Beware the GDPR Hackivist DDoS Threat

Posted on : 28-02-2018 | By : Tom Loxley | In : compliance, Cyber Security, Data, data security, GDPR, Uncategorized


Getting GDPReady is on most organisations' agenda at the moment. However, what if, after all the effort, cost and time spent becoming compliant with GDPR, I told you that you could have opened your organisation up to a serious distributed denial-of-service (DDoS) threat?

Whilst we all know that GDPR is a requirement for all businesses it is largely for the benefit of the public.

For instance, with GDPR individuals now have the right to have the personal data held on them by organisations revealed, or deleted under the right to be forgotten. Now imagine if masses of people, in a focused effort, decided to ask for their information at once, overwhelming the target organisation. The result could be crippling and, in the wrong hands, could be used as a DDoS-style attack.

Before we go any further let’s just consider for one moment the amount of work, manpower, cost and time involved in processing a request to be forgotten or to produce all information currently held on a single individual. Even for organisations who have mapped their data and stored it efficiently and created a smooth process exactly for this purpose, there is still a lot of effort involved.

Hacktivism is the act of hacking or breaking into a computer system for a politically or socially motivated purpose, so technically speaking your defences against other cyber attacks would normally protect you. But in this case, hacktivist groups could cause serious damage to an organisation without the need for any technical or cyber expertise, and there is even uncertainty as to whether or not it would be illegal.

So, could GDPR requests for data deletion and anonymity be used as a legal method to disrupt organisations? I am not suggesting the occasional request would cause an issue, but a coordinated mass of requests, which organisations will now be legally obliged to process, could result in a DDoS-style attack.

Organisations will be trapped by their compliance. What are the alternatives? Don't comply with GDPR and there are fines of 4% of annual turnover or 20,000,000 euros (whichever is greater). The scary thing here is: what is stopping a politically or morally motivated group who takes issue with your company from using this method? It's easy and low risk for them and potentially crippling to some organisations, so why not?

How will the ICO possibly select between the complaints of those organisations genuinely failing to comply with regulation and those which have been engineered for the purpose of a complaint?

With so many organisations still being reported as unprepared for GDPR, and the ICO keen to prove GDPR will work and make some early examples of those who don't comply to show they mean business, my worry is that there will be a bit of a gold rush of litigation in the first few months after the May 2018 compliance deadline, in much the same way as PPI claims have affected financial services lenders.

For many companies, the issue is that the prospect of preparing for GDPR seems complicated and daunting, and the information on the ICO website is sometimes rather ambiguous, which doesn't help matters. The truth is that for some companies it will be far more difficult than for others, and finding help, either internally or by outsourcing, will be essential in their journey to prepare and implement effective GDPR-compliant policy and processes.

Broadgate Consultants can advise and assist you to secure and manage your data, assess and mitigate your risks and implement the right measures and solutions to get your organisation secure and GDPReady.

For further information, please email thomas.loxley@broadgateconsultants.com.


INTERNET 1 – INTERNET OF THINGS 3

Posted on : 28-02-2018 | By : richard.gale | In : Cyber Security, data security, IoT


Each month we will be taking a more in depth look at our Broadgate Predictions for 2018.

Is there anything left which is not internet connected? Two years ago, there were very few people that had any interest in communicating with a lightbulb, apart from flicking a light switch. Now IoT-connected lightbulbs appear to be everywhere, and the trend will grow and grow. The speed at which this is happening is accelerating and the scope of connected devices is expanding beyond belief. Who would have thought we needed a smart hairbrush!

Use of IoT Devices Surges to 49%

Consequently, in the same way the Internet of Things has transformed our home lives, it has proved to be highly beneficial for organisations, speeding up business processes and improving efficiency, service and process management. Gartner predicts the use of IoT devices will have surged to 49% by the end of this year. As companies race ahead to become more connected in this way, few organisations are pausing to think about the enormous risks they face by embracing this technology. We are allowing these devices to listen to, see and control parts of our lives, and the data they gather has value for both good and bad reasons. There is no 'culture of security' for IoT. Many of the devices are cheaply designed and manufactured with no thought towards security or data privacy. We are allowing these devices into our lives and we don't really know what they know, or who knows what they know.

Devices Poorly Protected

For business, the danger is that the adoption of these mobile devices creates an influx of additional entry points into the corporate network over WiFi or Bluetooth, creating a major security risk. These devices are poorly protected, with little or no security measures applied. It is not always easy, or even possible, to install anti-virus software on all your IoT devices, and there are no common security standards to follow, which makes it very difficult for organisations to create an end-to-end security solution.

Hackers New Target

It is estimated that by 2020 25% of all cyber attacks will be via IoT. In most cases hackers aren't targeting the user; instead they use this security loophole as a gateway into an organisation's wider corporate network. This scenario was used in the well-known Target attack, where hackers stole valuable personal customer data by gaining access to the Target store system network via the internet-enabled store heating system. Not all attacks are of this scale, but it illustrates how easy it is to use these devices to gain unauthorised access to an organisation.

The "Gold Rush"

The IoT is inherently insecure, as the convenience far outweighs the security concerns. The current IoT landscape can be compared to the early days of the internet, when viruses, worms and email spam plagued users. Many companies raced to join the internet 'gold rush' without necessarily considering the importance of internet security. We are now in a world where firms may need to double or treble their IT security budget just to protect against the threat from wireless light bulbs and thermostats.

These may be clichéd examples, but there are essential applications that organisations use IoT for, which include managing heating across locations and financial transactions. IoT is also used in manufacturing, where devices operating in a machine-to-machine (M2M) environment without underlying security have the potential to cause major security breaches.

Standardisation

So, we can see that the very technology that can greatly improve the performance of your business is the same technology that, if exploited, poses a great security threat to your information. It is crucial that steps are taken to tackle this security issue, but this is unlikely unless government, industry and consumers work together to drive forward the necessary changes to provide much-needed safeguards.

In 2017, the United States proposed a new bill that would introduce standards for IoT devices purchased by the US government. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require IoT vendors to ensure that the devices can be patched when security updates are available; that the devices do not use hard-coded (unchangeable) passwords; and that devices are free from known vulnerabilities when sold. This is a good start, but many people think that legal enforcement of the bill may be difficult, with a great deal of reliance on individual users to adhere to the legislation.

Some industry leaders are also starting to take the issue seriously, such as Cisco, who are proposing an IoT framework.

Secure the IoT Revolution

There is no doubt that IoT can revolutionise the way we work, bringing many benefits to the way organisations operate. However, it’s crucial that the security concerns are addressed to prevent them from doing more harm than good.

For 2018, standardisation of IoT devices is a must. It is essential that devices are secure by design, rather than security being included as an afterthought. The failure of any business to act now to protect itself is incomprehensible. If they don't, they are sleep-walking into a security crisis.

Are you ready to take advantage of Robotic Process Automation?

Posted on : 28-02-2018 | By : richard.gale | In : Innovation, Uncategorized


Robotic Process Automation or RPA is growing fast. We were initially sceptical as to how innovative it actually is but are always looking for ways to help our clients (and Broadgate!) work more efficiently.

RPA technology, sometimes called a software robot or ‘bot’, mimics a human worker, logging into applications, entering data, calculating and completing tasks, and logging out.

RPA software isn’t really part of an organisation’s IT infrastructure. It sits above, enabling a company to implement the technology quickly and efficiently without changing the existing infrastructure and systems.

RPA could be seen as a 'tactical' approach to solving a business problem. In the long term the 'bots' should be replaced by strategic solutions, but the advantage of quickly being able to make a process more efficient and remove human error can deliver immediate efficiency gains. And we all know how long these tactical solutions can remain in place...

The evolution of RPA

Although the term “robotic process automation” can be traced to the early 2000s, it had been developing for a number of years previously. We worked on screen scraping applications in the early ’90s to help turn ‘green screens’ into newly fashionable GUI applications.

RPA evolved from three key technologies: screen scraping (mimicking user interaction), workflow automation and artificial intelligence.

Screen scraping is the process of collecting screen display data from a legacy application so that the data can be displayed by a more modern user interface. The advantages of workflow automation software, which eliminates the need for manual data entry and increases order fulfilment rates, include increased speed, efficiency and accuracy. Lastly, artificial intelligence involves the ability of computer systems to perform tasks that normally require human intervention and intelligence.

Benefits of RPA

Robotic process automation technology can help organisations on their digital transformation stories by:

  • Creating cost savings for manual and repetitive tasks
  • Enabling employees to be more productive
  • Enabling better customer service
  • Ensuring business operations and processes comply with regulations and standards
  • Allowing processes to be completed much more rapidly
  • Providing improved efficiency by digitising and auditing processes

Applications of RPA

Some of the applications of RPA include:

  • Financial services: Companies in the financial services industry can use RPA for foreign exchange payments, automating account openings and closings, managing audit requests and processing insurance claims.
  • Customer service: RPA can help companies offer better customer service by automating call centre tasks, including verifying e-signatures, uploading scanned documents and verifying information for automatic approvals or rejections.
  • Accounting: Organisations can use RPA for general accounting, operational accounting, transactional reporting and budgeting.
  • Supply Chain:  RPA can be used for procurement, automating order processing and payments, monitoring inventory levels and tracking shipments.
  • Healthcare: Medical organizations can use RPA for handling patient records, claims, customer support, account management, billing, reporting and analytics.
  • Human resources: RPA can automate HR tasks, including onboarding and offboarding, updating employee information and timesheet submission processes.


What’s so different from regular automation?

What distinguishes RPA from traditional IT automation is the ability of the RPA software to be aware of and adapt to changing circumstances, exceptions and new situations.

Once RPA software has been trained to capture and interpret the actions of specific processes in existing software applications, it can then manipulate data, trigger responses, initiate new actions and communicate with other systems autonomously.

RPA software is particularly useful for organisations that have many different and complicated systems that need to interact together fluidly.

For instance, if an electronic form from a Compliance system (such as know your customer) is missing a postcode, traditional automation software would flag the form as having an exception, and an employee would handle the exception by looking up the correct postcode and entering it on the form. Once the form is complete, the employee might send it on to Compliance so the information can be entered into the approved customer system.

With RPA technology, however, software that has the ability to adapt, self-learn and self-correct would handle the exception and interact with the payroll system without human assistance.

What to look for in RPA software

When enterprise leaders look for RPA technologies, they should consider a number of things, including:

  • Simplicity: Organisations should look for products that are simple enough that any employee in the business can build and use them to handle various kinds of work, including collecting data and turning content into information that enables leaders to make the best business decisions.
  • Speed: Enterprises should be able to design and test new robotic processes in a few hours or less, as well as optimise the bots to work quickly.
  • Reliability: As companies launch robots to automate hundreds or even thousands of tasks, they should look for tools with built-in monitoring and analytics that enable them to monitor the health of their systems.
  • Intelligence: The best RPA tools can support simple task-based activities, read and write to any data source, and take advantage of more advanced learning to further improve automation.
  • Scalability: Organisations shouldn’t select RPA software that requires them to deploy software robots to desktops or virtualised environments. They should look for RPA platforms that can be centrally managed and scale massively.
  • Enterprise-class: Companies should look for tools that are built from the ground up for enterprise-grade scalability, reliability and manageability.

Prerequisites for robotic process automation

  1. Are you able to describe the work? This doesn’t mean your documentation exists or is current. The task could be described by recording a user performing their work on a computer including how they handle exceptions.
  2. Is the work rules-based rather than subjective? Robots need to be prepared (aka taught, trained, configured) to perform specific actions on your systems. Current technology is insufficient for a robot to determine on its own what to do when faced with a new situation.
  3. Is the work performed electronically? It doesn’t matter how many different applications are required or whether they are in-house, cloud-based, Citrix, desktop or mainframe.
  4. Is the required data structured (or could it be structured)? If not, you may be able to utilise an OCR and/or cognitive application capable of structuring the file. Alternatively, you could have people enter the data into a structured format.

Disqualifiers for robotic process automation use cases

  1. Process stability. If your organisation keeps changing the process (e.g., responding to competitive factors or new sources of information), then it may not be the right time to automate it. Despite investing resources to stabilise the current activity, you may end up with too much maintenance to keep your automation aligned to business needs.
  2. Target application suitability. Some applications are harder for robots to use than others; it's a fact that vendors don't really like to highlight in the sales process. Starting with an especially challenging target application could delay the whole programme, cause fatigue in leadership and put your credibility at risk. If you have to do it, make sure that you build in an accurate view of the time required.

Organisational impacts of RPA

Though automation software is expected to replace up to 120 million full-time employees worldwide by 2024, many high-quality jobs will be created for those who maintain and improve RPA software.

When software robots do replace people in the enterprise, managers need to be responsible for ensuring that business outcomes are achieved and new governance policies are met.

Robotic process automation technology also requires that the CIO take more of a leadership role and assume accountability for the business outcomes and the risks of deploying RPA tools.

Additionally, the COO, CIO and HR, as well as the relevant executive who owns the process being automated, should all work toward ensuring the availability of an enterprise-grade, secure platform for controlling and operating bots across systems.

Where the robotic process automation market is heading

One report expects the RPA market to reach $5 billion by 2024. The increased adoption of RPA technologies by organisations to enhance their capabilities and performance and boost cost savings will reportedly drive the growth of the robotic process automation market most during that time.

We are excited that the mix of technologies and domain business expertise will enable this growth and we are focusing on growing our skills in this area.