Showing posts from September, 2010

Security compliance - new awareness module released

Compliance with information security and privacy-related laws, regulations, standards and policies may be a rather dry subject, but it's an increasingly important one and as such is definitely worth covering in security awareness programs - unless, that is, you truly believe that your technical security controls alone are sufficient (in which case, you are either a unique technical genius or sadly deluded!). We have just delivered an awareness module all about security compliance, some 67Mb of stimulating awareness content that, to be perfectly honest, barely scratches the surface. We freely admit we are not legal experts. We don't know all the ins and outs of our customers' legal obligations, the rules imposed by their industry regulators, or their corporate policies towards security. But we do know about security awareness, about motivation and creativity. And in many ways our international perspective lets us see beyond the narrow confines of any individual or...

Heartland CEO on their breach

Bob Carr, CEO of Heartland Payment Systems, spoke openly about their massive 2007/2008 security breach at the SC World Conference in 2009. Whether you work in the financial industry or in information security, it's well worth setting aside 45 mins or so to watch him present and think carefully about the underlying risk, security and commercial issues. Essentially, Bob's point is that the payment card industry is clinging to a fundamentally flawed security model. Card numbers taken from magstripes, or presumably from chip-n-PIN cards, are passed through the point of sale systems, the merchant back-office systems, and card processors such as Heartland, all the way to the card issuers. For a good part of this journey, the card numbers are unencrypted and hence are vulnerable to being captured by the bad guys. PCI DSS attempts to lock down all these intermediate points, but so long as the underlying data are in the clear, there is always going to be a risk of unauthorized or inap...

Osmotic security

Remarks towards the end of a blog piece by Andy Ellis reminded me about a key difference between awareness and training. He and I may be concerned with information security awareness specifically but the principle is not limited to a single topic. Safety awareness is not the same as safety training. Being commercially aware is different to undergoing commercial training courses. You get the point. Andy said: "But much more importantly, we weave security awareness into a lot of activities. Listen to our quarterly investor calls, and you'll hear our executives mention the importance of security. Employees go to our all-hands meetings, and hear those same executives talk about security. The four adjectives we've often used to describe the company are "fast, reliable, scalable, and secure". Social engineering attempts get broadcast to a mailing list (very entertaining reading for everyone answering a published telephone number). And that doesn't ...

Carpe diem!

This morning's strength 7.1 earthquake in central Christchurch, South Island, New Zealand, is a reminder that contingency and continuity plans are not just tedious red tape. With the IsecT office being hundreds of miles away in North Island NZ, we didn't feel the earth move as such but we certainly felt the shock on seeing the news. It leaves us wondering about our own readiness to survive a similar disaster, not least because of our proximity to Napier, another NZ city devastated by a similar quake in the 1930s. Today it's a fabulous Art Deco city having been almost entirely rebuilt. In the 1930s, it was a scene of death and destruction. From a security perspective, the Christchurch quake is an awareness opportunity. Carpe diem (seize the day)! It's all over the news. Employees can see for themselves what a real incident looks like and, with a bit of judicious prompting, imagine themselves in just such a disastrous situation, struggling firs...