LondonLovesBusiness – Talk Talk fined again after customer data breach

TalkTalk has been fined £100,000 for failing to protect 21,000 of its customers’ data, and putting it at risk by allowing contractors to access it.

Jason Hart, CTO, Data Protection at Gemalto and former ethical hacker, said it is important to punish businesses that fail to protect their customers’ data. He said: “This fine should serve as a warning to all other companies that they need to ensure they are protecting their customers’ data.

“GDPR is just around the corner, so this is likely to be just the start of things and we’ll soon start to see what the real picture of cybersecurity is like throughout Europe. If businesses are not protecting data at its source they will no longer be able to hide any breaches that occur and ultimately deserve to be fined.”

To read the full article click here.

CyberSecurity Insiders – 6 steps to prepare for post Brexit GDPR compliance

[ This article was originally published here ]

With new data protection laws on the way, UK businesses have run out of excuses, writes Jason Hart, CTO, Gemalto

Ever since the vote to leave the EU last year, it’s been unclear how much, if any, of the incoming GDPR legislation would be applied in the UK. Thankfully, the government has taken this on board, and today revealed plans to improve our current data protection legislation.

This updated law aims to:

  1. Transfer the European Union’s current General Data Protection Regulation into UK law
  2. Grant the UK’s data protection watchdog new powers to levy bigger fines on firms that break laws
  3. Give UK citizens more control over what happens to their personal information, such as asking for personal data posted when they were children to be deleted

This overhaul of UK data protection law is a big step towards updating the country’s approach to cybersecurity. By putting control of their personal data back in the hands of consumers, the pressure is on for businesses to ensure they are adhering to data protection laws. Those that don’t risk losing consumer trust.

Incorporating the incoming GDPR legislation into UK law is an important step, as it will dispel any uncertainty businesses had around its fate post-Brexit. With the deadline for compliance fast approaching, there is now no reason for UK businesses not to be moving towards meeting these data protection laws.

Six steps every business should undertake ahead of GDPR
While it’s all well and good talking about compliance, it’s another thing entirely to understand the steps a business must take to work towards it. So, what does a business need to do, to ensure it’s protecting the data it holds? Below are six steps every business should undertake on its journey towards GDPR compliance.

Step one – Get to grips with GDPR’s legal framework
The first step that any business needs to take is to understand how each aspect of the legislation applies to them. By conducting a full audit against the GDPR legal framework, a business will need to understand what it needs to do and what the consequences for failing to do so are. As part of this compliance audit, a business should hire a Data Protection Officer (DPO), who will be responsible for ensuring the company adheres to the regulations. Ideally, a DPO would have a background in both law and technology, so they’re able to understand both the technical specifications and the regulatory framework needed to meet this. Every organisation is different, and so no GDPR journey will look the same – correct guidance from business leaders to employees is needed to ensure the whole company understands how to be compliant.

Step two – Create a Data Register
Once a business understands the steps they need to take, it’s important that they keep a record of the process. This is best done with a Data Register – essentially a GDPR diary. The Data Protection Association (DPA) of each country will enforce GDPR, and be responsible for judging if a business is compliant when determining any penalties for being breached. In this event, the Data Register will be a crucial tool for demonstrating the progress the affected business has made in becoming compliant. If they have no proof, the DPA would be able to fine between 2% and 4% of the company’s turnover. The amount and speed of the DPA’s decision would depend on the sensitivity of the data.

Step three – Classify data
While understanding what protections, if any, are already in place is important, this step focuses on helping businesses understand what data they need to protect and how that is being done. First, a business must locate any Personal Identifiable Information – information that can directly or indirectly identify someone – of EU citizens. It’s crucial to know where this is stored, who can access it, who it has been shared with etc. It can then determine which data is more vital to protect. In addition to this, it’s important to know who is responsible for controlling and processing the data, and making sure all the correct contracts are in place.

Step four – Identify the top priorities 
Next, a business needs to evaluate how that classified data is being produced and protected. Regardless of how data is collected, the first priority should always be to protect the user’s privacy. Businesses should ask themselves if they need the sensitive data they have collected – this data is worth a lot to a hacker, and has the greatest risk of being stolen. Businesses should complete a Privacy Impact Assessment and Data Protection Impact Assessment of all security policies. When doing this, it’s important to keep the rights of EU citizens in mind, including restrictions of processing and data portability. In particular, any data third parties use to identify someone must be deleted if requested by that individual and approved by the EU. It’s crucial that all this data is correctly and promptly destroyed and can’t be accessed. This process is known as the “right to be forgotten”.

Evaluating how the business protects this data comes next (for example, with encryption, tokenisation or pseudonymisation). The evaluation must explore: any historical data, the data being produced and any data that is backed up – either on-site or in the cloud. This data must be anonymised to protect the privacy and identities of the citizens it relates to. All data needs to be protected from the day it is generated to the day it is not needed.

Step five – Document and assess any additional risks and processes 
Of course, there’s more to compliance than just protecting the most sensitive data – the next stage of the process is to assess and document any other risks, to discover any other processes or areas that might be vulnerable. While doing this, the business should update its Data Register, to show the DPA how they are addressing any existing risks. Only by doing this can a business demonstrate to the DPA that it is treating compliance and data protection seriously and with respect.

Step six – Revisit and repeat
Finally, the last step on the compliance journey focuses on revisiting the outcome of the previous steps and remediating any potential consequences, tweaking and updating where necessary. Once this is complete, businesses should evaluate their next priorities and repeat the process from step four.

The basis of this new data protection bill and GDPR is to push businesses into action and start putting security at the top of the agenda. When next May comes around, businesses won’t be able to hide anymore. It’s vital to start making the preparations for compliance now, before it’s too late. It’s not a case of if, but when, a breach occurs and that revelation could cause serious damage to their reputation. Not only this, but businesses will also face severe fines. With just a year to go, there are no longer any excuses for businesses when it comes to protecting their customers’ data.

What can you do to prepare for the emerging GDPR requirements? Read Preparing for the General Data Protection Regulation.

Fleetworld – DfT to enforce anti-hacking measures for connected cars

New generations of connected cars will offer better protection against the threat of hacking under latest Department for Transport measures.

Jason Hart, CTO data protection at digital security specialist Gemalto, also welcomed the news, saying: “It’s a long time coming. I think it shows that actually this should go beyond the connected car – I get it why the Government are focusing on the connected car, given lots of them are going to be on the road. But ultimately this should be expanded to anything that’s connected and have similar mandatory requirements – anything where there’s lives involved.”

To read the full article click here.

GDPR:Report – HBO suffers a “cyber incident” leaking a Game of Thrones episode

HBO was victim to a “cyber incident”, which has resulted in the theft of a Game of Thrones episode and other data.

On Tuesday anonymous hackers leaked HBO data to the website “winter-leaks.com”; however, it was inaccessible by Wednesday. The hackers claimed to have stolen 1.5 terabytes of data from the network’s servers.

Jason Hart, CTO, Data Protection at Gemalto and former ethical hacker said on the incident:

“Broadcasters face a unique threat. Due to the nature of the industry, hackers have the opportunity to access data as it is transmitted between multiple data centres, and so they require solutions to help encrypt their high-value TV transmissions – without interfering with the audience’s viewing experience. These specialised solutions, such as high-speed encryption, will help ensure that broadcasters are protecting their IP in an age of increased piracy and data theft.

“HBO now joins a list of other Hollywood victims of crime such as Netflix and Sony. This incident is another reminder that broadcasters must invest in fundamental security controls and practices – encryption, key management and two-factor authentication – to control access to highly sought-after content and protect it in the event that a breach takes place.”

To read the full article click here.

eSecurity Planet – HBO Hack Highlights Importance of Encryption, Data Governance

1.5 TB of data, including unreleased episodes of upcoming shows, was stolen and leaked online.

Gemalto CTO of data protection Jason Hart said by email that broadcasters in particular face a unique threat. “Due to the nature of the industry, hackers have the opportunity to access data as it is transmitted between multiple data centers, and so they require solutions to help encrypt their high value TV transmissions — without interfering with the audience’s viewing experience,” he said.

“HBO now joins a list of other Hollywood victims of crime such as Netflix and Sony,” Hart added. “This incident is another reminder that broadcasters must invest in fundamental security controls and practices — encryption, key management and two-factor authentication — to control access to highly sought-after content and protect it in the event that a breach takes place.”

To read the full article click here.

Game of Threats: It’s Time for a New Data Security Script

HBO now finds itself among a growing list of Hollywood data breach victims, joining Netflix and Sony, to have some very serious intellectual property stolen by hackers – their programming content. One would think media companies would defend their most sensitive assets like banks do with financial data. That does not seem to be the case here. There’s an explanation for that, which I will get to shortly. But let me start with some context.

This data breach comes just as HBO has released the seventh series of Game of Thrones. For the first six seasons, it’s been somewhat easy to predict what might happen because readers of George R. R. Martin’s books knew the general storyline. Season seven is different. There’s no book to provide a script. This time around, viewers are all flying blind – with the exception of a few clues that may foreshadow the events of this new season. (Of course, this could now change because of the breach, but .)

This is kind of how IT and security teams find themselves today when it comes to protecting their data and networks from hackers and other threats. It’s a new Game of Threats and there’s no script to follow. There’s so much data to defend, the attack surfaces have increased and the threat vectors are too large to stay on top of. Security teams can no longer rely on what traditional strategies have told them in order to predict how best to defend their networks and what is most critical – their data. The script they have followed – breach prevention – is a thing of the past just like medieval history and the dodo bird.

Much like the castles of Dragonstone, Riverrun and Winterfell that were built to protect the great houses in the Game of Thrones, today’s security teams continue to rely on defending the perimeter as the foundation of their strategy. Build walls and moats, set up sentries to keep guard and monitor who gets in (or not) with the right password or credentials. Even as the threats and technology landscape has changed dramatically, this is the essence of security practiced today. But just like the first (and second) Siege of Riverrun, castles and perimeter defenses can easily be compromised and taken control of by outsiders.

Breach prevention (as a foundational strategy) is dead. Relying on perimeter security as the principal means of protecting sensitive information is a fool’s errand. Instead, companies should stop pretending they can prevent a perimeter breach. They should accept this reality and build their security strategies accordingly. They need to learn how to best secure the breach and adopt cybersecurity situational awareness. It is impossible to protect everything by building bigger walls and adding more guards to detect attacks. They should deploy layered defensive strategies that enable them to protect what matters most, where it matters.

In 2017, companies will spend $90 billion on information security worldwide, up nearly eight percent from last year. Most of this is being spent on prevention, detection and response products and services. Now let’s weigh that against how effective this has been. According to the Breach Level Index, in 2016 there were more than 1.4 billion data records stolen, which was up 86% versus 2015. So, one might say companies are not making very good investments with their IT budgets. You know the saying made famous by Albert Einstein that the definition of insanity is doing the same thing over and over again and expecting different results? It applies very well to how data security is done today.

It’s time for a new data security mindset. One that shifts from breach prevention to breach acceptance and is focused on securing the breach. This Secure the Breach manifesto is something we have been saying for five years. Companies need to move their security controls as close as possible to the data and users accessing that data because perimeter security controls do not protect data. By embedding protection on the assets themselves you ensure that even after the perimeter is breached, the information remains secure. By implementing a three-step approach – encrypting all sensitive data at rest and in motion, securely managing and storing all of your encryption keys, and controlling access to apps and authentication of users – you can effectively prepare for a breach. That way, you can Secure the Breach and more effectively defend your company in the Game of Threats.

Protect what matters, where it matters – Discover how at Secure the Breach.

This post also appears on the Gemalto Enterprise Security Blog here.

 

What challenges enterprise cyber security executives?

Here’s an understatement for you: this is an interesting time to be a cyber security or risk management executive at an enterprise.

In reality, this is the most challenging period ever for organizations when it comes to safeguarding data and systems. There is a rising number of data breaches—nearly 1.4 billion data records were lost or stolen in 2016, according to Gemalto’s Breach Level Index—and serious threats such as ransomware are making worldwide headlines on a regular basis.

On top of that, companies are having to deal with a growing number of data protection regulations. This includes the General Data Protection Regulation (GDPR), a set of rules created by the European Parliament, European Council and European Commission to strengthen data protection for individuals within the European Union (EU).

Despite these and other developing challenges swirling around the cyber security landscape, many organizations are relying on the same old security solutions they’ve had in place for years. For example, a majority of IT professionals still think perimeter security products are effective at keeping unauthorized users out of their networks, according to a new Gemalto report conducted by independent research firm Vanson Bourne.

The report, Gemalto’s fourth-annual Data Security Confidence Index, also shows that companies are underinvesting in technology that adequately protects their business.

To gather data for the study, Vanson Bourne surveyed 1,050 IT decision makers across the U.S., U.K., France, Germany, India, Japan, Australia, Brazil, Benelux, the Middle East and South Africa on behalf of Gemalto. The sample was split between manufacturing, healthcare, financial services, government, telecommunications, retail, utilities, consultation and real estate, insurance and legal, IT and other sectors from organizations with 250 to more than 5,000 employees.

A huge majority of those surveyed (94%) think perimeter security tools are quite effective at keeping unauthorized users out of their networks. But at the same time, about two thirds (65%) are not extremely confident that their data would be protected should their perimeter be breached. This represents a slight decrease from the survey conducted last year (69%). And despite the broad lack of confidence, nearly six in 10 of the organizations report that they think all their sensitive data is secure.

This shows that at many organizations, perimeter security is the focus but a good understanding of technology and data security is still lacking. Many of these businesses are continuing to prioritize perimeter security without realizing it has been largely ineffective against sophisticated cyber attacks.

The latest Gemalto research findings show that 76% of the decision makers said their organization had increased investment in perimeter security technologies such as firewalls, intrusion detection and prevention systems (IDPS), antivirus software, content filtering tools and anomaly detection systems to protect against external attackers.

Despite this investment, however, two thirds of the survey respondents (68%) think unauthorized users could access their networks, rendering their perimeter security ineffective.

These findings suggest a lack of confidence in the solutions being used today, especially when you consider that more than one quarter of the organizations (28%) have suffered perimeter security breaches over the past 12 months.

The reality of the situation gets even worse when you take into account the fact that, on average, only 8% of the data breached was encrypted. That means the vast majority of the stolen data was completely exposed to attackers—an unacceptable situation for organizations that should be doing all they can to protect sensitive information.

Furthermore, according to the report, more than half of the respondents said they do not know where their sensitive data is stored, and more than one third of businesses do not encrypt valuable information such as payment or customer data. In other words, if this data is stolen, a cyber criminal would have full access to the information and could use it for crimes such as identity theft, financial fraud or ransomware.

It is clear that there is a divide between organizations’ perceptions of the effectiveness of perimeter security and the reality. By believing that their data is already secure, businesses are failing to prioritize the measures necessary to protect their data.

Businesses need to be aware that hackers and other bad actors are going after companies’ most valuable assets: their data. It’s important that they focus on protecting these resources, otherwise reality will inevitably bite those that fail to do so.

Inadequate security not only exposes organizations’ data to attackers, it leaves enterprises open to the risk of non-compliance with regulations such as GDPR. There seems to be a global trend toward reforming and enhancing data protection laws, and many companies are not sure how to approach these new requirements.

That’s especially true of data privacy, which has traditionally been an afterthought, rather than included in products “by design.” This necessitates a longer-term change in approach and mindset.

With GDPR, which becomes enforceable in May 2018, organizations need to understand how to comply by properly securing personal data to avoid the risk of administrative fines and reputational damage. However, more than half of the survey respondents said they do not think they will be fully compliant with GDPR by May next year.

With less than a year to go, companies need to begin introducing the correct security protocols in their efforts to reach GDPR compliance, including encryption, two-factor authentication and key management strategies.

Investing in cyber security solutions has clearly become more of a focus for businesses in the last 12 months. However, what is of concern is that so few are adequately securing the most vulnerable and crucial data they hold, or even understand where it is stored. This is standing in the way of GDPR compliance, and before long the businesses that don’t improve their cyber security will face severe legal, financial and reputational consequences.

That’s not all. Organizations that don’t bring their security infrastructure up to date might also face the wrath of their customers, employees, business partners and other stakeholders. Fortunately, they can take steps to bolster security before it’s too late.

Discover more and download the Data Security Confidence Report.

Also posted on the Gemalto Enterprise Security blog here.

eSecurity Planet – Massive Breach of Swedish Citizens’ Data Points to Desperate Need for Risk Management

Vehicle registration data for every Swedish citizen was exposed — including those under witness protection.

“It is clear that there is a divide between organizations’ perceptions of the effectiveness of perimeter security and the reality,” Gemalto vice president and chief technology officer for data protection Jason Hart said in a statement. “By believing that their data is already secure, businesses are failing to prioritize the measures necessary to protect their data.”

To read the full article click here.

Silicon Republic – Wanted: IT security superheroes to fight cybercrime

From WannaCry to Petya, it’s no wonder the cybersecurity sector is crying out for talent to fight ransomware. Hays’ Carolyn Dickason explores the increasing need for talent in infosec.

“The Breach Level Index highlights four major cyber-criminal trends over the past year. Hackers are casting a wider net and are using easily attainable account and identity information as a starting point for high-value targets,” said Jason Hart, Gemalto’s chief technology officer for data protection, in the report.

“Clearly, fraudsters are also shifting from attacks targeted at financial organisations to infiltrating large databases, such as entertainment and social media sites. Lastly, fraudsters have been using encryption to make breached data unreadable, then hold it for ransom and decrypting once they are paid.”

To read the full article click here.