Success stories

Our customers come in all shapes and sizes.

We work with organisations from all walks of life, with different ambitions and requirements. Explore how we’ve helped them reimagine the everyday and align technology with their culture and business goals.

Digital transformation in legal – 5 steps to embrace change

Digital transformation in legal is a significant paradigm shift. To learn how to embrace change and get the benefits of transformation, read our blog.

We are ISO 27001 accredited!

Cloud Business has recently secured ISO 27001 certification. Find out more about this standard and the benefits to our customers in this article.

Data backup: are you backing up and protecting your business’s data correctly?

How does your business back up its data? There are many risks to a business’s data and not all data backup solutions are equal.

Cost of a data breach to UK businesses

What is the cost of a data breach for UK businesses, and how can you calculate the cost for your business? Read this blog to find out.

GDPR Assessment and Data Discovery Service

Cloud Business is pleased to announce the launch of our new Data Privacy and Compliance Service powered by eSpyder. We have been working with eSpyder for several years on a GDPR assessment and data discovery service to meet demand from our customer base, and during that time we have been refining the service to help companies gain a competitive advantage through effective data privacy compliance.

GDPR Compliance Platform

Cloud Business and eSpyder’s GDPR Compliance Platform has been developed to support Data Protection Officers (DPOs) and ensure company compliance with the GDPR and global data privacy legislation. Our service includes:

  • Data discovery & review
  • GDPR compliance assessment & implementation
  • Automated monthly data discovery & reporting

Our GDPR assessment and data discovery service also ensures your DPO can respond to Data Subject Access Requests (DSARs) quickly and easily, tracking progress and reducing the cost of compliance. Typically, when a DPO receives a DSAR it is the IT team that has to locate the PII, which is why the service is aimed at DPOs as well as CTOs and IT Directors and Managers.

eSpyder is a system, platform and device agnostic solution that integrates into existing IT environments with no need for additional server infrastructure. It scans PCs, laptops and data servers (cloud and on-premises), regardless of location, and gives visibility of what data resides in each system or datastore.

Get in touch if you would like to discuss your IT environment in more detail.

Do you really know where your sensitive data (PII) resides?

Last month we ‘celebrated’ the anniversary of the GDPR becoming legally enforceable. Two years on, a lot has happened, some of which, as our guest blogger Tim Dunn explains below, may have distracted organisations from gaining real visibility over their sensitive data and PII.

As you have probably heard before, GDPR compliance is a journey, not a destination. There is no magic button that makes your organisation 100% compliant. However, as Tim discusses below, going on that journey and taking the steps he outlines in the GDPR compliance maturity model can deliver significant benefits over and above compliance. Read on to find out more about these benefits and the steps to take to gain visibility of PII and your organisation’s sensitive data.

The General Data Protection Regulation (GDPR) came into force in May 2018. In the subsequent two years UK companies have not only had to ensure they are compliant with the GDPR, but also prepare for Brexit and, more recently, adapt their businesses to working under Covid-19 restrictions.

It is fair to say that many organisations of all sizes were not ready to manage their obligations under the GDPR by the 25 May 2018 deadline. Whilst most companies reviewed their data processing policies and business processes, there was still a huge challenge in identifying where Personally Identifiable Information (PII) resided in their systems, which limited the effectiveness of the compliance measures they were trying to establish. Furthermore, a majority of companies still struggle to track and protect PII on an ongoing basis.

Common barriers to gaining visibility of PII

One major barrier to gaining visibility of sensitive data is that there is a myriad of IT and business systems, each with its own data store. Also, many users transfer data to their local machines from secure corporate data stores, often with the best intentions of working efficiently offline or from remote locations such as their homes.

Another major challenge is that the Data Owners and the Data Protection Officer (DPO) are typically business executives rather than IT. Whilst they are the people who need to ask what data is being held and where, for example in response to a Data Subject Access Request (DSAR), they are wholly reliant on IT staff to provide the answers. This is costly and time-consuming for both the business stakeholders and the IT department. It also significantly hampers business agility, which has been crucial for companies in the current Covid-19 crisis, where businesses have had to develop new business practices to continue trading.

GDPR compliance: 4 steps to maturity

Understanding with confidence where the company’s sensitive data is stored, and who can access it, is the foundation and starting point for an effective data protection capability. In a maturity model of this kind, you cannot progress beyond level 1 without completing the initial discovery and then implementing an ongoing tracking and search capability.

Once a company knows where its data resides and can ensure it is appropriately controlled and protected, it gains significant business benefits beyond GDPR compliance:

  • It greatly reduces the costs associated with data protection and data management.
  • It saves time and limits the resource required to gain visibility and control over data.
  • It increases business agility, through both the time savings and the reduced risk of implementing new business models and services.
  • It improves customer service and brand reputation through rapid responsiveness to DSARs and demonstrable care and respect for customers’ data and privacy.

If you would like support understanding where your business’s sensitive data resides, please get in touch with our team.

About Tim Dunn

Tim has been in the software industry for the past 30 years, with the last 20 years spent specialising in cyber security and data protection. He is a trusted advisor to many global organisations on data privacy and cyber security technologies. As well as managing a number of successful start-ups, Tim ran the UK business of Baltimore Technologies, a major security software vendor, and the security businesses of CA Technologies and BMC Software across EMEA.

In 2017, Tim co-founded eSpyder with Thomas Zell and Jason Coleman to support Data Protection Officers (DPOs) in their role of ensuring company compliance with the GDPR and regional data protection legislation.

eSpyder has been designed from the ground up to give DPOs the tools to respond to Data Subject Access Requests (DSARs) quickly and easily. It also allows users to track progress in DSAR processing and in corporate data storage and retention. It is designed to be invisible and seamless for users, but fully configurable for administrators and GDPR consultants, and it is able to rapidly identify Personally Identifiable Information across a customer’s estate, whether on servers or clients, visible or hidden, remote or on-premises.

The Cloud Business GDPR Compliance Platform is based on the industry-leading eSpyder Enterprise PII identification engine.
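As an added illustration of the data discovery step that both the service description above and Tim’s post describe (this is example code written for this page, not eSpyder’s product or Cloud Business’s code): a small scan of a directory tree for common PII patterns, with a Luhn check so that random digit runs such as order references are not reported as card numbers. The detector patterns, the sample directory and the file contents are all constructed here for the example; a real scanner would also open archives, mailboxes and Office documents, which this one does not.

```python
"""
Added example, not eSpyder's or Cloud Business's code: a minimal PII discovery
scan over a directory tree, the kind of visibility a DPO needs before a DSAR
can be answered. Detector patterns and the sample files are constructed here.
"""
import os
import re
import tempfile
from collections import defaultdict

# Detector name -> regex. The card pattern is deliberately loose (any 13-19
# digit run with optional separators) and is tightened by the Luhn check below.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # UK National Insurance number, e.g. AB 12 34 56 C; prefix letters never D F I Q U V
    "uk_nino": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops random digit runs (order refs, phone numbers) that
    merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Return {detector: count} for one blob of text."""
    hits = defaultdict(int)
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if name == "card_number" and not luhn_ok(re.sub(r"[ -]", "", m.group())):
                continue
            hits[name] += 1
    return dict(hits)


def scan_tree(root: str, max_bytes: int = 1_000_000) -> dict:
    """Walk root and return {relative path: {detector: count}} for files with hits.
    Files are read as text with undecodable bytes ignored, so binaries mostly
    yield nothing."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read(max_bytes))
            except OSError:
                continue
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def make_sample_estate() -> str:
    """Constructed sample: a CRM export a user downloaded to a laptop, next to
    a note that contains a digit run which is not a card number."""
    root = tempfile.mkdtemp(prefix="pii_demo_")
    os.makedirs(os.path.join(root, "Downloads"))
    with open(os.path.join(root, "Downloads", "crm_export.csv"), "w") as fh:
        fh.write("name,email,nino,card\n")
        fh.write("A Person,a.person@example.com,AB 12 34 56 C,4111 1111 1111 1111\n")
        fh.write("B Person,b.person@example.org,CE123456D,4111111111111112\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("Meeting moved to Thursday. Order ref 1234567890123.\n")
    return root


if __name__ == "__main__":
    for path, hits in scan_tree(make_sample_estate()).items():
        print(path, hits)
```

Run directly, it reports only Downloads/crm_export.csv, with two email addresses, two NI numbers and one card number; the second card value fails Luhn and the 13-digit order reference in notes.txt is skipped for the same reason. The output is a per-file inventory, which is exactly what has to exist before anyone can say with confidence which machines hold a given data subject’s records.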

A to Z of GDPR Data Subject Access Requests (DSARs)

Data Subject Access Requests (DSARs) are on the increase as awareness grows and individuals want to take control of their PII. Read on for advice.

Are your remote workers GDPR compliant?

Rapid deployment of remote working to address the Covid-19 crisis has resulted in many B2C businesses failing to meet their own GDPR policies and data protection practices. The Information Commissioner’s Office (ICO) has stated that it “won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period”, but that latitude won’t last forever. Companies need to ensure they know what data they hold and where it resides, on-premises and remotely; the pandemic is not an excuse for non-compliance.

As DPOs and CIOs retrofit GDPR tools to a remote environment, we asked Tim Dunn, CEO of eSpyder, for his insights into the current conditions. In the interview below he talks through the challenges of data privacy compliance with a remote workforce and how to ensure your business and your Personally Identifiable Information (PII) are protected.

To learn more about effective data privacy compliance, and what is required to achieve it, download our guide.

Remote working and GDPR with Tim Dunn from eSpyder

Q: What are the main implications of remote working for GDPR compliance?

Tim Dunn: “There are a number of challenges and implications associated with remote working, particularly in the current climate where these working practices have been implemented under extreme pressure and aggressive timescales. As a result, often the supporting business continuity policies and measures have been inadequate.

“A primary issue is that remote users are outside the boundaries of your internal IT infrastructure and therefore the internal security measures and systems that are in place to protect your employees and corporate data are no longer effective in controlling data access, storage and sharing.

“Also many users are resorting to using their personal PCs and laptops, which typically don’t have the necessary security and controls in place. Fundamentally, many companies are losing visibility and control over the access and storage of critical and sensitive corporate data.

“Now that the immediate goal of “keeping the lights on” has passed, there is a need to ensure that remote working has the same protections and visibility controls as traditional corporate data protection. This way of working will become “business as usual” from now on.”

Q: In your experience, how high on the agenda do you think GDPR was when organisations started rolling out remote working en masse in early March?

TD: “It is fair to say it was immediately identified as a concern and business risk, but organisations typically continued in the knowledge that they would have to address this as soon as possible.

“Maybe the risk has been underestimated. Fraud and cyber crime have risen sharply during the crisis and personal information is a prime target for fraudsters. It’s a sad fact that fraudsters are often more agile in identifying vulnerabilities and exploiting them than companies are at resolving them.

“Certainly, it should now be priority number one for any organisation.”

Q: What percentage of B2C companies do you think had a remote working policy that included GDPR prior to lockdown?

TD: “That’s difficult to quantify, but certainly a large majority of businesses had to move very quickly from office-based environments such as call centres to home-based workers providing the same business functions. Even where policies existed (which they often don’t), they were not necessarily implemented.”

Q: A critical part of data privacy compliance is ensuring employees understand their responsibilities. Do you think employees in general understand the implications of remote working and GDPR?

TD: “Understandably, no. Many employees do not appreciate the risks and appropriate working practices. Training in protecting data has not been undertaken by many companies since national lockdowns started. This is compounded by the fact that fraudsters are very sophisticated and do understand how to exploit the deficiencies in business practices and the IT systems underpinning them.”

For advice on achieving effective data privacy compliance, download our free guide.

Q: In your opinion has this changed over the last 10 weeks? Has awareness increased, and are staff being given the tools to protect Personally Identifiable Information (PII) and sensitive data such as a company’s IP?

TD: “The picture is mixed, though in general companies are behind the curve in terms of addressing effective data protection under remote working conditions. One of the main issues was that many companies didn’t know what personal information was held on employees’ machines before the crisis, so now that those machines are outside the protection of the corporate network there was a potential immediate risk, which has grown as data is accessed and stored remotely.”

Q: Do personal devices present a bigger problem than corporate laptops and desktops?

TD: “Probably yes. Some companies support “bring your own device” (BYOD) and have policies and technology in place to protect the personal device. However, many companies are using both corporate machines and personal devices whilst at home and sharing data across both. This is typically against corporate policy, but not enforced effectively.”

Q: Is it just company PII that’s impacted by remote working? What about other data which employees may be storing on their personal devices?

TD: “There are various types of sensitive and commercially valuable data that may be at risk. For example, trade secrets, internally confidential communications and financial data.

“There are also other regulatory requirements, such as the storage of card payment data (PCI DSS), which need to be enforced.”

Q: We’ve heard of some organisations deploying monitoring software to track how employees use work laptops and devices to protect against misuse. Is this an option you would recommend? What about the employees’ right to privacy?

TD: “I think it is reasonable to protect company information and IT assets; indeed there is a regulatory duty to do so for data such as PII. If you allow people to use their own machines, then ensuring that sensitive data is protected on that machine is fair. Ring-fencing a work area on the machine is one way to ensure boundaries of privacy.

“As much as possible, without compromising data protection, it is preferable to adopt a “Trust, but Verify” approach to monitoring data storage and sharing. At the end of the day though, the company is liable for any data breach and the associated penalties. These will be severe if the appropriate controls weren’t in place.”

Q: Have you seen any trends in terms of the kind of data that is being accessed remotely in a non-compliant way? Is this a problem for specific departments within a company?

TD: “It’s a little early to highlight trends, but sales, marketing, customer support and finance teams are all working from home and require access to sensitive data. Whilst many of the supporting business systems may be cloud-based, such as the CRM, service desk solution or ERP, users are often exporting data locally to review and manage.”

Q: It’s been reported that some companies are seeing an increase in DSARs

BYOD risks, and how to mitigate against them

What are the BYOD risks and how can you increase mobility while protecting your people, organisation and data? Find out here.

What is ISO 27001 and why should you get certified?

ISO 27001 is the international standard for managing information security. Whilst it doesn’t sound exciting, ISO 27001 (full title ISO/IEC 27001:2013 in the edition current when this was written; a revised edition, ISO/IEC 27001:2022, has since been published) specifies the requirements for an information security management system (ISMS): the set of policies, processes and controls by which an organisation protects its own and its customers’ information, in the private and public sector alike. ISO 27001 has been around a while: the first edition was published in 2005 (replacing the British standard BS 7799-2) and it was revised in 2013 to reflect the changing nature of IT security and new threats against organisations and consumers.

Background to ISO 27001

Protecting data, passwords and computer services is more important than ever, with everything from banking to vital infrastructure connected to the internet and exposed to cyber attacks. Over the last few years, attacks have increased in complexity and frequency, exposing millions of people and businesses to security breaches, theft and fraud.

The standard’s stated purpose (in the wording of the 2005 edition) is to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.” It is developed and published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) through their joint technical committee, ISO/IEC JTC 1/SC 27. Although ISO 27001 focuses on information security, it is a platform- and technology-neutral framework, designed around how an organisation manages information risk rather than around any particular product.

Strictly speaking, an organisation is certified against ISO 27001 by a certification body, and it is the certification body that is accredited (in the UK, by UKAS). This page, like many, uses “accredited” loosely to mean “certified”.

There are seven areas (clauses 4 to 10 of the standard) that companies need to manage to achieve ISO 27001 compliance.

Context of the organisation

ISO 27001 does not take place in isolation. Start with internal considerations: your organisation’s mission, values, products/services, sector, and financial and human resources. Think about stakeholders, internal capabilities, culture and contracts, and then consider how external conditions, trends and customers could impact what you hope to achieve when designing an information security management system. With a 360-degree view of the organisation in place, you can determine the ISMS scope document and the boundaries of your policies (including the impact of the bring-your-own-device, BYOD, trend), and write ISMS policies following the ISO 27001 standard.

Leadership

Organisations need to show they are committed to ISO 27001 from the top down. Policies need to be established and become an integral part of how IT is managed, with a security policy communicated to the whole team. This needs to support the security objectives, with clear management responsibility for these policies.

Planning

Planning for ISO 27001 involves assessing the risks and opportunities that could impact information security, both internally and externally. Risk assessments should be conducted: identifying, analysing, evaluating and prioritising the threats to the organisation. Once risks have been identified, a risk treatment process is required so that you can handle threats if and when they materialise.

Support

ISO 27001 needs resources for successful implementation. Budgets need to be allocated and staff fully trained and competent in delivering within the framework of the security objectives and policies. These should always be in line with the threats facing the organisation: small businesses don’t have the same risk profile as large government departments, so design your security policies according to your own internal and external threats.

Operational planning & processes

Successful implementation of ISO 27001 involves embedding operational processes within the organisation. This involves risk assessments, treatment plans and documenting the results of security policies.

Evaluation process

Effective information security involves constant monitoring, measuring, analysing and evaluating the impact of the security policies. To achieve ISO certification, this should include internal audits and management reviews at planned intervals.

Improvements

Even companies with ISO certification will encounter situations where they fail to meet the standard. When this happens, they need to assess what went wrong and take corrective action. This may mean going back to the policies, resources and monitoring systems to ensure the same corrective action isn’t needed again in future.

Why get certified?

ISO 27001 compliance is valuable not only for large organisations and the public sector: when dealing with third-party suppliers, such as IT companies, the standard gives assurance that your customers’ data is handled securely. It establishes a higher level of trust between organisations of different sizes, since their IT infrastructure will carry the same security requirements, making it easier to transfer and store sensitive information.

Innovation

Certification can also help you innovate. We helped Experian Data Quality achieve ISO 27001 so the company could expand its product range. Certification is a vital part of product development for its leading international address management software.

Differentiation

ISO 27001 is helping other organisations compete and differentiate in the marketplace. Leading specialist recruitment and human resources service provider Reed Managed Services wanted to demonstrate to their clients, employees and temporaries that they take data security seriously and manage it using international best practice. When they achieved ISO 27001 with our help, they were the only recruitment company to hold the certification.

Win more business

Businesses and organisations that want to work with government departments and agencies increasingly find that ISO 27001 is a standard requirement for doing business. Our customer Mouchel, a consulting and business services group, needed to achieve ISO 27001 in order to pick up government infrastructure projects.

Typically, achieving ISO 27001 takes up to 18 months, but we’ve helped organisations get certified much faster. Experian Data Quality were certified in a record 3 months.

“Within just 60 days of consultancy, we passed the BSI inspection first time. I believe that this was achieved so quickly because Cloud Business committed 50% of its time to gain a complete understanding of how our business worked.” Warwick Taylor, Experian Data Quality IT Manager

If you would like to find out more about how we can help you achieve ISO 27001, please get in touch.

Digital transformation in legal – 5 steps to embrace change

Digital transformation in legal is a significant paradigm shift. It is impacting legal counsels both within the corporate world as well as at law firms, and management consultants have made a tidy practice of it. Practically speaking, you can barely open a business or legal publication without finding a headline that discusses embracing digital.

General counsel, in-house legal departments, and contract teams are not immune to this business paradigm. Digitisation continues to take hold of all aspects of consumer and corporate life, and when it reaches the legal industry the advice is to embrace the change. In broad strokes that is easy to state, but is it really so simple in practice? Below is our 5-step guide to help you.

Explore CB Legal for in-house legal teams and law firms.

1. Incremental change – not big bang

There are many different approaches to tackling digital transformation in legal departments. However, from our experience, in-house legal teams that take an incremental approach are more likely to succeed with their initiatives.

Nobody said that change management is easy. Digital technologies bring a significant improvement in cost-effectiveness to many traditional functions, but they have to be applied with a sound, step-by-step strategy that doesn’t leave your people behind. In fact, your people are the most important factor in ensuring the change takes root, and in this light adjusting your corporate culture is among the greatest challenges.

Taking a “land and expand” approach means that changes are made progressively. Lessons are learned along the way and the culture can also adapt along the way.

2. Out-of-the-box, not bespoke

When you think about digital transformation in legal, too many people immediately think about custom coded projects. Upon choosing a legal technology product, think along the lines of getting up and running out-of-the-box (OOTB). Whether it is a legal artificial intelligence system or a specialised application, bespoke invariably delays projects. It adds costs. Worse yet, it increases the risk of failure.

A major tip to remember is to avoid the temptation to go down a bespoke route. It is better to deploy an OOTB digital system, use it and learn its capabilities, then configure and adapt it to your own new needs. After that, consider whether the solution is good enough for your requirements. In many cases, you will discover that the initial urge to customise the solution was simply not needed: usually, the digital product provides for all user needs without incurring additional costs, deployment time and headaches.

3. Find internal champions

Digital transformation in legal teams and corporations involves people. Specifically, it means gaining momentum within the organisation through user adoption. This is true of any initiative, whether it is bringing on new legal services, machine learning analytics, or new contract management technology. At Cloud Business, we find that an industry best practice is to appoint user/product champions.

Champions are well-recognised employees who are respected internally. They know the existing systems and standard processes used by your organisation. They also become the voice of the product and socialise its benefits within the employee groups and legal teams. 

Cultivating these champions is important, as they become your key drivers of behaviour change. Through their influence, respect and ground-floor knowledge, they help the organisation and its culture adapt. Embracing digital becomes less of a stress and burden; with the help of the champions, it becomes an opportunity for success.

4. It’s about the business outcomes

Don’t get trapped in the details of the features and functionality of your new digital system. Yes, these are great; they may even be strides ahead of your old methods. Instead, keep the conversations focused on the business outcomes that your team and company set out to achieve. At every opportunity, set goals your team can meet, such as delivering one project or one KPI (key performance indicator), using the new system.

As an example, with a new contract management system, first find out how the analytics work. Then set a goal for the next executive meeting: the legal contracts team will run a discovery phase and provide the general counsel with a report of statistics on your typical contract financial expectations.

5. Setting realistic benchmarks

Although it is tempting, don’t give in to set excessively ambitious targets. Setting a return on investment (ROI) benchmark is a good thing but setting the bar too high can only demoralise your team. Remember, digital transformation in legal is as much about shifting a cultural mindset as it is introducing new processes, ways of working, and new technology systems.

Instead, think through what you can reasonably expect within the next six, twelve and even twenty-four months. Engender a willingness to experiment by being willing to forgive the occasional miss on your targets. After all, if you hit all of your ROI goals and KPI targets, you probably did not set aggressive enough goals.

Ultimately, it comes down to supporting your in-house legal team’s long-term success. Keep the team motivated and focused on pursuing excellence. Digital transformation in legal is all about a shift in mindset, a goal-oriented team, and building a culture of success.

Feel free to connect with us at Cloud Business to discuss how we can help you on your journey of digital transformation in legal, specific to contract management.

We are ISO 27001 accredited!

Breaking news at Cloud Business HQ: we’re delighted to announce that we’ve secured ISO 27001 certification after many months of hard work by the team. Regular readers of our blog will know that we take information security very seriously (we regularly feature information security issues here), and ISO 27001 is another step in demonstrating this and ensuring best practice.

What is ISO 27001?

This is an internationally recognised best-practice standard for information security, and it is highly relevant for organisations like us working in the IT sector, where the protection of information is critical.

It’s also highly appropriate for organisations that manage high volumes of data and information on behalf of clients, such as in datacentres, making it even more relevant to Managed Service Providers like ourselves.

The main objective of the ISO 27001 standard is to establish and maintain an effective Information Security Management System (ISMS), using a continual improvement approach. The standard requires that we systematically examine the risks to the organisation’s information security and put in place comprehensive policies to manage those risks that are within our control.

ISO 27001 is a proactive approach to managing risk and securing data and information, planning ahead and pre-empting threats rather than reacting to threats when they happen.

In demonstrating that we comply with this standard, Cloud Business has designed and implemented a set of controls and measures to manage any threats to data and information assets, as well as refining existing systems to comply with standards. Going forward we will maintain and continually improve these as new threats emerge and new solutions and systems are developed.

The benefits to our clients are:

  • ISO 27001 increases the security of their confidential information,
  • It gives clients and stakeholders confidence that we are managing risk,
  • It improves the secure exchange of information internally and externally,
  • It helps our clients comply with regulations impacting on their business,
  • It improves the consistency of the delivery of our service to our clients,
  • It manages and minimises risk exposure for clients and ourselves,
  • It builds a culture of security within Cloud Business that will also be communicated to our clients through our day-to-day contact with them.

What happens next?

Having achieved ISO 27001 we now have to maintain it, and part of this is the continual improvement element. This means we will be regularly reviewing our information security management system and updating our controls and measures as appropriate. We will also undergo regular surveillance audits by the certification body, as well as a full recertification audit every three years.

While our ISO 27001 certification will benefit your business if you work with us, you may also be interested in achieving this certification yourselves. We have helped other organisations, such as Experian Data Quality, achieve ISO 27001, and you can read a case study on that project.

Data backup: are you backing up and protecting your business’s data correctly?

Your data is one of your business’s most important assets. Without it your business would be unable to operate. Most companies have a disaster recovery plan in place to protect their data; however, 23% of businesses have never tested their plans.

Business data is at risk from various threats, so it is important to test and reassess your disaster recovery plans regularly to limit data loss. The backbone of any disaster recovery plan is proper data backup. In this article we will discuss the risks to your business’s data and how to ensure your backups effectively support your disaster recovery plan.

What is your organisation’s current cyber security posture? To understand which risks to prioritise and where your vulnerabilities are, explore the benefits of a Cyber Security Posture Assessment.

Key risks to a business’s data

When considering the importance of data backup, you must first consider the common causes of data loss within a business. In the past, the three main risks to data were hardware malfunction, accidental deletion and natural disasters.

  1. Hardware malfunction is when a storage device ceases to work. This is most common in disk drives, where the disk or the arm fails, causing data to be lost.
  2. Human error is a common cause of data loss. This occurs when employees permanently delete or overwrite critical data.
  3. Physical disasters are not as common; however, fire, floods and other natural disasters pose a risk to on-premises and off-premises data storage locations.

Whilst these risks remain relevant in 2021, in the past 5 years the most prominent risks to data have been cybersecurity incidents.

This includes the rise of ransomware attacks and system breaches leading to data loss. With the prevalence of these attacks, it is no longer a case of ‘if’ a business will fall victim to an attack, it is ‘when’. For this reason, businesses should have a comprehensive backup plan in place to ensure business continuity when these incidents happen.

Types of backup storage

The simplest form of backup is data backup to local disks. This is where data is regularly backed up to another drive on a PC or to an external hard drive. Although this is a fast and convenient method of backup, it offers no protection against a natural disaster, or a ransomware attack if it is stored on the local drive. Depending on the amount of data and employees, this solution is often not suitable for large environments.

One of the most common forms of backup storage is data backup to NAS. A NAS, or Network Attached Storage, is a network device that allows all users connected to the network to access and back up their data. As data is regularly backed up it can be quickly recovered in the event of a cybersecurity incident or accidental deletion. The main downside to this data storage method is that, as it is on-premises, it offers no protection against natural disasters.

To overcome the risk of natural disasters, at least one copy of data should be stored off-premises. A traditional method of off-premises storage is data backup to tapes. This is where data is stored on tape devices over 100 miles away from the business location. This enables business continuity if there is a data loss incident or natural disaster at the business location, however the time to recover is increased as the tapes need to be collected or shipped from the off-premises storage location.

The modern equivalent of tape storage is data backup to cloud storage. This has all the benefits of tape storage but can be quickly accessed to avoid downtime within a business. It is also a more flexible solution as it does not require any additional infrastructure within a business.

Data backup best practices

The traditional backup best practice is the 3-2-1 rule. This states that a business should keep 3 copies of all data (one primary copy and at least 2 backups), copies of data should be on at least 2 types of storage, and 1 copy of the data should be stored off-premises. Although this method is still effective, with businesses undergoing a digital transformation, the advent of cloud technologies and the ever-evolving cyber security threat landscape, this rule is being superseded by the 3-2-2 rule.

The 3-2-2 rule states that a business should keep 3 copies of all data: one primary, a synced version through OneDrive for Business and a cloud copy. The data should be stored on 2 different clouds. This means that the data is stored in 2 off-premises locations for maximum redundancy. Moving to this rule allows for faster recovery from a data loss incident and easy access to all necessary data, regardless of where employees are working.
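The two rules above as an executable check over a backup inventory, an added example and not Cloud Business’s own tooling. The inventory model and its field names (role, medium, location, provider) are assumptions made for this illustration; the rules themselves are the ones described in the article.

```python
"""Check a backup inventory against the 3-2-1 and 3-2-2 rules.

Added example, not Cloud Business's own tooling. The inventory model and its
field names (role, medium, location, provider) are assumptions for this
illustration; the rules themselves are the ones described in the article.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class DataCopy:
    name: str
    role: str            # "primary" or "backup"
    medium: str          # "local_disk", "nas", "tape" or "cloud"
    location: str        # "on_premises" or "off_premises"
    provider: str = ""   # cloud provider; only meaningful when medium == "cloud"


@dataclass
class RuleResult:
    rule: str
    compliant: bool
    failures: List[str] = field(default_factory=list)


def _count_roles(copies: List[DataCopy]) -> List[str]:
    """Shared check: exactly one primary copy and at least two backups."""
    failures = []
    primaries = [c for c in copies if c.role == "primary"]
    backups = [c for c in copies if c.role == "backup"]
    if len(primaries) != 1:
        failures.append(f"expected exactly 1 primary copy, found {len(primaries)}")
    if len(backups) < 2:
        failures.append(f"expected at least 2 backup copies, found {len(backups)}")
    return failures


def check_3_2_1(copies: List[DataCopy]) -> RuleResult:
    """3 copies (1 primary + 2 backups), on 2 storage types, 1 copy off-premises."""
    failures = _count_roles(copies)
    media = {c.medium for c in copies}
    if len(media) < 2:
        failures.append(f"expected at least 2 storage types, found {sorted(media)}")
    if not any(c.location == "off_premises" for c in copies):
        failures.append("no copy is stored off-premises")
    return RuleResult("3-2-1", not failures, failures)


def check_3_2_2(copies: List[DataCopy]) -> RuleResult:
    """3 copies, backups on 2 different clouds, 2 copies off-premises."""
    failures = _count_roles(copies)
    providers = {c.provider for c in copies
                 if c.role == "backup" and c.medium == "cloud" and c.provider}
    if len(providers) < 2:
        failures.append(f"expected backups on 2 different clouds, found {sorted(providers)}")
    offsite = [c for c in copies if c.location == "off_premises"]
    if len(offsite) < 2:
        failures.append(f"expected 2 off-premises copies, found {len(offsite)}")
    return RuleResult("3-2-2", not failures, failures)


# Constructed sample inventories (not real customer data).
ONPREM_ONLY = [
    DataCopy("file server", "primary", "local_disk", "on_premises"),
    DataCopy("office NAS", "backup", "nas", "on_premises"),
    DataCopy("USB drive", "backup", "local_disk", "on_premises"),
]
TAPE_OFFSITE = [
    DataCopy("file server", "primary", "local_disk", "on_premises"),
    DataCopy("office NAS", "backup", "nas", "on_premises"),
    DataCopy("tape vault", "backup", "tape", "off_premises"),
]
TWO_CLOUDS = [
    DataCopy("laptop", "primary", "local_disk", "on_premises"),
    DataCopy("OneDrive sync", "backup", "cloud", "off_premises", "OneDrive for Business"),
    DataCopy("cloud backup", "backup", "cloud", "off_premises", "second cloud provider"),
]

if __name__ == "__main__":
    for label, inv in [("on-prem only", ONPREM_ONLY),
                       ("NAS + offsite tape", TAPE_OFFSITE),
                       ("two clouds", TWO_CLOUDS)]:
        for result in (check_3_2_1(inv), check_3_2_2(inv)):
            status = "PASS" if result.compliant else "FAIL"
            print(f"{label:>20} {result.rule}: {status} {'; '.join(result.failures)}")
```

The on-premises-only inventory fails both rules, the NAS-plus-tape inventory satisfies 3-2-1 but not 3-2-2, and only the two-cloud inventory satisfies both.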

Backup software solutions

For a business to ensure that backups are completed regularly and effectively, a software solution should be in place to limit downtime after an incident and ensure business continuity. Look for solutions that combine backup, recovery, protection management and cyber security. Full-image and file-level backups should be completed regularly and stored in the cloud or on a NAS. Data backup solutions that deploy cyber security tools, like AI-based behavioural detection for zero-day attack prevention and built-in ransomware recovery, give you an additional level of protection from cyber threats too.

To find out more about data backup and how to protect your business from cyber security threats, speak to our team >

Cost of a data breach to UK businesses

Data protection is at the forefront of most CEOs’ minds this year, as the inevitability of a data breach has become very much a reality for most organisations. While many public data breaches appear to be predominantly in the US, we can’t afford to be complacent here in the UK.

The infamous data breach at TalkTalk in 2015 (actually the second that year, if not the third) certainly caused many people to wake up to this reality, not least after TalkTalk revealed that the cost of the October data breach amounts to £60 million. For a company with projected earnings before interest, tax and other items for the year ending in March of £255-£265m, and a dividend increase of 15%, this is not an insignificant amount.

Consider what it would mean to your business to have approximately a quarter of your income wiped out by a data breach. While we don’t know the breakdown of where the £60 million has been spent, we have a good idea of the costs a data breach incurs.

Stay safe by understanding current threats and your organisation’s risk level, explore our Cyber Security Posture Assessment here >

Calculating the cost of a data breach

The following factors can all contribute to the overall cost of a data breach. Although the average total cost of a data breach has risen year on year (£2.37 million, based on the Ponemon Institute’s most recent benchmarking report, 2015 Cost of Data Breach Study: United Kingdom), where this money is spent, as a percentage of the overall total, has remained fairly stable.

  • Lost Customer Business: 43%* TalkTalk estimated they lost 101,000 customers following the October hack, but other estimates put this figure closer to 250,000.
  • Investigation and forensics: 16%*
  • Customer acquisition cost: 9%*
  • Inbound contact costs: 8%*
  • Outbound contact costs: 7%*
  • Audit and consulting services: 5%*
  • Public relations and communications costs: 3%*
  • Legal services – defence: 3%*
  • Legal services – compliance: 3%*
  • Free or discounted services: 2%*
  • Credit monitoring services: 1%*

Actual figures will naturally vary depending on the sector an organisation operates in, and the nature of the data breach. For example, ‘lost customer business’ will not be such a significant cost if the data breach only impacts on employee records. However, when looking at these figures CEOs should be aware that they may have higher risks and costs because of the sector they operate in. The table below shows the per capita cost by industry of those benchmarked organisations:

How to reduce the cost of data breaches

It’s not all doom and gloom. While another study by PwC – 2015 Information Security Breaches Survey – commissioned by HM Government, found that 9 out of 10 businesses in their survey had suffered some form of data breach; there are ways to reduce the cost to businesses. The Ponemon Institute study identified the following as factors that can reduce cost of a data breach:

  • Extensive use of encryption: up-to-date data protection methods protect both from malicious attacks and human error,
  • Incident response team: clear systems, procedures and key staff to deal with any data breach ensure that no time is lost addressing the breach and mitigating against it,
  • BCM involvement: awareness, training and planning for getting business critical systems back up and running in the event of an incident can reduce the costs associated with loss of business significantly,
  • Board-level involvement: sponsorship from the Board will ensure that cyber security and data protection procedures are embedded in the organisation,
  • Employee training: clear guidance and training on how to deal with a data breach, and how to recognise one (as well as prevention training), will result in a swifter and smoother response,
  • CISO appointed: fortunately for any Chief Information Security Officer reading this, your role is an important factor in preventing and reducing the risk and cost of data breaches,
  • Insurance protection: Data breach insurance naturally reduces the overall costs for the organisation, but may also be instrumental in putting better data breach planning in place so that incidents are managed effectively.

So although in all probability most businesses will experience a data security breach at some point, the risk can be managed and therefore the impact on your organisation reduced.

* Percentage of total cost for 2015, 2015 Cost of Data Breach Study: United Kingdom

GDPR Assessment and Data Discovery Service

Cloud Business is pleased to announce the launch of our new Data Privacy and Compliance Service powered by eSpyder.

We have been working with eSpyder for several years on a GDPR assessment and data discovery service to meet demand from our customer base. During this time we have been refining the service to help companies ultimately gain a competitive advantage through effective data privacy compliance.

GDPR Compliance Platform

Cloud Business and eSpyder’s GDPR Compliance Platform has been developed to support Data Processing Officers (DPOs) and ensure company compliance with GDPR regulations and global data privacy legislation.

Our service includes:

  • Data discovery & review
  • GDPR compliance assessment & implementation
  • Automated monthly data discovery & reporting

Our GDPR assessment and data discovery service also ensures your DPO can respond to Data Subject Access Requests (DSARs) quickly and easily, tracking progress and reducing the cost of compliance. Typically, when a DPO receives a DSAR it’s the IT team that needs to locate PII, which is why our service provides a solution both for DPOs, CTOs and IT Directors and Managers.

eSpyder is a system, platform and device agnostic solution that integrates into existing IT environments with no need for additional server infrastructure. It will scan PCs, laptops, data servers (cloud and on premise) regardless of location and get visibility to what data resides in each system or datastore.

Click here for further details about the service >

Or get in touch if you would like to discuss your IT environment in more detail.

Do you really know where your sensitive data (PII) resides?

Last month we ‘celebrated’ the anniversary of GDPR legislation becoming legally enforceable. 2 years on, a lot has happened. Some of which, as our guest blogger Tim Dunn explains below, may have distracted some organisations from gaining real visibility over their sensitive data and PII.

As you’ve probably heard before, GDPR compliance is a journey not a destination. There is no magic button that can be clicked to make your organisation 100% compliant. However, as Tim discusses below, going on that journey and taking the steps he outlines in the GDPR compliance maturity model, can deliver significant benefits over and above compliance.

Read on to find out more about these benefits and the steps to take to gain visibility of PII and your organisation’s sensitive data.

The General Data Protection Regulation (GDPR) came into force in May 2018. In the subsequent 2 years UK companies have not only had to ensure they are compliant with GDPR, but also prepare for Brexit and more recently adapt their businesses to working under Covid-19 restrictions. 

It’s fair to say that many organisations of all sizes were not ready to manage their obligations under GDPR by the May 25th 2018 deadline, and whilst most companies reviewed their data processing policies and business processes, there was still a huge challenge in terms of identifying where Personally Identifiable Information (PII) resided in their systems, which limited the effectiveness of the compliance measures they were trying to establish. Furthermore, a majority of companies still struggle to track and protect PII on an on-going basis.

Common barriers to gaining visibility of PII

One major barrier to gaining visibility of sensitive data is that there is a myriad of IT and business systems, each with its own individual data store. Also, many users transfer data to their local machines from secure corporate data stores, often with the best intentions of working efficiently offline or from remote locations such as their homes.

Another major challenge is that the Data Owners and Data Protection Officer (DPO) are typically business executives rather than IT. Whilst they are the people who need to ask questions of what Data is being held and where, for example in response to a Data Subject Access Request (DSAR), they are wholly reliant on IT staff to provide the results. This is costly and time-consuming for both the business stakeholders and the IT department. It also significantly hampers business agility, which has been crucial for companies in the current Covid-19 crisis where businesses had to develop new business practices to continue trading.  

GDPR compliance: 4 steps to maturity

Understanding with confidence where a company’s sensitive data is stored and who can access it is the foundation and starting point for an effective Data Protection capability. When adopting a maturity model such as the one below, you cannot progress beyond level 1 without completing the initial discovery and then implementing an ongoing tracking and search capability.

GDPR compliance maturity model

Once a company knows where their data resides and can ensure it is appropriately controlled and protected, they will gain significant business benefits beyond just GDPR compliance. 

  • It greatly reduces the costs associated with data protection and data management.
  • It saves time and limits the resources required to gain visibility and control over data.
  • It increases business agility through both the time savings and the reduction of risk in implementing new business models and services.
  • It improves customer service and brand reputation through rapid responsiveness to DSARs and demonstrable care and respect for customers’ data and privacy.

If you would like support understanding where your business’s sensitive data resides, please get in touch with our team.   

About Tim Dunn   

Tim has been in the software industry for the past 30 years, with the last 20 years spent specialising in the Cyber Security and Data Protection arena. He is a trusted advisor for many global organisations on Data Privacy and Cyber Security technologies.

As well as managing a number of successful start-ups, Tim also managed the UK for Baltimore Technologies, a major Security Software Vendor, and CA Technologies’ and BMC Software’s Security Businesses across EMEA.

In 2017, Tim co-founded eSpyder with Thomas Zell and Jason Coleman to support Data Processing Officers (DPOs) in their role of ensuring company compliance with the GDPR and regional data protection legislation.   

eSpyder has been designed from the ground up to provide DPOs with the tools to respond to Data Subject Access Requests (DSARs) quickly and easily. It also allows users to track progress in terms of DSAR processing and corporate data storage and retention. It is designed to be invisible and seamless for users, but fully configurable for administrators and GDPR consultants. eSpyder is able to rapidly identify Personal Identifiable Information across a customer’s estate, no matter if it is on servers or clients, visible or hidden, remote or on premise.

The Cloud Business’s GDPR Compliance Platform is based on the industry leading eSpyder Enterprise PII identification engine. 

A to Z of GDPR Data Subject Access Requests (DSARs)

Data Subject Access Requests (DSARs) are on the increase. Here’s an A to Z of what they are and how to respond to one.

A key component of the General Data Protection Regulation (GDPR) is the ‘Right of Access’. This is your right, and mine, to obtain a copy of all personal data a company or organisation processes and stores. Individuals have the right to obtain the following: 

  • Confirmation that you (a company or organisation) are processing their personal data,
  • A copy of their personal data, and 
  • Other supplementary information such as the purpose of your data processing (scroll down for a list of supplementary information). 

When an individual wants to request this information, it’s known as Data Subject Access Request or DSAR. You may also see it referred to as a SAR, dropping the ‘data’ although that’s the important bit! 

Why would an individual want to request their data? 

It’s helpful to understand why the right to access is part of GDPR and data privacy legislation, as this can help you explain to business leaders why they need to take DSARs seriously.  

GDPR and the Data Protection Act 2018 (the UK’s implementation of GDPR) update our data protection legislation for a digital age. It’s very difficult to live in a digital age without sharing your personal information and leaving a data trail wherever you go – both on and offline.

With so much PII (Personally Identifiable Information) in other people’s hands, it’s only right that individuals have a way to get visibility of what information organisations, businesses and government have on them, and get reassurance that it’s being protected appropriately.

Since GDPR came in force, awareness has increased amongst the general public too. The Cambridge Analytica scandal has also highlighted what some organisations are doing with this data, as well as other stories that have made the headlines such as the recent EasyJet data breach. As a result, DSARs are on the increase as individuals know what their rights are and are justifiably concerned about data privacy. We’re also seeing a spike in DSARs during the current crisis which could be because people have more time to initiate a subject access request. 

Individuals don’t need to give a reason to submit a DSAR. And the only questions an organisation may ask when a DSAR is submitted are to verify the individual’s identity or for information that will help locate the requested data. 

Download our guide on how to achieve effective data privacy compliance for more advice on GDPR and data discovery >

What do DSARs look like? 

There are no formal guidelines on how an individual instigates a DSAR. They can ask you verbally or in writing. Even if you have developed a DSAR process for individuals, they don’t have to adhere to it. Therefore, you could receive a DSAR via social media, email, messaging app, phone call or by letter. It doesn’t have to be sent to a specific person within the organisation either, such as your DPO. So, an individual could in theory make this request to a member of staff in a store, or your IT support team could receive a DSAR via a chatbot or as a support ticket. 

Companies must comply with a request without undue delay and at the latest within one month of receipt of the request; or (if later) within one month of receiving any information requested to confirm the subject’s identity, or (in exceptional circumstances) a fee. For this reason, it really is essential that all customer-facing staff understand what a DSAR is and who to escalate a request to, so it can be responded to within this strict timeframe.

Many companies include a form on their website for an individual to complete to submit a DSAR. This can make it easier for you to recognise a DSAR and for the individual to provide the information you need to identify their PII. Recital 59 of the GDPR recommends that organisations ‘provide means for requests to be made electronically, especially where personal data are processed by electronic means’. 

However, providing a form does not override the individual’s right to initiate a data subject access request by other means, and you must make it clear that completing the form is not compulsory or use it as a way to delay your response. 

Fees and Data Subject Access Requests 

In normal circumstances you cannot charge a fee for complying with a DSAR. However, if the request falls under one of these 2 conditions, a ‘reasonable’ fee to cover administrative costs can be charged:

  1. The DSAR is manifestly unfounded or excessive; or 
  2. An individual requests further copies of their data following a request. 

In these situations, the 1 month clock starts when you receive payment, although you must respond promptly to the initial request to inform the individual of the fee.

8 steps to comply with a DSAR 

The following graphic takes you through the steps from DSAR to handing over the information requested: 

respond to a data subject access request

Supplementary Information 

As well as a copy of their personal data, companies and organisations must also provide individuals with the following information: 

  • The purposes of your processing, 
  • The categories of personal data concerned, 
  • The recipients or categories of recipient you disclose the personal data to, 
  • Your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it, 
  • The existence of their right to request rectification, erasure or restriction or to object to such processing, 
  • The right to lodge a complaint with the ICO or another supervisory authority, 
  • Information about the source of the data, where it was not obtained directly from the individual, 
  • The existence of automated decision-making (including profiling), 
  • The safeguards you provide if you transfer personal data to a third country or international organisation. 

Much of this information may already be included in your privacy notice. 

Is your organisation in good shape to respond appropriately to DSARs? 

For many organisations a DSAR is more of a threat to business than the ICO’s much publicised fines for non-compliance.  

The cost of responding within one month to a DSAR can run into the tens of thousands of pounds if you’re not prepared. Data discovery, especially if you need the support of a consultancy firm, is expensive and time consuming – taking your IT team away from projects and support roles in the race to comply in the one month timeframe. 

There is also an alarming trend of DSARs being ‘weaponised’ by disgruntled employees to disrupt business, damage companies’ reputations and hit former employers in the pocket. Cases of employment lawyers advising their clients to initiate a DSAR are not unheard of.

Companies that have the tools and processes in place to respond to DSARs quickly and with the minimum of disruption, and cost, to normal business are at an advantage. No more so than in this challenging time where business as normal looks very different with many employees working remotely and handling PII from their own desktops and devices.  

For advice on achieving effective data privacy compliance, download our free guide below. If you want to discuss any of the subjects touched on in this article with reference to your own IT estate, please get in touch. 

Are your remote workers GDPR compliant?

Rapid deployment of remote working to address the Covid-19 crisis has resulted in many B2C businesses failing to meet their own GDPR policies and data protection practices. While the Information Commissioner’s Office (ICO) has stated that it

“won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period”

this extension won’t last forever. Companies need to ensure they know what data they hold and where it resides, on premise and remotely; the pandemic is not an excuse for non-compliance.

As DPOs and CIOs retro-fit GDPR tools to a remote environment, we asked Tim Dunn, CEO of eSpyder, for his insights into the current conditions. In the interview below he talks through the challenges of data privacy compliance with a remote workforce and how to ensure your business and your Personal Identifiable Information (PII) are protected.

To learn more about effective data privacy compliance and what’s required to achieve it, download our guide here >

Remote working and GDPR with Tim Dunn from eSpyder 

Q: What are the main implications of remote working for GDPR compliance? 

Tim Dunn: There are a number of challenges and implications associated with remote working, particularly in the current climate where these working practices have been implemented under extreme pressure and aggressive timescales. As a result, often the supporting business continuity policies and measures have been inadequate. 

A primary issue is that remote users are outside the boundaries of your internal IT infrastructure and therefore the internal security measures and systems that are in place to protect your employees and corporate data are no longer effective in controlling data access, storage and sharing. 

Also many users are resorting to using their personal PCs and laptops, which typically don’t have the necessary security and controls in place. Fundamentally, many companies are losing visibility and control over the access and storage of critical and sensitive corporate data. 

Now that the immediate goal of “keeping the lights on” has passed, there is a need to ensure that remote working has the same protections, visibility controls as traditional corporate data protection. This way of working will become “business as usual” from now on. 

Q: In your experience, how high on the agenda do you think GDPR was when organisations started rolling out remote working en masse in early March?

TD: It is fair to say it was immediately identified as a concern and business risk, but organisations typically continued in the knowledge that they would have to address this as soon as possible.  

Maybe the risk has been underestimated. Fraud and cyber crime have risen sharply during the crisis and personal information is a prime target for fraudsters. It’s a sad fact that fraudsters are often more agile in identifying vulnerabilities and exploiting them than companies are at resolving them. 

Certainly, it should now be priority number one for any organisation. 

Q: What percentage of B2C companies do you think had a remote working policy that included GDPR prior to lockdown?

TD: That’s difficult to quantify, but certainly a large majority of businesses had to move very quickly to move from office-based environments such as call centres to home-based workers providing the same business functions. Even where policies existed (which they often don’t), they were not necessarily implemented.

Q: A critical part of data privacy compliance is ensuring employees understand their responsibilities, do you think employees in general understand the implications of remote working and GDPR? 

TD: Understandably no. Many employees do not appreciate the risks and appropriate working practices. Training in protecting data has not been undertaken by many companies since national lockdowns started. This is compounded by the fact that fraudsters are very sophisticated and do understand how to exploit the deficiencies in business practices and the IT systems underpinning them. 

For advice on achieving effective data privacy compliance, download our free guide > 

Q: In your opinion has this changed over the last 10 weeks? Has awareness increased, are staff being given the tools to protect Personally Identifiable Information (PII) and sensitive data like a company’s IP? 

TD: The picture is mixed, though in general companies are behind the curve in terms of addressing effective data protection under remote working conditions. One of the main issues was that many companies didn’t know what personal information was held on employees’ machines before the crisis, so now that those machines are outside the protection of the corporate network, there was a potential immediate risk, which has grown as data is being accessed and stored remotely.

Q: Do personal devices present a bigger problem than corporate laptops and desktops? 

TD: Probably yes. Some companies support “bring your own device” (BYOD) and have policies and technology in place to protect the personal device. However, many companies are using both corporate machines and personal devices whilst at home and sharing data across both. This is typically against corporate policy, but not enforced effectively. 

Q: Is it just company PII that’s impacted by remote working, what about other data which employees may be storing on their personal devices? 

TD: There are various types of sensitive and commercially valuable data that may be at risk. For example, trade secrets, internally confidential communications and financial data. 

There are also other regulatory requirements such as the storage of Card Payment Data (PCI DSS) which need to be enforced. 

Q: We’ve heard of some organisations deploying monitoring software to track how employees use work laptops and devices to protect against misuse. Is this an option you would recommend? What about the employees’ right to privacy? 

TD: I think it is reasonable to protect company information and IT assets, indeed there is a regulatory duty to do so for data such as PII. If you allow people to use their own machines, then ensuring that sensitive data is protected on that machine is fair. Ring fencing a work area on the machine is one way to ensure boundaries of privacy. 

As much as possible, without compromising data protection, it is preferable to adopt a “Trust, but Verify” approach to monitoring data storage and sharing. At the end of the day though, the company is liable for any data breach and the associated penalties. These will be severe if the appropriate controls weren’t in place. 

Q: Have you seen any trends in terms of the kind of data that is being accessed remotely in a non-compliant way? Is this a problem for specific departments within a company? 

TD: It’s a little early to highlight trends, but sales, marketing, customer support and finance teams are all working from home and require access to sensitive data. Whilst many of the supporting business systems may be cloud-based, such as the CRM, Service Desk Solution or ERP, users are often exporting data locally to review and manage.

Q: It’s been reported that some companies are seeing an increase in DSARs during the pandemic because people have more time on their hands. Is this something you’ve witnessed?  

TD: We have seen an increase in DSARs. To be fair this is not only due to people having more time on their hands, but also because there has been more awareness of privacy issues. 

One interesting issue is ex-employees “weaponising” DSARs and requesting data from their ex-employers. In fact, there are a number of law firms who are using this as a strategy for disgruntled ex-workers taking action against their former employers. 

Q: Can you share some advice for handling a DSAR when users are working remotely? 

TD: The key to effective DSAR handling is to make the process agnostic to where the systems and datastores reside. This means that you should be able to scan PCs, Laptops, Data Servers (cloud and on premise) regardless of location and get visibility to what data resides in each system and store. 

Q: What additional tools should companies deploy to protect data in a remote working environment? 

TD: Solutions that ensure data can only be stored and accessed from the authorised system / datastore. Also ensure that data is encrypted both whilst stored (at rest) and when being accessed (in transit).

Most important is a solution that provides visibility of where all your sensitive data is stored and provides a clear view of your regulatory compliance status. 

Q: If a DPO or CIO is concerned that PII is not being handled compliantly, but because of remote working can’t identify where, what can they do to get visibility over the company’s data? 

TD: GDPR Data Discovery and Compliance Reporting Services can help. Not only do these identify where data is held and provide GDPR assessment and implementation, they can also reduce the cost of compliance significantly. 

For many companies the cost of handling DSARs is more damaging than the threat of a fine for an infringement. It can involve weeks, even months, of data discovery and consultancy services to respond to just one DSAR if you don’t have effective data privacy compliance in place. Services like Cloud Business’s GDPR Compliance Platform make it quick and easy to undertake DSARs and tighten up data protection regardless of whether users are on site or working remotely.” 

Cloud Business has partnered with eSpyder to support our customers with a GDPR Data Discovery and Compliance Reporting Service. For further information please contact your Account Manager or, for new customers, call 08456 808538 or email hello@cloudbusiness.com. 


About Tim Dunn 

Tim has been in the software industry for the past 30 years, with the last 20 years spent specialising in the Cyber Security and Data Protection arena. He is a trusted advisor for many global organisations on Data Privacy and Cyber Security technologies. 

As well as managing a number of successful start-ups, Tim also managed the UK for Baltimore Technologies, a major security software vendor, and CA Technologies and BMC Software’s security businesses across EMEA. 

In 2017, Tim co-founded eSpyder with Thomas Zell and Jason Coleman to support Data Processing Officers (DPOs) in their role of ensuring company compliance with the GDPR and regional data protection legislation.  

eSpyder has been designed from the ground up to provide DPOs with the tools to respond to Data Subject Access Requests (DSARs) quickly and easily. It also allows users to track progress of DSAR processing and of corporate data storage and retention. It is designed to be invisible and seamless for users but fully configurable for administrators and GDPR consultants, and it is able to rapidly identify Personally Identifiable Information across a customer’s estate, whether on servers or clients, visible or hidden, remote or on premise. 

Cloud Business’s GDPR Compliance Platform is based on the industry-leading eSpyder Enterprise PII identification engine. 


BYOD risks, and how to mitigate against them

Bring Your Own Device (BYOD) is a relatively recent trend (c. 2009) in behaviour where employees use their own mobiles, iPads, and laptops at work, for work. The drivers for BYOD are often to do with convenience but also because the technology individuals own is often more advanced than the hardware your average IT department would deploy. Many IT departments struggle to keep right up to date with every aspect of the latest technology, and an ever-increasing number of people (e.g. millennials) are now more likely to be IT ‘self-sufficient’. 

While in some industries BYOD has been common practice for some time, in others it’s only just gaining traction. This is causing business leaders, information security professionals and IT support a few sleepless nights. While there are clear benefits for promoting BYOD working for most companies and organisations, there are also risks that can have serious implications for IT security, data protection and compliance.

Benefits of BYOD

There are plenty of upsides to BYOD. It can bring employees increased satisfaction through better and easier access to corporate data, emails, and grant the flexibility they need to use the Cloud to get work done; particularly when working remotely.

Likewise, for an employer, BYOD can bring a subsequent increase in productivity, as well as reduced hardware costs, licensing fees and the resource needed for carrying out maintenance. 

However, it could be argued that the sheer number of downsides relating to BYOD mean that your business or organisation could be allowing additional risk factors into your corporate infrastructure.

What are the biggest risks of BYOD?

Here, we look at the key risks organisations should be aware of when it comes to BYOD:

1) No BYOD policy exists

Perhaps the biggest risk factor of all. All organisations should have a BYOD policy in place to protect themselves against being exposed to an attack through, for example, a virus or a hacker, either of which could lead to financial or legislative penalties and reputational damage. An effective BYOD strategy will enable your IT department to secure both the devices and the data.

2) Complex security issues

Security issues will often clash with the overall convenience BYOD can bring. These include:

  • Data loss through physical loss or theft of the device, or through ‘cross contamination’, where corporate data may be accidentally deleted due to the fact it can be so intertwined with the user’s personal data.
  • Data leakage through the device not being adequately secured
  • Local exposure – where data being transmitted is not subject to the right controls
  • Public exposure – unacceptable use of a personal device by a family or friend, or a vulnerability through public Wi-Fi usage and connecting to personal networks – including the use of Bluetooth.
  • Malicious and rogue apps – downloaded to a personal device and not pre-approved / controlled by IT to protect the user.
  • An increased vulnerability to insider attacks due to the inherent use of an organisation’s local area network.

3) Definite privacy issues

Because employees’ BYOD devices will naturally be accessing a number of different platforms, servers and networks during the course of a working week, their employer may also have a legal right to access those devices.

It can all seem a bit ‘Big Brother’ when you start to realise that your organisation has the potential ability to read private emails, messages, and access other personal data. There’s a fine line, though most experts agree that employers aren’t really interested in individuals’ personal lives; they just want to ensure that company data and systems are effectively secured.

How do you counteract the risks caused by BYOD?

The ideal scenario for both employees and the organisation is that your IT department has secured all organisational and employee-owned devices appropriately, that mobile applications have the right controls applied, and that corporate and personal data is not subject to leakage or security threats.

Underpinning this is the presence of: 

  • A comprehensive BYOD policy, including pairing solutions which work well together in tandem, such as Next Generation Network Access Control (NAC) and Mobile Device Management (MDM)
  • Your IT capability extending to 24/7 monitoring to identify potential threats – with the ability to respond to any incidents ‘intelligently’ through disaster recovery and back-up procedures
  • IT solutions which embody rules which are practical, yet not too intrusive. This could include the ability to remotely wipe data, or device tracing (e.g. in case of theft or loss)
  • An effective Data Loss Prevention (DLP) strategy which is built with effective rules to ensure that commercially sensitive data is not sent outside of the internal network
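The two controls that recur on this page, the location-agnostic data discovery scan described in the interview above (scanning PCs, laptops and servers to see where sensitive data resides) and the DLP rule in the last bullet (stopping sensitive data leaving the internal network), both rest on the same primitive: recognising PII in content. The script below is an added example, not code from Cloud Business or eSpyder, and it shows a minimal version of that primitive in Python. It assumes three PII types (email address, UK National Insurance number, payment card number checked with Luhn), a simplified NI pattern that ignores HMRC’s excluded prefixes, a constructed sample datastore written into a temporary directory, and an assumed internal domain `cloudbusiness.example`; all sample values are constructed.

```python
"""PII discovery scan plus a DLP-style outbound check (added example, not the
page's or eSpyder's code). Patterns, paths and sample data are assumptions."""
import re
import tempfile
from collections import Counter
from pathlib import Path

# Three PII types. The NI pattern follows the published two-letter, six-digit,
# suffix A-D layout but is simplified (excluded prefixes such as BG or GB are
# not rejected). The card pattern accepts 14-19 digits with optional separators
# and is confirmed with a Luhn check to cut false positives on order numbers.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b", re.I),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,18}\d\b"),
}


def luhn_ok(digits: str) -> bool:
    """Return True when a digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> Counter:
    """Count matches of each PII type in a block of text."""
    hits = Counter()
    for name, pattern in PII_PATTERNS.items():
        for m in pattern.finditer(text):
            if name == "card_number" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue  # digits that fail Luhn are treated as a non-card number
            hits[name] += 1
    return hits


def scan_datastore(root: Path, suffixes=(".txt", ".csv", ".log")) -> dict:
    """Walk any mounted datastore (local disk, file server share, synced cloud
    folder) and report which files hold which PII types. The scan only depends
    on the path being reachable, not on where the data physically lives."""
    report = {}
    for path in sorted(root.rglob("*")):
        if not (path.is_file() and path.suffix.lower() in suffixes):
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skipped, not a scan failure
        hits = find_pii(text)
        if hits:
            report[path.relative_to(root).as_posix()] = dict(hits)
    return report


def dlp_allow_outbound(message: str, recipient: str, internal_domain: str) -> tuple:
    """DLP rule: allow internal recipients; block external recipients when the
    message body carries any detected PII. Returns (allowed, reason)."""
    if recipient.lower().endswith("@" + internal_domain.lower()):
        return True, "internal recipient"
    hits = find_pii(message)
    if hits:
        return False, "external recipient with PII: " + ", ".join(sorted(hits))
    return True, "no PII detected"


def build_sample_datastore() -> Path:
    """Create a constructed sample datastore in a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="pii_demo_"))
    (root / "finance").mkdir()
    (root / "sales").mkdir()
    # Constructed payroll export: one NI number and one email address.
    (root / "finance" / "payroll.csv").write_text(
        "name,ni_number,email\nSample Person,AB123456C,sample.person@example.com\n",
        encoding="utf-8")
    # Constructed CRM export: a Luhn-valid test card plus a 16-digit order ref
    # that fails Luhn and so must not be reported as a card.
    (root / "sales" / "export.txt").write_text(
        "Card on file: 4111 1111 1111 1111 (test number)\nOrder ref: 1234567890123456\n",
        encoding="utf-8")
    (root / "sales" / "notes.txt").write_text("Nothing sensitive here.\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    for location, hits in scan_datastore(build_sample_datastore()).items():
        print(f"{location}: {hits}")
    print(dlp_allow_outbound("Please process AB123456C", "x@partner.example", "cloudbusiness.example"))
```

Running the script lists `finance/payroll.csv` (email and NI number) and `sales/export.txt` (one card number) and blocks the outbound message; the order reference in `export.txt` is silently dropped because it fails Luhn. A production discovery tool would add document formats beyond plain text, a configurable pattern library and a compliance-status roll-up, but the decision logic is the same.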

Occasionally, you may come across a ‘rogue’ employee, who either pays no mind to general policies and conduct rules or just thinks that they simply know better. Effective internal training to upskill and educate staff on topics such as data security, identity fraud and cybercrime can work wonders in turning behaviours like this around.

Successfully mitigating BYOD risks means that your workforce will ultimately benefit from increased working mobility and flexibility, and your business need not fear its IT security being compromised via BYOD.

To find out more about how we’ve supported clients with their BYOD policies, read our case study on Dutton Gregory. This solicitors firm needed to give their partners and staff the ability to work remotely from different sites, but also balance compliance regulations and their clients’ concerns over data protection. We enabled them to get the benefits of a more mobile workforce and BYOD, without compromising sensitive data. Read our case study here.


What is ISO 27001 and why should you get certified?

ISO 27001 is a framework for managing IT security. Whilst it doesn’t sound exciting, ISO 27001, known under its full title as ISO/IEC 27001:2013, is the standard for an information security management system (ISMS) that helps keep consumer data safe in the private and public sector.

ISO 27001 has been around a while, superseding the original ISMS compliance framework that came into effect in 2005. This was updated in 2013, to reflect the changing nature of IT security and new threats against organisations and consumers.

Background to ISO 27001

Protecting data, passwords and computer services is more important than ever, with everything from banking to vital infrastructure connected to the internet and vulnerable to cyber attacks. Over the last few years, attacks have increased in complexity and frequency, exposing millions of people and businesses to security breaches, theft and fraud.

ISO 27001:2013 was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.” It was established, implemented and monitored jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), under a joint subcommittee.

Despite ISO 27001 focusing on information security, it is a platform- and technology-neutral framework, designed around how organisations manage IT risks and systems.

There are seven areas that companies need to manage, to achieve ISO 27001 compliance.

  1. Context of an organisation

ISO 27001 does not take place in isolation. Start with internal considerations: your organisation’s mission, values, products/services, sector, financial and human resources. Think about stakeholders, internal capabilities, culture, contracts, and then consider how external conditions, trends and customers could impact what you hope to achieve when designing an information security system.

With a 360-degree view of the organisation in place, you can determine an ISMS scope document, the boundaries of these policies (including considering the impact of the bring your own device – BYOD – trend) and write ISMS policies following ISO 27001 standards.

  2. Leadership

Organisations need to show they are committed to ISO 27001 from the top down. Policies need to be established and become an integral part of how IT is managed, with a security policy communicated to the whole team. This needs to support security objectives, with clear management responsibility for these policies.

  3. Planning

Planning for ISO 27001 involves assessing risks and opportunities that could impact IT security, both internally and externally. Risk assessments should be conducted: identifying, analysing, evaluating and prioritising the threats to an organisation. Once risks have been identified, a treatment process is required, to ensure you can handle threats if/when they strike.

  4. Support

ISO 27001 needs resources for successful implementation. Budgets need to be allocated and staff fully trained and competent when it comes to delivering within the framework of the security objectives and policies. These should always be in line with the threats facing an organisation. Small businesses don’t have the same risk matrix as large government departments: design your security policies according to your internal and external threats.

  5. Operational planning & processes

Successful implementation of ISO 27001 involves embedding operational processes within an organisation. This involves risk assessments, treatment plans and documenting the results of security policies.

  6. Evaluation process

Effective information security involves constant monitoring, measuring, analysing and evaluating the impact of IT policies. To achieve ISO certification, this should include audits and reviews at planned intervals.

  7. Improvements

Even companies with ISO certification will encounter situations where they fail to meet standards. When this happens, they need to assess what went wrong and how to take corrective actions. This may mean going back to the policies, resources and monitoring systems to ensure corrective action isn’t needed in the future.

Why get accredited?

Not only is ISO 27001 compliance valuable for large organisations and the public sector, but when dealing with third-party suppliers, such as IT companies, these standards mean your customers’ data is safe in their hands. This establishes a higher trust rating between organisations of different sizes since IT infrastructure will carry the same security requirements, making it easier to transfer and store sensitive information.

Innovation

Accreditation can also help you innovate. We helped Experian Data Quality achieve ISO 27001 so the company could expand its product range. Accreditation is a vital part of product development for its leading international address management software. Learn more here >

Differentiation

ISO 27001 is helping other organisations compete and differentiate in the marketplace. Leading specialist recruitment and human resources service provider, Reed Managed Services, wanted to demonstrate to their clients, employees and temporaries that they take IT data seriously and manage it using international best practice. When they achieved ISO 27001 with our help, they were the only recruitment company to have the accreditation. Read the case study here >

Win more business

Businesses and organisations that want to work with government departments and agencies, increasingly find that ISO 27001 is a standard requirement for doing business. Our customer Mouchel, a consulting and business services group, needed to achieve ISO 27001 in order to pick up government infrastructure projects. Find out how we helped them with rapid certification here >

Typically achieving ISO 27001 takes up to 18 months but we’ve helped organisations get accredited much faster. Experian Data Quality were accredited in a record 3 months.

“Within just 60 days of consultancy, we passed the BSI inspection first time. I believe that this was achieved so quickly because Cloud Business committed 50% of its time to gain a complete understanding of how our business worked.”

Warwick Taylor, Experian Data Quality IT Manager

If you would like to find out more about how we can help you achieve ISO 27001 please get in touch. Book a discovery call below or contact us here >


Cloud Business Limited
8 North Street
Guildford
GU1 4AF


2023 © Cloud Business Limited
Registered Company in England and Wales 06798438