UK government wants EU to acquiesce to its data safeguards even as Brexit looms

This government white paper is aiming to convince the European Union that it is mutually beneficial to agree on the UK’s data protection proposals.

A special agreement on personal data sharing and protection has been proposed by the UK government, claiming that it is in the best interests of the EU member states to agree to it.

The government’s approach to Brexit has been outlined in this latest white paper and has caused quite a stir in the House of Commons.

Both the foreign secretary Boris Johnson and Brexit secretary David Davis resigned over the white paper calling it a “soft” version of Brexit.

Prime Minister Theresa May has stressed that the white paper containing the terms of Brexit is equally beneficial to the UK and the EU.

“The proposal set out in this White Paper would honour the result of the referendum. It would deliver a principled and practical Brexit that is in our national interest, and the UK’s and the EU’s mutual interest,” she wrote.

The recently released document asks the EU to maintain cooperation on data protection by continuing to exchange and protect personal data.

The paper states that the UK is a “global leader in strong data protection standards and that as a member of the EU, the UK worked closely with other member states and institutions to develop robust protections for personal data, ensuring businesses and law enforcement agencies can share data safely and smoothly.”

The paper states that the government wants to go further on stability, transparency and regulatory cooperation than the EU’s adequacy framework allows, but called that framework “the right starting point”.

The white paper says the Data Protection Act 2018 shows the UK keeps up with the EU’s legislation including the recent General Data Protection Regulation. It goes on to state that the free flow of data between the two authorities can be achieved as the UK is ready to begin preliminary discussions.

Trying to ram the point home, the Information Commissioner’s Office is cited as further evidence the proposal is beneficial to the EU: “The ICO is an internationally respected, influential and well-resourced regulator in this regard. As a result, the future UK-EU arrangements for data protection should provide for ongoing cooperation between the ICO and EU data protection authorities.”

Michel Barnier, the EU’s chief negotiator, said when he previously spoke on the subject of an agreement between the UK and EU that the UK would be considered a third party.

“It is the United Kingdom that is leaving the European Union. It cannot, on leaving, ask us to change who we are and how we work,” said Barnier, adding: “The United Kingdom wants to leave. That is its decision. Not ours. And that has consequences.”

IT Decision-Makers Increasingly Opt For Cloud-Native Architectures

A recently published survey from Cloud Foundry discovered that although the IT industry is more multi-platform than ever the foundations are cloud-native.

1 in 4 of the IT decision-makers from the survey stated that they are currently building cloud-native applications or are looking into doing so in the future. More than 25% of respondents to the Cloud Foundry survey said evaluation would occur within the next 12 months.

The Global Perception study revealed that, out of 601 IT decision-makers, only 13% were refactoring existing applications; this was the case in China, Europe and the US.

The most popular option for organisations was to find a tailor-made solution that mixes both new cloud-native applications and refactored existing applications, allowing even their most complex needs to be met.

A quarter of IT decision-makers have planned to do an evaluation of containers within the next year and just under 30% are already using or plan to use containers.

23% of the IT decision-makers currently utilise or are evaluating continuous integration and continuous development (CI/CD) practices. Another 32% plan to evaluate these within the next 12 months.
32% are currently running DevOps or are looking into implementing it, which shows the growing acceptance of the practice.

The real potential of the cloud is clear from the 62% of companies who say that using platform as a service (PaaS) has saved them more than £100,000.

Commenting on the findings, Abby Kearns, executive director at the Cloud Foundry Foundation, said: “As IT decision-makers settle into their cloud journey, they are more broadly deploying a combination of available platforms, including PaaS, containers and serverless.”

The Cloud Foundry survey highlights the rise in companies creating new cloud-native applications while at the same time more organisations than ever before are using PaaS.

“In this multi-platform world, it should come as no surprise that, as they become more comfortable with these tools, IT decision-makers are searching for a suite of technologies to work together,” said Kearns. “They want technologies that integrate with their current solutions in order to address their needs today, but are flexible enough to address their needs in the future.”

UK CEOs Believe Cyber-Attacks Are Inevitable

The new survey by KPMG discovered that 40% of UK business leaders believed that they would become the target of cyber-criminals.

4 in 10 CEOs now have the mindset that a cyber-attack is inevitable, a shift that has only grown in the last few years.

KPMG surveyed 150 CEOs in the UK and 1,150 from around the world about their investment plans for the future and the most complex issues facing the organisations they run.

Of the UK CEOs in the survey, 39% held the strong belief that they would experience a cyber-attack; outside the UK this figure was almost 50%.

The vice chair at KPMG, Bernard Brown, said that the results from the survey reinforce how important cybersecurity has become to businesses.

“The seeming inevitability of a cyber-attack crosses all borders and has now crossed firmly over the threshold for the board-level discussions,” he said.

“Protecting the business from a cyber-attack has jumped further up the boardroom agenda and we are seeing businesses making their defences the best they can be.”

Of the UK CEOs included in the survey, 74% agreed that a cyber-security strategy is extremely important to gaining the support and trust of stakeholders; this drops to 55% when we look at the opinion of global CEOs.

The report has highlighted the cyber awareness of CEOs within UK companies, and with 39% of respondents stating they believe their organisation is “very well” or “well” prepared for a future cyber-attack, the shift is obvious.

Cybersecurity specialists and data scientists are seen as an effective part of the business by 45% and 62% of UK CEOs respectively.

“It’s encouraging to see that CEOs are developing a more mature understanding of what cyber security actually means. They are beginning to ask more awkward and searching questions of their IT teams. What are the challenges that face us specifically, what risks are we carrying, what do we need to be resilient to a cyber-attack?” Brown added.

“Organisations are spending more time planning for worst case scenarios, running simulations and thinking in detail about how they would deal with the uncertainties that arise during a cyber-breach.”

GDPR and Backup: A Potential Minefield Easily Avoided

In their current format it will be impossible for backups and snapshots to comply with the right to be forgotten within GDPR; however, systems can be built with compliance in mind.

The right to erasure will also apply to all backups, which in turn would make it impossible to comply with the General Data Protection Regulation (GDPR) as searching for personal data in a backup is very impractical.

According to Andy Barratt, the UK MD of security consultancy Coalfire, we can assume that GDPR will only apply to data within the production system and that backups will be exempt.

There are a number of reasons why problems could occur with data that is held in backups and snapshots when there is a requirement to update, rectify or remove data to stay compliant with GDPR.

Data within a backup is not usually stored in its original application format; most often it is held in a proprietary format. The backup software can also affect the ease with which data can be searched, with some systems not allowing searching at all.

In the case of snapshots and incremental backups, data is stored in a completely fragmented form. “Backups are often point-in-time copies kept in an archive, off production systems,” said Barratt.

“For example, snapshots may comprise numerous deltas of previous copies that contain an entire chain of information about a person. So, they might provide different data depending on what you choose to restore.”

Technically speaking, data backups will contain data which is difficult to find and process with respect to the General Data Protection Regulation; however, this will only be a problem if that data moves back into the production systems.

“It is important not to overthink things from the technology point of view,” he said. “To maintain the data an organisation has is in its legitimate interest and the data might only have to pass through the production systems to come under GDPR.”

“So, if we do a restore and the data subject has requested it be erased or corrected, then any relevant data in that restored backup should be dealt with as requested,” he said.

The most important aspect is to ensure production data sets are fully compliant. A good method of doing this would be to store GDPR requests and for these to be applied to the data before it moves over to production applications.

Barratt did recommend privacy-by-design as a solid solution: “We’re now seeing developers building GDPR application program interfaces that can process data requests as the data hits the application,” he said. “In the interim, what’s needed is to manage these requests so we know if data hits production and that it can be dealt with as required.”

“More widely, policies are required around the length of retention and erased when necessary,” said Barratt.
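The approach Barratt describes, keeping a record of erasure and rectification requests and applying it to restored data before that data reaches production, can be scripted. The following is an added example written for this page; it is not code from the article or from Coalfire. The CSV layout, the column names, the request types (`erase`, `rectify`) and the sample records are all assumptions constructed for the example.

```powershell
# Added example (not from the article or from Coalfire): replay a ledger of
# GDPR data-subject requests against a restored backup export before it is
# promoted to production. File names, columns and the sample data are
# assumptions constructed for the example.

# Constructed sample: a CSV export restored from a backup taken before the
# requests below were received.
$restored = @'
customer_id,email,name,postcode
1001,alice@example.com,Alice Smith,AB1 2CD
1002,bob@example.com,Bob Jones,EF3 4GH
1003,carol@example.com,Carol White,IJ5 6KL
'@ | ConvertFrom-Csv

# Constructed sample: the request ledger kept alongside production. Every
# erasure or rectification request is logged here when it is actioned, so it
# can be re-applied to anything restored later.
$ledger = @'
received,customer_id,request,field,new_value
2018-06-01,1002,erase,,
2018-06-03,1003,rectify,postcode,MN7 8OP
'@ | ConvertFrom-Csv

function Invoke-GdprLedger {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [Parameter(Mandatory)] [object[]] $Ledger
    )
    # Index the restored records by customer_id so each request is applied
    # in constant time and replaying the ledger twice is harmless.
    $index = @{}
    foreach ($r in $Records) { $index[$r.customer_id] = $r }

    # Apply requests in the order they were received, so a rectification
    # followed by an erasure ends with the record gone, not resurrected.
    foreach ($req in ($Ledger | Sort-Object received)) {
        $id = $req.customer_id
        if (-not $index.ContainsKey($id)) { continue }   # subject not in this backup
        switch ($req.request) {
            'erase'   { $index.Remove($id) }
            'rectify' { $index[$id].($req.field) = $req.new_value }
            default   { Write-Warning "Unknown request type '$($req.request)' for subject $id" }
        }
    }
    return $index.Values
}

$ready = Invoke-GdprLedger -Records $restored -Ledger $ledger

# Only the replayed data set is promoted; the raw restore never reaches production.
$ready | Export-Csv -Path .\restored-for-production.csv -NoTypeInformation
$ready | Format-Table
```

Run as written, the output contains Alice unchanged, Carol with the corrected postcode, and no record for Bob. The ledger is the important part: it is small, it lives with production rather than inside the backup, and it is the only thing that needs to be searchable for the restore to be handled as Barratt describes.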

STATEMENT REGARDING “SPECTRE” AND “MELTDOWN” VULNERABILITIES

On 3/1/2018 (last week) news broke in the media of two security vulnerabilities which will impact almost every computing device in active use today. Named “Spectre” and “Meltdown”, the vulnerabilities arise because of design flaws in CPUs from Intel, AMD, Qualcomm and ARM which have existed for decades – and they’re important because they allow access to information in memory that should be out of reach, whether that’s passwords, keys or other data.

The vulnerabilities themselves were discovered last summer, but were kept under wraps while the vendors concerned worked on a solution. It was believed that no one was actively exploiting them, but early last week sample code emerged on the Internet, which increased the risk of continued non-disclosure to a level that couldn’t be justified, and the issues became public knowledge.

As the root cause of both flaws is hardware design, it’s quite possible that the true solution for them will end up requiring new CPU hardware – but that’s a long, far-reaching change to achieve (think new computers/servers/devices), and a faster remedy is essential. In response, key vendors such as Microsoft, Apple & Google have worked to provide software patches in order to mitigate the exploits on their platforms (where they can), and other software vendors (whether operating system or application/browser vendors) are coming forward with patches for their products.

The result is a patchwork of approaches which is only now emerging. And because the focus of those patches is to mitigate a low-level hardware problem, issues with performance (described as anything from ‘negligible’ to ‘30%’ overhead) and compatibility are also beginning to emerge.

Whilst the industry’s response to these vulnerabilities is robust, it’s not yet coherent – it’s going to be a difficult few weeks while these issues are ironed out.

To get you started, here is some additional information along with guidance from the key vendors you’re likely already working with:-

The Exploits

Meltdown – (CVE-2017-5754 – rogue data cache load) – this is an exploit specific to Intel CPUs going back to 2011 (and possibly to 1995) which allows user applications to reach into kernel memory (or ‘protected’ memory, a design feature which is relied on for data security and system stability) and collect information to which those applications have no right.

It’s relatively straightforward to exploit and sample exploit code is (as of 4/1/18) available on the web. However, it’s reported that an attacker must have local access to the machine in order to use the exploit.

Spectre – (CVE-2017-5753 – bounds check bypass, CVE-2017-5715 – branch target injection) – these exploits are so named because they rely on a CPU performance feature called ‘speculative execution’, which can be abused to read arbitrary data from virtual memory that should be out of reach: memory on the far side of a security boundary, in other apps, the kernel or an underlying hypervisor.

Spectre can be exploited by visiting a website which includes malicious code; however, it’s a vulnerability that’s described as much harder to exploit (and also much harder to patch/resolve).

It applies to Intel, AMD, Qualcomm and ARM CPUs going back up to 20 years – effectively every computing device on the planet (including smartphones) is vulnerable.

Vendor Guidance

Meltdown:

Microsoft have provided patches for many (but not all) of their operating system platforms – but note that the automatic update won’t be installed unless you (or your antivirus product) create a ‘compatibility flag’ in the registry on each device.
Windows Client:
o Windows 10 released (4/1/18) for RTM, 1511, 1607, 1703, 1709, requires “compatible antivirus” and registry key change to enable automatic update
o Windows 8.1
o Windows 7 SP1
NOTE: There are some indications that patching devices with an AMD Athlon X2 CPU (end-of-life in 2008) is failing and rendering those devices unusable
Windows Server:
o Windows Server 2016 released (1607, 1709 (core))
o Windows 2012 R2 – released
o Windows 2012 – not yet available
o Windows 2008 R2 – released
o Windows 2008 – not yet available
NOTE: A list of compatible antivirus is available in a community managed list here (Trend is compatible but requires a manual registry key for auto update)
Further information from Microsoft is available here

Apple released patches for their affected product ranges during December, so customers should be covered by keeping up to date.
Apple Devices: All devices except Apple Watch are vulnerable (specifically Mac and iOS)
o iOS: patch included in v11.2
o macOS: patch included in v10.13.2
o tvOS: patch included in v11.2
Apple suggest only downloading apps from trusted sources such as the App Store.

Google have confirmed that they have released patches; access to them will depend on whether you have a Google-branded device (i.e. Nexus, Pixel) or one from a partner using Google’s operating systems.
• Android: Patches released 5/1/2018 for ARM. Google-supported Android devices should be set to accept the monthly update for January 2018 to benefit; partner-supported devices are subject to the partner’s own scheduling
• ChromeOS: Upgrade to v63 when available

Linux
• Redhat – patches available, described here, customers encouraged to upgrade to latest kernel
• SUSE – patches available, described here
• Ubuntu – patches available 9/1/2018, described here

App-Specific patching:
• Chrome – Google suggest enabling site isolation to improve security, patch due on 23/01/18 (v63)
• SQL Server – guidance provided here

Public Cloud:
• AWS: Patch rollout on EC2 was already in progress when news broke, believed to have completed on 4/1/18. Customers directed now to patch their EC2 instances.
• Azure: Patch rollout was already in progress, now accelerating. Customer VMs are now being forced into automatic reboots with effect from 3/1/18. Microsoft say the performance impact of the patch should not be ‘noticeable’, however it is present. Further information here
• Google Cloud Platform: patched, declared secure

Spectre:

As mentioned above, patching for Spectre is more difficult – this is borne out by the limited range of patches available. However, it’s also more difficult to ‘productively’ exploit Spectre, so you may accept that the resultant risk is lower.

• Windows Client: not yet available
• Windows Server: not yet available
• Apple Devices: not yet available
• Android: not yet available
• ChromeOS: not yet available
• Redhat: not yet available
• VMware: patch information available
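For the Windows devices in the Meltdown and Spectre lists above, two things are worth verifying on each machine: that the registry ‘compatibility flag’ Windows Update looks for is actually present (otherwise the January 2018 update is silently withheld), and, once patched, whether the operating-system mitigations are in effect. The script below is an added example written for this page, not code from the article or from Microsoft. It assumes Windows PowerShell 5.x on an elevated prompt with access to the PowerShell Gallery. The registry path and GUID-named value are Microsoft’s documented compatibility flag, and the `SpeculationControl` module with its `Get-SpeculationControlSettings` cmdlet is Microsoft’s published checker; the wrapper function names are this example’s own.

```powershell
# Added example (not from the article or from Microsoft): check whether a
# Windows device is ready to receive, and has applied, the January 2018
# Meltdown/Spectre updates. Assumes Windows PowerShell 5.x, an elevated
# prompt and access to the PowerShell Gallery.

# The 'compatibility flag' the update requires: a REG_DWORD named after a
# fixed GUID under QualityCompat, set to 0 by a compatible antivirus product
# (or by hand, after the vendor has confirmed compatibility).
$compatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-0d2c-4d84-a5ed-9d3aa4c0cd7c'

function Test-QualityCompatFlag {
    $value = Get-ItemProperty -Path $compatKey -Name $compatName -ErrorAction SilentlyContinue
    if ($null -eq $value) {
        Write-Warning 'QualityCompat flag missing: Windows Update will withhold the January 2018 security update.'
        return $false
    }
    if ($value.$compatName -ne 0) {
        Write-Warning "QualityCompat flag present but set to $($value.$compatName); expected 0."
        return $false
    }
    Write-Host 'QualityCompat flag present and set to 0.'
    return $true
}

function Set-QualityCompatFlag {
    # Only call this after your antivirus vendor has confirmed compatibility;
    # the flag is that vendor's declaration, and setting it with an
    # incompatible product installed is what produces the reported crashes.
    if (-not (Test-Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }
    New-ItemProperty -Path $compatKey -Name $compatName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-MeltdownSpectreStatus {
    # Microsoft's SpeculationControl module reports whether the OS mitigations
    # are present and enabled, and whether a firmware (microcode) update is
    # still needed for the Spectre variant 2 (branch target injection) fix.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    $s = Get-SpeculationControlSettings
    [pscustomobject]@{
        # Meltdown (CVE-2017-5754): kernel VA shadowing enabled, or not needed on this CPU
        MeltdownMitigated  = $s.KVAShadowWindowsSupportEnabled -or (-not $s.KVAShadowRequired)
        # Spectre variant 2 (CVE-2017-5715): OS support enabled
        SpectreV2Mitigated = $s.BTIWindowsSupportEnabled
        # OS support cannot enable itself without the CPU/firmware feature
        FirmwareNeeded     = -not $s.BTIHardwarePresent
    }
}

Test-QualityCompatFlag | Out-Null
Get-MeltdownSpectreStatus | Format-List
```

`Get-SpeculationControlSettings` also prints a verbose explanation of each setting; the summary object is just the three answers a patch-tracking spreadsheet needs. Running the check across a test group before and after patching is a practical way to confirm the update actually took, rather than relying on Windows Update reporting success.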

App-Specific patching:-
• Firefox – specific mitigations released to Beta/Dev channels – https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
• Safari – patch planned

And what about responses from the chip-vendors themselves?
Intel
AMD
ARM

Update – 9/1/2018: Intel CEO Brian Krzanich made statements in his speech at CES 2018 overnight that patches for 90% of its products would be available ‘within a week’

Our Recommendations

Meltdown and Spectre are significant vulnerabilities and we highly recommend that you patch for them as soon as you’re able. However, the inter-dependencies across products warrant care and testing, so consider applying the patches in a test group (with all your apps) first and then moving forward as quickly as you can whilst containing any risks.

And if you need support, we’re ready to help.

5 Steps to get your business GDPR ready

Like it or not, General Data Protection Regulation (GDPR) is coming, and it will affect your business. Make sure your business is ready before the May 2018 deadline.

The EU’s GDPR is coming in May 2018 and it will affect all sorts of organisations in the UK, despite Brexit. In our last article, we discussed the fines that face businesses that fail to comply with GDPR when it comes into force next year. Given the size of those figures, it is vital that you ensure your business is ready to comply with GDPR. Being unaware is not an excuse.
To help you out, we at entrustIT have put together this handy guide of five important steps your business can take to get yourself ready for next May.

1. Review and plan

This seems like an obvious one, but many organisations will not adequately plan for the GDPR changes.
Carry out a detailed review of the methods you have in place to protect your data. Keep in mind that GDPR fines are imposed in the event of a data breach. Is your business data secure? Is it backed up regularly? Are the servers holding your data constantly monitored against threats? Do your consent processes meet GDPR standards?
These are just a handful of the really important questions you will need to ask yourself as you prepare for GDPR. Asking, and indeed answering, these questions is the first step to developing a plan for what needs to be changed before May 2018.
It may be prudent to work with a partner with a strong tech security focus. Your partner will be able to advise you on the best ways you can get yourself GDPR ready. In some cases, your partner will be able to bring your data into their ecosystem, therefore storing your data to the standards required in GDPR. Most Managed Service Providers (MSPs), such as entrustIT, will be able to do this for you.
The process of planning and implementing data protection changes is likely to take plenty of time. At time of writing, there is just over a year until GDPR takes effect. It is therefore crucial that you begin planning immediately.

2. Test your defences

Since GDPR fines are in place to punish organisations with weak cyber defences, making sure your cyber defences are strong should be a top priority. You may wish to perform penetration testing, which is a test that outlines where the vulnerabilities in your organisation lie. If you have the resources to do this internally then do, but if not, it would be a good idea to find a company to do this for you externally.
An organisation with strong cyber defences will have strong backup and disaster-recovery methods built into their cyber infrastructure. Their servers will have monitoring tools in place to ensure that any intrusions are stopped before they can spread and cause real damage.
For larger organisations with more financial clout, this is something that can be done in-house. However, small or mid-sized organisations may benefit from seeking the advice of a cloud services provider, such as entrustIT. At entrustIT, security is built into all our systems and we can help you get your data stores to a GDPR-ready state.

3. Get acquainted with your Data Protection Commissioner

As I discussed in the previous article, each country in the EU has a Data Protection Commissioner’s Office. In the event of a data breach, it is your responsibility to notify the relevant authority for your country. In the UK, this is the Information Commissioner’s Office. The full list of Data Protection Commissioner’s Offices in the EU can be found here.
Engaging with your relevant commissioner will help you to get valuable advice on GDPR compliance, as well as educating your employees as to who they need to go to in the event of a breach. It would be wise to have the contact details of your relevant Data Protection Commissioner stored in an easy-to-access folder or on display somewhere in your office.
The reason for doing this is that a data breach is a stressful time. In times of stress, mistakes can be made. Having the commissioner’s details easy to access will help to ensure that you contact the correct commissioner and that you are reminded to do so. Remember, you have a 72-hour deadline within which to do this before incurring fines.
74% of UK SMEs had a data breach in 2015. It can happen. The lesson from Hatton Garden is that a determined intruder is difficult to keep out, but being prepared is key to minimise damage.

4. Prioritise

The process for compliance is a long one. As a result, you may need to prioritise actions that present the highest risk to the business if left unchecked. These priorities will be different for each organisation, since every organisation has a different level of data security and has different strengths and weaknesses.
Take into account how long each process will take to complete; this may affect how you prioritise. Secondly, be realistic and maybe even critical of your current position. It is better to be over-prepared than under-prepared.
It may not be possible to be completely compliant for GDPR when it comes into effect in May 2018. This is particularly true as the deadline looms. It is therefore crucial that the areas that present the biggest risk to you are addressed first. For example, your organisation may already have strong server monitoring, but not a clear consent process for data processing. In this scenario, it would perhaps be foolish to spend the next 12 months strengthening your server monitoring at the expense of the consent process.

5. Implementation

When you have planned, tested and prioritised the measures you need to take to ensure GDPR compliance, it is time to implement the measures.
Implementation measures may include data mapping exercises, drafting notices and policies and conducting training and audit programmes. For your organisation to be GDPR compliant, it is important that all members of your team are pulling in the same direction. Therefore, ensure that they are aware of GDPR, what it is, what the consequences are, and what policies they need to adopt to prevent falling foul of the regulation.
Your staff must understand why it is important to be GDPR compliant, or else some of the new processes they will need to undertake may feel like an unnecessary burden and be neglected.
If your organisation requires one, you must hire a Data Protection Officer (DPO) [see previous article]. Ensure that your DPO is a GDPR expert and give them all that they need to continually keep your organisation compliant. You’ll thank them for it.
GDPR seems daunting, but with detailed planning and the right information you can ensure you are compliant without too many headaches. Hopefully, these last two articles have helped cut through some of the complexity surrounding GDPR.
If you have found this helpful, please share it among your friends and colleagues, and download our essential GDPR white paper here.

5 Ways GDPR will impact your business

GDPR (General Data Protection Regulation) is coming into effect on 25th May 2018. With it come a number of important changes for all types of businesses.
GDPR is complicated, but it is crucial that businesses in the EU comply with the regulation. Despite the fact that the UK is leaving the EU, GDPR will still affect us as it comes into force before 2019.
GDPR will impact your business in a number of ways. In an effort to make GDPR easier to understand, we at entrustIT have picked out the five most important ways GDPR will impact your business.

1. Larger fines for non-compliance

GDPR replaces the Data Protection Act 1998 in the UK, and with that replacement comes far heavier fines for non-compliance. The fine structure is split into two tiers, Tier 1 and Tier 2.
Under the GDPR structure, should your business suffer a data breach, it must be reported to the UK’s Information Commissioner’s Office within 72 hours (more details on what will be required are in our forthcoming whitepaper). Failure to notify the ICO results in fines being imposed.
Depending on the severity of the breach, and how important the data that has been put at risk is, your fine will fit into one of the two tiers.
Tier 2 is the lower of the two, but still commands a fine of up to an eye-watering €10m (£8.6m), or 2% of the previous year’s global turnover, whichever is greater.
Tier 1, which is reserved for the most damaging breaches, carries a fine of up to €20m (£17.25m), or 4% of global annual turnover, whichever is greater.

2. Changes to ‘consent’

One important change that GDPR brings is the requirement for consent when handling personal data.
In the past, companies could handle personal data as long as the user in question didn’t ‘opt out’. The process for opting out was often not immediately obvious, or was complex, and resulted in personal data being processed without the end user necessarily realising.
This has been completely changed in GDPR. Now, in order for a company to process personal data for an end user, they are required to have specific consent for that type of use from that user. Not only that, but they must keep records of when that consent was given, and these records should be available to give to the authorities when required.
Furthermore, the end user has the right to withdraw consent at any time. As a business, you will be unable to lawfully process personal data until you receive their consent. Any business found to be improperly processing personal data will be fined at the highest level of the two-tier system and will also suffer significant reputational damage.

3. Changes to breach notifications

We touched on this in point 1. In order to provide a data protection standard across the European Union, GDPR includes a single breach notification requirement. Currently, all EU member states have their own data protection laws. Some are strong, but some are very weak. Organisations in member states that have weaker data protection may not have had to notify any authority of a data breach. GDPR seeks to bring all member states in line with each other regarding breach notifications.
A personal data breach is defined as a breach of security resulting in the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
In the event of a personal data breach, the relevant supervisory authority must be notified within 72 hours of discovery of the breach. Each member state has their own authority. In the UK, it is the Information Commissioner’s Office (ICO).
You must be able to provide the ICO with details on the nature of the breach, the approximate number of people affected and the contact information of the organisation. You must also be able to outline the measures you will take to reduce further risk to those affected.
Failure to do so can result in a Tier 2 fine.

4. Data Protection Officers (DPOs)

Under GDPR the following businesses must appoint a Data Protection Officer (DPO):
• Public Authorities
• Organisations whose core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale
• Organisations whose core activities consist of processing sensitive personal data on a large scale
These DPOs must have “expert knowledge” of data protection law and must report directly to the highest management level – they also cannot be told what to do regarding their tasks and cannot be dismissed or penalised for performing their tasks – a big responsibility indeed!
The DPO will advise their employer on compliance with GDPR and continuously monitor whether the company is complying correctly. The DPO will also act as the main contact with the regulatory authority in the event of a data breach.

5. Privacy by Design

GDPR introduces ‘privacy by design’ as a legal requirement. This means that for the designing of all new systems, data privacy measures must be built in from the start, rather than added in at a later date.
Therefore, organisations are required to hold and process only the data they absolutely need, as well as limiting access to personal data to those members of the organisation who explicitly need it.
This means that in the development of any new product or service, your organisation must make data protection an integral part of the design of that product/service. The legislation itself is not clear what exact measures you are expected to take, but it is clear that data protection will have to be a focus for all organisations under GDPR.

Did you find this blog post helpful? If so, please like and share it with your friends and colleagues. Look out for the next article in our series on GDPR entitled “5 steps to get GDPR ready” coming soon.

www.entrustit.co.uk | Download our GDPR whitepaper here

IMPORTANT INFORMATION REGARDING THE CURRENT RANSOMWARE OUTBREAK

As you’ll likely have noted from recent media coverage, on Friday 12th May a new type of ransomware (named variously WannaCrypt/WannaCry/WCry) began appearing on computers running Microsoft Windows worldwide – within a matter of hours this infection spread to tens of thousands of devices across nearly 100 countries, causing significant issues for the affected organisations (including the NHS in the UK).

Whilst Friday’s outbreak was subsequently halted through the actions of security professionals, new variants have already begun to appear which cannot be controlled in the same way and that extend the risk of damage to organisational data.

What Is The Risk?

Ransomware is not new – this malicious software (malware) is designed to strongly encrypt your most important files (by targeting particular file types), at high speed, rendering them inaccessible to you. Once the files have been encrypted the application will move on to making demands for an untraceable payment using Bitcoin (an online currency) in return for the promise of a decryptor for your own data.

In this instance the ransomware has been combined with a technique (details) which allows infections to travel from one machine to another – this means that the malware spreads quickly between connected machines, such as on a company network. It is this combination which has made the outbreak so widespread and the impact so visible.

A number of defences are available – Microsoft began protecting against this combination of vulnerabilities using a security patch which became freely available in March 2017 (details). This family of patches provides cover for all currently supported versions of Windows (Windows Vista/Server 2008 or newer), but Microsoft have taken the uncharacteristic step of also providing patches for Windows XP/Server 2003 as a service to their customers.

Further information on the outbreak, as well as suggestions from the UK National Security Cyber Centre are available here:-
Latest Statement
Briefing – Protecting Your Organisation From Ransomware

What can you do?

There are four courses of action that we strongly recommend, both within an organisation and for home/consumer users:
1) Ensure that Windows Update has installed all recommended patches, or download and install the specific patch for your Windows version that closes the vulnerability the current outbreak takes advantage of (details here, see below)
2) Ensure that your desktop/server antivirus product is up to date, and run a scan
3) Ensure that you have a backup of your data which is not accessible/vulnerable to ransomware, or if you don’t have a backup, take steps to make one as soon as possible
4) Remain diligent when opening emails (and particularly attachments) from correspondents that you don’t recognise (fake or ‘phishing’ emails are a regular source of malware, and are often the first link in a chain of events that leads to ransomware arriving on your machine)

How can we help?

If you are a customer using our hosted services, please be assured that we are already defending against these vulnerabilities (just as you’d expect).

If you’re a customer who entrusts us with support for your servers and/or workstations, we will be in touch with you to discuss your situation as a matter of priority throughout Monday. For many, the necessary steps will already have been taken.

If you are a PAYG customer and/or a customer with machines which you’re managing yourselves, we’d like to provide the following list of links which may be useful to you in finding the correct security patch against the vulnerability being used by the current WannaCrypt outbreak:-

Vulnerability: MS17-010

Operating System          Download Link
Windows 10                http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4012606
Windows 10 x64            http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4012606
Windows 8.x               http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4012216
Windows 8.x x64           http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4012216
Windows 7                 http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4012215
Windows 7 x64             http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4012212
Windows Vista             http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4012598
Windows Vista x64         http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4012598
Windows XP                http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe
Windows XP x64            http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe
Windows Server 2012 R2    http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4012216
Windows Server 2012       http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4012217
Windows Server 2008 R2    http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4012215
Windows Server 2008       http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4012598
Windows Server 2008 x64   http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4012598
Windows Server 2003       http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe
Windows Server 2003 x64   http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe
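An added example, not code from entrustIT or Microsoft: a PowerShell check that takes the KB numbers from the table above and reports whether the matching MS17-010 update is present on the local machine or on a list of named machines. The OS-name-to-KB mapping and the function name Test-Ms17010Installed are my own assumptions built from the table.

```powershell
# Added example (not from entrustIT): report whether the MS17-010 update listed
# in the table above is installed for this host's Windows version.
# KB numbers are taken from the table; the OS matching is an assumption.
$Ms17010Kbs = @{
    'Windows 10'             = 'KB4012606'
    'Windows 8'              = 'KB4012216'                # covers 8 and 8.1 ("8.x")
    'Windows 7'              = 'KB4012215', 'KB4012212'   # x86 / x64 rows in the table
    'Windows Vista'          = 'KB4012598'
    'Windows XP'             = 'KB4012598'
    'Windows Server 2012 R2' = 'KB4012216'
    'Windows Server 2012'    = 'KB4012217'
    'Windows Server 2008 R2' = 'KB4012215'
    'Windows Server 2008'    = 'KB4012598'
    'Windows Server 2003'    = 'KB4012598'
}

function Test-Ms17010Installed {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    foreach ($c in $ComputerName) {
        $os = (Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $c).Caption
        # Longest matching key wins, so 'Windows Server 2012 R2' is not mistaken for 'Windows Server 2012'.
        $key = $Ms17010Kbs.Keys | Where-Object { $os -like "*$_*" } |
               Sort-Object Length -Descending | Select-Object -First 1
        if (-not $key) {
            [pscustomobject]@{ Computer = $c; OS = $os; Expected = 'n/a'; Patched = 'unknown' }
            continue
        }
        # Get-HotFix lists installed updates by KB id; match any KB the table gives for this OS.
        $installed = Get-HotFix -ComputerName $c -ErrorAction SilentlyContinue |
                     Where-Object { $Ms17010Kbs[$key] -contains $_.HotFixID }
        [pscustomobject]@{
            Computer = $c
            OS       = $os
            Expected = ($Ms17010Kbs[$key] -join '/')
            Patched  = [bool]$installed
        }
    }
}

Test-Ms17010Installed | Format-Table -AutoSize
```

On Windows 10 the listed KB is a cumulative update that later cumulatives supersede, so a Patched value of False there means the build level still needs checking rather than that the machine is definitely unpatched.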

If you need assistance with any of the steps recommended above to defend against this outbreak, please get in touch:-
• Email: support@entrustit.co.uk
• Phone: 0330 002 0046

entrustIT complete acquisition of Tiva IT Solutions

We are pleased to announce that on March 31st 2017, entrustIT completed the majority acquisition of Tiva IT Solutions Ltd, based in Farnham, Surrey.

Tiva are an IT Support business with a strong regional focus and have been trading for 10 years. They focus on contract IT Support to businesses within a 25 mile radius of their base, but with some national presence. Tiva’s ‘proactive’ approach to on-premise IT support has proved particularly popular with local businesses and the company has seen strong growth in the last few years.

“We are really pleased to have Tiva on board” comments Jeff Dodd, Managing Director of entrustIT, “They have a really strong local brand and they will be a great addition to the entrust family.”

Post-acquisition, Tiva will continue providing first class customer service as normal and will work with our sister company, entrust Creative Technology, to build an even stronger regional focus, including cloud products from the entrustIT range.

If Trump has his way, we’ll all lose some freedom

This article is from Issue 28 of Modern Law Magazine, to read the full issue click here or visit modernlawmagazine.com

If you’ve read the news at all recently, it is likely you will have heard about President Trump’s executive orders because in his first week and a half he has signed thirteen. In the hubbub surrounding order number thirteen, the ‘Muslim ban’, another order has slipped past the scrutiny of the mainstream press – and it is an order that could rob EU citizens of their online privacy.

The focus is on Section 14 of the ‘Enhancing Public Safety in the Interior of the United States’ order, which states: “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

The EU-US “privacy shield” provides EU citizens with the promise that their data, should it ever be processed in the U.S., is protected with ‘essentially equivalent’ privacy protection once it gets there. The deal is only six months old, but with one stroke of his pen Trump may have wiped it out.

The European Commission has already responded to the order, stating that the privacy shield “does not rely on the protections under the U.S. Privacy Act” but also that they will “continue to monitor” the situation. Given that Mr. Trump has previously voiced opposition to cyber privacy – most notably when he called on his supporters to boycott Apple after their much publicised case with the FBI – all of us should be concerned that our freedoms could be eroded under the Trump administration.

U.S.-based companies dominate our working lives. Microsoft’s Office 365 is expected to surpass 100 million users worldwide in 2017 and Apple’s iCloud has over 782 million users. If President Trump encourages U.S. tech companies to share customer data with law enforcement, the privacy of EU citizens is in real jeopardy.

It’s time to act. Technology, particularly cloud technology, is not going away and it is impractical to suggest we revert to storing data in ring binders and filing cabinets. It is practical, however, to suggest we store our files & data in the UK or EU countries. EU privacy law is far stronger than its U.S. counterpart and will afford the citizen far more protection. Invest some time in studying your technology partners, do they store data overseas? Is your data subject to EU data protection laws?

Are you a legal firm relying on Office 365 email to handle your sensitive communications…?

President Trump has already shown how tough he is prepared to be when cracking down on security and has hinted he has little regard for cyber privacy. It is the responsibility of those who are privy to sensitive information to ensure it is protected. Are you doing all you can to protect your client data?