Calling Cyber Security Trainers:
We are Hiring

Are you a cyber security expert with a reputation for delivering engaging training? We are recruiting trainers to join our team of expert associates who deliver in-house and external training courses throughout the UK and worldwide.

We are one of Europe’s leading information law training companies with a 20 year track record of delivering practical and engaging training which makes the complex simple. We recently won the Information and Records Management Society (IRMS) Supplier of the year award for 2022-23. This is the second consecutive year we have won this award.

Despite recently expanding our team, we are seeing an increase in global demand for our courses and consulting services from both the public and private sectors. We need more talented trainers who enjoy the challenge of explaining difficult concepts in a practical, jargon-free manner.

We have opportunities for full time trainers and those who wish to add an extra “string to their bow” without leaving their day job. What is important is that you are enthusiastic about Cyber Security and passionate about teaching it.

If you think you have what it takes to become an Act Now trainer, please get in touch with your CV explaining your knowledge and experience of delivering training and consultancy services in Cyber Security. 

Cyber Security Breaches Survey 2022: What DPOs need to know

Cyber security breaches are on the rise. Virtually every day there is a news story about a high profile organisation being hacked and personal data being lost or stolen. Last week the BBC reported that thousands, if not millions, of people could have lost money in the second largest crypto hack in history. Ronin Network, a key platform powering the popular mobile game Axie Infinity, has had $615m (£467m) stolen. More recently UK retailer, The Works has been forced to shut shops temporarily and suspend new stock deliveries after a cyber-attack.

And it’s not just the private sector. In January we learnt that Gloucester City Council’s website was hacked, affecting online revenue and benefits, planning and customer services. The work of Russian hackers (allegedly) could take up to six months to resolve, and affected servers and systems may need to be rebuilt.

Data Protection Officers need to be aware of the latest incidents and advice when it comes to cyber security breaches. The recently published DCMS Cyber Security Breaches Survey is important reading for all DPOs. It explores the policies, processes, and approaches to cyber security for businesses, charities, and educational institutions. It also considers the different forms of cyber-attack these organisations face, as well as how they are impacted and their response.

Cyber Attacks

The survey results show that in the last 12 months, 39% of UK businesses identified a cyber-attack. Of these, the most common threat vector was phishing attempts (83%). Of the 39%, around one in five (21%) identified a more sophisticated attack type such as a denial of service, malware, or ransomware attack. Despite its low prevalence, organisations cited ransomware as a major threat, with 56% of businesses having a policy not to pay ransoms. Note the recent GDPR fine issued to a firm of solicitors which suffered such an attack. Interestingly, they too chose not to pay the hackers.

Frequency and Impact

Within the group of organisations reporting cyber-attacks, 31% of businesses and 26% of charities estimate they were attacked at least once a week. One in five businesses (20%) and charities (19%) say they experienced a negative outcome as a direct consequence of a cyber-attack, while one third of businesses (35%) and almost four in ten charities (38%) experienced at least one negative impact. It is interesting that the survey focussed on charities too. July 2021 saw the first GDPR fine to a charity. The transgender charity Mermaids was fined £25,000 after the ICO found that it had failed to implement an appropriate level of security to its internal email systems, which resulted in documents or emails containing personal data being searchable and viewable online by third parties through internet search engine results.

Cost of Attacks

The survey found the average estimated cost of all cyber attacks in the last 12 months was £4,200. Considering only medium and large businesses, the figure rises to £19,400. Of course such incidents also mean a loss of reputation and customer trust. In October 2020, the ICO fined British Airways £20 million for a cyber security breach which saw the personal and financial details of more than 400,000 customers being accessed by hackers. British Airways also had to settle legal claims for compensation from affected customers.

Cyber Hygiene

The government guidance ‘10 Steps to Cyber Security’ breaks down the task of protecting an organisation into 10 key components. The survey finds 49% of businesses and 40% of charities have acted in at least five of these 10 areas. In particular, access management surveyed most favourably, while supply chain security was the least favourable.

Board Engagement

Around four in five (82%) of boards or senior management within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority, an increase on 77% in 2021. 72% in charities rate cyber security as a ‘very high’ or ‘fairly high’ priority. Additionally, 50% of businesses and 42% of charities say they update the board on cyber security matters at least quarterly. Our new webinar “GDPR and the Charity Sector Webinar” is ideal for raising awareness amongst charity trustees.

Size Differential

Larger organisations are correlated throughout the survey with enhanced cyber security, likely as a consequence of increased funding and expertise. For large businesses, 80% update the board on cyber security at least quarterly, 63% conducted a risk assessment, and 61% carried out staff training, compared with 50%, 33% and 17% respectively for all businesses. Our GDPR Essentials e-learning course contains a specific module on keeping data safe which warns of the most common cyber hacking/phishing tactics.

Risk Management

Just over half of businesses surveyed (54%) have acted in the past 12 months to identify cyber security risks, through a range of actions, of which security monitoring tools (35%) were the most common. Qualitative interviews, however, found that limited board understanding meant the risk was often passed on to outsourced cyber providers, insurance companies, or an internal cyber colleague.

Outsourcing and Supply Chain

Small, medium, and large businesses outsource their IT and cyber security to an external supplier 58%, 55%, and 60% of the time respectively, with organisations citing access to greater expertise, resources, and standards for cyber security. Consequently, only 13% of businesses assessed the risks posed by their immediate suppliers, with organisations saying that cyber security was not an important factor in the procurement process.

Incident Management

Incident management policy is limited with only 19% of businesses having a formal incident response plan, while 39% have assigned roles should an incident occur. In contrast, businesses show a clear reactive approach when breaches occur, with 84% of businesses saying they would inform the board, while 73% would make an assessment of the attack.

External engagement

Outside of working with external cyber security providers, organisations most keenly engage with insurers: 43% of businesses have an insurance policy that covers cyber risks. On the other hand, only 6% of businesses have the Cyber Essentials certification and 1% have Cyber Essentials Plus, which is largely due to relatively low awareness. The importance of this was highlighted in the recent GDPR fine issued to Tuckers solicitors.

The DCMS Cyber Security Breaches Survey is important reading for all Data Protection Officers and IT staff. Aligning with the National Cyber Strategy, it is used to inform government policy on cyber security. It should also be used to stay abreast of cyber security developments and formulate your own organisation’s cyber security strategy.  

Our Managing Personal Data Breaches workshop will examine the law and best practice in this area, drawing on real-life case studies, to identify how organisations can position themselves to deal appropriately with data security incidents and data breaches, in order to minimise the impact on customers and service users and mitigate reputational damage.

Ticketmaster Fined £1.25m Over Cyber Attack


GDPR fines are like a number 65 bus. You wait for a long time and then three arrive at once. In the space of a month the Information Commissioner’s Office (ICO) has issued three Monetary Penalty Notices. The latest requires Ticketmaster to pay £1.25m following a cyber-attack on its website which compromised millions of customers’ personal information.  

The ICO investigation into this breach found a vulnerability in a third-party chatbot built by Inbenta Technologies, which Ticketmaster had installed on its online payments page. A cyber-attacker was able to use the chatbot to access customer payment details which included names, payment card numbers, expiry dates and CVV numbers. This had the potential to affect 9.4million Ticketmaster customers across Europe including 1.5 million in the UK. 

As a result of the breach, according to the ICO, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use. The ICO said these banks and others had warned Ticketmaster of suspected fraud. Despite these warnings, it took nine weeks to start monitoring activity on its payments page.

The ICO found that Ticketmaster failed to: 

  • Assess the risks of using a chat-bot on its payment page 
  • Identify and implement appropriate security measures to negate the risks 
  • Identify the source of suggested fraudulent activity in a timely manner 

James Dipple-Johnstone, Deputy Information Commissioner, said: 

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not. 

Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud. 

The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

In a statement, Ticketmaster said:  

“Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO.
We plan to appeal [against] today’s announcement.” 

Ticketmaster’s appeal will put the ICO’s reasoning and actions, when issuing fines, under judicial scrutiny. This will help GDPR practitioners faced with similar ICO investigations.   

Ticketmaster is also facing civil legal action by thousands of fraud victims. Law firm Keller Lenkner, which represents some of these victims, said: 

“While several banks tried to alert Ticketmaster of potential fraud, it took an unacceptable nine weeks for action to be taken, exposing an estimated 1.5 million UK customers,” said Kingsley Hayes, the firm’s head of cyber-crime.  

Data Protection Officers are encouraged to read the Monetary Penalty Notice as it not only sets out the reasons for the ICO’s conclusion but also the factors it has taken into account in deciding to issue a fine and how it calculated the amount. This fine follows hot on the heels of the British Airways and Marriott fines which also concerned cyber security breaches. (You can read more about the causes of cyber security breaches in our recent blog post.) 

75% of fines issued by the ICO under GDPR relate to cyber security. This is a top regulatory priority for the ICO as well as supervisory authorities across Europe.
Data Protection Officers should place cyber security at the top of their learning and development plan for 2021.  

We have some places available on our forthcoming Cyber Security for DPOs workshop. This and other GDPR developments will be covered in our next online GDPR update workshop.

Cyber Security and GDPR Compliance


Olu Odeniyi writes…

Data Protection Officers (DPOs), and others who work in data protection, will know that a fundamental requirement of GDPR is to protect personal data “against accidental loss, destruction or damage, using appropriate technical or organisational measures”, as stipulated in the sixth data protection principle in Article 5. As the recent British Airways data breach fine has shown, failure to comply can be costly.

Article 32 further requires measures to be implemented to ensure a level of security appropriate to the risk, including “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”. Other GDPR provisions, including Article 24 and Article 25, impose similar requirements. As threats to complying with these articles emanate from malicious activity, mistakes, process weaknesses and software application vulnerabilities, it is clear that cyber security is an essential element of GDPR compliance.

Although many organisations rely on the IT department, the Chief Information Security Officer (CISO) or the Senior Information Risk Officer (SIRO) to lead implementation of cyber security controls, DPOs need a good understanding of this topic to discharge their responsibilities most effectively and ensure compliance.

What is Cyber Security?

The first step is to understand what cyber security is and what it is not. Various definitions exist. Most people associate cyber security with digital services, computerised devices and other forms of information technology. Protection against accidental and malevolent activity, unauthorised data access and preservation of services are fundamental cyber security goals but there’s more. 

Cyber security touches the very heart of how we live, work and play within the fourth industrial revolution, as highlighted by the founder of the World Economic Forum. Boundaries between work and home life have never been so blurred. Government engagement around the world is increasingly conducted via digital services, and individuals can barely avoid interacting with online services on a daily basis.

While numerous standards and frameworks exist to help drive best practice, each organisation needs to contextualise what cyber security means for itself. A survey of the most common standards and frameworks will be left for a later blog (some are highlighted further down in this article), yet every organisation should scope and detail its own meaningful definition of cyber security. To achieve this, high-level definitions from respected organisations such as the National Cyber Security Centre (NCSC) or the National Institute of Standards and Technology (NIST) can be used as a starting point.

However, it’s a myth to think that cyber security is itself a standard or a framework, or that only technology is involved. People use technology and digital services by means of a process or procedure. Therefore, effective cyber security comprises people, process and technology, and many breaches could have been avoided given changes to any of these three areas. The remainder of this blog introduces cyber security under each of these headings.

People

It is often stated that people are the greatest weakness when it comes to cyber security, but it doesn’t have to be this way – they can be the strongest defence. The National Cyber Security Centre (NCSC) has performed leading research around people centric cyber security which organisations can benefit from. Staff know the issues they face better than anyone else and should be included in the risk analysis. By understanding productivity roadblocks, working pressures and specific training needs, new ways of working can be formulated to minimise breaches and security mistakes. 

For example, some groups could possibly opt to use enterprise collaboration applications (e.g. Microsoft Teams) to eradicate or decrease emails being sent to the wrong recipients. Watch the NCSC video or read the transcript for more information on developing people centric cyber security.

Security awareness training conducted well can be effective and significantly help prevent data and security breaches. Nonetheless, developing a security culture takes an organisation to the next level as staff develop their own sense of how to best protect the organisation and personal data. Culture change isn’t an overnight occurrence.
Focused effort and dedicated resources are required but the results will be worth it. 

Developing a security culture involves engaging with staff and seeking their input.
Small group sessions, organisation-wide campaigns and open communication forums are some of the many approaches to transforming cultures. Useful reading on the human aspects of cyber security can be found in the Cyber Security Culture Guidelines: Behavioural Aspects of Cyber Security report by the European Union Agency for Cyber Security (ENISA).

It is important to ensure security measures and controls don’t hinder staff productivity or increase the likelihood that they will circumvent organisation policies. As the NCSC video above states, “if security doesn’t work for people, it doesn’t work”.

Process

Earlier this year I was asked to advise on a serious data breach where sensitive data had been disclosed. It so happened that the breach could have been avoided if different processes, staff actions or technology had been in place. The role of policies, processes, guidelines and procedures in cyber security shouldn’t be underestimated, especially with large contingents of remote workers during a pandemic. (Read about the data protection challenges of remote working here.)

Start by reviewing your organisation’s cyber and/or information security policies if they exist. Consider when the last updates were made and read the documents several times, making notes on their suitability or any glaring gaps. Check if any standards or frameworks are in use such as the ISO 27000 Information Security Family or the NIST Cyber Security Framework. Many others exist too. If so, familiarise yourself with the associated literature and determine where you can begin to get involved. 

Alternatively, you could be the staff member who introduces standards and frameworks into your organisation. You’ll likely need senior management support and the suggestion may have been considered previously. Either way, established best practice can help organisations review processes and streamline cyber security risk assessments. As mentioned previously, be sure to engage with staff who’ll likely see many process security risks for their departments that are blind to others.

At the very least, view the NCSC Risk management guidance, which explains and recommends various concepts behind risk assessments. Combining cyber security risk assessments with Data Protection Impact Assessments (DPIAs) may also be an option in some cases. However, remember that while cyber security is essential for personal data protection, it extends to protecting the entire organisation too.

Technology

The use and maintenance of technology and digital services by staff, contractors and third-party suppliers forms the basis of the technological aspects of cyber security. Online services, cloud computing and connected devices, or any other internet medium through which data flows, are all cyber security concerns. Technology includes devices found in “smart homes” fitted with a degree of automation and the so-called Internet of Things (IoT), where numerous gadgets are connected online through a local network. Governments around the world are attempting to offer advice to mitigate the cyber risks associated with IoT devices. The UK Department for Digital, Culture, Media and Sport (DCMS) published a Code of Practice for Consumer IoT Security in 2018, although widespread adoption is in its infancy.

Technology is also used to strengthen cyber defences through a number of security applications, which deliver varying levels of protection depending on how often they are updated. Basic anti-virus programs have long since been accompanied by a suite of newer security applications, many of which are connected to cloud-based detection engines that rely on Artificial Intelligence (AI) to improve performance. Nonetheless, a sound risk management methodology should always be established prior to investing in new protective technologies – the benefits of the expected decrease in risk should ideally be measurable, and the potential loss averted ought to equal or exceed the expenditure.

A great way to bring an organisation’s technical cyber security controls to a baseline standard is by adopting Cyber Essentials, a UK government-backed scheme designed to guard against the most common cyber threats. Cyber Essentials outlines 5 control themes – firewalls, secure configuration, user configuration, malware protection and patch management. Organisations can become certified to Cyber Essentials in two ways – self-certification and Cyber Essentials Plus, where hands-on technical verification is carried out by an independent certified body.

Putting it all Together

Although this blog has described the people, process and technology aspects of cyber security separately, in reality all three areas need to be considered simultaneously. A cyber security risk methodology should always form the heart of any cyber security defence strategy, as part of overall business risk management. Those responsible for cyber security should also ensure they keep themselves updated, as the security landscape has been changing rapidly, both in terms of malicious or accidental attacks and of defences. The good news is that with a concerted effort, organisations can adequately protect themselves and their staff.

Olu will be examining this subject further in our Cyber Security for DPOs workshop in November. A few places are left. Our GDPR Essentials e-learning course is ideal for training frontline staff. In just over 30 minutes they will learn about the key provisions of GDPR and how to keep personal data safe.

Act Now Expands its Cyber Security Team


Cyber security is one of the Information Commissioner’s regulatory priorities; not surprising when you consider the Notices of Intent (to fine) issued by the ICO on British Airways and Marriott International. Recently we learnt that two companies involved in building emergency coronavirus hospitals have been hit by cyber-attacks. Cyber security is an important subject that Data Protection Officers need to understand to be able to fulfil their role effectively.

Act Now Training is pleased to announce that leading cyber security expert, Olu Odeniyi has joined its team of associates. Olu is a Cyber Security, Information Security and Digital Transformation Trusted Advisor who has 30 years’ experience. During this time, he has held several key senior leadership, strategic and operational positions, in the public and private sectors. As a former trustee of three charities, Olu held the roles of Technical Lead, Treasurer and Chair, where he was responsible for regulatory compliance, operational and project risk management.

Recent projects delivered by Olu include investigation of cyber-related breaches, analysis of organisations’ cyber security postures and in-depth risk assessments. Olu has advised companies on requirements for attaining the government-backed Cyber Essentials certification and the coveted ISO 27001 Information Security Management certification. Olu has also given workshops, presentations and lectures at the University of West London on topics such as information security and digital transformation.

At the University’s Enterprise Hub, Olu guided start-up companies on cyber security issues ranging from processes to technical considerations – he continues to support and mentor such companies. Analysis of academic cyber security research on novel ways to secure IoT (Internet of Things) devices using artificial intelligence concluded with Olu reporting his findings to the University.

Olu speaks at various conferences and information sessions on information governance and cyber security. In February this year, Olu spoke at the PrivSec Conference on ‘Deepfakes’ (hyper realistic synthetic video/audio generated by deep neural networks) to a packed theatre at the QEII conference centre in London. The session was hosted within the Threat Intelligence theatre with other speakers such as Mike Hulett, Head of Operations at National Crime Agency (NCA).

Olu is a professional member of the BCS (British Computer Society – The Chartered Institute for IT) and a Microsoft Certified Professional (MCP). Within the BCS, Olu is a member of the Information Risk Management and Assurance (IRMA), Information Security, Artificial Intelligence and the Cybercrime Forensics specialist interest groups. Olu said:

“I am delighted to be joining the Act Now team and look forward to using my cyber security and digital transformation expertise to help Data Protection Officers understand and overcome the cyber challenges their organisations face. Over the coming months I will be developing practical online training courses that delegates can take from the comfort of their office.”

Ibrahim Hasan, solicitor and director of Act Now Training, said:

“Olu’s reputation precedes him. His expert knowledge coupled with experience of working for a range of organisations will help us expand our cyber security services. Together with our other cyber expert, Steven Cockroft, we are confident that we will be able to service the increasingly complex cyber needs of clients.”

In addition to training, Olu can help your organisation with personal data breaches, penetration testing, incident management, breach reporting and incident response. Olu can also act as an outsourced or interim Chief Information Security Officer (CISO) or Chief Information Officer (CIO).

Olu will be delivering a free webinar, “Introduction to Cyber Security for DPOs”, on 26th May 2020 (11am). Places are limited so please book early. Our GDPR Update is ideal for those looking to keep abreast of the latest GDPR developments. Finally, the GDPR Practitioner Certificate course is now available as an online option and is filling fast.


Cyber Security Month is Here!


October is European Cyber Security Month. This is the EU’s annual awareness campaign that takes place each October across Europe. The aim is to raise awareness of cyber security threats, promote cyber security among citizens and organisations, and provide resources for online protection through education and the sharing of good practice.

Every single day the cyber security landscape becomes more complicated. Criminals are continually inventing new ways to carry out cyber-attacks. A Freedom of Information request by insurance broker Gallagher recently revealed that UK councils were fending off an average of 800 cyber attacks per hour.

Organisations that do not take appropriate action are at grave risk of business disruption, reputational damage and regulatory action. In July we saw the Information Commissioner’s Office (ICO) signal its intention to use its powers to issue Monetary Penalty Notices (fines) under the General Data Protection Regulation (GDPR). Two Notices of Intent were issued against British Airways and Marriott International respectively. Both relate to cyber security incidents, but for different reasons and amounts. (More here.)

Cyber security needs to become a top priority for organisations and individuals. Training and awareness are crucial. The National Cyber Security Centre publishes a regular report on cyber incident trends in the UK with guidance on how to defend against and recover from them. Act Now is running a series of Cyber Security workshops led by cyber expert Steven Cockcroft. The first one was in London last week and attracted delegates from both the public and private sectors. Habib Khatib, Head of Operations at Talk Direct (Leeds) Ltd, said:

“This was an excellent workshop which really opened my eyes to the threats that organisations face from cyber criminals. Steve’s expert knowledge will help me to implement a cyber action plan within my company.”

To celebrate Cyber Security Month, all new delegates booking on a Cyber Security workshop will receive a discount of 10% if they quote the reference “OCTOBER10%”. This offer applies until 11.59pm on 31st October 2019. A day to remember for more than one reason!

More on these and other developments in our GDPR update workshop presented by Ibrahim Hasan. Looking for a GDPR qualification? Our practitioner certificate is the best option.
