NHS COVID-19 update blocked for breaching privacy rules

The NHS COVID-19 app, run by the Department for Health and Social Care (DHSC), has had its latest update blocked due to a breach in the privacy terms outlined by Apple and Google.

NHS Coronavirus app, available on Apple and Android devices, was designed to include a new feature that would allow users (upon showing a positive COVID test result) to upload a list of all locations and establishments they have visited using a phone scan QR code.

The Exposure Notification System built into the app’s software would then alert other users who had entered the same venue to monitor their symptoms or to immediately be tested. This update relies on location tracking for its function – a tracking type heavily reliant on Bluetooth monitoring of surrounding devices with the app installed – outlawed by Apple and Google privacy agreements.

This is the latest in a calamitous string of COVID app mishaps by the UK Government who had only recently scrapped plans for their own rival system to the Apple and Android contact tracing system.

Total development of the UK based rival tracking app cost £12 million over a 3 month period, but was eventually rejected due to battery life issues, privacy concerns over Bluetooth’s potentially invasive interaction with, and data collection from, other apps installed on the device such as Facebook and Twitter. As a consequence, the Apple and Android app was adopted even with the concerns over restrictions of location data.

As the UK returns to a quasi-normal state with Phase 2 of lockdown lifting measures being rolled out today, this news comes as a blow for the Department of Health who have released a statement reassuring the public that the update blockage does not affect the overall functionality of the NHS COVID-19 app and that there are “discussions ongoing with our partners to provide beneficial updates to the app which protect the public”

Instead of the updated version, the previous form of the app will still be obtainable in both the Google Play and iOS App Stores.


Microsoft cautions against SMS 2FA

Microsoft have announced they will direct users away from SMS 2FA (‘text-based’ two-factor authentication) for security reasons.

Instead, the company will promote multi-factor authentication methods they consider to be more secure – including biometrics and secure authentication apps such as Microsoft Authenticator – for logging into Microsoft services such as Microsoft 365 and Azure.

SMS-based two-factor authentication, where the user typically receives a passcode text message to their smartphone that acts as a secondary confirmation of who they are, has been a staple of online banking and many other secure online services needing two-factor authentication (2FA) for over a decade.

However many now believes even SMS can be intercepted, and would rather sign users onto authenticator apps or issue secure keys with encoded passcode generation.

Official Microsoft statistics state that users who enable Multi-Factor Authentication (MFA) on their accounts to verify identity block 99.9% of all automated account breaches. Using SMS-based two-factor authentication should not ‘stop’ doing so (despite the flaws of SMS, any 2FA is better than none) but users should consider swapping to other methods.

We’ve talked before about the often-predicted ‘death of passwords’ – and possible scenarios for their phasing out, but in recent years a number of big tech firms, including Apple, Google and Microsoft have all suggested their long-term plans that seek to replace passwords with biometric or other forms of login.

However this modification to Microsoft’s advice will see more of a driving force behind MFA as specifically biometric, authenticator app or secure-key based, rather than relying on mobile networks for one-time passcodes.

 

For cybersecurity expertise and support, please contact out IT team today.


Lineal Becomes Keeper Partner

Lineal Software Solutions has become a managed servicer provider for Keeper Password Management.

We tested a number of different Password Management providers, including 1Password and LastPass, but were particularly impressed with Keeper.

Password management is increasingly recognised as a key pillar of cybersecurity: the UK National Cyber Security Centre admits it is ‘virtually impossible’ for users to use unique passwords for all their accounts without software assistance.

Password managers help users remember all their passwords – but can be a much more powerful tool for dramatically limiting the damage in the event of a single account being compromised.

Criminals increasingly use credential-stuffing attacks where automated tools use previously-breached account details to gain access to the user’s other accounts.

A good password manager ensures you can use a strong, randomly generated and distinct password across each of your accounts to prevent any single breach putting other data at risk.

Keeper can also notify users when breached passwords are identified online, integrate with single sign on tools such as Active Directory, and enforce multi-factor authentication – all important considerations for organisations needing to maintain cybersecurity standards across large teams.

For added convenience, Keeper is available via the web, Windows/MacOS desktop clients, browser extension and Android/iOS mobile app.

 

For Cybersecurity advice and expertise, please contact our team today.

 


Lineal Hosts SW Police Cybersecurity Workshop

Local businesses recently gathered at Barnstaple Library for a special cybersecurity workshop organised by the South West Police Regional Cyber Crime Unit and Lineal Software Solutions Ltd.

Thirty participants from firms across the South West took part in a series of lego-based group exercises highlighting key concepts in cybersecurity, as they sought to protect a fictional utilities company from attack by common real-world cyber crime.

The winning team defended their company by spending their budget on the correct countermeasures at each stage of the exercise, and strategically limiting the damage from any breaches in security.

The South West Regional Organised Crime Unit (SW ROCU) is one of nine regional units across England and Wales that delivers specialist capabilities to target and disrupt serious and organised crime. Designed to raise awareness of coordinated digital threats, the cybersecurity workshop session is part of a new educational initiative being run by the Police right across the region.

Group exercises were followed by a short Q&A including advice for businesses on related topics including network best-practice, password policy, physical security, and the Government’s new Cyber Essentials certification.

Lineal’s Head of Technical Services, Matt Norris, explained: “We were to delighted to be able to organise the Cyber Crime Unit to run this very special workshop for local companies: we see cyber attacks becoming ever more sophisticated, and the SWRCCU takes a really positive and constructive approach to educating business owners about how to protect their organisations and employees.”

“Many businesses struggle to grapple with cybersecurity, but help and expertise is accessible.”

 

You can learn more about the South West Police Regional Cyber Crime Unit’s and their educational work across the South West online here.

For IT support and cybersecurity expertise, please contact Lineal today.


4 Brexit Considerations for your IT

With the Government publishing official Brexit guidance, we take a closer look at 4 items likely to be important for the technology of UK businesses:


 

  • .eu Domains

For UK businesses using .eu registered domains, it’s expected that these will not available for purchase or renewal after April 2019.

Official Government guidance is for businesses to purchase .co.uk, .com and/or .uk versions of important domains, and re-direct traffic in case of a ’No Deal’. Such action is likely to be more challenging for domain-linked services such as email.

This is also a difficult prospect for the unprepared: .com domains alone outnumber their .eu counterparts almost 40-1, so UK businesses may find themselves in a race to grab vital digital real-estate. Web developers and marketing teams might also have built significant reputational presence for the .EU versions of their company websites, and won’t relish the prospect of having to start over.

 

  • Mobile Roaming

UK Mobile users abroad currently benefit from EU roaming regulations that limit mobile operators to a default data usage cost of €50, with alerts generated as the mobile user approaches the roaming limit.

Official Government guidance states that in the event of a Deal this limit would continue during the ‘implementation period’ so mobile workers abroad would temporarily be protected against high roaming costs after 1st April.

roaming after brexit

In the event of ’No Deal’ outcome, EU roaming regulations would no longer applies to UK mobile users abroad, and restrictions on how much European mobile operators could charge roaming UK mobile users would be removed.

The Government states UK networks will soon be bound by new UK laws upholding the same financial penalties for their roamers abroad – although these UK-based networks are ultimately responsible for whether roaming services are available via foreign networks. Mobile users working internationally need to be wary when consuming mobile data abroad after 1st April 2019.

 

  • Data Sharing

Whether UK businesses can access customers’ (or any) personal data from the EU will be determined by an ‘Adequacy Decision’ taken by the European Commission; deciding whether UK data protection rules are sufficiently close to those of the EU for data transfers to be permitted.

The UK formally adopted the EU’s ‘General Data Protection Regulation’ (GDPR) during 2018 and will retain this beyond April 2019, suggesting that a common framework for a company’s ‘Legal Basis’ to process personal data is likely. However, the EC have stated this decision will not be taken until the UK leaves the EU.

Government guidance suggests companies dealing with any personal data from the EU, or with operations abroad, proactively seek legal advice to ensure they continue to be legally watertight when transferring data internationally after 1st April.

 

  • Geo-Blocking

‘Geo-blocking’ certain customers online based on their location is currently not permitted, but this restriction will effectively be lifted after 1st April – for UK trading businesses.

This affects many online retailers: for example those who deliver goods ordered online, online services (such as streaming or cloud hosting) or take bookings for services at physical locations (such as ticketing.)

UK businesses trading to the EU will still be expected to uphold EU rules – for example offering the same service to both French or German customers.

However, the lifting of Geo-blocking restrictions effectively opens the door for UK-based online retailers to offer different services to different UK customers, or UK customers when compared to EU customers. Businesses are still advised to seek independent legal guidance for any variations to their service.

 

Businesses can access GOV.uk’s recommended Brexit guidance specific to their business sector here: https://www.gov.uk/prepare-business-uk-leaving-eu


Top Picks: Best GDPR Resources

Be honest, you’ve read some truly useless things online about GDPR. We all have.

The problem isn’t one of enthusiasm: more and more companies are recognising the impending deadline of the new data protection regulations and acting to implement best practice.

There is, of course, a growing industry of consulting firms and data protection advisers trading on businesses’ lack of expertise and frequently, fear of being left behind. Most organisations begin preparing with a spot of Googling, some light reading, and a bit of browsing online GDPR help articles written by experts.

However, the real experts can’t divulge too much free advice (otherwise why contract their services?) thus much of the available articles and blog posts are deliberately vague. The conundrum has already spawned some unfortunate attempts at humour, but doesn’t really help companies attempting to put in place GDPR compliant policy.

All is not lost: there really is some genuinely useful  guidance out there – here are our pick for some of the best GDPR resources:

 

ICO: Eight Practical Steps

ico eight practical GDPR steps

The Information Commissioner’s Office original ‘eight practical steps’ presentation is a series of slides that are exceptionally clear, and can be worked through in stages. A more recent, formal ’12-step’ version also exists, for a more conceptual understanding of the new regulations.

 

GDPR Readiness Assessment from Microsoft

Microsoft GDPR quiz

A little technical at times, this quick quiz is a useful way of thinking further about protection policy, particularly around access control. For further information on how Microsoft can assist with GDPR in the cloud, look for the blue button in the top right hand corner.

 

ICO Helpline

ICO GDPR helpline

The ICO has a little known helpline via which small businesses and charities can consult a member of ICO staff for extra advice – details of which can be found above.

 

IT Governance Compliance Gap Assessment Tool

IT governance GDPR compliance gap assessment tool

Always a strong source of IT expertise and policy, IT Governance have developed a range of ‘Toolkits’ to assist data protection officers and those implementing GDPR within their organisations. These range from the simple £60 compliance gap assessment tool (a handy Excel Spreadsheet you can work through) to more expensive implementation packs and data flow mapping tools.


Are you in the 46%? Studying 2017’s UK Govt. Cyber Security Report

DCMS has published this year’s 2017 UK Government Cyber Security Report, suggesting a staggering 46% of businesses have been hit by a cyber security breach in the past year.

The average cost of a cyber security breach is reported to be £1,570, although larger businesses (of which 68% reported falling victim) show figures of £20,000 or higher.

The polling, conducted by research institute Ipsos Mori, suggests businesses are increasingly seeking external IT or security advice as insurance against potential losses – particularly basic training for non-specialist staff and information on specific threats to their industry.

Certain positives jump out: basic technical standards laid out in the Government’s ‘Cyber Essentials’ scheme have been rolled out by half of all firms (although this was always a low bar, and the report admits that fewer than one in twenty firms have referred to public sector sources for security advice)

More encouragingly, the most common cyber breaches all involve an element of preventable human error: those reporting a breach in cyber security cited the most common cause as staff clicking links in fraudulent emails (72%) with other typical risks including viruses, spyware & ransomware (33%) and impersonation (27%.)

Specific dangers identified included:

  • Less than 40% of businesses have segregated WiFi networks, or any rules for encrypting personal data.
  • More than 70% do not have any input from someone responsible for IT security at a senior level.
  • Only 20% have run any kind of cyber security training in the last 12 months.

 

With the planned changes next year brought about by the introduction of the General Data Protection Regulations (GDPR), the potential costs associated with a data breach could be set to rise. Having measures in place to mitigate this risk well in advance is sound advice.

 

For IT Security support and advice, contact Lineal today: 01271 375999


2017: Be Prepared

2017

With data security making national news headlines, 2017 is only likely to put increasing pressure on businesses of all sizes to take sensible precautions.

But with IT moving so fast, what innovations are likely to lead the way through 2017? Exactly what sensible precautions will most tech-savvy companies be taking?

 

Cloud is good…

The worldwide push for ever more cloud-based systems appears to be unstoppable. A recent report from Synergy Research Group has suggested the global market for cloud computing grew by 25% to September 2016, reaching a staggering $148 billion in value.

It’s hard to see this not continuing, with companies relying on the convenience and automation of stashing growing quantities off-site backups in the cloud – using services like Office 365 as their private vault. As we’ve covered before: holding assets like email in the cloud actually gives you better protection than most people’s private server.

 

…..But Hybrid Cloud is better still.

But 2017’s smartest will be looking further ahead to Hybrid Cloud systems. As IT Pro recently noted, many companies report using more than 5 backup systems, but have no planning for speed of recovery should that data actually be needed urgently during 2017.

Getting all that data back may present a problem if your organisation is large, meaning hybrid on-site/cloud services like Lineal’s Disaster Recovery Service are likely to become the most flexible middle option. Keeping both a synchronised backup on-site, and a copy with a relatively local cloud service, leaves even the most vulnerable business with the maximum number of options.

 

Change your passwords

If you don’t already change passwords regularly, the security benefits cannot be overstated. Stolen data can often be circulated on the internet many times, so changing passwords regularly keeps not only your business secure, but helps prevent repeat data theft from being profitable. 

Whilst everyone still has a ‘New Year’ mindset and are prepared to accept a little change, it’s worth updating those passwords company wide. Remember to use a variety of different characters and choose something only you would ever guess.

 

Have a 2017 Plan A…. and a Plan B

Ransomware increasingly appears to be the organised criminal world’s cyber-weapon of choice and shows no sign of abating; expect to see more big UK high-street names get compromised this year by malicious emails. 

Antivirus companies may include ever more sophisticated heuristics to intercept malicious downloads before they begin encrypting your files, but ultimately only safe backups will ensure you can always restore to a clean set of data. Every firm should have a ‘Plan B’ for how to carry this out.

 

It’s all about Recovery Time

Expect to see Disaster Recovery (not just back-up and contingency) become a by-word for preparedness, with companies and organisations in every sector being judged not just by their number of backups, but by their costly hours of down-time. 

So if nothing else, start 2017 with an old piece of technology: a pen and paper. Work out what your business’ data recovery plan actually is, and how long it will take –  should the very worst happen.

 

Lineal can provide a range of IT security and business continuity solutions: contact our team today.


The Windows 10 update you didn’t notice

 

Windows 10.1 updates security

With ‘Windows 10.1’ now barely a month old, and the Microsoft operating system already running on over 12 million business PCs, how fares Microsoft’s free updates strategy?

Windows 10.1 update was released with relatively little fanfare (be honest, you didn’t notice) adds features that, understandably with hindsight, might have been a distraction at the main Windows 10 release back in July.

Packaged within were mainly performance and security upgrades – Windows 10.1 will now boot almost 30% faster than an old Windows 7 system on the same device, the Cortana virtual assistant has some new handwriting recognition skills and there are new enterprise tools for mobile devices. Microsoft Edge runs smoother too, offering previews of tabs before viewing and syncing favourites across devices.

Most importantly, after recent corporate data breaches in the news, Microsoft have added a range of new security safeguards. These including ‘Windows Hello’, supporting enterprise grade biometrics including fingerprint and facial recognition – sadly currently only available for US users.

Aside from controversy surrounding user privacy then (if you didn’t notice your Windows 10.1 update, that’s maybe because Microsoft installed it automatically on your device without asking you) the first free update went ahead with relevant additions and limited fuss.

Starting free updates officially moves Microsoft into line with Apple’s OS X business model that has become the industry standard. Yet limited promotion of Windows 10’s ongoing development risks downplaying Microsoft’s progress.

Which would be unfair, because Microsoft is plainly taking extra care to develop the business security of their product range, including the excellent Office365, Microsoft Azure and now Windows 10.1. Microsoft is clearly listening to business’ fears, and businesses should welcome it.

 

For help and support with Microsoft enterprise IT, contact Lineal today.


Bloxx announces discontinuation of products

bloxx

Bloxx to become part of Akamai Technologies

Web filtering provider Bloxx have announced that they will be ceasing support for their products and services, following a shock email from the company’s Chief Executive.

The move comes as part of a cash deal takeover bid by cloud services firm Akamai Technologies, announced on 2nd November 2015, and will see an end to the sale of all Bloxx products.

Bloxx has a good reputation in the UK and beyond for delivering a strong feature set in their appliances that are used to filter online content delivered in sensitive environments. Their products are commonly implemented by educators, healthcare providers, local authorities and businesses.

Although existing contracts will be honoured, those who have invested in physical Bloxx hardware may well find the lifespans are now limited, with little indication of whether Akamai will offer suitable replacements.

Bloxx’s impressive record has drawn the attention of national media before, with the Edinburgh based-company receiving hate mail from teenagers unable to access restricted websites on school computers even with a range of proxies.

With online security stories dominating the news in recent weeks, wider awareness of the need for web, social media and email monitoring is likely to only increase demand for such products. It remains to be seen whether interested parties will consider a cloud-based offering from Akamai to be sufficient, especially when it comes to security and bandwidth management.

Need help with online content filtering and network security for your organisation? Speak to Lineal today: call 01271 375999 or email [email protected]


Keeping your business IT secure – What’s the perfect password?

IT-Security

How to keep your IT Secure

Data breaches can lead to a massive loss of trust among customers, so how do you ensure your IT remains secure?

Despite what many online sign-up forms would suggest, the ‘strongest’ password is not necessarily long and complicated. Whilst complexity makes a password harder to guess or crack with a ‘brute force’ testing of combinations, most security breaches occur from stolen passwords, either physically or by malware attacks.

Very complex passwords do not help in this respect: users still need other IT security, such as antivirus software, errors are more common when typing (particularly on handheld devices) and employees may find complex passwords harder to remember – undermining data security by writing down their login details. The ubiquitous sticky note attached to the monitor is still a trusted solution to working with complex password policies in some organisations!

Routine password changes are a sensible precaution for most businesses, but can make it harder for employees to remember their passwords, leading to the same problem in which users are locked out of work accounts, copy passwords across accounts, or write passwords down at risk of theft.

Phrases can help avoid this problem by making passwords easier to recall: ‘Lineal15theB3st’ is preferable to a 15-digit numeral because a touch of personality adds memorability. Beware profanity though – just imagine trying to explain it to technical support later on!

Here at Lineal we’d also advise against ‘Remember Me’ automated sign-in functions, as well as Windows 10’s new Wi-Fi password sharing ‘Wi-Fi Sense’ Feature, as these make your chosen password redundant.

If you want to see where the future of online security is going, follow the money: most online banking incorporates a two-stage authentication process, requiring both a password and a unique alert code texted to the customer’s mobile phone for identification. This is already a free optional setting for Google, Facebook, Twitter and other popular websites.

Lineal’s advice is to stick to the following basics:

Avoid physical theft:

  • Don’t write your passwords down on a post-it note on your desk! Microsoft has a practical tip: if you absolutely must write a password down, do so in a safe place, without labeling it as a password or to which account it refers. Substitute words should also be used to hide the true password, for example writing ‘Fruit8£’ could refer to a password of ‘Apple8£’.
  • Don’t use an easily guessed word, such as your name, your company’s name, 1234, the name of something on your desk, the word ‘password’, or anything similarly obvious.
  • Never tell anyone your password, and change your password if you suspect it has been compromised.

Ease of Access:

  • If you struggle to remember your passwords, use a password storage program to store some of them. Remember to use a secure password for the program.
  • Mitigate against your own forgetfulness by setting up alternate password recovery options, allowing you to choose more varied, difficult passwords.
  • Consider where users will need to log in from – take full advantage of using numbers and special characters ( ! , £, %, * etc.) for keyboard users.

Preventing digital theft:

  • Use different passwords for your most important accounts, such as online banking.
  • Use two-stage authentication.
  • Maintain up to date anti-virus security software and firewalls on your work desktops, and don’t download untrusted software or open suspicious emails which could be phishing or contain password stealing malware.
  • Consult IT specialists to ensure office networks are protected from outside attacks.

Your security should always be strong enough to give peace of mind. Lineal can provide expert advice and support for securing your IT systems: why not get in contact with us here?

More from Lineal News

Flikr: Jason Baker