Are you ready for GDPR?


As we know, the UK voted to leave the EU on 23rd June 2016.

The UK is required to serve notice under Article 50 of the Lisbon Treaty and this carries a two year notice period.

The General Data Protection Regulation is due to be implemented in less than two years, on 25th May 2018. GDPR applies not just to organisations established within the EU but to any organisation which processes the data of EU citizens, which offers goods and services to EU residents, or which monitors their online behaviour.

Even standing outside the EU, the long arm of GDPR will apply to any UK organisation handling the data of EU citizens. The UK will need to prove ‘adequacy’ for data protection.

Countries globally are preparing now for GDPR.

For full details of the 12 steps your organisation is guided to take to prepare for GDPR, Amicus ITS invites you to read the ICO’s PDF white paper “Preparing for the General Data Protection Regulation (GDPR)”, attached here: ico-preparing-for-the-gdpr-12-steps

I strongly recommend that all organisations actively research what they need to do to comply with GDPR, as once in force it automatically becomes law in all EU Member States.

United Airlines hit in further power outage for airline industry


The world’s third largest airline, United Airlines, has been dealt a serious blow today as a reported ‘systems issue’ delayed flights worldwide this morning.

At 8.15am London time, United said: “As of 3 am ET [Eastern Time], the system issue has been resolved. Any delayed flights are resuming”.

As we reported in our blog of 6 September, Delta, the world’s largest carrier, experienced a worldwide ‘systems failure’ the previous month, and in September BA passengers suffered long delays after what was described as ‘a problem with our check-in system’.

So what was to blame? Cyber security experts remain sceptical about the airlines’ public attributions to causes other than cyber attack; however, with airlines heavily dependent on their computer systems for almost every aspect of their operations, there remain a number of possibilities. Yes, a cyber attack by a malicious actor could be one possibility, but it could also have been a patching issue, a lack of immediate failover to their backup system, or even a third party in the supply chain. Yet Delta is huge, and an organisation of its size is going to have substantial IT systems and robust security measures in place to protect its infrastructure and passenger safety.

Ultimately, we may have suspicions but will have to wait and see whether any further details come to light about these incidents. In the end it is unlikely that the airlines themselves will choose to disclose the root cause, for fear of giving anyone insight into potential system vulnerabilities.

ICO fine on TalkTalk revealed


The ICO has revealed this week that it has fined communications company TalkTalk £400,000 (out of a maximum £500,000) for its poor web security following the theft of nearly 157,000 customer account details in October 2015. As we reported in our blog of 13th May 2016, the company’s profits were also deeply hit as a direct result of the attack, and the firm lost 101,000 subscribers in the first quarter after the attack.

The report by the ICO was scathing, with Information Commissioner Elizabeth Denham commenting, “Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action”.

In nearly 16,000 cases, the attacker was able to steal bank account details. Additionally, legacy software dating back to when TalkTalk took over rival Tiscali was found to be out of date, leaving vulnerable web pages open to attack using SQL injection. TalkTalk had been unaware of the problem, which could have been readily fixed had its security measures been kept up to date.

The ICO explained that TalkTalk had been very lax in enforcing proper security on its own website. Ms Denham added, “In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting. Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue”. These comments completely echo the advice Amicus ITS has consistently given to its customers and shared with the wider business community at its regional thought leadership cyber security roadshows.

The next Amicus ITS cyber security event will be held on 24th November 2016. Further details will be posted on the main Amicus ITS events page.

Bad Vibrations at ING Bank Lead to Damaging Outage

Dutch multinational banking and financial services organisation ING reported recently that a fire extinguisher test in one of its Romanian branches had set off an unprecedented and disastrous chain of events, resulting in cash machines, online banking and its website going down for over ten hours on Saturday 10th September 2016.

The bank, which has over 48 million individual and institutional clients in over 40 countries, could not explain the situation to its customers as the outage had affected the bank’s main communication systems as well.

Ironically, it was not the fire extinguisher’s gases that caused the problem but rather the loud sound, at over 130 decibels, emitted when the inert gases were released, which destroyed dozens of hard drives, according to tech magazine Motherboard.

A Siemens report in 2015 warned of the risk of fatal damage to hard drives through sound wave vibrations, concluding that:

• above 110dB, most hard disks would deliver degraded performance
• above 130dB, most disks would stop delivering data
• above 140dB, most disks would suffer permanent damage, and there could also be other unpredictable faults

Whilst it may have been unprecedented for ING, it is not unknown. In 2013, French media reported that accountancy software used by the French Government became temporarily ‘unavailable’ after a fire protection system was accidentally triggered at a data centre, emitting a loud noise and causing an outage there. Closer to home, in Glasgow in December 2015, a fire suppression system triggered by an air conditioning unit was blamed for bringing Glasgow City Council to its knees for several days, affecting council tax and benefits systems and disabling MS Outlook email services and the Cisco telephone switchboard system.

For any organisation, therefore, there are some easy precautions to check and apply:
1. Review the physical security of your server systems and their environment.
2. Protect the full integrity of your data by scrutinising all your equipment.
3. Ensure you have failover availability, with full backup and replication systems in place, to keep your business up and running.