Security Updates April 2019


Hi again Paul and welcome to our latest ‘Essential IT Security Updates’ newsletter: essential reading for IT security and data protection leaders like you who want to stay ahead of developments and news in this ever-changing sector. Feel free to use this content in your marketing or simply to keep abreast for yourself and your team.

The latest news from the sector finds the ICO fining companies big sums of money for spamming and falling foul of data privacy rules, Huawei branded a big risk (but how big a risk for your business?), how ethical hackers are helping UK universities improve their cyber resilience, and more …

ICO fines Pension Company £40,000 for sending out nearly 3 million Spam Emails

The Information Commissioner’s Office has successfully prosecuted Grove Pension Solutions Ltd, who were responsible for sending out 1,942,010 spam emails, all of which promoted their core pension services. What was unusual, however, was the detail of the outcome: Grove Pension Solutions had in fact engaged a privacy consultant and lawyers before embarking on this marketing campaign.

The ICO argued the case was unusual but the fine proportional:

“Spam email uses people’s personal data unlawfully, filling up their inboxes and promoting products and services which they don’t necessarily want.

We acknowledge that Grove Pension Solutions Ltd took steps to check that their marketing activity was within the law, but received misleading advice. However, ultimately, they are responsible for ensuring they comply with the law and they were in breach of it. 

The ICO is here to provide businesses with guidance about electronic marketing and data protection, free of charge. The company could have contacted us and avoided this fine.”

The moral of the story – make sure your marketing campaign is kosher by approaching specialist data protection lawyers and marketing professionals, and also reach out to the ICO, who provide advice and support to marketers looking to use direct mail marketing systems legally!

Newham Council Fined £145,000 After Gangs Database Was Wrongly Distributed via Email

The ICO has fined Newham Council in London a massive £145,000 after the council emailed 44 recipients (both internal and external stakeholders) an unredacted copy of the Metropolitan Police Service’s updated Gangs Matrix database. The database held names, addresses, ages, alleged gang allegiances and criminal convictions.

The wider publication of this database was followed by an upsurge of criminal gang activity in Newham, with people on the database directly targeted. However, this upturn cannot be argued to be causally connected to the data breach.

The ICO states:

“We recognise there is a national concern about violent gang crime and the importance of tackling it. We also recognise the challenges of public authorities in doing this. Appropriate sharing of information has its part to play in this challenge but it must be done lawfully and safely.

Our investigation concluded that it was unnecessary, unfair and excessive for Newham Council to have shared the unredacted database with a large number of people and organisations, when a redacted version was readily available. The risks associated with such a transfer of sensitive information should have been obvious.

This is a reminder for organisations handling and sharing sensitive information to make sure they have suitable processes, training and governance in place to ensure they meet their accountability obligations.

Data protection is not a barrier for information sharing but it needs to be compliant with the law. One of the ways in doing this is by conducting data protection assessments. We have a data sharing code which provides guidance on how to share data safely and proportionately, and we will soon be publishing an updated code.”

The main problem with the breach wasn’t the distribution itself but the glaring lack of data protection frameworks – sharing agreements, policies and guidance notices – to help staff understand their responsibilities. If you’d like to know more about data protection and your rights as a business, why not visit this useful service created by the ICO?

Huawei Technology a “Long-term Security Risk” says GCHQ

Huawei, the mobile telephony and electronics conglomerate, has been branded a “long-term security risk” by the National Cyber Security Centre – which is part of the Government’s listening spy agency GCHQ.

The report highlights the troubling issues surrounding Huawei as a tech vendor. As the Government and business more widely start to ramp up 5G infrastructure, Huawei is a major player worldwide. However, with Canada, New Zealand and the US banning Huawei from critical 5G infrastructure, this latest report from a ‘Five Eyes’ nation highlights the problematic nature of Huawei as a vendor of choice for governments worldwide.

According to the report:

“The Oversight Board advises that it will be difficult to appropriately risk manage future products in the context of UK deployments, until Huawei’s software engineering and cyber security processes are remediated. The Oversight Board currently has not seen anything to give it confidence in Huawei’s ability to bring about change via its transformation programme and will require sustained evidence of better software engineering and cyber security quality verified by HCSEC and NCSC.”

This latest development will frustrate 5G roll-out in the UK in terms of infrastructure, but Huawei’s overarching trust issues could impact business expenditure on a range of Huawei electronic devices from smart phones to laptops and the security implications therein.

UK Universities Fail Cyber Security Test

A test performed by so-called ‘ethical hackers’ in partnership with the Higher Education Policy Institute found that the hackers could get through the cyber-defences of 50 major universities – and considering the sector saw 1,000 major cyber-attacks in 2017/18, this ability to access highly valuable information was shocking.

According to the report’s authors, HEPI and Jisc, the hacking team got through the cyber defences of all 50 universities’ infrastructure, a 100% success rate, and managed to access sensitive information. This “penetration testing” exercise saw top universities hit simultaneously and in waves in order to test their on-going cyber security readiness.


How the Latest Grindr App Security Breach Could Cause Problems for Your BYOD Policies

Keeping your organisation safe and secure as the growing cyber threat looms large is a 24/7 job for senior IT leadership in the UK’s business landscape. Now comes the news that the LGBTQ dating app Grindr has been identified as a data breach risk – thanks to its Chinese corporate parentage. The growing ownership of popular apps by companies from China, Russia and other state-dominated nations could pose a cyber risk to your business.

If you offer your staff a Bring Your Own Device experience for smartphones, you could open your business up to indirect risks like the one outlined by the Committee on Foreign Affairs in the United States.

Your IT leadership needs to implement stringent policies that take account of users’ app usage whilst firewalling your business content from this risk. The main point of contention will be deciding which apps are allowed and which are banned. This useful app by CIO Magazine can help SMEs construct BYOD policies that protect them from major app data breach scandals.

Until next time … get in touch here: https://mklink.co.uk/contact/
and/or leave a review here: http://mkapps.co.uk/feedback/?u=mklink

If you’ve not registered to come to our IT Support owner get-together on 14th May, you can register here: https://mklink.co.uk/meetup/
