GDPR & Consent


The deadline for compliance with the General Data Protection Regulation (GDPR) is approaching fast: May 25th, 2018 is when enforcement will begin.

Be sure to read Centry’s GDPR Guide for a concise, easy-to-read breakdown of what GDPR is and important details of what you need to know about it.

For any questions or comments, feel free to contact us at info@centry.global or on any of our social media outlets. We’re here to help you!


The Question of Privacy in the Smart-Tech Life


Smart technology, wearable or otherwise, is undoubtedly a luxurious convenience. With products ranging from Fitbit for keeping track of your health, to voice-activated vehicle consoles, to home improvement and more, the market for this tech is seemingly limitless.

So how does this compromise your privacy?

Josh Lifton, CEO of Crowd Supply, said in a TechRepublic article: “…we’re entering this world where everything is catalogued and everything is documented and companies and governments will be making decisions about you as an individual based on your data trail…”

The European Union answered this question by issuing the new General Data Protection Regulation (GDPR), which bolsters the rights of individual data privacy, ensuring people have the right to know how, when, and where their personal information is used.

While it might not always be a bad thing for organizations to collect information about you, it’s important that those details don’t fall into the wrong hands.

The main concern among security experts when it comes to smart devices like Amazon Echo and Google Home is the degree to which they’re listening. Obviously, they are listening for the voice-activated commands the user might say. But if you own an Alexa device and have ever had it interrupt you when you weren’t intentionally speaking to it, you might wonder what else it’s listening to.

Recently, an array of Bluetooth flaws affecting Android, iOS, and Windows devices was discovered in millions of AI voice-activated assistants, including both the Amazon Echo and Google Home.

BlueBorne is the name given to the attack that takes advantage of these vulnerabilities, allowing external entities to run malicious code, steal information, and otherwise assume control of the device. What is more threatening is that it does not require targets to click any links or fall for any other phishing scams; it can simply take control. Moreover, once an attacker seizes one Bluetooth device on a network, they can infect any other devices on the same network.

While both companies have since released patches and issued automatic updates for their products, it certainly serves as a cautionary tale to be mindful of what you say and do around these devices.

Wearable smart watches like Fitbit and jogging apps on smartphones run into their own security issues, as readers may have observed recently in the news, after a heat map of jogging and cycling routes released by Strava revealed sensitive details about US soldiers in war zones in the Middle East.

Overall, as much as it can be a minor inconvenience, it is important that users don’t blindly press ‘accept’ on privacy terms for these apps and gadgets, and instead take the time to review how their information is collected and used. Knowing what a device records is what lets you decide when it should be switched off.

This article was written by Kristina Weber, Content Supervisor of Centry. For more content like this, follow @CentryLTD on Twitter!

2018 World Economic Forum Highlights


Each year, world leaders, economic experts, industry leaders, celebrities, and other keynote speakers gather to meet in Davos, Switzerland for the annual World Economic Forum. The official program lasts for five days and features more than four hundred sessions, which center discussion around key issues of global relevance, such as globalization, markets, international conflict, environmental issues, etc.

As of today, January 26th, the 2018 forum just wrapped up.

With the immense volume of information, it can be difficult to get a handle on everything that was discussed. As such, we’ve put together some of the big bullet points here for your leisure:

  • India’s Prime Minister, Mr. Narendra Modi, listed his three greatest threats to civilization: terrorism, climate change, and reactionary backlash to globalization.
  • The German Chancellor, Ms. Angela Merkel, stated that global multilateralism has come under threat, as populist movements sweep through countries.
    • Upon this point, Mr. Emmanuel Macron, the President of France, voiced his enduring support for Europe, stating that France would not succeed without greater European success.
    • Although Brexit may come to mind on the point of Ms. Merkel’s statement of deteriorating multilateralism, the UK Prime Minister, Ms. Theresa May, assured attendees of Davos that the United Kingdom would remain an advocate of global trade, with plans for bilateral deals with countries worldwide.
  • United States President, Mr. Donald Trump, discussed the state of the US economy, saying that “America First does not mean America alone,” in the context of the thought that as the United States grows, so too will the rest of the world.
  • Alibaba founder Jack Ma spoke about the IQ of love – a subject that we have discussed previously on Centry Blog.
  • The International Monetary Fund raised its forecasts for global growth in 2018 and 2019 to 3.9%, in the wake of the impact of the recent US tax reforms. These new estimates are 0.2 percentage points higher than the IMF’s previous projections in autumn of 2017.
  • Google CEO Sundar Pichai emphasized the importance of artificial intelligence, saying that despite the risks, the potential benefits of it could not be overlooked.
  • China’s three big movements for the future, as outlined by Mr. Liu He, will be: alleviating poverty, preventing major financial risks, and reducing pollution.

In light of the Davos forum, the WEF released this year’s risk report, outlining ten significant risks in terms of likelihood and impact. See Figure 1 below.

It should be noted that within the top 5, just behind natural disasters, the threat of cyberattacks and data breaches poses a remarkable risk to individuals and organizations worldwide. For an additional perspective on the geopolitical landscape of the cyber field, be sure to read our article on how Cyber is the New Cold War, written by Centry CTO Dave Ehman.

For more content like this, follow @CentryLTD and @CentryCyber on Twitter!

Centry’s GDPR Guide


What is GDPR?

The General Data Protection Regulation (GDPR) is a broad set of rights and principles, enacted into law by the European Union to ensure the protection and use of personal data pertaining to EU residents. These regulations are extensive, featuring 173 recitals, 99 articles, and 160 pages, and they will be enforced with teeth.

When will it be implemented?

The EU enacted GDPR on May 24th, 2016, and enforcement of it will begin on May 25th, 2018. Companies that are not compliant with the regulations by May 25th, 2018, and experience a breach of personal data, can expect to face steep fines: up to 4% of global revenue or 20 million Euro (whichever is higher)!

What does it affect?

  • Any organization that stores or processes personal information about EU subjects, including non-EU entities.
  • Any company that has a presence in an EU country, either by offering goods and services to or monitoring the behaviour of EU citizens.
  • If a company does not have a physical presence in the EU, but processes the data of EU subjects, it will still be subject to GDPR.
  • Large companies
  • Small-medium enterprises are affected if they conduct data processing that impacts the rights and freedoms of data subjects, or if it includes non-occasional sensitive personal data.

Data, Processes, & People

Data refers to any information that your business uses, processes, stores, or needs. Some things you would expect to see on this list are:

  • Customer data
  • Employee information (current & former)
  • Orders
  • Inventory
  • Financial Information
  • Documentation

But there are other things that you may not expect to qualify, such as: vendor lists, certifications, access to resources and credentials, physical access, unstructured [big] data, logs, etc.

Personal data includes any information relating to an identified or identifiable natural person. An identifiable person is one whose identity can be determined either directly or indirectly by reference to an identifier. Keep in mind there is a difference between personal data and sensitive personal data, where the latter corresponds to anything relevant to religious beliefs, sexuality, etc. Sensitive personal data is protected to higher standards, and breaches are subject to larger penalties.

Processes refer to those that are critical to the business, such as:

  • Customer communications
  • Metrics
  • Relationships
  • Reputation
  • Social Media
  • Supply Chain & Materials
  • Industrial Controls
  • Power/Cooling
  • Physical Access & Trade Secrets

Finally, consider the people who are responsible for business operations, and what they have access to. For example, evaluate the following:

  • Current and former employees
  • Executives
  • Contractors
  • Partners
  • Suppliers
  • Customers and Potential Customers
  • Other

What are the goals of GDPR?

GDPR asserts that the protection of data privacy is a fundamental right. These regulations will give control back to the citizens and residents of the EU over their personal data. Furthermore, they will simplify the regulatory environment for international business, by unifying regulations across the EU.

Key Elements

  • Transparency for data subjects – meaning the people whose data is collected should be able to find out what the data is collected for, its purpose, who has access to the data, and how long the data lives in the system. Furthermore, they should be able to verify, correct, export, move, and erase their data as easily as it was provided in the first place.
  • Privacy by design, which minimizes data collection and retention, whilst gaining consent from customers.
    • This includes having a valid basis for processing personal data – it should answer the question of why the data is being processed, and what right the company has to do so.
    • Consent must be clear, precise, and understandable. It cannot be pre-set. It should also be just as easy to cancel the consent as it was to grant it to begin with.
  • Data Protection Impact Assessments (DPIA)
    • For certain data, companies will have to evaluate the risks to privacy (in advance).
  • Right to erasure and to be forgotten
    • Citizens have the right to request that companies erase personal data and inform them how long they will store the data.
  • Extraterritoriality – GDPR applies even if a company does not have a physical presence in the EU, but collects data about EU subjects.
  • Breach notification requirements to both data authorities and persons affected
  • Steep fines for non-compliance
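As an added illustration (not code from Centry’s guide or any real product), here is a hypothetical consent ledger that encodes the elements above: the purpose and retention period are recorded for transparency, consent cannot be pre-set, withdrawal is as easy as granting, and erasure removes everything held on a subject. Subject ids, purposes and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                # what the data is collected for (transparency)
    granted_at: datetime
    retention_days: int         # how long the data lives in the system
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    """Hypothetical consent register; not code from Centry or any real product."""
    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def grant(self, subject_id: str, purpose: str, retention_days: int,
              opt_in: bool, now: datetime) -> ConsentRecord:
        # Consent cannot be pre-set: only an explicit affirmative action records it.
        if opt_in is not True:
            raise ValueError("consent requires an explicit opt-in, never a default")
        rec = ConsentRecord(subject_id, purpose, now, retention_days)
        self._records.setdefault(subject_id, []).append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, now: datetime) -> bool:
        # Withdrawal is one call, as easy as granting; False if nothing was active.
        for rec in self._records.get(subject_id, []):
            if rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = now
                return True
        return False

    def may_process(self, subject_id: str, purpose: str, now: datetime) -> bool:
        # A valid basis is consent that was granted, not withdrawn, and not past retention.
        for rec in self._records.get(subject_id, []):
            if rec.purpose != purpose or rec.withdrawn_at is not None:
                continue
            if now < rec.granted_at + timedelta(days=rec.retention_days):
                return True
        return False

    def erase(self, subject_id: str) -> int:
        # Right to erasure: drop every record for the subject; returns how many went.
        return len(self._records.pop(subject_id, []))

def demo() -> dict:
    """Walk one constructed subject through grant, withdrawal, expiry and erasure."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)   # constructed timestamp
    ledger = ConsentLedger()
    try:                                               # a pre-ticked box is refused
        ledger.grant("subject-1", "newsletter", 365, opt_in=False, now=t0)
        preset_rejected = False
    except ValueError:
        preset_rejected = True
    ledger.grant("subject-1", "newsletter", 365, opt_in=True, now=t0)
    ledger.grant("subject-1", "analytics", 30, opt_in=True, now=t0)
    before = ledger.may_process("subject-1", "newsletter", t0 + timedelta(days=1))
    ledger.withdraw("subject-1", "newsletter", t0 + timedelta(days=2))
    after = ledger.may_process("subject-1", "newsletter", t0 + timedelta(days=3))
    expired = ledger.may_process("subject-1", "analytics", t0 + timedelta(days=31))
    erased = ledger.erase("subject-1")
    return {"preset_rejected": preset_rejected, "before": before,
            "after": after, "expired": expired, "erased": erased}
```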

Centry can help!

For any questions or comments, contact us at info@centry.global or @CentryCyber on Twitter!

This article was written by Dave Ehman and Kristina Weber of Centry LTD.

Centry Blog: 2017 in Review


As of this month, Centry Blog has been in production for one year!

Over this period of time, we have published weekly entries on a variety of subjects, ranging from cyber security, information security, data breaches, social media, phishing, and history to geopolitics and more.

In honor of that, we’ve put together a list of some of our most-read articles written over the course of 2017:

JANUARY

Website Creation. These were the earliest days of setting up Centry Blog and refining its look before publishing content for our readers.

FEBRUARY

The Value of Secure Logistics Supply Chains

What is the cost of unsecured supply chains? Is it a price your organization is willing to pay? Learn more about common ways supply chain security can be compromised, and how to address the issue.

MARCH

Spies in History: The Story of Elizabeth Bentley

Elizabeth Bentley was a Soviet spy in the United States between 1935 and 1945, until she famously defected from the USSR and gave testimony before the House Committee, wherein she named more than eighty associates in her network, some of whom held positions in the government of the United States. Her story was but one in the mounting tensions after World War II that began to pave the path to the Cold War, but her impact certainly was remarkable.

APRIL

When Due Diligence Fails

When does mediocre effort become detrimental? In due diligence, there are three certain ways: insufficient information, lack of verification, and disregarding red flags. Let this article be a lesson in what not to do, and learn from the mistakes of real world examples.

MAY

Spies in History: Virginia Hall, The Most Dangerous Allied Agent in France

Another installment in the Spies in History series, this article reviewed the story of Virginia Hall, a little known hero of World War II. Among other achievements, Virginia Hall was responsible for helping to organize, fund, supply and arm the French resistance during Nazi occupation.

JUNE

Hook, Line, and Sinker: Phishing on Social Media

Phishing attempts have grown to be tailored around their individual social media platforms. This article illustrates these attempts across various platforms such as Facebook, Twitter, Tumblr, and Instagram, and gives tips on how to identify scams.

JULY

A Quick Guide to Anti-Corruption and Bribery

Bribery and corruption are significant issues that entrepreneurs and businesses may encounter worldwide. Violators of anticorruption laws and regulations may face the possibility of financial sanctions, crippling fines, and massive reputational damage. When companies are caught in corruption or bribery, it is usually not a quiet settlement, rather their story becomes a cautionary tale for all others…

AUGUST

Are Your Phones Protected?

In the Cyber era, companies have been investing heavily into their data infrastructure, protecting information vaults, CRM databases and critical production management systems. But when is the last time someone took a look at the customer service center IP phone server? How about the phone bills accumulated by the desktop phones of the call center or personal office phones? Those same phones might be still on your desk, but you have not used them in months or even years.

SEPTEMBER

When VPNs Go Wrong

VPNs have become widespread over the past few years as their users have expanded from businesses utilizing them for information security to individuals seeking out ways to bolster their privacy or obscure their location. The issue that arises from growing individual use is that there are more opportunities to be scammed, and some people with VPNs for personal use may not be able to distinguish between a reputable service and a charismatic, albeit malicious scam. Read on for some red flags to look out for when considering a VPN service!

OCTOBER

Travel Risk Management

Most of the time, trips carry on as expected with maybe a small hiccup in conveniences here or there. But what happens when things go really wrong? Any number of situations could arise with permanent consequences – do you or your organization have a plan for this? This article answers some of those questions by outlining key risks to consider before traveling.

NOVEMBER

Unraveling the Equifax Data Breach

The Equifax Data Breach dominated headlines for weeks after news of it first came out. This article examines how it happened, what went wrong in the aftermath, and what people affected by it can do.

DECEMBER

When is ‘State-Owned’ a Red Flag?

One of the things that we screen for in our risk assessments is the connection of the subject to a politically exposed entity. This basically refers to any individual or company that has connections to the government of a country or other public office. For someone unfamiliar with screening processes and typical red flags, you might ask – when does political exposure or state ownership become a red flag?


8 Predictions for 2018


2017 seems to have passed in the blink of an eye, bringing with it several changes, and these moments have paved the way for the future. That said, here is a quick look at what is in the forecast for 2018 in the security and compliance industries:

GDPR

  • The General Data Protection Regulation (GDPR) has been expected to set a new standard for consumer rights regarding their data, but companies will face a challenge as they update their systems and processes to comply with the new regulation. Companies must be able to show compliance by May 25, 2018.
  • However, CSO suggests that some U.S. companies subject to the European Union’s GDPR are falling behind, and may not be able to make the compliance deadline.

Cybersecurity

  • F-Secure predicts that production of new types of ransomware will probably slow down in 2018, but that cyber criminals will focus more on attacking companies for a bigger profit from fewer victims.
  • Biometrics as a form of identity authentication will continue to become more widespread.
  • State-sponsored attacks will continue as political tensions continue to rise. FireEye suggests that we will see more instances of ‘hacktivism’, that is, attacks to promote a political agenda or social change.
  • McAfee predicts that there will be a machine learning ‘arms race’ between cyber attackers and defenders.

Cryptocurrency

  • Bitcoin took a hit after the South Korean government announced new legislation that would heighten regulations on the country’s cryptocurrency markets; however, predictions for it and other cryptocurrencies in 2018 remain strong. BlockTribune offered a few predictions regarding increasing user growth for Bitcoin, the use of Bitcoin as a ‘gateway’ to other cryptocurrencies, and increased market growth.
  • Forbes predicts that cryptocurrency will continue on its path to go mainstream, where more retailers will diversify payment options by offering the use of cryptocurrencies, and furthermore, the development of cryptocurrency-only e-commerce stores.

As these landscapes are so fluid and swiftly changing, it is up to time to determine what changes the New Year will yield. We hope our readers enjoy their celebrations and we will be back next week with another blog update!

Like what you’ve read here? For more content like this, follow @CentryLTD and @CentryCyber on Twitter!

Cryptocurrencies & Sanctions


Bitcoin has seen its value skyrocket in the past few weeks, and some cyber analysts are beginning to worry that the digital cryptocurrency is primed for exploitation by countries looking to dodge sanctions.

Bitcoin is but one of many cryptocurrencies backed by encrypted blockchain technology that allows users to conceal their identities when buying or selling the currency. This offers a level of anonymity that has been perceived as hitherto limited to cash transactions. Consequently, cryptocurrencies may offer a means for criminals and sanctioned entities to conduct business beyond the global financial system.

Furthermore, the anonymity available in bitcoin transactions makes it challenging for international authorities to prove that money has been transferred by sanctioned entities.

Nonetheless, we have seen stories crop up surrounding North Korea’s use of the currency to dodge UN sanctions. According to FireEye, North Korean state-backed hackers have been increasing attacks on cryptocurrency exchanges in South Korea to steal Bitcoin and other cryptocurrencies. It’s expected that North Korea’s hold of the digital currency will continue to increase in the wake of tightening sanctions.

FireEye’s article, originally published in September, stated that it had observed North Korean actors target at least three South Korean cryptocurrency exchanges since May 2017. Taken together with the ties between North Korean operators and a compromised Bitcoin news site in 2016, as well as the use of a cryptocurrency miner, this shows the potential interest that the nation has in Bitcoin, among other cryptocurrencies.

Furthermore, Bloomberg recently published a report suggesting that Russia may utilize cryptocurrencies to work around increasing sanctions.

However, there are still quite a few obstacles in the way of using Bitcoin for large-scale transfers, as cashing out of the system is complicated. Regulators keep a close watch on the transfer of virtual currencies into cash, and anything that operates in dollars would be subject to US regulation.

Moreover, there’s simply the issue that there is a limited quantity of the cryptocurrency available. The total market capitalization of Bitcoin seems to be around $280 billion, which, while it is a lot of money, is but a drop in the bucket of true global wealth.

For more content like this, follow @CentryLTD and @CentryCyber on Twitter!