SC Media – Struggle is real: UK businesses unprepared for cyber-attack response

Businesses in the UK are struggling to face the looming threat of cyber-attacks, with nearly a third of C-level executives admitting they don’t have a response plan – or don’t even know whether or not they have one.

“Security training within businesses today is essentially not working. There needs to be different types of training for different types of individuals within the organisation. More importantly, the training needs to highlight the potential impact of security breaches to specific individuals,” Hart said.

“Security ultimately needs to be transparent to the individual user. We are a long way from that point today. But there are hopeful signs. The onward march of AI and behavioural analytics is helping drive the process and the move to cloud and microservices will help to accelerate it. Looking to the future, however, if this is to be sustained, we need to see more collaboration between technology vendors and cloud providers and vendors need to make security simpler and easier for users,” Hart said.

To read the full article click here.

IoTNow – Survey reveals 32% of C-Suite have no response plan for cyberattacks or don’t know if they have one

Nearly a third of C-Level directors surveyed across the UK (32%) either do not have a response plan in place to manage a cyber-attack on their business, or they are not sure whether they do.

According to Jason Hart, CTO for the Enterprise & Cyber Security division of Gemalto, “The business as a whole should own information security not the IT department. It should be a board level responsibility. They should be pushing down the requirements and then making individuals accountable. IT are there to implement the procedure or the control and manage it. They are not there to police it.”

Hart added, “Security ultimately needs to be transparent to the individual user. We are a long way from that point today. But there are hopeful signs. The onward march of AI (artificial intelligence) and behavioural analytics is helping drive the process and the move to cloud and microservices will help to accelerate it.

Looking to the future, however, if this is to be sustained, we need to see more collaboration between technology vendors and cloud providers, and vendors need to make security simpler and easier for users.”

“Security training within businesses today is essentially not working. There needs to be different types of training for different types of individuals within the organisation. More importantly, the training needs to highlight the potential impact of security breaches to specific individuals. Training must never be conducted in isolation. The learning points need to be aligned with the business culture of the organisation.”

“I’ve been involved in GDPR for a number of years. The bottom line is people are still very confused about the regulation. They feel it is complicated. They don’t understand what it is trying to achieve. People often say ‘Well, I’m PCI compliant; I have ISO 27001 certification. I don’t understand the linkage or the additional need.’ Most people I speak to are not even aware that GDPR is coming downstream. So I think as UK PLC, we have done quite a bad job of getting the message out there,” Hart concluded.


To read the full article click here.

ITPro – GDPR news: One year to go until GDPR applies in the UK

UK firms struggle with compliance, but experts warn of penalties for failure.

There is just a year to go for businesses to prepare for new data protection rules that hand EU citizens more power over their personal data and promise large fines for companies that transgress.

Jason Hart, CTO of data protection at digital security firm Gemalto, warned that time is running out for “businesses to get their house in order before GDPR comes into effect”.

He added: “Once that happens, we’ll start to see the true picture of data breaches within Europe and the impact that will have on the reputation of a multitude of businesses.

“Companies need to realise that being breached is an inevitability and customers will not put up with those that can’t protect their data. In order to be compliant, business must follow the six step process outlined in the legislation.”


To read the full article click here.

April 25th 2017 – Webcast – Part II – How to get started with GDPR & Applying Appropriate Security Controls

As a follow-up to our previous webinar, this panel discussion will dive into further detail about the GDPR.
Presented by compliance experts Christine Andrews (DQM GRC) and Jason Hart (Gemalto) we will answer some of the big questions raised in the previous webinar and open up to the live audience for an interactive Q&A.
To register to attend this free webcast click here.

April 26th 2017 – IPEXPO Manchester – GDPR Blueprint; Tackling Confidentiality, Integrity and Availability of Data

The EU’s new privacy regulation (the GDPR) is rapidly approaching. This webinar takes a back-to-basics approach to GDPR: Jason Hart, Gemalto CTO, will set out a GDPR blueprint that tackles the privacy concerns around the confidentiality, integrity and availability of sensitive data.

More info here.

23rd March 2017 – Webcast – Getting started with GDPR, Privacy and Applying Appropriate Security Controls

Live webinar: 12pm (UK), 23rd March 2017, and available on-demand after this date.



In this webinar, presented by compliance experts Christine Andrews (DQM GRC), Jason Hart (Gemalto) and Becrypt, you will learn:

a. The background to the new General Data Protection Regulation
b. An overview of the key areas of change from the existing Data Protection Act – and the penalties for getting it wrong
c. A focus on the information security implications and considerations for meeting compliance
d. An approach for understanding the “gaps” in your current compliance and, importantly, how best to move forwards

To register, click here.

Help Net Security: Industry reactions: UK government cyber security strategy

Yesterday, the UK government announced a new £1.9bn cyber security strategy, which includes an increase in automated defences to combat malware and spam emails, investment to recruit 50 specialists to work on cybercrime at the NCA, the creation of a Cyber Security Research Institute, and an “innovation fund” for cyber security start-ups.

Jason is quoted by Help Net Security:

It’s encouraging to see that the government is making cybersecurity a priority in its latest round of investment, especially with less than two years until GDPR comes into effect. The focus needs to be on securing our most valuable asset: data, instead of just on the perimeter, which hackers can and will breach if they want to. In order for the government’s strategy to be successful, they need to encourage businesses to understand where their most valuable data is, and bring security controls closer to the data in order to ensure user and device access controls are in place.

The threats we face are not just about data being stolen anymore either, businesses have increasingly become victims of data manipulation, the next frontier of cybercrime. Through data being changed, businesses can make vital decisions based on incorrect or exaggerated information, which hackers can exploit for financial gain, or purely for reputational damage – implementing protocols where the data resides helps protect against that.

Read the full article here.

EU business leaders must act now before new security law takes effect


The recent announcement by a European parliamentary committee to back a proposal that will require critical infrastructure operators and digital service providers, such as Amazon and Google, to maintain appropriate security measures, and more importantly report major data breaches, is a defining moment for businesses in the EU.

Business leaders should think of it as an early warning to evaluate their security practices before the proposal is approved by the European Parliament and the Council of the EU. So, what is the current status in the EU, and what steps do business leaders need to take to avoid falling foul of the law when it comes into effect?

The traditional form of security at the moment is dominated by a singular focus on preventing a breach through firewalls, antivirus, content filtering, and threat detection. However, if we are to learn anything from history, it’s that breaches are inevitable and attackers will get past that perimeter wall eventually.

Once this happens customer data or even a company’s IP could be compromised. Consumers entrust their vital information to companies that gather this data and must be confident that it is being kept safe and secure. Once that trust is broken, it can be very difficult for companies to get that back.

Why has there been this sudden change?

Security has always been a hot topic, but with hacks of companies like TalkTalk generating headlines and companies collecting more and more data about us online, the issue of protecting data and securing consumer trust has never been higher on the agenda.

Currently in the EU, companies are not obliged to report data breaches that have occurred and, as such, many don’t. With this new law due to be implemented soon, companies will be forced to reveal these breaches and must now consider a change in strategy.

But this isn’t a new policy; the US has been following this practice for a long time, which is the main reason we hear more about breaches there than we do in the EU.

Now is the time to review what has already taken effect in the US and analyse what lessons can be learned.

Instead of focusing purely on protecting the perimeter wall, businesses should instead turn to a layered approach that protects the data at every level should criminals get past that first defence. This also means focusing on the data itself and ensuring it can’t be accessed or used by anyone that is not authorised to do so.

Surrounding the data with end-to-end encryption, authentication and access controls provides that additional layer of security which is vital to protecting customer and corporate information. With encryption in place, any data that is taken is rendered useless to anyone who is not authorised to access it, because the value of the data now lies in the key, not in the stolen copy.

Access can be enforced through the encryption keys themselves: only those authorised to see the data are able to obtain the key that decrypts it, and the keys are held and released separately from the data store. All this means that, should the worst happen and a breach occur, the customer data should still be secure.
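The approach described above can be shown in working code. The following is an added example, not code from the original article or from Gemalto: it uses AES-256-GCM from Go’s standard library, with a small in-memory `KeyService` standing in for a key manager or HSM that only releases a data key to an allow-listed principal. The key identifiers, principal names and the customer record are constructed for the example. The `Scenario` function exercises the three points the article makes: an authorised service can read the record; a dumped ciphertext is useless without the key, which the key service refuses to an unauthorised principal; and a manipulated ciphertext is rejected rather than silently trusted, which is the data-manipulation threat the article raises.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyService stands in for a key manager (KMS/HSM). It holds data-encryption
// keys and releases one only to a principal on that key's allow-list.
// Names and keys here are constructed for the example.
type KeyService struct {
	keys  map[string][]byte          // keyID -> 256-bit AES key
	allow map[string]map[string]bool // keyID -> principal -> permitted
}

var ErrDenied = errors.New("access denied: principal not authorised for this key")

func NewKeyService() *KeyService {
	return &KeyService{keys: map[string][]byte{}, allow: map[string]map[string]bool{}}
}

// CreateKey generates a fresh random key and records which principals may use it.
func (ks *KeyService) CreateKey(keyID string, principals ...string) error {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return err
	}
	ks.keys[keyID] = k
	ks.allow[keyID] = map[string]bool{}
	for _, p := range principals {
		ks.allow[keyID][p] = true
	}
	return nil
}

// Fetch is the authorisation gate: the key leaves the service only for an allowed principal.
func (ks *KeyService) Fetch(principal, keyID string) ([]byte, error) {
	if !ks.allow[keyID][principal] {
		return nil, ErrDenied
	}
	return ks.keys[keyID], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record with AES-256-GCM. The random nonce is prefixed to the
// output; recordID is bound as associated data so a ciphertext cannot be
// swapped between records without detection.
func Seal(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open decrypts and verifies; any change to nonce, ciphertext, tag or recordID fails.
func Open(key []byte, recordID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// Outcome reports the three checks: authorised read works, an unauthorised
// principal cannot obtain the key, and a tampered ciphertext is rejected.
type Outcome struct {
	AuthorisedRead   bool
	UnauthorisedRead bool // must stay false
	TamperDetected   bool
}

func Scenario() (Outcome, error) {
	var out Outcome
	ks := NewKeyService()
	if err := ks.CreateKey("customers-dek", "billing-service"); err != nil {
		return out, err
	}
	record := []byte(`{"name":"A. Customer","iban":"GB00EXAMPLE00000000"}`) // constructed sample
	key, err := ks.Fetch("billing-service", "customers-dek")
	if err != nil {
		return out, err
	}
	sealed, err := Seal(key, "customer/1001", record)
	if err != nil {
		return out, err
	}
	pt, err := Open(key, "customer/1001", sealed) // 1. authorised service reads it back
	out.AuthorisedRead = err == nil && string(pt) == string(record)
	_, err = ks.Fetch("attacker", "customers-dek") // 2. attacker holds `sealed` but is refused the key
	out.UnauthorisedRead = err == nil
	tampered := append([]byte(nil), sealed...) // 3. flip one stored byte (data manipulation)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, "customer/1001", tampered)
	out.TamperDetected = err != nil
	return out, nil
}

func main() {
	out, err := Scenario()
	fmt.Printf("%+v err=%v\n", out, err)
}
```

The design point is that the datastore never holds the key and the key service never sees the data, so a breach of either one alone yields nothing usable; binding the record identifier as associated data means a copied ciphertext cannot be replayed under another customer’s record, and the GCM tag turns silent manipulation into a hard decryption failure.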

Telling customers

Once these security measures are in place it’s important to tell customers. In order to build that trust, customers will want to know the processes have been put in place to protect their data. If businesses can show them they are going the extra mile, this will establish them as a credible innovator and trusted company.

Security must be a two-way street though: just as customers should be informed of what is being done to protect them, they should also be told how they can protect themselves. A better-educated consumer will help to create a safer consumer service all round.

With this announcement being made public, companies have the opportunity to get ahead of the game and show their customers they are taking protecting their data seriously. No longer can companies simply look at security as a compliance mandate, but rather as a responsibility that is crucial to their success.

Consumers are becoming far more educated and aware of the sensitive data they are releasing to organisations, and the responsibility that entails.

As this education increases, consumers will expect more of the security credentials of the companies that hold their data. Failure to take this seriously could result not only in a big impact should a data breach occur, but also in a loss of consumer trust. Lose that and face watching customers go to more trustworthy competitors.