Stick or Twist: The GDPR Gamble

The closer we get to May 2018, the more buzz there is around GDPR. As a business owner you are used to making decisions, and it is clear that you need to make one now. Stick or twist: ignore the pending legislation, or understand its impact. At least if you understand the impact and still choose to ignore it, you have made an informed decision. By reading on you will be better informed than when you started.

It would be easy to think of it the same way many businesses think of the current UK Data Protection Act (it only matters if there is a breach or incident, it is too complicated to try to understand, we cannot afford to have someone dedicated to data protection, it does not apply to us). However, a big difference with the new regulation is that the risk of action from the ICO no longer hinges on the impact of a breach; being unable to demonstrate compliance is itself grounds for action. That's right: once GDPR kicks in, simply not being compliant carries the risk of enforcement, whether or not anything has gone wrong yet.

Some of the new requirements are getting clear consent to hold personal data, responding to requests from individuals about what data you hold on them (subject access requests), and honouring the right to be forgotten (deleting personal data on request). These requests must now be answered within defined timeframes: as a rule, within one month of receipt. Not having the appropriate controls or procedures in place puts employees, clients and the business at risk. The tricky part is to reach a balance of appropriate controls without killing productivity.

Given the numerous differences from the current DPA, the potential effect on our reputation, and the nature of our business (holding data on clients, employees and prospects), we have decided it is vital for us to do everything possible to understand and be compliant with GDPR. The more we learn, the more apparent it becomes that there are many boxes to tick. As a starting point, we are carrying out a gap analysis to understand how our current policies and procedures compare with the requirements of GDPR. Because there are so many changes coming, we wanted to ensure it is being done correctly, so we are following a proven, structured approach rather than working from a blank page.

If your business holds personal data such as names, phone numbers, email addresses or sensitive information on clients, employees or prospects, you need to decide what your business is going to do about GDPR. It's stick or twist again: wait until there is an incident, a subject access request or a knock on the door from the ICO, or make your business more secure now by updating your approach to information security and data protection. We see the benefits of the latter and believe it is going to make a world of difference for our clients and ourselves.

If you would like to understand more about GDPR in relation to your business, we would be happy to have a chat.

Modern day risks and GDPR

By now, you should understand that GDPR is happening next May. No avoiding it.

At the centre of GDPR are individuals' rights over their personal data. This affects all of us. No one wants private information such as bank account and credit card details made publicly available or sold somewhere online.

So when it comes to making sure your business is doing the most to protect sensitive employee and client information, a common question is where do you start?

A good place to start is to assess the threats to any information that is not for public consumption. These threats come in all shapes and sizes. Some of the common ones are:

  • Employees using unapproved apps and services to get work done (so-called shadow IT), which moves company data outside the controls you have in place
  • The increase in cybercrime such as phishing, ransomware and other malware, where a single convincing email is enough to get a foothold
  • Bad working habits, such as sharing passwords, emailing files to personal accounts or leaving devices unlocked

Each of these threats brings its own risks and its own effect on the business: loss of client trust, reputational damage, disruption to client services and possibly fines.

We frequently speak with clients who assume that data protection, and the broader idea of information security, is entirely an IT issue. This could not be further from the truth. Look back at the three bullet points above. The one thing they have in common is people, i.e. your employees. Technical controls help, but none of them stop a user who has been persuaded to hand over a password or open an attachment.

We equate information security to buying insurance. It is a business decision that needs to be made based on the risks and how to mitigate them, in the hope that you never need it. Unfortunately, just like insurance, there is a cost. This comes in the form of the time and/or money required to mitigate the risks, and it is common for this to push information security onto the back burner. Fortunately, companies have a lot of control over how they deal with these threats and risks.

We began our journey to GDPR and ISO 27001:2013 compliance a few months ago. Here are a few things we learned along the way:

  • Senior management must understand the threats and potential impact of increasingly effective cybercrime, lack of awareness and more onerous compliance requirements, and accept that something needs to be done to address them. Business risk is something senior management cares a lot about, but if they do not already understand the information security risks and the impact of non-compliance, someone has to sell it to them.
  • The business needs to assign an internal person to be responsible for information security. Some aspects of information security can be outsourced, but the responsibility to protect data stays with the business. This person must have the support of senior management. It is also a good idea to allocate a budget for information security.
  • Identify the most valuable information the business holds, the threats to it, and the risk and impact if those threats materialise. Imagine your business had been a victim of the recent WannaCry ransomware outbreak. What would that have cost you financially? What would the impact have been on productivity and, more importantly, reputation?
  • A gap analysis will identify the weak points. Put measures in place to mitigate the risks. This could involve investing in more secure solutions or in employee awareness training.
  • Data protection is not a "one and done" exercise. It is an ongoing process that regularly checks back in with the business to see whether there are new threats or improvements that can be made.

At the end of the day, all businesses are caretakers of certain sensitive information, whether that be employee bank details, legal case files or intellectual property. Being able to demonstrate that you are trying to keep these as secure as possible shows regulators that you are making an effort, which will be viewed favourably if they ever come knocking on your door.

While the General Data Protection Regulation may seem overbearing because of the number of new rules, it does force everyone to step back and look at their current processes and resources to ensure that appropriate measures are in place.

If you would like to talk about how to be better prepared for the May 2018 deadline, we would love the opportunity to talk with you. Feel free to get in touch with us.

Topics: GDPR, data security

Get Smart on Cyber Security

There seems to be a never-ending stream of statistics about data security and ransomware these days. Everybody wants to raise your awareness of cyber security (don't worry, we're not going to throw any more stats at you). We're assuming that by now you're aware that it is an issue.

However, there is a big difference between awareness of a problem and actually doing something about it. If your business is something other than IT, the idea of sorting out cyber security probably makes you want to bury your head in the sand. So it gets put on the back burner. And there it stays.

Cyber security isn’t fun or sexy and it’s not going to directly lead to any more revenue.

Or will it?

More and more businesses are enquiring about cyber security, and here are three key reasons why:

  1. Because of the increasing number of cyber-attacks, clients are asking more of the partners and service providers who hold or process confidential or personal information on their behalf, and supplier security questionnaires are becoming routine.
  2. The UK government has confirmed that the EU General Data Protection Regulation (GDPR) will apply from May 2018, regardless of the decision to leave the EU. Although the current Data Protection Act 1998 is similar to the GDPR, there are additional requirements and increased penalties, enforced by the ICO, for organisations that do not adhere to good governance practices. Responsibility lies with both the client (the data controller) and the provider (the data processor). Business is starting to take notice because ignoring it will affect the ability to trade in Europe.
  3. Organisations that work with government departments and handle sensitive or personal information must be certified to a recognised standard that shows they protect themselves against common cyber-attacks.

Fortunately, there is a UK government-backed scheme designed to help businesses work out how to approach cyber security. There are two levels to consider, depending on the goals of the business. The first is Cyber Essentials, a self-assessment questionnaire covering five baseline technical controls (boundary firewalls, secure configuration, user access control, malware protection and patch management), which is reviewed by a certification body. The second is Cyber Essentials Plus, which covers the same controls but adds independent technical verification: an external vulnerability scan of your internet-facing systems and hands-on testing of a sample of your devices to confirm the controls are actually in place.

Regardless of the level chosen, there are a few key benefits of the scheme.

  1. It gives you a way to demonstrate to your clients that you have reviewed your security measures and that they are at least as good as the government baseline. In addition, by placing the certification badge on your website and marketing material, you can set your business apart from competitors by showing you take security seriously.
  2. Even if the UK were not to participate in GDPR, any organisation doing business in the EU must be aware of, and adhere to, the GDPR principles, and can be held liable for GDPR breaches. Putting the Cyber Essentials controls in place gives a business a sound technical baseline for data protection. It does not make you GDPR compliant on its own (GDPR also covers consent, individuals' rights, records of processing and so on), but it helps towards compliance, which in turn can facilitate commerce with the EU after Brexit.
  3. Holding Cyber Essentials certification opens the door to working with UK government departments, many of which require it as a condition of contracts involving personal or sensitive information.

Hopefully by now you're thinking this all makes sense. However, there is still the challenge of doing something about it. In reality, you could go to the Cyber Essentials website, download the information and work through it yourself. But if you are a law, architecture or other professional services firm with limited time or budget to address it, you'll move on to "more important" things.

Why not hand this off to someone who has been through the process? We are Cyber Essentials Plus certified ourselves, and we have developed a systematic approach to assess your business security, identify any areas of weakness and help you take the remedial actions needed to become Cyber Essentials or Cyber Essentials Plus certified in the shortest amount of time possible.

It really is the easiest way.

If you have any questions about Cyber Essentials, security or any other IT-related issues, feel free to add a comment below or reach out to us.

Topics: Blog, cyber security

How to lock down data security outside the network perimeter

Flexible working arrangements mean that your workforce is becoming increasingly mobile. Previously your IT team needed only to deal with data access requests from the field sales team, but the number of remote workers is growing.

Freelancers, homeworkers and "I just need access to my files so I can do some work in the evening" types all require access to key data and applications. And that's before you start looking at Bring Your Own Device (BYOD) initiatives that see your IT team supporting employees' personal devices, which you neither own nor fully control.

Every network-attached device represents a very real security risk, particularly as employees carry more corporate data on each one. That means criminals have a multitude of potential points of attack, and the boundary of your network is now wherever your staff happen to be working.

So how do you overcome these challenges without breaking your budget?

Reduce the amount of data being transported

Data stored on mobile devices is extremely vulnerable to loss or theft. A mislaid smartphone could, in the wrong hands, completely compromise your company's intellectual property, especially if the device is not encrypted or protected by a strong unlock code. So you need to take steps that limit the amount of data held on these remote devices in the first place.

Cloud file storage

Office 365 gives remote workers access to key productivity tools, and it also comes with dedicated Cloud storage to hold your files. Because the master copy of the data is held in the Cloud, the loss or theft of a device means that the data is not lost, and any local copy can be removed from the device without affecting the business.

Office 365 has the added benefit of running in Microsoft's data centres, which means that your files are protected by enterprise-grade physical and infrastructure security. Microsoft is responsible for securing the platform itself (the data centres, hardware, network and service software), so you get those benefits without the overhead of running them. Be aware, though, that responsibility is shared: who can log in, how strong their passwords are, whether multi-factor authentication is switched on, and who a file is shared with remain your decisions and your risk.

You will find that moving core business applications into the Microsoft Azure Cloud delivers similar advantages: your data is secured off site and is accessible anywhere at any time. And because you have outsourced the underlying infrastructure, the cost of managing and maintaining hardware falls to the service provider too. The same shared-responsibility caveat applies, since the configuration, accounts and data inside your Azure environment are still yours to secure.

Location of data is an important consideration as well. Just because data is in the Cloud doesn't mean you don't, or shouldn't, care about where it is. Microsoft recently announced the opening of their first UK data centres, meaning businesses can be more comfortable knowing exactly where their data is stored, which also matters for data protection obligations about transfers outside the UK and EU.

Hosted desktops

Hosted desktops are a great way to standardise your operating environment. Whether connecting from the office, at home, or using a mobile device on the road, a consistent computing experience does wonders for productivity – everything is right where your users expect it.

And because all the data accessed via a hosted desktop stays inside that remote session, none of it needs to be downloaded to the user's device. If they lose their tablet, or a burglar steals their home PC, corporate data remains safely stored in the Cloud, away from prying eyes. This only holds if the session is configured that way, so features such as client drive mapping, clipboard redirection and local printing should be disabled or restricted; otherwise a user can still copy files out to the device in front of them.

And just like Office 365, all of the hosted desktop data is stored in an enterprise-class Cloud data centre located in the UK, protected by industry-standard security provisions. By outsourcing management of your PC environment to On Line Computing, resources are freed up for maintaining other key aspects of your IT infrastructure.

Enforce the rules

You can also control what happens on mobile devices using Mobile Device Management (MDM) tools. By enrolling smartphones and tablets in the platform, you can apply security settings such as requiring a passcode to unlock the device, enforcing device encryption, and remotely wiping devices that are lost or stolen. You can even restrict which apps can be installed, or prevent corporate data being opened in unapproved apps, to stop information leaking out. Bear in mind that a remote wipe only takes effect when the device next connects, so a strong passcode and encryption are what protect the data in the meantime.

On Line Computing’s MDM solution operates entirely in the Cloud, so there’s no need for additional investment in hardware or software. And like all the other Cloud solutions discussed here, the responsibility for managing the back-end of the system lies with our team of expert engineers. And we’re always on hand to provide help and guidance on using the system too.

To learn more about how to secure your data in the age of the mobile workforce, please give us a call.