I do get fed up!


I’m not the sort of person who is naturally overflowing with optimism. I’m cautious with my optimism.  That way I’m rarely disappointed.  However I do get increasingly fed up with our society’s tendency to see only the negative side of things (I must be getting old).  Something which has recently come to a head as I work more on implementing the new European General Data Protection Regulation.

This regulation comes into force in May 2018.  Just over a year off. It isn’t being dropped on us at short notice. Actually we are given two years’ notice.

Let’s put GDPR into context. It replaces a piece of legislation that is 20 years old. Legislation that was put in place to protect our privacy in the technological world that existed at the time.  That world has changed beyond recognition.  In 1998 there were 147 million users of the internet worldwide; actually, when the laws were written between 1994 and 1996, there were more like 16 million. Today there are in excess of 25 times that amount, over 3 billion (information source Internet World Stats).  The amount of data being transmitted every minute is colossal and the current laws governing the management of that data are outdated.  GDPR has been developed to protect this data: data that belongs to you and me.

In 1998 Biometrics were a thing of the future, science fiction.  Genetics data was something only considered by healthcare and high level research.  This form of data, our most private, has no protection under current data laws.  So we have to move on.

In recent weeks I have presented to a number of business leaders.  I have received a mixed response, very little of it positive.  Some completely overreacted, stating that it will prevent business.  GDPR isn’t meant to stop businesses doing what they do, just ensure they do it in a way that protects the data subject and makes the laws universal across Europe.  That has got to be positive.

One area of negativity is around consent.  And particularly having to re-consent.  This is a great opportunity to not only clear out obsolete data from systems but also validate that the people you are communicating with are reading your communications and you have the correct details.  Why would anyone want to put effort into communicating with people who don’t want to hear your message or no longer exist?  Over time that is more wasted effort than an exercise of validating the data you have.

I was recently at a presentation by Lord Digby Jones.  It was enlightening.  He talked at length about how great British industry is, but how now more than ever it needs to embrace and be positive about the challenges we face.  Let’s start looking at this new legislation as an opportunity not an obstruction.  We have to embrace it and it will be much easier embraced positively.

It is at times like this I think of the Charles Darwin quote:  ‘It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change.’  This is as true for business as it is the animal world.

In future blogs I will consider some of the impacts of GDPR and ways that I think businesses could benefit from it.


Easy does it GDPR could be a gentle stroll


I haven’t written a blog for a while because I have been busy.  Busy preparing for the future.  I have, hopefully, secured my website, made better provision for the security of my tech and got a couple of certifications to show my customers I’m serious about this stuff.  But that was not the only reason.  As I sat down to write this blog there were 464 days 14 hours and 41 minutes to the implementation of the General Data Protection Regulation (GDPR).  Oh, that is now 464 days 13 hrs 34 mins, so we had better get a move on.

The GDPR is probably one of the most significant pieces of legislation to affect UK businesses this century (I’ve always wanted to write that!).  It will, in some way, affect all businesses.  464 days 13 hrs and 32 mins (time is ticking) in business terms seems an age, but in GDPR terms it isn’t.  I’m a small business and implementing the basics has taken me since Christmas.  OK, that hasn’t been full time. I had to earn a bit of money as well, like all businesses, but there are still things to do.

After completing the GDPR practitioner course in December 2016, I thought I ought to get my own ‘house in order’.  In January, full of new year spirit and flu, I set off to be a beacon of compliance.  I don’t hold personal data, so I thought I would sail through the process, but I wanted to take the opportunity to do things properly and look at how I worked. Implementing GDPR is a great opportunity to look at the way you work and, whether it’s for compliance or not, question your processes and take the opportunity to make improvements.  This is not a message I’m hearing amongst the scare stories of fines of 4% of global turnover.  This could, if looked at positively, be a great business opportunity, one that could save money as well.

I will confess: some of my practices had slipped.  First I set about examining what security of my information meant to me as a business.  My risks are probably in line with most small to medium businesses, so I decided to look at the Cyber Essentials certificate and also the IASME governance framework.  Working through these made me think about what I had in place to protect my data.  I wasn’t too bad, but needed to tighten up in a few areas to achieve certification.  In doing this though I have laid a great foundation for the rest of the GDPR work.  That has to be good.

As I said, I still have things to do.  I have to examine how I am going to manage the cookie policy on my website (I drop one security cookie) and also develop a privacy policy and a few other bits and pieces. These I will do over the coming months.  Another key message: start now and pace yourself; implementing GDPR will be a cross-country run, not a sprint.  Start early and it could even be a gentle stroll.

When I was thinking about implementation of GDPR, for some reason the Millennium Bug issue came to mind.  Eradicating the bug was incredibly successful; as someone who was involved in getting a significant piece of software compliant, I know that the work was really necessary.  On 1 January 2000 the press were stating that it had been over-hyped.  It hadn’t; what had happened was that businesses had planned and taken time to look at and correct the issues.  Some had even improved their applications.  Time, that is what is needed with GDPR.  And you now have 464 days 13 hours and no minutes.


There are 3.5 billion internet users!

And I read this morning that in 2016, 1.6 billion personal records have been leaked, breached, stolen, call it what you will.  It also appears that the trend is only set to increase.

I did a little digging around and found that there are approximately 3.5 billion internet users, about 40% of the world population.  This means that potentially 45% of the internet users could have had their records leaked.  OK, you say, some will be duplicates and there will be other statistical anomalies that I don’t really understand which will reduce the percentage; but even reducing this number to 35%, it is an alarming statistic.  If 35% of the world population were to suddenly be struck by the same disease would we be so calm?  No, there would be mass hysteria.  Would governments be working together to resolve the issue?  Yes, I’m sure they would.

It appears to me that cyber-crime is not being tackled in a coordinated way.  All governments seem to take an independent approach.  Our own government has a Cyber-Security strategy based on making the UK the safest place to be online.  Whilst well intentioned, this is surely wrong.  Internet-based crime is a worldwide problem and can only be managed with a coordinated approach across the world.  It is no use the UK being the safest place to access the internet when my records travel across the world, way outside of our jurisdiction, just to travel a few miles to my insurance broker, for example.

Europe is going some way to tackle the issue with the introduction of the European General Data Protection Regulation (GDPR). This is due to be implemented in 2018.  It standardises the measures across Europe that businesses should take to protect personal data.  It also stipulates what measures need to be put into place if data is being shared outside of the participating countries.

The GDPR is a great step and it is clear that considerable thought has gone into it and into tying it into security frameworks.  There will be some teething problems I’m sure, but it will be a massive step forward.  Now we need to turn to law enforcement.  The GDPR will deal with the processors of data if they get it wrong, but why can’t the law enforcement agencies start to do something similar, where there is a common approach to hunting down and prosecuting the perpetrators of internet crime?  It has taken 10 years to develop the GDPR; getting 28 member countries to agree a single approach takes time.  If it can be done for the data protection laws surely we can agree some standards for co-ordinating criminal investigation and prosecution of the culprits.  That would start to have a massive effect; currently the chances of getting caught are low and, if caught, the chances of being convicted are also low.  Anything we can do to improve this has to be good.

Featured Image by: frankieleon used under Flickr Commons Licence


Gone Fishin’

Or did I mean Phishing?

I read that this Friday 25 November is the official start of the shopping ‘silly season’.  Black Friday and then Cyber Monday, more American imports to our shores, kick off the spending frenzy to Christmas.

But it appears that shopping is not the only frenzy that this season brings.  According to a recent ITGovernance blog, the Anti-Phishing Working Group (that is for real) report an increase in Phishing during the Christmas period.  Last year there was a 250% increase in Phishing attacks between December 2015 and March 2016.

I would suspect this will increase this year if my personal experience is anything to go by.  Already this week I have seen 100 emails in my spam folder offering me ‘too good to be true’ Black Friday offers and as I write, it is only pale grey Tuesday (PM).  I don’t know what my mail box will look like on Thursday!

Taking a look at the latest Phishing trend analysis one can see why this is probably a popular time of year.  43% of Phishing attacks are targeted at the Retail/Service sectors and 13% at Payment Services, a total of 56% covering the most popular sectors at this time of year.

The increase indicates that this approach to spreading malware or gaining access to data and/or networks is effective.  This has to raise concerns for business.  How many business owners have trained their staff to spot potential Phishing scams?  I bet it’s not many.  Most will assume that by employing intelligent adults they are safe.  Not true. Phishing is getting sophisticated and some are not easy to spot.

If I employed staff, I would expect to

  • Brief my staff on relevant health and safety annually;
  • Brief them on the fire procedure annually and have at least one practice;
  • Brief my staff on how to stay safe on-line.

On this latter point there are loads of resources on-line, but for a few hundred quid isn’t it worth getting an expert with up-to-date knowledge in to your organisation to give proper guidance?  No? Well, here are some people who would probably now pay that:

  • A small soft furnishing company who clicked on an invoice link in an email.  It was a malicious link containing ransomware.  All their files were encrypted and it cost them over £2000 to recover their data.
  • The not-for-profit organisation whose head of finance received an email from the CEO asking for urgent payment to a supplier.  The CEO’s email had been spoofed, he never sent it, and £10,000 was transferred to a fraudster.
  • The world-leading heart hospital that narrowly missed a ransomware attack.  A nurse unwittingly clicked on a link in an infected email. Thanks to the ‘lucky’ timing of a backup they escaped, but it was luck not judgement.

Featured Image by Snuzzy used under creative commons licence

Can you afford to ignore cyber security

A quick scan of the Information Commissioner’s Office (ICO) website shows that since the beginning of August to 13 October, 17 enforcement notices have been made.  These range from a small fine for processing personal data when not registered with the commissioner, to the TalkTalk decision.  In total since August £840,650 has been levied in fines. Nearly a million pounds in just short of three months.  The TalkTalk decision makes up almost half of this amount, but two things are evident:  The ICO is looking at all types of business, small businesses are not immune; the TalkTalk decision sends a clear message to businesses of all sizes to take their IT security seriously.

In summary of the case the ICO states:

“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”

“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations.  TalkTalk should and could have done more to safeguard its customer information.  It did not and we have taken action.”

The ICO found against TalkTalk on the 7th Data Protection Principle: Security.  This states that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to personal data”.

As a result, by 2 November TalkTalk will have to hand over a cheque for £400,000 to the ICO. Ouch.  But added to this, profits have reduced by 56% and, according to The Register, in the month after the breach 9,000 customers did the WalkWalk.  It isn’t just the fine that hurts.

There is no doubt that the fines are increasing.  Hampshire Council have been fined £100,000 for leaving details of 100 people in a disused building. A GP surgery has been fined £40,000 for revealing details on one patient.  When the new General Data Protection Regulation is implemented the maximum fine that can be levied will increase to 4% of turnover.  That could be the ruin of some organisations.  It is clear from the ICO that they will not simply accept that a business has been hacked and that is a crime.  They will expect businesses to demonstrate they have done all they can to prevent unauthorised access.  This latest finding almost puts Cyber Security on a level with Health and Safety and all organisations should begin to take it seriously.

Reading the ICO statement, how many organisations can honestly say they do ‘all’ they can to avoid data loss?  When I, as a consumer share my details, how can I be sure that the organisation I am sharing with has done all it can?

I suppose the first step for most organisations is Cyber Essentials.  Launched by the UK government in 2014, some experts suggest that implementing the 5 basic controls could reduce the risk of simple commodity attacks, such as the one against TalkTalk by 80%.  One blogger, an early implementer of Cyber Essentials suggested that even though they held the ISO27001 certification (a much more complex assessment), they still learned from implementing Cyber Essentials. When the scheme was launched in 2014 Christopher Graham the Information Commissioner of the time was quoted as saying “Cyber Essentials enables businesses to demonstrate that they are taking action to control the risks”. Now it doesn’t say that they would be exempt from prosecution, but there are demonstrable mitigations to the risks.  A few hundred pounds on Cyber Essentials and time implementing and monitoring it annually has to be a reasonable investment.

Cyber Essentials may go some way to satisfying the ICO, but what about the customers of a business?  The Cyber Essentials badge should also go some way to satisfying the customer that the business takes security seriously.  However, the badge isn’t everything.  Before trusting it completely ask the business when they were last certified.  One weakness of the certification is a lack of an expiry date.  Technically a business that certified at the start of the scheme can still say they have Cyber Essentials today, even though they haven’t done anything since. It isn’t a one-off process; to keep current, businesses should renew yearly, just like a Cyber MoT.

Featured image by Alexander Baxevanis (used under Flickr Creative Commons Licence)

Tech-NO!

The title of this blog is possibly a little misleading.  I’m not advocating no technology. For a start, I couldn’t write this blog without it. I just want to make the point that tech isn’t the answer to everything and particularly that solutions to Cyber-Crime are not purely technical.

In a speech at the Billington Cyber Security Summit last week, Ciaran Martin, the incoming CEO of the National Cyber Security Centre, set out how this new organisation will work.  I applaud the establishment of this organisation.  Cyber defences in the UK are currently disparate, competitive and confusing.  You can’t fight a war with an army that is competing internally, so to bring all functions under ‘one roof’ has to be a good start.  Providing a ‘one stop shop’ for Cyber Security advice and guidance is great.  However, will it be a ‘one stop shop’?

After reading Mr Martin’s speech, I was concerned that there appears to be little or no focus on the softer side of Cyber Security.  Nearly all of the speech concentrates on the technology solutions the organisation will put into place.  There is no doubt that the solutions are innovative and as such possibly a little controversial, but even the best technology solutions cannot be the complete solution.

Let’s use an analogy of a secure building.  We may build big walls and high fences; to ensure that these are not scaled we install anti-climb technology.  We put access control on the doors with pin code access for added security.  The alarm systems cover any eventuality and there are cameras covering every perceivable angle.  Shatterproof windows and break alarms are also a must.  At great cost, we have it all covered.  But we fail to tell staff the importance of keeping their access cards and details safe and the reasons why.  Someone’s access card is stolen and, because the pin code is difficult to remember, they have written it on the card.  Suddenly all the security mechanisms are redundant; a potential villain has the keys to the castle.

This analogy can easily be aligned to Cyber-Crime.  We can put all the security technology in place, but if one of the system users gives away the keys to the ‘IT Castle’ it will be in vain.  Kevin Mitnick, probably the world’s most famous hacker stated in his book The Art of Deception: ‘the human factor is truly security’s weakest link’.  This view is supported by the rise in social engineering attacks taking place in an attempt to circumvent the increases in technical security.

It is for this reason I was very disappointed not to see a ‘human’ element to the National Cyber Security Centre.  UK businesses not only need technical advice, but they need to know how to educate their staff and what to educate their staff in.  Let’s hope that tech is seen as a higher priority at this point and the Human Factors will soon follow.

Featured image by: Charles Stanford Flickr Commons


Let’s reduce the use of the ‘C’ Word

JCB Backhoe Loader – An Asset (picture by Ramesh NG)

Prior to acquiring a new asset like the lovely digger in the picture above, a business would assess:

  • Can we afford it?
  • Do we buy outright or lease?
  • What will the on-going costs be?
    • insurance;
    • maintenance; etc.
  • Do we have the skills in the organisation to use it?
    • Can anyone use it or do we need to train a specific cohort of people to use it?
  • What risks come with owning it?
    • Could it be stolen?
    • What happens if it breaks down?
    • Could it increase the damage we could do, over a man and a spade? (I don’t work in construction)
    • If we become reliant on it, what will happen if it is no longer there?

So why don’t similar questions get asked about the information assets a company owns? Would the company that buys the digger necessarily think the same way about their information assets?  Do they view information as an asset?  It appears that many businesses, large and small, don’t, and don’t view the tools they use to access information as an asset either.  What would they do though if the information they have come to rely on and take for granted was unavailable?

Without access to information, how long would the average company last? There is a massive amount of information about this on the internet,  some ‘facts’ I have found include:

  • 30% of all businesses that have a major fire go out of business within a year. 70% fail within five years. (Home Office Computing Magazine).
  • 60% of companies that lose their data will shut down within 6 months of the disaster.
  • 93% of companies that lost their data centre for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. 50% of businesses that found themselves without data management for this same time period filed for bankruptcy immediately. (National Archives & Records Administration in Washington).
  • Companies that aren’t able to resume operations within ten days (of a disaster hit) are not likely to survive. (Strategic Research Institute).

So why would an organisation spend time and effort assessing the business risk around an asset like a digger and not do the same for their information assets?  It is no more difficult, is it?

Well, it probably is.  For one thing, information is not tangible any more. Pre-computers it was: one could hold it, see it, know where it was.  Today it is a bit mysterious.  But there is more of it and we are actually more reliant on it. Secondly, for years the technology industry has been selling the message – information is safer stored electronically.

A whole industry has grown up around information security and with it a culture.  One that is cloaked in mystery and techno speak.  Language that is not aligned to business. A language that can generate massive amounts of FUD (Fear Uncertainty and Doubt) and this is probably the major issue.

Nearly 30 years ago when I first ventured into IT we revelled in our own language.  A language that made us feel special, aloof and expensive!  After many spectacular IT failures the profession realised that to achieve success it had to align to business needs and work alongside the business to deliver goals.  I see parallels emerging with the Security Industry.  We need to better align with business and make the risks associated with information relevant to the business.  Understand what the business wants to achieve and help them do that safely, easily and at reasonable cost.  We need to work alongside the business. The ‘C’ word – Cyber (oh heck, I’ve said it) – scares many business leaders into inertia, so let’s reduce the use of it, speak our customers’ language and see where that gets us.

Feature image by: www.gotcredit.com
