Tag Archives: Data Security

Equifax Hit With £500,000 Fine



The UK’s Information Commissioner’s Office (ICO) has fined credit reference agency Equifax £500,000 for the 2017 data breach. Equivalent to roughly US$660,000, the fine is the largest the ICO has ever imposed and the maximum permitted under the legislation in force at the time of the breach, the Data Protection Act 1998. Under GDPR, which replaced it in May 2018, the ceiling would have been €20 million or 4% of global annual turnover, whichever is higher.

The Equifax data breach involved the records of 146 million people, with nearly 15 million being UK nationals. The ICO was scathing in its comments about Equifax, saying, “The ICO found that measures that should have been in place to manage the personal information were inadequate and ineffective. Investigators found significant problems with data retention, IT system patching, and audit procedures. Our investigation also found that the US Department of Homeland Security had warned Equifax Inc about a critical vulnerability as far back as March 2017. Sufficient steps to address the vulnerability were not taken meaning a consumer facing portal was not appropriately patched.”

During the cyber attack last year, a range of personal information was taken, including names, dates of birth, addresses, passwords, driving licence details and financial data.

The Information Commissioner herself, Elizabeth Denham, went on to say, “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data.”

Equifax’s approach to data protection and the care of our personal data was negligent, and frankly, I don’t think they deserve to be in business. The full judgement is available here (PDF).

Money photo by Sharon McCutcheon on Unsplash.


Business Values Our Data. Why Don’t We?



Organisations love information about you. Everywhere you go, it’s sign up here, tell us about this and what do you think about that? Trust me, businesses aren’t interested in you for altruistic reasons: they either want to sell you stuff, or sell your information to other businesses who want to sell you stuff. Your information has value to them and they want it.

An email from a major UK hotel chain arrived in my inbox the other day, offering me an annual birthday gift in exchange for updating my profile with my date of birth. I imagine the gift will be a discount on a hotel stay around the time of my birthday, but the email didn’t say. Perhaps not to be sniffed at, but birth dates are often used as part of the security checks on bank accounts, so it’s worth being cautious.

I think we’ve all become aware over the past few years how easy it is for big names to be hit with a data breach – Equifax, Yahoo, British Airways – and a hotel chain seems like a juicy target too. It wouldn’t be the first, either: lots of lovely customer information, with credit card numbers attached.

Consider too that factual personal information like dates of birth can’t be changed. If a password is stolen as part of a data breach, the solution is to change the password. Credit card number lifted? A new credit card arrives in the post. There’s nothing you can do if your date of birth is taken. It’s on your birth certificate.

It’s not worth it. If the hotel chain wants my age band and month of birth, I’ll happily give it up for a discount, but when it comes to day, month and year, I think I’ll pass. You should too.

Photo by Rene Böhmer on Unsplash.


Rocstor Encrypted External Hard Drives



Rocstor specialise in data storage and secure encryption solutions: that’s encrypted external hard drives to you and me, but it’s an increasingly important market. Andy and Scott talk to Anthony Rink from Rocstor about how their products can keep your data safe.

Rocstor offers a range of external data storage products with real-time encryption built in as standard. The drives meet FIPS 140-2 Level 2: the encryption is done in hardware on the drive rather than in software on the host, and the enclosure is tamper-evident, so any attempt to open it to get at the keys leaves visible signs (Level 2 requires tamper evidence, not the active tamper response of Level 3). To suit different circumstances, some models authenticate with a hardware token, others with a PIN, and some with both; ruggedised and waterproof units are also available. Depending on features, $250-$300 buys 1 TB of encrypted external storage.

Interview by Andy McCaskey of SDR News and Scott Ertz of F5 Live: Refreshing Technology for the TechPodcast Network.

Support my CES 2018 sponsor, GoDaddy.


A Six Sigma Approach to Security



How sure are you that your security policy is effective? Let’s say it is: how effective is it, and what does it cost, not just in money? One way to answer these questions, and to make sure the policy is not only effective but also efficient, is to apply the Six Sigma approach.

I’m meeting more and more IT folk who are Six Sigma trained, either certified Black Belts or working towards the certification. A Black Belt must be able to explain the philosophies and principles of the quality programme, including how systems, tools, processes and continuous improvement can best be applied at multiple management levels and to diverse business processes throughout the organisation, and must be able to apply them in practice. However, quality is usually discussed in terms of product development and manufacturing. I think that it must also be applied to digital security.

Who is responsible for the security of digital assets? Every employee who handles the data must understand that she is responsible for its security, to the extent of her authority within the organisation. However, policies that make everyone responsible rarely succeed, because ultimately no one accepts personal responsibility. The Six Sigma approach starts at the other end: rather than with the corporate user of the data, the analysis begins with the customer, the real end user of corporate data. Counting the number of times customer service has been affected by security failures gives the Six Sigma process a defect measure from which to evaluate security holes, their causes, and the long-term effects of interim fixes.

Dave’s Opinion
The Six Sigma approach to effectiveness and quality assurance is built around driving failures towards zero. Sigma is the standard deviation of a process output: a Six Sigma process keeps its specification limits six standard deviations from the mean, which, allowing for the conventional 1.5-sigma drift over time, works out at 3.4 defects per million opportunities.

The Six Sigma approach is popular in many management disciplines, not just information technology; however, I have rarely seen it applied to security management. Maybe it’s time.
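As an added example, not code from the original post, the following Python turns the definition above into a measurement of a security policy: it scores patch compliance as defects per million opportunities (DPMO) and converts that to a sigma level using the standard normal distribution and the conventional 1.5-sigma shift, so the 3.4 DPMO figure comes out at 6.0. The hosts, patch identifiers and SLA are constructed for illustration and do not refer to real advisories.

```python
"""Scoring a security control with Six Sigma arithmetic.

Added example, not code from the original post. Six Sigma measures a
process in defects per million opportunities (DPMO) and converts that to a
sigma level through the standard normal distribution, allowing for the
conventional 1.5-sigma long-term shift; 3.4 DPMO is the 6-sigma figure.
Here the "process" is patch management: every (host, required patch) pair
is one opportunity, and a defect is a patch applied after the SLA or never
applied at all. The records and the SLA below are constructed.
"""
from statistics import NormalDist

_NORMAL = NormalDist()      # standard normal, mean 0, sd 1
LONG_TERM_SHIFT = 1.5       # Six Sigma convention for process drift

# Constructed sample: (host, patch id, days from release to install).
# Patch ids are placeholders, not real advisories. None = never applied.
PATCH_SLA_DAYS = 14
SAMPLE_PATCH_RECORDS = [
    ("web-01", "P-001", 3),
    ("web-01", "P-002", 21),     # late -> defect
    ("web-02", "P-001", 5),
    ("web-02", "P-002", 9),
    ("db-01", "P-001", 30),      # late -> defect
    ("db-01", "P-002", None),    # never applied -> defect
    ("portal-01", "P-001", 12),
    ("portal-01", "P-002", 14),  # exactly on the SLA still counts as met
]


def dpmo(defects, opportunities):
    """Defects per million opportunities."""
    if opportunities <= 0:
        raise ValueError("need at least one opportunity")
    if not 0 <= defects <= opportunities:
        raise ValueError("defects must lie between 0 and opportunities")
    return defects / opportunities * 1_000_000


def sigma_level(dpmo_value, shift=LONG_TERM_SHIFT):
    """Sigma level for a DPMO figure: z-score of the yield plus the shift.

    yield = 1 - DPMO / 1e6. For 3.4 DPMO the z-score is about 4.5 and
    adding the 1.5 shift gives the familiar 6.0.
    """
    if not 0 <= dpmo_value <= 1_000_000:
        raise ValueError("DPMO must lie between 0 and 1,000,000")
    process_yield = 1 - dpmo_value / 1_000_000
    if process_yield >= 1:
        return float("inf")       # no defects observed: unbounded
    if process_yield <= 0:
        return float("-inf")      # every opportunity failed
    return _NORMAL.inv_cdf(process_yield) + shift


def dpmo_for_sigma(level, shift=LONG_TERM_SHIFT):
    """Inverse of sigma_level: the DPMO a given sigma level permits."""
    return (1 - _NORMAL.cdf(level - shift)) * 1_000_000


def count_patch_defects(records, sla_days):
    """Return (defects, opportunities) for patch records against an SLA."""
    defects = sum(1 for _host, _patch, days in records
                  if days is None or days > sla_days)
    return defects, len(records)


def assess_patching(records, sla_days):
    """Full Six Sigma read-out for a set of patch records."""
    defects, opportunities = count_patch_defects(records, sla_days)
    d = dpmo(defects, opportunities)
    return {
        "defects": defects,
        "opportunities": opportunities,
        "dpmo": d,
        "sigma": sigma_level(d),
    }


if __name__ == "__main__":
    result = assess_patching(SAMPLE_PATCH_RECORDS, PATCH_SLA_DAYS)
    print(f"{result['defects']}/{result['opportunities']} patches late or missing")
    print(f"DPMO {result['dpmo']:,.0f} -> sigma level {result['sigma']:.2f}")
    for level in (3, 4, 5, 6):
        print(f"{level}-sigma allows {dpmo_for_sigma(level):,.1f} DPMO")
```

Run against the sample data the policy scores about 1.8 sigma, which is the point of the exercise: five of eight patches on time looks reasonable on a status report, yet it is five orders of magnitude away from the 3.4 DPMO that Six Sigma treats as acceptable, and the DPMO figure gives a single number to track as controls change. The same functions apply to any defect you can count per opportunity, such as customer-service incidents per transaction, which is the measure the post proposes.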

Call for Comments
What do you think? Leave your comments below.

References
Six Sigma
101 Things A Six Sigma Black Belt Should Know