The multinational impact of GDPR

Many businesses are yet to understand the sheer scale and breadth of changes their company data processing policies will need to undergo to comply with the general data protection regulation (GDPR). Here, Nigel Crockford, Business Development Manager at IT consultancy eSpida, explains how the regulation will impact multinational businesses — and how they must prepare themselves.

Benjamin Franklin once said, “By failing to prepare, you are preparing to fail”. This statement will ring especially true for multinational businesses in the coming months as the GDPR comes into force across the European Union (EU).

By uniting 28 different EU member state laws under one data protection law, GDPR is set to harmonise data protection laws throughout the EU, giving greater rights to individuals.

Taking effect on May 25, 2018, every business will need to review its existing procedures to ensure the mechanisms needed to comply with GDPR are in place. Failure to comply can result in fines of up to four per cent of global annual turnover or €20 million, whichever is greater, for the most serious infringements (a lower tier of two per cent or €10 million applies to others).

Non-compliant businesses could also face bans or suspensions on processing data, in addition to the risk of class actions and, under some member states' national laws, criminal sanctions.

GDPR and multinationals
To enforce the regulation, each member state has its own national supervisory authority (often called a data protection authority, or DPA) that investigates complaints and breaches. Since GDPR was announced, businesses operating in several EU countries have repeatedly asked which authority would take action against them if they were found non-compliant, and whether the authority in every country where they have an affiliate could act.

For cross-border processing, GDPR's "one-stop-shop" mechanism means that a single lead supervisory authority coordinates enforcement. Where a controller is established in several EU countries, the lead authority is the one in the country of its main establishment, which for a controller is normally the place of its central administration in the EU. Other authorities concerned can still be involved, and the lead authority's decision binds the controller across the EU.

Non-EU affiliates of a multinational business will also be affected, particularly where personal data sits in one central system that affiliates across the globe can reach. Companies operating at this scale need a clear map of how personal data flows through the group, because every transfer out of the EU needs a recognised transfer mechanism (an adequacy decision, standard contractual clauses or binding corporate rules) to be compliant.

This is just one example of how GDPR formalises issues that the UK's Data Protection Act 1998 did not address. Another is what must happen when a personal data breach occurs.

In 2016, Yahoo revealed that it had suffered a cyberattack in 2013 that leaked account details of what was eventually confirmed to be all three billion of its user accounts. What appalled the public was that the attack had taken place three years before it was reported.

Unfortunately, this is not an isolated incident. In 2017, Uber revealed that in 2016 it had paid the attackers who stole data on its users and drivers, keeping the breach quiet for a year, which prompted a backlash similar to the Yahoo one.

Under GDPR, a controller must notify the supervisory authority (in the UK, the Information Commissioner's Office, ICO) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the people affected, they must also be told without undue delay. Meeting a 72-hour clock in practice requires that a breach is detected and escalated quickly, so businesses should also invest in the detection and response measures that limit the damage a breach can do to their employees and customers.

Preparing to succeed
Identity and access management is one example: it restricts access to resources within a system to the identities entitled to them, and can vary what a user is allowed to do on the network depending on factors such as the user's role, location and device type.
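To make the idea concrete, here is a small conditional-access evaluator of the kind described above. It is an added illustration, not eSpida's code or any product's real policy: the network ranges, resource sensitivities and role entitlements are assumed, and the rules (entitlement first, then device trust, then location, then a second factor) are one reasonable ordering, chosen so that anything the tables do not know about is denied rather than allowed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All of the following ranges, resources and role entitlements are assumed
# for illustration; a real deployment would load them from its directory
# and network inventory.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
RESOURCE_SENSITIVITY = {"payroll": "high", "crm": "medium", "wiki": "low"}
ROLE_ENTITLEMENTS = {
    "hr": {"payroll", "wiki"},
    "sales": {"crm", "wiki"},
    "it": {"payroll", "crm", "wiki"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    source_ip: str
    device_managed: bool  # enrolled in the company's device management
    mfa_passed: bool      # second factor already presented in this session


def on_corporate_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def evaluate(req: AccessRequest) -> str:
    """Return 'allow', 'mfa_required' or 'deny' for one request.

    Rules are evaluated in order and the first deny wins. A resource or role
    that the tables do not know is treated as high sensitivity / no
    entitlement, so the policy fails closed rather than open.
    """
    if req.resource not in ROLE_ENTITLEMENTS.get(req.role, set()):
        return "deny"                       # not entitled at all, whatever the context
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource, "high")
    inside = on_corporate_network(req.source_ip)

    if sensitivity == "high" and not req.device_managed:
        return "deny"                       # high-value data never reaches an unmanaged device
    if sensitivity == "medium" and not req.device_managed and not inside:
        return "deny"                       # unmanaged device off-network: too little assurance
    if sensitivity != "low" and (not inside or not req.device_managed) and not req.mfa_passed:
        return "mfa_required"               # weaker context: demand a second factor first
    return "allow"


if __name__ == "__main__":
    demo = AccessRequest("alice", "hr", "payroll", "203.0.113.5", True, False)
    print(demo.user, "->", evaluate(demo))  # managed laptop but off-network: mfa_required
```

The point a practitioner should take from the ordering is that a second factor is asked for only after the request has survived the hard denials; prompting for MFA on a request that will be refused anyway trains users to approve prompts reflexively.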

With the rise of cloud computing, extra measures are also needed to safeguard data held there. A survey found that 41 per cent of businesses were using the public cloud for their work, with 38 per cent on a private cloud network. Encrypting data at rest and in transit, with the keys held separately from the data, limits what an attacker gains from access to the underlying storage, although it does not replace access control on the systems that hold the keys.

Documenting these measures is mandatory for businesses with 250 or more employees, and also for smaller ones whose processing is more than occasional, carries risk to individuals, or involves special categories of data. Under GDPR, such a business must keep records of its processing activities: what personal data it collects and why, who it is shared with, how long it will be retained, and a general description of the technical and organisational security measures in place. The obligation to secure personal data appropriately applies to every business regardless of size.

In addition to identity management and encryption software, businesses can also consider various other security tools for their systems, including anti-ransomware, exploit prevention and access management.

Another notable change is that companies whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of personal data, will now be required to appoint a data protection officer (DPO), as will public authorities. Special category data covers racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data and data about sex life or sexual orientation.

GDPR will have a wide-ranging impact on multinational businesses. Although some may be more prepared than others, each business’ status in complying with GDPR is different, with no one solution suiting all. By investing in GDPR compliance specialists like eSpida, businesses can avoid costly fines because of discrepancies with the regulation.

It's fair to say that the GDPR is the most significant change in data privacy law since the 1995 Data Protection Directive it replaces. Although it is EU law, it also applies to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour, and many believe it will prompt similar protections for individuals across the globe.

Businesses must prioritise updating their current systems to ensure their processing policies are compliant with the GDPR. Depending on the current position of a business, some may need more preparation than others. For example, not every business will be required to appoint a DPO, but others may need to reorganise their HR team to help enforce GDPR compliance across the company.

With May just around the corner, businesses who have not already started preparing need to act now to avoid financial punishments and reputation repercussions.

Is your HR team the key to GDPR compliance?

GDPR is just around the corner and HR professionals are set to be among the most significantly affected, particularly in terms of recruitment data. So how can companies ensure their HR departments are ready for the change in legislation?

The new General Data Protection Regulation (GDPR) is set to significantly raise the standards for the processing of personal data in the European Union (EU). After May 25, 2018, every business will be impacted by GDPR and failure to comply with the regulation will result in costly penalties of 4% of global annual turnover or €20 million, whichever value is greater.

Many businesses have begun educating themselves on how the new data consent rules will affect them and are working promptly to implement GDPR compliant policies and processes. As such, when making these integral changes, businesses should put their HR departments at the forefront of the operation and utilise their expertise.

A company’s HR team handles sensitive and often confidential information about the business and its employees every day. This means that HR professionals are well equipped to lead by example and demonstrate to other departments how customer data should be handled following the introduction of GDPR.

Generally, most businesses are structured so that HR teams are responsible for reviewing and revising existing company policies. This also includes managing any potential risks posed to employees and ensuring compliance with any legal and regulatory obligations.

As natural enforcers of company policy, it would make sense that HR departments work to help their business develop a holistic approach to the implementation of GDPR compliant strategies. This includes creating a resilience plan to help each segment of a business understand and minimise the current data risks and any future implications regarding GDPR.

With this in mind, what is it that HR departments should bear in mind when ensuring GDPR compliance across a business and how will the regulation impact their current processes?

Change to requests

Subject access requests (SAR) are submitted by individuals who want to see a copy of all the information an organisation has stored about them, including information about whether the personal data is being processed and the source of the data. As it stands, individuals are entitled to request this information under section 7 of the Data Protection Act 1998 but, in some instances, it comes at a cost.

Currently, unless it relates to an individual's health record, organisations can charge up to £10 before handling a SAR. Under GDPR, organisations must provide the information free of charge, unless a request is manifestly unfounded or excessive. Businesses must also respond within one month of receipt rather than the 40 days previously allowed; the period can be extended by a further two months for complex or numerous requests, but the individual must be told of the extension, and why, within the first month.

How much information?

Internal HR processes will also be greatly affected by GDPR, in some cases on a global scale. Although the regulation has not been adopted across the world, multinational employers will need a detailed understanding of how their global data circulates. This is particularly true if an organisation uses a centralised database to manage the entire company's HR data.

In this instance, the business will need to ensure it is GDPR compliant across the board even if its main operation is not based in the EU.

As well as thinking about how HR departments are currently processing employee data, there should also be considerations for how long this data is stored and the justification for this. Under GDPR, the right to erasure could also affect the employee information retained by employers.

Traditionally, many HR departments log formal warnings and other notable issues so that employers can track and monitor them. Under GDPR, employers should not rely on employee consent to retain this kind of record: consent is unlikely to be freely given where there is an imbalance of power between employer and employee, and it can be withdrawn at any time. Instead, the employer needs another lawful basis, typically its legitimate interest in managing the employment relationship or a legal obligation, together with a documented retention period after which the record is removed, so that historic staff issues can be handled within the new obligations.

Businesses should, therefore, consider whether existing employee data notices comply with GDPR requirements.

Often, employers have sought consent to process and retain employee data by including a clause in the employment contract. Consent bundled into a contract does not meet GDPR's standard of freely given, specific and informed consent, so employers will instead need to identify the lawful basis for each processing activity and explicitly inform employees, in a privacy notice, exactly what the company does with their personal data, including any plans to process the information in the future.

Overcoming the hurdle

While the management of employee data is a key area for GDPR compliance, it is critical that companies also consider the data held on job applicants. This is often one of the areas where HR departments should make the most changes to ensure compliance.

HR departments can take a number of steps to build GDPR compliance in from the start by altering their processes for the application or recruitment stage. The information initially captured about an applicant should be the minimum needed to progress the application, for example name and contact details; data such as date of birth is not needed at this point and should not be asked for until there is a reason to.

To proceed to the second stage of the application, individuals can be directed to a form requesting the further personal information the company needs to assess them, which it can then retain on file. This stage is where the company must tell the applicant, in a clear privacy notice, what data it holds, why, and for how long.

Many companies already include a terms-and-conditions tick box in their application documents. Under GDPR that notice must spell out the specifics of how the data will be processed. Note that the lawful basis for assessing an application is usually that the processing is necessary for steps taken at the applicant's request before entering a contract, not consent; where consent is relied on (for example to keep an unsuccessful applicant's details for future vacancies), it must be a separate, unticked, freely given choice that the applicant can withdraw.

Once the form is completed, the applicant's data should be captured and transferred securely into an encrypted database. Companies can go one step further and set up rules that automatically remove data from the system once its retention period expires, so that nothing is kept longer than the privacy notice states.

This can include notifying unsuccessful candidates that their data will be kept on the company's database for a stated period, with the chance to opt out. Companies already adapting their systems for GDPR often send automated e-mails advising that details will be removed because the account has been inactive. Successful candidates' information is retained on file as part of their employee record.
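The retention sweep those two paragraphs describe can be expressed as a small, testable rule set. The following is an added example, not eSpida's code or any HR system's: the retention periods, the notice period and the applicant records are all assumed for illustration, and a real policy would take its figures from HR and legal and from what the applicant privacy notice promises.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention periods are assumed for illustration; the real figures are set by
# HR and legal and must match what the applicant privacy notice states.
REJECTED_RETENTION = timedelta(days=180)   # keep unsuccessful applications for six months
INACTIVE_LIMIT = timedelta(days=365)       # dormant, undecided applicant accounts expire after a year
NOTICE_PERIOD = timedelta(days=14)         # warn the applicant two weeks before removal


@dataclass
class Applicant:
    email: str
    status: str                          # "applied", "rejected" or "hired"
    last_activity: date                  # last login or status change
    opted_out: bool = False              # applicant asked for removal
    notified_on: Optional[date] = None   # date the removal warning was sent, if any


def decide(a: Applicant, today: date) -> str:
    """Return 'retain', 'notify' or 'delete' for one record."""
    if a.opted_out:
        return "delete"                  # an erasure request beats the retention period
    if a.status == "hired":
        return "retain"                  # moves to the employee file, which has its own policy
    limit = REJECTED_RETENTION if a.status == "rejected" else INACTIVE_LIMIT
    expiry = a.last_activity + limit
    if a.notified_on is None:
        # Warn once the expiry is within the notice period; never delete unannounced.
        return "notify" if today >= expiry - NOTICE_PERIOD else "retain"
    # Warning sent: delete only after the applicant has had the full notice period to object.
    return "delete" if today >= a.notified_on + NOTICE_PERIOD else "retain"


def sweep(records, today: date) -> dict:
    """Map each applicant e-mail to the action due today. The caller sends the
    e-mails and performs the deletions, then records notified_on on the record."""
    return {a.email: decide(a, today) for a in records}


# Constructed sample records for the example, not real applicant data.
TODAY = date(2018, 5, 25)
SAMPLE_RECORDS = [
    Applicant("a@example.com", "rejected", date(2017, 11, 1)),                                  # six months up: warn
    Applicant("b@example.com", "rejected", date(2018, 3, 1)),                                   # still inside retention
    Applicant("c@example.com", "applied", date(2017, 5, 1), notified_on=date(2018, 5, 1)),      # warned 24 days ago
    Applicant("d@example.com", "applied", date(2017, 5, 1), notified_on=date(2018, 5, 20)),     # warned 5 days ago
    Applicant("e@example.com", "hired", date(2018, 2, 14)),                                     # now an employee
    Applicant("f@example.com", "rejected", date(2018, 5, 1), opted_out=True),                   # asked for erasure
]

if __name__ == "__main__":
    for email, action in sweep(SAMPLE_RECORDS, TODAY).items():
        print(f"{email}: {action}")
```

Two design choices matter more than the numbers: a record is never deleted in the same pass that warns about it, so the applicant always gets the full notice period to object, and an opt-out is honoured regardless of where the record is in its retention cycle.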

HR departments already have extensive knowledge on how data should be collated and processed within a business, which provides managers with a foundation when considering the development of their own GDPR strategies. Utilising this expertise will help employers take the appropriate steps in conforming their business to meet GDPR requirements.

With such a broad selection of processes within HR departments being subject to GDPR, businesses will undoubtedly encounter compliance challenges after May 25, 2018. While HR insight forms a strong foundation, businesses must consult with external experts to identify any data blind spots in GDPR strategies and ensure HR can lead by effective example.

Security Best Practices

Most Information Technology security professionals would agree that it is no longer a matter of if you get breached, it is a matter of when. And with the media awash with news informing us of businesses or government organisations suffering data breaches and high-profile attacks, security teams are being held accountable for addressing risks – externally as well as internally.

It is now more important than ever that IT departments take a structured approach to their organisation's cyber security. While there are some basic network security measures that every IT department is aware of, such as the use of firewalls and antivirus software, there are also other best practices, policies and procedures that some organisations do not yet follow.

The following security best practices should all be taken into consideration:

Update of Software and Systems

Cyber criminals are constantly developing new techniques and finding new vulnerabilities. Yet the majority of malware does not rely on new and unknown vulnerabilities; it seeks out well-known, long-fixed ones, in software and device firmware alike, in the hope that organisations have not applied the update.

To keep your network protected, make sure that operating systems, applications, security products and device firmware are kept up to date with the latest patches, and prioritise anything reachable from the internet.

Backup of Data

Data backups are a basic security measure that has gained increased relevance over the past few years. With the rise in ransomware attacks, designed to encrypt all of an organisation's data until the decryption key is paid for, a complete and current backup of all data is crucial.

Backups must be protected and encrypted, and made frequently so that if one has to be used the information is as up to date as possible. Ransomware routinely looks for backups it can reach, so at least one copy should be offline or otherwise immutable, and restores should be tested regularly: a backup that has never been restored is an assumption, not a control.

Prevent Data Loss. Protect Your Data

Many organisations rely on the trust and honesty of their employees. That does not stop data leaving the organisation in one form or another: users, knowingly or not, allow data to be breached, leaked or stolen, and a growing number of security teams say their top concern in recent years has been data leaving an endpoint.

It is now more important than ever to control user access, monitor activity and know what is happening with company data.

Monitoring User and Third Party Activity

Users with privileged accounts have an increased level of trust, but at the same time pose one of the biggest threats to data security. These users have the access needed to pilfer sensitive data from the organisation and go unnoticed. When undetected, insider threats can be costly.

Monitoring user activity, and in particular what privileged accounts do, allows security teams to detect unauthorised behaviour and verify that user actions do not violate security policy. Privileged sessions should be logged to a system the privileged user cannot alter, otherwise the monitoring can be edited out by the very person it is meant to watch.
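What "detecting unauthorised behaviour" looks like in code is a few rules run over the log stream. The block below is an added example, not eSpida's or any product's detection logic: the log format, the list of privileged accounts, the admin jump hosts, the working hours and the bulk-read threshold are all assumed, and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed environment: which accounts are privileged, where admins are
# expected to log in from, and what "normal hours" means.
PRIVILEGED_ACCOUNTS = {"root", "dba_admin", "backup_svc"}
ADMIN_JUMP_HOSTS = {"10.0.5.20", "10.0.5.21"}
WORK_HOURS = range(8, 18)                 # 08:00-17:59 local time
BULK_READ_THRESHOLD = 50                  # this many reads by one user ...
BULK_READ_WINDOW = timedelta(minutes=5)   # ... within this window is a bulk-access alert

# Constructed key=value log format for the example (not a real product's format).
LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: src=(?P<src>\S+))?(?: path=(?P<path>\S+))?$"
)


def parse(line: str):
    m = LINE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect(lines):
    """Run three rules over the lines in order; return (rule, user, detail) alerts."""
    alerts = []
    recent_reads = defaultdict(list)      # user -> timestamps of reads inside the window
    for line in lines:
        ev = parse(line)
        if ev is None:
            alerts.append(("unparsed_line", None, line))   # never silently drop what you cannot read
            continue
        user, ts = ev["user"], ev["ts"]
        if ev["action"] == "login" and user in PRIVILEGED_ACCOUNTS:
            if ts.hour not in WORK_HOURS:
                alerts.append(("privileged_login_after_hours", user, ts.isoformat()))
            if ev["src"] not in ADMIN_JUMP_HOSTS:
                alerts.append(("privileged_login_unknown_source", user, ev["src"]))
        if ev["action"] == "file_read":
            window = recent_reads[user]
            window.append(ts)
            while ts - window[0] > BULK_READ_WINDOW:
                window.pop(0)             # slide the window forward
            if len(window) == BULK_READ_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append(("bulk_file_access", user, ts.isoformat()))
    return alerts


# Constructed sample log, not real data: one night-time login from an unknown
# address, one normal admin login, one ordinary user, then a burst of payroll
# file reads by the privileged account.
SAMPLE_LOG = [
    "2018-05-14T02:13:05 host=fs01 user=dba_admin action=login src=203.0.113.7",
    "2018-05-14T09:02:11 host=fs01 user=dba_admin action=login src=10.0.5.20",
    "2018-05-14T23:40:00 host=fs01 user=jsmith action=login src=10.0.7.44",
] + [
    f"2018-05-14T10:00:{i:02d} host=fs01 user=dba_admin action=file_read path=/hr/payroll/{i}.csv"
    for i in range(60)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The three rules are deliberately simple; the value is in the context they use (who is privileged, where admins come from, what volume is normal), which has to be maintained as the environment changes or the alerts become noise.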

Educate and Train Users

When we talk about cyber security, users are generally considered the weakest link. However, raising users' awareness of the cyber threats the business faces and educating them on cyber security best practice enables organisations to limit the risk of data breach and loss.

End user training can include topics such as:

  • The ability to identify malicious emails (Spam, Phishing).
  • The importance of creating strong passwords.
  • The risks surrounding the removal of valuable data from the company via various media.

Use Two Factor Authentication

Organisations are encouraged to apply this control to their user accounts as added protection. It uses something the user has, such as a hardware security token or a mobile device running a soft-token app, in addition to the password to confirm the identity of the user.

Two-factor authentication adds a second layer of security to logins: a stolen or guessed password on its own is no longer enough. Not all second factors are equal, though; codes sent by SMS can be intercepted or diverted, so app-based or hardware tokens are preferable where the choice exists.

Changing Default Passwords

Many systems now come with a set of default credentials hard coded into the device’s software. These are usually freely available to obtain on the internet and are relatively well known by cyber criminals.

Much of the malware that targets networks looks for systems whose default credentials have not been changed in order to hijack them. The only way to ensure that your devices cannot be so easily hijacked and infected is to change all default passwords before a device goes into service, make the replacements complex and unique to each device, keep them in a password manager or vault rather than a spreadsheet, and rotate them whenever someone with access leaves or a compromise is suspected.

Handling Passwords Securely

With two factor authentication providing user accounts with extra security, organisations cannot afford for users to view this as an excuse to overlook password handling security policies.

Employees need to be educated to ensure their passwords are long, complex and fully unique.  They must also not share credentials with one another. While they may find this convenient, it is placing the organisation in an unsafe position and at a heightened risk of data breach or leak.

While this seems a lot to implement, once the majority of practices are in place they require very little intervention.  They should be monitored in the background and will only require attention if a security issue arises.

Don’t wait for the worst to happen.  Adopt these security best practices and be prepared for the worst.

How flexible working via cloud can prevent businesses from “freezing”

Aside from the obvious benefits of moving to the cloud (cost savings, improved uptime and the advantage of operating on the latest infrastructure platforms), as winter rears its ugly head one key benefit shifts to the forefront of the list: flexible working.

A cloud system is designed to be reachable from anywhere, not just from the office.

Snowy days and icy conditions can cause havoc on our roads and understandably many employees are unable to make it into their place of work.  An issue which can severely affect business activity.

If employees are unable to get in to the office their job function cannot be fulfilled, which for you could cause serious business disruption.

In this situation the ability to access business information from anywhere, at any time is essential. Cloud computing makes it possible for employees to work outside of the office and helps maintain “business as usual”.

By putting a Bring Your Own Device (BYOD) policy in place, even employees who are usually office based can be set up to work remotely. Most households own a device of some description, so employees can work from their own home desktop PCs, laptops and tablets. They simply require setting up in advance, and that set-up should include the controls the policy demands of a personal device, such as device encryption, up-to-date software and access that depends on the user's identity and a second factor rather than on the device alone.

Cloud computing limits the impact of shutting down on a snowy day.  However it is not just the cruel winter that makes it worthwhile.

As and when required the system can scale proportionately with your business, so for example if you are a seasonal business and perhaps take on extra staff during the summer months you can simply add users and remove them when they are no longer required.  You purely pay for the users you require and once they are no longer required, you no longer need pay for them.

Despite its increasing popularity, cloud can still be a scary unknown for those with a limited understanding of the service.

In brief, the benefits of cloud include:

  • Offers value for money
  • Ready for any business
  • Makes your business truly mobile
  • Efficient and reliable
  • Scales to grow with your needs
  • Works with your existing IT
  • Highly secure

When working from the office is not an option, be it due to weather conditions, road closures, power outage or natural disaster, the cloud is invaluable to ensure business operates as closely to normal as possible.

The disruption a large number of businesses experienced during the UK’s most recent adverse weather conditions is merely a reminder of how viable cloud computing is for so many businesses.

Contact eSpida today for more information on cloud services.

Rightsourcing: what is it and why do you need it?

Ok, so I made that up.  It doesn’t feature in the dictionary just yet, but my prediction is it’s only a matter of time.

What is rightsourcing?

In brief, rightsourcing is the process of deciding what it is you want and what your business actually needs.

The analysis and decision process could focus on cost, practicality, competences or timeliness, enabling a business to select the most appropriate sourcing arrangement to fulfil a project.

Questions to ask during the decision-making process

Firstly, analyse your internal team:

  • How efficient is the team in each job function?
    • What skills gaps are there across the in-house team?
  • Is there anything the in-house team could be doing that is currently outsourced?
    • Applying the skills matrix to the existing projects to ensure compatibility.
  • Likewise, is there anything the in-house team is currently doing that could be more efficiently fulfilled if outsourced?
    • Recognising any skills gaps for existing and new projects.

Secondly, analyse your contractors:

  • Do you have a good relationship with your contractors; do you have a good level of trust; do you have confidence in their abilities?
    • Experience across multiple vendors is a good start.
  • Do your contractors show a true interest in the success of your business?
    • Understanding the entire over-arching view of the business then where IT is delivered to add true value to the business.
  • Can you rely on them to recommend the most appropriate products and services?
    • Remaining fully aware of new relevant technologies and applying the best value and best advice at all times.

Through this type of analysis every project can be explicitly planned and undertaken, either internally (insourced), via contractors (outsourced) or through a combination of both.

The benefit of consultants

With their heightened expertise, consultants often recognise issues from a different perspective.  This fresh thinking, coupled with the knowledge and understanding of the latest technologies, can offer organisations cutting edge technologies delivering effective solutions to problems that may never have been noticed and considered – and commonly at a much lower cost.

A good outsourced supplier will act as an extension of your workforce: understanding your business requirements and objectives whilst working alongside you and your internal team to deliver the best level of service possible adding value at every stage of the process.

Final thoughts

In summary, rightsourcing selects the right people for the right job, to deliver the best service at the best price.

By matching personnel, internal or external, to the right processes, businesses can accomplish tasks efficiently and effectively and enhance the overall business.

When you plan your next project, consider the options. Rightsource. It’s that simple.

To find out how eSpida can assist you with your next project contact us on 0344 880 6145 or email info@eSpida.co.uk

eSpida supports technical apprenticeship scheme

The recruitment of talented and ambitious individuals is paramount to The Waterdale Group.  As such the group continues to support the Technical Apprenticeship Scheme to map out the company’s future.

Apprentices are aged 16 or over and combine work with studying to a structured programme in order to gain skills and knowledge in a specific job.  By working with experienced staff, an apprentice learns job-specific skills which assist with the academic side of the course and ultimately the progression towards a qualified role.

Our latest apprentice, Charlie Quirk, has been recruited to work across all companies of The Waterdale Group and will be spending part of his week working alongside the eSpida team.  Speaking about joining the business, Charlie says, “I am very happy to have been selected as The Waterdale Group’s latest apprentice. The apprenticeship will help me to develop my technical skills whilst gaining a recognised qualification.  Everyone at Waterdale has been really welcoming and I feel confident that I am working alongside the right people to help me focus on my career goals.”

The Waterdale Group has a positive history of working with young apprentices. Joel Campbell originally joined the group as an apprentice in 2012 and following the successful completion of his accreditation (Level 4 City and Guilds and CompTIA A+ and Network+ industry certification) Joel was offered a permanent role within the infrastructure team.  He comments, “The apprenticeship scheme provided me with a good foundation for working life.  Working whilst studying enabled me to learn from colleagues and expand the knowledge I was gaining at college. Now, 5 years on, I have a great job with a fantastic company and feel proud that the group chose to invest in me and my skills.”

The Waterdale Group’s chosen apprenticeship training agency is TDM Wyre Academy who specialise in technical and digital industries. For more information regarding apprenticeships with The Waterdale Group please contact Danielle Piotet on 0344 880 6145.

Moving from a reactive to a proactive approach to IT

Today’s businesses face threats from two main sources: a lack of strategic alignment internally and malicious attacks from hackers externally. This leads many to fall into the trap of taking a reactive approach to IT, constantly fire-fighting to resolve operational issues. Here, Nigel Crockford, Business Development Manager at IT consultancy eSpida, explains why this approach of running-to-failure is not helping your business grow.

There is a tendency in most businesses for people to work in silos. According to a study by Harvard Business Review, 75 per cent of cross-functional teams are dysfunctional. Whether it’s because of budgets, scheduling, meeting specifications and customer expectations, or aligning the goals of your department with that of the company’s corporate goals, creating a unified approach to IT can be difficult.

This lack of a joined-up approach means that most businesses take a reactive approach to IT, dealing with problems as they arise. Factors such as ageing equipment, a natural disaster or a security breach inevitably demand time and attention to solve and can cause costs to spiral.

Optimising IT

A company’s ability to handle such problems can be measured using the infrastructure optimisation (IO) model developed by Microsoft. It categorises an organisation’s level of IT optimisation into one of four categories: basic, standardised, rationalised and dynamic.

Companies with basic optimisation only deal with IT on an ad-hoc and reactive basis. They are driven by problems and simply want to survive with the least downtime possible, which usually propagates a culture of running equipment until it fails. The problem with this approach is that it diminishes the ability of leaders to accurately control growth because they constantly have to fix problems that could directly impact operations.

The standardised approach, while still reactive, is more stable. Here, the business has taken steps to put some procedures related to change management and planning into place. Upgrades are request-driven and there is a mentality of “keeping it running”.

The rationalised approach is the point a business becomes proactive and it’s where most large businesses currently sit. There is usually a dedicated IT department, with well-defined IT roles such as Network Architect, Software Engineer and Project Manager. The business has a good grasp of formal change management methods, there is accountability across the board, increased monitoring and defined service level agreements (SLAs).

As a result, under the rationalised approach, IT management becomes more predictable and the organisation becomes better at dealing with disaster recovery and business continuity problems.

Finally, we come to dynamic optimisation. This is for large scale, usually multinational, businesses such as global courier services and banks that deal with hundreds of thousands of transactions at any one time. This kind of organisation would fail if it didn’t take a proactive approach to IT, as systems are highly optimised and there is a core focus on cost reduction and quality improvement.

Dynamically optimised businesses are agile and better able to recover from malicious attacks and natural disasters. This characteristic means they take the lead in delivering high availability and resiliency and yield a better competitive advantage as a result.

Needs vs. skills

While no organisation actively wants its IT system to only be basically optimised, moving to the next level up is not always easy. Managers that want to improve their IT optimisation need to understand their needs in sufficient detail. To understand their needs, they need the right mix of people with the knowledge, skills and experience to improve processes.

A growing skills gap in the technology sector means that the necessary skills are increasingly becoming more difficult to find in-house. According to the latest Hays Global Skills Index report, “skills shortages remain prevalent, particularly in technical engineering roles, specialist technology and qualified finance roles”.

As a result, 72 per cent of businesses currently outsource their IT infrastructure, according to Deloitte’s 2016 Global Outsourcing Survey.

However, for all the benefits that outsourcing provides, it still has its caveats. Vendor managed services can suffer from poor service quality, a lack of responsiveness, a lack of innovation and a reactive rather than proactive stance to dealing with problems.

IT leaders that outsource without carefully considering exactly how it is helping the business compensate for its own lack of skills might find that they only displace the problem rather than solve it.

Rightsourcing

As a business that provides IT consultancy for a wide variety of customers, eSpida believes in the concept of rightsourcing. Whereas outsourcing involves contracting the work out to a third-party service provider, and insourcing involves keeping the work in-house based on current skills, rightsourcing is about selecting the best way to procure a service.

This might mean upskilling existing staff by improving training or working with third-party suppliers to become better at managing IT to deliver value to the business.

The first step in this process is conducting an IT healthcheck. Here, IT leaders need to audit the business for current and future projects to see where infrastructure problems could occur and whether the current systems and people can meet this demand.

For example, a construction business might have upcoming building projects where an increase in the number of users on site will increase the need for connectivity. The same project might need to cater for the scheduling of delivery vehicles, networked devices, remote working, dispatch and onsite project management tools.

Once the cost, budget and business impact have been considered, IT leaders need to look at whether the business has the right skills to deliver the project in-house. To match the skills of the workforce to the needs of the business, leaders can use the Skills Framework for the Information Age (SFIA).

SFIA defines seven levels of responsibility for ICT professionals, from level one, where the individual follows instructions and completes tasks under supervision, to level seven, where they set strategy, inspire and mobilise.

Most businesses operate at around levels four to five. Here, departments begin to move out of silos and operate with a higher level of technical skill, following a strategy that enables IT staff to advise the business more proactively.

Moving to the next stage, levels five to seven, is the point where many businesses seek help from external consultants for specialist support on how to respond dynamically across their entire operation. Reaching this position involves delivering an IT system with built-in high availability and resilience, and the ability to recover quickly from disasters.

The recent WannaCry ransomware attack, which affected around 230,000 computers in 150 countries including the UK NHS, shows why this matters. Some NHS systems were so badly affected that services had to be limited to emergencies only during the attack. Having a disaster-recovery plan for these situations, with backups kept beyond the reach of the ransomware and regularly test-restored, means that data can be recovered quickly to get the business operational again.

By changing their approach to IT from one of running equipment to the point of failure to one where skills, agility and rightsourcing are prioritised, business leaders can spend less time fire-fighting and more time growing the business.

What’s the next big thing in Cyber Security?

Twenty years ago, IT security broadly consisted of firewalls, antivirus, passwords and software patches. Hackers and data thieves soon found ways around these simple controls to gain access to sensitive organisational data.

As a result, security vendors have invested in developing and producing more advanced technologies to defend business networks. Many security products are now available in the defence against cyber criminals, including anti-virus, spyware detection and threat detection software, to name just a few.

So, what’s next?
This is the question constantly being asked: what will be the next big thing in cyber security, and what will people be talking about in the next year or so?

The answer broadly lies with the attackers. For each new method of attacking organisational networks they develop, vendors develop their products and security solutions accordingly in order to prevent those attacks.

Change is coming
Rather than taking the traditional reactive approach to cyber threats, vendors are becoming proactive, building software that recognises known attacker activity. Having studied how attackers operate, vendors build that knowledge into their products to take the initiative away from the attacker. Recognising that attackers collaborate with one another, vendors have also begun sharing threat information and tools among themselves, which in turn shortens the response time to new threats.

With this sharing of information, vendors can look ahead, one step in front of the cyber criminals, and with a more proactive, defensive approach will be better prepared to foresee potential attacks. By adhering to the GCHQ code of conduct guidelines along with ISO 27001/27002, and by following established practice and a number of elementary processes, businesses can eliminate some of the lower risks.

With cyber criminals constantly developing new threats, it is imperative that organisations keep their cyber security active and up to date.

My recommendation
Businesses should start with basic security best practice, looking at access control as well as the applications within the organisation, and ensuring that updates are enforced and patches applied on a schedule appropriate for your business.

I would welcome your questions on best practice procedures. Please feel free to contact me at jon.dixon@espida.co.uk

Data security: Two factor authentication

In today’s technological world, media reports of website hacks are becoming more and more prevalent. Furthermore, with human error reportedly accounting for almost two-thirds (62%) of data breach incidents, personal details are frequently being compromised.

Nowadays passwords alone, even complex ones, are no longer sufficient to keep hackers at bay: a password can be phished, guessed or reused from another site’s breach. That is a scary thought for businesses holding hundreds, thousands or, in the case of some large corporations, millions of customer records. However, there are options available to increase security and protect data.

Two factor authentication
To confirm a user’s claimed identity, Two Factor Authentication (2FA) combines elements from two different categories out of three: knowledge (something you know), possession (something you have) and inherence (something you are).

Knowledge
– Passwords
– PINs
– Secret questions/memorable information (the weakest of these, as answers are often guessable or publicly known)

Possession
– Card readers
– Wireless tags
– USB tokens

Inherence
– Fingerprint readers
– Retina scanners
– Voice recognition

Two factor authentication may be carried out with a hardware token or a soft token such as an authenticator app on a smartphone.

Hardware tokens such as the Yubikey from Yubico are becoming more common in the workplace. They add an extra layer of security to networks and user accounts, so that only the person holding the token, together with their personal credentials, can access the data.

Yubikey and Authlite
The Yubikey is a touch-sensitive authentication device (hardware token) used as the second factor and is best used together with a PIN or password. On touch, the Yubikey generates a one-time passcode that provides the second authentication; because each passcode is valid only once, a passcode captured by a keylogger or shoulder-surfer cannot be reused later. Used in conjunction with Authlite, a two-factor authentication module for Windows domain networks, it provides two factor authentication to the network.
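How a server actually checks a one-time passcode, as an added example that is not part of the original article and is not code from eSpida, Yubico or Authlite: the block below implements the RFC 4226 HOTP (counter-based) and RFC 6238 TOTP (time-based) algorithms used by most authenticator apps and OATH hardware tokens, together with the server-side state that stops a passcode from being accepted twice. The Yubico OTP format that the Yubikey emits by default is a different, AES-encrypted scheme and is not implemented here. The shared secret is the published RFC test-vector secret, embedded so the example runs offline; a real deployment provisions a random secret per user.

```python
"""Added example (not from the original article, eSpida, Yubico or Authlite):
server-side verification of one-time passcodes from a possession factor.
Implements RFC 4226 HOTP (counter based) and RFC 6238 TOTP (time based)
with the standard library only. The Yubico OTP format is AES based and
modhex encoded and is NOT what this code implements.
"""
from typing import Optional
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (the ASCII digits
# "1234567890" twice), embedded so the example runs offline. Assumption for
# illustration only: a real deployment provisions a random secret per user.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduction modulo 10**digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Per-user verification state. The point of a one-time passcode is that
    it is accepted once: for HOTP the server remembers the highest counter it
    has accepted and only takes a strictly higher one within a small look-ahead
    window (the token may have been pressed without the code being submitted);
    for TOTP it remembers the highest time step accepted and allows one step of
    clock drift either side, so a code cannot be replayed within its validity.
    """

    def __init__(self, secret: bytes, hotp_window: int = 5,
                 totp_drift: int = 1, step: int = 30):
        self.secret = secret
        self.hotp_window = hotp_window
        self.totp_drift = totp_drift
        self.step = step
        self.last_counter = -1   # highest HOTP counter accepted so far
        self.last_step = -1      # highest TOTP time step accepted so far

    def verify_hotp(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.hotp_window):
            # compare_digest: constant-time comparison, no early exit on mismatch
            if hmac.compare_digest(hotp(self.secret, c).encode(), code.encode()):
                self.last_counter = c   # resynchronise and burn this counter
                return True
        return False

    def verify_totp(self, code: str, now: Optional[int] = None) -> bool:
        current = (int(time.time()) if now is None else now) // self.step
        for s in range(current - self.totp_drift, current + self.totp_drift + 1):
            if s <= self.last_step:
                continue                # this step was already used: reject replay
            if hmac.compare_digest(hotp(self.secret, s).encode(), code.encode()):
                self.last_step = s
                return True
        return False


if __name__ == "__main__":
    v = OtpVerifier(TEST_SECRET)
    first = hotp(TEST_SECRET, 0)             # "755224", RFC 4226 vector for C=0
    print(first, v.verify_hotp(first), v.verify_hotp(first))    # accepted, then replay rejected
    code = totp(TEST_SECRET, 59)             # "287082", RFC 6238 vector for T=59 (6 digits)
    print(code, v.verify_totp(code, now=59), v.verify_totp(code, now=75))
```

Two details are worth checking in any 2FA product that uses this kind of passcode: that the server keeps the last accepted counter or time step so the same code is never accepted twice, and that the look-ahead window is small, since every extra counter the server is willing to try multiplies an attacker’s chance of guessing a six-digit code. What the scheme does not stop is a real-time phishing relay that forwards a still-valid code to the genuine service within the same step, which is why the passcode should be combined with the password rather than replace it.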

Setting up the system is straightforward and quick to configure from start to finish.

For organisations of all sizes there are many benefits of using the Yubikey for two-factor authentication:
– Prevents unauthorised access by requiring the physical presence of the token to log onto a device
– Easy to use
– Affordable – Total cost of ownership is significantly reduced
– Durable – no moving parts, crushproof and waterproof
– Can be used as part of a business’s ongoing GDPR policies and procedures

Summary
The old adage ‘prevention is better than cure’ has never been more relevant in the world of cyber security, as any organisation that has fallen victim to a data breach will testify.

By making a stolen or guessed password useless on its own, two factor authentication is one of the cheapest and simplest measures you can put in place to secure any account. The question isn’t why you should use two factor authentication, it is why you wouldn’t.

For more information about two factor authentication and how we can help you, get in touch on 0344 880 6145 or email info@espida.co.uk

Hillgate Travel opts to work with eSpida

London-based Hillgate Travel has opted to work with technical consultancy eSpida to design, architect and deliver a highly available, scalable and secure new technical platform to support the organisation’s double-digit growth.

Hillgate Travel is the largest privately owned travel management company offering a global, full service portfolio from passport and visa management, through to group and individual VIP management. With over 175 employees and processing over 400,000 transactions a year, the company has seen rapid growth in demand for its services.

With a traditional data centre model in place, Hillgate Travel was supporting an ever-growing, onerous hardware footprint which was increasingly at odds with its three guiding principles: security, availability and scalability. Antoine Boatwright, Chief Technical Officer for Hillgate Travel comments, “We knew that our model had to change to deliver against the demands of the business as it was becoming harder to manage the current environment. I wanted to create a consolidated solution that would cope with the reality of today and the anticipated growth of the next five years.”

After ruling out public cloud options, the company was approached by Birmingham-based technical consultancy, eSpida, which, after two days of on-site discovery, formulated a proposal for change. The eSpida team quickly grasped the scope of the project within the context of Hillgate’s overall business strategy; it delivered a vision of a new architecture and challenged some of the more traditional, Microsoft-centric policies employed in the company.

eSpida proposed taking Hillgate from a physical to a virtual environment to minimise its footprint. Introducing Linux into the server estate has not only improved performance and availability but drastically reduced the cost base for the entire solution. “eSpida understood the commercial parameters of our project and made its recommendations based on what we needed and not what it wanted to sell us. That was refreshing. The lead consultant, Paul Hanson, also worked within context; he understood the relevance of our design beyond the scope of the project, to ensure that we were future-proofing our investment.”

Hillgate is halfway through the implementation of this project with eSpida, but is already seeing the benefits of the change in cost and end-user experience. However, most notable is the change in attitude within the Hillgate technical team, which is thinking more creatively about other technical projects. “eSpida is a trusted, strategic business partner to Hillgate; the team is innovative and strategic but incredibly easy to work with. Our engagement has been honest, thorough and has really opened our eyes to new ideas.”