<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div><blockquote type="cite" class=""><div class="">On 6 Oct 2016, at 10:46, Shaw K.C. &lt;<a href="mailto:k.c.shaw@soton.ac.uk" class="">k.c.shaw@soton.ac.uk</a>&gt; wrote:</div><div class=""><div class=""><br class="">Perhaps even more sobering is the ICO penalty notice issued upon TalkTalk, which echoes many of the sentiments I hear at the University - and cost them a £400,000 fine and a completely trashed reputation.<br class=""></div></div></blockquote><div><br class=""></div>Hang on; that’s a completely different issue. Those TalkTalk customer details were compromised by an exploit of a vulnerability that was older than the perpetrator that executed it. That the fine was only £400,000 is somewhat derisory, given the number of people affected, and the impact it had on many of them. And I believe the CEO is still in post, on their £4m+ p.a. salary.</div><div><br class=""></div><div>Anyway, on the one hand there’s the security model applied by the university. I don’t think that’s made clear to staff (from my own past experience) in a pragmatic way. I think that’s something you could help improve, Kevin; put out the right messages, in a digestible format, where the advice makes sense.</div><div><br class=""></div><div>On the other hand there’s how staff / students carry out their work in the prescribed environment, given the set of tools the university gives them. If the security model makes what should be simple tasks cumbersome, it’s no big surprise that people will take short cuts. You could speak to Neil MacEwan about that, whom I was previously co-supervising as a PhD student on this very subject. 
If Neil’s still around, I think you’d enjoy a coffee together :)</div><div><br class=""></div><div>An example is the University “electronic communications policy”; it’s long-winded, and not pragmatic, e.g. how many people do you think, today, send personal emails from their Soton account and put PERSONAL in the subject line? (see 3.3.3 of <a href="http://www.southampton.ac.uk/assets/sharepoint/intranet/iSolutions/publicdocuments/Electronic%20Communications%20Policy.pdf.docx" class="">http://www.southampton.ac.uk/assets/sharepoint/intranet/iSolutions/publicdocuments/Electronic%20Communications%20Policy.pdf.docx</a>). I would guess the figure is well under 10%; perhaps even less than 1%. We probably don’t need to do too much detailed research to understand why.</div><div><br class=""></div><div>I know a previous Head of Information Security looked at the percentage of systems on campus that exchanged data with Dropbox, and I recall the figure was something like 70%; it was certainly surprisingly high. It wouldn’t be too hard to get the telemetry on the scale of the shadow IT “problem” from netflow or similar data. Of course the bulk of those devices are BYODs; and increasingly staff and students use their own devices. 
But it would be interesting to know the current shadow IT figures.</div><div><br class=""></div><div>Tim</div><div><br class=""></div><div><blockquote type="cite" class=""><div class=""><div class="">I would recommend you read the notice.<br class=""><br class=""><a href="https://ico.org.uk/action-weve-taken/enforcement/talktalk-telecom-group-plc-mpn/" class="">https://ico.org.uk/action-weve-taken/enforcement/talktalk-telecom-group-plc-mpn/</a><br class=""><br class="">An anecdote: one of the most senior people within the University telephoned a cloud-based storage provider (and was not verified by the provider) who, in an attempt to sell a "Corporate Solution" to the University, described how they had examined all of the data stored by the University, knew what it was, described password strength usage and continued for the next 30 minutes to explain many of the security considerations we should be making, but failed to recognise the paradox they were describing.<br class=""><br class="">I won't name names but can you guess who it was?<br class=""><br class="">Kevin Shaw<br class="">Head of Information Security<br class=""><br class=""><br class="">-----Original Message-----<br class="">From: Christopher Gutteridge [mailto:cjg@ecs.soton.ac.uk] <br class="">Sent: 06 October 2016 10:23<br class="">To: List for users of Mac OS X &lt;osx-users@ecs.soton.ac.uk&gt;; Shaw K.C. &lt;K.C.Shaw@soton.ac.uk&gt;<br class="">Subject: Re: [OSX-Users] OneDrive vs DropBox<br class=""><br class="">We're literally having some meetings as a result of the previous discussion.<br class=""><br class="">cc iSolutions Kevin Shaw who's our lead on this work.<br class=""><br class="">It's a work in progress, but the current thinking is to help staff categorise information security requirements from "freely allow 3rd party reuse (open data)" at one end and "a leak would result in significant loss of life or long term damage to the economy" at the other extreme. 
Then provide a guide to popular tools like Dropbox and their suitability.<br class=""><br class="">What I'm keen to do is provide a bit of a conduit between iSolutions and real users of these systems. We can't address the "shadow IT" question properly without knowing what people are doing, and more importantly<br class="">*why* they are doing it, which is why questions like this are very important.<br class=""><br class="">On 06/10/2016 09:43, Hugh Davis wrote:<br class=""><blockquote type="cite" class="">Following on from my post about using OneDrive, I wondered if perhaps I should stop paying Dropbox and start using OneDrive for my entire backup/sync, given that University accounts now get 1TB of OneDrive data - which is the same as I get from Dropbox for an annual payment of around £50.<br class=""><br class="">Reasons Against:<br class="">1. I’m not sure I want all my data to be in University hands?<br class="">2. I’m not sure that OneDrive allows sharing outside the University ??<br class="">3. I’m pretty sure OneDrive does not have the ability to get a URL for a directory or File?<br class="">4. I don’t know how well OneDrive does at keeping versions of files and deleted files - I think Dropbox now gives you one month to go back to old files?<br class="">5. I’m not far off retirement and then I’ll have to go back to Dropbox anyway!<br class="">6. Given MS’s record in this space I’m not sure I trust them to keep OneDrive working on a Mac. 
Dropbox has been perfect.<br class=""><br class="">Any thoughts, answers to my questions, or further reasons against?<br class=""><br class="">/h.<br class="">Hugh Davis<br class=""><br class=""><br class=""><br class=""><br class=""><br class=""></blockquote><br class="">--<br class="">Christopher Gutteridge -- http://users.ecs.soton.ac.uk/cjg<br class=""><br class="">University of Southampton Open Data Service: http://data.southampton.ac.uk/ You should read our Web & Data Innovation blog: http://blogs.ecs.soton.ac.uk/webteam/<br class=""><br class=""><br class=""></div></div></blockquote></div><br class=""></body></html>