Tuesday, 14 October 2014

(Lack of data) Protection

If you do the Twitter thing, follow me at @hotpixUK
or LinkedIn here http://uk.linkedin.com/in/tonysmiththathousingitguy

You cannot have missed the news headlines last week: South Staffordshire Housing Association, better known as HousingPlus, had leaked thousands of residents' details onto the internet. Read more about it here.

Frankly, there is little that can be said about that, except that SSHA are really sorry. The hope is that they can 'guarantee' nothing similar can happen again. In reality, putting tenant details like that on the internet takes a great deal of effort.

Now sometimes it takes a malicious current or past employee with access to do so, adding a secret Easter Egg (which happened to me once), or some self-service portal glitch. It sounds like the latter here; if so, it would be good to know which application, so we can all avoid it in future. Here we have certainly SeenMoreData than expected.

My take is actually that most employees, in IT or other teams, try to do the best they can, and would feel pretty beaten up about something that could have been prevented like that. Well, I doubt we will really know, but what precautions should we be taking? What could we learn, so it does not happen to us?

Well-structured self-service portals, adequately insulated from SQL injection type attacks, are a great start. Last week it was revealed that even the UNIX bash shell can be susceptible to a similar injection-type compromise. Have you had your website certified by some third party, to prove its security and stability for your auditors?
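As an added example (not from the original post), here is the difference between a portal lookup that concatenates the tenant reference into SQL and one that binds it as a parameter. The tenant table and the input values are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a self-service portal's tenant table.
TENANTS = [
    ("T1001", "A. Resident", "1 High St"),
    ("T1002", "B. Resident", "2 High St"),
    ("T1003", "C. Resident", "3 High St"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tenant (ref TEXT, name TEXT, address TEXT)")
    conn.executemany("INSERT INTO tenant VALUES (?, ?, ?)", TENANTS)
    return conn


def lookup_vulnerable(conn, ref):
    # Builds the statement by string concatenation: whatever the user types
    # becomes part of the SQL syntax, so a quote in the input changes the query.
    sql = "SELECT ref, name, address FROM tenant WHERE ref = '" + ref + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, ref):
    # Bound parameter: the driver passes the value separately from the query
    # text, so it is only ever compared as data, never parsed as SQL.
    sql = "SELECT ref, name, address FROM tenant WHERE ref = ?"
    return conn.execute(sql, (ref,)).fetchall()


def compare(ref):
    """Return (rows from the concatenated query, rows from the bound query)."""
    conn = make_db()
    return len(lookup_vulnerable(conn, ref)), len(lookup_safe(conn, ref))


if __name__ == "__main__":
    # A well-formed reference behaves the same either way.
    print(compare("T1001"))
    # A malformed reference containing a quote: the concatenated query
    # matches every row (the tenant list leaks), the bound query matches none.
    print(compare("' OR '1'='1"))
```

A portal that returns every tenant for a malformed reference is exactly the kind of glitch a penetration test or third-party certification should catch before it goes live.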

How well protected are your staff laptops? Are they well secured and encrypted with BitLocker (or similar), with a PIN or fingerprint reader, on TPM-enabled machines? Are your mobile devices trackable by GPS location, and are you using MDM (Mobile Device Management) software to protect them? Is any data on them encrypted, and could it be remotely wiped if needed? Does the MDM already adequately segregate work and other apps? You may already lock down laptop USB ports, to discourage loose unencrypted data being available at large on memory sticks.

Be sure to educate staff on these risks and their responsibilities, and have them sign to say they have understood this, as well as everything else organisationally they need to understand. The best encrypted laptops in the world can be easily compromised by users writing their password on a post-it stuck to the lid. I won't reveal who I saw doing this last week, but your laptop password was clearly '0pen2esame'.

Robust testing of software and procedures is another one. Everyone, everywhere seems to test less and less these days. It might be because of lack of staff, or because we are not so old skool any more. More than ever, we have layers on layers, on layers. Testing takes time, but more downtime is wasted if problems get through and disrupt normal operation. If 100 staff are unable to work properly for 2 hours, the IT team might not think that too serious. But that's about 5.4 person-weeks wasted right there. Surely it's worth putting that effort in?

Sometimes, just the use of an external 'Critical Friend' can identify a number of data protection risks, as well as some historic measures that probably need to be revisited.

What price do you put on that embarrassment factor? Well, we would have to ask SSHA on that one. Did any staff lose their jobs over it, or were suppliers' contracts terminated? What would you do with such a breach? Let's hope you never have to deal with one.

Related Post: If a data breach had been made and put on Twitter by one of your customers, would you know about it?


You can link with me on LinkedIn here - http://uk.linkedin.com/in/tonysmiththathousingitguy It would be great to connect!

Massive Attack - Protection.
(c) Tony Smith, Acutance Consulting www.acutanceconsulting.co.uk 07854-655009

PS As usual, if there are subjects you might like me to tackle on this blog, or you could benefit from any of our services please get in touch and let me know!

You can access a quick list of blog posts here.
Could we help you or your organisation? Our contact details are here; get in touch and we will be pleased to chat about your problems or issues.

