Month: June 2021

by Laura Spencer Laura Spencer No Comments

Routed in the Past

Passwords, every 2 or 3 months they should be changed or adjusted slightly in order to keep your password protected account/device secure. So why do we not change our Wi-Fi password for our router? Most of us will still be using the awkwardly long password written on the back of our router or on a card, and not think twice about changing it.  In reality we should probably be changing this password as soon as we can, and then regularly modifying it to keep a secure network.

The complacency that we approach our router security with is quite frankly appalling – it  is so easy for an individual with malicious intentions to hack into a router. Particularly when working from home networks which are not designed for intensive business use. Throughout the  pandemic, working from home has been a necessity for millions of people  working in business of all shapes and sizes, however, the reality of the scenario is that our Wi-Fi routers are vulnerable and we need to adapt them in order to make them less susceptible to hacking as well as other security risks.

With lockdowns and COVID restrictions slowly coming to an end its foreseeable that more and more visitors will be coming into your home. And what is the first thing that most ask?

“What is the Wi-Fi password?”

So what?

Giving the Wi-Fi password to a visitor to your house seems so innocent and somewhat a rite of passage in this day in age. Even my grandad in his 70s asked for the Wi-Fi password when in my garden this weekend! However if working from home, individuals should perhaps consider partitioning your home Wi-Fi, one for work devices such as your computer and work phone as well as one for normal usage for both your personal devices, smart speakers, TVs, and any other internet enabled technology and keep a separate partitioned network for guests. On the same front you could also consider using a guest Wi-Fi and keeping a separate Wi-Fi for those who live with you.

The importance of outdated routers as well as router security comes after a recent report by Which? The report details problems found by its lab during extensive tests.

The main concerns highlighted by the report include:

  • Weak default passwords cyber-criminals could hack were found on most of the routers
  • A lack of firmware updates, important for security and performance
  • A network vulnerability with EE’s Brightbox 2, which could give a hacker full control of the device

The UK Government plans to ban default passwords being pre-set on devices, as part of upcoming legislation covering smart devices. This would come under the UK’s Internet of Things (‘IoT’) ‘Security by Design’ law. The law is aimed at enhancing the security of consumer devices, this comes after the government introduction of a security code of practice for IoT device manufacturers back in 2018 – with the forthcoming legislation intending to build on that with a set of legally binding requirements. This therefore would encourage the individual to keep their device and network more secure – similarly in highlighting it in such report as this and equally solidifying it in legislation will aid the public’s understanding of the importance of keeping a secure home network.

The ‘Security by Design’ law is also planning to make manufacturers:

  • Tell customers for how long their device will receive security-software updates
  • Provide a public point of contact to make it simpler for anyone to report a vulnerability

This will enable individuals to have greater access to information and help in regards to their device security.

by Laura Spencer Laura Spencer No Comments

Pandemic Business Boom: Website Blunders

Living in the 21st Century it is increasingly easy for individuals to start their own businesses, especially during the pandemic new businesses have risen to around 407,510 new businesses were formed during this period (according to SKY news https://news.sky.com/story/covid-19-record-number-of-new-businesses-predicted-as-uk-comes-out-of-coronavirus-lockdown-12236841). However when it comes to marketing and advertising for your brand there are a few key points which need to be considered.

The first being what sort of platform are you going to use to build your website?

It is common and only natural to see an advertisement of a company on the TV or see an advert online which uses fancy advertising with offices around the world. However, often the knee jerk reaction is ‘this must be a good company, look at how well advertised they are’ and therefore you make the decision to build your platform using their platform and tools. This is not always the case. The most important aspect when looking to build an online presence is the legal and regulatory compliance of the platform. Read through their privacy policy in detail; read through their terms and conditions and then decide whether you think that they are in fact compliant – you would be surprised as to what the platforms that  spend money on advertising on the TV and online hide in regards to their compliance, or potentially lack of it. Recently we have been working for a client which has been using one of the highly advertised sites as his website platform and going through his website compliance documents raised too many red flags to ignore – hence the inspiration for this post!

In this case there were a few major red flags.

  • Their storage limitation (data retention)
  • Their data minimisation
  • Their server base location

Starting with the storage limitation of our client’s website provider; the Information Commissioner’s Office (‘ICO’) directs companies and organisations:

  • You must not keep personal data for longer than you need it.
  • You need to think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data.
  • You need a policy setting standard retention periods wherever possible, to comply with documentation requirements.
  • You should also periodically review the data you hold, and erase or anonymise it when you no longer need it.
  • You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.
  • You can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes.

The UK General Data Protection Regulation (‘GDPR’) does not dictate how long you should keep personal data for. It is up to the company or organisation to justify their retention of such data, based on their purposes for processing it. Personal data for many companies and organisations are kept for a maximum of 6 years – this is because UK statutory limitation – the period of time for which a contract could be subject to a legal dispute resulting in a court claim – is 6 years. After 6 years a transaction or contract cannot be the subject for a court case and by default many corporations destroy all such records after 6 years.

Ensuring that you erase or anonymise personal data when you no longer need it will reduce the risk that it becomes irrelevant, excessive, inaccurate or out of date. Apart from helping you to comply with the data minimisation and accuracy principles, this also reduces the risk that you will use such data in error – to the detriment of all concerned.

But why is storage limitation so important?

Personal data held for too long will, by definition, be unnecessary. You are unlikely to have a lawful basis for retention (e.g. 6 year statutory Limitation as outlined above). From a more practical perspective, it is inefficient to hold more personal data than you need, and there may be unnecessary costs associated with storage and security, either in hard copy or online. Remember that you must also respond to subject access requests for any personal data you hold. This may be more difficult if you are holding old data for longer than you need. Good practice around storage limitation – with clear policies on retention periods and erasure – is also likely to reduce the burden of dealing with queries about retention and individual requests for erasure.

Data minimisation is also covered under UK GDPR. The ICO directs companies and organisations, when processing data to ensure that the data is processed in way that are deemed:

  • adequate – sufficient to properly fulfil your stated purpose;
  • relevant – has a rational link to that purpose; and
  • limited to what is necessary – you do not hold more than you need for that purpose.

The idea of minimisation is based around companies and organisations only collecting data that they need, and is necessary. The website provider our client was using was ‘hoovering’ up information which why did not necessarily need – taking information from it’s users users. Minimisation is important because orgnisations should not be collecting more data than they need for the specific task the personal data is collected for.

Finally the server location through our client’s website provider is vague. It is important for companies and organisations to know where your data is being stored, whether the data is encrypted and if so to what standard (e.g. SSL 128- bit, TSL 256-bit). If your data is hosted with a cloud provider where the physical servers are not within the EU, then you can’t use that service unless the appropriate GDPR compliant international transfer conditions are met (adequacy, a data transfer agreement containing standard contractual clauses or binding corporate rules). These conditions are complex, hence it is helpful to know where the personal data, for which your organisation is responsible, is actually being stored. Any provider who either cannot confirm this simple information, or obfuscates when the question is asked, should be avoided. Even if they do have lots of shiny offices and a slick TV advertising campaign.   

Top