Success stories

Our customers come in all shapes and sizes.

We work with organisations from all walks of life, with different ambitions and requirements. Explore how we’ve helped them reimagine everyday, and align technology with their culture and business goals.

Digital transformation in legal – 5 steps to embrace change

Digital transformation in legal is a significant paradigm shift. To learn how to embrace change and get the benefits of transformation, read our blog.
View case study >

We are ISO 27001 accredited!

Cloud Business has recently secured ISO 27001 accreditation. Find out more about this standard and the benefits to our customers in this article.
View case study >

Data backup: are you backing up and protecting your business’s data correctly?

How does your business back up its data? There are many risks to a business’s data and not all data backup solutions are equal.
View case study >

Cost of a data breach to UK businesses

What is the cost of a data breach for UK businesses, and how can you calculate the cost for your business? Read this blog to find out.
View case study >

Our key cloud technology predictions for 2021

The pandemic has created a challenging and threatening environment for businesses over the last year. Perhaps a silver lining to a bleak 2020 was that many teams were forced to modernise their IT practices in order to remain buoyant. With mass adoption of cloud technology to enable flexible working, and an unprecedented surge in AI and machine learning, it feels like the future cloud-first era has arrived early. In 2021, however, there are still plenty of ways that cloud technology can evolve. Its explosive growth is unlikely to slow any time soon, and companies will continue to provide innovative offerings to the demanding market. Here are our five predictions for the evolution of cloud technology throughout this year. 5 cloud technology predications 1. Public cloud will increase in dominance Public cloud adoption has increased by 83% since 2010, and Forester research predicts a 35% growth in 2021 alone, as organisations look to utilise its productivity advantages to recover from the ongoing pandemic. SMEs will benefit greatly from public cloud. After a period of rapid digital transformation due to Covid-19, many will be looking to capitalise on their investments and take greater advantage of the valuable tools it can offer. 2. Microsoft will strengthen its position amongst the ‘big three’ cloud providers While Microsoft Azure isn’t experiencing the same revenue spike as it did in the early 2010’s, analysts still believe it’s growing faster than main competitor AWS. This year, researchers expect Microsoft to exceed $25 billion in Azure revenue alone; maintaining strong year on year growth. According to Gartner, Microsoft’s ability to provide “a complete end-to-end set of solutions related to a broad range of workloads and applications” is a one reason Azure is so popular. Microsoft have also focused a lot on developing strategic alignments with major European enterprises, so is well-poised for further expansion. 3. The intelligent technology boom will trigger a demand for cloud-to-edge applications As mentioned, the pandemic has marked a rise in AI, robotics, IoT, and autonomy as businesses look to both reduce human contact and make up for lost productivity. With major benefits to be enjoyed, it’s unlikely businesses will ever switch back to manual processes – even when social distancing is no longer required. Microsoft’s latest IoT report reveals that 64% of companies’ decision makers believe AI and IoT are critical to their success. As a result, cloud providers will see more demand for ‘intelligent edge’ workloads. Automation is driven by data, which must be collected, processed and analysed efficiently. According to Microsoft’s insights, its ‘edge computing’ offerings are valued by businesses for their ability to enable more connectivity via protocol translation, reduce the internet bandwidth burden, and improve privacy. 4. Data governance will be a key focus for IT managers The effects of the pandemic and a general increase in cloud utilisation is creating a world in which IT departments will have to put governance and compliance first every time. Many businesses are already undergoing projects to ensure secure and compliant data migration to the cloud, and this will continue in 2021. However, some analysts also predict that there will be changes to data regulations around the world. Following the EU’s GDPR, a Privacera analyst predicts governments will look to provide individuals with more control over their personal information. The analyst further predicts that compliance tools, such as Microsoft Compliance Manager, are likely to play a more central role in businesses security protocols. 5. Augmented reality will support training and enablement of remote employees The benefits of mixed and augmented reality have been proven since the upturn in remote working. Increasingly, augmented reality technologies will supplement or even replace in-person training, especially in the IT sector. Microsoft’s Remote Assist app provides a first-person view to instructors who will be able to walk new hires through step-by-step training with visual aids. The addition of Windows Autopilot can provide further support. IT professionals can easily pre-configure HoloLens 2 headsets via zero-touch tools and ensure the end-user doesn’t need to perform a complex setup process. Mixed reality headsets can help workers far beyond just training – users can preview products, plan architectural builds, and create virtual experiences for consumers. While predictions aren’t always reality where technology is concerned, the technologies mentioned have been growing in prominence since before the pandemic. Unsurprisingly, all of these predictions will build on lessons learnt throughout 2020 – that flexibility is advantageous, effective communication is key, and data needs protecting now more than ever. Developing technological trends can be difficult for businesses to decipher and respond to, so we are here to support you in understanding which technologies and processes could be key to your business development this year.
View case study >

GDPR Assessment and Data Discovery Service

Cloud Business is pleased to announce the launch of our new Data Privacy and Compliance Service powered by eSpyder. We have been working with eSpyder for several years on a GDPR assessment and data discovery service to meet demand from our customer base. During this time we have been refining the service to help companies ultimately gain a competitive advantage through effective data privacy compliance. GDPR Compliance Platform Cloud Business and eSpyder’s GDPR Compliance Platform has been developed to support Data Processing Officers (DPOs) and ensure company compliance with GDPR regulations and global data privacy legislation. Our service includes: Data discovery & review GDPR compliance assessment & implementation Automated monthly data discovery & reporting Our GDPR assessment and data discovery service also ensures your DPO can respond to Data Subject Access Requests (DSARs) quickly and easily, tracking progress and reducing the cost of compliance. Typically, when a DPO receives a DSAR it’s the IT team that needs to locate PII, which is why our service provides a solution both for DPOs, CTOs and IT Directors and Managers. eSpyder is a system, platform and device agnostic solution that integrates into existing IT environments with no need for additional server infrastructure. It will scan PCs, laptops, data servers (cloud and on premise) regardless of location and get visibility to what data resides in each system or datastore. Click here for further details about the service > Or get in touch if you would like to discuss your IT environment in more detail.
View case study >

Do you really know where your sensitive data (PII) resides?

Last month we ‘celebrated’ the anniversary of GDPR legislation becoming legally enforceable. 2 years on, a lot has happened. Some of which, as our guest blogger Tim Dunn explains below, may have distracted some organisations from gaining real visibility over their sensitive data and PII. As you’ve probably heard before, GDPR compliance is a journey not a destination. There is no magic button that can be clicked to make your organisation 100% compliant. However, as Tim discusses below, going on that journey and taking the steps he outlines in the GDPR compliance maturity model, can deliver significant benefits over and above compliance. Read on to find out more about these benefits and the steps to take to gain visibility of PII and your organisation’s sensitive data. The General Data Protection Regulation (GDPR) came into force in May 2018. In the subsequent 2 years UK companies have not only had to ensure they are compliant with GDPR, but also prepare for Brexit and more recently adapt their businesses to working under Covid-19 restrictions.  It’s fair to say that many organisations of all sizes were not ready to manage their obligations under GDPR by the May 25th 2018 deadline and whilst most companies reviewed their data processing policies and business processes, there was still a huge challenge in terms of identifying where Personally Identifiable Information (PII) resided in their systems. Which limited the effectiveness of the compliance measures they were trying to establish. Furthermore, a majority of companies still struggle to track and protect PII on an on-going basis.  Common barriers to gaining visibility of PII One major barrier to gaining visibility to sensitive data is that there are a myriad of IT and business systems with their own individual data stores. Also, many users transfer data to their local machines from secure corporate data stores, often with the best intentions of working efficiently offline or from remote locations such as their homes.    Another major challenge is that the Data Owners and Data Protection Officer (DPO) are typically business executives rather than IT. Whilst they are the people who need to ask questions of what Data is being held and where, for example in response to a Data Subject Access Request (DSAR), they are wholly reliant on IT staff to provide the results. This is costly and time-consuming for both the business stakeholders and the IT department. It also significantly hampers business agility, which has been crucial for companies in the current Covid-19 crisis where businesses had to develop new business practices to continue trading.   GDPR compliance: 4 steps to maturity Understanding with confidence where the companies’ sensitive data is stored and who can access it, is the foundation and starting point for an effective Data Protection capability. When adopting a maturity model as below, you cannot progress beyond level 1 without completing the initial discovery and then implementing an ongoing tracking and search capability.  Once a company knows where their data resides and can ensure it is appropriately controlled and protected, they will gain significant business benefits beyond just GDPR compliance.  It greatly reduces costs associated with managing data protection and management.  It saves time and limits the resource required to gain visibility and control over data.  It increases business agility through both the time-savings and the reduction of risk in implementing new business models and services.  Improves customer service and brand reputation through rapid responsiveness to DSARs and demonstrable care and respect for customer’s data and privacy.  If you would like support understanding where your business’s sensitive data resides, please get in touch with our team.    About Tim Dunn    Tim has been in the software industry for the past 30 years, with the last 20 years spent specialising in the Cyber Security and Data Protection arena. He is a trusted advisor for many global organisations on Data Privacy and Cyber Security technologies.   As well as managing a number of successful start-ups, Tim also managed the UK for Baltimore Technologies a major Security Software Vendor, CA Technologies and BMC Software’s Security Businesses across EMEA.    In 2017, Tim co-founded eSpyder with Thomas Zell and Jason Coleman to support Data Processing Officers (DPOs) in their role of ensuring company compliance with the GDPR and regional data protection legislation.    eSpyder has been designed from the ground up providing DPOs with the tools to respond to Data Subject Access Requests (DSARs) quickly and easily. It also allows users to track progress in terms of DSARs processing and corporate data storage and retention. Designed to be invisible and seamless for users, but fully configurable for administrators and GDPR consultants. eSpyder is able to rapidly identify Personal Identifiable Information across a customers’ estate no matter if on servers, clients, visible or hidden, remote or on premise.   The Cloud Business’s GDPR Compliance Platform is based on the industry leading eSpyder Enterprise PII identification engine. 
View case study >
data subject access requests

A to Z of GDPR Data Subject Access Requests (DSARs)

Data Subject Access Requests (DSARs) are on the increase as awareness increases and individuals want to take control of their PII. Read on for advice.
View case study >
remote working and GDPR compliance

Are your remote workers GDPR compliant?

Rapid deployment of remote working to address the Covid-19 crisis has resulted in many B2C businesses failing to meet their own GDPR policies and data protection practices. While the Information Commissioner’s Office (ICO) has stated that it “won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period” However, this extension won’t last forever. Companies need to ensure they know what data they hold and where it resides, on premise and remotely, the pandemic is not an excuse for non-compliance.  As DPOs and CIOs retro-fit GDPR tools to a remote environment, we asked Tim Dunn, CEO of eSpyder, for his insights into the current conditions. In the interview below he talks through the challenges of data privacy compliance with a remote workforce and how to ensure your businesses and your Personal Identifiable Information (PII) are protected.   To learn more about effective data privacy compliance, and what’s required to achieve it, download our guide here >  Remote working and GDPR with Tim Dunn from eSpyder  Q: What are the main implications of remote working for GDPR compliance?  Tim Dunn: “There are a number of challenges and implications associated with remote working, particularly in the current climate where these working practices have been implemented under extreme pressure and aggressive timescales. As a result, often the supporting business continuity policies and measures have been inadequate.  “A primary issue is that remote users are outside the boundaries of your internal IT infrastructure and therefore the internal security measures and systems that are in place to protect your employees and corporate data are no longer effective in controlling data access, storage and sharing.  “Also many users are resorting to using their personal PCs and laptops, which typically don’t have the necessary security and controls in place. Fundamentally, many companies are losing visibility and control over the access and storage of critical and sensitive corporate data.  “Now that the immediate goal of “keeping the lights on” has passed, there is a need to ensure that remote working has the same protections, visibility controls as traditional corporate data protection. This way of working will become “business as usual” from now on.”  In your experience, how high on the agenda do you think GDPR high was when organisations started rolling out remote working en masse in early March?  TD: “It is fair to say it was immediately identified as a concern and business risk, but organisations typically continued in the knowledge that they would have to address this as soon as possible.   “Maybe the risk has been underestimated. Fraud and cyber crime have risen sharply during the crisis and personal information is a prime target for fraudsters. It’s a sad fact that fraudsters are often more agile in identifying vulnerabilities and exploiting them than companies are at resolving them.  “Certainly, it should now be priority number one for any organisation.”  What percentage of B2C companies do you think had a remote working policy that included GDPR prior to lockdown?  TD: “That’s difficult to quantify, but certainly a large majority of businesses had to move very quickly to move from office–based environments such as call centres to home based workers providing the same business functions. Even where policies existed (which they often don’t), they were not necessarily implemented.”  Q: A critical part of data privacy compliance is ensuring employees understand their responsibilities, do you think employees in general understand the implications of remote working and GDPR?  TD: “Understandably no. Many employees do not appreciate the risks and appropriate working practices. Training in protecting data has not been undertaken by many companies since national lockdowns started. This is compounded by the fact that fraudsters are very sophisticated and do understand how to exploit the deficiencies in business practices and the IT systems underpinning them.”  For advice on achieving effective data privacy compliance, download our free guide >  Q: In your opinion has this changed over the last 10 weeks? Has awareness increased, are staff being given the tools to protect Personally Identifiable Information (PII) and sensitive data like a company’s IP?  TD: “The picture is mixed, though in general companies are behind the curve in terms of addressing effective data protection under remote working conditions. One of the main issues was that many companies didn’t know what personal information was held on employees’ machines before the crisis, so now that those machines are outside the protection of the corporate network, there was a potential immediate risk, which has grown as data is being accessed and stored remotely.”  Q: Do personal devices present a bigger problem than corporate laptops and desktops?  TD: “Probably yes. Some companies support “bring your own device” (BYOD) and have policies and technology in place to protect the personal device. However, many companies are using both corporate machines and personal devices whilst at home and sharing data across both. This is typically against corporate policy, but not enforced effectively.”  Q: Is it just company PII that’s impacted by remote working, what about other data which employees may be storing on their personal devices?  TD: “There are various types of sensitive and commercially valuable data that may be at risk. For example, trade secrets, internally confidential communications and financial data.  “There are also other regulatory requirements such as the storage of Card Payment Data (PCI DSS) which need to be enforced.”  Q: We’ve heard of some organisations deploying monitoring software to track how employees use work laptops and devices to protect against misuse. Is this an option you would recommend? What about the employees’ right to privacy?  TD: “I think it is reasonable to protect company information and IT assets, indeed there is a regulatory duty to do so for data such as PII. If you allow people to use their own machines, then ensuring that sensitive data is protected on that machine is fair. Ring fencing a work area on the machine is one way to ensure boundaries of privacy.  “As much as possible, without compromising data protection, it is preferable to adopt a “Trust, but Verify” approach to monitoring data storage and sharing. At the end of the day though, the company is liable for any data breach and the associated penalties. These will be severe if the appropriate controls weren’t in place.”  Q: Have you seen any trends in terms of the kind of data that is being accessed remotely in a non-compliant way? Is this a problem for specific departments within a company?  TD: “It’s a little early to highlight trends, but sales, marketing, customer support and finance teams are all working from home and require access to sensitive data. Whilst many of the supporting business systems maybe cloud based, such as the CRM, Service Desk Solution or ERP, users are often exporting data locally to review and manage.”  Q: It’s been reported that some companies are seeing an increase in DSARs
View case study >

BYOD risks, and how to mitigate against them

What are the BYOD risks and how can you increase mobility while protecting your people, organisation and data? Find out here.
View case study >

What is ISO 27001 and why should you get certified?

ISO 27001 is a framework for managing IT security. Whilst it doesn’t sound exciting, ISO 27001, known under its full title as ISO/IEC 27001: 2013, is an information security management system (ISMS) that helps keep consumer data safe in the private and public sector. ISO 27001 has been around a while, superseding the original ISMS compliance framework that came into effect in 2005. This was updated in 2013, to reflect the changing nature of IT security and new threats against organisations and consumers. Background to ISO 27001 Protecting data, passwords and computer services are more important than ever, with everything from banking to vital infrastructure connected to the internet and vulnerable to cyber attacks. Over the last few years, attacks have increased in complexity and frequency, exposing millions of people and businesses to security breaches, theft and fraud. ISO 27001: 2013 was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.” It was established, implemented and monitored jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), under a joint subcommittee. Despite ISO 27001 focusing on information security, this is a platform/technology neutral framework, designed around how organisation’s manage IT risks and systems. There are seven areas that companies need to manage, to achieve ISO 27001 compliance. Context of an organisation ISO 27001 does not take place in isolation. Start with internal considerations: your organisation’s mission, values, products/services, sector, financial and human resources. Think about stakeholders, internal capabilities, culture, contracts, and then consider how external conditions, trends and customers could impact what you hope to achieve when designed an information security system. With a 360 view of an organisation in place, you can determine an ISMS scope document, the boundaries of these policies (including considering the impact of the bring your own device – BYOD – trend) and write ISMS policies following ISO 27001 standards. Leadership Organisation’s need to show they are committed to an ISO 27001 from the top-down. Policies need to be established and become an integral part of how IT is managed, with a security policy communicated to the whole team. This needs to support security objectives, with clear management responsibility for these policies. Planning Planning an ISO 27001 involves assessing risks and opportunities that could impact IT security, both internally and externally. Risk assessments should be conducted: identifying, analysing, evaluating and prioritising the threats to an organisation. Once risks have been identified, a treatment process is required; to ensure you can handle threats if/when they strike. Support ISO 27001 need resources for successful implementation. Budgets need to be allocated and staff fully trained and competent when it comes to delivering within the framework of the security objectives and policies. These should always be in line with the threats facing an organisation. Small businesses don’t have the same risk matrix as large government departments: design your security policies according to your internal and external threats. Operational planning & processes Successful implementation of ISO 27001 involves embedding operational processes within an organisation. This involves risk assessments, treatment plans and documenting the results of security policies. Evaluation process Effective information security involves constant monitoring, measuring, analysing and evaluating the impact of IT policies. To achieve ISO certification, this should include audits and reviews at planned intervals. Improvements Even companies with ISO certification will encounter situations where they fail to meet standards. When this happens, they need to assess what went wrong and how to take corrective actions. This may mean going back to the policies, resources and monitoring systems to ensure corrective action isn’t needed in the future. Why get accredited? Not only is ISO 27001 compliance valuable for large organisation’s and the public sector, but when dealing with third-party suppliers, such as IT companies, these standards mean your customer’s data is safe in their hands. This establishes a higher trust rating between organisations of different sizes since IT infrastructure will carry the same security requirements, making it easier to transfer and store sensitive information. Innovation Accreditation can also help you innovate. We helped Experian Data Quality achieve ISO 27001 so the company could expand its product range. Accreditation is a vital part of product development for its leading international address management software. Learn more here > Differentiation ISO 27001 is helping other organisations compete and differentiate in the marketplace. Leading specialist recruitment and human resources service provider, Reed Managed Services, wanted to demonstrate to their clients, employees and temporaries that they take IT data seriously and manage it using international best practice. When they achieved ISO 27001 with our help, they were the only recruitment company to have the accreditation. Read the case study here > Win more business Businesses and organisations that want to work with government departments and agencies, increasingly find that ISO 27001 is a standard requirement for doing business. Our customer Mouchel, a consulting and business services group, needed to achieve ISO 27001 in order to pick up government infrastructure projects. Find out how we helped them with rapid certification here > Typically achieving ISO 27001 takes up to 18 months but we’ve helped organisations get accredited much faster. Experian Data Quality were accredited in a record 3 months. “Within just 60 days of consultancy, we passed the BSI inspection first time. I believe that this was achieved so quickly because Cloud Business committed 50% of its time to gain a complete understanding of how our business worked.” Warwick Taylor, Experian Data Quality IT Manager If you would like to find out more about how we can help you achieve ISO 27001 please get in touch. Book a discovery call below or contact us here >
View case study >

Digital transformation in legal – 5 steps to embrace change

Digital transformation in legal is a significant paradigm shift. It is impacting legal counsels both within the corporate world as well as at law firms, and management consultants have made a tidy practice of it. Practically speaking, you can barely open a business or legal publication without finding a headline that discusses embracing digital.

General counsel, in-house legal departments, and contract teams are not immune to the business paradigm. Digitisation continues to take hold of all aspects of the consumer and corporate life. When this happens in the legal industry, embrace the change. On a broad stroke, it is easy to state. But is this really the case? Below is our 5 step guide to help you.

Explore CB Legal for in-house legal teams and law firms. Click here >

1. Incremental change – not big bang

There are many different approaches to tackling digital transformation in legal departments. However, from our experience, in-house legal teams that take an incremental approach are more likely to succeed with their initiatives.

Nobody said that change management is easy. Digital technologies bring a significant improvement in cost-effectiveness to many traditional functions. It has to be applied with a sound strategy of a step-by-step approach that doesn’t leave your people behind. In fact, your people are the most important aspect of ensuring the change takes root. In this light, adjusting your corporate culture is among the greatest challenges. Digital technologies bring improvement to cost-effectiveness.

Taking a “land and expand” approach means that changes are made progressively. Lessons are learned along the way and the culture can also adapt along the way.

2. Out-of-the-box, not bespoke

When you think about digital transformation in legal, too many people immediately think about custom coded projects. Upon choosing a legal technology product, think along the lines of getting up and running out-of-the-box (OOTB). Whether it is a legal artificial intelligence system or a specialised application, bespoke invariably delays projects. It adds costs. Worse yet, it increases the risk of failure.

A major tip to remember is to avoid the temptation to go down a bespoke route. It is better to deploy an OOTB digital system, use it and learn it’s capabilities. Then configure and adapt it to your own new need. After that, consider whether the solution is good enough for your requirements. In many cases, you will discover that the initial reaction to customise the solution was simply not needed. Usually, the digital product provides for all user needs without incurring additional costs, deployment time, and headaches.

3. Find internal champions

Digital transformation in legal teams and corporations involves people. Specifically, it means gaining momentum within the organisation through user adoption. This is true of any initiative, whether it is bringing on new legal services, machine learning analytics, or new contract management technology. At Cloud Business, we find that an industry best practice is to appoint user/product champions.

Champions are well-recognised employees who are respected internally. They know the existing systems and standard processes used by your organisation. They also become the voice of the product and socialise its benefits within the employee groups and legal teams. 

Establish goals your team can make to achieve one KPI using the new system. Cultivating these champions are important as they become your key drivers of behaviour change. Through their influence, respect, and ground-floor knowledge; they help adapt to the organisation and culture. Embracing digital becomes less of a stress and burden. Rather, with the help of the champions, it becomes an opportunity for success.

4. It’s about the business outcomes

Don’t get trapped in the details of features and the functionality of your new digital system. Yes, these are great. They may even be strides ahead of your old methods. Instead, keep the conversations focused on the business outcomes that your team and company set out to achieve. At every opportunity, establish goals your team can make for your team to achieve one project or KPI (key performance indicator), using the new system.

As an example, with a new contract management system, you should first find out how the analytics work. Then, set a goal that for the next executive meeting where the legal contracts team will run a discovery phase. Finally, provide the general counsel with a report with statistics about your typical contract financial expectations.

5. Setting realistic benchmarks

Although it is tempting, don’t give in to set excessively ambitious targets. Setting a return on investment (ROI) benchmark is a good thing but setting the bar too high can only demoralise your team. Remember, digital transformation in legal is as much about shifting a cultural mindset as it is introducing new processes, ways of working, and new technology systems.

Instead, think through what you should reasonably expect within the next six, twelve and even twenty-four months. Engender a willingness to experiment. Do this by being willing to forgive the occasional miss on your targets. After all, if you hit all your ROI goals and KPI targets, then you simply did not set realistically aggressive-enough goals.

Ultimately, it comes down to supporting your in-house legal team’s long-term success. Keep the team motivated and focused on pursuing excellence. Digital transformation in legal is all about a shift in mindset, a goal-oriented team, and building a culture of success.

Feel free to connect with us at Cloud Business to discuss how we can help you on your journey of digital transformation in legal, specific to contract management.

We are ISO 27001 accredited!

Breaking news at Cloud Business HQ. We’re delighted to announce that we’ve secured ISO 27001 certification after many months of hard work by the team. Regular readers of our blog will know that we take information security very seriously – we regularly feature information security issues here – ISO 27001 is another step in demonstrating this and ensuring best practice.

What is ISO 27001?

This is an international recognised best practice standard for information security, and is highly relevant for those organisations like us working in the IT sector where the protection of information is critical.

It’s also highly appropriate for organisations that manage high volumes of data and information on behalf of clients, such as in datacentres, making it even more relevant to Managed Service Providers like ourselves.

The main objective of the ISO 27001 standard is to establish and maintain an effective Information Security Management System (ISMS), using a continual improvement approach. The standard requires that we systematically examine any risks to the organisation’s information security and put in place comprehensive policies to manage those risks of which we have control over.

ISO 27001 is a proactive approach to managing risk and securing data and information, planning ahead and pre-empting threats rather than reacting to threats when they happen.

In demonstrating that we comply with this standard, Cloud Business has designed and implemented a set of controls and measures to manage any threats to data and information assets, as well as refining existing systems to comply with standards. Going forward we will maintain and continually improve these as new threats emerge and new solutions and systems are developed.

The benefits to our clients are:

  • ISO 27001 increases the security of their confidential information,
  • It gives clients and stakeholders confidence that we are managing risk,
  • It improves the secure exchange of information internally and externally,
  • It helps our clients comply with regulations impacting on their business,
  • It improves the consistency of the delivery of our service to our clients,
  • It manages and minimises risk exposure for clients and ourselves,
  • It builds a culture of security within Cloud Business that will also be communicated to our clients through our day-to-day contact with them.

What happens next?

Having achieved ISO 27001 we now have to maintain it and part of this is the continual improvement element. This means we will be regularly reviewing our information security management system and updating our controls and measures as appropriate. We will also undergo regular surveillance audits by the Certification Body, as well as a full audit every 3 years.

While our ISO 27001 certification will benefit your business, if you work with us, you may also be interested in achieving this certification yourselves. We have helped other organisations, such as Experian Data Quality, achieve ISO 27001. You can read a case study on this ISO 27001 project here >

Data backup: are you backing up and protecting your business’s data correctly?

Your data is one of your business’s most important assets. Without it your business wouldn’t be unable to operate. Most companies have a disaster recovery plan in place to protect its data, however 23% of businesses have never tested their plans. 

Business data is at risk from various threats, so it is important  to test and reassess your disaster recovery plans regularly to limit data loss. The backbone to any disaster recovery plan is proper data backup, in this article we will discuss the risks to your business’s data and how to ensure your backups effectively support your disaster recovery plan.

What is your organisation’s current Cyber Security Posture? To understand what risks to prioritise and where your vulnerabilities are, explore the benefits of a Cyber Security Posture Assessment here >

Key risks to a business’s data

When considering the importance of data backup, first you must consider the common causes of data loss within a business. In the past, the three main risks to data were hardware malfunction, accidental deletion and natural disasters. 

  1. Hardware malfunction is when a storage device ceases to work, this is most common in disk drives where the disk or the arm fails causing data to be lost. 
  2. Human error is a common cause of data loss, this occurs when employees permanently delete or overwrite critical data. 
  3. Physical disasters are not as common, however fire, floods and other natural disasters pose a risk to on-premises and off-premises data storage locations. 

Whilst these risks are remain relevant in 2021, in the past 5 years the most prominent risks to data have been cybersecurity incidents. 

This includes the rise of ransomware attacks and system breaches leading to data loss. With the prevalence of these attacks, it is no longer a case of ‘if’ a business will fall victim to an attack, it is ‘when’. For this reason, businesses should have a comprehensive backup plan in place to ensure business continuity when these incidents happen.

Types of backup storage

The simplest form of backup is data backup to local disks. This is where data is regularly backed up to another drive on a PC or to an external hard drive. Although this is a fast and convenient method of backup, it offers no protection against a natural disaster, or a ransomware attack if it is stored on the local drive. Depending on the amount of data and employees, this solution is often not suitable for large environments.

One of the most common form of backup storage is data backup to NAS. A NAS or Network Attached Storage is a network device that allows all users connected to the network to access and backup their data. As data is regularly backed up it can be quickly recovered in the event of a cybersecurity incident or accidental deletion. The main downside to this data storage method is, as it is on-premises it offers no protection to natural disasters.

To overcome the risk of natural disasters, at least one copy of data should be stored off-premises. A traditional method of off-premises storage is data backup to tapes. This is where data is stored on tape devices over 100 miles away from the business location. This enables business continuity if there is a data loss incident or natural disaster at the business location, however the time to recover is increased as the tapes need to be collected or shipped from the off-premises storage location.

The modern equivalent of tape storage is data backup to cloud storage. This has all the benefits of tape storage but can be quickly accessed to avoid downtime within a business. It is also a more flexible solution as it does not require any additional infrastructure within a business.

Data backup best practices

The traditional backup best practice is the 3-2-1 rule. This states that business should keep copies of all data, this includes one primary copy and at least 2 backups, copies of data should be on at least types of storage and copy of the data should be stored off-premises. Although this method is still effective, with businesses undergoing a digital transformation, the advent of cloud technologies and the ever-evolving cyber security threat landscape, this rule is being superseded by the 3-2-2 rule.

The 3-2-2 rule states that a business should keep copies of all data, one primary, a synced version through One Drive for Business and a cloud copy. The data should be stored on 2 different clouds. This means that the data is stored in off-premises locations for maximum redundancy. Moving to this rule allows for faster recovery from a data loss incident and easy access of all necessary data, regardless of where employees are working.

Backup software solutions

For a business to ensure that backups are completed regularly and effectively, a software solution should be in place to limit downtime after an incident and ensure business continuity. Look for solutions that combine backup, recovery, protection management and cyber security. Full-image and file-level backups should be completed regularly and stored in the cloud or on a NAS. Data backup solutions that deploy cyber security tools like AI-based behavioural detection for zero-day attack prevention and built in ransomware recovery, gives you an additional level of protection from cyber threats too.

To find out more about data backup and how to protect your business from cyber security threats, speak to our team >

Cost of a data breach to UK businesses

Data protection is at the forefront of most CEOs minds this year as the inevitability of a data breach has become very much a reality for most organisations. While many public data breaches appear to be predominately in the US, we can’t afford to be complacent here in the UK.

The infamous data breach at TalkTalk in 2015 (actually the second that year, if not the third) certainly caused many people to wake up to this reality, not least after TalkTalk revealed that the cost of the October data breach amounts to £60 million. For a company with projected earnings before interest, tax and other items for the year ending in March of £255-£265m, and a dividend increase of 15%, this is not an insignificant amount.

Consider what it would mean to your business to have approximately a quarter of your income wiped out by a data breach. While we don’t know the breakdown of where the £60 million has been spent, we have a good idea of the costs a data breach incurs.

Stay safe by understanding current threats and your organisation’s risk level, explore our Cyber Security Posture Assessment here >

Calculating the cost of a data breach

The following factors can all contribute to the overall cost of a data breach. Although the average total cost of a data breach has risen year on year, £2.37 million based on the Ponemon Institute’s most recent benchmarking report, 2015 Cost of Data Breach Study: United Kingdom, where this money is spent as a percentage of the overall total has remained fairly stable.

  • Lost Customer Business: 43%* TalkTalk estimated they lost 101,000 customers following the October hack, but other estimates put this figure closer to 250,000.
  • Investigation and forensics: 16%*
  • Customer acquisition cost: 9%*
  • Inbound contact costs: 8%*
  • Outbound contact costs: 7%*
  • Audit and consulting services: 5%*
  • Public relations and communications costs: 3%*
  • Legal services – defence: 3%*
  • Legal services – compliance: 3%*
  • Free or discounted services: 2%*
  • Credit monitoring services: 1%*

Actual figures will naturally vary depending on the sector an organisation operates in, and the nature of the data breach. For example, ‘lost customer business’ will not be such a significant cost if the data breach only impacts on employee records. However, when looking at these figures CEOs should be aware that they may have higher risks and costs because of the sector they operate in. The table below shows the per capita cost by industry of those benchmarked organisations:

How to reduce the cost of data breaches

It’s not all doom and gloom. While another study by PwC – 2015 Information Security Breaches Survey – commissioned by HM Government, found that 9 out of 10 businesses in their survey had suffered some form of data breach; there are ways to reduce the cost to businesses. The Ponemon Institute study identified the following as factors that can reduce cost of a data breach:

  • Extensive use of encryption: up-to-date data protection methods protect both from malicious attacks and human error,
  • Incident response team: clear systems, procedures and key staff to deal with any data breach ensures that no time is lost addressing the breach and militating against it,
  • BCM involvement: awareness, training and planning for getting business critical systems back up and running in the event of an incident can reduce the costs associated with loss of business significantly,
  • Board-level involvement: sponsorship from the Board will ensure that cyber security and data protection procedures are embedded in the organisation,
  • Employee training: clear guidance and training on how to deal with a data breach, and how to recognise one (as well as prevention training), will result in a swifter and smoother response,
  • CISO appointed: fortunately for any Chief Information Security Officer reading this, your role is an important factor in preventing and reducing the risk and cost of data breaches,
  • Insurance protection: Data breach insurance naturally reduces the overall costs for the organisation, but may also be instrumental in putting better data breach planning in place so that incidents are managed effectively.

So although in all probability most businesses will experience a data security breach at some point, the risk can be managed and therefore the impact on your organisation reduced.

* Percentage of total cost for 2015, 2015 Cost of Data Breach Study: United Kingdom

Our key cloud technology predictions for 2021

The pandemic has created a challenging and threatening environment for businesses over the last year. Perhaps a silver lining to a bleak 2020 was that many teams were forced to modernise their IT practices in order to remain buoyant. With mass adoption of cloud technology to enable flexible working, and an unprecedented surge in AI and machine learning, it feels like the future cloud-first era has arrived early.

In 2021, however, there are still plenty of ways that cloud technology can evolve. Its explosive growth is unlikely to slow any time soon, and companies will continue to provide innovative offerings to the demanding market. Here are our five predictions for the evolution of cloud technology throughout this year.

5 cloud technology predications

1. Public cloud will increase in dominance

Public cloud adoption has increased by 83% since 2010, and Forester research predicts a 35% growth in 2021 alone, as organisations look to utilise its productivity advantages to recover from the ongoing pandemic.

SMEs will benefit greatly from public cloud. After a period of rapid digital transformation due to Covid-19, many will be looking to capitalise on their investments and take greater advantage of the valuable tools it can offer.

2. Microsoft will strengthen its position amongst the ‘big three’ cloud providers

While Microsoft Azure isn’t experiencing the same revenue spike as it did in the early 2010’s, analysts still believe it’s growing faster than main competitor AWS. This year, researchers expect Microsoft to exceed $25 billion in Azure revenue alone; maintaining strong year on year growth.

According to Gartner, Microsoft’s ability to provide “a complete end-to-end set of solutions related to a broad range of workloads and applications” is a one reason Azure is so popular. Microsoft have also focused a lot on developing strategic alignments with major European enterprises, so is well-poised for further expansion.

3. The intelligent technology boom will trigger a demand for cloud-to-edge applications

As mentioned, the pandemic has marked a rise in AI, robotics, IoT, and autonomy as businesses look to both reduce human contact and make up for lost productivity. With major benefits to be enjoyed, it’s unlikely businesses will ever switch back to manual processes – even when social distancing is no longer required. Microsoft’s latest IoT report reveals that 64% of companies’ decision makers believe AI and IoT are critical to their success.

As a result, cloud providers will see more demand for ‘intelligent edge’ workloads. Automation is driven by data, which must be collected, processed and analysed efficiently. According to Microsoft’s insights, its ‘edge computing’ offerings are valued by businesses for their ability to enable more connectivity via protocol translation, reduce the internet bandwidth burden, and improve privacy.

4. Data governance will be a key focus for IT managers

The effects of the pandemic and a general increase in cloud utilisation is creating a world in which IT departments will have to put governance and compliance first every time. Many businesses are already undergoing projects to ensure secure and compliant data migration to the cloud, and this will continue in 2021.

However, some analysts also predict that there will be changes to data regulations around the world. Following the EU’s GDPR, a Privacera analyst predicts governments will look to provide individuals with more control over their personal information. The analyst further predicts that compliance tools, such as Microsoft Compliance Manager, are likely to play a more central role in businesses security protocols.

5. Augmented reality will support training and enablement of remote employees

The benefits of mixed and augmented reality have been proven since the upturn in remote working. Increasingly, augmented reality technologies will supplement or even replace in-person training, especially in the IT sector. Microsoft’s Remote Assist app provides a first-person view to instructors who will be able to walk new hires through step-by-step training with visual aids.

The addition of Windows Autopilot can provide further support. IT professionals can easily pre-configure HoloLens 2 headsets via zero-touch tools and ensure the end-user doesn’t need to perform a complex setup process. Mixed reality headsets can help workers far beyond just training – users can preview products, plan architectural builds, and create virtual experiences for consumers.

While predictions aren’t always reality where technology is concerned, the technologies mentioned have been growing in prominence since before the pandemic. Unsurprisingly, all of these predictions will build on lessons learnt throughout 2020 – that flexibility is advantageous, effective communication is key, and data needs protecting now more than ever.

Developing technological trends can be difficult for businesses to decipher and respond to, so we are here to support you in understanding which technologies and processes could be key to your business development this year.

Book a discovery call advert

GDPR Assessment and Data Discovery Service

Cloud Business is pleased to announce the launch of our new Data Privacy and Compliance Service powered by eSpyder.

We have been working with eSpyder for several years on a GDPR assessment and data discovery service to meet demand from our customer base. During this time we have been refining the service to help companies ultimately gain a competitive advantage through effective data privacy compliance.

GDPR Compliance Platform

Cloud Business and eSpyder’s GDPR Compliance Platform has been developed to support Data Processing Officers (DPOs) and ensure company compliance with GDPR regulations and global data privacy legislation.

Our service includes:

  • Data discovery & review
  • GDPR compliance assessment & implementation
  • Automated monthly data discovery & reporting

Our GDPR assessment and data discovery service also ensures your DPO can respond to Data Subject Access Requests (DSARs) quickly and easily, tracking progress and reducing the cost of compliance. Typically, when a DPO receives a DSAR it’s the IT team that needs to locate PII, which is why our service provides a solution both for DPOs, CTOs and IT Directors and Managers.

eSpyder is a system, platform and device agnostic solution that integrates into existing IT environments with no need for additional server infrastructure. It will scan PCs, laptops, data servers (cloud and on premise) regardless of location and get visibility to what data resides in each system or datastore.

Click here for further details about the service >

Or get in touch if you would like to discuss your IT environment in more detail.

data privacy and compliance service

Do you really know where your sensitive data (PII) resides?

Last month we ‘celebrated’ the anniversary of GDPR legislation becoming legally enforceable. 2 years on, a lot has happened. Some of which, as our guest blogger Tim Dunn explains below, may have distracted some organisations from gaining real visibility over their sensitive data and PII.

As you’ve probably heard before, GDPR compliance is a journey not a destination. There is no magic button that can be clicked to make your organisation 100% compliant. However, as Tim discusses below, going on that journey and taking the steps he outlines in the GDPR compliance maturity model, can deliver significant benefits over and above compliance.

Read on to find out more about these benefits and the steps to take to gain visibility of PII and your organisation’s sensitive data.

The General Data Protection Regulation (GDPR) came into force in May 2018. In the subsequent 2 years UK companies have not only had to ensure they are compliant with GDPR, but also prepare for Brexit and more recently adapt their businesses to working under Covid-19 restrictions. 

It’s fair to say that many organisations of all sizes were not ready to manage their obligations under GDPR by the May 25th 2018 deadline and whilst most companies reviewed their data processing policies and business processes, there was still a huge challenge in terms of identifying where Personally Identifiable Information (PII) resided in their systems. Which limited the effectiveness of the compliance measures they were trying to establish. Furthermore, a majority of companies still struggle to track and protect PII on an on-going basis. 

Common barriers to gaining visibility of PII

One major barrier to gaining visibility to sensitive data is that there are a myriad of IT and business systems with their own individual data stores. Also, many users transfer data to their local machines from secure corporate data stores, often with the best intentions of working efficiently offline or from remote locations such as their homes.   

Another major challenge is that the Data Owners and Data Protection Officer (DPO) are typically business executives rather than IT. Whilst they are the people who need to ask questions of what Data is being held and where, for example in response to a Data Subject Access Request (DSAR), they are wholly reliant on IT staff to provide the results. This is costly and time-consuming for both the business stakeholders and the IT department. It also significantly hampers business agility, which has been crucial for companies in the current Covid-19 crisis where businesses had to develop new business practices to continue trading.  

GDPR compliance: 4 steps to maturity

Understanding with confidence where the companies’ sensitive data is stored and who can access it, is the foundation and starting point for an effective Data Protection capability. When adopting a maturity model as below, you cannot progress beyond level 1 without completing the initial discovery and then implementing an ongoing tracking and search capability. 

GDPR compliance majurity model

Once a company knows where their data resides and can ensure it is appropriately controlled and protected, they will gain significant business benefits beyond just GDPR compliance. 

  • It greatly reduces costs associated with managing data protection and management. 
  • It saves time and limits the resource required to gain visibility and control over data. 
  • It increases business agility through both the time-savings and the reduction of risk in implementing new business models and services. 
  • Improves customer service and brand reputation through rapid responsiveness to DSARs and demonstrable care and respect for customer’s data and privacy. 

If you would like support understanding where your business’s sensitive data resides, please get in touch with our team.   

About Tim Dunn   

tim dunnTim has been in the software industry for the past 30 years, with the last 20 years spent specialising in the Cyber Security and Data Protection arena. He is a trusted advisor for many global organisations on Data Privacy and Cyber Security technologies.  

As well as managing a number of successful start-ups, Tim also managed the UK for Baltimore Technologies a major Security Software Vendor, CA Technologies and BMC Software’s Security Businesses across EMEA.   

In 2017, Tim co-founded eSpyder with Thomas Zell and Jason Coleman to support Data Processing Officers (DPOs) in their role of ensuring company compliance with the GDPR and regional data protection legislation.   

eSpyder has been designed from the ground up providing DPOs with the tools to respond to Data Subject Access Requests (DSARs) quickly and easily. It also allows users to track progress in terms of DSARs processing and corporate data storage and retention. Designed to be invisible and seamless for users, but fully configurable for administrators and GDPR consultants. eSpyder is able to rapidly identify Personal Identifiable Information across a customers’ estate no matter if on servers, clients, visible or hidden, remote or on premise.  

The Cloud Business’s GDPR Compliance Platform is based on the industry leading eSpyder Enterprise PII identification engine. 

data subject access requests

A to Z of GDPR Data Subject Access Requests (DSARs)

Data Subject Access Requests (DSARs) are on the increase. Here’s how A to Z of what they are and how to respond to one.

A key component of the General Data Protection Regulation (GDPR) is the ‘Right of Access’. This is your right, and mine, to obtain a copy of all personal data a company or organisation processes and stores. Individuals have the right to obtain the following: 

  • Confirmation that you (a company or organisation) are processing their personal data,
  • A copy of their personal data, and 
  • Other supplementary information such as the purpose of your data processing (scroll down for a list of supplementary information). 

When an individual wants to request this information, it’s known as Data Subject Access Request or DSAR. You may also see it referred to as a SAR, dropping the ‘data’ although that’s the important bit! 

Why would an individual want to request their data? 

It’s helpful to understand why the right to access is part of GDPR and data privacy legislation, as this can help you explain to business leaders why they need to take DSARs seriously.  

GDPR and the Data Protection Act 2018 (the UK’s implementation of GDPR) updates our data protection legislation for a digital age. It’s very difficult to live in a digital age without sharing your personal information and leaving a data trail wherever you go – both on and offline. 

With so much PII (Personable Identifiable Information) in other people’s hands, it’s only right that individuals have a way to get visibility on what information organisations, businesses and government has on them, and get reassurance that it’s being protected appropriately. 

Since GDPR came in force, awareness has increased amongst the general public too. The Cambridge Analytica scandal has also highlighted what some organisations are doing with this data, as well as other stories that have made the headlines such as the recent EasyJet data breach. As a result, DSARs are on the increase as individuals know what their rights are and are justifiably concerned about data privacy. We’re also seeing a spike in DSARs during the current crisis which could be because people have more time to initiate a subject access request. 

Individuals don’t need to give a reason to submit a DSAR. And the only questions an organisation may ask when a DSAR is submitted are to verify the individual’s identity or for information that will help locate the requested data. 

Download our guide on how to achieve effective data privacy compliance for more advice on GDPR and data discovery >

What do DSARs look like? 

There are no formal guidelines on how an individual instigates a DSAR. They can ask you verbally or in writing. Even if you have developed a DSAR process for individuals, they don’t have to adhere to it. Therefore, you could receive a DSAR via social media, email, messaging app, phone call or by letter. It doesn’t have to be sent to a specific person within the organisation either, such as your DPO. So, an individual could in theory make this request to a member of staff in a store, or your IT support team could receive a DSAR via a chatbot or as a support ticket. 

Companies must comply with a request without undue delay and at the latest within one month of receipt of the request; or (if later) within one month of receipt of receiving any information requested to confirm the subject’s identity, or (in exceptional circumstances) a fee. For this reason, it really is essential that all customer-facing staff understand what a DSAR is and who to escalate a request to so it can be responded to within this strict timeframe. 

Many companies include a form on their website for an individual to complete to submit a DSAR. This can make it easier for you to recognise a DSAR and for the individual to provide the information you need to identify their PII. Recital 59 of the GDPR recommends that organisations ‘provide means for requests to be made electronically, especially where personal data are processed by electronic means’. 

However, providing a form does not override the individual’s right to initiate a data subject access request by other means, and you must make it clear that completing the form is not compulsory or use it as a way to delay your response. 

Fees and Data Subject Access Requests 

In normal circumstances you cannot charge a fee for complying with a DSAR. However, if the request falls under one of these 2 factors a ‘reasonable’ fee to cover administrative costs can be charged: 

  1. The DSAR is manifestly unfounded or excessive; or 
  2. An individual requests further copies of their data following a request. 

In these situations, the 1 month clock starts when you receive payment. Although you must respond promptly to the initial request to inform the individual of the fee. 

8 steps to comply with a DSAR 

The following graphic takes you through the steps from DSAR to handing over the information requested: 

respond to a data subject access request

Supplementary Information 

As well as a copy of their personal data, companies and organisations must also provide individuals with the following information: 

  • The purposes of your processing, 
  • The categories of personal data concerned, 
  • The recipients or categories of recipient you disclose the personal data to, 
  • Your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it, 
  • The existence of their right to request rectification, erasure or restriction or to object to such processing, 
  • The right to lodge a complaint with the ICO or another supervisory authority, 
  • Information about the source of the data, where it was not obtained directly from the individual, 
  • The existence of automated decision-making (including profiling), 
  • The safeguards you provide if you transfer personal data to a third country or international organisation. 

Much of this information may already be included in your privacy notice. 

Is your organisation in good shape to respond appropriately to DSARs? 

For many organisations a DSAR is more of a threat to business than the ICO’s much publicised fines for non-compliance.  

The cost of responding within one month to a DSAR can run into the tens of thousands of pounds if you’re not prepared. Data discovery, especially if you need the support of a consultancy firm, is expensive and time consuming – taking your IT team away from projects and support roles in the race to comply in the one month timeframe. 

There is also an alarming trend in DSARs being ‘weaponsied’ by disgruntled employees to disrupt business, damage companies’ reputations and hit former employers in the pocket. Cases of employment lawyers advising their clients to initiate a DSAR are not unheard of. 

Companies that have the tools and processes in place to respond to DSARs quickly and with the minimum of disruption, and cost, to normal business are at an advantage. No more so than in this challenging time where business as normal looks very different with many employees working remotely and handling PII from their own desktops and devices.  

For advice on achieving effective data privacy compliance, download our free guide below. If you want to discuss any of the subjects touched on in this article with reference to your own IT estate, please get in touch. 

remote working and GDPR compliance

Are your remote workers GDPR compliant?

Rapid deployment of remote working to address the Covid-19 crisis has resulted in many B2C businesses failing to meet their own GDPR policies and data protection practicesWhile the Information Commissioner’s Office (ICO) has stated that it

“won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period”

However, this extension won’t last forever. Companies need to ensure they know what data they hold and where it resideson premise and remotely, the pandemic is not an excuse for non-compliance. 

As DPOs and CIOs retro-fit GDPR tools to a remote environment, we asked Tim Dunn, CEO of eSpyderfor his insights into the current conditions. In the interview below he talks through the challenges odata privacy compliance with a remote workforce and how to ensure your businesses and your Personal Identifiable Information (PII) are protected 

To learn more about effective data privacy complianceand what’s required to achieve it, download our guide here > 

Remote working and GDPR with Tim Dunn from eSpyder 

Q: What are the main implications of remote working for GDPR compliance? 

Tim Dunn: There are a number of challenges and implications associated with remote working, particularly in the current climate where these working practices have been implemented under extreme pressure and aggressive timescales. As a result, often the supporting business continuity policies and measures have been inadequate. 

A primary issue is that remote users are outside the boundaries of your internal IT infrastructure and therefore the internal security measures and systems that are in place to protect your employees and corporate data are no longer effective in controlling data access, storage and sharing. 

Also many users are resorting to using their personal PCs and laptops, which typically don’t have the necessary security and controls in place. Fundamentally, many companies are losing visibility and control over the access and storage of critical and sensitive corporate data. 

Now that the immediate goal of “keeping the lights on” has passed, there is a need to ensure that remote working has the same protections, visibility controls as traditional corporate data protection. This way of working will become “business as usual” from now on. 

In your experience, how high on the agenda do you think GDPR high was when organisations started rolling out remote working en masse in early March? 

TD: It is fair to say it was immediately identified as a concern and business risk, but organisations typically continued in the knowledge that they would have to address this as soon as possible.  

Maybe the risk has been underestimated. Fraud and cyber crime have risen sharply during the crisis and personal information is a prime target for fraudsters. It’s a sad fact that fraudsters are often more agile in identifying vulnerabilities and exploiting them than companies are at resolving them. 

Certainly, it should now be priority number one for any organisation. 

What percentage of B2C companies do you think had a remote working policy that included GDPR prior to lockdown? 

TD: That’s difficult to quantify, but certainly a large majority of businesses had to move very quickly to move from officebased environments such as call centres to home based workers providing the same business functions. Even where policies existed (which they often don’t), they were not necessarily implemented. 

Q: A critical part of data privacy compliance is ensuring employees understand their responsibilities, do you think employees in general understand the implications of remote working and GDPR? 

TD: Understandably no. Many employees do not appreciate the risks and appropriate working practices. Training in protecting data has not been undertaken by many companies since national lockdowns started. This is compounded by the fact that fraudsters are very sophisticated and do understand how to exploit the deficiencies in business practices and the IT systems underpinning them. 

For advice on achieving effective data privacy compliance, download our free guide > 

Q: In your opinion has this changed over the last 10 weeks? Has awareness increased, are staff being given the tools to protect Personally Identifiable Information (PII) and sensitive data like a company’s IP? 

TD: The picture is mixed, though in general companies are behind the curve in terms of addressing effective data protection under remote working conditions. One of the main issues was that many companies didn’t know what personal information was held on employees machines before the crisis, so now that those machines are outside the protection of the corporate network, there was a potential immediate risk, which has grown as data is being accessed and stored remotely. 

Q: Do personal devices present a bigger problem than corporate laptops and desktops? 

TD: Probably yes. Some companies support “bring your own device” (BYOD) and have policies and technology in place to protect the personal device. However, many companies are using both corporate machines and personal devices whilst at home and sharing data across both. This is typically against corporate policy, but not enforced effectively. 

Q: Is it just company PII that’s impacted by remote working, what about other data which employees may be storing on their personal devices? 

TD: There are various types of sensitive and commercially valuable data that may be at risk. For example, trade secrets, internally confidential communications and financial data. 

There are also other regulatory requirements such as the storage of Card Payment Data (PCI DSS) which need to be enforced. 

Q: We’ve heard of some organisations deploying monitoring software to track how employees use work laptops and devices to protect against misuse. Is this an option you would recommend? What about the employees’ right to privacy? 

TD: I think it is reasonable to protect company information and IT assets, indeed there is a regulatory duty to do so for data such as PII. If you allow people to use their own machines, then ensuring that sensitive data is protected on that machine is fair. Ring fencing a work area on the machine is one way to ensure boundaries of privacy. 

As much as possible, without compromising data protection, it is preferable to adopt a “Trust, but Verify” approach to monitoring data storage and sharing. At the end of the day though, the company is liable for any data breach and the associated penalties. These will be severe if the appropriate controls weren’t in place. 

Q: Have you seen any trends in terms of the kind of data that is being accessed remotely in a non-compliant way? Is this a problem for specific departments within a company? 

TD: It’s a little early to highlight trends, but sales, marketing, customer support and finance teams are all working from home and require access to sensitive data. Whilst many of the supporting business systems maybe cloud based, such as the CRM, Service Desk Solution or ERP, users are often exporting data locally to review and manage. 

Q: It’s been reported that some companies are seeing an increase in DSARs during the pandemic because people have more time on their hands. Is this something you’ve witnessed?  

TD: We have seen an increase in DSARs. To be fair this is not only due to people having more time on their hands, but also because there has been more awareness of privacy issues. 

One interesting issue is ex-employees “weaponising” DSARs and requesting data from their ex-employers. In fact, there are a number of law firms who are using this as a strategy for disgruntled ex-workers taking action against their former employers. 

Q: Can you share some advice for handling a DSAR when users are working remotely? 

TD: The key to effective DSAR handling is to make the process agnostic to where the systems and datastores reside. This means that you should be able to scan PCs, Laptops, Data Servers (cloud and on premise) regardless of location and get visibility to what data resides in each system and store. 

Q: What additional tools should companies deploy to protect data in a remote working environment? 

TD: Solutions that ensure data can only be stored and access from the authorised system / datastore. Also ensure that data is encrypted both whilst stored (at rest) or when being accessed (in transit). 

Most important is a solution that provides visibility to where all your sensitive data is storeand provide a clear view of you regulatory compliance status. 

Q: If a DPO or CIO is concerned that PII is not being handled compliantly, but because of remote working can’t identify where, what can they do to get visibility over the company’s data? 

TD: GDPR Data Discovery and Compliance Reporting Services can help. Not only do these identify where data is held and provide GDPR assessment and implementation, they can also reduce the cost of compliance significantly 

For many companies the cost of handling DSARs is more damaging than the threat of a fine for an infringement. It can involve weeks, even months, of data discovery and consultancy services to respond to just one DSAR if you don’t have effective data privacy compliance in place. Services like Cloud Business’s GDPR Compliance Platform makes it quick and easy to undertake DSARs and tighten up data protection regardless of whether users are on site or working remotely.” 

Cloud Business has partnered with eSpyder to support our customers with a GDPR Data Discovery and Compliance Reporting Service. For further information please contact your Account Manager or, for new customers, call 08456 808538 or email hello@cloudbusiness.com 


About Tim Dunn 

tim dunnTim has been in the software industry for the past 30 years, with the last 20 years spent specialising in the Cyber Security and Data Protection arena. He is a trusted advisor for many global organisations on Data Privacy and Cyber Security technologies. 

As well as managing a number of successful start-ups, Tim also managed the UK for Baltimore Technologies a major Security Software Vendor, CA Technologies and BMC Software’s Security Businesses across EMEA. 

In 2017, Tim co-founded eSpyder with Thomas Zell and Jason Coleman to support Data Processing Officers (DPOs) in their role of ensuring company compliance with the GDPR and regional data protection legislation.  

eSpyder has been designed from the ground up providing DPOs with the tools to respond to Data Subject Access Requests (DSARs) quickly and easily. It also allows users to track progress in terms of DSARs processing and corporate data storage and retention. Designed to be invisible and seamless for usersbut fully configurable for administrators and GDPR consultants. eSpyder is able to rapidly identify Personal Identifiable Information across a customers estate no matter if on servers, clients, visible or hidden, remote or on premise. 

The Cloud Business’s GDPR Compliance Platform is based on the industry leading eSpyder Enterprise PII identification engine 

 

BYOD risks, and how to mitigate against them

Bring Your Own Device (BYOD) is a relatively recent trend (c. 2009) in behaviour where employees use their own mobiles, iPads, and laptops at work, for work. The drivers for BYOD are often to do with convenience but also because the technology individuals own is often more advanced than the hardware your average IT department would deploy. Many IT departments struggle to keep right up to date with every aspect of the latest technology, and an ever-increasing amount of people (e.g. millennials) are now more likely to be IT ‘self-sufficient’. 

While in some industries BYOD has been common practice for some time, in others it’s only just gaining traction. This is causing business leaders, information security professionals and IT support a few sleepless nights. While there are clear benefits for promoting BYOD working for most companies and organisations, there are also risks that can have serious implications for IT security, data protection and compliance.

Benefits of BYOD

There are plenty of upsides to BYOD. It can bring employees increased satisfaction through better and easier access to corporate data, emails, and grant the flexibility they need to use the Cloud to get work done; particularly when working remotely.

Likewise, for an employer, BYOD can bring a subsequent increase in productivity, as well as reduced hardware costs, licencing fees and resource needed for carrying out maintenance.  

However, it could be argued that the sheer number of downsides relating to BYOD mean that your business or organisation could be allowing additional risk factors into your corporate infrastructure.

What are the biggest risks of BYOD?

Here, we look at the key risks organisations should be aware of when it comes to BYOD:

1) No BYOD policy exists

Perhaps the biggest risk factor of all. All organisations should have a BYOD policy in place to protect themselves against being exposed to an attack through, for example, a virus or a hacker – both of which could lead to both financial or legislative penalties and reputational damage.  An effective BYOD strategy will enable your IT department to secure both the devices and the data.

2) Complex security issues

Security issues will often clash with the overall convenience BYOD can bring. These include:

  • Data loss through physical loss or theft of the device, or through ‘cross contamination’, where corporate data may be accidentally deleted due to the fact it can be so intertwined with the user’s personal data.
  • Data leakage through the device not being adequately secured
  • Local exposure – where data being transmitted is not subject to the right controls
  • Public exposure – unacceptable use of a personal device by a family or friend, or a vulnerability through public Wi-Fi usage and connecting to personal networks – including the use of Bluetooth.
  • Malicious and rogue apps – downloaded to a personal device and not pre-approved / controlled by IT to protect the user.
  • An increased vulnerability to insider attacks due to the inherent use of an organisation’s local area network.

3) Definite privacy issues

Due to the fact that employees’ BYODs will naturally be accessing a number of different platforms, servers and networks during the course of a working week, their employer could also legally access them.

It can all seem a bit ‘Big Brother’ when you start to realise that your organisation has the potential ability to read private emails, messages, and access other personal data. There’s a fine line, though most experts agree that employers aren’t really interested in individuals’ personal lives; they just want to ensure that company data and systems are effectively secured.

How do you counteract the risks caused by BYOD?

The ideal scenario for both employees and the organisation is that your IT department has secured all organisational and employee-owned devices appropriately, that mobile applications have the right controls applied, and that corporate and personal data is not subject to leakage or security threats.

Underpinning this is the presence of: 

  • comprehensive BYOD policy, including pairing solutions which work well together in tandem, such as Next Generation Network Access Control (NAC) and Mobile Device Management (MDM) for example
  • Your IT capability extending to 24/7 monitoring to identify potential threats – with the ability to respond to any incidents ‘intelligently’ through disaster recovery and back-up procedures
  • IT solutions which embody rules which are practical, yet not too intrusive. This could include the ability to remotely wipe data, or device tracing (e.g. in case of theft or loss)
  • An effective Data Loss Prevention (DLP) strategy which is built with effective rules to ensure that commercially sensitive data is not sent outside of the internal network

Occasionally, you may come across a ‘rogue’ employee, who either pays no mind to general policies and conduct rules or just thinks that they simply know better.  Effective internal training to upskill and educate staff on topics such as data security, identity fraud and cybercrime can work wonders in turning behaviours like this around.

Successfully mitigating against BYOD risks means that your workforce will ultimately benefit from gaining increased working mobility and flexibility, and your business needs not fear its IT security being compromised via BYOD.

To find out more about how we’ve supported clients with their BYOD policies, read our case study on Dutton Gregory. This solicitors firm needed to give their partners and staff the ability to work remotely from different sites, but also balance compliance regulations and their clients’ concerns over data protection. We enabled them to get the benefits of a more mobile workforce and BYOD, without compromising sensitive data. Read our case study here.

cloud readiness

What is ISO 27001 and why should you get certified?

ISO 27001 is a framework for managing IT security. Whilst it doesn’t sound exciting, ISO 27001, known under its full title as ISO/IEC 27001: 2013, is an information security management system (ISMS) that helps keep consumer data safe in the private and public sector.

ISO 27001 has been around a while, superseding the original ISMS compliance framework that came into effect in 2005. This was updated in 2013, to reflect the changing nature of IT security and new threats against organisations and consumers.

Background to ISO 27001

Protecting data, passwords and computer services are more important than ever, with everything from banking to vital infrastructure connected to the internet and vulnerable to cyber attacks. Over the last few years, attacks have increased in complexity and frequency, exposing millions of people and businesses to security breaches, theft and fraud.

ISO 27001: 2013 was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.” It was established, implemented and monitored jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), under a joint subcommittee.

Despite ISO 27001 focusing on information security, this is a platform/technology neutral framework, designed around how organisation’s manage IT risks and systems.

There are seven areas that companies need to manage, to achieve ISO 27001 compliance.

  1. Context of an organisation

ISO 27001 does not take place in isolation. Start with internal considerations: your organisation’s mission, values, products/services, sector, financial and human resources. Think about stakeholders, internal capabilities, culture, contracts, and then consider how external conditions, trends and customers could impact what you hope to achieve when designed an information security system.

With a 360 view of an organisation in place, you can determine an ISMS scope document, the boundaries of these policies (including considering the impact of the bring your own device – BYOD – trend) and write ISMS policies following ISO 27001 standards.

  1. Leadership

Organisation’s need to show they are committed to an ISO 27001 from the top-down. Policies need to be established and become an integral part of how IT is managed, with a security policy communicated to the whole team. This needs to support security objectives, with clear management responsibility for these policies.

  1. Planning

Planning an ISO 27001 involves assessing risks and opportunities that could impact IT security, both internally and externally. Risk assessments should be conducted: identifying, analysing, evaluating and prioritising the threats to an organisation. Once risks have been identified, a treatment process is required; to ensure you can handle threats if/when they strike.

  1. Support

ISO 27001 need resources for successful implementation. Budgets need to be allocated and staff fully trained and competent when it comes to delivering within the framework of the security objectives and policies. These should always be in line with the threats facing an organisation. Small businesses don’t have the same risk matrix as large government departments: design your security policies according to your internal and external threats.

  1. Operational planning & processes

Successful implementation of ISO 27001 involves embedding operational processes within an organisation. This involves risk assessments, treatment plans and documenting the results of security policies.

  1. Evaluation process

Effective information security involves constant monitoring, measuring, analysing and evaluating the impact of IT policies. To achieve ISO certification, this should include audits and reviews at planned intervals.

  1. Improvements

Even companies with ISO certification will encounter situations where they fail to meet standards. When this happens, they need to assess what went wrong and how to take corrective actions. This may mean going back to the policies, resources and monitoring systems to ensure corrective action isn’t needed in the future.

Why get accredited?

Not only is ISO 27001 compliance valuable for large organisation’s and the public sector, but when dealing with third-party suppliers, such as IT companies, these standards mean your customer’s data is safe in their hands. This establishes a higher trust rating between organisations of different sizes since IT infrastructure will carry the same security requirements, making it easier to transfer and store sensitive information.

Innovation

Accreditation can also help you innovate. We helped Experian Data Quality achieve ISO 27001 so the company could expand its product range. Accreditation is a vital part of product development for its leading international address management software. Learn more here >

Differentiation

ISO 27001 is helping other organisations compete and differentiate in the marketplace. Leading specialist recruitment and human resources service provider, Reed Managed Services, wanted to demonstrate to their clients, employees and temporaries that they take IT data seriously and manage it using international best practice. When they achieved ISO 27001 with our help, they were the only recruitment company to have the accreditation. Read the case study here >

Win more business

Businesses and organisations that want to work with government departments and agencies, increasingly find that ISO 27001 is a standard requirement for doing business. Our customer Mouchel, a consulting and business services group, needed to achieve ISO 27001 in order to pick up government infrastructure projects. Find out how we helped them with rapid certification here >

Typically achieving ISO 27001 takes up to 18 months but we’ve helped organisations get accredited much faster. Experian Data Quality were accredited in a record 3 months.

“Within just 60 days of consultancy, we passed the BSI inspection first time. I believe that this was achieved so quickly because Cloud Business committed 50% of its time to gain a complete understanding of how our business worked.”

Warwick Taylor, Experian Data Quality IT Manager

If you would like to find out more about how we can help you achieve ISO 27001 please get in touch. Book a discovery call below or contact us here >

Book a discovery call advert

Cloud Business Logo - white
Microsoft Gold Partner Logo - Cloud Business

Cloud Business Limited
8 North Street
Guildford
GU1 4AF

Microsoft Gold Partner Logo - Cloud Business

2021 © Cloud Business Limited
Registered Company in England and Wales 06798438