I’m confused

Computing and technology are as delicate and fallible today as they were 30 years ago!

In the last 3 weeks we have experienced 2 major public IT failures.  I am slightly confused how they could both become so massive.


I entered the IT industry nearly 30 years ago.  Like so many in those days, I entered from a previous career and  fell into the profession.  Falling into it, we brought experiences with us from previous careers.  One thing we all acknowledged was the fallibility of technology, or anything mechanical.  We made sure we reduced risk wherever we could and where we couldn’t we had a fall back process. So what  is happening in this world today? (oh ‘eck I’m sounding like me Dad!).

This weekend, we saw British Airways (BA) grounding all its flights because of a catastrophic computer failure.  It is reported that this was caused by a massive power surge at their data centre.  We saw images of airports crammed with disappointed passengers and what looked like confused employees.  As I sat watching the news, my only thought was how could a massive power surge cause such damage?

30 years ago when I was involved in setting up my first data centre for a 1,500 bed hospital, we knew that a power surge on our delicate computing equipment could cause a failure we could find difficult to recover from.  So we installed a clean supply and a bank of Uninterruptible Power Supplies to smooth out that supply and maintain us long enough for generators to power up in the event of loss of power.  I can only assume that BA didn’t do this in their data centre. One that controls thousands of passenger journeys every day!  We also anticipated that a failure could result in loss of important patient data, so we had a ‘hot fail over’ where we could pick up normal IT services, albeit on a reduced capacity, but a service nevertheless.  And that ‘hot fail over’ was housed away from the main computer facility.  Finally we had manual fallback procedures which we had practised.  These procedures included staff assigned the responsibility of communicating with system users and hospital users. I didn’t see any of this on the news reports.

The measures we put into place were not cheap at the time and took some justification, weeks of writing business cases I remember.  When we lost power to the computer suite and no users noticed, it was justified.

Since then, technology has moved on and many of the things that were expensive then cost pennies now.   Especially when you put them against the cost of initial implementation and the cost of losing systems businesses have come to rely on. Finally there is the reputation damage, which is not always acknowledged.  This is anecdotal, but the view in my local on Saturday was heavily toward avoiding flying with BA for the foreseeable future.  Sure this will be forgotten over time but what will be the immediate cost?

Have we become complacent?  With our always on society and IT Service companies offering 99.999999% up time are we forgetting the fallibility of these devices?  I would suggest we probably are and it is time to re-evaluate.

One of the first lessons I learned about managing IT was three letters C I A .  No not the US intelligence agency, but maintaining Confidentiality, Integrity and Availability.  Those three letters stand as much today as they did all those years ago, even now, whenever I consider changes to IT or assessing risk, I recite CIA.  In fact they are probably more poignant. Risks haven’t reduced, they have changed and in some areas increased.  I don’t know how much this failure will have cost BA or how much WannaCry will have cost the NHS.  One thing that is certain, it will be more than putting technology, people and processes in place to reduce and manage the risks!

My final thought this morning was:  what will the ICO make of both the NHS and BA incidents?  They both involved personal data.  One involved damage through encryption and the other non-availability at the point of need.  Watch this space.  There could be even more cost winging its way.


GDP…What?

I must confess.  Until last summer I didn’t know much about GDPR.  I had heard a new data protection regulation was on the way, but that was the sum of my knowledge.  I felt that was a little shameful, as a person who specialises in assisting businesses to understand information risk management.  After all data protection is about managing your risks around the data you hold.

I went off and searched for information and found an abundance, probably too much and too complex and much of it aimed to scare, talking about fines of 4% of global turnover.  But I recall that I had to go and find information.  Nothing at that point had been ‘pushed’ to me.  Not that I can recall anyway.

Now I have an interest in understanding the regulation, but what about the general business population, how much do they understand?  I have been doing a few seminars on GDPR recently; whenever I ask the audience how many know about it, there are normally less than 10% who admit to knowing anything.  Then they appear almost embarrassed to be in a minority.  This prompted me to conduct a short survey amongst local businesses to understand the level of understanding and preparedness.  I can’t claim it to be scientific, but the findings are quite concerning.

The questionnaire was sent to local businesses, randomly selected from the Chamber of Commerce membership database and my own contacts.  It included a combination of small, medium, large and public sector organisations.  There was a 24% response rate, with 81% saying that they currently hold data that can identify individuals.  The responses were completely anonymous.

The first question asked how aware businesses were of GDPR.  32.5% declared no awareness at all, and a further 46.5% said they were aware of GDPR but did not understand how it would affect the business.  That is 79% of businesses who, as yet, have done nothing to prepare or don’t even know about it.  We are now only a year off the deadline for compliance!

Some businesses have started to examine the implications, but 34% of the respondents said they didn’t know when they would start.  This is coupled with the fact that 37% of the organisations have not yet defined or allocated any resource to the implementation.  It is even more concerning given that 42% indicated that they thought implementation would take between 6 months and 1 year, or even longer.

Why aren’t businesses prepared?  Why is knowledge of GDPR so low?  Well I take you back to my first paragraph.  I think businesses still have to go in search of the information.  When you find it, for most business leaders, it can be scary.  Some of it generates the FUD (Fear, Uncertainty and Doubt) that we had with cyber a few years ago.

There has been little information pushed from the powers that be.  When I compare GDPR to Auto Enrolment, I think every business leader in the country got personal correspondence from the DWP clearly telling them what they needed to do, however there has been nothing similar on GDPR.

The ICO has some excellent publications: ‘Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now’, being just one.  Isn’t it time the Government started pushing this information out to businesses and not expecting them to stumble upon it?  This is a big change for many businesses and they need support.


Can you afford to ignore cyber security

A quick scan of the Information Commissioner’s Office (ICO) website shows that since the beginning of August to 13 October, 17 enforcement notices have been made.  These range from a small fine for processing personal data when not registered with the commissioner, to the TalkTalk decision.  In total since August £840,650 has been levied in fines. Nearly a million pounds in just short of three months.  The TalkTalk decision makes up almost half of this amount, but two things are evident:  The ICO is looking at all types of business, small businesses are not immune; the TalkTalk decision sends a clear message to businesses of all sizes to take their IT security seriously.

In summary of the case the ICO states:

“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”

“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations.  TalkTalk should and could have done more to safeguard its customer information.  It did not and we have taken action.”

The ICO found against TalkTalk on the 7th Data Protection Principle: Security.  This states that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to personal data”.

As a result, by 2 November TalkTalk will have to hand over a cheque for £400,000 to the ICO. Ouch.  But added to this, profits have reduced by 56% and according to The Register in the month after the breach 9,000 customers did the WalkWalk.  It isn’t just the fine that hurts.

There is no doubt that the fines are increasing.  Hampshire Council have been fined £100,000 for leaving details of 100 people in a disused building. A GP surgery has been fined £40,000 for revealing details on one patient.  When the new General Data Protection Regulation is implemented the maximum fine that can be levied will increase to 4% of turnover.  That could be the ruin of some organisations.  It is clear from the ICO that they will not simply accept that a business has been hacked and that the hack is a crime.  They will expect businesses to demonstrate they have done all they can to prevent unauthorised access.  This latest finding almost puts Cyber Security on a level with Health and Safety and all organisations should begin to take it seriously.

Reading the ICO statement, how many organisations can honestly say they do ‘all’ they can to avoid data loss?  When I, as a consumer share my details, how can I be sure that the organisation I am sharing with has done all it can?

I suppose the first step for most organisations is Cyber Essentials.  Launched by the UK government in 2014, some experts suggest that implementing the 5 basic controls could reduce the risk of simple commodity attacks, such as the one against TalkTalk, by 80%.  One blogger, an early implementer of Cyber Essentials, suggested that even though they held the ISO27001 certification (a much more complex assessment), they still learned from implementing Cyber Essentials. When the scheme was launched in 2014 Christopher Graham, the Information Commissioner of the time, was quoted as saying “Cyber Essentials enables businesses to demonstrate that they are taking action to control the risks”. Now it doesn’t say that they would be exempt from prosecution, but there are demonstrable mitigations to the risks.  A few hundred pounds on Cyber Essentials and time implementing and monitoring it annually has to be a reasonable investment.

Cyber Essentials may go some way to satisfying the ICO, but what about the customers of a business?  The Cyber Essentials badge should also go some way to satisfying the customer that the business takes security seriously.  However, the badge isn’t everything.  Before trusting it completely ask the business when they were last certified.  One weakness of the certification is the lack of an expiry date.  Technically a business who certified at the start of the scheme can still say they have Cyber Essentials today, even though they haven’t done anything since. It isn’t a one-off process; to keep current, businesses should renew yearly, just like a Cyber MoT.

Featured image by Alexander Baxevanis (used under Flickr Creative Commons Licence)

Let’s reduce the use of the ‘C’ Word

JCB Backhoe Loader
An Asset – Picture by Ramesh NG

Prior to acquiring a new asset like the lovely digger in the picture above, a business would assess:

  • Can we afford it?
  • Do we buy outright or lease?
  • What will the on-going costs be?
    • insurance;
    • maintenance; etc.
  • Do we have the skills in the organisation to use it?
    • Can anyone use it or do we need to train a specific cohort of people to use it?
  • What risks come with owning it?
    • Could it be stolen?
    • What happens if it breaks down?
    • Could it increase the damage we could do, over a man and a spade? (I don’t work in construction)
    • If we become reliant on it, what will happen if it is no longer there?

So why don’t similar questions get asked about the information assets a company owns?  Would the company that buys the digger necessarily think the same way about its information assets?  Do they view information as an asset?  It appears that many businesses, large and small, don’t, and don’t view the tools they use to access information as assets either.  What would they do though if the information they have come to rely on and take for granted was unavailable?

Without access to information, how long would the average company last? There is a massive amount of information about this on the internet,  some ‘facts’ I have found include:

  • 30% of all businesses that have a major fire go out of business within a year. 70% fail within five years. (Home Office Computing Magazine).
  • 60% of companies that lose their data will shut down within 6 months of the disaster.
  • 93% of companies that lost their data centre for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. 50% of businesses that found themselves without data management for this same time period filed for bankruptcy immediately. (National Archives & Records Administration in Washington).
  • Companies that aren’t able to resume operations within ten days (of a disaster hit) are not likely to survive. (Strategic Research Institute).

So why would an organisation spend time and effort assessing the business risk around an asset like a digger and not do the same for their information assets?  It is no more difficult, is it?

Well it probably is.  For one thing information is not tangible any more. Pre-computers it was: one could hold it, see it, know where it was.  Today it is a bit mysterious.  But there is more of it and we are actually more reliant on it. Secondly, for years the technology industry has been selling the message – information is safer stored electronically.

A whole industry has grown up around information security and with it a culture.  One that is cloaked in mystery and techno speak.  Language that is not aligned to business. A language that can generate massive amounts of FUD (Fear Uncertainty and Doubt) and this is probably the major issue.

Nearly 30 years ago when I first ventured into IT we revelled in our own language.  A language that made us feel special, aloof and expensive!  After many spectacular IT failures the profession realised that to achieve success it had to align to business needs and work alongside the business to deliver goals.  I see parallels emerging with the Security Industry.  We need to better align with business and make the risks associated with information relevant to the business.  Understand what the business wants to achieve and help them do that safely, easily and cost-effectively.  We need to work alongside the business. The ‘C’ word – Cyber (oh heck I’ve said it) – scares many business leaders into inertia, so let’s reduce the use of it, speak our customers’ language and see where that gets us.

Feature image by: www.gotcredit.com


Password INCORRECT

Art of Deception

I have just finished reading ‘The Art of Intrusion’ by Kevin Mitnick and William L. Simon.  Some may remember the name Mitnick, he is probably one of the most famous hackers of all time.  In this book Mitnick and Simon present real life cases of computer hacking.  Whilst it is now ten years old, many of the stories told in the book are, sadly, still relevant today.  What took my attention was the statement at the very end of the book: pages 258 & 259 to be precise, which I hope Mr Mitnick and Mr Simon don’t mind me reproducing here:

“And that seems like a powerful message to end with. If every computer user were to improve his or her passwords tonight — and not leave new passwords in some easy-to-find place — then tomorrow morning, we would suddenly find ourselves living in a much more secure world.

We hope that will be an action message for every reader of this book.”

I’m sure the book has had success, but how many people have taken note of that last paragraph and actioned it?  The message about passwords is forever being talked about.  Every year SplashData produce a list of the top passwords used worldwide. In 2015 the number 1 position was held by the password ‘123456’, closely followed in second position by ‘password’ and then ‘12345678’.  One of the first things hackers want is to get hold of a password.  Once they have one of these, their task is much easier, and it looks like the users of computers are not making this too difficult.

Passwords are a pain though.  I think I have over 70 now, and trying to dream up new passwords for every site/system and then changing them regularly is even harder.  It is recommended that passwords are complex, between 8 and 12 characters, and also contain special characters such as #^&? etc.  So personally, I am expected to remember:

  • 840 characters;
  • the associations of those characters to sites/systems;
  • the reminders that will help me remember my password!

And change them all regularly.  If I follow security recommendations of changing passwords every 90 days, that means annually I am having to remember 3,360 characters just in connection with my computer activity.  That’s hard and is probably the reason people reuse them, write them down or have ridiculously simple ones. But until something more reliable comes along we are stuck with the dreaded things and we have to make the best of them.

When reading Mitnick’s final paragraph, I remembered the work that had recently been published by CESG in cooperation with CPNI – ‘Password Guidance: Simplifying Your Approach’.  In what seems to be a very well written and straightforward document they recommend, amongst other things, lightening the burden on users.  Specifically they state:

  • Users have a whole suite of passwords to manage, not just yours.
  • Only use passwords where they are really needed.
  • Use technical solutions to reduce the burden on users.
  • Allow users to securely record and store their passwords.
  • Only ask users to change their passwords on indication or suspicion of compromise.
  • Allow users to reset passwords easily, quickly and cheaply.
  • Do not allow password sharing.
  • Password management software can help users, but carries risks.

This seems sound practical advice.  So I would recommend that if tomorrow, every business looks at their password policy and revises it in line with the CESG advice then we could find ourselves living in a much more secure world.
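To make the contrast concrete, here is an added example (not from the original post, and not CESG’s or CPNI’s own tooling) that puts the two regimes side by side in code: the legacy ‘8 to 12 characters, a special character, change every 90 days’ rule described above, and a CESG-style rule that checks length and a denylist of known-bad passwords, imposes no composition rules and only forces a change on suspected compromise. The denylist holds only the three SplashData entries the post names; the minimum length of 8 for the CESG-style rule is an assumed value, as the guidance quoted above gives no number; all candidate passwords and dates are constructed for the demonstration.

```python
from datetime import date, timedelta

# Constructed denylist: only the three SplashData 2015 entries named in
# the post. A real deployment would load a full breached-password list.
COMMON_PASSWORDS = frozenset({"123456", "password", "12345678"})

# Legacy regime the post describes: 8 to 12 characters, at least one
# special character from this set, and a forced change every 90 days.
LEGACY_SPECIALS = set("#^&?")
LEGACY_ROTATION = timedelta(days=90)

# CESG-style regime: a minimum length (8 is an assumed value), a denylist,
# no composition rules and no scheduled expiry.
CESG_MIN_LENGTH = 8


def legacy_check(password: str) -> list:
    """Return the reasons a password fails the legacy composition rules."""
    problems = []
    if not 8 <= len(password) <= 12:
        problems.append("length must be 8 to 12 characters")
    if not any(c in LEGACY_SPECIALS for c in password):
        problems.append("must contain one of # ^ & ?")
    return problems


def legacy_change_required(last_changed: date, today: date) -> bool:
    """Legacy rule: force a change once the password is 90 days old."""
    return today - last_changed >= LEGACY_ROTATION


def cesg_check(password: str) -> list:
    """Return the reasons a password fails the CESG-style rules."""
    problems = []
    if len(password) < CESG_MIN_LENGTH:
        problems.append(f"shorter than {CESG_MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    return problems


def cesg_change_required(compromise_suspected: bool) -> bool:
    """CESG rule: change only on indication or suspicion of compromise."""
    return compromise_suspected


def compare(password: str) -> dict:
    """Evaluate one candidate under both regimes."""
    return {
        "password": password,
        "legacy_accepts": not legacy_check(password),
        "cesg_accepts": not cesg_check(password),
    }


def rotation_demo() -> dict:
    """Constructed dates: a password set four months before 'today'."""
    set_on = date(2015, 12, 1)
    today = date(2016, 4, 1)
    return {
        "legacy": legacy_change_required(set_on, today),
        "cesg": cesg_change_required(compromise_suspected=False),
    }


if __name__ == "__main__":
    # Constructed candidates: the two worst SplashData entries, a
    # rule-compliant but weak password, and a long passphrase.
    for candidate in ("123456", "password", "P&ssw0rd", "correct horse battery staple"):
        print(compare(candidate))
    print(rotation_demo())
```

Run as written, the legacy rule accepts ‘P&ssw0rd’ (it ticks every box) yet rejects the long passphrase for being over 12 characters and lacking a special character, which is exactly the burden the post complains about; the CESG-style rule does the reverse. Both reject ‘password’ and ‘12345678’, but for different reasons, and the denylist is only as good as the list behind it, so the CESG-style check would also wave ‘P&ssw0rd’ through until a fuller breached-password list is loaded.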

Reducing the risk of this:

Password - Incorrect

Featured image by: Eric Schmuttenmaer


Now have I patched my wet ware?

Divers in Peaches
Picture by: Hans-Peter

No, this blog is not about diving or any other type of sport where one might get wet.  Wet Ware is a rather unattractive name some security professionals give to the user of a computer system.  It is claimed that it is impossible to ‘patch’ Wet Ware, which results in it being the most vulnerable part of most systems.

In my last blog, I suggested that not all cyber (I am growing to dislike this term) incidents can be prevented by technology.  There had been a recent incident at Lincoln County Council, which had been caused by a user opening a bad email and clicking the link it contained.  Patching our wet ware (last reference I promise) is actually becoming more important than ever.  It is not impossible, but it is not a small task.

In the PWC Information Security Breaches Survey 2015 it was reported that 50% of the worst security breaches in the year were caused by inadvertent human error.  The numbers are rising as well.  There was a 58% increase in large companies and a 31% increase in small companies of breaches as a result of human error.

Dealing with this is multifaceted:

  • The top of the organisation has to be seen to ‘do the right thing’.  If top management are ‘gung-ho’ in handling company information, then you can be sure the rest of the organisation will be.
  • Policies and procedures.  I know these are considered a pain.  But they don’t have to be, they can be short and only cover what is needed.  Policies and procedures are important they give employees a reference point.  I have very different standards in the management of my information to that of some of my customers, but their policies give me a point of reference to how I should behave.  Without that I may do my own thing.  What policies should a business consider?  That depends largely on the risks they feel they are mitigating but as a minimum the following could be considered:
    • Document control.  Where and how is information stored, who can access the stores? How long do you retain the information for your records?
    • Protective marking of information.  Ask yourself a question:  If I rang your company, spoke to a secretary, sounded knowledgeable and asked for some information, would they know if I was allowed to see it?  A simple marking system which indicates the level of sensitivity of the information would provide that guidance.  So if I rang and asked to see a document that was marked Company Eyes Only, they would instantly know that they could not send it outside of the organisation.
    • Joiners, Movers and Leavers actions.  What do you do with system access rights on each of these occasions?
    • Use of removable media like USB sticks, CDs or Cloud transfer services such as OneDrive, DropBox etc.  Once data leaves your system and enters one of these environments, what control do you have?
    • Bring your own device.  What devices of their own are you going to allow your employees to use for work related activity?  What are their responsibilities if they do use their own technology?  What are you going to do to prevent loss of data on that device, etc.?
  • Training. You have your policies and procedures and now you have to inform people what they are, how to use them and why they are relevant.  In addition to training on the policies, I would also include training on responsible business use of the internet and especially social networking.

In the bullet points above, I have skimmed the surface of what organisations should consider to ensure their employees don’t become the weakest link in the Information Security Chain.  Combine this with general development and it will not become too onerous a task.  Certainly a lot less hassle than a breach, which the PWC report says now costs on average £40,000 – £250,000 for small companies and between £800,000 and £2.1m for large ones.  Ouch!

www.sandettie.co.uk
