<![CDATA[Killian Consulting - Cog Blog]]>Fri, 22 Mar 2019 06:44:52 -0500Weebly<![CDATA[GDPR]]>Wed, 04 Apr 2018 05:00:00 GMThttp://killian.consulting/cogblog/gdprGDPR = General Data Protection Regulation (EU)
The General Data Protection Regulation (GDPR) is new legislation enacted by the European Union intended to better protect the privacy and security of individuals located in the EU. It is the most comprehensive privacy initiative since the 1995 European Union Data Protection Directive. The GDPR completely replaces the EU Data Protection Directive. GDPR gives users more control over personal data collected and how it is used. The regulation is broad, far-reaching and affects anyone who handles personal data for individuals located in the EU. Enforcement begins May 25, 2018, and covers both new personal data, as well as legacy personal data collected prior to that date.

What are Some of the Key Changes to Data Privacy Under GDPR?

  • Broader Territorial Applicability – the GDPR applies to any company processing the personal data of persons in the EU, regardless of whether or not the company is located in the EU (the test being whether products or services are being offered to them, for example through a website, or their activity is being monitored in the EU).
  • Consent – if you are relying on consent for the processing of personal data (consent being one ‘lawful basis for processing’) this must be intelligible, specific, and unambiguous, and, where sensitive personal data is to be processed (i.e. health information and certain other data types called “special categories” in the legislation), explicit consent is required. One example of where you will need to rely on consent is for the conducting of direct marketing by electronic means.
  • Penalties – companies found to be in breach of GDPR may be subject to penalties of up to the greater of 4% of annual global turnover and €20 million and it is important to note that cloud providers will not be exempt from GDPR enforcement. 
  • Expansive Data Subject Rights – under the GDPR, data subjects in the EU have broad and additional rights with respect to their personal data, including among other things, the right to access, correct, port and erase such personal data (i.e. the “right to be forgotten”), and to withdraw their consent for the processing of personal data.
  • Heightened Accountability Obligations – companies processing the personal data of persons in the EU need to ensure that they have documented a lawful basis for data processing activities, engage in ongoing recordkeeping of data processing activities, document their compliance with the principles set out in GDPR and notify relevant authorities of data breaches within 72 hours, and take additional steps to protect and secure personal data.
  • Transparency – under the GDPR companies are required to clearly describe how they process and use personal data, with more detail including their data retention, anonymization, and deletion policies and practices. Companies will as a minimum need a privacy policy on their websites.
  • Compliance – some companies may be required to hire a Data Protection Officer, while all companies are required to train employees on data privacy and ensure vendor compliance with the GDPR.
  • Definition of Personal Data – the GDPR broadens the definition of personal data to include any information that can be used to directly or indirectly identify an individual, including IP addresses and device IDs. It also covers web data such as location, IP address, browser cookie data, RFID tags, health or genetic information (including bio-metric data). The GDPR also protects racial and ethnic information, political opinions and sexual orientation.

Data Collection Audit

Companies can prepare for GDPR by first reviewing existing data collection, storage and usage practices. Remember, old and new personal data is affected. To start, try answering the following questions to better understand how data flows through your organization:
  • How do you collect personal data?
  • On what lawful basis are you relying to collect personal data?
  • What do you do with it?
  • Where do you store it and for how long?
  • Are you prepared to comply with data requests within 30 days?
  • Are you documenting the process?

Third-party Solutions

Consider third-party solutions (such as website analytics, email marketing and customer contact tools) while reviewing your existing data collection methods. Many major solution providers have already transitioned to GDPR compliant practices. Check the provider's website for compliance details or contact them to request more information.

Next Steps

Develop policies and procedures that allow you to comply with data requests. Documentation is an important aspect of GDPR compliance. Create and maintain internal documentation of official policies and procedures for each of the data request use cases. Every business is different. Consult with a licensed attorney regarding your company's data practices.

Will Killian Consulting and it's Clients be GDPR compliant by May 25, 2018?

Yes. We will be ready to process GDPR requests for our clients (including third-party data that vendors and third-party apps are processors for). We will not deploy any cookies until users have chosen to opt-in on the cookie banner that will be presented to visitors. We are currently working on additional solutions to ensure personal data from persons located in the EU is kept private and secure on our platform.

Author

Shared per Weebly: ​https://www.weebly.com/inspiration/gdpr-and-small-business/

]]>
<![CDATA[End User Education]]>Wed, 07 Jun 2017 05:00:00 GMThttp://killian.consulting/cogblog/end-user-educationWhen weighing up the biggest security hazards to an organization, it may come as a surprise to discover that the End User within the organization is often the first to compromise security. ​Through no fault of their own, and mainly due to a lack of awareness, employees frequently open the virtual gates to attackers.
The End User is the person who uses the software or hardware after it has been fully developed, marketed, and installed. It is also the person who keeps calling the "IT guy" with questions about why the product isn't working correctly. 
With the rise in cybercrime as well as the increase in the consumerization of IT and BYOD, it is more important than ever to fully educate employees about security attacks and protection. Although BYOD has given them an increased level of flexibility, it has also given the end user even more potential to cause security breaches.
Bring your own device (BYOD) refers to employees who bring their own computing devices - such as smartphones, laptops and tablet PCs - to work with them and use them in addition to or instead of company-supplied devices. The prevalence of BYOD is growing as people increasingly own their own high-end mobile computing devices and become more attached to a particular type of device or mobile operating system. BYOD means users must be aware of the risks and responsible for their own ongoing security, as well as the business.
Threat actors actively target end-users as a primary route to compromise. Some criminals may be targeting the end-user directly, for example to conduct financial fraud, others will be leveraging the user to gain access to the organizations IT infrastructure. It is important to note that threat actors can target end users on their home networks and mobile devices, who will then unwittingly bring the “infection” inside the organization.
Increasingly these days, the criminals use a technique called spear phishing; an attacker sends a highly targeted email, often with personal contextual details that fools the user into clicking a link and, unknown to them, downloading malware. Once this has been downloaded, it provides access to the end users device which is used as a launch point to harvest network information and expand control inside the network. 
Additionally, spear phishing can be used to fake a page the targeted ender user is familiar with, such as Dropbox, and ask them to login. The end user will not be able to login but in attempting to do so the fake page will record their login credentials. 
Due to the detrimental ramifications, it is vital that end users have a full understanding of the most common ways for threat actors to target them. This includes educating employees that they will be targeted, encouraging them to be vigilant at all times, teaching employees what qualifies as sensitive data, how to identify and avoid threats, acceptable use policies and security policies.
It’s also crucial that end users understand their role and responsibilities in maintaining the organization's compliance with relevant regulations, such as PCI DSS for payment card data or HIPAA for health records. In short, educating the work force is critical and is a key requirement of information security standards such as ISO27001.
There are a number of ways that security awareness training can be delivered to end users. The most popular tends to be the e-learning variety, where online courses covering the essentials of security awareness are mandated for all employees.
This would teach the user that they are a target, how to look out for social engineering and phishing, password security, handling of sensitive data, plus any specific compliance-driven requirements. This is good for compliance and building a basic level of awareness, but it might not engage the user as well as it could.
The most effective way the leader of an organization can deliver practical and memorable education is to make it real and physically demonstrate what can be achieved as a result of an attack. Taking employees through a real life example of someone clicking an email which looks authentic presents what takes place behind the scenes and makes evident the power the attacker acquires. This illustrates precisely what a threat entails in an easy to understand and influential manner.
Employees who manage both their work and private lives on one device access secure business information, as well as personal information such as passwords and pictures. Ensuring that they know the right procedures for accessing and protecting business information is crucial. Making it personal and teaching employees how to protect their own data adds value by highlighting how a threat could impact their personal life as well as their employer. Implementing best practice will then become second nature as people adopt the same practices in both their personal and professional lives.
Although end user education will help to prevent the risk of human error, it’s impossible to eliminate it completely.
In order to take control and minimize risks, end users should only have access to the information necessary for them to perform their roles. Processes and technology can be put in place to limit and control what information end users can access within a network as well as the actions they can take. 
As a final point to consider, the security of an organization relies on education. Begin educating yourself and your employees by implementing quarterly End User Education. For more information on how Killian Consulting can help you:  
I Need Help!

Author

Sourced from Ben Rossi, author for Information Age

]]>