As we were the first business in the Highlands and Islands to achieve the UK government-backed Cyber Essentials scheme badge for cyber security, we are also the first needing to complete the annual renewal process. We are very pleased to announce that we have achieved Cyber Essentials again, which demonstrates the level of security that we have in place within our IT systems.
While writing up a Cyber Security strategy report for a client this week, I took a call from a UK number: a very kind and polite person from "Microsoft" calling to help me with a problem that my computer was supposedly suffering from. I knew very quickly that this was a scam, but I wanted to see how mature the operation was, so I put some time into it while also playing hard to get, constantly questioning what they were asking me to do and asking whether it was a scam to give them a chance to end the call.
I have had cause to review a number of support contracts since releasing the article ‘Why do I need a contract?’, with one in particular highlighting many things that I thought would be of interest to those who contacted me about this subject. I will not mention any names, to protect the privacy of my client and the supplier, but everything that appears in quotes and italics is a genuine extract from a contract that covers data backups. This particular contract is a general outsourced IT support contract aimed at the small-to-medium-sized business without an internal IT resource, and I understand that it has been used across a reasonably large client base.
We have all been in the position where we have needed to call a help desk and, once we have managed to traverse the automated call handler, we should hopefully get to speak to someone about our problem. Depending on the type of service you are calling and the contract you operate within, you should get either a call logging service that follows a script or someone who can actually help you. You may find that your help desk hides behind a web-based support portal or operates an automated email monitor, but the result should be the same: in every support case you should fall into a support process that formally logs the incident, and you should get an incident reference number. You will note that the word ‘should’ is being used a lot in this opening, and that is because many help desks do not operate this way, which is the topic of this article from my From the Trenches series.
When I am asked to review risk management within a client's business data systems, I regularly find that the problems they describe to me are due to poor change management. I would suggest that this problem exists in equal measure whether businesses outsource or insource their IT services. Where cloud or hosted services are being used there is generally a good level of change management within that service, but this is not always the case and should not be assumed.
You outsource your IT help desk, your email services and your website, but do you know what protection you have and what you get for your money in the contract? I have many conversations with clients about the risk profile of outsourced IT service contracts on which their business critically depends. In some cases the discussion happens before a problem, but in many cases it is after some unplanned downtime when their Service Level Agreement (SLA) contract was found to be wanting. In this article I will discuss some common problems that I find and what you can do to protect yourself; it is aimed at customers and service providers alike.
We have all seen the many recent news items about high-profile cyber security attacks on large businesses, and when talking with clients of all sizes and across all sectors, they all share a concern about the threat at varying levels. When talking further with these clients, they generally feel confused as to what they can do to protect themselves, but commonly feel that ‘IT have it covered’, so they assume they are protected and as a result do not need to do anything about managing this risk.
The number one problem that I discuss with clients is backup and recovery, raised by them and by me in equal measure. It constantly surprises me that businesses of all sizes have inadequate backup processes for their business systems. Many businesses, whilst having implemented a backup strategy, fail to monitor and test it, often resulting in them finding out that their backup strategy does not perform adequately when they need it most. In this article I will be covering data protection through backup and recovery to meet objectives defined by the business rather than by the technology.
I have worked with a number of organisations over the last 2 years, from the very small micro business to large multi-national organisations, purely in a consultancy role. What has struck me during these engagements is that, since I am no longer selling any hardware, software or solutions, client discussions cover much more and get deeper into the business more quickly than in any previous role that I have held, and feedback suggests that this is better for the client.
Insurers need to find a better way to assess cyber risk
Due to the ever-increasing use of digital technology and the volume of data being processed and stored electronically, every business needs to become much more aware of the risks that it faces. We have all heard of the high-profile data leakages at Sony and Ashley Madison, but how many data leakage events have occurred in the last 12 months that we have not heard about? In both cases it is thought that the leakage was caused through a socially engineered attack or weak internal systems control, but this is now outside the interest of mainstream media and forgotten about. It is often the case that the reputational cost of a data breach is higher than the monetary value of the data leaked and, as a result, businesses should not focus purely on data that has a perceived high value.