Data Data Every Where

You’d have to be comatose not to notice the massive increase and proliferation of data devices.  Those of you who know me know I am a huge fan of the Glastonbury Festival.  Even at Glastonbury this year you could see crowds of people drudging through the mud glued to the screen of their smart-phone.  EE cleverly deployed 4G WiFi cows painted in their branding to connect up 250,000 festival goes and workers.  It didn’t work.  I could see telecom masts on each hillside, we had 4G WiFi cows and yet I still couldn’t effectively get online.

This was of course due to the insatiable demand of the consumer for more data, more devices – “we need more power Scotty”. Well, the shift has moved from processing power to pure volume of data.  From the device to the data-centre of course.  The other power needed was of the 5 volt DC type and EE had another cleaver idea – a swap out charging cell for your phone.  Neat idea but AGAIN – hugely oversubscribed and they couldn’t recharge them fast enough.

So, what I observed was a huge number of avid music fans in a very muddy field all struggling with their addiction… no, not that, their addiction to data.  This is a huge change in just a few years.  We are addicted to our data-fix and yet there is something really strange.  We don’t have a clue and don’t really seem to care where our data actually is.  We just push it out in to the cloud and expect it to be there and safe for when we require it.

It’s a small wonder the heavens opened twice over the weekend with an electrical storm which stopped the festival for 40 minutes.  I think it was all the data and the cloud just couldn’t cope and this caused the storm.  It simply has to let go of some of that energy.

But seriously; who is keeping track? Why don’t we care? How can it be managed if we don’t really know or care where our data is held?  We seem to go through a huge change sometimes called growth, then realise we didn’t consider the consequences and then catch up trying to put things right after the event.  It’s a massive technology change and social change and yet we take the security and even location of data for granted.

Typical Blogger P**s Poor Performance

Oh, what a fail!  It cannot be January since my last post.  I have fallen in to that age old trap of starting off so well and then letting time slip away beneath me.

I apologise!  However, SO much has been happening.  Those who follow my micro-blog tweets (What? You don’t! https://twitter.com/iLifecycle) will have seen a lot of it.

As a business it’s been a pronominal start to 2014.  What a great time to be growing a business. We completed a huge network infrastructure deal with a major OEM in March.  It sucked up a huge amount of time and resources but was delivery without hitch a full 8 days early and under budget.  I am extremely proud of my team for this achievement.

We also secured a major hard drive recovery project utilising a truly unique technical process which I would dearly love to tell you about but I can’t.  Again our technical team have done a fantastic job. 

Outside; the ICO have reported that data breaches have doubled in half a year.  The Target databreach just goes on and on and on. Possibly costing Target up to $18Bn… yes Bn.  We have also seen Experian the trusted custodian of our personal credit data embroiled in a scandal where they allegedly sold sensitive data to criminals.

Barclays fell afoul of a cleaver but simple breach where persons pretending to be IT staff attached a wireless KVM to a branch PC and then sat back watching everything that was going on on the screen from a safe distance.

Aviva staff appeared to have sold accident data to unscrupulous operators and a Pregnancy advice charity were finned £200k for failing to secure registered user data on their web site.

Perhaps even more important than the plethora of data breaches is the European Parliament voting to adopt its draught version of a reformed data protection Directive.  MEPs also increased the fines to be imposed on firms that break the rules to up to €100m or 5% of global turnover.

In my opinion this changes the data protection landscape for ever.  In the late 1990’s and early naughties I worked through the changes and impact of the Waste Electrical and Electronic Equipment Directive (WEEE Directive).  I actually think this will have a larger and more profound affect.

The Directives are issued to all 28 European members as an instruction to go away and put in place laws and regulations as set out in the directive.  This means we end up with 28 differing interpretations of the directive all implemented at different times however the core principles are maintained… or should be.

Ministers broadly supported the principle that non-European companies when offering goods and services to European consumers, will have to apply the EU data protection law in full. The next meeting of Justice Ministers on the data protection reform will take place in June 2014.

OK; so this will have an impact similar to Sarbanes Oxley did to business who do business with the USA.  If you wish to do business with the EU you will have to comply.  This will be huge.  Watch this space (I promise it will be updated in a timely manner from now one)!!

BYOD – Bring you own Databreach

I have worked closely with companies who have quite relaxed policies on BYOD (Bring your own Device).  They liked the idea that if an employee wants an iPhone, this was OK, as long as they paid for it.  Personally; I blame Ryanair. People are always telling me what a clever business Ryanair is.  They even charge their employees for training and uniforms.

I’ll resist the Ryanair tangent for fear of this turning in to a customer service rant and I have strong views on business culture.  My point, however, is a simple one.  A BYOD device is another device on your network.  It’s a MAC address with a set of permissions.  Allowing a BYOD access to a network or allowing access to your corporate email system can be little different from allowing an uncontrolled device to connect up remotely to your business critical data.

Socially it is expected.  It might be small and hugely featured but it’s easily lost and exposes the weak underbelly of your whole business system.  In short; it’s a disaster waiting to happen.  Your BYOD is possibly linked to a cloud service such as Dropbox or iCloud.  It’s a high resolution camera which might be used to photograph that White Board so you can write up the notes later. 

Remember James Bond with his mini cameras in the classic Bond movies?  Well now we all carry one.  Ours are better actually as they don’t need developing and they transmit and sync our images almost instantaneously to the cloud whilst our phone is in our pocket.

Now let’s look at email.  I know of situations where member’s of staff have had both personal and work email accounts on the same BYOD.  This enabled them to forward work email to their home account (with attachments) with no record on the business exchange server other than the email had been read!  This is a security haemorrhage point and nobody really seem that bothered.

Of course you will be thinking that the Cloud services, email policy and even the camera could be controlled in a switched-on company.  You are probably right and of course they should be.  My point is really one of attitude.

We all carry these devices with Gigabytes of data on them in and then out of our business worlds.  They soak up data and information about our habits and movements and they record highly sensitive data. 

BYOD need to be controlled – just like any other business critical device.  Ownership actually complicates the situation.  They need to be controlled, audited and the risk assessed.  Staff need to be trained.  Ownership of the data needs to be considered with great care and attention.  Policies need to be written, implemented and measured.  People need to be trained.  BYOD is not a panacea to cheap technology infrastructure.  BYOD could become your worst nightmare.

Lastly; what happens when the employee leaves? Is the demarcation of personal data and business data a clear one? – probably not.  If their personal iPhone has been linked to their home PC (and it probably will have been) then you don’t just have the challenge of you data being on one device but probably many.  Not only that but you probably have no idea where your business data is.

By its very nature BYOD puts your data in an uncontrolled environment.  Phones and tablets are lost and stolen in huge numbers every day.  On average a London taxi has a phone left it in once every day!  The disposal of data and devices upon leaving the business is an HR minefield and a risk most businesses haven’t even considered. 

Bring you own device? - Bring your own Databreach!

A Fictional Data Breach Scenario

In 20 years in the technology industry, I have yet to find a business who has their data under control.  It’s a really tough challenge!  It slips through your fingers like water due to human nature.  It’s human nature to take a path of least resistance to achieve an objective especially when you add pressure to a circumstance.

I’m going to give a fictional circumstance to a data breach which is in the public domain but a data breach which I commented on at the time.  In May 2009; a disk bought on eBay contained details of test launch routines for the THAAD (Terminal High Altitude Area Defence) ground to air missile defence system. The same disk also held information belonging to the system’s manufacturer, Lockheed Martin, including blueprints of facilities and personal data on workers, including social security numbers.

Based on other information found on the disk it was probable that an employee or supplier or perhaps a consultant took valuable highly confidential data home and worked on his or her home computer.  He (for brevity) might have even deleted local copies although he probably forgot.  He certainly failed to securely erase data which in the wrong hands could be invaluable.

We’re going to call him John in my fictional scenario.  John is under a huge amount of pressure.  He’s consulting for his aerospace client having been bought in to cover the sudden sickness of a key member of a program team.  This is a bit of a stroke of luck for John as he’s been without a contract for a few months.

At home John is a family man but he has pressure from this side of his life too.  Financial pressure has been building up.  His wife has been working longer hours to try to cover the shortfall.  This has meant John has been helping with the kids and the school run.

John’s in that horrible stage of a new contract where he doesn’t know all the team and he needs to build relationships.  He’s completed his induction but the pressure is now on full to catch up for the lost time.  The project didn’t plan for the key man sickness and its John’s job to catch up.

Today John has to get home on time as his wife’s at work but he must also complete an urgent report.  Frustratingly John’s not got his new work laptop yet. He’s getting in to the office as early as he can but today he must leave on time for child care.  His new boss and the person who decides his future needs the report “on his desk at 8am, without fail”.

John can’t win.  He can’t leave his children and he can fail in his new job.  The pressure is unbearable.  His only option is to pull out of his briefcase a USB flash drive.  He plugs it in and tries to copy the files. Frustratingly his aerospace client has disabled the USB ports.  Then he has a brainwave.  He logs on the webmail of his personal consulting business.  Hotmail and Gmail are blocked but his consulting domain works.  He emails his work to himself, presses send and then logs off.  John rushes to collect his kids.

At home John cooks his kids their diner, puts them in front of an x-box and settles down to his evening’s work.  It’s half 12 at night by the time john finishes. He emails the work back to the office and goes to bed.

Two years later his home PC is upgraded and he recycles the old one at a local civil amenities site.  The hard drive along with the memory are scavenged by a temporary employee at the site and are sold on eBay for a few extra dollars.

This scenario is made up but I hope it makes you think just a little.  How waterproof (dataproof?) are your processes and procedures?  Have you tested for leaks?  Do you record and track when data is accessed and copied?  Is your “bring you own device” (BYOD) policy and control in place?

Confidential data is like water.  It finds a way if it’s not contained.