Enterprise Digital Rights Management
UK Government Bodies Are More Vulnerable To Data Breaches

UK government bodies are more vulnerable to data breaches now than ever before. Last week saw the London borough of Ealing and Hounslow council fined £80,000 and £70,000 respectively by the Information Commissioner’s Office (“ICO”) following the loss of two laptops containing sensitive personal information.

I have been consulting with one of these councils for over a year now to consider the deployment of Enterprise Rights Management across the entire organisation but this has not yielded a positive result. The last time I spoke to one of the managers responsible for data security I was told that the council was deep in the middle of their ICT strategy and would not be in a position to review anything outside of that until at least late 2012.

With many jobs on the line in local government, there is a great risk that staff could leave with confidential information with the aim of starting their own businesses or selling the information to third parties. However, it is a shame to say that out of 36 local government authorities I have made contact with, not one seems to have a solid strategy to prevent this from happening.

Even those who eventually keep their jobs will be less motivated to put data protection at the top of their agenda, and as such leave the council vulnerable to all kinds of data breaches. This picture is reflective of all government establishments up and down the country, and where there is the potential for financial gain, the organisation becomes all the more vulnerable.

The very low uptake of tools like enterprise rights management and data loss prevention is a true reflection of where the government stands at both the national and local levels. It is unlikely that anyone would lose their job when a data breach happens, and as such, unless the ICO enforces the adoption of data security tools, it will be hard to stem the data breaches.

Corporate and Industrial Espionage To Rise In 2011

Yesterday the car manufacturer Renault filed a criminal complaint on an industrial espionage case in which it asserts that a foreign company sought to obtain secrets related to its electric car program.

The case involved 3 executives who have since been suspended. In an age where technology is advancing at a pace never seen in our lifetime, organizations will continue to jostle for dominance. In that jostling for dominance, just as the 3 executives have been suspended on suspicion of selling corporate intellectual property to a rival car manufacturer, there are similar executives who will lay aside corporate ethics to pay for stolen confidential information.

You would think that becoming an executive means that you have earned the trust of your employer, are considered to be a person of integrity and are on the path to an accomplished career. Therefore, considering the risk of being found out and ending a career due to industrial espionage, such an offer is completely out of the question. If you are that promising executive, will you blow the whistle on such an offer? What happens if you are offered, say, $750K or anything north of $1m for such information; will you say “NO”?


The Future of Enterprise Rights Management: Standards or Interoperability

Sachar Paulus of Kuppinger Cole and I rarely agree on the future of Enterprise Rights Management. First of all, he still continues to refer to ERM as Digital Rights Management despite the fact that many closely associated with ERM have explained the difference to him. Secondly, he continues to refer to Apple when talking about ERM; unfortunately, as great a company as Apple is, it does not have its own ERM solution.

In his latest post, titled “Without standards for DRM and IRM Cloud Security will remain a daydream”, Sachar said there is a need for standards on Enterprise Rights Management. Again I commented on the post, disagreeing with his view: creating a standard for ERM is the last thing that is needed for this security tool.

I come from an interoperability viewpoint and I strongly back the need for interoperability because it will enable ERM clients to switch from one vendor to another as and when they choose to, and I’ll soon expect them to demand this feature.

As far as ERM is concerned I could say that we are still at the primitive level of interoperability which enables the administrator of the document to run a utility that will remove the security on a document or set of documents. This can then be secured using another ERM solution. At this stage not all ERM vendors provide this solution.

Now, creating a standard for Enterprise Rights Management is a different ball game altogether. Creating a standard means exposing the architecture of the ERM application, and this makes it a target for security breaches. All you need is someone to create an algorithm to crack ERM and all solutions out there become vulnerable.

Finally, I may be ranting on about nothing and someone out there disagrees with me. I’d like to hear your viewpoint: Standards or Interoperability?

Swiss Bank UBS employee leaked info on GM’s IPO

Swiss bank UBS lost out on a major revenue stream when it was discovered that an employee leaked details about the impending GM IPO. This leak meant that GM is required by law to disclose the e-mail in a filing with the U.S. Securities and Exchange Commission.

Up till November 3, UBS was listed as a proposed underwriter in GM’s IPO; however, it was dropped without reason. The person who leaked the email, the details of the email’s content and how widely the email was distributed are unknown, but GM said the e-mail went to various institutional investors.

GM has claimed the e-mail does not reflect its views, while GM’s disclosure limits the company’s liability. It’s also unlikely that UBS or the employee would face any repercussions from the SEC but that revenue dent is already made.

It is known that up to 80% of all data breaches do not become public knowledge, and here is a typical case. If it wasn’t for the disclosure in the IPO filing, the public would be none the wiser. There must be at least 10 major data breaches happening every day that are impacting revenue, jobs and investor confidence. Data leaks through emails are a big challenge to information security, but progress seems to be very slow in this area.

Enterprise rights management has solutions that prevent employees from sending emails to the wrong recipients; combined with data leak prevention or context-sensitive DRM, this can prevent scenarios like the one that happened to UBS. It is estimated that UBS lost £6.2m in revenue as a result of being dropped by GM.

Solution: How To Avoid The ACS:Law Data Breach

After last week’s high-profile data breach at ACS:Law, BT wants to halt legal applications to obtain customer details of people alleged to have taken part in illegal online file sharing. The telecoms company called for the moratorium and it is likely that other telecoms companies will follow the same route.

This really should not be a big issue since the solution to solve this problem has been around for a while. It is called Enterprise Rights Management and works on the principle of persistent security which means the data cannot be used beyond what has been specified by the data owner, whether the data is in use, at rest or in motion.


Thoughts on the Recent Data Theft at Foxtons

Last week I was reading the Evening Standard while on the train on my way home and my attention was drawn to the story on the recent data theft at Foxtons, the upmarket estate agent chain based around West London. What happened at this company is a classic case of a business not using technology to enforce protection on its intellectual property.

The preference for policy, procedure and discipline to enforce compliance, without using technology to guarantee information security, is futile and is clearly not working. If I were a client of Foxtons and knew that my data could be used by any employee for something other than its intended purpose, I would be very worried, considering that the clients on its list are mainly high net worth individuals.


IT Manager Snoops on Hundreds of NHS Patients’ Records

An IT manager with the NHS faces the possibility of going to jail after it was discovered he illegally accessed the records of friends, relatives and colleagues. During his tenure as an IT manager he accessed 431 records.

John Fitzsimmons, director of performance, governance and informatics for NHS Hull, said Trever’s actions were a serious breach of trust. He welcomed the fact a successful criminal prosecution has been brought and that a custodial sentence is being considered.

Even though Mr Fitzsimmons claims it sends out a powerful message to NHS staff and the healthcare community about the importance of data protection, the approach the NHS is taking here is the wrong approach, as staff could find ways to mask their IDs or use ghost IDs to access medical records.


Data loss, encryption & security in health care - is your medical data safe?

Today I’d like you to head over to Simon Thorpe’s blog to read his latest blog post titled “Data loss, encryption & security in health care - is your medical data safe?”. It starts off by giving you an idea of how bad the level of data breaches is in the health care sector, especially in the US and UK.

Simon goes on to discuss protecting health care records using persistent security in the form of Enterprise Rights Management, also called Information Rights Management. Persistent security secures records while they are moving over the network, when they are being used and when they are stored on any form of storage media.

Simon, I am sorry to say I do not expect data security to get any better over the life of the current parliament, as the government has embarked on spending cuts which are most likely to impact data security. Read my post on the UK government spending cuts.

Access Simon’s blog post titled “Data loss, encryption & security in health care - is your medical data safe?” here.

Is Your Price List Under Lock and Key?

Yesterday, I wrote a post titled “What Global Companies Are Spending on Google” in which confidential information about advertising spend on some of Google’s major accounts was leaked to the public domain. From an outside perspective one may ask, what is all the fuss about that information becoming public? Well, here is one reason: one can roughly work out who is paying less or more for their advertising and come to the conclusion that they are operating on different price lists. So you can see why this information is so critical to Google that it is tightly secured.


What Global Companies Are Spending on Google

Do you know that today even the most technologically advanced companies need to take the necessary steps to protect their confidential data? It was revealed last week that someone within Google leaked information on how much major corporates spent on advertising with Google. This leak must have been a major cause for concern to Google because BP, which was one of the companies that increased spending as a public relations exercise to stem the damage to its image as a result of the oil spill in the Gulf, was also listed.


Who Should Be Blamed For A Data Breach?

I was reading a recent article where an employee of the Manchester Police lost a USB drive. The Daily Star that reported the breach wrote that a high-ranking source in the department said whoever lost the drive was in for “a right rollicking”. Meaning some punishment of some sort will be awarded to the person responsible.

But who should be blamed for a data breach, employee or employer? Whenever there is a data breach, it is the person that loses the data who is made the scapegoat. There are many information security endpoint tools that can help users keep confidential data safe from prying eyes. I believe organisations should take a serious look at their internal processes whenever there is a data breach, and ask what can be done to reduce human error or a deliberate effort to steal data. We are all humans and things get lost and forgotten; the question is what needs to be done to make the confidential data inaccessible to unauthorised persons?


The Impact of UK Government Spending Cuts on Information Security

Since the last election the current UK coalition government has outlined plans to cut £6.2bn, most of what the new government calls “wasteful spending” to start to reduce the budget deficit. The government plans to cut £95m from its IT spending as part of its effort to save £6.24bn in its first round of cuts. Many within IT circles are concerned that this makes government both at the central level and local levels more vulnerable than ever before to all sorts of computer and data security attacks.


Another Solvable Problem Using Enterprise Rights Management.

The Office of Inadequate Security recently reported a major data breach at East Devon District Council where the personal data of almost 2,000 council workers was leaked. The incident happened when a former manager of the council sent the data in an Excel file to a private email address.

The council says the incident was “unauthorised” and affects 1,891 staff, councillors, employees of Leisure East Devon and pensioners formerly employed at the council. This is a situation that could have been prevented using both Data Leak Prevention (DLP) and Enterprise Rights Management (ERM).
