Information Assurance and Protection

Cyber, Data and Information Protection

As recent attacks by both would-be hero-geeks and nation states have shown there is no shortage of actors willing to exploit weaknesses in the information technology and systems that businesses of all sizes use as a matter of daily routine.

Are you confident that your business is secure and safe from potential attack? If you are not certain this brief commentary summarises the risks, consequences and potential solutions that exist.

If you are still unsure of your next steps AMDS Consultants Ltd will conduct a two-hour consultation workshop on your behalf to help you build prevention into their operations.

Cyber Security The primary risk to a business is the comprehensive loss of all operations dependent on information technology and systems. The threat is aggravated by a lack of awareness of cyber security within a business and the failure to ensure all IT is current, protected and monitored. The consequences can be severe ranging from simple financial loss through reputational damage to business collapse and prosecution. Key solutions include hardening of systems, a security culture driven from the top, along with constant monitoring and regular auditing

Data Protection In the modern world where data is not held on copperplate ledgers, but on computers or a server farm, either locally or over a distributed network, data loss through accident or intent is a major risk to business operations. Should a business lose its data not only will it have catastrophic financial and operational impacts it also has the potential to put a company and its owners in breach of the GDPR (General Data Protection Regulations replacing the Data Protection Act in April 2018). Prevention of loss should be a business imperative. Data protection techniques include: regular encrypted backups to secure storage, strict control of access to and utilisation of data, organisational awareness of the importance of data and the consequences of a loss as well as physical and digital security.

Information Assurance Failure to meet the principles of the ISO standard for Information Security Management Systems (ISO27001), even if a business does not feel that it needs to be accredited, presents a major risk to continuity, resilience and growth. Assuring customers that their data, personal information and their business systems are safe is increasingly important. Failures in assurance will impact sales, profitability and retention. Further, gaining a reputation for poor information security will significantly damage business reputations. The requirements of ISO27001 are well documented and readily accessible. Managing a business in accord with the standard will mitigate the information assurance risk at a reasonable cost.

The Worst-Case Scenario. The consequences of a cyber-attack or data loss through a lack of information assurance within a business can go well beyond the consequences highlighted. Should a business be found to be at fault for a breach of the GDPR, or fail to meet the standards of credit and debit card transaction protection, the penalties are draconian. Penalties for a breach of the GDPR can rise to a maximum of €20 million or 4% of global annual turnover whichever is the larger sum. A failure to protect a credit or debit card transaction will lead to fines of £100/transaction for every transaction undertaken during the month when the fraud occurred.

Insurance Options Insurance is your “reserve parachute” you really do not want to have to use it!

There are two types of supplier, large well-known companies such as Hiscox, AIG, AXA and Chubb and these are quickly being supplemented by a significant number of small, usually web-based, niche providers. In many respects the cyber, data and information insurance market is following a similar growth pattern to pet insurance where uncertainties in risk lead to high premiums. That said, as I hope we have shown that businesses of all sizes need to make intelligent choices to address this developing threat.

The AMDS Consultants Offer. The way we approach things is not to recommend a particular software solution, suite of protection or data storage provider. Rather we look at the issues from the organisation’s point of view helping them put in place processes, systems and structures that reduce their information assurance risks as well as helping business understand the threats and consequences.

We will travel to your business’ location and discuss your issues and potential options using a workshop format. Any session will be two hours long and will start with an overview briefing before working on solutions with the local team.

Subsequently we can support your acquisition of the right solutions for your identified needs as well as conduct an information security audit of the business against key standards such as ISO27001, PCI DSS (credit and debit cards) and GDPR (General Data Protection Regulations).

© Dr Alan Morpeth July 2017.