Archive

Tag: security

Data loss and security breaches happen every day, but these days the loss of a million or so personal records will probably make the news for a day at best. Back in 2007 when the HMRC lost a couple of CDs containing personal information, the largest reported data loss at the time, it was in the news for weeks and resulted in high level resignations.

So what has changed?

Compliance has tightened, financial penalties have increased and are now enforced, and both household names and global businesses have been publicly embarrassed. Cybercrime is now said to be worth more on a global scale than the illegal drugs trade, and the activities of politically motivated ‘hacktivists’ now compete in number and sophistication with those of their financially motivated counterparts.

However, many people still view information security as someone else’s issue as long as they are not directly affected, and act reactively rather than proactively. Human nature, I guess.

If we go back a couple of years, interest in endpoint security grew following a period when lost USB memory sticks and unencrypted laptops were frequently at the centre of reported data breaches. However, security measures were often implemented after the event to demonstrate compliance and win back customer confidence. It would have been more effective, cheaper and less damaging to put something in place before data was compromised, because once it is out, who knows where it goes?

Recently, a member of the Information Security Community group on LinkedIn started a discussion, asking people to use one word to describe the biggest challenge facing information security today. Some appeared to struggle counting to one, but the results were revealing in what they showed, if not entirely surprising.

Just taking a snapshot of comments posted over a month[1], the consistent themes of people, awareness and attitude accounted for almost half the challenges identified. The discussion continues to attract posts daily, so if you are a LinkedIn user you can see the trend for yourself, but the underlying message is clear.

Challenge category            Share of comments
People / Users                23%
Education / Awareness         14%
Attitude / Complacency        11%
Ownership / Responsibility     8%
Trust / Ethics                 8%
Convergence / Integration      7%
Cybercrime / Hackers           7%
Zero Day Attacks               4%
Cloud / Social                 4%
Financial                      4%
Others                        10%

Note: because of the variety of postings made, the categories are consolidated from the actual comments posted, based on the author’s interpretation of the intended meaning. For example, the category Financial includes actual postings of cost, budget, money, expense and ROI.

It suggests that people’s lack of awareness, disinterest and complacency in the handling and management of sensitive data have to be challenged if this practice is to change. Rather than seeing it as a problem that needs to be addressed in order to satisfy the compliance auditor, information security should be incorporated into your overall strategy and treated as a business process in its own right.

Unless we educate people and raise awareness to create a change in attitudes and actions, I suspect the news stories we read will not change.


[1] Based on 207 comments posted between 22-May to 21-Jun 2011

The PCI Security Standards Council has issued new guidelines on how to comply with the PCI DSS standard in a virtualised environment.

With the drive to reduce operational cost and improve efficiency, and the related growth in cloud services in general, virtualisation technology has become a key area of interest, particularly to those who manage large database applications, including cardholder data environments. But while it provides many benefits, virtualisation also introduces new risks (shared hypervisors, mixed-trust workloads on one host, and a much less obvious scope boundary for the cardholder data environment) that must be properly and carefully considered before deployment.

The Council has offered to provide further assistance to ensure all affected parties understand the implications of these guidelines, which cover:

  • Explanation of the various classes of virtualisation that may be deployed in payment environments, including virtualised operating systems, hardware/platforms and networks.
  • Definition of the system components that constitute these types of virtual systems and high-level PCI DSS scoping guidance for each.
  • Practical methods and concepts for deployment of virtualisation in payment card environments.
  • Suggested controls and best practices for meeting PCI DSS requirements in virtual environments.
  • Specific recommendations for mixed-mode and cloud computing environments.
  • Guidance for understanding and assessing risk in virtual environments.

Imerja is a specialist in compliance, certified to ISO 27001, N3 approved and with proven experience in advising customers on PCI DSS and Code of Connection. Our consultants can work with you to identify compliance gaps, develop your IT strategy to address them, and provide relevant solutions and services to ensure you continue to support your business operations.

Researchers at the University of Ulm in Germany have discovered a weakness in the Android operating system that makes it possible to eavesdrop on the traffic between the phone and the internet, and thereby gain access to personal data.

The story was reported by the BBC earlier today, and news of the security weakness has quickly spread, causing concern to users of the technology. The researchers went on to report that, alarmingly, most versions of the Android operating system send authentication tokens over unencrypted connections, so anyone on the same network (an open Wi-Fi hotspot, for example) can capture a token and use it to reach the data it protects. Although this vulnerability was fixed in version 2.3.4 of the operating system, official figures suggest that only 0.3% of Android phones are currently running this version.
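What the researchers describe is, in practice, a passive sniffer on the same network reading a credential out of a plaintext HTTP request. The following Python is an added example, not code from the original post or from the Ulm researchers: it runs the detection side over a few constructed captured payloads and flags any request that carries an Authorization or Cookie header to a non-TLS port. The GoogleLogin header form, the hostnames and the token value are assumptions made for the sample, not details taken from the page.

```python
"""Flag credentials travelling over plaintext HTTP in captured traffic.

Added example; not code from the original post or the Ulm researchers.
The packets below are constructed: (destination port, TCP payload) pairs
as a sniffer on the same network segment would see them.
"""

import re
from dataclasses import dataclass

# Header names that commonly carry a reusable credential.
CREDENTIAL_HEADERS = ("authorization", "cookie")

# Ports assumed to carry TLS; their payload is opaque to a passive sniffer.
TLS_PORTS = {443}


@dataclass
class Finding:
    host: str
    path: str
    header: str          # which header leaked the credential
    scheme: str          # e.g. "GoogleLogin", "Basic", "Bearer" or "Cookie"
    token_preview: str   # redacted: never write the full secret to a log


def parse_request_head(payload: bytes):
    """Return (method, path, headers) for an HTTP/1.x request head, else None."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return None                      # binary (e.g. a TLS record), not HTTP
    lines = text.split("\r\n")
    match = re.match(r"^([A-Z]+) (\S+) HTTP/1\.[01]$", lines[0])
    if not match:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return match.group(1), match.group(2), headers


def redact(secret: str) -> str:
    """Keep only the ends of a secret so a finding can be correlated, not replayed."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "..." + secret[-4:]


def find_cleartext_tokens(packets):
    """Return a Finding for every credential header sent without TLS."""
    findings = []
    for dst_port, payload in packets:
        if dst_port in TLS_PORTS:
            continue                     # encrypted: the sniffer cannot read it
        parsed = parse_request_head(payload)
        if parsed is None:
            continue
        _method, path, headers = parsed
        for name in CREDENTIAL_HEADERS:
            value = headers.get(name)
            if not value:
                continue
            if name == "authorization":
                scheme, _, cred = value.partition(" ")
            else:
                scheme, cred = "Cookie", value
            findings.append(Finding(headers.get("host", "?"), path, name,
                                    scheme, redact(cred)))
    return findings


# Constructed sample capture (assumed header form and hostnames).
SAMPLE_PACKETS = [
    # 1. A sync request over plain HTTP carrying an auth token: leaks.
    (80, b"GET /calendar/feeds/default HTTP/1.1\r\n"
         b"Host: www.example.com\r\n"
         b"Authorization: GoogleLogin auth=DQAAAKcAAABy9x1Mwz\r\n\r\n"),
    # 2. The same request over TLS: opaque bytes, nothing to read.
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    # 3. Plain HTTP with no credential header: not a finding.
    (80, b"GET /public/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for f in find_cleartext_tokens(SAMPLE_PACKETS):
        print(f"cleartext {f.header} ({f.scheme}) to {f.host}{f.path}: {f.token_preview}")
```

Running it against the constructed capture reports exactly one finding, the plaintext request in packet 1; the TLS packet is skipped because a passive observer cannot see inside it, which is the whole point of the fix. The same logic can be pointed at a live capture tool's text output or extended to other credential-bearing headers.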

If you are an Android user and haven’t done so yet, upgrade to the new version of the operating system as soon as it is available for your handset; until then, avoid syncing over open Wi-Fi networks, where anyone nearby can read unencrypted traffic.

As businesses become more accepting of mobile working practices, and in turn reliant on their employees using tablet and smartphone technology to stay in touch and remain productive (on either corporate devices or personal handsets), it is important that they design and implement robust security policies that protect the user and the data they may access with these devices.

Adding encryption to protect corporate applications and information accessed on mobile devices is an essential step. Solutions such as that offered by Good Technology provide an effective and easy-to-deploy measure that safely bridges the gap between social and secure usage, protecting business and personal information so that users can connect and collaborate safely.

For more on the story and Imerja’s comment on the news, read: http://www.dailymail.co.uk/sciencetech/article-1388107/New-smartphone-privacy-alert-Android-handsets-prone-leaking-data.html#ixzz1MeKSCnCw