GDPR Archives - Security IT Summit | Forum Events Ltd
  • Covid-19 – click here for the latest updates from Forum Events & Media Group Ltd

Security IT Summit Security IT Summit Security IT Summit Security IT Summit Security IT Summit

Posts Tagged :

GDPR

GDPR

The data dichotomy and the vital importance of effective self-regulation

960 640 Guest Post

The data privacy debate that has raged for the past decade has patently failed to meet the needs of either industry or consumers. Legislative change continues to challenge digital marketing models – and has had little impact on consumer trust: Edelman’s 2021 Trust Barometer cites an era of “information bankruptcy”, with global trust levels at an all-time low. What has to change? John Story Vice President, Deputy General Counsel Global GTM, Acoustic, EMEA, explains why effective self-regulation is a vital step in rebuilding consumer trust...

Ethical Challenge

Data privacy is once again, front and centre of the advertising and marketing debate. From the imminent demise of third-party cookies, to ever-increasing privacy regulations including GDPR, UK DPA 2018 (essentially the post-Brexit version of GDPR), and the Privacy and Electronic Communication Regulations (PECR)—as well as the latest Apple / Facebook ad tracking row–it’s easy to see how consumers and marketers alike might be scratching their heads over where, how and why data can be used.

Marketers are justified in bemoaning the impossibility of doing an effective job or meeting customers’ desires for better, more relevant and personalised messaging given the increasing constraints placed by legislative change. But the industry needs to face facts: it has been too slow and too reactive. 

Just consider the inadequate industry response to scandals such as Cambridge Analytica’s data misuse. Effective self-regulation should have become an absolute priority, yet little happened. When the industry fails to step in and address its problems, when companies sit and wait for a major issue to emerge and only then attempt to address the fall out, legislators feel they have little option but to intervene. The results are more often than not to the detriment of everyone in the ecosystem.

Effective Self-Regulation 

For marketers, consumer trust is essential to survival – and the onus is on the industry to rebuild and sustain that trust. Which is why, however the motives are perceived, Apple’s recent move is a positive step in reinvigorating the debate and, hopefully, accelerating the adoption of the effective self-regulation that will rebuild consumer trust and confidence.

Improving the way companies – of every size – notify consumers, then request and honour consent is an indispensable step in the creation of an industry that truly recognises the importance of ethical behaviour. By finding a way to convey a commitment to data privacy without confusing or overwhelming the end customer, the industry can avoid the risk of further inappropriate or clumsy legislation – legislation that is both implemented inconsistently and fails to improve consumer confidence.  

Legislation takes too long to devise and ratify – making it technologically out-of-date by the time it is enforced. Even worse, once in place, it’s incredibly hard to change. It also rarely achieves the essential change in attitude to data ethics and data privacy that’s required. Legislators may hope fines encourage organisations throughout the data ecosystem to modify behaviour, but when the culture is one of enforcement the modification in behaviour is often the minimum required to avoid future sanction.  

Take Ownership of Data Ethics

Public trust can be rebuilt and maintained if the industry takes appropriate, ethically sound, self-regulatory steps that evolve with technology and public perception. There should then be little call for regulators and governments to step in and impose stifling legislation.

However, it’s important to recognise that this affects every company, every marketer, and every MarTech provider. This is not just an issue for the large technology companies. Indeed, given the fact that Apple remains a lone voice and there has been little sign from Google or Facebook of a willingness to put effective self-regulation ahead of revenue generation goals, unless marketers and MarTech companies highlight the ethical data privacy debate and take action, change won’t occur.

This is nothing new: the marketing and advertising industry has always worked together on self-regulation – from the development of advertising standards onwards. The only change is the technological context. Abdicating responsibility for data privacy and a commitment to data ethics will only erode public trust further and lead to the imposition of additional legislation.

Conclusion

We have seen the changes that can be achieved as a result of high-profile debate. With recent concerns about hateful content and misinformation online, for example, social media providers took positive steps to self-regulate;  they recognised that working effectively together was important to create a long-term future for their platforms. The next step must be to encourage the same levels of effective self-regulation around data usage and advertising.

Apple has nudged open the debate on data privacy and data ethics. The onus is now on players throughout the industry to push that door wide. Public trust is imperative – and that means effective self-regulation and the creation of a data ecosystem built on transparency and informed consent.

GDPR post Brexit: What will the impact be on hosting and cloud providers?

960 640 Stuart O'Brien

By Güneş Ilgüy, Head of Data Protection at A City Law Firm

The UK needed to upgrade its data privacy laws and bring it in line with the rest of the world. The main reason for the GDPR was to assist in harmonising the data privacy laws across Europe, setting a standard that the nations could adhere to. 

The GDPR was exactly that change. It was designed to ensure that a high standard was implemented, a code if you like, for businesses to be held more accountable for the data they collect and process. It also gave more power to the people by allowing them to have a say in how their data can be used. 

The question remains however: Will GDPR still be relevant post Brexit? 

In England and Wales, The Data Protection Act 2018 (DPA) came into force replacing the old one of 1998. The DPA mirrors the GDPR and where the GDPR is vague in some areas, the DPA adds more meat to the bone. 

Also, remember, the GDPR applies to all EU member states and any business collecting data of an EU national has to be GDPR compliant. It is also worthy of noting how far the GDPR reaches out in the international community. Any data processing by businesses outside of the EU, who process the personal data of individuals in the EU, are also subject to the GDPR. 

The Information Commissioner has stated that the GDPR “will send an important signal about the UK’s commitment to a high standard of data protection post-Brexit. This in turn will play a role in ensuring uninterrupted data flows between the UK and the EU.” 

The position of the UK post Brexit 

The GDPR is a directive and whilst the UK is still a member of the EU, it had a duty to implement this directive into domestic law. The DPA allows the UK to hold itself up to the same standard as the GDPR. It is not likely that the UK will now abandon the GDPR and amend its own laws, given the amount of money public bodies and businesses have invested into ensuring they are compliant. Changing the law would not make sense given that it has been brought up to date and implemented, with businesses winning over their customers

Keeping its current law in line with the GDPR will also pay dividends post Brexit as businesses will hope to maintain good relations with their EU counterparts. 

Hosting companies and Cloud providers 

Online data collection is probably most popular method of collecting data. Hosting companies and cloud providers have spent a lot of time and money ensuring that they can meet the demands of being compliant in terms of providing server security and processing data they handle.

Data transfer in itself does not have any boundaries. There is some uncertainty of how the UK will react to data privacy post Brexit however it would not make sense to go backwards and change the current regime to render it incompatible with the GDPR.

Developing strong ties with the EU in the terms of trade is of utmost importance and any change post Brexit will not be welcomed by companies.

Hosting and cloud providers, as data controllers or processors, have already been pushed to ensure they operate in line with the GDPR by their customers. If there was to be a different standard implemented by the UK, this could see UK providers losing customers to EU based providers who will be able to conform to the standards needed.

Companies outside of the UK are also looking at the current market. Where they have business operation in the UK, they are likely to use UK hosting companies. Post Brexit, using UK based hosting services might be more cost effective, depending on the value of the pound sterling, as opposed to using EU hosting providers who may look to increase the price of their services. 

One case that makes the crossover unclear is the Google Breach – in the future Post-Brexit can this scenario arise? As surely the reach of an EU country into the UK to this extent will no longer apply? There is no answer to this question, but it is something to watch.

The French Data Regulator, CNIL, fined Google a record £44 million (50 million Euros) for breaching the EU’s data protection laws. This made headline news because what makes this case remarkable is that the complaints against Google in May 2018 were raised by two privacy rights groups in France, and against a company whose headquarters were and are based in Ireland. 

Generally, you would expect the Irish regulator to have addressed this however, the CNIL found that the overarching decisions about the processing operations complained of were not made by Google’s Irish offices, or by anyone in the EU. It was discovered those were made by the US company. As this case was not about a data controller’s main EU establishment, CNIL was at liberty to take its own action. This conclusion was reached following communications with other EU supervisory authorities, including the Irish DPC. 

What can be learned from this? 

The Google case sends a strong message about data protection which should be received loud and clear. Regulators have powers to levy huge fines on companies found to be in breach and they are willing to use it even outside of the companies housed jurisdiction. whether an EU country would have this right post Brexit is something to watch? 

Conclusion

Focus is now on how an effective deal can be negotiated however any hard Brexit or no deal will have consequences on the economy, and this will affect how business choose to operate. It is hoped that the current data legislation is adequate enough not to be changed or significantly amended. Any changes that are incorporated would mean businesses in the UK and EU would need to adapt to ensure they maintain their customer base. What happens after Brexit is anyone’s guess. 

Under EU regulations an EU based data controller has to ensure that when data is passed to a country outside of the EU (which the UK will be upon Brexit even to Ireland) that the country housing the data has adequate levels of protection comparable to those of the EU. 

Whilst we don’t expect a significant shift given the UK is currently having to comply with GDPR and its own Data Protection legislation so harmonized, we do not know how the EU will view this in the future, especially since at the time of writing we may still be looking at a ‘hard Brexit’. It is likely EU based controllers will have to deal with the UK as it does for any non-EU countries – with established data protection mechanisms in place, such as the United States. 

Just a third of UK firms will be GDPR compliant by May 25

960 640 Stuart O'Brien

UK companies are hugely ill-prepared for this week’s General Data Protection Regulation (GDPR) enforcement deadline, according to new research.

Less than a third (29%) of organisations surveyed by USB drive specialist Apricorn felt confident they would comply, and when questioned further and asked whether there were any areas they might be likely to fail, 81% could think of some area of the new requirements that might cause them to fail when it comes to GDPR compliance.

Fifty per cent of organisations who know that GDPR will apply to them admit that a lack of understanding of the data they collect and process is their number one concern relating to non-compliance.

On top of this, almost four in ten (37%) believe they are most likely to fail because of gaps in employee training, and almost a quarter (23%) say their employees don’t understand the new responsibilities that come with the GDPR.

While one in ten still regard the GDPR as a mere tick box exercise, a substantial proportion do view it as being of some benefit to their organisation – for example 44% agree that the new regulation is a welcome opportunity to overhaul their organisation’s data handling and security processes.

The most commonly taken step so far, for those who say they will be at least somewhat prepared for the GDPR, is to review and update their security policies for mobile working (67%). However, 30% still worry they could fail to comply due to mobile working, and almost a quarter (22%) of respondents are concerned they may fail due to a lack of encryption.

“Data or personally identifiable information (PII) is at the heart of GDPR and mapping and securing it should be every organisation’s number one priority. By now, all employees, from the top down, should have an understanding of the importance of GDPR and the role they play in keeping this data safe,” said Jon Fielding, Managing Director, EMEA Apricorn. “While we know that many organisations have provided some form of employee training, clearly in some cases this hasn’t been effective and organisations should address these gaps urgently.”

GUEST BLOG: Having the right connections – Are VPNs really fit for purpose?

960 640 Stuart O'Brien

Stuart Sharp, Global Director of Solutions Engineering at OneLogin

Remote working has fast become commonplace in today’s business landscape. Free from the stress of the modern-day workplace, employees are increasingly keen to opt for the laptop and crack on with work uninterrupted, all from the comfort of their own home.

In fact, the Office for National Statistics (ONS) last year predicted that half of the UK workforce will be working from remote locations by 2020, many of whom cited how the increased flexibility can benefit their private lives. Not all business owners are convinced. Many tech goliaths, such as HP, IBM and Yahoo, have recently rescinded the option for their employees to work from home, inciting an ‘if you don’t like it, leave’ approach.

The reality is that for many companies, having a high percentage of employees working from home just isn’t the same as having an office full of busy employees, and it’s mostly down to the ease with which employees can access corporate applications remotely. The Virtual Private Network (VPN) was created to resolve this issue and provide a secure link between an employee, at home or on the road, to the corporate network. In fact, almost half (48%) of UK IT professionals surveyed by OneLogin require employees to use VPNs when working remotely. However, with 30% receiving frequent complaints that the use of a VPN slows down remote network access, many organisations are struggling to find a balance between productivity and security. The survey also found that half of remote workers spend up to one day per week connected to unsecured networks in an effort to circumnavigate VPNs and get on with their job, leaving organisations open to a host of cyber threats.

With ‘not fit for purpose’ VPNs, organisations are inadvertently making remote working impossible. The creativity, productivity and efficiency benefits that remote working originally boasted are being buried under a sea of stressed remote employees and IT teams battling complaints.

Organisations have outgrown the outdated tech they still rely on and can no longer afford to use unreliable VPNs that encourage employees to flaunt security best practices. If employees continue to favour unsecured networks, a cybersecurity catastrophe is just around the corner, particularly with the deadline looming for the EU’s General Data Protection Regulation (GDPR) on May 25th, 2018. Under GDPR, if data gets into the hands of cybercriminals as a result of neglect or employee ignorance, businesses could be faced with penalties that start at €10 million and can go up to as much as €20 million or 4% of a business’s annual turnover, whichever is higher [1].

While having a fully cloud-based strategy seems ideal for many, it isn’t always easy to realise. Many organisations, and particularly enterprises, are battling with a hoard of on-premise legacy IT systems. But the reality is that they simply can’t just move everything into the cloud overnight. IT policies and end-point management strategies need to account for both cloud and on-premise IT infrastructures. Neglecting either of them is not an option.

In order to evolve, businesses are on the hunt for a low-maintenance solution that handles employee provisioning and deprovisioning (when employees leave a company), while also improving security and reporting. To meet this demand, Identity and Access Management (IAM) providers need to step-up to the plate and offer solutions that manage both on-prem and cloud environments from one unified platform.

So how can companies make this a reality?

Regardless of whether companies deploy more on-premise or cloud applications, having one unified access management platform will simplify and manage access in real-time. Coupling this with a smart IAM system that can power intelligent authentication tools, bolster security measures and increase functionality for end users will only propel industries towards digital transformation in a safe and secure fashion. In today’s competitive landscape, business efficiency and agility are necessities — and safe and effective remote working has a key role to play going forward.

Only 40% of UK businesses ready for GDPR

960 640 Stuart O'Brien

New data from Crowd Research Partners indicates only 40 per cent of UK organisations are either GDPR compliant or well on their way to compliance by the May 2018 deadline.

The report highlights the lack of GDPR expertise and an overall underestimation of the effort required to meet GDPR, which represents the most sweeping change in data privacy regulation in decades.

The key findings of the study include:

  • A whopping 60% of organisations are at risk of missing the GDPR deadline. Only 7% of surveyed organizations say they are in full compliance with GDPR requirements today, and 33% state they are well on their way to compliance deadline.
  • While 80% confirm GDPR is a top priority for their organization, only half say they are knowledgeable about the data privacy legislation or have deep expertise; an alarming 25% have no or only very limited knowledge of the law.
  • The primary compliance challenges are lack of expert staff (43%), closely followed by lack of budget (40%), and a limited understanding of GDPR regulations (31%). A majority of 56% expect their organization’s data governance budget to increase to deal with GDPR challenges.
  • Approximately a third of surveyed companies report that they will need to make substantial changes to data security practices and systems to be in compliance with GDPR. The highest ranked initiative for meeting EU GDPR compliance is to make an inventory of user data and map it to protected EU GDPR categories (71%), followed by evaluating, developing, and integrating solutions that enable GDPR compliance.

The 2018 GDPR Compliance Report has been based on a comprehensive online survey of IT, cybersecurity and compliance professionals in the 400,000-member Information Security Community on LinkedIn, and has been produced in partnership with Alert Logic, AlienVault, Cavirin, Data443, D3 Security, Haystax Technology, and Securonix.

To download a copy, click here.

GDPR

GUEST BLOG: GDPR and CCTV – This will impact your business!

960 640 Stuart O'Brien

By 2020 CCTV

Is your business prepared for the implementation of the General Data Protection Regulation (GDPR)?

Set to be introduced on the 25th May 2018, considering what actions you must take is essential to ensuring your company does not face the tough consequences that have been set out.

GDPR is set to replace the Data Protection Act (DPA), so if you think your business is still covered — it’s not. Even though it is a piece of European Union legislation, it is likely that Britain will adopt this even after Brexit — meaning that your company should be preparing for the worst.

4% Global Annual Turnover Penalty: How To Avoid It

Businesses could find themselves paying a hard fee of 4% of their global annual turnover — so making sure that you’re compliant with the changes GDPR has regarding CCTV is essential. Here are some of the key things you need to know:

  • You need a strong and valid reason for the placement of CCTV around your perimeter.
  • You can’t use CCTV to ‘watch over’ your employees.
  • You must not place CCTV in places where employees expect privacy i.e. canteens.
  • You must notify surrounding people that they are being recorded as employees and site visitors become data subjects.
  • You shouldn’t keep data for over 30 days — under different circumstances, this can
  • You have a duty to protect the data that you collect.

GDPR Requirements: What Your Business Needs To Do To Avoid Prosecution

Corresponding with the bulleted list above, we’ve teamed up with 2020 Vision, which are consultants regarding CCTV security IP CCTV and access control systems, to give you the solutions that you need to know to avoid prosecution by the European Parliament:

  • A reason for CCTV could be to help protect your employees when it comes to health and safety and capture any incidents that could potentially occur — such as a robbery.
  • Compile an operational requirement, which should support your decision for CCTV placement.
  • Highlight a security risk which could be minimised through CCTV — whether this is being placed in canteens or smoking areas. An operational requirement can be made in this instance too.
  • Notify the public that you are recording them for CCTV and security purposes by putting up signs that signal this — include a contact number too, so anyone can contact if they incur any issues.
  • Dispose of your data after 30 days of retainment — it can be kept for longer if the local authorities have a written request and must view it on your own premises.
  • Avoid data breaches by drafting up a contract with your security supplier (who will become your data processor under GDPR legislation) and highlight what they can and can’t do with any footage that they obtain from your surveillance.

If you need further help understanding the implementation of GDPR, contact security consultants 2020 Vision today to ensure that you don’t leave it too late before May 25th. Make sure that you’re covered at all costs by clicking here and avoid facing tremendous penalties for non-compliers.

GDPR

Good news everyone! ‘72% of organisations worldwide are GDPR ready’

960 640 Stuart O'Brien

An EfficientIP X-Day study says average global spend on GDPR compliance tops $1.5 million, with less than 100 days to go before the deadline for EU GDPR compliance on 25th May this year.

EfficientIP, through independent market research firm Coleman Parkes, asked over 1,000 companies worldwide about their preparation plans for GDPR. Among the key findings were:

  • Over two-thirds of global businesses at 72% are confident they will have all required GDPR compliance processes in place by 25th May 2018.
  • North America is the most confident region in world, with American and Canadian organisations saying they will be prepared at 84% and 75% respectively.
  • Despite the on-going Brexit negotiations and uncertainty looming over the enforcement and effectiveness of the EU GDPR regulation on local businesses, the UK is the most confident nation in Europe, with 74% saying they will be ready by deadline day.
  • In comparison, Spanish businesses are a close second to the UK at 73%, dropping to 66% of French respondents. German organisations are the least confident in Europe at 61%.

Businesses worldwide believe there will be a variety of benefits they will gain from being GDPR compliant. Nearly half of all organisations surveyed, at 46%, say the most important benefit from being GDPR compliant is gaining customer trust to handle sensitive data.

31% of businesses believe the most important value from compliance is enhanced brand awareness. 18% of respondents felt GDPR compliance will increase customer loyalty is the most important benefit.

APAC, North America and Europe businesses believe the biggest positive impact from compliance is increased trust in handling customer data at 53%, 46% and 41% respectively.

European organisations lead the study in saying increased customer loyalty is the biggest impact at 22%, with North America and APAC following respectively at 15%, 14%.

On average, global organisations have so far spent $1,583,000 (£1,145,000) on GDPR compliance. Globally, European businesses have spent the most on average on compliance with Germany leading at $1,969,000 (£1,424,000), followed by the UK with $1,798,000 (£1,300,000), with France completing the top three at $1,781,000 (£1,288,000).

USA and Singapore tops regional spending in North America and APAC, investing $1,568,000 (£1,134,000) and $1,521,000 (£1,100,000) respectively on average. Small and Medium Business have spent on average $1,263,000 (£893,000) so far on compliance, whereas large businesses have spent up to $5 (£3.5) million on compliance.

A key element in EU GDPR is for businesses to provide adequate data protection. In response to this regulatory requirement, 38% of global organisations are convinced that better monitoring and analysis of DNS traffic is the best option to provide data protection in their networks, whilst 35% think securing network endpoints is best and only 21% choose to add more firewalls.

EfficientIP says this shows organisations are finally realising, after the various successful data breaches over the last year, that firewall technology is no longer adequate.

APAC, North America and European organisations are confident in DNS monitoring and analysis technology at 40%, 37% and 36% respectively.

Commenting on the study figures, Herve Dhelin, SVP Strategy at EfficientIP, said: “As organisations enter the final straight of GDPR compliance with 100 days to go, our research shows they have never been so close to regulatory compliance. There is still some work to do, but it is encouraging to see nearly three-quarters of businesses are ready and most organisations see monitoring and analysis of DNS traffic, not firewalls nor endpoints, is the best way of preventing data breaches.”

Top 10 IT security predictions for 2018

960 640 Stuart O'Brien

Ian Kilpatrick, executive vice president for cyber security company, Nuvias Group, offers his top 10 IT security predictions for the year ahead…

1. Security blossoms in the boardroom

Sadly, security breaches will continue to be a regular occurrence in 2018 and organisations will struggle to deal with them. New security challenges will abound and these will grab attention in the boardroom. Senior management is increasingly focusing on security issues and recognising them as a core business risk, rather than the responsibility of the IT department alone. The coming year will see further commitment from the boardroom to ensure that organisations are protected.

2. Ransomware has not gone away

Too much money is being made from ransomware for it to disappear – it won’t. According to Cyber Security Ventures, global ransomware damage costs for 2017 will exceed US$ 5 billion, with the average amount paid in ransom among office workers around US$ 1400. Companies can help prevent ransomware by tracking everything coming in and out of the network and running AV solutions with anti- ransomware protection. And, of course, you should do regular backups to a structured plan, based around your own business requirements – and make sure you test the plans.

3. IoT – A security time-bomb

IoT is a rapidly growing phenomenon which will accelerate in 2018, as both consumers and businesses opt for the convenience and benefits that IoT brings. However, manufacturers are not yet routinely building security into IoT devices and 2018 will see further problems generated through the use of insecure IoT. IoT is a major threat and possibly the biggest threat to businesses in the coming years. Unfortunately, it is not easy, and in some cases impossible, to bolt on security as an afterthought with IoT, and many organisations will find it challenging to deal with the consequences of such breaches. As IoT cascades through organisations’ infrastructures, it is likely to become the ultimate Trojan horse.

4. More from the Shadow Brokers

The Shadow Brokers, a hacker group which stole hacking tools from the American National Security Agency (NSA), created havoc in 2017 with the Wannacry ransomware episode. The group has already stated that it will soon release newer NSA hacking tools, with targets that might include vulnerabilities in Windows 10.

There will certainly be further episodes from them in 2018, so patch management, security and regular backups will be more crucial than ever. A major target of these hackers is the data that organisations hold, including PII (Personally Identifiable Information) and corporate data, so protecting the data ‘crown jewels’ inside the network will become ever more crucial.

5. GDPR – Have most businesses missed the point?

The arrival of GDPR in May 2018 will, of course, be a big story. However, many organisations are missing the main point about GDPR. It is about identifying, protecting and managing PII – any information that could potentially identify a specific individual. This will become more important in 2018 and there will be considerable focus on identifying, securing and, where required, deleting PII held on networks.

6. GDPR Blackmail – The new ransomware?

Unfortunately, GDPR will give a great opportunity to criminals, hackers, disgruntled staff and anyone who might want to do an organisation harm. They simply have to ask you to identify what data you hold on them, ask for it to be erased, and ask for proof that it has been done. If you can’t comply, they can threaten to go public – exposing you to the risk of huge fines – unless you pay them money. Watch out for that one!

7. DDoS on the rise

It is now possible for anyone to ‘rent’ a DDoS attack on the internet. For as little as US$ 5, you can actually pay someone to do the attack for you! https://securelist.com/the-cost-of-launching-a-ddos-attack/77784/. This is just one of the reasons DDoS threats will continue to escalate in 2018, alongside the cost of dealing with them. The dangers of DDoS for smaller companies are that it will leave them unable to do business. For larger organisations, DDoS attacks can overwhelm systems. Remember that DDoS is significantly under-reported, as no-one wants to admit they have been under attack!

8. Cloud insecurity – It’s up to you

Problems with cloud insecurity will continue to grow in 2018 as users put more and more data on the cloud, without, in many cases, properly working out how to secure it. It is not the cloud providers’ responsibility to secure the information – it is down to the user. With the introduction of GDPR in 2018, it will be even more important to ensure that PII stored in the cloud is properly protected. Failure to do so could bring serious financial consequences.

9. The insider threat

Historically, insider threats have been underestimated, yet they were still a primary cause of security incidents in 2017. The causes may be malicious actions by staff or simply poor staff cyber-hygiene – i.e. staff not using the appropriate behaviour required to ensure online “health.” In 2018, there will be growth in cyber education, coupled with more testing, measuring and monitoring of staff behaviour. This increasingly involves training and automated testing, such as simulated phishing and social engineering attacks.

10. Time to ditch those simple passwords

In 2018, simple passwords will be even more highlighted as an insecure ‘secure’ method of access. Once a password is compromised, then all other sites with that same user password are also vulnerable. As staff often use the same passwords for business as they use personally, businesses are left vulnerable. While complex passwords do have a superficial attraction, there are many challenges around that approach and multi-factor authentication is a vastly superior method of access.

CCTV

GUEST BLOG: Will GDPR impact CCTV?

960 640 Stuart O'Brien

By 2020 CCTV

25th May 2018 will mark the day where GDPR (General Data Protection Regulation) is implemented by the European Union. With this new legislation, the way we capture and handle CCTV footage will change to fit with the new guidelines presented by the European Union.

With the implementation date closer than we think, businesses should be preparing to comply with changes and be aware of the penalties if they don’t.

In this article, we discuss how you can make sure that your business is working within the framework of the GDPR rules once they’re introduced and help your business avoid the 4% global annual turnover penalty.

What you need to know once GDPR has been introduced:

Viable reasoning is needed for those who have CCTV around your business. An example of this would be to help protect employees when it comes to health and safety or to capture footage of any incidents that occur within the company.

Compiling an operation requirement (OR) is important when it comes to having CCTV in your business property as you can’t use CCTV to spy on your employees – and you need to justify your reasoning.

CCTV that is placed within a public space where someone would expect privacy could face reports the public. This can range from places such as canteens, break areas and public spaces. If you are able to highlight a security risk that could be minimised through using CCTV, it is more likely that the CCTV will be accepted in these places, again think of the OR.

Personal data is being collected constantly through video surveillance. To inform people who operate in and around your business, you should have a disclosure to tell them that CCTV is in use and that they could be captured on any footage that is obtained. A common method is to have signs that are clear and feature a number for those who want to contact the CCTV operators if they have any queries.

Footage that has been collected from CCTV operations can be kept for 30 days. If you need to keep it for a longer time period, you need to carry out a risk assessment that explains the reasons why. Images and videos that you acquire through your CCTV system might be requested by the police, but make sure that they have a written request. Police will usually view the CCTV footage on your premises and this would not warrant any concerns for the leak of the data.

2020 Vision, who provide access control systems, found that your security supplier will be your data processor under the GDPR law. This means that those who are using security companies should put an abiding contract in place that states what the security company can do with the footage that is collected from your premises. Data breaches are a possibility when sharing data with a third party, so you need to be extra careful when it comes to handling.

DNS-based attacks costs businesses $2m+ a year

960 240 Stuart O'Brien

Research by network services provider Efficient IP has revealed that poorly designed network solutions cost businesses more than $2 million a year.

The 2017 Global DNS Threat Survey Report explored the technical and behavioural causes of the rise in DNS threats and their potential effects to businesses across the world. Major issues highlighted by the study in its third year include a lack of awareness as to the variety of attacks, a failure to adapt security solutions to protect DNS and poor responses to vulnerability notifications. These concerns will not only be subject to regulatory changes, but also create a higher risk of data loss, downtime or compromised public image.

According to the report, carried out among 1,000 respondents across APAC, Europe and North America, 94% of respondents claim DNS security is critical for this business. Yet 76% of organisations have been subjected to a DNS attack in last 12 months and 28% suffered data theft. The Global DNS Threat Survey Report also estimates the annual average costs of the damages caused by DNS attacks to be $2.236 million (for organisations with 3,000+ employees). The leading causes were Malware (35%), DDoS (32%), Cache Poisoning (23%), DNS Tunnelling (22%) or Zero-Day Exploits (19%).

“The results once again highlight that despite the evolving threat landscape and the increase in cyber-attacks, organisations across the globe and their IT departments still don’t fully appreciate the risks from DNS-based attacks,” said David Williamson, CEO at EfficientIP.

“In less than a year, GDPR will come into effect, so organisations really need to start rethinking their security in order to manage today’s threats and save their business from fines of up to £20 million or 4% of global revenue.”

Globally, the results varied widely. 39% of respondents from the UK and US demonstrated more awareness of the top 5 DNS-based attacks than Spain (38%), Australia (36%), Germany (32%) and France (27%), but less than India (50%) and Singapore (47%). In the UK, the attacks organisations are the most aware of include: DNS-based Malware (52%), DDoS (43%), DNS Tunnelling (39%), Cache Poisoning (34%) and Zero-Day Exploits (28%).

The full report and recommendations can be read here