Showing posts from January, 2018

Distracted, again

Today was a glorious summer day in Hawke's Bay - about 30°C under clear blue skies, hot sun and plenty of greenery thanks to the odd thunderstorm lately. Not exactly the ideal weather for slaving away in the office. As I was hootling down the track on the 4x4 farmbike on my way to turn off our water pump this afternoon, I turned to look across our paddock ... and saw Maka ("maarka"), our tame/pet red deer hind, sniffing at a little brown wobbly thing, staggering drunkenly around as it struggled to stand on the slope. The fawn was only an hour or so old. We didn't even know Maka was pregnant, let alone due today, so it was a very pleasant surprise. Mother and baby are doing well. We feel like proud grandparents.

Turning the tables

Social engineers exploit their "knowledge" of psychology to manipulate and exploit their victims. So how about we turn the tables - use our knowledge of psychology to counter the social engineers? That thought popped unexpectedly into my head over the weekend as I was grubbing weeds in the paddock. I've been mulling it over ever since, making hardly any progress to be honest. One thing that occurs to me is that social engineers are potentially just as vulnerable to manipulation as their victims, although they have the advantage of having consciously and deliberately performed their attacks ... which could in fact be a weak point: if they believe they are in the driving seat, they may not anticipate being driven. There is some evidence of this, for example 419ers (advance fee fraudsters) have occasionally been led along the garden path by savvy targets. Scam-baiting became A Thing about a decade ago, relatively amateurish though and risky to boot: the authoritie...

The business case for security awareness

A day or so ago I wrote about organizations being pressured into security awareness for compliance reasons. With some exceptions, compliance is externally imposed and doesn't directly benefit the organization through increased profits - rather it avoids or reduces the losses and costs (including penalties) associated with non-compliance. That is still a financial benefit but with negative, oppressive connotations. Today I'm moving on to more positive, profitable matters, the business benefits arising from security awareness and training, of which there are several:

- Better recognition and identification of information risks
- More appreciation and understanding of information risks
- Fewer, less costly incidents
- Better governance
- Greater organizational and personal resilience
- Organizational learning and sustained improvement (maturity)
- A genuine, deep-rooted and all-encompassing corporate security culture
- Deterrence
- Getting the most out of other information security control...

The compliance case for security awareness

Security awareness may be something you have to do for compliance reasons (mostly to avoid penalties) or something you want to do to gain the benefits, often both. Today I'll concentrate on the compliance aspects, the most straightforward part, leaving the business case for another day's blogging. Compliance pressures come at us from all sides!

- Laws and regulations: many information-related laws and regs mandate adequate information security, particularly those concerning privacy and governance, plus those applicable to the healthcare, financial services, government, infrastructure/utility and defense industries. Some of them specify awareness and training explicitly, others are more circumspect, typically referring to ensuring compliance without saying precisely how to achieve that.
- Contracts and agreements: PCI-DSS is the classic example of a contractual obligation to secure information, specifically cardholder information relating to credit and debit cards. Security awar...

Revising a backup tip-sheet

I've been talking about simplifying our awareness content, making the materials more actionable, more direct in style - and here's an example. Dipping into our stash of awareness content I discovered an awareness briefing on "Data backups" written six and a half years ago. It's not a massive tome, just a single A4 side of information, and the content hasn't aged significantly (although "PDA" is not an acronym we hear much these days!). But the written style needs some adjustment. The original started out with a summary: "IT Department makes regular backups of data on the network drives so computer users must either store all their information on the corporate network, or make alternative backup arrangements. Make sure you have good backups before it is too late." The first sentence is passive, referring to "computer users" in the third person, rather than speaking directly to the reader. I have railed before about the term ...

Protecting information in the cloud

The graphic is about securing data in the cloud, taking us into the realm of cloud computing and Internet security. At the end of my previous blog item, I mentioned that I'd be looking for situations where tightening security by adding additional controls is not necessarily the best approach, and sure enough here's one. Putting corporate and personal data into the cloud involves a significant increase in some information risks, compared to keeping everything in-house. Strong encryption of both data comms and storage is a substantial and obvious control - necessary but not sufficient to mitigate the cloud risks entirely. Many other information security controls can be applied to reduce the risks further. However the costs increase all the time. Extremely risk-averse organizations may take the position that cloud computing is simply too risky, even with strong controls in place, so they partially or wholly avoid it ... which also means forgoing the benefits,...

Microwave ready meals

February's working title "Protecting information" is so vague as to be almost meaningless, yet it is written in an active sense, hinting at the process or practice of protecting information - the things we actually do, or should consider doing at least. We might instead have gone for "Information protection", placing more emphasis on the principles than the practices but, in keeping with yesterday's piece about engaging our reader on an individual basis, the new materials will be relatively simple and pragmatic: I'm thinking checklists and action plans, stuff that the reader can pick up and use directly. More "Microwave ready meal" than "Michelin chef's secret recipe". Leafing through our stash of awareness content, we have previously delved into information classification schemes (what they are for, how they are designed and how they typically work): this time around we might skim or ignore the theory to focus on using classific...

Awareness styles

Over the past couple of months, I've written and published a suite of 'Hinson tips' on another passion of mine: amateur radio. The tips concern a cutting-edge development in digital communications, and how to get the most out of the associated software. I've had a lot of feedback on the tips, reflecting global interest in the new software and, I guess, the need for more guidance on how to use it. The reason I'm bringing it up here is that my writing style appears to have influenced the nature of the feedback I'm getting from, and my relationship with, the readers. I honestly wasn't expecting that. There was already a reasonably comprehensive help file for the program, well-written but in a fairly formal and dry technical style typical of technical manuals (not those ineptly translated from Chinese via Double Dutch!). A constant refrain is that people don't read the help file, just as we don't RTFM (Read The Flamin' Manual!). I suspect part of ...

Archives come in pairs

The topic for February: 'protecting information' is the working title, a deliberately vague term giving us plenty of latitude. Exactly what we will bring up, how we will raise and discuss things, the specific awareness messages we will be drawing out and so on is not determined at this point. It will become clear during January as we complete our prep-work and develop the awareness materials. This morning, in connection with a discussion thread on the ISO27k Forum, I've been contemplating information risk management in a general sense by thinking through a situation, coming up with a specific example that draws out a much broader learning point. Briefly setting the scene, the thread was started by someone asking whether it is really necessary under ISO/IEC 27001 to have a policy on risk-assessing valuable documents individually. We talked about grouping related assets together (such as 'Contents of cupboard 12') and controls (such as electronic backups) b...

IoT and BYOD security awareness module released

The Internet of Things and Bring Your Own Device typically involve the use of small, portable, wireless networked computer systems, big on convenience and utility but small on security. Striking the right balance between those and other factors is tricky, especially if people don’t understand or willfully ignore the issues – hence education through security awareness on this topic makes a lot of sense. From the average employee’s perspective, BYOD is simply a matter of working on their favorite IT devices rather than being lumbered with the clunky corporate stuff provided by most organizations. In practice, there are substantial implications for information risk and security, e.g.:

- Ownership and control of the BYOD device is distinct from ownership and control of the corporate data and IT services;
- The lines between business use and personal life, and data, are blurred;
- The organization and workers may have differing, perhaps even conflicting expectatio...