
Blog

GDPR and why encryption is important?

Encryption is like backup. Everyone agrees that it is the right thing to do, but still some will do it and some will not. With backup it is a no-brainer – you should back up (often, regularly, and keep copies off site based on a strategy that is appropriate to your risk appetite). I think the same applies with encryption – if you have sensitive information you should consider encryption.

What is encryption? (See ICO for more details)

Encryption is a mathematical function using a secret value — the key — which encodes data so that only users with access to that key can read the information. In many cases encryption can provide an appropriate safeguard against the unauthorised or unlawful processing of personal data, especially in cases where it is not possible to implement alternative measures.

Why use encryption?

So why should you consider encrypting your data? Today the use of mobile devices is everywhere (laptops, phones, hard drives, USB sticks), and the risk of these devices being lost or getting into the wrong hands is likely, if not very likely. Just look at the latest security breach relating to London Heathrow airport. Another reason for encryption is the use of the internet. Of course, most would already be using encryption for various internet transactions, for example when communicating with their online bank or when visiting sites that have https in their URL. I would suggest that more should also consider using VPN encryption when accessing the internet from public wifi. Deloitte has also had a breach of their...

Continued growth in ISO 27001 certifications worldwide

Growth in ISO 27001 certifications is reported. The International Standards Organisation (ISO) reports a 21% rise in ISO 27001 certifications worldwide. ISO and IEC's standard for information security, ISO/IEC 27001, saw a 21% increase to 33,290 certificates worldwide. This is reported through the ISO Survey of Certifications, an annual survey of the number of valid certificates to ISO management system standards worldwide. The UK accounts for 10% of global certificates issued (the UK ranks second in the world with 3,367 certificates issued).

ISO 27001 is the best-practice framework for implementing an Information Security Management System (ISMS). Through a risk-balanced focus on technology, processes and people, the standard will help design and implement an ISMS that will help protect, detect and respond, and recover in case of a cyber security incident.

This survey certainly supports what we are seeing as well. More and more organisations are implementing an ISMS according to the ISO 27001 standard and reaping benefits such as:

- Safeguards business interests
- Supports business objectives
- Achieves a competitive business advantage
- Enables cost-effective and relevant security based on risk
- Aligns with the industry standard for information security management
- Supports your preferred supplier status and/or tender responses
- Clearly sets out how to address and manage the key information security requirements
- Demonstrates how information and information systems are safeguarded
- Helps to prepare for the unexpected

In JSC Consultant our approach is:

- All our Senior Consultants have an extensive background in business
- They also have many years of ISO 27001 training, assessment and implementation experience
- No project is the same, and hence time is spent understanding the specific situation of the client
- Projects typically include...

Petya in Maersk – what can we learn?

I often get asked “what can I do to never get a cyberattack?” or “if I implement ISO 27001 will I be 100% secure?” or “why don't you invent a product that would make an organisation 100% secure?”. The last question came from my father this summer, when we were reading about the Petya outbreak in Maersk. It made fascinating reading, not least the cost, which was approximately 2 billion Danish Kroner (which is around 240 million British pounds according to my calculation). Certainly not small change for any company.

Maersk has chosen to be quite open about the attack and, based on the various news reports, the attack was not directed specifically at Maersk. Maersk was one of many global companies to be hit by malware later known as NotPetya, distributed through a Ukrainian accounting software called MeDoc, which is used for filing tax returns in Ukraine. The MeDoc software contained backdoors into the networks of users of the software, which were used by the malware to enter via the software's automatic update system.

So, back to the question… of course I would love to be able to develop a piece of software (or magic potion) that would make a system or organisation 100% secure. I am sure I would be able to sell many copies of this kind of software. However, I am not sure if this is possible, but perhaps I am limiting myself by having this kind of attitude (at least that is what my father thinks)? On the other hand, if I am wrong I would be joining a “club” that includes Bill Gates...

GDPR and ISO 27001

You might have heard that GDPR is coming? Of course you have, and it would be very difficult not to have heard about GDPR, as it almost resembles the good old Y2K days (if you are old enough to remember those days). With GDPR there seems to be a lot of common sense, and as the ICO says, “Many of the GDPR's main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law, then most of your approach to compliance will remain valid under the GDPR”. Then again, if you are not complying with the current DPA, maybe now is the time to be getting slightly nervous as well.

One of the reasons GDPR has everyone's attention is to do with the potential fines: if you are found to be non-compliant with GDPR you might “be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher”. So perhaps now is a good time to start the work to make sure you will be compliant come May 2018 (25 May 2018 to be precise). The good news is that if you have ISO 27001 in place, you have already done a lot of the work.

Does GDPR even apply?

The first step is to determine if GDPR applies. The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – i.e. the controller says...

Solid growth in ISO 27001 certifications worldwide

Solid growth in ISO 27001 certifications is reported. The International Standards Organisation (ISO) reports a 20% rise in ISO 27001 certifications worldwide. ISO and IEC's standard for information security, ISO/IEC 27001, saw a 20% increase to 27,536 certificates worldwide. This is reported through the ISO Survey of Certifications, an annual survey of the number of valid certificates to ISO management system standards worldwide.

ISO 27001 is the best-practice framework for implementing an Information Security Management System (ISMS). Through a risk-balanced focus on technology, processes and people, the standard will help design and implement an ISMS that will help protect, detect and respond, and recover in case of a cyber security incident.

This survey certainly supports what we are seeing as well. More and more organisations are implementing an ISMS according to the ISO 27001 standard and reaping benefits such as:

- Safeguards business interests
- Supports business objectives
- Achieves a competitive business advantage
- Enables cost-effective and relevant security based on risk
- Aligns with the industry standard for information security management
- Supports your preferred supplier status and/or tender responses
- Clearly sets out how to address and manage the key information security requirements
- Demonstrates how information and information systems are safeguarded
- Helps to prepare for the unexpected

In JSC Consultant our approach is:

- All our Senior Consultants have an extensive background in business
- They also have many years of ISO 27001 training, assessment and implementation experience
- No project is the same, and hence time is spent understanding the specific situation of the client
- Projects typically include a thorough gap analysis and risk assessment as...

ISO 27001 and law firms

As the BBC reported, a partner at Mossack Fonseca, the Panamanian law firm at the centre of a huge leak of confidential financial data, says it was the victim of a hack. Ramon Fonseca said the leak was not an “inside job” – the company had been hacked by servers based abroad.

It is surprising that not more law firms are choosing to adopt the international standard for information security, given that these typically keep a lot of confidential information. Perhaps it is time for law firms to ask themselves if their systems and confidential information (whether electronic or paper) are safe and secure. According to the ISO survey there were 1923 ISO 27001 certificates in the UK in 2013. That number grew 17.6% to 2261 in 2014; however, that growth was mainly made up of the Information Technology industry sector. Of course a number of these IT companies will be providing secure services to law firms, but I would expect the number of law firms looking to ISO 27001 to be a much larger piece of the pie, given the kind of information they hold.

So why do ISO 27001 and law firms not appear to be a match made in heaven? I think this latest breach will get more law firms to think about information security and perhaps consider implementing ISO 27001. However, as a minimum I would recommend that taking a look at the latest guidance from the ICO would really benefit any kind of company.

10 practical ways to keep your IT systems safe and secure:

- Assess the threats...

ISO 27001 Internal Audit

Part of running an effective ISO 27001 Information Security Management System (ISMS) is to run an effective internal audit programme. The purpose of the audit programme is to make sure that the ISMS conforms to your own requirements as well as the requirements of the standard, and to check that it is working effectively. If you have a good audit programme, you should get lots of improvements. If you don't get lots of improvements, you should review your audit programme. The ingredients you need to run an effective audit programme are an audit plan, really good auditors, and a process that ensures non-conformities or observations get acted upon.

You need “business consultants”

Really good auditors are trained in auditing, can ensure objectivity, and are impartial to the area being audited. The auditors you choose also need to have certain traits (see list of auditor traits), and you certainly need people who understand how to look at a process and are able to add value. I always like to think of auditors as “business consultants”. In large organisations this is fairly simple to set up, as they typically have the resources and you can find auditors who are completely independent of the process they are auditing. In small and medium-sized organisations this can be tricky, both in terms of finding the resources and in terms of finding auditors who are independent.

Outsource Internal Audit

Many organisations therefore choose to outsource the audit function to an external consultant, allowing employees to focus on the core business and leaving the auditing to an expert. By outsourcing...

ISO 27001 is also about people

Often when information security is discussed it centres around technology and IT; however, although technology and products are very important, information security is very much about people as well. In fact it is probably reasonable to state that around 80% of information security incidents are caused by people, and the cost is high.

Of course you can do a lot with the right products and technology, such as tight rules relating to what I can and can't install on my corporate PC, email filters, firewalls, encryption, and software that helps me understand suspicious events within my 50 million logs per day database. Despite all these kinds of technologies you will still see information security incidents, and one reason for that is people and their awareness of information security. Sometimes it is just pure human error that is the cause, for example sending an email containing sensitive information to the wrong person. Yes, you can argue that this kind of error should have been prevented by policy and technology. It is, however, still one of the more frequent information security incidents that I see.

Other times it is a more sinister and targeted approach, where people are tricked into doing something that compromises information security. Phishing or spear phishing are the typical incidents that are seen, and spear phishing in particular can be really difficult for a normal human being to detect. Even “security experts” can sometimes be tricked by sophisticated spear phishing. To test how well prepared you and your people are, try adding social engineering to your penetration test framework. It...

The cost of cybercrime

The cost of cybercrime is high! No news here, I think everyone knows that. Many studies have been made and published showing that the cost of cybercrime is high and getting higher each year. Still, when a company then publishes its latest quarterly financial results, you can't help feeling surprised (or even shocked) about the true cost of cybercrime.

Remember TalkTalk? They are the telecoms company that had an attack last year in which personal information and credit card information of some of their customers were stolen. The latest Q3FY16 trading update from TalkTalk now reveals the cost of this attack:

- Total cost of the cyber-attack was £60m
- Of which trading impact is £15m
- And exceptional costs £40m-£45m

Reading the Q3FY16 trading update from TalkTalk, it is quite interesting to see that the way you choose to communicate and be transparent after a cyber-attack can actually help your brand. Dido Harding, TalkTalk CEO: “In fact trust in the TalkTalk brand has improved since just after the attack and consideration is higher now than it was before the incident.”

Perhaps you are thinking this only happens to the big companies. My company is small and does not really have a lot to steal, so it won't happen here. In reality every company has information that can be turned into a profit for a cybercriminal, such as personally identifiable information (PII), credit card information, customer information, intellectual property, etc. Sometimes you might have information that can be used to break into another company, for example VPN access codes, or it could be information that could be used to intercept the transport of valuables or...

Is ISO 27001 certification just for large organisations?

Is ISO 27001 certification just for large organisations? That is quite often a question raised to me or in various public domains. There is, for example, a discussion going on at the moment on the ISO27000 for information security management LinkedIn forum. In my view the short answer is no. The size of the organisation has no impact on whether ISO 27001 certification is feasible, appropriate or relevant. There might be other things than the size of the organisation that will make it relevant or not, as I will try to discuss later in this blog.

Sometimes the same question is asked without the word “certification”. ISO 27001 on its own is a standard that provides requirements for establishing, implementing, maintaining and continually improving an information security management system. Or, as I like to think of it, it is really just good practice for anyone who has information where they would like to protect the Confidentiality, Integrity and Availability of that information… and honestly, who would not have that need? So I would suggest that any organisation, regardless of size, should get a copy of the ISO 27001 standard and perhaps also the ISO 27002 guideline (code of practice for information security controls). Read these documents and take some best practice into your own organisation.

So what about ISO 27001 certification? Is that feasible for a small organisation? As I have already alluded to above, I don't think size matters when it comes to ISO 27001 certification, and it is definitely feasible for a small organisation to obtain ISO 27001 certification. Of course, reading between the lines of...