GDPR – Data Protection But Not As We Know It

Manufacturing

On the 25th May the General Data Protection Regulation (GDPR) comes into force, which will change the whole world of how personal data is managed for individuals who live within the EU member states.

The concept behind this is to give people back control of their data. It imposes strict data protection obligations on businesses and provides individuals with the right of redress should their data not be managed in accordance with these regulations.

Despite the fact that the UK will be leaving the EU next year, the regulations will apply to UK businesses, after which they will be replaced by the proposed Data Protection Bill, which will impose similar data protection regulations.

GDPR is arguably long overdue. In the UK we currently have the Data Protection Act 1998; to put this into context, at the time it was implemented there was analogue television and dial-up internet. The use of personal data has increased dramatically since then due to advances in technology and the many modes of communication, such as social media, through which people now interact.

In the UK the Information Commissioner's Office (ICO) will monitor and regulate the GDPR. The ICO website provides a guide for businesses explaining their obligations, and helps those individuals who have day-to-day responsibility for data protection within their organisation.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

In order to help businesses prepare for these new regulations the ICO has published “Preparing for the GDPR – 12 Steps to take now”.

https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

What types of data does this apply to?

This relates to any information which personally identifies an individual and includes the following:

Names & addresses

Passport Number

National Insurance Number

Photographs

Biometric data such as fingerprints, iris scanning and voice recognition

The Dangers of Non-Compliance

The profile of GDPR is gathering momentum and no doubt individuals will wish to be aware of the amount of data held against their name. This will bring about situations where individuals request details and these are unavailable because of non-compliance, with the business being unable to produce the information at all or within the required time limits.

The other issue, and the one with the most significant consequences, is where a business suffers a data breach as a result of a hacker attack, or perhaps an error or deliberate act by an employee, and the details are then disseminated into the public domain or used for ill-gotten gains. The ICO has powers to issue fines of up to 4% of a business's worldwide turnover or 20 million Euros, whichever is the greater. This is an uplift from GBP500,000 under the current regulations and represents a significant increase, demonstrating that serious non-compliance will have severe consequences.

Managing GDPR

It will be essential that the correct processes and procedures are in place, and in the event of a data breach it is important that an incident response plan is readily available, whether drawn up internally or with the help of a specialist consultancy. The incident response plan will consist of various vendors to help manage the breach, such as lawyers and public relations consultants.

A cyber insurance policy provides such resources and is offered by insurers on a 24/7 basis should the policyholder be subject to a data breach.

The management of these new regulations within a business is going to be a fundamental focal point going forward, with personnel at all levels needing to be aware of their day-to-day obligations in the processing and handling of data.

Image : Shutterstock

The Challenges Facing Cyber Security

What are the challenges facing cyber security in 2018?

These will involve the development of existing threat vectors and the emergence of new ones; keeping up with the evolving capabilities of hackers, and repelling and preventing their attacks, will never have been more difficult.

General Data Protection Regulation (GDPR)

This presents a major challenge to all organisations, with time marching towards the 25th May deadline. Many businesses in the SME space are behind the curve in their preparations for this and will do well to meet the deadline. If it is missed they will face the wrath of the ICO and possible fines for non-compliance.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Artificial Intelligence (AI)

AI and machine learning are now available to hackers to conduct cyber attacks, providing a challenging new cyber threat landscape that will need to be navigated. Machine learning will also be used for good, as it can assist the cyber security sector in analysing and monitoring new and existing threats.

Internet of Things (IoT)

The IoT threat is likely to develop further, with a possible focus on critical infrastructure and home devices. With it now being possible to purchase botnet kits on the dark web, it is becoming easier to set up DDoS attacks.

State Sponsored Cyber Attacks

These do not look like they will be alleviating any time soon and are likely to grow, emanating from countries that look to instil government instability or to carry out cyber espionage.

Ransomware

Ransomware will continue to be a major cyber security threat, with new strains being developed by hackers focusing on businesses that have immature cyber risk management.

Mobile Breaches

The threat of mobile breaches is still very much with us, and this could be the year that a substantial breach occurs. This could happen via a vulnerability in an app which may itself contain considerable amounts of data that a hacker could gain access to for ill-gotten gains.

Bitcoin and Blockchain

Bitcoin, the leading cryptocurrency, made the headlines at the end of last year with its value increasing by leaps and bounds before coming back down to a more sensible valuation. Blockchain is not very well understood, but is now recognised as a method by which fraud can be prevented, and it will gain in popularity as it becomes more mainstream.

Trust

Trust is emerging as a side issue in the development of cyber security: trust that businesses are safe to trade with and that, in the event of a data breach, they will act in an honourable fashion and in the best interests of their employees and shareholders. This will impact on the future trading and the reputation of a business.

What Will Cyber Criminals focus on?

  • Supply Chain

Cyber threats are being targeted at supply chains, as their computer systems do not always have the same standard of cyber security as the main contractor. This presents opportunities for hackers to exploit inferior systems as a gateway to compromising the main contractor's systems, and it is likely to continue.

  • The Healthcare Sector

This sector has always been a principal focus for hackers, as the stolen data can be used for a number of things. With the standard of cyber security not considered the most robust, this sector is vulnerable to hackers.

SME businesses

The general immaturity of SMEs' computer systems and their lack of cyber risk management make them a prime target for hackers. The mentality of “it won't happen to us” does not hold true and is a dangerous game to play.

Adequate levels of cyber security risk management and the emergence of cyber insurance will play an important part in managing a cyber attack on a business's computer systems. The challenges that lie ahead in the coming year will be huge, and defending a business against such a varied threat landscape will be demanding.

Image : Shutterstock

The Cyber Threat to Critical Infrastructure

Cyber Threat

The operation of Critical Infrastructure in the UK is pivotal to the safety and economic prosperity of the country, but what protection is being provided to mitigate the cyber threat posed by hackers?

We are seeing increasing threats to key infrastructure such as airports and power stations, with the cyber threat now emerging as a very real risk. This concern is also now at the forefront for governments on both sides of the Atlantic, with initiatives being put in place to protect our critical infrastructure.

Europe – The Network and Information Systems (NIS) Directive 

The European Commission agreed to implement the Network and Information Systems Directive in late 2015, as reported in our post http://cyberbrokers.co.uk/cyber-security/

This Directive needs to be complied with by May 2018; however, a report by Corero Network Security suggests that it may prove difficult for certain sectors of the UK's critical infrastructure to achieve this. The report found that 39% of the critical infrastructure in the UK did not reach basic cyber security standards. Key sectors were the NHS and the police.

https://www.corero.com/company/newsroom/press-releases/uks-critical-infrastructure-skipping-basic-cyber-security-checks-and-ignoring-ddos-threats-/

The main reason for the Directive is to increase the security of Network and Information Systems within the European Union, with the aim of bringing the following:

  • Minimum standards of cybersecurity for banks, energy, transport, health and water utilities.
  • EU-wide rules on cybersecurity.
  • Cooperation between EU companies on cyber security.
  • The sharing of information on breaches.
  • Best practices in cyber security.
  • Mutual help in securing a country's critical infrastructure.

In addition to critical infrastructure, these regulations will apply to certain technology firms, and it is possible that they will also be applicable to major online marketplaces, such as eBay and Amazon, and search engines such as Google.

Last month the Government launched a consultation paper which sets out the proposed implementation in the UK, which will also reflect the UK's departure from the EU. The consultation will ascertain the views of industry, regulators and other relevant parties.

The consultation will cover the following:

  • The essential services the directive needs to cover
  • The possible penalties that could be applied
  • The authorities that will regulate and audit specific sectors
  • The security measures that will be imposed
  • Appropriate timelines for incident reporting
  • Assessment of the impact on Digital Services Providers

https://www.gov.uk/government/consultations/consultation-on-the-security-of-network-and-information-systems-directive

USA – Homeland Security – The Presidential Policy Directive /PPD-21

The main purpose of this directive is to provide strategic guidance and to promote the security and resilience of the US's critical infrastructure.

Within this directive Homeland Security will support the following:

  • Identifying and prioritising critical infrastructure, considering physical and cyber threats and vulnerabilities.
  • Maintaining national critical infrastructure centres in order to provide situational awareness capabilities about emerging trends and imminent threats.
  • Coordinating appropriate bodies and Federal departments to provide analysis, expertise and other technical assistance to critical infrastructure businesses.
  • Facilitating the exchange of necessary information and intelligence.
  • Working to improve the resilience of critical infrastructure against cyber threats.
  • Annually reviewing the protection required by statute to protect national critical infrastructure.

A country's critical infrastructure is a prime target for hackers, and it is therefore essential that appropriate cyber security standards are in place and that they continue to keep pace with the changing cyber threat landscape.

Image : Shutterstock

Is BYOD an acceptable Cyber Risk?

BYOD

BYOD, known as Bring Your Own Device, is a practice whereby businesses permit the use of employees' own laptops, notebooks or smartphones in the working environment.

The cyber risk associated with this philosophy is very real, and it is vitally important that it is managed within the business.

A survey carried out by Information Security last year reported that 1 in 5 businesses around the world suffered a mobile security breach. The survey also identified that the main concern with the use of BYOD was data leakage or loss.

Did you know that 35% of employees store their work password on their smartphone? (Source: SecureEdge Networks)

BYOD Policy

It is crucial that the business has a clear and robust BYOD policy which should include the following:

1. An acceptable use policy that reflects appropriate guidance and accountability, with input from other stakeholders of the business.

2. Management of social media, as it is likely that there will be an increased use of this.

3. The type of personal data that can be processed on the device.

4. Ensuring that a backup plan is in place, as mobile devices can fail or be compromised.

5. Reporting of incidents in a prompt fashion in order to comply with company policy and to meet any legal obligations.

The Information Commissioner's Office provides guidance notes on BYOD which are a good reference point for businesses.

https://ico.org.uk/media/for-organisations/documents/1563/ico_bring_your_own_device_byod_guidance.pdf

What are the risks?

The main feature of BYOD is that the user owns, maintains and supports the device. As a result, the data controller will not have as much control as they would if the device were provided by the business. The main concern is the security of the data, and this has to be monitored across a number of devices.

With the focus on data, the business should be aware of the following:

The type of data held on the device

Which applications the data will be held in

How the data will be transferred and an assessment of any possible leakage.

The type of security that is operated on the device.

The line between personal use and business use.

Can Cyber Insurance help?

It is possible for a cyber insurance policy to provide coverage for cyber risks arising from BYOD devices within a business. Insurers will ask certain risk management questions in order to assess the risk and, if acceptable, will include this aspect of coverage under the policy.

Image : Shutterstock

What is a Denial of Service Attack?

Denial of Service

What is a Denial of Service attack?

A denial of service attack is a form of cyber attack where a hacker aims to make a computer or network unavailable to its users.

Its distributed form, a Distributed Denial of Service (DDoS) attack, is carried out by disrupting the services of a host connected to the internet: the target is flooded with bogus requests which overload the computer and make it inaccessible to its users.

The UK is second only to the US as the most targeted country for DDoS attacks. The UK is subject to just under 10% of the world's DDoS attacks, whereas the US accounts for 50.30% of the total.

Over the last year DDoS attacks have increased by 211%, as reported by cyber security consultants Imperva. The main source of the attacks is South Korea, overtaking China.

In recent months the size of attacks has started to become much larger. An average attack is around 200 Gigabits per second, but attacks of between 600 Gbps and 1 Terabit per second are now evident. An attack of this magnitude would cause serious disruption to a business's computer systems.

Consequences of a DDoS Attack

Business Interruption

A business could be severely disrupted for a period of time, preventing it from trading normally. Online retailers, for example, could lose a high volume of sales.

Reputational Harm

The business may suffer reputational issues following a DDoS attack, with the perception by its customers that its cyber security procedures are not of a sufficiently robust standard.

Common Types of DDoS Attacks

UDP Flood

In a User Datagram Protocol (UDP) flood, random ports on a computer system are bombarded with packets, which cause it to check for an application listening on each port and to signal back with an ICMP packet.

Ping of Death

Known as a “POD”, this attack manipulates the IP protocol by sending packets larger than the maximum byte allowance. As a result, the receiving computer servers crash.

Peer to Peer

This is where a peer-to-peer server is compromised to route traffic to a target website. Users are consequently sent to the target website, which is eventually overwhelmed and taken offline.

https://www.rivalhost.com/12-types-of-ddos-attacks-used-by-hackers
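The two mechanisms just described each leave a recognisable trace in firewall or flow logs: a UDP flood shows one source hitting many distinct ports on a host in a short window, and a Ping of Death shows an IP fragment whose offset plus length would reassemble beyond the 65,535-byte maximum. The following detector, added here as an illustration and not taken from the original post or the linked article, runs both checks over constructed sample log lines in an assumed "timestamp proto src dst dport= len= frag=" format.

```python
import re
from collections import defaultdict

MAX_IP_DATAGRAM = 65535  # largest legal reassembled IPv4 datagram, in bytes

# Assumed log format (constructed for this example, not a real product's format):
# "<epoch> <proto> <src> <dst> dport=<port> len=<payload bytes> frag=<offset>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<proto>UDP|ICMP) (?P<src>\S+) (?P<dst>\S+) "
    r"dport=(?P<dport>\d+) len=(?P<len>\d+) frag=(?P<frag>\d+)$")


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": float(d["ts"]), "proto": d["proto"], "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]), "len": int(d["len"]), "frag": int(d["frag"])}


def detect(lines, window=1.0, port_threshold=20):
    """Return alerts as tuples: ("udp_flood", src, dst, distinct_ports) when a source
    hits >= port_threshold distinct UDP ports on one host within `window` seconds,
    and ("ping_of_death", src, dst, reassembled_len) for an oversized fragment."""
    alerts, flagged = [], set()
    history = defaultdict(list)  # (src, dst) -> [(ts, dport), ...] within the window
    for raw in lines:
        p = parse(raw)
        if p is None:
            continue
        total = p["frag"] * 8 + p["len"]  # the IP fragment offset counts 8-byte units
        if total > MAX_IP_DATAGRAM:
            alerts.append(("ping_of_death", p["src"], p["dst"], total))
        if p["proto"] != "UDP":
            continue
        key = (p["src"], p["dst"])
        hist = history[key]
        hist.append((p["ts"], p["dport"]))
        while hist and hist[0][0] < p["ts"] - window:  # slide the window forward
            hist.pop(0)
        distinct = {dport for _, dport in hist}
        if len(distinct) >= port_threshold and key not in flagged:
            flagged.add(key)  # report each (src, dst) pair once
            alerts.append(("udp_flood", p["src"], p["dst"], len(distinct)))
    return alerts


def build_sample_log():
    """Constructed sample: benign DNS lookups, a port-spraying UDP flood, one oversized fragment."""
    lines = [f"{1000 + i * 0.3:.2f} UDP 198.51.100.4 192.0.2.53 dport=53 len=70 frag=0" for i in range(5)]
    lines += [f"{1001 + i * 0.02:.2f} UDP 203.0.113.7 192.0.2.10 dport={1024 + i * 37} len=64 frag=0"
              for i in range(30)]
    lines.append("1003.00 ICMP 203.0.113.9 192.0.2.10 dport=0 len=100 frag=8185")  # 65480 + 100 bytes
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The benign client never trips the flood rule because it keeps using port 53, so only the distinct-port spray and the 65,580-byte reassembly are reported.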

Dyn – The Largest DDoS Attack – Case Study 

This DDoS attack heralded a new dawn of what these forms of cyber attack can achieve, as it brought down a huge chunk of the US internet.

It was called the Mirai botnet and targeted the servers of Dyn, a company that controls a large proportion of the DNS infrastructure. This occurred in October last year and lasted for almost a day. In its wake it brought down household names such as Twitter, the Guardian and Netflix in Europe and the US.

A network of computers infected with malware, known as a “botnet”, is coordinated into bombarding a server with traffic until it gives way under the weight of the traffic hitting it.

What was unusual about the Mirai botnet was that, whereas a botnet normally consists of a number of computers, this one consisted of Internet of Things devices including digital cameras and DVR players.

Because so many such devices are connected to the internet, the attack was much larger than any previous DDoS attack. The attack was thought to have a strength of 1.2 Tbps, twice as powerful as the next most powerful attack.

It is good business for hackers…

Kaspersky Labs have carried out studies on Denial of Service attacks, exploring the business model and its popularity. A DDoS attack can cost as little as $7 an hour, with the average price being $25 an hour. The profit margin can be as much as 95%.

https://www.thecsuite.co.uk/cio/security-cio/ddos-attacks-the-hackers-profit-margin/

Cyber Insurance 

Cyber insurance can provide assistance in the event of a DDoS attack by providing the following policy coverage:

Business Interruption

Cyber Extortion

Incident Response Services

Businesses need to be prepared for the threat that a DDoS attack can bring, and it is important that their cyber security risk management procedures are effective in combating attacks of this nature, which hackers are bringing about with increasing severity.

Image : Shutterstock