Insider Threats – Charlotte’s View

Something that is being spoken about more and more (due, unfortunately, to its rising frequency) is insider threat. It’s in the news an awful lot more than it ever used to be.

Do you remember the auditor of Morrisons who released a spreadsheet detailing just shy of 100,000 members of staff’s (very) personal details? He did end up getting jailed for 8 years, but I heard a saying recently: it’s not a digital footprint you leave, it’s more of a digital tattoo. Even two years after the incident Morrisons is still suffering the effects.

Now obviously that was what you would call a malicious breach. It does unfortunately happen, but there are ways for you to protect your company against this. Firstly, we here at Data Compliant believe that if you have detailed joiner processes in place (i.e. thorough screening and references, and criminal checks where appropriate), ongoing appraisals with staff and good leaver processes, you can minimise your risk.

Other ways of insider breaches occurring, and much more likely in my opinion, are negligence, carelessness and genuine accidents. Did you know that over 50% of data breaches are caused by staff error? This may be because staff do not follow company procedures correctly and open up pathways for hackers. Or it could be that your staff are tricked into handing over information that they shouldn’t.

Your staff could be your company’s weakest point in relation to protecting its personal and confidential data. But you can take simple steps to minimise this risk by training your staff in data protection.

Online training has some big advantages for businesses: it’s a quick, efficient and relatively inexpensive way of training large numbers of employees while “taking them out of the business” for the least possible time.

The risk of breaches isn’t just your business’ reputation, or even a hefty fine from the ICO but as mentioned before, also a criminal conviction. Now that is a lot to risk.

If you’re interested in online training have a look at this video.


Written by Charlotte Seymour, November 2016

Data breaches … OUCH!

Alarming data breach statistics are shown in the latest survey from HM Government*, with costs increasing to prohibitive levels for businesses large and small.

Data Breach Costs

[Figure: 2015 data breach cost graphs]

Think a data breach can’t happen to you? Think again …

[Figure: data breach percentages, 2012 to 2014]

* All stats taken from 2015 Information Security Breaches Survey commissioned by HM Government – survey conducted by PwC in association with Infosecurity Europe

Protect your data …

Be Aware Be Secure

The protection of your company data must be of paramount importance to you, so please get in touch if you would like to discuss the ever-changing issues surrounding data security and the steps you can take to keep your data safe. Call 01787 277742 or email victoria@datacompliant.co.uk

Data Security – Phishing

45% of phishing attacks are successful, according to Google’s December 2014 report. Indeed, the infamous 2013 Target data breach was due to a successful spear phishing attack on one of the company’s suppliers. The reported cost to the business was a massive $162M plus additional expenses resulting from class action lawsuits and reputational damage.

Many data breaches are a direct result of the attacker using individuals or employees to access systems or data, and it’s worth noting that 58% of large organisations and a third of SMEs fall prey to staff-related data breaches (*UK 2014 Information Security Breaches Survey).

With that in mind, I thought it would be helpful to summarise some points to help recognise and deal with phishing emails.

What is phishing?

Phishing is a deceptive means of trying to acquire personal information such as your identity or data that you hold and access – for example your user name, passwords, credit card details, contact directories and so on.  Phishing is typically carried out by email or instant message, which may ask you to provide the data directly, or it may send you to a website or phone number where you will be asked to provide data.

Why Phishing Works

A phishing effort can be hard to recognise, particularly if it comes from a source that you are inclined to trust – for example a friend or colleague (who may have been phished themselves), or your bank, social media site, telephone provider etc.

  • Phishing emails are designed to look like real emails from real, sometimes large, reputable organisations.
  • They are likely to seem to come from an organisation or individual you know and would expect to hear from – for example your bank or building society, your insurer, a business with whom you are in regular contact, your social networking sites, an online auction site or even a friend whose email sits in your address book
  • They may look absolutely authentic, including using legitimate logos
  • They may well contain information that you would not expect a scammer to know – for example personal data (that they may, for example, have picked up from one of your social networking sites)
  • They may include links to websites which will require you to enter personal information – and that website may also look very similar to the legitimate website it is pretending to be.

How to spot a phishing email

There are ways to recognise and avoid being caught out by fraudulent emails or the links they contain.

  • Are you expecting the email you’ve just received? Any email which asks you for personal information or log in details or to verify your account must be treated with caution – most reputable companies will never ask for your personal details in an email
  • Don’t be pressured just because the email looks urgent
  • Beware of attachments – these may pretend to be an order summary or an invoice for immediate payment or a receipt or any manner of other things.  If you haven’t placed an order, or your bill is already paid, then be careful.   If in doubt, simply do not open the attachment.
  • Check the email’s spelling, grammar and formatting – if they’re not correct, treat the email as suspicious
  • Never respond to an email that asks you to update your credit card or payment details
  • Watch out for free giveaways with links to websites – it’s likely that such websites will attempt to embed a virus into your computer which allows them to capture your keystrokes to get your login details or financial details such as your bank account

How to spot a phishing link?

Such links are likely to include all or part of the legitimate website address.

  • Be aware that any change to the legitimate address may lead to a false website – a spelling mistake, a missing letter – just one character’s difference can take you somewhere you just don’t want to go.
  • It is generally safer to go to the online website using your own bookmarks or by typing in the website address yourself
  • Where a website link is provided, it may be “masked” so that what you see will not take you where you expect.  Using your mouse to “hover” your cursor over the link may enable you to see the actual address – DO NOT CLICK ON ANY LINK unless or until you are completely certain it is the legitimate website
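To make the warning signs above concrete from the defender’s side, here is an added Python example (not code from the original post or from Data Compliant) that checks the links in an HTML email body for the patterns described: visible text naming a different domain from the real target, a trusted name buried inside a different domain, and a domain only a character or two away from one the reader trusts. The TRUSTED_DOMAINS set and the sample email in the test are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"paypal.com", "example-bank.co.uk"}  # constructed list (assumption)

def edit_distance(a, b):  # Levenshtein: single-character edits turning a into b
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):  # lower-case and drop a leading "www." for comparison
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

class _LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):  # returns (href, reason) for every link showing a warning sign
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = registrable(urlparse(href).hostname or "")
        if not host:
            continue  # relative or mailto: links carry no domain to judge
        shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())  # domain in text
        if shown and registrable(shown.group(0)) != host:  # 1. masked link
            findings.append((href, f"shows {shown.group(0)} but goes to {host}"))
            continue
        for good in TRUSTED_DOMAINS:
            if host == good or host.endswith("." + good):
                break  # genuinely the trusted domain or one of its subdomains
            # 2. trusted name buried in another domain, or 3. a character or two off
            if good in host or edit_distance(host, good) <= 2:
                findings.append((href, f"resembles {good} but is not that domain"))
                break
    return findings
```

A mail gateway or a help-desk triage script can run check_links over a reported message and show the user why each link was flagged.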

Protect against phishing

Being aware and understanding how to spot a potential phishing effort is helpful, but additional steps should be taken to protect your computer and system against such attacks. There is no single solution – the best option is to adopt a multi-layered approach:

  • Good security software will help to prevent successful phishing by spotting “bad” links and blocking fake websites.
  • While not providing all-encompassing protection, anti-virus, anti-spyware and anti-malware applications should be used, and kept up-to-date. Ensure that at least two different supplier technologies are in operation.
  • Ensure that firewalls are switched on and that their settings are reviewed and updated regularly to help prevent phishing and block attacks.
  • Subscribe to cyber-intelligence services which may be used to identify on-line threats, misrepresentations, or online frauds targeting brands – for example, RSA or Verisign
  • Ensure that applications and operating systems are up-to-date and fully patched

What to do if you have opened a phishing email

Just opening the email is unlikely to cause a problem. However, it is helpful to report phishing emails:

  • To the ISP (internet service provider) that was used to send you the email, so that the ISP can close the sender’s email account
  • If “report spam” buttons are available, use them
  • Report the email to the legitimate organisation the sender is pretending to be
  • Delete the email from your device
  • Inform your IT department and / or your data protection / data compliance / data security officer
  • Report the phishing email to Action Fraud – the UK’s national fraud and internet crime reporting centre – at https://reportlite.actionfraud.police.uk/

What to do if you click on a phishing link

  • Immediately run a virus check on your computer whether or not you have provided any personal details
  • Change your password for the organisation which the phisher is mimicking
  • If you use the same password for multiple accounts, you need to change all these passwords too
  • Notify the relevant financial organisation(s) if you have entered banking or credit card information
  • Inform your IT department and / or your data protection / data compliance / data security officer
  • Report the phishing email to Action Fraud at https://reportlite.actionfraud.police.uk/

As phishing attacks predominantly target end-users, it is a good idea to invest in a security education and awareness programme to raise the profile of the risk. It’s also helpful to include your clients in such a programme.

If you have any concerns about your organisation’s vulnerability to phishing attacks and you’d like a chat about staff training or prevention, just call 01787 277742 or email dc@datacompliant.co.uk


Smartphone Security

Smartphones are becoming cleverer by the day. I use mine as an address book … to read books … listen to music … search the internet … look at emails … find my husband … use social media … keep track of the news … take pictures … and so much more. I even use it to make and receive calls and texts.

But from a security point of view, smartphones can be leaky, and increasingly it’s down to the user rather than the provider to take responsibility for their own protection. Here is some simple guidance and some references for those who’d like more information:

Smartphones – as important as your wallet and credit / debit cards

Ofcom advises that you treat your smartphone as carefully as your wallet or a bank card, and that’s excellent advice. Losing your smartphone is inconvenient at best and a disaster at worst. There’s the potential expense of any charges that a thief might run up before you report it as lost. And, unless it’s insured, the cost of replacing a smartphone can be horribly expensive.

Not only that, but any confidential information is at risk – your contacts, your emails, even your bank account. And it’s no longer just your own data at risk. If you use your smartphone for business, losing it may have potentially serious implications for you and your company in the event of a data breach.

What to do before you lose your smartphone

  • Set and use a pin or password both on your phone and your SIM for secure access
  • Make sure you know your IMEI number – if you haven’t already done so, just type *#06# into your handset and it should flash up. If not, look behind your phone battery and you’ll find it there. Make a note of it and keep it somewhere safe.
  • Have a look at Immobilise, where you can register your phone and may then stand some chance of being reunited with it in the event of loss or theft. All UK police forces and various other lost property offices and agencies use it as an online database to trace the owners of lost and stolen property.
  • If you are registered with Immobilise, mark your phone as being registered – it just may help deter opportunistic theft
  • Download an app such as findmyiphone or findmyphone. Not only will this help you trace your phone if it is lost or stolen, but it will also allow you to wipe details from it remotely to allow you at least to minimise theft of your data.

How to keep your data safe

  • In the same way that you’d keep your computer data backed up, you should do the same for your smartphone – keep it backed up, either in the cloud or on some other device. That way you stand to lose the minimum amount of data.
  • Keep up-to-date with your operating system – accept updates as they become available as they will include any fixes to security vulnerabilities within the previous software.
  • Use antivirus software to protect your phone from attack by virus or spyware. I use Lookout, but there are various other excellent options.
  • Make sure your apps are only downloaded from trusted sources. Check them out before you download them – read the reviews and check their privacy policies.
  • Keep your apps updated when updates are offered.
  • Bear in mind that a rogue app may allow access and control rights to a hacker who can then make calls, download content, send or intercept messages using your phone without your knowledge. You also run the risk that your smartphone becomes the entry point to other devices to which it may be connected.
  • Check the permissions you grant when you download an app – for example, it may request to use your current location, or to access your photos etc. Only grant the permissions the app genuinely needs in order to work.

What to do if you lose your smartphone

  • If you lose your phone, contact your provider and (if you are insured) your insurer immediately.
  • Get your phone blocked – to do this you’ll need to give your provider your phone’s IMEI number, make and model number.

What to do when you get rid of your phone

Before disposing of your smartphone, make sure that you:

  • Erase any apps
  • Erase any data held on it, including media cards
  • Then go into your Settings menu and reset to Factory settings

Above all, smartphones should be treated as the valuable assets they really are, and kept safe to protect both personal and company data and assets.

If you have any concerns about your data security in general or your smartphone security specifically, contact us on 01787 277742. Or email victoria@datacompliant.co.uk

Data protection breaches make great news stories …

I read today that the BBC is in trouble for “lack of transparency” after it apparently rejected 17.9% of requests for information under the Freedom of Information (FOI) Act, and answered fully only 35% of FOI requests.

Bad press causes rise in volume of FOI requests

Much more interesting to me is the information that the number of FOI requests received by the BBC rose by almost a quarter to just under 2,000 during the 2-year period from 2011 to 2013. The timing of the rise directly coincides with various scandals including the Jimmy Savile investigation, the profligate spending of £100 million on the disastrous digital archive project and the uproar over the extravagant pay-outs to departed senior executives. Not, I think, a coincidence.

All publicity is good publicity …

Some claim that all publicity is good publicity. This is simply untrue. Take data breaches for example. The frequency of data compliance and security breaches is leading to growing press interest and coverage, which in turn is rapidly educating the general population – i.e. the data subjects (and that’s you and me). And when huge players like eBay and Morrisons are affected – well, breaches of that magnitude become a dripping joint to the media. The news spreads like wildfire, causing a further lack of confidence that big companies have any respect for our privacy or personal data.

So as data subjects, we are more likely than ever to demand that organisations account for the way in which they handle and use our personal data; and to take steps to understand the data held about us and how it is used.  Subject access requests are a case in point, and a well-publicised data security or compliance breach inevitably results in increased subject access requests.

Worse yet, many businesses still don’t know what their legal obligations are once a subject access request is received – which means they run the risk of a further potential breach.

Subject Access Requests (SARs)

Individuals are perfectly entitled to request a copy of the personal data an organisation holds on them. Once an SAR is received, generally the organisation has a maximum of 40 days to respond and provide the information. Most businesses can charge a fee of up to £10 for provision of the data – more complex requests, such as those received by schools and the NHS, use a sliding scale up to a maximum of £50. Every company should have a documented Subject Access Request policy, and keep records of SARs received, and the way – and timescale – in which they have been handled.

If you have any concerns about SARs specifically, or your data governance, data compliance or data security in general, we’ll be happy to have a chat or answer your queries.  Just call us or email victoria@datacompliant.co.uk