How AI is protecting businesses from cyber-threats

IT security - How AI could be the future of cyber-security

We are currently in the middle of another industrial revolution. This so-called Fourth Industrial Revolution (4IR) has the potential for change on a massive scale.

The first industrial revolution brought us mechanisation and steam power. The second introduced production lines and electricity. The third added computerisation and robotics. And now the fourth promises interconnected intelligent systems.

Artificial Intelligence (AI) is the next big thing in almost every industry. It has even been called “the new electricity”, in reference to its capacity to revolutionise the way we work. And amid this rapid change, the sphere of cyber-security has not gone untouched by the new power of AI.

Advantages of AI in cybersecurity

Most approaches to cyber-security, such as firewalls or antivirus software, rely on signatures. For instance, a firewall will drop incoming traffic from a known malicious IP, and an antivirus will prevent files containing known pieces of virus code from running.

But because these systems rely on signatures, a new threat can slip past and cause untold damage. What’s worse is that large amounts of malware already bypass these peripheral defences by using emails as a carrier. Additionally, these approaches to cyber-security leave the issue of insider threats completely unguarded.

AI offers a solution to these problems.

Protecting against external threats

By using machine learning, AI can build a view of ‘normal’ on the network. Then, when something out of the ordinary happens, it can flag it.

Malware doesn’t act like a human does, so the ability to identify anomalous activity is incredibly useful. A human doesn’t access thousands of files per second because they can’t click that fast, but a piece of malware is easily capable of doing so. This makes spotting it easy.

For example, let’s say a normal employee accesses 50 files a day. One evening, after office hours, an account begins accessing and encrypting hundreds of files per second. The AI detects this as unusual behaviour and locks the account, preventing it from accessing any more files.

In this scenario, ransomware had infected the machine and intended to encrypt company files and ransom them back. Using the machine learning data about what typical activity looked like, the AI could determine that suspicious activity was occurring. Then, by performing a rapid response, it contained the malware, limiting the damage to the company’s files.

But AI-based security systems aren’t only capable of dealing with the behaviour of humans. They can also detect when hardware or software is acting in suspicious ways.

For example, several networked security cameras are placed around the office, including one in the meeting room where major corporate decisions are made. The AI detects that the meeting room security camera has made a repeat connection to an unknown IP address outside the business and flags it.

A follow-up investigation discovers the device was infected with spyware, allowing someone to watch private meetings and learn company secrets. Although damage had already occurred, patching the issue prevented it from happening again.

Protecting against insider threats

Besides detecting typical threats in the form of malware, AI-based security systems can also detect unusual activity from malicious employees.

For example, a disgruntled ex-employee with access to the company database containing client information decides to get revenge. They attempt to steal company files using the cloud storage system that employees can access from home.

Total downloads of 5GB of data from the company cloud every month are typical. So when the AI detects a download of several terabytes it sees it as unusual and locks the account, preventing the theft of company records.

Because the AI defence system can see any type of unusual activity, dealing with insider threats becomes as easy as dealing with outside attacks. Current cyber-security solutions don’t have a good way of detecting an insider threat, and it’s only through new applications of AI and machine learning that the prospect of reliably detecting insider attacks has arisen.

Disadvantages of AI

Unfortunately, AI-based cyber-security is not a perfect system and has its shortcomings. The main issue is its inability to differentiate harmless unusual behaviour from dangerous unusual behaviour. This can create a significant management overhead.

For example, a typical employee who works in the marketing department acquires an album of stock images to use in marketing materials. They decide to download them from the company cloud system so they can work from home. The AI sees the unusually large file download and locks the account.

Although the actions of the AI are reversible and the account can be unlocked, the disruption resulted in lost productivity. Because unusual things are sometimes done on purpose and without bad intentions, an AI can be overreactive.

This, along with the technology still being in its infancy, means an AI security system is generally used as a supporting tool to a typical security system, rather than as the single line of defence.
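The three scenarios above (the after-hours encryption burst, the multi-terabyte download, and the marketing user whose legitimate download gets locked) all come down to comparing observed activity against a baseline. The following is an added illustration of that idea, not QuoStar’s product or code: a rate detector that counts events per account in a sliding one-second window (a person cannot touch dozens of files a second) and a volume detector that compares a single download against the historical monthly mean. The event log, account names and monthly figures are constructed for the example. Note that the volume detector fires on both the data thief and the legitimate 40 GiB stock-image download, which is exactly the false-positive problem the section describes.

```python
"""Behavioural-baseline anomaly detection over constructed file-access and
cloud-download events.  Added illustration only; not QuoStar's product or code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean


# ---- constructed sample data (not taken from the article) ----------------
def _normal_day(account, day, n_files=50):
    """About 50 file reads spread evenly over a 09:00-17:00 working day."""
    start, step = day.replace(hour=9), timedelta(hours=8) / n_files
    return [(start + i * step, account, "FILE_READ", 1) for i in range(n_files)]


def _burst(account, start, count, per_second):
    """A machine-speed burst: `count` encrypt events at `per_second` events/s."""
    step = timedelta(seconds=1 / per_second)
    return [(start + i * step, account, "FILE_ENCRYPT", 1) for i in range(count)]


DAY = datetime(2024, 3, 4)
EVENTS = (
    _normal_day("alice", DAY)
    + _burst("alice", DAY.replace(hour=19, minute=2), count=600, per_second=300)
    # ex-employee pulling about 3 TiB from the company cloud in one session
    + [(DAY.replace(hour=22), "ex_employee", "CLOUD_DOWNLOAD", 3 * 1024**4)]
    # marketing user fetching a 40 GiB stock-image album to work from home
    + [(DAY.replace(hour=20), "marketing_bob", "CLOUD_DOWNLOAD", 40 * 1024**3)]
)
# Historical company-wide monthly download totals in bytes (about 5 GB a month).
MONTHLY_DOWNLOAD_HISTORY = [4.8e9, 5.1e9, 5.0e9, 5.3e9, 4.9e9]


# ---- detectors -------------------------------------------------------------
def rate_anomalies(events, window=timedelta(seconds=1), max_per_window=10):
    """Sliding-window event count per account.  A person cannot touch more
    than a handful of files per second, so a higher count in any window is
    flagged.  Returns {account: (first_time_flagged, count, action)}."""
    recent, flagged = defaultdict(deque), {}
    for ts, account, action, _size in sorted(events):
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:          # drop events older than the window
            q.popleft()
        if len(q) > max_per_window and account not in flagged:
            flagged[account] = (ts, len(q), action)
    return flagged


def volume_anomalies(events, history, factor=3.0):
    """Flag any single download larger than `factor` x the historical monthly
    mean.  This cannot tell intent apart: it fires on both the data thief and
    the legitimate large download."""
    limit = factor * mean(history)
    return {account: size for _ts, account, action, size in events
            if action == "CLOUD_DOWNLOAD" and size > limit}


def run(events=EVENTS, history=MONTHLY_DOWNLOAD_HISTORY):
    """Run both detectors and return their verdicts keyed by detector name."""
    return {"rate": rate_anomalies(events), "volume": volume_anomalies(events, history)}


if __name__ == "__main__":
    verdicts = run()
    for account, (ts, count, action) in verdicts["rate"].items():
        print(f"LOCK {account}: {count} {action} events within 1s at {ts}")
    for account, size in verdicts["volume"].items():
        print(f"LOCK {account}: single download of {size / 1e9:.0f} GB")
```

Running it locks `alice` on the eleventh encrypt event of the burst and locks both `ex_employee` and `marketing_bob` on volume; the normal daytime reads, spaced about ten minutes apart, never trip the rate check. A deployment that wants fewer false positives has to add context the detector does not have, such as which file types were fetched or whether the user announced the download, which is the management overhead the article refers to.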

To conclude

The evolving use of AI in IT security is already invaluable and it’s going to develop quickly – it has to as the threat-landscape is just so large. But it’s worth noting that on the other side of the fence, hackers have begun using AI to breach security defences. The battle has begun…

FAQ: What is Cyber Essentials?

IT security - What is Cyber Essentials and why you need Cyber Essentials

Cyber Essentials is a government-backed scheme designed to help organisations of all sizes reduce their risk of common cyber-attacks. It allows businesses to obtain one of two Cyber Essentials badges and has the support of industry organisations like the Federation of Small Businesses, the CBI and numerous insurance organisations.

What are the certification levels?

There are two levels of certification available: Cyber Essentials and Cyber Essentials Plus.

Cyber Essentials Badges

What are the requirements?

In order to become certified your IT infrastructure must meet specific requirements. These are defined by five technical controls:

  1. Firewalls – You must configure and use a firewall to protect all devices, particularly those that connect to public or other untrusted Wi-Fi networks
  2. Secure Configuration – Only use necessary software, accounts and apps
  3. User Access Control – You must control access to your data through user accounts. Only give administrative privileges to those who require them and control what an administrator can do on those accounts
  4. Malware Protection – You must implement at least one measure (e.g. Anti Malware, Whitelisting, Sandboxing) to defend against malware
  5. Patch Management – You must keep all your devices, software and apps up to date

Companies applying will also need to test all their in-scope public-facing IPs. For most companies, this will be the block of IP addresses they get from their internet service provider, but it also includes IP addresses at all in-scope locations like data centres and cloud providers.

You can exclude IP addresses from testing if you do not have control of the security configuration of the service, for example where the address belongs to the cloud provider.

Cyber Essentials Plus also includes a technical audit of in-scope systems. This includes a representative set of workstations, mobile devices and build types in use by the organisation which an unauthorised user could access.

To determine the number of build types you must review the number of operating systems and software suites installed. For instance, if more than one browser or Office suite is used then each variant will need to be tested.

What are the benefits of Cyber Essentials?

  • Protects your organisation from approximately 80% of cyber-attacks, according to the UK government.
  • Demonstrates your commitment to security and data protection to customers and stakeholders.
  • Boosts your reputation and increases your chance of securing new business by showing you have cyber-security measures in place.
  • Cyber Essentials permits you to work with the UK government, Plus gives you the opportunity to work with the MoD.
  • Lets you focus on your business objectives, knowing you are secure.

What are the requirements for Cyber Essentials certification?

  • Firstly, complete a self-assessment questionnaire.
  • Then, a senior company representative signs off the questionnaire.
  • An external certification body then verifies the questionnaire.
  • The external certification body undertakes an external vulnerability scan of Internet-facing networks and applications to verify there are no known vulnerabilities present.

What are the requirements for Cyber Essentials Plus certification?

  • Firstly, complete a self-assessment questionnaire.
  • Senior company representative signs off the questionnaire.
  • Then, an external certification body verifies the questionnaire.
  • The external certification body undertakes an external vulnerability scan of Internet-facing networks and applications to verify there are no known vulnerabilities present.
  • They will also test the security and anti-malware configuration of each device type/build. This is done using malicious email attachments and web-downloadable binaries, including an on-site assessment.

How to get Cyber Essentials certified

QuoStar offers a Cyber Essentials consultancy service for organisations that require additional guidance. Our service includes Gap Analysis, technical support and guidance to implement the required controls, practical advice to ensure ongoing security and guaranteed certification. Please click here for more information on our Cyber Essentials consultancy service.

Eight ways to avoid phishing scams

IT security - 8 ways to protect against phishing attacks

Phishing is a form of online scam in which fraudsters trick Internet users into submitting personal information to what they believe is a legitimate organisation. This can lead to scammers gaining your personal login credentials or the information needed for identity theft.

Phishing scams usually arrive as an email pretending to come from a legitimate source. Most commonly, Microsoft and Amazon are impersonated, as the credentials for those accounts offer a wealth of personal and financial information. However, other companies scammers often pose as include Apple, Dropbox, LinkedIn and PayPal.

Because phishing is one of the most devious forms of identity theft, it is important to become familiar with various types of phishing scams as well as learn how to protect against them.

How to protect against phishing attacks

1. Guard against SPAM

Many phishing emails follow a preset script or are sent out in bulk. Having a SPAM filter in place allows you to filter out the majority of these mass emails and can allow you to block messages which come from known malicious addresses. Even with a SPAM filter, you should be especially cautious of emails that:

  • Come from unrecognised senders
  • Ask you to confirm personal or financial information over the Internet or make urgent requests for this information
  • Aren’t personalised
  • Try to upset you into acting quickly by threatening you with frightening information

2. Communicate personal information only via the phone or secure website

When conducting online transactions, look for a sign that the site is secure, such as a lock icon in the browser or an “https:” URL, where the “s” stands for secure, rather than an “http:” one.

Do not blindly trust a website which uses https though. Many phishing sites now use https and the green padlock to imply they are more genuine or to instil more trust. But this is just another piece of social engineering. All https means in this scenario is that you’re securely handing your details over to a scammer.

However, you should also be aware of phone phishing schemes. Do not divulge personal information over the phone unless you initiate the call. Be cautious of emails that ask you to call a phone number to update your account information as well.

3. Don’t click on links, download files or open attachments from unknown senders

It is best to only open attachments when you are expecting them and know what they contain, even if you know the sender. Some email clients come with the ability to preview the contents of an attachment and this can be used to determine if the contents are malicious or not.

Additionally, if a link is present in an email, don’t click it. Instead, navigate to the legitimate site via a web browser and continue from there.

4. Never email personal or financial information, even if you are close to the recipient

As a general rule, you shouldn’t be sending personal information over an insecure channel like email. You never know who may gain access to your email account, or to your recipient’s account either and then be able to find that information.

If you must send personal information, many email clients now have the ability to send a self-destructing email which can prevent it from being intercepted.

5. Beware of links in emails that ask for personal information

Even if the email appears to come from an enterprise you do business with you should still be cautious. Phishing websites will often copy the entire look of a legitimate website, to make it appear authentic. To be safe, call the legitimate enterprise first to see if they really sent that email to you.

6. Beware of pop-ups

  • Never enter personal information in a pop-up screen
  • Do not click on links in a pop-up screen
  • Do not copy web addresses into your browser from pop-ups
  • Legitimate enterprises should never ask you to submit personal information in pop-up screens, so don’t do it.

7. Protect your computer

At a minimum, ensure your computer is protected by a firewall, spam filters, anti-virus and anti-spyware software. Do some research to ensure you are getting the most up-to-date software, and update them all regularly to ensure you are blocking new viruses and spyware.

Additionally, setting up two-factor authentication on your accounts can add an additional layer of security and prevent scammers from accessing your personal information.

8. Check online accounts and bank statements regularly

If you’ve been the victim of a phishing scam or think you have, it’s important to constantly monitor the activity of that account. A scammer may lie low for a while to trick the victim into thinking they weren’t affected and that can make the damage much more potent.

Conclusion

You should always be careful about giving out personal information over the Internet. Luckily, companies have begun to employ tactics to fight against phishers, but they cannot fully protect you on their own.

Remember that you may be targeted almost anywhere online, so always keep an eye out for those “phishy” schemes and never feel pressured to give up personal information online.


How should CIOs prepare teams for cyber threats?

IT security - How should CIOs prepare teams for cyber-threats?

With new cyber threats appearing constantly, it’s important that a business keeps on top of these.

CIOs need to have a rolling training program to ensure that staff within a business are aware of all the major cyber threats which target the end-user. For example, social engineering, phishing, theft, data leakage, etc.

It’s important that classroom-based training occurs at induction or soon after. In the main, web-based online training systems do not deliver the same impact. Users often simply click next and have a pop at the answers in an online test. Classroom-based training is much harder hitting and typically raises awareness and increases retention of risks.

After initial training, you should regularly update staff about changes to the threat landscape and reinforce the basics. Online solutions are typically a good fit here because training is quick and easy. Generally, some form of test after training is sensible to assist with the retention of information.

It’s certainly beneficial to test staff without their knowledge, but let them know that this will happen periodically. Example tests include picking up data from a printer to look for sensitive material, calling in from an external number pretending to be from IT and asking for details to connect to a desktop, or composing a phishing-style email.

Training and testing staff regularly goes a long way in ensuring the security of your business as many serious cyber threats target staff.

Why should you invest in your IT systems?

IT strategy - Why should you invest in your IT systems?

You may dread hearing “infrastructure refresh” or “systems update”, but if you want to remain competitive then you need to invest in your IT systems.

As your business grows, your needs and priorities will change. An increased headcount, technical advancements or market pressures could put pressure on systems that may have been perfect when starting out, but are now starting to restrict the business and hamper operations, agility and growth.

If you aren’t running a rolling IT upgrade program within the business then you will be building up technical debt that will often cost you more in the long run. You may think it’s okay to sweat an asset for another year, but often it brings with it a number of issues:

  • Increases the risk profile as aged systems are more prone to failure.
  • You miss out on technological advances that deliver greater value and returns versus the legacy asset.
  • Greater disruption when a delayed change happens versus a steady and rolling investment and upgrade cycle.

If you’re holding back on investing in your IT systems, then you could be missing out on increased efficiency, productivity and often a competitive advantage. In today’s blog, we’ll show you the benefits you will achieve if you regularly invest in your IT systems.

What are the benefits of investing in your IT systems?

1. Competitive advantage

IT is now the beating heart of most businesses, both in terms of driving internal efficiencies and enhancing productivity, right through to improving customer and supplier engagements on the front-end of the business.

The pace of change is so significant that gains are always there for the taking. Of course, that doesn’t mean to say you upgrade every year. But too many businesses are sat on dated systems that are holding back business growth. It’s clear to see and proven in most sectors that those at the top are those who invest wisely in IT. Not those who sweat their IT assets, specifically in terms of their business systems, i.e. ERP, CRM, case management systems and the like.

It’s also important to note that technology and systems are a key differentiator and certainly an area which potential customers look at when choosing between companies. It could be as simple as one business having a better web portal than another.

2. Business agility

The ability to respond to changing business needs in an ever-complex world is key to success, and technology plays a key role in this. It goes hand in hand with collaboration, which leads to streamlined processes and more efficient projects. From unified communications through to CRM systems, technology must be a key part of your strategy, if you want an agile business. Other areas to consider are IT platforms built around mobility, cloud, big data, artificial intelligence, block-chain and social networking which can play a transformational role in a growing business.

3. Employee morale

The level of technology within a business certainly affects morale. It’s crude, yet true, that staff include the IT environment when evaluating their position within a business. The IT environment is where the majority of office-based workers spend their days. If the equipment or systems are dated then, when comparing their role to their peers’, it does play a factor in terms of morale. It’s as simple as one employee in one business driving a new company car whilst another sits in a 5-year-old, high-mileage one. It matters to people.

4. Greater efficiency and productivity

New technology, where there is a clear business case along with the right technology, delivers efficiency and productivity. It’s what IT and computing, in general, was created to do – automate and improve manual processes and operations. Businesses should regularly measure where they are and what a new system could deliver compared to sitting still. You don’t always have to change – but first you should understand if there is an advantage to be gained.

5. Security

You wouldn’t leave your office unlocked, so why would you leave your IT environment open to security violations? It’s important that you regularly undertake a risk analysis to identify new issues and continually invest to mitigate them. The security landscape is changing rapidly now; the threat landscape from one quarter to the next can be dramatically different.

It could be as simple as the need for multi-factor authentication. Passwords alone are really not secure enough, but requiring staff to use a key fob when logging in or accessing certain areas is an easy way to add an extra layer of security. Depending on your business, you may also need to look at secure communications to protect your voice, video, email and text conversations. The rise of GDPR obviously brings in other areas to address, particularly around encryption and control. Failure to invest can cost a business on many fronts.

Conclusion

If you actively invest in your IT systems, it will help increase productivity, enhance data security and expand storage capacity. All of these elements will naturally contribute to higher revenue and profits as your business becomes more efficient and streamlined.

However, remember the key is making the right investments. Technology trends come and go, so do seek out the advice of an experienced technology consultant when considering an investment.


Meltdown and Spectre: The two new security vulnerabilities explained

Various researchers, including Google Project Zero, have today disclosed two critical processor vulnerabilities, named “Meltdown” and “Spectre”.

These vulnerabilities affect laptops and workstations from all major manufacturers including HP, Dell, Microsoft, Apple etc.

Essentially, they allow programs to steal data currently being processed on a computer. This could include passwords stored in a password manager or a browser, photos, emails, instant messages or documents.

Typically programs cannot read data from other programs. However, a malicious program can exploit Meltdown and Spectre to get hold of information stored in the memory of other running programs.

The implications of these bugs are far-reaching and can affect personal computers, mobile devices and the cloud. The QuoStar team have collated the following information about both hardware bugs for your convenience below.

What is Meltdown?

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the details of other programs and the operating system.

Every Intel processor which implements out-of-order execution is potentially affected by Meltdown. This means that every processor since 1995 (except Intel Itanium and Intel Atom before 2013) could be vulnerable, which may affect desktop, laptop and cloud computers. It is currently unclear whether Meltdown also affects ARM and AMD processors.

At QuoStar we are continually monitoring the situation and all workstations and servers that we manage are showing as clear of any malicious software. Our monitoring systems will alert us to any potential problems, and we will keep our clients informed of any new information.

However, if your computer does have a vulnerable processor and is running an unpatched operating system, then researchers are recommending not to work with sensitive information on it, due to the potential for data leakage.

What is Spectre?

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their details.

Spectre affects all desktops, laptops, cloud servers and smartphones. Specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. Spectre has been verified on Intel, AMD and ARM processors by researchers.

What should I do?

Unlike usual malware, code exploiting Meltdown and Spectre is hard to distinguish from regular benign applications. However, your antivirus may detect malware which uses these attacks once its binaries are known and can be compared against signatures.

Microsoft has released a security patch, which we are working to apply to applicable client systems. However, there are some limitations in terms of the compatibility with this patch and some Anti-Virus products. Therefore it may be necessary to wait for Microsoft to release an improved patch before it is applied to all systems. We keep all clients aware of current and future planned patching activity.

There are also patches against Meltdown for Linux and OS X. Furthermore, there is work to harden software against future exploitation of Spectre, and to patch software after exploitation.

We recommend to our clients that they update any device which is not managed by QuoStar as soon as practicable.
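For readers running Linux, the kernel reports its own mitigation status for these bugs, so “has the patch actually taken effect?” can be answered without guessing. The script below is an added illustration, not QuoStar’s tooling: it reads the per-vulnerability status files the kernel exposes under /sys/devices/system/cpu/vulnerabilities (assumed present; kernels from 4.15 onward publish them), classifies each line, and lists what still needs action. The SAMPLE_STATUS dictionary is a constructed example of the text those files contain, so the classification can be exercised on a machine that is not Linux.

```python
"""Read the Linux kernel's own Meltdown/Spectre mitigation status from sysfs.
Added illustration only, not QuoStar's tooling.  Assumes a Linux host with a
kernel new enough (4.15+) to expose /sys/devices/system/cpu/vulnerabilities."""
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status_line):
    """Map one sysfs status line to not_affected / mitigated / vulnerable / unknown."""
    s = status_line.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_status(vuln_dir=VULN_DIR, names=CHECKS):
    """Classify each named vulnerability file; a missing file (old kernel or
    not Linux) is reported as unknown rather than silently skipped."""
    results = {}
    for name in names:
        try:
            results[name] = classify((Path(vuln_dir) / name).read_text())
        except OSError:
            results[name] = "unknown"
    return results


def needs_action(results):
    """Names that are vulnerable or could not be verified, i.e. still need patching."""
    return sorted(n for n, v in results.items() if v in ("vulnerable", "unknown"))


# Constructed sample of the kind of text the kernel writes to those files.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}


if __name__ == "__main__":
    live = read_status()
    for name, verdict in live.items():
        print(f"{name:11} {verdict}")
    print("needs action:", needs_action(live) or "none")
```

“unknown” is deliberately treated as needing action: a missing status file means the kernel predates the mitigations, which is the unpatched case the researchers warn about, not a reason to assume safety.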

If you would like to read further information on either vulnerability, researchers have set up a website called Meltdown Attack.

The QuoStar team are here to assist with any Meltdown or Spectre queries or issues, please give us a call on 01202 055400 for further advice.

Third party security breaches: How to ensure your data is safe on others’ systems

IT security - How to keep your data safe in third-party systems

The reality of today’s cybersecurity landscape is that a company’s security extends to its third-party relationships.

Whilst many businesses are still grappling with their own IT security, it is evident that they must also consider security strategies across the entire supply chain.

Many companies, particularly those with tight regulatory bodies or running against standards such as ISO 27001, will understand the need for managing third parties in terms of data security. Different types of data can be classed as asset-types and categorised, with suitable controls in place. You have to identify what you are trying to protect before you’ll see the potential issues revolving around it.

Theoretically, many businesses will be unable to easily control the security of their data once it’s with a third party. However, they can check the third party’s controls and sign them off, or demand stricter ones, for example Data Leak Prevention or encryption at rest, if necessary. This check should form part of the outsourcing contract. It makes sense if both parties work to a standard, like ISO 27001, to ease integration and the integrity of documentation.

Businesses and their suppliers must take steps to minimise their own IT security risks in the event of a compromise. Many IT users fall into the habit of using similar passwords, if not identical ones, for all their applications, leaving the business vulnerable. To avoid the risk of a data leak, organisations should consider implementing unique passwords for every application, account and user.

Using multi-factor authentication will add another layer of security. It will make it more difficult for a cybercriminal to use stolen third-party credentials. The rise of the GDPR will also help businesses understand the data they hold and process, both for themselves and others. Provide real-life examples of breaches to help staff understand their role in IT security. This will remind them that they are, in fact, the first line of defence.


4 quick cyber security tips every employee should follow

IT security - Four quick cyber-security tips every employee should know

Whilst most would assume the majority of cyber security breaches are the result of external weaknesses, your weakest security link is actually inside your business, sitting at your desk right now.

All too often cyber criminals are able to gain access to companies’ systems due to employee negligence, error or ignorance. According to a survey by Experian, more than half of organisations attribute a breach or security incident to a malicious or a negligent employee.

Protecting your company begins with employee education and training. If users are not aware of the risks out there and how their actions could potentially impact the business then the danger will continue to exist. Although businesses should already have security solutions in place, there are a few simple tips employees should follow which will help bolster that protection.

1. Always update apps and software

Although updates can be annoying they are necessary to maintain the maximum protection against potential threats. It is good practice to turn on automatic updates for all devices you work across (including any personal ones) if you haven’t done so already.

2. Avoid unsecured Wi-Fi networks

With office hours no longer strictly 9am-5pm, many employees now work remotely or on the go. Whether you’re working in a café, hotel or anywhere else outside the office you should always try to avoid connecting to unsecured public Wi-Fi hotspots, where it’s relatively easy for others to capture sensitive information such as emails, passwords and unencrypted instant messages. In the instance where there is no other option but to connect to a less secure network, it is recommended that you use a good quality virtual private network (VPN) when connecting to your business. Even if a hacker were to position themselves in between you and the Wi-Fi hotspot that data would be strongly encrypted.

3. Don’t reuse personal passwords for work

Thanks to the advice which stated that passwords should contain uppercase and lowercase letters, special characters and numbers, many of us are suffering from password fatigue. It can be difficult enough to remember one complex password, let alone a whole string of them for the various applications we use inside and outside of work, so many people have resorted to using the same password across multiple accounts or just changing one minor detail, e.g. Password123! to Password234! Once one account is compromised, every account that uses the same password will be at risk.

This was demonstrated by the Dropbox breach back in 2012, which was the result of a stolen employee password. The employee used the same password for LinkedIn and to access Dropbox’s corporate network. After the LinkedIn data breach hackers were then able to use the password to access Dropbox’s corporate network and steal more than 60 million user credentials.

One stolen password has the potential to cause widespread damage, so it is really important to use a different one for each account. Luckily, the advice regarding passwords has now changed. Now it’s recommended to use a string of words to create a memorable passphrase, such as “footballapplegolf”. Not only is this more memorable but it is also much harder for a computer to crack. If remembering multiple passphrases is an issue then it may be worth looking into a password manager.

4. Know how to spot a phishing scam

Emails are one of the most popular attack methods and it only takes one click for a virus to infect your systems. You should always be cautious when it comes to emails. Never reply to, follow links or open attachments from any unexpected or suspicious emails, even if the sender looks familiar.

When in doubt, check the source first and make sure the request is genuine. One easy check is to look at the full email address behind the sender's display name: the name shown can be anything the sender chooses, so look at the actual domain after the @, and watch for lookalike spellings and for a Reply-To address that differs from the sender. If you receive an urgent email, supposedly from the Finance Manager, requesting a bank transfer, verify the request in person or by phone, using a number you already have rather than one given in the email. Hackers now take the time to craft messages which seem genuine, so it is always best to exercise caution.
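The header checks just described can be automated. What follows is an added example, not code from the original article or any product it mentions: it parses the From and Reply-To headers of a message and reports the three things a reader is told to look for, a display name that is itself an address on another domain, a sending domain that imitates the organisation's own (a character changed, or the real name embedded in a longer one), and replies redirected elsewhere. The trusted domain list and the three sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains this organisation treats as its own (assumed for the example).
TRUSTED = {"example.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def is_trusted(domain: str, trusted: set) -> bool:
    """Exact match or a genuine subdomain (mail.example.com)."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def imitated_domain(domain: str, trusted: set):
    """Trusted domain that `domain` imitates: a character or two changed
    (examp1e.com) or the real name embedded in a longer one
    (example.com.account-verify.net). None if nothing matches."""
    for t in trusted:
        if t in domain or levenshtein(domain, t) <= 2:
            return t
    return None


def sender_checks(raw_message: str, trusted: set = TRUSTED) -> list:
    """Return a list of 'tag: detail' findings about who really sent a mail."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    if not from_domain:
        return ["unparseable-from: no usable address in the From header"]
    findings = []

    # 1. A display name that is itself an address on a different domain:
    #    mail clients show the name, and the real address hides behind it.
    m = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if m and m.group(1).lower() != from_domain:
        findings.append(f"display-name-mismatch: shown as {m.group(0)}, really {address}")

    # 2. The sending domain itself.
    if not is_trusted(from_domain, trusted):
        target = imitated_domain(from_domain, trusted)
        if target:
            findings.append(f"lookalike-domain: {from_domain} imitates {target}")
        else:
            findings.append(f"external-sender: {from_domain}")

    # 3. Replies silently redirected somewhere else.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to-mismatch: replies go to {reply_domain}, not {from_domain}")
    return findings


# Constructed sample messages; only the headers matter here.
GENUINE = """From: Finance Manager <finance@example.com>
Subject: Q3 supplier invoices

Attached for approval.
"""

SPOOFED = """From: "finance@example.com" <accounts@examp1e.com>
Reply-To: payments@mail-relay.xyz
Subject: URGENT: bank transfer needed before 5pm

Please process the attached transfer today.
"""

EMBEDDED = """From: IT Support <helpdesk@example.com.account-verify.net>
Subject: Your mailbox will be suspended

Log in here to keep your account.
"""

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("spoofed", SPOOFED), ("embedded", EMBEDDED)]:
        print(name, sender_checks(raw) or ["no findings"])
```

These are heuristics for a reader or a mail-filter rule, not proof of forgery: a legitimate supplier will show up as "external-sender", and a genuine colleague can set an odd Reply-To. The robust control against a forged From header is for the organisation to publish SPF, DKIM and DMARC records and have the mail gateway enforce them; the checks above catch the lookalike and display-name tricks that survive those controls because the attacker owns the lookalike domain.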


What can business leaders learn from a cybersecurity breach?


Attacks against IT infrastructure are typically all about the money, and they are increasing in frequency and sophistication. A breach is, at best, embarrassing; at worst it can destroy a business.

As with business continuity, a significant percentage of business leaders do not take cyber-security seriously until they get burnt.

It can be difficult to believe that your business is at risk, as many think attacks are mainly focused on banks and large firms. However, if hackers can exploit your business data for financial gain then you are a target, no matter what size your business is or which sector you operate in.

Even relatively simple attacks like ransomware or data theft for blackmail can cause havoc within an underprepared organisation. The Internet is global. Someone out there will be delighted to receive £2,000 for perhaps 20 hours of work, without even leaving their room.

Learning from a cyber-security breach

A good way to demonstrate the potential damage a cyber-security breach could cause is to have an independent penetration test or red-team exercise carried out by a third party, under written authorisation and an agreed scope. When you present the CEO with printouts of their emails, pictures of their family, salary information and the like, it really highlights the danger.

Another sensible way to engage the C-Suite is to undertake ISO 27001 certification. A large part of the standard is a risk assessment: identify the information-security risks across every part of the business, then select controls to mitigate them (the standard's Annex A is the reference list) and record the decisions in a risk treatment plan. You will then need to present this to the CEO or another C-level executive and explain all of the potential risks and controls. It is up to the CEO or senior executive to decide whether to invest in the controls or accept the risk, and that decision is recorded.

All too often you will find the responsibility for cyber-security placed solely in the hands of the IT department. But really it must be dealt with at board level – just like any other serious threat to the business. Undertaking ISO 27001 certification increases the board’s accountability for IT security, by allowing them to see the risks firsthand.

Every company could potentially suffer a cyber-security breach, so you must be aware of your risk profile. If you understand the risks, implement the appropriate controls and have a documented procedure to protect your business from breaches and their aftermath you can keep that risk at an acceptable level.

Robert Rutherford, CEO of QuoStar


What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a piece of EU legislation, adopted in 2016, that has applied since 25 May 2018. It changed the way companies are allowed to collect and process personal data about individuals in the EU, providing more rights to the individual and introducing much stricter penalties for businesses that fail to comply.


Do companies outside the EU need to comply with GDPR?

Any company that processes the personal data of individuals in the EU needs to comply with GDPR, even if the company is located outside of the EU. Its scope is defined by where the individuals are, not their citizenship: a company with no EU presence is caught if it offers goods or services to people in the EU or monitors their behaviour there. This means that UK businesses still need to comply post-Brexit when handling EU individuals' data (the UK also retained the regulation in domestic law as the "UK GDPR"), and companies in the Americas, Asia, Africa, Australia and even Antarctica need to comply if they process the data of anyone in the EU.

Why did the EU introduce GDPR?

The GDPR was four years in the making (proposed in 2012, adopted in 2016), and one of the main reasons for its introduction is the changing ways companies use personal data. Many companies, such as Facebook, Google and other social networks, swap access to people's data for use of their services.

The GDPR replaced the 1995 Data Protection Directive, implemented in the UK as the Data Protection Act 1998, which did not account for the new ways companies were utilising personal data. Another driver behind the GDPR was to give businesses a single, clearer legal environment to operate in across the EU instead of 28 national implementations of the old directive.

Who does GDPR apply to?

The GDPR applies to both "controllers" and "processors" of personal data. A "controller" determines how and why personal data is processed, whereas a "processor" processes the data on the controller's behalf. It is the responsibility of the controller to make sure that its processors abide by data protection law, normally through a written contract. However, processors also have direct obligations of their own, including maintaining records of their processing activity and keeping the data secure.

What do businesses need to be aware of regarding GDPR?

The GDPR expands the definition of personal data considerably, in line with the types of data organisations collect about individuals.

Organisations must ensure that they process personal data lawfully, transparently and for a specified purpose. Where consent is the lawful basis relied on, it must come in the form of an active opt-in (no pre-ticked boxes), and there must be a record of how and when the individual gave it. The individual can withdraw consent at any time, at which point you must stop processing on that basis and erase the data unless you have another lawful ground to keep it.

Individuals have the right to ask for access to their data at "reasonable intervals", and the controller must respond to this request within one month (extendable by a further two months for complex or numerous requests, provided the individual is told why). Controllers can no longer charge individuals for this request unless it is manifestly unfounded, excessive or repetitive.

They also have “the right to be forgotten”. Individuals can demand that their data is deleted if it is no longer necessary for the original purpose it was collected. Furthermore, individuals can also demand the erasure of their data if they withdraw consent for data collection or if they object to processing activities.

Under the right to data portability, controllers must be able to hand over the personal data an individual has provided in a structured, commonly used and machine-readable format, such as a CSV file, which is easily transferred to another organisation at the individual's request. This applies to data processed by automated means on the basis of consent or a contract. If an individual makes such a request the controller has one month to comply.

What if I don’t comply with GDPR?

Penalties under the GDPR are much tougher than any data protection regulations we’ve seen before, so, if you haven’t done so already, you will want to prioritise preparations.

If you fail to obtain proper consent, ignore individuals' rights over their personal data, transfer data outside the EU without adequate safeguards or breach any of the other principles for processing data, then your data protection authority can issue a penalty of up to €20 million or 4% of your global annual turnover, whichever is higher.

There are also financial penalties for those who fail to report a data breach within the specified time period. If you do not notify your data protection authority within 72 hours of becoming aware of a breach (unless the breach is unlikely to result in a risk to the individuals affected), you could face a fine of up to €10 million or 2% of your global annual turnover, whichever is higher. Where the breach is likely to result in a high risk to individuals, you must also tell the individuals themselves without undue delay.

Before the GDPR, the maximum fine for a data breach under the Data Protection Act 1998 was £500,000, and the highest penalty actually issued was £400,000, levied on TalkTalk in 2016 following its breach of October 2015. Had that breach occurred under the GDPR, the fine has been estimated at up to £59 million, a considerable jump.

This is only a high-level overview of the key points of the GDPR. Organisations should carry out their own research and seek professional advice on the steps they need to take to comply.