STAR toolkit – autism and online safety


Some more news from the Safer Internet team, this time helping to increase online safety knowledge. Anything to boost awareness has got to be good news, especially for some of the more vulnerable in society.

Last week, Childnet, a partner within the UK Safer Internet Centre, launched a new online safety resource that offers practical advice and teaching activities to help secondary schools explore internet safety with young people with autism spectrum disorders (ASD). Developed in partnership with Leicester City Council and schools in Leicester, the STAR Toolkit aims to increase the online safety knowledge of educators and empower them to support their learners to use the internet safely and positively.

The toolkit was launched officially at an event in Leicester on 3 June and has been supported by vocal coach and TV presenter Carrie Grant, herself a mum of two children with autism spectrum conditions.

To find out more and download the resource, visit Childnet’s website here.


UK Government launches new Cyber Essentials scheme

The Department for Business, Innovation and Skills (BIS) has launched Cyber Essentials – a scheme aimed at highlighting security controls that will help organisations mitigate the risk to their IT systems from internet-based threats.

The scheme focuses on five essential mitigations. It provides organisations with guidance on implementation, as well as offering independent certification for those who need it. The five mitigations are:

1. Boundary firewalls and internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management

It has been produced in support of the UK Government’s National Cyber Security Strategy objective to make the UK a safer place to conduct business online. Determining the benefits of cyber security and knowing where to start remain a significant challenge for many organisations, and the scheme is intended to give them a clear starting point.

Further information on the scheme can be found here.

eBay hack – yet another example of the risk to personal data

I’m concerned about the recent attack on personal data where eBay announced on its website that hackers penetrated its systems and gained access to over 145 million eBay users’ names, passwords, email addresses, physical addresses, phone numbers and dates of birth. You can read more here.

Apparently a probe is ongoing into eBay’s business and security practices after this attack where a considerable amount of customers’ personal data was accessed.

Yes, eBay has told customers to change the passwords on their accounts, but this won’t help with the names, physical addresses and dates of birth that have also been compromised. I’m not a customer, and now I’m even more certain I won’t become one of a company that can lose this sort of information and take so long to report it.

I’m sure eBay is large enough to weather the storm, but think about your own business and how you safeguard your customers’ information – would you still have customers if you exposed it?

And meanwhile, if you are an eBay user, you should look at changing not only your eBay password but also the password on any other account where you have reused the same one (you shouldn’t do this anyway, but maybe you have). Make sure the new one is strong whilst you’re at it.

Choices, choices, which antivirus product should you choose?

These days there are quite a few antivirus packages to choose from and it’s difficult to know which is best. On top of that, you need to consider whether you want to pay for antivirus software when there are free packages available.

A recent report placed Microsoft Security Essentials at the bottom of the list for home computers based on industry tests. Products tested included:

• Kaspersky Internet Security 2014
• Norton Internet Security
• ESET Smart Security
• McAfee Internet Security
• Avast! Free Antivirus 9
• AVG Anti-Virus Free 2014
• Trend Micro Titanium Internet Security
• BitDefender Internet Security
• Avira Internet Security
• Microsoft Security Essentials

However, this doesn’t mean Microsoft Security Essentials fails to protect your computer against threats, just that other packages do it a little better.

Read the story here, and if you want to read further, go to the reports page at Dennis Technology Labs here, where you will find the reports for Enterprise, Small Business and Home products.

Good, up-to-date antivirus software is just one measure in the fight to keep your information secure.

Innovative ways to raise cyber security awareness

I was particularly interested in the various ways we can promote awareness of cyber security, especially as we are reliant on the good practice and vigilance of staff members in the fight against cyber crime. The article here looks at different ways in which the message can be presented to staff.

I quite liked the alternative method suggested by Bill Walker, technical director at QA Training, which involves creating an app that appears to shut down employees’ machines, then informs them that they have just been attacked and that all of their emails and data have been lost. “When you then tell them that this was a drill, they would sit up and listen. It’s one of those things that people only take seriously when they see the consequences directly,” he says.

This reminded me of one method employed by an old boss of mine to enforce a clear desk policy. When an unfortunate member of his staff left papers on their desk at the end of the day (instead of locking them away as they should have) he would sweep the whole lot into the waste paper basket, to be collected and removed by the cleaner that night. When the staff member arrived next day to find their papers gone, they would be reminded of the importance of a clear desk policy. To my recollection, the papers were indeed gone forever and the staff member never did it again. This was over 20 years ago and I still remember it.

Now I’m sure this may be a little extreme for most people but sometimes just repeating the same message does not work and a more active demonstration of why things are done in certain ways may just go in that bit better.

What more innovative ways can you think of to raise awareness of cyber security issues in your organisation?

Study shows most security professionals helpless to stop data theft

A global study has uncovered the deficient, disconnected and in-the-dark conditions that challenge IT security professionals.

The top finding of the report is that 63% of more than 4,800 IT security practitioners polled doubt they can stop data theft, because of deficiencies in security systems.

Read the story here.

The study is the first of two conducted by the Ponemon Institute, aimed at exposing weaknesses in cyber security and sponsored by security firm Websense.

Areas of focus include the effectiveness of security systems, the perceived value of confidential data and visibility into cyber criminal activity.

The report reveals that security professionals are using systems that fall short in protecting organisations from cyber attack and data leaks.

The study also revealed a disconnect between management and the perceived value of confidential data, with 80% of respondents saying their company’s leaders do not equate losing confidential data with a potential loss of revenue.

This is in contrast to recent Ponemon Institute research, which indicates that data breaches have serious financial consequences for organisations.

I’m not surprised by this; it’s a bit like a householder leaving their front door open, being burgled, then complaining that the police haven’t stopped it happening and being surprised when the insurance company asks for a list of the things stolen. It’s the householder’s responsibility to seek advice, take effective preventative measures and work with expert agencies to minimise the risk.

In the information world, prevention is better than cure. Identify your key information assets and the risks they face, then put in place a plan to protect them. What’s more, make sure someone at senior level is responsible for those assets – the security professional is there to advise, but the risk remains with the responsible owner.

Security Incident Reporting – why it’s important to encourage openness

A key part of maintaining secure information is to report security events and weaknesses. This allows you to properly assess both the threat and the most appropriate response and to learn from experience. But for some companies it doesn’t operate this way.

More than half of IT staff said they will only inform managers when the threat is “serious”, and will also try to filter out negative results, according to a report by US cyber expert Dr Larry Ponemon, who surveyed almost 600 individuals working in various sectors of IT. However, what technical staff perceived as serious was often in stark contrast to the view of senior management.

Read the story here.

I wonder if a culture of under-reporting stems from an unwillingness to expose problems that may reflect badly on support staff. The only way around this is to educate staff to report more, and for the reports to be used as a learning experience, not a stick to beat them with.

For your company, do you have a clear, published and well-communicated incident management process that encourages all information security events and weaknesses to be recorded, assessed and responded to? Do you have a culture of openness for this reporting? Do you celebrate rather than punish staff for being more open about security weaknesses? Do you learn from this process?

The value of information

So, you go to a lot of trouble to get information, keep it up-to-date and to use it to further your business. And then… someone comes along and steals it. Not only that, but they then blackmail you in an attempt to extort money.

Implausible? Well, this clinic suffered just such an attack; read more here.

Make sure you don’t suffer in the same way: develop a robust technical environment and process for capturing and storing information, and don’t leave it on a public web server to gather dust. Rather, save it, use it and delete it from publicly accessible places. Treat it as you would treat your own personal information – with great care!

It’s too late to do this once you have been attacked, so best think about it now!

My Heartbleeds… practical tips to cope with this nasty bug

By now most people are aware of the Heartbleed bug – a nasty vulnerability in OpenSSL which means that usernames and passwords for secure websites may have been captured.

If you want a straightforward read about this, I suggest you try the TechRadar article here, which also contains advice for owners of websites.

The advice is to change all your passwords, but to check first that the site is clear of Heartbleed. The link above contains a few suggestions on places to go to check, but you can also use the McAfee Heartbleed test here.

Sadly, due to the media coverage, this vulnerability is now more likely to be exploited, so the best protection is to practise good password management:
• Set strong, memorable passwords (see earlier post on this)
• Set different passwords for different sites you visit
• Change your passwords regularly

If you find you will not remember all these passwords, then my advice is to write down something about the password that only you will remember. Alternatively, you can invest in a password management tool; see a review of the top 10 here.

Data Protection Audits

The Information Commissioner’s Office (ICO) has issued a report here providing a snapshot of organisations providing secondary health care and how they are complying with the Data Protection Act.

The report summarises key findings from 19 audits carried out by the ICO, primarily with NHS Trusts. The audits looked at how personal data is handled by each organisation and how this fits alongside NHS information governance guidelines.

The organisations voluntarily agreed to work with the ICO to identify good practice and, where necessary, improve procedures relating to the handling of personal data.

The audits found:

• All the organisations had data protection policies and procedures in place, though compliance with the policies wasn’t always effectively monitored, for instance through spot checks.
• All the organisations had a system in place to track health records, though some did not conduct audits for missing files. The physical security of records also varied, with concern raised particularly around unlocked trolleys used for moving files.
• There was also a lack of simple password controls, notably enforcing regular password changes.
• Some organisations had little in the way of fire or flood protection in place for paper records.
• All organisations had appropriate information governance related risk registers and risk assessments that were regularly reviewed.
• Concern was raised around the use of fax machines for sending personal information, given the human error associated with using a fax machine.

So what about your organisation? Do you have data protection policies and procedures in place? More importantly, do you check that they work and that people adhere to them? Do you apply them to paper as well as electronic information? And do you consider physical loss as well as compromise of data?