Information Security and Common Sense

Richard Henson
University of Worcester
November 2008



Yes, good Information Security IS common sense…

as is safely driving a motor car…

“Where did it all go Wrong?”

“End User” Computing
Rapid Advances in Technology
Confusion about legislation
Lack of policy or inconsistent implementation of policy
Data handling training issues

Safe Storage of Organisational Information

Before Digital Data…
Paper in a Locked, Fireproof Cabinet, in a locked room…

Use of Digital Data within Organisations in the early days

BIG Computers
– centralised resources & storage
– Terminal-only access to data
– Printing only via centralised resource
Data processing areas private…

The Rise of End User Computing

1980s…
The PC offered the possibility of organisational data in the hands of “non professionals”…
– network administrators and some academics predicted that there would be big problems…
– few people listened… THEY SHOULD HAVE!

Have we been down this road before?

Days of “mainframe” or “centralised” computing… comparable to mass transport systems (e.g. stage coach, railways, bus)
– “professional” drivers
– people driven about

Example of Technological Change causing rapid Cultural Change; systems inadequate

Also true of the coming of the motor car…

Result of “the motor car” cultural change…

Transport became personalised
– those handling motor vehicles were often a menace to other road users
– many accidents, injuries, lives lost

Systems catch up with cultural change…

Professional bodies ineffective
ALL DRIVERS only controlled through the use of legislation
– on cars… minimum standards
– and on drivers… had to be 17 to drive…

Then more cultural change…

And then more legislation
– Driving Test
– National Speed Limit
– Safer cars

Are roads safe today?

Despite increases in traffic, UK road deaths have been falling consistently for many years
– safer cars?
– better driving?
– tougher penalties?
So a cultural problem CAN be brought under control…

The Challenges of “End User Computing”

In early 1990s, immediate workplace computer-related threats to SMEs were…
– RSI
– eye strain
– EU Health & Safety legislation (1992)
– Floppy disks…
» because viruses could stop computers functioning!

The Hidden Threat

Lot of changes with the coming of the PC… but the threat to personal data from removable media NOT fully acknowledged
– floppy disks could only hold small amounts of data…
– Data Protection Act, 1984, only a civil offence
» end-user computing for business use not anticipated…

Digital Data and the Law

Data Protection Act updated in 1998
– did not address the problems associated with putting the end user in control
» digital data can be easily carried around
– two big technological advances
» Writeable CDs… meant removable media could now carry huge amounts of personal data
» The Internet… allowed organisational networks to link to the world… and unlimited amounts of data to be potentially taken off organisational machines…

Too much focus on the Internet?

Internet (mis)use caused data losses
– and damaged reputations…
In the face of media horror stories…
– organisations steered clear of the Internet for sending data
– saw writing to CD as the safe way to go
– didn’t acknowledge that data copied to a CD tends to stay there…

The USB stick

Employees had been happily copying data to writeable CD… even writeable DVD…
– MUST have been data losses!
– So what? Not a Health & Safety issue! Data Protection Act max penalties not enough of a deterrent to even focus minds on reading it…
USB stick encouraged
– People had problems using writeable CDs
– even more convenient
– stored even more data
– less bulky to carry around (!!!)
It was a disaster waiting to happen
– perhaps the only surprise was that it took so long…

The New Law

Finally (2008) legislation being updated to acknowledge the problem
– New term of “Data Recklessness” embedded into Data Protection legislation
» serious penalties!!!
– Information Commissioner’s Office (ICO) has increased powers…
» FURTHER changes expected during the 2008-9 Parliamentary Session

Information Commissioner: Richard Thomas

So… why such a long wait?

Again… back to the motor car
Original Highways Act?
– law in 1835
– only substantially updated in… 1959
– Why then? Had become
» a matter of public concern
Equally, Data Protection now
– A MATTER OF PUBLIC CONCERN
– latest surveys: by 2007 as concerned about privacy as they are about terrorism!

What are the consequences for Organisations?

• Need to get serious about data protection, or risk the wrath of the Information Commissioner’s Office
• one recent sufferer was…
• Richard Branson, Virgin Media (3383 customer records went missing)
• Would you want to be next???

What to do?

Apply common sense?
Now (from 2007) an International Standard for organisations to follow:
– ISO 27001
– based on British Standard BS7799
» UK leading the world in design…
» but not implementation!
– any organisation achieving this quality standard gains in two crucial ways:
» unlikely to lose data through “recklessness”
» can use the ISO 27001 “kitemark” to show potential customers that their personal data is being properly looked after

Is getting ISO 27001 cost-effective?

BIG question
– even before…
» “credit crunch” arrived
» data recklessness became law
Cost overhead of ISO 27001 quantifiable
– intensive, highly focussed courses
– paperwork deliberately customisable to meet the needs of large and small organisations
If data is lost, what of the cost overhead of:
– bad press?
– disgruntled customers?
– hefty fines?

Is Good Information Security Common Sense?

YES…
– just as driving safely is common sense
BUT…
– even good drivers could fall asleep at the wheel
What would the roads be like today if:
– 1835 Highways Act was still in force unchanged?
– no-one had to pass a driving test?

QUESTIONS???