Posts Tagged ‘Data Security’

Welsh Councils break DPA 2.5 times a week

April 15th, 2014

It’s quite a staggering statistic: 135 breaches of the Data Protection (DPA) Act by Welsh Councils in 2013: more than double the 60 breaches in 2012.

This basically means that every other day the DPA is being broken in a council in Wales. This information came to light after a Freedom of Information request by the BBC.

Nearly all councils in Wales breached the DPA last year. Breaches ranged from financial and personal information sent in error, data being lost, a failure to encrypt data and confidential papers being left on public transport.

Breathe a sigh of relief if you live in the Blaenau Gwent, Ceredigion, Neath Port Talbot, Vale of Glamorgan and Swansea areas as these councils reported no breaches last year.

Anne Jones, Assistant Information Commissioner for Wales, said: “It’s important local authorities live up to their legal responsibilities under the Data Protection Act.”

“Keeping people’s personal information secure should be hardwired into their culture as losses can seriously affect reputations and as a consequence, service delivery”.

Manage sensitive data with BS10012

So what can these councils do to better manage the confidential data they handle?

BS10012 is the British best-practice Standard that provides the specification for a Personal Information Management System (PIMS). It details the actions that organisations should take to ensure they comply with UK data protection and privacy laws.

Learn more about BS10012 and compliance to the UK Data Protection Act.

The 5 most common types of data stolen

March 18th, 2014

Cyber attacks have become a regular occurrence in the last few years; in fact, you can’t turn the news on without some mention of a business suffering an attack. Most attacks are fuelled by criminals looking to steal valuable information, but what type of information is being stolen?

According to a report by Veracode, the top 5 types of information that are stolen are:

Payment Data

No surprises here of course. Card payment data is a very attractive form of information for cyber criminals to steal. Card data provides quick access to money in multiple ways, such as siphoning the victim’s account, using their card for purchases or selling it on the black market.

Selling and purchasing card payment data online is terrifyingly easy, so easy in fact that you could have bought several card details in the time it’s taken you to read this far.

Authentication Details

Details that allow authorised access into online systems are very valuable on the black market. Imagine the price tag on login credentials for the email address of a celebrity, or the president of an international bank.

Unfortunately, humans are subject to bad habits such as using the same password for several online accounts. So if cyber criminals manage to get hold of your Facebook password, they will most likely be able to log in to any of your accounts.

Copyrighted Material

Why would a cyber criminal pay for software when they could just steal it? With most websites being vulnerable to attack, a cyber criminal could in theory steal any software they fancy, costing organisations a large sum of money.

Medical Records

Thieves could sell your stolen personal health information on the Internet black market, use your credentials to obtain medical services and devices for themselves and others, or bill insurance companies for phantom services in your name.

Medical ID theft is worse than financial identity theft, because there are fewer legal protections for consumers. Many victims are forced to pay out of pocket for health services obtained by the thieves, or risk losing their insurance and/or ruining their credit ratings.

Classified Information

Depending on how you define classified, this could include information such as your organisation’s top secret product idea or the code for your security door. Either way, if it’s labelled classified then you don’t want it to be in the hands of cyber criminals.

Protecting this information

There is a high chance that the five forms of information listed above can be found on your organisation’s network, so what are you doing to protect it?

What you should be doing is carrying out regular vulnerability assessments of your network to identify where you are vulnerable. After a vulnerability assessment is carried out, you should be conducting a risk assessment to identify critical components which will, if compromised have a high impact on the organisation. Finally, these systems should then be penetration tested to identify if they are exploitable and what the impact would be.

IT Governance is currently running a 20% discount on its CREST-accredited pen testing services if booked before 28 March 2014.

The Internet of Things – a new cyber crime target

February 10th, 2014

As we enter the era of the Internet of Things (IoT), our homes are becoming increasingly populated by devices that are connected to the Internet in order to share information with each other and the external world more easily. Ranging from smart phones and smart TVs to motor-cars with 4G and Wi-Fi, from automated household appliances to sophisticated business tools, these web-connected smart devices are collectively known as the Internet of Things. According to a Cisco report, it’s predicted that 50 billion objects worldwide will be connected to the internet by 2020.

The benefits that the Internet of Things can bring are numerous, but so are the concerns that it can facilitate cyber attacks. According to a Proofpoint report on cyber attacks, cyber criminals are beginning to target home appliances and smart devices. Compromise of these Internet-connected devices often has significant implications for their owners. They are easier to hack because they don’t have robust security measures, such as strong passwords, in place, so they are obviously easier to infiltrate and infect than PCs, laptops or tablets.

Organisations using the Internet of Things can see huge benefits such as greater efficiency, lower costs, improved services, greater accessibility to information, increased employee productivity and higher customer satisfaction. But although there are numerous benefits, organisations face grave risks such as espionage, corporate and personal data breaches, theft of intellectual property, and attacks on infrastructure components, because these components are more exposed to the internet. Manufacturers of smart devices need to start focusing on building more secure tools for organisations and individuals, and organisations should implement robust measures to secure their infrastructures and business information.

According to an ISACA report on how European IT professionals perceive the Internet of Things, 27% stated that the risk outweighed the benefits. 39% of respondents said that increased security threats were seen as the biggest governance issue, followed by data privacy at 26%.

European Internet users are very concerned about cyber security. According to the Eurobarometer report carried out by the European Union in 2013, 28% of Europeans don’t feel safe when simply browsing the Internet and carrying out online transactions. The main fears among European Internet users are that personal information is not kept secure by websites and organisations, and that banking information can be stolen and bank accounts hacked while transactions are carried out. Of European Internet users, 84% use the internet for email access, 50% for commercial transactions and 48% for online banking; the Swedish, Dutch and Danish are the most frequent users, but they are also the ones who feel better informed about cybercrime and cyber security. In contrast, the Romanians, Hungarians and Portuguese are less likely to use the internet for e-commerce and feel less informed about cyber security, and as a result are more concerned.

With a robust Information Security Management System (ISMS) in place, customers and clients will feel more secure when making online transactions, will build trust towards organisations and will experience greater customer satisfaction. IT Governance EU thinks that cyber security training courses are necessary for individuals and organisations in countries like Portugal, Hungary and Romania in order to raise awareness of cyber security risks. ISO 27001 ensures organisations are protected from information risks and threats which could otherwise lead to reputational damage, financial repercussions and the loss of assets. The ISO27001 Certified ISMS Foundation Training Course is an introductory course which raises awareness and builds information security knowledge. For those who need an advanced level of training to deliver information security management to an organisation, we recommend attending the ISO27001 Certified ISMS Lead Implementer Online course, which is designed to give comprehensive and practical advice for implementing and maintaining the requirements of ISO27001.

We recommend downloading our ISO27001 & Information Security green paper overview, which gives organisations the foundation to start their implementation towards better security. Download our free green paper on information security and ISO27001 >>

IT Governance is a specialist in helping organisations with cyber security, cyber governance and cyber compliance. Find out more about our products and services here.

For more information about IT Governance training courses call us on 00 800 48 484 484 or email us at

Yahoo Mail suffers another cyber attack

January 31st, 2014

Have you checked your Yahoo account this morning? I suggest you do. Yesterday Yahoo announced that its email service had suffered a cyber attack, resulting in the usernames and passwords of an undisclosed number of users being compromised.

It’s always fun isn’t it when they don’t tell you how many accounts have been affected. 3? 3,000? 3 million?! (For the record Yahoo has 273 million accounts worldwide). Anyway, best to log in (if you can) and get that password changed. Something like your birthday, password 123 or qwerty should be fine. Sorry I’m being flippant (it sometimes happens on a Friday). It’s just that I discovered this week that 40% of all passwords appeared in the top 100 list of passwords. Basically a bunch of keys for hackers. Try enough locks and you’re going to open 40% of doors.

Anyway, back to Yahoo. In a blog published on their website yesterday they stated:

Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.

What’s the potential damage, I hear you ask. Well, it could be anything from targeting email addresses for spam or scam messages to using the details for banking and shopping sites. Add in the fact that many of us use the same password across multiple sites, and that if a hacker had access to your email account they could simply send themselves a password reminder, and the alarm bells start ringing.

It’s Friday so I’m not going to lay any particular blame at anyone’s door. You can draw your own conclusions. What I will say is this: we all need to do more.

Individuals need to use better, stronger (and not repeated!) passwords and educate themselves about how to be safer on the internet. Organisations need to do more to secure their databases, networks and our personal information. We’ve been living in the digital world for a while now. It’s time everyone took more responsibility for their digital existence.

Take advantage of IT Governance’s free resources:

ICO Reports 25% Increase in Data Breaches in Q3

January 29th, 2014

The Information Commissioner’s Office (ICO) published its Q3 statistics this week, revealing that reported data breaches rose by 25% in the third quarter. The continued upward trend saw 420 reported breaches, up from 397 in the previous quarter, and a running total of 1152 for the financial year.

As for the type of breaches, the usual offenders headed the list: personal information being disclosed in error, lost or stolen paperwork, and loss of hardware containing sensitive information.

What’s clear to me here is that most of the breaches could have been prevented. The implementation of proper data handling procedures and some simple staff training could have reduced the number of these incidents.

These solutions aren’t expensive, especially when you consider the powers of the ICO to fine up to £500k. If you’re unsure about whether your data handling processes are sufficient and compliant with the Data Protection Act, I suggest you take a look at a DPA guide or a DPA Foundation training course.

And the gold medal for the most breaches goes to…

The health sector - Accounting for 38% of all breaches, the health sector takes home its third gold medal of the year. I’m being slightly mean though, as it should be noted that the NHS is obliged by law to report breaches.

If all organisations were subject to this obligation I’d expect the total figure of breaches to be drastically higher!

You can view the full breakdown of breaches by industry and incident type here on the ICO’s official website.

2014 is a very important year for all things data related. Breaches continue across the public and private sector, and there have been several huge incidents involving the US retailers Target and Neiman Marcus. 2014 is also the year when the proposed EU Data Directive is set to be finalised and come into force.

There will undoubtedly be more scrutiny on how all organisations handle data; it’s also in your own interest to look at and improve how you handle and store data.

My advice: act now and get your data house in order.

The pocket guide ‘Data Protection Compliance in the UK’ is a pretty good place to start.

How much custom would you lose from a data security breach?

October 30th, 2013

We take it for granted nowadays that we can work pretty much wherever we are. The majority of us use laptops, tablets and smartphones for work as well as for leisure, Wi-Fi is by and large available wherever we go, 3G and increasingly 4G service is the norm, and cloud computing means we can access our data on the move. But an increasing reliance on virtual networks means sensitive data is more and more vulnerable to targeted attacks. Web-based applications may be convenient for you and your workforce to operate wherever you are, but they are also convenient for cyber criminals, as your and your customers’ information is more exposed.

US Government hacked

In the news this week, it was reported that 28 year-old Lauri Love from Stradishall in Suffolk was arrested in a joint operation by the UK’s National Crime Agency and the FBI on suspicion of hacking into US Army, NASA and government computer systems and allegedly stealing data on thousands of individuals, causing $25,000-worth of damage. If a vicar’s son in East Anglia can hack into the networks of some of the most powerful organisations in the world, what chance do you stand?

You are vulnerable too

FireHost this week reported a 32% rise in the third quarter in cross-site scripting (XSS) and SQL injection activity targeting web applications carrying sensitive information. Evidence shows that SQL injection attacks are becoming more automated as hackers and cyber criminals move away from enterprise infrastructure attacks and instead identify and exploit vulnerable application assets. Automated scanning means that even if you are a relatively small, unknown organisation, your web presence will be found. This puts any business with hosted resources at risk, including yours. It isn’t scare-mongering but fact: it’s not a matter of if you will be attacked; it is a matter of when.

How would your customers react?

Elsewhere, a Harris Interactive survey commissioned by Cintas Corporation has revealed that two thirds of US adults would take their business elsewhere after a data breach. Whilst these results may seem on first glance to be specific to the US, there can be no doubt that their application is global, and the message is clear: you only get one chance. If your data is breached, your customers could go straight to your competitors and not come back.

How can you prevent attack?

Penetration testing identifies the vulnerabilities in your information security systems by simulating a malicious attack, testing known and unknown weaknesses in your security arrangements, including open ports, Wi-Fi passwords, packet sniffing, phishing schemes, browser exploits and social engineering. Whether complying with the DPA or other data protection laws, or meeting business, legal and contractual requirements in line with ISO27001, organisations must carry out penetration tests at least quarterly on all their Internet-facing websites.

50% discount

IT Governance currently has a special 50% discount offer on all our CREST-accredited penetration testing services booked by the end of November 2013. Visit our website or call us today on 0845 070 1750 to find out how we can address your security needs.

Snowden: One of the worst information leaks in US history

August 23rd, 2013

Edward Snowden, a former CIA worker, leaked materials to the media that allegedly showed the US to have conducted widespread and illegal surveillance of its citizens and other nations.

Reports from the Guardian and Washington Post claim that the US National Security Agency (NSA) has been illegally collecting millions of telephone records from Verizon customers, along with emails, live chats and search histories from Facebook and Google, and had even bugged EU offices in Washington and the UN headquarters in New York.

What this news story boils down to is that an employee had access to sensitive information that he decided to leak for personal reasons.

This raises all kinds of questions for the CIA. Was there adequate screening for his role? Did he have more access than he needed? Was he left unsupervised for long periods of time?

In turn, you could ask this of yourself. Do you monitor your staff regularly? Do you ensure appropriate information security training is enforced?

An employee leaking sensitive data from your organisation may not have the same impact that Snowden has caused, but it will cause you brand damage, it will cost you and you will have breached the law.

Everything is relative. If one person can bring down US security, think what one person, armed with the right information, could do to your business.

One of the first steps every organisation should take is to conduct a risk assessment. This will help you assess areas of weakness and the vulnerabilities posed by internal and external threats. Find out more >>

9 out of 10 senior staff members have BYOD access to corporate data in Australia

August 7th, 2013

A ZDNet survey of IT decision makers in Australia has today revealed that 89% of senior managers have access to corporate data on their own personal mobile phones.

The survey also finds that nearly half of the respondents reported that their organisation does not have a formal, documented security policy. Turning the focus to best practice, only 17% of respondents said that their organisation is certified to ISO27001, with an additional 11% currently undergoing certification. That in turn shows that a not insignificant 72% of the respondents’ organisations have not considered, or are not pursuing, certification to ISO27001.

ISO27001 is the internationally recognised best-practice standard for an information security management system, which underpins intelligent cyber security risk management strategies. Closely related to cyber security, ISO27001 specifies the requirements for an Information Security Management System (ISMS) against which an organisation can be audited and certified.

Leaving mobile phone access so unrestricted leaves the confidentiality, integrity and availability of an organisation’s sensitive corporate data vulnerable to loss or misuse through malware, hacking or simply the physical loss of a phone. Mobile Security: A Pocket Guide addresses the key themes of mobile security and covers the safeguarding of sensitive information, the use of encryption, employee boundaries and virus protection.

The honest assessment, from within, of BYOD (Bring Your Own Device) information security practices in Australia must act as an embarrassing wake-up call. Just as an embarrassing ring tone on a phone causes its owner to swiftly stop it ringing, so must IT Directors and Managers firmly grasp their policies and practices, tightening access and improving security.

ISO27001 certification brings many benefits, including international recognition, commercial advantage over non-certified competitors, improved business practices and regulatory compliance.

Download a free copy of our Information Security & ISO27001 Introduction Green Paper to find out more >>

Revealed: How much you should spend to prevent data loss

August 7th, 2013

Here’s an interesting statistic: cyber crime costs organisations 2.7% of turnover.

The Irish Times have reported this statistic following the annual Deloitte Information Security and Cybercrime Survey.

In our recent Boardroom Cyber Watch 2013 survey, we revealed that nearly half of organisations admit they don’t make the right level of investment in information security – or don’t know.

So how much should organisations spend in order to prevent a data loss?

If cyber crime costs organisations 2.7% of turnover then consider the numbers:

  • If your turnover is £10m – the cost of a data breach is £270k.
  • If your turnover is £100m – the cost of a data breach is £2.7m.

Do the maths based on your own organisation’s turnover and there lies your answer. You probably want to spend up to that amount. After all, you should only have to invest once in order to avoid an annual loss.

No matter what size your organisation is, you are very likely to fall victim to a cyber attack at some point – if not already. In 2012, 87% of small businesses and 93% of large businesses experienced a cyber security breach [Source]. What makes your organisation different?

80% of these breaches could have been prevented through basic security hygiene.

Are you Cyber-secure? Does your cyber-risk management match minimum UK government guidelines?

Find out before you join the 90% of firms who have already suffered a cyber breach.

Call 0845 070 1750 or email today to see how quickly we can get an experienced consultant to come and assess your exposures and take the first steps to a more cyber secure business future.

Find out more about the 10 steps to cyber security today >>

Is encryption key to cyber security?

July 23rd, 2013

The confidentiality of data has never been more of a concern for organisations. In the age of the Internet, email and the World Wide Web, never before has there been a greater risk that data can be stolen, lost or accessed without proper authorisation.

News of the US government’s PRISM programme hitting the headlines has put the whole issue of the confidentiality of data front and centre in people’s minds. If the US government can access their data easily, who else may be snooping on their confidential data? Hackers, cyber criminals? The list of possibilities is endless.

‘Distrust and caution are the parents of security.’
Benjamin Franklin

But what can we really do to prevent our data from being accessed by unauthorised parties? The answer is pretty simple really. The most basic step is to encrypt any confidential information. Any information that would damage your organisation, should it leak out of the organisation, should be encrypted.

Referring back to the case of PRISM, Google are now trialling the use of encryption software on their Google Drive service as a way of boosting customer confidence that their information will remain confidential, as reported by CNET.

Encryption has traditionally been seen as a highly technical solution to the issue of maintaining the confidentiality of information. But this isn’t the case anymore: there are suppliers of cloud encryption services, such as Alertsec Endpoint Protect, that enable SMEs to roll out encryption quickly and easily using pre-defined policies.

Whilst there are more complex encryption solutions for larger organisations available, such as Sophos or Symantec PGP, the only thing that complicates their use is the policies individual organisations decide to pursue with regard to encryption.

Encryption isn’t the complete solution to cyber security. PEOPLE and PROCESSES are equally important, but encryption will help organisations to protect their data effectively!
