Q&A - Covid, Dark Web, Safety & Privacy
Doug Forbes
Senior Business Leader | Aligning the worlds of Business & IT | Delivering critical advisory as a Member of the Board
Q1. What have companies had to consider in terms of data privacy during the Covid-19 isolation?
A number of actions have had to be taken by employers, including the sensitive management of redundancies, furloughing of staff and supporting the remaining staff to allow home working.
Redundancy and furlough both require the proper management of staff’s personal data, which must be kept with additional security, as must any “Covid-19 data”, which may be required to help understand where people have travelled and who has tested positive for Covid-19.
Supporting staff and keeping the infrastructure secure has been a far more difficult task when you consider that the National Fraud & Cyber Crime Reporting Centre reported a 400% rise in cybercrime in March 2020. This has been put down to the opportunity for organised criminals to hack into organisations via their home workers.
Traditionally, phishing emails are used to infect the home working machines; the infection then spreads into the organisation to compromise its systems, often to hold the company’s data to ransom. This is called ransomware.
In the lockdown, it seems the majority of reports are related to online shopping scams, where people have ordered protective face masks, hand sanitiser and other products which have never arrived.
Q2. How would you know your cyber-security has been compromised?
Typically, statistics tell us we don’t detect a data breach until 206 days after the event, as many hackers like to act in a covert way and build up a good profile of their victims to maximise their efforts.
Having a Cyber Attack Plan is a key part of understanding when you have been compromised, which we do not often see in SME organisations. We also have the ability to search the “Dark Web” to see if any of a company’s data is on sale, which is an alarming thought, but we have found up to 30,000 compromised accounts for our larger clients.
If ransomware has been used, you will find out when a demand for payment in Bitcoin appears on all your screens in exchange for the release of your data. There is software that guarantees you will not be compromised, as the vendor will pay any ransom you are asked for, as long as you have their software on your machine (see the end of this article for more background on this).
Q3. What is the Dark Web?
There are 3 parts to the Worldwide Web:
Surface Web, which is Google searchable: Wikipedia and all the information that is freely available.
Deep Web, which holds all the company data and things deliberately hidden from the general public.
Dark Web, which, amazingly, is Government sponsored and used covertly by spies, whistleblowers, journalists and… drug dealers, arms dealers and child pornographers.
There are places on the Dark Web where you can buy email addresses and passwords that have been stolen by hackers, or sometimes even by cleaners who take the opportunity to photograph phone lists or Post-it notes with usernames and passwords.
Everything has a price, but you have to pay in Bitcoin (hence its rise to fame), and we can search the Dark Web for you to see if you have been compromised. Note: you can only access the Dark Web via one of its special browsers, such as the Tor Browser.
Q4. How many SMEs are GDPR compliant?
On 20th April 2020, in a study of more than 800 IT and business professionals responsible for data privacy at companies with European customers, Dell and Dimension Research found that 80% of businesses know few details or nothing about GDPR. Recently, TrustArc found that only 20% of businesses believe they are now GDPR compliant.
So if you are not compliant, or haven’t reviewed your GDPR this year, you are not alone, but you are at risk of a fine.
Q5. Will the GDPR still apply when we leave the EU?
As per the ICO guidance, the default position is the same as for a no-deal Brexit: the GDPR will be brought into UK law as the ‘UK GDPR’, but there may be time for further developments about how we deal with particular issues such as UK-EU transfers.
For more information please review: https://ico.org.uk/for-organisations/data-protection-and-brexit/information-rights-and-brexit-frequently-asked-questions/
Q6. What are the fines for GDPR?
The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
The more serious infringements go against the very principles of the right to privacy and the right to be forgotten that are at the heart of the GDPR. These types of infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
Some recent fines in the last 6 months:
Black Lion Marketing Ltd fined £171,000 for making unsolicited direct marketing calls.
Cathay Pacific fined £500,000 for failing to protect the security of its customers’ personal data.
CRDNN Limited fined the maximum £500,000 for making more than 193 million automated nuisance calls.
DSG Retail Ltd fined £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.
Doorstep Dispensaree Ltd, a London-based pharmacy, fined £275,000 for failing to ensure the security of special category data.
EE Limited fined £100,000 for sending over 2.5 million direct marketing messages to its customers without consent.
Q7. How can I stay safe and become GDPR compliant?
There is a basic set of requirements to make sure you are looking after anyone’s data you hold, so as to ensure their rights to: be informed; have access; rectify; erase; restrict how you process it if they are unhappy; have the data moved to another party; object; and question any automated decisions or profiling, such as insurance assessments.
We have a simple baseline questionnaire to help you understand where you need to invest to become compliant.
We have designed a whole set of artefacts on our GDPR Portal, that allows you access to all the policies and procedures required to become compliant, as well as a set of checklists to help you understand each step and background documents.
You will also need to ensure you have adequate cyber-security in place, by becoming Cyber Essentials certified, which will protect you against hackers.
You should have a Cyber Attack Plan in place and understand how to recover and escalate any data breaches.
Q8. How much does it cost to become GDPR Compliant?
As shown in the graph, about 60% of businesses have spent less than £10,000 on becoming compliant. We estimate it would cost roughly half that for a reasonably run SME business to become compliant, and less if you are willing to do most of the leg work yourself:
The GDPR Baseline Questionnaire, which produces a full report with recommendations, costs £500, refunded against any further work. We estimate it will take, on average, 5 to 10 days to become compliant.
Setting up a Cyber Attack Plan would cost you less than £1,000 for the audit and recommendations on how to make yourself secure.
A Dark Web Report gives you the reassurance that your company has not been hacked; it costs £50 each time we run the report, but gives good peace of mind.
To guarantee you never get hacked and never have ransomware issues, we use Sentry Defender, which ensures you will be covered by a ransom guarantee of $1,000 per protected computer up to a maximum of $1,000,000. This costs £14.97 pcm per machine.
For more information please visit our website at https://privacy-specialists.com/keeping-you-safe/ or contact us at https://www.dhirubhai.net/company/privacy-specialists/
Agency Owner | Strategic Creative Director | Ideas centric | Results focussed |
4 years ago: Thanks for this Doug
Digital Riser Founder | Digital Marketing Expert | Helping Small Businesses Thrive Online | Digital Marketer at Kite Group
4 years ago: Great article, thanks Doug Forbes
Seeking safety professionals to share their insights in The State Of Safety Survey 2025: scorecard.slipsafety.co.uk/survey2025
4 years ago: Such an important topic
I help retail and brand businesses optimise their operations to create seamless and satisfying shopping experiences for their customers.
4 years ago: Great post, thanks for sharing
Award Winning - Director at Westcountry Tile & Bathroom Ltd
4 years ago: Thanks for the information Doug Forbes