Spooky happenings in NZ

Last night as darkness draped itself across the IsecT office, an eerie silence descended. No more tippy tappy on the keyboards, the writing finished, our job almost done for another month - the end of another chapter. 

A fantastic horror/thriller on the movie channel delivered the perfect stress antidote, a different kind of tension entirely. More poppycocck than Hitchcock but fun nevertheless.

Today we've packaged up the privacy awareness materials, just under 100 megs of it, ready to deliver to our subscribers. My energy sapped, even strong coffee has lost its potency. It's time for a break! I'll have a bit more to say about the module tomorrow, if I evade the demons and survive the night that is.

Polish until it gleams

Today we're busy finalizing the privacy awareness materials for delivery to subscribers imminently. It is always a bit fraught at this time of the month as the deadline looms but things are going well this time around - no IT hardware failures or other crises at least. 

The new materials are proofread and gleaming, ready to package up and upload as soon as the poster graphics come in. I even managed a few hours off yesterday to visit friends at the radio club. Luxury!

We'll have a bit of a break before starting the next awareness module on social engineering, long enough hopefully to repair a broken pipe supplying water for the animals. I've been patiently chainsawing fallen pine trees out of the way for some while now, finding three breaks in the pipe so far. The stock water tanks have nearly run dry so it's a priority to fix the breaks, pump the water and finish the job. Our contingency plans involve carting water around in portable containers or getting a tanker delivery direct to the tanks, not exactly ideal with temperatures starting to climb towards summer, and a pregnant 'house cow' due to give birth any day now. 

Peddling personal data

Earlier this month, I blogged about personal data being valuable and hence worth protecting like any asset. But what about commercial exploitation such as selling it to third parties? Is that OK too?

Some companies find it perfectly acceptable to Hoover-up all the personal information they can to use or sell to third parties, whereas others take a more conservative and (to my mind) ethical position, limiting personal data collection, using it for necessary internal business activities and refusing to sell or disclose it further (not even to the authorities in the case of Apple). 

The EU position on this is clear: personal information belongs to the people, not the corporations. Since privacy is a fundamental human right, people must retain control over their personal information, including the ability to limit its collection, accuracy, use and disclosure. 

The US position is ambiguous, at best. Efforts to tighten-up US laws around privacy and surveillance have been lackluster so far, often being stalled or knocked back by those same tech companies that are busy profiting from personal information, or by the spooks.

With the battle lines drawn up, once GDPR comes into effect next May the charge is on. Privacy and unrestricted commercial exploitation of personal information are essentially incompatible, so something has to give. We've already witnessed the failure of a half-baked attempt at self-regulation (Safe Harbor) and it seems Privacy Shield is also faltering. What next?

One possibility is a commercial response, where organizations increasingly decline doing business with US corporations that openly exploit and fail to protect personal information. That, coupled with the massive fines under GDPR, might finally drive home the message where it hurts them most: the bottom line. 

As Rana Foroohar from the Financial Times puts it "Privacy is a competitive advantage. Technology companies may have to say whether they are data peddlers or data stewards." Personally, I don't see it as a quite such a black-and-white issue, with plenty of room between those extremes.

A key issue, for me, is that matter of personal choice: we deliberately choose to give up some elements of our privacy under some circumstances, and that's fine provided we are fully informed and voluntarily accept the implications - two of the requirements under GDPR. What's unacceptable, to me anyway, is when my personal information is obtained sneakily and/or exploited or disclosed to third parties, without my knowledge and consent. I resent that. How about you? Perhaps it's another one of those cultural things.

Equifax cultural issues

Motherboard reveals a catalog of issues and failings within Equifax that seem likely to have contributed to, or patently failed to prevent, May's breach of sensitive personal information on over 145 million Americans, almost half the US population.

Although we'll be using the Equifax breach to illustrate November's awareness materials on privacy, we could equally have used them in this month's module on security culture since, according to BoingBoing:

"Motherboard's Lorenzo Franceschi-Bicchierai spoke to several Equifax sources who described a culture of IT negligence and neglect, in which security audits and warnings were routinely disregarded, and where IT staff were unable to believe that their employers were so cavalier with the sensitive data the company had amassed."

'A culture of IT negligence and neglect' is almost the opposite of a security culture, more of a toxic culture you could say. Workers who simply don't give a stuff about information security or privacy are hardly likely to lift a finger if someone reports issues to them, especially if (as seems likely) senior managers are complicit, perhaps even the source of the toxin. Their lack of support, leadership, prioritization and resourcing for the activities necessary to identify and address information risks makes it hard for professionals, staff members and even management colleagues who do give a stuff .... and that's why we are determined to help organizations educate and motivate management through security awareness and training materials written for that specific audience, not just staff.

In case it's not crystal clear already, consider this. Which of these do you think would have a better grip on its information risks, privacy and other compliance imperatives:

An organization whose security-aware managers understand the issues, proactively supporting, encouraging and leading the associated information risk management activities

- or -

One whose managers pay this no attention whatsoever, perhaps even actively undermining any attempts to deal with the issues?

Privacy & personal choice

Control is at the core of privacy - not just information security controls but a person's control over personal information about themselves, and their self-control. 

It's fundamentally a matter of choice, whether or not to disclose our personal information, when, to whom, and how it is to be used and secured ... which presents a conundrum for those of us who choose to use social media, cellphones, email, the web and so on - the chattering classes.

Every time I update this very blog (and sometimes even when I don't!), I'm revealing a bit more about myself. As with my body language, the way I express things may be as telling as the literal content. 

In the midst of writing the security awareness materials on privacy, I'm especially conscious of that aspect right now so I'm being extra careful about what I say here and (to some extent) how I say it ... but I'm only human. There are limits to my ability to control myself. 

Those of you who have been tracking and reading this blog for a while now could probably identify my style of writing, pointing out characteristics that have caught your eye, both good points and bad. I'm talking (well writing!) about metadata gleaned from this blog and perhaps other sources that tells you it's probably me at the keyboard - things such as:

• My choice of language, vocabulary and grammar, doubtless including spelling and grammatical errors, inconsistencies and quirks some of which I am probably not aware of, and others perhaps deliberate;
• My phrasing, sentence and paragraph structure, sentence length, word length; 
• My use of punctuation, parenthesis, ellipses, bullet points, CaPiTaLs, abbreviations etc. (and, yes, italicising non-English words and abbreviations is a habit I picked up decades ago in the science labs);
• The way I quote, cite and reference sources, paying respect to those whose efforts I draw upon (the scientific approach, again);
• Idioms and turns-of-phrase, ways of expressing things that hint at my cultural background and grammar school upbringing (there I go once more, another snippet of personal information disclosed gratuitously); 
• The way I generally break most things down into paragraphs of about 50-100 words or bullet points of about 20 words, and how I string them together to tell the story (at least, that's my intent!);
• When I update the blog;
• The graphics I include, especially the ones I develop or commission rather than just selecting others' work - another rich vein of information there about me, my preferences, visual acuity, color bias and more;
• My "humour" (well it amuses me, anyway), cynicism and values;
• How much I write, the depth and breadth as well as the content and nature of my writing;
• The page layout, plus the titles, side-bar, labels, font, font size, line and paragraph spacing, justification;
• The URL for the blog, and the web service provider behind it ... 

... These are all metadata, cues that tell you "Yes, it's Hinson again, blabbering on as usual". I like to think it would take an extraordinarily perceptive and capable mimic to pass themselves off as me consistently without being spotted as such, but I'm not entirely sure. Furthermore, my writing style is slowly evolving and occasionally changes more dramatically, often for effect. Sometimes I even surprise myself!

As I said, I'm aware of this. I know what I'm doing. I choose to write and publish this item, and the blog as a whole, and as such I have no problem with you or anyone else gleaning whatever you like from it - or do I? Actually, there are aspects that I might find concerning, for instance I occasionally mention being out of the office at conferences, courses or meetings: I hope there are no burglars reading this blog closely enough to spot the business opportunities! 

As with body language, I am not totally in control of the metadata. Some of it is subconscious, some I can modify or manipulate more or less at will (such as using "US English" most of the time except when I revert to my version of the Queen's English). 

Along with all the above, the simple fact that I'm blogging tells you quite a lot about me, the person before the keyboard, and yet privacy laws have virtually no relevance here because it is my choice to open up. All authors give a little of themselves with every utterance. As to what else I choose to keep to myself, well you'd have to guess or figure it out. I rather doubt you care in the least about me, personally, but that may not hold for, say, Donald Trump: his daily outpourings must be something of a nightmare for an institution used to formalities, authorisations, publicists and so forth. Likewise for a large tranche of the population these days that has grown up in an era of email, Twitter and Facebook. Privacy is rather different now to past eras and no doubt will continue evolving over the years and decades to come.

Privacy lost

Today I've been thinking and writing about privacy risks, comparing the differing perspectives of individual people and organizations.

Something that stands out from the risk analysis is that, despite journalists, authorities, privacy pro's and victims being aghast when privacy breaches occur, we all gladly accept significant privacy risks as a matter of course. In a few cases (e.g. tax), we have virtually no choice in the matter, but mostly we choose to share our personal information, trusting that the recipients will protect it on our behalf.

To be honest, privacy doesn't even enter our minds most of the time. It doesn't occur to us, because of our blase attitudes.

Admittedly, it would take extreme measures to be reasonably assured of complete privacy, and even then there would still be risks: consider people in 'witness protection schemes' for example, or moles, spies, criminals and terrorists doing their level best to remain anonymous, below the radar. We know they don't always succeed.

Extremists aside, ordinary people like you and me mostly pay scant attention to our privacy. We use the Internet, and cellphones, and all manner of government and commercial services either under our own names, or with superficial efforts to conceal our identities. We share or post selfies online, email and text others, and wander about in public spaces under the full gaze of myriad CCTV cameras. We use our credit and debit cards to buy stuff, register for various services, and generally anticipate nothing untoward ... which in turn places even more pressure on the organizations and individuals to whom we disclose our personal information, hence the reason that privacy laws such as GDPR are so important in a societal sense.

Attitudes have changed markedly within a generation or three. Way back when I was a naive young lad, the very concept of taking, let alone sharing explicit selfies was alien to me. Porn was available, of course, but access was discreet, guilt-ridden and exceptional, despite the raging hormones. As Victorian values have relaxed, we've been through "free love", page 3 girls, Hugh Heffner, tolerated or legalized prostitution, gay rights and other largely sexual revolutions - in most Western nations anyway: clearly there are cultural discrepancies with distinct differences of opinion on decorum and propriety. Scandinavian attitudes to nudity are part of the enjoyment of saunas, for me: the naked human body is something to be revered and celebrated, as it was in the original Olympic games. I still smile when I remember a male American guest at a sauna party in the 80's, already feeling distinctly awkward about the men enjoying their collective nakedness, quite unable to cope with an influx of naked women when 'their' sauna went cold: he left hurriedly, all a fluster.

Privacy, then, is just as much a cultural phenomenon as it is a question of personal information, informed disclosure, security and so on. The underlying issue is more to do with control of personal information, than protection. Whether I choose to reveal my secrets to others, or to withhold it, is the key point, a dynamic concern with cultural as well as personal overtones, making privacy a deeper, more involved and more interesting awareness topic than it might appear.

A different tack

There are several good reasons for protecting personal information, of which compliance with privacy laws and regulations is just one. 

For example, personal information can be extremely valuable in its own right - a business asset in fact. 

Consider the adverse consequences of personal information being lost or corrupted, perhaps the result of a system/hardware failure, a software bug, an inept or malicious system administrator, malware, ransomware or ....  well anything that can damage/destroy or deny legitimate access to information could of course affect personal information. In a sense, it is "just" information. 

At the same time, its commercial value is strongly linked to its confidentiality. This is why we are invited to pay $thousands for various mailing lists, offers which we either ignore or robustly decline since we are strongly ethical and most certainly not spammers! It's why sales professionals jealously guard their personal contacts. They are truly concerned about identity theft, as opposed to identity fraud. 

Treating personal information as a business asset worth protecting and exploiting puts an unusual slant on privacy. In particular, it emphasizes the commercial value of controls securing personal information, beyond the begrudging 'avoidance of fines' angle. It's also, I believe, a way to increase the pressure on senior management to do what needs to be done in order to secure personal information, even if they are not that fussed about privacy laws - a carrot-and-stick approach.

We'll expand on this and other good reasons to take privacy seriously in the next awareness module. 

Data breach reality check

In searching for information relating to GDPR and privacy for next month's awareness module, I bumped into the Business Continuity Institute's Horizon Scan 2017 report.

The report's headline data come from a survey of 666 business continuity and risk management professionals from Europe and North America (mostly), concerning their perceptions about threats and incidents ... and immediately a few issues spring out at me.

First of all, the survey population is naturally biased given their field of expertise: although sizable, this was clearly not a random sample. As with all professionals, they probably overemphasize the things that matter most to them, meaning serious incidents that actually or are believed to threaten to disrupt their organizations. It's no surprise at all that 88% of BC pro's are concerned or extremely concerned about "cyber attack" - if anything, I wonder what planet the remaining 12% inhabit! On the other hand, BC pro's ought to know what they are talking about, so their opinions are credible ... just not as much as hard, factual data concerning the actual incidents.

On that score, this year's report provides information on actual incidents:

"A new metric introduced in the BCI Horizon Scan Report measures actual disruption levels caused by the threats listed in figure 1 in order to provide a comparison against organizations’ concerns. Figure 2 shows a contrast between the levels of disruption caused by a particular threat and how concerned an organization is about it. The study shows the actual causes of business disruption slightly differ from the threats practitioners list as significant concerns. The top causes of business disruption according to the same respondents include unplanned IT and telecommunications outages (72%), adverse weather (43%), interruption to utility supply (40%), cyber attacks (35%) and security incidents (24%)."

The discrepancy between BC pros' perceptions and reality is quite marked. I'll come back to that in a moment.

Second, the way incidents (and/or threats - the report is somewhat ambiguous over the difference) are described puzzles me.  Here are the top 7, ranked according to the proportion of respondents who claimed to be "extremely concerned":

1. Cyber attack (e.g. malware, denial of service) 
2. Data breach (i.e. loss or theft of confidential information) 
3. Unplanned IT and telecom outages 
4. Security incident (e.g. vandalism, theft, fraud, protest) 
5. Adverse weather (e.g. windstorm, flooding, snow, drought) 
6. Interruption to utility supply (i.e. water, gas, electricity) 
7. Act of terrorism

These are indistinct, overlapping categories - for example #1 and #2 often occur together, and both often accompany other categories such as #3, #5 and #6. #2 "Data breach" is a specific type of incident outcome with a huge variety of causes, ranging from deliberate attacks by outsiders or insiders, to accidental disclosures and ineptitude, plus thefts of IT equipment and storage media ... speaking of which #4 "Security incident" in fact refers to physical security incidents, judging by the examples.

#7 "Act of terrorism" seems way too high on the list for me ... but whether that's because I am fortunate enough to live and work in a tranquil backwater, or because the terrorists are winning (creating terror, even among supposedly level-headed BC pro's!), or is a genuine reflection of the threat level, I can't easily tell.

The top 7 actual causes of incidents tells a rather different story to the list above:

1. Unplanned IT and telecom outages 
2. Adverse weather (e.g. windstorm/tornado, flooding, snow, drought) 
3. Interruption to utility supply (i.e. water, gas, electricity, waste disposal) 
4. Cyber attack (e.g. malware, denial of service) 
5. Security incident (e.g. vandalism, theft, fraud, protest) 
6. Transport network disruption 
7. Availability of talents/key skills (e.g. ‘bench strength’)

"Cyber attack", the #1 perceived threat, turns out to be #4 on the actual causes.  "Data breach" drops way down from #2 perceived to #8 in actuality, while transport disruption and lack of talents/key skills appear to be significant risks that are not perceived as such. "Act of terrorism" comes in at a more realistic (but still far too high, as far as I'm concerned) #13 on the actual causes.

Those discrepancies seem to indicate serious problems with the risk identification and assessment processes used by BC pro's for BCM purposes, which in turn are presumably being used to plan and prioritize BC activities ... or do they? One could argue that actual incidents are historically based, while BC pro's are paid for their expertise in predicting the future - professional soothsayers you could say. Hmmm.  Food for thought there.

Moving to the report's conclusions, I'm impressed to see this issue picked out in black and white as the first item:

"1. Organizations need to focus on the objective appraisal of threats and their particular impacts.

This year’s report has highlighted some gaps between the level of concern and actual disruptions caused by various threats. For example, the study noted significantly high levels of concern over cyber attacks and data breach which may be influenced by increased media coverage. Business disruptions nonetheless are still mainly driven by other threats such as unplanned IT and telecom outages and adverse weather. As such, organizations need to continually look at the business impacts of various threats and deploy appropriate tactics to become more resilient."

Well said! It would be interesting to explore why there are such marked discrepancies between perception and reality among BC pro's, since that would be an obvious handle to improve the alignment if appropriate (conceivably the BC pro's are right after all - perhaps we'll see changes in the actual causes in future reports!).

Anyway, back to the plot, the survey inspired the following graphic that we'll include in the awareness content (citing the source, of course):

Privacy update

This month we are updating the privacy awareness module for delivery in November, with a particular focus on GDPR just six months away. 

By the time it comes into force in May 2018, compliance with the EU General Data Protection Regulation will be a strategic objective for most organizations, thanks to the potential for massive fines and adverse publicity for any who are caught in contravention. Provided they are aware of it, we believe managers will welcome assurance either that everything is on track to make the organization compliant by the deadline, or that GDPR is definitely not applicable to them. 

Our job is to make managers aware of GDPR, emphasizing the governance and compliance plus information risk and security management aspects - updating corporate privacy policies for example, and ensuring that suppliers and business partners are on-track as well as the organization itself. If cloud service providers were struggling to meet the compliance deadline, for instance, there would be implications for their customers - another thing for management to consider. A GDPR compliance checklist would therefore be a worthwhile and timely addition to the awareness materials.

The task of achieving GDPR compliance largely falls to IT and compliance specialists. Our awareness objectives for that audience are more tactical in nature, relating to project management, technical challenges and change management. The compliance checklist may help them consider the compliance project status from management's perspective, perhaps re-prioritizing and re-energizing the remaining activities.

For the general worker awareness audience, we plan to tackle the personal angle, addressing rhetorical questions such as "What's all the fuss?", "What's GDPR?" and "What's in it for me?" ... suggesting three awareness posters similar to the one above. We'll be developing those and other ideas into a brief for the graphics team this weekend.

GDPR and privacy are already making appearances in the professional media and will increasingly hit the general news outlets in the run-up to May - albeit mostly as fillers for slow news days. The first major organizations to be fined for GDPR non-compliance will surely be headline fodder, for a few days at least. Our customers' employees will have had the background hopefully to notice privacy-related news and appreciate what's behind the headlines, linking the general media with the corporate awareness programs. There's a broad educational purpose to November's module, in addition to the more direct awareness role. 

A 2-phase approach to bolster the security culture

Culture is a nebulous, hand-waving concept, hard to pin down and yet an important, far-reaching factor in any organization. 

The new awareness module (the 63rd topic in our bulging security awareness portfolio) is essentially a recruitment drive, aimed at persuading workers to join and become integral parts of the Information Security function. The basic idea is straightforward in theory but in practice it is a challenge to get people to sit up and take notice, then to change their attitudes and behaviors. 

During September, we developed a two-phased approach:

1. Strong leadership is critically important which means first convincing management (all the way up to the exec team and Board) that they are the lynch-pins. In setting the tone at the top, the way managers treat information risk, security, privacy, compliance and related issues has a marked effect on the entire organization. Their leverage is enormous, with the potential to enable or undermine the entire approach, as illustrated by the Enron, Sony and Equifax incidents.
   
   
2. With management support in the bag, the next task is to persuade workers in general to participate actively in the organization's information security arrangements. Aside from directly appealing to staff on a personal level, we enlist the help of professionals and specialists since they too are a powerful influence on the organization - including management. 

October's awareness materials follow hot on the heels of the revised Information Security 101 module delivered in September. That set the scene, positioning information security as an essential part of modern business. Future modules will expand on different aspects, each one reinforcing the fundamentals ... which is part of the process of enhancing the security culture. Consistency is key, along with repetition. The trick, though, is for the awareness program to maintain interest levels, hence simply saying the same thing over and over is counterproductive: people soon tune-out and glaze-over.

Another factor to take into account is that changing the culture inevitably takes time. Lots of time. This is a   s l o w   process. We've provided a survey form with a strong hint that the security culture should be measured on an ongoing basis since improvements may not be immediately obvious. The awareness effort may appear to have been wasted unless changes can be demonstrated through suitable metrics. There's another more subtle purpose to the survey though, getting management to determine what's sufficiently important to be worth surveying. There's value in the process of designing the metric, as well as the survey results - a little bonus.

That's it, October's module is done and dusted. So what next? 

With just six months from November until GDPR comes into force, we will be revising the privacy module to help subscribers pave the way through awareness. Once again, November's materials will build upon the same foundations, boosting understanding in the privacy area specifically while gently maintaining the undercurrent of information risk, security and compliance in general.

Right now, I have a more immediate goal in mind. After a month's hard work and the weekend's tech nightmare, I think we've earned ourselves lunch in town. 

Security culture module

Well, despite Finagle's Law, we've limped home over the finishing line.  Another tidy stack of security awareness content is packaged up and will shortly be ready for our subscribers to download, customize and deploy.

'Security culture' is the 63rd awareness topic we've covered, among the most challenging module to develop and yet also the most rewarding: it's clear, in retrospect, what an important topic this is for any organization that takes information security seriously enough to run an awareness program. In short, there is no better mechanism than an effective security awareness program with which to foster a security culture. How on Earth have we ducked the issue for so long?  

Perhaps it's a maturity thing. Perhaps it's cultural: we are forging new paths, heading way off the track well-beaten by more conventional security awareness programs. 

Just in case you missed it,
there's so much more to
security awareness than phishing!

I pity organizations that rely solely on their security and privacy policies. 'Laying down the law' is undoubtedly an important part of the process, necessary but not sufficient. If it were, speed limit signs coupled with the threat of prosecution would have long since curbed driving incidents: we'd be left dealing with genuine accidents, mechanical failures and so forth, but excess speed would hardly ever be an issue. Patently, it is not ... and that's despite the parallel investment in awareness, training and education. 

It doesn't take much to imagine the carnage on our roads if 'laying down the law' was all that happened.

Turns out it's not too hard to elaborate on the business benefits of a corporate security culture. There are genuine business reasons for managers, in particular, to take this seriously, something that Enron, Sony and Equifax management and stakeholders might appreciate more than most.

We'll complete the delivery and update the website tomorrow, once the final stages of the computer rebuild are completed. It has been a long weekend!