Posts

Laptop security

With GDPR now in place, what should businesses consider in order to set good policies around data at the different stages in the data journey, such as when it is at rest, in transit, in the cloud? And what will GDPR mean for this?

This blog, from Nigel Crockford, Business Development Manager at IT consultancy and data security specialist eSpida discusses data policies.

Data policies

A good data policy must clearly outline how data will be managed from collection through to storage, with an unambiguous set of procedures detailing how, why and by who. This is necessary for businesses to protect themselves under the new GDPR law. This includes a clear policy on the use of email as a method of storing and moving data.

The proliferation of email has meant that it is far too easy to embed malware into an email that will then sit in an inbox for weeks or even months. Organisations should start to adopt policies that take advantage of instant messaging for general peer to peer communications, to minimise the risk associated with over-reliance on email and email security.

The cloud

When multiple people have access to data, which is often the case with information stored in the cloud, there is a greater concern of loss, amendment or handling without necessary permissions. Businesses must have a procedure in place that not only ensures only authorised people directly handle data, but that every person who may process data in some way does so safely.

Data loss prevention (DLP) solutions help to form good policy to help identify, report and stop the movement of data in and out of your network.

IT security best practice

If a person’s device or computer has access to a system that holds data, any viruses that affect it or hackers that attack it can pose a potential risk to data security. It’s crucial that good IT security practice forms an integral part of business culture.

IT security best practice includes:

  • updating systems
  • upholding policies around patch management to ensure systems are kept up to date and protected against hacking
  • installing antivirus software
  • setting secure passwords
  • using more advanced security solutions such as two factor authentication

The introduction of GDPR has made such policies and best practice even more important.  If you feel your business is vulnerable, an IT consultancy offering IT security solutions and services such as eSpida can help.

Cybercrime prevention with Forcepoint

The General Data Protection Regulation (GDPR) is being dubbed as “the greatest change in data privacy regulation in over 20 years”. It will replace the Data Protection Act 1998 and comes into play on May 25th 2018.

With only a third of businesses said to be currently prepared for GDPR, many organisations are reportedly rushing to hire data protection officers. Whilst companies with more than 250 employees or public authorities are required to appoint a Data Protection Officer; those below the threshold are not obliged to do so.

However, all businesses are required by law to comply.

When the new regulations are enforced, businesses must have recorded consent before they can use personal data or risk severe penalties. A data breach can result in administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater.

So how can technology be used in the quest to become GDPR compliant?

Data policies
Look at the way data flows through your business, review your data model and implement an end-to-end data protection strategy to meet GDPR regulations.

Data Classification
Consider the types of data flowing through your business:

• Is it freely available?
• Does it contain personal information?

Data should be protected by the authority in a data classification system.

Encryption
Encryption translates data into code, so that only people with access to a key or password can read it. At present it is one of the most widely used data security methods in the protection of data and its confidentiality across all devices.
By encrypting information, businesses can take control over their data by validating users and ensuring data authenticity when data is used and transferred.

Data Loss Prevention (DLP)
Data loss prevention software uses detection techniques to recognise sensitive data. It enables businesses to determine why and how information is being used and therefore identify any data breaches or misuse. It is highly recommended to protect businesses from insider threats.

Two-factor authentication (2FA)
Most standard online security procedures involve a username and password. With the ever increasing level of cybercrime, an extra layer of security is recommended to ensure data is adequately protected.

Two-factor authentication, also known as 2FA involves the use of a traditional username and password as well as a piece of information that only the user knows, such as a PIN or fingerprint.

Anti-virus/Anti-ransomware
With more than half of UK businesses already being affected by Ransomware, it is said to be a case of not IF, but WHEN an attack occurs. This is a scary prospect for any businesses, regardless of size which is why antivirus & anti-ransomware software are so important. By scanning systems, the software wipes out any identified ransomware attempts.

Device management
Device Management enables IT teams to control the security, monitoring, integration and management of devices such as laptops, mobile phones and tablets in the workplace to ensure the network and its data is fully secure and GPDR compliant on all devices throughout the business.

Access/identity management
Many businesses do not validate employees’ access rights and permissions to use data. To achieve GDPR compliance, businesses will need to take a much more controlled approach to minimise unauthorised access to critical information using stronger and more centralised access and identity management

Backup
With the increase in cybercrime coupled with the new laws, data backup has never been more important than it is now. Backups are vital in the event of information being destroyed, be it accidentally or maliciously.

Exploit prevention
An exploit attack is designed to slow down your computer, cause sudden application failure and/or expose your personal data to hackers.
Exploit prevention protects the applications and files that are prone to these attacks and cleverly mitigates the methods attackers use to exploit software vulnerabilities.

Patch Management
Patch management involves keeping software on computers and network devices up to date and capable of resisting low-level cyber-attacks. With older software versions, companies are far more vulnerable to cybercrime and leave obvious gaps for hackers to intercept.
It sounds basic, but the simplest technological solution in the fight against cybercrime is good patch management. By keeping software up to date and capable of resisting low-level threats, businesses are far less vulnerable to cybercrime.

For further details on GDPR I recommend visiting eSpida’s dedicated GDPR page where you can find information on preparing your business for GDPR, useful links as well as our ‘Preparing for GDPR’ whitepaper.

Our webinar brings you an update on IT security.

With cybercrime on the rise, keeping your security strategy up to date is imperative to the protection of your organisation. And with the General Data Protection Regulation (GDPR) May 2018 deadline looming, data security is now critical to legal compliance.

Watch our webinar with our resident IT security expert, Nigel Crockford to learn:

  • The changing landscape of IT security
  • The security challenges facing your organisation and its leadership team
  • GDPR and the practical implications for business
  • How to build robust security strategy to meet tomorrow’s threat

For more information about data security and how we can help you to protect your business, please get in touch on 0344 880 6145 or email [email protected]

 

DLP and CASB

With the introduction of Bring Your Own Device (BYOD) into the workplace, holes have appeared within many organisations’ security and compliance applications.  Holes which some IT users are blind to.

Software programs such as OneDrive, GoogleDrive and Dropbox that users install on their personal equipment to move files to work on outside of the workplace, are highly susceptible to such “holes”.  These transferable documents may contain sensitive data and can pose a threat to any organisation if compromised.

Cloud Access Security Broker (CASB) and Data Leakage Protection (DLP) software is designed to eliminate such issues.

What is CASB?

  • CASB stands for cloud access security broker.
  • It is an application that separates the company’s own on-premises infrastructure and an external cloud provider’s infrastructure.
  • CASBs identify active cloud applications and detect high-risk users and applications.
  • CASB extends organisational security policies beyond internal infrastructure.

What is DLP

  • DLP stands for data loss prevention.
  • DLP products enable network administrators to regulate the business data that users can transfer to ensure confidential or sensitive data is not sent outside the business network unless authorised.
  • DLP applications use predefined rules to categorise and protect confidential information to prevent users from sharing such data, be it accidentally or maliciously.

Forcepoint CASB and DLP

Forcepoint has developed its Cloud Access Security Broker (CASB) and Data Leakage Protection (DLP) applications to offer organisations an effective and efficient way to protect business-critical, sensitive data.

Forcepoint CASB along with its sister product Forcepoint DLP allows organisations to monitor who, what and when with regards the movement of information and data between the organisation and the cloud applications installed on user devices.

The software allows IT departments to discover and assess the risks of the unsanctioned cloud apps and will also enable tighter control of sanctioned cloud apps, facilitating a greater understanding of organisational data flow and the prevention of critical data loss.

These two Forcepoint products have been recognised as the market leaders in this area by analysts.  They provide industries with the most complete data protection platform, utilising its functionality in data discovery and data leakage prevention and as such provide a secure base for organisations to meet industry compliance requirements such as the General Data Protection Regulation (GDPR).

Never has an IT department’s role in the protection of data been as crucial as it is today.  Educating employees is a fundamental starting point. And to take care of the inevitable mishaps, having the right protection in place is imperative.

Take a look at the Forcepoint webpage to find out more.

As new technologies are developed, consumers have multiple devices and channels to interact via, allowing marketers to access more data than ever. However with the general data protection regulation (GDPR) deadline nearing, marketing departments must consider how they collect, store and process any data moving forward in order to meet the required level of GDPR compliance.

Featured in Digital Marketing Magazine, Nigel Crockford, Business Development Manager at IT security consultancy eSpida, explains the ways in which marketers must adapt within the thought provoking article ‘Have your customers given consent?’

The article can be read in full here

 

protect against cybercrime

The May 2017 ransomware attack on the NHS crippled 47 trusts across England and Scotland. At least 6,900 appointments were cancelled and seven A&E departments were forced to turn ambulances away. This demonstrates the significant damage that cyber-attacks can cause. Here, Nigel Crockford, business development manager of IT consultancy eSpida, discusses what businesses must consider to protect themselves in 2018’s IT landscape.

 Back in 1995, when Bill Gates set up Windows 95, there were very few IT applications and, according to www.internetlivestats.com, only 0.8 per cent of the world’s population had internet access at home. Therefore, the risk of cyber-attacks was relatively low.

Since then, the IT landscape has changed dramatically. It was estimated by www.internetlivestats.com that in 2016, 46.1 per cent of the world’s population had internet access at home — a huge increase since 1995. A single device is now capable of processing an extraordinary number of applications and cloud technology means data can be easily shared between devices. These technological advancements have considerably increased the risk of cyber-attacks.

There are things that every business must do to protect its employees, customers and stakeholders from the potentially damaging effects of attacks such as the ransomware attack on the NHS.

Everybody is a security officer

The task of ensuring cyber security in a business can no longer fall to one or two security officers. Everybody must have an awareness of the potential threats, how to protect against them and how to respond in the case of a security breach.

The cyber-security of a business increases considerably if everybody takes simple but effective protective measures. These measures must include installing antivirus software, keeping all software updated, identifying suspicious popups and regularly changing passwords. Common sense is the first line of defence.

Comply with GDPR

In May 2018, the new general data protection regulations (GDPR) will enforce new mandatory requirements for businesses. In essence, you will need to know exactly where all data is stored, how it is held and how it can be accessed.

By complying with these regulations, you will be helping to keep your business’s data and IT systems safe from cyber-crime.

Have a strategy in place

The key to dealing with cyber-crime is to protect, detect and respond. Once an attacker has access to data, it’s extremely difficult to retrieve it. Therefore, prevention is better than cure.

Regardless of how well you protect your business, cyber-attacks may still occur, so everybody must know the signs. According to a 2017 cyber security breaches survey from the Government’s department for digital, culture, media and sport, 46 per cent of organisations had experienced a cyber-attack in the past twelve months. However, many others may have been attacked but did not realise.

To make sure you detect any cyber-attacks that you may fall victim to, look out for unusual password activity notifications, slow network speed and suspicious e-mails or popups — all of which could indicate a breach.

Businesses must also be prepared to respond to a cyber-attack. As of May 2018, the GDPR will state that a cyber breach must be reported in 72 hours. Failure to comply could result in a fine of up to €20 million or four per cent of your business’s global turnover. In addition to reporting the attack, the breach should be contained by shutting down all IT equipment and assess all systems that could have been compromised.

The May 2017 attack was the largest cyber-attack the NHS has ever fallen victim to. NHS England stated that no patient data was compromised and the staff response was commendable. However, this attack may potentially have been avoided if the NHS had been more diligent in its cyber protection measures.

If you are worried about your current security set up and need some advice, contact eSpida today on 0344 880 6145 or email [email protected] 

GDPR will affect multinational organisations

Many businesses are yet to understand the sheer scale and breadth of changes their company data processing policies will need to undergo to comply with the general data protection regulation (GDPR). Here, Nigel Crockford, Business Development Manager at IT consultancy eSpida, explains how the regulation will impact multinational businesses — and how they must prepare themselves.

Benjamin Franklin once said, “By failing to prepare, you are preparing to fail”. This statement will ring especially true for multinational businesses in the coming months as the GDPR comes into force across the European Union (EU).

By uniting 28 different EU member state laws under one data protection law, GDPR is set to harmonise data protection laws throughout the EU, giving greater rights to individuals.

Taking effect as of May 25, 2018, every business will need to alter their existing procedures to ensure the correct mechanisms to comply with GDPR are in place. Failure to comply with the regulation will result in costly penalties of four per cent of global annual turnover or €20 million, whichever value is greater.

Non-compliant businesses could also be faced with bans or suspensions on processing data, in addition to the risk of class actions and criminal sanctions.

GDPR and multinationals
To enforce the regulation, each country will have its own national data protection act (DPA) regulator that will oversee and manage any breaches. Businesses operating in multiple EU countries have frequently asked since the announcement of GDPR, how an authority will be chosen to enforce action if found non-compliant with the regulation, or if an authority from each EU affiliate would take action.

If a business has conducted non-compliant cross-border data processing activities, only one national DPA regulator must act on the complaint. For instances where a business’ data controller operates in multiple EU countries, the DPA regulator that will take action must be located in the same country as the organisation’s main establishment, or where it’s central administration takes place.

Non-EU affiliates of a multinational business will also be impacted by the GDPR, depending on whether the data is accessible from one central system to affiliates across the globe. Companies operating on this scale will need to have a clear understanding of how data flows in the company to ensure that cross-border data transfers are compliant.

This is just one example of how GDPR is introducing formal processes for issues not previously covered by the DPA. Another area that the ruling focusses on is when a data breach occurs.

In 2016, it was revealed that Yahoo had suffered a cyberattack that resulted in three billion users having their account details leaked. What was appalling to the public, however, was that the attack had taken place three years prior to the incident being reported.

Unfortunately, this is not an isolated incident. In 2017, Uber revealed that data of its users had been held to ransom by hackers in 2016, prompting similar backlash to the Yahoo breach.

Under GDPR, companies are required to report a breach within 72 hours of its discovery. This includes notifying the country’s DPA regulator, which in the UK is the Information Commissioner’s Office (ICO), and the people it impacts. Businesses should also consider taking additional steps to avoid the detrimental impact cyber breaches can have on its employees and customers.

Preparing to succeed
Identity management is just one example that allows companies to restrict access to certain resources within a system. Identity management can define what users can accomplish on the network depending on varying factors including the person’s location and device type.

With the rise in cloud computing among businesses, extra measures should also be taken to safeguard this data. A survey found that 41 per cent of businesses were using the public cloud for their work, with 38 per cent on a private cloud network. By implementing security measures like encryption software, businesses can prevent unauthorised access to digital information.

Taking these precautionary steps is necessary for businesses with more than 250 employees. This is because a business of this size, following the introduction of GDPR, must detail what information they are collecting and processing. This includes how long the information will be stored for and what technical security measures are in place to safeguard the information.

In addition to identity management and encryption software, businesses can also consider various other security tools for their systems, including anti-ransomware, exploit prevention and access management.

Another notable change for companies that have regular and systematic monitoring of individual data, or process a vast amount of sensitive personal data, is that they will now be required to employ a data protection officer (DPO). Sensitive data refers to genetic data and any personal information such as religious and political views.

GDPR will have a wide-ranging impact on multinational businesses. Although some may be more prepared than others, each business’ status in complying with GDPR is different, with no one solution suiting all. By investing in GDPR compliance specialists like eSpida, businesses can avoid costly fines because of discrepancies with the regulation.

It’s fair to say that the GDPR is the most meaningful change in data privacy law since it was first established over twenty years ago. Despite it currently only being enforced in the EU, many believe this will spark a revolution across the globe for the protection of data for individuals.

Businesses must prioritise updating their current systems to ensure their processing policies are compliant with the GDPR. Depending on the current position of a business, some may need more preparation than others. For example, not every business will be required to employ a DPO, but others may need to reorganise its HR team to help enforce GDPR compliance across a company.

With May just around the corner, businesses who have not already started preparing need to act now to avoid financial punishments and reputation repercussions.

IT Security
GDPR compliance for employees and candidates

Is your HR team the key to GDPR compliance?

GDPR is fast approaching and HR professionals are looking to be considerably affected, particularly surrounding recruitment data.

In an article published today, featured on the GDPR:Report website, Nigel Crockford, Business Development Manager at eSpida explains how HR departments can lead by example in GDPR compliance and ensure the organisation is ready for the change in legislation?

The article is available to read here