Compliance Week Europe

This conference is designed to help compliance, audit, legal and risk executives understand how they can build and manage their ethics and compliance programmes more effectively.

Topics to be discussed include:

  • GDPR
  • Cyber Fraud
  • AML programmes
  • Whistleblowing
  • Anti-Bribery
  • Collusion
  • Ethics & Compliance
  • Sanctions
  • Supply Chain risk
  • Fraud indicators and red flags

So important that even Her Majesty the Queen focused her attention on it in the 2017 Queen’s Speech, interest in the GDPR legislation shows no signs of slowing down.

The Queen’s speech confirmed that the General Data Protection Regulation (GDPR) will still come into force in the UK on 25th May 2018 and will replace the Data Protection Act, which has governed data handling directives in the UK since 1998. The new GDPR legislation is designed to streamline data handling across the European Union, making it easier for members of the EU to share data safely and also introducing more stringent data protection regulations to suit an increasingly digital age.

So, why would the UK implement EU-wide legislation following the beginning of Brexit negotiations? Firstly, it’s important to understand that the UK was (and still is) a major influence behind the new European legislation, so it’s natural that it would still adopt the GDPR even with Brexit going ahead. Secondly, with UK and EU legislation lining up after May 2018, the UK will maintain its ability to share data with other members of the EU – for example, between police forces and other international authorities. Conserving this ability is imperative in the fight against terrorism and other cross-border crimes.

The GDPR will affect organisations across all industry sectors, and all must ensure they’re up to speed by its implementation next year. Whilst the new legislation will bring with it some welcome consistency for multi-national organisations and employees working across Europe, the legislative burden of new rights for individuals and fines of 2 – 4% of global annual revenue for breaches are likely to take a toll.

For this reason, it is important that organisations avoid accidental breaches by ensuring that all employees are prepared and understand what they need to do to remain compliant with the GDPR. Human error (undoubtedly in the form of a lack of understanding and knowledge) has proven to be the main cause of data breaches in years past, and supposedly ‘harmless’ mistakes still make up a large percentage of security law violations and the fines that follow.

Organisations need to act quickly to ensure they’re not caught out next May and can take advantage of VinciWorks GDPR eLearning courses to ensure they’re up to speed. We offer three GDPR training courses which together form a comprehensive package covering your preparation for the GDPR, what your organisation’s accountability under new GDPR legislation will be, and a microlearning course created to clarify the new legislation’s ‘right to be forgotten’ regulation.

The courses outline the UK’s Key Priorities for the GDPR, which are:

  1. Ensuring data protection rules are suitable for the digital age.
  2. Empowering individuals to have more control over their personal data.
  3. Giving people the right to be forgotten when they no longer want a company to process their data.
  4. Modernising data processing procedures for law enforcement agencies.
  5. Allowing police and the authorities to “continue to exchange information quickly and easily with international partners”.

Failing to prepare for the GDPR could have disastrous consequences for organisations, with punishments for non-compliance including fines of up to €20m or 4% of annual turnover, whichever is greater. It is not just the fine, however, that could damage an organisation: the reputational harm and adverse publicity that follow a breach can be just as costly.

Our GDPR training will help you to prepare for the GDPR in the correct manner and we will be adding to our portfolio of courses as more details come to light about exactly how the GDPR will affect organisations.

The Information Commissioner’s Office (ICO) recently imposed a record £400,000 fine on communications company Keurboom. The fine was the result of a large-scale campaign of automated, unsolicited marketing calls. Keurboom Communications made nearly 100 million automated calls to people who had not given consent. Some of the calls were made at night, and some people received multiple calls on the same day. Many recipients were, unsurprisingly, distressed and upset, but it was not easy for people to identify the source of the calls or to make them stop. The automated calls that Keurboom bombarded people with related to non-existent PPI or accident claims, leading recipients to worry unnecessarily.

Keurboom Communications has since gone into liquidation, meaning that much of the fine may never be recovered by the ICO.

Future flouters of data laws will not escape so easily. The government has changed the rules so that future fines can be levied against directors personally. Multiple directors could be fined up to £500,000 each. The ICO hopes that this will stop the cycle of companies setting up to make a quick shilling by harassing the public, and then folding to avoid paying their fines.

One of the reasons for the record fine was the lack of consent sought before making millions of calls. Keurboom apparently made no effort to seek consent, or even direct their marketing to a suitable audience. The calls were indiscriminately made, and recipients had no easy method of opting out. Minister of State for Digital and Culture Matt Hancock said: “Nuisance callers are a blight on society, causing significant distress to elderly and vulnerable people. We have been clear that we will not stand for this continued harassment, and this latest amendment to the law will strike another blow to those businesses and company bosses responsible.”

The rules on data use and consent are about to get tougher as the new General Data Protection Regulation (GDPR) comes into force on 28 May 2018. This EU legislation will not be affected by Brexit negotiations or decisions, so businesses must ensure that they are prepared for the new rules. Any organisation using customer data must have consent, and that consent must have been gained by clear affirmative action. Silence, pre-ticked boxes or inactivity do not constitute consent. Organisations must keep records of how and when consent was given, and people have the right to withdraw consent at any time.

Is your business ready for GDPR? Have you had to make any organisational changes – or implement any training – to prepare for the new legislation?

It’s boomtime for ransomware and for the cybercriminals making easy profits using this virulent strain of malware. The ransomware epidemic will not come as a surprise to the NHS, which recently had thousands of computers frozen by the WannaCry virus.

What can we learn from the spread of ransomware around the world? And what can organisations do to resist the onslaught of attacks?

A ransomware infection often starts with spam. Hackers use social engineering to nudge users into saving attachments or clicking links that look genuine. Emails may appear to be a request from the CEO, a parking fine notification, or a penalty notice from HMRC. Users are often scared into action, believing that something bad will happen if they don’t act quickly. But not all infected computers are the result of user error. In the case of the NHS and WannaCry, hackers exploited a known vulnerability in Microsoft Windows to gain entry into unpatched systems.

A popular exploit kit used by cybercriminals, called Angler, allows for drive-by downloads, in which malware is downloaded automatically when a user visits an infected site. The download happens in the background, without the user’s knowledge. These kinds of technologies are not just the preserve of expert hackers or international criminal gangs; anyone with criminal intent can access ransomware-as-a-service offerings on the underground Tor network, making cyber-crime as easy as setting up a website.

This demonstrates how unsophisticated some hackers are. These are rarely master criminals; they are often just chancers who recognise an opportunity for making easy money. And because web technologies allow ransomware to be deployed and utilised remotely, with money collected using anonymous crypto-currencies like Bitcoin, there is the lure of consequence-free crime. Why risk jail time for the takings in a petrol station when you can work from home and watch your Bitcoin wallet slowly fill? Of course, some of these perpetrators are caught and tried; there is no such thing as the perfect crime.

The ease of use of these tools might be one reason for their proliferation, and may explain why ransomware is on the rise. Security software company Sophos detected thousands of new pages booby-trapped with Angler every day in May 2015. And in its annual security survey, SonicWall reports that ransomware attacks increased by 167x year-on-year and were “the payload of choice for malicious email campaigns and exploit kits”.

The rapid rise of ransomware does pose new threats for organisations, but many of the treatments are familiar. Organisations must start with fully patched and up-to-date software and systems. Every uninstalled update is a potential backdoor for an opportunist cyber-crook.

Security systems must also be in place to limit the spread of any infections that take place, and to alert administrators to their existence before they do lasting harm. Backups provide protection against encrypted files and frozen machines. Training is the best way to ensure employees understand the evolving risks. And given the high stakes of IT security, this training should be regularly refreshed so all staff understand the vital role they play in digital defence.

On 12 May, hundreds of NHS employees turned on their computers, only to be greeted by a message stating that their files had been encrypted and could only be unlocked by paying $600. Their computers had succumbed to WannaCry, a particularly vicious type of virus known as ransomware. The message that now dominated the screen could only be removed by transferring $600 worth of Bitcoin to a given address. Instructions for obtaining Bitcoin were also provided.

Forty-eight NHS organisations were affected by this cyber-attack, leading to cancelled appointments, operations and more. Patients were asked to stay home because staff did not have the means to receive or treat them. The NHS was held to ransom by unseen forces.

WannaCry and the threat to computers

The WannaCry software might be dangerous, but its spread is usually checked because it requires people to download a dodgy attachment or click a suspicious link. The virus typically spreads slowly, gradually, in fits and starts. What happened on 12 May was very different. The doctors, nurses, surgeons and administrators who found their machines frozen that day may not have been to blame for the virus overtaking their machine. WannaCry had found its way to their desktop through a backdoor that exists in older Microsoft Windows machines.

Remarkably, this backdoor is alleged to have been developed – and utilised – by America’s National Security Agency (NSA). This vulnerability, known as EternalBlue, was stolen from the NSA by a group of Russian hackers called ShadowBrokers and then shared online. EternalBlue was used to inject WannaCry onto a huge number of machines in a synchronised attack. Infected machines were then used to spread the ransomware onto other networked machines.

In a story with many startling elements, perhaps one of the most shocking parts is the fact that Microsoft had released a patch to close this vulnerability in March. The only computers affected by this attack were those that had not been updated. In the case of the NHS, it seems that the government chose not to renew a multimillion-pound security package which would have protected against this threat. This meant that the NHS attack also became a political issue in the middle of a general election.

The WannaCry attack was only halted by an intrepid IT security consultant who noticed that the malware was trying to connect to a non-existent web domain. Marcus Hutchins immediately registered the address, an act which stopped the virus in its tracks and meant that hundreds of NHS organisations could get back to work.

While the usual advice on digital security is to raise awareness among staff, the WannaCry incident is a good reminder that employee training will only protect your organisation if your technology is up-to-date. Effective digital security must be holistic, protecting against a wide range of evolving threats with a mixture of training, processes, hardware, software and company culture.

How VinciWorks can help

Our vast and expanding cyber security training suite prepares users for all cyber risks. It includes hours of training, hundreds of micro-learning modules and topics from social media to IT security. These courses and micro-learning units can easily be configured into a multi-year training plan.

How certain are you that your employees understand the risks posed by their use of the Internet? And do you trust that your employees know how to minimise risks – and what to do when they discover a threat?

We all rely on the Internet and email for marketing, communications and essential business operations – but how often do we step back and assess the risks?

Evolving risks

Hackers and fraudsters are constantly looking for vulnerabilities. Businesses are regularly assailed by financially-motivated agents, as well as state-funded hackers in search of intellectual property and the disruption of commercial activity.

The threat from within

In recent years, organisations have discovered that digital security and processes are not enough to prevent hacks, malware and data loss, because even the most robust systems can be swiftly neutered by an untrained (or disgruntled) employee. This has brought a renewed focus on employee training and the need to defend against internal threats. So, what can your organisation do to help employees use the Internet and email securely?

Assess your technology risks

Before you consider what kind of training your employees require, you must evaluate the potential threats to your business. For example, you might have a database of customer data, precious intellectual property or product designs, vital systems, online resources or costly digital infrastructure. Does your business have any compliance requirements? Are these being met – and protected? Once you have identified the threats, you can devise a strategy for mitigating and managing risks.

Security policy

Does your organisation have an up-to-date security policy? It’s important that your employees read the policy and understand everything it covers, such as:

  • Safe IT usage
  • Acceptable software
  • BYOD – can employees use their own devices?
  • Data protection and sharing
  • Removable media – can employees use USB drives and other media?
  • Password practices
  • Dealing with suspicious emails and content
  • Keeping backups
  • Digital vigilance and reporting

Training is clearly a core component of modern digital security. Your employees represent a significant risk – whether intentional or accidental – and regular training is the best way to ensure that every individual recognises the threats and their role in preventing a security breach. Training should be mandatory and regularly refreshed to cope with the changing nature of digital security. Employee training programmes should form the core of a comprehensive security setup.

The General Data Protection Regulation (GDPR) is the new EU-wide law that comes into force from 25 May 2016. As this is a piece of EU legislation, there is now uncertainty about whether the regulation will be adopted in the UK, or whether the UK government will produce its own version.

But even if the regulation is ignored by UK authorities, all British companies that trade with EU countries must abide by the legislation. So what is the General Data Protection Regulation (GDPR) – and what impact will it have on UK organisations?

GDPR in a nutshell

The GDPR has been created by the European Commission to strengthen data protection for individuals within the EU. A key aim is to give citizens control of their personal data and to simplify the regulations for international businesses. The new regulation replaces the data protection directive (95/46/EC) and was adopted on 27 April 2016, entering application on 25 May 2018.

The GDPR applies to both controllers and processors of data. Controllers are organisations that determine how and why personal data is processed; the processor acts under the controller’s guidance.

Data protection rights for individuals

Individuals’ rights have been expanded under the GDPR. Key rights for individuals include:

  • Right to be informed – of how their data will be processed and used
  • Right of access – to their personal data
  • Right of rectification – if data is incomplete or incorrect
  • Right to erasure – also known as the right to be forgotten
  • Right to restrict processing – gives people the right to block processing of their data
  • Right to data portability – people can move, copy or transfer the data
  • Right to object – to their personal data being processed
  • Rights related to automated decision making and profiling – gives people the right to not be subject to a decision based on automated decision making (i.e. not involving human intervention)

Obligations for data controllers and processors

GDPR also expands protections for individuals by increasing the requirements for organisations that control and process personal data:

Accountability and governance – “You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time such as privacy impact assessments and privacy by design are now legally required in certain circumstances.” – Information Commissioner’s Office

Breach notification – under GDPR, organisations will be obliged to notify relevant authorities of certain types of data breaches.

Transfer of data – GDPR includes a restriction on the transfer of personal data to countries outside the EU. This ensures that the protection of the GDPR is not undermined.

Is your organisation prepared to meet the requirements of GDPR, and do your employees understand the implications of the new legislation? Will the new rules create new work for your organisation – or will you be able to meet the new standards with ease?

You can find out by taking our FREE GDPR online training course. This GDPR eLearning module provides answers to questions including:

  • What does the GDPR mean for you?
  • How does it apply to the UK post Brexit?
  • Will the DPA change?
  • What will you need to do differently?

Compliance is one of the fastest-moving divisions in the corporate world. The rapidly evolving demands on our function are driven by a whirlwind of ever-changing technology, risks and regulations. So where do we find ourselves in 2016? And what are the biggest challenges facing compliance professionals?

PwC recently released their State of Compliance Study 2016. Let’s explore their findings and see what we can learn from their global survey of 800 executives – including chief compliance officers, chief ethics and compliance officers (CECO), chief legal officers, general counsels and chief audit executives.

The report focuses on business strategy, and how well this is aligned with compliance management. Compliance success starts with the board, and how well senior leaders set the tone and focus attention on ethics and compliance.

Compliance is key, but not always prioritized

The report suggests that this, in general, is happening; 98% of respondents have senior leaders who are committed to ethics and compliance. But this commitment does not always translate into hands-on ownership: 55% claim that senior leaders provide only ad hoc oversight – or delegate many of their compliance and ethics oversight activities.

How to strengthen the ‘tone at the top’

PwC recommend a range of measures for clarifying the tone at the top, including regular communications about the importance of ethical and compliant behaviour, recognition of employees who embody these virtues, and disciplinary action against ethics and compliance violations. They also recommend that organisations aim for a 95% completion rate for compliance and ethics training within three months of deployment.

The report finds that compliance and ethics teams are aligning with other assurance functions, but greater coordination can be achieved: 54% conduct compliance and ethics-specific risk assessment activities beyond traditional risk management efforts. Organisations might be missing out on insights from people on the ground: only 21% use employee surveys to gather information on risk assessments.

The strain of regulation

While organisations recognise the importance of compliance, many CEOs view these demands as a burden. In PwC’s 19th Annual Global CEO Survey, 79% of CEOs cite over-regulation as a threat to their growth prospects. Could this frustration with regulation make life harder for compliance professionals? It could explain why so few compliance divisions (36%) claim to be ‘inherently integrated’ in their organisations’ strategic planning.

Perhaps the biggest challenge facing compliance and ethics professionals is the puzzle of how to get greater participation from the C-suite, and to encourage them to set the ‘tone at the top’ – when those same senior leaders are growing to resent what they perceive as ‘over-regulation’.

Compliance training from VinciWorks

VinciWorks provides convenient, online training for compliance professionals. Browse our compliance training now.