Welsh Councils break DPA 2.5 times a week

April 15th, 2014

It’s quite a staggering statistic: 135 breaches of the Data Protection Act (DPA) by Welsh councils in 2013, more than double the 60 breaches in 2012.

This basically means that every other day the DPA is being broken in a council in Wales. This information came to light after a Freedom of Information request by the BBC.

Nearly all councils in Wales breached the DPA last year. Breaches ranged from financial and personal information sent in error, data being lost, a failure to encrypt data and confidential papers being left on public transport.

Breathe a sigh of relief if you live in the Blaenau Gwent, Ceredigion, Neath Port Talbot, Vale of Glamorgan and Swansea areas as these councils reported no breaches last year.

Anne Jones, Assistant Information Commissioner for Wales, said: “It’s important local authorities live up to their legal responsibilities under the Data Protection Act.”

“Keeping people’s personal information secure should be hardwired into their culture as losses can seriously affect reputations and as a consequence, service delivery”.

Manage sensitive data with BS10012

So what can these councils do to better manage the confidential data they handle?

BS10012 is the British best-practice Standard that provides the specification for a Personal Information Management System (PIMS). It details the actions that organisations should take to ensure they comply with UK data protection and privacy laws.

Learn more about BS10012 and compliance to the UK Data Protection Act.

The secrets behind the undisclosed Chinese cyber threat

April 14th, 2014

That a number of major western companies and government agencies have been attacked by hackers in the last five years will come as no surprise; we’re becoming increasingly inured to the idea that cyber attacks are now the norm. That those organisations should choose to remain silent about the attacks, however, is unusual.

There are many reasons that so few organisations reveal having been hacked. They might not realise they were hit. If they do know that they were hit, they might not have sufficient information about the attack, and be unaware of where it came from or who perpetrated it. They might prefer not to announce their vulnerability due to the nature of their work: the negative publicity and reputational damage engendered by disclosing a breach can have a significant impact for many companies, especially those in the security industry (for example, defence contractors). In the case of human rights organisations, they might just be afraid.

This raises an obvious question: should it be mandatory for US organisations to inform the public when they’ve been attacked, like the proposed EU data protection legislation recommends in Europe?

NASA, Coca-Cola and Lockheed Martin have all been hacked in recent years, but in each case it was some time before the fact was revealed. It’s believed that many of these attacks originated in China, but that remains difficult to prove, so organisations are hesitant to point the finger. Blaming China also makes it difficult for large organisations to do business with the world’s second largest economy.

The New York Times and Google were also hacked, but are unusual in publicising this information, and for blaming China for their attacks. Indeed, their openness has been seen as a positive step in addressing the effects of international cyber warfare.

US Defense Secretary Chuck Hagel is currently on a 10-day trip to the Asia-Pacific region, and his meeting with Chinese Defence Minister Chang Wanquan on Tuesday focused on Chinese cyber attacks, among other topics. The Pentagon having recently announced plans to more than triple its cyber security staff, the US took the unusual step of trying to reassure China about its cyber strategy, clearly hoping that China would reciprocate by being more open about its use of cyber attacks. China is yet to respond.

For more information on this subject, read 21st Century Chinese Cyberwarfare, which argues that the People’s Republic of China uses cyber warfare to promote its own interests and enforce its political, military and economic will on other nation states.

For a wider view of what cyber security means, read CyberWar, CyberTerror, CyberCrime and CyberActivism, which will help you make the most of international standards and best practices to create a culture of cyber security awareness within your organisation that complements your technology-based defences. 

(Image source: Silicon Angle)

IT Governance Nominated for European Security Blogging Award

April 14th, 2014

For the second year running, a selection of Europe’s top security bloggers will be competing for several European Security Blogging Awards.

IT Governance is very proud to announce that it has been nominated for ‘Best Corporate Security Blog’. Over the last few years our team has worked tirelessly to turn the IT Governance blog into a portal of useful information about information security and other IT governance, risk management and compliance (IT GRC) areas. We are very proud to be nominated for an award recognising our commitment.

Other high-profile bloggers such as Graham Cluley and Brian Honan (an ITGP author) have been nominated across several awards, making for a very healthy competition.

If you’d like to cast your vote then you can do so by visiting the European Security Blogging Awards voting page.

The awards will be held at InfoSec on 30th April – you can register to attend InfoSec here – www.itgovernance.co.uk/infosec2014.aspx

We would like to thank all of our readers who have helped make the IT Governance Blog a success, and we look forward to continuing to provide you with valuable information in the future.


COBIT 5 for cyber security: want to know more?

April 14th, 2014

COBIT® 5 is often seen as merely a business framework for the governance and management of enterprise IT, but what some don’t realise is that it can be used to address the growing threat from cyber crime.

It provides a means to address cyber security in a systematic way and to integrate it with an overall approach to security governance, risk management and compliance. Furthermore, it has now been included in the new US Cybersecurity Framework, which maps to COBIT 5.

With the release of COBIT 5, ISACA recognised the need for clear guidance on how information and cyber security issues could be addressed using the framework. This leverages the core principles at the heart of the framework and the relevant enablers to deliver a holistic approach to information and cyber security.

ISACA provides guidance on the topic of employing COBIT 5 to address cyber security in COBIT 5 for Information Security and Transforming Cybersecurity Using COBIT 5.

Find out more from Sarb Sembhi of ISACA

To find out more about how COBIT 5 can be leveraged to help you address the cyber crime menace, attend the ISO 27001:2013 and PCI DSS V3 – new Standards in the Global Cyber War event in London on 8 May.

Sarb Sembhi of ISACA London will be giving a talk at the event on how COBIT 5 can be used to address cyber threats.

Do you use a penetration testing tablet?

April 11th, 2014

As a penetration tester, you’ll know that having the right tools for the job is of critical importance. A new weapon in the arsenal of penetration testers is the penetration testing tablet. These devices, such as the Pwn Pad 2014, provide a highly flexible and convenient means to pen test a network.

Read a review of the Pwn Pad 2014 by a professional penetration tester.

Packed full of the latest penetration testing apps, these devices are ideal for penetration testing professionals and ethical hackers who are always on the go, and who don’t want to carry around bulky laptops or other large pen testing equipment.

If you haven’t selected your penetration testing tablet yet, we recommend the Pwn Pad 2014. Our own technical services team use the device and have found it to be a more than capable penetration testing tool.

See the Pwn Pad 2014 in action

Want to know more about the Pwn Pad 2014? Come and see the device in action at our event in London on 8 May at the Churchill War Rooms.

Has the board’s perception of cyber security changed with the changing cyber risk environment?

April 11th, 2014

I hope that it has. As cyber risks proliferate it is important that cyber security is driven from the very top of the organisation. Organisations that manage cyber risk effectively are in a better position to take advantage of new business initiatives, new technological advancements, and, importantly, to win new customers and contracts.

The realisation that big data, Cloud, Internet of Things (IoT), Bring Your Own Device (BYOD) and social media are creating as many threats for businesses as they create opportunities is important for addressing cyber security at an organisational level. According to Information Week Research: State of Cloud Computing, 51% of organisations are reluctant to migrate to the Cloud due to concerns about data security flaws. This highlights the fact that many business owners are sacrificing effectiveness and innovation out of fear of a data breach.

Following the success of its first Boardroom Cyber Watch 2013 Survey, IT Governance has launched the Boardroom Cyber Watch 2014 Survey again this year. It aims to find out how business owners, board directors and IT professionals are adapting to the constantly changing array of cyber risks. The survey will be followed by an incisive report that will shine fresh light on this and other issues.

Take part in the Boardroom Cyber Watch 2014 Survey today – it is multiple choice and takes less than 5 minutes to complete.

You will receive a free copy of the IT Governance report on company directors and IT security, and will be entered into a prize draw to win a Samsung Galaxy Tab 3.

Please note: the survey closes at the end of April and the results will be published in May 2014.

Deal With 2016 Cyber Threats Today

April 10th, 2014

The Information Security Forum (ISF) has recently published its forward-looking report on the security threats and cyber landscape of the future, ‘Threat Horizon 2016 – on the edge of trust’.

This annual report attempts to identify what the cyber security issues will be in two years’ time and what organisations need to do now to mitigate the possible threats and scenarios they will face.

The forecast doesn’t look good. Heavily influenced by Edward Snowden’s revelations of cyber surveillance by the US government, the Threat Horizon report cites a breakdown in trust between individuals, business and governments.

It also brings into focus increased cyber risks caused by inadequate cyber defences, a lack of encryption, poorly designed mobile applications and a shortage of skilled cyber security professionals.

The report states that organisations must build cyber resilience now: the ability to defend against cyber attack whilst also having provisions in place should an attack occur.

The threats identified included:

  • Service providers become a key vulnerability: cyber criminals target the supply chain rather than the organisation itself.
  • Big data = big problems: be wary of making strategic decisions based on incomplete data sets.
    • Ensure the organisation has the skills to analyse big data properly and apply it to cyber security issues.
  • Mobile apps become the main route for compromise: cyber criminals target mobile apps as their fast paced development often means a lack of security.
  • Encryption fails: due to the huge increase in processing power combined with poorly designed software.
  • Skills gap becomes a chasm.

The cyber threat landscape won’t wait for you. You need to address 2016 threats now. Developing an enterprise wide cyber resilience strategy is essential for all businesses.

Get started today by downloading our free Green Paper: Cyber Resilience: Cyber Security and Business Resilience

OpenSSL & Heartbeat Explained

April 10th, 2014

Over the last few days the press has been full of stories about the vulnerability in OpenSSL that allows unauthenticated retrieval of memory blocks up to 64kB in size – and that retrieved memory could contain encryption keys. This vulnerability has been officially recorded as TLS heartbeat read overrun (CVE-2014-0160) and is a serious vulnerability which has a CVSS2 Base Score rating of 9.4. There is an official fix for the vulnerability, which requires either installing OpenSSL 1.0.1g or recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS compile flag set.

The vulnerability does not affect all deployments of SSL, only those which use vulnerable installations of OpenSSL, so Microsoft-based installations should not be affected. A key check for organisations will be to scan their servers to see if they are affected. Vulnerability scanner vendors such as Tenable have released plugins or modules that detect this vulnerability through their update services, such as the Nessus ProfessionalFeed. Nessus released its plugin and announced it on its RSS feed on Wednesday. As the vulnerability has been announced and exploits are publicly available, it is now critical that organisations patch their servers before the attackers successfully use the exploit. This exploit is suitable for the lesser skilled “script kiddies” to use, so it can be expected that attacks will be conducted out of curiosity by the vast army of script kiddies out there.

Organisations must determine if they are vulnerable, patch and then gain assurance the patch has been successfully deployed. The use of vulnerability scans and 3rd-party penetration testing can help with this activity. Once patched, an organisation can then advise its users on the best action to take, such as changing passwords.
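The first and third steps above (determine whether a host is vulnerable, then confirm the fix landed) can be partly automated from the output of `openssl version -a`. The following checker is an added example and is not code from the original post or from the OpenSSL project; it encodes the upstream affected range for CVE-2014-0160 (1.0.1 up to and including 1.0.1f, plus the 1.0.2-beta1 pre-release; 0.9.8 and 1.0.0 never contained the heartbeat code) and treats a build whose compiler line shows `-DOPENSSL_NO_HEARTBEATS` as fixed, matching the two remediation routes the post names. The sample banners are constructed for the example.

```python
import re

# First upstream release with the fix, per the advisory for CVE-2014-0160.
FIXED_LETTER = "g"   # 1.0.1g

# Matches "OpenSSL 1.0.1e 11 Feb 2013" and "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def parse_version(banner):
    """Return (major, minor, patch, letter, prerelease) from an `openssl version` line."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter, pre = m.groups()
    return int(major), int(minor), int(patch), letter, pre


def heartbeats_compiled_out(version_a_output):
    """True if the build flags shown by `openssl version -a` disabled the heartbeat code."""
    return "-DOPENSSL_NO_HEARTBEATS" in version_a_output


def assess(version_a_output):
    """Classify an `openssl version -a` dump as 'vulnerable', 'fixed' or 'not_affected'.

    Upstream version numbers only: see the usage note about distribution backports.
    """
    major, minor, patch, letter, pre = parse_version(version_a_output)
    if heartbeats_compiled_out(version_a_output):
        return "fixed"                      # remediation route 2: heartbeats compiled out
    if (major, minor, patch) < (1, 0, 1):
        return "not_affected"               # 0.9.8 / 1.0.0 never had the extension
    if (major, minor, patch) == (1, 0, 1):
        # "" (plain 1.0.1) through "f" are vulnerable; "g" and later carry the fix.
        return "vulnerable" if letter < FIXED_LETTER else "fixed"
    if (major, minor, patch) == (1, 0, 2) and pre == "beta1":
        return "vulnerable"                 # the one affected 1.0.2 pre-release
    return "fixed"


# Constructed sample output of `openssl version -a` on three hosts.
SAMPLE_VULNERABLE = """OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Feb 11 12:00:00 UTC 2013
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -O3 -Wall
"""
SAMPLE_PATCHED = """OpenSSL 1.0.1g 7 Apr 2014
built on: Tue Apr  8 09:00:00 UTC 2014
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -O3 -Wall
"""
SAMPLE_NO_HEARTBEATS = """OpenSSL 1.0.1e 11 Feb 2013
built on: Wed Apr  9 15:30:00 UTC 2014
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS -O3 -Wall
"""


def assess_fleet(outputs):
    """Map host name -> verdict for a dict of collected `openssl version -a` outputs."""
    return {host: assess(text) for host, text in outputs.items()}


if __name__ == "__main__":
    fleet = {
        "web-01": SAMPLE_VULNERABLE,
        "web-02": SAMPLE_PATCHED,
        "vpn-01": SAMPLE_NO_HEARTBEATS,
    }
    for host, verdict in sorted(assess_fleet(fleet).items()):
        print("%-8s %s" % (host, verdict))
```

One caveat a practitioner should build in: Linux distributions commonly backport the fix without changing the upstream version letter, so a host reporting 1.0.1e can be patched at the package level while this check still says "vulnerable". Treat the version check as a triage aid, and rely on the vendor's package changelog and an authenticated scanner plugin, as the post recommends, for final assurance that the patch has been deployed.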

Managing cyber risks effectively can also help manage IT costs

April 10th, 2014

A coherent cyber risk management strategy, aligned with business objectives, enables organisations to mitigate cyber attacks more effectively by focusing IT spending on the right areas.

A client of IT Governance recently expressed their concerns regarding the increasing number of data breaches in the news. To reduce the likelihood of a data breach, this same client has bought different types of anti-malware software in the hope that this will more effectively protect the organisation from cyber attacks. Has this client made the right investment on the right software, or have they lost money?

While technology plays an important role in protecting yourself against cyber crime, it’s not enough. Organisations need to look at the processes that drive the technology and the people behind those processes.

Organisations are not making the right level of investment in information security

More than 40% of the 260 respondents who took part in the IT Governance Cyber Watch Survey 2013 admitted that they weren’t making the right level of investment in information security. Buying software licences is an easy way of ticking a box, but it can be expensive without resolving the issues at the core of robust, dependable information security.

The role of cyber security standards for managing IT costs

There are various standards and frameworks that can serve as guidance for managing cyber risks, but ISO27001 is considered the most robust and comprehensive.

Implementing ISO27001 – the international information security standard – can help businesses rationalise and reduce their security expenditure and the impact of cyber crime. The Case for ISO27001:2013 explains the business benefits of adopting ISO27001, including an increased ability to manage and control the costs of information security solutions.

Book a FREE Compliance Surgery at InfoSecurity Europe 2014

April 10th, 2014

Infosecurity Europe is the most important date in the calendar for information security professionals across Europe. Taking place at Earl’s Court in London from Tuesday 29 April to Thursday 1 May, the event will feature over 325 exhibitors, approximately 13,000 visitors and a diverse range of new products and services.

IT Governance will be at Infosecurity Europe (Stand F103) and we would like to offer you the opportunity to set up a 1:1 meeting with one of our expert consultants.

Make the most of your time at the event and reserve an appointment with an IT Governance specialist by booking a FREE 15-minute expert compliance surgery.

Our team of experts will help you to understand and make progress with:

  • ISO27001
  • PCI DSS compliance/completing self-assessments
  • Data Protection Act (DPA) regulations and responsibilities
  • ISO22301 Business Continuity Management Systems
  • ITIL/ISO20000 IT service management compliance
  • NHS N3/IG toolkit submissions/self-assessments
  • European directives (e.g. European e-Privacy directive).

Compliance surgery appointments are accessible to all Infosec visitors and are available throughout the full three days, at a time convenient for you.

Book your FREE 15-minute session today:

Online: www.itgovernance.co.uk/infosec2014.aspx
Email:   events@itgovernance.co.uk
Telephone:   0845 070 1750
