Encryption failing costs £150,000

Insurer Fined

Royal and Sun Alliance (RSA) has been fined £150,000 by the Information Commissioner’s Office following the loss of personal information relating to 59,592 customers.

Following the theft of a hard drive, which contained customers’ names, addresses and bank account details including account numbers and sort codes, ICO enforcement officers found that RSA did not have appropriate measures in place to protect financial information, when the theft occurred at the offices in West Sussex between 18 May and 30 July 2015, an ICO undertaking found .

The device also held credit card details of 20,000 customers, although security numbers and expiry dates were not affected.

The investigation found that the device was stolen from company premises either by a member of staff or a contractor, the information on it was not encrypted and the device has never been recovered. It was kept in a data server room, which required access via an access card and key, to which 40 members of RSA’s staff and contractors (some of whom were non-essential) were permitted to enter unaccompanied.

Steve Eckersley, head of enforcement at the ICO, said: “When we looked at this case we discovered an organization that simply didn’t take adequate precautions to protect customer information. Its failure to do so has caused anxiety for its customers not to mention potential fraud issues.

“There are simple steps companies should take when using this type of equipment including using encryption, making sure the device is secure and routine monitoring of equipment. RSA did not do any of this and that’s why we’ve issued this fine.”

Dr Bernard Parsons, co-founder and CEO of Becrypt, said that the fine should serve as a warning on how dangerous storing unencrypted data can be.

“We find data at rest – information stored in removable hard drives and portable devices such as laptops and tablets – is frequently the weak link in an organization’s security, leaving them extremely vulnerable to a serious breach in the event of a device being stolen or lost,” he added. “Alongside the threat of malicious insiders stealing portable storage devices, we have also seen cases of burglaries targeting technology in recent months.

“These kinds of data loss incidents can be prevented if all potentially sensitive and valuable information stored on portable storage devices is encrypted against unauthorized access by default. This means that, even if the worst happens and a device is stolen by an insider, the organization can be confident that the data it contains will be safe from abuse.”

Mark James, IT security specialist at ESET, said: “The fine itself may seem fairly insignificant, but that of course is not the whole story. The PR exposure, your customer hearing about your failings and of course the damage done through the act in the first place, all has a cost.

“Encryption is not new, it has a relative low cost and can be rolled out and maintained with ease, it would not have stopped the theft of the hard drive in this case, but it would have stopped the data from being accessible. Fines need to be in place, but more importantly there needs to be follow-up, if you are holding other people’s data you need to do all you can to keep it safe.”

Infosecurity 2017

Data Breach Disclosures Jumped 40% in 2016

Number of Data Breach Disclosures Jumped 40% in 2016

Though there were no mega breaches, 2016 had more breaches on record than any previous year, according to a new report.

Last year witnessed few data breaches of the kind that rocked 2015 when organizations like Anthem, the Office of Personnel Management and Ashley Madison reported security incidents involving tens of millions of personal records. Still, 2016 was a pretty bad year for data breaches. New data from the Identity Theft Resource Center (ITRC) and CyberScout show that 2016, in fact, had more reported breaches than any previous year.

A total of 1,093 security incidents involving loss of sensitive data were disclosed last year. The number represented a 40 percent jump compared to the 780 breaches reported in 2015. In all, about 36.7 million records were exposed in the breaches, which the two organizations described as any incident where an individual’s name along with their driver’s license number, Social Security Number, bank or financial account data, medical records and credit or debit card data is exposed.

In keeping with recent trends, the business sector including retail organizations, suffered the most number of breaches and accounted for 495 or 45.2% of all reported incidents. Healthcare organizations, with 377 breaches or 34.5% of the reported total, ranked second in the list of most breached organizations, followed by educational institutions with 98, and then government and military entities with 72 reported incidents.

In terms of raw numbers, banks and credit card companies had fewer breaches (52) than organizations in any of the other sectors included in the data breach report. However, that number does not tell the full story of the extensive financial damage caused to several banks in 2016 by attackers who exploited the SWIFT messaging network to illegally transfer huge sums of money to offshore accounts.

Hacking, payment card skimming, and phishing attacks represented the leading cause for data loss for the eighth year in a row, according to CyberScout and the ITRC. Combined, the three attack methods accounted for 55.5% of all reported security breaches last year, or nearly 18% higher than in 2015.

Many of the phishing attacks — the report does not specify an exact number — involved CEO business email compromise schemes, and resulted in the exposure of highly sensitive corporate data including those related to state and federal tax filings.

Non-malicious slip-ups, like accidentally sending out an email with sensitive customer data or employees negligently posting confidential data on a public facing website, accounted for a surprisingly high 9.2% — or nearly 1,000 — of the reported incidents last year.

Eva Velasquez, president and CEO of ITRC says it is not entirely clear if the higher number of data breaches in 2016 occurred because there were more actual breaches, or simply because more of them are being reported under new disclosure requirements.

“It is our opinion that both are factors here, but that it is more likely that breaches are actually being discovered due to more robust security measures being in place,” she says.

While the business sector was most impacted last year, it is important keep in mind that over time other sectors have been impacted more heavily for different reasons, Velasquez points out. At one time, for instance, financial companies were big targets since attackers perceived them as having a lot of valuable information. In recent years, the medical and business sectors have gone back and forth as favourite targets.

A study released in December by TrapX showed that attacks on healthcare organizations for instance, grew 63% in 2016 and included some major incidents such as a breach at Banner Health that exposed 3.6 million records, and another at Newkirk Products which compromised 3.4 million records.

“As the thieves come up with more creative ways to monetize our data, different data becomes more valuable, hence the thieves change their targets,” Velasquez says.

Data breaches have become the third certainty in life, adds Adam Levin, chairman and founder of CyberScout. “Businesses of every size and stripe are under assault practically every minute of every day,” Levin says.

“As defenders, they must get everything right while an attacker need find only one point of vulnerability … and make no mistake, foreign and domestic attackers are well armed, fully weaponized and in war mode.”

Dark Reading 2017

Mega security breach’ of the future

 

What will the ‘mega security breach’ of the future look like?

Posted by Kathryn Cave on January 16 2017

Security is an area that just keeps gaining prominence. The breaches keep hitting the headlines. And it is pretty clear that a horrific attack – that most people simply can’t imagine yet – is on the horizon. This means while it is not always helpful to focus on the negative stuff – it can be hard not to with security – and at least by looking at the worst case scenario it might help us confront what we could be up against.

At a December roundtable in London, Jason Hart CTO of Gemalto, highlighted the rise of integrity based attacks. These see attackers manipulating company data for their own benefit rather than simply stealing it. He believes that this will hit business reputations very hard and over the next 12 to 18 months [since December] at least one UK firm will fold because of it.

Andrew Nash, Founder and CEO of identity management startup firm Confyrm, who has a long pedigree with organisations like RSA, Google and PayPal, also attended the event. He focused more on identity theft but agreed that today criminals are more likely to play the long game than they did in the past.

He talked about blowout credit card fraud – where thieves sit on a bunch of stolen cards for months and

He talked about blowout credit card fraud – where thieves sit on a bunch of stolen cards for months and months then use them all in one pre-planned hit – and stressed we’re going to see more of that mentality in data theft. “If I was a [nefarious] nation state I would produce a cheap wi-fi chip,” he said, embed it in a wide range of ordinary devices, leave it for years and switch it on to scan things occasionally.

Overall though, it is difficult to pin security down because there are a few different types of criminals out there with entirely different motivations. There those who are simply motivated by the desire to steal things they can sell easily. There are those who are in for a longer, more lucrative, haul – maybe an identity theft or integrity attack. There are those who are involved because of some kind of political motivation – which could frankly lead to any kind of mayhem. And of course, there are those there for the LOLs.

This means a criminal could be buying kits on the dark web, conducting smash and grab attacks, and just flogging the data straight on. They could be buying up passwords and other personal information as it becomes available with the aim of making a larger cash. Or they could be plotting something truly enormous to achieve maximum devastation.

So, what does this mean for the future of security breaches? Well, when I threw out a few simple questions in an open forum, the 23 senior security professionals who came back came back to me covered a lot of the same ground.

Not surprisingly, the majority agreed that as so much critical infrastructure has a digital component, cyber threats are now are potentially serious as their physical counterparts.

Greg Day, VP and Chief Security Officer, Palo Alto Networks describes how “more and more traditional national infrastructure is being replaced by its digital twin”. 2016 saw the potentially harmful social impact of this when hospitals had to cancel surgeries because digital health records were held to ransom.

“As the interconnection of data and systems grows into a global mesh, leveraged by an ever-diverse ecosystem of technological devices, it seems we are generating a bigger cyber risk profile,” he says. “However, we should recognise that this is not more risk, but actually a transference of physical information risk into cyber, and in most instances a blurring between the two.”

Yet Lisa Baergen, Director at NuData Security puts it: “The paradox is that investments are being made in physical infrastructure and cyber security separately, [while] the connection between the two is being overlooked.”

In fact, countless breaches have shown critical infrastructure and organisations alike are not prepared. Eric O’ Neill, Security Strategist at Carbon Black believes “a mega security breach will look like a ‘lights out’ scenario, where a carefully orchestrated attack compromises a critical mass of infrastructure components to such a degree that power grids are overloaded or shut down for a significant period.”

But this is just one scenario. The mega breach of the future could take on a variety of different shapes and guises. Douglas Crawford, Cyber Security Expert at BestVPN.com imagines what it might be like if a criminal got hold of a lot of banking passwords. “The economic chaos caused could, in addition to bankrupting potentially millions of individuals, destroy banks and banking systems, create global economic depression, and even bring down governments,” he says.

The interesting thing about this situation is it could arise from a variety of different motivations. Yet Chad Schamberger, Director of Engineering at VirtualArmour believes that mega breach of the future “will be driven to affect a decision, a political election, a financial outcome, or the intent to cause mass chaos across a population. Not necessarily to gather sellable assets but intended to expose the attack surface that has developed by introducing more and more poorly develop connected devices (IoT).”

James Wickes, CEO and Co-Founder of Cloudview agrees: “A mega security breach in my opinion is one that either affects national security or competitiveness.”

Bharat Mistry, Cyber Security Consultant at Trend Micro believes that integrity will play its part. “I think breach data won’t necessarily be around mass data extraction as monetisation of stolen data has almost become a commodity. It’s more likely to evolve towards mass undetected modification data especially in environments where the data is being used to make strategic or economic decisions.”

Other people we spoke to warned that criminals are beginning to use data to improve their own operations. Chris Carlson, Vice President of Product Management at Qualys says “the mega security breach of the future is likely to reflect criminals’ advances in using analytics to combine and crunch stolen data to identify new opportunities for themselves.

“When bad actors combine stolen data from multiple smaller breaches then analyse it, the real risk is that they will identify trends in the data that allow them to innovate and succeed with more specific and targeted attacks on more vulnerable systems. Doing this at scale represents a huge risk to the economy – when a small percentage of people or businesses are hit by attacks, the system can cope. If that percentage grows significantly, the network effect would have serious repercussions,” he says.

While Norman Shaw, CEO at ExactTrak adds: “There is a lot of discussion about big data. This tends to centre around general commercial activities. Why do we not assume that criminals are using the same big data tools to bring together all the data from cyberattacks and maximise the opportunity.”

In some ways, this feels like the teething pains of watching our whole way of life go digital. It isn’t just the business transformation we hear so much about in the enterprise space. It is a full and complete social transformation.

Amit Sethi, Senior Principal Consultant at Cigital believes: “In the future, we will likely see huge data breaches involving personal information that will make everything we’ve seen so far pale in comparison. Unlike with breaches involving passwords where password changes can help you recover, once personal data is stolen, you cannot recover from it.”

In the end though the level of destruction wreaked does come down to the motivation of the criminal. And Baergen of NuData Security describes cyberwarfare as the “elephant in the room” that nobody wants to talk about.

IDG Connect

Security Guardian for VDI

Security Guardian brings global management to Virtual Desktop Integration. Even when not connected to a host computer, The remote Security Guardian units can be directly controlled from the management console. You can remotely turn On and Off access as well as remotely destroy the memory chip.

This video explains how the service works.

Security Guardian Overview

Security Guardian provides a global solution to the global problem of protecting mobile data. This video outlines the flexibility and functionality of Security Guardian. In conjunction with the management console the data owner will know where their data is, who is using it and can remotely turn it On and Off or even destroy the memory chip.

Watch the video to learn more.

UK.gov coughed over £2 MILLION in data breach fines in the past year

Overall fines have TRIPLED from 2011 – 12

The total number of self-reported* data breaches in the UK increased from 730 between March 2011 and February 2012 to 1,150 in a similar period in the year up to early March 2013. The lion’s share of the fines paid out originated from the public sector.

A Freedom of Information (FOI) request to the Information Commissioner’s Office also discovered that the number of fines imposed on organisations for poor data security shot up from nine penalties totalling £791,000 in 2011-2012 to 20 penalties adding up to £2,610,000 in 2012-2013.

The proportion of monetary penalties imposed on the private sector has grown: from one of nine penalties in 2011-2012 to four of 20 in 2012-2013, resulting in fines totalling £520,000 out of a grand total of £2,610,000 – which means the public sector coughed up over £2m. Stats obtained via the FOI request show breaches reported to the ICO grow from 730 in 2011-2012 to 1,150 in 2012-2013.

High fines were levied against organisations such as Sony, which received a fine of £250,000 for the 2011 breach of the PlayStation Network. But the most-penalised organisations are local councils (accounting for eight penalties) and the NHS (accounting for six). NHS trusts alone were hit by fines of £945,000 while local council were stung for £845,000.

The majority of penalties were for simple human error: especially the act of sending or sharing information inappropriately.

ViaSat UK, the security and communications specialist that filed the FOI request, said that while the increase in reported data breaches may mean more beaches are happening, it also suggests that more breaches are actually being spotted and reported; a positive development.

“Those of us concerned about the state of data protection in the UK can take some comfort from these figures,” said Chris McIntosh, chief exec of ViaSat UK. “First is the fact that more data breaches are being reported. While this may mean an increase in the number of breaches, it also suggests that such breaches are being more readily identified and reported, rather than left unreported where the issues causing them will fester, unresolved.

“Second, it is clear that the ICO is standing by its promise to use both the carrot and the stick when enforcing the Data Protection Act. Not only has the number of monetary penalties increased year-on-year, but they have grown in size and been implemented across both the public and private sectors.” ®

IT lawyer Dai Davis of Percy Crow Davis & Co added that many tens of thousand of breaches are unreported each year.

“At present the only breaches that must be reported are some by telecommunications companies (BT, Vodafone etc.),” Davis explained, adding that the ICO figures obtained by ViaSat probably refer to truly voluntary disclosures.

Leaknote*Self-reported data breaches cover breaches of data security that organisations are compelled to report to the ICO.

Original URL: http://www.theregister.co.uk/2013/04/25/data_breach_foi/
By John Leyden

Related stories: Nicked unencrypted PC with 6,000 bank details lands council fat fine
(7 June 2013
)

Half of all companies lose devices with important data

Half of companies have lost a portable computing device with important data on it that had security implications for more than 20% of organisations, asurvey has revealed.

Further, 57% of employees believe that bring-your-own-device (BYOD) practices put their personal data at risk as well, according to a survey by data governance software company Varonis.

Despite these concerns, the study also revealed 86% of employees use their personal devices for work at all hours of the day, with 44% admitting to doing so during meals.

Additionally, 20% of respondents consider themselves “borderline workaholic”, 15% take their devices on holiday and 7% claim their work and home lives are one.

But the study found the productivity drain is greater for companies that allow BYOD. Nearly a quarter of respondents said they spend more time than they care to admit doing things unrelated to work during work hours.

According to the findings, almost three-quarters of employees are now allowed to access company data from their personal devices.

This growing trend to work remotely is likely to have an impact on breaches and data leakages, as mobile devices continue to have major security implications, according to the research report.

The study found that implementing a BYOD policy did reduce security incidents, but only by 5%.

The most popular method to secure mobile devices is password protection (57%), followed by 35% who wipe devices remotely and 24% who use encryption.

“Being connected to work around the clock appears to be accepted as the ‘new normal’,” said David Gibson, vice-president of strategy at Varonis.

“While organisations are capturing the many benefits of BYOD – and the willingness of the workforce to embrace this style of working – companies must protect themselves,” he said.

Gibson said all companies that allow BYOD should:

  • Develop a BYOD policy that lets people know what is and is not allowed;
  • Make sure controls are appropriate to the risks– if the data is valuable, organisations need to control where it resides and who has access to it, need to be able to audit use and spot abuse;
  •  Monitor the effects of frequent interruptions and “always-on” habits to watch for signs of impaired productivity or health.

“Only by limiting the potential damage – both to organisations and employees – can organisations make the most of a trend that will continue to leap forward, whether businesses allow it to or not,” he said.

UK’s million missing laptops

The million mobile devices that have gone missing in the past year are a business data time bomb, according to Sony’s VAIO Digital Business report 2013.

The report, which polled IT leaders at 600 UK businesses, blames bring-your-own-device (BYOD) practices, poor security habits and a rebel workforce.

The findings show that one in four UK businesses have had a laptop lost or stolen in the past 12 months, but only 28% of those polled reported having anti-theft security features on their laptops as standard.

The research shows that businesses are failing to make use of existing security technologies to keep pace with rapidly changing working practices.

“Businesses should take advantage of this ready-and-waiting safety net, which can be easily implemented regardless of IT infrastructure,” the report said.

Data security was ranked as very important by 75% of respondents and loss of confidential company data was identified as the number one concern of nearly half of respondents.

Yet 90% admitted accessing company data from a personal device, regardless of corporate policy, and two-thirds of those surveyed admitted saving confidential business data on their laptops.

Some 46% of those polled said they would bypass company policy and bring in their own device if frustrated by their company-provided machine.

Further compounding this problem, 66% said they take their work laptop home with them every day, with most laptops lost or stolen on trains, followed by private homes and airports.

Some 42% of respondents said they were using their own laptop for work and, for 88% of business laptop users, it is the machine they use in the office as well as remotely.

The study showed that 82% are not changing their password on a monthly basis, 20% of respondents said they never change it and 17% only do so when prompted to.

Despite these trends, the report said businesses are not investing enough in securing their data, with nearly half spending less than £1,000 a year on laptop security and only 28% of business laptops being fitted with anti-theft security as standard, even though many security features require only simple activation.

The report said while 56% of those surveyed had remote back-up software and 42% had some form of data encryption, only 25% had remote lockdown and only 18% had location tracking enabled.

According to the report, what people look for in a business laptop is a clear reflection of the modern mobile approach to work.

The top feature for most users is long battery life, followed by rapid boot-up, weight and a good range of connectivity options.

The research found that even though people realise the importance of security, finger print security access was the least in-demand feature.

“This indicates that the issue isn’t awareness, but education on how to use the security features laptops already have,” the report said.

A long recovery road after a data breach

Small to medium-sized businesses face a long recovery road after a data breach
Understanding why data breach preparedness is a priority is key. According to the latest Ponemon Institute Study, State of SMB Cyber Security Readiness: US Study, the road to recovery is long and hard for small to medium-sized businesses (SMBs) after a data breach.
 Not only did the SMBs lose customers, costs to acquire new customers went up significantly, some organizations had to lay off employees and it took almost a year to recover from the damage to their business reputation.  The purpose of the study was to understand the ability of SMBs to prepare their companies for a possible cyber security threat or data breach.

The study examined the differences in perceptions about the consequences of a data security breach between those companies that experienced a breach and those that have not.  The average cost of a data breach was almost $900K, which is almost three times more than what unaffected companies estimated.  This lack of awareness about the costs and consequences of a data breach can negatively affect an SMB’s ability to be prepared for a cyber security attack.  Although participants stated that the priority for their IT security spending was to meet compliance requirements and implement a data breach response plan, the reality is most companies didn’t have policies in place to deal with a breach of data.  In addition, respondents expressed that their biggest frustration in implementing a data security plan was dealing with employee negligence and felt it was unrealistic to expect an organization of their size to be totally secure from a cyber attack. In response, The Ponemon Institute has the following recommendations to improve the current state of cyber readiness for SMBs:

  1. Like bigger sized organizations, make it a priority to implement formal data protection and security programs to detect cyber security risks.
  2. Conduct risk assessments and monitoring to identify data breach risks. Establish security objectives and set actionable metrics to be able to measure that your company is meeting security goals.
  3. Ensure that employees’ mobile devices are properly protected with anti-virus/anti-malware protections and encryption technologies.  Identify your sensitive and confidential information that needs security and protection at all times.
  4. Educate workers through training and awareness programs on the importance of following proper security procedures.  Make the business case for investing in cyber security.

As with many things, it’s not the size that counts, it’s the content that is important.  And no matter how large or small the business, the importance of protecting that content should always be the first priority in every company’s cyber security plan.

Original article from Experian 22nd Feb 2013

UK Biggest Data Loss Disasters of 2012

The UK’s Biggest Data Loss Disasters of 2012
With the growth in the use of personal devices for work, it is no surprise that data loss increased in 2012. In fact, it is astounding to think that UK data loss in general has risen by an estimated 1,000 per cent in just under five years.

Here, we take a look back at some of the biggest data losses the UK faced in 2012.

NHS trust loses personal data of 600 maternity patients, and kids On at least two separate occasions in 2012, the NHS was forced to admit losing two unencrypted USB sticks containing highly sensitive personal patient data. In the first instance, the device in question contained data relating to around 600 maternity patients. A second USB stick containing the names and dates of birth of 30 children and full audiology reports of a further three was also lost. This caused great embarrassment to the NHS, and distress to the patients whose confidential information was compromised.

Lost data blunders costing  councils £1.9 million A series of blunders by various UK councils led to them being fined heavily for serious data breaches, including the disclosure of highly sensitive, personal information. The fines totalled an astonishing £1.9 million. The mistakes included information being sent to the wrong people, while one individual even left hard copies of highly confidential documents on the train.

Shopacheck loses data on 1.4 million customers In terms of the number of customers affected by any single data loss incident, Shopacheck experienced the biggest loss in 2012. The loan firm managed to lose sensitive financial information pertaining to 1.4 million of its customers after two back-up tapes went missing. The tapes contained highly confidential information including customer names, addresses, dates of birth, telephone numbers and email addresses.

Police force pays £120,000 penalty for data breach Greater Manchester Police was fined £120,000 after a memory stick, which had no password protection, was stolen from an officer’s home. This caused a serious breach of data security, not least because the device contained information about members of the public who had given statements as part of drug investigations. It also contained details of police operations, potential arrest targets and the names of officers.

USB stick with nuclear plant data lost by ONR official While on a business trip to India an Office for Nuclear Regulation (ONR) official lost an unencrypted USB memory stick containing data relating to one of the UK’s nuclear power stations in Hartlepool. What made it worse for this blundering individual was the ONR confirming that unencrypted USB sticks should not be used for transporting documents with a security classification. It seems this official should have thought a little more about effective ways to protect his organisation’s sensitive data.

As these examples demonstrate, data loss can largely be attributed to human error and ineffective backup and security solutions. Once again, we are reminded of the importance of implementing effective data protection policies. Many of these disasters could have been mitigated with the use of a solution such as EVault’s Endpoint Protection for mobile devices (laptops and tablets), or by using the cloud, to backup sensitive company data.
Let’s hope that businesses realise this in 2013!

Original article by By Jean-Jacques Maleval, Mon, January 21st, 2013

EU data protection law proposals include large fines

Firms face being fined up to 2% of their global annual turnover if they breach proposed EU data laws.

The European Commission has put forward the suggestion as part of a new directive and regulation.

The new rules include users’ “right to be forgotten” and an obligation on organisations to report data breaches “as soon as possible”.

The boss of one tech-focused organisation described the proposals as a “tax” on firms holding customer data.

The Justice Commissioner, Viviane Reding, said it was important for EU citizens – particularly teenagers – to be in control of their online identities.

“My proposals will help build trust in online services because people will be better informed about their rights and more in control of their information,” she said.

The commission says that key changes to the 1995 data protection rules include:

  • People will have easier access to their own data, and will find it easier to transfer it from one service provider to another.
  • Users will have the right to demand that data about them be deleted if there are no “legitimate grounds” for it to be kept.
  • Organisations must notify the authorities about data breaches as early as possible, “if feasible within 24 hours”.
  • In cases where consent is required organisations must explicitly ask for permission to process data, rather than assume it.
  • Companies with 250 or more employees will have to appoint a data protection officer.

The rules would apply to data handled outside the EU if the companies involved offered services to citizens living in the 27-nation zone.

USB stick and CD
Some firms are concerned that they would have to confirm data loss within 24 hours of being hacked.

The commissioner said that by simplifying the current “patchwork” of rules and cutting red tape, businesses could expect to save a total of 2.3bn euros ($3bn; £1.9bn) a year.

However, organisations which break the rules face penalties.

The commissioner suggested that companies that charged a user for a data request be fined up to 0.5% of their global turnover. She said that sum should double if a firm refused to hand over data or failed to correct bad information.

She added that companies responsible for more serious violations could be fined up to 2% of their turnover. The sum is capped at 1m euros for other bodies.

Cost worries

One lawyer told the BBC that the benefits would be outweighed by the new burdens placed on businesses.

“The one bit of a good news is that they result in harmonisation across Europe which is better than the existing situation with 27 different national laws, but the content of some these proposals is very onerous,” said Marc Dautlich, head of information law at Pinsent Masons.

“These are all going to involve costs and resource. And in a difficult economic climate.”

Adam Malik, organiser of the Digital London conference, said that he accepted that customers had a moral right to ask for data deletion, but the new rules – as he understood them – could place some enterprises in jeopardy.

“This is just an additional tax on all businesses which hold electronic customer records,” he said.

“Also we need clarity on what is personalised data. Lots of lawyers will be happy about this directive for years to come – meanwhile innovation is discouraged.”

Security company FireEye also expressed concern about the suggested data loss demands.

“Reporting within 24 hours of discovery is admirable but if the company wasn’t aware of the breach for 24 days then where do all involved stand?” asked its director of European operations, Paul Davis.

But others were more positive about the proposals.

“Businesses can either see it as a glass half-empty or a glass half-full,” said Alan Mitchell, strategy director of Ctrl-Shift, a technology consultancy whose clients include the UK government.

“This legislation will enable UK and EU business to lead this growing market and develop new technologies and businesses.”

The rules need to be approved by the EU’s member states and ratified by the European Parliament before they can come into effect.

That could take two or more years, during which time they may be amended or rejected outright.

Published by The BBC     25 January 2012

51% of UK networks compromised by BYOD

Half of UK business networks have already been compromised by the bring-your-own device (BYOD) phenomenon of workers using personal devices for work-related activities and for attaching to corporate networks.

That’s the assessment of new research from Virgin Media Business, which found that in 2012, a full 51% of the UK’s secure IT networks were breached due to employees using personal devices.

In surveying 500 British CIOs, Virgin Media Business found that smaller businesses experienced 25% fewer breaches of security compared to larger organizations.

“Last year was clearly a bumpy road for companies introducing personal devices at work,” said Tony Grace, COO at Virgin Media Business. “That’s natural enough as no one has so far been able to come up with the magic solution. CIOs shouldn’t see this as a burden and in 2013 they can take the lessons learned and turn these personal devices into business enablers to really help drive the bottom line.”

In 2012 the consumerization of IT and BYOD have gone from being buzzwords and theories, to being everyday matters and issues for CIOs. “Security, connectivity and user policies are the three key factors needed to embrace new technology successfully, but this isn’t anything new,” the research found. “With just 20% of big businesses allowing staff to use their own kit in the office, there needs to be a shift in mindset.”

The issue will only grow larger: Virgin Media noted that a tablet was sold every second in the run up to Christmas, up 112% from last year, meaning January is likely to see a clear influx of the devices in the workplace, driving a need for clear policies on BYOD.

“With sales of tablets expected to have gone through the roof over Christmas, it looks like personal devices in the workplace is here to stay,” said Grace. “But with just a fifth of large firms having a BYOD policy, businesses will continue to experience security breaches until connectivity, security and user policies are put in place.”

Security Guardian was designed to make BYOD work at minimal cost.

This article is featured in: Compliance and Policy  •  Industry News  • Internet and Network Security  •  Malware and Hardware Security  •  Wireless and Mobile Security

Government departments release data on missing IT equipment

Ministry of Defence lost 1,058 items of equipment in 2011-12

Government departments saw 2,070 pieces of IT equipment lost or stolen in 2011-12, according to written answers in the House of Commons.

With the exception of the Department for Education and the Cabinet Office, all central departments have now written formal responses to requests regarding how many pieces of IT equipment were lost or stolen during 2010-11 and 2011-12.

408 of the missing items for 2011-12 were computers and 499 were mobiles, of which 422 were BlackBerrys. 1,163 were categorised as ‘other’.

The requests were lodged by Gareth Thomas MP, Labour’s shadow minister for the Cabinet Office.

Over half of the missing pieces of IT equipment across government were accounted for by the Ministry of Defence (MoD), which lost 1,058 items in total, including 206 computers, 24 mobiles and 34 BlackBerrys. Unlike some other departments, these figures are raw data and do not include any recovered property.

794 pieces of equipment were categorised as ‘other’. This category refers to IT items such as CDs, DVDs, and removable memory such as USB sticks.

Explaining why the figures for the department were so high, an MoD spokesperson said, “The MOD employs more than 250,000 individuals operating all round the world, with frequent movement of forces and equipment between locations in support of operations.”

The spokesperson added, “The MoD takes the loss or theft of equipment very seriously and works hard to detect and deter theft. There are robust processes in place to raise awareness of the need for vigilance in all aspects of security and we actively encourage individuals to report loss or theft. This work has resulted in a rise in the number of reports over the last year.

“Where theft does occur and a suspect is identified, prosecution or internal disciplinary action will follow as appropriate.”

After the MoD, the departments that lost the most equipment include the Ministry of Justice (268) and the Department for Communities and Local Government (151).

However, the Department for Culture, Media and Sport and HM Treasury reported just 10 losses apiece for 2011-12.

In comparison, the Department for Transport and the Department for Business, Innovation and Skills lost 102 pieces of IT equipment each, while the Department for Work and Pensions (DWP) reported 97 items missing. The Department of Health mislaid 63 items, while the Home Office lost 49.

A direct comparison is not possible for the DWP and the Home Office, as they reported data covering each calendar year rather than the financial year. DWP reported 97 losses in 2011 and 48 for 2012. The Home Office mislaid 53 items in 2011; however four of these were recovered. They did not provide data for 2012.

The Northern Ireland Office reported no equipment losses at all for the period. The Wales Office said that there had been one such loss, and the Scotland Office reported four losses.

Shadow Cabinet Office Minister Gareth Thomas MP said, “It’s incredible that so many computers, blackberries and other pieces of IT equipment have been lost.
“With hundreds of pieces of IT equipment being lost across Whitehall, and over a thousand pieces missing at the MOD alone, Ministers should be doing all they can to make sure vital equipment and data are kept secure.”

Ultimate Mobile Data Security – Perfect for the forgetful secret agent…the memory stick that self-destructs by remote control

A data protection company has come up with the perfect piece of kit for the spy who’s more Johnny English than James Bond.

ExactTrak Ltd has developed a memory stick that can be tracked by GPS if it becomes separated from its owner – and can even be destroyed by remote control.

The memory stick, called Security Guardian, is slightly larger than your garden variety device and includes an encrypted memory chip and a SIM card, which means that it can be tracked by GPS and GSM triangulation.

Data protection: ExactTrak's Security Guardian includes a SIM card, so that the memory stick can be tracked if it becomes separated from its owner

Data protection: ExactTrak’s Security Guardian includes a SIM card, so that the memory stick can be tracked if it becomes separated from its owner

If sensitive information is on board the stick when it is misplaced or stolen, the owner has a variety of ways of disabling or destroying information so that it cannot be viewed or shared.

Owners can sign in to their account and block files and information. Alternatively, they can text a specific code to the stick itself, which will disable the device or lock the files within.

And, if all else fails, users can send a high-voltage charge directly into the stick, melting the internal chip and erasing everything contained on it.

Tracking device: The memory stick can be located by GPS and GSM triangulation. But if that's not good enough, files can be blocked or deleted via remote control

Tracking device: The memory stick can be located by GPS and GSM triangulation. But if that’s not good enough, files can be blocked or deleted via remote control

Killer blow: If all else fails, users can send a high-voltage charge directly to the memory stick, frying the internal chip and obliterating all information on it

Killer blow: If all else fails, users can send a high-voltage charge directly to the memory stick, frying the internal chip and obliterating all information on it

This killer bolt can be delivered without an internet connection – regardless of whether the device is connected to a computer or not.

The growing interest in data protection follows a number of high-profile cases where sensitive Government information was left on public transport – including a case in 2009 when a Government contractor lost a memory stick containing the information of 84,000 prisoners.

A 2008 report found that more than 3,200 laptops and mobile phones containing sensitive information had been lost or stolen from government departments.

In their sales pitch, ExactTrak claims that 65 per cent of recorded data losses are due to laptops and USB memory devices that go missing.

In a survey by the Ponemon Institute for Intel, 56 per cent of IT managers admitted that they turned off or disable their encryption. A further 35 per cent admitted to sharing passwords with colleagues.

ExactTrak is currently working with Government and corporate clients, developing a range of products that provide mobile data security and asset recovery.

But it’s not reserved for security services, ExactTrak’s website says: ‘Location monitoring and data security services can be delivered either via secure access to our monitoring platform, hosted on the Fujitsu Global Cloud Platform, or can be located within your organisation behind your own firewall.

 

 

Data losses on USB sticks – it’s raining again

The problem of lost USB sticks has been back in the news recently with data losses moving from laptops to the storage devices.

In January, the Information Commissioner’s Office (ICO) and the Office of the Data Protection Supervisor (ODPS) for the Isle of Man jointly criticised Praxis Care after an unencrypted memory stick was lost last year. It contained personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland.

Last week, the details of more than 1,000 school pupils were lost when a USB stick was misplaced by a member of East Lothian Council.

It was at the end of 2009 that I looked back at ‘a tricky 12 months for the USB stick’ when it was blamed for data loss and Conficker. While the problem has not been eradicated completely, it does seem to be slipping back somewhat.

I recently spoke with a new company offering what it calls the ‘Fort Knox’ of USB memory sticks: I know what you are thinking, heard it all before. Well what caught my attention was that this was less a memory stick and more a tracking device, with GPS and GSM modules to track where it is and deliver this information securely to a management console hosted securely on Fujitsu’s Global Cloud Platform.

It also features remote wipe capabilities of any data on the device, whether it’s plugged in to a USB socket or not.

Named Security Guardian, creator ExactTrak said that its inbuilt software is linked to an online monitoring platform that protects against the biggest problem with mobile data security: human error.

Managing director Norman Shaw told SC Magazine that Security Guardian is been adopted by users due to it being encryption technology-agnostic and available with either 16 or 32GB storage.

He said: “We applied intelligent elements to communicate with the device and we can turn the device on or off and delete the memory. We can know where it is geographically.
“We met with the ICO and they said that it is all very well having encryption but 50 per cent of people share passwords. One of the technologies on this is that if you share a password, you can remotely remove or turn data off. A problem is that data losses are often not reported for months; we say this can overcome the stigma of losing data by saying ‘we lost the device but we deleted the contents of it’.”

Shaw said that this is sold not as a product but as a service, and a recent partnership with Fujitsu saw its Global Cloud Platform selected to host the back-end infrastructure.

The heart of the Security Guardian solution is the management console which provides remote access to the devices and maintains a verifiable audit trail detailing when and where data was accessed. ExactTrak said it needed a partner that could host the management console while providing the utmost levels of security, scalability and availability, and it selected Fujitsu’s Global Cloud Platform as a secure portal and because it could offer “global scalability almost instantly”.

Shaw said: “Once data is on the device it is encrypted. We have Trusted Client technology from Becrypt and the cloud capability from Fujitsu and it is all dynamic data on the device, so what is on there is secure.”

In my recent conversation with Thales, it was suggested that technology should make encryption transparent, and “if you know you are using it then it has gone wrong”. I asked Shaw if he felt there was a problem with encrypted data and that people were not using it.

He said: “Some people realise the problem of encryption, so how do you prove that it was turned on? You say that a laptop was encrypted, but then it appears on eBay and it turns out that it wasn’t encrypted at all.

“With our solution you can say that the data was turned on or off on the management console with a verifiable audit trail and the ICO can say the matter is closed.”

There are solutions out there to prevent data loss and most of them offer different levels of security and capability, and what ExactTrak offers is certainly different – the capability to react after the incident.

Original article from SC Magazine  Feb 2012

Security Guardian USB stick can be tracked and remotely deleted

Using a web-based console, administrators can also apply policies to Security Guardian devices used by their staff, and locate them if required using their built-in GPS capability.

However, the GPS does not simply allow lost devices to be tracked, but also enables organisations to set location-specific policies governing their operation.

The memory can be enabled or disabled for specific geographic areas, so a hospital could configure their memory sticks to only work when they are actually on the premises,” said Shaw.

Administrators can also set a policy so that the device will automatically disable its memory if it has been unable to check in with the ExactTrak cloud service for any length of time.

In this state, the data is preserved, but cannot be accessed until the Security Guardian is able to communicate with the management service again. When the memory is disabled, it is electrically isolated from the USB interface, according to ExactTrak.

Unlike many other secure USB Flash drives, Security Guardian devices are not self-encrypting. This is because customers told ExactTrak that they wanted them to function with encryption services they were already using, such as Becrypt Trusted Client, Shaw said.

Because of the unusual nature of the Security Guardian devices, they will be sold via system integrators such as Fujitsu as part of a service package including GSM provision. Customers can expect to pay £25 to £30 per device per month.

Published in V3.co.uk  Feb 2012

Huge rise in reported data breaches

Reported data breaches to the Data Protection Commissioner rose by 350pc in 2010, following the introduction of a more stringent code of practice in the middle of last year.

Publishing his annual report earlier today, Data Protection Commissioner Billy Hawkes said last year had seen a “dramatic increase in the number and significance of organisations that have lost personal data”. The report shows 410 data security breach incidents from 123 organisations were reported to the DPC in 2010, up from 119 reports from 86 organisations in 2009.

“It can be assumed that the sudden increase reflects the more exacting demands placed on organisations by the code of practice rather than an increase in the absolute number of data breaches,” the report said. The figures show the level of reported breaches spiked after the code was introduced last July. At the press conference this morning, the DPC confirmed early signs suggest this year’s level of breaches will be similar to last year’s

Original article from Silicon Republic.