We are living in interesting times as far as information security is concerned. Does it not seem that every few months a large multinational or well established British brand/individual appear to have been the victims of hackers? This month alone (Aug 2015) Carphone Warehouse reported a security breach where up to 2.4 million people may have had their names, addresses, dates of birth and bank details made accessible to hackers. In addition, up to 90,000 customers may have had their encrypted credit card data made accessible to hackers also. Included in these numbers are customers of other mobile telephony companies which Carphone Warehouse operates or provides services for.
Also this month, the Information Commissioner’s Office (ICO) issued a fine of £180,000 to The Money Shop, on account of data breaches regarding two servers. One server was stolen from a store in Northern Ireland, where it had been stored in a room without adequate security controls, contrary to company policy. The other server had been lost by a courier firm in transit. Both servers contained sensitive customer information and lacked sufficient encryption. Neither has been recovered. There are other recent examples cited in contemporary media which have garnered international attention concerning dating sites, cycling teams’. The list is not exhaustive.
The loss of face, business and public confidence in such instances can be devastating to your business. The negative connotations associated with your brand can impact heavily, steering faithful and potential clients elsewhere.
The organisations in the press for the wrong reasons, receive this attention as they are in the public eye and the public engage with them on a regular basis by using their services. However, there are other organisations which are breached regularly, yet receive very little column inches.
In the four quarters of 2014/2015, the NHS/Health Services reported 747 instances of data breaches. The highest by some figure of organisations that have reported such breaches to the ICO. Yet very few, if any such breaches have been reported in the national media considering that personal medical records may have been made available to hackers. However, these instances do not solely affect large organisations.
For example, the local flower store with an owner/manager and three or four members of casual staff who have not been vetted, located in an affluent area who input customer names, addresses, phone numbWe are living in interesting times as far as information security is concerned. Does it not seem that every few months a large multinational or well established British brand/individual appear to have been the victims of hackers?
As well as the moral component associated with protecting your customers’ data, organisations, large or small, have the responsibility for implementing some form of information security policy as stipulated by law, namely the Data Protection Act 1998 and the processes and procedures pertaining to any accreditation body which your organisation may be signed up to.
Principle 7 of the DPA
The ICO provides Principle 7 as dealing specifically with security. In brief the following is applied to information security:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
Specific controls are not stipulated by Principle 7, as necessary processes will differ from firm to firm and are dependent on the type of information held. A large multinational with country-specific servers will have very detailed controls in place to administer their information security to that of the charity which stores all its information in hardcopy in a locked filing cabinet in a locked room with access by designated persons.
However, the risk assessments made to determine these controls will be of a similar doctrine to both the large and small organisation, in order to reach the necessary conclusions.
In the UK, regarding information security, the ICO requires that an organisation, as a minimum, takes into account the following factors in order to formulate controls:
The nature and extent of your organisation?s premises and computer systems;
The number of staff you have;
The extent of their access to the personal data; and
Personal data held or used by a third party on your behalf
The threats to an organisation’s information security can come from within, from slack procedures to wilful abuse. Threats from outside of the company will usually exploit vulnerabilities in your IT systems, circumnavigating firewalls, utilising unprotected ports, malware etc. If your business is doing everything in its ability regarding cost reasoning, risk analysis methods that are current and suitable for your organisation, documented processes and procedures which are adhered to by staff, you just may run less of a risk of receiving a fine from the ICO should the worst happen and your information systems are hacked.
All things being said, the non-monetary consequences of your customer’s information being accessible to hackers has far more business penalties than any fine. Be pragmatic, utilise specialist advice where necessary and have an information policy that is understood by your employees. In effect, do all you can to minimise the risk to your clients regarding the safekeeping of their sensitive information. ers on computers lacking any form of encryption presents a series of information security risks. Chances are, such a situation may never see the light of day via any report yet, may prove catastrophic for customers.
As well as the moral component associated with protecting your customer’s data, organisations, large or small, have the responsibility for implementing some form of information security policy as stipulated by law, namely the Data Protection Act 1998 and the processes and procedures pertaining to any accreditation body which your organisation may be signed up to.
Peter has been in the Information Security world since 1999 and in IT in general since 1996. His work history contains a unique blended balance between the development of exceptional technical capabilities and business knowledge. Peter is a proud father of twins and enjoys GT endurance racing on the weekends.
Last week saw SB Tech Breached by the hacking group Maze. It seems that every week the group are announcing more victims. GameOn asked our CEO Peter Bassill, to give us some insight into the attack. The GameOn article is here.
In our “How to securely” series we asked our followers what tools they would like a simple guide on to help them stay secure online. There seemed to be a lot of confusion as to what a VPN is and why you should or should not use one. So we asked Peter to help.
WhatsApp is among the fastest-growing instant messengers out there, and almost a social network in its own way. But if you are using it, there are some steps you should take to protect your security and privacy.
The UK’s highest court ruled that Morrisons can not be liable for a criminal act of a person seeking to harm their business. On April 1st, 2020, a panel of five justices unanimously ruled that Morrisons was not “vicariously liable”.
With the current pandemic situation, we all need to be taking remote working considerations. While adjusting the work paradym, it is vital to keep a mind’s eye on the security and safety of the businesses information assets
In this guide we are looking at how to go about securing zoom. Since the onset of the global pandemic, we have seen surge in “zoom bombing”. This is where people with malicious intent look for in-progress zoom meetings to join and cause trouble.
A critical vulnerabiltiy has been identified in Dell EMC iDRAC7, iDRAC8 and iDRAC9. Some unknown processing is affected by this issue. Manipulation with an unknown input can lead to stack based memory corruption.
On March 27th, Hiscox Insurance Company Inc. filed a complaint against law firm Warden Grier for concealing a data breach that occurred back in 2016.
A critical vulnerability has been identified in Nginx Controller up to 3.1.x (web server,) affecting an unknown code block of the component Controller API.