Your Security Manager - UK based Independent Information Security Specialist

Welcome

Here to help you improve the security of your information

Information security is always hitting the news;

North Korea hackers stole $400m of cryptocurrency in 2021 (BBC News 14 Jan 2022)
Cyber attack disrupts Gloucestershire Council's website (BBC News 31 Dec 2021)
UK donates 225 million stolen passwords to hack-checking site (BBC News 20 Dec 2021)
Meta bans surveillance-for-hire firms for targeting users (BBC News 16 Dec 2021)
Sainsbury's payroll hit by Kronos attack (BBC News 16 Dec 2021)
Log4shell: US demands Christmas Eve deadline for hack fix (BBC News 15 Dec 2021)
Flaw prompts 100 hack attacks a minute, security company says (BBC News 13 Dec 2021)

Just a handful of stories making the BBC's headlines over recent months.

For many small businesses it is a confusing minefield of technobable and jargon, with terms like "data protection" and "cyber safety" bandied about interchangeably with "information security". Potential customers may be asking you for security and incident response plans, BCP and DR plans, vulnerability scans, penetration tests... Your Security Manager is here to help clarify all these (and many many more!), and help you improve the way you protect data in your business, and so increase the amount of business you can do.

Contact Your Security Manager today to discuss how we can work together to improve your information security.

Our Services

Some of the services we can offer

Information security consultancy is a broad church, and Your Security Manager offers a huge range of services including;

ISO 27001 audit, gap analysis, and project kick off
Information Security Plans for Government (CESG/NCSC) contract tendering
GDPR compliance assistance
PCI-DSS self certification advice and guidance
Cyber Essentials guidance
Information protection, Risk Management, and Business Impact Analysis consultation
Capacity Planning, Business Continuity, and Disaster Recovery consultation
Independent 3rd party supplier audit
Internal compliance audits
Physical security audits
Documentation reviews
ICT support management consultation

I also partner with established service providers, in the Information Protection and Information Security consultation field, and IT Support businesses that have no in-house security expertise. As an ISO27001 Lead Auditor I am adept at sense checking implementations, where an external pair of eyes often finds those little missed details!

If you are seeking to improve the security of your business information then I can be Your Security Manager.

Contact Your Security Manager today to discuss how we can work together.

GDPR

The General Data Protection Regulation

Do not panic!

It might come as a surprise to see this bit of advice, but no official is going to knock on your door demanding proof of compliance with the GDPR, just as no one from the government ever asked for more than proof of your registration with the Information Commissioner's Office (ICO) as required under The Data Protection Act (DPA)^*. However, it's now several years since the GDPR passed into law and you should be familiar with the legislation, have the neccessary protocols in place, and be keeping evidence of compliance in the event that something occurs (like a breach) and you are called upon to demonstrate your compliance efforts. Doubtless your clients will be asking that you demonstrate compliance in some way, as is their duty under the legislation.

Now I am not suggesting you do nothing and just forget about it, this is a legal requirement that all businesses must comply with, but let's put some of the scary headlines into context. The previous DPA was in force for 20 years, and the ICO had the power to fine organisations up to £500,000 for breaches. In the 2016/17 financial year the ICO processed over 17000 breach cases and just 16 of these resulted in a fine. None of these fines reached anywhere near the maximum. The new Data Protection Act 2018 brings in to law the details set out in the GDPR, in which there is provision for a maximum of €20m fine! The ICO is unlikely to be handling down fines of this magnitude for any but the most severe breaches. For example; The ICO recently issued a provisional view to fine Clearview AI Inc over £17 million. The reality for most small businesses is that they are extremely unlikely to be landed with such a cripling fine, if they are fined at all, unless they are utterly incompitent at handling vast quantities of personal data, or deliberately ignore the requirements of the regulations. That said, the fines are gradually rising and the past year has seen records broken across the EU with GDPR sanctions in 2021 exceeding €1 billion.

I'm sure you already did your best to comply with the old DPA, so how has the GDPR changed the new legislation?

Primarily it defines personal data as any information "relating to an identified or identifiable natural person", and has these key provisions;

The right for individuals to access, correct, transfer or delete their personal information if it is held on your systems.
The requirement for you to notify authorities and customers within 72 hours of the discovery of a breach affecting their data.
Fines of up to 4% of global annual turnover (or €20 million, whichever is higher) for the most serious violations.
The requirement for citizens to give explicit consent for you to hold their data (where you do not have other legal reasons to have it), and for you to store this consent.
The GDPR applies globally, to any organisation offering goods or services within the EU, so still applies to UK businesses with EU customers even after Brexit.
The GDPR is enshrined into UK legislation so applies to UK businesses even if it has no EU cutomers.

Key points in ensuring you comply with the GDPR;

you must fully understand what personal data you hold, where the data is stored, and who has access to it, from the moment you receive the information, to the moment it is deleted from your systems.
you must have organisation-wide data protection policies, auditable record keeping, perform data protection impact assessments on particular types of data, and verify that any businesses you partner with are also compliant.
you must have the capability to detect and report data breaches, and the processes in place to find, modify, and delete personal data when requested, all within prescribed time limits.

Technology improvements have meant that personal data became very cheap to hold store and process, so much so that many businesses have vast stores of it. That is changing. Personal data is becoming what is known as a "toxic asset", that is, the risks of holding and storing it are potentially very damaging to your business.

Think of it in the terms of toxicity, and you'll be on the right path. Do you need that personal data in order for your business to function? If not, then remove it. If you do need it, consider anonymising it. If you really need that personal data, then you need to make sure that it is properly protected, and should consider encrypting it.

Do not panic!

I can help you achieve and maintain your GDPR compliance. Please contact me for an initial informal assessment, which will look at your existing approach to data protection and information security. I'll provide you with a simple checklist of recommended actions, to point you in the right direction.

Contact Your Security Manager today to discuss how we can work together.

* The ICO’s register of data controllers is a publicly accessible register. I’m always amazed at how few local businesses appear on it.

About Us

Information Security is my speciality

I am Alex Burnham, an enthusiastic advocate for Information Security, and ISO27001 Lead Auditor. I enjoy working with non-technical SME's that struggle to understand how to improve their data defensibility, and do my utmost to help them comply with DPA and new GDPR regulations. I have practical hands on experience, and a pragmatic approach, in delivering secure technical environments, and implementing ISO27001, PCI-DSS, and CESG/NCSC (including Cyber Essentials) compliant Information Security Management Systems (ISMS).

I have worked with small businesses my whole life. I returned to university as a mature student in the mid '90s to complete a BSc (hons) in Computer Communications. In the early 2000s I was Director of Technology for a web development company, then spent several years as ICT Infrastructure and Support Manager for a national training provider, managing the roll out one of the first virtualised datacentres in the sector. In more recent years as an Information Security Officer in financial services, I worked with the compliance teams of major lenders and government departments, including HMRC.

I am committed to providing you with the best advice, solutions, and value, in all your information security requirements. I understand your need for workable, cost effective, solutions to support the growth of your business. Whether you need assistance completing a security plan for an important customer, help with understanding the GDPR, development of your ISMS, or full ISO27001 compliance, I can help in every case. And if you are running a small business with no in-house information security capability, I can be Your Security Manager.

What is InfoSec?

An explanation for real people

According to several definitions, the term "Information Security" (InfoSec) means "protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction" in order to provide;

Confidentiality: preserving authorised restrictions on access and disclosure, and means for protecting personal privacy and proprietary information. i.e.: only those that need access, have access.

Integrity: guarding against improper information modification or destruction, and ensuring information nonrepudiation and authenticity. i.e.: the data is correct.

Availability: ensuring timely and reliable access to, and use of, information. i.e.: you can find your data when you need it.

It can be helpful to think of Information Security as Health and Safety guidance and compliance for your business data and information. Just like health and safety, some of it is common sense, some of it is advisable, and some of it is governed by legislation. You have to comply with the legislation, but the rest of it is up to you, depending on how you view the risk, the likelihood of something happening, and the resultant consequences should something happen.

Your Security Manager can give you as much, or as little, assistance as you want or need in making the journey to better protecting your business information and data processing systems. Just like health and safety, there is no one size fits all solution to becoming secure. It's not just about technology either, in fact, most of it is about management, evaluating risks, and changing working practices to be more safe. Sometimes you'll need hard hats and harnesses, but often it's about making sure the floor is clean, and you're using a ladder instead of a chair!

Contact Us

Contact

Email us at info@yoursecuritymanager.com
Phone us on 01650 558227
Connect with me on LinkedIn
Write to us at: Dyfi Computer Services, Ty Capel, Darowen, Machynlleth, SY20 8NS

Over the past few years I've found that any contact that arrives through social media invariably ends up involving a phone call or some emails. Social media has become a medium that expects instant response, and that really isn't always possible, so from 2022 I'm cutting it out of the loop. Please contact me by the old methods, the channels over which we have at least a modicum of control; phone or email, or even by the good old post.

YourSecurityManager

Independent Information Security specialist helping your business with data protection, resilience, compliance and auditing.