Latest News

The GDPR and the rules for you, the ‘Data Subject’

Confused about the GDPR? Surely not… With so many blogs and training courses, everyone is an expert. But do you really understand the GDPR and the rules for you, the ‘Data Subject’?

So when the GDPR comes into force (in May 2018) our data will be better controlled and handled… right?

Based on the many businesses and people we talk to, it is clear that there is still a huge lack of understanding about personal data, the GDPR and why that data needs protecting.

For this reason, it is wise for all of us, as data subjects, to grasp for ourselves what the GDPR is and what is happening to OUR data. Only then can we begin to understand the true consequences for our organisations.

At the heart of the new legislation is a simple principle: organisations and businesses that use our data for their own purposes should do so securely, lawfully and with our full knowledge.

However, it seems to me that increasingly our data is being used without our knowing or understanding, especially when we enter our details online. It is therefore imperative that we become the guardians and custodians of our own data.

Watch out when entering your data online

It is unfortunately true that we have all become very trusting of organisations and businesses who ask us, so innocently, for our data online. They expect us to have read the pages of small print in their T&Cs or data privacy policy. They even ask us to tick the boxes that say either that we ACCEPT the terms or that we have read the T&Cs. But so trusting are we that, in my experience, we accept or agree to these terms without ever having read them!

This means we do not know what we have allowed the data controllers to do with our data. For many businesses, aside from perhaps some behavioural analytics on how we use their website or some legitimate direct marketing, there may be no intention to make gains from our data. BUT as they have it in their possession, can we be certain? What we do know is that we are giving away our details too easily, without challenge and without knowledge of how they will be used or processed. All on the basis of trust.

The GDPR and the rules for you, the ‘Data Subject’ – nothing is free.

Now my late mum always said that nothing in life comes for free. But online we get so many free apps or offers. We expect free wifi in bars, restaurants, hotels and even on the train. So, are they really free? Unless you have read the T&Cs or data policy, or have been told what happens to your data, then you cannot really know. My experience is that these free apps and offers tend to use and sell our data, so while we get something for nothing, they make money out of our personal data without us really knowing.

A fair trade? In my opinion, unfair if we do not know they are selling it or who they are selling it to… and we wonder why we get so much trash email!

A very recent example shows yet again how we hand over data and, without challenging it, do not know what happens to it:

The GDPR and the rules for you, the ‘Data Subject’ – my local car dealership

My car recently went into the dealership for some work; they needed it for a couple of days, so I organised a loan car. This is a major, reputable car manufacturer and retailer, who asked me to bring my driver’s licence as it was needed for the loan car insurance. On collecting the vehicle, I handed over my licence and the very friendly chap wandered off to take a photocopy.

On his return, I asked, “Why have you taken a copy of my driver’s licence?”

“It’s our policy and needed for the insurance.”

My follow-up question: “So what happens to the copy after I return the loan car?”

“It will just stay in your customer file, probably collecting dust.”

At the same time this was happening I clocked another of the car dealership staff photographing my car.

“Why is he taking pictures of my car?”

“We need this as evidence to show any damage ahead of us doing the work.”

“So, what happens to the photographs…?”

You get the gist.

Now, as I challenged him, he did say that they would delete the records if I so desired… but let’s be clear: he didn’t know why this data was being taken or stored, nor whether it would later be used. He was just doing what he had been asked to do.

How the GDPR changes the rules for you, the ‘Data Subject’

The GDPR will change this. It requires that I am told these things by the car dealer at the point the data is collected: what is being collected, why, on what basis, how long it will be kept and who it will be shared with. Therefore the chap I met would need to be trained to explain to me, as a customer, the what’s, why’s and how’s of how they will manage, protect and process my data. However, can we trust that this will happen in all cases?

That is why it is better for us, as data subjects, to look after our own interests and to drive the change that the new regulation provides, ensuring that the businesses we trust with our data are meeting the new legal requirements. In doing so, the risk of our data being stolen from that car dealer for identity fraud or other purposes is greatly reduced.

My advice is therefore to challenge and understand what is happening with your data now. Why do they need my date of birth or my gender for an online purchase? What will you do with my records after I accept? Make sure you ask, and they should be able to tell you.

AND definitely make sure you start to read T&Cs before ticking the AGREE boxes (even if you only dive into the data privacy policy). It’s not great bedtime reading, but it will keep you safer so you can at least sleep at night!


If you would like to find out how we can help your organisation to prepare for the forthcoming regulations, then please email us at info@riskevolves.com or give us a call on 01926 800710.

What is Cyber Essentials?

For the third successive year we have recertified to Cyber Essentials and IASME, and in the same week we assisted two other companies to achieve their Cyber Essentials certifications. So just what is Cyber Essentials?

Regular readers of our blog will know that we are passionate about the value that this scheme can deliver to organisations regardless of size and sector. And we’re not alone in realising this, as the growing number of organisations who have certified demonstrates.

By certifying, some companies can experience an 80% reduction in their risk of suffering a cyber breach.

The History of Cyber Essentials

Back in 2013 the UK Government recognised that, despite having issued ‘10 Steps to Cyber Security’ the year before, organisations were continuing to experience security breaches.

In conjunction with industry, analysis was undertaken to understand the root causes of those breaches, and from this the Cyber Essentials scheme was born (launched in June 2014). It focuses on five technical controls:

  • Boundary Firewalls and Internet Gateways
  • Secure Configuration
  • Access Control
  • Malware Protection
  • Patch Management

How does Cyber Essentials help my business?

The scheme is a self-assessment questionnaire which is reviewed by a certification body; the question set is publicly available. Cyber Essentials Plus adds an independent technical verification of the same controls.

Still not convinced? Elizabeth Denham (UK Information Commissioner) recognised the value that Cyber Essentials can deliver in protecting data, and its relevance in preparing for the GDPR, when she delivered a speech in January 2017 saying:

The ICO has already produced guidance for SMEs on IT security and I would also recommend consideration of the government’s cyber essentials scheme to assist in identifying the actions you need to take. You can expect to see more guidance on this in the context of GDPR.

Three months later, Matt Hancock (then Minister for Digital) reiterated the advice on Cyber Essentials when speaking to the Institute of Directors, saying that

‘if you’re not concentrating on cyber, you are courting chaos and catering to criminals’

…and went on to say that:

“For getting the basics right, we created the Cyber Essentials scheme. GCHQ analysis shows the vast majority of cyber attacks exploit basic, known vulnerabilities, like passwords and admin access policies. Cyber Essentials shows you how to address those vulnerabilities. It’s simple, low cost and specifically designed for SMEs. All firms which rely on the internet should have Cyber Essentials – as a minimum.”

Why is Cyber Essentials Important?

The Government considers this so important that central government now requires all of its suppliers which handle certain sensitive and personal information to hold a Cyber Essentials certificate.

Importantly, it’s affordable. The certification costs just £300 and, if you certify through an IASME certification body, comes with free cyber insurance as well. For charities, there is a discounted scheme running for a short period in September 2017, reducing the certification fee to £225.

So instead of the question being why would you certify to Cyber Essentials, perhaps the more appropriate question is why wouldn’t you ?

After all, you wouldn’t buy a holiday from a company that wasn’t ABTA/ATOL registered, or ask someone to install a gas appliance without being Gas Safe (formerly CORGI) registered, so why would you buy goods or services from a company that wasn’t Cyber Essentials certified? Turn the risk of a breach into a real opportunity and certify to differentiate your organisation from others in your industry.

How can I get help with Cyber Essentials?

So how can we help? If you’ve read the questions and don’t know your patches from your passwords, or your firewall from your router, then don’t worry, help is at hand. We pride ourselves on guiding organisations through the certification process and making it (in the words of one of our clients) a painless process!

Give us a call on 01926 800710 or email us at info@riskevolves.com and we’d be delighted to help.


Who Is Responsible For GDPR?

Just who is responsible for GDPR in a company?… Everyone starting at board level down…

GDPR In The Press

There was a flurry of press coverage, interviews, radio and TV coverage recently as the ICO began their campaign to make businesses and other organisations aware that there are now fewer than 200 working days until the EU General Data Protection Regulation (EU GDPR) applies and the new UK Data Protection Act takes effect on 25th May 2018.

But here at Risk Evolves HQ we sighed with frustration and gnashed our teeth that the wonderful BBC continue to report this as a technology story.

Once more the responsibility for all things data-related is expected to fall on the shoulders of the much-maligned IT department or provider. As we have highlighted previously, the entire organisation has a responsibility.

Who Will Be Affected By GDPR?

The EU GDPR will touch every aspect of the organisation, and it is important that organisations begin to work on a strategy now. We very deliberately say ‘organisation’, as the new law applies to all organisations: commercial, public sector, charities, not-for-profit, education, SMEs, sole traders. You name it, it is likely to affect you. In brief, anyone who collects and processes personal data, regardless of the organisation’s sector or size, and regardless of whether the data is digital (i.e. on a computer) or on paper.

The golden rule: if you hold data that can identify an individual, then that data is personal. This could be a name, address, IP address, fingerprint, etc. Personal information needs to be treated and respected in the same way as any other company asset, with care and respect, protecting it from damage or theft.

Why is GDPR more than just an IT Manager’s Issue?

  • Human Resources / Personnel: they should manage starters and leavers, ensuring that new-starter information is correctly handled and that employment contracts and induction programmes make individuals aware of their responsibility to manage data as an asset. They may need to gain consent from the individual for DBS checks and DVLA checks, and gain authorisation to process data for payroll, reassuring them that it will not be misused. If you provide information to pension providers, or to companies that provide healthcare benefits, are their systems secure? What are they doing as data processors to protect individuals’ information?
  • Training: the ongoing education and training of staff to ensure that they understand how data can and cannot be handled. This needs to include information on what to do if they think that they have lost data.
  • Procurement: they should ensure that any third parties who may be used to process data follow the same ethos, that the data is protected and not shared with others, and that only the information that is required is passed to them. Equally, if a supplier loses data, suffers a ransomware attack or suspects that their systems have been compromised, how will this be communicated to you as the data controller? And if you have outsourced your IT, does the provider have the correct processes and systems in place to manage your data securely?
  • Legal: are the contracts in place with customers and suppliers robust enough for the new era?
  • Marketing: as under the current legislation, marketing has to change to ensure that only customers who have positively opted in to campaigns (both online and postal) receive them.
  • Security: are the office and other premises secure? How are physical media (i.e. paper, old laptops, etc.) destroyed?

…. The list goes on ..

Management NEED To Take Ownership Of GDPR

Absolutely key, however, is that the management team demonstrate to customers and employees that they are serious about the new legislation by taking ownership of it and ensuring the resources are available to support it. This responsibility cannot be abdicated, and in some instances they will need to appoint a Data Protection Officer who reports directly to the Board.

This is clearly not solely a technology challenge! It is possible to avoid the over-reported threat of fines by taking some straightforward and pragmatic steps now.

We understand that these changes all sound daunting, regardless of the size, sector or turnover of your organisation. However, help is at hand. Contact us to find out how the new legislation and regulations apply to your organisation, and for information on our no-nonsense approach to becoming compliant.


NHS Cyber Attack

What is the NHS Cyber Attack?

Today (12th May 2017) news broke of a massive cyber attack that has had a catastrophic impact on our NHS, leading to a major incident being declared.

Operations have been delayed or cancelled, patients’ discharges and admissions have been delayed, prescriptions have not been issued, A&E has been disrupted… the impact of the NHS cyber attack continues and, sadly, there is a real risk that lives may be jeopardised.

Was the NHS Cyber Attack targeted?

According to BBC News, the attack does not appear to have been limited to the UK, with 70+ other countries impacted. A major ransomware attack has unfolded, impacting thousands of users.


The 4 Essential Business Risks Every Business Owner Must Know

Whether you are an SME or an international corporation, you are exposed to business risks on a daily basis. Unfortunately, no business is immune, regardless of its size or industry presence. Risks and issues come in many forms, including financial, operational, supply chain and cyber. Each type of risk or issue can be as detrimental to a business as the others.

The word risk seems to be becoming commonplace in our daily conversations both in and out of the office. The concepts of risks and issues can seem confusing, and the terms are often used interchangeably. Those in the know are guilty of assuming that people know what risks and issues are and how much they can impact a business.


What Are The Consequences Of Not Complying With The GDPR?

So what are the consequences of not complying with the EU General Data Protection Regulation?

I recently wrote a blog ‘What is GDPR and why do you need it?’ to highlight the real meaning behind why data protection is changing.

The UK Government and the Information Commissioner’s Office (ICO) have said that no new legislation will be introduced to cover the growing threat of cybercrime, as addressing it is a business owner’s responsibility.

What they will enforce, though, is legislation about the use of data. If data is properly protected, then at the very least a cyber attack should not leave personal data exposed.

What Are The GDPR Fines Or Punishment?

So the focus is on the GDPR, and the penalties for non-compliance are eye-watering:

  • Infringement of the data protection principles, the lawfulness of processing and consent conditions, the special-category data rules, data subjects’ rights or the international transfer rules (Articles 5, 6, 7, 9, 12 to 22 and 44 to 49) carries a fine of up to €20M or up to 4% of total worldwide annual turnover of the preceding financial year, whichever is greater.
  • Infringement of the controller and processor obligations (Articles 8, 11, 25 to 39, 42 and 43) carries a fine of up to €10M or up to 2% of total worldwide annual turnover of the preceding financial year, whichever is greater.

In summary, we know that the GDPR is coming, that it will apply from May 2018, that it is important, that it should not be ignored and that there will be some pain if we fall short.

You need to comply with the GDPR, so the question is…

What is GDPR and why do you need it?

Why Do We Need the EU GDPR?

The European Union General Data Protection Regulation (or EU GDPR for short) replaces the regime established by the current UK Data Protection Act. It will impact every business and how we deal with data online.

The current Data Protection Act was passed in 1998 and has improved the way businesses control our personal and sensitive data.

Increasingly if you are like me, you find yourself questioning on a daily basis, why more and more people are able to gain my details and send me junk mail and spam, or monitor my activity on websites.

How is this possible if I have ticked the TPS exclusion boxes or put exclusions on my BT line?

The fact is that data protection requirements were written for a different time, so what was a compliant use and retention of data is now not fit for purpose.

Perhaps the legislation was not unreasonable in 1998…….

Where were you 20 years ago? You may have had a computer with a floppy disk and a processor far less powerful than a mobile device today.

I still have my BBC commodore so can quickly prove this to be true!!

  • There was no Facebook, no Google, no Twitter and no Instagram, to name a few.
  • An iPad didn’t exist; a tablet was still something prescribed by your doctor.
  • Robotics amounted to watching K-9 on Doctor Who!

In fact, everything was different … including control and access to data.

Bring the clock forward to a far more technologically advanced world…


What is skimming?

As you know, we’re passionate about the role that people and processes have to play in the fight against cyber crime. But seriously, what is skimming?

This week, we had a stark reminder of just how easy it is to become a “victim”.

One of the team was idly flicking through the police feed on Twitter… obviously working hard… well, sort of!

The police tweeted the discovery of a skimming device on an ATM in the local area.

Small Business Cyber Security

There is a dangerous trend emerging in small business cyber security…

So many SMEs like you are working in the belief that “it won’t happen to me..”

But as we enter 2017 you cannot get away from the continued warnings about cyber risk and cyber threats; the amount of information is frightening.

Are you carrying on with known or unknown weaknesses in your businesses systems and processes?

If you know the weaknesses, then you only have yourself to blame; but the scariest problem is the weaknesses you don’t know about that make you vulnerable to a cyber attack.

The Landscape of Small Business Cyber Security

The landscape for cyber threats is rapidly changing, as is the nature of the cyber criminal.

No longer is it a chancer trying to hack your system because they can.

Now it’s just as likely to be an organised professional criminal with multi-millions as the prize; and of course the more they gain, the better and bigger their cyber and hacking capabilities become.

Stats released for 2016/2017 around cyber threats were astonishing, in particular the growth in the last three months of the year.

6 Tips To Improve Your Business Resilience In 2017: A New Year Resolution

Well it’s that time of the year again when we all make promises to ourselves that we will do something different in the new year:

  • join the gym,
  • stop smoking,
  • stop drinking,
  • reconnect with friends that we haven’t seen for some time, etc.

Here at Risk Evolves HQ we’ve been discussing the New Year’s resolutions you should consider for your business.

One thing is for sure: 2017 is going to be filled with change…

  • What will the terms of Brexit be when Theresa May invokes Article 50, and how will they impact the UK?
  • Will inflation in the UK rise as predicted by Mark Carney?
  • What will the new policies of President-Elect Trump mean for the world?
  • How will the general elections to be held in the Netherlands, France and Germany impact Europe?
  • Will the current peace plan negotiated by Russia for Syria hold?
  • How will the continuing cyber threat impact the UK and the overall global economy?

Unfortunately, no one has a crystal ball to predict the future…

At Risk Evolves we much prefer to focus on the items that we can influence, and to keep a watch on the things that we can’t.

What is supply chain risk?

The phrase ‘supply chain risk’ is one that is now heard in the news with increasing frequency. But what is it, how can it affect small businesses, and what should we do to manage it?

Supply chain risk is the potential for a business to be damaged by a problem within its supply chain that it did not know about. Essentially, it might not directly be your fault, but you should have had procedures in place to check. Remember that it is always your reputation that could be damaged first.

Supply chain risk in Supermarkets & Fashion

Who can forget the media frenzy when horsemeat was found in frozen products like burgers and lasagne sold by the major supermarket chains? Our trust as the paying public in the organisations who supply these goods changed, driving the supermarkets to change their processes.

Since that scandal in 2013, the way businesses manage and consider who is in their supply chain has changed. As a direct result, a number of supermarkets were forced to learn lessons on how they interacted with their suppliers. Roll forward to 2015, and a new debate on food waste and the fate of ‘wonky vegetables’ commences.

We are now much more conscious of where our produce has been sourced, its contents and the ethical nature of how it has been produced.


Leamington Business Awards – Ritz Evolves

The Leamington Business Awards Gala Evening

Governance… risk… cyber security… compliance… the words may carry associations of mastery and a certain professional mystique, but they hardly conjure visions of glamour and glitz. But then came the Leamington Business Awards…

The Risk Evolves team donned their Bond black tie and ball gowns for the Leamington Business Awards dinner, proud to be attending as nominees in the Professional Services category.

Held at the beautiful Woodland Grange, the black-tie event began with canapés, giving award nominees, their guests and other local business representatives the chance to compare finery, frills and furbelows over fizz.

The Key Business Risks For 2017

The Key Business Risks For 2017 And What You Must Do To Prepare For Them.

The landscape is changing, and so are the key business risks for 2017. External business risk is growing at an exponential rate, especially in cyber crime. We look back at some of the greatest business risks of 2016 and predict how these might shape your strategy for 2017.

The Business Life Cycle & Business Risk

The risks your business faces will vary depending on where you are in the business life cycle. Undoubtedly you will have faced risk already and will have many more business risks impacting your growth.

As Forbes recently mentioned, business risk continues to evolve.

What concerned you, say, two or three years ago may look very different in 2017. The risk is not just internal but increasingly also external. If your business is facing new risks, what are you doing to prevent them or prepare for them?

What is ISO9001 and why is ISO9001 important for my business?

‘What is ISO9001?’ and ‘Why is ISO9001 important for my business?’ are two of the most common questions we get asked by our clients, so we thought we’d put this handy blog post together: ISO9001:2015 – frequently asked questions.

What is ISO9001:2015, and why is it important? 

ISO9001 is the world’s leading quality management standard. It is at the heart of many other national and international certifications that help an organisation improve its overall performance.

The standard had its origins in the late 1970s in the form of BS5750. Since then it has evolved, becoming an international standard in the 1980s. When the standard was first developed it was used predominantly by manufacturing organisations, who recognised that if there was a process for manufacturing ‘widgets’ in a standard, repeatable way, then the cost of rework, fixing and repair would fall. In other words, if quality is managed correctly in an organisation, it will save you time and money. Since then the standard has changed, and it now delivers not just cost savings but also improvements in customer satisfaction, a more resilient organisation, a better relationship with your suppliers and the supply chain, and a demonstration that you have strong corporate governance.

So why all the fuss over ISO9001:2015?

Given that the world continues to change, there is a requirement for all standards to reflect the current business environment. The quality standard is no exception and is reviewed on a regular basis. The latest review culminated in the issue last year of ISO9001:2015.

What if I have the old version ISO9001:2008?


The TalkTalk data breach, a record £400k fine and a warning to others

The TalkTalk Data Breach

On 21st October 2015, TalkTalk became aware of a major security breach. Over the following days and weeks, the severity and magnitude of that breach filled the headlines of the British and international newspapers. More than 150,000 customers saw their personal information leaked. Of those, more than 15,000 saw their bank account details compromised.

“failed to apply software patches to a database, fixing a known exposure that had been identified more than 3.5 years prior to the breach.”

The next day, TalkTalk informed the Information Commissioner’s Office of the data breach. The breach has cost TalkTalk about £60m and contributed to the loss of over 100,000 customers. The police are still questioning six individuals (all under 21 years of age) in relation to the crime.

The ICO Investigation to the TalkTalk data breach

Now TalkTalk is back in the headlines as the ICO issues a record-breaking fine of £400,000, due to security failings that allowed a cyber attacker to access customer data “with ease”. The ICO investigation found that the attack could have been prevented if TalkTalk had taken basic steps to protect customers’ information. Worryingly, TalkTalk had failed to apply software patches to a database, fixing a known exposure that had been identified more than 3.5 years before the breach. The report highlights that there were two earlier attacks exploiting the same weakness, in the 12 weeks before the October breach, which had not been detected.