Cyber security is a topic that is on everyone’s minds this month, and if you follow the news it will be obvious why (and if you don’t, see our previous blog posts!). On May 18th I attended the Norfolk Chamber of Commerce’s Cyber Security Conference, hosted by Paul Maskall. The itinerary included four very relevant talks from speakers Kitty Rosser, Peter Freeman, Andy Taylor, and Rahul Colaco.
On the 15th May 2018 a new legislation will be put into place, replacing the current Data Protection Act (DPA). This new law is called the General Data Protection Regulation (GDPR). Kitty Rosser explained how we can make sure that we are complying to this regulation before it comes into effect, protecting both ourselves and our customers. Below is a short summary of the key new aspects of this law:
- Accountability and transparency – ensure that you are absolutely clear about what you will be using their data for
- Data protection by design – build data protection into processing activities from the ground up
- Consent – a high standard of consent is required, and you will need to record how and when this consent was given
- Data subject rights – the rights from the DPA will be carried over, with the addition of the right to transparency, portability and to erase personal data
- Data protection officer – this is a new mandatory role for businesses whose activities match certain criteria
- Data processors – records must be kept in writing and electronically for reference
- Fines – the maximum fine can be much higher (€20 million or 4% of global group turnover, whichever is highest)
Peter Freeman explained how managing your network can make all the difference when defending yourself from a security breach. Something I hadn’t considered before to refrain from giving your WIFI password to visitors, as you don’t know what is on their hardware that could affect your network, or even better – have a separate network for guests. For a similar reason, you should also change your wifi password at regular intervals, to keep it secure and harder to reach. There are several wireless encryption types that have been hacked and compromised too, so you should only use WPA2 with PSK or Enterprise. In essence, monitor who is on your network, and keep it as restricted as possible.
Andy Taylor was full of hard hitting statistics, and emphasised that hacking is often a business problem, not technical. Some of the figures that stood out most to me were:
- 99.9% of victims have anti-virus software
- 99.9% of breaches include stolen credentials
- Attackers are on the network an average of 150 days before breaching
- 66% of malware is installed through corrupt email links
There are steps we can all take to ensure that we don’t inadvertently ‘invite’ hackers onto our network. You should therefore have in place day to day cyber essentials, including user access controls, malware protection, patching, and boundary wall configuration. It is also important to have risk management, so that if you are attacked you have all of the necessary components in place to recover quickly.
Rahul Colaco expanded on this, explaining that you need to have a plan on what to do if you are attacked, for “you are only as good as your security measures”. It may be that in response to a beach, the IT department needs to switch off, the legal department needs to discover what legal consequences there may be, whilst the rest of the business needs to operate as usual. This is no easy task, so pre-planning for the worst care scenario is the most effective way of managing the situation.
As Paul Maskall recapped, you need to look at the value and risk of the data you hold, and ask yourself the following question: what do you have in place should you be breached? Do you have an incident management policy? It is also key not to “fire and forget”, but instead keep your software up to date and check it regularly. At the end of the day, it is usually your client’s data that would be at risk and in order to deserve their trust, it is your moral duty to protect it.
Words by Emily