GDPR and customer data protection

We follow on from our Cyber Security Force’s post yesterday about 96% of firms being unprepared for tougher data protection laws.

While businesses grapple to become compliant, they remain out of touch with consumer expectations when it comes to data privacy and security.

Nearly three quarters of businesses do not think an organisation’s privacy track record is a top three consideration for customers when choosing who to do business with, despite customers asking about data security in more than a third of transactions.

Equally concerning, the report said, is the finding that 35% of respondents do not believe their organisation takes an ethical approach to securing and protecting data.

These results show there is a significant disconnect with consumer priorities, the report said, with 88% of European consumers regarding data security as the most important factor when choosing a company with which to do business. In fact, 86% consider it more important than product quality.

Unsurprisingly, the study found that 55% of businesses are not confident they completely meet customers’ data security expectations.

The study also found many businesses have not started working out the necessary organisational and cultural changes they need to make ahead of May 2018.

Some 9% of businesses admitted that all employees are able to access customers’ personal information, while 6% admitted that all staff can access customers’ payment details. Only 14% believe everyone in the organisation has a responsibility to ensure data is protected.

With such wide reaching access to people’s personal information, businesses are underestimating the challenges they will face in managing this in line with the GDPR, the report said.

Under half of those surveyed said managing data ethically is a top priority for their organisation, and less than half again said they would be increasing security training. Only 27% of businesses polled said they are planning to overhaul their approach to security in response to the GDPR.
Technical readiness

The majority of respondents (91%) have concerns about the ability of their organisation to comply with the GDPR, due to factors such as the complexity of processing data correctly in time and costs involved.

Only 28% of IT and business decision makers realise the right to be forgotten is part of GDPR, while 90% of businesses say customers requesting their data be deleted will be a challenge for their organisation.

Only 9% of respondents have already received requests to be forgotten, but 81% believe their customers would exercise their right for data to be deleted, and 60% of businesses do not currently have a system in place that enables them to respond to these requests.

With less than two years before the EU data protection rules come into force, there are 10 key areas businesses need to focus on to ensure they will be compliant.

The European Parliament’s official publication of the General Data Protection Regulation means it will become enforceable on 25 May 2018.

Companies that fail to start planning to deal with the EU’s data protection requirements are in for a real shock, warns the International Association of Information Technology Asset Managers.

The GDPR is about enabling organisations to realise the benefits of the digital era, but it is serious about enforcement for those that do not play by the rules, says the UK information commissioner.

Nearly all European businesses unprepared for new data protection laws

96% of companies still do not fully understand the European General Data Protection Regulation (GDPR), a survey has revealed.

Lack of consumer and regulatory understanding, combined with low technical and cultural preparedness, represents a major threat to revenue and brand value, according to a Symantec state of privacy report.

As a result, 91% of 900 businesses and IT decision makers polled in the UK, France and Germany have concerns about their ability to become compliant by the time the GDPR comes into force on 25 May 2018, according to Symantec’s State of Privacy Report.

The report coincides with a call by the Payment Card Industry Security Standards Council (PCI SSC) for firms to act now to avoid exponentially increased penalties under new European Union (EU) data protection regulations.

UK businesses could face up to £122 billion in penalties for data breaches when new EU legislation comes into effect, the PCI SSC has warned.

The Symantec study also revealed only 22% of businesses consider compliance a top priority in the next two years, despite only 26% of respondents believing their organisation is fully prepared for the GDPR.

Nearly a quarter of those polled said their organisation will not be compliant at all, or will be only partly compliant, by 2018.

Of this group, only a fifth believe it is even possible to become fully compliant with the GDPR, and nearly half believe that while some company departments will be able to comply, others will not.

This stark lack of confidence in meeting the May 2018 deadline leaves businesses at risk of incurring significant fines, the report said.

“These findings show businesses are not only underprepared for the GDPR, they are under-preparing,” said Kevin Isaac, senior vice-president, Symantec.

“There is a significant disconnect between how important privacy and security is for consumers, and its priority for businesses. The good news is there’s still time to remedy the situation, but only if firms take immediate action,” he said.

National Cyber Security Centre (NCSC) launched today

The National Cyber Security Centre (NCSC) is officially launched and open for business today, 4 October 2016.

The government outlined what the NCSC would do, how it would work and who it would work for in May this year, but had not given a precise date for the official opening of the centre until now.

The NCSC will be led by CEO Ciaran Martin, formerly director general of government and industry cyber security at intelligence agency GCHQ, and the technical director will be Ian Levy, formerly technical director of cyber security at GCHQ.

The NCSC will be run from new offices in London as well as from offices near Cheltenham, Gloucestershire.

The primary goal of the NCSC is to simplify the complicated cyber security picture across government that made it difficult for organisations to know who to talk to.

It brings together all the key organisations under a single organisational umbrella to provide better support and bridge the gaps between government, industry and critical national infrastructure.

The NCSC, which began preparatory work and conducted trials and pilot studies over the summer, has four main goals:

  • To reduce cyber security risk to the UK;
  • To respond effectively to cyber incidents and reduce the harm they cause to the UK;
  • To understand the cyber security environment, share knowledge and address systemic vulnerabilities; and
  • To build the UK’s cyber security capability, providing leadership on key national cyber security issues.

The NCSC has five areas of focus: engagement, strategy and communications, incident management, operations, and technical research and innovation.

In the next six months, the NCSC will test its strategic plan and refine it further based on feedback received.

Know your cyber attacker to defend yourself

Plus ça change: the Chinese general Sun Tzu said “know your enemy” 2,500 years ago, and the advice is as pertinent today as it was then when it comes to cyber security.

Organisations can build better cyber defences by understanding which criminal underground is likely to target them, according to Robert McArdle, threat research team manager at Trend Micro.

There are several distinct types of cyber criminal undergrounds divided along language lines, each with their own particular characteristics, he told the Cloudsec 2016 conference in London.

The biggest and most mature are the Russian, English, German and Chinese cyber criminal undergrounds, but there are also significant operations in Portuguese (Brazil) and Japanese.

“They all operate slightly differently and focus on different activities, so it depends on your business which of these undergrounds are the most likely to target your organisation,” said McArdle.

The Russian criminal underground is the longest-running and most mature, and was the first to introduce the as-a-service model, which has since been copied by most of the others.

The Russian cyber criminal underground is highly competitive, with most operations run along strict business principles, with some boasting dedicated sales departments and 24-hour support services.

The Trend Micro research team has identified several trends in the Russian underground, such as the fact that fierce competition is forcing prices lower, providing easier access to tools and services.

There has been a rapid increase in the number of tools and services targeting mobile devices and platforms in line with the growing popularity of mobile devices.

Another rapidly growing area is the trade in information about compromised sites that can be used in various cyber criminal campaigns.

Trade in credit card details continues to be strong on the Russian underground, with several sites dedicated to buying and selling this data.

“Some even have clickable maps that enable cyber criminals to view what credit cards are available in particular countries, cities and particular companies,” said McArdle.

“We have also seen the emergence of star-rating systems and the introduction of validation services that allow customers to try before they buy,” he said.

The Chinese underground is interesting, said McArdle, because although China is strongly associated with cyber espionage in the West, it is responsible for relatively little run-of-the-mill cyber crime.

“Because of the language differences, the Chinese underground tends to build its own malware, does not rely on outside sources and mainly targets companies and individuals in China,” he said.

Although there is a fair amount of cyber crime hardware produced in China, such as card skimming devices, this tends to be sold through the cyber criminal markets based in South America.

The English cyber criminal underground is characterised by a much greater focus on physical goods, such as recreational drugs and fake identity documents, in addition to malware and killers for hire.

Distributed denial of service (DDoS) tools and services are very common in the English underground because they started out as tools developed by rival English-speaking gaming groups before migrating into extortion tools used by cyber criminals.

“We see a lot of tools and services for identity theft on the English underground, such as fake IDs, particularly in the US, where a stolen social security number can be used to impersonate someone to commit fraud by taking out loans, for example,” said McArdle.

Although the Portuguese cyber criminal underground based in Brazil is still relatively immature, he said it is growing and developing rapidly, driven by excellent online tutorials.

“Our researchers came across a three-month tutorial programme for just £75 that is practically a master’s-level course on every aspect of conducting carding operations, including practical assignments with feedback on performance,” said McArdle.

The Portuguese underground is heavily focused on attacks on online banking, with 40% of Brazilians interacting with banks online. Consequently, most new attack methods aimed at online banking emerge in this region, providing a good indicator of what is likely to emerge in other parts of the world.

The Japanese underground is one of the least mature cyber criminal undergrounds, said McArdle, and, like the Chinese, it tends to focus on Japanese-speaking customers and targets.

Although there is relatively little malware available because of the strict anti-malware legislation in Japan, he said there is a strong focus on Trojan malware and malware for webcams.

The Japanese underground is also characterised by gated communities, the use of coded language to refer to goods and services, and pop-ups on free porn websites that demand payment for allegedly accessing member-only content.

“Strangely enough, around 10% of those targeted by these pop-ups pay the money demanded, even though the claims are false and no malware is involved,” said McArdle.

The German cyber criminal underground is the most mature in Europe and is not far behind the Russian underground.

“There are a lot of overlaps with the Russian underground, especially in terms of fake identity goods and services driven by demand from the growing Syrian refugee population in Germany,” said McArdle.

An understanding of the nature of these undergrounds, he said, means that the banking sector should concentrate on the Russian and Portuguese undergrounds, for example, while those tasked with defending government or military networks would do well to concentrate on the Chinese underground.

“Understanding attackers is key to understanding what you need to defend against and building a strategy for doing so,” said McArdle.

UK organisations not taking ransomware seriously

UK organisations are still not taking ransomware seriously enough and continue to fall prey to low-cost, low-risk cyber extortion.

Cyber criminals simply have to infect computer systems with malware designed to lock up critical data by encrypting it, and then demand a ransom in return for the encryption keys.

The occurrence of ransomware attacks nearly doubled, up by 172%, in the first half of 2016 compared with the whole of 2015, according to a recent report by security firm Trend Micro.

Ransomware, the report said, is now a prevalent and pervasive threat, with variants designed to attack all levels of the network.

Ransomware is typically distributed through phishing emails designed to trick recipients into downloading the malware, or through app downloads and compromised websites.

The business model is proving extremely successful for cyber criminals, as many organisations are not prepared for it, and paying the ransom is often the best or only option open to them.

Two separate studies have revealed that universities and NHS trusts in England have been hit hard by ransomware in the past year.

A freedom of information request by security firm SentinelOne revealed that 23 of 58 UK universities polled were targeted by ransomware in the past year, but all claim not to have paid any ransom.

In a similar study by security firm NCC Group, 47% of NHS Trusts in England admitted they had been targeted, while one single trust said it had never been targeted, and the rest refused to comment on the grounds of patient confidentiality. Only one trust said it had contacted the police.

While ransomware writers were sometimes careless in the past, so that there was often a way to retrieve files, that is seldom the case now, making preparation even more important.

Security firm Sophos has developed a whitepaper advising businesses on how to stay protected against ransomware.

Here is a list of best practices that businesses and public sector organisations should apply immediately to avoid falling victim to ransomware:

  • Back up regularly and keep a recent backup copy off-site
  • Do not enable macros in document attachments received via email
  • Be cautious about unsolicited attachments
  • Do not give users more login power than they need
  • Consider installing Microsoft Office viewers to see what documents look like without opening them in Word or Excel
  • Patch early, patch often, because ransomware often relies on security bugs in popular applications
  • Keep informed about new security features added to your business applications
  • Open .JS files with Notepad by default to protect against JavaScript-borne malware
  • Show files with their extensions, because malware authors increasingly try to disguise the actual file extension to trick you into opening them
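Three of the items above (macros, .JS handling, file extensions) are Windows settings that can be audited rather than taken on trust. The script below is an added example written for this post, not code from the Sophos whitepaper; it reads the relevant registry values for the current user and reports pass/fail. It assumes a Windows 10/11 workstation with Office 2016 or later (registry version key "16.0"), and is read-only.

```powershell
# Added example: read-only audit of three ransomware hardening settings from the list above.
# Assumptions (not from the original post): Office 2016+ (version key 16.0); run in the
# context of the user being audited. Nothing is changed, only reported.

function Test-RansomwareHardening {
    $results = @()

    # 1. "Show files with their extensions": Explorer hides extensions when HideFileExt = 1.
    $adv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $hide = (Get-ItemProperty -Path $adv -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    $results += [pscustomobject]@{
        Check  = 'File extensions shown'
        Pass   = ($hide -eq 0)
        Detail = "HideFileExt = $hide (expected 0)"
    }

    # 2. "Open .JS files with Notepad by default": the per-user class overrides the machine
    #    class, so check HKCU first. A handler pointing at WScript.exe means a double-click
    #    on a .js attachment will execute it rather than display it.
    $handler = $null
    foreach ($root in 'HKCU:\Software\Classes', 'HKLM:\Software\Classes') {
        $cmd = Get-ItemProperty -Path "$root\JSFile\Shell\Open\Command" -ErrorAction SilentlyContinue
        if ($cmd) { $handler = $cmd.'(default)'; break }
    }
    $results += [pscustomobject]@{
        Check  = '.JS opens in Notepad'
        Pass   = ($handler -match 'notepad')
        Detail = "JSFile open command = '$handler'"
    }

    # 3. "Do not enable macros": VBAWarnings 4 = disable all without notification,
    #    3 = disable all except digitally signed, 2 = disable with notification (the
    #    Office default, which still lets a user click "Enable Content"), 1 = enable all.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $sec = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
        $v   = (Get-ItemProperty -Path $sec -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $results += [pscustomobject]@{
            Check  = "$app macros blocked"
            Pass   = ($v -in 3, 4)
            Detail = "VBAWarnings = $(if ($null -eq $v) { 'not set (Office default: prompt)' } else { $v })"
        }
    }
    return $results
}

Test-RansomwareHardening | Format-Table -AutoSize
```

Where Group Policy manages Office, the enforced values live under HKCU:\Software\Policies\Microsoft\Office\16.0\...\Security instead and take precedence over the user hive read here, so a "not set" result on a domain-joined machine should be checked against the policy path too.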

Cyber attack recovery 300% dearer due to skills shortage

Large businesses that are struggling to attract skilled IT security experts are paying up to three times more to recover from a cyber security incident.

As the security skills gap continues to widen, a growing number of organisations are being forced to call in outside help to supplement in-house skills.

For a third of businesses, the improvement of specialist security expertise is one of the top three drivers for additional investment in IT security, the report by Kaspersky Lab said.

The report combines the results of the survey with input from Kaspersky Lab’s experts and representatives of major universities. It shows that overcoming the lack of skills and shortage of talent in cyber security is a major challenge for companies.

The growing demand is not easy to meet, the report said, due to a lack of available specialists and increasingly complex requirements.

According to Kaspersky Lab’s own recruitment managers, on average only one applicant out of 40 (2.5%) meets the strict criteria for an expert position.

The research shows that 90% of companies looking to hire cyber security professionals in 2016 said it was difficult to find the right candidates for the jobs on offer.

However, the challenge is not limited to technical know-how. According to Kaspersky Lab, the need for security managers is even greater.

In addition to deep technical knowledge, managers’ duties include communication with top management and overseeing the overall strategy, which are qualities that are especially important for large companies, the report said.

Higher education institutions recognise the need to revise their courses, but, at the same time, acknowledge the challenge of embedding security-oriented thinking into those courses.

The IT industry continues to evolve at a rapid pace, the report said, but notes that despite the obvious advancements in IT education, most graduates are not ready to help companies in ramping up security immediately.

Overall, the Kaspersky Lab report said 68.5% of companies polled expect an increase in the number of full-time security experts, with 18.9% expecting a significant increase in headcount.

Higher education is an important part of fulfilling such a demand, the report said, but this is also a call for a change in the security industry itself.

Security suppliers need to help universities with relevant experience and adapt research and development efforts towards the effective sharing of intelligence with corporate customers in the form of threat data feeds, security training and services.

A proper combination of security controls and intelligence, the Kaspersky Lab report said, will help corporate security teams to spend less time on regular cyber security incidents and focus on strategic security development and advanced threats.

Solving the different challenges of threat prevention, the detection of targeted attacks, incident response and prediction, said Levtsov, requires a lot of flexibility.

The report concludes that the problem of talent shortage will be solved through the efforts of education, evolution of the industry and adoption of intelligence sharing models.

UK data well protected after Brexit says new ICO head

UK data is well protected after the Brexit vote, according to the new Information Commissioner.

Elizabeth Denham made the observation in the first newsletter to be published by the Information Commissioner’s Office (ICO) since she took up the role on 18 July 2016.

“The result of the EU referendum and its impact on data protection reforms will undoubtedly create uncertainty, as any period of flux does,” she said. “It’s clear to me, though, that the UK is well equipped to navigate the changes ahead successfully.”

Indicating that she means to continue her predecessor Christopher Graham’s policy of engagement with stakeholders, Denham said data protection was a “team sport”.

“Effective regulation requires engagement with the public sector, with industry, with civil society and with the public at large,” she said. “We all have an important role to play in this.”

Although Graham left the ICO on 28 June 2016 after seven years, there was a delay in Denham taking over because of a failure by government to obtain the Queen’s consent for the appointment in time.

Graham’s deputy, Simon Entwistle, was acting information commissioner until Denham was able to take over the leadership of the ICO, which regulates the UK’s Data Protection Act, Freedom of Information Act and the rules around marketing calls and texts.

Denham was shortlisted in April 2016, and was approved for the post of information commissioner by the Parliamentary Committee for the Department of Culture, Media and Sport on 27 April.

She was appointed for a five year term as information commissioner after holding senior positions in privacy regulation in Canada for the past 12 years.

Since 2010, Denham has been the commissioner at the Office of the Information and Privacy Commissioner for British Columbia, Canada.

“Over more than a dozen years in this sector, I’ve seen the pace of the privacy regulator job quicken, and the scope of the work grow wider every day,” Denham wrote in the newsletter.

“Access to information and privacy touch nearly all aspects of public and commercial life and our work is at the centre of some of the most compelling issues of our time.”
ICO makes a difference

Denham noted that the ICO’s work makes a difference to citizens and consumers, employees and other rights holders.

In addition to helping navigate the changes necessitated by the Brexit vote, Denham is the first UK information commissioner since the European Union General Data Protection Regulation (GDPR), Network Information Security (NIS) Directive and EU-US Privacy Shield framework were approved.

Referring to these challenges, Denham said there was “a lot happening this side of the pond” but that the coming weeks would enable her to become more familiar with the work of the ICO and “get to grips” with the challenges ahead.

Denham, who has a track record of taking a proactive approach to enforcing data protection law and tackling government on privacy issues, will also have to deal with implications for UK business of the controversial Investigatory Powers Bill, which is well on its way to becoming law.

Cyber crime included in official statistics

Cyber Security Force welcomes the inclusion of cyber crime in the latest crime survey for England and Wales by the Office for National Statistics (ONS).

According to the latest report, there were 5.8 million incidents of cyber crime and fraud in the 12 months up to March 2016, affecting one in 10 people in England and Wales.

Just over half of the fraud incidents were cyber related, with 28% of these being non-investment fraud relating to online shopping or computer service calls. Some 68% of computer misuse crimes were related to malware and 32% were from unauthorised access to personal information including hacking.

However, the ONS cyber crime and fraud figures are an estimate, as specific questions relating to cyber crime were only added to the survey in October 2015 following a field trial.

“Headline estimates will include these offences for the first time in January 2017 once the questions have been asked for a full 12 months,” the report said.

According to the report, there were 4.5 million crimes reported in the period, excluding the 3.8 million cyber-related fraud incidents and 2 million computer misuse offences.

But the ONS said it would be incorrect to assume that once the figures are combined in the next report that the overall crime figure will double.

“This is the first time we have published official estimates of fraud and computer misuse from our victimisation survey, and ONS is leading the world in doing this. Together, these offences are similar in magnitude to the existing headline figures covering all other crime survey offences,” the ONS said.

“However, it would be wrong to conclude that actual crime levels have doubled, since the survey previously did not cover these offences. These improvements to the crime survey will help to measure the scale of the threat from these crimes, and help shape the response.”
Security should be top of board’s agenda

According to the ONS, cyber crime now makes up 40% of all recorded criminal incidents.

The technical capabilities of cyber criminals continue to outpace the UK’s ability to deal with cyber threats.

For the majority of organisations, the main two lessons to take from these statistics are the rapid evolution of cyber crime, and the number of threats that any individual or organisation will face.

Investment tends to flow into areas where it will be most productive, and crime is no different.

While there are government initiatives underway to tackle fraud, it is largely down to organisations to take care of themselves and the people they serve. The basics still apply:

  • Use strong passwords;
  • Apply caution when using public Wi-Fi networks;
  • Do not reveal too much information about yourself online; and
  • Regularly back up personal data.

Experian’s Annual Fraud Indicator 2016 said fraud could be costing the UK economy up to £193 billion a year; phishing attacks, up by 21% in 2015, were estimated to cost the UK more than £280 million.

Information security professionals not too worried by Brexit

The UK’s decision to leave the European Union (EU) has raised concerns in the information security world, but most professional organisations are urging calm and pragmatism.

According to The Security Institute, the Brexit decision may have significant implications for the security profession and will inevitably present fresh challenges.

However, the organisation’s vice-president Alison Wakefield said security professionals pride themselves on being able to take the objective view, to put aside emotion and to focus instead on the hard facts of a situation.

“One thing we categorically disagree with is Michael Gove’s assertion that people in this country have had enough of experts,” she said.

“As an organisation that numbers a great many security experts in its membership, we believe the changes Brexit will bring mean that we, as a nation, will more than ever rely on these experts.”

Whatever cyber security challenges lie ahead as a result of Brexit, Wakefield said they will be met and overcome by the application of expertise and the diligent efforts of experts.

“The Security Institute’s raison d’être is to promote the professionalisation of security. Now that our country has chosen to go through a period of economic and political turbulence, let’s collectively – as experts in our field – do our utmost to re-emphasise professionalism, and redouble our efforts to help nurture security practitioners who can carry the ‘expert’ label with justification, pride and the external recognition they are due,” she said.

Adrian Davis, European managing director at security certification body (ISC)2, said information security is well-recognised as an international concern that has motivated levels of co-operation that already transcend national boundaries and politics.

“There is no reason to believe that this will come to an end or even be significantly interrupted by the Brexit vote,” he said, despite concerns from some information security professionals that cyber threat intelligence sharing may be impeded.

According to Davis, information security professionals in the UK and across Europe have at least two years to understand the practicalities that will affect their day-to-day job, and there is a good chance that quite a lot of what is anticipated over this time will not change.

The need in the UK to comply with the EU’s General Data Protection Regulation (GDPR) for example, will remain the same, he said, as UK businesses will continue handling EU citizens’ data.

“The march of technical innovation reflects global trends and will continue to shape the challenges we face on the front lines, and we all understand that threats and attacks are international. The work we do as a profession already ensures that the standards and practices required to face them account for differences in markets and regulatory expectations. I’m confident that, as a profession, information security professionals right across Europe will continue to work together,” said Davis.

Police ask for early contact of cyber crime

Businesses should contact the police as early as possible about cyber crime, even before they are targeted.

“The sooner we can become involved the better,” said Garry Lilburn, detective inspector, cyber crime unit, Metropolitan Police.

Current reporting mechanisms are “clunky” and there are plans to replace them, he said, but in the meantime, businesses can make direct contact with the cyber divisions of the National Crime Agency (0370 496 7622) UK-wide, or the Met Police for cyber crime in London (0207 230 8129), or 01452 752644 in Gloucestershire.

“Businesses can call us to discuss what is happening and get advice without having to officially report a crime and without fear of it leaking to the media or regulators,” said Lilburn, adding that some of the biggest cyber crime cases his unit has worked on have never been reported in public.

“If businesses contact us about cyber crime in action, we can advise them on how to mitigate the attack, preserve evidence, and how to communicate with cyber extortion gangs and even the media if necessary in the case of high-profile attacks,” he said.

However, Lilburn said businesses should engage with police even before they are targeted by cyber criminals.

“We offer a service of conducting table-top exercises with businesses so they can experience what it is like to work with the police in the event of an attack by cyber criminals and learn what kind of information we will need and the kind of questions we will ask,” he said.

Businesses should also develop plans for engaging with law enforcement before they are targeted by cyber criminals, and practice those plans in the same way they do fire drills, said Kurt Pipal, assistant legal attaché, office of the legal attaché at the FBI.

“Businesses should ensure they understand what law enforcement can do for them, what investigators are likely to ask for, and what they can do to help any investigation,” he said, adding that they should get their legal counsel involved because they are going to be one of the first points of contact with the police in the event of a cyber criminal attack.

“Many firms fear reputational damage and media exposure, but engaging early with law enforcement before anything happens often alleviates many of these types of concerns and makes them more comfortable in working with law enforcement when they are attacked,” said Pipal.
Police encourage information sharing

Cyber crime is almost always international in nature, but that should not put businesses off reporting cyber criminal activities, even if they appear to be coming from overseas or conducted through anonymising proxies, said Lilburn.

Many of the recent botnet takedowns involving the FBI have been the result of international law enforcement agencies working together, said Pipal.

“While cyber criminals may be based in countries where we cannot reach them, they also like to go on vacation, and often they go to countries where we do have the ability to make arrests, so businesses should talk to law enforcement about the cyber criminal activities they are seeing,” he said.

“Law enforcement should learn from this and also begin to find ways to collect information about bad actors that can be queried by law enforcement agencies around the world,” he said.

“Just because cyber criminals are located in other countries or appear to be anonymous, businesses should not assume we will not be interested or that we will not be able to take action against those responsible.”

Many of these third parties are small and medium enterprises that work as suppliers or partners to larger organisations, but these businesses typically do not have the same level of security awareness or resources as their bigger partners, said Ferguson.

“While large organisations have the resources to understand and respond to threat intelligence gathered through industry forums and the government-sponsored cyber security information sharing partnership (Cisp) and the national computer emergency response team, Cert-UK, smaller businesses do not,” he said.

Indeed, Cyber Security Force is part of the Gloucestershire Safer Cyber Forum, which is founded and run by the Gloucestershire Constabulary.