Category Archives: outsource

Data Protection and Temporary Workers – the Perfect Data Breach Storm?

This morning bought Security News stories from around the globe as usual. One jumped out at me, not because it was unusual but because the wording highlighted to me some dangerous assumptions and errors in thinking that we are guilty of.

advent IM data protection blog

oops there goes the sensitive data. Image courtesy of

The story was about a temporary worker at a hospital who had sent letters which contained highly sensitive childrens data, to the wrong addresses. Apparently the temporary workers who had made this series of errors had not received any DP training. The story explained that the ICO had given a warning that  “even temporary staff should have Data Protection Training”

Bear with me. Last year another breach occurred in a hospital when a temp worked downloaded a large batch of patient data onto a data stick and took it home to work on. Apparently on this occasion it was assumed that Data Protection training had been done by someone else.

Firstly, assuming someone has had training in something is always dangerous. Surely if you are going to allow temporary workers access to such sensitive data it is a must have.  Secondly, is it appropriate for a temporary worker to have that access? Obviously this will vary by incident or role.

Its not just the NHS, businesses make this mistake too. I have seen temporary workers who have had no vetting, logged into networks by well meaning employees on their own login credentials. There they have been able to access any sensitive data they wished and the trusting employee has handed over that organisation’s data to someone who may well damage, steal or sell it.

Back to my original point, to say that ‘even’ temporary workers should have Data Protection training seems a bit like looking the wrong way down a telescope. Surely we should be saying temporary workers especially need Data Protection training?

Aspirationally Paperless?

First published in Tomorrow’s FM February 2013 as part of the Water Cooler regular feature with FM experts: Lee Haury, Liz Kentish, Wendy Mason, Martin Pickard, Lucy Jeynes, Iain Murray and John Bowen. The discussion was inspired by Health Secretary Jeremy Hunt’s desire to see the NHS go paperless by 2018….

The Advent IM response to a paperless NHS.

Data Protections Advent IM

Yay! Paperless was easy!

Paperless as a concept, has been around for a long time. Look around the average office and you will see varying degrees of success in its implementation. For many it is still largely aspirational. Removing  paper records does have some security benefits, presuming they were securely disposed of, of course! By this I mean you are removing one potential source of data loss, but how many of us can commit  to never printing off information or emails for instance? One security eye would always have to be on the possibility of employees doing this and valuable assets being put at risk or marching out of the door. Information is an asset, however it is stored. The NHS (for it is they and Jeremy Hunt who have inspired this discussion) has had a fairly disastrous year with Information Security and received huge monetary penalties. These breaches were not generally the result of hacks or other cyber-criminal activities but the result of poor security awareness and  people doing daft things with both paper records and electronic devices.

Bottom line is, if you are going to use mobile devices and remove the need for paper records, then Security policies have to be watertight and thoroughly trained through all users, they need to know they are accountable. That means if someone decides to load a laptop with thousands of patient records, they should be challenged or potentially prevented, by policy, from doing so. For instance if the device were used merely for securely accessing patient records as and when they were required, it would remove  the need for either paper or local digital storage. Hopefully the NHS are thinking a little further than merely paperless and thinking about how the replacement digital information is going to be stored and accessed. Significant and ubiquitous awareness training is required to make a success of any such initiative and prevent patient data risk.

Top Down Security (or “How To Learn To Love Information Security And Get It Into The Boardroom”)

Originally published on the Darlingtons Solicitors Blog 23.11.12

You say the word ‘security’ to people and get a variety of responses or perceptions. Some people think of manned guarding and a nice guy who works the barrier and checks the CCTV images to keep everyone safe.  Others go a bit ‘Mission Impossible’ and imagine consultants dangling from wires, testing floor pressure pads in secure areas whilst hacking into the Pentagon. And yet more others regale you with tales of every night club they have been asked to leave by a man in a black puffy jacket.

This post is not really about any of those perceptions, it is about a business enabler and how it is placed in successful organisations. I can appreciate that compared to Tom Cruise dangling from the ceiling this may appear dull, but as far as business goes, it’s a bit more useful.

“Yeah, IT does Security”

According to the Ernst & Young Global Information Security Survey 2012, there is a real gap between where Information Security sits within organisations and where it needs to sit. As Security Consultants we know this to be true and are also aware that other disciplines, FM for instance have also had a bit of a battle to get a voice in the boardroom. Given the interconnected nature of so many business areas, joining the dots and having top-down policy and behaviour, has never been more important.

Milky Way and our Solar System – image

As we are talking about Information Security (IS) let’s put it in perspective. IT security is the vital technical security of IT such as firewalls, encryption, password policy, patches etc. How an organisation behaves with regard to security of information is a much larger area. (If the organisation’s use of Information were the Milky Way for instance, IT might be our solar system– see picture). The rest of the organisation uses information in a myriad of ways, not always electronically and not always on a device (at least not one that IT is aware of…) the rest of the organisation may be vast and so the potential for compromised information is exponentially increased. Especially if everyone thinks that “IT do security….”

IT departments traditionally do not have a formal risk assessment mechanism. Risk is something a whole business faces not simply the systems in IT – important as they may be.

An organisation’s IS needs to be aligned to its Risk Appetite – but if accountability for it is placed in IT then realising this will be challenging.

Business solutions are not always technical or IT based. At the end of the day the users are people and people make mistakes or behave in questionable ways. Around 80% of data breach is generally accepted to be human error or malice. Technology can’t mitigate all of that risk; you need to consider policy, procedure and education of these concepts through your organisation.  Hopefully you can see now why we are moving out of the realms of IT and into the realms of business centric solutions that cut across silos, not reinforce them.

“Place your bets! Place your bets!”

Risk is a part of business, without risk there is no innovation and nothing can exist for long in a vacuum. Therefore it is vital to know how far you can push something before it becomes too great a risk. Not from an instinctual level but from a tried, tested and accepted level that comes from the boardroom via regular review. So understanding your organisation’s risk appetite and tolerance is vital. Aligning your IS policy and procedure to that appetite seems logical if not essential, yet 62% of organisations surveyed did not align IS to Risk Appetite.

How then can an organisation securely implement something like Bring Your Own Device (BYOD) which sounds on the surface like an IT project – which won’t be aligned to Risk Appetite? So in other words, the risk attached to allowing employees to use their own devices, which may mean access to corporate networks and drives, access to sensitive information, has not been assessed in terms of the business’s overall appetite. So rogue apps (which we hear about every week) for instance could be scalping data from the device on a regular basis and the user would be unaware. Previously, it was the user’s data alone that was compromised, with BYOD the scope of data available increases vastly as an organisation’s information assets open up to that user.

InfoSecurity – share the love

The Ernst & Young survey highlighted the need to bring Information Security into the boardroom. Perhaps asking who owns the risk or who is accountable for the Information risk is where to start. Well according to this survey only 5% have Information Security reporting to the Chief Risk Officer, the person most responsible for managing the organisations risk profile. Placing responsibility within IT can cause ineffective assessment and alignment with not only Risk but with Business priorities.

If 70% of the respondents are stating that their organisations IS function only partially meets the organisational needs, it becomes clear that this is a ship that has set sail without a map. IS needs C level direction and input, it needs to have the support of the board, be implemented and understood top-down and really start to make a positive impact on business growth by enabling it to happen securely, with threat and risk awareness, accountability and mitigation.

It was initially encouraging to read that almost 40% of organisations planned to spend more on IS over the next 12 months. But on reflection, if this is going to be mainly directed by IT departments – unaligned to Risk, unconnected to the board and occupying a similar space as the sun in the Milky Way or an organisation’s Information usage, it is doubtful that the dissatisfied 70% of organisations who feel IS is not currently meeting their needs, will reduce. What is concerning is that this could end up looking like wasted spend on Security, when in actual fact it is merely a potentially unwise or undirected spend. The upshot could be through a lack of board level understanding, that future spend then has a line run through it instead of under it.

All data sourced from Ernst & Young Global Information Security Survey 2012, all visual representation copyright of Advent IM and not to be reproduced without express permission.

Watching you, watching me – CCTV in school toilets and why we need to consider more than numbers

Every once in a while, some stats will appear that capture everyone’s imagination and prove to be a sub editor’s dream for headlines. The Big Brother Watch FOI report release this week has brought with it a wealth of headline opportunities, many of them toilet related and all quite breathless in their indignation. But the placing of cameras in private places is just the beginning of the story.

Whilst as security professionals we can totally understand the general public’s shock at the level of CCTV use in secondary schools and academies, we were as disquieted as everyone else about the use of CCTV in areas such as toilets, showers and changing areas. Not everyone realises the complexity of securing a school, college or university. There may be several buildings with varying traffic and visitors. Effective security looks at all threats and risks and treats them appropriately. So it’s not very surprising that the hue and cry has erupted over the acceptability of placing CCTV cameras in such intrusive areas. When performing one day School Security Health Checks we suggest that a Privacy Impact Assessment be carried out, for what will be now be obvious reasons.

For us though it shows the beginning of the problem and isn’t an isolated issue. We deal with schools, colleges and universities frequently. One of the main things they like help with is CCTV and the Data Protection Act. A head teacher is a head teacher not a security expert but the responsibilities that come with managing the images that come from CCTV are quite expansive and are not limited to where the cameras are placed.

We find that for instance, external cameras may inadvertently be recording images that they should not be. So if the camera’s field of vision includes perhaps an area of a neighbouring garden or there is a view of someone’s home, then the use of that camera is contravening the Data Protection Act and the user could be fined. Its irrelevant that this was not the intention of the user, it simply can’t be done.

Also, there may be issues around storing and deleting the images. Schools need to be fully conversant with how to  secure the images they have captured. Security isn’t just about the camera, the images have to be handled carefully – as happens with pupil and staff personal data and protected from either malicious or accidental breach. Deleting images when they should no longer be stored is also covered by the Data Protection Act and once again a user could find themselves in hot water if images are not being securely deleted after the allotted period has expired.

Who views the images created by CCTV systems? Again this falls into the policy and procedure area when we perform health checks. Only appropriate and necessary staff should have access to CCTV images as would apply with any sensitive data for pupils or staff. If we are to use the wonderful security opportunity that CCTV affords us, we must do it securely and appropriately is the message that most comes out of the Big Brother Watch report. You can access the full report on a pdf here.

We plan to publish a White Paper on this topic and if you follow this blog you will receive a notification of when it has been released and where you can obtain a copy. Alternatively you can email us and ask for one. or keep an eye on the website

We have visualised some of the key elements we thought you may find interesting. These relate to both the number and ratio of CCTV cameras as well as those found in private areas in school. Whilst we don’t mind you using them if you wish, can you just drop us a note to let us know and make sure you credit both ourselves and Big Brother Watch.

Security out- sourcing: anything to learn from the G4S experience?

Security out- sourcing: anything to learn from the G4S experience?

Advent IM in Outsource magazine 20.07.12

Spreading the risk – a more secure alternative?

Recent events with G4S and LOCOG/the Government’s procurement of security for the Olympics, will clearly not be leaving the headlines anytime soon. Indeed you could be forgiven for thinking this was a security event, not a sporting one. Is there anything to be learnt from the Olympic Security out-sourcing? A good place to start would be to understand how organisations source physical security.

We have always done it this way

Let’s be clear, out-sourcing security can work and work very well for end users. The impetus for out-sourcing any service should have a solid base in the desire for the best possible service from people who are experts in their field. If the motivation is always cost cutting rather than sourcing excellence to improve end user experience, then nine times out of ten you will simply get what you pay for.

Physical Security has a long standing relationship with out-sourcing.  That does not mean however, that because it has been out-sourced for so long that it is done well in all cases.  Frequently, we see providers specifying to clients what they can have based on their portfolio of services, rather than the client understanding what they need based on Threat and Risk Assessments and specifying this to the provider. This is a bit like visiting a car showroom and saying, “sell me the car I need.” You may find yourself returning a short time later asking why you can’t fit your six kids into your Aston Martin but if you didn’t specify your needs from the outset the car sales person will see you what he wants … One size never fits all, it may fit some but everyone prefers something that meets their needs when they can get it. So, how can something as important as security not be bespoke?

Facility Management and Security

In business, Physical Security has been moving for many years into the Facility Management arena.  It is a natural place in many ways, especially if this is not simply managing the manned guarding aspect but also equipment contracts such as CCTV and door entry systems, PIR’s etc.

In-house FM may manage an out-sourced contract for Physical Security provision.  An FM provider may manage a contract for a client, or an in-house FM may manage a contract with an FM provider who manages a Physical Security Contract with a provider.  There may be a separate contract for management of equipment contracts, that could be managed by the in-house FM, the out-sourced FM provider, the security provider it has been out-sourced to or possibly even further along the chain (still with me?) …That is a lot of moving parts in a chain that requires clear areas of accountability at all stages, not to mention governance (who is guardian of CCTV image management for instance, and is everyone clear on that along with Data Protection Act requirements?). Governance also includes relationship management and compliance checks. Remember it is only the function that is being out-sourced, not the responsibility … or the accountability.

Proactive or Reactive Procurement?

“Understanding the risks involved can save money and reputational damage. Keeping your supplier close and having an open, honest relationship ensures any danger of things going wrong is reduced, or at least spotted early and corrected,”

– CIPS CEO David Noble

Chartered Institute of Purchasing & Supply (CIPS) state that it is the job of the buyer to ensure that:

  • Materials of the right quality
  • Are delivered in the right quantity
  • To the right place
  • At the right time
  • For the right price
  • And the sixth right: from the      right source

Reactive Procurement is taking only one or his heavily biased toward one of these ‘rights’. Proactive procurement is based on strategic decisions of all the six ‘rights’, then the supplier will not have been selected on price alone, for instance.

When we examine how Physical Security is sourced the issues and potential pitfalls, start to emerge. If we go back to our example of G4S and the Olympics, Government Procurement decided not to split security provision, and thereby risk, across several smaller providers, but to go with one large provider.  So the focus appears to have been on procurement ie. cost. Whilst we want our Government (and in this case LOCOG also) to be cost sensitive with our hard earned taxes, we also want the job done correctly. This option appears to have introduced a ‘single point of failure’ because only one supplier was procured.

This is the difference between sourcing the service you want, need and are specifying with expert knowledge and procuring the cheapest or ‘most economically advantageous’ as Government procurement tender documents read.  Let’s be clear, to a supplier, procurement is there to hard bargain on cost, they are not there to provide any level of expertise or the associated judgment call, on the service being requested.

For a regular organisation understanding that all stages of the chain have to be carefully managed, is key.  KPIs based upon the threat and risk landscape should be in place to ensure performance is being measured against the correct metrics. They also need to make sure that their bespoke needs are the ones being answered and not what the provider is telling them they can have. The threat and risk landscape will change, will a client be penalised for changes to reflect mitigation of these changing risks?

One final thought on proactive vs. reactive, G4S are shouldering 100% of the responsibility for this debacle, not Government procurement. On a realistic business level for organisations considering their options for out-sourcing security, when things go wrong it is rarely the procurement team who get an unhappy phone call from the end user, it is normally the Facility Manager.

The future

Many Facility Managers and providers welcome the idea of system integration – Security Systems can easily be included in this model and can provide very valuable data back to an organisation across disciplines when part of a wider integrated function. For this to be realistically achieved, and the associated service and cost improvements to be reaped, the whole chain of supply and accountability needs to be resilient and transparent. There are real benefits to be had from out-sourcing Security and even more to be had by bringing everything together to provide a holistic management view.

Some pointers

  • See it as an investment in an organisation’s excellence – for that is what it is. If you view it purely as a cost saving exercise, you may come unstuck.
  • Take expert advice on your real threats and risks and specify accordingly.
  • Get the bespoke solution you need not the solution the out-sourcing provider wants you to buy.
  • For larger out-sourcing projects think about spreading the risk of a single point of failure – more than one provider may be the answer.
  • Ensure clear, accountability, resilience and due diligence throughout the chain and wherever possible limit multiple ‘moving parts’.

Originally published in Outsource Magazine 23.07.12, reproduced here with the kind permission of the Editor.


0121 559 6699