Monthly Archive November 2017

GDPR has been developed to protect us from breaches like Uber

The term ‘reputational apocalypse’ has been used about the recent news of the Uber data breach cover-up. It’s no exaggeration. 57 million sets of customer and driver data were stolen back in 2016, including the email addresses, names and phone numbers of customers and the licence details of some 600,000 Uber drivers. But while the breach alone is damaging enough, what has escalated Uber’s reputational damage to an apocalyptic dimension is the manner in which they handled it.

Rather than follow correct procedures for reporting a breach, Uber’s executive team at the time allegedly decided to identify the hackers concerned and pay them $100,000 to provide assurances that the downloaded data had been destroyed. Going to considerable lengths to hide the loss of personal data from customers and staff, Uber’s C-suite might have thought they were avoiding the negative publicity other brand names have encountered during similar breaches. By taking a stance that was neither transparent nor informative, what they actually did was to damage the company’s reputation still further.

Thankfully, Uber’s new CEO recognised the seriousness of the situation when he arrived and has undertaken full disclosure. The 2016 breach followed on from a less serious breach in 2014 which Uber also failed to disclose. They were fined $20,000 on that occasion and may have considered, in the light of this modest fine, that the risk of non-disclosure in 2016 was worth taking. It is not yet known what penalties will be imposed for the latest breach and its consequent cover-up, but it is likely the sums involved will be punitive.

Under the EU General Data Protection Regulation (GDPR) the fines for this type of breach will be even higher. After May 2018, when GDPR comes into effect, inadequately protected organisations which suffer a breach will be penalised by fines of up to 20 million Euros or 4% of global turnover (whichever is higher). The intention behind the legislation, which is being enshrined into UK law through the new Data Protection Bill, is to prevent another Uber-type breach.

For a start, if a breach does occur GDPR requires the organisation to investigate and inform victims within 72 hours. But GDPR is not simply about reporting times and fines. The essence of the legislation is for organisations to develop a more intelligent, data-centric approach to security. They will have to know exactly where their data resides, who can access it and how it is transferred. They will need to be clear about when and where data is encrypted and decrypted. They must be seen to understand the differences between private and public clouds and the cybersecurity threats specific to each. To be GDPR compliant will require many organisations to improve their data systems significantly. If they do not, they must be aware of their accountability.

Uber claimed that their ‘corporate systems and infrastructure’ were supplied by a ‘third party cloud-based service’ and that this service was the target of the breach. This is no excuse under current legislation and the responsibility of Chief Information Security Officers (CISOs) and Data Protection Officers (DPOs) is made even clearer under GDPR. They have a responsibility to the people whose data they hold and it is never possible to outsource their accountability.

When it comes to CISOs, the buck really does stop here. But that does not mean that they should not be provided with expert professional support. SRM is at the forefront of information security in the UK. As cyber security supplier to H M Government, we understand large organisations, but our clients also include corporates, charities and SMEs. Our GDPR team provides expert guidance and is also able to scope a client’s system for frailties and vulnerabilities through bespoke penetration testing, assist with accurate data mapping and provide a whole range of additional services developed to support CISOs and DPOs at various levels from compliance to disaster recovery.

For a no obligation chat, contact Mark Nordstrom.

Learn more:

Bespoke penetration testing

Related blogs:

After GDPR what will happen to ICO notification fees?

Client files on home computers must be encrypted

It’s not a question of if but when

How a CISO can influence at board level

Time running out for GDPR compliance


UK research highlights the lack of Chief Data Officers at C-suite level

Research by the data science and marketing services company Profusion has revealed that UK businesses are falling behind their European counterparts. The report highlights the lack of Chief Data Officers at board level at a time when GDPR, Brexit and the new Open Banking standards (due to come into effect in January 2018) should be top of the corporate agenda.

The Chief Data Officer: Today, Tomorrow, Always? report analyses the role of the Chief Data Officer, finding that only 2 per cent of FTSE100 companies have elevated this position to senior level. This is in spite of the fact that research from global marketing intelligence firm IDC reveals that 77 per cent of FTSE100 company executives consider data and analytics to be the most important technology trend of the next three years.

So why is this the case? At a time when UK businesses need to put effective organisational structures in place to maximise the benefits of ‘datafication’ while ensuring that all regulatory, legal and security procedures are in place, why are the big corporates not acting? Of course, they are not alone; the dearth of board level data officers extends into all businesses, from public sector organisations to SMEs.

One of the key issues is recruitment. There are few individuals with the right skill set required for this challenging role. A Chief Data Officer needs to combine a degree of technical skill with a highly tuned commercial agenda. He or she is required to communicate with authority with their board level peers, putting forward innovative strategies for developing the benefits of properly managed data to create new revenue streams. They must drive business efficiencies while enhancing customer relationships and improving company performance and growth. Add to the lengthy job description the need to ensure the security of all data in line with all regulatory and legal requirements. No wonder there are so few about.

With such a tall order, it is not surprising that there is an increasing trend toward organisations looking to external partners to provide resource and support for specific aspects of the role. In this way they are able to supplement the wider experience of the individual with specific expertise. The role of Chief Information Security Officer (CISO) is an aspect of the CDO role; they are often one and the same person. Providing CISO support, or even fulfilling the CISO role in its entirety, is a way to enhance the CDO’s role, while also allowing him or her to focus on the wider picture.

SRM has extensive experience of providing CISO support for businesses of all scales. Our service is entirely bespoke, delivering as much or as little as is required: from board level engagement to scoping and conducting penetration tests, and from Red Team engagement, which provides a hacker’s eye view of an organisation’s frailties, to GDPR compliance. For smaller businesses we can provide a Virtual CISO (vCISO) with access to our specialist team whenever needed.

Given the fact that GDPR is yet to be enacted and some of the fine detail is still being confirmed, SRM’s GDPR expertise adds particular value to the CDO’s role. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance or take on the full Data Protection Officer (DPO) role.

For a no obligation conversation about SRM’s CISO, vCISO and GDPR services, contact Mark Nordstrom.

Learn more

GDPR – The General Data Protection Regulation

Related blogs

After GDPR, what will happen to ICO notification fees?

How US internet giants are tackling the issue of GDPR compliance

Time running out for GDPR compliance

What does GDPR mean to SMEs?

VirtualCISO: the philosophy of product development

How a CISO can exert influence at board level


Yes, someone actually said that to me in an interview!

SRM’s GDPR specialist Melanie Taylor explains some of the challenges faced by women trying to get into the world of IT

‘I don’t understand why a woman with a family would want to work in IT’…

Is just one of the things an IT Solutions company in Catterick said to me during an interview.

To start at the beginning! In August 2012 I had an operation to fuse 2 of my vertebrae in my lower back and insert some ‘scaffolding’ to support the ones above due to collapsed discs. I knew the operation was coming and had decided that once I could go back to work it would be in IT. I was not going to settle for less. Having always enjoyed dabbling in IT and taking PCs, Xboxes and mobile phones apart to fix or clean them, it seemed like a logical choice. Getting into Information Security was the ultimate goal but I needed to start with IT in general.

“An apprenticeship! That’s what I’ll do,” I told my husband. So I started to apply for any IT apprenticeships I could find, sometimes 5-10 per week and then… Nothing! Nothing at all. Not even a ‘sorry, this place was filled’. I kept going and did, now and again, receive a reply: TOO OLD! You see, I was 34. When a company wants an apprentice they want a young one so that they will be fully funded. I still kept going. Applying and chasing with telephone calls. Too old.

But then finally, an interview!

It was for a Network Technician Apprentice role for an IT solutions company in Catterick. I was living in Bishop Auckland at the time and was more than happy to travel 25 miles to work each day.

On the day of the interview, I was extremely nervous and also excited at the possibility: this could be it… The beginning. I arrived in plenty of time and smartly dressed, with a little makeup on and hair done, anxious to meet with my interviewers.

Now I can tell you that when someone walks into the room, sees you, and their face drops, you do not get a good feeling. That sinking feeling. That feeling of dread. I was asked to have a seat and was made a cup of coffee. The interview started in an unstructured way and I remember being asked why I wanted the role. “Since leaving school I have wanted to get into IT but just didn’t know how back then. I have had a few years away from work due to a back injury but am now able to work again and decided to go for my career of choice.” I said some other stuff and waited for a response. Awkward silence. Then one of the men said, “I just can’t understand why a woman with a family would want a job like this, it gets cold in server rooms you know”. I said I would wear a coat if I was cold. This seemed to be the theme of the interview and I was enlightened with some interesting statistics about how many women worked in IT, or rather didn’t work in IT. On the plus side, I was told that the clients would love me, although I’m not entirely sure that it was meant as a compliment. Near the end, I was asked if I would not rather take a position in admin! As a last attempt to convince these people (clutching at straws) I blurted out that having my hair done and wearing makeup was not me and I really wanted this opportunity. After I left it didn’t take long for the recruiter to ring to break the news to me: I was not experienced or knowledgeable enough for the position and the learning curve would be too steep, an interesting point considering that the interviewers had already told me that the role needed no experience, being an apprentice role, and that the last apprentice they had was completely starting from scratch with their knowledge and experience.

Desperately wanting to prove myself I emailed one of the directors that interviewed me and offered to do voluntary work so that they could see my work ethic and how quickly I would pick things up. Nothing! Not a thing back.

I was absolutely determined to keep going, everything happens for a reason, right? And looking back at the interview I was beginning to think that maybe it was not the best place to work, for a woman anyway.

Thank you! Thank you so much for not taking me on! I would not be where I am today if you had.

After around 8 months of applying, I had an interview with Newcastle College which was successful and my journey began, but that is another story.

The point of telling you this is to say never give up on your dream career and never stop searching for your perfect employer. You’ll know when you get there and you may not stay forever but it’ll be right at the time.

I am so lucky to have found a company that not only lets me fly, but gives me wind beneath my wings. Thank you SRM!



After GDPR, what will happen to ICO notification fees?

When the General Data Protection Regulation (GDPR) comes into effect in May next year it will not require organisations to notify the ICO about what data they hold or to pay notification fees. However, little will change in reality. A provision in the new Digital Economy Act 2017, which addresses policy issues relating to electronic communications infrastructure and services, means that notification and fees to the ICO will still be a legal requirement for data controllers after GDPR is enacted. What is more, the fees themselves are likely to increase.

Under the current Data Protection Act (DPA), organisations which process personal information must, as data controllers, notify the ICO about what personal data they collect and what they do with it (unless an exemption applies). They are also required to pay the ICO a notification fee. This is either £35 or £500, depending on size. These fees are currently used to fund most of the ICO’s work.

The Digital Economy Act 2017 paves the way for a new funding system for the ICO with the new model going live on 1 April 2018. As is currently the case, notification fees will be used to fund the ICO’s data protection work and any money the ICO receives in fines will be passed directly back to the Government.

What is still unknown is exactly what these fees will be, although we now have a clear indication of what is being considered. An update from the ICO on 31st October confirms the range of fees which are currently being considered in consultation with the Department for Digital, Culture, Media and Sport. The draft proposal is for a three-tier system, differentiating between small and big organisations and also by how much personal data an organisation is processing. The aim is to keep the system as simple as possible, so that organisations will easily be able to categorise themselves.

  • Tier 1: small and medium sized firms that do not process large volumes of data. Applies to those with a staff headcount of less than 250, turnover below £50m a year and fewer than 10,000 records processed. Annual fee up to £55.
  • Tier 2: small and medium sized firms that process large volumes of data. Applies to those with a staff headcount of less than 250, turnover below £50m a year and more than 10,000 records processed. Annual fee up to £80.
  • Tier 3: large firms. Applies to those with a staff headcount of more than 250 and turnover of more than £50m a year. Annual fee up to £1,000.
  • Direct marketing top-up: applies to organisations that carry out electronic marketing activities as part of their business. Top-up fee £20.

Once approved by parliament, the ICO has undertaken to communicate the new fees to data controllers. In the meantime, organisations should continue to renew their notification as usual. It remains a criminal offence not to notify if an organisation is required to. Those who pay an annual notification fee will only need to pay the new fee once their existing notification, under the old model, expires. It is also expected that the exemptions will still operate and these are expected to be similar to those under the current regime.



SRM Blog