Monthly Archives: August 2017

What do you do after a data breach?

Has your company suffered a data breach, like the company I wrote about a couple of days ago?

What do you need to do about it? Who do you have to tell?

I found this article on Continuity Central and thought it might help, but don't forget: GDPR comes into force in May 2018 and will introduce much stricter rules about what you have to do after a data breach. For example, you will have to tell the ICO within 72 hours of uncovering the breach!

For now, this is a useful article:

My business has had a data breach, what next?

Emma Roe provides some advice to UK organizations on incident communications following a data breach: who should you inform and what should you tell them?

Any type of data breach, whether due to an external hacking incident or an internal staff error, is a significant issue that needs immediate attention. A key aspect of the legal requirements surrounding a data breach is to demonstrate that your business or organization takes the issue very seriously and is proactively seeking not only to protect any individuals who may be affected but also to take active steps to improve systems and processes quickly to prevent a similar issue occurring again.

Communications following a data breach, both internally and externally, need to be carefully managed to convey these key messages effectively.

In the immediate aftermath of a breach the most important thing to establish, as quickly as possible, is exactly what data has been compromised and the number of individuals affected.

You need to focus on confirming exactly what has happened and how any risks created can be mitigated, prepare your statement and reassure your customers and employees that you are in control of the situation.

Knowing precisely what you are dealing with is key in the early stages to allow you to manage the next steps around communication.  Whilst it is important to act without delay, don’t feel that you need to rush to make available information about a data breach incident until you have been able to verify it. Internally, communications need to take a structured approach to support a swift investigation and establish exactly what data has been compromised and to what extent.

Under current UK laws, there is no mandatory requirement to notify the regulator, the Information Commissioner’s Office (ICO), or the individuals affected. However, changes to the data protection laws, which will come into effect within the next 12 months, will require any business that experiences a data breach to report it to the ICO within 72 hours of becoming aware of it, and then to notify affected individuals if the breach is likely to impact on their rights and/or freedoms. In turn, this will mean that having a rapid response approach to breaches will become even more critical in the near future.

Once you’ve determined which legal requirements you are required to fulfil regarding notifying the ICO and affected individuals, and whilst ensuring you are not disclosing any confidential information, key messages to be relayed publicly should be kept short and aim to include:

  • Any reassurances you can give regarding how serious the breach is;
  • General information you can give about what type of data is affected;
  • Advice to individuals on how to prevent identity fraud which could occur as a result of using the information which may have been compromised.

This information should only be issued in a manner which does not impact on any ongoing investigation into the incident itself or any attempts to further protect systems and data following the breach.  However, if you are able to confirm that no payment related data or medical or health related data is involved, this can be a useful message to begin reassuring the public.

You should also provide information regarding the communication that the affected individuals can expect from your business following the breach.  Where possible, share security assurances such as confirming that you won’t be contacting any of your employees or customers via email or phone asking for passwords or account details in the coming weeks.  This will provide reassurance to your community; it shows that you care about their individual safety and that you are working towards a solution.  If personal passwords have been compromised, sharing details of how users can change their passwords is also a good place to start.

Finally, it’s worth bearing in mind that it’s not just the breach that needs your attention during the immediate incident response phase, but also the channels of communication you use to contact the affected individuals to educate and inform them about the situation.  It’s important to think about how best you can ensure that any messages surrounding the data breach efficiently reach those who may be affected.  In addition to a press statement, you should also consider issuing information to your customers and employees either via an email newsletter, by post, or even a banner and news article on your website homepage.  This will ensure that the message reaches anyone affected as quickly and as transparently as possible.

The author

Emma Roe is Partner and Head of Commercial at Shulmans LLP.

How to Write an Incident Response Plan in 10 Steps

Category : Preparedness

I am in the process of developing an incident response plan for a client and thought that it would be good to share the 10 points you need to consider when writing your incident response plan. Having spent almost 3 decades responding to emergency situations I have learned that the key to successfully overcoming an emergency event is preparedness.  Preparedness means that you have thought about what might happen, have taken steps to minimize the impact of the risk, written a plan about what to do with those risks that can’t be eliminated, tested it and trained all concerned in its use.  This post will concentrate on developing the plan. I’ll talk about the other aspects in other posts.

Impact Analysis

  1. The first thing you need to consider is what the impacts on your business could be from a variety of events. You may think about floods, fire, pandemic flu, power failure, loss of telecoms, loss of water supply, terrorist activity etc. The key here, though, is not to write a plan that addresses each of the possible scenarios; that would be too much like hard work and would end up in plans for events that would never happen. Instead, you need to focus on the impacts of those types of events. The impact of a telecoms outage, power failure or a fire could be similar and amount to a loss of internet connection, for example. Transport disruption from a heavy snowfall may have the same impact as a flu pandemic: both may prevent staff getting to work. So it's the loss of internet connection or staff shortage you are planning for, not the event itself.

Flexible Plans

  2. Your plan is going to have to be flexible. You can't write a plan that addresses every eventuality that you have meticulously thought through. Life isn't like that and the incident you find yourself in will be unique, so you will need flexible response modules covering broad areas such as staff shortage, supply chain issues and infrastructure issues. The aim is to have a series of response plan checklists that you can use but that are not so rigid and prescriptive that they hamper the response.

Chain of command

  3. Once you have an idea of what your plan should contain you need to think about the chain of command. During my time in the emergency services, the chain of command was fairly easy to identify because everyone has rank and levels of training appropriate to their role. It's not so easy where people don't wear uniforms or have emergency response as their main role, so you will have to give careful thought to who in your organisation does what. It may be that you think the CEO should head the response, but my experience has taught me that this is probably not the best use of the CEO. An operational director is probably most suited to leading a response to an operational issue, an HR director to a human resources issue, for example. This strategy releases the CEO to carry on running the company and ensuring business as usual as much as possible, or to be the talking head for the media if the incident warrants it.

Activation of the plan

  4. Activation protocols are really important. How do you know when you are in an emergency and the plan needs to be activated? Who will be responsible for activating the plan? How will the plan be activated and those involved alerted? These are all questions that need to be answered in the plan, and the answers need to be absolutely clear or the plan will fail.

Emergency Response Room

  5. Where is the response team going to work from? Is there a conference room that can be converted to an incident response room, or are you looking to outsource the incident response room? Some hotels and conference centres, as well as dedicated providers, can provide facilities you can use if you don't have suitable premises or don't want the expense of maintaining them. An important point to remember here is that it may be the premises that your incident response room is in that has the problem, so you may need to deploy elsewhere.

Communications

  6. Communications! In almost every sizeable incident or exercise debrief that I have been involved with, communications is the area that could always have been better. You need to be really clear about communication channels: not just the mechanics of it, like providing an emergency response email account everyone can use during the incident or a special telephone number, but also who is going to communicate with whom. The incident commander clearly shouldn't be spending much time talking on the phone, so the team need to understand their roles: for example, one person should be dealing with the emergency services, another should be communicating with the media, another should be talking to suppliers etc.

Testing the Plan

  7. Test the plan or it won't work. I guarantee that your plan won't work when you first come to test it. Not because you or your expert consultant haven't written a good plan but because the devil is in the detail. It's a bit like playing golf. You can read about it as much as you like, you can practise it on your PlayStation and you can watch YouTube videos forever, but it's only when you get out on the course and start hitting balls that you really begin to understand what to do. I have spent a lot of time approving plans and it's worth telling the story about the time one senior manager came to me with his 'finished' plan. He had never tested it. The plan involved relocating him and his team to another office in the city. As I ran through the plan with him it became clear that neither he nor his team had ever been to the standby office; they didn't know how they would get in there as it was not normally manned, and they didn't know what equipment they would have at their disposal once they got in. It quickly became apparent that the plan was all but useless as they hadn't really thought it through. The office they were going to use was seriously inadequate for their purpose, so in the end the plan was abandoned and they started again, using different backup premises.

Training

  8. Now you have a plan you are going to have to train your staff in how to use it. This is also a good opportunity to test the plan. If you bring your team together to train and test at the same time you will quickly make changes to the plan that will make it work better. You would be well advised to use someone independent of the planning or response team to facilitate this training/testing. It's amazing how much confirmation bias comes into play when the planners are running the exercise! What you want to achieve is a team that can be involved in the further development of the plan, can make mistakes and try new ways of doing things in a safe environment and will, therefore, buy into the plan and make it better if you ever have to use it.

Plan Review

  9. After every exercise and incident, you will need to conduct a review. This will almost always lead to some changes to the plan, because you will learn something every single time. The questions the review should ask are: What went well? What went badly? What lessons did we learn? What changes do we need to make? Again, finding someone independent of the planning or response teams to facilitate the review will lead to a better outcome.

Rinse and Repeat

  10. Rinse and repeat. Unfortunately, it's not all over once you have written the plan and tested it. The world around us changes, your organisation changes and your people change. You will need to keep going round the cycle on a regular basis. Your staff will have day jobs and emergency response will be something they do infrequently, if at all, so they need to train regularly if your response is to be effective. Emergency services do emergency response day in, day out; this is their day job, but they still train for those once-in-a-lifetime events. That's why our emergency services' response is as good as it is, and if your response is going to be as good as it can be you need to train. If you don't, your response may well fail and the consequences of that could be catastrophic to the business.

Developing a workable plan isn’t always straightforward and you may not have the people in-house to be able to develop one. I would also recommend that you use someone independent to help with training and testing the plan. My blog here will give you an indication about what consultancy services might cost.

What is Business Resilience?

Category : Preparedness

I am often asked ‘What is business resilience’?

A lot of people aren’t sure what it means and that isn’t surprising as it’s a relatively new term and most small businesses and startups don’t factor it into their business planning.  This, I believe is a mistake, especially for a start-up or a business undergoing some kind of restructuring as these times are the ideal opportunity to ensure your business processes are robust.

So, let’s try to unpack what business resilience is. In this article, I will list some of the elements that combine to make a resilience strategy for businesses. These are the main elements but, in order to keep this post reasonably brief, there are a lot more than I mention here such as compliance, finance etc. Each of these elements is an area of specialisation that has experts who deal with them and them alone. The trick that the resilience consultant has to do is to have an understanding of all of these specialist areas and then pull them all together into an overarching strategy, making sure the business is resilient to whatever challenges come its way.

Business resilience is about running your business in a way that addresses the risks of failure.  Being aware of and controlling those risks allows for better efficiencies and more robust systems for running your company.  The purpose of this blog is to help those who aren’t quite sure what it means to have a better understanding of why they really ought to consider investing in business resilience.

Business Continuity Management

Many people will be familiar with Business Continuity Management (BCM). It’s an industry that’s been around for many years and is concerned with looking at how your business will recover from disruptive incidents such as a flood or fire and making a plan to deal with the impacts. It is still a really important part of looking at resilience and has its place in planning for the unexpected.  In the olden days, we used to call the result of BCM planning a Contingency Plan, which describes pretty much what it was and what it did. It told us what to do when the wheels fell off but it doesn’t really help avoid the incident having an impact in the first place. We need something more holistic to do that.

Crisis Management

Crisis management is another area of expertise, but a lot of people misunderstand the term because it isn't a particularly descriptive name. Crisis management is about what you do when your brand is affected by an adverse event; let's say your product has been implicated in harming someone. Clearly, there are all the things you have to do when something like this happens (test the product, withdraw it from circulation etc.), but the bit we call crisis management is the bit where you set about reassuring your customers, the public, the regulator or any other interested parties that your company will investigate, find out what the problem is and put it right. In short, it's reputation management. With everyone having access to social media it is extremely important that you can react instantly to a crisis, and the only way you are going to do that is by having a robust, practised and well-tested plan.

For more on crisis management, you could have a look at another post I did earlier.

Risk management

Resilience is all about risk management. It's about mapping out the risks to the business and finding ways of mitigating them. Large companies refer to Integrated Risk Management and invest a great deal of time, money and energy into trying to draw all of the risks together and manage them. It's difficult because large corporations tend to focus their attention and resources on whatever is niggling them at the time: new regulation, new product lines etc.

What does the resilience consultant do?

One of the roles of a resilience professional is to help people map out their processes and look for areas of vulnerability, spot the risks and think of ways of mitigating them.  Much of the time we can get rid of the risk entirely with good planning. This is what resilience is about, not just about what we do when things go wrong (and they will) but what we do to prevent them going wrong in the first place. It’s about planning for the consequences and not the causes. The cause of the telecoms outage is secondary to the impact it has on your business and business resilience is how you continue to offer your services or products to your customers despite the unexpected.

What does Business Resilience Cost?

The government is pushing the ‘resilience’ agenda for all businesses and communities, and my mission is to make it accessible and affordable so small businesses will have access to the same level of advice as large companies. In many ways, it’s easier because a small business isn’t as complex as a large corporation and that’s why it will be more affordable than you think to ensure your business is set up to deal with whatever comes your way. I have written a blog about expected costs, you can find it here.

Information Security and Cyber Crime

Category : Uncategorised

Data is really valuable stuff and we are currently producing it at an unprecedented rate. In 2017 it is predicted that we will produce more data in this single year than already exists.

So, if your data is valuable you are going to want to look after it and this post is here to give you some advice on why you need to take precautions, how to do that and how to protect yourself from cyber crime.

What if my hard drive fails?

Not long ago one of the big business continuity issues was making sure your data was backed up, just in case your hard drives failed or your building burnt down. Disaster Recovery was all-important and very expensive, often involving duplicated hardware servers and expensive telecoms links to remote sites; that was not something any small business would be able to afford, so looking after your data became a chore involving tapes and manual backups, and because it was a chore it sometimes didn't get done at all. Keeping your data secure is even more important now, but it is much less expensive and certainly a must for any business, no matter how small.

With the proliferation of cloud based backup services the risk of losing all your data due to hardware failure has reduced.  It was more difficult and expensive in the olden days but now it’s so cheap and simple to set up there really isn’t any good reason for not doing so, unless keeping fingers crossed is your company’s adopted strategy.

One new worry to think about, though, is Solid State Drives (SSDs). They are much faster than a Hard Disc Drive (HDD) and getting cheaper, so they are now being used more often, especially in laptops. If an SSD has a problem with a bad cell then usually the only solution is to format it and start again, or bin it for a new one. They store data quite differently from an HDD, and once it's lost it can't be recovered, unlike an HDD, from which data recovery software may be able to salvage files. This is why you might want to invest in a NAS to back up your entire system to.

Losing your data because of a hardware failure really shouldn't be keeping you awake at night anymore, but your data is under threat from cyber crime. Cyber crime is one of the highest-ranking risks on the UK Government's risk register and is in the news almost daily. A bit more on cyber crime later in this post.

What would the impact on your business be if you lost the use of your desktop or laptop?

Because our reliance on IT is ubiquitous, most small businesses take it for granted and don't really think through the impact of losing connectivity and/or data. After all, it's always there and just does what we need it to do, until it doesn't.

What would you do if you lost your laptop or your desktop stopped working?

Last week my desktop died but I barely missed a beat as everything I have is backed up on a Network Attached Storage (NAS) Drive and all my files are also on the cloud. All I had to do was change to my laptop or use one of the other computers available to me and everything carried on as normal.  When my iMac came back from the iMac fixers it cost me an hour or so bringing it up to date. This is Business Continuity Management. I assessed the risk of hardware failure (it’s a no brainer, hardware will always fail eventually) and took steps to mitigate the risk and everything worked seamlessly as planned. The only interruption to my business was the hour or so to take my broken machine to the repair shop.  I am still surprised at the number of businesses that don’t take these simple steps to protect themselves.

Assessing your vulnerability

Why not take a few minutes to map one of your computerised processes? It could be invoicing or ordering or production schedules or anything else you do on a computer.  Write down each stage of the process, don’t skip steps, the devil is in the detail. Write each step on a post-it and stick it on the wall.  Now think about what could go wrong with each step and what the impact of that would be.  Let’s imagine you use a finance package on your office desktop, what would happen if that desktop computer failed? What would happen if your printer failed? What would the impact be on your business of not being able to send out invoices and how long would you be able to continue like that?  Whatever the answer it is almost certainly costing you money. Someone has to be doing the invoices, how much of their time is wasted? Cash flow is always a problem, how much will the delay in processing cost you in bank charges?

What is the cost of a cyber attack?

Potentially devastating is the answer. We often hear about the big companies losing loads of data to hackers or the NHS being attacked by ransomware, but we don't often hear of small businesses being attacked or what the costs are. The Business Continuity Institute found in a recent survey that £3000 is the average cost of a malware attack to a small business. Have a look at a previous blog for a full rundown. Another worrying statistic is that 60% of businesses who have suffered a serious cyber attack will fail to recover! That's pretty serious when you consider that about 75% of organisations have suffered some kind of security breach in the past 12 months. See this post for more detail.

Cyber criminals don't just go for big companies. Who would have thought that a hairdresser in Glasgow would be the victim of a cyber attack? After all, hairdressing isn't an IT business; it is pretty low tech in terms of delivering its service and probably doesn't hold much data that's worth stealing. But when you stop to look at how businesses are run, hairdressers rely on IT as much as anyone else. For the full story about how the business was affected, have a look here, but it cost them a lot of money, time and heartache. People often forget about the heartache, but when I speak with people who have been affected by any kind of incident they always say how difficult, stressful and draining it has been for them to recover. By all means get insurance, but investing in prevention is much, much better.

How do you protect yourself against cyber crime?

It’s not really that difficult to be fair.  Protecting yourself from cyber crime isn’t necessarily about expensive software. It’s about processes and protocols so before you go off and spend a fortune on software that may not protect you in the event of an attack (see the Glasgow hairdresser story for how that can happen) put in place some simple measures to prevent an attack.

  1. Use strong passwords and use a different one for each site. To make it easier you could use a password manager to store your passwords, or you could just choose a really strong one and then salt it. Salting a password is adding a couple of letters to the end of your one password so it is easier to remember. For example, 76Str@wberr1es could be your password and you just add 'FB' on the end for Facebook. You get the idea. You'll need to change it every so often though, just in case it gets compromised.
  2. It seems obvious but hide your passwords. You would be amazed at the number of people who don’t.
  3. Don’t plug any device you don’t trust 100% into your PC or anything on your network. If you don’t know where it’s been it may well be infected.
  4. When receiving emails never click on untrusted links and make sure your staff don’t either. Funnily enough, it seems to usually be the CEO that clicks the infected link so apply the same discipline to everyone in the company. If there is a link in an email, hover over it and it will show you the URL it points to. Most of the time this will show you a different web address than the one you would expect but not always so be careful. Better to go to your browser and go to the website without using the link.
  5. Be careful when out and about using wifi. I was nearly caught out at Haymarket by a wifi network pretending to be ScotRail. They had used the usual ScotRail name but added an underscore at the beginning to fool you. If you connect to wifi you should be using a VPN if you are doing anything other than just surfing the internet.
  6. Make sure all software is up to date! This cannot be over-emphasised. I know it's sometimes a pain and it takes time, but the software used to attack you relies on vulnerabilities in your systems. The software companies are constantly plugging these vulnerabilities and issuing updates. The updates will help protect you, so make sure you do them.

If you take these simple precautions you will have reduced your risk of cyber attack by around 80% and for no more cost than putting together an IT policy and a little staff training.

I can assist you with all of this if you need some help so please do get in touch.