Stick or Twist: The GDPR Gamble

The closer we get to May 2018, the more buzz there is around GDPR. As a business owner you will be used to making decisions, and it is clear that you need to make one now. Stick or twist: ignore the pending legislation, or understand its impact. At least if you understand the impact and still choose to ignore it, you have made an informed decision. By reading on you will be more informed than when you started.

It would be easy to think of it the same way as the current UK Data Protection Act (it only matters if there is a breach or incident, it is too complicated to try to understand, we cannot afford to have someone committed to data protection, it does not apply to us). However, a big difference with the new regulation is that the trigger for action from the ICO has moved from the impact of a breach to simply not being compliant. That’s right: once GDPR kicks in, not being compliant carries the risk of action in itself.

Among the new requirements are obtaining clear consent to hold data, responding to requests about what data you hold on individuals, and the right to be forgotten (deleting personal data). It is now a requirement to respond to such requests within defined timeframes. Not having the appropriate controls or procedures in place puts employees, clients and the business at risk. However, the tricky part is to reach a balance of appropriate controls without killing productivity.

Given the numerous differences from the current DPA, the potential effect on our reputation, and the nature of our business (holding data on clients, employees and prospects), we have decided it is vital for us to do everything possible to understand and be compliant with GDPR. The more we learn, the more apparent it becomes that there are many boxes that need to be ticked. As a starting point, we are carrying out a gap analysis to understand how our current policies and procedures compare with the requirements of GDPR. Because there are so many changes coming, we wanted to ensure it is being done correctly, which led us to use a proven, structured approach.

As a business that holds personal data such as names, phone numbers, email addresses or sensitive information on clients, employees or prospects, you need to decide what your business is going to do about GDPR. It’s stick or twist again: wait until there is an incident, a request or a knock on the door from the ICO, or make your business more secure by updating your approach to information security and data protection. We see the benefits of the latter and believe it is going to make a world of difference for our clients and ourselves.

If you would like to understand more about GDPR in relation to your business, we would be happy to have a chat.

Modern day risks and GDPR

By now, you should understand that GDPR is happening next May. No avoiding it.

At the centre of GDPR are individual rights to data protection. This affects all of us. No one wants private information such as bank account and credit card details made publicly available or sold somewhere online.

So when it comes to making sure your business is doing the most it can to protect sensitive employee and client information, a common question is: where do you start?

A good place to start is to assess the threats to any information that is not for public consumption. These threats come in all shapes and sizes. Some of the common ones are:

  • Using unapproved apps (popular among millennials)
  • Increase in cybercrime such as phishing (baby boomers are especially susceptible), ransomware and viruses
  • Bad work habits

Each of these threats brings its own risks and effects on the business: loss of client trust, reputational damage, disruption to client services and possibly fines.

We frequently speak with clients who assume that data protection, and the broader idea of information security, is entirely an IT issue. This could not be further from the truth. Look back at the three bullet points above. The one thing they have in common is people, i.e. your employees.

We equate information security to buying insurance. It is a business decision that needs to be made based on risks, and how to mitigate them, in the hope that you never need it. Unfortunately, just like insurance, there is a cost. This comes in the form of time and/or money required to mitigate the risks. It is common for this to lead to putting information security on the back burner. Fortunately, companies have a lot of control over how to deal with these threats and risks.

We began our journey to GDPR and ISO 27001:2013 compliance a few months ago. Here are a few things we learned along the way:

  • Senior management must understand the threats and potential impact of increasingly effective cybercrimes, lack of awareness, more onerous compliance requirements and accept that something needs to be done to address these. Business risk is something senior management care a lot about but if they do not already understand the information security risks and the impact of non-compliance, someone has to sell it to them.
  • The business needs to assign an internal person to be responsible for information security. Some aspects of information security can be outsourced but the responsibility to protect data resides with the business. This person must have the support of senior management. It is also a good idea to allocate a budget for information security.
  • Identify the most valuable information the business has, and the risks and impact caused by threats to it. Imagine your business was a victim of the recent WannaCry ransomware. What would that cost you financially? What would be the impact on productivity and, more importantly, reputation?
  • A gap analysis will identify weak points. Put measures in place to mitigate the risks. This could involve investing in more secure solutions or employee awareness training.
  • Data protection is not a “one and done” type of thing. It is an ongoing process which regularly checks in on the business to see if there are new threats or improvements that can be made.

At the end of the day, all businesses are caretakers of certain sensitive information, whether that be employee bank details, legal case files or intellectual property. Being able to demonstrate that you are trying to keep these as secure as possible shows regulators that you are making an effort, which will be viewed favourably if they ever come knocking on your door.

While the General Data Protection Regulation may seem overbearing because of its many new rules, it does require everyone to step back and look at current processes and resources to ensure that the appropriate measures are in place.

If you would like to talk about how to be better prepared for the May 2018 deadline, we would love the opportunity to talk with you. Feel free to get in touch with us here.

Topics: GDPR, data security

Will GDPR cripple productivity?

There are arguments around the technical approach to GDPR that have ringing similarities to those presented when ‘Consumerisation of IT’ first became a thing towards the end of the last decade. I have delved into my archive and found a diagram that was used by one of the big global vendors in their slide deck to demonstrate the benefits of the transition that consumerisation heralded. Then the focus was on empowering the staff, especially as the millennials started to hit the workforce, and enabling the business in the process. The suggestion at the time was that IT teams zealously controlled all matters IT and determined how and where employees were able to interact with systems. Consumerisation was an ideal that placed the emphasis on the users making that determination.

[Figure: vendor diagram illustrating the benefits of the consumerisation of IT]

A natural reaction to the impending GDPR deadline, and the potential impact it could have on the viability of an organisation, is to lock down all systems and infrastructure in an effort to prevent any breach. The heavy penalties available to the ICO under the legislation will frighten many organisations into a knee-jerk reaction as they seek to mitigate all risk. Reasonableness will not apply and the walls of the fortress will be constructed. In seeking to remove all risk in this manner, businesses will unintentionally introduce more.

Many of the workforce are used, thanks to consumerisation, to having access to the information they need to be productive when and where they need it. Clamping down on these practices certainly seems like a sensible step: restricting access to data from outside the secure environment of the office or network. Personal devices get forbidden; BYOD becomes a thing of the past. You have control. Your data is safe. The ICO won’t get you for 4% of your global turnover.

This approach is bound to have an effect on productivity. It places restrictions on where and how staff can operate. It places no trust in their ability to look after and respect the company’s data. People will still want to work in a way that suits their style and lifestyle, thus introducing conflict. Sooner or later they will find a way to get the data out of the network and into a location where they can operate effectively. It usually starts with a C-level demand to work away from the office, either on holiday or in the comfort of home late at night. Slowly, and unbeknown to the IT team, the controls are eroded to a point where there is no control over the data. That massive fine could be in the bag.

The alternative approach is to adopt a balance of systems and policies that enable working practices for effective and productive staff: train your teams to manage data appropriately, but also give them the chance to achieve a work-life balance. Security measures should back this up and be an enabler, not an inhibitor. This will enable true control, and businesses will know where their data actually resides. If there is a breach, it should be identified quickly and reported in a timely manner.

There are elegant solutions that will enable freedom for the users and control for the business. A healthy balance that will enable compliance with GDPR and not inhibit users or the business. The regulations require reasonably appropriate technical steps and not draconian measures, so it is an opportunity to review your IT and systems, improve them where necessary and ensure staff have the appropriate training.

It is important to remember that GDPR is about personal data, not just IT. While IT has tools in place to help secure data and systems, it is only as good as the company’s policies and procedures regarding how data is being handled, and the education of the people handling it; both of which are outside the normal scope of the IT department.

A good starting point for the technical elements of GDPR is an understanding of cyber awareness. We have created a handy guide to this, which can be downloaded by clicking below.

Topics: GDPR

Tic Toc goes the GDPR clock

“How did it get so late so soon?” – Dr Seuss

It is now less than a year before the new European General Data Protection Regulation (GDPR) comes into effect. This new legislation is the biggest change to data protection in many, many years. The current regulation was created before so much of our lives and personal information was online and used for other purposes.

GDPR has been created to update data protection practices to be more in line with the way the world operates today. It requires a fundamental shift in the way personal data is handled. This will be a big change for many companies, especially in the SME space, where personal data exists but is not a primary element of the business. GDPR will require changes to policies and procedures, documentation, IT configurations and possibly the legal agreements you have with customers and suppliers. Simply put, it touches a number of different areas of your business. For that reason, it is not something that can be addressed in a few days. Every company in the world that does business in Europe is going to be affected by this.

With such a big change coming, it would be easy to think that the ICO will be busy with enforcement on large companies. However, there are suspicions that the ICO will easily be able to identify companies who have not addressed GDPR. Once the new regulation kicks in in May 2018, you must be able to demonstrate that you take data protection seriously, and this can involve things as basic as public-facing transparency statements and opt-in features on your website. It is no longer a case of facing fines from the ICO only because of a data breach.

The ICO is selling GDPR as a business benefit to offset the fact that this is going to be a BIG deal for SMEs. Most small to medium-sized businesses are not set up to deal effectively with data protection in the first place. Currently, an issue only comes to light when there is a problem (reactive). From May 2018, it’s more about proving compliance (being proactive).

Numerous changes will need to be made to your organisation and procedures. Don’t underestimate it! We encourage you to start the journey sooner rather than later.

Topics: GDPR, Compliance, EU

Keeping your business safe from the outside in

The task of securing your IT assets and data is increasingly complex, not least because your own systems are becoming more complicated too. Every application or piece of information that comes into your network from the outside world represents a potential hazard, a weak point that can be exploited by cybercriminals.

It is possible to plug most of these gaps by hardening your systems and educating your users so that they can’t be exploited. This is an expert job, though, and getting it wrong may actually make your systems even less secure. That is why you should seriously consider outsourcing IT security to an expert like On Line Computing.

Blocking threats before they reach your company

The point where your company network connects to the Internet is your first line of defence against malware, viruses and hackers. Typically you will have a firewall there: a defence that manages what can, and cannot, pass through. Once past the firewall, though, it becomes much easier for hackers to steal data.

The most effective security provisions identify and block attacks before they ever touch your firewall. Outsourced security systems use the power of the Cloud to scan all traffic passing in and out of your network remotely. Anything identified as suspicious or dangerous is immediately blocked.

This active blocking is not unlike the way your own mail system handles spam. All of your incoming messages are scanned for signs that they may be unsolicited marketing messages, or contain inappropriate or dangerous content. Any email identified as suspicious is immediately moved to “quarantine”. The process is completely transparent and automated, and because the message is not in your inbox, it is far less likely to be opened.

Outsourced security is very similar in operation, but it analyses all of the traffic coming into your network, not just emails.

There are several benefits to adopting outsourced security:

1. Enhanced security for your network

By blocking attacks before they can reach the edge of your network, you dramatically reduce the chances of anything malicious making it through. Your network firewall may be very good, but there is always a risk it could be compromised.

Protecting your data is an exercise in de-risking. So it makes logical sense to move security off-site to lower the risk of a security breach.

Outsourced security systems also tend to employ several safety techniques to ensure traffic is “clean” before it is allowed onto your network. These enterprise grade systems are more effective (and more costly) than the typical SME firewall, offering a far higher level of protection. You get all these benefits without the significant capital spend attached to buying them yourself.

2. Improved network performance

Scanning network traffic is resource intensive, slowing your network down in the process. Any deterioration in IT performance has a knock-on effect for the rest of your business. Your network may be secure, but productivity drops.

Where security scanning takes place outside your network, your own resources are left unburdened. All of the scanning is performed by high-end, dedicated hardware at the provider’s data centre, which means that you should see fewer security-related bottlenecks and a boost in productivity.

3. Security systems managed by experts

Enterprise-class data security is actually essential for every business, regardless of its size. But these systems are expensive to buy and very complicated to manage and maintain, requiring a team of experts to keep things running smoothly.

An outsourced security service is managed and run by a team of highly skilled engineers, tasked with ensuring your network traffic is being properly scanned and managed. You get all the benefits of a dedicated security team without actually having to employ anyone.

Enterprise class security without the headaches

Maximum IT security relies on using reliable technology effectively to block new and emerging threats. The most cost-effective way for businesses without a dedicated IT security team to stay secure is through an outsourced security solution that relieves them of the administrative burdens.

To learn more about outsourced security and how On Line Computing can help your business protect its data, please get in touch.