Wednesday, 27 November 2019

Deal or No Deal Brexit | The Impact on EU GDPR



Photo credit: https://www.bighospitality.co.uk/Article/2019/08/21/Beyond-Brexit-are-restaurant-supply-chains-ready-for-no-deal

Written by Steve Giachardi

On 25th May 2018, data protection moved from the shadows into the spotlight. Suddenly, businesses of all sizes were at risk of huge fines for failure to comply with the new law, marketeers were in fear of contacting people without their consent, small businesses were rapidly adding cookie warnings and privacy notices to their websites - explaining what they did with your personal data, and larger companies were creating whole departments to respond to an anticipated deluge of data access requests. The media focus throughout the whole “GDPR is coming” furore was of course the massive fines - €20 million or 4% of your annual turnover, whichever is greater… And, lurking in the corner, was Brexit.

What will be the impact of Brexit on GDPR? Will Brexit mean that GDPR will no longer apply?

The simple answer is nothing will change – at least for the foreseeable future. GDPR will still apply to companies in the UK as it does to all companies that are in possession of data belonging to EU citizens.

If the UK leaves without a deal, the UK Government has prepared the EU (Withdrawal) Act 2018 (EUWA) which retains the GDPR in UK law. The purpose of the EUWA is to ensure that the fundamental principles, obligations, and rights that organisations and data subjects have become familiar with will stay the same. The EU Withdrawal Act gives the government the power to make appropriate amendments to ensure that GDPR works effectively in a UK context.

But what does this actually mean for your business? It’s all very well understanding that the government has a bill that sounds like a Star Wars character, but what impact will a no-deal Brexit have on your business?

Transferring Data – Inside and Outside the European Economic Area (EEA)


The UK Government has published guidance, stating the following about transferring data between EEA (European Economic Area) states: “The UK will recognise all EEA states, EU and EEA institutions, and Gibraltar as providing adequate levels of protection for personal data”. This means that personal data can be freely transferred between those states following the UK’s exit from the EU.  

For the transfer of personal data outside of the EU, this will continue with countries or territories that have an existing adequacy decision already in place such as Japan, Canada, Israel, and the United States.

Brexit will have no immediate impact on existing data transfer between your business and your trading partners.

If you are an organisation that has Standard Contractual Clauses (SCCs) in place between you and your trading partners, these will continue to be valid. There will be no need for an interruption in the flow of data between organisations. Moving forward, the UK Information Commissioner's Office, rather than the EU, will be empowered to issue new SCCs after the UK leaves the EU. But again, essentially, nothing really changes.

The biggest questions, I guess, are those around Data Controllers / Data Processors. Will there be an impact on leaving the EU? Will this change the status of my organisation? Again, the answer is no. The UK Government states the “responsibilities of data controllers across the UK will not change”. But the decision on whether your business is a Data Controller, or a Data Processor, is still decided by establishing who determines what data should be collected and what that data is going to be used for.

EU GDPR – Friend or Foe?


Interestingly, the EU GDPR has had an influence on data protection regulations beyond Europe, especially those relating to Personal Information, and in a refreshingly good way. The UK Data Protection Act 2018 amendments released last year aligned the privacy and data regulation with the GDPR. ISO/IEC, the Swiss-based International Standards Organisation, released an extension to the ISO/IEC 27001 certification, ISO/IEC 27701, which focuses on security techniques specifically around Personally Identifiable Information (PII). The extension looks at the controls relating to both Controllers and Processors and the impact of those controls on PII. The incoming California Consumer Privacy Act is another piece of legislation that seems to take its lead from the GDPR.

The magic, or beauty, of the GDPR is that it transfers the power from the organisation to the person (the data subject). In truth, the exponential growth of the internet into every corner of our (working) lives has happened with a zeal for the possible. The idea that data, especially identity, would become more valuable than gold was unthinkable when the internet was launched. We all created data back then - whether it was our first website, or those posts in the text chat forums - we were leaving behind evidence of our identity. Now, trying to regulate what happens with our data is very much closing the stable door while the horse is galloping into the next valley!

The Power (and Responsibility) of Personally Identifiable Information


The attempt by the GDPR to rein in the use of PII, to restrict what companies can and can’t do with the data that we, in whatever capacity, share with them is to be welcomed. That it creates an unwelcome extra level of diligence on organisations highlights that the correct governance and procedures weren’t in place from the beginning.

The adoption of the internet has been fuelled by the advances in the infrastructure that supports it. The whole new working paradigms of Infrastructure, Software and Programs "as-a-service" have only been possible with the spread of fibre broadband to reliably deliver these services. Office 365, Amazon Web Services, Google Cloud, Salesforce, Slack - none of these everyday business programs would be possible without reliable internet.

All these services need your identity for you to be able to access them. PII is the new firewall. Your identity is the edge. That’s why it’s so important that companies take care of the usernames, email addresses, bank details, national insurance numbers, driving licence numbers, and passport numbers that we provide.

That’s why there’s a need for GDPR and that is why, after Brexit, there will still need to be good PII protection by default in organisations that deal with data belonging to EU Citizens.

Brexit changes nothing – for now, at least.

Get a Deal - Not a Steal - This Black Friday


Photo credit: https://ultiworld.com/2017/11/24/definitive-2017-black-friday-deals-thread/

Written by Stuart Peck

Cyber attacks on Black Friday and Cyber Monday are becoming increasingly common; it’s the one time of the year where cyber criminals really do follow the money. With the increased focus on grabbing an amazing deal, it’s easy to get caught up in the bargain hunting without realising the risks.

Shoppers in the UK spent £1.4 billion on Black Friday last year and this is only expected to increase in 2019; with such a large influx of online transactions comes an increased attack surface, and cyber criminals will be banking on weaknesses in our online security. This article discusses the top 3 things you can do to protect yourself and shop safely online.


1) Gone Phishing

Phishing remains a highly effective way for a cyber criminal to target both companies and consumers, with credential stealing and malware delivery being the most common objectives.

During Black Friday, however, what might look suspicious on any other day may get lost amongst the legitimate deals - it is always tempting in the spirit of bargain hunting to go for that one offer that seems too good to be true – and it’s that split-second decision that could lead to a compromise of your machine or an attacker gaining access to your credentials and other sensitive information.

Phishing In Practice: A Real Life Example


Cyber criminals will use social engineering techniques which rely on distraction, fear, and urgency, and during this time it is vital that we all be mindful of failed package delivery emails, offers too good to be true, fake shipping invoices, and the like. Avoid clicking links and opening attachments unless you are explicitly expecting them. The reality is that phishing increases dramatically before and during Black Friday and Cyber Monday, so be extra vigilant.

Top tip: create login bookmarks of all the shopping sites you may use over Black Friday and Cyber Monday, and use these instead of gambling by clicking links in emails, or use a password manager such as 1Password, Keeper, etc.


2) Reusing Passwords Online

Cyber criminals are constantly exploiting weaknesses in passwords for online accounts - in a lot of cases, passwords which we think are secret are not. There are over 11 billion leaked or stolen credentials available to attackers for a small fee or, in most cases, free.

These all come from hacks (and leaks) of third-party social media, ecommerce, dating, and business applications, among others. The usernames and passwords are collected and usually dumped online at some point after a breach. And, given that the average person has over 24 online accounts, it's very taxing trying to create a unique password for each one, meaning that most people reuse a variant of a password they like. You can check whether your own credentials have been exposed by using https://haveibeenpwned.com.
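The check behind that advice can be done without ever sending the password itself. The Pwned Passwords range API published by haveibeenpwned.com accepts only the first five hex characters of the password's SHA-1 and returns every known suffix for that prefix, so the client does the final match locally. The following is an added example, not code from the post's author or from haveibeenpwned.com; the range response embedded below is constructed for offline use (the suffix for "password" is real, the count is made up), and `breach_count` only touches the network if you omit the `range_body` argument.

```python
"""k-anonymity password exposure check (added example, not the post's code).

Flow: SHA-1(password) -> send 5-char prefix -> receive 'SUFFIX:COUNT' lines
-> compare the remaining 35 chars locally. The service never sees the hash.
"""
import hashlib
from typing import Optional, Tuple
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed sample body for prefix 5BAA6 (the prefix of SHA-1("password")).
# The first suffix is the genuine remainder of that hash; the counts and the
# other suffix are made-up values so the example runs offline.
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent
    and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def match_suffix(range_body: str, suffix: str) -> int:
    """Parse a range response and return the breach count for `suffix`,
    or 0 when the suffix is absent. Malformed lines are skipped."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            try:
                return int(count)
            except ValueError:
                return 0
    return 0


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Fetch the suffix list for a 5-char prefix (network access needed)."""
    req = Request(RANGE_URL.format(prefix=prefix),
                  headers={"User-Agent": "pwned-check-example"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_body: Optional[str] = None) -> int:
    """Number of times `password` appears in the corpus; 0 means not found.
    Pass `range_body` to evaluate a response you already hold (offline)."""
    prefix, suffix = sha1_prefix_suffix(password)
    if range_body is None:
        range_body = fetch_range(prefix)
    return match_suffix(range_body, suffix)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    for pw in ("password", "a-much-longer-unique-phrase-9f3"):
        n = breach_count(pw, SAMPLE_RANGE_5BAA6)
        verdict = f"seen {n} times, do not use" if n else "not in sample set"
        print(f"{pw!r}: {verdict}")
```

The design point is what leaves the machine: five hex characters identify roughly one in a million hashes, so the service cannot recover which password was checked, and the comparison of the full suffix happens locally. A "not found" result only means the password is absent from the corpus, not that it is strong.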
Combined with the number of passwords harvested by attackers, it's highly likely that the password you are currently using for your email, Amazon, or social media is in one of these dumps.

The best way to combat this is to use a password manager, which will generate a strong, random and unique password for each of your online accounts, leaving you only one password to remember - the master password for the password manager. There are plenty of good password managers; offline ones are the most secure but also the least user friendly, while online ones are the least secure option, yet still more secure than reusing the same password across sites.

It is also vital that you protect online accounts further by using multi-factor authentication (MFA). This is usually a random code that is either generated by a mobile app (Google Authenticator or Microsoft Authenticator) or sent to your mobile, and that is required on top of a username and password combination.

This will prevent attackers from logging into your accounts even if they know your password, as they need the token generated by MFA. This is another layer of security and will make it harder - not impossible - for a determined attacker. There is an increased trend of attackers phishing for MFA tokens, especially for email accounts, so be mindful and refer to point one about clicking links.


3) Safe Browsing Habits

There will be plenty of adverts and offers on the sites you visit over the next few days; most of these will be legitimate, however, the risks of visiting a bogus site are heightened, so being mindful of this is key. Attackers will push out malicious adverts over legitimate channels in the hope of landing unsuspecting bargain hunters, either to steal credentials or to deliver malware to steal sensitive information or credit card details.

The safest way to prevent this is to use the legitimate mobile apps for online retailers, rather than running the risk of hitting a phishing site. If this is not an option, then avoid the temptation of clicking on adverts over this period or, better yet, block them altogether. For Black Friday and Cyber Monday use the Brave browser for your online shopping, which focuses on protecting your privacy by blocking cookie trackers and adverts, and potential unwanted content.

Finally, check the site you are on; a website can still be a fake website if it has a padlock and/or ‘https’ in the address bar. These simply mean data is encrypted when transferred over the internet, not that the website itself is trustworthy. Check the address, keep your eye out for anything unusual and, if in doubt, don’t enter any information and leave the site.


Summary

In summary, if you rely on the principles of Verify First then Trust, then many social engineering attacks can be prevented. Like the old saying - if it’s too good to be true then it probably is, but with a sting in the tail.

Tuesday, 29 October 2019

Passwords or Passphrases? Being More Secure Online



Written by Adrien Souyris 

"Sorry, your password must be at least 8 characters long, contain a capital letter, a number, a special character, an inspiring message, a spell, a gang sign, a hieroglyph and a quantum mechanics equation"

There are three main methods of proving your identity online: 
  • Through something you have (for instance, a smartcard)
  • Through something you are (entering the realm of biometrics here)
  • Through something you know (usually a password)


The latter is the most widely used means of authentication, being the cheapest to implement and manage. However, passwords introduce a significant problem:

  • A strong password which is difficult to guess, typically being at least 8 characters and containing an upper case, lower case, number, symbol, and being a phrase rather than a word, will be difficult to remember
  • A simple password which is easy to remember, either because it is short, contains simple patterns, or is a single word, will be easily guessed by an attacker
  • Writing down a password turns it into "something you have" and makes it vulnerable to theft or copying


Passwords are one of the weakest ways of authenticating yourself, but there are a couple of neat tricks to secure your accounts while making your life easier.

Multi-factor authentication 

Authentication can be achieved by using one of the five authentication factors. Multi-factor authentication (MFA) simply makes use of two or more of the above. But how can we make this work in a simple manner? Well, nearly anyone can authenticate using "something they have".

MFA for mobiles works by asking for a second, six-digit, one-use password each time you log in to your account.

This password is either: 

  • Received by text message
  • Generated by a smartphone app (such as Google Authenticator)


So, if a cyber criminal attempts to hack your account, they will be unable to access your data without your phone. Google, Amazon, and social media accounts support MFA.

Password managers

Instead of writing down passwords, there is one tool used for remembering strong, complex, lengthy passwords: password managers.

These applications act as a secure notebook for your credentials. With a password manager, you can use more complex passwords such as @p:[^U5w}cAvA<b4>^G+. The only password you need to remember is a strong one for your ‘notebook’. Most of these managers can automatically connect you on any website you return to, and the majority can also be protected using MFA.

Use passphrases 

When password managers are not an option, an alternative to re-using credentials or having weak passwords is to use passphrases. Passphrases are usually quotes, expressions, or any memorable series of words. Passphrases lack complexity but are longer, making it easier for you to remember but harder for hackers to crack!  

Thursday, 17 October 2019

ISO/IEC 27001 | Gaining Your Competitive Advantage

Written by Steve Giachardi

There are many benefits to your organisation aligning or certifying to business standards: documenting that you have strong governance in place, ensuring that you are adopting best practice, and demonstrating that you take security seriously, to name a few. In this article we will discuss the benefits of aligning and certifying to ISO/IEC 27001.

Deriving from the Greek word Iso, meaning equal, ISO/IEC 27001 is now widely recognised as the de facto standard for information security, controlled by the governing body, the International Organisation for Standardisation.

There are 31,910 organisations globally that are ISO/IEC 27001 certified, with 2,444 in the UK and 9,111 in America alone. So, why are so many organisations choosing to certify to ISO/IEC 27001?

Good governance, best practice, strong controls, and maturing as an organisation are all important and admirable objectives, but perhaps the greatest benefit is in fact a commercial one. Information and cyber security are common boardroom topics that often filter down into what organisations demand from their suppliers. This is particularly true of, but not limited to, financial services, pharmaceuticals and any industry that is highly regulated or that has valuable assets to protect, such as customer data or intellectual property.

Demonstrating that you take information security seriously, as a potential new supplier, can ultimately mean the difference between winning or losing your next tender process.        

ISO/IEC 27001 Overview

This article discusses ISO/IEC 27001, its purpose and its benefits, addressing specification and requirements, ISMS (information security management system) specification and requirements, and issues with ISMS.

ISO/IEC 27001:2013 is an information security standard that was published on the 25th September 2013. It supersedes ISO/IEC 27001:2005 and is published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. It is a specification for, and recognised as the best practice framework for, an ISMS. Organisations meeting the standard may gain an official certification issued by an independent and accredited certification body on successful completion of a formal audit process. Organisations will meet information security standards by aligning to ISO/IEC 27001, making them likely to win more business, especially with enterprise organisations.

International information security standards

ISO/IEC 27001:2013 specifies 114 controls in 14 groups:
  • A.5 - Information security policies
  • A.6 - How information security is organised
  • A.7 - Human resources security - controls that are applied before, during, or after employment
  • A.8 - Asset management
  • A.9 - Access controls and managing user access
  • A.10 - Cryptographic technology
  • A.11 - Physical security of the organisation's sites and equipment
  • A.12 - Operational security
  • A.13 - Secure communications and data transfer
  • A.14 - Secure acquisition, development, and support of information systems
  • A.15 - Security for suppliers and third parties
  • A.16 - Incident management
  • A.17 - Business continuity/disaster recovery (to the extent that it affects information security)
  • A.18 - Compliance - with internal requirements, such as policies, and with external requirements, such as laws.

ISMS Requirements

The official title of the standard is "Information technology — Security techniques — Information security management systems — Requirements".

ISO/IEC 27001:2013 has ten short clauses, plus a long annex, which cover:

1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organisational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system's performance
10. Corrective action
Annex A: List of controls and their objectives.

This structure mirrors the structure of other new management standards such as ISO 22301 (business continuity management); this helps organisations who aim to comply with multiple standards, to improve their IT from different perspectives.

Information Security Management System

An information security management system (ISMS) is a set of policies concerned with information security management or IT-related risks. The term arose primarily out of BS 7799.

The governing principle behind an ISMS is that an organisation should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organisation and external environment. ISO/IEC 27001:2013 therefore incorporated the "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach:
  • The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
  • The Do phase involves implementing and operating the controls.
  • The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
  • In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.

ISO/IEC 27001:2013 is a risk-based information security standard, which means that organisations need to have a risk management process in place. The risk management process fits into the PDCA model given above.

Other frameworks such as COBIT and ITIL touch on security issues, but are mainly geared toward creating a governance framework for information and IT more generally. COBIT has a companion framework, Risk IT, dedicated to Information security.

The development of an ISMS framework based on ISO/IEC 27001:2013 entails the following six steps:
  1. Definition of security policy
  2. Definition of ISMS scope
  3. Risk assessment (as part of risk management)
  4. Risk management
  5. Selection of appropriate controls
  6. Statement of applicability

ISMS Requirements

To be effective, the ISMS must:
  • have the continuous, unshakeable and visible support and commitment of the organisation’s top management
  • be managed centrally, based on a common strategy and policy across the entire organisation
  • be an integral part of the overall management of the organisation related to and reflecting the organisation’s approach to risk management, the control objectives and controls and the degree of assurance required
  • have security objectives and activities based on business objectives and requirements and led by business management
  • undertake only necessary tasks, avoiding over-control and waste of valuable resources
  • fully comply with the organisation philosophy and mindset by providing a system that, instead of preventing people from doing what they are employed to do, will enable them to do it in control and demonstrate their fulfilled accountabilities
  • be based on continuous training and awareness of staff and avoid the use of disciplinary measures and “police” or “military” practices
  • be a never-ending process

Dynamic Issues In ISMS

There are three main problems which lead to uncertainty in information security management systems (ISMS):

  • Dynamically changing security requirements of an organisation
Rapid technological development raises new security concerns for organisations. The existing security measures and requirements become obsolete as new vulnerabilities arise with the development in technology. To overcome this issue, the ISMS should organise and manage dynamically changing requirements and keep the system up to date.

  • Externalities caused by a security system
Externality is an economic concept for the effects borne by the party that is not directly involved in a transaction. Externalities could be positive or negative. The ISMS deployed in an organisation may also cause externalities for other interacting systems. Externalities caused by the ISMS are uncertain and cannot be predetermined before the ISMS is deployed. The internalisation of externalities caused by the ISMS is needed in order to benefit internalising organisations and interacting partners by protecting them from vulnerable ISMS behaviours.

  • Obsolete evaluation of security concerns
The evaluations of security concerns used in ISMS become obsolete as the technology progresses and new threats and vulnerabilities arise. The need for continuous security evaluation of organisational products, services, methods and technology is essential to maintain an effective ISMS. The evaluated security concerns need to be re-evaluated. A continuous security evaluation mechanism of ISMS within the organisation is a critical need to achieve information security objectives. The re-evaluation process is tied with the dynamic security requirement management process discussed above.

Summary


Is ISO/IEC 27001 accreditation for everyone? Perhaps not. But if your business is serious about reducing risk, and is looking for an effective way to assess the risks in your business (Plan), implement controls to measure that risk (Do), use these to benchmark ongoing performance (Check), and continuously review the ISMS as the business changes over time (Act)? Yes, absolutely.

An ISO journey may seem like a big undertaking but, for most, the benefits far outweigh the initial investment, and the journey to accreditation can be surprisingly short. Rarely is there a better opportunity to drive cultural change in a business and, not only that, one that leads to both a mature information security posture, as well as your business’s next big competitive advantage.