The risk of doing business: is your legal or accountancy firm putting your data at risk?

Lawyers and accountants depend on a bond of trust with their clients. So you would imagine that protecting their clients’ sensitive personal information would be a priority, yet many firms are relying on cybersecurity measures that are untested – and often incomplete. 

At the moment, many firms present an easy target for attackers. With serious breaches becoming routine, the promise of confidentiality is becoming impossible for many to uphold, along with the dependability that these trusted professions are meant to provide.

These sectors seem reluctant to respond to the threat, however. So it could be up to you – their clients – to change their outlook. 

Why are law firms targeted? 

The legal sector has vulnerabilities embedded throughout its everyday operations. From bank transfers and automated identity checks to emails carrying your personal information, law firms routinely handle sensitive data, making them an attractive target for attackers.

In August 2020, for instance, UK-based law firm Tucker Solicitors fell victim to a ransomware attack. The firm holds court bundles containing private personal data such as medical files, witness statements, and the names and addresses of witnesses and victims relating to crimes of all severities. After the breach the attackers held the stolen data to ransom, and hundreds of thousands of files containing sensitive information were published on the dark web.

A common tactic that law firms fall victim to is Friday afternoon fraud, which accounts for an eye-watering 75% of all cybercrime reported in this sector. The name explains the timing: Friday afternoon is when property conveyancing transactions traditionally complete, and it is also when many in the profession are winding down for the weekend.

Attackers use this window to get into a firm's email, whose defences are often outdated and untested, or to spoof it, and then impersonate an employee. They contact the client from what appears to be the employee's genuine company address, typically with 'updated' bank details, so that the completion funds are sent to an account the attacker controls. It is the kind of fraud a robust cybersecurity strategy can drastically reduce: multi-factor authentication on email, DMARC enforcement on the firm's domain, and a rule that any change of bank details is confirmed by phone on a number already on file.
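One way to triage incoming mail for this pattern, as an added example that is not part of the original article or any Datavax tooling: it parses two constructed messages with Python's standard email library and flags a From address on the firm's domain without a DMARC pass, a Reply-To that diverts replies elsewhere, lookalike domains, and payment-change language in the subject. The firm domain example-law.co.uk and the header formats are assumptions.

```python
"""Flag emails showing the impersonation pattern behind Friday afternoon fraud.

Added example, not part of the original article or any Datavax tooling.
Assumptions: the firm's genuine sending domain is example-law.co.uk (a
placeholder), and the mail gateway stamps an Authentication-Results header
carrying the DMARC verdict. Both messages below are constructed.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

FIRM_DOMAINS = {"example-law.co.uk"}   # assumption: the firm's real domain(s)
PAYMENT_TERMS = ("bank details", "account details", "completion funds")

# Constructed: From spoofs the firm's real domain (so DMARC fails), while
# Reply-To quietly steers the client's answer to a lookalike domain.
SUSPICIOUS_MESSAGE = b"""\
From: "Jane Smith, Example Law" <jane.smith@example-law.co.uk>
Reply-To: jane.smith@example-1aw.co.uk
To: client@example.com
Subject: URGENT: new bank details for your completion funds
Authentication-Results: mx.example.com; dmarc=fail header.from=example-law.co.uk
Date: Fri, 12 Aug 2022 15:47:00 +0100

Our client account has changed. Please send the completion funds to the
account below before 5pm today.
"""

# Constructed: a genuine message that should raise no flags.
CLEAN_MESSAGE = b"""\
From: "Jane Smith, Example Law" <jane.smith@example-law.co.uk>
To: client@example.com
Subject: Draft contract for your review
Authentication-Results: mx.example.com; dmarc=pass header.from=example-law.co.uk
Date: Mon, 8 Aug 2022 10:02:00 +0100

Please find the draft contract attached.
"""


def domain_of(header_value) -> str:
    """Lower-cased domain part of an address header ('' when absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as example-1aw."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_message(raw: bytes, firm_domains=FIRM_DOMAINS) -> list:
    """Return the reasons a message looks like a payment-diversion attempt (empty if none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    auth = str(msg["Authentication-Results"] or "").lower()

    # 1. Mail claiming the firm's own domain must carry a DMARC pass.
    if from_dom in firm_domains and "dmarc=pass" not in auth:
        flags.append("claims firm domain but DMARC did not pass")
    # 2. Replies steered to a different domain from the one displayed.
    if reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 3. Either domain a near-miss of a real firm domain (typo-squat).
    for dom in {from_dom, reply_dom} - firm_domains:
        if any(levenshtein(dom, real) <= 2 for real in firm_domains):
            flags.append(f"lookalike domain {dom}")
    # 4. Subject pushes a change of payment details.
    subject = str(msg["Subject"] or "").lower()
    if any(term in subject for term in PAYMENT_TERMS):
        flags.append("subject asks for payment details to be changed or used")
    return flags
```

The flags are a triage aid for the gateway or the person receiving the mail; the control that actually stops the fraud is the out-of-band confirmation of bank details on a phone number already on file, regardless of how genuine the email looks.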

Due to the substantial sums passing between law firms and their clients, these scams are widespread, and the large amounts of sensitive data held by lenders, estate agents and mortgage brokers are at risk too. Despite all of this, the sector doesn't seem to be in a hurry to act.

 

What about accountants? 

Accounting firms play a pivotal role in our economy, handling financial data of businesses big and small. They also deal with high-value commercial data and sensitive financial information on a daily basis, making them another prime target for cyberattacks.

At the beginning of 2022, Chester-based umbrella payroll firm Parasol was hit by an attack that forced it to shut down its external and back office systems. This in turn led to thousands of contractors going unpaid or receiving less pay than expected. A similar attack hit the Brookson Group at the same time, and both followed a high profile ransomware attack on GiantPay. The UK's payroll and accountancy firms are certainly in the firing line.

 

What’s stopping these industries from stepping up their cybersecurity game to protect your data? 

It’s an understatement to say that online working has accelerated over the last few years, but many in the legal and accountancy sectors are still slamming the brakes on digital adoption. Some are beginning to use digital documents, but many are still working with systems that long predate the modern internet.

There is still some fear of technology among specialists in these professions, even at a basic level, before you even introduce cloud computing or the e-signing of critical documents.

The pandemic has only made this worse. Overnight home working added a whole new level of cyber challenges, including a deluge of COVID-related scams.

The rush to digitalise under forced remote working may have been too rapid for firms to properly consider data security. SME-sized firms tend not to have IT teams, or any in-house understanding. They will also probably outsource their compliance, without understanding the implications of their own internal processes.

The only real legal requirement is to follow GDPR, even though these firms handle very sensitive information, often more so than the organisations that are required to have a pen test. GDPR does not mandate a specific set of cybersecurity measures: Article 32 only requires ‘appropriate technical and organisational measures’, leaving law and accountancy firms without IT expertise in the dark about what appropriate means in practice.

For some of the most traditional law firms, it may be up to clients like you to nudge them forward. If organisations begin to demand pen tests and other security measures before they will agree to work with a firm, it might tip the balance. This is already common practice in some industries, and it’s essential to ensuring a secure supply chain, so it might not be long before organisations and clients demand the same security measures from their lawyers.

What is the solution? 

We’re not trying to scare you into never using legal or accountancy help. There is a simple solution to ensuring your data is safe.

There is one thing law and accountancy firms must ensure: that a robust cybersecurity strategy is in place. This can set out the rules for encrypting email attachments, the steps for accessing work applications remotely (including multi-factor authentication), guidelines for creating and safeguarding passwords, and rules for the appropriate use of social media.

Getting cybersecurity training up to standard is also critical, particularly in a hybrid working environment. Training promotes cybersecurity awareness and best practice among employees, so that they can act in your best interest.

As a client, you can request information on your chosen firm's cybersecurity policy, since they have a legal obligation to protect your data. Have they put a robust strategy in place, especially since the start of the pandemic, to preserve your information? Are they encrypting emails that contain your sensitive data? Are they carrying out third party due diligence on their own suppliers? And how do they verify a change of bank details before funds are transferred? Next time you’re speaking with a potential legal or accountancy partner, it makes perfect sense to bring cybersecurity into the conversation.

At Datavax, we are cybersecurity experts. To learn more about what we do, check out our guide to independent penetration testing: what we do and why. 


Supplier due diligence: how to stop hackers slipping through the back door

A business of any size needs to get its due diligence process set up from the get-go. And once it’s in place, it also needs to be continually monitored and reviewed.

Due diligence can simply describe the reasonable steps taken by a person to avoid harm. In this case though, we’re going to specifically talk about the risk of a cybersecurity breach via a third party supplier.

It’s not just about compliance and protection. Keeping on top of your supplier due diligence can enable your company to attract both customers and investors. It also gives you peace of mind, so you can focus on building and scaling upwards, knowing your foundations won’t let you down.

Big name data breaches

Ticketmaster and Volkswagen are just two examples of big name brands that have fallen victim to a third party’s vulnerability.

Customers' personal details such as full names, email addresses and phone numbers were exposed in data breaches that occurred via third party suppliers, resulting in regulatory action and a massive dent in public reputation for both companies.

Had they done their due diligence before agreeing to work with these third party suppliers, these blunders might have been avoided. Though it’s not as simple as it sounds.

Large companies like Ticketmaster and VW have huge numbers of suppliers, all with their own subcontractors, which makes them hard to keep track of. And once an attacker has got in via one third party, the access that supplier holds into your environment can be used to reach further data without being flagged, unless that access is segmented, limited to what the supplier needs, and monitored.

But these kinds of data breaches aren’t just limited to household names. Smaller businesses and entrepreneurs are also at risk of being targeted.

 

What businesses big and small should consider

Some organisations will barely mention their cybersecurity policy when joining a partnership, but others are more switched on.

Has a supplier completed a pen test recently? Was it completed by a tester who is CREST-certified? Some organisations will consider everything about their suppliers and partners, even down to the routers businesses are using for their WiFi.

While you’ll want some differentiation depending on the type of supplier, you’ll want a due diligence policy you can roll out to every single one. This will keep your business, your employees and your customers digitally secure – and enable you to pass the checks of those performing due diligence on your own organisation.

 

Four best practices for supplier due diligence

1. Security questionnaires for suppliers

First, it’s crucial to understand the ways cybersecurity is implemented into a supplier’s own best practices.

A supplier due diligence questionnaire examines risk by asking questions on data security, human resource policies, financials, and references. You can then use a supplier’s answers to set requirements the third-party supplier must uphold to meet the standards of the business relationship. If anything goes wrong, you can refer back to their answers and hold them accountable.

 

2. Tiering suppliers by criticality

Save time during supplier onboarding due diligence by tiering your suppliers based on the relationship they will have with your business.

For instance, you’ll want to prioritise security of an organisation that will need access to your sensitive data (e.g. a SaaS product provider) more than a business that does not have immediate access to critical information (e.g. a graphic design agency).

Instead of trying a one-size-fits-all approach to evaluating criticality, tiering helps you work out whether you need to review evidence of a clean independent pen test, or whether it's enough for a supplier to abide by GDPR.

 

3. Monitor your suppliers regularly

Cybersecurity due diligence needs to be kept up throughout your vendor partnerships, and isn’t something you can just forget about once the contract is signed.

Depending on your resources, you can use an automated continuous monitoring solution to keep your finger on the pulse about the varying risk profiles of your suppliers. Or you could simply require suppliers to update you on any changes in their systems or processes that have the potential to impact security.

 

4. Evaluate third-party cyber security risk using a pen test

If a third party is dealing with your customers’ data, they will need to present a recent penetration test report, showing either a clean result, or detailing the actions taken to rectify any vulnerabilities found, plus the related retest to ensure the remedial work has been effective.

Penetration testing (often referred to as pen testing) is an authorised security exercise in which testers attempt to find and exploit vulnerabilities in a computer system, network or web application, to identify the weak spots a real attacker could take advantage of.

A successful test can often reassure customers. Even if they have to address gaps in their security, businesses can wear their due diligence as a badge of honour.

By following these best practices, you can lower the risk of partnering with third parties and relieve the burden on employees. Your security, legal and compliance teams will thank you.

 

Datavax is a trusted, neutral cybersecurity partner with expert CREST-certified pen testers. See how you could benefit by booking a free 30-minute consultation with one of our senior testers and project managers today.


Beyond compliance: The business benefits of penetration testing

It goes without saying that the biggest benefit of carrying out regular penetration tests is protecting your business and customers from an attack and data breach. However, there are also a number of other benefits businesses can leverage.

Compliance is also crucial to avoid fines, from GDPR to PCI DSS (which explicitly requires regular penetration testing of the cardholder data environment) and SWIFT CSP, but compliance and protection from an attack are far from the only factors to consider here. If you’re looking for funding, looking to be acquired, or simply looking to land more deals, it might be time to consider the business benefits of penetration testing.

 

Peace of mind

Pen testing can highlight where your team needs training, where your software needs updating and where your systems need restructuring. Crucially, independent pen testers can make these recommendations without trying to sell you a solution.

Ultimately this gives you peace of mind. Once your team’s cybersecurity strategy has been thoroughly tested with both manual pen tests and automated tools, you’ll know what you’re working with. You can see what’s not working, improve your protocols and setup, and ensure a continuity of security throughout your organisation. Then you can keep building your company without worrying about cracks in the foundation.

 

Attracting and keeping customers

It’s not only your organisation that will appreciate a pen tested infrastructure. You’re also able to pass on that peace of mind to your clients – reassuring them that their data is safe with you.

Large organisations are aware of the risks involved in trusting other companies with their data. Some of our own clients require a cover letter from the companies they work with, confirming that a test has been carried out, and they won’t connect their data to your organisation unless they can see you’ve either had a clean pen test or you’re addressing any issues that were found.

So if you can promote the fact that you’ve had pen testing done to prospective clients, you’ll be more likely to get through their quality assurance gate. And once you’re through it, you’ll be able to appeal to other key stakeholders too, particularly strategic and financial partners, who need to feel at ease before they give the go ahead.

 

Attracting investors

Speaking of financial partners, it’s here that the rubber can really hit the road. Companies looking to merge with or buy other businesses often won't even consider acquisitions that they can't qualify as being data-secure.

Shareholders can be equally discerning. If Series A or Series B funding is in your long term plans, you need to act like a billion dollar company before you’re treated like one. That means having a robust information security strategy and being able to evidence it.

 

Protecting your brand

The pandemic has made it clear that businesses need to look beyond present efficiency to create systems that are robust for the future. So while your brand may be unscathed to date, you can’t afford to roll the dice on your reputation tomorrow.

Thorough penetration testing can ensure you avoid more than GDPR fines. It can ensure you steer clear of irreparable damage to your brand. If vulnerabilities are uncovered in testing, especially if they come up more than once, you’ll know how you need to act to mitigate risk. You’ll be able to address the issues, create a long term continuity plan, and keep growing long into the future.

 

A blueprint for data security success

So whether your destination is acquisition, funding or converting more leads, a bias-free audit can set your company in the right direction. Your IT teams might have carried you this far. But scanning for blind spots will do them a favour in the long run – and inspire trust in all onlookers, too.

Datavax is a trusted, neutral, and CREST-certified cybersecurity partner. To learn more, don’t hesitate to get in touch.


Independent penetration testing: what we do and why

If you’re looking for penetration testing for your organisation, you’re unlikely to want to compromise. You’re dealing with highly sensitive data - medical, financial or personal - and the risk of disclosure doesn’t bear thinking about.

Except, of course, you have thought about it. You’ve built a highly secure system to protect against malware and supply chain attacks. You just need an authority to examine whether your infrastructure is watertight.

At Datavax we leverage established practices, certified testers and the latest security tools to uphold the highest standards of testing.

We’re independent, and that’s unusual

A lot of companies that provide penetration testing are also trying to sell you something.

Like a mechanic at a garage, they’ll check over your car, see what’s amiss and then offer to fix everything. Now a very trustworthy mechanic might give you a very honest quote. But in general, there’s a reason that MOTs and NCTs take place independently from those who make a living fixing the problems they find.

It’s the same with penetration testing. If a tester’s priorities are split between finding issues and fixing them, their assessments may not be entirely without bias. At Datavax, we’ve chosen to offer testing alone so that you can have full confidence in our findings.

Our Red Team approach simulates a real cyber threat

When it comes to what we can find, we believe we have the edge.

Ultimately when you’re trying to protect against hackers who may be highly proficient, you want testers who are highly proficient too: testers capable of finding as many security weaknesses as possible, ethically, before they’re discovered illegally.

Hackers are humans, capable of using human creativity to exploit exposed vulnerabilities. So our testers, likewise, don’t rely solely on automated tools.

We do make use of some of the strongest tools available, including Burp Suite’s crawler (formerly Spider), Nikto and DirBuster. But for our web application testing, automation accounts for only around 25% of our method. Our CREST-certified testers (the Red Team) spend most of their effort creatively using the information those tools gather to see if they can get past your organisation’s defences (the Blue Team), simulating a real-world threat. Strictly speaking, a red team engagement is a covert, objective-driven exercise that also tests your detection and response; what we describe here is the manual, adversary-style portion of a penetration test.

 

We uncover security gaps that other teams might not find

Our ethical hackers are, if we may say so, some of the best in the field. Our team holds a mixture of certifications including CREST and has extensive experience in testing methodologies. We also put a senior penetration tester on every project so that complex or hard-to-find vulnerabilities are not missed.

And we do find them. We’ve found cookies that would have allowed an attacker to create a new Administrator-level account and wreak havoc. We’ve identified a cached post-authentication client session that would have leaked PII. We’ve even discovered an SQL injection that let us download a database table full of unencrypted credit card numbers for hundreds of customers: a finding that points to two failures, the injectable query and the decision to store card numbers in plaintext at all.

Because the companies in question hired us, the gaps in security were discovered by ethical hackers, and not the other kind. They didn’t have to pay out fines, deal with reputation damage, or face a single hiccup in their operations. They could simply address the issue and continue to serve their customers with peace of mind.
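The SQL injection finding above comes down to one coding pattern. The following is an added example, not code from the original page or from any client engagement: it builds a constructed in-memory SQLite table of customer ids and card numbers (public test numbers, not real cards), shows the concatenated query that lets a single crafted id dump every row, and the parameterised query that does not. Table and column names are assumptions.

```python
"""Vulnerable versus parameterised card lookup: the pattern behind the SQL injection finding.

Added example, not code from the original page or from any client engagement.
Uses Python's built-in sqlite3 with an in-memory table. The rows are
constructed and the card numbers are public test numbers, not real cards.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: customer ids alongside plaintext card numbers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (customer_id TEXT, card_number TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", [
        ("C1001", "4111111111111111"),
        ("C1002", "5555555555554444"),
        ("C1003", "378282246310005"),
    ])
    return conn


def cards_vulnerable(conn: sqlite3.Connection, customer_id: str) -> list:
    """The flaw: the id is pasted into the SQL text, so it can rewrite the WHERE clause."""
    sql = f"SELECT card_number FROM cards WHERE customer_id = '{customer_id}'"
    return [row[0] for row in conn.execute(sql)]


def cards_safe(conn: sqlite3.Connection, customer_id: str) -> list:
    """The fix: a bound parameter is always data, never SQL, whatever it contains."""
    sql = "SELECT card_number FROM cards WHERE customer_id = ?"
    return [row[0] for row in conn.execute(sql, (customer_id,))]


def mask_pan(card_number: str) -> str:
    """Return only the last four digits; full card numbers should not be stored or shown in clear."""
    return "*" * (len(card_number) - 4) + card_number[-4:]


# The classic payload: closes the quoted literal and appends a clause that is always true,
# turning   WHERE customer_id = '<id>'   into   WHERE customer_id = '' OR '1'='1'
DUMP_EVERYTHING = "' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", cards_vulnerable(db, DUMP_EVERYTHING))   # every card in the table
    print("safe:      ", cards_safe(db, DUMP_EVERYTHING))         # nothing: no such customer id
    print("masked:    ", [mask_pan(c) for c in cards_safe(db, "C1001")])
```

Parameterisation closes the injection; it does nothing about the second failure in that finding, which is that the table held full card numbers in the clear. Tokenising or truncating the number at the point of storage is what limits the damage when the next query bug slips through.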

 

We’re personally on hand from start to finish

Even when you know that the test is necessary, that the threat is a simulated one, and that you’re hiring a CREST-certified team, it’s still a little unnerving to let anyone hack your organisation.

That’s why we ensure you have a dedicated contact from the early scoping stages right through to the end of the project. Your project manager will help demystify the process, be on hand to answer any questions, notify you if any critical issues are found, and ensure the entire project is efficient.

Your dedicated project manager will never close a project until you are happy and your team understands both our reporting and the actions they need to take. We want to offer support for as long as we can be useful and make the experience as positive as possible.

Some penetration testing companies might choose to be faceless but from our perspective our people are an important part of the package. While the human side of what we do might not seem as important as our technical rigour, the companies we work with come to highly value it:

 

“Working with the team at Datavax was a joy. From the outset they were warm, friendly and professional, and provided clear feedback and advice.” - Chief Technology Officer

“Datavax were very easy to deal with. All queries and requests were responded to promptly and in a pleasant and helpful manner.” - Credit Union Manager

“Datavax provided an excellent service from beginning to end.” - Chief Operating Officer

 

We provide a senior tester every step of the way

You won’t only get a project manager from the get go, you’ll also get a senior tester.

Your IT team, CTO, COO or consultant will be able to ask our senior tester highly technical questions. In return, they’ll be able to ask your team questions that a less experienced tester wouldn’t know or be confident enough to ask. This senior input enables us to scope out your infrastructure in a more defined way. As a result, you get a more accurate quote and our team will be able to put their efforts where it counts.

When you need to bundle several tests together (web, app and social engineering, for instance) a senior tester will have the experience needed to schedule these according to your priorities. If a less experienced tester was left to do this, it would be much more of a guessing game. But our team setup enables you to get better value in a clearer timeframe.

Finally, our experience and responsiveness ensures no time is wasted. During the scoping stages, a senior tester might highlight an issue that you can sort straight away, even before we begin testing. Also, once testing begins, if critical gaps are discovered in your security, our team will feed this back to you in real time so you resolve the issue fast.

 

To learn more about what we do and how we do it, don’t hesitate to get in touch.


CREST certification - don't accept anything less

In theory, penetration testing can be done by anyone from any location. If they have the set up of an ethical hacker – a laptop, an internet connection and the relevant software – they’re ready to go. The only issue is, can you have confidence in their services?

When it comes to hiring pen testers, you’re naturally looking for those you can trust with your data, security and reputation. That means choosing testers accredited for high technical ability and watertight codes of conduct. And for many organisations, that means CREST.

CREST-certified testers are rigorously and independently assessed

It’s often more expensive to use a CREST-certified tester since they’ve acquired a vast amount of experience and a high level of technical expertise. The journey to CREST certification is long and hard, but the lessons a tester learns on that road are worth their weight in gold.

The accreditation is not permanent. CREST qualifications expire after three years, and professionals must re-sit the examinations to renew them, so the certificate reflects current skills rather than a one-off exam.

CREST Certified Testers are expected to have around 10,000 hours of experience, and they are capable of leading ethical hacking teams that dive deeply and creatively into an organisation’s infrastructure. To learn more about this approach, which we describe as Red Team testing, see our article on what makes our independent penetration testing different.

CREST-certified testers sign up to enforceable Codes of Conduct

All pen testers holding a CREST qualification sign a personal code of conduct, which ensures they follow ethical practices and vetted processes.

You don’t have to take a CREST member’s word for it, either. As a governing body, CREST can and will carry out onsite audits of their members. They also extend their rigorous expectations beyond the walls of the company to any contractors working or assisting the organisation they vet.

What are the other options besides CREST?

While there are plenty of pen testing qualifications from GIAC to CRTOP and CEPT, only a few certifications serve as an effective barometer of how trustworthy a tester is.

CHECK is a popular accreditation in this regard since it’s a government scheme conducted by the UK National Cyber Security Centre. Tigerscheme, set up and administered by the University of South Wales, is also well recognised.

But sooner or later, if you spend any time in cybersecurity circles, you’re going to hear someone say that CREST certification is the gold standard – and few would debate the point.

The Council of Registered Ethical Security Testers is the seal of approval that many public sector contracts and major private companies look for – and sometimes require. Just as no one ever got fired for buying IBM, no CTO or CIO ever took heat for doing business with CREST-certified testers.

So is CREST worth the cost?

CREST’s high standards mean that when you hire a certified tester, you’re prioritising the security of your organisation. While this has obvious preventative benefits, it also has significant business benefits.

We’ve seen several cover letters which include the sentence, “We’ve had penetration testing by a CREST-certified tester”. 2022 cybersecurity trends suggest this practice will only increase as organisations become more and more discerning of those they do business with.

Datavax is a trusted, neutral cybersecurity partner with CREST-certified testers. If you’re still sitting on the fence about pen testing, you can book a free, no strings attached, 30-minute consultation with one of our senior testers and project managers.


A quick guide to planning your 2022 cybersecurity strategy  

If you’re anything like us, you’re probably reflecting on your 2021 IT infrastructure and wondering, ‘how can we iterate on this and make it even stronger?’

Inevitably, cybersecurity will be front of mind whether you’re a CTO, COO or a founder. This will be especially true if you’re in a growing organisation with a swelling data footprint, or if you’re diversifying into new sectors, or releasing products that make use of sensitive financial or health data.

Looking at the aftermath of events in 2021 such as the HSE ransomware attack, which began with a phishing email, and the supply chain attack on Kaseya, it’s safe to say the benefits of testing your security go far beyond prevention and compliance.

PwC’s Independent Post Incident Review of HSE shows their infrastructure was insecure because they lacked investment to maintain it. There’s no doubt that getting the budget you need to create a robust infrastructure is non-negotiable, so here’s our quick guide to evaluating and iterating on your cybersecurity this coming year.

2022 and beyond

What we do now needs to be informed by what’s ahead. By 2025, Gartner predicts that 60% of organisations will prioritise cybersecurity when deciding on transactions and business engagements. This is hardly a far flung prediction, either. We’ve already seen companies rule out organisations for acquisitions or mergers based upon their security infrastructure.

Bloomberg reports that, according to the US Treasury, ransomware-related transactions flagged by US financial institutions averaged $102.3m per month in the first half of 2021. And while cyber insurance might mitigate the damage, it won’t cover GDPR fines or protect against disruption as ransomware attacks become more frequent. Market analyst Jeffrey Williams told the Insurance Times that a ransomware attack now occurs every 11 seconds, which is in line with pre-2021 predictions.

With this in mind, it’s no surprise that the Digital Europe Programme is assigning €269m of its funding to advance cybersecurity equipment, tools and data infrastructures. Similarly, the UK government is investing £700m in cybersecurity training and business support.

Whether you take advantage of this funding or not, it’s essential to evaluate your security strategy, policies and technology. You may realise you should be adopting a zero trust architecture, role based access control or stricter VPN policies, or that you need to ensure your remote employees have the home infrastructure they need. For many companies, it will also be crucial to reassess their hybrid working cybersecurity strategy and monitoring tools.

Getting the buy-in and budget you need

As with many organisations, you will eventually come up against the issues of internal buy-in and budget. And this is where you’ll likely want to consider a pen test. 

Pen testers can discover where exactly the vulnerabilities are in your organisation – whether it’s your cookies, authentication or employee behaviour. Once you know what your weaknesses are, you can present the risks to stakeholders and use your budget to strengthen them in the optimal way. 

To understand what kind of test is right for you, you should know that automated tools alone will not be sufficient. Hackers don’t solely rely on automated tools, so you shouldn’t rely on defences tested by automated tools either. Of course, the strongest tools can speed up the process, but if you’re going to simulate a real cyber threat, you’ll need a seasoned ethical hacking team – known as a Red Team – testing your infrastructure.

You should also strongly consider hiring pen testers who are CREST-certified or similarly qualified and vetted. The process, training and experience they undertake to get that certification makes them an invaluable asset to have on your side. 

Finally it’s worth understanding the benefits of independent pen testing. The more impartial your testers’ security recommendations, the easier you’ll find it to persuade stakeholders that those suggested measures are necessary.

Book a free consultation 

To kick off the new year, we’re going to be offering organisations a free 30-minute consultation to discuss their infrastructure and cybersecurity strategy.

You’ll have the opportunity to speak with a senior tester and a project manager, and ask any questions – technical or otherwise. There’s no obligation to commit to any form of pen testing with us afterwards, but we’ll be able to explain anything in case you need to make a business case to other decision makers in your organisation.

Datavax is a trusted, neutral and CREST-certified cybersecurity partner. To book a consultation with us, don’t hesitate to get in touch.

 


Cybersecurity for hybrid working: A senior leader’s guide


Every company is already a couple of chapters into their own work from home story, and for many the plot has taken a turn toward hybrid. But no matter how flexible the arrangement, if your organisation gives employees the option to work from home, you need to ensure your company is not taking a flexible approach to cybersecurity too. 

It’s not only an issue for IT teams, but for anyone in leadership. After all, the most secure organisations have done more than purchase the right security software. They have also addressed gaps in employee awareness, set comprehensive policies in place, and have found ways to reinforce best practice company-wide. 

Employee awareness

Let’s be clear about this: If your staff don’t understand the risks, all your cybersecurity processes are redundant.

It’s tough to get everyone on the same page. According to an HP Wolf Security report, over 50% of employees are more worried about deadlines than a data breach. Because of these mismatched priorities, employees can perceive restrictions as unnecessary obstacles to their own workflows, particularly when other aspects of hybrid working are often oriented around their preferences.

It’s no surprise, perhaps, that 83% of IT teams believe home working to be a “ticking time bomb” for a network breach. And despite their best efforts, 69% of IT teams said they’re made to feel like the bad guys for imposing security restrictions. 

What are your employees’ general at-home technology habits like? Do they know about phishing, or other major cybersecurity concepts? Have you ever tried testing them? 

If you’re uncertain how to motivate your employees to follow best practice, the threat of ransomware might tip them over the edge. As we saw in the HSE phishing crisis, employees need to operate by a zero trust principle. They need to assume they will be targeted by hackers, and unless employees exercise caution, they could bring their entire organisation to a standstill. 


"The most important factor when it comes to cyber security across a hybrid working model is communication and a strong culture of security awareness. You can have the best policies in the world, but if those aren't known and understood by every member of your workforce then they may as well not exist.

The most successful organisations are those in which every team member has a respect for cyber and information security, and understands where to go for help and how to report concerns. Whether those things are written into policies is almost irrelevant."

CTO - i3PT

Policy and procedure

Awareness alone won’t protect against every hybrid working security risk. You’ll also want to consider what policies you can put in place to set the standard, promote best practice and mitigate the damage should the worst happen.

Too many organisations rush into buying cybersecurity software, without really knowing what their vulnerabilities are. But simply getting comprehensive policies down on paper – from IT security to remote access and encryption – can help your organisation to assess where you are not yet compliant and where you need to take further steps. 

Role based access

One of the first security principles you should be aware of, and set processes in place for, is the principle of least privilege: each employee in your organisation – and beyond it, in the supply chain – should have access only to the data they need to do their role. The usual way to enforce this is Role Based Access Control (RBAC), where permissions are granted to roles and people are assigned to roles, rather than granting permissions to individuals one by one.

In a small organisation, you can afford to give each employee tailored permissions, while in a larger organisation you may organise it by management level and by department – giving finance access to one set of data, the engineering department another.
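As an added worked example for this section (it is not Datavax’s code, nor any particular product’s), the Python below implements a deny-by-default RBAC policy of the kind just described: permissions attach to department-level roles, users are assigned roles, and anyone without a matching grant is refused. It also shows the review step that keeps least privilege honest over time: comparing what each user is allowed to do against what they have actually done, to find grants that can be revoked. The role names, users, resources and access log are constructed placeholders.

```python
"""Deny-by-default role-based access control (RBAC) with a least-privilege review.

Added example for this section; not Datavax's code. Role names, users,
resources and the access log below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Permission:
    resource: str  # what is being accessed, e.g. "payroll"
    action: str    # what is being done to it, e.g. "read" or "write"


class AccessPolicy:
    """Permissions are attached to roles, and users are assigned roles.

    Nothing is allowed unless some role the user holds grants it explicitly,
    so an unknown user or an empty role resolves to 'deny'.
    """

    def __init__(self) -> None:
        self._roles: Dict[str, FrozenSet[Permission]] = {}
        self._assignments: Dict[str, Set[str]] = {}

    def define_role(self, name: str, grants: Iterable[Tuple[str, str]]) -> None:
        self._roles[name] = frozenset(Permission(res, act) for res, act in grants)

    def assign(self, user: str, role: str) -> None:
        # Refuse typos such as "finnance": a silent no-op would hide a misconfiguration.
        if role not in self._roles:
            raise KeyError(f"unknown role {role!r}")
        self._assignments.setdefault(user, set()).add(role)

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        wanted = Permission(resource, action)
        return any(wanted in self._roles[r] for r in self._assignments.get(user, ()))

    def effective_permissions(self, user: str) -> FrozenSet[Permission]:
        perms: Set[Permission] = set()
        for role in self._assignments.get(user, ()):
            perms |= self._roles[role]
        return frozenset(perms)


AccessLog = List[Tuple[str, str, str]]  # (user, resource, action) entries


def unused_permissions(policy: AccessPolicy, user: str, log: AccessLog) -> FrozenSet[Permission]:
    """Permissions the user holds but never exercised in the log: the first
    candidates to revoke in a least-privilege review."""
    used = {Permission(res, act) for who, res, act in log if who == user}
    return policy.effective_permissions(user) - used


def build_example_policy() -> AccessPolicy:
    """Department-level roles, as the text describes for a larger organisation."""
    policy = AccessPolicy()
    policy.define_role("finance", [("payroll", "read"), ("payroll", "write"), ("invoices", "read")])
    policy.define_role("engineering", [("source-code", "read"), ("source-code", "write"), ("build-logs", "read")])
    # A supply-chain contractor gets one narrow, read-only grant.
    policy.define_role("contractor", [("shared-docs", "read")])
    policy.assign("alice", "finance")
    policy.assign("bob", "engineering")
    policy.assign("carol", "contractor")
    return policy


# Constructed sample of what an access log might record over a review period.
SAMPLE_ACCESS_LOG: AccessLog = [
    ("alice", "payroll", "read"),
    ("alice", "invoices", "read"),
    ("bob", "source-code", "write"),
    ("bob", "source-code", "read"),
    ("carol", "shared-docs", "read"),
]


def main() -> None:
    policy = build_example_policy()
    checks = [("alice", "payroll", "read"), ("bob", "payroll", "read"),
              ("carol", "source-code", "read"), ("mallory", "shared-docs", "read")]
    for user, resource, action in checks:
        verdict = "allow" if policy.is_allowed(user, resource, action) else "deny"
        print(f"{user:8} {action:5} {resource:12} -> {verdict}")
    for user in ("alice", "bob", "carol"):
        stale = unused_permissions(policy, user, SAMPLE_ACCESS_LOG)
        print(f"{user}: held but unused -> {sorted((p.resource, p.action) for p in stale)}")


if __name__ == "__main__":
    main()
```

Two design points matter more than the data structures. First, `is_allowed` has no allow-everything fallback, so a user nobody assigned a role to (the "mallory" check above) is denied rather than quietly inheriting access. Second, the review in `unused_permissions` is what turns RBAC from a one-off setup into an ongoing least-privilege control: in the sample, finance holds write access to payroll that was never used during the period, which is exactly the kind of grant a periodic review should question.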

VPNs

You also need specific protocols around hybrid working. Employees should be connected to the company VPN (Virtual Private Network) at all times. This creates an encrypted tunnel between their workstation and your workplace network, and it shouldn’t be turned off for a second.

On the other hand, free VPNs are an absolute no go, and this needs to be enshrined in your policy. These VPNs, often used to access international streaming services or other blocked content, are full of holes. Your employees might see it as a helpful hack to watch US Netflix, but for their ingenuity they might be hacked in return.

Hardware and software

But even a company VPN is little help as protection if your employees are accessing that VPN from a device full of malware. If an employee’s children are using the same laptop or phone to download from untrustworthy sources at weekends, there’s no telling what’s on it. While Apple’s App Store is relatively regulated, the Google Play Store is a wild west. 

In a hybrid world, the boundaries are blurring between employees' personal and work lives, and it can be hard to know where they draw the line. 

Without the right support, too, digital poverty may force remote employees to go occasionally to public places to fulfil their job requirements, connecting to unknown routers or other insecure hardware.

A way to mitigate this is to put policies in place to ensure all your employees have the home infrastructure they need, including up-to-date IoT-enabled devices such as printers, webcams and routers. This isn’t one to overlook, particularly if you’re looking to get cybersecurity certification. Cyber Essentials, for instance, requires employees’ routers to be relatively new; otherwise your company will be deemed too vulnerable to meet its standard.

How to reinforce best practice

Communicating the seriousness of your policies to a remote team isn’t always simple. It requires more than a company-wide email or a team message – which employees can all too easily ignore. So how can you convince them to take it seriously?

One avenue is training. You could consider putting your company through Cyber Essentials, or ensuring your development teams are aware of OWASP. At a bare minimum, training should get many of your employees using two-factor authentication and updating their software regularly. But there will almost always be employees who don’t show, don’t listen or don’t implement what they’ve been taught.

Here penetration testing can be of great help, enabling you to:

  • Discover which employees are most at risk so that you can intervene.
  • Assess the unique vulnerabilities of your organisation, which will inform your policies and the actions you need to take as a company. 
  • Reinforce best practice by setting up monitoring to automatically notify employees when they act outside of company policy.


We’ve been trusted, neutral, and CREST-certified cybersecurity partners to a variety of companies over the years, and we can help your organisation too. To learn more, don’t hesitate to get in touch. 


5 lessons Medtech companies can learn from the HSE phishing crisis

In May, Ireland’s public health service, the HSE, was plunged into disarray. Servers were shut down, referrals ground to a halt, and an entire maternity hospital was put out of operation. Even now, patients are unable to find out whether their own personal data was compromised.

All of this happened because one member of staff clicked on a phishing email. Except, of course, they’re hardly to blame. The HSE crisis was the result of a number of connecting issues - issues which may affect all medtech companies to one degree or another.

Now the HSE is, of course, a huge public body that’s notoriously underfunded. So the implications for private medtech startups won’t exactly run in parallel. Nevertheless, all medtech companies are handling similarly sensitive information, and the consequences of a cyber attack could be equally severe.

1) It’s a question of when, not if

With the HSE crisis, the situation was made worse by slow response times. After the confusion, the various public bodies soon found they had no way of closing down or limiting the information the hackers had accessed.

In some ways, response protocols should be bread and butter security, even though they aren’t required under GDPR. If your Standard Operating Procedures aren’t already in place, we strongly recommend nailing them down, including your disaster recovery plans.

With the right failsafes around hosting, too, you can ensure your systems are not shut down completely in the event of an attack.

2) The latest patches are needed but there may still be gaps

Much of the criticism thrown at the HSE surrounded their use of Windows 7. It was running on many of their workstations, largely because a number of applications were dependent on that operating system.

Legacy systems are typically more of an issue in the public than the private sector. But it’s still good practice to prepare to update systems sooner rather than later. One of our customers’ products will become unsupported when Google stops supporting older versions of Android, so that customer is already preparing the product to ensure it will remain compliant and secure in years to come.

While we don’t find many legacy systems in our penetration tests, we do uncover a number of issues related to patches and updates. Either software hasn’t received the latest patch, or interdependencies are brought crashing down by an update. To ensure infrastructure that was secure yesterday is still secure today, medtech companies need to monitor these updates and test for vulnerabilities regularly.

3) Humans need to be as secure as software

It’s not just applications that need updating, it’s the people using them too. Software products can help serve as an early warning system to protect against phishing but they will never be completely foolproof against a sophisticated attack.

Of course, with over 100,000 staff, the HSE had far more phishing targets than the average medtech company. But that doesn’t mean the threat is any less real for you. To keep the virtual gates locked against unwelcome visitors, cyber security training should be part of any medtech company’s growth strategy.

Testing for your organisation could include identifying employees who are at risk of phishing attacks and assessing what level of training is needed based upon your employees’ activity.

4) A small breach can become a big one

The HSE crisis was almost certainly the result of a spear phishing attack rather than the generic emails that are easily sifted out by a spam filter.

In a targeted spear campaign, an attacker might use real information about your employees to masquerade as one of them. If the hacker has gathered enough information through a correspondence leak, they may even be able to refer to a recent conversation about an ongoing issue in your organisation. Their forged communication can be very convincing.

The risk is amplified in a remote working situation. And while more secure communication tools like Teams and Slack help here, they only go so far to bridge this gap. When you cannot quickly glance over at a colleague - who has apparently sent a Slack message that looks slightly off - you might not check in with them before you click the link they’ve sent.

5) Hybrid working will appeal to hackers 

Finally, because HSE’s data was so decentralised, a number of weak points existed in their systems. For medtech companies continuing to work remotely, or pivoting to hybrid, this will be an important issue to bear in mind.

When you have more than one area where you’re storing information - and they link together in some way - there will be vulnerabilities that wouldn’t exist if the information was centralised.

On the other hand, while a single centralised system might seem like a bigger target, it’s far easier to protect. So long as you have enough safeguards covering a single vulnerable point, you mitigate the risk.

When Datavax began working remotely, we understood what we were up against. We quickly implemented company-wide antivirus software and paid for a company to install patch management software on all our workstations. This notifies our employees if any application or system goes out of date. It also enables us to keep track of our infrastructure as if it was all under one roof.

Ultimately, the more links in the chain you have, the more security you need. Your systems are likely much more secure than the HSE’s were in May but you still want to pass with flying colours every time an audit is done.

----

To check that your security is rock solid, you may want an independent penetration test. To learn more, don’t hesitate to get in touch.


GDPR - A recap on the changes

GDPR enhances the rights and principles already defined in the Directive and the DPA; however, it also introduced some more significant changes, including the:

  • Requirement to actively demonstrate compliance and document processing activities.
  • Greater powers for supervisory authorities and increased reliefs available to data subjects.
  • The Office of the Data Protection Commissioner (ODPC) now has the ability to issue fines for non-compliance. A recent example: WhatsApp was issued a €225 million fine for breaching privacy regulations (BBC 2021).
  • Mandatory reporting of data privacy breaches to the appropriate supervisory authority.
  • Introduction of ‘privacy by design’ as a concept when developing, designing, selecting and using applications, services and products that are based on the processing of personal data.
  • Requirement to complete privacy impact assessments (PIAs) for change activity where there is a “high risk to the rights and freedoms” of the data subject or where processing is likely to be carried out on a large scale.

These changes and recommendations are complemented by guidance from other supervisory bodies, such as the Information Commissioner’s Office (ICO) in the UK, which has advised organisations to consider the following:

Information you hold; awareness and communication; rights of individuals; data subject access requests; legal basis for processing; consent; processing of children’s data; data breach reporting; privacy by design and PIAs; data transfers; and appointment of data protection officers (DPOs).

If you want to find out more about GDPR, read our blog: Data protection in SaaS, Who's responsible for what?


Data protection in SaaS – Who is responsible for what?

Although Europe already has some of the world’s most stringent data protection laws, those protections were upgraded when the General Data Protection Regulation (GDPR) came into force in May 2018. Although it is obvious who is responsible for maintaining the security of data held in in-house systems (you are), the modern operating environment is much more complicated.

The average organisation now uses 1427 cloud services, which means that there are potentially 1427 points at which your business may expose sensitive personal data.


Who is a data controller and who is a data processor?

Under GDPR, your business is known as a “data controller” – you are the body who has obtained personal data and outlined how it will be used. The data controller bears the greatest responsibility for ensuring information is properly protected against loss, theft or unauthorised sharing.

Every cloud provider you use must share some of that responsibility, however, as they will now be classified as “data processors”. By accepting your business, data processors agree to be bound by the same terms as you – to protect personal data against loss, theft or unauthorised sharing.

What is your cloud provider's responsibility?

In the past, data processors – like cloud service providers – had no real responsibility to understand the information held on behalf of their clients. Under GDPR this has changed slightly – the processor must at least maintain logs of data access for use in any investigation following a reported GDPR breach.

It is also extremely important to understand whether you or your cloud provider is responsible for implementing security. For PaaS/IaaS services which provide a basic platform on which your company builds its own systems (think Amazon AWS and Microsoft Azure), you are most likely responsible for security provisions – so you will bear the greatest burden under GDPR.

If, on the other hand, your cloud provider offers security as part of a SaaS package, they are most likely responsible for maintaining safeguards to protect your customers’ data. We say “most likely” because the GDPR does not specifically divide responsibility. Instead, your business must agree which party will take responsibility for each aspect of security. These agreements must be detailed in your service contract too.

Non-EU providers are still bound by GDPR

According to GDPR, any business processing data belonging to EU citizens has the same data protection responsibilities – and will be prosecuted to exactly the same extent as a local organisation in the same position. This means that Google-based services – which have historically been delivered from data centres in the US – will have to adhere to GDPR.

Importantly, your business will need to negotiate GDPR-compliant contracts with businesses outside the EU. If an agreement is not possible, you will need to seek an alternative provider. Larger companies may not be able to offer sufficient flexibility to meet the specific contractual needs of your business and its customers, so consider this when negotiating.

Ignoring GDPR compliance is not an option – nor is assuming that investigators will automatically divide responsibility between parties.

Ultimately you, as the data controller, will hold the majority of the data protection obligations – but you need to be clear where there are any overlaps, and address them with your partners. Otherwise, you could be found liable for data loss – regardless of whether the incident occurred in your data centre or that of your SaaS provider.