After 4 years of preparation the EU Parliament has finally approved the GDPR. This directive harmonises all the data protection laws across Europe and comes into effect from 25th May 2018. Heavy fines can be expected for non-compliance.

What about Brexit?
If you sell goods or services to other EU members and hold data about individuals in those countries, then you will have to comply with the new regulations. Even if you only sell within the UK, it is expected that our regulations will follow the GDPR to maintain access to the EU digital market. Some adjustments may be made once we leave the EU, but the fundamental guidance is expected to remain.

What are the implications?
Organisations in breach of the regulations can be fined up to a maximum of 4% of annual global turnover or 20 Million Euros (whichever is the greater). The regulations apply to both controllers and processors.

If your organisation holds personal information, you will be responsible for:
  • Identifying where the data is held
  • Managing the risks that could lead to a data breach
  • Maintaining and monitoring security
  • Implementing a robust Information Security Management System (ISMS)
Key points
There is an entire website dedicated to the new regulation and a link is provided at the bottom of this article if you need to find out more. For now, we are simply going to focus on what your business can do to help you comply with the new regulation.

The aim of GDPR is to protect all EU citizens from privacy and data breaches. The personal data it covers is defined as “Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”

Conditions for consent
“Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data - in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.”

*Taken directly from the GDPR website (link below).

The website provides detailed information about the implications of not collecting or storing data in the correct way, but does not give much guidance on how to go about preventing a data breach.

A good starting point would be to gain ISO 27001 certification. This international management standard provides a framework for your organisation to identify the risks, implement management systems and continually monitor your procedures to minimise the impact of a security breach.

ISO 27001 certification and GDPR
This international standard covers the security and protection of data and how it is used. Loss or damage could be caused by natural disasters such as fire or flood, accidental loss or mismanagement, corrupted or stolen data. The effects of any of these losses can have catastrophic consequences for organisations.

By integrating an Information Security Management System into your organisation, you will manage the risks and minimise the effect of an incident.

This proven framework will provide the management system needed to help you comply with the new GDPR.

GDPR Website: www.eugdpr.org

Further information is also available from:
UK Information Commissioner’s Office ico.org.uk

The government is aiming to make the UK “the safest place in the world for young people to go online” (https://www.gov.uk/government/news/government-launches-major-new-drive-on-internet-safety).

This is the latest of a long list of government initiatives put in place recently to combat cybercrime against the general public and businesses.

A recent report from the British Chambers of Commerce found that even though one in five businesses had been attacked in the last year, only 24% had security measures in place.

ISO 27001
The ISO 27001 information security management system provides businesses with a framework to identify, cope with and recover from a cyber-attack.

By implementing a companywide management process and recovery strategy, ISO 27001 goes further than other solutions such as Cyber Essentials to help your organisation combat cybercrime.

Cyber Essentials is a government initiative set up to help businesses protect themselves against cyber criminals. Achieving the badge will help to identify risks to your business and protect your organisation from common cyber threats.

However, Cyber Essentials is not a replacement for ISO 27001 but can be used to complement your security management system. For example, if you are bidding for government contracts, Cyber Essentials is a mandatory requirement for some ICT products and services.

Achieving ISO 27001 certification gives you a solid foundation and makes getting a Cyber Essentials badge more straightforward.

ISO 27001 re-release 2017
Though the actual content of the standard has not changed, there has been a recent update to reflect the new EN status.

BS EN ISO 27001:2017 has now been ratified by each of the 34 CEN-CENELEC member countries.

If you already have ISO 27001 certification, this will not change any of your current management systems for the time being. Updates will be published in the future and we will keep you advised if anything changes.
A 17-year-old from Norwich recently pleaded guilty to seven hacking offences relating to data breaches suffered by the communications giant TalkTalk.

The cyber-attack cost the company £42 million and it was fined £400,000 for security failings which enabled the teenager to access customers’ data “with ease”.

These breaches are becoming more frequent and with this in mind, the government has recently announced a new 5 year plan to tackle the problem. The government will pump £1.9 billion into a scheme to help fight cyber-crime and develop a world class cyber security industry and workforce.

Part of the strategy is to ensure organisations have the necessary processes in place to help prevent cyber-attacks.

National Cyber Security Strategy 2016 to 2021
Chancellor of the Exchequer, Philip Hammond said:
“Britain is already an acknowledged global leader in cyber security thanks to our investment of over £860 million in the last Parliament, but we must now keep up with the scale and pace of the threats we face. Our new strategy, underpinned by £1.9 billion of support over 5 years and excellent partnerships with industry and academia, will allow us to take even greater steps to defend ourselves in cyberspace and to strike back when we are attacked.”

Protect your business with ISO 27001
It is not only large corporations that are under attack; small and medium sized organisations are also being targeted and reporting a rise in cyber-attacks on their businesses.

One way of ensuring that your management team and employees are working to effective processes for minimising the risk of a cyber breach is to achieve ISO 27001 certification. The standard is internationally recognised and establishes processes for identifying data at risk, assessing threats and putting in place systems, controls and procedures to minimise the risk.

ISO 27001 will provide a strategic plan for your business that will ensure you and your workforce are capable and ready to deal with a cyber threat.

ISO 27001 certification will also demonstrate to your customers that you have implemented controls and procedures that will help to maintain continuity of supply and security of their data. In some cases, it may be a requirement when tendering for business, particularly in the public sector.

Find out more about what is involved in achieving ISO 27001 by talking to one of our experienced advisors.
The growth in online business is benefitting companies throughout the UK, but there are risks involved with this continuing expansion.

UK businesses of all sizes are vulnerable to hacker attacks that aim to steal data that can be sold on the open market to fraudsters. Hacking can also disrupt business operations and systems, which can have a devastating impact. The time and resources needed to recover from a breach, loss of data and damage to a company’s reputation can run into the millions of pounds.

However, it is not just large organisations that are at risk; figures indicate that 74% of small businesses have suffered a cyber breach (figures reported in 2014/2015).

How can ISO 27001 protect my business?

Risks can come from a variety of sources including:
  • Employees, through deliberate acts or accidents caused by a lack of understanding
  • Hacker attacks on computers and servers
  • Phishing via emails
  • Loss of hardware, such as laptops or removable media that get into the wrong hands
  • Home and mobile working, leading to a reduction in security levels
  • Malware infection
Any one of the above risks could cripple an organisation and lead to an expensive and time consuming recovery.

Certification to ISO 27001 provides an effective information security management system (ISMS) that can be implemented throughout the organisation.

An effective ISMS will identify potential risks and establish management processes that will help to eliminate, or minimise the effect of, an incident when it occurs.

A disaster recovery plan is established to ensure organisations can get back to “business as usual” as quickly as possible following a breach.

Continuous monitoring and improvement of the system is carried out through annual audits to maintain your ISO 27001 certification. This will identify any new threats or gaps in procedures, to help you maintain a high level of protection.

For more information call one of our team to discuss how ISO 27001 can benefit your organisation.
 
One of the risks facing businesses in 2016 is the increase in cyber crime.

The ISO 27001 international standard provides an effective information security management system (ISMS) focused on identifying areas of risk and developing a system for managing and minimising those risks.

Areas at risk include:
  • Computer hardware and systems
  • Data stored locally and off site
  • Intellectual property
  • Employees’ personal details
  • Data and equipment belonging to contractors
  • Suppliers’ assets
  • Customer information
Threats come from a variety of sources including natural disasters, hacker attacks, computer viruses and the consequences of stolen information.

As a result of an incident, an organisation could not only be faced with the costs of putting right the damage and coping with the effects on the business, but could face legal implications connected with the breach.

Costs can run to millions of pounds and with cyber attacks and unpredictable weather conditions increasing, it is more important than ever to manage the risks to your business.

How will ISO 27001 protect my business?
The first stage is to appoint an experienced ISO 27001 consultant who will help you to set up an effective management system tailored to your business. They will identify the risks to your business and develop a process to manage those risks, together with an ongoing system of monitoring and continual improvement.

Working with members of your team, your appointed consultant will apply industry best practice and their experience to provide a workable system that will:
  • Review current procedures
  • Identify risks
  • Assess threats to assets
  • Highlight gaps and areas for improvement
  • Establish a system of management and control
  • Provide processes and procedures
  • Continually improve the system with audits and reviews
ISO 27001 Certification
Once you are satisfied that your ISMS is established in line with the requirements of ISO 27001, you will be ready for auditing by an independent accredited certification body. In the UK, you should check they are UKAS accredited.

For more information contact one of our team.
Companies continue to be vulnerable to hackers with the latest cyber attack affecting TalkTalk. This follows a number of other high profile incidents in 2015.

Breaches like these are not limited to large companies; small businesses are just as vulnerable. The latest report from the Department for Business Innovation and Skills, the “2014 Information Security Breaches Survey”, found that although security breaches were slightly down from 2013, the overall cost of dealing with incidents was up:
  • 81% of large organisations had a security breach (down from 86%* a year ago)
  • 60% of small businesses had a security breach (down from 64%* a year ago)
  • £65k - £115k is the average cost to a small business of its worst security breach of the year (up from £35k - £65k a year ago)

Full survey available from https://www.gov.uk/government/uploads

ISO 27001 Information Security Management System (ISMS)
Every business should be taking precautions and assessing the risks of cyber crime by putting in place a written security policy.

The ISO 27001 information security standard is one way of protecting your business from future attacks. Certification will introduce a management structure to identify risks to your business. It will also establish a plan to recover from a breach should the worst happen.

Taking precautions to prevent a breach before it happens is more cost effective than recovering from an incident given the fact that costs for dealing with events are continuing to increase.

Direct costs to get your business back on track after a breach are not the only implications. Reputation with clients, compensation pay outs and, as in the case of TalkTalk, a drop in their share value, could have a devastating effect on the future of a business.

Certification provides peace of mind and demonstrates your company’s commitment to security of information.

 
Certification to any of the ISO standards provides tangible benefits for your organisation. If you want to grow your business, increase profits and operate more efficient working practices, achieving certification will help, as well as giving you an edge over your competitors.

Whether you operate locally or globally, the standards are recognised worldwide and are relevant to all sizes of business.

Other benefits include:
  • Improved internal processes and efficiency
  • Reduced waste resulting in environmental benefits and cost savings
  • Increased sales
  • Better access to new markets
  • Industry expert consultants providing guidance

Next steps

When choosing a certification body, check that they are UKAS accredited. UKAS has government recognition and is licensed by the Department for Business Innovation and Skills (BIS). You can be sure to receive the most appropriate advice by choosing a UKAS accredited certification body. Your long-term success could be undermined if you use an independent evaluation service.

Continual improvement

After successfully completing your first audit, your assessor will set up a process to monitor and improve systems and arrange regular (six monthly or annual) surveillance visits.

These visits will ensure your management systems remain effective and continue to meet the standard.
Ongoing checks will help to maintain your conformity and make your next certification renewal assessment run as smoothly as possible.

To find out more call ACS Registrars (a UKAS Accredited Certification Body - No. 0229).

 
This is not the first time we have written about the vulnerability of businesses to cyber-attacks, and the latest government survey does nothing to allay those fears. Though the statistics show that incidents of cyber-crime have reduced slightly, the costs of dealing with these breaches have almost doubled.

The following statement has been taken from the 2010 to 2015 government policy paper published 7th May 2015.

“81% of large corporations and 60% of small businesses reported a cyber-breach in 2014.
With the cost for the worst cyber-security breach estimated between £600,000 to £1.15 million for large businesses and £65,000 to £115,000 for smaller ones, the government must look at new ways to protect businesses and make the UK more resilient to cyber-attacks and crime.”

Businesses affected by cyber crime
There have been some high profile cases:

eBay
Hackers managed to access an eBay corporate account to gather users’ personal information.

JP Morgan Chase
A neglected server provided access to contact details for its account-holding customers.

Home Depot
Payment systems were infected with malware that allowed hackers to steal credit card details.

Employees’ responsibility
It is not just about server access; employees are much more mobile these days and carry around company information on laptops and mobile phones. Data is stored on removable media which can be copied or lost.
Malware can infect company computers and mobile phones. To protect against these risks, you will need to establish policies to ensure employees know what they should and shouldn’t do.

ISO 27001 information security management system
There are numerous ways an organisation can protect against cyber-crime. Choosing an internationally recognised standard that provides an auditable method of monitoring, protecting and managing information is one option.
Achieving ISO 27001 certification provides a framework of policies and procedures that will help prevent a security breach and limit the impact of a cyber-attack.

Using experienced consultants, you will be guided through the process, identifying any risks and tailoring the management process to your individual requirements. This will help to keep costs and disruption to a minimum should an incident occur.

Other benefits include:
  • Customers and business partners will have more confidence in your ability to keep their information safe.
  • Continuity of supply following an attack.
  • More reliable systems for storage of information.

ISO 27001 provides for a regular auditing procedure so you can continually improve your processes and keep up to date with the latest security measures to stay one step ahead of the criminals.

 

According to the FSB (Federation of Small Businesses, The Voice July/August 2014), a smaller number of businesses are experiencing information security breaches and cyber attacks than a year ago.


This sounds like good news but the downside is that the cost of dealing with incidents has increased significantly (research carried out by PricewaterhouseCoopers).


In 2012, the average cost of the worst security breach businesses experienced was between £35,000 and £65,000, and in 2013 it was between £65,000 and £115,000. These amounts are significant enough to severely damage your business.


Think about all of the data that your organisation stores on digital devices; client and employee information, business critical data, accounting records.


Prevention is always better than cure and one way to mitigate the risks of cyber crime is to have a robust system of management in place. This will not only minimise the chances of a breach but will also reduce its impact on the business, should an attack get through your defences.


It’s not just the cost of rectification that can damage your company; recent high profile cases have shown that a company’s reputation is also at stake.


Information Security Management System (ISMS)
ISO 27001 certification provides an auditable management process to international standards and provides a structure to help you improve the security of your information.


The management process you implement will provide a “best practice” system that will help you to identify the risks and maintain the necessary controls to minimise or eliminate the possibility of a security breach.


ISO 27001 certification will demonstrate that your company’s security management system has been independently assessed and verified.


Benefits of ISO 27001 certification include:
  • An internationally endorsed best practice framework to manage cyber threats and attacks
  • Supplier and customer confidence in your security systems
  • Reduced costs if a breach does occur
  • Protection of your company’s reputation
  • A plan to limit data loss and return business systems to normal


ISO 27001 auditors
You should always use a trusted certification body, which is UKAS accredited.


This is a specialist area and you will need an experienced auditor to work with your team to provide a system that will work for your particular information protection requirements.


Ideally they will have experience of your particular industry sector and can use their knowledge of best practice to provide the best possible system.