Category Archives: GDPR

Network Security Observability & Visibility: Why they are not the same

Guest article by Sean Everson, Chief Technology Officer at Certes Networks

In today’s increasingly complex cyber landscape, it is more important than ever for organisations to be able to analyse contextual data in order to make informed decisions about their network security policy. This is not possible without network observability. Organisations can now see inside the whole network architecture to explore problems as they happen. Observability is a property of the network system and should not be confused with visibility, which provides only limited metrics for troubleshooting.

With observability, organisations can make the whole state of the network observable and those limitations no longer exist. Observability provides the contextual data operators need to analyse and gain new and deeper insights into the network. This enables teams to proactively make more informed decisions to improve network performance and to strengthen their overall security posture because context is now available to troubleshoot incidents and make policy changes in real-time.

Unfortunately, observability is often miscommunicated and misunderstood, as visibility is repackaged by some vendors and sold as observability, when the two are not the same. Visibility and monitoring have an important role to play but observability is different. Visibility and the metrics it provides limits troubleshooting, whereas observability provides rich contextual data to gain deeper insights and understanding based on the raw data collected from the network or system.

With research showing that the average lifecycle of a data breach is 279 days, it is clear that organisations are slowly putting observability into practice and adopting ‘observability as a culture’. In the case of some well-known breaches, however, the timescales were much longer than that. The Marriott International breach, discovered in November 2018, had given hackers free access to the network since 2014. During this time, no unusual activity was detected and no alerts about the hackers’ access were raised.

Additionally, in the British Airways data breach in 2018, data was compromised over a two-week period, affecting 500,000 customers. This resulted in the Information Commissioner's Office (ICO) announcing that it intended to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR).

These two examples alone demonstrate how essential it is for organisations to begin to value the ability to understand their systems and behaviour by making their network observable.

Understanding Observability
Simply defined, observability is a measure of how well something is working internally, concluded from what occurs externally. Observability is creating applications with the idea that someone is going to observe them with the aim of strengthening and making system access decisions. The right combination of contextual data can be used to gain a deeper understanding of network policy deployment and every application that tries to communicate across the network. With an observability capability, attackers will therefore have a hard time attempting to make lateral ‘east-west’ movements or remaining hidden in the data centre or across the WAN. In turn, observability can provide a global view of the network environment and visual proof that the security strategy is effective and working.

Unfortunately, it’s not uncommon for infiltrations to go undetected in networks for days, weeks or months. The longer an infiltration goes undetected, the more vulnerable network systems become. To detect them effectively, all roles need to see inside the entire architecture. And, when this capability is built in, it is observability that enables greater insight into the overall reliability, impact and success of systems, their workload and their behaviour.

Conclusion
Research shows that companies who are able to detect and contain a breach in less than 200 days spend £1 million less on the total cost of a breach. That’s a figure no organisation can - or should - ignore. Organisations need a cyber security solution that can be measured and traced. Observability provides the contextual data so organisations can take measurable steps towards controlling system access of the network environment. With this type of observable analysis, organisations can gain deeper insights into how to enhance their security policy and detect unwanted access as it occurs.



Sean Everson, Certes Networks CTO

The Current State of CCPA – What You Need to Know

In the digital age, more often than not, you can be sure that some enterprise has hold of your personal information. This information could be your name, email, phone number, IP address, country and other details. This can come from submitting a form, subscribing to a newsletter, accepting cookies, accepting the privacy policy or terms […]

The post The Current State of CCPA – What You Need to Know appeared first on The State of Security.

Companies vastly overestimating their GDPR readiness, only 28% achieving compliance

Over a year on from the introduction of the General Data Protection Regulation (GDPR), the Capgemini Research Institute has found that companies vastly overestimated their readiness for the new regulation, with just 28% having successfully achieved compliance. This is compared to a GDPR readiness survey last year which found that 78% expected to be prepared by the time the regulation came into effect in May 2018. However, organizations are realizing the benefits of being compliant: …

The post Companies vastly overestimating their GDPR readiness, only 28% achieving compliance appeared first on Help Net Security.

Understanding five of the best algorithms leveraged to encrypt data

Estimated reading time: 2 minutes

With the advent of data protection regulations like the GDPR in the European Union, the Data Protection Bill in India and the POPI Act in South Africa, enterprises are turning to robust algorithms that build encryption solutions to keep valuable data safe.

Encryption is a process that encodes data so that only authorized users can read it; to anyone else the data appears as gibberish. Encrypted data that leaves the enterprise network can only be read by someone who holds the decryption key.

Enterprises understand the importance of effective utilization of data and ensuring it remains safe and secure.

There are various algorithms used to encrypt data.

AES (Rijndael)

Advanced Encryption Standard (Rijndael) is an encryption standard that has been used by the government of the United States since 2001. The key sizes are 128, 192 or 256 bits. It replaced the earlier Data Encryption Standard (DES), which had been in use since 1977. The 192- and 256-bit keys are used for encrypting extremely important information and are largely considered impervious to attacks from criminals.

RC6

RC6 is another type of symmetric cypher which was developed to meet Advanced Encryption Standard (AES) requirements. It was first published in 1998 with a block size of 128 bits and supports key sizes of 128, 192 and 256 bits. It is a proprietary algorithm patented by RSA Security.

Serpent

Serpent was also a finalist in the competition to replace the earlier Data Encryption Standard (DES) in 1998. It also has a block size of 128 bits and supports a key size of 128, 192 or 256 bits. It ranked second to Rijndael in the contest. It is a strong cypher but is considered slower than the AES. Since Serpent is in the public domain, it is free to be used by anyone.

Twofish

Twofish is considered among the fastest encryption standards and is hence favoured for usage among hardware and software enterprises. It is freely available and hence makes it popular. The keys used in this algorithm may be up to 256 bits in length and only one key is needed.

Blowfish

Blowfish is a flexible encryption algorithm which is widely used across different e-commerce platforms for various purposes, including password management tools. It is known for being fast and effective, and criminals find it almost impossible to decrypt the information. Since it is available in the public domain, it can be easily used.

Seqrite Encryption Manager (SEM) offers a robust encryption solution for business data by protecting corporate data residing on endpoints through the use of strong encryption algorithms like the ones mentioned above. Full disk encryption supports Microsoft Windows desktops and laptops and prevents data loss arising from the loss or theft of an endpoint. Seqrite Encryption Manager encrypts the entire contents of removable devices such as pen drives and USB drives and makes them accessible only to authorized users.

The key major features of SEM include:

  • Full Disk Encryption – enabling encryption of entire hard disk inclusive of user files, system media files, operating system files, etc.
  • Secure Data Access – enabling access to encrypted files on the move through removable storage on a system with an encryption agent
  • Fail-Safe Mode – allowing blocking of a machine in the case of unauthorized access with the network admin also receiving a notification
  • Optional Suspension – Allowing an administrator to temporarily suspend client boot protection while keeping data encrypted

These are just a few of the powerful features which enable Seqrite Encryption Manager (SEM) to ensure data is protected from unauthorized access enabling privacy and efficiency.

The post Understanding five of the best algorithms leveraged to encrypt data appeared first on Seqrite Blog.

EU Court Limits “The Right to Be Forgotten”

The European Court of Justice ruled that the E.U.’s “right to be forgotten” privacy law only applies within the borders of its member states.

“Currently, there is no obligation under E.U. law, for a search engine operator who grants a request for de-referencing made by a data subject… to carry out such a de-referencing on all the versions of its search engine,” stated the ruling.

The court’s decision stemmed from a legal battle between online search giant Google and French privacy regulator CNIL. CNIL had called for Google to remove any references containing potentially damaging or libelous information worldwide, and attempted to impose a €100,000 fine for non-compliance.

This is the first major court decision to challenge the “right to be forgotten” online since it became effective in 2014. The right, also called the “right to erasure”, grants E.U. citizens the ability to have data collected about them deleted. Google reports that it has received over 840,000 such requests, and has removed 45% of the referenced links.

“Courts or data regulators in the U.K., France or Germany should not be able to determine the search results that internet users in America, India or Argentina get to see,” said the executive director of privacy group Article 19 in a statement.

 

The post EU Court Limits “The Right to Be Forgotten” appeared first on Adam Levin.

Organizations continue to struggle with privacy regulations

Many organizations’ privacy statements fail to meet common privacy principles outlined in GDPR, CCPA and PIPEDA, including the user’s right to request information, to understand how their data is being shared with third parties, and to have that information deleted upon request, according to the Internet Society’s Online Trust Alliance (OTA). Organizations also have a duty to notify users of their rights in an easily understandable manner. OTA analyzed 29 variables in 1,200 …

The post Organizations continue to struggle with privacy regulations appeared first on Help Net Security.

ISO 27701 unlocks the path to GDPR compliance and better data privacy

We have good news for those looking for help complying with the GDPR (General Data Protection Regulation): new guidance has been released on how to create effective data privacy controls.

ISO 27701 explains what organisations must do when implementing a PIMS (privacy information management system).

The advice essentially bolts privacy processing controls onto ISO 27001, the international standard for information security, and provides a framework to establish the best practices required by regulations such as the GDPR.

Organisations that are already ISO 27001 compliant will only have a few extra tasks to complete, like a second risk assessment, to account for the new controls. If you’re not familiar with ISO 27001, now is the perfect time to adopt it.

ISO 27701 and ISO 27001: privacy vs security

The main difference between the two standards is that ISO 27701 deals with privacy and the implementation of a PIMS, whereas ISO 27001 addresses information security and an ISMS (information security management system).

These are related concepts – data privacy violations and information security violations are both generally categorised as data breaches. However, they aren’t identical.

  • Information security relates to the way an organisation keeps data accurate, available and accessible only to approved employees.
  • Data privacy relates to the way an organisation collects personal data and prevents unauthorised use or disclosure.

For example, if an organisation collects excessive amounts of information on an individual, that’s a privacy violation. The same is true if an unauthorised employee or cyber criminal gets hold of the data.

When building an information security framework, organisations must take extra steps to ensure that privacy concerns are accounted for alongside security issues.

ISO 27701’s approach recognises that by expanding on the clauses of ISO 27001 and controls in Annex A that relate specifically to data privacy, as well as providing two additional sets of controls specific to data controllers and data processors.

It also builds on the principle of information security by directing the reader to the more expansive privacy principles in ISO 29100. These cover a wider range of privacy concerns, including those discussed in data protection regulations internationally.

ISO 27701 and the GDPR

Although it has ‘data protection’ in its name, the GDPR is equally concerned about data privacy.

However, as you will have learned when implementing the Regulation’s requirements, the GDPR doesn’t include guidance on how to do so. This is to prevent it from becoming outdated as best practices evolve and new technologies become available.

That’s all well and good for the long-term, but what are organisations supposed to do right now?

ISO 27701 answers that question, explaining how to ensure data privacy is addressed adequately.

It’s not your only option when it comes to compliance advice, though. ISO 27701’s framework is broad, so that it can help organisations comply with multiple privacy regimes. For example, many organisations might use the Standard to meet the requirements of the CCPA (California Consumer Privacy Act).

By contrast, BS 10012 is a British standard that’s designed to help organisations comply with the GDPR and the DPA (Data Protection Act) 2018.

If your organisation needs to conform only to the GDPR and DPA 2018, you might find BS 10012 a better option.

However, if you’re looking for something more flexible – perhaps you need to assure non-UK stakeholders that you have adequate privacy controls in place – then ISO 27701 is more suitable.

Download our guide to learn more

This article is based on our free green paper ISO 27701 – Privacy information management systems.

The guide is ideal for organisations that want advice on how to strengthen their compliance posture and those that are familiarising themselves with privacy concerns and the GDPR.

It explains:

  • How ISO 27701 differs from and complements ISO 27001;
  • The structure and requirements of ISO 27701;
  • How ISO 27701 can help you achieve compliance with privacy laws like the GDPR and the DPA 2018; and
  • Which additional requirements will apply if you already have an established ISMS.


The post ISO 27701 unlocks the path to GDPR compliance and better data privacy appeared first on IT Governance Blog.

What Does GDPR Mean for Your Organization?

GDPR, or the General Data Protection Regulation, is a new law that has been enforced by the European Union since May 25, 2018. The goal of this regulation is to update the Data Protection Directive of 1995, which was enacted before the widespread use of the internet drastically changed the way data is collected, transmitted, and used.

Another key component of the GDPR is to update regulations about data protection for sensitive personal information. It places an emphasis on the need to protect any and all collected data.

At the core of this new regulation, it aims to simplify, update, and unify the protection of personal data.

Why Does GDPR Matter to You?

The main changes from GDPR mean that companies can no longer be lax about personal data security. In the past, they could get away with simple tick-boxes to achieve compliance. This is no longer the case.

Here are the top points to consider regarding the General Data Protection Regulation.

  1. A company does not have to be based in the EU to be covered by the GDPR. As long as they collect and use personal data from citizens of the EU, they must adhere to this regulation.
  2. The fines for violating the regulations set forth by the GDPR are huge. Serious infringements such as not having the right customer consent to process their data can net the violating company a fine of 4% of their annual global income, or 20 million Euros — whichever one is bigger.
  3. The definition of personal data has become wider and now includes items such as an individual's IP address and the identity of their mobile device.
  4. Individuals now have more rights over the use of their personal data for security purposes. Companies can no longer use long-worded terms and conditions in order to obtain explicit consent from their customers to process their data.
  5. GDPR has made technical and organizational measures for protecting personal data mandatory. Companies now need to hash and encrypt personal data in order to protect it.
  6. Registries relating to data processing are now mandatory as well. What this means is that organizations need to have a written record (electronically) of all the activities they would do with the personal data, which captures that lifecycle of data processing.
  7. Impact assessments for data protection, such as data profiling, will now be required.
  8. Reporting any and all data breaches is now mandatory. Organizations have a maximum of 72 hours to report a breach in their security, which places personal data at risk. If it poses a high risk for individuals, then it should be reported immediately or without delay.
  9. If an organization processes a large amount of data, they will be required to have a Data Protection Officer, who is in charge of monitoring compliance with the regulation and reports directly to the highest management level of the company.
  10. The GDPR is mainly focused on data protection by design and by default.

There is no doubt that the legal and technical changes the GDPR requires in order to comply at an organizational level are big. Achieving compliance takes more than information security or legal teams alone. It takes the creation of a GDPR task force within the organization that understands the changes and their effects on its operations. Its members will work together to meet the compliance requirements set forth by the new regulation.



GDPR One Year Anniversary: The Civil Society Organizations’ View

GDPR is a landmark in privacy jurisdiction. Through its 99 articles, it sets a framework for both businesses and individuals on their rights and responsibilities when it comes to protecting privacy. The most important element in my opinion is that privacy functions as a fundamental human right and needs to be protected. The Authorities View Although […]

The post GDPR One Year Anniversary: The Civil Society Organizations’ View appeared first on The State of Security.

Cyber Security Roundup for July 2019

July was a month of mega data privacy fines. The UK Information Commissioner's Office (ICO) announced it intended to fine British Airways £183 million for last September's data breach, in which half a million BA customer personal records were compromised. The ICO also announced a £100 million fine for US-based Marriott Hotels after the hotel chain said 339 million guest personal data records had been compromised by hackers. Those fines were dwarfed on the other side of the pond, with Facebook agreeing to pay a US Federal Trade Commission (FTC) fine of $5 billion to put the Cambridge Analytica privacy scandal to bed, and Equifax paying $700 million to the FTC to settle its 2017 data breach, which involved the loss of at least 147 million personal records. Big numbers indeed: we are seeing the big stick of the GDPR kicking in within the UK, and the FTC flexing some serious privacy rights protection muscles in the US. All 'food for thought' when performing cybersecurity risk assessments.

Through a Freedom of Information request, the UK Financial Conduct Authority (FCA) disclosed a sharp rise of over 1000% in cyber-incidents within the UK financial sector in 2018. In my view, this rise was fuelled by the mandatory data breach reporting requirement of the GDPR, given it came into force in May 2018. I also think the finance sector was reluctant to report security weaknesses pre-GDPR, over fears of damaging customer trust. Would you trust and use a bank if you knew its customers were regularly hit by fraud?

Eurofins Scientific, the UK's largest forensic services provider, which was taken down by a mass ransomware attack last month, paid the cybercrooks ransom according to the BBC News. It wasn't disclosed how much Eurofins paid, but it is highly concerning when large ransoms are paid, as it fuels further ransomware attacks.

A man was arrested on suspicion of carrying out a cyberattack against Lancaster University. The UK National Crime Agency said the university had been compromised and "a very small number" of student records, phone numbers and ID documents were accessed. In contrast, the FBI arrested a 33-year-old software engineer from Seattle, who is alleged to have taken advantage of a misconfigured web application firewall to steal a massive 106 million personal records from Capital One. A stark reminder of the danger of misconfiguring and mismanaging IT security components.

The Huawei international political rhetoric and bun fighting has gone into retreat. UK MPs said there were no technological grounds for a complete Huawei ban, while Huawei said it was 'confident' the UK would choose to include it within 5G infrastructure. Even the White House said it would start to relax the United States' Huawei ban. It seems something behind the scenes has changed; in my rather cynical view, this reversal in direction is more likely to be financially motivated than security motivated.

A typically busy month for security patch releases, with Microsoft, Adobe and Cisco all releasing the expected barrage of security updates for their products. Apple released security updates as well; however, Google researchers announced six iPhone vulnerabilities, including one that remains unpatched.


Four Key Questions to ask following a Cyber Attack

Guest Article by Andy Pearch, Head of IA Services at CORVID

Cyber attacks are inevitable, but it’s how an organisation deals with them that can make or break their business. Have they got all the answers, and do they fully understand the implications? Can they be sure the attack won’t happen again?

Swift and comprehensive incident response is a critical step to ensuring the future security of a business and protecting its reputation. It’s not enough to be aware that an attack is taking (or has taken) place. There are four key questions organisations need to be able to answer following a cyber security breach – if a single answer is missing, the security team won’t have the full picture, leaving the business vulnerable to impending attacks. Not having this level of insight can also damage an organisation’s relationships with suppliers and affect customer confidence, as it means the business itself is not in control of the situation.

Andy Pearch, Head of IA Services at CORVID, outlines four key questions all organisations must be able to answer after a cyber attack.

1. How and where did the Security Breach take place?
The first step of an effective incident response strategy is to identify how the attackers got in. Quite simply, if an organisation misses this first crucial step, attackers will exploit the same vulnerability for future cyber attacks. Guesswork won’t cut it – any security professional can hypothesise that “it was probably an email”, but security teams need clear evidence so they can fully analyse all aspects of the problem and devise an appropriate solution.

2. What Information was Accessed?
Understanding specifically what information was accessed by the attacker is paramount to knowing what impact the attack will have on the organisation. Identifying which departments were targeted or what types of information might have been stolen isn’t good enough; organisations need to be able to articulate exactly which files were accessed and when. 

Headlines about attackers stealing information are common, but just as importantly, you need to know the scope of the information they’ve seen, as well as the information they’ve taken. Not only will this inform the next steps that need to be taken, and shed light on which parts of the business will be affected, but it will also enable the organisation to remain compliant with legal obligations, for example, identifying if a data breach needs to be reported under GDPR.

3. How can Systems be Recovered Quickly?
Organisations will understandably want to get their IT estate back to normal as soon as possible to minimise damage to their business, service and reputation. If the compromise method is identified and analysed correctly, IT systems can be remediated in seconds, meaning users and business operations can continue without downtime for recovery.

4. How do you prevent it from happening again?
Knowing the IT estate has been compromised is useless without taking steps to make sure it doesn’t happen again. Managed Detection and Response (MDR) is all about spotting the unusual activity that indicates a potential breach. If a user is accessing files they would never usually touch, sending unexpected emails or reaching out to a new domain, for example, such activity should prompt a review. The problem for most companies, however, is they lack not only the tools to enable such detection, but also the time and skills to undertake thorough analysis to determine whether it is a breach or a false positive.

A managed approach not only takes the burden away from businesses, but also enables every company to benefit from the pool of knowledge built up as a result of detecting and remediating attacks on businesses across the board. With MDR, every incident detected is investigated and, if it’s a breach, managed. That means shutting down the attack’s communication channel to prevent the adversary communicating with the compromised host, and identifying any compromised asset which can then be remediated.

Shifting Security Thinking
Clearly, GDPR has raised awareness that the risks associated with a cyber attack are not only financial, as hackers are actively seeking to access information. Security plans, therefore, must also consider data confidentiality, integrity and availability. But it is also essential to accept the fundamental shift in security thinking – protection is not a viable option given today’s threat landscape. When hackers are using the same tactics and tools as bona fide users, rapid detection and remediation must be the priority.

UK Pub Chain ‘Greene King’ Gift Card Website Hacked

Major UK pub chain, Greene King (Bury St. Edmunds), had its gift card website (https://www.gkgiftcards.co.uk) compromised by hackers. The personal data breach was discovered on 14th May 2019 and confirmed a day later. The pub, restaurant and hotel chain informed their impacted customers by email today (28th May 2019).


Greene King said the hackers were able to access:
  • name
  • email address
  • user ID
  • encrypted password
  • address
  • post code
The pub chain did not disclose any further details on how passwords were "encrypted", saying only within their customer disclosure email: "Whilst your password was encrypted, it may still be compromised". It is long-established good industry practice for a web application to store passwords using a one-way, salted hash function, rather than storing customers' plaintext passwords in an encrypted (reversible) form.
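To illustrate the practice referred to above, here is an added example (not code from Greene King or from the original post) of a salted, one-way password store built on PBKDF2-HMAC-SHA256 from the Python standard library. The record format, iteration count and salt size are assumptions chosen for this example; unlike an encrypted store, there is no key that turns these records back into passwords, and two customers who chose the same password get different records.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not the site's actual configuration).
# A high PBKDF2 iteration count slows down offline guessing if the
# record store is ever dumped; scrypt or argon2 would be stronger still.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted one-way hash and return a self-describing record.

    Record layout: algorithm$iterations$salt_hex$hash_hex. Keeping the
    parameters next to the hash lets the work factor be raised later
    without invalidating existing accounts.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256",
            password.encode("utf-8"),
            bytes.fromhex(salt_hex),
            int(iterations),
        )
        # compare_digest avoids leaking how many leading bytes matched.
        return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))
    except ValueError:
        return False  # malformed record: wrong field count or bad hex/int


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """Flag records whose work factor is below the current policy.

    A site can call this after a successful login and transparently
    re-hash the password with the stronger parameters.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < min_iterations


if __name__ == "__main__":
    # Constructed sample: two customers who happen to pick the same password.
    alice = hash_password("Summer2019!")
    bob = hash_password("Summer2019!")
    print("records differ despite same password:", alice != bob)   # True
    print("correct password verifies:", verify_password("Summer2019!", alice))  # True
    print("wrong password rejected:", verify_password("summer2019!", alice))    # False
```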

No details were provided on how the hackers were able to compromise the gift card website, but there is a clue within Greene King's email statement, which suggests their website had security vulnerabilities that were fixable: "we have taken action to prevent any further loss of personal information".

The number of customer records impacted by this data breach has also not been disclosed. However, as this was a breach of personal information, Greene King was obligated under the DPA\GDPR to report the breach to the Information Commissioner's Office (ICO) as well as to its impacted customers. Both Greene King and the ICO are yet to release a press statement about this data breach.

This is not the first data breach reported by Greene King in recent times: in November 2016, 2,000 staff bank details were accidentally leaked.

Greene King Personal Data Compromise Email to Customers
Dear Customer,
I am writing to inform you about a cyber-security breach affecting our website gkgiftcards.co.uk.

Suspicious activity was discovered on 14th May and a security breach was confirmed on 15th May. No bank details or payment information were accessed. However, the information you provided to us as part of your gift card registration was accessed. Specifically, the hackers were able to access your name, email address, user ID, encrypted password, address, post code and gift card order number. Whilst your password was encrypted, it may still be compromised. It is very important that you change your password on our website, and also any other websites where this password has been used.

When you next visit our website, using the following link (https://www.gkgiftcards.co.uk/user) you will be prompted to change your password. As a consequence of this incident, you may receive emails or telephone calls from people who have obtained your personal information illegally and who are attempting to obtain more personal information from you, especially financial information.

This type of fraud is known as 'phishing'. If you receive any suspicious emails, don't reply. Get in touch with the organisation claiming to have contacted you immediately, to check this claim. Do not reply to or click any links within a suspicious email and do not dial a suspicious telephone number given to you by someone who called you. Only use publicly listed contact details, such as those published on an organisation's website or in a public telephone directory, to contact the organisation to check this claim. At this stage of our investigation, we have no evidence to suggest anyone affected by this incident has been a victim of fraud but we are continuing to monitor the situation. We have reported the matter to the Information Commissioner's Office (ICO).

As soon as we were made aware of the incident, our immediate priority was to close down any exposure, which has been done, and then confirm which customer accounts have been affected. I recognise that this is not the sort of message you want to receive from an organisation which you have provided your personal information to. I want to apologise for what has happened, and reassure you that we have taken action to prevent any further loss of personal information, and to limit any harm which might otherwise occur as a result of this incident.

Phil Thomas
Chief Commercial Officer of Greene King Plc.

Advice
  • Change your Greene King account password immediately, use a unique and strong password.
  • Ensure you have not used the same Greene King credentials (i.e. your email address with the same password) on any other website or app, especially with your email account, and with banking websites and apps. Consider using a password manager to assist you in creating and using unique strong passwords with every website and application you use.
  • Always use Multi-factor Authentication (MFA) when offered. MFA provides an additional level of account protection, which protects your account from unauthorised access should your password become compromised.
  • Check https://haveibeenpwned.com/ to see if your email and password combination is known to have been compromised in a past data breach.
  • Stay alert for customised messages from scammers, who may use your stolen personal information to attempt to con you, by email (phishing), letter and phone (voice & text). Sometimes criminals will pretend to represent the company breached, or another reputable organisation, using your stolen personal account information to convince you they are legit.
  • Never click on links, open attachments or reply to any suspicious emails. Remember that criminals can fake (spoof) their 'sender' email address and email content to replicate a legitimate email.
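The advice above recommends checking Have I Been Pwned for known-compromised credentials. The worked example below, added here and not part of the original post, shows how a Pwned-Passwords-style range check can be done without ever sending the password (or even its full hash) to the service: the client hashes the password with SHA-1, sends only the first five hex characters of that hash, and compares the returned suffix list locally. The range response in the block is constructed for this example (the counts are made up), so it runs offline; the `live_range_lookup` function, which targets the real `api.pwnedpasswords.com/range/` endpoint, is included for completeness but is not exercised here.

```python
"""
k-anonymity password check in the style of the HIBP Pwned Passwords API.

Added example, not code from the original post. The API shape (SHA-1 of
the password, 5-character hash prefix sent, list of 35-character suffixes
with counts returned) is the documented scheme; the sample response below
is CONSTRUCTED for this example and its counts are not real.
"""
import hashlib
import urllib.request
from typing import Callable, Dict

PREFIX_LEN = 5  # characters of the hex SHA-1 sent to the service

# Constructed sample range response for prefix 5BAA6. The suffix of
# SHA-1("password") is included so the check below finds a match; the
# other suffixes and all counts are made up for this example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    ),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple:
    """Split a 40-char hex SHA-1 into the prefix sent and the suffix kept local."""
    full_hash = full_hash.upper()
    return full_hash[:PREFIX_LEN], full_hash[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into a dict.

    Blank lines are skipped; a malformed line raises rather than being
    silently ignored, so a truncated response is noticed.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not count.isdigit():
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Return how many times the password appears in the breach corpus.

    Only the 5-character hash prefix leaves this function; the full hash
    and the password itself are compared locally against the returned list.
    A return value of 0 means 'not found in this range', not 'safe'.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    counts = parse_range_response(range_lookup(prefix))
    return counts.get(suffix, 0)


def sample_range_lookup(prefix: str) -> str:
    """Offline stand-in for the API, backed by the constructed sample."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def live_range_lookup(prefix: str, timeout: float = 10.0) -> str:
    """Fetch a real range from the Pwned Passwords API (not used offline)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix.upper()}"
    req = urllib.request.Request(url, headers={"User-Agent": "pw-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, sample_range_lookup)
        verdict = f"seen {n} times" if n else "not in sample range"
        print(f"{pw!r}: {verdict}")
```

The design point is that the service never learns which of the several hundred hashes sharing a prefix the client is interested in, which is why this check can be run against user-supplied passwords at registration or login time without disclosing them. Treat a non-zero count as a reason to reject or rotate the password, not the zero count as proof of safety.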

Top Tips On Cyber Security for SMEs

Guest article by Damon Culbert of Cyber Security Jobs

Cyber criminals are a part of modern life; from Uber account hacks to major business data breaches, our online identities are rarely safe. And, while big-name companies under threat often make the news, it is small and medium-sized enterprises who are actually their biggest targets.

Large businesses and government departments may seem like more obvious hacking targets with bigger payoffs, but these organisations can afford much more robust, well-kept and successful IT security measures and cyber security professionals working round the clock. Due to this, cyber criminals are much more likely to swing for easy targets like family businesses.

With the introduction of GDPR across Europe, all businesses are now much more responsible for the personal data they keep, meaning companies of all sizes cannot afford to be without at least the basic security measures. The UK National Cyber Security Centre (NCSC) has created a list of five principles as part of its Cyber Essentials Scheme. These are:

1. Secure your internet connection
2. Protect from viruses and other malware
3. Control access to your data and services
4. Secure your devices and software
5. Keep your devices and software up to date

All small businesses should know these principles and be putting them into practice, no matter how many staff they employ. In addition to this, here are a couple of other tips to keep hackers at bay which can be simply implemented into your business practices and keep the ICO (Information Commissioner’s Office) from the door.

Invest in Software and Hardware
While just functioning from day to day might be your only priority as a small business owner, investing in your technology will undoubtedly help in the long run. Keeping your software, such as antivirus software and operating systems, up to date will ensure that any vulnerabilities identified by the vendors are patched and there are no gaping holes in your cyber defences.

It might also be a good idea to invest in a good-quality back-up server and cyber insurance, so that if any personal data is ever compromised, your operations can simply switch to the back-up server without affecting your business. Cyber insurance will also help keep you covered in case any clients' personal data is lost and costs are incurred.

Staff Awareness
Without the awareness of your staff, no amount of cyber security measures will keep your business safe. 90% of breaches happen because of user interaction, most commonly through phishing scams. Sophisticated phishers can impersonate senior members of staff in your organisation and trick other employees into handing over login details, authorising bogus payments or redirecting bank transfers.

Ensuring that staff are made aware of how to identify phishing scams and even having experienced trainers come in to guide them through cyber security best practice may seem like a cost you can spare but will go far in keeping the walls around your business impenetrable.

Compliance
The GDPR states that businesses who suffer a breach must alert the ICO and any customers who may have been affected within 72 hours of discovery. This is vital, and although fines could still be handed out for failure to prevent a breach, these fines will be much higher if the ICO discovers that you kept the information to yourself for longer than the 72 hour period.

The average time it takes for an organisation to discover a breach is 229 days, and since the 72-hour clock starts at discovery, the time it takes for a breach to come to your attention is not in itself going to count heavily against you. However, regular reporting is likely to result in earlier identification, which will not only help you save time and money, but will also be a great trust signal to your clients that you take protecting their data seriously.

Pre-emptive planning
Security breaches are a ‘when’ not ‘if’ problem, so planning ahead is a necessity of modern business. 74% of SMEs don’t have any money saved to deal with an attack and 40% wouldn’t even know who to contact in the event of a breach. Having comprehensive disaster management plans in place will help keep you and your clients safe, keep your reputation in top shape and make sure you don’t have to pay out major money in the worst case scenario.

Plan of Action
The best thing for SMEs to do is to start small and keep building their defences as time goes on, helping keep costs down and customers happy. Here’s a plan of action to get started:

1. Start with the basics: follow the Cyber Essentials Scheme and bake these principles into your daily operations
2. Get an understanding of the risks to your business: check out the NCSC's '10 Steps to Cyber Security' for more detail than the Cyber Essentials provide
3. Know your business: if you still feel your data isn’t safe, research more comprehensive frameworks like the IASME standard developed for small businesses
4. Once you have a complete security framework in place, build on the NCSC's advice with more sophisticated frameworks, such as the NIST Cybersecurity Framework.

Learning from the Big Data Breaches of 2018

Guest article by Cybersecurity Professionals

What can we learn from the major data breaches of 2018?
2018 was a major year for cybersecurity. With the introduction of GDPR, the public’s awareness of their cyber identities has vastly increased – and the threat of vulnerability along with it. The Information Commissioner’s Office received an increased number of complaints this year and the news was filled with reports of multi-national and multi-millionaire businesses suffering dramatic breaches at the hand of cybercriminals.

2018 Data Breaches
Notable breaches last year include:

5. British Airways
The card details of 380,000 customers were left vulnerable after a hack affected bookings on BA’s website and app. The company insists that no customer’s card details have been used illegally but they are expected to suffer a major loss of money in revenue and fines as a result of the attack.

4. T-Mobile
Almost 2 million users had their personal data, including billing information and email addresses accessed through an API by an international group of hackers last August.

3. Timehop
A vulnerability in the app’s cloud computing account meant that the names and contact details of 21 million users were affected on Timehop. The company assured users that memories were only shared on the day and deleted after, meaning that the hackers were not able to access their Facebook and Twitter history.

2. Facebook & Cambridge Analytica
One of the most sensationalised news stories of the last year: Facebook suffered a string of scandals after it was revealed that analytics firm Cambridge Analytica had used the Facebook profile data of 87 million users in an attempt to influence President Trump's campaign and potentially aid the Vote Leave campaign in the UK-EU referendum.

1. Quora
After a “malicious third party” accessed Quora’s system, the account information, including passwords, names and email addresses, of 100 million users was compromised. The breach was discovered in November 2018.

GDPR
As the UK made the switch from the Data Protection Act to GDPR, businesses and internet users across the country suddenly became more aware of their internet identities and their rights pertaining to how businesses handled their information.

With the responsibility now firmly on the business to protect the data of UK citizens, companies are expected to keep a much higher standard of security in order to protect all personal data of their clients.

How many complaints to the ICO?
Elizabeth Denham, the UK’s Information Commissioner, said that the year 2017-18 was ‘one of increasing activity and challenging actions, some unexpected, for the office’.

This is shown in a 15% increase in data protection complaints, as well as a 30% increase in self-reported breaches. Since this is the first year of GDPR, it is expected that self-reported breaches have increased as businesses work to protect themselves against the much higher fines for delaying their announcement.

The ICO also reports 19 criminal prosecutions and 18 convictions last year and fines totalling £1.29 million for serious security failures under the Data Protection Act 1998. The office has assured that they don’t intend to make an example of firms reporting data breaches in the early period of GDPR but as time goes on, leniency is likely to fade as businesses settle into the higher standards.

What does it mean for SMEs?
With 36% of SMEs having no cybersecurity plan, the general consensus is that they make for unpopular targets. However, with the GDPR, the responsibility is on the business to protect their data so being vulnerable could result in business-destroying costs. Considering the cost to businesses could total the higher of 2% of annual turnover or €10 million, data protection is of paramount importance to small businesses.

How exposed are we in the UK?
At 31%, our vulnerability rating is higher than the Netherlands, Germany, Estonia (30%) and Finland (29%), but the UK is a more likely target for cybercriminals looking to exploit high tech and financial services industries, which are some of the most vulnerable across Great Britain.

Despite a higher level of vulnerability, the UK has one of the largest cyber security talent pools, showing there is time and manpower being dedicated to the protection of our data online.

https://www.cybersecurity-professionals.com/blog/2019/03/01/cybercrime-in-the-uk-infographic/