I’m confused

Computing and technology is as delicate and fallible today as it was 30 years ago!

In the last 3 weeks we have experienced 2 major public IT failures.  I am slightly confused how they could both become so massive.


I entered the IT industry nearly 30 years ago.  Like so many in those days, I entered from a previous career and fell into the profession.  Falling into it, we brought experiences with us from previous careers.  One thing we all acknowledged was the fallibility of technology, or anything mechanical.  We made sure we reduced risk wherever we could, and where we couldn’t we had a fallback process. So what is happening in this world today? (oh ‘eck, I’m sounding like me Dad!).

This weekend, we saw British Airways (BA) grounding all its flights because of a catastrophic computer failure.  It is reported that this was caused by a massive power surge at their data centre.  We saw images of airports crammed with disappointed passengers and what looked like confused employees.  As I sat watching the news, my only thought was how could a massive power surge cause such damage?

30 years ago, when I was involved in setting up my first data centre for a 1,500 bed hospital, we knew that a power surge on our delicate computing equipment could cause a failure that we could find difficult to recover from.  So we installed a clean supply and a bank of Uninterruptible Power Supplies to smooth out that supply and maintain us long enough for generators to power up in the event of loss of power.  I can only assume that BA didn’t do this in their data centre. One that controls thousands of passenger journeys every day!  We also anticipated that a failure could result in loss of important patient data, so we had a ‘hot fail over’ where we could pick up normal IT services, albeit on a reduced capacity, but a service nevertheless.  And that ‘hot fail over’ was housed away from the main computer facility.  Finally, we had manual fallback procedures which we had practised.  These procedures included staff assigned the responsibility of communicating with system users and hospital users. I didn’t see any of this on the news reports.

The measures we put into place were not cheap at the time and took some justification; weeks of writing business cases, I remember.  When we lost power to the computer suite and no users noticed, it was justified.

Since then, technology has moved on and many of the things that were expensive then now cost pennies.  Especially when you put them against the cost of initial implementation and the cost of losing systems that businesses have come to rely on. Finally there is the reputation damage, which is not always acknowledged.  This is anecdotal, but the view in my local on Saturday was heavily toward avoiding flying with BA for the foreseeable future.  Sure, this will be forgotten over time, but what will be the immediate cost?

Have we become complacent?  With our always-on society and IT service companies offering 99.999999% uptime, are we forgetting the fallibility of these devices?  I would suggest we probably are, and it is time to re-evaluate.

One of the first lessons I learned about managing IT was three letters: C I A.  No, not the US intelligence agency, but maintaining Confidentiality, Integrity and Availability.  Those three letters stand as much today as they did all those years ago.  Even now, whenever I consider changes to IT or assess risk, I recite CIA.  In fact they are probably more poignant. Risks haven’t reduced, they have changed and in some areas increased.  I don’t know how much this failure will have cost BA or how much WannaCry will have cost the NHS.  One thing that is certain: it will be more than putting technology, people and processes in place to reduce and manage the risks!

My final thought this morning was: what will the ICO make of both the NHS and BA incidents?  They both involved personal data.  One involved damage through encryption and the other non-availability at the point of need.  Watch this space.  There could be even more cost winging its way.


Now have I patched my wet ware?

Divers in Peaches
Picture by: Hans-Peter

No, this blog is not about diving or any other type of sport where one might get wet.  Wet Ware is a rather unattractive name some security professionals give to the user of a computer system.  It is claimed that it is impossible to ‘patch’ Wet Ware, which results in it being the most vulnerable part of most systems.

In my last blog, I suggested that not all cyber (I am growing to dislike this term) incidents can be prevented by technology.  There had been a recent incident at Lincoln County Council, which had been caused by a user opening a bad email and clicking the link it contained.  Patching our wet ware (last reference, I promise) is actually becoming more important than ever.  It is not impossible, but it is not a small task.

In the PWC Information Security Breaches Survey 2015, it was reported that 50% of the worst security breaches in the year were caused by inadvertent human error.  The numbers are rising as well.  Breaches resulting from human error rose by 58% in large companies and by 31% in small companies.

Dealing with this is multifaceted:

  • The top of the organisation has to be seen to ‘do the right thing’.  If top management are ‘gung-ho’ in handling company information, then you can be sure the rest of the organisation will be.
  • Policies and procedures.  I know these are considered a pain.  But they don’t have to be; they can be short and only cover what is needed.  Policies and procedures are important: they give employees a reference point.  I have very different standards in the management of my information to those of some of my customers, but their policies give me a point of reference for how I should behave.  Without that I may do my own thing.  What policies should a business consider?  That depends largely on the risks they feel they are mitigating, but as a minimum the following could be considered:
    • Document control.  Where and how is information stored, and who can access the stores? How long do you retain the information for your records?
    • Protective marking of information.  Ask yourself a question: if I rang your company, spoke to a secretary, sounded knowledgeable and asked for some information, would they know if I was allowed to see it?  A simple marking system which indicates the level of sensitivity of the information would provide that guidance.  So if I rang and asked to see a document that was marked Company Eyes Only, they would instantly know that they could not send it outside of the organisation.
    • Joiners, Movers and Leavers actions.  What do you do with system access rights on each of these occasions?
    • Use of removable media like USB sticks, CDs or cloud transfer services such as OneDrive, DropBox etc.  Once data leaves your system and enters one of these environments, what control do you have?
    • Bring your own device.  What devices of their own are you going to allow your employees to use for work-related activity?  What are their responsibilities if they do use their own technology?  What are you going to do to prevent loss of data on that device, etc.?
  • Training. You have your policies and procedures, and now you have to inform people what they are, how to use them and why they are relevant.  In addition to training on the policies, I would also include training on responsible business use of the internet and especially social networking.

In the bullet points above, I have skimmed the surface of what organisations should consider to ensure their employees don’t become the weakest link in the Information Security Chain.  Combine this with general development and it will not become too onerous a task.  Certainly a lot less hassle than a breach, which the PWC report says now costs on average £40,000 – £250,000 for small companies and between £800,000 and £2.1m for large ones.  Ouch!

www.sandettie.co.uk



Do I need a cyber-proof widgimewit?

Cyber Widget
Picture by Dan Zen

Cyber Security is not about technology.  Cyber Security is about managing a corporate risk, and that means assessing it as a whole: People, Process and Technology, and putting up the correct level of mitigation.  When I read about Cyber Security, all I seem to see is technology that I need to buy to prevent bad people gaining access to my network, PC, tablet or phone.  Technology is one element and, to my mind, something best left to the technologist once the risk is evaluated and understood.  Without understanding the risks it is easy to spend a fortune on the latest cyber-proof widgimewit which is actually unnecessary for your level of risk and isn’t doing much for you.

One area I see constantly neglected is staff training.  When I first started to work in an office, we were fairly good at managing and protecting our information.  We were trained on the filing system, and cabinets and offices were locked at the end of the day.  If a file was loaned, tracers were used, and the office I worked in used a marking system so we knew how much of various pieces of information we could share, which I understand was common practice in most large companies.  If you dared to mess up the filing, not complete a tracer card or not enter a new document into the register, you risked the wrath of the office manager.

With the use of electronic filing systems, discipline seems to have gone out of the window, along with the training that went with it.  After all, the technology will take care of it, won’t it? No.  And these bright young people we employ will work it out for themselves, won’t they? No.  The technology not only brings with it a potential for poor information management processes, it also brings additional information security headaches, and they can’t all be solved with technology.  Take the recent example of Lincolnshire County Council.  Last week they experienced the dread of a ransomware attack: a piece of malicious software that scrambles the data on computers, rendering it useless.  For a fee, the attackers claimed they would provide the key to unscramble the data.  It was reported that the council did not pay the ransom. That was the right thing to do, but they subsequently spent considerable time fixing the problem, during which no IT was available and, effectively, business was suspended.  This must have cost the Council, not only cash, but also damage to their reputation.  What caused the problem?  A link in an email was clicked by a member of staff and this triggered the malware.  I have to say, there but for the grace of god go I.  Only this week I was nearly fooled by one of these emails, but the knowledge I have makes me a little more cautious and makes me always have a second read.  It is time that we re-instilled the discipline and training that we used to have around information. I am not saying that training would have prevented the particular incident in Lincoln, but it could have.


What’s in your top 10


Top Ten
Picture by: woodleywonderworks

On 20 January this year, The Times reported the Top 10 Business Risks as:

  1. Reputation
  2. Cyber Liability
  3. Supply Chain
  4. HR-Related Risk
  5. Intellectual Property Theft
  6. Climate Change
  7. Catastrophe Risk
  8. Political Risk
  9. Mass Migration & Social Upheaval
  10. Internet of Things

I was heartened to see Cyber Liability included in this list and considered alongside general business risks.  That’s its rightful place.  The risks associated with cyber are intertwined with other business risks and therefore should not be considered separately or differently.

Let’s take a closer look at that list and see just how much Cyber is intertwined:

Reputation – a good reputation can be lost in a second.  What would you think of a company that lost its customer records?  Would you want to trust them with yours?  So when considering reputation in the modern world, you don’t just need to consider your good service standards, slick processes etc., but also what a cyber attack would do to your reputation.

Supply Chain – OK, they provide you with a great service at a good price, but do they care as much about their cyber risk as you do?  If not, they could become a weak link in your defences.  So in assessing your supply chain, you now need to consider how they manage their cyber risk.

Intellectual Property Theft – If you have valuable Intellectual Property, consider how you will protect it.  Think.  It is probably easier and cheaper to attempt to steal it through a cyber attack than any other way.

Internet of Things – Who really knows what effects this will have on business in the future?  We can be certain it will have some, though.

As you can see, the 5 are closely linked, reinforcing the message that Cyber Risk cannot be considered standalone.

In the article, a lot of reference was made to risk transfer, in layman’s terms insurance, but I pose the question: is insurance going to cover everything?  Surely all policies will require the insured to have taken reasonable steps to prevent an attack.  Taking a non-IT related example: I have car insurance for accident and theft.  If I leave my car with the keys in and it is stolen, the insurance will not pay out.  They claim, probably quite rightly, that I haven’t taken reasonable steps to secure the vehicle.  So, if I have cyber insurance and I’m running out-of-date software with known issues and experience a cyber attack, will the insurance companies take the view that I didn’t take reasonable steps to secure my systems?  So I would recommend that, before considering the transfer option, all companies look at doing what they can to reduce the cyber risk. Cyber Essentials is a great start, and for those wanting a bit more, The 10 Steps to Cyber Security is the next step.
