The Biggest & Best Portal to the Professional Property, Workplace and Built Environment Community

Sunday, 25 February

UK GDPR Exemptions & Critical Infrastructure at Risk

The Government has outlined (week ending Sept 22) protections and flexibilities for the financial services, journalism and legal services as part of its plans to update data protection legislation.

The Data Protection Bill (when passed in to UK law will reflect the EU General Data Protection Regulations) will introduce safeguards to prevent and detect fraud, protect the freedom of the press, allow scientific research and maintain the integrity of professional sports and specifically includes measures to allow action against terrorist financing, money laundering and child abuse.

The Bill will preserve existing tailored exemptions that have worked well in the Data Protection Act 1998, carrying them over to the new law.

Matt Hancock, Minister of State for Digital, said: "We are strengthening Britain’s data rules to make them fit for the digital age in which we live and that means giving people more control over their own data. There are circumstances where the processing of data is vital for our economy, our democracy and to protect us against illegality. As we publish the Data Protection Bill, I am offering assurances to both the public and private sector that we are protecting this important work."

 

The Bill will include exemptions for data processing in the following areas:

  • Processing of personal data by journalists for freedom of expression and to expose wrongdoing is to be safeguarded.
  • Scientific and historical research organisations such as museums and universities will be exempt from certain obligations which would impair their core functions.
  • National bodies responsible for the fight against doping in sport will continue to be able to process data to catch drug cheats.
  • In the financial services sector, the pricing of risk or data processing done on suspicion of terrorist financing or money laundering will be protected

The Bill will allow the processing of sensitive and criminal conviction data without consent, including to allow employers to fulfil obligations of employment law.

 

What's planned

In its recent statement of intent, the Government committed to updating and strengthening data protection laws. Under the plans individuals will have more control over their data by having the right to be forgotten and ask for their personal data to be erased. This will also mean that people can ask social media channels to delete information they posted in their childhood. The reliance on default opt-out or pre-selected ‘tick boxes’, which are largely ignored, to give consent for organisations to collect personal data will also become a thing of the past.

Businesses will be supported to ensure they are able to manage and secure data properly. The data protection regulator, the Information Commissioner’s Office (ICO), will be given more power to defend consumer interests and issue higher fines, of up to £17 million or 4 per cent of global turnover, in cases of the most serious data breaches.

Data protection rules will also be made clearer for those who handle data but they will be made more accountable for the data they process with the priority on personal privacy rights. Those organisations carrying out high-risk data processing will be obliged to carry out impact assessments to understand the risks involved.

 

UK’s Critical Infrastructure Skipping Basic Cyber Security Checks and Ignoring DDoS Threats

There is a lack of cyber resilience among critical infrastructure organisations a freedom of information search has revealed, as the UK considers imposing fines of up to £17 million for infrastructure organisations that fail to protect themselves against cyber attacks, under the NIS Directive

CNI organisations could be ignoring 90% of the DDoS attacks on their networks by not mitigating short duration DDoS attacks, which are frequently used by hackers to distract from data theft attempts

Over a third of national critical infrastructure organisations in the UK (39%) have not completed basic cyber security standards issued by the UK government, according to data revealed under the Freedom of Information Act by Corero Network Security, a provider of real-time DDoS defence solutions.

The fact that so many infrastructure organisations have not completed the ’10 Steps to Cyber Security’ programme indicates a lack of cyber resilience within organisations which are critical to the functioning of UK society. It also suggests that some of these organisations could be liable for fines of up to £17 million or four per cent of global turnover, under the UK government’s proposals to implement the EU’s Network and Information Systems (NIS) directive.

The Freedom of Information requests were sent by Corero, in March 2017, to 338 critical infrastructure organisations in the UK, including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy suppliers and transport organisations. In total, 163 responses were received, with 63 organisations (39%) admitting to not having completed the ’10 Steps’ programme. Among responses from NHS Trusts, 42% admitted not having completed the programme.

Sean Newman, Director of Product Management at  Corero, commented: “Cyber attacks against national infrastructure have the potential to inflict significant, real-life disruption and prevent access to critical services that are vital to the functioning of our economy and society. These findings suggest that many such organisations are not as cyber resilient as they should be, in the face of growing and sophisticated cyber threats.”

 

Critical Infrastructure Operators Ignoring DDoS Threats

Modern Distributed Denial of Service (DDoS) attacks represent a serious security and availability challenge for operators of essential services. This is why DDoS protection is highlighted within the government consultation on NIS as a mechanism that critical infrastructure should consider when protecting their services and availability from disruption caused by cyber attacks.

But while most people equate DDoS with high-volume attacks, like that against DNS provider Dyn in 2016 that took down large parts of America’s internet, the vast majority of today’s attacks are actually short and low volume in nature.  In fact, 90% of DDoS attack attempts stopped by Corero during Q1 2017 were less than 30 minutes in duration and 98% were less than 10Gbps in volume.  Due to their small size, these stealth DDoS attacks often go unnoticed by security staff but they are frequently used by attackers in their efforts to target, map and infiltrate a network.

Worryingly, the Freedom of Information data revealed that most UK critical infrastructure organisations (51%) are potentially vulnerable to these attacks because they do not detect or mitigate short-duration surgical DDoS attacks on their networks.  As a result, just 5% of these infrastructure operators admitted to experiencing DDoS attacks on their networks in the past year (to March 2017).  However, if 90% of the DDoS attacks on their networks are also shorter than 30 minutes, as experienced by Corero customers, the real figure could be considerably higher.

Sean Newman, continued: “In the face of a DDoS attack, time is of the essence. Delays of minutes, tens-of-minutes, or more, before a DDoS attack is mitigated is not sufficient to ensure service availability, and could significantly impact the essential services provided by critical infrastructure organisations.

“By not detecting and investigating these short, surgical, DDoS attacks on their networks, infrastructure organisations could also be leaving their doors wide-open for malware or ransomware attacks, data theft or more serious cyber attacks. To keep up with the growing sophistication and organisation of well-equipped and well-funded threat actors, it’s essential that organisations maintain comprehensive visibility across their networks, to instantly and automatically detect and block any potential DDoS incursions, as they arise.”

Picture: The government has announced that it has successfully negotiated exemptions from the EU’s General Data Protection Regulations

Article written by Brian Shillibeer

Share



Related Articles

Andromeda Strained - International Cyber Op Dismantles Botnet

On November 29, the Federal Bureau of Investigation, in close cooperation with the Luneburg Central Criminal Investigation Inspectorate in Germany, Europol’s...

 Read Full Article
Watch What Staff Click - Ransomware Warning

Colin Tankard says the dust from the ransomware which hit major organisations around the world on Friday 12 may seem to have settled but vulnerabilities still exist in...

 Read Full Article
Ransomware - the Protection Racket

ThisWeekinFM has been making a racket about Cyber Security because vulnerabilities are exploited at a personnel and personal level - where FM's should have some...

 Read Full Article
Who's Taking on the Cyber Men?

One in five businesses have fallen victim to cyber attacks in the past year, according to the results of a survey released this week ending April 21 by the British...

 Read Full Article
ONS Head - Gaping Hole in Government Info Security

Protecting information while re-designing public services and introducing the technology necessary to support them is an increasingly complex challenge that is leaving a...

 Read Full Article
Sage Stuffing - Alleged Fraudster Nabbed On the Wing

According to massive international payroll and accounting software firm Sage, which now offers nearly all of its services internationally via the cloud, unauthorised...

 Read Full Article
Crime Stats and Cyber Crime Surveys

The results for the Crime Survey of England and Wales (CSEW) by the Office of National Statistics reveal for the first time that fraud is the most prevalent crime...

 Read Full Article
Cyber Security - Tackle Staff Weak-point

With online crime becoming an increasing threat for businesses, new figures from Action Fraud and Get Safe Online released this week show that from March 2015 –...

 Read Full Article
World's Local Bank Back on World-wide Web

The disruption this week for HSBC and its online customers appears to be over as it declared matters were now ‘stable’ but embarrassment remains for the...

 Read Full Article
On Trend - Can Hackers Turn The Heat Off?

Ken Munro of Pan Test Partners has written a blog - the original of which and more pictures can be accessed if you Click Here  Munro says he has found...

 Read Full Article