SRM Blog

Promoting and Protecting your Identity

How much control is too much when it comes to social media?

Organisations spend millions on their marketing campaigns in the hope and expectation of raising brand awareness and increasing publicity. However, one seemingly innocuous tweet sent by an employee has the potential to give an organisation all the publicity and attention they could ever want – just with the spotlight focusing in the wrong area.

Managing employee usage of social media is a growing concern for organisations worldwide. Many social media platforms give users the option of stating where they work. If an employee decides to share this information, their behaviour could be considered reflective of who they work for. The information could provide an insight into what kind of people that organisation hires and what it finds acceptable, and thus into its morals and culture. Essentially, this gives employees the leverage to make or break a brand’s image. The topic is just as important whether or not an organisation has a social media presence of its own – effectively, its employees create a presence by virtue of their own online activity.

In 2013, a single tweet ended Justine Sacco’s career as Communications Director of the New York-based internet empire IAC. She posted the tweet before boarding an 11-hour flight to South Africa; it received over 2000 retweets while she was in transit – she had become an internet phenomenon before she had even landed. Sacco was subsequently fired by IAC, a move taken in order to protect its own brand image.

Sacco’s story is an extreme case, but the incident has become a byword for the need for people to be cautious about what they post on social media. Even seemingly innocuous posts can still do a lot of damage to an organisation’s brand image. Complaining about working conditions could deter future applicants; posting sensitive information could affect the company strategically; and general online behaviour could reflect badly on the company’s culture.

Many social media users are now keen to highlight the fact that “all views are my own”. However, these kinds of disclaimers will not prevent your employer from firing you if you say something that reflects badly, and they will not prevent people from associating your views with your employer.

Social media policies are being introduced throughout organisations large and small. Here are a few things to consider when creating such a policy:

  • Creating a safe space for employees to speak about concerns goes a long way. Having an internal outlet for grievances reduces the chances that employees will express negative information online.
  • It is worth defining what is considered to be confidential or sensitive information. Assuming that all employees will generally know this is a dangerous assumption to make.
  • It may also be worth addressing involvement in illegal online activity. Warn employees against engaging in any illegal activity, and remind them to respect others’ copyright and trademarks when online for both personal and professional reasons.

If the UK votes to leave the EU, will we still have to comply with GDPR?

The 23rd June referendum is fast approaching and it is getting increasingly difficult to get simple answers to simple questions. As we think about how we will vote, just one of the things to consider is the raft of regulations and directives in the EU pipeline which could have a significant effect on us in the UK. The highest-profile item on the cyber security agenda is the General Data Protection Regulation (GDPR). This is due to come into effect on 25th May 2018, when it will become law across all 28 member states without the need for member states to pass local legislation. But will we be bound by GDPR if we leave the European Union?

Most businesses are looking for a simple answer. Yes or No. If Britain votes to remain in the EU then it’s very simple indeed: the GDPR will become law in the UK as well as all other member states and we will have to comply.

But what happens if Britain votes for Brexit and leaves the EU? Will we then be able to ignore the regulation and simply continue to adhere to the 1998 UK Data Protection Act? The answer to this is equally simple: no. Because GDPR applies to any country processing EU data, regardless of the outcome of the referendum, it will affect virtually every UK business. For the vast majority of us, there is simply no avoiding it: we will need to get into a position of compliance.

When it comes to GDPR, it is not where the data is held that matters but whom the data is about. If the data is about EU citizens, then companies have to comply with the regulation no matter where in the world they are.

So the fundamental questions all organisations need to ask are:

  • Do we do business with anyone in the EU?
  • Do we store or process any personal data as part of that?
  • Do we employ any EU citizens within our organisation?

If the answer to any of these questions is yes, then it’s a yes to GDPR compliance. But even if the answer is no, there are some additional political factors to take into account which make GDPR compliance unavoidable. Consider the following scenarios.

The first scenario is that the Brexit process takes several years to complete, meaning that on 25th May 2018 the GDPR will come into force as national law and every organisation will have to comply regardless. This will only change if the Government subsequently passes new legislation repealing the GDPR and creates a UK-specific Data Protection law.

In the second scenario, the process of separation is swifter than expected and we effectively leave the EU before 25th May 2018. In this case, it is likely that the GDPR will not become law, but other factors will come into play, namely whether the UK remains a member of the European Economic Area (EEA). If we do, then there will be a mandated requirement to comply with GDPR as prescribed in the Treaty on the Functioning of the European Union.

Even if we choose not to remain part of the EEA, any transfer or processing of EU data will only be permitted if the EU Commission deems the UK to have adequate Data Protection regulations in place. This is often referred to as “Safe Third Country” status. If we are deemed not to be a “Safe Third Country”, then any UK organisation processing the personal data of EU citizens will need to examine ways to change how it operates to ensure it complies with EU law, which means we’re back to GDPR.

So, the answer is simple. Whatever the outcome of 23rd June 2016, UK organisations need to ensure they are prepared and in a position to comply with the GDPR. Professional advice will ensure that you do this in the most cost-effective and efficient way possible.

The Unreliability of Technology

“Technology is so unreliable” is a phrase you often hear after something goes wrong at a critical moment. One of the greatest misconceptions is that our day-to-day devices are designed to be reliable. Because of this misconception, organisations are often strategically unprepared when breaches and system failures occur, despite considerable investment in sophisticated IT departments. If senior management took the time to understand the foundations of the platforms their businesses are built on, they would understand that it is almost impossible for technology to be completely reliable.

Understanding the history of the Internet will tell you that it was not built with business in mind. It was a solution for researchers who wanted a cheap, fast and easy way to communicate and share data. Like many developers, they worked to solve their own problem and did not think about what else might be possible with their achievements. They could never have imagined that ordinary businesses and consumers would rely on it every day. Furthermore, they could never have thought that this technology would become critical to the competitiveness of some of the most powerful organisations in the world. We are often so dazed by the benefits the Internet can offer us that we forget it was not designed for what we use it for today. It was not built with security or privacy in mind, and that omission is the source of all the threats we face.

Simply put, the Internet is a network of connected computers. If we accept that a chain is only as strong as its weakest link, then we must accept the fact that the Internet can never be completely safe. It connects powerful, up-to-date and secure computers with poorly managed, outdated and insecure ones. Hackers will deploy attacks through the weakest link. Tyler the intern, who brings his own laptop to work, doesn’t think it’s a big deal to put off that security update for a couple more days. What he doesn’t realise is that he has left the door wide open for a hacker to take advantage of – most exploits are designed to take advantage of unpatched computers.

No matter how much time and resource you dedicate to cyber security, your organisation’s security is only as strong as Tyler’s laptop. However, if you don’t allow home devices on the network and you think this gets you off the hook, think again!

Attackers focus on data flows from one part of a computer to another, so both hardware and software need to be managed well. The hardware you use to conduct day-to-day operations isn’t always built for safety or reliability.

A lot of hardware companies aim to build cheap, quick and profitable solutions, and once new models are introduced, some companies accept that leftover bugs are not worth investing any more time in and move on to their next product. Old hardware is therefore a threat to your organisation.

It is no longer a matter of if a breach will occur, but when. Not only is it important to protect yourselves now, but it is also important to protect the ability to protect yourselves.

Up to £1,500 available to Scottish SMEs to develop Cyber Resilience

Businesses in Scotland can receive up to £1,500 to help develop their cyber security as part of a Cyber Resilience Programme. The Digital Scotland Business Excellence Partnership (DSBEP) has delivered a number of projects over the years, mainly designed to encourage Digital Participation. Its latest project is the Cyber Resilience Programme, which helps businesses participate in a safe manner.

According to Digital Scotland, vulnerability applies to: ‘Any company that relies on computerised systems for payroll, marketing via social media or a website, booking systems, databases of customer details including payment details and/or any Intellectual Property or Patent information that could be of value. Companies can also be targeted as a route into businesses to whom they supply goods or services.

‘A business does not need to be specifically targeted to become a victim; cyber criminals constantly scan websites, systems and/or devices to detect vulnerabilities. Therefore, if you are not taking the appropriate steps, you will flag up as an easy target during this scanning process.’

The first element of the programme is the Cyber Resilience Toolkit which brings together current information for businesses on how to be cyber resilient. Workshops promoting the Toolkit will be run from June 2016 to September 2016.

The second element is the Cyber Resilience Voucher, which delivers up to £1,500 to eligible companies to secure the services of an industry expert to help them develop a cyber security strategy, together with assistance in the self-assessment required for the UK Government’s Cyber Essentials standard.

The Cyber Resilience Voucher is available to businesses that are based in Scotland, meet the definition of an SME and are VAT registered. For more information see http://www.etag.org.uk/wp-content/uploads/2016/05/Cyber-Resilience-FAQs.pdf.

Home grown talent makes SRM European leader in cyber security

Newcastle-based Security Risk Management (SRM) Ltd is addressing the national shortage of top-level qualified cyber security consultants by employing individuals with potential and then providing training in house.

Ken Rutherford (56) is the latest successful in-house candidate, gaining Qualified Security Assessor (QSA) accreditation from the Payment Card Industry (PCI) Security Standards Council this month. Because Ken also has deep-rooted digital forensic experience, and was already an accepted PFI Employee, his QSA qualification made him eligible to become a PCI Forensic Investigator (PFI) with immediate effect. SRM Ltd now boasts the largest number of QSAs and PFIs of any cyber security company in Europe.

QSAs are certified by the PCI Security Standards Council to audit merchants for Payment Card Industry Data Security Standard (PCI DSS) compliance. The process of qualification is rigorous and requires five years’ industry experience prior to any formal study programme.

Ken was allocated time within his work schedule at SRM to study, and took the QSA PCI Fundamentals course in March, which then guaranteed him a place on the final QSA course in London. He is the sixth member of SRM to gain this level of qualification.

Brian Fenwick, Director, says: “We are one of only 19 companies worldwide accredited by the Payment Card Industry to investigate breaches of credit card data and as one aspect of maintaining this standard we prioritise recruitment and training.

“We run an internal training programme as well as ensuring that those studying to become QSAs attend numerous client sites with an experienced QSA to assist with the practical elements of the course.”

The company also runs its own SRM Academy, delivering elements of cyber security training to colleges in the North East and providing employment opportunities for students.