Third Party & Supply Chain Cyber Security Summit

Could cyber risk ever get under control?

Business response to the cyber security threat

As business processes are increasingly digitised, cyber threats pose significant risks to business operations, especially when dealing with third parties and suppliers.

The recent cyber attacks remind us of our digital dependency and of the vulnerability created by the proliferation of technology.

We’ve interviewed three leading industry practitioners working in cyber security from Huawei Technologies, Nokia and Geodis to see how they manage cyber risks in dealing with third parties and suppliers.

The biggest disruptor

Huawei Technologies’ Cyber Security Officer & Advisor to the CEO Jaap Meijer claims that the biggest disruptor is “the risk of breaking the integrity of the whole cyber security chain”. “Supply chain management is just one part of this but other parts, like R&D, logistics, partner management, implementation, manufacturing are equally important in order to manage the confidentiality, integrity, availability, traceability and authenticity of the products and services” – he argues.

Speaking specifically about supply chains, Meijer lists the main ways in which products can be tainted or counterfeited: malware, unauthorised parts, unauthorised configurations, intentional damage, the use of substandard parts, and unauthorised production.

The driver

When asked what drives cyber risk, GEODIS Freight Forwarding’s Head of Global Supply Chain Security, Tom Brabers, names “the availability of data that enables online platforms to offer services” as the main driver. “As the supply chains are getting more and more complex, the data is getting more important,” he expands.

Echoing Brabers’ point, Nokia’s Supply Chain Information Security Program Lead Santtu Erkkilä says that a growing number of suppliers makes it incredibly hard to know “where your valuable data is and whether it is sufficiently protected”. A second risk comes with the rapid adoption of process automation and digitalisation, where “information security risks are not assessed and controls do not exist”.

Because cyber security is a fast-moving space, it requires continuous monitoring and improvement, and constant review of the end-to-end chain, as new products, services, processes and legislation are released and altered every day, says Huawei Technologies’ Meijer.

The risks

Among the major cyber security risks of working with third parties, the interviewees named the loss of intellectual property, the loss of availability of digitalised and automated supply chain processes due to cyber threats, and, most importantly, the loss of customers’ and key stakeholders’ trust.

How to manage cyber risks

While a board-led security and privacy committee leads these efforts at Huawei Technologies, all employees must “own” cyber security responsibility, claims Meijer. “The responsibilities are developed, distributed, integrated into the processes (all the way down to the suppliers and partners). This governance framework is in turn distributed and customised into all operating countries to ensure full alignment with local ways of working and applicable legislation,” explains Meijer.

The future

Interestingly, Meijer admits that perfect security cannot be maintained; what needs to be done in the future is to manage risk consistently with the organisation’s risk posture and business objectives. “We have to assume that our security will be breached and we have to make sure that we are ready to respond, recover, provide maximum resilience and have backups in place where needed to secure continued business operation,” he explains.

While GEODIS’ Brabers is confident that the company will continue embracing digital opportunities while managing the risks associated with it, Nokia’s Erkkilä believes that industry 4.0 will drive a big change to supply chains.

After all, cyber security is everyone’s business. And as Meijer points out, we should “understand that everyone is, and has to be, accountable within the risk ecosystem to help the overall global requirements better align”.

Huawei Technologies’ Cyber Security Officer & Advisor, Jaap Meijer alongside Nokia’s Supply Chain Information Security Program Lead, Santtu Erkkilä and GEODIS Freight Forwarding’s Head of Global Supply Chain Security, Tom Brabers will share further insights on the topic at the Third Party & Supply Chain Summit 2017 on 29-30 June in Amsterdam.

Other speakers include the Head of Global Security, Philips Lighting; the Chief Information Security Officer, Iberdrola; the Chief Information Security Officer, MENAT, GE; the Global Head of Cyber Risk, Aspen Insurance Group; and more.

Photo credit: Flickr/ SiteLock



Internet of Things Security – are you failing to prepare?

By Ian Kilpatrick, Executive Vice-President Cyber Security at Nuvias Group

Flickering lightbulbs, scary Barbie dolls, infected computer networks and cities out of action. Could this be the brave new world of the Internet of Things (IoT), if we neglect IoT security? Ian Kilpatrick, EVP Cyber Security for Nuvias Group, discusses the unstoppable growth of IoT and the necessity for organisations to take appropriate measures to protect their computer networks.

For several years, the IT industry has enthusiastically extolled the virtues of the Internet of Things (IoT), eager to enlighten us to the difference that living in a connected world will make to all our lives.

Now the IoT is here – in our homes and in the workplace. Its uses range widely, from domestic time-savers like switching on the heating, to surveillance systems, to “intelligent” light bulbs, to the smart office dream.

These proliferating devices and objects collect and share huge amounts of data. However, proliferation also creates more opportunities for vulnerabilities. Moreover, because these devices are connected to one another, if one device is compromised, a hacker potentially gains a path to multiple other devices on the network.

Indeed, there have been a number of high-profile cases where everyday items have been used to force websites offline. Recently, hackers harnessed the weak security of internet-connected devices, like DVRs and cameras, using botnets implanted on the devices, to take down sites such as Amazon, Netflix, Twitter, Spotify, Airbnb and PayPal. More recently, security vulnerabilities in the new, Wi-Fi enabled Barbie doll were discovered, turning it into a surveillance device by joining the connected home network!

Elsewhere, researchers said they had developed a worm that could potentially travel through ‘smart’ connected lightbulbs city-wide, causing the web-connected bulbs to flick on and off.

These are just a few examples of the security failures in IoT devices. Unfortunately, they are not the exception. Manufacturers are rushing to make their devices internet-connected but, in many cases, with no thought (or indeed knowledge) around security.

The next step on IoT’s journey is connected or smart cities, where the consequences of an attack are enormous. It’s not just one lightbulb – a hacker can potentially plunge an entire city into darkness, or disable surveillance systems, causing chaos.

With IoT devices now moving into the workplace, organisations are increasingly vulnerable to attack. A survey by analyst group 451 Research predicts that enterprises will increase their IoT investment 33 percent over the next 12 months, but that security remains a concern with half of respondents citing it as the top impediment to IoT deployments.

Nevertheless, it says that organisations are forging ahead with IoT initiatives and opening their wallets to support IoT deployments.

There’s no turning back the tide of any of these IoT applications – and in fact we shouldn’t try to halt progress. However, checking the security capabilities before deployment isn’t a bad strategy. It is especially important to ensure that the advance of IoT isn’t providing hackers and criminals with another entry point for attack.

Securing the IoT

The IoT challenge is backfilling security onto IoT devices. Because these devices are not running on standard operating systems, they are often invisible to a large part of an organisation’s defences. And if a device is compromised, and you end up with malware within your organisation, you must firstly spot the breach, and then find out where it’s coming from – not an easy task.

Cleaning the device won’t necessarily fix the problem, as you will have a compromised IoT device within your security perimeter, which will just continue to re-infect other devices.

There are many different types of solutions available. Kaspersky Labs, for example, has Kaspersky OS, a secure environment for the IoT. Other suppliers, including Tenable Networks and Check Point, also provide solutions that are relevant here.

A key action for organisations is to pay close attention to the network settings for IoT devices and, where possible, separate them from access to the internet and to other devices.

IoT devices should also be identified and managed alongside regular IT asset inventories, and basic security measures such as changing default credentials and rotating strong Wi-Fi network passwords should be applied.

As much as IoT manufacturers need to embed adequate levels of security into their devices, the ultimate responsibility for ensuring an organisation is secure is with the user. This is particularly true as Chief Information Security Officers (CISOs) are under more pressure than ever to maintain the integrity of their organisations, in the face of increasing legislation such as the General Data Protection Regulation (GDPR), which carries potentially crippling fines for data breaches.

Ultimately, IoT is here, and it isn’t secure. It won’t be secure until IoT device manufacturers make it secure, which will be many years in the future. In the meantime, it’s down to organisations to make sure they are protected. User education should be a key element in defence around IoT deployment, partly because of the increased risks of shadow deployment in the workplace with IoT devices.

Business leaders need to ask their IT department or CISO for a strategic plan to deal with IoT vulnerabilities, rather than burying their head in the sand. As the saying goes, a failure to plan is planning to fail.



Will WannaCry pave the way for future ransomware attacks?

Author: Etienne Greeff, CTO & Founder of SecureData

The aptly named ‘WannaCry’ ransomware attack, which brought organisations around the globe to their knees when it first appeared on Friday 12th May, is the latest in an ongoing tidal wave of ransomware cyber attacks. At the time of writing, WannaCry has hit 150 countries and over 200,000 computers leaving a wake of destruction.

For the organisations that have felt the full wrath of the attack, and any others still storing data on vulnerable software, this should be seen as a serious wake-up call. After all, WannaCry exploits a flaw in vulnerable, end-of-life versions of Microsoft Windows (most notably Windows XP and Windows 7). To unlock the hijacked data, the WannaCry hackers are demanding a payment worth £230 per infected user.

Ransomware was the number one type of malware in 2016. It works by encrypting, or hijacking, files until a ransom is paid. In the meantime, the user sees a displayed message stating that payment is required before they can access their files. To avoid payments being traced or blocked, cyber criminals typically use cryptocurrency platforms such as Altcoin and Bitcoin.

Assessing the extent of the damage

As the saga continues to rumble along, many large organisations have already faced the consequences of exploited vulnerabilities. Alongside the NHS in the UK, infected organisations include Germany’s main rail company Deutsche Bahn, Spain’s Telefonica, French carmaker Renault, US logistics company FedEx, and thousands of victims in countries such as Russia, India, China, Ukraine and Taiwan. It’s fair to say the extent and scale of the damage caused are significant.

In China alone, nearly 30,000 organisations had been attacked by the end of Saturday 14th May. While the attack attracted significant media coverage in the UK, the UK did not even feature in the top 20 countries by hosts infected. The most infected country was the Russian Federation, followed by Ukraine, India and Taiwan. What made the UK so newsworthy was the real-life impact of attacks on hospitals. The hijack of the NHS meant patients had to be moved, treatments delayed and some even cancelled. Meanwhile, 1,000 computers at the Russian Interior Ministry have been infected.

Clearly, the attack is highly aggressive and has been extremely effective. Even though cyber security experts recommend victims not to pay the attackers, many have indeed paid the ransom to obtain the decryption key in a bid to restore normal operations.

Scaled beyond belief

We know that the malware spread exponentially as worm-borne ransomware, but it lacks scale in decryption and sophistication in ransom payment collection. Simply put, the attackers’ clever use of code generated vast scale for infections, but they have shown poor business acumen when it comes to turning ransoms into profit. So, despite its apparent success, has this attack actually bitten off more than it can chew?

The WannaCry hackers have left much to be desired when it comes to the transactional components for securing the cash. WannaCry’s decryption process is manual, which means someone physically has to provide the decryption key for literally hundreds of thousands of ransoms (assuming anyone pays up of course).

Firstly, this process is fundamentally at odds with the scale of the attack. They simply don’t have the manpower to ‘cash in’. And secondly, Bitcoin, which is used to take the ransom payments, is the most visible and the most traceable of all the cryptocurrency platforms (this is why we are beginning to see ransomware attacks using altcoins such as Monero and Zcash as their currency of choice). Therefore, the motivation behind the attack remains unclear.

Data-hijacking ‘collateral damage’

Our own analysis has led us to believe the attack was actually meant for home users. For example, the malware targets older versions of Windows operating systems, more commonly in use on home computers. The inclusion of a kill switch is interesting too. Typically, Domain Name System (DNS) based kill switches are used by virus writers to avoid detection by sandboxes (a security mechanism for running typically untested or untrusted programs in isolation). A sandbox answers all DNS queries and potential requests to outside sites. Virus writers know this, so they terminate the malware when they see requests answered. This could indicate that the malware was targeted at environments that do not run sandboxes, which typically means home users.

Combined with the failure to effectively monetize the operation, this suggests the intended targets were not corporate organisations such as the NHS and Telefonica. It would seem these organisations got caught up as collateral damage; however, they could easily have prevented any ransomware infection through basic security hygiene and up-to-date frontline security.
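As an added example that is not part of the original article, the kill-switch behaviour described above can be turned into defender-side triage over DNS resolver logs: any host that looks up the kill-switch domain has run the dropper and is unpatched, and, following the mechanism the author describes, a host whose lookup went unanswered is the one where the malware would have carried on rather than terminating. The log format and the domain `killswitch-domain.example` are assumed placeholders; the real indicator comes from vendor or CERT advisories.

```python
"""Triage hosts by their DNS queries for a ransomware kill-switch domain.

Added example, not code from the original article. The log format and the
kill-switch domain below are assumptions; the real domain is published in
advisories and must be substituted.
"""
import re
from collections import defaultdict

# Assumed resolver log format: "<ISO timestamp> <client IP> <qname> <rcode>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<qname>\S+)\s+(?P<rcode>\w+)$"
)

# Placeholder for the advisory-published kill-switch domain.
KILL_SWITCH_DOMAINS = {"killswitch-domain.example"}

# Constructed resolver log lines for the demonstration.
SAMPLE_LOG = """\
2017-05-12T10:01:02Z 10.0.4.17 killswitch-domain.example NOERROR
2017-05-12T10:01:05Z 10.0.4.23 www.example.org NOERROR
2017-05-12T10:01:09Z 10.0.9.41 killswitch-domain.example NXDOMAIN
2017-05-12T10:01:10Z 10.0.9.41 killswitch-domain.example NXDOMAIN
2017-05-12T10:02:00Z 10.0.4.17 update.example.net NOERROR
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_kill_switch(log_text, domains=KILL_SWITCH_DOMAINS):
    """Map each client that queried a kill-switch domain to a finding.

    Every such client ran the dropper, so it needs isolation and patching
    either way ("high"). Because the malware terminates when its lookup is
    answered, an answered lookup suggests the check tripped; an unanswered
    one (NXDOMAIN/SERVFAIL, e.g. no external DNS from that segment) means
    the payload would have continued, so it is ranked "critical".
    """
    findings = defaultdict(lambda: {"answered": 0, "unanswered": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        if rec["qname"].rstrip(".").lower() not in domains:
            continue
        key = "answered" if rec["rcode"] == "NOERROR" else "unanswered"
        findings[rec["client"]][key] += 1
    for finding in findings.values():
        finding["severity"] = "critical" if finding["unanswered"] else "high"
    return dict(findings)


if __name__ == "__main__":
    for host, finding in sorted(triage_kill_switch(SAMPLE_LOG).items()):
        print(host, finding)
```

Answering the lookup internally (sinkholing the domain to a host under your control) is itself a mitigation in this model, since the malware stops when the request is answered; the query still marks the host as unpatched.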

The proactive defence of data

Organisations should be taking a front-foot approach to avoid being the next in line being held hostage. They need to act now. The ransomware element of the malware could easily be swapped for a more destructive command that would wipe the hard drive of infected machines completely. New and more innovative ‘strains’ of the malware are expected so there is a pressing need to get ready to weather the storm.

The impact of WannaCry could have been significantly reduced by implementing basic best-practice security hygiene. For example, the NHS left itself vulnerable because its computer systems were dangerously outdated. Alarmingly, many NHS Trusts still use Windows XP as their main operating system.

In order to operate a strong security defence, organisations need consistent ingress and egress filtering, regular patching, and backups of all data. Following these basic steps, security should then focus on vulnerability testing and management, improved user-education to stop the opening of dangerous links and attachments, anti-virus endpoint detection, and content filtering.

These are all well-understood practices but need to be implemented consistently in order to break the ransomware kill chain and choke this persistent threat out.

The future threat

From the attackers’ perspective, WannaCry is a technical success; they have proved their concept for the worm delivery channel. Given the enormity and global scale achieved, however, they will rue the day they failed to convert this opportunity into cold, hard, real-world currency. Next time, organisations might not be so lucky.

Moving forward, this will not be the last we see of large-scale ransomware attacks, or even of WannaCry itself. Cyber criminals are innovative and tech-savvy. They are constantly looking for new ways to infiltrate computer systems and deliver new payloads. Easy wins, such as targeting legacy operating systems, are just the tip of the iceberg.

The techniques for a similar attack will evolve and grow more complex, and more damaging. In the future, we expect to see game-changers such as new payment platforms used for ransom, a greater array of target types, infect-a-friend attacks and ransomware-as-a-service.

The worm success of WannaCry could well spark an avalanche of ransomware attacks. It is time to get ready for the next wave. While the battle against WannaCry has certainly started, it has only just begun. After all, more than 1.3 million systems still remain vulnerable.




Exploring cybersecurity’s diversity problem

Jarad Carleton, Principal Consultant, Digital Transformation, Frost & Sullivan

The latest report from the Center for Cyber Safety and Education and Executive Women’s Forum on Information Security, Risk Management & Privacy (EWF) on Women in Cybersecurity, sponsored by PricewaterhouseCoopers, Alta Associates, Veracode, IBM Security and (ISC)², confirms that cybersecurity is still a predominantly male, middle-aged profession that is failing to attract female recruits.

The Center’s Global Information Security Workforce Study, sponsored by Booz Allen Hamilton, a study of almost 20,000 cybersecurity professionals worldwide, has revealed that the proportion of women in the workforce remains stubbornly low, with women comprising only 8% of the UK cybersecurity profession and 11% of the global workforce, a proportion that has remained virtually unchanged since 2004. This is despite the fact that the sector has seen double-digit growth over the same period, and a parallel growth in demand for new recruits. The projected cybersecurity skills shortage has soared by 20% in just the last two years, and will leave a staggering shortfall of 1.8 million cybersecurity professionals by 2022.

In this context, the lack of any real progress towards increasing the intake of women in the profession cries out for explanation. The Women in Cybersecurity report explores for the first time some of the barriers to women in the workforce.

The report is the first to uncover a widespread cybersecurity gender pay gap, with a male professional in Europe earning £9,100 more on average than his female counterpart. This is despite the fact that Europe’s female cybersecurity professionals tend to be better educated and a higher proportion of them occupy managerial positions. In the UK, for example, 50% of female cyber professionals hold postgraduate degrees compared to just 37% of men, and 64% of women are in managerial positions compared to 57% of men.

This warrants further investigation to see whether it is caused by women being concentrated in part-time or lower-paid cybersecurity roles, or whether we are witnessing genuine gender discrimination. Whatever the case, more transparency over pay and action towards closing the gap are called for to attract more women into cyber.

Other forms of discrimination may also form an invisible barrier to women entering the profession. In North America, the study found that women are far more likely to experience workplace discrimination in cybersecurity, ranging from unexplained delays in career advancement to verbal harassment.

A workplace where women are both paid less and more likely to be subject to discrimination can make it harder to promote the profession to women. The lack of women in the profession also creates a self-perpetuating cycle with few established female role models to encourage the new generation.

Other barriers can be found in hiring behaviour. Far fewer women than men study STEM or computing degrees, yet employers tend to prioritise people with computing or STEM degrees in this field. This is not only holding women back, but harming businesses because cybersecurity skills are often found in people outside traditional ‘techie’ fields and such people bring more diverse perspectives to the profession. The required skills for cybersecurity, such as lateral thinking, problem-solving skills and understanding of risk management can be found in disciplines as diverse as business or psychology, and such people can in some cases be more rounded and have greater managerial potential than those more narrowly focused on tech.

Since there are so few women already working in the industry, increasing the intake naturally means being prepared to take on younger people and women who do not have previous ‘experience’ in cyber. Yet 93% of employers in Europe demand previous ‘experience’, and only 12% of the UK workforce is under 35. With 53% of the UK workforce over the age of 45, the need to open more entry-level doors is growing in urgency.

There are clear steps that industry could take to attract more women into cyber as they address their growing need for more talent. The government has taken welcome measures to boost cybersecurity education, which now needs to be matched by a greater willingness by employers to reach out to inexperienced millennials and invest in developing talent rather than buying it off the shelf. Employers could also draw from a wider set of backgrounds and degrees, including humanities and arts degrees.

This is no longer just an issue of increasing workforce diversity, but an issue of economic and national security. The cybersecurity skills gap grows wider every time we survey the workforce, while the UK government recently recognised that this gap represents a “national vulnerability that must be resolved.” Attracting more women into the industry would significantly help reduce the shortfall in skills. Ultimately, the under-representation of women in the workforce can be seen as a threat to our future economic security, and making this link will provide the necessary impetus for change.

These issues were explored in depth in a recent Global Information Security Workforce Study debate – Women in Cyber: Why can’t we Attract Them? – hosted by Frost & Sullivan and featuring industry leaders including Dr. Sue Black, the leading computer scientist who helped save Bletchley Park.





Hack in Paris Competition

DFMag has decided to give away two free passes for talks at the Hack in Paris event taking place this June!

To win these two passes, simply DM us on twitter the name of four sponsors of the Hack in Paris event. The winners will be those who are the first to respond correctly.



Cloud Encryption: Bring Your Own Key Is No Longer Enough

Encryption key management systems are now essential for all companies needing to lock down data in the cloud, says Matt Landrock, Executive Vice President, Cryptomathic.

‘Trust’ can be both a terrific enabler and a severe inhibitor in cloud services adoption. Keen to benefit from the cloud’s promise of flexible and scalable on-demand computing, businesses everywhere continue to migrate increasing volumes of critical data off-site and into the hands of third party cloud service providers. Each time this happens, however, they must answer the same question: what guarantees do I need before I can trust this provider to protect my data?

Who holds the power to access a firm’s private data in the cloud is a big and thorny issue. Hosting services operate, by definition, across borders, whereas the regulations that grant nation states and other third parties power of access do not. Governing authorities around the world therefore vary in their ability to compel cloud service providers to sacrifice customer privacy and comply with their access demands.

As a result, encryption now has a major role to play in the security process. Companies that trade in confidentiality, banks for example, commonly use encryption as a defense against third party intervention from nation states and cybercriminals alike. When rolled into their cloud provider’s managed service contract, however, encryption actually does relatively little to reassure: if the provider can already be strong-armed into granting access, surely they can also be compelled to relinquish their encryption keys, making life pretty awkward for everyone involved. Nonetheless, a study from Ponemon Institute & Thales[1] revealed that 37% of companies worldwide still rely on their cloud providers to generate and manage both the keys and the encryption process.

‘Bring Your Own Key’ (BYOK), where the end-user independently generates, backs up and submits its own encryption keys, neatly addresses this concern. If the service provider doesn’t have access to the key in the first place, it can’t be compelled to hand it over, meaning that the user’s data will remain encrypted no matter who tries to access it. Sadly, BYOK creates another set of problems. Assuming sole control over an encryption key is a hefty responsibility. Loss or error could prevent a business from decrypting its own data, resulting in paralysis. Theft of the encryption key puts the entire security operation in jeopardy, meaning that the user’s backup process must itself be subject to high-security measures. What’s more, if the key is lost or stolen, help is very hard to come by. The service provider, having already been relieved of its key liability, is powerless to assist. In many ways BYOK replicates the problems associated with more traditional usernames and passwords. Key ubiquity, like password ubiquity, replaces one security headache with another: should there be a key to all the keys? How is that key secured? And so on.

BYOK poses operational challenges, too. Once the user’s key has been created and submitted to the service provider, it can’t be retrieved, or at least not easily. Security best practice also dictates that each individual cloud service should have its own unique key. Where vast stores of data are concerned, risk mitigation policies encourage firms to use a variety of keys and to spread their data between several providers, each of which will have its own unique blend of encryption engines, protocols and messaging formats. This situation is worsening too: Forrester predicts that the practice of blending multiple cloud models will increase in 2017 and calls on companies to take specific steps to secure their whole environment.[2]

When combined, these factors add up to a complex and multi-faceted BYOK challenge, for which nothing less than bullet-proof management is acceptable.

Fortunately, demand for what could now be called ‘Manage Your Own Keys’ (MYOK™) can be well supported by specialist software, purpose-designed to put users back in the driving seat. These platforms enable users to control and manage the entire lifecycle of their own unique portfolio of keys: generating, storing, deploying, retrieving, backing up, restoring, revoking and updating as they go.

Such systems also arm users with the capability to expand their use of encryption. Today’s large enterprises invariably use a host of different cloud models – public, private and hybrid amalgamations of the two. MYOK™ systems enable users to address them all with cryptography, creating and managing keys regardless of their required shape, form and destination. This is democratizing what has, until now, been regarded as a complex and highly technical security process.

This is just the beginning. The number and variety of uses for encryption keys is exploding. Having begun life in network management and financial services, encryption and other cryptographic functions are fanning out rapidly, to secure data created by smart devices, connected cars, intelligent building systems and all manner of other connected consumables that together comprise the Internet of Things.

There is little doubting the level of enthusiasm for cloud-based data storage and transmission services. The big problem has been that major stakeholders have had a hard time balancing their need to guarantee security, control and confidentiality with the huge gains that the cloud can deliver in terms of flexibility, scalability and operational agility. Key management platforms enable this balance to be struck, reducing time to market for those delivering cloud-dependent products and services while, at the same time, ensuring they remain the sole proprietors of their data, regardless of where it is kept or how it is transmitted.

If the encryption industry is to avoid replicating the mistakes of the username and password model, it must promote an approach that has secure key management at the center. Only then can the full promise of the cloud be realized, finally unburdened by issues of trust.



£35 per year – CCTV owners falling foul of ICO registration risk £500,000 fine

Recent fines remind bosses not to fall foul of data protection law

It’s only £35 per year, but businesses are still failing to register their CCTV systems with the Information Commissioner’s Office (ICO) and risking a hefty fine.

According to a nationwide CCTV installation and servicing company, there’s no excuse for this omission, which could leave companies hundreds of pounds out of pocket and with a stain on their reputation from the negative publicity.

The Yorkshire-based company says that it’s vital that businesses stick to the letter of the law with their camera systems, not only to protect their staff and property, but also for anybody who comes onto their premises, whether with good or foul intent.

“Some companies think they can skip their Data Protection Act responsibilities,” says spokesperson Jonathan Ratcliffe, “But the sad fact is that their lack of compliance will almost certainly come to light the second they try to use camera footage for a prosecution.

“And that evidence could even be thrown out of court.”

The most recent case is a prosecution brought by the ICO against a Coventry-based business which was using a non-registered CCTV system. The case was only brought to court after the owner repeatedly ignored reminder letters to register their premises. The owner told magistrates that she thought the ICO’s reminder letters were ‘spam’. Local magistrates fined the owner of the company over £650, including court costs.

CCTV: Responsibility through technology

“When your system is ‘evidence-ready’ with well-serviced cameras in the right locations providing date-stamped footage, it’s almost impossible for a suspect to evade identification,” he says.

Legally produced camera footage has been responsible for thousands of convictions and millions of pounds of savings to British businesses, and it’s not an exaggeration to say that camera systems have literally saved both jobs and lives. “But they have to be used responsibly,” says Ratcliffe.

It’s when companies evade their legal responsibilities that they could find themselves in trouble, and even then the ICO does its best to avoid court, preferring to advise companies as a first resort.

“It’s all very simple,” says Ratcliffe, “if you record images of people as part of your business activities, then you must register.

“And there’s no defence in claiming ignorance of the law – we advise all our commercial clients to get their registration in order before they switch on their cameras,” he says.

What are your obligations?

Business owners need to ensure that:

They have registered with the ICO
Recordings are not kept longer than necessary
Use of recorded data does not breach people’s rights
Data is kept securely and is not passed to foreign countries

The ICO can impose penalties of up to £500,000 for the most severe breaches of the regulations.

What if I’ve got a domestic CCTV system?

Most domestic CCTV systems do not fall under the Data Protection Act. However, if your recordings include people outside of your property (such as a road, path, or even a neighbour’s property), then you may have to register. Use the Self Assessment tool to find out.

Privacy is everybody’s business

Jonathan Ratcliffe says that in a society where we are recorded more than ever before, the law exists to ensure that your legal day-to-day comings-and-goings remain private.

And that means everybody using a camera system agreeing to the same set of standards.

“CCTV is a beneficial tool for any company, but you have to play by the rules,” Ratcliffe says.

“So, if your business collects data, make sure you’re onside. Don’t think you can dodge the law.”

Lord Sebastian Coe Announced as Guest Keynote Speaker at Infosecurity Europe 2017

Infosecurity Europe is delighted to announce that Rt Hon Lord Sebastian Coe CH KBE, president of the International Association of Athletics Federations (IAAF) and former chairman of the British Olympic Association, will deliver the show’s final opening keynote presentation on Thursday 8 June at Olympia, London. This follows the recent announcement that Dame Stella Rimington and Jeremy Paxman will deliver opening keynotes on Tuesday 6 June and Wednesday 7 June respectively.

In his keynote speech, Cyber, Risk and Resilience in Sport and Business, Lord Coe will share his unique perspective on cyber risk, discuss his experience of managing risk and reputation in sport and business, and explain how challenges in the lead-up to the 2012 Olympics were overcome.

Lord Coe said: “Risk comes in many forms, tolerance levels differ greatly which means there are a myriad of handling strategies and solutions. I hope by sharing my experiences across sport, politics and business at Infosecurity Europe next month I will provide a different perspective for attendees as they tackle the challenges facing their own industry.”

Victoria Windsor, Content Manager, Infosecurity Europe, said: “Lord Coe is no stranger to the challenges of managing risk, building resilience and reaching goals that require exceptional levels of performance, dedication and strategic planning. We are honoured that Lord Coe has accepted our invitation to speak, and look forward to hearing about the lessons he has learnt throughout his diverse career, from being a world record breaking athlete to delivering a project of such enormous logistical complexity at the 2012 Olympics. I am sure it will be a very inspirational session for the Infosecurity Europe audience, and provide a fresh outlook on how to address some of the challenges our industry faces.”

Set against a backdrop of global economic and political uncertainty, the theme of this year’s Infosecurity Europe is Cybersecurity at the Speed of Business.

The event will welcome the industry’s leading thought-leaders, practitioners, policy-makers and analysts in its Keynote Stage seminar programme. Speakers will include representatives from companies including Camelot, Costa Coffee, Department for Work & Pensions (DWP), HSBC, KPN Telecom, Marks & Spencer, Microsoft, Metropolitan Police Service, Network Rail, The Economist Group, Telefónica UK, Trainline, Vodafone and more.

Lord Coe will be speaking at Infosecurity Europe, Keynote Stage Theatre on:

Thursday 8 June, 10.00-10.50

The full Keynote Stage seminar programme can be viewed here:


MEDIA ENQUIRIES: Amanda Lovelock, Tracey Jennings, Hannah Grimmette

Midas PR, Tel: 020 7361 7860, Email: / #infosec17 / @infosecurity

Infosecurity Europe takes place at Olympia, London, 6-8 June 2017.

To apply for an Infosecurity Europe press pass, please visit: