Strategic Security Seminar – Tower of London

Good food, good company and great seminar

by Michael Smith (Veshengro)

The Strategic Security Seminar was held on Wednesday, July 2, 2008, at the Tower of London. It was organized by CM Logic in conjunction with IBM Partners, and the venue was chosen with reference to securing your assets.

What the presentations showed, and what we have recently come to realize with regard to lost data on CDs and such, is that too many companies, government departments, organizations and others take far too lackadaisical an attitude to database and general computer information security and to the security of (critical) data.

We do not even want to talk, in this instance, about ordinary home or even small business users of computers, including those that have sensitive data on their PCs and small networks.

Other important and sensitive computers are so often also unsecured, as we have noticed recently with the loss of a number of laptops belonging to members of the military and security forces.

During the seminar it was mentioned that a survey had found that:

10% of all websites that accept payment details do not encrypt them.

35% of all companies and institutions have no control over staff use of instant messaging.

67% of all companies and institutions do nothing to prevent confidential data leaving on USB sticks and similar devices.

78% of all companies and institutions that had computers stolen did admit that those computers did not have encrypted hard drives.

84% of all companies and institutions do not scan outgoing emails for confidential data.

I am sure now everyone is really feeling secure and that their data held by others is safe – hardly.

The Strategic Security Seminar was held in the “New Armouries” of the Tower of London, and the venue and the food were brilliant.

The presentations by the speakers from the various companies were most informative, and it might have been good if more CIOs and CEOs from more companies had attended this seminar and would attend other such seminars.

There does, however, seem to be the attitude about that, while it may happen to others, it could never happen to them. False security and a false sense of security is no security at all.

I know we find this attitude not only as regards computer and data security. In many cases people and organizations who should know better also treat perimeter and site security, as well as personal security, with this “it won't ever happen to us because we have this or that in place.” Right! And? Has it actually been tested as to whether it works? I mean tested as in “properly tested”, as in “penetration tested”, and this applies equally to computers, computer systems and networks as it does to perimeter and site security.

Military sentries can get into deep and hot water for waving an officer through even without checking his or her credentials. “But I know you, Sir!”, I was once told by a young PFC on guard who I challenged when I entered the base in civilian dress as to why he had not asked to see my ID, “I have seen you many times in uniform.” Wrong answer that was and the sentry was lucky that I was in a good mood.

This attitude, however, prevails everywhere, and especially with regard to access to sensitive data, with people having far more privileges than necessary to do their job. This even includes temporary staff in many cases. Why should a temp have permission to access data, of whatever kind, and transfer it to, say, a USB stick or similar?

How do you know where your data goes from there?

© M Smith (Veshengro), July 2008