Category Archives: Cloud

Data Protection and Off Shoring Data

Some thoughts on EU Data Protection Day from Advent IM and Security Institute Director, Mike Gillespie.

Today (Jan 28th) Is EU Data Protection Day #DPD2014 and it has sparked some interesting content and discussion on Social Media so far.

It has also afforded those organisations who bang the drum for Data Protection and Privacy to bang it a little louder and longer, trying to get the attention of those that really need to take heed.

Anyway, the topic of off-shoring services and functions, and the personal data that goes with them, cropped up. As a data subject I ought to be able to expect to be explicitly consulted if my data is going offshore to a country not on the trusted country list. Personal data, according to Principle 8 of the Data Protection Act (1998),

“…shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”

Principle 2 states

“Personal Data shall be obtained for only one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes”

No organisation should be allowed to hide the intent to offshore personal data in its “small print” or to decide to offshore personal data without consulting the data subjects. Some companies pay only lip service to this requirement, and data can be shipped around the world to suit the business and without the explicit agreement of the data subject.

Bottom line, businesses off-shore services to save money. However, the cost of maintaining data protection and privacy for personal data offshore is prohibitive, and so guess where the cost is cut? Cheap hosting in non-compliant countries is the cost-saving great hope, it seems. Buying hosting space from a Cloud Broker, for instance, means that data could be shuttled around the world to wherever the space is cheapest if end points have not been specified in the SLA, and let’s face it, if your priority is cheap then I can’t imagine data protection being much of a priority…

The European Data Protection Directive defines consent as-

“any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him, being processed”

So we may expect that the individual may signify agreement other than in writing. However non-communication should not be interpreted as consent. In other words, opt-in not opt-out…

The problem is that companies can exploit vague language in the law. For instance, personal data should only be processed fairly and lawfully. In order for that data to be classed as ‘fairly processed’ at least one of these six conditions must be applicable to that data (Schedule 2):

  • The data subject (the person whose data is stored) has consented (“given their permission”) to the processing;
  • Processing is necessary for the performance of, or commencing, a contract;
  • Processing is required under a legal obligation (other than one stated in the contract);
  • Processing is necessary to protect the vital interests of the data subject;
  • Processing is necessary to carry out any public functions;
  • Processing is necessary in order to pursue the legitimate interests of the “data controller” or “third parties” (unless it could unjustifiably prejudice the interests of the data subject).

So the argument might be that it is OK to offshore because “processing is necessary for the performance of or commencement of a contract, and as I have moved my call centre to (for the sake of argument and only as an example) India, and as my contract requires the provision of a call centre, then my contractual obligation also requires the move of the personal data to India.”

Even when consent is given, it should not be assumed that it is forever. Although in most cases consent lasts for as long as the personal data needs to be processed, individuals may withdraw their consent, depending upon the nature of the consent and the circumstances in which the personal information is being collected and used. How many organisations like supermarkets or banks offer you this option? Ever had one of those personal injury or PPI calls and asked them to take you off their list, only to be told they can’t delete you because of Data Protection!?

So the Terms and Conditions are where the sneaky stuff hides, in clauses that say they reserve the right to have a cavalier attitude to your data (or move it elsewhere for further, cheaper processing once its initial processing is complete) should they choose, and then label that as your consent…

You can connect with Mike and enjoy further Security Discussions on Linkedin.


SME Information Risk: 48% suffered reputational damage already from lost data

Originally published in Outsource Magazine August 2012

According to a recent survey by Iron Mountain and PricewaterhouseCoopers LLP (PWC), in Europe, mid-sized businesses are placing themselves at unnecessary Information Security risk.  The average index score for Information Risk maturity in this group was only 40.6 (a score out of 100), which sharply highlights the gap between what business is currently doing and what it is supposed to be doing.

Are businesses listening to the warnings about Insider Threat?

Are we listening yet?

Shockingly, 64% of the mid-sized businesses surveyed had no information risk strategy in place that was effectively monitored. Given that almost half of the businesses surveyed said they had already suffered reputational damage as a result of lost or misplaced data, this lack of information security appears cavalier at best. It could be your personal data or your organisation’s data being handled, managed or stored by these businesses.

According to the Norwich Union Business Continuity survey (of which information security and reputational damage would be important elements), only 8% of businesses without a plan which had suffered a serious incident survived 5+ years, and 40% never re-open after a serious incident. If the failings within mid-sized businesses are as widespread as the PWC data suggests, this is very bad news for many businesses and could be the one area where we start to see them over-index, sadly.

Hiding in plain sight

So what does a small or medium sized business do to protect itself, its own valuable data and potentially that of its customers and supply chain? Well, Information Security issues are not like the monster under the bed, despite what the popular press may have us believe.  They don’t frequently leap out to shock you and grab your ankle. More frequently they hang around, waiting to be noticed by someone until it’s just too late and the worst has happened. No amount of finger crossing can spare you from its teeth by then – or the ICO’s teeth in this case. It is normally a series of failings or an extended period of time when risks have been ignored or misunderstood.

Being an SME can make an organisation more ‘fleet of foot’ than many larger businesses. The advantage of being reactive and able to quickly change course or take advantage of a sudden opportunity is a great flexibility to have. Potentially though, the risk side of things can be pushed to one side or ignored, and then a lack of due diligence can mean that the new undertaking or direction is being done effectively ‘on the hoof’ and without the anchor of proper governance. This can also be reflected in the approach to procurement, when the questions about the correct checks and balances for security are simply not being asked. This is possibly because there may not be a dedicated FTE for each role and employees wear several hats. It may be a naiveté about accountability and responsibility, either from a legislative or an industry requirement basis. If your organisation is lucky enough to have employed someone with an Information Security or Data Protection background, then this is less of an issue. That is assuming that the resource to have an FTE with these expert skills is available. Generally this is not the case, and whilst many businesses are more than familiar with the old outsourced service of security, they do not necessarily make the connection to Information and Data.

“Sometimes I feel like the conversation itself is encrypted”

That is how it feels to have a conversation with a security guru. Within minutes the language becomes dense and acronym laden and the eyes of the non-security person may start to glaze or dart about like a frightened rabbit in car headlights.

The concept of Information Security is understandably daunting. Many businesses are put off by the language and apparent complexity. Everyone is put off by things they don’t understand, but that is what outsourcing is for. Part of the issue is that organisations, and those within them responsible for security of information, do not want to feel daft; the language and complex terminology they are coming up against makes them feel inadequate and sounds potentially expensive.

Although security has a long relationship with outsourcing, this has been largely around physical security and areas such as manned guarding. For some reason, outsourcing an organisation’s Information Security, Data Protection or Business Continuity appears to have passed many organisations by as a possibility.

When you think about it though, it makes perfect sense. Areas that are complex and need expert help, that may not require an FTE or may be too cost-sensitive to resource on an FTE basis, or that may be required to move an organisation through an accreditation to assist with, perhaps, getting onto a Government supply framework or supplying the NHS, are natural candidates. Whilst every organisation needs to be security aware and educate its staff effectively, understanding the accountabilities, policies and processes is far more relevant to an SME than having an inside-out knowledge of security terminology and the dazzling number of acronyms. Outsourcing is the natural choice.

One of the 64%?

So the data security inertia may not solely come from a lack of interest or concern about what happens to client, customer or internal information. True, some organisations have a genuinely laissez-faire attitude, but many don’t, and some of the lack of appropriate action can come from fear, confusion and misinformation.

Given the ICO’s power to fine up to £500k for serious incidents, this could potentially see a number of the unprepared 64% close for good. It makes much more sense to find an expert outsource partner to translate and guide. Security is a business enabler. Once the security is in hand and under control, an organisation can go on with the business of growing in a secure environment for both the organisation and its partners. It allows organisations to tender for business that they may not normally have been in a position to. It brings like-minded businesses together, allowing them to partner and support each other knowing that they are on the same page and that their respective information assets are properly managed.

Outsourcing Information Security may be a newer area of outsourcing but as with all good outsourcing it is there to provide the expertise it would appear is lacking in the SME arena. Ensuring the best quality, independent advice from an outsource partner could provide the competitive edge and reassurance an SME needs to realise its true potential.

Data sources: PWC Iron Mountain survey “Beyond cyber threats: Europe’s first information risk maturity index” and Norwich Union Business Continuity Survey

Technical Security Skill Shortfall Means Heightened Risk Levels For Business

First published in Outsource Magazine September 12 2013

A report commissioned by IBM concluded that Technical Information Security Skills are in short supply and that this is creating vulnerability and risk in business. The research, carried out by Forrester Research Inc., revealed that even mature organisations are facing increased risk exposure due to difficulty sourcing and retaining Information Security talent.

Overall, 80% of Chief Information Security Officers are finding it difficult or very difficult to recruit technical security staff that meet all their needs, according to the research. A range of issues are feeding this difficulty, and the resulting concerns about rising risk levels include some very disturbing elements, as unfilled roles create anxiety. Only 8% of respondents said that they didn’t have a problem with security staffing issues.

The remaining 92% identified some key areas for concern that any business should be considering, regardless of whether or not they think they have a security talent issue. Whilst the solution for many businesses has been to recruit further down the experience ladder, you can see from the kind of pinch points identified here that this is not a sustainable solution. Whilst it may ‘fill a security role’, it is not filling the right one.

  • external threats not understood or discovered (27%)
  • deadlines not met/projects taking longer to complete (27%)
  • a growing gap between threat and controls (24%)
  • technical control systems not fully effective (this is anti-malware and such like) (22%)
  • technical risks not identified (20%)
  • technical control systems not implemented (20%)
  • technical risks are unresolved (20%)
  • security road map is unclear (20%)
  • internal technical security audits are not undertaken (20%)
  • Process-based controls (e.g., segregation of duties, privilege review) are poorly defined, dated, or inefficient (18%)
  • concern that Security architecture is complied with (17%)
  • It has prevented adoption of new technology (e.g., cloud, BYOD) NB. Given some of the concerns we have seen in the list so far, this is probably a blessing. (16%)
  • External technical security audits are not undertaken (e.g., at service suppliers, supply chain)  (15%)
  • It has prevented business agility and/or growth (13%)
  • Security architecture is poorly defined (13%)

These results show us not only that there is an increased risk to business from the skill shortage, but that the kind of risk business is facing is not simply about architecture and cyber threat but also about the prevention of growth and agility. These are positive contributions that security can make, and their inclusion as potential risks shows a willingness to move security out of the cost column and into the investment column, but again this is being thwarted by the skill shortage. This may reveal itself in a lack of confidence in moving certain functions or activities to The Cloud, or perhaps in not instituting Bring Your Own Device (BYOD). Whilst it is better not to do these things if you do not know whether they are within your organisation’s Risk Appetite, if you do not know what that Appetite is and there is no one sufficiently knowledgeable and skilled to be able to ascertain this and then mitigate the risk if appropriate, then an organisation may be disadvantaged. This might mean it becomes a less appealing choice for potential new and highly skilled employees for other parts of the organisation, who perhaps demand BYOD as standard along with the flexibility it brings.

Commercially, robust security and resilience is becoming a must have and increasingly organisations are being asked to demonstrate and prove themselves in these areas. Businesses that have worked with Her Majesty’s Government and the Public Sector will be familiar with their extensive security requirements for instance, but others are now finding that if they want to grow their business, the onus is on them to be able to prove their security credentials. This pressure is coming from larger organisations not just public bodies, as they realise how important it is for their supply chain to be resilient. Again this is a real stumbling block if you simply do not have the in-house skills to handle a project like ISO27001 certification or compliance. So the risks that are immediately apparent in terms of what might happen to a business without the appropriate level of security skill are actually more convoluted than they first appear.

A perception of security as a business enabler is one that many security professionals have tried to promote for a long time and the idea of growing a business within its Risk Appetite is common sense. For too long the perception of Security has been that Security will just say no to innovation, change and anything even vaguely risky-sounding. It is disappointing to think that just as the paradigm looks ripe to shift (in the right direction) that it is being stymied by a lack of high level skills. All of these challenges presuppose the organisation has the budget to be able to employ the skilled person they need.

Physical Security like manned guarding has been on the outsource list for many years; Information Security has not always been viewed the same way. Depending on the level of challenge, size of organisation and actual (not perceived) threat and risk, there may be a viable alternative to a full-time senior technical security person, through outsourcing. Perhaps if the challenge is to get through a particular project then the high-level skillset may only be required at certain times, not constantly. If there is a tipping point at which the need for the skills is justified commercially, this may come a lot sooner if there is an opportunity of filling the gap without actually having to finance an FTE with all of the cost that entails. Given the difficulty in sourcing the high-level skills, the best talent is following the money, leaving many organisations in an uncertain security vacuum. Outsourcing may be the solution on either a project or a buy-as-you-need basis. It may provide a much more cost-effective solution to a convoluted set of challenges that are not showing any sign of going away or simplifying. It may also mean a level of skill and experience far in excess of that which may have been within budget for an FTE.

Of course, being certain of your partner in any outsourcing endeavour is vital, and so is due diligence on potential suppliers. As a rough guide, here are some questions you should be asking.

  • Does my partner understand my organisation and its business drivers and growth imperatives?
  • Can they provide qualifications, certifications, track record, references, case studies and a cultural fit?
  • Are they flexible enough for my needs? Are they able to flex up and down as required or am I going to be rigidly contracted to a number of days per month?
  • Do we have specialist or generalist needs?
  • Do we want access to an expert individual or a team of experts?
  • Do we want Strategy, Policy, Risk skills?
  • Do we want our partner to be capable of working successfully with C-level stakeholders or at the ‘coalface’ or both?

Advent IM Join G-Cloud

Advent IM Supplier to Government, G-Cloud

Advent IM – now available to procure directly via G-Cloud

Advent IM Ltd is pleased to announce its inclusion on the Government’s Cloud Store – G-Cloud. This is the newest Government Procurement Framework and gives the public sector access to highly discounted and exclusive Government framework pricing. This means confident procurement and avoids the need for expensive tendering, whilst offering reassurance that procurement rules and guidelines are being met. It also offers the private sector an easier route to work with public bodies.

Advent IM has a lengthy track record as a Security Consultancy for public bodies and Her Majesty’s Government. The Advent IM Catalogue on G-Cloud shows the full range of services available to both public and private sector organisations. G-Cloud is designed to make it easier and faster for those public bodies and departments to procure directly, and that now includes expert Security Consultancy from the team of specialists at Advent IM, without having to face the convolutions and cost that the tender process can sometimes entail.

Advent IM consultants also work closely and very successfully with the private sector. This framework is a vehicle for the private sector to work with HMG more easily, especially small businesses for which the process of tendering may have been prohibitive. The incentive for the private sector is clear; however, there will be certain standards of security practice that will be expected of them and their systems in order to be accepted onto the G-Cloud. Advent IM can offer expert assistance and support to those private sector businesses seeking entry onto this framework, whether that be training, accreditation, Cyber Security and Information Assurance or a host of other areas that need to be considered for G-Cloud.

“We are delighted to have been selected as a G-Cloud supplier. Although we have had an excellent relationship with the public sector over many years, this marks the start of a direct procurement communications path between Advent IM and potential new clients. It opens doors that were previously not available to us and we look forward to the framework fulfilling its promise of quicker and smoother purchasing processes for public bodies. We also relish the opportunity to help more organisations become G-Cloud suppliers themselves by sharpening their security practices and gaining access to public sector work they were previously unable to tender for.” – Julia McCarron, Advent IM Operations Director

www.advent-im.co.uk-G_Cloud.aspx 

If you are a public body and are interested in procuring security consultancy direct, you can search us here.

http://govstore.service.gov.uk/cloudstore/search/?q=advent+im


Advent IM at INFOSEC Europe and Counter Terror Expo 2013

The Security Institute, Mike Gillespie, Advent IM Director

Mike Gillespie – Advent IM MD, newly elected Director for The Security Institute, is speaking at CTX

It is that time of year again and the great and good of the world of security will be gathering in our nation’s capital for two of our industry’s key events. This year is an exciting one for Advent IM as Mike Gillespie our Director will be speaking at Counter Terror Expo. More further on…


Advent IM will be around at both events, and if you are hoping to meet up then there are a couple of options. If you are at Infosec on the 23rd (day 1), we will be represented on the Malvern Cyber Security Cluster stand – K84 – as we are a member of this group. Or you can live tweet us and arrange a meet-up @Advent_IM using the hashtag #AdventInfosec

If you are attending Counter Terror Expo, you may be interested to know that Mike will be speaking at the Cyber Security and Electronic Terrorism Conference on the 24th at 9.30am. His subject will be The Cyber Threat to the Built Estate. Click here for details. If you want to meet up with one of the team you can live tweet us @Advent_IM using the hashtag #AdventCTX

If you are a Security blogger then you might be interested in the Security Bloggers Meet-Up on the evening of the 23rd April. You can sign up here, and don’t forget you can also vote for your favourite Security blogs. The results will be revealed at the Meet-Up.

If you are a member of The Security Institute then you will also be able to find us at the reception on the evening of the 24th. Again, if you want to arrange to meet up via Twitter then you can tweet us @Advent_IM using the hashtag #AdventSyI

We look forward to meeting you and hope you enjoy these events.
