Search

Brian Pennington

A blog about Cyber Security & Compliance

Category

brian pennington

1380px-OWASP_2018_IoT_Top10_Final

21 Significant 21st Century Data Breaches – Infographic

OptimumSecurity has created an infographic that is a great representation of many significant data breaches.

21 Biggest Breaches

how-do-we-stop-the-widening-cybersecurity-gap-infographic

Elizabeth Denham’s speech at the Data Protection Practitioners’ Conference 2017

6th march Manchester, UK.

Good morning, and welcome to Manchester. It’s cold and it’s grey, but for those of us who live around here, we kind of like it, and we’re proud it’s where the biggest data protection conference of the year takes place.

We’ve got a busy schedule today. Lots on GDPR, of course. Trevor Hughes from IAPP talking about the role of the data protection officer internationally. Practical workshops on everything from breach notification to consent. And a very engaging information market – the speakers’ corner looks sure to be a conversation starter, and don’t miss our experts talking about the law enforcement directive too.

So lots to engage you. Let’s get started by getting your grey matter warmed up: a quick general knowledge quiz. One question:

What links the following:

  • the Labour Party;
  • international weightlifting;
  • the music you heard when I entered the room; and
  • the ICO?

The answer is right before your eyes: all have performed right here at this venue. I’m not sure which of the four had the rowdiest audience…!

Manchester Central has been the home of the Data Protection Practitioners Conference for the best part of a decade, and I’m sure you’ll agree it’s an excellent venue. It was converted from a railway station built more than 125 years ago by Sir John Fowler, the architect famed for his work on the Forth Railway Bridge.

Sir John once said: “Engineers are not mere technicians and should not approve or lend their name to any project that does not promise to be beneficent to man and the advancement of civilization.”

DPOs in the mainstream

I think there’s something in that comment for us here today. About not merely being technicians. About looking to see how the projects we contribute to can be beneficial to citizens. How we can put the customer first.

I don’t think that’s too grand an aim. This is an exciting time to be in data protection. Like many of you, I’ve worked in this sector a long time. I remember when we were a back office function. When we often were seen as “mere technicians”. That seems a very long time ago.

My colleague Rob Luke, who you’ll hear from shortly, is speaking before an advertising conference later this week. Fifteen years ago, which advertiser would have invited the data protection regulator to their annual event? Who thought data protection when they booked a slot in the ad break during Coronation Street? But today, data protection is central to their work. Making the most of customer data. Combining big data sets. Finding new ways to better understand what consumers want, to track how they act or predict what they will do next.

Last week, we opened an inquiry into privacy risks arising from the use of data analytics for political purposes following public reports about the role of private firms in the Brexit referendum. We often find ourselves at the heart of many debates of modern society.

It’s an exciting time to work in data protection, whatever your sector, with real opportunities. We’ll talk a lot today about the practical aspects, from how GDPR will change things at your organisations, to the steps you can take to use the coming change in the law as an opportunity to inform your practices.

But let’s not lose sight of what good data protection can achieve. We have an opportunity to set out a culture of data confidence in the UK. We just need to keep in mind that when we lend our name to projects, we should think about how they can be of benefit to citizens.

Review of last 12 months

I think it’s fair to say that a recap of the files we’ve been involved in over the past twelve months can be characterised by organisations failing to put customers first.

Our work with WhatsApp and Facebook springs to mind. We all rely on digital services for important parts of our lives. But my office felt these apps were not taking enough responsibility for data protection. Companies have legal responsibilities to treat people’s data with proper care and transparency – to give them persistent control and choice.

Similarly the record fine we issued to TalkTalk. You could write an essay discussing the technical detail of the cyber-attack itself, but fundamentally, not enough respect – not enough care – was being given to the type of protection consumers would have expected of their personal information.

And without rehearsing the conversations we’ve had with parts of charity sector, there’s a similar theme: insufficient thought about the level of transparency donors would want, expect, or support.

They’re examples of organisations getting it wrong under the current Data Protection Act. GDPR is going to put even more of an onus on organisations to understand and respect the personal privacy rights of consumers.

GDPR

Because while the General Data Protection Regulation builds on the previous legislation, it provides more protections for consumers, and more privacy considerations for organisations. It brings a more 21st century approach to the processing of personal data.

The GDPR gives specific new obligations for organisations, for example around reporting data breaches and transferring data across borders.

But the real change for organisations is understanding the new rights for consumers.

Consumers and citizens will have stronger rights to be informed about how organisations use their personal data. They’ll have the right to request that personal data be deleted or removed if there’s no compelling reason for an organisation to carry on processing it, and new rights around data portability and how they give consent.

On that subject, do take a look at the guidance on consent that is now out for consultation, and will be discussed at our workshop later today.

Accountability and breadth

At the centre of the GDPR is the concept of broader and deeper accountability for an organisation’s handling of personal data. The GDPR brings into UK law a trend that we’ve seen in other parts of the world – a demand that organisations understand, and mitigate – the risks that they create for others in exchange for using a person’s data. It’s about a framework that should be used to build a culture of privacy that pervades an entire organisation. It goes back to that idea of doing more than being a technician, and seeing the broader responsibility and impact of your work in your organisation on society.

Making it matter to the boardroom

I’ve already spoken to some of you this morning, and I hear what you’re saying. You understand why having your organisation accept more accountability for data protection matters. You want to change the culture of your organisation. But in many cases, you need to convince your senior management first. So, what can I give you today to help you make that case when you go back to your offices tomorrow?

The fines are the obvious headline. The GDPR gives regulators greater enforcement powers. If an organisation can’t demonstrate that good data protection is a cornerstone of their business policy and practices, they’re leaving themselves open to enforcement action that can damage their public reputation and possibly their bank balance. That makes data protection a boardroom issue.

But there’s a carrot here as well as a stick, and as regulators we actually prefer the carrot. Get data protection right, and you can see a real business benefit.

Accepting broad accountability for data protection encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. Whether that means attracting more customers or more efficiently meeting pressing public policy needs, I believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals. Over time this can play a real role in consumer choice.

What the ICO is doing

Gandhi said the future depends on what we do in the present. So let me talk a little about what my office is doing now, to help you prepare for the future.

I’ve worked as a regulator in this field for more than twelve years and my focus has always been on making sure the regulator is relevant. On making sure we’re taking on that challenge of not being mere technicians but instead are making a difference to the organisations we regulate through education. Making a difference to the public, through giving them an avenue to file a complaint and by sanctioning the bad actors.

Each of us in the information rights field, on a daily basis, tries to make a difference to the public. Collectively, we do a good job: I think people have never been more aware of their rights, of what they can expect of the businesses and organisations they trust with their data. But consumer trust hasn’t followed that. An ICO survey last year showed only one in four UK adults trust businesses with their personal data. And I don’t believe the figure would be much higher for the public sector. As a regulator, it’s one of my jobs to give you the tools and the support to turn that around.

I want to see comprehensive data protection programs as the norm, organisations better protecting the data of citizens and consumers, and a change of culture that makes broader and deeper data protection accountability a focus for organisations across the UK. I think that’s achievable.

We’ll be shortly announcing work we’ll be doing to contribute to that. We want to support independent research that helps people better navigate the digital world. Our research and grants programme will dedicate funds over the next five years to engaging the research community in finding ways to help consumers. More details in due course.

Post Brexit

And of course we need to be looking to the horizon, to what might exist beyond GDPR.

Fourteen months ago I was writing a speech for a different audience, in a different role. My appearance was at the Canadian annual privacy and security conference, as information and privacy commissioner for British Columbia. I was talking about the challenges of a digital economy that required data to flow across borders, where different legal systems and cultural norms about privacy make this a complicated undertaking. More specifically, I spoke about how changes within the EU affect those outside of it, particularly around adequacy.

How familiar does that sound today? The UK EU referendum decision means we’re facing the same challenges. The UK’s digital economy needs data to flow across borders: how do we make sure that can happen? How can we foster economic growth while still respecting citizen’s rights?

When the government comes to answer those questions beyond the implementation of GDPR in 2018, we expect to be at the centre of many conversations, speaking up for continued protection and rights for consumers, and clear laws for organisations. And addressing the strong data protection laws we’d need if we want to keep the UK’s approach at an equivalent standard to the EU.

Conclusion

Which brings us back to today. The GDPR is a strong data protection law. It gives consumers more control over their data. And it includes new obligations for organisations.

Today is about learning more about those obligations, more about data protection best practice, more about how to get it right.

Today is about helping you make the best use of tomorrow.

BYOD security market to reach over $337 million

Technavio’s market research analysts expect the global BYOD security market to reach over $337 million between 2016 and 2020 

The increased use of mobile devices, triggered by the growing need for employee mobility, is the fundamental driving force behind growth in this market.  

The increase in employee mobility and the rising adoption of the Bring-Your-Own-Device (BYOD) policy is leading to the increased use of mobile devices. Enterprises are increasingly adopting BYOD security solutions to secure their networks from growing security threats and to provide secure access to confidential information. 

North America accounts for more than 36% of the market share to dominate the global BYOD security market. The growing awareness among enterprises about the benefits of using BYOD security solutions on mobile devices coupled with the rise in the number of cyber-attacks and malware are some of the key factors contributing to the growth in the BYOD security market in the Americas during the forecast period.

The growing popularity of cloud-based BYOD security is the latest trend in the global BYOD security market. Cloud-based BYOD security does not require any hardware or software and can be controlled remotely, making it cost-effective for the end-users. Also, it has a faster response rate to the new security threats and unauthorized activities as well as allows companies to use software products on a pay-per-use basis and are cost effective. Limited hardware infrastructure, less dependency on internal IT personnel, faster implementation of IT solutions, no licensing costs, and low maintenance costs are some of the advantages of a cloud-based BYOD security system,” says Amrita Choudhury, Lead Analyst, ICT, Technavio Research.

Currently, the Mobile Content Management (MCM) segment occupies almost 52% of the market share to dominate the global BYOD security market. MCM is gaining prominence among large enterprises, government organizations, and small and medium-sized business (SMBs) because of the increased acceptance of the BYOD policy.  

Some vendors in the MCM market are even providing additional security features in the products that they are offering to gain consumer interest and market shares. For instance, AirWatch provides the Secure Content Locker that comprises of secure storage containers to safeguard data stored on mobile devices. 

The key vendors in the global BYOD security market include Citrix Systems, Good Technology, IBM, MobileIron, and VMware. The global BYOD security market highly fragmented owing to the presence of many international, regional, and local vendors. Established BYOD security solution vendors are likely to acquire small vendors to expand their product portfolio and increase their market share.  

During the forecast period, the level of vendor competition is likely to intensify with product and service extensions, technological innovations, and M&As.

 

Your Biggest Weakness Is Already on Your Payroll

Imperva IG

An Imperva Infographic

healthcare-apps

Breaches caused by either hacking or malware nearly doubled in relative frequency

Beazley, a leading provider of data breach response insurance, today released its Beazley Breach Insights 2016 findings based on its response to over 2,000 breaches in the past two years. The specialized Beazley Breach Response (BBR) Services unit responded to 60% more data breaches in 2015 compared to 2014, with a concentration of incidents in the healthcare, financial services and higher education sectors.

Key data:

  • Breaches caused by either hacking or malware nearly doubled in relative frequency over the past year. In 2015, 32% of all incidents were caused by hacking or malware vs. 18% in 2014.
  • Unintended disclosure of records – such as a misdirected email – accounted for 24% of all breaches in 2015, which is down from 32% in 2014.
  • The loss of non-electronic physical records accounted for 16% of all breaches in 2015, which is unchanged from 2014.
  • The proportion of breaches involving third party vendors more than tripled over the same period, rising from 6% of breaches in 2014 to 18% of breaches in 2015.

Beazley’s data breach statistics are based on 777 incidents in 2014 and 1,249 in 2015.

We saw a significant rise in incidents caused by hacking or malware in the past year,” said Katherine Keefe, global head of BBR Services. This was especially noticeable in healthcare where the percentage of data breaches caused by hacking or malware more than doubled

Ransomware on the rise in healthcare

Hackers are increasingly employing ransomware to lock up an organization’s data, holding it until a ransom is paid in nearly untraceable Bitcoin. Hollywood Presbyterian Hospital in Los Angeles reported suffering a ransomware attack in February 2016 and ultimately paid the hackers $17,000 in Bitcoin. A year earlier, the FBI had issued an alert warning that ransomware attacks were on the rise.

This trend is borne out by Beazley’s data. Breaches involving ransomware among Beazley clients more than doubled to 43 in 2015 and the trend appears to be accelerating in 2016. Based on figures for the first two months of the year, ransomware attacks are projected to increase by 250% in 2016.

Clearly, new malware programs, including ransomware, are having a big impact, said Paul Nikhinson, privacy breach response services manager for BBR Services. Hacking or malware was the leading cause of data breaches in the healthcare industry in 2015, representing 27% of all breaches, more than physical loss at 20%

Healthcare is a big target for hackers because of the richness of medical records for identity theft and other crimes. In fact, a medical record is worth over 16 times more than a credit card record.”

Higher Education

Higher education also experienced an increase in breaches due to hacking or malware with these accounting for 35% of incidents in 2015, up from 26% in 2015.

Colleges and universities are reporting increased “spear phishing” incidents in which hackers send personalized, legitimate-looking emails with harmful links or attachments. The relatively open nature of campus IT systems, widespread use of social media by students and a lack of the restrictive controls common in many corporate settings make higher education institutions particularly vulnerable to data breaches.

Financial Services

In the financial services sector, hacking or malware was up modestly to 27% of industry data breaches in 2015 versus 23% in 2014. Trojan programs continued to be a popular hacking device.

The State of Cybersecurity in Healthcare Organizations in 2016

ESET and the Ponemon Institute have announced results of The State of Cybersecurity in Healthcare Organizations in 2016.

According to the study, healthcare organizations average about one cyber attack per month with 48% of respondents said their organizations have experienced an incident involving the loss or exposure of patient information during the last 12 months. Yet despite these incidents, only half indicated their organization has an incident response plan in place.

The concurrence of technology advances and delays in technology updates creates a perfect storm for healthcare IT security,” said Stephen Cobb, senior security researcher at ESET. “The healthcare sector needs to organize incident response processes at the same level as cyber criminals to properly protect health data relative to current and future threat levels. A good start would be for all organizations to put incident response processes in place, including comprehensive backup and disaster recovery mechanisms. Beyond that, there is clearly a need for effective DDoS and malware protection, strong authentication, encryption and patch management

Key findings of the survey:

78% of respondents, the most common security incident is the exploitation of existing software vulnerabilities greater than three months old.

63% said the primary consequences of APTs and zero-day attacks were IT downtime

46% of respondents experienced an inability to provide services which create serious risks for patient treatment.

Hackers are most interested in stealing patient information

  • The most attractive and lucrative target for unauthorized access and abuse can be found in patients’ medical records, according to 81% of respondents.

Healthcare organizations worry most about system failures

  • 79% of respondents said that system failures are one of the top three threats facing their organizations
  • 77% cyber attackers
  • 77% unsecure medical devices

Technology poses a greater risk to patient information than employee negligence

  • 52% of respondents said legacy systems and new technologies to support cloud and mobile implementations, big data and the Internet of Things increase security vulnerabilities for patient information
  • 46% of respondents also expressed concern about the impact of employee negligence
  • 45% cited the ineffectiveness of HIPAA mandated business associate agreements designed to ensure patient information security

DDoS attacks have cost organizations on average $1.32 million in the past 12 months

  • 37% of respondents say their organization experienced a DDoS attack that caused a disruption to operations and/or system downtime about every four months. These attacks cost an average of $1.32 million each, including lost productivity, reputation loss and brand damage.

Healthcare organizations need a healthy dose of investment in technologies

  • On average, healthcare organizations represented in this research spend $23 million annually on IT
  • 12% on average is allocated to information security
  • Since an average of $1.3 million is spent annually for DDoS attacks alone, a business case can be made to increase technology investments to reduce the frequency of successful attacks

Based on our field research, healthcare organizations are struggling to deal with a variety of threats, but they are pessimistic about their ability to mitigate risks, vulnerabilities and attacks,” said Larry Ponemon, chairman and founder of The Ponemon Institute. “As evidenced by the headline-grabbing data breaches over the past few years at large insurers and healthcare systems, hackers are finding the most lucrative information in patient medical records. As a result, there is more pressure than ever for healthcare organizations to refine their cybersecurity strategies

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: