Poor data handling is effecting business sales

The failure to protect customer data is creating sales problems for businesses.

The failure to protect customer data is creating sales problems for businesses.

According to a survey by security firm RSA some 90% of respondents said they were concerned about their personal data being lost, manipulated or stolen.

Monetary theft (74%), identity theft (70%) and having embarrassing or sensitive information made public (45%) were the biggest data security concerns. More than a third (36%) also fear being blackmailed with stolen private images or messages.

Some 84% of UK respondents and 81% of Italians listed security information as a concern, both higher than the global average, while German respondents expressed the most concern about genetic data, US respondent were the most concerned about location data.

As a result, 78% said they try to limit the amount of personal information they share and 49% have falsified information online in an attempt to protect themselves,

More importantly from a business point of view, 62% of consumers said they would blame the company involved above anyone else, even the hacker had exposed their personal data.

With 78% saying a company’s reputation relating to its handling of customer data made an impact on their buying decisions.

In fact, an average of 69% said they have or would boycott a company that showed a lack of regard for protecting customer data, with 82% of UK respondents saying they do so.

Some 60% of all respondents said if they hear that a company has been selling or misusing data without consent they will avoid handing data over to them, and 58% said if they know a company has been mishandling data they are less likely to buy services from them.

RSA said “With more than half (54%) of respondents less likely to buy from a company they know has been mishandling data, and 62% inclined to blame the company above anyone else if data is lost, it’s clear consumers are ready to vote with their feet against organisations that fall short of their expectations.”

“The financial and reputational damage of a data breach in 2018 could be devastating.”

The research further underlines the business benefit of ensuring customers’ data and privacy is protected. More than half (53%) of respondents said they were more likely to shop with a company that could prove it takes data protection seriously.

Consumers clearly understand the value of their personal data and, while there may rightly be occasions for caution, they are willing to part with it under the right circumstances.

After the compliance deadline for the European Union’s (EU’s) GDPR on 25 May 2018, RSA Security predicts that organisational privacy and data protection failings will become even more transparent because businesses will be forced to disclose any breach of the regulation.

Under this microscope, the security firm recommends that organisations must think of the wider business impact of privacy and data protection, while also understanding how to work within the GDPR to their advantage.

The research report points out that the GDPR will affect all companies that handle EU citizens’ data, including US cloud providers and businesses in post-Brexit Britain.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Cyber139 supports Safer Internet Day

Cyber 139 is backing Safer Internet Day which is building online safety practices with young people.

Cyber 139 is backing Safer Internet Day which is building online safety practices with young people.

Many organisations including Cyber139 around the UK are contributing to the important work on making the internet a safer place for everyone

Tuesday 6 February marks Safer Internet Day 2018. Using the hashtag #SID2018, organisations globally will celebrate the safe and positive use of technology.

In Britain, the UK Safer Internet Centre, will be coordinating the activities of over 100 countries to “unite for a better internet”.

Last year’s #SID2017 initiative saw its highest engagement with 1,645 UK organisations supporting the event. Some 42% of children aged 8-17 and 23% of parents heard about the day in 2017, and this year we hope to see more people aware and presented with the online resources to help young people navigate the web effectively and safely.

To achieve this, tech businesses can easily support the initiative by promoting and raising awareness through social media and using #SID2018. Some organisations will be going the extra mile by running events and creating resources that will be getting updated on an ongoing basis.

For example, the South West Grid for Learning run sessions for children, staff and parents throughout the year. Activities such as this mean a lot more schools directly working to involve parents actively, including online safety in the curriculum, and even empowering students in peer-to-peer activities to help each other stay safe.

Safe and secure environment

The idea of supporting #SID2018 is that we work throughout the year to ensure the internet is a safe, secure environment for young people at all times. This is not to negate the ongoing challenge that new technologies emerge every year, which adds complexity to this issue. Nonetheless, we need to understand that this evolving environment is one that our young children must move with, as it is likely to be them who will be using these technologies most in their future jobs, lives and relationships.

In a time where the UK must fill a digital skills gap, an acute understanding and practice of online safety education must evolve in parallel with the innovation of new products and services. This will enable individuals now and in the future to be safe, active digital citizens.

A number of organisations working in partnership with UK industry to tackle illegal content issues, such as WePROTECT, Global Alliance and the Internet Watch Foundation (IWF), are excellent sources of information. The Royal Foundation’s Cyberbullying Taskforce has also set up a new code for children which offers simple steps to help tackle cyber bullying – Stop, speak, support.

There are also technical solutions provided by online services such as Google’s Safe Search function and YouTube Kids, as well as Instagram’s keyword moderation tool which allows parents and users to block comments that contain inappropriate language.

Most SMEs unaware of GDPR data protect laws

Less than half of UK SMEs, businesses and charities are aware of new GDPR data laws just four months before the deadline.

Less than half of UK SMEs, businesses and charities are aware of new GDPR data laws just four months before the deadline.

The new data laws will be brought in through the EU’s General Data Protection Regulation (GDPR), which will be implemented in UK law via the Data Protection Bill on 25th May 2018.

The new UK data protection legislation sets similar requirements and penalties for non compliance as the EU’s GDPR in an attempt by the UK government to ensure uninterrupted data flows between the UK and EU member countries after Brexit.

Awareness is higher among businesses that say their senior managers consider cyber security a fairly high or very high priority, with two in five aware of the GDPR.

The survey found that just over a quarter of businesses and charities that had heard of the regulation have made changes to their operations ahead of the new laws coming into force.

Among those making changes, just under half of businesses, and just over one-third of charities, have made changes to cyber security practices, including creating or improving cyber security procedures, hiring new staff and installing or updating anti-virus software.

Speaking in Davos, UK digital, culture, media and sport minister Matt Hancock said the government is strengthening the UK’s data protection law to make it fit for the digital age.

The new legislation is aimed at giving UK citizens more control over their own data, he said, as well as supporting innovative businesses to maximise the potential benefits of increasing use of data in the digital economy.

The new UK data protection legislation will give the ICO more power to defend consumer interests and issue higher fines, of up to £17 million or 4% of global turnover for the most serious data breaches, which is roughly in line with the penalties contained in the GDPR.

SMEs and organisations that hold and process personal data are urged to prepare and follow the GDPR guidance from the ICO.

There will be no regulatory “grace” period, but the government said the ICO is a “fair and proportionate” regulator.

“Those who self report, who engage with the ICO to resolve issues and demonstrate effective accountability, can expect this to be taken into account when the ICO considers taking action,” the government said in a statement.

Information commissioner Elizabeth Denham said the data protection law reforms put consumers and citizens first. “People will have greater control over how their data is used, and organisations will have to be transparent and account for their actions,” she said.

“This is a step-change in the law – businesses, public bodies and charities need to take steps now to ensure they are ready.”

According to Denham, organisations that commit to the spirit of data protection and embed it into their policies, processes and people will thrive in the new era of data protection.

“The GDPR offers a real opportunity to present themselves on the basis of how they respect the privacy of individuals, and over time this can play more of a role in consumer choice,” she said. “Enhanced customer trust and more competitive advantage are just two of the benefits of getting it right.”

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Small business needs to reduce cyber security threat to payment card data

Small business’ cardholder data is a prime security target for cyber criminals – which is only likely to increase in the coming year.

Small business' cardholder data is a prime security target for cyber criminals - which is only likely to increase in the coming year.

Despite investment in security and compliance, 2018 shows no signs of high profile hacks slowing down, with most security suppliers predicting the ransomware attacks that dominated 2017 will continue, driven by an increase in the providers of ransomware as a service (RaaS).

This cyber criminal business model is expected to increase the potential for even non technical attackers to target poorly secured organisations and consumers – which means businesses will need to step up their cyber defences more than ever before.

However, this rising threat can be mitigated with the introduction of controls required to secure this data under the Payment Card Industry Data Security Standard (PCI DSS), according to secure payments firm PCI Pal.

Breached organisations demonstrated lower compliance with 10 out of the 12 PCI DSS key requirements, according to the Verizon 2017 payment security report.  Whilst compliance does not guarantee an organisation will not be breached, the data shows that failure to comply almost certainly means they will be breached.

“Businesses may not be able to reduce the number of incoming threats but, by ensuring PCI DSS compliance, they can certainly reduce the success rate,” said James Barham, chief commercial officer at PCI Pal.

To date, he said, the vast majority of security investment has focused firmly on keeping cyber criminals out, but that only works to a certain extent. “Because there is much greater impetus for the hackers to devise new methodologies to gain access and the security industry at large is only ever playing catch up, but we expect 2018 to see a step change in the mentality of data protection from trying to keep people out, to simply ensuring there is no data for them to take,” he said.

If businesses can remove the valuable data from their environments, said Barham, it no longer matters if there is a breach. “De-scoping PCI data will increasingly become the method of choice for businesses augmenting their intrusion prevention positions next year,” he said.

Businesses typically reduce the scope of their PCI DSS compliance by reducing or eliminating the cardholder data they store and switching to third party payment service providers.

Similar strategies can be used to reduce the likelihood of failure to comply with the EU’s General Data Protection Regulation (GDPR) after the compliance deadline of 25 May 2018.

Due to the significant financial penalties that will be imposed in the event of a breach, non-compliance will not be an option for the vast majority of businesses,” said Barham.

Another reason he believes businesses are likely to de-scope is that another round of changes to the PCI DSS is scheduled for July 2018.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

ICO fines Carphone Warehouse £400K over data loss

Carphone Warehouse has received one of the highest fines by the ICO after putting it’s clients’ personal data at risk.

Carphone Warehouse has received one of the highest fines by the ICO after putting it's clients' personal data at risk.

The UK privacy watchdog – the Information Commissioner’s Office (ICO) warns that more stringent data protection laws will apply from 25 May 2018, with potentially much greater fines.The Information

According to the ICO, the personal data at Carphone Warehouse was exposed in a cyber attack because of the company’s failure to protect the data from unauthorised access.

The compromised customer data included names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details.

The records for some Carphone Warehouse employees, including name, phone numbers, postcode and car registration, were also exposed.

In determining the monetary penalty, the ICO considered that the personal data involved would significantly affect individuals’ privacy, leaving their data at risk of being misused.

Information Commissioner Elizabeth Denham said that a company as large, well resourced and established as Carphone Warehouse should have been actively assessing its data security systems and ensuring that systems were robust and not vulnerable to such attacks.

“Carphone Warehouse should be at the top of its game when it comes to cyber security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures,” said Denham.

Following a detailed investigation, the ICO identified multiple inadequacies in Carphone Warehouse’s approach to data security and determined that the company had failed to take adequate steps to protect the personal information.

Using valid login credentials, intruders were able to access the system via an out of date version of WordPress software.

The incident also exposed inadequacies in the organisation’s technical security measures. The ICO said important elements of the software in use on the systems affected were out of date and the company had failed to carry out routine security testing.

The ICO said its investigation had revealed a serious contravention of Principle 7 of the Data Protection Act 1998, which requires appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

According to Denham, the real victims are customers and employees whose information was open to abuse by the malicious actions of the intruder.

“The law says it is the company’s responsibility to protect customer and employee personal information,” she said. “Outsiders should not be getting to such systems in the first place. Having an effective layered security system will help to mitigate any attack – systems can’t be exploited if intruders can’t get in.

“There will always be attempts to breach organisations’ systems and cyber attacks are becoming more frequent as adversaries become more determined. But companies and public bodies need to take serious steps to protect systems and, most importantly, customers and employees.”

From 25 May this year, the law will get more stringent as the General Data Protection Regulation (GDPR) compliance deadline is reached, the ICO said.

Data protection by design is one of the GDPR’s requirements, the regulator said, and must be in every part of information processing, from the hardware and software to the procedures, guidelines, standards and polices that an organisation has or should have.

Companies and public bodies should ensure strong IT governance and information security measures are in place, tested and refreshed to comply with the provisions of the law, the ICO said.

Failure to comply with the GDPR requirements will put companies at risk of fines of up to €20m or 4% of their global annual turnover.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Cyber 139 wishes You a Safe and Secure New Year

Cyber 139 wishes You a Safe and Secure New Year in 2018

Cyber 139 wishes You a Safe and Secure New Year in 2018
With 2018 now here we hope that you have had a Merry Christmas and a great festive break and hope that you are looking forward to a safe and secure year ahead.

Digital identity needs to be cyber security priority in 2018

Protecting digital identities and protecting employees are key cyber security challenges for 2018.

Protecting digital identities and protecting employees are key cyber security challenges for 2018

The issues of protecting digital identity, gaining data visibility and protecting employees are key cyber security challenges for 2018 according to the cyber security 2018 predictions report by security firm FireEye.

“The idea that you can get someone’s date of birth, and their Social Security number and steal their identity and do fraudulent tax refunds, or try to get a loan or credit card – that has to change,” FireEye said.

“This has to happen. Otherwise, every five months, we’re going to have another huge data breach,” they warned.

In addition to the imperative of finding a better way to manage identity, RedEye said it was also important to find a way of dealing with international privacy.

On the topic of nation state actors in the cyber realm, RedEye considers Iran the most interesting country to watch, rather than Russia, China or North Korea.

RedEye said while Iran started “acting at scale” in 2017, the extent of that activity was not really known. “We don’t know if we are seeing 5% of Iran’s activities, or 90% – although I’m guessing it’s closer to 5% – but they’re operating at a scale where, for the first time in my career, It feels to me that the majority of the actors we’re responding to right now are hosted in Iran, and they are state sponsored,” they said.

On the topic of cloud security, RedEye claimed better visibility was of paramount importance. I know that a lot of people are depending on the cloud, and we need visibility.

“Many of these cloud providers are providing it, but we don’t always have security operations that can take advantage of that visibility and see what’s happening,” he said.

An area many companies are still overlooking, RedEye said, is protecting employees from cyber attack.

He said companies needed to consider whether hackers could access corporate accounts through hacking employees’ private accounts, or if they could make it appear as though they have hacked the enterprise.

“There are hackers out there who will hack an employee at a company, and they will post any document they can get, and they will say they hacked the company even if they haven’t. It’s a reputational thing – while it’s hard to gauge the public response to these types of incidents, right now many companies are being deemed irresponsible or negligent or compromised when they are none of those things,” he said.

RedEye said all security professionals should be thinking about what employees are doing when they go home, how they can be secured, how they can be helped, what policies are needed and how those policies could be enforced.

They advised that all organisations moving into the cloud should know everything that is going on.

While there are bound to be new, interesting attacks in 2018, organisations should be preparing for modified versions of current attacks

“For instance, do you have places where documents are getting uploaded and then going into your back office? That’s a good place to ensure there is some high-grade detection, beyond an antivirus scanner. Because you essentially have unauthenticated input going directly into the key parts of your organisation.”

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Cyber security skills shortage can be addressed

The shortage of cyber security skills can be addressed according to the information security professional training and certification body (ISC)2

The shortage of cyber security skills can be addressed according to the information security professional training and certification body (ISC)2

There could be up to 1.8 million information security related roles unfilled worldwide by 2022, according to the latest Global information security workforce study from (ISC)2, but the organisation believes there are ways to address this potential shortfall.

“It makes no sense that we have employment issues for veterans and other communities on the one hand, and information security jobs being unfilled on the other,” according to John McCumber, director of cyber security advocacy at (ISC)2.

In this newly created role of advocacy for the information security profession, McCumber is engaging with the governments on issues such as workforce development and supporting information security professionals in the work they do.

McCumber, who has been working in information security in military, national security and civilian roles for the past 30 years, argues that in the light of the fact that there are jobs for people coming out of trade schools, there is no reason that aspects of cyber security cannot be turned into trades.

“By treating cyber security as a trade, it will enable school leavers to get some basic skills without having to do a four-year course and to provide valuable services in well-paid jobs in the cyber security field,” he said. “There are a lot of productive jobs in the cyber security field that do not need a four-year degree.”

The training is aimed at enabling veterans to join the (ISC)2 associate membership programme, which provides them with the experience required to qualify for various information security certifications.

“By enabling veterans to get certified as information systems security professionals, systems security practitioners and cloud security professionals, we are able to connect them with well-paying jobs,” said McCumber.

McCumber predicts that cyber security jobs will also begin changing in future as new technologies enable organisations to automate a lot of their cyber attack responses.

“Things like penetration testing are also likely to be automated with advances in so-called artificial intelligence, so (ISC)2 is working with information security professionals to position themselves for the new world of work and show organisations how they can help them understand their cyber risk and provide an objective way of managing that risk,” he said.

“As a result, that projected 1.8 million cyber security skills gap will not look as insurmountable in two to three years’ time,” he said.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Ransomware up nearly 2,000% in two years as cyber mafia hit business

Cyber attacks on businesses in 2017 grew in frequency, sophistication and malice – a report on the new age of organised cyber crime finds.

Cyber attacks on businesses in 2017 grew in frequency, sophistication and malice - a report on the new age of organised cyber crime finds.

The new generation of cyber criminals increasingly resembles traditional mafia organisations, requiring a new approach to dealing with it, according to a report by security firm Malwarebytes.

Cyber criminals have the same professional organisation as mafia gangs of the 1930s, but they also share a willingness to intimidate and paralyse victims, the report shows.

Malwarebytes’ analysis also shows that, in spite of acknowledging the severe reputational and financial risks of cyber crime, many business leaders greatly underestimate their vulnerability to such attacks.

The report calls for businesses and consumers to fight back by acting as “vigilantes” through greater collective awareness, knowledge sharing and proactive defenses. This includes a shift from shaming businesses that have been hacked to engaging with them and working together to fix the problem.

Businesses must also heighten their awareness of cyber crime, and take a realistic view towards the likelihood of attack.

The vast impacts of these attacks, the report said, mean that cyber crime must be elevated from a tech issue to a business-critical consideration.

Malwarebytes’ data demonstrates the urgent need for such a shift in approach by highlighting the capacity of these fast-maturing gangs to inflict greater damage on businesses.

The new cyber mafia, the report said, is accelerating the volume of attacks, with the average monthly volume of attacks in 2017, up 23% compared with 2016. In the UK, the report said 28% of businesses had experienced a “serious” cyber attack in the past 12 months.

Ransomware attacks detected by Malwarebytes show that the number of attacks in 2017 from January to October was 62% greater than the total for 2016.

In addition, detections are up 1,989% since 2015, reaching hundreds of thousands of detections in September 2017, compared with fewer than 16,000 in September 2015. In 2017, ransomware detections rose from 90,351 in January to 333,871 in October.

“The new mafia, identified by our report, is characterised by the emergence of four distinct groups of cyber criminals: traditional gangs, state-sponsored attackers, ideological hackers and hackers-for-hire,” said Marcin Kleczynski, CEO of Malwarebytes.

Malwarebytes argues that the growth of cyber crime and a lack of clarity over how best to police it is damaging victim confidence, with those affected by cyber crime often too embarrassed to speak out.

This is true for consumers and businesses alike, the report said, and can have dangerous ramifications as firms bury their heads in the sand instead of working to reduce future incidents.

The report suggests that the answer lies in engaging and educating the C-suite so that CEOs are as likely as IT departments to recognise the signs of an attack and be able to respond appropriately.

“CEOs will soon have little choice but to elevate cyber crime from a technology issue to a business-critical consideration,” he said.

“Rather than sit back and minimise the blow from cyber crime, individuals and businesses must take the same actions that previous generations of vigilantes once did against the fearsome syndicates of their day: fight back,” the report said.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Small businesses cyber success is balance of user experience, privacy and security

Small businesses need to balance user experience, privacy and security to achieve overall cyber success.

Small businesses need to balance user experience, privacy and security to achieve overall cyber success.

A change in approach will help businesses achieve the right balance between user experience, privacy and security more easily, says Martin Kuppinger, principal analyst at KuppingerCole.

“Most businesses are making the fundamental mistake of thinking inside-out, but by thinking outside-in, they will automatically put the consumer first,” he told Consumer Identity World Europe 2017 in Paris.

This means instead of thinking about what suits the business, the business looks at what will best suit its customers, what works best for customers and taking customer preferences into account.

“Most businesses need to switch from the approach where they are telling consumers what they want them to do, to making it clear they are willing to do things the way the consumer wants,” said Kuppinger.

“We do what you want, needs to be the message, because this is the best way to ensure that consumers will want to do the most with them,” he said.

In the light of the European Union’s (EU’s) General Data Protection Regulation (GDPR), Kuppinger said it is now even more important to get the balance right.

From a consumer perspective, this means ensuring that services and interactions with suppliers need to be simple, and as frictionless and transparent as possible.

“Aside from GDPR requirements, consumers are generally more willing to share data if the reward is clear and they know that organisations use their data only for the purpose it was originally collected for,” said Kuppinger.

From a business perspective, it is therefore important to ensure that there is a standard approach to customer data throughout the organisation and that personal data is collected only when necessary.

“They need to be clear about what they are collecting, what purpose they are collecting the data, and they must provide processes for consumers to withdraw consent if they wish.”

However, done correctly, collecting and managing consumer information can improve the customer experience, said John Tolbert, lead analyst at KuppingerCole.

“Consumer identity management can also enable new business models, such as freemium models where basic services are provided free with the option of upgrading to paid services or shared revenue models,” he said.

Tolbert also emphasised the importance of making it clear to consumers what they will get in exchange for agreeing to allow businesses to collect and user their data.

“Again, getting the balance right is important because the more data you collect the more friction you add, so collect just enough information to be useful to keep friction to a minimum,” he said.

Tolbert said it is always important to be explicit about information is being collected, collect only what is necessary, and reduce friction by avoiding pop-ups that continually ask for more data.

“Fine-tune how you interrupt visitors to your site, be conservative in the information you collect and always ensure you have good consent management processes to collect and store consent,” he said.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139