GDPR & Data privacy Archives - City Security Magazine
https://citysecuritymagazine.com/category/cyber-security/gdpr-data-privacy/
News and advice for security professionals. Tue, 06 Sep 2022 09:37:48 +0000

Protecting your data in the COVID-19 world
https://citysecuritymagazine.com/cyber-security/protecting-your-data-in-the-covid-19-world/
Wed, 21 Oct 2020 07:09:53 +0000

The post Protecting your data in the COVID-19 world appeared first on City Security Magazine.

Protecting data in the COVID-19 world

Protecting personal data is now a top priority alongside physical measures needed to help people feel safe. How do you protect your reputation when their details are stolen from you?

How much personal information would you be willing to give away for a pint and a bhaji?

Suddenly, in the COVID-19 world in which we now live, surveillance and monitoring technology will be vital in helping to thwart the virus – and against our better natures we are being forced to give away basic details just to be able to do day-to-day activities such as visiting a restaurant or pub.

The hoo-ha around the adoption of the EU’s General Data Protection Regulation (GDPR) in 2018 meant the public became far more aware of how their data could be used. Certainly, in the UK, the ever-increasing number of cyberattacks on organisations and individuals has given rise to a noticeable reluctance to share details because of concerns about security.

Your data is valuable

Data is big business for hackers, particularly sensitive health information. According to Cisco’s Benchmark Report 2020, the number of organisations reporting reputational damage from data breaches has risen from 26% to 33% in the last three years. As we’ve seen with high-profile attacks, it is not so much the breach itself but the way in which it is handled that can rapidly turn it into a reputational and financial disaster.

When Uber realised that hackers had accessed personal data of 57 million customers and drivers in 2016, they made the costly mistake of trying to cover it up. Instead of reporting it, they paid the hackers $100,000 to delete their ill-gotten gains and keep the breach quiet. Not only did this not work, it was against the law. They were fined £900k by the British and Dutch regulators and suffered a huge blow to their reputation.

The GDPR allows you 72 hours to disclose the breach and fines are now much bigger. Last year British Airways faced a record £183m fine from the Information Commissioner’s Office (ICO).

In addition to losing trust in an organisation, outraged customers will be quick to go online and share their experiences with others. This in turn will attract negative press, impact brand value and result in customers going elsewhere. In Uber’s case, their reputation suffered further when customers launched their #DeleteUber campaign and competitors were quick to challenge their marketplace lead.

Acknowledge the risk of a cyberattack

Data breaches are occurring every day, and all of us – whether an individual, SME or global organisation – need to acknowledge that a cyberattack is almost inevitable. You will not only need IT solutions to protect the data; you also need a robust Crisis Media Strategy (CMS) to help protect your reputation.

When sensitive data is stolen

All your staff should know what constitutes a breach and, as part of your Business Continuity Plan (BCP), should know what to do if there is one. They should also understand the need to communicate what is happening as quickly and truthfully as possible with the help of your CMS.

A section on cyber breaches should have its own templates and procedures for communicating the incident internally and externally, as well as up-to-date contact details for all stakeholders and any external agencies that need to be alerted.

It is vital that you are seen to care about your customers. Once you have contacted them, you need to immediately issue a public statement via your website explaining what has happened, what data has been affected and how you are handling it. Most importantly, you need to explain what customers should do to protect themselves.

Your phone lines, network connections, software etc. can all be compromised in an attack, so make sure you have back-up lines of communication so that you can talk to those affected and they can talk to you. These can include using the press and social media.

Monitor and respond as necessary to any negative online chatter to nip rumour and speculation in the bud. Your CMS should also detail how and when to respond to press inquiries; I recommend as soon as possible to avoid an information gap and ensure that you are the source of the most up-to-date details on the situation. Transparency goes a long way in the reputation stakes.

Tips for the future

Review your BCP to ensure that the new cyber risks from increased remote working, video conferencing, personal devices and Wi-Fi, and the use of corporate email for social activities are thought through and explained to your staff.

Communication is key to providing reassurance that your customers’ data is safe:

  • Make it clear that you are compliant with GDPR on your website and other communiqués.
  • No matter the size of your organisation, unless you are exempt you must pay a data protection fee to the ICO if you collect any personal data.
  • Where possible make data security part of your values to demonstrate you can be trusted.
  • Let your customers have control over what information you keep, how it will be used, the advantages to them and for how long it will be stored.
  • Ensure you have their consent to share it with third parties.

Invest in proper media training and regular resilience tests for all spokespeople and public-facing staff such as telephonists, receptionists and security. A media-trained cyber expert can explain often complex detail in layman’s terms.

As for giving YOUR details to strangers, be wise. If it feels like they are asking for too much, they probably are!

If you are uncertain about GDPR, your obligations and how much information to provide, the ICO website (https://ico.org.uk/) is an excellent resource.

Anna Averkiou

Journalism, TV, Radio, Online, Training, Media Strategy, Crisis Management

www.averkioumedia.co.uk

For further reading on data security, see our Cyber Security category of articles.

GDPR and Data Protection in 2019?
https://citysecuritymagazine.com/cyber-security/what-are-the-implications-of-the-gdpr-and-data-protection-in-2019/
Tue, 26 Mar 2019 11:00:26 +0000

GDPR and Data Protection in 2019?

The General Data Protection Regulation (GDPR) is certainly leaving its mark on the data protection field by being the first legislation of its kind to tackle present-day dangers to data security and companies’ accountability to their customers in the face of these threats. But what are the implications of the GDPR and Data Protection in 2019?

The post-GDPR world is one full of anxiety and opportunity. Many companies are struggling to put in place the infrastructure needed to respond to incidents and data requests as laid out in the GDPR, while entrepreneurs are profiting by building tools that enable companies to more easily manage visitor and customer consent.

Non-compliant companies are hoping that they will never incur the wrath of their customers and data protection agencies. But data breaches continue regardless, whether through the ingenuity of perpetrators or the neglect of employees, and customers have the right to request their data at any time. It won’t be long before such companies find themselves on the wrong side of the GDPR unless they take action and grab the opportunity this legislation offers them.

We know from reports published by the Information Commissioner’s Office (ICO) that data breaches continue to happen, and with 500 breach-related calls received weekly by the ICO, it will just be a matter of time before businesses feel the financial impact, and that is before we even consider the reputational impact of such breaches. Whether it’s a breach of confidentiality, integrity or availability of data, it’s going to have an impact, so how good are we in the UK when it comes to GDPR compliance?

More than one hundred days after GDPR was implemented, I find it alarming to discover from research undertaken across 600 UK-based companies that only 20% of the companies believed themselves to be GDPR compliant. Whilst 53% say they are in the implementation phase, surprisingly 27% have not yet started. Looking in a more positive direction, 74% of respondents expected to be compliant by the end of 2018.

Surprisingly, more than 51% of organisations have not yet documented their technical and organisational security measures on how they process personal data. If this is the case, how can they demonstrate compliance or accountability in accordance with GDPR?

Improved data protection compliance should encourage innovation and continuous improvement. It should not be perceived as a cost overhead but more as an investment in your people, business and future security.

The key to a stable, secure work environment is continued personal development through training, education and awareness.

Data Protection should be the driver to do things better in 2019.

Irene Coyle, Former Chief Inspector, Police Scotland; Data Protection Officer, OSP Group Ltd.; Training Director, OSP Cyber Academy


Privacy by design – A security strategy for GDPR compliance
https://citysecuritymagazine.com/editors-choice/privacy-by-design-security-strategy-for-gdpr/
Mon, 01 Oct 2018 00:02:53 +0000

A security strategy for GDPR compliance – Privacy by design

On May 25 2018, the General Data Protection Regulation (GDPR) came into effect. For many, this shouldn’t have come as a shock.

Since the European Union announced the GDPR mandate over two years ago, many businesses have implemented tighter controls to protect people’s personal data. In fact, according to a recent survey by Coleman Parkes Research, 72% of organisations worldwide believe they will be ready for GDPR compliance. While this is great news, there are still many businesses that struggle to fully understand how these regulations impact their organisation or what they need to do to comply.

From a physical security perspective, there’s much to consider. That’s because most organisations collect and store personally identifiable information through the security solutions that safeguard their business. For instance, public video surveillance is considered a high-risk operation, and protecting this data is just one side of the coin. Under GDPR legislation, consumers also have greater consent rights. This means that at any point in time, an EU resident has the right to access and view their personal information, including any images or video of them. If a company fails to deliver, not only will it face hefty fines but the damage to its reputation could be immense.

The public demand for more protected and private data – as played out in the recent Facebook revelations – along with the threat of serious financial penalties, has thus accelerated the motivation and urgency for organisations to implement security technologies that are designed, from the start, with data privacy and protection in mind. This approach is known as Privacy by Design. Below, we’ll explore how this strategy helps businesses acclimatise to changing data regulations to protect people’s privacy and keep information safe over the long term.

Building a system that respects privacy

Designing compliance into existing security technologies is difficult. Many businesses with legacy security equipment or older proprietary systems will have a harder time attaining GDPR compliance. Some security systems simply cannot enable and support the fundamentals of data security and privacy which ensure confidentiality, integrity and availability of data. While an organisation could try to patch solutions onto existing systems and infrastructures to help mitigate risks and become compliant, vulnerabilities could still lurk.

For instance, if a retail shop receives a request from a customer to see collected video footage, will that retailer be able to safely share those video files while protecting the identities of other individuals in the frame? Or, what would happen if a hospital’s busy security team failed to notice a camera going offline, and that one device becomes the pathway to a breach of patient information?

Implementing a unified security solution that is built with the latest privacy features in mind is a must. It allows each organisation to design a security platform that empowers their team to effectively do their job – safeguarding people and assets – while protecting video data and individual privacy.

Each business must be able to hand-pick and enable privacy protection capabilities which are best suited for their unique environment. These can include:

  • Encrypted data and video communication which extends from the device to the user application and to archiving. Encryption essentially protects an organisation’s information by using an algorithm to translate readable text and video into an unreadable format, making data undecipherable to prying eyes.
  • Automatic anonymisation capabilities which obscure individuals’ identities in a video frame. This feature transfers high-risk data to the low-risk category, allowing operators to see what is happening in video footage without violating anyone’s privacy.
  • Digital evidence management which helps companies securely deliver data to EU citizens on request. Instead of burning copies of video on to a CD or USB stick, a manager could send an email to the recipient which would include a link to the file. This would include set permissions to only view the video. Built-in redaction obscures any other individuals’ faces to uphold privacy.
  • User privileges and audit trails which ensure integrity of the data stays intact. Organisations can provide access rights to groups or individuals for specific resources, data or applications and define what users can do with these resources. Audit logs show who accessed the files, either validating or disproving any suspicions of tampering.
  • Built-in health monitoring which alerts operators to devices going offline, or any other system vulnerabilities. When they know about these events, they can immediately take action to ensure the system is optimised and safe from bigger threats. After all, only the most resilient security system can ward off cybercriminals and guarantee the highest levels of privacy.

Prioritising Privacy by Design

The days of complacency are over. Data laws are changing, and organisations must be able to adapt. GDPR legislation will continue to evolve, which means protecting privacy will also be an ongoing discussion and process. In today’s climate of big data, deep learning, machine learning, and artificial intelligence (AI), organisations require solutions that must be designed with privacy protection as a default. Stringent-yet-flexible solutions will help these organisations adjust and adapt their protection methods to meet mandates, but also to deliver a greater trust demanded by public and private customers.

Paul Dodds

Country Manager, UK & Ireland, Genetec

www.genetec.com


GDPR: the implications for Mergers and Acquisitions
https://citysecuritymagazine.com/editors-choice/gdpr-mergers-acquisitions/
Tue, 11 Sep 2018 05:30:45 +0000

GDPR: A law with unintended consequences?

The new General Data Protection Regulation may have serious implications for those in the business of Mergers and Acquisitions. Richard Dutton highlights the risks.

Data on the Dark Web

Lurking beneath the world wide web, which has become such an integral part of everyday business life, is its sinister relative – the dark web. Here you will find a marketplace where traders have no identity and a product for sale that will potentially cost UK Plc billions of pounds.

Data is that product up for sale on the dark web – unlawfully obtained data. One such example might include the personal login details of the CEO to the network of his Company ‘ABC’, along with over a hundred other items of data providing access to different parts of Company ABC’s network.

Historically, the hacker responsible for this breach might have uploaded a malware package, virus or Trojan horse. More recently these cyber thieves have demanded some Bitcoin in exchange for not shutting down the network or deleting the entire customer database. This is ransomware.

A new liability dimension with GDPR

‘The GDPR,’ says Dave Johnston, UK head of cyber security specialist BlueVoyant, ‘with its draconian sanctions and breach reporting requirements, introduces another dimension.

‘Once you are aware the data has been leaked to the dark web, all you need to do is threaten Company ABC with disclosure to the Regulator or sell the data back to them.’

Imagine the scenario though if Company ABC was the acquisition target of Company DEF and the latter became aware of the data breach. Apart from potentially destroying shareholder value in Company ABC, how does the acquiring Company DEF assess its contingent liabilities?

Dean Armstrong QC, author of ‘Cyber Security; Law and Practice’ and Chairman of Elias Partnership believes that the potential for liability under the GDPR has not yet been fully considered or assessed.

A contingent liability is a potential liability that may occur, depending on the outcome of an uncertain future event. A contingent liability is recorded in the accounting records if the contingency is probable and the amount of the liability can be reasonably estimated.

‘A data breach is certainly probable but under GDPR can the amount of liability be reasonably estimated?’ asks Armstrong.

‘How would a warranty which is often limited to a fixed amount,’ continues Armstrong, ‘cater for fines under the GDPR which could stretch up to 4% of global turnover? This is going to make it extremely difficult for purchasers to assess their contingent liabilities. Inevitably the GDPR will challenge the construction of effective and acceptable disclosure letters. It is going to have a profound effect on M&A activity.’

Impact on share price

Johnston suggests that the consequences could be even more ominous, as knowledge of these dark web data breaches will provide opportunities for threat actors to manipulate share prices (and markets) at just the right time to suit a corporate predator. ‘There are significant amounts of data on the dark web that, when used in conjunction with the relevant articles in the GDPR, have the potential to become a formidable agent in a new form of corporate warfare’.

Armstrong warns that it won’t just be the threat of the sanctions the Regulator can impose under Article 83 that the Company CEO needs to worry about. Article 82 provides for any person who has ‘suffered material or non-material damage as a result of a breach of the regulation’ to seek compensation. ‘This provision,’ maintains Armstrong, ‘will certainly be tested in the courts by proactive claims management companies and consumer interest groups – representing individuals as well as bringing class actions.’

Both Johnston and Armstrong agree that the nature of these threats to UK Plc is very real. ‘It is not just the threat of the fines; the disruption to business as usual in having to respond to a complaint when the ICO come knocking at the door will consume the Board and senior managers for months,’ says Johnston.

GDPR readiness – what’s the right question?

Armstrong is equally candid. ‘CEOs that are asking their organisation: “Are we GDPR ready?” are asking the wrong question. The proper exam question should be “Do we have a legally defensible position?”’

‘In the cyber world we now live in,’ says Johnston, ‘it is commonly accepted that there are only two types of companies – those that have been breached and those that will be’.

Whichever category you fall into, the way you have prepared for and are monitoring your business under the GDPR will have a significant impact on the future value of your company.

Richard Dutton

Director, Elias Partnership

www.eliaspartnership.com

GDPR and its implication for security – a range of views
https://citysecuritymagazine.com/risk-management/gdpr-and-its-implication-for-security/
Mon, 06 Aug 2018 12:13:51 +0000

GDPR – its implications for security

The General Data Protection Regulation (GDPR) comes into force in May 2018. The security industry has to understand, interpret and practise the intention of GDPR: it should not inhibit the gathering and sharing of data, provided cyber security hygiene measures are in place. Technological advances and business imperatives will mean there is ever more data, and ever more sharing, but this must be done while abiding by the rules around the security and retention of data.

We asked leading security professionals for their views: will this bring about a step change in our approach to securing data? What other factors will impact cyber security in 2018? We had responses from the following:

  • John Unsworth, Chief Executive, London Digital Security Centre (LDSC)
  • Jean-Philippe Deby, Business Development Director, Genetec
  • Vicki Gavin, Chair, Women’s Security Society
  • Adam Bannister, Editor, IFSECGlobal.com
  • Sean Kelly, Chief Information Officer, Wilson James

John Unsworth, Chief Executive, London Digital Security Centre (LDSC)

The implementation of GDPR can only be a good thing for the protection of data and helping to drive a shift in how many organisations obtain, store and use personal information.

Will GDPR be the step change in our approach to securing data? On its own, I don’t think so. The security of personal information requires more than just a new regulation; it requires consumers and organisations to realise just how valuable data is to the ever-increasing number of cyber criminals and to take all precautions within their power to protect it.

It requires businesses to appreciate the role they have in keeping consumers safe, and looking after the sensitive information they request from every consumer. It requires consumers to demand of businesses: What are you doing with my data? How are you using it? How are you storing it? How are you keeping it safe?

It needs all procurement processes to have the security of information as a key consideration before entering into contracts with third parties.

The security of data requires everyone to do their bit, and not just leave it with the IT department.

Jean-Philippe Deby, Business Development Director, Genetec

Given the unique challenges involved in terms of GDPR, surprisingly little has been devoted to the process of ensuring compliance for the operation of video surveillance, access control and other physical security systems. Any public or private organisations using CCTV to monitor publicly accessible areas should be concerned, and operators need to focus on adopting privacy by design.

Under the terms of the EU GDPR, data that is anonymised or pseudonymised is classified as lower risk. The appropriate use of encryption and automated privacy tools is, therefore, a logical first step. For example, video redaction that blurs out people’s faces in video unless there is a legitimate reason to reveal their identity can minimise the dangers of having security cameras deployed in public spaces.

Don’t forget, owners of on-premises video surveillance, access control or ANPR systems are responsible for all aspects of EU GDPR compliance, including securing access to the systems and servers storing the information. However, by working with an approved cloud provider it is possible to offload some of these responsibilities and significantly reduce the scope of activities required to ensure compliance. It is also highly cost-effective.

Nevertheless, it is important to realise that it isn’t a full abdication of responsibility. You remain accountable for ensuring data is classified correctly and share responsibility for managing users and end-point devices.

Vicki Gavin, Chair, Women’s Security Society

GDPR is the marriage of privacy and security, where privacy covers all aspects of the use and maintenance of personal information and security ensures the personal data has been appropriately protected.

Achieving this will require a diverse set of skills, and while convergence to a single point of control would seem to be the answer, it doesn’t really address the variety of different specialist skillsets required to deliver such a complex set of controls.

A holistic approach is required with close partnership between all of the security functions. I am sure this will lead to contention for the small number of individuals who are able to demonstrate that they already have both cyber security skills and privacy skills. As there are clearly not enough of these people to go around, we really need to get a lot smarter about recruiting and retaining talent.

If we look at the world of cyber security today, we can extrapolate and get a picture of what the future will likely hold. But this doesn’t have to be. If we look at today’s practices, we can identify a number of opportunities for improvement:

  • Avoid qualification creep, identify the minimum qualifications required,
  • Review the minimum qualifications for bias and eliminate it,
  • Review CVs to include rather than exclude candidates,
  • Assemble a diverse interview panel, and
  • Retain good candidates through ongoing development.

Look at the problem holistically. Not every job is suited to every person. Get the skills right and there will be lots of diverse candidates to choose from. In short, there is no shortage of talented people, only short-sighted hiring managers.

Adam Bannister, Editor, IFSECGlobal.com

Cybersecurity would have become a hot topic in the physical security sector even without GDPR looming. No longer written off as a separate discipline, data security is now inextricably bound up with security systems that connect to the internet, each other and non-security systems. The 2013 theft of credit card data from US retailer Target via its HVAC system demonstrated the consequences of negligence.

But the GDPR lifts the stakes higher still. Fines for breaches could be up to 79 times greater than those levied under the existing regime. Embedding ‘security by design’ into product development is essential if the industry is to properly protect customers.

But its customers must protect themselves too. The entire supply chain must abandon the silo-based approach and collaborate more closely in this hyper-connected world.

Expect GDPR to also spur already strong growth in the cloud market too, since delegation to data-storage experts can help organisations meet compliance obligations.

Seldom do I have a conversation with a security professional who doesn’t mention data security – which at least shows that the industry is keenly aware of its primacy.

Sean Kelly, Chief Information Officer, Wilson James

The step change which GDPR will bring to securing data requires an accompanying paradigm shift in data management. The consequence to business realities in 2018 may well result in GDPR negatively impacting wider cybersecurity delivery.

GDPR follows the good data governance concepts espoused by the Information Commissioner and practised by many blue-chip companies. Regrettably, most companies in the UK are smaller and have systems that are not even close to these standards. Data discovery projects alongside the creation of GDPR-compliant systems represent a very considerable expense. Even though GDPR requires data to be stored securely, smaller companies with tight IT budgets will face a stark choice: GDPR compliance or cybersecurity improvements.

In mid-2018, customers, clients, contractors and employees, past and present, will seek to enjoy their new ‘rights’. The novelty of submitting ‘Subject Access Requests’, at no cost, is likely to produce a flurry of activity. The inevitable failure of the unfortunate few to comply in a timely manner will result in well publicised fines, and a subsequent panic of redirected IT resources.

It is the redirection of IT resources toward GDPR administrative processes and away from planned upgrades which will most impact cybersecurity in 2018.


Young people’s approach to personal data
https://citysecuritymagazine.com/cyber-security/gdpr-data-protection-young-people/
Mon, 06 Aug 2018 08:00:01 +0000

Generation Z personal data and social media – a fair transaction?
Information security versus digital marketing

All the major social media platforms tell us our data is safe, with several layers of encryption ensuring our personal information is snugly stored behind an iron fortification of ones and zeroes. Yet, exactly where that fortified information goes isn’t up to us.

We often consider the internet a gift, given to us by hopeful and aspiring web designers, who develop sites for large companies to use as advertising platforms. Yet, despite recent events such as the allegations about Cambridge Analytica, it’s never been a secret that our personal data is subject to a digital marketing free-for-all the moment we sign up to any major social media account.

It’s no coincidence that Amazon sees our recent humidifier purchase as merely the inaugural move in a newfound hobby of humidifier collecting. Since Facebook was fully established, our data has always been sold to ethically ambiguous marketers.

Every word we type, every image we search, every item we purchase goes towards a complex digital algorithm to develop a pseudo-Orwellian character evaluation. It’s called psychographic micro-targeting: it turns our persona and our habits into statistics and correlates them with certain attributes of our buying habits. Our risk habits, our background, our income, even our sexual orientation are numerated, graphed, stored and monitored to establish who we are and what we’ll buy.

This information is then sold to companies and marketing agencies who have free marketing rein over our digital presence. Our entire identity is worth exactly £12.

Young people respond

So, what does this mean to young people today? Unfortunately, we have accidentally accepted profile marketing as the norm. We’ve established that we’re happy to pay with our identity rather than with money.

No youth will pay money towards an app that can give them the same platform as a free site such as Instagram or Facebook, but the founders have to make their millions somehow.

Unfortunately, unless there is some kind of mass migration to a very cheap app that prides itself on ethical moneymaking (such as text platform Signal), youths will continue to consume the free techno culture and continue to subject themselves to free viewing from major corporations, with over ten million websites currently using the same tactic.

I’ve asked my peers for their opinions:

One says, ‘It’s disgraceful that we’re the currency of a massive marketing scheme, but the reality is that ethical ambiguity is always inevitable with deceptively free websites. When it seems too good to be true, it usually is.’ Another simply doesn’t care: ‘It makes no difference to me, and I don’t mind when I get adverts about what I consume. It’s a far too conservative approach to a decision that won’t really affect your life.’

But one other was less passive: ‘Nobody ever reads the terms and conditions on the site – it’s an unrealistic expectation. It needs to be more explicit.’

It takes approximately 76 hours to read the entirety of Facebook’s terms and conditions, meaning that you are liable to surveillance that you’ve accidentally given consent to.

Keeping safe online

The reality is young people will continue to use social media. So how can we be as safe as possible and have a full understanding of what we’re signing up to? There’s plenty of advice available online, including these nuggets from Get Safe Online on data privacy:

  • Learn how to use the site properly. Use the privacy features to restrict strangers’ access to your profile. Be guarded about who you let join your network.
  • Be wary of publishing any identifying information about yourself – either in your profile or in your posts – such as phone numbers, pictures of your home, workplace or school, your address or birthday.
  • Set up a separate email account to register and receive mail from the site. That way, if you want to close down your account/page, you can simply stop using that mail account. Setting up a new email account is very simple and quick to do using such providers as Hotmail and Yahoo!
  • Be aware of what friends post about you, or reply to your posts, particularly about your personal details and activities.
  • Remember that many companies routinely view current or prospective employees’ social networking pages, so be careful about what you say, what pictures you post and your profile.

Sean Harmon, Journalism Student

Currently with City Security magazine for work experience.

Cyber Security: data protection reaches the boardroom
https://citysecuritymagazine.com/cyber-security/information-security-gdpr-boardroom/ (Fri, 20 Jul 2018)

Cyber Security – Data Protection reaches the boardroom

It was a wake-up call when the Information Commissioner warned a room full of senior executives at the beginning of the year that data protection was, “not just an issue for the IT guy down the corridor… if you want all the benefits of digital you must manage the risk. It is the responsibility of the Chief Executive”.

Since then Christopher Graham has been vocal in highlighting that there is no excuse for organisations not taking action on data protection and maintaining an effective Cyber Security capability. Referring to the cyber attack on TalkTalk last October as a “car crash”, he stated that, “Any other company with half a brain should be checking their systems now to make sure they don’t land up in the same situation.”

When a watchdog uses this language in front of MPs, as Christopher Graham did during his evidence to the Culture, Media and Sport Select Committee, you know a line has been crossed. It is understandable when you accept that it was a preventable attack, and since the October “car crash” TalkTalk has experienced a further breach in the security of its customer records after three people were arrested in connection with making scam calls from an Indian call centre used by the telecoms group.

GDPR

And if the above isn’t a “wake up and smell the coffee” moment, then the European General Data Protection Regulation (GDPR), which has just been ratified by the European Council, should certainly make General Counsels, lawyers and senior Directors start to twitch. This new EU Regulation (not simply a Directive) places specific obligations on all large companies and introduces an eye-watering maximum penalty for non-compliance set at €20m or 4% of global turnover, together with the potential of criminal prosecution of executives for the most serious of data breaches.

It was the risk of multi-billion dollar regulatory fines for money laundering that put the subject of “compliance” on Boardroom tables and we can see that Data Protection may soon be following. And in all fairness it’s not before time; technology has offered huge growth potential through the manner in which information can be accessed and stored but the thirst for new business hasn’t always been followed by sensible precautions for data security or protection.

That is all likely to change when the new GDPR is phased in over the next year-and-a-half (no matter what happens in the UK’s referendum on EU membership, GDPR will affect UK businesses). Amongst other changes, the new provisions require all personal data stored to have a defined life cycle. Businesses will have to document their Data Protection risk and consider this in all new technology, products and services.

What should companies be doing?

So what should companies “with half a brain” be doing about this? Everything, unsurprisingly, starts with the Board, but too few are wrestling with this challenge in an effective manner; that in itself could become a personal risk for Board members. A recently published article by security law expert Thomas Bennett reviews personal liability in the event of a breach and concludes that for the Directors of listed businesses it is a “material possibility”. The pragmatic response is for Board Members to look to their senior staff to provide reassurance that the threat is being managed. Unfortunately, all too often, those staff are getting it wrong, and that is often due to an over-reliance on technology as a solution.

In some ways the term “Cyber” hasn’t helped and it naturally leads some into detailed and often complex conversations about patches, firewalls and IT networks. Of course the technical protection must be in place but the new Data Protection requirements will also place obligations on organisations to think more broadly about their information assets, particularly when you consider that over half of all major data breaches involve people and processes, not technology.

Effective solutions require cultural change, and that means a plan including re-training staff and re-configuring important policies and procedures. Some organisations won’t need to do much but others will need to invest substantially. The place to start is with an independent information security health check. It is second nature to have auditors look at our books, and Boards can get reassurance that they have discharged their fiduciary responsibilities by doing so. Well, the same applies with Cyber Security: the health check, or a more formal audit or assessment, does need to be independent and authoritative, and Boards should resist an over-reliance on their own people telling them everything is fine.

Leadership and creating an effective governance accountability framework is next, to ensure that those who control the business operationally also own the information risk. All of this is achievable and good Boards are introducing “Information Assurance” as a standing agenda item, with effective performance information balancing costs against business risk.

Get in order

The new EU General Data Protection Regulation will be formally implemented next year; there is still time to get your house in order. Ambitious companies will grab this risk and turn it into an opportunity. Smart businesses with big brains are already recognising market differentiation and the enablement of the business they can achieve by investing in good Information Assurance and Cyber Security.

Adrian Leppard QPM, Board Director, Templar Executives

www.templarexecs.com

Data privacy: the ‘tracking’ debate
https://citysecuritymagazine.com/cyber-security/data-privacy-tracking-debate/ (Thu, 12 Jul 2018)

Privacy & Keeping track?

‘Don’t talk to strangers’, ‘Don’t share your PIN’, ‘Always keep your passwords secret’

Regardless of who we are and what we do, protecting our personal information is often at the forefront of our minds.

However, as we continue to invite the latest advancements of technology into our lives, we perhaps forget that what may make our lives easier may also compromise our privacy. Facebook, Twitter, Instagram and many other social media tools can ‘leak’ our private lives to greater and lesser degrees. This could be your holiday photos, your personal thoughts on current affairs, or even posting videos of your ALS Ice Bucket Challenge. We can communicate widely with the simple click of a button.

We want an easier life and to take advantage of the available technology and, at the same time, to vigilantly maintain our privacy. However, how many of your Facebook friends or Twitter followers do you actually know or have even met? Is your account properly protected from anyone potentially seeing your posts? Have a look. It might surprise you.

With our willingness to ‘share’, someone can easily undertake a ‘lifestyle’ survey on you, under the banner of Open Source Intelligence (OSINT) gathering. Can we truly complain about intrusion to our privacy, when we’re not perhaps hiding it as well as we could?

What is tracking?

This leads to the debate and discussion of the privacy of ‘tracking’. This technology has been around for many years, and where it was originally extremely bulky and expensive, most smartphones today come with some variation of ‘findmyphone’ already loaded, and for free.

There are many elements within our day-to-day technology use that ‘leak’ information on our whereabouts, which we may often not even be aware of. So why is ‘conscious’ tracking important and how can we retain privacy from those we wish not to know our whereabouts?

About 20 years ago, pre-smartphone, tracking required the individual to carry a separate device. Those companies that ‘imposed’ these trackers on their executives would often meet considerable resistance. Yes, the executive knew that it was for their personal safety, but it was something else they had to pack and administrate, making sure it was plugged in overnight. As a result, many of these devices would go ‘missing’ or lost, or be left in the hotel, thrown out of a window, etc. The technology then evolved to mobile phone applications. The first versions of these were as much of a problem. Furious executives having their Blackberries rinsed of battery power within only a few hours was a common complaint. The other main issue was their company being able to track them whenever they wanted. ‘No thank you’ was the frequent response. ‘Not when I’m at home, with my lover, sneaking off to the golf course’. So the companies had to introduce the ‘switch-on/switch-off’ option.

You can imagine what happened. Tracking became a ‘black or white’ option. Either the company would demand the executive had a ‘live’ tracker or they couldn’t travel. Or they couldn’t enforce a tracker at all.

With current technology, there are trackers that can remotely switch on the phone’s microphone and camera. How many executives are aware their companies can do this? So, we’re back to the privacy issue and how much we’re willing to relinquish.

There is still a debate to be had about what is realistic in our expectations and demands for privacy, when we’re all potentially leaking like sieves anyway.

Will Geddes

MD at ICP Group & TacticsOn Limited

www.tacticson.com
