Guest Blog Archives - Cyber Secure Forum | Forum Events Ltd

Coronavirus: Business Continuity During a Global Crisis

Stuart O'Brien

By Nicole Alvino, Cofounder and Chief Strategy Officer, SocialChorus

We’re living through an unprecedented time, globally, and none of us is sure for how long. While the new coronavirus may seem like a singular threat, dealing with crises is a fact of doing business, and one companies can expect to encounter with increasing frequency. According to PwC, 69% of businesses had experienced a crisis in the last five years even before COVID-19, and the most disruptive causes of crises in the U.S. were natural or environmental.

Under these conditions, it’s likely that your company already has crisis management and business continuity plans in place. But what should you do to ensure your infrastructure is robust enough and capable of helping you to reach all your workers?

There are five critical challenges that CIOs will face as they try to utilise their stack to reach employees. If you’re a CIO, you know that you’re the best-equipped person in your executive team to plan for business continuity, but to be successful you’ll need every person across the entire business to understand your plans. Ultimately, your company is looking to you to:

• Establish a source of truth for your company and communicate with one voice, so employees can separate rumours from facts and trust what they’re being told

• Reach every worker on every digital channel with the targeted, personalised information they need to respond in an emergency

• Use intelligent automation to certify message delivery, prompt response, and make sure your crisis communications are not just read but understood

• Track the success of crisis initiatives and measure the effectiveness of your communications using in-depth analytics

• Be prepared for emergency situations during COVID-19 and beyond – your stack and your workforce need to be prepared for every twist and turn during this pandemic.

As you and the senior leadership team implement your crisis communications strategy, you (and they) will ask whether you can reach every employee on every digital channel, even those who are deskless. And can you reach them with the personalised, up-to-the-minute information they need? You’ll need to ensure that, whatever communications technology you use – SharePoint, Slack, Zoom, Teams, mobile apps or others – you can consistently reach everyone and broadcast your company’s messages to all.

One thing we’re hearing is that people are overwhelmed with communications. On average a worker receives 120 emails per day, and that’s not counting the ones via other channels such as Slack, IM or Teams. Now consider that your people, like you, are also being bombarded by emails from school, IMs from friends and family and messages via Facebook and WhatsApp. There is an information overload going on, so whatever you do, you need to make sure your messages reach people urgently and that they can review them promptly. Our latest paper on CIO Crisis Communications takes you through several steps on how to reach all employees, across all channels, consistently.

Consistency from your business will help to establish trust in your message, especially if you’re able to deliver it immediately to all. And that’s of paramount importance. You don’t want workers in the London office getting communications three hours later than those in Paris or Madrid, or the other side of the world for that matter. All employees are equal, and all deserve to be communicated with, no matter where they are. They may consume your communications in different ways so use your different channels to reach all.

You’ll also need to judge how often you communicate. Don’t hassle people: as we’ve said, they’re inundated with messages already. If you need to know that they’ve received a critical message or piece of advice, track acknowledgements or read receipts. Then you can take further action with those who are unresponsive rather than sending repeat messages company-wide.

COVID-19 is changing the way we live and the way we work. In a world where change seems to be the only constant, be the consistent voice across your organisation. Your emergency plans may need to be tweaked over the coming weeks, and your infrastructure might need to be extended to ensure your reach is truly company-wide, but remember it is the companies that manage this situation well that will thrive through the chaos.

Image by Thor Deichmann from Pixabay 

Make the Most of Your People with the Benefits of Automation

Guest Post

By Ofer Elzam, Vice President & GM, FireMon GPC

Gone are the days when IT leaders fretted that the benefits of automation would shove people out of jobs. If anything, it’s the opposite: 74% of cybersecurity professionals say that a skills shortage has affected their organizations, continuing a trend of concern over the past few years, according to the report “The Life and Times of Cybersecurity Professionals 2018.”

While the story around the labor shortage is more complex than it may appear, the current narrative around the advantages of automation has shifted away from labor concerns. But in a way, that erstwhile concern is a direct link to the underlying current of all the benefits of automation: the human factor.

Heightened productivity, consistency and keeping up with increasingly complex security needs are solid advantages of automation, but there’s more to the story. Here’s how all of those benefits of automation (and more) ladder up to protecting your company’s most precious resource—your people.

Ready to use automation to protect your team? Request a demo of FireMon Automation today.

Automation Allows People to Do What People Do Best

Machines can be rapid, agile and comprehensive. What they can’t be: creative. When security processes are automated, the flesh-and-blood members of your team are freed up to deploy their creativity to solve problems and build more robust security measures.

The current state of security operations (SecOps) teams doesn’t allow that creativity to thrive. FireMon’s 2019 State of the Firewall report revealed that 30.9% of survey respondents had an ad hoc or manual change management process. This exposes two critical issues: an underutilization of humans’ unique abilities and the inevitability of human error.

One of the top benefits of automation is that it gives your team members more time to focus on other security issues. At the same time, it’s an opportunity for your team to map out the very processes that enable successful automation. For example, in most companies automation works best when the processes behind it are strategically planned beforehand. This is the work that humans can do better than algorithms, as it requires judgment, creativity and insight.

As automation enables human capital to thrive, it also eliminates human risk. Through 2023, 99% of firewall breaches will be caused by misconfigurations, not firewall flaws, according to Gartner—something automation helps prevent. Human error also throws a wrench into the works when integrating security systems. A comprehensive approach like FireMon Automation offers persistent security across networks while minimizing the potential for human error.

Learn more about FireMon Automation.

Automation Allows Your People to Work Better Together

IT teams frequently work in silos, leading to redundancy and opportunistic, one-off approaches to security. With a comprehensive system, companies can depart from the “hero culture” of employees writing automation scripts to solve an issue without looking at the holistic picture.

Amid worries that automation inhibits agility and innovation, decision makers sometimes hedge on implementing automation. But one of the benefits of automation in the workplace is how it organically supports both development operations and security operations, eliminating the friction that can exist between the needs of these groups. Planning for automation requires both teams to work together and understand the priorities of the other, leading to better communication—for the automation plan and beyond.

Automation Supports Your Company’s Ability to Work With—and Against—Third Parties

“Hackers today—they’re not even hacking, they’re using automation tools,” said FireMon’s Tim Woods, vice president of technology alliances, in the talk “Automation: One Giant Leap for Security.”

When criminals are exploiting the benefits of automation, security teams have an obligation to outpace them. Using automated systems frees up SecOps teams to anticipate and proactively develop rules to protect against hackers—again, leveraging the human creativity and critical thinking that successful crime prevention entails.

On the flip side, automation allows your team to work with the people who have your customers’ best interests at heart. Compliance regulations are changing quicker than you can say “GDPR,” and with the California Consumer Privacy Act coming into play January 1, 2020, security rules continue to be in flux.

Only 13.8% of survey respondents in FireMon’s State of the Firewall report say they’re 90% to 100% prepared for a compliance audit. Confidence is even lower among key decision-makers: Just 45.3% of C-level respondents said they felt 60% to 80% ready for an audit. In other words, one of the benefits of building an automation system is building faith among your company’s C-suite—consider it another form of security.

ABOUT THE AUTHOR

Ofer Elzam is responsible for the continued development of FireMon GPC, the industry’s first and only solution to deliver persistent policy enforcement for complex, hybrid network environments. Before joining FireMon, Elzam was VP of product at Dome9 Security. Under his headship, Dome9 became the leader in securing multi-cloud deployments, which led to its acquisition by Check Point Software. Prior to Dome9, Elzam was the director of Sophos’ network security product line, where he led the company’s transition to the next-generation XG Firewall platform. Earlier, Elzam worked at Cisco serving as both a strategic architect of security technologies and executive director of product management, where he led ScanSafe, which was acquired by Cisco in December 2009. Elzam also spent 10 years serving in a variety of product leadership positions, including as CTO at Gemalto.

GUEST BLOG: Future proof with a cloud solution before it’s too late

Stuart O'Brien

Agile business models have never been more important – and for most MSPs the on-premises business is rapidly turning from predictable income stream to concerning business constraint. When it comes to cloud-based versus on-premises, the writing is on the wall – from the opex versus capex argument to better disaster recovery (DR) and enhanced security, most client businesses are heading into the cloud. So just how much longer can your business hold out, asks Mike Wardell, CEO, Giacom.

Cloud is Mainstream

When the majority of new software investment is Software as a Service (SaaS) based, any company still tethered to an on-premises only business model is radically limiting its market. And yes, while the existing client portfolio may still have a few years left to run with on-prem contracts, this is an inevitably dwindling revenue stream.

The fact is that most MSPs are coming under increasing pressure from clients for a cloud-based offering – and for good reason. SME CEOs and CFOs are increasingly aware that traditional on-prem solutions represent not only a financial compromise but also a significant business risk.

In the current uncertain economic situation, financial flexibility is essential. Given the lack of business confidence, capex is rarely an option; yet companies can also not afford to avoid investment essential to maximise new business opportunities. The opex SaaS model is compelling. Rather than the ‘just in case’ investment in storage or capacity or software licenses, the pay as you use cloud model enables SMEs to avoid wasted expenditure while providing the chance to rapidly scale up should business growth demand.

Business Protection

In addition to safeguarding company finances, many SMEs are also looking to the cloud to safeguard business operations. One in five small firms experienced a cyber-attack in the two years up to 2019 – that’s 10,000 attacks every day. From phishing to malware and ransomware, the speed with which the cyber-attack community evolves new threats is astonishing. SMEs simply do not have the resources in people, money or time, to adequately secure the business; nor can individual MSPs, however expert, safeguard clients’ on-prem business infrastructure.

The only way to combat this threat is to leverage the pooled knowledge of thousands of security experts operating collaboratively. From the use of artificial intelligence to identify unusual behaviour to email security products that can automatically remediate an identified threat by instantly removing it from every mailbox globally, cloud-based security solutions are leveraging the combined expertise of world leaders in a way that simply cannot be achieved with individual on-prem deployments.

The estimated £4.5 billion cost of these security attacks has also intensified SME awareness of the need for better Business Continuity and Disaster Recovery (BCDR). Typically such strategies have focused on the difficult issue of data backup and restore, and the time it can take to provide employees with access to vital information required to service customers.

Cloud completely changes the focus: cloud-based backup solutions enable vast data resources to be backed up in seconds and restored immediately. Organisations can instead begin to focus on the relocation of the workforce and the way dispersed teams could work together in the event of a disaster. Indeed, the adoption of cloud-based productivity and collaboration tools not only enables a far more flexible BCDR plan, it also delivers significant day-to-day benefits, including flexible working policies.

Business Expansion

For MSPs, the growing SME awareness of the benefits of cloud computing is changing the business outlook. When new services and solutions can be provisioned within hours, organisations are less and less willing to incur the cost and upheaval associated with months of on-premises deployment. Add in the importance of flexible financial models and better business protection and the writing is on the wall: most clients will want some, if not all, services to be provisioned through the cloud.

Of course, for MSPs, the change is significant: from commercial models to technical and sales skills, moving to a recurring revenue based model requires both investment and a shift in thinking. But it’s essential for MSPs to recognise the cloud as an opportunity, not a threat. Yes, there is a very real risk that customers will be lost if an MSP cannot offer a cloud solution. But this is not just about meeting a client’s immediate cloud needs.

Working with the right CSP will also enable an MSP to add valuable options to the portfolio, like adding cloud security to existing security audit services, enhancing BCDR solutions or adding collaboration tools. The cloud offers a chance not only to retain existing customers but also significant opportunities to extend the business model, adding much needed new revenue streams.

More than half of companies have over 1,000 exposed sensitive files

Guest Post

By Matt Lock (pictured), Director of Sales Engineers UK, Varonis

All an attacker needs to steal your valuable data is access.

Unfortunately, many companies unknowingly give attackers access to their critical data. Personal identifying information on employees and customers, intellectual property, and more can easily make their way from secured systems to unprotected files and emails. 

To make matters worse, companies don’t have time to update global access groups, fail to archive old data, and skip monitoring who has access to what information. Once attackers slip through the cracks, they — and corrupt insiders alike — have the access they need to steal your data.

To shed light on the state of overexposed data, we analysed a random sample of 785 Data Risk Assessments, including more than 54 billion files. The results, available in the report Data Gets Personal: 2019 Global Data Risk Report from the Varonis Data Lab reveal that companies are failing to shore up their sensitive data. 

Some key findings from the report include:

  • Every employee, on average, can access 17 million files.
  • More than half (53%) of companies had at least 1,000 sensitive files open to all employees.
  • Over one in five (22%) of all folders were accessible, on average, to every employee. 
  • 38% of users had passwords that never expire, up from 10% last year. 
  • Six in 10 companies had over 1,000 enabled, but stale, “ghost” users — accounts belonging to former employees that can still access your network.
  • Financial services firms had the most exposed sensitive files, with an average of 3,791 exposed, sensitive files per TB.
  • Retail organisations had the lowest number of exposed sensitive files, with an average of 858 exposed, sensitive files per TB.

Despite dire warnings of heavy fines under the GDPR and the steady stream of breaches and attacks in the news, companies are not prioritising their data. Take action with a data-centric security approach to ensure you are not giving malicious insiders and external attackers an all-access pass to your data.
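As an added example (not from the Varonis report or its tooling), the following Python script shows the kind of checks that sit behind findings like those above, run over a small constructed inventory of directory accounts and file ACL entries: enabled accounts with no recent logon (the "ghost" users), the share of accounts whose password never expires, and sensitive files readable by a broad group, normalised per TB scanned. The principal names, the 90-day idle threshold and all sample data are assumptions; swap in an export from your own directory and file-share scan.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional

# Principals whose membership is effectively "every employee". A read grant to
# any of these counts as global exposure. Assumed names; adjust to your directory.
BROAD_PRINCIPALS = frozenset({"Everyone", "Authenticated Users", "Domain Users"})


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    password_never_expires: bool
    last_logon: Optional[date]  # None = never logged on


@dataclass(frozen=True)
class FileEntry:
    path: str
    sensitive: bool             # e.g. flagged by a classifier for PII or card data
    readers: FrozenSet[str]     # principals granted read access


def ghost_users(accounts: List[Account], as_of: date, max_idle_days: int = 90) -> List[str]:
    """Enabled accounts that have not logged on within max_idle_days (or ever)."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a.name for a in accounts
                  if a.enabled and (a.last_logon is None or a.last_logon < cutoff))


def never_expiring_share(accounts: List[Account]) -> float:
    """Fraction of accounts whose password is set to never expire."""
    if not accounts:
        return 0.0
    return sum(a.password_never_expires for a in accounts) / len(accounts)


def globally_exposed(files: List[FileEntry]) -> List[str]:
    """Sensitive files readable by a broad principal, i.e. open to all employees."""
    return sorted(f.path for f in files if f.sensitive and f.readers & BROAD_PRINCIPALS)


def exposed_per_tb(files: List[FileEntry], total_tb: float) -> float:
    """Normalise the exposed-sensitive-file count per TB of data scanned."""
    return len(globally_exposed(files)) / total_tb


# Constructed sample inventory (not real data).
SAMPLE_ACCOUNTS = [
    Account("alice", True, False, date(2019, 10, 28)),
    Account("bob", True, True, date(2019, 10, 30)),
    Account("carol", True, True, date(2019, 3, 1)),    # left in March, still enabled
    Account("dave", False, False, date(2018, 12, 1)),  # disabled: not a ghost
    Account("svc-backup", True, True, None),           # never logged on
]
SAMPLE_FILES = [
    FileEntry(r"\\fs1\hr\payroll.xlsx", True, frozenset({"HR-Team"})),
    FileEntry(r"\\fs1\shared\customers.csv", True, frozenset({"Domain Users"})),
    FileEntry(r"\\fs1\shared\readme.txt", False, frozenset({"Everyone"})),
    FileEntry(r"\\fs1\finance\cards.csv", True, frozenset({"Everyone", "Finance"})),
]
AS_OF = date(2019, 11, 1)


def report(accounts=SAMPLE_ACCOUNTS, files=SAMPLE_FILES, as_of=AS_OF, total_tb=0.5):
    """Summarise the four checks as one dictionary for a dashboard or ticket."""
    return {
        "ghost_users": ghost_users(accounts, as_of),
        "never_expiring_share": never_expiring_share(accounts),
        "exposed_sensitive": globally_exposed(files),
        "exposed_per_tb": exposed_per_tb(files, total_tb),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The idle threshold and the list of broad principals are policy choices rather than fixed constants: a 90-day window catches leavers whose accounts were never disabled, while a service account that has never logged on interactively may need its own rule.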

Could your most trusted employee be your biggest threat?

Guest Post

95% of cyber security breaches are due to human error, which in reality means it could be any user, at any time. The best bit? They probably won’t even know they’re doing something wrong, but they have inadvertently just become an unintentional insider threat. As Andy Pearch, Head of IA Services, CORVID, explains, organisations need to stop playing the blame game and pointing fingers at users when the system is compromised and instead ensure they have the right technology in place to take back control of their security defences.

Unintentional insider threats

A person becomes an unintentional insider threat when they unwittingly allow a cyber attacker to achieve their goal – whether that’s a breach of systems or information, or diverting payments to a criminal’s account. This can be through negligence or lack of knowledge, but can also be a result of just doing an everyday job.

Unintentional insider threats are particularly dangerous because the traditional methods of identifying insider threats don’t work – they don’t try to hide emails or files, because as far as they’re aware, they’re not doing anything wrong. If an attacker presents themselves as a legitimate person with the right credentials to request a change, the unsuspecting employee will probably respond exactly as the attacker was hoping.

Trusted employees have access to company-sensitive information, assets, and intellectual property, and permission to make financial transactions – often without requiring any further approval. Threat actors target these privileged, trusted people – impersonating suppliers, regulators, and known colleagues – and try to encourage them to do something they have permission to do, but shouldn’t.

Removing reliance on users

Email allows threat actors to communicate with users with almost no defensive barriers between them. Even the most diligent employee gets distracted, rushed, or slightly too tired, which is all it takes for a malicious email to achieve its objective – whether that’s clicking a link, opening an attachment, or trusting the email’s source enough to reply. Employees don’t expect to be attacked in a safe office environment but threat actors prey on this perceived safety to catch them off guard and socially engineer them into doing something they shouldn’t.

Many people think they know what a spam email looks like, but 97% of people are unable to identify a sophisticated phishing email. This is hardly surprising when considering there are, comparatively, so few highly-convincing fake emails; because they aren’t seen every day, employees aren’t always looking out for them. Then there are some methods of impersonation that organisations can’t realistically be expected to detect – for example, spotting the difference between a 1, l, and I (1, L, and i, respectively). Attackers know that employees aren’t meticulously scanning every email for tiny details like this, so they take advantage. If an organisation’s email security currently relies on users correctly identifying malicious emails 100% of the time, quite simply, their defences are going to succumb to attack.
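One way to take that particular burden off users, added here as an example rather than as CORVID's product or method: fold the confusable characters the paragraph mentions (1, l and I, plus 0/O, rn/m and vv/w as further common cases) into a canonical "skeleton", then compare each sender domain against an allow-list of trusted domains so that a near-match is flagged before the employee has to spot it. The trusted domains, sample From: headers and the confusable table below are constructed assumptions.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Characters that render almost identically in common fonts. The mapping is
# applied before lower-casing so that a capital I folds to l rather than to i.
# Constructed table; extend it for the fonts and scripts your users actually see.
SINGLE: Dict[str, str] = {"I": "l", "1": "l", "|": "l", "0": "o", "5": "s"}
# Multi-character sequences that look like a single letter.
DIGRAPHS: Tuple[Tuple[str, str], ...] = (("rn", "m"), ("vv", "w"))


def skeleton(domain: str) -> str:
    """Canonical 'what it looks like' form of a domain name."""
    folded = "".join(SINGLE.get(c, c) for c in domain).lower()
    for seq, rep in DIGRAPHS:
        folded = folded.replace(seq, rep)
    return folded


def sender_domain(address: str) -> str:
    """Domain part of a From: value such as 'Name <user@host>' or 'user@host'."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address.strip()
    return addr.rsplit("@", 1)[-1]


def classify_sender(address: str, trusted: Iterable[str]) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown'."""
    trusted = [t.lower() for t in trusted]
    dom = sender_domain(address)
    if dom.lower() in trusted:
        return "trusted"
    sk = skeleton(dom)
    for t in trusted:
        if skeleton(t) == sk:
            return f"lookalike of {t}"
    return "unknown"


def flag_lookalikes(from_headers: Iterable[str], trusted: Iterable[str]) -> List[Tuple[str, str]]:
    """Return only the senders whose domain impersonates a trusted domain."""
    trusted = list(trusted)
    flagged = []
    for header in from_headers:
        verdict = classify_sender(header, trusted)
        if verdict.startswith("lookalike"):
            flagged.append((header, verdict))
    return flagged


# Constructed allow-list and sample From: headers (not real mail).
TRUSTED_DOMAINS = ["example.com", "acme-supplies.co.uk"]
SAMPLE_FROM = [
    "Finance <invoices@example.com>",
    "invoices@examp1e.com",                 # digit 1 for letter l
    "Ann Bell <a.bell@ExampIe.com>",        # capital I for letter l
    "Accounts <ap@acrne-supplies.co.uk>",   # rn for m
    "bob@unrelated.org",
]

if __name__ == "__main__":
    for header, verdict in flag_lookalikes(SAMPLE_FROM, TRUSTED_DOMAINS):
        print(f"{verdict:40} {header}")
```

A hit on the skeleton comparison is a warning to surface to the user (or a reason to quarantine), not proof of fraud: the skeleton deliberately over-matches, so the allow-list should contain only domains whose genuine spelling is known, and exact matches are checked first so legitimate mail is never flagged against itself.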

Preventing the unintended

Research shows that 90% of organisations feel vulnerable to insider attacks, so now is the time for change. Monitoring normal access and behaviour patterns can give early warning signs of potential intentionally malicious activity, but the same can’t be said for unintentional insider threats. The attacker’s request could be comfortably within the scope of an employee’s daily duties.

The information available to users is often insufficient for them to determine whether an email is legitimate. As such, they should be suspicious and challenge requests, especially if they’re unexpected or urgent. Checks should also be put in place for a second pair of eyes to confirm certain requests before any action is taken, for example, changing payment details or making unscheduled wire transfers. If the request is for a financial transaction or asks for sensitive or personal information, phone the person who made the request (or better still, speak to them face-to-face) to confirm it’s genuine.

There is only so much humans can do. By having technology in place that alerts users to potentially malicious content and enables them to make an informed decision about an email’s nature and legitimacy before acting on it, organisations can take back control of their security defences instead of playing the blame game and pointing fingers at users when the system is compromised.

Cybersecurity and Financial Services – How Can Organisations Combat the Threat?

Guest Post

By Genevra Champion, Sector Marketing Manager, IT Governance

The financial services industry is naturally a lucrative target for cyber criminals. Financial organisations trade and control vast amounts of money, as well as collect and store customers’ personal information so clearly, a data breach could be disastrous for an industry that is built on trust with its customers. 

The financial services industry is second only to retail in terms of the industries most affected by cyber crime – the number of breaches reported by UK financial services firms to the FCA increased 480 per cent in 2018 compared to the previous year. While financial services organisations are heavily regulated and cybersecurity is becoming more of a business priority, there is still much more to be accomplished when it comes to businesses understanding what measures must be taken – from the C-suite down – to effectively protect organisations against inevitable breaches.

So how can financial services firms proactively equip themselves to respond to increased regulatory scrutiny and mitigate the impact from the growing number of threats they will face? 

Mitigating the threat

Financial institutions were able to defend against two-thirds of unauthorised fraud attempts in 2018, but the scale of attacks significantly increased. Significant market players including Tesco Bank, Metro Bank and HSBC all reported breaches in the last year. Clearly, the banks’ cybersecurity defences have not developed at a fast enough pace. Cyber criminals can and will dramatically outspend their targets with increasingly sophisticated attack methods. In addition, many of the traditional banks struggle with large, cumbersome legacy systems, which pose significant reliability issues, as well as flaws in security. 

Last year’s IT banking disaster led to thousands of TSB customers being locked out of their accounts, leading to fraudsters exploiting the situation by posing as bank staff on calls to customers in order to steal significant sums of money from customers. The breach occurred while the company was conducting an upgrade on its IT systems to migrate customer data to a new platform. This wasn’t just bad luck for TSB, but a failure to adequately plan and assess the risks that come with such a huge project. The bank has since pledged to refund all customers that are victims of fraud, a move which will likely see other banks reviewing their approach to the rise of this particular type of cyber crime. 

The industry must understand that security incidents are an ever-present risk. However, organisations can be prepared – scoping a defence strategy specific to the firm, with processes for implementation, will mean an attack can be quickly identified, isolated and resolved, minimising business impact.

Appropriate defence strategy

The FCA has set out various cybersecurity insights that show how cybersecurity practices of UK financial services firms are under the regulatory microscope, as the cyber threat continues to grow. The approach from the FCA includes practices for organisations to put into action such as those that promote governance and put cyber risk on the board agenda. The advice also covers areas such as identifying and protecting information assets, being alert to emerging threats and being ready to respond, as well as testing and refining defences. With cyber crime tools and techniques advancing at a rapid pace, and increasing regulations, it’s no wonder that many organisations struggle to keep up to ensure their defences stay ahead of the game.

In order for in-house security teams to keep up to date with current and evolving threats and data protection issues, firms must invest in regular training. Specialist skills are required to mitigate cyber risk, which for some could be cost-prohibitive. As an alternative, an insourced model allows you to leverage a dedicated and skilled team on an ‘as you need’ basis to deliver an appropriate strategy. With a Cyber Security as a Service (CSaaS) model in place, organisations can rapidly access a dedicated team with the knowledge and skills to deliver a relevant and risk-appropriate cyber security strategy.

Crucially, in addition to completing a gap analysis and a multi-layered defence strategy, the model will also apply to people and processes. Attackers will generally aim at the weakest point of an organisation – often it’s staff. Human nature means passwords are forgotten, malware isn’t noticed, or phishing emails are opened, for example. Therefore, a blended approach of technology, processes and shared behaviour is required that promotes the need for staff awareness and education of the risks, in order to effectively combat the threat.  

Conclusion

With increased regulatory attention across security and privacy, firms must take steps to improve their defences, or risk severe financial and reputational damage. The issue of cybersecurity risk must become as embedded within business thinking as operational risk. Anyone within an organisation can be a weak link, so the importance of cybersecurity defences must be promoted at all levels – from the board all the way through to the admin departments. It’s everyone’s responsibility to keep the organisation protected against threats. 

While the threat of cyber attack is real, financial services firms do not have to take on the battle alone. With a CSaaS model in place, organisations can start to take back control of their cybersecurity strategy and embed it as a trusted, cost-effective and workable core part of the business’ process. 

Image by Jason Goh from Pixabay

GUEST BLOG: SME collaboration delivering effective Public Sector IT security

Stuart O'Brien

Written by Bernard Parsons, CEO, Becrypt

When Becrypt began developing security technology for government more than a decade ago, relationships with Systems Integrators were the only viable route to understanding and accessing customer requirements.

Our experiences today are of a vastly more diverse supply chain, with some major government programmes consuming our services as part of a collaborative ecosystem of cyber security SMEs.

The public sector is under intense pressure to transform its services by delivering better, more reliable experiences, more efficiently for UK citizens. Technology is at the heart of that ambition.

User expectations increase exponentially as consumer tech evolves, added to which the opportunities emerging from private sector innovation in everything from Artificial Intelligence (AI) to big data analytics are so significant that the public sector has an obligation to establish how they can be deployed for public benefit.

Nevertheless, unlocking the advantages of flexible, mobile, data-driven services requires effective cyber security. Public sector data is incalculably valuable; from citizens’ personal identifiable information to highly classified government records, the risk of compromise by accident or malicious intent must be appropriately managed.

Within one major government programme, we are actively collaborating with ten innovative SMEs working directly with government to deliver cloud-based services and mobile platforms that have functional and performance characteristics more typical of our faster-paced private sector customers than government systems of old, whilst achieving the ‘high assurance’ requirements of sensitive government networks.

This new way of working has been driven in part by a convergence of public and private sector requirements, both in terms of technology expectations and cyber threat. To help drive the required innovation, government departments now engage directly with SME’s through agile sprint processes, supported by lighter-weight contracting vehicles, leveraging the agility of SMEs and their desire to align innovation with emerging customer requirements.

Whilst agile SME suppliers have flexibility to tailor solutions closely to public sector customer requirements, government’s relatively recent desire to avoid bespoke systems, combined with market convergence, allows the same R&D costs to meet the needs of broader markets.

For example, Becrypt has worked with the National Cyber Security Centre and other government departments to develop a ‘Cloud Client’ End User Device platform for accessing cloud and online services, leveraging open source components to develop a security-focused operating system. As a ‘born-in-government’ product, we have then been able to deploy the same technology across other security conscious organisations, such as those within the Critical National Infrastructure.

The wider marketing of products built for, or at least influenced by government is helped in part by the thorough technical due diligence or product assurance that government typically undertakes. Such activities are very resource intensive but can nevertheless be a very effective mechanism for an SME needing to establish its first market for a new product. Using product assurance or system accreditation as a meaningful differentiator, is more viable for an SME than the alternative of competing with the vast marketing budgets of multinationals, allowing a beachhead to be created within government, before ‘crossing the chasm’ to adjacent markets where requirements now overlap.

There will of course always be an important place for System Integrators as part of the cyber security supply ecosystem for government, and indeed many are evolving internal structures to promote greater agility, innovation and collaboration through mechanisms such as ‘Intrapreneurship’.

But in our experience, collaboration between cyber SMEs over recent years, combined with new public sector engagement models, has had a transformative effect on a number of key government IT programmes.

GDPR post Brexit: What will the impact be on hosting and cloud providers?

Stuart O'Brien

By Güneş Ilgüy, Head of Data Protection at A City Law Firm

The UK needed to upgrade its data privacy laws and bring them in line with the rest of the world. The main reason for the GDPR was to assist in harmonising the data privacy laws across Europe, setting a standard that the nations could adhere to.

The GDPR was exactly that change. It was designed to ensure that a high standard was implemented, a code if you like, for businesses to be held more accountable for the data they collect and process. It also gave more power to the people by allowing them to have a say in how their data can be used. 

The question remains however: Will GDPR still be relevant post Brexit? 

In England and Wales, The Data Protection Act 2018 (DPA) came into force replacing the old one of 1998. The DPA mirrors the GDPR and where the GDPR is vague in some areas, the DPA adds more meat to the bone. 

Also, remember, the GDPR applies to all EU member states, and any business collecting data of an EU national has to be GDPR compliant. It is also worth noting how far the GDPR reaches into the international community. Businesses outside of the EU that process the personal data of individuals in the EU are also subject to the GDPR.

The Information Commissioner has stated that the GDPR “will send an important signal about the UK’s commitment to a high standard of data protection post-Brexit. This in turn will play a role in ensuring uninterrupted data flows between the UK and the EU.” 

The position of the UK post Brexit 

The GDPR is a directive and, whilst the UK is still a member of the EU, it had a duty to implement this directive into domestic law. The DPA allows the UK to hold itself up to the same standard as the GDPR. It is not likely that the UK will now abandon the GDPR and amend its own laws, given the amount of money public bodies and businesses have invested into ensuring they are compliant. Changing the law would not make sense given that it has been brought up to date and implemented, with businesses winning over their customers.

Keeping its current law in line with the GDPR will also pay dividends post Brexit as businesses will hope to maintain good relations with their EU counterparts. 

Hosting companies and Cloud providers 

Online data collection is probably the most popular method of collecting data. Hosting companies and cloud providers have spent a lot of time and money ensuring that they can meet the demands of being compliant, in terms of both providing server security and processing the data they handle.

Data transfer in itself does not have any boundaries. There is some uncertainty about how the UK will react to data privacy post Brexit; however, it would not make sense to go backwards and change the current regime to render it incompatible with the GDPR.

Developing strong ties with the EU in the terms of trade is of utmost importance and any change post Brexit will not be welcomed by companies.

Hosting and cloud providers, as data controllers or processors, have already been pushed to ensure they operate in line with the GDPR by their customers. If there was to be a different standard implemented by the UK, this could see UK providers losing customers to EU based providers who will be able to conform to the standards needed.

Companies outside of the UK are also looking at the current market. Where they have business operations in the UK, they are likely to use UK hosting companies. Post Brexit, using UK based hosting services might be more cost effective, depending on the value of the pound sterling, as opposed to using EU hosting providers, who may look to increase the price of their services.

One case that makes the crossover unclear is the Google Breach: could this scenario arise in the future, post-Brexit, given that the reach of an EU country into the UK to this extent will surely no longer apply? There is no answer to this question, but it is something to watch.

The French Data Regulator, CNIL, fined Google a record £44 million (50 million Euros) for breaching the EU’s data protection laws. This made headline news, and what makes the case remarkable is that the complaints against Google in May 2018 were raised by two privacy rights groups in France, against a company whose headquarters were and are based in Ireland.

Generally, you would expect the Irish regulator to have addressed this; however, the CNIL found that the overarching decisions about the processing operations complained of were not made by Google’s Irish offices, or by anyone in the EU. It was discovered that those decisions were made by the US company. As this case was not about a data controller’s main EU establishment, CNIL was at liberty to take its own action. This conclusion was reached following communications with other EU supervisory authorities, including the Irish DPC.

What can be learned from this? 

The Google case sends a strong message about data protection which should be received loud and clear. Regulators have powers to levy huge fines on companies found to be in breach, and they are willing to use them even outside the jurisdiction in which the company is housed. Whether an EU country would have this right post Brexit is something to watch.

Conclusion

Focus is now on how an effective deal can be negotiated; however, any hard Brexit or no deal will have consequences for the economy, and this will affect how businesses choose to operate. It is hoped that the current data legislation is adequate and will not be changed or significantly amended. Any changes that are incorporated would mean businesses in the UK and EU would need to adapt to ensure they maintain their customer base. What happens after Brexit is anyone’s guess.

Under EU regulations an EU based data controller has to ensure that when data is passed to a country outside of the EU (which the UK will be upon Brexit even to Ireland) that the country housing the data has adequate levels of protection comparable to those of the EU. 

Whilst we don’t expect a significant shift, given that the UK currently has to comply with the GDPR and its own Data Protection legislation, which are harmonised, we do not know how the EU will view this in the future, especially since at the time of writing we may still be looking at a ‘hard Brexit’. It is likely that EU based controllers will have to deal with the UK as they do with any non-EU country with established data protection mechanisms in place, such as the United States.

Under lock and key: how can the public sector keep data safe?

Stuart O'Brien

Dan Panesar, VP EMEA, Certes Networks

The public sector faces intense public scrutiny, especially when it comes to cybersecurity.

However, the launch of the National Cyber Security Centre (NCSC) in 2016 suggests that the sector is beginning to take the issue of cybersecurity seriously, marking the Government’s commitment to making the UK a safe place to live and work online.

And it’s not just public scrutiny the sector has to contend with: the global digital revolution means that changes are happening rapidly, and technology adoption is not happening as quickly as it should.

On top of this, the public sector has numerous regulatory and Information Assurance (IA) based obligations it is required to fulfil, making some organisations within the sector too scared to make changes or enforce new policies for fear of breaking the rules.

Restricted budgets, small teams and intense workloads can often make cybersecurity a low priority. Rather than enforcing and developing proactive, robust strategies to keep the organisation’s data safe, teams end up working reactively to mitigate threats as they arise. Add to this the complex and wide-reaching nature of public sector organisations, which makes coordinating the array of essential services, stakeholders and functions a near impossible task.

Keeping up with digital change 

The digital transformation means that traditional connectivity solutions are being replaced to reflect cloud deployments, network function virtualisation and the ability to deploy meaningful orchestration-based management. To reflect the uptake of digital and online services, public sector networks are expected to grow at 15-25% per year. In order to keep up with this demand, users are becoming increasingly reliant on both high-speed and high-availability transport networks, whether MPLS, SD-WAN, 5G or a combination of networks, to deliver information when and where it is needed.

In the not so distant future, dependency on traditional hardware will become more challenging as additional capacity means the user may have to continuously upgrade its network to reflect growth. However, current and conventional approaches to data protection create numerous challenges particularly around scalability, performance, complexity, key management and key rotation.

Don’t shy away from new technology

The public sector needs to start embracing new technology; the prospect of digital transformation should be exciting, rather than daunting. As a sector with a reputation for being slow to adopt mobile technology, potentially due to concerns over its lack of security, there is a tendency to instead lock down data and restrict the use of technology altogether. However, this just isn’t sustainable, and a lack of mobile technology won’t keep the hackers out. 

If changes don’t happen soon, the public sector will get left behind. To keep up, it needs to recognise that a digital network with a mix of connected users, devices and applications does not need to make an organisation vulnerable, no matter how complex it may be. Flexibility and digital agility are undoubtedly at the top of every government’s agenda, making it essential for organisations to embrace the technology available. However, instead of adopting technology that attempts to secure each entity itself, or worse, layering technology on top of technology with a security solution tied into the network, organisations need to focus on what’s really important, and that’s Information Assurance (IA). In order for organisations in the public sector to really be secure, rather than securing the network, the focus needs to be on protecting the data.

An organisation’s biggest asset

Data is arguably an organisation’s biggest asset; it’s the crown jewels that must be protected, and what the hackers will inevitably set their sights on when planning an attack. In reality, a fine won’t be enforced under regulations such as the General Data Protection Regulation (GDPR) for a breach of an organisation’s network; the fine comes into play when a breach results in data being lost or stolen. That’s the difference in value between an organisation’s network and its data.

And the fact is, the public sector is quickly becoming a prime target for hackers. But how can organisations ensure their data is really protected? Firstly, organisations need to move to a data-centric, IA security model underpinned by a robust and strategic security overlay, sitting on top of the organisation’s existing network and independent of the underlying transport infrastructure, making the network itself irrelevant. A software-defined security overlay enables centralised orchestration of IA policy. By centrally enforcing capabilities such as software-defined application segmentation using cryptography, key management and rotation, data is protected in its entirety on its journey across whatever network or transport it traverses.

For the public sector, this means organisations no longer need to fear technology; each application on the network and the data it holds will be kept secure, irrespective of any changes made. Furthermore, if a data breach does occur, as long as the data is encrypted it will be rendered useless to hackers, mitigating the potentially damaging consequences of a breach.

Quite simply, cybersecurity must be at the forefront of business strategy. Public sector organisations need to embrace technology, coupled with the right security architecture, or risk being left behind. 

Guest Blog: The cyber resilience model

Stuart O'Brien

For too long, organisations have sought the holy grail of 100% Cyber Security. But security is never absolute; it is essential to understand that a breach is inevitable. It is the way in which organisations respond to a cyber security breach that is critical.

Alan Calder, Chief Executive of GRC International plc, parent company of IT Governance explains the fundamental importance of creating a Cyber Resilient model…

Cyber Security Myth

Cyber security is defined as the state of protecting information from attack by identifying risks and establishing appropriate defences. But as investment in security solutions continues to spiral it is essential for organisations to recognise the truth: total cyber security is unachievable. 

Cyber criminals can and will dramatically outspend their targets, creating ever changing and ever more sophisticated threats. At the same time, the ease with which these individuals and organisations bypass security technology and exploit poor process and ill-educated employees simply reinforces the futility of the current model: when 93% of security breaches occur as a result of a phishing or pretexting email, clearly a different approach is required.

Breaches occur routinely, and companies rarely know they have been breached. Not only are the majority of security breaches actually identified by third parties, but on average this happens 193 days after the breach first occurred. So much for the much vaunted cyber security strategy.

What is required, therefore, is a far more robust approach to both managing the breach and minimising the business impact – a model that is predicated on achieving cyber resilience, not cybersecurity.

Cyber Essentials

To create a cyber resilience model an organisation needs to totally reconsider security provision; to assess and determine the business specific acceptable level of risk and acknowledge that an attack may be successful however well prepared the defences. By adopting a standards-based approach that encompasses technology, people and processes, a cyber resilience strategy can be designed to reflect each organisation’s maturity level with regards to both cyber security and data privacy.

At the heart of a cyber resilience strategy is defence in depth. In addition to using technology to block phishing emails, for example, a company must also ensure staff are trained to recognise the signs that an email may not be genuine. They must know how to respond if they mistakenly click on the email, including immediately notifying the help desk, which will prompt clearly defined escalation processes to minimise corporate exposure. Add in a device level back up process that does not allow the spread of malware and a business has a robust cyber resilience approach to the most prevalent form of breach.

Resilience Journey

This is, of course, an evolution. For smaller or start-up businesses, a simple first step is to adopt Cyber Essentials, five basic controls which should prevent around 80% of Internet borne attacks from being successful. As an organisation matures, it is important to add process and people controls, even pursue the ISO 27001 information security standard, and to consider the wider business ecosystem. Is there a corporate network vulnerability created by the heating supplier routinely accessing the building’s heating, ventilation and air conditioning system, for example? What about customer security? Should the hosted web site be relocated to the cloud to achieve the encryption demanded by PCI DSS when handling credit card details? Throughout the evolution, a good cyber resilience model will continually learn, collecting data about breaches, for example, to highlight staff that need additional training or improvements to escalation processes, and ensuring the cyber risk assessment adapts in line with business expectation.

Critically, therefore, this is a board level issue and, over time, a board’s awareness of and involvement in the business’ cyber resilience model must become part of the standard governance framework, as embedded as board and market reporting, health and safety, and social engagement.

Simply raising the cyber security budget year on year is not the answer: what is required is an evolving, multi-layered set of responses to the continually escalating cyber threat. Replacing a futile search for cyber security with a robust, practical and risk appropriate cyber resilience model is one of the most important steps an organisation can take.