C Level Execs Reveal UK Business Still Not Prepared for GDPR

Trend Micro’s recently published survey has revealed a worrying lack of recognition that GDPR is going to seriously impact UK business if left unmanaged.  The results revealed a lax attitude about the severity of what is around the corner if data protection is not diligently overseen for compliance to ensure that employees, directors and decision makers all use data correctly.  The survey stats revealed the following:

•    Senior execs shunned GDPR responsibility in 57% of businesses.
•    Only 21% of businesses surveyed currently have a senior executive involved in the GDPR process.
•    66% were dismissive about the amount they could be fined.
•    42% of businesses do not know that email marketing databases contain PII.
•    In an example given, businesses were very uncertain as to who was accountable for the loss of EU data by a US service provider – with only 14% correctly identifying that it is the responsibility of both parties.
•    Businesses were broadly found to lack the expertise to combat threats:
     o   Only 34% have implemented advanced capabilities to detect intruders.
     o   Only 33% have invested in data leak prevention.
     o   Only 31% have employed encryption technologies.

JP Norman, Amicus ITS Director of Technology, Security & Governance urged a proactive response without delay for anyone not already taking steps. “Any organisation that does not recognise the importance of GDPR compliance and data protection responsibility needs to wake up fast. A data breach after next May will no longer result in the organisation facing a slap on the wrist, some reputational damage and a manageable fine. We have worked closely with the ICO and recommend their 12 step guide as a starting point for review. Whatever challenges businesses think we may face through Brexit, GDPR has the potential to wipe businesses off the map entirely. For the public sector, where the purse is controlled by Government and ringfenced locally, this will become even more damaging – personally, financially and politically. However, whereas the cap is currently £500,000 till May 2018, this corporate penalty will rise to up to 4% of global turnover or a €20 million fine plus the potential of criminal prosecution thereafter. I would urge all organisations who have not begun their information audit to start now.”


ICO starts to bare its teeth ahead of GDPR as fines ramp up

New research from PwC reveals that the Information Commissioner’s Office (ICO) levied 35 fines in 2016 for breaches of the Data Protection Act (DPA), almost double the 18 fines issued the year before.

Those fines totalled £3.2 million, which makes the UK the most active country in Europe in terms of regulatory enforcement of data protection laws. The next most penalised country was Italy (£2.86 million). However, figures across Europe pale in comparison to the US, which sees far more incidents and whose regulators can issue much larger fines. PwC reports that US organisations were fined a total of approximately $250 million (about £193 million) in 2016.

Preparing for the GDPR
The gap between US and EU regulatory powers is set to shrink when the EU’s General Data Protection Regulation (GDPR) comes into effect next year. From 25 May 2018, all organisations that process EU residents’ personal data must comply with the Regulation, or they’ll face fines of up to €20 million (about £17.4 million) or 4% of their annual global turnover – whichever is greater.

This is much higher than the current limit for EU regulators. For example, the maximum fine that the ICO can currently issue for a breach of the DPA is £500,000, although it has yet to do so. The largest fine a UK organisation has received for a breach of data protection laws is £400,000, levied against Kerboom Communications in May 2017 and against TalkTalk last year.

PwC addressed the arrival of the GDPR in its study. The company’s global cyber security and data protection legal services lead, Stewart Room, advised UK organisations to use the next year to prepare for the GDPR, adding: “We’ve performed more than 150 GDPR readiness assessments with our clients around the world. Many struggle to know where to start with their preparations, but also how to move programmes beyond just risk reviews and data analysis to delivering real operational change.”

It’s impossible to ignore the impact of legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention. After all, who can argue against what is essentially a code for good business, where privacy by design becomes part of everyday operations?

Disaster for Three Mobile as huge data hack is disclosed


News has emerged today that one of Britain’s biggest mobile phone companies has suffered a huge breach of its systems, exposing an estimated six million user account details to compromise. This represents two thirds of the company’s customer base.

The attack is believed to have been carried out through an authorised employee login, which gave the hackers access to the customer upgrade database.

A spokesman for Three said, “Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices. We’ve been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity.”

Three added that the data accessed included names, phone numbers, addresses and dates of birth, but not financial information. Customers whose data has been affected have not yet been informed. The speed of the response is, however, indicated by the National Crime Agency’s revelation that it is investigating the breach and that three people have already been arrested: two for computer misuse and one for perverting the course of justice.

The Chancellor, Philip Hammond, used his speech at the beginning of November to call on companies to do more to protect their customers against cyber crime after the series of high-profile breaches in the last few years. With GDPR on the horizon, the commercial imperative for businesses to build stronger security measures means that the need for diligence in compliance is greater than ever.

As part of its ongoing efforts to keep its customers and regional businesses best informed, Amicus ITS has been conducting a series of cyber security roadshow events to help inform and educate businesses in the region. The next one is on Thursday 24th November 2016 at its headquarters in Totton.

‘Panama Papers’ – a wake up call for the legal sector

April’s data breach at Mossack Fonseca, the Panamanian legal, trust and accounting firm, offers a perfect-storm warning for law firms. As reported in last week’s blog, the legal sector is a highly attractive and potentially susceptible target for the armies of cyber attackers because of the sensitive data law firms hold about their clients.

“All law firms should take the Panama breach as a major wake-up call,” says founder and executive chairman of IT Governance, Alan Calder. “Law firms have notoriously been targets for cyber criminals because of the sensitive information they possess. More recently, the scale and devastation that cyber breaches cause means that law firms need to consider their cyber security posture right now.”

The swift changes in cyber attack methods and the shifting focus across market sectors make defending your crown jewels (i.e. your data) ever more critical. Law firms were ranked the seventh highest target for cyber criminals in Cisco’s 2015 Annual Security Report, and in midsummer 2015 Cisco’s 2016 Annual Security Report noted that professional firms were one of four sectors (Government, Electronics, Professional and Healthcare) most hit by Trojan-related attacks, while the Professional Services vertical was hit with a high number of iFrame attacks. Add to this that the UK’s Information Commissioner’s Office (ICO) investigated 173 law firms two years ago over data protection breaches. It is not a comforting picture. But there are good things that can be done by taking a proactive stance on security.

The ICO acknowledges: ‘There is no “one size fits all” solution to information security, as the security measures that are appropriate for a particular organisation will be different to another.’ However, given the pressures facing the legal sector, companies would be well advised to adopt a risk-based approach to deciding what level of security is required and where – and to ask pertinent security questions of the third party contractors and suppliers they use.

ISO 27001, the Information Security Management System (ISMS) standard, provides a risk-based approach to data security. When rolled out through the organisation it can push down through the supply chain to raise standards with third party contractors and suppliers. Whilst no organisation can be guaranteed to remain 100% free from threat 24×7, a law firm which creates a robust and regularly monitored cyber security posture will be better prepared to fend off a breach, or to respond to one quickly and effectively through tested policy. What this means for the firm’s customers and stakeholders is higher levels of assurance, as well as enabling you to meet growing legal and regulatory data protection obligations.

As with all things technological these days, it’s not just about knowing what’s in your estate to protect, it’s about strategically identifying for the business what you might need to consider adding to your infrastructure, to build peace of mind for your Board and customers.  That journey will ultimately be better travelled with an expert MSP which has ISO 27001, a passion for data security, a keen eye on cyber security – and one which can not only advise but is able to deliver 24×7.


EU data privacy rules – Impact across the pond

A new European privacy directive is about to be signed, one which could see US tech firms fined millions of dollars if they don’t comply.

The directive regulates how tech companies obtain and use user data. According to USA Today, companies must get clear consent from the user and have to explain just what their data will be used for. Companies must also explain to the user how the data was obtained, and if the user wants that data changed or completely deleted, the company must do so.

As an example, if a user chooses to delete their Facebook account, Facebook would also have to delete all the information it had collected about them. The directive has been in production for several years and will replace a patchwork of laws from the 1990s.

“A lot of the language in this regulation has been sharpened in response to US companies walking very close to the line as far as complying with EU data protection regulations,” Danny O’Brien, the international director of the Electronic Frontier Foundation, a San Francisco-based cyber rights group, told USA Today.

The Age of Data Consent will also be raised from 13 to 16 years old, meaning all younger than 16 will have to get their parents’ approval before giving their data to companies.

The European Commission and the European Parliament could not agree on the size of the penalty in case a company fails to comply, but it seems that 4% of the company’s global revenue could be the sweet spot. For companies the size of Google or Facebook, that is a lot of money.

As an IT Managed Service Provider, data controller and data processor, Amicus ITS has had to be proactive in looking at the impact of these changes for us and our customer base.  These changes, which will become law in the member states, reflect positively on individuals as we all obtain more rights over our data.  However, for any organization that holds or processes data these changes will have an impact that cannot be ignored.


No Safe Harbour for data in European eyes

The European Court of Justice ruled this week that the Safe Harbour agreement, in place since 2000, is now invalid.  This story was originally covered in our blog in March 2015.

This is likely to create a sea change in where and how organisations hold their data. Clear guidance has yet to follow, and the next few months could bring confused local and conflicting regulation, so there may be a scramble to create urgent interim measures by the European and US businesses (about 5,000 of them in the US) that rely on Safe Harbour for the free flow of information between the two territories.

Designed to be a “streamlined and cost effective” way for US firms to get data from Europe without breaking the rules, the Safe Harbour agreement allowed US firms to collect data on their European users and store it in US data centres as long as certain principles around storage and security were upheld (e.g. giving notice to users and advising them how the data can be accessed and by whom). Once the Snowden leaks revealed the surveillance pressure exerted by the security agencies, those safeguards were viewed as not being upheld.

It is not just about Facebook (whose use of private data was challenged in a lawsuit brought by privacy campaigner Max Schrems), though the news will have a big impact on tech giants such as Facebook, Google and Twitter, which may have to build new data centres in Europe in response to this decision. It reflects the differences between the two cultures: in the EU, data privacy is treated as a fundamental right, whilst in the US, other concerns which might conflict are sometimes given priority.

The patchy interim arrangement to authorise the “export” of the data will require the two bodies involved to draw up new “model contract clauses” setting out the US organisation’s privacy obligations.
For Data Controllers, this will be something of an administrative nightmare and will likely push up costs and cause delays. Managed Service Providers had better be thinking about their customers’ data with a sharper eye this week.


This week’s technology news – 27th June 2014

Supreme Court ruling for mobile phone privacy does not answer Cloud issue
Forrester reports an emphatic decision by the Supreme Court in the US this week, which has endorsed the fundamental right of the individual to safeguard the privacy of data held on a mobile phone, and ruled that the only way for 3rd party agencies to access this would be to seek a warrant.

The sheer variety of applications now available on mobile phones (cameras, video players, Rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps, newspapers, forums etc.) reveals much about the owner, as does the browsing history. Consequently it was felt this would give 3rd parties too personal an insight into things we would prefer to keep private, even from our partners. The crossover impact for business is in BYOD, where corporate employers may not yet have taken steps to assess and implement data security policies to safeguard corporate privacy.

With the increase of devices and wearable technology, much of the content will inevitably be stored in the Cloud, and what is not revealed through the phone as its conduit will be accessible once it hits storage sites like Dropbox, Evernote etc. So as soon as you have connected, you are no longer able to control that privacy, or that right. This ruling is therefore insufficient in the wider context of cloud content and the management of personal (and customer) data, so expect more rulings in future as the further legal ramifications are reviewed. As an MSP, it is your responsibility to be a privacy advocate.

Stop thief – you are turning me off!

Research by Glasgow Caledonian University into the way we hold and use smartphones is leading to a new form of security being developed, which identifies abnormal patterns that could trigger a “kill switch”. The software logs, monitors and profiles “normal” behaviour: carriage mannerisms, application access and timing, plus geolocation and browsing. Subtle changes to this information could indicate unauthorised use and prompt a shut down. The profiles take a few days of average use to build up a coherent picture, and current versions of the logging software are detecting illegal use within a couple of minutes, which will no doubt get far quicker.

Lead scientist Professor Lynne Baillie notes that a further development of this software could be in authenticating identity. Research indicates users swiping or tapping in their PIN up to 100 times a day to unlock their handset, which for some users is putting them off using security measures, if they have that choice. This new software could sanction access simply because the device is “in the right hands” and keep a phone unlocked in normal use, except where a user needed to purchase something or log in to a corporate network. Yet again, there are implications for privacy in such monitoring, and in whether it is managed centrally or locally on the device.
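To make the profiling idea concrete, here is an added example (not the Glasgow Caledonian software or any code from this page) of a toy behavioural baseline that learns an owner’s routine and returns a lock/allow decision for a window of recent activity. The Event fields, the three-day learning period before enforcement, the 0.5 threshold and every sample event are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    """One observation of handset use (all sample values below are constructed)."""
    day: int    # day index since profiling began
    hour: int   # hour of day, 0-23
    app: str    # application opened
    cell: str   # coarse location, e.g. a mobile cell or area id

class UsageProfile:
    """Frequency baseline of 'normal' use; a deliberately simple stand-in for the research software."""
    MIN_DAYS = 3  # assumption: do not enforce until a few days of use have been profiled

    def __init__(self):
        self.apps, self.cells, self.hours, self.days = Counter(), Counter(), Counter(), set()

    def learn(self, ev):
        self.apps[ev.app] += 1
        self.cells[ev.cell] += 1
        self.hours[ev.hour] += 1
        self.days.add(ev.day)

    def ready(self):
        return len(self.days) >= self.MIN_DAYS

    def anomaly_score(self, window):
        """Fraction of (app, cell, hour) observations in the window never seen in the baseline."""
        if not window:
            return 0.0
        unseen = sum((ev.app not in self.apps) + (ev.cell not in self.cells)
                     + (ev.hour not in self.hours) for ev in window)
        return unseen / (3 * len(window))

def build_profile(events):
    profile = UsageProfile()
    for ev in events:
        profile.learn(ev)
    return profile

def decide(profile, window, threshold=0.5):
    """'learning' while the baseline is immature, otherwise 'lock' or 'allow'."""
    if not profile.ready():
        return "learning"
    return "lock" if profile.anomaly_score(window) >= threshold else "allow"

# Constructed sample: four days of a fixed routine, then two recent activity windows.
ROUTINE = [Event(d, h, a, c) for d in range(4)
           for h, a, c in ((8, "mail", "home"), (12, "maps", "office"), (20, "browser", "home"))]
OWNER_WINDOW = [Event(4, 8, "mail", "home"), Event(4, 12, "maps", "office")]
STRANGER_WINDOW = [Event(4, 3, "banking", "cell-unknown"), Event(4, 3, "settings", "cell-unknown")]

if __name__ == "__main__":
    profile = build_profile(ROUTINE)
    for name, window in (("owner", OWNER_WINDOW), ("stranger", STRANGER_WINDOW)):
        print(name, round(profile.anomaly_score(window), 2), decide(profile, window))
```

The owner window scores 0.0 and is allowed; the stranger window (unfamiliar apps, location and hour) scores 1.0 and triggers a lock, while a profile with only two days of data returns "learning" rather than enforcing.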