If you’re not using two-factor authentication for cloud applications in your organization in the UK, you may be risking a fine.
See my 'No two-factor authentication is like asking to be hacked?' post for further insights on securing cloud apps, especially using Multi-factor authentication (MFA).
The ICO revised their ‘A Practical Guide to IT Security’ document; while it is aimed at small businesses, the advice is really universal.
The ICO have provided this guidance with “10 practical ways to keep your IT systems safe and secure”.
A reminder of the ICO’s authority and reach with these matters:
Breaches of data protection legislation could lead to your business incurring a fine – up to £500,000 in serious cases. The reputation of your business could also be damaged if inadequate security contributes to high profile incidents of data loss or theft.
Most businesses are using cloud applications in some capacity or are considering doing so with services like Microsoft Office 365 or Salesforce being very popular. The ICO have a section on “Secure your data in the cloud” with guidance on how to protect these systems.
There are a wide range of online services, many incorporated within today’s smartphones and tablets that require users to transfer data to remote computing facilities – commonly known as the cloud.
Processing data in the cloud represents a risk because the personal data for which you are responsible will leave your network and be processed in those systems managed by your cloud provider. You therefore need to assess the security measures that the cloud provider has in place to ensure that they are appropriate.
However simplified, I think most of us would agree with this assertion, as well as with what the ICO suggests businesses can do about it:
Make sure you know what data is being stored in the cloud as modern computing devices, especially those targeted at consumers, can have cloud backup or sync services switched on by default. Consider the use of two-factor authentication especially for remote access to your data in the cloud.
The last sentence is what sparked my interest. Bear in mind this is advice for small businesses, which typically comprise 50 staff or fewer.
The ICO are effectively recommending two-factor authentication even for these small entities. That being the case, surely bigger enterprises must seriously consider two-factor authentication for cloud applications as well.
Without getting into the finer points of the Data Protection Act, organizations have to have an appropriate level of security for the type of personal information they hold. Principle 7 is all about security.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Two-factor authentication is an entirely proportionate security measure that is well placed to protect access to cloud-based applications.
The ICO will rarely dictate all the security measures you have to have in place, that's your job! You as an organization and a data controller must put in the right measures to mitigate potential data breaches.
With daily news of fresh data breaches, isn't it time you secured your cloud applications and gave your staff the ability to truly work from anywhere securely?
See the ICO - A Practical Guide to IT Security document for more top tips on security.
Image credits: ICO ‘A Practical Guide to IT Security’ cover & '8 data protection principles' postcard
I am a firm believer
If the company you worked for wouldn’t properly protect their cloud-based apps, what would you do?
See my more recent post as well - 'Use Two-Factor Authentication for cloud applications or risk fines and data breaches' - for more commentary.
Learn what you can do to tackle ransomware and protect your business from this threat. A recent story about an open source ransomware kit illustrates the reach of malware. Here I cover the 'Magic' crime kit and tips on how you can protect your business from this menace.
Ransomware is everywhere, not only hurting consumers but hitting businesses hard as well. In the UK, according to a recent report, ransomware was responsible for 42% of UK security breaches in 2015. This isn't that surprising: businesses aren’t immune to these threats.
The level of sophistication with ransomware varies, with CryptoWall and TeslaCrypt among the big hitters in the ‘business’. Then there are more homemade solutions, reusing code or kits from wherever they can be obtained.
Utku Sen, a Turkish security researcher, released an open source ransomware kit, EDA2, on GitHub. He was hoping it would be “suitable for education and attack simulation for companies” and used for good.
However, this wasn’t just a few lines of code: EDA2 came with working code, including instructions on how to customize it. Also included was an admin panel to set up a command and control (C&C) server. This is where all the encryption keys were sent, making it a complete crime kit.
What was meant as an educational tool became known as ‘Magic’ ransomware. This was used by criminals, infecting PCs and holding data for ransom. Ultimately Utku Sen
The plot thickened when Utku Sen himself was blackmailed: if he withdrew his other ransomware education project, hidden-tear, also on GitHub, the ransomware operator would provide the Magic encryption keys so victims could get their data back for free.
“After further discussions, the blackmail attempt turned into full-on negotiations, but Utku Sen and the ransomware operator have come to an agreement. Utku will take down the Hidden Tear repository in three days while the author of the Magic ransomware will provide all the encryption keys for free for the next 15 days.”
So a happy ending of sorts but one that illustrates the toxicity of this threat and how pernicious these attacks are.
If, as a business, you haven’t been attacked, well done. More than likely though, most businesses will get hit sooner or later. As an IT Pro, there are certain steps you can take to help mitigate ransomware, which I have outlined below:
Ransomware is a menace and is evolving rapidly; you can reduce the likelihood of the damage it can inflict on a business by following some of the steps I have outlined above.