Managing the Human Dimension Archives

November 21, 2006

Employee monitoring - has Big Brother arrived?

The subject of Employee Monitoring is currently at the forefront of my mind as I polish up my notes for a talk on this subject at a CISO dinner tonight at the London Capital Club. I’ve been thinking deeply about this issue for a long time. Not that I’m any kind of dangerous radical or extreme conservative. In fact I’ve always aimed to strike a healthy balance between the interests of the individual and the needs of an increasingly heavily regulated business community. And I know I’m not the only one thinking about these issues. A few years ago I aired a few comments on the breakdown of the boundary between business and personal lifestyles in Computer Weekly and was immediately contacted by Dr Peter Skyte, leader of Amicus, the top white collar union. I was impressed to be able to discuss some of these issues with a union leader with a good understanding of IT. Too often we associate trade unions with the Industrial Age, but they also have an important role to play in the new Information Age.

Things were much simpler in the old Industrial Age workplace when every aspect of business life was standardised, separated and synchronised. Employees did business in a dedicated building during set hours. Outside of that it was no concern of your employer how you spent your time. Now it’s all mixed up. People simply grab the nearest communication channel to conduct personal or business transactions at any time, any place, anywhere. You can’t easily separate business and private activity. But we do have to monitor and archive the communications activity on our business networks for three good reasons. Firstly, to keep out any bad content that might be damaging or illegal. Secondly, to detect and immediately stop any unauthorised access or leakage of confidential information. And thirdly, to meet the increasingly demanding legal and compliance requirements, which might for example require all customer communications and staff emails to be reconstructed many years hence.

Technology is not a constraint these days. The devices available today are extremely powerful and easy to install. You can buy a tiny box called netReplay from Chronicle Solutions, plug it into your network and it will immediately begin scanning and recording the web traffic and emails of tens of thousands of users. The real issue is not capturing the information but figuring out just what is sensible to record and how best to manage the process. No responsible organisation wants to snoop on their employees’ behaviour. In fact you can’t do this without also complying with a raft of complex and occasionally contradictory legislation concerning human rights, privacy, data protection and communications interception. Just keeping up with this legislation and framing the “acceptable use” policies is starting to become a full-time job in itself. The real problem today is not keeping up with the mass of communications coming into and out of the organisation, it's controlling the policemen and securing the monitoring equipment. Because anyone can now play Big Brother at work if they want to.

November 29, 2006

Securing the Written and Spoken Word

Two unrelated news items caught my eye today, one an obscure case about a cheque modification fraud based on erasable ink pens, which I picked up from Bruce Schneier's blog, and the other one a high profile news item about the bugging of Royal conversations by journalists. It’s always helpful to get occasional reminders of the vulnerability of written and spoken information to short-range physical attacks, even though such attacks are generally rare and a relatively low priority for most organisations.

The interesting thing I’ve always found about these threats is that they often seem to be counter-intuitive for many people. Most of us have a high confidence in the provenance of paper and ink documents, even though they are extremely easy to forge. We are too trusting when it comes to the written word because forgeries are outside our everyday experience. Bugging is also an arcane practice that is not well understood by the average person. A paranoid executive might think that a crackly telephone line suggests a bug, when in fact the opposite is more likely, i.e. eavesdroppers prefer clear lines. And I know some executives who worry that their office might be bugged but still feel confident enough to pull out confidential papers on a train or plane, or perhaps talk openly in bars.

There's nothing more intrusive than a planted bug or line tap, but fortunately such incidents are rare. These attacks are tricky to mount, as they present risks to the perpetrator and they require inside information and frequent access to the target office. The results can also be unpredictable and time-consuming to process. There are often cheaper and easier methods of gaining inside information, such as bribing a member of staff or hacking into an insecure database. The trick, of course, when considering potential attacks on information is always to put yourself in the attacker's shoes.

December 9, 2006

What's Your Risk Appetite?

One of my colleagues drew my attention to a recent posting on the GetSafeOnline blog pointing out the lack of IT security training at MI6. In the new James Bond film, Casino Royale, a Swiss banker asks Bond to enter a password for a bank account that will hold the $150m winnings from a poker game. What password does he use? The name of his girlfriend. Stupid, you might say? But on the contrary, it merely illustrates the daring risk appetite we associate with these buccaneering chaps at MI6. Unfortunately the reality of HMG Security is quite the opposite, as illustrated by the non-memorable 12 random character user identifier needed to prevent anyone else attempting to pay my VAT returns. Of course, a normal commercial organisation would never be able to afford this luxury, given the negative impact on customers and the high cost of help desk transactions to handle their complaints. But there's a simple solution. Just charge the tax payer for the phone call.

December 12, 2006

Managing Security Perception

The need to manage perception seems to be a hot topic these days. Stuart King’s blog posting earlier this month got me thinking about the importance of personal perception. But managing perception across an organization is an issue that crops up whenever I give a talk on the human aspects of security. Influencing people is especially important in security because it's a subject that's rarely in the forefront of people’s minds. And many aspects of security are either hidden or outside of their personal experience.

Managers, users and customers all need to be more aware of potential risks and the impact of security incidents. They need to understand their responsibilities and how to use the controls at their disposal. They also need to be deterred from even contemplating unauthorised activities. All of this requires more than education. It requires changes of attitude and behaviour. And as any psychologist will tell you, if you wish to change behaviour, you will have more success if you focus on the perceived consequences of people’s actions, rather than the corporate policies and rules that attempt to influence them.

It's no easy task, though there are some techniques and methodologies to help with this problem. Typically, you can’t always argue the facts directly with people because many of them will adopt a defensive attitude. It’s always more effective if people can discover the importance of security for themselves. This requires imaginative scenarios, games or storylines to encourage people to at least temporarily suspend their disbelief and consider the fuller implications of security risks or incidents. This is the basis of many classic learning techniques such as scenario planning. The trick is not to stray too far from the real world, unless for example you really want people to “think the unthinkable” (which might be useful for contingency planning).

Because any serious attempts to change perception need to be firmly grounded in reality. Mere spin or fantasy will never be as effective in the long run. Perception management is a powerful amplifier - but never a substitute – for the truth.

December 13, 2006

Neuro-Linguistic Programming – Snake Oil or Powerful Management Tool?

For some years I’ve been observing the quiet infiltration of Neuro-Linguistic Programming (NLP) into many respectable professions. I’m not an expert on NLP but it seems to me to be a rather bizarre mixture of science, ancient religion and new age thinking. Lately, I’ve noticed it being used in the IT Security field, mainly for social-engineering exercises.

NLP is a highly controversial field that offers practical benefits, though it lacks a reliable scientific basis. Even the Wikipedia entry is disputed. If you believe its practitioners, you can read people's subconscious signals and manipulate their behaviour. With a bit of practice you might even be able to hypnotize people into carrying out your suggestions. Of course the problem is that it’s not guaranteed to be 100% reliable, so you can easily be wrong or perhaps fooled by someone sending out false signals. So don’t try it for poker unless you’re certain your opponent is not an exponent.

So what should we do with this strange new tool? Exploit it or consign it to the dustbin? Some professional psychologists assure me it’s one of the most powerful tools in their armoury. Others tell me it is dangerous, to be avoided. It’s your choice. Because the jury will always be out on tools that only work some of the time.

December 14, 2006

Identity Management in a Virtual World

I was highly impressed with the company and the discussion at a CIO dinner in London last night. A main topic of conversation was Second Life, the new virtual reality world that seems to have captured everyone's attention and imagination.

Many people are investing serious amounts of time and money, creating avatars to explore and enjoy this mysterious new world. Even my Welsh Terrier has developed an alter ego. These identities are now becoming so valuable that even top CIOs are suggesting that they might be a good reference site for understanding the issues around Identity Management. It's a very interesting idea. They're an obvious target for Identity Theft. But we haven't yet heard any reports of problems. How do they do it? I think we should be told.

January 10, 2007

Countering the Threat of Information Security Fatigue

Charles Pask's comments on my recent blog postings raise an interesting and realistic new threat: that our industry might lose credibility due to non-events, because we are simply too good at what we do, and the bean counters are out to squeeze our budgets. It's a good point. I've certainly noticed the mounting pressure from accountants as we aim to spend increasing amounts of money on yet more point solutions that all sound very similar - generally a variation on “network security” - to counter threats that rarely materialise. You can also see this fatigue in the area of staff awareness, whenever we ask to put out yet another staff circular on the importance of password selection. So what can be done? Here are some practical tips.

Firstly, explain what's changed. You won't get a bigger budget unless you can point to something new that demands it. There's certainly plenty of evidence to suggest the risks have increased.

Secondly, don't cry wolf, or at least place a realistic quantification on your risk assessment. If you assess the risk of a major incident in 2007 as 20%, there's a good chance it won't happen and you can pat yourself on the back. If you think it's 80% then you have a good case to immediately go out and spend money to reduce this to an acceptable level.

Thirdly, use a richer vocabulary for countermeasures that sounds plausible and doesn't lump them all together in a single category, such as "network security" or "access control”. Any accountant worth his salt will quickly spot that you've already bought a product under that heading. So why should you need a new one?

Fourthly, explain the need for defence-in-depth. Most managers quickly get this and it makes sense. It also suggests that you will need more than one level of countermeasure, so the accountants will expect further spend to be forthcoming. I've used this one myself quite successfully.

Fifthly, take a course in Neuro-Linguistic Programming (NLP) so you can at least try to manipulate or even hypnotise the Board and the bean counters. But check out my earlier posting on this first.

January 22, 2007

Employee Monitoring - a hot topic for 2007

Tonight I’m again debating the subject of Employee Monitoring at a CISO dinner. I’ve already posted some thoughts on this subject. But I’ve noticed quite a lot of interest and debate now being generated as CISOs and journalists begin to consider the impact of new technology from Chronicle Solutions that enables any organisation to mount blanket surveillance on their employees’ communications.

The quintessential issue is just how far we should go in exploiting this unprecedented capability. Because it has tremendous potential for business efficiency, but it can also trample all over your employees’ human rights.

Most responsible organisations will only examine staff emails as part of a formal, authorised security investigation. There should be no random fishing for potential wrongdoings. But security investigations can be broad in scope. And once you have the capability to search across all staff communications there is a clear potential for scope creep. You’re not restricted by a need to request access to each individual user’s emails.

And when you look at what’s actually going on in any organisation, you’ll find an awful lot of disturbing things that you wished you hadn’t seen.

February 6, 2007

The Art of User Awareness

Those of you in the medical profession might be familiar with a UK publication called Primary Care Today. I was recently approached via the BCS to contribute a short article for this on-line magazine about the importance of IT security in a primary care setting. Like all such pieces it had to be short (700 words), comprehensive and cater for a varied readership. Not an easy task. But one that all security organisations face from time to time, usually with the added difficulty that it has to be repeated on a regular basis with a fresh perspective. You can read my attempt on the Primary Care Today website. There’s certainly an art in conveying user awareness given the constraints of any popular medium and the competition for space. You need an eye-catching introduction, a memorable end-line and in between a list of points that must sound interesting despite the fact that not all of them will be relevant to each reader. It’s an interesting exercise that all security professionals should tackle every now and then, if for no other reason than to remind ourselves that effective communications are not as easy as we might sometimes imagine.

April 10, 2007

Don't Judge Microsoft on a Single Glitch

Microsoft's failure to detect the animated cursor bug in Vista has encouraged critics to speculate that its highly-acclaimed secure development process might not be working as advertised. They have a point. One would certainly expect its code review process to have spotted and eliminated this particular vulnerability. It's remarkably similar to an earlier flaw in the same section of code.

But this is not so much a failure of Microsoft's new development process as a reflection of the fact that you can't eradicate years of insecure practice through a single business transformation. It takes a long time to achieve the highest levels of process maturity. And software development is a complex process full of uncertainties and pitfalls, and managed by humans who are bound by ambitious targets. Perfect, secure software is a pipedream. What really counts is an organization's capability to recognize, correct and learn from its mistakes. And that is how we should really judge the quality of Microsoft's software development process.

April 17, 2007

Acceptable Use Policies Not Acceptable Enough

One would have thought that by now every company would have got the message that they need to have an effective and up-to-date acceptable use policy (AUP) in order to protect their interests from illegal or inappropriate Internet use by employees. Unfortunately that's not the case. A recent survey carried out by Chronicle Solutions, a leading UK vendor of communications monitoring products, has revealed that 31% of British firms don't have an AUP. And of the ones that did, only around one in twenty had read it recently. Only a third asked new hires to read, agree and sign it off. And 80% of respondents weren't certain if there were penalties for breaching the policy. On top of that very few policies included IM and Web mail. And none addressed blogging.

These are serious failings which must be fixed quickly if employers and employees are to prepare themselves for the onslaught of the current revolution in social computing. We need an education drive to bring managers and employees up to speed. It also makes me wonder whether larger, more experienced organizations are being put at risk by smaller suppliers who may have little or no control over their employees' behaviour. It wouldn't be the first time that we've found that poorly supervised supply chains are the soft underbelly of our security defences.

May 3, 2007

Securing Portable Devices Isn't Easy

Earlier this week I gave a talk to Intellect's excellent Security and Privacy Group on the subject of how to manage the risks associated with portable devices. It's a hot topic because the risks are growing and they're very difficult to manage.

Portable devices are getting more powerful and proliferating. It's an unstoppable trend. As Neil Gershenfeld of MIT Media Lab observed many years ago, there's a tendency for computers to progressively de-fragment. They keep getting smaller, more numerous and better connected. We've moved from mainframes to minis, to micros, to laptops, to PDAs. Personal area networks are next. Eventually we will be working with clouds of smart dust.

May 28, 2007

Security and the Great Game of Fly-Fishing

The blog postings have been a bit thin over the last week as I've been fly-fishing for wild brown trout in North West Sutherland. (Not Sunderland, I should add, as a journalist once misquoted.) Mobile reception is weak in this part of the UK but you can just about get a GPRS signal if you sit in a car directly below an aerial mast.

You might think that fly-fishing has little in common with Information Security. But you'd be wrong. The competition for secret information is intense, as people from all walks of life - engineers, builders, sea captains, diplomats, company directors and knights of the Realm - contend for the satisfying honour of catching the most impressive fish of the week.

It takes a lifetime to master the hill lochs of North West Sutherland. There are many hundreds of lochs and lochans. Some have big fish, some have small fish and many have no fish. Beginners are usually given a few tips and then left on their own to discover the best fishing by trial and error, logical deduction or espionage. Keen regulars will search out out-of-the-way lochans with no fish and breed their own private stock fish within them. It takes years to grow trophy trout specimens. Secrecy is paramount and intelligence of the locations of these vintage stock ponds is priceless.

This is the Great Game of fly-fishing. Espionage, fraud, bluff and double-bluff are rife. Conversations are in hushed tones to prevent eavesdropping. Successful fishermen are tracked or tailed. Maps are secretly stolen and copied. And information security is the tightest I've ever encountered. That's because the motivation to behave securely is always highest when the consequences of success or failure are personal, immediate and certain.

June 18, 2007

DTI Unveils New Research in Human Vulnerabilities

Today the Department of Trade and Industry unveiled their latest research awards aimed at addressing the thorny (and under-researched) subject of the human risk element in network security. With £4 million of research grants already awarded, it's clearly a serious programme. Will it deliver? Yes, in my view it looks set to deliver some innovative outputs. And that's not just because I'm involved. We have four very interesting and complementary projects, from consortia including experienced universities and organisations. Participants include BAE Systems, Loughborough University, HP, Merrill Lynch, University of Bath, University of Newcastle, University College London, Chronicle Solutions, University of Plymouth, National Computing Centre and the University of Manchester. What's interesting and different is that all projects contain a significant input from professional behavioural science experts. And in my opinion that's the key. Because security is long overdue for a technology transfer from other scientific areas.

June 27, 2007

Security Awareness – how much should we spend?

Yesterday I was presenting to the Information Security Council of a large international company on the subject of information security awareness. It’s currently a hot topic as more and more organisations wake up to the fact that people are a major cause of breaches, yet not enough has been invested in this area, and much of it has been ineffective.

There are many reasons why security awareness initiatives fail to hit the spot. Often the material is dull, people have difficulty relating to it, it’s poorly designed and presented, and the consequences of following (or not) the advice are not sufficiently personal, immediate or certain. Security managers and in-house communications staff are not the best designers of educational material. I’ve always found it pays to get external professional assistance.

One question put to me was: "What percentage of security budget should be spent on security awareness?" A good question, which deserves more than the obvious answer of “a lot more”. My immediate response was that it depends where you are in terms of process maturity and other factors that might shape your priorities, but in my view it should be 10-20% of security budget, i.e. at least 10% and no more than 20%. This might sound a lot to many organisations but it reflects the importance of the subject, the need to do it properly and the substantial return on investment from reducing the numerous incidents caused by ignorance and bad practices.

July 3, 2007

Changing Threats Require Better User Security Awareness

The importance of anticipating - or at the very least keeping abreast of - emerging threats is illustrated by a report by Carole Theriault, a senior security consultant with Sophos, highlighting a huge increase in the number of malicious Web sites. She points out that the number has risen from 5,000 a day back in April to nearly 30,000 a day. This indicates an escalation in the threats from malware and a shift in tactics from hackers, with more and more legitimate sites being hacked and embedded with malware.

What does it mean for organisations? Amongst other things, it's increasingly likely that users will get infected with malware when visiting innocent sites. Organisations need to raise their game to mitigate this risk by educating users about the risks and discouraging unnecessary visits to personal sites from work. Like many things in security today, the immediate answer lies primarily with enhancing human factors rather than implementing technology. But we also need to develop better technology solutions to achieve a more reliable response to this continually growing threat.

July 27, 2007

Another Breach of Credit Card Data

It’s good that organisations are now coming clean about breaches of customer credit card data, though it’s worrying that there are so many of these incidents. Yesterday Newcastle City Council announced an “inappropriate release” of up to 54,000 credit and debit card details covering transactions earlier this year. The Council became aware of this breach when they hired an external security specialist to test its security. The testers discovered that a file had wrongly been placed on an insecure server and had been uploaded to an address registered outside the UK. Fortunately, some of the most sensitive data items (the credit card numbers) were encrypted. But this breach should never have happened.

On the surface, it might appear that it was human error that triggered this breach. But the root cause of such incidents is always deeper. Organisations should take special care when designing and implementing systems that process sensitive customer data, especially those that connect to the Internet. Controls should be designed to take account of human failings. People make mistakes from time to time, so compensating measures are needed to prevent control lapses from turning into breaches. Crossed fingers are not good enough. Regular penetration testing is essential but not sufficient to monitor security. Such tests need to be backed up with real-time vulnerability scanning.

As the safety community has long understood, behind every major incident there are likely to be, on average, around thirty minor incidents and three hundred near misses. And perhaps many more bad practices.

August 8, 2007

Should Security Be Nasty or Nice?

I always smile when I hear security consultants advising that organisations should create a security culture. Why? Because quite simply there is no such thing. Security means entirely different things to different people. And of course there’s more than one way to skin a cat. No single approach works best across every situation and community. People respond differently according to their religion, culture, background, location, ambitions and motives. Amongst many other things.

As Douglas McGregor, a famous MIT social psychologist, pointed out in his classic 1960 book "The Human Side of Enterprise", there are fundamentally different approaches to managing people. It’s all a matter of taste. Some managers favour an authoritarian management style. Others prefer a more participative approach. And in practice you can achieve effective security either by instilling fear, paranoia or suspicion into your staff, or by building on positive motivators such as responsibility, trust and empowerment.

Great minds do not think alike on this subject. Galileo, for example, clearly favoured an educational approach, declaring that “You cannot teach a man anything. You can only help him discover it within himself.” Other revolutionary leaders, such as Uncle Joe Stalin, preferred to wield the lash. “Trust is good, but control is better”, he was heard to say. So you have a choice. You can be nasty or nice. Which one should it be? Impossible for me to say. Because the most appropriate approach depends on you, as well as the nature of the community you’re trying to change, and its chosen management style.

August 24, 2007

What Makes a Good Spy?

Checking out the excellent FIRST Global News postings, my attention was drawn to a feature from the Telegraph Web site on “Top Web sites for Spies and Spying”. This article, amongst other things, comments on the new Jason Bourne film, pointing out that it’s a “thinking man’s spy series…praised for its gritty style and widely credited with influencing the down-to-earth portrayal of James Bond in the remake of Casino Royale starring Daniel Craig”.

I have to disagree. Jason Bourne is an assassin, not a spy. He is aggressive rather than charming, as real spies should be. He would have been hopeless at gathering useful information from reluctant targets. Spies have to be friendly and charismatic to persuade people to give them secrets. From this perspective Daniel Craig is badly cast as James Bond. It was a mistake to switch from the excellent Pierce Brosnan, who was without doubt the definitive example of a top charmer and super spy. Ira Winkler will tell you that James Bond is not a great spy because he regularly gets caught. He also misses the point. That’s just an occupational hazard. The real trick is to come out on top, which Bond of course always did.

October 29, 2007

To Catch a Thief

Cyberspace has an unusual effect on our perception of acceptable behaviour. For example there’s a phenomenon researchers term “the disinhibition effect” that encourages Internet users to behave in ways they wouldn’t dare contemplate in real life. There’s also an unfortunate tendency to glamorize hi-tech crime, to the extent that a successful hacker or fraudster can make a fine living out of security consultancy and appearance fees. So it was no surprise to find Frank Abagnale, a one-time convicted fraudster, giving a keynote address at last week’s RSA Conference in London, which boasts “keynotes delivered by the industry’s most respected leaders and innovators”. It’s a sign of the times.

October 30, 2007

How to win Friends and Influence People

They say that a week is a long time in politics. But changing public sector strategy can take a lifetime. So it’s unrealistic to expect civil servants to turn on a sixpence and immediately revise budgets and scorecards to implement the recommendations of a single study. It takes a bit more effort than that. So I was a little surprised by the reaction of Richard Clayton, a researcher from Cambridge University, to the rather inadequate Government response to the House of Lords Science and Technology Committee’s recent recommendations on personal Internet security.

Richard’s posting on the Cambridge University Security Research blog accuses the Government of being stupid or ignorant because they did not immediately implement his recommendations. Welcome to the reality of politics and business. Change cannot be achieved through good ideas alone. It requires convincing evidence, a sound business case and patient lobbying. And when you don’t get your own way, the smart response is to refine your arguments, not criticise the decision makers.

October 31, 2007

A Picture Paints a Thousand Words

I've always stressed the importance of strong visual images in security programmes and awareness campaigns. It's surprising how much leverage a strong, well-thought-through image can generate. Professional advice helps. In the past I've hired award-winning ex-Saatchi & Saatchi creative teams to help design themes, images and straplines. And I once hired Judith Hann of Tomorrow's World to help create a forward-looking image for a new security function.

So I can only admire the enterprise that prompted the CIA to adopt its latest terrorist-buster logo. It certainly creates an impact. Any suggestions on a suitable hacker-buster version?

November 8, 2007

When it comes to Communications, Smarter beats Dumber

Yesterday Andrew Yeomans of Dresdner put a risk management challenge to me and fellow blogger Stuart King. The issue arose from a discussion about Get Safe Online, the educational site aimed at citizens and SMEs. Andrew favours the idea of such training but feels that the information given is too detailed and contains too much jargon. He asks “What are the 2, 3 or 4 key measures that are proven to significantly reduce the risk to your PC?”

It’s an interesting and an important problem, but it’s the wrong question. You need context to assess risks and priorities properly. One size doesn’t fit all. There’s a huge difference in user practices, the value of their data and the security of their environment. And it’s further complicated by the increasing number of alternative security solutions and the growing range of platforms of varying vintage out in the field. So let’s rephrase the challenge to “How can we simplify the security advice to PC users?” Now that’s easier to answer.

Start by asking questions to establish the context for the advice. This will help prioritise and filter down the recommended controls. Then it becomes easy. For example, if you do your banking online, then up-to-date advice on phishing would be a high priority. And if you let your family share your business laptop then you’ll probably need “the works”. But if you just use a PC for email to family and friends, then switching on your firewall and installing a good AV package is probably all you need. Building intelligence into systems is always a smarter move than dumbing them down.

November 12, 2007

De-perimeterised Cartoon

I couldn’t resist a smile at Bruce Schneier’s blog posting of a New Yorker cartoon, with a de-perimeterisation theme. I've always liked New Yorker cartoons, especially the dog ones, and you can buy the rights to use them in presentations at a reasonable price. They’re also a nice company to deal with, as I found out last year when I tried to order some goods online but was blocked by their anti-fraud measures. I sent an email of complaint, and was impressed to receive an apologetic telephone message from their Director of Sales offering to take my order in person. It just goes to show that good service can go hand in hand with good taste.

November 15, 2007

Human Factors Dominate Today’s Security Problem Space

Earlier this week I gave the closing keynote address at Kable’s Information Security in the Public Sector conference in London. The subject, requested by Kable, was “Creating a Security Conscious Culture”. It’s another indication of the growing importance of human factors in today’s security and IT problem space. And it’s not just in user education. The key obstacles and enablers to aligning security with business goals, or in joining up Government IT, are politics, perception and relationship management.

A year or two ago there was much less interest in human factors. Today it’s the most requested topic for advice, research or presentations. The UK Technology Programme is investing millions of pounds in research in this area. Leading universities are building more human factors content into their courses. And sales of security education services are at an all time high. I’m already booked to give presentations on the subject next year in the UK and USA.

Will this trend continue? Yes, it has a long way to go. The major obstacle at present is the shortfall of budget and resources assigned to the subject. It can take years for such vital enablers to catch up with the latest challenges. But there is a compelling business case because it reduces incidents and, more importantly, their associated costs. If your organisation is not spending at least 10% of its security budget on security awareness and behaviour change, then it's probably got the balance wrong.

November 19, 2007

Security Culture and Social Engineering

I was interested to read my fellow blogger Stuart King’s posting on Psychology and Security. In particular he raises the tricky question about what a member of staff should do when confronting a visitor. Should they be suspicious and ask intrusive questions? Or should they be helpful?

It’s not that easy in practice. In fact, the more you encourage a service-oriented culture, the more vulnerable you are likely to become to social engineering attacks. Professional attacks are exceptional. It’s not what staff expect to encounter. It catches them off-guard. Most people want to be helpful. And it can be career-limiting to provide a bad experience to a senior person or an important customer.

From time to time I’ve been involved in interviews of applicants for security manager posts. I’ve always found it interesting to ask what they would do if the CEO arrived without an office pass. Would they let them in or would they turn them away? Generally it’s one or the other and both answers are unsatisfactory, either from a security or business perspective. You’re damned if you do, and damned if you don’t. It’s rare to hear an imaginative compromise answer. Just once I heard one: “Sir, of course I recognize you and this time I will let you in, but next time you forget your pass I will turn you away”. I was impressed with this answer, though not everyone would be. Because there is no perfect solution.

At the end of the day it all depends what sort of security culture you prefer, and how much of a nice guy, control freak or bully you are. Do you like to make other people paranoid or servile? Do you like to punish people for getting things wrong? Or do you want to encourage positive characteristics such as openness, trust, forgiveness and empowerment? The choice is yours.

November 22, 2007

No More Mr Nice Guy – Time for CISOs to Get Tough

One of my predictions for 2007 was that this would be the year that CISOs would finally get tough with business units, tightening corporate firewall policies and closing down insecure connections. The context was the need to respond to zero day exploits that introduce numerous sources of risk across enterprise infrastructures.

It hasn’t quite happened in the way I imagined. But the need to get tough is becoming pressing following the run of high-profile, avoidable breaches of personal data.

Sometimes a CISO needs to be a perfect diplomat, building good business relationships with a reassuring bedside manner. At other times a CISO needs to be hard and uncompromising. The pendulum is now swinging towards the latter. Forget your popularity. It’s time for all CISOs to crack the whip.

November 28, 2007

Cock-up or Conspiracy?

It’s interesting to discuss root causes of data breaches such as the recent HMRC breach with other security professionals. Most agree with my general suspicion that when something like this goes wrong it’s more likely to be down to a cock-up rather than a conspiracy. In fact the most popular theory is that the discs never got sent. Because we’ve all experienced that situation when the phone rings and someone tells you they haven’t received that package you promised to send a few weeks ago. “It’s in the post” is the natural reaction. And once you’ve painted yourself into a corner it’s not that easy to get out.

Of course this is all just speculation. But it’s remarkable to imagine that tiny human oversights can trigger major crises. That’s often the nature of organisational crises. They’re usually caused by long-standing, deep-seated flaws, but they can be triggered by unconnected, perhaps minor events that attract media attention to the flaw. The art of crisis management is to understand and tackle the underlying flaw, not focus on the trigger. But it’s easier said than done. And of course, it’s also important to remember and respect the second rule of holes: if you’re in one, stop digging.

November 29, 2007

Don't Forget Your Digital Wallet

Digital cash wallets seem to be a long time coming. It must have been about fifteen years ago when I saw Bob Fletcher of NatWest Bank presenting the concept of the Mondex electronic money card to a highly amused I-4 audience of CISOs. (It was the corny cowboy music on the video that had them rolling in the aisles.) Unfortunately Mondex sank with little trace. But now the concept is being trialled again in London using Nokia phones modified to make travel payments through Oyster travel card technology. These mobile phones will double as a travel pass and a wallet for making small value payments.

From a security perspective it’s interesting to speculate on the opportunities and threats presented by portable digital wallets. What else can they be used for? Are they as reliable or as safe as cash? I have to admire the optimism of the O2 marketing people who claim that the mobile wallet is an idea whose time has come because mobile phones are already seen as many people’s most valuable possession. They point to research showing that more people are likely to go back home and get their phone if they leave it behind rather than return for their wallet. Perhaps so, but research also shows that a staggering 885,000 mobiles, worth around £342 million, are accidentally flushed down the lavatory each year.

January 21, 2008

Ten Practical Steps to Prevent Laptop Theft

After all the shocks and finger-pointing following the HMRC breach it’s disturbing to hear that a laptop with unencrypted, sensitive MOD data could be stolen from the boot of a parked car. The data of course should have been encrypted. But that’s not enough, because every lost laptop has a business impact.

All organisations experience laptop losses, so security managers should aim to minimise the risk. Experience shows that proactive efforts make a substantial difference. I've covered this issue before but it's worth repeating and expanding the advice. Here are some practical tips.

1. Ensure your IT Helpdesk reports cases of stolen laptops to a security manager.

2. Conduct an immediate damage assessment for every laptop that goes missing.

3. Establish where and how laptops are being lost. Is it from particular offices, models of cars or hotels?

4. Get professional advice from the local police on how best to avoid theft. For example are some car boots more at risk than others? Are there local hot spots for vehicle thefts?

5. Review your policies to ensure you have major sources of loss covered.

6. Send out warnings and advice to all executives at risk. Tailor this information as far as possible to take account of local threats and vulnerabilities.

7. Take special measures for business units and functions that handle sensitive information.

8. Monitor incidents and report them regularly to senior management. Advertise this fact to business managers.

9. Send out regular reminders to executives, especially at high risk times for thefts and losses such as the lead up to Christmas.

10. Benchmark your performance against other similar organisations. If you’re experiencing more losses, find out why and take further remedial action.

Persistency helps. Keep hammering away at the problem and it will progressively reduce. With good policy, advice and constant reminders you can reduce the level of losses to zero. That should be your target.

January 27, 2008

Detecting Insider Threats – Easy in theory, hard in practice

The newspapers are full of coverage about the amazing case of Jerome Kerviel, the rogue trader at Societe Generale, alleged to have gambled $73 billion and cost the bank $7 billion. It’s a staggering loss, yet it’s a classic risk faced by all big banks. In fact some have suggested that there is no defence against this type of insider threat. Can that really be the case?

Yes and no. In theory it should have been easy. This was a man, like Nick Leeson, with knowledge of back office systems and their checks and controls. That is a clear risk. It’s claimed he didn’t take holidays and refused to allow colleagues to cover his desk. These are classic signs associated with insider fraud that should ring alarm bells.

Why was he not uncovered earlier? Because it’s not that easy in practice to challenge company staff. Most people don’t expect fraud. It’s outside their experience. They’re trusting and they respect other people’s privacy. It’s not nice to point suspicious fingers at colleagues. Managers defend their staff. And their initial reaction to a suspected fraud is to disbelieve accusations. It’s human nature. That’s why insider threats are hard to detect.

March 8, 2008

Identity Cards Get Personal

HM Treasury has just published Sir James Crosby’s report on Challenges and opportunities in identity assurance. It’s a document that all security professionals should read, not only because it's a hot topic, but because it’s not often that we get to hear the views of a former top banker on a major public policy issue.

The report considers both public and private sector uses of identity. It rightly emphasises that “every aspect of an ID card scheme should be designed from the consumer’s perspective”. And it sets out some good principles regarding trust, ownership, informed consent and the need for quick repair of compromised accounts.

The report favours a more rapid roll-out. It even recommends that enrolment and tokens should be provided free of charge to encourage citizen buy-in and quick uptake. I’m sure the Treasury loves that one!

March 10, 2008