Posts by: SRM

Promoting and Protecting your Identity

How much control is too much when it comes to social media?

Organisations spend millions on marketing campaigns in the hope and expectation of raising brand awareness and increasing publicity. However, one seemingly innocuous tweet sent by an employee has the potential to give an organisation all the publicity and attention it could ever want, just with the spotlight pointed at the wrong place.

Managing employee use of social media is a growing concern for organisations worldwide. Many social media platforms give users the option of stating where they work. If an employee decides to share this information, their behaviour can be taken as a reflection of their employer. It offers outsiders an insight into what kind of people the organisation hires and what it finds acceptable, and therefore into its values and culture. In effect, this gives employees the leverage to make or break a brand's image. The point applies whether or not the organisation itself has a social media presence: its employees create one for it through their own online activity.

In 2013, a single tweet ended Justine Sacco's career as Communications Director of the New York-based internet group IAC. She posted it before boarding an 11-hour flight to South Africa; by the time she landed it had been retweeted more than 2,000 times and she had become an internet phenomenon without knowing it. IAC subsequently fired her in order to protect its own brand image.

Sacco's story is an extreme case, but the incident has become a byword for the need to be cautious about what you post on social media. Far less dramatic posts can still do a lot of damage to an organisation's brand. Complaining about working conditions can deter future applicants; posting sensitive information can harm the company strategically; and general online behaviour can reflect badly on the company's culture.

Many social media users are now keen to state that "all views are my own". A disclaimer of this kind will not prevent your employer from firing you if you say something that reflects badly on it, and it will not stop other people from associating your views with your employer.

Social media policies are being introduced throughout organisations large and small, and we’ve listed a few things to consider when creating these policies:

  • Creating a safe space for employees to raise concerns goes a long way. Giving staff an internal outlet for grievances reduces the chance that they will air them online.
  • It is worth defining what the organisation considers confidential or sensitive information. Assuming that all employees will simply know is a dangerous assumption to make.
  • It is also worth addressing illegal online activity. Warn employees against engaging in it, and remind them to respect others' copyright and trademarks when online, for both personal and professional purposes.

If the UK votes to leave the EU, will we still have to comply with GDPR?

The 23rd June referendum is fast approaching and it is getting increasingly difficult to get simple answers to simple questions. As we think about how we will vote, one of the things to consider is the raft of regulations and directives in the EU pipeline that could have a significant effect on us in the UK. The most high profile on the cyber security agenda is the General Data Protection Regulation (GDPR). It is due to come into effect on 25th May 2018, when it will become law across all 28 member states without the need for each state to pass local legislation. But will we still be bound by GDPR if we leave the European Union?

Most businesses are looking for a simple answer. Yes or No. If Britain votes to remain in the EU then it’s very simple indeed: the GDPR will become law in the UK as well as all other member states and we will have to comply.

But what happens if Britain votes for Brexit and leaves the EU? Will we then be able to ignore the regulation and simply carry on under the Data Protection Act 1998? The answer to this is equally simple: no. Because GDPR applies to any organisation, wherever it is based, that processes the personal data of people in the EU, it will affect virtually every UK business regardless of the outcome of the referendum. For the vast majority of us there is simply no avoiding it: we will need to get into a position of compliance.

When it comes to GDPR, it is not where the data is held that matters but whom the data is about. If the data relates to individuals in the EU, the organisation processing it has to comply with the regulation no matter where in the world it operates.

So the fundamental questions all organisations need to ask are:

  • Do we do business with anyone in the EU?
  • Do we store or process any personal data as part of that?
  • Do we employ anyone based in the EU?

If the answer to any of these questions is yes then it’s a yes to GDPR compliance. But even if the answer is no, there are some additional political factors to take into account which make GDPR compliance unavoidable. Consider the following scenarios:

The first scenario is that the Brexit process takes several years to complete, meaning that on 25th May 2018 the UK is still a member state, the GDPR takes effect as UK law and every organisation has to comply regardless. This only changes if the Government subsequently passes legislation repealing the GDPR and creating a UK-specific data protection law.

In the second scenario, the process of separation is swifter than expected and we effectively leave the EU before 25th May 2018. In this case the GDPR will probably not become UK law automatically, but other factors come into play, chiefly whether the UK remains a member of the European Economic Area (EEA). If it does, compliance with GDPR is mandatory, because the EEA Agreement requires EEA states to adopt EU single-market legislation of this kind.

Even if we choose not to remain part of the EEA, transfers of personal data from the EU to the UK will only be permitted freely if the European Commission deems the UK to have adequate data protection in place. This is known as an adequacy decision, and a country that has one is sometimes described as a "safe third country". If the UK is not deemed adequate, any UK organisation processing the personal data of people in the EU will need to examine how it operates to ensure it complies with EU law. Which means we are back to GDPR.

So the answer is simple. Whatever the outcome on 23rd June 2016, UK organisations need to ensure they are prepared and in a position to comply with the GDPR. Professional advice will help you do this in the most cost-effective and efficient way possible.

The Unreliability of Technology

"Technology is so unreliable" is a phrase you often hear after something has gone wrong at a critical moment. One of the greatest misconceptions is that our day-to-day devices are designed to be reliable. Because of this misconception, organisations are often strategically unprepared when breaches and system failures occur, despite considerable investment in sophisticated IT departments. If senior management took the time to understand the foundations of the platforms their businesses are built on, they would understand that it is almost impossible for technology to be completely reliable.

A look at the history of the Internet shows that it was not built with business in mind. It was a solution for researchers who wanted a cheap, fast and easy way to communicate and share data. Like many developers, they worked to solve their own problem and did not think about what else might be done with their achievement. They could never have imagined that ordinary businesses and consumers would rely on it every day, let alone that it would become critical to the competitiveness of some of the most powerful organisations in the world. We are often so dazzled by the benefits the Internet offers that we forget it was not designed for what we use it for today. It was not built with security or privacy in mind, and that design legacy is the root of many of the threats we face.

Simply put, the Internet is a network of connected computers. If we accept that a chain is only as strong as its weakest link, then we must accept that the Internet can never be completely safe. It connects powerful, up-to-date and well-secured computers with poorly managed, outdated and insecure ones, and attackers go in through the weakest link. Tyler the intern, who brings his own laptop to work, doesn't think it is a big deal to put off that security update for a couple more days. What he doesn't realise is that he has left the door wide open: most exploits seen in the wild target vulnerabilities for which a patch already exists.

No matter how much time and resource you dedicate to cyber security, your organisation's security is only as strong as Tyler's laptop. And if you don't allow home devices on the network and think this gets you off the hook, think again.

Attackers target the points where data moves between components, whether between two programs, between software and the hardware it runs on, or between one machine and another, so both hardware and software need to be managed well. The hardware you use for day-to-day operations is not always built for safety or reliability.

Many hardware companies aim to build cheap, quick and profitable products, and once a new model is introduced some decide that the leftover bugs in the old one are not worth any more investment and move on. Old, unsupported hardware is therefore a standing threat to your organisation.

It is no longer a matter of if a breach will occur, but when. It is important not only to protect yourselves now, but also to protect your ability to keep protecting yourselves: to detect, respond and recover when something does get through.

Cyber Security Accountability Does Pay

Cybercrime in 2015 was nothing short of epic. No one could have anticipated headline news stories such as the fallout from the Sony Pictures Entertainment hack, attributed to a group allegedly sponsored by North Korea; a 15-year-old among those arrested over the TalkTalk hack; and an FBI agent's advice on ransomware: just pay the ransom!

So what can we expect in 2016?

Expect the typical cyber-criminal to be sophisticated, intelligent and aggressively innovative. They are well informed and constantly adapt, which makes them incredibly hard to track and control.

Expect organisations, not individuals, to be the targets of organised cyber-crime. Cyber-criminals are now seeking million-dollar paydays, and stolen funds can be expected to be converted into crypto-currencies such as Bitcoin.

Expect more social engineering and data-integrity attacks. These begin as intrusions whose purpose is to gather information, arming the attacker with the details needed to launch a larger and sustained attack later. They can go unnoticed for a long time, and their effect is to cause the wrong decisions to be made: for example, an attacker who has read a company's email and quietly altered a supplier's bank details can have invoices paid into an account they control.

Expect more malware attacks on portable devices such as mobile phones and tablets. Malicious apps are being sold on the Dark Web that mimic the graphical user interface of banking, eCommerce and other popular apps, with the intention of tricking the user into entering their card details.

Expect more ransomware attacks. The United States has seen a huge increase in ransomware in the last 12 months, and the numbers only look set to rise. The Cryptolocker gang grossed over $30 million with a very simple attack within just 100 days, with approximately 40% of Cryptolocker victims ending up paying the ransom. Unlike many other ransomware gangs, Cryptolocker's operators followed through on their threat: once the deadline passed, the key needed to decrypt your files was destroyed, and your customer details, financial plans and other important documents were gone for good. Also unlike many other gangs, if you did pay they restored your files within 48 hours.

The number of Dark Web users is also expected to increase, bringing an increased volume of crime with it. Because the free, specialist browser used to reach the Dark Web lets users mask their location, the chance of being caught buying or selling criminal services there is very low.

After all the news in 2015, what are organisations now doing differently?

Well according to recent reports, not much.

A recent study of 1,530 non-executive directors, C-level executives, Chief Information Officers and Chief Information Security Officers from organisations across the United States, United Kingdom, Germany, Japan, Denmark, Norway, Sweden and Finland found that:

  • 91% of organisations with a high level of vulnerability had board members who could not interpret a cyber security report;
  • only 10% of organisations with a high level of vulnerability are regularly updated with information about the types of cyber threat pertinent to their organisation;
  • only 9% of organisations with a high level of vulnerability have their systems regularly updated in response to new cyber threats.

Events in 2015 have made it very apparent that cyber security should be a board-level concern. It threatens both the financial capital and the integrity of companies, so it is worrying that the C-suite plays such a small part in decision making about it. Hackers are only getting bolder, embarking on harsher attacks, some of them unrecoverable. For companies that continue to overlook the importance of cyber security, the risk is getting bigger and the consequences less forgiving.

The Digital Economy

Decentralised cryptocurrencies and Dark Web cartels challenge the effectiveness of legislation, jurisdiction and law enforcement. This raises the question: as the economy becomes more and more dependent on the internet, is the government losing control?

I’ll leave you to make that decision.

The government uses laws and regulation to control and protect economic activity. But what is the significance of the Proceeds of Crime Act 2002 when stolen funds are converted into Bitcoin, a decentralised currency that no government controls? What is the significance of international extradition agreements when the Dark Web conceals the location of the criminals?

Untraceable. Unrecoverable. Unidentifiable. These are terms that businesses which neglect cyber security should get used to. They are the consequences of negligence in a constantly changing landscape.

Arguably, better intelligence could help in finding criminals and bringing them to justice, as we have seen in many other high-profile cybercrime cases. But when police budgets are being cut, what is the likelihood that petty cybercriminals will be caught with resources so limited? As traffic to the Dark Web increases thanks to its exposure in the media and on primetime television, that pressure is only likely to grow.

Furthermore, perpetrators are not limited by national borders. The UK has one of the strongest digital economies in the world, accounting for more than 25% of its GDP. Naturally, all this activity makes it a prime target for cyber criminals around the world. We would normally depend on our government to take the necessary steps to protect our economy, but the freedoms the internet provides make this far more difficult. Being aware of the threats therefore benefits not only you, but the entire digital economy.

The internet has transformed the way we do business. The playing field is full of opportunity, but it is more dynamic, volatile and uncertain than ever before, and it is starting to play a big role in economies around the world. Whether that worries you or not depends on whether you are prepared!

SRM Blog