Cybercrime is a widespread phenomenon across the world. It can affect firms and organisations of any size, in any industry or sector. Cybercriminals either exploit vulnerabilities in technology or trick poorly trained staff into making mistakes; both routes put the business at risk.

This holds for the legal sector too. The National Cyber Security Centre’s Legal Threat Report found that 60% of law firms in the UK reported experiencing an attack in 2017, up from 42% in 2013. Cybersecurity concerns among legal sector firms are therefore significant and steadily rising.

Cyberattacks on Legal Firms

Recent research by Crowe UK into the cybersecurity risks impacting the top 200 UK law firms indicates that most of the firms surveyed have ‘significant unaddressed cyber risks’.

Legal firms tend to be an easy target due to the money and sensitive client data they hold. According to the Risk Outlook 2018/19 report by Solicitors Regulation Authority (SRA), the amount of money law firms are losing to cybercrime is on the rise – with £9.4 million of client money lost in 2016, increasing to £10.7 million in 2017.

With financial loss and reputational damage at risk, it is more important than ever for legal firms to consider and prepare for the threat of cyberattacks.

Key Areas of Concern

Based on the reported cybercrimes and scams, the key areas of concern identified are:

Email fraud

The Risk Outlook report identifies email modification fraud as the most common type of cybercrime against legal sector firms. 91% of the firms surveyed by Crowe UK had their domain (website address) spoofed and used to send fraudulent email aimed at obtaining confidential information such as passwords and personal details. A spoofed domain lends credibility to phishing of employees and clients, and to emails carrying malware or ransomware.
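The spoofing described above works because nothing stops a third party putting your domain in the From: header unless your DNS says otherwise. As an added example (not from the Crowe UK or SRA reports), here is the check a firm can run on its own domain: the function reads a domain's SPF and DMARC records and reports whether receiving mail servers are told to reject spoofed mail. The records shown are constructed; in practice they are fetched from DNS as TXT records at the domain and at _dmarc.<domain>.

```python
"""Assess whether a domain's published SPF and DMARC records tell receiving
mail servers to reject mail that spoofs the domain.

Added example. The records below are constructed for illustration; a real
check would fetch the TXT records for <domain> and _dmarc.<domain> from DNS
(for instance with the dnspython library) and pass them to assess_domain()."""

import re

# Constructed sample records, not real published DNS data.
SAMPLE_RECORDS = {
    "weak-firm.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak-firm.example",
    },
    "hardened-firm.example": {
        "spf": "v=spf1 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@hardened-firm.example",
    },
    "no-policy.example": {"spf": None, "dmarc": None},
}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tag -> value; None if not a DMARC record."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record):
    """Qualifier on the SPF 'all' mechanism: '-' (fail), '~' (softfail), '?' (neutral),
    '+' (pass); None if there is no SPF record or no 'all' mechanism."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) or "+"


def assess_domain(spf_record, dmarc_record):
    """Return (spoof_rejected, findings): whether receivers are told to reject
    spoofed mail, and a list of the weaknesses found."""
    findings = []

    qualifier = spf_all_qualifier(spf_record)
    if qualifier is None:
        findings.append("no SPF record or no 'all' mechanism: any host may send as this domain")
    elif qualifier != "-":
        findings.append(f"SPF ends in '{qualifier}all': unauthorised senders are not hard-failed")

    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append("no DMARC record: receivers are never told to reject failing mail")
        policy = "none"
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none: failures are only reported, never rejected")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: spoofed mail goes to spam rather than being rejected")
        if "rua" not in dmarc:
            findings.append("no rua= address: no aggregate reports on who is sending as you")

    # Only p=reject instructs receivers to refuse mail that fails DMARC alignment.
    return policy == "reject", findings


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        rejected, findings = assess_domain(records["spf"], records["dmarc"])
        print(f"{domain}: spoofed mail rejected = {rejected}")
        for finding in findings:
            print("  -", finding)
```

A p=none policy is the right starting point while you collect aggregate reports (rua=) and find every legitimate sender, but it stops nothing; the domain is only protected once the policy is p=reject (or at least p=quarantine) and SPF ends in -all.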

Vulnerable technology

The Crowe UK report states that 80.5% of the firms surveyed were running at least one service with a well-known vulnerability. Attackers target exactly these vulnerabilities, and the result can be data theft, loss of control of the website, or ransomware that encrypts files and demands payment in exchange for restoring access.

Data breaches

With many firms reporting a cyberattack in the last two years, firms are also concerned about how to respond to an attack while staying compliant with regulations. This is particularly true of data breaches under the General Data Protection Regulation (GDPR), which came into force on 25 May 2018. A data breach could cost a legal firm heavily in fines for failing to comply with the GDPR, both in the security measures expected before an attack and in how the breach is handled and reported afterwards.

Mitigating the Risks

Prevention is key to ensuring that firms are mitigating the risks and protecting their organisation and employees from the threat of cyberattacks. The two main areas to focus on are:

Securing Systems

Investing in technology and securing your firm’s IT systems will help you avoid heavy financial loss from the fallout of a cyberattack. Keeping your systems up to date is one of the most effective defences against cyberattacks. Make sure you have robust and reliable security measures in place, and develop information security policies that cover how known and newly discovered vulnerabilities are patched.

Raising Awareness

Human error is a common factor in cyberattacks on firms and organisations. Whether by opening unsafe email attachments, clicking suspicious links or downloading unsafe files, employees are often the ones who unwittingly give attackers access to systems, and it is usually a lack of awareness that leads to those errors of judgement. Educate your workforce on the cybersecurity threats they face and the warning signs to look out for. By building a culture of awareness and training employees on the risks and how to respond, firms protect both their employees and their business.

Cyber Security Awareness Training

At DeltaNet International, we are firm believers in leveraging the power of awareness training to reduce the impact of cyberattacks. Find out how we can support your firm with a wide range of eLearning solutions dedicated to raising awareness on cybersecurity and information security risks. Visit our website for more information.

The ‘world’s favourite airline’ and the largest hotel chain both reported huge data breaches in recent times, affecting millions of records. After investigations by the Information Commissioner’s Office (ICO), British Airways and Marriott International are both facing record fines for data breaches under the General Data Protection Regulation (GDPR).

Marriott

In November 2018, the Marriott International group of hotels reported a massive breach to the ICO. The incident relates to unauthorised access to the Starwood hotels group’s systems in 2014. Marriott subsequently acquired Starwood, but the breach was not discovered or reported until 2018.

As a result, the personal data of approximately 339 million guests globally was compromised, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA) and around seven million to UK residents.

After an extensive investigation, on 9 July 2019 the ICO issued a notice of its intention to fine Marriott in excess of £99M under the GDPR. Marriott International has co-operated with the ICO investigation and has improved its security arrangements since the breach was reported. The ICO’s contention, however, is that Marriott failed to perform adequate due diligence when it acquired Starwood and should have done more to check that the acquired IT systems were secure.

In a statement, Marriott have revealed that they intend to appeal the fine and defend their position.

British Airways

The ‘world’s favourite airline’, on the other hand, is facing a record fine of £183M for breaches of data protection law. The proposed fine relates to a cyber incident beginning in June 2018 in which customers browsing the British Airways website and booking tickets online were directed to a fraudulent website, where the attackers harvested their personal data. According to the ICO’s investigation, the personal data of approximately 500,000 customers was compromised, including login, payment card and travel booking details as well as name and address information.

In a statement, British Airways apologised to customers, expressed disappointment and revealed the intention to appeal.

Fines Issued in 2018

The ICO is simply reaffirming its commitment to the GDPR by disclosing the details of its fines and investigations to the public. Since the GDPR came into effect on 25 May 2018, a number of high-profile data breaches have come to light. The ICO has issued some of its largest fines in the past year, including fines for the Crown Prosecution Service (CPS), Equifax UK, Uber, Facebook and Bounty, although those related to incidents that predated 25 May 2018 and were therefore issued under the Data Protection Act 1998, which capped fines at £500,000.

With the ICO adopting a tough stance and walking the talk, businesses must bear in mind the very expensive consequences as a result of data breaches.

Is Your Business Prepared?

What we have learnt from these recent breaches is that the GDPR goes beyond ‘consent’ and data privacy issues. Both the breaches at British Airways and Marriott were a result of IT or web systems failures and hackers gaining unauthorised access.

A quick recap of what a data breach under GDPR could cost your business: the ICO can issue a fine of up to €20 million or 4% of a company’s global annual turnover, whichever is higher. For British Airways, the proposed fine amounts to roughly 1.5% of global turnover for the year; for Marriott, roughly 3% of the company’s global revenue.

Mitigate the risks of a hefty fine and ensure that your business is prepared to combat the lapses in cyber security. Investing in cyber security and information security is key to keeping the hackers out. Keeping your systems secure and up to date is the first step and one of the most effective weapons against cyber-attacks.

Nor should awareness training for your workforce be forgotten. Are your staff able to spot the signs of an attempted cyber-attack and understand the implications? By training employees on the various aspects of cyber security and GDPR, and the risks they face, businesses can keep the hackers out and prevent costly breaches under the GDPR.

How Can We Help

Our FREE download on Handling a Data Breach offers practical tips for reducing the risk of a breach, including a checklist for managing and reporting data breaches should your data be compromised.

We can also support your business with a wide range of eLearning solutions dedicated to cyber security and GDPR. Our eLearning can be delivered as off-the-shelf packages, or we can customise the content to suit your organisation. To find out more, check out our great value Compliance package.

Could your organisation handle a data breach?

Whilst it’s imperative for organisations to do all they can to prevent a data breach and protect the rights of individuals, many are unprepared to manage a personal data breach should the worst happen. This can cause further damage to finances and reputation and even lead to further breaches.

To help get the conversation started, download our FREE eGuide, Handling a Data Breach.

As well as practical tips for reducing the risk of a breach, this handy booklet also includes a checklist for managing and reporting data breaches should your data be compromised.

DOWNLOAD YOUR PDF COPY BY CLICKING THE LINK BELOW.

(For media enquiries or to share this eGuide on your website please contact [email protected])

We will be exhibiting again at the largest compliance conference in the USA: the 18th Annual Conference of the Society of Corporate Compliance and Ethics (SCCE), which runs from 15th to 18th September 2019 in Maryland.

SCCE’s annual Compliance & Ethics Institute is the primary educational and networking event for compliance professionals across a range of industries around the world. The event attracts more than 1,800 attendees from 40 countries with leading industry experts covering real-world compliance issues, emerging trends, and practical applications.

Learn about current hot topics such as global antitrust compliance, Office of Foreign Assets Control (OFAC) sanctions, artificial intelligence, and preventing harassment and discrimination. We’ll be on hand to discuss our essential Compliance eLearning, participate in educational sessions, and get to grips with the latest in compliance and ethics.

For further information about the event please visit the event website.

Currys PC World is the latest in a long line of corporations to suffer a large-scale data breach, but the positive news to take from the story is the swiftness and clarity of their response. One of our colleagues, as a Currys PC World customer, received an email explaining the loss of data, what was involved, and what he should do to protect himself from fraud.

The message was comprehensive and apologetic – and suggests that British businesses are finally learning how to respond to these kinds of cyber crimes.

The recent news from Currys PC World came in two waves. At first the company believed that 1.2 million customer records were affected, none of which contained payment card information (an attempt to access cards in its store payment systems was reported as a separate part of the same incident). Several weeks later the electronics giant had to report that the scale of the problem was far larger: after an internal investigation it put the number of customers affected at 10 million.

Currys PC World reports that none of their customers has been directly defrauded in the immediate aftermath of the data breach. But we know from previous hacks that customer data is rarely used in isolation; instead, this kind of information is used as bait in phishing attacks. With customer data in their hands, fraudsters can dupe people into handing over more information which then gives them access to bank accounts, payment cards and online stores.

So, the true impact of this kind of data breach is unlikely to be immediately obvious – and people who are defrauded six or nine months from now may never know that their loss originated with lax security at Currys PC World.

Alex Neill of Which? commented on the incident: “Dixons Carphone customers will be alarmed to hear about this massive data breach and will be asking why it has taken so long for the company to uncover the extent of its security failure. It is now critical that the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take to protect themselves.”

The letter from Currys PC World is commendably clear and direct: “Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017. This unauthorised access to data may include personal information such as name, address, phone number, date of birth and email address.”

Currys PC World also laid out clear guidance for their customers on how to minimise the risk of fraud:

  • If you receive an unsolicited email, letter, text or phone call asking for personal information, never reveal any full passwords, login details or account numbers until you are certain of the identity of the person making the request. Please do not click on any links you do not recognise.
  • If you think you have been a victim of fraud you should report it to Action Fraud, the UK’s national fraud and internet crime reporting centre, on 0300 123 2040*.
  • We also recommend that people are vigilant against any suspicious activity on their bank accounts and contact their financial provider if they have concerns.

Although the value of Currys PC World shares fell after news of the initial data breach was revealed, markets reacted less extremely to the second wave of news, with shares actually rising slightly. This may reflect a degree of breach fatigue – or a belief that the high street’s last electronics retailer has already paid the price for its security failure.

Are data breaches an inevitable part of a society that lives and trades online? Or will businesses eventually find systems and processes to outfox the data bandits?

Worried about data breaches? Find out more about Data Protection eLearning from VinciWorks.

Data breaches are nothing new.

What has changed recently is the regulations surrounding personal data.

Under the General Data Protection Regulation (GDPR), companies must notify the Information Commissioner’s Office within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; where the breach is likely to result in a high risk, the affected individuals must also be told without undue delay.

In the case of Ticketmaster’s recent breach, questions remain about whether they reported the loss of data affecting 40,000 customers quickly enough.

Ticketmaster lost the customer data through a third-party application used to manage customer support requests. The Inbenta software was infected with malware and was passing customer data to a third party, who then used the information to make fraudulent payments.

Ticketmaster says that up to 40,000 UK customers may have had their data stolen; customers in the US were not affected. Ticketmaster is offering affected customers a 12-month identity monitoring service to help them spot any further fraud.
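Whether a third-party script is tampered with at the vendor (the Ticketmaster case above) or the page itself is altered to send visitors elsewhere (the British Airways incident above), the injected code still has to get the harvested data off the page. As an added example, not code from either company, the Python below evaluates a page's Content-Security-Policy against a destination and reports which of the usual exfiltration channels (XHR/fetch via connect-src, image beacons via img-src, form posts via form-action) the policy leaves open. The page URL, vendor host, attacker host and both policies are constructed; the matcher covers the common source expressions, not the full CSP grammar.

```python
"""Evaluate whether a page's Content-Security-Policy (CSP) lets a script running
on the page send data to a given destination.

Added example. The two policies and the URLs are constructed, and the matcher
handles the common source expressions ('self', 'none', '*', scheme:, host with
a leading wildcard and an optional port), not the full CSP Level 3 grammar."""

from urllib.parse import urlsplit

# Fetch directives fall back to default-src when absent; form-action does not.
FETCH_DIRECTIVES = {"connect-src", "img-src", "script-src", "frame-src",
                    "media-src", "font-src", "style-src"}

DEFAULT_PORTS = {"http": "80", "https": "443", "ws": "80", "wss": "443"}


def parse_csp(header):
    """'connect-src 'self' https://a; img-src *' -> {'connect-src': [...], 'img-src': ['*']}"""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_matches(expr, target, page_origin):
    """Does one CSP source expression permit a request to the (split) target URL?"""
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (target.scheme, target.netloc) == (page_origin.scheme, page_origin.netloc)
    if expr == "*":
        return target.scheme in DEFAULT_PORTS        # '*' never matches data:, blob: etc.
    if expr.endswith(":") and "/" not in expr:       # scheme-source such as https:
        return target.scheme == expr[:-1].lower()
    # host-source: [scheme://]host[:port][/path]; the path is ignored here
    rest = expr
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
        if target.scheme != scheme.lower():
            return False
    hostport = rest.split("/", 1)[0]
    host, _, port = hostport.partition(":")
    if port and port != "*":
        target_port = str(target.port) if target.port else DEFAULT_PORTS.get(target.scheme)
        if target_port != port:
            return False
    host = host.lower()
    target_host = (target.hostname or "").lower()
    if host.startswith("*."):
        return target_host.endswith(host[1:])        # *.vendor.example, not vendor.example itself
    return host == target_host


def allowed(policy, directive, url, page_url):
    """True if the policy permits a directive-governed request to url from page_url."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True                                  # nothing governs it: unrestricted
    target, origin = urlsplit(url), urlsplit(page_url)
    return any(source_matches(s, target, origin) for s in sources)


def exfil_channels_open(header, page_url, destination):
    """Which of the usual exfiltration channels to destination does this CSP leave open?"""
    policy = parse_csp(header)
    return [d for d in ("connect-src", "img-src", "form-action")
            if allowed(policy, d, destination, page_url)]


# Constructed example: a checkout page, a legitimate support vendor, and an attacker host.
PAGE = "https://tickets.example/checkout"
VENDOR_SCRIPT_HOST = "https://support.vendor.example"
ATTACKER = "https://collect.attacker.example/p.gif"

WEAK_CSP = "default-src 'self' https:; script-src 'self' " + VENDOR_SCRIPT_HOST
HARDENED_CSP = ("default-src 'self'; script-src 'self' " + VENDOR_SCRIPT_HOST + "; "
                "connect-src 'self' https://api.tickets.example " + VENDOR_SCRIPT_HOST + "; "
                "img-src 'self'; form-action 'self'; report-uri /csp-report")

if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{name}: channels open to {ATTACKER}: {exfil_channels_open(csp, PAGE, ATTACKER)}")
```

The weak policy's `https:` in default-src permits a connection to any HTTPS host, so every channel is open; the hardened policy names the few hosts the checkout page actually needs and turns anything else into a blocked request plus a violation report. CSP does not stop a compromised script from reading the form, and a script that is itself on the allowlist can still send data to its own permitted host, so the allowlist needs reviewing as carefully as the script sources do.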

One of the problems with a data breach of this kind is the avalanche of follow-up crimes that typically occur – not always relying on the actual data lost. This is because criminals use the confusion and concern caused by a major data loss incident to dupe customers into changing passwords – on dummy websites that they control. Ticketmaster is urging customers to only visit genuine Ticketmaster websites on recognised addresses.

Brooks Wallace, cyber-security specialist at Trusted Knight, commented: “After an incident like this, criminals from around the world will jump at the chance to try and catch a few unsuspecting people out. If you receive any emails purporting to be from Ticketmaster asking for any personal information, discard them. If you need to contact Ticketmaster, type the website address into your browser and log-in that way.”

Questions about the timing of Ticketmaster’s notification surfaced after Monzo, the online bank, reported that they had uncovered evidence that Ticketmaster may have been breached in early April – something they passed on to authorities and to Ticketmaster. Monzo’s discovery followed customer reports of fraudulent transactions. The security team at Monzo analysed the accounts of approximately 50 customers who had all been the victim of fraud and found a pattern: 70% of the affected customers had recently bought tickets from Ticketmaster. Only 0.8% of their entire customer base had used Ticketmaster.

The question that the ICO may want answered is why it took months for Ticketmaster to confirm that a breach had taken place? Was the breach carefully concealed by hackers? Or did Ticketmaster hope to limit the scope of scandal?

Read more about Information Security eLearning from VinciWorks.

The Payment Card Industry Data Security Standard (PCI DSS) is designed to protect consumers by requiring businesses that handle payment card details to protect them. A recent report by US telecoms group Verizon found that compliance with PCI DSS can be a powerful force in fighting cyber-crime, but many organisations struggle to maintain full compliance with the standard.

Speaking to Computer Weekly, Verizon’s head of advisory services Gabriel Leperlier commented: “Since 2010, not a single organisation that has been breached was 100% PCI DSS compliant at the time of the breach.” This is a remarkable finding. Why do so many organisations struggle to comply with the standard?

Firstly, it helps to examine the 12 requirements of PCI DSS:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Protect all systems against malware and regularly update antivirus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel
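Requirement 3 (protect stored cardholder data) is the one most often broken quietly, because a PAN that ends up in an application log is stored cardholder data even though nobody intended to store it. As an added example, not taken from the standard or the Verizon report, the Python below scans constructed log lines for Luhn-valid card numbers and rewrites them in the masked form the standard permits for display (first six and last four digits). The log lines are constructed and the card numbers are the familiar test numbers, not real accounts.

```python
"""Find and mask primary account numbers (PANs) in text such as application logs.

Added example illustrating PCI DSS requirement 3: a PAN that appears in a log is
stored cardholder data, and the permitted display form is masked (at most the
first six and last four digits visible). The log lines below are constructed and
use well-known test card numbers, not real accounts."""

import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn check (ISO/IEC 7812): True if the digit string carries a valid check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """PCI DSS masking: first six and last four visible, the middle replaced."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line):
    """Replace every Luhn-valid PAN in a line with its masked form.
    Returns (scrubbed_line, number_of_pans_found)."""
    found = 0

    def _replace(match):
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # e.g. an order number that merely looks like a card
        found += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_replace, line), found


def scrub_log(lines):
    """Scrub a sequence of lines; return (scrubbed_lines, total_pans_found)."""
    out, total = [], 0
    for line in lines:
        scrubbed, n = scrub_line(line)
        out.append(scrubbed)
        total += n
    return out, total


# Constructed log lines; 4111111111111111 and 5555555555554444 are standard test numbers.
SAMPLE_LOG = [
    "2018-06-11 10:02:17 INFO  checkout order=1234567890123 total=49.99",
    "2018-06-11 10:02:18 DEBUG card=4111 1111 1111 1111 exp=12/21 cvv=***",
    "2018-06-11 10:02:19 DEBUG retry card=5555-5555-5555-4444",
    "2018-06-11 10:02:20 INFO  phone=+44 20 7946 0958 callback requested",
]

if __name__ == "__main__":
    scrubbed, n = scrub_log(SAMPLE_LOG)
    print("\n".join(scrubbed))
    print(f"{n} PAN(s) masked")
```

Run it over logs before they are shipped to a central store, or use the same logic as a detection rule: any hit means a code path is logging card data and needs fixing, which is also the kind of evidence an assessor will ask about under requirements 3 and 10. The Luhn check filters out most order and phone numbers, but a long numeric identifier can still pass it by chance, so treat hits as leads to verify rather than proof.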

In addition to these 12 requirements, digital security teams must contend with changing technology, workplaces that are riddled with web-connected devices, malicious employees and a host of determined hackers, criminals and foreign agents – who are all working day and night to access a company’s valuable data.

As Leperlier puts it: “Many organisations struggle to keep up with the continual cycle of scanning, testing and patching, which is why it is important to involve all employees, so they understand why certain security controls are in place and will be more likely to stick to them rather than finding ways around them.”

Achieving and maintaining PCI DSS compliance does not guarantee that you won’t be hacked, but every lapse in compliance is a gap that attackers can and do exploit. Dropping the ball on PCI DSS effectively means making life easier for anyone who wants to steal your data.

There are many examples of companies that have paid a heavy price for data breaches that could have been prevented by complete compliance with PCI DSS. For example, US retail giant Home Depot agreed to pay at least $19.5 million to consumers harmed by a data breach in 2014. The breach occurred because Home Depot used inadequate security software and weak data protection policies. Under PCI DSS, companies are required to conduct vulnerability scans – something that was not carried out fully at Home Depot.

PCI DSS compliance may be difficult to achieve and maintain, but it seems the costs of dealing with a major data breach are likely to be far higher than the price of meeting the 12 requirements outlined above.

Recent research suggests that almost half of UK businesses are preparing to receive non-compliance penalties, with many owners having already set aside funds in anticipation of a fine.

The research (conducted by data privacy firm, Ensighten) highlights a worrying amount of unpreparedness surrounding the new legislation and the additional responsibilities it will bring for organisations who wish to process and store personal data. CEO of Ensighten, Ian Woolley, comments that business owners are ‘aware, but still uncertain’ about GDPR, with 61% of survey respondents indicating they would like an extension of the deadline if one became available.

At What Cost?

A lot has been made of the potential penalties for non-compliance with GDPR. The shock value of the Information Commissioner’s Office’s (ICO) power to fine up to £17m or 4% of annual turnover (whichever is higher) makes for eye-catching news articles indeed. However, organisations would do well to keep a level head on the matter and remember that their compliance efforts and behaviour will be taken into consideration when any fine is set.

In this sense, it is important for companies to work on implementing a culture of data protection as standard – and as an ongoing commitment – rather than viewing GDPR as simply a box-ticking exercise with a ticking time-bomb attached.

How can VinciWorks Help?

The good news is that organisations still have time to educate their employees about the new legislation and what it will mean for data processors, subjects, and controllers at a practical, day-to-day level.

As firm believers that prevention is better than the cure, VinciWorks offer a range of GDPR eLearning courses, spanning from introductory modules to more comprehensive courses, and also includes microlearning courses to cover specific GDPR clauses that your employees may find tricky.

Specially developed to get organisations GDPR-ready, our comprehensive eLearning course, Protecting Data, offers a detailed yet accessible approach to GDPR legislation. Developed alongside subject experts, the course gives particular focus to the principles, rights, and obligations of GDPR, and offers learners the opportunity to test their knowledge by asking them to deal with realistic potential data-breaches.

To find out more, simply get in touch via the form below. It’s never too late to start your compliance journey.

Facebook and Cambridge Analytica recently found themselves at the centre of a sensational dispute over the collection and use of personal data (in this case, information about users’ political alignment; political opinions are ‘special category’ data under the GDPR, the equivalent of ‘sensitive personal data’ under the older Data Protection Act).

It all began with a ‘Personality Quiz’ app designed – and one can assume, approved – for use on the social networking site as a fun way to pass the time and connect with friends. As was common at the time, the app was also developed to harvest personal data of the user and, if reports are true, that of their unconsenting friends’ list.

According to reports, the personal data was then sold to Cambridge Analytica and used to psychologically profile users so that targeted advertisements and political spin/smear campaigns could be delivered straight to their profile pages and newsfeeds. A shocking allegation of invasion of privacy and political bias that has authorities on both sides of the pond enraged.

It’s worth noting that Facebook has since changed the amount of data that app-developers can scrape in this way and removed the app, demanding all its information be deleted.

Cambridge Analytica claims that it never used the data, and deleted it when Facebook told it to.

So, what can we take from the events?

It’s true that most users of social networking sites have no idea how much the platform actually knows about them (and their list of contacts). Remember, advertisers buying space on such networks are paying for your attention, and that attention is intensely targeted by the personal and sensitive data we’re almost all guilty of over-sharing online. The question left in the aftermath of such a scandal is this: with whom does the burden of data protection lie, the user or the platform?

Zuckerberg admitted that mistakes were made and listed the more stringent measures he would implement to protect users’ data; his proposed solutions include a tool to let users control their own data on the site, e.g., which apps they allow to access their profile information and for how long.

Indeed, if we were to find a silver-lining here, it would be the empowerment and the raised level of awareness amongst social network users who have been following the story. Knowledge, as ever, is the key to prevention.

With GDPR coming into force in May 2018, individuals will have ever-more control over their personal data as well as increased access to it, a right that is echoed in Zuckerberg’s promise to ‘provide an easy way to revoke’ data-access permissions.

Looking to raise awareness about using social media, data protection, or GDPR? Visit our Compliance page to see our full range of courses.