Data protection is critical for all small businesses

Small businesses that misuse data or fall victim to breaches not only risk financial loss, but also reputational damage.

Small businesses that misuse data or fall victim to breaches not only risk financial loss, but also reputational damage.

A study from Gigya showed that 69% of consumers have reservations about brands handling their personal information, while nearly half of UK firms were affected by a data breach in 2017.

By failing to implement sufficient mechanisms to protect customer data, companies not only risk incurring financial loss by having to pay hefty fines and mitigate damage caused by breaches, but they also risk reputational damage.
Facebook, for instance, has been criticised for taking a lacklustre approach to data privacy after it was discovered that that the social media site somehow let marketing firm Cambridge Analytica gain unauthorised access to an estimated 87 million user accounts.

With the compliance deadline for the EU’s General Data Protection Regulation (GDPR) on 25 May 2018, most firms should be considering what they can do to boost and improve their data protection procedures and prevent breaches.

Customer trust is paramount for small businesses

As the compliance deadline for the GDPR looms, firms have increasingly been exploring ways they can improve their security mechanisms. Businesses that fail to adhere to the law face having to pay up to €20m in fines.

Such a sum of money would be damaging for most firms, but reputational damage would be more catastrophic to companies. Consumers put their faith in firms that conduct good data practice.

Businesses must be more transparent at disclosing not only policies and terms and conditions, but exactly how the data will be used. They need to be more specific in terms of what data is being collected and detail the intended use. Many companies are asking customers for their permission to harvest data, but opt-in mechanisms are vague.

Consumers are becoming more aware about data privacy concerns, mainly because of news headlines. A key example is the Facebook and Cambridge Analytica debacle.

Data protection is a constant operation

Many businesses are failing to implement appropriate mechanisms to protect this information.

Personal data is considered to be one of the most sensitive categories of data an organisation has access to, and perhaps it is the most valuable. As the value of personal data increases, so should the controls needed to protect it.

Personal data should be processed only with clear consent given by the data owner, with a transparent agreement and an organisation-wide focus on preventing data theft or misuse.

To identify misuse, firms should constantly analyse their businesses procedures and operations to ensure they are compliant with the latest data protection safeguards. Firms should not assume that once they have installed or developed a system to protect customer data, they have nothing else to do.

With the GDPR compliance deadline looming, UK organisations should be in the final stages of educating their workforce and deploying the appropriate technology to manage the large swathes of information they hold.

As masses of devices continue to connect to the internet, it is clear companies will have access to an ever-growing amount of data. If they put the right data protection and management mechanisms in place, they can gain a lot of potential from customer information. But without sufficient safeguards, the risks will keep on growing and firms could find themselves in all sorts of trouble.

So if you want to save yourself stress, money and a damaged reputation from a phising data cyber incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Most UK Britons concerned about personal data sharing

More than half of UK consumers (57%) are worried that about how much personal data they have shared online.

More than half of UK consumers (57%) are worried that about how much personal data they have shared online.

Britons also feel that the data they share is not being used to benefit them, with 48% saying businesses benefit the most and 63% saying the organisation holding the data should be responsible for protecting it, according to a poll of more than 2,000 UK consumers commissioned by identity management firm ForgeRock.

Only a third (36%) of consumers say they would be likely to share personal data to get a more personalised service, with over half (53%) saying they would not be comfortable for their personal information to be shared with a third party under any circumstances. Just 15% say they would be likely to sell personal data to an organisation or business.

At the same time, UK consumers underestimate how much personal information is available online, with 46% saying they do not feel they know how much data is available about them online, 19% saying they think Twitter has access to data on users’ political affiliations, 31% believing Instagram has access to location data on its users, 48% thinking Facebook holds information on whether they have children, and 20% believing Facebook does not have access to any personal data about its users, despite the fact that social networks have access to this data on a large number of their users.

One in three would take legal action and 24% would contact the police about their personal data being shared.

British consumers are also clear that there would be consequences for any company sharing their data without their consent, with 58% saying they would stop using a company’s services completely if it shared data without their permission, 49% would remove or delete all the data held on them by that company, 44% would advise their family and friends against using the company, and 30% would request financial compensation.

Growing concerns about data sharing

With the EU’s General Data Protection Regulation (GDPR) set to give consumers much more control over their personal data and how it is used, the survey report said it is crucial that members of the public understand their rights and how their data is being used and shared.

The ForgeRock survey suggests there are growing concerns about data sharing, which businesses and regulators should address. Some 63% of UK consumers say they know little or nothing about their rights regarding personal data and 64% have never heard of or know nothing about GDPR.

Banks and credit card companies are most likely to be seen as trusted holders of personal data, the survey shows, with 82% of consumers reporting that they trust these organisations to store and use personal data responsibly. Amazon also performed well, with over three-quarters (78%) of consumers saying they trust the ecommerce company to manage personal data.

Social media platforms performed less well, with 63% of Britons saying they trust social networks to treat personal data in a responsible manner.

There is a clear correlation between the organisations consumers trust with their data and how in control they feel, the report said, with Amazon (60%), banks and credit card companies (58%) and mobile phone operators (51%) ranked as the organisations that give users most control over their data. Just 51% of UK consumers said they feel in control of the data that is shared with social media platforms.

In contrast, social media companies offer consumers experiences without any financial payment – instead they pay in data. If companies were more transparent about how their business models rely on purchases, attention or data, consumers would have a much stronger understanding of what their privacy risks are and could tailor their behaviours and trust levels accordingly.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Small businesses face unprecedented volume of cyber attacks

Small businesses are facing the highest levels of cyber attacks in both number and sophistication as automated swarm attacks increase.

Small businesses are facing the highest levels of cyber attacks in both number and sophistication as automated swarm attacks increase.

A cyber threat report reveals an average of 274 exploit detections per firm were recorded in the last quarter of 2017, up 82% from the previous quarter, according to Fortinet’s latest global threat landscape report.

The Fortinet report shows that the number of malware families also increased by 25% and unique variants grew by 19%, indicating not only growth in volume, but also an evolution of the malware.

Also, automated and sophisticated “swarm attacks” are accelerating, the report said, making it increasingly difficult for organisations to protect users, applications and devices.

As small businesses become more digital, the report warned that cyber criminals are taking advantage of the expanding attack surface to carry out new disruptive attacks, including swarm-like assaults that target multiple vulnerabilities, devices and access points simultaneously.

The combination of rapid threat development and the increased propagation of new variants is increasingly difficult for many organisations to counter, the report said.

The researchers found that encrypted traffic using HTTPS and SSL (secure sockets layer) grew to a high of 60% of total network traffic, but the report noted that although encryption can help protect data in motion as it moves between core, cloud and endpoint environments, it also represents a real challenge for traditional security technology that has no way of filtering encrypted traffic.

Three of the top 20 attacks identified in the quarter targeted internet of things (IoT) devices and exploit activity quadrupled against devices such as Wi-Fi cameras. None of these detections was associated with a known or named vulnerability, which the report said is one of the troubling aspects of vulnerable IoT devices.

Unlike previous IoT-related attacks, which focused on exploiting a single vulnerability, the report said new IoT botnets such as Reaper and Hajime can target multiple vulnerabilities simultaneously, which is much harder to combat.

The data shows ransomware is still prevalent, with several strains topping the list of malware variants. Locky was the most widespread malware variant and GlobeImposter was second.

The report highlighted an increase in sophisticated industrial malware, with the data showing an uptick in exploit activity against industrial control systems (ICS) and safety instrumental systems (SIS). This suggests these under-the-radar attacks might be climbing higher on attackers’ radar, the report said, citing an attack dubbed Triton, which has the ability to cover its tracks by overwriting the malware itself with garbage data to thwart forensic analysis.

Because these platforms affect vital critical infrastructures, they are enticing for threat actors, the report said, adding that successful attacks can cause significant damage with far-reaching impact.

The report also pointed out that steganography, which embeds malicious code in images, also appears to be resurgent.

The Sundown exploit kit, the report said, uses steganography to steal information, and although it has been around for some time, it was reported by more organisations than any other exploit kit, and was found dropping multiple ransomware variants.

The threat data in the quarter’s report reinforces many of the predictions made by the Fortinet FortiGuard Labs global research team for 2018, which forecast the rise of self-learning hivenets and swarmbots.

The report predicted that the attack surface will continue to expand, while visibility and control over today’s infrastructures diminish. To address the problems of speed and scale by adversaries, the report said organisations need to adopt strategies based on automation and integration.

“Security should operate at digital speeds by automating responses as well as applying intelligence and self-learning so that networks can make effective and autonomous decisions,” the report said.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

 

Cyber139 supports Safer Internet Day

Cyber 139 is backing Safer Internet Day which is building online safety practices with young people.

Cyber 139 is backing Safer Internet Day which is building online safety practices with young people.

Many organisations including Cyber139 around the UK are contributing to the important work on making the internet a safer place for everyone

Tuesday 6 February marks Safer Internet Day 2018. Using the hashtag #SID2018, organisations globally will celebrate the safe and positive use of technology.

In Britain, the UK Safer Internet Centre, will be coordinating the activities of over 100 countries to “unite for a better internet”.

Last year’s #SID2017 initiative saw its highest engagement with 1,645 UK organisations supporting the event. Some 42% of children aged 8-17 and 23% of parents heard about the day in 2017, and this year we hope to see more people aware and presented with the online resources to help young people navigate the web effectively and safely.

To achieve this, tech businesses can easily support the initiative by promoting and raising awareness through social media and using #SID2018. Some organisations will be going the extra mile by running events and creating resources that will be getting updated on an ongoing basis.

For example, the South West Grid for Learning run sessions for children, staff and parents throughout the year. Activities such as this mean a lot more schools directly working to involve parents actively, including online safety in the curriculum, and even empowering students in peer-to-peer activities to help each other stay safe.

Safe and secure environment

The idea of supporting #SID2018 is that we work throughout the year to ensure the internet is a safe, secure environment for young people at all times. This is not to negate the ongoing challenge that new technologies emerge every year, which adds complexity to this issue. Nonetheless, we need to understand that this evolving environment is one that our young children must move with, as it is likely to be them who will be using these technologies most in their future jobs, lives and relationships.

In a time where the UK must fill a digital skills gap, an acute understanding and practice of online safety education must evolve in parallel with the innovation of new products and services. This will enable individuals now and in the future to be safe, active digital citizens.

A number of organisations working in partnership with UK industry to tackle illegal content issues, such as WePROTECT, Global Alliance and the Internet Watch Foundation (IWF), are excellent sources of information. The Royal Foundation’s Cyberbullying Taskforce has also set up a new code for children which offers simple steps to help tackle cyber bullying – Stop, speak, support.

There are also technical solutions provided by online services such as Google’s Safe Search function and YouTube Kids, as well as Instagram’s keyword moderation tool which allows parents and users to block comments that contain inappropriate language.

Small business needs to reduce cyber security threat to payment card data

Small business’ cardholder data is a prime security target for cyber criminals – which is only likely to increase in the coming year.

Small business' cardholder data is a prime security target for cyber criminals - which is only likely to increase in the coming year.

Despite investment in security and compliance, 2018 shows no signs of high profile hacks slowing down, with most security suppliers predicting the ransomware attacks that dominated 2017 will continue, driven by an increase in the providers of ransomware as a service (RaaS).

This cyber criminal business model is expected to increase the potential for even non technical attackers to target poorly secured organisations and consumers – which means businesses will need to step up their cyber defences more than ever before.

However, this rising threat can be mitigated with the introduction of controls required to secure this data under the Payment Card Industry Data Security Standard (PCI DSS), according to secure payments firm PCI Pal.

Breached organisations demonstrated lower compliance with 10 out of the 12 PCI DSS key requirements, according to the Verizon 2017 payment security report.  Whilst compliance does not guarantee an organisation will not be breached, the data shows that failure to comply almost certainly means they will be breached.

“Businesses may not be able to reduce the number of incoming threats but, by ensuring PCI DSS compliance, they can certainly reduce the success rate,” said James Barham, chief commercial officer at PCI Pal.

To date, he said, the vast majority of security investment has focused firmly on keeping cyber criminals out, but that only works to a certain extent. “Because there is much greater impetus for the hackers to devise new methodologies to gain access and the security industry at large is only ever playing catch up, but we expect 2018 to see a step change in the mentality of data protection from trying to keep people out, to simply ensuring there is no data for them to take,” he said.

If businesses can remove the valuable data from their environments, said Barham, it no longer matters if there is a breach. “De-scoping PCI data will increasingly become the method of choice for businesses augmenting their intrusion prevention positions next year,” he said.

Businesses typically reduce the scope of their PCI DSS compliance by reducing or eliminating the cardholder data they store and switching to third party payment service providers.

Similar strategies can be used to reduce the likelihood of failure to comply with the EU’s General Data Protection Regulation (GDPR) after the compliance deadline of 25 May 2018.

Due to the significant financial penalties that will be imposed in the event of a breach, non-compliance will not be an option for the vast majority of businesses,” said Barham.

Another reason he believes businesses are likely to de-scope is that another round of changes to the PCI DSS is scheduled for July 2018.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

ICO fines Carphone Warehouse £400K over data loss

Carphone Warehouse has received one of the highest fines by the ICO after putting it’s clients’ personal data at risk.

Carphone Warehouse has received one of the highest fines by the ICO after putting it's clients' personal data at risk.

The UK privacy watchdog – the Information Commissioner’s Office (ICO) warns that more stringent data protection laws will apply from 25 May 2018, with potentially much greater fines.The Information

According to the ICO, the personal data at Carphone Warehouse was exposed in a cyber attack because of the company’s failure to protect the data from unauthorised access.

The compromised customer data included names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details.

The records for some Carphone Warehouse employees, including name, phone numbers, postcode and car registration, were also exposed.

In determining the monetary penalty, the ICO considered that the personal data involved would significantly affect individuals’ privacy, leaving their data at risk of being misused.

Information Commissioner Elizabeth Denham said that a company as large, well resourced and established as Carphone Warehouse should have been actively assessing its data security systems and ensuring that systems were robust and not vulnerable to such attacks.

“Carphone Warehouse should be at the top of its game when it comes to cyber security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures,” said Denham.

Following a detailed investigation, the ICO identified multiple inadequacies in Carphone Warehouse’s approach to data security and determined that the company had failed to take adequate steps to protect the personal information.

Using valid login credentials, intruders were able to access the system via an out of date version of WordPress software.

The incident also exposed inadequacies in the organisation’s technical security measures. The ICO said important elements of the software in use on the systems affected were out of date and the company had failed to carry out routine security testing.

The ICO said its investigation had revealed a serious contravention of Principle 7 of the Data Protection Act 1998, which requires appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

According to Denham, the real victims are customers and employees whose information was open to abuse by the malicious actions of the intruder.

“The law says it is the company’s responsibility to protect customer and employee personal information,” she said. “Outsiders should not be getting to such systems in the first place. Having an effective layered security system will help to mitigate any attack – systems can’t be exploited if intruders can’t get in.

“There will always be attempts to breach organisations’ systems and cyber attacks are becoming more frequent as adversaries become more determined. But companies and public bodies need to take serious steps to protect systems and, most importantly, customers and employees.”

From 25 May this year, the law will get more stringent as the General Data Protection Regulation (GDPR) compliance deadline is reached, the ICO said.

Data protection by design is one of the GDPR’s requirements, the regulator said, and must be in every part of information processing, from the hardware and software to the procedures, guidelines, standards and polices that an organisation has or should have.

Companies and public bodies should ensure strong IT governance and information security measures are in place, tested and refreshed to comply with the provisions of the law, the ICO said.

Failure to comply with the GDPR requirements will put companies at risk of fines of up to €20m or 4% of their global annual turnover.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Cyber 139 wishes You a Safe and Secure New Year

Cyber 139 wishes You a Safe and Secure New Year in 2018

Cyber 139 wishes You a Safe and Secure New Year in 2018
With 2018 now here we hope that you have had a Merry Christmas and a great festive break and hope that you are looking forward to a safe and secure year ahead.