Brian Pennington

A blog about Cyber Security & Compliance


May 2012

Information Commissioner’s Office consults on new anonymisation code of practice

The Information Commissioner’s Office (ICO) has begun a public consultation on a new anonymisation code of practice.


The code will provide guidance on how information can be successfully anonymised and how to assess the risks of identification. The ICO has also launched a tendering process to establish a network of experts to share best practice around the release of data in an anonymised form.

Anonymisation techniques can convert personal data into a form so that individuals are no longer identifiable. The consultation will be relevant to any organisation that wants to release anonymised data, for example under the government’s open data agenda.

Christopher Graham, Information Commissioner said:

“The UK is putting more and more valuable data into the public domain. The open data agenda will see this process continue and I welcome the power this information gives the average UK citizen to understand how the public sector operates and hold organisations to account.

“However, while the public wants to see openness, they want to see their privacy rights respected too. The risks of anonymisation can sometimes be underestimated and in other cases overstated; organisations need to be aware of what those risks are and take a structured approach to assessing them, particularly in light of other personal information in the public domain.

“Anonymisation can allow organisations to publish or share useful information derived from personal data, whilst protecting the privacy rights of individuals. Our code will aim to provide clear, practical advice on how data can be anonymised. We are now inviting individuals and organisations to submit their views on how this can best be achieved.”

The consultation will play an important role in making sure that the new code achieves the right balance between the protection of individuals’ privacy and the benefits of making information publicly available.

The consultation will remain open for the next 12 weeks, before closing on 23 August 2012. A copy of the draft code and consultation document is available in the consultation section of the ICO website.

A final version of the ‘Anonymisation Code of Practice’ – incorporating any changes resulting from comments received – is due for publication in September.

The code of practice will allow organisations to better achieve compliance against the proposed European Data Protection Act. Read my post Proposed European wide Data Protection Act – a review for further information.

An alternative to anonymisation is Tokenization, which is a recognised solution for PCI DSS. For details of a free copy of the Tokenization for Dummies eBook click here.


Database security and SIEM are the top Risk and Compliance concerns


The McAfee report Risk and Compliance Outlook: 2012 has been published and found that Database Security and Security Information and Event Management (SIEM) were among the top priorities, due to an increase in Advanced Persistent Threats (APTs).

Databases hold the valuable data that criminals are searching for, so it follows that Database Security is a growing issue and the one flagged as the biggest concern. The report indicates that over one quarter of those surveyed had either had a breach or did not have the visibility to detect one. This is a huge concern when considering that most compliance requirements, for example the Payment Card Industry Data Security Standard (PCI DSS) and the pending European-wide Data Protection Act, are concerned with knowing whether a breach could occur or has occurred.

The other major concern was Security Information and Event Management (SIEM), which correlates well with the fears over Database Security, with approximately 40% of organizations planning to implement or update their SIEM solution.

Key findings of the report:

  • Similar to the 2011 survey, there is a positive trend in security budgets for 2012 with 96% of the organizations indicating same or more expenditure on risk and compliance
  • Organizations state ‘Compliance’ as the driver for almost 30% of IT projects
  • Software and Appliance are the top choices for Risk and Compliance products. On average, one-third of all organizations prioritized the upgrade/implementation of unique risk and compliance products to address vulnerability assessment, patch management, remediation, governance, risk management, and compliance
  • Survey data showed rapid uptake towards Hosted SaaS and Virtualization. Nearly 40% organizations claim to be moving towards these deployment models in 2012
  • Patch Management frequency is a challenge – almost half of the organizations patch on a monthly basis, with one-third doing it on a weekly basis. Just like last year’s analysis, not all companies are able to pinpoint threats or vulnerabilities; as a result, 43% indicate that they over-protect and patch everything they can

“Managing risk through security and compliance continues to be a leading concern for organizations the world over,” said Jill Kyte, vice president of security management at McAfee. “Meeting the requirements of increasingly demanding regulations while reducing exposure to the new classes of sophisticated threats and having an accurate understanding of risk and compliance at any point in time — can be challenging. To address this issue, organizations are looking to ‘best-of-breed’ solutions to manage all aspects of their risk and compliance needs and reduce the amount of time spent managing multiple solutions.”

Some other headline findings of the survey show:

  • Visibility is a pervasive challenge organizations continually face in managing their IT risk posture. The issues revolve around having the visibility to see vulnerabilities within their processes and controlling the ever-changing internal and external threat vectors
  • 80% of the survey respondents recognize the importance of visibility; more than 60% have about the same visibility they had in 2010; 27% improved their visibility since 2010; and 8% now have less visibility compared to 2010
  • The top two controls that respondents have implemented to manage risk and subsequently their compliance postures are the monitoring of databases and of configuration changes for the entire enterprise environment/infrastructure
  • Approximately 60% of surveyed organizations view SIEM solutions as an important solution to provide real-time visibility into their applications, databases, system performance, and event correlation

A summary of the whole report is below along with a link to the full report.

Risk and Compliance Posture

During 2011, over 60% of the respondents implemented and updated existing tools to improve the visibility and control of their IT processes in an effort to minimize organizational risk. Product groupings include:

  • Risk Management
  • Application, Database and Network Vulnerability Assessment
  • Log Management and Security Information Event Management (SIEM)
  • Database Activity Monitoring
  • Policy Compliance Assessment and Governance Risk and Compliance (GRC)

Respondents indicate that their 2012 implementation and upgrade priorities include

  • Risk Management at 19% and 18% respectively
  • Vulnerability Assessment at 18% and 19%
  • Patch Management at 16% and 21%
  • SIEM at 16% and 21%
  • Further, 48% of the respondents (an increase of 8% over last year) indicate that their organizations have updated/deployed a GRC solution in 2011 in an effort to aggregate and monitor organizational risk and compliance status

Overall it appears that enterprises recognize that they cannot efficiently address risk unless they understand what they are up against and can apply the appropriate controls. Without this knowledge and insight, the effectiveness of any security and compliance effort cannot be measured against the risks actually faced:

  • 39% of incidents involved a negligent employee or contractor
  • 37% concerned a malicious or criminal attack
  • 24% involved system glitches including a combination of both IT and business process failures

Mainline cybercriminals continued to automate and streamline their method du jour of high-volume, low-risk attacks against weaker targets. Most victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack. Given this, it’s not surprising that most breaches were avoidable (at least in hindsight) without difficult or expensive countermeasures.

Patch Management

At the time they wrote the report, McAfee believed there were over 49,000 known Common Vulnerabilities and Exposures (CVEs), as reported by the US-CERT National Vulnerability Database (NVD).

During 2011 the NVD reported 3,532 vulnerabilities, which translates to about ten new security vulnerabilities being discovered each day. While the rate of newly discovered vulnerabilities is impressive, the good news is that the trend is on a descending path: 4,258 vulnerabilities were reported in 2010 and the peak was in 2008, when almost 7,000 vulnerabilities were reported.

More than half of the surveyed companies indicated they know precisely which assets need to be patched when new threats materialize, to prevent the threats from impacting their businesses. Conversely, 15% of those surveyed indicate they are not confident in their ability to know which assets to patch when new threats materialize.

Comparison of patch cycle (weekly, monthly, and quarterly) to confidence levels shows that as the patching frequency declines, so does an organization’s confidence. Specific analysis shows:

  • Organizations with weekly patching practice – 53% feel confident about patching of assets
  • Organizations with monthly patching practice – 49% feel confident about patching of assets
  • Organizations with quarterly patching practice – 43% feel confident about patching of assets


Ever changing threats, data breaches, and IT complexity add additional burdens to the already difficult tasks associated with having the visibility necessary to monitor security events, detect attacks, and assess real and potential damage.

Near real-time visibility is critical to any risk management program in today’s complex and diverse computing environments. Without it, organizations are flying blind.

Similar to last year,

  • approximately half of the respondents spend 6 to 10 hours per month on risk management activities that assess and correlate the impact of threats on their organizations
  • 7% of small organizations (1,000 or fewer employees) spend 15-20 hours on risk and threat activities
  • 16% of organizations with more than 1,000 employees spent 15-20 hours on risk and threat activities

Policy Compliance and Configuration Challenges in Achieving Compliance

Regardless of whether an organization views industry standards and compliance mandates as a way to improve its practices or as a necessary evil, implementing standards is just the beginning of the road to compliance.

The real challenge often lies in maintaining compliance over time, especially as compliance standards and mandates evolve and increase in number. Organizations need to recognize:

  • Business and technology boundaries are constantly changing and expanding
  • New technology brings new risks, new processes and thus new compliance issues
  • Businesses require flexibility to maintain competitiveness – rigid controls can hinder flexibility, thus hurt operational effectiveness.

According to the Ponemon Institute “True Cost of Compliance” study: “…while the average cost of compliance for the organizations in our study is $3.5 million, the cost of non-compliance is much greater. The average cost for organizations that experience non-compliance related problems is nearly $9.4 million.”

Database Security

When asked about sensitive database breaches,

  • 12% of the organizations stated that they have experienced a breach
  • 15% “are not sure”

These results indicate weakness in security control effectiveness and a lack of visibility. Conversely, three-fourths of the respondents overall and in particular those from North America, Germany and the UK, indicate that their databases have never been breached.

According to Forrester Research analyst Noel Yuhanna in his most recent database security market overview report:

“The database security market is likely to converge with the overall data security market in the future, as DBMS vendors extend the security features that are bundled with their products”.

Mr Yuhanna’s market insight closely corresponds with the survey respondents’ use of database security solutions:

  • 49% of the organizations use dedicated database security solutions; McAfee, followed by Oracle, tops the list of database security solution providers
  • 42% of the organizations use DBMS vendor security features to protect their databases
  • Compared with 34% of organizations from Brazil, a higher number of organizations from France (66%) and the UK (58%) have dedicated database security solutions. Regional analysis shows 61% of Brazil-based organizations use DBMS vendor security features compared to 36% of the North American organizations. IBM holds a strong market share in North America, France and Germany as compared to its share in APAC and the UK.

The link to the full McAfee report is here.


Proposed European wide Data Protection Act – a review

Over the last few months I have attended several conferences and read a lot of research on the proposed upgrade of the European Commission’s 1995 Data Protection Act and have found it fascinating: the rumours, the speeches, the headlines and of course the lack of clarity on how the major issues will be dealt with in the real world.

EU Justice Commissioner Viviane Reding, the Commission’s Vice-President said:

“17 years ago less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds,”

“The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses. A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.”

Do not get me wrong, I am 100% in favour of a consolidated European Data Protection Act, because ambiguity in one country leads to breaches in another and that is not good for business or for the privacy of individual citizens.

After all the consultations and feedback the big development was the leaking of a draft EU Data Protection Act document at the end of 2011. The draft provided concrete evidence to substantiate the rumours and speculation about the requirements and likely fines and provided confirmation about the direction the Act was heading.

The Act is heading in the right direction, but some of the points were likely to be contentious, for example the “Right to be forgotten” and “all businesses with 250+ employees needing a Data Protection Officer”; there are others, but I will cover them later in the post.

One thing is obvious, a consolidated European Data Protection Act has polarised people into one of four camps:

  1. Those concerned with the privacy of the citizen who want more restrictions and tougher sanctions.
  2. Those concerned about the impact and cost to businesses who want less restrictions and lower sanctions.
  3. Those who have to translate and ultimately enforce the Act and to try and stop it becoming another Human Rights Act! They want a simple and coherent Act that is easy to enforce without a constant stream of lawyers muddying the waters.
  4. Those citizens who in the main do not have a clue what is being done in their name and there are 500 million of them.

Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, believes the proposed EU-wide Data Protection Act will save European businesses €2.3 billion annually whilst protecting the privacy of European citizens.

Great, everyone wins. Or do they?

The majority of the savings will probably benefit businesses that currently have to cope with the 27 different Data Protection Acts in operation across the EU member states. However, if you are a small business operating in one or two countries you may struggle to benefit financially from the consolidation.

The impact on the local Data Protection Authority (DPA), which in the UK is the Information Commissioner, is likely to be massive, which means they will need more staff to accommodate and enforce the new requirements, which in turn means the individual states will have to spend more money.

Why will there be a massive impact? There are several reasons, but one in particular stands out as an administrative nightmare: if Personally Identifiable Information (PII) relating to a European citizen is transferred outside the boundaries of the EU, the local DPA has to be informed. How many times this will need to be done is hard to calculate, but how much data goes to the call centres in the Philippines? With 600,000 Filipinos employed in call centres it is going to be a lot. Then there is the data processing in India, data translation in America, Disaster Recovery contingencies across the globe, Cloud computing (where is the cloud?); the list of possibilities is endless.

The EU Commission is mindful of these implications and is discussing how some specific actions can be taken into account when defining the final draft. Three specific areas they are looking at are:

  1. Binding corporate rules on what, where and how.
  2. Sectoral adequacies, and the continuation of the Safe Harbour Agreements
  3. Existing mechanisms such as contractual clauses that are broadly used on both sides of the Atlantic.

Using the UK as an example, last year the UK Information Commissioner’s Office (ICO) handled 30,000 complaints, and with the proposed requirements on businesses that number could easily quadruple. You could say “some of the 30,000 complaints lead to convictions and fines and that could pay for the increased costs of operating the new Data Protection Act”; on the face of it you are correct, except that the fines are collected by the UK Treasury and are not handed to the ICO. If the fines were passed over then the process could be self-funding.

On the 3rd May 2012 Viviane Reding announced the intention to conduct a funding review of all DPAs and then to lobby governments for the correct funding in each country. She believes that if the levied fines were pointed in the right direction they could become a revenue generator for the country:

“the national data protection authority can even be a good investment as it can bring additional revenue for the Member State due to the fact that the main establishment is located in its territory. Such extra revenue and wider benefits can come from tax income, newly created jobs, and the collection of administrative fines on infringements. Let’s also not forget that according to the reform proposals, the administrative fines a national data protection authority can impose can be up to 2% of the annual worldwide turnover of an enterprise. This can lead to quite substantial revenues”

This review will not impact individual DPAs until the summer of 2013, which is likely to be 12 months before the Act is enforceable but 12 months after the hundreds of thousands of businesses have asked for assistance on what they need to do, who they need to register with, etc.

A significant improvement within the Act will be a requirement on business to be pro-active. Prevention is better than the cure, or in this case better than a Data Breach.

Businesses will be required to:

  • have “Privacy/Data Protection by Design”, which means that, at the point of building a process or system, security has to be on the list of desired outcomes.
  • Data Protection by default, which means all systems have to be secure.
  • All businesses must undertake a Privacy/Data Protection Impact Assessment, which means they must have a documented process for assessing the risk to their PII data and be able to demonstrate that they have undertaken, “at least” annually, an assessment of the risk and taken steps to mitigate the risk. This is not a Penetration Test; this is a thorough assessment of the people, processes and technologies surrounding and impacting on the PII data. A good guide is contained in the book Privacy Impact Assessment by David Wright and Paul de Hert, ISBN-10: 9400725426.

Another huge improvement is the requirement on business to formally notify the local DPA of any breaches. Breach Notification has been in existence for several years, for example in California and in Germany. The new requirements will mean businesses can no longer delay notifying those affected in the hope that it will never surface.

It is proposed that the organisation’s Data Controllers notify the DPA within 24 hours.

Mandatory Breach Notification is a difficult area because some breaches can run for months or years before they are discovered. It is the point of discovery that is important, as far as the Act is concerned, but if a business did try to cover up then there is a good chance they will be found out and the details of who did what will be clear for the world to see.

In 2007 when the UK’s HMRC lost a CD containing the child benefit details of 25 million people everyone expected an avalanche of Identity Thefts but, fingers crossed, nothing has happened in the last 5 years. They notified the authorities and the press within days. It could be argued however that, as a result, 25 million people were alerted and put under stress for no reason. Further details of the loss can be found here.

A case similar to the HMRC situation occurred in 2008, when Heartland Payment Systems lost millions of credit card records. In this case they did not know the breach had occurred for approximately 8 months, but when they did find out they undertook forensics and notified the authorities within 8 days. The issue in this case was that the data was used for criminal purposes. The criminal Albert Gonzalez, AKA “segvec,” “soupnazi” and “j4guar17”, has since been convicted and is currently serving 20 years for various crimes involving up to 130 million stolen credit cards’ data. Details of Gonzalez can be found here.

Once the DPA has been informed the organisation then has to inform the individuals affected. This is the first direct cost of a breach. See my post The huge and unexpected administrative costs of a data breach. There is always the risk that they may not understand the notification, for example a report indicated that “39% of those who received them (or properly noticed them) initially thought it was marketing material of some form”.

If adequate protection is in place, for example Tokenization, it is unlikely the organisation will have to inform the individuals. This makes putting security in place and being able to prove it was running essential.

Another impact which affects many countries, especially the UK, is the Freedom of Information Act (FOIA). Currently the FOIA does not allow access to information relating to voluntary breach notifications, which means that if a cover-up has been attempted but was not successful there is a chance the organisation can avoid having all the information go public by admitting it and therefore suppressing it. The new Act will mean nearly all of the information about a breach will be in the public domain, including an organisation’s failure to protect PII and possibly the organisation’s attempts to cover it up.

Across Europe the enforcement of the Act will be handled by the individual DPAs, around 1,500 seasoned Data Protection professionals, but many sceptics have speculated that larger businesses can flex their political muscle and lobby for leniency or to keep their breach out of the public eye.

The Commission has recently taken a strong line on the need for independence and in April 2012 took action against Hungary for its DPA’s lack of independence. For any country to be hauled in front of the European Court of Justice is embarrassing, especially if they have to amend their own legislation. Full details of the Hungarian action can be found here.

Summary of the key changes in the proposed Act:

The Right to be forgotten is a contentious area for many organisations, for example:

  • Can someone with a bad credit history invoke the right to avoid their past?
  • If someone invokes the right with their insurance company they will lose their Car Insurance no claims bonus – could this then create a right to be remembered? And who pays the administration costs for the reinstatement of the data?
  • In the case of employees past and present, what information can be retained and what information has to be retained?

Privacy by Design. There is a debate as to whether the actual wording will be Privacy or Data Protection, which will be finalised when the final draft is passed into law. Organisations need to understand and account for:

  • why they need the data
  • what they are going to do with the data
  • how they intend to process the data
  • what protections are required
  • who will manage the processes

All organisations employing 250+ employees must have a Data Protection Officer.

All companies storing PII must undertake “regular” Privacy Impact Assessments. The wording may change to Data Protection Impact Assessment but that will not change the requirement to undertake, log and act upon the results of the Assessment.

All international data transfers need to be logged and the Data Protection Authority informed.

Explicit consent must be obtained to include an individual’s PII in databases, and individuals must be able to easily have their information removed.

Compulsory Breach Notifications within 24 hours of the breach.

Personally Identifiable Information is likely to include

  • Bank Account details
  • Credit Card data
  • IP addresses

Data Portability. Businesses must address the portability of data:

  • What is going to be done with it
  • How is it secured
  • How will fraud and Identity Theft be avoided

Significant fines can be levied. Actions that are likely to involve a fine from the DPA include:

  • Failure to appoint a Data Protection Officer
  • Unauthorised International Data Transfer
  • Failure to undertake a Privacy/Data Protection Impact Assessment

Fines will be levied on a sliding scale

  • 0.5% of global turnover or €250,000
  • 1.0% of global turnover or €500,000
  • 2% of global turnover or €1 million
  • So far no minimum figure is known.

The new EU Data Protection Act will be compulsory for all organisations except for Law Enforcement, who will operate under a European Commission “directive”. The Directive is designed to allow for faster and easier transfer of data and joined up policing across the member states.

This post was meant to be a short summary, and compared to my notes it is, but the far-reaching impact of this Act is largely unknown by most organisations, and it has a high probability of being passed into law during 2012, giving a requirement to be compliant by 2014. Whatever the date is, there is a need for organisations of any size to be aware of what is coming and to start developing plans to have Privacy and Data Protection at the forefront of their business plans NOW.


After a couple of recent articles, Channel 4 and TSYS, I thought I should re-post this old article.

Brian Pennington

Credit Card data is the Crown Jewels for hackers and the financial lifeblood of many companies. An Account Data Compromise, also known as a breach, can lead to bad press and a bad reputation; you only need to Google or Lush to see the impact.

With the 18th March 2011 launch of the PCI Council’s “Protecting Telephone Based Payment Card Data” guidance on Call Centres, it is worth noting that, according to research from Connected World, 36.7% of contact centres claimed to be fully compliant with the Payment Card Industry Data Security Standard (PCI DSS).

However, the majority (89%) admitted to not understanding PCI DSS, the requirements nor penalties.

There are many business and regulatory requirements that impact Call Centres, especially the recording of telephone calls, for example in the United Kingdom, the Financial Services Act.

The act of recording a call can break the rules of PCI DSS…


Survey: 99% rate security as a major consideration when choosing the Cloud

Intel have produced a very interesting survey on the way businesses perceive the Cloud, what they are looking for, whether Private or Public, and who seems to be the most secure. Below is my summary of the survey’s results.

Intel surveyed 200 IT professionals about a wide variety of cloud topics, including the key business and technology drivers behind their implementation plans, the importance of security in determining how the cloud is implemented, and their level of investment in security as part of cloud initiatives. The respondents were IT professionals in organizations of 100 to 1,000-plus employees across a variety of industries.

  • 18% of the companies surveyed are already offering cloud services
  • 42% are currently in the process of implementing
  • 38% are in the evaluation stage
  • 4% are planning to evaluate cloud initiatives

Security plays a major role in the selection of a deployment model for 99% of the companies surveyed, but only 44% cited security issues as the foundation for their decision making in selecting a private versus public cloud delivery model.

  • 80% said the most common drivers of security plans for cloud initiatives are related to protecting customer, vendor, and employee data
  • 76% said protecting servers and other platform/infrastructure resources from attack was the most important
  • 72% said it was protecting financial data
  • 48% believed that the overall organizational investment in cloud initiatives is security related
  • 52% are deploying the private cloud (or are most likely to utilize it)
  • 31% prefer a hybrid cloud
  • 11% prefer a public cloud

Security was cited as the biggest concern by 66% of those surveyed about outsourcing some IT to a cloud service provider.

Other key findings from the survey include the following:

Implementing security is no easy task

  • 60% have experienced moderate challenges
  • 22% have experienced major challenges

Security concerns are similar for outsourcing

  • For 66% of IT professionals, data loss and compromised platform or infrastructure assets are the biggest concerns when it comes to outsourcing to a cloud provider
  • For 60% of IT professionals, the security capabilities and assurances offered are extremely important when making a selection

Trust in cloud service providers is mixed

  • 54% of IT professionals have some trust in the ability of their cloud service provider to secure assets in the cloud
  • 43% have a great deal of trust

Hardware-based security provides greater assurance

  • A cloud service provider with additional hardware-based security measures is viewed as delivering a higher level of security by 78%.

Minor differences by company size

  • Data reveals no significant differences in results amongst the range of company sizes in their survey. However, of those companies with 1,000 or more employees, 24% are already offering cloud services, compared to 10% for each of the other segments

Intel asked IT professionals to describe security in their current IT environment:

  • 31% are regularly thwarting 100 or more virus or malware attacks every month
  • Companies with 500 or more virtualized servers are more likely to be thwarting an even greater volume of attacks. In this category, approximately 31% report thwarting more than 500 attacks every month, and 24% are thwarting 1,000 or more attacks.

IT professionals report a wide variety of potential security concerns that keep them up at night. Three top the list:

  1. 62%: attacks targeting specific data types
  2. 61%: attacks on server, platform and data centre infrastructure assets
  3. 60%: hackers seeking to gain control of software assets

Almost half are also concerned about rootkit attacks at the hypervisor level or below, network attacks, and attacks targeting end-point devices.

For those organizations with a cloud vendor already in place, controlling access to cloud resources becomes a more significant concern (70% versus 51%).

Cloud computing is considered an important strategic investment by almost all the companies surveyed:

  • 18% are already offering cloud services or capabilities
  • 76% of those currently evaluating or planning to evaluate expect to implement cloud services within the next year

Intel also asked IT professionals which technologies they are currently deploying to support a current or planned cloud environment:

  • 73% are currently using virtualization to consolidate servers and to enable virtual machine (VM) mobility across multiple servers in support of a cloud
  • Nearly half offer automation, metering and chargeback based on usage, and enable business units to self-provision resources

Choice of a Private Cloud

  • For 52% of those surveyed a private cloud is the leading deployment model, no matter what phase of implementation
  • The Private Cloud is the preference for 63% of those already offering cloud computing
  • 51% of those in the implementation phase prefer the Private Cloud
  • For those still evaluating the cloud 49% prefer Private Cloud

Public clouds are more likely to get consideration from companies with:

  • 500–999 employees (29% versus 5% among smaller and larger companies)
  • Fewer than 10 worldwide locations (17% versus 5% among companies with 10 or more locations)
  • 250–499 virtual servers (31% versus 3% among companies with 500 or more virtual servers)
  • Less than USD 10 million in revenue (21% versus 7% among companies with USD 10 million or more)

Although there is a clear preference for delivery model, the same is not true for the cloud service being considered or already implemented. All three of the major services get equal consideration across the survey sample:

  • 58% Software as a Service (SaaS)
  • 57% Infrastructure as a Service (IaaS)
  • 56% Platform as a Service (PaaS)

The IT professionals Intel surveyed recognised the importance of security across delivery models and for both internal and external implementations. They back up their concern with a high level of investment in security as part of the overall investment in cloud initiatives: averaged across the sample group, 48% of the investment in cloud initiatives is related to security.

Do high-profile security breaches reported in the news have any impact on cloud decision making? When asked to recall recent newsworthy breaches or attacks:

  • 24% mention the high-profile public security breach of the Sony* PlayStation* Network
  • 70% say the breaches they recall have no impact on their decision to move forward with cloud initiatives.
  • 30% are on hold while they deepen their evaluation of their security plans and controls

The survey asked respondents what they experienced as the greatest challenges to implementing security:

  • 95% who are already implementing or offering cloud services have experienced slight challenges in implementing security for a private or hybrid cloud
  • 22% indicated that they had experienced major challenges

The biggest headache? Data protection challenges, experienced by 44% of those surveyed.

Asked how they overcame their challenges, those surveyed reported that their top method was to increase or upgrade security measures, as well as to research thoroughly and leverage vendor relationships. Other approaches included training, hiring consultants, and increasing budget. A number of companies continue to grapple with unresolved issues.

64% of companies surveyed have had their planning efforts influenced by the following organisations, with number 1 being the highest influencer:

  1. Cloud Security Alliance (CSA)
  2. Open Data Centre Alliance (ODCA) – more than a third
  3. Trusted Computing Group (TCG)
  4. Distributed Management Task Force (DMTF)

Of the IT professionals surveyed:

  • 61% are currently evaluating a cloud service provider
  • 23% have selected a cloud service provider
  • Most reported that the security component offered by the cloud service provider is important, with 60% considering it extremely important.

The leading concern of those surveyed about outsourcing some IT to a cloud service provider is security (66%).

One in three cited compliance issues related to privacy and regulations as one of their greatest concerns.

Among IT professionals who are evaluating or have already chosen a cloud provider:

  • 54% have some trust in the ability of their cloud service provider to secure assets in the cloud
  • 43% have a great deal of trust
  • 60% reported that they were extremely or very concerned about the infrastructure their cloud provider uses
  • This is even higher for those thwarting 10 or more attacks a month (35% versus 15% for those fighting off fewer attacks)

In this same group:

  • 68% are concerned about rootkit hypervisor attacks
  • 35% are extremely concerned
  • Those IT professionals thwarting 10 or more malware attacks per month are twice as likely as those fighting off fewer attacks to be extremely concerned about rootkit hypervisor attacks (40% versus 19%)

Providing the right security assurances goes a long way toward building trust in a cloud service provider:

  • According to those who have chosen or are evaluating cloud providers, security controls in the platform (74%) are the most common security assurances provided
  • Those already using a cloud service provider are significantly more likely to be assured of security controls in the platform than those IT professionals still evaluating vendors (85% versus 70%).

78% believe a cloud service provider with additional hardware-based security measures to reduce some forms of malware provides a higher level of security. This was higher for those companies thwarting 10 or more attacks per month (62% versus 42% for those fighting off fewer attacks).

48% of IT professionals report that cloud service providers make their security assurances moderately visible, whilst 45% report them as highly visible.

Regular, periodic reports on security incidents (73%) are the most common methods used by vendors to document compliance with privacy or other regulatory requirements, followed by specified level of responsibility for a security breach (60%) and the ability for the organization to conduct compliance audits (60%).

Security Is Foundational to Those Offering Cloud Computing

By far the biggest business and IT drivers for security are protection of data and server platforms. Compared with companies implementing or evaluating cloud computing, those companies already providing cloud-based services are more likely to:

  • List their top two IT drivers as the need to protect data (74%) and the need to protect servers and other platform and infrastructure resources from attack (66%)
  • Say security was the foundation of their decision for implementing a private cloud initiative versus a public cloud (57% versus 41%)
  • Report high visibility into the security assurance provided by cloud service providers (67% versus 40%)
  • Have considered or implemented SaaS over PaaS or IaaS (86% versus 52% of those implementing or evaluating cloud services)
  • Be deploying technology that enables business units to self-provision resources (71% versus 44%)
  • Have an enterprise-class data centre (60% versus 21%) with more than 500 virtualized servers (34% versus 13%)
  • Be from companies with more than 1,000 employees (24% versus 10%)

High Level of Concern about Security in the Early Planning Stages

Those evaluating or planning to evaluate cloud computing are inclined to be significantly more worried about security than those already offering services or in the implementation stage. Those in the earlier stages tend to be:

  • Driven most by the need to protect data (87%) and to protect servers and other platform and infrastructure resources from attack (76%)
  • Least confident that their current network and data centre assets are adequately protected (43% very confident versus 64% not confident)
  • Able to recall more high-profile breaches and attacks (55% versus 33%)
  • Least trusting of the ability of cloud service providers to secure their assets in the cloud (20% have a great deal of trust versus 58%)
  • Least likely to be influenced by industry standards groups

Midsize Companies Are Implementing Cloud Initiatives

In the sample group, those in the process of implementing cloud computing tend to be from midsize companies with 100–999 employees. They tend to be:

  • Driven more than any other stage of implementation category by the need to protect servers and other platform and infrastructure resources from attack (81%) and to protect data (75%)
  • More likely to consider a public cloud (23% versus 2% of those already offering services or in the planning and evaluation stage)
  • More likely to have a localized or regional data centre (57% versus 41% of those already

For further information visit the Intel web site here.


No NHS fines for breaching the Data Protection Act then two come along in quick succession

At the end of April the Information Commissioner’s Office fined The Aneurin Bevan Health Board for breaching the Data Protection Act and today they fined Central London Community Healthcare (CLCH) NHS Trust £90,000.

The CLCH breach first occurred in March 2011, after patient lists from the Pembridge Palliative Care Unit, intended for St John’s Hospice, were faxed to the wrong recipient. The individual informed the Trust in June that they had been receiving the patient lists – around 45 faxes over a three month period – but had shredded them.

The patient lists contained sensitive personal data relating to 59 individuals, including medical diagnoses and information relating to their domestic situations and resuscitation instructions.

The ICO’s investigation found that the Trust failed to have sufficient checks in place to ensure that sensitive information sent by fax was delivered to the correct recipient. The trust also failed to provide sufficient data protection guidance and training to the member of staff concerned.

Stephen Eckersley, the ICO’s Head of Enforcement said:

“Patients rely on the NHS to keep their details safe. In this case Central London Community Healthcare NHS Trust failed to keep their patients’ sensitive information secure. The fact that this information was sent to the wrong recipient for three months without anyone noticing makes this case all the more worrying.”

Read the summary of the April fine, “Information Commissioner finally fines the NHS for a breach of the Data Protection Act”.


Guidance for merchants on how to securely accept mobile payments the PCI way

This has been coming for a while but finally the PCI SSC has published a fact sheet outlining how merchants can securely accept payments using mobile devices such as smartphones or tablets.

The “At a Glance: Mobile Payment Acceptance Security” fact sheet provides merchants with actionable recommendations on partnering with a Point-to-Point Encryption (P2PE) solution provider to securely accept payments and meet their PCI DSS compliance obligations. The ability to use smartphones and tablets as point-of-sale terminals to accept payments in place of traditional hardware terminals offers great flexibility. As mobile technology continues to change at a rapid pace, the Council continues to work with the industry to ensure data security remains at the forefront of mobile evolution.

This latest educational resource is the product of the Council’s Mobile Working Group and is the result of valuable input from leading merchants, vendors and organizations actively involved in the mobile payment acceptance industry. The document helps clarify and distill some of the more complex technology and security terminology into straightforward, practical guidance that can help merchants to:

  • Better understand their responsibilities under PCI DSS, and how they translate to mobile payment acceptance
  • Leverage the benefits of the Council’s recently published Point-to-Point Encryption (P2PE) standard and program
  • Choose a mobile payment acceptance solution that complements the merchant’s PCI DSS responsibilities, for example a P2PE solution provider

Using this resource to guide them in how PIN Transaction Security (PTS) and P2PE standards work together, merchants can better understand how to securely use external plug-in devices with smartphones or tablets to accept payment cards by first encrypting and securing the data at the point that the account data is captured. The smartphone or tablet has no ability to decrypt the data, thus simplifying PCI DSS scope for the merchant.

“We know merchants are eager to take advantage of their existing smartphones or tablets to accept payment cards,” said Bob Russo, general manager, PCI Security Standards Council. “And the Council and its stakeholders want to help the market to do this in a secure way. We’re excited about this easy-to-use reference that will help merchants understand how to use the suite of PCI Standards to enable their businesses while still keeping data security top of mind.”

As with all SSC fact sheets, this guidance does not replace or supersede any of the PCI Standards.

The Council continues to work with the payments community to address mobile payment acceptance security and evaluate whether additional requirements are needed in this area. As part of this ongoing initiative, the Council plans to publish best practices for securing mobile transactions later this year.

“The PTS and P2PE standards are being leveraged by mobile solution providers today. With this fact sheet we hope to help merchants understand how these standards work and the options that are available to them for accepting mobile payments in a secure and PCI DSS compliant manner,” said Troy Leach, chief technology officer, PCI SSC.

The link to the At a Glance: Mobile Payment Acceptance Security fact sheet is here.

The good old-fashioned way to breach the Data Protection Act – lose some paperwork

The London Borough of Barnet was fined £70,000 by the Information Commissioner for losing paper records containing highly sensitive and confidential information, including the names, addresses, dates of birth and other details of 15 vulnerable children or young people.

A social worker took the paper records home to work on them out of hours and was unfortunately burgled. Why would a criminal steal worthless paperwork? Because the paperwork was inside a laptop bag, complete with the laptop.

The Information Commissioner’s Office investigation found the council had “failed to take appropriate organisational measures against the accidental loss of personal data held on paper records. Although the council had an information security policy and some guidance for staff on handling sensitive papers, the measures failed to explain how the information should be kept secure”.

This is the second fine for this council, after an unencrypted device containing personal data was stolen from an employee’s home in June 2010.

Simon Entwisle, the ICO’s Director of Operations, said:

“The potential for damage and distress in this case is obvious. It is therefore extremely disappointing the council had not put in place sufficient measures in time to avoid this second loss.

“While we are pleased that Barnet Council has now taken action to keep the personal data they use secure, it is vitally important that organisations have the correct guidance in place to keep sensitive paper records taken outside of the office safe. This includes storing papers containing sensitive information separately from laptops.”


PCI Security Standards Council announces qualified integrators and resellers certification program

The PCI SSC quotes results from the Trustwave 2012 Global Security Report which states that 76% of the breaches they investigated were a result of security vulnerabilities introduced by a third party responsible for system support, development and/or maintenance of business environments.

Errors introduced by third parties during the implementation, configuration and support of PA-DSS validated payment applications in merchant environments were identified as a significant risk to the security of cardholder data. Specifically, small businesses in the food and beverage industry that rely heavily on outsourcing are particularly vulnerable, as they made up the bulk of the compromises.

To help address this security challenge, merchants, acquirers, payment software vendors and card brands participated in a Council taskforce to evaluate market needs and make recommendations on how to address them. This included development of more guidance and best practices for integrators and resellers and a global list of PCI Council certified integrators and resellers.

The Qualified Integrators & Resellers (QIR) program will provide integrators and resellers that sell, install and/or service payment applications on behalf of software vendors or others the opportunity to receive specialized training and certification on the secure installation and maintenance of validated payment applications into merchant environments in a manner that supports PCI DSS compliance. The PCI SSC will maintain a global list of QIRs, ensuring merchants a trusted resource for selecting PCI approved partners. The PCI SSC will be offering training online in late summer 2012, and the validated list for merchants will be published on the PCI SSC website shortly thereafter. More details on the program, including eligibility requirements and training course information and costs will be made available soon. In the meantime, those interested in participating in the program can click here or email questions to

“Product solutions that are a good fit for a PCI compliant organization need to be installed, configured, and managed properly to support PCI DSS,” said Diana Kelley, principal analyst at security IT research firm SecurityCurve. “Integrators and resellers need to understand what makes a solution effective for protecting cardholder data and the cardholder data environment in order to provide the most value to their customers. That’s why I think the new integrator and reseller certification and training for 2012 is a welcome addition to the Council’s comprehensive training offerings.”

“This program comes as a direct result of industry feedback and stakeholder requests for greater quality assurance and accountability around the secure installation of payment software,” said Bob Russo, general manager, PCI Security Standards Council. “Not only will it help integrators and resellers better understand how to address some of the basic security flaws we’re seeing that can be easily avoided, but it will also make it easier for merchants to have confidence in the services being provided to them. Retailers and franchise operators alike will have a go-to resource they can trust for making sure their applications and systems are being installed and maintained properly.”

Reproduced from the PCI SSC Press Release.


UK Fraud Report 2012

In April Experian released their 2012 review of Fraud in the UK. There are some interesting findings and a summary of the 28 page document is below.

Executive Summary of the report

  • Annual fraud losses across the UK are now estimated to top £70 billion
  • Of this around £3.5 billion is in financial services
  • A year-on-year rise of 4% in application fraud rates across all financial services products has been noted – reflecting a trend traditionally seen during downturns
  • Mortgage fraud rose by 8% in 2011, highlighting the level of exaggerated affordability and adverse credit some customers are now trying to hide
  • Insurance fraud has risen by 23%
  • The most significant year-on-year increase in fraud was seen around current accounts, which were up by more than half
  • First party fraud has continued to rise, while third party identity fraud has declined
  • A seasonal uptick in first-party fraud was also noted with significant H2 rises during the run up to Christmas
  • Traditional blue collar and welfare-dependent groups were among the most likely to attempt first-party fraud, as well as now becoming victims of fraud
  • The switch sees fraud moving closer to home and suggests an ‘anyone goes’ approach by fraudsters willing to aggressively pursue lower-yield opportunities
  • Card fraud and automotive fraud both saw 40% year-on-year falls, suggesting identity capabilities and verification technology are improving
  • Elsewhere, fraud on savings and loan products has seen modest falls within the past year, also reflecting improving industry-wide good practice

Fraud in the UK is now at a record level. During the past 12 months, Experian estimates it rose by at least 4%, and it is now an industry whose annual turnover is estimated to cost the country more than £70 billion.

Mortgage Fraud Rates

  • In 2006, around 15 frauds per 10,000 applications were being detected
  • In 2008 the figure stood at around 26 per 10,000
  • In 2011, 34 per 10,000 mortgage applications were found to be fraudulent

Insurance Fraud Rates

At present around 11 in every 10,000 policy applications and claims are fraudulent.

The Association of British Insurers is detecting more fraud than ever with more than 2,500 fraudulent claims worth £18 million every week.

The most common frauds

  • Home insurance with 66,000 bogus or exaggerated claims detected
  • Dishonest motor insurance claims with 40,000 frauds uncovered

Of these, motor frauds were by far the most costly, totalling £466 million. As a result, insurance fraud is estimated to now cost £2.1 billion per year.

Current Account Fraud Rates

Within the past 12 months, the rate of current account fraud jumped from more than 20 per 10,000 applications, to around 36 in every 10,000 applications. Around 60% of current account fraud was committed by first-parties, while the remaining 40% was committed by third-party identity fraudsters.

Automotive Fraud Rates

Fraud rates have fallen significantly in automotive finance, dropping from nearly 40 frauds per 10,000 applications at the end of 2010 to around 23 per 10,000 by the end of 2011. The vast majority (85%) of successful frauds were committed by first parties, possibly reflecting the increasing availability and prevalence of dealer credit.

Card Fraud Rates

Experian found that during the past two years the overall rate of credit card fraud has also dropped away.

There was a sizeable swing from third-party to first-party frauds during 2011. After a stable first three quarters of 2010, the proportion of first-party fraud began to rise rapidly, peaking at 70% in Q3 2011. Although the economy is likely to be a factor, with hidden adverse credit and inaccurate salary the most common reasons given, this trend in behaviour is also partly driven by some lenders’ changes to reporting methodology.

Savings Accounts Fraud Rates

The fall in fraud rates has coincided with a decrease in the average time after application when a fraud was noted, with 75% of fraud being marked within one month of the application.

Towards the end of 2011, lenders began to note more first-party frauds, citing previous payment fraud. The victims are largely the highest earners as they continue to clearly represent the richest pickings for fraudsters.

Loans Fraud Rates

Loans show a slowly decreasing fraud rate, down around 10% on the year but remaining at around seven frauds per 10,000 applications. More than three out of four (76%) loans were marked as fraud within one month in H2 2011, down slightly from 83% in H1 2010.

First Party Fraud – where it occurs

London continues to be the centre of UK fraud, with acute problems in the inner-city boroughs of Tower Hamlets, East Ham and Woolwich. Problems also persist in and around south east London.

The recent trend for a broad westward migration along the Thames Valley and out into the Home Counties has also continued. This is typified by the commuter towns of Reading, Luton and Croydon, which all recorded above average levels of fraud.

Northern Ireland continues to be a disproportionately high-risk region.

Elsewhere in the UK, provincial inner cities including Birmingham, Manchester, Leeds, Sheffield, Coventry, Leicester, Derby, as well as a triangle of Fenland towns around Peterborough, all showed an uptick in first-party fraud.

Third Party Fraud – where it occurs

The geographic spread of third-party fraud is broadly in line with first-party fraud, although there are far higher concentrations within the London boroughs, inside the M25’s commuter belt and with notable spikes along the Thames Estuary’s gateway towns. During the past few years there has been a gradual migration outside of Greater London, although more recently the numbers suggest a contraction back into London – particularly around East London.

The fraudsters’ pattern of behaviour by numbers

  1. The UK’s leading ecommerce businesses say their peak fraud period is from 9pm to 12 midnight. Nearly three out of 10 (28%) companies surveyed cited this period in which most fraudulent orders were put through their site
  2. With thousands of websites to defraud and thousands of institutions offering credit, it’s no great loss to fraudsters when they do get beaten by the embedded defences companies put in place. Fraudsters simply move onto the next site in the list. According to a survey of fraud managers at internet retail operations, seven out of 10 (70%) of retailers don’t report fraud to the police
  3. Fraudsters favour a mid-range attempt that doesn’t arouse suspicion or warrant great scrutiny. Fraud managers have indicated that nearly half (43%) of attempted fraudulent transactions were in the £250 to £500 range, while less than a third (29%) were in the £500-plus bracket
  4. Despite the obvious advantages offered by the online retail environment, many fraudsters still prefer to use a third-party to distribute stolen property, often favouring the convenience and ease of a speedy cash sale to a member within their broadly co-operative fraud networks
  5. Fraud managers have their own online forums to discuss and share information, tips and fraud alerts, working together to beat the fraudster, so it is unsurprising to find that fraudsters have their own forums as well. Numerous ‘carding sites’ exist on the web where any web-literate person can purchase sets of card numbers, names, addresses and other information before attempting their own Card-Not-Present scam.

Download the full copy of the Experian 2012 Fraud Report here, registration is required.

You may also want to read RSA’s April Online Fraud Report 2012


RSA’s April Online Fraud Report 2012

In their April Online Fraud Report, RSA reports on the activity of online fraudsters; a full summary is below.

As well as the usual interesting statistics on fraudulent activity, this report sheds light on the changes to the Citadel Trojan.

Citadel Trojan hooks system processes to isolate bots from AV and security services

The Citadel Trojan was first introduced for sale to cybercriminals in the Russian-speaking underground in February 2012. The Trojan, which was initially based on the Zeus Trojan’s exposed source code, is already at its second upgrade release, version, which was shared with its customer-base on March 15th.

One of the features included in the initial report, and communicated by Citadel’s developers in late February, is a capability they have apparently implemented: DNS redirection. Per the feature list, the developer claimed that unlike other Trojans, Citadel does not modify the “hosts” file on the infected PC (all too often used for local pharming), but instead allows the botmaster to block or redirect any URL they wish to prevent the bot from reaching.

To add value for their customers, the developers went the extra mile to add a list of AV software providers and security scans to the DNS redirection lists embedded into the configuration. On a change-log posting from the team, the developer specified that at least 104 different security-vendor URLs were added to this feature.

RSA researchers were able to confirm that the DNS-redirection method embedded into the Citadel configuration file was not a feature available in the original Zeus Trojan; it is new programming, courtesy of the Citadel team.

The Citadel Trojan’s configuration contained more than 650 different URLs of a large variety of AV-providers and security scanning services based out of different countries (USA, DE, RU and more). Each ‘forbidden’ URL was followed by a “=” mark and the IP mask address to which the botmaster wants the victim rerouted.

Another interesting feature analysed by RSA researchers appeared in a Citadel variant, raising questions about its redirection scheme for Citadel resources. At first sight the analysis result seemed somewhat peculiar, showing that Citadel was using legitimate URLs (Google, CNET) as its C&C drop point as well as its configuration update point.
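The summary above describes the redirection list as one "forbidden URL = IP" entry per line. The following parser is an added example, not RSA's code or anything from the Citadel configuration itself: it reads a constructed list in that shape and reports which of a defender's own watchlist of security-vendor hostnames (placeholder names, not real domains) a bot carrying the list would intercept, and whether the redirect target is a blackhole, a private address or a public one.

```python
"""Parse a constructed Citadel-style DNS redirection list ("url=ip" entries)
and report which watched hostnames would be intercepted and where they go.

Everything here is an added, constructed example: the sample config, the
hostnames and the watchlist are placeholders, not values from the report.
"""
import fnmatch
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample modelled on the "<forbidden URL>=<IP>" line format
# described in the RSA summary; hostnames are placeholders.
SAMPLE_CONFIG = """
; constructed sample, not a real Citadel configuration
av-vendor-one.example=127.0.0.1
*.security-scan.example=0.0.0.0
updates.av-vendor-two.example=10.0.0.5
news.example=93.184.216.34
malformed line without separator
"""

# A defender's watchlist of hostnames that security tooling must be able to
# reach (placeholders, assumed for this example).
WATCHLIST = [
    "av-vendor-one.example",
    "scan.security-scan.example",
    "updates.av-vendor-two.example",
    "www.av-vendor-three.example",
]


@dataclass
class Redirect:
    pattern: str  # hostname or wildcard pattern the bot would intercept
    target: str   # address the lookup is rerouted to


# One entry per line: a pattern (no comment markers, no '=') then '=' then a target.
ENTRY_RE = re.compile(r"^\s*([^;#=\s]+)\s*=\s*(\S+)\s*$")


def parse_redirects(text: str) -> List[Redirect]:
    """Return one Redirect per well-formed 'pattern=target' line.

    Comment lines (';' or '#') and lines without a separator are skipped
    rather than raising, since a recovered config is often partly garbled.
    """
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append(Redirect(match.group(1), match.group(2)))
    return entries


def classify_target(target: str) -> str:
    """Label where a redirect sends the lookup.

    'blackhole' for loopback/unspecified (the lookup simply fails),
    'private' for RFC 1918-style space, 'public' for anything routable,
    'invalid' when the target is not an IP address at all.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return "invalid"
    if ip.is_loopback or ip.is_unspecified:
        return "blackhole"
    if ip.is_private:
        return "private"
    return "public"


def blocked_vendors(text: str, watchlist: List[str]) -> Dict[str, str]:
    """Map each watched hostname the config intercepts to its target class.

    Patterns are matched with shell-style wildcards so '*.example' style
    entries cover every subdomain; unmatched hostnames are left out.
    """
    redirects = parse_redirects(text)
    hits = {}
    for host in watchlist:
        for entry in redirects:
            if fnmatch.fnmatch(host, entry.pattern):
                hits[host] = classify_target(entry.target)
                break  # first matching entry wins
    return hits


if __name__ == "__main__":
    for host, kind in blocked_vendors(SAMPLE_CONFIG, WATCHLIST).items():
        print(f"{host}: intercepted -> {kind}")
```

Run against a recovered list, the output tells an analyst which of their own update and scanning endpoints a compromised host would be unable to reach, which is the first thing to check before trusting that host's AV status.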

Phishing Attacks per Month

After a brief peak in phishing that came in the beginning of the year, the two months which followed have shown a slight decrease. February marked a 30% drop in worldwide phishing volume and March followed with another 9% drop with 19,141 unique phishing attacks identified by RSA in March. When compared year over year, March 2012 saw a 9% increase from the phishing volume in March 2011.

Number of Brands Attacked

The number of brands targeted through March increased 8% compared to February, standing at a total of 303 brands targeted by phishing attacks.

US Bank Types Attacked

There was a considerable increase in the phishing volume experienced by U.S. regional banks last month – increasing from just 7% in February to 30% in March. Meanwhile, attacks against U.S. nationwide banks decreased 24%. This isn’t surprising as phishers tend to alternate their cashout schemes by aiming at the small and regional institutions as well.

Top Countries by Attack Volume

The most prominent change in March in attack volume was the 23% increase for the UK and a 24% decrease for Canada. Overall, the countries that are consistently targeted most by phishing attacks include the U.S., UK, Brazil, Canada, the Netherlands and South Africa.

Top Countries by Attacked Brands

In March, about three out of ten attacks were targeted at brands in the U.S and one out of ten targeted at brands in the UK. This is not surprising as these two countries also continue to see the most volume of phishing attacks overall.

Top Hosting Countries

The U.S. hosted just slightly over half of the phishing attacks identified in March. 8% of attacks were hosted in Brazil, showing a 5% increase from February. Sixty other countries were responsible for hosting 17% of phishing volume in March.

Previous RSA Online Fraud Report Summaries:

  • The RSA March 2012 Online Fraud Report Summary is here.
  • The RSA February 2012 Online Fraud Report Summary is here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.


May is Scam Awareness Month

The Trading Standards Institute (TSI) has launched its Scam Awareness Month to stop the surge in criminals scamming people out of their savings.

From fake lottery wins in the post, to bogus Microsoft and anti-virus support calls on the phone, to Prince X trying to get his millions out of the country via email, to door-to-door conmen, they all appear to be on the increase.

The criminals, politely called “scammers”, are allegedly getting away with an estimated £73 billion* a year.

The TSI Scams Awareness Month has one big message ‘Turn them in and turn the tide’.

Working in partnership with Citizens Advice and Action Fraud, the national fraud and internet crime reporting and advice centre, trading standards teams across the country are encouraging anyone receiving scam mailings, or friends and family of anyone they believe is a victim of scam mailings, to contact them.

“The mailings received in this year’s ‘SCAMNESTY’ will be analysed and the information shared with partner enforcement agencies in the UK and abroad. This will help us crack down on the senders and their networks, and enable us to help victims of scams directly, giving them tools to deal with this problem,” said Louise Baxter, chair of the TSI Consumer Education Liaison Group, which is co-ordinating the campaign.

Peter Wilson, Director of Action Fraud, said: “An essential part of stopping fraudsters preying on vulnerable people is to make sure these incidents are reported to Action Fraud. Whether you’ve lost money or not, we want to know what’s happened. All information is good information when it comes to tracking down those responsible for the network of scams that continue to plague people, particularly the elderly, daily.”

Another important aim of May’s campaign is to help people to recognise the warning signs and then to seek advice or simply reject approaches.

People with elderly or vulnerable relatives are being urged to be extra-vigilant. An increase in mail, unusual payments or bank transactions, or more incoming telephone calls than normal to a parent, grandparent or other vulnerable adult could be a sign that scammers are at work.

Ron Gainsford, TSI Chief Executive, said: “Time and again we hear from trading standards of yet another of these distressing stories about vulnerable adults preyed upon by cruel, greedy people, and we fight to find ways to protect these victims. It is challenging because we cannot interfere with human rights and individual choices, but it is vital that we are all aware that such scams are taking place, and how, through the post and internet, they get into victims’ homes and lives.

“The May edition of our house magazine, TS Today, features just such a case where, thanks to a last minute trading standards intervention, an elderly victim wasn’t scammed out of his house – the very roof over his head. TSI supports the Think Jessica campaign run by Marilyn Baldwin, whose mother was scammed out of thousands.”

Citizens Advice Chief Executive Gillian Guy said: “There are a lot of rogues and chancers looking to make a quick buck by ripping off others. It’s only by working together that we will crack down on these con artists and stamp out scams for good.

“Anyone who thinks they have been a victim of a scam can get help from Citizens Advice, either by going to their local bureau or calling our consumer service phone line.”

The TSI offers the following tips:

  • Stop, think and be sceptical. If something sounds too good to be true it probably is.
  • Do not be rushed into sending off money to someone you do not know, however plausible they might sound and even where an approach is personalised.
  • Ask yourself how likely it is that you have been especially chosen for this offer – thousands of other people will probably have received the same offer.
  • Think about how much money you could lose from replying to a potential scam – it’s not a gamble worth taking.
  • If you are unsure of an offer, speak to family or friends and seek advice before sending any money or giving out any banking or credit card details.

Scams can be reported to:

  • Action Fraud on 0300 123 2040 or at
  • Citizens Advice consumer service on 08454 040506.
  • During May, any suspicious letters can also be handed in at libraries in many areas.

*Figure taken from the Annual Fraud Indicator 2012.
