Beware the GDPR Hacktivist DDoS Threat

Posted on : 28-02-2018 | By : Tom Loxley | In : compliance, Cyber Security, Data, data security, GDPR, Uncategorized


Getting GDPReady is on most organisations' agenda at the moment. However, what if, after all the effort, cost and time spent becoming compliant with GDPR, I told you that you could have opened your organisation up to a serious distributed denial-of-service (DDoS) threat?

Whilst we all know that GDPR is a requirement for all businesses it is largely for the benefit of the public.

For instance, with GDPR individuals now have the right to have the personal data held on them by organisations revealed, or deleted under the right to be forgotten. Now imagine if masses of people, in a focused effort, decided to ask for their information at once, overwhelming the target organisation. The result could be crippling and, in the wrong hands, could be used as a DDoS-style attack.

Before we go any further let’s just consider for one moment the amount of work, manpower, cost and time involved in processing a request to be forgotten or to produce all information currently held on a single individual. Even for organisations who have mapped their data and stored it efficiently and created a smooth process exactly for this purpose, there is still a lot of effort involved.

Hacktivism is the act of hacking or breaking into a computer system for a politically or socially motivated purpose, so technically speaking your defences against other cyber attacks would normally protect you. But in this case, hacktivist groups could cause serious damage to an organisation without the need for any technical or cyber expertise, and there is even uncertainty as to whether or not it would be illegal.

So, could GDPR requests for data deletion and disclosure be used as a legal method to disrupt organisations? I am not suggesting the occasional request would cause an issue, but a coordinated mass of requests, which organisations will now be legally obliged to process, could result in a DDoS-style attack.

Organisations will be trapped by their compliance. What are the alternatives? Don't comply with GDPR and there are fines of 4% of annual turnover or 20,000,000 euros (whichever is greater). The scary thing here is: what is stopping a politically or morally motivated group that takes issue with your company from using this method? It's easy and low risk for them and potentially crippling to some organisations, so why not?

How will the ICO possibly distinguish between complaints against organisations genuinely failing to comply with the regulation and those which have been engineered for the purpose of generating a complaint?

With so many organisations still being reported as unprepared for GDPR, and the ICO keen to prove GDPR will work and to make some early examples of those who don't comply to show they mean business, my worry is that there will be a bit of a gold rush of litigation in the first few months after the May 2018 compliance deadline, in much the same way as PPI claims have affected financial services lenders.

For many companies, the issue is that the prospect of preparing for GDPR seems complicated and daunting, and the information on the ICO website is sometimes rather ambiguous, which doesn't help matters. The truth is that for some companies it will be far more difficult than for others, and finding help, either internally or by outsourcing, will be essential in their journey to prepare and implement effective GDPR-compliant policy and processes.

Broadgate Consultants can advise and assist you to secure and manage your data, assess and mitigate your risks and implement the right measures and solutions to get your organisation secure and GDPReady.

For further information, please email thomas.loxley@broadgateconsultants.com.


Data Breach – What’s the cost?

Posted on : 17-01-2017 | By : admin | In : Cyber Security, Data, Uncategorized


It's a common question. Our clients are continually grappling with quantifying the actual cost of a potential data breach to their organisation, whether to understand their risk profile, build a business case for investment plans, price cyber insurance and so on.

How do you do it, and what factors should companies keep in mind? Firstly, there are many industry statistics available which are useful as a reference point, be it from industry bodies, consultancies or vendors. Let's start with a recent study from IBM which found that the average cost of a data breach was up to $4m (from $3.8m in 2015), with the cost incurred for each record stolen increasing to $158 and the likelihood of a breach involving 10,000 lost or stolen records in the next 2 years at 26%.

These are significant numbers, but of course, as with all disclaimers, they "can go up as well as down" based on the respective business profile. So, what should organisations consider when quantifying data breach risk? Here are some of the factors that we cover when assessing and assigning a cyber value at risk:

  • Size and Scale – naturally, the amount of data that an organisation processes is a key factor, but other factors such as number of employees, business locations and currency can also affect the data breach cost
  • Company Profile – the type of business and data is one of the major factors in determining a value. If an organisation's data is sensitive, such as private health information (PHI), personally identifiable information (PII) or payment card data (PCI), then the impact can vary significantly in terms of regulatory fines and the like
  • Board Profile – not only will the company profile have an impact but also that of the board. From whether the business activities may draw unwanted attention to the profile of the individuals themselves, it is important to understand the risk that this might engender
  • Operational Impact – what would be the impact of a partial or complete cessation of business operations over various time periods? These are normally easier to quantify and, in many organisations, should already have been addressed to some extent through a Business Impact Assessment (BIA) as part of business continuity planning
  • Cause of Breach – it is important, if possible, to understand the root cause of the breach, whether externally targeted or internal through malicious activity, insufficient process, employee error or supply chain/3rd party (indeed, the latter are often the most difficult to manage and the costliest)
  • Breach Restoration – the material impact of restoring services, both in terms of the immediate resumption of business operations, which may involve resource, software and hardware, and the cost post-breach of shoring up any deficiency in people, process or technology
  • Forensics – data breaches can often be difficult to assess, not only in terms of the impact but also the extent of penetration and scale. Often, organisations will need to bring in a third-party specialist to perform these activities, which can come at significant cost. The value of this, alongside any cyber insurance, needs to be considered
  • Reputation and Disclosure – a difficult one to calculate pre-breach but nevertheless one which should be an input when determining a cyber value at risk: the impact on the bottom line (or the stock price) of losing customer confidence in products or services. Historic data helps both in quantification and in lessons learned as to how executives should react

By looking at these factors, organisations can build as good a view as possible of how much a data breach will cost. Each factor should be thought through carefully and weighted appropriately to give business leaders an assessment of both likelihood and impact. This also allows for a more targeted discussion regarding mitigating actions and the subsequent investment profile.

It’s a difficult question to answer, but not impossible.

If you would like to understand your company's cyber value at risk profile, please email assurity@broadgateconsultants.com

Cyber Insurance – What Every Business Needs To Know

Posted on : 26-02-2015 | By : kerry.housley | In : Cyber Security


Cyber insurance is a growing market in the UK. Although it has been on the rise in the last few years, it still lags way behind the US, which has a far more advanced cyber insurance market. The main reason for this is legislation. In most US states, companies are required by law to publicly disclose a security breach. As we all know, the financial consequences of having to declare a breach publicly are far reaching, so US companies seek to mitigate their losses using dedicated stand-alone cyber insurance.

In the UK it is a rather different story:

  • Only public sector companies are required to disclose a security breach with no specified time limit to do so

However, the situation is about to change with the implementation of the new European Directive on Data Protection, expected to come into effect in 2016. This reform will radically alter the security landscape in Europe:

  • It states that all data breaches must be disclosed within a specified time limit of 72 hours
  • Failure to do so will incur a heavy fine of 5% of annual turnover or EUR 100M, whichever is greater

Some see this EU Directive as the silver bullet for the growth of the UK cyber insurance market. It significantly changes the rules of the game, and UK businesses will be looking at ways to deal with the potentially devastating effects of this public admission. The fact is that no company can ever completely protect itself from suffering a breach. What it can do is take measures to limit the chances and mitigate the potentially financially crippling effects.

This is where cyber insurance comes into play.

Many businesses make the mistake of thinking that their current insurance policy will cover them for a cyber incident; in many cases it will not. Companies need a dedicated stand-alone cyber insurance policy that is right for them. However, taking out a cyber insurance policy may not mean that they are fully covered for all eventualities.

One of the problems with cyber insurance is that the business looking for the insurance does not know what it is that it needs to insure in the first place. Every company must establish its "Crown Jewels", i.e. know what its most critical information assets are. This is an absolutely essential first step to ensuring the right insurance cover is applied for.

It is critical too, on the other side of the deal, that the insurance company is clear on what it is actually insuring against and understands its liabilities. Insurance companies are not experts in information security or the technology involved. Couple that with the fact that they have very little statistical data on cyber incidents, and it becomes very difficult for them to build an accurate risk profile.

The question is, how does an insurer find out how risky a business is in terms of cyber insurance?

In the absence of data on cyber incidents, the onus is therefore on the client to establish how prepared they are to protect their information, how likely they are to suffer a breach in the first place and what measures they have in place to reduce the financial impact.

  • Robert Hartwig, President of the Insurance Information Institute, described assessing cyber insurance risk as “this is like insuring aircraft in 1915!”

The result of this difficulty, and the sometimes vague policy language, is disputes in the courtroom when policy holders make a claim.

An information security audit is the key. This way both the insurer and the client can see exactly what it is they need to cover. As a business looking for insurance, you must show that you have done everything you can to limit the possibility of a security breach and to limit its effects when it happens.

Demonstrating that a company takes information security seriously is all about good governance and best practice. In the absence of any legally binding compliance or regulation, companies must look to the various types of guidance available and adopt an approach which best suits the needs of their business. The UK Government was so concerned about this lack of common guidance that it published its 10 Steps to Cyber Security, an easy-to-follow checklist that any business can adopt to improve its information security.

Subsequently, this has been followed by the launch of its Cyber Essentials Scheme. This is a recognised cyber assurance certificate which the government hopes businesses will use as a baseline standard for their information security. By undertaking and passing the Cyber Essentials Assessment, companies can demonstrate to the insurer that they have adopted an effective good governance strategy and take cyber security seriously (if we adopt a baseline against which insurance companies can assess risk, this will greatly improve the insurance process for both sides).

The cyber security challenge is something that crosses many parties and is firmly on the agenda of world leaders. Recently, President Obama was quoted as saying:

Just as we’re all connected like never before, we have to work together like never before, both to seize opportunities but also meet the challenges of this information age

Of course, cyber insurance alone is not enough to win the information security war. What is needed is a broader strategy that companies must adopt to manage the risk, regularly reviewing the processes, procedures and technologies in place to ensure that they are keeping up with changing times.

Insurance must sit alongside this, to be there when all else has failed!

Broadgate Predictions for 2015

Posted on : 29-12-2014 | By : richard.gale | In : Innovation


We've had a number of lively discussions in the office and here are our condensed predictions for the coming year. Most of our clients work with the financial services sector, so we have focused on predictions in these areas. It would be good to know your thoughts on these and your own predictions.

Cloud becomes the default

There has been widespread resistance to the cloud in the FS world. We've been promoting the advantages of demand-based or utility computing for years, and in 2014 there seemed to be acceptance that cloud (whether external applications such as SalesForce or on-demand platforms such as Azure) can provide advantages over traditional 'build and deploy' set-ups. Our prediction is that cloud will become the 'norm' for FS companies in 2015 and building in-house will become the exception, and then mostly for integration.

'Intrapreneur' becomes widely used (again)

We first came across the term intrapreneur in the late '80s in the Economist magazine. It highlighted some forward-thinking organisations' attempts to change culture: to foster, employ and grow internal entrepreneurs, people who think differently and have a start-up mentality within large firms, to make them more dynamic and fast moving. The term came back into fashion in the tech boom of the late '90s, mainly through large consulting firms desperate to hold on to their young, smart workforce that was being snapped up by Silicon Valley. We have seen the resurgence of that movement with banks competing with tech for the top talent and the consultancies trying to find enough people to fulfil their client projects.

Bitcoins or similar become mainstream

Crypto-currencies are fascinating. Their emergence in the last few years has only really touched the periphery of finance, starting as an academic exercise, being used by the underground and cyber-criminals, then adopted by tech-savvy consumers and firms. We think there is a chance a form of electronic currency may become more widely used in the coming year. There may be a trigger event, such as rapid inflation combined with currency controls in Russia, or a significant payment firm, such as MasterCard or Paypal, may start accepting it.

Bitcoins or similar get hacked, causing massive volatility

This is almost inevitable. The algorithms and technology mean that Bitcoins will be hacked at some point. This will cause massive volatility, loss of confidence and then their demise, but a stronger currency will emerge. The reason why it is inevitable is that the tech used to create Bitcoins relies on the speed of computer hardware to slow their creation. If someone works around this or utilises a yet undeveloped approach such as quantum computing, then all bets are off. Also, perhaps more likely, someone will discover a flaw or bug in the creation process, short-cut the process or just up the numbers in their account and become (virtually) very rich very quickly.

Mobile payments, via a tech company, become mainstream

This is one of the strongest growth areas for 2015. Apple, Google, Paypal, Amazon, the card companies and most of the global banks are desperate to get a bit of the action. Whoever gets it right, with trusted, easy-to-use, great products, will make a huge amount of money, tie consumers to their brand and also know a heck of a lot more about them and their spending habits. Payments will only be the start; banking accounts and lifestyle finance will follow. This one product could transform technology companies (as they are the ones most likely to succeed) beyond recognition and make existing valuations seem minuscule compared to their future worth.

Mobile payments get hacked

Almost as inevitable as Bitcoins getting hacked. Who knows when or how, but it will happen, though it will not have as great an impact as it will on the early crypto-currencies.

Firms wake up to the value of Data Science over Big Data

Like cloud, many firms have been talking up the advantages of big data in the last couple of years. We still see situations where people are missing the point. Loading large amounts of disparate information into a central store is all well and good, but asking the right questions of it and understanding the outputs is what it's all about. If you don't think about what you need the information for, then it will not provide value or insight to your business. We welcome the change in thinking from Big Data to Data Science.

The monetisation of an individual's personal data results in a multi-billion dollar valuation for an unknown start-up

Long sentence... but the value of people's data is high and the price firms currently pay for it is low to nothing. If someone can start to monetise that data, it will transform the information industry. There are companies and research projects out there working on approaches and products. One or more will emerge in 2015, to be bought by one of the existing tech players or to become that multi-billion dollar firm. They will have the converse effect on Facebook, Google etc. that rely on that free information to power their advertising engines.

Cyber Insurance becomes mandatory for firms holding personal data (OK maybe 2016)

It wouldn't be too far-fetched to assume that all financial services firms are currently compromised, either internally or externally. Most firms have encountered either direct financial or indirect losses in the last few years. Cyber or internet security protection measures now form part of most companies' annual reports. We think that, in addition to physical, virtual and procedural protection, there will be huge growth in cyber-insurance protection, and it may well become mandatory in some jurisdictions, especially where personal data is held. Insurance companies will make sure there are levels of protection in place before they insure, so forcing companies to improve their security further.

Regulation continues to absorb the majority of budgets….

No change then.

We think 2015 is going to be another exciting year in technology and financial services and are really looking forward to it!