
    The Female Lead at Ward Solutions Ltd

    Written by Marta Smullen (Financial Controller in Ward Solutions Ltd)


    There are a lot of scientific articles out there on women in business: the advantages that women entrepreneurs have over men and the benefit of diversity in a workplace. I cannot possibly write an article of a similar calibre, purely because I am not an expert in this field; I am an accountant, not a business coach or psychologist. I am, however, a woman in business and a member of the Ward Solutions Senior Leadership Team, and over the last 10 years I have gained a lot of experience that I would like to share with you now.

    I will start by pointing out how important it is to find the right workplace: a workplace that will appreciate women, their strengths and capabilities, and give them an opportunity to prove themselves. Look for a workplace that recognises the importance of diversity in all positions, including leadership positions. When making decisions, whether day-to-day or long-term strategic ones, a diversity of inputs ensures most bases are covered and all options are explored.

    I have worked with so many talented people, men and women, and a person’s knowledge, expertise and ability should be the most important factors. In a successful company, it is important to develop an environment where gender is irrelevant, yet at the same time the diversity between men and women is respected.
    Women are particularly good at decision making; we are solutions-based, we explore the possibilities rather than focusing on problems. We have a lot to say (yes, some of us like to talk! – including myself) but if we are listened to, we prove that what we say is worth listening to.

    Recently, while driving to work, I listened to a radio interview with a businesswoman. I cannot remember who it was, but she said something that stuck with me: ‘It is not about making the right decision, it’s about making a decision, as often there is no such thing as a right or wrong’. This is so true. When I joined the SLT I realised how many decisions need to be made on a daily basis, with no right or wrong answer to them… and to be honest I found that women are more likely to make those decisions faster; we stay focused, simply assess the pros and cons and come up with solutions, we are risk takers. And when there is no clear evidence of what should be done, we follow what we call WOMEN’S INTUITION (Yes! Women’s intuition exists! And as an accountant I would qualify it as an intangible asset – 100% an asset).

    Women are good at networking. Those small chitchats in the canteen do help to build strong working relationships. Women tend to ask their colleagues questions that a man would never ask. For sure, I know the names of most of my colleagues’ kids and their spouses, and what they do. One might say it’s nosey, but I don’t agree; I think there is more to a person than a number, and how would I know how best to approach a difficult situation with a colleague if I didn’t know who they are?

    Sometimes in society (although this is really changing for the better recently) women are seen as the weaker ones (physically and emotionally). Well, let me tell you… I have not met a man yet who could handle a difficult pregnancy and the pain of labour. There is a reason why nature assigned this task to women! The women that I have worked with to date have shown that we can be just as formidable and can handle just as much as men can.

    More and more companies are working towards diversity in the workplace. Once again, I would stress the importance of finding the right workplace. If you are a woman and you work in an environment where you feel underappreciated… run as fast as you can and find a company that values you and your expertise.

    I found it here in Ward.

    Facts about Ward Solutions Ltd
    At Ward Solutions 67% of our sales team and 40% of our Senior Leadership Team are women, contributing to a 29% female share of our overall workforce. This is good representation considering IT is traditionally a male-dominated industry. Ward is very invested in promoting a diverse workforce and encourages women to join the team.
    Many young women worry about starting a family and how that will impact their career. While working for Ward Solutions, when I was pregnant, I got promoted to the position of Finance Manager. Straight after coming back from maternity leave, I was offered the position of Financial Controller and took over full responsibility for the finance function of the whole company, despite the fact that (as any parent would know) small kids get sick often and need a lot of your attention. But, as they say, women can multitask!


    To finish, I wanted to add some motivational quotes; the below highlight what I think is the essence of a good work ethic:

    “I never dreamed about success. I worked for it.” – Estee Lauder
    It is all about hard work. Sometimes as women, we need to work harder but in the right company with the right people, hard work will be noticed!

    “Failure is not attached to outcome, but to not trying. This way, it is about answering to yourself.” – Sara Blakely
    The only person who makes no mistakes is the person who does nothing. I have met those people; they didn’t get too far! So keep on trying, it will be worth it…!!!

    ‘Nothing is impossible, the word itself says I’m possible’- Audrey Hepburn
    Let us leave it at that, Audrey you said it all…


    If you’re interested in working at Ward Solutions, feel free to check out our careers page for open opportunities https://www.ward.ie/careers/ and keep up to date with our openings via LinkedIn https://www.linkedin.com/company/ward-solutions/

    News

    Split Tunneling: Does it all lead to endpoint security?

    Written By: Eduardo Elvira


    When this pandemic started, back in February, we experienced an overwhelming change in how we live our lives. Consequently, I couldn’t help but contemplate how these changes would impact cybersecurity, especially remote working. I found myself re-thinking concepts like split tunneling and the different options for its configuration. While it seems all clients will have their own unique requirements, the same conclusion applied to all of them: “All roads lead to Endpoint Security”.

    Let’s expand on this…

    In order to do that, I need to explain split tunneling: when a user is working from home, split tunneling allows us to specify which traffic goes out directly to the internet and which traffic is tunneled back to the company. Different vendors have different “VPN agents”, but they are becoming much more than Virtual Private Network (VPN) agents. For now, let’s just focus on that functionality. The agent makes use of Windows routes to specify which destinations should be tunneled. All of this is usually configured at the HQ firewall, allowing granular configurations based on users, departments etc. It provides great flexibility, allowing us to include even FQDNs, but the major advantage is that it sanitises the traffic which goes through the tunnel, using the different security features that we have back at the office: Antivirus, Content Filtering, Sandboxing, IPS, SSL Inspection, etc.
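    Because the agent expresses the split-tunnel policy as ordinary Windows routes, an administrator can verify what the endpoint is actually doing, rather than what the firewall policy says it should do. The following is an added example and is not from the original post or from any VPN vendor: it reads the route table with the NetTCPIP cmdlets, reports whether the VPN adapter carries a default route (full tunnel) or only specific prefixes (split tunnel), and asks Windows which interface a given destination would leave on. The interface alias “Corp VPN” and the test addresses are placeholders.

```powershell
# Added example, not from the original post. Assumes Windows 8 / Server 2012 or later
# (Get-NetRoute / Find-NetRoute) and that the VPN virtual adapter is identified
# by an interface alias you supply; 'Corp VPN' below is a placeholder.

function Get-TunnelMode {
    param(
        [Parameter(Mandatory)] [string] $VpnInterfaceAlias
    )

    # All IPv4 routes that point at the VPN adapter. A split-tunnel agent injects
    # specific prefixes (e.g. 10.0.0.0/8); a full-tunnel agent injects 0.0.0.0/0,
    # or the 0.0.0.0/1 + 128.0.0.0/1 pair some clients use to outrank the LAN default.
    $vpnRoutes = Get-NetRoute -AddressFamily IPv4 -ErrorAction Stop |
        Where-Object { $_.InterfaceAlias -eq $VpnInterfaceAlias }

    if (-not $vpnRoutes) {
        return [pscustomobject]@{ Mode = 'NotConnected'; TunneledPrefixes = @() }
    }

    $defaultLike = $vpnRoutes | Where-Object {
        $_.DestinationPrefix -in '0.0.0.0/0', '0.0.0.0/1', '128.0.0.0/1'
    }

    [pscustomobject]@{
        Mode             = if ($defaultLike) { 'FullTunnel' } else { 'SplitTunnel' }
        TunneledPrefixes = @($vpnRoutes.DestinationPrefix | Sort-Object -Unique)
    }
}

function Test-DestinationTunneled {
    param(
        [Parameter(Mandatory)] [string] $RemoteIPAddress,
        [Parameter(Mandatory)] [string] $VpnInterfaceAlias
    )

    # Find-NetRoute returns the source address object and the matching route;
    # only the route object carries DestinationPrefix, so filter on that.
    $route = Find-NetRoute -RemoteIPAddress $RemoteIPAddress -ErrorAction Stop |
        Where-Object { $_.DestinationPrefix }

    [pscustomobject]@{
        Destination = $RemoteIPAddress
        Via         = $route.InterfaceAlias
        Tunneled    = ($route.InterfaceAlias -eq $VpnInterfaceAlias)
    }
}

# Usage (alias and addresses are placeholders): which mode are we in, and does an
# internal address go through the tunnel while a public one goes straight out?
Get-TunnelMode -VpnInterfaceAlias 'Corp VPN'
'10.20.30.40', '93.184.216.34' | ForEach-Object {
    Test-DestinationTunneled -RemoteIPAddress $_ -VpnInterfaceAlias 'Corp VPN'
}
```

    Run it on a connected client and compare the prefixes with the firewall's split-tunnel policy for that user group; a destination that is expected to be inspected at HQ but reports Tunneled = False is exactly the traffic the rest of this post is about.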

    Hold on… but what happens with all the traffic that doesn’t go back through the tunnel? What if the user downloads malware that captures information and sends it to the C&C? What if the user receives a link to a phishing web page? What if…. Well, that is the first consideration. We need to ensure that this traffic is protected, somehow. Let’s be more specific about some of the options we have:

    • Some endpoint security software could protect all that traffic that is not tunneled. This software could implement similar security functionalities as our Firewall back at the office. As you can guess, these are some of the other functionalities that the “Endpoints Agent” can now help with.

    • Web proxy technologies are perfect to protect web browsing from different security threats. Ok, but we are talking about remote users working from home – not a problem, let’s put the web proxy in the cloud!

    Different security vendors use their endpoint agents to send the internet traffic to their web proxies in the cloud, while company traffic is still tunneled through the VPN.

    In my opinion both options work well to solve the current challenges we are facing; using one or the other will depend on the infrastructure currently in place and the cloud approach of the organization.
    Independent of the option you go for, visibility is key. With all users working remotely, security administrators need to have a clear idea of what is happening on the company computers, whether they are connected onsite or working from home. At the same time, we need to be able to respond to any breach and suspicious alerts, but EDR is a topic for a different day.

    You could be using either a management console on the cloud or providing visibility to the endpoint agents through the DMZ with an on-premise solution, but in either case, integrations with your company SIEM will be important.

    You might be thinking – those are two solutions for the main issue of having traffic going directly to the internet… but what if we tunneled all the traffic to the office, so we can use the company protections we already invested in? Problem solved! That is actually a valid solution, but unfortunately not all companies will be able to implement it, mainly due to bandwidth limitations. All users’ internet traffic tunneled back through the company firewall will have an impact on the firewall performance and on the bandwidth of the internet line. Keep in mind that inbound traffic will increase, since tunneled traffic first arrives through the external interface, passes the firewall security checks, goes back out to the internet, and the response comes back again to the remote users through the same port.

    What about using the secondary internet line (if available) to receive the remote users’ tunnel traffic, and the primary to send the traffic to the internet? Personally, I’ve never seen it implemented; it is just an idea which came to me while writing this blog. We can still find a bottleneck in the main internet line, but I think it could be useful in some specific scenarios… some food for thought.

    We cannot forget the main purpose of the VPN client: whether it uses SSL VPN (I like to call it TLS VPN now, but anyway…) or IPsec VPN, it is to protect and encrypt traffic. Both “protocols” are considered very secure, mainly because the ciphers they use are constantly evolving and improving. That means that they need to be configured properly, disabling the insecure ciphers etc.

    • If the VPN protocols are very secure, there is not much risk to consider with our users working from home, right?

    VPN protocols themselves are very secure and, if configured properly and maintained, their risks are easily managed. Saying that, using laziness to their advantage, an experienced bad actor would rather avoid attacking the strong defences and focus on identifying the weak points… in this case, the endpoint itself and its applications.

    No matter which angle I look at this topic from, everything brings me back to endpoint security and its visibility.

    At Ward Solutions we can help to maintain your VPN configuration securely and mitigate the risks. We can discuss the best options for your organization and provide the solutions not just for remote access but also for endpoint protection.

    As always, Ward Solutions will continue to Assess, Protect, Detect & Respond to your cyber security needs. If you need to contact Ward Solutions on any matter, then:

    Contact your normal account manager for sales or sales@ward.ie
    Contact our orders department at orders@ward.ie
    Contact our service delivery office at servicedeliveryoffice@ward.ie
    Contact our Security Operations centre at SOC@ward.ie
    Contact our Network Operation centre at NOC@ward.ie
    Contact our finance department at Finance@ward.ie


    News

    Tips and Tricks for securing users as they use…

    Written By: Eoin Morrissey


    Many companies have gone through, or are planning to go through, digital transformations to the cloud, and moving to Microsoft 365 (M365) is often a key part of the journey.
    Microsoft provides all the controls to effectively secure these environments, but these security controls are not always implemented, and in making the transition there is also a risk that the solutions are not as secure as they could be.

    Some tips and tricks for securing users as they use M365 are as follows:

    1. Multifactor Authentication
    Using multi-factor authentication is one of the easiest and most effective ways to increase the security of your company. When users log in, multi-factor authentication means they must also type a code from their phone to get access to Microsoft 365. This can prevent hackers from taking over an account, even if they get the user’s password.

    2. Use dedicated admin accounts
    The administrative accounts you use to administer your Microsoft 365 environment are valuable targets for hackers and cyber criminals. Use admin accounts only for administration. Admins should have a separate user account for regular, non-administrative use and only use their administrative account when necessary to complete a task associated with their job function.

    3. Train your users
    As with any new tool, companies must adequately prepare and train their staff on usage of the tool. It is vital that this includes security awareness training in order to protect companies from things such as phishing. Phishing is a large attack vector for hackers today, for example:
    • 90% of security breaches are caused by Phishing
    • 30% of phishing messages get opened by targeted users

    4. Raise the level of protection against malware in mail
    Your Microsoft 365 environment includes protection against malware, but you can increase this protection by blocking attachments with file types that are commonly used for malware.

    5. Protect against ransomware
    Ransomware restricts access to data by encrypting files or locking computer screens. It then attempts to extort money from victims by asking for “ransom,” usually in form of cryptocurrencies like Bitcoin, in exchange for access to data.
    You can protect against ransomware by creating one or more mail flow rules to block file extensions that are commonly used for ransomware, or to warn users who receive these attachments in email. A good starting point is to create two rules:
    • Warn users before opening Office file attachments that include macros. Ransomware can be hidden inside macros, so this will warn users to not open these files from people they do not know.
    • Block file types that could contain ransomware or other malicious code. You can start with a common list of known executables. If your company uses any of these executable types and you expect these to be sent in email, add these to the previous rule (warn users).

    6. Stop auto-forwarding for email
    Hackers who gain access to a user’s mailbox can exfiltrate mail by configuring the mailbox to automatically forward email. This can happen even without the user’s awareness. You can prevent this from happening by configuring a mail flow rule.

    7. Protect your email from phishing attacks
    If you’ve configured one or more custom domains for your Microsoft 365 environment, you can configure targeted anti-phishing protection. ATP anti-phishing protection can help protect your organization from malicious impersonation-based phishing attacks and other phishing attacks. If you haven’t configured a custom domain, you do not need to do this.
    We recommend that you get started with this protection by creating a policy to protect your most important users and your custom domain.

    8. Protect against malicious attachments and files with ATP Safe Attachments
    People regularly send, receive, and share attachments, such as documents, presentations, spreadsheets, and more. It’s not always easy to tell whether an attachment is safe or malicious just by looking at an email message. Office 365 Advanced Threat Protection includes ATP Safe Attachment protection, but this protection is not turned on by default. We recommend that you create a new rule to begin using this protection. This protection extends to files in SharePoint, OneDrive, and Microsoft Teams.
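    Tips 4 to 8 are all configurable from the Microsoft 365 admin portals, but they can also be applied and audited from Exchange Online PowerShell, which makes them repeatable across tenants and easy to review. The script below is an added example and is not from the original post or from Microsoft: it creates the two anti-ransomware mail flow rules (warn on macro-enabled Office attachments, block executable attachment types), blocks automatic forwarding to external recipients and lists mailboxes that already forward, creates a targeted anti-phishing policy for named users and the custom domain, and turns on Safe Attachments including the SharePoint, OneDrive and Teams extension. It assumes an existing Connect-ExchangeOnline session with sufficient rights; the domain, addresses, display names and file-type lists are placeholders to adjust for your organisation.

```powershell
# Added example, not from the original post or from Microsoft's documentation.
# Assumes: Connect-ExchangeOnline has already been run with an admin account,
# and the tenant has the ATP / Defender for Office 365 features the post refers to.
# All domains, addresses and names below are placeholders.

$Domain     = 'contoso.example'                       # placeholder custom domain
$Executives = @('Chief Executive;ceo@contoso.example', # "DisplayName;address" pairs
                'Finance Controller;fc@contoso.example')
$SecOpsBox  = 'secops@contoso.example'                # placeholder redirect mailbox

# Tip 5, rule 1: warn users about macro-enabled Office attachments.
# Placeholder starting list of macro-enabled Office extensions; extend to suit.
$MacroTypes = 'docm','dotm','xlsm','xltm','xlam','pptm','potm','ppam','ppsm','sldm'
New-TransportRule -Name 'Anti-ransomware: warn on macro-enabled Office files' `
    -AttachmentExtensionMatchesWords $MacroTypes `
    -PrependSubject '[Caution: attachment contains macros] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText 'This message has an Office attachment that contains macros. Do not open it unless you know and trust the sender.' `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Tip 5, rule 2 (and tip 4): block attachment types commonly used to deliver malware.
# Placeholder starting list; if your business legitimately emails one of these,
# move that extension to the warn rule above instead of deleting the block rule.
$BlockedTypes = 'exe','scr','pif','com','bat','cmd','js','jse','vbs','vbe','wsf','wsh','hta','msi','lnk','reg'
New-TransportRule -Name 'Anti-ransomware: block executable attachment types' `
    -AttachmentExtensionMatchesWords $BlockedTypes `
    -RejectMessageReasonText 'The attachment type is not permitted by company policy.'

# Tip 6: stop mailbox rules and forwarding settings from auto-forwarding outside the tenant.
New-TransportRule -Name 'Block external auto-forwarding' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external addresses is not permitted.'

# Tip 6, audit: the rule blocks future forwards; also review what is already configured.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Tip 7: targeted anti-phishing protection for key users and the custom domain.
New-AntiPhishPolicy -Name 'Targeted protection - executives and domain' `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $Executives `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect $Domain `
    -EnableMailboxIntelligence $true `
    -TargetedUserProtectionAction Quarantine `
    -TargetedDomainProtectionAction Quarantine
New-AntiPhishRule -Name 'Targeted protection - executives and domain' `
    -AntiPhishPolicy 'Targeted protection - executives and domain' `
    -RecipientDomainIs $Domain

# Tip 8: Safe Attachments is not on by default; create a policy and scope it to the domain,
# then extend detonation to files in SharePoint, OneDrive and Teams.
New-SafeAttachmentPolicy -Name 'Safe Attachments - all users' `
    -Enable $true -Action Block -Redirect $true -RedirectAddress $SecOpsBox
New-SafeAttachmentRule -Name 'Safe Attachments - all users' `
    -SafeAttachmentPolicy 'Safe Attachments - all users' `
    -RecipientDomainIs $Domain
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Verify what now exists before signing off the change.
Get-TransportRule | Where-Object { $_.Name -like 'Anti-ransomware*' -or $_.Name -like 'Block external*' } |
    Select-Object Name, State, Priority
```

    The warn rule is deliberately ordered before the block rule so that an extension moved from the block list to the warn list still gets the warning banner; check the resulting priorities in the final listing and adjust with Set-TransportRule -Priority if your tenant already had rules ahead of them.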


    News

    Microsoft Teams is not just fire and forget, do…

    Written By: Richard Eyres


    In the current environment, with so many people working from home, the value of a collaborative videoconferencing tool such as Microsoft Teams has never been greater. Microsoft Teams adoption is exploding with 500,000 organizational users, 13 million active daily users, and 19 million weekly active users. The ability to continue communicating in a (virtually) face-to-face manner has been a major factor in the success of so many businesses quickly transitioning to new working practices. As always though, there are security concerns that need to be addressed and correctly configured to ensure that these communications are not being broadcast outside of your organisation, either through accidental misconfiguration or by a malicious bad actor. Here are 3 potential security threats and some simple steps that can be taken to counteract them.

    1. Teams Bombing
    Teams bombing is when a person who was not intentionally invited to the Teams call joins the call. This has been more common with some other popular videoconferencing services, but could potentially happen with Teams also if the meeting link is shared publicly. A simple method to prevent this is to implement the “Lobby” feature within Teams. With this feature, all users outside of the organisation who are joining the call need to be admitted to the call by a user within the organisation. This, of course, still relies on employees only admitting users that are expected on the call, which brings us to our next threat…

    2. Security Awareness (or lack thereof)
    As with any new tool, organisations must adequately prepare and train their staff on usage of the tool. It is vital that this includes security awareness training. For many organisations, Teams is a new communications channel which inherently brings new communications risks and old risks but through a new medium, such as phishing and vishing (video phishing).
    Vishing is when a bad actor uses verbal communication to impersonate a reputable company. The aim is to manipulate individuals into revealing financial or personal information, or into providing unlawful access to their corporate networks. Simple steps can help to mitigate this threat such as defining acceptable usage policies and providing targeted security awareness training (e.g. check who you are admitting from the Lobby).

    3. Internal Data Sprawl
    With the advent of GDPR and other similar data protection regulations, organisations have become much more conscious of unnecessary data duplication and having full visibility of what data is being stored and where it is being stored. With Teams allowing for easy sharing of files and data, users may be tempted to share files on Teams which will then remain stored in that Teams channel and this may contravene the organisation’s GDPR policies and procedures. This can be exacerbated further by users creating their own Teams or Channels that may be used for a single use or may be duplicates and may then be forgotten about but contain files. This sprawl can contravene policies, regulations and may increase the threat profile for the organisation. Sharing links to files rather than the files themselves is a simple and effective way to prevent this sprawl.
    Training, refresher sessions on regulations, policies and procedures and tighter permissions on creation of Teams and Channels and file sharing can all be used to battle this threat.
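    Two of the controls recommended above, the Lobby for external participants (threat 1) and tighter permissions on who can create Teams (threat 3), are tenant settings rather than per-meeting choices, and setting them centrally means they cannot be forgotten by an individual organiser. The following is an added example, not from the original post or from Microsoft: it applies the lobby policy with the MicrosoftTeams module and restricts Microsoft 365 group creation (which is what creating a Team does) to members of one security group using the AzureAD module's Group.Unified directory setting. It assumes both modules are installed and connected (Connect-MicrosoftTeams and Connect-AzureAD), and the group name is a placeholder.

```powershell
# Added example, not from the original post. Assumes the MicrosoftTeams and AzureAD
# PowerShell modules are installed and you are connected to both with admin rights.
# 'Teams Creators' is a placeholder security group name.

# Threat 1 (Teams bombing): only people in the organisation bypass the lobby; everyone
# else, including anonymous link-clickers, waits to be admitted, and anonymous users
# cannot start a meeting on their own. Applied to the Global (org-wide) meeting policy.
Set-CsTeamsMeetingPolicy -Identity Global `
    -AutoAdmittedUsers 'EveryoneInCompany' `
    -AllowAnonymousUsersToStartMeeting $false

# Threat 3 (internal data sprawl): restrict Microsoft 365 group creation, and therefore
# Team creation, to the members of one security group so Teams are created deliberately.
$AllowedCreators = Get-AzureADGroup -SearchString 'Teams Creators'   # placeholder group

# The Group.Unified setting may not exist yet in the tenant; create it from its template
# on first use, then reload it so we hold the stored copy rather than the template.
$Setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $Setting) {
    $Template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    New-AzureADDirectorySetting -DirectorySetting $Template.CreateDirectorySetting() | Out-Null
    $Setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
}

$Setting['EnableGroupCreation']         = 'False'
$Setting['GroupCreationAllowedGroupId'] = $AllowedCreators.ObjectId
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

# Verify both changes took effect.
Get-CsTeamsMeetingPolicy -Identity Global |
    Select-Object AutoAdmittedUsers, AllowAnonymousUsersToStartMeeting
(Get-AzureADDirectorySetting -Id $Setting.Id).Values
```

    The group-creation restriction only governs who can create new Teams; it does nothing about the sprawl that already exists, so pair it with the training and periodic review of ownerless or inactive Teams that the post recommends.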


    News

    COVID19 and Cyber Security Analogies

    Written By: Pat Larkin, CEO, Ward Solutions


    In cyber security the healthcare analogy has been apt and used widely for over 25 years. In both sectors we use terms like “virus”, “isolation”, “outbreak”, “remediation”, “anti-virus”, “mitigation”, “payload”, “immunity” and “self-healing” for different circumstances with very similar characteristics in public health and Information Technology. It’s timely and useful to look at the analogies between the outbreak, impact and mitigation of COVID19 and their application to Information Technology and Cyber, and vice versa.

    1. A stitch in time saves 9
    COVID19 has been described as a “game changer” and “a once in 100 years pandemic”. The emergence of such a pandemic has been a mathematical certainty, predicted by a number of sage people in healthcare, technology, academia and public policy over the last 30 years or more, not least Bill Gates in his TED talk in 2015 https://www.youtube.com/watch?v=6Af6b_wyiwI. The only unknowns were how and when it would occur and its exact nature. The impact of COVID19 to date has been huge, not just in terms of the number of people who have been or are likely to be infected or die, but also the downstream economic and societal impacts of responding to COVID19 and containing its spread. This is where the most relevant analogy can be drawn. As in cyber security, there have been lots of indicators and warnings – SARS, MERS, Ebola, WannaCry, NotPetya. There is certain knowledge that these outbreaks will occur. There is knowledge from previous outbreaks and from current societal trends (globalisation, mass transport and air travel, population densities, digital transformation and dependency) as to their potential impact. This Wired article from 2018 is very informative about the near-pandemic nature and impact of NotPetya: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/. Once an outbreak occurs there is limited time to contain it. If it is not contained it spreads to pandemic levels, with mass impact. Despite all of that, society, its leaders and C-suites deem that the upfront investment in resources to detect and rapidly manage such an outbreak need not be put in place, or allow it to deteriorate on their watch. This limits the time, capability and effectiveness of the response and prolongs the duration and impact of the event once it occurs. Also, when resources are not in situ, it leads to aggravated competition for resources where lots of organisations or countries are affected.

    Call to Action: It’s not “if” but “when” – so make the upfront investment now in a security risk assessment and security strategy to put in place the resources to identify, protect, detect, respond and recover. Put in place the management, maintenance and governance regimes to sustain this system, such as ISO27001.

    2. Competition for resources and investment
    Healthcare and IT budgets, and thus cyber security budgets, have been stretched for as long as I can remember: seasonal trolley crises, expanding waiting lists for both lifesaving and non-acute procedures. Balancing the economics and ethics of providing expensive treatments for niche diseases, or prolonging life vs quality of life and the greater good, has always been fraught. Competing demand for investment in business, housing, healthcare, education and policing leads to underinvestment in all – particularly if tax cuts are on top of the political agenda. In technology, CFOs often view IT as a cost (and thus cyber security as the ultimate cost!) instead of viewing it as a critical service that enables digital transformation of the business. The battle between minimising the cost of cyber security and the need to invest appropriately to secure the digital channel has been waged for as long as I have worked in the technology sector. Similarly to the macroeconomic tax cut argument, if the approach to cyber security is met by the relentless push for profits through cost management, then investment in these areas will usually not be what is required. This means that you will not be ready when the inevitable occurs. The cost of containment and cleanup is usually far greater than the cost if the original investment is made. In a lot of cases your organisation doesn’t survive longer than 6 months post a serious cyber security incident.

    Call to action: Be brave, make the case for IT and Cyber Security in a rational and data driven way. Use tools like an Organisational Risk Assessment or a Cyber Maturity Assessment to build your business case. Find the balance of resources to secure and sustain the systems that sustain your organisation. Digital is now a critical infrastructure and channel for virtually all nation states and organisations. Outsource cyber security skills and services allowing you to concentrate on core business.

    3. Intelligence and data means effective response
    As COVID19 spreads, the latest country to be infected has the advantage of learning, via the World Health Organisation (WHO) or through multi-lateral collaboration and knowledge sharing, the symptoms, the at-risk populations, the containment and treatments that are more effective, the restoration to “normalisation” protocols that work, etc. Through intelligence sharing, collaboration and coordination through organisations such as the WHO, and correct use of this intelligence, each subsequent regional outbreak should have less impact or duration than the previous one. Prevention or treatment strategies can be developed in parallel, again with collaboration and information sharing. Similarly, in Technology and Cyber, the provision and correct use of high quality intelligence should help downstream organisations prevent or minimise the impact of a cyber-event on their organisation. Coordination and collaboration should similarly lead to the rapid development and normalisation of prevention or immunity strategies.

    Call to action: Subscribe to, use and contribute to appropriate and actionable intelligence sources. Integrate intelligence with your automation. Agitate and contribute towards creation of the “WHO” of cyber. If you are a cyber-player or a cyber-dependent join an industry cluster organisation such as cyber Ireland www.cyberireland.ie.

    4. Inventory, diagnostics and testing
    If you can’t measure the problem then you don’t know if it needs fixing, or what you need to do to fix it. In the absence of prevention (immunisation) we have seen the race for rapid and accurate testing in order to contain the COVID19 problem and apply the fix of isolation (and treatment if needed) to the infected, to stop further spread. With limited testing capacity, decisions need to be made as to who to test – symptomatic people only, or symptomatic people plus those in recent contact with them, and perhaps sampling of higher risk populations. If and when a prevention is available then presumably it will need to be rolled out on a prioritised basis to those at highest risk – healthcare workers, immuno-compromised individuals etc. Knowing who these groups are is important to direct limited prevention or treatment resources. The use of data and analytics by the healthcare sector to measure and validate COVID19 status and the impact of remediation is also notable. Similarly, in IT and Cyber, prevention is not 100% effective. Therefore, excellent diagnostics and testing allow an inventory of resources at risk, the rapid assessment of what or who is vulnerable, the prioritised treatment or mitigation of at-risk resources, the early detection of an outbreak, and the ability to measure containment effectiveness and restoration to normal health and immunity.

    Call to action: Invest in your inventory of critical information assets and risk classifications. Use Risk Assessments, Vulnerability Management and Penetration Testing to determine at-risk systems, for targeted application of prevention or mitigation to highly vulnerable, high impact resources first and on a prioritised basis thereafter. Use diagnostics such as SIEM and IPS/IDS to detect outbreaks as soon as possible. Back this up with effective incident response capabilities to reduce your exposure time, isolate outbreaks and minimise your time to recovery. Use automation and AI to help manage your workload.

    5. For all bugs, fixes, earlier is better and cheaper
    In healthcare and IT – we all know the data – a patient or a network starts with a niggling pain, temperature or some other indicator which, if it remains unaddressed, ends up with a far costlier impact and treatment plan and far poorer outcomes. We have seen COVID patients presenting late to A&E with acute symptoms needing prolonged ICU and ventilator care. We have seen patients with symptoms not being detected early enough and becoming super-spreaders as a result of prolonged contact and exposure to other parties. We have seen late diagnosis or interventions resulting in poorer outcomes in terms of recovery. Similarly, in technology, bugs or misconfigurations typically cost 6 times more to fix during deployment or implementation than had they been identified and fixed during the design phase. Too many times Ward’s penetration testing team have been asked to penetration test a system in the final weeks before go-live, or just on go-live, having had no involvement in the system earlier in the lifecycle. Usually the issues found are of such magnitude and volume that they jeopardise the customer’s go-live timetable, resulting in a flurry of costly fixes and a sub-optimal go-live decision based on risk profile.

    Call to action: Get security involved as part of your project team at the earliest point possible in your SDLC. Change your philosophy from Systems Development Lifecycle (SDLC) to SSDLC (Secure Systems Development Lifecycle), or from DevOps to SecDevOps. Perform secure design reviews at the design stage, and security test and validate throughout the lifecycle, both pre- and post-production. Adopt frameworks and principles such as security by design, privacy by design and the OWASP Top 10.

    6. A risk based approach
    Accepting that 100% prevention of COVID19 or cyber security incidents is not possible right now, that nobody has infinite budgets, and that we cannot shut down society, the economy or your digital infrastructure, we need to move to a “risk based approach”. It’s a numbers game based on a systemic approach to risk assessment and risk mitigation planning, getting to the point of “an acceptable level of risk”. This risk based approach is guiding our public health response to COVID and our policies. People might argue that our public health approach is too risk averse, does not balance the other factors such as economic risks, mental health risks, and health risks from the lack of normal healthcare activities in terms of management of other diseases and symptoms etc., and needs to be rebalanced. Similarly, this approach should guide our approach to Information and Cyber security. It is not possible to have zero risk. It is possible to balance and weigh actual risk and determine acceptable risks to your organisation, backed up by data, testing and good risk mitigation strategies addressing people, process and technology risks and controls.

    Call to action: Adopt a systematic risk-based approach to cyber security, continuously re-balanced against acceptable levels of risk with workable controls. Consider starting with something like an organisational risk assessment and the implementation of an appropriate ISMS such as ISO27001.

    7. Necessity is the mother of invention
    The response to COVID19 in the healthcare sector has seen incredible innovation and transformation. A&E queues have disappeared overnight. A sector fraught with industrial relations tensions, public v private tensions and difficult working practices has united and delivered an incredible response of heroism and output to stem the COVID19 crisis. Pharmaceutical and life science companies, sector frontline workers, academic and research communities and volunteer groups have all coalesced to produce open source ventilators, tests and possible vaccines, at a point where perhaps the shackles of traditional approaches, cost structures, regulation and decision making have been removed by a common goal to address the COVID crisis, save lives and find a cure/vaccine. In the technology sector, COVID19 has been credited with driving organisations to implement 2 years’ worth of laborious digital transformation in 2 months, based on necessity and survival. Businesses are transforming their business models, routes to market and even product, service and manufacturing strategies. Gin companies are producing sanitising gels, blind companies are producing medical PPE, and traditional event companies are producing virtual events.

    In cyber security we like to think of our sector and ourselves as young, hip innovators. However, for years, in net terms the cyber security sector has been losing the battle to cyber-crime and nation states in terms of volumes of incidents, breaches, data and revenue lost, mounting security costs, etc. Has the sector perhaps become a slave to similar legacy strategies and ways of doing business, tied up in a compliance-based, male, pale and stale world of risk aversion, risk management, conservatism and restrictive working and business practices? Imagine what is possible in the cyber security sector, and what the benefits to our customers would be, if we adopted the medical sector’s approach to innovation in response to COVID19.

    Call to action: The cyber security sector needs to increase the levels of innovation and collaboration focused on protection of society and customers first, rather than protection of intellectual property and legacy business models, driven by the same sort of urgency that the medical sector has experienced, to try and win the battle against COVID19 and cybercrime for the good of society.

    As always, Ward Solutions will continue to Assess, Protect, Detect & Respond to your cyber security needs. If you need to contact Ward Solutions on any matter, then:

    Contact your normal account manager for sales or sales@ward.ie
    Contact our orders department at orders@ward.ie
    Contact our service delivery office at servicedeliveryoffice@ward.ie
    Contact our Security Operations centre at SOC@ward.ie
    Contact our Network Operation centre at NOC@ward.ie
    Contact our finance department at Finance@ward.ie


    Insights

    Is COVID-19 pandemic an end of privacy?

    Written by: Ivica Stipovic


    In this article, I will outline some potential impacts of the current Covid-19 pandemic on privacy.
    There are two interesting provisions that the Irish Data Protection Commission has published at the following link: https://dataprotection.ie/en/news-media/blogs/data-protection-and-covid-19.

    1. “Data protection law does not stand in the way of the provision of healthcare and the management of public health issues; nevertheless there are important considerations which should be taken into account when handling personal data in these contexts, particularly health and other sensitive data.”
    Also
    2. “In circumstances where organisations are acting on the guidance or directions of public health authorities, or other relevant authorities, it is likely that Article 9(2)(i) GDPR and Section 53 of the Data Protection Act 2018 will permit the processing of personal data, including health data, once suitable safeguards are implemented”

    Thus, the above provisions seem to make perfect sense – if the science (epidemiology, mass health data analytics, etc.) has established that measuring body temperature, keeping social distance and tracking the movement of citizens can help contain the current Covid-19 pandemic, then it is only logical to implement those measures. After all, is human health not the most important priority, even if it requires processing of personal data that would be considered excessive under “normal” circumstances?
    It is also reasonable to believe that these surveillance measures should be enforced only to a justifiable extent, and only while the pandemic continues to threaten society.

    However, this intention raises a few important questions – under what circumstances will these measures be kept in place? Who will decide when the threat is decreased sufficiently to relax these measures? Who are the “…other relevant authorities” from the above provision? Will those authorities be scientific advisories, governments, cybersecurity experts, economic analysts…?
    It is becoming obvious that the definitive date when we can proclaim the world a “Covid-19 free zone” will be very difficult to determine. There are different challenges across the globe. In some countries, political establishments seem to overpower scientific advisories. Some countries are facing higher mortality rates than others. Some cultures accept the mandatory behaviour imposed by government more easily than others.

    Democratic values of Western cultures that guarantee protection of personal data (or at least try to do so) could be undermined. Future initiatives and laws might use the threat of a returning pandemic as a justification to fortify extensive personal surveillance over an indefinite period of time.
    These laws might have strong foundations in scientific evidence that Covid-19 behaves as a seasonal flu virus and will therefore continue coming in waves every year. Will such a situation justify violation of privacy over a long period of time, and if so, will this setup be sustainable?

    And even more importantly – are we ready to give up privacy protection if scientific evidence indicates that extensive surveillance is a way to protect peoples’ lives?


    News

    Happy 2nd Birthday GDPR!


    Written by: Ciara Fitzgerald & Declan Timmons

    The GDPR has been two years in force since 25th May 2018, and a very happy birthday to it! It’s debatable whether it has been as noisy as any other two-year-old, but it has certainly had some impact on businesses.
    In the months leading up to the GDPR coming into force, businesses were worried about the potentially heavy GDPR compliance burden and the level of fines that could be levied.

    Mitigating Data Protection Risk under the GDPR and complying with obligations
    One of the core data privacy drivers for the introduction of the GDPR on May 25th 2018 was the requirement to encourage organisations to take responsibility for the security of the personal data shared with them in the course of their business activities. This was intended to have a positive effect on data subjects’ willingness to embrace the digital economy and to drive secure online transactions. This followed a period where huge breaches of personal data were being exposed on an almost daily basis. These data breaches often resulted in considerable risks to the data privacy of the data subjects whose personal data was exposed. It is not entirely clear whether this objective has been achieved (or can ever be fully achieved); however, businesses have taken (and are still taking) steps to make sure that they are complying with their GDPR obligations and minimising their risk.

    While data protection is not a new concept, pre-GDPR there were seldom any consequences for organisations that did not comply with their responsibilities under the Data Protection Acts. As most organisations will know, under the GDPR there are a number of sanctions that can be imposed by the DPC, including:
    • Issuing warnings and reprimands;
    • Imposing a temporary or permanent ban on data processing;
    • Ordering the rectification, restriction or erasure of data, and;
    • Suspending data transfers to third countries.

    However, the sanctions that created the greatest risk for organisations were the significant fines that can be imposed under the GDPR – a maximum of €20 million or 4% of annual global turnover.
    All personal data processing activities present an inherent risk to a business, but there are ways to mitigate that risk. The severity of that risk is heavily dependent on the volume of records involved and the type of personal data processed. This data is processed and stored on various systems. To comply with Article 32 of the GDPR, a risk assessment of these systems should include consideration of the data processed or stored on each specific system. The result of this risk assessment will be the implementation of mitigating controls to reduce these risks. By carrying out this risk assessment, an organisation demonstrates that it has applied technical and organisational controls that are appropriate to the risk.

    The Personal Data Records of Processing activities (ROP) is core to demonstrating an organisation’s compliance with GDPR. Every business must fully understand and document every business process or activity which generates a personal data record. Without this as a foundation, an organisation’s understanding of the extent of its data processing activities is limited and the controls assigned to protect that data are ad hoc at best. A business certainly could not trace a specific mitigating control back to an individual personal data processing business activity, and therefore could not apply controls that are appropriate to the risk.

    The ROP should be used as the organisation’s central reference point when dealing with GDPR compliance: understanding the personal data in scope, protecting that personal data, providing evidence for accountability, and demonstrating compliance on an ongoing basis.
    In addition to the ROP, there are requirements to create and maintain a range of data protection policies and procedures and to ensure all staff are aware of their responsibilities in relation to personal data.
    Under the GDPR, a nominated Data Protection Officer (DPO) is required by public bodies and within certain organisations whose core activities involve the large-scale processing of personal data. Recently there has been a growing trend to outsource DPO responsibility. Often these organisations find it difficult to attract the required experience across technology, data protection and information security that is vital to delivering effective data protection compliance and mitigating data protection risk.

    Fines
    To date, the fines imposed by the European regulators have not been as headline-catching as anticipated. 2019 was really the first year in which the international community saw the GDPR enforcement machine churn out fines. In January, Garante (the Italian regulator) imposed a fine of €27.8 million on TIM (an Italian telecommunications company) for multiple breaches of the GDPR. This was swiftly followed by CNIL (France’s regulator) imposing the largest GDPR fine to date (€50 million) on Google for a lack of transparency, failure to provide users with understandable information on its processing operations, and a lack of a legal basis for processing personal data for advertising purposes.

    The summer months saw the ICO (the UK regulator) proposing to fine British Airways in the amount of £183.9 million and Marriott International in the amount of £99 million. The ICO has delayed the actual enforcement of both of these fines. The latter part of the year saw Austrian Post being fined €18 million for creating profiles of 3 million citizens documenting their personal preferences, addresses, political interests and other information which it then sold to third parties.

    In the latter half of the year, the Berlin Commissioner for Data Protection and Freedom of Information fined a real estate company €14.5 million for breaches in respect of data retention, and the German Federal Commissioner for Data Protection and Freedom of Information imposed a fine of €9.55 million on a telecoms company for failing to take appropriate technical and organisational measures to protect personal data (anyone could access customer information by calling the helpline and giving the name and date of birth of a customer).

    The Data Protection Commission (the DPC) has been the focus of increased scrutiny as the regulator for a significant proportion of the “big tech” companies. There has been some commentary on the lack of fines being issued by the DPC, but it has very recently issued its first two fines for breaches of the GDPR – both of them issued to Tusla (the Child and Family Agency). The first fine was reported to be in the amount of €75,000, but the amount of the second fine has not yet been announced. Both were in respect of wrongful disclosure of personal data. In addition, the DPC has announced that it has completed its inquiry into a data breach sustained by Twitter in November 2018 and has sent a draft report to WhatsApp Ireland in respect of its sharing of information with Facebook and its compliance with Articles 12 to 14 in that respect.

    These are only a flavour of the fines European regulators have imposed for breaches of the GDPR, but they show fines being imposed for a broad spectrum of breaches. It was well publicised that the fines proposed by the ICO arose from external cyber criminality, flagging to companies that it is essential to have appropriately robust cybersecurity systems in place to minimise the risk of being fined. In addition, the fines imposed by the Austrian, German and Irish regulators show the importance of having strong and effective policies and procedures in place, and of following those policies, in order to protect personal data.

    The future of the GDPR
    It must be borne in mind that the GDPR is still only a toddler and, for a law of this depth and breadth, it will take another few years to bed in fully. What is clear is that there is still a lot of “growing” to be done by the GDPR – in terms of its maturity within companies and within their processes, and in terms of its use and enforcement by European regulators. The rest of 2020 will see the decision by the European Court of Justice in the Schrems II case (on the transfers of personal data from the EU to the US) and (presumably) the ramping up of enforcement action by the Irish Data Protection Commission now that it has issued its first GDPR fines. It is essential that companies do not let their initial fervour to ensure that they are GDPR compliant lapse. It is as important now as it was on 25th May 2018 that companies abide by their data protection obligations, both to protect data subjects’ rights and to protect their businesses.

    Ward Solutions can help to maintain your Data Protection compliance. We provide, on an ‘as a service’ basis, certified, knowledgeable and experienced Data Protection Officers to help you fulfil the role of DPO in your organisation. Many organisations of varying size across all sectors are moving to this cost-effective model to fulfil their Data Protection compliance requirements.

    Ward Solutions can also assist in improving your overall Information Security posture in a cost effective manner through our “CISO as a service”. We supply a dedicated senior Information Security consultant to work with your organisation to deliver all the responsibilities of a CISO. This service can be delivered for a specific set of tasks, a specific timeframe or on an ongoing retained (but not necessarily full-time) basis.

    News

    Tusla has become the first organisation fined for GDPR…

    The child and family agency, Tusla, has become the first organisation in the Republic of Ireland to be fined for a breach of the General Data Protection Regulation (GDPR).
    The agency was fined €75,000 arising out of an investigation into three cases where information about children was wrongly disclosed to unauthorised parties.
    State bodies can be fined up to €1 million for breaches of the data rules, and multinationals can be fined up to €20 million, or four per cent of their previous year’s turnover.

    During the COVID-19 pandemic, organisations were required to quickly move their staff to a remote working model. In normal circumstances, remote working would add considerable data protection risks. The urgency of the recent move to this model, in a sometimes ad hoc and unplanned manner, has increased these risks even further. Coupled with this, there is evidence of a global increase in fraud and hacking activities in the past weeks. It is clear that the compliance requirements of GDPR continue regardless of the current crisis. This is evident in the issuing of the first GDPR fine in Ireland.

    GDPR compliance is a requirement for organisations in terms of managing their data protection risk and demonstrably showing their customers, staff and partners that they take data protection seriously. To comply with the accountability requirement of GDPR, this aspiration must be supported by documentary evidence to prove this is the case. Under GDPR, a nominated Data Protection Officer (DPO) is required by public bodies and in certain organisations whose core activities involve the large-scale processing of personal data.

    Ward Solutions can help to maintain your Data Protection compliance in these unusual times. We provide, on an ‘as a service’ basis, a Data Protection Officer to help you fulfil the role of DPO in your organisation. Many organisations of varying size are moving to this cost-effective model to fulfil their Data Protection compliance requirements.

    Ward Solutions can also assist in improving your overall Information Security posture in a cost-effective manner through our “CISO as a service”. We supply a dedicated senior strategic information security professional to work with your organisation to deliver all the responsibilities of a CISO. This service can be delivered for a specific set of tasks, a specific time frame, or on an ongoing retained (but not necessarily full-time) basis.

    Forensics & Incident Response

    Zoom Password Breach during the Covid-19 Crisis

    As organisations continue to develop and expand their remote working capabilities following the extension of restrictions during the Covid-19 crisis, threats to remote meeting facilities are on the increase. In particular, platforms such as Zoom have seen an increase in targeting by malicious actors, with a number of incidents being reported over the past weeks. Notable incidents reported include:

    – Zoom bombing of home-based classes, which has reportedly led Singapore’s Ministry of Education to ban the use of Zoom for these purposes.
    – Google reportedly banning Zoom from its employees’ laptops, stating that it did not feel the service met its security standards.
    – In particular, earlier this week, reports that more than 500,000 Zoom accounts had been listed on the dark web for possible sale.

    In relation to the reported password breach, it is recommended that you change your administrator passwords immediately. You could also check whether the email accounts associated with your Zoom service have previously been compromised using the Have I Been Pwned website.
    As with any cloud-based service, organisations using Zoom are advised to review the security controls that they currently have in place for the service and ensure that the controls implemented are sufficient to limit the potential for compromise.

    Password Policy
    Zoom provides a number of controls for administrators to manage accounts and user access. Organisations should ensure that the administration and management of Zoom user accounts is compliant with their existing password policies and access control requirements. This may include:
    – Use of complex passwords
    – Password rotation (enforced password expiry)
    – Restriction on the re-use of passwords
    – Enabling of 2FA, where possible
    – User account time-out after a period of inactivity
    – Restrictions on the use of sign-in via web-mail or social media platforms, such as using Gmail or Facebook credentials to log in. In particular, users should be instructed not to re-use existing passwords which they may use for accessing other social media services.

    Organisations should ensure that users are fully aware of their password policies, and are provided with sufficient training to manage their Zoom accounts securely.
    Where an organisation feels that the controls currently configured on its Zoom service are weak, it is recommended that it enable the additional required access controls and instruct users to change their passwords as soon as possible.

    Acceptable Use
    Most organisations have an acceptable use policy or user security manual in place which instructs users on the appropriate use of company systems and services, such as email, IM, web browsing, etc. Organisations should ensure that controls regarding the use of meeting conferencing services such as Zoom are included in any policies for acceptable use. Organisations should give consideration to the following:
    – File sharing – this should be restricted and/or disabled in line with organisation requirements.
    – Video and conference recording – be aware of who recordings are potentially made available to. Where recordings are set to public, these can subsequently be available to anyone with a valid link, including third-party participants. Users should be made aware of any personal data and data handling requirements when utilising this facility.
    – Screensharing – users should be made aware of potential issues around screensharing where confidential and/or personal data may be inadvertently displayed to persons who are not authorised to view the data. This should be restricted in line with organisation requirements.
    – Remote control – where a user grants this permission, they may be giving a third party access to internal organisational resources and/or confidential data, as they are allowing another user to have remote control of their system.

    The security controls put in place should always adhere to the principle of security by default. Organisations are recommended to disable or restrict all controls that are not required for their users to carry out their daily working activities, and where features are required, ensure users are:
    – Made aware of the organisational policies regarding the use of the services
    – Provided with sufficient training on the use of the services so that they can operate the service securely

    How Can Ward Help?
    Ward can assist you with assessing and identifying potential risks introduced with the move to cloud-based services such as Zoom, including a review of the security hardening of your account to ensure that sufficient controls are in place. If you feel a move to another cloud-based portal such as Microsoft Teams is appropriate, we can assist in securely implementing your Teams environment.
    A number of criminals have taken advantage of the fact that staff are now required to work remotely. In this new environment it is important that staff are aware of these cyber threats. Ward has considerable experience of providing security awareness training and security policy development services, which can help give organisations and their employees the confidence to securely continue their work in this time of change to remote working practices.
