Friday 29 January 2010

Rotten Apple?

I deal with security and encryption so this is totally off topic for me but I can't help but comment on this.

I was fascinated to see the BBC website providing so much free advertising to Apple and their new iPad. I can’t understand the hype around this product, it is meant to be a device to open up a whole new market segment. I am sorry, a new market segment? Don’t they mean an old, stale market segment that has never taken off and probably never will, but one Apple can exploit because their target audience is people who put brand over function and will buy shiny Apple products no matter what they are?

When I first saw the iPad my first impression was it is a big iPhone. Sometimes in the weekend papers you get a catalogue and one of the items of tat for sale is typically a mobile phone aimed at the older consumer, you know the type, it has a simple display and BIG chunky buttons. That is what the iPad looked like to me, an iPhone for the elderly.

Don’t get me wrong, I do like some of the products that Apple produces, I own some of them, I just don’t think Apple deserves the hype they get each time they launch something, especially something as lame as this.

Let’s cut through the Apple veneer and look at the reality of tablet computing. They are difficult to use unless you like clipboards, because you need one arm to cradle the device, so it is one-handed typing if you use it whilst you are out and about. The iPad is touch screen only so no handwriting, unlike other tablet devices that support a stylus. From the tech specs and reviews it appears not to be able to multitask; it is more linear, so you need to exit one application and then launch the next each time you switch between them. They are cagey about the internal spec, speeds and memory, saying it is proprietary and cannot be compared like for like, but I don’t buy this argument; I think: what are they ashamed of?

Personally, I would look at the new HP Tablet IF I were considering one-handed awkward computing, but then personally I would not look at tablets full stop. Instead I think the best route, if you want a device without optical media, is to go down the Netbook route. At least you get multitasking, the ability to connect external devices and the option to install different applications that are not all channelled through an expensive online portal that holds you and the device to ransom.

I don’t want to comment further, suffice to say that Apple are genius at appealing to a narrow sector of society and always will be. On this basis my gut feel is that this device will fill a gap in the market, not a technological gap but an emotional gap in the lives of Apple fans who just have to have one, and then ask what it does.

My prediction is we will see a lot of iPads on eBay in about 3 months after people get exasperated with tablet computing. It is not new, it has never really worked and it never will for the mass market, they are hard to use and the novelty wears off really quickly.

Judging by the technical reviews (not the gushy non-techie journos who are infatuated with Apple) and how I predict users will typically feel after the initial shiny shiny new gadget feeling has worn off and they have got to grips with using it regularly, I think it will be dubbed the iSlate!

Tuesday 26 January 2010

Look after your data….

If you have read my previous posts you have probably guessed that I have a bit of a thing about data security. Thinking about it, why do we have security in organisations? What is it protecting? Ultimately it is protecting what that organisation values which in the IT world is data. Without data computers are just tin and wires.

This is why I have taken to standing on my electronic soap box and started ranting about data security!

I happen to think it is a very important subject and deserves a lot more attention than most organisations give to it.

From my experience there are many excuses, the most common being cost, and this really annoys me. It is much cheaper to implement good security and prevent a data breach than to suffer the cost and consequences of having to retrofit security.

The second is “we don’t have anything that needs securing”; again this really annoys me and it is utter crap. It shows they don’t value their data. People who have this approach only really value something when it is gone. There are some lighter moments in my life when I see people’s worlds crumble when they realise their data is more important than they were saying.

The third is “we have something already which is good enough”, typically just disk encryption, don’t start me off on that one again!

I so often see poor data security which was implemented as a knee-jerk reaction. This typically ends in an expensive disaster: swiftly plugging a security hole without any planning leads to years of suffering the consequences.

I am mindful of a case where an overenthusiastic organisation had gone to great lengths to encrypt their archive data following a data breach. Their approach was the typical “we have had a breach, let’s fix it ASAP”. The person that was made responsible for the project dutifully encrypted all of the archive data but did not document the implementation and subsequently left the organisation. The archive data was accessed so infrequently that no one knew they could not decrypt the data without the information in their ex-colleague’s head. Now came the time to access the archive data and they found they couldn’t; there were terabytes of scrambled data that were of no use to them.

Priceless!

Sunday 24 January 2010

The false economy of shutting the stable door after the horse has bolted

The bulk of my life at the moment is spent speaking to people about computer security and their current problem(s), usually a result of implementing the cheapest solution to meet minimal requirements. This typically ends up with us being asked to plug the holes that they are focussing on at that moment; very rarely do they stop and look at the entire estate.

Look, I know budgets are tight but surely it makes sense to look at the entire estate and resolve all of your security issues in one hit rather than the on-going cost of fire fighting.

When a company has a security breach there are several things to consider, the first is the tangible cost of resolving the problem. This is what organisations focus on because, as I said, it is tangible.

The second is the intangible cost of the problem, one that is not so readily seen; the effects can take a while to be noticed, but by then it can be too late and they can devastate a business that was unprepared for them. The intangibles are made up of several factors: reputation damage, which affects how much existing business you retain and how much new business you lose as a result of shoddy security. How many clients will want to do business with an organisation that exposes their details? There is also the cost of damages and making right; for example, if the organisation exposes financial details then there is the cost of monitoring accounts for fraudulent transactions, which all adds to the costs.

I won’t go into the long list of intangibles because they vary from industry to industry, however what I can tell you is that year on year the cost of a data loss has gone up. How do I know? Every year the Ponemon Institute publishes the average cost of a data breach and it is printed there in black and white. If you want a copy, email me and I will send you a copy of the reports.

There are numerous cases where businesses have gone bust as a direct result of being cheap with computer security.

So when asking those higher up the company food chain for an IT security budget, find out if they have business insurance for fire and theft. I know this sounds a bit off topic but bear with me. Businesses don’t typically burn down that often and, whilst we perceive crime to generally be on the up, the instances we deal with are thankfully few and far between (unless you are in the police or insurance game), so why do business bosses feel the need to insure against these things but not insure against data loss? The bottom line is businesses do plan for these possibilities and have mitigation and planning to deal with them, so why not argue the same case for data security?

So the message for today is to think of computer security as another form of business insurance, because whilst you don’t want to be in a situation where you have to use your insurance, you are bloody glad you’ve got it when you really need it and so will the bosses of the business.

Saturday 23 January 2010

Who is responsible for data security?

This is one of my favourite topics and one that businesses typically overlook.

Let’s look at an imaginary example with the rather snazzy names of The XYZ Coffee Bean Company and Acme Payroll Services. The XYZ Coffee Bean Company has outsourced payroll processing to Acme Payroll Services. Acme Payroll Services now holds personal information, bank details etc. for all of the staff at The XYZ Coffee Bean Company. Acme Payroll Services has a security breach and the personal details of staff at The XYZ Coffee Bean Company are stolen.

Q. Whose responsibility was it to secure The XYZ Coffee Bean Company payroll data that was stolen from Acme Payroll Services?

A. The XYZ Coffee Bean Company.

This answer usually surprises people; after all, Acme Payroll Services should have provided a duty of care to The XYZ Coffee Bean Company, and Acme Payroll Services should have been responsible for securing their own environment and protecting their customers? Morally the answer is yes, legally the answer is nope!

I have been speaking to lots of organisations about Section 144 of the Criminal Justice and Immigration Act of 2008 because it sets out the responsibility of the data controller / custodian (who owns the data) and the data processor (who handles the data). It has been a scary journey with most organisations being unaware of this. I am afraid that if an organisation owns the data, then that organisation is responsible for it, no matter where it goes, even to third party organisations.

I think this approach is great because it puts the responsibility directly onto the company that initially gathered the data. I want to know that if I give my personal details to The XYZ Coffee Bean Company they will be legally bound to ensure it is looked after, no matter where it goes. If they don’t take care of it, they are liable, not the third parties that they farm my data off to, so it should make them more responsible.

Wouldn’t it be refreshing if (a) organisations actually knew Section 144 exists and then (b) put processes in place to ensure they complied with it?

Never mind, I guess until more organisations take Section 144 seriously we will continue to have a slipshod approach to securing data.

Thursday 21 January 2010

Encryption for the masses?

Encryption for the masses is becoming more of a reality but is it a good thing?

What you ask?

Those who know me know I have been banging on about data security for some time now, so they will be wondering why I am now asking if encryption is a good thing. In reality I am not questioning whether encryption is a good thing, of course it is (so long as you remember passphrases etc.), but is choosing an encryption product because it comes with an antivirus product the best way to do it?

Why have anti-virus companies suddenly taken an interest in encryption? If you read the vendor websites they say it is because they now offer a total endpoint security solution. Noble marketing but is it the real motive?

I don’t think so, I think it is just a product USP arms race: one vendor offered encryption and suddenly had a USP, and so the rest followed suit so as not to be left behind. Is this the best way to get disk encryption? If you are a home user, probably yes; if you are an organisation, I think not.


The thing is by using an anti-virus bundle you are tied to them. Rip and replace of anti-virus software is comparatively simple compared to ripping and replacing disk encryption.

With my cynical hat on I say this is the main reason why they are bundling disk encryption, it ties the client to a long term subscription for the anti-virus product. Most organisations recoil at the thought of replacing their disk encryption product because of the pain it will cause.


It is a bit like getting a free laptop with a 3G broadband contract. The laptop is not usually what it’s cracked up to be and you are tied to a 24 month contract; the mobile provider more than gets the cost of the laptop back because of the length of the contract and you get stuck with the broadband contract for 24 months. What seemed like a good idea at the time of purchase turns out to be a long process of regret.

I don’t know if you have tried to rip and replace disk encryption on a large estate of machines; trust me, don’t even go there, it’s a nightmare. You would typically look to replace when you do an OS refresh, and if you work on a rolling cycle that could mean managing different encryption products, and that can bring a whole raft of problems to the poor people who have to support the estate.

Another cynical thought is that if these vendors are just in a USP features war and have bought products to ship with their AV software, how much development are they going to continue to put into the encryption product? Not a lot I would warrant, it is a loss leader and doesn't justify further investment.

Sophos bought Utimaco SafeGuard, McAfee bought SafeBoot and Symantec bought GuardianEdge, all good products, but I think we will see any further development of these products halted. This is just my perception, but see if you agree: look at other products these vendors have bought and see how much additional development they got and how long they lasted as viable products to see what I mean.

Finally, what if you want to extend your encryption to encompass email or network data, portable data or mobiles etc.? I can’t see anti-virus manufacturers extending their encryption product portfolio to accommodate these areas, so what initially appeared to be a cheap solution starts to get expensive as you add up the cost of having to manage multiple vendors to cobble together a solution to meet your organisation’s encryption requirements.

Wednesday 20 January 2010

New year, new attitudes?

I wanted to start this blog because I am getting frustrated with the general lacklustre approach to the way organisations secure our data (or not, as is typically the case).

I have a personal interest in this, as should you, because organisations out there hold personal information about all of us. I have no idea how many organisations hold data about me but, thinking about how many things I am subscribed to and companies I have done business with or have had dealings with, it is lots, and I would be very surprised if any of it is encrypted.

I want organisations to provide a duty of care and not to have my personal details compromised if they have a security breach. I want people to look after my personal information as I am sure you want them to look after yours.

Computers have changed everyone’s lives both directly and indirectly. Storage has become cheaper and larger in size, and portable devices are smaller in volume but larger in capacity and more portable than ever. More data can be stored in smaller devices which means more can be lost or stolen.

People’s third-hand experience of computers within organisations is mostly positive, but some people’s experience has been bad and in some extreme cases catastrophic.

The cases I am thinking of are when people are the victims of someone else losing their data, not through any fault of their own but because an individual or organisation that was entrusted with their personal information has not had the decency to secure it properly.

The most prolific case in the UK being HMRC losing two disks with all of the child benefit details, approximately 25 million financial records. I was one of the 25 million victims who had personal bank details exposed.

We are forever told about the risk of identity theft and how we should protect ourselves but it is all for nothing if others can’t be bothered to secure our personal details.

In the past it has not been a criminal activity for an organisation to lose your personal details, but hopefully things are about to change in the UK, and it is about time too!

Most organisations are blissfully unaware of these upcoming changes or how it will affect them both in terms of what has already been implemented and what is proposed. I am hoping this legislation will change the approach of organisations towards security.

My biggest pet hate at the moment is a blasé attitude towards data security. I have heard “We have implemented disk encryption so we should be covered” so many times and it is such a naïve approach. This sort of approach is like getting the biggest and best locks on the front door of your house, bolting it shut and declaring that no burglars can get in, while at the same time leaving every window of your house open.

Yes, encrypting a hard disk has secured one portion of your estate, but it hasn’t secured all of it, and where there is insecure data, there is risk.

Data is probably an organisation’s biggest hidden asset and, unless you are a cat farmer, the most difficult to control.

I would challenge any organisation to declare they know exactly where all of their data is and how many copies there are. Worryingly, most organisations have little if any control over their data, in both the public and private sectors, and most of them leak data like sieves, with the biggest offender being the NHS in the UK.

A while ago disk encryption was high on everyone’s agenda; cases like the Nationwide Building Society having a laptop stolen with 11 million customer records on it highlighted the vulnerability of computers that were portable, and so a wave of disk encryption started. Great, people started to implement security, the five-lever lock was fitted to the front door. Now it is time to get the window locks and burglar alarm fitted. It is time for people to look at securing data, not devices.

You see, it is not the computers that are portable, although I have heard many stories of computers walking, it is the data. Most organisations still try to prevent data from being copied but there are too many holes to plug. I say let users copy the data, as much as they want; I say just make sure the data is useless when it is outside of the organisation’s control. If it is encrypted it is gobbledegook and useless.
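The two points above, that a copy of the data should be useless outside the organisation, and (from the archive story in the 26 January post) that decryption must never depend on what one departed colleague remembered, are both properties of how the keys are handled rather than of the cipher. The following Go program is an added illustration of one common way to get both, "envelope" encryption: each file is encrypted under its own random data-encryption key (DEK), and that DEK is in turn wrapped under an organisation-held key-encryption key (KEK) and stored alongside the ciphertext. This is example code written for this page, not the author's product or any vendor's implementation; the file name, the sample payroll record and the function names are all assumptions, and in a real deployment the KEK would live in an escrowed, documented key store rather than in a variable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedFile is what gets copied around: ciphertext plus a wrapped DEK.
// Without the KEK, both fields are gobbledegook. (Hypothetical format.)
type SealedFile struct {
	Name       string
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prefixed
	Ciphertext []byte // AES-256-GCM(DEK, content), nonce prefixed
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce prefixed to the output. The file
// name is passed as associated data so a wrapped key or ciphertext cannot be
// silently moved from one file to another.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal and fails (authentication error) on the wrong key,
// a tampered blob or mismatched associated data.
func unseal(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptFile generates a per-file DEK, encrypts the content under it and
// wraps the DEK under the organisation's KEK.
func EncryptFile(kek []byte, name string, content []byte) (*SealedFile, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, content, []byte(name))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(name))
	if err != nil {
		return nil, err
	}
	return &SealedFile{Name: name, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptFile needs only the KEK: anyone holding the escrowed KEK can recover
// the archive, which is exactly what the undocumented project in the story
// could not do. Nothing here depends on one person's memory.
func DecryptFile(kek []byte, f *SealedFile) ([]byte, error) {
	dek, err := unseal(kek, f.WrappedDEK, []byte(f.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, f.Ciphertext, []byte(f.Name))
}

func main() {
	kek := make([]byte, 32) // stand-in for a key held in an escrowed key store
	rand.Read(kek)
	// Constructed sample record, not real data.
	f, _ := EncryptFile(kek, "payroll-2009.csv", []byte("name,account\nAlice,12345678"))
	pt, err := DecryptFile(kek, f)
	fmt.Printf("recovered with KEK: %q (err=%v)\n", pt, err)
	_, err = DecryptFile(make([]byte, 32), f)
	fmt.Println("with the wrong KEK:", err)
}
```

Two things worth noticing: the wrapped DEK travels with the file, so rotating the KEK means re-wrapping a 32-byte key per file rather than re-encrypting terabytes; and because DecryptFile takes the KEK as an input rather than something a person remembers, the recovery procedure can be written down and tested before the only person who set it up leaves.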

It doesn’t matter if you work in the public or private sector, change is afoot and there will be big fines and also the chance to languish at Her Majesty’s recreational facilities for criminals.

Hopefully when people start getting £500,000 fines for losing data people will start to take this matter seriously.