March 2010

Top 10 Internet Security Tips

Every day I hear about people doing silly things on their computers, so I feel I should try to help educate people on where they are going wrong. I am realistic as well, so I don’t expect that I will get through to everyone, but if one person reads this and it stops them from doing something silly then I will be happy. I know I hear you say “small minds” etc., but the fact is that if one person learns something new they will normally tell someone else about their experience, and so on.

Anyway, here are my top tips for keeping safe online:

  1. Watch what you download on file sharing sites. A vast number of viruses are spread through these sites, and a lot of the time you won’t know until one has already infected your computer. Not to mention that the content is more often than not illegally copied!
  2. Download all security patch updates, whether for Windows or any other program.
  3. Never agree to install a program unless you know where it has come from or have purposely downloaded it.
  4. Protect your children by blocking web sites with unsavoury subjects. You can buy software to do this, or buy a good quality ADSL router, as some have these features already built in.
  5. Social networking sites! Don’t post personal information about yourself that people could use to steal your identity, such as date of birth, address and even photos.
  6. Never disclose your username or password to anyone, whoever they claim to be, especially “the bank”, as this is how crooks like to trick you into handing over your personal details. You may have heard it referred to as “Social Engineering”.
  7. Make sure your anti-virus and anti-malware products are always up to date. It’s best to pay for one rather than using the free ones, as they have more features to protect you! Also make sure you enable the scheduled scan. It’s amazing how many PCs I see that don’t have this enabled because it slows people’s machines down!
  8. Always make sure that you have a padlock on display in your browser when buying items on the internet, otherwise your card details are not secure.
  9. Ignore emails that ask you to confirm your bank details. These are generally known as “phishing” emails, which have only one purpose in mind: to steal your personal info! No matter how convincing they are, always ignore them.
  10. Computers should be treated like weapons: they can be very effective at what they do, but can be very dangerous without the right training. Ask friends and family if you are not sure what you are doing. Or if you have any questions, post a comment and I will offer a bit of free advice.

Why should I take information security seriously?

Secure your information

Everyone will have come across the various government department data leaks that have recently been publicised in the media, and quite often people are in disbelief at how such events can happen in the first place. Whether the data is millions of people’s bank details, a top secret document or some other sensitive information, the problem is the same, albeit with varying degrees of impact. Some incidents could cause reputational damage; others may be financial, or possibly affect the running of the organisation.

So what is Information Security?

Information Security is basically how an organisation protects its assets, where an asset can be anything within an organisation that has value to the business. It deals with the confidentiality, integrity and availability of all information-related assets.

For example, it is normal to have various classification levels within your organisation which are assigned to information assets, the level depending on the sensitivity of each asset. Each classification has a different security access level which is directly related to the impact of any data loss, so a document that is highly confidential is going to be treated differently from a document which is unclassified, because the impact of losing the latter is lower.

Information Security is not rocket science, but many organisations still get the simple things wrong or don’t take security seriously enough. I am sure most businesses that deal with large amounts of cash wouldn’t carry it in a clear bag to the bank each day! Why should we deal with other valuable information so haphazardly? Just because an information asset doesn’t have an obvious monetary value, it doesn’t mean that you wouldn’t suffer damage to your business reputation or suffer financial losses if the information got into the hands of a competitor or the media.

It’s all very well me telling everyone to look after your data better and more securely than you currently do, but each individual business must assess the impact and risk of losing information or having data compromised. To put this in perspective: what would happen to your business if you relied heavily on taking credit card payments via a POS terminal and the bank revoked your right to use one because of a data breach which was traced back to your company? This may seem far-fetched, and you may say that would never happen to my business, but the reality is that it could. Banks are well within their rights to do this, or to insist that you put certain security measures in place, which could cost thousands of pounds to implement. No matter how slim this risk may be, it doesn’t negate the possibility of it happening. However, if the banks see that you already have good security measures in place and that very little could have been done to prevent such an incident, they may be more lenient and the impact on your business could be significantly lower. Further reading on this subject can be found via the Payment Card Industry (PCI) Standard web site.

There are various methods that can be used to improve your security, depending on what your company needs, and the best one in my opinion to look at is ISO 27001. This is an international standard which covers all areas of information security and is widely respected throughout the world. It may be too much for a small business to take on in its entirety, as the standard covers 133 separate controls over the following 11 sections:

  1. Security Policy
  2. Organisation of Information Security
  3. Asset Management
  4. Human Resources Security
  5. Physical and Environmental Security
  6. Communications and Operations Management
  7. Access Control
  8. Information Systems Acquisition, Development and Maintenance
  9. Information Security Incident Management
  10. Business Continuity Management
  11. Compliance

Even so, most businesses will be able to take certain elements of what the standard covers and improve the way in which they look at information security. If every business did this, our information would be a whole lot safer. Ignorance is no excuse these days for business owners, so if they start to lead the way, people will follow! If we can start to educate people, maybe information security will become a topic of the past rather than the topic of the day, and perhaps we might start to handle the security of data in a better way.

At the end of the day, Information Security is there to protect your company and client information, and should always be aligned to the needs of the business rather than creating a barrier which inhibits growth. Perhaps we could look at how Health and Safety has developed over the past 20 years and apply some of those methods to information security, whilst still being realistic.

I would appreciate your comments on this subject.

NISC 10 – Verdict

Having been back from NISC 10 for about 10 days now, I have had time to reflect on whether it was a success or just another security conference that doesn’t actually achieve anything!

The subjects covered were very comprehensive and included serious issues regarding emerging technologies such as virtualisation and, increasingly, the way in which we want to access data wherever we are. These are areas that I will no doubt discuss in more detail at a later time, as each is a complex issue in itself, so watch this space!

A great positive that came out of this for me was the number of local and central government people that attended. You could look at this in two different ways depending on your level of scepticism, but I choose to see it as a positive. With new revelations of data leaks coming out of various government departments each week, something must change, and I hope that all the relevant delegates who attended actually learnt something that they can take away and implement within their corresponding departments or local authorities. I guess only time will tell! However, I do sympathise with some of them, as there are some deep underlying problems with staff within these departments, and some are better than others, so these security professionals have a very hard task in actually trying to change the mindset of the average civil servant, which is no mean feat. Good luck to them, but I must say that without true government support and buy-in they have no hope. Perhaps they should take note of private sector companies that take security seriously and start to change the mindset from the very top. Are you listening, Mr Brown?

Over the coming weeks I will start to talk about various other information security issues that were discussed at NISC 10, which I can unequivocally say now was a big success. However, now is the time to start to make a difference, whatever you do, as the responsibility lies with all of us to protect our customers’ data, or even just to protect our own identity.