What can your IT Projects learn from the TSB “IT Meltdown”?

If you have been keeping an eye on the news over the last couple of weeks, you won’t have missed the major story that broke on Monday 23rd April 2018. TSB, one of the UK’s major high-street banks, was taking major steps to separate its IT systems from Lloyds Banking Group systems after the two split in 2013. As part of this process, TSB had scheduled downtime from 16.00 on Friday 20th May until 18.00 the following Sunday.

As the headlines broke, it was clear that this “smooth process” had been anything but. With customers still unable to access vital services, and systems still not running correctly a week on, this blog post explores the lessons your IT project delivery can learn from the mistakes made by TSB.

 

The cardinal sin of this whole process was a lack of transparency. TSB failed to acknowledge that customers were reporting issues even after it had issued a statement claiming the project was a complete success. With customers taking to social media about their ongoing problems, it took the business over 2 days to remove the notice of ‘successful migration’ and inform all customers that there were still issues. In this day and age, it is detrimental to a business’ success to hide the truth from its customers. Businesses must be seen to be upfront and honest in accepting their mistakes; it’s better to admit your shortcomings than to mislead your customer base.

 


Alongside this mistake, it was clear that the business had no rollback plan. All projects should follow a clear methodology: as soon as you encounter an issue, you ask the delivery team the question “Can we resolve this, or is this a major issue?”. If any part of the delivery team believes it could be a major issue, then the business should revert to its previous state and return to the testing and planning stages to resolve the flaw before attempting to roll the project forward.

Time management is critical when running any project, IT related or not; if you’re not working with enough time to complete a task, then your project is doomed to fail. It’s always better to over-estimate and deliver ahead of time than it is to promise a deadline and fail to reach it, which is exactly what TSB have done in this instance.

 

One of the most critical lessons to learn from this process is that in this social and digital era, how your customers engage with your services online and how they perceive them is just as important as how much money is in the bank.

 

“In a world where reputation is everything, trust is the new currency” – Rachel Botsman

 

When looking to deliver IT projects, why not lean on our in-house expertise at Planet IT? Our team of qualified project engineers and project managers are here to help your business deliver its IT projects.

 

Get in contact:  enquiries@planet-it.net | +44 (0)1235 433 900

Our dedicated and knowledgeable business development managers are here to help with all your IT business needs.

Data Protection Officer (DPO) – a new role now required for all public bodies & schools under GDPR legislation.

As of the 25th of May 2018, your school, regardless of its status (state-run, academy or private), will be required to appoint a data protection officer (DPO). This role can be either an internal appointment or outsourced; however, the fundamentals are the same: this person must be “qualified” to complete the role.

The DPO role in schools is mandatory because GDPR states that all public bodies must appoint a DPO, as must anyone whose core business activities involve the “regular and systematic monitoring of data subjects on a large scale”, which is a core part of the education system.

 

A critical factor for appointing a DPO in any organisation, especially in schools, is that the individual must be free from any conflict of interest, must be able to carry out their duties as DPO without fear for their employment, and they must have a direct route of communication to both senior management and to school governors (should the need arise).

 

Any person who is appointed to the role of DPO must be able to carry out the following responsibilities:

 

• Educating all staff on important compliance requirements

• Training staff involved in any form of data processing

• Conducting audits to ensure compliance and to address potential issues proactively

• Serving as the point of contact between the school and GDPR Supervisory Authorities

• Maintaining comprehensive records of all data processing activities

• Delivering and maintaining the school’s GDPR compliance project.

These are just some of the responsibilities of a DPO in schools; there are many more, and we can provide a full job description to support your school.

 

Alongside the long list of responsibilities is the requirement for the person to be trained and qualified to complete the role. There is no formal list of required qualifications but a good starting point would be the ED GDPR Foundation course. Your appointed DPO is expected to have “expert knowledge of data protection law and practices.”

 

With all this said, who is your school going to appoint as their DPO? Can they fulfil the required role? Do you need more guidance?

 

At Planet IT we are focused on supporting schools in their GDPR compliance projects. Contact one of our GDPR specialists today for more advice and to see how we can help you.

Stand Up to Cryptojacking – in partnership with Sophos

Cryptojacking has recently erupted onto the cybercrime scene, thanks to the surge in value during 2017 of cryptocurrencies such as Bitcoin, Monero, and Ethereum. Crooks are aggressively targeting laptops, desktops, servers, and even mobile devices. From a single device to entire networks, they infect as many devices as they can to mine for cryptocurrency on, or while using, other people’s computers. Simply put, you do the work, pay for the electricity and hardware, and they pocket the rewards. Read this paper to learn how to fight back! We’ll explore the differences between legitimate mining and cryptojacking; how cryptojacking works; the costs of cryptojacking to today’s organizations; and practical steps you can take to avoid being a victim of cryptojacking.

Setting the stage

Cryptomining and cryptojacking are two terms that are commonly used when discussing this topic. Let’s start by quickly distinguishing between the two. Cryptomining is the act of doing all the necessary – and quite frankly very complex – work required to generate and work with cryptocurrency. It can be either legitimate or malicious, which is determined by several factors, most significantly whether you consciously agree to it. Cryptojacking is malicious cryptomining.

The crooks get code onto your devices without your permission to mine for cryptocurrency using your equipment and your resources. They keep all the proceeds themselves while you get nothing for your hard work. A common misconception is that the sole purpose of miners is to generate cryptocurrency. It’s true, this is part of the job.

However, they also have another role that is at least equally as important: validating transactions on the blockchain. To explain blockchains, let’s use banks as an analogy as cryptocurrency is attempting to replace traditional currency. Usually, banks are in charge of keeping accurate records of transactions. In cooperation with governments, banks ensure that money isn’t created out of thin air, and that people don’t cheat and spend their money more than once.

Blockchains are responsible for the same duties, but also introduce a new way of record-keeping. With a blockchain, the entire network, rather than an intermediary or individual, verifies transactions and adds them to the public ledger. Although a ‘trustless’ or ‘trust-minimizing’ monetary system is one of the goals of cryptocurrency, the financial records still need to be secured, and the system must ensure that no one cheats.

The miners who work on the blockchain come to a consensus about the transaction history while preventing fraud, notably the double spending of cryptocurrency. All of this sounds quite complex, and it is. However, there are some basic principles that, once understood, allow you to see why cryptojacking has exploded as a trend.

Let’s start by looking at what it takes to perform legitimate mining and later learn the differences between legitimate and malicious mining.

 

How to be a cryptominer in four easy steps

Before you can start being a miner for a cryptocurrency, there are a few things you need to consider:

Hardware. Regardless of whether you are a casual miner or you’re making mining your full-time profession, your objective is to make money. To mine you need hardware, which clearly has an associated cost. For the casual miner, you may choose to use your gaming or personal machine as it is not being used most of the time. If you’re more serious, you can spend a considerable amount of money on customized cryptomining hardware. If you’re not buying dedicated hardware for mining, the next most efficient way of mining is by chaining together multiple graphics processing units (GPU).

This is your traditional graphics card; miners prefer the high-end kind, and they are not cheap. Why a GPU? Because GPUs are efficient at performing the mathematical calculations that are necessary to work on the blockchain. The market has already reached the point where it is almost impossible for gamers (not miners) to buy high-end graphics cards, because the miners are eating up the supply as soon as it is available. Nvidia has already taken the unprecedented step of asking retailers to stop selling their cards to miners and focus on selling to gamers*.

The big question is, if mining is all about making money, how long is it going to take you to recoup your initial investment?

Ongoing investment. Over time all computer equipment gets faster and more efficient. The older your hardware, the slower it becomes in comparison to new hardware. Also, the bigger the hardware, the more electricity it will consume. Ongoing costs associated with running and maintaining your hardware will apply just like in a traditional business, but with cryptomining they can be considerable. The old statement “you need to spend money to make money” is very true here.

Pools. As a single casual miner working on your own, you would need to be incredibly lucky to successfully mine just one unit of cryptocurrency. Your chances are slim to none. So, what’s the answer? Pool your resources with those from other devices to create a “pool” with the combined computational power of all of them. The chances of successfully mining cryptocurrency increase with the size and computational power of the pool.

Pools are an important concept to understand for both legitimate and malicious mining operations. When you are running a mining application, are you a member of a legitimate or a malicious pool? Obviously, both want their pools to be as big as possible, as it increases computational power and the chances of successfully mining cryptocurrency. The big difference is how they pay out. While legitimate pools will have an agreed method for splitting the proceeds amongst all members, malicious pools usually only provide the proceeds to a single entity (namely the crook). Different pools have different payment structures, and many will pay out in proportion to how much you worked.

Now that you’ve got your hardware and a basic understanding of pools, you can begin mining. And legitimate mining is really just like working any other kind of job. There are four basic steps to make money from mining cryptocurrencies:

Step 1: Find a job!

This is known as joining a pool. You find a pool that is going to pay you a decent return for what you invest in time, computational power, and ongoing running costs. It’s essentially finding out what people are going to pay you for your work.

Step 2: Create a wallet.

After you have a job, you obviously want to be paid. Any proceeds you receive from mining need to go into a wallet. A wallet can be on an exchange, in software (i.e. a file on your device) or secured in hardware. The hardware option is the most secure and recommended option as it is harder to steal.

Step 3: Start working…

Next step, you need to find the mining program of your choice. There are many different options available depending on the cryptocurrency you are mining, and the specific type of GPU in your device. Then you have to start it. Don’t bother sitting and watching it because it’s just a command line and you’ll grow bored very quickly. It is a “set and forget” type of operation.

Step 4. Get paid.

Now sit back, watch the power bill grow, hope your machine doesn’t overheat and cross your fingers that you’ve joined a legitimate pool and will get paid… Generally, pools have an agreed-upon payment period, just like a real job. At that point in time they will divide the proceeds from the pool amongst all members of the pool in the agreed-upon fashion.

The many faces of cryptojacking

Malicious JavaScript miners

Malicious JavaScript miners are the quick and easy way for crooks to enslave a large number of devices. The logic is pretty simple: what do most people do on a regular basis? They browse the web. By turning every browser that visits a website into a worker, the crooks can very quickly add lots of devices to a malicious mining pool.

If you’re a cryptojacker, it’s brilliant: someone else does the work, you use their resources, and you get all the proceeds for yourself. Now, ask yourself how many devices have a browser that can run JavaScript? It’s a mindbendingly large number. Every laptop, desktop, mobile device (phone and tablet), server and other device is a potential victim. And as the crooks have access to a large number of compromised websites, the chances that they will get devices with a browser running the JavaScript miner are very high.

JavaScript miners are transient miners, as your browser may only perform the mining tasks for a short period of time. The mining stops when you close the browser or the tab that is viewing the infected website, so it is in theory easy to stop. However, how often do you actually close your browser, or is it always running in the background?

When a user surfs to a site or page hosting a malicious JavaScript miner, they are not asked for permission to run it – it just runs. Around this time the CPU on the device will rise to near maximum capacity and the device will slow to a crawl. The more a processor works, the more electricity it consumes and the hotter it gets.

Mobile devices can rise to “cooking temperatures” and mining can drain a battery quickly, even leading to battery expansion and device destruction. Some of these JavaScript miners are smart and have the ability to limit their CPU usage, enabling them to remain hidden for longer. The longer they can hide and execute, the more work they perform for the crooks and their malicious pool. Even though a mobile device is not the most efficient miner, the crooks will take every piece of computational power they can grab!

Some JavaScript miners are smart enough to know that they are on a mobile device and only go into full-blown mining when the device is attached to power, staying relatively dormant when it is running on battery. That way the user doesn’t notice a suspiciously large drop in battery performance – again, so they can remain unnoticed for longer. Also, most people don’t pay attention to their phones when they are plugged in and charging. This works better on a mobile device because people don’t close the browser on their mobile device – they mainly leave it in the background as they swap to different apps.

The business implications of cryptojacking

Cryptojacking might sound relatively harmless at first – it doesn’t need to read your personal data, or even to access your file system. However, the downsides are still very significant:

1. Unbudgeted operating expenses from powering computers to work for someone else.

2. Opportunity costs because legitimate work gets slowed down. You think your computer is slow now? Wait until you get cryptomining software on it!

3. Security risks from who-knows-what untrusted programs and network connections.

4. Reputational and regulatory costs of reporting, investigating and explaining the cryptomining activity.

5. Ethical concerns of allowing employees to mine using your resources.

Those risks are real, and you need to decide whether your business can afford to ignore them. Your business needs to form an opinion on what its policy on cryptomining is. While the view on cryptojacking is simple – it should never be allowed – the view on legitimate mining varies from business to business.

Some companies will allow legitimate mining on company resources. Others will not. Again, there is an ethical component of allowing employees to use company resources, including the hardware, electricity, and ongoing running costs to perform legitimate cryptomining.

You can also ask yourself: does this make the employee the bad guy?

Fighting back against cryptojacking

When it comes to stopping cryptojacking there is no silver bullet. Just like protecting yourself against ransomware, you need to take a layered approach to protection.

1. Block websites hosting JavaScript miners both at the gateway and the endpoints

2. Stop cryptomining malware at every point in the attack chain

3. Prevent cryptomining apps from running on your network

 

We also recommend that you:

– Keep your devices patched to minimize the risk of exploit-related attacks

– Use mobile management technology to ensure that native mobile apps aren’t present on your mobile phones or tablets

– Educate your team:

• Cryptomining is not an acceptable use of company resources or power

• Explain traditional attack vectors of malware such as phishing and how they can protect themselves

• Maintain a strong password policy

 

– Keep an eye out for the tell-tale signs that you’ve been cryptojacked:

• Slow network

• Soaring electricity bill

• Spike in CPU consumption
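Of the three signs above, the CPU spike is the one an endpoint agent can check for automatically. The following heuristic is an added example, not code from the Sophos paper or any Sophos product: it scans constructed per-process CPU samples and flags a process pinned near maximum, and also a browser holding a flat, moderate load for half an hour, the throttled pattern the paper says some JavaScript miners use to stay hidden. The process names, sampling interval and thresholds are illustrative assumptions.

```python
"""Heuristic check for the "spike in CPU consumption" sign of cryptojacking.

Added example, not code from the Sophos paper or a Sophos product. It assumes an
endpoint agent that records per-process CPU use at a fixed interval; the sample
rows, process names and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Sample:
    ts: int          # seconds since the capture started
    process: str     # process name as the (assumed) agent reports it
    cpu_pct: float   # CPU use of that process, 0-100


# A miner hosted on a web page runs inside the browser's JavaScript engine, so
# it shows up as sustained load in one of these rather than as its own binary.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}

PINNED_CPU = 80.0         # "near maximum capacity"
PINNED_SECONDS = 300      # five minutes pinned is beyond normal page rendering
THROTTLED_LOW = 25.0      # a capped miner still needs a steady slice of CPU
THROTTLED_SECONDS = 1800  # half an hour of flat load is not interactive browsing


def longest_run(rows: List[Sample], lo: float, hi: float = 100.0) -> int:
    """Longest contiguous stretch, in seconds, with lo <= cpu_pct <= hi.

    rows must be sorted by ts. Duration is measured from the first to the last
    sample of the stretch, so a single matching sample counts as 0 seconds.
    """
    best = 0
    start = prev = None
    for s in rows:
        if lo <= s.cpu_pct <= hi:
            if start is None:
                start = s.ts
            prev = s.ts
        elif start is not None:
            best = max(best, prev - start)
            start = None
    if start is not None:
        best = max(best, prev - start)
    return best


def detect(samples: Iterable[Sample]) -> List[Dict[str, object]]:
    """Return one finding per process whose CPU pattern looks like a miner."""
    by_proc: Dict[str, List[Sample]] = defaultdict(list)
    for s in samples:
        by_proc[s.process].append(s)

    findings: List[Dict[str, object]] = []
    for proc, rows in by_proc.items():
        rows.sort(key=lambda s: s.ts)

        # Classic symptom: the process stays near maximum for minutes on end.
        pinned = longest_run(rows, lo=PINNED_CPU)
        if pinned >= PINNED_SECONDS:
            findings.append({"process": proc, "pattern": "pinned", "seconds": pinned})
            continue

        # Throttled miner: the paper notes some JavaScript miners cap their CPU
        # use to stay hidden. Real browsing is bursty, so a browser holding a
        # moderate, flat load for a long stretch is still worth a look.
        if proc in BROWSERS:
            moderate = longest_run(rows, lo=THROTTLED_LOW, hi=PINNED_CPU)
            if moderate >= THROTTLED_SECONDS:
                findings.append({"process": proc, "pattern": "throttled", "seconds": moderate})
    return findings


def build_demo_samples() -> List[Sample]:
    """Constructed one-hour capture: one sample per process per minute."""
    samples = []
    for minute in range(60):
        ts = minute * 60
        # chrome.exe sits at a flat 35% all hour: the throttled-miner pattern.
        samples.append(Sample(ts, "chrome.exe", 35.0))
        # firefox.exe is idle apart from a two-minute burst while a page loads.
        samples.append(Sample(ts, "firefox.exe", 90.0 if minute in (10, 11) else 3.0))
        # excel.exe is ordinary office work at low load.
        samples.append(Sample(ts, "excel.exe", 5.0))
        # worker.exe, an unknown binary, is pinned at 97% from minute 20 on.
        samples.append(Sample(ts, "worker.exe", 97.0 if minute >= 20 else 1.0))
    return samples


if __name__ == "__main__":
    for finding in detect(build_demo_samples()):
        print(finding)
```

Only chrome.exe (throttled) and worker.exe (pinned) are reported; the short Firefox burst and the Excel load are left alone, which is the point of requiring a sustained run rather than a single high reading.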

It’s not just about IT! Data Protection By Design

Implementing GDPR is not just about IT systems and making them compliant with the regulations. Data exists in many forms, and in many organisations the greatest risk of breach comes in the form of physical data. Many businesses have overlooked the physical aspect of the GDPR; this article explores the risk presented by physical data and what you should do to mitigate it.

Physical Risk

Some physical risks are obvious, e.g. loss through data being dropped, left behind or misplaced. These kinds of incidents have been well documented, for example when MI5 and the UK Government suffered data loss through losing paperwork or storage devices. However, some risks fly under the radar, like secure data destruction. If your business is storing or filing secure PII (Personally Identifiable Information), then you must have the policies and procedures in place to prevent data loss.

Physical risks to data also exist in the form of misfiled data: when someone has put HR data in with your finance records, or placed it loose in a box of files. These are still cases of data loss, despite the records still being present in your office building, because you have lost control and visibility of them. This and many other data loss cases in the physical world happen through carelessness. Whether data is left on the train, or has been placed in that drawer which (one day) will get sorted out, it is still data loss!

When was the last time your business checked how your data destruction company was actually disposing of and handling your waste? In some cases ‘data destruction’ or ‘shredding’ companies are acting as a law unto themselves, using less than acceptable methods to reduce cost and admin time. The truth of the matter is that companies are responsible for this data and so should know what happens to it when it leaves the office.

In rare cases physical data can be stolen, either deliberately or by chance. This cannot always be prevented, but businesses need to ensure that their processes mitigate against data loss by offering secure transport solutions for paper records.

The most obvious and most under-thought part of physical data protection is locks, safes and keys. Does your business have locked filing cabinets? Who has keys? Do they need access to all the data in the cabinet? Is the key stored safely and securely? What about your doors: are they all locked, with either a physical key or an electronic system? Is access properly controlled? These questions should be asked of all locations where PII can be found and is stored.

How do you prevent physical data loss?

With Data Protection by Design, the best practice is to start from the most basic action; in the case of physical security, start from access:

• Are all doors into offices, storage locations and the building locked when not in use? Do only the staff who need access have keys/access to these areas?

• Are all file storage systems (filing cabinets, drawers etc.) locked? Do only the staff who need access have keys/access to these systems?

• Are all your employees’ desks “clean” when not in use? Is data left openly on display? Does this data pose a risk to the freedoms and rights of any living persons?

• Do your employees take home or take offsite personally identifiable information about your customers/clients or business colleagues?

• How is data transported?

• When data reaches its destination, how is it stored?

You should make sure that all of your documentation for GDPR compliance reflects the steps you have taken to move from non-compliance to compliance, including all the steps taken against physical loss as shown above.

Conclusions and next steps

As with my previous articles on data protection by design, this is not the end of the road. Making data protection a critical part of your design process and making data protection part of your everyday business processes will only strengthen your business.

You should be thinking about the bigger picture when looking at GDPR compliance, beyond IT and your IT systems; look at GDPR as a business-wide issue and look to gain compliance by instigating changes across all parts of your organisation.

For more information on GDPR or IT security and support solution for your business in general, give our Planet IT team a call today.

The Top 5 Things you need to know about GDPR for your Business

As the deadline of 25th May approaches, it feels like all everyone is talking about is GDPR and what it will mean for businesses, large and small.

So, in an online world of endless, confusing information about what GDPR is, we have devised the top 5 things that you need to know and how to action them for your business.

1. GDPR will affect your business – no business in the UK is excluded from the requirement to be compliant with GDPR; this covers all sectors and verticals.

2. Brexit makes no difference – regardless of when we leave the EU and what the final deal is, the Government will transition the regulations into British law on that date; this has been defined in the British Data Protection Bill.

3. With GDPR you are required to prove compliance – under the DPA you could simply say you were compliant with no proof required; with GDPR the focus shifts heavily to being able to prove that you are compliant and the steps that have been taken.

4. It’s not just about IT – although most systems in a modern business will be related to IT, GDPR is not just a problem for your IT department or provider; it will affect your whole business and will require changes in most areas of the business and its practices.

5. It’s not too late to act – you still have time to get your business compliant.

Get in touch with one of our expert consultants now 012345 433900 or enquiries@planet-it.net

Education, Education, Education… People are the key to GDPR success

For a business, trying to achieve compliance with GDPR by May is a daunting task. The sheer volume of required changes, policies, procedures and business-wide adjustments can be enough to overwhelm the best of us. Because of this I have noticed a trend which could potentially lead to the failure of many businesses’ GDPR compliance projects. This comes in the form of staff awareness and training.

Many organisations have started laying the foundations of solid compliance, but are missing the key to the success of delivering this project to completion. If your staff don’t know about GDPR, what it means for their roles and how the business is adjusting to facilitate these changes, how are they expected to work in a GDPR-compliant way following the implementation of your changes?

To combat this, you should look to train all staff. This should take the form of formal, recorded staff training with all staff required to be present, and these training sessions should cover everyone from the cleaners to the board. By taking this simple step, businesses can not only accelerate their compliance but also ensure best practice across the board.

3n$rYpt!0N…Encryption under GDPR

The regulations are quite forthcoming about what is needed in terms of encryption. In short, everything should be encrypted, and this should be done to protect the rights and freedoms of those subject to data capture.

What this means is that data should not only be encrypted at rest (on your server/computer/tablet) but should also be encrypted in transit (via e-mail or file transfer) and during use. Now, we know this doesn’t sound easy. Managing encryption of data when At Rest (AR), In Transit (IT) and In Use (IU) is a massive challenge for businesses who don’t currently have encryption, but it can be achieved using a number of products.

Planet IT are able to offer businesses the following products, which we believe will tick as many of your security and data compliance boxes:

• Sophos Safeguard Encryption
• Bitglass
• BitLocker and FileVault
• Microsoft Office 365 Security and Compliance Centre

Sophos Safeguard Encryption

Sophos’ Safeguard Encryption places all created files on a system under an encryption that can only be reversed by someone using the same software who has access to the file. This really is as simple as it sounds and is a great option for any business trying to become GDPR compliant. Looking at the demo of Sophos Safeguard Encryption, the protection it provides to documents both IU and AR is unparalleled.

It provides not only file-level protection but whole-system protection through BitLocker or macOS’s FileVault. This is unlike any other product on the market, leveraging the built-in OS technology to maximise the protection provided. On top of all this, it can provide protection to files transferred off the system via USB, file share or to the cloud.

If you are a Sophos customer using one of their other products this move makes perfect sense, it seamlessly integrates with their desktop protection products (Antivirus and Intercept X) and their network protection units like the SG and XG line.

You can find more information here https://www.sophos.com/en-us/products/safeguard-encryption.aspx

Bitglass

Bitglass is a different technology to Sophos and comes from the traditional space where firewalls and content protection would have sat, or, for those in the technology space, a CASB (Cloud Access Security Broker). This technology is designed to bring antivirus/anti-malware (provided by Cylance), access control, data loss prevention and visibility together on a single platform. Bitglass can sit in front of any cloud service and apply itself to your data source.

Bitglass offers a great platform for anyone who is based completely in the cloud and has very stringent data protection or legal compliance obligations to abide by. However, if your business is focused on mobility and home working, this platform presents more issues than it’s worth.

Bitglass can be found here https://www.bitglass.com 

BitLocker and FileVault

Both BitLocker and FileVault are tools built into modern operating systems. BitLocker is available for free inside Windows 7 (Enterprise and Ultimate editions), 8 (Pro and Enterprise editions), 8.1 (Pro and Enterprise editions) and 10 (Pro, Enterprise, and Education editions), and FileVault is free inside macOS and OS X (10.3 or higher).

This software is disk-level encryption, and the basis of its operation is as follows. The data on the hard drive is encrypted in such a way that only the hardware that performed the encryption can reverse it and open the files; this means that if your laptop or desktop hard drive is removed and placed into different hardware to be read, it will fail. This technology is critical for any business which allows its devices to leave site. Businesses cannot risk having hardware containing business-sensitive data roaming freely around without basic levels of protection in place.

BitLocker can also be used to encrypt mobile storage, like USB sticks, external hard drives and memory cards. However, it is worth noting that if you use this technology on an external drive, it cannot be read on a PC that is not running Windows 7 or above, which can cause compatibility issues with macOS and Linux.

Another point of note with BitLocker and FileVault is that this technology can be leveraged with other platforms like Sophos Safeguard to increase device protection above that offered by the software platform alone.

More information on BitLocker can be found here https://technet.microsoft.com/en-us/library/cc732774(v=ws.11).aspx

More information on FileVault can be found here https://support.apple.com/en-gb/HT204837

Microsoft Office 365 Security and Compliance Centre

This solution offers nearly all the features of Bitglass but in a less intrusive way; it allows you to leverage all the features of Office 365 and the Azure platform.

With data classification, data loss prevention, data governance and threat management, this tool offers all the pieces of the puzzle that you need to meet GDPR compliance, and it’s only getting better by the day. The way that Microsoft have set up Office 365 means you’re constantly receiving new features and improvements, and this shows up massively in the Security and Compliance Centre. Microsoft have a clear GDPR road map for Office 365, and the platform will give you all the protection you need for your data (that is stored on Office 365) from this tool.

Warning! This takes some time to configure and may require specialist support to ensure the data is being handled correctly; however, the zero-cost option is always one preferred by businesses.

My personal view on this toolset is: don’t run off buying a product like Bitglass until you have given the Security and Compliance Centre a run for its money, as it is more than likely going to give your compliance team the peace of mind they need.

More information on Microsoft Office 365 Security and Compliance Centre can be found here https://technet.microsoft.com/en-GB/library/dn876574.aspx

For more information on GDPR or IT security and support solution for your business in general, give our Planet IT team a call today.

The Data Protection Bill – GDPR

So you have heard about this Data Protection Bill? Or at least you have heard the media talking about this revolution to the rights of British Citizens in relation to their data.

Well, fear not: the Data Protection Bill, in short, is just the UK government taking the steps to implement its obligations in regard to turning GDPR into UK law. All countries in the EU have done, or will be doing, the same.

The reason it’s in the media so much is that for the average British citizen it would seem like a revolution; however, for a data specialist or anyone who has heard the words GDPR, it is simply the same old story with a new title.

The only legislation in the Data Protection Bill that may be seen as different is that the UK has elected to set the age of consent at 16, which is higher than some countries in the EU. However, this is one of the only rules under the implementation of GDPR that the local government gets to set.

So keep calm and carry on with your GDPR compliance program.
