Build Safer Business Infrastructure

Cyber Resilience: Essentially Commercial

Businesses registered in the United Kingdom that process data ought to be registered with the Information Commissioner's Office (ICO), and are obliged to comply with the General Data Protection Regulation (GDPR) and to report in the event of a data breach (visit the ICO for information).

With GDPR obligations at the forefront of business leaders' minds, one ought then to be interested in the security status of business data that is regulated or of high value to the company.

Business Security Compliance

Businesses today are outsourcing their most important Internet assets and vast amounts of sensitive data to cloud-based service providers and other managed service providers (MSPs), such as Salesforce, Google, Amazon and Microsoft, without a second thought to understanding:

  1. the terms and conditions of these licensing agreements;
  2. the security status of these platforms in real time; and
  3. the affordability of recovery in the event of customer data tampering and abuse (easy and subtle, to easy and public).

Ensuring basic security measures and compliance of your third parties with standards and regulations such as ISO 27001 and GDPR is paramount to safeguarding your business's sensitive and regulated data.

Case Study: Compromised Suppliers

Over the past year, many of us have woken up to the horrors of what happened to innocent people in the Post Office scandal over a 25+ year period in the United Kingdom.

Had a postmaster or postmistress, as small business owners, known that Horizon was insecure, they could have chosen to mitigate their losses, and the miscarriage of justice would not have gone as far as it did for so many.

Instead, the Post Office victims were none the wiser, and the harm got so bad that it cost livelihoods and led to jail sentences and suicides. How much more harm do we need to see before the courts and Government realize that it is the open access via insecure third-party servers that is so very dangerous to people, places, and economies?

Understanding Security Breach 

The Post Office scandal case is extremely important to all businesses for several reasons. Understanding the fundamental nature of Fujitsu’s breach and the impact this has on all its Horizon customers and users is very important here.

Newboulds has invested a significant sum to risk assess the status of the world's largest security companies and cloud service providers – due diligence that most businesses in the United Kingdom do not yet have access to.

The discovery that these companies are all using insecure third-party servers, which are exposed 24/7/365 and provide open, unlimited access to unknown, unauthorized third-party intruders online, means that business customers are under a duty to act fast to ensure compliance with GDPR for your customers and with the other security standards your business has agreed to comply with.

The harms liability for using insecure third parties must not be underestimated.

We think the Post Office scandal involving the Fujitsu Horizon platform, and the harms caused by its system’s back-door access for data abuse, are just the tip of the iceberg.

Expertise, Intelligence & Evidence

The discovery of what global security experts are terming “insecurity entrapment”, caused by the world's largest technology companies, such as Salesforce, Google, Amazon and Microsoft, to all their customers, is a matter of fact.

This fraudulent misrepresentation as to the security of their systems, for $billions worth of annual license sales, is wholly illegal, not only considering their claims of being “secure” and “trustworthy” but also given the fact that their platforms are plagued with third-party DNS security breaches, which make all of them rich breeding grounds for cyber criminals and nation-state attacks.

Newboulds' experts can prove that these, the world's biggest providers, have the same insecurity position as Horizon (see Cyber Resilience for Business diagram below).

How, therefore, is it legal for multi-billion-dollar companies to sell commercial licenses when they know of this critical insecurity? They can afford to choose to ignore it. The profit on licenses is worth the risk of fines from the regulators, yet they continue to sell your company licenses labelled as secure and trustworthy.

Business customers (small and large) remain in the dark and are none the wiser, exposed and exploitable 24/7/365 through the fault of these tech giants and their sales partners' intentional negligence; just like the Post Office, they keep this issue buried deep and hope no one finds out.

Not anymore.

UK Law Remedies

Newboulds and its experts have made this discovery and will be fighting on behalf of its clients over fraudulent misrepresentation and for compensation, to bring these fundamental security breaches to light. There are no liability caps in the UK for fraudulent misrepresentation.

The harms liability that companies such as Salesforce, Google, Amazon, and Microsoft operate on is global. Serious, easy attacks are already harming the UK’s economy every second of the day; some breaches are detectable, most are not (so many small businesses and larger institutions/corporates using these platforms are none the wiser).

During the term of your licenses, to this day, all mentioned platforms remain in breach of security standards that they purport to comply with, e.g., ISO 27001, which they rely on to represent secure status to the public and critical Government databases.

UK business GDPR compliance is literally automatically compromised as soon as you start to process data on platforms such as Salesforce. How can the trading authorities allow Salesforce, for example, to continue to represent security as a priority and trust as a number 1 value on their website whilst they continue to trade on the insecure servers that our experts have identified, which risk the survival of our businesses?

We have informed some of these companies that they have Zero Day security issues. We know that they are willing to ignore our issues because negligence and corruption have set in at a very high level.

Are you a sitting duck company?

Surely, your brand stands for its purpose to serve clients. So why put that at risk by paying these third parties to hold your data for you? It doesn't make sense.

The facts, the evidence, the laws and the impacts are not new, but for several reasons they have not yet been meaningfully applied to B2B contracting on security, largely because the technical evidence and knowledge have not been readily available.

Your Duty to Stop Cybercrime Rising

Companies like these tech giants, which are blatantly using insecure third-party servers, do not prevent cybercrime and espionage; they can’t. Instead, it seems these companies are so big that they are complicit in enabling it, which must be stopped. Newboulds believes the law and these cases will be the most powerful tool available to take the right impact action.

A Note For Small & Medium Businesses

Your business is just one of 5.6 million small businesses in the UK. Founders sweat blood and tears building small businesses. Sophie Newbould and her team of security experts have invested more into this cause of cybersecurity and justice than any of these multi-billion-dollar platforms ever will.

When bringing these actions, the impact litigation will have on your business finances, time and effort will not be ignored; moreover, the impact on growth for an SMB taking on litigation is so much greater than for a corporate. The comparisons need to be made because the harm is not in proportion.

Premature exit from these platforms can risk closures, but you must consider what your company values actually are, as your actions today will impact who you are tomorrow.

The longer these companies can operate fraudulently and insecurely, the longer they misrepresent to UK SMBs and expose our industries to crime, the more I, Sophie Newbould, am beside myself with the state of justice across commercial technology, and business generally in this country and worldwide.

It will seem we learn nothing if we do nothing at this critical juncture.
