What is Information Management and Information Security?

Before the cloud, when businesses worked primarily from an office, they knew where their information was, how people could access it, how it was backed up and how it was protected. Now that we increasingly work in the cloud and from multiple remote locations, it is far less clear. This causes all sorts of problems and headaches for businesses, ranging from a heightened risk of becoming the victim of fraud through to non-compliance with legal and regulatory obligations.

At Macnamara our service is focussed around what we call Information Management and Information Security. Through good planning we aim to drastically reduce these risks and make business and staff more productive and efficient in the process.

As an additional benefit, with good information management it is easier to achieve security certifications, from Cyber Essentials all the way through to ISO27001. This not only makes you more secure but also better able to obtain cyber insurance and to win contracts and business from clients and partners, who increasingly require at least Cyber Essentials from their suppliers as proof of good governance.

Planning Information Management

When we engage with a new client, there are many things that may govern the structure of their information management system, both in terms of the layout (SharePoint sites, Libraries and folders, for example) but also the requirements for access. These may vary depending on the sector, company size, regulatory obligations, and company culture, and may also cover location, device compliance, or other factors.

However, while it is easy to get carried away and go straight into setting up sites and folders, it is worth stepping back and looking at it from a higher, more conceptual level first.

What Do We Need To Know?

The following are the kinds of questions we may explore when establishing the requirements for Information Management:

  • Is there any difference for you when staff work from the office or from home? And how do you feel about that from a business control perspective?
  • What kind of process do you have for people who want to work from home?
  • How do people access your data when working from home?
  • Are you happy with people using their own personal mobile phones to access company data?
  • Are you satisfied that only your staff can access your data that way?
  • How much control do you feel you have over this process?
  • Is there someone in your organisation who is fully aware of, and up to speed with, the online systems you are using?

The context of the requirement is important in order to establish what measures need to be put in place for staff to access company data. For example, Cyber Essentials requires that, as an organisation, you know which devices staff are using to access data, which operating systems they run, and what anti-virus and other security protections are in place on those devices. After examining the answers, you will be better placed to decide whether you want to allow personal devices to be used and, if so, what requirements you need to advise staff to adhere to. You may even decide that you do not want personal devices to be used at all, and allow only company devices.

Planning Information Security

There is a lot of noise around information security, but what is it really about? We can summarise it into three main areas:

Fraud Prevention

This could include phishing, CEO Fraud, or other types of fraud, for example where a malicious actor gains unauthorised access to a user account. If you have good information security policies in place you are far less likely to suffer the consequences of common scams such as CEO Fraud, or of the potentially more serious cases where a third party injects a last-minute change of bank details into an email chain right before a payment is made.

The sprawl of data across multiple unmanaged systems leaves open the possibility that data may be obtained by third parties in a variety of ways. This could involve both company and personal devices, as well as other cloud systems used for sharing data, such as DropBox, WeTransfer and others outside the core system. It may even include the core system itself if the ways in which people are allowed to share data are not restricted, or at least monitored.

Keeping on the Right Side of the Law

Since Brexit, many people have either given up on or forgotten about GDPR entirely, but it is still very much a part of UK law and needs to be adhered to. Your legal obligations around what personally identifiable information (PII) you hold, where you hold it, and how you store it are an important piece of the legislative jigsaw in terms of a company’s legal obligations. While the UK is no longer in the EU, certain directives and EU law still apply, especially if you are dealing with any businesses based there.

There are of course many other areas you may need to comply with as well, including employment law, construction, money laundering, and other financial obligations. Whether you choose to store information forever or only for the minimum length of time required to meet your obligations, you need to have proper policies and procedures in place. There are important considerations for both scenarios.

Winning Contracts

Increasingly, larger corporations and local and central government agencies require minimum levels of assurance that you, as a business, are covering the basics of cyber security. More often than not this means Cyber Essentials, though there may be other standards you need to meet depending on your sector. There may also be a requirement to have basic cyber insurance in place, which is itself easier to obtain if you hold Cyber Essentials and/or other certifications.

What Do We Need To Know?

The following are the kinds of questions we may explore when establishing the requirements for Information Security:

  • What – if anything – does information security mean for you?
  • Do you worry at all about fraud? The police don’t care and rarely follow up, and SMEs are the primary target because they usually don’t have security controls in place, and online fraud is – from a criminal point of view – much easier and safer than burglary and mugging.
  • Do you ever have any customer relationships that go sour? How confident would you feel if a customer reported you to the ICO for the way you handled their data? (Increasingly, it’s worth treating information security like business taxes; whether you like it or not, you have to do it).
  • Would you like to do business with large corporates, local government, or central government? If you would, you will need to get your security in order and consider certification.
  • If you take payments from your customers, do you remember that PCI-DSS questionnaire you had to fill in? What do you think the consequences are if you weren’t honest in your answers? The same goes for that insurance questionnaire you had to fill in; do you think they will pay out if you weren’t honest in your answers?

Of course we are not suggesting that businesses are dishonest in their dealings with insurance companies or try to avoid their legal obligations around payments or data processing, but the law is pretty clear that ignorance is no defence, and if you have made any assurances that turn out to be wrong, you may be on the wrong side of a hefty fine, or worse.

Summary

You can’t tackle Information Management or Information Security without very good IT support, but even very good IT support only gives you a starting point.

Security certifications are nice-to-have, but your responsibilities are there regardless of what certifications you have.

In legal terms, you can’t outsource responsibility. If you believe your IT company is looking after your security, but you’re not talking to one another about security, you’re exposing yourself to a lot of business risk. Just like with company accounts, if your accountant doesn’t file your tax liabilities with HMRC, you can blame the accountant, but the legal responsibility still lies with the business owner.

For some official guidance on Cyber Security for Business, see the UK Government webpage here: Cyber security guidance for business – GOV.UK (www.gov.uk)
