Cyber Security and Compliance


The Problem

IT security is often seen as a cost burden and is more of a ‘nice to have’ rather than a necessity for a small or medium sized organisation. The reality is that most organisations could not operate without their computers, Internet connection and their data (including e-mail, quotes, CRM etc), so protecting this is crucial.

Small and medium sized businesses are at greater risk than large corporations when faced with cyber threats. The bigger the organisation, the more likely they are to be able to weather a storm following a cyber-attack. Commonly data breaches result in the loss of reputation, loss of earnings due to lost data, and loss of liquid cash through fraud and phishing scams.

In the UK, the National Federation of Self-Employed & Small Businesses (FSB) has published data revealing that 20% of businesses surveyed had been the victim of cyber-crime in the two years leading up to January 2019 (source). This equates to 10,000 cyber-attacks daily targeting small and medium sized businesses in the UK, totalling an annual cost of £4.5 billion, with the average cost of an individual attack at around £1300.

Modern IT

It has never been more attainable for small and medium sized organisations to secure their IT and achieve levels of security that only 5 years ago would have been available only to large enterprises with big IT budgets.

Over the past few years we have witnessed more and more services and software move to and run from the ‘cloud’ (remote servers accessible via the Internet). As a result, end users have to purchase and maintain far less costly infrastructure such as servers. The same can be said for expensive software licences that eventually become obsolete: most software is now sold on a more cash-flow friendly subscription basis that gives the subscriber ongoing access to the latest versions.

Services which used to only be available to those with the budget for powerful servers are now available on a SaaS (Software-as-a-Service) subscription via the cloud. Identity management is a great example of this and is a vital core service for all organisations. Identity management is the implementation of a centrally managed directory of users (such as Microsoft Active Directory) for access to services such as computer workstations, Wi-Fi and server authentication. Identity management services can be employed by organisations of any size, using a range of operating systems including macOS, Windows and some Linux distributions.

With the cloud, far more is now possible when it comes to securely managing an estate of computers spread far and wide. Device management software can remotely wipe devices, enforce disk encryption, and add and remove restrictions and software, all from a central web portal. This gives organisations the breathing space not only to work without the shackles of traditional IT limitations but also to choose the devices they are most comfortable working with, whether that’s a Windows PC, Mac, Android or iOS device.

Compliance

All organisations working within the UK and EU are required by law to protect individuals’ personal data under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA:2018), even if the organisation is based elsewhere in the world. The term ‘personal data’ covers information as simple as employee, customer and supplier contact details, so virtually all organisations will need to comply to some degree with the regulations and legislation.

Guidance for determining the level of compliance needed when operating in the UK can be found on the Information Commissioner’s Office (ICO) website [https://ico.org.uk]. The ICO is the governing body responsible for regulating data protection and enforcing the GDPR in the UK.

For IT and data protection, as a rule of thumb the ICO recommends that organisations “put in place basic technical controls such as those specified by established frameworks like Cyber Essentials”. Whilst Cyber Essentials is not a one-stop-shop checklist to meet all GDPR requirements, it does form a good starting point for an organisation’s IT.

Cyber Essentials is a basic-level cyber security framework developed by the UK government’s National Cyber Security Centre (NCSC). Organisations wishing to mitigate some of the most common cyber security threats and demonstrate a commitment to data protection can become Cyber Essentials certified. The certification process will validate existing risk mitigations, as well as highlight any potential holes which could be exploited. Once certified, an organisation can display a Cyber Essentials logo on their website, and on communications to their clients such as proposals and quotes to highlight their commitment to protecting personal data.

Security and Compliance by Design

Employee Zero works with clients to help them meet and exceed their cyber security requirements. Our site audit document was written with the Cyber Essentials requirements in mind and is scored using a green/yellow/red traffic light system so that priorities are easy to identify. We conduct this audit when we first onboard a new client, and then annually thereafter.

At Employee Zero, we curate a cloud software and services vendor list which we recommend and implement for our clients. This list includes basic core services such as e-mail and anti-virus software, which are all vetted to ensure they demonstrate ‘security by design’ and the products themselves help our clients to comply with regulations and the law rather than place them outside of compliance.

A good example of this is an organisation’s e-mail or CRM data. Is it stored within the EU or UK? Without checking, personal data contained within an e-mail could end up stored on servers outside the UK or EU, putting compliance at risk. By simply selecting the right service to store and manage data, compliance can be more easily met.

Why Employee Zero?

We have selected industry leading products and services from our partners who are some of the most respected and reliable vendors in the industry to help our clients mitigate as much risk as possible in the face of an ever-increasing threat from cyber-attacks.

The engineers at Employee Zero collectively have a wealth of experience designing intelligent, appropriately sized and scalable security solutions for our clients. Every organisation has its own unique needs, and so each solution we present is bespoke. It is widely agreed that the best approach to effective cyber security is to ensure there are multiple layers in place. At Employee Zero we evaluate the needs of each client and present an appropriate solution, one which can be augmented and grow as their needs change.

Our clients range from small three-person outfits to multinational organisations with hundreds of employees based in offices around the world. Our engineers have experience designing and deploying security solutions of varying levels of complexity, taking into consideration access controls, remote workers and the ability to enforce settings such as firewalls and disk encryption on remote computers.

We specialise in supporting clients who have a mixture of Windows and macOS users, treating all devices the same when it comes to security. The technologies we use in the background ensure that the security-by-design principles we adhere to are not sacrificed based on operating system.

Implementing cyber security solutions is a passion of our team of highly skilled engineers.