Public Access vs. Private Records Protection

June 30th, 2008 by Agent Smith (0) DLP, Data Loss, Data Theft, Identity Theft, In The Spotlight, Laws & Standards, endpoint security, online fraud, security breach

The European Data Protections Supervisor Peter Hustinx stated he was unhappy with the proposed law aimed at improving public access to EU documents. The European Commission proposed the law as a means to improve European government transparency.

Yet according to Computing.co.uk, Hustinx is concerned the security measures to protect personal data from public documents are inefficient. His concern was trigger when a reference to possible harm to “the privacy and the integrity” of the individual was deleted from the initial proposal.

“Public access on the one hand and privacy and data protection on the other are fundamental rights which represent key elements of good governance,” said Hustinx.

We’ll just have to wait and see what the will happen, and if the right to right to public access will win the battle, we could recommend some DLP solutions :).

UK SMEs Warned To Improve Security

June 30th, 2008 by Agent Smith (0) DLP, Data Leakage, Data Loss, Data Theft, IT security, endpoint security, online fraud, security breach

The Economic and Social Research Council (ESRC) warned that small and medium sized enterprises (SMEs) are most likely to fail at effectively securing their data, which could subsequently lead to compromising a large portion of the UK economy.

Based on figures provided by the Department for Business, Enterprise and Regulatory Reform and quoted by Computing.co.uk, SMEs make up 51.9 per cent of annual turnover in the UK and over 99.3 per cent of businesses of existing businesses.

Meanwhile reported fraud cost UK businesses over £705m in the last six months, 74 per cent up on the same period last year and hitting £317m in April 2008 alone, says research from accountant BDO Stoy Hayward.

Banks and insurance firms saw suffered costs of more than £636m, or 90 per cent of the total cost of fraud in the first half of 2008 and management fraud accounts for 46 per cent of fraud cases, third party fraud accounts for 32 per cent, costing businesses a total of £541m.

Stockbrokers Get Fine for Poor Security

June 30th, 2008 by Agent Smith (0) DLP, Data Encryption, IT security, Identity Theft, Laws & Standards, endpoint security, online fraud, security breach

The Financial Services Authority (FSA) has recently fined a firm of stockbrokers for failing to adequately protect their customers from the risk of identity fraud. FSA, quoted by the Register, said the company’s poor security included failing to manage, among others, the risks posed by staff using instant messaging and web-based email.

London-based Merchant Securities Group Limited also failed to verify the identities of customers contacting the firm by telephone. They instead relied on being able to recognize customers’ voices and informally asking them about personal matters such as holidays or hobbies. The firm also had the habit of including private account numbers in routine letters which could then lead to fraud or identity theft.

The FSA also found that back-up tapes containing unencrypted customer information were stored overnight in a bag at the home of a member of staff.

The London-based firm also failed to implement adequate controls “to mitigate the risk of customers’ personal data being transmitted outside the firm by failing to prevent the use of instant messaging and web-based email,” according to the penalty notice (pdf) served by the FSA.

HMRC Breach Caused By Poor Security

June 29th, 2008 by Agent Smith (0) DLP, Data Leakage, Data Loss, IT security, Identity Theft, In The Spotlight, Research and Studies, endpoint security, online fraud

A formal inquiry on the now notorious security breach reported last October at HM Revenue & Customs (HMRC) has recently been published. The breach exposed 25 million personal records and has been proved to be caused by “major institutional deficiencies”, reports SearchSecurity UK.

The inquiry extensively details the operation procedures implemented at HMRC before the data breach. It also describes the circumstanced that have led to the loss of two CDs holidng personal and financial information on Child Benefit recipients.

The inquiry, led by Kieran Poynter of management consultants Pricewaterhousecoopers (PwC), concluded that “information security simply wasn’t a management priority as it should have been, and HMRC had an organizational design which was unnecessarily complex and crucially, did not clearly focus on management accountability.”

The report of the investigation provides a detailed blow-by-blow account of events leading up to the data loss, with extracts of emails showing who said what to whom. However, since the blame for the breach is attributed to cultural and organizational weaknesses, the staff members involved are given anonymity, and referred to only as employee A, B, C and so on.

Researchers Call for Measurable Security Objectives

June 29th, 2008 by Agent Smith (0) IT security, In The Spotlight, Research and Studies, endpoint security

The next big step in security policies should be heavily focusing on ways to quantify completed and ongoing security objectives, says Pete Lindstrom, senior analyst at the Midvale, Utah-based research firm. The purpose of this move would be to both justify spendings and highlight the value yielded by ongoing projects.

This message was presented during the Burton Group Catalyst Conference ‘08 and as SearchSecurity.com noted, Lindstrom is sketching a new model to help security experts measure and articulate security program successes and failures to senior management.

“We need to get objective and quantitative in our environments in order to better manage our programs,” Lindstrom said. “We have to collect ourselves together as a profession and define what it means to meet our security objectives.”