Bosses 'ignore toxic data risk'

Bosses must stop leaving data security to the "IT boys" and other staff and take responsibility themselves, the UK's information watchdog has said.

Many did not understand the risks of storing personal data, said Information Commissioner Richard Thomas.

They had to realise that it could be a "toxic liability" as well as an asset to an organisation, he added.

Mr Thomas is currently investigating 30 "serious" breaches of data protection law by the government and other bodies.

But he said a lot of data losses went unreported and some organisations were not even aware that it had gone missing.

Tighter policies

"It's often said that personal data is an asset for an organisation, we are saying it can be a toxic liability. There are many risks associated with holding information," he told BBC Radio 4's Today programme.

"There has been too much sloppiness, too much lack of awareness, of the risks of holding information and we are saying, really this is a matter for the top board, the chief executive of an organisation.

"It's no good saying the IT boys are looking after this, it's no good saying the lawyers are sorting out the policies, it's no good saying human resources are doing the training - it's right across the organisation.

"Computing power is so strong these days that many bosses don't simply understand what are the risks they are facing."

He said organisations should tighten up their policies, encrypt laptops, improve supervision and buy software that prevented large amounts of data can not be downloaded "all at one time".

"Things will inevitably go wrong, therefore you should plan for things going wrong," he told Today.

Giant databases

He said progress was being made but added: "We are still long way from saying we have got a tighter grip on the management of personal data."

In a speech later at the Royal Society of Arts in London, Mr Thomas will urge companies and other organisations to hold the least amount of data possible and warn they should face tougher penalties when any is mishandled.

He will also warn that creating giant databases of personal information would carry "significant risks" for the UK.

The government has recently defended a proposal to create a huge database recording all internet and telephone traffic.

Opposition parties have criticised the plan which could see details of every phone call, e-mail and text message sent in the UK recorded and kept for two years.

'Lose trust'

"The more databases that are set up and the more information exchanged from one place to another, the greater the risk of things going wrong," he will say.

"The more you centralise data collection, the greater the risk of multiple records going missing or wrong decisions about real people being made.

"The more you lose the trust and confidence of customers and the public, the more your prosperity and standing will suffer.

"Put simply, holding huge collections of personal data brings significant risks."

The speech will come as new figures show that reports of data loss are increasing.

About 100 incidents were reported to the commissioner's office in the six months from November last year. The total for the year to date is 277.

The NHS is one of the worst offenders, reporting 65 incidents in total, including 27 computers lost or stolen.

However, the real figures are likely to be much higher, because there is currently no legal obligation to report data losses.

There have been a string of high-profile data losses in recent months.

Earlier this month, a computer hard drive containing the personal details of about 100,000 members of the armed forces was reported missing during an audit carried out by IT contractor EDS.

And last year, HM Revenue and Customs lost a disc containing the names, addressees, dates of birth and bank account details of up to 25 million people claiming child benefit.

From: http://news.bbc.co.uk/1/hi/uk_politics/7697093.stm

According to SC Magazine "the activity of placing moles is becoming common".

Others say that the FSA has been quietly warning finance and insurance companies for the last two years of this growing practice.

For more see:
www.scmagazineuk.com/Companies-being-hit-by-moles-who-are-employed-by-gangs-to-steal-data/article/118641/ 

It turns out that BackupGenius has been the subject of such a false positive from some adware scanners recently. We have investigated this very rigorously and it has been confirmed to us how this has come about.

In just the kind of way that Tablet PCs had failed to. They were supposed to – but never did, despite the hype and the backing of a huge industry, from Microsoft on down.

So it’s the price – right? Well no actually The price levels help but while they are a little cheaper than a laptop they’re not that much cheaper. You can pick up a decent laptop with your groceries from Tesco’s for £299– and shave at least 10% off that with just a quick search online.

It’s about technology, portability and most of all psychology. It’s about what people want. Half the world’s addicted to Facebook and most people live at least part of their lives through email and the web.

We’ve put up with breaking open the laptop and finding a power socket – or sitting at a desk to do it – only because we had to. WiFi is increasingly everywhere, so with an Eee or - one of a growing league of clones – we don’t have to.

These are computers you don’t have to ‘sit at’. Or ‘lug around’. You pick them up – do some stuff – put them down or drop them in a pocket. Sometimes they’re connected – sometimes not.

This is a new experience. This is a new kind of freedom: Ubiquity. Take it in the kitchen, even use it in the bath! The day I got my first Eee I stood at the bar waiting for a pint typing away quite comfortably! Try doing that with your laptop.

Is it a ‘desktop replacement’? No. These devices will see more of the coffee table, kitchen worktop, the bedroom, the high street and the open spaces than the top of anyone’s desk. Reaching the parts all the other PCs fail to reach – remarkably like your mobile phone.

Maybe it started with the OLPC (One Laptop Per Child) initiative – maybe it didn’t but the worldwide love affair with ‘netbooks’ marks a sea change – we have a new landscape…. and Microsoft has a problem.

Because it’s a change driven entirely by demand. Not just that it’s far outstripped supply, but that it’s setting the direction - and the pace. This idea didn’t come out of the labs and strategies of Microsoft or HP. The established players are all playing catch-up. Indeed Microsoft – caught uncharacteristically on the hop– have changed their product pricing and XP retirement strategy as a result. Twice. A special version for the new little beasties – and a special low price. Restrictions on screen and disc size relaxed within days of their announcement.

Vista looking more vulnerable by the day. The only serious attempt to get it onto a Eee class machine – by HP – judged a pretty obvious mistake, that’s hobbling their strategy in this exploding market.

Microsoft have had to move fast to stop this getting away form them entire. Linux has taken a hold while most people were looking the other way.

The price difference has been more a psychological than a financial or practical factor – that it doesn’t ‘feel’ like buying a PC – so ‘so what’ if it doesn’t have Microsoft Windows on it?  The hardware is beginning to ‘feel’ disposable.

Time will tell, but Linux2008 has proved itself here already. It’s now a contender.

But it’s early days – and the industry has, it seems, yet to realise how important this all is. Pumping out some clones to capitalise on Asus’s success is one thing… absorbing a shift in the zeitgeist – a new computing paradigm - is quite another.

Even before all this more and more people were needing more than one PC – work PC, laptop – home PC…  Now there’s another reason, and the age or ubiquity has silently dawned – while most people were asleep.

© Barry E James, June 2008

Just back from California and the RSA security conference it’s clear that there’s a shift in the awareness of this issue – in the USA as well as here - and that it’s now a top three issue for many companies – it’s even acquired a name: DLP – “Data Loss Prevention”.

The birth of a term

While it’s interesting to see the birth of a new term (try Googling it today and you’ll come up dry, but go back in a couple of weeks or so and it’ll be a different story) this is no new problem. It’s over two years since we started running seminars on this – notably with MERIT in 2006.

It’s official – sort of: This dropped into my inbox from California this morning:

“… Data Loss Prevention (DLP) solutions enable business and government organizations to safeguard their most valuable assets — intellectual property, customer data, and other sensitive information. … DLP is a top 3 priority for CIOs in 2008, realize the importance of DLP to demonstrate compliance, reduce risk, safeguard brand and reputation…”

Ugly though the term is – and goodness knows we have enough alphabet soup already – the fact that I also heard it mentioned on almost every stand I visited over three days there attests to the fact that it is something we have needed to put a name to for a while now. The language is playing catch-up

A new market

It’s emerged that not only is there a black market in such data – but that it’s undergoing something of a recession itself – with street prices for personal data falling recently because of oversupply, and inbuilt ‘QA’ checks with data ‘vendors’ being blackballed if they supply overused or out of date information. It’s now a fully-fledged criminal business - and it’s globalising.

Time was when you could rely on the likelihood that the laptop stolen at the station or left in the taxi would be wiped and resold in some pub within a few days. That’s changed with the new ‘owners’ as aware as we are that the data probably has far more value than the laptop.

Zeitgeist - a shift in attitudes

Likewise just last year the company/organisation losing such data was as likely as not to be regarded as a victim rather than culpable. That’s changing too – fast. Since the recent highly publicised breaches everyone from Gordon Brown and M&S on down is increasingly aware of what a dim view the press, the regulators and soon no doubt the courts will take when the ‘victim’ didn’t take credible precautions.

There will be an answer: DLP (with apologies to Paul McCartney):

There is in fact an answer to the problem of lost and stolen laptops – it’s simple, comprehensive, inexpensive and practical (and no it’s not just encryption – that can only ever be a part of the answer). It can ensure not only that the data isn’t breached – but that it isn’t lost to you either.

Stop-Loss

Whether it’s for your own organisation or for your clients we’ll be happy to fill you in on how to close off this risk  – for free. As you would expect we have some tools – and a very neat and effortless solution – to help with this. But this advice is genuinely free and something you can apply yourself straight away with no cost to you, no charge at all.

Just go to www.TakeWare.co.uk/contacts/stoploss and leave your phone and email  details and we will respond with the information you need to prevent this becoming a problem. What have you got to lose?

© Copyright Barry E James, The TakeWare Company, April 2008 (V1.00)

Along side the FREE download we are pleased to offer to our first 100 customers the chance to get a fully functioning BackupGenius™ device at rock bottom prices:

2GB only £9.99
(around 8GB of compressed data)

4GB only £14.99
(around 16GB of compressed data)

To avoid dissapointment ORDER NOW HERE, this offer is only available to the first 100 orders.

Go to the TakeWare® Store

(UK orders only, international customers please contact us for pricing)

Watch this space!

Soon you can download a TakeWare app to your own memory device for the first time - creating your very own Plug&Go appliance!

Watch this space for imminent news!