Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Oct 16, 2017

NBlog October 16 - is privacy a lost cause?

Today I've been thinking and writing about privacy risks, comparing the differing perspectives of individual people and organizations.

Something that stands out from the risk analysis is that, despite journalists, authorities, privacy pro's and victims being aghast when privacy breaches occur, we all gladly accept significant privacy risks as a matter of course. In a few cases (e.g. tax), we have virtually no choice in the matter, but mostly we choose to share our personal information, trusting that the recipients will protect it on our behalf.

To be honest, privacy doesn't even enter our minds most of the time. It doesn't occur to us, because of our blasé attitudes.

Admittedly, it would take extreme measures to be reasonably assured of complete privacy, and even then there would still be risks: consider people in 'witness protection schemes' for example, or moles, spies, criminals and terrorists doing their level best to remain anonymous, below the radar. We know they don't always succeed.

Extremists aside, ordinary people like you and me mostly pay scant attention to our privacy. We use the Internet, and cellphones, and all manner of government and commercial services either under our own names, or with superficial efforts to conceal our identities. We share or post selfies online, email and text others, and wander about in public spaces under the full gaze of myriad CCTV cameras. We use our credit and debit cards to buy stuff, register for various services, and generally anticipate nothing untoward ... which in turn places even more pressure on the organizations and individuals to whom we disclose our personal information, hence the reason that privacy laws such as GDPR are so important in a societal sense.

Attitudes have changed markedly within a generation or three. Way back when I was a naive young lad, the very concept of taking, let alone sharing, explicit selfies was alien to me. Porn was available, of course, but access was discreet, guilt-ridden and exceptional, despite the raging hormones. As Victorian values have relaxed, we've been through "free love", page 3 girls, Hugh Hefner, tolerated or legalized prostitution, gay rights and other largely sexual revolutions - in most Western nations anyway: clearly there are cultural discrepancies with distinct differences of opinion on decorum and propriety. Scandinavian attitudes to nudity are part of the enjoyment of saunas, for me: the naked human body is something to be revered and celebrated, as it was in the original Olympic games. I still smile when I remember a male American guest at a sauna party in the 80's, already feeling distinctly awkward about the men enjoying their collective nakedness, quite unable to cope with an influx of naked women when 'their' sauna went cold: he left hurriedly, all of a fluster.

Privacy, then, is just as much a cultural phenomenon as it is a question of personal information, informed disclosure, security and so on. The underlying issue is more to do with control of personal information than protection. Whether I choose to reveal my secrets to others, or to withhold them, is the key point, a dynamic concern with cultural as well as personal overtones, making privacy a deeper, more involved and more interesting awareness topic than it might appear.

Oct 14, 2017

NBlog October 14 - a different tack

There are several good reasons for protecting personal information, of which compliance with privacy laws and regulations is just one. 

For example, personal information can be extremely valuable in its own right - a business asset in fact. 

Consider the adverse consequences of personal information being lost or corrupted, perhaps the result of a system/hardware failure, a software bug, an inept or malicious system administrator, malware, ransomware or ... well, anything that can damage/destroy or deny legitimate access to information could of course affect personal information. In a sense, it is "just" information.

At the same time, its commercial value is strongly linked to its confidentiality. This is why we are invited to pay $thousands for various mailing lists, offers which we either ignore or robustly decline since we are strongly ethical and most certainly not spammers! It's why sales professionals jealously guard their personal contacts. They are truly concerned about identity theft, as opposed to identity fraud.

Treating personal information as a business asset worth protecting and exploiting puts an unusual slant on privacy. In particular, it emphasizes the commercial value of controls securing personal information, beyond the begrudging 'avoidance of fines' angle. It's also, I believe, a way to increase the pressure on senior management to do what needs to be done in order to secure personal information, even if they are not that fussed about privacy laws - a carrot-and-stick approach.

We'll expand on this and other good reasons to take privacy seriously in November's awareness module. 

Oct 13, 2017

NBlog October 13 - data breach reality check

In searching for information relating to GDPR and privacy for next month's awareness module, I bumped into the Business Continuity Institute's Horizon Scan 2017 report.

The report's headline data come from a survey of 666 business continuity and risk management professionals from Europe and North America (mostly), concerning their perceptions about threats and incidents ... and immediately a few issues spring out at me.

First of all, the survey population is naturally biased given their field of expertise: although sizable, this was clearly not a random sample. As with all professionals, they probably overemphasize the things that matter most to them, meaning serious incidents that actually threaten, or are believed to threaten, to disrupt their organizations. It's no surprise at all that 88% of BC pro's are concerned or extremely concerned about "cyber attack" - if anything, I wonder what planet the remaining 12% inhabit! On the other hand, BC pro's ought to know what they are talking about, so their opinions are credible ... just not as much as hard, factual data concerning the actual incidents.

On that score, this year's report provides information on actual incidents:

"A new metric introduced in the BCI Horizon Scan Report measures actual disruption levels caused by the threats listed in figure 1 in order to provide a comparison against organizations’ concerns. Figure 2 shows a contrast between the levels of disruption caused by a particular threat and how concerned an organization is about it. The study shows the actual causes of business disruption slightly differ from the threats practitioners list as significant concerns. The top causes of business disruption according to the same respondents include unplanned IT and telecommunications outages (72%), adverse weather (43%), interruption to utility supply (40%), cyber attacks (35%) and security incidents (24%)."

The discrepancy between BC pros' perceptions and reality is quite marked. I'll come back to that in a moment.

Second, the way incidents (and/or threats - the report is somewhat ambiguous over the difference) are described puzzles me.  Here are the top 7, ranked according to the proportion of respondents who claimed to be "extremely concerned":
  1. Cyber attack (e.g. malware, denial of service) 
  2. Data breach (i.e. loss or theft of confidential information) 
  3. Unplanned IT and telecom outages 
  4. Security incident (e.g. vandalism, theft, fraud, protest) 
  5. Adverse weather (e.g. windstorm, flooding, snow, drought) 
  6. Interruption to utility supply (i.e. water, gas, electricity) 
  7. Act of terrorism

These are indistinct, overlapping categories - for example #1 and #2 often occur together, and both often accompany other categories such as #3, #5 and #6. #2 "Data breach" is a specific type of incident outcome with a huge variety of causes, ranging from deliberate attacks by outsiders or insiders, to accidental disclosures and ineptitude, plus thefts of IT equipment and storage media ... speaking of which #4 "Security incident" in fact refers to physical security incidents, judging by the examples.

#7 "Act of terrorism" seems way too high on the list for me ... but whether that's because I am fortunate enough to live and work in a tranquil backwater, or because the terrorists are winning (creating terror, even among supposedly level-headed BC pro's!), or is a genuine reflection of the threat level, I can't easily tell.

The top 7 actual causes of incidents tell a rather different story to the list above:
  1. Unplanned IT and telecom outages 
  2. Adverse weather (e.g. windstorm/tornado, flooding, snow, drought) 
  3. Interruption to utility supply (i.e. water, gas, electricity, waste disposal) 
  4. Cyber attack (e.g. malware, denial of service) 
  5. Security incident (e.g. vandalism, theft, fraud, protest) 
  6. Transport network disruption 
  7. Availability of talents/key skills (e.g. ‘bench strength’)

"Cyber attack", the #1 perceived threat, turns out to be #4 on the actual causes.  "Data breach" drops way down from #2 perceived to #8 in actuality, while transport disruption and lack of talents/key skills appear to be significant risks that are not perceived as such. "Act of terrorism" comes in at a more realistic (but still far too high, as far as I'm concerned) #13 on the actual causes.

Those discrepancies seem to indicate serious problems with the risk identification and assessment processes used by BC pro's for BCM purposes, which in turn are presumably being used to plan and prioritize BC activities ... or do they? One could argue that actual incidents are historically based, while BC pro's are paid for their expertise in predicting the future - professional soothsayers you could say. Hmmm.  Food for thought there.

Moving to the report's conclusions, I'm impressed to see this issue picked out in black and white as the first item:

"1. Organizations need to focus on the objective appraisal of threats and their particular impacts.
This year’s report has highlighted some gaps between the level of concern and actual disruptions caused by various threats. For example, the study noted significantly high levels of concern over cyber attacks and data breach which may be influenced by increased media coverage. Business disruptions nonetheless are still mainly driven by other threats such as unplanned IT and telecom outages and adverse weather. As such, organizations need to continually look at the business impacts of various threats and deploy appropriate tactics to become more resilient."

Well said! It would be interesting to explore why there are such marked discrepancies between perception and reality among BC pro's, since that would be an obvious handle to improve the alignment if appropriate (conceivably the BC pro's are right after all - perhaps we'll see changes in the actual causes in future reports!).

Anyway, back to the plot, the survey inspired the following graphic that we'll include in the awareness content (citing the source, of course):

Oct 7, 2017

NBlog October 7 - privacy update

This month we are updating the privacy awareness module for delivery in November, with a particular focus on GDPR just six months away. 

By the time it comes into force in May 2018, compliance with the EU General Data Protection Regulation will be a strategic objective for most organizations, thanks to the potential for massive fines and adverse publicity for any who are caught in contravention. Provided they are aware of it, we believe managers will welcome assurance either that everything is on track to make the organization compliant by the deadline, or that GDPR is definitely not applicable to them. 

Our job is to make managers aware of GDPR, emphasizing the governance and compliance plus information risk and security management aspects - updating corporate privacy policies for example, and ensuring that suppliers and business partners are on-track as well as the organization itself. If cloud service providers were struggling to meet the compliance deadline, for instance, there would be implications for their customers - another thing for management to consider. A GDPR compliance checklist would therefore be a worthwhile and timely addition to the NoticeBored materials.

The task of achieving GDPR compliance largely falls to IT and compliance specialists. Our awareness objectives for that audience are more tactical in nature, relating to project management, technical challenges and change management. The compliance checklist may help them consider the compliance project status from management's perspective, perhaps re-prioritizing and re-energizing the remaining activities.

For the general worker awareness audience, we plan to tackle the personal angle, addressing rhetorical questions such as "What's all the fuss?", "What's GDPR?" and "What's in it for me?" ... suggesting three awareness posters similar to the one above. We'll be developing those and other ideas into a brief for the graphics team this weekend.

GDPR and privacy are already making appearances in the professional media and will increasingly hit the general news outlets in the run-up to May - albeit mostly as fillers for slow news days. The first major organizations to be fined for GDPR non-compliance will surely be headline fodder, for a few days at least. Our customers' employees will hopefully have had the background to notice privacy-related news and appreciate what's behind the headlines, linking the general media with the corporate awareness programs. There's a broad educational purpose to November's module, in addition to the more direct awareness role.

Oct 2, 2017

NBlog October 2 - a 2-phase approach to bolster the security culture

We've just updated the NoticeBored website to describe the new awareness module on security culture and delivered the latest batch of security awareness materials to subscribers. 

Culture is a nebulous, hand-waving concept, hard to pin down and yet an important, far-reaching factor in any organization. 

The new module (the 63rd topic in our bulging security awareness portfolio) is essentially a recruitment drive, aimed at persuading workers to join and become integral parts of the Information Security function. The basic idea is straightforward in theory but in practice it is a challenge to get people to sit up and take notice, then to change their attitudes and behaviors. 

During September, we developed a two-phased approach:

  1. Strong leadership is critically important, which means first convincing management (all the way up to the exec team and Board) that they are the linchpins. In setting the tone at the top, the way managers treat information risk, security, privacy, compliance and related issues has a marked effect on the entire organization. Their leverage is enormous, with the potential to enable or undermine the entire approach, as illustrated by the Enron, Sony and Equifax incidents.

  2. With management support in the bag, the next task is to persuade workers in general to participate actively in the organization's information security arrangements. Aside from directly appealing to staff on a personal level, we enlist the help of professionals and specialists since they too are a powerful influence on the organization - including management. 

October's awareness materials follow hot on the heels of the revised Information Security 101 module delivered in September. That set the scene, positioning information security as an essential part of modern business. Future modules will expand on different aspects, each one reinforcing the fundamentals ... which is part of the process of enhancing the security culture. Consistency is key, along with repetition. The trick, though, is for the awareness program to maintain interest levels, hence simply saying the same thing over and over is counterproductive: people soon tune out and glaze over.

Another factor to take into account is that changing the culture inevitably takes time. Lots of time. This is a   s l o w   process. We've provided a survey form with a strong hint that the security culture should be measured on an ongoing basis since improvements may not be immediately obvious. The awareness effort may appear to have been wasted unless changes can be demonstrated through suitable metrics. There's another more subtle purpose to the survey though, getting management to determine what's sufficiently important to be worth surveying. There's value in the process of designing the metric, as well as the survey results - a little bonus.

Get in touch to bolster your organization's security culture through creative security awareness.

That's it, October's module is done and dusted. So what next? 

With just six months from November until GDPR comes into force, we will be revising the privacy module to help subscribers pave the way through awareness. Once again, November's materials will build upon the same foundations, boosting understanding in the privacy area specifically while gently maintaining the undercurrent of information risk, security and compliance in general.

Right now, I have a more immediate goal in mind. After a month's hard work and the weekend's tech nightmare, I think we've earned ourselves lunch in town. 

Oct 1, 2017

NBlog October 1 - security culture module

Well, despite Finagle's Law we've limped home over the finishing line. Another tidy stack of NoticeBored security awareness content is packaged up and will shortly be ready for our subscribers to download, customize and deploy.

'Security culture' is the 63rd awareness topic we've covered, among the most challenging modules to develop and yet also the most rewarding: it's clear, in retrospect, what an important topic this is for any organization that takes information security seriously enough to run an awareness program. In short, there is no better mechanism than an effective security awareness program with which to foster a security culture. How on Earth have we ducked the issue for so long?

Perhaps it's a maturity thing. Perhaps it's cultural: we are forging new paths, heading way off the track well-beaten by more conventional security awareness programs. 

Just in case you missed it, there's so much more to security awareness than phishing!

I pity organizations that rely solely on their security and privacy policies. 'Laying down the law' is undoubtedly an important part of the process, necessary but not sufficient. If it were, speed limit signs coupled with the threat of prosecution would have long since curbed driving incidents: we'd be left dealing with genuine accidents, mechanical failures and so forth, but excess speed would hardly ever be an issue. Patently, it is not ... and that's despite the parallel investment in awareness, training and education. 

It doesn't take much to imagine the carnage on our roads if 'laying down the law' was all that happened.

Turns out it's not too hard to elaborate on the business benefits of a corporate security culture. There are genuine business reasons for managers, in particular, to take this seriously, something that Enron, Sony and Equifax management and stakeholders might appreciate more than most.

We'll complete the delivery and update the website tomorrow, once the final stages of the computer rebuild are completed. It has been a long weekend!