Welcome Chris Joberns- Managing Director at Strident Experts With - - PowerPoint PPT Presentation



SLIDE 1

SLIDE 2

Welcome

Chris Joberns – Managing Director at Strident

SLIDE 3

Experts With Practical Answers

  • Becky Moran – ReMo, ISO and GDPR guru. Becky will introduce GDPR and highlight areas you need to address
  • Darren Davies – ESET. Darren will demonstrate the very latest tools and techniques
  • Chris Joberns – Strident. I will conclude by explaining the 9 critical issues your IT company must address

SLIDE 4

Becky Moran

SLIDE 5

“It’s a horrific piece of legislation. It was designed for online retailers like Amazon, but it captures us. We have a lot of work to do to become compliant”

Chief Data Officer, Global Investment Bank

SLIDE 6

25th May 2018

SLIDE 7

The six principles

Personal data shall be:

1. Processed lawfully, fairly and in a transparent manner in relation to the data subject
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

SLIDE 8

The six principles (continued)

4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
5. Retained only as long as necessary
6. Processed in an appropriate way to ensure its security

SLIDE 9

Why security?

  • 2016 Tesco Bank – fraudsters steal thousands, resulting in online accounts being frozen
  • 2016 SWIFT banking system hacked 3 times in a single summer, totalling $81M in losses
  • 2016 Ukrainian bank hacked – hackers make off with $10M by exploiting the messaging system
  • 2016 State Bank of India (SBI.NS) suffered a breach in which 3.2 million debit cards were compromised and customers suffered fraudulent transactions on their accounts

SLIDE 10

Why security?

Bob Quick, Anti-Terror Officer: in 2009 he was forced to resign after this blunder.

Cyber security is not your only concern.

SLIDE 11

How do we meet the six principles?

  • Privacy by design (risk identification and treatment, setting of security objectives)
  • Encryption, anonymisation and pseudonymisation of personal data
  • Secure backup and disaster recovery
  • Network segregation
  • Know your data and its physical location
  • Plus MUCH more…

SLIDE 12

Personal data – redefined

Personal data definitions have changed….

SLIDE 13

Personal data – redefined

“Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”.

European Commission (EC)

SLIDE 14

Personal data – redefined

Special or sensitive personal data

Examples of personal data:

  • Race
  • Passport information
  • Biometric data: voice, fingerprints, DNA, retinal scans, handwriting
  • Gender
  • Religion
  • Medical information
  • Political views
  • IP address
  • Date of birth
  • National Insurance number
  • Genetic information
  • Twitter handle
  • Banking information
  • Credit and debit card information
  • Personal email address
  • Mother’s maiden name
  • Browser / web cookie
  • Driving licence number
  • Tax information
  • Telephone number
  • Home address
  • Training and education
  • Criminal record
  • Salary
  • Clicks
  • School / college
  • Country, county, postcode or town of residence or origin
  • Profession
  • Place of work or employer name
  • Age
  • Flight number or last destination

SLIDE 15

Special categories of personal data

Processing of the following special personal data is prohibited:

  • Race or ethnic origin
  • Biometric data
  • Religion
  • Political opinions
  • Health data
  • Genetic data
  • Sexual orientation or information about a data subject’s sex life
  • Trade union membership
  • Philosophical views

SLIDE 16

Consent (legal basis vs consent, & children)

The following conditions apply for consent:

  • In order to process personal data, the controller must have a legal basis for processing or gain consent from the data subjects
  • When gaining consent, subjects must be made aware of their rights
  • Consent age for Europeans is 16
  • Member states can reduce this age, but to no lower than 13
  • The controller will make reasonable efforts to verify parental consent

SLIDE 17

Secure the human – training and awareness for your employees

Human risk = BIGGEST RISK!

  • Include security stipulations within employment contracts
  • Where you are processing personal information, enter your staff into a Non-Disclosure Agreement (NDA)
  • Train your staff to be security aware; ensure the training is ongoing and is tested
  • Control access to information – the minimum access needed to perform the duties of a role
  • Control mobile devices
  • Include all types of security threat in the training – cyber isn’t your only concern….

SLIDE 18

Breaches & reporting

  • 72 hour reporting rule (ICO reporting)
  • Must have a disaster recovery plan
  • Data subjects must be notified if their data is compromised

SLIDE 19

Penalties

October 2016: TalkTalk received a fine of £400K for failing to protect the personal data of over a million customers. They were later fined a further £100K for failing to report the breach.

Under GDPR, the fines could have totalled over £32M!

SLIDE 20

Penalties

The GDPR carries huge penalties:

  • €10,000,000 or 2% of global annual turnover for the infringement of requirements (lesser)
  • €20,000,000 or 4% of global annual turnover for the infringement of requirements (severe)
  • The ICO estimates that small to medium sized businesses could face fines of up to £60,000 under GDPR

Sally Anne Poole, ICO Enforcement Manager, said: “Regardless of your size, if you are a business that handles personal information then data protection laws apply to you”

SLIDE 21

UK Data Protection Bill (REVIEW)

  • Published on 14th September 2017
  • Aligns with the requirements of GDPR, with a few exemptions

SLIDE 22

Next steps

  • Know the GDPR basics
  • Understand data subjects’ rights
  • Look at your business processes – understand where personal data resides
  • Understand the risks posed to the personal data
  • Protect it in a way your business can afford
  • Document it

SLIDE 23

Further information

The Information Commissioner’s Office provides a huge amount of information and guidance online for free. This includes help with writing your privacy notice, how to perform PIAs, the 12 steps to compliance plan + much more: https://ico.org.uk/

Free data security training: https://www.gov.uk/government/collections/cyber-security-training-for-business

SLIDE 24

Darren Davies

SLIDE 25

SLIDE 26

Encryption – General

In the 2015 ‘Information and Security Breaches Survey Technical Report’, 90% of large organisations and 74% of small to medium enterprises had suffered some form of data breach.

Cost of breaches: large organisations = £1.46m to £3.14m; SMEs = £75k to £311k

Typical breaches: malicious outsider; well-meaning insider

SLIDE 27

New EU data protection reform for 2018

The European Commission plans to unify data protection within the EU with a single law, the General Data Protection Regulation (GDPR).

  • One continent, one law
  • Non-European companies must comply with EU regulation
  • Compulsory data protection officer
  • Data breach notifications within 72 hours
  • Penalties to € 20,000,000 or 4% of worldwide revenue
  • Date: 25 May 2018; member states have had two years to comply

SLIDE 28

GDPR – General Data Protection Regulation

GDPR states organisations need to secure…… any information relating to an identified or identifiable natural person (hereinafter referred to as ‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

Companies need to understand…

  • What data they hold
  • Where it is
  • What is potentially under the radar

SLIDE 29

Ministry of Justice

Fined £180,000 by the Information Commissioner's Office (ICO)

  • The penalty follows the loss of a back-up hard drive at HMP Erlestoke prison in Wiltshire
  • The hard drive contained sensitive and confidential information about 2,935 prisoners
  • Including details of links to organised crime, health information, history of drug misuse and material about victims and visitors
  • The device was not encrypted

Stephen Eckersley, head of enforcement at the ICO, said: “The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it beggars belief.” “This is simply not good enough”

SLIDE 30

NHS Surrey

Fined £200,000 by the Information Commissioner's Office (ICO)

  • More than 3,000 patient records were found on a second hand computer
  • NHS Surrey was alerted to the problem by a member of the public
  • Further investigation found confidential sensitive personal data and HR records
  • Including patient records relating to approximately 900 adults and 2,000 children on the device

Stephen Eckersley, head of enforcement at the ICO, said: “The facts of this breach are truly shocking” “This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case”

SLIDE 31

North East Lincolnshire Council

Fined £80,000 by the Information Commissioner's Office (ICO)

  • The penalty follows the loss of a USB stick in the council offices
  • The USB stick contained data on 286 school children
  • Including name, DOB, gender, address, physical/mental difficulties, detail on home life
  • The device was not encrypted. Data never recovered

SLIDE 32

High profile examples of how not to comply

Lawyers take issue at TalkTalk's 'no obligation to encrypt' blurt
www.theregister.co.uk/2015/10/26/talktalk_crypto_obligation/

“It wasn't encrypted, nor are you legally required to encrypt it.” “We have complied with all of our legal obligations in terms of storing of financial information.”
TalkTalk CEO, Dido Harding

“If personal data has been stolen, then a notification will be required to the ICO and there is a chance that TalkTalk will suffer fines as a result. At present, the ICO is permitted to fine up to £500,000. If this happened with the GDPR [General Data Protection Regulation] in place, TalkTalk could be looking at significantly greater fines of up to €100 million or 4 per cent of annual turnover.”
Alex Cravero, commercial associate at legal firm Kemp Little

SLIDE 33

SLIDE 34

SLIDE 35

High profile examples of how not to comply

Sony fined £250,000 after millions of details compromised

Sony Computer Entertainment Europe Limited received a monetary penalty of £250,000 from the ICO following a serious breach of the Data Protection Act. In total it’s estimated that the breach cost Sony $170 million, excluding the ensuing lawsuits, government scrutiny from both the US and UK, not to mention a major drop in its stock price.

www.ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2013/01/sony-fined-250-000-after-millions-of-uk-gamers-details-compromised/

SLIDE 36

Chris Joberns

SLIDE 37

About Strident

Rock solid

We help SMEs raise their business performance through IT. We are financially sound, employ twenty colleagues and celebrate a quarter of a century of trading in 2018.

Customer centric

We work with nearly 300 organisations, most of which have been with us for more than 10 years. Independent surveys confirm a 98% customer satisfaction rating.

Business focused

Run your business, don’t worry about your IT. Our ‘business benefits, not bits and bytes’ approach ensures we continue to deliver relevant and practical IT business solutions.

Great people

People are our biggest asset and we maximise their potential. Recognised as an Investor in People five times over, we remain ‘Suffolk’s Best Employer’.

Carbon balanced

We take sustainability seriously and our green credentials underpin our offers. Our headquarters is ‘Neutral Territory' and we are Suffolk Low Carbon Charter holders.

Quality assured

We manage through people not paper, with formal policies for critical processes. We are working towards ISO 27001 to ensure these exceed our customers’ expectations.

SLIDE 38

1. Data exposure

  • Limit access to your data to prevent unauthorised individuals and malicious programs from copying or editing important information.
  • Organise your infrastructure into ‘security groups’ to limit unauthorised access to sensitive data.
  • If a computer becomes infected with a virus, the amount of damage or data theft can then be contained too.
SLIDE 39

2. Data location

  • It is your responsibility to understand where your data is being held and whether the standards of the service provided meet the standards of GDPR.
  • Microsoft and other cloud providers are seeing a growing demand for data residency.
  • Work with your suppliers to ensure your data is being held in compliance with the regulations.
SLIDE 40

3. Secure backups

  • Ensure your files, databases and emails are all backed up frequently.
  • Encrypt backups locally before they are copied, with recovery passwords only held by authorised individuals.
  • Some backup programmes just take a copy of your data and store it on an easy to read USB or cloud drive. This means anyone with access to your backups has access to your entire company information system.
SLIDE 41

4. Data encryption

  • A device login password is not sufficient to protect your business data. This low-level protection is easy to circumvent.
  • Adopt data encryption that goes beyond a simple login password.
  • This places all your data in a secure ‘wrapper’, denying unauthorised access even if your computer’s hard drive has been removed and attacked directly.
SLIDE 42

5. Password management

  • Weak, easy and shared passwords allow unauthorised users to gain access to your company data.
  • Two-factor authentication uses a secondary device such as a smartphone to generate a time-sensitive unique code in addition to your password.
  • Enable two-factor authentication wherever possible for maximum security.
SLIDE 43

6. Device management

  • Cloud-based services allow multiple devices to access your data. Many of your colleagues will use company issued devices for personal use and vice versa.
  • This enables your business data to proliferate on unsecured devices and allows malicious and accidental data breaches.
  • Use device management software to allow your colleagues to use devices for both personal and work use while still ensuring your company data is secure by ‘ring fencing’ it from unauthorised device apps.
SLIDE 44

7. Security awareness

  • Good security starts with vigilant users.
  • Help your users to understand security issues, from the basics such as keeping passwords on sticky notes and storing data in unsecure formats on USB drives, to recognising ‘phishing’ emails.
  • Keep them up to date with new security attacks, such as impersonation attacks, that rely on them being complacent and allowing access to important files.
SLIDE 45

8. Network segregation

  • Segregating your network helps ensure that one access point does not give the ability to reach your entire business network.
  • Not only is security improved, but so is network performance.
  • Isolate network environments, such as separate public and private wi-fi access. Place systems such as telephone and data on different networks to prevent users of one system attempting to hack another.
SLIDE 46

9. Security updates

  • In addition to updating software functionality, software vendors continuously roll out updates in order to maintain security.
  • In recent ransomware attacks Windows 10 users were protected while users of earlier versions were still vulnerable.
  • Ensure you are using the latest software and monitor your users to ensure security updates are applied effectively, regardless of whether users find updates intrusive and unnecessary.
SLIDE 47

What next?

Get in touch: www.strident.co.uk
Email: chris.joberns@strident.co.uk
Phone: 01473 835 281

SLIDE 48

Thank You for Listening. Questions welcome…