GDPR and Data Breaches – Live Interview Now

Transcript of the Video

Suzanne Dibble:
Okay, so now, I started that again. I've rotated my screen. No, not letting me. Not having any of it.

All right guys, well, the tech gods are not my friend this week. I'm going to have to try and balance that on there like that and hope that it stays. It's a bit precarious but it's not letting me rotate it either way for some reason, which is very annoying. All right, I'm going to hold it. Hello Mord, thanks for bearing with me and coming back on. Nice to see you.

Today we're going to be talking to our resident, well, another resident security expert. It seems that we have a few and I'm very grateful, very grateful to them because this is an area that I don't know much about at all, actually. So very, very grateful to Stuart Brown, who's going to be joining us today to talk about data breaches and what we need to do.

Well, A, what we need to do to guard against a data breach in the first place. Secondly, how we're going to know if we've had a data breach. And thirdly and very importantly, what do we actually do if we're in the very unfortunate position of having had a data breach take place.

So, I'm going to bring Stuart on to the camera now and maybe if I bring you on Stuart, then maybe it will let us go side by side, and it will let me have my phone the way that I want to have it. So, let’s try and bring you on.

Okay, bring Stuart on to the camera. Okay, it's thinking about that. There we go. Hello Stuart.

Stuart:

Hi, How you doing?

Suzanne Dibble:

Aside from the tech problems, all good. But it would be fair to say the tech problems this week have been driving me mad. So, it's not been a good week for tech problems. That is for sure.

I'm just going to see if can I now rotate this? No, it's still not working. It's very frustrating because I've done exactly the same set up many, many times before and it's been absolutely fine. But hopefully people will be able to see us side by side on the screen. Let me just check how people can see that in the group.  Okay, it's still got a bit of catching up to do in the group.

So, Stuart. Aside from the tech problem, thank you so much for joining us today. You've been very helpful.

Stuart:

Welcome.

Suzanne Dibble:

Very helpful in contributing to some of the discussions in the group that have more of a security aspect. So, thank you very much for that. And you have very, very kindly agreed to give some of your time today to talk us through the position on data breaches.

Which hopefully, nobody in this group is going to find themselves in the position of having a data breach, but it's something that we all need to know about. Not have to deal with it, but the first step of how do we actually stop it happening in the first place.

So, thank you very much. I'm going to ask you some questions. We'll just have a really informal chat and I'm sure the group will benefit hugely from your huge expertise in this area.

Wanted to say a few words about you and your experience in this and why we should know that you are the absolute expert in this area.

Stuart:

Well, I've been in IT for what, over 30 years. Worked in all kinds of different organizations. So, different projects, technical architects, and lastly in the last two or three years just specializing particularly in the security aspects, ethical hacking. And a couple of years ago the government introduced the Cyber Essentials scheme. Which is something that all SMEs should be aware of, because it's now becoming part of the supply chain requirements, particularly in government contracts.

So, if you supply into, like, the NHS or any of the civil service, they're now making it a requirement that suppliers have to be cyber aware and, through that, have gone through an accreditation, which is Cyber Essentials at a very basic level for a small business, up through Cyber Essentials Plus and then on to others.

Suzanne Dibble:

Oh my word. And I thought it couldn't get any worse. But it seems to have frozen mid-flow. So, let's see if we can get Stuart back.

You there, Stuart?

Stuart:

Yeah, no.

Suzanne Dibble:

Okay, great.

Stuart:

Sorry, I just got a call.

Suzanne Dibble:

Yeah, that's happened to me before as well. Okay, I'm glad it's nothing more serious than that.

Stuart:

Yeah, sorry about that. Yeah, I'm just doing this on my phone, so I'm not ... it's interrupting me.

Yeah, so 18 months ago ... are you there?

Suzanne Dibble:

Yes.

Stuart:

You're wobbling quite a lot.

Suzanne Dibble:

It's just, I know. This is just terrible and also I've noticed I've looked at me.  I'm recording on my iPad and you're appearing in this little kind of bubble above my head, which is not the best format at all. So, I'm wondering if I could actually do it on my iPad and that might work. But, honestly, this week has just been a tech disaster, it would be fair to say.

I'll ask you a question. You can be talking about it and I'll experiment with my iPad and see if it's going to work on there, okay.

So, my first question is ... so, bear in mind that most people listening to this are not the likes of Facebook or a big multinational or anything like that.

What are the things that we, sort of reasonably small, online business that isn't doing much with data more than marketing, probably? Maybe they're doing a bit of Facebook ads, but there's no processing of large volumes. There's no sensitive data. There are no apps passing data between third parties, that kind of thing, other than your sort of usual processes, like Facebook and people like that.

What are the risks, I suppose, is the first question. What are the risks of a data breach? Because I'm sure that there are probably a lot of risks other than just the fact that somebody wants to hack in because they perceive that there's valuable information there. So talk us through the risks. What are the risks and how concerned, as small business owners, do we need to be about data breaches?

Stuart:

Well, the risks are, well, varied, but it depends on your actual business as to whether the risks that you take are commensurate with what's classed in the GDPR. But, in essence, the primary concerns of small businesses are the loss of equipment. So you leave your laptop on a train or it's stolen. The first principle is knowing as a business what data you have, where that data is, and what it's stored on.

So, if you lose a device, or if you have a data breach, or somewhere you click on a phishing email or that, in effect, invites intruders into your machine or into your home network or into your small business network. What are they going to find, how are they going to find it, and how are you going to know they're going to be there.

So, the first thing under the GDPR is that you need to know what data you have, where it is. And if you haven't done an exercise in knowing where the data is in your organization and subcontracts, etc., then how do you know you've had a data breach?

If you don't know what data's there you don't know if it's potentially been stolen or it's impossible to work out whether it has been stolen. So, the start of my whole recommendation for any business is to know and understand what your data is, where it is, and who potentially has got access to it. Because many data breaches do occur from either employees or third party suppliers who have access to that data.

So, if you have a website, and you potentially use it for marketing or you may need an e-commerce site, then there are even more steps that you need to take care of in terms of you said third party, particularly data processing agreements that they're in place and you know where your data is.

So, that's the most important thing is to know what your data is, where it is, and who's got access to it.

Suzanne Dibble:

Okay, so that's good, because the starting point in my pack is the data inventory, which will give you a really good overview as to what the data is, where it's been transferred to, that kind of thing. So, in terms of, I just want to talk about the general security risks, then. So, we can all just get a handle on that.

So, in terms of an online breach, I mean we know there's the kind of breach if where like an employee leaves some printed out copies on the train and someone steals it and everyone's heard of that. But, in terms of someone actively hacking in or doing something like that or, I mean, a breach is a loss of data as well. So, if there's a problem with, I guess, a hosting company or something like that even, that would still be classed as a data breach. If -

Stuart:

Yeah, I'll just read you the definition from the ISACA website. A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed in connection with the provision of a public electronic communication service. Bit of a mouthful.

Suzanne Dibble:

So, pretty all encompassing, isn't it? So, it's clearly -

Stuart:

It is and -

Suzanne Dibble:

... not just talking about where somebody actively hacks in to want to try and steal the data. It's much wider than that.

Stuart:

It's who's got access and why. In your business case, do they have access to that data? So if you employ two or three people or two or three subcontractors, it's having to find the lines of which, what data they have access to, what their ... if, for example, you use a courier company and they have personal details of deliveries to customers, how long do they keep that data for, when does it get destroyed. Knowing your entire supplier model, as well as your customer model, as to what agreements are in place, and what data transfers in and out of each sort of. Whether it's a website. Whether it's your email system. Whether it's just your spreadsheets that you're keeping track of things on. Who's got access to them is very important.

So, if you have a mate down the street who helps you out with technical problems, is it, they become a processor of your data. And have had access to it. So, you've got to be very careful in terms of the definition of the terms by the ICO and what you do as ...

Suzanne Dibble:

Yeah, absolutely. So, I'm thinking about things like if a business is storing holiday data, for example. If there were people targeting that so that they know when people are on holiday so that they could go and break in. That's ...

Stuart:

Yeah, absolutely. There's all manner of ways, I mean, if you like, what's called social engineering is where the sort of hacking groups and data thieves sit and they analyze people and what you're doing on social media and what you're doing, if your settings are secure within that.

You may have an out of office notice on your Facebook page. That's probably not a good idea, in terms, if you're going on holiday and who the owners are. It really starts, if you have a web presence, i.e. you have a website, a domain in your business name, it really starts there. Because if you have registered under your personal name, then the domain name registration will have your personal details.

A lot of people, they kind of forget about it because they registered it three or four years ago. Nobody really took any notice. So, when people want to socially engineer whether you're a likely target for a data breach or phishing email scam or things like that, which often solicitors are, people who work in the health industry supply chain, medical practitioners, things like that. Then you have to understand exactly what data you put out there.

And if you put out personal data in your domain settings, then you need to take steps to rectify that, as well as who you use as suppliers for IT support, for web hosting. Whether they're reliable, do they operate out of a bedroom, or are they a fully-fledged IT company with proper security processes.

So, you have to look at, it's back to the start. What data you have, where you have it, where you've given it away, how to retrieve that information, how to subscribe to privacy. I mean, most domain name registrations have privacy options so that you can hide your personal details. Have you done it? Many, many, many thousands of things are still open in terms of having personal contact details in there.

Suzanne Dibble:

Absolutely. Can you still hear me, because I'm ...

Stuart:

I can still hear.

Suzanne Dibble:

Can you still hear me?

Stuart:

Yeah, I can still hear you.

Suzanne Dibble:

Because basically the headphones are loud, so I can put the phone on the tripod because my arm was there too. But you can still hear me?

Stuart:

Yeah.

Suzanne Dibble:

You can still hear me? Good. Okay. Awesome.

Stuart:

I can.

Suzanne Dibble:

So, I suppose what the message I want to really get people to understand is, how much of a risk it is. Because I don't want to give people sleepless nights about there being a data breach, but we need to get some kind of sensible risk check on how likely it is. I don't suppose you know -

Stuart:

Yeah, I mean -

Suzanne Dibble:

I don't suppose there are any stats out there, are they, about the size of the business and the number of data breaches out there, but I'm...

Stuart:

Well, not in terms of the number of breaches, but the interesting statistic that comes out in a lot of cyber security presentations is how long it is before someone realizes they've been breached. Now the UK average is over 220 days, so, before somebody actually realizes you've been breached. Now, if you liken that to your house and home security, it's like leaving the window open for 220 days and not knowing who's come in and who's gone out, or the back door open.

When somebody gets into a system, through various things like either phishing emails and things like that. You've clicked on a link, you downloaded a file. It contains malware or some kind of baddie inviting somebody into your network. They can sit there and basically go undetected for a good while.

Suzanne Dibble:

And how does that -

Stuart:

It's very difficult once somebody's ...

Suzanne Dibble:

Sorry, there's a delay on the line. How does it normally come to the -

Stuart:

There is.

Suzanne Dibble:

... attention. When there is a data breach, how does it normally come to somebody's attention? How does it come to say the small business owner? How does it typically come to the attention?

Stuart:

Potentially, if you do have a decent antivirus and malware solution on a machine, it may pick it up after the event. I mean, you would hope that it would pick it up before it happened, but invariably, these kinds of attacks are becoming more and more sophisticated these days. And antivirus and malware software is becoming very reactionary as opposed to proactive in terms of detection.

And it's, when you're a bigger company you can afford better, what's called border control, and more robust security systems to mitigate the risk. But when you're a small business, you're very potentially quite open to somebody clicking.

Suzanne Dibble:

Oh, we've lost you again. Maybe his phone's gone off.

Stuart:

Yeah, it's back.

Suzanne Dibble:

Yep, was that the phone again? You can put it on divert.

Stuart:

I was just -

Suzanne Dibble:

I think that works. I've got mine on divert, but then a phone call did come through the other day when I was doing it live. So, who knows, who knows? Yeah, so -

Stuart:

Yeah, no it was a message that.

Suzanne Dibble:

So, really, what you're talking about there is so, and I just don't understand enough about this type of stuff, but say the Russian hackers ... I'm watching Homeland at the moment, so the Russian hackers are on my mind.

Now, I'm not a bank. I don't, people can't, I've not got that level of amazing information that these hackers are going to want to get. But presumably, just what they're interested in is just going into people's backend databases and getting names and email addresses so that they can spam them and do potential phishing exercises and things like that. Is that why they're doing this kind of stuff?

Stuart:

Yeah. Yeah, I mean, the thing is that most people who have a broadband connection, they use it for both home and for work. What you should do is use the standard router that is given to them by the ISP. Now, it's not really classed as a security device. Yes, it potentially stops attacks to your router, but what it doesn't do, it doesn't protect anything that goes out, any device inside your network.

So, if your machine gets compromised, or a video or security TV camera, for example, gets compromised, or your smart TV that's not quite smart, really, gets compromised, and once somebody's inside your network, routers aren't really good security devices. They don't stop data being removed from your network.

If you have a more comprehensive firewall solution, then you can potentially stop it. You know, it's about what necessary steps you can take as a small business owner, and one of the principal elements is your ... And if you ... decent devices cost between 300-800 pounds.

Now, it's about whether you think your business needs to take that step of properly protecting itself. A lot of small offices operate from home and if you've got kids and they bring friends home and they connect to your home Wi-Fi, then potentially you're putting at risk your business devices that are connected to the home network and the home Wi-Fi.

So, having some method of splitting out your home network from your business network is also an advisory. It's becoming, again, through the Cyber Essentials program, these sorts of things, when you talk to experts, become more readily talked about in terms of protection. Knowing who goes on to your network, why they go on to the network. So, when you have your ...

Suzanne Dibble:

Just taking that scenario, then, when children's friends come round to play and they're logged on to my Wi-Fi to play their iPad game, what threat is that going to have on my network?

Stuart:

Well, if their iPad is compromised and they bring in a virus or they bring in malware, it’s a bit like the WannaCry outbreak inside the NHS and various other organizations. Once one device is got, it goes back to ring fencing your business in terms of risk with knowing what devices.

Suzanne Dibble:

So, sorry, this is stupid. I'm really like not up to speed with this discussion at all. So, just in my ignorance here, so, a friend brings in a compromised iPad that they connect to my Wi-Fi. Somehow they can transfer a virus over the Wi-Fi to my network. Is that right?

Stuart:

Yes.

Suzanne Dibble:

All right.

Stuart:

That's how devices spread, malware can spread from device to device. And if somebody's got access to say a CCTV camera inside your network, they can bounce off that device on to other devices inside the network.

Suzanne Dibble:

So, the same example in a coffee shop, for example.

Stuart:

Absolutely and that's why in the previous presentation forget the guy's name -

Suzanne Dibble:

Lewis.

Stuart:

... but using a VPN inside a ... any public access to the internet. If your device is a business device, then I'd solely recommend using a VPN.

Suzanne Dibble:

Right, okay. So, this scenario then, the friend brings the iPad in that's been compromised. The virus spreads via the Wi-Fi to my system. I've got a membership site with thousands of names and email addresses on there. They can then ... is that what they're after? They're after those names and email addresses to then spam them?

Stuart:

Potentially they're after that. They're after confidential information that could potentially be used to compromise your business, potentially through ransom. Or it's very much what data do you have and how sensitive it is, whether it can be used, whether it’s about your clients. Can it be used to set some phishing expeditions against your clients?

If you've got a list of ten email addresses at another client's, can they target those with the information and pretend to be you, because they've picked off your email?

Suzanne Dibble:

How effective are the typical malware that's on PCs and Macs and things like that? If you didn't know anything about this, what's the real risk? Say that you've got your shopped for malware on there or sort of a commonly known malware and antivirus protection. What are the risks of that actually happening? I know, obviously you can't give me a number, but is that fairly low risk, would you say? I mean, how many of these viruses are out there and is the current malware kind of sufficient to protect against that?

Stuart:

There's tens of thousands of malware out there, so, and over the years there's been so many. If you have devices, you need to make sure that they're up to date in terms of updates and patches or, if you're running Windows, then Windows updates. You need to make sure you're running the firewall on your Windows machines and on your Apple computers. You need to make sure that, yes, the antivirus is there. And it is up to date and being updated.

Suzanne Dibble:

That's a really, sorry to interrupt, but that's a really interesting point. Because when I get those updates, I just think, "What a hassle. That's either going to slow my computer down or it's going to take ages for it to install or whatever." So, I often leave my software updates for months. So, you're saying that really puts it at risk. We need to do that straight away.

Stuart:

Yeah, because the thing is if somebody gets on to your machine, they will identify what are called vulnerabilities on that machine. So, if you're running Windows 7 without any security updates, then there's an online list of probably several hundred potential ways of gaining administrative access to the machine. And then if you've got root or administrative access to a machine, you've got access to everything, potentially. And then you can siphon off the data.

You've probably got access to all the passwords that are on the machine that could potentially get into the systems remotely from there, because if you connect, for example, into your web hosting provider over FTP, which is a very old way of doing it, which is insecure, then potentially they can find and gain access to all the systems that they shouldn't have access to.

Suzanne Dibble:

So, what is the ... I'm going to ask my web person this ... so, we shouldn't be connecting by FTP. What should we be connecting by?

Stuart:

By what's called SFTP. It's a secure version. So, your data is encrypted.

Suzanne Dibble:

Right. I'm sure she's on the case with that, but that's good to know.

Stuart:

And many web hosts have control panels for you to access your website or your admin system in your website. You need to make sure that you're connecting via https, i.e. secure links, not http. And believe it or not, just recently, I got access to a client's entire control panel, their entire database, their entire online work site, all via an IT supplier's control panel in an insecure format.

And that sort of thing is disturbing to find, and this is close to the 25th of May, that even IT companies, who provide local support and things like that, local domains and domain registrations, and local email services to small businesses, which is very common, those small companies go to local providers because they want local service. You need to make sure that the services that they provide to you are over secure links and encrypted links.

Suzanne Dibble:

So, with the http and the https websites, if we have our existing website that is http, is that when people get those little pop-ups saying, "this website is not secure" and are encouraging us not to go on to those websites?

Stuart:

Yeah, that's one of the things over the last six months that I've been encouraged by a lot of the browser providers. But, again, it's only if you update your software regularly. So the latest versions of Chrome, for example, and Firefox, and Edge, do prompt you, "This potential website is not secure." You may have, if there's a login panel, a login and password panel on an http page. It will warn you and say, "this is potentially insecure."

So, you really need to make sure that if you run your own website, that you've got user access to various parts of the website, that you are providing only secure access to your own website. And also, when you're going around on, using clients', suppliers', you may have ordering systems that you get on to for your supply chain, and just double check and make sure that everything and your login IDs all go over secure links, not over http, because they could potentially be compromised.

Suzanne Dibble:

Wow, there's a lot to think about, isn't there? So, we talked there about having a ... now, so we've got our usual home network and you're saying that the best practice would be to have the business network separate or on a VPN.

Stuart:

Split. You can split your business devices with not very costly hardware these days to separate your business network from your home network.

Suzanne Dibble:

And what would be the kind of thing we'd be doing there? Would we need to get a specialist in to help us with that or is that something that you can just go and buy at PC World or something?

Stuart:

Well, you get into a technology called, essentially, what's called VLAN technology, which is virtual LAN. So you can still physically use the same pieces of wire. Now most small IT companies should probably be aware of how to assist you in doing this. Devices to support it cost, a decent gigabit VLAN switch, a port for a home can probably cost about 30 pounds. So, you could follow some online guides as to how to split it. It all depends on how technical you are or if you just want a box solution. Then, it's possible to buy a box solution that can separate and have different solutions.

Suzanne Dibble:

So, that part about separating the business devices from the home network. We talked about the making sure you're connecting to service by SFTP rather than FTP. We've talked about only accessing and putting personal details into https websites and not http ones. And indeed, if we currently have our own business website http, that we need to think about upgrading that to https.

And I've seen a comment in the page saying you need to purchase an SSL certificate through your website so https encryption. I believe GDPR either requires or definitely requires encrypted data transfer from browser to visitor. So, can you say a little bit more about the SSL certificate, Stuart?

Stuart:

Well, first of all, you can either buy an SSL certificate through your domain registrar, potentially if you use any of these ...

Suzanne Dibble:

We'll just give him a couple of secs to come back. Oh no, we've lost him. Disaster. Okay, well hopefully he'll pop back. Let's look at some of your questions while he's coming back on the line.

So, I saw one right at the start that I can answer, that I don't need Stuart for. Just, for those of you who have joined late, yet another technological problem this week. I have been besieged by technological problems. I have done so many of these Facebook lives before and have had my phone set up in exactly the same way that I did today, but today it decides that it will not work in landscape mode. So, that's why you've got Stuart in a little box above my head. I have tried turning the phone. I've tried starting again and doing it from scratch in both portrait and landscape mode and nothing's working, okay. So, we're just going to have to go with this today.

Okay, so David said, "Do you need to have controller and processor agreements amongst employees to mitigate data breaches?"

No, David. So, controller processor agreements are just at the legal entity level, so the employer level. But employees will be subject to general fiduciary duties of confidentiality. Hopefully you'll have an IT security policy that tells employees what they can and can't do with things. Give them some training on how to mitigate data breaches, etc. Okay?

Elaine is making the point about, with GDPR coming in, WHOIS data. As in, when you have a domain name there is a WHOIS site where you can go on and you can find out who owns the domain and, unless you pay for that extra service where you're anonymous, then your personal data is there.

So, it will be interesting to see Elaine. I've not even thought about that, what the position will be with that going forward.

Ian says, "If you're running a business, you currently can't opt out of having your address details published."

Well that goes against what I've just said. I'm sure I opted out when I did mine, so maybe I'll look into that.

Carl says, "With subject access requests, if you collect email addresses for user account info and that generates a user ID in the database and you relate lots of other marketing data to the user ID, would you have to send them that data?"

Not sure I understand that question. So, hold on.

"So, any click tracking, usage data, or any other data you collect that is related to the ID that ties back to the email address could be considered personal information."

Yes, I believe it can be considered that. I'm not sure who you're talking about sending it to, though. So, sorry about that Carl. Can't really follow that question.

Jay says, "Is the threat of blackmail going to become more lucrative and easy for hackers? For example, they hack your data, steal sensitive data, but rather than bombard you with spam, they come to you and say pay up or we'll leak your data and you'll be at the mercy of GDPR fines."

Well, yes. Well, we don't want to think about that Jay, do we? Let's hope that people don't get that idea.

Mary, "What costs 300 to 800 pounds? What's this about making the router secure?"

That was, yes, I think that was about ... I think we covered that after your question, which was about making the business network separate from the home network. Although, he did then say that seemed to be quite cheap. So, we'll ask Stuart to clarify when, hopefully, he comes back on.

Let me see, he might have when I got through these questions. He's probably popped back on to the bottom then we can bring him on.

Richard is plugging his IT company there. I should delete your promo there Richard, but he just kindly says, "This gentleman is giving good advice and knows his stuff."

Well, jolly good.

Okay, is he back? Is he back? Is he back? He's back. Alright, let's get you back on Stuart. Bring Stuart on camera.

Hello. We lost you.

Stuart:

Yeah, you just asked me about SSL certificates.

Suzanne Dibble:

Yes.

Stuart:

Yeah, pick up there. You can actually get free SSL certificates from a website called Let's Encrypt. Most IT companies know about them, so if your web hosting company or you're ... may even provide through your control panels. So you can get free SSL.

Also, you can purchase certificates for one, two, three, five years or whatever, starting probably from about 50 pounds to probably 200 or 300 pounds. It depends on the level of what's called insurance you require and whether you want sort of a gold star certificate, which are the more expensive ones. So, you just need to check that you cover yourself on SSL.

Suzanne Dibble:              

Okay, listen. So, I was just, while you were off there, you might have heard me reading the question out loud. You know what you were saying earlier about something cost 500-800 pounds, can you remind us what that bit was again?

Stuart:                 

Sorry, just shut the door. A decent firewall, border control unit to ... Cisco do them. You can get them with open source software, for example with pfSense and...

Suzanne Dibble:              

And how is that different

Stuart:                 

most of the

Suzanne Dibble:              

Sorry, I didn't mean to interrupt. How is that different from the VLAN technology and box solution you were talking about earlier? Have I got the wrong end of the stick? Are those two different things?

Stuart:                 

Well, it becomes a part of ... with the VLAN technology and a decent firewall, you can then segment your network from home use and business use.

Suzanne Dibble:              

Okay, so the 500-800 pounds firewall unit, that's for the home and business to protect both of them, and then you use this device, this VLAN technology, to split off your business from the home.

Stuart:                 

Yeah. So, you can use the same cabling and/or Wi-Fi points that you have.

Suzanne Dibble:              

Okay, awesome. Okay, that's brilliant. So, let's move on then. Just crunched for time. Let's move on to the ... so, you become aware that you have a data breach. So, the nasty Russian hackers have ... and sorry if anyone's Russian. I'm using that as an example because I'm watching Homeland at the moment. So, no offense to anybody who's Russian. But the hackers have, they've come in, they've done their stuff, they've spammed all your contacts. They've somehow got hold of your banking passwords or whatever else. So, I guess this is looking at two ways, isn't it?

In fact, we'll leave me as a consumer and an individual on one side and just talk purely about the compromising of our data subjects' data that we're storing as a business owner. So, that's happened and I heard what you said before about the stats of it being 250 days until someone actually finds out about it. Now how does that interplay with the requirements in GDPR about notifying that within the time frame, whereas if there is, if it is reportable, then you've got to do that within 72 hours.

Stuart:      

Yes, correct.

Suzanne Dibble:              

Actually, let me just read the wording myself. Whether it's 72 hours of becoming aware, isn't it, actually? I think. Let me just check. But while I'm checking that Stuart, why don't you tell us a little bit more about how we can, I mean is there anything more we can do to find out if there is a data breach other than what you said before about if you've got a good piece of protection, it can, I guess ... does it alert you after the event or does it alert you that it's stopped it in the first place? Talk us a little bit around that.

Stuart:                 

If your antivirus or malware software can detect that you've got a virus or malware installed, it can alert you. Secondly, you would probably have to intervene to actually try and remove it. The remediation would be to disconnect your machine from the internet or from your local network to start with. So you've, in effect, isolated it.

So, potentially you can't, if it's on Wi-Fi, turn your Wi-Fi off. If it's on your physical network, unplug your device from the network. And then you need to define, try and decide, if you don't have skills in terms of determining whether you've potentially got a nasty virus and how long it's been there, then you need to find some professional advice.

If you've gone through something like the Cyber Essentials program and been certified, you'll probably find, along with it, you'll get some insurance, which will include some forensic analysis of the insurance cover to pay for external forensic analysis to come in and determine the extent of your breach.

It's very difficult for nontechnical people to understand, potentially, what data they have lost and how long that's, how long your machine has been compromised or how long your network's been compromised. And if you're unsure whether other devices on your network are also infected, then turning your router off, plugging your broadband to start, is also a good idea. So ...

Suzanne Dibble:              

Let me just stop you there and ask you some questions about that then, because that's really interesting. So, tell us more about the Cyber Essentials program and also the insurance. How much would that be likely to cost if you have the insurance versus if there is a data breach getting in the person to assess how much data's been lost? Talk us through that kind of stuff.

Stuart:                 

Yeah. For Cyber Essentials you have to contact a company that's been certified to validate. First of all, you can self-validate your business, if you know what you're doing, online with some of the providers. For example, with IASME, you can go through a question and answer process. It's quite lengthy too and if you answer all the questions in a good enough way, then you can gain the accreditation. And the cost is about 300-400 pounds.

A lot of companies who provide this will also provide probably half a day training as well. Again at this similar sort of money to assess and help you answer all the questions correctly and actually look at whether you do what you say you do when you're filling in these things. And with that accreditation you will get a certain level of insurance that will cover you what, for I don't know, five, ten, 15 thousand pounds worth of forensic analysis.

If you get the more advanced Cyber Essentials Plus, then you will go through a much more rigorous assessment, which also includes what's called a penetration test, which occurs both inside your network and outside your network to determine what your security's like inside your network and also potentially what people can access from outside your network. So, it's ... and costs for that probably start at 1,500 pounds minimum.

And then if you want to, don't forget as well, how do you say you're GDPR compliant? Well, in security terms my answer is to go through Cyber Essentials Plus as a minimum, but also the next level, which is things like the IASME Governance level with GDPR, which covers a lot of questions on your data security as well as your physical cyber security.

So, if you're a small business of probably five to 20 people, then the Cyber Essentials Plus is probably the and if you're bigger than that, really, the IASME Governance or there are other equivalents that you can go through to be accredited too.

It makes, also from the supply, as I said at the beginning, a supply chain, knowing that your suppliers are also ... local support company should be at least Cyber Essentials Plus accredited. So, as an IT support organization, they should have gone through the accreditation to make sure that their processes are. Your hosting company is probably at least ISO 27001 accredited. I mean, a lot of small businesses do hosting and knowing that they follow good practices is reassuring for your business that you're taking a lower risk than you are with a company you've not really done due diligence on.

Suzanne Dibble:              

Okay, awesome. So, with the basic Cyber Essentials program that's about three to 400 pounds, insurance is included as part of that and as part of that insurance, you get cover for ten, 15 -

Stuart:                

Some of the providers.

Suzanne Dibble:              

Okay, some of them are. You get cover for ten to 15 thousand pounds worth of basic analysis -

Stuart:                 

 Yeah.

Suzanne Dibble:              

... if there is a breach. The next step up from that is Cyber Essentials Plus, which costs about 1,500 pounds, did you say?

Stuart:                 

Yeah.

Suzanne Dibble:              

And what does that give you over and above the basic level?

Stuart:                 

It really gives, it means that somebody, so an expert has come down and tested your network and tested your security, looked at your processes and actually asked, potentially, employees or gone through when you've written an answer, have you got proof that you actually do practice what you say. Because it's very easy for some companies to just write some processes and say, "Oh, we're compliant." However, the Cyber Essentials Plus is really geared to check and validate that you do what you say.

Suzanne Dibble:              

So are these the kinds of services that you help people with, Stuart?

Stuart:                 

Yeah, I'm accredited through the IASME Consortium and been through the training, etc. So, a lot of it is common sense, to be perfectly honest, but it's the skills you need to be tested. You know machines are patch checking. That they, when you say they get updated, every day or every week or every, that they have. And then doing a bit of what's called ethical hacking to actually try and determine whether at a network level that you are secure.

Suzanne Dibble:              

Okay, brilliant. So, thanks for those of you who posted in the group. Yes, there is indeed. So, 72 hours after having become aware of a breach, then you need to notify the supervisory authority of the data breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Now, how are we supposed to assess that, Stuart? In terms of, if you know that someone's email and email address, sorry, name and email address has been compromised, then how can you guess what the intention is of that person and hazard a guess as to whether it's going to result in a risk to the rights and freedoms of natural per ...

Stuart:                 

It's the ten thousand dollar question, isn't it? How can you assess your own? You're policing your own data loss, in effect. And do you err on the side of caution, report it anyway? That would probably be my advice.

If you haven't got an idea how much data's been lost, again, err on the side of caution and report it. The ISACA can always turn around and say, "We're not going to take it any further. At least you've reported it." Whereas, if you don't report it and two, six months, a year down the line your list appears on the dark web as freely downloadable, then you don't know.

One of the things I was going to mention is that one thing you should do, as your own business, is check through all your email addresses that you've used and whether they've been compromised in a data breach in the past of somebody else. There is a website. If you search for hacked email, check your hacked email, or check if your email has been hacked, it will ... I've got the link, I'll post it later. You can put your email address in and it will tell you whether that has ever been in a data breach, for example, TalkTalk's data breach, any of them.

It's just a facility that an ethical hacker has put online to make sure that when your list appears on the dark web or in various places for people to download, it gets amalgamated here so that people can actually validate whether their data's been breached. So, if your email and potentially the passwords that you use to log in to other sites have been compromised in the past.

First, you've got to find out if it has been. And then you need to take steps to make sure that you've checked all yours and all your employees' emails to make sure that. And if they have, then you need to change the email address that that user's using or at least make sure that you go around the websites and change passwords that have been used. And this should be part of your GDPR practices, that every three or six months you check. You're protecting your business by checking and rechecking people's emails.

There are extensions for things like Chrome that can do this for you if you use work panel. It just varies. But it's about having a process of checking that your email addresses haven't been compromised by other people.

Suzanne Dibble:              

So, are you just talking there about internal email addresses? You’re not suggesting that we run the database of our prospects through this system?

Stuart:                 

No, no, no, no, no. Just your own business email addresses.

Suzanne Dibble:              

Right, okay.

Stuart:                 

And obviously any personal email addresses you have.

Suzanne Dibble:              

Yeah. Okay, that's great. Okay, awesome. So, okay, so we've talked about we think if something happens to our attention that we've got a data breach. We get in a forensic analysis person to come and assess how much data has actually been compromised. We then need to take a view as to whether we alert the supervisory authority. And if we think we have to do that, then we've got to do that within 72 hours of becoming aware of it, unless we think that this risk to the rights and freedoms of those people whose email or whatever data, whatever it was, has been breached or that ... I completely take your point that that is the million dollar question and to err on the side of caution and report it.

Anyway, for those of you who haven't seen it yet, I did a video on data breaches from the legal point of view and I listed, certainly for the UK, how you would go about reporting a data breach on that video. So, if you haven't watched that yet, you can go refer back to that.

What is, if you, and you might not be able to answer this question, but say someone, we as small business owners, maybe we're blissfully unaware about all this amazing stuff that we should be doing. And somebody comes in, hacks in, data's compromised, there is a data breach. How, do you think, is the ICO going to react to that, in terms of sanctions, fines, anything like that?

Is it a case of they'll say, "Okay, Suzanne, you didn't know about this. Put it in place going forwards." Or is it like most laws that a caveat emptor, the obligation is on us to know about the law. Not the ignorance of the law is no defense, if you like. And how do you think, for the average small business owner, Stuart, who isn't quite as up to speed on security matters as they should be and there is a data breach, how do you think the regulators are going to react to that?

Stuart:                 

Well, the first thing that they're going to do is look at your compliance with the GDPR. Whether you've done, whether you know what it is, you've been through it, you've defined your processes, you've looked at your IT security to support your compliance. No security is 100 percent in any way, shape, or form.

So, if you've done the load of steps and you've followed best practice, then the likelihood is the ICO will go in to do some recommendations or learn from or whatever. I don't think you're going to get much of a fine.

Whereas, if you have processes, but you don't follow them and it's proven you don't follow them, then they're going to take a dimmer view. And if you don't have any processes in the first place, they're going to take a very dim view.

So, it's all on a scale of, I think, whether a business has treated your fiscal security in a way that is professional and expected of a business of your size. If you try to just ... I've met quite a few people, businesses, that have an attitude that, "Well, I'm only a small business. It will never affect me." They're the kind of people that, probably, the ICO will make an example of. And it's a, particularly healthcare.

Suzanne Dibble:  

So what then, what would you recommend those small business owners

Stuart:                 

... where you've got ...

Suzanne Dibble:              

Sorry.

Stuart:                 

Sorry. I'm not getting any at all from you now.

Suzanne Dibble:              

Yeah, there's a delay. So what would you recommend that small business owners do as sort of first steps? What's the bare minimum that small business owners should be doing before the 25th of May?

Stuart:                 

Well, I just saw somebody put up, "Can he list examples of key processes that we need to adopt?"

One is obviously about employees and employee data. And not only conforms with employee law, but in terms of data privacy, make sure that only authorized people have the access to ...

Secondly, you make sure that your suppliers who potentially have access to your personal data; your IT or maybe your web symphony, your web developer who's potentially helped you put your website together. Where you've got registered users, things like forums. Potentially more personal data. You need to make sure that you've checked and balanced that people have got the right level of access, that it is secure, that it is only accessed on secure links and any backups that exist of data are encrypted to make sure that you don't have like USB sticks or external USB drives that can just be picked up or if they are ...

Suzanne Dibble:              

We've lost you again Stuart. Hopefully, it will just be a quick message and he will come back. Okay, let me scroll through some questions here, while we're waiting for him to pop back.

Okay, Richard says, "Any business class router should do it." I think we're talking about the firewalls there. "Starting around 150 pounds and up to a thousand."

Jay is saying, ".co.uk domain WHOIS is free and you can opt out at Nominet or within your domain registrar. Currently .com up tower is five pounds a year."

Okay, alright, we'll just wait for Stuart to come back on because obviously this is a really useful bit of what we should actually be doing to make sure that ... and I think what Stuart is saying is very similar to what I say on the legal side, but, obviously, coming from an IT security side, which is the attitude of the ICO.

For people who've stuck their heads in the sand and said this is nothing to do with me, the ICO is going to take, as he says, more of a dim view with those types of people than with the ones who are trying their best to work towards compliance. So this has certainly highlighted a number of areas that I need to look at.

I'm hoping that my IT people have got this all under control and I don't need to worry about it, but I'll certainly be making a call after this to my IT people to say, "Just checking on this and this and this and this." So, I think what it's demonstrated to me, is that we do need to take these kinds of risks really seriously. And it's only going to get riskier, isn't it? As people become more sophisticated in ways to hack in and to steal data and to compromise data.

So, let's hope that Stuart comes back. If he doesn't, what I'll ask him to do is maybe he could pop a quick checklist, a very quick checklist, in the group of the types of things that small business owners can be doing to become GDPR compliant on the security side. Because let's remember where this comes from is one of the overriding principles of GDPR, as you would expect, to keep data secure. And I'll just read you out the relevant provision while we're waiting.

So it comes in on the lawfulness of processing. Sorry, not the lawfulness of processing, the principles. Sorry. The principles relating to the processing of personal data. And the final principle is that personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

And what else do I need to tell you about the act? Just let me have a flick through. Come on, Stuart. Come back and then we can wrap up and tell people how to find you. I'll just give him a couple more minutes, then we'll wrap this up if he is gone forever.

Yeah, processes. So there is Article 32, for any of you who are interested, talks about the security of processing. So if those of you who are processors, take a look at that.

You're back. Stuart, you've not got a little camera icon and when I click on you, it's not giving me the option to bring you on to the camera. Have you come on in a different format? Because it's not letting me add you at the moment.

John, sorry Jay, is saying that you can also protect your website for free by using a CDN provider, like Cloudfare. Maybe that's a typo. Cloudflare. Where IP traffic is filtered before hitting your site, preventing malicious attacks and bad traffic.

Okay so a CDN provider. I'm going to write that down. CDN provider. Cloudflare. Okay, thank you very much.

Okay, Stuart, if you can come back on the other, whatever you were on. Maybe it was your phone. If you can come back on that, then I can just pop you on camera quickly and then we can wrap it up.

But just back to the security and processing in Article 32. And actually, well this is an obligation on the controller as well as the processor.

Yes Stuart, you are on camera now. I'll bring you on in one tick when I've just read through this.

So, it says, "Taking into the account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The controller ..." i.e., us, people who are controlling the data, and the processor, who would be somebody like your web developer or whoever, someone who is processing that data under your instructions ... "Shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including" and then it lists the number of security measures, like encryption, ability to restore the availability and access, process for regular testing, assessing and evaluating the effectiveness of measures to ensure the security, etc.

So, it's absolutely an obligation on controllers and processors to keep the data secure.

Right, let's bring Stuart back on. There we go. And just while Stuart comes on, Richard is saying, "From a physical point of view, have a decent business class router, encrypt backups and hard disks, and antivirus on machines."

Okay, thank you for that Richard. That's a good three-step process that we can all get our heads around. Okay, that's a really helpful comment. Thank you for that, Richard.

Okay, so come on Stuart. We're adding you, it's flashing, it's saying, "adding," but you're not actually being added here. Okay, we'll give it half a minute more, and then if not, I'm going to wrap up and then Stuart can post in the comments group how you can find him if you need more information on this.

Okay. I think it's still not working for some reason. I say the technology gods are not shining on us this week. So, I think we'll wrap it up there and Stuart can add any final words and his contact details in the group.

Thank you all for coming on and watching live. And for those of you who are watching the replay, I hope that's been really useful for you. I think I've taken away a lot of good points from that. The first one of which is to phone my IT person and say, "Are we all good on the security side for GDPR purposes?" And I think those three steps that Richard posted, really helpful there. Just as a reminder, decent business class router, encrypt backups and hard discs, and antivirus on the machine. So, I think those are the three things that I'm going to focus on.

But that was super helpful, Stuart, if you can still hear me. Thank you so much for coming on. Sorry, again that we weren't in the proper landscape mode and that you were appearing in a little box above my head. My phone just wouldn't allow it for some reason, despite having used exactly the same phone and exactly the same set up for many, many Facebook lives.

But, thank you for watching live. Thanks for your questions. Thanks, as always, for your engagement in the group and asking all your brilliant questions that exercise my brain like nothing else. Thanks for sharing about the group. Thanks for just being generally awesome.

Okay, Stuart's posted his contact details there. Yeah, his email address and his phone number. So don't worry about asking Stuart to opt in for you to reach out and contact him. That's fine. Okay. That's you can take it as well that that's Stuart's consent to you using those details to get in touch with him to find out about his services.

Richard is getting a sneaky promo on the back of this. Richard, you're going to have to come in and offer some standalone value, okay, if you want a promo in this group. So, but thanks for your three key points, get you probably a quarter of the way there. But message me and tell me what other value you can add to the group. Be happy to hear that. Okay.

Yes. Sorry, Annette I tried to change into horizontal mode. The phone was just not having any of it. So, there you go.

All right, well I'm going to go and enjoy the sunshine. My personal trainer is coming in 15 minutes. We're going to go into the garden and jump around in the sunshine, which is just what I need after this week. So, I wish you all a brilliant sunshiny Friday. Enjoy your weekend and I will see you very soon. Take care.
