In last weeks blog we talked about a company that was forced, by COVID restrictions, to move to working from home, and how that affected the organisations’ structure and ability to continue in business, and some of the difficulties they faced. 

We reached a point where they had started to get back into the office but had decided to adopt the hybrid method of working, saving money on floor space, fuel and light etc.  But this has come with problems of its own which we’ll look at now.

Hybrid working is something that many SMEs like because of the cost savings, providing of course that the business doesn’t require people on site, such as manufacturing, transport etc.  Company’s such as lawyers, financial advisors/accountants, HR facilitators, recruiters and the like, can support hybrid working quite easily, from an operational standpoint.

Last week we saw that the 2 partners are aware that they hold a growing amount of personal and corporate data, not just about their own staff and systems but also about their clients.  They were also aware of the Data Protection Act 2018 and GDPR but at a very surface level and were not sure about how much this will affect them.  For example, in terms of policies, they have very little that references the DPA 2018 and/or GDPR.  Their website does not contain the necessary privacy statement or statements regarding the use of Cookies.  They don’t have an overarching security policy or a cyber security strategy in place.

So, what’s are the issues arising from last paragraph?  Well, the DPA 2018, or UK GDPR as it’s becoming colloquially known, requires that data is processed and stored securely and that managers and staff are aware of the regulations regarding the safe processing and storage of information, which are quite extensive and can be daunting, but needn’t be an issue for SMEs, if not ignored.  The ICO is, in my experience, very helpful in this regard and are not there to hand out heavy fines, threatening to put you out of business. If you can demonstrate that you have done your very best to obey the law, then they will be helpful and conciliatory.  On the other hand, if you’ve been neglectful and even a little cavalier about it, then not so much.

But getting back to the case in point, these guys were now at the juncture where they had their staff working from home for about 3 days a week, and coming into the office on 2 days, unless of course they were consultants who were visiting client sites and were working on the move.  Everyone now had a company laptop, including admin staff, and data was held on the cloud.

But what didn’t they have, and how would that affect the?  Well, firstly they didn’t have a cyber security strategy in place.  So, what is a cyber security strategy?    It’s a plan that outlines an organisation’s approach to protecting its digitally held assets and information from cyber threats. This strategy typically includes policies, procedures, technologies, and practices that are designed to prevent, detect, respond to, and recover from cyber-attacks.  People, Process and Technology combined and integrated to provide protection.

This needn’t be scary, and you can pick and choose what is important to your organisation, what needs to be comprehensive, and what can be less so.  The level of risk you are prepared to take, is entirely your call.  Key components might include:

• Risk assessment: Identifying and prioritizing potential threats and vulnerabilities to the organization’s systems and data.
• Security controls: Implementing technical and procedural measures to protect against cyber threats, such as firewalls, encryption, access controls, and employee training.
• Incident response plan: Establishing protocols for responding to and recovering from security incidents, including communication plans, containment strategies, and forensic analysis.
• Continuous monitoring: Monitoring systems and networks for suspicious activity or anomalies that could indicate a security breach.
• Compliance management: Ensuring that the organization complies with relevant laws, regulations, and industry standards related to data protection and privacy.

What the management is doing here, is laying down a framework for how things need to be developed.  It doesn’t need to happen all at once,

Not having formulated a strategy, the company didn’t have much of this in place, and what it did have wasn’t well structured and integrated.  The security products in use were stand alone, working independently of each other.  Another major flaw was that they had no cyber awareness training in place, neither did they have effective policies.  Those that they had were downloaded from the internet as a box ticking exercise.  They were in fact a cyber disaster looking for somewhere to happen.

The 2 partners were aware of these issues and yes, they took some time to get around to addressing them simply because recovering the business from the issues arising from COVID, took precedence.  But they realised that this couldn’t be put off for any longer and took action.

They engaged with us to first carry out a Cyber Maturity Assessment.  This covered:

• Cyber Security Strategy.
• Cyber Security and Data Protection policies.
• Protective monitoring and vulnerability assessment.
• Incident response and business continuity planning.
• Access control.
• Employee awareness training.
• Compliance.
• Technical Security

The strategy they needed could be very much simplified to meet their requirements, but it did cover the salient points and gave a clear indication of what was needed immediately, what could follow and what was more of a nice to have rather than a necessity.  To that end we were able to structure remediation that was phased over a number of months, covering 2 budgetary periods.

End result, they had a solution that was affordable as well as appropriate to them.  It covered staff in the office, working from home and on the move.  It kept them compliant with the relevant legislation and set them up to achieve a standard such as Cyber Essentials, which is next on their list.  If necessary, they could even go as far as ISO2700x series, although that might not be appropriate for them at their current size.