Posts Tagged IT security

Data Breach Epidemic Has Huge Implications for Businesses

By Ronnie Moodley, Server Solutions Sales Leader for IBM South Africa

The data that resides on a mobile phone is better protected than the data that resides in most corporate data centres.

Eighty percent of the data on mobile phones is encrypted, according to a 2017 Solitaire Interglobal Ltd. study, because it’s easier to encrypt data on millions of identical devices. Encryption is often largely absent in corporate and cloud data centres because current solutions for data encryption in x86 environments can dramatically degrade performance (and user experiences), and can be too complex and expensive to manage.

A recent study found that extensive use of encryption is a top factor in reducing the business impact and cost of a data breach. To put that in context, the IBM X-Force Threat Intelligence Index reported that more than four billion records were leaked in 2016, which was a 556 percent increase from 2015.

Regulatory bodies are establishing standards in response to growing security concerns. These include:

  • The European Union, for example, has established the General Data Protection Regulation (GDPR), which applies from 25 May 2018 and increases data protection requirements for organizations doing business in Europe. GDPR will require organizations to report data breaches to the supervisory authority within 72 hours of becoming aware of them, and exposes them to fines of up to four percent of annual worldwide revenues or 20 million Euro, whichever is higher. Encryption does not waive those obligations, but where the exposed data was encrypted and the keys were not compromised, the regulation relieves the organization of the separate duty to notify the affected individuals.
  • At the U.S. Federal level, the Federal Financial Institutions Examination Council (FFIEC), which includes the five banking regulators, has provided guidance on the use of encryption in the financial services industry.
  • Singapore and Hong Kong have published similar guidance regarding the use of encryption.
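The GDPR point above turns on one technical property: a stolen copy of the data store is harmless only if the keys are not stolen with it. The following Go program, added here as an illustration and not taken from the article or from IBM Z, shows the usual way an application gets that property: envelope encryption, where each record is sealed under its own data-encryption key (DEK) and the DEK is wrapped under a key-encryption key (KEK) that is assumed to live in a separate key service. Record IDs and contents are constructed sample data; AES-256-GCM is used for both layers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what the data store holds: the body sealed under a per-record DEK,
// plus that DEK wrapped under the KEK. The KEK is assumed to live elsewhere.
type Record struct {
	WrappedDEK []byte // DEK sealed with AES-256-GCM under the KEK
	Ciphertext []byte // body sealed with AES-256-GCM under the DEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce (prepended) and authenticates aad,
// here the record id, so a ciphertext cannot be silently moved to another record.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any bit flip in nonce, ciphertext, tag or aad fails.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// EncryptRecord draws a one-time DEK, seals the body with it, then wraps the
// DEK under the KEK. The plaintext DEK is never persisted.
func EncryptRecord(kek, recordID, body []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, body, recordID)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek, recordID)
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the KEK and then opens the body.
func DecryptRecord(kek, recordID []byte, r Record) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK, recordID)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, r.Ciphertext, recordID)
}

// RotateKEK re-wraps the DEK under a new KEK without touching the body, so
// rotating the master key does not mean re-encrypting every record.
func RotateKEK(oldKEK, newKEK, recordID []byte, r Record) (Record, error) {
	dek, err := open(oldKEK, r.WrappedDEK, recordID)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(newKEK, dek, recordID)
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, Ciphertext: r.Ciphertext}, nil
}

func main() {
	kek := make([]byte, 32) // constructed example KEK; in production fetched from an HSM/KMS
	rand.Read(kek)
	id := []byte("customer:42") // constructed sample record id and body
	rec, _ := EncryptRecord(kek, id, []byte("IBAN=IT60X0542811101000000123456"))
	_, err := DecryptRecord(make([]byte, 32), id, rec) // a thief of the data store has no KEK
	fmt.Println("without KEK:", err)
	body, _ := DecryptRecord(kek, id, rec)
	fmt.Println("with KEK:", string(body))
}
```

Because the record id is authenticated data for both layers, a ciphertext cannot be swapped between records, and RotateKEK shows that replacing the master key only rewraps DEKs. What the code cannot do is protect the KEK: if the key service sits on the same host as the database and shares its credentials, the "keys were protected" condition above is not met and the encryption buys nothing in a breach.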

Three years ago, as IBM began the design process for the next generation of its mainframe, customers from the banking, retail, insurance and healthcare industries asked whether the massive scale of the world’s biggest transaction engine could be extended at the same scale to data security. In the end, more than 150 companies had a say in the development of IBM Z.

The new system is capable of running more than 12 billion encrypted transactions per day and also introduces a breakthrough encryption engine that, for the first time, makes it possible to pervasively encrypt data associated with any application, cloud service or database all the time. The system’s advanced cryptographic capability now extends across any data, networks, external devices or entire applications – such as the IBM Cloud Blockchain service – with no application changes and no impact on business service level agreements.

Building on the capabilities of the world’s most powerful transaction engine at the centre of global commerce today, the IBM Z supports:

  • 87 percent of all credit card transactions and nearly $8 trillion in payments a year.
  • 29 billion ATM transactions each year, worth nearly $5 billion per day.
  • Four billion passenger flights each year.
  • More than 30 billion transactions per day, or more than the number of Google searches every day.
  • 68 percent of the world’s production workloads at only six percent of the total information technology (IT) cost.

Banks and others in the financial services industry process thousands of transactions per second to keep the world’s financial systems running. The mainframe is more critical than ever for reliably handling high volumes of transaction data. Today, 92 of the world’s top 100 banks rely on the IBM mainframe because of its ability to efficiently process huge volumes of transactions.

Addie Buissinne, Executive for Financial Solutions at Emid, a subsidiary of EOH, says they took their retail banking and lending platform (C4) to the cloud 15 years ago on IBM Z because it is highly efficient, scalable and offers unrivalled stability.

They, for example, took a client from first engagement to opening and transacting on 160,000 accounts in just a few months, and this had no impact on the performance level of the mainframe. Given the resilience of IBM Z, they have achieved uptime and stability rates unmatched by any other alternative.

My company believes that organizations should not wait to assess data risks and obligations, and instead, should proactively secure vital data. Businesses should prepare for a broad range of capabilities, which not only include technology, data governance, security and policy, but also people and processes.

Securing data should be seen as an opportunity. The process can accelerate digital transformation, if done properly, by introducing more efficient and integrated data processing. IBM has long held the position that privacy is foundational to trust and investing in a sustainable, governed data asset and data security can be a competitive advantage for businesses.

Article source: https://techfinancials.co.za/2017/08/16/data-breach-epidemic-huge-implications-businesses/

The DC Circuit Finds Standing for Data Breach Plaintiffs: A Deepening Circuit Split or a Growing Trend?

The D.C. Circuit recently ruled that alleged victims of a data breach have standing to pursue claims, notwithstanding that they have not yet suffered any actual harm as a result of the breach. This ruling adds to the prior circuit court rulings that have reached differing results when addressing the standing issue in data breach cases.

Attias v. CareFirst, Inc., presented a regrettably familiar fact pattern: Plaintiffs were the victims of an alleged data breach at health insurer CareFirst, which exposed their personal and medical data. Plaintiffs filed a class action against CareFirst raising eleven state law causes of action on behalf of a class of all CareFirst customers in Maryland, Virginia, and Washington, D.C.

The District Court concluded that Plaintiffs lacked standing and granted a motion to dismiss based on a defense that has become common in data breach cases: a lack of injury as a result of the breach. In other words, the District Court concluded that Plaintiffs’ personal information had not yet been used to their detriment, and the Complaint did not allege facts to support an inference that it was likely to be so used in the future.

The D.C. Circuit rejected this conclusion and reversed the dismissal. In short, the D.C. Circuit disagreed with the District Court’s conclusion that Plaintiffs did not allege a high likelihood of future injury. To reach this conclusion, the D.C. Circuit adopted the straightforward reasoning of the Seventh Circuit finding standing in a prior data breach case: “Why else would hackers break into a … database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”

By finding standing and reversing the grant of the motion to dismiss, the D.C. Circuit joined the Third, Sixth, Seventh, and Eleventh Circuits in finding standing in a data breach case based solely on the likelihood of future harm. This consensus is not universal, however, as both the Second and Fourth Circuits have refused to find standing in data breach cases based on a risk of theft or misuse alone.

This circuit split will persist, if not grow, as data breaches and the litigation they spawn continue and other circuit courts weigh in. This split of authority, coupled with the growing sophistication, scope, and significance of data breaches, makes this issue a prime candidate for review by the Supreme Court in the near future.

For now, defendants facing a data breach case should be cognizant that the forum may make all the difference and would be well-advised to explore all avenues for transfer to one of the more defendant friendly circuits before making their first appearance. And, as always, stay tuned to this space for updates on this evolving area of the law.

Article source: https://www.lexology.com/library/detail.aspx?g=d20216a8-9cba-4e3c-9344-4d2deab3b546

Is Your Small Business Ready to Defend Against a Data Breach?

The average total cost of a data breach in the U.S. has increased from $7.01 million to $7.35 million, according to the Ponemon Institute. The severe financial loss and potential reputational harm caused by a breach is overwhelming for any sized organization, but especially for small businesses that may not have the resources to recover. In fact, one-third of small businesses in the U.S. need up to three years to recover from a data breach, according to the 2017 Shred-it Security Tracker survey conducted by Ipsos. For small businesses that often rely on word-of-mouth and reputation, this means multiple years of reduced business.

“Small business information security is at a pivotal point in time. Between evolving outsider and insider threats, as well as changes to state and federal regulations, when it comes to disclosing breaches, small business leaders must take the time to remain vigilant about their information security needs,” says Kevin Pollack, Shred-it Senior Vice President. “As work ramps up in the fall, it is a prime opportunity for small businesses to engage with employees about security and review their physical and digital risk. Business leaders should also take the time to implement cost effective preventative measures to protect confidential data.”

To help small business owners (SBOs) strengthen their information security protocols and mitigate the risk of fraud, Shred-it has identified five strategies for avoiding data breaches and reputational damage:

  1. Hard Drive Destruction – With so much data being shared in every transaction, it’s no surprise that 80% of office computers contain sensitive corporate information. When it comes to disposing of devices, companies need a reliable process to secure the massive amount of data they contain. Before old devices change hands, the best practice is to remove and safely destroy the hard drive to ensure the information is unrecoverable.

  2. Employee Training – According to the 2017 Shred-it Security Tracker, 38% of SBOs never train employees on information security protocols. But training is one of the easiest ways to protect confidential data. When employees are armed with the knowledge of what can and cannot be done when it comes to handling information, confidential paper documents and electronics are more secure. Regular employee training should be at the very core of every information security program so that all employees are aware of information destruction procedures within the company.

  3. Legal Proficiency – It’s not just companies in highly regulated industries that need to know the ‘ins and outs’ of legal requirements around data protection. Organizations of all sizes must understand their responsibilities for data protection and ensure their practices remain compliant with new laws to protect personal information. Yet, 33% of SBOs never audit their organization’s information security policies or procedures.[1] Small business leaders should consider holding meetings with new employees, as well as refreshers with all employees, multiple times a year. They should also frequently audit information security protocols to ensure they are keeping up with any changes in legislation.

  4. Physical Paper Shredding – Despite movements towards a paperless office, the reality is that many companies still use paper on a daily basis. In order to avoid the risk of a data breach it is important that small organizations implement information security protocols that include a Shred-it All policy. According to the 2017 Shred-it Security Tracker, less than half (49%) of SBOs shred all documents including non-confidential ones. Requiring all paper documents to be shredded removes any uncertainty around what is required to be destroyed and maintains environmental benefits because all shredded paper is recycled.

  5. Storage Accountability – Document management is key to fighting fraud. One of the easiest – yet most overlooked – methods for managing documents is to use locked storage consoles to protect sensitive information that is yet to be shredded or destroyed. SBOs need to have a greater awareness of how to securely store employee and customer data, whether it’s on paper or on a hard drive. Only 13% of SBOs use a locked console and a professional shredding service.[2] This is a shocking statistic considering SBOs are more likely to suffer long-term consequences after a data breach. To thwart insider and outside threats, SBOs should store all sensitive materials in a locked console or cabinet and limit access to the area.

For small businesses, the financial and reputational damage of a data breach can be insurmountable. Small businesses must understand their information security vulnerabilities and take a proactive approach to data management in order to protect their customers, their reputation and their people.

About Shred-it
Shred-it is a world-leading information security company providing information destruction services that ensure the security and integrity of our clients’ private information. Shred-it, a Stericycle solution, operates in 170 markets throughout 18 countries worldwide, servicing more than 400,000 global, national and local businesses. For more information, please visit www.shredit.com

[1] 2017 Shred-it Information Security Tracker Survey: U.S.

[2] 2017 Shred-it Information Security Tracker Survey: U.S.

SOURCE Shred-it

Article source: http://www.prnewswire.com/news-releases/is-your-small-business-ready-to-defend-against-a-data-breach-640726543.html

The Morning Risk Report: Government Can Help Fill Data Breach Information Holes

The cyberinsurance market continues to grow, but issues remain in the collection and dissemination of incident data. Data collection remains scattered and that leaves insurers with only some of the information they need to more effectively write and price coverage. Jacob Olcott, a former U.S. Senate and House legal advisor and now a vice president […]

Article source: https://blogs.wsj.com/riskandcompliance/2017/08/16/the-morning-risk-report-government-can-help-fill-data-breach-information-holes/

Reflections following the UniCredit Data Breach

The Breach 

Last month, Italy’s largest bank, UniCredit, confirmed that it had fallen foul of a security breach, impacting approximately 400,000 of its customers. Whilst the breach was apparently only discovered by the bank last month, the first breach took place as early as September and October 2016, with another more recent attack in June and July of this year.   

Whilst no unauthorised transactions are recorded as having taken place, nor have passwords been affected, the attackers may have accessed customers’ personal details along with their International Bank Account Numbers (IBANs). In its press statement following the attack having been discovered, UniCredit explained that the breach had occurred due to unauthorised access through an unnamed third party provider.   

Real and immediate threat 

Unfortunately, the threat of a cyber-attack is becoming increasingly varied, common and difficult to predict as ever-creative hackers think of new ways to penetrate organisations’ defences and often outdated IT systems. In the past year alone, we have seen a number of notable cyber-attacks, including both the WannaCry and Petya-related ransomware attacks, in addition to the UniCredit data breach. More recently, HBO (the US production company responsible for Game of Thrones) has reportedly received threats to release stolen, unaired episodes and cast members’ personal details if a Bitcoin ransom is not paid.

In Gowling WLG’s online research of 999 large SMEs in the UK, France and Germany, it was made evident that only 65% of UK businesses see ransomware as a high risk to their business, compared to 82% of German and 77% of French businesses.   

Companies and institutions can no longer afford to ignore the threat of cyber-attacks, for reputational and business continuity reasons, as well as from a legal perspective. Given the extension to the data protection regulations coming into force in May 2018, with the new General Data Protection Regulation (GDPR) legislation, the need to take action now is all the more acute.    

Supply chain risks 

The Department for Culture, Media and Sport (DCMS) recently released the results of its Cyber Security Breaches Survey 2017. One of the headlines from the survey of 1,523 businesses was that 19 per cent were worried about their suppliers’ cyber security, but only 13 per cent had required suppliers to adhere to specific cyber security standards or good practice. Whilst we do not know the specific details, UniCredit mentions the involvement of a third party provider in the recent attack it suffered, which highlights that organisations should bear in mind cyber security risks from outside the business as well as within.

The results of the DCMS survey suggest that, generally speaking, much more can be done and all companies and institutions should review the arrangements they have in place.    

Wrongdoer unidentified   

One of the challenges for victims of hackers is that in the case of cybercrime, not uncommonly, it may not be immediately apparent who is responsible, as compared to frauds and other wrongdoing. It has been reported that UniCredit does not know who was behind the attacks, despite having undertaken, one would expect, an extensive investigation once the breaches were discovered. This serves as a reminder that the available options for seeking compensation in the event of a cyber-attack may be limited. 

Even if the wrongdoer can be identified they may well not have the assets to be worth pursuing. Claims may be possible against third party providers if any are caught up in the incident, as may be the case with the UniCredit breach, but that will depend on the terms of any relevant contracts. Losses may be covered by insurance policies, but as the scale and potential impact of cyber-attacks increase, whether adequate cover will be available at affordable premiums remains to be seen. Depending on the policy wording, some losses may not be covered by insurance. In any case, there are uncertainties around the recoverability of fines under insurance policies, for public policy reasons.    

Increased penalties under the GDPR 

Data controllers already risk potential claims from individuals in the event of a data breach and the prospect of regulatory action, in the UK under the Data Protection Act 1998.  

However, from May 2018 the GDPR will apply to processing of data carried out by organisations operating within the EU. It will also cover organisations outside the EU that offer goods or services to individuals in it. The Regulations will increase companies’ responsibilities and requirements to protect personal data and oblige them to notify (to a relevant supervisory authority) within strict timescales, a breach likely to result in a risk to the rights and freedoms of individuals. Individuals may also need to be notified depending on the likely risks from the breach. It will also impose tough penalties for failing to comply – depending on the breach of the Regulations, fines of up to four per cent of global annual turnover for the previous financial year or €20 million, whichever is higher, can be imposed.      

Individuals who have suffered material and non-material damage as a result of an infringement of the Regulations will be entitled to compensation from the data controller or the data processor, and the controller and processor are jointly and severally liable. The ability to claim non-material damage means that individuals can pursue claims for distress, even where they have not suffered a financial loss. Controllers and processors who have infringed the Regulations, and also any processors that have breached the data controller’s lawful instructions, will only escape liability if they can show that they are not in any way responsible for the event giving rise to the damage.    

Given the new laws and potentially much heftier sanctions in the event of future data breaches, companies and institutions should already be planning and taking steps to ensure compliance. Those steps should include putting in place a breach team and training them to respond to incidents. Incident response plans should also be revisited and evaluated in response to any incident that arises, and revised appropriately where necessary.   

Helen Davenport, Director at Gowling WLG 

Article source: http://www.itproportal.com/features/reflections-following-the-unicredit-data-breach/

,

No Comments

Reflections following the UniCredit Data Breach

The Breach 

Last month, Italy’s largest bank, UniCredit, confirmed that it had fallen foul of a security breach, impacting approximately 400,000 of its customers. Whilst the breach was apparently only discovered by the bank last month, the first breach took place as early as September and October 2016, with another more recent attack in June and July of this year.   

Whilst no unauthorised transactions are recorded as having taken place, nor have passwords been affected, the attackers may have accessed customers’ personal details along with their International Bank Account Numbers (IBANs). In its press statement following the attack having been discovered, UniCredit explained that the breach had occurred due to unauthorised access through an unnamed third party provider.   

Real and immediate threat 

Unfortunately, the threat of a cyber-attack is becoming increasingly varied, common and difficult to predict as ever-creative hackers think of new ways to penetrate organisations’ defences and often outdated IT systems. In the past year alone, we have seen a number of notable cyber-attacks, including both the Wannacry and Petya-related ransomware attacks, in addition to the UniCredit data breach. More recently, HBO (the US production company responsible for Game of Thrones) has reportedly received threats to release stolen, unaired episodes and cast members personal details if a Bitcoin ransom is not paid. 

In Gowling WLG’s online research of 999 large SMEs in the UK, France and Germany, it was made evident that only 65% of UK businesses see ransomware as a high risk to their business, compared to 82% of German and 77% of French businesses.   

Companies and institutions can no longer afford to ignore the threat of cyber-attacks, for reputational and business continuity reasons, as well as from a legal perspective. Given the extension to the data protection regulations coming into force in May 2018, with the new General Data Protection Regulation (GDPR) legislation, the need to take action now is all the more acute.    

Supply chain risks 

The Department for Culture Media Sport (DCMS) recently released the results of its Cyber security breaches survey 2017. One of the headlines from the survey of 1523 businesses was that 19 per cent were worried about their supplier’s cyber security, but only 13% had required suppliers to adhere to specific cyber security standards or good practice. Whilst we do not know specific details, UniCredit mentions the involvement of a third party provider in the recent attack it suffered. This highlights that organisations should bear in mind cyber security risks from outside the business as well as within.

The results of the DCMS survey suggest that, generally speaking, much more can be done and all companies and institutions should review the arrangements they have in place.    

Wrongdoer unidentified   

One of the challenges for victims of hackers is that in the case of cybercrime, not uncommonly, it may not be immediately apparent who is responsible, as compared to frauds and other wrongdoing. It has been reported that UniCredit does not know who was behind the attacks, despite having undertaken, one would expect, an extensive investigation once the breaches were discovered. This serves as a reminder that the available options for seeking compensation in the event of a cyber-attack may be limited. 

Even if the wrongdoer can be identified they may well not have the assets to be worth pursuing. Claims may be possible against third party providers if any are caught up in the incident, as may be the case with the UniCredit breach, but that will depend on the terms of any relevant contracts. Losses may be covered by insurance policies, but as the scale and potential impact of cyber-attacks increase, whether adequate cover will be available at affordable premiums remains to be seen. Depending on the policy wording, some losses may not be covered by insurance. In any case, there are uncertainties around the recoverability of fines under insurance policies, for public policy reasons.    

Increased penalties under the GDPR 

Data controllers already risk potential claims from individuals in the event of a data breach and the prospect of regulatory action, in the UK under the Data Protection Act 1998.  

However, from May 2018 the GDPR will apply to processing of data carried out by organisations operating within the EU. It will also cover organisations outside the EU that offer goods or services to individuals in it. The Regulations will increase companies’ responsibilities and requirements to protect personal data and oblige them to notify (to a relevant supervisory authority) within strict timescales, a breach likely to result in a risk to the rights and freedoms of individuals. Individuals may also need to be notified depending on the likely risks from the breach. It will also impose tough penalties for failing to comply – depending on the breach of the Regulations, fines of up to four per cent of global annual turnover for the previous financial year or €20 million, whichever is higher, can be imposed.      

Individuals who have suffered material and non-material damage as a result of an infringement of the Regulations will be entitled to compensation from the data controller or the data processor, and the controller and processor are jointly and severally liable. The ability to claim non-material damage means that individuals can pursue claims for distress, even where they have not suffered a financial loss. Controllers and processors who have infringed the Regulations, and also any processors that have breached the data controller’s lawful instructions, will only escape liability if they can show that they are not in any way responsible for the event giving rise to the damage.    

Given the new laws and potentially much heftier sanctions in the event of future data breaches, companies and institutions should already be planning and taking steps to ensure compliance. Those steps should include putting in place a breach team and training them to respond to incidents. Incident response plans should also be revisited and evaluated in response to any incident that arises, and revised appropriately where necessary.   

Helen Davenport, Director at Gowling WLG 

Image Credit: Balefire / Shutterstock

Article source: http://www.itproportal.com/features/reflections-following-the-unicredit-data-breach/


UK Retail Data Breach Incidents Double in a Year

The number of UK retailers experiencing data breaches has doubled over the past year, according to new stats shared by law firm RPC.

The City-based firm claimed that the number of breaches reported to data protection watchdog the Information Commissioner’s Office (ICO) increased from just 19 in 2015/16 to 38 in 2016/17.

Contrary to some headlines making the news, this doesn’t necessarily mean an uptick in malicious activity by third parties; breaches can commonly be caused by employee error, negligence or deliberate actions.

Nevertheless, the stats highlight a growing problem for the UK’s retailers, and the need for further investments in cybersecurity, according to RPC.

Partner Jeremy Drew argued that cost pressures, including rates and minimum wage increases and the declining pound, can often take precedence.

“Retailers are a goldmine of personal data but their high-profile nature and sometimes aging complex systems make them a popular target for hackers,” he added.

“As the GDPR threatens a massive increase in fines for companies that fail to deal with data security, we do expect investment to increase both in stopping breaches occurring in the first place and ensuring that if they do happen they are found quickly and contained.”

David Kennerley, director of threat research at Webroot, argued that retailers need to focus both on their internal security and on ensuring customers stay safe online.

“Retailers need to keep PoS software up-to-date and deploy threat protection and detection on these devices, while not forgetting the importance of the physical security of PoS systems. Where possible, two-factor authentication should be used internally and by their customers. Online transactions should always require that the CVV number is entered by the customer for every transaction,” he said.

“Retailers need to make sure all data that they store and transmit is encrypted, access is only given to those within the organization that need it to perform their job and at the same time ensure any third-party entities are maintaining the same high standards.”

Sports Direct and Debenhams Flowers are just two well-known brands breached over the past year.

Article source: https://www.infosecurity-magazine.com/news/uk-retail-data-breach-incidents/
