MetaCompliance

Innovative Policy Management and User Awareness Solutions

The two major determinants of a successful Governance, Risk and Compliance (GRC) Project.

The GRC Market has noticeably matured in the past 2 years. The UK’s leading User Awareness, Risk and Policy Management Software solutions provider Metacompliance was recently ranked in first place in The Hypatia Research report on the Global GRC Market, “Best Practices & Drill Down GRC Q1 2012: Data Access & Security”. The report looked at 48 global GRC vendors and 440 companies that are building GRC into their future business strategies, if not already doing so.

The report concluded that vendors and customers alike agree that government and industry regulation show no signs of abating. If anything, the recent fallout from the lack of regulation in the Financial Services sector has added to the general acceptance that compliance needs to become a “business as usual” issue. The FSA lists a staggering £66 million in fines handed out to financial organisations in 2011, a sure sign that regulation continues to become more stringent.

For me, two of the major determinants of success for an organisation’s Governance, Risk and Compliance (GRC) Strategy are organisational culture, and people.  By the latter I do not mean all of the people in an organisation (these are indeed important but not at the strategic level of GRC planning), but rather that particular group of people that are required to be in place for a successful GRC strategy to be possible. These people must have seniority within the organisation, and have the relevant expertise, experience, personal standing and persistence that is required to drive organisational change and strategic success.

The Information Assurance Maturity Model (IAMM) is an excellent method of determining where an organisation sits in relation to its compliance obligations. The model allows an organisation to get an idea of what should be in place by way of process, policy, technology and people, and provides a solid baseline for a GRC strategy. However, this brings me back to the people and culture issue. In order to develop and embed a successful GRC programme, the organisation needs to have executives and management who recognise firstly that compliance is a business imperative, and secondly, have a realistic understanding of where their organisation sits on the IAMM. The question for them is: how close are we to making governance, risk and compliance part of our business norms?

The greatest challenge for this team of people will be to look at the core issue of honestly determining their company’s culture of compliance and security. Unlike other business functions, such as sales for example, compliance and risk have no natural origin within most companies, meaning that those norms have to be created, nurtured, developed and managed for the long term. Other industries have had to undertake similar evolutions, for example the requirement for safety within the oil and gas industry. It took at least a number of decades for safety to become part of their culture, to become embedded in the “organisational DNA”, and it will take time for GRC to become business as usual. I feel that success means beginning the process now.

In their report, Hypatia researched the top reasons for organisations to invest in GRC Software and Consulting Services. “When asked for the top three reasons organisations invested in GRC tools, survey results spanned a wide range of motivations. The highest percentage of respondents (43.5%) cited ‘industry regulations require it’, while 28.7% said ‘Our CEO insisted upon it’ and 23.1% said ‘Our lawyers insisted on it’.”

Sometimes the CEO has to be the executive sponsor of the team of people who are tasked with changing the company’s culture.  Often, nothing short of this type of emphasis is required to cut through the interdepartmental politics that get in the way of necessary change. For a GRC Project to be successful there has to be an alignment of the irrefutable driver of regulation, the resourcefulness of a capable management team and the backing of a “C” Level Executive. Would you agree?

Robert O’Brien

User Awareness and Policy Management key to dealing with proposed changes to EU Data Protection Law.

EU Justice Commissioner, Viviane Reding

How can Policy Management Software help you deal with proposed changes to EU Data protection law?

The proposed changes to EU Data Protection laws have caused much media attention since the live EU debate on Wednesday. At Metacompliance, we agree with the Justice Commissioner, Viviane Reding’s argument that the changes will “help build trust in online services because people will be better informed about their rights and more in control of their information.” One thing is certain: you cannot afford to ignore the debated changes if you hold electronic customer records. Companies who are found in breach of the proposed new regulation face a fine of up to 2% of annual turnover.

So, what key changes to the 1995 Data protection laws are the Commission proposing?

  • People will have easier access to their own data, and will find it easier to transfer it from one service provider to another.
  • Users will have the right to demand that data about them be deleted if there are no “legitimate grounds” for it to be kept.
  • Organisations must notify the authorities about data breaches as early as possible, “if feasible within 24 hours”.
  • In cases where consent is required, organisations must explicitly ask for permission to process data, rather than assume it.
  • Companies with 250 or more employees will have to appoint a data protection officer.

This is just the natural evolution of the rules associated with data usage and its safeguarding.

What has user awareness and policy management got to do with this?

It’s the people issue!

There are still too many organisations treating data protection as “someone else’s problem”. Data Governance should have the same standing in the organisation as Financial Governance. However, it took at least a few decades for Financial Governance to reach the priority within an organisation that it now enjoys. It will be the same with Data Protection and Governance.

Ultimately your organisational Data Protection culture needs to match existing and proposed responsibilities. These proposed changes to EU Data Protection Law provide the incentive to ensure the organisational journey and culture change commences and stays on course.

The culture of best practice Data Protection begins with user awareness. Should there be a Compliance incident, then your IT Security policies become the baseline for any discussions. A combination of User Awareness and IT Security policy management needs to be at the center of an organisation’s response to this increased regulatory environment. Obviously, at Metacompliance we would recommend the use of Policy Management Software to automate these repetitive Compliance processes. Do you agree?

Lynn Jennings

“Solicitor, you should know better!” – Policy Management and Data Protection awareness in the professional services industry.

Once again, all eyes are on the public sector on the issues of data protection and privacy, with the latest (record) fine from the ICO reflecting the sensitivity of the information involved.

However, these problems extend further, into those private sector businesses that also provide our services and hold our information; businesses such as Solicitors and Barristers, Estate Agents, Pension Firms, Accountancy Practices; businesses who hold as much, if not more, of our sensitive information than our local council. This is an area in which the Metacompliance partner community can add real value in improving organisational awareness of Data Protection issues.

Many of these organisations have no concept of the behavioural responsibility they have for data protection. They view privacy and information security as an IT problem, which amounts to securing the firewall, updating the anti-virus, essentially keeping the bad guys out. They would never think that an inadvertent conversation with a colleague, or in the case below a diligent report back to the office, can be a serious breach of privacy and data protection laws.

Case in point: a telephone conversation I overheard on a train out of London this week. I’ve saved you the full extent of my “rant,” but here is a snapshot of the information I, and 30-odd other people, are now aware of:

  • The names of the defendants in a mortgage arrears case
  • The address of their property
  • The name of their estate agents
  • The amount outstanding on their mortgage, and how much arrears they owe
  • The amount the house is valued for
  • The mother’s occupation and monthly net earnings, including how much child support she receives for her two daughters, aged 10 and 14
  • The fact that the father is out of work, has mental health issues, however refuses to claim benefits as he won’t admit to his health issues
  • The mother has a restraining order out against the father
  • The outcome of the case, i.e. how much longer the judge has granted that this desperate family can remain in the house before paying the arrears or selling

The regulators are aware that this is a problem. Representatives of the ICO have, in recent times, been very vocal in their desire to push for an extension of their powers to the private sector to combat lax attitudes to data protection.

But it’s not the fines that are the issue for the private sector, it’s the reputational damage. A fine is a one-off cost. Incident investigation costs, whilst extensive, are finite. Even legal costs can be quantified and belts tightened to absorb these. However, the loss of revenues due to a breach of privacy and data protection laws is open-ended, can extend far into the future, and could very easily shut an SME down.

The MetaCompliance partner community have evolved the skill sets needed to help professional services companies change attitudes to data security issues. With Policy Management Software such as MetaCompliance, our partners can review and update key policies, can recommend methods for distributing them to employees and can even carry out ad hoc, face-to-face training on information protection, privacy and data protection.

Any company, public or private, will be found seriously wanting if a lack of user awareness has resulted in a data breach involving sensitive information. The only way to combat a lack of user awareness is through ongoing education and communication. Most organisations have a natural inertia that restricts the type of change necessary to avoid the risks of compliance failure.

By using an outside organisation to act as a catalyst, management can enable the implementation of the continual awareness communication programme that is necessary to change employee behaviours towards privacy and data protection. Third party specialists can provide the expertise and knowledge to analyse the information generated by the Policy Management and Risk software and remediate against this to maintain a culture of privacy and data protection for their customer.

All our MetaCompliance partners have seen a significant increase in the levels of interest in compliance management from their customer base. Professional services organisations looking to start the process of culture change in relation to data protection and computer use policies can link up with our partner community by contacting me on thutton@metacompliance.com.

Tara Hutton.

#Infosec Awareness…begins at home.

Louise and I were e-mailed the following Infographic from Creditsesame, which appeared in Tech Republic this week, by our colleague Bernard. It considers the risks to our homes from criminals on Social Network Sites. An interview with 50 burglars revealed that a staggering 78% use Social Networking Sites to find out information about their targets!

What struck me about this was how much information we readily give away on social network sites on a daily basis, perhaps sometimes without considering how the information could be used by a criminal. An innocent comment about staying with relatives over Christmas tells people your house will be empty during the festive period; a picture of your shiny new 50” Plasma TV shows the unscrupulous what tasty wares can be picked up chez nous. Just add a link to your house on Google Maps and we have a burglar’s invite.

The infographic, from Creditsesame, offers the following practical tips to protect your home:
• Set your Facebook Privacy Settings to allow only friends to see your content
• Only add actual friends to your network
• Never announce you are going to be away from your home for periods of time
• Never post information regarding your address
• Don’t post photos of expensive items in your home

We can all relate to protecting our homes, it affects us on a deep personal level. In the same way, we are becoming more aware of the dangers of identity fraud occurring on social network sites by revealing Personally Identifiable Information (PII), through our innocent on-line conversations. “Happy 30th Birthday everyone” instantly reveals your date of birth, “took Snoopy to the vet yesterday” and you let people know your pet’s name. The social network sharing culture will hopefully tighten up as people become more aware of the dangers through awareness campaigns such as this.

So, how do we apply this information to the workplace? How do we raise awareness of best practice infosec at the organisation level? How do we ultimately change the culture to one of vigilance and accountability? Well, perhaps we start by delivering personal best practice Information Security messages to staff, maybe using the market-leading policy management software ;) By educating people to protect themselves outside the organisation from the bad guys, they will surely be better equipped to protect your company from cybercriminals?

You can download Free Social Network Information Security Posters on our website here. Contact me directly if you would like to order personally branded copies for your organisation: ljennings@metacompliance.com or contact Lynn Jennings on 02079179527. Or follow us on Twitter @metacompliance.

Check out the following video by Louise Baxter on Top Tips to Practice Safe Social Networking.

Lynn Jennings.

A Human Firewall, what a way to deal with IT Security and Data Protection

As MetaCompliance Channel Manager, I am constantly talking to our partners about InfoSec Awareness and the opportunity that it presents for the channel.

As InfoSec Awareness is becoming recognised as a growth sector, the conversations have been changing, and they are now more focused on how businesses can integrate infosec awareness into their Risk and Compliance strategies. So, I thought I’d share some of the points in those conversations.

The first step in understanding where infosec awareness will fit in a partner’s “go to market” strategy is an acceptance of some key truths.

• Firstly, there are 3 types of companies in this world: those who have experienced a data breach, those who have yet to experience a data breach, and those unfortunates who have experienced multiple breaches (thanks to our MD for putting this so succinctly in a meeting last week). I see lots of heads nodding in agreement.

• All companies are struggling with compliance policy management and user awareness. Fewer heads nodding in agreement? Think about it. We’ve all been preaching about awareness and education as a core component of infosec for a long time. When anything goes wrong, everyone falls back on policies and process, be that a data protection incident or an employee tribunal.

Take the concept of employees as a “human firewall” (thanks Pete Wood, and whoever allowed you to borrow that idea originally). Right now, most customers would say that they would love to achieve the “human firewall” and have their people “on the ball” when it comes to real data protection.

Educate employees as to the tangible consequences of lax infosec practices (high costs, loss of revenues, frozen salaries, suspended bonuses, even job losses) and they will be more than happy to participate. The problem is corporate commitment. A lack of executive backing results in companies failing miserably at implementing even the most basic of InfoSec Awareness programmes. Without the backing from on high it’s difficult to cut through the corporate inertia.

However, that’s where the real change is occurring. Whilst the fines from the ICO are a major stimulus, there is a growing acceptance that the reputational damage caused by a compliance incident is a real financial threat to the organisation. Once Executives accept this proposition, they realise that they need to work on changing the culture of the organisation in order to mitigate these compliance risks.

That’s where MetaCompliance comes into its own. InfoSec awareness technologies will fit nicely into the gap between consultancy and product in any channel business. They are perfect for resellers pursuing a more “value add” strategy that generates services and product margin.

For more information on MetaCompliance and the MetaPartner programme, please contact Lynn Jennings on 0207 917 9527 ljennings@metaCompliance.com.

Tara Hutton.

Employees: the First Line of Defence.

In my last Blog Post I discussed the importance of training and awareness in IT security. Many of us in the industry have realised that IT security failures are more often the result of a human error than a technical one. An article in SC Magazine ‘new starts and contractors are biggest targets of social engineering attacks’ caught my eye recently.

The following video highlights the findings of the survey carried out by Check Point on Social Engineering and includes some startling statistics you need to be aware of.  Not surprisingly, new employees are most susceptible to attack, followed by contractors, executive assistants and HR employees.

The message here is we are only as strong as our weakest link. User Awareness of IT Security must start at induction, include third parties and reach all levels and departments, it needs to be refreshed at intervals and tested to identify the weakest links in your organisation.

Louise Baxter.

Charities: how do you avoid the Reputational Damage a Data Breach would entail?

Charities have managed to escape a fine from the ICO for publicised Data Breaches to date as the nature of those breaches has been deemed to not cause substantial harm to the individuals affected. Breaches which have reached the glare of the media have luckily not included lost data such as sensitive payment card details. People tend to get a bit prickly when such information is leaked from a trusted source. Given so many charity donations are now digital transactions, and human error is the main cause of data loss, user awareness of information security policies and guidelines must surely be a priority for IT Directors and HR Managers in charitable organisations? The reputational risk a public Data Breach of this nature would entail would surely have much further reaching consequences than an ICO fine?

Awareness

Charities, like other organisations who hold sensitive customer information, have a variety of high and low tech methods of increasing user awareness at their disposal. A Blended User Awareness Strategy is the best option to engage learners and sustain knowledge. The ICO have a great resource section on their website specifically tailored to help Charities understand their legal obligations under The Data Protection Act when handling information and marketing to the general public. In this section you will find details of their excellent TH!NK PRIVACY campaign, which advises people to ‘press the mental pause button’ when handling personal data.

Metacompliance have produced a number of videos and posters designed to help your users learn best practice information security practices and policies. Our customers have taken a pro-active approach to their Data Protection responsibilities. They use these free resources alongside our User Awareness and Policy Management Software to create and sustain a Best Practice Information security posture and culture in their charitable organisation.

CCitDG Conference.

We are delighted to be sponsoring the CCitDG Conference on 6th & 7th October. If you are attending, please call by our stand for a chat, where we will be giving away free glossy A3 information security posters and pointing you in the direction of other fantastic free resources which are out there for you to use.

(And if you happen to be a judge in The Lion’s Den event at the CCitDG Conference, please be gentle on Robert Pickett and me!)

Lynn Jennings.

Is the IT Department the Achilles heel of your IT Security?

The term ‘Cyber Warfare’ has entered everyday language, as have terms like ‘Cyber Threats’ and ‘Cyber Criminals’. Things have really changed from ten years ago, when virus attacks were largely ego plays with the objective of showing how smart the programmer was. Now we have a much more sophisticated world and the stakes are much higher.

The evolution of the Advanced Persistent Threat (APT) reminds me of a game of chess. In that sense the new security threats are like warfare, in that you have the obvious attack, the feint, and the hidden, real attack. With the current high profile attacks there was careful planning and information gathering, if not spying. Once the target was identified there might have been a DDoS attack to distract the organisation. Meanwhile the real person targeted would receive an email with a link from a known source (although it originated from a spoofed email source). On clicking this link a piece of crafted malware would enter the organisation, bypassing all perimeter security. This malware would lie dormant for a period of time so as to arouse no immediate suspicion in the person who clicked the link. Then, later, this intruder would throw open the gates to the castle and provide the bad guys with access. As Mr Spock would say: “It’s war, Jim, but not as we know it”.

In chess, real success occurs when you can obtain an opponent’s “man” that has a high relative value. Simply put, securing a Queen during an exchange has a higher value than taking a pawn. Similarly, in the APT world of cyber chess, securing control of a profile that has various levels of administration access is more important than that of someone who has an email account and a locked down PC.

I’m not saying that the Network Administrator is more important to the organisation than the Health and Safety Manager. What is obvious is that the Network Administrator is going to be of more interest to the bad guys. So as a minimum the Network Administrator should be aware of all aspects of Information Security. From our experience this role is pretty clued in, as they are constantly involved in perimeter defence.

The problem lies with those people within the IT Department that are not involved in “Walking the Wall”. What about the guys who do in-house application development, infrastructure support, first line help desk, application support, database administration, etc.? Within the IT Department we have extensive specialisms and little crossover. The people that look after Active Directory do not touch Oracle databases, and vice versa.

Information Security awareness within the IT Department is often taken for granted. The old chestnut of us against them, users versus IT Department, does not help. It leads to the generalisation that the insider threat exists within the overall user base, and that IT people know better.

I’m not sure that is the case. IT people may be in the industry, but they are not all focused on InfoSec. However, it is this group of people that have the real capability to bypass process and controls. My contention is that the cyber bad lads know this and it is a cornerstone of their strategy for penetrating the security of their victims. The IT department is the Achilles heel of the organisation when it comes to cyber threat. They are the people being profiled so that a sophisticated attack can happen. They have the keys to the citadel.

So what’s to be done?

If this message rings true, then an emphasis has to be placed on changing the culture within your IT department.  Information Security awareness has to be scripted into the DNA of your IT teams.

Now I am sure some people are saying that they have standards: ISO27001, PCI DSS, SAS70, etc. Of course it’s important that an outside certification entity says you passed your test. But these standards are minimums; they exist to provide a level of comfort.

True protection starts when the mantra of your IT department is “paranoid by design”. Information Security is the responsibility of everyone in the organisation. However, this focus has to be within the IT department at a minimum.

Robert O’Brien

The Importance of Training and Awareness for Information Security

Training and awareness is becoming a hot subject in the world of information security and compliance. Why, I hear you ask? Well, the need for education is becoming more apparent as many experts in the industry have realised that information security is more of a people problem than a technical one!

We all know it is difficult to hold people (employees) accountable for policies and procedures they don’t fully understand. Organisations can have policies and procedures in place, but if employees don’t understand them they won’t be followed. Remember, you can build a car, but we still need the driver to drive it safely! MetaCompliance have produced a series of Compliance Aware Posters and Videos to help you communicate best practice Information Security. Contact ljennings@metacompliance.com for your complimentary resources.

The following video highlights the importance of training and awareness for Information Security.

Louise Baxter.

The Importance of Training and Awareness for Information Security from Metacompliance Media Team on Vimeo.

5 Reasons Why User Awareness is the Next Big Thing in the Channel

The summer months have passed, and it looks like “silly season” has officially ended, given the significant increase in calls and email I’ve received today. From this week onwards, all channel personnel will have the foot firmly back on the accelerator, preparing either for the half year or end of quarter, and most will also begin looking ahead and planning for next year.

So what is on the horizon for next year? What is the next “big thing” for the channel? What are our customers talking to us about? What problems do they need to solve? And, more importantly, what will they buy? The simple answer: User Awareness. Yes, “mobile.” Yes, “The Cloud.” But hand in hand with any new technology or revolutionary new way of working must be “Infosec awareness.”

The reason for this? Companies have spent the last 10 years dealing with the “technology” in compliance. A lot of money has been spent (and made by channel) on protecting the perimeter. And now, a lot of companies are scratching their heads and asking what else can be done about that rogue element in all of this, “The User.” As the MetaCompliance Partner Manager, I am immersed in “the channel” on a daily basis, and the feedback from all of our partners is the same; they never fail to have a conversation, or get a meeting, about user awareness and policy compliance, either with their current customer base or with prospective new customers.

Some of you will already agree with me, some of you won’t. By the end of this blog, I hope the majority fall into that enlightened former group. So, for this week’s MetaCompliance focus on channel, I will give you 5 Reasons Why User Awareness is the Next Big Thing for the Channel.

1. Compliance Now Bites. Just ask any of the local authorities that have been fined by the ICO, or the companies that have been on the receiving end of recent FSA fines. Now, if you find yourself in a compliance pickle, not only do you have to show that everyone signed up to your data protection policies, but also that they all understood it. The word on the street is that, within the NHS, the Care Quality Commission will bring in onsite spot checks on user awareness. How many other regulators will follow suit do you think?

2. It’s the IT security market, but not as we know it. A lot of companies made a lot of money on the “technology” side of compliance. However, the IT security market has become very mature, and with this many technologies have become commoditised. There is still lots of activity, still lots of deals, but massive competition and price sensitivity. Infosec awareness is in the early stages of growth (see point 3). Those ahead of the pack will add user awareness to their product offering, become experts in awareness technologies at the early stages, and will reap the benefits for the next 10 years.

3. Compliance is not a business as usual activity... but the regulators say it should be. Look at other legislation that has passed into our culture over the last 30 years: Health & Safety, no smoking, seatbelts and child car seats. I remember vividly being taken to my brother’s football matches in the back of the family Golf, with my brothers and sisters... and the whole football team! My point is this: it will start with user awareness being mandated, and fines will be handed out. Most companies will address it, others will be careless. More fines will be handed out. And before you know it, user awareness technology will be standard in any information governance toolkit.

4. Your customers need help on the path to enlightenment. In these leaner times, many companies, when faced with payroll reductions, looked at the compliance department and thought “Well, we’ve never had a breach, so we obviously don’t need them.” (It’s a perverse world we live in when doing your job properly leads to redundancy, but as we all know, compliance done well goes unnoticed. But I digress.) So, the compliance department now consists of 1, but the burden of compliance and user awareness is increasing. You can’t cut employees in half, so what can you do? Cue the channel. Companies will turn to those IT security specialists with whom they have trusted relationships to help advise on user awareness, supply technology to assist in user awareness, and in many cases, manage user awareness.

5. The only way is User Awareness (TOWIUA!). Six years ago it was rare that the Channel would be asked about automation for InfoSec awareness. However today, across both the public and private sectors, customers have gone through tender processes and are in the process of procuring Policy Management solutions, or have already bought and implemented awareness technology. This market has very definitely been established and customers are now beginning to invest in/buy product. Infosec Awareness technologies represent high product margins and significant pull through professional services for Channel. For those enlightened companies, it also presents an opportunity to set up stall as an early industry expert on InfoSec awareness. My question is “Why Wouldn’t You?”

Looking for the next solution piece to add to your go to market strategy? Look no further: www.metacompliance.com

Tara Hutton
