Greatest source of security risk is internal processes not hackers
Posted 27th August 2008 at 12:18 by roymoggadmin
Again we have seen in the press a big fuss made of the loss of data left on a pen drive. I must say this was not a surprising issue for me. Loss of data (or a security breach) is commonly not due to a fault in the IT security systems but to a breach of security practice by users, and to lax thinking about the gold mine for criminals they carry around on their hard disk. I must admit myself that it is all too easy when developing software to request test data and be given the full personnel file without question. I have had on my laptop the complete records of a major defence organisation in order to demonstrate a system at a major conference, so it does happen. I expect this is what happened recently when a PA consultant took away a sensitive data set, probably to work on it at home, so his extra work and good citizenship got him into trouble.
Security breaches by lonely geeks in front of PCs in the middle of the night are becoming rare, as we start to get a grip on these characters and their methods become less and less sophisticated as time moves on. What is disturbing is the lack of attention we pay, as managers and users, to data security and the management of confidential information.
A recent report highlighted the following:
- 39% of data breaches involved business partners, with the data sometimes being compromised at the partner's offices.
- Insiders are a big threat to data security, and disgruntled personnel can even be approached by criminals. Just think how easy it is to send a zipped file containing all your personnel data outside the organisation. What checks do you have in place to notice?
- In practice organisations have little control over a partner's security; it is blind faith. In banking, as the FSA made clear recently, you remain accountable for data security when you outsource, and the regulator can impose severe sanctions and fines if it goes wrong.
- Badly configured systems are another way breaches are facilitated; sometimes security controls are completely absent. What is your own configuration like?
- Executives, consultants and IT staff who take home a laptop full of sensitive information and then let the kids surf the web on Mum's PC. Do your kids adhere to the company security policy when surfing the web? I doubt it. And what about all the spyware they have just loaded onto your work machine?
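To make two of the practical points above concrete (what check you could run when a zipped personnel file is about to leave the organisation, and what a developer should be handed instead of the full personnel file), here is an added worked example in Python. It is not code from the original post or from any product the post mentions. The personnel extract is constructed and fictional, the National Insurance number pattern is a deliberately loose approximation, and the HMAC key and file names are placeholders chosen for the example.

```python
import csv
import hashlib
import hmac
import io
import re
import zipfile

# Constructed sample personnel extract: fictional people and numbers, not data from the post.
SAMPLE_PERSONNEL_CSV = (
    "employee_id,name,ni_number,dob,salary\n"
    "1001,Alice Example,AB123456C,1980-04-12,41000\n"
    "1002,Bob Sample,CE654321A,1975-11-30,52500\n"
    "1003,Carol Test,EG112233B,1990-07-01,38750\n"
)

# Loose shape of a UK National Insurance number: two letters, six digits, suffix A-D.
# Assumption: the real prefix-letter exclusions are left out to keep the pattern readable.
NI_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")

# Column names that, even without an NI number in the body, mark a file as personnel data.
SENSITIVE_HEADERS = {"ni_number", "national_insurance", "dob", "date_of_birth", "salary"}


def build_zip(members):
    """Pack {member name: text} into an in-memory zip, standing in for the attachment being sent out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


def scan_zip_for_personnel_data(zip_bytes):
    """Return [(member, reason)] for every text member that looks like raw personnel data.

    This is the kind of outbound check a mail or proxy gateway would run on a zipped
    attachment: open the archive, look inside each member, and flag NI numbers or a
    header row containing sensitive columns.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                text = zf.read(info.filename).decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary member: outside this text-only check
            ni_hits = len(NI_RE.findall(text))
            if ni_hits:
                findings.append((info.filename, f"{ni_hits} NI number(s)"))
                continue
            header = text.splitlines()[0].lower() if text else ""
            sensitive = {c.strip() for c in header.split(",")} & SENSITIVE_HEADERS
            if sensitive:
                findings.append((info.filename, "sensitive columns: " + ", ".join(sorted(sensitive))))
    return findings


def pseudonymise_personnel_csv(csv_text, key):
    """Produce the copy a developer should be handed instead of the full personnel file.

    The identifier is replaced by a keyed hash (HMAC-SHA256) so the data owner, who keeps
    the key, can still link a test record back to a real one while the developer cannot.
    The NI number is dropped, the name is replaced, date of birth is reduced to a year
    and salary to a 10,000 band.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(
        out, fieldnames=["employee_id", "name", "birth_year", "salary_band"], lineterminator="\n"
    )
    writer.writeheader()
    for n, row in enumerate(reader, start=1):
        token = hmac.new(key, row["employee_id"].encode(), hashlib.sha256).hexdigest()[:12]
        writer.writerow({
            "employee_id": token,
            "name": f"Employee {n}",
            "birth_year": row["dob"][:4],
            "salary_band": str(int(row["salary"]) // 10000 * 10000),
        })
    return out.getvalue()


def demo():
    """Scan the raw extract and its pseudonymised copy; only the raw one should be flagged."""
    raw_zip = build_zip({"personnel.csv": SAMPLE_PERSONNEL_CSV})
    # Assumption: the key lives with the data owner, never in the developer's environment.
    safe_csv = pseudonymise_personnel_csv(SAMPLE_PERSONNEL_CSV, b"owner-held-secret")
    safe_zip = build_zip({"personnel_testdata.csv": safe_csv})
    return scan_zip_for_personnel_data(raw_zip), scan_zip_for_personnel_data(safe_zip)


if __name__ == "__main__":
    flagged, clean = demo()
    print("raw extract:", flagged)    # [('personnel.csv', '3 NI number(s)')]
    print("pseudonymised:", clean)    # []
```

Run it and the raw extract is flagged while the pseudonymised copy passes the same check. The reason for the keyed hash rather than a plain hash is that the key stays with the data owner: a test record can be linked back to a real person only by someone who already has access to the real file, so a lost developer laptop carries nothing that identifies anyone.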
An interesting point is that ill-informed security policy can actually have the opposite effect. If it is too difficult for users to get at the data they need to do their jobs, don't underestimate their ability or ingenuity in using whatever access rights they have to get at the data anyway. Far better to have a grown-up discussion and train them in the proper handling of sensitive data.
I know from personal experience that the reported extent of losses of data, laptops, pen drives or CDs is the tip of the iceberg. I have known people to have the entire data set for all the staff in a hospital on their laptop before they were pulled up. It goes on, and we are turning a blind eye to it. If we don't want to end up on the front page of the News of the World with people baying for our blood, we had best start looking at this.
There is an interesting article on this at:
http://www.information-age.com/magaz...ner-risk.thtml