• PPP Management

Thursday Thoughts - 4th March 2021

This week’s Thursday Thoughts has a focus on remote working and keeping safe. Five years’ worth of cyber innovation has arrived in just 12 months, and none of us can imagine going back to the pre-March 2020 ways. But we do need to consider what staff are doing with our data while they are working from home: who can see or hear what they are doing, and how can we ensure that it is disposed of appropriately? There is news of the reason behind the SolarWinds hack (I kid you not, someone had used the password “solarwinds123”), a recommendation that business owners adopt a “Zero Trust” model, lessons we can learn from the ‘80s about AI and modelling software, and a link to the Select Committee debate on the Armed Forces Bill for the veteran community.

Naturally there is the latest on news, patches, phishing and fines. If you send unsolicited marketing emails you will want to read the piece about the ICO fine of Muscle Foods Ltd (£50,000) for sending nearly 136 million unsolicited marketing emails over a period of seven months.

Blogs and Videos of the Week

Tash Whitaker - How much will it cost to be compliant?

Joeli Brearley - When will ministers care about the needs of mothers?

Data Protection Diaries - How to Complete a Record of Processing Activities

Remote Working has Led to Innovation in Cybersecurity

One of the upsides of the last 12 months has been the innovation in the cyber security sphere, with some reporting that 5 years’ worth of innovation has occurred in just 1 year. The massive increase in cloud adoption has changed the cybersecurity environment completely and, as a result, most companies have changed their definition of their “secure perimeter”. There are new security “black holes” as businesses struggle to get visibility of what staff are doing off premises.

Security controls are now linked with providing a good user experience, because if the home-working security measures cause friction for staff they will find ways to get round them (putting the organisation at risk). There has also been a renewed focus on SaaS security and a move for developers to take responsibility for security too (we can thank the SolarWinds attack for that). You can read more here: https://www.infosecurity-magazine.com/news/remote-work-innovation/?utm_source=dlvr.it&utm_medium=linkedin

The NCSC Small Business Guide has been revamped for 2020, as has the response and recovery guidance.

Homeworking, Hybrid or Back to The Office

Do we think working from home is really going to be a permanent part of everyone’s working lives in the future, or will it be just for some people? Even household names are split on this topic. JP Morgan and HSBC are in the ‘hybrid’ working model camp, where employees divide their time between office and home. But the Goldman Sachs CEO recently described working from home as an “aberration that we are going to correct as soon as possible”. So I think that there will be a mixture of ways of working depending on the individual and the business. Those who can cope with long hours alone at their desk will continue to do so. However, many need human company to motivate themselves, to bounce ideas off, to share a laugh with. For those with ambitions for promotion, or who need to learn their trade, it would be difficult to motivate oneself or learn those soft skills from your bedroom (or more likely your parents’ spare bedroom). The trick will be to match companies with employees!

Just What Are Your Staff Printing at Home?

It is not only the tech to support our staff at home and the H&S assessments of their working spaces that we need to worry about. What if they need to print or write about confidential or security matters, or take confidential calls while home schooling? How do they dispose of it? What happens to that data? Who else can see it or hear it? What about those working in shared houses? If you have not yet considered these issues because you responded “flexibly” to the emergency, start now. You may need to devise a system to get this material back to the office or provide mini shredders for staff. If you haven’t developed a working from home policy which covers this, start writing that too!

More Organisations Urged to Adopt a Zero-Trust Model

The SolarWinds hack has caused the US NSA to urge the defence sector to “adopt a Zero-Trust model”. This is because cyber leaders advise that the “old security models are no longer adequate for today's IT environments”. Zero trust is a “data-centric” approach to security. In essence you assume the worst and mitigate against it: you assume the organisations that you deal with have already been breached, you apply the principle of “least privilege” to every user and node, and you build in risk-based access control, security monitoring, and security automation.

Modelling Software Once Led Us to the Precipice of Nuclear War

Something to bear in mind as we move to include more AI in our lives. Back in 1983 we were very close to an accidental nuclear war, largely because the software that the Soviet Union relied on to make predictions was based on false assumptions. There are lessons we can learn now from “RYAN” and “Able Archer”, namely that the assumptions and beliefs of those who create the software will shape the outcome. So, as in the case of the Soviet system “RYAN”, trying to model another party’s actions is limited by your ability to model their intent, especially if your planning or world view are different. You can read more here: https://www.defenseone.com/ideas/2021/03/modeling-software-once-led-us-precipice-nuclear-war-what-will-ai-do/172329/

News

SolarWinds Attack Traced Back to a “Poor” Password

An intern who “violated password policies” and “posted that password on their own private GitHub account” in 2017 has been blamed for the SolarWinds attack. The password "solarwinds123" went unnoticed for several years and was publicly accessible in a GitHub repository from mid-2018. It just goes to show the need to check that staff are complying with your password policy/procedure, particularly temporary or inexperienced ones!
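One way to make that compliance check routine, as an added example that is not part of the newsletter: a small policy checker that flags exactly the kind of password described above (an organisation name followed by a few digits). The organisation names and the known-bad list are constructed placeholders.

```python
import re

# Constructed example: a minimal password-policy check a team could run on new
# or reset credentials. Organisation names and the known-bad list are placeholders.
MIN_LENGTH = 14
ORG_WORDS = ("solarwinds", "examplecorp")          # hypothetical organisation names
KNOWN_BAD = {"password", "welcome1", "letmein", "qwerty123"}  # constructed list

# Undo common letter/digit substitutions so "s0larw1nds" still matches "solarwinds".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def _normalise(pw: str) -> str:
    """Lower-case the password and reverse simple leetspeak substitutions."""
    return pw.lower().translate(_LEET)


def check_password(pw: str, org_words=ORG_WORDS) -> list:
    """Return the list of policy rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in KNOWN_BAD:
        problems.append("appears on the known-bad list")
    norm = _normalise(pw)
    for word in org_words:
        if word in norm:
            problems.append(f"contains organisation name '{word}'")
    # Letters followed by a short run of digits ("...123", "...2021") adds almost no strength.
    if re.search(r"[A-Za-z]+\d{1,4}$", pw):
        problems.append("ends in a predictable digit suffix")
    if pw.isalpha() or pw.isdigit():
        problems.append("uses only one character class")
    return problems


if __name__ == "__main__":
    for candidate in ("solarwinds123", "S0larW1nds2021", "Tr0ub4dor&3-harbour-lantern"):
        verdict = check_password(candidate)
        print(candidate, "->", "OK" if not verdict else "; ".join(verdict))
```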

Latest News On Phishing Attacks

Mixed news on the phishing front. The number of daily phishing attacks in 20/21 has decreased, from 76% to 53%, but the number of attacks occurring weekly and monthly has increased. There is a shift toward increased sophistication and precise social engineering attacks targeting business apps, replacing “batch-and-blast phishing”. The majority of attacks are now focussed on breaching the use of apps like Zoom, Microsoft Office, DocuSign and collaboration tools.

Select Committee on the Armed Forces Bill

Veterans and service personnel will be interested in the deliberations of the Select Committee on the Armed Forces Bill. Certainly something to keep an eye on: https://parliamentlive.tv/event/index/c0317bd3-c192-4d4a-8954-5fa8d8c090e7

Updates and Patches

Patches for on-premises Microsoft Exchange

Microsoft has released emergency patches for on-premises Exchange Servers. This is a result of a new Chinese state-sponsored threat actor who uses vulnerabilities to access Exchange servers, granting themselves access to email accounts, installing malware to facilitate long-term access to the victim’s systems, removing sensitive information and collecting data. It is currently most prevalent in the US across a range of sectors, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks and NGOs.

Remember to Update for Your Chrome Browser

If you haven’t already, it is time to update your Chrome browser. A new Google Chrome update for Windows, macOS, and Linux will fix a total of 47 flaws.

Fines

Muscle Foods Limited fined £50 000 by the ICO

Muscle Foods Limited has been fined £50,000 for “sending approximately 135,651,627 marketing emails and 6,354,426 marketing SMS messages to individuals without their consent”. More than 135.5 million emails over a period of seven months is a considerable number to send. That only 11 recipients complained is surprising. PECR is the regulation that is used most often at the moment to generate fines because it is relatively simple and easy to follow.

TikTok Privacy Class-action Suit Settled

TikTok’s parent company ByteDance has agreed to settle the class-action suit filed against it for privacy violations in the US. As part of the $92 million settlement, TikTok agreed that it will only collect those categories of personal data mentioned in its privacy policy and will not transfer personal data outside the US.

Blogs and Videos of the Week

Tash Whitaker - How much will it cost to be compliant?

In this FIT4PRIVACY Podcast, Tash Whitaker shares her opinions and answers to the common questions that DPOs get asked. The discussion centres on the DPO role and explores the challenges of the moment, as well as what businesses are asking their DPOs now; some really useful advice on both Brexit and Privacy Shield is provided. Tash makes the complex world of data protection easy to follow and has a knack of turning regulatory legalese into something the rest of us can understand. You can listen to the podcast here: https://podcasts.apple.com/be/podcast/025-fit4privacy-podcast-tash-whitaker-full-episode/id1506795962?i=1000510431822

Joeli Brearley - When will ministers care about the needs of mothers?

We know that recently there has been an exodus of pregnant women and new mothers from the workforce. This is not solely a result of the pandemic. This week, in a blog, a book, and 2 articles (Grazia and the Mail), Joeli discusses this difficult subject. The most recent legislation to support pregnant women and mums is the ‘Braverman Bill’, giving six months’ fully paid maternity leave to ministers. A step in the right direction, but it ignores the needs of backbenchers and other parliamentary staff, nor does it support the needs of fathers to share the load with their partner. One wonders also what message it sends to those living in financial poverty because they are on statutory maternity pay (£151 a week) rather than full pay. You can read the blog here: https://pregnantthenscrewed.com/when-will-ministers-care-about-the-needs-of-mothers/

Data Protection Diaries - How to Complete a Record of Processing Activities

The fact that businesses need a Record of Processing Activities is something that frightens many. The ROPA is a key requirement of GDPR and a great tool, but it doesn’t have to be complex and frightening. This week’s Data Protection Diaries explains what a ROPA is, why they are important and how you can start to create your own. You will find the video here: https://www.youtube.com/watch?v=G7KUSYEOqUk&feature=youtu.be
