Posts Tagged ‘Data Protection Act’

29.2% of data breaches could be avoided just by insisting on encrypted USB sticks.

January 31st, 2012 by

Keep a step ahead, and stay out of trouble – deploy easy-to-use encrypted USB sticks today!

Introducing SafeXs – The Next Generation Safestick

SafeXs is a fully hardware-encrypted USB flash drive, fully manageable by SafeConsole.

Approved to FIPS 197/FIPS 140-2 and CESG Government standards, all portable data is 100% safe if the drive is lost. There are NO backdoors.

For management, SafeConsole enforces full, granular control, policy enforcement and auditing over an organisation’s SafeXs devices, and enables a host of productivity and management features.

For a limited time only, we are offering SafeConsole Lite free with a purchase of 25 sticks or more.

SafeXs FIPS 197 USB Stick Silver Package
Get SafeConsole Lite Free!

Various capacity options available:
FIPS 197 from just £48 and FIPS 140-2 from just £76.50

     

SafeConsole key features include:

  • Remotely KILL lost or stolen sticks
  • Full audit of all SafeXs use
  • Central backup / restore of user data
  • Reset forgotten user passwords via challenge / response
  • Push files and applications from a central location to SafeXs
  • Full protection from malware such as Conficker
  • Create trusted zones of users
  • Restrict files from being transferred in and out of the network
  • Write protect the drives so they can only be read outside of the company network
  • …plus much, much more.

Over 1 million SafeXs USB sticks are now in use in the NHS helping to keep patient data and other confidential data secure!

Buy your SafeXs today!

O2 suffers data leak – but do they care?

January 26th, 2012 by

Mobile giant O2 have suffered a couple of embarrassing gaffes this week. Firstly, it was revealed that they had inadvertently been passing their customers’ phone numbers on to any site that they visited when using O2’s 3G network on smartphones. With almost half of O2’s customers using smartphones, the data leakage could possibly have affected up to 15 million people.

O2 blamed a ‘technical’ glitch and has since stated the problem has been resolved and apologised to its customers. However, a leading consultant at Sophos, Graham Cluley, commented that such issues had “been known about for almost two years at least”.

The Guardian reported yesterday that O2 also ‘regularly hands over subscribers’ phone numbers to sites that offer age-restricted material and premium-rate billing, whether the users realise it or not.’

What?! I hear you cry. The Information Commissioner’s Office is considering investigating the incident; however, it seems unlikely that any action will be taken, as a mobile phone number on its own is not, in the eyes of the ICO, considered ‘personally identifying information’.

Even so, with your number being passed on to potentially anyone under the sun, you could be the subject of phishing attacks, reverse charge texts and unsolicited marketing.

These incidents further highlight what companies do with our data when we’re surfing the internet; and how little we actually know as consumers. And what can you do as a consumer? Where is the avenue for reproach? We’ll all be politely told that the issue was a ‘technical problem’ and has now been resolved. But when did we sign up for this in the first place? I mean if, when you bought your latest phone, there were questions like: “Would you like us to share your information with every single website you visited?” Or, “Would you like us to pass your details on to sex chat services?” You would tick yes to these?!

Often terms and conditions are deliberately confusing, long-winded and impenetrable for consumers, allowing the service provider you’re signing with the legal ambiguity to do with your information as they wish. But in the instances referenced in this article, this wasn’t the case. One was an error and the other – passing customer details on to premium and age-restricted sites – well, no one seems to know. O2 have thus far refused to comment. Are they allowed to do this?

One thing is for sure. Such instances cause huge brand damage and loss of custom. Retaining customer loyalty and brand image is of huge importance to all businesses and organisations. I dare say that if an SME suffered an instance like this, they would have a far more difficult time of it. Protection of customer data is important. The Data Protection Act says so.

But I often wonder, when the brand is so big and they have so much money, as in the instance of PlayStation last year, and now someone like O2, are they beyond the pale?

You can read more about data protection and the Data Protection Act here >>>

Hackers; where is the justice?

January 17th, 2012 by

It seems like every week we hear of a new news story where a company has been hacked, broken the Data Protection Act and/or fined. Although in these hacking stories the data of innocent people is often compromised, it seems like the blame is often being put upon the companies, when in fact it should be the hackers who are taking the blame.

After a data breach occurs, how much investigation goes into finding the hacker that committed the crime? Little? Or none? It is easier to blame the company where the attack occurred, issue a fine, and pronounce them incapable of looking after your data. But is this really the case? Lee Howell, Managing Director at the World Economic Forum, stated that “it’s impossible to be completely secure online”. So if this is true, then why should the victims (companies) be blamed? Yes, I agree that companies who manage sensitive data should take the necessary precautions and do everything they can to protect that data, but where does the justice lie for them if they did not commit the real crime?

Look at it this way: if you were to lock your house up at night (doors, windows etc.) before you went to bed, and you were burgled during the night, should it then be you who faces prosecution for not protecting your house properly, or should the person who broke into your house be prosecuted?

Lee Howell talks about social norms in terms of cyber crime, concluding that “we do not yet fully understand how social norms are shaped in the virtual world. Why is it that many people who would be ashamed to admit stealing a DVD from a shop will happily discuss illegally downloading a movie?” This relates to the point above about the current justice system for hackers and hacked companies.

It is important to note that one of the main reasons cyber criminals don’t get caught is the anonymity of it all. Hackers are often more technologically advanced than the people tracking them down, which can mean that most investigations come to a halt before they’ve even begun. You can find hacking software easily on the web, meaning that anyone can try their hand at it, which has been a major cause of the proliferation of hacking. Another main reason why hackers fail to get caught is the difficulty of cross-border policing. If you notice a computer attack that came from country X, tracking down that cyber criminal would be nigh-on impossible due to the different laws and regulations of the two countries. Adam Segal from The Diplomat says, “It’s hard to deter if you can’t punish, and you can’t punish without knowing who is behind an attack.” With so much difficulty in tracking down hackers, they often get away with the crime, but does their anonymity give them the right to this?

More attention should be put on the hackers themselves (tracking them down and prosecuting them), rather than the companies who suffer data breaches because of them. A unified approach and shift in focus will lead to a more realistic deterrent for cyber criminals, in the hope of breaking the cyber gang culture that is appearing across the web.

Food for thought anyway.

Bring Data Protection to Life

January 16th, 2012 by

“Excellent tutor, great facilities & lovely environment. Made complex subject easy to understand. The best Data Protection course there is!”
Jonathan Pillinger, Senior Associate, Corporate Compliance, Postcomm

With engaging tutors and interesting content, our DPA Foundation Course will bring data protection to life.

This interactive and enjoyable one-day course gives both new and experienced staff and management – those involved with or responsible for personal data – an overview of what the Data Protection Act means to their business and also to their own rights as an individual.

Here’s what some of our delegates thought about the course:

“‘Brought data protection act to life’ – engaging tutor”
Louise Gilbert, Project Manager, John Lewis Partnership

“Excellent enjoyable day, made subject very interesting.”
Emma Willoughby, HR Director, The Myton Hospices

DPA Foundation Course – in London

Price: £440.00

Book on this course today >>

Course delegates will go back to their companies with up-to-date knowledge of the current legal compliance position around personal data, including:

  • The 8 Principles of the DPA;
  • Powers of the Information Commissioner;
  • Individuals’ legal rights;
  • The new DPA enforcement regime;
  • Options available for ensuring compliance.

More to explore:

PCI Foundation Training Course
ISO27001 Certified ISMS Foundation Training
Digital Forensics Foundation Training
Will the ICO issue £1.8M in fines for ‘avoidable’ data breaches in 2012?

January 11th, 2012 by

The Information Commissioner’s Office (ICO) website shows that £541,000 in fines was issued during 2011 across 7 organisations, making the average fine £77,285! This does not count the fines issued by courts following a prosecution. This is an increase of 238% over 2010, when the power to issue monetary penalty notices was first introduced to the ICO.

In 2010 there were 2 fines issued for a total of £160,000. If the same percentage increase occurs in 2012, over 2011, total fines issued could be over £1.8M!

Avoid these fines for as little as £156. Here’s how:

Complete Data Protection Toolkit

Price: Just £156

This complete toolkit provides all the tools and resources you need to carry out your own DPA project and become compliant quickly and cost-effectively.

The proven do-it-yourself approach towards achieving DPA compliance!

In addition to purchasing the Complete Data Protection Toolkit, you should seriously consider attending, or sending your key data controller, on our 1-day DPA Foundation course. It combines a mixture of theory and group workshop sessions to examine the legislation and requirements on organisations handling personal data and explores methods of complying with the DPA whilst supporting business objectives.

The DPA Foundation course enables delegates to get to grips with the key concepts, obligations and rights granted by Data Protection law, including the latest revisions to UK Data Protection legislation.

I would like to thank the course tutor on behalf of the Troop for the in-house training that he delivered on Friday. Although I did not attend it myself, the guys got a lot out of the course and have now started firing questions at me (which means they were awake for the course!!!!!).
Please pass on my thanks to Ralph for a well structured and delivered course

SSgt Lee Johns, MOD

This popular course always sells out in advance, so book now to avoid disappointment!

 

You should also consider a broader staff awareness training programme as part of your DPA compliance project. We have drawn on years of Data Protection Act awareness training to produce the world’s most useful and complete online e-learning Data Protection Awareness course.

The public sector needs to put its house in order as the ICO requests powers of compulsory audit

December 21st, 2011 by

The Information Commissioner’s Office has formally requested greater powers to conduct compulsory audits of local government and public sector organisations.

The ICO presented the secretary of state with a business case stating that there were “particularly significant and widespread data protection compliance concerns” within the public sector.

The ICO presented statistics, which included the number of complaints of potential data protection breaches from individuals. Over the last five years local government (4,110) and the health sector (3,701) topped this list. Read the full report here.

2011 saw the ICO issue more fines than ever to public sector organisations. With these potential new powers of compulsory audit, the ICO will be clamping down even further in 2012.

Ensure you are compliant with the Data Protection Act for 2012.

Complete Data Protection Toolkit (Download)

Price: £156

ICT Strategy Toolkit
FREE with this best selling toolkit until December 23rd 2011!

The DPA toolkit contains all the tools, guides and documentation templates you need to become DPA compliant. The ICO is expected to come down even harder on those found to be in breach of the DPA in 2012. Can you afford not to be compliant?

Achieve DPA compliance for less than £156 with this toolkit >>>

More products to help you improve your data handling…

Data Protection Act Staff Awareness e-Learning Course
SafeStick (CESG Approved FIPS 140-2 Certified USB Stick)

Before you set out for the festive madness, you need to read this …

December 16th, 2011 by

Whether you love it or hate it, there’s no getting away from it. Christmas is just a week away! While most people are heading to the shops in a last-minute rush, you should treat yourself to a well-deserved break and kick back with a useful eBook this weekend.

 

Compliance by Design: IT controls that work
by Chong Ee

Price: £39.95

Availability: Immediate download

Reconsider how you view compliance – and your business will reap the rewards!

More to explore …

Data Protection Compliance in the UK: Second edition
Data Protection vs Freedom of Information (eBook)
PCI DSS: A Practical Guide to Implementing and Maintaining Compliance

Ensure you are DPA compliant for 2012 with this special offer toolkit

December 14th, 2011 by

Data protection is a critical issue for all businesses in both the public and private sector. You need to ensure the protection and correct management of sensitive data and customers’ details in both the physical world and cyber space.

You need to comply with the Data Protection Act. It is a legal requirement for all UK businesses. If you are found to be in breach of the DPA, you could be fined up to £500,000 by the Information Commissioner’s Office.

Our unique, user-friendly Complete Data Protection Toolkit will have you compliant in no time, and all for just £156.

Until the 23rd of December buy this toolkit and receive the ICT Strategy Toolkit free.

Complete Data Protection Toolkit (Download)

Price: £156

ICT Strategy Toolkit
FREE with these best selling toolkits until December 23rd 2011!

The DPA toolkit contains all the tools, guides and documentation templates you need to become DPA compliant. The ICO is expected to come down even harder on those found to be in breach of the DPA in 2012. Can you afford not to be compliant?

Achieve DPA compliance for less than £156 with this toolkit >>>

Don’t give cyber criminals an early Christmas present

December 1st, 2011 by

Don’t give cyber criminals an early Christmas present – protect your business via 3 optimal routes

With Christmas approaching and work slowing down, security measures are often more relaxed. STOP and THINK. This is the perfect time for a hacker to attack your business.

Build up your cyber security measures with one or more of these 3 optimal routes:

Get Staff Cyber Security Trained

Whether it’s for you, or your staff, this training course will provide a comprehensive education in ISO 27002 best practice and a recognised industry standard certification awarded by EXIN. Book now for the December course >>

Information Security Foundation based on ISO/IEC 27002

This course serves as a practical guideline for all members of staff as they initiate, implement and maintain an information security programme. An understanding of the best practice guidance as outlined in ISO27002 is essential to ensure compliance with ISO27001 in any organisation. Find out more>>

     

Use THE Cyber Security Toolkit

The all-inclusive, comprehensive No 3 Toolkit will provide you with everything you need to accelerate and develop an ISO 27001-compliant ISMS.

No 3 ISO27001 Comprehensive ISMS Toolkit

When you use our highly practical and informative books and tools to help you tackle the project, you receive unique guidance and support for your organisation – plus, with this package, you save money. Find out more>>

     

Get Cyber Security Qualified for just £500

With a growing demand for professionals possessing IS audit, control and security skills, CISA has become the preferred certification program for individuals and organisations around the world. If you’re interested, then take advantage of our fantastic saving on our CISA course.

CISA – Certified Information Systems Auditor Training Course – In London EC4N

RRP: £1,595.00
Price: £500.00
You Save: £1,095.00

Saving over £1,000, this course is run by ITG Training, the official UK reseller of ISACA’s CISA materials. This course will offer you concise exam preparation so you will feel ready for sitting the exam – and passing first time! Find out more>>

Don’t give cyber criminals an early Christmas present. Protect your business with one or more of the options above and you’ll be able to have a very Merry Christmas!

Cut bank fees and avoid double fines, learn how with this combination compliance course

December 1st, 2011 by

Banks are charging higher fees by default to merchants that have not proved compliance with the Payment Card Industry Data Security Standard (PCI DSS). You could be paying much more than you need to – FACT!

In addition to these extra charges, the Information Commissioner’s Office (ICO) has made it absolutely clear that organisations found to be non-compliant with PCI DSS, and having suffered a data breach, will be deemed non-compliant with the Data Protection Act (DPA) and will be fined up to £500,000. Double penalties are a very real risk, as well as reputation damage and diminished customer loyalty!

Tackle both compliance challenges together for just £600!!!

DPA and PCI Foundation Combination Course
13-14 December 2011 in London

RRP: £935.00
Price: £600
You Save: £335.00

Tackle both compliance challenges together, once and for all, this December …

This December we are holding our best selling DPA and PCI foundation courses back-to-back to allow organisations, such as yours, to get to grips with these important compliance issues.

If you book these courses separately, the cost would be £935. This combination course allows you to book for just £600, saving you £335 in the process!

Don’t miss out! Book on the PCI and DPA course now >>