Browsing articles in "Information Security"

Embrace ISO 27001

Oct 15, 2015   //   by David   //   Blog, Information Security  //  No Comments

‘Info Sec sits with the IT Department’ is a comment I hear regularly from clients in the Business Continuity area. Of course, in many organisations it does. The risk for those of us who specialise in BC is that Information Security becomes more and more important to Executives and Business Continuity gets pushed to the bottom of the heap.

Again, a trend I see when doing supply chain reviews for clients is that companies who have ISO 27001 say that their BC plan complies with that Standard and that this is sufficient. They have no interest in achieving ISO 22301, as what they have already complies with a Standard.

And guess what?  Most companies are happy to accept that as sufficient evidence of their supply chain being suitably covered!

Selling the need for Information Security (or ISO 27001) is fairly easy: the fear factor works a treat here! You just need to list the hacks and leaks: Sony, Ashley Madison, various banks and many more.

Selling BC is a more difficult matter. Yes, you can cite plenty of examples of incidents, but they rarely hit home in the same way. That is often because the media loves to focus on security breaches: for example, the New York Times had 700 stories about security issues last year!

So is ISO 27001 a threat or a benefit to those of us who come from a BC background? Well the obvious answer is that it is both!

Just look at our own Institute’s threat survey, which showed that cyber-attacks were the number one threat. If that is what our respondents are saying, we must address their concerns.

What if you don’t know about Information Security, though? You may have no technical background, and it may mean little or nothing to you when the jargon starts to roll out.

Actually, you know more than you think! Step back a little: all of us in the BC world know a great deal about running exercises, and they will have covered just about any issue you want to name: fire, flood, plague of frogs (a very specialist one, that!), pandemics and many more. A security breach is just another incident, so if you want to start showing how much value a BC person can add, try running an exercise on a security breach.

You can easily Google information to give you a good technical-sounding starting point, or someone in IT can explain how a breach could occur if you don’t know yourself. In the end, though, our exercises often start by simulating the response AFTER an event, so the ‘how’ isn’t always so critical.

The key focus should be on reputational damage at one end and steps to prevent a repeat at the other.  This is a good chance to test how well your Comms spokesperson can respond to the firestorm that will happen in the media and on Twitter. Your reputation is at risk and a poor response can be catastrophic.

It is also a chance to put your IT Department under pressure on how they would cope!

Being more involved

An exercise is a good start for a BC person, but what next? Well, good security is more than technical prevention.

Many, many breaches are caused by human decisions and errors: opening attachments that hide viruses and clicking on links. Good information security follows the 90/10 rule: 10 percent of security is technical and 90 percent relies on you adhering to policies and good practices.

For example, the lock on the door is 10 percent. You remembering to lock it, checking to see if it is locked, ensuring others do not prop the door open, and keeping control of keys is 90 percent.

So get a copy of ISO 27001:2013, read the requirements, be surprised at how much you recognise, and begin to work on adding it into your BIAs (Business Impact Analyses) and BCPs (Business Continuity Plans).

Embrace ISO 27001 and turn a threat into an opportunity!

The top causes of data disasters

Jun 15, 2014   //   by David   //   Blog, Information Security  //  No Comments

I have this post from Continuity Central; it needs nothing added!

The top causes of data disasters…

HDD crashes prevail as the most common cause of data loss according to a recent global survey by Kroll Ontrack. 72 percent of those surveyed noted that their most recent data loss came from a desktop or laptop hard drive, followed by SSD (15 percent) and RAID/virtual services (13 percent), showing that data loss impacts every type of storage from the individual user up to the enterprise level.

When asked about the cause of their most recent data loss, 66 percent (compared to 29 percent in 2010) of the 1,066 surveyed across North America, Europe and Asia Pacific, cited a hardware crash or failure, followed by 14 percent claiming human error (compared to 27 percent in 2010). Software failure ranked as the third most common cause of data loss with 6 percent.

Looking at individual response segments, laptop and PC crashes prevailed as the leading cause of data loss among both businesses (71 percent) and home users (72 percent), and SSD device loss ranked second, accounting for 18 percent of data loss cases for home users and 10 percent for businesses.

Among businesses, 27 percent said their most recent loss disrupted a business process, such as prohibiting them or their company from actually providing a product or service to their customers. A further 15 percent admit to losing personal data from their business machine, contrasted with 7 percent who acknowledged losing business-related data from their home machine.

Kroll Ontrack surveyed 1,066 recent data recovery customers from 10 countries across North America, Europe and Asia Pacific. Forty-eight percent were businesses, 32 percent were home users, 13 percent were partners and 3 percent were government entities.

http://www.krollontrack.co.uk/data-recovery 

The eBay Effect

May 28, 2014   //   by David   //   Blog, Information Security  //  No Comments

Everyone will have heard about the problems at eBay, and there is little to be gained by going over it, but one point that is probably worth mentioning is the risk of using the same password for multiple sites.

The danger of your password being found by hackers goes beyond the site they have compromised. How many people use the same password across multiple sites, often with their email address as the login? If a hacker gets that combination, they can happily try it on lots of other common sites to see whether you have an account there (the technique is known as credential stuffing). Go on, admit it, you use the same login for eBay, Amazon and probably your email as well, don’t you?

I know we all now have so many online presences, and so a corresponding number of logins and passwords, that many folk simply feel it is easier to take the risk of using the same one many times rather than the risk of never remembering one!

There are many sites offering good advice on how to get around this, but this is probably one of the easiest:

http://www.wikihow.com/Create-a-Password-You-Can-Remember
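The reuse risk described above, seen from both sides, as an added example that is not part of the original post or of any vendor's tooling: the first function audits a password-manager style export for passwords shared across sites (the situation the post warns about), and the second flags a source IP that is trying many different leaked email/password pairs against one site, which is what the "try lots of other common sites" attack looks like in the target's own login logs. The vault entries, the log lines, the `ip=... user=... result=...` log format and the detection thresholds are all constructed or assumed for illustration.

```python
"""Added example: password reuse audit and credential-stuffing detection.

Not code from the original post. The sample vault entries and log lines
below are constructed for illustration; the log format and the detection
thresholds are assumptions, not any product's defaults.
"""
import re
from collections import defaultdict

# --- 1. Audit a credential list for passwords shared across sites -----------

# Constructed sample of (site, login, password) as a password-manager export
# might contain. "pa55word" is deliberately reused on three sites.
SAMPLE_VAULT = [
    ("ebay.com", "dave@example.com", "pa55word"),
    ("amazon.com", "dave@example.com", "pa55word"),
    ("mail.example.com", "dave@example.com", "pa55word"),
    ("bank.example", "dave@example.com", "Tr0ub4dor&3-unique"),
]


def find_reused_passwords(vault):
    """Return {password: sorted list of sites} for every password that appears
    on more than one site. A leak from any one of those sites exposes all of
    them, so each group is one password reset away from being safe."""
    sites_by_password = defaultdict(set)
    for site, _login, password in vault:
        sites_by_password[password].add(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items()
            if len(sites) > 1}


# --- 2. Spot credential stuffing in a site's own authentication log ---------

# Constructed log lines (assumed format): a legitimate user who mistypes once,
# and one source IP cycling through many different leaked logins. Exactly one
# of those leaked pairs works, because that person reused their password here.
SAMPLE_LOG = """\
2014-05-28T09:00:01Z ip=198.51.100.7 user=alice@example.com result=FAIL
2014-05-28T09:00:09Z ip=198.51.100.7 user=alice@example.com result=OK
2014-05-28T09:01:00Z ip=203.0.113.5 user=a.jones@example.com result=FAIL
2014-05-28T09:01:01Z ip=203.0.113.5 user=bsmith@example.net result=FAIL
2014-05-28T09:01:02Z ip=203.0.113.5 user=carol@example.org result=OK
2014-05-28T09:01:03Z ip=203.0.113.5 user=dave@example.com result=FAIL
2014-05-28T09:01:04Z ip=203.0.113.5 user=erin@example.com result=FAIL
2014-05-28T09:01:05Z ip=203.0.113.5 user=frank@example.net result=FAIL
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def detect_credential_stuffing(log_text, min_users=5, min_fail_ratio=0.6):
    """Return {ip: stats} for source IPs that tried at least `min_users`
    distinct logins with a failure ratio of at least `min_fail_ratio`.

    A real user who mistypes hits one account repeatedly; a stuffing tool
    walks a leaked list, and most attempts fail because those people never
    registered here or did not reuse their password. The successes from such
    a source are the accounts that did reuse a leaked password and should be
    forced to reset. Thresholds are assumptions chosen for the sample data.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                  "users": set(), "ok_users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed or unrelated lines rather than crash
        stats = per_ip[m["ip"]]
        stats["attempts"] += 1
        stats["users"].add(m["user"])
        if m["result"] == "FAIL":
            stats["failures"] += 1
        else:
            stats["ok_users"].add(m["user"])

    suspects = {}
    for ip, stats in per_ip.items():
        fail_ratio = stats["failures"] / stats["attempts"]
        if len(stats["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            suspects[ip] = {
                "attempts": stats["attempts"],
                "distinct_users": len(stats["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "compromised": sorted(stats["ok_users"]),
            }
    return suspects


if __name__ == "__main__":
    print("reused passwords:", find_reused_passwords(SAMPLE_VAULT))
    print("stuffing sources:", detect_credential_stuffing(SAMPLE_LOG))
```

On the sample data the audit reports `pa55word` shared by amazon.com, ebay.com and mail.example.com, and the detector flags only 203.0.113.5 (six different logins, five failures) with carol@example.org as the account that reused a leaked password; alice's single mistyped attempt from 198.51.100.7 is not flagged because one user retrying is not the pattern. In production the same per-source counting is usually done over a sliding time window, and the distinct-user count matters more than the raw attempt count, since a stuffing tool rate-limits itself to look like ordinary traffic.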