Tag Archives: business continuity

ISNow – Data Loss & Data Leakage

The following introduction was originally published in the BCS Information Security Now Magazine, Summer 2009 issue (Volume 3, Issue 4), which was on the topic of Data Loss and Data Leakage:

Data Loss
“Data loss prevention should be less about deploying the latest technology that claims unrivalled capabilities in securing all the data you value, and more about having the right data policies and procedures in place, along with suitably educated and motivated people who can act as your data guardians.

The lack of a universal technical control will always leave gaps for data to be deliberately exfiltrated or accidentally exposed, but without comprehensive and effective data policies and procedures, and the people to support and enforce them, technology cannot provide a solution to your data management ills.

It is key that data procedures cover at least:

  1. how the organisation assigns a value to its data and information, i.e. values its assets;
  2. how it categorises and marks data, in relation to its value or sensitivity;
  3. how it assigns rules for handling data throughout its whole lifecycle, especially for personal information.

In a recession, the impact of the loss of corporate or customer data can be amplified and leave your organisation more vulnerable to disaster than before. The actual or suspected loss of information should be covered by your organisation’s incident response or business continuity plan.

Data Leakage
People can be shocked and concerned when media-friendly volumes of data are lost or exposed, even though only a tiny proportion may directly relate to or affect them, yet they volunteer personal information to near strangers when using the Internet and think very little about the implications of doing so.

With their photos, blogs, CVs, social networks, and contributions to online discussions individuals can provide the greatest insight and intrusion into their online and real world lives, and also the lives of their friends and family who may not have consented to their information being shared so openly.

Maybe each Internet connection should come with a health/wealth warning…”

A PDF version of the magazine is available online at:


Accountancy Magazine – Flirting with Disaster

I was quoted by Accountancy Magazine in an article covering Disaster Recovery. I was talking about the potential business impact for those that did not adequately plan and budget for disasters and how difficult, if not impossible, it would then be for them to survive one.

The article is available online at:


ISNow – Business Continuity

The following introduction was originally published in the BCS Information Security Now Magazine, Winter 2006/2007 issue (Volume 1, Issue 2), which was on the topic of Business Continuity:

Business Continuity
“Businesses need to plan and prepare for the worst – and survive it, if it happens. This should be embedded in every part of the organisation that is relied upon for continued business, as the organisation is only as strong as its weakest part.

There needs to be a formal approach to identifying and managing any risk to the organisation, and this is especially true where it is business affecting. Unlike some policies, which are dusted off when there is an infraction, business continuity management (BCM) needs a constant presence.

This means that the business must adequately identify and assign a value to its critical assets, and assess both the threats to those assets and the impact if those threats are realised. The output of this process should be a business impact assessment (BIA), which can then inform prioritisation and mitigations.

The BIA might also be used as a risk assessment for information security management, if the relevant information has been gathered. Either way, the business now has some numbers to crunch and use to identify the risks that are above its risk tolerance and which must therefore be addressed.

A BCM programme needs to work on reducing unacceptable risks in line with the business’s continuity strategy, developing continuity plans and responses, building and embedding a continuity culture, and exercising, maintaining and auditing the plans. This is a process of continual improvement, and there are now standards to help.

When events do occur, a proper response must be made in a timely fashion. People on the ground need to be empowered to make those difficult, business-affecting decisions and should be suitably senior, or authorised and trained.

New Threats
Apparently 2006 was the year of zero-day (0-day) vulnerabilities. That is, vulnerabilities were used or released before the vendors had either been advised or had prepared a fix. Reasons are varied but, like the attempted auction of the Windows Metafile (WMF) vulnerability, are likely to be financially motivated.

In 2007, expect this area to grow, with vulnerability hunters seeking fortune over fame. To defend against unknown vulnerabilities, apply the old but effective principle of defence in depth – and don’t expect the vendor to keep you safe.

Other things that may emerge this year are increased targeting of different operating systems (e.g. Mac OS X), new platforms (e.g. games consoles with online capabilities) and online games, along with more targeted phishing and malware which will be harder to identify and block.”

A PDF version of the magazine is available online at: