Tag Archives: secure data

Big Data …. Friend or Foe?

Delighted to have a post from Advent IM Operations Director, Julia McCarron.

Ellie has been asking me for a while now to do a blog piece on ‘big’ data, and I must confess to dragging my heels because I wasn’t really sure what it was. I guess if I had put my mind to it essentially it must have been the aggregation of information that made it ‘big’ and I’m not far off with that. But last night’s edition of Bang Goes the Theory made me think about what it means … and the fact that ‘big’ is probably too small a word to describe its reach.

 ID-100180473If we want to be specific about it, big data is defined as a collection of data sets so large and complex that it becomes difficult to process using on-hand database management tools or traditional data processing applications.[1]  But it seems to me that this 2-D definition doesn’t do it justice. From what I can see, it’s about taking these large data sets and analysing them to find patterns – that’s what makes it ‘useful’. What you do with those patterns can be for good or bad and can range from diagnostic to research to marketing to preventative in nature, and affect people, places, processes, objects … you name it basically.

I know this kind of analysis goes on because I have a ‘loyalty’ card that regularly sends me money off vouchers for the things I buy on a frequent basis/ I know internet banner ads show me handbags for a reason, usually because I’ve just purchased another one online. I understand that it’s the accumulation of data about my buying habits that is profiled to appeal to me; but I hadn’t realised just how far this can go. On the programme in question a big data collection company said that as a result of the release of DfT data on bicycle accidents, someone had within days written an app for people which told them where to avoid riding their bicycle and therefore minimise the risk of having said accident. Who would have thought that was possible? Rolls Royce engines contain computers that analyse their activity, whilst in the air, and report in real time on peaks and troughs outside the ‘norm’, which enable airlines to do maintenance work before a problem occurs.

But if you think about it big data isn’t new. Einstein’s Theory of relativity came about because he carried out hundred of experiments and analysed them painstakingly by hand. Intelligence services cracked Hitler’s codes by looking for recurring patterns, first totally reliant on the human brain before that human brain created freecrumpetsmachines to make the analysis easier and quicker. I only get 100 free ‘bonus’ points with my next purchase of Warburton’s crumpets because a computer looks at my buying habits and has identified that I buy them every week. (Other crumpets are available – actually no they aren’t). All that has changed is the scale, speed, selectiveness and sensitivity of the collection and review of that data.

The issue comes though when that big data is also personal data, and this is probably where most of us start to question whether it’s a good thing or bad thing. The BGTT Team demonstrated how easy it is to profile individuals from their online data footprints. It’s not just about what you put on various social media but it could also be an innocent publication of contact details by your local golf club. I’m a security conscious person, for obvious reasons, but I’m sure if someone really wanted to they could find out more about me than I thought was possible, just by running a few scripts and analysing trends. I’m a genealogy enthusiast and within minutes I could potentially find out when you were born within a 3 month window, the names of your siblings, your mother and father …. and those all important security questions; your mother’s maiden name and town of your birth.  So should we attempt to simply lock everything down?

 At the same time as all this personal big data is being analysed its also being put to good use.  Researchers are creating medical devices that can analyse brain activity and detect when a second brain trauma is occurring … and they’ve done this by analysing patterns and trends from hundreds of thousands of scan outputs to create a simply, non intrusive device that monitors pressures, electrical current and stimulus. If I opt out of my having my NHS patient record shared, I could make it that bit harder to find a cure … or be cured.

Ultimately, we wouldn’t be where we are today without big data but there is no doubt that in a digital age big data will just keep growing exponentially. I don’t think we can avoid big data and I don’t think we should, but from a security perspective I think we all just need to think about what we post, what we agree to make available, what we join up to and what we are prepared to say about ourselves in public forums. If a field isn’t mandatory don’t fill it in, don’t agree for your location to be published and maybe tell a little white lie about your age (girls we are good at that!). We can never be 100% secure – it’s not possible. Even our fridge can go rogue on us now and order food we’ve run out of but don’t actually want to replenish. But having a security conscious mind can protect us, whilst still providing a big data contribution. 

[1] Wikepedia

some images courtesy of freedigitalphotos.net


PCI-DSS PA-DSS (v3.0) Expected Change Highlights (v1.0) Tool

As mentioned in previous blog post, the payment card processing standard has some changes coming up. The standard should be issued in full next month, in the meantime and as promised, we are offering  a free guide to the anticipated changes to allow you to get ahead of the curve.

You can get it free from the Advent IM website on the news page or on the dedicated PCI-DSS page


Advent IM: ISO/IEC 27001:2013 Version 3.0 of the mapping tool released today

We have today released version 3.0 of the popular and helpful ISO/IEC 27001:2013 mapping tool. This compares and maps controls, clauses and other areas from the 2005 version against the new 2013 version and vice versa.

The new version of the tool sees some additional information around documents and records.

It is available FREE from the Advent IM website either via our Latest News page or via the dedicated ISO27001 page


Scribd, “world’s largest online library,” admits to network intrusion, password breach

Data Destruction – Passing the Buck – Guest blog from Malcolm Charnock – Icex

data protection act 1998 Advent IM  consultantsData Protection

Understanding your responsibilities as a data owner includes having proper policy and processes in place for safe removal and destruction of information that should no longer be stored. Its should form part of an organisation’s overall Information Security Policy with specific reference to the Data Protection Act (1998)

Through the power of Social Media we were delighted to meet Malcolm Charnock from Icex and even more delighted that he agreed to do a guest blog on Data Destruction for us. 

Data Destruction – Passing The Buck by Malcolm Charnock


One of the things that keeps me enthused about my job is every client has different requirements when it comes to ensuring all data is eradicated. “Different requirements”? Well maybe the truth is every client has different levels of understanding (or apathy) of their obligation and options when it comes to securely eradicating data.

I have spoken to organisations who insist on 2mm granulation of hard drives, after all this is the standard the MOD requires so their business should insist on this too??? Actually you have to take your hat off to an organisation who takes data destruction this seriously; until you find out this same organisation use a courier to send the hard drives to a data destruction “specialist” who they have no real knowledge of!

The fact is every organisation has the same responsibility and in most cases the process that is most suitable is the same. OK, the local shop losing data will clearly not have the same impact as the MOD but the thought process behind any Information Security Policy should be similar.

ICO Monetary Penalties, contrary to popular opinion, are not levied purely as a result of a breach occurring. Just as important are the organisation’s processes and policies. Have all reasonable precautions been taken to ensure the breach could not occur? Was due diligence carried out to check the suitability of your service provider, contractor or vendor? If the answer is yes and an unprecedented occurrence caused the breach I would personally not expect the ICO to take action other than to ensure you were not vulnerable to this type of event again.


There are an estimated 700 companies offering IT recycling as part of their capabilities so you would feel confident that in a competitive, open market you would reap the benefits of price checking and negotiating a free collection. The problem is that this is a largely unregulated industry so how do you choose a credible partner to trust with eradicating your data? There are a wide range of “accreditations” cited on most ITADs’ websites and literature, many of these I have never heard of while others require no audit to achieve. In other cases the accreditation is listed although the ITAD will not actually have achieved the standard. The buck stops with the data owner so it is important to do a little investigating before selecting the most suitable partner.

Advent IM Information Security Audit

  • Is your Data Destruction contractor approved? By whom? Have you audited them?
  • Do they use third party contractors? Are they approved? By whom? Have you audited them?
  • Are their processes and policies secure and approved? By whom?
  • Is there a contingency in place?
  • How are data holding items transported? By whom? Are they approved? Have you audited them?

If you can answer all of the above questions you really should have little to fear from the ICO, but you would also be in the minority. If in doubt, speak to ADISA (Asset Disposal and Data Security Alliance) or check their website to see if your preferred IT Recycling partner meets with this DIPCOG recognised industry standard.

The data, regardless of the terms of any contract, remains the responsibility of the data owner and does not pass to an IT recycler at any stage of the process. Yes, immeasurable damage would be done to the reputation of any ITAD who failed to 100% eradicate data presumably resulting in the death of the organisation, but the ICO will look to the Data Owner and levy penalties and broadcast its findings regarding the failure of the company’s Data Security policy which led to the breach. – Malcolm Charnock

Images courtesy of Microsoft Clipart and istock


Why Physical Security in NHS Trusts needs a major health check

Young Nurse Tending to Young Woman with Neck Brace and Arm Cast

Traditionally the NHS has primarily focused its security efforts on the problems associated with violence and aggression toward staff.  This is because it is still perceived as the major concern and so continues to be the main focus of resource expenditure. Whilst the threat of aggression is clearly an issue that needs to be in scope, there are other areas that not only need attention for the wellbeing of the people involved, but also to help guard against spiralling cost – a pariah to any NHS Trust.

Looking at the Threat Landscape

In many cases, NHS Trust security is managed by former Police Officers who have a wealth of experience in dealing with aggression. .  However, it has to be acknowledged that the threat landscape, is far more varied than this head-on threat. Security threats come from a variety of sources and not all revolve around outright aggression.

The perception of the Security Officers duties in NHS Trusts is that they are to provide reassurance to the public, hospital staff and visitors in the event of violent behaviour.  In fact, there are a myriad of duties that they are called upon to carry out, some of which they are not trained to perform. These duties can include; searching for missing patients; attending patients on suicide watch; supervision of patients awaiting Mental Health professionals; foot patrols; cashier runs;  car park patrols; smoking patrols and issuing parking contravention notices, to name but a few.

Drugs: Expensive and potentially dangerous

Drugs: Expensive and potentially dangerous

The NHS is no different from any other organisation as far as security is concerned, security components are more often than not, bolted on as funding becomes available and usually without any long term objective in mind.  In a recent NHS Trust project, we was discovered that the absence of a strategic vision meant that funding had in fact, been wasted.  For example; additional CCTV cameras were installed without an understanding of what they were actually needed to do.  The CCTV system was not integrated with other security systems and this lack of integration represented not only a wasted opportunity to increase efficiency as well as improve security, it also wasted scarce financial resources. A CCTV audit revealed that there were actually too many cameras but few were positioned where they were needed. Furthermore, many cameras were capturing images that were actually unusable. (This problem only increases when you add in multi sites, using different systems.)  A rationalisation of the CCTV estate and review of their fitness for purpose is in many cases, the best way to proceed.

Another very important aspect to using CCTV systems that is often overlooked or perhaps not fully understood is the Data Protection Act.  The images that are recorded, stored and deleted constitute personal data that has to be properly handled and then when appropriate, properly destroyed.  This means everyone who monitors, has access to, stores or manages these images, needs to be properly trained, aware of their responsibility and understand how to treat the data properly.

In any organisation, loss creates cost and this is something each and every Trust is currently facing.  A recent Daily Mail article highlighted theft from the NHS as a serious issue.  Some equipment and facilities are very expensive. Loss or damage not only drive cost but can endanger lives.  The absence of a security-aware culture or one that is almost entirely focused on an aggression-based threat, allows loss to flourish as the investment can be made ineffectually, as we read about the CCTV example. Staff may prop open frequently used doors, or share door entry cards for convenience.  These are commonly found issues in security procedures in Trusts. What if that door gave access to drugs, vital equipment or confidential medical data?  If the cameras are also ineffectual, a thief could wander around and help themselves to thousands of pounds worth of equipment, or steal personal data that the NHS trust would be held accountable for.

During a recent project, a consultant found that no one challenged his presence in a medical record archive and said he could have easily made his way into a RESTRICTED information area by tailgating through the door; such was the lack of awareness.

iStock_000015534900XSmallSo how do Trusts shift the security mind set?

  • The Threat environment has changed and security needs to be approached as a cyclical, on-going process.  It needs to be reviewed and tested regularly.
  • The narrow view of security within the NHS as being aggression-based and the responsibility of the manned guarding component needs to be dispelled.  Everyone working within any organisation has a personal responsibility for security; an NHS Trust is no different.   A cultural change within Trusts is required to instil awareness . Only this way will everyone feel part of the security fabric and not something that is done by someone else.
  • Security Training and education should be standard in all Trusts; this should include an understanding of the real rather than perceived threat landscape.
  • Senior management need to understand how to maximise the effectiveness of their security infrastructure for the benefit of the Trust. This encompasses understanding all of the above plus a willingness to forget the mantra of “this is the way we’ve always done it” and move toward excellence. After all, effective security will prevent harm to staff, patients, visitors and contractors, protect costly equipment and dangerous drugs, prevent damage to other assets and loss of sensitive or personal information.
  •  A proper security review can identify areas where cost savings can be made or wasted costs controlled, such as the CCTV estate review – removing cameras that are not fit for purpose will reduce the maintenance bill. The review will also determine if cameras are fit for their purpose and placed in an appropriate location to mitigate the identified threats thus ensuring that the Trust meets its Duty of Care for staff, visitor and patient safety.

Advent IM Senior Security Consultant – Paul Smith MSc MSyI

Top Down Security (or “How To Learn To Love Information Security And Get It Into The Boardroom”)

Originally published on the Darlingtons Solicitors Blog 23.11.12

You say the word ‘security’ to people and get a variety of responses or perceptions. Some people think of manned guarding and a nice guy who works the barrier and checks the CCTV images to keep everyone safe.  Others go a bit ‘Mission Impossible’ and imagine consultants dangling from wires, testing floor pressure pads in secure areas whilst hacking into the Pentagon. And yet more others regale you with tales of every night club they have been asked to leave by a man in a black puffy jacket.

This post is not really about any of those perceptions, it is about a business enabler and how it is placed in successful organisations. I can appreciate that compared to Tom Cruise dangling from the ceiling this may appear dull, but as far as business goes, it’s a bit more useful.

“Yeah, IT does Security”

According to the Ernst & Young Global Information Security Survey 2012, there is a real gap between where Information Security sits within organisations and where it needs to sit. As Security Consultants we know this to be true and are also aware that other disciplines, FM for instance have also had a bit of a battle to get a voice in the boardroom. Given the interconnected nature of so many business areas, joining the dots and having top-down policy and behaviour, has never been more important.

Milky Way and our Solar System – image Ecology.com

As we are talking about Information Security (IS) let’s put it in perspective. IT security is the vital technical security of IT such as firewalls, encryption, password policy, patches etc. How an organisation behaves with regard to security of information is a much larger area. (If the organisation’s use of Information were the Milky Way for instance, IT might be our solar system– see picture). The rest of the organisation uses information in a myriad of ways, not always electronically and not always on a device (at least not one that IT is aware of…) the rest of the organisation may be vast and so the potential for compromised information is exponentially increased. Especially if everyone thinks that “IT do security….”

IT departments traditionally do not have a formal risk assessment mechanism. Risk is something a whole business faces not simply the systems in IT – important as they may be.

An organisation’s IS needs to be aligned to its Risk Appetite – but if accountability for it is placed in IT then realising this will be challenging.

Business solutions are not always technical or IT based. At the end of the day the users are people and people make mistakes or behave in questionable ways. Around 80% of data breach is generally accepted to be human error or malice. Technology can’t mitigate all of that risk; you need to consider policy, procedure and education of these concepts through your organisation.  Hopefully you can see now why we are moving out of the realms of IT and into the realms of business centric solutions that cut across silos, not reinforce them.

“Place your bets! Place your bets!”

Risk is a part of business, without risk there is no innovation and nothing can exist for long in a vacuum. Therefore it is vital to know how far you can push something before it becomes too great a risk. Not from an instinctual level but from a tried, tested and accepted level that comes from the boardroom via regular review. So understanding your organisation’s risk appetite and tolerance is vital. Aligning your IS policy and procedure to that appetite seems logical if not essential, yet 62% of organisations surveyed did not align IS to Risk Appetite.

How then can an organisation securely implement something like Bring Your Own Device (BYOD) which sounds on the surface like an IT project – which won’t be aligned to Risk Appetite? So in other words, the risk attached to allowing employees to use their own devices, which may mean access to corporate networks and drives, access to sensitive information, has not been assessed in terms of the business’s overall appetite. So rogue apps (which we hear about every week) for instance could be scalping data from the device on a regular basis and the user would be unaware. Previously, it was the user’s data alone that was compromised, with BYOD the scope of data available increases vastly as an organisation’s information assets open up to that user.

InfoSecurity – share the love

The Ernst & Young survey highlighted the need to bring Information Security into the boardroom. Perhaps asking who owns the risk or who is accountable for the Information risk is where to start. Well according to this survey only 5% have Information Security reporting to the Chief Risk Officer, the person most responsible for managing the organisations risk profile. Placing responsibility within IT can cause ineffective assessment and alignment with not only Risk but with Business priorities.

If 70% of the respondents are stating that their organisations IS function only partially meets the organisational needs, it becomes clear that this is a ship that has set sail without a map. IS needs C level direction and input, it needs to have the support of the board, be implemented and understood top-down and really start to make a positive impact on business growth by enabling it to happen securely, with threat and risk awareness, accountability and mitigation.

It was initially encouraging to read that almost 40% of organisations planned to spend more on IS over the next 12 months. But on reflection, if this is going to be mainly directed by IT departments – unaligned to Risk, unconnected to the board and occupying a similar space as the sun in the Milky Way or an organisation’s Information usage, it is doubtful that the dissatisfied 70% of organisations who feel IS is not currently meeting their needs, will reduce. What is concerning is that this could end up looking like wasted spend on Security, when in actual fact it is merely a potentially unwise or undirected spend. The upshot could be through a lack of board level understanding, that future spend then has a line run through it instead of under it.

All data sourced from Ernst & Young Global Information Security Survey 2012, all visual representation copyright of Advent IM and not to be reproduced without express permission.