Tag Archives: Information Security

Bosch launches new information security services to protect against cyber attacks

The IT Security Expo and Congress 2019 takes place in Nuremberg from 8-10 October and experts from Bosch will be on hand on Stand 506 in Hall 10.1 to outline the company’s latest information security services for defending against cyber attacks.

Cyber criminals pose a threat to building security solutions. Today’s physical security systems are increasingly IP-based and run on the same networks as generic office and production IT systems.

“The growing use of IT, along with greater networks, is also making building security solutions potentially vulnerable to all of the same risks that plague the rest of the IT world, such as hacker attacks and malware,” explained André Heuer, who heads the information security operation at Bosch Building Technologies. “Particularly so in critical infrastructure, this interaction of IT and facility management makes it essential to find new ways in which to ward off cyber attacks. We want to help our customers expand their information security strategies to include physical systems.”


On that basis, Bosch is introducing new information security services to address security needs in conventional building security systems by erecting “cyber barriers”. The company’s portfolio now embraces three complementary components:

Information Security Consulting for designing tailored information security concepts to meet customers’ individual protection requirements

Security Operations Centre which manages vulnerabilities and information security incidents to ensure a consistently high level of security while complying with reporting requirements

IT Security Services which implement appropriate measures to protect building security solutions from cyber threats

All of the services are provided in close consultation with customers’ IT security officers. By offering these options, Bosch feels that it’s “raising the standard of information security in buildings to a new level”.


CREST bestows first lifetime Fellowships in recognition of outstanding achievements

CREST – the not-for-profit accreditation body representing the technical information security industry – has awarded its first lifetime CREST Fellowships in recognition of outstanding achievement or contribution to CREST and the technical information security industry in general.

“With support from those who hold CREST qualifications, CREST member companies and industry influencers, CREST has grown rapidly into an internationally recognised body with the highest levels of technical standards and governance, a strong Code of Ethics and a reputation for action and the ability to deliver,” explained Ian Glover, president of the organisation.  “That’s why the introduction of the annual Fellowships is so important as they are a way of recognising and thanking individuals who’ve made a significant contribution to build CREST and professionalise the cyber security industry.”


In addition to the Fellowships awarded to CREST members, further awards have been presented to recognise contributions from industry, Government and academia. These included awards for Buck Rogers (CISO of the Bank of England), Chris Ensor and Harry W from the National Cyber Security Centre and a posthumous accolade for Stephanie Damon of the Cyber Security Challenge UK whose award was accepted on the night by Nigel Harrison. Special contribution awards were also given to Adriana Costa McFadden from CREST and Allie Andrews of PRPR.

This year’s ceremony and dinner took place at the Tanner Warehouse in Bermondsey, with Ian Glover presenting the awards alongside CREST’s chairman Mark Tuner and ex-chairman Paul Midian.

Other CREST fellows for 2017 include Abhijeet Udas, Alex Church, Andrew Davies, Arjun Pednekar, Daniele Costa, Dave Hartley, Dom Beecher, Dominic Chell, Ed Williams, Edward Torkington, Gabriel Caudrelier, Gary O’Leary-Steele, Gavin Jones, Gemma Moore, Geoff Jones, Greg Rudd (CREST Australia), Ian Lovering, John O’Meara, Jonathan Roach, Joseph Hart, Marcus Pinto, Mark Harrison, Mark Raeburn, Martin Law, Michael Woodhead, Paul Beechey, Paul Docherty, Paul Midian, Paul Vlissidis, Richard Dean, Rory McCune, Simon Clow, Stuart Criddle and Tobias Clarke.


“Wireless security skills need to prepare for the IoT age” urges SANS Institute

The proliferation of new wireless communication technologies within consumer electronics and smart devices is overtaking the skills harboured within the information security industry. That’s the considered opinion of Larry Pesce, a leading expert in the field and a SANS Institute instructor.

“There’s a great deal of disparity between the security of the different wireless standards, and particularly so when you compare the 802 family that were predominately built for business use and emerging technologies that came from the consumer landscape such as Bluetooth, Zigbee and Z-Wave,” explained Pesce, who co-authored the books entitled ‘Linksys WRT54G Ultimate Hacking’ and ‘Using Wireshark and Ethereal’.

“For example, Bluetooth has some solid maths around encryption, but many of the security decisions are left in the hands of the users which means things can go horribly wrong. Zigbee has a poor design for how it handles passphrase and replay packets which are highly vulnerable, while security in some of the proprietary formats like Z-Wave offers almost non-existent security.”


Pesce, who also develops real-world challenges for the Mid-Atlantic Collegiate Cyber Defence Challenge, is complimentary about newer wireless protocols such as 802.15.4 and Zigbee, which uses baseline profiles to help deliver enhanced security, but comments: “The technology is probably ahead of the skill sets out in the field. The problem is also somewhat underestimated.”

Pesce also highlights the privacy issues that wireless-enabled devices are starting to hit against. “If we look forward, a large number of devices in the workplace and the home will be wirelessly enabled and communicating autonomously between each other and back to manufacturers. Unless more consideration is given towards securing both the devices and the communication links, there are likely to be breaches that will burrow into this Internet of Things infrastructure and start to gather private information or act as a staging post for more damaging attacks.”

Wireless Ethical Hacking, Penetration Testing and Defences

Pesce will be teaching the SANS course SEC617: Wireless Ethical Hacking, Penetration Testing and Defences at SANS London in July. The hands-on course takes an in-depth look at the security challenges of many different wireless technologies, exposing students to wireless security threats through the eyes of an attacker.

Using readily available and custom-developed tools, students navigate through the techniques attackers use to exploit Wi-Fi networks, including attacks against WEP, WPA/WPA2, PEAP, TTLS and other systems.

The course also examines the commonly overlooked threats associated with Bluetooth, ZigBee, DECT and proprietary wireless systems.

“We’re at a crossroads from a standards perspective,” concluded Pesce. “The vendors are still mostly obsessed with ‘bigger and faster’, but there’s also increased pressure from a privacy perspective and many are having a hard time figuring it out. For information security professionals, the skills needed to secure these new types of wireless connections are in high demand.”

*More information on SANS London Summer 2016 is available at: http://www.sans.org/london-in-the-summer-2016


“UK businesses could spend £1.2 million recovering from a cyber security breach” states new research from NTT Com Security

Most business decision-makers in the UK admit that their organisation will suffer from a cyber security breach at some point. They also anticipate that recovering from a data breach would cost upwards of £1.2 million on average for their organisation. That’s according to the Risk:Value report issued by information security and risk management company NTT Com Security, which surveyed business decision-makers in the UK as well as the US, Germany, France, Sweden, Norway and Switzerland.

While nearly half (48%) of UK business decision-makers say that information security is ‘vital’ to their organisation, and just half agree it’s ‘good practice’, a fifth admit that poor information security is the ‘single greatest risk’ to the business ahead of ‘decreasing profits’ (12%) and ‘competitors taking market share’ (11%) and on a par with ‘lack of employee skills’ (21%).

Well over half (57%) agree that their organisation will suffer a data breach at some point, while a third disagree. One-in-ten state that they simply don’t know if this will be the case.

Respondents estimate that a breach would cost them an average of £1.2 million, even before ‘hidden costs’ like reputational damage and brand erosion are taken into consideration. Again, on average it would take around two months to recover from a breach. Respondents to the comprehensive survey also anticipate a 13% drop in revenue, on average, following a breach episode.

Starting to hit home

The survey shows that recent high-profile data breaches are starting to hit home. A similar report published by NTT Com Security in 2014 revealed that 10% of an organisation’s IT budget was spent on information security compared to 11% this year. However, in the latest report, around a quarter (23%) of UK businesses reveal that more is spent on Human Resources than information security.

In terms of remediation costs following a security breach, nearly a fifth (18%) of a company’s costs would be spent on legal fees, 18% on fines or compliance costs, 17% on compensation to customers and 11% set aside for third party remediation resources. Other anticipated costs include PR and communications (14%) and compensation paid to both suppliers (12%) and employees (11%).


According to the report, the majority of respondents in the UK admit they would suffer both externally and internally if data was stolen, including loss of customer confidence (66%) and damage to reputation (57%) as well as suffering direct financial loss (41%). Over a third of decision-makers (34%) expect to resign (or expect another senior colleague to do so) as a result of a breach.

Stuart Reed, senior director for global product marketing at NTT Com Security, commented: “Attitudes towards the real impact of security breaches have really started to shift. That’s no surprise given the year we have just had. We’ve seen several major brands reeling from the effects of serious data breaches, and struggling to manage the potential damage, not only to their customers’ data, but also to their own reputation. While the majority of people we spoke to expect to suffer a cyber security breach at some point, most fully expect to pay for it as well, whether that’s in terms of third party and other remediation costs, customer confidence, lost business or even, possibly, their jobs.”

Whose responsibility is it anyway?

*41% of UK organisations have a disaster recovery plan in place, with 40% having a formal security policy in place. In both cases, almost half are in the process of implementing or designing one

*When it comes to responsibility for managing the company’s recovery plan, 15% say the CEO now has responsibility, although this still largely falls to the Chief Risk Officer (CRO), the Chief Information Officer (CIO) or the Chief Security Officer (CSO)

*While 77% agree it’s ‘vital’ their business is insured for security breaches, only 26% have dedicated cyber security insurance. However, 38% of those questioned are in the process of obtaining a policy

*One-in-five respondents in the UK say they don’t know if their organisation has any type of insurance in place to cover for the financial impact of data loss or an information security breach

“It’s encouraging to see that almost all UK businesses now have a disaster recovery and formal information security policy in place, or are at least planning to implement one soon,” added Reed.

“Clear, concise internal processes and policies for employees and contractors have so often been overlooked, and this is what can lead to complacency and poor security hygiene. When we talk to clients, we make it absolutely clear that educating staff about security should be a top priority, supported all the while by clear and simple procedures and backed up by a solid incident response plan.” 

*The Risk:Value Executive Summary report can be downloaded here


CESG Certified Training rebranded as GCHQ Certified Training

CESG Certified Training (CCT) was established in November 2014 to deliver training which satisfies the high standards set by CESG, the information security arm of GCHQ. APMG International is announcing that the scheme has been rebranded as GCHQ Certified Training (GCT). Effective as of 1 January 2016, the name change has been enacted to drive market recognition of the scheme and improve access to professional and relevant cyber security training.

APMG is GCHQ’s independent certification body, responsible for ensuring that training providers meet GCHQ standards. GCT helps professionals and organisations navigate the increasingly saturated cyber training market, and quickly identify training courses that meet the highest standards in terms of both content and delivery.

GCT certifies high quality cyber security training and trainers and is based on the IISP Skills Framework. This includes training suitable for those aspiring to certification under the CESG Certified Professional (CCP) scheme. The criteria for GCT are also aligned with the standards GCHQ uses for the GCHQ Certified Cyber Security Master’s degrees.


CCT has been rebranded as GCT in recognition that GCHQ is a more widely known brand and is already used to certify cyber security Master’s degrees while also recognising high quality cyber security research. The instantly recognisable brand of GCHQ will increase awareness of the scheme for those working within cyber security, ultimately improving the availability of – and access to – cyber security training that’s fit for purpose.

Building cyber skills

A GCHQ spokesperson told Risk UK: “One of the biggest challenges for the UK in cyber space is developing enough skilled people. Vital to building cyber skills is having relevant and high quality cyber security training. GCHQ Certified Training helps to deliver that by providing confidence in cyber security training providers and the courses they offer.”

Commenting on the name change, Richard Pharro (CEO of APMG) said: “GCHQ is widely recognised as the pre-eminent authority on cyber intelligence and data security, which is why we fully support changing the name of the scheme. By bringing CCT under the GCHQ banner, training providers that have certified against the scheme will benefit greatly from the rebranding. This move will make it easier for end users to better understand what the certification signifies: quality, assurance and security.”

Andrew Fitzmaurice, CEO of Templar Executives (one of the first training companies to have achieved CCT certification for its courses) added: “The rebranding to GCT is a positive step for training providers and clients alike. In a market with a plethora of products, the GCHQ brand immediately helps delegates recognise which training and trainers have been rigorously assessed to deliver the highest quality learning and development, in turn reflecting Best Practice in cyber security.”

Sarah Rudge, information assurance manager at Ofqual (the Office of Qualifications and Examinations Regulation), found the GCT-certified course she recently attended to be of a high quality, confirming the scheme’s value in the market.

Rudge commented: “I cannot recommend highly enough the information risk management course from Ultima Risk Management, which has been certified under the GCT scheme. I found it to be the perfect mix of tuition and practical exercises. It was so refreshing to find a course which is so relevant and directly applicable to my work.”


SANS Institute returns to Brussels for delivery of “vital” training and education on information security

SANS Institute, the world’s largest cyber security training provider, will be returning to Belgium in early 2016 to host five essential information security training courses.

Entitled ‘SANS Brussels Winter 2016’, the training event offers security, penetration testing and forensics tracks including the popular SEC401: Security Essentials Bootcamp taught by Dr Eric Cole, a SANS faculty Fellow, course author and member of the Commission on Cyber Security for the 44th President.

“Demand for security expertise is outstripping supply, making this a great time for both individuals and organisations to benefit from strengthening and gaining new skills,” urged Cole. “Events like ‘SANS Brussels Winter 2016’ and other SANS training opportunities around Europe are vital to help combat what’s now an increasingly complex threat landscape.”

‘SANS Brussels Winter 2016’ takes place from Monday 18 January-Saturday 23 January at the Radisson Blu Royal Hotel in the heart of Brussels, and includes a programme of evening talks and networking opportunities.

Training courses scheduled to run at the event are as follows:

  • SEC542: Web App Penetration Testing and Ethical Hacking (Tutor: Raul Siles)
  • SEC401: Security Essentials Bootcamp Style (Tutor: Dr Eric Cole)
  • SEC504: Hacker Tools, Techniques, Exploits and Incident Handling (Tutor: Steve Armstrong)
  • FOR572: Advanced Network Forensics and Analysis (Tutor: George Bakos)
  • FOR408: Windows Forensic Analysis (Tutor: TBC)

Each course has an associated GIAC certification. Discounted rates for the certification attempt are available when purchased with a training course.

*For more information on ‘SANS Brussels Winter 2016’ visit: https://www.sans.org/event/belgium-2016/


Southwest Microwave awarded CPNI certification for INTREPID MicroPoint II perimeter security sensors

Southwest Microwave, the developer of integrated electronic perimeter intrusion detection systems, has recently received Government certification from the UK’s Centre for the Protection of National Infrastructure (CPNI) for its INTREPID MicroPoint II intelligent fence-mounted perimeter intrusion detection sensor.

Focused on the protection of national security and reducing the UK’s vulnerability to terrorism or criminal threats, the CPNI provides protective security advice spanning physical, personnel and cyber/information security. Tasked with recommendation and specification of specific security measures and protocols that deter, detect or minimise the consequences of attack, CPNI employs a range of stringent professional standards to rigorously test and approve physical security equipment for the protection of Critical National Infrastructure (CNI) sites.

Certification of INTREPID MicroPoint II by CPNI qualifies the system as a reliable perimeter fence detection solution for the fortification of CNI installations.

All MicroPoint II system components, including Processor Module (PM II), Control Module (CM II), MicroPoint MC115 (standard) and MC315 (armoured) sensor cables, JB70A Lightning and Surge Protection Module and PS49 Power Supply are now itemised in CPNI’s Catalogue of Security Equipment, published to support key public and private sectors partners in the selection of equipment approved to protect essential national services and assets.

“Our INTREPID MicroPoint II fence-mounted perimeter intrusion detection system has been deployed worldwide to secure critical energy, transportation, Government and industrial sites along with many other facilities linked to CNI,” explained Martin Lomberg, Southwest Microwave’s European general manager.

“The successful accreditation of the MicroPoint II by CPNI reinforces its capabilities as an effective counter-terror solution for the highest security applications, both here in the UK and abroad.”


UNION tackles unauthorised key duplication in healthcare facilities thanks to keyULTRA solution

UNION – part of ASSA Abloy Security Solutions (a division of ASSA Abloy UK) – is tackling unauthorised key duplication in healthcare facilities with its keyULTRA master key system. 

Last year alone, NHS departments reported 498 data breaches to the Information Commissioner’s Office, in turn showing how data protection has become an increasing concern within hospitals.

Facilities and security managers in healthcare establishments need to safeguard confidential information and expensive medical equipment. On that basis, managing security and access control requirements is critical.

The keyULTRA master key cylinders possess one of the longest patents in the market, expiring in 2028. DuraPIN technology protects both the key and cylinder assembly from illegal duplication and permits access to authorised personnel only.

This system has successfully been installed in a number of healthcare facilities including Arnold Lodge, a medium secure psychiatric unit in Leicester, and Good Hope Hospital in Birmingham.

Craig Birch, category manager for cylinders at ASSA Abloy UK, said: “Unauthorised copies of keys and an unknown number of keys distributed to people, both within and outside organisations, are common problems for hospitals with large numbers of personnel and a high staff turnover. A copied or a lost key is an immediate security threat that could lead to data breaches and costly civil monetary penalties. Investing in keyULTRA is an effective way of ensuring that no unauthorised keys are cut, meaning that facilities and security managers are fully aware of everyone with access to each area of the building. That helps to eliminate the costly problems that could occur from compromised security.”

keyULTRA boasts enhanced features including the highest key-related security, as per BS EN 1303:2005, along with resistance to bumping, drilling, picking and plug extraction. The solution is also approved for use on FD30 and FD60 fire doors in accordance with BS EN 1634-1.

Featuring self-lubricating materials designed to enhance its resistance to wear and tear, UNION’s keyULTRA is ideal for busy environments and can also help to reduce maintenance costs.

The product has been successfully tested to over half a million cycles to guarantee performance. It employs a strong and durable key, with an easy-to-grip, oversized key bow to facilitate product use.

*For further information on keyULTRA visit: http://www.unionkeyultra.co.uk/


‘Security Integration moves beyond PSIM’ (by John Davies, md, TDSi)

In a guest blog for Risk UK’s readers, John Davies reviews developments that have been taking place beyond the initial hype around Physical Security Information Management (PSIM) and how the integration of physical and information security is now offering benefits in the real world.

A few years ago, PSIM – the acronym for Physical Security Information Management – became a popular ‘buzzphrase’ in both the physical and logical security sectors. In its broadest sense, the term sought to describe the increasing unification between IT security and physical security systems which really became inevitable given the increased adoption of IP services throughout the business world and, indeed, society as a whole.

In the case of physical security, this phenomenon has revolutionised the approach the industry takes to its products and services. Manufacturers, specifiers and installers have had to adapt and evolve to meet the expectations of the market (and, in many cases, the wider public).

However, the security sector as a whole has moved on and the expectation of an IP connection is now simply a basic necessity rather than a defining characteristic.

Full integration between often complex and crucial systems is now the goal of security operators and providers alike. Paradoxically, while the technology is undoubtedly becoming more and more complex, the overall goal is to provide operators and installers with solutions that are actually simpler to use and install.

John Davies: managing director at TDSi


Bringing together all of the elements

PSIM has been highly successful in bringing together physical and logical security systems, but the expectations placed on integration have also grown significantly. The security market now demands more joined-up physical security technology.

Common integration components include:
• Access control (physical locks and doors)
• CCTV systems
• Intruder alarms
• Firefighting systems
• Building services controls (including environmental systems and lifts)
• Centralised business systems (and Schools Information Management Systems)
• HR systems

While physical and logical security were traditionally isolated from one another, so too were many of the individual physical security and management applications. The inability of these various facets to work directly together was a frustration when it was clear that the overall management of a facility could be enhanced and made considerably simpler and more efficient by doing so.

Bringing together the various elements has been made achievable by two improvements: the ability of many security and management systems to be connected to a universal Internet connection and the development of systems and software capable of administering and simplifying the operator’s task of running multiple functions from a single portal.

True security integration has only really been made possible with the advent of systems which are highly compatible with one another (often using shared/agreed standardised protocols) and offer the ability to network these previously disparate elements. The second hurdle has been to understand the popular standards and create software systems able to bring the strands together as a whole.

Continuous surveillance and control of facilities

While security systems are traditionally used to combat intruders and protect against attacks or thefts, some organisations actually face a substantial threat from what’s sometimes termed ‘insider theft’. Modern integrated security systems can be used as an effective deterrent against such threats.

Take the example of a busy warehouse. With items being moved in and out on a rapid basis, it can be easy for a worker to remove items (especially small ones) without necessarily being noticed by colleagues or human security operators. In this example, CCTV surveillance may not be enough to detect a problem in standalone mode. However, in combination with an integrated stocktaking system and monitoring of access to the facility it’s much easier to investigate unaccounted losses and to check video footage for the missing items. Equally, it can be a powerful tool to defend the honesty of staff members where there is suspicion or doubt.

Visual verification: monitoring of staff movements

With a truly integrated combination of security and business/building control systems there are fresh opportunities to use these existing investments. A good example is the administration of facilities management resources. Visual verification from CCTV and security software systems can be used to monitor the movements of authorised staff as well as intruders.

A practical application for this could be the intelligent use of environmental temperature control and lighting. An integrated security system can detect the use of designated areas within a facility and intelligently manage the use of resources – and especially outside normal working hours – to reduce any wastage in unoccupied areas.

Equally, this visual verification technology could be used to monitor human and vehicular traffic around a facility and analyse any congestion or influence planning decisions.

Emergency situations and fires

Integrated systems can also play an important role with regards to the safety of people on site. Fire alarms are far from a new technology, but when used in combination with all the other buildings control systems, the combined solution can play a vital role in safety.

In the event of a fire the alarm will probably be the first system to activate. In a modern integrated system this can alert the security team and, if required, automatically escalate the warning to the emergency services.

Proactively, it can automatically restrict access to dangerous parts of the building and consult HR records or check ID restricted access logs to see who has entered and left the facility. This provides a more accurate account for the emergency services and security teams to assess the situation.

CCTV systems can then be used to assess whether people are trapped within the facility and even to investigate dangerous areas and the spread of the emergency without putting lives at risk.

Time and attendance: shift-based business models

For organisations that run strict time-keeping and shift-based business models, security systems can be used to administer accurate time and attendance recording and secure access control records when staff enter or leave a facility as well as enforce security.

It can also measure when staff visit different parts of the facility (for example the WC or food service areas) to ascertain an accurate record of the actual working patterns.

When linked to CCTV and logical access of IT systems, the HR Department or security system operators can see exactly what’s happening.

Using legacy systems and offering the best ROI

Intelligently installed integrated physical security systems can offer an attractive return on investment. First, they allow the ‘mix and match’ purchase of systems to best suit requirements and budgets. Second, they also permit the use of existing legacy systems and the inclusion of components that are either very specific to their role or, from a financial standpoint, would be problematic to replace.

A good example is the use of CCTV cameras where the best solution may be a healthy mix of modern megapixel cameras and other legacy or specific environment systems. In the past, it would have been harder to use different specifications of camera on the same network but integrated systems are specifically designed to cater for this eventuality.

Integrated systems: greater flexibility than ever before

While PSIM has undoubtedly bridged the gap between physical and logical security, the developments that have taken place since have arguably been more helpful to security operators and installers. The connection of physical security to IP-based systems was a vital development in the security industry as a whole, but the synergy between physical systems is bringing the evolution of truly self-aware solutions even closer.

Traditionally, organisations and installers dealt with a complete solution which was mutually exclusive to other solutions and offered little in the way of upgrades and evolution options. Making any changes required serious contemplation and often involved large budgetary commitments that were usually untenable.

The combination of physical security and IP systems has also radically altered the installer market. Installation specialists increasingly have to understand both IT and physical security disciplines in order to offer the best solutions for their clients. The trade-off is that, as an industry, the security sector is able to grow and offer exactly the solutions that customers require.

Those customers now have greater control over their investments and a greater confidence that it’s a wise investment in a wider economic landscape that will help achieve sustained growth.

John Davies is managing director at security solutions specialist TDSi

Filed under Risk UK News

“Remote working places business data at risk” reveals Imation Corporation Survey

According to new research initiated by global data storage and information security company Imation Corporation, poor security and impugned responsibility are placing business data at risk for those working remotely. Staff are taking confidential information away from the office, often without the knowledge of their employer, and losing unsecured and unencrypted business data in places such as pubs, on trains and in hotels.

According to the survey of 1,000 office workers* from the UK and Germany, nearly two-in-five of respondents (or someone they know personally) have lost or had a device stolen in a public place. Three quarters of these devices – among them laptops, mobile phones and USB sticks – contained work-related data. This included confidential e-mails (37%), confidential files (34%) and customer data (21%).

Around one-in-ten interviewees had lost financial data or access details such as login and password information, potentially exposing even more confidential information to the risk of a data breach.

What makes these findings even more concerning is that a large proportion of data removed from the workplace isn’t adequately secured. As many as three quarters of respondents said they had taken digital files with them outside of work, yet many do not use standard security measures such as encryption, password protection or remote wiping to protect that data from unauthorised access.

One-in-four employees interviewed for the Imation Corporation’s survey admitted breaking security policies to work remotely while the majority were not concerned about losing confidential business data

Nearly half (44%) of respondents said that data is never encrypted when taken out of the office. Three out of every ten respondents admitted they don’t protect their data with passwords, while nearly one-in-ten workers who take digital files outside of the office do not secure them at all.

Office workers, it seems, are not losing any sleep over losing confidential business data when they take work home, with only one-in-16 worrying about this massively important issue.

Lack of understanding around corporate data security

“Companies may not be aware of the amount of data that’s leaving offices unsecured,” said Nick Banks, vice-president (EMEA and APAC) for Imation Corporation’s IronKey solutions. “In addition, half of respondents said that, at least some of the time, nobody would notice if they were to take data away from the office and lose it. It’s obvious that poor security and lack of understanding of what happens to corporate data are placing organisations at risk of a data breach.”

Even though eight-in-ten of the employees interviewed read or write work e-mails on the move, and around seven-in-ten work on electronic documents away from the office, businesses are failing to provide their employees with secure tools for remote working and not putting the right security policies in place.

Fewer than six out of every ten respondents said their organisation had a remote working policy in place. Of those employees working for companies that do have a policy, more than a quarter of interviewees admitted they’d broken that policy in order to work remotely. Of those staff questioned, 8% had knowingly broken the policy and a further 18% say they’d unknowingly broken it.

Equally, of those individuals who do secure data that they take outside of the office, just over half said that their employer or a third party supplier provides the remote working security measures. One-in-five respondents reported that just they themselves provide the security measures.

“These figures emphasise the urgent need for businesses to ensure that their employees have the necessary systems in place to work flexibly and securely without further hindering productivity,” asserted Banks. “The reality is that people are working in cafes, on aeroplanes, in their GP’s waiting room and even while they take their children to the park. Organisations are tasked with a monumental challenge of providing secure access to corporate networks and data. Data protection is now a huge concern for employers who are battling to manage security and privacy for employees on the move.”

Nearly half (44%) of survey respondents said that data is never encrypted when taken out of the office

Key highlights of the research

Other research highlights are as follows:
• As many as 41% of interviewees suggested that they either do not have the right tools available to work remotely or that their solutions for doing so could be improved
• Three-in-five respondents would tell their boss if they lost a storage device with company data on it. However, nearly one-in-ten would do nothing. Less than one third of survey respondents said they have policies that dictate who should be notified depending upon the type and sensitivity of the data lost
• Almost a quarter of respondents have looked over the shoulder of someone working on a laptop/tablet in a public place or noticed someone looking over their shoulder while 6% would let someone else use their work laptop, tablet or smart phone outside of the office
• Around half (48%) of respondents that take digital files with them outside of the office do not fully separate their work and personal data, in turn placing their personal data at risk of being wiped when business data is compromised
• Only 70% of respondents report that they protect their data with passwords and only 36% encrypt their data. A small proportion of respondents are using biometric technology (14%) or remote wiping (7%) to secure their data
• Public areas such as pubs, cafes and restaurants (22%) and public transport (29%) are some of the most common locations for respondents to read or write work e-mails when outside of their home

Nick Banks: vice-president (EMEA and APAC) for Imation Corporation’s IronKey solutions

*The research consisted of 1,000 online interviews carried out this summer and involving office workers in businesses of at least 250 employees and covering a range of industry sectors. 500 respondents emanate from the UK and 500 respondents work in Germany. 80% of respondents were required to work remotely for at least part of their working week. Interviews were conducted online using a rigorous multi-level screening process to ensure that only suitable candidates were given the opportunity to participate