Tag Archives: GDPR

Open source intelligence experts launch DarkInvader: continuous dark web monitoring provides early warning of data breaches

The team behind award-winning cyber security consultancy, Pentest People, have launched a new business that provides organisations with early warning of data breaches. DarkInvader continuously trawls the dark web and hacker forums for caches of stolen data associated with a user’s organisation, so that they can respond to incidents more quickly and prevent further damage. DarkInvader was co-founded by serial entrepreneurs, Andrew Mason and Robin Hill, along with technical director, Gavin Watson and sales director, Anthony Harvey, who has already won a number of public sector contracts for the new company.

Under GDPR, organisations are legally bound to inform the Information Commissioner’s Office (ICO) within 72 hours of a data breach and alert affected customers. However, stealthy hackers often lurk on networks for long periods, increasing their access privileges, while organisations are unaware that their systems have been penetrated.

DarkInvader’s software automatically scans hundreds of thousands of illicit online marketplaces and millions of dark web pages to identify key pieces of information that indicate that an organisation’s stores of payment card data, passport numbers, healthcare records and other sensitive personally identifiable data have been compromised.

To bolster the automated searches, the company’s cyber security researchers also manually monitor hacker forums for conversations indicating new exploits. This blended approach, combining the best dark web scanning automation with human research and open source intelligence gathering, helps organisations to act more quickly to prevent leaked credentials being used to log into critical systems and cause further damage, or steal customers’ data.

When a breach is confirmed, DarkInvader provides the affected organisation with a risk report on the severity, along with remediation advice to help the company to identify and block the source of the leak to prevent escalation.

DarkInvader co-founder, Andrew Mason, said, “Organisations often don’t realise they’ve been hacked until we tell them that their data is being offered for sale on forums and secret websites that are not easily accessible to the general public. Our combination of technology and human research allows us to identify threats earlier than standard dark web automation tools.”

DarkInvader provides a full monitoring and consultancy service to organisations that do not have their own in-house security experts. Larger organisations with their own cyber security teams can also sign up to receive DarkInvader alerts allowing them to assess the veracity and severity of suspected data leaks to prevent leaked data being used to attack critical systems.

“Even with robust cyber defences in place, a brand new web vulnerability, an unpatched server, or a misconfigured device can create a small chink in an organisation’s armour that gets exploited by determined hackers. Like a river pollution alarm alerting a factory that it’s leaking chemicals, if company records are found on the dark web this cannot be ignored,” says technical director, Gavin Watson. “DarkInvader provides the last line of defence.”

DarkInvader is the third company co-founded by Anthony Harvey and Gavin Watson and the sixth business launched by Andrew Mason and Robin Hill who employ more than a hundred and fifty people in Leeds and Cheltenham. Their fast-growth companies have well-established apprentice schemes and graduate recruitment programmes, with strong links to local schools and universities.

About DarkInvader:

DarkInvader provides automated dark web scans, backed by world-class research. The company was founded by the cybersecurity experts who founded Pentest People, Data Protection People, ShadowAPI, Rapidspike and cybersecurity consultancy, RandomStorm, which was acquired by Accumuli Security PLC in 2014.

DarkInvader’s Dark Web Monitoring Tool indexes hundreds of thousands of dark web sites using its recursive, depthless web crawler. Millions of dark web pages are indexed, while our experts use OSINT to perform manual searches and analyse hacker forums to spot new data breaches. Our combination of cutting-edge automation and expert cyber security researchers helps organisations to find leaked data faster.

DarkInvader provides RAG severity ratings for breaches, along with customised proactive preventative measures, helping organisations to respond to emerging threats quickly and efficiently to prevent breaches leading to critical incidents.

For more information, please visit https://www.darkinvader.io/

UK Greetings chooses Macro 4 to support HR’s switch to hybrid working

GDPR-compliant information management system will provide HR team with easy online access to hundreds of thousands of employee documents from home or office

Crawley, UK, March 1, 2022 – Major greetings cards publisher UK Greetings has selected Macro 4, a division of UNICOM® Global, to deploy a new GDPR-compliant online content store for its Human Resources department following a switch to hybrid working since the pandemic. The new system will deliver secure remote access to employee documents, helping HR to provide a responsive service to the company’s 2500-strong workforce from any location.

By replacing its existing manual paper-based filing system, the card publisher, whose cards are available in major UK supermarkets and independent retailers, plans to realize HR efficiencies and time savings while enhancing GDPR compliance and reducing its paper and printing costs. Reducing the use of paper will also support the company’s sustainability goals.

UK Greetings, one of the largest direct to retail publishers of greeting cards and social expression products in the UK, has a loyal workforce including many long-serving employees. As a result, the company has thousands of personnel documents which it needs to keep securely stored and accessible, covering a wide variety of information relating to the employment relationship.

The decision to move away from paper was made when the HR team started working from home during the pandemic, explained Laura Roderick, HR Manager at UK Greetings:

“With all our documents kept in filing cabinets in the office, we were unable to access the employee records we needed to work effectively. Even before this, however, we were planning to go digital eventually as we knew all the printing and filing we were doing was not the best use of our time. COVID-19 just gave us an additional incentive.”

Macro 4 will use its Columbus enterprise information management software to create an online content store for UK Greetings’ employee information. Existing paper documents will be scanned into the system, while new documents will be captured digitally. All information will be held together in individual employee files.

The solution will use encryption and role-based access to protect employee information and ensure only authorized staff can access it. Information lifecycle rules will be applied to make sure information is deleted when required under the GDPR.

As a trusted supplier which had already implemented an information management solution for the UK Greetings finance department, Macro 4 was recommended to the HR department by the company’s IS team.

“In HR we need the right information at our fingertips to support our customers – the UK Greetings employees – as well as helping us to work efficiently and effectively whether we’re at home or in the office. We’re confident that this is what the Macro 4 system will deliver,” said Laura Roderick.

Guy Lloyd: The ugly truth – the real cost of cyber breaches to SMEs

Cyber security preparedness is more than a nice-to-have; an SME’s survival can depend on it. Guy Lloyd at CySure explains why.

Small and medium-sized enterprises (SMEs) rarely trigger national headlines for breaches in data security and compliance, not because they aren’t a target but because the monetary impact is small compared to the big corporations. However, breaches are all too common, and while the cost of cyber breaches to SMEs, including the impact to business operations, remediation work and resultant fines, may not run into millions, it can do untold damage. SMEs are agile and lean in their business operations, and so unbudgeted costs can severely impact finances.

Such is the concern about the UK economy’s resilience to cyber attacks that the UK Government recently commissioned a study[i] to analyse the cost of cyber breaches. It found that organisations are being hampered from managing and mitigating cyber risks by a lack of transparency, awareness and understanding of the costs. UK businesses tend to overlook indirect and long-term costs when assessing the impact of a cyber breach. This leaves organisations woefully unprepared for the financial impact, which, in the most extreme cases, can spell an end to the business. SMEs in particular are most likely to underestimate the costly impact from non-compliance with cyber security breach-related laws and regulations, therefore leaving them unprepared for any potential fines.

Bumper year for cyber crime

The Coronavirus pandemic has provided cyber criminals with a fertile ground to execute scams and reap a bounty of riches. Attacks designed to steal valuable company and customer information have skyrocketed in 2020. Interpol[ii] reported that in a four-month period some 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs, all related to COVID-19 were detected. With many of us working/schooling from home, our concentration levels have been tested to the max. When under pressure and distracted it is easy to click on a phishing email or unknowingly visit a scam website. The rush to remote working has opened up opportunities for hackers and any company with lax security measures makes easy pickings.

Work smarter, not harder

In today’s GDPR world no company can afford to be naïve or negligent about regulatory compliance. Cyber Essentials is the UK Government-backed scheme that aims to help organisations protect themselves against common cyber threats. It offers organisations a way to demonstrate to customers and suppliers a commitment towards cyber security and data protection by achieving an accredited and registered certification standard. It lays the foundation for developing policies and procedures to mitigate threats that can impact business operations.

Getting started can seem daunting but achieving certification doesn’t have to be. Using an online compliance risk management system that incorporates GDPR and Cyber Essentials Plus is a simple and cost-effective way to achieve certification. SMEs should look for a solution that can guide them through a gap analysis to highlight the business areas to focus on.

Cyber security doesn’t need to be complex, costly or confusing. A low cost, simple set of actions as defined in Cyber Essentials can go a long way to protect against common attacks.

Preparedness in uncertain times

Business confidence comes from understanding the risks involved and the knowledge that should the worst happen it is possible to keep calm and carry on. Being certified with a creditable scheme delivers the assurance that SMEs can demonstrate their commitment and attention to bolstering cyber defences.

Uncertain times can hit when we least expect, but the benefit of certification with help from an information security management system (ISMS) is knowing your business is prepared. Now more than ever we should be celebrating business resilience and preparedness.


[i] Analysis of the full cost of cyber security breaches Report
[ii] Interpol report shows alarming rate of cyberattacks during COVID-19

Law firm warns of post-Brexit GDPR impact

Conexus Law, the specialist advisory firm that provides legal and commercial advice to clients who work in sectors where the built environment, technology, engineering and people converge, is urging companies to prepare for the strong possibility that the EU will fail to agree that the UK has an “adequate data protection regime” after the transition period at the end of the year. This will mean that businesses will face barriers transferring personal data to and from the UK to EU countries under GDPR. The warning comes on the back of the ruling by the European Court of Justice at the beginning of July that reversed the prior adequacy decision of the EU for the USA – rendering its Privacy Shield ineffective.

Ed Cooke, Founder at Conexus Law said: “The UK’s use of mass surveillance techniques, our Investigatory Powers Act, and our membership of the Five Eyes intelligence sharing community has raised particular concerns with the EU – especially in relation to the sharing of data with the US, and even more so given the recent Schrems II decision on the Privacy Shield scheme. What is clear is that once a decision has been made then companies will need to move quickly to ensure they are not severely impacted.”

Failure to reach an agreement would mean that companies will need to look at alternatives such as Standard Contractual Clauses and binding corporate rules. Ed reiterates that merely relying on consent is not really an option for most businesses.

“Each of these options has its challenges with consent generally viewed to be unworkable as it can be revoked at any time. Standard Contractual Clauses were upheld in the ECJ in its judgment on Privacy Shield, but the judges did cast some doubt on whether or not these offer suitable protection in all cases without businesses adopting further practical measures such as encryption, to ensure the protection of personal data,” explains Ed.

Conexus Law is advising companies to start preparing now. Companies should already have a full audit of what personal data they collect and where it is stored and transferred to, including back-ups that may be held by cloud-based providers with datacentres all over the world. This audit needs to include all suppliers and partners that data is shared with. The next stage is to look at standard contractual clauses and decide whether further measures are required based on the specific data being transferred. If not, consideration should be given to additional methods such as encryption.

“It seems that an adequacy ruling under GDPR is being used as a BREXIT bargaining chip in relation to other unrelated diplomatic negotiations taking place. Unfortunately, businesses may end up bearing the brunt of this and I would highly recommend that they start to prepare now,” concludes Ed.

38% of SMBs believe that GDPR doesn’t apply to them

38% of small to medium-sized businesses (SMBs) believe that the GDPR does not apply to customer data they may come into contact with.

This is according to the Data & Marketing Association’s (DMA) ‘SMBs and GDPR’ report, created in partnership with Xynics, which investigated the impact of the GDPR on organisations with fewer than 250 employees.

In addition, a near-fifth of SMBs (18%) feel the impact of the GDPR has been negative, which is around four times the number seen in previous research of the entire data and marketing industry, including large organisations and multinationals, highlighting how these smaller organisations may be struggling with the new laws more than their larger counterparts.

“While most of the data and marketing industry has long been aware, understood and implemented the necessary strategies to be compliant with the GDPR, there is a concern about knowledge gaps and training made available to smaller and medium-sized businesses. Of greatest concern is that 38% of them appear to believe that the GDPR does not apply to customer data they may acquire and process,” said Tim Bond, Head of Insight at the DMA.

“SMBs form the bedrock of our economy and yet are the ones with the lowest knowledge and, therefore, the highest risk. We’ve been staggered by the increasing number of businesses, suppliers and partners that remain non-compliant with the GDPR,” stated Mike Kilby, Solutions Consultant & Data Protection Practitioner, Xynics Data Solutions Ltd. “Part of the problem is that although some businesses know they are having difficulties, the vast majority don’t know where to go for help.”

Overall, sentiment among SMBs about the new laws has been positive, whether that’s in relation to marketing programmes (54%), sales (49%) or internal processes (60%). In fact, the 57% of respondents who reported a generally positive impact on their business was even higher than the 44% we saw for all businesses in our ‘Data Privacy: An Industry Perspective 2019’ report (57%).

“Compliance is clearly an important issue when it comes to GDPR, but it’s also important to remember that the benefits of being diligent with data go far beyond that. This strategy already appears to be paying dividends for some, but the future success of our industry will be dependent on all organisations placing the needs of the customer front and centre,” added Bond.

To read more about the DMA’s new research, including the report, visit the DMA website: https://dma.org.uk/research/smbs-and-gdpr