Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Apr 15, 2015

Yet another information security awareness case study


Controversial plans to replace two Surrey/South London hospitals with a new one were prematurely and inappropriately disclosed on a train:
"The proposals were revealed by management consultants who held a conference call on a commuter train after meeting the trust chief executive Daniel Elkeles.  The call was heard and recorded on a mobile phone by a BBC London reporter."
Someone being overheard discussing sensitive stuff on their mobile phone in a public place is nothing new, an everyday common-or-garden information security incident.  The factors that make this particular one notable include:

  • The disclosure involved trusted third parties possessing (and disclosing!) valuable information belonging to an organization, having been disclosed to them by senior management.  This begs lots of questions about roles and responsibilities, compliance obligations, non-disclosure agreements, ethics, accountability and governance, as well as the information risks and security controls.
  • The disclosed information was particularly sensitive.  Aside from the patients and staff who are directly impacted by the proposals being discussed, the hospitals are landmarks, important assets for their two local communities which, by the way, are several miles apart and socially diverse.  The issue has been a political hot potato in the area for at least a decade.
  • The management consultants concerned should have known better. Whatever their reasoning or justification, this was an embarrassing and perhaps costly incident, quite unprofessional and avoidable.  We can but wonder what damage it might have caused to their ongoing client relationships and future business prospects.
  • 'Conference call' implies this was an open discussion on speakerphone, making it likely to be overheard by everyone in the vicinity.
  • It was overheard by a reporter/journalist and perhaps other local commuters in the carriage, any of whom may have found the information relevant and fascinating.
  • Recording the discussion captured at least some of the content, providing undeniable evidence, non-repudiation and the opportunity to transcribe, analyze and share the information more widely.  By the way, virtually every commuter these days has the technical capability to record or transmit such information discreetly if not covertly using a veritable panoply of portable ICT devices.
  • The disclosed information was published and broadcast by the news media. It is now out there in the public domain, beyond the control of the administrators and politicians and doubtless causing concern in the area - not least for the chief executive, the management consultants and various others involved/implicated in or directly affected by the fiasco.

I'll leave it as an exercise for you, dear reader, to explore and evaluate the threats, vulnerabilities and impacts in this incident, and to consider how it might have been avoided or mitigated.  [Hint: as with the Sony hack, this is another excellent case study to discuss in a information risk workshop setting, or indeed a realistic, highly credible scenario for incident management or business continuity exercises, tests, audits and reviews.]

While I feel sorry for those adversely impacted by the incident, I am grateful for yet another free but valuable information security awareness and improvement opportunity as a result of the incident being disclosed.   We can all learn from incidents of this nature.  The trick as always is for someone to identify and consider them as case studies, teasing out the underlying information risk and security issues, and ultimately persuading the organization to make whatever changes and improvements might be necessary and appropriate to analyze and treat the information risks.  It's not enough to nod sagely, say "tut-tut" and ponder: what are you actually going to do differently as a result of reading about this?  At the very least, has it altered your perception or appreciation of the associated information risks?  If nothing changes, it's an awareness opportunity lost, a senseless waste.

Don't worry though.  I'm certain there will be plenty more learning opportunities in due course - in fact, I'm sure I can see the next one peeking into view just around the corner ...

Regards,