What’s been happening in the world of tech this week? We’re leading with stories on cyber security, the big topic for organisations in 2016. With data breaches increasingly making the headlines involving large companies and small, cyber security should be on everyone’s agenda this year.
Cyber Security Education Tool For Businesses
The UK government and the professional body for HR and people development ‘Chartered Institute of Personnel and Development’ (CIPD) have joined forces to launch an e-learning tool that companies can use to educate their workforce about cyber security.
The new e-learning module (which is free) is funded by the government’s National Cyber Security Programme and has been launched as part of a wider partnership between the government, HR professionals and security professionals, with the aim of promoting the importance of cyber security at work.
The launch appears to be well timed as it comes in the wake of some very high profile security breaches such as those at TalkTalk (reportedly losing them over 100,000 customers) and JD Wetherspoon.
There are also new EU data protection regulations coming into force in 2017, and failure to comply could see companies facing penalties on top of the financial, legal, reputational and human consequences of falling victim to cyber crime.
The fact that the tool has been developed with the help of government and security experts highlights how sophisticated cyber criminal activity is becoming, how many more cyber security targets companies must now meet (for governments, stakeholders and insurers), and how much practical help is needed for companies to get up to speed with the whole subject and stay on top of it.
Reducing Human Error
At the heart of the launch of the new e-learning tool through HR is the fact that an individual’s knowledge about cyber crime could be a key factor in whether or not they take actions that could compromise the security of the whole business. It can also have a strong bearing on whether they become a victim of cyber crime in their life outside of work.
Based on Research
The government and businesses are all too aware of the research showing that most online / IT security breaches are staff-related and result from employees not knowing or understanding the risks, the potential mistakes and / or the compliance obligations of the company / organisation.
The motivation for companies to take advantage of the new free learning tool should be all too apparent when considering the 2015 UK government figures, which show that the cost of a severe online breach starts at £1.4m for large businesses and can reach as much as £310,000 for small businesses.
The focus on HR being central to the introduction of the new e-learning tool is not just because HR professionals handle sensitive personal data but also because they are responsible for recruiting, managing and developing the workforce in organisations.
Information about the Cyber Security for HR Professionals course can be found on the CIPD website.
Cyber Crime: Humans Vs. Automation
At Internet security company Kaspersky’s recent Security Analyst Summit in Tenerife, researchers made the point that even though robotics and automation are playing a larger part in all aspects of life, including cyber crime, it is likely that humans will always be needed to play at least some part in most cyber crime.
The Metel banking fraud gang were cited as a specific example of a cybercrime gang who rely on individual members or associates physically travelling to ATMs and taking money out in order to complete a crime that begins with spear-phishing.
The gang, who target employees of financial firms in order to gain access to payment processing computers, also use human rather than digital means once the card numbers are typed into the ATM: the hackers wait for the card numbers to appear in the payment processing system and manually click ‘cancel’ from their end.
Another example of the vital human links in money laundering was given at the Kaspersky summit by Adrian Nish, head of cyber intelligence systems at BAE. Mr Nish highlighted the case of the hackers behind the Shylock attacks, which used a banking Trojan, spread via Skype, that could allow them to take control of a PC in order to steal banking login credentials.
These same Shylock hackers actually placed a job advert online for an “e-commerce representative” who could work from home transferring money for businesses. The stipulation that the individual should have no criminal record and a PayPal account meant that the hackers would have a network of individual ‘mules’ who would be hard for the authorities to detect while carrying out much of the laundering process. The work appeared legitimate on the surface and was kept at a distance from the hackers themselves.
The mules even received some basic training in order to give the right answers to any questions from the authorities.
Future of Cyber Crime - Still Needs Humans
Experts at the Kaspersky summit pointed out that even though automation in cyber crime is likely to become more advanced and sophisticated, humans are still likely to be needed long into the future to ensure that the perpetrators actually get the money. As such, this human element will always be the weakest link in the cyber crime chain.
This is good news for all of us, as businesses and individuals alike are potential cyber crime targets, and the fact that potentially traceable humans are involved means that the authorities stand a much better chance of catching the perpetrators.
French Give Facebook Just 3 Months To Stop Tracking Non-Members
The Chair of the French data protection authority ‘Commission Nationale de l'Informatique et des Libertes’ (CNiL) has issued Facebook with a formal notice giving it 3 months to stop tracking non-members of the social network in France.
The CNiL has also asked Facebook to stop the transfer of some personal data to the U.S. If Facebook does not comply with the CNiL’s requests, it could face sanctions.
The problem has arisen because the CNiL believes that Facebook is not currently complying with the French Data Protection Act (DPA) due to a number of alleged activities that the CNiL have outlined in a post on their website.
The areas where the CNiL state that Facebook is not complying with the French DPA include:
- Collecting, without prior information, data concerning the browsing activity of Internet users who do not have a Facebook account. N.B. Facebook currently tracks all visitors to the website by using cookies known as datr.
- Collecting data concerning the sexual orientation and the religious and political views without the explicit consent of account holders.
- The website setting cookies that have an advertising purpose without properly informing and obtaining the consent of Internet users.
- Compiling information on account holders to display targeted advertising and not providing tools for account holders to prevent such compilation.
- Transferring personal data to the U.S. on the basis of ‘Safe Harbor’, although the Court of Justice of the European Union declared such transfers invalid in its ruling of October 6, 2015.
The CNiL have stated on their website that the reason why the formal notice to Facebook has been made public is “due to the seriousness of the violations and the number of individuals concerned by the Facebook service (more than 30 million users in France).”
Last year Facebook made changes to the way the site is viewed in Belgium after a similar order from the Belgian Privacy Commissioner.
The new deal to replace ‘Safe Harbor’, called the ‘EU-US Privacy Shield’, has not yet come into force, so companies wanting to legalise data transfers across the Atlantic cannot yet rely on it as the basis of any argument.
Facebook, however, is reported as saying that it is not using Safe Harbor. In reply to the CNiL’s requests, Facebook is reported to have said that it looks forward to engaging with the CNiL to respond to the concerns raised.