Are you ready for GDPR?
It is one thing knowing that the General Data Protection Regulation is coming and that compliance is mandatory from 25th May 2018. It is quite another to know exactly what you need to do in order to be fully compliant. This Self-Assessment Questionnaire has been developed to outline the key areas that need to be addressed and to provide a guide to your current state of GDPR readiness.
GDPR: a question of confidence
In a recent interview with SC Media, Amazon Web Services (AWS) Chief Information Security Officer (CISO) Stephen Schmidt explains how his organisation is set up for full General Data Protection Regulation (GDPR) compliance. Not only does Schmidt say that 72-hour breach reporting holds no fears for Amazon, but also that all the other requirements of GDPR are well in hand. Yet, in the run-up to 25th May 2018, few others can have such self-belief. So how can other organisations achieve similar levels of confidence?
In short, professional CISO support will provide expert guidance on building GDPR compliance into an organisation’s systems in the most cost-effective and robust manner. The first step is to know your environment and to scope what data you hold and where it is. This is a major component of then being able to move forward and determine what needs to be done and where. SRM offers both strategic-level CISO support and a Virtual CISO (vCISO™) service for smaller organisations unable to employ a resident CISO.
So, as the implementation of the General Data Protection Regulation draws closer and organisations across the UK consider their state of preparedness, it is perhaps worth considering why Stephen Schmidt is so confident that his company is ready.
Schmidt, a former FBI intelligence analyst, is unusual in more than his confidence. Firstly, he has held the CISO post at AWS for over ten years which, considering the average CISO is only in post for 2.2 years, is remarkable in itself. The second notable thing about him is that he considers it a ‘wonderful job’; not the view expressed by many resident CISOs, who feel acute stress knowing that when it comes to security and compliance the buck really does stop with them. The fact is, however, that resident CISOs of this calibre are hard to find and expensive to retain.
To read the full interview with Stephen Schmidt, see here. In summary, however, he makes (among many others) the following points:
- ‘We comply with the law in every jurisdiction in which we operate… Unlike some other folks, we don’t have to bolt privacy controls onto our services afterwards – they’re built from the beginning. Which means it’s much easier for us to be compliant with things like GDPR.’
- ‘The guiding principle here is, our customers own their data. It’s something that we give them a lot of tools on how to protect. It’s an area where we give them a lot of opportunity to encrypt, appropriately, and control their own encryption keys if they wish, and it’s up to the customer then to choose “How do I want to manage my privacy?” and “how do I want to manage access to information?”’
- ‘We do the same things that anybody else should be doing, that is, know your environment intimately, monitor it thoroughly, alarm when things exceed your normalcy thresholds, and most importantly, have a very narrowly confined long term blast radius so that if something does go wrong it can find the critical error.’
What can be learned from this? Firstly, that GDPR compliance goes far deeper than a simple tick-box exercise. Secondly, that unless you are as experienced as Mr Schmidt, it is advisable to seek professional CISO support.
SRM is at the forefront of information security in the UK. As cyber security supplier to H M Government, we understand large organisations, but our clients also include corporates, charities and SMEs. Our GDPR team provides expert guidance and is also able to scope a client’s system for frailties and vulnerabilities through bespoke penetration testing, assist with accurate data mapping and provide a whole range of additional services developed to support CISOs and DPOs at various levels from GDPR compliance to disaster recovery.
If you would like to find out more about gaining GDPR confidence, contact Mark Nordstrom at email@example.com or phone 03450 21 21 51.
Shipping news: how to manage a ransomware attack
Disproving the idea that there is no such thing as bad publicity, the shipping company Clarksons is doing its level best to limit the PR damage caused by a recent ransomware attack. They have so far done an admirable job, demonstrating that transparency is key in the early days of a breach.
Firstly, the world’s largest ship broker has admitted that the breach has taken place and that data is soon to be released. Secondly, the company has clearly set out the steps it is taking to minimise the potential damage. It has announced that it has taken immediate steps to manage the incident and is working with specialist police and data security experts. The initial investigation has shown that unauthorised access was gained via a single, isolated user account, which has now been disabled.
At the moment the exact extent of the stolen data is unknown but, because the company has refused to pay a ransom to the hacker who carried out the criminal attack on its computer systems, a large-scale leak of private data is to be expected.
In the short term, the company has been hit by the announcement. Shares in Clarksons fell by more than 2 per cent, despite the company’s insistence that the hack would not affect its ability to do business. In the longer term, however, its diligent and principled stance should stand it in good stead. Hiding a breach from the media and, even more importantly, from those who have potentially been affected is much more damaging in the longer term. Consider Uber’s recent exposure for having tried to cover up a large-scale breach.
Issues of cybersecurity are now at the forefront of most board agendas. The imminent enactment of the EU General Data Protection Regulation (GDPR) in May is bringing the issue into even sharper focus. Under the terms of GDPR and the proposed UK Data Protection Bill, fines will be significantly higher if an organisation is considered to have been negligent in the event of a breach. Investment in providing support and resources to Chief Information Security Officers (CISOs) and Data Protection Officers (DPOs) is now considered cost-effective.
Yet in today’s digital and commercial landscape even the best-resourced companies will be prey to this type of criminal attack. The most important thing is to recognise this probability and ensure that a proactive approach is taken to both defence and, in the event of an attack, incident response.
A robust defence will include an expert scoping of the system which identifies gaps in compliance and security. This is likely to include advanced penetration testing as well as retained forensics. Having a cyber security specialist involved in the correct mapping and identification of data means that, in the event of an unforeseen attack, they have the knowledge and capability to minimise and mitigate the effect of the incident swiftly. As the Clarksons incident demonstrates, the ability to deploy an immediate response is an important element of damage limitation.
Law practices are prime targets for criminals
PwC’s 25th Annual Law Firms Survey found that 73 per cent of respondents had suffered a security incident in 2016. These ranged from insider threats to the phishing of login credentials and ransomware. Routinely keeping large amounts of extremely sensitive data on file for long periods of time, law firms need to be particularly vigilant. Yet awareness, training and top-of-the-range technology solutions will only go some way towards providing a defence. Given the ingenuity of hackers, they are unlikely to be sufficient in the long term.
The good news is that the solution is not about buying lots of additional products or simply throwing money at the problem. A strategic approach will provide a more robust and more cost-effective solution. The effective scoping of the risks and vulnerabilities to which an individual firm is exposed means that defences are maximised using only precisely-targeted and relevant services.
When the EU General Data Protection Regulation (GDPR) becomes effective in May 2018, the regulatory obligations of any organisation which holds data on EU citizens become even stricter. The new legislation will not just apply to those with European customers. The current UK Data Protection Bill, which is also due to be enacted in May, enshrines the principles of GDPR in UK law. In addition to new reporting requirements, there will be a greater emphasis on mapping data: knowing exactly what information is held and where.
A specialist consultancy has the experience and expertise to ensure that top level security is provided in the most cost-effective way possible. From advanced penetration testing to compliance and regulatory issues; from data mapping to ensuring there are no gaps anywhere in the system; it is important to have an overall strategic and correctly scoped plan.
While Data Protection Officers (DPOs) and Chief Information Security Officers (CISOs) take on the day-to-day responsibility, every member of the board or partnership is also responsible for compliance. To ensure that the ever-changing cyber threat landscape is fully understood, additional support and resources are required. Just as a finance director receives support from accountants, a consultancy which operates at all levels of the cyber security spectrum will be able to provide additional expert guidance to DPOs, CISOs, boards and partners. The reputational and financial consequences of a breach can have a devastating effect on the whole firm. Board- or partner-level support for information security and compliance is therefore essential.
Our eDiscovery team is also on hand to provide technical expertise and resources for all aspects of eDiscovery, from the reduction and redaction of data to the presentation of evidence in a legally acceptable manner. SRM provides a range of highly professional, cost-effective solutions suitable for law firms of all sizes, from the provision of a low-cost ‘E-Discovery Lite’ package to the involvement of Expert Witness Forensic Consultants or the use of a Virtual Chief Information Security Officer (vCISO™).
For a no-obligation chat, contact Mark Nordstrom or call 0345 21 21 51.
GDPR has been developed to protect us from breaches like Uber
The term ‘reputational apocalypse’ has been used about the recent news of the Uber data breach cover-up. It’s no exaggeration. 57 million sets of customer and driver data were stolen back in 2016, including the email addresses, names and phone numbers of customers and the licence details of some 600,000 Uber drivers. But while the breach alone is damaging enough, what has escalated Uber’s reputational damage to an apocalyptic dimension is the manner in which the company handled it.
Rather than follow correct procedures for reporting a breach, Uber’s executive team at the time allegedly decided to identify the hackers concerned and pay them $100,000 to provide assurances that the downloaded data had been destroyed. Going to considerable lengths to hide the loss of personal data from customers and staff, Uber’s C-suite might have thought they were avoiding the negative publicity other brand names have encountered during similar breaches. By taking a stance that was neither transparent nor informative, what they actually did was to damage the company’s reputation still further.
Thankfully, Uber’s new CEO recognised the seriousness of the situation when he arrived and has undertaken full disclosure. The 2016 breach followed on from a less serious breach in 2014 which Uber also failed to disclose. The company was fined $20,000 on that occasion and may have considered, in the light of this modest fine, that the risk of non-disclosure in 2016 was worth taking. It is not yet known what penalties will be imposed for the latest breach and its consequent cover-up, but it is likely the sums involved will be punitive.
Under the EU General Data Protection Regulation (GDPR) the fines for this type of breach will be even higher. After May 2018, when GDPR comes into effect, inadequately protected organisations which suffer a breach will be penalised by fines of up to 20 million Euros or 4% of global turnover (whichever is higher). The intention behind the legislation, which is being enshrined into UK law through the new Data Protection Bill, is to prevent another Uber type breach.
For a start, if a breach does occur GDPR requires the organisation to investigate and inform victims within 72 hours. But GDPR is not simply about reporting times and fines. The essence of the legislation is for organisations to develop a more intelligent, data-centric approach to security. They will have to know exactly where their data resides, who can access it and how it is transferred. They will need to be clear about when and where data is encrypted and decrypted. They must be seen to understand the differences between private and public clouds and the cybersecurity threats specific to each. To be GDPR compliant will require many organisations to improve their data systems significantly. If they do not, they must be aware of their accountability.
Uber claimed that its ‘corporate systems and infrastructure’ were supplied by a ‘third party cloud-based service’ and that this service was the target of the breach. This is no excuse under current legislation, and the responsibility of Chief Information Security Officers (CISOs) and Data Protection Officers (DPOs) is made even clearer under GDPR. They have a responsibility to the people whose data they hold, and it is never possible to outsource that accountability.
When it comes to CISOs, the buck really does stop here. But that does not mean that they should not be provided with expert professional support.
For a no-obligation chat, contact Mark Nordstrom.