Posts

Showing posts from June, 2017

More than 5 years of ransomwareness

We are in the final stages of preparing July's awareness materials on "Workplace information security". Six cool new poster designs have come in from the art department so the staff/general employee stream is practically finished, aside from proofreading. We're working hard to complete the management and professional briefings and tying up a couple of loose ends, leaving just the newsletter left to prepare, right on cue. As usual, we've left it to the very end of the month to make the newsletter, and in fact the whole module, as topical as humanly possible. The latest ransomware outbreak all over the news this week is a classic illustration of the value of our innovative approach to security awareness. We've covered malware at least once a year since 2003, several times in fact since malware often crops up in awareness modules covering related topics such as social engineering, identity theft, phishing, fraud, email security and cybertage. Every time throu...

Branding security awareness

I find brands fascinating. We are immersed in a heavily branded world, surrounded and constantly bombarded by brands. They are thrust at us through advertisements and emblazoned on product packaging. Many are really quite crude and obvious - childish graphical logos in bright primary colors, simplistic tag lines, annoying jingles and endless, endless repetition. Others are far more subtle and sophisticated. The very best take subtlety to the point that we no longer appreciate we are being coerced, but we are, oh yes we are. Brands go well beyond the logos, jingles and taglines, taking in very diffuse perceptions about the organizations and their products in general - myriad aspects such as quality, price, reliability, innovation and, most of all, trustworthiness. Most of us are loyal to certain brands while avoiding others (brands can be liabilities as well as assets), spreading branding's influence into the social sphere as we demonstrate and discuss our preferences with friends....

Laptop ban [UPDATED]

One of the workplace information risk and security issues worth discussing with management is the possibility of a total ban on portable ICT devices such as laptops, tablets and smartphones by airlines, and perhaps other forms of mass public transport. At present, some ICT devices are banned from the cabin by some airlines on some routes, but it is not inconceivable that the ban might be extended given escalating terrorism and safety threats. I presume the only reason we are still allowed to take our explosive battery packs on board at all is the inconvenience and customer dissatisfaction that would follow if portable and wearable devices were completely banned - a typical risk-reward trade-off. As far as the security awareness program goes, whether and how a ban is extended is inconsequential: the point is to prompt the audience to think about how they would deal with that situation. It's a theoretical exercise at this stage, based on a credible scenario. What effects would it hav...

Order from chaos

My physical workplace is, as usual at this time of the month, becoming cluttered with printouts and notes about the new module, vying for space with all the normal desk chaff - receipts and expenses claims, IT stuff, music CDs, crockery from lunch al-desko, and more. It's much the same with my virtual workplace too as my mind fills to the brim with thoughts, many part-formed, some tantalizingly close to crystallising out while others remain chaotic. This is a curiously appropriate representation of my brain right now - or at least it would be if it were constantly shifting about: it's time to focus on completing the materials, discarding half-baked ideas and letting go of threads that aren't likely to mature in time. It's not entirely wasteful though as the notes, threads and other memories will be there the next time we work on a related security awareness topic. In infosec terms, there are risks in our way of working. We're on the critical path now, so any inci...

Weaving news into awareness

Today I've been searching for news items to illustrate the awareness materials on workplace security, particularly incidents involving corporate information. At first I thought maybe we have over-estimated the risks: Googling for, say, "office security" brings up stacks of news about MS Office but not so much on traditional office break-ins, fires and the like. "Commercial burglary" was a more productive search term but still not exactly overwhelming. Likewise searching for "theft from vehicle" leads to a plethora of brief police incident logs and the occasional news piece about laptops and other IT gizmos stolen from parked cars - seemingly just opportunistic thefts by druggies. Digging a little deeper, though, I realized that those police incident logs indicate a level of crime so widespread and commonplace that it is barely newsworthy any more. Tot up all those little incidents involving theft of computers, laptops, iPads, smartphones and the like...

Phishing myopia strikes again

A piece in the Redmond Magazine, Protecting Office 365 from Attack, caught my eye today - specifically this chunk on "User-Awareness Training" [sic]: "One of the most effective but underutilized strategies for defending your network against malware such as Osiris/Locky is user-awareness training. Because it's impossible to catch all malware, your users are the last line of defense for your network, and they should be trained as such. Accordingly, you should implement the following user-awareness training strategies: Threat awareness: Have your users take refresher courses on how to identify a phishing attempt and the importance of their participation in the fight to defend resources against malware once every quarter. Specifically, they must learn not to engage with any suspicious e-mail, report suspicious e-mail, and ensure that their endpoints are protected with anti-malware software and effective backups. It might sound simple, but many users still aren't aware...

A positive spin on auditing

Over on the ISO27k Forum, a member told us about having passed an ISO/IEC 27001 certification surveillance audit with a minor noncompliance. The auditor reported that the firewall's firmware had not been updated since a year ago despite the availability of a more recent update. The auditor was concerned that this left the network exposed to malware such as WannaCry. While not disputing the facts, reading between the lines, the auditee was clearly disappointed that this had been raised because the information risk does not seem significant, given that the organization has other effective controls in this area. A negative audit finding, even something as trivial as a minor nonconformance, can be hard to accept if you genuinely believe you are doing a great job. There may not be fireworks but it's a challenge, for sure, a knock to one's integrity and credibility. Leaving aside the certification aspects for a moment, if it were me in that situation I'd be inclined to ask why ...

Workplace infosec policies

Protecting information in the workplace is such a broad brief that we're working on 4 policy templates for the July awareness module:
Workplace information security policy - concerns the need to identify and address information risks wherever work is performed, and wherever valuable information exists (not just at the office!). This is an update to our 'office security policy'.
Information retention policy - the timescales for retention and/or the criteria for disposal of information should be specified when it is classified, along with the security requirements for safe storage, communications and access.
Information disposal policy - when information is no longer required, it may need to be disposed of securely using forensically sound techniques.
Information classification policy - updated to reflect the need to specify retention and destruction requirements where applicable (e.g. if mandated in laws, regulations or contracts).
Several other information security pol...

Weekend report

Hey, a weekend off! The weather was fine (no rain, blue skies) so we got some outside jobs done, including removing yet another fallen tree (about the fifteenth from the cyclone in April), repairing and installing a gate and despatching a dozen fattened lambs to market.

Dress down Friday

Every day is dress-down day in the IsecT office. Like most Kiwis, we much prefer comfortable clothes to formal attire such as business suits and ties. Why anyone - especially knowledge workers - would voluntarily choose to don a noose that constricts the flow of blood to their own heads is beyond me. The necktie is a bizarre fashion legacy from the fifteenth century - the very antithesis of 'smart'. Anyway, today was a tad more laid-back than I anticipated. I got up with the very best of intentions to crack on with the module, only "stuff" occurred. Firstly came a string of emails from the CSA (Cloud Security Alliance) inviting me to get involved in their work on cloud and IoT security. They are doing fabulous things and it's very flattering to be asked, except I can't afford the time to wade in. By a process known as Chinese whispers (telephone in the US), my simple, naive inquiry about their activities on IoT security got transmogrified into an offer to...

Nose to the grindstone

Having completed and submitted our bids yesterday, it's back to the day-job today, picking up where we left off the workplace information security awareness module. Well, it would be noses-to-the-grindstone ... except MS Office is playing up for no obvious reason, so I sit here watching the clock tick while it reinstalls, again, idly wondering why an organization the size of Micro$oft can't be bothered to put enough resources and effort into sorting out its numerous information security and quality problems properly, for once ... and so here I am an hour and much frustration later. It seems to be running, for now, sort-of: Outlook still tells me it isn't activated while the Office365 online site says "We're still setting a few things up, but feel free to get started" (thanks a bunch: it was working until you screwed it up, M$). No clue what was wrong with it - lack of oomph in the dilithium crystals or something. Given how keen M$ is to charge us, perhaps we shou...

The periodic table of atomic controls [updated]

Many information security controls are multi-purpose, hence they could be specified in several places: several policies plus procedures, standards, guidelines etc. That multiplicity creates a nightmare for the ISO/IEC JTC 1/SC 27 project team trying to generate a succinct version of ISO/IEC 27002 without duplications, gaps or discrepancies in the control catalog. It's also a potential nightmare for anyone writing corporate policies, or an opportunity depending on how you deal with it. My current pragmatic approach is to mention [hopefully] all the important controls in each topic-specific policy template, with a reference section that mentions other related policies, creating a kind of policy matrix. I'm still wary of gaps and discrepancies though: with 60+ policies in our matrix so far, it's fast approaching the limit of my intellectual abilities and memory to keep them all aligned! It's an ongoing task to review and revise/update the policy templates, without breaking li...

Nothing small about business

As a small business, we have to do and manage much the same stuff that any business has to do, such as:
Marketing, promoting and selling our products e.g. maintaining and updating our websites, preparing advertising copy etc.
Procurement and sales administration - licensing, invoicing etc.
Customer and supplier relations
Financial administration: budgeting, accounting, tax, expenses, pay & rations
HR & personal development
IT - hardware, software, firmware, wetware and - yes - IoT
Information risk and security, including awareness (golly!)
Strategy, governance, compliance
Planning, resource allocation, prioritization
Market and competitor analysis
Research and development
Operations/production - working hard to make the products we sell
Quality assurance and quality control
Packaging, delivery and logistics
Elf'n-safety
Blogging and other social marketing/social media stuff
In our case these are on a smaller, simpler scale compared to, say, a multinational megacorporati...

Beyond the cubicle

As information risks change, existing information security controls ought to be reviewed and if necessary updated. Abrupt, major changes tend to be obvious and, in mature organizations, trigger the risk review and security update process, whereas gradual, incremental changes may creep up on us unnoticed. Working practices are evolving. We are spending less time tethered to our desk-based 'workstations' these days, and more time on the move, whether just wandering around the office from meeting to meeting, traveling between offices and other workplaces (and working on the hoof), working from temporary and makeshift workplaces or working from home (if only to avoid the tedium of commuting). The nature of 'work' is also evolving thanks to automation (e.g. robotics, computer-controlled machinery and IoT things) and networking (e.g. the Web plus WiFi, Bluetooth and cellular): manual labor is being supplemented or replaced by intellectual labor - we're thinking mor...

Weaving the Web

One of the pleasures of my job is continual learning, doing my best to keep up with the field. I read loads, mostly on the Web but I also maintain a physical bookshelf well-stocked with books ... including: Sir Tim Berners-Lee recounts the original design and development of the World Wide Web in the 1980s and 90s. This is more than merely an authoritative historical account, however valuable that may be. Tim elaborates on his big dreams and deep personal philosophy that drove him to conceive and gift to humanity the most powerful information technology invented - so far. 62 years ago when Tim was born (happy birthday!), ENIAC was in the final few months of its life and the 5,000-tube UNIVAC was just 2 years into commercial production. Computers were monstrous beasts with (by today's standards) minimal processing, storage and communications capabilities, yet ironically they were known as 'electronic brains'. Networking was virtually nonexistent, and email wasn't even i...

Frame the problem to find the solution

Today we're exploring and elaborating on the information risks associated with the wide variety of modern-day workplaces I mentioned yesterday. The risk-control spectrum diagram is a convenient way to get our thoughts - as well as the risks - in order. It's straightforward to present and discuss the risks along with the corresponding security controls, in a priority sequence that sort of makes sense. 'Sort of' hints at an underlying issue that I'd like to discuss today. Whereas we strive to make the security awareness materials reasonably complete and accurate, we cannot entirely reflect any specific customer organization and its particular business context or needs, not least because we simply don't know what they are. At the same time, that ambiguity presents an awareness opportunity. It opens the way for customers to consider, discuss, challenge, adapt and extend the generic content. Take for instance our placement of the "Working from home" to t...