Infographic: A visual guide to Information Security

Whether you’re just getting started or you have information security processes truly embedded, find out where you are in the journey and how you can move forward with our free Information Security Infographic. Click the image below to view and download.

Information Security Infographic

Get a free Information Security Risk Self-Assessment

Business risk can have severe consequences if not properly managed. Every business has its own set of assets and risks, and an Information Security Risk Self-Assessment form should be completed to identify the business assets and the risks to them.

We can give you a free Information Security Risk Self-Assessment template – just get in touch with us here.

Where are you on your security journey?

Every organisation has already invested in security, installing basic cyber tools like anti-virus and patching vulnerable operating systems. Hopefully. But this is just the beginning of your journey. A journey to bring maturity to your security.

A truly effective security programme involves identifying and locating all of your information assets and putting controls in place to protect them all. A risk register and recognised accreditations further demonstrate to everyone that you are taking it seriously.

Why are you on this journey?

The journey to maturity is often driven by external factors. Your customers require it before they will buy your products or services, legislation mandates it, you have been the victim of a cyber-attack or you are aware of the increased risk present today.

The journey ahead of you

As mentioned earlier, it should start with identifying and locating all of your information assets. Remember that not all information is stored digitally. Once you have identified your assets, you can now consider all of the risks. You can then align the tools that are already deployed. Cyber Essentials is an external accreditation and a first step to proving that you are serious, even if it is self-certified.

The journey can then continue as you broaden the impact of your Information Asset Risk Register, introducing new cyber tools, staff awareness training and enhanced organisational policies to govern the business's approach to security. Cyber Essentials Plus demonstrates further commitment, as you have invited an external body to audit the controls that you have in place.

ISO 27001, an internationally recognised information security certification, shows that your security governance is fully embedded in the business. At this stage the management system, policies and controls are fully ingrained, aligned to the business objectives and subjected to rigorous external audit. Your approach is fully matured and shows staff, customers and suppliers that you are serious.

At On Line Computing information security is at the very core of the services that we provide to our customers. We have given advice and guidance to hundreds of organisations, helping them to improve their information security and achieve recognisable accreditations. Whether you’re just beginning your journey or you’re ready to take on the next stage we are here to support you. Check out our case study about how we helped a global consultancy firm achieve their ISO 27001 accreditation.

Is Cyber Security enough to protect your business?

Everyone’s heard of Cyber Security. Breaches of security create great headlines, especially when personal information is involved. Cyber crime is the new frontier with the perpetrators seeking information that has a value to be exploited for financial or political gain. The typical reaction is to deploy technology tools to protect against known external and internal threats, or the threats that the Cyber Security sector is telling you about. It’s a great way to sell stuff.

But, is Cyber Security the whole picture? What about Information Security? What’s the difference between the two?

Cyber Security vs. Information Security

Cyber Security focuses on protecting and recovering hardware, networks, devices and applications. It is a technology solution to protect your technology assets.

Information Security, on the other hand, is a more comprehensive approach to protecting your data and assets. It does involve software tools (that's the cyber piece) but focuses on all the other areas where threats exist. It starts by identifying all of your information assets and considers the confidentiality, integrity and availability of each of them. In addition to the technology assets like networks, hardware, applications, databases and devices, information assets include things such as personnel, buildings and office spaces, and suppliers. Each of these can present just as big a risk to your business, if not a bigger one, if not properly considered, and each may be subject to different threats. Think about paper-based assets: they may contain confidential information. Are they left lying around the office or disposed of without due thought to the risks?

Information Security enables you to consider the risks to all your information assets no matter where they are or what they are being used for. It is an approach that helps determine the right tools or other measures to provide the appropriate protection. You will know where your information assets are and your users will be aware of the threats that could be targeting them or your organisation so that you can put measures in place to reduce the risk.

6 steps to improving your Information Security

ISO 27001 is an Information Security standard. It requires a great deal of effort to achieve certification and it’s not for everyone. There are some steps you can take without embracing the whole thing that will greatly improve your security.

  1. Identify all of your information assets
  2. Categorise them
  3. Assess the risk to each category, remembering confidentiality, integrity and availability
  4. Apply measures to appropriately protect the assets. This will include Cyber Security tools, policies and procedures
  5. Make sure all of your staff are aware of the risks and how you are mitigating them
  6. Periodically review

Cyber Security is a necessary part of our lives and protects our businesses from criminal activity enabled by the internet. But solely relying on Cyber Security tools may leave a chink in your armour. An Information Security approach will help you have a better understanding of your business and identify and patch vulnerabilities you will uncover in the process.

Find out more about Information Security or get in touch with us. Our team are more than happy to answer any of your questions surrounding Cyber Security or Information Security.

Stick or Twist: The GDPR Gamble

The closer we get to May 2018, the more buzz there is around GDPR. As a business owner you will be used to making decisions, and it is clear that you need to make one now. Stick or twist: ignore the pending legislation or understand the impact. At least if you understand the impact and still choose to ignore it, you've made an informed decision. By reading on you will be more informed than when you started.

It would be easy to think of it the same way as the current UK Data Protection Act (it only matters if there is a breach/incident, it is too complicated to try to understand, we cannot afford to have someone committed to data protection, it does not apply to us). However, a big difference with the new regulation is that the risk of action from the ICO has moved from the impact of a breach to not being compliant. That's right: once GDPR kicks in, simply not being compliant carries the risk of action.

A couple of the new requirements are things like getting clear consent to hold data, responding to requests about what data you hold on individuals and the right to be forgotten (deleting personal data). It is now a requirement to respond to requests within defined timeframes. Not having the appropriate controls or procedures in place puts employees, clients and the business at risk. However, the tricky part is to reach a balance of appropriate controls while not killing productivity.

Given the numerous differences from the current DPA, the potential effect on our reputation, and the nature of our business (holding data on clients, employees and prospects), we have decided it is vital for us to do everything possible to understand and be compliant with GDPR. The more we learn, the more apparent it becomes that there are many boxes that need to be ticked. As a starting point, we are carrying out a gap analysis to understand how our current policies and procedures compare to the requirements of GDPR. Because there are so many changes coming, we wanted to ensure it is being done correctly. This led us to using a proven and formatted approach.

As a business that holds personal data such as names, phone numbers, email addresses or sensitive information on clients, employees or prospects, there needs to be a decision on what your business is going to do about GDPR. It's stick or twist again: wait until there is an incident, request or knock on the door from the ICO, or make your business more secure by updating your approach to information security and data protection. We see the benefits of the latter and believe it is going to make a world of difference for our clients and ourselves.

If you would like to understand more about GDPR in relation to your business, we would be happy to have a chat.

Modern day risks and GDPR

By now, you should understand that GDPR is happening next May. No avoiding it.

At the centre of GDPR are individual rights to data protection. This affects all of us. No one wants to have private information such as bank account and credit card details made publicly available or sold somewhere online.

So when it comes to making sure your business is doing the most to protect sensitive employee and client information, a common question is where do you start?

A good place to start is to assess the threats to any information that is not for public consumption. These threats come in all shapes and sizes. Some of the common ones are:

  • Using unapproved apps (popular among millennials)
  • Increase in cybercrime such as phishing (baby boomers are especially susceptible), ransomware and viruses
  • Bad work habits

Each of these threats brings its own risks and effects for the business: loss of client trust, reputational damage, disruption to client services and possibly fines.

We frequently speak with clients who assume that data protection, and the broader idea of information security, is entirely an IT issue. This could not be further from the truth. Look back at the three bullet points above. The one thing they have in common is people, i.e. your employees.

We equate information security to buying insurance. It is a business decision that needs to be made based on risks, and how to mitigate them, in the hope that you never need it. Unfortunately, just like insurance, there is a cost. This comes in the form of time and/or money required to mitigate the risks. It is common for this to lead to putting information security on the back burner. Fortunately, companies have a lot of control over how to deal with these threats and risks.

We began our journey to GDPR and ISO 27001:2013 compliance a few months ago. Here are a few things we learned along the way:

  • Senior management must understand the threats and potential impact of increasingly effective cybercrimes, lack of awareness, more onerous compliance requirements and accept that something needs to be done to address these. Business risk is something senior management care a lot about but if they do not already understand the information security risks and the impact of non-compliance, someone has to sell it to them.
  • The business needs to assign an internal person to be responsible for information security. Some aspects of information security can be outsourced but the responsibility to protect data resides with the business. This person must have the support of senior management. It is also a good idea to allocate a budget for information security.
  • Identify the most valuable information the business has, and the risks and impact caused by threats to it. Imagine your business was a victim of the recent WannaCry ransomware. What would that cost you financially? What would be the impact on productivity and, more importantly, reputation?
  • A gap analysis will identify weak points. Put measures in place to mitigate the risks. This could involve investing in more secure solutions or employee awareness training.
  • Data protection is not a “one and done” type of thing. It is an ongoing process which regularly checks in with the business to see if there are new threats or improvements that can be made.

At the end of the day, all businesses are caretakers of certain sensitive information, whether that be employee bank details, legal case files or intellectual property. Being able to demonstrate that you are trying to ensure these are as secure as possible is an indication to regulators that you are making an effort, which will be viewed favourably if they ever come knocking on your door.

While the General Data Protection Regulation may seem overbearing due to its many new rules, it does require everyone to step back and look at current processes and resources to ensure that the appropriate measures are in place.

If you would like to talk about how to be better prepared for the May 2018 deadline, we would love the opportunity to talk with you. Feel free to get in touch with us here.

Get Smart on Cyber Security

There seems to be a never-ending stream of statistics about data security and ransomware these days. Everybody wants to raise your awareness of cyber security (don't worry, we're not going to throw any more stats at you). We're assuming that by now you're aware that it is an issue.

However, there is a big difference between awareness of a problem and actually doing something about it. If your business is something other than IT, the idea of sorting out cyber security probably makes you want to bury your head in the sand. So, it gets put on the back burner. And there it stays.

Cyber security isn’t fun or sexy and it’s not going to directly lead to any more revenue.

Or will it?

More and more businesses are inquiring about cyber security, and here are three key reasons why:

  1. Due to the increasing number of cyber-attacks, clients are asking more of their partners and service providers who hold or process confidential or personal information for them.
  2. The UK government has confirmed that the EU General Data Protection Regulation (GDPR) will apply as of May 2018, regardless of the decision to leave the EU. Although the current UK Data Protection Act is similar to the GDPR, there are additional requirements and increased penalties, enforced by the ICO, for organisations not adhering to good governance practices. Responsibility lies with both the client and the provider. Business is starting to take notice, because ignoring it will affect their ability to trade in Europe.
  3. Organisations that work with government departments handling sensitive and personal information must be certified to a certain standard that ensures they protect themselves against cyber-attacks.

Fortunately, there is a UK government backed scheme designed to help businesses figure out how to approach cyber security. There are two levels to consider based on the goals of the business. The first is a templated self-certification process called Cyber Essentials. The second is Cyber Essentials Plus, which goes one step further to include an independent audit of your Cyber Essentials certification.

Regardless of the level chosen, there are a few key benefits of the scheme.

  1. It provides a way for you to demonstrate to your clients that you have reviewed your security measures and they are at least as good as the government standard. In addition, by placing the certification badge on your website and marketing material, you can set your business apart from competitors by showing you take security seriously.
  2. Even if the UK were not to participate in GDPR, any organisation doing business in the EU must be aware of, and adhere to, the GDPR principles. They can be held liable for GDPR breaches. Putting the Cyber Essentials framework into a business is a great way to ensure the proper security measures are in place for data protection. This will help towards compliance with GDPR, which in turn can facilitate commerce with the EU after Brexit.
  3. Having Cyber Essentials certification opens the door to working with UK government departments.

Hopefully by now, you're thinking this all makes sense. However, there is still the challenge of doing something about it. In reality, you could go to the Cyber Essentials website, download the information and try to go through it yourself. But if you are a legal, architect or other professional services firm, with limited time or budget to address it, you'll move on to “more important” things.

Why not hand this off to someone who has been through the process (we are Cyber Essentials Plus certified), has developed a systematic approach to assessing your business security, can identify any areas of weakness and can help take remedial actions so that you become Cyber Essentials or Cyber Essentials Plus certified in the shortest amount of time possible.

It really is the easiest way.

If you have any questions about Cyber Essentials, security or any other IT related issues, feel free to add a comment below or reach out to us by clicking here.