Security Features - October 2011

Facilitating Secure Data Destruction
By Russell Harris, Chairman, BSIA Information Destruction (ID) Section
It is imperative, when facilities managers go out to tender for an information destruction service, that is ultimately going to be tasked with the handling and disposal of the most confidential and sensitive of their organisation's data - and the media it is held on - that they resist the obvious temptation to appoint the lowest priced provider, particularly, given the extent of the dangers that are out there, with the cost of identity fraud to the UK economy estimated by the Home Office to be in the region of £1.7 billion per year. The reality is that once information gets into the wrong hands - and there are plenty of criminals out there who will engage in activities such as data fraud - there can really be little control exercised over how it is ultimately used.
Recent research, undertaken on behalf of the BSIA's ID Section, and announced for the first time at the Total Workplace Management event, has taken a closer look at the experience of public and private sector organisations across the UK with regards to secure data disposal and discovered that nearly a fifth (19 per cent) have been the victim of a serious information breach. The survey also underlined that there can be no room for complacency with the vast majority of respondents - 79 per cent - believing that the threat posed by the loss of confidential information to their organisations had either increased or remained the same over the past 12 months.
A Question of Standards
When it comes to the handling and safe disposal of confidential waste in a professional manner, and to meet their corporate and personal liabilities under the Data Protection Act, facilities managers really need to look to waste management companies that actually specialise in this area and adhere to a structured code of ethics, comply with the security requirements set out in the European Standard EN 15713 which covers key elements such as: site security, material specific shred sizes, the actual recording of the destruction process and the vetting of their staff who will be handling the sensitive material to BS 7858.
For our part at the BSIA's ID Section we have been promoting best practice, and helping to develop industry standards, for over a decade now and we were heavily involved, through a Code of Practice and a British Standard, in what ultimately became EN 15713.
Addressing the Data Disposal Gap
Unfortunately, the adoption of a 'sticking plaster' approach by some organisations to measures such as shredding, when dealing with their confidential material, whether it be paper-based information or stored on computer hard-drives, and who they ask to handle it has created what we would see as a worrying data disposal gap. Although cost can be a legitimate concern for facilities managers when outsourcing disposal, in these tougher economic times, price should only ever be judged as one of a number of factors, and not as the prime driver when a decision is being made to implement an information destruction service. We would argue instead that when searching questions are being put to prospective providers, a request for concrete evidence of EN15713 compliance should be at the very the top of the list rather than in many instances being an afterthought, or not mentioned at all.
Cutting corners may appear attractive at first glance but taking risks with information destruction stores up future problems, issues which are liable to come back to hit organisations when they least expect it. The 2009 study by BT and the University of Glamorgan where they bought up 300 second hand computer hard-drives and found that 34% still contained sensitive data - from patient details to a missile defence programme - starkly illustrates this point. A growing number of organisations are suffering at the hands of unscrupulous providers only finding out later, when data is exposed, that hard-drives they thought were wiped, or documents shredded, had not been processed professionally but simply sold-on, dumped with normal waste, or disposed of through fly-tipping. One worrying statistic that emerged from our recent ID Section survey is that a third of those who replied are still relying on standard municipal waste disposal to deal with even the most sensitive of their data, with all the dangers which this entails.
It was also disturbing to discover that whilst 50 per cent of those questioned claimed that their organisation used a professional service for information destruction, in reality only half of this number were able to confirm that their provider met the EN 15713. So the bottom-line is that only a quarter of organisations actually have a service in place which, in our experience, could be deemed to be appropriate. Given that our own members who all meet stringent best practice standards destroy in excess of 300,000 tonnes of confidential waste every year, the amount of waste that is not being handled correctly, and open to criminal exploitation, at a conservative estimate could run into hundreds of thousands of tonnes.
Detailing Data Breaches
In terms of where data breaches are actually happening, we discovered in the ID Section research, for instance, that half of these involved paper and the rest where attributed to computer hard-drives. Sadly data breaches, by their very nature, are not going to be flagged up ahead of time so when they do occur, critically, there can be serious ramifications for the organisations involved, their employees and their customer base which can take months or even years to resolve. The financial impact and reputational damage are likely to be considerable. To put this into context, the average cost of a data breach reached £1.9 million in 2010, having risen for three successive years (according to an annual UK study sponsored by data protection firm PGP Corporation).
This is not withstanding, of course, the potential for fines that can be imposed as a consequence of failing to comply with the Data Protection Act. The Information Commissioner's Office (ICO) now has the ability to issue penalty fines of up to £500,000 to those who do not meet their obligations. Surprisingly, of those questioned in the ID Section research, only 41 per cent knew about the toughening of the ICO's enforcement powers so there is still much work to do in communicating the message regarding the action that can be taken against those who are failing to comply. 
Avoiding the Pitfalls
There really is little sense in such a security-critical area of making a choice based on a single criteria like price, when choosing the wrong provider can have such far reaching ramifications. The question that needs to be asked, if your organisation is using a provider that has not instituted appropriate security measures to handle your sensitive waste, is what are you really achieving from having such a service in the first place? It is certainly not providing the peace of mind that information is being disposed of professionally or will convince the authorities that you and/or your data controller are acting in an appropriate manner.
Of course some will counter that they have been using an information destruction company that is not accredited without any problems. The response to this would be that without the right framework in place it is likely the positive outcome to date will have been more the result of luck rather than design. Where confidential information is concerned the last thing you should be doing is gambling given how high the stakes are if things go wrong.
The customer facing end of a prospective supplier may seem convincing with smart uniforms, a slick website and vehicles, but if there is not the substance behind this shiny facade and, critically, they are not actually working to the EN 15713 standard, then there can really be no confidence that they are in a position to deliver a secure service.
Another major issue which organisations need to be aware of when they go down the route of using cut price, sub-standard, suppliers is the serious lack of staff vetting taking place to pick-up on criminal elements who may seek employment at such firms so they can gain access to data, and sell it on, before it is disposed off.
Securing Disposal
The message therefore has to be to facilities managers, who are increasingly playing a pivotal role in the decision making process on secure data disposal, to remember why such a service is needed in the first place. They should have uppermost in their minds the far-reaching implications if the process is handled in a less than professional manner, and, crucially, the importance that the information destruction provider selected complies with the EN 15713 standard.
For more information about secure data destruction please log on to www.bsia.co.uk/shredding. A video interview with Russell Harris on the findings of the ID Section's research can be found on the BSIA's YouTube Channel at: http://youtu.be/7ieh03Vhp30

OSID by Xtralis Scores Its Third Accolade in 2011 – ASIS Industry’s Most Innovative Product Award
Xtralis proves itself again as the foremost industry innovator with its eleventh victory within the life safety and security space
(Hemel Hempstead, UK, 7th September 2011) Xtralis, a leading provider of early warning fire detection and security solutions worldwide, announced today it was named the recipient of the top product award in the 2011 ASIS Accolade competition for its revolutionary new Open-Area Smoke Imaging Detection (OSID) product. Xtralis has shipped and installed over 400,000 Early Detection products in most mission-critical locations, protecting lives and valuable assets in over 100 countries worldwide for the past 25 years. The revolutionary OSID solution has been installed, tested and proven in such challenging environments as metro tunnels and stations, bus depots, manufacturing facilities and warehouses throughout the world. The award is the latest in a string of accolades afforded Xtralis worldwide, the fifth for OSID since its launch in 2010, and third this year alone. OSID is the only life safety smoke detection product to receive three esteemed accolades in 2011.
ASIS Accolades are associated with the ASIS Exhibition, a comprehensive global event focused on successful security, which will be held this month in Orlando, FL, USA. It draws an audience of nearly 20,000 top professionals from the private sector, military, federal and state governments, and corporate decision-makers with enterprise-wide security on their minds. ASIS Accolades are prominent awards recognising innovative security solutions; over seventy products competed this year for the 2011 ASIS accolades, and a panel of judges selected 10 of them as winners. The panel of judges was made up from end-users and experts in security and safety technologies.  
Judges were impressed by OSID’s unique characteristics making it superbly tolerant to building movement, steam, insects, dust and solid object intrusions. Product innovations overcome the limitations of traditional optical beam detection solutions often used in open spaces where standard smoke sensitivity, standards-compliant detection is required. The patented combination of dual wavelength Emitters, a CMOS Imager, advanced detection algorithms and 3D coverage, delivers unrivalled reliability, high immunity to false alarms, and intuitive, low cost installation and alignment. OSID installation and alignment can be 50%-75% less than existing products. On top, OSID provides more than 50% increase in sensitivity over that of traditional beam detectors.
“OSID surpasses the expectations of end-users and system integrators alike when selecting an Xtralis product. The OSID innovation provides an advanced detection solution offering significant revenue to our customers and proven value to end-users and installers, coupled with lower total ownership cost and unparalleled performance,” says Ian Ehrenberg, Senior Vice President of Sales and General Manager - Americas for Xtralis.  
Xtralis reinforces its strong position as the global innovator in security and life safety technologies. The company is continuing to surpass the expectations of values and this prestigious award reaffirms the company’s commitment to delivering excellence and innovation in smoke detection and security solutions. Xtralis’ winning innovations have been recognised globally for their ability to solve real problems and dramatically enhance life safety and valuable asset protection, while delivering major economical advantages and opportunities.

Samsung introduce two new HD megapixel network vandal resistant domes with built-in IR LEDs
Samsung have added two new HD megapixel models with built-in IR LEDs to its network vandal-resistant dome camera range.
The SNV-5080R and SNV-7080R are able to deliver high definition images during both daylight hours and in pitch-black darkness, making them suitable for a wide range of applications requiring effective 24-hour surveillance, including car parks, industrial estates, petrol forecourts, schools, hospitals, retail parks, airports and ports.
The SNV-5080R incorporates a 1.3 megapixel camera with a motorised varifocal lens and, with its 15 built-in IR LEDs, is able to capture up to  1280 x 1024 (4:3 format) and HD 720p (16:9 format) images of objects up to 15 metres even in zero light.
The SNV-5080R features Samsung Techwin’s WiseNet1 DSP chipset to deliver a host of advanced functions such as license-free Intelligent Video Analytics (IVA), which includes optical tripwire and enter/exit direction detection, as well as an Appear/Disappear function to detect the movement of objects. IVA also has a scene change tampering function which creates an alert if, for example, paint is sprayed on a camera lens or there is unauthorised movement of a camera away from its usual field of view.
The H.264, MPEG4, MJPEG and JPEG compression methods incorporated into the SNV-5080R provides users with the ability to simultaneously transmit images to multiple locations at various frame rates and at different resolutions allowing different users, if authorised, to simultaneously monitor live images at one location, whilst recording video evidence at another. POE (Power over Ethernet) functionality reduces installation costs by providing both power and video/audio transmissions via a single Ethernet cable.

SecurEnvoy warns that DigiNotar hack affects millions of Internet users
Responding to reports that Dutch digital certificate service DigiNotar, part of VASCO Data Security International, was hacked by politically-motivated cybercriminals, SecurEnvoy has warned that the scale of the attack could be far larger than was originally thought and compromises the security of millions of Internet users
According to Steve Watts, co-founder of the tokenless two-factor authentication specialist, as the facts start to emerge about the hack, the various pieces of the digital jigsaw are now coming together - and, he says, it doesn't look good.
“Depending on who you talk to - and which newswire you read - there may be as many as 200 fraudulent digital certificates in circulation, and every one of them could be misused for financial gain, politically-motivated eavesdropping and all sorts of electronic hackery,” he said.
“The problem the global Internet faces is that such is the reliance on certificates as a means of authenticating that the entity at the other end of the IP connection is who they claim to be, the automated systems at the heart of the Internet have no means of knowing when they are being fooled,” he added.
Watts went on to say that the fact that a digital certificate issuer has been hacked into is of great concern to his company – and should be of concern to anyone interested in the ongoing security of the Internet.
This saga, he explained, is similar to the RSA Security hacking incident earlier this year - where stored security keys were compromised - in its potential to affect a large number of end users of Internet services. Unfortunately, whilst RSA has been able to re-issue new hardware tokens to its clients and so partially remediate the situation, this latest mega-hack cannot be resolved without a tree-and-branch restructuring of the Internet's architecture.
The SecurEnvoy co-founder says that initially he thought the hacking of DigiNotar's systems was driven by so-called hacktivists that simply wanted to prove that it could be done. Then, he adds, further facts started pointing towards financially-motivated cybercriminals who were looking for revenue.
But now, he said, the latest pieces of the jigsaw emerge with newswires reporting that political hacktivists were responsible - causing Watts' brow to furrow - as he added, politically-motivated hackers are the worst of the worst.
“The problem is that, whilst cybercriminals are in it for the money - and will move on if the going gets too tough - political hacktivists don't move on. They don't give up. They are fanatics and driven by forces far greater than human greed and avarice. This is what makes me think the scale of this problem may be far larger than previously thought,” he said.
“This latest digital certificate fiasco aside, however, the bottom line here is that authentication systems should not be reliant on third party manufactures storing any security keys. Some vendors - such as SecurEnvoy - have well-designed security offerings that do not require manufacturers to store any keys online, as the required keys are created within the customers’ own trusted environment,” he added.
“Incidents like this highlight the shortcomings of the current digital certificate architecture and also show that more innovative solutions could have prevented certification authority incursions like those affecting DigitNotar and RSA from causing problems for millions of users of the Internet.”

Security supplier subject to curfew after being found guilty of supplying unlicensed guards
A security supplier has been electronically tagged after being found guilty of supplying unlicensed security guards and failing to provide material to the Security Industry Authority.
Duncan Thorburn, 54, who traded as Thor Security, based in Bolsover, Derbyshire, was found guilty of 17 offences of supplying unlicensed security operatives, failing to provide material to the SIA, and making a false statement to the SIA.
Thorburn, of Newark, was in addition a director of Thor Security Services Limited. Seventeen additional counts of supplying unlicensed security guards against Thorburn as director of Thor Security Services Limited were dismissed because the court determined that this company was not the relevant company.
During their initial enquiries, SIA investigators uncovered irregularities in the paperwork submitted by Thorburn. The investigation went on to identify unlicensed security guards George and Kevin Hannah who were being deployed by Thorburn through Thor Security. George and Kevin Hannah were consequently prosecuted by the SIA and fined for working without an SIA licence. 
Thorburn attempted to hide the fact that he was using unlicensed security guards by failing to provide material to the SIA, altering documentation and falsely claiming that some material was routinely destroyed.
Thorburn entered a not guilty plea in June and this was maintained throughout the course of the trial the Court in Chesterfield, which concluded on 23 Aug. Thorburn argued that his sole trading entity Thor Security held SIA Approved Contractor status, as well as Thor Security Services Limited, and thus he was entitled to supply unlicensed guards under Licence Dispensation Notices. He also claimed he was unaware the guards were unlicensed. Both arguments were dismissed by the judge.
The prosecution was able to prove that Thorburn had knowingly and regularly deployed 10 unlicensed security guards to seven customers between Dec 2008 and Jun 2010, mainly at construction sites, industrial units and in providing a mobile security alarm response service.
Thorburn was sentenced to a six-month community order, during which time he is required to observe an electronic tagging curfew, and was ordered to pay £1000 towards prosecution costs.
Of Thorburn’s deployment of the unlicensed guards, Judge Goulborn said Thorburn was “in control of the company” and therefore had “ultimate responsibility.” Thorburn could not rely on the defence of not knowing the guards were unlicensed because he “had sole responsibility for hiring, firing and training”, and the evidence of witnesses was “overwhelming,” she added.
Of his failure to provide material to the SIA, Judge Goulborn said: “In my view, that was an attempt to try and hide the fact that his company was using unlicensed guards and I find no reasonable excuse for Thorburn’s non compliance. “Thorburn deliberately kept back information from the SIA and that documentation which had been available was deliberately destroyed, a serious offence.”
SIA Head of Investigation Sara Brennan said: “This investigation uncovered a large number of offences, which demonstrated a prolonged willingness to supply unlicensed security guards, presenting a potential risk to the public.
“A thorough investigation was not deterred by incriminating information being doctored by Duncan Thorburn prior to being handed to the SIA. A number of witnesses courageously provided evidence on behalf of the SIA, which led to this conviction.”

CCTV in fire verification
Developments in the technology and scope of CCTV systems have led to their use in a variety of applications that go beyond their traditional security function. Detection and visual verification of smoke and fire is a key example where CCTV can be utilised to protect businesses and minimise damage, but despite this fact, a BSIA survey has shown that few organisations are taking advantage of these additional capabilities. This is a missed opportunity for businesses, as making use of the added protection provided by CCTVs in addition to standard fire alarms is becoming increasingly important to ensure protection and response to fire incidents.  Few businesses in fact realise that if a fire alarm goes off in their building when unoccupied, they will have to verify it themselves or, if particularly lucky, rely on a fire officer to confirm the presence of the fire and only then call appliances to attend.
Fire and smoke can be massively disruptive for businesses. According to the Association of British Insurers, fire damage cost insurers up to £3.6 million every day in 2009, and the potential loss for the business itself is also considerable, taking into account the impact on business processes and the cost of unplanned downtime. Not only this, fire and smoke pose a significant threat to the health of staff and customers. In the worst cases, the short-term effects of such incidents are so severe that many affected businesses never recover, despite insurance payoffs.
Unfortunately, although still effective, traditional fire alarms are not necessarily enough to guarantee the immediate identification and response to fire incidents, especially when large premises are involved such as office spaces. According to the latest national statistics released in 2010, 75% of fires that took place in 2008 occurred where detectors were in place but did not operate, caused by the fire not reaching the detectors.
Video Content Analysis (VCA) systems automatically analyse CCTV images to generate useful information about the image content and issue alerts to security personnel should an incident occur. In theory, any action or 'behaviour' that can be seen and accurately defined on a video image can be automatically identified by a VCA system, and the scope of this technology has led to its use in a variety of applications including external and internal intruder detection; the monitoring of buildings for health and safety purposes; people counting; automatic event and incident detection; safety enhancements for public areas and smoke and fire detection. Unlike conventional smoke detectors, that react only once the smoke reaches the device, VCA systems can in fact identify smoke at any distance, as long as it is within the cameras’ visual reach.
Fast detection of smoke and fire is crucial to ensure speedy emergency service response and evacuations. Moreover, the fire service is increasingly reliant upon visual verification when responding to emergency calls, so CCTV can also help ensure their speedy response. It also enables visual verification to take place at a distance, without compromising the safety of individuals. This is what makes this technology so important in guaranteeing the safety of premises, equipment and staff. Moreover, once the emergency response has been guaranteed, CCTV systems can prove invaluable in guiding the fire service to the location of the fire without putting lives at risk.
Considering this vital function, it is important for staff with responsibility for the security of premises to understand the many ways in which CCTV systems can not only protect premises against security breaches, but also aid with the health and safety of staff and premises. A reputable supplier will be able to advise the people responsible for the procurement of the system on how to make best use of the technology available. BSIA members meet strict corporate requirements, so customers who source CCTV systems and developing technology from them can be confident that they will receive quality advice and an excellent service. For more information visit www.bsia.co.uk/cctv

US giant Apollo Security partners with Magenta Security for its UK operations
US based private security giant company, Apollo has partnered with Magenta Security, one of the UK’s leading private security companies, for its UK manned guarding operations. The partnership will give Magenta Security an opportunity to take up security activities for both US and non-US clients in the UK.
Magenta Security Services managing director, Abbey Petkar said: “The international partnership is an incredible achievement for Magenta Security. It is an acknowledgement of our track record for providing highly professional services across a number of sectors and industries across the UK. Our CSR and other green initiatives also influenced Apollo’s decision to choose us for their operations in Britain. We really look forward to working with Apollo.”
Apollo offers a variety of services and capabilities for both US and non-US clients. These activities include physical security surveys in the Middle East and Latin America, examining intellectual property and due diligence issues in Europe, Asia, Africa and the Americas, and providing advice and counsel to companies doing business from Australia to the Caribbean and beyond.
Magenta Security provides high quality, bespoke staffed security services to demanding and discerning customers throughout the United Kingdom.