News emerged this week of an alleged data breach at the Qatar National Bank. On the face of it, it’s yet another large multi-national with inadequate security getting hacked and exposing the details of its customers. But on closer inspection the details revealed in the data dump tell us more – that the hacker was using the breached bank data to build up profiles on specific individuals in order to launch follow-on attacks.
It’s another fascinating insight into the shadowy world of cybercrime which should remind us all, businesses and individuals, that personal information is a valuable online commodity that should be protected at all times. Continue reading →
Last week, the much-anticipated European General Data Protection Regulation (GDPR) passed its final regulatory hurdle. There’s no going back now: on 4 May 2018 all UK organisations will be bound by the new laws – which introduce a series of rigorous requirements designed to enhance privacy protections for EU citizens and harmonise rules across the region.
But with potential fines of 4% of annual turnover for transgressors, how many UK IT leaders really know what they need to do to comply? Concerning new figures from Trend Micro suggest widespread ignorance of the new laws is putting organisations right in the firing line.
Heads in the sand The GDPR will introduce several key changes, which UK organisations need to start thinking about now. May 2018 might sound a long way off, but it’s little more than 700 working days away. Key among these new elements are:
Mandatory appointment of data protection officers for large firms
Mandatory breach notification within 72 hours of an incident
Fines of €20m or 4% annual global turnover – whichever is higher
Right to be forgotten
Right to data portability
Multinationals will only need to report to one national privacy regulator – in the country they’re headquartered
So exactly how low is awareness of the forthcoming regulation among IT leaders? Worryingly, a fifth (20%) of those Trend Micro spoke to in a new piece of research are still unaware of its existence. Of those that are, nearly a third (29%) don’t think that the regulation will apply to their organisation, or are unsure. Even worse, a quarter of IT leaders (26%) don’t know how much time they have to become compliant, and nearly one in 10 don’t know what steps to take to do so.
Getting ready for 2018 The truth is that the regulation is far from prescriptive in what it requires from organisations and their IT departments. It demands they do business a certain way in order to better protect the privacy rights of their customers, but doesn’t specify particular data loss prevention tools, or encryption technologies, for example. On the one hand this presents challenges for the IT department. But it is also designed to encourage a more holistic approach to information security, which fits with a best practice, strategic approach.
With that in mind, here are just a few steps organisations should be thinking about now, in order to prepare for May 2018:
Conduct a data audit to find out what data you hold and how you are using it
Classify data according to sensitivity and your organisation’s risk appetite
DLP technologies can help prevent accidental and deliberate data leaks
Staff awareness and user education training programs to focus on data protection
Restrict number of privileged accounts and roll-out strong authentication (eg 2FA) for those accounts
Regular pen testing to check the resilience of systems to attack
Develop an incident response plan to ensure you can report within 72 hours. Involve key stakeholders including legal, HR, PR teams etc
Advanced server-side technologies like Deep Security can help lock down risk across physical, virtual and cloud environments from a single console
A new Wall Street Journal news story this week claims that Amazon Web Services is beginning to make headway in the banking sector. If it’s true it’ll be a major breakthrough for the public cloud provider in an industry which has long been too risk averse and highly regulated for its brand of multi-tenant cloud computing. What the piece doesn’t mention explicitly is that if the notoriously conservative financial services industry is signing up to the public cloud, it’s most likely to be as part of hybrid deployments.
Yet even with a mix of private and public cloud installed to limit risk, organisations must remember that cloud computing brings with it a whole new set of security and management challenges. Forward planning, as always, is everything. Continue reading →
They must have put something in the water round the EU negotiating table this month. Barely a week after a landmark deal was agreed to implement the Network and Information Security (NIS) Directive, the European Parliament and Council have cleared the way for an imminent final agreement on the much-anticipated EU General Data Protection Regulation (GDPR). As it stands, the new region-wide law will have a major impact on the way UK organisations handle and protect their customers’ data.
The message for CISOs is clear: it’s time to get serious about compliance plans. Continue reading →