Urban Fantasist
We love the new banner for the 2017 SCI-FI-LONDON Film Festival (27 April to 6 May). We've also got some exciting news about the Flash Fiction Challenge – further details soon.
Guest cybersecurity comment by Tim Hyman* of 2Twenty4 Consulting

The General Data Protection Regulation (GDPR) is the most significant development in data protection that Europe, possibly the world, has seen over the past twenty years. There is a much greater emphasis on accountability, and the principal aim is to move control back to the end user or data subject. To reinforce this there are many new auditable obligations, and whilst the maximum penalty of 4% of global revenue grabs the headlines there are a number of other significant changes. One of these relates to the lesser known penalty of 2% of global revenue for administrative non-compliance. New powers of audit mean that a data breach is not required before penalties kick in: lack of the appropriate documentation and/or protective processes is enough to warrant a penalty.

The person responsible for overseeing and maintaining the new compliance requirements is the DPO or Data Protection Officer. Not all businesses will be obliged to appoint one, but even those that do not will still need someone to monitor compliance, take responsibility for data processing records, and liaise with the authorities and data subjects.

GDPR states that a firm will require the appointment of a DPO in the following circumstances. Data controllers (law firms) and processors (cloud service providers) shall designate a data protection officer in any case where:

• the processing is carried out by a public authority or body;
• the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, require regular and systematic monitoring of data subjects on a large scale; or
• the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9.

For law firms, it is the last of these categories that will almost certainly apply.
Having someone responsible for Data Protection is nothing new, and it should be a straightforward conversion from the existing COLP or Head of Compliance to the new formal DPO role.

DUTIES

The duties of the DPO are unsurprising, but with the additional requirement to deliver internal user awareness, which, when aligned with existing Information Security education, will be a welcome addition to other compulsory learning such as anti-money laundering. DPO duties include:

• to inform and advise the law firm of their obligations pursuant to this Regulation;
• to monitor compliance with GDPR;
• awareness-raising and training of staff;
• internal audits;
• to provide advice regarding the data protection impact assessment and monitor its performance;
• to cooperate and act as the contact point with the supervisory authority.

Perhaps more interesting, however, and the reason for a close IT/DPO alliance going forward, are the new obligations of a business regarding the role.

LAW FIRM OBLIGATIONS

All firms will have the following obligations to a DPO once one is in place:

• ensure that the data protection officer is involved in all issues which relate to the protection of personal data (this will include IT solutions and services);
• provide the resources necessary to carry out those tasks, and access to personal data and processing operations;
• the DPO shall not be dismissed or penalised by the firm for performing his or her tasks;
• the DPO shall report to the highest management level of the firm.

The fact that a firm is obliged to ‘provide the resources necessary’ represents an excellent opportunity for IT to work with the DPO to achieve the appropriate budget and resources to deliver a robust Information Governance strategy – something that IT Directors have been struggling to justify on best practice principles as opposed to obligation.
So, with the DPO responsible for ensuring appropriate data protection measures are in place, and with the new power to ensure resources are provided, a much closer alliance between IT and Risk will be the ideal way to provide the technical and legal expertise required to ensure compliance. This is also borne out in the work needed to prepare the business for the May 29 2018 compliance deadline. To develop a GDPR Compliance Plan, it is first necessary to document current data practices and processes and understand any risk. This is achieved by first carrying out an Impact Assessment, which can be broken down into three phases: Discovery, Risk Assessment and Mitigation Planning.

IMPACT ASSESSMENT

A Data Protection Impact Assessment is a tool designed to enable firms to work out the risks inherent in proposed data processing activities, either before the legislation deadline in May or, in future, when planning a new system or process. This, in turn, enables firms to address and mitigate those risks before the processing begins. It may even be mandatory: where a new processing activity is proposed (especially where new technologies will be used) that results in a high degree of risk for data subjects, the controller must first conduct an Impact Assessment. A single Impact Assessment can cover multiple processing operations that present similar risks. Essentially the Impact Assessment has three key activities:

Data Mapping: a comprehensive and documented survey of all systems and processes where personal data is at play.
Risk Assessment: an assessment of potential non-compliance based on the findings of the data and process mapping.
Mitigation Plan: a documented approach to the risks discovered, using a REMOVE, REMEDIATE or ACCEPT approach.
GDPRREADY COMPLIANCE FRAMEWORK

To assist firms with the initial preparation phase, including the Impact Assessment, we have developed a GDPRready Compliance Framework that has four key phases.

Step 1 – EDUCATE
GDPR Overview Workshop – an onsite workshop to build GDPR awareness and secure buy-in with your key internal stakeholders, custom-tailored to the needs of your firm.
GDPR Assessment Workshop – a workshop for internal staff responsible for owning the assessment process.

Step 2 – DISCOVER
Impact Assessment – using our GDPRready Data Register and GDPRready Impact Assessment templates you will document data flows, gap analysis, risk assessment and remediation plans.

Step 3 – PLAN
GDPR Preparation Plan – document the actions needed to prepare for and maintain GDPR compliance. Understand the budget required and the systems and processes that require modification.

Step 4 – MAINTAIN
Maintain compliance by aligning processes with our 12 best practice Information Security policies.

SUMMARY

GDPR is only 18 months away, and any firm that has already started an Impact Assessment will know that they need all the time available to prepare. This is a business project, owned at boardroom level but best managed and delivered by the IT/Risk team. It is an excellent opportunity for IT to provide leadership in a high-profile business project, get budget for Information Governance projects and the now mandatory Security Awareness training, and provide Impact Assessment advice to the firm’s clients. The Data Protection Officer will have a far-reaching range of new responsibilities and powers – make them your best friend.

* Tim Hyman is also producing The Essential Guide to GDPR – email HERE for details.

Greg Bufithis, a writer, digital/telecom attorney and founder of GP Media Studios/The Project Counsel Group, has just reported back from attending the annual Slush event in Helsinki last week...

"More than 17,500 people came to Helsinki for the annual Slush event, which matches startups with investors.
Bigger than almost any other event, the 2300+ startups came from around the world to match-make with 1100+ investors, plus attendees that just want to see the next "new new thing". Held at the Messukeskus Convention Centre ("cyberpunk gothic-tech" as noted by many) it was wall-to-wall with applications that ranged from AI applied text analytics/text extraction to augmented reality to chat bots to food to robotics. I think after Brexit and Trump it was an affirmation that technology and innovation is thriving in a country that gave birth to Linux (still the most influential operating system in the world) and Nokia. Oh, and Angry Birds. Oh, and Clash of Clans, too.

"As I have written before, European technology (and more generally, technology outside of the U.S.) has now broken the mould of trying to be the next Silicon Valley and created its own identity and momentum. U.S. companies ... Apple, Cisco, Facebook, Google, IBM, Microsoft, etc., etc. ... were here in force because, as one attendee told me: "there are something like 4.8 million professional developers in Europe compared to 4.1 million in the U.S. Given Trump's threats to curtail work visas, we need to be here looking for talent for our research and development centers."

"As I have noted before, in the last two years U.S. companies have opened more new R&D centers in Europe than in the U.S. or anywhere else in the world."

The Slush event is described as a Burning Man meets TED event (with rock music) and is now Europe's leading event for startups and the focal point for the Euro tech scene. The 2017 Slush event is scheduled for 30 November to 1 December 2017. Another event Greg recommends is the Cannes Lions conference for the advertising and media industries, which also has a big focus on the impact of technology, the visualization of data, creativity, and how to create a high level of quality storytelling.
The next Cannes Lions runs 17 to 24 June 2017.

The owner of my local art supplies shop found this hare as roadkill, had it preserved by a professional taxidermist, and now it enjoys a degree of immortality as a model for artists and sculptors.
So why do tech journalists never take industry "gurus" seriously? Here's the thing: if you have a real job* and are at the sharp end of technology R&D and innovation, then we want to hear from you. Unfortunately, the majority of "gurus" don't have real jobs – their only vocation is travelling the world being a professional guru. (*Sorry to any academics out there, but unless you work in a seriously boffin-intensive field – science, engineering etc – then you also don't qualify as having a real job.)

If you can walk the walk then we are happy to listen to you talk the talk. But if you are just talk, talk, talk, then you are not a guru, you are just a consultant flogging your services, latest book, report or whatever. Incidentally, "gurudom" is not a status you can confer upon yourself. You are only a guru if other people say you are – and those "other people" do not include your mother or your publicist! If someone were to publicly announce that they were "beautiful" or "charismatic", we'd all laugh at their deluded vanity. The same applies to self-anointed gurus. As for "social media mavens" and "LinkedIn ninjas"... pass the sick-bag, Alice, as the great newspaper editor and columnist John Junor would have said.

Yesterday it was reported that both TalkTalk and Post Office broadband customers have had their online access cut by an attack targeting certain types of internet routers. A spokeswoman for the Post Office told the BBC that the problem began on Sunday and had affected about 100,000 of its customers. TalkTalk also confirmed that some of its customers had been affected, and it was working on a fix. It is not yet known who is responsible for the attack. (It would also appear that local telco KCOM in Hull suffered similar problems last Saturday.)
In the light of these developments, Andy Green, a senior technical specialist at Varonis, comments:

The lesson that should be learned from these ongoing Mirai attacks is just how vulnerable we were as a result of our own IT laziness. Sure, we can excuse harried consumers for treating their home routers and IoT gadgetry like toasters and other kitchen appliances – just plug it in and forget about it. So what excuse do professional IT types have for this rookie-level behaviour? Not much!

Unfortunately, default-itis still plagues large organisations. As long ago as 2014, the Verizon DBIR specifically noted that for POS-based attacks, the hackers typically scanned for public ports and then guessed for weak passwords on the POS server or device – either ones that were never changed or were created for convenience, “admin1234”. This is exactly the technique used in the Mirai botnet attack against the IoT cameras. Even if hackers use other methods to get inside a corporate network (phishing, most likely) they can still take advantage of internal enterprise software in which default accounts were never changed.

For those organisations who think that the Mirai botnet incident has nothing to do with them, or have to convince their board of this, here are two points to consider.

1. The lesson of the Mirai botnet attack is that the perimeter will always have leaks. For argument’s sake, even if you overlook phishing scenarios, there will continue to be vulnerabilities and holes in routers, network devices, and other core infrastructure that allow hackers to get inside.

2. Human nature tells us that IT will also continue to experience default-itis. Enterprise software is complicated. IT is often under pressure to quickly get apps and systems to work. As a result, default accounts and weak passwords that were set for reasons of convenience – thinking that users will change the passwords later – will always be an issue for organisations.

You have to plan for attackers breaching the first line of defences, and therefore have in place security controls to monitor and detect intruders. In a way, we should be thankful for the “script kiddies” who launched the Mirai botnet DDoS attack: it’s a great lesson for showing that companies should be looking inward, not at the perimeter, in planning their data security and risk mitigation programs.
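The comment above rests on two defensive points: accounts left on vendor defaults, and monitoring for intruders on the assumption that the perimeter leaks. The Python script below is an added example written for this page; it is not part of the original post and not Varonis tooling. It runs a small sliding-window detection over constructed sshd-style log lines (invented here, not real traffic): it flags a source address that cycles through well-known default account names, flags a login that succeeds right after a run of failures from the same source, and reports which default-named accounts are still accepting logins at all. The log format, the watchlist of default names and the thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd-style auth events (invented for this example, not real traffic).
# One source cycles through default account names and eventually gets in; another is a
# legitimate user who mistypes a password once and then logs in normally.
SAMPLE_LOG = """\
Nov 28 03:14:01 gw1 sshd[2101]: Failed password for admin from 198.51.100.23 port 40122 ssh2
Nov 28 03:14:03 gw1 sshd[2103]: Failed password for root from 198.51.100.23 port 40130 ssh2
Nov 28 03:14:05 gw1 sshd[2105]: Failed password for support from 198.51.100.23 port 40141 ssh2
Nov 28 03:14:07 gw1 sshd[2107]: Failed password for admin from 198.51.100.23 port 40150 ssh2
Nov 28 03:14:09 gw1 sshd[2109]: Accepted password for admin from 198.51.100.23 port 40162 ssh2
Nov 28 03:20:44 gw1 sshd[2188]: Failed password for alice from 192.0.2.10 port 51012 ssh2
Nov 28 03:20:51 gw1 sshd[2190]: Accepted password for alice from 192.0.2.10 port 51013 ssh2
"""

# Assumed watchlist of vendor-style default account names that should have been renamed or disabled.
DEFAULT_ACCOUNTS = {"admin", "root", "support", "user", "guest"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text, year=2016):
    """Turn syslog-style lines into event dicts; syslog omits the year, so it is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def detect(events, window=timedelta(seconds=60), threshold=3, min_failures_before_success=2):
    """Sliding-window detection per source address.

    Raises 'default_account_guessing' when a source accumulates `threshold` failures inside
    `window` and at least one of the tried names is on the default-account watchlist, and
    'success_after_failures' when a login succeeds after a run of failures from the same source.
    A single mistyped password followed by a success stays below the second rule's floor.
    """
    alerts = []
    recent_failures = defaultdict(list)  # src -> [(ts, user), ...] still inside the window
    last_alert = {}                      # src -> ts of last guessing alert, to avoid re-alerting

    for ev in sorted(events, key=lambda e: e["ts"]):
        src, ts = ev["src"], ev["ts"]
        fails = recent_failures[src]
        while fails and ts - fails[0][0] > window:
            fails.pop(0)  # expire failures that fell out of the window

        if ev["result"] == "Failed":
            fails.append((ts, ev["user"]))
            users = {u for _, u in fails}
            recently_alerted = src in last_alert and ts - last_alert[src] <= window
            if len(fails) >= threshold and users & DEFAULT_ACCOUNTS and not recently_alerted:
                last_alert[src] = ts
                alerts.append({"type": "default_account_guessing", "src": src,
                               "attempts": len(fails), "users": sorted(users), "ts": ts})
        else:  # Accepted
            if len(fails) >= min_failures_before_success:
                alerts.append({"type": "success_after_failures", "src": src,
                               "attempts": len(fails), "users": [ev["user"]], "ts": ts})
            fails.clear()  # a success ends the run for this source either way
    return alerts


def default_accounts_in_use(events):
    """Default-named accounts that still accept logins: candidates for renaming or disabling."""
    return {e["user"] for e in events
            if e["result"] == "Accepted" and e["user"] in DEFAULT_ACCOUNTS}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for a in detect(evs):
        print(f"{a['ts']:%H:%M:%S} {a['type']:<26} {a['src']:<15} "
              f"attempts={a['attempts']} users={a['users']}")
    print("default-named accounts still in use:", sorted(default_accounts_in_use(evs)))
```

On the sample data the first source trips the guessing rule on its third failure (admin, root, support inside eight seconds) and then the success-after-failures rule when the fourth attempt gets in, while alice's single typo followed by a normal login raises nothing; the final line lists "admin" as a default-named account that is still live, which is the inventory question the comment says organisations keep neglecting.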
Charles Christian was an English barrister, Reuters correspondent-turned editor, author, blogger, podcaster, award-winning tech journalist, storyteller, and sometime werewolf hunter, who sadly passed away in 2022.
Prior to his sudden death he completed one of his largest works to date: The Witches Almanac, the definitive guide on the history of magic and folklore, including 359 of the most important witches and sorcerers in history. This site also has links to Charles' books and the Weird Tales Show videos and podcasts.

Latest book: The Wold Newton Triangle

Virtual Tip Jar
You can now support Urban Fantasist, its podcasts and its new video channel through our Virtual Tip Jars on PayPal and Patreon, giving you a choice of ad hoc or regular payments.
Contact Details
Email: urbanfantasist@icloud.com
Tel: +44(0)1986 788666
Tel/Txt: +44(0)7786 738172
WhatsApp etc: +44(0)7786 738172
Skype: ChristianUncut
Twitter: @urbanfantasist

Quote, Unquote
"The only way to keep folklore alive is to share it" ...comment from viewer on YouTube channel
"Charles Christian... a man of paranormality" ...Howard Hughes, Talk Radio UK
"Cynicism has always been a part of your (very impressive) brand" ...Kirk Fackre
"Your storytelling set the scene for a fascinating evening of stunning music and terrifying drama" ...Chris Caswell
"I can't help myself. Yesterday, I went back to this post over and over again and it made me laugh out loud each time. So now I'm bringing it to all my followers with the recommendation to follow Charles Christian because he posts lots of stuff that brightens my day and will brighten yours, too" ...LinkedIn commentator
"A great witty intelligence in the world. We need more CC and less monkey-brained politicians" ...Julia Bohanna
"I love your posts, always something interesting to read and often funny" ...Karen Morton
"I was saddened to see you have retired your podcast. I never would have found your books without it. Well, if a good story deserves rereading, a good podcast demands relistening. Looking forward to your next stage with the time this change will afford you. Happy Trails, Pardner" ...Jonathan Neuhaus
"You are a great and generous host" ...Patti Negri, The Hollywood Psychic
"I host a daily morning show in Las Vegas and I like your shows very much. I love the way you pace your voice and thoughts, it is fantastic, and you have a way of making your guest interviews sound more like conversations. Just wanted to let you know" ...Clay Baker
"The ever wonderful Charles Christian and his Weird Tales Show" ...Into The Portal Podcast
"The Master of Mysteries & Folklore" ...Fantasy Radio UK
"The witty and knowledgeable Charles Christian."
"We polled our fans on their favorite podcasts and that's how I heard of Weird Tales Show. You are well loved by the geekiverse, and fans of folklore history and monsters!"
"Charles Christian is really out there cool."
"Charles Christian definitely makes my world a brighter, funnier place."
"The legendary Charles Christian at his eclectic best..."
"Charles Christian is my inner spirit animal, thank you for making me laugh."
"You always make me laugh! Thank you for brightening my day with your dark humour."
"the funny, wonderful and slightly cantankerous Charles Christian"
Copyright © Charles Christian & Urbanfantasist Limited 2022