Mark Hurley, Author at Spector

How ISO 27001 Can Boost Your Business’s Reputation and Trust

For all businesses operating in the digital world today, it’s paramount to protect clients’ sensitive data. Be it manufacturing, financial or technology companies, all businesses face an increasing number of cyber threats, data breaches, and regulatory requirements.

Amidst all these challenges, achieving ISO 27001 certification stands out as a powerful way to bolster your business’s reputation and trust. But what exactly is ISO 27001, and how can it benefit your organisation? 

With this article, we want to help you explore the key advantages of ISO 27001 certification and why it’s a worthwhile investment for any business concerned with information security. 

What is ISO 27001?

ISO 27001 or ISO/IEC 27001 is an international standard for information security management systems (ISMS). Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it provides a framework for managing sensitive company information to ensure it remains secure. The standard covers a wide range of controls, including legal, physical, and technical aspects of information risk management.

Why ISO 27001 Matters

Data breaches and cyber-attacks are becoming more frequent and sophisticated, and ISO 27001 provides businesses with a robust methodology to protect their information assets. By achieving ISO 27001 certification, companies demonstrate their commitment to managing information security risks effectively, which can significantly enhance their reputation and build trust with clients, partners, and stakeholders. 

Enhancing Reputation Through ISO 27001

Demonstrating Commitment to Security

One of the most significant benefits of ISO 27001 certification is that it shows your commitment to information security. This commitment can enhance your business’s reputation in several ways:

  • Client Confidence: Clients are more likely to trust businesses that have proven they take information security seriously. ISO 27001 certification provides clients with the assurance that their data is being handled securely and responsibly.
  • Competitive Advantage: In many industries, ISO 27001 certification is seen as a mark of excellence. Being certified can give your business a competitive edge over rivals who have not achieved the same level of security compliance.
  • Brand Image: A strong reputation for security can enhance your brand image, making your business more attractive to potential clients and partners.

Meeting Regulatory Requirements

Many industries are subject to stringent regulatory requirements regarding data protection and information security. ISO 27001 certification helps businesses meet these requirements, which can prevent legal issues and fines, further boosting their reputation.

For example, companies in the healthcare sector must comply with regulations like HIPAA in the United States. Achieving ISO 27001 certification can help demonstrate compliance with such regulations, ensuring that your business is seen as trustworthy and reliable.

Building Trust with Stakeholders

Supplier and Partner Confidence

ISO 27001 certification also helps build trust with suppliers and partners. When your business is certified, it signals to your supply chain that you adhere to high standards of information security. This can facilitate stronger partnerships and smoother collaborations, as partners feel more secure working with your business.

Investor Assurance

Investors are increasingly aware of the risks associated with information security. ISO 27001 certification can provide them with the assurance that your business is proactively managing these risks. This can make your company a more attractive investment opportunity.

Employee Trust

Internal stakeholders, such as employees, also benefit from your business’s ISO 27001 certification. When employees know that their company values and protects information security, it fosters a culture of trust and responsibility within the organization. This can lead to higher employee morale and retention.

Practical Steps to Achieve ISO 27001 Certification

Understanding the Requirements

Achieving ISO 27001 certification involves several key steps. Firstly, it’s important to understand the requirements of the standard. ISO 27001 specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements.

Implementing an ISMS

Implementing an Information Security Management System (ISMS) is at the heart of ISO 27001. An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes, and IT systems by applying a risk management process.

Conducting a Risk Assessment

Risk assessment is a critical part of ISO 27001. It involves identifying potential threats to your information and evaluating the risk they pose. This helps in prioritizing security measures and allocating resources effectively.

Developing Security Policies

Based on the risk assessment, your business needs to develop and implement security policies. These policies should address various aspects of information security, including data handling, access control, and incident response.

Training and Awareness

For ISO 27001 to be effective, it’s crucial that all employees understand their role in maintaining information security. This involves regular training and awareness programs to ensure everyone is aware of the policies and procedures.

Regular Audits and Continuous Improvement

ISO 27001 is not a one-time effort. Regular audits and continuous improvement are essential to maintain certification. This ensures that your ISMS remains effective in the face of evolving threats.

The Long-Term Benefits of ISO 27001

Enhanced Business Resilience

ISO 27001 helps businesses build resilience against cyber threats. By identifying and mitigating risks, companies can reduce the likelihood and impact of data breaches and other security incidents.

Cost Savings

While achieving ISO 27001 certification requires an initial investment, it can lead to significant cost savings in the long run. Preventing data breaches and minimizing downtime can save your business substantial amounts of money.

Improved Customer Satisfaction

Customers are increasingly concerned about how their data is handled. ISO 27001 certification can improve customer satisfaction by providing assurance that their information is protected.

Global Recognition

ISO 27001 is recognized worldwide. This means that certification can help your business expand into new markets and attract international clients.

Why you should be renewing your ISO 27001 certification

Spector IT is an ISO/IEC 27001:2022 certified MSP. Whether your business is looking to obtain ISO 27001 certification for the first time or to renew an existing ISO 27001:2013 certification, we have you covered.

Here are 4 reasons why you should be renewing your ISO 27001 certification with Spector:

  1. You work with a lot of clients’ sensitive and confidential data

Certification to ISO 27001:2022 is valuable to organisations looking to enhance their cybersecurity posture and demonstrate their commitment to protecting sensitive information.

  2. You have moved your infrastructure to the cloud

The new standard incorporates a new set of cloud controls, focusing on cloud configuration and cloud security.

  3. Your ISO 27001:2013 certification is soon to be outdated

All ISO/IEC 27001:2013 certificates shall expire or be withdrawn no later than 31st October 2025.

  4. Your policy, procedure and governance documents are all over the place

With the correct approach and the adoption of an ISMS (Information Security Management System), you can manage policy, procedure and governance documents efficiently, resulting in time and cost savings.

Conclusion

Achieving ISO 27001 certification is a powerful way to enhance your business’s reputation and build trust with clients, partners, and stakeholders. By demonstrating a commitment to information security, meeting regulatory requirements, and fostering a culture of trust, ISO 27001 can provide significant benefits to your business. The process of implementing and maintaining an ISMS may require effort and resources, but the long-term advantages far outweigh the initial investment.

In a world where information security is increasingly important, ISO 27001 certification is not just a nice-to-have – it’s a necessity. Start your journey towards certification today and reap the benefits of a stronger, more trustworthy business.

Schedule a call with us today and learn more about how we can help you with the implementation of your ISO 27001:2022 certification.

Addressing the Human Factor in Cybersecurity

In our years of experience in this industry, one pivotal truth has always held: human vulnerability is often the weakest link in the security chain. It is estimated that 4 out of 5 cyber incidents begin with what can be termed “human error.”

For example, Verizon’s 2023 Data Breach Investigations Report found that the human element is present in three-quarters (74%) of data breaches.

Despite significant technological advancements and the deployment of sophisticated security measures, human vulnerabilities continue to play a substantial role in cyber breaches. This blog post explores why people are susceptible to cybercrime and discusses strategies to mitigate these vulnerabilities.

The Human Element in Cyber Vulnerability

Humans are naturally inclined to engage and interact with online content, which can sometimes lead to cybersecurity lapses. These lapses might occur due to oversight, a lack of awareness, a momentary distraction, or even deceitful social engineering tactics. Examples include clicking on malicious links, inadvertently sharing sensitive information, or falling for scams that manipulate psychological vulnerabilities.

The Role of Psychology in Cybersecurity

Human psychology is a critical factor in cyber vulnerabilities. Cybercriminals expertly leverage psychological tactics, such as exploiting fears, arousing curiosity, or creating a sense of urgency, to manipulate individuals into compromising their security. For instance, phishing attacks may invoke a sense of panic, prompting hasty actions without proper verification of the message’s legitimacy. Offers that seem too good to refuse or sensational headlines can cloud judgement, leading to the disclosure of sensitive information or the downloading of malicious files.

The Digital and Remote Work Explosion

The widespread use of digital devices and the increasing interconnectivity of cyberspace have opened new avenues for cybercriminals to exploit human vulnerabilities. The blurring of boundaries between personal and professional digital spaces, especially with the rise of remote work, has increased the exposure to potential cyber threats. This constant connectivity provides cybercriminals with numerous opportunities to target individuals across different platforms and exploit weaknesses in security measures.

Mitigating Human Factors in Cybercrime

Addressing the human aspect of cybercrime requires a multifaceted approach. Here are several effective strategies:

1. Education and Awareness

Empowering individuals through education is fundamental. Cybersecurity training and awareness programs for employees, students, and the broader public can significantly enhance the ability to recognize and mitigate cyber threats. These programs should teach participants how to identify phishing attempts, secure their digital assets, and adopt safer online behaviours.

2. Fostering a Culture of Cybersecurity

Creating a cybersecurity-centric culture within organisations is essential. Employers must prioritise ongoing cybersecurity training and encourage employees to take an active role in safeguarding sensitive data and adhering to established security protocols. Regular updates and drills can keep security top of mind and help integrate it into the corporate culture.

3. Implementing User-Friendly Security Measures

Enhancing security measures that are easy to use can significantly reduce human error. For example, deploying multi-factor authentication (MFA) adds an extra layer of security that can prevent unauthorised access, even if someone mistakenly discloses their credentials.

4. Leveraging Technology

Advances in technology, such as artificial intelligence (AI) and machine learning (ML), can augment human efforts in cybersecurity. AI-powered tools can predict and prevent cyber threats in real-time, automating the detection process and reducing the chance of human error. These technologies can act as a second line of defence, particularly in identifying and responding to sophisticated cyber threats.

5. Robust Backup and Disaster Recovery

Despite best efforts, breaches may occur. Having a robust backup and disaster recovery plan is essential. Such plans ensure that organisations can recover critical data swiftly and continue operations with minimal disruption, thereby mitigating the impact of cyber incidents.

6. Leadership Commitment to Cybersecurity Education

A notable challenge in many organisations is the lack of C-level commitment to comprehensive cybersecurity education programs. Leaders must adopt a governance-first approach, ensuring top-level buy-in and fostering open communication about cybersecurity. This commitment from the top can drive a more proactive and responsive cybersecurity posture across the organisation.

Conclusion

By understanding and addressing the root causes of human susceptibility in cybersecurity, we can significantly enhance our defences against cyber threats. Gentle education, awareness initiatives, user-friendly technological solutions, and a strong organisational culture of security are pivotal in building resilience against cyber threats. As we continue to navigate the complexities of the digital age, strengthening the human aspect of cybersecurity is not just a technical necessity but a strategic imperative for long-term digital safety and security.

Ready to Take Action?

If you’re ready to strengthen your cybersecurity defences and reduce the human factor in cyber incidents, we’re here to help. Schedule a call with us today and take the first step towards a more secure digital future.



The Crucial Role of Early Detection in Cybersecurity

Cyber threats are evolving rapidly, and the importance of early detection in cybersecurity cannot be overstated. A comprehensive cybersecurity strategy is not just about defending against attacks but also about identifying potential threats before they can cause harm.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) provides a robust structure for managing cybersecurity risks, which is built around six core functional areas:

  • Govern
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

The Focus on Early Detection

Despite the balanced approach of the NIST framework, many organisations, especially those less mature in their cybersecurity practices, tend to focus heavily on Protection and Recovery. This focus is often driven by the cybersecurity and backup industries’ marketing efforts, which emphasise the need for robust malware protection and backup strategies. However, this post aims to highlight the critical, yet often underappreciated, role of early detection in preventing cyber incidents.

According to study results, it can take on average up to 9 months before a security incident is detected. That is precious time in which it would be possible to avert or limit damage.

Why Early Detection Matters

Over the past five years, we’ve seen first-hand the benefits of early detection systems in identifying early warning signs of malicious behaviours in several client networks. These breaches were primarily due to the shift to remote working, targeted phishing emails, and, in some instances, poor identity controls and management. The ability to detect these vulnerabilities early played a pivotal role in mitigating potential damages that could have been far worse. 

Here are the key benefits of having a robust early detection system:

Minimising Damage

Early detection allows organisations to identify and address security threats before they escalate into significant breaches. This proactive approach is crucial in minimising the impact of cyber attacks, potentially preventing data loss, financial damage, reputational harm, and legal liabilities. By catching threats early, organisations can significantly reduce the severity of attacks and the costs associated with them.

Cost-Effectiveness

Addressing cybersecurity issues after a breach is often far more expensive than preventing them in the first place. The costs associated with data recovery, regulatory fines, legal expenses, and remediation can be substantial. Investing in early detection not only helps prevent these outcomes but also saves significant resources that would otherwise be spent on damage control.

Preserving Trust and Reputation

A cybersecurity breach can severely damage an organisation’s reputation and erode trust among customers, partners, and stakeholders. Demonstrating a proactive approach to risk management through early detection and prevention can enhance trust and confidence in an organisation’s commitment to security. Maintaining a strong reputation is essential for customer loyalty, attracting new business, and achieving long-term success.

Safeguarding Critical Assets

Early detection systems play a vital role in protecting an organisation’s most critical assets, including intellectual property, financial data, and customer information. By proactively identifying vulnerabilities and threats, organisations can prevent unauthorised access and ensure the confidentiality, integrity, and availability of their valuable assets.

Ensuring Compliance

Many industries face stringent regulatory requirements related to cybersecurity. Early detection helps organisations comply with these regulations, avoiding penalties and legal consequences for non-compliance. Effective security measures and a commitment to staying ahead of emerging threats are crucial for demonstrating compliance and effective risk management.

Implementing Early Detection in Your Organization

Understanding the importance of early detection is the first step; implementing it effectively is the next. For organisations uncertain about how to integrate early detection strategies or those seeking to evaluate their current cybersecurity posture, seeking expert guidance is advisable. A Cybersecurity Gap Analysis, for example, can reveal vulnerabilities in your current setup and provide a roadmap for enhancement.

Conclusion

In conclusion, early detection is a critical component of a comprehensive cybersecurity strategy. It allows organisations to be proactive rather than reactive, dealing with threats before they develop into a full-blown crisis. By investing in early detection, organisations not only enhance their security posture but also ensure the long-term resilience and safety of their digital operations.

For those looking to improve their cybersecurity measures or understand more about implementing early detection solutions, consider reaching out for professional advice. 

Book a call today to discuss your cybersecurity strategies and understand how we can provide valuable insights and practical steps to enhance your organisation’s security measures effectively.

Bridging the “Have to” and “Want to” Divide in Cybersecurity with ISO 27001 Certification

In the complex landscape of cybersecurity, where threats loom large and data breaches can cripple businesses, ensuring robust IT security isn’t just a precaution—it’s a necessity. However, aligning the priorities and perspectives of IT teams with those of C-level executives can be challenging. There exists a fundamental divide in many organisations, often referred to as the “have to” versus “want to” divide in cybersecurity. This gap can lead to misalignment, communication gaps, and ultimately, vulnerabilities in cybersecurity measures.

Understanding the “Have to” and “Want to” Divide

The “have to” element typically stems from a sense of duty, necessity, or external coercion. In the context of cybersecurity, it often manifests as actions taken to comply with regulations, avoid penalties, or meet minimum standards. It’s a reactive approach, driven by the fear of consequences rather than a proactive commitment.

Conversely, the “want to” approach is driven by internal motivation, such as personal values, goals, or a genuine understanding of the benefits of robust cybersecurity. This proactive stance not only aligns with the organisation’s strategic goals but also fosters a culture of security and resilience.

The Role of C-Level Executives and IT Teams

A common scenario in many organisations is a disconnect between C-level executives and IT teams. IT professionals may feel that their C-level counterparts do not fully comprehend the critical nature of cybersecurity. On the other hand, C-level executives often view IT teams as cost centres, constantly demanding more resources without considering broader financial implications.

This misalignment can create significant challenges in adequately securing an organisation. Without a unified approach, cybersecurity measures may be inconsistent, leaving the organisation vulnerable to attacks.

ISO 27001: A Framework to Bridge the Divide

ISO 27001, a leading international standard for information security management, offers a comprehensive framework that can help bridge the “have to” and “want to” divide. By adopting ISO 27001, organisations can systematically examine their information security risks, including threats, vulnerabilities, and impacts, and implement a coherent and comprehensive suite of information security controls and risk management practices.

Enhanced Information Security

Implementing ISO 27001 helps protect sensitive information, intellectual property, and customer data, thereby safeguarding an organisation’s reputation. This is not merely about avoiding negative outcomes; it’s about actively pursuing a secure operational environment.

Improved Client Confidence

Certification fosters trust with clients and partners, particularly those handling sensitive data. In industries where data security is paramount, being ISO 27001 certified can give a significant competitive edge in securing contracts and attracting new clients.

Reduced Operational Costs

By preventing data breaches and cyberattacks, organisations save on the costs associated with data recovery, forensic investigations, and reputational repair. A proactive approach to information security minimises these risks, reducing unexpected expenditures.

Competitive Advantage

Demonstrating a commitment to information security distinguishes a company from its competitors. Certification enhances the brand image and positions the company as a security-conscious organisation, which can be a decisive factor for potential clients.

Improved Business Continuity

Certified companies have robust disaster recovery planning in place, ensuring business continuity in the event of a cybersecurity incident. This preparedness is crucial for maintaining operations under adverse conditions.

Increased Employee Awareness

The process of implementing ISO 27001 raises awareness of information security risks among employees. This empowerment encourages them to adopt secure practices and contribute to the overall security posture of the organisation.

Realising Business Gains Through ISO 27001

Adopting ISO 27001 can help align the objectives of C-level executives and IT departments. The certification process is not just about meeting an external standard but about realising real business gains. Through this process, both parties come to understand and appreciate the tangible benefits of enhanced cybersecurity measures.

A goal such as ISO 27001 certification can alleviate the tensions between the need to comply (“have to”) and the desire to protect (“want to”). It allows both C-level executives and IT teams to see beyond the cost and perceive the value in investment, driving a more unified approach to cybersecurity.

Conclusion

In the complex interplay of business operations and cybersecurity threats, ISO 27001 emerges as a critical tool that can bridge the divide between “have to” and “want to.” By fostering a shared understanding and commitment to cybersecurity, organisations can not only protect themselves from immediate threats but also build a resilient and secure foundation for future growth. Embracing ISO 27001 is not just about achieving certification; it’s about adopting a mindset that values security as an integral part of business success—a true win/win situation for all stakeholders involved.

Contact us today to schedule a no-commitment Discovery Call to discuss how we can help you strategize your cybersecurity roadmap with ISO 27001 certification and get your company ready for the future while ensuring compliance with the industry standards.

Many thanks for reading! To learn more about Business Technology, read our blogs.

Enhancing Success Through Communication: The Key to Client-Service Provider Synergy

In the dynamic realm of professional services, the cornerstone of every successful project is the symbiotic relationship between clients and service providers. This partnership thrives on a foundation of effective communication, where understanding and collaboration are not just ideals but prerequisites for success.

The Initial Steps

Consider a scenario where a client, armed with a carefully nurtured vision, seeks the expertise of a professional service company to bring their dream to life. This initial meeting, charged with anticipation and the promise of collaboration, sets the stage for a journey where effective communication is paramount.

The essence of this relationship is mutual understanding. Clients share their aspirations, needs, and what success looks like to them, while service providers listen, ask probing questions, and ensure that even the quietest voices are heard. This practice is crucial in our work—it encourages inclusivity and ensures that every stakeholder feels valued and understood from the outset.

Growing Importance of Communication

As the project progresses, communication acts as the glue that binds each phase, decision, and milestone. Establishing clear, consistent channels of communication ensures that clients remain engaged and informed, fostering a sense of ownership and active participation in the process. Regular updates, feedback sessions, and progress reports become landmarks on a path marked by transparency, collaboration, and shared goals.

However, this journey is not without its hurdles. Challenges such as conflicts, shifting timelines, and diverging expectations are inevitable. Yet, it is precisely in these moments that the true power of communication comes to the fore. By replacing silence with open dialogue, discord with constructive conversations, and confusion with clarity, we navigate these challenges together, finding solutions rooted in mutual understanding.

Drawing a parallel to personal relationships, where emotions and unspoken assumptions often complicate communication, the professional realm demands a higher standard. Miscommunication, unmet expectations, and erosion of trust can easily derail relationships. The contrast between these narratives underscores the transformative power of effective communication in overcoming obstacles, building trust, and fostering long-lasting partnerships.

Communication is the bridge that connects differing perspectives, the tool that repairs breaches in understanding, and the thread that weaves through the fabric of successful relationships—both professional and personal. By embracing the art of listening, the courage to articulate thoughts, and the commitment to mutual understanding, we cultivate a foundation of respect and collective achievement.

We recognize that no single individual holds all the answers, but together, through asking the right questions and challenging assumptions, we can uncover paths to mutual success. Starting from a place of understanding and respect significantly enhances the probability of achieving shared objectives.

If you’re seeking a relationship with an IT service provider that truly listens and excels in translating ideas into tangible results, we invite you to book a discovery call with us. 

Many thanks for reading! To learn more about best practices for ensuring effective communication channels with your clients, read our blogs.

Harnessing Strategic Technology for Business Excellence: A Guide to Success

In today’s rapidly evolving market landscape, technology is not just an operational tool but a pivotal driver of business success. The journey toward leveraging technology effectively, however, can be complex, especially for companies entangled in transactional or siloed approaches to their tech investments. Such perspectives often lead to inefficiencies, with businesses grappling with escalating costs and a lack of coherence in their technology strategy.

Gap Analysis

Reflecting on this, the first step we take is a deep, introspective look at where our clients stand technologically and where we want them to be in the next one to three years.

This process, known as Gap Analysis, is our compass, because understanding the critical role of technology in business growth necessitates a strategic overhaul.

This process involves evaluating the current state of your:

  • Strategic Business Alignment

In today’s rapidly evolving digital landscape, the alignment of business strategy and technology is not just beneficial; it’s imperative for organisations aiming to achieve sustainable growth and competitive advantage. The concept of Strategic Business Alignment focuses on harmonising an organisation’s technology investments with its business goals, ensuring that every technological advance propels the business forward. This alignment is crucial for bridging the technology gap, a divide that can hinder an organisation’s ability to adapt, innovate, and ultimately succeed in the modern marketplace.

The Essence of Strategic Business Alignment

At the core of Strategic Business Alignment is the understanding that technology should not exist in isolation from the business it serves. Instead, technology should be a driving force that supports and enhances the organisation’s objectives. This paradigm shift requires a deep integration of IT strategies with overall business strategies, ensuring that every technological initiative, from software development to IT infrastructure upgrades, is directly linked to achieving specific business outcomes.

  • Key Vendor Relationships

In an era where technology is a pivotal force in driving business success, the relationships companies maintain with their technology vendors have never been more critical. These key vendor relationships stand at the heart of an organisation’s ability to innovate, adapt, and excel in a competitive marketplace. As businesses strive to bridge the technology gap—a divide that can significantly impact their operational efficiency and market relevance—fostering strategic partnerships with technology vendors emerges as a vital strategy.

The Role of Vendor Relationships in Bridging the Technology Gap

The technology gap refers to the disparity between an organisation’s current technological capabilities and the potential it must reach to meet market demands or achieve strategic goals. Bridging this gap is essential for businesses looking to leverage technology for growth, innovation, and competitive advantage. Key vendor relationships play a crucial role in this process by providing access to cutting-edge technologies, expertise, and support that might otherwise be out of reach for many organisations.

IT Infrastructure & Cloud Services

In the quest to bridge the technology gap and drive business success, IT infrastructure and cloud services play a pivotal role. As businesses grapple with the need for agility, scalability, and efficiency, the transition to cloud-based solutions has become more than just a trend—it’s a strategic imperative. This shift not only addresses the immediate challenges of the technology gap but also lays the groundwork for future innovation and growth.

The Role of IT Infrastructure in Bridging the Gap

Traditional IT infrastructure often struggles to keep pace with the rapid changes and scalability demands of modern business environments. This is where cloud services come into play, offering a flexible, scalable, and cost-effective solution. By leveraging cloud services, businesses can:

  • Enhance Scalability: Cloud services provide the ability to scale resources up or down based on demand, ensuring businesses can handle growth and fluctuations without the need for significant upfront investments in physical infrastructure.
  • Improve Agility: The cloud enables businesses to deploy and update applications quickly, experiment with new ideas, and adapt to market changes more efficiently, fostering an environment of continuous innovation.
  • Reduce Costs: With cloud services, companies can move from a capital expenditure (CapEx) model to an operational expenditure (OpEx) model, paying only for the resources they use. This can significantly reduce IT costs while freeing up capital for other strategic investments.
  • Enhance Collaboration: Cloud services facilitate better collaboration both within organisations and with external partners, enabling real-time sharing and editing of documents and streamlining communication across geographical boundaries.


Cybersecurity Measures

In an age where digital transformation shapes the landscape of global business, cybersecurity has emerged as a foundational pillar for bridging the technology gap and ensuring sustained business success. As organisations leverage new technologies to enhance operational efficiency, innovate products and services, and engage with customers, the sophistication and frequency of cyber threats have also escalated. Bridging the technology gap, therefore, is not solely about adopting advanced technologies but also about implementing robust cybersecurity measures to protect these technologies and the valuable data they handle.

The Critical Role of Cybersecurity in Modern Business

Cybersecurity measures are no longer optional; they are essential for safeguarding business assets, maintaining customer trust, and ensuring the integrity of digital operations. The consequences of cybersecurity breaches extend beyond immediate financial losses to include long-term reputational damage, legal liabilities, and compromised intellectual property.

Business Continuity Planning

In today’s fast-paced and increasingly digital business environment, the ability to maintain continuous operations in the face of unexpected disruptions is more critical than ever. Business Continuity Planning (BCP) represents a strategic approach to ensuring that organisations can quickly recover from disruptions while minimising impact on operations, reputation, and revenue. As businesses work to bridge the technology gap—that is, the divide between current operational capabilities and those needed to compete effectively in a digital marketplace—BCP emerges as a crucial element for sustaining growth and ensuring long-term success.

Understanding the Importance of Business Continuity Planning

At its core, Business Continuity Planning is about proactive risk management. It involves identifying potential threats to operations, such as natural disasters, cyber-attacks, or supply chain disruptions, and developing plans to mitigate these risks. Effective BCP ensures that critical business functions can continue during and after a crisis, safeguarding both the short-term operational capacity and the long-term viability of the organisation.

Policies and Procedures

In the modern business landscape, where technology evolves at an unprecedented pace, the importance of having robust policies and procedures cannot be overstated. These guiding documents play a critical role in bridging the technology gap, ensuring that organisations can not only adopt new technologies efficiently but also manage the risks and challenges that come with digital transformation. As businesses strive for success in a competitive and rapidly changing environment, well-defined policies and procedures become the blueprint for sustainable growth and innovation.

The Foundation of Effective Technology Management

At the heart of bridging the technology gap is the ability of an organisation to manage its technology resources effectively. This involves more than just acquiring the latest tools and systems; it requires a structured approach to integrating technology into the business processes, safeguarding data, and promoting a culture of compliance and best practices. Policies and procedures provide this structure, offering clear guidelines on the use, management, and security of technology.

Strategic Alignment and Governance

One of the key benefits of having well-crafted policies and procedures is their role in ensuring strategic alignment between technology initiatives and business objectives. By defining how technology decisions are made, who is responsible for these decisions, and how technology investments are aligned with the overall business strategy, organisations can ensure that their technology efforts are directly contributing to their success.

Furthermore, policies and procedures establish a framework for governance, ensuring that technology resources are used responsibly and efficiently, and that risks are managed proactively. This governance framework is essential for maintaining operational integrity, compliance with laws and regulations, and the trust of customers and stakeholders.

The Shift

By identifying and addressing these gaps, companies can streamline their operations, enhance productivity, and ensure their technology investments are directly contributing to their strategic objectives. Transitioning from a fragmented to a unified technology approach enables organisations to achieve standardisation, operational efficiency, and a competitive edge.

Consider the transformative journey of a professional services client with offices across Europe. Initially hindered by decentralised technology decisions, the company faced significant challenges in maintaining efficiency and alignment. By adopting a unified technology strategy, they not only streamlined their operations but also set a foundation for sustainable growth, despite the initial resistance and the complexities involved in transitioning from legacy systems.

This narrative underscores the essence of a strategic technology roadmap, which lies in simplifying and standardising processes while effectively managing change. It’s about fostering a culture that embraces technological advancements and aligns them with business goals to drive efficiency, innovation, and collaboration. Key to this journey is involving all stakeholders in the change process, prioritising cybersecurity to protect valuable data and systems, and seeking external expertise when the scope of transformation exceeds internal capabilities.

In crafting a technology roadmap, businesses embark on a strategic endeavour that requires foresight, collaboration, and adaptability. It’s about envisioning an ideal future state where technology not only supports but accelerates business objectives, navigating the complexities of digital transformation with a clear purpose, and adopting a proactive approach to change.

As businesses navigate the intricacies of technology integration, the value of a well-constructed roadmap becomes increasingly apparent. It acts as a beacon, guiding companies toward technological empowerment and enabling them to harness the full potential of their digital investments. In an age where technology dictates market dynamics, a strategic approach to technology planning is not just beneficial; it’s imperative for success.

Contact us today to schedule a no-commitment Discovery Call to discuss how we can help you strategise your technology roadmap and get your company ready for the future.

Many thanks for reading! To learn more about Business Technology, read our blogs.

Top tips to identify a suspicious email

Cyber Security

Estimated Reading Time: 5 Minutes

Phishing attacks are trying to hack your brain!

Some hackers use code to commit cybercrime; others use simple social engineering. Phishing attacks rely on hacking (psychologically manipulating) the user’s brain to gain access to sensitive information. Unfortunately, this has proved to be rather easy for hackers to do. In fact, 97% of people around the world are unable to identify a sophisticated phishing email, according to cybersecurity expert Estelle Derouet.

Not only are phishing attacks likely to be successful due to widespread user ignorance, but they are very easy for the cybercriminal to administer using automated Phishing-as-a-Service campaigns. This is why over half of all internet users get at least one phishing email a day.

Of course, there are enterprise-grade IT security services that companies use to stop the majority of these malicious emails from entering users’ inboxes in the first place. But, no matter what companies do, a few will manage to find their way through. These are the more sophisticated phishing campaigns, and, therefore, you can bet that if they have got this far they are more likely to be successful.

Stop social engineering attacks in their tracks

Defence really is the best form of retaliation when it comes to suspicious email activity. There is not yet a helmet invented that you can pop on the user’s head to ward off social engineering attacks. But, luckily, a bit of user training can do the trick! Educating your employees on how to identify a suspicious email is the best protection against any scammer that gets through your security measures. Read the tips below in the infographic and list to remain vigilant.

8 tell-tale signs that an email is not safe

Top Tips to Avoid Phishing Attacks Infographic

Still not sure if your brain is being hacked? Some scams are very clever and will leave you guessing. If you are not sure about the authenticity of an email, always take the precautionary step of contacting the company featured in the email. Large companies are very often aware of scams that are circulating and may have alerts on their website or social media accounts. By reporting a scam email to the company that has been misrepresented, you are helping them to raise awareness and reduce the damage done by such scams.

Are you looking for a company to take your IT support to the next level? Make sure to give us a call on 01 664 4190 or contact us for a chat about your IT challenges and needs. We are always happy to offer some sound advice on how you can best support your growing business.

List Format

1. Check the sender’s email address

Scammers usually try to mimic the email address of the company they are pretending to represent. The display email address in the user inbox will, therefore, contain a well-known company name or brand. While this tactic gives a sniff of authenticity to the email, it is not difficult to find out whether there is a fraudster behind what looks like a genuine sender.

By simply hovering your mouse over the display name, the real email address behind it will be revealed. Right-clicking on the sender name should show the same information. A bizarre email address behind what looks like a respected sender name is a sign that the email is suspicious.

2. Check links in the email (but do not click!)

Again, do not click on any links contained in a suspicious email! You can test links by opening a new window in your browser and typing in the company name. If the email purports to come from a big brand or company, open a new tab and search for the official website of that company. You can then compare the URL address to that which has been sent to you in the email.

3. Are they seeking personal information?

Scammers posing as banks, lenders, or other legitimate businesses will often request personal information. Some email scams use information that they already have to make you believe that they just need you to “confirm” or validate the remaining details. Banks and legitimate businesses will never request personal information via email.

4. Are you made to feel under pressure?

Beware of instructions to log in to your account for an urgent message or update. Recipients are often threatened with account closure or service termination if they fail to click on the link and log in to their account. You can do a quick check by simply logging into your account in a separate window or contacting your service provider directly.

5. Put your detective hat on to find mistakes

Poor spelling and grammar are obvious signs that the email does not come from a legitimate source. But look out for less noticeable mistakes too. The UK consumer rights organisation Which? reported detecting an email scam because of a mistaken date: the email, sent in March 2017, contained details of a competition with a closing date of December 2016.

6. Consider the greeting

Do they know your name? Many email scams will address the recipient with impersonal language such as “Dear valued customer” instead of using a name. This one isn’t foolproof, because some legitimate companies simply do not use personalised marketing, but it is still worthwhile adding to your checklist, just in case.

7. Unexpected attachments (do not open them!)

Attaching files that contain malware or viruses is a common phishing tactic. Clicking on these files can put your computer at risk and can enable a scammer to damage your files or steal your passwords. If you cannot tell what the attachment is, then do not open it.

If you really must open it, then do it with Notepad to have a look at the data without it automatically running. However, keep in mind there is still a small chance the code could be designed to exploit Notepad. In this case, a sandbox is your safest bet.

8. Does that logo look blurry to you?

Just like using a well-known brand name in the display email address, scammers will often insert a logo or brand name into the email header. Keeping a watchful eye on the appearance of logos contained in an email can pay off. A poor-quality or out-of-date logo is a sure sign of a fake email. Double-check by opening the last genuine email you received from the company.
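Several of the signs above (mismatched sender domain, links that point somewhere other than the brand they name, requests for credentials, urgency language, generic greetings and executable attachments) can be checked mechanically before a message reaches a user. The script below is an added example, not code from the original post; the two messages it analyses are constructed for illustration, the indicator names and keyword lists are the author's own choices, and the domain comparison is a crude last-two-labels match rather than a public-suffix lookup.

```python
"""Heuristic phishing indicators, as an added example (not from the original post).
Takes a raw RFC 5322 message string plus the brand domain the mail claims to come from."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Keyword lists are assumptions for this example, not a vendor's rule set.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "account closure")
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user")
CREDENTIAL_WORDS = ("confirm your password", "verify your account", "confirm your details")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".docm")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def registered_domain(host):
    """Crude 'brand' part of a hostname: its last two labels (no public-suffix list here)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_message(raw, claimed_brand_domain):
    """Return a sorted list of indicator names found in the message."""
    msg = Parser(policy=policy.default).parsestr(raw)
    brand = registered_domain(claimed_brand_domain)
    flags = set()

    # Sign 1: display name names the brand, but the real address domain is something else.
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if sender_domain and registered_domain(sender_domain) != brand:
        flags.add("sender-domain-mismatch")
        if brand.split(".")[0] in display_name.lower():
            flags.add("brand-in-display-name-only")

    # Gather plain-text and HTML bodies; attachments are handled separately below.
    body_text, html = "", ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            body_text += part.get_content()
        elif part.get_content_type() == "text/html":
            html += part.get_content()
    lowered = (body_text + " " + re.sub(r"<[^>]+>", " ", html)).lower()

    # Sign 2: link targets that do not belong to the brand (or are not even HTTPS).
    collector = _LinkCollector()
    collector.feed(html)
    for href, _text in collector.links:
        host = urlparse(href).hostname or ""
        if host and registered_domain(host) != brand:
            flags.add("link-domain-mismatch")
        if href.lower().startswith("http://"):
            flags.add("link-not-https")

    # Signs 3, 4 and 6: asking for details, applying pressure, impersonal greeting.
    if any(w in lowered for w in CREDENTIAL_WORDS):
        flags.add("requests-credentials")
    if any(w in lowered for w in URGENCY_WORDS):
        flags.add("urgency-language")
    if any(g in lowered for g in GENERIC_GREETINGS):
        flags.add("generic-greeting")

    # Sign 7: an attachment with an executable or macro-capable extension.
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS):
            flags.add("risky-attachment")
    return sorted(flags)


def constructed_phishing_sample():
    """A constructed phishing-style message for demonstration; domains are fictional."""
    msg = EmailMessage()
    msg["From"] = "ExampleBank Support <alerts@examplebank-secure-login.example>"
    msg["To"] = "someone@company.example"
    msg["Subject"] = "Urgent: action required on your account"
    msg.set_content("Dear valued customer, your account will be suspended within 24 hours. "
                    "Please log in immediately to confirm your details.")
    msg.add_alternative('<p>Dear valued customer,</p><p>Your account will be suspended within '
                        '24 hours. <a href="http://examplebank-secure-login.example/login">'
                        'www.examplebank.example</a> to confirm your details.</p>', subtype="html")
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                       filename="statement.exe")
    return msg.as_string()


def constructed_legitimate_sample():
    """A constructed benign message from the same fictional brand, for comparison."""
    msg = EmailMessage()
    msg["From"] = "ExampleBank <noreply@examplebank.example>"
    msg["To"] = "jane@company.example"
    msg["Subject"] = "Your monthly statement is ready"
    msg.set_content("Dear Jane, your monthly statement is available in online banking.")
    return msg.as_string()
```

Zero indicators does not prove a message is genuine; the checks only automate the first pass, and a message that passes them still deserves the manual steps in the list above if anything feels off.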


Embrace BYOD, but be smart about it!

Outsourced IT Support

IT infrastructure extends far beyond the office these days. Business-on-the-go once referred to the travelling salesman, checking in with the boss at the next pit stop with a payphone! Today, people can check-in to the office from virtually anywhere. Remote working, working from home and digital nomads are all viable and common work practices made possible by unified communications, multi-device software and continuous improvements in consumer technology.
Do you bring your mobile/laptop/tablet to work? Do you access work-related data and applications from your personal device? The BYOD (bring your own device) culture has gathered momentum, but businesses should be aware of the implications it can have for their IT security.

BYOD is not going anywhere

BYOD is a practice that is expected to continue to grow in popularity. The United States is leading the way, where 87% of companies rely on their employees using personal devices to access business apps. This is becoming less of a choice and more of a requirement. There are many reasons for the BYOD explosion:

BYOD is cost-effective

With annual licensing costs, software updates and maintenance costs, IT resources can be expensive. BYOD decreases the investment businesses make in IT. Not only is this good news for the business, but it is easy to put into effect because nearly everyone has a smartphone.

According to Deloitte:

“90% of Irish adults have a smartphone while the number of people with access to a tablet has increased from 64% to 71%. We are increasingly using our phones and tablets for purposes which we traditionally used PCs and laptops for including work.”

Benefit from better technology

Not only are Irish people already using their phones for work, they are also likely to look for a device upgrade 12 months after their initial purchase. It follows that consumer technology is often further developed than the typical company-wide IT infrastructure. Few Irish companies can keep their technology this up to date.

Benefit from productivity increases

There have been a number of studies conducted on this subject, with Cisco finding that on average employees save 81 minutes every week in productivity if they are using their own device. This is attributed to ease of use. People are familiar with their own device and do not need user training to navigate the interface. Not only does this feel more comfortable, but it offers people the potential for a better work/life balance.

BYOD offers flexibility

This leads us back to business-on-the-go. Employees and employers benefit from the flexibility of being able to work outside of the office. Take ‘the beast from the east’ as an example! People all over the country were forced to stay at home, many for at least three working days. BYOD and the ‘anywhere access’ it provides makes unpredictable occurrences such as this a non-issue.

“But what about our IT security?”

What happens if an employee loses their device or it is stolen? Are devices used for personal reasons more likely to encounter malware? These are justifiable concerns for any business.

The primary risks associated with BYOD are:

  • Data loss, by mistake or by theft
  • Data leakage if the device is not secure
  • Public exposure, especially in Wi-Fi zones
  • Malicious apps on the device
  • Cross-contamination of user data and corporate data
  • The general loss of control over sensitive data

The importance of IT security has become increasingly apparent since 2017, the year which reminded businesses all across the world that cyberattacks are a real and constant threat. So, where does BYOD fit into IT security? The answer is the combination of a strong mobile security solution and a clear BYOD policy.

Robust mobile security

It is essential to choose an enterprise-grade mobile security solution for your entire mobile infrastructure. Comprehensive end-to-end security ensures that there are no vulnerable links in your network and continuously scans traffic for unusual behaviour. While defending your devices from malicious attacks, a sophisticated mobile security solution will enforce your security policies across all devices and users.

Draw up a BYOD policy

BYOD should not be a free-for-all, although right now in many businesses it is. This is simply because of the enduring fact that culture struggles to keep up with technological developments. However, a simple and straightforward BYOD policy can get everyone quickly up to speed.

Set boundaries for user behaviour

In the policy, outline exactly what is an acceptable use of BYOD for your company. Assume your sensitive data will go everywhere: to the user’s home, on their commute to work, to cafes and restaurants, and probably even on holiday. It may be helpful to list the applications that are permitted during work hours, and others which are not.

Remember that personal devices are notorious for distracting users towards personal errands, so a clear statement of the company’s opinion on this kind of activity during work hours can be worthwhile. Alongside this should be the usual necessary references to appropriate behaviour in the workplace.

How will reimbursement work?

Does the company offer any kind of reimbursement towards the cost of the device? Typically the user’s device will need to store business applications which eat up storage and energy. Determine what exactly are the company requirements from the user’s device and from there decide the level of reimbursement necessary.

What technical support will you offer?

What devices does the company support? Who is responsible for technical issues? What problems are the IT team’s responsibility? These questions need clear answers to avoid confusion when an issue does arise.

Give good security advice

As with the company computers, it is a good idea to have a security guide for BYOD users. This section should include recommendations for setting and storing passwords, device security settings, application privileges and general mobile security awareness.

Setting boundaries and disclaimers

This section should define what happens if various unfortunate events should arise. Recommendations should be made about what course of action the user would take and what the company’s response would be. The company’s right to access data and wipe data from devices should be defined. Equally, the protection of users’ personal data should be guaranteed. Where liability falls for each eventuality should be stated and what rights the company reserves in worst-case scenarios.

With the right framework in place, both employers and employees can benefit from a BYOD practice. Setting boundaries and implementing security measures will ensure there are no inherent risks, leakage, or misunderstandings. Get in contact today to strengthen your IT security against cyberattacks and network security breaches!


Identity Management and access control

IT Support Ireland

Cloud-based storage systems and applications are now a huge part of how business operates. The shift towards using cloud computing has resulted in an increase in Software as a Service (SaaS) and Platform as a Service (PaaS) applications.

Using cloud software and applications alleviates the burden of updating services, managing downtime and staffing an in-house IT department. It’s also cost-effective, with many providers offering fixed-cost monthly subscriptions allowing you to pay only for what you use.

Balancing access and control

Getting the most out of SaaS/PaaS means striking a balance between providing users with enough access to do their job while at the same time protecting company data and resources. A robust identity management and access control policy will reduce security risks, increase efficiency and ensure compliance with regulations that govern the privacy of personal data.

Managing users

Creating and managing users involves deciding who can access what and how. Individual users can be assigned Single Sign-On (SSO) capabilities and often need to access company resources across a range of platforms and applications on-site and remotely. Advanced security measures that require more than single step sign-in are also available. Multi-factor authentication (MFA) provides an extra layer of safety. For example, in addition to the traditional username and password, users may need to enter a code received by text, or use a smart card or fingerprint.

Identity Providers (IdPs)

Directory services or identity providers can create, maintain and manage identity information. Microsoft Active Directory is an IdP developed for Windows domain networks. Active Directory is an umbrella title for a broad range of directory-based identity-related services. In many cases, user information is sourced from different repositories. Identity providers must not only manage identities in different systems but also be able to synchronise information and provide a single source of truth when required.

Putting together your company’s Identity management strategy

With so many services, applications and platforms and so much security at stake, the composition of an efficient identity management policy can appear daunting. The process can, however, be simplified by considering four basic factors.

1. What do you need to protect?

List the assets you need to protect when implementing your identity management and access control system. Databases, customer and employee information, company statistics, software, transaction information; these are precious commodities. The purpose of identity management and access control is to give those who need it maximum access to these assets at minimum risk.

2. Assess the risk

Now that you know what you have, classify all your assets according to their value. The value of an information asset pertains to how damaging it would be to have that data or application altered or accessed by a non-authorised person. For example, identity theft is a serious and common crime.

Databases containing customer and employee information might, therefore, be considered high risk. For assets such as these, you might consider investing in a multi-factor authentication (MFA) service.

Assessing the risk of each asset will provide a foundation for deciding how protected each one should be, who should access it and how.

3. Choose your management system

Your choice of management system will depend on what systems you are currently using. Microsoft Active Directory is a popular management system for those operating with Windows. If you use an OS such as Unix or Linux, a directory based on the Lightweight Directory Access Protocol (LDAP) might be the better fit for you.

No matter what computer infrastructure your business is using, there is a compatible access management programme available with options for even the most diverse platforms.

4. Implementation

Having assessed your company’s data and assets and chosen your management system, it’s now time to implement your identity management and access control strategy. Users should be aligned with an appropriate level of access that affords convenience and security.

Depending on staff numbers and distribution, you may decide to allow remote access to certain applications. If there are multiple applications with different user ID and password systems, an enterprise-wide single sign-on (SSO) system would be advantageous. SSO products range from Imprivata (used by medium-sized companies) to IBM’s Tivoli (for larger companies).

Flexibility

Once established, your identity management system should provide the flexibility to modify the access levels of its users. Rights of access can be conferred in blocks by establishing groups with specific privileges reflecting job function or staff locations. Other employees will need customised access. Request and approval procedures for modifying privileges should be built into your access management programme.

The keys to the castle

Identity management technologies represent the keys to your castle; they allow you to protect your business, manage user identities and access permissions in an automated fashion. A clear and universally upheld identity management policy will allow your company to extract the very best of what these digital keys have to offer.

If you’d like to discuss ways to better manage identities and access in your company, talk to Spector about the different ways we can help.

Grow your SME without frying your brain

Cyber Security

Can you remember what it was like to not have a mobile phone? Although we may harbour some gripes about our increasing dependence on technology, it is difficult to imagine leaving the house without this object of security and resourcefulness in our pocket. Sure, we might take the odd Sunday OTG (that’s off-the-grid, to you and me), but for the majority of us, the advantages modern technology brings to our daily lives are simply overwhelming.

This is our personal experience of technology, but what about in the competitive realm that is business? Obviously, technology provides advantages here too, but, more than that, it is utterly crucial for growth as well as basic survival.

Survival of the fittest, aka the most innovative, efficient, knowledgeable…

Don’t get us wrong; the successful modern workplace still relies on people. In fact, it is fuelled by knowledgeable individuals using their time effectively on tasks that produce real results for the growing business. This sounds fairly obvious and straightforward, that is until you break it down.

What defines a knowledgeable worker? Are the majority of daily tasks directly affecting the business’s goals? Or is a lot of time spent on menial tasks that must be done to get to the “real” work? If this is so, how can people be truly effective? And how can a business grow when the brains it relies on are wasted in this vicious cycle?

Today’s business technology can provide answers to each of these concerns. How? By gathering and relaying knowledge in the form of real-time data to inform daily decision-making and by automating tedious office housework to free up employees for the high-value tasks. This is what makes growth possible. That is why we have made up a quick list of some of the most noteworthy productivity tools on the market that will help you take your business to the next level!

4 productivity tools for the growing SME

Trello – project management

How do you currently track your projects? Valuable information and time are often lost in emails and quick conversation by the water fountain. Trello is a project management tool that keeps everything in the one place. It uses the Kanban system, developed by Toyota for lean processes and just-in-time manufacturing.
With Trello, each project has its own Board and the tasks to complete the project are organised by Cards, which can be edited in real-time and moved across the board until the project reaches its completion. The interface resembles sticky notes on a whiteboard, keeping it simple for everyone to use while remaining productive. Your whole team can get involved, adding comments, images, files, checklists, and deadlines to tasks during the entire process.
Project management tools, such as Trello, allow for real-time collaboration. Everyone on the team is kept up to date with what is going on, and momentum is maintained by the drag-and-drop function, assigned accountability and explicit deadlines. The particularly great thing about Trello is that it is free and available on all devices.

Slack – unified communication

The power of unified communication cannot be underestimated because, after all, effective communication is the bedrock of good business. Yes, we all have email accounts, but emails have their own specific (somewhat stuffy) culture. The user-friendly interface of instant messaging apps such as Slack results in more streamlined conversations.

In Slack, communication is succinct and actionable because of the instant aspect. This faster response time leaves email in the dust. Of course, email is still necessary for external communications, but, for your teams, Slack can greatly increase efficiency as the crux of important decisions is unearthed faster. However, Slack offers more than just texting for business. It allows for presence management by showing who is available online in real time, supports file and image sharing, and organises multiple conversations over numerous streams.

Due – invoicing software

Cloud technology is empowering the smallest of businesses to push their production capacity further than ever before. Due is an invoicing software that takes the hassle out of chasing payments. Here all your invoices are organised by what stage they are currently at, Sent, Received, Saved or Paid. Invoices can be set to send recurrently, and you can even automate late payment reminders!

With notifications to remind you which payments are due and billing timers to keep the cash flowing, this is an accounting solution that not only simplifies the nuts and bolts of the invoicing process but also communicates helpfully with the user and their clients directly. Due is free for up to three invoices a year. After that, the most expensive plan is only $49 a year.

IFTTT – app integration

Can’t find an automation tool that does what you need? Why not make your own ‘recipe’ of automated actions with IFTTT? IFTTT stands for ‘if this then that’, and this cloud service offers a library of simple automated processes, or Applets, to make your workday easier. If you still can’t find one that answers your specific needs, you also have the opportunity to make your own. Do you need every email attachment to be automatically downloaded as a PDF into a certain folder? Or do you want every new email contact to be listed in an Excel document? There are Applets on IFTTT to ease the pain of all kinds of tedious tasks, and the great thing is that this service easily integrates with hundreds of third-party tools. But more importantly, is it free? Yes, it is!

If you are not the techy type, the word ‘automation’ can sound complex and alien, but we hope we’ve shown you that with some simple and very inexpensive tools your SME can flourish while competing in the modern digital landscape.

Are you ready to take your SME to the next level? Make sure to give us a call on 01 664 4190 or contact us for a chat about your current IT infrastructure. We are always happy to offer some sound advice on how you can grow your business with productivity tools.

GDPR: A Q&A with Michael Brophy, CEO of Certification Europe

Aaron Nolan and Mark Hurley of Spector, with Michael Brophy, CEO of Certification Europe

Estimated Reading Time: 6 Minutes

by Mark Hurley – Managing Director, Spector

With GDPR just around the corner, it’s clear that implementing robust security policies will be essential for every business. Cybersecurity is an ongoing concern for companies everywhere, from SMEs to large multinational corporations. Ensuring your IT environment is secure is important not only for the protection of your own sensitive data but also because of the potential impact on clients and suppliers.

I was pleased to be able to get an insider’s perspective on what the future of cybersecurity will look like when I interviewed the CEO of Certification Europe, Michael Brophy. He has a longstanding career in all matters of international standards and compliance and is considered a leading expert on standardisation in Ireland. Michael has served as an authority on data security for numerous EU Commission committees and was closely involved in the development of electronic signature standardisation.

During our chat, we discussed Cyber Essentials and ISO/IEC 27000, ‘self-assessment’ certificates, the impact such certifications have on GDPR compliance and what the future of Certification Europe will look like.


Mark Hurley and Michael Brophy

Mark Hurley: Hi Michael. Welcome to Spector! We cross paths once again. Many thanks for your help with the set-up of our ISO/IEC 27001 certification. Today we have a few questions for you around cybersecurity…

When we look at Cyber Essentials, for example, we approach it from a security policies foundation. The policies and evidence we gather around these policies are what we submit, with the guidance of your team, to Cyber Essentials for our SME clients. But cybersecurity is a continuous event, rather than a single event. I’m wondering, how do you see this approach changing in the future?

That’s right, Cyber Essentials and ISO/IEC 27001 approach cybersecurity as a journey, not a destination. It’s the start of the process, which has to be maintained. But at least now we have a reference point. For 27001, Cyber Essentials provides a marker. It is a grid reference point.

If you are a hard-pressed managing director and you have no internal IT support, the worry is knowing just how exposed you are. How do you determine how good your security is? This is why it’s good to have the likes of Cyber Essentials for peace of mind. They can tell you whether you are doing it right or not; if you’re not, at least you’ll have the resources at hand to quickly get on top of it.

MH: How do people come to you? Do they get in contact directly looking for training or management in cybersecurity, or do they come through managed IT service providers such as Spector?

There are two main ways.

We deal with about a thousand organisations around the world, most of which are SMEs in Ireland. Often, they will have encountered other standards to which they have had to adhere, such as quality or environmental standards, so they are already members of our client base.

The second route to us is very much via companies such as Spector. They are questioning what they should be doing and are now looking for a reference point to anchor this process. Cyber Essentials seems to be the main reference point for SMEs in Ireland.

MH: When we began looking at Cyber Essentials, in particular in the UK, we saw it as a crest that displayed our cybersecurity standards as certified by Europe. When we applied for the certificate, it was a stringent process, but now there is the option of the ‘self-assessment’, which would seem to devalue it. Would you agree with this?

I agree. In general, the idea of self-certification or self-approval is always somewhat lacking. It will always be open to question because it essentially comes down to the company stating ‘We are great!’ Well, who says so? ‘We do!’ That will always be contentious.

Whereas, in the case of an independent assessment, people tend to feel a lot more certain that the security standards are up to scratch.

MH: Regarding the gap between a Cyber Essentials certification and moving up the ranks to ISO/IEC 27001, is this about the size of the company, or something else?

Certainly, ISO/IEC 27001 is a step up. The reason some companies start at this level of certification and others work up from Cyber Essentials might be because of size. Particularly if you’re a large company in the tech sector or financial sector, you would be looking at going straight for ISO/IEC 27001.

Also, it has to do with the type of customers you deal with. Major drivers are customer expectation and supplier-side pressure. It could be that the companies you work with simply expect you to have ISO/IEC 27001. In certain sectors, it is virtually mandatory, especially for data centre hosting, online hosting or cloud-based services.

On the other hand, SMEs that are simply wondering if their security is up to standard and whether they are leaving themselves exposed, tend to go for Cyber Essentials.

MH: We’ve found that ISO/IEC 27000 series seems to go a very long way when it comes to GDPR compliance. Do you find people are taking this route because of GDPR?

I think you’re spot on. We find that clients who have had ISO/IEC 27000 (especially for a few years, as they are quite mature systems) not only experience a cultural change within the company, but it also provides a framework that can be used for things other than IT security.

For these companies, GDPR is a natural progression as there are a lot of areas they will already be able to tick the box for. Of course, some elements are very specific to GDPR and will still need attention, but our ISO/IEC 27000 clients say that they have 75%-80% of the compliance already done, so they are just making up that 20% difference to be assured they have met the requirements.

MH: Is Certification Europe providing any services to fill that gap?

That’s a good question and very pertinent at the moment. It’s a case of watch this space! Once GDPR comes into effect in May, one of the first things we can expect is that the EU will make a pronouncement on what certification schemes are recognised. I think it is unlikely they will say that any sort of certification is compliant. But what we have seen in other fields is that certification will be given due recognition, particularly from a risk point of view.

One could assume that when the Data Protection Commissioner or the Information Commissioner’s Office are looking at organisations to possibly audit, and assessing risk profiles they need to regulate, companies that have voluntarily sought certification will be further down their lists.

MH: How much interest is there about GDPR from your current client base?

At the moment, the clamour is getting louder and louder! What’s interesting is that there are already moves for potential certification schemes. There is a standalone management system, called ISO 10012, which is especially for data privacy. It is a standalone standard, so you can go for it without previous certifications.

Another interesting development is a current working document called 27225, which is a bolt-on to the 27000 world series. It’s still in draft format but is specifically about managing the privacy of information. For a company that already has 27001, rather than going for another certification which sits in isolation, this will allow you to build on to 27001 and bring in data privacy requirements – in line with GDPR. It will be an integrated management system. I’d say a lot of 27001 clients will be keen to look at this in the future.

MH: My final question is, what does the future look like for Certification Europe?

In a general sense, I think independent verification is going as a business. Information security continues to grow in importance. In many sectors, it is now mandatory. Clients are aware that this is a crucial question to ask of providers and vendors, and they know to question the standards that are in place. That’s why certifications such as ISO/IEC 27000 matter and will continue to grow.

There are three areas that we are focusing on. They may be two, three, four years down the line, but sectors such as artificial intelligence, blockchain technology (it will be very interesting when it moves out of the financial services sector) and the fintech sector are developing rapidly. They haven’t reached our purview yet, but soon enough there will be new discussions to be had around acceptable standards and certifications. It’s something we are already preparing for and will be a fascinating area of development.

MH: Fascinating stuff! Thanks very much for your time, Michael. We look forward to working with you into the future.

[Featured image shows (l-r) Aaron Nolan and Mark Hurley of Spector, with Michael Brophy, CEO of Certification Europe]