And that raises some quite basic questions about pretty basic security as to how an employee (or group of employees) were able to steal the data.
As the blog states insider threats can almost always be prevented (if you have the right controls in place) i.e. really basic stuff such as segregation of access to information (doesn't prevent conspiracy of course) and I've never worked at a real sized company where USB ports are not disabled, emails are monitored by a dedicated security team and email attachments are not allowed.
It just annoys me that companies can turn around and say it's not us, the employee did it. Are they saying that this one employee could see things that their entire security division, which one would hope would have many years of experience across multiple industries, was unable to foresee?
My view is that there is never any real excuse for this sort of thing and employee data theft happens because the employer did not have adequate controls in place to prevent it.
Whilst this is in no way defending Sage, it has to be said that they are not the first and they will certainly not be the last, which makes it almost (almost) wrong to name and shame them, as all of the others are just looking at it as "phew, all attention's on Sage, let's get our own security checked out properly whilst they're being crucified".
__________________
Shaun
Responses are not meant as a substitute for professional advice. Answers are intended as outline only; the advice of a qualified professional with access to all relevant information should be sought before acting on any response given.
I had some issues replying to this thread as well.
I know that I hit post but it took me to the advanced editor without posting and when I went back a page it indicated that it had already posted (which it hadn't).
The issue seems to have resolved itself now but I'll log it for next time that I'm chatting with Steve.
__________________
Shaun
Okay, I *think* the problem may have been because I'd started the subject line with a normal quotation mark (a bug of some sort in the forum software?). I had to re-input the subject line in the test reply, and I've since edited it to an apostrophe/single quote. Replying now works.
Now to what I attempted to say before...
When I initially posted that link, I hadn't read any of the details, but I'd seen references to this breach in a couple of places. I've now read it.
It's Sage's payroll service that has suffered the breach, and "up to" 300 *large* companies possibly affected, with the data that may have been pilfered including employee personal information - names, dates of birth, NI numbers, bank account details, etc.
A word that is conspicuous by its absence is "cloud" - for the above sort of information to have been vulnerable, though, I think it must be their cloudy payroll.
The breach is said to have been through an "internal login" - most likely, therefore, the result of a careless employee, perhaps a victim of phishing.* I've always said that possibility is a risk, and it's one of the many reasons I don't like the idea of cloud.
* I actually read a different link to the one I posted; that one does say it appears to have been conducted by an employee.
Edited to add the strike out and footnote.
-- Edited by VinceH on Monday 15th of August 2016 11:15:00 AM
__________________
Vince M Hudd - Soft Rock Software
(I only came here looking for fellow apiarists...)
I'm not convinced it's the cloud this time Vince, as they use the word "large" when referring to the companies concerned, and why would any serious sized company ever use cloud payroll? That seems like finding a graphics design company is using a ZX Spectrum.
My impression was that this is good old fashioned plug in a USB drive, dump an Excel spreadsheet then straight out the door with it sort of crime.
Truth is we'll probably never know what the actual breach was or which country it was performed in, as it will be glossed over with a generic "data was stolen".
__________________
Shaun
Oops, responded pre-edit, but I still don't think that it's cloud based in this instance.
Certainly not defending the cloud, but just going on the article stating that the information was from large companies, and to my mind large = desktop solutions, small = probably doesn't realise that they should be using desktop solutions.
__________________
Shaun
Actually, reading that article again, I can see he talks about "The data that Sage are likely to hold on many UK companies and their staff will consist of" - so, yeah, you could be right. I conflated that with the breach itself, rather than seeing it as the writer making a point.
__________________
Vince M Hudd - Soft Rock Software