Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

password

Two thirds of British workers willing to breach data protection rules

Despite the risk to their employer of criminal proceedings and heavy fines, two thirds (66%) of UK workers would not report a serious data protection breach if they thought it would get one of their  colleagues into trouble, according to recent research.

The study by telecoms and IT firm Daisy Group, which looked at data security risks, found that 13% UK workers had disabled the password protection features on work laptops, mobiles, or tablet devices because they found them annoying. Of those who did have password protection, 36% said they didn’t change their passwords regularly, and 17% admitted their password was very simple and would be easy to guess.

Data security breaches 

However, if asked by a third party to email a client or supplier’s personal details outside of the company,  56% said they wouldn’t and 19% said they would check with their boss before doing so. Although 7% said that they would send the details without querying the request, as they didn’t think anyone would mind.

When asked if data security was an important issue for the company they worked for, 19% said they had no idea.

Cloud specialist, Graham Harris, explained: When it comes to data security, all too often businesses focus purely on IT processes and forget about the staff that will be using them.

As our research identified, human error is one of, if not the most likely source for data security issues, and fear of reprisal is a powerful force. Businesses must be proactive and educate their staff about what data security processes and policies there are, why they exist, what the staff member’s responsibilities are and reassure them about what to do in the event of a problem

confidential

Estate agents and those working in the property industry were among the most likely to turn a blind eye to colleagues’ data security failings, with 71% saying they wouldn’t report a data security breach that would get a colleague into trouble. Those working in marketing were the most likely to raise the alarm.

Despite the potential risk of commercially-sensitive data theft, business management and professional services workers were the most likely to disable data security features on their mobile devices.

Mobile Device Management 

The research was conducted to assess the demand among UK businesses for ‘mobile device management’. The new cloud-based technology gives organisations more control over smartphones and tablet computers by letting them remotely track and wipe the content of any lost or stolen devices, thereby ensuring the information remains confidential.

According to one statistic, 180,000 computing and communication devices were lost or stolen in the UK last year, but it is likely that the true figure is much higher as not all thefts are reported to the police.

Graham Harris explained: “It is important to ‘common sense’ test any security system. Procedures that are complicated or disrupt the working environment often result in employees finding ways to circumnavigate them or taking matters in their own hands. Similarly, it is important to plan for human error and problems, such as theft or loss of devices that carry important data, so that when they do occur, they can be dealt with quickly and effectively.”

The EU is currently in the process of reforming laws on Data Protection which, among other things, will require organisations to report data protection breaches to the relevant authorities within 24 hours. It is anticipated that the penalties for failure to comply will increase to as much as €100m. The legislation changes are expected to be in force by the end of 2018.

Advertisements

Office agrees it must do more to protect customer data

The UK Information Commissioner Office (ICO) has warned shoe retailer Office after the personal data of over one million customers was hacking.

The hacker accessed customers’ details and website passwords via an unencrypted database.

Sally-Anne Poole, Group Manager at the Information Commissioner’s Office said:

The breach has highlighted two hugely important areas of data protection: the unnecessary storage of older personal data and the lack of security to protect data.

“All data is vulnerable even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used. The need and purpose for retaining personal data should also be assessed regularly, to ensure the information is not being kept for longer than required.”

“Fortunately, in this case there is no evidence to suggest that the information has been used any further and the company did not store any bank details.”

The data breach also highlights the risks associated with customers using the same password for all their online accounts.

Sally-Anne Poole added:

“This one incident could potentially have given the hacker access to numerous accounts that the clients held with other organisations, as passwords were included on the database in question. It’s important to use a unique, strong password for each separate account; preferably a combination of numbers and letters – not a name or dictionary word.”

Office has agreed to an “undertaking under the Data Protection Act 1998”, the details are here.

Lack of guidance on BYOD raises data protection concerns

The UK Information Commissioner’s Office (ICO) has commissioned a survey into business attitudes towards Bring Your Own Device (BYOD).

The survey results shown many employers appear to have a ‘laissez faire’ attitude to allowing staff to use their personal laptop, tablets or smartphone for at work and for work business, which may be placing people’s personal information at risk.

The survey, carried out by YouGov, reveals that 47% of all UK adults now use their personal smartphone, laptop or tablet computer for work purposes. But less than 3 in 10 who do so are provided with guidance on how their devices should be used in this capacity, raising worrying concerns that people may not understand how to look after the personal information accessed and stored on these devices.

Simon Rice, Group Manager (Technology), said:

The rise of smartphones and tablet devices means that many of the common daily tasks we would have previously carried out on the office computer can now be worked on remotely. While these changes offer significant benefits to organisations, employers must have adequate controls in place to make sure this information is kept secure.

“The cost of introducing these controls can range from being relatively modest to quite significant, depending on the type of processing being considered, and might even be greater than the initial savings expected. Certainly the sum will pale into insignificance when you consider the reputational damage caused by a serious data breach. This is why organisations must act now.

“Our guidance aims to help organisations develop their own policies by highlighting the issues they must consider. For example, does the organisation know where personal data is being stored at any one time? Do they have measures in place to keep the information accurate and up-to-date? Is there a failsafe system so that the device can be wiped remotely if lost or stolen?

Today’s guidance from the ICO explains how organisations need to be clear on the types of personal data that can be processed on personal devices and have remote locate and wipe facilities in place so the confidentiality of the data can be maintained in the event of a loss or theft.

Key recommendations from the ICO’s guidance:

  • Be clear with staff about which types of personal data may be processed on personal devices and which may not
  • Use a strong password to secure your devices
  • Enable encryption to store data on the device securely
  • Ensure that access to the device is locked or data automaticaly deleted if an incorrect password is input too many times
  • Use public cloud-based sharing and public backup services, which you have not fully assessed, with extreme caution, if at all
  • Register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft

The survey results below shows that email is the most common work activity carried out on a personal device (55%) which consider what information can be in the body of an email or attached leaves an organisations open to many commercial, legislative and regulatory risks for example PCI DSS compliance.

All UK Adults online who use a smartphone, laptop or a tablet PC for work purposes access usage
Work email

55%

Accessing work files

35%

Storage   of work documents and work files

36%

Social networking (e.g. LinkedIn, Twitter, Facebook) for work

26%

Editing work documents

37%

Uploading   work information to a website

19%

Work video chat (e.g. skype etc.)

7%

Work related applications (Apps)

16%

Work related online banking

14%

Work related shopping

12%

Work related web browsing

35%

Other

22%

None of these

.

The Top 25 “worst” passwords

SplashData have published their 2012 password survey results.  

They analysed of millions of stolen login credentials posted by hackers discovered that for the third year in a row, “password” was the most commonly used password, with “123456” and “12345678” sin second and third place.
 
The top 25 most common passwords for 2012 are:-

Rank Password Change in rank since last year
1 password Unchanged
2 123456 Unchanged
3 12345678 Unchanged
4 abc123 Up 1
5 qwerty Down 1
6 monkey Unchanged
7 letmein Up 1
8 dragon Up 2
9 111111 Up 3
10 baseball Up 1
11 iloveyou Up 2
12 trustno1 Down 3
13 1234567 Down 6
14 sunshine Up 1
15 master Down 1
16 123123 Up 4
17 welcome New
18 shadow Up 1
19 ashley Down 3
20 football Up 5
21 jesus New
22 michael Up 2
23 ninja New
24 mustang New
25 password1 New

.

Serious Disconnect Between Businesses and Mobile Users

Image representing McAfee as depicted in Crunc...
Image via CrunchBase

McAfee have released their report “Mobility and Security: Dazzling Opportunities, Profound Challenges”.

“Devices are no longer just consumer devices or business devices. They are both,” said Richard Power, a CyLab Distinguished Fellow at Carnegie Mellon University, the primary author of the report. “Devices are more than extensions of the computing structure, they are extensions of the user. The way users interact with their personal data mirrors the way they want to interact with corporate data.”

Key Report Findings:

  • Reliance on mobile devices is already significant and accelerating rapidly; the emerging mobile environment is both diverse and freewheeling
  • IT is becoming increasingly consumerized as evidenced by the fact that 63 percent of devices on the network are also used for personal activities.
  • Lost and stolen mobile devices are seen as the greatest security concern for IT professionals and end-users – Four in 10 organizations have had mobile devices lost or stolen and half of lost/stolen devices contain business critical data. More than a third of mobile device losses have had a financial impact on the organization and two-thirds of companies that had mobile devices lost/stolen have increased their device security after this loss.
  • Risky behaviors and weak security postures are commonplace – Although the need for mitigating mobile security risks and threats is acknowledged, fewer than half of device users back up their mobile data more frequently than on a weekly basis. Around half of device users keep passwords, pin codes or credit card details on their mobile devices. One in three users keeps sensitive work-related information on their mobile devices.
  • There is a serious disconnect between the policy and reality – 95 percent of organizations have policies in place in regard to mobile devices
  • Mobile devices are being used by much of the workforce, over extended periods of time, for a significant percentage of tasks previously conducted on desktops.
  • On average, employees use mobile devices for work purposes between 2 and 4.5 hours a day. On average, use of laptops was 4.5 hours per day.

Mobile devices are used in a wide range of job functions

  • Business executives using them most – 56%
  • Sales and others in the mobile workforce – 47%

Mobile phone usage

  • Email – 93%
  • Contacts – 77%
  • Web access – 75%
  • Calendaring – 72%

Four different types of mobile devices are used by at least one-third of employees both for professional and personal use,

  • Laptops – 72%
  • Smartphones – 48%
  • Removable media, including USBs – 46%
  • External hard drive – 33%

Almost Half of Users Keep Sensitive Data on Mobile Devices

  Passwords/Pin Codes Credit Card details
Professional & personal information & data 23% 19%
Only professional information & data 11% 7%
Only personal information & data 17% 15%
I do not use, store or send this information or data using mobile devices 49% 58%

Recommendations for Businesses

  • Mobility is ushering a new computing paradigm into the workplace. With devices eclipsing PCs and virtually every business application being device-ready, mobile computing offers an opportunity to make workers more productive, competitive, and happy. Mobility done right is a major competitive advantage in the workplace.
  • Consumerization of IT is here to stay. Many smart companies are allowing, encouraging, and, in some cases, providing a stipend for,  employee owned technology to work. Businesses need to find ways to enable, secure, and manage employee-owned technology in an optimal way to drive cost savings.
  • Users are changing the way they think about policies. Because employee-owned devices are artifacts of the more entrepreneurial employee-employer relationship, organizations need to apply policies in a nuanced, risk-based way that depends on the industry, the role, and the situational context.
  • Data loss and leakage are of utmost concern to individuals and enterprises, and there is no silver bullet. Classify data, even at a high level, and apply data leakage processes and mechanisms in order to protect corporate data while respecting users’ privacy.
  • User awareness about mobile threats is still nascent. Apply security and management paradigms from laptops and desktops to mobile devices. Educate users about the risks and threats through employee agreements and training. “Businesses must find ways to protect corporate data, and call it back when an employee leaves, while ensuring the privacy of the employee,” says David Goldschlag, vice president of Mobility for McAfee. “Employees are no longer lifelong members of the organization, but rather consumers, who often change jobs every few years. When they do, they come with a kit of stuff, but once they leave, they need to give you back the data that belongs to the company. Businesses need a way to facilitate that process while respecting the ‘kit’ that the employee brings to the company.”

Recommendations for Mobile Users

  • You are part of a computing sea of change. With devices eclipsing PCs, and virtually every app device-ready, mobile computing offers you an opportunity to be entertained, informed and connected wherever you are. Use this to your advantage to be more productive on the go.
  • Driven by users’ desire for device choice and employers’ need for cost savings, individuals are increasingly bringing their own devices to work. Take advantage of your employers’ program and use your technology to be more nimble in your work.
  • Familiarize yourself with your employer’s mobile device policy and the intent behind it, and decide whether it fits your needs. If so, accept the policy and move on; if not, use two devices, one for personal use and one for work.
  • Take steps to secure your device. Install anti-theft technology, and back up your data. Configure your device to auto-lock after a period of time. Don’t store data you can’t afford to lose or have others access on an insecure device.
  • Be aware of mobile device threats. In many ways, they are the same as in the online world. You can be hacked, infected, or phished on a mobile device just as easily (and often more easily) as you can online.

The McAfee White Paper can be found here http://www.mcafee.com/us/about/news/2011/q2/20110523-01.aspx

.

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: