The largest police force in the UK, the London Metropolitan Police (also known as the London Met), has fallen victim to a substantial data breach. Approximately 47,000 members of the police staff have been informed about the potential compromise of their personal data. This includes details such as photos, names, and ranks. The breach occurred when criminals targeted the IT systems of a contractor responsible for producing staff identification cards.
While this breach has raised concerns about the security of sensitive information, it is important to note that details like identification numbers and clearance levels might have been exposed as well. However, it has been confirmed that the breached data did not include home addresses of the affected Met police personnel. There are fears that organised crime groups or even terrorist entities could be responsible for this breach of security and personal data.
Furthermore, the breach has amplified security apprehensions for London Met police officers from Black, Asian, and Minority Ethnic backgrounds. Former London Met Police Chief Superintendent Dal Babu explained that individuals with less common names might face a heightened risk. Criminal networks could potentially locate and target them more easily online, compared to those with common names. This concern is particularly relevant for officers in specialised roles like counter-terrorism or undercover operations.
Reacting to this situation, former Met commander John O’Connor expressed outrage, highlighting concerns about the adequacy of the cyber security measures put in place by the contracted IT security company, given the highly sensitive nature of the information at stake.
This incident presents a significant challenge to the UK Home Office, and it is likely that the government will be compelled to swiftly review and bolster security protocols. This step is necessary to ensure that the personal data of security service personnel is safeguarded with the utmost levels of privacy and data security. Both the Information Commissioner’s Office (ICO) and The National Crime Agency have initiated investigations.
This follows the data breach of the Police Service of Northern Ireland (PSNI) where, in response to a Freedom of Information request, the PSNI mistakenly divulged information on every police officer and member of police staff. Over in England, Norfolk and Suffolk Police also recently announced it had mistakenly released information about more than 1,200 people, including victims and witnesses of crime, also following an FOI request. Last week, South Yorkshire Police referred itself to the information commissioner after “a significant and unexplained reduction” in data such as bodycam footage stored on its systems, a loss which it said could affect some 69 cases.
These incidents underscore the urgency of maintaining robust data protection measures and raising awareness about potential risks, especially within law enforcement agencies. It also requires Data Controllers to ensure that they have processes in place to comply with the requirements of GDPR (Article 28) when it comes to appointing Data Processors.
Yesterday two major data breaches were reported in the public sector. Both have major implications for individuals’ privacy. They are also a test for the Information Commissioner’s Office’s (ICO) approach to the use of its enforcement power.
In the morning,the Electoral Commission revealed, in a public notice issued under Article 33 and 34 of the UK GDPR, that it has been the victim of a “complex cyber-attack” potentially affecting millions of voters. It onlydiscovered in October last year that unspecified “hostile actors” had managed to gain access to copies of the electoral registers, from August 2021. Hackers also broke into its emails and “control systems”.
The Commission said the information it held at the time of the attack included the names and addresses of people in the UK who registered to vote between 2014 and 2022.This includes those who opted to keep their details off the open register, which is not accessible to the public but can be purchased. The data accessed also included the names, but not the addresses, of overseas voters.
The Commission said it is difficult to predict exactly how many people could be affected, but it estimates the register for each year contains the details of around 40 million people. It has warned people to watch out for unauthorised use of their data. The ICO has issued a statement saying it is currently making enquiries into the incident.
And then late last night, and perhaps even more worrying for those involved, the Police Service of Northern Ireland apologised for a data breach affecting thousands of officers. In response to a Freedom of Information (FoI) request, the PSNI mistakenly divulged information on “every police officer and member of police staff”, a senior officer said. The FoI request, via the What Do They Know.Com website, had asked the PSNI for a breakdown of all staff rank and grades. But as well as publishing a table containing the number of people holding positions such as constable, a spreadsheet was included. This contained the surnames of more than 10,000 individuals, their initials and other data, but did not include any private addresses. The information was published on the WDTK website for more than two hours.
The ICO has just issued a statement Cabinet Office the PSNI data breach. A few years ago such data breaches would attract large fines. In 2021 the Cabinet Office was fined £500,000 (later reduced to £50,000) for publishing postal addresses of the 2020 New Year Honours recipients online. In June 2022 John Edwards, the Information Commissioner, announced a new approach towards the public sector with the aim to reduce the impact of fines on the sector. This centred around issuing reprimands rather than fines for the public sector. Since then no public sector organisation has been fined despite some very serious data breaches. In May 2023, Thames Valley Police (TVP) were issued with a reprimand after an ICO investigation found that TVP had inappropriately disclosed contextual information that led to suspected criminals learning the address of a witness (the data subject). As a result of this incident, the data subject moved address and the impact and risk to the data subject remains high. Many data protection experts have expressed concern about the public sector’s special treatment. In relation to yesterday’s data breaches, anything other than serious enforcement action will lead to further questions for the ICO.
The scale of the PSNI data breach is huge. The release of the names exposes individuals who are regularly targeted by terrorist groups. Had the breach included addresses, it would have been even more serious. Both these breaches are going to test the ICO’s public sector enforcement policy.
Ibrahim Hasan has given an interview to BBC Radio Ulster about the PSNI data breach. Listen here.
This month the UK Information Commissioner’s Office has issued two fines and one Notice of Intent under GDPR.
The latest fine is three times more than that imposed on Easylife Ltd on 5th October. Yesterday, Interserve Group Ltd was fined £4.4 million for failing to keep personal information of its staff secure.
The ICO found that the Berkshire based construction company failed to put appropriate security measures in place to prevent a cyber-attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email. The compromised data included personal information such as contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.
The Phishing Email
In March 2020, an Interserve employee forwarded a phishing email, which was not quarantined or blocked by Interserve’s IT system, to another employee who opened it and downloaded its content. This resulted in the installation of malware onto the employee’s workstation.
The company’s anti-virus quarantined the malware and sent an alert, but Interserve failed to thoroughly investigate the suspicious activity. If they had done so, Interserve would have found that the attacker still had access to the company’s systems.
The attacker subsequently compromised 283 systems and 16 accounts, as well as uninstalling the company’s anti-virus solution. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable.
The ICO investigation found that Interserve failed to follow-up on the original alert of a suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments, which ultimately left them vulnerable to a cyber-attack. Consequently, Interserve had breached Article 5 and Article 32 of GDPR by failing to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information.
Notice of Intent
Interestingly in this case the Notice of Intent (the pre cursor to the fine) was for also for £4.4million i.e. no reductions were made by the ICO despite Interserve’s representations. Compare this to the ICO’s treatment of two much bigger companies who also suffered cyber security breaches. In July 2018, British Airways was issued with a Notice of Intent in the sum of £183 Million but the actual fine was reduced to £20 million in July 2020. In November 2020 Marriott International Inc was fined £18.4 million, much lower than the £99 million set out in the original notice.
The Information Commissioner, John Edwards, has warned that companies are leaving themselves open to cyber-attack by ignoring crucial measures like updating software and training staff:
“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.
Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.”
We have been here before. On 10th March the ICO fined Tuckers Solicitors LLP £98,000 following a ransomware attack on the firm’s IT systems in August 2020. The attacker had encrypted 972,191 files, of which 24,712 related to court bundles. 60 of those were exfiltrated by the attacker and released on the dark web.
Organisations need to strengthen their defences and have plans in place; not just to prevent a cyber-attack but what to do when it does takes place. Here are our top tips:
Conduct a cyber security risk assessment and consider an external accreditation through Cyber Essentials.
Ensure your employees know the risks of malware/ransomware and follows good security practice. At the time of the cyber-attack, one of the two Interserve employees who received the phishing email had not undertaken data protection training. (Our GDPR Essentials e-learning solution is a very cost effective e learning solution which contains a specific module on keeping data safe.)
Are you a cyber security expert with a reputation for delivering engaging training? We are recruiting trainers to join our team of expert associates who deliver in-house and external training courses throughout the UK and worldwide.
We are one of Europe’s leading information law training companies with a 20 year track record of delivering practical and engaging training which makes the complex simple. We recently won the Information and Records Management Society (IRMS) Supplier of the year award for 2022-23. This is the second consecutive year we have won this award.
Despite recently expanding our team, we are seeing an increase in global demand for our courses and consulting services from both the public and private sectors. We need more talented trainers who enjoy the challenge of explaining difficult concepts in a practical, jargon-free manner.
We have opportunities for full time trainers and those who wish to add an extra “string to their bow” without leaving their day job. What is important is that you are enthusiastic about Cyber Security and passionate about teaching it.
If you think you have what it takes to become an Act Now trainer, please get in touch with your CV explaining your knowledge and experience of delivering training and consultancy services in Cyber Security.
Cyber security breaches are on the rise. Virtually every day there is a news story about a high profile organisation being hacked and personal data being lost or stolen. Last week the BBC reported that thousands, if not millions, of people could have lost money in the second largest crypto hack in history. Ronin Network, a key platform powering the popular mobile game Axie Infinity, has had $615m (£467m) stolen. More recently UK retailer, The Works has been forced to shut shops temporarily and suspend new stock deliveries after a cyber-attack.
And it’s not just the private sector. In January we learnt that Gloucester City Council’s website was hacked affecting online revenue and benefits, planning and customer services. The work of Russian hackers(allegedly) could take up to six months to resolve and affected servers and systems may need to be rebuilt.
Data Protection Officers need to be aware of the latest incidents and advice when it comes to cyber security breaches. The recently published DCMS Cyber Security Breaches Survey is important reading for all DPOs. It explores the policies, processes, and approaches to cyber security for businesses, charities, and educational institutions. It also considers the different forms of cyber-attack these organisations face, as well as how they are impacted and their response.
The survey results show that in the last 12 months, 39% of UK businesses identified a cyber-attack. Of these, the most common threat vector was phishing attempts (83%). Of the 39%, around one in five (21%) identified a more sophisticated attack type such as a denial of service, malware, or ransomware attack. Despite its low prevalence, organisations cited ransomware as a major threat, with 56% of businesses having a policy not to pay ransoms. Note recently the GDPR fine issued to a firm of solicitors who suffered such an attack. Interestingly they too chose not to pay the hackers.
Frequency and Impact
Within the group of organisations reporting cyber-attacks, 31% of businesses and 26% of charities estimate they were attacked at least once a week. One in five businesses (20%) and charities (19%) say they experienced a negative outcome as a direct consequence of a cyber-attack, while one third of businesses (35%) and almost four in ten charities (38%) experienced at least one negative impact. It is interesting that the survey focussed on charities too. July 2021 saw the first GDPR fine to a charity. The transgender charity Mermaids was fined £25,000 after the ICO found that it had failed to implement an appropriate level of security to its internal email systems, which resulted in documents or emails containing personal data being searchable and viewable online by third parties through internet search engine results.
Cost of Attacks
The survey found the average estimated cost of all cyber attacks in the last 12 months was £4,200. Considering only medium and large businesses; the figure rises to £19,400. Of course such incidents also mean a loss of reputation and customer trust. In October 2020, the ICO fined British Airways £20million for a cyber security breach which saw the personal and financial details of more than 400,000 customers being accessed by hackers. British Airways also had to settle legal claims for compensation from affected customers.
The government guidance ‘10 Steps to Cyber Security’ breaks down the task of protecting an organisation into 10 key components. The survey finds 49% of businesses and 40% of charities have acted in at least five of these 10 areas. In particular, access management surveyed most favourably, while supply chain security was the least favourable.
Around four in five (82%) of boards or senior management within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority, an increase on 77% in 2021. 72% in charities rate cyber security as a ‘very high’ or ‘fairly high’ priority. Additionally, 50% of businesses and 42% of charities say they update the board on cyber security matters at least quarterly. Our new webinar “GDPR and the Charity Sector Webinar” is ideal for raising awareness amongst charity trustees.
Larger organisations are correlated throughout the survey with enhanced cyber security, likely as a consequence of increased funding and expertise. For large businesses’ cyber security; 80% update the board at least quarterly, 63% conducted a risk assessment, and 61% carried out staff training; compared with 50%, 33% and 17% respectively for all businesses. Our GDPR Essentials e learning course contains a specific module on keeping data safe which warns of the most common cyber hacking/phishing tactics.
Just over half of businesses surveyed (54%) have acted in the past 12 months to identify cyber security risks, including a range of actions, where security monitoring tools (35%) were the most common. Qualitative interviews however found that limited board understanding meant the risk was often passed on to; outsourced cyber providers, insurance companies, or an internal cyber colleague.
Outsourcing and Supply Chain
Small, medium, and large businesses outsource their IT and cyber security to an external supplier 58%, 55%, and 60% of the time respectively, with organisations citing access to greater expertise, resources, and standard for cyber security. Consequently, only 13% of businesses assessed the risks posed by their immediate suppliers, with organisations saying that cyber security was not an important factor in the procurement process.
Incident management policy is limited with only 19% of businesses having a formal incident response plan, while 39% have assigned roles should an incident occur. In contrast, businesses show a clear reactive approach when breaches occur, with 84% of businesses saying they would inform the board, while 73% would make an assessment of the attack.
Outside of working with external cyber security providers, organisations most keenly engage with insurers, where 43% of businesses have an insurance policy that cover cyber risks. On the other hand, only 6% of businesses have the Cyber Essentials certification and 1% have Cyber Essentials plus, which is largely due to relatively low awareness. The importance of this was highlighted in the recent GDPR fine issued to Tuckers solicitors.
The DCMS Cyber Security Breaches Survey is important reading for all Data Protection Officers and IT staff. Aligning with the National Cyber Strategy, it is used to inform government policy on cyber security. It should also be used to stay abreast of cyber security developments and formulate your own organisation’s cyber security strategy.
Our Managing Personal Data Breaches workshop will examine the law and best practice in this area, drawing on real-life case studies, to identify how organisations can position themselves to deal appropriately with data security incidents and data breaches, in order to minimise the impact on customers and service users and mitigate reputational damage.
GDPR fines are like a number 65 bus. You wait for a long time and then three arrive at once. In the space of a month the Information Commissioner’s Office (ICO) has issued three Monetary Penalty Notices. The latest requires Ticketmaster to pay £1.25m following a cyber-attack on its website which compromised millions of customers’ personal information.
The ICO investigation into this breach found a vulnerability in a third-party chatbot built by Inbenta Technologies, which Ticketmaster had installed on its online payments page. A cyber-attacker was able to use the chatbot to access customer payment details which included names, payment card numbers, expiry dates and CVV numbers. This had the potential to affect 9.4million Ticketmaster customers across Europe including 1.5 million in the UK.
As a result of the breach, according to the ICO, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6000 cards were replaced by Monzo Bank after it suspected fraudulent use. The ICO said these bank and others had warned Ticketmaster of suspected fraud. Despite these warnings it took nine weeks to start monitoring activity on its payments page.
The ICO found that Ticketmaster failed to:
Assess the risks of using a chat-bot on its payment page
Identify and implement appropriate security measures to negate the risks
Identify the source of suggested fraudulent activity in a timely manner
James Dipple-Johnstone, Deputy Information Commissioner, said:
“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not.
Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.
The £1.25milllion fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”
In a statement, Ticketmaster said:
“Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal [against] today’s announcement.”
Ticketmaster’s appeal will put the ICO’s reasoning and actions, when issuing fines, under judicial scrutiny. This will help GDPR practitioners faced with similar ICO investigations.
Ticketmaster is also facing civil legal action by thousands of fraud victims. Law firm Keller Lenkner, which represents some of these victims, said:
“While several banks tried to alert Ticketmaster of potential fraud, it took an unacceptable nine weeks for action to be taken, exposing an estimated 1.5 million UK customers,” said Kingsley Hayes, the firm’s head of cyber-crime.
Data Protection Officers are encouraged to read the Monetary Penalty Notice as it not only sets out the reasons for the ICO’s conclusion but also the factors it has taken into account in deciding to issue a fine and how it calculated the amount. This fine follows hot on the heels of the British Airways and Marriott fines which also concerned cyber security breaches. (You can read more about the causes of cyber security breaches in our recent blog post.)
75% of fines issued by the ICO under GDPR relate to cyber security. This is a top regulatory priority for the ICO as well as supervisory authorities across Europe. Data Protection Officers should place cyber security at the top of their learning and development plan for 2021.
Article 32 further requires measures to be implemented to ensure a level of security appropriate to the risk including “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”. Other GDPR provisions, including article 24 and article 25, demand similar requirements. As threats to complying with these articles emanate from malicious activity, mistakes, process weaknesses and software application vulnerabilities, it is clear that cyber security is an essential element of GDPR compliance.
Although many organisations rely on the IT department, the Chief Information Security Officer (CISO) or the Senior Information Risk Officer (SIRO) to lead implementation of cyber security controls, DPOs need a good understanding of this topic to most effectively discharge their responsibilities and ensure compliance.
What is Cyber Security?
The first step is to understand what cyber security is and what it is not. Various definitions exist. Most people associate cyber security with digital services, computerised devices and other forms of information technology. Protection against accidental and malevolent activity, unauthorised data access and preservation of services are fundamental cyber security goals but there’s more.
Cyber security touches the very heart of how we live work and play within the fourth industrial revolution as highlighted by the founder of the World Economic Forum. Boundaries between work and home life have never been so blurred. Government engagement around the world is increasingly conducted via digital services and individuals can barely avoid interacting with online services on a daily basis.
While numerous standards and frameworks exist to help drive best practice, each organisation needs to contextualise what cyber security means for itself. A survey of the most common standards and frameworks will be left for a later blog (some are highlighted further down in this article), yet every organisation should scope and detail its own meaningful definition of cyber security. High level definitions can be utilised if required to achieve this from respected organisations such as the National Cyber Security Centre (NCSC) or the National Institute of Standards and Technology (NIST).
However, it’s a myth to think cyber security is a standard or a framework of itself and that only technology is involved. People utilise technology and digital services by means of a process or procedure. Therefore, effective cyber security comprises people, process and technology and many breaches could have been avoided given changes to either of these three areas. The remainder of this blog introduces cyber security under each of these headings.
It is often stated that people are the greatest weakness when it comes to cyber security, but it doesn’t have to be this way – they can be the strongest defence. The National Cyber Security Centre (NCSC) has performed leading research around people centric cyber security which organisations can benefit from. Staff know the issues they face better than anyone else and should be included in the risk analysis. By understanding productivity roadblocks, working pressures and specific training needs, new ways of working can be formulated to minimise breaches and security mistakes.
For example, some groups could possibly opt to use enterprise collaboration applications (e.g. Microsoft Teams) to eradicate or decrease emails being sent to the wrong recipients. Watch the NCSC video or read the transcript for more information on developing people centric cyber security.
Security awareness training conducted well can be effective and significantly help prevent data and security breaches. Nonetheless, developing a security culture takes an organisation to the next level as staff develop their own sense of how to best protect the organisation and personal data. Culture change isn’t an overnight occurrence. Focused effort and dedicated resources are required but the results will be worth it.
Developing a security culture involves engaging with staff and seeking their input. Small group sessions, organisation wide campaigns and open communication forums are some of the many approaches to transform cultures. Useful reading on the human aspects of cyber security can be found in the Cyber Security Culture Guidelines: Behavioural Aspects of Cyber Security report by the European Union Agency for Cyber Security (ENISA).
It is important to ensure security measures and controls don’t hinder staff productivity or increase the likelihood that they will circumvent organisation policies. As the NCSC video above states, “if security doesn’t work for people, it doesn’t work”.
Earlier this year I was asked to advise on a serious data breach where sensitive data had been disclosed. It so happened the breach could have been avoided if either processes, staff action or if different technology had otherwise been deployed. The role of policies, processes, guidelines and procedures in cyber security shouldn’t be underestimated, especially with large contingents of remote workers during a pandemic. (Read about the data protection challenges of remote working here)
Start by reviewing your organisation’s cyber and/or information security policies if they exist. Consider when the last updates were made and read the documents several times, making notes on their suitability or any glaring gaps. Check if any standards or frameworks are in use such as the ISO 27000 Information Security Family or the NIST Cyber Security Framework. Many others exist too. If so, familiarise yourself with the associated literature and determine where you can begin to get involved.
Alternatively, you could be the staff member who introduces standards and frameworks into your organisation. You’ll likely need senior management support and the suggestion may have been considered previously. Either way, established best practice can help organisations review processes and streamline cyber security risk assessments. As mentioned previously, be sure to engage with staff who’ll likely see many process security risks for their departments that are blind to others.
At the very least, view the NCSC Risk management guidance which explains and recommends various concepts behind risk assessments. Combining cyber security risk assessments with Data Protection Impact Assessment (DPIAs) may also be an option in some cases. However, remember that while cyber security is essential for personal data protection, it extends to protecting the entire organisation too.
The use and maintenance of technology and digital services by staff, contractors and third-party suppliers forms the basis of technological aspects of cyber security. Online services, cloud computing and connected devices, or any other internet mediums through which data flows, are all cyber security concerns. Technology includes devices found in “smart homes” fitted with a degree of automation and the so-called Internet of Things (IoT), where numerous gadgets are connected online through a local network. Governments around the world are attempting to offer advice to mitigate the cyber risks associated with IoT devices. The UK Department for Digital, Culture, Media and Sport (DCMS) published a Code of Practice for Consumer IoT Security in 2018, although widespread adoption is in its infancy.
Technology is also used to strengthen cyber defences through a number of security applications, which deliver varying levels of protection depending on how often they are updated. Basic anti-virus programs have long since been accompanied by a suite of new security applications many of which are connected to cloud-based detection engines which rely on Artificial Intelligence (AI) to improve performance. Nonetheless, a sound risk management methodology should always be established prior to investing in new protective technologies – benefits of the expected decrease in risk need to ideally be measurable and potential loss ought to supersede or equal expenditure.
A great way to bring an organisations’ technical cyber security controls to a baseline standard is by adopting Cyber Essentials, a UK government backed scheme designed to guard against the most common cyber threats. Cyber Essentials outlines 5 control themes – firewalls, secure configuration, user configuration, malware protection and patch management. Organisations can become certified to Cyber Essentials in two ways – self-certification and Cyber Essentials Plus, where hands-on technical verification is carried out by an independent certified body.
Putting it all Together
Although this blog has described the people, process and technology aspects of cyber security separately, in reality all three areas need to be considered simultaneously. A cyber security risk methodology should always form the heart of any cyber security defence strategy as part of overall business risk management. Those responsible for cyber security should also ensure they keep themselves updated as the security landscape has been changing rapidly, both in terms of malicious or accidental attacks and defences. The good news is that with a concerted effort, organisations can adequately protect themselves and their staff.
Olu will be examining this subject further in our Cyber Security for DPOs workshop in November. A few places left. Our GDPR Essentials E learning course is ideal for training frontline staff. In just over 30 minutes they will learn about the key provisions of GDPR and how to keep personal data safe.
Cyber security is one of the Information Commissioner’s regulatory priorities; not surprising when you consider the Notices of Intent (to fine) issued by the ICO on British Airways and Marriott International. Recently we learnt that two companies involved in building emergency coronavirus hospitals have been hit by cyber-attacks. Cyber security is an important subject that Data Protection Officers need to understand to be able to fulfil their role effectively.
Act Now Training is pleased to announce that leading cyber security expert, Olu Odeniyi has joined its team of associates. Olu is a Cyber Security, Information Security and Digital Transformation Trusted Advisor who has 30 years’ experience. During this time, he has held several key senior leadership, strategic and operational positions, in the public and private sectors. As a former trustee of three charities, Olu held the roles of Technical Lead, Treasurer and Chair, where he was responsible for regulatory compliance, operational and project risk management.
Recent projects delivered by Olu include investigation of cyber related breaches, analysis of organisations’ cyber security postures and in-depth risk assessments. Olu has advised companies on requirements for attaining the government backed cyber essentials certification and the coveted ISO 27001 Information Security Management.
Workshops, presentations and lectures at the University of West London were given by Olu on topics such as information security and digital transformation.
At the University’s Enterprise Hub, Olu guided start-up companies on cyber security issues ranging from processes to technical considerations – he continues to support and mentor such companies. Analysis of academic cyber security research on novel ways to secure IoT (Internet of Things) devices using artificial intelligence concluded with Olu reporting his findings to the University.
Olu speaks at various conferences and information sessions on information governance and cyber security. In February this year, Olu spoke at the PrivSec Conference on ‘Deepfakes’ (hyper realistic synthetic video/audio generated by deep neural networks) to a packed theatre at the QEII conference centre in London. The session was hosted within the Threat Intelligence theatre with other speakers such as Mike Hulett, Head of Operations at National Crime Agency (NCA).
Olu is a professional member of the BCS (British Computer Society – The Chartered Institute for IT) and a Microsoft Certified Professional (MCP). Within the BCS, Olu is a member of the Information Risk Management and Assurance (IRMA), Information Security, Artificial Intelligence and the Cybercrime Forensics specialist interest groups. Olu said:
“I am delighted to be joining the Act Now team. I look forward to using my cyber security and digital transformation expertise to help Data Protection Officers understand and overcome the cyber challenges their organisations face. Over the coming months I will be developing practical online training courses that delegates can take from the comfort of their office”
Ibrahim Hasan, solicitor and director of Act Now Training, said:
“Olu’s reputation proceeds him. His expert knowledge coupled with experience of working for a range or organisations will help us expand our cyber security services. Together with our other cyber expert, Steven Cockroft, we are confident that we will be able to service the increasingly complex cyber needs of clients.”
In addition to training, Olu can help your organisation with personal data breaches, PEN testing, incident management, breach reporting and incident responses. Olu can also act as an outsourced or interim Chief Information Security Officer (CISO) or a Chief Information Officer (CIO).
Are you an information governance expert with a proven track record of delivering engaging training on GDPR, FOI or Cyber Security? Act Now Training is recruiting trainers to join its team of experts who deliver in-house and external training courses throughout the UK.
Despite expanding our team recently, we are facing heavy demand for our courses and consultancy services from the both the public and private sector. With more courses planned for 2020, including some new ones like Key Skills For Data Protection Officers, we need more talented trainers who enjoy the challenge of explaining difficult concepts in a practical jargon-free way.
We have opportunities for full time trainers as well as those who wish to add an extra “string to their bow” without leaving their day job. What is important is that you are enthusiastic about GDPR, FOI or Cyber Security and want to deliver innovative training (not “death by PowerPoint”) to a range of audiences.
Act Now is pleased to announce that Ibrahim Hasan has accepted an invitation to address the 21st Annual NAPCP Commercial Card and Payment Conference in Las Vegas, April 6-9 2020.
The NAPCP is a membership-based professional association committed to advancing Commercial Card and Payment professionals and industry practices globally, with timely research and resources, peer networking and events serving a community of almost 20,000 individuals worldwide. The NAPCP is a respected voice in the industry and an impartial resource for members at all experience levels in the public and private sectors.
In a session entitled “Complying with the GDPR and United States Privacy Legislation” Ibrahim will examine the impact of GDPR and the California Consumer Privacy Act (CCPA) on the Payment Card industry. He will also be presenting webinars pre and post conference on these subjects to the NAPCP community.
The NAPCP Annual Conference is the can’t-miss event for the industry, bringing together 600 professionals from around the world to share perspectives on all Commercial Card and Payment vehicles, including Purchasing Card, Travel Card, Fleet Card, Ghost Card, Declining Balance Card, ePayables and other electronic payment options. Experts and practitioners share case studies, successes and thought-provoking ideas in almost 80 breakout sessions, all with an eye for trends and innovation across sectors.
Diane McGuire, CPCP, MBA, Managing Director of the NACP, said:
“I am really pleased that Ibrahim has accepted our invitation to join us in Las Vegas. As legislators and governments globally are starting to wake up to the implications of the digital revolution on individuals’ rights, our conference delegates will benefit from his GDPR and privacy expertise in what is sure to be a thought-provoking session.”
This is one of a number of international projects that Act Now has worked on in recent years. In June 2018 we delivered a GDPR workshop in Dubai for Middle East businesses and their advisers. In 2015 Ibrahim went to Brunei to conduct data protection audit training for government staff.
Ibrahim Hasan said:
“I am really pleased to address the NACP conference in Las Vegas. Our GDPR expertise is now being recognised abroad. The United States is the latest addition to our increasing international portfolio. We hope to use the conference as a platform to showcase our expertise to the US Data Controllers.”
Regular registration is now open for the event. Head over to this link to confirm registration.
Act Now’s forthcoming live and interactive CCPA webinar will cover the main obligations and rights in CCPA and practical steps to compliance. This webinar is ideal for data protection officers and advisers in UK and US businesses.