What does GDPR mean to SMEs?

by Melanie Taylor, Information Security Consultant

“With less than a year to the deadline for compliance with the General Data Protection Regulation, all companies should have assessed what they need to do and should be working on that”. So says the Information Commissioner’s Office. Anyone wondering about their company’s preparedness should prioritise the appointment of a data protection officer (DPO) to ensure compliance from 25th May 2018.

When it comes to the appointment of a DPO there is no exemption for small to medium-sized enterprises (SMEs). In the final version of the GDPR, all organisations that carry out large-scale systematic monitoring of individuals, such as online behaviour tracking or large-scale processing of data, are required to appoint a DPO, either in the form of an in-house employee or a contractor.

While there is a general derogation for SMEs this only applies to record-keeping and processing activities, and does not apply if an organisation is processing personal data that could result in a risk to the rights and freedoms of an individual, or the processing of special categories of data or criminal convictions and offences.

In all companies good data governance is an issue which should be addressed at board level. It is not simply the task of the IT department to ensure compliance. Everyone in an SME needs to understand the importance of GDPR compliance, not least because it makes good business sense. Research by the ICO shows that 77 per cent of consumers are concerned about their personal data, and 20 per cent would move their business elsewhere in direct response to a breach.

But for added leverage, it is worth pointing out the significantly larger fines that can be imposed for non-compliance under GDPR. It has been estimated that the ICO fines imposed after the implementation of GDPR in May 2018 will be 79 times higher than they were under the Data Protection Act.

The good news is that those companies that are already compliant with current UK data protection law will not have much to do to comply with the GDPR. But they will at least have to check that they are able to comply with what is new, such as the right to be forgotten, the right to data portability and the new consent rules for processing.

SMEs should also note that data breach notification is another important requirement to be introduced by the GDPR. Organisations need to ensure they have the procedures in place to detect, investigate and report personal data breaches. In fact, failure to report a personal data breach within 72 hours of identifying it will result in a fine as well as the breach itself.

SRM has operated in the data security environment for many years. With a wide range of knowledge and practical experience, our consultants are ready to help you understand the risks to your information and manage them effectively. Our specialist team provides a full portfolio of services which include data protection. We can assist companies to be in a more ready state for GDPR compliance when it comes into effect next year.

Emerging Trend: Persistent JavaScript Ecommerce Malware

Our analysts report another trend that administrators should be aware of. This is JavaScript-based eCommerce malware that automatically re-infects websites when removal is incomplete. It has been identified as a new technique being used by cyber criminals.

This type of malware obtains its persistence by modifying databases to force the injection of a malicious JavaScript file into an eCommerce webpage. By targeting databases, the malware becomes resilient to normal removal attempts. Cyber criminals have recently used this technique to target eCommerce merchants by successfully injecting the JavaScript code into a database field of a merchant's website and compromising payment card data.

This malware reinfection method can be used on any eCommerce platform that uses database fields to populate content on the shopping cart webpage. Reinfection of websites proceeds in two steps:
1. A database trigger is added to the order table, which injects the malicious JavaScript link into the website template fields.
2. The trigger is executed every time a new order is made.

Scanning for malicious code in HTML files alone is not sufficient to detect this malware. Analysis of the database is required to ensure a proper clean-up of JavaScript eCommerce malware is conducted.
Regular scanning of webservers for malware is one recommended mitigation measure eCommerce websites can take to identify security vulnerabilities. Another recommended best practice is to check for malicious database triggers on eCommerce websites and subsequently remove them.
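The database check described above, as an added example that is not part of the original post or SRM's own tooling: a Python script against an in-memory SQLite database that enumerates every trigger from the catalogue, flags any trigger whose body contains script-like content or writes to a page-content table, and then removes the trigger before cleaning the injected field. The schema, table names (`orders`, `cms_block`), the inert sample trigger and the `example.invalid` hostname are all constructed for the example; on a real shop the content-table names must be adapted to the platform in use.

```python
import re
import sqlite3

# Constructed sample schema: an orders table plus a CMS/template table whose
# content is rendered into the cart page. Table and column names are assumptions.
SAMPLE_SCHEMA = """
CREATE TABLE orders (id INTEGER PRIMARY KEY, total REAL);
CREATE TABLE order_log (order_id INTEGER);
CREATE TABLE cms_block (id INTEGER PRIMARY KEY, name TEXT, content TEXT);
INSERT INTO cms_block (name, content) VALUES ('footer', '<p>Thanks for shopping with us.</p>');

-- Benign housekeeping trigger, kept for contrast with the finding below.
CREATE TRIGGER order_audit AFTER INSERT ON orders
BEGIN
    INSERT INTO order_log (order_id) VALUES (NEW.id);
END;

-- Constructed, inert stand-in for the persistence trigger described in the text:
-- every new order re-appends a script tag to a template field.
-- The hostname is a placeholder, not a real indicator.
CREATE TRIGGER after_order_insert AFTER INSERT ON orders
BEGIN
    UPDATE cms_block
       SET content = content || '<script src="https://example.invalid/cart.js"></script>'
     WHERE name = 'footer';
END;
"""

# Strings that have no business appearing inside a trigger body on a shop database.
SCRIPT_MARKERS = re.compile(r"<script|javascript:|\.js\b|eval\(|fromcharcode", re.IGNORECASE)
# Tables that feed page content; assumed names, adapt to the platform in use.
CONTENT_TABLES = {"cms_block", "cms_page", "core_config_data"}
WRITE_TARGET = re.compile(r"\b(?:UPDATE|INSERT\s+INTO)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def build_sample_db():
    """Create the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def list_triggers(conn):
    """Enumerate every trigger with its full body from the SQLite catalogue."""
    rows = conn.execute(
        "SELECT name, tbl_name, sql FROM sqlite_master WHERE type = 'trigger'"
    ).fetchall()
    return [{"name": n, "table": t, "sql": s} for n, t, s in rows]


def audit_triggers(conn):
    """Return {trigger_name: [reasons]} for triggers that match the persistence pattern."""
    findings = {}
    for trg in list_triggers(conn):
        reasons = []
        if SCRIPT_MARKERS.search(trg["sql"]):
            reasons.append("script-like content in trigger body")
        targets = {m.group(1).lower() for m in WRITE_TARGET.finditer(trg["sql"])}
        if targets & CONTENT_TABLES:
            reasons.append("trigger writes to page-content table: " + ", ".join(sorted(targets & CONTENT_TABLES)))
        if reasons:
            findings[trg["name"]] = reasons
    return findings


def find_injected_scripts(conn, table, column):
    """Row ids of a content table whose text contains a script tag."""
    # Table and column names come from our own constants, never from user input.
    rows = conn.execute(f"SELECT id, {column} FROM {table}").fetchall()
    return [row_id for row_id, text in rows if text and SCRIPT_TAG.search(text)]


def remediate(conn, table="cms_block", column="content"):
    """Drop flagged triggers first, then strip script tags from content rows.

    Order matters: cleaning the field before removing the trigger lets the next
    order re-inject it, which is exactly the reinfection the text describes.
    """
    findings = audit_triggers(conn)
    for name in findings:
        conn.execute(f'DROP TRIGGER "{name}"')
    for row_id in find_injected_scripts(conn, table, column):
        text = conn.execute(f"SELECT {column} FROM {table} WHERE id = ?", (row_id,)).fetchone()[0]
        conn.execute(f"UPDATE {table} SET {column} = ? WHERE id = ?", (SCRIPT_TAG.sub("", text), row_id))
    conn.commit()
    return sorted(findings)


def footer_content(conn):
    """Current rendered footer text, for checking whether reinfection happened."""
    return conn.execute("SELECT content FROM cms_block WHERE name = 'footer'").fetchone()[0]


if __name__ == "__main__":
    conn = build_sample_db()
    conn.execute("INSERT INTO orders (total) VALUES (19.99)")  # a new order fires both triggers
    print("after one order:", footer_content(conn))
    print("audit:", audit_triggers(conn))
    print("removed:", remediate(conn))
    conn.execute("INSERT INTO orders (total) VALUES (5.00)")
    print("after clean-up and another order:", footer_content(conn))
```

The same two checks translate directly to MySQL or PostgreSQL by reading `information_schema.triggers` (column `action_statement`) instead of `sqlite_master`; the point is that the trigger catalogue, not the HTML on disk, is where this persistence lives.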

If you are in doubt, contact the SRM team who can arrange to run a check for you!

Tom F, Managing Director of SRM, is a regular contributor to the SRM blog.

Data protection – the gap widens across the Atlantic

Data protection is a global issue. Yet it is being approached in very different ways on either side of the Atlantic. While Europe and Britain will embrace the more stringent rules of the General Data Protection Regulation (GDPR) from May 2018, the situation in the USA is going the other way. On 3rd April President Trump signed a new law making more personal data legally available. Overturning the previous legislation, ISPs are now able to access and use all but the most sensitive personal information. Much of this personal data is likely to be harvested and sold to digital advertisers.

While the global super power Google already grows its business through targeted online advertising, this will open up the practice in the US to a host of other players in the ISP market. Its advocates say this availability of data helps advertisers to target consumers more effectively thereby helping them to make better decisions. Its detractors see it very differently.

Whatever your view, Personal Information Management Services (PIMS) are already huge revenue generators and not just in the United States. A study estimates the value of the UK PIMS market to be currently worth £16.5 billion. But from this moment on, the paths diverge and when it comes to the future of personal data protection, it appears that the differentiator will be regional legislation.

The change in law in the US, with its permissive approach to personal data, will open up the PIMS market and along with it many associated problems. It certainly seems likely that this will create a need for privacy-enhancing tools and services. In Europe, on the other hand, the legislative market under the GDPR might drive online advertising businesses to invest in new models which create value from mining personal data in legal ways. There is little that can be done to prevent opportunism in the world of PIMS and digital advertising, but the American model is fraught with problems and risks, both financial and on a moral basis. We in the UK must be grateful for the very different approach mandated by GDPR.

When GDPR comes into effect, UK companies will be legally obliged to observe new procedures and take even greater responsibility for how they collect, share, and use consumers’ data. Some businesses will complain that the new regulation is burdensome and bureaucratic but they are wrong. Those who shirk it will certainly feel some pain as enforcement will be strict and fines extremely severe. But many will embrace it as an opportunity; as a competitive differentiator. If in any doubt, the complainers will only have to keep an eye on how the permissive data protection laws impact across the Atlantic.

SRM has operated in the data security environment for many years. With a wide range of knowledge and practical experience, our consultants are ready to help you understand the risks to your information and manage them effectively. Our specialist team provides a full portfolio of services which include data protection. We can assist companies to be in a more ready state for GDPR compliance when it comes into effect next year.

A data breach damages more than your reputation

Being known as the source of the largest data breach in history is probably not how Yahoo would like to be remembered. The reputations of eBay, LinkedIn, MySpace, TalkTalk and Ashley Madison also took a hit in recent years. Yet these high profile cases are just the tip of the iceberg. A new survey by the British Chamber of Commerce (BCC) reveals that 42 per cent of big businesses have been the victim of cybercrime. The figure for smaller companies is lower, with only 18 per cent being attacked, which probably reflects the current priorities of hackers.

No one should be complacent, however. In the BCC survey only 24 per cent of the businesses questioned (regardless of size) said they had security measures in place. This means that three quarters have no defence against a data breach. The impact of these, even on smaller companies, cannot be underestimated. Even more worrying is the fact that the vast majority of companies that have suffered a data breach were not aware of it until they were notified by either their customers or industry bodies.

Adam Marshall of the BCC says ‘cyber attacks risk companies’ finances, confidence and reputation, with victims reporting not only monetary losses, but costs from disruption to their business and productivity’.

We know this to be the case. But while a Government spokesman has used the BCC report to advise companies to take advantage of its Cyber Essentials scheme to protect against attacks, we do not believe this goes far enough. Cyber Essentials accreditation is certainly an extremely useful starting point and is now a requirement of any business bidding for a new Government contract. But the rules for the protection of customer data will soon become significantly stricter with the arrival of the General Data Protection Regulation in May 2018. And, besides, protection is not just about compliance; it is about having a robust defence in place as well as a considered strategy to minimise the impact of any potential breach.

This is where we come in. When a data breach occurs that involves payment card data, the Payment Card Industry (PCI) calls in a PCI Forensic Investigator (PFI) to identify and resolve the situation. At SRM we are one of a handful of companies in the UK retained by the PCI to carry out these investigations. But we also offer a bespoke Retained Forensic service, which uses this expertise to proactively manage systems before an attack occurs. In this way, organisations can use our Data Forensic Investigations team to meet compliance requirements but also to build robust defences and test those strategies in a controlled manner, before the worst actually happens.

We do not recommend services or tools you do not need, preferring to use our extensive experience and understanding of the online retail world to set up a targeted plan of action and remediation which will keep your business compliant and as secure as it is possible to be. Given the persistence and resilience of cyber attackers there is a remote chance that a system might still be attacked. With a robust plan in place, however, remedial action will be swift, minimising financial and reputational damage. Demonstrating a proactive approach to protecting your customer’s data also puts you in a stronger position when dealing with acquiring banks or any other regulatory authorities.

How to protect your business from account data compromise (ADC)

The fact is that all too often the first someone knows that their system has been breached is when they receive a call from their acquiring bank: the business has been reported as the common point of purchase for fraudulent activity. It is a conversation every business owner dreads.

The repercussions are serious, triggering a mandatory investigation by a PCI Forensic Investigator (PFI), which the vendor must pay for. The breach needs to be stemmed and an analysis made of the security issue. If there is culpability, a significant penalty may follow. In addition to that are the financial repercussions to the company's bottom line and its reputation. So what can be done to anticipate a breach at its earliest stage or, even better, prevent such a breach from occurring?

What are the indications of an Account Data Compromise?

Sometimes it is obvious: a key-logger or a card-skimming device is found. Because malicious attackers are highly skilled, however, more frequently it is a subtle change in activity which is easily overlooked by the vendor until it is too late. Examples of these are:

  • Unexpected internet connections: from non-business-related IP addresses or from countries the business has no dealings with;
  • Log in by unknown or inactive user IDs; or an unusual level of activity from a recognised user ID;
  • Multiple instances of remote access tools present on a system in an ‘always on’ mode;
  • The presence of malware, suspicious files, executables or programs;
  • SQL injection or other suspicious activity on web-facing systems;
  • POS terminals and ATM devices showing signs of tampering;
  • Lost, stolen or misplaced sales receipts or payment card data.
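Several of the indicators above (connections from countries the business has no dealings with, logins by inactive user IDs, an unusual level of activity from a recognised ID, and remote-access tools reachable from outside the business network) can be checked mechanically against authentication and connection logs. The following Python script is an added example, not part of the original post or any SRM service: it runs four such rules over constructed sample log lines in a simple key=value format. The log format, the user list, the country and network baselines, the port list and the login threshold are all assumptions that a real deployment would replace with its own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines; 198.51.100.7 is a documentation-range address,
# "ZZ" is a placeholder country code, and the users and hosts are invented.
SAMPLE_LOG = """\
2018-03-01T09:02:11 event=login user=jsmith src=10.0.1.5 country=GB result=ok
2018-03-01T09:05:40 event=login user=admin_old src=198.51.100.7 country=ZZ result=ok
2018-03-01T09:07:12 event=connect src=198.51.100.7 country=ZZ dst=pos01:3389
2018-03-01T09:09:30 event=connect src=10.0.1.5 country=GB dst=pos01:443
2018-03-01T23:40:05 event=login user=jsmith src=10.0.1.5 country=GB result=ok
2018-03-01T23:41:19 event=login user=jsmith src=10.0.1.5 country=GB result=ok
2018-03-01T23:42:27 event=login user=jsmith src=10.0.1.5 country=GB result=ok
2018-03-01T23:43:33 event=login user=jsmith src=10.0.1.5 country=GB result=ok
2018-03-01T23:44:41 event=login user=jsmith src=10.0.1.5 country=GB result=ok
"""

# Baselines the business maintains; all of these are assumptions for the example.
KNOWN_USERS = {"jsmith", "mjones"}          # active accounts
INACTIVE_USERS = {"admin_old"}              # accounts that should never log in
BUSINESS_COUNTRIES = {"GB", "IE"}           # countries the business deals with
BUSINESS_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
REMOTE_ACCESS_PORTS = {22, 3389, 5900}      # SSH, RDP, VNC
MAX_LOGINS_PER_USER_PER_DAY = 4             # baseline for "unusual level of activity"

RULE_BAD_USER = "inactive or unknown user login"
RULE_COUNTRY = "non-business country"
RULE_REMOTE = "remote access from outside business network"
RULE_VOLUME = "unusual login volume"


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict; the timestamp goes under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = ts
    return fields


def is_internal(ip_text):
    """True if the source address belongs to one of the business's own networks."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in BUSINESS_NETWORKS)


def detect(log_text):
    """Return a list of (rule, evidence) pairs for every indicator that fires."""
    findings = []
    logins_per_day = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        src = ev.get("src", "")
        # Indicator: connection or login from a country the business has no dealings with
        if ev.get("country") and ev["country"] not in BUSINESS_COUNTRIES:
            findings.append((RULE_COUNTRY, line))
        if ev.get("event") == "login":
            user = ev.get("user", "")
            # Indicator: log in by unknown or inactive user ID
            if user in INACTIVE_USERS or user not in KNOWN_USERS:
                findings.append((RULE_BAD_USER, line))
            logins_per_day[(user, ev["ts"][:10])] += 1
        elif ev.get("event") == "connect":
            # Indicator: remote-access port reached from outside the business network
            port = int(ev["dst"].rsplit(":", 1)[1])
            if port in REMOTE_ACCESS_PORTS and src and not is_internal(src):
                findings.append((RULE_REMOTE, line))
    # Indicator: unusual level of activity from a recognised user ID
    for (user, day), count in sorted(logins_per_day.items()):
        if user in KNOWN_USERS and count > MAX_LOGINS_PER_USER_PER_DAY:
            findings.append((RULE_VOLUME, f"{user}: {count} logins on {day}"))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_LOG):
        print(f"[{rule}] {evidence}")
```

The thresholds and allow-lists are deliberately kept as named constants at the top: the value of this kind of check comes from the baseline being maintained by the business, not from the rules themselves.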

What can be done to protect against such attacks?

  • Use PFI skills to your advantage: working with a respected PCI company with forensic investigation capability is a great starting point. They already have the forensic skills and tools and can use these to help you to build a robust defence;
  • Do not simply tick the annual PCI compliance box but ensure that your compliance is ongoing; continually updated and improved. Working with a PCI compliance expert will help you to do this cost effectively and robustly;
  • Get ahead of the game: go a step further than straightforward compliance and conduct a thorough review, including a penetration test and vulnerability scan to highlight your specific potential threats and vulnerabilities;
  • Be aware of your future obligations: the General Data Protection Regulation (GDPR) comes into effect in May 2018 and you will need to comply. Your responsibilities increase and so do the potential penalties if a breach occurs.
  • Consider outsourcing the role of Information Security Officer (ISO): smaller companies will struggle to recruit suitably qualified individuals with the right skill set but working with a Virtual ISO team provides expert strategic input as well as practical input and training.
  • Engage with a company that specialises in forensic investigations. They will be able to test your incident response strategy and ensure that you are able to respond quickly and efficiently if the worst ever happens. Be prepared!

What happens in the event of a breach?

Breaches happen. But having the right team on hand to identify, analyse, correct and report on incidents saves money and reputation while reducing future risk and freeing you to continue to trade. SRM’s dedicated response team is on hand 24/7 x 365, providing professional, pragmatic and strategic support in the event of any type of incident, enabling you to focus on your business activities.

What next?

In the context of the damage an ADC breach can cause any investment is worthwhile. SRM offers a bespoke retained PFI service, working proactively through regular strategic reviews to develop enhanced risk mitigation and ensure rapid remediation and minimal disruption in the event of a breach.

We do not recommend services or tools you do not need, preferring to use our extensive experience and understanding of the online retail world to set up a targeted plan of action and remediation which will keep your business as secure as it is possible to be. Given the persistence and resilience of cyber attackers there is a remote chance that your system might still be attacked. With a robust plan in place, however, including relevant compliance, remedial action will be swift and acquiring banks will mitigate their stance.
