L2 Cyber Security Solutions Ltd.

Cyber Security for Charities

Liam — Wed, 10 May 2023 20:49:56 +0000

In today’s digital landscape, charities face increasing cyber threats that can compromise sensitive data and damage their reputation. Safeguarding your organisation’s information is crucial to maintaining trust and ensuring the continuity of your charitable work. By implementing simple cyber security measures, you can significantly enhance your defences. In this post, I will explore valuable tips to help your cyber security for charities and enable you to bolster your cyber security posture.

Use Multi-factor Authentication (MFA):

Implementing MFA adds an extra layer of security to your accounts by requiring multiple forms of authentication. This significantly reduces the risk of unauthorised access even if a password is compromised. Enable MFA for your email, cloud storage, social media and other critical business applications.

Implement Strong Password Policies:

Encourage your staff and volunteers to use complex passwords that include a mix of letters, numbers, and symbols. Discourage them from reusing passwords across different accounts. Consider implementing a password manager to securely generate and store strong passwords.

Educate Your Staff and Volunteers:

Start by ensuring that all staff and volunteers are aware of the importance of cyber security. Conduct at least annual training sessions to educate them about potential threats, such as phishing emails and suspicious websites. Teach them how to create strong, unique passwords and emphasise the significance of MFA.

Update Software Regularly:

Outdated software can leave your charity vulnerable to cyber attacks. Regularly update your operating systems, applications, and security software to ensure you have the latest patches and bug fixes. Enable automatic updates whenever possible to streamline the process.

Backup Your Data:

Regularly backing up your charity’s data is crucial. Choose a secure, reliable cloud-based backup solution or an offline backup method to protect your critical information. Test the restoration process periodically to ensure the backups are functioning correctly.

Secure Your Wi-Fi Network:

A secure Wi-Fi network is vital for protecting sensitive charity data. Change the default router password and ensure that you use strong encryption, such as WPA2 or WPA3. Additionally, create a separate guest network for visitors and ensure that it is isolated from your internal network.

So that is how you can do cyber security for charities

Cyber security is of paramount importance for charities, as it protects sensitive data and preserves the trust of supporters. By following these essential cyber security tips, charities can significantly strengthen their defences against cyber threats. Maintain a proactive approach to cyber security for charities, regularly review and update your security measures, and stay vigilant to evolving risks. With robust cyber security measures in place, your charity can continue making a positive impact while safeguarding its digital assets.

L2 Cyber Security can help you with all of the above if you want

We are a completely independent cyber security consultancy. We have no solutions or products to sell and are a small business, so we can focus on delivering appropriate and relevant services to this sector. Also, we offer a 10% discount on all of our standard rates to registered charities.

If you want to carry out your own cyber risk assessment, we suggest that you use the ENISA (the EU Agency for Cybersecurity) on-line assessment tool.

Let’s be careful out there.

#SecuritySimplified

The post Cyber Security for Charities appeared first on L2 Cyber Security Solutions Ltd..

Cyber Security for Small Business

Liam — Wed, 10 May 2023 17:20:24 +0000

In today’s connected world, small businesses are increasingly vulnerable to cyber threats. Protecting your business from potential breaches and data leaks is essential for maintaining trust and safeguarding your reputation. Fortunately, there are simple steps you can take to enhance your cyber security. In this post, I will discuss some valuable tips to help your cyber security for small business and stay safe in the online realm.

Use Multi-factor Authentication (MFA):

Implement Strong Password Policies:

Encourage your employees to use complex passwords that include a mix of letters, numbers, and symbols. Discourage them from reusing passwords across different accounts. Consider implementing a password manager to securely generate and store strong passwords.

Educate Your Staff:

Start by ensuring that all employees are aware of the importance of cyber security. Conduct at least annual training sessions to educate them about potential threats, such as phishing emails and suspicious websites. Teach them how to create strong, unique passwords and emphasise the significance of MFA.

Update Software Regularly:

Outdated software can leave your business vulnerable to cyber attacks. Regularly update your operating systems, applications, and security software to ensure you have the latest patches and bug fixes. Enable automatic updates whenever possible to streamline the process.

Backup Your Data:

Regularly backing up your business data is crucial. Choose a reliable cloud-based backup solution or an offline backup method to protect your critical information. Test the restoration process periodically to ensure the backups are functioning correctly.

Secure Your Wi-Fi Network:

A secure Wi-Fi network is vital for protecting sensitive business data. Change the default router password and ensure that you use strong encryption, such as WPA2 or WPA3. Additionally, create a separate guest network for visitors and ensure that it is isolated from your internal network.

So that is how you can do cyber security for small business

Protecting your small business from cyber threats should be a top priority. By following these simple cyber security tips, you can significantly enhance your defences and minimise the risk of breaches and data loss. Remember, a proactive approach to cyber security for small business is the key to keeping your business safe in the digital world. Stay vigilant and regularly review your security measures to adapt to evolving threats.

L2 Cyber Security can help you with all of the above if you want

We are a completely independent cyber security consultancy. We have no solutions or products to sell and are a small business too, so we do offer various services which are suited to this sector.

If you want to carry out your own cyber risk assessment, we suggest that you use the ENISA (the EU Agency for Cybersecurity) on-line assessment tool.

Let’s be careful out there.

#SecuritySimplified

The post Cyber Security for Small Business appeared first on L2 Cyber Security Solutions Ltd..

IT Task Calendar for Small and Medium Businesses

Liam — Wed, 10 May 2023 10:10:24 +0000

If you are a small or medium business owner without an internal IT person or department, you should set up a schedule for performing some simple IT tasks. An IT Task Calendar if you will. This will make sure your IT is working well and everything is being kept up-to-date.

Why do I need an IT Task Calendar?

If you were a larger enterprise, with an IT person/department or an IT Managed Service Provider (IT MSP), part of their responsibility should be carrying out regular maintenance tasks that would keep your IT working well and everything kept up-to-date.

I was inspired to write this post from a SANS Internet Storm Centre Diary that was published last year.

I have my own such calendar embedded in my head and I tend to do these things automatically without thinking. This is likely because it is the habit of nearly 40 years of fiddling with and subsequently working on computers. On my laptop, I close all applications and shut the laptop down every night. This simple act absolves me of having to do the daily and one of the weekly tasks below.

Too Long; Didn’t Read (TL;DR)

Daily:

Restart your browser.

Weekly:

Restart your Laptop/Desktop, Smartphone and Tablet (apply updates if available)
Run an Anti Virus scan (schedule if possible)

Monthly:

Apply Microsoft updates
Apply updates to other software applications
Check your backups

Quarterly:

Printer, Router, Firewall, Switch, IoT device update check
Do a failover check (if applicable)

Daily tasks:

Restart your browser at least once a day

The first item for our IT Task Calendar.

A lot of us spend quite a lot of our time in our internet browser. They are incredible applications that give us such a rich experience using the internet. They are also extremely complicated and prone to there being vulnerabilities present due to such complexity. Because of their ubiquitous nature, they are very much what the criminals like to target. So it is imperative that the vulnerabilities are removed.

The browser makers have gotten very proactive about keeping their browser up-to-date, in a very inconspicuous way. It happens in the background while the browser is open. However, for the updates to properly take effect, the browser needs to be restarted. If you do this once a day, you will be well protected.

If you are the type of person that has multiple browser tabs open all of the time, this might cause you to be reluctant to do so however. There are solutions for you though.

Use the normal update mechanism:

In your browser:

go to the “Help->About Chrome/Firefox/Edge”
this will trigger the update mechanism to get all updates installed
when you see the button to “Restart” the browser, click on it
the browser will close and re-open, including all of the tabs that were previously open on it

Make sure the browser remembers where you were previously:

A word of warning here … this option has been known to fail occasionally and people have lost track of their many, many open tabs. If you don’t want to risk that, do the above instead.

Go into your browser settings and:

Chrome:

On the menu on the left, click “On start-up”
Click “Continue where you left off”

Firefox:

At the top, under Startup should be the option “Open previous windows and tabs” – check that to turn it on

Edge:

On the menu on the left, click “Start, home and new tabs”
Click “Open tabs from the previous session”

Use a browser extension to remember your open tabs:

I’m certain there are browser extensions that can help you to manage and remember your open tabs. I won’t recommend any particular one, as I have no experience of them and I am not keen on the over reliance on browser extensions, other than the two or three I use for ad/cookie blocking and tracking prevention.

Weekly tasks:

Restart your Laptop/Desktop, Smartphone and Tablet once a week

For the same reason that we restart our browser, our devices also need to be restarted to apply any updates that may have been downloaded for the operating system. In Windows this might show as “Update and Restart” or “Update and Shut down”. Be sure to click on the appropriate one if they appear.

But it’s not just about updates in this case. If you keep Windows active and only put it to Sleep by closing the lid every evening, then after a few weeks it may exhibit unusual behaviour. Things like the mouse cursor might jump around the place or applications freeze or crash for no reason. This is because Windows is going a bit crazy (in simple terms).

You know the old IT trope?

“Have you tried switching it off and back on again?”

There’s a very good reason that this is usually the first thing we ask.

It’s because it fixes most problems that people have.

So just restart your device once a week, please. Include your Smartphones and Tablets on this.

♣ Add this to your IT Task Calendar on a Thursday or Friday.

Run an Anti Virus scan

Your anti-virus application should be able to do this on a schedule, so you can set this up to run automatically.

♣ Schedule this in your Anti Virus application to occur at a time you wont be using your device for maybe up to an hour, perhaps over a lunch break.

Monthly tasks:

Microsoft Patch Tuesday

On the second Tuesday of every month, Microsoft release updates to their products. It has become known as Patch Tuesday. We usually get them on a Wednesday in Ireland. The restart your device weekly item above, should take care of this task for you if you do it on a Thursday or Friday.

♣ Add this to your IT Task Calendar on the second Thursday or Friday.

Check for other software updates

A lot of other applications are good at checking for updates when they start up. Try to apply them when they ask for it and don’t just click “Defer” or “Later”, unless you are genuinely stuck for time.

If you do defer the updates, make sure that you have a list of applications that you use frequently. Once a month go through that list, checking their update status and applying any updates that are available.

♣ Add this to your IT Task Calendar on the third Tuesday.

Backup Checks

I have a convoluted backup strategy for my laptop, which utilises cloud storage for my critical data, local network storage and external hard drives for my backups of that data and less important items.

If you don’t have a backup strategy, start with the 3-2-1 methodology:

Three copies of your data – one of which is your live data.
Two backup copies held on separate media (cloud, local storage, external hard drives, magnetic tape, etc.)
One copy offline and another offsite.

The thing about backups is, that they are badly needed, usually at a time of crisis. That is not the time to find out that an external hard drive that you are now depending on for recovering data, was dropped on the ground 6 months ago and hasn’t been properly backing up your data since.

So for each type of backup you take, restore a small, random selection of files from the backup media, to check that you can access them and that they are not corrupted in anyway.

If you want to be very thorough, you should do a complete recovery test once a year.

♣ Add this to your IT Task Calendar on the Friday before the second Tuesday.

Quarterly tasks – IT support may be needed:

Printer, Router, Firewall, Switch, IoT device update check

Virtually all hardware we use runs a type of software that is usually called firmware. Many hardware and other network devices have no robust way to notify you of updates to its firmware. Often, you need to manually check the current firmware version and compare it to the latest firmware available from the manufacturer. Care needs to be taken when updating firmware as a simple disconnection at the wrong time could cause the hardware device to fail completely (also known as being “bricked” – i.e. turning the device into something with all the functionality of a brick).

♣ Add this to your IT Task Calendar on the fourth Tuesday of the second month in the quarter.

Failover checks

This will depend on your set-up – particularly if you have any kind of high-availability requirement for things like internet or power. Carry out these checks at a time that will cause the least disruption to your business if something were to go wrong.

Connectivity:

If you have a secondary internet connection available at all times, then fail your primary connection by disconnecting the router’s WAN port. See if all of your main applications continue to work appropriately and that your staff are able to continue doing their work. Reconnect the router’s WAN port again to restore normal operations.
After completing the previous test, wait for 15-20 minutes. Now fail the secondary connection by disconnecting its router’s WAN port. This will prove that there is no weird configuration whereby a failure of your backup connection can cause you problems.
If you don’t have a secondary internet connection, but plan to rely on a hotspot from a mobile phone, then fail your primary connection by disconnecting the router’s WAN port. Then set up the hotspot/tether on your mobile phone and see what connectivity you are able to achieve on that from your various devices.
Do the above as well if you plan to relocate to another location in the event of power and internet disconnection at your main office.

Power:

If you have generator backup for power, then you should follow the guidance provided by your registered electrician for carrying out power failure testing on the generator.
If you are depending on an Uninterruptible Power Supply (UPS), then test it by removing power to it’s mains connection (e.g.- turning off the switch on the wall socket or tripping it’s circuit breaker on your fuse board). Do not unplug the UPS.

♣ Add this to your IT Task Calendar on the third Friday of the first month in the quarter.

Let’s be careful out there.

How can L2 Cyber Security help you?

We offer a Business Resiliency service which would help you to create a proper plan for all of the above.

#SecuritySimplified

The post IT Task Calendar for Small and Medium Businesses appeared first on L2 Cyber Security Solutions Ltd..

Browser Password Manager is not as secure as you think

Liam — Tue, 18 Apr 2023 08:00:00 +0000

Whenever I talk about password managers I often get asked by people about their browser password manager and whether that is a secure method of storing passwords. They’re not really the best solution. Here’s why.

They store passwords. Surely they must be secure?

The password managers that are built into Chrome, Edge and Firefox are very simplistic and while they do stores things encrypted, the encryption can be easily broken.

A person’s Google Chrome password manager was breached not so long ago.

The thing is, these password managers are very easy to use and browsers are great at pushing them on people. Putting up nice friendly notices going “Do you want me to remember this password?” “Do you want me to remember this credit card number?” Then later on when you come back to sign into the site it will pop the username and password into the page for you. It’s all very convenient. But convenience comes at the cost of security in this case.

How is a browser password manager insecure?

If you think about it, these password managers have no real security in place. So if somebody has access to the browser, when the device is unlocked, they also now have access to your password vault.

If you were using a proper password manager they would need to know your master password and also have access to your multi-factor authentication (MFA) method. That’s because password managers have proper security on their password vaults.

What do you recommend?

The world will be a much better place when passkeys are more widely used.

Until then, I always recommend using a full-featured password manager such as Bitwarden or 1Password. These are designed to be fully secure and keep your passwords, payment card information and secure notes all nice and securely saved. There are other password managers available. Some of these might be classified as being more secure or private than the two I have mentioned. However there are some trade-offs with them in that they may need someone more technical to set them up and use them. This might be off-putting to normal people as it can be inconvenient.

I’ve got a password manager in another application. How good are they?

Some people come to me and say that their anti-virus package or their VPN has a password manager as an add-on feature. I am cautious about using such features because they may not have been developed with the same level of security as a proper password manager. They are likely only being offered as a way to lock somebody into continuing to subscribe to the anti-virus or VPN.

This is because it is easy to switch anti-virus or VPN providers. But when you are are using a password manager it is much more difficult to move and switch provider.

OK! OK! We’ll use a proper password manager. Any tips?

Some quick tips for setting up your password manager as securely as possible:

Choose a master password that is at least 20 characters long. Perhaps choose three or four completely random words to make up this master password. Maybe include some spaces between the words and an occasional number and special character.
You should also secure the password manager with a multi-factor authentication method. Ideally it should be an authentication app that generates codes or a hardware security key that you need to trigger the authentication.
Set the password manager to generate passwords of at least 40 characters, with all the cases, numbers and special characters turned on so that the passwords are nicely complicated. Watch out though for some websites that have limited the number of characters you can use … some as low as 10 or 12 characters, which is ridiculous.

Anything else I need to think about with a proper password manager?

Some security people think that using the browser add-on or plugin for the proper password manager is NOT very good security practice. Yes, there are risks associated with the add-on/plugin, but I think their convenience for the normal person makes password manager use more likely. But it all really depends on your threat model. If you think you’re low risk then using the add-on/plugin is probably also low risk.

Let’s be careful out there.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person.

#SecuritySimplified

The post Browser Password Manager is not as secure as you think appeared first on L2 Cyber Security Solutions Ltd..

Legal Basis for Processing

Liam — Fri, 14 Apr 2023 14:44:07 +0000

The General Data Protection Regulation (GDPR) outlines the conditions under which there is a legal basis for processing personal data.

Download Detailed Guidance Here

The Six Lawful Bases for Processing:

To collect or use personal data legally, you cannot just "want" to do it. You must rely on one of six specific legal justifications (Article 6). If you cannot fit your processing into one of these boxes, you cannot collect the data.

You must identify and document one of these bases before you start processing data.

Consent: The individual has given you clear, specific permission to process their data for a specific purpose.
Contract: You need to process the data to fulfil a contract with the individual (e.g., you need their address to deliver goods they bought).
Legal Obligation: You are required by law to process the data (e.g., keeping salary records for tax purposes).
Vital Interests: It is a life-or-death situation (e.g., giving emergency medical data to a hospital to save someone's life).
Legitimate Interests: You have a genuine business reason (like fraud prevention or network security), and this reason is not overridden by the individual's rights or freedoms.
Public Interest: You are performing a task in the public interest or acting under official authority (usually applies to government bodies, not private companies).

1. Strict Rules for "Consent"

If you choose "Consent" as your legal basis, the bar is set very high. You must be able to prove you obtained it validly.

Freely Given: The user must have a real choice. You cannot force them to consent or punish them if they say no.
Informed: They must know exactly who you are and what you are doing with their data.
Specific: You cannot ask for "blanket consent." You must ask for permission for each specific purpose.
Clear Affirmative Action: The user must do something to consent (like ticking a box). You must also keep a record of this consent being given. Pre-ticked boxes are banned.
Easy Withdrawal: You must tell them they can withdraw consent at any time, and if they do, you must stop processing immediately.

2. Contractual Necessity

When to use it: Use this when you have a contract with an individual (or are about to enter one) and you literally cannot do your job without their data.

The Rule: The processing must be necessary for the performance of a contract to which the individual is a party.

Practical Example: If you sell a product online, you need the customer's address to deliver it. You don't need their consent for the address. You need it to fulfil the contract of sale.

Constraint: You cannot use this for things that are "nice to have" but not essential to the contract (e.g., using that same address for marketing newsletters usually requires a different basis, like Consent).

3. Legal Obligation

When to use it: Use this when you have no choice because the law says you must process the data.

The Rule: The processing is necessary for compliance with a legal obligation.

Practical Example: You are required by tax laws to keep records of employee salaries for a certain number of years. Even if an employee asks you to delete their data, you can refuse because you have a legal obligation to keep it.

Constraint: This must be a statutory obligation (EU or National law), not just a contractual obligation to a third party or your own company policy.

4. Vital Interests

When to use it: This is the "Emergency Only" basis. It applies to life-or-death situations.

The Rule: The processing is necessary to protect the vital interests of the data subject or another person.

Practical Example: If a visitor to your office collapses and is unconscious, you might disclose their medical allergies (if known) to the paramedics. You don't need to wake them up to get consent because their life (vital interest) is at risk.

Constraint: You generally cannot use this for large-scale data processing or health data unless it is truly a medical emergency.

5. Legitimate Interests

When to use it: This is the most flexible basis, often used for business activities like fraud prevention, network security, or direct marketing. However, it requires a careful "Balancing Test".

The Rule: Processing is necessary for your legitimate interests (or those of a third party), UNLESS those interests are overridden by the individual's fundamental rights and freedoms.

The "Balancing Test": You must weigh your benefit against the user's privacy:

Your side: "We need to process IP addresses to stop hackers attacking our website." (This is a strong legitimate interest).

Their side: "Does this hurt the user's privacy?" (Likely minimal impact).

Result: You can probably proceed.

Constraint: If the processing would be unexpected, cause harm, or if the individual is a child, their rights likely override your interests. You must document this assessment.

6. Public Interest / Official Authority

When to use it: This is primarily for public authorities (like schools, hospitals, police, or councils) performing their official duties.

The Rule: The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in you.

Practical Example: A local council collecting data to organise bin collection or a tax authority collecting income data.

Constraint: Private companies rarely use this unless they are contracted to carry out specific public tasks (e.g., a private utility company maintaining the water supply).

Download Detailed Guidance Here

The post Legal Basis for Processing appeared first on L2 Cyber Security Solutions Ltd..

Principles of the GDPR

Liam — Fri, 14 Apr 2023 14:37:37 +0000

The General Data Protection Regulation (GDPR) sets out the principles of the GDPR that organisations must follow when processing personal data.

Download Detailed Guidance Here

Principles of the GDPR

Here is a simplified guide to the 7 Core Principles of the GDPR (Article 5).

Think of these not just as codes, but as the "Golden Rules" for how you handle data. If you violate these principles, you are violating the GDPR, even if your security is technically perfect.

Lawfulness, Fairness, and Transparency

Your Obligation: You must be honest and open about what you are doing.

Lawful: You cannot process data just because you want to. You need a valid legal reason (like Consent or a Contract).

Fair: You shouldn't do things with data that people wouldn't expect or that could mislead them. You must give them control over their information.

Transparent: You can't hide in the shadows. You must provide clear, accessible information (usually a Privacy Notice) explaining exactly how you process their data.

Purpose Limitation

Your Obligation: Be specific about why you need the data and stick to that reason.

The Rule: You must collect data for "specified, explicit, and legitimate purposes".

No "Scope Creep": You cannot collect data for one reason (e.g., "to deliver a pizza") and then use it for a completely different reason later (e.g., "to sell their address to a gym"), unless you get fresh consent or have another clear legal reason.

Communication: You must tell the individual this purpose at the start.

Data Minimisation

Your Obligation: Collect only what you strictly need.

The Rule: Data must be adequate, relevant, and limited to what is necessary for your specific purpose.

Practical Step: If you don't need someone's date of birth to sell them a book, don't ask for it. Avoid hoarding "just in case" data.

Accuracy

Your Obligation: Keep the data correct and up to date.

The Rule: You must take reasonable steps to ensure data is not incorrect or misleading.

Correction: If you find out data is wrong, you must fix it or erase it without delay. You should also give individuals an easy way to update their own records.

Storage Limitation

Your Obligation: Don't keep data forever.

The Rule: You must not keep personal data for longer than you actually need it for your stated purpose.

Guidance: There may be a statutory requirement for a retention period (e.g. Revenue), or a supervisory body providing guidance. If neither exist, then set your own retention period and document the justification for it.

Retention Policy: You need a clear policy that says when you will delete data. When that time comes, you must securely erase or anonymise it.

Integrity and Confidentiality (Security)

Your Obligation: Keep the data safe.

The Rule: You must protect data against unauthorised access, accidental loss, destruction, or damage.

Measures: This isn't just about firewalls. It includes organisational measures like taking data backups, restricting access so only the staff who need to see the data can see it, amongst other things.

Accountability

Your Obligation: Prove it.

The Rule: It is not enough to just comply with these principles. You must be able to demonstrate that you comply.

Documentation: This requires you to have written policies, records of your processing activities, and internal procedures in place to show regulators that you take these rules seriously.

Download Detailed Guidance Here

The post Principles of the GDPR appeared first on L2 Cyber Security Solutions Ltd..

Rights of an Individual

Liam — Fri, 14 Apr 2023 13:46:30 +0000

The General Data Protection Regulation (GDPR) provides strong rights of an individual, whose personal data is being processed by organisations.

Download Detailed Guidance Here

The Rights of an Individual

The right to be informed

Article 13 and Article 14.

Your Obligation: You must be completely transparent about how you use personal data. You cannot collect data in secret; you must provide "fair processing information," typically through a Privacy Notice.

What to include: You must detail your identity and contact info (and that of your DPO), why you are processing the data and the legal basis for doing so, how long you will keep it, and who else will receive it. You must also list the users' rights, including their right to withdraw consent or lodge a complaint.

Format: The information must be concise, transparent, intelligible, easily accessible, and free of charge. It must be written in clear, plain language—especially if addressed to a child.

Timing:

Direct Collection: If you got the data straight from the individual, give them this info at the time you collect it.
Indirect Collection: If you got the data from elsewhere, you must inform the individual within a reasonable period (maximum one month), or at the point you first communicate with them or share the data with someone else.

The table below summarises the information you should supply to individuals where the personal data has been obtained either directly from the data subject or by another means.

Identity and contact details of the controller (and where applicable, the controller’s representative) and the data protection officer.	The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.
Any recipient or categories of recipients of the personal data.	Purpose of the processing and the legal basis for the processing.
The right to lodge a complaint with a supervisory authority.	The existence of each of data subject’s rights.
Retention period or criteria used to determine the retention period.	Details of transfers to a different country and what safeguards apply.
The right to withdraw consent at any time, where relevant.	The legitimate interests of the controller or third party, where applicable.

If the personal data was obtained directly from the data subject, then you should provide them with the above information at the time you get the personal data.

The next table summarises the information you should supply to individuals where the personal data has not been obtained directly from the data subject.

The source the personal data originates from and whether it came from publicly accessible sources.

Categories of personal data.

The right of access (Subject Access Requests)

Article 15.

Your Obligation: You must allow individuals to verify that their data is being processed lawfully. If asked, you must confirm you are processing their data and provide a copy of it.

Deadlines: You must respond without delay, and at the latest within one month.

Extension: You can extend this by two months if the request is complex or numerous, but you must notify the individual within the first month and explain why.

Fees: You generally cannot charge a fee.

Exception: You may charge a "reasonable fee" based on administrative costs only if the request is "manifestly unfounded or excessive" (e.g., repetitive) or for additional copies.

Verification: You must verify the identity of the requester using reasonable means before handing over data.

Suggested ways:

- Ask the individual to confirm details only they would know based on the data you already hold. Ask 2-3 specific questions:
  - "Please confirm the amount of your last transaction with us."
  - "What is the reference number on your most recent bill?"
  - "Please confirm the phone number we have on file for you."
- Require the user to log in to their secure account area to submit the request.
- If you must ask for photo ID, ask them to redact unnecessary information – e.g. “Please send a photo of your driving licence, but please black out your licence number and date of birth. We only need to see your name and photo”

Format: If the request is made electronically, you should provide the data in a commonly used electronic format.

The right to rectification

Article 16.

Your Obligation: You must correct inaccurate or incomplete personal data upon request.

Third Parties: If you have shared this data with other organisations, you must inform them of the correction if possible.

Deadlines: You have one month to comply. This can be extended by two months for complex requests, provided you notify the individual.

Refusal: If you decide not to take action, you must explain why and inform the individual of their right to complain to a supervisory authority.

The right to erasure ("Right to be Forgotten")

Article 17.

Your Obligation: You must delete personal data when there is no compelling reason to keep it. BUT this is not an absolute right. You are quite likely to refuse this one, as its scope is quite narrow.

When to delete: You must act if:

consent is withdrawn
the data is no longer needed for its original purpose
it was processed unlawfully
if there is a legal obligation to delete it

Special attention is required for data collected from children online.

Public Data: If you have made the data public (e.g., on a website), you must take reasonable steps to inform other controllers processing that data to erase links to or copies of it.

Exceptions: You can refuse deletion if the processing is necessary for freedom of expression, public health, contractual, legal obligations, or the defence of legal claims.

The right to restrict processing

Article 18.

Your Obligation: In specific circumstances, you must stop using the data but keep it stored. You can retain just enough info to ensure the restriction is respected in the future.

When to restrict: You must apply this if an individual contests the accuracy of data (while you verify it), if they object to processing (while you verify your legitimate grounds), or if the processing is unlawful but the individual prefers restriction over deletion.

Notification: You must inform any third parties you shared the data with about the restriction. You must also tell the individual before you lift the restriction.

The right to data portability

Article 20.

Your Obligation: You must allow individuals to obtain and reuse their data across different services by providing it in a format that allows easy transfer.

Format: Provide the data in a structured, commonly used, and machine-readable form (e.g., CSV files) so software can extract the data.

Scope: This applies only to data the individual provided to you, processed by automated means, based on consent or a contract.

Direct Transfer: If the individual asks and it is technically feasible, you should transfer the data directly to another organisation.

The right to object

Article 21.

Your Obligation: You must respect an individual's right to say "no" to processing in certain cases.

Direct Marketing: If an individual objects to direct marketing, you must stop immediately. There are no exemptions or grounds to refuse.

Legitimate Interests/Public Task: If they object to processing based on these grounds, you must stop unless you can demonstrate "compelling legitimate grounds" that override their rights, or if it is for legal claims.

Communication: You must explicitly bring this right to their attention at the point of first communication and in your privacy notice, keeping it separate from other information.

Rights in relation to automated decision making and profiling

Article 22.

Your Obligation: You must provide safeguards against potentially damaging decisions made solely by computers without human intervention.

The Right: Individuals can refuse to be subject to automated decisions that have legal or significant effects on them.

Safeguards: If you use automated decision-making, you must allow the individual to obtain human intervention, express their point of view, and obtain an explanation of the decision so they can challenge it.

Profiling: If you use profiling (analysing personal aspects like performance, health, or location), you must be transparent about the logic involved and the significance of the consequences. You must use appropriate mathematical procedures and secure the data to prevent errors or discrimination.

Download Detailed Guidance Here

The post Rights of an Individual appeared first on L2 Cyber Security Solutions Ltd..

An Post Scam Email Gaeilge Edition

Liam — Wed, 29 Mar 2023 11:11:48 +0000

I know many people I talk to mention they have received An Post scam messages. These have increased dramatically in the last couple of years. Thank you Brexit! Over the weekend I received a new twist on it. An An Post scam email that was as Gaeilge (in Irish).

The email itself ended up in my spam/junk folder. However, not everybody uses the same email platform that I do. Chances are, because it is in Irish, it might bypass such protective systems.

What did the An post scam email look like?

Here is the email that I received:

For those of you who haven’t got the cúpla focail, it translates as:

An error occurred in the delivery process

Dear customer,
You have a package that needs to be delivered, but it has been put on hold due to an incorrect delivery address.
Edit your personal information and add a valid shipping address to complete the delivery process.

• Tracking number: DA053884562IE
• Re-delivery fee: €1.99.
• Date: 25/03/2023

Redelivery

This is an automated message, please do not reply.

Attention : If you do not update your details and enter a valid shipping address within 3 days of receiving this message, we will return this package.
The job.

I had to laugh at the last line there – An post translates to “The job”. 🤣

What happens if I made a mistake and clicked the button?

You would be brought to a website, that looks remarkably like an An Post website. In keeping with the theme of the email, it will all be in Irish. On this page you would be asked to enter lots of personal data, including payment card information. I’ve translated the various input fields in red in the image below:

One interesting thing here is that the links at the bottom of the page are all genuine An post website links and will take you to the genuine site and social media channels.

I can’t read Irish. Sure how would I know what I’m being asked for?

You mightn’t be able to translate that website. Your browser probably can and so it can be easy to potentially fall victim, particularly where you are waiting for a package to be delivered.

Is there anything that gives this away as a scam?

If this was for a genuine shipment, with some missing address data, they should show you what address information they do have and allow you to correct it. So that is the main giveaway to me.

People like me (a security nerd) will examine the address bar of a website. I know some trainers tell people they need to examine this themselves. However, that’s terrible advice, as most normal people will never do that on a consistent basis. Not only that, how can I be completely sure that this address is not correct? “anpost” is mentioned a couple of times, as well as the .com portion. Website addresses are hard sometimes:

Another big giveaway here is the “Not secure” warning. If you EVER come across that on a website, DO NOT enter any data on that website, no matter whether you think it’s a genuine site or not. Anything you type will not be transmitted in a secure manner.

HOWEVER, the scammers could easily set the website up so that the “Not secure” is not shown, so don’t be completely dependent on that as a way to avoid being scammed.

Well what would you do so mister smarty pants?

If I had something on order, I would refer back to the original shipping email and click the tracking link from that.

If that wasn’t available, then I would copy the tracking number from the An post scam email, go to the An post website and paste it into the tracking facility. It should spit out a message saying that the package can’t be found.

Let’s be careful out there.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person.

#SecuritySimplified

The post An Post Scam Email Gaeilge Edition appeared first on L2 Cyber Security Solutions Ltd..

ESB text message scam.

Liam — Fri, 10 Mar 2023 13:31:57 +0000

My good friend Philipa Jane Farley shared a text message with me, which she received this morning. Her phone had classed it as Spam, but not all smartphones are created equal, so this ESB text message scam might get through.

The ESB text message

The message appears to have come from “ESB” and it cannot be replied to, which gives it a certain degree of legitimacy. If you have taken my training you will know that you simply cannot trust what number is calling you or texting you, as spoofing is so common.

The message says:

You are eligible for a discounted electricity bill under the Energy support scheme.

You can apply here: https[:]//register-electric-refund[.]com

I have “defanged” that link so you cannot go to the site accidentally.

If you go ahead and click the link, you will be taken to the following web site:

The “Government” information page

That looks remarkably like the ACTUAL Irish Government Website which is here:

https://www.gov.ie/en/publication/4ae14-electricity-costs-emergency-benefit-scheme/

That is, all except for the “Verify now” button at the bottom. The criminals have effectively cloned the majority of the government’s page on this scheme. None of the links work on the page that I tested … EXCEPT for that “Verify Now” button. 🤔

The “Registration” pages

Well, if you click that, the “government” now seems to want you to register for the scheme (which is automatically dealt with by the power supply companies), so you are first asked for some personal details:

When you hit “Continue, you will then be asked to provide some billing details.

Billing details?!??!!? I thought they were giving us money, not billing us?

Well, they are probably hoping that you are used to divulging your payment card details onto website.

They do validation on the card number and the page crashed on me as I was attempting to enter a potentially valid number, so I wasn’t able to find out what happened next, but presumably they will start buying stuff on your account!

So there it is … an ESB text message scam, that could just as easily be for any of the other providers, but it’s likely only going to be the ESB as they have the most customers in the country.

Let’s be careful out there.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person.

The post ESB text message scam. appeared first on L2 Cyber Security Solutions Ltd..

eFlow text message scam.

Liam — Mon, 30 Jan 2023 14:54:29 +0000

My good friend Philipa Jane Farley shared a text message with me, which she received this morning. This eFlow text message scam might get through to your phone, so read on for more information.

The eFlow Text Message

The text message she received from “eFlow” was about an unpaid toll. eFlow is an Irish motorway toll operator. (narrator’s voice: It was not from eFlow 🙄).

The message reads:

eFlow: You have an outstanding fee of 6.32 EUR due from a journey made in 2022. Please pay now to avoid incurring any penalty charges via eflow-online-services[.]com

That link has been defanged, so you cannot click on it accidentally.

If you click on the link, you will get taken to a very realistic and similar looking website, to the real eFlow one. This though, seems to have nothing to do with the unpaid toll. 🤔

What do they want you to do?

They want you to update your details with them, including payment card. This is the type of thing that you can look out for. A site asking you for lots of personal data when you’ve clicked a link. eFlow already has your data, if you are a customer. They do not need you to go and type it all in again. No matter what excuse they make up. If this was really eFlow, they would have provided the details they already held on you!

What should I do?

I hope I say this enough. We really need to stop clicking on any link that might be included in text messages. There is just no decent reason to have links sent by text message. The criminals use them, because they tend to get passed a lot of spam filters. If this was sent by email or WhatsApp it would probably get thrown into the junk folder.

I think most of you that have seen previous posts from me, won’t fall victim to such a scam, but please do share this, so others will be aware of it.

If anybody has gone through with this update, please contact your bank’s fraud number immediately.

So there it is. An eFlow text message scam. Please don’t fall for it.

Let’s be careful out there.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person.

#SecuritySimplified

The post eFlow text message scam. appeared first on L2 Cyber Security Solutions Ltd..