
Data Protection Day 2016!

As it is Data Protection Day, we thought we would take a look at the current state of play when it comes to the business impact of data breaches, and it's not pretty reading…

With increasing levels of data being collected every year, now more than ever we need to ensure very high quality processes and practice in our businesses. It is certainly not something to be taken lightly, and with the changes to EU DP regulations that could result in penalties of 5% of global turnover for serious data breaches, some of the worst offenders could face a very uncertain future.

If you are unsure or need some support with Data Protection, don’t leave it to chance; get some proper guidance. Data Protection done well can be a business-enhancing function; raising everyone’s game and awareness of security. It can also mean closer examination of the need to keep all of the data a business currently stores in order to comply with the Data Protection Act.

Here are some of the latest findings on the cost of data breaches to the UK.


Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

In February, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched a whitepaper on CCTV in schools and discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection.

 

In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!). Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014, suddenly shot back up the blog statistics as people explored some of our older posts.

In April, law firms were in the sights of the ICO and we blogged about it, and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website.

In May, Ransomware was on everyone’s radar, including ours. A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and common sense reveals the huge commercial benefits.

In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no-nonsense post explaining what it meant, and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking about Attack Trees. A post that was also very well read came from Julia McCarron, who discussed the risk in continuing to run Windows XP.

In July, Social Engineering was a key topic and one of our blog posts was very well visited: The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote about hacking Planes, Trains and Automobiles, with clarity, as well as the coverage this kind of hacking was receiving.

In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and other security specialists being targeted. In August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives, and a guest post from Malcolm Charnock got hoisted back into the charts.

In September, TOR was in the press, sometimes as a hero but usually as a villain…well, perhaps not a villain but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive – The Ubiquitous Security Breach.

In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read, but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach. Marks and Spencer was discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work, and the EU Safe Harbour agreement melted away. It was a very busy month…

In November, The Bank of England expressed some firm opinions on cyber security requirements in the Financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defence material onto the notorious 4Chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbour and EU DP Regulations were also extensively read in November.

And finally, December…Well, the Advent Advent Calendar has been a festive fixture for three years now, so we had to make sure it was included and it has, as always, been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally, TalkTalk popped up in the news and in conversation again, as it emerged that Police had advised the firm not to discuss their breach.

SAFE HARBOUR RETURNS…

From Dale Penn, Advent IM Security Consultant

Safe Harbour was a process by which US companies could comply with the EU Directive 95/46/EC on the protection of personal data when transferring data “across the pond”.

Intended for organizations within the European Union or United States which store customer data, the Safe Harbour Principles are designed to prevent accidental information disclosure or loss. US companies can opt into the program, as long as they adhere to seven principles and 15 frequently asked questions and answers (FAQs) outlined in the Directive.

These principles must provide:

Notice – Individuals must be informed that their data is being collected and about how it will be used.

Choice – Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.

Onward Transfer – Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.

Security – Reasonable efforts must be made to prevent loss of collected information.

Data Integrity – Data must be relevant and reliable for the purpose it was collected for.

Access – Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.

Enforcement – There must be effective means of enforcing these rules.

Businesses have been using Safe Harbour for the past 15 years to help them get around the cumbersome checks to transfer data between offices on either side of the Atlantic.

However, earlier this month the Court of Justice of the European Union (CJEU) struck down Safe Harbour, largely due to the ability of the US intelligence services to gain access to transferred personal data. It took the view that the intelligence services had access beyond what it considered strictly necessary and proportionate for the protection of national security. Coupled to this is the lack of any right for non-US persons to seek legal remedies in the US for misuse of their data.

Do not despair! On the 29th October 2015 Reuters reported the following comments from the U.S. Secretary of Commerce, Penny Pritzker:

“The so-called ‘Safe Harbour 2.0’ agreement currently being negotiated will meet European concerns about the transfer of data to the United States, a solution is within hand”

“We had an agreement prior to the court case. I think with modest refinements that are being negotiated we could have an agreement shortly”.

So there you have it: Safe Harbour will be modified and reborn as Safe Harbour 2.0. And as the CJEU has imposed a 3 month deadline to find an appropriate solution, it should be here by early next year.

EU Data Protection Changes – What You Need To Know

Thank you to Dale Penn, one of the talented Advent IM Security Consultants for this informative guest post.


GDPR (General Data Protection Regulation)

Introduction

This January the European Commission revealed a draft of its GDPR. The European Commission is hoping to introduce the GDPR by the end of 2015 to replace the outdated EU Data Protection Directive 95/46/EC, as the current standard is not really adequate to deal with issues such as globalisation, social networks, cloud computing etc.

The GDPR is a Regulation and not a Directive, and so it will have immediate effect in all 28 EU member states after a 2 year transition period.

The GDPR includes a strict data protection compliance regime with severe penalties of up to 100M euros or up to five percent of worldwide turnover for organisations in breach of its rules.

What should it achieve?

The GDPR should provide a single set of regulations for data protection across the EU which deal with the current global environment and the advances made in communication technology and foster a baseline standard of data protection across the EU.

Key Changes

1. Non EU Businesses may still have to comply with the Regulation.

Non EU controllers (and possibly non-EU processors) that do business in the EU with EU data subjects’ personal data should prepare to comply with the Regulation. Although regulation beyond EU borders will be a challenge given the huge proposed fines, those providing products or services to EU customers or processing their data may have to face the long arm of the law if an incident is reported.

2. The definition of personal data will become broader, bringing more data into the regulated perimeter.

The Regulation proposes that data privacy should encompass other factors that could be used to identify an individual, such as the genetic, mental, economic, cultural or social identity of an individual. Companies should take measures to reduce the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.

3. Rules for obtaining valid consent will change.

The consent document should be laid out in simple terms, and there is a proposal that the consent have an ‘expiry date’. Silence or inactivity should not constitute consent.

4. The appointment of a data protection officer (DPO).

At the moment, there is still no agreement on the thresholds for appointing a DPO. There have been proposals to appoint a DPO for each company over 250 employees, and, in other instances, where companies process more than 5,000 data subjects a year.

5. The introduction of mandatory privacy risk impact assessments.

A number of proposals have suggested conditions under which a privacy risk impact assessment will be required. What seems to be clear is that a risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers are likely to have to conduct privacy impact assessments to analyse and minimise the risks to their data subjects.

6. The introduction of data breach notification.

The Data Protection Officer (DPO) will be under a legal obligation to notify the Supervisory Authority without undue delay, although the details are still subject to negotiation at present. The reporting of a data breach is not subject to any minimum threshold, and it is likely that the GDPR will provide that such breaches must be reported to the Supervisory Authority as soon as the organisation becomes aware of the data breach. Individuals have to be notified if an adverse impact is determined.

7. The right to erasure.

The right to be forgotten has been replaced by a more limited right to erasure. A data subject has the right to request erasure of personal data related to him on any one of a number of grounds.

8. Data Portability.

A user shall be able to request a copy of personal data being processed in a format usable by this person and be able to transmit it electronically to another processing system.

Aspirationally Paperless?

First published in Tomorrow’s FM February 2013 as part of the Water Cooler regular feature with FM experts: Lee Haury, Liz Kentish, Wendy Mason, Martin Pickard, Lucy Jeynes, Iain Murray and John Bowen. The discussion was inspired by Health Secretary Jeremy Hunt’s desire to see the NHS go paperless by 2018…

The Advent IM response to a paperless NHS.


Yay! Paperless was easy!

Paperless, as a concept, has been around for a long time. Look around the average office and you will see varying degrees of success in its implementation. For many it is still largely aspirational. Removing paper records does have some security benefits, presuming they were securely disposed of, of course! By this I mean you are removing one potential source of data loss, but how many of us can commit to never printing off information or emails, for instance? One security eye would always have to be on the possibility of employees doing this and valuable assets being put at risk or marching out of the door. Information is an asset, however it is stored. The NHS (for it is they and Jeremy Hunt who have inspired this discussion) has had a fairly disastrous year with Information Security and received huge monetary penalties. These breaches were not generally the result of hacks or other cyber-criminal activities but the result of poor security awareness and people doing daft things with both paper records and electronic devices.

The bottom line is, if you are going to use mobile devices and remove the need for paper records, then Security policies have to be watertight and thoroughly trained through all users; they need to know they are accountable. That means if someone decides to load a laptop with thousands of patient records, they should be challenged or potentially prevented, by policy, from doing so. For instance, if the device were used merely for securely accessing patient records as and when they were required, it would remove the need for either paper or local digital storage. Hopefully the NHS is thinking a little further than merely paperless and thinking about how the replacement digital information is going to be stored and accessed. Significant and ubiquitous awareness training is required to make a success of any such initiative and prevent patient data risk.

9 out of 10 TMTs think they are not vulnerable to cyber attack…think on…

According to the latest Deloitte Global Technology, Media and Telecommunications (TMT) survey, 88% of respondents felt their organisation was not vulnerable to cyber attack, despite almost 60% of them having already experienced at least one security breach. (You can download the full report here.)

Employees – Insider Threat

Companies also said that employee mistakes were the top threat when it comes to Information Security. Whilst it isn’t a surprise that this is the top threat, the reluctance to face the insider threat (let’s face it, it doesn’t have to be malice aforethought) has seemed hard to shake. It is something we have discussed on this blog before. It’s disappointing that, having acknowledged that employees are a real issue, only 48% of businesses offer Security Awareness training. This is creating vulnerability needlessly. Security Awareness should be an integrated part of business. Having said that, the tendency to push Security onto IT is part of the problem. IT can look after IT security, but information has to be safeguarded in all its forms, and that means anyone who uses it has to be responsible for its security. That means all employees have a part to play. This also explains why employees are the top threat to security.


BYOD

There is a growing awareness of the potential threat from increased use of mobile devices.


The co-existence of personal and business data and applications makes mobile devices highly prized for theft and also marvellous new entry points for a cyber attack. Figures from a previous survey from the Ponemon Institute showed that the majority of respondents carried sensitive data on mobile devices ‘frequently or very frequently’, yet the same survey showed that over a third of data breaches had come from lost or stolen devices and that almost 60% of employees spent no time whatsoever on data protection activities.

Given these figures, a firm grip on your organisation’s Risk Appetite and Tolerance is a must before an informed decision can be made on BYOD…

Top Down Security (or “How To Learn To Love Information Security And Get It Into The Boardroom”)

Originally published on the Darlingtons Solicitors Blog 23.11.12

Say the word ‘security’ to people and you get a variety of responses or perceptions. Some people think of manned guarding and a nice guy who works the barrier and checks the CCTV images to keep everyone safe. Others go a bit ‘Mission Impossible’ and imagine consultants dangling from wires, testing floor pressure pads in secure areas whilst hacking into the Pentagon. Still others regale you with tales of every night club they have been asked to leave by a man in a black puffy jacket.

This post is not really about any of those perceptions, it is about a business enabler and how it is placed in successful organisations. I can appreciate that compared to Tom Cruise dangling from the ceiling this may appear dull, but as far as business goes, it’s a bit more useful.

“Yeah, IT does Security”

According to the Ernst & Young Global Information Security Survey 2012, there is a real gap between where Information Security sits within organisations and where it needs to sit. As Security Consultants we know this to be true, and we are also aware that other disciplines, FM for instance, have also had a bit of a battle to get a voice in the boardroom. Given the interconnected nature of so many business areas, joining the dots and having top-down policy and behaviour has never been more important.

Milky Way and our Solar System – image Ecology.com

As we are talking about Information Security (IS), let’s put it in perspective. IT security is the vital technical security of IT such as firewalls, encryption, password policy, patches etc. How an organisation behaves with regard to the security of information is a much larger area. (If the organisation’s use of Information were the Milky Way, for instance, IT might be our solar system – see picture.) The rest of the organisation uses information in a myriad of ways, not always electronically and not always on a device (at least not one that IT is aware of…). The rest of the organisation may be vast, and so the potential for compromised information is exponentially increased. Especially if everyone thinks that “IT do security….”

IT departments traditionally do not have a formal risk assessment mechanism. Risk is something a whole business faces not simply the systems in IT – important as they may be.

An organisation’s IS needs to be aligned to its Risk Appetite – but if accountability for it is placed in IT then realising this will be challenging.

Business solutions are not always technical or IT based. At the end of the day the users are people, and people make mistakes or behave in questionable ways. Around 80% of data breaches are generally accepted to be human error or malice. Technology can’t mitigate all of that risk; you need to consider policy, procedure and education of these concepts throughout your organisation. Hopefully you can see now why we are moving out of the realms of IT and into the realms of business-centric solutions that cut across silos, not reinforce them.

“Place your bets! Place your bets!”

Risk is a part of business, without risk there is no innovation and nothing can exist for long in a vacuum. Therefore it is vital to know how far you can push something before it becomes too great a risk. Not from an instinctual level but from a tried, tested and accepted level that comes from the boardroom via regular review. So understanding your organisation’s risk appetite and tolerance is vital. Aligning your IS policy and procedure to that appetite seems logical if not essential, yet 62% of organisations surveyed did not align IS to Risk Appetite.

How then can an organisation securely implement something like Bring Your Own Device (BYOD), which sounds on the surface like an IT project – and which therefore won’t be aligned to Risk Appetite? In other words, the risk attached to allowing employees to use their own devices, which may mean access to corporate networks and drives and access to sensitive information, has not been assessed in terms of the business’s overall appetite. So rogue apps (which we hear about every week) could, for instance, be scraping data from the device on a regular basis and the user would be unaware. Previously, it was the user’s data alone that was compromised; with BYOD the scope of data available increases vastly as an organisation’s information assets open up to that user.

InfoSecurity – share the love

The Ernst & Young survey highlighted the need to bring Information Security into the boardroom. Perhaps asking who owns the risk, or who is accountable for the Information risk, is where to start. Well, according to this survey only 5% have Information Security reporting to the Chief Risk Officer, the person most responsible for managing the organisation’s risk profile. Placing responsibility within IT can cause ineffective assessment and alignment with not only Risk but with Business priorities.

If 70% of the respondents are stating that their organisation’s IS function only partially meets the organisational needs, it becomes clear that this is a ship that has set sail without a map. IS needs C-level direction and input; it needs to have the support of the board, be implemented and understood top-down, and really start to make a positive impact on business growth by enabling it to happen securely, with threat and risk awareness, accountability and mitigation.

It was initially encouraging to read that almost 40% of organisations planned to spend more on IS over the next 12 months. But on reflection, if this is going to be mainly directed by IT departments – unaligned to Risk, unconnected to the board and occupying a space relative to an organisation’s Information usage similar to that of the sun in the Milky Way – it is doubtful that the dissatisfied 70% of organisations who feel IS is not currently meeting their needs will reduce. What is concerning is that this could end up looking like wasted spend on Security, when in actual fact it is merely a potentially unwise or undirected spend. The upshot could be that, through a lack of board-level understanding, future spend then has a line run through it instead of under it.

All data sourced from Ernst & Young Global Information Security Survey 2012, all visual representation copyright of Advent IM and not to be reproduced without express permission.