GDPR – Are You Ready?

Posted on : 30-04-2018 | By : kerry.housley | In : compliance, Consumer behaviour, Cyber Security, Data, data security, GDPR

Tags: , , , ,

0

It is less than a month until the General Data Protection Regulation (GDPR) comes into force, but after two years of preparation, how many businesses are GDPR ready? The latest flurry of figures suggest that many businesses are nowhere near prepared for the new legislation’s demands that they: re-establish a legal basis for using people’s data (whether that’s consent or otherwise), are able to quickly respond to subject access requests, can delete people’s data if asked to, the list goes on!

So, what does all this mean for your organisation? Well, firstly, there is no need to panic. Hopefully, you have made a start on your compliance journey, even if you’re not going to make the deadline.  Any business that deals with personal data in the UK is currently bound by the terms of the Data Protection Act.  If you comply with the Data Protection Act, then you will have made a great to start towards GDPR compliance. Regardless of GDPR, any business that takes the needs of its customers seriously will already be taking all the appropriate steps to protect its customers information.  Cyber crime and data theft is ever increasing, and organisations must be prepared for a breach and be confident they can deal with it quickly with minimum fall out. Reputational damage can lose you customers and seriously dent your profits.

There has been much GDPR hype over the last few years with talk of extortionate fines and punitive actions should your business fail to comply. The frenzy whipped up by the media and the new GDPR “experts” is unfounded says Elizabeth Denham, the Information Commissioner.  The Information Commissioners Office (ICO) do not intend to start dishing out harsh fines as soon as the regulation comes into place and neither will they target smaller organisations because they will be easier to catch.  The purpose of the ICO has always been to protect peoples’ data and to help business to do this by providing policy and guidance. It follows the carrot before the stick approach and has always viewed issuing large fines as a large resort. Ms Denham has been quoted as saying the implementation of GDPR will not alter this business-friendly approach.

That said, there is no denying the new regulation and the obligations placed upon all business to comply. At this late stage with a round a month to go, all organisations who have not yet addressed GDPR should try to achieve as much as possible in the run up to the 25th May deadline, to build up their compliance and demonstrate that information security is a priority for their business.

  • It is important to show that your organisation takes GDPR seriously and has taken action and has a plan in place to become GDPR ready.
  • Evidence of action taken is crucial.
  • Review all the personal data you hold, where is it, what is it, why do you need it, how long you need to hold it for, and who do you share it with.
  • Identify whether you are the data controller or data processor of this data.
  • Review of all policy and procedures in place around data protection and identify any gaps.
  • Review all contracts, who process personal data on your behalf, update all contracts with a data privacy clause which shows that processor is protecting the data on your behalf as the controller.
  • Demonstrate that you have a tried and tested Incident Response and Data Recovery plans in place should a breach occur.

You’re far less likely to suffer a significant fine if you show documentation of the GDPR compliant processes you have implemented and show a detailed roadmap of achieving anything that you still need to do.

GDPR isn’t all about the race to comply. Once you have tackled your data protection issues your customers will be happy, and you will have minimised the breach of data risk for your organisation. Everyone’s a winner!

Beware the GDPR Hackivist DDoS Threat

Posted on : 28-02-2018 | By : Tom Loxley | In : compliance, Cyber Security, Data, data security, GDPR, Uncategorized

Tags: , , , , , ,

0

Getting GDPReady is on most organisations agenda at the moment, however, what if, after all the effort, cost and times spent becoming compliant with GDPR I told you that you could have opened your organisation up to a serious distributed denial-of-service (DDoS) threat?

Whilst we all know that GDPR is a requirement for all businesses it is largely for the benefit of the public.

For instance, with GDPR individuals now have the right to have their personal data held by organisations revealed or deleted forgotten. Now imagine if masses of people in a focused effort decided to ask for their information at once overwhelming the target organisation. The result could be crippling and in the wrong hands be used as DDoS style attack

Before we go any further let’s just consider for one moment the amount of work, manpower, cost and time involved in processing a request to be forgotten or to produce all information currently held on a single individual. Even for organisations who have mapped their data and stored it efficiently and created a smooth process exactly for this purpose, there is still a lot of effort involved.

Hacktivism is the act of hacking or breaking into a computer system, for a politically or socially motivated purpose, so technically speaking your defences against other cyber attacks would normally protect you. But in this case, hacktivist groups could cause serious damage to an organisation without the need for any technical or cyber expertise and there is even uncertainty as to whether or not it would be illegal.

So, could GDPR requests for data deletion and anonymity be used as a legal method to disrupt organisations? I am not suggesting the occasional request would cause an issue but a coordinated mass of requests, which legally organisations will now be obliged to process, resulting in a DDoS style attack.

Organisations will be trapped by their compliance. What are the alternatives? Don’t comply with GDPR and there are fines of 4% of annual turnover or 20,000,000 euros (whichever is greater). The scary thing here is what is stopping the politically or morally motivated group who takes issue with your company from using this method? It’s easy and low risk for them and potentially crippling to some organisations so why not?

How will the ICO possibly select between the complaints of those organisations genuinely failing to comply with regulation and those which have been engineered for the purpose of a complaint?

With so many organisations still being reported as unprepared for GDPR and the ICO keen to prove GDPR will work and make some early examples of a those who don’t comply to show they mean business; my worry is that there will be a bit of a gold rush of litigation in the first few months after the May 2018 compliance deadline is issued in much the same way as PPI claims have affected the finical services lenders.

For many companies, the issue is that the prospect for preparing for GDPR seems complicated, daunting and the information on the ICO website is sometimes rather ambiguous which doesn’t help matters. The truth is that for some companies it will be far more difficult than for others and finding the help either internally or by outsourcing will be essential in their journey to prepare and implement effective GDPR compliant policy and processes.

Broadgate Consultants can advise and assist you to secure and manage your data, assess and mitigate your risks and implement the right measures and solutions to get your organisation secure and GDPReady.

For further information, please email thomas.loxley@broadgateconsultants.com.

 

GDPR – The Countdown Conundrum

Posted on : 30-01-2018 | By : Tom Loxley | In : Cloud, compliance, Cyber Security, data security, Finance, GDPR, General News, Uncategorized

Tags: , , , , , , , , , , , , ,

0

Crunch time is just around the corner and yet businesses are not prepared, but why?

General Data Protection Regulation (GDPR) – a new set of rules set out from the European Union which aims to simplify data protection laws and provide citizens across all member states with more control over their personal data”

It is estimated that just under half of businesses are unaware of incoming data protection laws that they will be subject to in just four months’ time, or how the new legislation affects information security.

Following a government survey, the lack of awareness about the upcoming introduction of GDPR has led to the UK government to issue a warning to the public over businesses shortfall in preparation for the change. According to the Digital, Culture, Media and Sport secretary Matt Hancock:

“These figures show many organisations still need to act to make sure the personal data they hold is secure and they are prepared for our Data Protection Bill”

GDPR comes into force on 25 May 2018 and potentially huge fines face those who are found to misuse, exploit, lose or otherwise mishandle personal data. This can be as much as up to four percent of company turnover. Organisations could also face penalties if they’re hacked and attempt to hide what happened from customers.

There is also a very real and emerging risk of a huge loss of business. Specifically, 3rd-party compliance and assurance is common practice now and your clients will want to know that you are compliant with GDPR as part of doing business.

Yet regardless of the risks to reputation, potential loss of business and fines with being non-GDPR compliant, the government survey has found that many organisations aren’t prepared – or aren’t even aware – of the incoming legislation and how it will impact on their information and data security strategy.

Not surprisingly, considering the ever-changing landscape of regulatory requirements they have had to adapt to, finance and insurance sectors are said to have the highest awareness of the incoming security legislation. Conversely, only one in four businesses in the construction sector is said to be aware of GDPR, awareness in manufacturing also poor. According to the report, the overall figure comes in at just under half of businesses – including a third of charities – who have subsequently made changes to their cybersecurity policies as a result of GDPR.

If your organisation is one of those who are unsure of your GDPR compliance strategy, areas to consider may include;

  • Creating or improving new cybersecurity procedures
  • Hiring new staff (or creating new roles and responsibilities for your additional staff)
  • Making concentrated efforts to update security software
  • Mapping your current data state, what you hold, where it’s held and how it’s stored

In terms of getting help, this article is a great place to start: What is GDPR? Everything you need to know about the new general data protection regulations

However, if you’re worried your organisation is behind the curve there is still have time to ensure that you do everything to be GDPR compliant. The is an abundance of free guidance available from the National Cyber Security Centre and the on how to ensure your corporate cybersecurity policy is correct and up to date.

The ICO suggests that, rather than being fearful of GDPR, organisations should embrace GDPR as a chance to improve how they do business. The Information Commissioner Elizabeth Denham stated:

“The GDPR offers a real opportunity to present themselves on the basis of how they respect the privacy of individuals, and over time this can play more of a role in consumer choice. Enhanced customer trust and more competitive advantage are just two of the benefits of getting it right”

If you require pragmatic advice on the implementation of GDPR data security and management, please feel free to contact us for a chat. We have assessed and guided a number of our client through the maze of regulations including GDPR. Please contact Thomas.Loxley@broadgateconsultants.com in the first instance.

 

GDPR & Cyber-threats – How exposed is your business?

Posted on : 28-11-2017 | By : Tom Loxley | In : Cloud, compliance, Cyber Security, Data, data security, GDPR

Tags: , , , , , , , , , , , ,

0

With the looming deadline approaching for the ICO enforcement of GDPR it’s not surprising that we are increasingly being asked by our clients to assist in helping them assess the current threats to their organisation from a data security perspective. Cybersecurity has been a core part of our services portfolio for some years now and it continues to become more prevalent in the current threat landscape, as attacks increase and new legislation (with potentially crippling fines) becomes a reality.

However, the good news is that with some advice, guidance, consideration and a little effort, most organisations will find it easy enough to comply with GDPR and to protect itself again well against the current and emerging threats out there.

The question of measuring an organisations threat exposure is not easy. There are many angles and techniques that companies can take, from assessing processes, audit requirements, regulatory posture, perimeter defence mechanisms, end-user computing controls, network access and so on.

The reality is, companies often select the approach that suits their current operating model, or if independent, one which is aligned with their technology or methodology bias. In 99% of cases, what these assessment approaches have in common is that they address a subset of the problem.

At Broadgate, we take a very different approach. It starts with two very simple guiding principles:

  1. What are the more critical data and digital assets that your company needs to protect?
  2. How do your board members assess, measure and quantify secure risks?

Our methodology applies a top-down lens over these questions and then looks at the various inputs into them. We also consider the threats in real-world terms, discarding the “FUD” (Fear, Uncertainty and Doubt) that many service providers use to embed solutions and drive revenue, often against the real needs of clients.

Some of the principles of our methodology are:

  • Top Down – we start with the boardroom. As the requirements to understand, act and report on breaches within a company become more robust, it is the board/C-level executives who need the data on which to make informed decisions.

 

  • Traceability – any methodology should have a common grounding to position it and also to allow for comparison against the market. Everything we assess can be traced back to industry terminology from top to bottom whilst maintaining a vocabulary that resonates in the boardroom.

 

  • Risk Driven – to conduct a proper assessment of an organisations exposure to security breaches, it is vital that companies accurately understand the various aspects of their business profile and the potential origin of threats, both internal and external. For a thorough assessment, organisations need to consider the likelihood and impact from various data angles, including regulatory position, industry vertical, threat trends and of course, the board members themselves (as attacks are more and more personal by nature). Our methodology takes these, and many other aspects, into consideration and applies a value at risk, which allows for focused remediation plans and development of strategic security roadmaps.

 

  • Maturity Based – we map the key security standards and frameworks, such as GDPR, ISO 27001/2, Sans-20, Cyber Essentials etc. from the top level through to the mechanics of implementation. We then present these in a non-technical, business language so that there is a very clear common understanding of where compromises may exist and also the current state maturity level. This is a vital part of our approach which many assessments do not cover, often choosing instead to present a simple black and white picture.

 

  • Technology Best Fit – the commercial success of the technology security market has led to a myriad of vendors plying their wares. Navigating this landscape is very difficult, particularly understanding the different approaches to prevention, detection and response.

At Broadgate, we have spent years looking into what are the best fit technologies to mitigate the threats of a cyber-attack or data breach and this experience forms a cornerstone of our methodology. Your business can also benefit from our V-CISO service to ensure you get an executive level of expertise, leadership and management to lead your organisation’s security. Our mantra is “The Business of Technology”. This applies to all of our products and services and never more so when it comes to really assessing the risks in the security space.

If you would like to explore our approach in more detail, and how it might benefit your company, please contact me at john.vincent@broadgateconsultants.com.

GDPR – Don’t be afraid!

Posted on : 28-02-2017 | By : kerry.housley | In : Cyber Security, Data

Tags: , , , , , ,

0

GDPR comes into effect in May 2018. Type “GDPR” into LinkedIn and you will find a deluge of posts from “experts” offering advice as to how you need to act NOW! Fail to do so and your business will suffer catastrophic consequences.  Some commentators have made comparisons to the Millennium Bug which had consultants jumping over themselves to fix your Y2K problem!

It does seem that maybe we are somewhat being taken in by the FUD again. As organisations ring-fence budgets and on board their new, and often costly, experts I wonder if a lot of them are either frantically reading up or collectively thumb twiddling? (it would be interesting to track how many profiles have been updated to add it as a specialism…)

However, it is of course a serious thing. If we look behind the headlines, there is no doubt that there are some hard facts which make disturbing reading for any business. Take the Talk Talk data breach last year, and the implications of GDPR become clear. Talk Talk was fined a record amount of £400,000 by the Information Commissioner’s Office (ICO), but had the breach happened after May 2018 when the new GDPR rules apply then the fine would potentially have been 70 million euros (under GDPR rules fine is 20 million euros or 4% global annual turnover, whichever is greater).

Traditionally, the ICO has not been keen to impose large fines so the EU rules show a major change in this respect where business will be harshly punished should they fail to comply. Also, GDPR states that should a company suffer a data breach it must be reported in 72 hours.  This will be a tall order for many companies.  According a recent FireEye Report it takes an average of 146 days to discover a breach, and in many cases, it could be years. It took Yahoo 5 years to report a breach!

So, compulsory breach notification and onerous fines will have a significant impact on the business community and should not be taken lightly.

However, if we look behind the headlines, GDPR offers a great opportunity for businesses to review their information security strategy and close any gaps in systems and processes to protect data.

Irrespective of the legislation, clients are increasingly concerned about the security of their data. Any business that cares about its reputation and the needs of its clients and employees should be paying attention anyway to protecting its data. Data privacy and protection should be part of business as usual operations and not viewed as just another compliance requirement.

The first thing any company should do is find out exactly what data they hold and where it is stored.  You need to know how this data is used and who is using it. Processes must be in place to ensure easy access and the ability to delete when you no longer have the authority to retain it.

If you have any suppliers that use your data, then they too must comply. For companies with a large supply chain it is important to have systems and processes in place to manage the data risk. Having a supplier management system in place to manage this risk is essential.

In order to comply with Data Protection legislation, it is imperative that companies can demonstrate that they take data protection seriously and can show clearly the steps they take to safeguard that data. Having data protection policies and processes in place is a good start. Using a GDPR audit tool or a supplier management system are an effective way of demonstrating the steps you have taken whilst providing an audit trail which can be reviewed at any point in time.

Information security is an ever-moving target. It is not possible to guarantee breach prevention, but there are many ways in which the likelihood and impact can be significantly reduced.

If you would like a balanced view on the impacts of GDPR (without any doomsday predictions), the practical steps to be ready or discuss governance and tooling which can help, please contact us.

5 Minutes with Isabella De Michelis Di Slonghello, founder and CEO of Hi Pulse

Posted on : 28-06-2016 | By : richard.gale | In : 5 Minutes With, Featured Startup, Innovation

Tags: , , , ,

0

Isabella De Michelis Di Slonghello, CEO and founder of Hi Pulse, a fintech firm focusing on privacy preferences management. Isabella previously was Vice President for Technology Strategy at Qualcomm.

What gets you out of bed in the morning?

I’m a Mum on duty and an entrepreneur launching a new technology business. It’s a real challenge to match and deliver on both fronts. As (at High Pulse) we are in the development phase of the product and it’s an internet service, which will boost consumers privacy, I have taken a lot of inspiration in talking to my children when we designed the requirements. Not surprisingly, they returned very constructive feedback showing they are fully aware of the internet economics and of the so called free-internet model functioning. They are 9 and 13 years old. So I take this as a good sign of maturity of how younger generation are looking at the internet: a wonderful experience on condition to remember what the rules of the game are.

For several years you have worked in Government Affairs… the EU is now taking major steps to strengthen data protection, such as the GDPR – what changes should we expect in the next couple of years? In your opinion, is GDPR sufficient?

I consider the adoption of GDPR a pivotal step in the construction of the digital world of the future. Many are the challenges to its implementation, however the goals set forth in the Regulation are achievable and companies shall start immediately looking into what the new requirements set. I hope other jurisdictions in the world will get inspired from the GDPR. I sense that some players in the market may feel uncomfortable with some of the provisions and in particular, with those which relates to “enforcement”. However, a strong enforcement scheme is what will trigger a much more solid and consumer friendly environment and this is really highly welcome.

Based on your experience as Vice President and Managing Director at Qualcomm Europe and VP Technology Policy Strategy (EMEA) at Qualcomm Technologies, what advice would you offer to women aspiring to leadership positions within the IT/tech industries?

Leadership positions are always open for women who want to take on opportunities in IT/tech as in every other industry. But it requires a high level of commitment, a great dose of energy and the openness to understand that finding a mentor and building your own network of influence are as important steps as distinguishing yourself by skills like executing, partnering and communicating.

In your opinion, how can we get more girls into IT?

It’s a public policy imperative. Computer science programming should become a basic competence from elementary schools onward and be taught to boys and girls at the same time. There would be lot more girls in IT if coding would be treated for what it is – a basic learning tool like, maths and physics.

Which tech innovations/trends are you the most excited about?

Bringing internet connectivity to the next 4 bn people in the world is one of the greatest objectives which I would like to see realized in coming years. Technology innovation in that space has lot of potential. Applications in personalized health have also strong potential. I expect big data to be a big contributor to future trends and financial technology to really take a boost in coming years.