Posts

Showing posts from October, 2017

Spooky happenings in NZ

Last night as darkness draped itself across the IsecT office, an eerie silence descended. No more tippy tappy on the keyboards, the writing finished, our job almost done for another month - the end of another chapter. A fantastic horror/thriller on the movie channel delivered the perfect stress antidote, a different kind of tension entirely. More poppycock than Hitchcock but fun nevertheless. Today we've packaged up the privacy awareness materials, just under 100 megs of it, ready to deliver to our subscribers. My energy sapped, even strong coffee has lost its potency. It's time for a break! I'll have a bit more to say about the module tomorrow, if I evade the demons and survive the night that is.

Polish until it gleams

Today we're busy finalizing the privacy awareness materials for delivery to subscribers imminently. It is always a bit fraught at this time of the month as the deadline looms but things are going well this time around - no IT hardware failures or other crises at least.  The new materials are proofread and gleaming, ready to package up and upload as soon as the poster graphics come in. I even managed a few hours off yesterday to visit friends at the radio club. Luxury! We'll have a bit of a break before starting the next awareness module on social engineering, long enough hopefully to repair a broken pipe supplying water for the animals.  I've been patiently chainsawing fallen pine trees out of the way for some while now, finding three breaks in the pipe so far. The stock water tanks have nearly run dry so it's a priority to fix the breaks, pump the water and finish the job. Our contingency plans involve carting water around in portable containers or getting a tanker del

Peddling personal data

Earlier this month, I blogged about personal data being valuable and hence worth protecting like any asset. But what about commercial exploitation such as selling it to third parties? Is that OK too? Some companies find it perfectly acceptable to Hoover-up all the personal information they can to use or sell to third parties, whereas others take a more conservative and (to my mind) ethical position, limiting personal data collection, using it for necessary internal business activities and refusing to sell or disclose it further (not even to the authorities in the case of Apple). The EU position on this is clear: personal information belongs to the people, not the corporations. Since privacy is a fundamental human right, people must retain control over their personal information, including the ability to limit its collection, accuracy, use and disclosure. The US position is ambiguous, at best. Efforts to tighten-up US laws around privacy and surveillance have been lackluster so far,

Equifax cultural issues

Motherboard reveals a catalog of issues and failings within Equifax that seem likely to have contributed to, or patently failed to prevent, May's breach of sensitive personal information on over 145 million Americans, almost half the US population. Although we'll be using the Equifax breach to illustrate November's awareness materials on privacy, we could equally have used them in this month's module on security culture since, according to BoingBoing: "Motherboard's Lorenzo Franceschi-Bicchierai spoke to several Equifax sources who described a culture of IT negligence and neglect, in which security audits and warnings were routinely disregarded, and where IT staff were unable to believe that their employers were so cavalier with the sensitive data the company had amassed." 'A culture of IT negligence and neglect' is almost the opposite of a security culture, more of a toxic culture you could say. Workers who simply don't give a stuff about

Privacy & personal choice

Control is at the core of privacy - not just information security controls but a person's control over personal information about themselves, and their self-control.  It's fundamentally a matter of choice, whether or not to disclose our personal information, when, to whom, and how it is to be used and secured ... which presents a conundrum for those of us who choose to use social media, cellphones, email, the web and so on - the chattering classes. Every time I update this very blog (and sometimes even when I don't!), I'm revealing a bit more about myself. As with my body language, the way I express things may be as telling as the literal content.  In the midst of writing the security awareness materials on privacy, I'm especially conscious of that aspect right now so I'm being extra careful about what I say here and (to some extent) how I say it ... but I'm only human. There are limits to my ability to control myself.  Those of you who have been tracking an

Privacy lost

Today I've been thinking and writing about privacy risks, comparing the differing perspectives of individual people and organizations. Something that stands out from the risk analysis is that, despite journalists, authorities, privacy pro's and victims being aghast when privacy breaches occur, we all gladly accept significant privacy risks as a matter of course. In a few cases (e.g. tax), we have virtually no choice in the matter, but mostly we choose to share our personal information, trusting that the recipients will protect it on our behalf. To be honest, privacy doesn't even enter our minds most of the time. It doesn't occur to us, because of our blasé attitudes. Admittedly, it would take extreme measures to be reasonably assured of complete privacy, and even then there would still be risks: consider people in 'witness protection schemes' for example, or moles, spies, criminals and terrorists doing their level best to remain anonymous, below the radar. We

A different tack

There are several good reasons for protecting personal information, of which compliance with privacy laws and regulations is just one.  For example, personal information can be extremely valuable in its own right - a business asset in fact.  Consider the adverse consequences of personal information being lost or corrupted, perhaps the result of a system/hardware failure, a software bug, an inept or malicious system administrator, malware, ransomware or ....  well anything that can damage/destroy or deny legitimate access to information could of course affect personal information. In a sense, it is "just" information.  At the same time, its commercial value is strongly linked to its confidentiality. This is why we are invited to pay $thousands for various mailing lists, offers which we either ignore or robustly decline since we are strongly ethical and most certainly  not spammers! It's why sales professionals jealously guard their personal contacts. They are truly concern

Data breach reality check

In searching for information relating to GDPR and privacy for next month's awareness module, I bumped into the Business Continuity Institute's Horizon Scan 2017 report. The report's headline data come from a survey of 666 business continuity and risk management professionals from Europe and North America (mostly), concerning their perceptions about threats and incidents ... and immediately a few issues spring out at me. First of all, the survey population is naturally biased given their field of expertise: although sizable, this was clearly not a random sample. As with all professionals, they probably overemphasize the things that matter most to them, meaning serious incidents that actually or are believed to threaten to disrupt their organizations. It's no surprise at all that 88% of BC pro's are concerned or extremely concerned about "cyber attack" - if anything, I wonder what planet the remaining 12% inhabit! On the other hand, BC pro's ought to kn

Privacy update

This month we are updating the privacy awareness module for delivery in November, with a particular focus on GDPR just six months away. By the time it comes into force in May 2018, compliance with the EU General Data Protection Regulation will be a strategic objective for most organizations, thanks to the potential for massive fines and adverse publicity for any who are caught in contravention. Provided they are aware of it, we believe managers will welcome assurance either that everything is on track to make the organization compliant by the deadline, or that GDPR is definitely not applicable to them. Our job is to make managers aware of GDPR, emphasizing the governance and compliance plus information risk and security management aspects - updating corporate privacy policies for example, and ensuring that suppliers and business partners are on-track as well as the organization itself. If cloud service providers were struggling to meet the compliance deadline, for instance, there

A 2-phase approach to bolster the security culture

Culture is a nebulous, hand-waving concept, hard to pin down and yet an important, far-reaching factor in any organization. The new awareness module (the 63rd topic in our bulging security awareness portfolio) is essentially a recruitment drive, aimed at persuading workers to join and become integral parts of the Information Security function. The basic idea is straightforward in theory but in practice it is a challenge to get people to sit up and take notice, then to change their attitudes and behaviors. During September, we developed a two-phased approach: Strong leadership is critically important which means first convincing management (all the way up to the exec team and Board) that they are the lynch-pins. In setting the tone at the top, the way managers treat information risk, security, privacy, compliance and related issues has a marked effect on the entire organization. Their leverage is enormous, with the potential to enable or undermine the entire approach, as illustrated

Security culture module

Well, despite Finagle's Law, we've limped home over the finishing line. Another tidy stack of security awareness content is packaged up and will shortly be ready for our subscribers to download, customize and deploy. 'Security culture' is the 63rd awareness topic we've covered, among the most challenging module to develop and yet also the most rewarding: it's clear, in retrospect, what an important topic this is for any organization that takes information security seriously enough to run an awareness program. In short, there is no better mechanism than an effective security awareness program with which to foster a security culture. How on Earth have we ducked the issue for so long? Perhaps it's a maturity thing. Perhaps it's cultural: we are forging new paths, heading way off the track well-beaten by more conventional security awareness programs. Just in case you missed it, there's so much more to security awareness than phishing! I pity or