This week’s Knowledge Update covers how every NHS Trust has failed its Cyber Essentials assessment, a flaw in how TLS/SSL certificates are exchanged that allows covert data transfer, and fines of up to £17m for businesses with poor cyber security.
All NHS Trusts have failed their Cyber Essentials
A parliamentary committee has said that every NHS Trust has failed to meet the recommended data security standards.
Rob Shaw, NHS Digital’s deputy chief executive, told a Public Accounts Committee hearing that after 200 on-site assessments had been completed, no Trust had met the recommendations set out by Dame Fiona Caldicott, the National Data Guardian for Health and Care, who also chairs the Oxford University Hospitals NHS Foundation Trust.
The National Data Guardian set out 10 data security standards, which the government confirmed in July 2017. Among them is certification under the government-backed Cyber Essentials Plus scheme.
Protecting customer data is a legal duty. Cyber Essentials provides a UK government-backed framework that businesses can use to improve their information security. More information can be found here.
A Flaw in TLS/SSL Certificates allows covert data transfers
According to Jason Reaves, a threat research principal engineer at Fidelis Security, there is a flaw in the way certificates are exchanged that could allow them to be abused as a covert channel for Command-and-Control (CnC) communications. Because the smuggled data travels inside the handshake itself, the technique also bypasses common security controls.
The certificates are exchanged during the TLS handshake, before the encrypted connection is established, and the technique works by placing arbitrary binary data into the certificates themselves. Reaves has demonstrated a system that can send and receive data this way from both the client side and the server side.
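The mechanism above at the X.509 encoding level, as an added example that is not code from the original page or from Reaves’s research: a minimal DER encoder builds a certificate extensions block carrying an ordinary basicConstraints extension plus one extension whose value is an arbitrary payload, and a detector walks the DER and flags any extension with an OID outside a known set or with an oversized value. The covert extension’s OID (a made-up private-enterprise arc), the 256-byte size threshold and the sample payload are assumptions; the page does not say which certificate field the research used.

```python
"""Added example, not the page's or Fidelis's code: smuggle bytes inside an
X.509 extension, then detect it by walking the certificate's DER extensions.
The covert OID, the size threshold and the payload are assumptions."""

# ---- minimal DER encoder ---------------------------------------------------
def der_len(n: int) -> bytes:
    """Encode a length in DER short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))

def der_extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    body = der_oid(oid)
    if critical:
        body += der_tlv(0x01, b"\xff")
    body += der_tlv(0x04, value)
    return der_tlv(0x30, body)

# ASSUMED private-enterprise OID (1.3.6.1.4.1.<PEN>.1 with a made-up PEN).
COVERT_OID = "1.3.6.1.4.1.99999.1"

def build_extensions(covert_payload: bytes) -> bytes:
    """Extensions block: a normal basicConstraints (CA=FALSE) plus the covert carrier."""
    basic_constraints = der_extension("2.5.29.19", der_tlv(0x30, b""))
    covert = der_extension(COVERT_OID, covert_payload)
    return der_tlv(0x30, basic_constraints + covert)

# ---- minimal DER decoder / detector ----------------------------------------
def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_extensions(der: bytes):
    """Return a list of (oid, critical, extnValue bytes) from an Extensions SEQUENCE."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    pos, result = 0, []
    while pos < len(seq):
        _, ext, pos = _read_tlv(seq, pos)
        _, oid_bytes, p = _read_tlv(ext, 0)
        t, item, p = _read_tlv(ext, p)
        critical = False
        if t == 0x01:                      # optional BOOLEAN before extnValue
            critical, (t, item, p) = item == b"\xff", _read_tlv(ext, p)
        result.append((decode_oid(oid_bytes), critical, item))
    return result

# Extensions a typical leaf certificate is expected to carry (RFC 5280 arcs).
KNOWN_EXTENSIONS = {"2.5.29.14", "2.5.29.15", "2.5.29.17", "2.5.29.19", "2.5.29.31",
                    "2.5.29.32", "2.5.29.35", "2.5.29.37", "1.3.6.1.5.5.7.1.1"}

def find_covert_extensions(der: bytes, max_value_len: int = 256):
    """Flag extensions with an unknown OID or a value larger than max_value_len (assumed threshold)."""
    flagged = []
    for oid, _critical, value in parse_extensions(der):
        reasons = []
        if oid not in KNOWN_EXTENSIONS:
            reasons.append("unknown OID")
        if len(value) > max_value_len:
            reasons.append(f"oversized ({len(value)} bytes)")
        if reasons:
            flagged.append((oid, len(value), reasons))
    return flagged

if __name__ == "__main__":
    payload = b"beacon:" + bytes(range(256)) * 2       # constructed sample CnC payload
    ext_block = build_extensions(payload)
    for oid, size, reasons in find_covert_extensions(ext_block):
        print(f"suspicious extension {oid}: {size} bytes, {', '.join(reasons)}")
```

The same walk can be pointed at a real certificate by locating the `[3] EXPLICIT Extensions` element inside the TBSCertificate; the two checks (OID allow-list and value size) are what a TLS inspection control would need to apply to handshake traffic it otherwise passes through uninspected.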
Implementing DMARC, encryption and digital signatures across your business will help protect your sensitive data and reduce phishing attacks. More information on implementing DMARC can be found here, or contact the London Digital Security Centre here.
Fines up to £17m for firms with poor cyber security
The government has announced that companies that fail to protect themselves effectively against cyber-attacks will be liable for fines of up to £17m.
Regulators will be able to inspect the cyber-security measures that companies in sectors such as energy, transport, water and health have put in place.
However, in August last year Matt Hancock, the former Digital Minister, said that imposing these fines would be a “last resort”.
Margot James, the current Minister for Digital, said: “We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and resilient against major disruption to services”.
Organisations should ensure that staff are appropriately trained in regard to regulations such as the Data Protection Act (a checklist can be found here).
More information on flaws and the risks they pose can be found here.