Category Archives: government

SMEs and Security or How SMEs can impact UK PLC Security (image post)

[Image: BIS visual v2.0]

Top Down Security (or “How To Learn To Love Information Security And Get It Into The Boardroom”)

Originally published on the Darlingtons Solicitors Blog 23.11.12

Say the word ‘security’ to people and you get a variety of responses or perceptions. Some think of manned guarding and a nice guy who works the barrier and checks the CCTV images to keep everyone safe. Others go a bit ‘Mission Impossible’ and imagine consultants dangling from wires, testing floor pressure pads in secure areas whilst hacking into the Pentagon. And still others regale you with tales of every night club they have been asked to leave by a man in a black puffy jacket.

This post is not really about any of those perceptions, it is about a business enabler and how it is placed in successful organisations. I can appreciate that compared to Tom Cruise dangling from the ceiling this may appear dull, but as far as business goes, it’s a bit more useful.

“Yeah, IT does Security”

According to the Ernst & Young Global Information Security Survey 2012, there is a real gap between where Information Security sits within organisations and where it needs to sit. As Security Consultants we know this to be true, and we are also aware that other disciplines, FM (facilities management) for instance, have had a similar battle to get a voice in the boardroom. Given the interconnected nature of so many business areas, joining the dots and having top-down policy and behaviour has never been more important.

Milky Way and our Solar System – image Ecology.com

As we are talking about Information Security (IS), let’s put it in perspective. IT security is the vital technical security of IT systems: firewalls, encryption, password policy, patches and so on. How an organisation behaves with regard to the security of its information is a much larger area. (If the organisation’s use of information were the Milky Way, IT might be our solar system; see picture.) The rest of the organisation uses information in a myriad of ways, not always electronically and not always on a device (at least not one that IT is aware of…). That rest of the organisation may be vast, so the potential for compromised information is greatly increased, especially if everyone thinks that “IT do security….”

IT departments traditionally do not have a formal risk assessment mechanism. Risk is something a whole business faces, not simply the systems in IT, important as they may be.

An organisation’s IS needs to be aligned to its Risk Appetite – but if accountability for it is placed in IT then realising this will be challenging.

Business solutions are not always technical or IT based. At the end of the day the users are people, and people make mistakes or behave in questionable ways. Around 80% of data breaches are generally accepted to come down to human error or malice. Technology can’t mitigate all of that risk; you need to consider policy, procedure and education in these concepts throughout your organisation. Hopefully you can see now why we are moving out of the realms of IT and into the realm of business-centric solutions that cut across silos rather than reinforce them.

“Place your bets! Place your bets!”

Risk is a part of business; without risk there is no innovation, and nothing can exist for long in a vacuum. Therefore it is vital to know how far you can push something before it becomes too great a risk, not at an instinctive level but at a tried, tested and accepted level that comes from the boardroom via regular review. So understanding your organisation’s risk appetite and tolerance is vital. Aligning your IS policy and procedure to that appetite seems logical, if not essential, yet 62% of organisations surveyed did not align IS to Risk Appetite.

How then can an organisation securely implement something like Bring Your Own Device (BYOD), which sounds on the surface like an IT project and so won’t be aligned to Risk Appetite? In other words, the risk attached to allowing employees to use their own devices, which may mean access to corporate networks and drives and to sensitive information, has not been assessed in terms of the business’s overall appetite. Rogue apps (which we hear about every week) could, for instance, be scraping data from the device on a regular basis without the user being aware. Previously it was the user’s own data alone that was compromised; with BYOD the scope of data available increases vastly as an organisation’s information assets open up to that user.

InfoSecurity – share the love

The Ernst & Young survey highlighted the need to bring Information Security into the boardroom. Perhaps asking who owns the risk, or who is accountable for the information risk, is where to start. According to this survey only 5% have Information Security reporting to the Chief Risk Officer, the person most responsible for managing the organisation’s risk profile. Placing responsibility within IT can cause ineffective assessment and alignment, not only with Risk but with business priorities.

If 70% of the respondents are stating that their organisation’s IS function only partially meets organisational needs, it becomes clear that this is a ship that has set sail without a map. IS needs C-level direction and input; it needs the support of the board, to be implemented and understood top-down, and to start making a positive impact on business growth by enabling it to happen securely, with threat and risk awareness, accountability and mitigation.

It was initially encouraging to read that almost 40% of organisations planned to spend more on IS over the next 12 months. But on reflection, if this is going to be mainly directed by IT departments, unaligned to Risk, unconnected to the board and occupying, relative to the organisation’s use of information, a space about the size of the sun in the Milky Way, it is doubtful that the dissatisfied 70% of organisations who feel IS is not currently meeting their needs will shrink. What is concerning is that this could end up looking like wasted spend on Security, when in actual fact it is merely a potentially unwise or undirected spend. The upshot, through a lack of board-level understanding, could be that future spend then has a line run through it instead of under it.


All data sourced from Ernst & Young Global Information Security Survey 2012, all visual representation copyright of Advent IM and not to be reproduced without express permission.

Watching you, watching me – CCTV in school toilets and why we need to consider more than numbers

Every once in a while, some stats will appear that capture everyone’s imagination and prove to be a sub editor’s dream for headlines. The Big Brother Watch FOI report release this week has brought with it a wealth of headline opportunities, many of them toilet related and all quite breathless in their indignation. But the placing of cameras in private places is just the beginning of the story.

Whilst as security professionals we can fully understand the general public’s shock at the level of CCTV use in secondary schools and academies, we were as disquieted as everyone else about the use of CCTV in areas such as toilets, showers and changing areas. Not everyone realises the complexity of securing a school, college or university. There may be several buildings with varying traffic and visitors. Effective security looks at all threats and risks and treats them appropriately. So it’s not very surprising that the hue and cry has erupted over the acceptability of placing CCTV cameras in such intrusive areas. When performing one-day School Security Health Checks we suggest that a Privacy Impact Assessment be carried out, for what will now be obvious reasons.

For us though it shows the beginning of the problem and isn’t an isolated issue. We deal with schools, colleges and universities frequently. One of the main things they like help with is CCTV and the Data Protection Act. A head teacher is a head teacher not a security expert but the responsibilities that come with managing the images that come from CCTV are quite expansive and are not limited to where the cameras are placed.

We find, for instance, that external cameras may inadvertently be recording images that they should not be. If a camera’s field of vision includes perhaps an area of a neighbouring garden or a view of someone’s home, then the use of that camera is contravening the Data Protection Act and the user could be fined. It’s irrelevant that this was not the intention of the user; it simply can’t be done.

There may also be issues around storing and deleting the images. Schools need to be fully conversant with how to secure the images they have captured. Security isn’t just about the camera: the images have to be handled carefully, as happens with pupil and staff personal data, and protected from either malicious or accidental breach. Deleting images when they should no longer be stored is also covered by the Data Protection Act, and once again a user could find themselves in hot water if images are not being securely deleted after the allotted period has expired.

Who views the images created by CCTV systems? Again this falls into the policy and procedure area when we perform health checks. Only appropriate and necessary staff should have access to CCTV images, as would apply with any sensitive data on pupils or staff. The message that most comes out of the Big Brother Watch report is that if we are to use the wonderful security opportunity that CCTV affords us, we must do it securely and appropriately. You can access the full report as a PDF here.

We plan to publish a White Paper on this topic and if you follow this blog you will receive a notification of when it has been released and where you can obtain a copy. Alternatively you can email us and ask for one. bestpractice@advent-im.co.uk or keep an eye on the website www.advent-im.co.uk

We have visualised some of the key elements we thought you may find interesting. These relate to both the number and ratio of CCTV cameras as well as those found in private areas in school. Whilst we don’t mind you using them if you wish, can you just drop us a note to let us know and make sure you credit both ourselves and Big Brother Watch.

Cookies and Implied Consent

There has recently been much publicity about the ‘watering down’ of the UK implementation of the Privacy and Electronic Communications (EC Directive) Regulations 2003, which were enacted on 25th May 2011 through the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR 2011 for short).

Much has already been written about the lack of compliance of websites, and those offering subscriptions to online services ahead of the 26th May 2012 deadline for enforcement, which has just passed.

The simple answer is that the ICO have changed their position on ‘Consent’ between their earlier statements and their most recent statements of the last few days. The reasons for this are irrelevant if you are the one subject to the ongoing enforcement enquiries of the ICO, which seek evidence of what action you have ‘already’ taken towards being compliant with PECR 2011.

So what do you need to know?

  • Audit what types of cookies you have got, and why and where they are used within your website;
  • Analyse the intrusiveness of your cookies; and
  • Depending on the intrusiveness of your cookies, put in place appropriate notices and consent messages.

How does the change in the ICO’s position affect you today?

The updated guidance provides additional information around the publicised issue of ‘Implied Consent’, and the ICO says:

  • ‘Implied consent’ is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
  • If you are relying on ‘implied consent’ you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
  • You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
  • In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that ‘explicit’ consent is more appropriate.

The ICO themselves have a prominent text box at the top of every page which says “The ICO would like to place cookies on your computer to help us make this website better. To find out more about the cookies, see our privacy notice” (a hypertext link to their full policy description), with a box for the user to tick if they agree with the statement “I accept cookies from this site” and a button to ‘Continue’ either way. The ICO don’t mind anyone copying their solution but point out that they will monitor and possibly amend it in the future.

This approach by the ICO clearly meets the two requirements of Regulation 6: you must provide clear and comprehensive information about any cookies you are using, and you must obtain consent to store a cookie on a user’s or subscriber’s device.

When you are doing your cookie audit you need to collect the following data:

  • Identify which cookies are operating on or through your website;
  • Confirm the purpose(s) of each of these cookies;
  • Confirm whether you link cookies to other information held about users – such as usernames;
  • Identify what data each cookie holds;
  • Confirm the type of cookie – a ‘session’ or ‘persistent’ type;
  • If it is a ‘persistent’ cookie how long is its lifespan;
  • Is it a first or third party cookie? – If it is a third party cookie who is setting it; and
  • Double check that your privacy policy provides accurate and clear information about each cookie.
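As an added example (not from the original post and not Advent IM’s own tooling), here is a small Python helper that builds the inventory the checklist above asks for from captured Set-Cookie headers: it records what set each cookie, whether it is session or persistent and for how long, whether it is first or third party, and whether the privacy notice explains it. The site host, the captured headers, the fixed capture time and the declared cookie list are all constructed sample data, and the first-party test is a deliberate simplification that ignores the public suffix list.

```python
"""Cookie audit helper: build an inventory from captured Set-Cookie headers
and check it against the cookies the site's privacy notice declares."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit
from email.utils import parsedate_to_datetime
from datetime import datetime, timezone

# Hypothetical first-party host for the site under audit (assumption).
SITE_HOST = "www.example.org"

# Constructed sample: (request URL, Set-Cookie header) pairs as they might be
# captured from a browser's network log while walking the site.
CAPTURED_SET_COOKIE = [
    ("https://www.example.org/login",
     "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("https://www.example.org/",
     "site_pref=lang%3Den; Max-Age=31536000; Path=/"),
    ("https://analytics.tracker-example.net/collect",
     "_track=u-9f8e7d; Expires=Wed, 01 Jan 2025 00:00:00 GMT; "
     "Domain=.tracker-example.net; Path=/"),
]

# Constructed sample: what the site's privacy notice currently declares.
# A cookie that is set but absent from this list is an undocumented cookie.
DECLARED_COOKIES = {
    "sessionid": "keeps you logged in (strictly necessary)",
    "site_pref": "remembers your language choice",
}

# Fixed capture time so lifespans computed from Expires are reproducible.
CAPTURED_AT = datetime(2012, 5, 28, tzinfo=timezone.utc)


def is_first_party(cookie_domain, setting_host):
    """Simplified first-party test: the cookie's effective domain must be the
    site host itself or a parent of it. A production audit would consult the
    public suffix list; this is a deliberate simplification."""
    domain = (cookie_domain or setting_host).lstrip(".").lower()
    return SITE_HOST == domain or SITE_HOST.endswith("." + domain)


def lifespan_days(morsel):
    """None for a session cookie, otherwise the lifespan in days.
    Max-Age takes precedence over Expires, as in RFC 6265."""
    if morsel["max-age"]:
        return int(morsel["max-age"]) / 86400
    if morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - CAPTURED_AT).total_seconds() / 86400
    return None


def audit_cookies(captured=CAPTURED_SET_COOKIE, declared=DECLARED_COOKIES):
    """Produce one inventory record per cookie name."""
    inventory = {}
    for url, header in captured:
        host = urlsplit(url).hostname
        jar = SimpleCookie()
        jar.load(header)  # parses name=value and the attributes that follow
        for name, morsel in jar.items():
            days = lifespan_days(morsel)
            inventory[name] = {
                "set_by": host,
                "value": morsel.value,
                "type": "session" if days is None else "persistent",
                "lifespan_days": days,
                "party": "first" if is_first_party(morsel["domain"], host) else "third",
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
                "declared_purpose": declared.get(name),
            }
    return inventory


def undocumented(inventory):
    """Names of cookies the privacy notice does not explain."""
    return sorted(n for n, rec in inventory.items() if rec["declared_purpose"] is None)


if __name__ == "__main__":
    inv = audit_cookies()
    for name, rec in inv.items():
        print(f"{name:12} {rec['party']}-party {rec['type']:10} "
              f"lifespan_days={rec['lifespan_days']} set_by={rec['set_by']}")
    print("Undocumented cookies:", undocumented(inv))
```

Run as a script it prints the inventory and lists `_track` as the one cookie the notice does not cover; in a real audit the captured pairs would come from a browser’s network log rather than the constructed list, and the third-party, long-lived, undeclared cookie is exactly the kind the intrusiveness analysis should flag first.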

The fuss in recent days relates to the new position of the ICO that ‘Implied Consent’ for cookies is a reasonable proposition in the context of the Data Protection Act 1998, in particular Principle 3: ‘Personal Data must be adequate, relevant and not excessive’. What it is not is a euphemism for ‘doing nothing’; in many cases you may still need to follow the ICO guidance to be able to rely upon it successfully. Whether the consent is ‘Implied’ or ‘Specific or Prior’, it must still be given by the user ‘freely’, so some action must be taken by the ‘consenting individual’ from which their consent can be inferred.

The consenting individual must be ‘informed’ that cookies are being set or information is being accessed on their device; simply visiting the website is insufficient, even when there is an explanation deep in the small online print of the Policy or Terms and Conditions statement. If a user is browsing from page to page on a website by clicking a button, the individual must have a reasonable understanding that by doing so they are agreeing to cookies being set.

Many commentators have said that implied consent puts the onus on the user. The ICO does not share this view and has made it clear that the “understanding is all on the website operator’s side and the user ‘giving’ consent is unaware that their actions are being interpreted in this way”. Where ‘implied consent’ is being relied upon, the provider must ensure that clear and relevant information explaining to users what is likely to happen while they are accessing the site is made readily available to them. The ICO says that it does not feel it is their place to determine exactly how the provider does this.

So if you want to know more about how to steer a safe path through this complex issue, come and talk to us.

www.advent-im.co.uk

Watch out FLAME – Malvern’s new ‘dirty lab’ is open…

Francis Maude with MP Harriet Baldwin and Baroness Pauline Neville-Jones opening the ‘dirty lab’ at Malvern. Picture Worcester News

As members of the Malvern Cyber Security Network, we were lucky enough to be invited to the opening of the country’s first ‘dirty lab’ on Friday (25th May 2012). The lab was opened by Cabinet Office Minister Francis Maude, accompanied by Baroness Pauline Neville-Jones, Special Minister to Business on Cyber Security. It has been set up by local companies, including our very own Trusted Partner encription, to help test IT systems and prevent one of the 21st Century’s biggest threats: cyber attacks.

Commenting ahead of the trip, Francis Maude said, “My visit to Malvern is an excellent opportunity to see and hear about the work local business and SMEs are undertaking. Government is working to raise awareness of the potential cyber threat to business reputation, revenues and intellectual property. But cyber security also offers huge benefits for business and is an important growth area for our economy.”

Following the official opening, the Minister and Baroness Neville-Jones joined members of the Networking Group to discuss issues affecting SMEs, including: how Government would encourage an integrated approach to cyber security with business and academia; how SMEs access the £650m budget being made available to combat cyber security threats; barriers to procurement for SMEs delivering innovative products and services to mitigate cyber attacks; and the best way for SMEs to gain information on cyber security policy and guidance. All too soon the interesting discussions came to a close, but it was clear that the Minister and Baroness have a number of areas they both want to develop, and we hope their next visit will be a round table discussion to move things to another level and provide two-way dialogue on what is clearly a key national threat in an increasingly technological world.

The opening of the lab was made all the more apt with news on Monday 28th May of the latest cyber threat to be discovered: Flame. According to researchers, Flame is a complex targeted cyber attack that has collected private data from countries such as Israel and Iran. Having only recently been detected, it is believed to have started its attack in 2010. This new threat appears not to cause physical damage, but once a system is infected it collects huge amounts of sensitive information through a complex set of operations, including sniffing network traffic, taking screenshots, recording audio conversations and intercepting keyboard input.

The United Nations has only today (30/5/12) stated that it is to issue a warning to governments about the Flame worm, which it perceives to be the “most serious warning ever” as the worm could possibly attack critical infrastructure.

The attack is thought to be state sponsored, but its exact origins remain unknown. So why are these attacks such a threat, and how can the Malvern Cyber Security Group (MCSG) help UK businesses protect themselves?

Tony McDowell, Managing Director of encription explains.

“Threats like the recently discovered Flame malware have been all too apparent within commercial and Government systems over the past two decades. The increasing sophistication of malware such as Flame is of concern to all individuals and organisations; in fact the size and sophistication of Flame takes malware to a new level. Although this malware appears to have been targeted at specific organisations, it is only a matter of time before it will be available on the open market, as has historically been the case when exploit writers are continually developing new attacks. This is one of the key reasons for the formation of the MCSG, to assist all organisations in combating cyber attacks and theft.”

The lab will not only be used for research purposes into understanding cyber attacks such as Flame, their origins, modus operandi and complexities but also to provide training for people learning cyber defence techniques.

It is clear that if we can understand the threats we can stay one-step ahead in protecting UK businesses from cyber attack.  We look forward to bringing you news on success stories at the lab in the future.

School Security – brand new service for Schools, Colleges and further education establishments

School Security from Advent IM – the one day health check

After a highly successful pilot scheme, Advent IM Ltd announces the launch of its UK wide, Information Security and Data Protection audits for schools and educational facilities – a one day health check for policies and procedures.

Unprecedented levels of staff and pupil personal data, even fingerprints, are held by schools and other educational establishments.

The level of personal information held by schools and educational establishments on pupils and students has never been so high. For instance, as well as standard, individual information on address, medical conditions, results, social services reviews etc… many schools now employ fingerprint technology for the issue of school meals and other services. This is highly personal data and schools need to have more than technology in place to secure it. It’s not just about how data is stored but also about who has access to it and how it is moved about and later sanitised or destroyed. To ensure data is adequately secured requires a full understanding of actual and not perceived risks to the security of its data. This means that focus needs to be on where the data needs to be and ensuring appropriate levels of security are in place to mitigate those risks.

Advent IM Ltd, the UK’s leading Holistic Security Consultancy, understands the education sector, having worked with many different establishments, from primary schools to universities. Our new service offering is designed to provide a health check on school policies and procedures to ensure appropriate processes are in place for safeguarding pupil and staff data. This includes not only electronic management of data but also physical control of access to and storage of hard-copy data. It underlines internal awareness of the Data Protection Act and can help schools build sustainable policies and procedures to ensure best practice within the Act and wider information security.

Experience shows us time and again that data loss, breach or compromise is more often than not due to human error. A recent survey by the Ponemon Institute found that almost 80% of data breaches came from within, whether accidental or intentional. In a school environment the possibility of a curiosity-driven breach via a pupil cannot be ruled out. Indeed, most pupils know technology better than we do and see finding ways to circumvent the system as a challenge, but staff can also be a weak link. There are many reasons why the human element is so vulnerable to security lapses: a lack of policy or understanding, or a failure to ensure the policy is understood by all staff. It is rare that a data breach is a malicious act, but making sure all the human aspects are battened down, in addition to the technological security elements, is a “must do” for any school.

One of the schools to go through the pilot scheme was Wren’s Nest in the West Midlands.

“The Consultant gave Wren’s Nest a thorough, detailed information security audit which we found extremely helpful. The report, advice and guidance have provided our organisation with a valuable insight into information security. We will now investigate our current procedures and policies to enable us to move forward and identify further e-safety tools and policies to meet current legislation and reassure all key stakeholders of how seriously we take Information Security. It has clearly highlighted what additions/amendments we need in our action plan for security of IT and data protection for staff and children. The benefit will be reassuringly robust security for everyone. Thank you.”

Another pilot scheme member was Sutton School and Special College, where a representative commented:

“It [the audit] highlighted many areas that were not currently being monitored effectively. I will use this report to further enhance policies and procedures within the school. The report is an effective guidance for structured and continuous improvement.”


Advent IM Ltd MD, Mike Gillespie

Advent IM Ltd’s Managing Director, Mike Gillespie, said, “This service is a really quick and simple way for a school, academy or college to understand what really needs to be done to ensure its compliance with information security good practice and the Data Protection Act. More than that though, it means that the school gets a realistic picture of where its real threats and risks lie as well as guidance on how to enter a cycle of continuous improvement.”

Cloud post #2 – The Revenge

‘Usage of Cloud services’ is growing; what do we make of that? Assess the real risks and don’t cloud the security issues.

OK, so there aren’t any actual sharks and the leader does have a shameless pun, but this is an addendum, or part 2, to our original Cloud blog post, which you can read here if you haven’t already. (It will open in a new window so you won’t lose your place.)

Reading a survey from CIF last week (here), it’s clear to see that the number, or at least the percentage, of organisations using Cloud services is increasing. This includes the public sector; perhaps an enlightened reader can tell us how much of that is driven in the UK by G-Cloud.

However, it’s clear that the research term ‘Use of Cloud services’ could be a bit misleading. There are variations in service types (Platform services, Software services and Infrastructure services) and they are not all in growth.

Geographical references beyond ‘Europe’ are not available in the report, which makes it difficult to deep dive on the cause. However, according to the PWC Global State of Information Security Survey, in terms of ‘Government’ (where, as we had noted, Public Sector interest has increased), IaaS in particular is over-indexing in terms of uptake.

‘Global’ vs. ‘Government’ vs. ‘Europe’ Cloud Service % of organisations taking this service. Source PWC Global State of Information Security 2012

The same source highlights security concerns amongst Cloud users, and if we refer these back to some of the points made in our original blog, the security policies at the data’s end location are clearly a very important and sensitive issue: over 30% of respondents flagged this up, making it the top security threat in this survey.

One of the other things we highlighted back in January was the ability to be able to audit the data centre where your organisation’s data is held, this also comes through as a concern from Cloud users, including ‘Government’ users.

What is the greatest risk to your Cloud computing strategy? ‘Government’ vs. ‘Global’

Being able to audit where your data goes or is moved to, as well as fixing the end points for moving your data, are very important, as we said back in January. Whether this is achievable if going through a ‘broker’ style relationship, for instance, is debatable. In these situations the cost model is the driver, so wherever the broker can source capacity will be where the data sits or is moved to, and this may not mean all of the data is in the same place either. Specifying end points, for instance in a service level agreement, may start to push the price up, and so it is crucial you understand just what your risk appetite is in terms of what you will allow to happen to your data. Disturbingly, as a footnote to all the security issues highlighted in the PWC data, the CIF survey identified that 1 in 5 respondents were expecting to put their IT security services in the Cloud…

The CIF report states “One sign of the immaturity of the cloud market is reflected in terms of contractual process, as barely half (52 per cent) of cloud users negotiated the legal terms of their contract with their cloud service provider (CSP), with larger organisations more likely to do so. This also infers an evolution of the culture that led to the click-thru agreement online more than a business critical supply agreement.”

It’s clear then that organisations need to go into the Cloud with their eyes wide open and armed with a comprehensive Risk Assessment. Whilst it’s easy to label security consultants as Luddites who want to hold back the tide of progress, it is in fact not true. We are realists who want businesses to protect themselves, their clients, their supply chain and their employees, and progress into the future securely.