GDPR – The Countdown Conundrum

Posted on : 30-01-2018 | By : Tom Loxley | In : Cloud, compliance, Cyber Security, data security, Finance, GDPR, General News, Uncategorized


Crunch time is just around the corner and yet businesses are not prepared, but why?

“General Data Protection Regulation (GDPR) – a new set of rules set out by the European Union which aims to simplify data protection laws and provide citizens across all member states with more control over their personal data”

It is estimated that just under half of businesses are unaware of incoming data protection laws that they will be subject to in just four months’ time, or how the new legislation affects information security.

Following a government survey, the lack of awareness about the upcoming introduction of GDPR has led the UK government to issue a warning to the public over businesses’ shortfall in preparation for the change. According to the Digital, Culture, Media and Sport secretary Matt Hancock:

“These figures show many organisations still need to act to make sure the personal data they hold is secure and they are prepared for our Data Protection Bill”

GDPR comes into force on 25 May 2018 and potentially huge fines face those who are found to misuse, exploit, lose or otherwise mishandle personal data. These can be as much as four percent of company turnover. Organisations could also face penalties if they’re hacked and attempt to hide what happened from customers.

There is also a very real and emerging risk of a huge loss of business. Specifically, 3rd-party compliance and assurance is common practice now and your clients will want to know that you are compliant with GDPR as part of doing business.

Yet regardless of the risks to reputation, the potential loss of business and the fines that come with being non-GDPR compliant, the government survey has found that many organisations aren’t prepared for – or aren’t even aware of – the incoming legislation and how it will impact their information and data security strategy.

Not surprisingly, considering the ever-changing landscape of regulatory requirements they have had to adapt to, the finance and insurance sectors are said to have the highest awareness of the incoming security legislation. Conversely, only one in four businesses in the construction sector is said to be aware of GDPR, with awareness in manufacturing also poor. According to the report, the overall figure comes in at just under half of businesses – including a third of charities – who have subsequently made changes to their cybersecurity policies as a result of GDPR.

If your organisation is one of those unsure of its GDPR compliance strategy, areas to consider may include:

  • Creating new, or improving existing, cybersecurity procedures
  • Hiring new staff (or creating new roles and responsibilities for your existing staff)
  • Making concentrated efforts to update security software
  • Mapping your current data state: what you hold, where it’s held and how it’s stored

In terms of getting help, this article is a great place to start: What is GDPR? Everything you need to know about the new general data protection regulations

However, if you’re worried your organisation is behind the curve, there is still time to ensure that you do everything to be GDPR compliant. There is an abundance of free guidance available from the National Cyber Security Centre and the ICO on how to ensure your corporate cybersecurity policy is correct and up to date.

The ICO suggests that, rather than being fearful of GDPR, organisations should embrace it as a chance to improve how they do business. The Information Commissioner Elizabeth Denham stated:

“The GDPR offers a real opportunity to present themselves on the basis of how they respect the privacy of individuals, and over time this can play more of a role in consumer choice. Enhanced customer trust and more competitive advantage are just two of the benefits of getting it right”

If you require pragmatic advice on the implementation of GDPR data security and management, please feel free to contact us for a chat. We have assessed and guided a number of our clients through the maze of regulations, including GDPR. Please contact Thomas.Loxley@broadgateconsultants.com in the first instance.


Battle of the Chiefs

Posted on : 25-01-2018 | By : Tom Loxley | In : Predictions, Uncategorized


2018 Prediction – Deep Dive

Chief Information Officer 1 – Chief Digital Officer 0

Digital transformation is undeniably the main driving force for change in businesses today. We have seen the financial sector being completely transformed by new technologies that offer the ability to engage customers in very different ways, driving more profits. Originating in the marketing department, digital morphed into e-commerce, where it gained more budget and more power. This led to the establishment of a new executive role, the Chief Digital Information Officer (CDiO). The more traditional role of the Chief Information Officer (CIO) faded in many organisations as CIOs concentrated on their legacy systems, often accused of being slow to change in this new fast-paced environment. The CDiO rose as the star of the transformation show, moving at lightning digital speed, propelling the competitive advantage and adding value to the business. The two Chiefs have been working alongside each other uncomfortably over the past few years, neither understanding the boundaries between them. Not for much longer ….

We are starting to see some CDiOs come adrift as the main power point, with the promised world of digital failing to emerge. They too are being slowed down and unseated by the weight of legacy systems and legacy ideas in many organisations. Business leaders are getting impatient with the time to deliver ‘revolutionary’ change. Is it that these changes take time or is there a hint of the ‘Emperor’s new Code’ about this?

Broadgate believes that 2018 will see the resurgence of the CIO as the leading force. The digital buzzword is fading as digital is increasingly seen as a core part of any business strategy, intrinsic to the organisation. The development of the CDiO was a good short-term fix to turbocharge the digital roadmap, taking some of the weight off the CIO’s shoulders and enabling change. It could be said that the CDiO role developed as a result of an early division of labour between the old and the new as digital models emerged. However, recently we have seen a considerable shift across all major sectors, with four trends leading the charge for change: cloud, mobility, IoT and big data. It is this technological innovation that has enabled the role of the CIO to rise once more.

This is the big moment for the CIO, essentially becoming the hero of the digital age, not only embracing the new but also connecting the old with the new and really enabling organisations to move forward. That said, we must not underestimate the scale of the challenge CIOs face; there is a level of complexity in this new age of digital transformation that isn’t going away. Compounding this issue, business processes are often overlooked when technology is being rapidly applied. In many cases the CIO needs to reach out to their business counterpart in the area where technology is going to be deployed to ensure not only that there is complete connection but also that, working together, they understand how the business will function in that new environment and how orchestrating business technology will produce and deliver a strong result. CIOs must now take ownership of both to ensure they are not locked out of future technology decisions. The CIO who can keep up with the pace of new technology adoption can stay ahead of potential CDiOs encroaching on their territory.

The 2018 Broadgate Predictions

Posted on : 19-12-2017 | By : richard.gale | In : Predictions


Battle of the Chiefs

Chief Information Officer 1 – Chief Digital Officer 0

Digital has been the interloper into the world of IT – originating from the Marketing Department through the medium of the website, morphing into e-commerce. The result was more budget, and so more power, with the CDiO than the CIO, and the two Chiefs have been rubbing along uncomfortably together, neither fully understanding the boundaries between them. 2018 will see the re-emergence of the CIO empire as technology becomes more service based (Cloud, SaaS, Microservices etc.) and focus returns to delivering high-paced, successful transformational change.


Battle of the Algorithms

Quantum 2 – Security 1

All the major Tech companies now have virtual Quantum computers available (so the toolkits, if not the technology). These allow adventurous techies to experiment with Quantum concepts. Who knows what the capabilities of Quantum are, but through its enormous processing power it will have the capability to look at every possible combination of events for a given situation at once. That is great in terms of deciding which share to buy or how people are interacting on Facebook, but it will also have the potential to crack most current encryption mechanisms. That said, it will enable another level of secure access too!


Battle of the Search Engines

Voice 2 – Screen 0

OK Google, Alexa, Siri…. There’s a great video of Google talking to Alexa in an infinite loop. That’s all fun, but in 2018 Voice will start to become a dominant force for search and for general utility. Effectively, stopping what you are doing and typing in a command or search will start to feel a little strange and old-fashioned. OK, in the office we may not all start shouting at our computers (well, not more than normal), but around the home, in the car, or using our phones it is the obvious way to interact. This trend is already gathering momentum. VR and especially AR will add to this; the main thing holding it back is the fact you look like an idiot with the headset on. Once that is cracked then there will be no stopping it.


RoboWars – to be continued…

Robots 1 – People 1

AI and ‘robotic process automation’ (RPA) are everywhere. Every services firm worth its salt has process automation plans and the hype around companies such as Blue Prism is phenomenal. This is all very exciting and many doomsayers have been predicting the end of most jobs (and some the end of most people!). Yes, automation of processes is here. It’s been here for years – that is what most ERP (aka workflow) systems do. It makes absolute sense to automate mundane processes, and if you can build in a bit of intelligence to deal with slight differences in the pattern then all the better. Will it result in the loss of millions of jobs… well, maybe, and probably in the short term, but once again, as every time in the past, technology will replace human endeavour whilst humans will be busy building the next creative, innovative wave.


The Lightbulb Moment

Internet 1 – Internet of Things 3

Is there anything left which is not internet connected? Two years ago, there were very few people that had any interest in communicating with a lightbulb – apart from flicking a light-switch. Now IoT connected lightbulbs appear to be everywhere and the trend will grow and grow. The speed at which this is happening is accelerating and the scope of connected devices is expanding beyond belief. Who would have thought we needed a smart hairbrush? This is all fine and will enrich our lives in ways we probably haven’t even thought about yet, but there is a cost. We are allowing these devices to listen to, see and control parts of our lives, and the data they gather has value both for good and bad reasons. There is no ‘culture of security’ for IoT. Many of the devices are cheaply designed and manufactured with no thought towards security or data privacy. We are allowing these devices into our lives and we don’t really know what they know and who knows what they know. This may be a subtler change for 2018 – the securing of ‘the Thing’ – well, let’s hope so!


Welcome to our ESports Day

Call Of Duty 2 – Premiership Football 1

Sport is a big business. From Curling to Swimming to Indy Car racing it has a thousand differing forms, millions of participants and billions of armchair viewers. Top class athletes in a popular sport can earn millions of dollars a year both from performing and through product endorsements.

Video games have been popular for years. They started as single- or two-player games and now are worldwide multiplayer extravaganzas where you can battle, race or fight against people throughout the world. A number of superstars or eAthletes have emerged, first through winning competitions and then through YouTube etc., where their tournaments are recorded and watched again and again. This business has now broken the $1B mark – still way off ‘real’ sport, but it’s growing massively and at some point soon will become part of the mainstream.

Could You Boost Your Cybersecurity With Blockchain?

Posted on : 28-11-2017 | By : Tom Loxley | In : Blockchain, Cloud, compliance, Cyber Security, Data, data security, DLT, GDPR, Innovation


Securing your data, the smart way


The implications of Blockchain technology are being felt across many industries; in fact, the disruptive effect it’s having on Financial Services is changing the fundamental ways we bank and trade. Its presence is also impacting Defence, Business Services, Logistics, Retail, you name it; the applications are endless, although not all blockchain applications are practical or worth pursuing. Like all things which have genuine potential and value, they are accompanied by the buzzwords, trends and fads that also undermine them as many try to jump on the bandwagon and cash in on the hype.

However, one area where tangible progress is being made and where blockchain technology can add real value is in the domain of cybersecurity and in particular data security.

Your personal information and data are valuable, and therefore worth stealing and worth protecting, and many criminals are working hard to exploit this. In the late 90s, data collection began to ramp up with the popularity of the internet, and now the hoarding of our personal and professional data has reached fever pitch. We live in the age of information and information is power. It directly translates to value in the digital world.

However, some organisations, public sector and private sector alike, have dealt with our information in such a flippant and negligent way that they don’t even know what they hold, how much they have, or where or how they have it stored.

Lists of our information are emailed to multiple people on spreadsheets, downloaded and saved on to desktops, copied, chopped, pasted, formatted into different document types and then uploaded on to cloud storage systems, then duplicated in CRMs (customer relationship management systems) and so on… are you lost yet? Well, so is your information.

This negligence doesn’t happen with any malice or negative intent but simply through a lack of awareness and a lack of process or procedure around data governance (or a failure to implement what process and procedure do exist).

Human nature dictates we take the easiest route; combine this with deadlines needing to be met and a reluctance to delete anything in case we may need it at some point later, and we end up with information being continually copied, replicated and stored in every nook and cranny of hard drives, networks and clouds until we don’t know what is where anymore. As if this wasn’t bad enough, it makes it nearly impossible to secure this information.

In fact, for most, it’s just easier to buy more space in your cloud or buy a bigger hard drive than it is to maintain a clean, data-efficient network.

Big budgets aren’t the key to securing data either. Equifax is still hurting from an immense cybersecurity breach earlier this year. During the breach, cybercriminals accessed the personal data of approximately 143 million U.S. Equifax consumers. Equifax isn’t the only one; if I were able to list all the serious data breaches over the last year or two you’d end up both scarred by and bored with the sheer amount. The sheer scale of the numbers here makes this hard to comprehend: the amounts of money criminals have ransomed out of companies and individuals, the amount of data stolen, or even the number of companies who’ve been breached. The numbers are huge and growing.

So it’s no surprise that anything in the tech world that can vastly aid cybersecurity and in particular securing information is going to be in pretty high demand.

Enter blockchain technology


The beauty of a blockchain is that it kills two birds with one stone: controlled security and order.

Blockchains provide immense benefits when it comes to securing our data (the blockchain technology that underpins the cryptocurrency Bitcoin has never been breached since its inception over 8 years ago).

Blockchains store their data on an immutable record; that means once data is stored there, it’s not going anywhere. Each block (or piece of information) is cryptographically chained to the next block in chronological order. Multiple copies of the blockchain are distributed across a number of computers (or nodes), so if an attempted change is made anywhere on the blockchain, all the nodes become aware of it.

For a new block of data to be added, there must be a consensus amongst the other nodes (on a private blockchain the number of nodes is up to you). This means that once information is stored on the blockchain, in order to change or steal it you would have to reverse engineer near-unbreakable cryptography (perhaps hundreds of times, depending on how many other blocks of information were stored after it), then do that on every other node that holds a copy of the blockchain.

That means that when you store information on a blockchain it is all transparently monitored and recorded. Another benefit of using blockchains for data security is that private blockchains are permissioned, so accountability and responsibility are enforced by definition, and in my experience when people become accountable for what they do they tend to care a lot more about how they do it.

One company that has taken the initiative in this space is Gospel Technology. Gospel Technology has taken the security of data a step further than simply storing information on a blockchain: they have added another clever layer of security that further enables the safe transfer of information to those who do not have access to the blockchain. This makes it perfect for dealing with third parties or those within organisations who don’t hold permissioned access to the blockchain but need certain files.

One of the issues with blockchains is the user interface. It’s not always pretty or intuitive, but Gospel has also taken care of this with a simple and elegant platform that makes data security easy for the end user. The company describes their product Gospel® as an enterprise-grade security platform, underpinned by blockchain, that enables data to be accessed and tracked with absolute trust and security.

The applications for Gospel are many and it seems that in the current environment this kind of solution is a growing requirement for organisations across many industries, especially with the new regulatory implications of GDPR coming to the fore and the financial penalties for breaching it.

From our point of view as a consultancy in the Cyber Security space, we see the genuine concern and need for clarity, understanding and assurance among our clients and the organisations that we speak to on a daily basis. The realisation that data and cyber security is now something that can’t be taken lightly has begun to hit home. The issue for most businesses is that there are so many solutions out there it’s hard to know what to choose, and so many threats that trying to stay on top of them without dedicated staff is nearly impossible. However, the good news is that there are good quality solutions out there, and with a little effort and guidance and a considered approach to your organisation’s security you can turn back the tide on data security and protect your organisation well.

GDPR & Cyber-threats – How exposed is your business?

Posted on : 28-11-2017 | By : Tom Loxley | In : Cloud, compliance, Cyber Security, Data, data security, GDPR


With the looming deadline approaching for the ICO enforcement of GDPR, it’s not surprising that we are increasingly being asked by our clients to assist in assessing the current threats to their organisation from a data security perspective. Cybersecurity has been a core part of our services portfolio for some years now and it continues to become more prevalent in the current threat landscape, as attacks increase and new legislation (with potentially crippling fines) becomes a reality.

However, the good news is that with some advice, guidance, consideration and a little effort, most organisations will find it easy enough to comply with GDPR and to protect themselves well against the current and emerging threats out there.

The question of measuring an organisation’s threat exposure is not easy. There are many angles and techniques that companies can take, from assessing processes, audit requirements, regulatory posture, perimeter defence mechanisms, end-user computing controls, network access and so on.

The reality is, companies often select the approach that suits their current operating model or, if independent, one which is aligned with their technology or methodology bias. In 99% of cases, what these assessment approaches have in common is that they address only a subset of the problem.

At Broadgate, we take a very different approach. It starts with two very simple guiding principles:

  1. What are the most critical data and digital assets that your company needs to protect?
  2. How do your board members assess, measure and quantify security risks?

Our methodology applies a top-down lens over these questions and then looks at the various inputs into them. We also consider the threats in real-world terms, discarding the “FUD” (Fear, Uncertainty and Doubt) that many service providers use to embed solutions and drive revenue, often against the real needs of clients.

Some of the principles of our methodology are:

  • Top Down – we start with the boardroom. As the requirements to understand, act and report on breaches within a company become more robust, it is the board/C-level executives who need the data on which to make informed decisions.


  • Traceability – any methodology should have a common grounding to position it and also to allow for comparison against the market. Everything we assess can be traced back to industry terminology from top to bottom whilst maintaining a vocabulary that resonates in the boardroom.


  • Risk Driven – to conduct a proper assessment of an organisation’s exposure to security breaches, it is vital that companies accurately understand the various aspects of their business profile and the potential origin of threats, both internal and external. For a thorough assessment, organisations need to consider the likelihood and impact from various data angles, including regulatory position, industry vertical, threat trends and, of course, the board members themselves (as attacks are more and more personal by nature). Our methodology takes these, and many other aspects, into consideration and applies a value at risk, which allows for focused remediation plans and development of strategic security roadmaps.


  • Maturity Based – we map the key security standards and frameworks, such as GDPR, ISO 27001/2, SANS 20, Cyber Essentials etc., from the top level through to the mechanics of implementation. We then present these in a non-technical, business language so that there is a very clear common understanding of where compromises may exist and also the current-state maturity level. This is a vital part of our approach which many assessments do not cover, often choosing instead to present a simple black and white picture.


  • Technology Best Fit – the commercial success of the technology security market has led to a myriad of vendors plying their wares. Navigating this landscape is very difficult, particularly understanding the different approaches to prevention, detection and response.

At Broadgate, we have spent years looking into what are the best-fit technologies to mitigate the threats of a cyber-attack or data breach, and this experience forms a cornerstone of our methodology. Your business can also benefit from our V-CISO service to ensure you get an executive level of expertise, leadership and management to lead your organisation’s security. Our mantra is “The Business of Technology”. This applies to all of our products and services, and never more so than when it comes to really assessing the risks in the security space.

If you would like to explore our approach in more detail, and how it might benefit your company, please contact me at john.vincent@broadgateconsultants.com.

Data Breach – What’s the cost?

Posted on : 17-01-2017 | By : admin | In : Cyber Security, Data, Uncategorized


It’s a common question. Our clients are continually grappling with quantifying the actual cost of a potential data breach to their organisation, whether to understand risk profile, build a business case for investment plans, price cyber insurance and so on.

How do you do it and what factors should companies keep in mind? Firstly, there are many industry statistics available which are useful as a reference point, be it from industry bodies, consultancies or vendors. Let’s start with a recent study from IBM which found that the average cost of a data breach was up to $4m (from $3.8m in 2015), with the cost incurred for each record stolen increasing to $158 and the likelihood of a breach involving 10,000 lost or stolen records in the next 2 years at 26%.

These are significant numbers, but of course, as with all disclaimers, they “can go up as well as down” based on the respective business profile. So, what should organisations consider when quantifying data breach risk? Here are some of the factors that we cover when assessing and assigning a cyber value at risk:

  • Size and Scale – naturally, the amount of data that an organisation processes is a key factor, but also other factors such as numbers of employees, business locations and currency can impact the data breach cost
  • Company profile – the type of business and data is one of the major factors in determining a value. If an organisation’s data is sensitive, such as private health information (PHI), personally identifiable information (PII), or payment card (PCI) data, then the impact can vary significantly in terms of regulatory fines and the like
  • Board Profile – not only will the company profile have an impact but also that of the board. From whether the business activities may draw unwanted attention to that of individuals themselves, it is important to understand the risk that this might engender
  • Operational Impact – what would be the impact of a partial or complete cessation of business operations over various time periods? These are normally easier to quantify and, in many organisations, should have been addressed to some extent through a Business Impact Assessment (BIA) as part of business continuity planning
  • Cause of breach – it is important, if possible, to understand the root cause of the breach, whether externally targeted or internal through malicious activity, insufficient process, employee error or supply chain/3rd party (indeed, the latter are often the most difficult to manage and the costliest)
  • Breach Restoration – the material impact of restoring services, both in terms of the immediate resumption of business operations which may involve resource, software and hardware, but also the cost post breach to shore up any potential deficiency in people, process or technology
  • Forensics – data breaches can often be difficult to assess not only in terms of the impact but also the penetration and scale. Often, organisations will need to bring in a third party specialist to perform these activities, which can be at a significant cost. The value of this, alongside any cyber insurance, needs to be considered
  • Reputation and Disclosure – a difficult one to calculate pre-breach but nevertheless one which should be an input when determining a cyber value at risk. The impact of losing customer confidence in products or services to the bottom line (or the stock price). Historic data helps both in quantification and lessons learned as to how executives should react

By looking at these factors organisations can build as good a view as possible in terms of how much a data breach will cost. Each should be thought through carefully and weighted appropriately to give business leaders an assessment of the likelihood and impact. This also allows for a more targeted discussion regarding mitigating actions and subsequent investment profile.

It’s a difficult question to answer, but not impossible.

If you would like to understand your company’s cyber value at risk profile, please email assurity@broadgateconsultants.com

Hey, Let’s Be Careful Out There!

Posted on : 10-06-2016 | By : Maria Motyka | In : Cloud, Cyber Security, Data, Innovation, IoT


In the context of accelerated digitisation, especially the adoption of innovations in the areas of cloud computing, IoT and the growth of social networking, as well as with increased mobility of the workforce, organisational security and risk management need to be rethought.

The way we work is constantly changing; according to recent research by Gartner, within the next 1.5 – 2 years, ‘25 per cent of corporate data traffic will flow directly from mobile devices to the cloud, bypassing enterprise security controls’. Digital users now spend 30% of all connected time, 2 hours a day, on social media (Global Web Index) – let’s not fool ourselves, some of it (whether it be using the seemingly innocent Messenger app or the boring-meeting saviour Instagram) is within the office environment. And it’s definitely not just the Millennials who are guilty of the Social Media at work crime! The Bring Your Own Device (BYOD) trend is also becoming more and more popular, even within traditionally conservative work environments (employees who get to work on their own laptops/tablets are said to be happier and thus more productive than the company-device-strained ones). While (according to Code42’s 2016 Datastrophe study) 87% of CIOs and CISOs claim that their companies have a clearly defined BYOD policy in place, a shocking 67% of knowledge workers (the organisation’s end users) disagree (Infosec Magazine). When things go wrong and the freedom to connect/work anyplace, anytime compromises organisational security, it is the company that takes the hit.

At the same time, organisations often primarily rely on CXOs to deliver enterprise security and manage the increasingly sophisticated threats, in times when companies (and devices used by employees, often at work and at home) are being constantly compromised. This is not sufficient. All employees, across all functions, are responsible for securing the organisations they are part of. As highlighted by Gartner in the Managing Risk and Security at the Speed of Digital Business report, it is crucial for organisations to apply resilience to not only processes and technology, but also people. We cannot afford to overlook the ‘human’ element of security. Best practices include regular training and digital security awareness campaigns for everyone, as well as extending protections to the company’s employees within their home environments (Gartner), in response to the blurring of the tech we use for personal and professional purposes, as well as the flexible work trend. Gartner proposes ‘people-centric security’, which is about aiming for a perfect balance between protecting the company and the need to allow increased employee agility and to adopt new and often risky tech to stay competitive.

For now, it seems that seeking that balance, together with regular employee education, is the best companies can do.

Laptops and smartphones get lost or stolen, and will continue to, whether in a club or on the way to work. The data stored on or accessible through these devices can be worth a thousand times more than the device itself. This is not an exaggeration; one obvious example is the infamous iPhone at the centre of the Apple-FBI encryption dispute. Moreover, the punishment doesn't seem to fit the crime: charges for stealing a phone or a laptop usually fail to take into account the value of the potentially compromised data. This will have to change, especially as the devices we carry store more and more data that is not only confidential because it is work-related but also highly intimate (health-related, for example).

Striving for the sweet spot between data security and taking advantage of the opportunities offered by new technology and new ways of working also means being clever about WHAT to protect. Not all data needs to be equally secure. As Richard Gale stressed during the security panel at ISITC's General Meeting, companies need to focus on protecting their 'crown jewels'. Utilising cloud tech and allowing employees the freedom to work flexibly won't stop you from identifying and investing in protecting crucial data. Detection and response is another element that ought not to be overlooked. What would be the worst-case scenario, and what would your organisation do, if the CEO's mobile phone or laptop went missing? What steps is your company going to take if a social media app sends phishing messages to employees? While it's impossible to protect all the data perfectly, it's worth having an action plan for when things go wrong.

Let your employees bring their own devices and go on, embrace the cloud; when you do, however, train, educate, invest more in protecting what's most valuable and be prepared for when data does get compromised!

Talking about BYOD and training your employees on how to be digitally secure: a few months ago we shared a Cybersecurity Manual with 10 hands-on security tips, which you can read here.

A Few More Thoughts on Data Security and Data Privacy in the ‘Golden Age of Surveillance’

Posted on : 30-03-2016 | By : Maria Motyka | In : Cyber Security, Data, General News, Innovation


In the era of unparalleled tech innovation and global terrorism threats, 1) more and more of our sensitive data is being collected and 2) sophisticated surveillance measures are put into practice. We are being gradually deprived of (or perhaps willingly giving away) our privacy. Security guru Bruce Schneier goes as far as referring to current times as the ‘Golden Age of Surveillance’.

We previously discussed the issue of data security and privacy in the context of top 2015 hacks as well as innovations such as A.I. toys and healthcare wearables in our December blog post: Data Privacy/Security You Can Run But You Can’t Hide.

Here’s some more food for thought on the topic.

Governments and corporations not only collect much larger and more wide-ranging datasets on us as individuals, but are also, now more than ever, able to compile them, make sense of them and take action based on in-depth big data insight. As the Chief Data Scientist of an admired Silicon Valley company noted in an interview with Jemand mit Eiern, the goal is to "change people's actual behaviour at scale" by capturing their behaviours, identifying the 'good' versus the 'bad' ones and then creating ways to reward the 'good' and punish the 'bad'. The ultimate goal? Profit and control.

The application of big data to alter behaviours is very clear on both the corporate and the government side: from Google, which announced that its maps will no longer merely provide users with the route they search for but also suggest a destination, to China, which is now building a 'pre-crime' big data platform. China's new tool will allow predictive policing: identifying individuals who 'have the potential' to engage in suspicious activities, based on complex data derived from citizens' online and offline activity (including transactions, locations, who they engage with and so on), in order to prevent crime by altering the way individuals behave.

Schneier finds what happens 'at the back end' of big data rather disturbing. During Forbes's first tech podcast, 'The Premise', he spoke about 'dossiers' built up from multiple inputs, such as "face recognition plus miniature cameras, plus Facebook's database of tagged photos, plus the credit card database of your purchasing habits data... all of that put together...". The data privacy thought leader stresses that while on the corporate side big data and surveillance are used to get people to consume things, on the government side they are a tool for a variety of things: law enforcement, social control, terrorism and political manipulation, making sure that 'certain' ideas don't spread and silencing 'certain' people.

Knowledge is power, and it is important to consider whom these surveillance and intelligence powers can be used against. Snowden recently reminded us of the case of the UK's Government Communications Headquarters (GCHQ), which has previously used its 'powers' to spy on journalists and human rights groups such as Amnesty International.

How much of our data do we agree to ‘give away’? Is it at all possible to ensure that only the ‘good guys’ can access all this big, big data which, as we discussed, can be used to alter our behaviours?

During one of his recent Ask Me Anything Reddit sessions, Bill Gates himself drew attention to the issue of data security. Microsoft's founder called for more public debate around bulk data collection and stressed that there are currently insufficient safeguards in place to make sure that information about us is only used for, as he put it, the 'proper' reasons.

How do you even define ‘proper’ reasons?

The issue is highly relevant to the UK. In an interview for the Guardian, UN privacy chief Joseph Cannataci stated that "UK surveillance is worse than 1984" and "a rather bad joke at its citizens' expense", and criticised the government for its approach to the Investigatory Powers Bill. Should the bill proceed into statute, the Snooper's Charter will have significant ramifications for Brits' collective privacy.

Edward Snowden, during a talk he gave in Poland in mid-March, summarised the surveillance vs. security 'dilemma' (one which British MPs are currently facing) as follows:

“Do we want liberty or do we want sort of a sense of total order where you may feel that life is a little bit more predictable but you are reliant upon some great authority that really has the extraordinary power to interfere in your life and tell you where to go what to do and how (…) and watch you at all times in exchange for a feeling of safety that in practical way is not delivered in any more reliable way today than it was before?”

Schneier agrees with this view and stresses that surveillance with no probable cause is not compatible with liberty:

“the whole point of democracy is that we are willing to live with some amount of crime because we realise that a totalitarian police state is much worse”.

At the same time, the security champion discredits the ‘myth’ that surveillance is good for security: “There is no evidence for that. It has been stated as a truism and we’re expected to believe”. Whenever we see counter-terrorism success it is based on targeted, not mass surveillance.

Big data will get bigger, there is no question about it. However, "we need comprehensive laws that regulate all forms of data: collection, storage, use, sale, destruction. The whole process", Schneier argues. Let's hope that sooner or later we will learn to appreciate our privacy and put in place systems to protect it.

Data privacy/security – you can run but you can’t hide?

Posted on : 18-12-2015 | By : Jack.Rawden | In : Cloud, Cyber Security, Data, General News, Innovation


Security and privacy are among some of the top themes discussed throughout 2015 and will likely remain an equally popular topic in 2016.

On one hand, consumers’ private data is increasingly being revealed through major security breaches and hacks, causing widespread outrage. On the other, in the face of terror, many are willing to voluntarily give up more and more of their privacy to be (or at least feel) more secure.

At the same time, new technologies offer solutions in healthcare, payments and entertainment, to name a few, with the potential to have a highly positive impact on the quality of our everyday lives. Their adoption, however, is often almost synonymous with sharing highly intimate data, raising concerns for many.

All of the above stir the data privacy/security debate. How much privacy are we willing to give up and in exchange for what?


Your kids’ A.I. frenemies

In many cases it’s not even just about our data and our security…

For example, the scandal over the recent VTech hack, which exposed the data of 6.4 million children, and the launch of the widely boycotted A.I., Wi-Fi enabled Barbie, designed to engage in dialogue with kids and 'treasure' their secrets, beg the question whether we are really willing to risk not only our own but also our children's sensitive data being revealed, in exchange for a more interactive play experience.

Data collected via high-tech toys could be used not only for commercial reasons but also, for example, to identify the times you leave home to drop your kids off at school.

‘Terrorised’ into sharing data?

In the wake of Paris attacks, European parliament civil liberties committee dropped its opposition to EU counter-terror plan to collect air passengers’ data. Data protection watchdogs described this as “the first large-scale and indiscriminate collection of personal data in the history of the European Union”.

The passing of laws allowing the EU to collect and store our personal data in the name of terrorism prevention means irreversible changes to the extent to which we are surveilled, taking us yet another step closer to the Big Brother scenario.

Nevertheless, it seems like privacy becomes irrelevant to the scared masses.

The UK media is heating up the atmosphere with warnings that a UK terror attack is only a matter of time, and escalating fear by falsely labelling tube fire-alarm incidents 'terrorist' scares; Brits are concerned about their safety. According to Dr David Purves, a psychologist specialising in trauma, "When something dramatic happens, such as the attacks in Paris, something called the 'availability heuristic' kicks in". This means that certain events, such as a terrorist attack, seem more likely than they really are. The UK National Counter Terrorism Security Office (NaCTSO) publishing official advice on how to behave in case of a terror attack, including to 'run or hide rather than lie down and play dead', doesn't necessarily contribute to our sense of security.

In this context, we either choose to turn a blind eye or even support the steps governments and EU institutions take to deprive us of our privacy. The question is whether there is an end to this. Under more severe terrorist threats, how much surveillance are we willing to agree to?

IT health-care?

According to Health Minister Dr Dan Poulter, Britain is on ‘the brink of a personalised healthcare revolution that could scarcely have been predicted a few years ago.’; the NHS is soon to go high-tech with new proposals announced in mid-2015. Within the next five years, UK patients are very likely to be able to use the Internet to order prescriptions or access their health records, as well as speak to their GP. Wearable healthcare devices are also going mainstream, with estimates of 70% of us using them by 2025 (IDC).

A world in which we are much more in control of our wellness, able to constantly track and monitor the state of our health and reach our doctor's expertise through a video call, does sound idyllic.

However, healthcare digitisation also has serious data security implications. Hacked healthcare data could be used for several purposes; imagine your potential employer or insurer using it to assess the state of your health. What if a hacker could tweak your health records?

An NHS spokesman said: ‘Ensuring patient confidentiality is of utmost importance to everyone working in the NHS and the robust processes already in place to ensure that patient data is protected extend to data held electronically’, but let's be realistic: if self-driving cars and the Pentagon are being hacked, wearable health and wellness devices and the NHS are far from 'unhackable'.

Cyber security: The threat from within

Posted on : 30-04-2015 | By : Jack.Rawden | In : Cyber Security


Cyber security, as ever, has been a widely discussed topic at Broadgate over the past few weeks. Numerous cyber-attacks have made the news, from the TV5Monde hack to a recent article in the Financial Times stating that cyber criminals are some of the fastest innovators in technology today.

However, with the focus of attention being outside, the question is: is there an enemy within? Organisations have spent big money and devoted a lot of resource to protecting themselves against external threats, building strong defences with firewalls, anti-virus software, mail filters and numerous other filters. But have they left themselves vulnerable from the inside?

  • What if an employee’s password has been hacked and an intruder is stealing information?
  • What if an employee was accessing sensitive information that they shouldn’t?
  • Are you able to track malware that has already made it past the external defences?

Once a person is past the external defences, the level of access they might get and the potential for misuse is often worrying. Organisations can find it difficult to identify such insider threats, or by the time they have recognised them it may be too late and the leak has already happened. This is made ever harder to monitor by the increasing complexity of an organisation's network: the amount of data stored and the number and type of devices connecting to it make it harder than ever to monitor usage.

Evidence of this can be found in the 2014 Information Security Breaches Survey conducted by PwC. Almost 60% of organisations have encountered staff-related security breaches, and 20% of the worst breaches were caused by deliberate misuse of computer systems.

  • 55% of large businesses were attacked by an unauthorised outsider in the last year
  • 73% of large organisations suffered from infection by viruses or malicious software in the past year
  • 58% of large organisations suffered staff-related security breaches
  • 31% of the worst security breaches in the year were caused by inadvertent human error
  • 20% of the worst security breaches were caused by deliberate misuse of computer systems

More significant, and harder to track, is the damage that may occur to an organisation if a leak does happen. Reputational damage for private organisations could be the most damaging, especially if the breach is widely publicised in the press. With this could come monetary loss through the loss of clients or potential fines from regulators: the Information Commissioner's Office has the power to fine organisations up to £500,000 for the misuse of personal data on UK citizens.

With this threat looming over organisations, what can be done to protect themselves? Solutions present themselves as policy, procedure and innovative technologies that can monitor and identify such misuse. Here are a few pointers:

Effective IT usage policy – Simpler, shorter implementations

  • Establish a person responsible for security
  • Classify data as confidential, internal or public
  • Limit and track access to important documents and files; this should be a deterrent to anyone trying to steal data from inside the network
  • Limit the use of external storage devices such as USB sticks, and limit access to file-sharing sites, including webmail
  • Identify the data “crown jewels”: the data that, if it were to leak, would cause the biggest financial or reputational damage. Ensure these types of files are encrypted, with limited access
  • Customised, role-based training of staff

Monitoring – Medium/long term implementation

  • Use specialist security software to track files and malware entering or leaving the network. Tools such as FireEye or Darktrace use advanced tracking functionality to spot unusual behaviour on a network, both unusual network behaviour and unusual user behaviour.
  • Consider tools such as Dtex, deployed on an individual's PC to monitor behaviour: capturing changes in user patterns (e.g. an employee getting ready to leave the organisation), high-risk behaviour patterns, or finding out what information was lost on a laptop left on a train.
  • Other monitoring solutions, such as Digital Shadows, track data that has left the internal boundary to calculate the amount of exposure you have outside the organisation, even tracking data on social media and the “dark web”.
  • Controlled environment: a four-eyes check of files leaving the network to ensure sensitive files are not being sent externally
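As an added example (not code from the original post, nor from FireEye, Darktrace, Dtex or Digital Shadows), here is the kind of detection logic the two lists above describe, written in Python and run over a handful of constructed audit-log lines: data is classified by path prefix, confidential access outside the user's role is flagged, after-hours access to confidential data is flagged, and a user whose daily access volume jumps well above their own earlier days is flagged (the "employee getting ready to leave" pattern). The log format, paths, users, roles and thresholds are all assumptions made for illustration.

```python
"""Insider-threat detection over a constructed file-access audit log.
Added example, not code from the original post or from any tool it names.
The log format, paths, users, roles and thresholds are all assumed."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median
from typing import NamedTuple

# Data classification by path prefix (assumed). First match wins, so list the
# most specific prefixes first; anything unmatched is treated as "internal".
CLASSIFICATION = {
    "/finance/": "confidential",
    "/hr/": "confidential",
    "/public/": "public",
}

# Role-based access to the crown jewels (assumed policy): a role may touch
# confidential data only under the prefixes listed for it.
ROLE_ALLOWED_CONFIDENTIAL = {
    "finance": ("/finance/",),
    "hr": ("/hr/",),
    "engineering": (),
}
USER_ROLES = {"alice": "finance", "bob": "engineering", "carol": "hr"}

SPIKE_FACTOR = 3           # a day is a spike if > 3x the user's median of earlier days
MIN_BASELINE_DAYS = 2      # earlier days needed before a spike can be judged
WORK_HOURS = range(7, 20)  # 07:00-19:59 counts as working hours


class Event(NamedTuple):
    when: datetime
    user: str
    action: str
    path: str


def parse_line(line: str) -> Event:
    """Constructed log format: '<ISO timestamp> <user> <ACTION> <path>'."""
    ts, user, action, path = line.split(maxsplit=3)
    return Event(datetime.fromisoformat(ts), user, action.upper(), path)


def classify(path: str) -> str:
    for prefix, label in CLASSIFICATION.items():
        if path.startswith(prefix):
            return label
    return "internal"


def out_of_role(ev: Event) -> bool:
    """Confidential access that the user's role does not permit."""
    if classify(ev.path) != "confidential":
        return False
    allowed = ROLE_ALLOWED_CONFIDENTIAL.get(USER_ROLES.get(ev.user), ())
    return not any(ev.path.startswith(p) for p in allowed)


def detect(lines):
    """Return (rule, user, detail) alerts for the three rules described above."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e.when)
    alerts = []
    per_day = defaultdict(Counter)  # user -> {date: number of accesses}
    for ev in events:
        per_day[ev.user][ev.when.date()] += 1
        if out_of_role(ev):
            alerts.append(("OUT_OF_ROLE", ev.user, ev.path))
        if classify(ev.path) == "confidential" and ev.when.hour not in WORK_HOURS:
            alerts.append(("AFTER_HOURS_CONFIDENTIAL", ev.user, ev.path))
    # Volume spike: each day is judged against the user's own earlier days, so a
    # normally quiet account that suddenly bulk-reads a share stands out.
    for user, days in per_day.items():
        ordered = sorted(days.items())
        for i, (day, count) in enumerate(ordered):
            if i < MIN_BASELINE_DAYS:
                continue
            baseline = median(c for _, c in ordered[:i])
            if count > SPIKE_FACTOR * baseline:
                alerts.append(("VOLUME_SPIKE", user, f"{day}: {count} vs median {baseline:g}"))
    return alerts


# Constructed sample: alice (finance) reads a couple of files a day, then on the
# 22nd bulk-copies the finance share and comes back late at night; bob
# (engineering) opens an HR salary file his role does not cover.
SAMPLE_LOG = """
2015-04-20T09:05:00 alice READ /finance/q1-forecast.xlsx
2015-04-20T10:15:00 alice READ /finance/budget.xlsx
2015-04-21T09:30:00 alice READ /finance/q1-forecast.xlsx
2015-04-21T11:00:00 alice WRITE /finance/budget.xlsx
2015-04-21T14:00:00 bob READ /hr/salaries.xlsx
2015-04-21T15:00:00 bob READ /public/handbook.pdf
2015-04-21T15:30:00 carol READ /hr/salaries.xlsx
2015-04-22T09:00:00 alice COPY /finance/q1-forecast.xlsx
2015-04-22T09:01:00 alice COPY /finance/budget.xlsx
2015-04-22T09:02:00 alice COPY /finance/cashflow.xlsx
2015-04-22T09:03:00 alice COPY /finance/payroll.xlsx
2015-04-22T09:04:00 alice COPY /finance/board-pack.pptx
2015-04-22T09:05:00 alice COPY /finance/contracts.zip
2015-04-22T22:40:00 alice COPY /finance/customer-list.csv
"""

if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule:<25} {user:<6} {detail}")
```

Run as a script it prints one line per alert: bob's out-of-role read of the salary file, alice's late-night copy, and alice's volume spike on the 22nd (7 accesses against a median of 2 on her earlier days). Carol reading the same HR file raises nothing, because her role covers that prefix; that is the point of classifying data and tying access to roles first, so the monitoring only has to explain deviations from a stated policy. The thresholds are deliberately crude starting points and would need tuning against real baselines to keep false positives down.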

These types of attack are difficult to stop completely as they revolve around the people using the systems.

However, with better controls and methods to identify unusual activity and misuse, the objective is that potential losses are detected and remediated as quickly as possible.

————————-

Sources

http://journalofaccountancy.com/issues/2014/sep/improve-data-security-201410183.html