
The key to supply chain security: How to protect your data

The landscape of security and access control has changed markedly over the last decade with the introduction of technology that allows for traceability and time management of mechanical keys. This has changed the conversation, and passkeys, cryptographic keys and encryption keys are all becoming more commonplace. By default, we've become obsessed with cybersecurity, and high-profile cases of data theft and loss are rife.

Research shows that 93% of large organisations and 87% of small businesses experienced a security breach in 2013, with affected companies experiencing roughly 50% more breaches than in 2012. Although keys provide access to critical assets, including servers that hold customer data and offices where customers' accounts are managed, we see many organisations that don't know how many keys they have in circulation, or where they are at any given time.

The supply chain

For organisations handling any kind of data, great importance must be placed on resilience within the supply chain. When considering exposure to risk, physical supply chain management presents a number of unique challenges. Add to this the complex risks that cybersecurity poses, and ensuring a safe supply chain environment can seem like an impossible task. How stable are your suppliers? Do you know where they get their products from? How safe and protected are their assets, and how robust are their own relationships with their suppliers? Mitigating risk can involve identifying dependencies and vulnerabilities that can impact supply chains. Increasing the visibility of these areas allows organisations to anticipate their impact and plan for contingencies.

Data protection

When it comes to the security of your data, areas that need to be considered include:

What information are you sharing within your supply chain?
Where is the data located?
What are your suppliers doing with that information? Are they reselling that data?
Is there a data controller and processing agreement in place?
Are they prepared enough to comply with the General Data Protection Regulation (GDPR)? Enforcement date: 25 May 2018.
How would you deal with a data breach?

The GDPR is a binding legislative act that will come into force across the EU (including the UK) next year. The regulation seeks to harmonise the inconsistent data protection laws currently operating in the EU's member states and aims to facilitate the secure, free flow of data.

If an organisation fails to comply with the regulation it could be fined up to 4% of the company's global annual turnover, and non-compliance could severely damage its reputation.

The secure option

To combat these risks, Abloy UK offers a high level of both physical protection, with its high-quality locking solutions, and data protection, using only accredited software and infrastructure providers that comply with European and national standards for physically secure key systems. PROTEC2 CLIQ is an electronic key system in which all power is held by the key or the locks themselves, so it requires no wiring. Users can change permissions, profiles, schedules and validity and revoke access at the CLIQ of a button; organisations can comprehensively track and audit who has access to which locations, when they had access and how often; and the system uses three-factor authentication, standard 256-bit encryption, advanced encryption and industry-standard SHA-2 SSL certificates. When it comes to data security within your supply chain, don't leave anything to chance: mitigate the potential risks in advance and only use suppliers you can be sure will keep your data secure.


Former Hacker Reveals How Business Owners Should Protect Their …

Nearly eighteen years ago, Kevin Mitnick was arrested in his North Carolina home after a heavily publicized pursuit by the FBI. Mitnick was wanted for computer hacking: he bypassed security systems in organizations such as Motorola, Sun Microsystems, Pacific Bell and the FBI themselves, and he served five years in prison. Mitnick has since remade himself and has written two books revealing common hacking methods and explaining how infamous hacks might have been avoided. His newest book, Ghost in the Wires: My Adventures as the World's Most Wanted Hacker, details his life as a hacker and his cat-and-mouse game with the FBI. Today, he owns a security consulting firm called Mitnick Security. As a computer security consultant, Mitnick works with companies to protect them from intruders like his former self. We asked him to help us understand how the mind of a hacker works and what business owners can do to protect themselves. Below is a lightly edited transcript of our conversation:

Should businesses spend money on employing security consultants?

Businesses should absolutely set aside funding in their budgets for security consultants. Unless there is an expert on staff, and there usually is not, it needs to be outsourced. What happens with smaller businesses is that they give in to the misconception that their site is secure because the system administrator deployed standard security products: firewalls, intrusion detection systems, or stronger authentication devices such as time-based tokens or biometric smart cards. But those things can be exploited. They need a security expert, not just an expert at installing security software. They also need to have someone monitor security. Most people assume that once security software is installed, they're protected. This isn't the case. It's critical that companies be proactive in thinking about security on a long-term basis.

What is social engineering?

Social engineering is when an attacker does thorough research on the company, using various simple investigative techniques to hack a company based on human error. They attempt to identify the business relationships that a company has, such as what customers, suppliers, and vendors they do business with. This is especially successful with large companies who have call centers. An attacker would call to ask a simple question; once they get that information, they make another phone call using the previous information provided. Each employee who answers the next call believes the attacker to be a genuine customer or client based on the information they have acquired from the previous phone calls. After a string of inquiries, enough information has been obtained to hack the system. The hacker will go after the weakest link, and if he can get one person in the business to make a bad decision, none of the security precautions taken will matter.

How can a company protect itself against social engineering?

Businesses can protect themselves through proper training and education. I recently partnered with a company called KnowBe4 that specializes in security awareness training, a niche that wasn't really available before. Proper training demonstrates how hackers are able to manipulate the system through human error. One way to do this is through inoculation: planning a fake attack. When you plant attacks on the employees to test them, they are able to learn from their mistakes and will be less likely to make the same ones in the future.

How can e-commerce web sites protect themselves from credit card fraud?

To have transactions made on your web site via credit card, you must be PCI compliant. Businesses make the mistake of thinking that because you passed the requirements and are PCI certified, you are immune to attacks. Just because you meet certain requirements doesn't mean you're secure. TJ Maxx, Marshalls, JC Penney, and Wal-mart have all been hacked. I had a client whose customers' cards were compromised using a SQL injection (according to one study, 83% of successful hacking-related data breaches are a result of this) from someone in Vietnam. The application they had was full of holes. Having someone look over your system and code is extremely important if you are processing credit transactions on your server.

How often should you review and update your site's security?

It's important to note that information security policies cannot be written in stone. As a business's needs change, new security technologies become available, and security vulnerabilities evolve, the policies need to be modified or supplemented. You should review security at least on an annual basis, but if you're a bigger company, on a quarterly basis. Back in my hacking days, I was able to remain in some systems for over a decade as a result of companies failing to review their security measures.

What is the hardest form of security breaching to prevent?

Threats within the company's own networks. This happens a lot with ex-employees, who leave the company with detailed inside information. One of the things to do is set up booby traps. If an unauthorized employee, such as a mailman, attempts to access something like the payroll, it sets off an alarm. One way to do this is through DLP software, which protects against data breaches. When data is invaded, it advises the administrator of the intrusion.

If credit card information or other data is stolen, can I figure out exactly what has been taken?

That depends. In some cases, we can go into the system and see the logs of exactly what information was viewed, taken, and when it was retrieved. If the hacker deletes those logs, they are irretrievable; we won't be able to see it.

Cuatrecasas lawyer questioned in data-trafficking scandal | News …

31 July 2012 | By Ruth Green

A lawyer from Iberian firm Cuatrecasas Gonçalves Pereira is one of the latest high-profile figures to be questioned in relation to a data-trafficking scandal that first came to light in Spain last year.

An investigation carried out by Spanish police has revealed that Javier Llorente Busquets, a labour partner at Cuatrecasas' Barcelona office, hired a private detective who is alleged to be involved in Operación Pitiusa, the largest ever data-trafficking network scandal in Spanish history.

The investigation began last year after it was discovered that a local policeman in Barcelona had allegedly sold private data related to vehicle licence plates and their drivers. To date it is believed that around 150 people are in some way implicated in the scandal.

After months of investigation, in May the Barcelona police arrested over 70 people who they believe have some connection to the scandal. One of those arrested was Sara Dionisio García, the owner and director of private investigation and intelligence group Strategia.

The police have also called in as witnesses a number of people who are believed to have hired a private investigator but are not believed to have been involved in, or aware of, any alleged illegal practices. However, after hearing a recorded telephone conversation between Llorente and Dionisio, the police brought Llorente in for questioning in an attempt to determine whether he had been aware of the use of illegal methods to obtain the private information.

Earlier this year Llorente spoke to the police to clarify his relationship with Dionisio. According to reports, Llorente asked Dionisio to find out private information about a vehicle that was relevant to a court case, involving the driver of the vehicle, in which he was due to act a matter of days later.

In Llorente's statement to the police, he denied all knowledge that the information he had requested had been obtained illegally or was of a confidential nature, or that he had been in contact with anyone who could provide him with illicit information of this nature. Llorente confirmed that he had received an email in which it was stated that the fee for the services would amount to between 400 and 500, but said that this had not yet been paid.

Another lawyer from a different firm, who is also believed to have contracted Dionisio, has been brought in for questioning.

In a statement, a spokesperson for the firm commented: "Javier Llorente is completely unconnected with the trafficking plot. As he has already stated and confirmed for the police in a timely fashion, he was completely unaware of any illegal activity perpetrated by the investigator, who merely acted as an external service provider, and did not at one moment consider that the service was being carried out illegally."

The news follows a series of significant departures from Cuatrecasas' labour and employment department. Last week Sonia Cortés defected to labour boutique Abdón Pedrajas & Molero (25 July 2012), the previous week a prominent labour partner, Javier Hervás, left the firm (25 June 2012), and just a few weeks earlier a team of one partner and four associates jumped ship to KPMG Abogados (25 June 2012).
