Safer Internet Day 2020

log on box

1,2,3,4 is the start of The Beatles “I saw her standing there”, it’s the way you “declare a thumb war” and it’s also the first 4 characters of the worst password of 2019 – which is 123456.

11th February 2020 is the 17th “Safer Internet Day” and I’d like to make it a day where people change their simple passwords for something much more secure.

Why is internet security important?

Safer Internet Day

Every day millions of websites come under attack, ranging from simple personal sites to complex e-commerce sites and online email service providers.

Just think about your information that’s out there, and what could happen if your business or personal security was breached.

What’s in your Gmail, Hotmail, Outlook.com mailbox, how valuable would that be to a cyber-criminal? What if they hacked your email account and sent emails to your contacts and connections, as you, then tried to use your email address for more nefarious purposes?

How about if, after hacking your email account, they used your credentials to try to

  • break into your bank account
  • hack in to your building society account
  • access your credit card account
  • use the info to set up fake accounts that they can then use to steal your identity, borrow money in your name and have it sent to their bank accounts,
  • buy products online that are delivered to them and billed to your address – the list goes on and becomes even worse if it’s business data that has been stolen.

Business bank accounts typically have more money in them with longer lines of credit, your servers may contain enough information for the cyber criminals to target your customers, there may even be ideas, designs and other pieces of Intellectual Property that could be sold or misused in a variety of other ways, all to your disadvantage.

You know it makes sense to have stronger passwords but a lot of people, as evidenced by this list, obviously can’t be bothered – maybe they deserve what comes their way?

Well I don’t think they do, which is why I’ve published this blog post as part of “Safer Internet Day” and I’d ask you to review your password policy, both internally and personally and follow these simple tips and guidelines to minimise your risk.

Password Box

What should you do?

Don’t use the same password on every site you log in to, ideally, each site that you have an account with should have its own, unique, password. I know that sounds hard but it’s remarkably easy if you use one of the many, secure, password creation and storage sites. There are loads to choose from, some hare subscription based whist others are free. You can read a review of the top ones here.

Personally, I use LastPass, I started using it a number of years ago and find it invaluable in matters of internet security. Your password manager will automatically create strong and unique passwords and save them in your databank and automatically fill in the boxes whenever you are on one of your sites that require secure access.

Many also come as Apps for installation on your phones and tablets so that you can always access the sites you need to, whenever and wherever you are.

Crowbar

They run in your browser so that you can access your passwords and other log-in data from any internet connected computer, at home or abroad, on holiday or business trip – just make sure you remember to logout if you’re using a public computer.

If you don’t want to use an App then make sure your passwords are at least 8 characters long and are comprised of a mix of UppEr cAse and loweR case, 1nclud3 a numb3r or 2 and m@ke use of spec!al character$ wherever possible. You can check the strength of your password at HowSecureIsMyPassword

If you are concerned about any of the security aspects for your business, then send me an email, andy@enterprise-oms.co.uk or give me a call on 01793 238020 for a hack free, zero obligation chat and I’ll be delighted to see whether I can help secure your business from cyber criminals and make sure that you don’t become a victim, like Capital One did in 2019 where a hacker stole 100 million records that included names, addresses, post codes, email addresses, phone numbers, dates of birth, bank details and social security numbers.

Yes, it’s “Password Madness” time

USer name and password box

Government Communications Head Quarters (GCHQ)- where the UK spooks provide signals intelligence to the UK’s government, military and Military Intelligence and the Department for Digital, Media and Sport (DCMS) carried out their first UK Cyber Survey and the results didn’t make for great reading.

Apparently

  • 42% of us Brits expect to lose money to on-line fraud
  • 23.2 million worldwide victims of cyber breaches used 123456 as their password
  • 15% say they know how to properly protect themselves from harmful on-line activity
  • 33% rely on friends and family for help with their cyber security
  • Young people are the most likely to be cyber aware, privacy concious and careful of the details they share on-line
  • 61% of internet users check Social Media daily, 21% say they never look at it
  • More than 50% use the same password for their email that they use elsewhere
Hacker Inside

Dr Ian Levy, NCSC Technical Director said “Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.” whilst Margot James, DMCS Minister said “We shouldn’t make their (cyber criminals) lives easy so choosing a strong and separate password for your email account is a great practical step. “

Most Regularly Used Passwords

RankPasswordTimes Used PasswordTimes Used
1.123456 23.2m ashley432,276
2.1237567897.7m michael425,291
3.qwerty3.8m daniel368,227
4.password3.6m jessica324,125
5.11111113.1m charlie308,939

It’s a shame that the top password list hasn’t really changed for at least 10 years – it shows how complacent a lot of us are with our on-line security.

I used to have 3 passwords, a simple one that I used really casually for newspaper sign-ups etc – name123 (not my real passwords, merely examples) a medium security one that I used on shopping sites, n@m3123 and a more secure one, used for banking etc – c3ler0n! (and all of the ones that I used feature on the Have I Been Pwned list).

About 5 or more years ago I switched to a Password Manager. I have 801 log-ins and 801 different passwords. All of them are at least 16 random characters long and comprise upper & lower case letters, numbers and symbols (where permitted).

Logging On

My Password database is stored securely in the cloud and is replicated on my PC, Phone and Tablet and accessible from my Chromebook too. I use LastPass but others exist and here’s a review of some of the top ones.

As you can see, I do my best to stay on top of my security but if you feel adrift, or need some help, just give me a call on 01793 238020 or email andy@enterprise-oms.co.uk for a free chat.

What the FA is 2FA and do you need it?

Let’s answer the easy question first, “do you need 2FA”? The simple answer is “yes”, you do need Two Factor Authentication (2FA). Now read on to learn more about what it is, how it works and how it can secure your data and online activity

I’ve written in previous posts about passwords, hacking, identity theft and the threat to our privacy, data and businesses from cyber criminals. As you might imagine, the number of attacks is increasing, as is the sophistication.

Why are Cyber Attacks increasing

Simple! The number of websites that we log-in to continues to increase and many people use one password across many websites. As you can see from the list on the right a lot of people use passwords that are less than ideal. The cyber criminals know this which makes it a gift for them.

Some people think they are safe because they have 3 passwords. A simple one for common sites where they don’t see a threat (posting comments to newspaper websites for example), a medium one that they use for on-line shopping and Cloud storage sites (DropBox for example) and a really complicated one for their “secure” sites, such as bank access etc. 

After all, just trying to remember pWa#eeAS7uNggK49 is a challenge but if you have to remember a different one for every single website it becomes a real challenge. You might jot them down in a notebook or diary but what happens if you loose your book, or just leave it on a train. Not only have you been frozen out of your accounts (until you work your way through all those “forgotten password” routines) but your security has been seriously compromised.

Some people, like me for example, use password manager. These apps create a secure password for ever site that you log in to and make it available across desk-tops, lap-tops, phones and tablets and don’t cost very much at all. But even if you use one how secure are you, actually?

chocolate teapot

If a site that you use your super strong password on is penetrated and data stolen, your strong password is about as much use (from a security perspective) as the infamous chocolate teapot.

And if you have used this super-strong password on more than one site you are at an even greater risk of becoming a victim of data theft. With more than 6,474m email addresses in the wild for cyber criminals to use and 551m passwords stolen in security hacks the criminals job gets ever easier.

Use the Have I been Pwned website to see whether your passwords have been stolen by cyber criminals or nabbed in a data breach and read more about the risk, and how the criminals use this stolen data in a previous post.

What’s the Solution

It’s actually fairly simple. It’s called two factor authentication [2FA] or multi-factor authentication. This is where another layer of authentication is required, beyond your user name and password.

In the early days of 2FA sites would send you a text with an access code so you could only log-in if you had your phone with you [and had a mobile signal]. This extra layer of security hit the cyber-criminals hard, until they realised that intercepting text messages was not particularly difficult if you were tech-savvy so something else was required.

Image result for hsbc internet banking device

The banks solved this problem by providing you with a device like the one to the right, this one’s from HSBC. At the website you enter your user-name and pass-code as normal, enter a PIN in the device and then enter the displayed number from the device in to your banks website. It may feel like a pain but it really does have a positive effect on the security of your on-line banking. A criminal needs a your user name/password, access to a device as well as your device PIN

Microsoft Authenticator

Having a device for every website is pretty clunky so Microsoft and Google released authentication apps for Android and iPhones. The way they work is they generate a six digit code, as can be seen in the image on the right, and the website that you are looking to access requests this code after you have entered your user-name and password – as demonstrated in this screen-shot of my LastPass password manager.

Two Factor Authentiaction

All I have to do is launch my Authenticator App and enter the six digit password. For additional security, the code changes every 30 seconds or so

Hardware Security

Hardware 2FA security solution

The final security solution is the physical “Key” such as this one from Yubikey. This is a USB device that simply plugs in to a USB port on your computer and allows you access to secured sites – or even your computer itself.

If you are worried by your security, or need any help with your internet activity, from a new website through social media and on to other online marketing opportunities then just send me an email – andy@enterprise-oms.co.uk or give me a call on 01793 238020

 

Have you had your electronic ID stolen?

In other words, have you been pwned*. There have been millions of email addresses and passwords stolen in hack attacks and millions more that have been left exposed by incompetent website owners. However, it’s not just your email address that’s been stolen, your name will have gone with it, possibly your address and maybe even credit card (and other) data.

The stolen information is then made available for sale on the dark web and here’s a sample of the prices it can fetch

  • Credit/debit card number – $5-$11
  • With the CVV (3 digit) security code – + $5
  • “Fullz” (card, CVV, name, address, date of birth etc.) – $30
  • Bank account access – 10% of the credit balance in the account
  • Online Payment Services, such as PayPal – $20-$200

But how do you know whether your information is “out there” just waiting to be abused by cyber criminals? Well, I don’t know but I know a man who does, and he’s set up a rather useful website

Have I been Pwned?

There’s a website called Have I Been Pwned. This has been created by Troy Hunt, a Microsoft Regional Director & MVP (Microsoft Most Valuable Person for developer security). After data from a major cyber incident was “found” on the Dark Web Troy decided to put a database together – in his own time & at his own cost – as a way of allowing people to check whether their data was amongst stolen information and to “keep his hand in” from a programming perspective.

The site is now a comprehensive source of information about data hacks and data loss and is simple to use. All you have to do is enter your email address to see whether you have been “pwned”

And if you have been, as shown in the image above, it will also tell you which data breach (breaches) your email address has been found in.

Not every data breach leads to passwords being available. Some databases have encrypted passwords, making them worthless to the cyber criminal. However, many don’t and, like email addresses, there are millions (over 550) of passwords available on the Dark Web.

As he’s done with email addresses, Troy has now gathered all the stolen passwords that he can find and has created another searchable database dedicated to stolen passwords.

Why it’s important to know whether your passwords are available to cyber criminals.

At this point, all the criminals have is a list of emails and and another list of passwords. They may not know which ones go together and they also don’t know which websites these email addresses and passwords relate to.

But, from our perspective, there’s a significant weakness. This comes in to play because a lot of people use the same password for many websites simply because it’s easier to remember one password than many. This use of the same password makes things a lot easier for the cyber criminals to put our data to fraudulent use.

Let’s say, for example, that the criminals target Amazon. You might have your credit card details already stored against your account so if a cyber criminal can gain access, all they have to do is change a delivery address and Bob’s their uncle.

They’ll use a “Credential Stuffing Attack” which means that they’ll load all the email addresses in to one database and the passwords in to another and start the attack. First they pick their target (Amazon in my example) and use software that will add an email address to the log-in box. They’ll then turn to different software to try all the passwords in the password database to see whether there’s a match.

And once they’ve tried one email address they’ll automatically move on the next one. Once they’ve tried all combinations, and flagged those that work, they’ll move on to another site.

This sounds like a long, slow process but they’ll probably use a “Botnet” – a network of tens, hundreds or possibly thousands of hacked computers around the world that they have control over.

So, you should check “Have I Been Pwned” for both email addresses and passwords and if you’ve got a compromised password you should find the sites you use it on and change it – remembering to use a different one for each site.

Top 10 Passwords of 1018

Different, not similar – Password, PassWord, PAssword1960 and Pa55W0rd are NOT different to a cyber criminal. Criminals will also use these, and other variants of the world’s most popular passwords (2018’s shown in the image to the right) in their attempts to hack your accounts.

If you are concerned about your digital security, or need some help with your website, SEO or anything else online then just drop me an email, andy@enterprise-oms.co.uk , or give me a call on 01793 238020 for a free, no obligation conversation about your requirements

*Pwned – When a map designer in the online game called Warcraft beat another player he wanted to say “Player x has been owned”. Unfortunately, he mis-typed and actually said “Played x has been Pwned”. This is now a “thing”

Worries with WordPress, or what happens if you don’t keep up with updates

WordPress Logo

You might have a website that’s been build using WordPress. No one will blame you, after all it’s free and has become probably the most used Content Management Systems (CMS) out there. In fact, in 2018 around one third of all websites were built on WordPress.

You might have built the site yourself or paid a developer to design and build it for you. You might not even know that your site has been built using WordPress.

It’s popular because it’s free and pretty easy to use – well it is when compared to some of the alternatives out there anyway. Although popular and free, it may not be the best and although it It is OK it does have a number of issues.

WordPress Editing screen

Because it’s so popular it’s become a top target for hackers. This means that the people behind WordPress have to be on their toes, always on the lookout for weaknesses & flaws that the hackers can exploit to break into a website and create mayhem.

When the WordPress developers come across such a flaw they create a patch and release a new version of WordPress. As an example, the current version is 4.7. However within the next couple of weeks there will probably be a new version. 4.7.1 and then 4.7.2 and so on and so on and so on, releasing updates as and when flaws are discovered.

You and your web developer need to be on top of this by making sure that you’re running the latest version of WordPress. The newer versions, if set-up properly, should update themselves automatically but you need to keep an eye on things just in case. Older versions had to updated manually, by clicking the ‘Update Now’ link so it all seems pretty straightforward. But it’s not!

Why things may not be as easy as they seem

WordPress Menu

Most websites using WordPress use a number of Plug-Ins, small pieces of software that add extra functionality to the website and make it easier to manage.

However, you need to exercise caution when updating – especially if you use a lot of plugins to manage different elements of your site because some of the plug-ins may not have been updated to work with the latest version of WordPress.

This means that hitting the WordPress Update link might cause a plugin to stop working and this could break your website.

But what happens if you don’t update WordPress?

Well, you might find that your website gets hacked and will start to do things that you would’t want to be associated with. It could start to download malware to the computers of all the people who visit your site – software that could monitor their keystrokes and pass banking details back to criminals in Eastern Europe or China, for example.

Or you could find – as one news website found out to their embarrassment – a lot of unsavoury spam being inserted into the first paragraph of every news story on their website.

Hacked WordPress page
How did this happen?

The company were very lax – their site was built using WordPress and was last updated in June 2012. Since then, there have been 114 updates to WordPress, some to improve performance and some to improve security.

By failing to keep up to date this gave the hackers and “easy in”. The hackers were able to use automated tools to find websites using WordPress and to find out which version was being used. From there, it would have been simple for the hackers to target a known weak spot and break in. From there, it would have been the work of moments to install their own spammy code.

What should their website manager do?

It’s easy to cure – all they have to do is identify and delete the malicious software and then update to the latest version of WordPress, although they are so behind with their updates that they might find their site gets broken by the update so they might be caught between a rock and a hard place.

If you are worried about WordPress, then don’t hesitate to get in touch. Give me a call on 01793 238020 or drop an email to andy@enterprise-oms.co.uk for a free, confidential and obligation free chat.

The Deep Web and Dark Web. What are they?

Browser Address bar

The Deep Dark Web

The “Dark Web” has been in the press frequently over the past couple of years, associated with tales of hacking, the sale of personal information, credit card data, drugs, weapons and other illicit items. However,  there’s been very little by way of explanation as to what the dark web is and how you go there and this item looks to answer that, purely for research purposes of course.

A number of news stories have also referred to the “Deep Web” which has lead to a degree of confusion, as if the media consider the two to be interchangeable.

So, just to clear up any confusion here’s an explanation of the differences between the Deep and the Dark Web.

Let’s start at the top

The “Surface Web” is the web we all know and love, the websites we visit and the sites/pages that we find using Google/Bing/Yahoo and other search engines. And there’s the key, it’s only the parts of the internet that the search engines know about.

Just visit any website and click a few links, you’ll be doing the same thing that the search engines do, visiting websites and following links to find pages that they can present to you when you’re looking for things.

Steps leading down to represent the Deep Web

What is The Deep Web

Simply put, the Deep Web is just the area of the internet that is beyond the reach of the major search engines.

As an example, just go to www.britishairways.comand try to find a holiday to the Nautic Hotel between 7th and 14th October in Mallorca without using the search facilities.

It’s not that easy, in fact it you might find it confusing/difficult/impossible. You’re not alone, the search engines do to because they can’t get much further down than the first 3-4 layers. At least this is getting better because Google, Bing and the like are always looking to improve the way they manage such challenges but it’s still a struggle for them. 

Websites can use code, called robots.txt, to actually block the search engines from certain pages so that they are difficult to find, deliberately. Websites with members only pages may choose to do this, for example.

As you can see, the Deep Web is neither illicit nor scary, it’s just out of reach of the major search engines.

What is the Dark Web

This is where things get really interesting. The Dark Web is a small portion of the web that is intentionally hidden and encrypted and which cannot be accessed through your typical web browser.

TOR logo representing the Dark Web

To access the Dark Web you need a specialised web browser that enables you to tap into the the TOR network. TOR, short for ‘The Onion Router’, so called because it uses many layers to both encrypt the data that moves around and to make it almost impossible for the authorities to trace internet activity back to a particular user and location. Great for security and anonymity which is why TOR was originally designed by US Intelligence agencies to enable American spies to securely communicate with their parent organisation and not reveal their location and identity. 

The code was officially released to the public in 2004, and it’s still used by human rights groups and the like in repressive and unsafe countries to communicate with the outside world, but like almost everything it has also been subverted by those with criminal tendencies and put to a darker use.

You might recall that a couple of years ago the media was full of stories about a Dark Web website called Silk Road. This was like an eBay for criminals, a place where you could buy illegal items such as drugs & weapons and engage criminals to carry out illegal activities on your behalf, hacking for example.

The Silk Road was eventually closed down by the authorities but similar sites still exist if you know where to look and how to access them.

The first step is to download the TOR software, it’s free and pretty easy to find. However there’s no Dark Web version of Google – you have to know your way around if you want to find the illegal stuff – I don’t and wouldn’t broadcast it even if I did know.

I may not be able to help with your journey to the Dark Web but if your Surface Web needs improving or your Deep Web needs surfacing to make it easy to find, then get in touch, andy@enterprise-oms.co.uk or give me a call- 01793 238020 and I’ll dive in and see what I can do.

What information do you have to publish on your website?

Laptop on a table being used by Andy, checking out websites as part of his work

As you might imagine, I spend quite a lot of time looking at websites. I look at client sites to see what can be improved, I look at potential client sites to put bids and proposals together and I look for sites that I can prospect to. I also look at other sites to keep my knowledge up to date – and that’s just during the working day.

I see good sites, OK sites, indifferent sites and some real shockers but it does not matter how good (or how poor) the site, whether pennies, pounds or thousands was spent on the development loads miss out on the provision of basic information. A lot of which is a legal requirement when a business is using a website to promote themselves.

As an example, a lot of businesses provide a web form as a means of communication despite the fact that a lot of people don’t like forms – especially ones that ask for too much information. Part of the dislike is due to the fact that sending a form leaves no record of what was sent, nor when it was sent, unless it automatically forwards a copy to the senders email address but there’s no way to know this – until you’ve sent the form (unless the form actually informs you of this)

Gavel - representing a legal requirement

There was a piece of legislation passed in 2002 called the eCommerce Regulations that applied to ALL companies using the internet, not just those selling online and perhaps that’s why a lot of businesses don’t comply. Either that or it’s simply a lack of knowledge either within the organisation or by the web developer. Either way, ignorance of the law is no excuse – as the law says.

So, what does the law require you to publish in an “easily, permanently and directly available location” on your website?

Minimum information to be provided on your website

  • The name of your business, which might be different from the trading name and any difference MUST be explained. For example, ABC.co, is the trading name of ABC Enterprises Ltd.
  • The geographic address of the business must be provided
  • Your email address. A “Contact us” form without providing an email address is not sufficient
  • Your Company Registration Number, if yours is a Registered business, together with the place of registration
  • Your VAT Registration Number, if you are VAT registered
  • If you are subject to an overseeing body, such as the FCA, then you need to provide the governing agency AND your registration number.
  • Prices – if you are quoting prices (or selling) online your pricing should be clear, unambiguous and state whether prices are inclusive of tax and delivery costs, or not.

If you need help with compliance, or with anything else relating to your website or marketing activities then give me a call for an initial, free and zero obligation chat on 01793 238020 or email andy@enterprise-oms.co.uk

Do you use a .EU domain?

MAshup of Union and EU flags, Image result for brexit

Brexit was always going to have problems and issues for businesses but none expected it to have an impact on business domain names.

Well, until Easter 2018 anyway, which was when a major problem for businesses was announced in well known and respected technology news site, The Register.

You probably chose your .EU domain for a really good reason, you want the world to know that either you are an EU-based business or your market is the EU, for example.

Brexit and the .EU domain

However, as a result of Brexit, the EU has announced that all .EU domains registered by UK businesses (and individuals) will be revoked on B-Day (Brexit Day) 31st March 2018

What this means is that if you are one of the 300,000 UK organisations or individuals who has registered a .EU domain you might well see your website disappear overnight.

Obviously, continental domain registrars may well take advantage of this, offering to take on your domain and “fix” the problem for a (presumably large) fee, but that also has issues. The European Commission has hinted it is unhappy with that arrangement too; they will no longer allow you to own an .eu domain (that’s their whole point), so you are putting yourself at some commercial risk (similar to not owning IP in any products you make), and the EU is legally bound to prefer “the good of the EU” in any contractual dispute. Thankfully though, there are alternatives:

What’s in a (domain) name?

It’s not just your web site that could be affected, your email system, security certificates for encryption and e-commerce, and possibly even remote access to company assets for sales staff might be impacted too.

It will vary, obviously, depending on how you are set up, but checking this now is very sensible.

Perhaps the best approach is to do two things

  1. Immediately register a suitable .UK domain, and
  2. Point your .EU web traffic to it as soon as possible.

You have a choice of .uk domain name, and you can still represent your EU connection in it, if that’s crucial. For example,

bloggs-transport.eu

might change to,

bloggs-transport-eu.uk

We realise this isn’t ideal, but the second name is safe as it can’t be affected by any disruption the EU Commission might cause. You would have normal rights to the name, under English law, and, if it’s done right, there’s almost a whole year for your clients to get used to your new URL. Thus the risk is minimised, and it becomes one aspect of Brexit that can’t hurt you further commercially.

If this change goes ahead—and this is much more likely than unlikely in our opinion—you have less than a year for clients to become used to the change. This isn’t something to hesitate over: the implication is that no redirection will be possible after 31st March 2019, so at that point your site will simply vanish off the internet. People may even think you’ve gone bust!

Right now, you have enough time for this NOT to become an expensive issue. The longer you leave this one, the more electronic business disruption is likely to cost you come Brexit day.

If you have a .eu domain and you are worried, please get in touch: 01793 238020 andy@enterprise-oms.co.uk, the fixes are mostly straightforward and inexpensive to implement (without disruption, if you act quickly enough).

007 in ‘For your GDPR Only’

MI6 headquartersWhen “M” has finished spymastering for the day, or pops out for a cheeky Nandos, we always see M locking the “Top Secret” files away in the office  safe. We know that’s so that no secrets will be discovered, even if an enemy spy (or the tea person) manages to gain access to the empty office.

In business, we need to be like “M”.

In a previous post I looked at Data Protection and the forthcoming General Data Protection Regulations (GDPR). However, I didn’t make it clear that the regulations don’t just apply to digital data stored on your IT systems and network but also apply to paper records too.

Anything that contains personal data, whether paper or digital, falls under the auspices of the Act, including the recordings from your CCTV cameras, phone systems (think “this call may be recorded for training purposes”) and biometric data – such as fingerprint or iris recognition systems used to unlock systems or grant access.

Keyboard with the word 'Privacy' overlaid

This means the files on your desk, the files in your filing cabinet, your paper archives as well as your electronic records, anything that includes personal data.

To start with, you need to ask yourself

  • Who has overall responsibility for the data you have and/or use?
  • What data are you holding, why are you holding it and where is it held?
  • Are your Privacy and Data Use Policies as good as they need to be?
  • How long do you need to keep data & how will you securely destroy it when you no longer need to keep it?
  • Who has legitimate access to it and who else can access it?
  • How secure is your building, your paper records and IT systems?
  • What happens out of normal business hours?
  • Can data be exported and removed without authorisation (to a USB key for example)?
  • Is your network connected to the internet and how secure is your connection?
  • Can your network be accessed remotely – is this secure?
  • Is your electronic data encrypted so, in the event of a breach, data cannot be accessed and used?
  • Can your network prevent unauthorised intrusion (hacking)?
  • How do you manage Subject Access Requests, (when someone requests to see the data you hold about them)?
  • How will you manage a data breach, whether it’s a hack, unauthorised file copy or unauthorised removal of paper records?

So, how can I help?

I can put you in touch with reliable IT companies and trusted partners 

  • Blob figure staring, "James Bond like" down the barrel of a gunthat will be able to inventory all of your IT and data assets.
  • who’ll test your network to see how secure it is and whether hackers are likely to be able to gain access
  • who will secure your network from external threats (hacking) and ensure that your remote access requirements are reliable, easy to use and secure.
  • who will help you secure your data inside the organisation and set things up so that only appropriately authorised employees can access the data they need to do their job and no more.
  • who will secure your network so that it’s almost impossible for data to be copied onto a USB key or external hard drive and removed from the organisation
  • who will put transparent encryption in place which means that it doesn’t slow anything down but is so strong that only GCHQ or the NSA would be likely to crack it.

Take the first step now, by giving me a call on 01793 238020 or emailing andy@enterprise-oms.co.uk to find out how I can help mitigate data security risks and start preparing for GDPR guidelines.

General Data Protection Regulation (GDPR)

Keyboard with the word 'Privacy' overlaidWhat is the GDPR?

The General Data Protection Regulation (GDPR) is the name given to the new law that will come into effect on 25 May 2018 to provide added protection and security to the data that businesses hold on, and about, individuals. It will replace the UK’s Data Protection Act (DPA).

At the end of this post you’ll find a simple glossary of terms for reference

Why do we need the GDPR?

There has been a huge change in the amount of data, and the way we use it, since the Data Protection Act came into effect 20 years ago.

Back then, a home PC was a rarity, now it’s pretty much the norm and households typically have multiple devices (PCs/laptops, phones, tablets, smart TVs and other internet connected devices) whilst the majority of businesses are totally reliant on IT and data.

As a consequence of these changes the laws relating to data needed updating and there was a strong drive to have common data protection laws across the EU due to the increased globalisation of business. Brexit will have no impact on the new regulations

What impact will the GDPR have on my business?

There will be a need to ensure that the way you collect, store, manage, use and destroy data is in compliance with the new regulations and there may be a requirement to employ new staff, outsource services or allocate new responsibilities to existing employees.

People & Accountability

DATA PROTECTION OFFICER

To comply with the new regulations you may need to allocate data protection responsibilities to employees or employ a new member of staff, depending on the size of your business and the data protection requirements placed on it. The following businesses MUST appoint a Data Protection Officer (DPO)

  • Public Authorities
  • Businesses whose core activities involve large scale systematic monitoring and profiling activities
  • Businesses whose core activities involve large scale processing of special categories of data such as ethnic origin, political opinions or religious beliefs

DPOs can be employed or outsourced but must report to the highest level of management.

DATA PROCESSORS

Current law does not apply to pure data processors, i.e serviced providers who only deal with data as directed by their customer, only applying to data controllers. If you are a mailing house which accepts data from a client for producing mail shots (land mail or email) for example

GDPR introduces direct rules and accountabilities for data processors, including

  • Keeping records of data processed
  • Designating a Data Protection Office (where required)
  • Notifying the Data Controller where there has been a breach

Under GDPR, data controllers can only use data processors “providing sufficient guarantees to implement the appropriate technical and organisational measures so that the processing meets the requirements of GDPR and ensures the protection of the rights of data subjects

Accountability and the GDPR

Accountability is all about considering risks and demonstrating that you have considered, and managed, data protection risks. You will need to have clear policies in place to show that you meet the required standards and should establish a culture of monitoring, reviewing and assessing your data processing procedures

Privacy Impact Assessments

Businesses will be required to carry out a data protection impact assessment where carrying out any processes that use new technology that is likely to result in a high risk to data subjects, required in particular where there will be automated processing (including profiling) and on which decisions which affect the data subject and for large scale processing of personal data

Privacy By Design

Businesses must take data protection requirements into account from the inception of any new technology, product, or service, that involves the processing of personal data, with an ongoing requirement to keep those measures up to date.

Notification of Breach

The existing DPA requires an organisation to notify (register and pay a fee) the ICO that they will be processing personal data. This will no longer be a requirement under the GDPR, replaced by an obligation on the Data Controller and Data Processor to maintain detailed documentation, recording;

  • Processing records
  • Data location
  • Purpose of processing
  • Lists of data subjects
  • Categories of data
  • Security procedures

However, if you have fewer than 250 employees, the requirements are less onerous and you’ll only need to comply if your processing is “likely to result in high risk to individuals, the processing is not occasional, or includes sensitive personal data.

Because the processing of employee data is likely to involve sensitive personal data there will be an obligation on all organisations to maintain documentation, no matter what their size.

With the removal of registration and fee payment, the ICO loses their main source of income and this could make them keener to catch organisations in breach and fine them.

Under current  legislation there is no requirement to notify the ICO should you suffer a data security breach. This changes under the GDPR with the introduction of a requirement to report data security breaches to

  • Data Controllers (if a Data Processor breaches)
  • Regulators – if a Data Controller breaches and the result is a risk to the rights and freedoms of individuals – without undue delay (within 72 hours of discovery if feasible)
  • Affected Data Subjects – where the breach could leave them open to financial loss, for example. If the risk is high, this notification must be without undue delay.

When does the GDPR come in to law?

25 May 2018

Where will the GDPR apply?

Current data protection laws apply if you are located in the EU, or make use of equipment located in the EU, such as servers. The GDPR applies whether or not you are located in an EU country – it applies if you offer goods or services to EU residents or if you monitor their behavior.

If you want to transfer data beyond the EU (if you use a server based in the US to do your email marketing, for example) you need to ensure that the destination country has been recognised as having “adequate or equivalent” data protection regulations and you will have to ensure that suitable safeguards are in place to ensure the protection and security of the data you are transferring.

What happens if I don’t comply with the GDPR?

Currently, fines across the EU for a Data Protection Breach vary greatly with the UK having a maximum fine of £500,000 for a breach of the DPA.

One of the goals of the GDPR is to ensure that fines are consistent across national borders and to impose a significant increase in fines to emphasize the importance of good data management and security.

The new fines are to be split across two tiers

  • Up to 2% of annual, worldwide, turnover of the preceding financial year or EU10m (whichever is the greater) for violations relating to internal record keeping, data processor contracts, data security and breach notification, data protection officers and data protection by design and default
  • Up to 4% of annual, worldwide, turnover of the preceding financial year or EU20m (whichever is the greater) for violations relating to breaches of the data protection principles, conditions for consent, data subjects rights and international data transfers

The Information Commissioner’s Office (ICO) will also have increased enforcement powers and grounds for seeking judicial remedies under the GDPR, including a power to carry out audits and to require (demand)  information to be provided and obtain access to premises

Practical Steps to prepare for the GDPR

  • Ensure that you have the resources to plan and implement GDPR requirements
  • Identify all existing data systems and the personal data processed
  • Review existing compliance programs and update/expand as required to meet the requirements of GDPR
  • Ensure you have clear records of all data processing activities and that the records are available
  • When using Data Processors, ensure you include terms in your agreement relating to immediate notification of any data breach.
  • Develop and implement a data breach response plan and have templated notifications so that staff can act promptly
  • Put internal reporting procedures in place, have an internal breach register and train staff on notification and use
  • Ensure that you have sufficient resources to implement required changes
  • Consider appointing a DPO
  • Assess whether the organisation uses consent to justify processing
  • Develop, and implement, a policy on data storage and retention
  • Review contractual arrangements with Data Processors
  • Consider Data Protection when developing new technologies, services and goods and keep clear records
  • Ensure all policies and procedures are available and written in clear, concise and easily understood language
  • Consider how you will gain consent for the use of the ata you hold, and use, for advertising, marketing and/or social media
  • Examine your Privacy notices now and start updating them
  • Review privacy notices and other “fair processing” information given to employees
  • Review employment contracts, handbooks and policies. Is contractual “consent” sought?
  • Ensure that you can respond to Subject Access Requests within 1 month (no admin fee will apply under GDPR)
  • Train staff on data protection responsibilities

Summary

The GDPR will have a wide reaching impact on most businesses, both large and small, which make use of data within the organisation.

Within the GDPR there are many undefined phrases, such as what counts as “large scale” and what is “new technology” and it is likely that these will only be determined as part of case law i.e. when a company is prosecuted for a suspected breach and their defence (or prosecution) need an accurate description of such terms.

It is likely that things will change as we get closer to implementation. However, you should start your preparation as soon as possible and the ICO has published a useful leaflet called “12 Steps to Take Now” which provides more helpful advice.

Disclaimer

I’m a digital marketer and SEO professional, not a legal practice. As a consequence, this should be used as a guide to the GDPR and legal support sought to ensure that your business is in compliance.

Glossary of Data Protection and GDPR Terms

  • Consent – Permission to collect, store and use personal data
  • Data Controller – A person, or persons, determined the purposes for which, and the manner in which any personal data are, or are to be, processed
  • Data Portability – The ability to move data from organisation to organisation, or across nation states
  • DPA – Data Protection Act, the regulations that the GDPR replaces
  • Data Processor – Any person who processes data on behalf of the data controller
  • Data Protection Officer – Person responsible for the oversight of organisational data protection strategy and implementation to ensure compliance with the GDPR
  • Data subject – The person to whom a data set relates (you and I)
  • GDPR – General Data Protection Regulations. The name given to the new regulations relating to the way we collect, store, use and destroy data
  • ICO – Information Commissioner’s Office – body responsible for upholding GDPR
  • Personal Data – anything clearly seen as personal, including name, address, phone number but also including IP addresses, cookie identifiers and UDID (Unique device Identifiers). Expressions of opinion about an individual also count as personal data so you need to be careful what you say about colleagues or clients in emails
  • Right to be Forgotten – The right to request the complete deletion of all personal data.
  • Subject Access Request – A request that an individual can make to find out the data that an organisation has relating to them.

And if you are struggling with your GDPR then give me a call on 01793 238020 or email andy@enterprise-oms.co.uk and I’ll do everything I can do to help.