Tag Archives: Horizon Scan Report

Organisations “need to do more” to ensure EU GDPR compliance

Organisations need to do more work to ensure compliance with the European Union’s General Data Protection Regulation (GDPR) which is due to come into force in May 2018. While organisations are largely aware of their upcoming obligations, levels of maturity to meet the new standards are low.

Overall, organisations are compliant with fewer than 40% of the principles laid out in the GDPR. DLA Piper’s Global Data Privacy Snapshot 2017 notes that some industries are progressing towards compliance better than others. The hospitality and banking sectors are ahead of the rest with 48% and 43% compliance respectively, compared to the average of around 37%. Healthcare and manufacturing are at the bottom end of the scale with 34% and 35% compliance.

Data breaches are already the second greatest concern for business continuity professionals, according to the latest Horizon Scan Report published by the Business Continuity Institute. Unless organisations are compliant by the time the GDPR comes into force, a breach could become even more disruptive.

Patrick Van Eecke, partner and global co-chair of DLA Piper’s Data Protection practice, said: “The responses show that many organisations still have work to do on their data protection procedures. Any organisations operating in Europe will need to see major improvements in their score by May 2018 if they’re to avoid potentially heavy financial penalties under the GDPR, not to mention serious reputational damage as people become more and more aware of their rights in this area.”


Van Eecke added: “With more and more organisations placing data centre stage, data protection will become an increasingly prominent issue. It’s vital that organisations invest now in the strategy and processes needed to help them to meet their obligations.”

Jim Halpert, the US co-chair of DLA Piper’s Global Data Protection practice, added: “As privacy requirements such as privacy by design, data portability and extensively documenting a privacy program become more complex, compliance demands significant operational work that takes time. In this sense, the results are not surprising. The time to step up compliance efforts is this year, not next.”

The GDPR will apply to processing carried out by organisations operating within the EU and to organisations outside the EU that offer goods or services to individuals in the EU.

The UK Government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. Organisations failing to comply with the GDPR after its implementation in 2018 could face fines as high as 4% of global annual turnover.


“30% of NHS Trusts have experienced a ransomware attack” finds SentinelOne

30% of NHS Trusts in the UK have experienced a ransomware attack, potentially placing patient data and lives at risk. One Trust – the Imperial College Healthcare NHS Trust – admitted to being attacked 19 times in just 12 months. These are the findings of a Freedom of Information (FoI) request submitted by SentinelOne.

The Ransomware Research Data Summary explains that SentinelOne made FoI requests to 129 NHS Trusts, of which 94 responded. Three Trusts refused to answer, claiming their response could damage commercial interests. All but two Trusts – Surrey and Sussex and University College London Hospitals – have invested in anti-virus security software on their endpoint devices to protect them from malware.

Despite installing a McAfee solution, Leeds Teaching Hospital has apparently suffered five attacks in the past year.

No Trusts reported paying a ransom or informed law enforcement of the attacks: all preferred to deal with the attacks internally.

Ransomware, which encrypts data and demands a ransom to decrypt it, has been affecting US hospitals for a while now. The Hollywood Presbyterian Medical Center in Los Angeles notoriously paid cyber criminals £12,000 last February after being infected by Locky, one of the most prolific ransomware variants.


With the infected computers or networks becoming unusable until a ransom has been paid* or the data has been recovered, it’s clear to see why these types of attack can be a concern for business continuity professionals, with the latest Horizon Scan Report published by the Business Continuity Institute highlighting cyber attacks as the prime concern. This is a very good reason why cyber resilience has been chosen as the theme for Business Continuity Awareness Week in 2017.

“These results are far from surprising,” said Tony Rowan, chief security consultant at SentinelOne. “Public sector organisations make a soft target for fraudsters because budget and resource shortages frequently leave hospitals short changed when it comes to security basics like regular software patching. The results highlight the fact that old school AV technology is powerless to halt virulent, mutating forms of malware like ransomware. A new and more dynamic approach to endpoint protection is needed.”

Rowan continued: “In the past, some NHS Trusts have been singled out by the Information Commissioner’s Office for their poor record on data breaches. With the growth of connected devices like kidney dialysis machines and heart monitors, there’s even a chance that poor security practices could put lives at risk.”

*Note that the data isn’t always recovered even after a ransom has been paid


Prolexic Report: ‘Distributed Denial of Service attacks on the increase’

Prolexic’s latest report on Distributed Denial of Service (DDoS) attacks has shown that, compared to this time last year, the number of attacks has increased by 22%. The report also shows that the average attack bandwidth has increased by 72%, while the average peak bandwidth has risen by 241%.

On the positive side, the report states that attack duration has decreased by 54% from an average of 38 hours to 17 hours. Attacks may last for a shorter period, but those attacks are now more frequent and more powerful.

A DDoS attack is an attempt to make a computer network unavailable to its intended users, normally by flooding it with so much traffic that the network slows down and becomes unresponsive. The largest reported DDoS attack to date was when a client of CloudFlare was targeted, with the peak of this attack reaching 400 gigabits per second.

The DDoS Report by Prolexic has shown that, compared to this time last year, the number of attacks has increased by 22%

With the threat of cyber attack increasing – something identified in the Business Continuity Institute’s Horizon Scan Report, which shows that 73% of business continuity professionals are either ‘concerned’ or ‘extremely concerned’ by this threat materialising – the technology to counter such attacks has also developed. This could explain why the length of attacks has decreased: as one attack fails, the attacker quickly moves on to an easier target.

Gaming, software and media worlds hit hard

While the length of the attacks has – on average – halved since last year, it’s still worth noting that 17 hours could result in a major outage for the organisation being attacked. If that organisation is reliant upon its network then the consequences may well be dire.

The Prolexic report also reveals the industries most targeted by these types of attack. The gaming industry was the main victim, accounting for nearly half (46%) of all attacks. The report suggests that “gaming attacks are frequently motivated by players trying to gain a competitive advantage, or by malicious actors seeking to steal personal data from players.”

The software and technology industry and the media and entertainment sector accounted for 22% and 15% of attacks respectively, while the financial sector accounts for 10% of all attacks.

The United States was the origin of most attacks, accounting for over 20%. Having not appeared on the list at all in the previous report, Japan wasn’t too far behind with 18% while China accounted for 12% of attacks and Germany 10%.
