Bridewell of Knowledge, May 2015


Upload: anthony-young

Post on 09-Aug-2015


Page 1: Bridewell of Knowledge May

The start of a new year is an exciting time. The reports of the previous year’s security incidents are published and numerous suppliers, having gazed into their crystal balls, provide warnings of the threats we face in the year ahead.

One report that stood out was the Breach Level Index Report. It provided analysis of all of the major and minor losses of data by organisations during 2014. The type of data breach the report covers includes the theft or compromise of personally identifiable information such as names, addresses and national insurance numbers, as well as the theft of financial information such as credit cards. In 2014 there was a marked increase in incidents relating to personally identifiable information compared to 2013, when there were more incidents relating to financial information.

What will not come as a surprise to most people is that the number of global data breaches in 2014 was up 46%, from 1,056 in 2013 to 1,540 in 2014. Over 55% of the incidents occurred in the retail sector, with the financial sector accounting for another 20%.

Whilst globally this may not sound like many, when you consider the number of data records affected by the breaches increased by 78%, to more than one billion, it will make many C-Level executives take notice. To put that in context, in 2014, approximately 32 data records were either lost or stolen every second.

Within Europe there were 190 data breaches reported, with over 60% of them occurring in the UK, which, after the United States, was the second highest in the world. This does not necessarily put the UK in a favourable light. However, we may need to take into account that the Breach Level Index was compiled from reported incidents and information on incidents in the public domain. Is the UK really that bad, or is the UK in fact better at identifying, and more open about reporting, data breaches than the rest of Europe?

It will be interesting to see the trends for 2015 and how the UK will fare in next year’s report.

Is the UK really that bad?

Bridewell Consulting LLP, Soane Point, 6-8 Market Place, Reading, Berkshire, RG1 2EG, tel: +44 (0)1189 255 084

To discuss what Bridewell Consulting can do for you please e-mail [email protected]

www.bridewellconsulting.com

Ongoing update on developments in security and risk assurance

Promoting discussion between business leaders and security professionals

Celebrating the value information security brings to business

Objective perspective on current issues

Building awareness and understanding

Dispelling fear

May 2015

And the winner of the election is…

If you are a resident of the UK you will have been living a hermit-like existence not to realise there is a looming general election. However, for many, the countdown to the 7th May is somewhat less exciting than the music charts countdown.

The logistics, planning and administration that go into a general election are something to admire. It is estimated that the cost to simply administer the election is in the order of £150m. Given the investment and complexity, what are the risks of electoral fraud?

In recent years reports of electoral fraud have become commonplace around the world. Globally it is estimated that 80% of elections come under the scrutiny of international observers. One of the main areas of abuse and therefore challenge for scrutinisers is verifying the identities of voters at polling stations.

In the recent Nigerian presidential election a registration and voter biometric identification system was introduced to verify voter identity. Whilst the introduction of the new system was a partial success, there were many instances of the biometric readers failing and the polling stations having to revert to traditional manual methods. We therefore need to recognise that adopting new voting technologies has risks. However, it does have clear benefits in validating voters' identities, as well as offering the potential for results to be announced soon after polling stations close.

A report on electoral fraud in the UK was published in 2014. It set out that although electoral fraud is not widespread, there were cases of fraud focused in specific electoral wards in England. The report published a number of recommendations that will come into effect in the imminent general election. Sadly the report did not categorically recommend the introduction of new voting technologies.

If new voting technologies are introduced, an obvious benefit may be a less sleep-deprived nation. It may well be the last election night where large swathes of the population stay up all night waiting for the result.

Page 2: Bridewell of Knowledge May

INFORMATION & TECHNOLOGY RISK

CYBER SECURITY

SECURITY TESTING

DATA PRIVACY

INFORMATION SECURITY & ASSURANCE

CLAS Consulting, ISO27001 Advisory and PCI Compliance

Security Operations, Security Architecture and Network Security

Risk Management, Risk Assessment and Risk Treatment

Application and Infrastructure Penetration Testing

Data Protection Consulting and Audits


And finally… Sleep well and don't have nightmares

The 1980s saw the birth of a film franchise that spawned 5 sequels, with a 6th pencilled in for release later this year. The film franchise was Child's Play and it introduced us to the main character, a child's toy doll called Chucky. All sounds very cute until you realise that voodoo is at play. The doll has been possessed by the soul of a serial killer and comes to life.

If a talking, responsive child's doll in the 1980s was a horror writer's work of fiction, what do people think of Cayla?

My Friend Cayla is a child's doll that is able to respond to questions, strike up a conversation and tell stories. My Friend Cayla is like "a real friend", connecting to the internet via wireless and synchronising with iOS or Android smart devices via Bluetooth. The toy does come with some safety features and a "naughty word" black list. But is Cayla all sweetness and light once a hacker gets hold of her? Apparently not: she has been recoded to quote Hannibal Lecter as well as to read extracts from 50 Shades of Grey. There are a number of videos posted on YouTube where Cayla could be sent to the naughty step.

This is not the first example of hackers exploiting a system and looking to scare the owners. In 2013 an American couple heard a stranger’s voice over their baby monitor seemingly calling their child’s name and talking to the child. The couple naturally were convinced there was an intruder in the house talking to their child and ran upstairs in a state of panic. In reality a hacker had broken into their wireless baby monitoring system and manipulated the cameras to see the child’s name and then proceeded to talk to the child. The couple disconnected the system permanently after this scare.

Interestingly, this is only one of many cases of parents and nannies being frightened by hackers tampering with baby monitoring systems.

In many cases hackers are motivated by the sense of achievement having broken into a system that has clearly not been designed with robust security controls.

With the growth of the internet of things, do not be too shocked if you are woken up one night by one of your household appliances calling your name or playing the musical score from the film Psycho… Sleep well.

Who has the keys to my encryption door?

As an interesting footnote, the Breach Level Index Report revealed that only 58 of the data breach incidents reported in 2014 (less than 4% of all incidents) involved data that was encrypted either in part or in full. This highlights that encryption technologies can reduce data breaches.

Encryption technologies have been in the news in recent months. The UK government has announced plans for new anti-terror laws, including plans to crack down on anti-surveillance techniques; in other words, a crackdown on the use of end-to-end encryption technology.

The government's announcement prompted Phil Zimmermann (the creator of PGP, the most widely used e-mail encryption software) to comment that he felt the proposals were absurd. He claimed that any such proposals would be unworkable.

Bridewell Consulting conducted a survey at a recent ISC2 event to gather opinion on the subject. Firstly, the poll asked whether participants believed they had adequate levels of encryption within their organisation; secondly, instead of banning encryption technologies, how should the government address the use of cryptography?

53% of respondents felt their business did not have adequate cryptographic solutions and needed better solutions to address new and emerging threats. However, 45% believed the solutions they had in place did meet their current business requirements. 30% of the respondents believed the government's proposal resulted from a lack of understanding of what encryption does and why. They felt a combination of better education on the use of cryptography together with better licensing of cryptographic technologies would address the government's concerns. 15% did, however, believe there should be two forms of cryptographic solutions: tightly controlled commercial solutions and publicly available ones. Another 15% believed it was far easier just to give the government a backdoor into any cryptographic solution.

One respondent did question: if it was such an issue for the government and the security services, what was the scale of the problem they actually faced? Another jokingly responded that if they knew the answer to this dilemma they would be a millionaire.

It will be interesting to see the impact on business and consumer on-line habits if the government’s proposals become law.