Archive | Information Security

Bitcoins and gold coins

Is hiding your hoard in a rusty tin can safer?!

News stories have emerged about an American couple who have found buried treasure on their land. Initially they thought they might have found a marker for a grave, perhaps for a pet.  However, what they discovered were several tin cans full of rare 19th century American coins.  The haul is expected to fetch $10 million.

This good news coin story throws into relief last year’s news of a man who threw away his ‘Bitcoin fortune’ when he disposed of an old hard drive.

The ‘cryptocurrency’ has been in the news again.  MtGox, one of the biggest Bitcoin exchanges, went offline after technical issues and ‘unusual activity’.  It had been suggested that security loopholes had led to millions of Bitcoins being stolen.  MtGox has now filed for bankruptcy.

It seems that many investors whose Bitcoins had been lodged with MtGox may have lost their investment and industry analysts are warning that Bitcoin will be subject to ‘more fraud’.  Fraudsters have already been busy according to Dell SecureWorks.  They have identified 150 different forms of malware designed to steal Bitcoins.

An article in American Banker draws on the lessons learned from the history of PayPal to predict that Bitcoin is likely to be subject to transaction and phishing fraud, identity theft and organised crime.  The authors recommend that Bitcoin learns from PayPal’s hard work in driving fraud elsewhere by focusing on security.

Of course, Bitcoin is not the only cryptocurrency, as this article in ITProPortal outlines.  What makes these currencies so attractive – they work across borders and are untraceable – is what makes them risky too.  Perhaps hiding your hoard in a rusty tin can is a safer bet!

Cyber-attacks and staying private

Cyber-attacks on banks have been high-profile news in the UK.  £1.3 million was taken from Barclays when a computer was hijacked, while police foiled a similar plot against Santander.

The Bank of England’s policy makers have responded, drawing attention to the ‘potential vulnerabilities’ in the banking system, including old and complex IT infrastructure and a reliance on centralised systems.

Concern about a lack of preparedness against cyber-attacks was also expressed at a recent London meeting of information security risk and management professionals. Delegates discussed the ‘perfect storm’ of cyber-security risks – the widespread adoption of social media, cloud services and mobile devices – combined with the proliferation of unstructured data.  Potential risks to organisations include intentional or accidental data breaches, social media account hacking and identity theft.  (Government figures for the cost of cyber-security breaches have been discussed previously on this blog.)

The UK is a global leader in identity fraud.  Fraud is said to have cost the UK over £70 billion in 2012, and nearly a quarter of residents have fallen victim to some form of identity fraud.

Staying private

Personal data is ‘the new oil of the internet’ according to the World Economic Forum. Increasingly sophisticated criminals are using the information and data we share to develop targeted ‘spear-phishing’ email campaigns, or are able to glean personal details such as pets’ names or mothers’ maiden names which can be used to answer security questions.

As information professionals we are well-placed to help our organisations – and individual colleagues – understand the new information landscape and to help them stay safe and secure.

Phil Bradley is speaking about Privacy (session C103) in a special session at this year’s Internet Librarian International conference.

Managing information risk – European business must do better

European companies are improving when it comes to managing information risk, but they must do even better.

PwC and Iron Mountain have published their 2013 Risk Maturity Index, exploring attitudes to information risk and examples of best practice in mid-sized businesses in six European countries (France, Germany, Hungary, Netherlands, Spain and UK*).  Their findings suggest there has been some improvement in attitudes to information risk, but that there is still a long way to go.  Mid-sized (250-2,500 employees) European companies are ‘ill equipped’ to navigate the complex information landscape.

Key findings of the study

  • Awareness of the importance of information risk management is growing
  • The average number of data breaches is growing 50% per year
  • 36% of companies are keeping all of their data ‘just in case’
  • Only 45% of companies have an information risk strategy
  • 42% of those surveyed are worried about the security of their company’s stored data
  • Only 25% consider their employees to be a serious threat to information security
  • 45% do not monitor employee social media use

National differences

Companies in the Netherlands performed better than in any other country.  They were more likely to have strategies and plans in place to deal with BYOD and minor data ‘mishaps’. They were also much more likely to have a corporate risk register.  Alongside companies in France, Dutch businesses were most likely to treat information risk at board level.

Hungary takes second place in the Risk Maturity Index.  Over the last 12 months, businesses have focused on raising employees’ awareness of information risk issues and providing relevant training.

Spanish companies lag behind those in other countries and are least likely to provide guidelines to employees or to have key security measures in place.

Best practice

  • Information management and risk must be a board level issue
  • Information audits – identify what you have, where it is stored and how it is classified
  • Operate a policy of ‘controlled trust’

*600 senior managers were interviewed in mid-sized businesses in the six countries.

The White Paper is free to download from Iron Mountain.

[Follow Val Skelton on Google+]

Collaborating to ensure cybersecurity

Earlier this year the European Commission published its Cybersecurity Strategy.

The document called for the development of a platform to bring public and private sector stakeholders together so they could share good practice and develop secure ICT solutions.

At about the same time in the US, President Obama published an executive order which also focused on the importance of protecting infrastructure from cyberattacks.

Both initiatives reflect the invaluable contribution that the digital economy makes to society and the economy and the importance of protecting sites and services from malicious cyberattacks.  Organisations and nations need to manage and mitigate cyber risk and there is much to be gained from stakeholders sharing experience and information about potential threats, vulnerabilities and solutions.

Writing for Harvard Business Review, Harry D. Raduege, Jr. writes about the importance of bringing together leaders from all sectors to learn and share.  In particular, he believes they should focus on:

  • Understanding the problem – what are the key issues and threats facing your organisation?
  • Making one person accountable – a leader in your organisation should be designated to look after all cyber/digital issues
  • Coordinating efforts – not just within your own organisation, but also up and down your supply and value chain
  • Communicating – not just within supply chains but beyond, with government agencies, professional bodies and regulators

Meanwhile, the UK’s National Audit Office has expressed concern about a skills shortfall in information security.  Responding to the report, Marisa Viveros, writing for Harvard Business Review, agrees that holistic and collaborative measures are called for, mirroring the interdisciplinary approaches of academia.

Above all, education about cybersecurity and IT issues is “one of the best investments a company can make”.

More information on the EU’s cybersecurity plan can be found here.


Cyber security in the UK

Effective cyber security is good for business, according to the UK’s Department for Business, Innovation and Skills (BIS), which has published its 2013 Information Security Breaches Survey.  The report presents the findings from over 1,000 respondents across small, medium and large firms in a range of sectors.  The figures show that companies in the UK have experienced the highest ever number of reported security breaches, and the costs to firms are also at an all-time high.  The average cost to a large firm of its worst security breach is reported to be between £450k and £850k.  For small firms, the figure ranges between £35k and £65k.

The increased use of cloud computing, mobile devices and social networks can increase risk (14% of large organisations reported a security breach via a social network).  Ongoing changes in the business environment can also lead to uncertainty about who is responsible for information and data ‘ownership’.  This is particularly true in large organisations where 33% of respondents reported that such responsibilities were ‘unclear’.

Most of the respondents reported that they have written information security policies, yet 34% report that employee understanding is poor.  Training levels remain low, despite evidence that training and awareness can significantly reduce the impact of security breaches.

Threats from outside – and within

BIS states that cyber-attacks have grown ‘in frequency and intensity’ over the last year.  These include hacktivism, phishing, identity fraud and denial of service attacks.  Companies are not just subject to external threats.  Staff-related breaches may be both deliberate and inadvertent, and can range from accidentally sending emails to the wrong recipients to disgruntled employees taking business-critical data with them when they leave the company.

Key findings

  • 87% of small firms experienced a security breach last year
  • 93% of large companies experienced a security breach
  • 36% of the worst security breaches were caused by inadvertent human error
  • 10% of the worst security breaches were caused by deliberate misuse of systems by staff
  • 23% of respondents haven’t carried out any form of security risk assessment
  • 9% of large organisations had a security or data breach in the last year involving smartphones or tablets
  • 4% of respondents had a security or data breach in the last year relating to one of their cloud computing services
  • 92% of respondents expect to spend at least the same on security next year (and 47% expect to spend more)


Antivirus software – an ‘illusion of security’?

The detection rate of new viruses by antivirus software is currently lower than 5%.

In a Hacker Intelligence Initiative study of 40 antivirus (AV) products (conducted by business security firm Imperva), the results suggest that it can take up to a month for 75% of the products to add new viruses to their signature lists and begin protecting their customers against them.  On average it took three weeks between information about threats being made available and the AV products addressing them.

The challenge is that new viruses and malicious programs are being created and distributed on an industrial scale every day and that AV software needs to be updated continuously.  Hackers and attackers understand AV products in depth and are able to design around their strengths and weaknesses.

The researchers ‘hunted down’ 82 viruses using a mixture of search, hacker forums and ‘honey pots’ and then tested them against 40 AV products.  They conclude that AVs are fast to respond to malware that spreads rapidly but that blind spots exist when it comes to viruses with limited distribution.

The antivirus products tested include both paid-for and free products (e.g. Avast), with little significant difference in performance between the two groups.

Imperva concludes that IT security teams should continue to use AV products, but that they should also focus on what they call ‘aberrant’ behaviour.  They give the example of an information security breach in a US state: once the initial breach had succeeded, systems failed to notice that data was being accessed and moved around several times before eventually being moved out of the network by the hackers.

According to Gartner (2011) the global annual spend on antivirus software is $7.4 billion.

You can read the research findings (including some thoughts on the methodology) here.

Original source: ITProPortal

Exiting employees helping themselves to information

It’s not just stationery that walks out of the office with exiting employees.  According to a survey conducted by the records and information management company Iron Mountain, a significant proportion of employees have removed confidential information from the office – in spite of data protection and other information governance guidelines.

2,000 office workers in France, Germany, Spain and the UK were surveyed.  32% of them admitted to taking or forwarding confidential information on more than one occasion.  Of those who are removing information:

  • 51% are taking information from confidential customer databases
  • 46% are taking presentations
  • 21% are taking company proposals
  • 18% are taking strategic plans
  • 18% are taking product or service roadmaps

The employees’ attitudes to their actions are interesting.  Many of those surveyed felt a sense of ‘ownership’ of the information, particularly if they had a role in creating it in the first place.  34% of respondents were completely unaware of any company guidelines regarding the removal of information from the office.

Information and data are – of course – key organisational assets.  Information professionals have the opportunity to influence organisational information governance policy and educate employees about their information responsibilities.

European businesses and information risk

Although intellectual property can represent a high percentage of a company’s value, a significant proportion of organisations are failing to protect their information assets.

According to research undertaken by Iron Mountain and PwC, European businesses are not taking the protection of corporate secrets and intellectual property (IP) as seriously as other information risk issues.

The research shows that only 41% of mid-sized European businesses have plans to protect intellectual property and that 54% of companies believe that safeguarding this type of information is less important than protecting financial, customer and employee information.

Four industry sectors (financial services; insurance; manufacturing; pharmaceuticals) in six European countries (France, Germany, Hungary, Netherlands, Spain, UK) were analysed.  The pharmaceutical industry, despite being IP intensive, performed the worst – only 30% of the companies include IP in their information risk management and data protection plans.

Companies should focus beyond the direct cost of data loss or theft and take into account other, less direct costs, such as the potential impact on brand reputation and public trust.  According to the research, the best companies:

  • Treat information as a board room issue
  • Have a balanced information strategy – which is regularly monitored
  • Have a multi-disciplinary team in charge of information risk

A summary of the report (Information Risk Maturity Index) is available here.

How to align IM with organisational risk management

As recent events have only too clearly shown, poor information management and control (particularly when combined with a ‘flexible’ appreciation of information ethics and legislation) can lead to financial and reputational loss.

It was an extraordinary coincidence of timing that while a UK Government Select Committee was in progress in Westminster, members of NetIKX were discussing the concept of organisational information risk management.

Liz Scott-Wilson, currently an information architect at a large law firm, has years of experience in information management and consulting roles in both the public and private sectors.  In her presentation she shared what she considers to be the most valuable lesson of her career.  When it comes to exerting influence within your organisation the key to success is to focus on what keeps senior people in your organisation awake at night.

Senior managers are unlikely to care much about the intricacies of information governance but they will be concerned about organisational risk.  Liz outlined how in a previous role, she had analysed a (very detailed) organisational risk register and identified information pressure points.  She then used these to demonstrate how effective information management could help mitigate organisational risk at key pressure points.

Key lessons from Liz’s presentation:

  • Focus on real pain points for senior managers
  • Ensure you understand the power systems in your organisation
  • Find friends in your organisation’s governance/risk teams
  • Reflect organisational language in your strategy
  • Demonstrate how IM can bring plausible and affordable processes to mitigate risk

The key call to action was to encourage anyone interested in demonstrating the importance of IM to organisations to meet with their organisational risk managers.

(There were two speakers at the event.  Watch out for a second blog entry!)

Facing up to the cybersecurity challenge

In the latest issue of McKinsey Quarterly James Kaplan identifies a perfect storm of factors that are conspiring to make cybersecurity a major business challenge.

  • Stakeholders expect more ‘openness’.  Increased demands for mobile/smartphone access present new types of security threat
  • More corporate value is to be found online – making it a more attractive target for cybercriminals
  • Interconnected supply chains make extended networks vulnerable to weak links in the chain
  • Increasingly sophisticated cybercriminals and malware

Organisations need a new mindset to tackle cybersecurity challenges. This includes moving from a focus on ‘protecting the perimeter’ to identifying, and protecting, their most valuable intellectual assets.  Most critical of all is to acknowledge that cybersecurity is a constant battle rather than a one-off problem that can be tackled and ‘solved’.