Opinion

The key to GDPR is common sense

by Tom Fairfax, Managing Director

It is not often that EU-wide legislation is likened to a children’s story. Consider, however, the story of Goldilocks and the three bears. When it comes to the General Data Protection Regulation there are three types of organisation. There are those who are running around in a state of panic, going completely over the top, deleting all their data and sending frenzied emails to their databases. There are others who are simply doing nothing. Then there is the third group which is following and communicating a measured plan and, in short, doing it just right. The key is common sense.

The fact is that most people probably need to be doing something. There is a clear obligation to act and doing nothing is simply not an option. The policy of ‘let’s wait and see’ or corporate procrastination will only lead to tears at bedtime. GDPR builds on existing Data Protection legislation, protecting the rights of individuals and their data and this means that every organisation from a small voluntary group to a large multinational must have an enacted plan or risk falling foul of the regulation.

Organisations and individuals alike should already have a clear idea of what they need to do. If they haven’t they should step back and think about what personal data they hold and why.  Many of us may still be holding unnecessary levels of personal data; many of us will have failed to consider what data we actually need and many may have failed to get appropriate permissions.  For the majority of organisations it may be necessary (and possibly desirable) to have a robust data weeding project.  Some data, however, is likely to be held for legitimate operational purposes, and in some cases, its wanton destruction may disenfranchise stakeholders.

Common sense should prevail. Data collection, storage and processing should be driven by a business need and supported by appropriate permissions.  It is also necessary to think hard about when information actually becomes redundant and to have a sensible process to pick this up and delete it.  This is not new: we should really have been doing this anyway.  The ‘just right’ group will have worked out what they need to do and will have made a plan.

The important thing to remember is that whilst GDPR does not actually have an explicit compliance programme, its key intent is to ensure the safety of personal data.  For those wrestling with widespread compliance, those following the compliance guidelines of regulatory bodies such as the Payment Card Industry, Mifid II (for the financial industry) or the international standards such as ISO 27001 will have done much of the work already and will just need to understand the gaps that exist.

If a system is properly safeguarded with an inbuilt process of compliance, maintenance and development through these recognised compliance processes then many of the principles of GDPR will likely be adhered to. The job of the Data Protection Officer (DPO) or Chief Information Security Officer (CISO) is to complete due diligence to ensure this is the case. Professional expert guidance will provide these key individuals with the support they require in making these judgement calls.

It is not sufficient to simply draw up a policy, however, no matter how detailed, informed or expert it may be. Plans and policies simply demonstrate management intent. If the plan is not disseminated and implemented and if clear, understandable guidelines are not provided in a timely way, even those with a meticulous plan will simply be left with cold porridge.

 

How PCI compliance puts you on course for GDPR

For a long time the General Data Protection Regulation has been looming on the horizon but in just a few short days it will arrive; a permanent aspect of the data protection landscape. From 25th May 2018 this European-wide data protection will be a legal requirement for virtually every UK organisation. The task should not be overwhelming; particularly for those who are already PCI compliant, or working towards it. This is because the PCI compliance process means they are already well on course for GDPR. All that remains is an identification of gaps to bring systems and policies in line with GDPR.

The important thing to bear in mind at this stage is that the GDPR, although aimed at the entirety of an organisation and largely enforceable, is less prescriptive than the PCI DSS standard that already exists. GDPR provides detail about what needs protecting but very little in the way of a solid action plan.

PCI DSS on the other hand offers a detailed framework upon which to build, specifying what needs to be done and how, and even giving regular updates and guidance on reviews. The two complement each other and therefore the GDPR will be best enacted alongside the existing PCI DSS. A further aspect to note, is that a PCI breach will also be a GDPR breach, since the information on your cardholder data environment is subject to regulation by GDPR.

GDPR should not be seen in a negative way. It is a positive piece of legislation which will help to build trust. Similarly, PCI DSS compliance provides you and your customers with peace of mind that data is secure. This is the metaphorical carrot. There is also a stick: those who do not comply and suffer a breach will face loss of customer trust, enforced PFI investigations and fines.

For those that are already compliant with the PCI DSS, an annual review of the data being processed should form an integral part of the project. This ensures that any new technologies or processes are not excluded and ongoing compliance is maintained. Once you have identified the data that GDPR affects, applying the PCI approach to the implementation of the GDPR will assist greatly as the framework is already there. There will still be a few gaps to fully adhere to GDPR so professional advice will be of benefit.

And for those who aren’t PCI compliant? Seeking guidance from a qualified advisor and reviewing the gaps in their documentation, policies, training, IT systems and processes should be a pressing matter.

With one of the largest QSA teams in Europe, SRM provide unrivalled technical and compliance expertise within the PCI arena. Our GDPR team provide a business-focused service to organisations at all ends of the GDPR-readiness spectrum. For help and support, or to discuss any aspect of PCI DSS compliance or GDPR contact Mark Nordstrom at mark.nordstrom@srm-solutions.com or 03450 21 21 51.

To gauge your level of GDPR readiness, complete our free GDPR Self Assessment Questionnaire

For more information on our GDPR services, visit our GDPR page.

To view a recording of our webinar GDPR: the roles of manual and automated penetration testing, click here.

Read more on GDPR related blogs.

What we can all learn from the NHS response to WannaCry

To be truly resilient against potential attacks, it is not enough to simply look at patching the last one, but to anticipate the next. When commenting on the news that the NHS had not fared well in the recent round of cyber security checks, Matt Hancock, Secretary of State for Digital, Culture, Media and Sport summed up the issue.

He said on BBC Radio 4 last month that ‘The NHS has made improvements since the WannaCry attack last year, but one of the challenges in cyber security is that the criminals and the malicious actors who are trying to harm our space are moving fast, and you have to run to stay still. You can’t just make one update, you’ve got to constantly be updating’. NHS cyber security chiefs described their existing practices as ‘relatively unsophisticated’, and admitted that 88 of the 236 trusts that were assessed by NHS Digital failed to pass the required cyber security standards.

In spite of the negative publicity surrounding the event, the report did state that WannaCry’s lasting effect would have been significantly more widespread, had it not been so quickly disabled. With this issue front of mind, the Former Chairman of NHS Digital still blamed ‘a lack of focus and a lack of taking it seriously’.

So what actions are in the pipeline in order to safeguard the UK’s health service? Of course, every hospital authority will be ensuring that all software update patches are installed, after this proved to be the crippling weakness of the 80 trusts affected in last year’s cryptoworm attack. The majority of trusts had acted on this but the hesitation came from the potential implications and disruption to other IT and medical equipment.

Along with praising the initial response, it should be said that the robust plans going forward are setting the bar for others to follow. A cyber security ‘handbook’ is being issued to all employees, along with ongoing staff training and development; bringing the issue to the forefront and ensuring that everyone has their part to play.

Robust Incident Response, Business Continuity and Disaster Recovery plans are soon to be in place, reducing disruption to the operations even further in the event of an attack. This is to be reviewed and changed annually, in line with industry best-practice. It will work in tandem with both an annual ‘cyber incident rehearsal’ and Red Team-style engagements using ethical hacking teams that will consistently carry out both manual and automated penetration testing to the NHS networks. Finally, this links to their plans to appoint a CISO, after recognising that cyber security is indeed a board level issue and should be dealt with as such, as soon as possible.

It is these key practises that businesses across the globe should be looking to adopt into their next information security strategies. If your organisation is looking to mirror the proactive efforts of the NHS, SRM’s specialist solutions encompass the full scope of the governance, risk and compliance agenda. The trusted partner of government agencies, high street brands and SMEs alike, our bespoke and consultative approach enables our clients to achieve peace of mind.

To discuss how our services can help you stay safe in cyberspace, contact Mark Nordstrom on mark.nordstrom@srm-solutions.com or 03450 21 21 51. Or visit our website.

Read more:

Three stages to building a robust defence against external threats

How attack is the best form of defence when it comes to protecting against the rising trend in phishing and social engineering attacks

Three stages to building a robust defence against external threats

The news has been full of concerns that foreign powers are using state-sponsored hacking as a means to undermine the infrastructure of foreign powers. While it is irresponsible to scaremonger or imply that all UK organisations are at risk from a targeted hostile cyber security campaign by state sponsored hacking, it is worth every organisation taking a moment to imagine how it might fare if it were indeed attacked and use these principles to guide their defence strategy.

At the outset, however, we must consider what we are being told. In an unprecedented joint statement last week the US Department of Homeland Security, the FBI and the UK National Cyber Security Centre warned of malicious cyber activity orchestrated by state-sponsored Russian hackers who are targeting everything from network infrastructure devices to social media and even small businesses.

In November 2017, in a speech in the defence resource debate in the House of Lords, dot com entrepreneur Martha Lane Fox, who now sits in the Lords as Baroness Lane-Fox of Soho and recently joined the Joint Committee of National Security, quoted the academic John Naughton. His theory of modern warfare discusses the use of hacking as a weapon against an enemy society, identifying Russia, China and to a lesser degree North Korea as the nations most threatening to our security.

Of course, for most organisations, it is not an international super power that threatens their security, but reward-orientated hackers looking for financial gain or valuable intelligence. The same principles, however, apply whether defending against a Russian state-sponsored hacking campaign, an organised criminal hacking outfit or a lone individual.

Firstly, the only way to build a robust defence is to identify an organisation’s weaknesses and vulnerabilities. This is done through advanced penetration testing, using a synergy of automated testing, to identify potential vulnerabilities, and manual testing to exploit and develop those weaknesses so the gaps can be plugged.

Secondly, to go a level deeper, organisations should consider Red Team engagement. This is where highly skilled and trained ethical hackers get into the mind-set of a potential adversary, using a range of tools and strategies. This enables organisations to not only identify where a potential attack might take place but also builds in a level of resilience because the Red Team will identify where future vulnerabilities may lie.

The third level of defence is perhaps counter-intuitive: it is to plan for a successful attack. Where a Retained Forensics team has been engaged, through the process of developing robust defences, they will be completely familiar with a system and, as an aspect of this, will be able to develop a strategy in the event of defences being breached. This will include the preparation and testing of Incident Response, Business Continuity and Disaster Recovery plans to ensure they are up to date and ready to swing into play at the first sign of an incident. In this way any damage and disruption will be swiftly minimised and mediated.

SRM has an unrivalled reputation in all aspects of Test and Exercise and Retained Forensics as well as delivering Red Team engagement. Our team includes individuals who are CREST ethical security testers as well as those with OSCP qualifications, having undertaken a rigorous training process to learn real-life hacking skills, helping them to think creatively and with the mind-set of a genuine hacker.

For more information on SRM’s Penetration Testing, Red Team and Retained Forensics services contact Mark Nordstrom on mark.nordstrom@srm-solutions.com or 03450 21 21 51. Or visit our website.

Read more:

How attack is the best form of defence when it comes to protecting against the rising trend in phishing and social engineering attacks

Penetration testing: man vs machine

What is Red Team engagement?

 

 

 

Cyber resilience: it’s a board level issue

The problem with cyber resilience is in the name. When it comes to managing the risk posed by potential hackers and the requirement for robust testing and defence protocols, it is often frequently parked under the responsibility of the IT department. But cyber resilience is not simply something for the IT department to worry about: it should be a cause for concern for the whole board. It is a business consideration, not simply an IT one, affecting business continuity and the bottom line as well as having the potential to damage an organisation’s reputation and the very core of its business operation.

Yet recent research by management consultancy Deloitte reveals that only one in five FTSE 100 companies share detail of their testing and online business protection plans with their boards on a regular basis. In fact, the research shows that only 21 per cent of UK Blue Chip businesses regularly share security updates with their boards.

There may be good reason for this. At first glance, providing details of their penetration testing strategy, which identifies vulnerabilities within their IT systems, may be thought to provide potential hackers with valuable information. But this outlook is simplistic. Boards and investors require the reassurance that a meticulous and robust cyber resilience strategy is in place, even though they do not, and should not, require precise detail.

A more likely reason for the low profile of cyber resilience planning is the much-publicised skills shortage of cyber expertise within organisations. Deloitte found that only 8 per cent of companies had a member of the board with specialist technology or cybersecurity experience. A similar figure applies to the number of companies that also disclose having a Chief Information Security Officer (CISO) within their executive team. But if the IT department is not equipped or does not have C-Suite influence, then there is a huge potential problem. Boards should therefore look to supplementing their resource with skilled professional expertise with the required skillset and the capability of engaging board level involvement.

This is simply applying the same resource to the IT department which other departments already have. The financial department has board level representation and external expertise in the form of professional accountancy firms. No one expects the legal department to handle all the organisation’s legal requirements; professional and specialist expertise is required. A similar level of resource should be provided when it comes to cyber security. Not only should the CISO have board-level influence, but they should be supported by experienced professionals. Cyber resilience specialists have a much wider range of knowledge and experience than just one organisation, and are able to add significant value. This is not only because they can direct expenditure to meet precise requirements, but also because they can anticipate future threats.

While IT departments may currently be adequately resourced to manage on a day-to-day basis, it is not enough to simply protect against known threats. Penetration testing must go several steps further because organisations are vulnerable to a vast range of threats which are unknown and unforeseen. Experienced professionals will use a combination of automated testing, to identify the threat areas, and manual testing to develop, explore and investigate these vulnerabilities. Only in this way can organisations have any level of defence against unknown threats.

Every member of the board has an invested interest in the development and delivery of a robust cyber resilience strategy. If in doubt, each and every member of the board should ensure that it is on the agenda at every board meeting.

SRM has an unrivalled reputation in the delivery of all types of information security, including cyber resilience. With a keen awareness of how organisations operate, our team works with minimal disruption and maximum effect, providing an outstanding level of defence. However, no one can (or should) provide total guarantees; but be assured that having a retained expert with a detailed working knowledge of an organisation’s systems, means that meticulous mitigation plans will be in place and swift remedial action taken in the event of an attack, reducing its impact and minimising its disruption.

For more information on our consultancy services see our website.

Our see our blog:

Shipping news: how to manage a ransomware attack

It’s not a question of if, but when

What is Red Team engagement?

For a no obligation discussion about how SRM can support your business, contact Mark Nordstrom on mark.nordstrom@srm-solutions.com or phone 03450 21 2151.

SRM Blog