EASYLIFEIT™ CYBER SECURITY AUDIT
TOO MUCH TO DO, TOO LITTLE TIME
It’s hard work running an SME: limited time, limited resources, and an ever-growing burden of regulation. It can be difficult to know what to prioritise.
One useful tool for setting priorities is to evaluate risk using a simple five step approach:
- Identify all possible risks facing your business
- Rate the likelihood of that risk becoming reality using a scale of 1 – 5 (with 5 being the most likely)
- Rate the impact on your business if that risk became reality using a scale of 1 – 5 (with 5 being the most severe)
- Multiply your ‘likelihood’ and ‘impact’ scores together.
- A score of 15 or more represents a high risk. Prioritise taking steps to reduce that risk score.
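The five steps above, carried into a small risk register that validates the scores, ranks the risks and flags those at or above the threshold. This is an added example, not a tool from EasylifeIT or the original page; the 1–5 scales and the threshold of 15 are taken from the text, while the sample risks and the likelihood and impact values given to them are constructed for illustration only.

```python
"""Risk register scoring following the five-step likelihood x impact approach.

Added example, not EasylifeIT's own tool. The 1-5 scales and the
high-risk threshold of 15 come from the text; the sample register and
its scores are constructed for illustration, not an assessment of any
real business.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5
HIGH_RISK_THRESHOLD = 15  # "a score of 15 or more represents a high risk"


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 = least likely, 5 = most likely
    impact: int      # 1 = least severe, 5 = most severe

    def __post_init__(self):
        # Reject scores outside the 1-5 scale so a typo cannot silently
        # push a risk above (or below) the threshold.
        for field, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not (SCALE_MIN <= value <= SCALE_MAX):
                raise ValueError(f"{field} must be {SCALE_MIN}-{SCALE_MAX}, got {value}")

    @property
    def score(self) -> int:
        # Step 4: multiply likelihood and impact.
        return self.likelihood * self.impact

    @property
    def high(self) -> bool:
        # Step 5: 15 or more is high risk and should be prioritised.
        return self.score >= HIGH_RISK_THRESHOLD


def prioritise(risks):
    """Return the register ordered highest score first; ties go to the higher impact."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def high_risks(risks):
    """Only the risks that need action first, in priority order."""
    return [r for r in prioritise(risks) if r.high]


# Constructed sample register; the scores are illustrative assumptions.
SAMPLE_REGISTER = [
    Risk("Ransomware infection", 4, 5),
    Risk("Loss of internet for more than a few hours", 3, 4),
    Risk("Hardware failure of main server", 3, 5),
    Risk("Illness amongst key staff", 4, 3),
    Risk("Fire damage to premises", 1, 5),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        flag = "HIGH" if r.high else "    "
        print(f"{flag} {r.score:>2}  {r.name}  (likelihood {r.likelihood} x impact {r.impact})")
```

Note that with 1–5 scales the only combinations reaching 15 are 3×5, 4×4, 4×5, 5×3, 5×4 and 5×5, so a risk rated “quite likely” with a “severe” impact lands on the threshold exactly; the sample hardware-failure entry shows that case.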
I DIDN’T REALISE HOW MUCH I RELY ON MY IT SYSTEMS
Most businesses rely very heavily on IT systems. The impact of an event such as the loss of internet access to an office is typically felt very quickly. If it goes on for more than a few hours, the impact on business continuity can become severe, often starting to affect service to customers.
The sheer number of possible events which could have consequences for systems illustrates why IT almost always scores 15 or more in a risk analysis:
- Cyber crime (e.g. virus, ransomware)
- Power failure
- Hardware failure
- Loss of internet
- Illness amongst key staff
- Loss or theft of data
- Damage to premises e.g. fire
- Financial failure of a key supplier
CYBER CRIME – A DOUBLE THREAT
Cyber crime is an obvious threat to business continuity. A ransomware attack, for example, in which malicious software that has gained access to your systems encrypts your data and demands payment for the key needed to recover it, can cause severe disruption and financial pain.
However, it is potentially a data protection threat as well. The General Data Protection Regulation (GDPR) has applied since 25th May 2018, amid much hype and no little confusion about what businesses should be doing. If a cyber attack has resulted in unauthorised access to systems holding personal data, it is very likely this would also be a “personal data breach” in GDPR terms, and a breach must be reported to the Information Commissioner’s Office (ICO) within 72 hours of you becoming aware of it unless it is unlikely to result in a risk to the individuals concerned. If personal data about your staff or customers has been compromised, you now have a data protection problem to deal with as well as a business continuity issue.
THE LINK BETWEEN GDPR AND CYBER SECURITY
A key pillar of GDPR is the “security principle”. This states that you should process personal data securely by means of “appropriate technical and organisational measures”. The aim is to guard against unauthorised or unlawful processing, as well as against accidental or unlawful loss, destruction, alteration, unauthorised disclosure of or access to personal data.
The Information Commissioner’s Office (ICO), the body responsible for enforcing data protection legislation in the UK, advises the following in respect of steps businesses should be taking:
- Consider things like risk analysis, organisational policies, and physical and technical measures
- Measures must ensure the ‘confidentiality, integrity and availability’ of your systems and services and the personal data you process within them
- Measures must also enable you to restore access and availability to personal data in a timely manner in the event of a physical or technical incident
- Ensure that you have appropriate processes in place to test the effectiveness of your measures, and undertake any required improvements
What the guidance does not explain is exactly how to implement all of the above. This has left some businesses wondering what practical steps to take.
IS THIS GOING TO BE EXPENSIVE?
The ICO’s guidance is that measures have to be practical, but practical does not necessarily mean expensive. The ICO is clear that businesses can take the state of the art and the costs of implementation into account when deciding what measures to adopt. Whatever measures you take must, however, be appropriate both to your circumstances and to the risk your processing poses.
One of the fears many businesses have over GDPR is the significant increase in the maximum level of fines available to the ICO. However, it is worth noting that the ICO is not required to impose a fine, even in the event of a data breach. In deciding on appropriate action, it must take into account a number of considerations. These include the degree of responsibility of the data controller or processor, having regard to the technical and organisational security measures they had implemented.
Good data safeguarding therefore need not be expensive, and it has the added incentive of potentially reducing the size of any fine from the ICO, or removing the risk of one altogether.
IF YOU ONLY DO ONE THING, DO THIS
Cyber Essentials is a government-backed cyber security certification scheme that sets out a baseline of cyber security suitable for all organisations. Although there is no requirement within GDPR to achieve Cyber Essentials, it is nevertheless a structured and well-recognised scheme which gives clear evidence that an organisation is taking its system security seriously. It fits well with an overall objective of taking sensible steps to reduce business continuity risk whilst complementing what needs to be done for GDPR compliance.
Cyber Essentials requires businesses to complete a self-assessment questionnaire and provide evidence to demonstrate that they meet minimum standards around the following key themes:
- Password-based authentication – to ensure users are who they say they are
- Firewalls – to ensure only safe and necessary services can be accessed from the internet
- Secure configuration – to reduce the level of vulnerabilities, such as unnecessary software and the ability to run untrusted programs on devices such as PCs
- User access control – so that only users who need access can gain access, and administrative accounts are used only for administrative tasks
- Malware protection – to prevent harmful software from causing damage or accessing sensitive data
- Patch management – to ensure that devices and software are not vulnerable to known security issues for which fixes are available; the scheme expects updates that fix high or critical vulnerabilities to be applied within 14 days of release
Meeting the Cyber Essentials requirements will not guarantee any organisation complete safety from cyber crime. However, it will help to reduce the risk. Furthermore, it can be recognisable evidence to present to the ICO and your customers that you take information security seriously.
Further details about Cyber Essentials are published by the National Cyber Security Centre (NCSC).
EASYLIFEIT™ CYBER SECURITY AUDIT
EasylifeIT can help your organisation provide evidence of its effort and commitment to solid technical and organisational controls by facilitating and documenting a cyber security audit. Using the Cyber Essentials questionnaire as the framework, our consultant will work directly with staff members who have responsibility for your company’s IT infrastructure and data security.
The end result will be a gap analysis – providing a measure of the organisation’s current level of preparedness and the gaps (if any) which need to be addressed. This analysis will be provided in EasylifeIT’s report which is included as part of the Cyber Security Audit. Following the Audit, you will be able to make an informed choice about whether you wish to go further and pursue external assessment to achieve full Cyber Essentials certification. And if so you will also have a clearer picture of the scope and the likely effort needed to get there.
The programme of work typically takes between 1 and 2 days, depending on the size of your organisation. The programme comprises:
- A site visit by a Cyber Essentials qualified EasylifeIT consultant to conduct the gap analysis, working directly with nominated representatives from your company
- Production of a written report of findings and recommendations arising from the site visit
- An independent analysis delivered by qualified and experienced professionals
- An action plan from which to build and maintain evidence of commitment to good data privacy and security practice
STRATEGIC IT CONSULTANT. EASYLIFEIT NORWICH
JAMES IS AN EXPERIENCED AND VERSATILE BUSINESS PROFESSIONAL WHO HAS WORKED ACROSS MULTIPLE SECTORS. HE PROVIDES COMPLEMENTARY SKILLS TO EXECUTIVE TEAMS, ADVISING ACROSS A RANGE OF DISCIPLINES INCLUDING IT STRATEGY, BUSINESS CONTINUITY PLANNING AND IT PROJECT MANAGEMENT