A presentation specifically designed for non-technical decision makers who would like to understand Cyber Security and GDPR better, and how to protect their businesses.
Marel Q1 2024 Investor Presentation from May 8, 2024
Cyber Security and GDPR Made Easy
1. Hi. I’m Christoan Smit and I hope this
presentation will help you form a deeper
understanding of Cyber Security, GDPR and
how these two concepts interlock, and how
Cloud services can help your business.
Enjoy the presentation!
2. This is an Information Session
…not a sales pitch
4. Legal Disclaimer
Although the author and publisher have made every effort to ensure that the
information in this presentation was correct at time of creation, the author
and publisher do not assume and hereby disclaim any liability to any party
for any loss, damage, or disruption caused by errors or omissions, whether
such errors or omissions result from negligence, accident, or any other
cause.
Venom IT is not a law firm and does not provide legal services. Watching this
presentation and/or downloading the accompanying booklets does not
create an attorney-client relationship, nor does any of what follows
constitute legal advice.
Images used under license from Shutterstock.com
7. The GDPR
– not such a bad thing
Think of it as Health and Safety for computers
8. The GDPR
– why you should definitely pay attention
Fines of up to £17 million, or 4% of turnover, whichever is
greater. No matter who you are, that will hurt.
Jail time for certain infringements.
Cease order or sanctions on your business
Adopted by the ICO and incorporated in UK law.
9. The GDPR
– why you should definitely pay attention
These new regulations govern things like:
• Types of data you store or process
• The manner of processing
• Consent
• Protecting your data subjects (security)
• The handling of data breaches
• Proof of compliance
10. A Solution to the Problem…
Regulation 18 of the GDPR states, in part:
“….when entrusting a processor
[subcontractor] with processing activities,
the …adherence of the processor to an
approved code of conduct or an approved
certification mechanism may be used as an
element to demonstrate compliance with
the obligations of the controller [you].”
In other words, the certificates and/or approved
codes of conduct of the data sub-contractor can be
used by you as proof (or part of your proof) of your
own GDPR compliance.
12. Do you process or store any of the following?
…if yes, then Yes to the previous question.
• Names of people
• Private telephone numbers
• Residential addresses
• Banking details
• Identity documents
• Any other details that can be used to identify a person
• Medical, genetic, race, gender data
13. The Main Aspects of the GDPR
- you need the whole L.O.T.
• Legal – wording of privacy notices, forms etc.
• Organisational – staff education, reporting mechanisms etc.
• Technical – Cyber Security & IT systems
14. A Solution to the Problem…
Legal
Getting in touch with a specialist law firm that deals with
GDPR.
Organisational
Getting in touch with a cyber-security specialist who can
analyse your business and make recommendations.
Getting ISO9001 certified.
Technical
Getting in touch with a specialist Cloud provider who
themselves meet all the criteria – not all clouds were created
equal. Look for ISO9001, ISO27001 and ISO27017.
Getting Cyber Essentials and/or ISO27001 certified.
17. Confidentiality
Who needs to have access? More importantly, who does not need access and are they
excluded?
Integrity
Is the data whole and correct? How easy will it be for someone to accidentally change or
erase the data? Are the systems we use sufficient to ensure that the data remains
uncorrupted when stored?
Availability and Accessibility
There’s no point in putting security measures in place that are so strict that the data
becomes practically inaccessible.
How easy will it be for rightful users to access the data they need?
CIA – Confidentiality, Integrity, Availability
18. A Solution to the Problem…
Confidentiality
You need to decide this for each person in your organisation. A
common mistake in larger organisations is a shared company
drive that doesn’t have correctly-assigned user permissions.
Integrity
Cloud-based storage offers the highest level of integrity
available to mankind. For example, we use triple back-up
systems, with auto failover.
Availability
Cloud-hosted virtual desktops can be accessed from anywhere
in the world where there is an internet connection,
temporarily turning almost any device (even an old P.o.J.) into
a state-of-the-art machine with all your data and apps on
installed on it.
20. Backups
How regularly do you back up?
How secure are those stored copies?
Should you use incremental or complete backups?
21. Backups
How regularly do you back up?
How secure are those stored copies?
Should you use incremental or complete backups?
Using automated backup tools takes the guesswork out of it.
You should at least have dual backups in place.
Automated backup solutions can manage the full and incremental
backups for you.
22. A Solution to the Problem…
Cloud hosting can also be used for
backups – and it’s more secure than
backing up to a little portable drive or
your own network server, because of
better failover and higher encryption.
24. Hardware and Software Firewalls
Do you have a hardware firewall? (It’s a device)
Does each computer on your network have a software firewall?
Are all the firewalls up-to-date, with the most recent security
patches installed? (Physical firewalls also have software called
‘firmware’ that needs regular updating)
25. A Solution to the Problem…
• You should have a physical firewall
between your office network and the
great big jungle that is the Internet.
• Each machine should have a software
firewall.
• Cloud servers take care of their own
firewalling - all you need to do is
connect.
27. Antivirus Software
There is quite a variety of ‘cyber vermin’ that could infect your
computer – worms, RATs, viruses, Trojan horses and spyware, to
name but a few
• Does each machine on your network have anti-virus software
installed?
• This includes Mac machines. Although more of a prank than a malicious tool,
Elk Cloner is generally accepted as one of the very first computer viruses
(1982) and it specifically targeted Apple Mac 3.3 machines. Mac users often
get lulled into a false sense of security by the erroneous urban legend: “Apple
Macs can’t get viruses.”
Is all the anti-virus software on each machine on your network up-to-
date? What about the mobile devices used by reps and consultants?
28. A Solution to the Problem…
• Cloud-hosted virtual desktops run in a
highly secure environment where the
risk of viral infection is extremely low.
• The cloud servers themselves utilise
highly advanced anti-malware
systems.
30. Updates and Security Patches
Are all the machines on your network up-to-date?
Do you have any software anywhere on any machine that is no
longer supported by the vendor because it so old?
Do you have any machines that use operating systems that are more
than 10 years old, such as Windows 7, Vista, XP, 98 or (heaven forbid)
Windows 3.1? Or Mac OS Tiger, Panther, Jaguar, Puma, Cheetah,
Kodiak or older?
31. A Solution to the Problem…
• Purchasing new machines and new
operating systems is costly.
• Some Cloud providers can provide
virtual desktops that are automatically
updated with the latest patches or
even free Windows upgrades.
• Unlike physical machines, cloud-
hosted virtual desktops never get old
– the servers on which they ‘live’ are
constantly updated and upgraded.
33. Eliminating unnecessary Software, Apps and
Services
What is your company policy on installing apps? Do you allow staff to
install apps as they wish?
Does each machine have the absolute minimum of apps it needs for
each individual to still be able to perform their work?
Is each app on each machine a trusted app from a trusted vendor?
34. Eliminating unnecessary Software, Apps and
Services
What is your company policy on installing apps? Do you allow staff to
install apps as they wish?
Does each machine have the absolute minimum of apps it needs for
each individual to still be able to perform their work?
Is each app on each machine a trusted app from a trusted vendor?
You should only allow your IT department to install apps.
Keep the number of installed apps to a bare minimum.
Beware of fake apps. Sometimes trusted apps get repackaged (legally
or illegally) and resold by less-than-trustworthy vendors.
35. A Solution to the Problem…
• Cloud-hosted virtual desktops are
usually provisioned with only the
necessary programs and apps.
• For security reasons, users are limited
to what they can install on their virtual
desktops.
37. Physical Security
Is your server securely locked? Bolted down?
Are all the USB ports on all machines disabled where necessary?
Do you use cables or Wi-Fi?
How many people have your Wi-Fi password?
Do you leave devices lying around, unprotected?
38. Physical Security
Is your server securely locked? Bolted down?
Are all the USB ports on all machines disabled where necessary?
Do you use cables or Wi-Fi?
How many people have your Wi-Fi password?
Do you leave devices lying around, unprotected?
Pay attention to your physical security. Entire server cabinets have been stolen in an attempt to get at the data inside.
Persons with ill intent should not be able to simply walk up to a computer, plug in a thumb drive and upload malware or
download your data. USB drives should be enabled only for those who really need them in order to do their work.
Cable networks are more secure, and Wi-Fi should be on a separately-firewalled network.
Yu should have two Wi-Fi networks – one exclusively for staff, and one for guests.
Keep devices out of sight when transporting them, and use privacy screen protectors to make it difficult for others to see what
you’re typing when e.g. sitting on a train or in a hotel lounge.
39. A Solution to the Problem…
• Switching to cloud-based computing
immediately negates a whole number
of issues with physical security.
• Cloud-hosted servers can’t be spirited
away and hacked later on.
• Cloud-hosted desktops can’t be stolen
along with all your data on it.
41. Password Security
Passwords are the most common weak link in the cyber-security chain. Good
password policy can be summed up as follows:
Minimum 10-character length
A mix of UPPERCASE, lowercase, numbers (0-9) and $peci@£ characters
Avoid complete words or commonly used themes and ideas for passwords
like film titles, children’s or pet names, birthdays and anniversaries etc.
Very forgetful users might need to write down their passwords, especially
right in the beginning, but should only do so in a very secure place – not
under the keyboard, under the mouse or behind the screen
Use pass phrases rather than passwords
42. Password Security
Does each user on your network know and apply good password
policy?
Do you have a recovery system in place in case someone forgets their
password?
Do you use 2-step authentication wherever possible? Your main
email account from which all resets are done, should definitely have
2-step verification.
43. A Solution to the Problem…
• Teach your staff (and yourself!) good
password security.
• Get a ‘white’ hacker to test your
systems
45. Off-site Work and Working from Home
Can you and your employees securely login to your network from
remote locations, without compromising the security of your entire
network?
Are the intra-company emails you send secured? Or can your
competitors easily intercept them and see what you’re doing?
46. A Solution to the Problem…
• The only truly practical solution, when
looked at from a convenience,
connectivity and security point of
view, is using cloud-based desktops to
connect to work.
48. Educating your Staff
Create an organisational culture of security awareness
Teach your staff these basic principles you are learning here today
Get each member of staff to buy in and take personal responsibility
for the computer security
Educate and train your staff to identify spoofs, phishing scams, social
engineering scams, CEO scams and the like
Just like doing fire drills, have the staff been trained on exactly what
to do when a cyber threat or attack is identified?
49. Educating your Staff
From the Ipsos MORI Cyber 2017 Security Breaches Survey:
• By far the most common type of breach experienced is staff receiving
fraudulent emails (72%).
• The four most common types of breach can be linked to human
factors, such as unwittingly clicking on a malicious link or succumbing
to impersonation.
50. A Solution to the Problem…
• Arrange training sessions for your staff.
• Arrange for a security company to run
practical assessments, such as sending
spoof emails and seeing who opens
and clicks on the links, to test your
staff’s understanding of cyber security.
53. A Solution to the Problem…
• Educate your staff
• Use cloud-based email hosting. With
superior spam and scam detection,
cloud-based email hosting provides
better security.
55. Recap:
• Physical Security
• Password Security
• Off-site Work & Working from
Home
• Educating your Staff
• Perimeter Defense and Safe
Zone
• Saving the Situation
• Common Cyber Attacks
• The GDPR
• CIA – Confidentiality, Integrity,
Availability
• Backups
• Physical and Software Firewalls
• Antivirus Software
• Patch Management
• Access Control
• Eliminating unnecessary
Software, Apps and Services
56. • Venom IT is a trusted Microsoft Silver Partner
• Our offices are Cyber Essentials, ISO 9001, ISO 27001 and ISO 27017
accredited
• ISO 27001 Data Centres
57. If you need help with:
• GDPR compliance
• Network Security
• Managed Support
• Cloud solutions (backup, virtual machines etc)
58. Venom IT offers various off-the-shelf and bespoke business solutions, such as:
• Complete cloud-based virtual office solutions
• Industry-specific packages such as Accounting, Architecture, Dentistry, Medical Supply, Optometry
Recruitment and many more...
• Cloud storage and automated backups
• VOIP Phone and Skype for Business
• App hosting
• Assistance with GDPR compliance
• Staff Training
Phone or email us now for an obligation-free quote.
