Insecurity questions (Part 1 of 3)

‘Can we take you through security?’ is a question we are all familiar with these days, but just how secure are the answers? There must be a point at which some of them, such as mother’s maiden name and date of birth, become irrelevant. With so many companies asking for this information, it must sooner or later become challenging to remember who holds what. If specific security questions were limited to a particular type of company, with mother’s maiden name used only for banking security for example, then their use would be more limited and have more value.

While participating in an extensive information security improvement programme in the financial services sector, I met someone who had a creative solution to security questions. This lady had different mother’s maiden names for every company, and an alternative date of birth for any company she deemed didn’t have the right to know when she was born. As information security consultants, no doubt we all have variations on this theme.

Professionals in our field have endeavoured to diversify security questions, but not without their own set of concerns and voiced frustrations. I refer to many instances where banks have called to verify ownership of a payment at a petrol station, placing customers in a situation where they are unable to answer the questions after the petrol tank is full. It certainly makes the account more secure, but there is a trade-off between security and availability/usability for the genuine customer. What shows up on the bank statement isn’t always what the customer expects to see: for example, a purchase from a store with a recognised brand name shows up under its registered company name, and customers asked about transactions from that company are unable to answer the questions. These types of security questions do make it harder to breach an account using a set of immutable facts, but the answers might not be readily available enough to be useful.

In one case, I knew I had purchased something from a pharmacy. The caller told me all the details of the transaction except the name of the chemist and wanted me to confirm the business name as a security question. There was no doubt in this case that the call was genuine, but I was not able to answer the question to their satisfaction. At a later date, I was able to see that on the bank statement it showed the personal name of the pharmacist and not the business name.

How often does someone call you and then ask to take you through security questions, followed by shock and surprise when you say, ‘What? You called me! I need to take you through security’. In most cases, people respond by answering the security questions, leaving them open to phishing attacks.

Understandably, many choose to store a different mother’s maiden name, date of birth and other random information for every service provider. Can you imagine the response you would get if you were asked for your date of birth and said, ‘Give me a second, just opening my vault to check’, followed by ‘It’s a security question, remember; everyone gets a different date’.

General observations are:

  • Security questions reflect facts about someone, facts which never change. Once these facts are used on a website which is subsequently compromised, the security questions become permanently insecure.
  • Businesses request far more personal information than they legitimately need to gather and process, and for the most part people feel compelled to answer.
  • Security questions are far more valuable than passwords, as they are often used to override the need for a password, such as when people forget their passwords.
  • Answers to the most popular security questions are often available through a combination of public records and social media websites.
  • There is so much personal information out there that it undermines the very notion of security questions.
  • Security questions are often so insecure that the only real solution is to use made-up answers and treat them like passwords.

Using varied security questions based on very recent activity will improve security. However, in the case of creatures of habit, the correct answer as it was six months ago could still be valid today.
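The observation above, that the only real solution is made-up answers treated like passwords, can be shown in code. What follows is an added example and not code from the original post: a client-side vault that keeps a different random answer for each service and question (what the consultant in the article did by hand, plus a check for answers reused across services), and a server-side store that retains only a salted scrypt hash of the normalised answer, so a breached database exposes no reusable fact such as a real maiden name. The word list, service names, users and the AnswerVault/ServiceStore classes are constructed for illustration.

```python
"""Security-question answers handled like passwords (added example, not from the post).

Client side: a vault with a different made-up answer per service and question.
Server side: a store that keeps only a salted scrypt hash of the normalised
answer, as a password database would.
Service names, users and the word list below are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets
import unicodedata

# Constructed word list; a real vault would use a large diceware-style list.
WORDLIST = [
    "anchor", "basil", "cobalt", "delta", "ember", "falcon", "garnet", "harbour",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nickel", "orchid", "pebble",
    "quartz", "ripple", "saffron", "timber", "umber", "velvet", "willow", "zephyr",
]


def generate_answer(words=4, wordlist=WORDLIST):
    """Random passphrase-style answer: unguessable and unrelated to any real fact."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


class AnswerVault:
    """Client-side vault: one answer per (service, question), never shared across services."""

    def __init__(self):
        self._entries = {}

    def enrol(self, service, question, answer=None):
        # A caller may supply an answer (e.g. a legacy real one) so reuse can be audited.
        answer = answer or generate_answer()
        self._entries[(service, question)] = answer
        return answer

    def lookup(self, service, question):
        return self._entries.get((service, question))

    def reused_answers(self):
        """Answers given to more than one service: a breach of one site leaks the others."""
        by_answer = {}
        for (service, _question), answer in self._entries.items():
            by_answer.setdefault(answer, set()).add(service)
        return {a: s for a, s in by_answer.items() if len(s) > 1}


def normalise(answer):
    """Fold case, Unicode form and whitespace so 'Smith ' and 'smith' compare equal."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer, salt=None):
    """Salted scrypt of the normalised answer, exactly as a password would be stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(normalise(answer).encode("utf-8"),
                            salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_answer(candidate, salt, digest):
    _, candidate_digest = hash_answer(candidate, salt)
    return hmac.compare_digest(candidate_digest, digest)  # constant-time comparison


class ServiceStore:
    """Server-side store: retains salt and hash only, never the answer itself."""

    def __init__(self):
        self._records = {}

    def set_answer(self, user, question, answer):
        self._records[(user, question)] = hash_answer(answer)

    def check(self, user, question, candidate):
        record = self._records.get((user, question))
        if record is None:
            return False  # unknown user or question: indistinguishable from a wrong guess
        return verify_answer(candidate, *record)

    def breach_dump(self):
        """What someone who copied the database would see: salts and hashes only."""
        return dict(self._records)


if __name__ == "__main__":
    vault = AnswerVault()
    bank = ServiceStore()
    answer = vault.enrol("bank", "mother's maiden name")
    bank.set_answer("alice", "mother's maiden name", answer)
    print("answer in vault :", answer)
    print("verifies        :", bank.check("alice", "mother's maiden name", answer))
    print("stored on server:", bank.breach_dump())
```

The vault side shows why a different answer per service matters: `reused_answers()` flags any answer handed to more than one company, which is exactly the exposure a single compromised website creates. The store side shows what treating the answer like a password buys the defender: normalisation keeps the genuine customer from failing over a stray space or capital, while the salted hash and constant-time comparison mean the stored record reveals neither the answer nor whether two customers share one.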

The birth of GDPR claims management

With the introduction of the General Data Protection Regulation (GDPR), how close are we to a culture of GDPR compensation claims? With so many companies within the EU holding personal data, and an unprecedented challenge to adhere to the regulation, how vulnerable will companies be to future claims? Individuals may not have the time or energy to deal with litigation, and many failures will go unchallenged, but delegating such activity to law firms and to new businesses established for this very purpose could place increased pressure on firms to comply with requests. Also, how will cyber insurance policies be adapted to protect against such claims? A new level of litigation is in the making, perhaps.

The traffic accident compensation culture has evolved quite significantly in the UK, and the number of personal injury claims is at an all-time high. They have increased to the point that almost immediately following an accident, claims management companies are lining up to take on cases. Television channels and websites are inundated with commercials offering no-win-no-fee arrangements, and insurance policies either include legal support or make it available to customers as an add-on option. The following are indicators of what is emerging, although the coffee-machine chatter on the subject shows a difference of opinion on what the marketplace will look like two years from now.

  • Businesses are increasingly using a thought leadership approach to demonstrate understanding and credibility in data protection related issues, particularly in the insurance and litigation spaces. Generally, companies and individual professionals are positioning themselves as experts in the field.
  • Published reports and surveys indicate that large numbers of businesses are unprepared for GDPR compliance, suggesting the number of potential claims will be high.
  • Issues which leave businesses open to litigation are highly likely to involve many customers and less likely to involve one or a handful of individuals, because the lack of compliance is more likely to be systemic. Rather than an individual making a claim and approaching a law firm, litigation is more likely to be driven by events taking place or failures being identified, and then by finding the customers willing to jump on the bandwagon.
  • There is a growing compensation culture within the UK. This is not to say that people are not entitled to claim if they have suffered a loss, but rather it illustrates a change in attitude. Where once (in my lifetime) the approach was ‘get up and move on’, someone suffering a loss is now more likely to be thinking first ‘can I claim compensation?’.
  • Politicians have complained about the adverse effects of excessive litigation on the economy and society. Politicians have also given undertakings that if elected into government, they would ‘cut out the cancer of litigation’.
  • Many new pieces of legislation are being introduced which give people the right to compensation if they suffer a loss. It is reasonable to expect that people will exercise such legal rights, and depending on the magnitude at which this happens, the process will need effective management.

These are indicative of a growing risk to companies that manage large quantities of personal data. There is also an increasing opportunity for existing companies, and for new companies to emerge, to deal both with protecting organisations and with litigation against failures to comply.

How much info is too much? (Part 4 of 4)

Address the issue of what information to provide by defining the overall process for dealing with new clients. This process doesn’t need to be complicated, and having a process to follow will prevent digression into off-topic discussions; importantly, it avoids all conversations about previous clients and focuses on what the client needs now and in the future. Having your own process in place reduces the risk of being drawn into following someone else’s.

  1. The client shows an interest in your services because they need help to solve a specific problem.
  2. Ask specific questions about what services are required and what problems the client faces which require attention. Depending on the complexity, it may be necessary to arrange a consultation to discuss the specific requirements.
  3. Provide a summary of discussion points and conclusions, and a proposal to deliver, along with costs and timescales.
  4. Further consultation and refinement of the proposal may be necessary.
  5. The client accepts or rejects the proposal.

The point with this process is to gain credibility from taking a professional approach to solving the potential client’s problems, not by demonstrating what you delivered to previous clients. Although lots of companies and individuals have similar issues, clients don’t want their laundry washed and dried in public.

Companies understandably want to undertake a measure of supplier due diligence, so it stands to reason that suppliers should apply the same level of scrutiny to potential clients. If the above process is followed through, you can quickly filter out phishing attempts, and the discussion on requirements will have taken place without discussing confidential information.

In parallel with discussing requirements, acquire additional information to verify that the client and their needs are genuine. Client due diligence is more than checking to make sure you are likely to get paid for the services provided. Gather facts about the client to make sure they are who they claim to be, and assess risks such as money laundering, terrorist financing, impersonation and identity fraud. Check sources such as public brochure websites, due diligence websites and public registers such as Companies House.

To conclude on confidential information, potential clients whose primary interest is in understanding what services you delivered to previous clients, and who have no interest in discussing their current predicaments, should be treated with a level of suspicion. However, not all will be fraudulent with malicious intent; there are plenty of market research companies that are skilled at extracting information while pretending to be potential customers.

How much info is too much? (Part 3 of 4)

In the previous two parts, the general conclusion is that within the IT sector so much emphasis is placed on past clients and past projects that the request itself could be a phishing exercise to extract information about previous clients. People bidding will feel compelled to answer because they believe that not doing so will exclude them from an opportunity; in other words, they are psychologically coerced into being unprofessional through fear of loss.

  • Discussing previous clients with potential future clients is unprofessional, as we have covered in detail. However, in a sector where it has become a de facto standard, people willing to disclose vast amounts of confidential information about previous clients are awarded contracts for being seen as more cooperative. Professionalism, or lack thereof, doesn’t often come into it.
  • There are no regulations which protect client confidentiality in IT. Unlike other professions, IT and IT security don’t have licences that could be revoked by failing to take confidentiality seriously or any sanctions at a regulatory level. There are terms of business and non-disclosure agreements which provide protection, but the onus is on clients to enforce such contracts.

What is professional and unprofessional is somewhat subjective. The majority of solicitors care deeply about client confidentiality as part of their profession, but the same is not true in information technology. Consequently, it becomes challenging to compare the two, as the definitions of professionalism are kilometres apart.

At a time when news articles are published daily about cyber threats and data breaches, is it time for a behaviour change when it comes to client confidentiality? Gone are the days when someone had a job for life, and here are the days when large numbers of IT practices offer valuable services to large numbers of individual businesses. Professionals in the IT sector have often participated in hundreds of projects and accumulated vast knowledge about the inner workings of their own or their employers’ clients.