Friday, February 26, 2016

Blast from the past: Is resurrecting the fax machine actually helping Sony’s CEO to protect sensitive information?

In November 2014, Sony Pictures experienced a particularly damaging cyberattack, when information about employees and their families, including executive salaries, was obtained by the hacker group Guardians of Peace. The group also leaked private email exchanges between top executives, leaving the studio doing damage control with the media over use of the material.

As a result, earlier this week, Sony Pictures CEO Michael Lynton revealed that he has reverted to writing sensitive messages by hand and faxing them to their destination.

However, is this really doing anything to improve data protection at Sony Pictures?

Fax machines have to be viewed as one of the least secure ways to share data. In the last three months of 2015 alone, the ICO reports that sending sensitive information to the incorrect recipient (for example, entering the fax number incorrectly) caused 38% of data breaches in the legal sector, 25% of incidents in the justice sector and 23% of incidents in the health sector.

In addition, even if the information is sent to the correct machine, the data owner – that is, the person sending the information – then has absolutely no control over who picks up the printout and what they subsequently decide to do with it. (Loss of paperwork is another leading cause of data breach incidents.)

Why, then, is the CEO of such a large tech company like Sony trusting in a system that is proven to put sensitive data at risk?

Encryption solutions exist that can protect organisations’ sensitive information to industry and government accredited standards while keeping tools like email usable to all members of the business and third parties. Technology is available with the ability to control what recipients do with shared information – such as save locally or print – and to see detailed audit logs of what they’ve done with it. Companies like Sony should therefore be setting an example to the wider industry by adopting data security technology that offers genuine protection and information assurance to their employees and their customers.

If organisations are genuinely going to learn the lessons of the Sony cyberattack, they need to make information security a natural part of how all employees collaborate, so that staff remain productive while, more importantly, sensitive customer and corporate data stays protected.

Friday, January 22, 2016

Why is real-time, online editing a game changer?

With the latest release of Egress Switch Secure Workspace, users can create and edit documents collaboratively online whilst enjoying the advanced security levels for which Egress Switch is renowned. In this blog post, we explain why Switch Secure Workspace 3.0 is a game changer for the secure collaboration and file sharing space.

Working in a digital world

The 21st Century workplace faces a dilemma. The digital revolution has brought about three trends:
  • Organisations are embracing remote, even transnational, working practices
  • More and more data is being created and communicated electronically
  • Threats to information security are more widespread and insidious than ever

As workers collaborate on tasks over the internet, the vast amounts of data transferred make it tremendously difficult to maintain control of and protect sensitive information. Alongside this, organisations are going paperless and moving workflow to the cloud, bringing cost savings and efficiency – but how do you balance quick and easy access to documents with upholding security? When the data is out of sight, it can be easy to keep information security out of mind – however, security infrastructure must keep pace with current trends in working practices if organisations are to avoid data breach catastrophe.

With online editing, Switch Secure Workspace solves this dilemma.

The compromise with file sharing and collaboration products has always been between usability, security and cost, but with Switch Secure Workspace there is no more compromising. No more cost-cutting at the expense of security or paying more for a secure solution that’s left unused due to its technical complexity.

Teamwork made easy

Real-time, online editing is an instrumental feature in Switch Secure Workspace’s innovative solution to these crucial issues. Microsoft Word, Excel and PowerPoint files can be edited within Switch Secure Workspace in an easy-to-use editing window. All the main features you associate with MS Office products are there, from chart creation and complex formulas to presentation animation.

Using the discussion and chat features it’s simple for colleagues to discuss the work they are producing. All document changes are tracked and highlighted so you can see who’s been working on the documents.

Detailed auditing of all editing and collaboration is another impressive feature not seen in other products, and something of an Egress Switch trademark. Throughout a document’s lifecycle, you’ll always know who’s viewed or edited it, while fine-grained permissions controls mean documents always stay within trusted circles.

Switch Secure Workspace works on any modern browser, as well as on tablets and mobiles; it’s remote working without resorting to email and getting lost in version mismatches, or worse still, using insecure FTP services. No additional software needs downloading, so there’s no stepping outside the secure platform to edit – everything happens within a workspace and within your control.

Collaboration without compromise

Switch Secure Workspace 3.0 is the first solution to bring all these features together and satisfy the plea for a user-friendly collaborative platform that doesn’t sacrifice security, reduce efficiency or negate cost savings with exorbitant deployment expenditure. The online, real-time editing is the best of its kind, and the auditing and permissions controls are powerful and unique. That’s why Switch Secure Workspace 3.0 is a game changer.

Thursday, December 17, 2015

Consensus at last - but what does the EU General Data Protection Regulation mean for you?

Discussions over the EU General Data Protection Regulation (GDPR) have rumbled on since 2012. Consequently, it's understandable that this week's breaking news about a final agreement over the legislation already seems like old news. However, while it may have been almost three years since the need for change was acknowledged, the regulation as it stands today is vastly different to that under which organisations currently operate.

As a result, there is an inevitable widespread need for an update to policy, procedure and technology. With the regulation on track to be formally adopted in January 2016 and enforced a short two years later, organisations need to evaluate, implement and adopt processes and technology now, so they don’t fall foul later.

Two points to watch out for

Across the board, two of the most significant changes to be introduced are mandatory reporting of data breaches that are 'likely to harm individuals' within 72 hours and hefty fines of up to 4% of global turnover for non-compliance (the ICO's current maximum of £500,000 will pale in comparison for many large organisations).

Mandatory notification is expected to result in a rise in the number of data breaches being reported - not because more breaches are happening but because fewer can be swept under the carpet. Consequently, organisations will be forced to open themselves up to scrutiny, with regulatory bodies looking at how the sensitive data they handle is protected throughout its lifecycle. Any shortcomings will be exposed and will count against them.

As we recently examined, TalkTalk's data breach from October 2015 is estimated to cost them £35m in one-off costs alone. We need only add 4% of their global turnover to that and we can see why the EU GDPR will be keeping CFOs awake at night!

The good news is that now there's clarity, there can be action. Boards across Europe need to start planning and implementing the right processes, training and technologies immediately to protect the entire lifecycle of their data, so they're prepared for when the regulation is enforced. We can see from previous breaches that it is the small slip-ups, caused by human error, that have been the most common and largely the most damning. As a result, security policies need to be matched with user training and education, and underpinned by smart, intuitive technology. Getting a head start on this now can only pay dividends in the future.

Friday, December 11, 2015

There’s no job security when your job is security

“There’s no job security when your job is security”. That’s the kind of line that would be enough for any CSO, CIO or even CEO to start penning their resignation letter.

The reality is obviously somewhat different. However, if the history of the last 12-18 months has taught us anything, it is that no-one is exempt from a high-profile data breach – breaches so severe that jobs can be lost and reputations so badly damaged that businesses are put at risk.

Finally, it seems, the penny has dropped. Organisations including the likes of TalkTalk, Facebook, Gmail and Twitter now accept that no set of security measures is completely immune to a breach.

As a result, they are starting to assess two things.

The cost of a data breach

Research carried out by IBM and the Ponemon Institute earlier this year found that, on average, the global total cost of a data breach increased from $3.52m to $3.79m within the last year. The average cost paid for each lost or stolen record containing sensitive data rose as well, to $154 from $145 in 2014. In the case of TalkTalk, it is estimated their breach could cost as much as £35m.

Of course, a monetary value also tells us nothing about the inconvenience and emotional cost of a breach to the real victims of PII loss – you and me. Consumers are now much more aware both of the risks of a breach and their rights if the worst happens. For example, research by Deloitte warns that three-quarters of customers would reconsider using a company in the event of a breach.

What to do when the inevitable happens

Probably as annoying, if not worse than an actual breach, is a company who appears to have no grip on exactly what happened or how bad the breach was. Again, take TalkTalk as an example. Their high-profile breach and the subsequent media circus that followed it was made worse by their own confusion about what had happened and the lack of communication to their already worried customers. In fact, it was more than 24 hours before customers were even notified there had been a breach. What then followed was confusion about what data had been stolen, the number of accounts affected and whether the stolen data had been encrypted in the first place. TalkTalk’s CEO continues to cling onto her job and claims to currently have the support of the founder and the board. However, one has to question how long this will be the case, particularly once the true implications of the breach are felt through lost revenue and lack of customer support.

The risk to data extends further than just a cyber-attack

Organisations need to consider the complete lifecycle of the data they own and manage, and so understand where the vulnerabilities lie. This could, of course, be an external cyber-attack orchestrated by a third party intent on accessing and profiting from sensitive data. However, it could also be an inexperienced employee sending highly sensitive information in a clear-text email to the wrong recipient, as highlighted by the recent email breach at the North Carolina DHHS.

As research shows, often the biggest risk to any business is human error.

So what does a CSO, CTO or CEO make of this? In time I think we will reflect on these high-profile breaches and realise that they signalled a gear change in data security. At an exec / board level, suddenly focus and – more importantly – budget are being allocated to better understand all aspects of data security across a business. No longer will complacency rule, because everyone knows that in all likelihood at some point they will be forced to answer the question:

“You had one job: Secure the data. What happened?”

If this results in greater information assurance, more vigorously tested security measures and processes, then it has to be a positive for our data and our confidence as consumers in the market.

Wednesday, November 25, 2015

Underpinning Public Sector reform with smart and secure communication

The major spending reviews of the last eight years have put the Public Sector under unprecedented pressure to preserve high levels of citizen service and support, whilst battling reductions in budget and staff resources. This situation is not set to change any time soon, with George Osborne today announcing further spending cuts for this parliament.

Alongside this, the Public Sector has also been challenged with transforming the way it delivers services, moving away from a traditional ‘vending machine’ approach towards one based on insight, intelligence and early intervention.

So, how can public sector workers face these challenges and, as seems to be their common rhetoric, do more with less?

Delivering the new vision for public services

Let’s take a (simplified) example of a child suffering from recurrent chest infections, probably linked to damp living conditions. In a traditional, fragmented system it is harder for a GP or health worker to make a meaningful difference for the child. The correct medical intervention is to tackle the infection; however, this does not resolve the underlying cause.

The new vision for public services calls for a more coherent and integrated approach to service delivery that tries to get to the root of the problem. Integrated networks of organisations and individuals able to work together seamlessly are key to this.

However as many areas are finding, this is easier said than done. What’s clear is that these new place-based models cannot work if the information flows needed to support them are stagnant and fractured.

This, therefore, puts the need for intuitive and easy-to-use communication solutions at the heart of public service delivery, bringing together professionals from across health, education, blue light, local authorities, and increasingly third and private sector organisations. What’s more, information security must be built into this from the start, meaning citizens’ personal data – be that name, contact information, health details, etc – can only be accessed by approved individuals.

As the public sector is increasingly asked to tailor service delivery to meet individuals’ unique needs, it will inevitably require secure communication solutions that can support this level of flexibility, while also providing sophisticated information security and truly delivering cost and efficiency benefits.

Tuesday, July 7, 2015

How can schools share sensitive pupil data securely?

Schools are expected to process and share increasing amounts of information about pupils – from exam results being sent to governing bodies, to information about ethnicity, special educational needs and medical conditions being shared with approved organisations such as local authorities, and health and social care providers. This is necessary to ensure that not only are curriculum standards being met but that schools are providing holistic care for the pupils in their charge.

Yet schools need to be aware of the types of data they are sharing – and how to do this securely.

Most of the information shared is personal data, as it includes names, gender and dates of birth. However, sensitive personal data, including ethnicity, physical and mental health, sexuality, and criminal records, can also be shared with these external organisations. Therefore, it is essential that schools ensure the correct technical steps are being taken in order to protect this information as it leaves their institutions.

Sharing pupils’ data outside of schools 

Despite the sensitive nature of this data, a concerning number of schools still continue to use insecure mechanisms for sharing this information. Data exchanged via plaintext emails, fax and even post could not only compromise children’s privacy but also expose institutions to fines of up to £500,000 from the Information Commissioner’s Office (ICO) if a data breach takes place.

To resolve this issue, in ‘Inspecting e-safety’, Ofsted has declared that it is inadequate practice to send pupils’ information without using encryption technology to protect this highly sensitive data. In addition, according to the ICO, email and file encryption solutions certified via CESG’s CPA scheme are best suited to meet the appropriate security levels required by schools, as well as help them remain DPA compliant.

Top tips for secure pupil data exchange  

In order to protect pupils’ data that is shared over the internet, schools need not only to implement risk management policies and procedures (such as staff training and / or the shredding of all confidential paper waste) but also to ensure appropriate technical measures (such as encryption software) are put in place, including:

Email and file encryption

Mechanisms for secure electronic transfer vary widely, however it is important that they offer robust encryption, sophisticated functionality and ease of use – all without affecting existing work processes and infrastructure. In practice, this looks like:

  • Capabilities that integrate seamlessly with existing email clients, such as Microsoft Outlook, so school staff don’t need to log into separate systems to send emails and files securely
  • Ability to provide real-time access control over encrypted emails and file attachments, as well as time-based access restrictions, to reduce the impact of sending information in error and / or third parties mishandling data  
  • Embracing cloud technology securely. As an increasing number of schools move their systems to the cloud via Office 365 Education and Google Apps, they need to provide the highest level of assurance around who can access this data both in transit and when stored in users’ mailboxes 
  • Easy for recipients to use. Uptake of any encryption solution depends on recipients being able to not only understand its necessity but actually be able to intuitively use it
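The access controls listed above (real-time control over who can open an encrypted attachment, time-based expiry, revocation after something is sent in error) and the detailed audit trail mentioned in the Sony post are easiest to understand as a key-release model. The following is an added example, not Egress Switch code: the sender encrypts the attachment locally, the key is lodged with a hypothetical key-release service together with a policy, and the service hands the key out only to the named recipient, only before expiry and only while the sender has not revoked it, logging every decision. The cipher is a toy HMAC-SHA256 counter-mode construction so that the example runs on the standard library alone; a real product would use an AEAD such as AES-GCM from a vetted library. All addresses and the sample report are constructed.

```python
"""Key-release model for an encrypted email attachment (added example, not vendor code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy PRF-based keystream: HMAC(key, nonce || counter). Stand-in for a real AEAD.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("attachment tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Policy:
    recipient: str      # the one address allowed to receive the key
    expires_at: int     # unix time after which the key is never released
    revoked: bool = False


class KeyReleaseService:
    """Hypothetical service: holds per-message keys and enforces the sender's policy."""

    def __init__(self):
        self._keys = {}       # message_id -> (key, Policy)
        self.audit_log = []   # (message_id, actor, outcome)

    def register(self, message_id: str, key: bytes, policy: Policy) -> None:
        self._keys[message_id] = (key, policy)

    def revoke(self, message_id: str) -> None:
        # The sender pulls access back even though the email has already left.
        self._keys[message_id][1].revoked = True
        self.audit_log.append((message_id, "sender", "revoked"))

    def release(self, message_id: str, requester: str, now: int) -> bytes:
        key, policy = self._keys[message_id]
        if policy.revoked:
            outcome = "denied: revoked"
        elif now > policy.expires_at:
            outcome = "denied: expired"
        elif requester != policy.recipient:
            outcome = "denied: not the named recipient"
        else:
            outcome = "released"
        self.audit_log.append((message_id, requester, outcome))   # every attempt is logged
        if outcome != "released":
            raise PermissionError(outcome)
        return key


def scenario():
    """Walk through mis-send, correct open, expiry and revocation; return outcomes and the log."""
    svc = KeyReleaseService()
    key = os.urandom(32)
    blob = encrypt(key, b"Pupil SEN report (constructed sample)")
    svc.register("msg-1", key, Policy(recipient="senco@council.example", expires_at=1_000))
    results = {}
    for label, requester, now in [("wrong", "dave@marketing.example", 500),
                                  ("ok", "senco@council.example", 500),
                                  ("expired", "senco@council.example", 2_000)]:
        try:
            results[label] = decrypt(svc.release("msg-1", requester, now), blob)
        except PermissionError as exc:
            results[label] = str(exc)
    svc.revoke("msg-1")
    try:
        results["revoked"] = decrypt(svc.release("msg-1", "senco@council.example", 500), blob)
    except PermissionError as exc:
        results["revoked"] = str(exc)
    return results, svc.audit_log


if __name__ == "__main__":
    outcomes, log = scenario()
    for k, v in outcomes.items():
        print(f"{k:8} -> {v}")
    for entry in log:
        print("audit:", entry)
```

The point of the model is that the ciphertext in the recipient's mailbox is inert: a mistyped address, a forwarded copy or a stale attachment after the expiry date all fail at the key-release step, and each failure leaves an audit entry the data owner can review. That is the property a fax or a plaintext email cannot offer once it has left the sender.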

Secure web form 

While email and file encryption are useful when schools need to share sensitive information externally, a secure web form provides an alternative mechanism for securing pupils’ data flowing back into the network. This is particularly important when parents need to provide information, including passport scans, as pupils join a new school. Some of the key advantages of a secure web form include:

  • Security: Providing third parties with an encrypted solution to use means that pupils’ sensitive data is always awarded the correct level of information assurance
  • Simplification and improved efficiency: Web forms provide a single point of contact for numerous third parties and can be integrated internally to populate existing systems and workflows, reducing the admin time schools need to spend simply processing incoming data
  • Cost-effectiveness: A secure web form can replace the need to send personal data and any other information by post or courier

Thursday, June 18, 2015

Bank of England bans ‘autocomplete’ – but is this really the best way forward?

We’ve all done it. Hit ‘Send’ and suddenly realised you cc’d in Dave from Marketing instead of Dave from HR, felt that immediate sickening feeling and realised at best you’ve made yourself look a bit foolish. At worst – and likely what we all haven’t done – you’ve managed to send highly confidential information about Britain’s potential exit from the EU (or ‘Brexit’) to a Guardian journalist.

Unfortunately, that’s what happened to the Bank of England’s Head of Press last month. Not only did the email include details about research into the financial implications of Brexit, termed ‘Project Bookend’, it ironically also included instructions on how to fend off enquiries about this top-secret activity.

In an arguably knee-jerk reaction, the BoE have since announced the disabling of ‘autocomplete’ functionality for their email platform – meaning employees will need to repeatedly type individual email addresses every time they send an email.

But is this really the right course of action to take?

In some ways, it is encouraging to see the BoE taking information security seriously. Data protection is relevant for all organisations – whether you’re handling traditionally recognised ‘personally identifiable information’ or, as in this case, commercially sensitive data and intellectual property.

However, it is likely that turning off autocomplete is going to meet with a lot of frustration amongst BoE employees. Not only will it be a time-consuming process for staff to laboriously type every single address for every single email sent, just imagine the bounce rate (and therefore repeated processes) for typos! Plus, this solution won’t actually provide any control over the email addresses BoE employees type in.

Frustratingly for them, the technology exists that would allow the BoE to have the best of both worlds – business convenience and data protection. It is mystifying why they haven’t instead implemented smart technology that could control who confidential information is sent to, and accessed by, and what they can do with it. Data protection doesn’t need to take us back into the Dark Ages of Technology – organisations just need to be aware of what information security solutions are already available.
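Rather than removing autocomplete, a send-time control can keep the convenience and catch the mistakes the post describes: a recipient who shares a display name with someone else in the directory (the two Daves), an external address on a message that should stay internal, and an address that is not in the directory at all and is probably a typo. The following is an added example and not Bank of England or Egress code; the address book, the internal domain and the classification labels are constructed, and a real control would pull the directory and labels from the mail platform.

```python
"""Pre-send recipient checks that leave autocomplete switched on (added example)."""
from collections import Counter

# Constructed sample address book: address -> display name as autocomplete shows it.
DIRECTORY = {
    "dave.hr@bank.example": "Dave",
    "dave.marketing@bank.example": "Dave",
    "press@bank.example": "Press Office",
    "reporter@newspaper.example": "Dave",
}
INTERNAL_DOMAINS = {"bank.example"}   # constructed


def check_recipients(recipients, classification, directory=DIRECTORY, internal=INTERNAL_DOMAINS):
    """Return a list of warnings to show the sender before the message leaves.

    classification: "internal" (may only go to internal domains) or "external".
    """
    warnings = []
    name_counts = Counter(directory.values())   # how many entries share each display name
    for addr in recipients:
        addr = addr.strip()
        domain = addr.rsplit("@", 1)[-1].lower()

        # 1. Data classification: an internal-only message must not leave the organisation.
        if classification == "internal" and domain not in internal:
            warnings.append(f"{addr}: external recipient on an internal-only message")

        # 2. Typo guard: an address the directory has never seen is the classic
        #    bounce-or-misdeliver case the post mentions.
        display = directory.get(addr)
        if display is None:
            warnings.append(f"{addr}: not in the directory; check for a typo")
            continue

        # 3. Ambiguous autocomplete pick: several entries show the same name.
        if name_counts[display] > 1:
            warnings.append(
                f"{addr}: display name '{display}' matches {name_counts[display]} "
                f"directory entries; confirm the right one was picked"
            )
    return warnings


if __name__ == "__main__":
    for rcpts, label in [(["dave.hr@bank.example"], "internal"),
                         (["reporter@newspaper.example"], "internal"),
                         (["presss@bank.example"], "external")]:
        print(rcpts, label, "->", check_recipients(rcpts, label) or "no warnings")
```

The checks are deliberately advisory: the sender sees the warnings and confirms, which is far less disruptive than retyping every address and, unlike disabling autocomplete, actually looks at where the message is going.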