GDPR

PCI DSS: With charities gearing up for contactless payments what could possibly go wrong?

More than 40 organisations, including Macmillan Cancer Support, the NSPCC, the RNLI and the Church of England, have introduced technology which means that donations can be made with a quick tap of a card. But as the charitable sector embraces contactless payments its enthusiasm must be tempered by robust compliance with the Payment Card Industry Data Security Standard (PCI DSS), or it risks a world of pain. Just one whiff of a breach will bring notoriety and loss of reputation, bringing this brave new world of charitable giving crashing down around their ears.

The driver for this new approach is clear. An NSPCC trial showed that donations made by card are higher than cash donations, and Barclaycard has estimated that charities will miss out on £80m a year if they only accept cash. Some have gone further still: the Helping Heart jacket, worn by collectors for a homeless charity, lets passers-by donate digitally by tapping the garment, and the Blue Cross 'tap dogs' wear a vest with a sewn-in pocket that holds a contactless device.

So what could possibly go wrong? Well, firstly, in spite of the benign motivation behind the new approach, there is no getting away from the fact that where there is money, there will be crime. Defences will therefore need to be geared specifically for this new technology or charities will risk fatal damage to their reputations.

Secondly, the regulatory environment is getting more stringent with the implementation of the General Data Protection Regulation (GDPR) on 25th May 2018. In addition, the Payment Card Industry continues to be vigilant when it comes to the Data Security Standard (PCI DSS). It is worth being clear that PCI DSS is not a law but a contractual obligation passed down from the card schemes through the acquiring bank; the fines and penalties for non-compliance that follow a breach are no less real for that, and charities have already found that they are not exempt from them.

If an incident occurs, swift action is required to minimise the impact of an individual attack. But prevention is always better than cure. Those organisations that retain an information security consultant to assist with PCI compliance and to ensure their defences are robust, will reduce the potential of being breached.

SRM offers a full range of services to protect the online environment. Using a range of tools from penetration testing to vulnerability assessments and network security testing, we enhance risk mitigation and ensure that the online environment of our clients is as robust as it is possible to be. We work extensively with charities and HM Government as well as businesses and organisations of all shapes and sizes across various sectors. For many we provide a bespoke retained PCI Forensic Investigator (PFI) service, working proactively through regular strategic reviews to develop enhanced risk mitigation. Anticipating the potential risk areas for attack, we provide highly-targeted, cost-effective solutions.

Given the constantly evolving world of cybercrime and the ingenuity of hackers, attacks can and do happen, however. But with a retained PFI already familiar with a charity’s systems, remediation is rapid and disruption minimal.

For more information on SRM’s PCI services please visit our website.

Or visit our blog:

Network intrusions are on the increase: time to engage a Retained Forensic specialist


Penetration testing: man vs machine

We already know that the concept of thinking like a potential hacker is the basis of penetration testing. But merely thinking like a hacker is not enough. We must also act like a hacker. They do not simply rely on their own intuitive genius to breach the systems of target organisations. They use a combination of automated tools and human intelligence to deliver their devastating results. So we must emulate this approach to secure our own defences. It is not a question of man or machine; like the hackers we must use a synergy of both.

When the HBO Game of Thrones attack occurred last August, "Mr Smith" of the so-called White Hat Hackers issued a statement which made the point that his organisation invested $400,000 to $500,000 a year on purchasing automated exploit tools. They then used the information these provided to arm their human hackers with what was required to further develop and exploit the weaknesses they discovered.

So when we at SRM develop a penetration testing strategy we use both automated tools and manual testing to deliver the best results.

Automation has a vital role to play and lays the groundwork for the penetration test. No human can deliver the rapid results that an automated tool can. Imagine yourself in a virtual world. You are in a vast chamber with hundreds of thousands of doors. Malicious hackers can get into your system through just a handful of these doors, but which ones? To identify where the vulnerability lies you must test each and every door, a task which if done manually would be time-consuming and complex. This task can, however, be completed swiftly and consistently through an automated vulnerability scan. Developed by experienced penetration testers, it identifies where the potential vulnerabilities are. A caveat: a scanner reports candidate weaknesses, not confirmed ones. It will raise false positives, it will miss flaws in business logic and authorisation that need a human to spot, and it only ever sees the hosts and applications it has been pointed at. Its output therefore puts you in a position to accurately deploy the next level of attack tool: penetration testing.

To take the analogy a step further, the penetration test, conducted by highly-trained and experienced individuals, then opens the doors that have been identified and explores deep into the underlying infrastructure to examine what is lurking behind them. At the most sophisticated level of penetration testing (Red Team engagement) we then turn that thought process on its head and also test the procedural, social and physical components to replicate the wider view of an attack. Using an adversarial mindset, we think like a motivated hacker and help to develop strategy and policy making which anticipates as yet unconsidered vulnerabilities.

To find out more about the synergy of automated and manual penetration testing, see our pre-recorded webinar in conjunction with AppCheck, our automated tool partner. In this 30 minute webinar which took place on 8th March, Andrew Linn of SRM and James Nelson of AppCheck explain how both man and machine have a role to play in a resilient defence strategy.

To log in to the webinar GDPR: the roles of manual and automated penetration testing, click here.

Or visit our blog:

What is Red Team engagement?

If prevention is to be an achievable goal we cannot rely on static defences

Or see our website Test and Exercise pages.


GDPR: 10 key issues facing UK higher education

The world of higher education is about to be turned on its head. This is due to the General Data Protection Regulation (GDPR), adopted in 2016, which will apply from 25th May 2018. It marks a new era in the world of personal data protection with accountability at its centre. Although the updating of data protection law is overdue and welcomed by consumers, it does put demanding responsibilities onto the shoulders of Chief Information Security Officers (CISOs) in higher education institutions across the UK.

True expertise in GDPR compliance is a rare commodity and few resident CISOs have had time to acquire the required skill set. For this reason, many are using the additional resource and support of specialists to ensure the compliance requirements are met and resilient strategies put in place. SRM's GDPR team has operated in the information security environment for many years and our GDPR consultants have undergone GCHQ certified training and gained GDPR Practitioner certification. As such they are uniquely well-placed to advise on the strategic implementation of GDPR. Here, they identify the key issues facing the higher education sector.

1. Awareness

It is important that everyone is aware of the changes that GDPR will bring. Vice Chancellors, executive boards, deans, academics and lecturers will all need to be aware of how the changes in data protection legislation will affect them. The mantle of data protection usually falls to the Chief Information Security Officer (CISO), who is likely to take on or oversee the role of Data Protection Officer (DPO). Appointing a DPO is mandatory for public authorities, which covers most UK universities. Note, however, that GDPR requires the DPO to act independently, to report to the highest management level and to be free of conflicts of interest, so a CISO who also decides the purposes and means of processing should not simply add the DPO title to their own role. To ensure this is done effectively, the CISO will need to have senior-level influence, with the relevant knowledge and authority to manage the process, or be given the financial resource to secure additional support and expertise from an industry professional or Virtual CISO service.

2. Information life cycle audit

Institutions will be held more accountable for the data they hold. In addition to keeping records of what personal data exists within the organisation's systems, GDPR requires a documented understanding of why information is held, on what legal basis, how it is collected, when it will be deleted or anonymised and who has access to it. Data will include everything from phone records to employment details. Some information will fall into the special categories (for example health, ethnicity or religious belief) and attracts additional protection, and all of this information needs to be mapped.

3. Incident Response

Keeping information secure is a primary requirement and there will be new obligations to report personal data breaches to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the affected individuals. Where the risk to individuals is high, for example where identity theft or financial loss is likely, organisations will also be required to inform the individuals affected without undue delay. An Incident Response plan which outlines protocols to detect, investigate and respond to personal data breaches is an important element of this process, and the clock starts when the institution becomes aware, so detection and escalation paths need to be tested, not just written down.

4. Data Protection by Design

GDPR introduces new obligations on information-handling processes and the systems that are developed. Data protection should be built in with data privacy settings being the default. It is anticipated that GDPR will require ‘data protection by design’ to be extended to existing systems within three years. Formal data protection impact assessments should be undertaken as part of the design process.

5. Demonstration of consent

Not all data processing requires explicit consent, but where it is applicable, institutions need to be able to demonstrate that consent is ‘freely given, specific, informed and unambiguous’. This means individuals will need to specifically opt in, rather than simply fail to opt out.

6. Considering the necessity of data collection

Continuing with the concept of consent, institutions will be required to consider whether the collection of data and its processing is actually necessary. Recognised legal bases other than consent include contract, legal obligation, vital interests, public task and the legitimate interests of the organisation. The legal basis must be identified and documented before processing begins, and it should be noted that a public authority cannot rely on legitimate interests for processing carried out in the performance of its public tasks.

7. Reviewing privacy notices

When collecting individuals' personal data, these individuals must be informed of the identity of the controller, the purposes and legal basis for processing their data, the retention period, their rights in relation to the data and their right to complain to the ICO if they consider there to be an issue. This will typically be in the form of a privacy notice.

8. Increased consumer expectations

High profile breaches have brought damaging publicity to a number of higher education institutions. With this heightened awareness comes an increased knowledge of the individual’s rights to data privacy. Those using an institution’s systems will expect to have their data protected and may challenge where this is not obviously being promoted. Communication about GDPR compliance will be a necessary aspect of the DPO role.

9. Ensuring an individual’s rights can be upheld

Under GDPR the rights of individuals have been enhanced. They include the right to subject access, having inaccuracies corrected, having information erased, data portability and the right to be excluded from direct marketing or automated decision-making and profiling.

10. Data breach notification

GDPR introduces the mandatory reporting of data breaches to the regulator without undue delay and no later than 72 hours after becoming aware of the breach. In some cases this will apply to the data subjects as well. Higher education institutions therefore need to give careful thought to breach prevention and to ensuring that there is a data breach procedure in place. Awareness and in-house training for staff are a vital element of this process. Having a coherent approach to data breaches will not only ensure compliance with GDPR but has the added benefit of minimising adverse publicity.


SRM’s GDPR team provides a business-focused service to organisations and higher education institutions of all types and size, at all ends of the GDPR-readiness spectrum. While we provide unrivalled technical and compliance expertise, we also understand how businesses and higher education institutions operate, working with clients in the GDPR compliance process with the focus on delivering robust and effective compliance, not on selling products.

For more information on our GDPR services visit our GDPR page or our Virtual CISO service page.

To gauge your level of GDPR readiness, complete our GDPR Self Assessment Questionnaire.

Or read our blog:

How does GDPR differ from the UK Data Protection Bill?

How a CISO can exert influence at board level


How does GDPR differ from the UK Data Protection Bill?

Discussions with clients in recent months have revealed that there is some confusion over the General Data Protection Regulation (GDPR) and the new UK Data Protection Bill (DPB) which are both due to come into effect in May 2018. Why should organisations focus on GDPR when the UK is also bringing in its own data protection legislation at the same time?

Firstly, it is important to note that in spite of the UK government triggering Article 50 of the Treaty on European Union, stating our intent to leave the European Union, Britain will still be a Member State when GDPR comes into effect on 25th May 2018. As such, all UK organisations will need to comply with GDPR until the exit process is complete. After exit, GDPR's territorial scope will still catch any UK organisation that offers goods or services to individuals in the EU or monitors their behaviour there, regardless of those individuals' nationality. For these reasons, GDPR compliance is the main focus for UK organisations.

The new DPB, which is due to come into effect in May 2018, is the UK’s updating of the existing data protection laws to bring them into line with the needs of today’s digital marketplace. The DPB contains all the main principles of GDPR and compliance with one will almost certainly ensure compliance with the other. The DPB also includes details of how GDPR will apply in the UK, specifically where Member States have been given some flexibility, otherwise known as derogations.

After Britain’s exit from the EU, the DPB (which will be known as the DPA 2018) will replace GDPR for organisations operating within the UK. It is, however, highly probable that the UK will continue to be able to trade with EU citizens. Because the DPB contains the essence of GDPR, it is expected that the UK will be awarded an adequacy decision from the European Commission. This would mean that data can flow freely between an EU member state and the UK while providing data subjects with the reassurance and confidence that an adequate level of data protection is in place.

Going forward, both the GDPR and the DPA 2018 will apply to UK organisations depending on where they operate, and an infringement will be dealt with by the supervisory authority and legal system of the jurisdiction concerned. In addition to the potential issues relating to Britain's status when it comes to sharing data with EU partners post Brexit, there are the individual countries' derogations to consider, so the best course of action is for companies that operate in several countries to ensure that they are compliant with each country's data protection laws.

As this is a complex issue, it is advisable for organisations based in the UK to consult experts in data protection requirements. SRM’s GDPR team provides a business-focused service to organisations of all types and size, at all ends of the GDPR-readiness spectrum. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance. While we provide unrivalled technical and compliance expertise, we also understand how businesses operate, working with clients in the DPB and GDPR compliance process with the focus on delivering robust and effective compliance, not on selling products.

For more information on our GDPR services visit our website.

To gauge your level of GDPR readiness, complete our GDPR Self Assessment Questionnaire.

For information on the testing requirements for GDPR register for our free webinar.

Or read our blog:

GDPR: the world will not stand still on 25th May 2018

GDPR: 10 key issues facing UK retailers

GDPR: 10 key issues facing UK retailers

The law regarding personal data will change on 25th May 2018 when the EU General Data Protection Regulation (GDPR) comes into effect. Replacing the UK Data Protection Act 1998, which was drafted long before the exponential growth of the internet, GDPR reflects the new data landscape and sets out to protect the fundamental rights and freedoms of individuals and their data. With fewer than 100 days until GDPR becomes law, the pressure is on to ensure compliance is achieved and maintained into the future.

SRM has operated in the information security environment for many years. Our GDPR consultants have undergone GCHQ certified training and gained GDPR Practitioner certification and are able to advise on the strategic management of GDPR compliance. While GDPR applies across all sectors and services, addressing the key issues of consent, security and access rights, there are a number of key issues which will directly affect retailers.

1. What is considered personal data?

In short: any information relating to an identified or identifiable living individual. That runs from mobile telephone numbers to individually named email addresses, and includes online identifiers such as cookie IDs and IP addresses where they can be linked to a person. A generic mailbox address such as info@ is not on its own personal data because it could belong to any number of individuals.

GDPR also defines 'special categories of personal data' (the successor to sensitive personal data), which include, for example, biometric data, racial or ethnic origin, political opinion, physical or mental health conditions and sexual orientation. This may not be information commonly held on customers but it is frequently held on company employees by HR departments.

If personal data has been genuinely anonymised, so that the individual can no longer be identified by any means reasonably likely to be used, it falls outside GDPR and retailers may keep that information for as long as they like. Pseudonymisation (replacing the identifier with a token, with the key or lookup table held separately) and encryption are recognised security measures that reduce the risk to individuals, but pseudonymised or encrypted data is still personal data, because the retailer can reverse the process, and GDPR continues to apply to it in full.
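The distinction matters in practice because a plain hash of an email address is often mistaken for anonymisation. The following is an added illustration, not code from SRM or from the original post, using constructed sample loyalty-card records: an unkeyed SHA-256 of a customer email can be reversed by anyone who holds a list of candidate addresses, whereas a keyed HMAC pseudonym can only be linked back by the party holding the key. That is exactly why the key must be stored apart from the analytics data set, and why the result is pseudonymised rather than anonymous.

```python
"""Pseudonymising customer identifiers: plain hashing vs keyed HMAC.

Added illustration (not SRM's code). The customer records and candidate
email list below are constructed sample data.
"""
import hashlib
import hmac
import secrets

# Constructed sample data: a handful of loyalty-card holders.
CUSTOMERS = [
    {"email": "Alice.Smith@example.com", "spend_gbp": 120.50},
    {"email": "bob@example.org", "spend_gbp": 40.00},
    {"email": "carol.jones@example.net", "spend_gbp": 310.25},
]


def normalise(email: str) -> str:
    """Canonicalise the identifier so the same person always yields the same token."""
    return email.strip().lower()


def naive_hash(email: str) -> str:
    """Unkeyed SHA-256. Looks anonymous, but is a deterministic function of a
    guessable input, so anyone with a list of likely addresses can reverse it."""
    return hashlib.sha256(normalise(email).encode()).hexdigest()


def pseudonymise(email: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 under a secret key that is stored separately
    from the analytics data set (e.g. in a KMS or HSM, not in the warehouse)."""
    return hmac.new(key, normalise(email).encode(), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes):
    """Produce the analytics copy: identifier replaced by its pseudonym, other fields kept."""
    return [
        {"customer_id": pseudonymise(r["email"], key), "spend_gbp": r["spend_gbp"]}
        for r in records
    ]


def dictionary_attack(tokens, candidate_emails, token_fn):
    """Model an attacker who holds a list of candidate addresses (a leaked
    marketing list, a breach dump) and recomputes the token for each one.
    Returns {token: email} for every token successfully re-identified."""
    table = {token_fn(e): normalise(e) for e in candidate_emails}
    return {t: table[t] for t in tokens if t in table}


def demo():
    """Run both schemes against the same attacker and return the recovery counts."""
    key = secrets.token_bytes(32)          # held by the retailer, apart from the data
    attacker_guess = secrets.token_bytes(32)  # attacker does not know the real key
    candidates = [r["email"] for r in CUSTOMERS] + ["dave@example.com"]

    naive_tokens = [naive_hash(r["email"]) for r in CUSTOMERS]
    keyed_tokens = [row["customer_id"] for row in pseudonymise_records(CUSTOMERS, key)]

    return {
        # Plain hash: every customer re-identified from the candidate list.
        "naive_recovered": len(dictionary_attack(naive_tokens, candidates, naive_hash)),
        # HMAC without the key: nothing recovered.
        "keyed_recovered_without_key": len(dictionary_attack(
            keyed_tokens, candidates, lambda e: pseudonymise(e, attacker_guess))),
        # HMAC with the key: the retailer (or whoever obtains the key) can link
        # records back, which is why this is pseudonymisation, not anonymisation.
        "keyed_recovered_with_key": len(dictionary_attack(
            keyed_tokens, candidates, lambda e: pseudonymise(e, key))),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} of {len(CUSTOMERS)} customers re-identified")
```

The same key must be used across the estate if records are to be joined, so rotating it means re-tokenising; that operational cost is the price of being able to sever the link later by destroying the key, which is the closest a retailer can get to anonymising data it has already collected.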

2. Consent

When any form of personal data is collected, from customers and employees alike, the legal basis of its processing must be considered. Consent is only one of the available bases: processing needed to fulfil an order will normally rest on contract, whereas using customer details for marketing is where consent (or the PECR 'soft opt-in' for similar products sold to existing customers) comes into play.

Customers: many retailers ask their customers for their email addresses at the point of purchase. This data is then used for marketing purposes but under GDPR retailers will need to ensure an individual’s consent is fully informed, actively and freely given. That is, they must positively affirm their willingness to be contacted. Pre-ticked boxes are not allowed.

Employees: the issue of consent also relates to the people who work for you. GDPR has made clear that the same rules of consent apply to employees and customers. Because of the imbalance of power in the employment relationship, consent from staff is rarely 'freely given', so retailers should rely on another legal basis (contract or legal obligation, for example) wherever possible and update their employee consent procedure for the limited processing where consent genuinely is the basis.

3. Profiling

Retailers profile customers in a number of ways. Data can be collected through automated forms, loyalty cards or through the use of cookies. While this information is a valuable tool when targeting online advertising, where a decision based solely on automated processing produces a legal or similarly significant effect on the customer (perhaps deals or credit are restricted to certain behavioural types), the customer has the right not to be subject to that decision without human intervention, and in any event the right to object to profiling for direct marketing.

Note that the profiling requirements of GDPR are separate from the current e-privacy rules (Privacy and Electronic Communications Regulations – PECR) which still require consent to place Cookies on an individual’s device. This regulation is also being updated at the same time as GDPR is implemented.

4. Loyalty programmes

As part of the profiling process, many retailers use loyalty cards. Where rewards under a loyalty programme might involve a customer’s data being shared with the applicable reward provider, this arrangement is likely to involve data sharing. Not only does a detailed agreement need to be in place with all parties but the ICO’s Code of Data Sharing should be considered too.

5. Data processing

The responsibility for data processing extends to all suppliers. For example delivery logistics providers as well as marketing agencies. Data processors have a responsibility for security under GDPR and all agreements should be reviewed and, where necessary, renegotiated.

Under GDPR both the retailer and its data processor suppliers must adhere to specific security requirements. This is a change from the current law where processors do not have direct liability.

6. Data breach notification

GDPR introduces the mandatory reporting of data breaches to the regulator without undue delay and no later than 72 hours after becoming aware of the breach. In some cases this will apply to the data subjects as well. Retailers therefore need to give careful thought to breach prevention and to ensuring that there is a data breach procedure in place. Awareness among suppliers and in-house training for staff are a vital element of this process. Retailers which trade across geographical borders will have to ensure that they are compliant in different jurisdictions. Having a coherent approach to data breaches will not only ensure compliance with GDPR but has the added benefit of minimising adverse publicity.

7. Access (rights of the individual)

At the moment, an individual who makes a written request is entitled to know what personal data is held on them by a retailer for a £10 fee. This charge will be removed after 25th May. In addition, once GDPR is in place there are likely to be large awareness campaigns, supported by the EU, to increase awareness of this right. These requests must be answered within one month, extendable by a further two months only for complex or numerous requests and only if the individual is told within the first month. Retailers running loyalty programmes can start preparing for this by creating a form for these types of request, reviewing what personal data is held and removing anything which has no purpose.

8. Third party suppliers

In addition to the other responsibilities relating to third party suppliers under GDPR, retailers should know that they remain ultimately responsible as controller and should address some fundamental questions: is there a written processor contract containing the terms GDPR requires with every third party processor? If the processor is based outside the EU, is there an approved safeguard in place for the transfer? Are these suppliers ready for GDPR? If the answer is no, alternative suppliers may need to be considered.

9. Cross border data flow

An essential element of GDPR compliance is identifying international data flow (including employee data) within a group of retail companies or their third party suppliers. Those operating stores or online sales across geographical borders must comply with the rules on international data transfers. The retailer's lead supervisory authority will be in the country of its main establishment, that is, where decisions about the purposes and means of processing are taken.

10. DPOs and CISOs

GDPR requires a Data Protection Officer (DPO) where an organisation is a public authority, carries out large-scale regular and systematic monitoring of individuals, or processes special category data on a large scale; a retailer tracking customers through loyalty schemes and online profiling may well fall into the second group. Even where a DPO is not mandatory, somebody, typically the DPO or the Chief Information Security Officer, needs the responsibility to manage and drive the GDPR compliance process. When GDPR comes into effect, infringements can be penalised by fines of up to 20 million Euros or 4% of global annual turnover (whichever is higher), so these officers are under a lot of pressure to deliver. SRM can support and resource in-house DPOs and CISOs or can take on the full responsibility through our VirtualCISO service.

SRM’s GDPR team provides a business-focused service to organisations of all types and size, at all ends of the GDPR-readiness spectrum. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance. While we provide unrivalled technical and compliance expertise, we also understand how businesses operate, working with clients in the GDPR compliance process with the focus on delivering robust and effective compliance, not on selling products.

For more information on our GDPR services visit our website.

To gauge your level of GDPR readiness, complete our GDPR Self Assessment Questionnaire.

Or read our blog:

GDPR: the world will not stand still on 25th May 2018

GDPR: a question of confidence

How a CISO can exert influence at board level

SRM Blog