GDPR – A Never Ending Story

Posted on : 28-06-2018 | By : richard.gale | In : compliance, Consumer behaviour, Cyber Security, Data, data security, GDPR


For most of us, the run up to the implementation of GDPR meant that we were overwhelmed by privacy notices and emails begging us to sign up to mailing lists. A month on, what is the reality of this regulation and what does it mean for businesses and their clients?

There was much agonising by companies who were racing to comply, concerned that they would not meet the deadline and worried what the impact of the new rules would mean for their business.

If we look at the regulation from a simple, practical level all GDPR has done is to make sure that people are aware of what data they hand over and can control how it’s used. That should not be something new.

Understanding where data is and how it is managed correctly is not only fundamental to regulatory compliance and customer trust, but also to providing the highly personalised and predictive services that customers crave. Therefore, the requirements of regulation are by no means at odds with the strategies of data-driven finance firms, but in fact are perfectly in tune.

Having this knowledge is great for business as clients will experience a more transparent relationship and with this transparency comes trust. Businesses may potentially have a smaller customer base to market to, but this potential customer base will be more willing and engaged which should lead to greater sales conversion.

The businesses that will see a negative impact will be the companies that collect data by tricking people with dubious tactics. The winners will be the companies that collect data in open and honest ways, then use that data to clearly benefit customers. Those companies will deliver good experiences that foster loyalty. Loyalty drives consumers to share more data. Better data allows for an even better, more relevant customer experience.

If we look at the fundamentals of financial services, clients are often handing over their life savings, which they are entrusting to companies to nurture and grow. Regardless of GDPR, businesses shouldn’t rely on regulation to keep their companies in check but should instead always have customer trust at the top of their agenda. No trust means no business.

The key consideration is what you can offer that will inspire individuals to want to share their data.

Consumers willingly give their financial data to financial institutions when they become customers. An investment company may want to ask each prospect how much money she is looking to invest, what her investment goal is, what interests she has and what kind of investor she is. If these questions are asked “so we can sell to you better,” it is unlikely that the prospect will answer or engage. But, if these questions are asked “so that we can send you a weekly email that describes an investment option relevant to you and includes a few bullets on the pros and cons of that option,” now the prospect may happily answer the questions because she will get something from the exchange of data.

Another advantage of GDPR is the awareness requirement. All companies must ensure that their staff know about GDPR and understand the importance of data protection. This is a great opportunity to review your policies and procedures and to address the company culture around client information and how it should be protected. With around 50% of security breaches being caused by careless employees, the reputational risks and potential damage to customer relationships are significant, as are the fines that can be levied by the ICO for privacy breaches.

Therefore, it is important to address the culture to make sure all staff take responsibility for data security and the part that they play. Whilst disciplinary codes may be tightened up to make individuals more accountable, forward thinking organisations will take this opportunity to positively engage with staff and reinforce a culture of genuine customer care and respect.

A month on, it is important to stress that being GDPR ready is not the same as being done! Data protection is an ongoing challenge requiring regular review and updates in a fast-moving threat environment.

With some work upfront, GDPR is a chance to clean your data and review your processes to make everything more streamlined, benefiting both your business and your clients.

Everyone’s a winner!

 

kerry.housley@broadgateconsultants.com

 

GDPR – The Countdown Conundrum

Posted on : 30-01-2018 | By : Tom Loxley | In : Cloud, compliance, Cyber Security, data security, Finance, GDPR, General News, Uncategorized


Crunch time is just around the corner and yet businesses are not prepared, but why?

“General Data Protection Regulation (GDPR) – a new set of rules set out by the European Union which aims to simplify data protection laws and provide citizens across all member states with more control over their personal data”

It is estimated that just under half of businesses are unaware of incoming data protection laws that they will be subject to in just four months’ time, or how the new legislation affects information security.

Following a government survey, the lack of awareness about the upcoming introduction of GDPR has led the UK government to issue a warning to the public over businesses’ shortfall in preparation for the change. According to the Digital, Culture, Media and Sport Secretary Matt Hancock:

“These figures show many organisations still need to act to make sure the personal data they hold is secure and they are prepared for our Data Protection Bill”

GDPR comes into force on 25 May 2018, and potentially huge fines face those who are found to misuse, exploit, lose or otherwise mishandle personal data: as much as four percent of company turnover. Organisations could also face penalties if they’re hacked and attempt to hide what happened from customers.

There is also a very real and emerging risk of a huge loss of business. Third-party compliance and assurance is common practice now, and your clients will want to know that you are compliant with GDPR as part of doing business.

Yet regardless of the risks to reputation, potential loss of business and fines for being non-GDPR compliant, the government survey has found that many organisations aren’t prepared for – or aren’t even aware of – the incoming legislation and how it will impact their information and data security strategy.

Not surprisingly, considering the ever-changing landscape of regulatory requirements they have had to adapt to, the finance and insurance sectors are said to have the highest awareness of the incoming security legislation. Conversely, only one in four businesses in the construction sector is said to be aware of GDPR, and awareness in manufacturing is also poor. According to the report, just under half of businesses overall – and a third of charities – have subsequently made changes to their cybersecurity policies as a result of GDPR.

If your organisation is one of those unsure of its GDPR compliance strategy, areas to consider may include:

  • Creating or improving new cybersecurity procedures
  • Hiring new staff (or creating new roles and responsibilities for your additional staff)
  • Making concentrated efforts to update security software
  • Mapping your current data state, what you hold, where it’s held and how it’s stored

In terms of getting help, this article is a great place to start: What is GDPR? Everything you need to know about the new general data protection regulations

However, if you’re worried your organisation is behind the curve, there is still time to ensure that you do everything to be GDPR compliant. There is an abundance of free guidance available from the National Cyber Security Centre and others on how to ensure your corporate cybersecurity policy is correct and up to date.

The ICO suggests that, rather than being fearful of GDPR, organisations should embrace GDPR as a chance to improve how they do business. The Information Commissioner Elizabeth Denham stated:

“The GDPR offers a real opportunity to present themselves on the basis of how they respect the privacy of individuals, and over time this can play more of a role in consumer choice. Enhanced customer trust and more competitive advantage are just two of the benefits of getting it right”

If you require pragmatic advice on the implementation of GDPR data security and management, please feel free to contact us for a chat. We have assessed and guided a number of our clients through the maze of regulations, including GDPR. Please contact Thomas.Loxley@broadgateconsultants.com in the first instance.

 

Could You Boost Your Cybersecurity With Blockchain?

Posted on : 28-11-2017 | By : Tom Loxley | In : Blockchain, Cloud, compliance, Cyber Security, Data, data security, DLT, GDPR, Innovation


Securing your data, the smart way

 

The implications of blockchain technology are being felt across many industries; in fact, the disruptive effect it’s having on Financial Services is changing the fundamental ways we bank and trade. Its presence is also impacting Defence, Business Services, Logistics and Retail; you name it, the applications are endless, although not all blockchain applications are practical or worth pursuing. Like all things which have genuine potential and value, they are accompanied by the buzzwords, trends and fads that also undermine them as many try to jump on the bandwagon and cash in on the hype.

However, one area where tangible progress is being made and where blockchain technology can add real value is in the domain of cybersecurity and in particular data security.

Your personal information and data are valuable, and therefore worth stealing and worth protecting, and many criminals are working hard to exploit this. In the late 90s data collection began to ramp up with the popularity of the internet, and now the hoarding of our personal and professional data has reached fever pitch. We live in the age of information, and information is power. It directly translates to value in the digital world.

However, some organisations, public sector and private sector alike, have dealt with our information in such a flippant and negligent way that they don’t even know what they hold, how much they have, or where or how it is stored.

Lists of our information are emailed to multiple people on spreadsheets, downloaded and saved on to desktops, copied, chopped, pasted, formatted into different document types, uploaded on to cloud storage systems, then duplicated in CRMs (customer relationship management systems) and so on… are you lost yet? Well, so is your information.

This negligence doesn’t happen with any malice or negative intent but simply through a lack of awareness and a lack of process or procedure around data governance (or a failure to implement what process and procedure do exist).

Human nature dictates that we take the easiest route. Combine this with deadlines needing to be met and a reluctance to delete anything in case we need it later, and we end up with information being continually copied, replicated and stored in every nook and cranny of hard drives, networks and clouds until we don’t know what is where anymore. As if this wasn’t bad enough, it also makes the information nearly impossible to secure.

In fact, for most, it’s just easier to buy more space in your cloud or buy a bigger hard drive than it is to maintain a clean, data-efficient network.

Big budgets aren’t the key to securing data either. Equifax is still hurting from an immense cybersecurity breach earlier this year, during which cybercriminals accessed the personal data of approximately 143 million U.S. Equifax consumers. Equifax isn’t the only one: if I were able to list all the serious data breaches over the last year or two you’d end up both scarred by and bored with the sheer amount. The scale makes this hard to comprehend: the amounts of money criminals have ransomed out of companies and individuals, the amount of data stolen, and even the number of companies who’ve been breached are all huge and growing.

So it’s no surprise that anything in the tech world that can vastly aid cybersecurity and in particular securing information is going to be in pretty high demand.

Enter blockchain technology

 

The beauty of a blockchain is that it kills two birds with one stone, controlled security and order.

Blockchains provide immense benefits when it comes to securing our data (the blockchain technology that underpins the cryptocurrency Bitcoin has never been breached since its inception over 8 years ago).

Blockchains store their data on an immutable record: once the data is stored, it’s not going anywhere. Each block (or piece of information) is cryptographically chained to the next block in chronological order. Multiple copies of the blockchain are distributed across a number of computers (or nodes), so if an attempted change is made anywhere on the blockchain all the nodes become aware of it.

For a new block of data to be added, there must be a consensus amongst the other nodes (on a private blockchain the number of nodes is up to you). This means that once information is stored on the blockchain, in order to change or steal it you would have to reverse engineer near-unbreakable cryptography (perhaps hundreds of times, depending on how many other blocks of information were stored after it), and then do that on every other node that holds a copy of the blockchain.

That means that when you store information on a blockchain it is all transparently monitored and recorded. Another benefit of using blockchains for data security is that private blockchains are permissioned, so accountability and responsibility are enforced by definition, and in my experience when people become accountable for what they do they tend to care a lot more about how they do it.
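The chaining and multi-node detection described above, as an added toy example that is not the article’s code, Gospel’s product or Bitcoin’s real format: each block’s hash covers the previous block’s hash, so altering one block breaks every later link, a forger must rewrite every block after it, and the other nodes (assumed here to compare the hash of their latest block by simple majority) still outvote the altered copy. The ledger records are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List

# Toy hash-chained ledger (constructed for illustration, not a real blockchain;
# proof-of-work, signatures and networking are deliberately omitted).


@dataclass(frozen=True)
class Block:
    index: int
    data: str
    prev_hash: str

    def hash(self) -> str:
        # The hash covers prev_hash, which is what chains the blocks together:
        # change any block and every later block's prev_hash no longer matches.
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


def build_chain(records: List[str]) -> List[Block]:
    chain = [Block(0, "genesis", "0" * 64)]
    for i, rec in enumerate(records, start=1):
        chain.append(Block(i, rec, chain[-1].hash()))
    return chain


def first_broken_link(chain: List[Block]) -> int:
    """Index of the first block whose prev_hash does not match the recomputed
    hash of its predecessor, or -1 if the chain is intact."""
    for i in range(1, len(chain)):
        if chain[i].prev_hash != chain[i - 1].hash():
            return i
    return -1


def tamper(chain: List[Block], index: int, new_data: str) -> List[Block]:
    """Copy of the chain with one block's data silently altered (what a
    careless or malicious edit to a stored record looks like)."""
    altered = list(chain)
    b = altered[index]
    altered[index] = Block(b.index, new_data, b.prev_hash)
    return altered


def rechain_from(chain: List[Block], index: int) -> List[Block]:
    """What a forger must do after tampering: recompute every later link.
    The number of blocks rewritten is len(chain) - index - 1."""
    fixed = list(chain[: index + 1])
    for b in chain[index + 1:]:
        fixed.append(Block(b.index, b.data, fixed[-1].hash()))
    return fixed


def head_hash(chain: List[Block]) -> str:
    return chain[-1].hash()


def outvoted_nodes(copies: List[List[Block]]) -> List[int]:
    """Simple majority consensus across node copies (an assumption of this toy,
    not any specific product's protocol): indexes of nodes whose head hash
    disagrees with the most common head hash."""
    heads = [head_hash(c) for c in copies]
    majority = max(set(heads), key=heads.count)
    return [i for i, h in enumerate(heads) if h != majority]


if __name__ == "__main__":
    records = ["acct 1: +100", "acct 2: +50", "acct 1: -30"]  # constructed
    honest = build_chain(records)
    print("intact chain, broken link at:", first_broken_link(honest))
    bad = tamper(honest, 1, "acct 2: +5000")
    print("after editing block 1, broken link at:", first_broken_link(bad))
    forged = rechain_from(bad, 1)
    print("after rewriting later blocks, broken link at:", first_broken_link(forged))
    print("nodes disagreeing with majority:", outvoted_nodes([honest, honest, forged]))
```

Even after the forger repairs every later link on its own copy, the head hash differs from the honest copies, which is why the edit must also be repeated on every other node to go unnoticed.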

One company that has taken the initiative in this space is Gospel Technology. Gospel Technology has taken the security of data a step further than simply storing information on a blockchain, they have added another clever layer of security that further enables the safe transfer of information to those who do not have access to the blockchain. This makes it perfect for dealing with third parties or those within organisations who don’t hold permissioned access to the blockchain but need certain files.

One of the issues with blockchains is the user interface. It’s not always pretty or intuitive, but Gospel has also taken care of this with a simple and elegant platform that makes data security easy for the end user. The company describes their product Gospel® as an enterprise-grade security platform, underpinned by blockchain, that enables data to be accessed and tracked with absolute trust and security.

The applications for Gospel are many and it seems that in the current environment this kind of solution is a growing requirement for organisations across many industries, especially with the new regulatory implications of GDPR coming to the fore and the financial penalties for breaching it.

From our point of view as a consultancy in the Cyber Security space, we see the genuine concern and need for clarity, understanding and assurance among our clients and the organisations that we speak to on a daily basis. The realisation that data and cyber security is now something that can’t be taken lightly has begun to hit home. The issue for most businesses is that there are so many solutions out there it’s hard to know what to choose, and so many threats that trying to stay on top of it without dedicated staff is nearly impossible. However, the good news is that there are good quality solutions out there, and with a little effort and guidance and a considered approach to your organisation’s security you can turn back the tide on data security and protect your organisation well.

5 Minutes with Isabella De Michelis Di Slonghello, founder and CEO of Hi Pulse

Posted on : 28-06-2016 | By : richard.gale | In : 5 Minutes With, Featured Startup, Innovation


Isabella De Michelis Di Slonghello is CEO and founder of Hi Pulse, a fintech firm focusing on privacy preferences management. Isabella was previously Vice President for Technology Strategy at Qualcomm.

What gets you out of bed in the morning?

I’m a Mum on duty and an entrepreneur launching a new technology business. It’s a real challenge to match and deliver on both fronts. As (at Hi Pulse) we are in the development phase of the product, and it’s an internet service which will boost consumers’ privacy, I have taken a lot of inspiration from talking to my children when we designed the requirements. Not surprisingly, they returned very constructive feedback showing they are fully aware of internet economics and of how the so-called free-internet model functions. They are 9 and 13 years old. So I take this as a good sign of maturity in how the younger generation is looking at the internet: a wonderful experience, on condition that they remember what the rules of the game are.

For several years you have worked in Government Affairs… the EU is now taking major steps to strengthen data protection, such as the GDPR – what changes should we expect in the next couple of years? In your opinion, is GDPR sufficient?

I consider the adoption of GDPR a pivotal step in the construction of the digital world of the future. Many are the challenges to its implementation; however, the goals set forth in the Regulation are achievable, and companies should start immediately looking into what the new requirements set out. I hope other jurisdictions in the world will be inspired by the GDPR. I sense that some players in the market may feel uncomfortable with some of the provisions, in particular those which relate to “enforcement”. However, a strong enforcement scheme is what will trigger a much more solid and consumer-friendly environment, and this is really highly welcome.

Based on your experience as Vice President and Managing Director at Qualcomm Europe and VP Technology Policy Strategy (EMEA) at Qualcomm Technologies, what advice would you offer to women aspiring to leadership positions within the IT/tech industries?

Leadership positions are always open for women who want to take on opportunities in IT/tech, as in every other industry. But it requires a high level of commitment, a great dose of energy and the openness to understand that finding a mentor and building your own network of influence are as important as distinguishing yourself by skills like executing, partnering and communicating.

In your opinion, how can we get more girls into IT?

It’s a public policy imperative. Computer science programming should become a basic competence from elementary school onward and be taught to boys and girls at the same time. There would be a lot more girls in IT if coding were treated for what it is: a basic learning tool like maths and physics.

Which tech innovations/trends are you the most excited about?

Bringing internet connectivity to the next 4 bn people in the world is one of the greatest objectives which I would like to see realised in the coming years. Technology innovation in that space has a lot of potential. Applications in personalised health also have strong potential. I expect big data to be a big contributor to future trends and financial technology to really get a boost in the coming years.

Insurance companies and their Cyber Insecurity

Posted on : 26-02-2016 | By : kerry.housley | In : Cyber Security, Finance


In October 2015 all UK insurers were asked to provide details of their cyber resilience to the Prudential Regulation Authority. The Bank of England has been concerned about UK financial institutions’ cyber resilience for some time now and has extended that focus to the insurance sector. The regulator is keen to understand the current policies and capabilities of the insurers and the steps they are taking to protect their information. Should they be found to have inadequate measures in place, strong action will be taken against them.

Information security is also a key focus for the FCA (Financial Conduct Authority). They are particularly worried about insurance companies due to the nature of their business, which involves large volumes of personal data. The biggest fines for data breaches so far imposed by the FCA are on insurance businesses, highlighting the reason for the regulator’s intense concern.

Insurance information is particularly attractive to hackers because of the number of highly personal individual details insurers hold. The Anthem healthcare insurer was breached last year and is reported to have lost the personal information records of 80 million customers and employers.

Health care breaches in particular are on the rise, as there is a lucrative resale market for these types of records. While credit card details typically trade at $10, insurance data typically trades at $100. The US government is so concerned about its insurance companies’ lack of preparedness that the National Association of Insurance Commissioners has set up a Cyber Security Taskforce to tackle the issue.

European policymakers are yet to agree the final provisions of the new General Data Protection Regulation. However, the new Regulation means that data privacy issues should now be a key concern for all insurers and they should be prepared to review and amend their data protection programmes. In general, regulation is likely to become increasingly formalised and more rigorous in its application.

The rise of big data presents opportunities to offer more creative, competitive pricing and, importantly, to predict customers’ behaviour. This is great news for insurers but a concern for the Information Commissioner’s Office (ICO). The ICO monitors how firms respond to subject access requests and handle complaints, and firms will be invited to undergo an audit if the ICO has concerns. Compared with other EU Member States, such as France and Italy, the UK carries out relatively few audits.

However, this too is changing. The FCA has announced that it is conducting a market study into how insurance firms use big data. Big data raises the possibility that an individual’s circumstances may not be factored into an insurance risk assessment. As part of its market study, the FCA may examine whether such an approach is contrary to Principle 6 of its Principles for Businesses, which requires that firms treat their customers fairly. Depending on the outcome of the review, the FCA may introduce specific consumer protection measures for the use of big data in underwriting.

Compliance measures will need to be reviewed and a risk assessment undertaken in order to implement appropriate security measures. These measures need to be documented and made available to regulators on request.

An insurance professional was recently reported as saying that most companies in the global market are not compliant with international standards. Many firms have no incident response plans in place to let their customers know that a breach has occurred. They are simply ill prepared for a data breach incident that is inevitable. A survey by technology company Xchanging in November 2015 reported that only one third of insurers in the London market believed that they could withstand a major cyber attack. As in all areas of business, customers will be increasingly concerned about the cyber security of a company offering services. Failure to demonstrate good cyber security will mean failure to win new customers.

2016 looks like being the year that the insurance industry will be forced to take cyber security more seriously and make it a top priority for the board.

THE NEXT BANKING CRISIS? TOO ENTANGLED TO FAIL…

Posted on : 29-10-2015 | By : Jack.Rawden | In : Finance


Many miles of newsprint (& billions of pixels) have been generated discussing the reasons for the near collapse of the financial system in 2008. One of the main reasons cited was that each of the ‘mega’ banks had such a large influence on the market that they were too big to fail: a crash of one could destroy the entire banking universe.

Although the underlying issues still exist (there are a small number of huge banking organisations), vast amounts of time and legislation have been focused on reducing the risks of these banks by forcing them to hoard capital to reduce the external impact of failure. An unintended consequence of this has been that banks are less likely to lend, constricting firms’ ability to grow and so slowing the recovery, but that’s a different story.

We think the focus on capital provisions and risk management, although positive, does not address the fundamental issues. The banking system is so interlinked and entwined that one part failing can still bring the whole system down.

Huge volumes of capital are being moved around on a daily basis, and there are trillions of dollars ‘in flight’ at any one time. Most of this is passing between banks or divisions of banks. One of the reasons for the collapse of the UK part of Lehman’s was that it sent billions of dollars (used to settle the next day’s obligations) back to New York each night. On the morning of 15th September 2008 the money did not come back from the US and the company shut down. The intraday flow of capital is one of the potential failure points with the current systems.

Money goes from one trading organisation to another in return for shares, bonds, derivatives or FX, but the process is not instant; there are usually other organisations involved along the way, and the money and/or securities are often in the possession of different organisations at different points in that process.

This “counterparty risk” is now one of the areas that banks and regulators are focusing on. What would happen if a bank performing an FX transaction on behalf of a hedge fund stopped trading? Where would the money go? Who would own it and, as importantly, how long would it take for the true owner to get it back? The other side of the transaction would still be in flight, so where would the shares/bonds go? Assessing the risk of a counterparty defaulting whilst ensuring the trading business continues is a finely balanced tightrope walk for banks and other trading firms.

So how do organisations and governments protect against this potential ‘deadly embrace’?

Know your counterparty: this has always been important and is a standard part of any due diligence for trading organisations. What is just as important is:

Know the route and the intermediaries involved: companies need as much knowledge of the flow of money, collateral and securities as they do of the end points. How are the transactions being routed, and who holds the trade at any point in time? Some of these flows will only pause for seconds with one firm, but there is always a risk of breakdown or failure of an organisation, so ‘knowing the flow’ is as important as knowing the client.

Know the regulations: of course trading organisations spend time on understanding the regulatory framework, but in cross-border transactions especially there can be gaps, overlaps and multiple interpretations of these regulations, with each country or trade body having a different interpretation of the rules. Highlighting these and having a clear understanding of the impact and process ahead of an issue is vital.

Understand the impact of timing and time zones: trade flows can generally run 24 hours a day, but markets are not always open in all regions, so money or securities can get held up in unexpected places. Again, making sure there are processes in place to overcome these snags and delays along the way is critical.

Trading is getting more complex, more international, more regulated and faster. All these present different challenges to trading firms and their IT departments. We have seen some exciting and innovative projects with some of our clients and we are looking forward to helping others with the implementation of systems and processes to keep the trading wheels oiled…

NEW Broadgate Product Launch: “Assurity”

Posted on : 30-06-2015 | By : john.vincent | In : Cyber Security, Innovation


Since forming Broadgate in 2008 we’ve helped a number of our clients in addressing the challenges posed by the increased internal and external security threat to their organisation and data. Our projects have included deployment of Malware threat platforms, Data Loss Prevention implementation, Cyber Intelligence and Identity and Access Management solutions.

Our experience during this time was that there is a need for a more business-focused approach, so we developed our own assessment methodology, which we have now officially launched as a product called ASSURITY. The product addresses three key challenges facing us today:

1) Understanding your business critical assets

2) Calculating your risk exposure

3) Prioritising areas requiring focus and investment

The product is differentiated in the market through not only the comprehensive inputs and modelling, but also by providing quantitative analysis in the form of a Cyber Value at Risk.

 

ASSURITY is a three-step process, as outlined below:

Assurity assessment methodology

Step 01

We profile the organisation from many different data points. This is a critical part of the process as it allows for a more meaningful assessment of the actual risk. C-level executives can use the product to inform their change programme and investment decisions. It is an iterative approach during which the relative weightings for each criterion are reviewed and discussed with the client to understand carefully the business risk appetite.

Step 02

The assessment is conducted by ingesting a number of different sources from documented artefacts, processes, data and technology into the Assurity product. From this we can assess the current maturity level, a quantified risk level, the potential impact to an organisation of a data breach or security event and also the likelihood of it occurring.

Step 03

The results of the assessment are presented in a form which clearly shows the focus areas for investment or change, and where the organisation is already protected at the appropriate level. We map the results to the GCHQ 10 Steps for security and translate them into language which allows C-level executives to make informed decisions.

What are the benefits of ASSURITY?

1) Information security assurance – Demonstrating to your clients, suppliers, regulators, shareholders and insurers

2) Optimising security budgets – Avoiding unnecessary investments typically results in a 30% reduction in redundant operational security expenditure, support and maintenance

3) Qualified cyber value at risk – Financial value of corporate assets at risk is defined for input into broader business risk modelling

4) Improved compliance – Security health check defines current information security level

 

In the ASSURITY report, we focus on four main areas:

 

Cyber At Risk Score

The Cyber At Risk Score takes a number of internal and external feeds to create a value from which organisations can have a more informed discussion regarding the likelihood of a security breach. We use this across the product to help quantify the impacts against the profile of the organisation.

Gap Analysis against Target Maturity

During the profiling stage we determine the appropriate maturity benchmark for the organisation. This can be based on the internal risk appetite, industry average or other determining factors, and is used to identify shortfalls and strengths and to focus attention and investments.

Maturity Assessment Heatmap

Here we plot the scores from the 10 assessment areas against the likelihood and impact of an event. Importantly, we also assign a quantified value at risk, determined from the profiling exercise and the current maturity level, so that C-level executives can target and prioritise the investment areas.

Strategic Roadmap

The output of the ASSURITY product also forms the basis for the required change programme. We split the initiatives into Quick Wins, which have the most immediate impact or target the most vulnerable areas, and a long-term remediation plan with ongoing continuous improvement projects to reach the required target baseline.
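To make the gap analysis, heatmap and value-at-risk ranking above concrete, here is a small model of that arithmetic. It is an added example and is not code from the ASSURITY product: the ten areas are named after the GCHQ 10 Steps, and every maturity score, probability, loss figure and band threshold is constructed for illustration rather than taken from any client.

```python
"""
Added example, not code from Broadgate's ASSURITY product: a small model of
the gap-against-target-maturity, likelihood/impact heatmap and value-at-risk
ranking the post describes. The ten areas are named after the GCHQ 10 Steps;
every maturity score, probability, loss figure and threshold is constructed
for illustration and is an assumption, not real client data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Area:
    name: str
    maturity: int        # current maturity, 1 (ad hoc) .. 5 (optimised)
    likelihood: float    # assumed annual probability of a damaging event in this area
    impact_gbp: float    # assumed loss in GBP if it happens, from the profiling exercise


# Assumed benchmark agreed with the client during profiling.
TARGET_MATURITY = 4

# Constructed assessment for a fictional organisation.
ASSESSMENT = [
    Area("Risk Management Regime",        3, 0.10, 2_000_000),
    Area("Secure Configuration",          2, 0.30,   500_000),
    Area("Network Security",              4, 0.20, 1_500_000),
    Area("Managing User Privileges",      2, 0.25, 3_000_000),
    Area("User Education and Awareness",  3, 0.40,   400_000),
    Area("Incident Management",           2, 0.15, 2_500_000),
    Area("Malware Prevention",            4, 0.35,   600_000),
    Area("Monitoring",                    1, 0.30, 2_000_000),
    Area("Removable Media Controls",      3, 0.10,   300_000),
    Area("Home and Mobile Working",       2, 0.20,   800_000),
]


def maturity_gap(area, target=TARGET_MATURITY):
    """Levels still to climb to reach the benchmark; 0 if already at or above it."""
    return max(0, target - area.maturity)


def expected_loss(area):
    """Quantified value at risk for one area: likelihood x impact, in GBP."""
    return round(area.likelihood * area.impact_gbp, 2)


def total_value_at_risk(areas):
    """Sum of the per-area figures: the number that feeds wider business risk modelling."""
    return round(sum(expected_loss(a) for a in areas), 2)


def heatmap_cell(area, likelihood_cuts=(0.15, 0.30), impact_cuts=(500_000, 1_500_000)):
    """Place an area on a 3x3 likelihood/impact grid: (1, 1) is low/low, (3, 3) high/high.
    The band thresholds are assumptions; a real engagement sets them during profiling."""
    def band(value, cuts):
        return 1 + sum(value >= cut for cut in cuts)
    return band(area.likelihood, likelihood_cuts), band(area.impact_gbp, impact_cuts)


def rank_investments(areas, target=TARGET_MATURITY):
    """Focus areas: everything below target maturity, highest value at risk first.
    Returns (name, maturity gap, value at risk) tuples; ties break on name."""
    below = [a for a in areas if maturity_gap(a, target) > 0]
    ranked = sorted(below, key=lambda a: (-expected_loss(a), a.name))
    return [(a.name, maturity_gap(a, target), expected_loss(a)) for a in ranked]


def protected_areas(areas, target=TARGET_MATURITY):
    """Areas already at or above the benchmark: protected at the appropriate level."""
    return sorted(a.name for a in areas if maturity_gap(a, target) == 0)


if __name__ == "__main__":
    print(f"Total value at risk: GBP {total_value_at_risk(ASSESSMENT):,.0f}")
    for name, gap, loss in rank_investments(ASSESSMENT):
        area = next(a for a in ASSESSMENT if a.name == name)
        print(f"{name:30} gap {gap}  heatmap {heatmap_cell(area)}  value at risk GBP {loss:>10,.0f}")
    print("Protected at appropriate level:", ", ".join(protected_areas(ASSESSMENT)))
```

With these constructed figures the ranking puts Managing User Privileges and Monitoring at the top: both sit two or more levels below target and carry the largest expected loss, which is the shape of a Quick Win. Network Security and Malware Prevention drop out of the investment list because they already meet the benchmark, even though their raw likelihoods are not low; that separation of "where to invest" from "where we are already protected" is the point of plotting gap and value at risk together rather than likelihood alone.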


The ASSURITY product differs from other methodologies by offering the most complete and accurate assessment that organisations can undertake to really understand their security risk exposure.

If you would like to find out more about the product and to arrange a demo, please contact jo.rose@broadgateconsultants.com or call 0203 326 8000 to speak to one of our security consultants.


The security threat: Do you know your real business risk?

Posted on : 31-03-2015 | By : john.vincent | In : Cyber Security


We are increasingly asked by our clients to assist in assessing the current threats to their organisation from a security perspective. Indeed, this is now a core part of our services portfolio.

Measuring an organisation's threat exposure is not easy. There are many angles and techniques that companies can take, from assessing processes, audit requirements, regulatory posture, perimeter defence mechanisms, end user computing controls, network access and so on.

In reality, companies often select the approach that suits their current operating model or, if independent, one aligned with their technology or methodology bias. In 99% of cases, what these assessment approaches have in common is that they address only a subset of the problem.

At Broadgate we take a very different approach. It starts with two very simple guiding principles:

  1. What are the most critical data and digital assets that your company needs to protect?
  2. How do your board members assess, measure and quantify security risks?

Our methodology applies a top down lens over these questions and then looks at the various inputs into them. We also consider the threats in real world terms, discarding the “FUD” (Fear, Uncertainty and Doubt) that many service providers use to embed solutions and drive revenue, often against the real needs of clients.

Some of the principles of our methodology are:

  1. Top Down – we start with the board room. As the requirements to understand, act on and report breaches within a company become more robust, it is the board and C-level executives who need the data on which to make informed decisions.
  2. Traceability – any methodology should have a common grounding to position it and also to allow for comparison against the market. Everything we assess can be traced back to industry terminology from top to bottom whilst maintaining a vocabulary that resonates in the board room.
  3. Risk Driven – to conduct a proper assessment of an organisation's exposure to security breaches, it is vital that companies accurately understand the various aspects of their business profile and the potential origin of threats, both internal and external. For a thorough assessment, organisations need to consider likelihood and impact from various angles, including regulatory position, industry vertical, threat trends and of course the board members themselves (as attacks are increasingly personal in nature). Our methodology takes these, and many other aspects, into consideration and applies a value at risk, which allows for focused remediation plans and the development of strategic security roadmaps.
  4. Maturity Based – we map the key security standards and frameworks, such as ISO 27001/2, the SANS Top 20 Critical Security Controls, Cyber Essentials etc., from the top level through to the mechanics of implementation. We then present these in non-technical, business language so that there is a very clear common understanding of where compromises may exist and of the current maturity level. This is a vital part of our approach which many assessments do not cover, often choosing instead to present a simple black and white picture.
  5. Technology Best Fit – the commercial success of the technology security market has led to a myriad of vendors plying their wares. Navigating this landscape is very difficult, particularly understanding the different approaches to prevention, detection and response. At Broadgate we have spent years looking into which technologies are the best fit to mitigate the threat of a cyber attack or data breach, and this experience forms a cornerstone of our methodology.

At Broadgate our mantra is "The Business of Technology". This applies across all of our products and services, and never more so than when it comes to really assessing the risks in the security space.

If you would like to explore our approach in more detail, and how it might benefit your company, please contact me or kerry.housley@broadgateconsultants.com.

Bitcoins: when will they crash and what is coming next?

Posted on : 29-11-2013 | By : richard.gale | In : Innovation


Bitcoin is the first implementation of decentralised money controlled by cryptography rather than any central authority…

What this really means is that it is a currency independent of any one government's control, and the supply is limited by a set of rules in the software which govern the speed at which new coins can be generated. Transactions are verified not by a single third party but by a decentralised network of 'miners', who compete to add blocks of transactions to the shared public ledger and are rewarded with newly created coins, and there is an upper limit (around 21 million Bitcoins) on the total supply. Bitcoin transactions are like cash in the sense that they are pseudonymous: addresses are not tied to a real-world identity, so the seller need have no knowledge of the buyer's identity and vice versa, although every transaction is recorded permanently in the public ledger. Bitcoin is also a payment system like Visa or PayPal (via the miners) as well as a currency.
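The "around 21 million" figure is not a round number chosen by anyone; it falls out of the issuance rule. The following added example (not part of the original post) reproduces it. The rule it encodes is a consensus fact rather than an assumption: the block subsidy started at 50 BTC, halves every 210,000 blocks, is computed in whole satoshi (1 BTC = 100,000,000 satoshi) by a right shift that discards any remainder, and stops once it reaches zero. The block height used in the demo is an illustrative 2013-era value.

```python
"""
Added example, not part of the original post: derive the "around 21 million"
cap from Bitcoin's issuance rule instead of taking it on trust. The rule is a
consensus fact, not an assumption: the block subsidy started at 50 BTC, halves
every 210,000 blocks, is computed in whole satoshi (1 BTC = 100,000,000
satoshi) by a right shift that discards the remainder, and stops once it
reaches zero. The height used in the demo is an illustrative value.
"""
SATOSHI_PER_BTC = 100_000_000
INITIAL_SUBSIDY_SAT = 50 * SATOSHI_PER_BTC
HALVING_INTERVAL = 210_000


def block_subsidy(height):
    """Subsidy in satoshi for the block at this height (the same integer shift Bitcoin Core uses)."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:  # Core's guard: shifting a 64-bit value this far is undefined, so pay nothing
        return 0
    return INITIAL_SUBSIDY_SAT >> halvings


def supply_at_height(height):
    """Satoshi issued by blocks 0 .. height-1, summed one halving era at a time."""
    full_eras, remainder = divmod(height, HALVING_INTERVAL)
    total = sum((INITIAL_SUBSIDY_SAT >> era) * HALVING_INTERVAL for era in range(full_eras))
    return total + (INITIAL_SUBSIDY_SAT >> full_eras) * remainder


def total_supply_sat():
    """Every satoshi that will ever be paid out: loop until the subsidy shifts to zero."""
    total, era = 0, 0
    while (subsidy := INITIAL_SUBSIDY_SAT >> era) > 0:
        total += subsidy * HALVING_INTERVAL
        era += 1
    return total


def last_subsidised_height():
    """Height of the final block that still pays a subsidy (a single satoshi)."""
    era = 0
    while INITIAL_SUBSIDY_SAT >> (era + 1) > 0:
        era += 1
    return (era + 1) * HALVING_INTERVAL - 1


if __name__ == "__main__":
    cap = total_supply_sat()
    print(f"Hard cap: {cap / SATOSHI_PER_BTC:,.4f} BTC ({cap:,} satoshi)")
    print(f"Last block with a subsidy: height {last_subsidised_height():,}")
    h = 270_000  # illustrative 2013-era height
    print(f"Issued by height {h:,}: {supply_at_height(h) / SATOSHI_PER_BTC:,.0f} BTC, "
          f"subsidy at that height {block_subsidy(h) / SATOSHI_PER_BTC} BTC")
```

The result is 20,999,999.9769 BTC rather than exactly 21 million, because each halving truncates the fractional satoshi, and the last subsidised block is height 6,929,999, which at ten minutes per block lands well into the 22nd century. The point for the post's argument is that the supply schedule is fixed in the consensus rules and can be audited by anyone with a few lines of code; it is not a policy lever any central bank can pull.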

The origins of Bitcoin are slightly murky (the architect's name, 'Satoshi Nakamoto', is a pseudonym); it emerged from a convergence of cryptography and the open source movement in 2008. As with most new technology, early adopters of Bitcoin used the currency for illegal activities on the 'Dark Web', such as Silk Road, for laundering and as payment for electronic blackmail. Now the currency is gaining more acceptance, with a wide range of online and other businesses accepting it as a valid alternative payment method.

Governments, central banks and law enforcers are concerned about the emergence of Bitcoin for two main reasons:

  • Loss of control – controlling the value of a currency (through supply, interest rates etc.) is a mechanism for controlling demand, and so affects inflation, the balance of payments and so on. If a new payment mechanism outside this control starts to gain popularity, these levers become less effective;
  • Criminal opportunities – pseudonymous transactions let criminals transact safely between themselves and provide a secure mechanism for extracting money from legitimate businesses and individuals through blackmail and extortion, in addition to the potential for exploiting the public's lack of knowledge of Bitcoin. It is starting to make inroads into the criminal's oldest friend: high-value currency notes.

After a relatively quiet introduction in 2009 the value of Bitcoin rose fairly steadily until 2013, when the first boom and crash was experienced in April, with the value doubling and then halving within a month. At the time of writing a Bitcoin is worth over $1,100, which is more than 10 times its value in January and, more significantly, 5 times what it was worth in October.

[Chart of the Bitcoin exchange rate over time, not reproduced here]

Even criminals are affected by this appreciation. CryptoLocker, a widespread piece of ransomware (which infects a machine, encrypts the victim's files and only releases the decryption key for a fee), used to charge 2 Bitcoins for the key and now has 1 and 0.5 Bitcoin versions to cope with the rising value and keep it viable for people and businesses to pay.

Looking at the graph, a correction in the value of Bitcoin seems overdue, but assuming acceptance continues to grow the rise may well continue at a fast pace before slowing. The Bitcoin community recognises this as likely given the limited supply and increasing demand, and fully expects to denominate in millibitcoins (0.001 of a Bitcoin). We think there will be a major correction soon but, as long as confidence in the currency is not knocked too significantly, the upward valuation of Bitcoin will continue to gather pace.

So what can stop the onward march of Bitcoin? We see a number of risks before Bitcoin becomes mainstream:

  • Distrust – the concepts of cash, currencies and banks have existed for hundreds of years. A new model built on obscure algorithms and code without any obvious 'owner' may take some time to resonate with the public
  • Reputation and moral obstacles – Bitcoin has been tainted by its use by criminals, and this may reduce or slow take-up of the currency. It has been highlighted by the press and law enforcement agencies and could limit its acceptance
  • Governments, central banks and police forces are generally against Bitcoin. Some are trying to limit its growth and others are trying to ban the currency. It will be an interesting battle to watch
  • Competition from other new forms of currency – Bitcoin is the dominant cryptocurrency but there are many other electronic 'coins' out there. There is no reason why one or more of the others will not grow in popularity
  • Other payment mechanisms have very deep pockets and will not give up without a fight. PayPal and Visa will embrace the concept but will want to take advantage of it and build out their own currency businesses. How they do that is a work in progress, but they have the transaction volume and the trust of consumers and businesses.
  • Technology – there must be a 'next big thing' waiting in the wings to supersede Bitcoin. Quantum computing is the obvious candidate: it could underpin new and stronger cryptographic schemes, but a sufficiently large quantum computer would also break the elliptic-curve signatures (ECDSA) that protect Bitcoin balances today, destroying trust and so value in Bitcoin. Any emerging technology that breaks the underlying cryptography has the same effect.
  • Volatility – this is probably the oldest but most likely obstacle to acceptance of Bitcoin. We are currently in a phase of Bitcoin 'hyper-deflation', where 1 Bitcoin bought $200 in October and now buys $1,100. This is a major positive if you hold Bitcoins, but the cost of buying in has risen five-fold. If this continues, or stabilises as the Bitcoin community expects, all will be fine. But a decline in value would likely be accelerated by the volatile nature of the currency, which could trigger 'hyperinflation' and a crisis of confidence.

Whatever the future of Bitcoin itself, it looks like there will be significant growth in alternative currencies and payment mechanisms. In time this will have a major impact on how nations' economies are run and controlled. There will be opportunities for many new forms of business to take advantage of these electronic currencies: new forms of gaming, selling and treasure hunting for lost Bitcoins.

Exciting times! – and unlike cash you are less likely to lose a Bitcoin down the back of the sofa but don’t forget to  backup your Bitcoin wallet!


The next Banking crisis? Too entangled to fail…

Posted on : 30-10-2013 | By : richard.gale | In : Finance


Many miles of newsprint (and billions of pixels) have been devoted to the reasons for the near collapse of the financial system in 2008. One of the main reasons cited was that each of the 'mega' banks had such a large influence on the market that they were too big to fail: a crash of one could destroy the entire banking universe.

Although the underlying issue still exists (there are a small number of huge banking organisations), vast amounts of time and legislation have been focused on reducing the risk these banks pose by forcing them to hold more capital, so reducing the external impact of a failure. An unintended consequence is that banks are less likely to lend, constricting firms' ability to grow and slowing the recovery, but that is a different story.

We think the focus on capital provisions and risk management, although positive, does not address the fundamental issue. The banking system is so interlinked and entwined that one part failing can still bring the whole system down.

Huge volumes of capital are moved around daily, with trillions of dollars 'in flight' at any one time, most of it passing between banks or divisions of banks. One of the reasons for the collapse of the UK arm of Lehman Brothers was that it sent billions of dollars (used to settle the next day's obligations) back to New York each night. On the morning of 15th September 2008 the money did not come back from the US and the company shut down. The intraday flow of capital is one of the potential failure points of the current system.

Money passes from one trading organisation to another in return for shares, bonds, derivatives or FX, but the process is not instant: there are usually other organisations involved, and the money and/or securities are often in the possession of a different organisation at each step of that process.

This "counterparty risk" is now one of the areas that banks and regulators are focusing on. What would happen if a bank performing an FX transaction on behalf of a hedge fund stopped trading? Where would the money go? Who would own it and, as importantly, how long would it take for the true owner to get it back? The other side of the transaction would still be in flight, so where would the shares or bonds go? Assessing the risk of a counterparty defaulting whilst ensuring the trading business continues is a finely balanced tightrope walk for banks and other trading firms.

So how do organisations and governments protect against this potential ‘deadly embrace’?

Know your counterparty: this has always been important and is a standard part of due diligence for any trading organisation. Just as important are the following:

Know the route and the intermediaries involved: companies need as much knowledge of the flow of money, collateral and securities as they have of the end points. How are the transactions being routed, and who holds the trade at any point in time? Some of these flows will pause with one firm for only seconds, but there is always a risk of breakdown or failure of an organisation, so 'knowing the flow' is as important as knowing the client.

Know the regulations: of course trading organisations spend time understanding the regulatory framework, but in cross-border transactions especially there can be gaps, overlaps and multiple interpretations, with each country or trade body reading the rules differently. Highlighting these and having a clear understanding of the impact and process ahead of an issue is vital.

Understand the impact of timing and time zones: trade flows can generally run 24 hours a day but markets are not always open in all regions, so money or securities can get held up in unexpected places. Again, making sure there are processes in place to overcome these snags and delays along the way is critical.

Trading is getting more complex, more international, more regulated and faster. All of these present different challenges to trading firms and their IT departments. We have seen some exciting and innovative projects with our clients and look forward to helping others implement the systems and processes that keep the trading wheels oiled.