AI Issue 12 2017

Acquisition International - December 2017

3. IoT – a security time-bomb

IoT is a rapidly growing phenomenon which will accelerate in 2018, as both consumers and businesses opt for the convenience and benefits that IoT brings. However, manufacturers are not yet routinely building security into IoT devices and 2018 will see further problems generated through the use of insecure IoT. IoT is a major threat and possibly the biggest threat to businesses in the coming years. Unfortunately, it is not easy, and in some cases impossible, to bolt on security as an afterthought with IoT, and many organisations will find it challenging to deal with the consequences of such breaches. As IoT cascades through organisations’ infrastructures, it is likely to become the ultimate Trojan horse.

4. More from the Shadow Brokers

The Shadow Brokers, a hacker group which stole hacking tools from the American National Security Agency (NSA), created havoc in 2017 with the WannaCry ransomware episode. The group has already stated that it will soon release newer NSA hacking tools, with targets that might include vulnerabilities in Windows 10. There will certainly be further episodes from them in 2018, so patch management, security and regular backups will be more crucial than ever. A major target of these hackers is the data that organisations hold, including PII (Personally Identifiable Information) and corporate data, so protecting the data ‘crown jewels’ inside the network will become ever more crucial.

5. GDPR – have most businesses missed the point?

The arrival of GDPR in May 2018 will, of course, be a big story. However, many organisations are missing the main point about GDPR. It is about identifying, protecting and managing PII - any information that could potentially identify a specific individual. This will become more important in 2018 and there will be considerable focus on identifying, securing and, where required, deleting PII held on networks.

6. GDPR Blackmail – the new ransomware?

Unfortunately, GDPR will give a great opportunity to criminals, hackers, disgruntled staff and anyone who might want to do an organisation harm. They simply have to ask you to identify what data you hold on them, ask for it to be erased, and ask for proof that it has been done. If you can’t comply, they can threaten to go public – exposing you to the risk of huge fines – unless you pay them money. Watch out for that one!

7. DDoS on the rise

It is now possible for anyone to ‘rent’ a DDoS attack on the internet. For as little as US$5, you can actually pay someone to do the attack for you! (https://securelist.com/the-cost-of-launching-a-ddos-attack/77784/) This is just one of the reasons DDoS threats will continue to escalate in 2018, alongside the cost of dealing with them. The danger of DDoS for smaller companies is that it will leave them unable to do business. For larger organisations, DDoS attacks can overwhelm systems. Remember that DDoS is significantly under-reported, as no-one wants to admit they have been under attack!

8. Cloud insecurity – it’s up to you

Problems with cloud insecurity will continue to grow in 2018 as users put more and more data on the cloud, without, in many cases, properly working out how to secure it. It is not the cloud providers’ responsibility to secure the information – it is down to the user. With the introduction of GDPR in 2018, it will be even more important to ensure that PII stored in the cloud is properly protected. Failure to do so could bring serious financial consequences.

9. The insider threat

Historically, insider threats have been underestimated, yet they were still a primary cause of security incidents in 2017. The causes may be malicious actions by staff or simply poor staff cyber-hygiene - i.e. staff not using the appropriate behaviour required to ensure online “health.” In 2018, there will be growth in cyber education, coupled with more testing, measuring and monitoring of staff behaviour. This increasingly involves training and automated testing, such as simulated phishing and social engineering attacks.

10. Time to ditch those simple passwords

In 2018, simple passwords will be highlighted even more as an insecure ‘secure’ method of access. Once a password is compromised, all other sites with that same user password are also vulnerable. As staff often use the same passwords for business as they use personally, businesses are left vulnerable. While complex passwords do have a superficial attraction, there are many challenges around that approach and multi-factor authentication is a vastly superior method of access.

NEWS / From Around The World

New OXIAL GDPR EXPRESS Provides 100% GDPR Compliance For Mid-Market FS Firms

New solution brings digitised compliance approach to remove GDPR burden and offer continuous compliance and high-level data security.

Mid-market Financial Services (FS) firms can now benefit from a fast, intelligent and effective solution to achieving GDPR compliance, thanks to the new GDPR EXPRESS from new generation GRC solution provider OXIAL.

With the deadline for the EU’s General Data Protection Regulation (GDPR) coming into effect on 25 May 2018, the GDPR EXPRESS solution uses an automated digital compliance approach to offer 100% GDPR compliance. Live and operational in less than 90 days, the new solution is based on OXIAL’s years of experience in risk management, IT security and compliance and reflects the urgency for mid-market FS firms to begin getting GDPR-ready.

“GDPR is the most significant change to data protection law in the EU for a generation and the penalties for failure to comply could be catastrophic for some organisations,” said Eric Berdeaux, CEO, OXIAL. “For bigger firms with compliance teams and the resources to allocate sufficient time to GDPR, there should be few problems getting GDPR-ready, but for mid-market organisations it is a different matter altogether. Our GDPR EXPRESS solution removes the burden of GDPR for such businesses, by using a digitised approach to ensure every requirement for GDPR compliance is met.”

Compliance is a business function in many organisations that is yet to be significantly altered by digitisation, and OXIAL has placed digital at the heart of its new GDPR EXPRESS solution. It comes with a number of powerful features to help address GDPR, from an initial step-by-step project plan to reporting mechanisms for the regulator and senior management.

The GDPR EXPRESS solution encourages compliance to be treated as a continuous process, advised and supported by external experts who will allow an organisation to drive GDPR more efficiently and to reach the desired results from a compliance perspective. This approach – supported by automation of processes to ensure nothing falls through the cracks – means an organisation knows exactly how GDPR relates to its business and data, and is able to assess what it must change in order to be compliant and gauge where the priorities and responsibilities lie.

“A major challenge for mid-sized firms is the sheer volume of data that must be accounted for,” continued Eric Berdeaux. “Data is stored all over an organisation – how do you find it, how do you manage and protect it and how do you ensure it is GDPR compliant? Without the know-how, time and experience of compliance teams in bigger firms, answering these questions is a significant problem and one with enormous consequences should an organisation not be able to do so.”

There is also an important security element to GDPR, with enormous volumes of data to keep secure. OXIAL has partnered with cyber security provider Global Data Sentinel (GDS), to keep GDPR data safe. GDS is a cross-domain, zero-knowledge system, so all data within a network or cloud is stored encrypted, meaning even IT personnel cannot see it. GDS resides seamlessly inside an organisation’s existing network, securing data from the get-go, without requiring any additional infrastructure investments.

Every organisation – irrespective of where in the world they are located – must comply with GDPR if they hold or collect data on European citizens. To ensure compliance, organisations must keep records that show data is stored and used in the right way. Failure to comply will result in fines of up to €20,000,000 or 4% of an organisation’s annual global turnover, whichever is greater.

“Compliance does not begin and end on a fixed date and 25 May 2018 is certainly not the end of GDPR,” said Eric Berdeaux. “Compliance is an on-going process and should be managed as such, including compliance around GDPR. That’s what we are aiming for with our GDPR EXPRESS solution and we believe it can be a game-changer for mid-market firms that are struggling with GDPR requirements.”
