Data security, and incidents where data systems have been hacked, are again in the news. The damage in reputational terms can be enormous and in some cases can destroy an organisation, and that is before taking into account the fines that can be levied by the ICO (Information Commissioner’s Office).

Some of the higher-profile cases occur because of computer issues such as poor anti-malware and anti-virus systems, poor software patching, or simply human error caused by a lack of training and awareness.

There are a number of ways that organisations can improve their data security:

  1. Incorporate Cyber Essentials or Cyber Essentials Plus, which adjusts computer systems to protect against improper access. It also provides for encryption of hard disks to make data files harder to read.

    This is commonly known as computer hardening.

  2. Incorporate a management system for data security; commonly ISO 27001 & 27002. ISO 27001:2013 is the certifiable Standard and ISO 27002:2013 is the code of practice covering the Standard.

These management systems put systems in place to enhance security in a number of areas:

  1. Management direction for information security;
  2. Organisation of information security;
  3. Human resources security;
  4. Asset management;
  5. Access control;
  6. Cryptography;
  7. Physical & environmental security;
  8. Operations security;
  9. Communications security;
  10. System acquisition, development and maintenance;
  11. Supplier relationships;
  12. Information security incident management;
  13. Information security aspects of business continuity management;
  14. Compliance.

This Standard is not easy to put into place and it is a somewhat lengthy process, but once fully implemented it does give the management of the organisation a degree of comfort that good, professional data security protection has been put in place.

Naturally the organisation must undertake regular internal audits, and the system is assessed, with surveillance visits carried out by an accredited certification body, to ensure continued compliance with the Standard.

We have been helping organisations set up ISO 27001 systems and then making sure they pass assessment, at the first go.

Once certified, Quality Matters can offer internal audits and consultancy to make sure that the certification remains fully valid and the surveillance visits pass without problem.

Please see our web-site for details.

The official blog for independent Management Training
Consultancy, Quality Matters Limited.

ISO 27001:2013, the Information Security Management standard, calls for controls to be implemented on removable media to stop unauthorised access to, or transmission of, data.

There have been cases where a disgruntled employee downloads data containing commercial information onto some form of portable memory device just before leaving employment. This can be customer information, product information, designs or drawings.

The compromise of these documents can be very damaging for the employer. It does not matter that the employee has signed a confidentiality agreement: the damage is already done. If this data contains sensitive information, then the company can be held liable under the Data Protection Act (GDPR).

Most security-minded employers who wish to prevent data downloads can stop any transfer of data through a USB port or other device by incorporating this into the computer Group Policy, which is applied from the network during boot-up. This disables the USB ports for storage transfers only; the ports can still be used for a keyboard or mouse.

I am constantly surprised that companies that are normally careful with computer data have no firm policy on removable or portable memory devices.

A less effective method would be to have a ‘No USB memory stick’ condition in the employee’s terms and conditions, but this does need to be policed.

I have spoken here about USB sticks but this applies equally to SD cards, iPods, etc. The relatively large capacity of these devices, often gigabytes in size, does mean that a considerable amount of data can be downloaded.

Security of data must be extended to portable memory devices.


What is Encryption?

Encryption is a method of scrambling a message or other data so that it cannot be read by an unauthorised person. Sadly it has become too easy to intercept messages and use them for illegal purposes; encryption protects that data. It is important that an email with a sensitive attachment is encrypted so that the information cannot be read by unauthorised persons.

A very simple encryption might be to use the alphabet in reverse:

A    B    C    D    E    F    G    H    I    J    K    L    M    N    O    P    Q    R    S    T    U    V    W    X    Y    Z

Z    Y    X    W    V    U    T    S    R    Q    P    O    N    M    L    K    J    I    H    G    F    E    D    C    B    A

‘Please reply to this message’ becomes KOVZHV IVKOB GL NVHHZV

Unfortunately this code would be broken very easily. A more secure system would use the shift method, where the same table is used but each letter is shifted three boxes to the right.

‘Please reply to this message’ now becomes SOSWVS FSHLE DI DPOE KSEEWQS. This is better, but relies on the person receiving the message knowing the key (what method was used). This type of encryption would be broken in seconds by an experienced cracker.
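The two pencil-and-paper ciphers above, the reversed alphabet (Atbash) and the shift of three (Caesar), written out as an added example that is not part of the original post. The last function shows why a shift cipher falls "in seconds": there are only 25 possible keys, and a single guessed word (the "crib") is enough to pick the right one. Running it also lets you check the hand-worked ciphertexts above.

```python
# Added example (not from the original post): Atbash, Caesar shift, and the
# exhaustive 25-key search that makes a shift cipher trivially breakable.
import string

ALPHABET = string.ascii_uppercase


def atbash(text: str) -> str:
    """Map A<->Z, B<->Y, ...; non-letters (spaces etc.) pass through unchanged."""
    table = str.maketrans(ALPHABET, ALPHABET[::-1])
    return text.upper().translate(table)


def caesar(text: str, shift: int) -> str:
    """Shift each letter `shift` places to the right, wrapping Z back round to A.
    A negative shift decrypts."""
    k = shift % 26
    shifted = ALPHABET[k:] + ALPHABET[:k]
    return text.upper().translate(str.maketrans(ALPHABET, shifted))


def brute_force_caesar(ciphertext: str, crib: str) -> list:
    """Try every one of the 25 possible shifts and return those whose
    decryption contains the crib word. No key is needed, which is the
    whole weakness of the method."""
    return [s for s in range(1, 26) if crib.upper() in caesar(ciphertext, -s)]


if __name__ == "__main__":
    msg = "Please reply to this message"
    print(atbash(msg))                                     # KOVZHV IVKOB GL GSRH NVHHZTV
    print(caesar(msg, 3))                                  # SOHDVH UHSOB WR WKLV PHVVDJH
    print(brute_force_caesar(caesar(msg, 3), "message"))   # [3]
```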

Encryption used by spies during the Cold War depended on a code based on a book, with the page number, line and word within the line used to decrypt the message. Both the sender and the receiver must have a copy of the book. This method is far more difficult to crack.

Modern computers rely on even more secure methods:

The first of these is the SYMMETRIC KEY, where the sender and the receiver both know the key and use it to decrypt the message. Anyone else will see a jumble of letters.

The second method is known as PUBLIC KEY; a typical system is PGP (Pretty Good Privacy), which relies on a public key that is available with the message and a private key that is known only to the sender and the receiver. Again, anyone else will see gibberish.

The third method is known as the DIGITAL CERTIFICATE, where the certificate acts as a middleman, checking the identity of both the sender and the receiver; if both are genuine, the certificate allows the message to be decrypted.

Additionally, financial transactions use a secure system known as SSL (Secure Sockets Layer). The user will notice that the usual http:// is replaced by https:// and that a small padlock is normally shown on the web-site to indicate that SSL is in use. Credit card transactions use this very secure method of encryption.


There has been considerable interest, and dismay, at the number of times sensitive data has been lost or stolen; indeed, the amount of data lost seems directly proportional to the technological advances in devices, and perhaps to the stupidity or arrogance of their owners.

Government seems to be a prime data loser, despite telling businesses how important data security is to them and the country.

Desktop computers – these are sitting on our desks giving access to vast amounts of data, yet many people get up and leave their desks without a thought to the risk they are taking. I always lock my desk computer before leaving it, even for a few minutes, because I understand that a moment’s inattention could put my data at risk and seriously damage my reputation as a security-conscious individual. I use Windows+L.

Laptop computers – these are becoming smaller and smaller. My latest acquisition is a tablet; it has no hard drive and is small enough to slip into my briefcase. The downside of this is that it is even easier to lose. I encrypt my data, so that would not be a problem, but the loss of the thing would be very inconvenient. The data is, however, safe.

Memory sticks and SDHC cards – probably the greatest threat to data known today. These tiny devices can hold gigabytes of data and yet can slip easily into a pocket. These devices should always be encrypted, but sadly many are not. All my data sticks have the ability to lock and encrypt data.

Mobile phones and PDA devices – most people do not activate the PIN lock to prevent unauthorised access, and as such they risk having their phone numbers taken, their email contact list taken and, if secret PIN numbers and passwords are stored, these too are at risk. Add to that the ability of many devices to access business systems and email remotely, and it is easy to see what a major security threat these unprotected devices can pose.

I use a PIN to protect my smart phone and have set a PIN to protect the SIM card as well. If my phone was lost or stolen, I can send it a text message which locks it, and no amount of fiddling will unlock it, even if a new SIM card is inserted and the factory defaults enabled.

A recent threat concerns webcams, which are on most desktops and laptops; it is possible for a remote hacker to turn on the webcam without the warning LED being activated and look at the user without their knowledge or consent. I have a sticker over my webcams which is removed when I want to use one and replaced when I do not.

Keep data secure


We should all hope that 2014 is going to be a more secure year for our data. It seems that every day brings fresh news that our data has been compromised in one way or another. The chief culprits appear to be government departments, banks and hospitals, which are being forced to own up to data breaches. The fines levied by the Office of the Information Commissioner are higher if the organisation is caught out rather than owning up to a breach.

In addition to lost data disks, there are paper records discarded in public dustbins and lost laptops by the boat-load. Security, which was trumpeted by ministers as being paramount, seems to have been very low on their priority list in their own domains. It is also lamentable that there has been a deliberate policy of hiding the facts from the people most at risk.

We must be vigilant as these data breaches might not affect us until some date in the future. Criminals will wait until the furore has died down before using the data illegally.

Let us make sure that 2014 is a year of increased data security. Here are a few precautions that can help to reduce the possibility of data loss:

  • Always shred or burn confidential documents or documents containing identifiable data;
  • Very confidential documents should be cross-shredded rather than strip-shredded;
  • Never give passwords or log-on information to email enquiries, telephone callers or visitors;
  • HMRC will never refund overpayments of tax to your credit card; it is a scam;
  • Be wary of emails directing you to a bank or other secure site which asks for personal information;
  • Never give passwords or PIN numbers to anyone calling on the telephone, even if they identify themselves as police or bank officials;
  • Be aware that information put into social sites such as Facebook may be visible to people other than the intended audience. Dates of birth, names and addresses, telephone numbers and details of family can be used to steal identities;
  • Never dispose of old computers, laptops or tablets until the hard drives have been removed or destroyed; remember that deleting or re-formatting the disk does not actually delete the data;
  • Never leave confidential documents on desks overnight or when unattended (clear desk policies);
  • Laptops should be secured with a multi-strand cable to an immovable object like a radiator when unattended;
  • Laptops should be password protected;
  • Laptops and tablets should be kept close to you in public places to prevent theft;
  • Laptop disks should be encrypted if the data is sensitive;
  • Never share passwords, and use complex passwords to prevent others gaining access to desktops and laptops;
  • When considering a complex password, use a £ as this is not available on non-UK keyboards;
  • Never leave desktops and laptops logged in and unattended.

The list goes on and on, but use common sense – assume that the worst may happen and take precautions to stop it, or at least reduce the chance of it.

Let us all have a happy and safe 2014.


Quality Matters has always considered data security a prime requirement, and the security of client data is paramount. To ensure that data security is achieved we use firewalls, anti-virus and anti-malware systems, encryption to Mil Standards, and physical security measures.

Every time a PC, server or laptop is retired, the hard drives are removed and the residual hardware broken down and disposed of in accordance with the WEEE Directive (WEEE is the Waste Electrical and Electronic Equipment Directive).

Recently we realised that we had quite a number of hard drives which had been removed from old equipment; these drives contain data which could be recovered. In the past we wiped the data from disks and sometimes reformatted them. We believed that this rendered the data unrecoverable. However, we stopped doing this some years ago when it became apparent that forensic data recovery was possible even though we had carried out wiping and reformatting.

What should we do with the ever growing store of used hard drives?  

We are based in Maldon in Essex and, while visiting one of our Clients, found almost by accident a company that would deal with our drives in a failsafe manner.

This company, EOL IT Services (www.eolitservices.co.uk), based on Baltic Wharf in Station Road, Maldon, has the answer. Hard drives can be securely wiped or destroyed. Destruction is totally secure, as the hard drive is reduced to granules. The granules are then recycled.

In addition, this company will take away redundant IT equipment and pay any residual value; any non-functional equipment is broken down and recycled. EOL IT Services has a zero-landfill policy and nothing is exported to the third world for recovery of metals etc.

We were very pleased with the speed, efficiency and cost effectiveness shown by staff at this company.  We will use them again and have passed their details to some of our Clients.


I visit quite a number of businesses each year, and those seeking certification to ISO 27001, the information security management standard, are rising in number.

The first step in any 27001 assignment involves a gap audit to see how near (or far) the company is from meeting this standard. Usually it transpires that some significant work is required to meet this exacting standard.

To put the standard into perspective: if ISO 9001, the quality management standard, equated to a molehill, then 27001 would equate to Everest. I hope I haven’t put you off!

One of the sections within 27001 deals with access control, and the part I want to cover is the control and use of passwords. Here are some rules for passwords:

  • Passwords should be complex, i.e. should be six characters or more and must contain at least one number, one uppercase letter and, if possible, a non-alphanumeric character. I often put £ in my passwords because only UK keyboards have this;
  • The password should not be in a dictionary, either forwards or backwards;
  • Never use Pa33w0rd (Password) or lEt m3 1n (letmein), or a pet’s or partner’s name;
  • Never disclose your password to anyone;
  • Change your password regularly;
  • Never write it down unless it is heavily disguised.

I see breaches of these rules on a regular basis including:

  • Post-it notes with the password stuck to monitors or under keyboards;
  • Passwords with three characters;
  • Passwords that are really obvious, like January-week 1, which increments to January-week 2 and so on.

Most systems can be hacked in a relatively short time, so I recommend that a computer should lock if more than a set number of incorrect passwords is entered. Make it harder and more time-consuming for the hacker.
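The password rules listed above and the lock-after-N-failures control just recommended, turned into code as an added example (not part of the original post). The checker undoes the digit-for-letter disguises the rules warn about, so Pa33w0rd and lEt m3 1n are caught as dictionary words, forwards or backwards; the limiter locks an account once too many failures land inside a time window. The word list, account names, and the limits of five failures in fifteen minutes are constructed for the demonstration.

```python
# Added example (not from the original post): a checker for the password rules
# listed above, plus the lock-after-N-failures control recommended for access
# control. The word list and the accounts below are constructed for the demo.
import itertools
import re
import time

# Constructed stand-in for a real dictionary or breached-password list.
WORDLIST = {"password", "letmein", "january", "welcome", "rover"}

# Letters that a digit or symbol commonly stands in for, so that "Pa33w0rd"
# and "lEt m3 1n" are still recognised as "password" and "letmein".
LEET = {"0": "o", "1": "il", "3": "es", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def deleet(pw: str):
    """Yield every plain-letter reading of a leet-speak password (spaces dropped)."""
    pools = [LEET.get(c, c) for c in pw.lower() if c != " "]
    for combo in itertools.product(*pools):
        yield "".join(combo)


def check_password(pw: str, wordlist=WORDLIST) -> list:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 6:
        problems.append("shorter than six characters")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol (recommended)")
    # Dictionary test forwards and backwards, after undoing digit substitutions.
    if any(c in wordlist or c[::-1] in wordlist for c in deleet(pw)):
        problems.append("dictionary word (possibly disguised or reversed)")
    return problems


class LoginLimiter:
    """Lock an account after `max_failures` bad passwords inside `window` seconds."""

    def __init__(self, max_failures: int = 5, window: float = 900.0):
        self.max_failures, self.window = max_failures, window
        self._failures = {}  # account -> timestamps of recent failed logins

    def _recent(self, account: str, now: float) -> list:
        return [t for t in self._failures.get(account, []) if now - t < self.window]

    def record_failure(self, account: str, now: float = None) -> bool:
        """Record a failed login; return True if the account is now locked."""
        now = time.time() if now is None else now
        self._failures[account] = self._recent(account, now) + [now]
        return self.is_locked(account, now)

    def is_locked(self, account: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        return len(self._recent(account, now)) >= self.max_failures
```

The `now` parameter exists so the window logic can be exercised deterministically; in production leave it unset.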

Let us make 2011 a more secure year for our computer systems. Remember that the data on your system is valuable, and its theft by others can cause a great deal of distress, if not financial loss.


There has been considerable interest, and dismay, at the number of times sensitive data has been lost or stolen; indeed, the amount of data lost seems directly proportional to the technological advances in devices, and perhaps to the stupidity or arrogance of their owners.

Desktop computers – these are sitting on our desks giving access to vast amounts of data, yet many people get up and leave their desks without a thought to the risk they are taking. I always lock my desk computer before leaving it, even for a few minutes, because I understand that a moment’s inattention could put my data at risk and seriously damage my reputation as a security-conscious individual.

Laptop computers – these are becoming smaller and smaller. My latest acquisition has an 8.9-inch screen and no hard drive, and is small enough to slip into my briefcase. The downside of this is that it is even easier to lose. I encrypt my data, so that would not be a problem, but the loss of the thing would be very inconvenient. The data is, however, safe.

Memory sticks and SDHC cards – probably the greatest threat to data known today. These tiny devices can hold gigabytes of data and yet can slip easily into a pocket. These devices should always be encrypted, but sadly many are not. All my data sticks have the ability to lock and encrypt data.

Mobile phones and PDA devices – most people do not activate the PIN lock to prevent unauthorised access, and as such they risk having their phone numbers taken, their email contact list taken and, if secret PIN numbers and passwords are stored, these too are at risk. Add to that the ability of many devices to access business systems and email remotely, and it is easy to see what a major security threat these unprotected devices can pose.

I use a PIN to protect my PDA and have set a PIN to protect the SIM card as well. If my device was lost or stolen, I can send it a text message which locks the PDA, and no amount of fiddling will unlock it, even if a new SIM card is inserted and the factory defaults enabled.

A recent survey mounted by the BBC shows just how many electronic devices are left in cabs. The number is staggering. The value of data and equipment is vast.

Moral – keep devices safe, encrypt data, and activate PIN locks on phones and PDAs.
