The new General Data Protection Regulations (GDPR) which came into effect in 2018 meant some big changes in the way businesses collect and handle personal data. The idea behind the new legislation is to give individuals better access and control over their own personal data. While this is great news for individuals, it requires a little extra work from businesses who must now provide legal grounds for collecting data and must only use it for the intended purpose. What’s more, they need to follow these regulations to the letter and remain GDPR compliant at all times.
This applies to companies of all sizes – even your small business. If you collect personal data in any form, such as emails, addresses, names or financial details, your business needs to be GDPR compliant. If it’s found that you’re not effectively managing and protecting your data you could face a big fine. Though regulators may be a bit more lenient with smaller businesses depending on how much data you hold, an unwanted fine is always bad news. That’s why we’ve put together this checklist to help ensure your small business is GDPR compliant. In this guide we’ll look at:
- Understanding your data and responsibilities
- Defining your data consent policy
- Access requests and disposing of old data
- Setting up a data storage and security policy
- Training all staff on GDPR
- Creating data processing notices
The way we work and the spaces we work in have evolved considerably in the last fifty years. Corporate culture is nothing like what it used to be back in the 80’s and 90’s. Cabins and cubicles have given way to open offices. Many in the work-force today prefer to work remotely and maintain flexible hours. As such, hot-desking is common in many multi-national companies including those who have large office spaces. As the start-up culture evolved, there was a need for multiple small offices. This growing breed of self-employed professionals and start-up owners need other resources that are commonly required in the office environment like printers, shredders, Wi-Fi, meeting rooms, video-conferencing abilities etc . They also need a common place to meet people, network and exchange ideas because working solo could be monotonous at some time. Co-working has provided an all-in-one solution for the needs of such individuals and small groups of people by providing a common space where equipment and utilities could be shared between businesses who rent the space. Co-working spaces have thus become very popular across the world and especially in cities where real-estate is very expensive. According to statistics the number of co-working spaces has increase by 205% between 2014 and 2018
Medical IoT devices operate in care facility environments that encompass care giving, case management, customer service, and clinic management. As such, the risk of data gathered and managed by medical devices extends beyond the device itself. A compromise of clinic management services can propagate to IoT device command and control, allowing compromise of devices in attacks that do not directly touch the device at all. This is clearly the major driver for the emerging category of “Medical IoT (IoMT) Cyber Security ”
A large hospital for examples could be home to as many as 85,000 connected devices. While each of these devices has a significant role in the delivery of care and operational efficiency, each connected device also opens the door to a malicious cyberattack. A recent report from Irdeto, found that 82 percent of healthcare organizations’ IoT devices have been targeted with a cyberattack within the last year.
Going over the players in this industry, it is clear that the Medical IoT security category includes a number of different approaches with the common target to provide the customer with a clear assets discovery and timely alerting on security breaches and attacks on its Medical environment.
Although many large security players are addressing this niche too, CyberDB identified a number of emerging players that are focusing on this industry and as such we expect them to benefit from the growth in this market. These players are (in alphabetical order):
“I’ve read that my web hosting provider’s website that they have a good security solution in place to protect me against hackers.”
This is a pretty common answer that a lot of bloggers and small business owners gave me when I ask them if they know about how secure their web hosting is. Also, they often add that their budgets are pretty tight so they’ve chosen to go with “an affordable provider.” By “affordable,” of course, they mean ‘ridiculously cheap.”
Come on, people.
Do you really think that a cheap web hosting has everything in place to stop a website attack? Do you think that they will protect you from all types of hacker attacks?
While I don’t know everything about how web hosting providers choose security solutions, I can tell you with some confidence that a lot of them have laughable solutions.
Industrial espionage is a much more common occurrence than many people realize. As a business grows and begins to compete at a higher level, the stakes grow and their corporate secrets become more valuable. It isn’t just other businesses that might want this information, hackers who think they can sell the information will also be sniffing about.
Even if you can’t eliminate the risk entirely, there are certain things you can do to reduce the risk of a security breach in your business.
Amazon Web Services (AWS) offers a huge variety of benefits for businesses, and organisations are increasingly opting for cloud solutions for their data, website, and applications. However, there are still some businesses using AWS that have not put the proper cyber security controls in place. Here we take a look at ten great tips to improve your AWS cyber security.
- Understand your responsibilities
When you work with any kind of web services provider you need to understand what you are responsible for and what will be managed by the provider. This is absolutely true in terms of AWS – where Amazon runs its so-called ‘shared responsibility model’. In this model AWS is responsible for protecting the infrastructure of the AWS cloud system including hardware, software, and networking.
On the other hand, you as the customer is responsible for customer data, identity and access management, firewall and anti-virus configuration, and issues such as data encryption. It can sometimes be necessary to work with outside agencies to manage your own cyber security.
According to 2017 reporting, Major League Baseball believed that the Boston Red Sox, at the time in first place in the American League East, used the Apple Watch to illicitly steal hand signals from opposing teams. Allegedly, the Apple Watch was used to not only “steal” hand signals from opposing catchers in games using video recording equipment, but transmit the information likely to team trainers. The theft of such information would help determine the type of pitch that was going to be thrown. The recording of signals is strictly forbidden by league rules.
When it comes to targeting billion-dollar sports franchises, many would assume that cyber crime would be the foremost cyber actors behind the scenes. Based on a 2015 report that estimated the professional sports market in North America to have an expected worth of $73.5 billion by 2019, it’s easy to see why. Indeed, there have been several incidents where cyber crime operations have focused on professional sports teams. In April 2016, the National Basketball Association Milwaukee Bucks players had their financial documents (player addresses, Social Security Numbers, and compensation) accidentally leaked due to a team employee falling victim to an e-mail scam. The employee released players’ 2015 IRS W-2 documents to an emailer impersonating the team’s president. Also in 2016, a crippling TeslaCrypt ransomware attack impacted a NASCAR racing team. An estimated $2 million worth of information was potentially lost prompting payment of the ransom to the criminals.
Recently, the U.S. Federal Trade Commission (FTC) is investigating whether Facebook, Inc. used personal data by an analytics firm associated with the Trump campaign. Specifically, the FTC is trying to determine if the company violated terms of an earlier consent decree when 50 million users’ data was transferred to Cambridge Analytica, a data and media consultancy firm. To date, Cambridge Analytica has been accused of misrepresenting the purpose of some of its data mining, which yielded something like 30 million Facebook profiles it could comb for data. This calls into question how consumer information is shared with other entities, particularly when consent was not provided.
Social Media & GDPR
This revelation has called into question how social media sights harvest the personal information from their platforms. As one article pointed out, “Some large-scale data harvesting and social manipulation is okay until the election. Some of it becomes not okay in retrospect.” This is indeed troubling in a time when personal information is constantly used by malicious actors for monetization purposes or used in support of the conduct of other operations (e.g., social engineering, spam, phishing, credential theft, etc.). A recent report by a content marketing agency revealed that Facebook logins can be sold for USD $5.20. Such access provides a criminal to a compromised individual’s contact list to target other individuals. According to the same report, an individual’s entire online identity – to include personal identifiable information and financial accounts – could be sold for USD $1,200.00. After initially denying the claim, Facebook acknowledged the breach and promised to take action.
According to recent reporting, a suspected nation state hacker group with alleged ties to the Iranian government issued death threats to researchers that had detected their cyber espionage activity. The researchers were checking a server that they believed to be associated with a specific data breach when they received the message “Stop!!! I Kill You Researcher.” According to the same report, the server was apparently attached to the attackers’ command-and-control infrastructure. Active since 2015, the group known as “MuddyWaters” has been observed targeting organizations in Georgia, India, Iraq, Pakistan, Saudi Arabia, Tajikistan, Turkey, and the United States. Recently, MuddyWaters has been observed targeting oil and gas entities in the Middle East. Notably, the group is believed to employ “false flag” operations – similar to what was believed to have been done during the recent Olympics – in which it adopted some of the tactics, techniques, and procedures (TTP) of suspected Chinese hackers to obfuscate the group’s true identity.
On the surface, the threat made against the researchers can be viewed as knee-jerk reaction to being tracked by the private sector. But this does raise the possibility of what hostile actors may resort to in the future. The private sector computer security has been aggressively investigating the activities of suspected nation states actors since 2004 when the first report published the activities of a Chinese state entity. Since that time, several subsequent reports have been provided to the public detailing “advanced persistent threat” operations detailing TTPs and targeting that have ultimately been attributed to specific nation state actors. While the standard public reaction of these governments has been to refute or deny the claims, citing the difficulties in providing adequate evidence that supports attribution, sanctions and alleged retaliatory strikes have been know to occur as a result of these accusations.
Unsurprisingly, the healthcare sector continues to be an attractive target as data stolen continues to provide value to a diverse threat actor set. Indeed, criminals and those actors associated with traditional cyber espionage activities have conducted some of the more news garnering incidents over the past few years. What’s more, depending on the actors’ intent, all types of information have been sought after and stolen by these groups and individuals to include financial and insurance-related information, personal identifiable information, and even the health records of patients. The targeting of these different types of data should demonstrate to the healthcare industry that there is no seemingly benign data when it comes to healthcare and that strategies must be designed to safeguard any and all types of data that relate to patients and their care treatments.