Practical, Cost Effective and award-winning

Business Continuity, Crisis Management & Information Security Solutions


0800 035 1231 (Mon to Fri 9am – 5pm)

36B Market Street, New Mills

Derbyshire, SK22 4AA, United Kingdom

Equifax Data Breach – CEO Retires

The Chairman and CEO of Equifax yesterday became the latest executive to “retire” in the wake of the enormous data breach announced on 7th September; the CIO and CSO had already “retired” two weeks ago.  The previous “retirements” coincide with the bottoming out of a steep fall in share price (roughly 33% or $5b) following the public announcement, but it is impossible to say if the two are linked; there seems to have been little reaction from the market to the CEO’s departure, so perhaps it was already expected.

Even if the changes of personnel have calmed the market for now, nothing can detract from the fact that this was a huge data breach, with the private data of 143 million Americans being exposed (as well as 400 000 Brits).  As well as the sheer size of the breach, the company’s initial response seemed to focus on trying to minimise legal liabilities which, unsurprisingly, has attracted much criticism and resulted in a number of class-action lawsuits taking off anyway.  All in all, the new leadership team have quite a job on their hands.

The International Organization for Standardization (ISO) published the results of their 2016 survey last week and there are big rises in the number of certifications for both ISO 22301 and ISO 27001.

By the end of 2016 there were a total of 3853 organizations globally certified to ISO 22301, a rise of 23% from 2015.  As in previous years, the top three countries were as follows:

  • India – 1607 certificates
  • UK – 574 certificates
  • Japan – 226 certificates

Meanwhile the number of organizations certified to ISO 27001 rose 21% to 33290.  Remarkably, nearly 40% of these (13 889 certificates) have been issued in Japan.

Follow the links to find out more about how we can help you achieve ISO 22301 and ISO 27001.

I have really enjoyed this new book from Anthony Fitzsimmons and Derek Atkins, and would thoroughly recommend it to all those with an interest in risk management.

The title is actually somewhat misleading, suggesting a narrow focus on reputation management, whereas the book actually takes a very broad look at a wide variety of behavioural and organisational issues that can lead to crises.  The first section provides a very readable summary of current thinking on areas such as reputation, culture and the causation of crises, considering everything in the context of the organisation’s stakeholders.  The second section is, to my mind, the most valuable, with a fine selection of up-to-date crisis case studies, including:

  • BP Deepwater Horizon;
  • Volkswagen; and
  • Mid Staffs NHS Foundation Trust.

The final section then attempts to translate the insights from the previous two sections into a practical risk management framework.  This is where I find the authors’ use of the term “reputational risk” most problematic and, in particular, their proposals for a “reputational risk management system”.  Nevertheless, I think the authors have made a very valuable contribution in highlighting an array of behavioural and organisational issues to a wider audience.

The October 2015 data breach at TalkTalk, resulting in the theft of personal data of almost 157,000 customers and a record £400 000 fine, has been widely reported here and elsewhere.  However, another serious breach has not been so widely reported.

TalkTalk began investigating in September 2014, after receiving complaints from customers that they were receiving scam calls, and discovered that personal details for up to 21 000 customers had been unlawfully accessed by employees of a third-party service provider.  The ICO found that the level of access to the data was unjustifiably wide-ranging and put the data at risk, and has now fined TalkTalk £100 000.  As before, the amount of the fine itself is not significant to a firm the size of TalkTalk, but the renewed public attention being focused on their lax security practices is certainly unwelcome.  Bear in mind also that with the implementation of GDPR next year maximum fines increase to 4% of global revenues, which would be £73m for TalkTalk based on their 2016 results!

The Hull-based telecoms firm, KCOM, has been fined £900k by Ofcom over a failure of their 999 call service back in December 2015.  The 4-hour outage resulted in 74 emergency calls failing, so the fine equates to over £10 000 per call (or £225k per hour)!  Although Ofcom accepted that the root cause of the disruption was the flooding of a BT exchange in York, they found “serious weaknesses” in KCOM’s continuity planning: the pre-planned back-up routes also used the same BT exchange in York.

If this fine seems high, much worse could be to come, as Digital Minister Matt Hancock has announced a consultation on new proposals for fining critical infrastructure providers for disruptions arising from cyber attacks, power failures and natural disasters.  The government’s plan is to impose fines of up to £17m (or 4% of global turnover) on firms that experience disruptions as a result of failing to manage risks appropriately.  It is very unclear at this stage, though, what will constitute acceptable risk management.

BA in the News Again (Twice)

Last week, when BA’s owner, IAG, announced its half-year results, attention was drawn once again to BA’s major IT outage back in May, which left tens of thousands of passengers stranded.  There were various predictions of the cost of the disruption around the £100m mark at the time of the incident, but IAG announced that the actual cost to the company has now been calculated at £58m.  Despite this, operating profits for BA were actually up 17%!

IAG failed to shed any more light on the root cause of the disruption but did stress that it was an “isolated incident”.  However, yesterday, passengers at both Heathrow and Gatwick experienced significant delays in checking in because of further IT problems.  We await the findings of BA’s investigations with interest…

The Information Commissioner’s Office (ICO) released its 2016/17 annual report on 13th July, which showed another steep rise in the number of data protection incidents. There were a total of 2565 self-reported data protection incidents in 2016/17, an increase of over 30% from the previous year. Once again the top sectors, by number of incidents, were Healthcare (41%) and Local Government (11%). The breakdown of the types of data protection incident is also interesting, with the top causes as follows:

  • Data posted, faxed or emailed to incorrect recipient (26%); and
  • Loss or theft of paperwork (14%).

Visit our Information Security Services page to see how we can assist with keeping your data secure.

Just over one month on from the WannaCry attack, there have been reports about a significant ransomware attack on University College London.  The attack impacted shared drives, with detailed instructions given out on the university website.  By 2.30pm on 16th June, users were told that the ‘first phase of share folders will come back online this afternoon at 2.30pm and the remainder will be restored on Monday morning once full recovery of the corrupted files in these shares has been completed.’  Interestingly, UCL is now updating a security certificate for Eduroam despite earlier stating that ‘Our antivirus software is up to date and we are working with anti-virus suppliers to pass on details of the infection so that they are aware of the incident. We cannot currently confirm the ransomware that was deployed’; it is not known whether the two issues are linked.

As ever, this example serves to highlight the need for education to ensure that staff and other users are not clicking on dangerous links in emails or on websites, as well as the need for swift communications to ensure that further damage to systems is not caused by continued access.  It equally highlights the importance of integration between business continuity and information security, showing how effective back-up practices are vital for the recovery of data.  Indeed, it would be interesting to know if the recovery from this incident is within the parameters that have been identified in any Business Impact Analysis that may have been completed by the University.


Contact Cambridge Risk Solutions to find out how we can help you with information security and incident management planning, or call us on 0800 035 1231.

Written by Helen Molyneux

Well, another year, and another Business Continuity Awareness Week, and it certainly seems to have slipped out with less of a bang than it started with!  This year’s theme has been Cyber Resilience and, given the world-wide problems with WannaCry, it has certainly been a topical theme!

Today’s story looks more towards business continuity in a more traditional setting, and considers the implications of large-scale changes to an organisation.  It has been announced today that London City airport is to alter the way that it does air traffic control, and will be the first UK airport to use remote digital systems.  This presents huge challenges for continuity and resilience, not least due to the potential impact if something does go wrong over the city.  The reports suggest that there will be 14 high-definition cameras and two cameras which are able to pan, tilt and zoom, each providing a live feed via fibre cables to the operations room in Hampshire.

The reports explain that there will be three different cables, each with different routing; I am presuming consideration has been given to what happens for the last 100m or so of the cabling; I have seen organisations where cabling has been done through different routes and providers, but still enters the building at the same point!  It would also be interesting to know what has been put in place from a business continuity perspective; there are many examples where back-ups to back-ups have failed, such as generators.  From a financial perspective, limitations are required when planning resilience, but all technologies have limitations and may ultimately rely on people; it remains to be seen whether NATS will be able to maintain the skills with a move to digital reliance.  Equally, will adequate plans and procedures have been put in place to ensure a smooth transition to the new arrangements?

Contact Cambridge Risk Solutions to find out how we can help you with business continuity planning, or call us on 0800 035 1231.

Written by Helen Molyneux

A quick summary of the cyber news today, and it is clear that the same key lessons are emerging as have already been noted this week.  The Indian restaurant guide Zomato is reporting the theft of data of some 17 million users.  From the phrasing in their blog, it appears that they have just found the breach, but have not clarified when it occurred, and have stated that ‘So far, it looks like an internal (human) security breach – some employee’s development account got compromised.’  It is interesting to note that, although they state that ‘they take cyber security very seriously’, the actions they are taking now include a ‘layer of authorisation will be added for internal teams having access to this data to avoid the possibility of any human breach.’

Meanwhile DocuSign, who ‘move businesses forward securely and reliably’, have reported that a list of email addresses has been breached, and that customers have been sent phishing emails.  Their website has been effectively used to report on the breach and the investigations, as well as posting a detailed FAQ.  The fact that DocuSign is certified to ISO 27001 has probably helped to ensure that they have effective incident management processes, but this highlights that even companies that have information security management systems in place can still be susceptible to attacks and breaches.  Both the DocuSign and Zomato incidents have had a swift incident response, with clear communications about the steps being taken available on the relevant websites.

In the US, bots are being used to spam a regulator’s website, thought to be some form of protest over a proposed reversal of net neutrality rules.  In this instance, the website is being bombarded with comments, and there are suspicions that stolen data is being utilised in order to make the comments appear real, despite the similarity of the comments.  Also in the US, an Apple software developer has had source code stolen, in a case that demonstrates that even developers can be fooled by the hackers.

All these cases, and more, highlight similar lessons but, in particular, organisations should ensure that information security training is an integral part of business culture, and starts with staff.  Staff need to know which emails are safe to open, and which links should not be clicked.  As stated in ISO 27002, access to information should have ‘rules based on the premise “Everything is generally forbidden unless expressly permitted” rather than the weaker rule “Everything is generally permitted unless expressly forbidden”’.
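The difference between the two ISO 27002 rules is easiest to see in code, and it also explains how the “unjustifiably wide-ranging” third-party access in the TalkTalk incident above comes about. The example below is added here and is not code from the original page or from any of the organisations it mentions; the roles, resources, actions and request log are constructed sample data. It evaluates each request under an allowlist (default-deny) and a blocklist (default-allow) and reports the requests on which the two rules disagree, which is exactly the set of things nobody thought to forbid.

```python
"""Default-deny versus default-allow access rules.

Added example illustrating the ISO 27002 principle quoted above; it is not
code from the original page.  All roles, resources, actions and the request
log below are constructed sample data.
"""

from typing import Dict, Iterable, List, Tuple

Request = Tuple[str, str, str]  # (role, resource, action)

# Constructed allowlist: the only triples that have been expressly permitted.
# Under default-deny nothing outside this set is reachable.
ALLOWLIST = frozenset({
    ("support", "customer_record", "read"),
    ("billing", "customer_record", "read"),
    ("billing", "customer_record", "update"),
})

# Constructed blocklist: the only triples somebody remembered to forbid.
# Under default-allow everything NOT in this set is reachable.
BLOCKLIST = frozenset({
    ("support", "customer_record", "delete"),
    ("billing", "customer_record", "delete"),
})


def default_deny(role: str, resource: str, action: str) -> bool:
    """'Everything is generally forbidden unless expressly permitted'."""
    return (role, resource, action) in ALLOWLIST


def default_allow(role: str, resource: str, action: str) -> bool:
    """'Everything is generally permitted unless expressly forbidden' (the weaker rule)."""
    return (role, resource, action) not in BLOCKLIST


def decisions(requests: Iterable[Request]) -> List[Dict]:
    """Evaluate each request under both rules and flag where they disagree.

    A disagreement can only go one way: the weaker rule permits something the
    allowlist does not.  Each such case is a role, resource or action that did
    not exist, or was not considered, when the blocklist was written.
    """
    out = []
    for role, resource, action in requests:
        strict = default_deny(role, resource, action)
        weak = default_allow(role, resource, action)
        out.append({
            "request": (role, resource, action),
            "default_deny": strict,
            "default_allow": weak,
            "gap": weak and not strict,
        })
    return out


def gaps(requests: Iterable[Request]) -> List[Request]:
    """Return only the requests the weaker rule lets through."""
    return [d["request"] for d in decisions(requests) if d["gap"]]


# Constructed request log.  The last two are the interesting ones: a bulk
# "export" action that was never considered, and a "contractor" role for a
# third-party service provider that was added after the blocklist was written.
SAMPLE_REQUESTS: List[Request] = [
    ("support", "customer_record", "read"),      # expressly permitted
    ("support", "customer_record", "delete"),    # expressly forbidden
    ("support", "customer_record", "export"),    # action never considered
    ("contractor", "customer_record", "read"),   # role never considered
]

if __name__ == "__main__":
    for d in decisions(SAMPLE_REQUESTS):
        print(d)
    print("Let through only by the weaker rule:", gaps(SAMPLE_REQUESTS))
```

The point of the `gaps` report is that a blocklist is only ever as complete as the threat model of the day it was written; every new role (a contractor, a new supplier's staff) or new capability (bulk export, an API) is granted silently. An allowlist fails safe: the new role or action gets nothing until someone makes a deliberate decision to permit it, which is also the moment to ask whether the access is justified at all.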


On a personal level, the need for business continuity planning kicked in this morning.  First a puncture; not normally a problem, but I simply could not get the wheel off the car.  I finally made it in to the office, and found that, after even more Microsoft updates, it took 2 hours to get onto the network with my new laptop, as well as finding that my existing screen does not fit, as technology has moved on and the new laptop does not take a VGA fitting.  All sorts of lessons for business continuity, including fully understanding that things will take longer than expected (particularly when you need them to be quick!), and that technology does move on, so those assumptions that you have made about your recovery strategy may not be quite as easy as you thought, and should be tested!

Contact Cambridge Risk Solutions to find out how we can help you with information security and incident management planning, or call us on 0800 035 1231.

Written by Helen Molyneux