Remote Working – Is Your Data Safe?


Keeping data safe in the current climate, with a significant proportion of the workforce still working from home, is one of the biggest challenges faced by individuals and the business world.

Covid-19 has brought about many changes to our daily lives and highlighted how important it is that data is adequately protected from being compromised, whether inadvertently or through a cyber-attack.

We deal with and handle enormous amounts of data at home and at our workplace, and this is now concentrated in one place in our remote locations. The security of this data is therefore more vulnerable, as it relies on individuals and the precautions they take to protect it.

The ICO has recently posted its top ten tips to help keep data secure whilst working from home.

https://ico.org.uk/for-organisations/working-from-home/how-do-i-work-from-home-securely/

  • Follow your organisation's policies, procedures and guidance
  • Only use approved technology for handling personal data
  • Consider confidentiality when holding conversations or using a screen
  • Take care with printouts
  • Don't mix your organisation's data with your own personal data
  • Lock it away where possible
  • Be extra vigilant about opening web links and attachments in e-mails or other messages
  • Use strong passwords
  • Communicate securely
  • Keep software up to date

Phishing

It is very easy to inadvertently give away data, and one of the most common methods hackers use is phishing. Keeping data safe from such techniques means you have to be extremely vigilant: clicking on an e-mail link whose origin you are uncertain of could lead to your personal details being divulged.

With this data it is possible for hackers to build up a comprehensive profile of an individual. This can lead to identity theft and subsequently to fraudulent activity on bank accounts, fraudulent job applications and a whole variety of scams that could cause financial loss to an individual.

Keeping data safe is a constant challenge: our mobiles are used as much as, if not more than, our wallets or purses, and the more we use them the greater the danger to the data they hold.


What is the CCPA?

The California Consumer Privacy Act (CCPA) is a new consumer protection law which comes into effect from 1st January 2020 and is yet another sign that data protection is now taken very seriously. It follows closely in the steps of the General Data Protection Regulation (GDPR), which was launched in May 2018.

Who does this apply to?

  • This law is applicable in the state of California where organisations carry out business that involves collecting and processing the personal information of individuals.
  • Where an organisation has gross revenues of over $25,000,000
  • If an organisation buys or sells the personal records of at least 50,000 consumers for commercial gain
  • If an organisation earns more than 50% of its revenue from selling consumers' personal records

If any of these criteria is met then the CCPA will be applicable and the business will have to adhere to these regulations.

What are the consequences of non-compliance?

Should this be the case, it is possible that the business could face the following penalties:

  • A civil penalty of up to $7,500 for each intentional violation and $2,500 for other violations
  • In addition, the victims of a data breach may obtain $100 to $750 per consumer, per incident

How a business manages its data is therefore of the utmost importance, both to comply with these regulations and to avoid the penalties that stem from a breach of them.

Some guidelines for the management of data

  • Ensure that all employees are briefed on this legislation and carry out training as applicable.
  • Ensure that all processes and procedures are aligned to comply with the new legislation and, if not, introduce new ones to cater for it.
  • Carry out a review of cyber security within the organisation and implement upgrades and improvements where necessary in order to mitigate a possible data breach.
  • Where necessary, bring privacy notices and policies on websites and other public-facing forums into line.

The protection of data is becoming a core value within businesses as, in the event of a data breach, the costs of managing it and the impact on their reputation can be severe.


GDPR One Year On – What’s Changed?


GDPR has been with us for just over a year now, so what has changed during this period?

Businesses are now much more proactive in their approach to cyber security, putting in place robust systems and procedures to combat the threat of hackers.

http://cyberbrokers.co.uk/gdpr-data-protection-but-not-as-we-know-it/

The ICO has just published a report, "GDPR – One Year On", which sets out a review of its first year in operation.

https://ico.org.uk/media/about-the-ico/documents/2614992/gdpr-one-year-on-20190530.pdf

Countering the Cyber Security Threat

The risk of a data breach is also now higher than ever with the changing cyber risk landscape. New ransomware strains and malware are constantly evolving, so keeping up-to-date protections in place is vitally important. GDPR is a clear driver of the approach the C-suite has to take to protect and secure their businesses.

Among the many areas that IT security has focused upon is backup, which is essential to protecting data: it makes data retrievable in the event of a compromise caused by a cyber-attack.

Change in Philosophy

GDPR was a long time coming and businesses have struggled to find the resources to put in place processes to achieve compliance. Some were ahead of the game and some struggled to meet the deadline of 25th May 2018.

The philosophy towards cyber security has also reached an engagement point where businesses are looking beyond GDPR and seeking cyber security accreditations such as ISO 27001.

Global Effect

Other countries are also taking note of the impact that GDPR is having and bringing in similar legislation of their own.

For example, the California Consumer Privacy Act (CCPA) comes into force on 1st January next year. This provides consumers with certain rights over their personal data held by businesses and is an obvious parallel with GDPR.

GDPR Fines

Regulators to date have issued in excess of 200,000 fines, of which 65,000 were related to data breaches. Fines totalled €56M, which includes the €50M levied against Google by the Irish Data Protection Commissioner. In that case, new users were inadequately advised of how personal data was collected and how it was subsequently used.

The fear of regulators issuing fines of up to 4% of a business's global turnover has not materialised yet. However, Elizabeth Denham, the UK Information Commissioner, recently stated in a speech that this may be about to change later in the year. The ICO, it is understood, has a couple of very large cases currently under review.

Both Equifax and Uber have been fined over the past twelve months, but this was under previous legislation and not GDPR.

The impact of GDPR does appear to have improved cyber security standards. We are, however, waiting to see how regulatory bodies will impose the full force of non-compliance in the event of a cyber-attack that results in a significant data breach.

Sign Of The GDPR Fines To Come…?


It was announced last week that the credit reference agency Equifax has been fined by the ICO in the sum of £500,000 as a result of failing to protect the personal data of 15 million UK citizens and 146 million in the US during the 2017 data breach.

http://cyberbrokers.co.uk/equifax-the-anatomy-of-a-data-breach/

The long-awaited ICO report found that the UK arm did not have the appropriate steps in place for processing and protecting the personal information of its data subjects.

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/09/credit-reference-agency-equifax-fined-for-security-breach

The joint ICO and FCA report highlighted the following:

  • Data was retained for longer than was necessary
  • Inadequate measures were in place to manage personal information
  • IT security was not of the highest standard, making a compromise of data likely
  • The US Department of Homeland Security had advised Equifax Inc about a critical vulnerability in 2017
  • Customers' data should have been treated with much higher regard

The investigation was carried out under the 1998 Data Protection Act, as opposed to the recent General Data Protection Regulation (GDPR) that came into force on 25th May this year. The ICO imposed the maximum fine of £500,000 available under the previous Act.

Under GDPR the ICO has the power to set a maximum possible fine of 4% of a company's global turnover; the consequences of this data breach could therefore have been much higher had it occurred after 25th May this year.

The ICO's approach to GDPR fines, and how it will impose them on businesses responsible for data breaches, is still very much unknown: the climate remains untested and only time will tell how fines are imposed and how severe they may be. The Equifax fine does suggest that the ICO will be treating such data breaches very seriously and will wish to demonstrate that the new legislation has "teeth" and that it will act accordingly.

The Holiday Cyber Risk Landscape


The holiday season is now in full swing, with people travelling to far-off destinations to enjoy a well-earned break and spend time with their families. Unfortunately the cyber threat remains with us, and is arguably increased because people's guard is somewhat down in the relaxed environment that being on holiday promotes.

A survey carried out by Keeper Security Inc last year showed that the US posed the greatest threat to holidaymakers from hackers; more worryingly, the UK came in second place, with France, Spain and Italy also featuring in the top ten.

https://www.marieclaire.co.uk/entertainment/technology/cyber-security-holiday-destinations-523668

Some of the cyber threats that exist to individuals and businesses are as follows:

Insecure Wi-Fi Networks

A hotel Wi-Fi network may be vulnerable if it is not secured with current encryption standards, and the same can be said of restaurants or cafés. Attacks known as "Man in the Middle", where a third party intercepts and alters traffic while impersonating both the user and the application, can capture highly sensitive data and use it to compromise a user's details.

GCHQ regularly warns travellers of the threats posed by insecure Wi-Fi networks, and the holiday season is when these threats become more prevalent. It is therefore important to check that the Wi-Fi has the appropriate security protocols in place, particularly when money is being transacted.

Holiday Scam E-mails

It is conceivable that an individual could fall foul of a hacker before they even leave the house. Holiday scam e-mails may point to a bogus website offering a holiday deal that is too good to be true, and the likelihood is that it is. Funds could be stolen through an online transaction, with debit or credit card details also being compromised by the hacker.

Being Aware

Leaving a laptop or smartphone on your beach towel or on a café table opens an opportunity for a speculative hacker to steal the device and use the data themselves, or to post it on the dark web to be sold at a later date.

Keeping a tight ship

The same principle applies to businesses during the holiday season, which may not have their usual numbers in their cyber security team, creating an environment where threats could be missed or not acted upon as quickly as normal. Greater reliance is therefore placed on everyday users to practise good cyber hygiene in their everyday work: watching out for phishing e-mails and dubious website links, which could lead, for example, to fraud or a ransomware attack.

Back Home

Once back home it is good housekeeping to check matters such as bank statements, to ensure that no fraudulent transactions have taken place and that you can account for everything spent.

At work, look out for any unusual e-mail activity or change in the functionality of your computer, in case a virus downloaded itself whilst you were away.

Wherever you are on holiday, cyber threats exist in many forms; hackers do not go on holiday, so it is vitally important that you maintain the same cyber security posture.

Is Our Data Safer Under GDPR?


Now that GDPR is in force, will it make our data safer?

The volumes of data running through businesses in the UK are difficult to visualise and practically impossible to safeguard, so will GDPR actually make any difference to how well our data is protected? The chances are that it will, but the same inherent threats will still exist.

So what are these threats?

1. Businesses that have not yet complied with GDPR

In the run-up to GDPR a number of reports indicated that many businesses were behind in achieving the required standards; there is therefore a danger that firms are still very much behind the curve in meeting GDPR standards.

2. Inability to restore data

In the event of a compromise of personal data, it will be important that a business can restore the data by having the appropriate backups in place; if this is not possible, it will impact business confidence and reputation.

3. Internal espionage

Rogue employees or a disgruntled member of staff might wish to cause disruption or make a point on a company-wide issue. Morrisons was recently involved in a court case and found vicariously liable for the acts of an employee who gained access to the personal details of employees and released them into the public domain.

http://www.hrmagazine.co.uk/article-details/the-morrisons-data-breach-and-gdpr-compliance

4. Heightened cyber security threats

It is conceivable that there will be a visible increase in cyber attacks on businesses as hackers target firms for their data and exploit vulnerabilities. Such threats include ransomware or a DDoS attack, where a hacker could hold a business to ransom by threatening to steal or disseminate data.

http://cyberbrokers.co.uk/will-ransomware-attacks-increase-under-gdpr/

5. Poor cyber risk management

A data controller with poor cyber risk management would be a prime target for a hacker. Basic cyber hygiene is vital, with Cyber Essentials as a minimum standard and preferably ISO 27001 advanced cyber security processes in place.

6. The absence of an incident response plan

If a business is hit by a data breach it will need to react quickly, and an incident response plan will assist with this. Business continuity and disaster recovery plans should also be in place so that the business can continue to operate.

Cyber Insurance can help….

This specialist form of insurance can provide valuable coverage in the event of a data breach and help manage its impact.

The main elements of coverage provided to protect data are as follows:

  • Privacy Liability
  • Data notification costs
  • Regulatory costs and expenses
  • 24/7 Incident response services

There is no doubt that data will still be at risk, with new threats to its security emerging as technology, and the incentives to use data for ill means, increase.