The things you say

Write to: Professional Security Magazine, Westcroft, Cannock Road, Wolverhampton WV10 8QW. Phone: 01922 415233. Email: info@professionalsecurity.co.uk. Web: www.professionalsecurity.co.uk

PROFESSIONAL SECURITY, SEPTEMBER 2017, page 82

More carrot please

The NIS Directive (page 56) is welcomed, but could be a little too much of the stick and not enough of the carrot, it’s suggested. By focusing on the severity of the fines, we lose sight of the fact that there are better reasons than fines to have a comprehensive cybersecurity policy in place. Cyber-crime can have devastating effects on both individuals and businesses, and having a strategy in place to keep your applications and data safe should be a priority for any business. A culture of preventative cyber-security measures should be fostered to protect the businesses and remove the pipeline that cyber-crime creates for other criminal enterprises down the line.

Spencer Young, RVP EMEA, Imperva

Prudent perimeters

It is always prudent to take security seriously, even more so in times of rising crime. The latest figures reported by the ONS paint a worrying picture and should not be taken lightly. Taking the time to properly assess your overall security, including perimeters and access control, followed by taking the appropriate steps with quality security products, should eliminate any need for worry. With the use of security measures such as fencing and gates, people can be safe in the knowledge that they and their property are adequately protected.

Cris Francis, Head of Commercial Sales, Jacksons Fencing

Cyber rights

A new Data Protection Bill would grant unprecedented rights for consumers to force social media websites and online companies to delete their data and take back control of their personal information, says an IT security man. In combination with the incoming GDPR regulations being implemented by the European Union, there will be widespread changes in the coming years to the way organisations collect, store and process data.

It is important that the general public embraces this new freedom and recognises the value of personal data – not just to ourselves but to would-be cyber-criminals. New data protection laws are designed to make organisations more careful with our data, but regardless of this, it is important that we on an individual level know what information is being kept and how it’s being handled – which will also reduce the likelihood of it falling into the wrong hands. Being vigilant online – whether when using a work computer, home laptop, mobile or tablet device – should be second nature. Undertaking simple steps, like regularly changing passwords, reviewing default settings on social media and using anti-virus software across all devices, can significantly help protect data.

David Emm, Principal Security Researcher, Kaspersky Lab

Nowhere to hide

It’s important companies take a first step by assessing how GDPR-ready they are. From data inventory scans which locate the relevant data, to assessing maturity of data protection practices – the process needs to start now to ensure compliance. This legislation is about organisations taking responsibility in a digital age where data is the new currency. Whether private or public sector, every organisation must establish GDPR-compliant policies for processing personal data, including how they handle data erasure and rectification. GDPR readiness will oblige organisations to carry out thorough preparation, to set up the processes necessary for compliance, as well as supporting alignment of their systems and services with GDPR’s requirements. GDPR means there is nowhere to hide, and we expect data protection to become top of the c-suite agenda in the coming months.

Sarah Armstrong-Smith, Head of Continuity and Resilience, Fujitsu UK and Ireland

As the devastation caused by WannaCry and NotPetya has shown, cyber-attacks are evolving to reap maximum destruction by spreading as widely and fast as possible. The attack vectors being employed are not necessarily new or more sophisticated, for instance targeting vulnerable Windows XP operating systems. That’s why it’s important that the government is building on the European GDPR regulations for data protection to introduce greater liability for firms that do not adequately protect against cyberattacks. This, it hopes, will provide the incentive that some firms need to overhaul their cyber-security strategies and ensure they are completely protected against this new breed of hackers. However, while a fine will certainly provide an incentive, typical defence systems will not be as effective for our national infrastructure. The reality is that the lifecycle of our infrastructure systems is such that they are not going to be in sync with the rapid rate at which the IT industry discovers vulnerabilities and issues patches. As part of their defences, firms will need to ensure that they take steps to control and secure their network core, ensuring the ability to indicate unusual or potentially malicious activity not just at a device level, but also at a network level. Given the importance of our national infrastructure, it’s critical that we never compromise our core.

Dr Malcolm Murphy, Technology Director for Western Europe, Infoblox

While a lot of questions remain around how some of these proposals will work in practice, this Statement of Intent’s focus (page 16) on creating more consumer trust in the data economy is very welcome. This trust must ultimately come from consumers feeling that they control who has access to their information. This will develop as consumer understanding of the value of data increases. The public’s current level of understanding over who has access to their data, and what it is being used for, is generally low, with many people largely unaware how much of their personal information they are giving away each time they use online products or services. Many of the proposed new measures, such as the need for explicit consent to be gained from the consumer, and the expanded ‘right to be forgotten’, will help to raise the public level of understanding, and are therefore a welcome step. An informed public discussion over many of the subjects in the upcoming Bill is timely and welcome. So much could be achieved with the effective sharing of data – from improved consumer services to advances in medical treatments – but this can only happen when individuals understand both the risks and benefits of sharing their data. Armed with that information, they can make an informed choice over their own data enough that they are willing to consciously share it. Clearly, an environment in which an informed public can consciously and happily choose to share their information with government and organisations in exchange for improved services or products would be beneficial for society as a whole.

James Davies, Personal data policy manager at BCS, the Chartered Institute for IT

Businesses will need to track and trace each piece of potentially sensitive data, and determine how it is processed across their entire information supply chain – from their CRM and HR systems to their data lakes. Compliance with the new proposals will also depend on the organisation’s data agility, as it mandates transparent communication with data subjects on their personal data and grants those subjects rights for data access.

Patrick Booth, VP UK and Ireland, Talend

In general, legislation of this type sounds great at the surface, but the ‘devil is in the detail’. What does it mean to take steps to prevent a cyber-induced stoppage in service? Does it include specific technologies like multi-factor authentication and privileged management but not access governance? Is access governance part of the base capabilities an organisation should enact? It should be noted that the UK Government is holding workshops with operators so they can provide feedback on the proposal. Ideally this type of communication will remove the devil as the details are defined.

Bill Evans, One Identity

Protecting people’s data seems to be one of the hardest jobs for some companies to do. It’s always difficult to put measures in place for something that may or may not happen, and in some cases it may have been cheaper to deal with the fines of data breaches than actually paying to protect against it. These fines are huge and definitely overdue, but let’s put this in perspective – the fines are not necessarily for being breached, but for not doing enough to protect your users’ data. The new measures will also protect you as a user from having your data sold or used for other purposes that were not initially stated when your details were taken, something that happens so often. Encryption will be a big part of protecting our data. Although it won’t protect you if an authenticated user is compromised, it will protect against such failures as USBs, laptops or DVDs left on trains, lost in the post or just lying around for anyone to view.

Mark James, Security Specialist, ESET