Information Security and Common Sense
Richard Henson, University of Worcester, November 2008

Yes, good Information Security IS common sense…
• as is safely driving a motor car…

“Where did it all go Wrong?”
• “End User” computing
• Rapid advances in technology
• Confusion about legislation
• Lack of policy, or inconsistent implementation of policy
• Data handling training issues

Safe Storage of Organisational Information
• Before digital data…
• Paper in a locked, fireproof cabinet, in a locked room…

Use of Digital Data within Organisations in the Early Days
• BIG computers
 – centralised resources and storage
 – terminal-only access to data
 – printing only via a centralised resource
• Data processing areas private…

The Rise of End User Computing
• 1980s…
• The PC offered the possibility of organisational data in the hands of “non-professionals”…
 – network administrators and some academics predicted that there would be big problems…
 – few people listened… THEY SHOULD HAVE!

Have we been down this road before?
• Days of “mainframe” or “centralised” computing… comparable to mass transport systems (e.g. stage coach, railways, bus)
 – “professional” drivers
 – people driven about

Example of Technological Change causing rapid Cultural Change; systems inadequate
• Also true of the coming of the motor car…

Result of “the motor car” cultural change…
• Transport became personalised
 – those handling motor vehicles were often a menace to other road users
 – many accidents, injuries, lives lost

Systems catch up with cultural change…
• Professional bodies ineffective
• ALL DRIVERS only controlled through the use of legislation
 – on cars… minimum standards
 – and on drivers… had to be 17 to drive…

Then more cultural change…
• And then more legislation
 – Driving test
 – National speed limit
 – Safer cars
Are roads safe today?
• Despite increases in traffic, UK road deaths have been falling consistently for many years
 – safer cars?
 – better driving?
 – tougher penalties?
• So a cultural problem CAN be brought under control…

The Challenges of “End User Computing”
• In the early 1990s, the immediate workplace computer-related threats to SMEs were…
 – RSI
 – eye strain
 – EU Health & Safety legislation (1992)
 – floppy disks…
  » because viruses could stop computers functioning!
The Hidden Threat
• Lots of changes came with the PC…
• but the threat to personal data from removable media was NOT fully acknowledged
 – floppy disks could only hold small amounts of data…
 – Data Protection Act, 1984: breaches were only a civil offence
  » end-user computing for business use was not anticipated…

Digital Data and the Law
• Data Protection Act updated in 1998
 – did not address the problems associated with putting the end user in control
  » digital data can be easily carried around
 – two big technological advances:
  » writeable CDs…
   • meant removable media could now carry huge amounts of personal data
  » the Internet…
   • allowed organisational networks to link to the world…
   • and unlimited amounts of data to be potentially taken off organisational machines…
Too much focus on the Internet?
• Internet (mis)use caused data losses
 – and damaged reputations…
• In the face of media horror stories…
 – organisations steered clear of the Internet for sending data
 – saw writing to CD as the safe way to go
 – didn’t acknowledge that data copied to a CD tends to stay there…
The USB stick
• Employees had been happily copying data to writeable CD… even writeable DVD…
 – there MUST have been data losses!
 – So what? Not a Health & Safety issue! Data Protection Act maximum penalties were not enough of a deterrent even to focus minds on reading it…
• USB stick encouraged
 – people had problems using writeable CDs
 – even more convenient
 – stored even more data
 – less bulky to carry around (!!!)
• It was a disaster waiting to happen
 – perhaps the only surprise was that it took so long…

The New Law
• Finally (2008) legislation is being updated to acknowledge the problem
 – new term of “Data Recklessness” embedded into Data Protection legislation
  » serious penalties!!!
 – Information Commissioner’s Office (ICO) has increased powers…
  » FURTHER changes expected during the Parliamentary Session
Information Commissioner Richard Thomas

So… why such a long wait?
• Again… back to the motor car
• Original Highways Act?
 – law in 1835
 – only substantially updated in… 1959
 – Why then? Because by then motoring had become
  » a matter of public concern
• Equally, Data Protection is now
 – A MATTER OF PUBLIC CONCERN
 – latest surveys: by 2007 the public were as concerned about privacy as about terrorism!

What are the consequences for Organisations?
• Need to get serious about data protection, or risk the wrath of the Information Commissioner’s Office
• One recent sufferer was… Richard Branson, Virgin Media (3,383 customer records went missing)
• Would you want to be next???
What to do?
• Apply common sense?
• Now (from 2007) an International Standard for organisations to follow:
 – the ISO standard
 – based on British Standard BS7799
  » UK leading the world in design…
  » but not implementation!
 – any organisation achieving this quality standard gains in two crucial ways:
  » unlikely to lose data through “recklessness”
  » can use the ISO “kitemark” to show potential customers that their personal data is being properly looked after

Is getting ISO cost-effective?
• BIG question, even before…
 » the “credit crunch” arrived
 » data recklessness became law
• Cost overhead of ISO is quantifiable
 – intensive, highly focussed courses
 – paperwork deliberately customisable to meet the needs of large and small organisations
• If data is lost, what of the cost overhead of:
 – bad press?
 – disgruntled customers?
 – hefty fines?

Is Good Information Security Common Sense?
• YES…
 – just as driving safely is common sense
• BUT…
 – even good drivers can fall asleep at the wheel
• What would the roads be like today if:
 – the 1835 Highways Act were still in force unchanged?
 – no-one had to pass a driving test?
• QUESTIONS???