What does GDPR mean to SMEs?

by Melanie Taylor, Information Security Consultant

“With less than a year to the deadline for compliance with the General Data Protection Regulation, all companies should have assessed what they need to do and should be working on that”. So says the Information Commissioner’s Office. Anyone wondering about their company’s preparedness should prioritise the appointment of a data protection officer (DPO) to ensure compliance from 25th May 2018.

When it comes to the appointment of a DPO there is no exemption for small to medium-sized enterprises (SMEs). In the final version of the GDPR, all organisations that carry out large-scale systematic monitoring of individuals, such as online behaviour tracking or large-scale processing of data, are required to appoint a DPO, either in the form of an in-house employee or a contractor.

While there is a general derogation for SMEs this only applies to record-keeping and processing activities, and does not apply if an organisation is processing personal data that could result in a risk to the rights and freedoms of an individual, or the processing of special categories of data or criminal convictions and offences.

In all companies good data governance is an issue which should be addressed at board level. It is not simply the task of the IT department to ensure compliance. Everyone in an SME needs to understand the importance of GDPR compliance, not least because it makes good business sense. Research by the ICO shows that 77 per cent of consumers are concerned about their personal data, and 20 per cent would move their business elsewhere in direct response to a breach.

But for added leverage, it is worth pointing out the significantly larger fines that can be imposed for non-compliance under GDPR. It has been estimated that the ICO fines imposed after the implementation of GDPR in May 2018 will be 79 times higher than they were under the Data Protection Act.

The good news is that those companies that are already compliant with current UK data protection law will not have much to do to comply with the GDPR. But they will at least have to check that they are able to comply with what is new, such as the right to be forgotten, the right to data portability and the new consent rules for processing.

SMEs should also note that data breach notification is another important requirement to be introduced by the GDPR. Organisations need to ensure they have the procedures in place to detect, investigate and report personal data breaches. In fact, failure to report a personal data breach within 72 hours of identifying it will result in a fine as well as the breach itself.

SRM has operated in the data security environment for many years. With a wide range of knowledge and practical experience, our consultants are ready to help you understand the risks to your information and manage them effectively. Our specialist team provides a full portfolio of services which include data protection. We can assist companies to be in a more ready state for GDPR compliance when it comes into effect next year.

Not all publicity is good, especially when it comes to data breaches

While most businesses are pleased to receive free publicity, spare a thought for Berkshire-based Boomerang Video. Not only did the firm’s website suffer a cyber attack in 2014, but last month they were the subject of an Information Commissioner’s Office (ICO) press release following its investigation into the attack. The ICO’s release cited the £60,000 fine it had imposed on Boomerang as well as providing details of the company’s failure to protect its 26,331 customers. Now we are all aware of the significant gaps in the company’s defences. The long-term impact on the firm’s reputation can only be guessed.

The ICO’s investigation found:

  • Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors;
  • The firm failed to ensure the password for the account on the WordPress section of its website was sufficiently complex;
  • Boomerang Video had some information stored unencrypted and that which was encrypted could be accessed because it failed to keep the decryption key secure;
  • Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary.

Sally Anne Poole, ICO enforcement manager said: ‘Regardless of your size, if you are a business that handles personal information then data protection laws apply to you. If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.’

So what can be done to prevent such damage to a company’s reputation and its bottom line? The ICO has produced a range of guidelines to help businesses with the implementation of GDPR. This includes website pages dedicated to the data protection reform legislation, and an updated toolkit for SMEs that includes a checklist to help organisations in their GDPR preparations.

There are also a number of standards which can provide guidelines for good practice, including Cyber Essentials and PCI compliance, but a discussion with an experienced information security professional is an even better start. As we get ever closer to GDPR’s enactment next May (yes, just 285 days away), every business that holds any level of customer data needs to go even further in developing its cyber defences. Simple adherence to existing standards does not go far enough.

SRM has a wide range of knowledge and practical experience. Our teams are GDPR trained by GCHQ and work with clients to build robust and cost-effective defences. Because hackers are ingenious and constantly change their tactics, breaches can and do occur; with appropriate defences in place, however, a business would be much better placed when it comes to an ICO investigation. Our consultants are ready to help you understand the risks to your information and to provide the strategic and practical guidance to manage that risk effectively.

The new Data Protection Bill and GDPR

It’s official. It was widely expected that the EU data protection rules contained within the General Data Protection Regulation (GDPR) would be implemented by the UK, regardless of the exact status of our relationship with Europe on 25th May 2018. In the Queen’s Speech, on the 21st June 2017, the government confirmed that this will be the case, to help the UK maintain ‘its ability to share data with other EU member states and internationally after we leave the EU’.

In addition, a new Data Protection Bill will also be introduced to parliament, reflecting the plans outlined in the Queen’s Speech and helping to ease the way through the Brexit negotiations and into the future. The new bill, replacing the Data Protection Act 1998, together with the adoption of the GDPR, will enable the UK to retain its ‘world class’ data protection regime.

Regardless of Brexit, the 1998 DPA needed an overhaul. Technology has moved on and the attitude towards secure data handling has also changed, especially in the recent light of the Wannacry and Petya incidents. Alongside the government’s general aim to ensure data protection rules are ‘suitable for a digital age’ will come some more specific requirements which will have legal authority and the potential for punitive action if they are not complied with.

Exactly what those requirements will be is not fully clear, but they will include the ‘empowering [of] individuals to have more control over their personal data’ and the ‘right to be forgotten’ if they no longer want a company to process their data.

The announcement is what many companies have been waiting for to accelerate their GDPR compliance programme. With less than ten months before it becomes law, however, acceleration (and rapid acceleration at that) will be necessary for those who have not yet started the process. Those who already have a robust information security strategy in place will not find the adjustment too onerous. Every business, from SME to large corporate, will need to ensure that it complies, because the GDPR has sharp teeth.

At the moment the Information Commissioner’s Office (ICO) can apply fines of up to £500,000 for contraventions of the Data Protection Act 1998. Once GDPR becomes effective, there will be a two-tier sanction regime with the most serious violations resulting in fines of up to 20 million Euros or 4 per cent of turnover.

It has been estimated that ICO fines would be 79 times higher under GDPR. That would mean a fine like Talk Talk received for £400,000 would be around £59 million once the GDPR had been adopted. It is also worth noting that under GDPR any third parties which process data on someone’s behalf will be just as accountable as the data processor.

SRM’s specialist consultants have the experience and expertise to manage all elements of information security from employee training to forensic investigations; from penetration testing to preparing for GDPR compliance. To discuss any aspect of information security please contact us.

NotPetya – does society need to start thinking differently?

Talking to a well-respected and hitherto successful businessman at an event recently, he mentioned the NotPetya malware attack and then dismissed it as “another one of these spotty teenagers misbehaving – something I leave to my technical boys”. It was very clear from his comments that his perception of cyber risk is that it is, at most, peripheral. I will not identify his business out of courtesy, but I would have said he is likely to be a pretty high value target, and is probably custodian of a huge amount of valuable information belonging to third parties.

One of the most striking things about the recent series of global cyber attacks is what appears to be a subtle shift in motivation for some of these events. Whilst the analysis continues and our understanding will continue to develop, there is a clear shift in some of these attacks from cyber banditry to strategic attack. Whilst this is not necessarily a new phenomenon, it is now something that should be understood as mainstream operational risk by those running organisations.

Even if we set aside many of the practical and technical implications (which are widely covered elsewhere), the moment we become part of a strategic target, valuable for our collective value, rather than as an individual target, valuable for our own intrinsic value, then we can expect to see a very different attack tempo. Where attacks are motivated by anarchy rather than theft, the rules change significantly. When the rules change, our response may need to change too.

This shift is analogous to the evolution of the doctrine of asymmetric warfare over the past two decades, where it has become clear that the fundamental differentiator is not the way that protagonists behave, but the fundamental value set and drivers that shape their strategy, behaviours and decisions. If, for example, our security strategy is based on the assumption that we can remain safe by creating conditions which are too unsafe for a potential attacker, we become vulnerable to attackers who either care little for safety, or perhaps define it differently to us. This, of course, is the paradigm that underpins suicide bombing as an attack strategy in the physical space.

Where does this leave us?

As individuals and organisations, we need to think a little about those who might seek to compromise us and what drives them. It is no longer viable to dismiss these attackers as vandals or people who simply behave badly; just as it is no longer sensible to repeatedly hit the “update later” button when our machines ask us whether we would like to update them. Senior decision makers dismiss cyber security as something purely for the technicians to manage at their peril.

Wherever we sit in society or in the workplace, we all need to make a little effort to understand a little about the digital environment and how to stay safe in it. Specifically, we need to think a little about those who may be using this environment to exploit us or do us harm. Whether we read e-books, tablets, hardbacks or red tops – there is material out there to suit most tastes. If that fails there are increasing numbers of people and companies who are able to advise.

Whilst we are not all expected to be experts, we should all have an informed view that is consistent with our role!

The environment we live and survive in is changing, and we either embrace that changing environment, and take responsibility for our own safety, or we should expect to be exploited as a commodity.

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

Phishing and GDPR compliance

By Paul Brennecker, Principal Consultant, CISM | PCI QSA | PCI PFI | PCIP

There is a saying that a chain is only as strong as its weakest link. This, unfortunately, is true. When a company manages and handles sensitive customer data, it does not matter how robust the security measures are if one unsuspecting employee inadvertently opens up the system to hackers. Yet the danger this presents is sometimes underestimated.

Failure to protect customer data adequately already results in serious sanctions and fines under the current Data Protection Act (DPA) legislation. In 2016 twenty-one fines were levied in the UK totalling £2.1 million. When the General Data Protection Regulation (GDPR) comes into effect next May, however, things will become even tougher. With a theoretical maximum fine of up to £500,000 or 4 per cent of global turnover, these sanctions alone have the potential to bring a company down.

A common route to a data security breach is what is known as phishing. Phishing is defined as an attempt to obtain sensitive information such as usernames, passwords and credit card details for malicious reasons, by disguising as a trustworthy entity in an electronic (or telephone) communication. Phishing messages mislead unsuspecting individuals into giving hackers a foothold in a corporate system.

Typically, they will appear to come from a popular, well-known or reputable-sounding company. Microsoft, LinkedIn and Google Drive have all had their names hijacked for fraudulent purposes. The cybercriminal will then set out a fictitious issue with a user account, threaten that action will be taken if it is not remedied and provide a link to click. At first glance the corporate branding, email address and link will look genuine. This type of phishing email is indiscriminate in its approach and is out to catch any unwary soul who takes the bait.

A more worrying trend is the ‘spear phishing’ attack, where a specific individual or a small number of individuals is targeted within an organisation. These people are often in positions where they will have access to company sensitive information or records, such as the finance or marketing teams. With a little research, the attacker behind a spear phishing attack can ascertain the name of a senior member of staff within the company and trick the recipients into believing the email has originated from the boss. These emails will be aimed at members of the team further down the chain in order to gain further information or even to directly ask for payments to be made. Once you understand the anatomy of a spear phishing attack, you can see why an organisational chart and email address book become invaluable data to the attacker. This may have been gathered as part of the initial phishing attack, through the use of malware injected onto email or Active Directory servers.

So, if an unsolicited email of any type appears, it should not be opened. If it is, it is worth checking the spelling and grammar. Unlike professional companies, who use copy editors to check their content, cybercriminals are not known for their written English. Links should also be checked. By hovering a mouse over the link (while not clicking through) an entirely different web address may appear. All messages which lead to requests for sensitive account information should be treated as phishing attempts. Genuine companies never request password or bank account information online. Yet, if an employee has got to this stage it is likely that a malicious attack will already be underway.
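The hover check above (link text showing one address, the href pointing somewhere else) can be automated over an HTML email body before it reaches a user. The following is an added example, not code from the original post or from SRM; the email body is constructed, the domain names are placeholders under the reserved .example TLD, and the domain comparison uses the last two labels only (a public-suffix list would be needed for suffixes such as .co.uk).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Something that looks like a hostname in the link's visible text (deliberately crude).
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a host, e.g. mail.example.com -> example.com.
    Two-part public suffixes such as .co.uk are NOT handled (assumption)."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return ".".join(host.split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> list:
    """Flag links whose visible text names a different domain than the href
    (the mismatch a user would see on hover), or whose href is not http(s)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            findings.append({"href": href, "text": text, "reason": "non-http scheme"})
            continue
        shown = HOST_RE.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(target.hostname or ""):
            findings.append({"href": href, "text": text, "reason": "domain mismatch"})
    return findings


# Constructed sample message: one genuine link, one look-alike, one plain "Click here".
SAMPLE_EMAIL = """<p>Your account needs attention. Sign in at
<a href="https://www.secure-bank.example/login">www.secure-bank.example</a> or verify now at
<a href="http://secure-bank.example.login-check.example/verify">https://secure-bank.example/verify</a>.
<a href="https://www.secure-bank.example/help">Click here</a> for help.</p>"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f"{f['reason']}: text shows '{f['text']}' but href is {f['href']}")
```

Links with non-URL text such as "Click here" carry no visible host to compare, so this rule alone does not flag them; they still warrant the hover check.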

Training staff how to recognise and deal with suspicious emails is just one element of a robust information security plan. SRM’s specialist consultants have the experience and expertise to manage all elements of information security from employee training to forensic investigations; from penetration testing to preparing for GDPR compliance. To discuss any aspect of information security please contact us.