007 in ‘For your GDPR Only’

MI6 headquartersWhen “M” has finished spymastering for the day, or pops out for a cheeky Nandos, we always see M locking the “Top Secret” files away in the office  safe. We know that’s so that no secrets will be discovered, even if an enemy spy (or the tea person) manages to gain access to the empty office.

In business, we need to be like “M”.

In a previous post I looked at Data Protection and the forthcoming General Data Protection Regulations (GDPR). However, I didn’t make it clear that the regulations don’t just apply to digital data stored on your IT systems and network but also apply to paper records too.

Anything that contains personal data, whether paper or digital, falls under the auspices of the Act, including the recordings from your CCTV cameras, phone systems (think “this call may be recorded for training purposes”) and biometric data – such as fingerprint or iris recognition systems used to unlock systems or grant access.

Keyboard with the word 'Privacy' overlaid

This means the files on your desk, the files in your filing cabinet, your paper archives as well as your electronic records, anything that includes personal data.

To start with, you need to ask yourself

  • Who has overall responsibility for the data you have and/or use?
  • What data are you holding, why are you holding it and where is it held?
  • Are your Privacy and Data Use Policies as good as they need to be?
  • How long do you need to keep data & how will you securely destroy it when you no longer need to keep it?
  • Who has legitimate access to it and who else can access it?
  • How secure is your building, your paper records and IT systems?
  • What happens out of normal business hours?
  • Can data be exported and removed without authorisation (to a USB key for example)?
  • Is your network connected to the internet and how secure is your connection?
  • Can your network be accessed remotely – is this secure?
  • Is your electronic data encrypted so, in the event of a breach, data cannot be accessed and used?
  • Can your network prevent unauthorised intrusion (hacking)?
  • How do you manage Subject Access Requests, (when someone requests to see the data you hold about them)?
  • How will you manage a data breach, whether it’s a hack, unauthorised file copy or unauthorised removal of paper records?

So, how can I help?

I can put you in touch with reliable IT companies and trusted partners 

  • Blob figure staring, "James Bond like" down the barrel of a gunthat will be able to inventory all of your IT and data assets.
  • who’ll test your network to see how secure it is and whether hackers are likely to be able to gain access
  • who will secure your network from external threats (hacking) and ensure that your remote access requirements are reliable, easy to use and secure.
  • who will help you secure your data inside the organisation and set things up so that only appropriately authorised employees can access the data they need to do their job and no more.
  • who will secure your network so that it’s almost impossible for data to be copied onto a USB key or external hard drive and removed from the organisation
  • who will put transparent encryption in place which means that it doesn’t slow anything down but is so strong that only GCHQ or the NSA would be likely to crack it.

Take the first step now, by giving me a call on 01793 238020 or emailing andy@enterprise-oms.co.uk to find out how I can help mitigate data security risks and start preparing for GDPR guidelines.

How much did your last cup of coffee cost?

Cybercrime is everywhere these days, in 2016 the cost to the UK was over £1bn with more than 5.5m cyber offences taking place in the UK every year. That’s almost 50% of ALL UK crime.

There’s lots of advice on passwords, I regularly write about them, and other security measures that you can take but did you know that even a trip to your favourite coffee shop could end up being far more expensive than the price you pay for your Triple Grande Decaf Soy Latte Macchiato and blueberry muffin.

Cup of coffee and coffee beansImagine the scene, you’re between meetings and decide to drop into your favourite coffee shop for a cup of coffee, a cake and to tap into their Wi-Fi to read your emails, refresh your knowledge in time for your next meeting or simply to surf the web.

Spoof Wi-Fi Hotspot
Sign fro free wifi hotspot
When you sit down and try to log-on to the Wi-Fi there’s frequently a selection of hot-spots to choose from. How do you know which is the free service provided by the venue and which is a spoof.

It’s very easy to set up a Wi-Fi hot-spot using a mobile phone, Mi-Fi type of device or laptop and allow other users to connect through this free connection. This means that all of the traffic can then be intercepted by the person providing the spoof account – what sort of important information is passed from your laptop through this connection? It could be your details to access your online banking, the log-in to your company network or the necessary information required to access your corporate email account.

Time for a comfort break

Laptop and cup of coffeeThen the urge hits, you look around and see that everybody seems respectable enough so you head off to the toilet thinking that your laptop is safe on the table. After all, nobody would nick in sight of all those customers, staff and CCTV cameras would they?

You’d be wrong. Laptop tracking service provider, Prey, found that areas offering free Wi-Fi were the second most common target for opportunistic laptop thefts – the only riskier place being left in a visible place in your car.

If stolen, it’s not only the inconvenience of replacing the laptop, reinstalling your applications and copying back your data [you do back-up your data don’t you?] it’s the additional costs that aren’t covered by your insurance.

The Ponemon Institute, a US cyber crime consultancy, put the real cost of the loss of a laptop and it’s data at nearly £31,000. This was broken down into £4,000 for the loss of Intellectual Property, forensics and legal bills adding around £1,500 with a staggering £24,500 attributable to the loss of income, customers and competitive advantage associated with a data breach

So, the next time you stop off for a cup of coffee and decide to log-on using their free Wi-Fi, just make sure you know which network that you’re connecting to and that you don’t leave your laptop unattended.

Why worry about Accreditations?

I do a lot of work for an IT support company in Bristol – Bristol IT Company – and at the bottom of their website is a list of badges, icons and logos, there’s a couple of ISO related ones and the rest come from well known (and less well known) brands in the IT sector but why are they there and why should you be concerned?

Bristol IT Company accreditationsWell, ISO’s easy, it’s a way of demonstrating a certain credibility by being assessed every year to ensure that we remain up to scratch. A lot of businesses have ISO9001 which is a quality management certification that demonstrates their commitment to consistently provide products and services that meet the needs of our clients. ISO27001 is an information security standard that demonstrates commitment to information security, both their own and that of clients.

The other accreditations come from manufacturers such as Cisco, Microsoft, Dell, Aruba, Cyberoam, VMWare and Veeam and demonstrate that the Bristol IT Company has the necessary skills to not only supply their equipment but to ensure that it is properly installed, configured and supported.

Why is this important
Let’s take a look at the security of your network – they have 2 vendors that are accredited with in this area, Cisco and Sophos. You can buy some Cisco & Sophos equipment on Amazon at competitive prices, have it delivered pretty much the next day and get it up and running very quickly. This might make you feel secure, after all Cisco are a market leader in networking and security – right?

Is this the right way to do things?
Probably not! Even assuming that you order the most appropriate device for your needs, installing equipment using the default settings could cause you a whole heap of pain.

Most hackers worth their salt know, and understand, these default settings making it really easy for them to penetrate your business’s network. It’s almost like advertising that you’ve installed the best locks in the world but have left a key under the doormat.

Not only that but the default settings are a “one size fits all” option that are unlikely to be best suited to the way your business works and could actually slow your network, and internet connectivity, down if left untouched.

You could probably find hundreds of internet forums where people discuss the settings but which ones are the best for your particular needs? Which ones speed things up without compromising security and which ones increase security without compromising speed and which ones are actually posted by hackers looking to lure you into making your network even more insecure?

Accreditation
That’s where accreditation comes into play. By buying your equipment from an accredited supplier, Bristol IT Company will first of all advise you on the correct product that most closely matches your existing and future needs, possibly saving you money – certainly saving you pain.

They then ensure that your network is made as secure as possible by changing default settings to something much more secure and applying their training, experience and skill to ensure that your network is as secure as it can be by optimising the setup and performance of your kit.

Still think accreditation’s just an icon on a website? Well, give them a call on 01173 700 777 or email andy.poulton@bristolitcompany.com to find out that there’s much more to it than a pretty picture

Are we already at war?

Are we already at war?
This is the first (of two) articles taking a look at the hacking and cybercrime that’s taken place in 2015. Part 2, to be published soon, looks at the simple steps we can take to enhance our security and minimise the threats from cybercrime.

2015
Cost of Cyber Crime in 2014Although we’ve yet to reach the end of 2015, there’s already been an unprecedented number of data breaches and hacks compared to previous years, measured by both the number of breaches and the amount of data exposed.

The graphic on the right shows the estimated cost of cybercrime for 2014. In 2015 the cost has increased by 14% according to the “Cost of Cyber Crime Study: UK“, conducted by the Ponemon Institute and sponsored by HP.

The institute conducted 326 interviews with personnel from 39 UK companies to assess the incidence and cost of cybercrime for businesses. and the latest news is that the very recent TalkTalk hack has cost the company £35m so far

Major data breaches in 2015

FebruaryBillion dollar cyberheist
Up to 100 banks were penetrated and more than $1bn stolen
  US health insurer Anthem
80 million patient and employee records including date of birth, social security
numbers, home and email addresses, employee information and more
May 2015 – BlueCross, US Health Insurance provider
11.2 million names, birth dates, email addresses stolen
    US office of Personnel Management
21.5m US Federal employees confidential data was accessed and presumed
stolen
June 2015Kasperski Labs (yes, the security vendor) was hacked
Technical information was stolen, thought to be industrial espionage by a
sovereign Nation State
July 2015 – Harvard University
One of 8 universities hacked in 2015 but it’s not known what information was
accessed (and stolen)
   Hacking Team
Hacking Team develop spy tools for government agencies and the breach
exposed 1 million emails including those of a sensitive nature from a number
of security agencies around the world
US Army National Guard
850,000 social security numbers, home addresses, names and other
personal information stolen
August – Ashley Madison
32m member’s data stolen and posted on the dark web for sale. The
ramifications are ongoing
September – John Brennan
CIA Director had his personal AOL email account hacked
October – TalkTalk
Major hack of the TalkTalk website and a lot of user data was stolen

In the US it is a legal requirement that all hacked companies make a report to the appropriate government department, however similar legislation has yet to be enacted in Europe so the reported incidents may just be the tip of the iceberg – and that’s assuming that hacked companies know that they’ve been hacked.

So who was behind these hacks and what was their goal?
hacker at laptop?At the time of writing, 4 people had been arrested, and bailed, for the The TalkTalk hack – 3 teenagers and a young adult although no charges have been brought.

Some hacks might be carried out by the stereotypical “spotty teenager in a bedroom” just doing it for fun, however the majority are likely to be carried out by more worrying groups, ranging from organised crime to extort money to government organisations.

The Ashley Madison hack looks to have been for the purpose of extortion, of both Ashley Madison themselves and their members (pay us £xx or we’ll let your friends and family know where you spend your time” etc).

Others will be industrial espionage, companies looking to gain a competitive advantage whilst the remainder might have been carried by departments acting for “state security” and it’s believed, although almost impossible to prove, that the Kasperski, US National Guard, US Office of Personnel Management & Hacking Team hacks were conducted by sovereign Nation States, believed to be North Korea and/or China.

These attacks by non-friendly sovereign nation states on infrastructure may even be attacks seen as acts of war.

Safer Internet DayWhy do hacks occur?
For some, it’s simply for fun, the challenge and the bragging rights.

However, there’s a lot of money to be made from the theft of intellectual property and business sensitive materials, and nations stand to learn a great deal about their friends and enemies. It’s widely believed, for example, that China has been “inside” US military design systems for many years which could explain why their military have made extremely rapid advances with the design and manufacture of new military equipment, including stealth planes, missile defence systems and drones in recent years.

Towards the end of 2015 we’re seeing that China is negotiating two way, anti-hacking, arrangements with a number of major economic partners, including the UK, USA and Germany, theoretically enshrining in law that the countries won’t attempt to hack China and China won’t try to hack them. However, even if the above is true they don’t need to hack any further if they already have access to core systems.

A cynic might also say that history indicates that China may not stick to it’s side of the deal, and even if they do – they can always ask their friends to do it for them.

Protecting your business and yourself.
Although I’ve mentioned high-profile attacks,  SMEs are also at great risk and so in Part Two I’ll be looking at some simple steps that you can take to maximise your security and minimise the risk that you are exposed to.