GDPR One Year On – What’s Changed?

GDPR

GDPR has been with us now for just over a year – so what has changed during this period?

Businesses are now much more proactive in their approach to cyber security instigating robust systems and procedures to combat the threat of hackers.

http://cyberbrokers.co.uk/gdpr-data-protection-but-not-as-we-know-it/

The ICO have just published a report “GDPR – One Year On” which sets out a review of its first year in operation.

https://ico.org.uk/media/about-the-ico/documents/2614992/gdpr-one-year-on-20190530.pdf

Countering the Cyber Security Threat

The risk of a data breach is also now higher than ever with the changing cyber risk landscape. New ransomware strains and malware are evolving so keeping up to date protections in place is vitally important. GDPR is a clear driver of the approach that the C Suite has to instigate to protect and secure their businesses.

Among the many areas that IT Security has focused upon is back-up which is essential in protecting data. This makes it retrievable in the event of a compromise of data due to a cyber-attack.

Change in Philosophy

GDPR was a long time coming and businesses have struggled to find the resource to put in place processes to achieve compliance. Some were ahead of the game and some struggled to meet the deadline of 25th May 2018.

The philosophy to cyber security has also reached an engagement point where businesses are looking beyond GDPR. Businesses are now seeking cyber security accreditation’s such as ISO27001.

Global Effect

Other countries are also taking note of the impact that GDPR is having and bringing in similar legislation of their own.

For example the California Consumer Privacy Act (CCPA) which comes into force on 1st January next year.This provides consumers with certain rights over their personal data which is held by businesses  and is an obvious parallel with GDPR.

GDPR Fines

Regulators to date have issued in excess of 200.000 fines of which 65,000 were related to data breaches . Fines totalled E56M which includes the E50M levied against Google by the Irish Data Protection Commissioner. In this case new users were inadequately advised how personal data was collected and how this was subsequently used.

The fear of potential fines being issued of up to 4% of global turnover of a business by the regulators has not materialised yet. However from a speech made by Elizabeth Dunham , the U.K. Commissioner of the ICO recently stated in a speech that this may be about to change later in the year. The ICO it is understood have a couple of very large cases that are currently being reviewed.

Both Equifax and Uber have been fined over the past twelve months but this was under previous legislation and not GDPR.

The impact of GDPR  does appear to have improved cyber security standards. We are however waiting to see how regulatory bodies will impose the full force of non-compliance in the event of a cyber-attack that results in a significant data breach.

Image : Shutterstock

Is Our Data Safer Under GDPR?

GDPR

Now that GDPR is in force will this make our data safer…..

The volumes of data running through businesses in the UK is difficult to visualise and practically impossible to safeguard so will GDPR actually make any difference to our data being better protected? The chances are that it will be but the same inherent threats will still exist.

So what are these threats ?

1.Businesses that have not yet complied with GDPR

In the the run up to GDPR a number of reports indicated that many business were behind in achieving the required standards expected there is therefore a danger that firms are still very much behind the curve in meeting the GDPR standards.

2.Inability to restore data

In the event of a compromise of personal data it will be important that a businesses can restore data by having the appropriate back-ups in place if this is not possible this will impact on their business confidence and reputation.

3.Internal espionage

Rogue employees or a disgruntled member of staff might wish to cause disruption or make a point on a company wide issue. Morrisons were recently involved in a court case and found vicariously liable for the acts of an employee who gained access to the personal details of employees and released this into the public domain.

http://www.hrmagazine.co.uk/article-details/the-morrisons-data-breach-and-gdpr-compliance

4. Heightened cyber security threats 

It is conceivable that there will a visible increase in cyber attacks on businesses as hackers will target firms for their data and exploiting vulnerabilities. Such threats as ransomware or a DDos attack where a hacker could hold a business to ransom by threatening to steal or disseminate data.

http://cyberbrokers.co.uk/will-ransomware-attacks-increase-under-gdpr/

5. Poor cyber risk management

A data controller with poor cyber risk management would be a prime target for a hacker. Basic cyber hygiene is vital with minimum standards of Cyber Essentials and preferably ISO27001 advanced cyber security processes in place.

6. The absence of an incident response plan

If a businesses is hit by a data breach it will need to react quickly to this, an incident response will assist with this . Business continuity and disaster recovery plans should also be in place so that the business can continue to operate.

Cyber Insurance can help….

This specialist form of insurance can provide valuable coverage in the event of a data breach and help mange the impact of this.

The main elements of coverage provided to protect data are as follows:-

  • Privacy Liability
  • Data notification costs
  • Regulatory costs and expenses
  • 24/7 Incident response services

There is no doubt that data will still be at risk with threats to its security emerging as technology and the incentives to use data for ill means increases.

Image : Shutterstock

Ransomware : The Modern Day “Stand and Deliver”

Ransomware

Ransomware : It you didn’t know what ransomware was a few weeks ago….. it is almost certain that you do now in the wake of the WannaCry cyber attack that occurred earlier this month.

What is Ransomware? 

This is a form of malicious software that is designed to block access to a computer system until a sum of money is paid. It is not possible to use the data and in some cases the hackers threatens to publish the data until a ransom is paid, there is of course no guarantee that once the ransom has been paid that the encryption code will be provided or if the hacker will still delete the data. If the ransom is paid it is possible that the hacker will return to carry out a further attack.

This form of malware effectively employs scare tactics not unlike that which have been seen in the days of a highway man in Victorian times who would hold a coach of unsuspecting passengers at gunpoint until they had handed over a ransom representing their wealth. Ransomware can be compared to the modern day “stand and deliver” threats that a highwayman posed.

The Impact of a Ransomware Attack 

Ransomware attacks have increased four fold over the past two years with the UK being one of main targets for ransomware attacks as we are perceived to be a destination that will readily pay the ransom.

One report has collected data which reveals that 54% of UK businesses have been targeted with a ransomware attack where revenue has been lost and in extreme circumstances the businesses have had to close. The impact of a ramsomware attack can also cause reputational issues to a business that they may never recover from.

With the General Data Protection Regulations (GDPR) coming into force on the 25th May next year the emphasis of protecting personal data is increasing. If a ransomware attack encrypts personal data and the business is unable to restore the data it is conceivable that the ICO would consider that the business has not taken appropriate measures to keep the data safe and as a result in breach of the Data Protection Act.

The WannaCry Attack

The ransomware attack affected approximately 200,000 computers in 150 countries on 12th May . The most high profile organisation hit by this attack in the UK was the NHS . Outside of this, Renault, Nissan, FedEx and Telefonica were also hit by this indiscriminate cyber attack that appear to target legacy software that had not been updated. Organizations that still utilized Windows XP were particularly hard hit as this contained certain software vulnerabilities.

Managing the Ransomware Cyber Risk

Businesses should consider the following:-

  • Adequate Back Up and Recovery of computer systems
  • Patch Management of all systems with particular attention to older systems
  • Staff Training to raise awareness of what to look for in a ransomware attack
  • Regular Firewall Management
  • The Purchase of Cyber Insurance

The National Cyber Security Centre offer some excellence guidance on their website entitled “Protecting your organization from ransomware” at the attached link :-

https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware

How Cyber Insurance Can Help 

Cyber Insurance is a modular policy and it is possible to purchase specific areas of coverage tailored to a businesses requirements.

Cyber Extortion Coverage

This includes the negotiations with hackers and payment of the actual ransom

Forensic Investigation

This determines what data was compromised and how the systems were accessed

Data Restoration

This covers costs associated with trying to unencrypt data and to assist with the back up of data.

Business Interruption

This module provides coverage for costs associated with costs incurred with increased costs of working and possible loss of profits.

There are now many strains of ransomware which are becoming increasing harder to manage , presenting a constant challenge for businesses to manage. Business do need to constantly review their cyber security risk management processes and procedures which will go some way in alleviating this evolving threat that this poses.

CiSP – Cyber Security at your finger tips

CiSP

CiSP stands for the Cyber-security Information Sharing Partnership and has been formed jointly by industry and government which sits in CERT-UK.

What is CiSP?

It is an online social networking tool that was established in 2013 which allows members to exchange information on threats and vulnerabilities as they take place. CERT – UK is the national computer emergency response team with a number of responsibilities that stem from the UK Cyber-Security Strategy. It is used by many businesses across industry and provides reports that help its members to improve their awareness of cyber security threats.

www.cert.gov.uk/cisp

Recently the South West Regional Group launch of CiSP took place , this was the 12th and final launch carried out in the UK. This was jointly sponsored by the SW Regional Cyber Crime Unit (RCCU) , CERT-UK and J.P. Morgan (Regional Champion). The profile of the sponsors demonstrates the importance that attaches to CiSP and the impact that is perceived that it can make in developing the cyber security programs of businesses.

Why should you become a member of CiSP?

  • Early warning of cyber threats that may affect businesses
  • Collaboration between businesses and government in a secure environment
  • Ability to help businesses protect their livelihood from cyber threats
  • Businesses can learn from the experiences of others….both mistakes and the successes
  • Availability of specific sector content on cyber threats and incidents that have taken place
  • Businesses that have a small or non-existant cyber security budget can avail themselves of the information
  • Any business can join and benefit from the scheme
  • It costs nothing to become a member and can help a businesses prepare for a cyber attack

CiSP Membership Link

How CiSP can help a Business?

  • Alerts and advisory papers on cyber security
  • Reports om trend threats
  • Malware and phishing e-mail analysis
  • Guidance and best practice on common areas on both a national and global basis

One of the key features is the Fusion Cell that consists of a team of analysts taken from government and industry who provide source analysis of cyber threats and vulnerability updates.

The scheme is aimed at SME’s who are considered one of the most vulnerable business sectors with varying degrees of cyber maturity. It is therefore important that they understand how to protect themselves from cyber attacks and the resulting cyber crime that can occur.

Industry Endorsement

The British Insurance Brokers Association ( BIBA) is going to sponsor its members to join the scheme in order to help improve awareness about cyber cyber risks that exist.

This will no doubt become a common theme within other industries in the future.

Insurance has a role to play 

Cyber insurers and specialist insurance brokers can also contribute to CiSP by providing current data and information of cyber security attacks and data breaches that they have been involved with and managed.

 

Cyber breaches hit UK businesses

Cyber Breaches

Cyber breaches are hitting UK businesses according to a recently released commissioned report by the UK Government.

Two thirds of large businesses UK hit by cyber attack in past year

Following the high profile targeting of  TalkTalk , Vodafone , Weatherspoons it is no surprise that large businesses are still the focus of cyber breaches …… the underlying message to these businesses is that they need to improve their cyber security programs in order to combat these threats.

Main Report Findings

  1. 1 in 4 large businesses encountered a breach once a month
  2. Only one-third of all firms had a written security policy
  3. Only 10% of all businesses had an incident response plan in place should a cyber attack occur
  4. 13% of all businesses set cyber security minimum standards for their suppliers
  5. Only 20% of firms validate the providers of cloud computing services.
  6. 7 out of 10 of the attacks involved compromises by viruses, spyware or malware

Why has this happened ?

The report also highlighted the fact that many firms do not have cyber security programs in place that are in accordance with government guidance such as the Cyber Essentials Scheme and the “10 Steps Guide to Cyber Security”. This is must be a major concern to the Government as these two measures alone would install a good level of cyber security.

Cyber Essentials is generally more difficult to achieve for larger businesses as their systems tend to involve the use of bespoke software and its management. This certification is geared more to standardized systems which is more akin to SME’s . There is therefore a question here whether Cyber Essentials needs to be adapted to larger businesses?

Cyber Insurance

The report also makes reference to 37% of firms having in place some form of cyber insurance , this is either in the form of extensions to professional indemnity insurance policies or stand alone policy specific cyber insurance policies.

A concern raised by the report is that there is a lack of knowledge about what was covered under a cyber insurance policy and the insurance industry therefore has a role to play in helping businesses understand this form of insurance.

Cyber breaches will continue to impact on businesses unless they have a formal cyber security program in place to protect them from the increasingly sophisticated cyber attacks that can compromise a businesses.