The ‘hokey kokey’ of the Referendum debate

With June 23rd closing in upon us, political ping pong seems to be the order of the day. With so many mixed messages in the market, it is difficult to see the wood for the trees.

As we are all aware, this is obviously a personal decision, but I believe it is one that should be based upon facts, not political point scoring around the pros and cons of a Brexit decision.

We are given some estimates suggesting the total economic cost of EU membership is around 11% of our annual GDP, at around £200 billion. Some say this money would be better spent on new British industries. It is also stated that the EU is one of the world’s largest markets, accounting for 25% of global GDP.

The interesting point is that the EU is said to be our biggest trading partner, with 45% of the UK’s exports going to the EU and 50% of all imports coming from the EU. You could argue that our membership makes us a more attractive destination for foreign investment. Figures from 2012 show we received around £937 billion of Foreign Direct Investment, while 50% of UK FDI is EU-related.

‘Brexiters’ think we could independently pursue international trade deals with China, India and the US. This may well be true, but there is nothing stopping us today, or is there?

It is said that the EU has many layers of bureaucracy and regulatory issues.

I see that Nigel Farage believes we could strike an agreement with the EU that is similar to Norway’s, having access to the EU but not being bound by it.

Not to mention the most charged debate of all, around the effect of immigration on the country.

When I questioned my professional colleagues, it was very clear to me that they all have differing opinions, some to stay in and some to exit. Both sides put up convincing arguments and, as far as I can see, neither is wrong and there is value in both.

One thing that is understood is that we are all aware of where the EU has taken us as a country since 1972, but what would exiting deliver, and where would this untrodden ground take us? In reality, nobody knows.

I therefore question what the real issues are and whether we are being given all the correct facts, plus what the motives are. Will we ever understand what it will mean to us before we are asked to vote in 27 days’ time, or will we all simply be voting upon minimal information, based on the approach favoured by our local MPs and on a set of reforms negotiated by Prime Minister David Cameron, be they weak or strong?

As an IT Managed Services Provider we could sit on the fence; however, for a few of our customers, leaving the EU could have major repercussions.

What do you think?  How might it affect your business?

The UK Referendum – Macro and Micro events impacting on your IT environment

The Macro Picture
On 23rd June 2016, all British, Irish and Commonwealth citizens resident in the UK will be able to exercise their democratic right to vote for the UK to remain a member of the European Union, or leave the EU.

As you would expect in a modern democracy, all eligible citizens will be free to vote as heart or mind dictates, and it is no surprise that such an economically seismic event is leading to much debate and consideration by politicians, pundits, colleagues and friends alike.

However you vote on the day, this event can rightly be classed as a genuine macro event, one which happens not every 5 years but potentially once a generation, and both outcomes of the vote have the potential to profoundly impact the UK business environment.

As an organisation that provides integral support to businesses both within the UK and across the world, we have been keeping a keen eye on the implications of staying in or exiting, and we know a number of our customers have been doing the same. We are aware that customers across industries have been undertaking discreet assessments of their business footprint, trading parameters and IT infrastructure, so that policies and processes are developed to accommodate both outcomes. Amicus ITS’ regulatory and compliance teams have been very active with a number of customers to ensure the implications of data management and the storage of data offshore from the UK are clearly known and managed.

At Amicus ITS, our position on the need to assess, review and prepare your IT and data management infrastructure so that it is ready for any outcome is clear: TAKE ACTION, however discreetly, to reassure the stakeholders in your business that you can manage and thrive in the unknown environment to come. Depending upon your perspective, macro events can be dealt with as minor bumps in the road or as full-on roadblocks. Your position on this should be determined by action, not inaction.

The Micro Picture
So what about micro events? These exist all around us and are numerous within the commercial environment in which all companies operate. This is the same whether within the UK, the EU or across the globe, and within Amicus ITS we see the impact of these every day. Invariably, our everyday policies, procedures and good common sense ensure that micro events are managed and dealt with in a clean and efficient manner. However, at such a critical time as a major referendum, macro and micro events are inexorably drawn towards each other, and this is something we are already starting to see within the IT managed services support environment.

As 23rd June approaches, we are starting to see a rise in the number of micro cyber security incidents within our customer base, ranging from CryptoLocker attacks to targeted DDoS attacks. More worryingly, we are seeing refined and highly complex preparation and targeting of brands and institutions for whom the macro outcome of the vote could be doubly impacted by a breach of their security thresholds. A complex and high-profile breach of cyber defences at the time of our Referendum could damage both the commercial performance and the reputation of companies and brands who may need to support a new direction within their chosen business space.

The simple truth is that macro and micro events happen all the time. Focusing on the right sort of preparation and planning, so that IT infrastructure and security are kept at the front of your mind alongside doing what you do best, means that you can successfully adapt to any outcome and take some time to embrace it, whichever way things go.

The 53rd State of IT

Photo caption: A Union Jack flag flutters next to European Union flags ahead of a visit by British Prime Minister David Cameron to the European Commission in Brussels, Belgium, 29 January 2016. Cameron arrived in Brussels for unscheduled talks on a Brexit referendum. (EPA/Laurent Dubrule)

Research has suggested that British technology companies are significantly in favour of remaining within the EU, but Matt Warman, Conservative MP for Boston and Skegness, told a debate about the UK’s digital future that if the sector was so passionate about that position, it should speak up and hope to influence public opinion.

“The tech community is very, very strong in the opinion [that technology] is global,” said Warman, who is also in favour of staying in the EU and is a former consumer technology editor of The Telegraph and chair of the all-party parliamentary group for Broadband and Digital Connectivity.

“If you guys believe this stuff, get out there and say it. It’s a hard task for politicians because we are often not the most trusted people in the room.”

Tech and politics
He noted that US-based technology figures, such as Apple CEO Tim Cook and Mark Zuckerberg, hold strong political views as well, particularly with regards to the Republican party frontrunner Donald Trump’s hopes of becoming the next president of the USA.

Indeed, Box CEO Aaron Levie opened his keynote speech at an event in London last week by “apologising” for Trump’s views, which have proved divisive both at home and abroad. However, Warman accepted that technology firms had to balance their political beliefs with commercial sensitivities.

“Businesses need to find a way to get it out there. They need to … publicly say it rather than hope [the Referendum] goes one way.”

Industry support for EU
Research from industry body techUK suggests that 70% of its members want to stay in the EU, 15% want to leave and 15% don’t know. The majority support the UK’s membership because it makes the country more attractive to international investment, makes the UK more globally competitive and gives it a more favourable trading relationship with other members.

“There is a strong message from the tech industry that Europe is good for business. Tech leaders are clear that the UK needs to be holding the pen on the laws that affect their businesses,” said Julian David, techUK CEO.

“A vote to remain is a vote to ensure the UK voice is at the heart of policies that support the UK’s most innovative sector to continue to grow and create jobs. A vote leave would mean that the UK tech industry would lose its voice on the issues that matter most.”

Tech London Advocates surveyed its members and found that 87% oppose Brexit (the Leave campaign), because they believe that membership of the EU boosts the UK economy by making it more attractive to international businesses looking to operate in Britain.

It seems that just 3% of respondents favoured the UK leaving the EU. The remaining 10% reportedly declined to express their opinion on the matter.

It is clear there is concern within the tech industry about the impact of losing access to the European market. The survey found that nearly three in four (71%) feel Brexit would make it harder to reach customers in EU countries, and threaten existing relationships with suppliers based in Europe.

And more than four out of five (81%) believe that Brexit would make it harder to employ people from EU countries.

“London has established a global reputation as the digital capital of Europe,” Russ Shaw, the founder of Tech London Advocates said. “There is significant concern within the digital community that Brexit would undermine this position and threaten relationships with the European market.

“Attracting international companies to the capital has been one of the great success stories of London’s digital economy,” said Shaw. “Brexit could see global businesses locating in emerging digital hubs in Berlin, Paris and Stockholm rather than London.”

Besides the above reasons, it seems that the London tech sector is not keen on the uncertainty that could be generated by a British exit.

“There are things I don’t agree with in the EU, but no one can tell us what the alternative will be like,” said Michael Seres, founder, 11Health. “I have an investment round coming up and am looking to hire 14 new people in the next 2 years; I can’t make those decisions if my access to markets and the regulation in this and those markets is unknown.”

Business Risk

“The business risk of leaving the EU is on balance too high,” said Nick Thomson, Chief Revenue Officer at Workshare. “Not just for us but for all businesses engaged in the sharing of data securely.”

And Thomson pointed out Europe’s role in tackling America over recent data protection concerns.

“As a large trading block the EU was able to secure the EU Data Protection Regulation against US pressure,” said Thomson. “The UK may well have to compromise this level of data protection in the negotiation for its new trade concession from the US, leading not only to less data security for people and businesses based in the UK, but also making it vastly more complicated to share data with the rest of Europe – our main trading partners.”

There is a real possibility that the UK could vote to leave: recent polls have suggested that almost seven in 10 pensioners want to leave the EU, while young people are more likely to be pro-European but less likely to cast a vote.

Thoughts

It is clear that the UK Referendum will have a potentially significant impact on IT and data, which are quickly becoming, and always should have been, the “crown jewels” of every company. If you consider what transpired with Safe Harbour, and with the European General Data Protection Regulation (GDPR) on the horizon, would the UK be in such a strong bargaining position outside the EU, or would we be caught in between the US and the EU?

Added to this, the European GDPR will come into effect before the UK can legally depart the EU, so data controllers and data processors need to think ahead for this anyhow. That is before we even consider what the UK’s Data Protection and Handling Policy would look like post referendum if we exited.

Technology is global. Manufacturers are producing to global standards, and yet we still have geographic data protection regulations to adhere to. Would a global data protection standard work? Could nation states agree to subordinate their preferred local interests to a global framework, and would this mean watering it down to gain agreement?

What do you think?

The EU General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation introduces crucial data protection requirements for companies with data subjects in the European Union. This page offers a breakdown of the key provisions that will come into force May 2018.

Final text
The final text of the EU General Data Protection Regulation (GDPR) is now available and has been approved by the European Parliament.

Penalties
The Regulation will enforce tough penalties: breached organisations can expect fines of up to 4% of annual global revenue or €20 million, whichever is greater. Fines will be imposed within two years of the Regulation being ratified.

Below is a breakdown of the key changes introduced by the Regulation:

1. If your business is not in the EU, you will still have to comply with the Regulation
Non-EU organisations that do business in the EU with EU data subjects’ personal data should prepare to comply with the Regulation. Those providing products or services to EU customers or processing their data may have to face the long arm of the law if an incident is reported.

2. The definition of personal data is broader, bringing more data into the regulated perimeter
Data privacy encompasses other factors that could be used to identify an individual, such as their genetic, mental, economic, cultural or social identity. Companies should take measures to reduce the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.

3. Consent for children’s data processing
Parental consent will be required for the processing of personal data of children under age 16. EU Member States may lower the age requiring parental consent to 13.

4. Changes to the rules for obtaining valid consent
The consent document should be laid out in simple terms. Silence or inactivity does not constitute consent; clear and affirmative consent to the processing of private data must be provided.

5. The appointment of a data protection officer (DPO) will be mandatory for certain companies
Article 35 of the GDPR states that data protection officers must be appointed for all public authorities. In addition, a DPO will be required where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”. Firms whose core business activities are not data processing are exempt from this obligation. The GDPR does not specify credentials necessary for data protection officers, but does require that they have “expert knowledge of data protection law and practices.”

6. The introduction of mandatory privacy risk impact assessments
A risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers will be required to conduct privacy impact assessments where privacy breach risks are high to analyse and minimise the risks to their data subjects.

7. New data breach notification requirements
Data controllers will be required to report data breaches to their data protection authority unless the breach is unlikely to represent a risk to the rights and freedoms of the data subjects in question. The notice must be made within 72 hours of the data controller becoming aware of the breach, unless there are exceptional circumstances, which will have to be justified. Where the risk to individuals is high, the data subjects themselves must also be notified, although the Regulation does not specify a timescale for this. Regular supply chain reviews and audits will be required to ensure they are fit for purpose under the new security regime.

8. The right to be forgotten
Data subjects have the “right to be forgotten”. The Regulation provides clear guidelines about the circumstances under which the right can be exercised.

9. The international transfer of data
Since the Regulation is also applicable to processors, organisations should be aware of the risk of transferring data to countries that are not part of the EU. Non-EU controllers may need to appoint representatives in the EU.

10. Data processor responsibilities
Data processors will have direct legal obligations and responsibilities, which means that processors can be held liable for data breaches. Contractual arrangements will need to be updated, and stipulating responsibilities and liabilities between the controller and processor will be an imperative requirement in future agreements. Parties will need to document their data responsibilities even more clearly, and the increased risk levels may impact service costs.

11. Data portability
Data portability will allow a user to request a copy of personal data in a format usable by them and electronically transmissible to another processing system.

12. Privacy by design
The GDPR contains requirements that systems and processes must consider compliance with the principles of data protection. The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery, but from the inception of the product concept. There is also a requirement that controllers should only collect data necessary to fulfil specific purposes, discarding it when it is no longer required, to protect data subject rights.

13. One-stop shop
A new one-stop shop for businesses means that firms will only have to deal with a single supervisory authority, not one for each of the EU’s 28 member states, making it simpler and cheaper for companies to do business in the EU. This will also have a positive impact on Internet service providers with offices in several EU countries.

Organisations should take action NOW to implement appropriate measures for improved data security.

‘Panama Papers’ – a wake up call for the legal sector

April’s data breach at Panamanian legal, trust and accounting firm Mossack Fonseca offers a perfect-storm warning for law firms. As reported in last week’s blog (see link), the legal sector is a highly attractive and potentially susceptible target for the armies of cyber attackers, because of the sensitive data law firms hold about their clients.

“All law firms should take the Panama breach as a major wake-up call,” says founder and executive chairman of IT Governance, Alan Calder. “Law firms have notoriously been targets for cyber criminals because of the sensitive information they possess. More recently, the scale and devastation that cyber breaches cause means that law firms need to consider their cyber security posture right now.”

The swift changes in cyber attacks, and attackers’ swapping of focus between market sectors, make defending your crown jewels (i.e. your data) ever more critical. Law firms were ranked the seventh highest target for cyber criminals in Cisco’s 2015 Annual Security Report, and in midsummer 2015 Cisco’s 2016 Annual Security Report noted that Professional firms were one of four sectors (Government, Electronics, Professional and Healthcare) most hit by Trojan-related attacks, while the Professional Services vertical was hit with a high number of iFrame attacks. Add to this that the UK’s Information Commissioner’s Office (ICO) investigated 173 law firms two years ago over data protection breaches. It is not a comforting picture. But there are good things that can be done by taking a proactive stance on security.

The ICO acknowledges: ‘There is no “one size fits all” solution to information security, as the security measures that are appropriate for a particular organisation will be different to another.’ However, given the pressures facing the legal sector, companies would be well advised to adopt a risk-based approach to deciding what level of security is required and where, and to ask pertinent security questions of the third-party contractors and suppliers they use.

An ISO 27001 Information Security Management System (ISMS) provides a risk-based approach to data security. When rolled out through the organisation, it can push down through the supply chain to raise standards among third-party contractors and suppliers. Whilst no organisation can be guaranteed to remain 100% free from threat 24×7, a law firm which creates a robust and regularly monitored cyber security posture will be better prepared to fend off a breach, or to respond to one quickly and effectively through tested policy. What this means for the firm’s customers and stakeholders is higher levels of assurance, as well as enabling you to meet growing legal and regulatory data protection obligations.

As with all things technological these days, it is not just about knowing what is in your estate to protect; it is about strategically identifying for the business what you might need to consider adding to your infrastructure, to build peace of mind for your Board and customers. That journey will ultimately be better travelled with an expert MSP which holds ISO 27001, has a passion for data security and a keen eye on cyber security, and which can not only advise but is able to deliver 24×7.

The Panama Papers, an expensive lesson in having unsecured data

The ‘Panama Papers’ data breach of Panamanian legal, trust and accounting firm Mossack Fonseca, revealed on 3 April 2016, consisted of a whopping 2.6TB of data covering over 11.5 million scanned and electronic files dating back to the 1970s. The fallout has been substantial globally and continues to grow day by day.

The hack of an email server, which occurred at the start of 2015, was taken to German newspaper Süddeutsche Zeitung (“SZ”); however, due to the immense scale of data for analysis, SZ brought the US-based International Consortium of Investigative Journalists (ICIJ) on board. 400 journalists from 107 news organisations have pored over the documents, using Optical Character Recognition (OCR) software and new graph database technology, including Neo4j, to help index and analyse the content. The journalists then surfaced connections, such as people who share the same address but are not formally married, with material links to suspicious bank accounts used for money laundering or other financial crimes and misdemeanours.

Whilst the announcement related to a mere 149 files out of the 11.5 million, the revelation that Mossack Fonseca was creating shell corporations in tax havens around the world for a substantial list of politicians and world figures has increased distrust of those in public positions who have either accessed and abused public purse funds or sought tax avoidance for personal gain.

Who’s Who in the world spotlight? In a swift snapshot from this initial reveal, Iceland’s Prime Minister Sigmundur Davíð Gunnlaugsson had to step down sharply following the news, whilst Argentinian President Macri and Ukrainian President Petro Poroshenko await their fate. Friends of Syrian President Bashar Assad and associates of Putin are facing scrutiny, whilst a number of FIFA officials have been implicated, along with soccer star Lionel Messi. Celebrity names include Hollywood producer David Geffen and Simon Cowell, plus singer Tina Turner and actor Jackie Chan. Meanwhile, in UK politics, PM David Cameron (through the tax affairs of his late stockbroker father and family estate gifts) has been forced to fend off accusations of immorality and lack of transparency by publishing his personal tax returns.

So what for these people?
There will be massive consequences for any individual whose private financial affairs have been made public. Their confidential business structures are now public, reputations will be damaged, lawsuits will no doubt be an end result, and policy is likely to change.

So what for data controllers?
The breach highlights once again, this time on a massive scale, that organisations holding any personal data have no choice but to sit up and take acute note: re-review their own organisation’s security perimeters, policies, up-to-date licences, patch management and backup arrangements.

Cyber attacks on SMEs – the risk of attack is VERY real

SMEs are very attractive to cyber criminals: they have poorer security and limited resources, making them easier to attack than their larger counterparts, and they are often part of larger supply chains, making them an easy point of access into larger corporations’ systems.

The Department for Business, Innovation & Skills/PwC’s most recent Information Security Breaches Survey found that 74% of small businesses suffered a security incident in 2015 (up from 60% in 2014).

The impact of an attack is clear

Reputational damage is a very real concern for SMEs. According to KPMG and Be Cyber Streetwise, 89% of breached SMEs said the attack affected their reputation, damaging their ability to win new business and maintain relationships with existing clientele.

What can SMEs do to protect their reputation?

SMEs should look to the government’s Cyber Essentials scheme to protect their reputation. Cyber Essentials sets out five security controls that, according to the UK Government, could prevent ‘around 80% of cyber attacks’. These controls provide a basic level of protection from the vast majority of cyber attacks, and improve business efficiency in the process. A double win!

Certification to the scheme demonstrates that you have implemented these basic cyber security controls, reassuring your customers, stakeholders and staff that you have taken the precautions necessary to reduce cyber risks, as well as helping you on the route to cyber insurance if you are considering taking it out.
