Third party security breaches: How to ensure your data is safe on others’ systems

IT security - How to keep your data safe in third-party systems

The reality of today’s cybersecurity landscape is that a company’s security extends to its third-party relationships.

Whilst many businesses are still grappling with their own IT security, it is evident that they must also consider security strategies across the entire supply chain.

Many companies, particularly those subject to strict regulators or working to standards such as ISO 27001, will understand the need to manage third parties in terms of data security. Different types of data can be treated as asset types and categorised, with suitable controls put in place for each. You have to identify what you are trying to protect before you will see the potential issues surrounding it.

In practice, many businesses will be unable to directly control the security of their data once it is with a third party. However, a business can check the third party’s controls and sign them off, or demand stricter ones if necessary (for example, Data Leak Prevention or encryption at rest). This check should form part of the outsourcing contract. It makes sense for both parties to work to the same standard, such as ISO 27001, to ease integration and keep documentation consistent.

Businesses and their suppliers must take steps to minimise their own IT security risks in the event of a compromise. Many IT users fall into the habit of using similar passwords, if not identical ones, for all their applications, leaving the business vulnerable. To reduce the risk of a data leak, organisations should consider implementing unique passwords for every application, account and user.

Using multi-factor authentication will add another layer of security. It will make it more difficult for a cybercriminal to use stolen third-party credentials. The rise of the GDPR will also help businesses understand the data they hold and process, both for themselves and others. Provide real-life examples of breaches to help staff understand their role in IT security. This will remind them that they are, in fact, the first line of defence.


How to work effectively with your IT support provider

IT support - How to work with an external IT team

One of the most common misconceptions which can put people off outsourced IT support is the belief that only an internal IT team can provide reliable, efficient support and ensure that any issues are resolved quickly.

This simply isn’t the case.

The advent of modern technologies allows the vast majority of IT issues to be fixed remotely, and Service Level Agreements (SLAs) hold external IT teams accountable for performance, response and fix times. Even companies that have their own internal IT team can benefit from the support of an external IT team to take responsibility for day-to-day maintenance, provide additional help in the event of a crisis or add specialist skills to the team’s repertoire.

However, sadly this does not mean that every outsourcing relationship runs perfectly 100% of the time. Like any business relationship, for outsourcing to be successful there need to be certain elements in place to ensure that both parties fully reap the rewards and benefits.

1. Trust

It can be daunting to place a business-critical function such as IT in the hands of a third party, but trust is essential for a smooth working relationship. Of course, you should take the time to find the right IT support partner, but once you feel confident you must trust that your partner will deliver.

The emphasis here really is on finding a “partner” and building a “partnership”. If you have an IT support provider who understands your business, your goals and is dedicated to ensuring that IT supports the achievement of those goals, you will have an infinitely better working relationship than with a provider who’s just focused on the cycle of break-fix.

Discuss exactly what the service will include, who is responsible for what and whether there is any flexibility for customisation. It is important to make sure everyone is on the same page. If one side understands the arrangement differently, you will never achieve alignment, nor the results you want.

2. Communication

Communication is vital for a successful partnership. While you should expect regular updates from your provider and a consistent point of contact, you should be open in your communication. If you have a concern then you should feel comfortable raising it with your provider. They should also be able to respond and alleviate that concern – or provide an action plan for addressing it. Constructive feedback keeps the relationship running smoothly. For example, your external IT team may have facilities that allow feedback upon the completion of a service ticket. This feedback is invaluable because it allows both parties to learn from the experience.

3. Metrics

Agree on what success looks like from the outset, as this will be the benchmark for measuring performance. Use metrics to track the external IT team’s performance and their customer service. You want your employees to be happy with the service they are receiving.

Considerations

It’s important to understand that outsourcing your IT support is not a one-off exercise. Successful outsourcing requires both parties to work in partnership with a clear understanding of each other’s responsibilities.

Of course, it may be necessary to adjust the Service Level Agreement in the future. But the best part about a true partnership with your provider is that you can have a two-way discussion and achieve mutual benefit.

By taking the time to find the right IT support provider, aligning their service delivery and your goals, and ensuring open, straightforward communication at all levels you will develop a lasting business relationship which truly elevates your organisation.


How to create an IT Strategy: A 5-step plan


IT is a critical part of almost every department, yet many businesses are not taking full advantage of new technology or realising the full potential of their IT investments. This is where an IT strategy comes in.

An IT strategy, when done right, is a powerful tool for driving growth, increasing efficiency, achieving goals and supporting staff.

Below we’ve provided an overview of the five key steps involved in creating an effective IT strategy. Whether you’re completely new to the process or an experienced IT professional, this guide is an ideal starting point.

1. Outline business goals and objectives

In order to create an effective IT strategy, you must make sure it is aligned with your overall business strategy. This is because the primary function of an IT strategy is to support your business and help you to achieve your goals.

You should begin by outlining your business needs, goals and high-level objectives. Key areas to look at will include:

  • Your sales pipeline and targets
  • Future plans regarding partnerships, mergers or acquisitions
  • Growth strategies and plans for the company
  • Any other “action plans” departments are working towards

2. Define your scope, stakeholders and timeline

Everyone must be clear about the purpose of your IT strategy, who is responsible for delivery and to whom it applies.

As part of this process, you should meet with key people from each department. They will be able to tell you how they’re currently using technology and their future business plans. With their input, you can ensure that your strategy provides the right IT support for each business unit.

Just as you would define a timeline for achieving specific goals, your IT strategy should also have a lifespan. Most IT strategies are long-term, but you might want to review and refine your strategy more frequently. For example, you may have a five-year roadmap, which gives a high-level overview of what you are aiming to achieve, but it is reviewed annually to define key phases and projects (e.g. implementations, integrations etc.).

Technology develops at a rapid rate, so it is important that your IT strategy is flexible enough to adapt not only to new technologies but also to new organisational circumstances, changing business priorities, budgetary constraints and available skill sets.

3. Review your existing setup

When developing an IT strategy it is important to review your current IT infrastructure. This will help you to identify current problems, see what’s working and where resources are being used, all of which can be addressed by your strategy. Some key points to consider are:

  • How are teams and departments using technology?
  • What tools, software and systems do they use?

Think critically about how IT is being used, and analyse what is delivering the most value. This will enable you to plan a strategy which utilises resources you already have and ensure better allocation.

4. Create a roadmap

This may appear to be the largest, most difficult step, but as long as you have followed the steps above it should actually be relatively easy to create a roadmap which defines resource allocation and architecture.

You should start by defining the overall technology architecture: the major software, hardware and other tools you’ll be using. Then break it down into the department-specific technology which may be required to meet business goals. Finally, consider how the different parts of your architecture fit together, and what processes govern their integration.

Keep all the information related to your technology architecture in a document or spreadsheet so you can review it easily.

5. Establish your metrics

Measurement is an essential part of any strategy, and without it, you will be unable to identify any gaps or weaknesses. You need to make sure that the IT strategy is functional and cost-effective. In order to do this, you should identify KPIs you can use to analyse performance over time. It is important to track a range of metrics as this can help your business to be more proactive in identifying and solving issues (e.g. resolving performance issues before they impact end-users).

Some examples of metrics you may wish to track include:

  • Budget variance – Actual costs vs. budgeted costs
  • Resource cost – The average cost of a technology resource
  • Project delivery – The percentage of projects delivered “on time”. You may also want to track project satisfaction by using a set survey to solicit feedback from business partners
  • Project cost – The percentage of projects delivered within budget
  • Production incidents – The number of incidents, ranked by severity
  • SLAs met – The percentage of jobs which finish on time
  • Application availability and performance – The percentage of time an application is functioning properly, and the average time it takes to render a screen or page
  • Employee satisfaction, feedback and reviews – Constructive feedback from employees can be highly useful for increasing productivity
  • Number of help desk calls

If your leadership team is not particularly technology-savvy, then metrics are a simple and effective way to demonstrate the success of the company’s IT strategy, which will help to secure the confidence of management. Furthermore, being able to demonstrate that the IT strategy is aligned with the overall business strategy may assist in securing funding for future IT projects.


6 reasons your business continuity plan is weak – and how to fix it

Business continuity - Your business continuity plan is weak. Here's why:

Business continuity planning involves creating a strategy to prevent, reduce and recover from risks to an organisation.

Many organisations still have business-impacting IT outages that should be avoidable, or quick to recover from.

There are six key reasons why these types of IT outages continue to impact businesses.

1. Not understanding risk

Most businesses would be surprised if they listed out every asset or asset type within their business and then looked at every risk associated with it. What’s the likelihood of that risk type affecting the asset or the wider business? What would the impact be on the business? It’s impossible to protect against something you are unaware of. It’s critical that a business understands, at the very least, the IT assets they have and the associated risks to the business. However, when you’re talking business continuity it’s best to include other types of asset, such as key employees or sites.

2. Having no controls in place

Once you understand the risks, you can put controls in place to reduce or mitigate them. This can be something as simple as protecting a laptop from Trojan software with anti-virus protection, through to protecting against a systems outage by replicating all data and systems into the cloud or into another site. Controls need to be sensible and considered, which is why it’s critical for a business to understand the true cost of a system outage.

3. No reviews

Business continuity must be a living entity within a business. Every new asset should be logged, have its associated risks identified and have applicable controls put in place. The controls, particularly around continuity, must be regularly reviewed and tested. And by ‘regularly’ that means you should be testing as often as feasibly possible. If you’re waiting for longer than a year between reviews, you’re leaving yourself highly vulnerable.

4. Not using the right technology

Over the last decade, technology has dramatically decreased outage windows and costs when it comes to business continuity. So it’s critical that you review requirements and evaluate the technology. This process takes time and experience to do correctly, so you may want to contact a consultant so you can keep focused on your own business and have confidence in your choice. You should be assessing technology every three years (at most) to look for continuity improvements, easier management and reduced costs.

5. Senior management don’t take responsibility

In businesses of all sizes, senior management, typically at the board level, do not take responsibility for business continuity. It’s usually up to IT to undertake this function, often with heads of departments. So when a disaster strikes, whatever happens, IT gets the blame – even though they’ve identified the risks and applied the controls. This is why it’s critical to get senior management to understand the risks to the business and to accept or reject controls.

Cost factors usually determine whether management accept or reject controls, and those factors are typically driven by the controls’ stated Recovery Point Objective (RPO) – how much data the business can afford to lose. The Recovery Time Objective (RTO) is also crucial to understand: this is how long certain systems can be down for without serious consequences. You will often hear a board state that no downtime and no data loss is acceptable; however, this viewpoint often changes when viewing the budget.

6. Thinking it’s just about IT

While IT is important, businesses will have a vast array of assets which will cause different levels of impact if unavailable. What happens if the Operations Manager disappears tomorrow? If a site burns down? Or if listeria from the onsite canteens takes out 30% of the workforce? There are so many scenarios that need to be understood, and suitable controls and processes need to be in place to deal with them if they arise.


The top 5 IT support problems for growing businesses and how to fix them

IT strategy - The top five IT problems in growing businesses

IT is critical for the day-to-day operations of the majority of businesses, and when used effectively it has the potential to drive dramatic growth. Though small businesses often do not have a large budget, there are areas of their IT management that can easily be improved – without the need to invest a lot of financial resources. Here are five common IT problems facing SMEs, and how to resolve them.

1. Migration and integration pain

New technologies do not always slot in well with older systems and applications, and this can result in duplicate data entry and other inefficiencies. If you don’t have the time, experience or resources to deal with more complex migrations then the IT project that was supposed to transform your business can end up being painful and time-consuming. Thorough planning before implementation and a migration strategy can help your business to avoid these issues. Alternatively reach out to a provider who specialises in zero downtime migrations, and who has the experience and dedicated resources to make the change as painless as possible.

2. Reactive approach

“If you’re proactive you focus on preparing. If you’re reactive you focus on repairing”. Systems need regular maintenance to ensure they run properly and securely. Without that, issues can quickly turn into expensive and time-consuming emergencies. When there is a process for tracking issues, it allows IT teams or providers to analyse and identify trends. Upon further inspection of a trend, they may find that the issue is a symptom of a greater problem. Instead of solving the same recurring issue every time it crops up, take a proactive approach and find a solution to the root cause. This will make the issue go away for good and allow your business to be more productive, instead of firefighting problems.

3. Business strategy and IT strategy disconnect

Business leaders are often disconnected from IT and can fail to see how technology fits into the bigger picture. Others go even further, viewing IT simply as a necessary evil that demands spend without delivering any real value. If your business views IT in this unfavourable light then you are missing out on a world of potential, and likely making it harder to achieve your goals. If you’re planning on doubling the size of your business in the next three years but don’t inform IT, how will you ensure you have the infrastructure, systems and processes in place to support that growth, in that timeframe? When IT and business strategy are truly aligned, and working in partnership, a business can scale without limits.

4. Increasing security risks

This is not just an issue for SMEs, but the number of cyber-attacks on growing businesses is rising. SMEs are often more at risk simply because they don’t believe they are a target for a cyber-criminal. Communications, customer information and HR records are all of interest to attackers, as they can exploit them for financial gain. The reputational damage a successful breach causes is enough to severely weaken – and in some cases permanently destroy – even the strongest of brands.

Of course, there are a number of security solutions to consider. But in order to truly mitigate the risks, you need to think beyond technology. Staff training is one of the most valuable investments a small business can make. Your people are your first line of defence. If they can spot the signs of an attack, they can be an effective barrier against cyber-criminals.

You should also look at undertaking certifications such as Cyber Essentials and Cyber Essentials Plus. If you’re really serious about security, you should look at ISO 27001 accreditation. These certifications will ensure your business has the appropriate security measures in place and demonstrate to customers that you take cyber-security seriously.

5. Keeping up with change & innovation

The pace of change in the IT sector is incredibly fast. It seems that every day there is a new solution that will transform your business. Not only do you need to keep up with all the changes, but you also need to be able to spot the necessities among the gimmicks.

Ideally, you need to have someone in a management role who deals directly with IT advancement and works consistently with other departments to ensure seamless integration. However, this can be a challenge for small businesses that lack resources, so an alternative is to work with an IT support provider who has the resources and expertise to keep up with technological change and who can advise you on making the right investments. A quality IT support provider will make recommendations backed by a clear business case, not just use a new release as a sales opportunity.


A quick guide to IT support pricing models

IT outsourcing - Your guide to outsourced IT pricing models

The continual running of IT operations in your business is essential for it to survive. This means you need to have a qualified team on hand to manage your systems. But the cost of hiring and retaining such a team internally is something only the largest companies have the time and budget for. To gain the competitive advantage big players get from their internal teams, smaller businesses have turned to IT outsourcing as a way to strike a balance between performance and cost. One of the most talked-about benefits of IT outsourcing is the cost savings it can bring, although the benefits extend far beyond this. However, as there’s no one set pricing model, it can be difficult to understand exactly what’s included and whether the service is priced appropriately.

Below are some of the most common pricing models you are likely to be presented with when exploring IT outsourcing providers.

Monitoring only pricing model

This pricing model typically provides network monitoring and alerting, but with different levels of service. For example, for a small business, it may include patch management, antivirus and anti-spam updates, disk optimisation and backup monitoring on a flat monthly fee. Additional remediation work, identified through monitoring, would be an additional charge.

For larger businesses, the internal IT team would receive monitoring alerts, with the provider responsible for all incident resolution.

Per-user pricing model

Most per-user pricing models charge a flat monthly fee per end-user to cover IT support across all devices. This is a very straightforward pricing model and ideal for those companies with a tight budget as it allows you to budget for your IT support exactly. It also makes it easy to forecast for any business growth. Planning to take on an extra 20 employees this year? You can see exactly how much that growth is going to cost you in terms of IT support.

Per-device pricing model

Another option is for IT support providers to charge per device, e.g. desktop, laptop, mobile, server. There would usually be one flat price per device type, which again makes it relatively easy to see exactly where your costs are coming from and allows you to budget for future additions, e.g. if you decide you want every member of the sales team to have a tablet for remote working. The per-device model will often come out marginally more expensive than the per-user model, owing to the fact that a single user will likely have multiple devices which need covering.

Ad-hoc pricing model

The ad-hoc model means rather than paying a flat monthly fee you pay as and when you require support. This may sound good but, since prices can’t be normalised, you will likely end up paying far more overall. Additionally, as IT becomes increasingly critical, a purely reactive approach to IT support will leave you hurting after a major incident due to prolonged downtime and a large bill from your support provider. Because of this, the ad-hoc model is becoming increasingly rare with most businesses having transitioned to a fully managed service or “all-you-can-eat” model.

Tiered pricing model

Tiered pricing is where different bands of support are available. The higher the band, the more services or perks you’ll gain access to but at a greater cost. For example, you may see bronze, silver and gold tiers.

This is one of the most common pricing models but it does have its difficulties. As each tier includes its own services and limits, what can initially seem like great value can become a headache. For example, you take out a bronze level IT support contract which includes data backup. Imagine the worst happens and you lose your files. Then, on top of that, you find out your backup only covers a certain period – excluding the period you’ve lost.

It’s not to say that tiered pricing won’t work for some businesses, but if IT is critical for your operations it’s probably not something to gamble on. A fully managed service should be fully managed. There should be no limits on what your support includes.

‘All you can eat’ pricing model

The all you can eat model allows for an unlimited amount of support at a fixed rate each month. This makes it ideal for nearly every type of business looking to outsource their IT. It’s technically the same as the top level of a tiered pricing model, but without the artificial inflation from the lower tiers. This typically makes the all you can eat model better since it will include everything you need whilst being at a predictable cost.

When looking at this model, it’s important to check if it includes out-of-hours support as standard. Depending on the provider, 24/7 support might be there by default or it might carry an additional charge. However, it’s typically worth the extra money to have full peace of mind and to be able to prevent a late-night incident impacting the following day.

Discover how to reduce IT costs and get a better return from your spend with QuoStar’s Cost Recovery and Value Enhancement Audit.

5 ways to organise your email inbox for greater productivity


We receive around 121 emails a day, on average, so it’s a wonder how we manage to keep up the constant communication!

Email can quickly become a drain on time if not managed correctly. The average worker now spends 28% of their time managing email. This means if you work Monday-Friday, 9am-5pm, over one whole workday is dedicated to your inbox.

There are many suggestions out there on how we can better manage our inbox and email communications, but some of them aren’t that practical for the majority of people to use.

Luckily by using a few of the inbuilt tools in your inbox and some time management skills, you can organise your email inbox, read and process incoming mail more effectively and become more productive.

1. Unsubscribe, unsubscribe, unsubscribe

Set aside time to blitz your inbox and unsubscribe from any irrelevant newsletters and communications. Fear of missing out (FOMO) on the latest news can make us reluctant to hit unsubscribe, but think about how often you actually read those emails. There’s a chance that you open many of them only to mark them as “read” because they don’t deliver any real value.

Of course, if there’s a weekly newsletter you love seeing in your inbox and enjoy reading as soon as it arrives then keep on subscribing, but if you keep receiving weekly “offers” from that stationery supply company you placed an order with once, then hit unsubscribe. Don’t forget there’s nothing to stop you from re-subscribing if you find yourself missing a newsletter.

2. Make use of rules and folders

Quickly scan your emails and create a list of “big” categories. Depending on which department you are in you may have categories like Vendors, Customer Service, Receipts, Recruitment etc. If you want you can also create subfolders within each category to further divide your emails, but don’t worry about being too specific. You just want recognisable categories which make it easier to manage your inbox.

Don’t forget you can use Microsoft Outlook’s search function if you need to find a particular email, so there’s no need to create sub-folders by sender name, date, subject etc.

Organise your inbox with the Microsoft Outlook 2013 search bar


Another feature you might want to take advantage of is “Rules”, which automatically file messages away into their correct folders as they arrive. You can choose whether you want these messages to be displayed in the New Alert window (ideal for high priority messages) or to play a selected sound.

There’s also a whole host of Advanced Options to choose from such as mark as important, mark as read, delete or send an automatic reply so you can ensure you prioritise important communications.

3. Don’t check email so often

Checking email has become synonymous with work, but often it just distracts us from more important tasks. How often have you been in the middle of something only to be distracted by an email notification?

We immediately feel the need to check our inbox but it’s rarely urgent, and then it’s difficult to get refocused. Even if each new email only distracts you for 30 seconds, if you receive 100 emails a day that’s 50 minutes you’ve wasted on checking your inbox.

Luckily there’s an easy way to prevent emails from distracting – simply turn off your audio and visual notifications. Log into your email account and go to File > Options > Select Mail in the left-hand column > Scroll down to Message Arrival > Untick all the message alerts.

Worried about missing a specific email? You can set up a “Rule” that will override this setting. For example, you could choose to have any email from your manager play a selected sound.

Organise your email inbox by turning off new email alerts

If you’re getting distracted by the thought of new emails then try setting aside specific periods to check your inbox. You could check once when you first arrive at the office, once around lunchtime and once in the afternoon.

If checking three times a day doesn’t work for you then try once per hour. For example, 45 minutes of focused work and 15 minutes of email management. Chances are you’ll find it easier to focus if you have regular, allotted breaks.

4. Try to get to inbox zero every day

There’s nothing worse than logging in and finding your inbox overflowing with hundreds of messages. It can be tempting to just select all and hit delete but you never know what you might miss.

Instead of allowing emails to build up, try to set aside some time at the end of each day to review your inbox. Reply to important communications, file away emails in the relevant folders and unsubscribe from anything irrelevant as you go.

Tackling your email in a more strategic fashion should make it more manageable. Of course, you will get some emails overnight, but in the morning you’ll have significantly fewer unread ones than normal.

5. Try email archiving

Many people will recommend sorting emails into “keep” and “delete” and trashing any which are no longer relevant, or declaring “email bankruptcy”. While this suggestion would probably work for your personal inbox, it can be a bit more tricky in a business situation. Emails are important records of business decisions, and if your company were to become involved in legal proceedings you may be required to present all related email conversations dating back as far as six years.

With a cloud-based email archiving solution you have long-term, ultra-secure and forensically compliant storage for your emails without clogging up your inbox. Emails are automatically archived and remain so even if deleted from your inbox. Every email will have a digital fingerprint and time stamp to ensure authenticity. You can even restore emails direct to your inbox if required.

Email is a necessary part of a business, but it doesn’t have to be a necessary evil. With a few simple tricks, you can prevent email from draining all your time and focus on your business instead. Don’t forget to encourage employees to pick up the phone, or speak to you in person, for urgent matters. Not everything needs to be done over email.

How to create an email retention policy

Email retention policies are all about decreasing the risk to your company. But for a truly successful policy, you need to strike the balance between a retention period which is too long and keeps useless mail around and one which is too short and loses mail that was important.

Your policy needs to take into account any applicable legal or industry regulations whilst not going overboard trying to store every email indefinitely. If your company does not yet have an email retention policy then it’s certainly worth drafting one, and here are five tips to get you started.

How do I create an email retention policy?

1. Start with the regulatory minimums

Every business will be subject to different regulations, so the first thing you should do when creating your policy is to review the regulations your company is subject to and the relevant document retention requirements involved in each one. Some regulatory bodies you may need to consider include:

  • The Data Retention Regulations 2009
  • Freedom of Information Act
  • Financial Services Act
  • Sarbanes-Oxley Act (for US-related firms)
  • The Data Protection Act 1998

If the retention period is unknown then six years is a common safe default. This is because it’s possible to bring a breach of contract claim up to six years later. If your business is concerned about particular records then you should seek legal advice.

2. Segment your data by type of use

Once you have the regulatory minimums you will notice that the recommended periods vary widely. With this in mind, you may wish to segment emails by type, use or department to avoid having to store all content for the maximum retention period.

For specific documents like PAYE records, maternity pay or statutory pay it is up to employers to assess retention periods based on business needs. If an employment tribunal may require the document as evidence then a retention period of six years makes sense. If the document could be needed for HMRC reviews, then a minimum retention period of three years after the end of the tax year in which the payments were made would be necessary.
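The segmented retention rules from the two steps above, as an added example (not code from the original article): each segment carries its own period, an unknown segment falls back to the six-year default, and PAYE-type records count three years from the end of the UK tax year (5 April, an assumption taken from UK tax rules, not stated on the page) in which the payment was made. Segment names and sample records are constructed.

```python
from datetime import date
from typing import Optional

SIX_YEARS = 6  # breach-of-contract limitation period cited in the article

# Constructed segment names. "years" is the retention period; "from" says
# where it is counted from; "permanent" means never dispose.
RULES = {
    "general-correspondence": {"years": SIX_YEARS},
    "tribunal-evidence": {"years": 6},                       # employment tribunal
    "paye-records": {"years": 3, "from": "tax-year-end"},    # HMRC reviews
    "board-minutes": {"permanent": True},
}


def uk_tax_year_end(d: date) -> date:
    """End (5 April) of the UK tax year containing d. Assumption: UK tax year."""
    this_year_end = date(d.year, 4, 5)
    return this_year_end if d <= this_year_end else date(d.year + 1, 4, 5)


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 February to 28 February if needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retain_until(segment: str, created: date) -> Optional[date]:
    """Last day the record must be kept, or None if retention is permanent.
    Unknown segments get the six-year default rather than a shorter period."""
    rule = RULES.get(segment, {"years": SIX_YEARS})
    if rule.get("permanent"):
        return None
    start = uk_tax_year_end(created) if rule.get("from") == "tax-year-end" else created
    return add_years(start, rule["years"])


def disposable(segment: str, created: date, today: date) -> bool:
    """True once the retention period has fully elapsed."""
    until = retain_until(segment, created)
    return until is not None and today > until


def due_for_disposal(records, today: date):
    """Filter constructed (record_id, segment, created) tuples down to those
    that may now be destroyed under the policy."""
    return [rid for rid, seg, created in records if disposable(seg, created, today)]


if __name__ == "__main__":
    sample = [  # constructed records
        ("msg-1", "general-correspondence", date(2015, 3, 1)),
        ("msg-2", "paye-records", date(2020, 2, 10)),
        ("msg-3", "board-minutes", date(2001, 1, 1)),
        ("msg-4", "unlisted-segment", date(2014, 6, 30)),
    ]
    print(due_for_disposal(sample, date(2021, 3, 2)))
```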

3. Draft a real policy

Creating a policy, and getting it approved by senior management and legal professionals, will give you the ability and authority to implement all the IT, security and process controls you need to enforce your email retention requirements. Your policy should include the following sections:

  • Purpose of the policy
  • Retention time, including any segments you are using to define the retention periods. Durations are often listed as years or may be permanent
  • Difference between paper and electronic documents – although ideally there should be none
  • What constitutes destruction (e.g. shredding, deleting, overwriting, degaussing of media)

You do not have to include specific technologies and processes, but it is a good idea to refer to capabilities and requirements (e.g. offsite archival). You should also omit areas you will not or cannot support, such as types of segmentation you are unable to determine or enforce. If you haven’t seen a full retention policy before there are plenty of examples online for you to reference.

4. Review the preferred solutions

Once you have the main points of your policy established, you can estimate your minimum requirements for a solution based on the number of users, the expected volume of email and the expected rate of growth. With this information, you may be able to loosely price out a solution, but you may also wish to obtain indicative quotes from suppliers. You should also prepare for any changes to the email retention policy which may affect your pricing, e.g. if the minimum retention period increases from 18 months to three years.

5. Involve legal in the policy process

If it is the IT department’s responsibility to draft the email retention policy, then it is important to involve legal, whether that’s an internal legal team or an external law firm. The main reason for this is so they can review the viability of the policy and whether it will meet your regulatory obligations.

Allowing legal to view the policy at this stage means you can present a unified front to the board. It also allows you to evaluate the options you have laid out, and remove any of the amendments legal have made that will drastically increase the price.

To conclude…

Given the number of different regulatory bodies and how they affect organisations, every business is likely to have an individual email retention policy. Following these best practice tips will help you to create a policy that is effective, sensible and which you can enforce.

How to increase security & better protect your insurance firm

IT security - How insurance firms can increase their cyber-security

In recent years insurance firms have been targeted by numerous cyber attacks, both internal and external, including those by disgruntled former employees and organised cybercriminals. With the UK insurance industry alone managing investments of £1.9 trillion it is no surprise these firms are such an attractive target. Not only do these firms have a lot of capital funds on their systems at any one time, but they also have access to a wealth of customer data – the perfect tool for hackers to use for blackmail or to release to the public with the intent of causing reputational damage.

How do cybercriminals target insurance firms?

Gone are the days when individuals just hacked for “fun” or to prove that they could access a company’s system. Now their motives are far more calculated. This, in turn, has also changed the method of attack. Cyber attacks are rapidly becoming more sophisticated and for the hacker who is willing to be patient and clever the rewards stand to be substantial, whether that’s financial gain or the potential to damage – in some cases irreparably – a firm’s identity and reputation.

While insurance firms can be exploited through software vulnerabilities, social engineering is another popular tactic for many hackers. It essentially involves using tricks or tactics to gain information from legitimate users of a system in order to gain unauthorised access, without having to break in. Examples include calling targeted employees pretending to be from IT or maintenance, and requesting login details in order to “fix a problem”. As this can be a common helpdesk request some users may respond, which highlights the need for continual end-user training. Employees are often a firm’s first line of defence and, as such, must be able to recognise any red flags – such as suspicious emails or calls – and understand the appropriate escalation process.

How can insurance firms protect themselves?

When it comes to determining a security strategy, and overall IT strategy, the insurance sector faces pressure from multiple angles. The sector faces additional regulatory burdens in comparison to some other sectors. Firms are also under continual technical pressure to modernise their systems so that customer data is highly secure, while keeping that data accessible for review and processing.

These pressures combined can result in increased overheads and reduced margins, which can lead to decreased technical investment. However, when it comes to cybersecurity, technology should actually be the last piece of the puzzle.

Determining a security strategy should really begin with a firm understanding of what its assets are, and then assessing them to determine potential risks. A reliable starting point is the ISO 27001 standard. This is a global accreditation which essentially covers best practice in regards to information security. It helps firms manage security by reviewing assets, assigning controls and monitoring processes.

Education will always be a key element of any security strategy. Social engineering is developing at a rapid pace and employees remain vulnerable as these attacks essentially manipulate trust. A comprehensive security policy should cover basic elements such as password strength, disclosing confidential information and physical security. You should then share the policy with the whole company. A security-aware culture means employees will notice potential threats and make the correct decisions, even when the request seems genuine.

Recent high-profile breaches must serve as a warning that insurance firms are a prominent target for cybercriminals. This is likely to continue, if not increase. Taking steps to protect customer and financial data will protect your brand reputation and profitability. Therefore it makes sense to implement policies and systems to secure your business and review these regularly. The consequences of failure can be devastating, or even fatal, so cybersecurity must be a priority.

How to create an information classification policy

IT security - How to create an information classification policy

Documents are a business asset. If an asset is lost, stolen or damaged, it becomes a risk, both for the business and for its clients.

This means having control systems in place to understand these risks is critical. And having the controls to counter them is equally as important.

It sounds simple. But after a decade of working with businesses, it’s clear that few of them have suitable controls in place. To address this, we’ve created 10 points to guide you through the process of creating your information classification policy.

1. Keeping it simple

When looking at security in any way, it’s important to keep it as simple as possible. This is particularly true when it’s something as routine as dealing with documents.

To make it simple, businesses need to invest in technology. In this case, there are three main technologies worth investing in:

A document getting into the wrong hands is going to cause your business, or a client’s business, damage. That is a fact. So aiming to implement all three is the best way to get a comprehensive solution.

2. Mapping your classifications

Before you get into classifying documents it’s important to ignore technology. Technology comes after you have decided the policies and processes you wish to follow.

What this means is that you need to map documents or types of documents into distinct groups. To do this, you should look at two key areas: the sensitivity of the document and its intended audience. This information will make up the foundation of your Information Classification Policy.

Many businesses already have classifications in place. But they’re often created, implemented and forgotten – quickly becoming unusable without weeks or months of additional work. You need to create an Information Classification Policy and not hide it away. It needs to be clear and easy for everyone to work with and conform to with little effort.

3. Building the Information Classification System

The foundation of any Information Classification Policy is categorising information. Here are a few example document classifications that will fit most business requirements:

  • Public: Documents that are not sensitive and can be released to the general public without issue, e.g. on a website
  • Confidential: Documents only to be viewed internally or with third parties that have signed a non-disclosure agreement
  • Employee Confidential: Documents only to be viewed by employees at the company
  • Management Restricted: Documents only to be viewed by the senior management at the company
  • Private: Documents which contain personal information (useful for managing GDPR compliance)

In general, you don’t want to go over 10 classifications because classification should be as simple as possible. If you find that you have too many classifications, consider only looking at sensitivity or only looking at intended audience to begin with then filling in any gaps.

4. Assembling the Information Classification Team

A policy needs board-level support to ensure the business buys into and uses it. Once you have this, you should form a team which includes key departments in the business to enforce the policy.

This team may include people from technical, HR, legal and any other departments that are suitable for your industry. An appropriate team will be able to protect a business from security breaches whilst letting people access the information they need. And whilst it is important, the technical solution should be the last point to consider.

5. Designing the Information Classification Policy

Once you have your team assembled, you need to start going through your documents. In most organisations, it can be hard to know where to start.

To solve this, you should group documents at a high level, looking at the impact that a data breach of that type could cause. Focus on the most sensitive document types first. Once that’s locked down, you can move through the less sensitive list.

When going through this process there are a few tips you can follow.

For company documents, it’s advisable to put your company name first. This helps them stand out from any other classification, such as one from a client or a partner business.

It’s also useful to colour code classifications to help distinguish documents by eye. This helps you identify a sensitive document that’s left on a screen, printer or vacant desk. The beauty of colour classification is that it aids you in taking action internally or externally. It’s simple to prove that the defendant knew the information was restricted.

It’s important that you make it easy for staff to label and classify documents. If it takes more than three clicks to label a document, staff will find ways to circumvent the system. People naturally take the path of least resistance. So if your system is obtuse, employees will find ways to bypass it.

6. Enforcing control with automation

Once you’ve designed the Information Classification System, it’s finally time to look at the technology. Automation is very helpful to ensure enforcement. You shouldn’t rely on people alone as things will drop through the cracks.

It’s important that any technology links back into the core authentication system within a business. This will typically be Active Directory – the system you use to log in to your PC at the office.

Doing this simplifies things as you can use existing user groups to give access to certain classifications. There’s likely to already be an Active Directory group called “Board Members” for example, which you can use straight away.

Of course, grouping people doesn’t guarantee a user will know who they can and can’t send specific documents to. Nor will it prevent them from sending a document to a recipient by mistake.

This is why a business should be using a Rights Management system. Rights Management ensures that the systems know who has permission to access the document. So even if someone does send a restricted document, the recipient won’t be able to view it.
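The classification scheme from section 3, the company-name-first labels and colour codes from section 5, and the group-based enforcement from section 6, pulled together as an added example (not the article’s own code or any particular Rights Management product). Labels are checked before access is granted, so a restricted document that is mis-sent simply does not open for a recipient outside the allowed groups; a label carrying another organisation’s name is rejected rather than mapped to a local classification. The company name, colours and all group names other than “Board Members” are constructed.

```python
from typing import Iterable, Optional, Set

COMPANY = "Acme"  # constructed; the article advises putting the company name first

# classification -> (label colour, directory groups allowed to open it).
# None for the group set means anyone, including external recipients.
# Group names are constructed except "Board Members", which the article cites.
POLICY = {
    "Public": ("green", None),
    "Confidential": ("amber", {"All Staff", "NDA Partners"}),
    "Employee Confidential": ("amber", {"All Staff"}),
    "Management Restricted": ("red", {"Board Members"}),
    "Private": ("purple", {"HR", "Data Protection"}),
}
assert len(POLICY) <= 10, "keep the scheme simple: no more than ten classifications"

LABEL_SEP = " - "


def label_for(classification: str) -> str:
    """Visible label placed on the document, company name first."""
    if classification not in POLICY:
        raise ValueError(f"unknown classification: {classification}")
    return f"{COMPANY}{LABEL_SEP}{classification}"


def colour_for(classification: str) -> str:
    """Colour used to make the label recognisable on screen, print or desk."""
    return POLICY[classification][0]


def parse_label(label: str) -> str:
    """Recover the classification from a label, rejecting labels that belong to
    another organisation or name a classification this policy does not define."""
    prefix = f"{COMPANY}{LABEL_SEP}"
    if not label.startswith(prefix):
        raise ValueError(f"not a {COMPANY} label: {label!r}")
    classification = label[len(prefix):]
    if classification not in POLICY:
        raise ValueError(f"unknown classification in label: {label!r}")
    return classification


def can_open(label: str, user_groups: Iterable[str]) -> bool:
    """Rights-management style decision: may a user in these directory groups
    open a document carrying this label? External recipients pass no groups."""
    allowed: Optional[Set[str]] = POLICY[parse_label(label)][1]
    if allowed is None:
        return True
    return bool(allowed & set(user_groups))


if __name__ == "__main__":
    doc = label_for("Management Restricted")
    print(doc, colour_for("Management Restricted"))
    print("staff member can open:", can_open(doc, ["All Staff"]))
    print("board member can open:", can_open(doc, ["All Staff", "Board Members"]))
    print("external recipient can open Public:", can_open(label_for("Public"), []))
```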

7. Educating employees

One of the largest reasons for data leakage is employees. Make sure to train them on how to use systems and refresh them periodically.

Also educate them on any security risks to the business – known, current or potential. They need to understand why following policies is important and how not following them can impact the business and therefore them.

8. Controlling leavers

So many organisations do not manage ex-employees. It’s important to disable their accounts once they leave the company. Even if they left on good terms, it’s best not to take a risk.

Loose accounts complicate the system at best and act as an open hole for attackers at worst. Hackers or insiders can hijack old accounts and make use of their access privileges. So you need to shut down accounts, or strip them of all access rights, to reduce the risk to your data.

9. Continually improving

It’s best if you adhere to common processes and document them somewhere accessible. To do this, you need robust information classification and risk policies that integrate with a wider standard. A good example to use as a framework is the ISO 27001 standard.

Doing this ensures that you assess and improve how you are controlling your risks within the business, keeping you protected from an evolving threat landscape.

10. Widening the focus

It would be ridiculous to only focus on document security whilst ignoring the other risks to your business. So understanding all the risks your business faces and assigning suitable controls is something you must do.

Again, the ISO 27001 standard is a good framework to use for managing your information security on a wider basis. But this shouldn’t stop you going ahead and dealing with document security first. Getting this done will make things easier in the long term.

Summary

Businesses must control their risks, as failing to do so has catastrophic consequences. The key is to start simple and then improve. You don’t have to adopt everything at once.

A good starting point is to understand the sort of data you have and then classify it. A good percentage of your business information could be used to extort or embarrass you, or even worse, a client.

Once you’ve got your classifications, tie them into document templates, then automate management and workflow with technology. When done right, businesses can dramatically improve their security since the classification is embedded in the asset itself. Rights Management can then control who can edit, copy, paste, print, email, transfer or view it at a later date.

Once in place, this can be overlaid with network controls such as Data Leak Prevention. This watches documents flow in and out of the business and can isolate, sandbox or alert relevant people that a breach may occur.

To take it further, systems at the perimeter, such as gateway encryption solutions, can identify sensitive information and encrypt it to ensure it won’t pass over the open Internet in clear text.

The list can go on but it’s important you start at the beginning by creating an Information Classification System. You need to understand what you have and what the risks and potential controls are first though.