Opinion

What is the password?

By Gerard Thompson, Information Security Consultant

With over 3,500 MPs, lords and staff, being a computer security administrator in the Houses of Parliament must be a stressful job. They have a lot to think about. There is the possibility of state-sponsored brute force cyberattacks, much like the one that compromised 90 ministerial accounts in June 2016. There are also other, more delicate issues to be negotiated; like the fact that there were 113,208 attempts to access pornographic material within Westminster in 2016 alone. Yet in actual fact one of the most alarming revelations from the Houses of Parliament this month, has been the admission by a number of MPs that their passwords are far from secure.

Admittedly, the social media admissions by MPs that they shared log in details with staff were posted to help defend Damien Green who has recently been accused of accessing thousands of pornographic images on his House of Commons computer back in 2008. They wanted to make the point that it might not have been him, given the fact that others might have his password information. Yet, for information security professionals, these admissions were probably more shocking than the news story they were attempting to deflect.

One MP tweeted: ‘My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous!!’

The same MP went further that afternoon: ‘All my staff have my login details. A frequent shout when I manage to sit at my desk myself is, ‘what is the password?’’

Unsurprisingly, cybersecurity professionals on Twitter have been shocked by such admissions, with many pointing out that it demonstrates a severe lack of privacy and security understanding within Westminster. To the consternation of the information security industry, however, other MPs have proceeded to jump in, tweeting their own confessions. One such tweet said: ‘I often forget my password and have to ask my staff what it is.’

Another tweeted: ‘Less login sharing and more that I leave my machine unlocked so they can use it if needs be.’

With these admissions, it might be believed that the House of Commons does not have an Information Security policy. Of course it does. The House of Commons Staff Handbook has a specialised section on Information Security Responsibilities and the House of Commons Advice for Member and their staff specifically states that MPs should not share passwords. It is therefore more a question of awareness and training rather than policy. After all, the majority of breaches occur through user error so Westminster staff need to be reminded of their responsibilities.

Other government departments are exemplary in their information security procedures, providing best practice examples of how it should be done. With GDPR and the UK Data Protection Bill soon to be enacted, making the responsibilities of data holders even more stringent, the Houses of Parliament should also lead the way in demonstrating a robust stance on data defence.

SRM provides a complete range of information security services, from GDPR compliance to advanced penetration testing; from its Virtual CISO service to full blown Incident Response. To find out more, for a no-obligation discussion contact mark.nordstrom@srm-solutions.com or call 03450 21 21 51.

Law practices are prime targets for criminals

PWC’s 25th Annual Law Firms Survey found that 73 per cent of respondents had suffered a security incident in 2016. These ranged from insider threats to the phishing of login credentials and ransomware. Routinely keeping large amounts of extremely sensitive data on file for long periods of time, law firms need to be particularly vigilant. Yet awareness, training and a top-of-the range technology solutions will only go some way in providing a defence. Given the ingenuity of hackers, they are unlikely to be sufficient in the long term.

The good news is that the solution is not about buying lots of additional products or simply throwing money at the problem. A strategic approach will provide a more robust and more cost-effective solution.  The effective scoping of the risks and vulnerabilities to which an individual firm is exposed means that defences are maximised using only precisely-targeted and relevant services.

When the EU General Data Protection Regulation (GDPR) becomes effective in May 2018 the regulatory obligations of any organisation which holds data on EU citizens becomes even stricter. The new legislation will not just apply to those with European customers. The current UK Data Protection Bill, which is also due to be enacted in May, enshrines the principles of GDPR into UK law. In addition to new reporting requirements, there will be a greater emphasis on mapping data, knowing exactly what information is held and where.

A specialist consultancy has the experience and expertise to ensure that top level security is provided in the most cost-effective way possible. From advanced penetration testing to compliance and regulatory issues; from data mapping to ensuring there are no gaps anywhere in the system; it is important to have an overall strategic and correctly scoped plan.

While Data Protection Officers (DPOs) and Chief Information Security Officers (CISOs) take on the day-to-day responsibility, every member of the board or partnership is also responsible for compliance. To ensure that the ever-changing cyber threat landscape is fully understood, additional support and resource is required. Just as a finance director receives support from accountants, a consultancy which operates at all levels of the cyber security spectrum will be able to provide additional expert guidance to DPOs, CISOs, boards and partners. The reputational and financial consequences of a breach can have devastating effect on the whole firm. Board or partner level support for information security and compliance is therefore essential.

SRM is at the forefront of information security in the UK. As cyber security supplier to H M Government, we understand large organisations, but our clients also include corporates, charities and SMEs. Our GDPR team provides expert guidance and is also able to scope a client’s system for frailties and vulnerabilities through bespoke penetration testing, assist with accurate data mapping and provide a whole range of additional services developed to support CISOs and DPOs at various levels from compliance to disaster recovery.

Our eDiscovery team is also on hand to provide technical expertise and resource for all aspects of eDiscovery, from the reduction and redaction of data to the presentation of evidence in a legally acceptable manner. SRM provides a range of highly professional cost-effective solutions, suitable for all sizes of law firms. From the provision of a low cost ‘E-Discovery Lite’ package to the involvement of Expert Witness Forensic Consultants or the use of a Virtual Chief Information Security Officer VCISOtm.

For a no obligation chat, contact Mark Nordstrom or call 0345 21 21 51

Find out more:

GDPR

Test and exercise

Read our other blogs:

eDiscovery: the issues facing law firms

Client files on home computers must be encrypted

The technology gap which leaves organisations vulnerable to attack

 

GDPR has been developed to protect us from breaches like Uber

The term ‘reputational apocalypse’ has been used about the recent news of the Uber data breach cover-up. It’s no exaggeration. 57 million sets of customer and driver data were stolen back in 2016 including email addresses, names and phone numbers of customers and the license details of some 600,000 Uber drivers. But while the breach alone is damaging enough, what has escalated Uber’s reputational damage to an apocalyptic dimension is the manner in which they handled it.

Rather than follow correct procedures for reporting a breach, Uber’s executive team at the time allegedly decided to identify the hackers concerned and pay them $100,000 to provide assurances that the downloaded data had been destroyed. Going to considerable lengths to hide the loss of personal data from customers and staff, Uber’s C-suite might have thought they were avoiding the negative publicity other brand names have encountered during similar breaches. By taking a stance that was neither transparent nor informative, what they actually did was to damage the company’s reputation still further.

Thankfully, Uber’s new CEO recognised the seriousness of the situation when he arrived and has undertaken full disclosure. The 2016 breach followed on from a less serious breach in 2014 which Uber also failed to disclose. They were fined $20,000 on that occasion and may have considered, in the light of this modest fine, the risk of non-disclosure in 2016 was worth taking. It is not yet known what penalties will be imposed for the latest breach and its consequent cover up but it is likely the sums involved will be punitive.

Under the EU General Data Protection Regulation (GDPR) the fines for this type of breach will be even higher. After May 2018, when GDPR comes into effect, inadequately protected organisations which suffer a breach will be penalised by fines of up to 20 million Euros or 4% of global turnover (whichever is higher). The intention behind the legislation, which is being enshrined into UK law through the new Data Protection Bill, is to prevent another Uber type breach.

For a start, if a breach does occur GDPR requires the organisation to investigate and inform victims within 72 hours. But GDPR is not simply about reporting times and fines. The essence of the legislation is for organisations to develop a more intelligent, data-centric approach to security. They will have to know exactly where their data resides, who can access it and how it is transferred. They will need to be clear about when and where data is encrypted and decrypted. They must be seen to understand the differences between the private versus public clouds and the cybersecurity threats specific to each. To be GDPR compliant will require many organisations to improve their data systems significantly. If they do not, they must be aware of their accountability.

Uber claimed that their ‘corporate systems and infrastructure’ were supplied by a ‘third party cloud-based service’ and that this service was the target of the breach. This is no excuse under current legislation and the responsibility of Chief Information Security Officers (CISOs) and Data Protection Officers (DPOs) is made even clearer under GDPR. They have a responsibility to the people whose data they hold and it is never possible to outsource their accountability.

When it comes to CISOs, the buck really does stop here. But that does not mean that they should not be provided with expert professional support. SRM is at the forefront of information security in the UK. As cyber security supplier to H M Government, we understand large organisations, but our clients also include corporates, charities and SMEs. Our GDPR team provides expert guidance and is also able to scope a client’s system for frailties and vulnerabilities through bespoke penetration testing, assist with accurate data mapping and provide a whole range of additional services developed to support CISOs and DPOs at various levels from compliance to disaster recovery.

For a no obligation chat, contact Mark Nordstrom.

Learn more:

GDPR 

Bespoke penetration testing

 

Related blogs:

After GDPR what will happen to ICO notification fees?

Client files on home computers must be encrypted

It’s not a question of if but when

How a CISO can influence at board level

Time running out for GDPR compliance

 

Yes, someone actually said that to me in an interview!

SRM’s GDPR specialist Melanie Taylor explains some of the challenges faced by women trying to get into the world of IT

‘I don’t understand why a woman with a family would want to work in IT’…

Is just one of the things an IT Solutions company in Catterick said to me during an interview.

To start at the beginning! In August 2012 I had an operation to fuse 2 of my vertebrae in my lower back and insert some ‘scaffolding’ to support the once above due to collapsed discs. I knew the operation was coming and had decided that once I could go back to work it would be in IT. I was not going to settle for less, having always enjoyed dabbling in IT and taking PCs, Xboxes and mobile phones apart to fix or clean them it seemed like a logical choice. Getting into Information Security was the ultimate goal but I needed to start with IT in general.

“An apprenticeship! that’s what I’ll do” I told my husband. So I started to apply for any IT apprenticeships I could find, sometimes 5-10 per week and then….. Nothing! Nothing at all. Not even a ‘sorry this place was filled’. I kept going and did, now and again, receive a reply, TOO OLD! You see I was 34. When a company wants an apprentice they want a young one so that they will be fully funded. I still kept going. Applying and chasing with telephone calls. Too old.

But then finally, an interview!

It was for a Network Technician Apprentice role for an IT solutions company in Catterick. I was currently living in Bishop Auckland and was more than happy to travel 25 miles to work each day.

On the day of the interview, I was extremely nervous and also excited at the possibility, this could be it…. The beginning. I arrived in plenty of time and smartly dressed with a little makeup on and hair done, anxious to meet with my interviewers.

Now I can tell you that when someone walks into the room, sees you, and their face drops, you do not get a good feeling, that sinking feeling. That feeling of dread. I was asked to have a seat and was made a cup of coffee. The interview started in an unstructured way and I remember being asked why I wanted the role. “Since leaving school I have wanted to get into IT but just didn’t know how back then. I have had a few years away from work due to a back injury but am now able to work again and decided to go for my career of choice” I said some other stuff and waited for a response. Awkward silence. Then one of the men said, “I just can’t understand why a woman with a family would want a job like this, it gets cold in server rooms you know”. I said I would wear a coat if I was cold. This seemed to be the theme of the interview and I was enlightened with some interesting statistics about how many women worked in IT or rather didn’t work in IT. On the plus side, I was told that the clients would love me although I’m not entirely sure that it was meant as a compliment. Near the end, I was asked if I would not rather take a position in admin! As a last attempt to convince these people (clutching at straws) I blurted out that having my hair done and wearing makeup was not me and I really wanted this opportunity. After I left it didn’t take long for the recruiter to ring to break the news to me, I was not experienced or knowledgeable enough for the position and the learning curve would be too steep, an interesting point considering that the interviewers had already told me that the role needed no experience being an apprentice role and that the last apprentice they had was completely starting from scratch with their knowledge and experience.

Desperately wanting to prove myself I emailed one of the directors that interviewed me and offered to do voluntary work so that they could see my work ethic and how quickly I would pick things up. Nothing! Not a thing back.

I was absolutely determined to keep going, everything happens for a reason right? and looking back at the interview I was beginning to think that maybe it was not the best place to work, for a woman anyway.

Thank you! Thank you so much for not taking me on! I would not be where I am today if you had.

After around 8 months of applying, I had an interview with Newcastle College which was successful and my journey began, but that is another story.

The point of telling you this is to say never give up on your dream career and never stop searching for your perfect employer. You’ll know when you get there and you may not stay forever but it’ll be right at the time.

I am so lucky to have found a company that not only let me fly, they give me wind beneath my wings. Thank you SRM!


Learn more

GDPR – The General Data Protection Regulation

How US internet giants are tackling the issue of GDPR compliance

Time running out for GDPR compliance

What does GDPR mean to SMEs?


 

eDiscovery: the issues facing law firms and solicitors

by Alan Batey

Information Security Consultant and Forensic Investigator

In today’s world, evidence in legal cases is sourced from the vast quantities of Electronically Stored Information (ESI) that exists across a range of platforms and devices. Acting on behalf of clients, large law firms may have access to eDiscovery platforms to sift, sort, redact and reduce the amount of data that is made available, keeping only those files with relevance to the case in a legally recognised format which preserves the integrity of the data and stands the ultimate test of court acceptance. Smaller firms may not have operated an eDiscovery platform, considering it too expensive or shying away from the complex technology. This is not altogether surprising.

ESI comes from a number of sources; from emails, texts, voicemails messages, word-processed documents and databases, including documents stored on portable devices such as memory sticks and mobile phones. In totality it includes an unfeasibly large and complex volume of files. SRM was recently involved in an eDiscovery case where the original ESI involved 1.2TB of data which, in this particular instance, was reduced to 160GB. Although hundreds of gigabytes is more usual, this is still more data than can effectively be processed in a legally acceptable manner without the use of sophisticated management and tools.

Yet many who engage with eDiscovery Platforms find the process is unsatisfactory. They may require assistance with the forensic discovery of electronic documents or need more support in managing the information security risks surrounding the placing of confidential information on a Cloud or server based platform. They may feel their technology partner is unsupportive or that the cost of the exercise lacks transparency. Ultimately, some are worried about the security issues of releasing sensitive information to a third party.

eDiscovery  projects require extremely high levels of skill, technical expertise and diligence. At SRM we work in conjunction with the legal team to advise and execute the eDiscovery requirement for their client. We define each stage and advise on the ongoing process and progress giving a full breakdown of costs for each stage. Our service is at the cutting edge of eDiscovery technology, saving the clients time and money while achieving best results. We also work effectively and strategically to ensure that disruption to the client’s business is minimal.

When such large volumes of data are made available to a third party, trust is crucial. Our eDiscovery  team includes individuals who have worked with the police, MOD and FTSE100 companies. We are the leading PCI Forensic Investigation company in the UK and cyber security supplier to HM Government.

SRM provides a range of highly professional cost-effective solutions, suitable for all sizes of law firms. From the provision of a low cost ‘E-Discovery Lite’ package to the involvement of Expert Witness Forensic Consultants or the use of a Virtual Chief Information Security Officer VCISOtm.

 

http://blog.srm-solutions.com/ediscovery-and-edisclosure-why-what-how-and-who/

https://www.srm-solutions.com/services/ediscovery-edisclosure/

SRM Blog