I’m confused

Computing and technology is as delicate and fallible today as it was 30 years ago!

In the last 3 weeks we have experienced 2 major public IT failures. I am slightly confused as to how they could both become so massive.


I entered the IT industry nearly 30 years ago. Like so many in those days, I entered from a previous career and fell into the profession. Falling into it, we brought experiences with us from our previous careers. One thing we all acknowledged was the fallibility of technology, or of anything mechanical. We made sure we reduced risk wherever we could, and where we couldn’t we had a fallback process. So what is happening in this world today? (Oh ‘eck, I’m sounding like me Dad!)

This weekend, we saw British Airways (BA) grounding all its flights because of a catastrophic computer failure.  It is reported that this was caused by a massive power surge at their data centre.  We saw images of airports crammed with disappointed passengers and what looked like confused employees.  As I sat watching the news, my only thought was how could a massive power surge cause such damage?

30 years ago, when I was involved in setting up my first data centre for a 1,500 bed hospital, we knew that a power surge on our delicate computing equipment could cause a failure that we would find difficult to recover from. So we installed a clean supply and a bank of Uninterruptible Power Supplies to smooth out that supply and keep us running long enough for the generators to power up in the event of a loss of mains power. I can only assume that BA didn’t do this in their data centre. One that controls thousands of passenger journeys every day! We also anticipated that a failure could result in the loss of important patient data, so we had a ‘hot failover’ from which we could pick up normal IT services, albeit at a reduced capacity, but a service nevertheless. And that ‘hot failover’ was housed away from the main computer facility. Finally, we had manual fallback procedures which we had practised. These procedures included staff assigned the responsibility of communicating with system users and hospital users. I didn’t see any of this in the news reports.

The measures we put into place were not cheap at the time and took some justification: weeks of writing business cases, as I remember. When we lost power to the computer suite and no users noticed, it was justified.

Since then, technology has moved on, and many of the things that were expensive then now cost pennies. Especially when you set them against the cost of the initial implementation and the cost of losing the systems that businesses have come to rely on. Finally there is the reputational damage, which is not always acknowledged. This is anecdotal, but the view in my local on Saturday was heavily toward avoiding flying with BA for the foreseeable future. Sure, this will be forgotten over time, but what will be the immediate cost?

Have we become complacent? With our always-on society and IT service companies offering 99.999999% uptime, are we forgetting the fallibility of these devices? I would suggest we probably are, and it is time to re-evaluate.

One of the first lessons I learned about managing IT was three letters: C I A. No, not the US intelligence agency, but maintaining Confidentiality, Integrity and Availability. Those three letters stand as much today as they did all those years ago; even now, whenever I consider changes to IT or assess risk, I recite CIA. In fact they are probably more pertinent. Risks haven’t reduced, they have changed and in some areas increased. I don’t know how much this failure will have cost BA or how much WannaCry will have cost the NHS. One thing is certain: it will be more than putting the technology, people and processes in place to reduce and manage the risks!

My final thought this morning was: what will the ICO make of both the NHS and BA incidents? They both involved personal data. One involved damage through encryption and the other non-availability at the point of need. Watch this space. There could be even more cost winging its way.


257 days and counting

25th May 2018 is now only 257 working days away. Some reading this may wonder what the significance of that date is. Actually, according to a survey I conducted recently, probably about 33% of readers will be asking that question. Friday 25th May 2018 is GDPR day. The day our current Data Protection Act is retired in favour of the European General Data Protection Regulation.

257 days sounds like quite a lot. 5 days in business can be a lot, but when it comes to GDPR, 257 days isn’t much time at all. In the days left, businesses need to:

  • Know what data they hold and what they hold it for. They will need to take time to document and audit data, recording the data held, where it came from and where it is sent to. Even for small businesses, this is not a small task. In this day and age small businesses can hold masses of data. This could, however, be an opportunity for a cull of unwanted and out-of-date data.
  • Review all current privacy notices. This could include development time on websites. Get in quick: web developers are going to get very busy and costs could start to increase as we get closer to 2018.
  • Ensure that procedures are in place to support the rights of the data subjects.  There have been changes, such as the right to be forgotten and portability of data.  Processes should be put into place now.  It is too late once a request is received!
  • Understand, if appropriate, how the business will deal with child consent.  Again this is likely to require changes to the websites.  I will repeat the warning about getting in quick.  Costs will rise next year.
  • Put in processes to monitor for and manage data breaches.  There will be a legal requirement to report data breaches that compromise personal data within 72 hours of noticing them.  Delays in reporting will not be looked on favourably by the ICO.  Neither will data breaches that are not discovered for prolonged periods.
  • Review business processes to ensure that data protection processes are built in.  Here the business has a great opportunity to modernise and streamline processes.  This will take time though.
  • Appoint a Data Protection Officer if one is required.  These will be in short supply initially and recruiting for such a key position could take some time.

Looking down the list, it becomes clear that 257 days is not long. So for the other 46% of my survey who said they didn’t understand the implications of GDPR, you do now. For the 35% who said they didn’t know when they would start implementation, now would be a good time, and for the 37% who have not committed any resource to this yet, do it.

The EU gave businesses two years to comply with this new regulation. Admittedly, communication hasn’t been brilliant from the various quarters. However, ignorance will be no defence and penalties will be harsh. Don’t get caught out: start your compliance activity now.


GDP…What?

I must confess. Until last summer I didn’t know much about GDPR. I had heard a new data protection regulation was on the way, but that was the sum of my knowledge. I felt that was a little shameful, as a person who specialises in helping businesses understand information risk management. After all, data protection is about managing your risks around the data you hold.

I went off and searched for information and found an abundance, probably too much and too complex, and much of it aimed to scare, talking about fines of 4% of global turnover. But I recall that I had to go and find the information. Nothing at that point had been ‘pushed’ to me. Not that I can recall, anyway.

Now I have an interest in understanding the regulation, but what about the general business population: how much do they understand? I have been doing a few seminars on GDPR recently; whenever I ask the audience how many know about it, normally fewer than 10% admit to knowing anything. Then they appear almost embarrassed to be in a minority. This prompted me to conduct a short survey amongst local businesses to understand the level of understanding and preparedness. I can’t claim it was scientific, but the findings are quite concerning.

The questionnaire was sent to local businesses, randomly selected from the Chamber of Commerce membership database and my own contacts.  It included a combination of small, medium, large and public sector organisations.  There was a 24% response rate, with 81% saying that they currently hold data that can identify individuals.  The responses were completely anonymous.

The first question asked how aware businesses were of GDPR. 32.5% declared no awareness at all, and 46.5% said they were aware of GDPR but did not understand how it would affect the business. That is 79% of businesses who, as yet, have done nothing to prepare or don’t even know about it. We are now only a year off the deadline for compliance!

Some businesses have started to examine the implications, but 34% of the respondents said they didn’t know when they would start. This is coupled with the fact that 37% of the organisations have not yet defined or allocated any resource to the implementation. It is even more concerning when 42% indicated that they thought implementation would take between 6 months and 1 year, or even longer.

Why aren’t businesses prepared? Why is knowledge of GDPR so low? Well, I take you back to my first paragraph. I think businesses still have to go in search of the information. When you find it, for most business leaders, it can be scary. Some of it generates the FUD (Fear, Uncertainty and Doubt) that we had with cyber a few years ago.

There has been little information pushed out from the powers that be. When I compare GDPR to Auto Enrolment, I think every business leader in the country got personal correspondence from the DWP clearly telling them what they needed to do; there has been nothing similar on GDPR.

The ICO has some excellent publications: ‘Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now’ being just one. Isn’t it time the Government started pushing this information out to businesses rather than expecting them to stumble upon it? This is a big change for many businesses and they need support.


I do get fed up!


I’m not the sort of person who is naturally overflowing with optimism. I’m cautious with my optimism. That way I’m rarely disappointed. However, I do get increasingly fed up with our society’s tendency to see only the negative side of things (I must be getting old). This has recently come to a head as I work more on implementing the new European General Data Protection Regulation.

This regulation comes into force in May 2018. Just over a year off. It isn’t being dropped on us at short notice. Actually, we were given two years’ notice.

Let’s put GDPR into context. It replaces a piece of legislation that is 20 years old. Legislation that was put in place to protect our privacy in the technological world that existed at the time. That world has changed beyond recognition. In 1998 there were 147 million users of the internet worldwide; actually, when the laws were written between 1994 and 1996, there were more like 16 million. Today there are in excess of 25 times that amount, over 3 billion (information source: Internet World Stats). The amount of data being transmitted every minute is colossal and the current laws governing the management of that data are outdated. GDPR has been developed to protect this data: data that belongs to you and me.

In 1998 biometrics were a thing of the future, science fiction. Genetic data was something only considered by healthcare and high-level research. This form of data, our most private, has no protection under the current data laws. So we have to move on.

In recent weeks I have presented to a number of business leaders. I have received a mixed response, very little of it positive. Some completely overreacted, stating that it will prevent business. GDPR isn’t meant to stop businesses doing what they do, just to ensure they do it in a way that protects the data subject and makes the laws universal across Europe. That has got to be positive.

One area of negativity is around consent, and particularly having to re-consent. This is a great opportunity not only to clear out obsolete data from systems but also to validate that the people you are communicating with are reading your communications and that you have the correct details. Why would anyone want to put effort into communicating with people who don’t want to hear your message or who no longer exist? Over time that is more wasted effort than an exercise of validating the data you have.

I was recently at a presentation by Lord Digby Jones.  It was enlightening.  He talked at length about how great British industry is, but how now more than ever it needs to embrace and be positive about the challenges we face.  Let’s start looking at this new legislation as an opportunity not an obstruction.  We have to embrace it and it will be much easier embraced positively.

It is at times like this I think of the Charles Darwin quote:  ‘It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change.’  This is as true for business as it is the animal world.

In future blogs I will consider some of the impacts of GDPR and ways that I think businesses could benefit from it.


Easy does it GDPR could be a gentle stroll


I haven’t written a blog for a while because I have been busy. Busy preparing for the future. I have, hopefully, secured my website, made better provision for the security of my tech and got a couple of certifications to show my customers I’m serious about this stuff. But that was not the only reason. As I sat down to write this blog there were 464 days 14 hours and 41 minutes to the implementation of the General Data Protection Regulation (GDPR). Oh, that is now 464 days 13 hrs 34 mins, so we had better get a move on.

The GDPR is probably one of the most significant pieces of legislation to affect UK businesses this century (I’ve always wanted to write that!). It will, in some way, affect all businesses. 464 days 13 hrs and 32 mins (time is ticking) in business terms seems an age, but in GDPR terms it isn’t. I’m a small business and implementing the basics has taken me since Christmas. OK, that hasn’t been full time. I had to earn a bit of money as well, like all businesses, but there are still things to do.

After completing the GDPR practitioner course in December 2016, I thought I ought to get my own ‘house in order’. In January, full of new year spirit and flu, I set off to be a beacon of compliance. I don’t hold personal data, so I thought I would sail through the process, but I wanted to take the opportunity to do things properly and look at how I worked. Implementing GDPR is a great opportunity to look at the way you work and, whether it’s for compliance or not, question your processes and take the opportunity to make improvements. This is not a message I’m hearing amongst the scare stories of fines of 4% of global turnover. If looked at positively, this could be a great business opportunity, one that could save money as well.

I will confess: some of my practices had slipped. First I set about examining what the security of my information meant to me as a business. My risks are probably in line with most small to medium businesses, so I decided to look at the Cyber Essentials certificate and also the IASME governance framework. Working through these made me think about what I had in place to protect my data. I wasn’t too bad, but I needed to tighten up in a few areas to achieve certification. In doing this, though, I have laid a great foundation for the rest of the GDPR work. That has to be good.

As I said, I still have things to do. I have to examine how I am going to manage the cookie policy on my website (I drop one security cookie) and also develop a privacy policy and a few other bits and pieces. These I will do over the coming months. Another key message: start now and pace yourself; implementing GDPR will be a cross-country run, not a sprint. Start early and it could even be a gentle stroll.

When I was thinking about the implementation of GDPR, for some reason the Millennium Bug issue came to mind. Eradicating the bug was incredibly successful; as someone who was involved in getting a significant piece of software compliant, I know that the work was really necessary. On 1 January 2000 the press were stating that it had been over-hyped. It hadn’t: what had happened was that businesses had planned and taken the time to look at and correct the issues. Some had even improved their applications. Time: that is what is needed with GDPR. And you now have 464 days 13 hours and no minutes.


There are 3.5 billion internet users!

And I read this morning that in 2016, 1.6 billion personal records were leaked, breached, stolen, call it what you will. It also appears that the trend is only set to increase.

I did a little digging around and found that there are approximately 3.5 billion internet users, about 40% of the world population. This means that potentially 45% of internet users could have had their records leaked. OK, you say, some will be duplicates and there will be other statistical anomalies that I don’t really understand which will reduce the percentage; but even reducing this number to 35%, it is an alarming statistic. If 35% of the world population were to suddenly be struck by the same disease, would we be so calm? No, there would be mass hysteria. Would governments be working together to resolve the issue? Yes, I’m sure they would.

It appears to me that cyber-crime is not being tackled in a coordinated way. All governments seem to take an independent approach. Our own government has a Cyber-Security strategy based on making the UK the safest place to be online. Whilst well intentioned, this is surely wrong. Internet-based crime is a worldwide problem and can only be managed with a coordinated approach across the world. It is no use the UK being the safest place to access the internet when my records travel across the world, way outside of our jurisdiction, just to travel a few miles to my insurance broker, for example.

Europe is going some way to tackle the issue with the introduction of the European General Data Protection Regulation (GDPR). This is due to be implemented in 2018.  It standardises the measures across Europe that businesses should take to protect personal data.  It also stipulates what measures need to be put into place if data is being shared outside of the participating countries.

The GDPR is a great step, and it is clear that considerable thought has gone into it and into tying it into security frameworks. There will be some teething problems, I’m sure, but it will be a massive step forward. Now we need to turn to law enforcement. The GDPR will deal with the processors of data if they get it wrong, but why can’t the law enforcement agencies start to do something similar, where there is a common approach to hunting down and prosecuting the perpetrators of internet crime? It has taken 10 years to develop the GDPR; getting 28 member countries to agree a single approach takes time. If it can be done for the data protection laws, surely we can agree some standards for co-ordinating the criminal investigation and prosecution of the culprits. That would start to have a massive effect: currently the chances of getting caught are low, and if caught the chances of being convicted are also low. Anything we can do to improve this has to be good.

Featured Image by: frankieleon used under Flickr Commons Licence


Gone Fishin’

Or did I mean Phishing?

I read that this Friday 25 November is the official start of the shopping ‘silly season’.  Black Friday and then Cyber Monday, more American import to our shores, kick off the spending frenzy to Christmas.

But it appears that shopping is not the only frenzy that this season brings. According to a recent ITGovernance blog, the Anti-Phishing Working Group (that is for real) report an increase in phishing during the Christmas period. Last year there was a 250% increase in phishing attacks between December 2015 and March 2016.

I suspect this will increase this year, if my personal experience is anything to go by. Already this week I have seen 100 emails in my spam folder offering me ‘too good to be true’ Black Friday offers and, as I write, it is only pale grey Tuesday (PM). I don’t know what my mailbox will look like on Thursday!

Taking a look at the latest phishing trend analysis, one can see why this is probably a popular time of year. 43% of phishing attacks are targeted at the Retail/Service sectors and 13% at Payment Services, a total of 56% covering the most popular sectors at this time of year.

The increase indicates that this approach to spreading malware or gaining access to data and/or networks is effective. This has to raise concerns for business. How many business owners have trained their staff to spot potential phishing scams? I bet it is not many. Most will assume that by employing intelligent adults they are safe. Not true. Phishing is getting sophisticated and some attempts are not easy to spot.

If I employed staff, I would expect to:

  • Brief my staff on relevant health and safety annually;
  • Brief them on the fire procedure annually and have at least one practice;
  • Brief my staff on how to stay safe online.

On this latter point there are loads of resources online, but for a few hundred quid isn’t it worth getting an expert with up-to-date knowledge into your organisation to give proper guidance? No? Well, here are some people who would probably now pay that:

  • A small soft furnishing company who clicked on an invoice link in an email. It was a malicious link containing ransomware. All their files were encrypted and it cost them over £2,000 to recover their data.
  • The not-for-profit organisation whose head of finance received an email from the CEO asking for an urgent payment to a supplier. The CEO’s email had been spoofed, he never sent it, and £10,000 was transferred to a fraudster.
  • The world-leading heart hospital that narrowly missed a ransomware attack. A nurse unwittingly clicked on a link in an infected email. Thanks to the ‘lucky’ timing of a backup they escaped, but it was luck, not judgement.

Featured Image by Snuzzy used under creative commons licence