November 2023 – Newsletter Update

We recognise that staying on top of changes to legislation and advice can be difficult. Here are some articles and alerts we’ve seen lately that we think you should be aware of, or might be interested in.

We’ve collated the below from alerts and bulletins that we receive from UK Government agencies and others. You can find links to those sources and others on our website. 

This update includes Information Security, Environment, Health & Safety and Quality topics.

Information Security

If you are an IT professional, these articles may be directly of use to you. If you are a manager with responsibility for information security and an in-house or outsourced IT function, you may wish to check that they are aware of this advice.

Legislative Changes

The following security-related legislation came into effect during Q2 2023. Of these, The Data Protection (Adequacy) (United States of America) Regulations 2023 is likely to have the most relevance to Infosec legislation customers. It should help simplify data sharing with entities in the US.

Infosec clients, please let us know if you require any of these to be added to your legislation portfolios:-

Name: The Data Protection (Adequacy) (United States of America) Regulations 2023
Potentially affected Management Systems: Security
Anticipated impact on Infosec subscribers: Significant
High level summary: This is the latest personal data protection adequacy agreement, recognising the United States of America as a country which provides an adequate level of protection of personal data for certain transfers for the purposes of Part 2 of the Data Protection Act 2018 and the UK GDPR. This means that personal data within the scope of the EU-US Data Privacy Framework Principles can be transferred to persons in the United States of America who participate in the UK Extension to the EU-US Data Privacy Framework without the need for any specific authorisation. This will be cross-referenced from the UK GDPR and the Data Protection Act 2018 on Infosec.

Name: The Product Security and Telecommunications Infrastructure Act 2022 (Commencement No. 3) Regulations 2023
Potentially affected Management Systems: Security
Anticipated impact on Infosec subscribers: Low
High level summary: Brings into force provisions of the Product Security and Telecommunications Infrastructure Act 2022 relating to communications providers who are part of the electronic communications code.

****Breaking News****

During preparation of this newsletter, the UK Government finally released its much-publicised Online Safety Act 2023. This has been a long time coming, having started life in 2019 as a white paper on ‘online harms’. Its path to law has been controversial, not least because it has become a hot topic for privacy campaigners following its expansion to include requirements for ‘user-to-user’ and internet search service providers to be able to comply with requests from OFCOM to identify potential communications relating to terrorism. This is not currently achievable with end-to-end encryption of messages.

We are currently reviewing the act to determine its applicability to Infosec customers and will make the necessary amendments. The full act is available on www.legislation.gov.uk.

Other Updates

Microsoft

Patch Tuesday roundups

  • September – Included fixes for 59 issues, including two actively exploited zero-days. Five issues were rated as ‘critical’.

  • August – Addressed 87 flaws, of which 23 were remote code execution vulnerabilities. Two flaws were known to be actively exploited.

  • July – Addressed 132 flaws including six which were known to be actively exploited. Nine ‘critical’ remote code execution vulnerabilities were fixed.

Other

  • Windows 11 support for passkeys – the latest release of Windows 11 includes support for passkeys, Microsoft’s next step toward eliminating passwords entirely. It allows secure login to websites via Windows Hello using face, fingerprint or PIN.

  • New faster, lighter Teams app – The new version of MS Teams was made generally available for Windows and Mac on 5th October. Microsoft claim that it’s twice as fast and uses half as much memory.

  • Reminder issued that TLS 1.0 and 1.1 are to be disabled in future versions of Windows.

  • Stolen Key – Following initial disclosure that a stolen cryptographic key was used to access Exchange Online and Outlook email at US Government agencies and other organisations, it was determined that the key may have been used to access other MS cloud applications including SharePoint, Teams and OneDrive. The key was revoked, and Microsoft published key indicators of compromise, as well as agreeing to make cloud security logs available to all users for free from September (the latter was previously a premium option).

Apple

Key Apple updates and security fixes

  • September – Apple had a busy September with 20 updates and releases in the month, including new operating systems across most devices: macOS Sonoma 14 (released 26th), iOS 17, iPadOS 17, tvOS 17 and watchOS 10 (all released on 18th). Major app updates included Xcode 15 (released on 18th) and Safari 17 (released on 26th).

    A fix for an actively exploited zero-day flaw that could allow installation of spyware was released in iOS 16.6.1 and iPadOS 16.6.1 on 7th September.

  • August – was a very quiet month with only two updates released: macOS Ventura 13.5.1 was released on 15th August and watchOS 9.6.1 on the same day.

  • July – eight updates were issued, including a Rapid Security Response for macOS Ventura, iOS and iPadOS that was pulled and reissued due to reports of the first release causing browser crashes.

More information can be found on Apple’s security updates page.

Android & Google

  • Weekly Chrome updates – Google announced in early August that security updates to Chrome will be published weekly to the stable channel to reduce the patch gap.

  • A heap buffer overflow bug in Chrome was reportedly fixed in a security fix, released 11th September.

  • Google Search indexed Bard conversations – In late September it was reported that, where users chose to ‘share’ a Bard conversation with friends etc. by creating a sharing link, the search engine was indexing those links and making them available to a wider audience in search results. Google said it was working on a fix.

Roundup of recent posts by the National Cyber Security Centre (NCSC) and partner agencies

  • New principles for making cloud backups more resilient against ransomware
  • Supply chain security resources – including guidance and e-learning modules

  • AI – ‘prompt injection’ attacks and data manipulation – Explores two specific vulnerabilities in Large Language Model (LLM)-type AIs like ChatGPT and Google Bard. Prompt injection involves users crafting a specific input/request designed to make the model behave in an unintended way, e.g. to expose confidential information. Data manipulation or ‘data poisoning’ could allow attackers to bias LLMs or compromise security.

  • Spotlight on Shadow IT – new guidance to help organisations manage rogue devices and services

  • Updated advice for organisations considering a Security Operations Centre (SOC)

  • Top tips for staff e-learning course – the course covers phishing, password security, device security and reporting incidents. The guidance is generic and could conflict with organisational rules, so organisations should take steps to ensure their staff understand the organisation’s own rules, but this training can be a useful ‘baseline’ for staff.

Roundup of recent blog posts by the Information Commissioner’s Office (ICO)

  • Simple data protection tips – the ICO has released new video guides in their e-learning suite.
  • Data Protection Officer Community Forum launched – The forum is intended to offer space to network, explore topics in detail and share experience. This would appear to be a helpful way for DPOs of organisations holding ISO 27001 certification to demonstrate ‘contact with special interest groups’. DPOs can register for the forum.

  • Guidance on lawful monitoring in the workplace – Guidance to stay on the right side of the law

Recent noteworthy cyber incidents

  • UK Police Services – It hasn’t been a good period for UK police services…

    • Police Service of Northern Ireland – A man was arrested and bailed following a Freedom of Information (FoI) request that resulted in the PSNI posting a spreadsheet online identifying 10,000 serving officers.

    • Metropolitan Police – London’s Met Police suffered a breach via a supplier’s IT system. Data relating to all 47,000 employees was reportedly exposed.

    • Norfolk & Suffolk Police – reported a ‘technical issue’ that led to raw data relating to crime reports being included in FoI reports.

    • Cumbria Constabulary – announced that the names and salaries of all its officers and staff had been uploaded to its website in March.

    • In September, Greater Manchester Police revealed that names and pictures of its officers had been accessed in a ransomware attack on a third-party supplier of its ID badges.

  • Okta – on 19th October, Okta, a provider of MFA and SSO tools, informed some users of a breach affecting recent support cases where files uploaded by some customers were exfiltrated from Okta’s systems. BeyondTrust claim that they identified and escalated the issue to Okta on 2nd October after identifying an apparently successful attack on an Okta administrator account.

    • 1Password – the password manager provider has reported that it was affected by the above Okta breach. It claims no user data has been breached.

    • MGM Resorts and Caesar’s Entertainment both suffered significant ransomware attacks in September, again linked to the Okta breach. Caesar’s reportedly paid a $15M ransom.

  • Microsoft – AI researchers working for Microsoft failed to secure 37TB of passwords, private keys and internal Teams messages, via an unsecured Azure/GitHub environment.

  • It was reported in September that Kettering-based KNP Logistics Group in the UK had entered administration as a direct result of a ransomware attack in June. Around 730 employees were made redundant. If you’re struggling to get management buy-in for information security.

  • A ransomware attack on Danish hosting firms CloudNordic and AzeroCloud resulted in the loss of the majority of their customers’ data, highlighting the need to ensure that you have good backups of information held in cloud storage.

  • Airbus suffered a data breach via a customer. Malware in an unauthorised version of Microsoft’s .NET framework resulted in the cybercriminal gaining access via a Turkish Airlines computer which was able to connect to Airbus’s web portal. Information relating to the airline was then downloaded from Airbus’s systems.

And the list goes on:- Save the Children, UK Electoral Commission, a number of UK ambulance trusts, Barts Hospital, Dublin Airport, NATO, Tesla and Tempur to name a few, all suffered or reported significant direct or supply-chain-led breaches or attacks in the quarter.

New and emerging malware and phishing techniques

  • New spin on ZeroFont phishing – a trick first documented back in 2018 has a new spin in 2023. The trick involves using zero-point (zero-sized) fonts in formatted emails to make malicious emails appear as if they have been scanned and passed by Outlook security. The new spin works on message previews viewed in the preview pane in Outlook and other mail apps. A fake scan message is embedded in the email. The zero-sized font means the text is not visible in the full message, but Outlook displays it in the preview pane, giving the reader false assurance that the email has been scanned.
  • Permanent Zoom links – system settings may allow unauthorised persons to initiate Zoom conference meetings as valid employees. The company-specific Zoom links include embedded ID and passcode information that work indefinitely, potentially opening employees or customers to phishing or social-engineering attacks.

  • Cisco routers backdoored – by Chinese state actors, according to US and Japanese agencies.

  • Thumb drives – what’s old is new again – Mandiant notes the use of thumb drives as a malware vector is on the rise. You have blocked them, haven’t you?

  • Malware loaders responsible for 80% of attacks in 2023

  • Another BlackCat ransomware variant
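As an added example (not part of the newsletter, and not code from Microsoft or from the researchers who documented the trick), the Python check below separates the text a zero-point font hides from the text a reader actually sees, and shows what a text-only preview would surface. The sample email and the list of assurance words are constructed for illustration; the check covers only the zero-size font technique described above, not other hiding tricks such as display:none or background-coloured text.

```python
import re
from html.parser import HTMLParser

# Constructed sample HTML email body (not a real message). The first span uses
# the ZeroFont trick: a fake "scanned" notice in a zero-point font.
SAMPLE_EMAIL_HTML = """<html><body>
<span style="font-size:0px;color:#ffffff">Scanned by Outlook Protection: no threats found</span>
<p>Hi team,</p>
<p>Please review the attached invoice before end of day.</p>
<p style="font-size: 12pt">Regards,<br>Accounts</p>
</body></html>"""

# Matches an inline font-size of zero in any unit (0, 0px, 0.0pt, 0em, 0%).
ZERO_SIZE = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:!important)?\s*(?:;|$)",
    re.IGNORECASE,
)

# Elements that never have a closing tag; they must not touch the style stack.
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base",
             "col", "embed", "source", "track", "wbr"}

# Words a fake scanner notice tends to use (constructed list, used only to label the finding).
ASSURANCE_WORDS = ("scanned", "no threats", "safe", "verified", "protection")


class ZeroFontScanner(HTMLParser):
    """Split text into what a rendered view shows and what a zero-point font hides."""

    def __init__(self):
        super().__init__()
        self._hidden_stack = []   # one flag per open element: inside zero-size text?
        self.visible_text = []
        self.hidden_text = []
        self.all_text = []        # document order, as a naive preview extractor sees it

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        inherited = bool(self._hidden_stack and self._hidden_stack[-1])
        # A zero size on this element, or on any ancestor, hides the text.
        self._hidden_stack.append(inherited or bool(ZERO_SIZE.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text:
            return
        self.all_text.append(text)
        if self._hidden_stack and self._hidden_stack[-1]:
            self.hidden_text.append(text)
        else:
            self.visible_text.append(text)


def scan_email_html(html, preview_chars=60):
    """Report zero-font text and show what a text-only preview pane would display."""
    scanner = ZeroFontScanner()
    scanner.feed(html)
    scanner.close()
    hidden = scanner.hidden_text
    fake_notice = any(w in t.lower() for t in hidden for w in ASSURANCE_WORDS)
    return {
        "zero_font_text": hidden,
        "visible_text": scanner.visible_text,
        "preview_snippet": " ".join(scanner.all_text)[:preview_chars],
        "suspicious": bool(hidden),
        "fake_scan_notice": fake_notice,
    }


if __name__ == "__main__":
    report = scan_email_html(SAMPLE_EMAIL_HTML)
    print("Preview pane would show:", report["preview_snippet"])
    print("Rendered body starts with:", report["visible_text"][0])
    print("Zero-font text:", report["zero_font_text"])
    print("Suspicious:", report["suspicious"], "| fake scan notice:", report["fake_scan_notice"])
```

A mail gateway rule built on this would quarantine or tag any message whose zero-font text is non-empty, rather than trusting anything the preview pane shows.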

Other infosec news

  • Evidence is emerging that some LastPass vaults were breached following the breach disclosed in November 2022. Researchers have speculated that a number of high-value cryptocurrency thefts indicate that the owners’ LastPass vaults were cracked to access their cryptocurrency wallets.

  • GitHub has made passkeys generally available – All users must enable 2FA on GitHub by the end of 2023. To facilitate this GitHub released passkeys to all users in September.

  • OpenAI investigated by FTC – The US Federal Trade Commission opened an investigation to determine how OpenAI handles, uses and secures information, including personal information.

  • WinRAR zero-day vulnerability – allows installation of ransomware.

  • Ubuntu privilege escalation flaws – up to 40% of Ubuntu users may be vulnerable.

  • MikroTik router privilege escalation vulnerability – may affect up to 900,000 routers. Users are urged to upgrade.

  • Your colleague’s loud typing could be more than just annoying – researchers claim to have translated the sound of keystrokes into what was being typed with up to 95% accuracy using an iPhone, and 93% over Zoom.

Environment

Legislative changes

We are aware of five legislative changes since the last newsletter that may be relevant to some or all of our clients. The first two below have the potential to be significant for organisations carrying out packaging work in England and Northern Ireland respectively. The remaining three are likely to be low or minor and relate to new or modified penalties for environmental breaches.

Infosec clients, please let us know if you require any of these to be added to your legislation portfolios:-

Name: The Packaging Waste (Data Reporting) (England) (Amendment) Regulations 2023
Potentially affected Management Systems: Environment
Anticipated impact on Infosec subscribers: Potentially significant
High level summary: Corrects errors in The Packaging Waste (Data Reporting) (England) Regulations 2023 (S.I. 2023/219), clarifying when a brand owner is a producer under the act, to assign responsibility to packer/fillers rather than brand owners, and to importers. Some organisations in England which previously disregarded this act as not relating to them may find this clarification brings obligations on them.

Name: The Packaging Waste (Data Reporting) (No. 2) (Amendment) Regulations (Northern Ireland) 2023
Potentially affected Management Systems: Environment
Anticipated impact on Infosec subscribers: Potentially significant
High level summary: Corrects errors in The Packaging Waste (Data Reporting) (No. 2) Regulations (Northern Ireland) 2023 (S.R. 2023 No. 25), clarifying when a brand owner is a producer under the act, to assign responsibility to packer/fillers rather than brand owners, and to importers. Some organisations in Northern Ireland which previously disregarded this act as not relating to them may find this clarification brings obligations on them.

Name: The Environmental Civil Sanctions (England) (Amendment) Order 2023
Potentially affected Management Systems: Environment
Anticipated impact on Infosec subscribers: Low
High level summary: Amends the Environmental Civil Sanctions (England) Order 2010 (S.I. 2010/1157) to allow the Environment Agency (EA) and Natural England to employ a range of sanctions in dealing with environmental offences.

Name: The Environmental Permitting (England and Wales) (Amendment) (England) (No. 2) Regulations 2023
Potentially affected Management Systems: Environment
Anticipated impact on Infosec subscribers: Low
High level summary: Amends The Environmental Permitting (England and Wales) Regulations 2016 to allow the EA to employ a range of civil sanctions, including monetary penalties.

Name: The Environmental Offences (Fixed Penalties) (Amendment) (England) Regulations 2023
Potentially affected Management Systems: Environment
Anticipated impact on Infosec subscribers: Minor
High level summary: Modifies the penalties that may be levied for breaches of aspects of the Environmental Offences (Fixed Penalties) (England) Regulations 2017 and the Environmental Protection Act 1990 relating to graffiti, litter, fly posting and waste disposal.

Biodiversity net gain rule implementation delayed

The UK Government has delayed the implementation of new rules required under the Environment Act 2021. The rules require developers to deliver at least 10% biodiversity gain as a condition for granting planning permission. The requirement was originally scheduled to come into effect in November 2023. It will now come into effect in January 2024 for large developments and April 2024 for smaller sites, with guidance published by the end of November 2023.

Health & Safety

Legislative changes

We are aware of five legislative changes since the last newsletter. These are likely to be relevant to organisations with obligations around domestic property management, specifically where those properties are defined as ‘high risk’ as described in the Building Safety Act 2022.

Infosec clients, please let us know if you require any of these to be added to your legislation portfolios:-

Name: The Building (Approved Inspectors etc. and Review of Decisions) (England) Regulations 2023
Potentially affected Management Systems: Health and Safety
Anticipated impact on Infosec subscribers: Specialist
High level summary: Commencement of elements of the Building Safety Act 2022, which was brought in following the Grenfell fire disaster. These regulations are one of a number of sets of regulations that implement Part 3 of the Building Safety Act in England.

Name: The Building (Higher-Risk Buildings Procedures) (England) Regulations 2023
Potentially affected Management Systems: Health and Safety
Anticipated impact on Infosec subscribers: Specialist
High level summary: Commencement of elements of the Building Safety Act 2022, which was brought in following the Grenfell fire disaster. These regulations are one of a number of sets of regulations that implement Part 3 of the Building Safety Act in England.

Name: The Building Regulations etc. (Amendment) (England) Regulations 2023
Potentially affected Management Systems: Health and Safety
Anticipated impact on Infosec subscribers: Specialist
High level summary: Commencement of elements of the Building Safety Act 2022, which was brought in following the Grenfell fire disaster. These regulations are one of a number of sets of regulations that implement Part 3 of the Building Safety Act 2022. Specifically, these regulations amend the Building Regulations 2010 in England to reflect requirements of the Building Safety Act 2022.

Name: The Building Safety (Leaseholder Protections etc.) (England) (Amendment) Regulations 2023
Potentially affected Management Systems: Health and Safety
Anticipated impact on Infosec subscribers: Specialist
High level summary: Amends the Building Safety (Leaseholder Protections) (Information etc.) (England) Regulations 2022 (S.I. 2022/859) and the Building Safety (Leaseholder Protections) (England) Regulations 2022 (S.I. 2022/711) to implement leaseholder protection provisions in the Building Safety Act 2022.

Name: The Higher-Risk Buildings (Management of Safety Risks etc) (England) Regulations 2023
Potentially affected Management Systems: Health and Safety
Anticipated impact on Infosec subscribers: Specialist
High level summary: Commencement of elements of the Building Safety Act 2022, which was brought in following the Grenfell fire disaster. These regulations are one of a number of sets of regulations that implement Part 3 of the Building Safety Act 2022 in England, and a number of elements of Part 2 of that act.

Roundup of recent posts and announcements by the Health and Safety Executive (HSE)

  • Asbestos – The HSE is seeking feedback from organisations who have commissioned asbestos surveys and/or asbestos analysts from appropriate contractors.

  • Workplace facilities – guidance on welfare requirements for staff, including those with disabilities, and specifically about toilet and washing facility requirements.

  • World Mental Health Day was on 10th October and National Inclusion Week was in the week commencing 25th September – The HSE issued a reminder about the UK Government’s ‘Working Minds’ mental health campaign.

  • Guidance on supporting staff with disabilities or long-term health conditions.

  • The deadline for registration of high-rise residential buildings was 1st October 2023. Principal accountable persons (the organisation that owns or is accountable for the building’s safety) must register relevant buildings with the Building Safety Regulator.

  • Safety Climate Tool – assess the attitudes of your staff with a simple online questionnaire – info and links to training courses.

  • 2022-23 fatal injury at work statistics published.

  • Covid-19 – The Health & Safety Executive has all the latest Covid information and advice here.

Quality

Legislative changes

We are aware of five legislative changes since the last newsletter that may be relevant to some or all of our clients.

  • The first three are likely to be relevant and significant to organisations.

  • The first two below relate to changes to some workers’ rights.

  • The third below may not seem to be immediately relevant to organisations, but breaches of the Protection from Sex-based Harassment in Public Act 2023 by workers while on company business, and/or where those workers can be associated with the organisation via uniforms etc., could lead to potential reputational damage.

Many organisations already have ‘codes of conduct’ for workers that would forbid such behaviour, but if yours does not, it would be advisable to consider one to ensure that workers understand how their actions may reflect on the organisation and to set out your expectations on them.

While the Retained EU Law (Revocation and Reform) Act 2023 is unlikely to be directly relevant to organisations, EU laws that are revoked under it may be.

A further amendment to the Russia Sanctions Act was published in the period.

Infosec clients, please let us know if you require any of these to be added to your legislation portfolios:-

Name: Employment Relations (Flexible Working) Act 2023
Potentially affected Management Systems: All
Anticipated impact on Infosec subscribers: Potentially significant
High level summary: Modifies the Employment Rights Act 1996 with respect to aspects relating to flexible working, including when it may be requested and refusals.

Name: Workers (Predictable Terms and Conditions) Act 2023
Potentially affected Management Systems: All
Anticipated impact on Infosec subscribers: Potentially significant
High level summary: Amends the Employment Rights Act to give employed and agency workers the right to request a predictable work pattern. This has the potential to affect organisations in England, Wales or Scotland that have variable working patterns and demands, and/or who rely on temporary or agency workers.

Name: Protection from Sex-based Harassment in Public Act 2023
Potentially affected Management Systems: All
Anticipated impact on Infosec subscribers: Potentially significant
High level summary: Amends the Public Order Act 1986 to bring in legal protections against intentional harassment, alarm or distress in relation to a person’s sex or presumed sex. While the offence applies to the individual carrying out the harassment or causing alarm or distress, employers may need to consider the potential impacts on the organisation of an employee being charged with an offence under this act while working for the organisation.

Name: Retained EU Law (Revocation and Reform) Act 2023
Potentially affected Management Systems: All
Anticipated impact on Infosec subscribers: Low
High level summary: An enabling act to further implement changes to UK law brought about by Brexit. It revokes a number of EU legislative instruments, all directly effective EU law, the modified principle of supremacy of EU law and the general principles of EU law. It also allows lower courts to depart from the body of EU case law when making decisions. In practice, this act is unlikely to directly affect most UK organisations; however, changes to and revocation of some EU law has affected UK organisations and will continue to do so as further changes are made.

Name: The Russia (Sanctions) (EU Exit) (Amendment) (No. 3) Regulations 2023
Potentially affected Management Systems: Quality
Anticipated impact on Infosec subscribers: Low
High level summary: Extends the scope of the restrictions of the sanctions to cover additional products and services and introduces exceptions relating to emergencies.

If you would like to discuss any of the topics we have covered in this newsletter, or would like to know more about how PCML Consultants can help you with your Security, Quality, Environment, H&S and Business Continuity objectives, then please don’t hesitate to get in touch.