Austria’s supreme court is to decide soon whether to open the floodgates. If the court rules that Max Schrems et al can sue Facebook over its handling of their personal data, and if their suit is successful – or looks like it might be – then every law firm in Europe will be trying to … Continue reading Après-moi, la deluge (where’s your data, reprise ad nauseam)
IT service desk culture is full of sarcastic problem descriptions – PICNIC, ID-ten-T, PEBCAK. All of them serve as reminders that the root cause of many issues is user error, not systems failure. This is particularly true in information security, a point I’ve covered more than once before. So why bring it up again? Because … Continue reading Security training or MDM – you choose
Encryption is shaping up to be one of the great philosophical debates of the technological era. It’s become a proxy for a wider debate about the rights of citizens, and the balance between liberty and security. The debate, and the issues, are real. But encryption is the wrong target. All we’re seeing is yet more … Continue reading Encryption – blessing or curse?
It’s hard to know what – indeed, whether – to post in the wake of the Paris attacks. I’d just come off the phone to a French client when the news broke, which made it feel all the more immediate and proximate. I wish we had a simple answer to this awful conflict; at the … Continue reading Business as usual
Microsoft and Amazon have both revealed that they are building data centres in the EU. In Microsoft’s case, Deutsche Telekom will be the data “trustee”; I assume this is in part an anticipatory response to the ongoing Stored Communications Act lawsuit presently in progress in Dublin (in brief, a case to determine whether US government … Continue reading Death of the internet or birth of better privacy?
William Brandon, CISO at the Bank of England, has noticed the risks associated with LinkedIn profiles. He’s quite correctly pointed out that telling the world what you do, which systems you look after and whom you work with is a bit of a goldmine for hackers and social engineers. In other news, RBS is the … Continue reading Over-sharing, over-confident and over here
The government wants ISPs to store everyone’s browser history. Not the least intrusive thing ever proposed, and a world first for a democracy. Should we be proud to be leading the pack in surveillance of our own population – again? (We’ve the most CCTV cameras per capita too, remember). Let’s count the ways in which … Continue reading Snooper’s Charter – oppressive and useless in equal measure
I published this note about supply chain security today. Less than 8 hours later we learn that the ICO has fined the Crown Prosecution Service £200k for failing to secure some laptops that held confidential information on victims of crime. The laptops were stolen from a residential flat being used by a film production company … Continue reading Told you so: supply chain failure costs CPS £200k
Before you leave your house, do you check all the locks – doors and windows? Bet you do. When you audit your organisation’s IT security, do you do the same thing? Bet you don’t. You may have excellent perimeter defences; strong security policies; thorough security awareness training. You may run mobile device management, and configuration … Continue reading Front door locked, back door open
The TalkTalk saga grinds on. It’s abundantly clear that their security was inadequate. Even their CEO admits it, although she’s determinedly clinging on to her job – presumably some poor sucker in IT will eventually carry the can. After all, that’s what happened at Target. What’s interesting is not so much that they were hacked, … Continue reading What’s worse – poor security or poor communications?