Easy does it GDPR could be a gentle stroll


I haven’t written a blog for a while because I have been busy. Busy preparing for the future. I have, hopefully, secured my website, made better provision for the security of my tech and got a couple of certifications to show my customers I’m serious about this stuff. But that was not the only reason. As I sat down to write this blog there were 464 days 14 hours and 41 minutes to the implementation of the General Data Protection Regulation (GDPR). Oh, that is now 464 days 13 hrs 34 mins, so we had better get a move on.

The GDPR is probably one of the most significant pieces of legislation to affect UK businesses this century (I’ve always wanted to write that!). It will, in some way, affect all businesses. 464 days 13 hrs and 32 mins (time is ticking) in business terms seems an age, but in GDPR terms it isn’t. I’m a small business and implementing the basics has taken me since Christmas. OK, that hasn’t been full time. I had to earn a bit of money as well, like all businesses, but there are still things to do.

After completing the GDPR practitioner course in December 2016, I thought I ought to get my own ‘house in order’. In January, full of new year spirit and flu, I set off to be a beacon of compliance. I don’t hold personal data, so I thought I would sail through the process, but I wanted to take the opportunity to do things properly and look at how I worked. Implementing GDPR is a great opportunity to look at the way you work: whether it’s for compliance or not, question your processes and take the opportunity to make improvements. This is not a message I’m hearing amongst the scare stories of fines of 4% of global turnover. If looked at positively, this could be a great business opportunity, one that could save money as well.

I will confess: some of my practices had slipped. First I set about examining what security of my information meant to me as a business. My risks are probably in line with most small to medium businesses, so I decided to look at the Cyber Essentials certificate and also the IASME governance framework. Working through these made me think about what I had in place to protect my data. I wasn’t too bad, but needed to tighten up in a few areas to achieve certification. In doing this, though, I have laid a great foundation for the rest of the GDPR work. That has to be good.

As I said, I still have things to do. I have to examine how I am going to manage the cookie policy on my website (I drop one security cookie) and also develop a privacy policy and a few other bits and pieces. These I will do over the coming months. Another key message: start now and pace yourself; implementing GDPR will be a cross-country run, not a sprint. Start early and it could even be a gentle stroll.

When I was thinking about implementation of GDPR, for some reason the Millennium Bug issue came to mind. Eradicating the bug was incredibly successful; as someone who was involved in getting a significant piece of software compliant, I know that the work was really necessary. On 1 January 2000 the press were stating that it had been over-hyped. It hadn’t; what had happened was that businesses had planned and taken time to look at and correct the issues. Some had even improved their applications. Time, that is what is needed with GDPR. And you now have 464 days 13 hours and no minutes.


There are 3.5 billion internet users!

And I read this morning that in 2016, 1.6 billion personal records have been leaked, breached, stolen, call it what you will. It also appears that the trend is only set to increase.

I did a little digging around and found that there are approximately 3.5 billion internet users, about 40% of the world population. This means that potentially 45% of internet users could have had their records leaked. OK, you say, some will be duplicates and there will be other statistical anomalies that I don’t really understand which will reduce the percentage; but even reducing this number to 35%, it is an alarming statistic. If 35% of the world population were to suddenly be struck by the same disease, would we be so calm? No, there would be mass hysteria. Would governments be working together to resolve the issue? Yes, I’m sure they would.

It appears to me that cyber-crime is not being tackled in a coordinated way. All governments seem to take an independent approach. Our own government has a Cyber-Security strategy based on making the UK the safest place to be online. Whilst well intentioned, this is surely wrong. Internet-based crime is a worldwide problem and can only be managed with a coordinated approach across the world. It is no use the UK being the safest place to access the internet when my records travel across the world, way outside of our jurisdiction, just to travel a few miles to my insurance broker, for example.

Europe is going some way to tackle the issue with the introduction of the European General Data Protection Regulation (GDPR). This is due to be implemented in 2018.  It standardises the measures across Europe that businesses should take to protect personal data.  It also stipulates what measures need to be put into place if data is being shared outside of the participating countries.

The GDPR is a great step and it is clear that considerable thought has gone into it and into tying it into security frameworks. There will be some teething problems, I’m sure, but it will be a massive step forward. Now we need to turn to law enforcement. The GDPR will deal with the processors of data if they get it wrong, but why can’t the law enforcement agencies start to do something similar, with a common approach to hunting down and prosecuting the perpetrators of internet crime? It has taken 10 years to develop the GDPR; getting 28 member countries to agree a single approach takes time. If it can be done for the data protection laws, surely we can agree some standards for co-ordinating criminal investigation and prosecution of the culprits. That would start to have a massive effect: currently the chances of getting caught are low and, if caught, the chances of being convicted are also low. Anything we can do to improve this has to be good.

Featured Image by: frankieleon used under Flickr Commons Licence


Gone Fishin’

Or did I mean Phishing?

I read that this Friday 25 November is the official start of the shopping ‘silly season’. Black Friday and then Cyber Monday, more American imports to our shores, kick off the spending frenzy to Christmas.

But it appears that shopping is not the only frenzy that this season brings. According to a recent ITGovernance blog, the Anti-Phishing Working Group (that is for real) report an increase in Phishing during the Christmas period. Last year there was a 250% increase in Phishing attacks between December 2015 and March 2016.

I would suspect this will increase this year if my personal experience is anything to go by.  Already this week I have seen 100 emails in my spam folder offering me ‘too good to be true’ Black Friday offers and as I write, it is only pale grey Tuesday (PM).  I don’t know what my mail box will look like on Thursday!

Taking a look at the latest Phishing trend analysis, one can see why this is probably a popular time of year. 43% of Phishing attacks are targeted at the Retail/Service sectors and 13% at Payment Services, a total of 56% covering the most popular sectors at this time of year.

The increase indicates that this approach to spreading malware or gaining access to data and/or networks is effective. This has to raise concerns for business. How many business owners have trained their staff to spot potential Phishing scams? I bet it is not many. Most will assume that by employing intelligent adults they are safe. Not true. Phishing is getting sophisticated and some attempts are not easy to spot.

If I employed staff, I would expect to

  • Brief my staff on relevant health and safety annually;
  • Brief them on the fire procedure annually and have at least one practice;
  • Brief my staff on how to stay safe on-line.

On this latter point there are loads of resources on-line, but for a few hundred quid isn’t it worth getting an expert with up-to-date knowledge into your organisation to give proper guidance? No? Well, here are some people who would probably now pay that:

  • A small soft furnishing company who clicked on an invoice link in an email. It was a malicious link containing ransomware. All their files were encrypted and it cost them over £2,000 to recover their data.
  • The not-for-profit organisation whose head of finance received an email from the CEO asking for urgent payment to a supplier. The CEO’s email had been spoofed, he never sent it and £10,000 was transferred to a fraudster.
  • The world-leading heart hospital that narrowly missed a ransomware attack. A nurse unwittingly clicked on a link in an infected email. Thanks to the ‘lucky’ timing of a backup they escaped, but it was luck, not judgement.

Featured Image by Snuzzy used under creative commons licence

Can you afford to ignore cyber security

A quick scan of the Information Commissioner’s Office (ICO) website shows that from the beginning of August to 13 October, 17 enforcement notices have been made. These range from a small fine for processing personal data when not registered with the commissioner, to the TalkTalk decision. In total since August £840,650 has been levied in fines: nearly a million pounds in just short of three months. The TalkTalk decision makes up almost half of this amount, but two things are evident: the ICO is looking at all types of business, and small businesses are not immune; and the TalkTalk decision sends a clear message to businesses of all sizes to take their IT security seriously.

In summary of the case the ICO states:

“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”

“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations.  TalkTalk should and could have done more to safeguard its customer information.  It did not and we have taken action.”

The ICO found against TalkTalk on the 7th Data Protection Principle: Security.  This states that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to personal data”.

As a result, by 2 November TalkTalk will have to hand over a cheque for £400,000 to the ICO. Ouch. But added to this, profits have fallen by 56% and, according to The Register, in the month after the breach 9,000 customers did the WalkWalk. It isn’t just the fine that hurts.

There is no doubt that the fines are increasing. Hampshire Council have been fined £100,000 for leaving details of 100 people in a disused building. A GP surgery has been fined £40,000 for revealing details on one patient. When the new General Data Protection Regulation is implemented, the maximum fine that can be levied will increase to 4% of turnover. That could be the ruin of some organisations. It is clear from the ICO that they will not simply accept the excuse that a business has been hacked and that the hack was a crime. They will expect businesses to demonstrate they have done all they can to prevent unauthorised access. This latest finding almost puts Cyber Security on a level with Health and Safety, and all organisations should begin to take it seriously.

Reading the ICO statement, how many organisations can honestly say they do ‘all’ they can to avoid data loss? When I, as a consumer, share my details, how can I be sure that the organisation I am sharing with has done all it can?

I suppose the first step for most organisations is Cyber Essentials. Launched by the UK government in 2014, some experts suggest that implementing the 5 basic controls could reduce the risk of simple commodity attacks, such as the one against TalkTalk, by 80%. One blogger, an early implementer of Cyber Essentials, suggested that even though they held the ISO27001 certification (a much more complex assessment), they still learned from implementing Cyber Essentials. When the scheme was launched in 2014, Christopher Graham, the Information Commissioner of the time, was quoted as saying “Cyber Essentials enables businesses to demonstrate that they are taking action to control the risks”. Now, it doesn’t say that they would be exempt from prosecution, but there are demonstrable mitigations to the risks. A few hundred pounds on Cyber Essentials and time implementing and monitoring it annually has to be a reasonable investment.

Cyber Essentials may go some way to satisfying the ICO, but what about the customers of a business? The Cyber Essentials badge should also go some way to satisfying the customer that the business takes security seriously. However, the badge isn’t everything. Before trusting it completely, ask the business when they were last certified. One weakness of the certification is the lack of an expiry date. Technically a business that certified at the start of the scheme can still say they have Cyber Essentials today, even though they haven’t done anything since. It isn’t a one-off process; to keep current, businesses should renew yearly, just like a Cyber MoT.

Featured image by Alexander Baxevanis (used under Flickr Creative Commons Licence)

Tech-NO!

The title of this blog is possibly a little misleading. I’m not advocating no technology. For a start, I couldn’t write this blog without it. I just want to make the point that tech isn’t the answer to everything and, particularly, that solutions to Cyber-Crime are not purely technical.

In a speech at the Billington Cyber Security Summit last week, Ciaran Martin, the incoming CEO of the National Cyber Security Centre, set out how this new organisation will work. I applaud the establishment of this organisation. Cyber defences in the UK are currently disparate, competitive and confusing. You can’t fight a war with an army that is competing internally, so to bring all functions under ‘one roof’ has to be a good start. Providing a ‘one stop shop’ for Cyber Security advice and guidance is great. However, will it be a ‘one stop shop’?

After reading Mr Martin’s speech, I was concerned that there appears to be little or no focus on the softer side of Cyber Security.  Nearly all of the speech concentrates on the technology solutions the organisation will put into place.  There is no doubt that the solutions are innovative and as such possibly a little controversial, but even the best technology solutions cannot be the complete solution.

Let’s use an analogy of a secure building. We may build big walls and high fences; to ensure that these are not scaled we install anti-climb technology. We put access control on the doors with pin code access for added security. The alarm systems cover any eventuality and there are cameras covering every perceivable angle. Shatterproof windows and break alarms are also a must. At great cost, we have it all covered. But we fail to tell staff the importance of keeping their access cards and details safe and the reasons why. Someone’s access card is stolen and, because the pin code is difficult to remember, they have written it on the card. Suddenly all the security mechanisms are redundant: a potential villain has the keys to the castle.

This analogy can easily be aligned to Cyber-Crime. We can put all the security technology in place, but if one of the system users gives away the keys to the ‘IT Castle’ it will be in vain. Kevin Mitnick, probably the world’s most famous hacker, stated in his book The Art of Deception: ‘the human factor is truly security’s weakest link’. This view is supported by the rise in social engineering attacks taking place in an attempt to circumvent the increases in technical security.

It is for this reason I was very disappointed not to see a ‘human’ element to the National Cyber Security Centre. UK businesses not only need technical advice, they also need to know how to educate their staff and what to educate their staff in. Let’s hope that tech is seen as the higher priority only at this point and that the Human Factors will soon follow.

Featured image by: Charles Stanford Flickr Commons


Let’s reduce the use of the ‘C’ Word

Image: JCB Backhoe Loader – an asset (picture by Ramesh NG)

Prior to acquiring a new asset like the lovely digger in the picture above, a business would assess:

  • Can we afford it?
  • Do we buy outright or lease?
  • What will the on-going costs be?
    • insurance;
    • maintenance; etc.
  • Do we have the skills in the organisation to use it?
    • Can anyone use it, or do we need to train a specific cohort of people to use it?
  • What risks come with owning it?
    • Could it be stolen?
    • What happens if it breaks down?
    • Could it increase the damage we could do, over a man and a spade? (I don’t work in construction)
    • If we become reliant on it, what will happen if it is no longer there?

So why don’t similar questions get asked about the information assets a company owns? Would the company that buys the digger necessarily think the same way about its information assets? Do they view information as an asset? It appears that many businesses, large and small, don’t, and don’t view the tools they use to access information as an asset either. What would they do, though, if the information they have come to rely on and take for granted was unavailable?

Without access to information, how long would the average company last? There is a massive amount of information about this on the internet; some ‘facts’ I have found include:

  • 30% of all businesses that have a major fire go out of business within a year. 70% fail within five years. (Home Office Computing Magazine).
  • 60% of companies that lose their data will shut down within 6 months of the disaster.
  • 93% of companies that lost their data centre for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. 50% of businesses that found themselves without data management for this same time period filed for bankruptcy immediately. (National Archives & Records Administration in Washington).
  • Companies that aren’t able to resume operations within ten days (of a disaster hit) are not likely to survive. (Strategic Research Institute).

So why would an organisation spend time and effort assessing the business risk around an asset like a digger and not do the same for their information assets? It is no more difficult, is it?

Well, it probably is. For one thing, information is not tangible any more. Pre-computers it was: one could hold it, see it, know where it was. Today it is a bit mysterious. But there is more of it and we are actually more reliant on it. Secondly, for years the technology industry has been selling the message that information is safer stored electronically.

A whole industry has grown up around information security and with it a culture, one that is cloaked in mystery and techno-speak. Language that is not aligned to business. A language that can generate massive amounts of FUD (Fear, Uncertainty and Doubt), and this is probably the major issue.

Nearly 30 years ago, when I first ventured into IT, we revelled in our own language. A language that made us feel special, aloof and expensive! After many spectacular IT failures the profession realised that to achieve success it had to align to business needs and work alongside the business to deliver goals. I see parallels emerging with the Security Industry. We need to better align with business and make the risks associated with information relevant to the business. Understand what the business wants to achieve and help them do that safely, easily and cost-effectively. We need to work alongside the business. The ‘C’ word – Cyber (oh heck, I’ve said it) – scares many business leaders into inertia, so let’s reduce the use of it, speak our customers’ language and see where that gets us.

Feature image by: www.gotcredit.com


Password INCORRECT

I have just finished reading ‘The Art of Intrusion’ by Kevin Mitnick and William M. Simon. Some may remember the name Mitnick; he is probably one of the most famous hackers of all time. In this book Mitnick and Simon present real-life cases of computer hacking. Whilst it is now ten years old, many of the stories told in the book are, sadly, still relevant today. What took my attention was the statement at the very end of the book, pages 258 & 259 to be precise, which I hope Mr Mitnick and Mr Simon don’t mind me reproducing here:

“And that seems like a powerful message to end with. If every computer user were to improve his or her passwords tonight — and not leave new passwords in some easy-to-find place — then tomorrow morning, we would suddenly find ourselves living in a much more secure world.

We hope that will be an action message for every reader of this book.”

I’m sure the book has had success, but how many people have taken note of that last paragraph and actioned it? The message about passwords is forever being talked about. Every year SplashData produce a list of the top passwords used worldwide. In 2015 the number 1 position was held by the password ‘123456’, closely followed in second position by ‘password’ and then ‘12345678’. One of the first things hackers want is to get hold of a password. Once they have one of these, their task is much easier, and it looks like the users of computers are not making this too difficult.

Passwords are a pain, though. I think I have over 70 now, and trying to dream up new passwords for every site/system and then changing them regularly is even harder. It is recommended that passwords are complex, between 8 and 12 characters, and also contain special characters such as #^&? etc. So personally, I am expected to remember:

  • 840 characters;
  • the associations of those characters to sites/systems;
  • the reminders that will help me remember my password!

And change them all regularly. If I follow the security recommendation of changing passwords every 90 days, that means annually I am having to remember 3,360 characters just in connection with my computer activity. That’s hard and is probably the reason people reuse passwords, write them down or have ridiculously simple ones. But until something more reliable comes along we are stuck with the dreaded things and we have to make the best of them.

When reading Mitnick’s final paragraph, I remembered the work that had recently been published by CESG in cooperation with CPNI: Password Guidance – Simplifying Your Approach. In what seems to be a very well written and straightforward document they recommend, amongst other things, lightening the burden on users. Specifically they state:

  • Users have a whole suite of passwords to manage, not just yours.
  • Only use passwords where they are really needed.
  • Use technical solutions to reduce the burden on users.
  • Allow users to securely record and store their passwords.
  • Only ask users to change their passwords on indication or suspicion of compromise.
  • Allow users to reset passwords easily, quickly and cheaply.
  • Do not allow password sharing.
  • Password management software can help users, but carries risks.
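To make the contrast concrete, here is an added example (not from the original post, and not CESG’s or CPNI’s own code) that puts the two regimes side by side: the ‘complex, 8 to 12 characters, special character, change every 90 days’ policy described above, and a lighter policy along the lines of the CESG guidance, which screens out the well-known weak passwords, keeps a minimum length and only forces a change when a compromise is indicated. The deny list is constructed from the three SplashData 2015 entries named in the post plus a couple of illustrative additions; the 8-character minimum and the function names are my assumptions.

```python
"""Two password-acceptance policies side by side (added illustration).

legacy_policy      - the burdensome regime the post describes.
cesg_style_policy  - a lighter regime in the spirit of the CESG/CPNI
                     guidance quoted in the post.
"""
from typing import Tuple

# Constructed deny list: the SplashData 2015 top three named in the post,
# plus two illustrative additions (assumed, not from the post).
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "letmein"}

# Special characters the legacy policy insists on (post gives #^&? as examples).
SPECIALS = set("#^&?!@$%*")


def legacy_policy(password: str, age_days: int) -> Tuple[bool, str]:
    """Complex, 8-12 characters, at least one special character, rotate every 90 days.

    age_days is how long ago the password was set. Note that a long passphrase
    with no special character is rejected even though it is far harder to guess
    than many passwords this policy accepts.
    """
    if not 8 <= len(password) <= 12:
        return False, "length must be 8-12 characters"
    if not any(c in SPECIALS for c in password):
        return False, "must contain a special character"
    if age_days > 90:
        return False, "password expired (90-day rotation)"
    return True, "ok"


def cesg_style_policy(password: str, compromised: bool = False,
                      min_length: int = 8) -> Tuple[bool, str]:
    """Block known-weak passwords, require a minimum length, no upper bound,
    no routine expiry: only ask for a change on indication of compromise.

    min_length of 8 is an assumed value for the example.
    """
    if compromised:
        return False, "change required: account flagged as compromised"
    # Case-insensitive check so 'Password' is caught as well as 'password'.
    if password.lower() in COMMON_PASSWORDS:
        return False, "password appears on the common-password deny list"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


def compare(password: str, age_days: int = 0, compromised: bool = False) -> dict:
    """Evaluate one password under both policies; handy for a quick table."""
    return {
        "legacy": legacy_policy(password, age_days),
        "cesg_style": cesg_style_policy(password, compromised),
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["123456", "Password", "Password#1", "correct horse battery staple"]:
        print(f"{pw!r:34} {compare(pw)}")
    # The same acceptable password, 120 days old: only the legacy regime objects.
    print(compare("Password#1", age_days=120))
```

Run as a script it prints a small comparison table; ‘123456’ fails both regimes, ‘Password’ passes the legacy length rule only to be stopped by the deny list, and a long passphrase is rejected by the legacy rules but accepted by the lighter ones. The point is the one the post makes: the rules that are hardest on users are not the ones that keep the obvious passwords out.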

This seems sound, practical advice. So I would recommend that if, tomorrow, every business looks at their password policy and revises it in line with the CESG advice, then we could find ourselves living in a much more secure world.

Reducing the risk of this:

Image: Password – Incorrect

Featured image by: Eric Schumuttenmaer
