Tag Archives: People
Cultural Differences
I have had the honour of working with the US Secret Service in the past, a role that involved moments of tension, good humour, a fair bit of coffee drinking, and some very intelligent conversations.
One such conversation related to how the approach to Protection work differs with the cultural background of the host country. For a Presidential Visit, the USSS work with the local security teams to agree how the President will be protected – this is a balance between the expectations of the USSS and the local knowledge of the hosts. For example, what is ideal in the US may be problematic for the host country, and a better alternative is then suggested.
Most of this is a pragmatic conversation between experts; culturally, however, there may be fundamental differences that lead to certain responses.
- In some countries, if a VIP is attacked they will be moved away from the threat.
- In other countries, if the VIP is attacked they will be defended at the scene.
Culturally, running away may not be seen as acceptable and to expect it may therefore meet with resistance. The planned response may not be followed.
The same cultural differences exist within companies, especially multinationals or companies formed by mergers, where different teams have different cultures that may, in the event of an emergency, clash with the pre-planned corporate responses. In the worst cases, you can find that you are reacting not only to an attacker but also to your own side.
Running exercises to identify the issues is important, as is clearly defining expectations and roles in handling an incident.
Financial Services Information loss report
Bitglass have released their latest report into Information Breaches. It addresses the current ways in which information is being compromised. These reports are useful as they provide input into developing both the risk models for companies, and in selecting appropriate security controls to manage those risks.
Some of the results are unsurprising:
- The trend of an increasing amount of data being subject to an unauthorised release is continuing.
- Most organisations have had an incident.
- Many organisations have had multiple incidents, often repeats of the same problem.
- Attackers aim for where the money is.
The interesting part is in how information is released.
Since 2006:
- A third of incidents were directly a result of human action, evenly split between accidental and malicious action.
- A quarter of incidents related to lost or stolen devices; laptops, company phones, USB sticks, private phones and so forth.
- A fifth of incidents were caused by external attacks against the IT systems; this includes phishing attacks, where the initial compromise is inadvertently aided by someone inside the company.
- The rest was a mix of mislaid paperwork, payment card fraud and a worryingly large amount of “we don’t know what happened”.
In the US, where the study was done, the average cost of a lost record (one person’s details) was $260. This is about 20% higher than the typical cost-per-record impact outside the financial sector. One key reason for this is the increasing impact of regulatory fines – PCI-DSS penalties alone can reach half a million dollars per incident.
So:
- Information Security is a People issue, not solely an IT issue. Appropriate and relevant awareness among individuals handling the information is critical.
- Methods should be in place to ensure that data on devices that can be lost or stolen is adequately protected.
