Viewing archives for Data

13 key steps to cyber security for non-technical Board members

Cyber attacks can be complicated, but in our experience over many years, most are REALLY SIMPLE and EXPLOIT BASIC WEAKNESSES.

In the vast majority of cases, simple steps can make you safe, or minimise disruption in the event of an attack. But, normally, these decisions are taken by technicians and the Board are not able to effectively challenge or lead.

Here is a simple list of 13 questions and answers to allow non-technical Board members to stop hoping for good luck!

  1. How do we get security risks and issues under control?
    Every substantial business should maintain a list of risks and issues, with some analysis of the options and mitigations. Each risk or issue should be owned by someone around the Board table who has the expertise, time and ability to manage it. This document should be reviewed by the Board at least annually. The list and the open discussion drive sensible, productive decision-making and avoid a culture of sweeping issues under the carpet. This approach prevents overspending in the wrong areas – it’s all about “proportionate response”.
  2. What kind of insurance do we need?
    Unfortunately, not all Cyber Insurance is created equal and you need to take care to select an appropriate policy and provider. Check the exclusions on the policy and ensure a member of your Board understands the cover. Cyber Insurance may not give you back money that’s stolen from you – that generally requires Criminal Insurance. Check your IT is compliant with your policy conditions – the devil is always in the detail, and your IT team or supplier need to know what they have to do to maintain compliance. Finally, are your suppliers’ contracts clear about their liability, and are they appropriately insured?
  3. How do I get staff to take security seriously?
    Security systems can be bypassed by canny criminals because they know where the weak link is … it’s your people. Create a “security culture”, where taking this stuff seriously is encouraged. Ensure you and the Board demonstrate good practice – for example, if you write your passwords on post-its then you should fully expect your staff to do the same… and one day you will probably be hacked as a result. Many hackers exploit helpful staff who simply hand over money! Sound financial processes, clear controls, good education and ongoing training are all vital to security. Remind people to “think before you click”!
  4. How do we keep data secure?
    Access to systems and data should only be given to those who need it. This is known as a least-privilege policy. For example, when a person is given access to a system, the default should ensure that person has no rights to anything. Then privileges should be granted according to what that person needs to do in the system, building up to include only the data and processes they require. If you don’t follow a least-privilege approach, then you are really exposed to cyberattack, to fraud and to errors. When users’ roles change, their access should be reduced if their job doesn’t require it anymore (and their access removed altogether when they leave!).
  5. What are firewalls?
    Start by ensuring your office has sensible physical security. Then make sure the equivalent measures are in place for your systems – these are your firewalls. Knowledgeable and trusted experts who understand the complexities of system and firewall management need to configure this equipment and to keep it up to date. Specifically ask them whether they have minimised points of access (ports) and are using secure ports for email and web access rather than standard ports.
  6. Why is it important to keep security up to date?
    This should be so simple, but most hacks exploit the fact that many companies fall behind. All computers should use up-to-date operating systems that are properly patched, together with up-to-date anti-virus and anti-malware systems. However, these systems only work well when they know what they’re up against. Newer protection systems coming on the market look for programmes acting suspiciously and will automatically shut down the programme before it has had time to cause mayhem. These systems provide protection against new attacks (often called “Zero Day”) because they spot the bad behaviour of an application rather than recognising the malware itself.
  7. What is data encryption?
    To protect your data, it should be encrypted and only accessible to those with the approved rights to look at it. Where you have customer data, particularly user accounts and passwords, ask your IT team whether the data is “hashed and salted”, which will make it very secure and difficult to break even if your systems are breached. It is unforgivable nowadays to be holding personal or confidential data unencrypted (known as “clear or plain text”).
  8. How should we backup our data?
    Your data and systems should also be well backed up and the backup must be stored off-site, preferably with no connection to your live systems (known as an “airgap”). Ensure the backups include multiple versions of the same document in case corruption or malicious encryption took place at some point in the past. Having a decent data backup can be the difference between having a business post-disaster and not.
  9. What is a penetration test?
    A penetration test is an assessment by an expert company of your website and network to find weaknesses. This is essential if your website includes custom software or any kind of ecommerce services. Poor technical practices can result in custom software being full of holes, and these are well documented in a standard list known as the OWASP Top 10. This list covers the standard vulnerabilities that almost all hackers focus on – ensure your penetration test includes checks against the OWASP Top 10. Simple!
  10. Practical but secure password rules.
    Many hackers don’t have to be clever because users make it easy by choosing “password123” – hackers automate attacks testing thousands of obvious passwords until they get lucky! Users must take passwords seriously: choose long passwords that are hard to guess, use different passwords for different systems, and don’t share them. Software can be used to store passwords securely, but if people must write down details then these must be locked away. Make sure your systems are configured to enforce good password discipline and to lock out users after repeated failed attempts. Sensitive systems should be protected by two pieces of information, not just a password (this is called “2 factor” or “multi-factor” authentication).
  11. Sensible Cyber Attack crisis plans.
    Establish how you will handle a crisis in advance. Who’s in charge if you are attacked by ransomware and decisions need to be taken on the spot? GDPR makes specific requirements about notifying the ICO if you suffer a security breach – who is responsible for making this happen? Failure to do so will result in a fine.
  12. Why does security certification matter?
    Certification will give a focus and purpose to your efforts to improve security. A good place to start is Cyber Essentials Plus certification. This will provide you with a government standard accreditation that directly demonstrates to you, your company and your customers that you take security seriously and that you’re working to ensure their data is held securely and your systems are well managed. We know of clients that have won new customers simply because they stood out from the competition by having Cyber Essentials Plus accreditation. If your business is complex or has specific security requirements then ISO27001 provides you with a means to go further and embed a “security culture”.
  13. Who should be in charge of Cyber Security?
    Someone around the Board table who has the time, expertise and right commercial attitude! This person needs to start by getting clear on what you’ve got – who are the users, 3rd parties and suppliers who access your systems? List your equipment, networks, software etc. What are the crown jewels that really matter, and are they properly protected? If you want a high-class CIO, CTO or IT Director on your side and sitting around your Board table … then that’s where we come in!
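
Items 7 and 10 above ask for “hashed and salted” password storage and lockout after repeated failed attempts. The following is an added example (not code from the original briefing) showing what both look like in practice; the iteration count, lockout threshold and user names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Added example, not from the original briefing: "hashed and salted" password
# storage (item 7) and lockout after repeated failures (item 10).
# The iteration count and lockout threshold below are assumptions.
PBKDF2_ITERATIONS = 100_000   # kept low so the example runs quickly; in production
                              # follow current guidance (OWASP: 600,000 for PBKDF2-SHA256)
MAX_FAILED_ATTEMPTS = 5
_DUMMY_SALT = b"\x00" * 16    # lets unknown usernames cost the same time as real ones


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password get different stored values, so a stolen table cannot be
    attacked with one precomputed list of common passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the user's stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


@dataclass
class Account:
    salt: bytes
    digest: bytes            # only the digest is stored, never the password
    failed_attempts: int = 0
    locked: bool = False


class UserStore:
    """In-memory stand-in for a user table (constructed for the example)."""

    def __init__(self) -> None:
        self._users: dict = {}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._users[username] = Account(salt, digest)

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'bad_credentials' or 'locked'. Unknown users get the same
        answer (and the same cost) as a wrong password, so usernames cannot be enumerated."""
        account = self._users.get(username)
        if account is None:
            hash_password(password, _DUMMY_SALT)
            return "bad_credentials"
        if account.locked:
            return "locked"
        if verify_password(password, account.salt, account.digest):
            account.failed_attempts = 0
            return "ok"
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True   # automated guessing of obvious passwords stops here
            return "locked"
        return "bad_credentials"

    def stored_digest(self, username: str) -> bytes:
        return self._users[username].digest


def demo() -> dict:
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    store.register("bob", "correct horse battery staple")   # same password as alice
    return {
        "same_password_different_digest": store.stored_digest("alice") != store.stored_digest("bob"),
        "good_login": store.login("alice", "correct horse battery staple"),
        "guesses": [store.login("alice", f"password{i}") for i in range(MAX_FAILED_ATTEMPTS)],
        "correct_after_lockout": store.login("alice", "correct horse battery staple"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that once the account is locked, even the correct password is refused until an administrator or a verified recovery process unlocks it; that is the behaviour that defeats automated guessing.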

You can download and read our full CEO’s Briefing about Cyber, Legal, Compliance here. And a short video about Cyber security & compliance strategy for non-technical Board members. Or, visit our Knowledge Centre which includes all content related to this topic.

Freeman Clarke is the UK’s largest and most experienced team of part-time (we call it “fractional”) IT leaders. We work exclusively with ambitious organisations and we frequently help our clients use IT to beat their competition. Contact Us and we’ll be in touch for an informal conversation.

Bitcoin, Blockchain – the next big thing?

Blockchain is yet another new tech that promises to change the business world and, not surprisingly, it’s easy to be cynical about this. But we have to admit that the business world has, many times, been changed by new tech that was initially dismissed by cynics!

So what is Bitcoin? What is Blockchain and why is it important to business? Watch our short video to understand the reality, the potential and the barriers.

Or read this briefing to see how you can position your business to take advantage?


Why does Blockchain matter to my business?

When the last page is written on the bizarre Bitcoin story, many people believe the conclusion will be that the world was changed… but changed by the Blockchain, not by Bitcoin!

Blockchain promises a way for people to record transactions, for example, currency, information, deals or anything else that can be digital, using a ledger that doesn’t need to have a trusted central body to oversee it.

That could enable significant changes to the way that information and business happens and, more broadly, to the way that information and identity are managed.

If you’re wondering what this is all about then start with my first article Bitcoin? Blockchain? I’m already lost! 

This article is about why Blockchain matters to business

Blockchain could matter because it could allow disparate companies and people to work together even if they don’t know each other, or even trust each other. And it could allow this without the need for a central body to oversee the initiative.

It addresses problems such as: “I sent it”, “No you didn’t”, “Yes I did”. The Blockchain is an unambiguous shared record of what happened and when.

Commonly quoted examples of this are supply chains, perhaps where consumers want a high degree of visibility or where companies demand precise knowledge of the quality and origin of raw materials or components.

For example, in food manufacture each part of the manufacturing process could be recorded in a Blockchain starting with the originators of all the ingredients, through the successive steps in the supply chain to the consumer.

So you could check exactly which farm, and even which cow, went into your Steak and Ale Pie. And you can check whether it actually went moo or neigh.

A real-life example is the Tracr Blockchain register designed by De Beers to track diamonds “from mine to finger”. Every event in the value chain (each time the diamond is cut, polished, graded or traded) is recorded, with images and certificates uploaded to the ledger so everyone can have trust and confidence.

Of course, an unscrupulous user can make false statements or upload false records, but this can be traced precisely back to him so the scope for fraud is much reduced. 
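
The “unambiguous shared record” and the traceability of false entries described above come from each record being chained to the one before it by a hash. The following is an added example (not code from the article or from any real ledger such as Tracr) that builds such a chain for the food supply-chain scenario; the party names, actions and batch id are constructed, and the per-party digital signatures a real system would add are left out.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import Optional

# Added example, not part of the original article: a minimal hash-chained
# ledger for the food supply-chain scenario. Parties, actions and batch id
# are constructed for illustration.
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class Event:
    index: int
    actor: str           # who recorded the event stays bound to the record
    action: str
    batch: str
    previous_hash: str   # links this record to the one before it
    hash: str = ""


def hash_event(event: Event) -> str:
    """SHA-256 over every field except the hash itself, serialised canonically."""
    body = {k: v for k, v in asdict(event).items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class Ledger:
    def __init__(self) -> None:
        self.events: list = []

    def append(self, actor: str, action: str, batch: str) -> Event:
        prev = self.events[-1].hash if self.events else GENESIS_HASH
        event = Event(len(self.events), actor, action, batch, prev)
        event = replace(event, hash=hash_event(event))
        self.events.append(event)
        return event

    def first_broken_link(self) -> Optional[int]:
        """Index of the first record whose contents or link no longer verify,
        or None if the whole chain is consistent."""
        prev = GENESIS_HASH
        for i, event in enumerate(self.events):
            if event.index != i or event.previous_hash != prev or hash_event(event) != event.hash:
                return i
            prev = event.hash
        return None


def build_pie_ledger() -> Ledger:
    """Constructed sample chain: each party records its own step for the batch."""
    ledger = Ledger()
    ledger.append("Hillside Farm", "beef delivered", "batch-2024-001")
    ledger.append("County Abattoir", "processed and graded", "batch-2024-001")
    ledger.append("Pie Co", "used in Steak and Ale Pie run 17", "batch-2024-001")
    ledger.append("Retailer", "received for sale", "batch-2024-001")
    return ledger


def tampered_copy(ledger: Ledger, index: int, recompute_hash: bool, **changes) -> Ledger:
    """Copy of the ledger in which one record has been altered after the fact.
    With recompute_hash the forger also refreshes that record's own hash."""
    forged = Ledger()
    forged.events = list(ledger.events)
    altered = replace(forged.events[index], **changes)
    if recompute_hash:
        altered = replace(altered, hash=hash_event(altered))
    forged.events[index] = altered
    return forged


def demo() -> dict:
    honest = build_pie_ledger()
    naive = tampered_copy(honest, 0, False, actor="Someone Else's Farm")
    careful = tampered_copy(honest, 0, True, actor="Someone Else's Farm")
    tail = tampered_copy(honest, 3, True, action="received for sale (disputed)")
    return {
        "honest": honest.first_broken_link(),           # None: everything verifies
        "naive_forgery": naive.first_broken_link(),     # 0: the record's own hash fails
        "careful_forgery": careful.first_broken_link(), # 1: the next record's link fails
        "tail_forgery": tail.first_broken_link(),       # None: the chain alone cannot see it
    }
```

The last result is why the ledger is shared rather than held by one party: a rewritten final record is only exposed by comparing against the other participants’ copies of the chain.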

There are endless examples of ideas for Blockchains, particularly in areas like asset management, real-estate, accounting, insurance and health-care. Some of these examples are about publicly available Blockchains, some will be closed or privately run Blockchains. Wherever people and organisations work together Blockchains could enable streamlined, automated record-keeping.

Are these Blockchain ideas actually practical for business?

Right now we are probably at the start of the Blockchain story and quite what this tech can be for is not at all clear. Many of the business ideas that experts offer as Blockchain examples feel like solutions looking for problems.

But radical new tech can often seem pointless until it has matured to the point that it is practical and useful. As each new tech matures, becomes viable and is gradually adopted, so attitudes change – and what used to be slightly pointless quietly becomes a necessity!

We are surrounded by, and reliant on, tech that looked pointless when raw, early ideas were first developed.

But imagine an accounting system that not only handles double entry, but creates a 3rd entry in a Blockchain ledger. And imagine if banks kept details of some transactions on Blockchains. This could create an entirely new culture of auditability and confidence and eliminate many kinds of dispute and fraud.

It’s not hard to imagine a future where keeping records in Blockchains like this is normal, expected, and potentially required by law. 

But the smart money is on Smart Contracts

If a Blockchain is used to record contracts between parties then it’s not a great leap of thought to imagine that the contract is actually a programme that connects to the parties’ systems, so automating the transaction.

For example, if one side needs to lodge some documents in return for a payment, then the smart contract could receive the documents electronically, validate them, and automatically trigger the payment. Or the smart contract could provide a code that unlocks access to a physical asset in return.

Complex contractual situations like royalties could be automated by lodging the rights-holding in a Smart Contract; someone could simply request access to the asset through the Blockchain, automatically triggering their own payment and the onward distribution of that payment to multiple rights-holders.

As more and more devices become connected to the internet we can envisage that transfers are automatically tracked through supply chains by scanning barcodes or NFC sensors and, as ownership changes, this is recorded immutably and payments are automatically triggered.

Will any of this actually happen? What are the blockers to Blockchain?

There are plenty of issues and complexities.

Firstly, there are technical problems with Blockchains. The complex security mechanisms mean they struggle with high speeds and large volumes. And the cryptographic maths is so vastly complicated that it consumes huge numbers of servers, all drawing massive amounts of electricity – Bitcoin is already estimated to consume more energy than the entire nation of Austria! It’s no surprise that many Bitcoin servers are located in Iceland and Canada, where thermal and hydro power mean electricity is cheaper.

Although the Blockchain itself is secure, people have had their Bitcoins stolen because they don’t exercise proper control over their electronic wallets. More primitive blunders have included people losing fortunes by disposing of old computers containing their Bitcoin access codes.

Critically, no overseeing authority means there is no one to phone… if you forget your codes, don’t use a proper password, or have some other problem then you’re on your own.

But, more importantly, any venture involving multiple parties can be very difficult to mobilise. Although Blockchains don’t need a central authority, widely-used standards generally gain traction as a result of sponsorship by well-known and trusted organisations.

Simple standards like EDI in manufacturing supply chains have never delivered to their potential and there are many different competing flavours and solutions. It’s extremely difficult to get organisations to cooperate if there is no dominant force imposing uniformity.

And, finally, this tech is still very novel and is difficult to understand. It may just be too far ahead of the market and, to many people, it might just sound like techno-babble. The internet was invented in the 1960s, but it took decades to add other standards and other tech to make it usable, understandable and useful for both technicians and consumers.

So what’s the practical effect of Blockchain and Smart Contracts on my business?

We see 3 specific areas of change in the coming years that mid-market business owners need to be aware of.

Blockchains will enable new ways to collaborate without existing intermediaries so there will be new opportunities for new entrants and threats to existing incumbents.

1. Shifts of power

Entrepreneurs who understand specific industry areas will be able to create new commercial models using Blockchain. Of course, gaining widespread usage will be a challenge, but there will be strong interest from investors and a whole new round of wild valuations as markets try to guess who will be the new winners.

At the same time, organisations that have long had control of information and supply chains may find themselves under pressure as new entrants arrive. Some traditional organisations will need to become Blockchain experts to avoid someone else eating their lunch.

The De Beers example may demonstrate how incumbents can further secure their position if they move quickly, but new companies will also find significant new opportunities and there will be shifts of power.

Consider, for a moment, how the last 15 years have seen new ecommerce retailers eclipse old-school bricks and mortar retailers. Debenhams’ proud history of 200 years of retail didn’t count for much!

2. Smart integration

New Blockchains and Smart Contracts will offer great opportunities but only to companies who can integrate their back-office systems quickly and effectively.

To win in the new world means having a well-structured business, including clean and well-organised data, processes and systems. IT staff will need to understand how to integrate up and down the supply chain rather than how to fix a laptop.

The opportunities for well organised, structured businesses will grow. Manual, admin-heavy businesses will find themselves further disadvantaged.

3. Increased Opportunities for the Mid-Market

There is no clear benefit to larger players and Blockchains may well undo some economies of scale. And, for many larger businesses, slow decision-making and complex back-office systems will make Blockchain integration more difficult.

So this revolution is likely to open up new opportunities for well-run mid-market businesses who understand their markets and clients.

Wherever auditability and transparency are of value, Blockchains could provide new opportunities. The future will likely favour nimble and intelligent mid-market businesses who can seize opportunities faster than lumbering corporates. Years of building trust and reputation for honesty will be challenged by this new low-cost technology, which will provide a greater degree of trustworthiness at a lower cost.

Summary

Blockchains offer a radical new future where people and companies can interact and keep records in an unambiguous new way without central authorities overseeing the process. And these records could be automated Smart Contracts that could link back-office systems together to streamline activities that are currently manual and slow.

This opens up new vistas that are currently challenging to understand and describe.

As ever, with change comes both opportunities and threats. Opportunities to companies who position themselves well, are smart and engaged. And threats to companies who are slow to realise that they have built up value in models that will become obsolete.

Blockchain is yet another new tech that promises to change the business world and, not surprisingly, it’s easy to be cynical about this. But we have to admit that the business world has, many times, been changed by new tech that was initially dismissed by cynics!


How to avoid a CRM car crash

Any CEO knows that customer information is a very valuable asset. And how you manage customer relationships is vital. So of course you need to implement systems to help you standardise and manage this… But we see countless CRM projects that fail, systems that are mis-used, under-used, or never used at all.

So why is this the project that fails most often? Why do we meet so many CEOs who despair at their company’s attempts to make this work?

Why is this project the one most likely to end up as a car crash?

This CEO’s briefing explains what a CRM system is, why companies use them, and presents 10 golden rules for avoiding a CRM project car crash!

If you find this CEO’s briefing relevant, you might also find another recent article from one of our sister businesses of interest. The Marketing Director’s view on CRMs written by The Marketing Centre.


GDPR – The voice of reason

Anyone who is involved with GDPR will know that there are always complexities and dilemmas, and these are often not simple and not quick to fix. The important thing is to start, to address the things you can, and to create a plan for dealing with the difficulties as well.

Here are some examples of how we’ve been working with clients, to illustrate the realities – warts and all!

For many of our clients, internal communications have been a major piece of work. Everyone is busy and this can feel like just another problem, so ensuring that people buy in to the issue is critical. This is partly about understanding the potential fines and reputational damage to the business, but you can also help people to relate to the importance of this by talking to them about how they themselves would want their own data to be looked after.

A common theme is making sure people understand what is caught by GDPR, and organising discussions around what amounts to personal data. The best way to reduce your problem is to minimise the personal data you collect in the first place – do you really need the data you’re currently collecting? Many companies collect special data about their employees that they don’t really need (GDPR defines special data, which is particularly sensitive), or they are not very good at deleting it even when employees leave.

For many companies, the focus is on marketing. For example, our clients in professional services often have lists of business email addresses that they have built up over years. In many cases these databases are not well maintained and they don’t have routines for cleaning and pruning – they just keep on adding to them! Some companies have embarked on a programme to get consent for continued marketing, some are using legitimate interest justifications (as we are).

Manufacturers and supply chain businesses often have lots of supplier data, whereas facilities management, care home or construction companies may have large numbers of staff, some casual or freelance. They may have lots of details about them that they have historically managed quite “loosely”. At the extreme end, we have modelling agencies with large volumes of images and videos as well as passport and visa details.

Many companies need to overhaul some technical aspects of their IT, including things like encryption, password handling, patching and firewall configuration, as well as backup and disaster recovery plans. And of course they need to be clear on where internal responsibility lies for ongoing maintenance of this.

In almost all cases, contracts have needed some improvements to ensure everyone is clear on their duties. This includes suppliers, staff and partners as well as cookie policies, privacy notices and information security standards.

And most companies have no existing plans for dealing with a breach, or with a request from someone to provide, correct or delete their data. As well as creating policies and plans for this, there is a cultural change needed to focus on honesty and learning, rather than silence and cover-up.

But whenever we can, our aim is to find a business opportunity. For example, in many cases this is an opportunity to engage with the old sales prospects.

Analysing what data you have, how it moves around the business and why, is critical to GDPR compliance, but it’s also a starting point for improvements. There are always opportunities for greater efficiency and reduction in errors, as well as serving customers better.

In many cases we are able to use GDPR discussions as a spring-board for serious consideration of radical improvements to processes and systems. Bringing data under control not only positions you for GDPR compliance, it’s also the starting point for an integrated and streamlined business. And it’s a solid platform for digital initiatives as well.

You might also find our previously published articles of interest:

GDPR: A simple guide for CEOs (and what to do right now)

GDPR Action Plan: 6 months to go

Graeme Freeman
Co-Founder and Director