UK ICO warns that “information can be a toxic liability” October 29, 2008

Posted by separkin in News.

The Office of the UK Government’s Information Commissioner has released a press release to coincide with a speech given by Information Commissioner Richard Thomas. The speech highlights some views towards the handling of personal data within organisations.

Two opinions expressed by Mr. Thomas are especially pertinent to Trust Economics:

  • Top-level directors should take more responsibility for the protection of personal data held by their organisation within databases etc. This includes demanding that appropriate data security policies be put in place, that privacy be built into software applications used within the organisation, and that employees be suitably trained to manage data security risks. In relation to Trust Economics this implies both that workable policies be enacted and, more generally, that company staff be educated not only in how to interact with the security controls that protect the data they work with, but also in the procedures to follow when those security controls fail (some activities carry possible negative consequences that make them seem ‘risky’ in the first place). Mr. Thomas asks “How many staff do not tell their managers when they have lost a memory stick, laptop or disc?” – just as it is important to learn from reported data breaches, it could be equally useful to understand the behaviour and working culture that promotes silence on the subject in so many cases.
  • An increased capacity to store personal data can have its own associated risks (to the degree that Mr. Thomas refers to information as a “toxic liability”). With this it could be argued that organisations should develop a greater awareness of what their system users are capable of achieving with the data that they have access to. Instead of securing data to the point of making interaction with it impossible, organisations should seek to allow potentially productive access to personal data only if and when necessary, and when it is necessary, it is important to have an informed understanding of what an employee can then do with that data (and just as importantly how and why they may do what they do).

There is also a BBC article that discusses Mr. Thomas’ speech.

RSA Insider Confessions Report October 23, 2008

Posted by separkin in News - Reports.

A report published by RSA in 2007 (‘The Confessions Survey’, available here as a PDF) identifies some of the things employees can do which have the potential to adversely affect the security of their organisation’s data (e.g. holding secure doors open for strangers, or e-mailing company data to a personal e-mail address for access at home).
Statistics are included which distinguish between the behaviour patterns of the two groups of employees that were surveyed (‘Government’ and ‘Enterprise’). This in itself goes some way towards illustrating that a one-size-fits-all approach to security does not necessarily apply to both public and private organisations, and that the work cultures (i.e. the accepted or encouraged patterns of employee behaviour) in different kinds of organisations should be considered when setting information security policy.

Round-Up Of Some Interesting Computer Weekly Articles … October 23, 2008

Posted by separkin in News.

Securing the desktop and still allowing for flexibility – discusses the need to balance the security of a system with the capacity to allow employees to do things that they would feel are acceptable within their job (including catering for those who believe they are within their rights to use Facebook at work!). An interesting quote: “The first stage is understanding what’s going on. Before you can actually control what people can do, you have to have a sound basis for making the decisions about what is and what is not allowed”. This could be interpreted as a requirement to understand employee behaviour in relation to both the resources that are within their reach, and the security controls that are either in place or available to limit or manage access to those resources.

Electronic information sharing is key to effective government – an article that discusses how document-centric information security can promote co-operation between disparate organisations (or distant parts of the same organisation). Information exchange between organisations can lead to increased productivity and knowledge development, but this exchange needs to be secured in a manner that doesn’t simply make the entire process unwieldy.

Can too much IT security be bad for business? – IT professionals attending the IT Security Forum ring alarm bells about how an increased expectation of the use of information security controls affects their organisations. This includes how limiting use of USB storage devices can in turn limit the capacity for information exchange, and concerns about the strict nature of policies concerning the inclusion of sensitive information in unencrypted e-mails.

These articles all highlight a need to balance:

  • the use of information security controls in an organisation;
  • the potential benefits to an organisation of using the information that is available to it;
  • the ways in which members of an organisation use information to realise those benefits.

Verizon Data Breach Report October 23, 2008

Posted by separkin in News - Reports.

This year Verizon released their ‘2008 Data Breach Investigations Report’, describing their findings from cases of data breaches that they have been called in to investigate over the last four years. These findings cover, for instance, the sources of a data breach (e.g. insider or external party) and trends within particular industries (Financial Services, Retail etc.), as well as detailing some typical means of accessing and exploiting a company’s IT systems. The report (and the accompanying supplemental report) offer some interesting insights and, perhaps more importantly, some statistics relating to data breaches (something which is as yet rare to see in the public domain).

If more data of the kind described in these reports were to be made available, it would obviously help IT managers and the like in identifying where vulnerabilities in their managed systems could arise. However, it may also help IT managers who want to weigh up both:

  • where their security efforts should be concentrated if they wish to reduce the risk of a data breach, and
  • where within their sphere of control efforts could be relaxed so as to promote (or at least not inhibit) productivity amongst company employees. Ideally a view of security management should consider both how the users of secured systems will behave, as well as having some sense of the behaviour patterns that those users choose to employ to keep their own part of the business running (one of the core considerations of the Trust Economics project!).

The reports are available as PDF documents from:

http://www.verizonbusiness.com/resources/security/databreachreport.pdf (the main report)

http://www.verizonbusiness.com/resources/security/databreachsuppwp.pdf (the supplemental report)