Downtown in Business Cyber Session, focusing on Cyber Security / Resilience and the General Data Protection Regulation coming into enforcement on 25th May 2018. Part of the Digital Leaders Cyber Resilience Week 11th-15th September 2017.
5. @magma_digital @DigiEnable #DLCRWeek
Cyber Threat Costs
★ Blackburn Vehicle Hire company in 2015 lost 12,000 files to hackers and had to pay £3,000 to get them recovered
★ CEO fraud has cost businesses 32 million in the UK
★ If a cyber-attack caused systems to go offline, 30% of businesses would survive less than a day without their revenues being impacted
★ 20% of respondents did not believe it would affect their organisation at all!
★ 77% of companies don't have a security plan
Slide 13
General Data Protection Regulation (GDPR)
★ Approved 14th April 2016
★ Comes into enforcement: 25th May 2018
★ "Regulation" - binding legislation across the EU, not just a directive
★ Applies to both Controllers & Processors: any organisation processing data on EU citizens (anywhere)
Slide 14
GDPR key changes since DPA '98
★ Territorial scope
★ Consent
★ Penalties - apply to processors too
★ Breach Notification
★ Right to Access
★ Right to be Forgotten
★ Data Portability
★ Privacy by Design
★ Data Protection Officers
Slide 15
GDPR Principles
Data shall be…
★ Processed lawfully, fairly & transparently
★ Collected for specified, explicit & legitimate reasons & no more
★ Adequate, relevant & limited to what is necessary
Slide 17
GDPR Rights
For individuals…
★ The right to be informed
★ The right of access
★ The right to rectification
★ The right to erasure
★ The right to restrict processing
★ The right to data portability
★ The right to object
★ Rights in relation to automated decision making and profiling
Slide 18
Personal data, what / where is it?
★ GDPR defines personal data very broadly:
• any data that relates to an identified or identifiable natural person.
★ Data can be found in:
• Customer databases
• Email content / lists
• Feedback forms filled out by customers
• Paper records
• Photos / CCTV footage
• Loyalty program records
• HR / employee databases
Slide 19
Regulation: Information Commissioner
★ Investigative Powers
★ Available Civil Sanctions: Tiered levels
• Maximum €20m / £17m or 4% Global Turnover
• Lower tier €10m / 2% - inadequate records
• Regular periodic data protection audits
• A warning in writing in cases of first and non-intentional non-compliance
★ Criminal Sanctions
★ Protection for Journalists / Whistleblowers
Slide 20
UK?
★ Applies Brexit or not - extra-territorial rules
★ Data Protection Bill - planned to incorporate:
• GDPR
• DP Law Enforcement Directive
• likely the Network & Information Systems Directive
★ Aiming for the gold standard: the safest place to live & be online
Slide 21
Opportunities
★ Knowing
• what your data is
• where your data is
• who has access to the data
★ Enables
• better control
• reduced risk
• greater resilience
Slide 22
Challenges
★ Remaining timescale - 252 days…
★ Lack of guidance: The Record
★ Dearth of staff available to audit, plan, control, report
★ Additional overhead alongside a rising threat landscape
Slide 23
Practical Approaches
★ Audit - data footprint, starting point
★ Policies - structures to follow, measure against
★ Training - disseminate awareness, start now
★ Involvement - representation throughout the organisation
Slide 24
Example GDPR Plan (columns: Discover, Manage, Protect, Report)

Needs / Challenges
  Discover: Identify what / where personal data is
  Manage:   Govern how data is used & accessed
  Protect:  Create security controls: prevent, detect, respond to breaches
  Report:   Record documentation, deal with data requests

IT Team / Partners
  Discover: Security & Risk Assessments, locate personal data, plan compliance
  Manage:   Compliance plans, design, configure, monitor policies and controls for data and applications
  Protect:  Monitor, analyse & react to threats, address vulnerabilities, prevent breaches
  Report:   Admin services, documentation requirements, respond to data requests

Providers
  Discover: Help locate & identify the personal data you collect
  Manage:   Manage policies, use cases
  Protect:  Threat intelligence, provide tools to take advantage
  Report:   Help demonstrate due diligence, handling data requests
Q&A
CEO fraud and phishing: what they are, the statistics on costs, the example from the Blackburn company; phishing is the most common cause of cyber breaches
People
- Your people can be your best asset, but also one of your biggest security risks
- Employees and accounts: who has access, passwords, permissions, remote logins, mobile devices
- Employees and social media: access, hacking risks
- Example: who in the room has previously, or today, logged onto Huntleys free wifi?
Passwords - idiots! (video: https://youtu.be/opRMrEfAIiI?t=1m35s)
Access control - People - leavers
How to reduce these risks
- Access/permissions: only give access to those who need it, and audit who has, and who needs, access to which drives, folders and client data
- Passwords: don't use simple passwords, don't reuse the same password across multiple platforms, use 2FA
- CEO fraud and phishing: have protocols for processing payments within teams, and top tips on how to check an email is legitimate (phishing is the #1 cause of cyber attacks)
- But what about the data your people have access to?...
Matt Hancock (video: https://youtu.be/AwHLG2chwwU)
Extended jurisdiction of the GDPR: it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company's location, including non-EU companies processing or monitoring them
Consent strengthened: it must be requested in an intelligible & easily accessible form, with the purpose of the data processing attached to the consent, and it must be as easy to withdraw consent as to give it
Breaches must be notified to the DPA within 72 hours; processors must notify their customers (the controllers) without undue delay
Privacy by design: implement appropriate technical and organisational measures in an effective way; only hold and process the data absolutely necessary for the completion of duties; limit access to the necessary people
DPOs: organisations with < 250 employees must keep records of higher-risk processing (processing that risks the rights or freedoms of individuals, or processing of special categories of data or of criminal convictions or offences); organisations with > 250 employees must keep additional internal records of processing activities
Keep data identifiable for no longer than necessary - pseudonymisation, i.e. encryption with the keys not kept with the data
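As an added illustration of that note (example code, not from the deck): a pseudonymisation routine in which the HMAC key and the token-to-identifier lookup are held apart from the dataset, so rows stay joinable for analytics but cannot be linked to a person by anyone holding only the dataset; dropping the link also shows how a retention limit or an erasure request can be honoured without touching the analytics rows. The function names and sample customer records are constructed for this example.

```python
"""Pseudonymisation with the re-identification key held apart from the data."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records (fictional customers, not real data).
CUSTOMERS = [
    {"email": "alice@example.com", "loyalty_points": 120, "postcode_area": "BB1"},
    {"email": "bob@example.com", "loyalty_points": 40, "postcode_area": "PR1"},
]


def new_key() -> bytes:
    """Secret for the pseudonym function. In practice this lives in a KMS or
    vault, never in the same store as the pseudonymised dataset."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed one-way token: the same identifier yields the same token under one
    key (so records can still be joined), but without the key the token can be
    neither computed nor reversed."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: List[dict], key: bytes, id_field: str = "email"
                 ) -> Tuple[List[dict], Dict[str, str]]:
    """Return (dataset without direct identifiers, token -> identifier lookup).
    The lookup is the re-identification key and must be stored separately."""
    dataset: List[dict] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        token = pseudonym(key, rec[id_field])
        lookup[token] = rec[id_field]
        stripped = {k: v for k, v in rec.items() if k != id_field}
        dataset.append({**stripped, "subject": token})
    return dataset, lookup


def reidentify(row: dict, lookup: Dict[str, str]) -> Optional[str]:
    """Re-identification is only possible with the separately held lookup."""
    return lookup.get(row["subject"])


def erase_subject(identifier: str, key: bytes, lookup: Dict[str, str]) -> bool:
    """Erasure or retention expiry: remove the link so the row becomes
    unlinkable, without editing the dataset itself. Returns True if a link existed."""
    return lookup.pop(pseudonym(key, identifier), None) is not None
```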
Informed: at the time the data is obtained; identity of the controller, DPO etc.; purpose of the processing; legitimate interests of the controller (or third parties); recipients / categories of recipient; details of transfers to third countries & the safeguards; retention period; details of the other rights; details of automated decision making
Access: confirmation that data is being processed; access to that data (for free!); less time to comply - within 1 month unless complex/numerous
Rectification: respond within 1 month; pass the correction on to third parties where possible & inform the individual
Erasure: not an absolute right to be forgotten; limited to data that causes unwarranted damage or distress; pass the erasure notice on to third parties
Restrict: less than erasure - restrict further processing; applies when accuracy is contested, processing has been objected to, or the individual is defending a legal claim
Portability: obtain & reuse data for own purposes; move, copy or transfer it in a safe & secure way without hindrance to usability; for free; within 1 month
Object: to processing based on legitimate interests; direct marketing; scientific/historical research & statistics; inform at the first point of communication
Automated decision making: safeguards against the risk of a damaging decision taken automatically; right to obtain human intervention; provide meaningful information on the logic involved
DPIA - impact assessments are needed when new technology is introduced, or when processing is likely to introduce risk to the rights or freedoms of individuals
Belgium's Privacy Commission (DPA) was the first to publish (June '17) what The Record should contain:
Controller: name/address; representative/DPO; purposes of the processing; categories of data subjects and personal data; categories of recipients (internal or external) who will have access; details of transfers to third-party countries or organisations (documentation of safeguards); time limits for erasure of the different categories of data; description of the technical and organisational security measures established
Processors: the items underlined above + DPIA; past notifications to the DPA; list of any breaches
The Record must be kept constantly up to date and made available to the DPA on request
Failure to keep a Record can lead to administrative fines of up to €10m/2%.
DPIA - Impact Assessment - understand the risk & consequences of the data during the audit; required as part of The Record
Embed DP training from induction through the entire lifecycle of tenure - a culture of privacy protection.
Get GDPR as a standing item/report on board agendas between now and May & beyond.
GDPR Countdown
Q&A
Satisfaction words