The 53rd State of IT


Research has suggested that British technology companies are significantly in favour of remaining within the EU, but Matt Warman, Conservative MP for Boston and Skegness, told a debate about the UK’s digital future that if the sector was so passionate about that position, it should speak up and hope to influence public opinion.

“The tech community is very, very strong in the opinion [that technology] is global,” said Warman, who is also in favour of staying in the EU and is former consumer technology editor of The Telegraph and chair of the all-party parliamentary group for Broadband and Digital Connectivity.

“If you guys believe this stuff, get out there and say it. It’s a hard task for politicians because we are often not the most trusted people in the room.”

Tech and politics
He noted that US-based technology figures, such as Apple CEO Tim Cook and Mark Zuckerberg, hold strong political views as well, particularly with regards to the Republican party frontrunner Donald Trump’s hopes of becoming the next president of the USA.

Indeed, Box CEO Aaron Levie opened his keynote speech at an event in London last week to “apologise” for Trump’s views, which have proved divisive both at home and abroad. However, Warman accepted that technology firms had to balance their political beliefs with commercial sensitivities.

“Businesses need to find a way to get it out there. They need to … publicly say it rather than hope [the Referendum] goes one way.”

Industry support for EU
Research from industry body techUK suggests that 70% of its members want to stay in the EU, 15% want to leave and 15% don’t know. The majority support the UK’s membership because it makes the country more attractive to international investment, makes the UK more globally competitive and gives it a more favourable trading relationship with other members.

“There is a strong message from the tech industry that Europe is good for business. Tech leaders are clear that the UK needs to be holding the pen on the laws that affect their businesses,” said Julian David, techUK CEO.

“A vote to remain is a vote to ensure the UK voice is at the heart of policies that support the UK’s most innovative sector to continue to grow and create jobs. A vote leave would mean that the UK tech industry would lose its voice on the issues that matter most.”

Tech London Advocates surveyed its members and found that 87% oppose Brexit (the Leave campaign), because they believe that membership of the EU boosts the UK economy by making it more attractive to international businesses looking to operate in Britain.

It seems that just 3% of respondents favoured the UK leaving the EU. The remaining 10% reportedly declined to express their opinion on the matter.

It is clear there is concern within the tech industry about the impact of losing access to the European market. The survey found that nearly three in four (71%) feel Brexit would make it harder to reach customers in EU countries, and threaten existing relationships with suppliers based in Europe.

And more than four out of five (81%) believe that Brexit would make it harder to employ people from EU countries.

“London has established a global reputation as the digital capital of Europe,” Russ Shaw, the founder of Tech London Advocates said. “There is significant concern within the digital community that Brexit would undermine this position and threaten relationships with the European market.

“Attracting international companies to the capital has been one of the great success stories of London’s digital economy,” said Shaw. “Brexit could see global businesses locating in emerging digital hubs in Berlin, Paris and Stockholm rather than London.”

Besides the above reasons, it seems that the London tech sector is not keen on the uncertainty that could be generated by a British exit.

“There are things I don’t agree with in the EU, but no one can tell us what the alternative will be like,” said Michael Seres, founder, 11Health. “I have an investment round coming up and am looking to hire 14 new people in the next 2 years. I can’t make those decisions if my access to markets and the regulation in this and those markets is unknown.”

Business Risk

“The business risk of leaving the EU is on balance too high,” said Nick Thomson, Chief Revenue Officer at Workshare. “Not just for us but for all businesses engaged in the sharing of data securely.”

And Thomson pointed out Europe’s role in tackling America over recent data protection concerns.

“As a large trading block the EU was able to secure the EU Data Protection Regulation against US pressure,” said Thomson. “The UK may well have to compromise this level of data protection in the negotiation for its new trade concession from the US. Leading not only to less data security for people and businesses based in the UK, but also making it vastly more complicated to share data with the rest of Europe – our main trading partners.”

There is a real possibility that the UK could vote to leave, as recent polls have suggested that almost seven in 10 pensioners want to leave the EU, while young people were more likely to be pro-European, but are less likely to cast a vote.

Thoughts

It is clear that the UK Referendum will have a potentially significant impact on IT and data, which are quickly becoming (and always should have been) the “crown jewels” of every company. If you consider what transpired with Safe Harbour, and with the European General Data Protection Regulation (GDPR) on the horizon, would the UK be in such a strong bargaining position outside the EU – or would we be caught in between the US and the EU?

Added to this, the European GDPR will come into effect before the UK can legally depart the EU, so data controllers and data processors need to think ahead for this anyhow. That is before we even ask what the UK’s data protection and handling policy would look like post-referendum if we exited.

Technology is global. Manufacturers are producing to global standards – and yet we still have geographic data protection regulations to adhere to. Would a global data protection standard work? Could nation states agree to subsume their local preferred interests against a global framework, and would this mean watering it down to gain agreement?

What do you think?

The EU General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation introduces crucial data protection requirements for companies with data subjects in the European Union. This page offers a breakdown of the key provisions that will come into force May 2018.

Final text
The final text of the EU General Data Protection Regulation (GDPR) is now available and has been approved by the European Parliament.

Penalties
The Regulation will enforce tough penalties: breached organisations can expect fines of up to 4% of annual global revenue or €20 million, whichever is greater. Fines will be imposed within two years of the Regulation being ratified.

Below is a breakdown of the key changes introduced by the Regulation:

1. If your business is not in the EU, you will still have to comply with the Regulation
Non-EU organisations that do business in the EU with EU data subjects’ personal data should prepare to comply with the Regulation. Those providing products or services to EU customers or processing their data may have to face the long arm of the law if an incident is reported.

2. The definition of personal data is broader, bringing more data into the regulated perimeter
Data privacy encompasses other factors that could be used to identify an individual, such as their genetic, mental, economic, cultural or social identity. Companies should take measures to reduce the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.

3. Consent for children’s data processing
Parental consent will be required for the processing of personal data of children under age 16. EU Member States may lower the age requiring parental consent to 13.

4. Changes to the rules for obtaining valid consent
The consent document should be laid out in simple terms. Silence or inactivity does not constitute consent; clear and affirmative consent to the processing of private data must be provided.

5. The appointment of a data protection officer (DPO) will be mandatory for certain companies
Article 35 of the GDPR states that data protection officers must be appointed for all public authorities. In addition, a DPO will be required where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”. Firms whose core business activities are not data processing are exempt from this obligation. The GDPR does not specify credentials necessary for data protection officers, but does require that they have “expert knowledge of data protection law and practices.”

6. The introduction of mandatory privacy risk impact assessments
A risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers will be required to conduct privacy impact assessments where privacy breach risks are high to analyse and minimise the risks to their data subjects.

7. New data breach notification requirements
Data controllers will be required to report data breaches to their data protection authority unless the breach is unlikely to represent a risk to the rights and freedoms of the data subjects in question. The notice must be made within 72 hours of the data controller becoming aware of the breach, unless there are exceptional circumstances, which will have to be justified. Where the risk to individuals is high, the data subjects themselves must also be notified, although the Regulation does not specify a timescale for this. Regular supply chain reviews and audits will be required to ensure they are fit for purpose under the new security regime.

8. The right to be forgotten
Data subjects have the “right to be forgotten”. The Regulation provides clear guidelines about the circumstances under which the right can be exercised.

9. The international transfer of data
Since the Regulation is also applicable to processors, organisations should be aware of the risk of transferring data to countries that are not part of the EU. Non-EU controllers may need to appoint representatives in the EU.

10. Data processor responsibilities
Data processors will have direct legal obligations and responsibilities, which means that processors can be held liable for data breaches. Contractual arrangements will need to be updated, and stipulating responsibilities and liabilities between the controller and processor will be an imperative requirement in future agreements. Parties will need to document their data responsibilities even more clearly, and the increased risk levels may impact service costs.

11. Data portability
Data portability will allow a user to request a copy of personal data in a format usable by them and electronically transmissible to another processing system.

12. Privacy by design
The GDPR contains requirements that systems and processes must consider compliance with the principles of data protection. The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery, but from the inception of the product concept. There is also a requirement that controllers should only collect data necessary to fulfil specific purposes, discarding it when it is no longer required, to protect data subject rights.

13. One-stop shop
A new one-stop shop for businesses means that firms will only have to deal with a single supervisory authority, not one for each of the EU’s 28 member states, making it simpler and cheaper for companies to do business in the EU. This will also have a positive impact on Internet service providers with offices in several EU countries.

Organisations should take action NOW to implement appropriate measures for improved data security.

Cyber attacks on SMEs – the risk of attack is VERY real

SMEs are very attractive to cyber criminals: they have poorer security and limited resources, making them easier to attack than their larger counterparts, and are often part of larger supply chains, making them an easy point of access into larger corporations’ systems.

The Department for Business, Innovation & Skills/PwC’s most recent Information Security Breaches Survey found that 74% of small businesses suffered a security incident in 2015 (up from 60% in 2014).

The impact of an attack is clear

Reputational damage is a very real concern for SMEs. According to KPMG and Be Cyber Streetwise, 89% of breached SMEs said the attack affected their reputation, damaging their ability to win new business and maintain relationships with existing clientele.

What can SMEs do to protect their reputation?

SMEs should look to the government’s Cyber Essentials scheme to protect their reputation. Cyber Essentials sets out five security controls that, according to the UK Government, could prevent ‘around 80% of cyber attacks’. These controls provide a basic level of protection from the vast majority of cyber-attacks, and improve business efficiency in the process. A double win!

Certification to the scheme demonstrates that you’ve implemented these basic cyber security controls, reassuring your customers, stakeholders and staff that you have taken the precautions necessary to reduce cyber risks, and putting you on the road to obtaining cyber insurance if you are considering taking this out.

The cost to TalkTalk of the 2015 cyber attacks

In our post of 31st December 2015, we discussed the lessons learned from the TalkTalk cyber attack debacle. Now TalkTalk have published their Q3 results, offering a truer picture of the costs to date.

The original emergency damage forecast in November by the telecoms company was £30-£35 million (largely for unconditional free upgrades for customers and £15 million in reduced trading revenue). This has now been doubled to £60 million.

Additionally, and of little surprise, there has been significant reputational loss, resulting in the loss of 4% of their customer base (some 101,000 customers) following the attack.

Recovery will be slow: although the share price rose 5% in the City this morning, this follows a 30% drop after the attack at the end of October 2015.

This, in a week where it was revealed that two other organisations felt the pain of attack:

• Lincolnshire County Council’s systems shut down for four days following a malware attack contained within an email and a document that was opened in error by staff. The £1m ransom was not paid and staff have been working off paper all week. CIO Judith Hetherington-Smith said: “People can only use pens and paper, we’ve gone back a few years. [The attack] happened very quickly. Once we identified it we shut the network down, but some damage is always done before you get to that point – and some files have been locked by the software. A lot of the files will be available for us to restore from the back-up.”

• HSBC was also hit on Friday 29th January when customers couldn’t access their personal bank accounts. It was a DDoS attack and whilst HSBC sought to assure customers on Twitter, stating they had “successfully defended their systems”, the process to restore then caused considerable disruption for their customers. The timing couldn’t have been worse for many; the first pay day after Christmas, and the last working day before the tax return deadline.

What this amply illustrates is the urgent need for businesses to change their behaviours and instead of relying on a dim hope that they won’t be the target of an attack at some point in the future, businesses should assume they will be attacked.

NB. Whatever the size of your company, you are at risk. So ensure that proper IT governance steps are undertaken through pen testing and robust cyber defence software, allied to round-the-clock monitoring and threat intelligence, to put yourself in a stronger position defensively and an agile stance for response. That way you start to stem financial loss and costly reputational damage.

European Commission announces Safe Harbour replacement

With the Safe Harbour Agreement of 2000 coming to an end on 31st January 2016, businesses globally can now breathe a sigh of relief, as a new set of guidelines on international data transfer obligations has been agreed, called the ‘EU-US Privacy Shield’.

This followed last October’s ruling by the European Court of Justice that Safe Harbor, the 15-year-old pact between the EU and the US, was invalid.

Under the EU Data Protection Directive (95/46/EC), EU Member States may only transfer personal data to a third country for processing if that country “ensures an adequate level of protection”. The European Court of Justice found that Safe Harbor did not ensure such a level of protection.

The last few months have been confusing for data controllers and processors. Now, however, shortly after the expiration of the 31 January deadline set by the Article 29 Working Party – the body responsible for data protection in the EU – the European Commission has announced that the EU-US Safe Harbor agreement will be superseded by something called the ‘EU-US Privacy Shield’.

EU-US Privacy Shield

  • Strong obligations on companies handling Europeans’ personal data and robust enforcement:

US companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under US law by the US Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.

  • Clear safeguards and transparency obligations on U.S. government access:

For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The US has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the US Department of Commerce will conduct the review and invite national intelligence experts from the US and European Data Protection Authorities to it.

  • Effective protection of EU citizens’ rights with several redress possibilities:

Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, alternative dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created. It’s also not yet known when the new framework will be put in place. (Knowing EU bureaucracy, it’ll be a while yet.)

And just a reminder about our side of the Pond…

EU General Data Protection Regulation
The EU Data Protection Directive – which informed the Safe Harbor agreement – is soon to be superseded by the EU General Data Protection Regulation, a pan-European law that will harmonise data protection across EU member states.

  • All organisations that collect, process or store information will have to meet the GDPR’s requirements, or face penalties of up to €20 million – or 4% of turnover, which in the case of global Internet companies could be billions.

Implementing an information security management system (ISMS), as described in the international best-practice standard ISO 27001, is the sensible route to compliance.

Technology & Governance – the year ahead

There is lots of potential in many directions for cyber-security, threat intelligence and risk management in 2016, and I am sure there will be some startling stories. But the one thing I know for sure is that there will be hyper-growth in online extortion, hacktivism and mobile malware, and a pivot by government agencies and corporations towards a much more offensive strategy for dealing with cyber security threats.

I think that both governments and enterprises of all sizes are beginning to recognise the benefits of cyber security foresight and acceptance that there will be cyber attacks – and that it is likely they will be hacked. We see changes in legislation coming down the line and increasing hiring activity around skilled cyber security analysts and officers within enterprises.

Enterprises are now evaluating their risk as it relates to their assets and their position in their supply chain, assessing their vulnerabilities and responding with plans to protect and defend accordingly. Individual users are becoming much more aware of online threats and, through training and education, are upping their game, translating this heightened visibility into increasingly prudent preventative action. Malvertising is being forced to morph into more sinister approaches due to an almost 50% increase in the use of ad-blocking software in 2015.

This is good and bad, as the new approaches will have figured out a way around the software and will create new and innovative attack vectors that most users won’t see coming. Hackers are really good at evolving to adapt to new environments and for every defensive measure, there must be 50 ways to work around it.

An increase in the sophistication of psychological and analytical techniques and social engineering innovation will create a large bubble in the online extortion business driving hackers to expose even more incriminating information about their victims. Hopefully, the Ashley Madison breach will act as a lesson-learned deterrent, or at least a cautionary tale to help potential victims think twice before posting such potentially incriminating information.

If there is no basis for extortion, then it will be hard to extort.

So here are some of the things I believe we can expect to see during 2016:

• Evolving cyber criminals will develop new techniques and attack vectors to personalize hacks, potentially making 2016 the year of online extortion (unless we stop posting hyper-personal data in inappropriate spots).
• Mobile malware will surge along with the sales of smartphones and new online payment systems (these will create a target-rich environment that will be impossible for cyber criminals to resist, as these payment systems are particularly vulnerable to attack).
• There will be a significant increase in government regulations designed to increase protection, detection, arrest and prosecution of cyber criminals, but these will result instead in increased cost and difficulty related to compliance for all businesses.
• Significant fines and punishment for failure to comply with existing regulations affecting the retail, consumer, healthcare, hospitality, finance and manufacturing industries.
• In spite of increased intention, most companies will not be able to staff cyber security experts in 2016, as the current unemployment rate for analysts is less than zero.
• There will be a reduction in malvertising but an increase in socially engineered intrusion, and the resulting compromise and capture of administrative credentials will lead to an increase in successful breaches.

Now is the time to take decisive action to get ahead of all this by installing layered-defence technologies, training in identifying and detecting cyber attacks, moving to immediate compliance with all regulations affecting our and our customers’ industry sectors, and developing an internal cyber defence capability as well as partnering with external specialist firms to provide it.

What you don’t want is your emails exposed, your internal documents made public, your assets compromised, your position in your supply chain used as a tool to breach a client company or your name in the paper.

If our assets aren’t more valuable than the investment required to get secure, our customers and reputational impact surely are. Let’s get moving.

Amicus ITS conducts data security straw poll

Amicus ITS released its latest straw poll of staff views from their Totton Headquarters, regarding data security. This follows the spate of cyber security breaches reported in recent months in the news. Overseeing the latest poll, Head of Technology & Governance, JP Norman commissioned his Security & Compliance department to check with staff on the following two issues:

Q1. Staff were asked firstly what they would do if a retail organisation (i.e. bank, insurer, retailer) lost their personally identifiable information (including financial data).

96% of Amicus ITS staff said it would cause a complete loss of trust and influence them to stop using that organisation again, whilst 4% said they were undecided.

Q2. The second data security question put to staff asked whether they would consider removing or withholding an organisation’s right to their data if personally identifiable information, including healthcare records, employment or financial data, was lost by a public sector organisation, institute or employer.

In this response, 89% of staff said they would consider withholding their data.

The higher return in Q1 suggests a greater confidence and sense of control felt by people in moving an account, or simply voting with their feet commercially by not transacting again with that breached organisation.

The second result is pretty much as anticipated, with a perhaps more wary approach to withholding information (say from a GP or hospital), even though people have the entitlement to do so through the Data Protection Act 1988.

As reported in our blog of 28th May, the growing awareness of the potential frailty of large organisations without good data control, tight security policies and fast response teams, may see a change demanded by the public, unless the organisation takes a proactive stance.

With the value of healthcare records considerably higher due to the volume of personal information they contain including Social Security numbers and insurance details, the worrying realisation is that there is a very real possibility of fraud against an individual or false record creation 10-15 years down the line.

There are a number of checks that people can request to verify how their PII data is handled which we will cover in future weeks.