There is somewhat of a “Breach” and Fines” theme to this week’s blog. It starts with news that the Dutch authorities fined Booking.com for failure to report a breach in a timely manner (they took 22 days rather than 72 hours). Many businesses I speak to do not have a breach plan in place so I have included a simple flow chart (from my book) that helps describe the process. Worldwide more than 21 million records were breached in March 2021 and upwards of 350 incidents have been recorded so far this year. In a worrying trend many of the UK cases include a number of schools and colleges, as well as MOD, councils, media, retail and other organisations.
What would you do if you went into work and “computer says no”, how could you get things sorted if you haven’t got something to refer to. So when you are contingency planning think about printing out your recovery plan.
There are some exciting new developments in Linked in, competition for Clubhouse and an update to Hootsuite to read about. Blogs and videos of the week on a variety of topics as usual, in a nod to the Hootsuite story Alex McCann on the pros and cons of scheduling your social media posts. Because there is clearly a need for more effective and “successful” cyber security I have included a link to a webinar that discusses what success looks like (he or you can read his blog).
Blogs of the Week
Alex McCann - Social Media Scheduling – The Pros And Cons
Gabriel Freelander - How to Measure Cyber Security Success
Dave Ffowcs-Williams - Great supply chain starts at the humble pallet
Booking.com fined €475,000
The key reason behind the Dutch DPA’s fine to Booking.com this month is because it failed to report it’s breach in a reasonable timeframe. Data breaches that pose a risk to an individual’s rights and freedoms should be reported to the relevant Data Protection Authority (in UK the ICO) within 72 hours. This is so that the data subjects can take action to protect themselves.
In the Booking.com case the breach occurred in 2018 when employees at hotels in UAE were targeted by telephone scammers in order to get access the Booking.com system. The breach exposed more than 4000 customer’s booking details, 283 card details and 97 CVV codes. This certainly posed a “risk” to individuals (of being robbed or phished). As well as taking payments from cards, the scammers pretended to be from the hotel and tried to take additional payments from the customers.
Speed is very important when putting in place mitigation against such actions, for example the authorities can order the company to immediately warn those who have been affected so that criminals have the shortest period in which to operate. So even though the breach was not their fault. By taking 22 days to report it Booking.com “failed to report in good time” (72 hours).
Here is the simple flow chart of what to do if you suffer a breach. It is from Chapter 10 of my book GDPR:A Game of Snakes and Ladders.
Note: If you don’t have a DPO then the Director/CEO/nominated Data Protection Lead should perform this function.
https://www.routledge.com/GDPR-A-Game-of-Snakes-and-Ladders-How-Small-Businesses-Can-Win-at-the/Alford/p/book/9780367435455
21 million records breached in March 2021
According to the IT Governance blog, across the world there have been 351 “cyber incidents” (Cyber-attacks, Ransomware, Data breaches, Financial information, Malicious insiders and miscellaneous incidents) recorded so far in 2021. What is troubling is that many organisations have not been able to identify how many records have been breached or they didn’t want to reveal the extent of the damage. In one case an IT technician was been for installing software onto computers to spy on colleagues. The table below includes a list of the UK incidents and you can read the full list here: https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-march-2021?utm_source=social&utm_medium=linkedin&utm_campaign=march-db-blog
Have You Printed Out Your Back Up plans?
I know that sounds odd in these days where we are talking about reducing printing and keeping everything electronically. But conversations about what the back-up plan is and how to enact it often bypass key stakeholders and are only known by the facilities/IT department. It is important that all companies take cyber threats and risks as seriously as they do financial or legal ones. The impact of walking into the office and realising you can’t turn on the computer or phone will be made all the more worrying if you don’t have a hard copy of the plan to refer to, an offsite back up or a simple telephone cascade system to let key people know what is going on. It is best to think of it in terms of risk and avoid as much techie speak as possible. Imagine the worst possible scenario and put a plan in place that can get you back up and running.
Competition for Clubhouse
It is not surprising that Clubhouse is will be getting a more competition in the near future. Twitter and Facebook have been working on their own versions for a while but this week I read that LinkedIn are planning to introduce Audio Rooms described as “professional-based rooms aligned with specific niches”. This is likely to be a welcome boost for linked in users looking for help with improving connections and building industry presence or a “community” in their respective areas.
Spotify have also just purchased the live audio app Locker Room (a live audio space chatting about sport) and are looking to “evolve and expand” the platform. Offering a “range of sports, music and cultural programming” as well as interactive features which will allow audiences to connect with the creator in real time.
Changes to the Hootsuite Free Plan
What you can do on the Hootsuite “free” plan is being reduced from 5th April 2021. From that date rather than being able to manage up to 3 social accounts and schedule up to 30 posts you will only be able to manage 2 social accounts and schedule up to 5 posts. The recommendation is that if you currently manage more than 2 social accounts you connect to the accounts you care about most. Otherwise you will have to consider switching your plan to a paid plan. The additional accounts will not be removed immediately but will not be able to reconnect should it disconnect, if you have already scheduled more than 5 posts the limit will kick in after your last post has sent.
Linked In Update
Linked in will be issuing a new release which includes tools to bring your professional life up to date and creating a “more expressive and inclusive Profile”. One of the key things that the Linked In watchers are getting excited about is the introduction of the “Video Cover Story” which apparently adds an orange ring around your profile photo. A preview of your video story auto-plays without sound and LinkedIn plan to add captioning to this future. There is also going to be the ability to offer a Service Page from your Profile, as well as more pronouns so we can all express our authentic self. There is also going to be a new creator mode in the dashboard where you can identify topics you post about the most and this will link to your Featured and Activity sections, display your content more prominently and turn your “Connect” button to “Follow”.
Blog of the Week
Alex McCann - Social Media Scheduling – The Pros And Cons
Because Hootsuite is in the news I thought this blog from Alex on scheduling your social media (using tools such as Hootsuite, Buffer, Tweetdeck, Social Bro, Social Jukebox) was worth sharing. These tools can save you time and mean you aren’t be permanently attached to your device. But there are downsides not least a lack of personal interaction or currency with topics of the moment. Alex’s blog explores the pros and cons of scheduling, what works and what does not! Spoiler alert … it’s OK to schedule on Social Media as long as you - Remember What You Have Scheduled, Listen on social for real time events and Engage with people more than you schedule updates. It’s all about balance. https://altrinchamhq.co.uk/social-media-scheduling-pros-cons/
Gabriel Freelander - How to Measure Cyber Security Success
For too many years the cyber security and prevention focus has been on instilling fear, paranoia and a genuine sense of danger in businesses and their staff. This webinar is a great discussion on what “success” looks like from a cyber security point of view. I really like the focus on the humans rather than the company. If you can understand things from a personal or family safety point of view then individuals will talk about it and pass the information on more widely. I’m all for meaningful conversation and compassion rather than a blame culture. It is time to start thinking what we could achieve if we made cyber training a “benefit instead of a chore”, it is so much more than keeping the company safe. https://www.wizer-training.com/webinars/measuring-success?utm_source=linkedin&utm_medium=social&utm_campaign=webinar
Dave Ffowcs-Williams - Great Supply Chain Starts At The Humble Pallet
Many businesses have manpower intensive systems in place to track “low cost” assets. The driver delivering a load and his managers are often unaware of the impact that a multitude these “little costs” can have over the course of a year. For them filling out something like a pallet tracking book is not a priority especially if it is wet or at the end of a shift. The solution is often to consider the people (just as it is with cyber security training) and invest in something that works for them. This blog suggests five areas to focus on which could help to make a difference and engage the right staff in the process. https://datacom.com/nz/en/discover/articles/blog-great-supply-chain-starts-at-the-humble-pallet