Cyber Security and GDPR Made Easy

Hi. I’m Christoan Smit and I hope this
presentation will help you form a deeper
understanding of Cyber Security, GDPR and
how these two concepts interlock, and how
Cloud services can help your business.
Enjoy the presentation!

This is an Information Session
…not a sales pitch

Legal Disclaimer
Although the author and publisher have made every effort to ensure that the
information in this presentation was correct at time of creation, the author
and publisher do not assume and hereby disclaim any liability to any party
for any loss, damage, or disruption caused by errors or omissions, whether
such errors or omissions result from negligence, accident, or any other
cause.
Venom IT is not a law firm and does not provide legal services. Watching this
presentation and/or downloading the accompanying booklets does not
create an attorney-client relationship, nor does any of what follows
constitute legal advice.
Images used under license from Shutterstock.com

The GDPR
– not such a bad thing

The GDPR
– not such a bad thing
Think of it as Health and Safety for computers

The GDPR
– why you should definitely pay attention
 Fines of up to £17 million, or 4% of turnover, whichever is
greater. No matter who you are, that will hurt.
 Jail time for certain infringements.
 Cease order or sanctions on your business
 Adopted by the ICO and incorporated in UK law.

The GDPR
– why you should definitely pay attention
These new regulations govern things like:
• Types of data you store or process
• The manner of processing
• Consent
• Protecting your data subjects (security)
• The handling of data breaches
• Proof of compliance

A Solution to the Problem…
Regulation 18 of the GDPR states, in part:
“….when entrusting a processor
[subcontractor] with processing activities,
the …adherence of the processor to an
approved code of conduct or an approved
certification mechanism may be used as an
element to demonstrate compliance with
the obligations of the controller [you].”
In other words, the certificates and/or approved
codes of conduct of the data sub-contractor can be
used by you as proof (or part of your proof) of your
own GDPR compliance.

Do you process or store any of the following?
…if yes, then Yes to the previous question.
• Names of people
• Private telephone numbers
• Residential addresses
• Banking details
• Identity documents
• Any other details that can be used to identify a person
• Medical, genetic, race, gender data

The Main Aspects of the GDPR
- you need the whole L.O.T.
• Legal – wording of privacy notices, forms etc.
• Organisational – staff education, reporting mechanisms etc.
• Technical – Cyber Security & IT systems

Legal
Getting in touch with a specialist law firm that deals with
GDPR.
Organisational
Getting in touch with a cyber-security specialist who can
analyse your business and make recommendations.
Getting ISO9001 certified.
Technical
Getting in touch with a specialist Cloud provider who
themselves meet all the criteria – not all clouds were created
equal. Look for ISO9001, ISO27001 and ISO27017.
Getting Cyber Essentials and/or ISO27001 certified.

Section 2
Cyber Security
Basics

CIA – Confidentiality, Integrity, Availability
…the three legs of Cyber security

Confidentiality
Who needs to have access? More importantly, who does not need access and are they
excluded?
Integrity
Is the data whole and correct? How easy will it be for someone to accidentally change or
erase the data? Are the systems we use sufficient to ensure that the data remains
uncorrupted when stored?
Availability and Accessibility
There’s no point in putting security measures in place that are so strict that the data
becomes practically inaccessible.
How easy will it be for rightful users to access the data they need?
CIA – Confidentiality, Integrity, Availability

Confidentiality
You need to decide this for each person in your organisation. A
common mistake in larger organisations is a shared company
drive that doesn’t have correctly-assigned user permissions.
Integrity
Cloud-based storage offers the highest level of integrity
available to mankind. For example, we use triple back-up
systems, with auto failover.
Availability
Cloud-hosted virtual desktops can be accessed from anywhere
in the world where there is an internet connection,
temporarily turning almost any device (even an old P.o.J.) into
a state-of-the-art machine with all your data and apps on
installed on it.

Backups
 How regularly do you back up?
 How secure are those stored copies?
 Should you use incremental or complete backups?

Backups
 How regularly do you back up?
 How secure are those stored copies?
 Should you use incremental or complete backups?
 Using automated backup tools takes the guesswork out of it.
 You should at least have dual backups in place.
 Automated backup solutions can manage the full and incremental
backups for you.

Cloud hosting can also be used for
backups – and it’s more secure than
backing up to a little portable drive or
your own network server, because of
better failover and higher encryption.

Hardware and Software Firewalls

Hardware and Software Firewalls
 Do you have a hardware firewall? (It’s a device)
 Does each computer on your network have a software firewall?
 Are all the firewalls up-to-date, with the most recent security
patches installed? (Physical firewalls also have software called
‘firmware’ that needs regular updating)

• You should have a physical firewall
between your office network and the
great big jungle that is the Internet.
• Each machine should have a software
firewall.
• Cloud servers take care of their own
firewalling - all you need to do is
connect.

Antivirus Software
 There is quite a variety of ‘cyber vermin’ that could infect your
computer – worms, RATs, viruses, Trojan horses and spyware, to
name but a few
• Does each machine on your network have anti-virus software
installed?
• This includes Mac machines. Although more of a prank than a malicious tool,
Elk Cloner is generally accepted as one of the very first computer viruses
(1982) and it specifically targeted Apple Mac 3.3 machines. Mac users often
get lulled into a false sense of security by the erroneous urban legend: “Apple
Macs can’t get viruses.”
 Is all the anti-virus software on each machine on your network up-to-
date? What about the mobile devices used by reps and consultants?

• Cloud-hosted virtual desktops run in a
highly secure environment where the
risk of viral infection is extremely low.
• The cloud servers themselves utilise
highly advanced anti-malware
systems.

Updates and Security Patches
 Are all the machines on your network up-to-date?
 Do you have any software anywhere on any machine that is no
longer supported by the vendor because it so old?
 Do you have any machines that use operating systems that are more
than 10 years old, such as Windows 7, Vista, XP, 98 or (heaven forbid)
Windows 3.1? Or Mac OS Tiger, Panther, Jaguar, Puma, Cheetah,
Kodiak or older?

• Purchasing new machines and new
operating systems is costly.
• Some Cloud providers can provide
virtual desktops that are automatically
updated with the latest patches or
even free Windows upgrades.
• Unlike physical machines, cloud-
hosted virtual desktops never get old
– the servers on which they ‘live’ are
constantly updated and upgraded.

Eliminate Unnecessary Software, Apps and
Services

Eliminating unnecessary Software, Apps and
Services
 What is your company policy on installing apps? Do you allow staff to
install apps as they wish?
 Does each machine have the absolute minimum of apps it needs for
each individual to still be able to perform their work?
 Is each app on each machine a trusted app from a trusted vendor?

Eliminating unnecessary Software, Apps and
Services
 What is your company policy on installing apps? Do you allow staff to
install apps as they wish?
 Does each machine have the absolute minimum of apps it needs for
each individual to still be able to perform their work?
 Is each app on each machine a trusted app from a trusted vendor?
 You should only allow your IT department to install apps.
 Keep the number of installed apps to a bare minimum.
 Beware of fake apps. Sometimes trusted apps get repackaged (legally
or illegally) and resold by less-than-trustworthy vendors.

• Cloud-hosted virtual desktops are
usually provisioned with only the
necessary programs and apps.
• For security reasons, users are limited
to what they can install on their virtual
desktops.

Physical Security
 Is your server securely locked? Bolted down?
 Are all the USB ports on all machines disabled where necessary?
 Do you use cables or Wi-Fi?
 How many people have your Wi-Fi password?
 Do you leave devices lying around, unprotected?

Physical Security
 Is your server securely locked? Bolted down?
 Are all the USB ports on all machines disabled where necessary?
 Do you use cables or Wi-Fi?
 How many people have your Wi-Fi password?
 Do you leave devices lying around, unprotected?
 Pay attention to your physical security. Entire server cabinets have been stolen in an attempt to get at the data inside.
 Persons with ill intent should not be able to simply walk up to a computer, plug in a thumb drive and upload malware or
download your data. USB drives should be enabled only for those who really need them in order to do their work.
 Cable networks are more secure, and Wi-Fi should be on a separately-firewalled network.
 Yu should have two Wi-Fi networks – one exclusively for staff, and one for guests.
 Keep devices out of sight when transporting them, and use privacy screen protectors to make it difficult for others to see what
you’re typing when e.g. sitting on a train or in a hotel lounge.

• Switching to cloud-based computing
immediately negates a whole number
of issues with physical security.
• Cloud-hosted servers can’t be spirited
away and hacked later on.
• Cloud-hosted desktops can’t be stolen
along with all your data on it.

Password Security
Passwords are the most common weak link in the cyber-security chain. Good
password policy can be summed up as follows:
 Minimum 10-character length
 A mix of UPPERCASE, lowercase, numbers (0-9) and $peci@£ characters
 Avoid complete words or commonly used themes and ideas for passwords
like film titles, children’s or pet names, birthdays and anniversaries etc.
 Very forgetful users might need to write down their passwords, especially
right in the beginning, but should only do so in a very secure place – not
under the keyboard, under the mouse or behind the screen
 Use pass phrases rather than passwords

Password Security
 Does each user on your network know and apply good password
policy?
 Do you have a recovery system in place in case someone forgets their
password?
 Do you use 2-step authentication wherever possible? Your main
email account from which all resets are done, should definitely have
2-step verification.

• Teach your staff (and yourself!) good
password security.
• Get a ‘white’ hacker to test your
systems

Off-site Work and Working from Home

Off-site Work and Working from Home
 Can you and your employees securely login to your network from
remote locations, without compromising the security of your entire
network?
 Are the intra-company emails you send secured? Or can your
competitors easily intercept them and see what you’re doing?

• The only truly practical solution, when
looked at from a convenience,
connectivity and security point of
view, is using cloud-based desktops to
connect to work.

Educating your Staff
 Create an organisational culture of security awareness
 Teach your staff these basic principles you are learning here today
 Get each member of staff to buy in and take personal responsibility
for the computer security
 Educate and train your staff to identify spoofs, phishing scams, social
engineering scams, CEO scams and the like
 Just like doing fire drills, have the staff been trained on exactly what
to do when a cyber threat or attack is identified?

Educating your Staff
From the Ipsos MORI Cyber 2017 Security Breaches Survey:
• By far the most common type of breach experienced is staff receiving
fraudulent emails (72%).
• The four most common types of breach can be linked to human
factors, such as unwittingly clicking on a malicious link or succumbing
to impersonation.

• Arrange training sessions for your staff.
• Arrange for a security company to run
practical assessments, such as sending
spoof emails and seeing who opens
and clicks on the links, to test your
staff’s understanding of cyber security.

Common Attacks
• Plastic card fraud
• Mandate fraud
• ‘419’ advance fee fraud
• Romance fraud
• Lottery scam
• Ransomware
• CEO scams
• Social engineering scams
• Man-in-the-Middle
• Investment fraud
• Spoofs
• Email spoofing
• Phishing scams

• Educate your staff
• Use cloud-based email hosting. With
superior spam and scam detection,
cloud-based email hosting provides
better security.

Recap:
• Physical Security
• Password Security
• Off-site Work & Working from
Home
• Educating your Staff
• Perimeter Defense and Safe
Zone
• Saving the Situation
• Common Cyber Attacks
• The GDPR
• CIA – Confidentiality, Integrity,
Availability
• Backups
• Physical and Software Firewalls
• Antivirus Software
• Patch Management
• Access Control
• Eliminating unnecessary
Software, Apps and Services

• Venom IT is a trusted Microsoft Silver Partner
• Our offices are Cyber Essentials, ISO 9001, ISO 27001 and ISO 27017
accredited
• ISO 27001 Data Centres

If you need help with:
• GDPR compliance
• Network Security
• Managed Support
• Cloud solutions (backup, virtual machines etc)

Venom IT offers various off-the-shelf and bespoke business solutions, such as:
• Complete cloud-based virtual office solutions
• Industry-specific packages such as Accounting, Architecture, Dentistry, Medical Supply, Optometry
Recruitment and many more...
• Cloud storage and automated backups
• VOIP Phone and Skype for Business
• App hosting
• Assistance with GDPR compliance
• Staff Training
Phone or email us now for an obligation-free quote.

UK: 0330 202 0220 venomit.comFind us on:

Cyber Security and GDPR Made Easy

More Related Content

What's hot

Similar to Cyber Security and GDPR Made Easy

Recently uploaded

Cyber Security and GDPR Made Easy