This week, we discuss new online crime figures and critical Microsoft vulnerabilities, and answer listeners’ questions on third-party security and GDPR compliance.
Hello and welcome to the IT Governance podcast for Friday, 17th June. Here are this week’s stories.
According to new figures from Action Fraud and Get Safe Online, online crime cost UK businesses over £1 billion in the year from March 2015 to March 2016, and reported online crimes rose by 22% on the previous year. Of course, the true figure could be much higher, as it doesn’t take unreported crimes into account. Get Safe Online comments that “A substantial amount of attempted fraud against businesses is successful due to lack of knowledge or sloppy habits by their employees.” Evidence, if evidence were needed, that UK businesses really need to invest in staff awareness training.
Certain online crimes are not as lucrative as criminals might hope, though: the criminal hacker who listed a Windows zero-day vulnerability for sale on the dark web in May has now dropped the price to US$85,000 after failing to find a buyer, according to Trustwave. As I reported a couple of weeks ago, it is a local privilege escalation vulnerability: an attacker who already has a foothold on a machine can use it to gain admin rights, and the seller claims it works on everything from Windows 2000 all the way to the newest version of Windows 10.
Microsoft, meanwhile, pushed out 16 security bulletins in this month’s ‘Patch Tuesday’, which address 44 different vulnerabilities in Windows, Internet Explorer, Edge, Office, Exchange Server and more. Five of the bulletins have been classified as critical, so if you haven’t applied them yet, do so as soon as you can.
Now, a few weeks ago I invited you to tell me what you wanted this podcast to cover, and I’m delighted to say we’ve had a couple of responses.
First, Cony asks for more information about third-party security. Three words, Cony: service level agreements. If you’re concerned about third parties’ security, write your security requirements into the contract and insist they prove their credentials before you do business with them. Simple as that. And don’t be surprised if your business partners ask for yours.
In the modern, interconnected world, even if you’re confident that your own organisation is secure, it’s perfectly possible for criminal hackers to enter your networks via your suppliers – and even your suppliers’ suppliers – especially when functions have been outsourced to the cloud or to smaller organisations.
Even small organisations of no apparent interest to cyber criminals are actually attractive targets – a number of large-scale data breaches in recent years have been caused by security failings in supply chains. Many SME websites use common, off-the-shelf CMS platforms, software, applications and plugins, which often contain vulnerabilities that can be exploited by criminal hackers. Automated attacks, phishing campaigns and drive-by malware installations are all cheap and easy to run, and by their nature are indiscriminate, looking only to exploit known weaknesses rather than specific sites.
For smaller organisations, the government’s Cyber Essentials scheme is a good place to start. Launched in 2014, Cyber Essentials sets out five controls that organisations can implement to establish a baseline of cyber security, one that the scheme says can help prevent around 80% of common cyber attacks. Organisations can also be certified against the scheme to prove their credentials. Those five controls are secure configuration, boundary firewalls and Internet gateways, access control and administrative privilege management, patch management, and malware protection.
Certification to the scheme demonstrates to customers and business partners that fundamental cyber security measures are in place, and provides evidence to validate an organisation’s security posture. Visit itgovernance.co.uk/cyberessentials for more information. I hope that helps, Cony.
Secondly, MrsP asks for specific information about what SMEs need to do to comply with the new EU General Data Protection Regulation (the GDPR). Thank you for your question, MrsP. According to merchant banking group Close Brothers’ recent quarterly survey, 82% of SMEs in the UK either haven’t heard of the GDPR or don’t understand the impact it’ll have, and a further 14% say they need further advice. We’re more than happy to provide that advice.
I touched on this subject a couple of weeks ago, but I’ll try to be a bit more specific now. If you deal with personal data – and pretty much every business does in some capacity – then you should already be complying with the UK Data Protection Act 1998 (the DPA). When the GDPR supersedes the DPA on 25 May 2018, you’ll need to have made a number of changes to the way you operate. (I should also emphasise that May 2018 is the date by which you must be compliant – organisations need to start their compliance projects as soon as they can.)
Article 24 of the GDPR states that data controllers must implement “appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation”. It also states that adherence to approved codes of conduct or approved certification mechanisms may be used “as an element by which to demonstrate compliance with the obligations of the controller”.
The international standard for best-practice information security management is ISO/IEC 27001:2013 – aka ISO 27001. This is the only independent, internationally recognised data security standard that also has a globally accepted certification scheme. ISO 27001’s risk-based approach reflects the GDPR’s requirement that controllers and processors should implement appropriate technical and organisational controls based on, and proportionate to, identified risks. What’s more, an ISO 27001-compliant ISMS (or information security management system) is the default management system for protecting organisations against cyber crime – a major cause of data breaches. That’s why we recommend that organisations implement an ISMS as a means of demonstrating that they’re complying with the GDPR.
I’m afraid I don’t really have the time to go into much more detail than that, but we do have a lot of free information available on our website that I hope you’ll find useful (go to itgovernance.co.uk/gdpr). We’re also running a series of free webinars on the GDPR, recordings of which will be available so you can listen at your leisure. Go to itgovernance.co.uk/webinars and follow the links.
As well as these, we’re launching a new suite of products to help SMEs meet their GDPR compliance objectives. A good place to start is our new GDPR pocket guide, which is due to be published next week. The Regulation itself is 261 pages of legalese, so if you don’t have the time to sift through it, working out which parts apply to you, the pocket guide – the first of its kind on the market – provides a useful overview of the new law and explains exactly what you need to be aware of. You may also want to consider our Certified EU GDPR Foundation training course. The next Live Online version runs on 28 June.
Well, that’s it for this week. Don’t forget to comment below, telling us a bit about yourself and what you want to hear more of. And until next time, remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.