GDPR – Are You Ready?

Posted on : 30-04-2018 | By : kerry.housley | In : compliance, Consumer behaviour, Cyber Security, Data, data security, GDPR


It is less than a month until the General Data Protection Regulation (GDPR) comes into force, but after two years of preparation, how many businesses are GDPR ready? The latest flurry of figures suggest that many businesses are nowhere near prepared for the new legislation’s demands that they: re-establish a legal basis for using people’s data (whether that’s consent or otherwise), are able to quickly respond to subject access requests, can delete people’s data if asked to, the list goes on!

So, what does all this mean for your organisation? Well, firstly, there is no need to panic. Hopefully, you have made a start on your compliance journey, even if you’re not going to make the deadline. Any business that deals with personal data in the UK is currently bound by the terms of the Data Protection Act. If you comply with the Data Protection Act, then you will have made a great start towards GDPR compliance. Regardless of GDPR, any business that takes the needs of its customers seriously will already be taking all the appropriate steps to protect its customers’ information. Cyber crime and data theft are ever increasing, and organisations must be prepared for a breach and be confident they can deal with it quickly with minimum fallout. Reputational damage can lose you customers and seriously dent your profits.

There has been much GDPR hype over the last few years, with talk of extortionate fines and punitive actions should your business fail to comply. The frenzy whipped up by the media and the new GDPR “experts” is unfounded, says Elizabeth Denham, the Information Commissioner. The Information Commissioner’s Office (ICO) does not intend to start dishing out harsh fines as soon as the regulation comes into force, and neither will it target smaller organisations because they are easier to catch. The purpose of the ICO has always been to protect people’s data and to help businesses do this by providing policy and guidance. It follows a carrot-before-the-stick approach and has always viewed issuing large fines as a last resort. Ms Denham has been quoted as saying the implementation of GDPR will not alter this business-friendly approach.

That said, there is no denying the new regulation and the obligations placed upon all businesses to comply. At this late stage, with around a month to go, all organisations that have not yet addressed GDPR should try to achieve as much as possible in the run up to the 25th May deadline, to build up their compliance and demonstrate that information security is a priority for their business.

  • It is important to show that your organisation takes GDPR seriously, has taken action and has a plan in place to become GDPR ready.
  • Evidence of action taken is crucial.
  • Review all the personal data you hold: where it is, what it is, why you need it, how long you need to hold it for, and who you share it with.
  • Identify whether you are the data controller or the data processor for this data.
  • Review all policies and procedures in place around data protection and identify any gaps.
  • Review all contracts with parties who process personal data on your behalf, and update those contracts with a data privacy clause showing that the processor is protecting the data on your behalf as the controller.
  • Demonstrate that you have tried and tested Incident Response and Data Recovery plans in place should a breach occur.

You’re far less likely to suffer a significant fine if you show documentation of the GDPR compliant processes you have implemented and show a detailed roadmap of achieving anything that you still need to do.

GDPR isn’t all about the race to comply. Once you have tackled your data protection issues your customers will be happy, and you will have minimised the data breach risk for your organisation. Everyone’s a winner!

Insurance companies and their Cyber Insecurity

Posted on : 26-02-2016 | By : kerry.housley | In : Cyber Security, Finance


In October 2015 all UK insurers were asked to provide details of their cyber resilience to the Prudential Regulation Authority. The Bank of England has been concerned about UK financial institutions’ cyber resilience for some time now and has extended that focus to the insurance sector. The regulator is keen to understand the current policies and capabilities of the insurers and the steps they are taking to protect their information. Should they be found to have inadequate measures in place, strong action will be taken against them.

Information security is also a key focus for the FCA (Financial Conduct Authority). They are particularly worried about insurance companies due to the nature of their business, which involves large volumes of personal data. The biggest fines for data breaches so far imposed by the FCA have been on insurance businesses, highlighting the reason for the regulator’s intense concern.

Insurance information is particularly attractive to hackers because of the number of highly personal individual details they hold. The Anthem healthcare insurer was breached last year and it is reported to have lost the personal information records of 80 million customers and employers.

Health care breaches are particularly on the rise as there is a lucrative resell market for these types of records. While credit card details typically trade at $10, insurance data typically trades at $100.  The US government is so concerned about its US insurance companies’ lack of preparedness that the National Association of Insurance Commissioners has set up a Cyber Security Taskforce to tackle the issue.

European policymakers are yet to agree the final provisions of the new General Data Protection Regulation. However, the new Regulation means that data privacy issues should now be a key concern for all insurers and they should be prepared to review and amend their data protection programmes. In general, regulation is likely to become increasingly formalised and more rigorous in its application.

The rise of big data presents opportunities to offer more creative, competitive pricing and, importantly, to predict customers’ behavioural activity. This is great news for insurers but a concern for the Information Commissioner’s Office (ICO). The ICO monitors how firms respond to subject access requests and handle complaints, and firms will be invited to undergo an audit if the ICO has concerns. Compared with other EU Member States, such as France and Italy, the UK carries out relatively few audits.

However, this too is changing. The FCA has announced that it is conducting a market study into how insurance firms use big data. Big data raises the possibility that an individual’s circumstances may not be factored into an insurance risk assessment. As part of its market study, the FCA may examine whether such an approach is contrary to Principle 6 of its Principles for Businesses, which requires that firms treat their customers fairly. Depending on the outcome of the review, the FCA may introduce specific consumer protection measures for the use of big data in underwriting.

Compliance measures will need to be reviewed and a risk assessment undertaken in order to implement appropriate security measures. These measures need to be documented and made available to regulators on request.

An insurance professional was recently reported as saying that most companies in the global market are not compliant with international standards. Many firms have no incident response plans in place to let their customers know that a breach has occurred. They are simply ill-prepared for a data breach incident that is inevitable. A survey by technology company Xchanging in Nov 2015 reported that only one third of insurers in the London market believed that they could withstand a major cyber attack. As in all areas of business, customers will be increasingly concerned about the cyber security of a company offering services. Failure to demonstrate good cyber security will mean failure to win new customers.

2016 looks like being the year that the insurance industry will be forced to take cyber security more seriously and make it a top priority for the board.

NEW Broadgate Product Launch: “Assurity”

Posted on : 30-06-2015 | By : john.vincent | In : Cyber Security, Innovation


Since forming Broadgate in 2008 we’ve helped a number of our clients in addressing the challenges posed by the increased internal and external security threat to their organisation and data. Our projects have included deployment of Malware threat platforms, Data Loss Prevention implementation, Cyber Intelligence and Identity and Access Management solutions.

Our experience during this time was that there is a need for a more business-focused approach, so we developed our own assessment methodology, which we have now officially launched as a product called ASSURITY. The product addresses three key challenges facing us today:

1) Understanding your business critical assets

2) Calculating your risk exposure

3) Prioritising areas requiring focus and investment

The product is differentiated in the market through not only the comprehensive inputs and modelling, but also by providing quantitative analysis in the form of a Cyber Value at Risk.


ASSURITY is a three step process, as outlined below:

Assurity assessment methodology

Step 01

We profile the organisation from many different data points. This is a critical part of the process as it allows for a more meaningful assessment of the actual risk. C-level executives can use the product to inform their change programme and investment decisions. It is an iterative approach during which the relative weightings for each criterion are reviewed and discussed with the client to understand carefully the business risk appetite.

Step 02

The assessment is conducted by ingesting a number of different sources from documented artefacts, processes, data and technology into the Assurity product. From this we can assess the current maturity level, a quantified risk level, the potential impact to an organisation of a data breach or security event and also the likelihood of it occurring.

Step 03

The results of the assessment are presented in a form which clearly shows the focus areas for investment or change, and where the organisation is already protected at the appropriate level. We map the results to the GCHQ 10 Steps for security and translate them into language which allows C-level executives to make informed decisions.

What are the benefits of ASSURITY?

1) Information security assurance – Demonstrating to your clients, suppliers, regulators, shareholders and insurers

2) Optimising security budgets – Avoiding unnecessary investments typically results in a 30% reduction in redundant operational security expenditure, support and maintenance

3) Qualified cyber value at risk – Financial value of corporate assets at risk is defined for input into broader business risk modelling

4) Improved compliance – Security health check defines current information security level


In the ASSURITY report, we focus on four main areas:

Cyber At Risk Score

The Cyber At Risk Score takes a number of internal and external feeds to create a value from which organisations can have a more informed discussion regarding the likelihood of a security breach. We use this across the product to help quantify the impacts against the profile of the organisation.

Gap Analysis against Target Maturity

During the profiling stage we determine the appropriate maturity benchmark for the organisation. This can be based on the internal risk appetite, industry average or other determining factors, and is used to identify shortfalls and strengths and to focus attention and investment.

Maturity Assessment Heatmap

Here we plot the scores from 10 assessment areas against the Likelihood and Impact of an event. Importantly, we also assign a quantified value at risk which we have determined through the profiling exercise and the current maturity level. This allows C-level executives to target and prioritise the investment areas.

Strategic Roadmap

The output from the ASSURITY product also forms the basis for the required change programme. We split the initiatives into Quick Wins which have the most immediate impact or target the most vulnerable areas. We also provide the long term remediation plan and ongoing continuous improvement projects to meet the required target baseline.


The ASSURITY product differentiates from other methodologies by being the most complete and accurate assessment that organisations can undertake to really understand their security risk exposure.

If you would like to find out more about the product and to arrange a demo, please contact jo.rose@broadgateconsultants.com or call 0203 326 8000 to speak to one of our security consultants.


Cybercrime: The 9 basic threat patterns for data breaches

Posted on : 29-04-2014 | By : john.vincent | In : Cyber Security


This week is a big one for the security industry, with the annual European Infosecurity Conference (Infosec) kicking off for 3 days in London. Anyone with an interest in Information Security will descend onto Earls Court keen to find out the latest in process, technology and organisational techniques to try and keep up with the cyber criminal methods of operation.

Indeed, the community of interest is growing. Where once it would only be the “traditional” IT Security experts that went along (and some outsiders would have considered them a bit “geeky”), now the spectrum of attendees is vast and varied. In 2013 the visitors travelled from 71 different countries, with 10% at corporate board level within their organisation and 24% at or above senior executive level.

Countering cyber crime, data breaches and related security threats is now firmly on the executive agenda, as well as that of sovereign states. In March this year the UK government launched its UK Computer Emergency Response Team (CERT-UK) as part of its strategy in the fight against cyber crime. Launched by Chris Gibson, director of CERT-UK, the unit is considered to be one of the most important parts of the government’s £650m cyber security strategy.

In general, like most of information technology, it comes down to data…in this case, breaches of.  So, what are the main sources of data security breaches?

Well, Verizon have just released their 2014 Data Breach Investigations Report. As always, it gives some really useful insight into the security landscape over the last year, taking data from over 50 global organisations in 95 countries and over 63,000 confirmed incidents!

The report analyses these in some detail, but there are a couple of areas we thought we’d just highlight.

The first is some analysis over 10 years regarding the threat actions leading to data breaches (below):

Whilst the sample set has grown over the 10 year period, what it does illustrate well is the explosion in Hacking and Malware exploits from 2009 and the increase in Social tactics from around the same time.

The other area we’d like to explore is the fact that, even with tens of thousands of breach incidents over the period of the report, we can effectively describe them in nine basic patterns.

  1. Point-of-Sale (POS) Intrusions: Not surprisingly most prevalent in Accommodation, Food Services and Retail although trending down recently. “RAM Scrapers” collect and exfiltrate payment card information.
  2. Web App Attacks: Exploiting application weaknesses, often through inadequate input validation or impersonation through stolen credentials.
  3. Insider and Privilege Misuse: Crimes that, for the most part, have been perpetrated for individual financial gain. The last year saw an increase in insider espionage targeting data and trade secrets. Interestingly, whilst staff and end users were still the most prominent perpetrators of internal breaches, there was an increase in managers perpetrating them (including some in the C-suite).
  4. Physical Theft and Data Loss: Pretty much as described. The key industries here are Healthcare, Public and Mining with most losses/thefts actually being reported as a result of mandatory disclosure regulations, rather than fraud.
  5. Miscellaneous Errors: People mess up…fact. Misdelivery of documents (physical and email) and Publishing errors count for two thirds of this category. Indeed, we’ve all seen press reports of sensitive data leaked unintentionally. Organisations who are not addressing Data Loss Prevention (DLP) need to as a priority.
  6. Crimeware: Goal is to gain control of platforms to use for stealing credentials, DDoS attacks, spamming etc. Web drive-by and Web download are the most common vectors for malware actions within this category.
  7. Payment Card Skimmers: Predominant in Finance and Retail, with criminal groups installing skimmers on ATMs and other card reading devices (indeed, ATMs accounted for 87% of incidents).
  8. Cyber-Espionage: The report from Verizon showed this as having tripled in number from the previous year, which was already up. The US still represents over half of the victims but the targets are diversifying, with State-Affiliated actors at 87% and Organised Crime accounting for 11%. In terms of the former, Eastern Asia still accounts for nearly half of the locations of command centres seeking to gather sensitive data.
  9. Denial of Service Attacks: Although a little out of place in terms of data breach, there were a significant number of attacks in the last year, specifically against the Financial Services industry. Often used as a “smokescreen” for other illicit activity.

The report goes into a lot of data including recommended controls (you can download a copy here).

We will be continuing to strengthen the Broadgate Security Service throughout this year. If you’d like to explore further, please contact jo.rose@broadgateconsultants.com.

Or, of course, see you at Infosec!