Monthly Archive July 2017

Network intrusions are on the increase: time to engage a Retained Forensics specialist

This month Visa has reported an increase in the number of network intrusions involving service providers. It also reports increases in re-breaches of merchant payment environments and skimming incidents (July 2017). The company has therefore issued an alert to remind merchants of their obligations if a compromise occurs and to advise on the need to engage a Retained Forensics specialist.

It is not uncommon for card processors to send out emails warning of heightened risks. Yet it appears these are often overlooked in busy inboxes. In this instance, the warning is very real as card usage in the UK continues to rise.

The most recent statistics from Visa reveal that in April 2017 1,386 million purchases were made in the UK. That is a total spend of £58 million in one month alone and represents a number of ongoing upward trends including an overall increase in the usage of cards. Contactless payments now account for 30 per cent of total purchases compared to 16 per cent a year ago. It is not surprising that ingenious criminal minds are ramping up their activity in the card payment environment.

The message in Visa’s warning is that prevention is better than cure. If a suspected or confirmed data compromise occurs the PCI will compel the merchant to engage a PCI Forensic Investigator (PFI) at their own cost. If failure to protect the card environment is discovered, then fines are inevitable. In this instance the cost of mitigation together with the damage to a business’ reputation will be considerable.

Visa’s alert specifically mentions the recommendation to engage a Retained Forensics specialist to prevent a potential breach occurring in the first place. In today’s card processing environment, never has engaging a Retained Forensics team made better business sense.

This is where we come in. At SRM we are one of a handful of companies in the UK retained by the PCI to carry out PFI investigations. But we also offer a bespoke Retained Forensic service, which uses this expertise to proactively manage systems before an attack occurs. In this way, organisations can use our Data Forensic Investigations team to meet compliance requirements but also to build robust defences and test those strategies in a controlled manner, before the worst actually happens.

We do not recommend services or tools you do not need, preferring to use our extensive experience and understanding of the online retail world to set up a targeted plan of action and remediation which will keep your business compliant and as secure as it is possible to be. Given the persistence and resilience of cyber attackers there is a remote chance that a system might still be attacked. With a robust plan in place, however, remedial action will be swift, minimising financial and reputational damage. Demonstrating a proactive approach to protecting your customer’s data also puts you in a stronger position when dealing with acquiring banks or any other regulatory authorities.

Retained PCI Forensic Investigation (PFI) Service

Time running out for GDPR compliance

Time is running out for UK businesses. By 25th May 2018 every business, charity and organisation needs to be ready for the General Data Protection Regulation (GDPR). Because from that date, EU regulators will start enforcing compliance. Yet a recent survey found that only 11 per cent of companies said their preparations are ‘well underway’ while 61 per cent admitted they had not even started the task of GDPR implementation. There are just 300 days to go.

GDPR compliance requires commitment and action and with only ten months to go the pressure is on to take it very seriously indeed. An estimate by Gartner states that only 50 per cent of companies will be ready by the end of 2018, let alone May. With the power to impose much larger fines, GDPR needs to be taken very seriously indeed. To put it in context, the fines imposed on UK organisations by the Information Commissioner’s Office (ICO) last year totalled £880,500. Under GDPR those fines would be closer to £69 million.

So, why are British companies lagging behind? Perhaps some feel that the challenge and expense of embedding GDPR in their organisation is mitigated by the fact that only a few will be caught by regulators during the early bedding-in period. This may be true to an extent. We are unlikely to see thousands of cases being brought. But it is possible that EU regulators will go for shock and awe tactics in the first few months, imposing bold enforcement actions and large fines on a few transgressors to serve as a lesson to all. No one wants to be made an example of.

In the end, however, it is not fear of punishment but pressure from within that will push GDPR compliance forward. With processors, vendors, data controllers and suppliers all tied in to each other’s compliance, those that do not comply will be dropped in favour of those that do.

To support GDPR readiness, the ICO has produced a range of guidelines to help businesses with the implementation of GDPR. This includes  website pages dedicated to the data protection reform legislation, and an updated toolkit for SMEs that includes a checklist to help organisations in their GDPR preparations. The practical realities of assessing your existing level of readiness together with a targeted schedule of actions is best produced in partnership with a specialist information security consultant. In this way, you can prioritise and plan according to your organisation’s unique requirements.

SRM has a wide range of knowledge and practical experience. Our teams are GCHQ approved and GDPR practitioners, working with clients to build robust and cost-effective defences. Because hackers are ingenious and constantly changing their tactics, breaches can and do occur. However, with appropriate defences in place a business would be much better placed when it comes to an ICO investigation. Our consultants are ready to help you understand the risks to your information and to provide the strategic and practical guidance to manage that risk effectively.

GDPR – The General Data Protection Regulation

GDPR: the impatient tiger

 

What does GDPR mean to SMEs?

by Melanie Taylor, Information Security Consultant

“With less than a year to the deadline for compliance with the General Data Protection Regulation, all companies should have assessed what they need to do and should be working on that”. So says the Information Commissioner’s Office. Anyone wondering about their company’s preparedness should prioritise the appointment of a data protection officer (DPO) to ensure compliance from 25th May 2018.

When it comes to the appointment of a DPO there is no exemption for small to medium-sized enterprises (SMEs). In the final version of the GDPR, all organisations that carry out large-scale systematic monitoring of individuals, such as online behaviour tracking or large-scale processing of data, are required to appoint a DPO either in the form of an in-house employee or a contractor

While there is a general derogation for SMEs this only applies to record-keeping and processing activities, and does not apply if an organisation is processing personal data that could result in a risk to the rights and freedoms of an individual, or the processing of special categories of data or criminal convictions and offences.

In all companies good data governance is an issue which should be addressed at board level. It is not simply the task of the IT department to ensure compliance. Everyone in an SME needs to understand the importance of GDPR compliance; not least because it makes good business sense. Research by the ICO shows that 77 per cent of consumers are concerned about their personal data, 20 per cent would move their business elsewhere in direct response to a breach.

But for added leverage, it is worth pointing out the significantly larger fines that can be imposed for non-compliance under GDPR. It has been estimated that the ICO fines imposed after the implementation of GDPR in May 2018 will be 79 times higher than they were under the Data Protection Act.

The good news is that those companies that are already compliant with current UK data protection law will not have much to do to comply with the GDPR. But they will at least have to check that they are able to comply with what is new, such as the right to be forgotten, right to data portability and the new consent rules for processing

SMEs should also note that data breach notification is another important requirement to be introduced by the GDPR. Organisations need to ensure they have the procedures in place to detect, investigate and report personal data breaches. In fact, failure to report a personal data breach within 72 hours of identifying it will result in a fine as well as the breach itself.

SRM has operated in the data security environment for many years. With a wide range of knowledge and practical experience, our consultants are ready to help you understand the risks to your information and manage them effectively. Our specialist team provides a full portfolio of services which include data protection. We can assist companies to be in a more ready state for GDPR compliance when it comes into effect next year.

GDPR – The General Data Protection Regulation

Phishing and GDPR compliance

Not all publicity is good, especially when it comes to data breaches

While most businesses are pleased to receive free publicity, spare a thought for Berkshire-based Boomerang Videos. Not only did the firm’s website suffer a cyber attack in 2014, but last month they were the subject of an Information Commissioner’s Office (ICO) press release following its investigation into the attack. The ICO’s release cited the £60,000 fine they had imposed on Boomerang as well as providing details of the company’s failure to protect its 26,331 customers. Now we are all aware of the significant gaps in the company’s defences. The long term impact on the firm’s reputation can only be guessed.

The ICO’s investigation found:

  • Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors;
  • The firm failed to ensure the password for the account on the WordPress section of its website was sufficiently complex;
  • Boomerang Video had some information stored unencrypted and that which was encrypted could be accessed because it failed to keep the decryption key secure;
  • Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary.

Sally Anne Poole, ICO enforcement manager said: ‘Regardless of your size, if you are a business that handles personal information then data protection laws apply to you. If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.’

So what can be done to prevent such damage to a company’s reputation and its bottom line? The ICO has produced a range of guidelines to help businesses with the implementation of GDPR. This includes website pages dedicated to the data protection reform legislation, and an updated toolkit for SMEs that includes a checklist to help organisations in their GDPR preparations.

There are also a number of standards which can provide guidelines for good practice, including Cyber Essentials and PCI compliance but a discussion with an experienced information security professional is an even better start. As we get ever closer to GDPR’s enactment next May (yes just 285 days away), every business that has any level of customer data needs to go even further in developing its cyber defences. Simple adherence to existing standards does not go far enough.

SRM has a wide range of knowledge and practical experience. Our teams are GDPR trained by GCHQ and work with clients to build robust and cost-effective defences. Because hackers are ingenious and constantly changing their tactics, breaches can and do occur, however, but with appropriate defences in place a business would be much better placed when it comes to an ICO investigation. Our consultants are ready to help you understand the risks to your information and to provide the strategic and practical guidance to manage that risk effectively.

GDPR – The General Data Protection Regulation

The new Data Protection Bill and GDPR

Phishing and GDPR compliance

No breach too small – the ICO takes action against charities

The new Data Protection Bill and GDPR

It’s official. It was widely expected that the EU data protection rules contained within the General Data Protection Regulation (GDPR) would be implemented by the UK, regardless of the exact status of our relationship with Europe on 25th May 2018. In the Queen’s Speech, on the 21st June 2017, the government confirmed that this will be the case, to help the UK maintain ‘its ability to share data with other EU member states and internationally after we leave the EU’.

In addition, a new Data Protection Bill will also be introduced to parliament, reflecting the plans outlined in the Queen’s Speech and helping to ease the way through the Brexit negotiations and into the future. The new bill, replacing the Data Protection Act 1998, together with the adoption of the GDPR, will enable the UK to retain its ‘world class’ data protection regime.

Regardless of Brexit, the 1998 DPA needed an overhaul. Technology has moved on and the attitude towards secure data handling has also changed, especially in the recent light of the Wannacry and Petya incidents. Alongside the government’s general aim to ensure data protection rules are ‘suitable for a digital age’ will come some more specific requirements which will have legal authority and the potential for punitive action if they are not complied with.

Exactly what those requirements will be are not fully clear but they will include the ‘empowering [of] individuals to have more control over their personal data’ and the ‘right to be forgotten’ if they no longer want a company to process their data.

The announcement is what many companies have been waiting for to accelerate their GDPR compliance programme. With less than ten months before it becomes law, however, acceleration (and rapid acceleration at that) will be necessary for those who have not yet started the process. Those who already have a robust information security strategy in place will not find the adjustment too onerous. Every business, from SME to large corporate will need to ensure that they will comply because the GDPR has sharp teeth.

At the moment the Information Commissioner’s Office (ICO) can apply fines of up to £500,000 for contraventions of the Data Protection Act 1998. Once GDPR becomes effective, there will be a two-tier sanction regime with the most serious violations resulting in fines of up to 20 million Euros or 4 per cent of turnover.

It has been estimated that ICO fines would be 79 times higher under GDPR. That would mean a fine like Talk Talk received for £400,000 would be around £59 million once the GDPR had been adopted. It is also worth noting that under GDPR any third parties which process data on someone’s behalf will be just as accountable as the data processor.

SRM’s specialist consultants have the experience and expertise to manage all elements of information security from employee training to forensic investigations; from penetration testing to preparing for GDPR compliance. To discuss any aspect of information security please contact us.

SRM Blog

SRM Blog