Welcome to the Simple Office
Wednesday, 28 February 2007
Dealing with requests under the Data Protection Act
This guidance sets out clear advice for small and medium sized businesses to help them deal with requests from individuals for access to information an SME might keep about them. The advice distinguishes between requests that SMEs can treat as part of normal business practice and those that should be dealt with formally under the Data Protection Act. It includes information on checking a person’s identity and what SMEs should do if the information requested includes details about other people.
There are also practical examples explaining information that should not be released. A fee of up to £10 can be charged unless the information is a medical or educational record. Where a charge is levied the information must be supplied within 40 calendar days of receiving payment.
This good practice note is part of a series published by the Information Commissioner’s Office to help explain data protection in simple terms. To download a copy, please click here (PDF).
Friday, 23 February 2007
When is 8Mbps not 8Mbps?
Read here for some interesting observations.
Broadband switching eased
Friday, 16 February 2007
How to combat image-based spam
The tidal wave of unsolicited commercial email, or spam, ending up in user inboxes shows no sign of slowing. Estimates of just how much email is spam range anywhere from 66% to more than 90%, depending on who's counting and when. This translates into a lot of wasted bandwidth, wasted storage and lost productivity, as users struggle to separate legitimate emails from spam.
The dramatic increase of image spam has only made the problem worse. During 2006, 25% of spam email used images to deliver messages, up from less than 5% in 2005 (Source: IronPort Systems Inc).
Image spam messages are typically made up of two parts: first, some random text intended to fool filters into thinking that the message is legitimate, and second, the actual advertising message in the form of an attached or embedded image. Spammers count on the filter being unable to see the advertising message inside the image, so it slips through and ends up in your users' mailboxes - in other words, the random text makes the message look genuine while the image carries the pitch.
There is a definite cost to image spam. Messages containing images are larger than their text-only counterparts. The average size of a spam message in 2005 was just under 9 KB. By 2006, the average size jumped to 13 KB, thanks in part to image spam. This means transmitting and storing spam took up 40% more of an organization's bandwidth and storage capacity in 2006 than in 2005.
The battle between spammers and antispam vendors is like an arms race. For instance, some vendors have added optical character recognition (OCR) to their filtering products, allowing them to read the content of image spam to identify it before it hits user mailboxes. To counter this, some spammers have started adding background patterns or using distorted fonts in their images to make them unreadable by OCR programs but legible to email recipients.
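The two-part structure described above (padding text plus an image that carries the pitch) is something a gateway can score without OCR. The following is an added example, not code from the original post or from any vendor: it walks the MIME parts of a message, measures how much readable text sits beside any image, and flags the combination of an image with little or non-dictionary text. The vocabulary, thresholds and sample messages are constructed for the demonstration.

```python
"""Added example: heuristic scoring of image-based spam.
Not product code; vocabulary, thresholds and sample messages are constructed."""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Tiny stand-in for a real dictionary; a deployment would load a word list.
VOCABULARY = set(
    "hi hello here is the photo from our meeting on tuesday thanks regards "
    "please find attached invoice for february see you soon".split()
)
MIN_TEXT_CHARS = 20        # less text than this next to an image is suspicious
MIN_DICTIONARY_RATIO = 0.5  # below this the "text" is probably filter padding


def build_message(text: str, image: Optional[bytes] = None) -> str:
    """Return a constructed MIME message, optionally carrying a GIF part."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"   # constructed addresses
    msg["To"] = "user@example.org"
    msg["Subject"] = "hello"
    msg.set_content(text)
    if image is not None:
        msg.add_attachment(image, maintype="image", subtype="gif",
                           filename="picture.gif")
    return msg.as_string()


def dictionary_ratio(text: str) -> float:
    """Fraction of words found in the vocabulary (0.0 when there are no words)."""
    words = [w.strip(".,;:!?\"'()").lower() for w in text.split()]
    words = [w for w in words if w]
    if not words:
        return 0.0
    return sum(w in VOCABULARY for w in words) / len(words)


def image_spam_score(raw: str) -> dict:
    """Walk the MIME parts; report text size, image size and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    text, image_bytes = [], 0
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text.append(part.get_content())
        elif part.get_content_maintype() == "image":
            image_bytes += len(part.get_payload(decode=True) or b"")
    body = "\n".join(text).strip()
    ratio = dictionary_ratio(body)
    # The heuristic only fires when an image is present: gibberish alone is
    # handled by ordinary text filters, and images alone are normal in mail.
    suspicious = image_bytes > 0 and (
        len(body) < MIN_TEXT_CHARS or ratio < MIN_DICTIONARY_RATIO
    )
    return {
        "text_chars": len(body),
        "image_bytes": image_bytes,
        "dictionary_ratio": round(ratio, 2),
        "is_image_spam": suspicious,
    }


if __name__ == "__main__":
    gif = b"GIF89a" + b"\x00" * 300   # constructed image payload
    print(image_spam_score(build_message("xkq wibble plorth zanu fribble", gif)))
    print(image_spam_score(build_message(
        "Hi, here is the photo from our meeting on Tuesday. Thanks", gif)))
```

A score like this is one signal among several; on its own it would flag a colleague who sends a photo with a one-word note, so in practice it feeds a weighted decision rather than a hard block.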
So what can we do to keep the volume of spam in our inboxes as low as possible?
1. You could outsource the job to an antispam service provider: providers get to see and analyse much more spam than most people, and use their enhanced knowledge to benefit all of their customers.
2. Use virus-scanning services: most antispam vendors also provide other services such as virus scanning of inbound and outbound email, message archiving and disaster recovery. Combining an antispam solution with these types of services can help small and medium-sized enterprises (SMEs) concentrate on their core business instead of spam.
3. Another option is to turn the problem on its head. Rather than trying to exclude spam, some antispam products work by allowing only the delivery of messages from sources that have been verified as legitimate. Such products allow users to set up lists of valid email addresses and domains from which they expect to receive email. When an email arrives from an address or domain not contained on the "whitelist," the message is held. The product then replies to the sender with a link to a web page, where they are asked to read and enter a verification code presented as an image. The aim of this process is to verify that the email is being sent by a human, not a "spambot", and the verification process has to be done only once. These products have simplicity on their side. They eliminate the need to analyse each email and decide whether it is spam or not. New spammer techniques that bypass filters, then, don't affect their performance. These whitelisting products do eliminate spam in inboxes, but they also have some downsides: some users are confused by the verification email. Because of the prevalence of phishing, other users may think the verification process is somehow trying to scam them out of personal information. Also, when signing up for new web accounts that cause an email to be sent, users have to go and look for the "unverified" email and manually mark it OK to have it delivered. Users have to decide whether the benefits outweigh the drawbacks.
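The hold-and-verify flow in option 3 is easy to model end to end. The block below is an added example written for this post, not any product's code: mail from a whitelisted address or trusted domain is delivered, mail from anyone else is held and the sender is challenged once, answering the challenge releases the held mail and whitelists the sender, and a manual release covers the drawback the post mentions (automated sign-up mail that nobody will ever answer a challenge for). Addresses are constructed, and the verification code is handed back as plain text where a real product would show it as an image on a web page.

```python
"""Added example: whitelist gateway with one-off sender verification.
Not product code; addresses and codes are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Mail:
    sender: str
    subject: str


@dataclass
class VerifyingGateway:
    trusted_domains: Set[str] = field(default_factory=set)
    whitelist: Set[str] = field(default_factory=set)
    held: Dict[str, List[Mail]] = field(default_factory=dict)
    challenges: Dict[str, str] = field(default_factory=dict)      # sender -> code
    outbound: List[Tuple[str, str]] = field(default_factory=list)  # challenge mails sent
    inbox: List[Mail] = field(default_factory=list)

    def is_trusted(self, sender: str) -> bool:
        sender = sender.lower()
        domain = sender.rsplit("@", 1)[-1]
        return sender in self.whitelist or domain in self.trusted_domains

    def receive(self, mail: Mail) -> str:
        """Deliver trusted mail; hold the rest and challenge a new sender once."""
        sender = mail.sender.lower()
        if self.is_trusted(sender):
            self.inbox.append(mail)
            return "delivered"
        self.held.setdefault(sender, []).append(mail)
        if sender not in self.challenges:
            # A real product presents the code as an image on a web page;
            # here it is simply recorded so the sender's answer can be checked.
            code = secrets.token_hex(4)
            self.challenges[sender] = code
            self.outbound.append((sender, code))
            return "held, challenge sent"
        return "held"

    def release(self, sender: str) -> int:
        """Manual 'mark it OK': whitelist the sender, deliver what was held."""
        sender = sender.lower()
        self.whitelist.add(sender)
        self.challenges.pop(sender, None)
        released = self.held.pop(sender, [])
        self.inbox.extend(released)
        return len(released)

    def verify(self, sender: str, code: str) -> bool:
        """Sender answered the challenge; compare the code in constant time."""
        expected = self.challenges.get(sender.lower())
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        self.release(sender)
        return True
```

Note that a sender is challenged only once, so a spammer who keeps sending from one address accumulates held mail but generates no further challenge traffic; that is also why the outbound list is worth keeping, since challenges sent to forged sender addresses are a nuisance to innocent third parties.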
Sadly image-based spam is just the latest escalation in the spam wars. As long as there is money in unsolicited commercial email, we can expect the spammers to continue to innovate their "product" and continue to present new challenges to SMEs.
Thursday, 15 February 2007
What a way to make Valentine's Day special........
The latest such attack came with Valentine's Day: a "worm" disguised as a Valentine greeting spread rapidly across the internet. The Dref-AB worm was spread via e-mail in readiness for office workers and home computer users to find the malicious Valentine e-mail in their inbox first thing on Valentine's Day.
During February 14th it accounted for 76.4% of all malware. Subject lines used in the attack were many and varied, but all posed as a romantic message; some of them were "A Valentine Love Song", "Be My Valentine", "Fly Away Valentine", "For My Valentine", "Happy Valentine's Day", "My LuckyValentine" and "My Valentine". The point of this is to tempt people into opening the email.
The worm is attached to the e-mails in files called "flash postcard.exe", "greeting postcard.exe", "greeting card.exe" or "postcard.exe".
Opening the attached files on a PC activates the worm, which then sends itself to other e-mail addresses found on the now infected computer. Security giant Sophos believes the worm code is designed to download further malicious code from the internet in an attempt to take over the PC, convert it into part of a zombie network, and use it to send spam on behalf of hacking gangs.
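Whatever the subject line, the worm above still needs its .exe to reach the user, and that is the part a mail gateway can refuse. The following is an added example for this post, not Sophos's or any vendor's code: it parses a message, looks at each attachment, and rejects anything with an executable extension or, going one step beyond name matching, anything whose bytes begin with the "MZ" signature every Windows executable carries, so a program renamed to look like a picture is caught too. The sample messages are constructed and use the attachment names the post quotes; the blocked-extension list is a constructed starting point, not a complete one.

```python
"""Added example: reject mail carrying executable attachments.
Not vendor code; sample messages are constructed."""
import base64
import email
import os
from email import policy
from typing import List

BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
PE_MAGIC = b"MZ"   # first two bytes of every Windows executable


def sample_message(filename: str, content_type: str, payload: bytes) -> str:
    """Constructed MIME message with one text part and one attachment."""
    encoded = base64.b64encode(payload).decode("ascii")
    return (
        "From: admirer@example.com\r\n"
        "To: you@example.org\r\n"
        "Subject: Be My Valentine\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
        "\r\n--XYZ\r\n"
        "Content-Type: text/plain\r\n\r\n"
        "Please open the attached card.\r\n"
        "--XYZ\r\n"
        f'Content-Type: {content_type}; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n'
        f"{encoded}\r\n"
        "--XYZ--\r\n"
    )


def executable_attachments(raw: str) -> List[str]:
    """Names of attachments that are, or look like, Windows executables."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]      # last extension wins: x.jpg.exe -> .exe
        data = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS or data.startswith(PE_MAGIC):
            hits.append(name)
    return hits


def accept(raw: str) -> bool:
    """Gateway decision: refuse any message carrying an executable."""
    return not executable_attachments(raw)


if __name__ == "__main__":
    exe = b"MZ\x90\x00" + b"\x00" * 60   # constructed stand-in for a PE file
    for name, ctype in [("postcard.exe", "application/octet-stream"),
                        ("postcard.jpg", "image/jpeg")]:
        print(name, "->", "rejected" if not accept(sample_message(name, ctype, exe)) else "accepted")
```

The content check matters because the Content-Type header and the filename are both chosen by the sender; only the bytes themselves are not.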
Just what you need on Valentine's Day.
So stay alert at all times but particularly when any special calendar days are approaching.......
Wednesday, 14 February 2007
Ten clues that your website may not be working effectively.....
2. You don't have a web site.
3. You don't know how to change your web site.
4. If fewer than half of your customers can find you online, you're dead.
5. You think your business is local.
6. You think your web site is just for new customers.
7. You think your web site is just for customers.
8. Your Web site is your only internet strategy.
9. You think being small is a disadvantage.
10. You'll fail if you do what I say - challenge conventional approaches, learn and adapt.
How many of these apply to your business?
Monday, 12 February 2007
Do you dispose of PCs securely?
A survey released by security firm Pointsec said that the problem is exacerbated by the fact that many used corporate PCs are being shipped to third world countries where the information on the drives can be used in ID theft scams. Numerous reports have surfaced of private and valuable information being discovered on a hard drive or computer bought from eBay, the study warned.
Pointsec said that fewer than half of major corporations use professional disposal companies to destroy old computers. Many sell them to second hand dealers or staff which often means that the next recipient has access to all the old data. Some 17 per cent destroy them in-house, which is arguably the safest approach as companies can witness that the right procedure has been followed to adequately destroy the data.
The survey was conducted among 329 companies, over half of which employ more than 2,000 staff. Martin Allen, managing director of Pointsec, said: "We have all heard about PCs thrown away in council tips that have ended up in West Africa with local extortionists and opportunists selling the contents such as bank account details for less than £20. Many corporations also fall victim to this sort of scam by selling their old PCs to second hand dealers who often do not have the skills or resources to reformat and clean them adequately. We recommend thoroughly reformatting the hard drive or encrypting the data on all mobile devices as this ensures that no-one can get at the data unless they know the computer's password both during the PC's lifetime and beyond."
Ultimately though, firms with really sensitive data on their devices should burn or smash the hard drives - which can of course be immensely satisfying in some ways!!
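"Thoroughly reformatting" is the operative phrase: a delete or a quick format only removes the directory entry, and the data blocks stay readable until something writes over them, which is exactly how the eBay and council-tip finds above happen. The block below is an added example for this post, not Pointsec's tooling: it overwrites a file in place (random data, then zeros, each pass forced to disk), reads it back to confirm nothing but zeros remains, and only then deletes it. It works on an ordinary file in a temporary directory rather than a whole drive, the sample content is constructed, and it assumes a magnetic disk: flash media and SSDs remap writes internally, so there the drive's own secure-erase command, or encrypting the whole drive from day one, is the right tool.

```python
"""Added example: overwrite-then-delete for a file before disposal.
Not vendor code; sample data is constructed. Meaningful for magnetic disks."""
import os
import secrets
import tempfile

CHUNK = 1 << 20   # 1 MiB per write


def overwrite_file(path: str, passes: int = 2) -> int:
    """Overwrite every byte: random data first, zeros last. Returns the size."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for n in range(passes):
            last = n == passes - 1
            fh.seek(0)
            remaining = size
            while remaining > 0:
                length = min(CHUNK, remaining)
                fh.write(b"\x00" * length if last else secrets.token_bytes(length))
                remaining -= length
            fh.flush()
            os.fsync(fh.fileno())   # push this pass to the disk, not just the cache
    return size


def is_all_zero(path: str) -> bool:
    """Read the file back and confirm nothing but zeros remains."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True
            if chunk.strip(b"\x00"):
                return False


def wipe_and_delete(path: str) -> bool:
    """Overwrite, verify, then remove the directory entry."""
    overwrite_file(path)
    clean = is_all_zero(path)
    os.remove(path)
    return clean and not os.path.exists(path)


def sample_file(content: bytes) -> str:
    """Create a constructed file in the temp directory and return its path."""
    with tempfile.NamedTemporaryFile("wb", delete=False, suffix=".csv") as fh:
        fh.write(content)
        return fh.name


def demo() -> dict:
    """Write a constructed customer export, wipe it, report what happened."""
    path = sample_file(b"name,card\nA. Customer,1234-5678-9012-3456\n" * 100)  # constructed
    size = os.path.getsize(path)
    return {"bytes_wiped": size, "wiped": wipe_and_delete(path)}


if __name__ == "__main__":
    print(demo())
```

Overwriting files one at a time also misses copies the operating system has made (swap, temporary files, old versions in free space), which is why disposing of a whole drive calls for a whole-drive overwrite or physical destruction, as the post concludes.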
Thursday, 8 February 2007
Did you notice?...............
The target was servers that help to direct global internet traffic. In the early hours of Tuesday three key servers were hit by a barrage of data in what is known as a distributed denial-of-service attack. There is no evidence so far of damage, which experts are saying is testament to the robust nature of the internet.
Read about it here
Wednesday, 7 February 2007
More about data storage..........
As regards the advent of the terabyte drive (1,000GB) they make the point that losing 1TB of data would be painful and most corporate environments will continue to opt for a number of smaller drives using the technology known by the cumbersome name of Redundant Array of Independent Disks (RAID). For example Seagate produce a 1.5TB device that is actually made up of two 750GB drives. A continuous backup is created by the same data being written to both drives simultaneously - though this does mean that half the drive space is occupied by the backup data. It might well save your life. Well, your digital one.
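The two-drive arrangement described above is RAID level 1, a mirror, and a small model makes its properties concrete. The following is an added example for this post, not Seagate's firmware: every write goes to both members, the usable capacity is that of one member (750GB out of 1.5TB in the post's example), and reads carry on after either member fails. It also shows the limit of calling a mirror a backup: a deletion or a bad write is copied to the second drive just as faithfully as good data, so a mirror protects against a failed drive, not against mistakes or malware. Drive sizes and file contents are constructed.

```python
"""Added example: toy RAID 1 mirror. Not vendor code; sizes are constructed."""
from typing import Dict, List, Optional


class Drive:
    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.files: Dict[str, bytes] = {}
        self.failed = False

    def used(self) -> int:
        return sum(len(v) for v in self.files.values())

    def write(self, name: str, data: bytes) -> None:
        if self.failed:
            raise OSError("drive failed")
        if self.used() - len(self.files.get(name, b"")) + len(data) > self.capacity:
            raise OSError("drive full")
        self.files[name] = data

    def delete(self, name: str) -> None:
        if self.failed:
            raise OSError("drive failed")
        self.files.pop(name, None)

    def read(self, name: str) -> Optional[bytes]:
        if self.failed:
            raise OSError("drive failed")
        return self.files.get(name)


class Mirror:
    """RAID 1: the same data on both members, reads from any healthy one."""

    def __init__(self, a: Drive, b: Drive) -> None:
        self.members = [a, b]

    def usable_capacity(self) -> int:
        # Two 750GB members give 750GB of space, not 1.5TB.
        return min(d.capacity for d in self.members)

    def healthy(self) -> List[Drive]:
        return [d for d in self.members if not d.failed]

    def write(self, name: str, data: bytes) -> int:
        """Write to every healthy member; returns how many copies now exist."""
        if len(data) > self.usable_capacity():
            raise OSError("larger than the mirror")
        for d in self.healthy():
            d.write(name, data)
        return len(self.healthy())

    def delete(self, name: str) -> None:
        """Deletions are mirrored too, which is why a mirror is not a backup."""
        for d in self.healthy():
            d.delete(name)

    def read(self, name: str) -> Optional[bytes]:
        for d in self.healthy():
            return d.read(name)
        raise OSError("no healthy member")
```

When a failed member is replaced, a real controller resynchronises it from the surviving one; until that finishes the array is running with a single copy, which is the moment a second failure hurts.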
Tuesday, 6 February 2007
Networking: five ways to end the conversation politely..........
1. Ask for the other person's card if you do not yet have it. Thank them and move on.
2. Set up a time to call or meet with the other person.
3. Excuse yourself shortly after another person has joined the conversation.
4. It has been nice talking with you and ...
o I will keep your card on file for when I need ...
o It's my first time here, and I would like to meet some of the other members, too.
o I haven't been here for six months, and I want to rekindle some acquaintances.
o I can only stay for an hour, and I want to say "hi" to several other people.
o I'd like to continue this conversation. May I call you next week?
o I'll e-mail you that referral tomorrow.
o Would you like to have lunch sometime?
And when all else fails:
5. If you’ll excuse me I want to get something else to eat (or drink).
How to secure a laptop
You need to employ some form of security - having a password to access Windows is only minor protection. You could create encrypted "partitions," which, basically, are files that mount as a regular drive. However, I'm not a big fan of that. It all boils down to the fact that you cannot trust either yourself or other users to store sensitive information on the secured partition every time - we all forget things. People will store things on their desktop, in their email application, and in local temp directories that may not be protected. Additionally, if someone is able to obtain a laptop and crack various Windows passwords, what do you think the odds are that the encrypted partition uses one of those same passwords? Based on experience, I'd say the chances are pretty good!!
Many people are installing laptop-tracking software such as LoJack for Laptops which can certainly aid in recovery. The problem is that by the time the system is recovered, sensitive information on the laptop could have been compromised. So, good solution but just a little too late in the security breach time window for me.
The only truly secure solution (although still not 100% - nothing is) to keep information from being compromised is to use a whole disk encryption technology such as PGP Whole Disk Encryption or TrueCrypt. They're independent of the operating system and use much stronger encryption technologies, and some can even be centrally managed, reducing administrative burdens. Even if stolen computers are powered on, as long as the entire drive is encrypted and the screen is locked, the only option for the criminal is to reboot the system to try and get in. Once he does that, he'll be prompted for a passphrase to unlock the drive. As long as the passphrase used to encrypt the drive is strong, he's at a dead end.
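The pre-boot prompt described above works the same way across products, and the standard library is enough to show the essentials. The passphrase is not the disk key: it is stretched with a salted, iterated key derivation function into a key-encryption key that unwraps the real disk key, so whoever reboots a stolen machine has to guess the passphrase and pay the stretching cost for every guess, and a strong passphrase is what turns that into the dead end the post describes. This is an added example for this post, not PGP's or TrueCrypt's on-disk format: the strength rule, iteration count and salt size are constructed choices, and the XOR wrapping of the disk key stands in for a real cipher because the standard library has none.

```python
"""Added example: passphrase-to-disk-key unlock step of whole disk encryption.
Not a product's format; policy, iterations and the XOR wrap are stand-ins."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

ITERATIONS = 100_000   # constructed; real products tune this to the hardware


def passphrase_acceptable(passphrase: str) -> bool:
    """Constructed policy: at least 14 characters and three character classes."""
    classes = [
        any(c.islower() for c in passphrase),
        any(c.isupper() for c in passphrase),
        any(c.isdigit() for c in passphrase),
        any(not c.isalnum() for c in passphrase),
    ]
    return len(passphrase) >= 14 and sum(classes) >= 3


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase into a 32-byte key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, ITERATIONS, dklen=32)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def create_volume(passphrase: str) -> Tuple[dict, bytes]:
    """Return the volume header and the random disk key it protects."""
    if not passphrase_acceptable(passphrase):
        raise ValueError("passphrase does not meet policy")
    salt = secrets.token_bytes(16)
    disk_key = secrets.token_bytes(32)            # what actually encrypts sectors
    kek = derive_kek(passphrase, salt)
    header = {
        "salt": salt,
        "wrapped_key": xor_bytes(disk_key, kek),  # stand-in for a real key wrap
        "check": hmac.new(disk_key, b"volume-check", "sha256").digest(),
    }
    return header, disk_key


def unlock(header: dict, passphrase: str) -> Optional[bytes]:
    """Pre-boot prompt: derive the KEK and see whether it unwraps a valid key."""
    kek = derive_kek(passphrase, header["salt"])
    candidate = xor_bytes(header["wrapped_key"], kek)
    expected = hmac.new(candidate, b"volume-check", "sha256").digest()
    if hmac.compare_digest(expected, header["check"]):
        return candidate
    return None


if __name__ == "__main__":
    header, key = create_volume("correct Horse-battery 42")   # constructed passphrase
    print("right passphrase unlocks:", unlock(header, "correct Horse-battery 42") == key)
    print("wrong passphrase unlocks:", unlock(header, "correct Horse-battery 43") is not None)
```

Two details carry the security here: the salt means the stretching has to be repeated per volume rather than precomputed, and because the disk key is random and only ever stored wrapped, changing the passphrase means re-wrapping one 32-byte value rather than re-encrypting the whole drive.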
Remember that policies enforced by technologies - not just trusting users to do the right thing - will keep sensitive information on your computers from being compromised. Agreed it will cost money (up front and ongoing) in both software licenses and operational costs. But that seems like a better alternative than losing credit card merchant privileges, explaining to one or more government regulatory bodies why your stolen systems weren't protected or having to notify every single person whose information is believed to be compromised.
