Success stories

Our customers come in all shapes and sizes.

We work with organisations from all walks of life, with different ambitions and requirements. Explore how we’ve helped them reimagine everyday, and align technology with their culture and business goals.

Remote working, VPNs and DDoS attacks

Why are VPNs vulnerable to DDoS attacks and why has widespread remote working because of Covid-19 and the lockdown increased this risk? Find out here.

ISS World ransomware attack – who’s next?

Another high profile ransomware attack demonstrates why having a Prevent, Detect and Respond approach to cyber security attacks is best practice.

Tackle IT security risks with these 5 strategies!

How can you keep your organisation safe from IT security risks? Explore these 5 strategies to protect your organisation, people and data.

Security and compliance risks when migrating to the Cloud

More businesses than ever are migrating core operations to cloud platforms. From storage to connectivity and whole IT systems, cloud providers are responsible for multiple mission-critical services.

Companies benefit from this in many ways: reduced costs, greater flexibility, improved productivity and security.

However, many businesses believe – 83% according to backup software firm, Veritas – that cloud providers are wholly responsible for keeping customer data safe. In a stricter regulatory environment, that is something companies can’t afford to assume and shouldn’t leave to chance.

If you have already migrated some or all of your IT infrastructure to the cloud, or are planning a digital transformation project, here’s what you need to know:

Regulatory and compliance risks in the Cloud

Businesses face a combination of risks. Cyber attacks are more frequent; a combination of ransomware, malware, DDoS and bots are all working to undermine corporate and SME defences. Your data is worth something to someone, regardless of how large your company is or what sector you operate in. It can be sold or published online, making it a valuable target.

At the same time, regulators are going to be tougher on firms that don’t take every reasonable effort to keep that data secure. With the General Data Protection Regulation (GDPR) now in force, companies can be fined “€20m or 4% of annual worldwide turnover, whichever is greater”, exceeding the £500,000 maximum fine under the Data Protection Act. Other regulations, such as an updated PCI-DSS standard for payment processing, have forced further action on how companies collect and process data. Keeping it secure is mission critical.

Isn’t data protection down to cloud providers?

Under GDPR, the definition of “personal data” has broadened. Many small and medium businesses, for example, are registering with the ICO to ensure they’re compliant under GDPR, once they realise that they’re also responsible for collecting personal – client – data. This means that more companies than ever are responsible for collecting, processing and safeguarding information under the law.

Unfortunately, passing that responsibility of security onto cloud providers isn’t an option. Even if a cloud provider is proud of the cyber security systems they have in place – and many will talk about this, as these are key selling points – under the Data Protection Act it’s still the responsibility of the company collecting and using the data. If a breach occurs, you can’t blame a supplier.

Companies need to know the following, as a minimum:

Where data is stored (is your cloud on-site, an external data centre or more than one centre in multiple locations, or a hybrid)?
How does it travel (encryption is essential)?
Why it might be moved and where does it go; e.g. does it move between cloud providers and software services and if so, is it secure?
And ultimately, who is responsible for all of this, on a daily basis and in the event of a breach?

All of this is designed to protect your customers, your ‘data subjects’. Disaster recovery scenarios should be worked out, in the event that a server fails or a system goes down within this environment. Even data that is apparently “clean” could fall within the scope of regulatory requirements, if combining it with other sources could result in personal identification.

When you are working with multiple vendors and SaaS providers, it can be harder to know where your data is. To be safe, carry out an audit. Make sure you can trace where data goes and how secure it is, then only work with vendors that offer complete accountability and are fully compliant with GDPR.

Staying safe in a stricter regulatory environment involves taking proactive steps to secure data wherever it goes. This responsibility falls squarely on the company collecting and using the data, not the cloud suppliers they’re working with.

Naturally, there is help at hand to navigate the cloud vs. compliance vs. cyber security landscape. If you would like to talk to a consultant informally about your requirements and what steps can be taken to ensure you get the benefits of cloud computing without exposing your business to risk, please get in touch.

How much do you know about cyber security vulnerabilities?

How vulnerable is your organisation and people to cyber security threats? Take our cyber security vulnerability quiz to find out how aware your team is.

BYOD risks, and how to mitigate against them

What are the BYOD risks and how can you increase mobility while protecting your people, organisation and data? Find out here.

Are your remote workers compromising security?

How can you ensure remote workers are not compromising security or increasing IT risks? Read this blog post for 4 ways to secure your remote workforce.

Are my Office 365 files at risk of infection by Ransomware?

Cyber attacks have been on all of our minds since the recent WannaCry ransomware attack on the NHS. However, it is important to remember that ransomware attacks can affect any size business and cause a multitude of problems. Infected data can become inaccessible, and paying the ransom can fuel further attacks of this nature. In this post we will look at the risks when storing file data in Office 365 and what can be done to protect your Office data.

Book a free Cyber Security Health Check to learn how to protect your business. Click here >

Where is my data stored in Office 365?

There are various options for storing file data in Office 365. The majority of this data resides in a SharePoint farm that Microsoft host and you connect to via the internet, but the front end that users interact with could be OneDrive for Business, Office 365 Groups/Microsoft Teams or a SharePoint site.

What files does Microsoft scan for malware?

Microsoft does scan for malware for files over 25MB as they are uploaded to Office 365 and, if identified, it sets a property flag against the document. Microsoft do however say: “These antivirus capabilities in SharePoint Online are a way to contain viruses. They aren’t intended as a single point of defence against malware for your environment.”

How can ransomware infect Office 365 files, particularly SharePoint Online or OneDrive?

Ransomware must run on a local computer or server; it cannot run in the Office 365 service. This means ransomware can infect files stored in Office 365 in two ways.

If you use the ‘open with explorer’ feature to map network drives to document libraries in Office 365, the ransomware can scan for connected drives and will infect all files it finds.

If you synchronise files from document libraries using the OneDrive sync client, these files are a copy of the online files sitting locally on your PC/Mac, and the infected files are then synchronised to Office 365.

What does the end user see when an infected file is downloaded?

Microsoft adds additional warnings when there is an attempt to download a file that is infected. However, there is no way an administrator can get an overview of files that have been flagged as containing malware, and users can override this warning and still download the file. The OneDrive client will also fail when trying to sync an infected item and show an alert in the system tray.

What backup and recovery options does Microsoft offer?

Microsoft backs up data from SharePoint Online every 12 hours and retains this data for a period of 14 days. The options for restoring this data are limited: for example, you can only restore data at site collection level and the data restoration is in place, meaning it will overwrite any data currently sitting in the Site Collection or OneDrive for Business site. These days site collections support up to 25TB.

Can I use version history to recover non-infected files?

If versioning is enabled on your document libraries then you may be able to recover the data. First you will want to disconnect the mapped network drive or stop syncing the data from the devices that are infected. The ransomware that has infected your files may only have infected a single version; this provides the opportunity to delete the current version and revert to a previous copy which is not infected. The only way to achieve this for all files in a library or OneDrive would be to script this process or use a third-party tool. Recovery by version history may not help in all cases, as it is possible that historical versions of files have been infected also.

What can I do to protect my Office 365 data from infection?

To fully protect your Office 365 data from being affected by a crypto locker virus you would need to disable the ability to sync files and only allow users to access files using ‘Open with Explorer’ but not permit the mapping of SharePoint Online as a network drive. This would mean that files are always accessed via an https address either through a web browser or file explorer.

Backup Solutions

Backing up data to another service from Office 365 is the only way to empower you to quickly and easily recover files at a granular level and to an alternate location from the original. There are various options offered by third parties including:

AvePoint – Cloud 2 Cloud backup – 1GB of backup storage per user included – Minimum 3 Year Subscription – Includes a suite of management and audit tools for managing permissions, structure, content – Subscription licensing
SkyKick – Cloud 2 Cloud backup – 5GB of backup storage per user included – Subscription licensing
CloudAlly – Cloud 2 Cloud backup – Unlimited retention – No minimum subscription – Subscription licensing
Metalogix – Cloud 2 on-premises backup while maintaining file formats/file level access – Requires setup and infrastructure to run the software – Perpetual licence – Support cost is optional

After the WannaCry cyber attacks on the NHS, cyber security has been on all of our minds. That’s why we’re offering a free cyber security health check to help inform the important decisions about your IT system. Click here or below to find out more.
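The version-history recovery described in the Office 365 post above comes down to one decision per file, shown here as an added example that is not part of the original post. The version metadata is constructed, reading it from and restoring it in SharePoint Online is left out, and the rule for a suspect version (saved by an affected account at or after the infection time) is an assumption.

```python
from datetime import datetime


def first_suspect_index(versions, infection_start, infected_accounts):
    """Index of the earliest version saved by an affected account at or after
    the infection began, or None if the history looks untouched."""
    for i, v in enumerate(versions):
        if v["modified"] >= infection_start and v["modified_by"] in infected_accounts:
            return i
    return None


def plan_recovery(library, infection_start, infected_accounts):
    """Decide per file: keep it, roll back to a version, or go to backup."""
    plan = {}
    for path, history in library.items():
        versions = sorted(history, key=lambda v: v["modified"])
        idx = first_suspect_index(versions, infection_start, infected_accounts)
        if idx is None:
            plan[path] = ("keep", versions[-1]["label"])
        elif idx == 0:
            # Every retained version is suspect, e.g. repeated saves by the
            # ransomware pushed the clean versions out of the history.
            plan[path] = ("restore_from_backup", None)
        else:
            # Distrust everything from the first suspect version onwards,
            # including later saves made on top of encrypted content.
            plan[path] = ("rollback", versions[idx - 1]["label"])
    return plan


def version(label, when, who):
    """Build one constructed version-history entry."""
    return {"label": label, "modified": datetime.fromisoformat(when), "modified_by": who}


# Constructed sample data: accounts, paths and times are illustrative only.
INFECTION_START = datetime(2017, 5, 12, 9, 30)
INFECTED_ACCOUNTS = {"alice@example.com"}
LIBRARY = {
    "Finance/budget.xlsx": [
        version("1.0", "2017-05-01T10:00", "alice@example.com"),
        version("2.0", "2017-05-10T16:20", "bob@example.com"),
        version("3.0", "2017-05-12T09:31", "alice@example.com"),
    ],
    "HR/policy.docx": [
        version("1.0", "2017-04-02T11:00", "carol@example.com"),
        version("2.0", "2017-05-11T14:05", "carol@example.com"),
    ],
    "Sales/leads.csv": [  # only post-infection versions are left
        version("5.0", "2017-05-12T09:32", "alice@example.com"),
        version("6.0", "2017-05-12T09:33", "alice@example.com"),
        version("7.0", "2017-05-12T09:34", "alice@example.com"),
    ],
    "Projects/plan.docx": [  # a colleague saved on top of a suspect version
        version("1.0", "2017-05-09T09:00", "bob@example.com"),
        version("2.0", "2017-05-12T09:35", "alice@example.com"),
        version("3.0", "2017-05-12T11:00", "bob@example.com"),
    ],
}

if __name__ == "__main__":
    for path, decision in plan_recovery(LIBRARY, INFECTION_START, INFECTED_ACCOUNTS).items():
        print(path, decision)
```

Files that come back as restore_from_backup are the case the post warns about, where version history alone cannot recover the data.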

Six reasons why cyber crime is increasing, and what you can do about it

Why is cyber crime increasing and what threats do you need to protect your organisation from? Find out here >

What is ISO 27001 and why should you get certified?

ISO 27001 is a framework for managing IT security. Whilst it doesn’t sound exciting, ISO 27001, known under its full title as ISO/IEC 27001:2013, is an information security management system (ISMS) that helps keep consumer data safe in the private and public sector.

ISO 27001 has been around a while, superseding the original ISMS compliance framework that came into effect in 2005. This was updated in 2013, to reflect the changing nature of IT security and new threats against organisations and consumers.

Background to ISO 27001

Protecting data, passwords and computer services is more important than ever, with everything from banking to vital infrastructure connected to the internet and vulnerable to cyber attacks. Over the last few years, attacks have increased in complexity and frequency, exposing millions of people and businesses to security breaches, theft and fraud.

ISO 27001:2013 was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.” It was established, implemented and monitored jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), under a joint subcommittee.

Despite ISO 27001 focusing on information security, this is a platform/technology neutral framework, designed around how organisations manage IT risks and systems. There are seven areas that companies need to manage, to achieve ISO 27001 compliance.

Context of an organisation

ISO 27001 does not take place in isolation. Start with internal considerations: your organisation’s mission, values, products/services, sector, financial and human resources. Think about stakeholders, internal capabilities, culture, contracts, and then consider how external conditions, trends and customers could impact what you hope to achieve when designing an information security system.

With a 360 view of an organisation in place, you can determine an ISMS scope document, the boundaries of these policies (including considering the impact of the bring your own device – BYOD – trend) and write ISMS policies following ISO 27001 standards.

Leadership

Organisations need to show they are committed to ISO 27001 from the top down. Policies need to be established and become an integral part of how IT is managed, with a security policy communicated to the whole team. This needs to support security objectives, with clear management responsibility for these policies.

Planning

Planning for ISO 27001 involves assessing risks and opportunities that could impact IT security, both internally and externally. Risk assessments should be conducted: identifying, analysing, evaluating and prioritising the threats to an organisation. Once risks have been identified, a treatment process is required, to ensure you can handle threats if/when they strike.

Support

ISO 27001 needs resources for successful implementation. Budgets need to be allocated and staff fully trained and competent when it comes to delivering within the framework of the security objectives and policies. These should always be in line with the threats facing an organisation. Small businesses don’t have the same risk matrix as large government departments: design your security policies according to your internal and external threats.

Operational planning & processes

Successful implementation of ISO 27001 involves embedding operational processes within an organisation. This involves risk assessments, treatment plans and documenting the results of security policies.

Evaluation process

Effective information security involves constant monitoring, measuring, analysing and evaluating the impact of IT policies. To achieve ISO certification, this should include audits and reviews at planned intervals.

Improvements

Even companies with ISO certification will encounter situations where they fail to meet standards. When this happens, they need to assess what went wrong and how to take corrective actions. This may mean going back to the policies, resources and monitoring systems to ensure corrective action isn’t needed in the future.

Why get accredited?

Not only is ISO 27001 compliance valuable for large organisations and the public sector, but when dealing with third-party suppliers, such as IT companies, these standards mean your customers’ data is safe in their hands. This establishes a higher trust rating between organisations of different sizes since IT infrastructure will carry the same security requirements, making it easier to transfer and store sensitive information.

Innovation

Accreditation can also help you innovate. We helped Experian Data Quality achieve ISO 27001 so the company could expand its product range. Accreditation is a vital part of product development for its leading international address management software. Learn more here >

Differentiation

ISO 27001 is helping other organisations compete and differentiate in the marketplace. Leading specialist recruitment and human resources service provider, Reed Managed Services, wanted to demonstrate to their clients, employees and temporaries that they take IT data seriously and manage it using international best practice. When they achieved ISO 27001 with our help, they were the only recruitment company to have the accreditation. Read the case study here >

Win more business

Businesses and organisations that want to work with government departments and agencies increasingly find that ISO 27001 is a standard requirement for doing business. Our customer Mouchel, a consulting and business services group, needed to achieve ISO 27001 in order to pick up government infrastructure projects. Find out how we helped them with rapid certification here >

Typically achieving ISO 27001 takes up to 18 months but we’ve helped organisations get accredited much faster. Experian Data Quality were accredited in a record 3 months.

“Within just 60 days of consultancy, we passed the BSI inspection first time. I believe that this was achieved so quickly because Cloud Business committed 50% of its time to gain a complete understanding of how our business worked.”
Warwick Taylor, Experian Data Quality IT Manager

If you would like to find out more about how we can help you achieve ISO 27001 please get in touch. Book a discovery call below or contact us here >

Remote working, VPNs and DDoS attacks

Covid-19 and the lockdown have dramatically increased the use of Virtual Private Networks (VPNs). At the beginning of 2020 most organisations would have had the majority of users connecting to the network locally, and just a handful of remote workers connecting via a VPN. Since March 23rd that dynamic has changed, with the majority of users now relying on remote connectivity for work.

This has naturally come with a few challenges. Connectivity issues are common when a user doesn’t have enough bandwidth. But this can often be resolved by ensuring that other people sharing the home WiFi are not on Netflix or House Party while a remote worker is trying to work!  


The biggest challenge is security and specifically Distributed Denial of Service (DDoS) attacks. VPNs are easy targets and multiple users accessing the network via VPNs dramatically increases the surface area for these attacks. 

What is a Distributed Denial of Service (DDoS) attack? 

DDoS attacks take advantage of network capacity limits: they send multiple requests to a network resource with the aim of exceeding its capacity to handle them. The resulting overload prevents the network resource from functioning properly.

Typically, attackers target website resources with the goal of a ‘total denial of service’ so that the victim’s website won’t function. This may be for the purpose of demanding payment to stop the attack, to discredit a company or as a smoke screen to steal sensitive data. Targets are often online businesses like ecommerce retailers, IT and telecom companies, financial service providers and banks, and government organisations. 

The financial consequences of an attack vary depending on the size of business and the network resource attacked. A DDoS on an ecommerce website will cost the business in lost sales, remediation and potentially any payments to stop the attack.  

Why are Virtual Private Networks (VPNs) vulnerable? 

While hackers generally target website infrastructure, the Covid-19 pandemic and widespread remote working has presented them with another opportunity. There has been a significant increase in malicious attackers launching DDoS attacks on VPN infrastructure at a time when they know the impact will be most felt. 

Even low-volume attacks can overwhelm VPN concentrators and firewalls, and low-volume attacks are likely to go undetected because they do not trigger DDoS defences. Secure Socket Layer (SSL) VPNs are also vulnerable to SSL floods, where they are unable to handle a high volume of SSL handshake requests. Randomised UDP floods or IKE floods are also an issue. Internet Key Exchange (IKE) is used by IPSec VPNs for authentication and encryption handshaking.

What can you do to secure your network? 

As your remote VPN applications and concentrators may be old and previously only used as gap-filling IT infrastructure for a small number of remote users, you may not have optimised DDoS protection for your VPN or have tested your VPN infrastructure against this type of attack. 

To identify threats and attacks your cyber security tools need to know what normal looks like, and VPN traffic currently looks very abnormal compared to what it looked like at the beginning of the year. 

Monitoring and alerting are therefore essential to initially build a picture of what’s normal behaviour, and for real-time visibility on what’s happening on your network. With this information you can fine-tune DDoS policies to ensure attacks are identified in real-time. 
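As an added example (not from the original article) of the baselining described above: the script learns a per-minute baseline of IKE handshake attempts and flags minutes that deviate from it, including a low-volume flood that a fixed volumetric limit never sees. The log format, the sample lines and all thresholds are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed log format (an assumption for this example):
#   "HH:MM:SS ike <source-ip> <event>", where event is "init" (handshake
#   started) or "established" (handshake completed).
LINE_RE = re.compile(r"^(\d{2}:\d{2}):\d{2} ike (\S+) (init|established)$")


def make_lines(minute, inits, established):
    """Build constructed log lines for one minute (sample data only)."""
    events = ["init"] * inits + ["established"] * established
    return [
        f"{minute}:{i % 60:02d} ike 198.51.100.{i % 250 + 1} {event}"
        for i, event in enumerate(events)
    ]


def per_minute_counts(lines):
    """Count handshake starts and completions per minute."""
    buckets = defaultdict(lambda: {"init": 0, "established": 0})
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match:  # skip anything that is not an IKE event
            buckets[match.group(1)][match.group(3)] += 1
    return dict(buckets)


def build_baseline(counts):
    """Learn what a normal minute looks like from known-good traffic."""
    inits = [c["init"] for c in counts.values()]
    return {
        "mean": statistics.mean(inits),
        # Floor the deviation so a very steady baseline does not alert on +1.
        "stdev": max(statistics.pstdev(inits), 1.0),
    }


def detect(counts, baseline, k=3.0, min_completion=0.5, min_inits=10):
    """Return [(minute, reasons)] for minutes that deviate from the baseline."""
    rate_limit = baseline["mean"] + k * baseline["stdev"]
    alerts = []
    for minute in sorted(counts):
        inits = counts[minute]["init"]
        done = counts[minute]["established"]
        reasons = []
        if inits > rate_limit:
            reasons.append("rate")  # more handshakes than normal
        if inits >= min_inits and done / inits < min_completion:
            reasons.append("incomplete")  # handshakes started but not finished
        if reasons:
            alerts.append((minute, reasons))
    return alerts


def static_threshold_alerts(counts, per_minute_limit=1000):
    """A fixed volumetric limit, for comparison with the baseline approach."""
    return [m for m in sorted(counts) if counts[m]["init"] > per_minute_limit]


# Constructed baseline: ten ordinary minutes, 18-22 handshakes, nearly all complete.
BASELINE_LINES = [
    line
    for i, n in enumerate([18, 20, 22, 19, 21, 20, 18, 22, 20, 20])
    for line in make_lines(f"09:{i:02d}", n, n - 1)
]
# Constructed observation window.
OBSERVED_LINES = (
    make_lines("10:00", 20, 19)    # normal minute
    + make_lines("10:01", 60, 15)  # small flood: 3x normal, far below 1000/min
    + make_lines("10:02", 22, 6)   # normal rate, but handshakes are not completing
)

if __name__ == "__main__":
    baseline = build_baseline(per_minute_counts(BASELINE_LINES))
    observed = per_minute_counts(OBSERVED_LINES)
    print("baseline:", baseline)
    print("static limit alerts:", static_threshold_alerts(observed))
    print("baseline alerts:", detect(observed, baseline))
```

Because remote-working traffic keeps shifting, the baseline has to be relearned from recent known-good traffic rather than fixed once.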

To help address this challenge our recently launched cloud based Virtual SOC service now extends visibility beyond the perimeter to include VPN activity. This new feature will enable vulnerable businesses to quickly and cost effectively address the significant risks faced through the increase in VPN activity.

In response to Covid-19 and the increase in remote working, we are also offering customers a free Cyber Security Health Check. For further details please visit this webpage or contact us directly to find out more. 

Stay safe 

ISS World ransomware attack – who’s next?

Earlier this month we learned that ISS World had suffered a ransomware attack in which 500,000 employees were affected. At the time ISS World published this update on Twitter:

[Image: screenshot of the ISS World update on Twitter]

In line with the company’s standard operating procedure (SOP), ISS World disabled access to shared IT services across its sites and countries to isolate the attack. Company websites and employees’ access to email were affected, although websites were restored by the end of the week. In a press release ISS World said:

“The root cause has been identified and we are working with forensic experts, our hosting provider and a special external task force to gradually restore our IT systems. Certain systems have already been restored. There is no indication that any customer data has been compromised.

“The nature of our business is to deliver services on customer sites mainly through our people and as such we continue our service delivery to customers while implementing our business continuity plans. Our priority is to ensure limited or no disruption while we fully restore all systems.

“We are currently estimating when IT systems will be fully restored and are assessing any potential financial impact.”

If you’re worried about ransomware and the impact these and other cyber attacks might have on your organisation, book a free consultation with me to discuss what solutions you have in place and where you might be vulnerable to attack. Click here to arrange a call >

Thousands of ransomware attacks go unreported

ISS World’s ransomware attack made the news but due to the large number of cyber attacks being conducted on a daily basis, many go unreported. Just because you don’t hear about them, don’t be complacent. Ransomware attacks on UK businesses soared by 195% in the first half of 2019, and the UK is the second most attacked nation after the US. Criminals are focussing their efforts on businesses where the impact of disruption is most likely to result in ransoms being paid.

Events like ransomware attacks can bring a company to its knees, with primarily two options available should it happen: pay up or restore/rebuild. The problem with paying up is that it funds other criminal activities and it also makes you a target for further attacks.

Instead a Prevent, Detect and Respond approach is the best protection against ransomware attacks:

Prevent

Businesses need to ensure that they have uniform levels of protection across their entire estate, whether that is on premise, Azure, AWS or other hosting provider. If you haven’t already, invest in cyber security solutions to prevent phishing and ransomware attacks.

Also consider the source of these attacks.

Are your employees properly trained to spot unsolicited or suspicious emails? These are designed to trick staff into handing over confidential information or clicking on hostile links and have become increasingly sophisticated. Staff need adequate training with regular refresher courses.

Detect

Do you have the ability to detect attacks, or recognise the indicators of a likely breach? While you’ll know about a ransomware attack as soon as you receive a ransom demand, many cyber breaches go undetected for months.

With the exception of ransomware and DoS attacks, most cyber attacks are designed by their instigators to go undetected. For example, when Ticketmaster was breached between September 2017 and June 2018, it wasn’t until customers received replacement payment cards approximately 9 months later that it became apparent that customer data had been breached.

Real-time detection solutions will help your organisation respond rapidly to attacks and minimise the impact on your business.

Respond

Do you have a clearly defined plan should you become the victim of a cyber attack? The best way to help prevent disaster if you’re hit by a ransomware attack is to set up a simulation attack. This will help you identify problems that might not be documented in your disaster recovery plans, and help you develop a more robust response.

Cyber attacks are happening more and more frequently and many security analysts say it’s inevitable that all organisations across all industries and of all sizes will suffer a security incident at some point. Everyone’s in it together, so it’s important to protect your employees, be transparent and do the right thing. Trying to attribute blame or covering up is not the best approach. Instead preventing, detecting and responding to incidents with transparency and clarity will help you reduce the impact of breaches.

Book a free cyber security call to explore whether your organisation is vulnerable to ransomware attacks and what you can do to prevent, detect and respond to them. Click here >

Tackle IT security risks with these 5 strategies!

IT security is a hot topic. Companies everywhere need to watch out for new viruses, incidents of ransomware and malware, with cyberattacks more of a risk now than ever. Here are 5 strategies for tackling IT risks.

As a business owner, you need to know that your IT security, networks, storage and devices are secure. Under GDPR and other regulations you also need to take every reasonable step to safeguard the data that you are entrusted with, and to keep your confidential information – such as financial and client details – secure.

Cyber threats can come from any angle. In the IT industry, these are known as attack vectors. Hackers and criminals can try and access your networks and secure data through internet connections, software, email, and even Excel and PDFs aren’t safe.

The question is, as a business owner, how do you reduce the risk of falling victim to a potentially crippling cyber attack?

Find out more about our Cyber Security Posture Assessment to understand your organisation’s security posture and reduce IT security risks >

The following steps don’t require an expensive outlay in technology or cyber security solutions – many ‘out of the box’ SaaS solutions can help shore up your defences without breaking the bank. Best practices like good password hygiene and cyber threat awareness raising exercises don’t need to cost your business anything, and could actually save substantial amounts of money and reputational damage if they prevent an attack. Have you implemented the following?

5 ways to mitigate IT security risks

#1: Passwords

It sounds simple, even obvious, but whenever you, or your employees, leave a device – a tablet, phone or computer – alone for a moment, make sure it’s protected with a strong password. It is far too easy to assume you’re safe when working in an office with colleagues. But what if someone is looking to steal data? What if a client is in the building? Or a contractor that you don’t know?

Without a password, you are taking too much of a risk and haven’t taken a reasonable step to mitigate a serious and avoidable security risk.

An IT team or external provider should also make sure that the passwords on every device – including personal mobiles – that contain sensitive data are secure. Don’t make it easy for cyber attackers. Use a combination of upper and lower case letters, numbers and symbols. In the world of passwords, longer more involved combinations are statistically far more secure. It sounds simple, but you run a much higher risk of a data breach without secure passwords.

If your office has public WiFi, you need to take the same approach with this password, and make sure it is changed every few months. Put a password policy in place for everything that constitutes an attack vector, therefore mitigating the risk of a cyber breach.

#2: Virtual Private Networks (VPN)

With smartphones we can work anywhere. Many professionals access emails and sensitive documents on the go, wherever they are, often over public WiFi.

Public WiFi and phone networks aren’t secure. Neither is the WiFi in your house or favourite coffee shop. Sure, network providers take every reasonable step to maintain high levels of security, but that doesn’t mean that cyber attackers haven’t found ways to implement attacks that steal data.

The only way to guarantee the security of your company’s data on-the-go is with a virtual private network (VPN). Once this is set up, your employees and anyone else who needs to access work email and files can do so through a secure network that can be monitored and protected. Again, maintain a password policy that changes every few months for an extra layer of security and be careful who is granted access.

#3: Multi-factor authentication

Another way to increase security is with multi-factor authentication. When logging in, a code can be sent to a registered mobile device. The person trying to gain access then needs to enter that code and the login sequence is complete. It is a common feature of financial service websites, the Government gateway and many other secure websites. 

It is recommended that you provide that extra layer of safety for your network and employees. It can involve two or more steps, depending on how critical the systems being accessed are.

#4: Remote lock-down/wipe

Finding out that your phone or laptop has been stolen is a nightmare. Especially when this is a company device full of sensitive information. 

Make sure you have a lock-down and wipe procedure in place that can be implemented automatically 24/7. Whenever possible, ensure this is something an employee can initiate themselves through access to a secure website or on another device they own, even if that is a personal phone or laptop. 

Wiping a computer or phone after it has been taken needs to happen quickly, which is why this isn’t something that should wait until the next working day. Even if a cyber criminal is able to hack the password you want to make sure there is nothing for them to find and potentially use to damage the reputation of the company.

#5: Use access prevention and controls

Do you know where all of your secure data is and who has access?

If not, then this is something you need to get serious about. In any company, there are always going to be files that need to be more secure than others. Know what they are, where they are and ensure there are ways to control and monitor access.

Set passwords and an access protocol around the relevant files and systems that are more sensitive. When access is granted, make sure any files that are downloaded are only accessed on secure work devices, or through the VPN. Have policies in place so that staff know they’re not allowed to send sensitive documents to personal devices.


Finally, provide regular training and cyber security awareness raising exercises so your staff understand the risks, adhere to cyber security policies, and know what to do if they suspect an attack or attempted breach.

Point them in the direction of our Cyber Security Vulnerability Quiz to test their knowledge and identify where further training could help. 

With these security measures, your data should be safer and risks of being hit with a cyber attack are reduced. Taking measurable steps to improve security will keep your company compliant under GDPR and other regulations designed to protect customer data. 

Security and compliance risks when migrating to the Cloud

More businesses than ever are migrating core operations to cloud platforms. From storage to connectivity and whole IT systems, cloud providers are responsible for multiple mission-critical services.

Companies benefit from this in many ways: reduced costs, greater flexibility, improved productivity and security.

However many businesses believe – 83% according to backup software firm, Veritas – that cloud providers are wholly responsible for keeping customer data safe. In a stricter regulatory environment, that is something companies can’t afford to assume and shouldn’t leave to chance.

If you have already migrated some or all of your IT infrastructure to the cloud, or are planning a digital transformation project, here’s what you need to know:

Regulatory and compliance risks in the Cloud

Businesses face a combination of risks. Cyber attacks are more frequent; a combination of ransomware, malware, DDoS and bots are all working to undermine corporate and SME defences. Your data is worth something to someone, regardless of how large your company is or what sector you operate in. It can be sold or published online, making it a valuable target.

At the same time, regulators are going to be tougher on firms that don’t take every reasonable effort to keep that data secure. With the General Data Protection Regulation (GDPR) now in force, companies can be fined “€20m or 4% of annual worldwide turnover, whichever is greater”, exceeding the £500,000 maximum fine under the Data Protection Act. 

Other regulations, such as an updated PCI-DSS standard for payment processing, have forced further action on how companies collect and process data. Keeping it secure is mission critical.

Isn’t data protection down to cloud providers?

Under GDPR, the definition of “personal data” has broadened. Many small and medium businesses, for example, are registering with the ICO to ensure they’re compliant under GDPR, having realised that they’re also responsible for collecting personal – client – data.

This means that more companies than ever are responsible for collecting, processing and safeguarding information under the law. Unfortunately, passing that responsibility of security onto cloud providers isn’t an option.

Even if a cloud provider is proud of the cyber security systems they have in place (and many will talk about this, as these are key selling points), under the Data Protection Act it’s still the responsibility of the company collecting and using the data. If a breach occurs, you can’t blame a supplier.

Companies need to know the following, as a minimum:

  • Where data is stored (is your cloud on-site, an external data centre or more than one centre in multiple locations, or a hybrid)?
  • How does it travel (encryption is essential)?
  • Why might it be moved and where does it go; e.g. does it move between cloud providers and software services and if so, is it secure?
  • And ultimately, who is responsible for all of this, on a daily basis and in the event of a breach?

All of this is designed to protect your customers, your ‘data subjects’. Disaster recovery scenarios should be worked out for the event that a server fails or a system goes down within this environment.

Even data that is apparently “clean” could fall within the scope of regulatory requirements if combining it with other sources could result in personal identification. When you are working with multiple vendors and SaaS providers, it can be harder to know where your data is. To be safe, carry out an audit. Make sure you can trace where data goes and how secure it is, then only work with vendors that offer complete accountability and are fully compliant with GDPR.

Staying safe in a stricter regulatory environment involves taking proactive steps to secure data wherever it goes. This responsibility falls squarely on the company collecting and using the data, not cloud suppliers they’re working with.

Naturally, there is help at hand to navigate the cloud vs. compliance vs. cyber security landscape. If you would like to talk to a consultant informally about your requirements and what steps can be taken to ensure you get the benefits of cloud computing without exposing your business to risk, please get in touch.

How much do you know about cyber security vulnerabilities?

Is your business at risk from cyber attack because employees aren’t aware of security risks? Find out by asking them to take this quiz! If they score poorly it’s time to put in place some robust cyber security policies, raise awareness of the risk and provide training and support so that your staff are not a cyber risk. 

Cyber Security Vulnerability Quiz

Answer the questions below, then scroll down to find the answers and learn more about keeping your organisation safe from cyber attack.

Q1. Which of the following passwords is most secure, according to IT experts?

a. F00tBall1!

b. football

c. 123456

Q2. Which type of cyber-attack is commonly performed through emails?

a. Trojans

b. Phishing

c. Ransomware

Q3. If you receive an email containing an attachment from a sender you don’t recognise, should you:

a. Open it

b. Delete the email

c. Alert the IT security team

Q4. What kind of cybersecurity risks can be minimized by using a Virtual Private Network (VPN)?

a. Key-logging

b. Use of insecure Wi-Fi networks

c. De-anonymisation by network operators

Q5.  Whilst online, you notice a new pop-up window which tells you that a virus has been found on your computer and is harmful. The window provides a button to click, which will allow you to start rectifying the issue. The best thing you can do now is:

a. Hit the back button and see if the pop-up window disappears

b. Hover your cursor over the button and take a look at the URL shown. If the address looks legitimate to you, click on it. If it looks like a scam link, close the window immediately

c. Immediately close down both the browser window and the pop-up window

Q6. When it comes to backing-up your computer, how often should you be doing this, ideally?

a. Whenever you upload new photos, files or create important documents which you don’t want to risk losing

b. Only when you think there might be an imminent problem in retrieving files in future

c. Once a week

Q7. Which of the following could help protect your computer against malware and viruses?

a. Only downloading software from trusted sources

b. Ensuring that, via your IT Team, a credible antivirus program and a two-way firewall is installed

c. Ensuring you always update your computer with system updates when prompted

Q8. What does ‘social engineering’ mean in a security context?

a. A form of social deception driven by gathering information, fraud or accessing systems

b. Particular systems built in a certain way, so that society finds them easier to use

c. Where somebody takes advantage of social media channels in order to steal personal data

Q9. When you’re using public networks, what’s the best way to protect any communications made from your mobile device?

a. Use your browser’s ‘private browsing’ function

b. Turn off your mobile device’s file sharing ability

c. Use a Virtual Private Network or VPN

Q10.  Over the last few years, there’s been an emerging IT security threat, and it can happen anywhere in the world. Cyber criminals are able to lock down a user’s computer through the use of malware, and then demand money from the user in order for the access to be restored.  

What is this emerging threat called?

a. Botnet

b. CryptoLocker

c. Ransomware


How did you do? Here are the answers to our cyber security quiz:

Q1. Answer – a. ‘F00tBall1!’

According to 2017 stats published by SplashData, ‘123456’ is the most commonly used user password, with ‘football’ ranking 9th.

Answer ‘a’, ‘F00tBall1!’, however, embodies some best practice tips: it uses at least one special character and a mixture of numerical characters, uppercase and lowercase letters, and it is at least 8 characters long. Therefore, this is the most secure password you could have chosen out of the three options. (Ideally though, your password won’t be based on any existing word from the dictionary!)

Q2. Answer – b. ‘Phishing’  

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details (and money), often for malicious reasons, by posing as a trustworthy entity in an electronic communication.

Q3. Answer – c. ‘Alert the IT security team’

You should never open an attachment from an unknown source, and you should also be wary of any attachments sent by trusted sources if you’re not expecting them (they may have had their email accounts compromised). If you think it’s a phishing email or is simply not of interest to you, just delete it. But if you think the information may be important but you’re not 100% certain of the source, let your IT support team know.

Q4. Answer – b. ‘Use of insecure Wi-Fi networks’

A Virtual Private Network (VPN) allows users to create an encrypted connection between their devices and the internet, making it much harder for anyone other than the user to see their activity. 

Q5. Answer – c. ‘Close the browser window and pop-up window’

It’s the type of situation where it’s best to take no chances. It could be that the website you were on has been hacked without the business’s knowledge – or, it’s a fake site which has been built with the sole purpose of defrauding people. If you think it may be the former, get in contact with the business in question to make them aware of what’s happened – they might not know that their site has been compromised.

Q6. Answer – a. ‘Whenever you upload or create new and important files’

It depends on how often you create new files, documents, upload pictures and so on, but if you’re doing this kind of thing frequently, you ought to back up your system on a regular basis so that you don’t lose files and can revert to an original file if it ever gets corrupted. A good frequency to follow for most people is once a week.

Q7. Answer – a, b and c!

A trick question! The answer here is all three. These steps should be taken together as ‘bare minimum’ measures to protect your hardware from hacking attempts, malware, data loss and viruses.

Q8. Answer – a. ‘A form of social deception’

Social engineering is a complex form of social deception, which takes advantage of vulnerable people so as to manipulate them with the main aim being to defraud them. An example might be where someone is fooled into revealing their password for something.  

Q9. Answer – c. ‘Use a Virtual Private Network or VPN’

Whilst it would be partially correct to have picked ‘turning off your device’s file sharing ability’ as an answer, it would not ultimately prevent risks from the public network.  However, ensuring that you’re employing the use of a VPN would be a solution – think of it as a secure, private ‘tunnel’ that is built over a public network. It guarantees that there’s end-to-end communication security.

Q10. Answer – c. ‘Ransomware’

Answer b. – ‘CryptoLocker’ is actually an example of ransomware. In a nutshell, ransomware is a type of malicious software (malware) used by attackers to restrict access to computer systems or data. Today, a large proportion of phishing emails link to ransomware.

If you didn’t score as well as expected, speak to your IT team or information security officer about some additional training or support. If you head up your IT department and would like us to help you protect your systems and data with awareness raising exercises and training, please get in touch.

BYOD risks, and how to mitigate against them

Bring Your Own Device (BYOD) is a relatively recent trend (c. 2009) in behaviour where employees use their own mobiles, iPads, and laptops at work, for work. The drivers for BYOD are often to do with convenience but also because the technology individuals own is often more advanced than the hardware your average IT department would deploy. Many IT departments struggle to keep right up to date with every aspect of the latest technology, and an ever-increasing number of people (e.g. millennials) are now more likely to be IT ‘self-sufficient’.

While in some industries BYOD has been common practice for some time, in others it’s only just gaining traction. This is causing business leaders, information security professionals and IT support a few sleepless nights. While there are clear benefits for promoting BYOD working for most companies and organisations, there are also risks that can have serious implications for IT security, data protection and compliance.

Benefits of BYOD

There are plenty of upsides to BYOD. It can bring employees increased satisfaction through better and easier access to corporate data, emails, and grant the flexibility they need to use the Cloud to get work done; particularly when working remotely.

Likewise, for an employer, BYOD can bring a subsequent increase in productivity, as well as reduced hardware costs, licensing fees and resource needed for carrying out maintenance.

However, it could be argued that the sheer number of downsides relating to BYOD mean that your business or organisation could be allowing additional risk factors into your corporate infrastructure.

What are the biggest risks of BYOD?

Here, we look at the key risks organisations should be aware of when it comes to BYOD:

1) No BYOD policy exists

Perhaps the biggest risk factor of all. All organisations should have a BYOD policy in place to protect themselves against being exposed to an attack through, for example, a virus or a hacker, either of which could lead to financial or legislative penalties and reputational damage. An effective BYOD strategy will enable your IT department to secure both the devices and the data.

2) Complex security issues

Security issues will often clash with the overall convenience BYOD can bring. These include:

  • Data loss through physical loss or theft of the device, or through ‘cross contamination’, where corporate data may be accidentally deleted due to the fact it can be so intertwined with the user’s personal data.
  • Data leakage through the device not being adequately secured
  • Local exposure – where data being transmitted is not subject to the right controls
  • Public exposure – unacceptable use of a personal device by a family member or friend, or a vulnerability through public Wi-Fi usage and connecting to personal networks – including the use of Bluetooth.
  • Malicious and rogue apps – downloaded to a personal device and not pre-approved / controlled by IT to protect the user.
  • An increased vulnerability to insider attacks due to the inherent use of an organisation’s local area network.

3) Definite privacy issues

Due to the fact that employees’ BYODs will naturally be accessing a number of different platforms, servers and networks during the course of a working week, their employer could also legally access them.

It can all seem a bit ‘Big Brother’ when you start to realise that your organisation has the potential ability to read private emails, messages, and access other personal data. There’s a fine line, though most experts agree that employers aren’t really interested in individuals’ personal lives; they just want to ensure that company data and systems are effectively secured.

How do you counteract the risks caused by BYOD?

The ideal scenario for both employees and the organisation is that your IT department has secured all organisational and employee-owned devices appropriately, that mobile applications have the right controls applied, and that corporate and personal data is not subject to leakage or security threats.

Underpinning this is the presence of: 

  • A comprehensive BYOD policy, including pairing solutions which work well in tandem, such as Next Generation Network Access Control (NAC) and Mobile Device Management (MDM)
  • Your IT capability extending to 24/7 monitoring to identify potential threats – with the ability to respond to any incidents ‘intelligently’ through disaster recovery and back-up procedures
  • IT solutions which embody rules which are practical, yet not too intrusive. This could include the ability to remotely wipe data, or device tracing (e.g. in case of theft or loss)
  • An effective Data Loss Prevention (DLP) strategy which is built with effective rules to ensure that commercially sensitive data is not sent outside of the internal network

Occasionally, you may come across a ‘rogue’ employee, who either pays no mind to general policies and conduct rules or just thinks that they simply know better.  Effective internal training to upskill and educate staff on topics such as data security, identity fraud and cybercrime can work wonders in turning behaviours like this around.

Successfully mitigating against BYOD risks means that your workforce will ultimately benefit from gaining increased working mobility and flexibility, and your business need not fear its IT security being compromised via BYOD.

To find out more about how we’ve supported clients with their BYOD policies, read our case study on Dutton Gregory. This solicitors firm needed to give their partners and staff the ability to work remotely from different sites, but also balance compliance regulations and their clients’ concerns over data protection. We enabled them to get the benefits of a more mobile workforce and BYOD, without compromising sensitive data. Read our case study here.


Are your remote workers compromising security?

The trend to remote working is highly beneficial for both employers and employees. Remote workers (whether working from home, from a customer’s office or from hotels or cafes) are more productive, they often have better work-life balance, and they can also save their companies money.


According to a Canada Life survey, home or remote workers rank their productivity at 7.7/10 compared to those in the office, ranking themselves at 6.5/10. Remote workers, even those who only occasionally work this way, also have lower levels of stress.

Employees with the option to work remotely are also less likely to look for other employment. Businesses save money and benefit from a more productive workforce, a more creative, solutions-focused team of employees. A Cisco study found that 90% of managers “believe that workers are more productive when given the flexibility to choose when and how they work.”

However, benefits aside, security is always going to be a concern for managers and IT teams. How can you make sure remote working won’t compromise information security and data?

In this post we share 4 ways to get the benefits of a remote workforce without compromising security and increasing IT risks.

How to keep remote workers secure

#1: Know what devices they’re using

Employees are more inclined to use a device familiar to them than a work device: a laptop, tablet or smartphone. It makes it easier, keeping texts, apps, email and work-related services on one or more devices that they use all the time.

The challenge can be keeping those devices secure. Accessing work email, productivity apps, shared drive or customer data over an insecure network is opening the door to a potential data breach. Even home Wi-Fi networks aren’t failsafe, and public networks are even more vulnerable. Staff access should be secured through an encrypted Virtual Private Network (VPN), making access as secure for those working off site as for those employees who are working on site. Are your employees working remotely, safely?

#2: Secure app/email and server access

To keep internal and sensitive data safe, you should know who has access to servers, emails and shared apps. Maintaining admin-level identity and access control, and a digital trail, should safeguard your organisation from any potential data breaches and from a threat that companies sometimes have to deal with: internal data theft.

These controls will reduce the risk of an unhappy employee stealing data, such as taking customer details to a competitor and putting your business in breach of GDPR.

#3: Proactive IT security

All too often, cyber attacks occur after malicious software – such as malware – has been roaming around inside your systems for a while. Modern security software can automatically identify unusual activity and resource use and then react to neutralise the threat.

When staff work remotely there is a greater risk that something could slip through the net and cause damage. Reduce the risk by deploying cyber security tools that monitor and proactively identify and prevent cyber threats escalating.

#4: IT support

Remote workers need the same level of IT support as those working from the office. If something goes wrong, they need to know that IT support can fix the problem. Make sure your internal or external IT support team can provide a resolution to support tickets, calls or emails just as quickly as though the employee is in the office. Preventing IT risks for business continuity is important for companies.

At the same time, ensure IT support is providing the most up-to-date self-serve options, including AI-powered messenger bots and resources that can help staff solve problems themselves. Remote workers want to be more efficient. With robust IT support, you can drive forward your whole team’s productivity.

Remote working is a trend more employers are embracing. It improves productivity, morale, and gives staff the ability to work the same number of hours whilst fitting in other commitments as needed. Flexibility helps everyone. Companies immediately notice a productivity boost.

Help your team help you, with tools that make remote working more efficient and secure. Working with a trusted IT partner can equip you with the information and systems needed to keep remote workers, and the data they can access, safe and secure whilst giving them the support necessary to keep working in case anything goes wrong.

Contact our team if you would like to discuss any of the subjects covered in this blog post in more detail.

Are my Office 365 files at risk of infection by Ransomware?

Cyber attacks have been on all of our minds since the recent WannaCry ransomware attack on the NHS. However, it is important to remember that ransomware attacks can affect any size of business and cause a multitude of problems. Infected data can become inaccessible, and paying the ransom fuels further attacks of this nature. In this post we will look at the risks when storing file data in Office 365 and what can be done to protect your Office data.


Where is my data stored in Office 365?

There are various options for storing file data in Office 365. The majority of this data resides in a SharePoint farm that Microsoft host and you connect to via the internet, but the front end that users interact with could be OneDrive for Business, Office 365 Groups/Microsoft Teams or a SharePoint site.

What files does Microsoft scan for Malware?

Microsoft does scan files over 25MB for malware as they are uploaded to Office 365 and, if malware is identified, sets a property flag against the document. Microsoft does, however, say: “These antivirus capabilities in SharePoint Online are a way to contain viruses. They aren’t intended as a single point of defence against malware for your environment.”

How can ransomware infect Office 365 files, particularly SharePoint Online or OneDrive?

Ransomware must run on a local computer or server; it cannot run in the Office 365 service. This means ransomware can infect files stored in Office 365 in two ways.

  1. If you use the ‘open with explorer’ feature to map network drives to document libraries in Office 365 – the ransomware can scan for connected drives and will infect all files it finds.
  2. If you synchronise files from document libraries using the OneDrive sync client – these files are a copy of the online files sitting locally on your PC/Mac, so once they are infected locally, the infected files are synchronised to Office 365.

What does the end user see when an infected file is downloaded?

Microsoft adds additional warnings when there is an attempt to download a file that is infected. However, there is no way for an administrator to get an overview of files that have been flagged as containing malware, and users can override this warning and still download the file.

The OneDrive client will also fail when trying to sync an infected item and show an alert in the system tray. 

What backup and recovery options does Microsoft offer?

Microsoft backs up data from SharePoint Online every 12 hours and retains this data for a period of 14 days. The options for restoring this data are limited: for example, you can only restore data at site collection level, and the data restoration is in place, meaning it will overwrite any data currently sitting in the Site Collection or OneDrive for Business site. These days site collections support up to 25TB.

Can I use version history to recover non-infected files?

If versioning is enabled on your document libraries then you may be able to recover the data. First you will want to disconnect the mapped network drive or stop syncing the data from the devices that are infected. The ransomware that has infected your files may only have infected a single version; this provides the opportunity to delete the current version and revert to a previous copy which is not infected. The only way to achieve this for all files in a library or OneDrive would be to script this process or use a third-party tool.

Recovery by version history may not help in all cases as it is possible that historical versions of files have been infected also.
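One way to plan the scripted rollback described above, as an added example that is not part of the original article or any Microsoft tooling. It assumes you have already exported each file's version history (label, modified time, modifying account) and know roughly when the infected device started writing; the `FileVersion` record, the function names and the sample data are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FileVersion:
    label: str          # version label from the library's history, e.g. "3.0"
    modified: datetime  # when this version was written
    modified_by: str    # account that wrote it


def is_suspect(version, incident_start, infected_accounts):
    """Assumption: a version is suspect if an account signed in on an infected
    device wrote it at or after the time the infection started."""
    return (version.modified >= incident_start
            and version.modified_by in infected_accounts)


def plan_recovery(history, incident_start, infected_accounts):
    """Sort every file into one of three buckets.

    restore     -> {path: label of the last version before the first suspect write}
    from_backup -> files with no clean predecessor in version history
    untouched   -> files with no suspect versions at all
    """
    plan = {"restore": {}, "from_backup": [], "untouched": []}
    for path, versions in history.items():
        ordered = sorted(versions, key=lambda v: v.modified)
        if not ordered:
            plan["from_backup"].append(path)
            continue
        first_bad = next(
            (i for i, v in enumerate(ordered)
             if is_suspect(v, incident_start, infected_accounts)),
            None,
        )
        if first_bad is None:
            plan["untouched"].append(path)
        elif first_bad == 0:
            # Every retained version was written by the infected device,
            # so version history cannot help: recover from a backup instead.
            plan["from_backup"].append(path)
        else:
            # Roll back to just before the first suspect write, even if
            # later versions look clean, to stay on the conservative side.
            plan["restore"][path] = ordered[first_bad - 1].label
    return plan


# Constructed sample data for illustration only.
INCIDENT_START = datetime(2017, 5, 12, 9, 30)
INFECTED_ACCOUNTS = {"alice@example.com"}
SAMPLE_HISTORY = {
    "Shared Documents/budget.xlsx": [
        FileVersion("1.0", datetime(2017, 5, 2, 14, 0), "bob@example.com"),
        FileVersion("2.0", datetime(2017, 5, 10, 11, 15), "alice@example.com"),
        FileVersion("3.0", datetime(2017, 5, 12, 9, 41), "alice@example.com"),
    ],
    "Shared Documents/contract.docx": [
        FileVersion("1.0", datetime(2017, 5, 12, 9, 35), "alice@example.com"),
        FileVersion("2.0", datetime(2017, 5, 12, 9, 50), "alice@example.com"),
    ],
    "Shared Documents/minutes.docx": [
        FileVersion("1.0", datetime(2017, 5, 11, 16, 0), "bob@example.com"),
        FileVersion("2.0", datetime(2017, 5, 12, 10, 0), "bob@example.com"),
    ],
    "Shared Documents/plan.pptx": [
        FileVersion("1.0", datetime(2017, 5, 1, 9, 0), "alice@example.com"),
        FileVersion("2.0", datetime(2017, 5, 12, 9, 45), "alice@example.com"),
        FileVersion("3.0", datetime(2017, 5, 12, 9, 46), "alice@example.com"),
    ],
}

if __name__ == "__main__":
    result = plan_recovery(SAMPLE_HISTORY, INCIDENT_START, INFECTED_ACCOUNTS)
    for bucket, items in result.items():
        print(bucket, items)
```

The plan only decides what to roll back; the restore itself is carried out with whatever SharePoint scripting or third-party tool you use, and only after the infected device has stopped syncing.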

What can I do to protect my Office 365 data from infection?

To fully protect your Office 365 data from being affected by a crypto locker virus you would need to disable the ability to sync files and only allow users to access files using ‘Open with Explorer’ but not permit the mapping of SharePoint Online as a network drive.

This would mean that files are always accessed via an https address either through a web browser or file explorer.

Backup Solutions

Backing up data to another service from Office 365 is the only way to empower you to quickly and easily recover files at a granular level and to an alternate location from the original.

There are various options offered by third parties including:

AvePoint

– Cloud 2 Cloud backup

– 1GB of backup storage per user included

– Minimum 3 Year Subscription

– Includes a suite of management and audit tools for managing permissions, structure, content.

– Subscription licensing

SkyKick

– Cloud 2 Cloud backup

– 5GB of backup storage per user included

– Subscription licensing

CloudAlly

– Cloud 2 Cloud backup

– Unlimited retention

– No minimum subscription

– Subscription licensing

Metalogix

– Cloud 2 on-premises backup while maintaining file formats/file level access

– Requires setup and Infrastructure to run the software

– Perpetual licence

– Support cost is optional

After the WannaCry Cyber attacks on the NHS, cyber security has been on all of our minds. That’s why we’re offering a free cyber security health check to help inform the important decisions about your IT system. Click here or below to find out more.

Six reasons why cyber crime is increasing, and what you can do about it

There is a disconnect between Security and Operations within many companies, which can lead to a ‘SecOps Gap’.

In turn, this lack of coordination can lead to a loss of revenue, increased costs, and damage to a company’s brand, as well as the failure to meet regulatory requirements and big fines.


The 6 key reasons that cyber crime is increasing are:

  1. The cost of data breaches continues to rise, having increased 29% to an average of $4 million per incident.
  2. Breaches caused via mobile devices.
  3. Malware embedded in legitimate applications, targeting poorly secured Wi-fi spots, stealing passwords, and more in their quest to steal information.
  4. Unauthorised products with weak security controls in the corporate cloud.
  5. Zombie servers.
  6. Known vulnerabilities that are not patched in time. 

What can you do to protect your organisation from cyber crime?

We recommend focusing on the following areas:

Security architecture: Do you know where your weak spots are? Penetration testing will help you understand where your vulnerabilities are, then deploy the right solutions to protect your network.

Vulnerability management: In an ever-changing threat landscape you can’t afford to stand still. Ongoing vulnerability management services keep pace with new threats and identify new vulnerabilities so you can deploy appropriate solutions, or modify information security policies and procedures.

Identity & Access Management (IAM): Manage access levels and block hackers & unauthorised login attempts with a robust IAM strategy and the right tools to ensure your users can get on with work, without compromising security.

If you’re concerned about cyber security threats and the impact they could have on your organisation, book a free cyber security health check with our expert team.


What is ISO 27001 and why should you get certified?

ISO 27001 is a framework for managing IT security. Whilst it doesn’t sound exciting, ISO 27001, known under its full title as ISO/IEC 27001: 2013, is an information security management system (ISMS) that helps keep consumer data safe in the private and public sector.

ISO 27001 has been around a while, superseding the original ISMS compliance framework that came into effect in 2005. This was updated in 2013, to reflect the changing nature of IT security and new threats against organisations and consumers.

Background to ISO 27001

Protecting data, passwords and computer services is more important than ever, with everything from banking to vital infrastructure connected to the internet and vulnerable to cyber attacks. Over the last few years, attacks have increased in complexity and frequency, exposing millions of people and businesses to security breaches, theft and fraud.

ISO 27001: 2013 was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.” It was established, implemented and monitored jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), under a joint subcommittee.

Despite ISO 27001 focusing on information security, this is a platform/technology neutral framework, designed around how organisations manage IT risks and systems.

There are seven areas that companies need to manage, to achieve ISO 27001 compliance.

  1. Context of an organisation

ISO 27001 does not take place in isolation. Start with internal considerations: your organisation’s mission, values, products/services, sector, financial and human resources. Think about stakeholders, internal capabilities, culture and contracts, and then consider how external conditions, trends and customers could impact what you hope to achieve when designing an information security system.

With a 360 view of an organisation in place, you can determine an ISMS scope document, the boundaries of these policies (including considering the impact of the bring your own device – BYOD – trend) and write ISMS policies following ISO 27001 standards.

  2. Leadership

Organisations need to show they are committed to ISO 27001 from the top down. Policies need to be established and become an integral part of how IT is managed, with a security policy communicated to the whole team. This needs to support security objectives, with clear management responsibility for these policies.

  3. Planning

Planning for ISO 27001 involves assessing risks and opportunities that could impact IT security, both internally and externally. Risk assessments should be conducted: identifying, analysing, evaluating and prioritising the threats to an organisation. Once risks have been identified, a treatment process is required to ensure you can handle threats if/when they strike.

  4. Support

ISO 27001 needs resources for successful implementation. Budgets need to be allocated and staff fully trained and competent when it comes to delivering within the framework of the security objectives and policies. These should always be in line with the threats facing an organisation. Small businesses don’t have the same risk matrix as large government departments: design your security policies according to your internal and external threats.

  5. Operational planning & processes

Successful implementation of ISO 27001 involves embedding operational processes within an organisation. This involves risk assessments, treatment plans and documenting the results of security policies.

  6. Evaluation process

Effective information security involves constant monitoring, measuring, analysing and evaluating the impact of IT policies. To achieve ISO certification, this should include audits and reviews at planned intervals.

  7. Improvements

Even companies with ISO certification will encounter situations where they fail to meet standards. When this happens, they need to assess what went wrong and how to take corrective actions. This may mean going back to the policies, resources and monitoring systems to ensure corrective action isn’t needed in the future.

Why get accredited?

Not only is ISO 27001 compliance valuable for large organisations and the public sector, but when dealing with third-party suppliers, such as IT companies, these standards mean your customers’ data is safe in their hands. This establishes a higher trust rating between organisations of different sizes since IT infrastructure will carry the same security requirements, making it easier to transfer and store sensitive information.

Innovation

Accreditation can also help you innovate. We helped Experian Data Quality achieve ISO 27001 so the company could expand its product range. Accreditation is a vital part of product development for its leading international address management software. Learn more here >

Differentiation

ISO 27001 is helping other organisations compete and differentiate in the marketplace. Leading specialist recruitment and human resources service provider, Reed Managed Services, wanted to demonstrate to their clients, employees and temporaries that they take IT data seriously and manage it using international best practice. When they achieved ISO 27001 with our help, they were the only recruitment company to have the accreditation. Read the case study here >

Win more business

Businesses and organisations that want to work with government departments and agencies increasingly find that ISO 27001 is a standard requirement for doing business. Our customer Mouchel, a consulting and business services group, needed to achieve ISO 27001 in order to pick up government infrastructure projects. Find out how we helped them with rapid certification here >

Typically achieving ISO 27001 takes up to 18 months but we’ve helped organisations get accredited much faster. Experian Data Quality were accredited in a record 3 months.

“Within just 60 days of consultancy, we passed the BSI inspection first time. I believe that this was achieved so quickly because Cloud Business committed 50% of its time to gain a complete understanding of how our business worked.”

Warwick Taylor, Experian Data Quality IT Manager

If you would like to find out more about how we can help you achieve ISO 27001 please get in touch. Book a discovery call below or contact us here >

Cloud Business Limited
8 North Street
Guildford
GU1 4AF

2023 © Cloud Business Limited
Registered Company in England and Wales 06798438