Sunday 28 March 2010

Unique selling point?

Wouldn’t it be refreshing if service companies started to promote a unique selling point that consists of offering their clients a secure environment! I know this sounds a bit daft, but let’s look at some examples. The classic case is accountants. They process their clients’ financial information and exchange it with their clients. A lot of clients send their data by email or on memory sticks, both of which are totally insecure; you have to ask yourself why not send your financial details to the accountant on a postcard, since it offers the same level of security.

So my thought is: why don’t accountants and the like offer their clients a unique selling point, namely a secure way of transferring data? For example, a secure portal that clients can log in to in order to exchange data, or the business could supply its clients with encrypted USB sticks carrying the company logo, so that it advertises the business as well as providing the client with a way of protecting themselves and their data.

The implementation of such a solution could be promoted to clients and used as a USP to secure new business.

Simple!

Wednesday 24 March 2010

Quis custodiet ipsos custodes?

A lot of businesses don’t appreciate where threats come from; they defend the perimeter of their network without looking too closely within. I was reminded of this the other day when the story of the Swiss HSBC employee reared its ugly head again.

For those of you who don’t know, a chap called Herve Falciani stole data about some customers with a view to selling this information. He was employed in the IT department, so he had privileged access to data. What was his motivation? Well, it is reported that he was asking £2,000,000 for the data he stole.

Whilst the theft was made over three years ago, it is still coming back to haunt not only the business but also the clients. HSBC has now had to revise twice how many records were stolen. First it was a handful, then 15,000 customers, and more recently 24,000 customers affected by this theft. The implications are pretty catastrophic, for some more than others, because the details of their accounts have been exposed, which in turn could put them at risk of prosecution by tax authorities!

So is too much power being left in the hands of the IT department? Yes, they need some privileges to do their work, but how much? As is frequently demonstrated, too much.

Most organisations have a security model that can be likened to a sieve: they know there are holes, so they attempt to plug them. When they discover the next leak, out come the sticking plasters and another hole is plugged. Realistically this takes a great deal of effort, and there is usually something that has been overlooked and so can be exploited. The thing is, how much monitoring do you put in place, and who monitors those doing the monitoring? After all, if you have not spotted a security hole you won't be looking for it or monitoring it. At what point do you stop this process as well? There are only finite resources and, in the end, who will guard the guards?

A recent survey has shown that a staggering 59% of ex-employees take some of their employer's data with them when they leave. This is a pretty high figure when you think about it. Over half of all the people that have ever worked for a company will have some of its data. All of that data is out there, uncontrolled, with the business typically blissfully unaware of how many copies are floating about. Once it is outside the control of the business, there is no way to stop said data being copied again and again.

I was also reminded of when my own business suffered from this very problem. Several years ago an ex-employee, whom I believed I could trust, surfaced at a competitor, and as soon as they joined the competitor our clients started to get phone calls and emails telling them this person now worked for them and asking whether they would like to transfer their business.

Fortunately no personal data was involved; however, it did highlight to me the weakness we had by trusting people with privileges on our network. Whilst this doesn’t speak much of this person’s character (especially as, when they left, I had reassurance from them that they would never do anything to betray any trust), it also made me appreciate how valuable even the smallest amount of data can be to someone else. I don't know what his motivation was; perhaps desperation to get a job, so offering a list of potential new business on the condition of a job could have been the angle. I will probably never know and, to be honest, don't really want to.

We also did not know this was happening, but fortunately several of our clients contacted us to make us aware of it, and I thank them for their loyalty to us. What made it so obvious was that the competitor had foolishly used privileged information only we had, and in doing so exposed its source.

After this exercise I immediately decided to change the way we worked and how we granted privileges to staff, and so rolled out persistent encryption on our data so that, no matter who had access to it, if it were ever copied it would be rendered useless outside the control of our network. Fortunately the product we implemented is very good: it forces encryption whenever anything is created but denies the creator/author the ability to decrypt it.

Whilst I appreciate that this is not a magic bullet (trust me, we also have some IDS, DLP and NAC in place, as well as the usual server security and auditing), I am able to rest more easily at night knowing that if someone has found a new way to copy our data outside of our control, and inevitably they will, it will be in a pretty useless format once they take it away.

After all, there is only so much security you can put in place before you prevent someone from being able to do their job, so instead of putting in too much, put in smart solutions that give the most protection for the least overhead, like we have.

Thursday 18 March 2010

Something to look forward to...

It has been nine days since my last post. I can't believe I left it so long, and a lot has happened since I last posted.

It is now only 19 days until the legislative changes that allow the ICO to up its game and give it real teeth. I have been very busy speaking to various organisations about information assurance and compliance with the new legislation, and as it is the same info each time it is getting a bit samey.

On that note, I notice that Argos has managed to escape falling foul of the changes because the security flaw with their payment confirmation emails is now in the public domain. Even though they have exposed clients' personal financial data, which could have serious implications for the various clients, they cannot be fined retrospectively. Mind you, I would imagine the PCI is not too happy about them exposing not only client credit card details but also the CVV, so I would imagine there will be discomfort coming their way.

I am looking forward to April, when I will be attending the Counter Terror Expo and also InfoSec. I have never been to the Counter Terror Expo, but some of the presentations caught my eye as there are a lot of parallels with some of the work I do. It should be an interesting expo. I am also looking forward to InfoSec; I enjoy attending it and it is an opportunity to meet up with some familiar faces. I am meeting up with at least two ex-colleagues, which should be a good laugh.

Tuesday 9 March 2010

28 days later...

I love that film, dark and scary. I was thinking about this film today and, being sad, it got me wondering how many days it is until the ICO can impose its half-million-pound fines. Guess what: when I post this, 28 days later will be the deadline of April 6th.

After April 6th I wonder if we will see similar panic and terror on the streets as we did in the film?

Wednesday 3 March 2010

How much is fraud costing you? It could be more than you think!

I have been looking at fraud this week, trying to work out how much it costs each person, and the figures shocked me. Thinking about it, I should have been more realistic in my expectations, but even so the figure was surprising.

Fraud is estimated to cost the UK economy between £13bn and £20bn every year! This equates to a cost of £330 for every person in the country, every man, woman and child, which is paid for through higher charges for goods and services and through higher taxes. The cost of every act of fraud is passed on to the end consumer.

On average 6% of an organisation’s annual revenue is lost to fraud, and 58% of these fraudulent activities are committed because of inadequate controls within the business.

So, thinking about it, because a business doesn’t take its security seriously enough, it costs you and me, on average, £330 per year, each!

I don’t think this is fair. OK, there will be crimes that are difficult to stop, but it would be nice for them to make a bit more of an effort. It is well known in the industry that most frauds carried out in the UK are committed by well-educated, married men between the ages of 35 and 44.

Whilst I appreciate you can’t prevent everything, implementing tighter controls would mean that the level of fraud would come down, and the net benefit would be that we would get cheaper goods and services. The knock-on effect would also be that individuals would see fewer cases of identity theft, so less angst in having to resolve it.

I would guarantee you that if you call a business and ask them whether they have adequate security in place they will say they have, but the reality is always way short of the mark.