Posts by: Julia Wailes-Fairbairn

What does GDPR mean to SMEs?

by Melanie Taylor, Information Security Consultant

“With less than a year to the deadline for compliance with the General Data Protection Regulation, all companies should have assessed what they need to do and should be working on that”. So says the Information Commissioner’s Office. Anyone wondering about their company’s preparedness should prioritise the appointment of a data protection officer (DPO) to ensure compliance from 25th May 2018.

When it comes to the appointment of a DPO there is no exemption for small to medium-sized enterprises (SMEs). In the final version of the GDPR, all organisations that carry out large-scale systematic monitoring of individuals, such as online behaviour tracking or large-scale processing of data, are required to appoint a DPO either in the form of an in-house employee or a contractor

While there is a general derogation for SMEs this only applies to record-keeping and processing activities, and does not apply if an organisation is processing personal data that could result in a risk to the rights and freedoms of an individual, or the processing of special categories of data or criminal convictions and offences.

In all companies good data governance is an issue which should be addressed at board level. It is not simply the task of the IT department to ensure compliance. Everyone in an SME needs to understand the importance of GDPR compliance; not least because it makes good business sense. Research by the ICO shows that 77 per cent of consumers are concerned about their personal data, 20 per cent would move their business elsewhere in direct response to a breach.

But for added leverage, it is worth pointing out the significantly larger fines that can be imposed for non-compliance under GDPR. It has been estimated that the ICO fines imposed after the implementation of GDPR in May 2018 will be 79 times higher than they were under the Data Protection Act.

The good news is that those companies that are already compliant with current UK data protection law will not have much to do to comply with the GDPR. But they will at least have to check that they are able to comply with what is new, such as the right to be forgotten, right to data portability and the new consent rules for processing

SMEs should also note that data breach notification is another important requirement to be introduced by the GDPR. Organisations need to ensure they have the procedures in place to detect, investigate and report personal data breaches. In fact, failure to report a personal data breach within 72 hours of identifying it will result in a fine as well as the breach itself.

SRM has operated in the data security environment for many years. With a wide range of knowledge and practical experience, our consultants are ready to help you understand the risks to your information and manage them effectively. Our specialist team provides a full portfolio of services which include data protection. We can assist companies to be in a more ready state for GDPR compliance when it comes into effect next year.

GDPR – The General Data Protection Regulation

Phishing and GDPR compliance

Not all publicity is good, especially when it comes to data breaches

While most businesses are pleased to receive free publicity, spare a thought for Berkshire-based Boomerang Videos. Not only did the firm’s website suffer a cyber attack in 2014, but last month they were the subject of an Information Commissioner’s Office (ICO) press release following its investigation into the attack. The ICO’s release cited the £60,000 fine they had imposed on Boomerang as well as providing details of the company’s failure to protect its 26,331 customers. Now we are all aware of the significant gaps in the company’s defences. The long term impact on the firm’s reputation can only be guessed.

The ICO’s investigation found:

  • Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors;
  • The firm failed to ensure the password for the account on the WordPress section of its website was sufficiently complex;
  • Boomerang Video had some information stored unencrypted and that which was encrypted could be accessed because it failed to keep the decryption key secure;
  • Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary.

Sally Anne Poole, ICO enforcement manager said: ‘Regardless of your size, if you are a business that handles personal information then data protection laws apply to you. If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.’

So what can be done to prevent such damage to a company’s reputation and its bottom line? The ICO has produced a range of guidelines to help businesses with the implementation of GDPR. This includes website pages dedicated to the data protection reform legislation, and an updated toolkit for SMEs that includes a checklist to help organisations in their GDPR preparations.

There are also a number of standards which can provide guidelines for good practice, including Cyber Essentials and PCI compliance but a discussion with an experienced information security professional is an even better start. As we get ever closer to GDPR’s enactment next May (yes just 285 days away), every business that has any level of customer data needs to go even further in developing its cyber defences. Simple adherence to existing standards does not go far enough.

SRM has a wide range of knowledge and practical experience. Our teams are GDPR trained by GCHQ and work with clients to build robust and cost-effective defences. Because hackers are ingenious and constantly changing their tactics, breaches can and do occur, however, but with appropriate defences in place a business would be much better placed when it comes to an ICO investigation. Our consultants are ready to help you understand the risks to your information and to provide the strategic and practical guidance to manage that risk effectively.

GDPR – The General Data Protection Regulation

The new Data Protection Bill and GDPR

Phishing and GDPR compliance

No breach too small – the ICO takes action against charities

The new Data Protection Bill and GDPR

It’s official. It was widely expected that the EU data protection rules contained within the General Data Protection Regulation (GDPR) would be implemented by the UK, regardless of the exact status of our relationship with Europe on 25th May 2018. In the Queen’s Speech, on the 21st June 2017, the government confirmed that this will be the case, to help the UK maintain ‘its ability to share data with other EU member states and internationally after we leave the EU’.

In addition, a new Data Protection Bill will also be introduced to parliament, reflecting the plans outlined in the Queen’s Speech and helping to ease the way through the Brexit negotiations and into the future. The new bill, replacing the Data Protection Act 1998, together with the adoption of the GDPR, will enable the UK to retain its ‘world class’ data protection regime.

Regardless of Brexit, the 1998 DPA needed an overhaul. Technology has moved on and the attitude towards secure data handling has also changed, especially in the recent light of the Wannacry and Petya incidents. Alongside the government’s general aim to ensure data protection rules are ‘suitable for a digital age’ will come some more specific requirements which will have legal authority and the potential for punitive action if they are not complied with.

Exactly what those requirements will be are not fully clear but they will include the ‘empowering [of] individuals to have more control over their personal data’ and the ‘right to be forgotten’ if they no longer want a company to process their data.

The announcement is what many companies have been waiting for to accelerate their GDPR compliance programme. With less than ten months before it becomes law, however, acceleration (and rapid acceleration at that) will be necessary for those who have not yet started the process. Those who already have a robust information security strategy in place will not find the adjustment too onerous. Every business, from SME to large corporate will need to ensure that they will comply because the GDPR has sharp teeth.

At the moment the Information Commissioner’s Office (ICO) can apply fines of up to £500,000 for contraventions of the Data Protection Act 1998. Once GDPR becomes effective, there will be a two-tier sanction regime with the most serious violations resulting in fines of up to 20 million Euros or 4 per cent of turnover.

It has been estimated that ICO fines would be 79 times higher under GDPR. That would mean a fine like Talk Talk received for £400,000 would be around £59 million once the GDPR had been adopted. It is also worth noting that under GDPR any third parties which process data on someone’s behalf will be just as accountable as the data processor.

SRM’s specialist consultants have the experience and expertise to manage all elements of information security from employee training to forensic investigations; from penetration testing to preparing for GDPR compliance. To discuss any aspect of information security please contact us.

Phishing and GDPR compliance

By Paul Brennecker, Principal Consultant, CISM | PCI QSA | PCI PFI | PCIP

There is a saying that a chain is only as strong as its weakest link. This, unfortunately, is true. When a company manages and handles sensitive customer data it does not matter how robust the security measures if one unsuspecting employee inadvertently opens up the system to hackers. Yet the danger this presents is sometimes underestimated.

Failure to protect customer data adequately already results in serious sanctions and fines under the current Data Protection Act (DPA) legislation. In 2016 twenty-one fines were levied in the UK totalling £2.1 million. When the General Data Protection Regulation (GDPR) comes into effect next May, however, things will become even tougher. With a theoretical maximum fine of up to £500,000 or 4 per cent of global turnover, these sanctions alone have the potential to bring a company down.

A common data security breach is through what is known as phishing. Defined as an attempt to obtain sensitive information such as usernames, passwords, and credit card details for malicious reasons, by disguising as a trustworthy entity in an electronic (or telephone) communication. They mislead unsuspecting individuals into giving hackers a foothold in a corporate system.

Typically, they will appear to come from a popular, well-known or reputable-sounding company. Microsoft, LInkedin and Google Drive have been subject to their names being hijacked for fraudulent purposes. Then the cybercriminal will set out a fictitious issue with a user account, threaten that action will be taken if it is not remedied and provide a link to click. At first glance the corporate branding, email address and link will look genuine. This type of phishing email is indiscriminate in its approach and is out to catch any unwary soul who takes the bait.

A more worrying trend is the ‘Spear Phishing’ attack, where a specific individual or number of individuals is targeted within an organisation. These people are often in positions where they will have access to company sensitive information or records, such as the finance or marketing teams. With a little research, the source of the spear phishing attack can ascertain the name of a senior member of staff within the company and trick the recipients into believing it has originated from the boss. These emails will be positioned to members of the team further down the chain in order to gain further information or even to directly ask for payments to be made. Once you understand the anatomy of a spear phishing attack, you can see why having an organisational chart and email book becomes invaluable data to the attacked. This may have been gathered as part of the initial phishing attack, through the use of malware injected onto email or active directory servers.

So – If an unsolicited email of any type appears, it should not be opened. If it is, it is worth checking the spelling and grammar. Unlike professional companies who use copy editors to check their content, cybercriminals are not known for written English. Links should also be checked.  By hovering a mouse over the link (while not clicking through) an entirely different web address may appear. All requests which lead to requests for sensitive account information should be treated as phishing attempts. Genuine companies never request password or bank account information online. Yet, if an employee has got to this stage it is likely that a malicious attack will already be underway.

Training staff how to recognise and deal with suspicious emails is just one element of a robust information security plan. SRM’s specialist consultants have the experience and expertise to manage all elements of information security from employee training to forensic investigations; from penetration testing to preparing for GDPR compliance. To discuss any aspect of information security please contact us.

No breach too small – the ICO takes action against charities

In December 2016 the Information Commissioner’s Office (ICO) fined a historical society £400 after a laptop containing personal data was stolen while a member of staff was working away from the office. The data was not encrypted and contained details of donors and the artefacts they had gifted. The ICO investigation found ‘the organisation had no policies or procedures around homeworking, encryption and mobile devices which resulted in a breach of data protection law’. So, it is not just big business that needs to comply with data protection law. It applies to everyone, regardless of size or motive. In fact, some well-loved charities ran into trouble with the ICO this year.

In April 2017 an ICO report revealed that thirteen charities have been fined for non-compliance. The ICO is the independent authority set up to ‘uphold information rights in the public interest’. They have the power to take action when data rules are breached, regardless of scale.

Between 2015 and 2017 the ICO carried out an investigation into the practices of charity fundraising. The thirteen charities which were fined included Battersea Dogs’ and Cats’ Home, Cancer Research UK, Great Ormond Street Hospital, Macmillan Cancer Support, Oxfam, NSPCC, The Royal British Legion and Guide Dogs for the Blind Association. Fines ranged from £6,000 – £18,000 depending on the non-compliance identified. The breaches fell into three distinct areas:

Finding information about you, that you didn’t provide. The ICO asserts that the individual has the right to choose what personal information is provided. The practice of using external companies to find missing information or update out of date information is not permitted. Battersea Dogs’ Home received a £9,000 for using this approach in 740,181 cases between 2011 and 2015.

Sharing your details with other charities, no matter what the cause. It is common for some charities to exchange donor information. The practice of sharing donor information is not illegal but using an external organisation and not knowing with which other charities it is being shared is. Cancer Support UK was fined £16,000 for failing to follow data protection rules.

Ranking based on wealth. Some charities profile their donors based on wealth. External companies can also identify donors they believe charities should target because they are most likely to leave money in their wills. It is called legacy profiling. The Guide Dogs for the Blind Association was fined £15,000 for this and for sourcing information they did not have permission to access.

The important message is that it does not matter what size the organisation or whatever its status, the same rules apply. It is also worth noting that the rules regarding personal data will become significantly stricter when the General Data Protection Regulation (GDPR) becomes UK law in May 2018. To find out about your obligations and how to comply, including protecting personal information, see the ICO’s Data Protection Self Assessment Toolkit.