Is Our Data Safer Under GDPR?


Now that GDPR is in force, will this make our data safer?

The volume of data running through businesses in the UK is difficult to visualise and practically impossible to safeguard, so will GDPR actually make any difference to how well our data is protected? The chances are that it will, but the same inherent threats will still exist.

So what are these threats?

1. Businesses that have not yet complied with GDPR

In the run-up to GDPR, a number of reports indicated that many businesses were behind in achieving the required standards. There is therefore a danger that firms are still very much behind the curve in meeting the GDPR standards.

2. Inability to restore data

In the event of a compromise of personal data, it will be important that a business can restore the data from appropriate back-ups. If this is not possible, it will impact on business confidence and reputation.

3. Internal espionage

Rogue employees or a disgruntled member of staff might wish to cause disruption or make a point on a company-wide issue. Morrisons were recently involved in a court case and found vicariously liable for the acts of an employee who gained access to the personal details of employees and released them into the public domain.

http://www.hrmagazine.co.uk/article-details/the-morrisons-data-breach-and-gdpr-compliance

4. Heightened cyber security threats 

It is conceivable that there will be a visible increase in cyber attacks on businesses, as hackers target firms for their data and exploit vulnerabilities. Such threats include ransomware or a DDoS attack, where a hacker could hold a business to ransom by threatening to steal or disseminate data.

http://cyberbrokers.co.uk/will-ransomware-attacks-increase-under-gdpr/

5. Poor cyber risk management

A data controller with poor cyber risk management would be a prime target for a hacker. Basic cyber hygiene is vital, with Cyber Essentials as a minimum standard and preferably the more advanced cyber security processes of ISO 27001 in place.

6. The absence of an incident response plan

If a business is hit by a data breach it will need to react quickly, and an incident response plan will assist with this. Business continuity and disaster recovery plans should also be in place so that the business can continue to operate.

Cyber Insurance can help….

This specialist form of insurance can provide valuable coverage in the event of a data breach and help manage the impact of it.

The main elements of coverage provided to protect data are as follows:-

  • Privacy Liability
  • Data notification costs
  • Regulatory costs and expenses
  • 24/7 Incident response services

There is no doubt that data will still be at risk, with new threats to its security emerging as technology advances and the incentives to use data for ill means increase.


Are You Prepared For A Data Breach?


Are you prepared for a data breach?

Every business should be prepared for a data breach... hackers act indiscriminately and any business could be a legitimate target.

An incident response plan is an essential part of the jigsaw in managing cyber risks and plays a very important role in being prepared for a data breach.

The plan should be reviewed and updated on at least an annual basis, with consideration given to the following:-

  • Breach experience of a business's peer group
  • Independent third-party review of the incident response plan
  • Tabletop exercises to ensure effective implementation of the plan
  • Appropriate employee training
  • Crisis management scenarios played out in order to address the changing cyber risk landscape
  • Ensuring that effective communication is practised at all levels of the business in the event that the plan becomes operative.

What makes a good Incident Response Plan?

1. Buy-in to the implementation of the plan by all relevant stakeholders, including the legal team, IT, risk management, HR, public relations and facilities management.

2. Board-level support led by the CISO.

3. An ongoing synopsis of cyber threats to the business so that the plan can be adapted or revised.

4. Assessment of any third parties' cyber exposures that may impact on the business, with checks carried out on their own cyber risk posture.

5. Minimum security standards agreed and implemented with third-party providers.

6. The purchase of cyber insurance to support the business and to make use of the insurer's incident response team of professionals.

The Experian Data Breach Response Guide is an annual report that provides plans and processes to implement when a data breach occurs within a business.

The most recent report shows that awareness is now at a much higher profile than it ever has been, with senior management more involved in being data breach prepared. There is still, however, a lack of confidence in actually being able to manage a data breach. The report also showed that incident response plans were not regularly updated, with 35% of businesses not having updated theirs since the plan was first put in place. It was also discovered that very few businesses carry out a “dry run” to see how the plan would work in practice.

http://www.experian.com/assets/data-breach/white-papers/2016-2017-experian-data-breach-response-guide.pdf

The stakeholders in the incident response plan need to be at all levels, from senior board members, finance and HR directors to employees representing different sectors of the business.

General Data Protection Regulation (GDPR)

The GDPR comes into force on 25th May 2018 and with it brings an obligation to protect the personal data of individuals, with the onus to report any data breach that may impact on such individuals.

It is important therefore that businesses have robust systems in place not only to manage the appropriate handling of data but also to cope with a data breach should one occur.

This includes who to report the breach to and what to report, making reference to such matters as the nature of the breach, its consequences and the measures taken to address it. Systems therefore need to be in place so that this information can be provided to the ICO or other relevant regulatory body.

Experian Data Breach Resolution and the Ponemon Institute released an industry study on 27th June this year which revealed that, whilst most businesses are aware of global data security regulations, they have not yet addressed the necessary organizational changes in order to achieve compliance.

The study, carried out on 550 IT security and compliance officers and entitled “Data Protection & Regulations in the Global Economy”, ascertained that only 32% of the respondents still didn’t have an incident response plan in place. Furthermore, only 9% of businesses stated that they were ready to comply with the GDPR next year, with 59% stating that they did not know how to comply...

https://www.experianplc.com/media/news/2017/experian-data-breach-resolution-and-ponemon-institute/

Cyber Insurance

Cyber insurance can help with managing and mitigating a data breach; the following services are included when a cyber insurance policy is purchased:-

  • Legal assistance in notifying data subjects whose data may have been lost
  • Forensic investigation to help ascertain how the breach was caused and whether the hacker is still able to infiltrate the computer systems.
  • Public relations to help manage the impact the breach might have on the public's perception of the business.
  • Credit monitoring services to monitor individuals' bank accounts should their data be used to carry out fraudulent transactions.

The appointment of such specialists on an individual basis can be very expensive, and it is worth considering this form of insurance for this reason alone.

To sum up, an incident response plan is a key piece of armoury to help protect a business from the consequences of a data breach, and it should be an integral part of the overall cyber risk management procedures and practices.


The Human Factor in Cyber Risk


The human factor in cyber risk is the biggest cyber threat that businesses face today...

Businesses recognize the cyber risk created by the outside threat of a hacker, but the human factor, or insider threat, is the greater threat. By virtue of human nature, people are susceptible to making mistakes, and it is this unpredictability, and the difficulty of managing it, that gives most businesses the most concern.

The Facts

  • The Kroll Annual Global Fraud and Risk Report identified that 56% of businesses advised that insiders were the key perpetrators of cyber security incidents, with former employees making up a high percentage of these at 23%.

http://www.kroll.com/en-us/intelligence-center/press-releases/building-resilience-in-a-volatile-world

  • The Mimecast study last year showed that 45% of businesses felt that they were not prepared against insider attacks.

https://www.mimecast.com/resources/press-releases/Dates/2016/8/malicious-insiders/

A PwC report prepared last year also found that current employees are the top insider cyber risk to UK businesses, so what are the main forms of cyber risk that are brought about by human factors?

1. Malicious

Motivated by a user wishing to cause a business harm, possibly for revenge or spite due to frustration at work, or for reward from an outside organisation or competitor.

As an insider they do not need to get around firewalls, can avoid detection, and are normally in a position of trust where their actions are not questioned.

The attacks consist of deliberate acts such as:-

Infection of Computer Systems with Malware  

An employee could deliberately introduce malicious software into the business's computer system, causing disruption.

Selling of Passwords

This could lead to corporate data being stolen and passed to a competitor.

Abuse of Internal Logins

The Ponemon Institute's study on the insecurity of privileged users last year identified that 21% of the respondents felt that privileged access was not actually necessary. The report highlighted that users with access to the most sensitive information are the most likely to be an insider risk.

https://www.ponemon.org/

2. Accidental

These are caused by carelessness and lack of awareness, perhaps during a busy period at work, at a certain time of day such as after lunch, or on a Friday afternoon when thoughts could be on the weekend.

Negligence 

An inadvertent transmission of a virus via an e-mail that could corrupt a third party's computer system.

Leaving a laptop on a train or in a shop.

Uploading sensitive information that may then be sent out into the public domain.

Social Engineering

An employee may open an innocent-looking e-mail attachment which contains a virus that compromises the business's computer systems. This is known as a phishing attack and could lead to the system being locked down by a ransomware attack.

Phishing attacks can be targeted, i.e. spear phishing, or circulated indiscriminately.

Poor Password Housekeeping

An employee may keep their password by writing it on a Post-it note stuck to their computer screen, or in their desk notepad; this provides an opportunity for another employee to access their computer profile.

Examples of Insider Attacks in the UK 

Tesco

40,000 of Tesco Bank's 136,000 customer accounts were subject to suspicious transactions, and 9,000 of these had money stolen from them. The sums taken were relatively small, varying up to £600, but eventually totalled £2,500,000. It is suspected that the compromise of the customer accounts was the result of an insider.

Sage

The accounting and HR software firm suffered a data breach which appeared to be an insider attack. Employee data of 280 UK customers was accessed and possibly compromised. It is understood that an internal login was used to gain unauthorized access to the data.

Morrisons

An insider published details of the entire Morrisons 100,000-employee database, in what appeared to be a revenge attack. The employee is likely to have taken advantage of his privileged rights. A number of employees have now launched legal action against Morrisons.

Ten ways to help manage the Human Factor  

1. Ensure that cyber security policies and procedures are in place

2. Introduce staff awareness of current cyber security threats

3. Robust training of staff on all aspects of cyber security

4. Employee conduct review prior to joining the company

5. Monitoring of the online activity of employees who are leaving the company

6. Monitoring of internal network activity and review of unusual activity

7. Assessment of large amounts of data being accessed or moved

8. Sharing of best practices

9. Restriction of administrator logins

10. Purchase of cyber insurance to help mitigate losses

The Human Factor can also be one of the best defences against cyber attacks if employees are appropriately trained and aware of the changing threat landscape that businesses face.


10 Reasons to buy Cyber Insurance


10 reasons to purchase cyber insurance – here are some reasons why businesses should consider this form of insurance.

In arriving at the decision to purchase cyber insurance, a business will need to carry out a full cyber risk management analysis detailing its vulnerabilities and how the business wishes to manage the cyber exposures which may impact on its day-to-day trading activities.

Once this has been determined, the decision to purchase cyber insurance could be driven by the following factors:-

1. Balance Sheet Protection

Helping to mitigate a catastrophic compromise of computer systems and networks that may endanger the livelihood of a business.

2. Risk Transfer Mechanism

To cover cyber security risks that cannot be managed within the business, or where the business chooses to insure these rather than retain them.

3. Management “Sleep Easy”

Due diligence assurance for the Board of Directors and members of staff that there is a “layer” of coverage outside of the cyber security measures that are already in place.

4. Contractual Requirements

Coverage may be required by clients as part of the contractual obligations to trade with a business. Businesses entering into government contracts are required in some instances to purchase cyber insurance. This requirement is likely to increase within the business community.

5. The Regulatory Environment

The forthcoming General Data Protection Regulation will impose compulsory notification of all data breaches and regulatory scrutiny.

6. Own Experience of a Cyber Attack

A business which has already suffered from a cyber attack may require comfort going forward from the coverage provided by this specialist form of insurance.

7. Substitute for further Security Spend

Cyber insurance could be seen as a lower cost alternative rather than investing further in cyber security within the business.

8. Competitive Advantage

The purchase of this form of insurance should sit alongside Cyber Essentials and ISO 27001 accreditation, and is a sign to its clients and to other businesses that cyber exposures are taken seriously.

9. Business Continuity

Help to get a business up and running again post-breach, covering increased cost of working and loss of profits so that it maintains its trading position in its business sector.

10. Vendor Proposition

The vendor proposition included under a cyber insurance policy provides post-breach legal services, forensic investigation and public relations consultancy.

Cyber insurance is an evolving form of insurance, with policy coverage developing on a regular basis. The coverage provided by the insurance market varies considerably, and with over 30 insurers to choose from it is important that you utilise the services of an insurance broker who possesses the requisite knowledge and expertise to guide a business through the coverage options and has the influence within the market to negotiate bespoke policy wordings.

CiSP – Cyber Security at your fingertips

CiSP stands for the Cyber-security Information Sharing Partnership. It has been formed jointly by industry and government and sits within CERT-UK.

What is CiSP?

It is an online social networking tool, established in 2013, which allows members to exchange information on threats and vulnerabilities as they take place. CERT-UK is the national computer emergency response team, with a number of responsibilities that stem from the UK Cyber Security Strategy. CiSP is used by many businesses across industry and provides reports that help its members to improve their awareness of cyber security threats.

www.cert.gov.uk/cisp

Recently the South West Regional Group launch of CiSP took place; this was the 12th and final regional launch carried out in the UK. It was jointly sponsored by the SW Regional Cyber Crime Unit (RCCU), CERT-UK and J.P. Morgan (Regional Champion). The profile of the sponsors demonstrates the importance attached to CiSP and the impact it is perceived it can make in developing the cyber security programmes of businesses.

Why should you become a member of CiSP?

  • Early warning of cyber threats that may affect businesses
  • Collaboration between businesses and government in a secure environment
  • Ability to help businesses protect their livelihood from cyber threats
  • Businesses can learn from the experiences of others... both the mistakes and the successes
  • Availability of sector-specific content on cyber threats and incidents that have taken place
  • Businesses that have a small or non-existent cyber security budget can avail themselves of the information
  • Any business can join and benefit from the scheme
  • It costs nothing to become a member, and membership can help a business prepare for a cyber attack


How can CiSP help a business?

  • Alerts and advisory papers on cyber security
  • Reports on threat trends
  • Malware and phishing e-mail analysis
  • Guidance and best practice on common areas, on both a national and a global basis

One of the key features is the Fusion Cell, a team of analysts drawn from government and industry who provide analysis of cyber threats and vulnerability updates.

The scheme is aimed at SMEs, which are considered one of the most vulnerable business sectors, with varying degrees of cyber maturity. It is therefore important that they understand how to protect themselves from cyber attacks and the resulting cyber crime that can occur.

Industry Endorsement

The British Insurance Brokers' Association (BIBA) is going to sponsor its members to join the scheme in order to help improve awareness of the cyber risks that exist.

This will no doubt become a common theme within other industries in the future.

Insurance has a role to play 

Cyber insurers and specialist insurance brokers can also contribute to CiSP by providing current data and information on the cyber security attacks and data breaches that they have been involved with and managed.