Tag Archives: Reputational Risk

Organisations “need to do more” to ensure EU GDPR compliance

Organisations need to do more work to ensure compliance with the European Union’s General Data Protection Regulation (GDPR) which is due to come into force in May 2018. While organisations are largely aware of their upcoming obligations, levels of maturity to meet the new standards are low.

Overall, organisations are compliant with less than 40% of the principles laid out in the GDPR. DLA Piper’s Global Data Privacy Snapshot 2017 notes that some industries are progressing towards compliance better than others. The hospitality and banking sectors are ahead of the rest with 48% and 43% compliance respectively, compared to the average of around 37%. Healthcare and manufacturing are at the bottom end of the scale with 34% and 35% compliance.

Data breaches are already the second greatest concern for business continuity professionals, according to the latest Horizon Scan Report published by the Business Continuity Institute. Unless organisations are compliant by the time the GDPR comes into force, a breach could become even more disruptive.

Patrick Van Eecke, partner and global co-chair of DLA Piper’s Data Protection practice, said: “The responses show that many organisations still have work to do on their data protection procedures. Any organisations operating in Europe will need to see major improvements in their score by May 2018 if they’re to avoid potentially heavy financial penalties under the GDPR, not to mention serious reputational damage as people become more and more aware of their rights in this area.”

Van Eecke added: “With more and more organisations placing data centre stage, data protection will become an increasingly prominent issue. It’s vital that organisations invest now in the strategy and processes needed to help them to meet their obligations.”

Jim Halpert, the US co-chair of DLA Piper’s Global Data Protection practice, added: “As privacy requirements such as privacy by design, data portability and extensively documenting a privacy program become more complex, compliance demands significant operational work that takes time. In this sense, the results are not surprising. The time to step up compliance efforts is this year, not next.”

The GDPR will apply to processing carried out by organisations operating within the EU and to organisations outside the EU that offer goods or services to individuals in the EU.

The UK Government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. Organisations failing to comply with the GDPR after its implementation in 2018 could face fines as high as 4% of global annual turnover.

Filed under Risk UK News, Uncategorized

Standard protecting food from malicious and deliberate attack revised by BSI

BSI has revised its PAS (Publicly Available Specification) that safeguards food and drink against malicious tampering. PAS 96 Defending Food and Drink was first published in 2008 as a guide to Hazard Analysis Critical Control Point (HACCP) which identifies and manages risks in supply chains.

The food and drinks industry is used to handling natural errors or mishaps within the food supply chain, but the threat of deliberate attack – although not new – is growing with the changing political climate. Ideological groups can see this as an entry point to commit sabotage or further criminal activity.

The impacts of threats to the food supply chain are therefore great. They can include direct losses when responding to acts of sabotage or paying compensation to affected producers and suppliers, customers and distributors. Trade embargoes may be imposed by trading partners, and longer term reputational damage may occur as a result of an attack.

David Fatscher, head of market development for sustainability at BSI, explained: “It’s not just events such as the horse meat scandal and the subsequent Elliott Review that realise a need for clarity in the food supply chain. As issues such as ‘Food Terrorism’ become more of a reality, businesses need to be extra vigilant and confident that they’ve set up the basic practices on keeping their supply chains ‘sabotage free’. PAS 96 was specifically designed to minimise the risks associated with deliberate attack, enabling businesses to stay one step ahead and not suffer damage to their reputations.”

BSI has revised PAS 96

The revision of PAS 96 includes the introduction of the Threat Assessment Critical Control Points (TACCP) risk management methodology. The TACCP process will help businesses of all sizes avoid and mitigate threats to their food supply chain.

The development of PAS 96 was sponsored by the Department for the Environment, Food and Rural Affairs (Defra) and the Food Standards Agency.

What PAS 96 can do

• Introduce the TACCP process
• Offer scenarios on how TACCP may be applied in existing businesses
• Provide guidance to food business managers through approaches and procedures to improve the resilience of supply chains to fraud or other forms of attack
• Aim to assure the authenticity of food by minimising the chance of an attack and mitigating the consequences of a successful attack

PAS 96 will benefit all organisations, but may be of particular use to managers of small and medium-sized food enterprises who may not have easy access to specialist advice. It’s of value to those involved in manufacturing, purchasing, supplying and selling food products.

David Fatscher: head of market development for sustainability at BSI

Some of the organisations involved in the development of PAS 96 have included Agrico UK Limited, the Department for Environment, Food & Rural Affairs (Defra), the Food Standards Agency, the Global Food Security Programme, Heineken UK, J Sainsbury plc, McDonald’s Europe and Tesco.

Other businesses involved in the standard’s development are Bakkavor, Cargill, GIST Limited, Hilton Food Group plc, Leatherhead Food Research, Raspberry Blonde and SSAFE.

Filed under Risk UK News

UK businesses “sleepwalking” into reputational time bomb

According to research conducted by BSI, the business standards company, UK businesses are at risk of sleepwalking into a reputational time bomb due to a lack of awareness on how to protect their data assets. As cyber hackers become more complex and sophisticated in their methods, UK organisations are being urged to strengthen their security systems in order to protect both themselves and consumers.

The BSI survey of IT decision-makers [1] finds that cyber security is a growing concern, with over half (56%) of UK businesses being more concerned about this issue than was the case 12 months ago. Seven-in-10 (70%) attribute this to hackers becoming more skilled and better at targeting businesses.

However, while the majority (98%) of organisations have taken steps to minimise risks to their information security, only 12% are extremely confident about the security measures they have in place to defend against these attacks.

Worryingly, IT directors appear to have accepted the risks posed to their information security, with nine-in-10 (91%) admitting their organisation has been the victim of a cyber attack at some point. Around half have experienced an attempted hack and/or suffered from malware (49% in both instances). Around four-in-ten (42%) have experienced the installation of unauthorised software by trusted insiders, while nearly one third (30%) report having suffered from a loss of confidential information.

Managing risks: key to protecting data assets

Despite confidence in the security measures they have in place, three-in-five (60%) of those organisations surveyed have not provided staff with information security training. Over a third (37%) haven’t installed anti-virus software, and only just under half (49%) monitor their users’ access to applications, computers and software.

Conversely, organisations that have implemented ISO 27001 – the international Information Security Management System Standard – are more conscious about potential cyber attacks than those who haven’t (56% versus 12%). As such, 52% of organisations with ISO 27001 already implemented are extremely confident about their level of resilience against the latest methods of cyber hacking.

Maureen Sumner Smith: UK managing director at BSI

“The research reveals that businesses who can identify threats are more aware of them,” said Mike Edwards, information security specialist and tutor at BSI. “Our experience confirms this. We know that organisations with ISO 27001 in place can better identify the threats and vulnerabilities posed to their information security and put in place appropriate controls designed to manage and mitigate risk.”

Consumers looking to organisations that go ‘above and beyond’

As consumers are now spending more and more of their time and money online, so their vulnerability to cyber attacks is increasing. A recent survey [2] showed that nearly half of consumers questioned had suffered from a cyber attack/crime event, yet only 4% have stopped using online services to reduce the risks.

Consumers are looking to companies for protection, who in turn need to safeguard themselves and their customers’ data. However, there’s an inherent lack of trust from consumers on how their data is handled by organisations, with one third of those questioned admitting they don’t trust organisations with their data.

On the other hand, there’s a level of acceptance that nothing online will ever be wholly safe, leading to a false sense of security that: ‘This will not happen to me’ among those who have not suffered from a cyber attack/crime.

Maureen Sumner Smith, UK managing director at BSI, explained: “Consumers want their information to be confidential and not shared or sold. Those who want to be reassured that their data is safe and secure are looking to organisations willing to go the extra mile to protect and look after their data.”

Sumner Smith continued: “Best Practice security frameworks, such as ISO 27001 and easily recognisable consumer icons like the BSI Kitemark for Secure Digital Transactions can help organisations benefit from increased sales, fewer security breaches and protected reputations. Our research shows that the onus is very much on businesses to wake up and take responsibility if they want to continue to be profitable and protect their brand reputations.”

References
[1] Research interviews conducted with 200 IT decision-makers in UK businesses employing between 250 and 1,000 members of staff. Interviews carried out in October 2014 by Vanson Bourne.
[2] Consumer research involving 1,589 UK adults. Conducted in September 2014 by Opinion Matters.

Filed under Risk UK News

CrowdControlHQ: “IT directors ignore social media risks at their peril”

Marc Harris (Chief Technical Officer at CrowdControlHQ) examines the issues facing IT directors from the use of social media.

Many IT directors operate their own personal Facebook and LinkedIn accounts. However, when it comes to corporate social media they pass responsibility for management of same to the Marketing Department. Are they doing so at their peril?

Let me start with the elephant in the room, namely the role of the IT director. After an extensive IT career in the media, telecommunication and technology sectors, recent experience has led me to conclude that social media needs to be firmly at the top of the priority list of every IT director.

In my current role, I see at first hand the impact of reputational damage realised by both internal and external sources through the use of social media, and find it surprising how few IT directors are willing to discuss the issues or attend conferences on the subject. Perhaps they feel an unwelcome interference or ‘elbowed out’ by this new communication channel which has evolved extensively under the umbrella of marketing?

In future, the organisations succeeding in the social media space will have Marketing and IT Departments working seamlessly together to tackle the issues. The ‘DNA’ of IT makes it the most qualified department to deal with some of the risk issues that surround social media, so why isn’t it more involved?

Today, social media is being used in every aspect of business, from the Boardroom right through to the delivery of customer service. By its very nature, social media is a collective responsibility. Not surprisingly, its reliance on ‘collaboration’ has in some instances manifested itself as ‘sharing’ responsibility for posting of content… and even the sharing of passwords!

New rules now apply

I once overheard a social media officer quite gleefully boasting the fact that they had the Twitter login to hand for their company chairman. When challenged, the officer admitted that he was ‘The Chosen One’. If he was off sick that was it – no tweets or updates! Worse still, if he left the organisation he had the power to bring the place down tweet by tweet.

This is the stuff that would have kept me awake at night as an IT director, yet in a world powered by social engagement new rules seem to apply.

Marc Harris: CTO at CrowdControlHQ

Recent research also reported that a scarily large number of employees still use the dreaded Post-It note to record their login usernames and passwords, stuck to walls, desks and even the computer screen. Apparently, we’re not coping well with the need to access everything online from social media to our weekly shop and fear our mobile devices could be pinched. We’re reverting to pen and paper, it seems.

This practice can only end in tears. There have now been too many examples of ‘rogue’ tweets, no audit trail of who posted them (or why) and organisations – who, frankly, should have known better – being left rosy cheeked, so why is this practice still so rife?

Why would an employee, with their job on the line, ‘fess up’ when they know that at least 15 other people had access to the account that day?

I also believe that few IT Departments have a handle on the number of users across their ‘official’ social media accounts, let alone a log of which password protocol they are using, how they are accessing the site or posting.

Need to look both ways

We cannot just blame the employees. Even organisations with the most robust and celebrated IT protocols let themselves down when it comes to simple issues such as data storage. I suspect very few IT directors are crystal clear about where their marketing communications teams are storing their social media campaigns, let alone harbour an understanding of the conversations from the past that they may need to reference in the future or where they keep their notes about their customers linked to these campaigns.

I would hazard a guess that many IT Departments are breaking their own compliance and governance issues when it comes to social media.

Today, there’s no need to share passwords. The social media ‘savvy’ have cottoned on to tiered password access, with both the IT and Marketing Departments having an ‘on/off’ switch to give them instant control in times of crisis. If IT is involved in the installation of a Social Media Management Solution (SMMS) they can see exactly who is plugged into the system, where accountability lies and who they need to train and develop to uphold the security protocols needed in order to keep an organisation’s reputation intact.

Within the scope of most IT budgets a SMMS will be a drop in the ocean but will address these major issues. Any smart IT director will already be looking at a SMMS if there isn’t already one in place. Such a system gives control back to the organisation. All passwords are held in one place such that accounts are not owned by individuals but by the company. The right system gives an organisation the ability to moderate content at a senior level. In turn, the risk of misuse or mistakes can be eradicated.

A SMMS also takes care of the practical management issues. I fear that some organisations are taking a step backwards in terms of their technological evolution, reverting to time-wasting, ineffective manual processing of social media (eg multiple logins to different social media platforms rather than using readily available tools for automation and effectiveness).

The message is clear. IT directors ignore social media at their peril. When it comes to corporate social engagement, it’s time for them to wake up, check and challenge.

Filed under Risk UK News

“Businesses facing high costs of supply chain disruption” states BCI’s research

Business Continuity Institute (BCI) research has exposed the high costs that businesses are facing as a result of supply chain disruptions in this increasingly interconnected world. Nearly a quarter of businesses surveyed have suffered from disruptions within the past year that cost in excess of €1 million, with 40% of them not having sufficient insurance to cover those losses. 20% were only insured against half of these losses.

Organisations simply cannot bury their heads in the sand and pretend an incident will never happen to them. The BCI survey shows that 76% of respondents had experienced at least one supply chain disruption during the previous twelve months, yet a quarter of respondents (28%) still had no business continuity arrangements in place to deal with such an event.

Supported by global insurer Zurich Insurance Group, the BCI report concludes that supply chain disruptions are costly and may cause significant damage to an organisation’s reputation.

While the survey results indicate a growing awareness of business continuity and its role in ensuring supply chain resilience, many organisations have yet to improve on their reporting and business continuity arrangements. Budgets for business continuity and ensuring supply chain resilience are often slashed in favour of other priorities, but this latest study demonstrates why such a move is often found to be an unwise course of action.

With the growing cost of disruption worldwide and the potential reputational damage caused as a result of failing to have appropriate transparency in the supply chain, investments in this area are essential and can make the difference when disaster strikes.

Business Continuity Institute research has exposed the high costs that businesses are facing as a result of supply chain disruptions in this increasingly interconnected world

Further findings from the research are as follows:
• 78.6% of respondents don’t have full visibility of their supply chains
• Only 26.5% of organisations co-ordinate and report supply chain disruption on an enterprise-wide basis
• 44.4% of disruptions originate below the Tier 1 supplier
• 13% of organisations don’t analyse their supply chains to identify the source of the disruption
• The primary sources of disruption to supply chains in the last 12 months were unplanned IT and telecommunications outages (52.9%), adverse weather conditions (51.6%) and outsourced service failure (35.8%)
• Loss of productivity (58.5%) remains the top consequence of supply chain disruptions for the sixth year running
• Increased cost of working (47.5%) and loss of revenue (44.7%) are also more commonly reported this year and round out the Top Three
• Respondents reporting low top management commitment to this issue have risen from 21.1% to 28.6%. This is a worrying finding as low commitment is likely to coincide with limited investment in what is a key performance area
• The percentage of firms having business continuity arrangements in place against supply chain disruption has risen from 57.7% to 72.0%. However, segmenting the data reveals that small and medium-sized enterprises (SMEs) are less likely to have such arrangements in place than large businesses (with scores of 63.9% and 76.2% respectively)

Commitment to business continuity

Lyndon Bird FBCI, technical director at the BCI, commented: “Should we be alarmed by some of the figures revealed in this survey? Perhaps so. Should we be surprised by them? Probably not. As long as organisations are failing to put business continuity mechanisms in place, and as long as top management is failing to give this issue the level of commitment it requires, supply chain disruptions will continue to occur and they will continue to cost organisations dearly. In our globally connected world, these supply chains are becoming ever more complex and more action is needed to make sure that an incident in one organisation doesn’t become a crisis for another.”

Nick Wildgoose, global supply chain product leader at Zurich Insurance Group, commented: “Top level management support is fundamental to driving improvements in supply chain resilience. I’ve witnessed the significant disruption cost reductions can have in this area. This should be regarded as a business change programme in the context of driving value through supplier relationship management and becoming the customer of choice for your strategic suppliers to improve your business performance.”

Now in its sixth year, the BCI’s annual Supply Chain Resilience Survey has established itself as an important vehicle for highlighting and informing organisations of the importance of supply chain resilience and the key role it plays in achieving overall organisational resilience in today’s volatile global economic climate.

The outcomes of previous surveys have provided organisations with critical insights and valuable information to support the development of appropriate strategic responses and approaches to mitigate the impact and consequences of disruptions within their supply chains.

In terms of this year’s online survey, 525 respondents emanated from 71 countries working in 14 SIC industry sectors. The majority of respondents were from outside the UK.

A major survey from State of Flux – entitled: ‘2014 Global Supplier Relationship Management Research Report’ – was published on 6 November and reinforces the importance of this area as part of overall business performance.

Filed under Risk UK News

“Organisations must act now to avoid hackers’ oldest trick in the book” urges ICO

The Information Commissioner’s Office (ICO) is warning organisations that they must make sure their websites are protected against one of the most common forms of online attack – SQL injection.

The warning comes after the hotel booking website, Worldview Limited, was fined £7,500 following a serious data breach where a vulnerability on the company’s site allowed attackers to access the full payment card details of 3,814 customers.

The data was accessed after the attacker exploited a flaw on a page of the Worldview website to access the company’s customer database. Although customers’ payment details had been encrypted, the means to decrypt the information – known as the decryption key – was stored with the data. This oversight allowed the attackers to access the customers’ full card details, including the three-digit security code needed to authorise payment.

Christopher Graham: the Information Commissioner

The weakness had existed on the website since May 2010 and was only uncovered during a routine update on 28 June 2013. The attackers had access to the information for ten days. The company has now corrected the flaw and invested in improving its IT security systems.

Worldview Limited would have received a £75,000 penalty but the ICO was required to consider the impact any penalty would have on the company’s financial situation.

Attacks are preventable

Simon Rice, the ICO’s Group Manager for Technology, said: “It may come as a surprise to many in the IT security industry that this type of attack is still allowed to occur. SQL injection attacks are preventable but organisations need to spend the necessary time and effort to make sure their website isn’t vulnerable. Worldview Limited failed to do this, allowing the card details of over 3,000 customers to be compromised.”

Rice added: “Organisations must act now to avoid one of the oldest hackers’ tricks in the book. If you don’t have the expertise in-house then find someone who does, otherwise you may be the next organisation on the end of an ICO fine and the reputational damage that results from a serious data breach.”
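The vulnerable-versus-fixed pattern behind the ICO’s warning, as an added example that is not code from the ICO, Worldview Limited or the original article: a string-built booking lookup beside the parameterised form, run against a constructed in-memory SQLite table (the schema, the sample rows and the booking-reference format are assumptions made for the example).

```python
"""Vulnerable versus parameterised lookup for a hotel booking site.

Added example, not code from the ICO or Worldview Limited. The bookings
table, its rows and the reference format are constructed here so that the
script runs offline against SQLite.
"""
import re
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Create an in-memory bookings table populated with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bookings (ref TEXT PRIMARY KEY, guest TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO bookings VALUES (?, ?, ?)",
        [
            ("B1001", "A. Guest", "4242"),
            ("B1002", "B. Guest", "0005"),
            ("B1003", "C. Guest", "1117"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, ref: str) -> list:
    """String-built query: the caller's input becomes part of the SQL text.

    This is the defect class the ICO warning describes. Whatever the visitor
    types into the booking-reference field is parsed as SQL, so the WHERE
    clause can be rewritten and rows belonging to other customers returned.
    """
    sql = f"SELECT ref, guest, card_last4 FROM bookings WHERE ref = '{ref}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, ref: str) -> list:
    """Parameterised query: the input is bound as a value, never parsed as SQL.

    The database driver sends the statement and the value separately, so the
    same text that changed the WHERE clause above is simply compared against
    the ref column and matches nothing.
    """
    sql = "SELECT ref, guest, card_last4 FROM bookings WHERE ref = ?"
    return conn.execute(sql, (ref,)).fetchall()


def is_valid_ref(value: str) -> bool:
    """Allow-list check for the booking-reference field (assumed format).

    In this constructed schema a reference is one capital letter followed by
    four digits. Rejecting anything else at the edge is defence in depth and
    a useful log signal; parameterisation above is the actual fix.
    """
    return re.fullmatch(r"[A-Z][0-9]{4}", value) is not None


if __name__ == "__main__":
    db = setup_db()
    # Constructed test input: a tautology that makes the string-built query
    # match every row. It is the textbook shape of the attack class named above.
    injected = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, injected))      # all three rows
    print("parameterised:", lookup_parameterised(db, injected))  # []
    print("valid ref:", is_valid_ref(injected))                # False
```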

Filed under Risk UK News

FT Remark and Wipro survey reveals firms may be missing opportunities to fortify business process resilience

A new report compiled by FT Remark and Wipro confirms that business process resilience is mission-critical, but also highlights that companies may well be missing opportunities to fortify themselves.

In the global survey of 330 C-suite executives, nearly all respondents (98%) agree that technology risk management is important or very important to the overall running of their firms, while 84% feel their firms’ technology risk management programmes add value.

However, 35% describe their firms’ spending on technology risk management as ‘focused on the next year’, with a further 17% working on a ‘project-by-project basis’.

Less than half (41%) describe their company’s spending as ‘focused on the long-term’. In addition, only 15% of those surveyed state that decisions on technology risk management are made at Board level, even though system failures have implications that reverberate throughout a given business’ ecosystem.

The FT-Remark/Wipro report entitled ‘Building Confidence: The Business of Resilience’ seeks to identify how businesses are rising to the challenges that technology presents, and how they are making their operations more resilient in the process through strategies, investments and partnerships.

According to a new report from FT Remark and Wipro, business process resilience is absolutely mission-critical, but companies may be missing out on opportunities to fortify themselves

“In developing resilience plans, businesses should consider the full range of their operations, from customers to third party suppliers,” explained Nick Cheek, managing editor at Remark (which is part of the Mergermarket Group). “Businesses should also concentrate on making themselves agile and modular so that they can minimise the impact of negative events.”

Data is power

Technology has realised fantastic opportunities for businesses of all sizes. Data is power: the more businesses can understand about their customers, partners and products, the more agile and effective they can be.

“Firms should think of business process resilience in the broader sense,” stated Alexis Samuel, global managing partner at Wipro Consulting Services. “Rather than being considered fodder for CIOs or CTOs, corporates should view these issues as Board-level ones that have far-reaching implications for disparate business arms.”

Balasubramanian Ganesh, CEO for the Products and Solutions business at Wipro, added: “Over the years, the level of investment has not kept pace with that required to address inherent and emerging risks when it comes to the provision of services to customers. The aggregate impacts of this under-investment, accompanied by an increase in customer expectations, have created risks to services which are no longer acceptable. Such risks will typically need to be addressed by a significant and sustained programme of investment.”

Additional key findings of the report

• At 65%, the largest share of respondents state that integrating new technologies with old is one of their biggest challenges. This is followed by projects being too difficult or complex (52%)
• The most pressing area of concern over the next 12 months is business continuity and disaster recovery planning, with respondents rating this at 4.09 on a scale of 1 to 5 (where 1 is not at all important and 5 is very important)
• Regarding social media, 74% of respondents say that reputational or brand damage is a potential pitfall
• For those who agree that technology risk management adds value, 72% say that it does so by increasing customer satisfaction or confidence
• When thinking about business process resilience, 88% of respondents consider their own firm with only 65% thinking about their customers

‘Building Confidence: The Business of Resilience’ identifies key trends in business process resilience (defined as a firm’s ‘ability to cope with change, both expected and unexpected’), particularly in relation to managing technology risk.

With globalisation and hyper-connectivity, resilience is being taken very seriously at Board level and external consultants are being brought in to bridge the skills gaps that exist as new technologies emerge.

For the purposes of the report, FT Remark interviewed 330 C-suite executives from corporations with an annual turnover of US$500 million or greater. The interview pool was comprised of 113 respondents from Europe, 100 respondents from the USA, 80 respondents from the Asia Pacific region and 37 respondents from Africa.

To qualify for participation in the study, respondents must have allocated budget to technology risk management in the past two years or have plans to do so in the coming year.

Filed under Risk UK News