Tonnik Consulting Specialists in Cyber Security

28/06/2022

Crown Commercial Service have launched the latest iteration of their Digital Outcomes and Specialists framework (DOS6) today, allowing public sector customers to easily procure pre-vetted suppliers for assistance with delivering defined requirements (outcomes), or to bring in specialist resources.

Tonnik Consulting is available on the DOS framework for cyber security outcomes and consultant resource - you can find us on the GOV.UK Digital Marketplace:

https://www.digitalmarketplace.service.gov.uk

27/01/2017

Tonnik Consulting is pleased to announce that it has been listed on the government "Digital Outcomes and Specialists 2" procurement framework as a supplier of cyber security and usability consultancy to the UK public sector.

This contract is an agreement between a public sector buyer and a Digital Outcomes and Specialists 2 supplier.

25/10/2015

The French have a word, cyberpompiers ('cyber firemen'), whereas in English we have the unwieldy cyber incident responders.

These are specialists who have the advanced skills needed to work out exactly what happened in a severe hacking incident. The crème-de-la-crème are on the CESG/CPNI Cyber Incident Response scheme and it is now reported that TalkTalk have turned to one of the best of these, BAE Systems Applied Intelligence, to investigate the recent hack they suffered.

One lesson that can be learnt is to prepare to move quickly. We saw how TalkTalk floundered early on, and last year Sony Pictures lost two weeks of recovery time whilst they arranged for outside specialists (a different company on the CESG scheme) to come in. Having an action plan to respond to a hack is crucial for any company, and large companies should think about who they will turn to if the situation is beyond their in-house capabilities (and, for nearly any company, that is always a possibility). Have a company in mind, and even do preparatory procurement activity: it will all save time if a crisis does arise.

The alternative is to have the CEO faltering on television, worsening the public perception of the issue, as the search for answers is delayed.

25/10/2015

The TalkTalk hack has generated a lot of discussion over the lack of clarity on whether the data was encrypted.

It isn't as straightforward as it sounds though.

For example, if you are writing a letter and saving it on your laptop, you can have the file encrypted - or even the whole hard disk.

If someone steals your laptop, that encryption will protect the letter.

However, if you sit reading that letter on the laptop whilst on the train, someone could look over your shoulder and read it - the encryption is no protection against that.

It has been said that SQL injection was used to extract the data. That is an attack in which crafted input is interpreted by the database system as commands, so that it sends back all the data, not just the part you should see.

The database server behind the website obviously has to have the encryption key, because it must decrypt records to serve legitimate requests. If you can trick it into sending you everything, then it doesn't matter how good the encryption is: it will unlock the data for you.

People gain false trust from data encryption, especially on databases.
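The two situations described above can be shown side by side in code. The following is an added example and is not code from the original post or from Tonnik Consulting; the table, the sample customers, the key and the toy cipher are all constructed for illustration. It stores a card number encrypted in a SQLite table, shows that a raw dump of the stored column reveals no plaintext (the stolen-laptop case), and then contrasts a lookup built by string concatenation with a parameterised lookup. Because the application holds the key and decrypts whatever the query returns, widening the WHERE clause through the vulnerable lookup yields every record in clear, while the parameterised version only ever compares the input as a value:

```python
import hashlib
import sqlite3

# Constructed demo key: in the scenario the post describes, the application
# or database server must hold this key in order to serve legitimate requests.
APP_KEY = b"demo-key-held-by-the-application-server"

# Constructed sample rows: (id, username, card number). The card numbers are
# well-known test values, not real accounts.
SAMPLE_CUSTOMERS = [
    (1, "alice", "4111 1111 1111 1111"),
    (2, "bob", "5500 0000 0000 0004"),
    (3, "carol", "3400 0000 0000 009"),
]


def _keystream(nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream derived from APP_KEY with SHA-256.
    Illustrative only; a real system would use an authenticated cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(APP_KEY + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(plaintext: str, nonce: bytes) -> bytes:
    data = plaintext.encode("utf-8")
    return bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))


def decrypt(ciphertext: bytes, nonce: bytes) -> str:
    stream = _keystream(nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode("utf-8")


def setup_db() -> sqlite3.Connection:
    """Create an in-memory table whose card column is stored encrypted,
    using the row id as the per-row nonce."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, card_enc BLOB)"
    )
    for uid, name, card in SAMPLE_CUSTOMERS:
        conn.execute(
            "INSERT INTO customers (id, username, card_enc) VALUES (?, ?, ?)",
            (uid, name, encrypt(card, str(uid).encode())),
        )
    conn.commit()
    return conn


def raw_storage_contains(conn: sqlite3.Connection, needle: str) -> bool:
    """The 'stolen laptop' case: does the stored column itself reveal the needle?"""
    blobs = [row[0] for row in conn.execute("SELECT card_enc FROM customers")]
    return any(needle.encode() in blob for blob in blobs)


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: user input is spliced into the SQL text, so the input can
    change the WHERE clause. Every row the query returns is then decrypted by
    the application, because the application holds the key."""
    sql = f"SELECT id, username, card_enc FROM customers WHERE username = '{username}'"
    rows = conn.execute(sql).fetchall()
    return [(name, decrypt(blob, str(uid).encode())) for uid, name, blob in rows]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """HARDENED: a parameterised query; the input is only ever compared as a
    value and never interpreted as SQL."""
    rows = conn.execute(
        "SELECT id, username, card_enc FROM customers WHERE username = ?",
        (username,),
    ).fetchall()
    return [(name, decrypt(blob, str(uid).encode())) for uid, name, blob in rows]


if __name__ == "__main__":
    conn = setup_db()
    print("plaintext visible in raw storage:", raw_storage_contains(conn, "4111"))
    print("vulnerable, normal input:", lookup_vulnerable(conn, "alice"))
    crafted = "x' OR '1'='1"  # constructed input that widens the WHERE clause
    print("vulnerable, crafted input:", lookup_vulnerable(conn, crafted))
    print("safe, same input:", lookup_safe(conn, crafted))
```

Running it shows the stored column contains no readable card numbers, yet the concatenated query hands back all three decrypted records for the crafted input, while the parameterised query returns nothing for it. Encryption at rest addressed the first threat; only the parameterised query addresses the second.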

25/10/2015

The Article 29 Working Party - Europe's data protection commissioner collective - has today issued a statement in relation to the ECJ's recent judgment on the Safe Harbor arrangement.

The statement draws some specific points out, some of which will be challenging to resolve:

- the Court's judgment requires that any adequacy decision implies a broad analysis of the third country domestic laws and international commitments
- the current negotiations could be part of the solution
- any further transfer of personal data under the guise of 'Safe Harbor' is illegal
- the Working Party is analysing the legal implications for Model Contract Clauses and Binding Corporate Rules - the other tools for achieving transfer without consent
- they will reach a decision by the end of January, and if they decide that Model Contract Clauses and Binding Corporate Rules are no longer acceptable, they will commence enforcement action after that date
- in the meantime, the data protection authorities consider that Binding Corporate Rules and Model Contract Clauses can continue to be used

Whilst there are significant political pressures to achieve a resolution, this clearly puts businesses on notice to start thinking about alternatives to transferring data to the US, so as to be ready for the eventuality that transfer can only take place with the subject's consent.

25/10/2015

The European Court of Justice has issued a ruling striking down the 'Safe Harbor' agreement as invalid.

Obviously, the loss of Safe Harbor has direct implications for some businesses who rely on it.

However, the reasoning of the court goes deeper. Their concern was that the operation of US law - particularly in the balance of the rights of EU citizens against national security considerations - means that the Fundamental Rights of EU Citizens in the EU Charter aren't upheld (rather than any of the Data Protection specific elements).

The incompatibility of law with the EU's data rights requirements comes about because a contractual arrangement - like Safe Harbor - can't override the operation of foreign law.

It would seem that this problem also exists with the other favoured fixes - model contract clauses and binding corporate rules. If they are invalid then there will be very limited opportunity to take EU personal data to the US until the American government amend their laws.

Address: Barlaston
