Tag Archives: business

Webinar – Outsource Magazine – March 16th

Outsource magazine: thought-leadership and outsourcing strategyWe want to wish Outsource Magazine good luck as they relaunch their webinar program, Time to talk Talks.

This is the program in the words of the Editor,  Jamie Liddell…

Each month (the third Wednesday of every month, to be specific) I’ll be sitting down with four or five luminaries from different corners of the community, to discuss what’s hot (and what’s not) for them in a series of short one-on-one interviews, before throwing the panel to the mercy of the audience for some general Q&A in the second half of the show.

Mike Gillespie_headshotWe are also delighted that one of the luminaries on the launch webinar, will be our very own, Mike Gillespie. Don’t forget to email questions in ahead of the event and sign up via the link…

http://outsourcemag.com/time-to-talk-talks/

 

 

Advertisements

Data Protection Day 2016!

As it is Data Protection Day, we thought we would take a look at the current state of play when it comes to business impact from data breach and its not pretty reading…

With increasing levels of data being collected every year, now more than ever we need to ensure very high quality processes and practice in our businesses. It is certainly not something to be taken lightly and the changes to EU DP regulations which could result in penalties of  5% of global turnover for serious data breaches, it could actually mean some of the worst offenders face a very uncertain future.

If you are unsure or need some support with Data Protection, don’t leave it to chance; get some proper guidance. Data Protection done well can be a business-enhancing function; raising everyone’s game and awareness of security. It can also mean closer examination of the need to keep all of the data a business currently stores in order to comply with the Data Protection Act.

Here are some of the latest findings on the cost to UK of Data Breach.

data protection day 2016

SAFE HARBOUR RETURNS…

From Dale Penn, Advent IM Security Consultant

Safe Harbour was a process by which US companies could comply with the  EU Directive 95/46/EC on the protection of personal data when transferring data “across the pond”

Intended for organizations within the European Union or United States which store customer data, the Safe Harbour Principles are designed to prevent accidental information disclosure or loss. US companies can opt into the program, as long as they adhere to seven principles and 15 frequently asked questions and answers (FAQs) outlined in the Directive.

These principles must provide:

Notice – Individuals must be informed that their data is being collected and about how it will be used.

Choice – Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.

Onward Transfer – Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.

Security – Reasonable efforts must be made to prevent loss of collected information.

Data Integrity – Data must be relevant and reliable for the purpose it was collected for.

Access – Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.

Enforcement – There must be effective means of enforcing these rules.

Businesses have been using Safe Harbour for the past 15 years to help them get around the cumbersome checks to transfer data between offices on either side of the Atlantic.

However earlier this month the Court of Justice of the European Union (CJEU) stuck down Safe Harbour largely due to the ability of US intelligence service to gain access to transferred personal data. It took the view that the intelligence service had access beyond what it considered strictly necessary and proportionate for the protection of national security. Coupled to this is a lack of any right for non-US persons to seek legal remedies in the US for misuse of their data.

Do not despair! On the 29th October 2015 Reuters reported the following comments from the U.S. Secretary of Commerce, Penny Pritzker:

               “The so-called “Safe Harbour 2.0” agreement currently being negotiated will meet                               European concerns about the transfer of data to the United States, a solution is within hand”   

               “We had an agreement prior to the court case. I think with modest refinements that are                being negotiated we could have an agreement shortly”.

iStock_000014878772MediumSo there you have it Safe harbour will be modified and reborn as Safe Harbour 2.0. And as the CJEU have imposed a 3 month deadline to find an appropriate solution, it should be here by early next year.

Banking on Good Cyber Security

Julia McCarron reflects on the news that regulators are almost at the point of requiring major financial services companies to participate in a cyber security testing programme, according to the Bank of England.

It was nice to see the Bank of England talking about cyber security recently, and the importance it sees in testing awareness and resilience amongst the financial sector.

iStock_000015672441MediumIn May 2015, the CBEST scheme for firms and FMIs considered core to the UK financial system, was launched to test the extent to which they are vulnerable to cyber attacks and to improve understanding of how these attacks could undermine UK financial stability.

The scheme is currently voluntary and testing services are delivered by an approved list of providers regulated by CREST, a not for profit organisation that represents the technical information security industry.

The voluntary aspect of this is arguably what could make, what appears on the face of it to be a worthwhile initiative, ultimately unsuccessful. That said vulnerability scanning, assessments and penetration testing should frankly already be part of a financial institutions make up. So, if it’s not, the Bank of England is right be “expressing concern”.

The most interesting element of the Bank of England’s discussions though was that when talking cyber security they acknowledged that it’s not all about technical controls. I quote in respect of them keeping their own house in security order,

“Technical controls put in place had strengthened the Bank’s ability to prevent, detect and respond to attacks. But no technical fix could guarantee security 100%, so at the same time significant effort had been made to improve security awareness among all staff, and incident handling procedures had been strengthened“.

iStock_000013028339MediumThis is something we have evangelised about for years. Technical controls are not the answer. They are only part of the answer. We all know that the majority of security beaches are caused by staff, mostly unintentionally, due to lack of security awareness and training. It’s all very well having a state of the art lock on the front door but if no one knows how to use it what is the point in it being there? You might as well invite the burglar in for a cup of tea and a slice of cake.

The Bank also jumped on the Advent band wagon by mentioning that regulators have been discussing the importance of cyber security being a board room issue for companies particularly in relation to governance. Again, check our archives. We’ve worn down the drum from beating that point so hard and for so long. A security culture will only be successful if it’s supported from the top down. Otherwise it’s a constant uphill walk on the down escalator.

phishOne initiative the Bank took to improve security awareness is one which is growing in popularity, especially amongst large organisations and data centres – ‘Phishing Attack Testing’. This is where a fake phishing email is sent to staff and monitored a) as to how many times its opened, b) as to how many times its reported c) as to how many times the link is clicked and by whom. This helps to raise awareness of the issues of suspicious emails and target staff training. The Bank claims it is personally seeing a decline in staff “taking the bait” and an increase in security incident reporting. A report by Verizon in 2014 stated that as many as 18% of users will visit a link in a phishing email which could compromise their data. This against a backdrop of phishing being not only on the rise but getting more sophisticated in its presentation. So more should follow in the Bank of England’s footsteps when it comes to raising awareness against this type of attack.

iStock_000015534900XSmallSo there are a number of positives we can take away from the Bank of England’s discussions on cyber security:

  1. Technical vulnerability testing is encouraged;
  2. It’s not all about the technical controls; don’t forget to train you staff;
  3. A security culture must start in the boardroom;
  4. Make staff aware of the perils of phishing emails through fake attack testing.

No more Safe Harbour…or Harbor

European Court of Justice has ruled that transatlantic data sharing agreement is invalid. What does this mean for UK businesses that utilise US datacentres or Cloud services?

Advent IM Director Mike Gillespie, “There are issues arising from this ruling that require the urgent attention of UK businesses and they need to be aware of the legislative implications of how they plan to store and manage data”.

For some time now, hosting companies, system support and system management companies, contact centres and most recently cloud providers have been selling their services, some or all of which reside in the US, into the EU. These companies have consistently cited Safe Harbor as the assurance that EU citizen data would be afforded the commensurate level of protection that it would receive from an EU/EEA member state.

The inception of Safe Harbor predates the US Patriot Act, legislation which, many people feel made a nonsense of Safe Harbor. This has been widely documented and discussed by Data Protection practitioners for some time now and, whilst there have been ongoing negotiations, the European Commission appears to have made little progress. Meanwhile any EU Citizen data resident in US servers remained vulnerable to release to US authorities.

In one fell and rather final swoop, the Court removed the blanket approval for data transfers to the US. This now allows for individual national Data Protection Authorities (ICO in UK) to scrutinise any proposed transfers to ensure that transfers guarantee the rights to privacy and freedom from surveillance afforded each of us by the Charter.

Of course one way to attempt to get round the issue could be by following the EU Model Clauses route, an option often deployed by organisations in the past wanting to transfer data to/allow data processing in non-EEA or other trustworthy countries ie India. This option required the inclusion of a series of model clauses into contracts which effectively bind the Data Processor to abide by the principles of EU Data Protection. However, which takes precedence, contract law or the Patriot Act? Can a commercial contact ensure the privacy of EU Citizens personal data and guarantee it to be free from disclosure to US Authorities? This seems highly unlikely.

A further option could be implementing Binding Corporate Rules (BCRs) which are “designed to allow multinational companies to transfer personal data from the EEA to their affiliates located outside of the EEA”. So far so good as this sounds just the ticket especially for multinational hosting providers and cloud computing providers?

However for BCRs to work, applicants must demonstrate that their BCRs “put in place adequate safeguards for protecting personal data throughout the organisation”.

How can any company hosting data inside the US offer this? In reality they probably cannot.

The truth is, EU Citizens data protection cannot be guaranteed once it’s transferred to the US, this has been acknowledged so finally that the EU Commission and member states’ Data Protection Authorities have an imperative to do something about it.

The fallout from the decision is yet to be felt but could have far reaching for some organisations. The ICO has been at pains to point out that the ruling does not mean there is an increase in threat to people’s personal data. However, companies will need to review how they ensure that data transferred to the US complies with legislation. Safe Harbor was not the only regulation available for transfers between the US and EU but it was the most widely used.

So what does this mean in the short term? Immediately little will probably happen. The ICO are considering the judgement and will be issuing guidance in due course. A new Safe Harbor agreement is also currently being negotiated between the EU and US, and has been in negotiation for the last two years, following the Snowden revelations. Once various authorities have cogitated over the ruling we will then need to assess the full impact on organisations moving forward as more guidance is released. In the meantime, a review of current practices is recommended by those organisations transferring data to the US.

Issued:  08.10.15                             Ends                                     Ref: safeharbor-01-Advent -MG

NOTES TO EDITORS

About Advent IM

Advent IM is an independent specialist consultancy, focusing on holistic security management solutions for information, people and physical assets, across both the public and private sectors. Established in 2002, Advent IM is a centre of excellence for security services, promoting the benefits of best practice guidelines and standards and the need to address risk management to protect against potential threats.
From its offices in the Midlands and London, its Consultants work nationwide and are members of the CESG Listed Advisor Scheme (CLAS), Institute of Information Security Professionals (IISP), The Security Institute (SyI), Business Continuity Institute and British Computer Society.

Consultants are also Lead Auditors for the International standard for information security management (ISO 27001) and business continuity management (ISO 22301), Practitioners of PRINCE2, a recognised project management methodology widely used within the public sector, CISSP qualified and Home Office trained physical security assessors.

DDoS attacks cause an average jump of 36% in customer complaints

According to research commissioned by BT through Vanson Bourne, on average customer complaints to businesses increase by 36% in the aftermath of a Distributed Denial of Service (DDoS) attack.

It seems like a staggering uplift but when you consider that in the UK alone the same research revealed that almost 60% of businesses admitted DDoS attacks had bought down their systems for six hours or more…a whole working day, it becomes less staggering. Around half (49%) of UK organisations to not have a response plan in place, so in actual fact the damage from a DDoS attack could potentially continue for a considerable period after the event.Add to that the reputational damage and you can start to see why it is so vital for businesses to really get to grips with what they are dealing with.

So if a DDoS attack takes out a network or possibly a data centre for six hours and this is apparently increasing and becoming more sophisticated, surely this should be much higher up the boardroom agenda than it is? I recently read that Cyber security ranked third in importance in boardrooms (KPMG). This initially seemed a little ambitious to be honest. Though when I examine the statement more carefully…third in importance in the boardroom, so that means of the businesses that actually have cyber security represented in the board room (alongside other business functions such as HR or Finance), it is averaging in third place. However we know that around half of organistions don’t ever discuss Information Security at the top level of their organisation.(Ponemon Institute). So effectively what we are actually saying is that we have a handful of organisations discussing this as a Business critical function but even they don’t have it as top priority despite the fact it could effectively be a deal breaker in terms of customers and reputation…

Advent IM Cyber Security Experts

 

 

 

Cyber Security on BBC Radio 5 Live (update)

Our MD, Mike Gillespie, whom some of you will have met at various Security events, is due to appear live on Radio 5 Live on Monday 31st March at 10am. (subject to the issues that live broadcast can throw up and that no one can control, of course!)

The piece will be on Cyber Security and should also include a representative from The Cyber Security Challenge.

 Here is the Listen Live link http://www.bbc.co.uk/5live

Advent IM BBC Radio 5 Live

Mike Gillespie – Advent IM MD and Director for Cyber Strategy and Research for The Security Insititute

****UPDATE**** Thanks to everyone who tuned in. If you missed it, I am hoping we can host a digital copy soon. Watch this space*** 

http://www.professionalsecurity.co.uk/news/interviews/cyber-on-5-live/