May flowers … planning security for the future

Having secured your operation against the security issues seen in April and reviewed in my last blog post, how do you assess the robustness of your organization to defend against the ongoing threat environment in May and through the summer?

It is difficult enough for an organisation to determine its exposure to security threats such as those seen in the last couple of months. It is often harder to establish guidelines and policies for handling the different types of information flowing through the many channels of your business in a robust and defensible way. A simple risk-based approach can be used to develop these policies and ensure that your organisation is protected as far as possible.

The analysis can be done very quickly and simply by a small team.

First, look at the types of information that may have been affected, breaking them down into broad categories, for example:

  • Contracts
  • Plans and Strategies
  • Client confidential information
  • Bidding documents for deal A
  • Marketing information
  • etc.

As with any risk-based approach, for each of the above categories you need to consider two dimensions.

  • Likelihood – how likely is it that the information has been compromised? A simple scale of Unlikely/Likely/Very Likely should be considered.
  • Consequence – what are the consequences if the information were to be compromised? You should consider financial and reputational impacts to yourselves and, where appropriate, to your clients. A simple scale of Low/Medium/Significant is in most cases sufficient.

If this is plotted as a simple matrix it is possible to assign a risk to each combination of likelihood and consequence, and to devise mitigating actions for those information categories that have a high risk.

For each of the assessed risks it is important to take appropriate mitigating actions, for example as shown below. The mitigating actions are best worked out as a workshop session.

Critically the risk matrix can also be used to categorise your information and decide on its use, storage and techniques for distribution, especially electronic. This can minimize your exposure to future threats and demonstrate to your clients the effectiveness of your information security controls.

Again, a simplified example of a set of strategies for information handling could be:

Such a review can be completed in about a day using a small team and can provide invaluable input to dealing proactively with information that may already have been compromised, or to define a future strategy for handling information.

Having an effective strategy for management of your information is vitally important, since two things are certain:

  1. Clients want their information quicker, and at a location and on a device of their choosing. Cloud-based distribution of information is going to remain.
  2. Valuable information will be of interest to other parties, and techniques for stealing that information will only increase in sophistication.


Safe4 will continue to provide a top level of security for all confidential documents stored by its customers within their overall security strategy.

I hope this summary has been useful and will enable you to use the March Winds and April Showers of the recent security scares to bring forth a May flowering of a robust security environment for your documents.

Please respond to this blog or contact us at [email protected] with any questions or comments.

New document from the ICO confirms the need to keep browsers updated

Recent well-publicised issues regarding security threats to Internet users have highlighted the problems that arise through the use of out-of-date operating systems and web browsers when accessing Internet-based services.  Safe4 have rigorously applied all current security patches to our servers, and consequently we have avoided any of the risks caused by the OpenSSL Heartbleed bug (see the other posts on this blog).

As a result, some users of very old technology, typically Windows XP and early versions of Internet Explorer, have been blocked from accessing Safe4.  This is because the older security protocols have been the cause of many of the current threats to secure web-based services.  As before, our advice to users is to upgrade their operating system and browser and apply all of the security patches supplied by Microsoft, or alternatively to use another browser such as Google Chrome or Mozilla Firefox.

The UK Information Commissioner’s Office has now published further guidance on this issue, with specific reference to data protection.  Their document can be read by clicking here.

Safe4 will continue to apply all possible protection measures to safeguard our customers’ information, and will not maintain the use of outdated security protocols to permit access by unsupported browsers or operating systems.

Microsoft patches Internet Explorer Vulnerability

Following the announcement earlier this week that a vulnerability had been found in all versions of Internet Explorer (6, 7, 8, 9, 10 and 11), Microsoft has acted quickly to provide an update. All users of Internet Explorer are strongly encouraged to upgrade at the earliest opportunity.

The upgrade process is simple – just use the Update functionality built into Windows by clicking on “Check for updates” in Windows Update which can be accessed from your Control Panel.

Further details can be found on the Microsoft blog: http://blogs.technet.com/b/microsoft_blog/archive/2014/05/01/updating-internet-explorer-and-driving-security.aspx

In an interesting move, Microsoft has also issued an update for users of Windows XP, despite discontinuing support for XP at the beginning of April. Safe4 would however encourage you to upgrade as soon as practical to take advantage of the latest security features and to remain secure against future threats.

If upgrading from Windows XP is impractical for you at the moment, we recommend using a browser other than Internet Explorer, as mentioned in earlier blogs.  Google Chrome and Mozilla Firefox are both viable alternatives.


Posted by Alistair Stubbs, Safe4 Information Management Technical Director