Friday, 19 August 2016

The General Data Protection Regulation - A post Brexit positive for British enterprise [Link - SC Magazine]

Another proud moment for me, as I have another article published in SC Magazine about the General Data Protection Regulation (GDPR):


A month before the UK chose to leave the EU, the European Union's General Data Protection Regulation (GDPR) was signed into law. The act is designed to change the way businesses approach data protection from its 2018 enforcement date.

Replacing the EU Data Protection Directive, it has considerable scope in standardising and unifying data privacy requirements across member states and any business that markets to EU data subjects.

With strict guidelines around obtaining consent for data collection and individual profiling, alongside far more comprehensive definitions of data, non-compliance will trigger heavy fines - either €20 million (£17 million) or four percent of global turnover, whichever is greater.

Off the hook

If we exit the EU before the GDPR is enforced in 2018, technically the legislation won't apply. In practice, however, the international trading implications of the GDPR mean the UK will need to broadly align its laws around handling EU citizens' personal information to maintain a close trading partnership with the EU member states.

So while those IT departments who believe GDPR stipulations impose a heavy burden might consider Brexit a handy escape route, the reality is this: Brexit aside, to continue as trading partners with the EU and remain in the European Economic Area, UK businesses will need to adopt a broadly similar framework of standards to protect EU citizens' information.

This is a positive thing, holding huge opportunity for UK business. The regulation's objectives and framework are vitally important in today's global digital economy. Meeting the new requirements will help protect UK businesses and citizens from much of the catastrophic damage caused by major cyber-attacks and mitigate many of the threats before they occur.

With only two years to meet compliance requirements and implement the changes to business systems and operations, now is the time to start the process of transforming the way businesses collect and use personal information and data.

Key considerations

Firstly, it's important to remember that the GDPR is a set of rules governing the security and management of any data that could be used to identify someone. Companies will have to notify the authorities within 72 hours of any breach of an EU national's data to avoid a fine.

There's currently no UK requirement to do this and many don't due to the potential reputational impact. Recent examples, including TalkTalk's experience, demonstrate the potential damage to profit and trust following public data leaks.

To meet this requirement, businesses will need to deliver huge overhauls of their current systems to ensure breach protocols are compliant. The final draft won't be ready for some time, but companies should closely examine the current version to get up to speed.

From a technical perspective, the GDPR separates responsibilities and duties for both data controllers and processors. Controllers will only be able to engage processors that provide sufficient guarantees to meet the GDPR's standards of protecting data subjects' rights. For example, Article 32 of the GDPR already outlines these responsibilities and provides specific suggestions for the type of security activities which might be ‘appropriate to the risk’.

Above all, it's worth remembering that from encryption of data to testing and assessing security systems – everything needs to be compliant with the GDPR's new code of conduct.

GDPR readiness

With just two budget cycles remaining until the act becomes law, it seems GDPR readiness is not a priority amongst European IT professionals – and there's a lot to be done.

As an immediate priority, a UK enterprise should start to get its systems ready and implement upgraded breach notification policies. To deliver this effectively, IT must start working with legal teams and other key departments to avoid the potential for heavy fines and get their operations data fit for a new era of global digital trade.

Wednesday, 20 July 2016

Gemalto hunts for partners for its encryption solutions as GDPR approaches [Link - CRN Magazine]

I was asked to give my opinion on our working relationship with Gemalto and GDPR by CRN and my comments were published:


MTI has been a partner with Gemalto for around eight years, and its services director Andrew Tang said that he has noticed the increased demand for the encryption products Gemalto provides in the run-up to GDPR.

"We have had a couple of organisations in the finance industry that have started asking us about how we can help them with their GDPR strategy. There are organisations out there that are on the ball, but more companies were in limbo because of the referendum," he said.

"People forget that when you look at all the different options, whether it's the Norway, Switzerland, Canada or Turkey models, they all have to adhere to EU regulation, which means GDPR in some fashion or another. It is still about education and evangelisation at the minute."

Saturday, 16 July 2016

Euro 2016: A lesson in BYOD security best practice [Link - ITProPortal]

I was asked to write some thoughts around the security during Euro 2016 for ITProPortal:


One of the stories away from the pitch at this year’s Euro 2016 event was the significant spike in cybercrime on mobile devices.

Attending football fans, trying to keep on top of work or attempting to access tournament information, fell victim to cyberthreats as hackers took advantage of insecure public Wi-Fi networks and applications.

Reports suggest that the host country was targeted in a highly calculated way by hackers during the event, with 72 per cent of malicious websites and 41 per cent of exposed passwords detected on smartphones in France alone.

The UEFA EURO 2016 Fan Guide App, one of the official UEFA mobile applications, was a prime target for hackers during Euro 2016, having been downloaded onto more than five million devices.

Designed to provide practical tourist information for fans travelling to France for the tournament, the app leaked user data including usernames, addresses, phone numbers, and passwords due to an insecure connection.

The BYOD threat is real

The scale of the attack during the event highlights just how strong the threat is for businesses, especially for companies operating BYOD policies, as employees are free to access malicious websites and fake apps and to connect to unsecured Wi-Fi on the same device on which they store corporate data.

An additional report also suggests business travellers are more likely to be mugged of valuable private and corporate data than of their travel money. The report found that 59 per cent of staff in senior roles claim to log on as quickly as possible upon arrival abroad, while 48 per cent of senior managers and more than 43 per cent of mid-level managers use unsecure public access Wi-Fi networks to connect their work devices when abroad.

So how can businesses protect themselves against mobile threats and prevent mobile hardware and apps from leaking corporate data, and what are best practices around BYOD security?

Mobile management

With company owned mobile pools now rapidly becoming out of date and workplace bring your own device (BYOD) policies steadily growing, controlling what an employee does on their device has become far more difficult and complex.

Enterprise Mobility Management (EMM) platforms have become crucial in protecting corporate data. Apps and documents can operate separately from the rest of the device, allowing employers to create a ‘wall’ around sensitive information to prevent infection from compromising data.

EMM also allows for robust security policies to be put in place on an employee’s personal phone without invading privacy or handing too much control of a personal device to an employer.

Right apps, right channels

It is also important to consider where employees are storing data. Some cloud-based storage applications can present a risk as the data is often entrusted to a third party. This means businesses have to rely on the strength of an employee’s password for protection.

Using the appropriate channels for storing information, such as company-managed storage reached over an encrypted VPN, and making these available to employees’ mobile devices is another step towards protecting business assets. This ensures all information is properly encrypted through storage managed by the company itself, rather than entrusted to a separate party.

Another consideration for most businesses is how to prevent staff downloading apps that can leak data. Companies that issue a fleet of managed devices can place restrictions on what apps can be downloaded, but with BYOD, employees are free to download what they want.

By creating a separate corporate app store on the device, IT departments can then ensure that only approved apps can be used to access corporate information, while still allowing employees the freedom to download whatever they wish to use on their device.

Public dangers

One of the biggest threats during the Euro 2016 tournament was the use of free Wi-Fi facilities.

Public, password-free Wi-Fi is a particular threat to both individuals and businesses due to the lack of encryption, which allows hackers to access almost all information on a user’s device.

The Wi-Fi Pineapple, for example, makes man-in-the-middle attacks easy. In this type of attack, a hacker sits in between the device and the Wi-Fi to which it is connected in order to extract information from the device.

These types of attack are especially dangerous for travelling football fans and business people alike, as users often try to avoid having to pay expensive data roaming charges while in foreign countries.

By educating employees about the dangers posed by using unsecured Wi-Fi and unauthorised applications, organisations can help to mitigate at least some of the potential threat.

Part of this process should involve advising employees of the dangers hacking poses, the reasoning behind approved corporate channels for storing information, and clearly defining the role they need to play in securing their device.

IT departments need to be working with the HR team and heads of departments to create a corporate culture around security and convey that the protection of company data is as much their responsibility as it is for IT professionals.

Monday, 11 July 2016

EU General Data Protection Regulation (GDPR)

Before I start on this blog piece, I have to make it clear that I'm not a lawyer and I have no legal training. The blog piece below does not constitute legal advice; these are areas I have researched, and I may make some assumptions along the way, especially with the uncertainty in the UK and its relationship with the EU.

Data Protection Directive

The EU Commission was looking at replacing the Data Protection Directive. So we are clear, an EU directive is a goal that the EU must achieve, but it's up to the individual countries to devise their own laws on how to reach the goal.

In January 2016, a draft form of the EU General Data Protection Regulation was released. The difference between a directive and a regulation is that an EU regulation is a binding act that is applied in its entirety across the EU.

Why is GDPR important?

GDPR is there to strengthen and unify data protection for individuals in the EU. It also addresses the export of personal data outside of the EU.

When will GDPR happen?

The regulation has now been released and enters into force on 25th May 2018.

What is the impact of GDPR?

  • A Data Protection Officer is needed if an organisation processes the data of 5000+ EU data subjects, or has 250+ employees
  • Mandatory disclosure of incidents within 72 hours to the national authority
  • Maximum fines of up to €20 million or 4% of worldwide revenue
  • “Right to be forgotten”: the data subject will have the right to retract consent, request data erasure or portability
  • The EU Referendum has no impact on organisations – if you hold personal data on an EU citizen, GDPR still applies
  • Live May 2018 – Two budget cycles left

The Data Protection Officer

If the core activities of an organisation involve “systematic monitoring of data subjects on a larger scale”, or large scale processing of "special categories", such as racial/ethnic origin, political opinions, religious/philosophical beliefs, biometric data, health/sex life or sexual orientation, then a Data Protection Officer is required.

The role also exists to advise on and monitor GDPR compliance, as well as to represent the organisation when contacting supervisory authorities.

Disclosure and Notification

Controllers are required to notify the appropriate supervisory authority of a personal data breach within 72 hours (at the latest) of learning about the exposure if it results in risk to the consumer. But even if the exposure is not serious, the company still has to keep the records internally.

According to the GDPR, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (the EU’s term for PII) is considered a breach.

The GDPR notification is more than just reporting an incident: there is a need to include the categories of data, the records touched, and the approximate number of data subjects affected. This will require detailed intelligence on what the hackers or insiders were doing.

There is a term known as "dwell time", which is the period of time that someone malicious is on your network and systems undiscovered. Most people are shocked to learn that this is on average 206 days (from Cost of a Data Breach Study: Global Analysis, Ponemon Institute, 2015).


The GDPR has a tiered fine structure, so a company can be fined up to 2% of worldwide revenue for not having its records in order, not notifying the supervisory authority and data subject about a breach, or not conducting impact assessments, while more serious infringements merit a 4% fine. This includes violation of basic principles related to data security and conditions for consumer consent.

The EU GDPR rules apply to both controllers and processors that are in “the cloud”. So cloud providers are not off the hook when it comes to GDPR enforcement.

"Right to be Forgotten"

Individuals can request the erasure of their personal data without undue delay by the data controller in certain situations, for example where consent has been withdrawn and no other legal ground for processing applies.

This topic has attracted a huge amount of interest, particularly following the CJEU decision in the Google vs. Spain case.

Alongside this obligation is one to take reasonable steps to inform third parties that the data subject has requested the erasure of any links to, or copies of, that data.

Outside of the EU

The law applies to your company if it markets goods or services in the EU zone. If you don’t have a formal presence in the EU zone but collect and store the personal data of EU citizens, GDPR still applies; this extra-territoriality requirement is especially relevant to ecommerce companies.

Is GDPR still required now that Brexit may happen?

If Article 50 is triggered in July 2016 and the UK exits in July 2018, GDPR will apply from May 2018. Also, the UK was instrumental in writing and strengthening the GDPR. To continue receiving personal data from EU member states, the UK would need to demonstrate to the European Commission that it provides an adequate level of protection through its domestic laws or international commitments.

Source: Absolute Strategy Research Ltd

As you can see from the chart above, with many of the options open to the UK, compliance with EU regulation is required in order to trade with Europe.  In my opinion, GDPR will be relevant to the UK, and will need to be in place with UK organisations holding data of EU citizens.

Adopting GDPR

I believe there are some steps that will need to be taken by all organisations that wish to comply with GDPR:
  • Locate the critical data for GDPR
  • Protect the data (and the applications that access it) through segmentation and/or encryption
    • If encryption is used, ensure the encryption keys are secured
  • Use strong access controls to servers holding the data, such as two factor authentication
  • Use DLP/Insider Threat technology to prevent data exfiltration
  • Monitor all exfiltration data channels, including web and email
  • Collate logs from the network, so they can be analysed
  • Secure domain and local administrator accounts
  • Penetration test the environment

Final Thoughts

GDPR goes live in May 2018, which means there are two budget cycles left to get the education, processes, workflow and technology in place. One of those budget cycles is underway already, so if GDPR planning hasn't begun, start it now, so you'll be ready for next year's budget.

Thursday, 7 July 2016

Euro 2016 breaches [Link - Professional Security Magazine Online]

I was asked some questions around breaches due to Euro 2016 mobile applications by Professional Security Magazine Online:


During the 2016 UEFA European Championships, the SmartWire Labs Team at Wandera has been analysing the mobile data traffic patterns across its enterprise customers in the European countries that make up this year’s tournament. Wandera said that during the research period, the number of data leaks observed increased. The IT firm predicted this number will continue to rise as the tournament goes on as a result of more people travelling across Europe and using unfamiliar apps and websites to access match information. The company suggested that data leaks will peak in late June towards the end of Euro 2016, before going back to normal levels in late July.
The firm summed up that the increased data usage for the beginning of Euro 2016 was no surprise to anyone. The risks associated with this increase in traffic have implications. With more people travelling across Europe, using unfamiliar websites and apps, as well as the discovery that the official UEFA app is leaking data could all lead to serious security breaches with thousands of fans’ data being put at risk, according to the firm.

Andrew Tang, Service Director, Security at MTI Technology, spoke of two ways organisations can protect corporate data. The first is through a fleet of corporate devices, which can control what apps are installed and which websites can be visited. However, with fleets of devices becoming old-fashioned and bring your own device (BYOD) policies ever more common in the workplace, controlling what an employee uses their device for, has become more complex. Enterprise Mobility Management (EMM) platforms are key to protecting corporate data. By separating company information from the rest of the phone; including apps, emails and documents; employers can ensure that a ‘wall’ is created around sensitive information and as a result, can prevent infection from compromising data.

Can organisations prevent downloading of apps that leak data?
With a fleet of managed devices, this is less of a problem as companies can place restrictions on what apps can be downloaded. With BYOD however, employees can be free to download what they want to. Through an EMM platform, businesses can create a corporate app store that restricts what employees can use through the platform. This allows IT departments to restrict access to certain apps on Google Play or the Apple Store, ensuring that only approved apps are used to access corporate information, while still allowing employees to download whatever they wish to use on their device.

What are the best practices for protecting infrastructure during major sports events?
Public Wi-Fi is a particular threat when it comes to malware penetrating a mobile device. Open, password free Wi-Fi connections are not encrypted, which means that they are easy targets for hackers. For example, the WiFi Pineapple makes man-in-the-middle attacks easy. In this type of attack, a hacker sits in between the device and the Wi-Fi it is connected to in order to take information away from the device. This is especially dangerous in foreign countries as some users try to make the most of avoiding having to pay roaming charges through free Wi-Fi. Education is key here. By informing employees of the dangers free and open Wi-Fi connections can pose, organisations can hopefully mitigate some of the threat. However, this is far from foolproof.

Tuesday, 5 July 2016

The scourge of social engineering [Link- SC Magazine]

I was asked to write a piece on Social Engineering for SC Magazine.  It's in a section called "Last Word" and as it's the last print copy before it moves to digital only, I literally have the last word in SC Magazine!


Today, social media platforms are no longer just a forum for online chat but an important everyday work and communication tool. Facebook alone has more than a billion users, while social media business platform LinkedIn has more than 400 million users.

Going after the big guns

A well-publicised incident was a three-year social engineering campaign carried out by Iranians. It targeted US military officials, diplomatic and congressional staff, and defence contractors in the country and abroad.

The Iranian spies used Facebook, LinkedIn, Twitter and Google+ to carry out a sophisticated attack. They developed fake social media personas and posed as recruiters from major international companies including Northrop Grumman and General Motors. The targets were largely in telecom, government and defence industries.

When a connection was established, emails were sent to victims with malware hidden in links and attachments. The aim was to get the target to download malware onto their computers, which would give the hackers access to highly sensitive information. The striking thing about this social engineering-based attack was its scope and sophistication. It's certainly not an isolated event; for some cyber-criminals it's a career path.

You don't need state resources or an encyclopaedic knowledge of psychology and social media surfing habits. You don't even need to be well-versed in the dark arts of black hat coding. All you need is a bit of patience to trawl the web and the knowledge that too many people put far more information online than is necessary.

It doesn't take much to create a complete profile including place of work, employment history, address, age, family, likes, dislikes, bank, shopping, recent purchases, family members, their locations and so on.

All information to create a complete profile can be gleaned within a few hours. There are even open source tools designed to help trawl social media platforms and scoop up as much information about any one individual as possible.

This information can be used for targeted phishing attacks at a place of work or brute force password attacks on a company's network. Personal information is gathered on the ‘target' from social media and a phishing email is sent to their place of work.

Malware-laden messages

A phishing email is usually mocked up to look as though it's from an organisation the target has recently dealt with. For instance, the victim may have posted something about his or her brand new iPhone, so the hacker creates an email that purportedly comes from Apple with a message about the phone. A link in the email is clicked by the ‘target’ and malware is downloaded into the retailer's system. This provides the means for a hacker to steal the contents of a customer database.

This data is put up for sale on a deep net website that trades in credit card and identity information. The hacker is set to make hundreds of thousands of pounds for a task that in all likelihood took a few days to carry out.

A need to click

Organisations today are, by and large, aware of cyber-threats that come from malware such as trojans, viruses and to some extent, ransomware. However, many haven't yet fully grasped the implications of social engineering with people freely giving away information and casually downloading files from the Internet. As a result, education and awareness programmes for employees can make a significant difference.

At the very least, education programmes will hammer home the point that there are cyber-criminals circling corporate firewalls who are only too keen to get into the network.

Education will make employees aware of sophisticated phishing techniques and how sharing too much of their personal information on a social media platform could well provide the starting point for a crippling network attack.

It can also tighten employees' personal practice, so that they don't post workplace information or inadvertently reveal pathways to the corporate crown jewels.

Saturday, 25 June 2016

Is the character password finally dead? [Link - IT ProPortal]

I was asked to write an article about passwords as organisations were looking to use more secure passwords, for IT ProPortal:


Passwords have been an essential part of our lives for a long time now, ensuring all our personal details are locked safely away from prying eyes. But, as recent hacks such as Mark Zuckerberg’s social media accounts have shown us, they are not infallible or, in some cases, even that secure.

The Facebook founder’s hack is an interesting case study of the dangers simple passwords pose, especially for high-profile individuals. While numerous, complicated passwords are difficult to remember, a simplified password used across multiple platforms leaves them very vulnerable to being hacked.

So Mr Zuckerberg might just welcome Google’s recent announcement that it is developing a new log-in method for smartphones. Called the Trust API, this latest security method could see the typical character based password rendered obsolete and replaced by an algorithm that learns a user’s behaviour.

No more characters

This is a massive step forward for online security, replacing passwords with a ‘trust-based’ system that monitors the way a user typically uses a smartphone.

According to Google, it checks personal indicators such as how you type and swipe as well as your location to continually monitor that it is definitely you holding and using the device, which makes it much harder to break into a lost or stolen phone.

Behavioural technologies such as this have been in development for some time and are already used in sectors that handle extremely sensitive materials, such as the financial services industry. The unique activities of a user – such as keyboard typing patterns – are mapped out by the system and then matched every time that user tries to access data, before entry is allowed.

While this is a fantastic move towards ensuring we do not fall victim to hacks and keep confidential materials behind closed doors, it raises questions about emergency access.

Behavioural monitoring can be quite tricky for the user, especially as people’s usual habits change in times of high stress, such as in an emergency situation, which could result in users being locked out of devices at the moment they desperately need to get in.

The acceptance of Google’s Trust API will most likely be dependent on finding a way to solve this issue without compromising security.

Faster, cheaper…secure?

A strong standard password is supposed to have at least 10 characters, made up of upper and lower case letters alongside numbers and symbols. Admin passwords are often even more complex.

With technology advancing at such a rate while simultaneously becoming cheaper, hackers can now harness more processors to crack even the toughest passwords.

This is why a two-factor authentication process is so important. By backing up a standard character or pattern-based password with a unique, personal form of identification, it becomes more difficult to be hacked.

This will be fundamental for admin systems, as once they are cracked open, hackers are free to take anything from a company’s electronic safe, including all the sensitive information stored there.

As the most frequently exploited attack surface, passwords assigned to local administrators should be the top priority for introducing a two-tiered security system.

Fight for your (admin) rights

Currently, introducing a password-based policy enforces something known as the principle of least privilege. Essentially, this gives a user account only those privileges which are essential to its work.

This makes access to information dependent on fallible, character based passwords. Instead, businesses should introduce privilege control at the server and application level, which will enable IT departments to manage and control which applications run on endpoints and servers to prevent malicious applications from penetrating the system.

This is a very effective way to address the problem of password cracking, providing deeper defences against administrator hacks.

So while Google’s Trust API is only designed for smartphones at the moment, this could be the first step in wider usage, especially for enterprises, which are the most likely targets.

Future perfect?

While this technology certainly ensures greater security, it isn’t the silver bullet needed for a perfect IT security system. For example, while it prevents strangers hacking a network, people are still able to download a virus or transfer files outside the proper channels.

Due to the influence and involvement of Google, a tech giant with huge prestige, it’s likely people in the near future will come to see behavioural monitoring as the new normal, and businesses will have to take up the practice as the trend proliferates, or be left behind.

Maybe Facebook will be one of the early adopters?