Power corrupts: risks from new US wiretap laws

New, expanded wiretapping rules are being discussed. What privacy issues does this raise? What are the other personal liberty implications of such rules, the differences between monitoring voice and data, and some potential solutions that balance national security and privacy requirements?

Farming at work: social media in the enterprise

How do you make social networks safe for work? Also some key risks and strategies for tracking productivity. Joins my recent article on the Twitter virus and previous article on Data Loss Prevention.

Twitter hacks: lessons for users and Twitter

What are the risks, to both consumers and companies, of social media-borne hacks, attacks, malware, etc.? Was this latest Twitter attack a wake-up call? Also what users could do to protect themselves and what Twitter could do to avoid future incidents.

Security metrics: If you do not measure something why even bother doing it?

If those in the IT/information security industry applied the concept of "if you do not measure it, why even bother doing it", we would all be out of a job! This especially includes all those CISOs and top management: going to meetings, conferences and replying to emails provides no value unless you can measure it and demonstrate where it does. Security metrics is relegated to the trough with awareness and policy, usually pushed to the new starter or female (just j/k) in the team. This is unfortunate, though, because if there is one thing that the success of something like Google AdWords and the revolution in A/B testing should have taught us, it is this: there is great value in being able to measure the effectiveness of something. There is a good reason why you are not considered Capability Maturity Model (CMM) level 4 until you can measure how well your process or capability delivers the desired results. The old adage still holds true: you can't improve what you cannot measure.

There are plenty of articles on security metrics, but this one, true to form, will be simple, practical and contrarian. Although, according to Jennifer from securitymetrics.org, "I am not sure there is much contrarian in the post, other than that a random engineer will be better at security metrics than a security person. That may be worth a lightning". Other than WTF is a lightning, maybe it is not contrarian but just common sense, but definitely not as common as I would like to see. Read on....

Privacy in an Age of Augmented Humanity

Source: badscience.net
The inspiration for this post was the keynote from Eric Schmidt (CEO of Google). Some of the things that Eric is talking about are straight from Minority Report, but some are with us right now or will be within the next couple of years. I find a lot of these technology enhancements incredibly exciting, but I know many will have concerns over privacy and security. So to mitigate some of the FUD that I'm sure will come, let me present a way the majority of concerns can be placated upfront. I will analyse some of these innovations against the EU privacy principles and the laws of identity, with the view that, being early in the piece, security and privacy can be baked in and this can be done right to avoid problems later on.

This joins my other privacy and identity related articles: social location services and a review of corporate identity management against the identity laws.

Your data centre has just blown up

Source: Flickr
Just as 9/11 passes, I thought this was a pertinent time to say: the fact that your primary data centre will fail is not a question of IF but WHEN (ok, that sounded a bit like FUD). Still, it pays to be prepared, and unlike most security risks this one is real, not theoretical, and the business actually cares if your systems are working (as opposed to secure).

This joins my other non-security pieces: a smarter, more social bank, preparing for Chrome, living without Windows and turning bankers into engineers in a decade.

I wrote this as a response to a question on Help a Reporter, on my iPhone on the tube returning from work, and thought it may be of interest to you also.

3 Million reasons to encrypt your Blackberry

Source: Flickr, Creative Commons
The next major security control to become a norm will be full disk encryption of mobile devices, especially BlackBerrys.

This is another chapter in the lessons learned series, joining: email encryption, removable media control and Data Loss Prevention (DLP). Also a companion piece to securely using iPhones, iPads and Android devices in the enterprise.

Ten years ago, and maybe even five years ago in some countries, laptop whole disk encryption and removable media encryption would not have been a priority. After a number of high profile data losses, including a £3 Million fine imposed by the FSA on HSBC for losing customer data, most organizations now view this as a critical security control, one of the few that needs to be explicitly specified in contracts.
