I recently attended a (very early morning!) presentation all around ‘Cyber Crime & GDPR’; its aim to educate, inform and provide solutions – thankfully not to put the fear of God into its attendees, as many of the meetings on the same topic seem to have done!
Hosted by Barclays and Clive Owen LLP, the meeting started with some definitions, the situations in which you could find your business a casualty of cyber crime, and some key tips on how to protect yourself and your business.
Following on, Eset, the IT ‘arm’ of Clive Owen LLP, offered an introduction to GDPR, and the morning was concluded by Rob from Hiscox explaining GDPR in more depth and the responsibilities around data collection & holding.
Below, I have summarised the information offered related to Cyber Crime & GDPR and added some of the key tips to finish with….
- Globally, we need to approach cyber crime with a ‘defence in depth’ attitude, as we would when protecting our homes, cars, etc. – i.e. have layers of protection, not just one element & our fingers crossed that no-one guesses our passwords…
- The main threats of cyber crime for 2017 -2018 according to Barclays are:
- ransomware – malicious software, often delivered through a phishing email or a compromised 3rd party download, that infects one machine and then spreads across business systems, encrypting the files it reaches. The business is literally held to financial ransom: the files stay locked until the ransom has been paid, and even then there is no guarantee the criminals hand over the decryption key – which is why tested, offline backups are the real defence.
- business impersonator – more on a personal level where a criminal will impersonate a ticket booking line/e-shop business where they ask the target to click on a link which will go through to a fraudulent site (which may look identical to the true site!) & ask for personal / financial information for their gain.
- CEO / Director impersonation – where emails are sent requesting cash transfers / ‘invoice’ payments, allegedly from the CEO / Director, but in fact from a 3rd party impersonator.
- invoice fraud – similar to the above but posing as external suppliers to a business.
- distributed denial of service (DDoS) attack – when many systems, typically machines the attacker has already compromised, flood the resources of a targeted system with traffic until it can no longer serve its genuine users.
- internal threats – which could occur as malicious behaviour, neglectful behaviour or accidental error.
- password compromise – apparently software is now available that can recover an 8 character password containing letters, numbers & special characters in just 9 hours (a figure that assumes the attacker has a stolen copy of the password hash and can try guesses offline at very high speed; against a login page with lockout it would take far longer). In addition, human beings are habitually lazy and so will pick simple, easy to remember, short passwords – great for ticking the laziness box, but not great for protecting your business against cyber crime gurus.
- in the main, an attack starts in one of the following ways:
- phishing – generic, non-targeted, scattergun approach (for example a random email)
- spear phishing – highly targeted approach
- malware – i.e. malicious software, such as ransomware
- Penalties occur where:
- data loss has occurred (personal data).
- encryption software has not been used to protect data.
- portable & mobile devices are not encrypted.
- there is no compliance with the recognised standards advised.
- Data breaches occur in a number of situations:
- when a device is lost or stolen – is the data accessible on the desktop? is the password simple to solve? Can the data be accessed? What data is stored on the hard-drive? What remote systems access is available?
- data transferred by USB/DVD/CD – even a USB stick can be encrypted, vital if being left at a business reception or being sent through the post.
- unauthorised access – who has access to your laptop / business information if you are away on holiday / off sick? Is it left on your desk for all employees to access?
- email – again unprotected data being sent, incorrect email addresses or addressees.
- Currently, data loss incidents
- are a mix of civil cases, 3rd party claims as well as 1st party claims.
- have penalties which are currently capped by the ICO at £500,000 – once GDPR comes into force in May 2018 the maximum financial penalty will be either €20 million or 4% of annual turnover, whichever is greater.
- As a Director / Officer of an SME you could be personally liable for a data breach as it is your responsibility in that post to ensure data is encrypted & protected.
- Even if you outsource some tasks within your SME business (such as IT or Marketing) given that the customer is ultimately yours, the responsibility of that data remains yours, not the 3rd party supplier.
- It is advised that if you work with 3rd parties you check that they have their own policies and insurance for data protection as a matter of course.
- Even if you think you don’t hold personal data & therefore have no need to consider GDPR or data protection, bear in mind that only 22% of claims currently brought forward relate to personally identifiable information (PII); the rest concern business data, confidential plans and the like.
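The two password figures quoted at this seminar (an 8 character password cracked in 9 hours; the three-word passphrase taking tredecillions of years) only make sense under a stated attacker model. The calculator below is an added example, not material from the seminar or any of the presenters: it backs the implied guess rate out of the 9-hour claim, then applies that same rate to the passphrase both when the attacker knows nothing (pure brute force) and when the attacker knows the ‘word separator word separator word digits’ pattern and has a word list. The 95-character set, the 10,000-word dictionary and the 9-hour figure are assumptions.

```python
"""Time-to-crack estimates under explicit attacker models.
Added example; charset size, dictionary size and the 9-hour claim are assumptions."""
import math

PRINTABLE_ASCII = 95            # assumption: 26 + 26 letters, 10 digits, 33 symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600
NINE_HOURS = 9 * 3600           # the seminar's figure for an 8-character password


def brute_force_space(length, charset_size=PRINTABLE_ASCII):
    """Candidates to try when the attacker knows nothing about the password's structure."""
    return charset_size ** length


def implied_guess_rate(space, seconds):
    """Guesses per second needed to exhaust `space` in `seconds` (worst case for the attacker)."""
    return space / seconds


def years_to_exhaust(space, rate):
    """Years to try every candidate at `rate` guesses per second."""
    return space / rate / SECONDS_PER_YEAR


def pattern_space(words, dictionary_size, separators, separator_charset, digits):
    """Candidates when the attacker knows the pattern (word sep word sep word digits)
    and only has to enumerate dictionary words, separator symbols and the digit suffix."""
    return (dictionary_size ** words) * (separator_charset ** separators) * (10 ** digits)


def bits(space):
    """Entropy-equivalent size of a search space, in bits."""
    return math.log2(space)


def compare(passphrase="dentist@mercedes#presentation951"):
    """Return the guess rate implied by the 9-hour claim and the years the passphrase
    would survive at that rate under the two attacker models."""
    rate = implied_guess_rate(brute_force_space(8), NINE_HOURS)
    blind_space = brute_force_space(len(passphrase))          # attacker knows nothing
    known_space = pattern_space(words=3, dictionary_size=10_000,  # attacker knows the pattern
                                separators=2, separator_charset=33, digits=3)
    return {
        "rate_per_s": rate,
        "blind_bits": bits(blind_space),
        "blind_years": years_to_exhaust(blind_space, rate),
        "pattern_bits": bits(known_space),
        "pattern_years": years_to_exhaust(known_space, rate),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>14}: {value:.3g}")
```

The 9-hour figure implies roughly 2 × 10^11 guesses per second, which is only plausible offline against a fast, unsalted hash; an online login with lockout runs many orders of magnitude slower. At that rate the 32-character passphrase survives about 10^44 years if the attacker has to brute-force it, but only a couple of months if the attacker knows the pattern and the word list. The strength of the three-words approach therefore comes from the length and from choosing words that are genuinely random (not a pet, a team or a street), not from the symbols alone.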
Cyber Crime & GDPR Tips – Protecting your Business & getting Prepared:
- The Government (the NCSC’s ‘three random words’ advice) recommends linking 3 random, unconnected words as a password; for example, ‘dentist@mercedes#presentation951’ – random but actually quite memorable! This password would apparently take 2 tredecillion years to crack by brute force (that equates to a 2 followed by 42 zeros!). The figure assumes the attacker has to try every possible combination of characters; the real strength comes from the length and from the words being genuinely random rather than a name, a pet or a football team.
- How to fraud proof your business:
- check for impersonations – if the CEO is away on holiday & you get an email asking to transfer funds, text or call them (on a number you already have, not one given in the email) to check they definitely want the action completing. If their commitment is to the business, they won’t mind you double checking!
- check the tone of the communication; does it sound like it’s from the person it says it’s from? Would your CEO sign off ‘there’s something in it for you if you do this’ or ‘thanks mate’? If not, it probably isn’t them!
- work out who is the weakest link in your business – this doesn’t have to be a witch-hunt, but equally if your IT team has requested all users change their passwords, they can check whether this has been done or not! It’s always worth a check.
- follow the 10 Steps to Cyber Security from the Government.
- Barclays are offering free webinars to businesses with unlimited attendees, even if you don’t bank with Barclays, plus suppliers can be invited on to the webinars etc too.
- As an SME, feedback requests are often valuable in knowing that your clients are happy, what improvements could be made & in testing new products. If you receive or wish to send out such a feedback request, hover over the click-through link & check that the address the link actually points to looks genuine – the visible text of a link and its real destination can be completely different, and a fraudulent address often contains your own domain name somewhere inside a different one.
- Follow the Information Commissioner’s Office on LinkedIn, Twitter etc. to ensure that you have the most up to date information (www.ico.org.uk)
- Encryption is low cost & straightforward to employ & can be used for mobile / portable devices as well.
- At the very least the FIPS 140-2 standard (the US/Canadian standard for validating cryptographic modules) should be met by the encryption software & hardware you rely on.
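The impersonation and link checks in the tips above can be turned into a first-pass triage that runs before anyone in accounts acts on a payment request. The script below is an added example and is not code from the seminar, Barclays, Clive Owen LLP or Hiscox; the organisation’s domain (example.co.uk), its executive list, the sample e-mail and the list of suspect phrases are all constructed for illustration. It flags a display name that matches an executive but comes from the wrong address, a Reply-To that sends answers elsewhere, link text that does not match where the link really goes, a destination that merely contains the company’s domain name, and the ‘tone’ phrases the seminar warned about.

```python
"""Phishing triage for one inbound e-mail: executive impersonation in the headers,
link text vs. real destination in the HTML body, and suspect phrasing.
Added example; the organisation, its executives and the sample message are constructed."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions (hypothetical organisation): its own domain and the real addresses of its directors.
INTERNAL_DOMAINS = {"example.co.uk"}
EXECUTIVES = {"jane smith": "jane.smith@example.co.uk"}   # display name -> genuine address
# Phrases a genuine director is unlikely to use in a payment request (the seminar's "tone" check).
SUSPECT_PHRASES = ("something in it for you", "thanks mate", "keep this between us", "wire today")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname of a URL, tolerating link text written without a scheme (www.example.co.uk/x)."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def looks_like_url(text):
    return text.lower().startswith(("http://", "https://", "www."))


def is_internal(host):
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def looks_like_internal(host):
    """Host contains our domain name but is not under it, e.g. example.co.uk.survey-login.net."""
    return any(d in host for d in INTERNAL_DOMAINS) and not is_internal(host)


def check_headers(msg):
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    genuine = EXECUTIVES.get(name.strip().lower())
    if genuine and addr.lower() != genuine:
        findings.append(("exec-impersonation", f"'{name}' sent from {addr}, expected {genuine}"))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != addr.rsplit("@", 1)[-1].lower():
        findings.append(("reply-to-mismatch", f"replies go to {reply_addr}, not {addr}"))
    return findings


def check_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = host_of(href)
        if looks_like_url(text) and host_of(text) != actual:
            findings.append(("link-text-mismatch", f"text shows {host_of(text)}, href goes to {actual}"))
        if looks_like_internal(actual):
            findings.append(("lookalike-domain", actual))
    return findings


def check_tone(text):
    lowered = text.lower()
    return [("suspect-phrase", phrase) for phrase in SUSPECT_PHRASES if phrase in lowered]


def triage(raw_message):
    """Parse a raw RFC 822 message and return a list of (finding, detail) tuples."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    return check_headers(msg) + check_links(html) + check_tone(html)


# Constructed sample, not a real message: a CEO-impersonation e-mail carrying a lookalike link.
SAMPLE_EMAIL = """\
From: Jane Smith <jane.smith@example-co-uk.com>
Reply-To: payments.desk@mail-relay.example.net
To: accounts@example.co.uk
Subject: Urgent supplier payment
Content-Type: text/html; charset=utf-8

<html><body>
<p>I'm in meetings all day, please wire today and there's something in it for you.</p>
<p>Confirm via <a href="http://example.co.uk.survey-login.net/feedback">www.example.co.uk/feedback</a></p>
<p>Thanks mate</p>
</body></html>
"""

if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_EMAIL):
        print(f"{finding:>20}: {detail}")
```

Any one of these findings on its own is only a prompt to pick up the phone; the point of the script is that it surfaces the real destination of a link and the real sender address, which is exactly what a busy person skimming a well-crafted email does not see. Add your own domain names and director addresses in place of the assumed ones before using it.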
The stats regarding cyber crime make for harrowing reading: according to a recent survey, defending Britain against cyber-attacks and repairing the damage done by hackers who penetrate security systems costs businesses £40.5bn (source: Lloyd’s Insurance). And no business is exempt from GDPR: if you hold or process personal data about EU residents it applies to you, whatever your size. All businesses need to ensure they are prepared for this enforcement or literally pay the consequences.
I have found that there is a huge amount of information flying about which, in my opinion, doesn’t necessarily make for an easy read or offer ‘layman’s’ clarity. I hope that this brief summary helps to offer you some clear facts and get you and your business protected & prepared in terms of cyber crime & GDPR.
Disclaimer: I am by no means an expert in this area & this is my interpretation of the information & advice offered at the meeting attended. If you have any queries or require further information always contact the ICO or one of the parties mentioned above for factually accurate advice.