How vishing works: A real life example of a phone scam

IT security - Our experience with a vishing attack

The story

At 27 minutes past 2 on a Monday afternoon, the phone on my desk rang. Picking it up I was greeted by Faye Langford (a name I was unfamiliar with) asking if she could speak to the company’s CEO, Robert Rutherford. She said she was calling from one of our suppliers (which has been left intentionally unnamed) about an earlier email regarding problems with a credit card.

As Rob was out of the office, I asked if there was anyone else who could help. I was informed that Rob was the only person on the account and so I told Faye that I would pass on the message. She wished me a good day and that was the end of our conversation.

I emailed Rob the details of the call and was content that the issue would be resolved now it was in the appropriate hands.

This all seemed quite ordinary but here are two things which change that:

  • There are two people at this supplier who would normally call us regarding card information. Faye Langford is not one of them.
  • There are over 15,000 employees who work at this supplier. Faye Langford is not one of them.

So, what had just happened?

The scam

What had happened was an attempt at voice phishing – also known as vishing. When you think of phishing, you probably think of emails but unfortunately, phishing can occur on any channel. Phone calls, SMS or social media are all platforms which scammers can use to fraudulently acquire your details.

But there are some things which make this attempt particularly alarming.

  1. They already knew Rob’s full name and that he was the company’s CEO
  2. They knew that we use this supplier and are familiar with the name
  3. They didn’t probe further when asked if there was anyone else at the company they regularly spoke to

While the information in point one is widely available – on LinkedIn and the company website – it serves as a reminder that scammers will use personal details to make their attacks more targeted and realistic. Had Faye asked to speak to “the CEO”, I would have delved much deeper into what the purpose of the call was. But since she was on first-name terms and was purportedly calling from a known supplier I was more inclined to trust her.

The second point is alarming because it’s narrowly accurate. Since the supplier is well known and works with many companies, this may have simply been a fluke. Alternatively, this may be an emerging worst-case scenario. It’s possible that the supplier has at some point suffered a data-breach and had client information leaked. This would explain how they knew we worked with that supplier and may have been the source of Rob’s details as well.

As it turns out, a few days preceding the call from Faye, the supplier had suffered a data breach. This breach included clients’ names, job titles, and partial payment information including cardholder name and card type. This makes it hard to believe the two events are unrelated.

The third and final point is the most alarming whilst also being seemingly insignificant. When Faye called, she wanted to speak with Rob and was clear that no one else could help when told he was unavailable. This indicates that the scam wasn’t just a scattergun approach but targeted at Rob specifically. Considering that cardholder name was part of the data leaked in the breach mentioned previously, this may be why.

How do vishing scams work?

Based on the articles covering the breach, the information given during the call and other attempts we’ve seen before, the scam would have likely gone like this:

The supplier’s data is breached and acquired by cyber-criminals. This may be sold on a dark-web marketplace to the scammer or the scammer might have been the one to directly take the data.

The scammer creates a fake email pretending to be from the supplier and sends it to the target company stating they need to resubmit card details due to ‘an issue’. This email may include a website link or telephone number to ‘update’ the card details – both of which will be fake.

(I should note that we never actually discovered an email. It’s possible that it was blocked by our email security system due to coming from a known malicious address or linking to a known malicious URL. Alternatively, the email may be entirely fabricated and only used to imply there’s ongoing communication and build trust in the call.)

The scammer now calls the organisation and requests to speak to the target regarding the email about card information. Once they reach the intended target they would likely say that there’s an issue with billing and until the card details are resubmitted, all orders will be frozen and no additional payments can be made.

If the target is worried by this and not suspicious of the request, they will likely be happy to hand over their card details to resolve the issue. The scammer would then check the details are real and maybe say something like “Excellent, I can see the payments are going through now.”, before hanging up.

How can you protect your business from vishing?

Undertake user training

You’ve probably heard this reiterated a hundred times before, but one thing often left unmentioned is that you must ensure your training program is grounded in the scope of the business.

The more abstract training is from employees’ day-to-day roles, the less engaged they will be and the less they’ll remember. A simulated vishing call against employees whilst in the workplace is not only realistic but will likely leave a lasting impression – making it incredibly valuable.

Don’t rely too heavily on caller ID

Caller ID allows you to put a name to a phone number and identify who’s calling. This sounds like a useful tool in preventing scammers masquerading as someone they’re not. But caller ID can be easily spoofed to show what the scammer wants to show.

There are many online services which offer caller ID spoofing – making it easy for scammers to take advantage of the trust a caller ID can give. This doesn’t mean caller ID is completely useless though as it can be helpful in filtering out nuisance calls, but you should not blindly trust the system.

Don’t respond to requests for details

It’s easy to say this, but if it were easy to do, vishing wouldn’t exist. To keep your details secure, you must get yourself and your employees into the mindset that unless the request is coming from an official channel which the caller can prove is genuine, don’t divulge company details.

Establishing and enforcing acceptable channels of communication for clients can make this much simpler. If you establish in company policy that certain details may never be communicated via certain channels (e.g. never disclose a mobile number over email), it’ll be far easier to stop scammers who are trying to siphon information out of the business.

Take the time to check

If there’s a suspicious call about an urgent bank transfer or new card details, get approval on whether it’s genuine off the phone and ideally face-to-face with who usually deals with the issue (e.g. the finance director). If the caller is genuine, they won’t mind you taking the time to check and if they aren’t, checking is a good way to avoid a disaster.

It’s worth building this approval process into policies so that people know who to go to for each request. Having the process in company policy also shows that asking about the authenticity of a suspicious request isn’t something for employees to be worried about doing.

Employ zero-trust

This policy sounds severe, but zero-trust simply means employees who don’t need to know something, aren’t told it. If you store credit card details in a secure digital wallet which everyone has access to, it only takes one successful vishing call for those details to be compromised.

If only the finance department has access to those details though, it’s much harder for a scammer to get lucky off an unaware employee who was trying to be helpful.

Establish and communicate a list of acceptable requesters

Like with establishing acceptable channels, you should ideally have a list of names of people to whom it is acceptable to give details. If you’re employing zero-trust, this list only needs to be known amongst those who have access to the details; otherwise, you’ll need to communicate it to the entire company.

To summarise…

Before this experience with vishing, I had only experienced it once before and it had been a rather poor attempt (a very robotic voice asking about the ‘accident’ I had been involved in). I had been fairly certain that this was the way vishing would stay – easy to spot, scattergun and done by text-to-speech. But this latest call has unfortunately proved me wrong.

Not only was it done by an actual real human, but it was pointed at a very specific individual. This is a trend which mirrors the evolution of other cyber-attacks and the increased weight cyber-criminals are placing on social engineering in their toolset. Whilst this threat is old and not uncommon in high-end security breaches, it seems it’s now also coming to the masses.

If you’re uncertain about whether phishing, vishing or any other type of cyber-crime is happening on the scope and scale it’s reported at, I hope this experience opens your eyes to the reality of what’s happening. It certainly did for me.

The Optimisation Contradiction: One key thing manufacturers forget when optimising their factory

Manufacturing - The Optimisation Contradiction: How to improve factory efficiency

It is well known that inefficient operations reduce margins and weaken your competitive position in the global market. It is also well known that manufacturers are famous for their dedication to cutting out inefficiencies wherever they can in their operations.

But whilst the shop floor has received the benefits of technologies such as robotics, softer practices such as visual management and initiatives such as lean, manufacturers’ dedication to optimisation is seemingly contradicted by how many of them have forgotten to apply the same fervour to another key area of their operations: the back office.

This is the Optimisation Contradiction.

Why should you optimise the back office?

What happens in the back office doesn’t stay in the back office. Inefficiencies here directly counter the rewards of your wins on the shop floor and since inefficiencies are often allowed to build up, their counterproductivity is multiplied.

As an example, there’s little point holding the shop floor to incredibly high-efficiency standards if at the same time as much as 68% of the paper being printed in the back office is unnecessary. Imagine if there was a 70% material wastage on the shop floor. That would be unacceptable.

So how can you make your back office a productivity powerhouse like the shop floor? We believe that through the intelligent application of IT, it’s not just possible but it provides additional opportunities to improve your firm.

How to make IT deliver an advantage in the back office

1. Embrace Software as a Service

Monthly instalments will give you more control over your IT budget, better-optimised software and often live support to assist with overcoming roadblocks. All of which keeps operations in the back office running smoothly.

However, there is some ill will towards Software as a Service (SaaS), as many manufacturers see subscriptions as more expensive.

The issue with this mindset is that it looks at the software in a static point of time and ignores the continual updates and support SaaS applications have. When you buy a one-off piece of software, you get what it is and nothing more. Any bug fixes, feature updates or integrations will need to be acquired separately, either as an add-on or as part of the next major release. When you buy software on a subscription, you get continual updates and new features as standard.

2. Categorise and control your talent

To complete work effectively, you need people with the right skills in the right place. This might seem obvious but so many firms fail to assign their talent optimally – probably because they’re trying to assign 100 people with different skillsets to 20 tasks which require different combinations of these skillsets. It’s impossible to do in your head but IT systems excel at this sort of thing.

With a talent management system, your HR team can see exactly the skills each employee has, which allows you to recruit intelligently whilst controlling and developing your existing talent. Employees also gain visibility into their training program – resulting in greater engagement.

By managing your talent pool this way, it leads to a better-skilled workforce, better allocation of these skills and an overall more engaged and efficient workforce.

3. Optimise processes with ISO

Every manufacturer should have already strived to ensure their shop floor processes are to ISO standards, but few turn their sights to the back office once this goal is achieved.

In the back office, ISO 22301 and ISO 27001 are the two key accreditations.

  • ISO 22301 is about minimising IT downtime and ensuring data integrity with redundancy and network resilience, and backups and encryption.
  • ISO 27001 is about securing your assets (personal information, intellectual property, etc.) through policy, software and hardware with the aim of preventing an intrusion or breach.

If you do decide to proceed with accreditation, an external consultant can help you to identify and resolve any weaknesses before the assessment process. Once you’re adhering to ISO principles and have become ISO certified, you’ll not only be far more resilient against disruptive incidents which threaten your efficiency and productivity but it’ll be easier to pick up business since it’s proof of your dedication to continual improvement.

4. Secure your position

In March 2019, Norsk Hydro – a global manufacturer of aluminium – was hit by the LockerGoga ransomware. The malware spread from the back office into networked machines on the shop floor and ended up impacting global processes, forcing the company into manual operation mode. Overall predicted losses were £41.2 million.

To put this into perspective, Norsk’s quarterly sales volumes for Extruded Solutions were 333,000 tonnes. Factoring in the losses equates to an increased unit cost of £123.72 per tonne or 12.4 pence per kilogram. Clearly a massive hit to the bottom line.

Cyber-security in the back office should now be important for obvious reasons. But despite being essential, some companies negligently assume they can get away without basic security in place. Typical areas of negligence are multi-factor authentication, patch management and rights management – the lack of even one of which instantly compromises the optimisations you’ve worked so hard for, not to mention endangering your reputation.

If you want to improve your security posture but don’t know how then Cyber Essentials accreditation is a good place to start. You’ll need to go beyond this since it only addresses the basics so something like ISO 27001 should be your true goal since it’s much more robust.

5. Digitise and automate

Another clear sign of the Optimisation Contradiction is that whilst manufacturers have strived for 100% automated shop floors in their quest for efficiency, they have at the same time forgotten to automate and digitise even the simplest tasks in the back office.

For example, even something as simple as obtaining a signature requires a long, physical process. First, you would need to print and hand over the paper for the person to sign. Then, scan the document to send a digital copy to the requester and shred the physical one for security. Finally, upon arrival, the digital signature would be stored in a safe location. With e-signatures, you can remove the physical processes of printing, sharing and shredding.

Automation can also help tackle highly repetitive or routine tasks in the back office, to free up time for more strategic, value-add work. By implementing automation in the back office, you should see more KPIs being hit and a more efficient workforce overall.

6. Modernise legacy systems

The general rule for hardware is you should refresh laptops or PCs every 3-5 years and servers every 4-5 years. Whilst it’s tempting to sweat IT assets, the lost efficiency and increased volatility means doing so will likely cost you much more than you ‘save’ by not upgrading.

Updating hardware allows back-office workers to work much faster. Less waiting and more responsive systems result in more streamlined workflows and therefore higher employee uptime.

But it’s not just the raw speed and efficiency values to look at. There’s also the matter of reliability. As hardware ages, it rapidly becomes more prone to failure. A study undertaken by Google revealed that one-year-old hard drives have an average failure rate of over 2%, a figure which quadruples to 8% by the time the hard drive is two years old.

The wasted time and potential for data loss due to ageing hardware is something to bear in mind when considering the cost of an upgrade. Ask yourself if you can afford to spend time recovering or recreating key data and then decide whether you should upgrade to current hardware.

7. Make things lean

Much like the ISO standards, lean is something many manufacturers already apply to the shop floor, but you can gain similar benefits in the back office. By managing the IT systems in use, eliminating excessive bureaucracy and redistributing talent and resources, you can create major improvements to efficiency.

Lean in the back office ranges from small changes such as moving the office printer into a more ergonomic location to undertaking upgrades to IT infrastructure and setting up a rolling upgrade cycle for hardware.

Performing a thorough analysis of back-office functions against lean can give you valuable insights into where problems are arising, allowing you to make genuine process improvements and cost savings.

Below is an infographic to help you with applying lean in the back office.

[Infographic: Applying lean can help with improving factory back office optimisation]

In summary…

To truly improve the efficiency of your firm, you need to be directing attention to the processes and systems both on the shop floor and in the back office. It’s easy to think that processes not directly related to production have no influence on efficiency, but they do.

What is shadow IT and how can you control it?

IT security - What is shadow IT and why do you need to control it?

Lurking deep beneath your surface IT infrastructure is a malignant force. Its creeping tendrils extend into every department of the business and like a rot it spreads.

Whilst it started out innocent, as it grew more prevalent its evil nature emerged. Twisting roots buried deeper into the IT environment, corrupting business processes. Tendrils probed out, undermining defences whilst creating unseen vulnerabilities. And a maw guzzled and swallowed all the data it was fed.

But the worst part of all about this malevolent infestation is this. It wasn’t an attacker who planted this thing in your network, no. It was you.

And you continue to let it grow, feeding it and adding to it, all whilst unaware of the peril you have created…

Okay, whilst that description was a little dramatic, shadow IT poses an undeniable risk to your business. Gartner predicted that 1 in 3 security breaches will be the result of shadow IT applications by 2020. And research from Cisco indicated CIOs underestimate the number of shadow applications running on the network by a factor of 14. That is to say, the CIO thought the business was running 51 cloud services when in reality it was using 730!

These stats highlight how many businesses still don’t have a grasp on the extent of their shadow IT. The risks and controls have been around for years, yet many businesses wait until they get burned to take action.

Discuss your shadow IT concerns with a security consultant and gain actionable advice you can take to your board

What is shadow IT?

Shadow IT is hardware or software (often cloud-based) used by staff without knowledge or approval from the IT team.

Shadow IT can present itself in many ways, a few examples being:

  • Staff sharing files between themselves, suppliers and customers. Often with a cloud file store such as OneDrive, Dropbox or Google Drive.
  • A member of the sales team using an online CRM solution to work on a campaign.
  • An account manager using a personal Skype account to conference with clients.
  • An employee using an online tool from their previous job, instead of the software their current employer uses.

In each example, it’s obvious that these systems will be outside of the control of the IT department. This is a concern because it increases the business’ attack surface and adds many fun and exciting ways in which your sensitive data could leak.

Shadow IT plays on the idea of “if you can’t see it, you can’t control it”. As a result, it creates a lot of invisible risks and security gaps which the IT team is unable to address.

Of course, shadow IT may be bringing in benefits to a business. If an employee is more comfortable with their tools, they’ll work more effectively. But allowing it to run wild introduces gaping security holes and puts you at higher risk.

Why does shadow IT occur?

Shadow IT arose with the boom in cloud-based technologies and applications. This application explosion allowed employees to gain access to IT solutions through a web interface. And with so much variety, employees could buy an entire suite of tools with little or no involvement from the IT department.

The popularity of having sudden access to a plethora of applications was compounded by the fact that in the past, IT projects would have to stop or grind their way through the IT department before becoming usable. Whilst this wasn’t done with malice, the delay it caused frustrated power users who wanted rapid solutions to their issues.

In short, the demand for change was louder and faster than the IT team’s resources, and even their awareness. Technology had come to the masses and they wanted to use that technology. Now.

But blaming everything on the IT department isn’t fair and nor is it accurate. Another fundamental cause of shadow IT is misalignment within the business, something which involves many departments and generally the board.

A lack of control on the IT estate tends to make identifying a single reason for shadow IT impossible. This means the cause for shadow IT can vary from business to business.

How can I manage shadow IT?

Whilst the idea of prohibiting the use of any applications outside of an acceptable list seems like it would work fantastically, it doesn’t.

Not only will it annoy employees and disrupt their workflows, but people will likely find a way around the filtering or will pester the IT team to add certain applications to the whitelist. This circumvents the point of the system in the first place and results only in a net negative.

Instead, the business needs to address the root cause of its shadow IT by installing policy controls and technical controls to rein it in. Here are 7 simple steps to give you an idea of where to start.

1. Review what’s going on

The first step is to use your internal monitoring and control solutions to analyse who is going where and doing what. It’s also worth auditing laptops and desktops if you allow users to install applications on their own devices (not advisable!).

2. Evaluate and prioritise risk

Go through your reports and work out which shadow IT elements pose the greatest risk. Staff sharing sensitive information or accessing the dark web through Tor browsers should both be big red flags.

Whilst doing this, you may also find out you are breaking regulatory obligations without even knowing it. For instance, by storing files in regions that are unacceptable.
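Steps 1 and 2 (review what is going on, then prioritise by risk) can be turned into a repeatable triage. The script below is an added example written for this page, not a tool from the article or its authors: it parses web-proxy log lines, matches destination hosts against a catalogue of known cloud services, drops anything on the IT team’s approved list, and ranks what remains by a per-category risk weight so that anonymisers and file-sharing sites surface first. The log format, the sample log lines, the service catalogue, the approved list and the risk weights are all constructed for the example; in practice you would feed it your proxy export and your own asset register.

```python
"""Added example: shadow-IT triage over web-proxy logs (steps 1 and 2).

Everything below (log format, sample lines, SaaS catalogue, approved list,
risk weights) is constructed for illustration and is not from the article.
"""
import re
from collections import defaultdict

# Constructed sample proxy log lines: timestamp, user, destination host, action.
SAMPLE_LOG = """\
2019-05-13T09:02:11 alice.smith drive.google.com ALLOW
2019-05-13T09:05:43 alice.smith outlook.office365.com ALLOW
2019-05-13T09:10:02 bob.jones www.dropbox.com ALLOW
2019-05-13T09:12:30 bob.jones app.hubspot.com ALLOW
2019-05-13T10:01:17 carol.white check.torproject.org ALLOW
2019-05-13T10:03:55 carol.white www.dropbox.com ALLOW
2019-05-13T10:45:09 dave.brown outlook.office365.com ALLOW
2019-05-13T11:20:41 dave.brown wetransfer.com ALLOW
"""

# Constructed catalogue: host suffix -> (service name, category).
SAAS_CATALOGUE = {
    "drive.google.com": ("Google Drive", "file-sharing"),
    "www.dropbox.com": ("Dropbox", "file-sharing"),
    "wetransfer.com": ("WeTransfer", "file-sharing"),
    "app.hubspot.com": ("HubSpot CRM", "crm"),
    "outlook.office365.com": ("Office 365", "productivity"),
    "check.torproject.org": ("Tor", "anonymiser"),
}

# Services the IT team has sanctioned (constructed).
APPROVED = {"Office 365"}

# Risk weight per category, higher is worse (constructed; tune to your policy).
CATEGORY_RISK = {"anonymiser": 10, "file-sharing": 7, "crm": 5, "productivity": 2}

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<action>\S+)$")


def parse_log(text):
    """Yield (user, host) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("user"), m.group("host").lower()


def classify(host):
    """Look up a host in the catalogue, matching on domain suffix so that
    sub-hosts of a known service are recognised. Unknown hosts return None."""
    for suffix, info in SAAS_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return info
    return None


def shadow_it_report(log_text, approved=APPROVED):
    """Return unapproved services seen in the log, highest risk first.

    Each entry is (service, category, risk, sorted list of users)."""
    users_by_service = defaultdict(set)
    category_of = {}
    for user, host in parse_log(log_text):
        info = classify(host)
        if info is None:
            continue  # not a known SaaS host; nothing to inventory
        service, category = info
        if service in approved:
            continue  # sanctioned by IT, not shadow IT
        users_by_service[service].add(user)
        category_of[service] = category
    report = [
        (svc, category_of[svc], CATEGORY_RISK.get(category_of[svc], 1), sorted(users))
        for svc, users in users_by_service.items()
    ]
    # Rank by category risk, then by how many users are exposed, then by name.
    report.sort(key=lambda r: (-r[2], -len(r[3]), r[0]))
    return report


if __name__ == "__main__":
    for service, category, risk, users in shadow_it_report(SAMPLE_LOG):
        print(f"{risk:>2}  {service:<12} {category:<13} users: {', '.join(users)}")
```

Run against the constructed log it lists Tor first (one user, highest category risk), then the three file-sharing services ordered by how many people use them, and finally the CRM. Office 365 never appears because it is on the approved list, which is the point of step 4’s amnesty: the catalogue stays the same, only the approved set grows as exceptions are agreed.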

3. Lockdown

Shut down anything that is dangerous or breaking regulation immediately. If it’s illegal or breaks company policy then block it and take appropriate action at a management or HR level.

4. Give an amnesty

Once you’ve dealt with the immediate dangers and know what’s going on, give everyone the chance to stop using the unapproved shadow IT applications.

Give them a week or two to alert you why certain applications are necessary and you can then manage the exceptions. After the week is up shut everything unapproved down.

5. Manage relationships

As you work through this process, take care to manage the external perception of the board and IT. People often use shadow IT to better fulfil their roles. So you should be trying to understand why they are using it and how you can fulfil their needs.

You may even find that some shadow applications are of benefit elsewhere in the business and adopting them could be a net positive. You don’t want to turn the business against the IT team as everyone then suffers.

6. Create policies

It’s unlikely that regular employees are aware of the danger of shadow IT and why they shouldn’t use it. Clear policies with training and regular reminders should help minimise risks.

7. Continually manage

You should always be monitoring and evaluating what’s going on in your network. People forget what they’re told, and the odd employee does go rogue. The technologies are out there and are nothing new. So there’s no excuse for not monitoring and blocking employees from doing things that could harm your business.

Are you concerned about your security and want to know how to better protect your business? Click here to book an online review with one of our security consultants today

The Cloud Migration Guide – Part 4: How to achieve a successful cloud migration

Cloud - How to achieve success in your cloud migration

Welcome to the final instalment of the Cloud Migration Guide. If you’ve missed an earlier part or would like a recap, click here to view: Part 1: What is a cloud migration | Part 2: The risks and rewards of migration | Part 3: Factors which influence cloud readiness.

Cloud migration has a lot to offer businesses.

  • Enables increased efficiency, collaboration and productivity with cloud-based software like Office 365.
  • Establishes a disaster recovery system that restores data and IT systems in minutes.
  • Lets you create online backups and live replicas of your IT environment to minimise data loss and increase reliability.
  • Boosts business flexibility and performance with hosted infrastructure and hosted desktops.

But many businesses don’t find success when undertaking their migration. Here are the most common pitfalls and traps that stop businesses from experiencing cloud migration success and how you can avoid them.

1. Trying to do it alone

Cloud migration is much more complicated than it seems. Going it alone means the project can easily become mismanaged. There are hundreds of different variables to consider, each of which must be mapped out to identify interdependencies. Some applications may need some development work to become cloud-ready and everything must be timed perfectly to prevent major disruptions to your operations.

Creating a thorough, comprehensive cloud implementation plan is no easy feat but fortunately, specialists are available who can give consultancy advice to ensure your migration is successful.

Getting a consultant on-board for your cloud migration can help you draw up a plan that carries you through your migration and ensures the end solution delivers on your business objectives. All without embarrassing and costly mistakes on the journey.

Choosing an experienced consultant de-risks the project and enables you to get assistance beyond just preliminary advice. This can include setting out the business case and getting stakeholder buy-in, through to the actual implementation of your solution. Experienced consultants are there to take responsibility for your business outcomes.

Even for businesses with an internal IT team in place, it’s often not feasible to have them perform the migration. They may have the technical capabilities, but the experience of delivering multiple cloud migrations will typically allow a consultant to deliver a better business result faster, at a reduced cost and without the levels of risk.

An internal IT team can certainly be involved in the whole migration process, but by working alongside a vastly experienced cloud architect they can deliver truly impactful results and grow themselves at the same time.

2. Choosing a supplier based solely on price

As one benefit of the cloud is how it can deliver an enterprise-class IT solution whilst saving money on infrastructure and running costs, it’s tempting to just choose the absolute cheapest supplier and call it a deal.

However, the cheapest suppliers often struggle with project delivery and lack the knowledge for important areas such as troubleshooting and capacity planning. These failings can easily mount up and ultimately jeopardise the migration, reduce the performance of the solution or eliminate any cost savings.

Ultimately, IT should be seen as an investment, as it is an investment at the core of your business. If you’re migrating your entire IT environment, you want to ensure that you’re getting value in terms of support, resilience, flexibility and advice beyond the initial sale. Otherwise poor performance, downtime and redundant spend can quickly overtake any initial savings.

Along with price, you should also be checking the service level agreement (SLA) a provider is offering. A 99% uptime guarantee sounds good but is actually on the lower end of the spectrum for quality. You don’t want to be suffering outage after outage without any come-back against your supplier.

3. Lacking a concrete goal

Undertaking a cloud migration is not in itself a strategic business objective. Migration must be done to achieve a business outcome. Failing to have a concrete case for why you are choosing cloud can easily lead to a failed project in terms of tangible results.

Being unclear on the true drivers of change can actually leave you in a more restricted state with increased costs. So you need to know why you are migrating to the cloud and whether there’s a better alternative far before you begin considering implementing a solution.

We covered how your strategic objectives can influence what you should migrate in the third part of our cloud migration series which you can find here.

But in short, if you want to reduce costs and improve flexibility you could utilise cloud-hosted servers or desktops instead of building, supporting, maintaining and securing traditional on-premise solutions. If you want to increase efficiency and collaboration you can consider migrating to Office 365 to take advantage of applications such as Teams and Yammer. To improve reliability, you could deploy cloud-based replicas of key systems. And to improve performance you can migrate desktops or servers to a powerful cloud platform.

4. Underestimating storage requirements

Knowing exactly how much data your business has which needs to be transferred over in migration is an important factor needing consideration. It’s very easy to underestimate the quantities a typical business has and failing to factor in growth patterns is an equally common mistake. Although the cloud is highly scalable in its storage ability, needing to resize early on can lead to unanticipated costs and reduce the efficacy of your migration.

But size isn’t the only factor to consider. The speed of the storage is an equally, if not more, important factor to look at, as it’s directly tied to the performance of your applications and files stored in the cloud. This is an area where an inexperienced consulting firm will typically let you down as they’re unable to ensure their cloud platform delivers the performance you require at the cost you expect.

5. Not checking the provider’s security

Your cyber-security is only as strong as your weakest supplier. If you choose a cloud provider who can’t prove that they take their security seriously, then you’re putting your data at risk, probably your customers’ data and certainly your reputation.

To avoid choosing a provider with poor security, at the bare minimum ensure that they’re ISO 27001 certified. ISO 27001 is the world-leading industry standard for information security management. Achieving it is no small undertaking, so it indicates that the provider takes security seriously.

Do be aware though that some providers will state that they “use an ISO 27001 certified cloud platform”. This does not mean that they are certified themselves, just that the platform they are using is certified. It’s a big difference. Ideally, the whole chain should be compliant, otherwise, much of the benefit is negated. So make sure the provider themselves have achieved the certification and not just the platform they are using.

6. Being unprepared

It’s important to check your business is ready for a cloud migration before undertaking one. There are several factors influencing how ready your business is for migration including business size, company culture and Internet connection. You can read more about this in part #3 of the Cloud Migration Guide.

Once you’ve determined which area you want to migrate, based on the business case, you’ll need an implementation plan. This should document exactly what, how, when and in what order you’re going to migrate.

Additionally, flexible rollback and testing plans are imperative to ensure you can get back to a stable state quickly, should things go awry.

7. Taking things too fast

Most industry experts agree that it’s not a case of “if” your business should move to the cloud, but “when”. But, you still shouldn’t rush to migrate everything at once or have unrealistic time goals.

Migrating to an entirely new platform is a big undertaking and rushing in can get you into trouble. You need to have an implementation plan, based on experience and specifically tailored for your organisation.

Doing an all-at-once forklift migration without proper planning can lead to horrendous issues for your business. Businesses try to go to the cloud in one jump and regret it, typically because they’ve rushed testing. Failing to test the environment under load, and not ensuring every aspect of the workflows continues to function, can destroy performance and create further productivity problems.

In the main, being lax on testing is the biggest cause of failure of IT projects. You need a full testing plan, buy-in and sign-off from all departments to ensure a smooth and orderly transition.

Want more information on the cloud?

The Cloud Migration Guide – Part 3: Is your business ready for cloud?

Cloud - How to know your business is ready for the cloud?

There are very few businesses that would see zero benefits from the cloud.

In fact, it’s expected that the clear majority of businesses will use cloud services in the next few years, with a considerable proportion of them running a 100% cloud-based environment. However, like all projects, there is a best time to undertake a migration.

There are four main factors determining if your business is ready for cloud migration. These are:

  • Internet connection
  • Business size
  • Company growth goals

Their influence on cloud readiness is roughly in the order they appear.

1. How Internet connection affects cloud readiness

Cloud is reliant on the Internet or a leased private network connection (we’ll just refer to it as an Internet connection for simplicity). If your Internet connection fails, then whatever is being stored or hosted on a cloud platform will become inaccessible until the connection is restored. Therefore, you should only consider a cloud migration if your current Internet connection can support the increased load it’ll bear.

If you’re a large firm with an Internet connection which is good but already under heavy load, you should consider upgrading. The added burden of cloud traffic could cause your connection speed to slow down due to all available bandwidth being used up.

As well as confirming you have a suitable Internet connection, you need to ensure that connection won’t have issues. Assuming leased Internet connections are immune to outages is a dangerous mistake. Leased lines go down, and when they do, they’ll typically be down for a long time.

Installing a backup Internet connection from a different provider than your main one is vital to ensure constant connectivity to your cloud. Ideally, it will also come into your building from a physically separate direction. If you don’t yet have two Internet connections, you can still undertake a migration, but getting a backup line should become a high priority.

2. How business size affects cloud readiness

Generally, the smaller the business, the more suitable it is for migration to the cloud and the readier it is. This is for two main reasons.

Firstly, a large business needs to do more preparation before undertaking a migration. There are more workstations, more files, more hardware, complex applications and workloads which all need to be migrated. This needs precise planning and testing.

A comparable small business may only have a single server, fewer than 50 workstations, a few applications and 2 or 3 terabytes of data between all its users. This can be migrated much more easily and has a much lower cost and risk overhead associated with it.

Secondly, the positive impact of the cloud being a subscription is more pertinent for smaller businesses than bigger ones. Large firms may have the heavyweight IT teams already in place and can run their own private clouds within their own data centres, or at least manage them in others. And if the cloud platform charges per user, access to the cloud service can become expensive after factoring in several thousand users.

For small and mid-sized businesses though, the subscription specifically means they can gain access to all of the same applications and benefits that the big firms have but they don’t pay any of the associated costs. They simply reap the benefits of economies of scale without any of the complexities and overheads, including ongoing management and support.

This doesn’t mean large businesses can’t gain benefits from the cloud. Large businesses can very easily reap great rewards from a cloud migration, but it’s a much larger undertaking in terms of planning and the migration process itself. The ROI timescales may also be longer.

3. How business growth goals affect cloud readiness

The broad applicability of cloud means that regardless of what specific areas you want to foster growth in, cloud migration is likely able to help. However, depending on your goals, what parts of your current infrastructure or systems should be migrated first can change. Here are a few examples to consider:

Increase flexibility

To achieve a goal of improved flexibility, you should consider hosted desktop or migrating servers over to cloud hosting. This gives you access to an enterprise-grade IT platform that you can scale up, down or out with ease. You can open a new office anywhere in the world or add a new employee with all their applications in minutes.

Save money

If you aim to save money with a cloud migration, any type of migration can help. But for a large impact, you should consider moving hardware and applications that are expensive to buy and run, such as central servers (file, mail, web, backup, ERP, CRM), to a replica hosted in the cloud. This cuts down on operating costs and saves money on buying, running, supporting and managing the environment in your own business.

Increase productivity

To increase business productivity and boost efficiency, you might consider migrating from the standard Office suite to Office 365. It comes with a range of benefits for any business such as added functionality, security and greatly improved internal and external collaboration features that all promote better workflows and improved business processes.

Improve reliability

If you intend to improve the reliability of your business, Disaster Recovery as a Service (DRaaS) can help in that regard. You can have a full replica of your IT environment sitting in the cloud, ready to go should disaster strike, at a fraction of the historical costs.

What else should you consider?

It’s important to understand that the cloud is not a golden chalice, nor the only way to run your IT infrastructure and systems.

Too often businesses state that they have a strategic objective to move to the cloud. This is not a business objective. Perhaps the business wants to prepare for expansion and needs greater flexibility, but don’t just move to the cloud for the sake of it.

Typically, except for small businesses, the greatest business results can be gained from working in a hybrid environment. This is in effect a mix of cloud and on-premise solutions.

It’s also important to note that cloud migration is not a single leap. It’s a process where different applications and workloads are moved over one at a time. Rushing migrations for the sake of moving to the cloud can be disastrous.

The final part of the Cloud Migration Guide looks at the biggest pitfalls businesses face when trying to migrate. Learn how to prevent your migration from falling into these same traps.


The Cloud Migration Guide – Part 2: Risks and rewards of a cloud migration

Cloud - Risks and rewards of a cloud migration

Choosing to migrate some or all your business systems to the cloud can provide a significant return on investment. However, as with all significant IT projects, cloud migration is not without its risks, whether moving into a private cloud or a public cloud such as Microsoft Azure.

But just because there are risks doesn’t mean that you should shun the idea of cloud migration. Gartner predicts that by 2020, businesses with a no-cloud policy will be as rare as businesses with a no-Internet policy. So avoiding the cloud will almost certainly leave you behind your competitors.

Instead of focusing solely on the risks, an equal amount of emphasis needs to be put on the benefits of cloud migration and the ways in which the risks can easily be mitigated.

Reward: Reduces upfront costs

The CapEx requirements for the infrastructure which supports standard IT – disaster recovery, live backup, central file, mail and web servers, not to mention security – can be significant.

As a result, growing businesses may find it difficult to make the investments required to compete in their field. The high costs can also lead to sweating assets beyond their usable life, causing productivity and potentially business continuity issues. Fortunately, though, the cloud has brought enterprise-class IT solutions to the masses.

Cloud is sold as a service, meaning instead of an uncompromising upfront fee, monthly usage fees are paid instead. A subscription is much more manageable for expanding businesses as it allows them to budget their IT requirements simply, as a monthly expense, rather than getting into chunky and changing investment cycles.

The scalability of the cloud also means that you simply pay for what you use, rather than over-purchasing and having expensive resources sitting idle. It also saves businesses from underinvesting now and having to catch up later, in essence spending twice.


Risk: Reliant on a third party’s security

The most common and long-held fear about the cloud is security. When your data is under the protection of someone else, how do you ensure they uphold the same strict security policies, frameworks and management practices as you do?

This is a genuine concern, and it’s unfortunate that there are cloud providers who don’t take security seriously. There are several ways to assess the security of a provider though, ranging from inspecting the premises to asking them to provide certifications. You should expect ISO 27001 as a minimum.

Testimonials are another way of gauging how good a provider is. You’ll never be shown a negative testimonial though, so ask some further questions to find out more. Ask to what security standards they operate, what their SLA is and what backs it up, where their data centres are, what the exit policy is, who has access to the stored data and what happens in the event of a breach. If you’re unsure, ask. A good provider will give you a straight answer as it should be considered standard information.

If a provider can’t prove they will protect your data, even if they’re half the price of the competition, don’t risk it. The money you ‘save’ is likely to be outstripped by the financial and reputational damage incurred following a data breach.


Reward: Improved performance

The hardware which cloud providers use to power their cloud service tends to be high-performance. For example, using fast-access flash storage over much slower magnetic storage to increase file access speed and having modern generation processors to speed up nearly every operation done by the machine.

This means that switching to a cloud service, such as a hosted desktop setup, can deliver increased workstation performance without a hardware upgrade and should thus also enhance productivity.

Furthermore, the scalable nature of the cloud means that even when more load is added (for example, more users logging in as the morning progresses), performance will not decrease because resources will flex to accommodate this.

This lets systems constantly run at peak performance, whilst you are only paying for what you’re using.


Risk: Migration can be mismanaged

Choosing to undertake a cloud migration without fully understanding why you’re doing it causes all sorts of problems.

Firstly, you need to establish what the end goal for the project is. It’s important that you think long-term here and don’t let short-term factors, such as upfront costs, cloud your thoughts. Once you have your goals in mind, you can work out what needs to be done at each stage of the project to achieve it. Use this to map out a cloud strategy – a vital piece of documentation for navigating the complexity of migration.

Secondly, you need to make sure the whole business is on board. Cloud migrations will affect many areas, so it’s vital that you’re fully invested in the process and that you obtain buy-in for the initiative from department heads and the board. Drive, direction and support from the most senior level of the business will give those in charge of the project the necessary authority to make changes. Whilst keeping employees informed throughout the project will make them feel involved and give a much more positive outlook on any associated changes to processes.

Finally, once you have a clear vision and buy-in from across the business, the next step is engaging with the right cloud services provider. For a smooth transition, you’ll be looking for a provider with the required experience and capabilities to not only deliver the technical aspects of the solution but to help you achieve your desired business goals.

To achieve this, you’ll want to look for a cloud services provider with a significant and positive experience with cloud migrations. However, your business also has a responsibility to communicate clearly with the provider in terms of your end goals. Providing a clear brief and engaging in a two-way transparent conversation increases the chance of successful migration and one which runs as close to time and budget as possible.


Reward: Enables agile working

Agile working is dismissed by some as a passing trend and has been banned outright by some firms. But even if you aren’t keen on working from home, agile working is a much wider area and has the potential to deliver a greatly enhanced and productive working environment.

Migrating applications and services to the cloud can help employees to remain productive whether they’re at a client site, travelling, attending a meeting or working from home. It’s particularly beneficial for multi-site businesses with remote workers, as cloud deployments can streamline access to applications and data, ensuring consistency across all channels.

For example, using cloud-based Office 365 you could have Sales and Procurement simultaneously working on a proposal and pricing document together or you could use Microsoft Teams to host a virtual meeting with the Heads of Departments from each office.


Risk: Added latency

Have you ever had trouble loading a web-based application? Or found aeons passing as you waited for a file to upload to storage? Perhaps your screen has frozen for a few seconds when working on an application? These problems can arise because the back-end cloud platform doesn’t have enough resources. They can also be caused by not having enough bandwidth on your local Internet connection. These delays (also known as latency) cause frustration for end-users and ultimately cost the enterprise.

Latency, when it’s severe and persistent, dramatically reduces productivity and can quite quickly destroy morale. If you’re pressing a key, then waiting for several seconds for that keystroke to register (the result of high latency) then that’s a lot of time being lost over the course of a day.

The solution to this problem is to ensure that the cloud platform has been designed and built correctly before you perform a full migration to the cloud. Your new environment should be rigorously tested under load to ensure it can and will perform when things get busy, both now and in the future. Also, make sure you have sufficient and reliable Internet connections in place prior to a move.


Reward: Enables business continuity

Business Continuity and Disaster recovery were once significant investments for any firm, in terms of time as well as money. The ongoing management of the system was heavy and expensive, continually updating policies and procedures was a nightmare and soon led to the whole DR and/or Business Recovery Plan becoming redundant.

Cloud-based disaster recovery and continuity have slashed the cost and past hassles of ensuring a business can respond to incidents or complete disasters. It’s also brought down the time-to-recover from days down to minutes. This is possible through creating a cloud-hosted copy of all or core parts of a business’s IT environment, which is always up-to-date and can be failed over and back with ease.

The true beauty of cloud-based solutions to continuity and disaster recovery is that they are always available and can be isolated and tested at any time. You can also automate testing, daily if you like, to ensure you are protected.


Reward: Reduced operating costs

Not only are the upfront costs reduced when undertaking a cloud migration but so are operating costs. It’s estimated that a single server uses 500 – 1,200 watts per hour to run. Extrapolated over a day, a month, a year, these basic running costs grow rapidly. But they are a cost that can be transferred to increase the ROI of moving to a cloud environment.

By hosting server environments in the cloud instead, the cloud provider will be the one covering all the costs of power, cooling, security and other areas. Whilst that is incorporated into the monthly fee, it will be just a fraction of the cost of delivering the same function internally. You are gaining the benefit of economies of scale, shared between you, others and the cloud provider.

Furthermore, with the cloud, there’s no need to have the IT team focus on just ‘keeping the lights on’. They can focus back on the business, working on enhancement projects, rather than being concerned about the day to day of running the back-end of an IT environment.


Are you ready to begin your cloud migration?

Don’t forget to follow us @QuoStar to be the first one notified about new releases along with access to free cloud migration resources, not available anywhere else!

Part 3 of the Cloud Migration Guide goes into depth on the main factors determining if your business is ready for the cloud. As well as how your business objectives influence what type of cloud migration you should undertake. Read part 3 here.


The Cloud Migration Guide – Part 1: What is a cloud migration?

Cloud - What is a cloud migration?

A cloud migration is the process of moving files, software, desktops or infrastructure to a cloud-hosted environment. Cloud migrations are often undertaken by businesses who are seeking to expand beyond their current hardware, storage or space limits. Or alternatively, a cloud migration may be the first step on a digital transformation for the business, opening the ability to undertake new IT projects which may not have been feasible before.

What types of cloud migration are there?

Cloud migrations will typically fall into one of the following categories:

  • Migrating from physical infrastructure to cloud infrastructure
  • Migrating from one cloud platform to another platform from a different supplier

However, we can break these down into further subcategories:

Lift-and-Shift

In-house applications are replicated in the cloud without redesign. This is typically the fastest method for migrating applications and the one which causes the least disruption. However, without a redesign, the migrated applications may not be taking full advantage of the speed, scalability and versatility the cloud offers. This is sometimes known as a “forklift approach” or “rehosting”.

Software as a Service (SaaS) migration

Some applications are moved to the cloud whilst others remain on-premise. Email and payroll are two functions often moved to a SaaS solution as it reduces hardware requirements and maintenance costs.

Replatforming

A small amount of upversioning is done whilst moving applications to the cloud, allowing them to take greater advantage of cloud architecture. While slightly slower, this method allows businesses to take better advantage of cloud functionality without draining their resources.

Application Modernisation

Instead of moving the application, it is remade (known as refactoring) to be optimised for a cloud environment. The result is a refactored application that fully utilises every benefit cloud architecture has to offer. This approach is particularly beneficial for the migration of legacy applications but it takes far longer than any of the other methods.

Choosing which type of migration is best suited for your business is a strategic decision. And to get optimal results, you need to consider your migration goals, your timescale and the importance of the application itself.

How can a cloud migration help?

Depending on your specific business goals, a cloud migration helps you in a range of different ways.

  • If you’re aiming to reduce the upfront costs of IT infrastructure then transferring your backups, disaster recovery and general file storage over to the cloud is an advisable course of action.
  • To get increased workstation performance you should consider hosted desktop or if you want all-round performance increases then you should look at cloud hosting for your servers.
  • For streamlined business processes and increased efficiency, you could migrate to cloud-based Office 365.

How can businesses move to the cloud?

Migrating to the cloud is not a singular activity and there are many ways your business can do it. It can be done with Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS). Below are some examples of ways you can migrate to the cloud.

1. Office 365 migration

Migrating from the old, license-based versions of the Office suite to an Office 365 subscription that is cloud-based can lead to a range of business efficiency improvements.

Not only is the software regularly updated with additional security and bug fixes, but new features are often added, and performance increases are made. This further boosts the efficiency of the programs and can increase productivity and collaboration.

Because Office 365 can save files in the cloud, this also lets you access your important documents from anywhere with an Internet connection on any device that has the relevant app installed. This allows for a much more agile approach to work as you can access the files you need, wherever you are.

2. Backup as a service

Migrating to the cloud enables more than performance upgrades. It can also offer security and resiliency improvements such as Backup as a Service (BaaS).

Also known as cloud backup or online backup, BaaS is a method of offsite data storage, where a third party regularly backs up files, folders or hard drives to a secure cloud-based repository. This protects the data and enables it to be restored should it be lost, damaged or destroyed.

Businesses using Software as a Service (SaaS) applications are common users of BaaS, as SaaS vendors’ backup policies often don’t guarantee the swift and complete restoration of lost data that BaaS does.

With BaaS it’s also possible to take live backups. Instead of taking backups every night or every week (you should really be backing up at least once every day), a backup can instead be made every time a file is saved or changed. This means that instead of losing a whole day’s work, only a few minutes’ worth, or potentially no data at all, is lost.

Furthermore, migrating your backup to the cloud removes the worry of rotating and managing tapes or hard disks and ensuring they are taken offsite at regular intervals.


3. Hosted desktop

Hosted Desktop is a relatively old use of cloud technologies – but is still popular. Having hosted desktops means that rather than the workstation located in the business office doing the processing, a copy of the workstation hosted in the cloud does it instead. Mouse clicks and key presses are transmitted to the hosted machine and a live feed of the screen is sent back to the physical machine to be displayed.

By migrating desktops to the cloud, businesses can increase the performance whilst simultaneously decreasing the cost of hardware.

This has the benefit of reducing the overall processing power required for each individual workstation (and thus the price of the workstation) as the cloud hardware (which has superior performance to the workstation hardware) is doing all the processing already.

Hosted desktop also means that you can access the hosted machine from nearly anywhere. If the machine you are using has the software that allows you to connect to the hosted machine, you can work on the go and access the files stored on the hosted machine from anywhere.


4. Disaster recovery as a service

DRaaS is where a copy of the core server infrastructure, including critical data and applications, is hosted in the cloud. In the event of an emergency where the IT environment is down, i.e. through hardware failure, natural disaster, or cyber-attack, everything can switch over to the hosted version and the business can continue as normal with minimal downtime.

Compared to legacy disaster recovery systems, DRaaS is significantly easier, less expensive and more accessible for businesses. It also doesn’t accrue the costs of having duplicate hardware constantly running in case of an outage.

The failover process can additionally be set up to occur automatically, letting access be restored in minutes. This significantly reduces downtime and avoids the crippling financial losses caused by an outage.

Why should I undertake a cloud migration?

Moving to the cloud allows you to experience a range of benefits. Reduced infrastructure costs, increased performance, scalable storage and improved cyber-security are just a few examples.

Part 2 of the Cloud Migration Guide looks at the rewards of a cloud migration along with the potential risks and how to mitigate them. Read part 2 here.


Eight ways to avoid phishing scams

IT security - 8 ways to protect against phishing attacks

Phishing is a form of online scam in which fraudsters trick Internet users into submitting personal information to what they believe is a legitimate organisation. This can lead to scammers gaining your personal login credentials or the information needed for identity theft.

Phishing scams usually arrive as an email pretending to come from a legitimate source. Most commonly, Microsoft and Amazon are impersonated, as the credentials for those accounts offer a wealth of personal and financial information. However, other companies scammers often pose as include Apple, Dropbox, LinkedIn and PayPal.

Because phishing is one of the most devious forms of identity theft, it is important to become familiar with various types of phishing scams as well as learn how to protect against them.

How to protect against phishing attacks

1. Guard against SPAM

Many phishing emails follow a preset script or are sent out in bulk. Having a SPAM filter in place allows you to filter out the majority of these mass emails and can allow you to block messages which come from known malicious addresses. Even with a SPAM filter, you should be especially cautious of emails that:

  • Come from unrecognised senders
  • Ask you to confirm personal or financial information over the Internet or make urgent requests for this information
  • Aren’t personalised
  • Try to upset you into acting quickly by threatening you with frightening information

2. Communicate personal information only via the phone or secure website

When conducting online transactions, look for a sign that the site is secure such as a lock icon on the browser’s status bar or an “https:” URL, whereby the “S” stands for secure, rather than an “http:”.

Do not blindly trust a website which uses https though. Many phishing sites now use https and the green padlock to imply they are more genuine or to instil more trust. But this is just another piece of social engineering. All https means in this scenario is that you’re securely handing your details over to a scammer.

However, you should also be aware of phone phishing schemes. Do not divulge personal information over the phone unless you initiate the call. Be cautious of emails that ask you to call a phone number to update your account information as well.

3. Don’t click on links, download files or open attachments from unknown senders

It is best to only open attachments when you are expecting them and know what they contain, even if you know the sender. Some email clients come with the ability to preview the contents of an attachment and this can be used to determine if the contents are malicious or not.

Additionally, if a link is present in an email, don’t click it. Instead, navigate to the legitimate site via a web browser and continue from there.

4. Never email personal or financial information, even if you are close to the recipient

As a general rule, you shouldn’t be sending personal information over an insecure channel like email. You never know who may gain access to your email account, or to your recipient’s account either and then be able to find that information.

If you must send personal information, many email clients now have the ability to send a self-destructing email which can prevent it from being intercepted.

5. Beware of links in emails that ask for personal information

Even if the email appears to come from an enterprise you do business with you should still be cautious. Phishing websites will often copy the entire look of a legitimate website, to make it appear authentic. To be safe, call the legitimate enterprise first to see if they really sent that email to you.
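The warning signs from points 1, 2, 3 and 5 above (an unrecognised sender, a request for personal or financial details, pressure to act quickly, and a link whose visible text does not match where it really points or that uses plain http) can be turned into a small triage check. The following Python script is an added example, not code from the original article or from QuoStar; the list of known senders and the two sample messages are constructed for the example, and the domains in them are placeholders.

```python
"""Heuristic phishing triage over raw email messages (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of senders this hypothetical company already recognises.
KNOWN_SENDERS = {"accounts@supplier.example", "ceo@company.example"}

# Phrases used to pressure the reader, and phrases asking for sensitive details.
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|verify now)\b", re.I)
CREDENTIAL_REQUEST = re.compile(
    r"\b(password|card number|account details|confirm your (?:identity|details))\b", re.I)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-cased hostname of a URL or bare domain string, or '' if none."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def analyse(raw_message, known_senders=KNOWN_SENDERS):
    """Return a list of warning strings for one RFC 822 message (empty = nothing found)."""
    msg = message_from_string(raw_message)
    warnings = []

    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in known_senders:
        warnings.append(f"unrecognised sender: {sender or '<none>'}")

    # Gather the text/plain and text/html bodies; multipart containers decode to None.
    text, html = "", ""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        decoded = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_type() == "text/html":
            html += decoded
        elif part.get_content_type() == "text/plain":
            text += decoded

    body = msg.get("Subject", "") + "\n" + text + html
    if URGENCY.search(body):
        warnings.append("pressure to act quickly")
    if CREDENTIAL_REQUEST.search(body):
        warnings.append("asks for personal or financial information")

    extractor = LinkExtractor()
    extractor.feed(html)
    for href, visible in extractor.links:
        href_host = host_of(href)
        if href.lower().startswith("http://"):
            warnings.append(f"plain-http link to {href_host}")
        # Only compare when the visible text itself looks like a URL or domain.
        visible_host = host_of(visible) if "." in visible else ""
        if visible_host and visible_host != href_host:
            warnings.append(f"link text shows {visible_host} but points to {href_host}")
    return warnings


# Constructed sample: a message impersonating the supplier (look-alike domain).
SUSPICIOUS = """\
From: "Accounts Team" <billing@supp1ier-portal.example>
To: ceo@company.example
Subject: URGENT: your card was declined - verify now
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Please confirm your details within 24 hours or the account will be suspended.</p>
<p><a href="http://supp1ier-portal.example/login">https://supplier.example/account</a></p>
"""

# Constructed sample: an ordinary message from a known contact.
BENIGN = """\
From: Accounts <accounts@supplier.example>
To: ceo@company.example
Subject: March statement attached
Content-Type: text/plain; charset="utf-8"

Hi, the March statement is attached as usual. Let us know if anything looks wrong.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, "->", analyse(raw) or ["no warnings"])
```

The script is deliberately a triage aid rather than a verdict: a message with no warnings can still be a scam, and a legitimate supplier can trip the urgency rule, which is why the article's advice to verify through a known phone number or by typing the address into the browser yourself still applies.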

6. Beware of pop-ups

  • Never enter personal information in a pop-up screen
  • Do not click on links in a pop-up screen
  • Do not copy web addresses into your browser from pop-ups
  • Legitimate enterprises should never ask you to submit personal information in pop-up screens, so don’t do it.

7. Protect your computer

At a minimum, ensure your computer is protected by a firewall, spam filters, anti-virus and anti-spyware software. Do some research to ensure you are getting the most up-to-date software, and update them all regularly to ensure you are blocking new viruses and spyware.

Additionally, setting up two-factor authentication on your accounts can add an additional layer of security and prevent scammers from accessing your personal information.

8. Check online accounts and bank statements regularly

If you’ve been the victim of a phishing scam or think you have, it’s important to constantly monitor the activity of that account. A scammer may lie low for a while to trick the victim into thinking they weren’t affected and that can make the damage much more potent.

Conclusion

You should always be careful about giving out personal information over the Internet. Luckily, companies have begun to employ tactics to fight against phishers, but they cannot fully protect you on their own.

Remember that you may be targeted almost anywhere online, so always keep an eye out for those “phishy” schemes and never feel pressured to give up personal information online.


What are your options for upgrading IT infrastructure?

IT strategy - What are your options for an IT infrastructure upgrade?

An IT infrastructure refresh can result in mixed feelings from IT managers. On one hand, you have the cost, complexity and risk of migrating systems but on the other, you have a great opportunity to significantly enhance your environment.

Given that a typical refresh cycle is now 4-5 years – due to the financial climate and the increased reliability of hardware – it is likely that you can greatly increase value when refresh time comes around.

Server Virtualisation

One option is a like-for-like deployment. Server virtualisation makes the transition to new platforms fairly straightforward. This is because workloads are portable, utilisation is visible and IT Managers are typically familiar – and confident – with the underlying technology.

However, there are limitations to consider, particularly around the agility of this model. It is difficult to efficiently accommodate changes in capacity, whether that’s an increase or decrease, compared to traditional infrastructure.

Hyper-Converged Platforms or HCI

A second option is to go for new technology, like HCI. While hyper-converged platforms are still relative newcomers, the market is definitely developing and maturing.

HCI is a modular approach to IT infrastructure and allows rapid, vast scaling through small form factor nodes that provide integrated RAM, CPU and Storage without complexity. This type of efficiency simply isn’t possible with traditional infrastructure. This option also offers advanced functionality and integrated services, such as deduplication, backup and disaster recovery.

Yet this doesn’t mean this approach is without its limitations. Relying on platform efficiencies can make sizing complicated and implementations more intricate. Furthermore, adopting a platform over hardware could mean you end up locked into a specific vendor – something which some would view as a risk. Finally, HCI also represents a CapEx approach to IT infrastructure refresh which, given the financial climate, may not be desirable.

Cloud Services

An alternative approach could be to opt for cloud services. There are certainly many benefits and it does address some of the shortfalls of traditional infrastructure. As a utility-based, OpEx approach to IT, the cloud offers greater agility, greater elasticity and relieves the pressure of “keeping the lights on”.

Despite this, it doesn’t mean it’s suited to all opportunities. While moving to the cloud can relieve the pressure on networking or application delivery, it does not guarantee cost savings. Furthermore, migrating to the cloud can be complex and time-consuming, so you need to ensure you have the resources on hand. At QuoStar our team specialise in zero downtime migrations and can manage your migration project from end to end.

What option should you choose?

There’s no one right answer here. You need to weigh up your available options and see which one aligns best with your business objectives. While the variety of options may seem daunting, it doesn’t need to be. Prior to undertaking an infrastructure refresh, it is often a good idea to seek out an independent consultant who has experience in this area and can offer an unbiased perspective.


How to protect personal data and comply with GDPR

GDPR - How to protect personal information and comply with GDPR

In order to comply with the GDPR, organisations must implement appropriate technical measures that ensure compliance. This is established under Article 32, which delineates the GDPR’s “security of processing standards”, and is required of both data controllers and data processors.

When implementing these measures the Regulation does state that “the state of the art and the costs of implementation” and “the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons” must be taken into account.

Due to the different ways organisations collect, store and process data, as well as the different levels of risk these present to users, there will not be one universal set of technical and organisational measures. However, the GDPR has set out some suggested methods for data protection.

Privacy by Design and Privacy by Default

Although supervisory authorities have typically advised that organisations take this approach, for the first time GDPR actually lays out “privacy by design” and “privacy by default” as specific obligations. Under this requirement, companies will need to design compliant policies and systems from the outset.

Under Article 25, a data controller is required to implement appropriate technical and organisational measures at the time of determining the means of processing and at the time of the actual processing. When determining what measures to implement, the controller should take into account “the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the likelihood and severity of risks to the individual posed by the processing of their data”.

In addition, organisations must give individuals the maximum privacy protection as a baseline. This includes explicit opt-ins, safeguards to protect consumer data, restricted sharing, and retention policies. For example, if someone creates a new social media profile, the most privacy-friendly settings will be enabled, and it would then be up to the user to reduce these if they so wished. This approach directly lowers the data security risk profile: the less data you have, the less damaging a breach will be.

Data Minimisation

An essential principle of data protection, data minimisation establishes that personal data should not be retained or further used unless it is necessary for purposes clearly stated at the time of collection. The principle applies to the entire lifecycle of personal data. This includes the amount collected, the extent of the processing and the period of storage and accessibility.

Data must be “adequate, relevant and limited to what is necessary, in relation to the purposes for which they were processed”. This means controllers need to make sure that they collect enough data to achieve their purpose but not beyond that.

Privacy Impact Assessments

These are an integral part of the “privacy by design” approach and can help you identify and reduce the privacy risks of your projects. They allow organisations to find and fix problems at an early stage of any project, and reduce the associated costs and reputational damage that may otherwise accompany a data breach.

Some situations where organisations should carry out a Privacy Impact Assessment (PIA) include:

  • A new IT system for storing and accessing personal data
  • A business acquisition
  • A data-sharing initiative
  • Using existing data for a new and unexpected or more intrusive purpose
  • A new surveillance system
  • A new database that consolidates information held by separate parts of an organisation

Under Article 35 of the GDPR, PIAs are mandatory for organisations with technologies and processes that are likely to result in a high risk to the rights and freedoms of data subjects. However, they are a good strategic tool for any organisation which processes, stores or transfers personal data.

Pseudonymisation

Article 4(5) of the GDPR defines pseudonymisation as “the processing of data in such a way that it can no longer be attributed to a specific data subject without the use of additional information”. For a data set to be pseudonymised, organisations must keep the “additional information” separate and secure from the de-identified data.

The GDPR incentivises data handlers to implement this method because it allows them to use personal data more liberally without infringing on individuals’ rights. This is outlined in Article 6(4)(e), which states that pseudonymised data may be processed for uses beyond the purpose the data was originally collected for. This is because the data only becomes identifiable when held together with the “additional information”.

However, it is important to note that pseudonymisation is not a cast-iron guarantee of data protection. It does not mean organisations using this method would not need to report a data breach to their supervisory authority.

The effectiveness of pseudonymisation hinges on its ability to protect individuals from “re-identification”. This depends on a number of things, including:

  • the techniques used for pseudonymisation;
  • the location of the additional identifiable elements in relation to the pseudonymised data; and
  • the likelihood that non-identifiable elements could uniquely identify a specific individual

Unfortunately, the GDPR is quite vague on the level of data protection pseudonymisation provides by itself. Only in Recital 26 does it mention that data handlers should take into account whether re-identification is “reasonably likely”.

There are no official guidelines as to what constitutes “reasonably likely”; the GDPR merely advises that data handlers take into account “all objective factors”, for example “the costs of and the amount of time required for identification, the available technology at the time of the processing and technological developments.”
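As an added illustration (not code from the original article), the following Python shows one keyed pseudonymisation scheme: the secret key is the separately held “additional information”, the fields the analysis does not need are dropped, and an unkeyed hash is shown for contrast because a list of guessable identifiers re-identifies it. The sample records, key, field names and function names are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "name": "Alice Example",
     "postcode": "AB1 2CD", "order_total": 42.50},
    {"email": "bob@example.com", "name": "Bob Example",
     "postcode": "EF3 4GH", "order_total": 13.00},
]

# Data minimisation: only the fields the downstream purpose needs are kept.
FIELDS_TO_KEEP = ("postcode", "order_total")


def new_key() -> bytes:
    """The 'additional information': store it apart from the pseudonymised set."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Without the key it cannot be recomputed."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Replace the direct identifier with a pseudonym and drop unneeded fields."""
    out = []
    for r in records:
        row = {"subject_id": pseudonym(r["email"], key)}
        row.update({f: r[f] for f in FIELDS_TO_KEEP})
        out.append(row)
    return out


def lookup(pseudonymised, identifier: str, key: bytes):
    """Re-identification is only possible for the party that holds the key."""
    pid = pseudonym(identifier, key)
    return [row for row in pseudonymised if row["subject_id"] == pid]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed hash: looks de-identified but anyone who can guess the
    identifier can recompute it. Shown only to demonstrate the risk."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def reidentification_risk(pseudonym_ids, candidate_identifiers):
    """Risk check: which pseudonyms would a list of plausible identifiers recover?"""
    table = {naive_pseudonym(c): c for c in candidate_identifiers}
    return {pid: table[pid] for pid in pseudonym_ids if pid in table}
```

Running reidentification_risk over keyed pseudonyms returns nothing, while over unkeyed hashes it recovers every identifier that appears in the candidate list.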

What should organisations do?

The bottom line is that organisations should embed privacy into every process, procedure and system which handles data. Under GDPR organisations need a proactive approach to data privacy and protection. It should be an important part of the planning process and throughout the entire lifecycle.

There are many security measures that businesses can implement. Ideally, you should be looking at solutions that cover multiple angles. Relying solely on encryption or pseudonymisation won’t cut it.