Posts

Showing posts from December, 2010

New awareness module on physical security

We've released January's awareness module on physical security a few days early to beat the Christmas rush. While many information assets are intangible (e.g. digital data and knowledge), some have a physical medium, existence or expression that is vulnerable to a variety of physical risks. Furthermore, many of the controls over intangible information, particularly the IT systems that store, communicate and process most of it, have physical security aspects. The security awareness materials for January focus on the physical protection of physical information assets against various physical risks. Proprietary knowledge in the heads of key workers means they really are “our greatest assets”, so health and safety measures are relevant to information security. We also provide a briefing on hardware hacking to catch the imagination of your IT people. ...

Book review: No Tech Hacking

In his book No Tech Hacking, author Johnny Long ably describes some simple non-technical attack methods mostly involving social engineering and physical site intrusion, but it is a shame he doesn’t present a more compelling call-to-action. Readers can and indeed should be more aware of, and ideally resistant to, the methods described. The book presents the basic information but doesn’t really motivate readers to respond, leaving us rather flat.

Business continuity case study

Serious business disruption stemming from an IT incident at National Australia Bank on the night of November 24th led to serious questions being posed in the press about the bank's governance and even its HR practices. This was clearly a costly incident for the bank, creating a flurry of adverse customer and media commentary (such as "FURIOUS consumers are demanding compensation after a NAB computer bungle delayed millions of wages, pensions, family payments and business transactions across Australia. Tens of thousands of anxious people could still be without cash for the weekend because of backlogs from the shambles.") and hence brand damage, in addition to the direct costs of investigating and resolving the incident itself and compensating customers. Now that the dust is settling, let's review the business continuity aspects of the case, based on media reports, public statements by NAB and a little idle speculation. The actual IT incident, originally t...

Business continuity awareness module

Business continuity in the title of December's security awareness module refers to the central purpose of various forms of resilience, disaster recovery/business resumption and contingency planning: these are not purely academic approaches but serve to support the business in a very practical way, in times of crisis. Making processes and systems resilient is the ideal approach to business continuity management if the organization can shrug off incidents that might otherwise interfere with or stop vital business activities, keeping operations running without a noticeable break. Disaster recovery and business resumption planning, however, start with the assumption that the business has unfortunately been disrupted as a result of a disaster, for instance if the resilience measures turn out to be inadequate in practice. Contingency planning takes that line of thinking a step further, preparing the organizatio...