FURNITURE and interiors business Arighi Bianchi has announced Sarah Bianchi as its new Managing Director, as the Cheshire-based retailer embarks on an ambitious phase of growth to cement itself as a national brand, challenging online furniture store stalwarts such as John Lewis, Made.com and Next.

With a heritage that dates back to 1854, Arighi Bianchi – famed for its iconic grade II listed building in the heart of Macclesfield – is one of the longest running family-owned furniture businesses in the UK.

The company sells a range of contemporary furniture and accessories for the home, as well as carpets, flooring, blinds, curtains and fitted kitchens through its Kitchenality concession.

The appointment of Sarah Bianchi comes as the retailer looks to significantly increase is national e-commerce presence following a complete website overhaul and renewed e-commerce strategy.

The business has also welcomed a fifth-generation member of the Bianchi family to its team to help spearhead this growth, as Lucy Mather joins as Head of Communications.

While the business had already experienced year-on-year digital sales growth since launching online in 2015, the closure of its store – the first time in its 167-year history – brought its ecommerce site to the fore. With a fleet of 30 liveried vans and lorries, the business was prepared for increased internet orders and rising demand from customers nationwide during the pandemic. As a result, 2020/21 saw a record year for online orders and this is now a firm focus area for growth as it aims to take market share from leading interiors brands. Last year the business turned over £18m.

Commenting on her appointment, Managing Director Sarah Bianchi says, “After a period of time in London working for City Corp and as Private Secretary to the Rt Hon Edward Heath MBE MP, I joined the family business aged just 23 and have since been responsible for running the carpet division, setting up the gift shop, HR, buying and now I’m taking the reins as Managing Director.

“It’s an extremely exciting time to be starting my new role, as we look forward to bolstering all areas of the business – from continuing to invest in our physical retail experience to expanding our online site and digital presence.

“It’s undoubtedly been a challenging time for our Macclesfield store due to the lockdowns, in fact it was the first time ever that we had to close our doors for this length of time – we didn’t even close during the war! But having already firmly established our online presence prior to the pandemic we have managed to continue to trade well and, in fact, we’ve had a record year online.

“One of my priorities as Managing Director is to build our national brand. We’ve already made some great progress here attracting a younger audience and gaining coverage for our online products in national home interest media. As such an established business in the North West, we’re extremely well known among the older generations – but we want to communicate the breadth of our offer and showcase the contemporary furniture and accessories we stock that appeal to fashion conscious buyers.

“We are very active on social media and are continuing to invest in our digital services. Most recently we launched an online sofa design visualisation tool and offer video design consultations, Live Chat and an exceptional e-commerce experience.

Written By Anthony Perridge

Cyber threat intelligence is now being used by organisations of all sizes across industries and geographies. In fact, 85% of respondents to the 2021 SANS Cyber Threat Intelligence (CTI) Survey report they are producing or consuming intelligence with the remaining 15% planning to. More notably, for the first time the number of respondents without plans to consume or produce intelligence was 0%, down from 5.5% in 2020. But there is still much work to be done. A case in point, months after the SolarWinds Orion security breach, 63% of organisations surveyed remain highly concerned, 60% of those directly impacted are still trying to determine if they were breached, and 16% of organisations are still wondering if they were even impacted. Few organisations have matured their security operations (SecOps) to the point where they have integrated a complete CTI practice.

At ThreatQuotient, our mission is to advise and support our customers as they plan to enhance their SecOps by integrating a CTI practice at the core. Having worked on these projects for the past several years, we’ve seen that many of our customers rely on Managed Security Service Providers (MSSPs) or Managed Detection and Response (MDR) for the detection component of their SecOps, setting up processes and serving as tier-1 and tier-2 SOC analysts. These SOC contracts are generally signed for a minimum three-year period with the SOC service definitions and associated SLAs remaining fairly static during this period. While these contracts may specify the need for continuous enhancement, it can be extremely difficult to make significant changes and update SLAs once the contract is in place.

This limitation has become even more problematic given the year of dramatic disruption every customer has experienced. Almost 20% of respondents told SANS that the pandemic has changed how they use threat intelligence due to a rise in phishing and ransomware attacks and work-from-home threats. Moreover, the recent rise of worldwide supply chain attacks has been a real game changer for defenders. However, strategic shifts to mature your SecOps and evolve your use of threat intelligence by implementing a CTI practice are difficult to achieve if you’re outside a contract renewal window. That’s why it’s critical for customers to think ahead about their SecOps maturity needs and work with their MSSP/MDR at contract renewal or during the RFP process to synchronise SecOps process evolutions. It’s the only way to ensure you’ll be able to onboard a CTI platform when you’re ready and gain the benefit of threat intelligence sharing, orchestration and collaboration.

Based on our experience helping customers navigate this situation, here are some of the keys to global project success when leveraging a SOC MSSP/MDR contract process.

Don’t let the window close: The time is now to move from being reactive to anticipatory

Disruptions are a fact of life, and threat actors will continue to take advantage of them. A CTI platform allows you to take a proactive, and even anticipatory, approach to security operations by profiling not only the attack, but attackers who rapidly change their tools, techniques and procedures (TTPs) to evade defensive technologies. With intelligence-based workflows, security operators can then use these insights into adversaries and how they are evolving to enrich internal surveillance, focusing on high priority and relevant threats and minimising alerts that are just noise or are false positives. Security teams can strengthen defenses by automatically sending relevant threat intelligence directly to the sensor grid, SIEM, logs, and ticketing systems, to proactively protect the organisation from future threats. In such a set-up, the customer SecOps teams can create detection policies in real-time and actively collaborate with the MSSP/MDR to perform crisis management when a new, massive threat appears.

CTI serves and is fed by all four functions of your SecOps

Security operations typically consist of four main functions: the defense team, risk management, the SOC for detection, and the incident response team (Figure 1). With a CTI platform, you can leverage threat intelligence across these functions to better understand your adversaries and their tactics, techniques and procedures (TTPs) so you can strengthen defenses, mitigate risk, and accelerate detection and response in a homogeneous and efficient way. As tools and teams in each of these four areas gather additional threat data, learnings and observations, they can feed that information into your CTI platform to create an organizational memory. Intelligence is automatically reevaluated and reprioritised based on this new information, so the CTI practice continues to improve by leveraging trusted and timely information that helps accelerate the right actions and allows real threat data-driven orchestration across all SecOps tools.

A CTI practice requires some modifications to all four functions, including the SOC MSSP/MDR contract

When you introduce a CTI practice into the core of your security operations (Figure 2), every function must adapt to work with a CTI platform in order to benefit from collaboration and communication (SIEM, SOAR, EDR, etc.). Some service providers are able to accelerate the process because they offer a CTI capability as part of their practice. For others, a bit more work needs to be done to their processes and SLAs to ensure successful onboarding of a CTI platform. In either case, modifications are simpler and faster when initiated at contract time. Otherwise, you risk missing out on the full value a CTI practice can bring to your business.

The CTI practice can be activated when you are ready

If you are working with an MSSP/MDR that already has a CTI practice offering, they can provide a CTI platform for your environment and over time transfer the skills to run the CTI practice to your team. Should you decide to have the service provider continue to run the CTI practice for you, the threat memory is yours and remains on your site for reuse to continue to improve prevention, blocking and global analytics. This is the implementation model we have seen the most in the past 12 months, but it’s early days and service providers are working together with their customer SecOps teams to optimise the path forward. If the MSSP/MDR doesn’t have a CTI practice offering (unlikely nowadays), look for a CTI platform that leverages a flexible data model and supports open intelligence sharing standards to ensure efficient and effective connectivity and communication. The goal is to be “CTI practice ready”, even if you aren’t ready to activate the program right away.

The escalation of cyberattacks over the last few months has shown us there’s no time to waste in maturing your SecOps program. A reactive security posture, where you are in a cycle of detect and respond only, is not a viable option anymore. You need to make sure you’re leveraging threat intelligence throughout your security operations to understand your adversaries, strengthen defenses, and accelerate detection and response by turning your SecOps into an anticipatory program. When you work with your SOC MSSP/MDR at contract time, you remain in control of the timeline and aren’t forced to wait another three years for the next contract negotiation cycle to gain the full value of a CTI practice and platform.

Written by Adam Strange, Global Marketing Director at Titus, by HelpSystems 

As more and more social and economic activities move online, the importance of privacy and data protection is becoming increasingly recognised. Of equal concern is the collection, use and sharing of personal information with third parties without notice or consent of consumers. In fact, I read recently on the UNCTGAD site that 128 out of 194 countries have put in place legislation to secure the protection of data and privacy. 

Whilst the U.S. has been lagging behind other countries in terms of implementing national legislation, the picture is now beginning to take a different path at state level as legislative bodies introduce regulations.  Some states such as California, Vermont, New York and Ohio have introduced data protection legislation in some form, Alabama has its Data Breach Notification Act and as recently as last month Colorado passed its new data privacy bill, giving residents the right to stop companies from collecting their data in the future.  There is now a significant movement towards safeguarding data privacy and increasing data protection state by state.   

We are now seeing moves from the U.S. Federal government as well.  In May, President Biden published his Executive Order on improving the nation’s cybersecurity as a whole, showing how the thought process has stepped up a notch. 

The reason for this is obvious. You don’t have to cast your mind too far back to be able to cite high profile cases in the press which showed us how important strong data protection rules are for society, including the very functioning of the democratic process. 

These and other developments have shown that the protection of privacy, as a fundamental individual right, but also as an economic necessity, is crucial. Without consumers’ trust in the way their data is handled, our data-driven economies will not thrive. 

As a practitioner working in the field of data security, I’m pleased to see data privacy and protection laws becoming more commonplace across the U.S.. Data protection is the “one constant” that must be maintained across all environments. Organisations hold and are responsible for safeguarding vast amounts of data and this data must be appropriately protected, irrespective of its type or location. 

With personal data protection and privacy law rapidly evolving in the United States, and without principal legislation that governs data protection at the federal level in the U.S. as yet, one could be forgiven for wondering which regulations are most critical to be aware of. With that in mind, let us take a whistle-stop tour of some of the important and forthcoming laws you need to be aware of: 

General Data Protection Regulation (GDPR) 

Though of course not a U.S. piece of legislation, but a critical one to conform to if, as a U.S. company, you transact with the EU or the UK.   

The most important data protection legislation enacted to date is the General Data Protection Regulation (GDPR). It governs the collection, use, transmission, and security of data collected from residents of any of the member countries of the European Union. The law applies to all EU residents, regardless of the location of the entity that collects the personal data. Fines of up to € 20 million or 4% of total global turnover may be imposed on organisations that fail to comply with the GDPR. 

GDPR’s seven principles are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. Some important requirements of GDPR include: 

• Though GDPR was established in the EU, it applies to businesses all over the world. If your website collects the personal information of someone from one of the EU member states, then you’re required to comply. Otherwise, you could be faced with fines and penalties. 

• Data subjects must be allowed to give explicit, unambiguous consent before the collection of personal data. Personal data includes information collected through the use of cookies.

• Organisations are required to notify supervisory authorities and data subjects within 72 hours in the event of a data breach affecting users’ personal information in most cases.

• In a lot of cases the GDPR can require organisations to appoint a data protection officer (DPO). For example, businesses in the public body, those with large scale monitoring of individuals or processing large amounts of criminal data. This independent data protection expert is responsible for monitoring an organisation’s GDPR compliance, advising on its data protection obligations, and acting as a contact point for data subjects and the relevant supervisory authority. 

California Consumer Privacy Act (CCPA) 

 Though of course not a U.S. piece of legislation, GDPR is nevertheless a critical one to conform to if, as a U.S. company, you transact with the EU or the UK.   

 The most comprehensive state data privacy legislation to date is the California Consumer Privacy Act (CCPA). Signed into law on June 28, 2018, it went into effect on January 1, 2020. The CCPA is cross-sector legislation that introduces important definitions and broad individual consumer rights and imposes substantial duties on entities or persons that collect personal information about or from a California resident. These duties include informing data subjects when and how data is collected and giving them the ability to access, correct and delete such information. This notice must be disclosed in a privacy policy displayed on the website of the entity that collects the data. 

• The right to know about the personal information a business collects about them and how it is used and shared;
  
  
• The right to delete personal information collected from them (with some exceptions);

• The right to opt-out of the sale of their personal information; and

• The right to non-discrimination for exercising their CCPA rights. 

Virginia’s Consumer Data Protection Act (CDPA)  

 Virginia’s Consumer Data Protection Act (CDPA) was passed on March 2, 2021. It grants Virginia consumers rights over their data and requires companies covered by the law to comply with rules on the data they collect, how it’s treated and protected and with whom it’s shared. 

The law contains some similarities to the EU General Data Protection Regulation’s provisions and the California Consumer Privacy Act. It applies to entities that do business in Virginia or sell products and services targeted to Virginia residents. 

Colorado Privacy Act (CPA) 

In June 2021, Colorado became the third U.S. state to pass a privacy law. The Colorado Privacy Act grants Colorado residents rights over their data and places obligations on data controllers and processors. It contains some similarities to California’s two privacy laws, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), as well as Virginia’s recently passed Consumer Data Protection Act (CDPA). It even borrows some terms and ideas from the EU’s General Data Protection Regulation. 

While there are similarities, such as the opt-in requirement to obtain consent from consumers before collecting sensitive data, and the adoption of some privacy-by-design principles, the significant differences are in the details. 

The CPA applies to businesses that collect personal data from 100,000 Colorado residents or collect data from 25,000 Colorado residents and derive a portion of revenue from the sale of that data. 

 The CPA is scheduled to come into effect on July 1, 2023. 

New York SHIELD Act 

In July 2019, New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. This law amends New York’s existing data breach notification law and creates more data security requirements for companies that collect information on New York residents. As of March 2020, the law is fully enforceable. This law broadens the scope of consumer privacy and provides better protection for New York residents from data breaches of their personal information.  

Importance of privacy policies  

Any website should have a privacy policy that explains to its users what information is collected, how it is used, how it may be shared, and how it is secured. To be fully compliant with U.S. and EU data protection laws, all data subjects should have the opportunity to consent to the collection of personal information. While much information about users is voluntarily provided when they sign up for newsletters, complete forms, or send email requests, information gathered from third parties and through the use of cookies should also be disclosed, and users should be given the opportunity to consent to, block, or disable cookies. 

With the implementation of data privacy legislation continuing to sweep through countries globally, a list which now increasingly includes the U.S., awareness of the key tenets of the laws that relate to your organisation’s business practices are essential. Once you know how you are expected to protect consumer data, you can build a strategy around your people, processes and technology that ensures you comply with prevailing data privacy laws.  In so doing, you are safeguarding your customers against theft, loss, or misuse of their personal information, and also protecting your organisation from the risk of hefty penalties for non-compliance. 

Real-World Data Gathered from the Largest Study of a Digital Weight Management Program

WW International, Inc. has announced results which found that the effects of COVID-19 on members’ weight loss and wellness journeys were short-term. These results indicate that the scalable WW digital program is able to deliver success for members even in the context of the significant behavioral and environmental barriers and disruption to routines associated with COVID and other stressful life events. While prior survey data has suggested that COVID-19 created behavioral barriers for effective weight management, this is the first study to examine how the COVID-19 pandemic affects weight loss among those enrolled in a commercially available digital weight management program.

“As we emerge from the pandemic, these findings are incredibly relevant, because we know that life will always present its stressors and that can sometimes derail our focus on  health and wellness,” said WW Chief Scientific Officer Gary Foster, PhD. “These findings can give people comfort as they move forward, that no matter the context or what happens in life, the initial challenges can be short-lived and they can rely on our proven WW program to continue to guide them on a successful health, weight loss and wellness journey.”

The real-world analysis of 1.5 million WW digital members is the largest study of a digital weight management program. The study reviewed members’ initial weight loss and engagement during a 30-week enrollment period following the beginning of the 2020 pandemic (COVID cohort) and compared the data to members who joined during the same months in 2019 (Control cohort).

Study results showed:

• A slight decrease in weight loss among the COVID cohort during the first 7 weeks of when the pandemic struck with weight loss returning to pre-COVID levels thereafter.

• A slight decrease in food tracking among the COVID cohort, but only for the first 3 weeks with food tracking returning to pre-COVID levels thereafter.

• No differences in the self-monitoring of weight and activity at any time between 2 cohorts.

The decreases in weight loss and engagement were likely due to an initial shock to the system; the increase in stress and anxiety; and a disruption of healthy routines at the beginning of the pandemic. There was an observed mindful recalibration of members with a focus on developing healthy routines in a “new normal” after that initial, seven-week pandemic period.

All WW digital members can now follow the myWW+ program, which is WW’s most personalized program to date, offering a comprehensive approach to wellness. Through a deeply enriching, more interactive and personalized app experience, myWW+ offers members a plan that works best for them with a variety of tools designed to make weight loss easier. The program is rooted in WW’s scientifically proven approach to weight loss and nutrition and grounded in the SmartPoints® system and ZeroPoint™ foods. WW remains a category leader, having been ranked 11 years in a row as #1 “Best for Weight Loss” by health experts in U.S. News & World Report’s Best Diets rankings.

The results will be published in the September 2021 print issue of Obesity and are funded by WW International. An abstract of the study can be found on PubMed.

For more information about WW, visit www.ww.com.