A blog about information security, payments, risk, fraud, digital innovation and social media.
18 November 2012
DON'T ACCEPT SWEETIES FROM STRANGERS...
[Updated 17th March 2013] Hello everyone! It’s been a long time since I wrote on this blog and I have to say, there have been so many interesting things happening that I haven’t really been able to make my mind up on what to talk about... What spurred me into action was a combination of various industry discussions and security conferences, the fact that lots of us are busily preparing for the festive season (or wishing they were!) and that all the children in my life are SO technically savvy...
6 August 2012
INFOGRAPHIC: THE SOCIAL MEDIA SIDE OF INCIDENT RESPONSE...
(For the corresponding February 2014 post associated with this infographic, see here.)
It seems that my previous post on the social media side of incident response attracted some attention and I thank everyone for their feedback. This prompted me to explore the brave new world of infographics... So here we go, my first foray into what is for me uncharted territory. I've used Piktochart and I found it an excellent tool, which means that anything you find lacking is of course entirely my fault rather than the tool's. Your feedback, as ever, will be greatly appreciated!
24 July 2012
THE UNBEARABLE RISKINESS OF BEING... SOCIAL
[Updated 4th August 2012]
The inevitability of social media in both our private and professional lives is undeniable. With social networks transforming the rules of business engagement, many businesses think the biggest risk of social media is the brand and reputational damage that could result from negative interactions or the potential disclosure of proprietary or sensitive information...
15 July 2012
FAILING GRACEFULLY...
Sometimes, despite our best endeavours, things just don't work out the way we planned...
You know the feeling: you think you have it all under control, you think you've engaged with the right people, you have buy-in from those who matter, the right culture is in place, you're not struggling for investment and bang! You get hacked. An overwhelming sense of failure ensues. Where did it all go wrong?...
20 May 2012
THE SOCIAL MEDIA SIDE OF INCIDENT RESPONSE...
[For the February 2014 version of this post, see here]
Not impressed with LinkedIn's social media crisis response after more than 6M user passwords got leaked recently, or nonplussed with Dropbox's handling of their own crisis? Read on... In one of my February posts, I wrote about incident response and the importance of addressing the media in a timely manner. Whilst the NIST report SP 800-61 gives really good guidelines on the positive aspects of fully and effectively communicating important information to the public, I feel there is some mileage to be had by exploring the use of social media when tackling incident response. After all, we've all seen how quickly news can spread on Twitter, here or here... So, should you be breached, you would no doubt have a crisis communication process already in place, but does it include social media?...
9 May 2012
CLOSE ENCOUNTERS OF THE THIRD (PARTY) KIND...
Phew... The last month was absolutely hectic, with all those conferences falling within the same short period of time! With all that, I was privileged enough to have been asked to speak at both Internet World and Infosecurity Europe. Two very different experiences... Whilst it is expected to be talking about security at an infosec conference, it is always welcome to be asked to present about security matters at an event with a different focus - in this instance, everything digital... (see my previous post on the subject). It was nevertheless surprising, walking the show floor at Internet World, talking to vendors and poring over the agendas in the various theatres, how little security featured. With everything about the show related to "cyber", not many had made the obvious leap to "cybercrime"... So, on the way to our Devil's Tower, our quest is still to find our Curwen hand signs to communicate with the third (party) kind...
22 April 2012
WHO ARE YOU PREACHING TO ANYWAY?...
I was recently privileged enough to be asked to present at a merchant forum in London. Interestingly, the intended recipients had been very much in the driving seat, since they had selected the topics themselves. After my previous posts (Part 1 and Part 2) on connecting the dots between information security, risk and fraud, you can imagine my pleasure that I, alongside my fellow speakers, was asked to do just that... A delightfully interactive audience, some very interesting chats at the breaks and the recent buzz about the value of security conferences prompted me to share some thoughts on how to actively engage with your stakeholders and get the results you need...
9 April 2012
5 STEPS TO A SUCCESSFUL SOCIAL ATTACK - What's Your Threshold?...
In a previous post, I highlighted that mass marketing fraud against individuals cost the UK economy £3.5 billion in 2011; that is ten times more than the cost of plastic card fraud in the same year, or equivalent to the total fraud losses incurred by the financial services sector in the same period! Sobering perspective, don't you think? We all know that mass marketing fraud is where criminals aim to defraud multiple individuals to maximise revenue by persuading victims to transfer monies in advance in exchange for promised goods, services or benefits. And we all know that this is usually done via mass-communications media (such as telephone calls, letters, emails and text messages) and ranges from foreign lottery/sweepstake frauds through to Ponzi schemes and romance frauds or any other abuse of trust... So, we all know better, don't we?...
1 April 2012
FROM FRAUD TO INFOSEC and vice versa... Part 2
In my previous post, I summarised the UK National Fraud Authority's latest Annual Fraud Indicator and how it relates to information security. In this post, I delve further into this connection by refining the key fraud enablers used to defraud victims of all types. These cut across the fraud landscape and often overlap, which poses further challenges for quantifying their impact, but the classification is nonetheless helpful and recognisable.
FROM FRAUD TO INFOSEC and vice versa... Part 1
In my last post, I attempted to give some real business metrics to help secure information security investment. One of those sets of metrics related to our ability to link infosec to fraud, and in this post I’d like to examine the connection a bit further. Lucky for me, the UK National Fraud Authority have just released their 2012 Annual Fraud Indicator (readers beware, it’s 58 pages...), so with my infosec lens, I’ll take you through the report and hopefully give you some more KPIs to think about...
26 March 2012
VERIZON DBIR 2012 - some context...
The Verizon DBIR 2012 was released last week and I am sure you have seen a lot of blog posts, articles and tweets on the subject... So let me try and put a different perspective on it: many of you will have heard me say that the DBIR is the “gift that keeps on giving”, and yes, it is! But as with every report, statistics and opinions always have to be put into the right context... The conclusions are not surprising, but there are quite a few little nuggets in the report that are worth examining...
To start with, I am glad to see that the analysis now offers some separate insights in relation to SMEs and larger organisations, as some of the issues can be different depending on size. The case load is also bigger this year (855 incidents compared to 761 in 2010) and known compromised records studied were also greater (3.8 million in 2010 compared to 174 million in 2011 - mostly due to the return of the “mega breaches” in 2011 after a relatively quiet 2010).
Labels: Cloud, cybercrime, Data Breach, DBIR, infosec, PCI DSS, security, Verizon
18 March 2012
THE INFOSEC INVESTMENT EQUATION: CAN YOU SOLVE IT?...
I can’t believe my last post was on 4th March! I am positively thrilled that my most popular entry so far is the one about incident response... This means that we must be coming to terms with the fact that data breaches are a statistical certainty and how we handle them is what matters. Good news: this means we’ve got the attention we need. Now we need to convert this attention into the investment it requires. External statistics may give you the hook but, as abundant as they are, they do not make it relevant to your business when trying to secure the infosec investment you require...
4 March 2012
MANAGE RISK BEFORE IT DAMAGES YOU: PART TWO...
In the previous post, I spoke about the importance of having an asset register and how crucial asset classification is. After all, not many of us have unlimited resources, therefore focusing investment where it matters most is the way to go. Whilst I was thinking about this, the link between changing the CISO's traditional attitude and the necessity for risk management became even more apparent, and I would like to expand on the trinity of “Asset, Technical Services and Business Need”...
26 February 2012
MANAGE RISK BEFORE IT DAMAGES YOU: PART ONE...
Neira Jones on Google+
After my part 1 and part 2 posts on incident response and the last post on cloud computing security, a number of you requested I talk about risk assessments. Since it’s currently my favourite topic, I am more than happy to oblige... First, a few facts:
- Epsilon was breached in the first quarter of 2011. At the time, they built and hosted customer databases for 2,500 well-known brands and sent more than 40 billion emails a year on their behalf.
- Not long after, the Sony breach ended up compromising personally identifiable information for more than 100 million of its customers.
Obviously, for both organisations, customer information is a key asset...
21 February 2012
UNDERSTANDING CLOUD SECURITY: PART TWO...
I thank you for your attention on the previous post where we had a look at security considerations for the three main cloud service models commonly referred to as SPI (SaaS, PaaS, IaaS). As promised, here’s part two looking at other cloud implementation considerations, namely:
- Cloud deployment model: public vs. private vs community vs hybrid deployments,
- Cloud location: internal vs. external hosting or combined,
19 February 2012
UNDERSTANDING CLOUD SECURITY: FINDING THE BOUNDARIES...
It seems that my previous post on compliance and third parties struck a chord with a few of you... So I guess it’s about time I dedicated some time to “The Cloud” specifically! Over the past couple of years, we have seen a lot of hype and confusion as to what The Cloud really means and what it can do for you. I think we have now reached the stage where there is perhaps a bit of disappointment that The Cloud, due to inflated expectations, is perhaps not a miracle...
12 February 2012
COMPLIANCE IN THE DIGITAL ERA: WATCH OUT FOR THE 3rd PARTY...
By 2015, there will be more than 15 billion interconnected devices on the planet, twice the world population. In that period, the total amount of global Internet traffic will quadruple. (Cisco® Visual Networking Index (VNI) Forecast (2010-2015), June 2011)
It is estimated that every year in the UK, identity fraud costs more than £2.7 billion and affects over 1.8 million people (National Fraud Authority, October 2010).
Every year, we share more of ourselves online...
8 February 2012
THE TRUTH BEHIND DATA BREACHES...
I was pleased to see the release of the Trustwave 2012 Global Security Report, as I always find it a very good source of information! This year’s report analyses 300 data breach investigations across 18 countries and, unsurprisingly, 89% of the breaches involved the theft of customer records, including payment card data and other personally identifiable information such as email addresses.
6 February 2012
INCIDENT RESPONSE & RISK MANAGEMENT GO HAND IN HAND...
I was delighted with the level of interest generated by my last post on incident response, so I thought I’d continue on the same theme... My thanks go yet again to the NIST report previously mentioned, as I will explore some aspects of risk management and prioritisation that apply to incident response...
3 February 2012
INCIDENT RESPONSE – HAVE YOU GOT A PLAN?
So, the National Institute of Standards and Technology (NIST) announced a couple of days ago the release for comments of draft Special Publication (SP) 800-61 Revision 2, Computer Security Incident Handling Guide. How very timely that was! With 2011 dubbed the year of the data breach, and the fact that it takes 3 to 8 months on average for an organisation to discover they have been breached, what better New Year’s resolution than to have an effective Incident Response Plan?...
1 February 2012
EU DATA PROTECTION LAWS – WHAT DOES IT ALL MEAN?...
After yesterday’s post on data protection, I thought it would be logical to follow with some info on the EU proposal for new data protection laws...
Seventeen years ago, the EU’s 1995 Data Protection Directive set a milestone in the history of personal data protection, and whilst its principles are still valid, the differences in the way that each EU country implements the law have led to an uneven level of protection for personal data. In addition, the rules were introduced when the Internet was still in its infancy, and the digital age has brought with it increasing and sometimes unexpected challenges for data protection. With social networking sites, cloud computing, location-based services and smart cards, we leave digital traces with every move we make. Evidently, we now need a new set of rules that is future-proof and fit for the digital age.
31 January 2012
DATA PROTECTION AND ALL THAT – WHAT DO YOU THINK?...
Well, January is nearly over and it’s time to look at all the research that’s been produced over the past year to try and draw meaningful and usable statistics...
I do this very selfishly before starting in anger on the conference circuit, as I like to have up-to-date figures and stats in my presentations (and let’s face it, we all love numbers! ;-)
Today, I focus on the research produced by the UK Information Commissioner's Office (ICO) in the two following reports: Report on Information Commissioner's Office Annual Track 2011 - Individuals and Report on Information Commissioner's Office Annual Track 2011 - Organisations.
30 January 2012
UK CARDS ASSOCIATION 2012 REPORT - WHAT YOU NEED TO KNOW...
The UK Cards Association has just published its always eagerly awaited and oft-quoted annual report for 2012 (http://www.buzzwordcreative.co.uk/UK-Cards-Annual-Report-2012/html/index.html#/1/) and I am pleased to see that the fraud trend is still on the decline, despite the staggering numbers:
- At the end of 2010 there were 84.6 million debit cards; 55.6 million credit cards, 6.6 million charge cards and up to an estimated 3.0 million prepaid cards in issue in the UK.
- Payment cards have become an integral and indispensable part of the UK economy accounting for over 8 billion purchases worth £428 billion in 2010, and accepted at almost 1 million retail outlets in the UK alone.
- During 2010, 37 million adults shopped over the internet with plastic cards accounting for over 80% of spending, 717 million card payments and £54 billion worth of goods and services.
29 January 2012
THE RISE OF THE NEW CISO: RISK MANAGEMENT vs COMPLIANCE
For those who didn't attend PCI London on 25th January 2012, I reproduce here the article I wrote for their magazine, I hope you find it of some use... :)
THE RISE OF THE NEW CISO: RISK MANAGEMENT VS COMPLIANCE
Last year at PCI London 2011, my article for this magazine was about the need to move from Compliance to Risk Management, and I hosted a panel of industry experts from Visa Europe, MasterCard, the PCI SSC and IRM plc, as well as representatives from John Lewis plc and the Home Retail Group. It was undeniable that retailers, and merchants in general, have felt the need for some while to invest where business value can be derived. The concept of risk management, when it comes to looking at Payment Security, undeniably struck a chord!