CISO

Webinar Wednesday 30th May 3pm: Incident Response & Forensic Expertise – would your business survive a cyber attack or security breach?

Register for the free SRM webinar here.

As organisations endeavour to be as proactive as possible to protect themselves from a cyber attack or security incident, it is time to question if you have access to the correct expertise to respond efficiently, limit the impact and minimise disruption if you were to suffer a breach.

Join us for this informative free webinar where Alan Batey, Head of the SRM forensic team, will take you through:

  • What is a retained Incident and Forensic response service? 
  • Why do organisations need it?
  • What is the impact of not having it?
  • Why is there such a market appetite for this service in the current climate?
  • Followed by a Q&A.

Register for the free webinar here.

What we can all learn from the NHS response to WannaCry

To be truly resilient against potential attacks, it is not enough to simply look at patching the last one, but to anticipate the next. When commenting on the news that the NHS had not fared well in the recent round of cyber security checks, Matt Hancock, Secretary of State for Digital, Culture, Media and Sport summed up the issue.

He said on BBC Radio 4 last month that ‘The NHS has made improvements since the WannaCry attack last year, but one of the challenges in cyber security is that the criminals and the malicious actors who are trying to harm our space are moving fast, and you have to run to stay still. You can’t just make one update, you’ve got to constantly be updating’. NHS cyber security chiefs described their existing practices as ‘relatively unsophisticated’, and admitted that 88 of the 236 trusts that were assessed by NHS Digital failed to pass the required cyber security standards.

In spite of the negative publicity surrounding the event, the report did state that WannaCry’s lasting effect would have been significantly more widespread, had it not been so quickly disabled. With this issue front of mind, the Former Chairman of NHS Digital still blamed ‘a lack of focus and a lack of taking it seriously’.

So what actions are in the pipeline in order to safeguard the UK’s health service? Of course, every hospital authority will be ensuring that all software update patches are installed, after this proved to be the crippling weakness of the 80 trusts affected in last year’s cryptoworm attack. The majority of trusts had acted on this but the hesitation came from the potential implications and disruption to other IT and medical equipment.

Along with praising the initial response, it should be said that the robust plans going forward are setting the bar for others to follow. A cyber security ‘handbook’ is being issued to all employees, along with ongoing staff training and development; bringing the issue to the forefront and ensuring that everyone has their part to play.

Robust Incident Response, Business Continuity and Disaster Recovery plans are soon to be in place, reducing disruption to the operations even further in the event of an attack. This is to be reviewed and changed annually, in line with industry best-practice. It will work in tandem with both an annual ‘cyber incident rehearsal’ and Red Team-style engagements using ethical hacking teams that will consistently carry out both manual and automated penetration testing to the NHS networks. Finally, this links to their plans to appoint a CISO, after recognising that cyber security is indeed a board level issue and should be dealt with as such, as soon as possible.

It is these key practises that businesses across the globe should be looking to adopt into their next information security strategies. If your organisation is looking to mirror the proactive efforts of the NHS, SRM’s specialist solutions encompass the full scope of the governance, risk and compliance agenda. The trusted partner of government agencies, high street brands and SMEs alike, our bespoke and consultative approach enables our clients to achieve peace of mind.

To discuss how our services can help you stay safe in cyberspace, contact Mark Nordstrom on mark.nordstrom@srm-solutions.com or 03450 21 21 51. Or visit our website.

Read more:

Three stages to building a robust defence against external threats

How attack is the best form of defence when it comes to protecting against the rising trend in phishing and social engineering attacks

Cyber resilience: it’s a board level issue

The problem with cyber resilience is in the name. When it comes to managing the risk posed by potential hackers and the requirement for robust testing and defence protocols, it is often frequently parked under the responsibility of the IT department. But cyber resilience is not simply something for the IT department to worry about: it should be a cause for concern for the whole board. It is a business consideration, not simply an IT one, affecting business continuity and the bottom line as well as having the potential to damage an organisation’s reputation and the very core of its business operation.

Yet recent research by management consultancy Deloitte reveals that only one in five FTSE 100 companies share detail of their testing and online business protection plans with their boards on a regular basis. In fact, the research shows that only 21 per cent of UK Blue Chip businesses regularly share security updates with their boards.

There may be good reason for this. At first glance, providing details of their penetration testing strategy, which identifies vulnerabilities within their IT systems, may be thought to provide potential hackers with valuable information. But this outlook is simplistic. Boards and investors require the reassurance that a meticulous and robust cyber resilience strategy is in place, even though they do not, and should not, require precise detail.

A more likely reason for the low profile of cyber resilience planning is the much-publicised skills shortage of cyber expertise within organisations. Deloitte found that only 8 per cent of companies had a member of the board with specialist technology or cybersecurity experience. A similar figure applies to the number of companies that also disclose having a Chief Information Security Officer (CISO) within their executive team. But if the IT department is not equipped or does not have C-Suite influence, then there is a huge potential problem. Boards should therefore look to supplementing their resource with skilled professional expertise with the required skillset and the capability of engaging board level involvement.

This is simply applying the same resource to the IT department which other departments already have. The financial department has board level representation and external expertise in the form of professional accountancy firms. No one expects the legal department to handle all the organisation’s legal requirements; professional and specialist expertise is required. A similar level of resource should be provided when it comes to cyber security. Not only should the CISO have board-level influence, but they should be supported by experienced professionals. Cyber resilience specialists have a much wider range of knowledge and experience than just one organisation, and are able to add significant value. This is not only because they can direct expenditure to meet precise requirements, but also because they can anticipate future threats.

While IT departments may currently be adequately resourced to manage on a day-to-day basis, it is not enough to simply protect against known threats. Penetration testing must go several steps further because organisations are vulnerable to a vast range of threats which are unknown and unforeseen. Experienced professionals will use a combination of automated testing, to identify the threat areas, and manual testing to develop, explore and investigate these vulnerabilities. Only in this way can organisations have any level of defence against unknown threats.

Every member of the board has an invested interest in the development and delivery of a robust cyber resilience strategy. If in doubt, each and every member of the board should ensure that it is on the agenda at every board meeting.

SRM has an unrivalled reputation in the delivery of all types of information security, including cyber resilience. With a keen awareness of how organisations operate, our team works with minimal disruption and maximum effect, providing an outstanding level of defence. However, no one can (or should) provide total guarantees; but be assured that having a retained expert with a detailed working knowledge of an organisation’s systems, means that meticulous mitigation plans will be in place and swift remedial action taken in the event of an attack, reducing its impact and minimising its disruption.

For more information on our consultancy services see our website.

Our see our blog:

Shipping news: how to manage a ransomware attack

It’s not a question of if, but when

What is Red Team engagement?

For a no obligation discussion about how SRM can support your business, contact Mark Nordstrom on mark.nordstrom@srm-solutions.com or phone 03450 21 2151.

GDPR: 10 key issues facing UK higher education

The world of higher education is about to be turned on its head. This is due to the imminent enactment of the General Data Protection Regulation (GDPR) which will come into effect on 25th May 2018. It marks a new era in the world of personal data protection with accountability at its centre. Although the updating of data protection law is overdue and welcomed by consumers, it does put demanding responsibilities onto the shoulders of Chief Information Security Officers (CISOs) in higher education institutions across the UK.

True expertise in GDPR compliance is a rare commodity and few resident CISOs have had time to acquire the required skill set. For this reason, many are using the additional resource and support of specialists to ensure the compliance requirements are met and resilient strategies put in place. SRM’s GDPR team has operated in the information security environment for many years and our GDPR consultants have undergone GCHQ certified training and gained GDPR Practitioner certification. As such they are uniquely well–placed to advise on the strategic implementation of GDPR. Here, they identify the key issues facing the higher education sector.

1. Awareness

It is important that everyone is aware of the changes that GDPR will bring. Vice Chancellors, executive boards, deans, academics and lecturers will all need to be aware of how the changes in data protection legislation will affect them. The mantle of data protection usually falls to the Chief Information Security Officer (CISO) who is likely to take on or oversee the role of Data Protection Officer (DPO), which is a requirement of GDPR. To ensure this is done effectively, the CISO will need to have senior-level influence, with the relevant knowledge and authority to manage the process or be given the financial resource to secure additional support and expertise from an industry professional or Virtual CISO service.

2. Information life cycle audit

Institutions will be held more accountable for the data they hold. In addition to keeping records about what personal data exists with the organisation’s systems, GDPR requires a documented understanding of why information is held, how it is collected, when it will be deleted or anonymised and who has access to it. Data will include everything from phone records to employment details. Some information will be categorised as sensitive and some as non-sensitive and all this information needs to be mapped.

3. Incident Response

Keeping information secure is a primary requirement and there will be new obligations to report security breaches to the Information Commissioner’s Office (ICO) within 72 hours where it creates a risk to the affected individuals. This is likely to occur, for example, in cases of identity theft or financial loss and organisations will also be required to inform the individuals affected. Incident Response which outlines protocols to detect, investigate and respond to personal data breaches is an important element of this process.

4. Data Protection by Design

GDPR introduces new obligations on information-handling processes and the systems that are developed. Data protection should be built in with data privacy settings being the default. It is anticipated that GDPR will require ‘data protection by design’ to be extended to existing systems within three years. Formal data protection impact assessments should be undertaken as part of the design process.

5. Demonstration of consent

Not all data processing requires explicit consent, but where it is applicable, institutions need to be able to demonstrate that consent is ‘freely given, specific, informed and unambiguous’. This means individuals will need to specifically opt in, rather than simply fail to opt out.

6. Considering the necessity of data collection

Continuing with the concept of consent, institutions will be required to consider whether the collection of data and its processing is actually necessary. Recognised legal bases include contract, legal obligation, vital interest, public interest or legitimate interest of the organisation. If these apply then processes must meet the requirements of GDPR.

7. Reviewing privacy notices

When accessing individual’s personal data, these individuals must be informed of the legal basis for processing their data, the retention period and the individual’s rights to complain to the ICO if they consider there to be an issue. This will typically be in the form of a privacy notice.

8. Increased consumer expectations

High profile breaches have brought damaging publicity to a number of higher education institutions. With this heightened awareness comes an increased knowledge of the individual’s rights to data privacy. Those using an institution’s systems will expect to have their data protected and may challenge where this is not obviously being promoted. Communication about GDPR compliance will be a necessary aspect of the DPO role.

9. Ensuring an individual’s rights can be upheld

Under GDPR the rights of individuals have been enhanced. They include the right to subject access, having inaccuracies corrected, having information erased, data portability and the right to be excluded from direct marketing or automated decision-making and profiling.

10. Data breach notification

GDPR introduces the mandatory reporting of data breaches to the regulator without undue delay and no later than 72 hours of becoming aware of the breach. In some cases this will apply to the data subjects as well. Higher Education istitutions therefore need to give careful thought to breach prevention and to ensuring that there is a data breach procedure in place.  Awareness in-house training for staff is a vital element of this process. Having a coherent approach to data breaches will not only ensures compliance with GDPR but has the added benefit of minimising adverse publicity.

 

SRM’s GDPR team provides a business-focused service to organisations and higher education institutions of all types and size, at all ends of the GDPR-readiness spectrum. While we provide unrivalled technical and compliance expertise, we also understand how businesses and higher education institutions operate, working with clients in the GDPR compliance process with the focus on delivering robust and effective compliance, not on selling products.

For more information on our GDPR services visit our GDPR page or our Virtual CISO service page.

To gauge your level of GDPR readiness, complete our GDPR Self Assessment Questionnaire.

Or read our blog:

How does GDPR differ from the UK Data Protection Bill?

How a CISO can exert influence at board level

 

Cyber Security Breaches Survey 2018 – shows that size matters and that numbers never lie

As with any statistical report, the numbers in the Department for Digital, Culture, Media and Sport’s Cyber Security Breaches Survey 2018 provide a dizzying variety of analytical options. However, given that the report, published last month, is subtitled ‘Preparations for the new Data Protection Act’ there are two sets of numbers which stand out.

The first relates to the fact that, when it comes to awareness, size does matter. Larger organisations are significantly more aware of General Data Protection Regulation (GDPR) and its UK counterpart the Data Protection Act (DPA). The second is that when asked about what steps had been taken to change procedures and policies, across the survey group as a whole, only 4 per cent had taken any practical steps to improve levels of compliance.

Addressing the first issue. It is perhaps not surprising that the larger the organisation, the greater the level of awareness. Of the 1,519 businesses surveyed, awareness of GDPR and the DPA was highest among large organisations (80 per cent) and lowest among micro businesses (31 per cent). Of the 569 charities surveyed, those managing over £5 million a year annual turnover had higher awareness levels (90 per cent) than those managing less than £10k (36 per cent).

As for the second issue of procedures and policies, this is where the numbers show the real picture. By the time the survey conducted by Ipsos MORI had drilled down to asking about what practical changes had been made by December 2017 to address compliance, of the original 1,519 businesses and 569 charities questioned, only 174 businesses and 70 charities were still in the survey. The rest had fallen by the wayside following questions on general awareness GDPR and the new DPA 2018.

The DPA 2018 is the UK’s solution to data protection and will replace the current UK DPA 1998.  Whilst organisations will still have to comply with GDPR, one element of the DPA 2018 is the details of how GDPR will apply in the UK, the processing that does not fall within UK law and also the EU’s Law Enforcement Directive.

Of those who remained in the survey only 36 per cent had made changes to their policies or procedures. That means that of the original total number of businesses and charities questioned only 4 per cent had made any changes in response to the forthcoming legislation. The figures are even lower for the question regarding additional staff training around the DPA and GDPR.

Clearly there is a huge amount of work to be done to bring UK businesses and charities closer to compliance. The worrying fact is that time is not on our side. From 25th May 2018 GDPR will become law and the new DPA is due to be enacted at the same time, with significantly higher fines issued to those who do not comply. Those already adhering to the existing Data Protection Act will be some way toward compliance. With awareness levels so low, however, there are many businesses which require guidance as to what the GDPR and new DPA involves and what steps need to be taken.

SRM has developed a helpful Self-Assessment Questionnaire which maps out the areas which need to be addressed and provides a practical interpretation of what these mean to organisations. Whether a large corporate or a small charity, the questionnaire highlights the areas that need to be considered.

SRM’s GDPR team provides a business-focused service to organisations of all types and size, at all ends of the GDPR-readiness spectrum. While we provide unrivalled technical and compliance expertise, we also understand how businesses operate, working with clients in the GDPR compliance process with the focus on delivering robust, efficient and effective on-going compliance, not on selling products.

SRM has operated in this environment for many years. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance. We can also take on the full Chief Information Security Officer (CISO) or Data Protection Officer (DPO) roles in either traditional part time roles or via our VirtualCISOtm.

 

SRM’s step by step self-assessment guide to GDPR readiness

For full details of the HM Government survey report see the Cyber Security Breaches Survey 2018.

 

Or see our blog:

GDPR: the world will not stand still on 25th May 2018

GDPR: a question of confidence

After GDPR, what will happen to ICO notification fees?

 

SRM Blog