Risk Crew (https://www.riskcrew.com), Information Risk Management Consultants. Feed generated Fri, 05 Jan 2024 16:57:58 +0000.

APACHE STRUTS 2 Critical Vulnerability – CVE-2023-50164
https://www.riskcrew.com/2023/12/apache-struts-critical-vulnerability-cve-2023-50164/, published Mon, 18 Dec 2023 17:10:12 +0000

Risk Rating: CRITICAL

CVSS Score: 9.8

Vulnerability Type: Remote Code Execution (RCE)

CVE Identifier: CVE-2023-50164

Exploitation Status: Actively exploited.

Affected Versions: Struts 2.0.0-2.3.37 (EOL), 6.0.0-6.3.0.1, 2.0.0-2.5.32.

Link: Apache.org

Introduction 

Recently discovered, CVE-2023-50164 is a critical flaw in Apache Struts that could allow attackers to execute code remotely by manipulating file upload parameters. It is being actively exploited, so it poses an imminent threat demanding quick action. It significantly jeopardises services relying on Apache Struts, and affected deployments should be updated to version 6.3.0.2 or 2.5.33 urgently. With an easily accessible proof of concept on GitHub, web applications built on Struts should undergo thorough assessment to confirm they are patched. The issue affects multiple sectors and requires tailored advisories for affected vendors. Take prompt action to secure your systems.

Recommended Actions

  • Immediate upgrade to Struts 6.3.0.2 or 2.5.33
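As an added example (not part of the Risk Crew advisory), the following Python check flags a Maven project's struts2-core dependency when its version falls inside the affected ranges listed above, resolving `${...}` version properties as Maven would; the pom.xml it scans is a constructed sample.

```python
"""Flag Apache Struts 2 versions affected by CVE-2023-50164.

Added example, not part of the original advisory. The affected ranges and
fixed versions are those stated in the advisory; SAMPLE_POM is constructed.
"""
import xml.etree.ElementTree as ET

# Affected ranges as stated in the advisory (inclusive at both ends).
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 3, 37)),    # 2.0.0 - 2.3.37 (EOL)
    ((2, 0, 0), (2, 5, 32)),    # 2.0.0 - 2.5.32
    ((6, 0, 0), (6, 3, 0, 1)),  # 6.0.0 - 6.3.0.1
]
# First fixed release on each line named in the advisory.
FIXED_VERSIONS = {2: "2.5.33", 6: "6.3.0.2"}


def parse_version(text: str) -> tuple:
    """Turn '6.3.0.1' into (6, 3, 0, 1); drops qualifiers such as '-SNAPSHOT'."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str) -> bool:
    """True if the struts2-core version lies inside an affected range.

    Python compares tuples element by element, so (6, 3, 0, 1) < (6, 3, 0, 2)
    and a shorter tuple such as (6, 3, 0) sorts before (6, 3, 0, 1).
    """
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess(version: str) -> str:
    """Human-readable verdict with the upgrade target for the affected line."""
    if is_affected(version):
        target = FIXED_VERSIONS[parse_version(version)[0]]
        return f"AFFECTED (upgrade to {target})"
    return "not affected"


def _local(tag: str) -> str:
    """Strip the Maven XML namespace from an element tag."""
    return tag.split("}")[-1]


def struts_versions_in_pom(pom_xml: str) -> list:
    """Return declared struts2-core versions, resolving ${property} references."""
    root = ET.fromstring(pom_xml)
    props = {}
    for node in root.iter():
        if _local(node.tag) == "properties":
            props = {_local(c.tag): (c.text or "").strip() for c in node}
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if (fields.get("groupId") == "org.apache.struts"
                and fields.get("artifactId") == "struts2-core"):
            ver = fields.get("version", "")
            if ver.startswith("${") and ver.endswith("}"):
                ver = props.get(ver[2:-1], ver)
            found.append(ver)
    return found


# Constructed sample pom.xml pinning Struts through a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <struts.version>6.3.0.1</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-convention-plugin</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for ver in struts_versions_in_pom(SAMPLE_POM):
        print(f"struts2-core {ver}: {assess(ver)}")
```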
How to Implement a Clear Desk & Clear Screen Policy for Your Organisation
https://www.riskcrew.com/2023/09/how-to-implement-a-clear-desk-clear-screen-policy-for-your-organisation/, published Thu, 14 Sep 2023 15:09:46 +0000

You know that feeling when you walk into an office, and it looks like a hurricane just blew through? Papers litter the area, sticky notes cling to computer monitors like colourful barnacles, and chaos fills the air.

The implications might seem obvious, but the mess also poses a greater problem: information and cyber security risk.

Having information readily accessible to threat actors (e.g., paper documents not in lockable storage) puts both the individual and the organisation at risk of data exfiltration and a breach. This is where a Clear Desk Policy becomes important.

What Is a Clear Desk Policy 

A Clear Desk Policy (CDP) within the framework of ISO 27001, often referred to as a “Clear Desk and Clear Screen Policy,” comprises precise guidelines and procedures crafted to align with the stringent information security stipulations set forth by ISO 27001.

The primary goal of a clear desk policy is to enhance information security, protect sensitive data, and reduce the risk of data breaches or unauthorised access.

ISO’s guidance goes beyond just having a tidy desk, however. The standard suggests protecting user endpoints via lock and key when not in use. This includes ensuring computers are configured with an automatic logout feature to lock when unattended, confidential documents are always collected from the printers and placed in a safe place out of sight, and clearing sensitive information from whiteboards immediately after use.

Vacating your office for good? Make sure you do a clean sweep and check that no information assets have fallen behind drawers or furniture for prying eyes to find.

Why Is a Clear Desk Policy Required for ISO 27001 Compliance?  

Well, there are some compelling reasons for implementing a CDP. First and foremost, it helps protect sensitive data and reduce the risk of a data breach. Think about all those confidential documents, login credentials, and company secrets that could be lying around.

Additionally, senior management regularly reinforcing the need for a tidy workspace can do wonders for employee productivity. Let’s take a deeper look at how a CDP contributes to compliance with ISO 27001.

  1. Improve Security Awareness and Culture: ISO 27001 places importance on creating a security-conscious culture within an organisation. Implementing a CDP helps raise awareness among employees about the importance of security. It reinforces the idea that everyone has a role to play in safeguarding sensitive information.
  2. Compliance with ISO 27001 Annex A: Annex A of ISO 27001 outlines a comprehensive set of controls that organisations can adopt to address various aspects of information security. Control A.11.2.9 specifically pertains to the “clear desk and clear screen policy,” making it a mandatory control for ISO 27001 compliance. Adhering to this control involves implementing a Clear Desk Policy.
  3. Audit and Certification Requirements: ISO 27001 compliance involves regular audits and assessments to ensure that security controls are effectively implemented and maintained. A CDP is part of this auditing process and is important evidence for an auditor to check an organisation’s compliance with ISO 27001 requirements.

Challenges of CDP

While Clear Desk Policies come with a host of benefits, they are not without their set of challenges:

  1. Resistance to Change: Some employees might push back against the policy, seeing it as an encroachment on their workspace, and ensuring consistent adherence can be difficult, particularly without effective oversight.
  2. Personalisation Dilemma: Striking the right balance between a clean and organised workspace and allowing employees to personalise their workstations can be a delicate task.
  3. Remote Document Management: Managing physical documents and maintaining a clear desk remotely can be challenging, as employees may not have access to secure physical storage solutions typically available in the office.

Implementing a Comprehensive Clean Desk Policy for Remote and In-Office Work Environments 

So, you’re convinced that a Clear Desk And Screen Policy is a good idea for your organisation. But how do you go about implementing one? It’s not as complicated as it might seem. Here are some steps to get you started:

  1. Define Clear Guidelines: Start by creating a set of clear and easy-to-understand guidelines. These should outline what is expected of employees in terms of desk cleanliness and organisation.
  2. Communicate the Policy: Once you have your guidelines in place, make sure everyone in the organisation is aware of them. Hold meetings or training sessions to explain the policy and its importance.
  3. Provide Tools and Resources: Give employees the tools they need to keep their desks clean and endpoints secure when unattended. This might include filing cabinets, shredders, and recycling bins.
  4. Electronic Documentation: In a bid to reduce paper vulnerabilities and encourage efficient information management, you should promote the use of electronic documentation wherever feasible.
  5. Monitor and Enforce: Regularly check in on employees’ workspaces to ensure compliance with the policy. They should consistently lock the computer and log out of the office account when not in use. Enforce the policy consistently and fairly.
  6. Reward Compliance: Consider implementing a rewards system to incentivise employees to maintain clear desks. Positive reinforcement can go a long way in promoting compliance.

Conclusion  

A Clear Desk Policy (CDP) serves as a multifaceted asset for any organisation. It goes beyond just tidying up workspaces; it acts as a bulwark against data breaches, safeguarding sensitive information and ensuring its protection. The ripple effects of a CDP are equally significant, fostering increased productivity, improving office aesthetics, and enhancing overall organisation.

By adhering to such a policy, companies not only streamline their internal operations but also project a positive image of professionalism and meticulous attention to detail. So, consider implementing a CDP in your workplace – it’s a small step that can yield big benefits in the long run.

Don’t teach your users to follow policies. Teach them to understand the “why”.


ISO 27001 Clauses 4-10: A Complete Guide
https://www.riskcrew.com/2023/09/iso-27001-clauses-4-10-a-complete-guide/, published Wed, 06 Sep 2023 09:37:00 +0000

ISO/IEC 27001 is an international standard for creating an information security management system (ISMS). It provides a systematic approach for organisations to manage and protect their sensitive information.

This standard is broken down into Clauses and Security Controls (Annex A) which every organisation that intends to be ISO 27001 compliant is required to follow. The clauses are best described as the pillars of your ISMS, a sort of paint-by-numbers system, where each organisation will choose colours that best suit their business interests and appetite for risk.

Although the clauses stretch from 1-10, we will focus on clauses 4-10, which contain the specific requirements themselves.

It can all get complicated when you are entering the world of ISO 27001, but we will break it down into manageable chunks for easy understanding. Let’s get started!

ISO 27001 Clauses 4–10

Clause 4 – Context of the Organisation

Think of your organisation as an individual. Just like any individual, no one is an island: your organisation doesn’t exist in isolation. It’s influenced by various internal and external factors.

Maybe it’s the waves of market trends, the storm of the socio-political environment, or the internal shifting sands of the workforce.

All these can and will influence how your information security system will function. That’s what the context means. 

PESTLE and Your Organisation’s Context: Adding Colour to Clause 4

When diving further into understanding an organisation’s context in Clause 4.1, a handy framework many turn to is the PESTLE analysis. By weaving a PESTLE analysis into your exploration of Clause 4 you’re painting a fuller picture of your organisation’s context. It’s like plotting your ship’s course with a detailed map instead of just a compass.

This clause asks organisations to be introspective and contemplative. To look around, both inside and out. Ask yourself: What’s going on in our industry? What’s the buzz among our employees?

The intent is simple but crucial: to identify any factor, big or small, that affects your ability to protect your information assets.

It’s a bit like checking the weather before heading out – know what’s coming so you can dress accordingly. There’s no point bringing your brolly when it’s hurricane season. 

Clause 5: Leadership

Every project carried out by an organisation requires a leader to literally “take the lead”. You will want a consultant within the Information Security industry with a demonstrated commitment to ensuring the goal of being ISO 27001 compliant is attained.

In partnership with the leader who in some cases is the Chief Information Security Officer, top management should be brought on board in this process. This will ensure that the ISO 27001 standard is not just a tick-in-the-box exercise but a consolidated effort on every leadership level and across all departments.

Leaders will be responsible for the following.

  • Ensuring that responsibilities for implementation and maintenance are assigned.
  • Ensuring objectives of the information security policies are met and integrated into every business process.
  • Establishing an Information Security Policy that is fit for purpose.
  • Communicating the importance of implementation. 
  • Ensuring resources for maintenance are available.

Clause 6: Planning

As the popular saying goes: if you fail to plan, you plan to fail.

In the event of a security breach, what do you do? Do you hurriedly go online to search for a quick template to get started on your Information Security journey? Probably not.

This clause highlights the importance of identifying risks associated with your business, documenting how they will be addressed, and then analysing, evaluating, and prioritising those risks. This is what we call conducting a Risk Assessment and is the basis for the development of a Risk Treatment Plan.

  1. Risk Assessment: Here you will have to think of the following.
  • Determine your risk criteria, including risk acceptance criteria.
  • Establish criteria for performing information security risk assessments.
  • Ensure repeated risk assessments produce consistent, valid, and comparable results.
  • Identify the information security risks.
  • Analyse the information security risks.
  • Evaluate the information security risks by comparing the results of risk analysis with the risk criteria established.
  • Prioritise the analysed risks for risk treatment.
  2. Risk Treatment: Having completed the above, you will proceed to work on the following.
  • Select appropriate information security risk treatment options, considering the results of the risk assessment above.
  • Determine whether you need controls that are not in Annex A, and verify that no necessary controls have been left out.
  • Produce a Statement of Applicability (SoA) to justify your choices. Remember, you must justify every control in Annex A in your SoA, whether you include it or, in the rare case, exclude it.
  • Formulate an information security risk treatment plan.
  • Obtain the risk owner’s approval of the risk treatment plan and acceptance of the residual information security risks.
  • Finally, retain all documented information on the risk treatment process.

Clause 6 concludes by emphasising that if your organisation wants to make changes to the ISMS, it is essential they are carried out in a planned and organised manner.

Clause 7: Support

Attaining ISO 27001 compliance is no easy feat, unless, of course, you are simply following a template. The idea behind this standard is to ensure information security is embedded into your daily processes and fit for purpose.

To achieve this, you need to determine if you have competent persons and resources for the implementation, maintenance, and improvement of the ISMS. Otherwise, you may want to implement an education and training plan to fill this gap.

Having competent staff is crucial for compliance. It is equally important to have evidence of their competence. Additionally, it is necessary to document any actions taken in response and ensure that relevant staff understand the ISMS, policies, and their own responsibilities.

Clause 8: Operation

This clause stipulates the processes needed to implement Clause 6 (Planning). According to the standard, you will need to:

  • Establish criteria for the process.
  • Implement control of the process in accordance with the criteria.

This involves documenting the process to ensure confidence in the execution of the planned processes. The organisation must control planned changes and review the consequences of unintended changes – acting to mitigate any adverse effects.

Also, the Standard states that Risk Assessment shall be performed at ‘planned intervals’ or after ‘significant changes’, and that documented information about the activity must be kept. The phrase ‘planned intervals’ often confuses people as it sounds arbitrary and vague.

The reason the Standard has it this way is because the ‘planned intervals’ should meet your organisation’s risk appetite. The word ‘planned’ is important – it shows there is foresight and that the process has been thought through. 

Clause 9: Performance Evaluation

Here, we investigate what to monitor so that we can measure the results of the ISMS. It’s in this part of your ISMS that you will describe what you will monitor, the methods for doing so, who will be responsible for what and when the monitoring and evaluation/analysis will occur.

Two other critical components under this clause include an Internal Audit Program and a Management Review. The clause states that your organisation is required to conduct planned internal audits to make sure your ISMS complies with the requirements of the standard and is effectively implemented. In conducting an Internal Audit, you will want to consider the following.

  • The audit criteria and scope
  • Selection of independent auditors for objectivity
  • Reporting of results to management

Once this has been presented to the relevant management, you are looking for two main things: non-conformities and feedback on opportunities for continual improvement.

The idea is to prevent the problem from reoccurring elsewhere. The thing to remember is that your first audit may not be perfect.

Clause 10: Improvement

With all the hard work from documenting your ISMS to conducting either an internal or external audit, having a non-conformity can be frustrating especially when close to meeting the requirements of ISO 27001.

To make progress, you need to look at non-conformities another way. They reveal weaknesses in your ISMS that, once fixed, can protect your organisation from events like data breaches.

To initiate this process, your first port of call is undertaking a ‘Root Cause Analysis’. Keep asking ‘why’ until you get to a foundational cause that you can address with a program of corrective action to prevent the issue from reoccurring.

Sometimes, this may require making changes to your ISMS and once implemented, you’ll want to review the effectiveness of the corrective action.

In Conclusion

ISO 27001 requires a meticulous, documented and risk-based approach to ensure compliance and certification. If you are getting started with the standard, you can find a summary of the ISO 27001 documentation required in this checklist or you can access more resources for further reading below.


What is Open-Source Intelligence? How to Get Started
https://www.riskcrew.com/2023/08/what-is-open-source-intelligence-how-to-get-started/, published Fri, 25 Aug 2023 14:55:12 +0000

Imagine a world intricately woven with connections, where information flows like a meandering river of possibilities.

This is the world we currently live in.

In the past, intelligence primarily revolved around strategic knowledge, used by decision-makers to gain advantages, often centred on foreign capabilities, global events, and local concerns, particularly in the military and security spheres.

However, in the world today, intelligence is readily available especially across diverse domains, spanning from supply chain, trade, and finance to culture and education. Advancements in technology have reshaped the definition of intelligence. What was previously the domain of the powerful is now accessible to many.

The Origins of Open-Source Intelligence

Open-source intelligence (OSINT) has its origin within the U.S. intelligence community, tracing back over half a century. Its origins can be traced to World War II, when it was employed to monitor propaganda broadcasts, later contributing to intelligence efforts during the Cold War.

The modern era of OSINT was ushered in with the expansion of the internet, particularly the rise of social media. In the mid-2000s, the Open-Source Centre was established to facilitate the collection and sharing of open-source information among intelligence agencies.

OSINT’s importance was underscored by events like the 2009 Iranian Green Revolution, where social media unveiled a comprehensive view of an uprising despite media blackouts.

As time progressed, the role of OSINT expanded, embracing novel technologies even in the domain of cyber and information security.

The Role of OSINT in the Current Threat Landscape

Open-source intelligence, often abbreviated as OSINT, involves the craft of intelligence gathering and enrichment through publicly accessible information, sometimes for the purpose of security testing by organisations or to understand the threat landscape they may be faced with. This encompasses data available to the public without the need for secret clearances or invasive system penetration.

This data reservoir includes not only openly accessible internet sources and social media but also mainstream media, publications, audio, imagery, videos, and geospatial/satellite data.

Prominent platforms such as LinkedIn, X (previously Twitter), Reddit, Instagram, TikTok, Threads, and Snapchat, coupled with advancements in mapping and satellite technologies, have revolutionised the dynamics of data. These platforms now host an extensive repository of user-generated data, which is harnessed in innovative ways.

Even with the advent of Web 3.0 (blockchain) and Artificial Intelligence (AI), the OSINT framework plays a pivotal role in aiding decision-making, assessing public perception, predicting change, and gathering security intelligence for organisations.

The Importance of OSINT for Security Testing

The evolving threat landscape has given rise to OSINT communities on social media platforms, which provide a wellspring of free education and innovative tools, hosted on GitHub’s open-source platform, for gaining insights into emerging threats and human behaviour, including within organisations.

Its use is not limited to malicious threat actors seeking to gain access to an organisation’s assets and infrastructure, but is also leveraged by law enforcement, governments and organisations for the following use cases.

  • Security and Threat Intelligence: Organisations use OSINT to monitor and analyse potential threats to their security, including cyber threats, physical security risks, and reputational risks. By monitoring online discussions, hacker forums, and social media, they can identify potential vulnerabilities and take proactive measures to address them.
  • Competitive Intelligence: Businesses use OSINT to gather information about competitors, industry trends, and market dynamics. This information can help organisations make strategic decisions, develop new products or services, and stay ahead of their competition.
  • Risk Assessment: OSINT is used to assess risks associated with various activities, locations, or individuals. Organisations can gather data on political stability, social unrest, natural disasters, and other factors that might impact their operations.
  • Fraud Detection: Financial institutions and e-commerce companies use OSINT to identify potential fraudsters and patterns of fraudulent activity. By analysing publicly available data, they can spot unusual behaviour and take appropriate action.

Open-Source Intelligence Tools

There are several OSINT tools used by individuals and organisations for threat monitoring and security testing of their own infrastructure. Some of these include:

  • Maltego: A powerful OSINT tool that provides a graphical interface for link analysis and data visualisation.
  • Shodan: A search engine for discovering Internet-connected devices, including servers, routers, and other networked devices.
  • theHarvester: A tool for gathering email accounts, subdomains, virtual hosts, and open ports from public sources.
  • OSINT Framework: A collection of various OSINT tools and resources categorised for easier navigation.
  • SpiderFoot: An OSINT automation tool that gathers information from various sources, including search engines, social networks, and more.
  • Censys: Another search engine that focuses on identifying devices and systems on the Internet.
  • Recon-ng: A full-featured reconnaissance framework that provides multiple modules for data collection.
  • Amass: A tool for in-depth DNS enumeration and information gathering about target domains.
  • GatherContacts: Specifically designed for finding and collecting contact information from different sources.
  • Photon: A web crawler designed to extract useful information from websites, such as URLs, email addresses, and more.

OSINT Best Practices for Security Audits

It’s important to note that some of these tools should be used responsibly and legally. Always ensure you have proper authorisation before using them on any target. Additionally, the effectiveness of these tools may vary depending on the context and target, so it’s important to understand their capabilities and limitations.

At Risk Crew, we seamlessly integrate Open-Source Intelligence (OSINT) into every facet of our security audits, encompassing threat intelligence and penetration testing. Our approach aligns with the Open-Source Security Testing Methodology Manual (OSSTMM) developed by the Institute for Security and Open Methodologies (ISECOM).

This rigorously peer-reviewed methodology ensures precise operational security characterisation for tasks such as penetration testing and security assessments. By centring our efforts on verified facts, OSSTMM empowers our fact-based decision-making, ensuring that organisations are well-informed in their chosen methodologies.

In a landscape where some accept the status quo, we think deeply, question assumptions, detect cause and effect, and deliver measurable results.


NIS 2 Timeline & Requirements to Minimise Risks
https://www.riskcrew.com/2023/08/nis-2-timeline-requirements-to-minimise-risks/, published Thu, 17 Aug 2023 17:14:38 +0000

NIS 2 Preparedness

It’s getting Risky out there…

The protection of our networks and systems is of utmost importance, now more than ever. Attackers are increasingly sophisticated and attack with increasing frequency and ferocity. Only a Superhero (in the guise of an EU directive) can help us. Is it a bird? Plane? An A.I. drone, gone bonkers?

Nope… it’s NIS 2. You see, the EU is replacing its first Network and Information Systems Directive (NIS 1) with an improved, more robust version: NIS 2.

NIS 2 Summary

What the Hake is NIS 2? In short, a beefed-up, super-sized version of NIS 1. NIS 2 seeks to forge a common, coordinated and cooperative approach. One that improves information security across EU member states and beyond.

What’s changed is that NIS 2 is a lot tougher than its predecessor. It’s also more costly. More complex. But it’s also a smarter way to protect essential and important information assets, keeping what matters running while raising cybersecurity standards across the board. Here’s why it’s going to make a difference: the thing has teeth. Big ones.

Unlike NIS 1, NIS 2 is armed with far heftier fines (and more compliance standards) than its predecessor. Entities within its scope must expect ad-hoc audits, expensive implementation costs and, if they don’t buckle up and comply, eye-watering fines of up to $10 million. Got your attention yet?

The Price of NIS 2 Non-Compliance

At Risk Crew, we never use Fear, Uncertainty and Doubt (FUD) tactics; our goal is to empower with knowledge. However, here are the facts on non-compliance.

NIS 2 introduces new fines as an “incentive” to encourage entities to take security measures seriously (and to report incidents promptly to the competent authorities). For Essential entities, fines could reach up to €10 million or 2% of global turnover, whichever is greater. For Important Entities, it’s €7 million or 1.4% of global turnover.

But financial penalties are not the only cost to consider. Implementing the necessary measures for NIS 2 compliance will require time and considerable expense. Companies should prepare for a dramatic budgetary swell: approximately an additional 12% of existing Information and Communications Technology (ICT) spend for those already subject to NIS 1, and a whopping 22% increase for organisations new to NIS.

Comprehensive Cybersecurity Risk Management

The directive urges organisations to be proactive about risk management. It mandates controls in business continuity and crisis management, supply chain security, incident reporting and supervision. Entities must promptly report any incident that significantly impacts their services to their Computer Security Incident Response Team (CSIRT), issuing early warnings, incident notifications, intermediate reports and final reports within specific timeframes.

That’s the bad news. The good? NIS-2 is designed to enhance cybersecurity across EU member states, with a particular focus on safeguarding critical infrastructure. It’s the information security equivalent of NATO.

Supply chain security is a significant focus area. Entities, regardless of their direct involvement, could be affected because of the mandatory requirements for Essential and Important entities to assess the cybersecurity practices of their suppliers and service providers.

Moreover, in-scope entities are encouraged to incorporate risk management measures into their contractual arrangements, and they are urged to conduct rigorous due diligence when selecting their managed security providers.

There’s an ancient Chinese curse ‘May you live in interesting times’. You don’t need a crystal ball to see that times are already ‘interesting’, and likely about to get even more so. NIS 2 aims to help EU member states weather the coming storm, whatever form that takes.

Who is Affected and What is the Timeline for Compliance?

NIS 2 applies to entities operating within the EU that fall under ‘Essential’ or ‘Important’ sectors, with the exclusion of ‘small’ and ‘micro’ businesses. Essential sectors range from energy and transport to banking, health, digital infrastructure, public administration, and space. Meanwhile, Important Entities include postal and courier services, waste management, food production, manufacturing, digital providers, and research organisations, among others.

[Image: NIS 2 organisations regulated]

Is there a timeline? Yes and no. The timeframe for the transposition of NIS 2 into the national laws of the 27 member states of the EU is 17 October 2024. But this is the deadline for transposition into national law for member states, not the compliance date for entities subject to NIS 2. As yet, the compliance date for entities remains unspecified. The directive advises that ‘Member States shall require entities referred to in paragraph 1 to submit the following information to the competent authorities by 17 January 2025.’ The ‘following information’ requested is much like an application to Companies House and includes basic information only.

What You Can Do Now

Ultimately, the goal of the new directive is to harmonise the cyber resilience of member states and foster a shared understanding of cybersecurity threats and challenges, centring on essential services (and their third-party service providers). In other words: we’re stronger together (but only if we truly cooperate). To start preparing now we suggest:

  • Get familiar with the 10 cybersecurity management measures in Article 21.
  • Educate your senior leadership on the penalties of NIS 2 and get their buy-in on a budget to begin your compliance project.
  • Prepare for training. NIS 2 mandates regular training and risk ownership for all executives.
  • Document your Incident Response Plan. NIS 2 increases obligations for response and shortens timeframes.
  • Assess your supply chain.
  • Create a Vulnerability Disclosure Policy. Put procedures in place to receive vulnerability notifications from third parties.
  • Promote secure DevOps.

Risk Crew can help you start readying your organisation today – and take the preliminary security measures that are required. Get ahead of the game and speak to one of our experts to discuss your NIS 2 readiness.

How to Prepare for an ISO 27001 Audit
https://www.riskcrew.com/2023/08/how-to-prepare-for-an-iso-27001-internal-audit/, published Wed, 09 Aug 2023 12:01:36 +0000

In the world of information security, there are many frameworks and countless guidelines. But among them all, one standard rules them all.

Originating from the Plateau of Gorgoroth in Northwestern Mordor, it towers high above the rest, peering deep into the very hearts of organisations like the Eye of Sauron; controlling information security for all the peoples of Middle Earth.

Ok, maybe that’s a bit much.

Achieving this esteemed certification is no small feat. It involves (alongside an effective risk assessment and treatment process) a diligent and systematic review of your organisation’s information security management systems (ISMS); processes known as internal and external audits.

“The Audit…”

This is a phrase that strikes terror into the hearts of CEOs and Information Security managers everywhere who, like the Balrog facing down Gandalf in the Mines of Moria, fear to hear the words: “You Shall Not Pass!”

Though it’s true that audits guard the gates of ISO 27001 certification, what they require to open is not pain, blood, or a mysterious Elven password. They just require compliance and a diligent Risk Management process.

The Fellowship of the Audit

I know what you’re thinking.

“This is all just a tick-box exercise! Let’s get it out of the way, so we can keep doing business with our overly-fussy partners, who merely require our compliance! …And stop with the Lord of the Rings References!”

The point is that ISO 27001 is much more than mere box-ticking. If deployed properly, it’s a protective forcefield that helps guard your organisation’s sensitive information against potential threats and breaches. Like an Elven cloak. Sorry.

ISO 27001, My Precioussss…

At Risk Crew, we recommend being ISO 27001 compliant. Why? Because it prescribes a tailored, risk-based approach, one that involves an expansive range of controls. These encompass many security aspects, as diverse as physical security and incident management, all the way to business continuity planning and managing your third-party suppliers.

“How will I ensure these controls are effectively deployed and managed?” The answer is simple: a well-chosen set of Key Performance Indicators (KPIs), along with internal auditing. More on those later.

One ISMS Framework to Rule Them All

For many, they read ‘audit’ and slip into a dark and dreamless sleep, never to return, as if they have been poked by a Nazgûl Blade.

But this doesn’t need to happen. The word comes from the Latin root Audire, meaning ‘to hear’. In ancient times, auditors would listen to financial transactions to diagnose issues. Even now, the concept is essentially the same: to thoroughly ‘hear’ what’s up with your organisation. It’s a diagnostic tool and a crucial part of achieving ISO 27001 certification.

But we’re getting ahead of ourselves. Let’s start at the very beginning.

Hobbits to Isengard: The Audit Pathway

An essential aspect of the audit process is understanding (and tackling) non-conformities. A non-conformity arises when there’s a discrepancy between your existing information security management practices and the requirements of ISO 27001.

Identifying them is ultimately about avoiding an information security incident down the road; there is no need to try and hide them. Instead, focus on fixing them.

External auditors would prefer to see you’ve noticed the potential non-conformities and have begun making moves to correct them. Non-conformities are the canaries in your mine. Ignore them at your peril.

Non-conformities vary in severity. Some are minor; pretty easy to fix, whereas others might suggest a deeper, systemic problem that might take the whole team’s best efforts to put right. Prevention though, I’m sure you’ll agree, is always better than cure.

Stage 1 Audit – An Unexpected Journey

During a stage 1 audit, your friendly auditor will be looking at ‘documentary evidence’. This is often called a ‘tabletop audit’, or a ‘document review audit’.

They will look at all the required policy, process or procedure documents. Expect a review of your essential records, like your Information Security Policy, Statement of Applicability and Risk Treatment Plans. This stage will usually be handled by your information security team members. In short, the stage 1 audit is all about ensuring your ISMS is in place.

Stage 2 Audit  – The Orcs Enter the Shire

Stage 2 is all about the details. This stage is a Compliance Audit and more often than not, the auditor will physically visit your HQ.

Their first port of call: auditing the information security team, followed by the remaining departments. The auditor wants to know how you’ve implemented your security controls (and whether they’re working well enough to secure your information assets).

The auditor will want to understand your choices in regard to the security controls you’ve deployed. This is all conversational, but it’s important you and your team are confident and conversant about your choices. The auditor will then meet with senior management before scurrying back into their cave to amass their report. But it’s probably best not to call them Gollum. Most auditors prefer Sméagol.

Stage 3 Audit  – The Return of the King

Generally called a ‘surveillance audit’, this is essentially a follow-up. It’s an annual event and validates that you’re keeping your ISMS alive and well (rather than locked in a basement somewhere). Ask yourself whether you’re focusing on continual improvement (or not); as that’s what the auditor will be asking. Here’s how to get ready for your audit:

  • Understand the Context, i.e., the internal and external factors affecting your organisation.
  • Make sure Leadership are committed and on board.
  • Plan for the audit – Make sure you’re confident about the controls you’ve selected, manage the risks in the register, scrutinise the results of your risk assessment and hone your risk treatment plan. Finally, develop your communication plan.
  • Finish any documentation – Define and implement all policies and procedures (and any other documents such as review and network logs and training records).
  • Schedule your Stage 1 Audit – Now you have all your documents in line.
  • Prepare the Team – Have each team member ready to give genuine examples when asked for evidence. Keep their spirits up and don’t give in to fear, uncertainty or doubt. And don’t drink the emergency brandy.
  • Fill any Gaps – After your Stage 1 Audit, there may be some gaps or issues identified by the auditor. Send this information back to the auditor for review.
  • Schedule Stage 2 Audit – This is the last lap, at the end of which you receive the ISO 27001 Certificate.
  • Party! Now you and the team can open the emergency brandy.
  • Read the Report – The cheat sheet below should help you.

ISO 27001 Audit Report Cheat Sheet

  • Observations: Issues that may not necessarily be non-conformities, but are noteworthy points identified during the audit. These observations can highlight potential areas for improvement or areas that may need attention in the future.
  • Opportunities for Improvement: These findings refer to areas where the organisation is meeting the standard’s requirements, but there are opportunities to enhance the efficiency, effectiveness, or security of the processes and controls further.
  • Positive Findings: These findings highlight areas where the organisation is performing well and is in compliance with ISO 27001 requirements. They recognise successful implementation and adherence to the standard’s guidelines.
  • Negative Findings: Negative findings refer to areas where the organisation is not meeting the requirements, indicating weaknesses or potential security risks that need to be addressed.
  • Major Findings: Major findings refer to significant non-conformities or security weaknesses that require immediate attention and remediation. These could be critical security gaps that pose a high risk to the organisation.
  • Minor Findings: Minor findings are less severe non-conformities or areas of improvement that do not pose an immediate risk but still need to be addressed in the future.
  • Repeat Findings: Repeat findings are identified when the same non-conformities or issues that were previously found in an earlier assessment persist even after corrective actions were taken. These findings indicate a lack of effective corrective and preventive actions.

Get into the Hobbit of Mock Audits

Before the real one, conduct a mock audit along the lines above.

A ‘dress rehearsal’ internal audit and gap analysis will help with both preparedness and confidence. This involves assessing your ISMS to identify potential non-conformities and opportunities for improvement, ahead of the actual audit.

This will help ensure that all relevant documentation, like security policies, procedures, risk assessments, and evidence of control implementation, are all up-to-date and readily accessible.

  • Remind yourself the aim isn’t to annoy everyone in your office. It’s much more annoying when everyone has been locked out of their endpoints and a cybercriminal is demanding £1M in Bitcoin to unlock them again. The idea is to help the cogs of your machine run smoothly and cope when (not if) a spanner is thrown into the works.
  • The audit process is not a one-time event. It’s a cyclic process. If conducted properly, your ISMS should keep improving with age, just like fine Brandywine in a cool Hobbit hole. The aim is to keep it robust and resilient in the face of the ever-growing Orcish army of security threats out there.
  • Training is another great way to prepare you and your team. This includes training on ISO 27001 requirements, controls, internal audit procedures, and who is responsible for what during the audit. Risk Crew provide world-class training, so why not get in touch with one of our experts today for an informal chat?

Thinking of Getting Started with ISO 27001?

]]>
How to Submit a Data Breach Compensation Claim https://www.riskcrew.com/2023/08/data-breach-compensation-and-claim/ Thu, 03 Aug 2023 09:02:37 +0000 https://www.riskcrew.com/?p=18760

What is a Data Breach Claim?

“Someone stole my personal information and I want something done about it now!” 

A very human and natural reaction to theft. If someone steals your car or breaks into your house and steals your personal possessions, you rightly expect the police to come, investigate and hopefully catch the perpetrator and, ideally, return your stolen property. OK, so in today’s age police forces are stretched. A lack of resources means that crimes like this are less likely than ever to be prosecuted successfully. But you can rightly expect to be able to claim compensation from your insurer to cover your losses.

“Surely the same is true of data and information theft? After all, theft is theft, right?”

Well, no, it’s not the same.

Before we go any further: for ease of reading, the terms “data” and “information” are used interchangeably in this post. It’s worth remembering that data is a collection of facts, which in and of themselves have no meaning. Information puts those facts into context. For example, your age is data. Your age and what you read in the last month could be classed as information. Either way, if an organisation loses data or information, they are responsible for it under data protection law.

It can be daunting for an individual to understand their rights in any situation involving the law. The avenues available to you for seeking compensation in the aftermath of a data breach are not simple to navigate. BUT we can help you navigate through them. This post will provide some key insights into data breach compensation and claims in the UK. After reading this, you will be in a much stronger position. Without knowing the law, you can never hope to have it work for, and with, you.

Data Protection Laws in the UK 

The UK was subject to the Data Protection Act (DPA) 1998, which aimed to regulate the processing of personal data. However, with the implementation of the General Data Protection Regulation (GDPR) in May 2018, the landscape of data protection significantly changed. The GDPR provides comprehensive guidelines for data protection, data breach notifications, and the rights of data subjects, enhancing individuals’ control over their personal data.  

Data Breach Notification 

Under the GDPR, data controllers are obligated to report significant data breaches to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. Additionally, affected individuals (data subjects) must be notified if the breach poses a high risk to their rights and freedoms. Proper and timely notification is the key here, as it allows victims to take appropriate measures to protect themselves from further harm. Businesses that process and control personal information are now under quite some pressure to ensure their processes minimise the reach of data being stolen, however, the process still does not make it easy to approach these companies as individuals.  

Establishing Liability for Breaching Your Data 

To seek compensation for a data breach in the UK, individuals must demonstrate that the data controller or processor was responsible for the breach due to negligence or inadequate security measures. Proving liability can be challenging, and it often requires expert legal assistance to build a strong case. You do not have the right to demand investigations or supporting information from the data processor, and in any case these organisations tend to be less concerned about individuals and more geared up for dealing with corporate clients. However, as a data subject who has had data stolen, you do have the right to claim for a data breach. A data breach claim (not the most imaginative name) can be made if any of the following criteria have been fulfilled:

  • The data was lost or stolen in a successful hacking attempt or was lost due to gross negligence on the part of the controller/processor.
  • Your data was sent to a third party without your express permission.
  • The organisation (or individual) had not kept accurate information about you, or it was not kept up to date, and that inaccuracy has caused you material damage (e.g., it cost you money) or non-material damage (stress, personal harm to your reputation) (more on that later).
  • Your data was used “inappropriately”, e.g., a software company that you bought a product from passes your data to a third party who processes it for targeting you with medical insurance advertising.

When and Where to Submit a Data Breach Claim 

One key right you have is one you have always had. It’s the right to discuss the data breach with the organisation at fault. The best advice is to start the process with an expert in data protection law who can step you through the process and give you solid legal advice.  

If you suspect your personal data has been involved in a breach your first step should always be to contact the data processor/controller (ideally via the aforementioned expert) and demand a disclosure of the data that has been breached. Data protection law is quite clear about always first trying to sort an acceptable settlement “out of court”.  

You can then enter into the process of negotiating directly with the organisation (or individual) to secure a satisfactory conclusion. If this proves unsuccessful, you do have the right to take the case to court and seek a legal judgement on your case; however, you must notify the third party who caused the breach of your intention to take the matter to the courts for resolution. You should only do this if all other possible avenues for resolving the matter have been explored, as it is very likely that any cooperation you had with them will be swiftly withdrawn the second they know you intend to “go all legal” on them.

If you are unable to reach a satisfactory conclusion you can apply to a court with an action to enforce your rights under data protection law.  

Compensation and Damages 

If you do decide to “go legal” in the UK, as a data breach victim you can seek compensation for both financial and non-financial damages resulting from the breach. Financial damages may include direct financial losses, while non-financial damages encompass emotional distress, anxiety, and reputational harm. The courts will assess the extent of the harm and determine appropriate compensation accordingly.

From the analysis of previous breach claims in the UK, you can reasonably expect to see compensation for the various types and levels of the breach to be in the region of £2000 for minor breaches up to £42900 for breaches that have caused bodily or emotional harm. Remember these are only approximate figures. The court will determine the exact amount and there are no hard and fast rules for the figure they may come to.  

Initiating a Data Breach Claim 

To initiate a data breach claim in the UK, individuals can pursue various routes, including: 

  • Informal Complaints: Initially, victims can approach the data controller or processor directly to resolve the issue informally. However, if this does not lead to satisfactory results, formal action may be necessary. 
  • ICO Complaint: Victims can lodge a complaint with the ICO, which will investigate the breach and may impose fines on the responsible party. While the ICO can take enforcement action, it cannot provide compensation to individuals. 
  • Legal Proceedings: If informal complaints and ICO complaints do not yield the desired outcome, data breach victims can pursue legal action through civil courts to seek compensation. All the UK courts provide advice and guidance on how to do this on their various websites, but as previously stated you are best served going to a legal expert who can guide you from the start.  

Time Limit for Data Breach Claims 

In the UK, the Data Protection Act 2018 provides a limitation period of six years for individuals to bring a data breach claim before the courts. The time limit typically starts from the date when the victim becomes aware of the breach. 

Challenges in Making Data Breach Claims 

Data breach claims can be complex, and individuals may face various challenges, including: 

  • Proving Causation: Establishing a direct link between the data breach and the harm suffered can be difficult, especially for non-financial damages. 
  • Legal Costs: Pursuing legal action can be expensive, and as a victim, you may be concerned about the costs involved. 
  • Settlement Negotiations: Some data breach cases may lead to settlement negotiations, and victims should carefully consider the terms and conditions of any proposed settlement. In many cases, these can be long and drawn out, taking years to complete.

Is It Worth Making a Data Breach Claim? 

You bet your data it is, if only to keep putting pressure on organisations to manage other people’s data more securely. Is it going to alleviate the pain and distress caused by your personally identifiable information being made public? No, but it might just make it less likely for people in the future.

Furthermore, if your data was breached and you were offered a free credit monitoring service — take up the offer to help protect yourself from threat actors using your stolen data for potential theft. Don’t play the odds – reduce them. 

]]>
ISO 27001: Steps to Write a Statement of Applicability https://www.riskcrew.com/2023/07/understanding-the-iso-27001-statement-of-applicability/ Tue, 25 Jul 2023 15:21:07 +0000 https://www.riskcrew.com/?p=18713

ISO 27001 Statement of Applicability

A central component of becoming compliant with ISO 27001 is creating a Statement of Applicability (SoA). This is a document in which a vast number of controls (defensive policies, procedures, techniques and mechanisms) are considered, and the applicability of each one is weighed up against your organisation’s risks.

While a deeply useful process, it is also labyrinthine. This guide is designed to help you successfully navigate that maze.

Whether your organisation is using ISO/IEC 27001:2013 or 27001:2022, there will be a vast number of controls for you to consider. In the 2013 iteration, there are 114, divided into 14 domains, whereas the updated 2022 version has 93 Annex A controls, 11 of which are new.

That’s a whole lot of controls.

So, What Does This All Mean For Your Organisation?

It means that you must consider every single one of ISO 27001’s controls in your Statement of Applicability. But that’s not all.

Your SoA must include:

  • A description of every single control from Annex A (the identical text)
  • A short description of all additional controls you have applied
  • Justification for each applied control
    • For all applied controls, whether they are currently implemented (or not)
    • For all excluded controls, justification of why they have been excluded.

In short, for each control you must adopt a ‘comply or explain’ approach: you must comply with the control …or explain why you don’t. Although this may seem fairly straightforward, it’s worth illustrating what that would look like in practice.

Sample Statement of Applicability: January 2024

Control   | Title                                     | Implemented? | Justification for Inclusion | Justification for Exclusion
A.5.1.1   | Policies for information security         | Yes          | Risk #03                    | -
A.5.1.2   | Review of the policies                    | Yes          | Risk #04                    | -
A.11.16   | Delivery and loading areas                | No           | -                           | The organisation has no delivery and loading areas or other special access points.
A.14.2.7  | Outsourced development                    | No           | -                           | The organisation does not outsource system development.
A.18.1.4  | Privacy and protection of personal data   | Yes          | Risk #37, Legislation       | -
A.18.2.3  | Technical and compliance review           | Yes          | Risk #52                    | -

In the example above, only the numbers and titles of the Annex A controls are mentioned. However, Clause 6.1.3d requires that you include ‘the necessary controls’ in the SoA. This means the full description of the controls as stated in Annex A.

Your justification for inclusion should match previously identified risks and/or relevant legislation. Justification for exclusion should be that a control ‘does not contribute to modifying a risk’.

Benefits of a Statement of Applicability

Creating a Statement of Applicability serves a few purposes beyond being a requirement for certification.

Your SoA not only acts as a useful register, tracking whether each control has been applied (or not) and implemented (or not), but also allows an at-a-glance method of communicating your information security status with stakeholders, without divulging specific implementation details. Ideally, your SoA won’t reveal specific information that your organisation would be safer not sharing.

Do remember, however, that you are under no obligation to share your SoA with others – although withholding it could raise questions with potentially interested parties.

Finally, your SoA will also be useful as input for your risk treatment plan.

Is ISO 27001 Annex A Sufficient?

You might think that given the horde of controls included in Annex A, the official list would be all you will ever need. But you’d be wrong.

There may be additional controls you might want to include – ones particular to the unique risks your organisation faces.

Often, for smaller companies, the existing Annex A controls are sufficient, but larger organisations sometimes supplement the existing set with many more of their own.

A thorough risk assessment will help you understand for which risks additional controls might be needed. Always start with identifying the risk before deciding on the right control.

Justification for Inclusion

Clause 6.1.3 states that you must justify the inclusion of Annex A controls in your SoA.

You must show ‘correspondence’ between risks and the use of Annex A controls. During stage 2 of an ISO 27001 certification audit, the auditor will want to see ‘correspondence between the determined controls, the Statement of Applicability, the results of the information security risk assessment and risk treatment process, and the information security policy and objectives.’

What to Do If a Specific Annex A Control Cannot Be Linked to One of Your Identified Risks

If this is the situation you find yourself in, you should work on any missing risks (in your risk assessment), then link the newly identified risk to the relevant control.

Doing so can restore the coherence between controls and risks that the standard demands. Any control that does not contribute to modifying a risk should be excluded, along with justification for its exclusion given.

Justifying every control in the SoA might seem time-consuming, but it’s a useful and valuable process. The information can be used for internal audits, as well as help an external auditor assess the suitability and effectiveness of deployed controls.

You should state, as directly as possible, the reason for applying each control. Doing so, helps find correspondence between risks and the controls designed to manage them.

What Do Exclusions Mean in ISO 27001?

Excluding a control doesn’t mean it isn’t in the SoA. The standard asks us to justify any excluded controls.

If you have not been able to identify risks within your scope for which you can apply the control, you may exclude that control. This might mean that the activity or circumstances mentioned in the control, i.e., ‘Delivery and loading areas’, are not present in your scope.

However, if you have identified a ‘low risk’ in your organisation’s risk assessment, this is not a reason to exclude the relevant control. In such a situation, you can express this low risk by translating the generally formatted Annex A control to your own specific control that better suits your organisation.

Implemented: Yay or Nay?

For each control, you must state whether that control has been implemented (or not).

However, this is not as binary as it might appear. The SoA implementation guide states that a control can be ‘fully implemented’, ‘in progress’, or ‘not yet started’. What matters is that the implementation of the control is in progress, is being monitored and has been logged as such. It’s all about awareness, and the SoA is a record of that awareness.

To claim conformity with the Standard, specifically requirement 6.1.3d, your SoA document must indicate whether each control is implemented or not. To comply, all necessary controls should be fully implemented.
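The ‘comply or explain’ rule, the correspondence between risks and controls, the exclusion rule and the three implementation states described above can be checked mechanically once the SoA is kept as structured data. The script below is an added example, not Risk Crew’s own tooling or any official ISO artefact: it encodes those rules as a consistency check over a constructed SoA (the control identifiers reuse those from the sample SoA above; the risk register entries, the status values and the ‘Risk #99’ typo are invented for the example).

```python
"""Consistency checks for an ISO 27001 Statement of Applicability (SoA).

Added example: the rules below are one encoding of the guidance in the
article, and all sample data is constructed, not taken from a real SoA.
"""
from dataclasses import dataclass, field

# The three implementation states named in the SoA implementation guide.
IMPLEMENTATION_STATES = {"fully implemented", "in progress", "not yet started"}


@dataclass
class SoARow:
    control: str                  # Annex A identifier, e.g. "A.5.1.1"
    title: str                    # Annex A title (a real SoA carries the full Annex A text)
    applied: bool                 # True = comply, False = explain (exclude)
    status: str = "not yet started"                      # only meaningful when applied
    justification: list = field(default_factory=list)    # risk ids and/or legislation
    exclusion_reason: str = ""                           # required when applied is False


def check_soa(rows, risk_register, legislation):
    """Return a list of (item, finding) tuples; an empty list means the SoA is coherent.

    Rules encoded:
      - an applied control must cite at least one identified risk or a piece of legislation
      - every cited risk must exist in the risk register (otherwise the assessment is incomplete)
      - an excluded control must carry an exclusion justification and cite no risks
      - the implementation status must be one of the three documented states,
        and anything short of 'fully implemented' is reported
      - a risk in the register that no applied control treats is reported
    """
    findings = []
    treated_risks = set()
    for r in rows:
        if r.applied:
            if not r.justification:
                findings.append((r.control, "applied but not linked to any risk or legislation"))
            for ref in r.justification:
                if ref in risk_register:
                    treated_risks.add(ref)
                elif ref not in legislation:
                    findings.append((r.control, f"cites unknown risk or legislation {ref!r}; add it to the risk assessment"))
            if r.status not in IMPLEMENTATION_STATES:
                findings.append((r.control, f"invalid implementation status {r.status!r}"))
            elif r.status != "fully implemented":
                findings.append((r.control, f"applied but {r.status}"))
        else:
            if not r.exclusion_reason:
                findings.append((r.control, "excluded without justification"))
            if r.justification:
                findings.append((r.control, "excluded control should not cite risks; apply it or drop the link"))
    for risk in sorted(set(risk_register) - treated_risks):
        findings.append((risk, "identified risk not treated by any applied control"))
    return findings


# Constructed sample inputs (labels only; not a real organisation's register).
SAMPLE_RISKS = {
    "Risk #03": "No approved information security policy",
    "Risk #04": "Policies not reviewed",
    "Risk #37": "Unlawful processing of personal data",
    "Risk #52": "Controls not reviewed for compliance",
    "Risk #60": "Unpatched internet-facing servers",   # no control treats this one
}
SAMPLE_LEGISLATION = {"Legislation"}  # label used in the sample SoA for a legal driver

SAMPLE_SOA = [
    SoARow("A.5.1.1", "Policies for information security", True, "fully implemented", ["Risk #03"]),
    SoARow("A.5.1.2", "Review of the policies", True, "in progress", ["Risk #04"]),
    SoARow("A.11.16", "Delivery and loading areas", False,
           exclusion_reason="The organisation has no delivery and loading areas or other special access points."),
    SoARow("A.14.2.7", "Outsourced development", False),           # excluded, but no justification given
    SoARow("A.18.1.4", "Privacy and protection of personal data", True, "fully implemented",
           ["Risk #37", "Legislation"]),
    SoARow("A.18.2.3", "Technical and compliance review", True, "fully implemented",
           ["Risk #52", "Risk #99"]),                              # Risk #99 is not in the register
]

if __name__ == "__main__":
    for item, finding in check_soa(SAMPLE_SOA, SAMPLE_RISKS, SAMPLE_LEGISLATION):
        print(f"{item}: {finding}")
```

Run against the sample data, the check reports four items: A.5.1.2 is applied but still in progress, A.14.2.7 is excluded without a reason, A.18.2.3 cites a risk that is not in the register (the situation the text says should be fixed by adding the missing risk to the assessment), and Risk #60 is identified but treated by no control. The last finding is the one people tend to miss when they only read the SoA top-down.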

Partial Controls in ISO 27001

If a given control is only partially relevant to your organisation, you should reference your information security risk assessment results along with the risk treatment plan. Follow this up with the expected information security risk modification derived from implementing the modified control.

For example, a company might modify control: A.11.2.9 ‘clear desk and screen policy’, because they have no paper documents and only need a clear screen policy. That’s absolutely fine.

In the justification, all that would be necessary is a brief description of how paper documents and removable media are never used, and therefore not applicable. It’s just that simple. The controls are there to suit your organisation – make them work for you.

Can You Include Additional Information in Your Statement of Applicability?

Don’t hesitate to include supplementary relevant information in your SoA. It can be useful for interested parties if you include information such as ‘owners of controls’, or details on how controls are implemented.

ISO 27001 Statements of Applicability for Suppliers

Interested parties can ask to see your SoA, and you can equally ask to see suppliers’. This aids a mutual assurance of how information security is managed.

When you request the supplier’s SoA, remember to check:

  1. The certificate’s expiry date – is it still valid? If not, why not?
  2. The scope: Are the services and products you receive covered?
  3. Which Annex A controls have been excluded and why?

You’re Now SoA Aware – Get Ready for Compliance

Although we recommend you seek the help of an experienced consultancy team, you’re on the right path to understanding the SoA process before you set out on your compliance journey.

In short, it is crucial to remember that each control should be meticulously evaluated for its relevance, effectiveness and alignment with the specific risks your organisation faces.

Whether a control is included or excluded, the justification for the decision is what matters and should reflect your risk assessment outcomes.

Your SoA’s importance extends beyond mere compliance. It’s an effective tool for internal audits, risk treatment planning, and a communication bridge with stakeholders — providing them with a snapshot of your information security status without divulging specific details.

As much as it can seem daunting, developing a robust Statement of Applicability is a valuable process that ensures a robust and tailored approach to managing information security, enabling your organisation to navigate the ever-evolving cyber security landscape with confidence.

ISO 27001 Resources

Compliance Discovery Session

Get a mini-gap assessment and advice from an ISO 27001 expert. Schedule a call or online meeting.

ISO 27001 Guide & Checklist

Learn what documentation and policies are required to achieve certification to the standard.

ISO 27001 Certification Case Study

Read how Risk Crew helped an Agri-food organisation (Agrimentrics) achieve and maintain certification.

ISO 27001:2022 Transition Guide

Accelerate your implementation and/or transition with guidance on the 2022 standard in this guide.

]]>
How to Respond When Data Breaches Hit the Fan https://www.riskcrew.com/2023/07/how-to-respond-when-data-breaches-hit-the-fan/ Wed, 19 Jul 2023 16:23:28 +0000 https://www.riskcrew.com/?p=18528

Not many companies anticipate being the focal point of a significant data breach incident. However, cybercriminals can infiltrate around 93% of businesses within an average of two days. In the third quarter of 2022 alone, approximately 150 million data records were compromised.

In today’s competitive business landscape, companies increasingly rely on data systems like cloud computing and remote working to stay relevant. While these data practices empower organisations, they also expose them, along with their customers and third-party vendors, to additional cyber security risks such as data breaches.

The response of a company to a data breach can have a profound impact on its liability, reputation, and ability to sustain business operations following a cyber incident. This guide will assist you with preparing a comprehensive response plan for potential data breaches.

Common Causes of Data Breaches

Gaining insight into the causes of data leaks and breaches is crucial to understanding their impact. Companies need to recognise that potential data breaches and leaks are more prevalent than they might expect. With a combination of malicious hackers and inadvertent actions by employees, critical incidents are often just a single click away.

Here are some of the most common factors contributing to data breaches:

  1. Phishing
  2. Ransomware
  3. Social engineering scams
  4. Software misconfigurations
  5. Weak passwords
  6. Physical device theft
  7. Third-party breaches
  8. Insider threat

Once cybercriminals breach a company’s files and systems, they have the potential to expose billions of stolen and leaked records on the dark web. This exposes sensitive data, such as personally identifiable information (PII), which can lead to severe consequences like financial fraud or identity theft.

Types of data usually at risk include names, emails, addresses, financial information, bank account details, credit card numbers, social security numbers and other sensitive information.

In the Event of a Data Breach, Companies Typically Aim to Achieve Three Primary Objectives:

  1. Contain the Situation: Swiftly implement measures to prevent the data breach from escalating further, ensuring that the breach is contained, and the damage is mitigated.
  2. Notify Affected Parties and Comply with Regulations: Inform the individuals or entities affected by the breach promptly. This step also involves complying with regulatory requirements, reporting the incident to relevant authorities, and demonstrating a commitment to safeguarding and restoring compromised data.
  3. Remediate and Prevent Future Incidents: Take necessary actions to address the breach, fix vulnerabilities, and eliminate risks to prevent future incidents. Restoring the business to a fully operational state while implementing measures to enhance data security is vital.

Neglecting to Comply with Data Protection Regulations Can Lead to Substantial Penalties, Especially in cases where:

  1. The breach could have been prevented through the implementation of fundamental procedures and policies.
  2. The regulatory body deems the company’s remedial actions insufficient following the discovery of the breach.

Here’s What Companies Should Do Immediately After Detecting a Data Breach:

1. Act Quickly

Don’t panic but act quickly. It is crucial to act promptly to minimise the extent of the damage. Immediate implementation of a comprehensive disaster recovery and incident response plan is necessary to contain the security breach, safeguard personal data, and protect customer information.

Timely action should also involve close collaboration with relevant law enforcement agencies to bring the situation under control and ensure compliance with reporting requirements and legal obligations.

It’s important to note that by the time a data breach is discovered, the systems may already have been compromised for a considerable period. On average, the lifecycle of a breach, from its initiation to containment, spans around 277 days, and a significant portion of that time elapses while the organisation is still unaware that a breach has occurred.

2. Contain the Breach

In 2022, it took an average of more than two months to contain a data breach. Again, don’t panic, but do respond promptly and implement measures to restrict further access to critical systems. Here are the recommended actions to achieve this:

  1. Disconnect all connected networks, systems and devices from the access point: In cases where the source of the breach is uncertain, it is crucial to swiftly disconnect all components from the access point used by the malware or threat actor. This proactive step helps contain the attack and limit its impact. However, it is important to exercise caution and seek expert guidance before shutting down compromised machines to avoid unintended consequences.
  2. Gather comprehensive information: During the data breach response process, it is imperative to gather relevant evidence and focus on identifying compromised systems and servers. By doing so, the IT team can isolate the affected components and gather valuable insights for conducting a thorough cyber forensic analysis. This analysis helps in understanding the unauthorised access methods used by the attacker.
  3. Restrict access to critical systems: Upon detecting a data breach, it is essential to swiftly restrict or remove access to critical data. This ensures that only authorised personnel who genuinely require access can interact with sensitive information. Additionally, this action provides an opportunity to strengthen security measures by updating firewalls, antivirus software, anti-malware tools, and other security software.
  4. Reset passwords: If the breach originated from a compromised employee account, it is advisable to reset passwords for the entire organisation as a precautionary measure against further potential compromises. Regular password resets every six months to a year can significantly enhance security and mitigate the risk of future incidents. Implementing multi-factor authentication (MFA) also adds an extra layer of protection to password security.
  5. Seek expert assistance: Engaging the expertise of specialist IT teams or data forensics teams is highly recommended. These professionals can assess the situation, determine when the breach is contained, capture system images, conduct a detailed analysis of evidence and ascertain the extent of the breach. Seeking guidance from a legal firm can also provide valuable advice on when it is safe to resume normal business operations.
  6. Perform a damage assessment: Once the affected systems have been quarantined, the incident response team must initiate a thorough investigation into the security incident and the extent of data compromise. By enlisting the expertise of forensic investigators or trained IT professionals, valuable insights can be gained regarding the specific type of information that was compromised and the potential impact on the records and individuals involved.

Furthermore, this stage of the investigation provides an opportunity to evaluate the effectiveness of network segmentation in preventing unauthorised access from one server to another. By analysing the breach and its impact on different segments of the network, valuable lessons can be learned about the strengths and weaknesses of the existing network segmentation measures.

3. Determine the Source

Intrusion detection system (IDS) and intrusion prevention system (IPS) software automatically log security events, allowing users to pinpoint the location and time of the breach. While this is possible without such systems, gathering the information manually is more laborious and costly.

The damage assessment should identify whether the breach resulted from human error or a software misconfiguration. Understanding the cause, the location (internal or external) and which users had access helps prevent a recurrence.

To pinpoint the breach, compile a list of users with access to the compromised systems. Logging software can reveal which network connections were active during the breach.
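The log-driven part of this step, as an added example that is not Risk Crew’s tooling: a Python script that reads constructed sshd authentication lines from two flagged hosts and a constructed firewall connection log, finds the first accepted login to a flagged host from outside the internal range (the breach start), counts the failed attempts from that source that preceded it, lists every account that logged in to the flagged hosts during the breach window, and lists the connections that touched those hosts in the same window. The hostnames, IP addresses, the 10.0.0.0/8 internal range and the containment time are assumptions for the sample.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sshd-style auth lines from the two hosts the IDS flagged (sample data).
AUTH_LOG = """\
2023-09-01T08:02:11Z web01 sshd[1211]: Accepted publickey for alice from 10.0.5.20 port 51822
2023-09-01T22:41:03Z web01 sshd[4410]: Failed password for bob from 203.0.113.9 port 40021
2023-09-01T22:41:07Z web01 sshd[4410]: Failed password for bob from 203.0.113.9 port 40021
2023-09-01T22:41:15Z web01 sshd[4412]: Accepted password for bob from 203.0.113.9 port 40022
2023-09-01T23:05:40Z db01 sshd[902]: Accepted password for bob from 10.0.5.77 port 33100
2023-09-02T07:30:00Z db01 sshd[950]: Accepted publickey for carol from 10.0.5.21 port 51900
"""

# Constructed firewall connection log: timestamp,src,dst,dst_port,action (sample data).
CONN_LOG = """\
2023-09-01T20:00:00Z,10.0.5.20,10.0.5.77,443,allow
2023-09-01T22:42:00Z,10.0.5.77,198.51.100.40,443,allow
2023-09-01T22:50:30Z,10.0.5.77,10.0.5.78,5432,allow
2023-09-02T06:00:00Z,10.0.5.21,10.0.5.78,5432,allow
"""

# Hypothetical asset inventory (hostname -> IP) and the assumed internal range.
HOST_IPS = {"web01": "10.0.5.77", "db01": "10.0.5.78"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_ts(text):
    """ISO-8601 timestamp with a trailing Z -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_auth(log):
    """Turn sshd lines into dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = parse_ts(d["ts"])
            events.append(d)
    return events


def parse_conn(log):
    """Turn CSV connection lines into dicts."""
    events = []
    for line in log.splitlines():
        ts, src, dst, port, action = line.split(",")
        events.append({"ts": parse_ts(ts), "src": src, "dst": dst, "port": int(port), "action": action})
    return events


def find_breach_start(auth, compromised_hosts):
    """Earliest accepted login to a compromised host from outside the internal range."""
    hits = [e["ts"] for e in auth if e["host"] in compromised_hosts and e["result"] == "Accepted"
            and ipaddress.ip_address(e["src"]) not in INTERNAL_NET]
    return min(hits) if hits else None


def users_with_access(auth, compromised_hosts, start, end):
    """Accounts that successfully logged in to a compromised host inside the window."""
    return sorted({e["user"] for e in auth if e["host"] in compromised_hosts
                   and e["result"] == "Accepted" and start <= e["ts"] <= end})


def connections_in_window(conns, compromised_hosts, start, end):
    """Connections that touched a compromised host's IP inside the window."""
    ips = {HOST_IPS[h] for h in compromised_hosts}
    return [c for c in conns if start <= c["ts"] <= end and (c["src"] in ips or c["dst"] in ips)]


def failed_attempts_before(auth, start, src):
    """Failed logins from the suspect source before the first accepted one (brute-force indicator)."""
    return sum(1 for e in auth if e["result"] == "Failed" and e["src"] == src and e["ts"] < start)


def build_timeline(compromised_hosts, contained_at):
    """Summarise entry point, accounts involved and lateral connections for the damage assessment."""
    auth, conns = parse_auth(AUTH_LOG), parse_conn(CONN_LOG)
    start, end = find_breach_start(auth, compromised_hosts), parse_ts(contained_at)
    first = next(e for e in auth if e["ts"] == start)
    return {
        "breach_start": start.isoformat(),
        "entry_host": first["host"],
        "entry_account": first["user"],
        "entry_source": first["src"],
        "failed_attempts_before": failed_attempts_before(auth, start, first["src"]),
        "users_with_access": users_with_access(auth, compromised_hosts, start, end),
        "connections": [(c["ts"].isoformat(), c["src"], c["dst"], c["port"])
                        for c in connections_in_window(conns, compromised_hosts, start, end)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_timeline({"web01", "db01"}, "2023-09-02T08:00:00Z"), indent=2))
```

On the sample data the entry point is bob’s password login to web01 from 203.0.113.9, preceded by two failed attempts; bob then reaches db01 from web01, and the connection log shows web01 talking to an external host and to the database port on db01 within the window. Those are exactly the two lists the text asks for (accounts with access, connections active during the breach); in a real environment the inventory and internal range come from the asset register, not from constants.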

4. Identify and Fix Vulnerabilities

Understanding the origin of a data breach is essential for effectively addressing risks and vulnerabilities. Real-time threat detection and response tools can be invaluable in this regard, even if they were not previously installed or active during the breach.

During the data breach response process, organisations must assess their entire attack surface. This includes monitoring for potential vulnerabilities across their systems as well as the environments of third-party vendors. A comprehensive data breach response plan should outline the critical aspects of the system, enabling prioritisation of security solutions. It is important to strike a balance between short-term and long-term solutions to minimise damage and expedite recovery.

5. Inform Relevant Parties

Here are the main parties to notify following a data breach:

  1. Regulatory Bodies and Law Enforcement: Depending on the industry, the nature of the breach, and the impact of the data loss, a company experiencing a data breach may be obligated to inform the appropriate law enforcement agencies to ensure compliance with federal or state laws. Data protection regulations such as the Data Protection Act 2018, the General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act 1996 (HIPAA) specify timeframes for reporting data breaches. The company’s notification should provide timely, comprehensive, and transparent communication regarding the breach details, its causes, and the remedial actions taken.
  2. Customers, Clients and Stakeholders: After reporting the data breach, the company must devise a plan for notifying the individuals impacted and providing an explanation of how the cybercriminals gained access to the data and exploited the stolen information. Contact information should be supplied for any further inquiries related to the incident. Swift notifications enable affected parties to take necessary measures, such as changing passwords and reaching out to credit bureaus like Equifax for credit reports, ongoing monitoring and fraud alerts. Some affected organisations may offer complimentary credit monitoring services to data breach victims. Prioritising communication with stakeholders is also essential, as it demonstrates the company’s prompt and effective response, safeguarding its reputation and earning stakeholder trust.
  3. Cyber Insurance Companies: It is strongly advised for companies handling sensitive data that they cannot afford to lose to consider obtaining cyber liability insurance. While cyber insurance does not prevent data breaches, it provides coverage for the financial losses incurred because of such breaches.
  4. Staff and Third-Party Entities: Apart from notifying customers, clients, business partners, and authorities, companies must inform their internal staff as well. Building trust within the organisation is equally important. The internal communication should provide a comprehensive overview of the incident and outline the steps being taken to address the issue. Furthermore, companies should inform any third-party agencies that have been affected by the breach. If the breach involved account access information that is not maintained by the affected company, the organisation responsible for maintaining those accounts should be notified.

6. Test Cyber Security Defences 

After completing the data protection procedures, you should assess the effectiveness of your security measures and determine if they would withstand future attacks. The implementation of new cyber defences should address any identified issues and update policies and procedures accordingly, to be prepared for potential cyber-attacks or data breaches.

To ensure that the vulnerabilities no longer pose a significant risk, the organisation should conduct penetration testing and ethical hacking. This testing verifies that it is no longer possible for another attacker to replicate the original method of compromise. Regular annual testing should be conducted to stay prepared against emerging threats and to ensure that all software has appropriate safeguards in place.

7. Implement New Data Security Policies and Procedures 

After experiencing a data breach, the company must conduct an internal review of its policies and identify any security gaps that may have contributed to the incident. If such gaps are identified, the security measures should be revised to minimise the likelihood of a similar incident occurring in the future. Clear and comprehensive incident response plans should be in place, covering all aspects of the company’s attack surface and providing specific procedures to follow in response to any incident. If any of these plans are unclear, it is necessary to consider rewriting them.

Furthermore, business continuity and disaster recovery plans are vital to ensure the company’s ability to continue operating after a data breach. Regular reviews of all plans – incident response, business continuity, and disaster recovery – should be conducted to keep them up to date.

Companies that have well-prepared incident response plans have significantly reduced data breach damage costs compared to those that must react and learn on the fly. On average, prepared companies have incurred $2.66 million less in costs than the worldwide average.

It is also beneficial for companies to have a designated individual or team, such as a Chief Information Security Officer (CISO) or Chief Information Officer (CIO), to lead the response efforts. This individual or team can assemble dedicated IT security response teams to safeguard customer data.

Most importantly, plans should be practised. You should have regular ‘dress rehearsals’ to measure your team’s readiness — the time it takes to identify a breach and respond. If this isn’t something you’ve done internally yet, a good place to start is by attending a training course that simulates real scenarios and tracks effectiveness and response times.

Embrace Risks Before They Hit the Fan

The importance of a data breach response plan cannot be overstated in today’s digital landscape. The increasing frequency and sophistication of cyber-attacks pose significant threats to organisations of all sizes and sectors. By defining roles, responsibilities, and communication channels in advance, an incident response plan ensures a coordinated and organised approach during the critical moments following a breach.

PII Principles of GDPR for Small Businesses: Navigating Data Protection https://www.riskcrew.com/2023/07/ppi-principals-of-gdpr-for-small-businesses-navigating-data-protection/ Thu, 13 Jul 2023 11:53:35 +0000 https://www.riskcrew.com/?p=18499

“So, all we have to do to implement these 11 chapters containing 91 articles in 261 pages of data protection regulation and all our worries about our clients, staff and suppliers’ Personally Identifiable Information (PII) will be over?”

“Yes, that’s it.”

“Jess how long have you worked here?”

“Erm, 20 years since last spring.”

“How many people work here Jess?”

“About 60.”

“Jess, who is going to do it?”

“I don’t know, but someone has to!”

“It’s about IT isn’t it, Jess?”

“Well, it’s a bit more complicated than that…”

“Jess, you’re the IT person, come back when you have done it!”

Sound Familiar?

GDPR Requirements – The Must Do’s

The General Data Protection Regulation is a hard sell, even to a large organisation. Unfortunately, or fortunately, it’s a necessary one. Why? Here are just a few reasons:

  • You must obtain an individual’s permission to process their data.
  • You must ensure any data you collect and keep is kept to a minimum, and is anonymised where possible and necessary.
  • You must tell the Information Commissioner’s Office (ICO) if an individual’s data was stolen or lost.
  • You must be careful of how you transfer data. This applies both in UK Law (under the DPA 2018) and in Europe (under the GDPR).
  • You must provide a mechanism that allows individuals to request what personal information you hold about them.
  • You need to ensure processes are in place to allow individuals to be “forgotten”.

These are just some of the directives included in the 91 Articles of the GDPR alone. When you consider that these are MUSTs, it can be a daunting read and one that sends shivers down the spines of SMEs’ IT directors.

And there is a very good reason why. Data Protection is not just about IT.

So Where Do You Begin with PII Compliance?

A simple place to start is to define what your Information Assets are. Information about people is where you should start, as the primary goal of the GDPR is to protect the privacy of individuals and protect them from personal data breaches. It states very clearly that individuals have “the fundamental right” to privacy and data protection.

This is a very good thing. Just imagine a world where your data was not your own. Your digital footprint was at the mercy of everyone else. You had no rights to protect your anonymity and there was no way of finding out what information any organisation (be it law enforcement right down to a guy in his back bedroom sending out videos of his cat that you like) holds about you.

You might be feeling that this does not apply to you as a small business. You may also be feeling that what you do as a business means that you don’t process or control the information that the GDPR is concerned with. You may feel like the required security measures are unattainable in your organisation.

I am willing to bet a free day’s consultancy with Risk Crew that you process far more PII than you realise. Do you hold the names, phone numbers and addresses of customers? Then it applies to you.

It’s not all bad news. The regulation does make some concessions for micro, small and medium-sized enterprises.

“To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation.”

The text quoted above is not in the GDPR itself; it sits in Document 32003H0361 on the European law site. And herein lies the main problem. The reason the GDPR and DPA guidelines are so impenetrable is that they MUST take account of other laws and regulations (in many cases, ones written many years earlier) that were already in place before the regulations were implemented. For example, the aforementioned Document 32003H0361 was written into law on the 6th of May 2003.

What Does Document 32003H0361 Mean to You as a Small Business?

It means that the GDPR and DPA are both not written in a way that makes them easy to understand, let alone easy to implement. But there is a very simple way to cut the problem down into smaller chunks.

Make sure:

  • You know what data and information you are processing.
  • You understand what subset of this information and data is PII.
  • You establish what subset of the PII carries a special category PII.
  • You have the basic mechanisms in place to service the rights of the individual subjects of this PII.

Treat Data as If It Was Your Own

This may seem like scaremongering, but at its heart, the GDPR and DPA are there for the safe processing and controlling of your own personal data too! So, it makes sense to be both aware of it, and where you see other individuals’ data and information, you control and process it in a way that you would expect your own personal data and information to be managed.

The main issue in implementing Data Protection policies and processes in SMEs is the time and resources needed. The aforementioned IT person “Jess” now has a whole new tranche of work to do. What is even more frustrating is that Jess was right: it’s not just an IT thing. Although a vast amount of business transactions are carried out using technology, the technology is only the container and carrier of the information. The contents are PII. These could just as easily be on a piece of paper in a sealed envelope being mailed somewhere, with the carrier being the Royal Mail and the container being the envelope, rather than a packet of data being sent over fibre optic cable. Your responsibilities are the same because the content is the same: it’s someone’s Personally Identifiable Information.

Not Sure Where to Start Within Your Organisation?

If this all seems a bit too much to take on board, why not ask for a GDPR gap analysis from Risk Crew? We talk in plain English, have done this many times before and are happy to help you and your “Jess” on your data protection journey.

If you don’t have an internal resource like Jess, we can provide a DPO as a Service option. This allows you to have a dedicated consultant as much or little as needed to help get your compliance on track.
