The British Library Hack: A Chapter in Ransomware Resilience

In a stark reminder of the persistent threat of cybercrime, the British Library has confirmed a data breach incident that has led to the exposure of sensitive personal data, with materials purportedly up for auction online. An October intrusion by a notorious cybercrime group targeted the library, which is home to an extensive collection, including over 14 million books.

Recently, the ransomware group Rhysida claimed responsibility, publicly displaying snippets of sensitive data, and announcing the sale of this information for a significant sum of around £600k to be paid in cryptocurrency.

While the group boasts about the data’s exclusivity and sets a firm bidding deadline (today 27th November 2023), the library has only acknowledged a leak of what seems to be internal human resources documents. It has not verified the identity of the attackers nor the authenticity of the sale items. The cyber attack has significantly disrupted the library’s operations, leading to service interruptions expected to span several months.

In response, the library has strengthened its digital defenses, sought expert cybersecurity assistance, and urged its patrons to update their login credentials as a protective measure. The library is working closely with the National Cyber Security Centre and law enforcement to investigate, but details remain confidential due to the ongoing inquiry.

The consequences of the attack have necessitated a temporary shutdown of the library’s online presence. Physical locations, however, remain accessible. Updates can be found the British Library’s X (née twitter) feed. The risk posed by Rhysida has drawn attention from international agencies, with recent advisories from the FBI and US cybersecurity authorities. The group has been active globally, with attacks on various sectors and institutions.

The British Library’s leadership has expressed appreciation for the support and patience from its community as it navigates the aftermath of the cyber attack.

What is a Ransomware Attack?

A ransomware attack is a type of malicious cyber operation where hackers infiltrate a computer system to encrypt data, effectively locking out the rightful users. The attackers then demand payment, often in cryptocurrency, for the decryption key. These attacks can paralyse organisations, leading to significant data loss and disruption of operations.

Who is Rhysida?

The Rhysida ransomware group first came to the fore in May of 2023, following the emergence of their victim support chat portal hosted via the TOR browser. The group identifies as a “cybersecurity team” who highlight security flaws by targeting victims’ systems and spotlighting the supposed potential ramifications of the involved security issues.

How to prevent a Ransomware Attack?

Hackers are becoming more and more sophisticated in ways they target our personal data. We have seen this with banking scams recently. However there are some measures we can implement personally and within our organisations to prevent a ransomware attack.

  1. Avoid Unverified Links: Refrain from clicking on links in spam emails or unfamiliar websites. Hackers frequently disseminate ransomware via such links, which, when clicked, can initiate the download of malware. This malware can then encrypt your data and hold it for ransom​​.

  2. Safeguard Personal Information: It’s crucial to never disclose personal information such as addresses, NI numbers, login details, or banking information online, especially in response to unsolicited communications​​.

  3. Educate Employees: Increasing awareness among employees can be a strong defence. Training should focus on identifying and handling suspicious emails, attachments, and links. Additionally, having a contingency plan in the event of a ransomware infection is important​​.

  4. Implement a Firewall: A robust firewall can act as a first line of defence, monitoring incoming and outgoing traffic for threats and signs of malicious activity. This should be complemented with proactive measures such as threat hunting and active tagging of workloads​​.

  5. Regular Backups: Maintain up-to-date backups of all critical data. In the event of a ransomware attack, having these backups means you can restore your systems to a previous, unencrypted state without having to consider ransom demands.

  6. Create Inventories of Assets and Data: Having inventories of the data and assets you hold allows you to have an immediate knowledge of what has been compromised in the event of an attack whilst also allowing you to update security protocols for sensitive data over time.

  7. Multi-Factor Authentication: Identifying legitimate users in more than one way ensures that you are only granting access to those intended. 

These are some strategies organisations can use as part of a more comprehensive cybersecurity protocol which will significantly reduce the risk of falling victim to a ransomware attack. 

Join us on our workshop “How to increase Cyber Security in your Organisation” and Cyber Security for DPO’s where we discuss all of the above and more helping you create the right foundations for Cyber resilience within your organisation. 

£4.4 Million GDPR Fine for Construction Company 

This month the UK Information Commissioner’s Office has issued two fines and one Notice of Intent under GDPR. 

The latest fine is three times more than that imposed on Easylife Ltd on 5th October. Yesterday, Interserve Group Ltd was fined £4.4 million for failing to keep personal information of its staff secure.  

The ICO found that the Berkshire based construction company failed to put appropriate security measures in place to prevent a cyber-attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email. The compromised data included personal information such as contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information. 

The Phishing Email 

In March 2020, an Interserve employee forwarded a phishing email, which was not quarantined or blocked by Interserve’s IT system, to another employee who opened it and downloaded its content. This resulted in the installation of malware onto the employee’s workstation. 

The company’s anti-virus quarantined the malware and sent an alert, but Interserve failed to thoroughly investigate the suspicious activity. If they had done so, Interserve would have found that the attacker still had access to the company’s systems. 

The attacker subsequently compromised 283 systems and 16 accounts, as well as uninstalling the company’s anti-virus solution. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable. 

The ICO investigation found that Interserve failed to follow-up on the original alert of a suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments, which ultimately left them vulnerable to a cyber-attack. Consequently, Interserve had breached Article 5 and Article 32 of GDPR by failing to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information. 

Notice of Intent 

Interestingly in this case the Notice of Intent (the pre cursor to the fine) was for also for £4.4million i.e. no reductions were made by the ICO despite Interserve’s representations. Compare this to the ICO’s treatment of two much bigger companies who also suffered cyber security breaches. In July 2018, British Airways was issued with a Notice of Intent in the sum of £183 Million but the actual fine was reduced to £20 million in July 2020. In November 2020 Marriott International Inc was fined £18.4 million, much lower than the £99 million set out in the original notice. 

The Information Commissioner, John Edwards, has warned that companies are leaving themselves open to cyber-attack by ignoring crucial measures like updating software and training staff: 

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office. 

Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.” 

We have been here before. On 10th March the ICO  fined Tuckers Solicitors LLP £98,000 following a ransomware attack on the firm’s IT systems in August 2020. The attacker had encrypted 972,191 files, of which 24,712 related to court bundles.  60 of those were exfiltrated by the attacker and released on the dark web.   

Action Points  

Organisations need to strengthen their defences and have plans in place; not just to prevent a cyber-attack but what to do when it does takes place. Here are our top tips: 

  1. Conduct a cyber security risk assessment and consider an external accreditation through  Cyber Essentials. 
  1. Ensure your employees know the risks of malware/ransomware and follows good security practice. At the time of the cyber-attack, one of the two Interserve employees who received the phishing email had not undertaken data protection training. (Our GDPR Essentials  e-learning solution is a very cost effective e learning solution which contains a specific module on keeping data safe.)  
  1. Have plans in place for a cyber security breach. See our Managing Personal Data Breaches workshop.  
  1. Earlier in the year, the ICO worked with NCSC to remind organisations not to pay a ransom in case of a cyber-attack, as it does not reduce the risk to individuals and is not considered as a reasonable step to safeguard data. For more information, take a look at the ICO ransomware guidance or visit the NCSC website to learn about mitigating a ransomware threat via their business toolkit

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop.  

Are you an experienced GDPR Practitioner wanting to take your skills to the next level? Our Advanced Certificate in GDPR Practice starts on 21st November.  

Calling Cyber Security Trainers:
We are Hiring

Are you a cyber security expert with a reputation for delivering engaging training? We are recruiting trainers to join our team of expert associates who deliver in-house and external training courses throughout the UK and worldwide.

We are one of Europe’s leading information law training companies with a 20 year track record of delivering practical and engaging training which makes the complex simple. We recently won the Information and Records Management Society (IRMS) Supplier of the year award for 2022-23. This is the second consecutive year we have won this award.

Despite recently expanding our team, we are seeing an increase in global demand for our courses and consulting services from both the public and private sectors. We need more talented trainers who enjoy the challenge of explaining difficult concepts in a practical, jargon-free manner.

We have opportunities for full time trainers and those who wish to add an extra “string to their bow” without leaving their day job. What is important is that you are enthusiastic about Cyber Security and passionate about teaching it.

If you think you have what it takes to become an Act Now trainer, please get in touch with your CV explaining your knowledge and experience of delivering training and consultancy services in Cyber Security. 

Cyber Security Breaches Survey 2022: What DPOs need to know

Cyber security breaches are on the rise. Virtually every day there is a news story about a high profile organisation being hacked and personal data being lost or stolen. Last week the BBC reported that thousands, if not millions, of people could have lost money in the second largest crypto hack in history. Ronin Network, a key platform powering the popular mobile game Axie Infinity, has had $615m (£467m) stolen. More recently UK retailer, The Works has been forced to shut shops temporarily and suspend new stock deliveries after a cyber-attack.

And it’s not just the private sector. In January we learnt that Gloucester City Council’s website was hacked affecting online revenue and benefits, planning and customer services. The work of Russian hackers(allegedly) could take up to six months to resolve and affected servers and systems may need to be rebuilt.

Data Protection Officers need to be aware of the latest incidents and advice when it comes to cyber security breaches. The recently published DCMS Cyber Security Breaches Survey is important reading for all DPOs. It explores the policies, processes, and approaches to cyber security for businesses, charities, and educational institutions. It also considers the different forms of cyber-attack these organisations face, as well as how they are impacted and their response.

Cyber Attacks

The survey results show that in the last 12 months, 39% of UK businesses identified a cyber-attack. Of these, the most common threat vector was phishing attempts (83%). Of the 39%, around one in five (21%) identified a more sophisticated attack type such as a denial of service, malware, or ransomware attack. Despite its low prevalence, organisations cited ransomware as a major threat, with 56% of businesses having a policy not to pay ransoms. Note recently the GDPR fine issued to a firm of solicitors who suffered such an attack. Interestingly they too chose not to pay the hackers. 

Frequency and Impact

Within the group of organisations reporting cyber-attacks, 31% of businesses and 26% of charities estimate they were attacked at least once a week. One in five businesses (20%) and charities (19%) say they experienced a negative outcome as a direct consequence of a cyber-attack, while one third of businesses (35%) and almost four in ten charities (38%) experienced at least one negative impact. It is interesting that the survey focussed on charities too. July 2021 saw the first GDPR fine to a charity. The transgender charity Mermaids was fined £25,000 after the ICO found that it had failed to implement an appropriate level of security to its internal email systems, which resulted in documents or emails containing personal data being searchable and viewable online by third parties through internet search engine results.

Cost of Attacks

The survey found the average estimated cost of all cyber attacks in the last 12 months was £4,200. Considering only medium and large businesses; the figure rises to £19,400. Of course such incidents also mean a loss of reputation and customer trust. In October 2020, the ICO fined British Airways £20million for a cyber security breach which saw the personal and financial details of more than 400,000 customers being accessed by hackers. British Airways also had to settle legal claims for compensation from affected customers. 

Cyber Hygiene

The government guidance ‘10 Steps to Cyber Security’ breaks down the task of protecting an organisation into 10 key components. The survey finds 49% of businesses and 40% of charities have acted in at least five of these 10 areas. In particular, access management surveyed most favourably, while supply chain security was the least favourable.

Board Engagement

Around four in five (82%) of boards or senior management within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority, an increase on 77% in 2021. 72% in charities rate cyber security as a ‘very high’ or ‘fairly high’ priority. Additionally, 50% of businesses and 42% of charities say they update the board on cyber security matters at least quarterly. Our new webinar “GDPR and the Charity Sector Webinar” is ideal for raising awareness amongst charity trustees.

Size Differential

Larger organisations are correlated throughout the survey with enhanced cyber security, likely as a consequence of increased funding and expertise. For large businesses’ cyber security; 80% update the board at least quarterly, 63% conducted a risk assessment, and 61% carried out staff training; compared with 50%, 33% and 17% respectively for all businesses. Our GDPR Essentials e learning course contains a specific module on keeping data safe which warns of the most common cyber hacking/phishing tactics.  

Risk Management

Just over half of businesses surveyed (54%) have acted in the past 12 months to identify cyber security risks, including a range of actions, where security monitoring tools (35%) were the most common. Qualitative interviews however found that limited board understanding meant the risk was often passed on to; outsourced cyber providers, insurance companies, or an internal cyber colleague.

Outsourcing and Supply Chain

Small, medium, and large businesses outsource their IT and cyber security to an external supplier 58%, 55%, and 60% of the time respectively, with organisations citing access to greater expertise, resources, and standard for cyber security. Consequently, only 13% of businesses assessed the risks posed by their immediate suppliers, with organisations saying that cyber security was not an important factor in the procurement process.

Incident Management

Incident management policy is limited with only 19% of businesses having a formal incident response plan, while 39% have assigned roles should an incident occur. In contrast, businesses show a clear reactive approach when breaches occur, with 84% of businesses saying they would inform the board, while 73% would make an assessment of the attack.

External engagement

Outside of working with external cyber security providers, organisations most keenly engage with insurers, where 43% of businesses have an insurance policy that cover cyber risks. On the other hand, only 6% of businesses have the Cyber Essentials certification and 1% have Cyber Essentials plus, which is largely due to relatively low awareness. The importance of this was highlighted in the recent GDPR fine issued to Tuckers solicitors.

The DCMS Cyber Security Breaches Survey is important reading for all Data Protection Officers and IT staff. Aligning with the National Cyber Strategy, it is used to inform government policy on cyber security. It should also be used to stay abreast of cyber security developments and formulate your own organisation’s cyber security strategy.  

Our Managing Personal Data Breaches workshop will examine the law and best practice in this area, drawing on real-life case studies, to identify how organisations can position themselves to deal appropriately with data security incidents and data breaches, in order to minimise the impact on customers and service users and mitigate reputational damage.

Ticketmaster Fined £1.25m Over Cyber Attack

GDPR fines are like a number 65 bus. You wait for a long time and then three arrive at once. In the space of a month the Information Commissioner’s Office (ICO) has issued three Monetary Penalty Notices. The latest requires Ticketmaster to pay £1.25m following a cyber-attack on its website which compromised millions of customers’ personal information.  

The ICO investigation into this breach found a vulnerability in a third-party chatbot built by Inbenta Technologies, which Ticketmaster had installed on its online payments page. A cyber-attacker was able to use the chatbot to access customer payment details which included names, payment card numbers, expiry dates and CVV numbers. This had the potential to affect 9.4million Ticketmaster customers across Europe including 1.5 million in the UK. 

As a result of the breach, according to the ICO, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6000 cards were replaced by Monzo Bank after it suspected fraudulent use. The ICO said these bank and others had warned Ticketmaster of suspected fraud. Despite these warnings it took nine weeks to start monitoring activity on its payments page. 

The ICO found that Ticketmaster failed to: 

  • Assess the risks of using a chat-bot on its payment page 
  • Identify and implement appropriate security measures to negate the risks 
  • Identify the source of suggested fraudulent activity in a timely manner 

James Dipple-Johnstone, Deputy Information Commissioner, said: 

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not. 

Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud. 

The £1.25milllion fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.” 

In a statement, Ticketmaster said:  

“Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO.
We plan to appeal [against] today’s announcement.” 

Ticketmaster’s appeal will put the ICO’s reasoning and actions, when issuing fines, under judicial scrutiny. This will help GDPR practitioners faced with similar ICO investigations.   

Ticketmaster is also facing civil legal action by thousands of fraud victims. Law firm Keller Lenkner, which represents some of these victims, said: 

“While several banks tried to alert Ticketmaster of potential fraud, it took an unacceptable nine weeks for action to be taken, exposing an estimated 1.5 million UK customers,” said Kingsley Hayes, the firm’s head of cyber-crime.  

Data Protection Officers are encouraged to read the Monetary Penalty Notice as it not only sets out the reasons for the ICO’s conclusion but also the factors it has taken into account in deciding to issue a fine and how it calculated the amount. This fine follows hot on the heels of the British Airways and Marriott fines which also concerned cyber security breaches. (You can read more about the causes of cyber security breaches in our recent blog post.) 

75% of fines issued by the ICO under GDPR relate to cyber security. This is a top regulatory priority for the ICO as well as supervisory authorities across Europe.
Data Protection Officers should place cyber security at the top of their learning and development plan for 2021.  

We have some places available on our forthcoming Cyber Security for DPOs workshop. This and other GDPR developments will be covered in our next online GDPR update workshop.

Cyber Security and GDPR Compliance

Olu Odeniyi writes…

Data Protection Officers (DPOs), and others who work in data protection, will know that a fundamental requirement of GDPR is to protect personal data ”against accidental loss, destruction or damage, using appropriate technical or organisational measures” as stipulated in the sixth data protection principle in Article 5. As the recent British Airways data breach fine has shown, failure to comply can be costly.

Article 32 further requires measures to be implemented to ensure a level of security appropriate to the risk  including “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”. Other GDPR provisions, including article 24 and article 25, demand similar requirements. As threats to complying with these articles emanate from malicious activity, mistakes, process weaknesses and software application vulnerabilities, it is clear that cyber security is an essential element of GDPR compliance.

Although many organisations rely on the IT department, the Chief Information Security Officer (CISO) or the Senior Information Risk Officer (SIRO) to lead implementation of cyber security controls, DPOs need a good understanding  of this topic to most effectively discharge their responsibilities and ensure compliance. 

What is Cyber Security?

The first step is to understand what cyber security is and what it is not. Various definitions exist. Most people associate cyber security with digital services, computerised devices and other forms of information technology. Protection against accidental and malevolent activity, unauthorised data access and preservation of services are fundamental cyber security goals but there’s more. 

Cyber security touches the very heart of how we live work and play within the fourth industrial revolution as highlighted by the founder of the World Economic Forum. Boundaries between work and home life have never been so blurred.
Government engagement around the world is increasingly conducted via digital services and individuals can barely avoid interacting with online services on a daily basis. 

While numerous standards and frameworks exist to help drive best practice, each organisation needs to contextualise what cyber security means for itself. A survey of the most common standards and frameworks will be left for a later blog (some are highlighted further down in this article), yet every organisation should scope and detail its own meaningful definition of cyber security. High level definitions can be utilised if required to achieve this from respected organisations such as the National Cyber Security Centre (NCSC) or the National Institute of Standards and Technology (NIST)

However, it’s a myth to think cyber security is a standard or a framework of itself and that only technology is involved. People utilise technology and digital services by means of a process or procedure. Therefore, effective cyber security comprises people, process and technology and many breaches could have been avoided given changes to either of these three areas. The remainder of this blog introduces cyber security under each of these headings.

People

It is often stated that people are the greatest weakness when it comes to cyber security, but it doesn’t have to be this way – they can be the strongest defence. The National Cyber Security Centre (NCSC) has performed leading research around people centric cyber security which organisations can benefit from. Staff know the issues they face better than anyone else and should be included in the risk analysis. By understanding productivity roadblocks, working pressures and specific training needs, new ways of working can be formulated to minimise breaches and security mistakes. 

For example, some groups could possibly opt to use enterprise collaboration applications (e.g. Microsoft Teams) to eradicate or decrease emails being sent to the wrong recipients. Watch the NCSC video or read the transcript for more information on developing people centric cyber security.

Security awareness training conducted well can be effective and significantly help prevent data and security breaches. Nonetheless, developing a security culture takes an organisation to the next level as staff develop their own sense of how to best protect the organisation and personal data. Culture change isn’t an overnight occurrence.
Focused effort and dedicated resources are required but the results will be worth it. 

Developing a security culture involves engaging with staff and seeking their input.
Small group sessions, organisation wide campaigns and open communication forums are some of the many approaches to transform cultures. Useful reading on the human aspects of cyber security can be found in the Cyber Security Culture Guidelines: Behavioural Aspects of Cyber Security report by  the European Union Agency for Cyber Security (ENISA).

It is important to ensure security measures and controls don’t hinder staff productivity or increase the likelihood that they will circumvent organisation policies. As the NCSC video above states, “if security doesn’t work for people, it doesn’t work”.

Process

Earlier this year I was asked to advise on a serious data breach where sensitive data had been disclosed. It so happened the breach could have been avoided if either processes, staff action or if different technology had otherwise been deployed. The role of policies, processes, guidelines and procedures in cyber security shouldn’t be underestimated, especially with large contingents of remote workers during a pandemic. (Read about the data protection challenges of remote working here)

Start by reviewing your organisation’s cyber and/or information security policies if they exist. Consider when the last updates were made and read the documents several times, making notes on their suitability or any glaring gaps. Check if any standards or frameworks are in use such as the ISO 27000 Information Security Family or the NIST Cyber Security Framework. Many others exist too. If so, familiarise yourself with the associated literature and determine where you can begin to get involved. 

Alternatively, you could be the staff member who introduces standards and frameworks into your organisation. You’ll likely need senior management support and the suggestion may have been considered previously. Either way, established best practice can help organisations review processes and streamline cyber security risk assessments. As mentioned previously, be sure to engage with staff who’ll likely see many process security risks for their departments that are blind to others.

At the very least, view the NCSC Risk management guidance which explains and recommends various concepts behind risk assessments. Combining cyber security risk assessments with Data Protection Impact Assessment (DPIAs) may also be an option in some cases. However, remember that while cyber security is essential for personal data protection, it extends to protecting the entire organisation too.

Technology

The use and maintenance of technology and digital services by staff, contractors and third-party suppliers forms the basis of technological aspects of cyber security. Online services, cloud computing and connected devices, or any other internet mediums through which data flows, are all cyber security concerns. Technology includes devices found in “smart homes” fitted with a degree of automation and the so-called Internet of Things (IoT), where numerous gadgets are connected online through a local network. Governments around the world are attempting to offer advice to mitigate the cyber risks associated with IoT devices. The UK Department for Digital, Culture, Media and Sport (DCMS) published a  Code of Practice for Consumer IoT Security in 2018, although widespread adoption is in its infancy.

Technology is also used to strengthen cyber defences through a number of security applications, which deliver varying levels of protection depending on how often they are updated. Basic anti-virus programs have long since been accompanied by a suite of new security applications many of which are connected to cloud-based detection engines which rely on Artificial Intelligence (AI) to improve performance. Nonetheless, a sound risk management methodology should always be established prior to investing in new protective technologies – benefits of the expected decrease in risk need to ideally be measurable and potential loss ought to supersede or equal expenditure. 

A great way to bring an organisations’ technical cyber security controls to a baseline standard is by adopting Cyber Essentials, a UK government backed scheme designed to guard against the most common cyber threats. Cyber Essentials outlines 5 control themes – firewalls, secure configuration, user configuration, malware protection and patch management. Organisations can become certified to Cyber Essentials in two ways – self-certification and Cyber Essentials Plus, where hands-on technical verification is carried out by an independent certified body.

Putting it all Together

Although this blog has described the people, process and technology aspects of cyber security separately, in reality all three areas need to be considered simultaneously.
A cyber security risk methodology should always form the heart of any cyber security defence strategy as part of overall business risk management. Those responsible for cyber security should also ensure they keep themselves updated as the security landscape has been changing rapidly, both in terms of malicious or accidental attacks and defences. The good news is that with a concerted effort, organisations can adequately protect themselves and their staff.

Olu will be examining this subject further in our Cyber Security for DPOs workshop in November. A few places left. Our GDPR Essentials E learning course is ideal for training frontline staff. In just over 30 minutes they will learn about the key provisions of GDPR and how to keep personal data safe.

Act Now Expands its Cyber Security Team

Cyber security is one of the Information Commissioner’s regulatory priorities; not surprising when you consider the Notices of Intent (to fine) issued by the ICO on British Airways and Marriott International. Recently we learnt that two companies involved in building emergency coronavirus hospitals have been hit by cyber-attacks. Cyber security is an important subject that Data Protection Officers need to understand to be able to fulfil their role effectively.

Act Now Training is pleased to announce that leading cyber security expert, Olu Odeniyi has joined its team of associates. Olu is a Cyber Security, Information Security and Digital Transformation Trusted Advisor who has 30 years’ experience. During this time, he has held several key senior leadership, strategic and operational positions, in the public and private sectors. As a former trustee of three charities, Olu held the roles of Technical Lead, Treasurer and Chair, where he was responsible for regulatory compliance, operational and project risk management.

Recent projects delivered by Olu include investigation of cyber related breaches, analysis of organisations’ cyber security postures and in-depth risk assessments. Olu has advised companies on requirements for attaining the government backed cyber essentials certification and the coveted ISO 27001 Information Security Management.
Workshops, presentations and lectures at the University of West London were given by Olu on topics such as information security and digital transformation.

At the University’s Enterprise Hub, Olu guided start-up companies on cyber security issues ranging from processes to technical considerations – he continues to support and mentor such companies. Analysis of academic cyber security research on novel ways to secure IoT (Internet of Things) devices using artificial intelligence concluded with Olu reporting his findings to the University.

Olu speaks at various conferences and information sessions on information governance and cyber security. In February this year, Olu spoke at the PrivSec Conference on ‘Deepfakes’ (hyper realistic synthetic video/audio generated by deep neural networks) to a packed theatre at the QEII conference centre in London. The session was hosted within the Threat Intelligence theatre with other speakers such as Mike Hulett, Head of Operations at National Crime Agency (NCA).

Olu is a professional member of the BCS (British Computer Society – The Chartered Institute for IT) and a Microsoft Certified Professional (MCP). Within the BCS, Olu is a member of the Information Risk Management and Assurance (IRMA), Information Security, Artificial Intelligence and the Cybercrime Forensics specialist interest groups. Olu said:

“I am delighted to be joining the Act Now teamlook forward to using my cyber security and digital transformation expertise to help Data Protection Officers understand and overcome the cyber challenges their organisations face. Over the coming months I will be developing practical online training courses that delegates can take from the comfort of their office 

Ibrahim Hasan, solicitor and director of Act Now Training, said:

“Olu’s reputation proceeds him. His expert knowledge coupled with experience of working for a range or organisations will help us expand our cyber security services. Together with our other cyber expert, Steven Cockroft, we are confident that we will be able to service the increasingly complex cyber needs of clients.”

In addition to training, Olu can help your organisation with personal data breaches, PEN testing, incident management, breach reporting and incident responses. Olu can also act as an outsourced or interim Chief Information Security Officer (CISO) or a Chief Information Officer (CIO).

Olu will be a delivering a free webinar on “Introduction to Cyber Security for DPOs on 26th May 2020 (11am). Places are limited so please book early. Our GDPR Update is ideal for those looking to keep abreast of the latest GDPR developments. Finally, the GDPR Practitioner Certificate course is now available as an online option and filling fast.

Cyber Security Month is Here!

October is European Cyber Security Month. This is the EU’s annual awareness campaign that takes place each October across Europe. The aim is to raise awareness of cybersecurity threats, promote cybersecurity among citizens and organisations; and provide resources for online protection, through education and sharing of good practice.

Every single day the cyber security landscape becomes more complicated. Criminals are continually inventing new ways to carry out cyber-attacks. A Freedom of Information  request by insurance broker Gallagher, recently revealed that UK councils were fending off an average of 800 cyber attacks per hour.

Organisations that do not take appropriate action are at grave risk of business disruption, reputational damage and regulatory action. In July we saw the Information Commissioner’s Office (ICO) signal its intention to use its powers to issue Monetary Penalty Notices (fines) under the General Data Protection Regulation (GDPR). Two Notices of Intent were issued against British Airways and Marriot International respectively.  Both relate to cyber security incidents but for different reasons and amounts. (More here.)

Cyber security needs to become a top priority for organisations and individuals. Training and awareness is crucial. The National Cyber Security Centre publishes a regular report on cyber incident trends in the UK with guidance on how to defend against and recover from them. Act Now is running a series of  Cyber Security workshops led by cyber expert, Steven Cockcroft. The first one was in London last week and attracted delegates from both the public and private sectors. Habib Khatib, Head of Operations at Talk Direct Talk Direct (Leeds) Ltd, said:

“This was an excellent workshop which really opened my eyes to the threats that organisations face from cyber criminals. Steve’s expert knowledge will help me to implement a cyber action plan within my company.”

To celebrate Cyber Security month, all new delegates booking on a Cyber Security workshop will received a discount of 10% if they quote the reference “OCTOBER10%”. This offer applies until 11.59pm on 31st October 2019. A day to remember for more than one reason!

More on these and other developments in our GDPR update workshop presented by Ibrahim Hasan. Looking for a GDPR qualification? Our practitioner certificate is the best option.

Exit mobile version
%%footer%%