Monday 28 March 2016

Do you have a strong password?

SplashData recently published its annual list of the most used passwords. You can follow the link to see the list - https://www.teamsid.com/worst-passwords-2015/.

The top three were 123456, password and 12345678.

Passwords used to be simple 6-8 character words, but with so many software packages able to crack simple passwords we need to make sure that this most common security control actually works for us. Here are some basic rules. At a recent security seminar a speaker suggested that a password needed to be at least 25 characters long to be effective! (Try remembering numerous 25 character passwords.)

1. Make sure you use a password that is not linked to you personally: no names, birthdates, addresses, pet names, children's names, etc. These are the first things an attacker who knows anything about you will try.

2. The best passwords are a mixture of lower case and upper case characters, numbers and symbols, and should be at least 10 characters long.

3. The longer the password, the more difficult you make it for a hacker to access your information: every extra character multiplies the number of guesses a cracking tool has to make.

4. Make sure you have different passwords for different things, so that one leaked password does not unlock everything else. Your work passwords should be different from your personal ones.

5. Change passwords regularly, at least every three months and more often for access to sensitive information. Work computer systems can be set to prompt for a password change on a regular basis and this should be part of your password policy. Note that more recent guidance from the NCSC and NIST advises against forcing routine expiry, because it pushes people towards weaker, predictable variations; change a password immediately whenever you suspect it has been compromised.

6. Do not write your passwords down on a sheet of paper or on a post-it note stuck by the desk - I have been to a number of organisations where this was the case!

7. For businesses, do not share passwords between colleagues. Each member of staff should have their own individual login and you should not share your password with anyone else; a shared login also means nothing in the audit trail can be tied to an individual.

8. Do not use characters that are adjacent to each other on the keyboard, so no qwerty, zxcvbnm, 1234, etc. Cracking tools try these patterns first.

9. One of the best ways to create a password is to use a phrase, song lyric or opening sentence of a book. You could use the initials of the sentence instead of the whole sentence if you want, even better if you add punctuation as well. Do not use a well-known lyric or opening line as-is, though, as these appear in cracking dictionaries too.

10. If you are using your web browser to store your passwords for websites, make sure you set the master password option where the browser offers one; otherwise anyone who has access to your machine has access to all your passwords.

11. There are online password manager services that can help users safeguard passwords; these include LastPass, Dashlane and 1Password. They store usernames and passwords in the cloud, secured with a master password (make sure it is a strong one). There are also managers that store passwords on your own computer, such as RoboForm, Password Safe and KeePass. If you cannot remember the master password you are pretty much out of luck.

As your password is one of the key lines of security for your information, make it the best it can be.
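The rules above can be turned into a checker. The script below is an added example and is not code from the original post: it rejects passwords on the SplashData-style common list (a small constructed sample here, not the full list), enforces the minimum length and character mix from rules 2 and 3, rejects runs of adjacent QWERTY keys from rule 8, rejects personal details you supply from rule 1, and builds an initials-of-a-sentence password as in rule 9. The keyboard rows, the ten-character minimum and the four-key run threshold are assumptions chosen for the example.

```python
"""Password rule checker (added example, not the post's own code)."""
import re

# Constructed sample of the most common passwords; use the full published list in practice.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345",
    "123456789", "football", "1234", "1234567", "baseball",
}

# Rows of a QWERTY keyboard, used to detect adjacent-key runs (rule 8). Assumed layout.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 10   # rule 2; assumed threshold
RUN_LENGTH = 4    # this many adjacent keys in a row count as a keyboard pattern; assumed


def keyboard_run(password, run=RUN_LENGTH):
    """Return the first run of `run` adjacent keys found in the password (either
    direction along a row), or None if there is no such run."""
    pw = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):           # forwards and backwards along the row
            for i in range(len(seq) - run + 1):
                chunk = seq[i:i + run]
                if chunk in pw:
                    return chunk
    return None


def check_password(password, personal_terms=()):
    """Return a list of rule violations; an empty list means every check passed.
    `personal_terms` are details linked to the user (names, pet names, years)."""
    problems = []
    lower = password.lower()
    if lower in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        re.search(r"[a-z]", password), re.search(r"[A-Z]", password),
        re.search(r"\d", password), re.search(r"[^A-Za-z0-9]", password),
    ]
    if not all(classes):
        problems.append("missing one of: lower case, upper case, digit, symbol")
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lower:   # ignore very short terms
            problems.append(f"contains personal detail {term!r}")
    run = keyboard_run(password)
    if run:
        problems.append(f"contains keyboard pattern {run!r}")
    return problems


def initials_passphrase(sentence):
    """Build a password from the initials of a sentence (rule 9), keeping any
    trailing punctuation of each word and keeping numbers whole."""
    out = []
    for word in sentence.split():
        lead = re.search(r"\d+|[A-Za-z]", word)
        if not lead:                      # pure punctuation token: keep as-is
            out.append(word)
            continue
        out.append(lead.group(0))
        trailing = re.search(r"[^A-Za-z0-9]+$", word)
        if trailing:
            out.append(trailing.group(0))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs; "Rex" and "2010" stand in for a pet name and a birth year.
    for pw, terms in [("password", ()), ("Qwerty123!", ()),
                      ("Rex2010!!Walk", ("Rex", "2010")),
                      ("Correct-Horse-Battery-7", ())]:
        print(f"{pw!r}: {check_password(pw, terms) or 'OK'}")
    generated = initials_passphrase("It was the best of times, it was the worst of times.")
    print(f"{generated!r}: {check_password(generated) or 'OK'}")
```

Running it shows that the initials password built from the Dickens opening line is long enough and mixes case and punctuation, but the checker still asks for a digit, which is the kind of nudge rule 2 is about; adding a year or a number from the phrase fixes it.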


Sunday 20 March 2016

The unencrypted hard drive - missing from a prison…

The Information Commissioner’s Office really had no choice but to come down hard on the National Offender Management Service recently, after a portable hard drive used to back up the prisoner intelligence database went missing from a prison security department.

Although nobody knew when it had actually gone missing, it could have been gone for almost a week: it had last been used on 18 May 2013 for the weekly back-up, but was missing when staff went to back up six days later. It had not been locked in the fireproof safe afterwards, contrary to policy. Not only was it missing, it was also unencrypted and not password protected. It contained sensitive information about almost 3,000 prisoners, including names and dates of birth, length of sentence, offence(s), physical descriptions and distinguishing marks, plus intelligence information about drug use and links to other prisoners or organised crime - certainly not the sort of details you would want to lose.

Although only nine staff members had access to the area where the hard drive was used and the area was controlled by a keypad system, the door to the Security Department could be opened by anyone on the prison staff.

To make matters worse, this was not the first time something like this had happened. Back in October 2011 an almost identical breach involving 16,000 prisoners had taken place at another establishment, and the ICO had been told that, because of this, encrypted hard drives had been supplied to the 75 prisons that were using unencrypted portable hard drives to back up prisoner intelligence information. Unfortunately nobody realised that the encryption software required manual activation, and the IT provider was never asked to check that the encryption was working, so all 75 prisons carried on using insecure portable hard drives for at least a year afterwards.

The encryption software has now been activated and automatic upgrades enabled. The hard drive was never recovered, although it does not appear to have been accessed and there was no evidence that it fell into the wrong hands.

Because there had already been a virtually identical serious breach, the Commissioner considered that this was a very serious contravention of the seventh data protection principle:
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

The National Offender Management Service was fined £180,000. It underlines the fact that even when you think you are doing everything you can to comply with the rules, it can be the simplest thing you overlook that leads to a damaging security breach. Here the overlooked thing was verification: encryption that is supplied but never switched on, and never checked, protects nothing.

Do you know where your backup drives are kept, and do you have official policies in place to ensure that they do not go missing? Are the drives encrypted, and has somebody actually confirmed that the encryption is switched on? Can you imagine what would happen if the personal information you keep backed up were to be lost, either for your business or your clients? If you are unsure how to make sure that this sort of faux pas never happens to you, contact me and I will be delighted to provide you with guidance and advice.

Sunday 13 March 2016

Why hire a Data Protection Specialist?

When I am out networking, one of the questions I frequently get asked is "why do I need to hire a data protection specialist?".

There are lots of skills that an organisation is happy to buy in because it recognises the need for specialist knowledge. You would always ask for legal advice when entering into a contract or lease; you obtain insurance advice on the level of cover you require and the type of insurance that best suits your business; when implementing a new software package you would seek the advice of the software developers to ensure it meets your needs. So what stops you seeking qualified advice on your data protection compliance?

The Data Protection Act is a complex piece of legislation and has been around for about 18 years; over that time good practice guides and enhancements have been added. I have been a Data Protection Officer for about 12 years and I have studied for and gained the qualification to show that I have the skills and knowledge to provide advice to organisations.

There is lots of advice on the Information Commissioner's website (the regulator for data protection in the UK) and you can find out the basics there. If your business is complex, has more than 25 employees, or holds personal information about an individual's health, well-being or criminal convictions, then you really need to get specialist advice.

A data protection specialist, like me, will look at your organisation and the information you are collecting and holding. They will also provide tailored advice to protect the information you hold and help you identify how to use it more efficiently. The requirements of the Data Protection Act should not be onerous, as they are based on good practice for information security.

The cost of getting advice is likely to be far less than any monetary cost your organisation might suffer as a result of the loss of information, whether through accidental or malicious means.

If you want to have a discussion with me about your organisation and how we can help, we offer a free initial discussion so contact us to see how we can help improve your use of the information you collect.


Sunday 6 March 2016

Put on your dancing shoes - or not!

I have been receiving emails about dance classes for the last few months. I don't remember signing up for them, and anyone who knows me will testify to the fact that I have no sense of rhythm at all.

Anyway, somehow I have been added to this mailing list for dance classes. I started receiving emails about three months ago and on average I get three a week; on occasion I have had two a day. There is no method to unsubscribe from the emails. Having got bored with receiving them, I decided to reply to an email asking to be removed from the mailing list. I did this on two occasions a week apart. I didn't receive a reply. The other day another email pinged into my inbox and I decided I needed to take direct action, so I rang the telephone number shown. It went to an answerphone giving me details of the classes available (was there no escape?).

I decided I would call back again later. Just after I put the phone down a text came in - guess what - it was a text to tell me about dance classes, from the number I had just called. I was furious. I rang the number again and this time it was answered. I explained that I was very angry to be receiving these emails and that receiving a text was just too much - I had not given her permission to send me marketing by text message. The response: "Well, people call me all the time wanting to know the times of dance classes, so I don't answer the phone and send them a text." Really - you don't think that the emails and the answerphone message giving information about dance classes are enough, so you decide to send spam texts as well? "Nobody else has complained" (that old chestnut).

I asked about the previous emails asking to be unsubscribed and she told me she hadn't received them. I asked her to remove me from her mailing list, so I gave her my email address; she searched, only to tell me it wasn't there. I said it must be, as she was sending me three emails a week on average. "Oh no, that isn't possible, as that would mean you were on three lists." She rechecked and found I was on her database and on three lists (big surprise!). She said she had been hacked about a month ago and the hacker must have put me on the lists (so a hacker breaks into her email account and adds my name to three of her mailing lists so she can send me emails about dance classes - what a helpful hacker!). She told me she couldn't delete me from her database: "it won't let me". I reinforced the fact that I wished to be removed from the mailing lists and that how she did it was not my problem, said goodbye and hung up. A little while later another email came in from her to tell me she had removed me from her mailing lists, but she had had to remove 10 other people to be able to do it.

What did I learn?
- The dance class provider is not registered with the ICO - potentially a £5k fine and a criminal record for not being registered.
- The emails she is sending breach PECR (the Privacy and Electronic Communications Regulations) by not providing a means to unsubscribe easily.
- Failing to remove me from her mailing list on the two previous occasions is another PECR breach.
- Sending me an unsolicited marketing text is a further PECR breach - the ICO recently fined a company £200k for unsolicited marketing texts.
- The most important thing to her was using the personal information she had gathered to spread her message; the need for security and professionalism that comes with holding a client list was lost on her.

If I was advising her, what should she be doing?
- Register with the ICO - a £35 annual fee.
- Use a proper mailing package such as MailChimp, Mad Mimi, Constant Contact etc. so that she can properly manage her mailing list, and so that people who are desperate to unsubscribe can do so without the hassle I had.
- A proper mailing package would also be less likely to be hacked, provided she protects the account with a strong password and turns on two-factor authentication where the service offers it.
- Stop sending texts to people automatically; she is raising the risk of the ICO investigating her. To send marketing texts you must have the specific permission of the individual.
- Think about the security of the information she is holding. Would she be happy with her own personal information being dealt with in this way?

This is the worst case of failing to find out the requirements for running a business with a marketing list that I have come across in a while - unless you know better. Let me know.