IT Security Updates issue 11

The latest news from the sector sees Marriott Hotels fall victim to the second largest cyber attack in history, GDPR hits the news again as SMEs continue to underestimate the scale of their data privacy responsibilities, 25% of NHS trusts fail to invest in cyber security, and more…

SME organisations ‘clueless’ about GDPR

According to The Independent, small businesses are contravening GDPR with untold consequences for personal data and long-term security. Companies reported a barrage of rule-breaking activities and behaviours. The risk of a multi-million euro fine has not yet made SME leadership grasp the scale and scope of GDPR within the workplace.

The survey found:

“More than a quarter of those polled allowed staff to use their own computers, tablets and phones for work purposes, which contravenes the rules as personal data could be stored unencrypted at home.

And one in ten revealed they have visitor books in their HQ – where visitors can freely see details of others who have been there previously.

Paper diaries were used by 26 per cent of the businesses polled – which could contain private information or customer details and be easily misplaced – while 10 per cent said the circulation of printed-out sponsorship forms – which often contain names and addresses – was common at their place of work, which is another contravention of GDPR rules.”

For any SME owner or Managing Director looking to brush up on GDPR, look no further than the ICO’s small business toolkit, which provides assessment tools, rule guidelines and GDPR articles to help you understand your responsibilities when managing, processing and interacting with personal information.

Myth-Busting Christmas, Thanks To The ICO

Christmastime festivities can bring joy, but they can also bring out the ‘Scrooge’ in many of us. The Information Commissioner’s Office has published a blog which helpfully busts some GDPR-inspired data privacy myths. The article came in response to the popular social media meme:

“He’s making a List, He’s Checking it Twice, He’s gonna find out who’s naughty or nice, Santa Claus is in contravention of Article 4 of the GDPR.”

Whilst funny, the ICO recognises that uncertainty around the GDPR and the Data Protection Act 2018 could put a damper on Christmas festivities. The article outlined some serious examples of how GDPR was being wrongly applied. One example was a Christmas Fayre at which teachers thought they couldn’t tell parents which stalls they would be running because of ‘express consent’ rules. The ICO noted:

“In short, you don’t always need consent to comply with GDPR – it is not the only lawful basis on which you can use someone’s personal information. For example, in this case, the school or PTA had a legitimate interest in being able to contact parents and volunteers.”

The article is useful for helping people, especially data leaders, understand the scope of GDPR and how it can be wrongly interpreted with detrimental outcomes.

How A Lack Of Security Awareness Resulted In The Marriott Hotels Data Breach

According to security experts, from the FBI to Forbes, the Marriott Hotels data breach is the second largest data breach in technology history, eclipsed only by Yahoo’s 2013 blunder. The exposure stems from Marriott’s 2016 acquisition of Starwood Hotels. The reservation system used by Starwood was poorly secured, and the attackers maintained access to it for four years before the intrusion was identified. It has since been reported that Marriott’s IT team was hit by a separate cyber attack in June 2017 – all of which points towards a problematic cyber security regime within Marriott Hotels.

However, according to the MIT Technology Review and the New York Times, state-sponsored actors are behind the Marriott cyber attack:

“The US suspects the hackers work on behalf of China’s Ministry of State Security, and that they’re part of a massive data-mining exercise designed to identify American spies and Chinese citizens who work for them. Data from US security-clearance forms would be especially useful for this task, as would information about travel patterns. The Marriott group is the biggest hotel provider for US government and military personnel.”

The loss of 500 million guests’ data is a significant event. The state-sponsored dynamics of the scandal make it a digital security catastrophe. However, data leadership shouldn’t think of such scandals as something that only happens to big fish. This could, and does, happen to even the smallest of micro businesses. Norton offers SMEs useful advice to help maintain good cyber hygiene within their organisations – the resources include patch update news, guidance on software and hardware product rights, and other tools to help keep your IT estate safe.

Considerations on Cloud-Computing Redundancy Planning Post-MS Office 365 Outages

The always-on nature of the internet – with reliable 4G data connections and WiFi accessible almost anywhere on earth – has made cloud computing possible for billions. However, business IT leadership does need to focus on redundancy planning. In the wake of the recent Microsoft Office 365 outage that locked nearly 15 million EMEA customers out of their accounts, companies that had invested heavily in Microsoft cloud services found they couldn’t use key services – including customer information systems and key marketing products, along with the office productivity suite. This was of course fixed within hours. But those hours did cost businesses.

What can you do? Wired Magazine argues that companies are balancing two competing pressures – sound data privacy and the risk to productivity:

“Attitudes are changing as people become more aware of privacy issues, and more big data leaks come to light. For companies, it’s about balancing risk with productivity – losing a day of work could cost money, but a massive data breach could cost much more.”

IT estate leadership therefore needs to weigh the risk to productivity against the wider risk to data protection and privacy in a post-GDPR ecosystem.

25% Of NHS Trusts Spent “No Money” On Cyber Security in 2017/18

According to research by Redscan, a UK cyber security services company, the NHS’s ‘cyber resilience’ strategy is substandard and not fit for purpose. The findings describe a National Health Service failing to meet its targets in the aftermath of the disastrous and costly WannaCry cyber attack that brought the NHS to its knees – resulting in hospital ward closures and cancelled operations.

The survey, based on Freedom of Information requests sent to 226 NHS trusts, found that 43 had not allocated funding directly towards cyber security processes or service improvements. The failure to implement a cohesive cyber security policy and framework is proving problematic, with long-term consequences for NHS trusts UK-wide.

According to Redscan, skills shortages are also a major issue facing trusts:

“On average, NHS trusts employ just one qualified security professional per 2,582 employees. Nearly a quarter of trusts have no employees with security qualifications (24 out of 108 trusts), despite some employing as many as 16,000 full and part-time personnel.

Several NHS organisations that employ no qualified cybersecurity professionals reported having staff members in the process of obtaining relevant security qualifications – perhaps an indication of the difficulties of hiring trained professionals.”

Investing in cyber security talent and resources can help protect your business. If you are unsure which cyber security qualifications would boost the security education of your IT staff, the National Cyber Security Centre provides useful links and access to databases and resources on certified cyber security courses that can help empower your business.

Until next time …