Global Investigators & Security Consultants
0333 6000 300

Monthly Archives: October 2016

How Organisations Can Avoid Data Breaches And Thus Meet Their Security Obligations

  • October 15, 2016
  • Stay on top of security developments by following these five pieces of advice

    With cyber attacks becoming increasingly common in the present day, it is vital for companies to ensure that they keep their data safe from breaches. If a data breach occurs, your company’s financial information will be at risk, as will potentially sensitive customer information. As well as being bad for the image of your business (and losing you several customers), data breaches can make companies liable to pay fines. This is due to the fact that the Data Protection Act of 1998 legally requires companies and other organisations to keep people’s private information safe and secure, imposing penalties if this requirement is not fulfilled. Good security is thus not just convenient for you, it is also an obligation. Luckily, it is pretty easy to keep your IT infrastructure safe from attack – all that you need to do is to cover the five basic points listed below. If you do not feel comfortable covering all of the baselines below yourself, then hiring an IT professional to do so for you is a smart choice.

    1. Keep your IT infrastructure in good health

    Knowing and understanding your IT infrastructure is an essential first step for keeping it safe and sound. Get to know what types of software you are using and what new updates or patches are available. Install new security and safety features as soon as they become available. Ensure that you know where and how your infrastructure intersects with the law: what types of security are you legally obliged to provide? Make sure that you provide that level of security as a basic minimum. Under the Data Protection Act, if you take no action to attempt to prevent or to halt a data breach then you can become liable for even bigger fines. This was the case with TalkTalk last year when they were fined £400,000 (a record amount) for a data breach that saw sensitive customer files leaked. Monitor your IT infrastructure at all times to make sure that you catch any attempted breaches as soon as possible, and, when a breach does occur, use it as an opportunity for learning: attempted breaches can teach you numerous things, including where your company’s perceived weak points are when it comes to IT infrastructure and also what hackers’ current methods are. If a data breach does occur and you have fulfilled all of your legal obligations under the Data Protection Act, then it is unlikely that you will have to pay a penalty.

    2. Opt for automation to keep your security up to date

    Monitoring IT security should be a 24/7 job as attacks can happen at any time. That is why it can be hard for human eyes alone to monitor every aspect of your IT infrastructure. So, why not put in place encryption policies, intrusion detection and prevention programs, regular automatic assessments (where the system checks itself for weak spots and security breaches and applies patches and updates where necessary) and backup programs that prevent files from being lost permanently if a hacker attempts to wipe your system’s memory. Another good policy to put in place is to stop new files from downloading automatically until they have been checked manually, as a key method of cyber attackers is to send you a malicious file to download as an email attachment. These automatic features will keep everything safe and secure whilst you get on with running or working for the company.

    3. Educate all company members about IT security

    Get everyone on board when it comes to monitoring the security of your IT infrastructure. Train employees to encrypt their information and to recognise attempted cyber attacks. Create a set of employee regulations which require employees to encrypt and password-protect the data that they use and to apply software patches where necessary. Think about where your company’s hardware is, too, and where necessary prevent employees from taking hardware home. If it gets into the wrong hands, a single lost laptop can result in a huge data breach. One very good policy to implement here is data minimisation: this means only sharing data with the minimum number of top-level employees. The fewer people who have access to data, the less likely it is that employees’ negligence will facilitate a data breach.

    4. Have a detailed plan about what to do in the event of a data breach

    Plans about how to respond to suspicious activity (which, of course, you will be monitoring as per step 1 above) should be built into your day-to-day IT policies. Set up real-time alerts which enable you to identify threats straight away and then have a plan that you can quickly put into action to protect sensitive information – for instance, shutting down some parts of the system or getting a resident IT professional right to work on creating barriers for hackers. Integrate prevention and response strategies into your day-to-day operations, for instance by informing employees about attempted data breaches so that they can change their passwords instantly. Be aware of your legal obligations when it comes to reporting attempted breaches: remember, if you take no action to repair or report a breach you can become liable for penalties. And, if an attempted breach does occur, make it part of your policy to analyse the breach to help you to be stronger against the next attack.

    5. Be smart about who you hire

    Hiring an IT professional (or a team of professionals) to keep your IT infrastructure safe is a very good idea. Think of this additional hire as an investment rather than a loss of money! After all, the average cost of a single data breach last year was over £100,000 for a UK company. Do not just look close to home, either: tap into the global talent pool to ensure that you hire the perfect person for the job. Many security professionals can work remotely for much of the time (though there are definite benefits to having an in-house professional keeping an eye on your IT security), so you could even hire a team that involves someone in a different city or country if need be. Find out who the best qualified security professionals are and offer them an attractive post to tempt them over to your company. As well as this, it is important to include some elements of IT security training for all of your staff – not just those people whose job it will be to protect your IT infrastructure. If any potential new employee comes to you and you see that they have experience or qualifications that relate to cyber security, then that should definitely figure as a huge positive for your company! Hiring a dedicated person, or group of people, to deal with your company’s cyber security, moreover, is very good for business. It shows the world that you care a lot about keeping all of your customers’ and also any business partners’ data safe and secure at all times.

    by alex

Warning to Councils over Cuts to Statutory Services

  • October 10, 2016
  • A Council’s eleventh hour decision to conduct a more wide-ranging review of its trading standards function has served as a reminder to other authorities to think carefully about their statutory duties when making cuts – or risk being hauled before the courts.

    Liverpool City Council has faced a two-year legal challenge from a former employee after it slashed its trading standards officers from 19 to four. The former employee is being supported by the Chartered Trading Standards Institute (CTSI).

    Trading standards is responsible for discharging about 250 statutory duties [1] concerning everything from disease outbreak and medical weighing equipment to product safety and rogue trading.

    The council has now agreed that it will appoint an independent and professionally competent person to conduct a review. It must consider statutory and European Union consumer protection duties as well as the government’s enforcement priorities.

    It is the second time Liverpool City Council has faced pressure to review its trading standards services in light of cuts. Last week’s contempt of court proceedings, at the High Court sitting in Manchester, were expected to focus on whether an earlier review was adequate.

    By agreeing to the second review the council has not admitted any wrongdoing. Experts say the issue has far reaching consequences for councils that are having to make difficult choices on how to deliver essential services, while faced with unprecedented cuts.

    A CTSI report found [2] that the total GB budget for trading standards has fallen from £213 million to £124 million since 2009, resulting in a 53% cut in staff. Meanwhile, shoddy goods and services are known to cost the economy £23 billion [3] while fraud alone is estimated to cost a further £52 billion [4].

    Professor Keith Brown, director of the National Centre for Post Qualifying Social Work at Bournemouth University, said robust trading standards services are essential for the delivery of adequate adult social care [5].

    He said: “Section 42 of the Care Act requires local authorities to protect vulnerable people from financial abuse but most councils only prosecute one or two rogue traders a year.

    “The Office of Fair Trading tell us that 6.5% of adults have fallen victim to mass marketing scams. That’s just one type of scam but it gives you an indication of the scale of the problem.”

    Jonathan Goulding, a barrister with Gough Square Chambers, said well-funded and well-staffed trading standards departments are essential to protecting consumers from the many unfair practices they face.

    He said: “It’s encouraging that the Liverpool review will consider consumer protection duties and it will be interesting to see the weight given to them in the exercise of decision making and the funding of essential services.”

    Leon Livermore, chief executive of CTSI, said it was not just statutory duties that place obligations on councils.

    He said: “Councils must also consider the government’s enforcement priorities, the first of which focuses on consumer protection, doorstep crime, counterfeit goods and mis-selling by measurement.

    “Rarely have we been able to find any reference to these trading standards duties being taken into account and it will be interesting to see Liverpool consider them.”

    Liverpool City Council’s trading standards services first came to the attention of the courts when its former employee, Stephanie Hudson, sought a judicial review. The council instead agreed to conduct a review by way of an undertaking.

    Mrs Hudson, who has now left the trading standards profession, said it was extremely worrying that councils were making cuts with little regard to how they will discharge their duties.

    She said: “Liverpool showed they have no knowledge or understanding of the value of trading standards, that’s very clear. The amount they spend on trading standards is very small, but its impact is quite immense.”

    http://www.tradingstandards.uk/extra/news-item.cfm/newsid/1964


    by dave

Overview of our Investigation Services

  • October 7, 2016
  • We are pleased to announce our new slideshow video, which we put together so that those who only have a minute spare (82 seconds, to be exact) can get a good overview of our investigation services – from Brand Protection and Fraud Protection through to Internal Audits and Security Surveys and Assessments. Just click here and enjoy.

    by alex