Archive for August, 2009

UPS – Big Brown Encrypts All Laptops

August 28th, 2009

UPS, the parcel service and global transportation and logistics business, may excel at getting packages to your house – but until this month they managed much of their UK operation on unencrypted laptops. However, UPS has added encryption to all of its UK laptops as part of a settlement after a 2008 breach of the Data Protection Act. UPS signed an Undertaking to assure the Information Commissioner’s Office (ICO) that personal information will be kept securely in future.

UPS got into this situation when, in October of 2008, an unencrypted laptop was stolen from a UPS employee who was on business abroad. It contained the payroll data of approximately 9,150 UK-based UPS employees. The data included the names, addresses, dates of birth, National Insurance numbers, salary and bank details of those employees. This unencrypted laptop has never been recovered. All UK employees were notified by UPS of the theft and precautionary measures were organised for them. Of course, nobody ever explained why an employee was travelling around the world with confidential employee data on a laptop.

Password protected laptops are not secure

Mick Gorrill, Assistant Information Commissioner with the ICO, said “Password protected laptops are not secure. I urge all organisations to restrict the amount of personal information that is taken off secure sites. I am pleased that UPS has encrypted its laptops and smartphones, and I urge other organisations to follow suit.”

Benefits of Hard Drive Encryption

As many companies now know, if you decide to use hard drive encryption, managed encryption offers many benefits. Right from the start, encryption deployments are easier with a managed approach. Once in place, encryption keys are easier to manage when you can access the laptops remotely, and with online management, audit reports are available from any internet-connected device around the world.

IT leaders implementing encryption on computers (laptops may be the prime target – but many desktops are at risk too) should focus on management and user management strategies. Encryption technology itself is mature; the primary differentiating factor is the management technique. The main issues are deciding what should be encrypted, how to recover access to encrypted data when users lose their passwords or leave the company, and how to verify that all remote and even far-flung laptops are actually encrypted.
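The password-recovery problem mentioned above is solved in managed full-disk encryption products by key wrapping: the disk is encrypted under a random data encryption key (DEK), and that DEK is stored wrapped separately under a key derived from the user's passphrase and under an administrator-held recovery key. Losing the passphrase, or an employee leaving, then only requires re-wrapping the DEK, never re-encrypting the disk. The following Python is an added illustration of that design and is not Alertsec's or any product's code; it uses only the standard library, so the cipher is a simplified HMAC-SHA256 keystream construction standing in for the AES mode a real product would use, and all payroll data and passphrases are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# --- simplified authenticated cipher (stand-in for AES-GCM, stdlib only) ---

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt; wrong key -> ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def kek_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Slow password -> key-encryption-key derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

# --- the escrow design: one DEK, two independently wrapped copies ---

@dataclass
class EncryptedVolume:
    salt: bytes               # salt for the user's passphrase KEK
    dek_under_user: bytes     # DEK wrapped with the passphrase-derived KEK
    dek_under_recovery: bytes # DEK wrapped with the admin-held recovery key
    data: bytes               # the actual disk contents, encrypted under the DEK

def provision(passphrase: str, recovery_kek: bytes, plaintext: bytes) -> EncryptedVolume:
    dek = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    return EncryptedVolume(
        salt=salt,
        dek_under_user=seal(kek_from_passphrase(passphrase, salt), dek),
        dek_under_recovery=seal(recovery_kek, dek),
        data=seal(dek, plaintext),
    )

def unlock_with_passphrase(vol: EncryptedVolume, passphrase: str) -> bytes:
    dek = unseal(kek_from_passphrase(passphrase, vol.salt), vol.dek_under_user)
    return unseal(dek, vol.data)

def unlock_with_recovery(vol: EncryptedVolume, recovery_kek: bytes) -> bytes:
    dek = unseal(recovery_kek, vol.dek_under_recovery)
    return unseal(dek, vol.data)

def reset_passphrase(vol: EncryptedVolume, recovery_kek: bytes, new_passphrase: str) -> None:
    """Admin-side recovery: re-wrap the DEK; the encrypted data is untouched."""
    dek = unseal(recovery_kek, vol.dek_under_recovery)
    vol.salt = secrets.token_bytes(16)
    vol.dek_under_user = seal(kek_from_passphrase(new_passphrase, vol.salt), dek)

# Constructed sample values (not real data).
PAYROLL = b"employee,NI number,salary\nJ. Doe,QQ123456C,31000\n"
RECOVERY_KEK = secrets.token_bytes(32)  # would live in the management console

def demo() -> dict:
    vol = provision("correct horse", RECOVERY_KEK, PAYROLL)
    before = vol.data
    try:
        unlock_with_passphrase(vol, "wrong password")
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    via_recovery = unlock_with_recovery(vol, RECOVERY_KEK)
    reset_passphrase(vol, RECOVERY_KEK, "new passphrase")   # user forgot the old one
    return {
        "wrong_rejected": wrong_rejected,
        "via_recovery": via_recovery,
        "via_new_passphrase": unlock_with_passphrase(vol, "new passphrase"),
        "data_untouched_by_reset": vol.data == before,
    }

if __name__ == "__main__":
    print(demo())
```

The same structure is what lets a "leaver" be handled cheaply: the administrator rewraps the DEK under a new passphrase for the replacement user, and the old passphrase stops working without touching the encrypted data. The verification of which laptops are actually encrypted is a separate reporting problem and is not shown here.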

Data Protection Act Encourages Encryption

This is one more example where the Data Protection Act 1998 has helped to encourage businesses to step up and take action to ensure appropriate protection of data. The ICO, which is responsible for enforcing the Act, has shown great success in getting organizations to cooperate after DPA violations.

UPS is updating its security policies and is implementing a number of other procedural changes to protect personal information in the future. Whether your organization is UK-based or not, the resources and examples from the ICO can provide any IT manager with lots of ammunition to get buy-in for security and encryption plans. This way, you can implement policies on your own – not as part of complex legal negotiations with the ICO or its equivalent in your country.

HSBC – Unencrypted Data on Open Shelves, in the Post and With Couriers!

August 23rd, 2009

Kudos to the United Kingdom and their Financial Services Authority (FSA). The FSA is an independent body that regulates the financial services industry in the UK. They have been given a wide range of rule-making, investigatory and enforcement powers, and they just fined three HSBC firms more than £3m for failing to adequately protect customers’ confidential details from being lost or stolen.

HSBC and unencrypted data

These fines are not for a small or one-time incident – but for an ongoing failure to ensure the security of confidential data. Just look at this list of issues.

  • “Large amounts” of unencrypted customer details had been sent via post or courier to third parties.
  • Confidential information about customers was also found left on open shelves or in unlocked cabinets.
  • In April 2007, HSBC Actuaries lost a floppy disk containing the personal information of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers.
  • In February 2008, HSBC Life lost a CD containing the details of 180,000 policyholders.

It should come as no surprise that the FSA found that HSBC staff had not been given sufficient training on how to identify and manage risks such as identity theft. The firms have taken a number of remedial actions to address the concerns raised, including contacting the customers concerned, improving their staff training and requiring that all electronic data in transit is encrypted.

Financial Services Authority and Data Safety

Unfortunately this is not a unique step: in the last four years, the FSA has fined Capita Financial Administrators £300,000; Nationwide £980,000; BNP Paribas Private Bank £350,000; Norwich Union £1,260,000; and Merchant Securities £77,000 for failings relating to data security lapses and fraud.

Fortunately, the FSA has been empowered to take action! Highlighting the teeth that the FSA has been given, the three HSBC firms agreed to settle at an early stage of the FSA’s investigation and therefore received a 30% discount. They could have been fined another £1,500,000!

“All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals” – Margaret Cole, Financial Services Authority

FSA Principle 3 states that a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. HSBC obviously failed to meet this standard, and Clive Bannister, group managing director of HSBC Insurance, said: “We hold ourselves to the highest standards, but it is clear that in these instances we have fallen short, which we sincerely regret.”

The FSA is asking for even more opportunities to impact companies that are lax with security protocols. They want to ensure that fines better reflect the scale of the wrongdoing and that any profits made from the breaches are clawed back. Under the new proposals, fines will be linked more closely to income:

  • Up to 20% of the company’s income from the product or business area linked to the breach over the relevant period
  • Up to 40% of an individual’s salary and benefits (including bonuses) from their job relating to the breach

Now, maybe if more regulatory agencies around the world took action like the FSA, we would actually see a world where data is safer and companies routinely encrypt their drives.

Accountants, HR Staff and No Encryption – Oh My!

August 18th, 2009

It seems so obvious to us that anybody with a laptop should have file encryption, but obviously we are more than casual believers. However, we have to wonder about companies that are allowing Human Resources and Finance staff to put massive amounts of data on laptops. Certainly for folks in these positions, file encryption should be an obvious requirement – or as these tales will reveal – maybe not!

HR laptops sitting in a car

Williams, a 101-year-old natural gas producer and distributor, has 4,400 employees company-wide. In late July a Williams laptop containing personal and compensation information for more than 4,400 current and former employees was stolen from a car in Tulsa, Oklahoma in the United States. The passenger-side window of a Williams employee’s car was broken and the laptop, which was in a black bag, was stolen.

Company spokeswoman Julie Gentz said that the computer contained names, birth dates, Social Security numbers and compensation data for every Williams employee since Jan. 1, 2007. Obviously there is more than enough information in the laptop files to allow any semi-knowledgeable criminal to carry out fraud without the actual person being aware of it.

While the laptop was password-protected, it did not make use of hard disk encryption software like AlertSec. A letter issued Friday to all employees by Stephanie Cipolla, vice president of Williams Human Resources, indicated that unauthorized access is possible, despite their existing security measures. It seems like after the fact, everybody is willing to admit that security holes and issues exist – but that is way too little and way too late!

Just because you are 101 years old – does not mean you know how to safely run a business!

National Security AND Laptop Security

The US Army National Guard does a fabulous job protecting Americans and their allies around the globe. But they can’t keep their own members safe! The Army National Guard is reporting a July 27th data breach via an unnamed contractor whose laptop was stolen. About 131,000 former and current Army Guard members could be affected by the data loss, which occurred July 27 when a personal laptop owned by an Army Guard contractor was stolen, said Randy Noller, a spokesman for the National Guard Bureau.

The Army Guard will inform those Guard members who are determined to be impacted by this incident by mailing a letter to them, Noller says. The National Guard Bureau has set up a web page and the Army Guard will have a toll-free call center featuring up-to-date news and information on the data compromise. So in the end they will probably wind up doing more work than if they had simply had the hard drive on the laptop encrypted!

Why would a contractor, or anybody, need data on 131,000 Guard members on their laptop?

Security Layers – Never too much

August 13th, 2009

When we talk about encryption we often focus on laptops and desktops in public areas – computers that are at high risk of loss or theft. However, the UK Ministry of Defence published details of its data loss incidents for 2008, and this report shows that if you think your nice shiny server room is protection enough – think again! The Ministry of Defence reported the loss of an entire server from an apparently secured government building, and the loss of 1.7 million individuals’ personal data.

This loss occurred in September 2008 when it was apparently discovered that “a server was missing following the closure of a secured government premises”. The report goes on to provide details of the data, which are described as “names, addresses, details and service numbers or National Insurance numbers and medical records relating to around 700 individuals – 200 of which are reported to be active records”.

Security layers

This instance is one more example of why you need a combined, layered approach to data security. While you start with security around physical obstacles, doors and locks, you also have to include information security programs like hard drive encryption software from Alertsec.

Often when laptop computers go missing, you get a quote from a security expert that sensitive data shouldn’t be on laptops. Instead, they note, secure data should only be on servers that are under lock and key, and are guarded. Well, as the Ministry of Defence discovered – the server is, by itself, not the best defence!

Size does not matter when it comes to security

A server has no special properties that will prevent it from being stolen. While many people think of servers as big computers, like the mainframes of olden days, the reality is that any computer can act as a server, including laptops. Even if you use equipment designed specifically as servers, that equipment is shrinking in size every day.

While server room physical security should be enough, you have to consider whether the servers can easily be transported, and you have to consider what will happen to the servers when they are decommissioned. Encryption software is not just for laptops – but for any computer that stores sensitive data, regardless of how many layers of security you think you have in place.

On servers you can use encryption software that might be more complicated to administer – but your system administrators can handle that. On laptops and desktops you want to focus on encryption software that is easy to set up and maintain.

As the Ministry of Defence proved – your data can’t be too secure.

Security Strategies Need Implementation Ease

August 9th, 2009

Eighty-five percent of organisations have experienced a data breach in the past 12 months, up slightly from 84 percent a year ago, according to the fourth annual encryption trends study recently released by the Ponemon Institute. The study of 997 IT business managers, analysts and executives in the U.S. also found that 22 percent of organisations have experienced at least five security breaches within the past year, a rise from 13 percent of respondents last year.

The report summarizes key findings from the study, which included nearly 1,000 U.S.-based enterprise IT leaders, analysts and executives. A similar study conducted with UK-based IT leaders shows very similar results.

Encryption of data on mobile data-bearing devices used by employees is very important or important.

More than 59 percent of respondents say it is very important or important to encrypt employees’ mobile devices – a sign that organizations recognize the reality that valuable data is more mobile than ever.

More than 70% have fully executed or just launched a data encryption strategy in their organization.

Once again, data encryption strategies are being implemented across a majority of the respondents. The majority of organisations, 78 percent, have some type of encryption strategy, up from 74 percent in 2008 and from 66 percent in 2007.

However, this survey data is quite misleading. Most of the organisations that we’ve written about here on the Alertsec Blog could have answered “Yes, we have a data encryption strategy.” However, having a strategy, having a strategy in use, and having a strategy effectively in use are all different things. Almost every company that has had a security breach has had a strategy – the breach occurred because management was lulled into believing that having the strategy meant everything was secure.

Security programs need to be easy to administer

The percentage of organisations using a platform approach to managing encryption solutions, where one software product is used as the encryption platform throughout the organisation, has increased. Additionally, 76 percent would strongly recommend or recommend the platform-based approach where it reduces the cost of acquiring, deploying and managing encryption.

That’s why we’ve put so much focus on ease of administration in the Alertsec Xpress software. Alertsec Xpress administration is designed to offer hassle-free deployment and set-up. Alertsec Xpress is pre-configured with a “best practice” setting to offer a secure, yet user friendly, implementation.

Security exceptions don’t have to break the rules

When the standard settings do not match the internal security policy, Alertsec offers the opportunity to create a customer-specific configuration. This configuration can also add a local administration account, which enables the customer to do additional work on the PCs once deployed. The ability to add additional users to a PC and to read and monitor the local log file are key benefits for a larger deployment.

Data Breaches continue to be a huge problem

As noted at the start of this article, the Ponemon Institute study reports that eighty-five percent of organisations surveyed had had at least one data breach in the last 12 months. When you compare this to the 70% of companies who claim to have a data encryption strategy, it makes our point.

Having a strategy is one thing. Picking software like Alertsec that will allow you to fully implement that strategy is where the rubber hits the road in the world of digital security.