICO serves an enforcement notice if there is a failure to comply with the Act and the failure has caused, or is likely to cause, damage or distress. The potential repercussions include public disclosure of the facts by the ICO, internal disciplinary action within the organisation, or a fine which, under the new regulations, can amount to £500,000.

Comparison with data collected by PwC in 2008 shows that the cost of cybercrime to business has doubled to more than £10bn in just two years. The average cost of a breach in a large organisation is now between £280,000 and £690,000 (it was £90,000 to £170,000 two years ago), and with the increased use of cloud computing, risks are rising rather than diminishing. Although the number of organisations with a formal information security policy and adequate IT security tools has improved, these measures seem unable to address the greatest threat, the human factor: 46 per cent of large organisations reported that staff had lost or leaked confidential data, and in 45 per cent of those cases the result was a “very” or “extremely” serious breach of information security.

As this data suggests, even with the most advanced technology in place it is not possible to eradicate risk altogether. It is possible, however, to limit the damage and prevent mistakes like the one the Gwent Police officer made by adopting encryption technology and policies that are issued from the top and backed by disciplinary procedures, provided these are accompanied by extensive training and awareness sessions across the organisation. Educating all members of staff, including trusted partners and third-party suppliers, reduces risk, although it never eliminates it completely, to a level that is acceptable to the organisation; for large organisations that handle sensitive information, such as the police or other public sector bodies, that level needs to be as low as possible.
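As an added illustration, not Gwent Police’s own tooling and not part of the original article or of item 6 in the 2010 list above, the following Python sketch models the control both pieces argue for: every attachment carries a classification label, an outbound-mail gate refuses to release an unencrypted labelled file to anyone not cleared for that marking (downgrading to a warning when the file is encrypted and the recipient has no key), and a lookalike check flags the classic auto-complete substitution of an external address for an internal one. The domains, the cleared-recipient list, the directory and the sample message are all constructed for the example.

```python
"""Outbound e-mail classification gate (illustrative, constructed example)."""
from dataclasses import dataclass, field
from enum import IntEnum


class Label(IntEnum):
    """Classification marking, ordered from least to most sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3


@dataclass
class Attachment:
    name: str
    label: Label
    encrypted: bool = False  # content protected independently of the mail transport


@dataclass
class Message:
    sender: str
    recipients: list[str]
    attachments: list[Attachment] = field(default_factory=list)


# Hypothetical policy: the organisation's own domain, plus named external
# parties cleared for specific markings (e.g. a partner force under an
# information-sharing agreement). Both sets are constructed for the example.
INTERNAL_DOMAINS = {"force.example"}
CLEARED_EXTERNAL = {
    Label.RESTRICTED: {"liaison@partner-force.example"},
    Label.CONFIDENTIAL: set(),
}


def domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_internal(address: str) -> bool:
    return domain(address) in INTERNAL_DOMAINS


def recipient_cleared(address: str, label: Label) -> bool:
    """PUBLIC may go anywhere; anything higher needs an internal recipient
    or one explicitly cleared for that marking."""
    if label == Label.PUBLIC:
        return True
    if is_internal(address):
        return True
    return address.lower() in CLEARED_EXTERNAL.get(label, set())


def check_message(msg: Message) -> tuple[str, list[str]]:
    """Return ("ALLOW" | "WARN" | "BLOCK", reasons).

    BLOCK: an unencrypted labelled attachment is addressed to someone not
    cleared for its marking. WARN: same addressing mistake, but the file is
    encrypted, so the recipient cannot read it without the key; the slip is
    still reported so the sender and the security team know it happened."""
    verdict = "ALLOW"
    reasons: list[str] = []
    for att in msg.attachments:
        for rcpt in msg.recipients:
            if recipient_cleared(rcpt, att.label):
                continue
            if att.encrypted:
                reasons.append(f"WARN: {att.name} ({att.label.name}, encrypted) to uncleared {rcpt}")
                if verdict == "ALLOW":
                    verdict = "WARN"
            else:
                reasons.append(f"BLOCK: {att.name} ({att.label.name}) to uncleared {rcpt}")
                verdict = "BLOCK"
    return verdict, reasons


def lookalike_recipients(msg: Message, directory: set[str]) -> list[tuple[str, str]]:
    """Flag external recipients whose local part matches an internal
    directory entry: the pattern auto-complete produces when it picks the
    wrong 'j.smith'. Returns (external address, internal address it resembles)."""
    by_local = {addr.split("@", 1)[0].lower(): addr for addr in directory}
    hits = []
    for rcpt in msg.recipients:
        if is_internal(rcpt):
            continue
        local = rcpt.split("@", 1)[0].lower()
        if local in by_local:
            hits.append((rcpt, by_local[local]))
    return hits


# Constructed sample: a spreadsheet of records that auto-complete addressed
# to a newsdesk contact instead of the intended colleague.
DIRECTORY = {"j.smith@force.example", "records@force.example"}
SAMPLE = Message(
    sender="officer@force.example",
    recipients=["j.smith@newsdesk.example"],
    attachments=[Attachment("records.xlsx", Label.CONFIDENTIAL)],
)

if __name__ == "__main__":
    print(check_message(SAMPLE))
    print(lookalike_recipients(SAMPLE, DIRECTORY))
```

The gate sits in the sending path, so the decision does not depend on the officer noticing the wrong address; the lookalike check is a useful extra prompt but is deliberately not the control, since a journalist’s address need not resemble anyone’s in the directory. In a real deployment the label would come from the document’s own metadata (or from content inspection) rather than being supplied by hand.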

David Cowan, Head of Infrastructure and Security

This article has been published on Government & Public Sector Journal: http://www.gpsj.co.uk/view-article.asp?articleid=303