Eurofins Scientific, another Ransomware victim

The most recent high profile case of a cyber-attack involves Eurofins Scientific, a company that accounts for over half of the UK’s forensic science provision.

The company stated it was the target of a ‘highly sophisticated’ ransomware attack on the 2nd of June and is under criminal investigation. As a result the police have stopped all work with Eurofins. The repercussions of this are huge, as Eurofins normally processes more than 70,000 criminal cases including DNA testing, firearms testing, toxicology analysis and computer forensics for police forces across the UK. Other forensic firms have increased their workload to deal with the backlog of cases but some are still being delayed as police are overwhelmed with cases, and many court hearings have been postponed. To add insult to injury, the Telegraph claimed a few weeks before this attack ‘a House of Lords report warned that the provision of forensic science in England and Wales has reached breaking point, risking crimes going unsolved and miscarriages of justice occurring.’

Ransomware is a type of malicious computer programme which either publishes data or blocks access to a computer system via encryption until a sum of money is paid. The National Crime Agency (NCA) is conducting an investigation into the attack, supported by the National Cyber Security Centre (NCSC). ‘Our priority is to limit harm to the UK and the Public’ the NCSC announced on June 21st.

It is clear from this attack that simple precautions such as keeping back-ups must take place regularly in data-reliant businesses. With the recent rise of successful ransomware attacks, and the vast amounts of money taken from victim organisations, the rate of these types of malware attacks is only going to increase. Sandip Patel QC of OSP Cyber Academy states that “Ransomware is a global threat, which will only intensify unless organisations purge themselves of a culture of complacency, adopt appropriate cyber hygiene measures and never pay ransomware attackers.” Having a recent back-up from which to restore data to its state before the attack would have saved a lot of time and resources.

Although there is no evidence or confirmation from Eurofins Scientific themselves, the BBC reports that Eurofins has in fact paid a ransom. Hackers are criminals – criminals cannot be trusted to honour an agreement. Approximately 70% of companies who pay a ransom fee do not get their data back. Moreover, as Sandip Patel QC argues, ransom money only fuels further criminal operations: “In my view, giving in to the attackers’ demands only rewards them for their malicious deeds and breeds more attacks.”

The Eurofins case is just one of many issues to impact the forensic provision, following alleged drug test manipulation and the collapse of Key Forensic Services.

“Cybercrime – A Prosecutors Perspective” By Sandip Patel QC

“He acted with determination and undoubted ingenuity and it was sophisticated, it was calculating. This represents the most extensive and grave incident of social media hacking to be brought before the British courts.”

Everyone knows Facebook. Hear the interesting background from the barrister who prosecuted the hacker that almost brought Facebook to its knees.

This was not industrial espionage as the British and American Governments thought, but a 26-year-old man named Glen Mangham who admitted to infiltrating Facebook from his bedroom in his parents’ house. This hack was not done for financial reward but for intellectual challenge.

Follow the link and hear this first ever public exclusive from Sandip Patel QC about Glen the Facebook hacker, as well as some insight into Anonymous and Spamhaus.


“What are the implications of the GDPR and Data Protection in 2019?” By Irene Coyle

The General Data Protection Regulation (GDPR) is certainly leaving its mark on the data protection field by being the first legislation of its kind to tackle present-day dangers to data security and companies’ accountability to their customers in the face of these threats.

Many companies are struggling to put in place the infrastructure needed to respond to incidents and data requests as laid out in the GDPR, while entrepreneurs are profiting by building tools that enable companies to more easily manage visitor and customer consent.

Non-compliant companies are hoping that they will never incur the wrath of their customers and data protection agencies. But data breaches continue regardless, through the ingenuity of perpetrators or the neglect of employees and customers (who have the right to request their data at any time), so it won’t be long before they find themselves on the wrong side of the GDPR unless they take action and grab the opportunity this legislation offers them.

Research undertaken by the Information Commissioner’s Office (ICO) shows the state of 600 UK-based companies more than 100 days after GDPR was implemented:
• Only 20% of the companies believe themselves to be GDPR compliant.
• 53% say they are in the implementation phase.
• Alarmingly, 27% have not yet started.
• Looking in a more positive direction, 74% of respondents expected to be compliant by the end of 2018.

Improved data protection compliance should encourage innovation and continuous improvement. It should not be perceived as a cost overhead but more as an investment in your people, business and future security.

The key to a stable, secure work environment is continued personal development through training, education and awareness. Data protection should be the driver to do things better in 2019.

“Summary of the ICO’s report on data analytics in political campaigns” By Sandip Patel QC

The Information Commissioner’s Office (ICO) has published its report to Parliament bringing the ICO’s investigation into the use of data analytics in political campaigns up to date. It is the largest investigation of its type undertaken by any supervisory authority, and the report covers the areas investigated, findings and actions to date.

Particular concerns surrounding voters’ personal privacy include the purchasing of marketing lists and lifestyle information from data brokers without sufficient due diligence, a lack of fair processing and the use of third party analytics companies with insufficient checks around consent. The enforcement actions taken include:

• Fining Facebook the maximum penalty for serious breaches of the first and seventh principles of the Data Protection Act 1998.
• Instigating criminal proceedings against SCL Elections Ltd (trading as Cambridge Analytica) for failing to properly deal with an enforcement notice dated 4 May 2018, in relation to a data subject access request. A trial is set for 9 January 2019 at Hendon Magistrates’ Court.
• Issuing a notice of intent to fine both Leave.EU and Eldon Insurance (trading as GoSkippy) £60,000 each for serious contraventions of regulation 22 of the Privacy and Electronic Communications Regulations 2003 (SI 2003 2426) (PECR).
• Issuing a notice of intent to fine Leave.EU £15,000 for serious contraventions of regulation 22 of the PECR.
• Issuing formal warnings to 11 political parties requiring action, backed by an intention to issue assessment notices for audits, from January 2019.

The ICO has also made recommendations including asking the government to consider whether there are any regulatory gaps in the current data protection and electoral law landscape to ensure that the UK has a regime fit for purpose in the digital age. The ICO has recommended that a Code of Practice for the use of personal information in political campaigns be put on a statutory footing to help combat unlawful campaigning tactics and has launched a consultation.

The ICO started its investigation in May 2017, after allegations about “invisible processing” of people’s personal data and micro-targeting of political adverts during the EU Referendum.

“WannaCry?” By Sandip Patel QC

“2017 brought unrelenting growth in cybercrime including ransomware, phishing, hacking, social engineering and targeted campaigns, some state-sponsored. The World Economic Forum (WEF) has ranked cybercrime in the top three risks the world will face in 2018. According to its statistics, 357 million malware variants were released in 2016 alone and banking trojans (designed to steal account login details) on sale for just $500. Ransomware, said to be worth $1bn globally, continues to dominate the malware landscape and has grown by 56% according to McAfee Lab’s 2018 Threats Prediction Report.”

Sandip Patel QC – Chairperson of the Cybercrime Practitioners Association & OSP Cyber Academy’s Chief Legal Adviser – is an industry-leading expert in cybercrime and cyber security. Involved as the prosecuting QC in the ‘Anonymous’ and ‘Facebook Hacker’ cases, Sandip has a wealth of knowledge of the Internet of Things and its potential threats.

Within this article for Counsel Magazine, Sandip goes into detail about Internet crime, explaining the relationship between cyber attacks and internet infrastructure. He shows which countries and sectors are affected, examines the UK’s own cyber security strategy, and then explains risk mitigation and how to protect against viruses and other malware.

The full article can be found in Counsel Magazine, May 2018.

“A Cyber Week in London” Part 2 By Jane Lo

“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease. Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.” – UK ICO’s Elizabeth Denham, 5th October 2016.

“The most significant risks to individuals’ personal info are now driven by the use of new technologies” – Elizabeth Denham at the Turing Institute as part of the Turing GDPR event.

Day 3 – 2nd May – Breaches and Threats

TalkTalk Data Breach

The highest profile ICO case is undoubtedly the £400,000 fine against TalkTalk, close to the maximum fine of £500,000 that the ICO is empowered to impose for contraventions of the Data Protection Act 1998.

TalkTalk’s failure to properly protect customer data from a cyber attack resulted in a breach of the personal data of 156,959 customers, including names, addresses, dates of birth, and in many cases bank account details and sort codes.

The ICO found that the attack could have been prevented if TalkTalk had taken basic steps: infrastructure scanning (which could have uncovered the vulnerable websites through which the attacker accessed a customer information database), patching out-of-date software (which would have fixed a bug that allowed the attacker to bypass access restrictions), and installing defences against SQL injection, the common hacking technique used to access the data.

Cyber Security is a Board Room Issue

“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.” – UK ICO’s Elizabeth Denham, 5th October 2016, on issuing the record £400,000 fine to TalkTalk.

Tone from the top, where the Board is highly engaged and understands what comprises the information “Crown Jewels”, is a foundational building block for effective cyber risk management.

Establishing clear authorities and responsibilities, demonstrating commitment to risk mitigation and fostering risk communication are some of the areas where industry best practice recommends Board oversight. TalkTalk’s data breach also emphasised that Board oversight of regular independent assessments is essential to identifying vulnerabilities and forming appropriate risk mitigation and incident response plans.

Simply: if it matters to the board and senior management, then it will matter to everyone else across the organisation.

All threats, all hazards

The ICO’s enforcement actions, following the Queen’s Speech to Parliament on the 21st June 2017, highlight that privacy intrusions and data breaches can arise not only from cyber security lapses, but also from the exploitation of standard operating procedures.

Reflecting these emerging security themes, focused conferences are hosted as part of the International Security Expo 2018. To find out more, at the invitation of the International Security Expo organiser (Peter Jones, CEO Nineteen Events), we spoke to Don Randall MBE, the Bank of England’s first ever CISO, about Cyber Security.

He emphasised that: ‘The key to successful prevention, detection and subsequent prosecution is to understand the motivation of the attacker. Primarily people commit crime for three reasons. One is they need to, they’re cash-strapped, poverty-ridden and in such a bad state that the only way to go forward is to cross the line and commit a crime. The others are greedy script kiddies who are in pursuit of peer recognition and want the power of a hacker, or those with an alternative motivation, the likes of terrorism.’

Addressing these motivations such as countering terrorism in the digital age increasingly forms part of the big data conversation – and how data is collected and used.

Don Randall (right), Bank of England’s first Chief Information Security Officer, presented with the Outstanding Security Performance Awards (OSPAs) Lifetime Achievement Award on 1st Mar 2018 at the Royal Lancaster London. Left: Rick Mountfield of SYInstitute, sponsor of the Lifetime Achievement Award, presenting the award to Don Randall.

Day 4 – 3rd May – Data Protection by Design, by Default

Previously known as ‘privacy by design,’ “Data Protection by design, by default” has always been part of data protection law. Under GDPR, it is now a legal requirement.

“Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects” – GDPR Article 25, Para 1, Data protection by design and by default.

It covers data protection and privacy up-front, and proactively anticipates potential privacy invasion events – that is, practicing end-to-end security in the design and architecture of IT systems and business practices: Protect, Detect, Know, Response, and Recovery.

And, by default, the design and architecture of IT systems and business practices should also automatically protect personal data to meet the principles of personal data processing. Recognising that 100% protection is neither practical nor effective, a risk-based approach is central to “Data Protection by design, by default”.

This means building data protection in accordance with the risk profile of the operation. One example of how GDPR views this is the requirements on ‘high-risk’ activities, such as Data Protection Impact Assessments (DPIAs).

From Left: Sandip Patel QC (OSP Cyber Academy Chief Legal Advisor), Ken McMillan (CEO Cap Badge Singapore), Peter Jones (CEO Nineteen Events International Security Expo 2018), Audrey Brown (M.D. Fuse Box), Admiral Lord West of Spithead GCB DSC PC (Chair and former UK Security Minister), Thomas McCarthy (Managing Director OSP Cyber Academy)

Day 5 – 4th May – What does it mean for Singapore?

Singapore’s Personal Data Protection Act 2012 (PDPA) came into force with the formation of the Personal Data Protection Commission.

As with the data protection acts in UK and EU, Singapore’s PDPA governs the collection, use, disclosure and care of personal data. It recognises both the rights of individuals to protect their personal data and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.

Enforcement actions have been taken against organisations as well as individuals for lax cyber security procedures, unauthorised access and failure to take reasonable security measures in document disposal. By regulating the flow of personal data among organisations, ultimately, the PDPA also aims to strengthen Singapore’s competitiveness and position.

Development of Singapore’s PDPA

The development of Singapore’s PDPA takes into account international best practices on data protection, as well as the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, and the APEC Privacy Framework.

Since the introduction of GDPR, three public consultations have been conducted to seek feedback. A recent proposed change relates to how organisations handle individuals’ NRIC numbers, and whether they collect the physical NRIC or a copy of it.

The NRIC (National Registration Identity Card) has been widely used in Singapore for a range of activities by consumers. The PDPC acknowledged that as “The NRIC number is a permanent and irreplaceable identifier of information relating to the individual, the indiscriminate collection and use of the numbers is of special concern as it increased the risk that the NRIC numbers may be obtained and used for illegal activities such as identity theft and fraud.”

The latest guidelines addressed this concern and proposed that organisations should not collect, use or disclose an individual’s NRIC number, except when it is required under the law or when it is necessary to verify the identity of the individual.

GDPR-ready for Singapore organisations

An organisation that does not have an establishment in the EU can still fall within the GDPR’s scope. Specifically, GDPR not only considers the location of the processing, but also the location of the individual whose data is being processed.

A Singapore e-commerce trader whose website is available in English and ships products to customers in the EU, is likely considered to be offering goods in the EU. A Singapore online behavioural advertising network or analytic company that processes personal data of say, a Singaporean living in EU to offer tailored promotions is considered monitoring data subjects in the EU.

In short, the territorial scope of GDPR means that a Singapore organisation that shares data or sells products and services within the EU, or processes the data of data subjects in the EU, will be subject to GDPR. Moreover, as GDPR requires EU data controllers to appoint only GDPR-compliant processors, any Singapore organisation that provides data processing services to data controllers within the EU will need to ensure it is GDPR-ready.

Wrap-up – Privacy and Innovation

Sheer processing power and ‘big data’ are accelerating technological capabilities. With high communication speeds and falling costs of data storage and processing, innovations in the areas of mass data collection, automatic processing and algorithmic programming give rise to fraud detection, behavioural analytics, ubiquitous surveillance and so on.

Leveraging technology for the legitimate interests and benefit of customers and businesses promotes economic growth. Confidence and trust in the technology to securely capture, store and use information is essential to achieving this aim.

GDPR focuses organisations towards achieving this aim. While there are certainly short to medium-term costs for organisations to achieve compliance, data protection should also be seen as an enabler of technological progress.

Elizabeth Denham summed this up at her keynote speech at the National Association of Data Protection and Freedom of Information Officers (NADPO) Annual Conference on 21st November 2016, “I wanted to make the point that I do not believe data protection law stands in the way of technological progress. The theme of my speech was privacy and innovation, not privacy or innovation.”

“A Cyber Week in London” Part 1, By Jane Lo

Just weeks ahead of the new European Data Protection law, which came into effect on 25th May 2018, Cambridge Analytica and its parent SCL Elections Ltd. filed applications to commence insolvency proceedings, following widespread media reports that it had harvested personal data about Facebook users as far back as 2014.

“The siege of media coverage has driven away virtually all of the Company’s customers and suppliers,” the firm said in the statement. “As a result, it has been determined that it is no longer viable to continue operating the business, which left Cambridge Analytica with no realistic alternative to placing the company into administration.”

Heavily embroiled in the scandal and determined to win back trust, Facebook said in full-page ads in European newspapers, “New EU legislation means more data protection for you.”

The new EU legislation is the General Data Protection Regulation, or GDPR in short. What is GDPR, why does Data Protection matter, and what are the implications for Singapore?

To answer these questions, we spent a week in London, speaking with Security Professionals with extensive experience in the European private and public sectors, and Cyber specialists from the OSP Cyber Academy.


Day 1 – 30th April – An Introduction to GDPR

What is Personal Data?

Data protection of personal data refers to the ability of a person to control, edit, manage and delete this information, and to decide how and to what extent such information is communicated to others. Common personal data such as race, age, gender come immediately to mind.

How did EU and UK Data Privacy and Protection laws come about?

“When we speak about social media, apps and the digital economy, it’s easy to forget the world that the UK’s current Data Protection Act was forged in. No Google. No Facebook. Clunky desktop computers with less processing power than we all have now in our pockets and purses.” – UK ICO (Information Commissioner’s Office) Elizabeth Denham.

With the appearance of mainframe computers which facilitated data banks in the 1960s, the collection and processing of personal data became widespread.

Elizabeth Denham, Commissioner UK ICO


Data protection principles were devised.

The German region of Hesse passed the first law in 1970; the US Fair Credit Reporting Act 1970 also contained some elements of data protection. In the UK, the Data Protection Act became law in 1984. Updated in 1998 to align with the EU 1995 Data Protection Directive, the new Act came into force on 1st March 2000.

How have they evolved since?

GDPR brings a 21st century approach with mandatory data breach reporting, higher standards of consent, and significantly larger fines (up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher).

Proposed in 2012, approved by the EU parliament in Apr 2016, it affects almost all organisations doing business in the EU. Effective from 25th May 2018, GDPR puts new obligations on companies and public bodies that collect data while giving consumers new rights over how their data is handled.

What does GDPR mean for UK businesses, after Brexit takes effect?

As the UK is not yet out of the EU on 25th May 2018, the legal reality, made explicitly clear by the UK Secretary of State, is that UK businesses, like businesses in any other EU Member State, will need to comply with GDPR.

The Queen’s Speech to parliament on 21st June 2017 confirmed the implementation of the EU GDPR into UK national law: “A new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online.”

This latest law, enshrining the GDPR and built on the UK Data Protection Act of 1998, was the UK Data Protection Bill. The text of the Bill received Royal Assent on 23rd May 2018 and is now an Act of Parliament (law).


Day 2 – 1st May – Demonstrating GDPR Compliance

“If it is not written down, it did not happen”. – Richard Preece, OSP Cyber Academy Chief Training Officer

What are the Key Principles underpinning the GDPR?

The European Court of Justice emphasised that even where there is a legitimate basis, processing must meet the principle of proportionality and be necessary to achieve the stated purpose.

These key principles of “legitimacy”, “proportionality” and “transparency” in the EU Data Protection Directive of 1995, are retained in the GDPR Article 5 – Principles relating to processing of personal data:

1. Lawfulness (Data must be processed lawfully, fairly and in a transparent manner);
2. Purpose limitation (Data must be collected for specified, explicit and legitimate purpose);
3. Data minimisation (Data should be limited to what is necessary);
4. Accuracy (Data should be accurate and up to date);
5. Storage limitation (Data should be kept for no longer than is necessary).

What Rights do Data Subjects have?

The right of individuals to access their data is already an important part of the existing EU data protection law. Examples are the Right to request rectification of inaccurate personal information; the Right to restrict the processing.

GDPR also introduces the Right to data portability, seen as an important tool to facilitate the exchange of information necessary in the digital era. This right to transfer personal data from one organisation to another, or to the data subject, in a structured, commonly used and machine-readable format also encourages healthy competition between EU data controllers.

Some other key changes?

Where individual EU members had the ability to set specific detailed regulations in the old regime, GDPR sets explicit rules. Old rules specified data requests to be handled “without excessive delay” – but GDPR sets a deadline of one month.

Another is where previous rules allowed countries to set maximum fees in responding to requests – but GDPR rules that information be provided free of charge unless requests are “manifestly unfounded or excessive”.

What are the financial penalties?

The headline-grabbing figure of €20 million, or 4% of worldwide annual revenue, for non-compliance has attracted much attention.

But the penalty to be handed down may be lower, depending on the nature of data breached, and “the degree of responsibility of the controller or processor having regard to technical and organisational measures implemented by them”.

What do all these mean in practice?

GDPR is principle-based to cater for the varying processing and technological approaches. Flexible though explicit, the interpretation depends on social and cultural attitudes to privacy. For example, “fair” in Germany may not be regarded as “fair” in Spain.

Differences in the resources and attitudes of national supervisors are likely to result in variations in enforcement.

“Implications of the GDPR and Data Protection Post 25 May 2018”

Former Chief Inspector with Police Scotland Irene Coyle, having retired after serving 30 years, has now joined OSP Cyber Academy as Training Director, and acts as the Data Protection Officer for OSP Group Ltd. Irene is a certified GCHQ-accredited Data Protection and GDPR practitioner and a registered DPO with the ICO, and now supports a wide range of clients with their training and outsourced Data Protection needs.

Irene was recently invited to be a Keynote Speaker at the “City of London Crime Prevention Association” Update on GDPR in Carpenter’s Hall, London. She gave a fantastic presentation to over 100 industry leaders and experts on the Implications of the GDPR and Data Protection Post 25th May 2018. Her findings are summarised below.

Irene Coyle, Training Director

GDPR is certainly leaving its mark on the Data Protection field. The legislation aims to tackle dangers to data security and to ensure companies are accountable to their customers.
Since 25th May 2018, there have been 500 breach-related reports to the ICO every week. The effects can be seen in a variety of industries, from Education and Health to Transport and Criminal Justice.

Here are just a few examples of companies that have been caught out already:

• Oaklands Assist UK Ltd fined £150,000 – thousands of nuisance direct marketing phone calls
• Bupa Insurance Services Limited fined £175,000 – failing to have effective security measures in place
• Equifax Ltd fined £500,000 – failing to protect personal information of up to 15 million UK citizens after cyber attack
• Everything DM Ltd fined £60,000 – sending 1.42 million emails without consent
• Gloucestershire Police fined £80,000 – revealing identities of abuse victims in bulk email
• Bayswater Medical Centre in London fined £35,000 – left highly sensitive medical information in an empty building
• University of Greenwich fined £120,000 – microsite compromised 20,000 staff & students’ personal data.

Some of the common themes that are causing concern for companies and their data breaches include marketing, not dealing with SARs, stolen information, and selling data on the dark web. Over 600 companies across the UK were surveyed about their GDPR compliance. The following facts make for interesting reading:

• 20% of the companies believed themselves to be GDPR compliant
• 53% in the implementation phase
• 27% have not yet started
• GDPR implementation under way or completed increased from 37% to 73% in the UK
• 74% of respondents expect to be compliant by the end of 2018 and 93% by the end of 2019.

Looking at some statistics 100 days post GDPR, more than 56% of companies admitted they have not audited their compliance with GDPR. More than 51% of organisations have not documented their technical and organisational security measures on how they are processing personal data.

Looking forward, Data Protection should encourage innovation & continuous improvement – whilst Data Protection & Cyber Security should not be perceived as a cost overhead. It should be a driver to do things better and to do better things.
Privacy by design and by default is now a legal requirement and is about considering privacy issues upfront in everything you do. Having the right mindset towards Data Protection helps future-proof a business. You should look to communicate this to your consumers, so that they know your company is building privacy by design into its products and services, third party arrangements and future use of data.

As Irene says herself…

“Education, Awareness and Training of staff is key to the success of your business and in protecting the privacy and rights of individuals, including your staff. It is easy to forget that we are all human and just trying to do our job, but mitigate risk of the data breaches – that we can see here are still occurring – by making your staff fully aware of Data Protection and GDPR.”

“The Network Information Security Directive and the General Data Protection Regulation”

The OIL & GAS Sector must be prepared for “The Network Information Security Directive and the General Data Protection Regulation”


Oil & Gas Vision spoke exclusively to the Aberdeen security training company OSP Cyber Academy and its Chief Training Officer, Richard Preece. Here is what Richard had to share with our readers.


May 2018 will see the coming into effect of not one, but two, potentially far-reaching pieces of new legislation: the Network Information Security Directive (NISD) on the 10th May and the General Data Protection Regulation (GDPR) on the 25th May. Wait, you may say, this is EU legislation and Brexit means Brexit, surely they won’t apply in the UK!

However, the reality is that the British Government is not only bringing NISD and GDPR into British law but is adding further penalties on top. These include new corporate and individual criminal offences in the Data Protection Bill, which will incorporate the GDPR into British law and replace the current Data Protection Act 1998 (DPA 98). Meanwhile, the current Government consultation on the proposed Security of Network Information Systems regulations introduces similar provisions for administrative fines of up to £18m or 4% of global revenue, whichever is higher, for Operators of Essential Services (OES). Why is this happening, and what does it all mean?

We are now in what has sometimes been described as a new Digital Age: increasingly hyper-connected, complex, dynamic and uncertain. This creates new opportunities for growth and innovation, but it also creates new vulnerabilities while exacerbating risks that were often known but never fully addressed. The potential impacts of these on individuals, organisations, the economy and society are not always simple to understand, so the risks have not always been effectively managed. The trend is clear: more digitisation for greater growth and prosperity, but with it greater, and often new, risks. This has driven the flurry of new legislation in the UK, the EU and elsewhere in the world, including the United States. NISD and GDPR are an indication of more to come, not the limit of the legislative environment.

So it is time for companies to start approaching this at Board level and integrating cyber resilience and data protection into their core strategy and business as usual. What can, and in fact must, they do? Both NISD and GDPR introduce the concept of Security by Design (Security of Network Information Systems Consultation Paper) and Data Protection by Design and by Default (GDPR, Article 25). Both effectively work on the same approach, although NISD is focused on protecting OES, whilst GDPR is focused on protecting data subjects (all of us) and their privacy rights and freedoms.

Practically, that means designing from the outset to prevent vulnerabilities (people-, process- and technology-based) from occurring; ensuring that, in the high likelihood that vulnerabilities do occur, they are identified, mitigated and controlled; and ensuring that if protection fails, whether through a malicious cyber actor's actions or a non-malicious failure, the capability is in place to detect, respond and recover, and so mitigate the consequences. For those in the Oil and Gas sector who are classed as OES, it means that cyber-security incidents will have to be reported as a matter of routine to the Department for Business, Energy and Industrial Strategy (BEIS) as the nominated competent authority. If a personal data breach is involved, the Information Commissioner's Office (ICO) and potentially the individual data subjects will also have to be informed: under GDPR Article 33 the ICO must be notified within 72 hours of the organisation becoming aware of the breach unless it is unlikely to result in a risk to individuals, and under Article 34 the affected data subjects must be told without undue delay where the breach is likely to result in a high risk to them. Inevitably, that will almost certainly lead to investigations and additional liaison with the National Cyber Security Centre (NCSC) and the appropriate law enforcement agencies. Having a tried and tested plan, with appropriately trained people, is now not just a nice-to-have but an explicit requirement of both NISD and GDPR.

OSP Cyber Academy has recognised the increased business challenge this has created, and has designed and developed GCHQ Certified Training (GCT) Scheme Awareness and Practitioner Courses for GDPR Data Protection; it can also provide bespoke NISD and GDPR courses and scenario workshops to help organisations prepare for the future. Given all of the Cyber Security and Data Protection issues now at stake, it was a natural choice for OSP Cyber Academy to join forces with Restrata and use their purpose-built Incident Management Centre, which now supports every aspect of training and support for the Oil & Gas Sector. Richard Preece, Chief Training Officer at OSP Cyber Academy, recently said: “the Restrata facility is the perfect centre for every aspect of Incident response, both for the Oil & Gas Sector and Cyber Resilience Industry, both of which work hand in hand”. We look forward to continuing to deliver our comprehensive GDPR and Cyber Resilience training exclusively with Restrata here in Aberdeen. Richard has been very busy supporting the Scottish business community and the oil & gas sector, delivering keynote presentations at GDPR Summit Aberdeen and at Security In Energy, ADIPEC, where many UK and Aberdeen companies now support the growing demand for expertise in every sector of the Energy Industry.