    Why does data processing play a critical role in…


    With under nine months to go until the commencement of GDPR, we hope that your organisation is well on its GDPR road of discovery at this stage.
    A processor is an organisation (or a natural person) that processes personal data on behalf of a controller. Bearing in mind the expansive definition of processing (any operation carried out on personal data, from collection and storage through to destruction), there are a great many organisations out there that carry out processing activities. As data protection legislation stands (pre GDPR commencement), the obligations of a data processor are limited, and therefore processors may not be aware that GDPR introduces a big change for them: they now have serious obligations under GDPR and become responsible for any breaches they commit under the new regime. Any such breach can result in legislative fines, actions by data subjects that have suffered material or non-material damage as a result of a breach, and contractual claims from controllers.
    Although these obligations may not always have been adhered to in the past, since the introduction of the Data Protection Acts there has been an obligation on controllers to ensure that, where data is processed by a processor on behalf of the data controller, there is a written contract in place between the controller and the processor which includes certain conditions. These requirements have been expanded under Article 28 of the GDPR, which sets out detailed conditions that must be included in any contract between a controller and a processor. It is the obligation of both the controller and the processor to ensure this requirement is met. (There is of course nothing stopping you from agreeing more stringent conditions in the contract; the requirements of Article 28 set the minimum threshold.)
    Some processors are only now waking up to the relevance of GDPR to them. This may happen when a controller client, at contract renewal, takes a new attitude to the agreement to be entered into, security audits, etc. Remember that where you are entering into a one-year contract now, it needs to take into account the requirements of GDPR, as GDPR will commence during the term of the contract. In entering into a contract for a new service we ourselves have had a processor refuse to sign a data processing agreement in accordance with Article 28, saying “nobody has ever asked us to sign this before”. This required some (free) education for the processor on the requirements of GDPR! For those processors out there who have not yet started their GDPR journey of discovery, you need to get your skates on, because your GDPR-aware controller customers may end up going to your GDPR-ready competitors: with so much now at stake under GDPR, they will just not be happy to take the chance on you.
    If you require assistance in relation to getting your organisation GDPR ready, contact gdpr@ward.ie.
    To keep up to date with exactly what you need to know about GDPR, download our whitepaper here:

    Insights

    Ward Solutions appoints Orlagh Moylan to the role of…

    Ward Solutions, Ireland’s leading information security provider, today announces the appointment of Orlagh Moylan as Business Development Executive. Orlagh’s key role will be to identify new business opportunities and build existing client relationships.

    With over 12 years’ team management and commercial experience in the technology sector, Orlagh brings an understanding and depth of experience to her new position which will enable her to identify new opportunities and develop Ward Solutions’ sales team. She will play a crucial part in developing Ward Solutions’ sales strategy for information security solutions to protect customers against increasing security threats.

    Prior to joining Ward Solutions, Orlagh held the role of New Acquisitions and Channel Manager for Sage for four years. In this role she was responsible for new acquisitions, working with channel partners to help them achieve revenue targets and managing the sales team. Previously Orlagh worked with Xerox Europe for 10 years and her last role with the company was Senior Business Advice Manager where she was responsible for the management of a team of 40 focused on customer services and renewals.

    Insights

    Vulnerability Scan & Penetration Test: How are they different?

    Five differences between a vulnerability scan & penetration test:
    As a security company we get asked these questions a lot, and surprisingly we see a number of businesses that actually think the two are just the same. Here are the main reasons why you need to know the difference between them.
    Please note the below are drawn from industry best practice standards, e.g. PCI DSS.
    Vulnerability Scan:
    Objective: To identify, rank and report the list of vulnerabilities or potential vulnerabilities that, if exploited, may result in a compromise of your system.
    Plan the scan: It is recommended that your business conducts scans quarterly or after any significant changes have been made to your system. (Ref: PCI DSS Requirement 11.3)
    Duration: Vulnerability scans take a short period of time; typically scanning can be completed within a day. Of course this may differ based on the size of the project, but it is much shorter when compared to a penetration test.
    Functionality: A vulnerability scan is an automated scan which produces a report that is then analysed by a third-party vendor such as Ward. Ward Solutions conducts both external and internal vulnerability scans.
    Reports: The vulnerabilities are typically ranked in accordance with the Common Vulnerability Scoring System (CVSS), which is what we mainly use; another reference used for ranking the findings of these kinds of scans is the National Vulnerability Database (NVD).
    Now let’s look at penetration testing:
    Objective: To discover and exploit exposures that exist on the internal or external network in order to gain access to sensitive information or resources. In addition, a detailed report is provided with prioritisation and remediation advice so that the necessary mitigations can be actioned.
    Plan the scan: It is recommended that a pen test is conducted annually or after any significant changes are made to the system. (Ref: PCI DSS Requirement 11.3)
    Duration: Penetration testing takes more time, and differs depending on the nature of the testing (e.g. web application or infrastructure), the size, and the complexity of the environment. Before this type of testing begins, all projects should be scoped in detail to understand the estimate of effort required.
    Functionality: This process involves manual testing by one of our in-house pen testers, covering reconnaissance, discovery and exploitation phases. The output is a comprehensive report.
    Reports: The comprehensive report consists of three sections:

    • An executive summary.
    • A detailed table of findings from the penetration test.
    • An information gathered section which describes the results of all the testing carried out, both positive and negative.

    Now the only piece of advice we can give before you conduct a scan or a test is that you develop a plan. Discuss the reasons why you need it and what you want to achieve from it, and involve the key decision makers in your organisation. Once you know what you really want to achieve from testing, set expectations and decide which areas of risk you need to focus on. Involving a third party is not going to disrupt your plan; it only gives you a clearer perspective from all sides, so that you are not left with a gap that might have been missed if it were done internally.
    Ward advises that when you receive proposals from third parties you make sure you understand the above differences before you select which option is correct for your organisation and which one you want to go ahead with.
    If you want to speak to one of our experts to continue this discussion:
    E-mail me at grainne@ward.ie, or call our office. If you’re based in Ireland call +353 1 6420100, or in Northern Ireland call +44 28 90 730 187, to discover our range of information security solutions and discuss your unique requirements.
    To have a look at our latest survey results, check out the latest edition of our whitepaper on mapping cyber security solutions.
    By providing the contact information above, I agree that Ward Solutions Limited may collect, use, disclose and retain my personal data, which I have provided in this form, and share it with third party organisations through which Ward carries out its marketing (further details of which can be accessed at our website www.ward.ie), for providing marketing material, in accordance with the Data Protection Acts 1998 – 2003 and our privacy/data protection policy (available at our website www.ward.ie).
    If you do not wish to receive this information please e-mail us at privacy@ward.ie.

    Insights

    Should I be afraid of my fridge? Threats of…

    The Internet of Things (IoT) is a term that causes much confusion, but doesn’t need to. IoT simply refers to the huge range of devices that are all connected to the internet and, therefore, to one another. Aside from the standard fare of computers and smartphones, the IoT really refers to the vast range of connected devices we would not usually associate with the internet, from cars, to kitchen appliances, to thermostats. The array of devices with the potential to make the shift from ‘dumb’ to ‘smart’ seems almost endless, with around 8.4 billion IoT devices currently in use around the world, and a predicted 20.4 billion to be in use in households and businesses by 2020. The majority of IoT devices are currently found in the US and Chinese markets, but Western Europe will be the other major region driving this growth. However, the rapid growth in numbers of connected devices in circulation is also driving very real security concerns.

    The security threats facing companies are constantly evolving with new technologies. For example, our recent survey found that 77% of companies predict cybercriminals will use AI to strengthen attacks in the next 12 months. Despite the forecasted growth of the Internet of Things, consumers too have expressed justified security fears which will need to be addressed before widespread adoption. The worries surrounding the IoT read like features of a dystopian novel, but are in fact a very real concern. A study from Hewlett-Packard found that 70 percent of the most commonly used IoT devices were not secure. On one hand, there are concerns around the use of these insecure devices for government surveillance, as evidenced by Wikileaks’ release of CIA documents highlighting the targeting of consumer electronic devices. Our Android devices, iPhones and Smart TVs are all open to being spied on and targeted, due to their often paper-thin security levels.
    On the other hand, these devices are frequently targeted by hackers for a range of criminal activities, which can be divided into two categories. Firstly, devices may be taken over by hackers and used to do something they are not intended to do. Distributed Denial of Service (DDoS) attacks are one example of this. DDoS attacks attempt to make an online service unavailable through overwhelming it with traffic from multiple sources. Due to the relative ease with which hackers can access a range of IoT devices, they are often employed in these attacks. Your smart toaster may unwittingly be contributing to these large scale disruptive botnet attacks.

    Secondly, devices can be commandeered and put to their intended use, but in devious ways. For example, a drone device may be taken over mid-flight, and simply redirected into the hands of the hacker. More nefariously, we may have cause for worry if our future self-driving car can be overridden and directed off the road. In the future, hackers may conceive of a multitude of ways in which to use our devices that we simply can’t comprehend beforehand.

    It’s clear then, that the cyber threat to IoT devices is less about the traditional viruses we associate with our computers and laptops, and more the re-purposing of open devices for criminal activities. While there is no simple fix for IoT security, there are simple ways in which we can greatly improve the security of our own devices. Too often consumers fail to change the default password of their devices. This simple step may not shut out hackers completely, but it will at least close the front door.

    A culture change should also be adopted within organisations, where cyber security should be made a top priority. The first step for organisations in IoT security is to identify how many connected devices are on their network. A survey from AT&T shows that almost half of enterprises base the number of connected devices in their business simply through estimations. Penetration testing is an effective method to get on the front foot and understand the extent of the IoT security challenge facing your organisation. Employees should also receive basic security training, and risk assessment and information system audits should be commonplace.

    Securing the Internet of Things is a daunting challenge, complicated by the fact that many devices use only simple processors and operating systems, incapable of supporting sophisticated security approaches. Placed on the top of Gartner’s list of 10 IoT technologies for 2017 and 2018, security will remain an ongoing issue for manufacturers and regulators as IoT device use expands. However, consumers should remain aware of the risks and take it upon themselves to adopt whatever steps possible to secure their devices.

    For further advice and support on how to secure your IoT assets and protect your business speak to our subject matter experts, e-mail us at info@ward.ie or call 1800 903 552 to discuss your unique requirements.

    Insights

    Your safety guide to Cloud Shadow IT!


    Missed our webinar? Don’t worry! We recorded it for you.
    How to turn the potential threat of Shadow IT into an advantage?
    In our webinar we looked at the hidden threat at the heart of many Irish organisations that is shadow IT, i.e. the use of software or systems that are not authorised by the IT department. The growth in cloud services has made it extremely easy for users to access unauthorised programs, and as a result we have reached the point at which Cloud Shadow IT now poses a significant threat to Irish organisations. Companies need to decide how best to deal with shadow IT trends in their organisation but the best option might not necessarily be to clamp down on users.
    When it comes to dealing with the threat of shadow IT, it’s important to first understand the reasons behind its spread. In the majority of cases it stems not from malicious intent, but rather from employees aiming to be proactive and implementing software that they feel will benefit their organisation. The proliferation of cloud services has made it easier than ever for users to implement unauthorised apps, as they typically only require a browser rather than any installation of programs on local devices. However, in doing this, many employees unintentionally turn to unauthorised programs while attempting to fill a perceived gap in their existing software suite.
    Security awareness training is crucial
    When deciding on the correct approach to effectively tackle shadow IT, companies need to ensure that they bear this in mind, and create a culture of acceptance and protection rather than one of detection and punishment.
    Employee education is central to developing such a culture. Providing your employees with security awareness training that gives them an overview of the reasons for the existence of particular security processes can help them to appreciate the necessity of adhering to company policies.
    Identifying unauthorised apps
    As well as ensuring that your team is aware of the inherent risk associated with cloud shadow IT, it’s also important to make certain that you have oversight of the apps that are being accessed on your network. Utilising a tool such as Microsoft Cloud App Security (CAS) can give you the visibility and control that you require.
    CAS allows you to collect information from firewalls and proxies and identify exactly which apps are in use from your network. This can help you to assess risk, and also identify which users are utilising apps that fall outside company policy.
    Having identified individual users who are using cloud apps without the authorisation of the IT department it is a good idea to ask them to outline their reasons for doing so, in order to establish whether or not there exists a genuine need for such an app. If it transpires that providing employees with access to a particular app would be likely to increase productivity or have an otherwise positive effect on the company then it might be worth reassessing current policies and investigating the possibility of integrating this app into your overall software suite. Doing this will help you to ensure that these programs are contained within your security infrastructure, rather than existing outside it in a position that could leave your network open to vulnerabilities.
    When seeking to on-board CAS initially it’s a good idea to take a phased approach, utilising the tool as a proof of concept to increase visibility over the network and justify an ongoing governance and compliance strategy.
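    As an added illustration of the discovery step described above, here is a small Python script that does, in miniature, what the text says a tool like CAS does with firewall and proxy logs: it parses constructed proxy log lines, matches each request’s host against a constructed catalogue of cloud apps marked as sanctioned or not, and reports which users are using which apps and how much data is being uploaded to apps that fall outside policy. This is example code written for this page, not Ward’s code and not Microsoft Cloud App Security itself; the log format, the catalogue, the app names and the sanctioned/unsanctioned flags are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real traffic, not from the page).
# Fields: timestamp user client_ip method url bytes_sent
PROXY_LOG = """\
2017-08-15T09:01:12Z alice 10.0.1.21 PUT https://api.dropboxapi.com/2/files/upload 5242880
2017-08-15T09:02:40Z alice 10.0.1.21 POST https://content.dropboxapi.com/2/files/upload_session/append 8388608
2017-08-15T09:05:03Z bob 10.0.1.34 GET https://outlook.office365.com/owa/ 1024
2017-08-15T09:07:55Z carol 10.0.1.40 POST https://www.wetransfer.com/api/v4/transfers 73400320
2017-08-15T09:09:10Z dave 10.0.1.52 GET https://www.example-news.test/story/1 512
2017-08-15T09:11:30Z bob 10.0.1.34 PUT https://api.dropboxapi.com/2/files/upload 1048576
2017-08-15T09:12:01Z erin 10.0.1.60 POST https://teams.microsoft.com/api/chatsvc/ 2048
"""

# Constructed catalogue: domain suffix -> (app name, sanctioned by policy?).
# Which apps count as sanctioned is a hypothetical policy for this example.
APP_CATALOGUE = {
    "dropboxapi.com": ("Dropbox", False),
    "dropbox.com": ("Dropbox", False),
    "wetransfer.com": ("WeTransfer", False),
    "office365.com": ("Office 365", True),
    "microsoft.com": ("Microsoft Teams", True),
}

# Methods that carry data out of the network (assumption for this example).
UPLOAD_METHODS = {"POST", "PUT"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def classify_host(host):
    """Return (app_name, sanctioned) for a host, or None if it is unknown."""
    labels = host.lower().split(".")
    # Try the most specific suffix first: a.b.c -> b.c (the bare TLD is skipped).
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in APP_CATALOGUE:
            return APP_CATALOGUE[suffix]
    return None


def discover_apps(log_text):
    """Aggregate users, request counts and upload volume per cloud app."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        _ts, user, _ip, method, url, nbytes = m.groups()
        host = urlsplit(url).hostname or ""
        hit = classify_host(host)
        if hit is None:
            continue  # ordinary web traffic, not a catalogued cloud app
        app, sanctioned = hit
        entry = report.setdefault(
            app, {"sanctioned": sanctioned, "users": set(), "requests": 0, "upload_bytes": 0}
        )
        entry["users"].add(user)
        entry["requests"] += 1
        if method in UPLOAD_METHODS:
            entry["upload_bytes"] += int(nbytes)
    return report


def unsanctioned_uploads(report, min_bytes=1):
    """Apps outside policy that data is leaving the network for, largest first."""
    rows = [
        (app, entry)
        for app, entry in report.items()
        if not entry["sanctioned"] and entry["upload_bytes"] >= min_bytes
    ]
    return sorted(rows, key=lambda row: row[1]["upload_bytes"], reverse=True)


if __name__ == "__main__":
    found = discover_apps(PROXY_LOG)
    for app, entry in sorted(found.items()):
        status = "sanctioned" if entry["sanctioned"] else "UNSANCTIONED"
        print(f"{app:16} {status:13} users={sorted(entry['users'])} "
              f"requests={entry['requests']} uploaded={entry['upload_bytes']} bytes")
    print("\nFollow up with these users first (data leaving the network to apps outside policy):")
    for app, entry in unsanctioned_uploads(found):
        print(f"  {app}: {sorted(entry['users'])} ({entry['upload_bytes']} bytes)")
```

    The output ranks unsanctioned apps by upload volume, which matches the advice in the text: start the conversation with the users who are actually moving data to apps outside policy, and decide whether the app should be brought inside the security infrastructure or replaced. A real deployment would take the app catalogue from a maintained source rather than a hand-written dictionary and would read logs from the firewall or proxy export rather than a string.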
    ISO 27001 and GDPR
    The General Data Protection Regulation, which comes into force in May 2018, will require organisations to know precisely where their data is stored. The unauthorised use of cloud storage solutions could result in organisations being unable to track exactly where their data flows, leading to them being considered non-compliant. This could leave companies open to fines of €20M or 4% of global turnover, whichever is greater. This highlights the need for Irish organisations to tackle shadow IT tendencies sooner rather than later.
    Using solutions like CAS can be a powerful and effective way of uncovering the movement of data from your network to cloud services. Following the initial discovery, organisations should continue to use CAS to perform their due diligence, to regain control over their data flows and ensure ongoing governance and information protection.
    A good approach to ensuring GDPR compliance is to employ an overarching framework such as ISO27001 to ensure information security best practices are in place from an early stage. Striving to adhere to a standard such as ISO27001 will help you to uncover and effectively deal with shadow IT practices that exist in your organisation.
    Acting now and taking the right approach can not only help you to identify software that may benefit your organisation, but also help you to take the initial steps towards GDPR compliance.
    Ward Solutions can help companies to tackle cloud shadow IT practices, using Microsoft Cloud App Security to regain control of the software being used from their networks. Ward’s expert team also provides comprehensive consultancy to help Irish organisations become ISO27001 and GDPR compliant. E-mail cloud@ward.ie to find out how we can help you.

    Insights

    WEBINAR ALERT: Awareness, Discovery and Control of Cloud Service…

    Ward Presents: Awareness, Discovery and Control of Cloud Service Usage

    When and where?

    Start: 4:00 PM, 15/08/2017
    End: 4:30 PM, 15/08/2017 (GMT)

    Missed it? The session was recorded.

    Do you know what the hidden threat is at the heart of many organisations?

    It’s called shadow IT!

    Let’s explain this in the simplest way possible.

    Shadow IT refers to the implementation and utilisation of IT solutions and platforms without any organisational authorisation.

    The growth of cloud services combined with business drivers of mobile workforces and greater collaboration within and between organisations has added a different set of challenges like data governance and control issues for organisations. The ease in which a user can adopt a cloud service, usually at limited or no cost and without the need to install software except a browser, means we are faced with likely scenarios that cloud services which haven’t been vetted or authorised by the organisation, are in use within our networks. This poses a significant risk, if this usage is undetected and unmanaged, especially if users are utilising cloud services for storage, sharing or processing of data, which may be in direct conflict with your information security policies. It may result in exposure of sensitive data to unauthorised audiences.

    It’s worth noting that adoption of these unauthorised services is usually for non-malicious reasons, driven by the needs of the user to increase efficiency, be more productive or as a work around to perceived organisational blockers to their tasks.

    A simple example: I need to get a file to a customer, and it is larger than the limit allowed by our email service. We don’t have a business file sharing service, so I will copy the file to a public cloud storage service that I happen to have a personal account with, and share the file from there.

    Problem solved for the member of staff!

    Problem created for the organisation!!!

    • What data is in the file & how sensitive is it?
    • Who else can access it now?
    • How long will it stay up there?
    • We have no control over the cloud service or the file, what do we do?

    According to our recent survey, in which we interviewed 170 senior IT decision makers, 72% of them believe that the explosion of cloud services has led to shadow IT becoming an issue for a number of organisations. Our experience is that organisations don’t have adequate assessments and controls in place to prevent shadow IT, which leads to risks and incidents that ultimately affect your organisation’s reputation.

    We think it’s important to give you a heads-up about this crisis, and that is why we bring you one of our experts. In this webinar, Allan Cahill, head of secure identity and information solutions, will explain Shadow IT, how the risks associated with it can impact your business, and how to manage these risks.
      For more information on our cloud security solutions e-mail: cloud@ward.ie