Migrating your IT infrastructure to the cloud has a ton of benefits. Whether you’re looking to improve security and become GDPR compliant, cut your total cost of ownership by 10.25%, or promote teamwork and innovation by integrating AI capabilities, the cloud provides a solution to your IT problems.
Think Up Consulting is a young, fast-growing agency based in Greenville, South Carolina. The agency specializes in brand strategy, change management and strategic consulting to help global brands make deep, lasting connections with customers.
For Think Up, the ability to ensure seamless communication and reliable security while maximizing productivity is a must. To support these priorities, the company chose Office 365 to streamline internal processes and dramatically reduce the number of emails employees send.
A forward-thinking company, Think Up continues to explore and adopt new technology to help increase employee efficiency and better meet its customers’ needs.
We can help you do the same. Contact us to learn more.
There’s been lots of talk about regulations with bite, a watchdog baring its teeth, and ‘the gloves are off’ after the UK Information Commissioner’s Office’s one-two punch: a £184 million fine against British Airways, and £99 million against Marriott International announced a day later.
It certainly looks like the ICO went for the jugular (sorry, it’s contagious) over breaches of the General Data Protection Regulation. But it reminds me of the build-up to the regulation before May 2018. Then, much of the coverage focused on the potentially huge fines at stake. In the same way, last week’s news shouldn’t obscure the lessons beyond the attention-grabbing sums of money.
A wake-up call
The first thing to clarify is that these fines haven’t been issued yet. In both cases, the ICO is saying it’s an intention to fine – it’s giving both companies a warning. Whether or not the amounts will be close to the published figures, we know there will be fines for sure. Companies should take this as a wake-up call that non-compliance with GDPR requirements may result in tough penalties.
As I noted in the SANS Institute newsletter, the fines are not for having a breach, but for the poor security that enabled it. The ICO press statement makes this very clear. “The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information,” it said.
That said, the proposed fine still amounts to 1.5 per cent of British Airways’ revenue. “This should send a strong message to all organisations that are regulated by the GDPR to take the security and privacy of their customer data seriously,” I wrote.
In an interview with Bank Info Security, I said that more GDPR fines are likely on the way. “Many GDPR data breaches, especially the highly publicised ones, can take a long time for proper investigations by the supervisory authorities… What we are seeing now are the beginnings of the supervisory authorities issuing penalties under GDPR, and I expect we will see many more over the coming months.”
The ICO’s announcements last week aren’t the first fines that a supervisory authority has imposed under GDPR. As Tracy Elliott noted in our blog marking the first year post-GDPR, there have been other, smaller fines issued in the UK, Portugal and France. We also know that Ireland’s Data Protection Commission (DPC) has several cases ongoing against Facebook, Google and Quantcast.
(Don’t just) follow the money
Last week, I was at the Maastricht University European Centre on Privacy and Cybersecurity, where I contribute to certification training for data protection officers (DPOs). Some attendees said their senior management were now asking what the fines could mean. They also wondered what assurances they have that their own organisations aren’t at risk from a similar incident.
After the race to get ready for GDPR by May 2018, a certain amount of complacency set in. Since these breaches, the size of the proposed fines has put GDPR back on senior management’s radar. (Side note: BA’s market value fell by more than £115 million after the news came out.)
There are broader lessons from last week’s news. It’s important to look beyond the financial repercussions, particularly in companies whose business model relies on gathering and processing data. Bear in mind that fines are just one penalty that a regulator can impose. They could compel companies to delete data or stop processing certain types of data. That could have a bigger long-term impact on their business than a monetary fine which they could absorb. Not being able to gather data in a certain way could have negative repercussions on how you do business.
The root causes of BA and Marriott’s breaches highlight a particular security risk: external third parties. BA’s breach was due to a software script integrated into its website. There were no checks in place to verify any changes to that code, so modified code was served to customers without anyone noticing. The Marriott breach came from its acquisition of Starwood hotels in 2016. It only discovered in 2018 that Starwood’s customer database had suffered a hack in 2014.
So, companies need to ask what due diligence they need to carry out against third-party vendors and suppliers. If your company plans to acquire or partner with businesses, you inherit their risk profile, security and data protection frameworks. You need to check what assurances you have that these third parties are adhering to your security requirements, rather than you inheriting theirs.
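The BA case above turned on one missing control: nothing verified that the third-party script being served was still the code that had been reviewed. The following is an added example, not code from the original post or from any of the companies named; it shows an integrity check of the kind that Subresource Integrity (SRI) uses, applied as a defender-side audit. The script bodies, URLs and pinned hashes are constructed for illustration; `audit_scripts` and `sample_audit` are helper names chosen here.

```python
# Added example (not from the original post): an SRI-style integrity check for
# third-party scripts, so that any change to the served code is detected
# before it is trusted. Script bodies and pinned hashes below are constructed.
import base64
import hashlib
import hmac


def sri_digest(script_bytes: bytes, algo: str = "sha384") -> str:
    """Return an integrity value in the form SRI uses, e.g. 'sha384-<base64>'."""
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_script(script_bytes: bytes, pinned: str) -> bool:
    """True only if the fetched script hashes to the value pinned at review time."""
    algo, sep, _ = pinned.partition("-")
    if not sep or algo not in ("sha256", "sha384", "sha512"):
        return False  # malformed or unsupported pin: fail closed
    # Constant-time comparison so the check itself leaks nothing about the pin.
    return hmac.compare_digest(sri_digest(script_bytes, algo), pinned)


def audit_scripts(fetched: dict, baseline: dict) -> dict:
    """Classify each script URL as 'ok', 'changed', 'unpinned' or 'missing'.

    `fetched` maps URL -> bytes currently served; `baseline` maps URL -> the
    integrity value recorded when that script was last reviewed.
    """
    report = {}
    for url, body in fetched.items():
        pin = baseline.get(url)
        if pin is None:
            report[url] = "unpinned"   # a script nobody reviewed is itself a finding
        elif verify_script(body, pin):
            report[url] = "ok"
        else:
            report[url] = "changed"    # served code no longer matches the reviewed code
    for url in baseline:
        if url not in fetched:
            report[url] = "missing"    # a pinned script has disappeared
    return report


# Constructed sample: two vendor scripts, one of which has been modified since review.
REVIEWED_ANALYTICS = b"window.track = function (e) { send('/collect', e); };\n"
REVIEWED_CHAT = b"window.openChat = function () { render('#chat'); };\n"
TAMPERED_CHAT = REVIEWED_CHAT + b"// appended code that was never reviewed\n"

BASELINE = {
    "https://cdn.example/analytics.js": sri_digest(REVIEWED_ANALYTICS),
    "https://cdn.example/chat.js": sri_digest(REVIEWED_CHAT),
}


def sample_audit() -> dict:
    """Run the check over constructed 'currently served' script bodies."""
    fetched = {
        "https://cdn.example/analytics.js": REVIEWED_ANALYTICS,
        "https://cdn.example/chat.js": TAMPERED_CHAT,
        "https://cdn.example/new-widget.js": b"/* never reviewed */\n",
    }
    return audit_scripts(fetched, BASELINE)


if __name__ == "__main__":
    for url, status in sorted(sample_audit().items()):
        print(f"{status:9s} {url}")
```

The same `sha384-...` value can be placed in the page’s `<script integrity="..." crossorigin="anonymous">` attribute so that browsers refuse to run a script whose bytes no longer match; the audit above is the server-side complement, run on a schedule so that a "changed" or "unpinned" result reaches the people who own the third-party relationship rather than being discovered after a regulator’s investigation.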
In light of the news, what actions should other companies take? Interestingly, even before the ICO’s news, the Irish DPC issued a short guide to information sources to consider when reviewing or setting security.
Companies should carry out continuous auditing and verification to ensure their security and privacy controls are working. If they don’t have the internal resources to do this, they should work with independent experts to verify those controls.
The post Fighting talk and fines obscure other GDPR lessons from BA and Marriott data breaches appeared first on BH Consulting.
Magecart Attacks See Spike in Automation
The latest attack in the long string of Magecart breaches has apparently affected over 900 e-commerce sites in under 24 hours. This increase over the previous attack, which affected 700 sites, suggests that its authors are working on improving the automation of these information-stealing attacks. The results of these types of attacks can be seen in the latest major fines being issued under GDPR, including one to Marriott for $123 million and another to British Airways for a whopping $230.5 million.
Agent Smith Android Malvertiser Spotted
Researchers have been tracking the resurgence of an Android-based malware campaign that disguises itself as any number of legitimate applications to deliver spam advertisements. After being installed from a third-party app store, the malware checks both a hardcoded list and the command-and-control server for available apps to swap out for malicious copies, without alerting the device owner. The majority of targeted devices have been located in southwestern Asia, with other attacks showing up in both Europe and North America.
Third Florida City Faces Ransomware Attack
Almost exactly one month after the ransomware attack on Lake City, Florida, a third Florida city is facing a hefty Bitcoin ransom to restore its systems after discovering a variant of the Ryuk ransomware. As in the prior two attacks, this one began with an employee opening a malicious link from an email, allowing the malware to spread through connected systems. It is still unclear whether the city will follow the others and pay the ransom.
British Airways Receives Record GDPR Fine
Following a data breach last year that affected over 500,000 customers, British Airways has been hit with a total fine amount of $230.5 million. The amount is being seen as a warning to other companies regarding the severity of not keeping customer data safe, though it’s still much less than the maximum fine amount of up to 4% of the company’s annual turnover.
Georgia Court System Narrowly Avoids Ransomware Attack
Thanks to the quick work of the IT team from Georgia’s Administrative Office of the Courts (AOC), a ransomware attack that hit their systems was swiftly isolated, leading to minimal damage. Even more fortunate for the AOC, the only server affected was an applications server used by some courts, so its loss shouldn’t disrupt normal court proceedings. Just days after the initial attack, the IT teams (aided by multiple law enforcement agencies) were already in the process of returning to normal operations without paying a ransom.
The post Cyber News Rundown: Major Spike in Magecart Attacks appeared first on Webroot Blog.
New capabilities in Teams make it easier for customers across all industries to communicate and collaborate.