
Episode 10 - Andy Larkum - ADL Consulting - Identifying and mitigating risks in your business

S1 E10 · Survey Booker Sessions

92 plays · 2 years ago

In this episode we speak with Andy Larkum, a consultant helping companies to achieve ISO 27001 certification and an external auditor for BSI.

In this episode we cover:

πŸ›‘οΈ The foundations of ISO 27001: Confidentiality, Integrity, Availability and what in your business could affect these

🎯 Understanding risks to your business and putting your efforts in the right places

πŸ“œ When is the right time to put good business policies and processes in place

πŸ™‹ The importance of why before the how

πŸ’½ What constitutes a data breach - it’s not just data theft

πŸ§‘β€βš–οΈ The misconceptions around GDPR

Transcript

Introduction

00:00:00
Speaker
Again, drive it by risk, right? This supplier, what are the chances they're gonna go wrong? And if it goes wrong, how bad's that gonna be for me? And that'll give you a nice risk score. And based on the risk score, you can decide whether or not you need to do further work to understand how scary they are.
00:00:18
Speaker
Welcome to Survey Booker Sessions. Tune in to hear from people working in a range of industries and roles to provide you ideas that you can take away and use in your own business. I'm your host, Matt Nalley, the founder and director of Survey Booker, which is the leading CRM and survey management system for surveyors.

What is ISO 27001?

00:00:33
Speaker
So on today's episode, we've got Andy Larkum from ADL Consulting. So thanks for having me, Andy. Not at all. Thanks for having me.
00:00:40
Speaker
Do you want to start by giving us a bit of an overview as to what you do in terms of ADL Consulting? Sure, that's fine. So ADL Consulting, we are specialist ISO 27001 consultants. So essentially we help companies to achieve all the requirements for ISO 27001 so they can get that badge.
00:01:01
Speaker
I guess we'll talk a bit more about what 27001 is later. So I won't bore you with that right now, but that's the mainstay. But because of that, there's a lot of information security and data protection stuff wrapped up in there. So we also get involved in GDPR, helping companies understand what that is and what they need to do about that too. That's it in a nutshell.
00:01:23
Speaker
And that's actually very much why I wanted to get you on is to look at how surveying businesses might be able to improve their information security perspective and things that people might not think about and what are the realities around GDPR and all that kind of stuff. So it might be a good place to start actually then with what is ISO 27001 to get rid of the jargon side of

Understanding Information Security Risks

00:01:44
Speaker
it.
00:01:44
Speaker
Okay, cool. Yeah, no, so 27001 it is. So ISO is the international standards organization. So essentially, they are internationally recognized standards. That's quite key. And 27001 is their information security standard.
00:02:01
Speaker
And I think it's fairly safe to say that in the information security world, 27001 is kind of held up as the gold standard. It's a big old piece of work. It's a big standard, as you know, because you've been through it. A lot of work to do, but it's...
00:02:17
Speaker
Essentially, it's a framework for helping companies to understand the risks that they're facing to their information security and to figure out what they should be doing to protect themselves from those risks. So done right, it's an awesome tool for helping businesses operate securely. Done badly, it's terrible, so don't do it badly.
00:02:39
Speaker
I think it's surprising when you go through all the different aspects of 27001 and realizing how much there is that can affect a business in terms of information security, whether it's how you're backing up data or whether it's your people and how you're training them or when they leave, there's so many aspects that we'll come onto.
00:03:01
Speaker
What are the core aspects of 27001? So I think there's three pillars, the CIA. What's the, I suppose, those different parts?
00:03:13
Speaker
Sure. Okay. So yeah, you're right. Foundational concepts in information security, the CIA, confidentiality, integrity, and availability is what those three things stand for. And essentially what we're trying to do is say, look, within your business, what are the things that are likely to affect
00:03:33
Speaker
the confidentiality, integrity, and availability of your information.

ISO 27001 in Practice

00:03:37
Speaker
Right at the heart of 27001 is this concept of risk. We should do everything driven by an understanding of risk. If we said, for example, we are concerned that one of our employees might download our client database and take it to a competitor, that is a risk to the business. What we should do is think about,
00:04:04
Speaker
Firstly, if that happened, how bad would it be for us as a business? We can think about that from a number of fronts. What might that cost us? What might that do for our reputation? What might that do in terms of legal ramifications? Technically, it's a data breach, right? Might we have to report that? Could we get fined for it? There's all these things we can think about when we talk about
00:04:28
Speaker
consequence. So historically, we used to talk about impact. And just lately, there's a new version of the standard that's just come out in October last year, the 2022 version of 27001. And they've changed the wording there ever so slightly from impact to consequence. And I thought, well, it's the same thing, right? But then I got thinking about it a little bit. I thought, well, actually, impact sounds very immediate where consequence
00:04:53
Speaker
wow, that might be huge and go on forever. It's quite a good change actually. We think about what are the consequences of that happening and how likely is that to occur? We bundle those two things together, that gives us our risk score and that drives everything we then do. If it's a really low risk score, it's probably not going to happen or even if it did, it wouldn't matter that much. Why are we wasting time fixing that?
00:05:20
Speaker
where in the meantime, there's this other thing over here that's tremendously scary and extremely likely to happen and would ruin us as a business, we should probably get to fixing that first, right? So we understand what our risks are, then we do stuff about the risks. And the management system is driving all of that. So the ISO information security management system, that's kind of what it designs for you. And as I say, it's this framework, but the key bit, and this is really key, right? If I can drive this home,
00:05:49
Speaker
as keenly as possible, it's all about understanding your risk for your business. So it should never be imposed on you. It's why template kits actually are a bit of a disaster because you get this massive template kit of all these documents. Do we need all these documents? Probably not, no. I mean, actual prescribed documents in 27001, there's only about like 12 or 13 documents you actually have to have. The rest of them are up to you, right? So framework.
00:06:17
Speaker
understand risk, do stuff about risk.

Challenges for SMEs

00:06:21
Speaker
That's how it works. Sorry, that was a long answer. I just started chatting. No, no, it's good. I think it's, yeah, it's important not to look at it as a copy and paste from another business for the sake of doing something because it's like taking Ts and Cs off someone's website. You can't be bothered to create your own or pay for your own. So you take another version, change the company names and that does actually achieve the benefit. Is ISO 27001
00:06:47
Speaker
Is it just for big businesses or are the concepts still applicable to a sole trader and SME? That's an awesome question. In fact, I did a lot of kind of soul searching actually around that a little while back and I think I wrote a blog article on this subject. When's the right time to do 27001? Well, I think the honest answer is there's never a good time.
00:07:09
Speaker
Literally never. There might be better times. And I think, you know, in terms of sort of business size and scale, you know, I've helped companies, you know, one man bands right up to multinationals and everything in between. So there's no it's not
00:07:28
Speaker
ruled out for any type of company. But there are certain truths, like the bigger you are, the harder it is to bring change. So if we decide, well, we need to change the way we're doing this particular activity in a small company or in a one-man band, you go, all right then, and you change. In a multinational, it might take you 12 months to roll that change out because there's a lot of people that have to listen.
00:07:55
Speaker
So, and, you know, getting policies approved, you know, if you're a one-man band, you go, you're the managing director, write a policy, you're happy with that? Yeah. All right. That's the policy. You know, in a big company, it can take you months to get approval for that kind of stuff. So.
00:08:11
Speaker
I think probably the sweet spot is somewhere between kind of 10 and 50 employees. If you're that kind of size, actually you're in the perfect place because, generally speaking, you've got a bit more money than the very micro businesses.
00:08:28
Speaker
it does cost. I mean, there is an intrinsic cost in time, but then you've got also the cost of your audits, because you have to pay an auditor to come and check that you're okay. And you've got cost of any help that you might need to get you over the line, right? So there is a cost associated. And if it is
00:08:49
Speaker
just you in the business, then time out of your business is expensive, because you're just trying to make the business happen, right? And anytime you're not doing the work, you're not earning money, so.
00:09:00
Speaker
that hurts. But once you kind of hit the 10 to 50 stage, you might have some capacity across your 10 to 50 people to release some time to help with this process. And like I say, you've probably got a little bit more money to be able to spend on bringing help in. Once you go over that number, you start getting into the slightly larger companies, it takes longer to do stuff problem. But that's
00:09:27
Speaker
perfectly manageable, you've just got to set your expectations, right? So anyway, I'm giving you long answers. Sorry. No, they get the details. Nice. I think from my understanding, my perspective is it's great to do at least the policy side, you don't have to necessarily do all the audits and get the certification. But if you're smaller, going through the policies and procedures around all the different aspects that it covers, whether it's gaining access to your property, which is probably
00:09:56
Speaker
more straightforward for most people if you're smaller. But through to, you know, when someone leaves, as you say, how can they take everything? Or have you got processes in place to remove access from systems and, you know, protect them from things from being deleted, because they've left on a bad note, whatever it might be.

Standardizing Processes and Audits

00:10:11
Speaker
And I think if you're implementing that, you can be more confident in your general processes, and you've probably got a more fluid, you know, process for everything in your business then in terms of how the customers are handled. So it ties in, I think, with
00:10:24
Speaker
not just its security necessity, but how you then operate generally more smoothly. Totally. I mean, look, I would say 27001 has got a bad rap, right? You know, a lot of people, their impression of their experience perhaps with 27001 is not healthy. It's not been positive. And usually that's because
00:10:47
Speaker
Companies have implemented template kit systems. And they've gone, well, here's this thing that was built to work in any setting, every setting, everywhere in the world. So it's going to work in my business, right? Of course it isn't. And you're going to drown in paperwork and frustration. It's not going to be helpful at all. But you're right, at the heart of it, the essence of it of getting your policies right, your processes right, your systems in place, and making sure we're managing those to protect
00:11:16
Speaker
The thing that we built, right? I mean, particularly if you're a business owner listening to this, this is your baby. You want to protect it, right? And put things in place to make sure that you're looking after it, right? And 27001 gives you a framework to do that. Again, it's not prescriptive. It's a framework. We have to figure out how it applies to us. I'll stop here. Sorry. And I think it's one of those ones as well. If you're a business owner that is wanting to scale up,
00:11:42
Speaker
and build up the number of employees that you're working with, it's much easier to look at something like this generally now in terms of, you've then just got procedures in place for when you bring people on, in terms of how do you onboard them and give them the right knowledge and all that kind of stuff. So it's just useful, I think, as a general tool beyond the- Yeah, that's a good point, actually. So I think probably two words I've used with you in the past: formalise, standardise.
00:12:08
Speaker
kind of two key words in 27001. They're not that much in the standard, they're just ones that work for me. Formalise, we're going to work out what it is we do and all agree that that's how we do it. If you've got 10 people in the business doing the same thing 10 different ways, that's tremendously inefficient and probably quite insecure because
00:12:27
Speaker
there's gaps there. So if we can formalize that, agree how we do it, or sorry, standardize that, agree how we do it, and we've got it, this is the standard, this is what we do, and then formalize that. Let's write that down so we can all see that's how we've done it. And a lot of implementation work is around understanding how we do something, agreeing that that's how we do it, and then documenting that's how we do it so that we can see if we ever deviate from that.
00:12:51
Speaker
Yeah, it gives you a very nice framework to work to. And I think because you have to be meant obviously, what you will do, sorry, if you're actually certified, but obviously if you're not, then you don't have to do this part, but it's useful to build in those reviews. So you can check actually, are we doing what we said we're doing? And other than issues because we're not, it's something to refer back to if something goes wrong or not as well as you wanted it to. Yeah, I think one of the bits I was interested to talk to you about as well around this was,
00:13:20
Speaker
You obviously get to be the person that people like to work with in terms of setting policies and so on up, but you also get to be the person that everyone hates, which is the auditor. What are the things that you see firms do really well on the whole, and then we'll come on to the juicy bit potentially after. Honestly, that's such a mixed bag. It's really difficult to answer that question is generally what do people do well. I think
00:13:50
Speaker
In my experience, what auditors do badly is

Supplier Risk Management

00:13:54
Speaker
they come in in sort of a war footing. And I think equally what companies aren't very good at is recognizing that that shouldn't be the approach. As an auditor, I should not be there to catch you out. It's not my job to be clever. It's my job to have a look at your system and help you see if you've missed anything.
00:14:15
Speaker
And that comes with consequences, right? If we have missed too many things, then I can take your badge away from you. But much more helpful is, look, you've got a problem here that you need to fix. And again, from the company's perspective,
00:14:30
Speaker
If I'm being audited and you found something that I've missed, I should be grateful, right? And go, well, thank you very much. You spotted something that could have cost me massively. And I want to fix that. I need to solve that. So that's how it should work.
00:14:50
Speaker
And in terms of systems, yeah, I've seen some spectacularly good systems and I've seen some dreadfully awful systems. I had one audit where we got just out of the opening meeting, which if you've ever been audited, you know that that's how the day starts. And I asked if we'd waited an hour for people to turn up to this meeting. And it was just this poor guy who was like, well,
00:15:18
Speaker
It's not me you really need to speak to. I've just been thrown under the bus here. We got an hour in. I'm like, look, if we wait any longer, I'm not going to be able to finish the audit today. So we need to get started. I said, let's make a start. I said, just this is the scope I've got for you. This is the statement of applicability I've got for you. Is that correct? And he said, what's the statement of applicability?
00:15:40
Speaker
I was like, okay, we just need to stop. And I failed them. I was like, sorry, you can't pass this audit. So that was pretty bad. Are there aspects of running a business that people generally do well because it's something that most people will find easier and it's not as painful to think about and therefore they're better at it and therefore there are bits that you consistently see
00:16:10
Speaker
people try to put off because it's a bit of a pain and there's an area that they're weaker in as a business. Yeah, I'll tell you the one area that consistently companies struggle with is supplier management.
00:16:25
Speaker
Nobody likes supplier management. It's annoying, it's boring, it's time consuming, it's frustrating. Unless of course that's your job, in which case I take it all back. I'm sure you're very good at what you do and you love the job. But for most people, particularly in smaller businesses where you're trying to just make stuff happen, right?
00:16:44
Speaker
having to go and check your auditors, your suppliers. I'm flipping heck. What a frustrating job. So it's actually one of the things I do really early on with my clients is say, look, this is supplier management. It's something we have to do. I'm really sorry. You got to do this. And I make it as light touch as possible. There are some great sort of cheat routes that
00:17:14
Speaker
make the whole process easier. If we can say, again, drive it by risk, this supplier, what are the chances they're going to go wrong? And if it goes wrong, how bad is that going to be for me?
00:17:26
Speaker
And that will give you a nice risk score. And based on the risk score, you can decide whether or not you need to do further work to understand how scary they are, right? So a company like me, I'm coming in toward at you, right? So let's say that's the supplier relationship. So you'd risk assess that and go, well, if Andy screws up,
00:17:48
Speaker
as a business, how bad is that for us? Probably not that bad. I might have seen some stuff, but I haven't got any of your data, right? You're not giving me things. And then you go, well, how likely is he to screw up? Well, he sort of works in information security, so we're going to believe not that likely, hopefully. Well, that would give me a tiny risk score.

Simple Security Measures for Small Businesses

00:18:07
Speaker
So you say, well, at a risk score like that, we don't need to go any further. We'll just go, thanks very much. Make sure we've got terms and conditions, and they talk about information security in there somewhere. All done. That's easy.
00:18:18
Speaker
The ones that are more likely to screw up or have greater access to your data, bit more risk. So we do a little bit more work and just go and ask them for some sensible badges and assurances and insurance and that kind of stuff. But again, it's the kind of stuff that if it's your business and if you had the headspace to think about this stuff, you start going, actually, it really does matter, doesn't it? If I'm giving my data to that business and that business screws up, I'm finished. Probably ought to check they're not going to do that.
00:18:48
Speaker
that kind of thing, right? Anyway, sorry, lots of talking again. No, no, no, it's good. The information's always helpful. I think one of the things I'm interested in then, what are the, because we've discussed before, we've obviously had audits and stuff together,
00:19:06
Speaker
different tools and so on that are useful for just keeping things safe. I think one of them you showed me was AFI for backing up all of your emails, for example. Regardless of someone going in and deleting everything, you've got a backed up copy pretty much instantly elsewhere.
00:19:22
Speaker
What are the types of things, though, that the simple things that smaller businesses can put in place to really protect themselves? We've spoken on a previous podcast on cybersecurity about having multi-factor authentication on your emails. Have you got to do it on nothing else? Do it on there, because once someone's in your emails, they can reset everything else. But are there other tools like AFI and backing up emails that are easy wins for companies to implement?
00:19:50
Speaker
There are some. I say to my clients, I am incredibly lazy. If I don't have to do something or if I can automate something, I'm going to do that. But I recognize that someone said, no, Andy, you're incredibly efficient. That sounds way better, but I'm not sure that's true. I think I'm just lazy. But I'm willing to pay a bit.
00:20:17
Speaker
to be lazy because ADL is my business. I run this business. I'm very busy in this business, thankfully. People seem to like working with me. But that brings challenges, like how do I stay on top of all the other stuff? So anything I can automate that gives me assurance that stuff's happening, I'll spend some money on that.
00:20:40
Speaker
So you're right, AFI is a tool that you can use to back up Google Workspace or Microsoft 365 or other platforms. And it's literally a set it and forget it. So you turn it on, you point it at the accounts you want backed up, it will just do it. And you can go in and check periodically to make sure it's doing its job, but it's just doing it. I use a tool called NinjaOne. It's a remote monitoring and measuring tool, RMM solution. And it's great because I can connect to my,
00:21:10
Speaker
company machines to essentially install an agent on it, and it will take care of patching them for me. And it will just patch and update and maintain not just the operating system, but a whole bunch of software on there as well. And again, switch it on, set it, pretty much forget it. I check in on it, obviously, because you're supposed to do that too. But it's just taking care of my stuff, and I haven't got to remember to go and do that as a separate job. These things are great. So any opportunities to automate stuff
00:21:40
Speaker
Take them. That would be my key thing. And then if you've got a project management system, Monday.com or Asana or something like that,
00:21:49
Speaker
or ISMS.online, I know you're using that for your sister. If you're using those kinds of, use the repeat features so that you get a reminder to go and do the task so you can go and do the task, because there's a lot to remember in 27001. But just from a general security perspective, the tips you've had there already, use decent passwords, use multi-factor authentication anywhere and everywhere it's available.
00:22:15
Speaker
Yes, if you put money in it or if you put personal data in it, turn on MFA and don't blink about that. Yes, I know it's tremendously inconvenient and annoying. Well, more so for the hackers than for you. So let's do that.
00:22:31
Speaker
I suppose more inconvenient for yourself when you only get hacked. And when someone's pushing that stuff out from your emails and you got to then go after people and say, by the way, this wasn't me. Yeah. And my industry is particularly guilty of doing how before we do why. And most people need that the other way around, right?
00:22:51
Speaker
we don't understand why we've got to do something so the how part of doing that is just annoying. If we'd explained the why first and got you on board with why this is so important, maybe the how goes away a little bit. What is stopping me from hacking your email if it's just your password?
00:23:11
Speaker
What happens if I intercept your password or guess it? Well, it's game over for you. It's literally game over for you as a business. So let's not let that happen. Turn on MFA. It's an easy step, right? A little bit more inconvenient every now and then when you have to put the code in. So what? Get over it.
00:23:29
Speaker
For the one that doesn't know what MFA is, you basically get an app that gives you a six-digit code. Yeah, that's right. Ah, schoolboy error. You used the acronym first. It's your fault. Yeah, no, it's Multi-Factor Authentication, also known as two-step authorization, or two-factor authentication. It gets a bunch of... In fact, I saw the National Cyber Security Centre called it something else the other day. I was like, what, no? Oh, right, MFA.
00:23:55
Speaker
two-step verification, I think they called it. But yeah, essentially, you've got a little app on your phone that's generating a six-digit code that changes usually every 60 seconds. And that's synchronised to the system that you're signing into. So you put in your username, password, it'll ask you for the verification code. And there you go. Sign in. Yeah, you can also use password managers,
00:24:16
Speaker
like LastPass and 1Password and all that kind of stuff, where it will generate a disgusting password that you'll never remember. But because you've got the apps on your phone and it's on your browser extensions, it will pre-fill all of that for you every time you log into something and you're not going to remember it. But you've got something that you won't even be able to hack yourself.
00:24:34
Speaker
Okay, here we go. Let's do the password thing just because it's fun. I do this a lot when we do training and try to explain this is the segue, right? Because nobody, everyone's fed up of hearing about flipping conflicts passwords and how important they are.
00:24:49
Speaker
So we would take a six-character password and we make it all lowercase letters and numbers. I used to have a password that was six characters, lowercase letters and numbers. That's 2.2 billion possible combinations. And I'm going to hack that password. I'm going to do what's called a brute force hack where I'm just going to guess. I'm going to keep guessing and guessing and guessing until I get it right. But that's quite a lot of possible combinations that get sore fingers. So I'm going to use software to do that hack for me.
00:25:18
Speaker
So, Matt, your six-character password, how long do you think it's going to take my software to crack it? Oh, I saw a graph about this, depending on length and whether it includes characters. Oh, you did. I showed you it. I think you did, but I can't remember how long it was. It was something really short, wasn't it? Yeah, it's a blink of an eye. I did this just the other day, and the first guess was five minutes. The second one was two minutes.
00:25:42
Speaker
and the third guess, they went with one minute, I was like, no, it's the blink of an eye. So the ridiculous thing about that, right, is if you have a six-character password that's lowercase letters and numbers, it's going to take you longer to type it in than it's going to take for me to hack it. That's just dumb. So we go from six characters, same rules though, lowercase letters and numbers, we'll take you up to 10 characters and say, how long will it take me to hack that one? And we go from the blink of an eye up to three weeks.
00:26:09
Speaker
So again, this whole why and how, if you understand that adding those four extra characters is gonna take you from a blink of an eye to three weeks to compromise your password, as a hacker, I've now got to really want to hack your password to spend three weeks trying to get it, right? So I'm probably not gonna, I'm gonna move on to the other person who's got six-character password instead. And that's the name of the game, make it harder than everyone else. And password managers do all the heavy lifting for you. You still need a really good password to sign into those,
00:26:37
Speaker
But once you've signed into that, everything else is managed for you and they can be bonkers, you know, 20, 40, 60, 100 character passwords, whatever. Doesn't matter. You haven't got to remember.

Data Storage and Backups

00:26:48
Speaker
Yeah, biggest win. I think it's the biggest win you can have from a security perspective as a small business is doing that. What are the things that people generally do wrong where they end up losing data? Because I think there's
00:27:03
Speaker
There are different ways in the surveying industry in terms of how people store data. So I've seen, you know, the more modern side where people are using a CRM, like serving for example, it's all cloud based and backed up and so on. And then all the way back down to the older style where it's paper records and they're put in storage. And, you know, they've got the other risks then of, okay, fine, you've got a copy, but how do you do a GDPR
00:27:28
Speaker
report for someone if they say what data did you hold on me, and what happens if it gets caught in a flood or a fire, then you've lost everything. What are the most common ways that you see people losing data? Is it just the fact that they don't back stuff up properly and they don't know about that or are there other things that people don't think of? Yes, backups are a key one. The problem with backups is they tend to cost something.
00:27:57
Speaker
as in, you know, financially. And because a lot of business owners, they don't like spending money, you know, because that's their money that they're having to spend. Literally, if it's your business and you're paid by dividends, anything you're spending out of the business is coming out of your profit and you don't get the money, right? So we don't want to spend that money. But the killer is when you lose something that you can't get back and it hurts you more than it would have cost. And that's just stupid at that point. So but the
00:28:26
Speaker
The process in which people go into thinking about backups generally is broken. We have to think about backups in terms of what can we afford to lose. Because if you think about it that way up, it starts driving what you ought to be spending on the solution to back up your data.
00:28:44
Speaker
If I can't afford, let's say I've got, take it into a big business. I've got a thousand employees working on this system. They all work on it all of the time. If that system goes down, I've literally got a thousand people sat on their hands. Our recovery time objective, our RTO becomes important in that setting. How quickly can we get this system back?
00:29:09
Speaker
Then we have to start thinking about, well, how much data can I afford to lose? Now, if I've got 1,000 employees sat working at their desks all day, every day, and I back that solution up once a day, if it blows up before I hit that backup point, I've lost the previous 24 hours work, which is quite a lot of work if I've got 1,000 people who are using it. So can I afford that?
00:29:31
Speaker
can I afford to just throw away a thousand man days? Yeah, person days, sorry. So as businesses, we need to think, how quickly do we need it back? And how much can we afford to lose? Because that needs to drive our decision making process around what the backup solution looks like. In a small business setting, happily, and thankfully, the
00:29:57
Speaker
new day of software as a service, which is not new anymore, but it is still a growing arena, has brought with it the joy of not having to think about backups very much because we are outsourcing that to the software as a service provider. So people using SurveyBooker, for example, they are relying on SurveyBooker to do the backing up and the restoration if it all blows up, which means that SurveyBooker has to have very robust
00:30:27
Speaker
disaster recovery and business continuity plans in place. Take it back into the business setting. The thing that often doesn't get looked at is what about the stuff that people aren't putting into the software as a service solutions? What about the stuff that's actually sitting on desktops, as in laptops, desktop machines?
00:30:49
Speaker
because if those machines blow up, that's a world of pain. And I still, I'm so sorry. See you sweetheart, have a nice day. I was going so well.
00:31:02
Speaker
Might be fun to keep that in. It's that BBC moment, isn't it? I remember working, I used to work at university looking after IT for one of the departments there. I remember one day this guy, he called me up, he said, Andy, my laptop's not working.
00:31:21
Speaker
And so I went over to his office, had a look, and sure enough, this thing was just dead. It absolutely bricked. And I was like, okay, so sorry, it's dead. He said, all my work's on there.
00:31:33
Speaker
I said, no, it's not, we've got the network drive for that. Your work's on there, right? He said, no, no, it was all on my laptop. I was like, well, sucks to be you, fella, I'm sorry. This is dead. I mean, the hard drive had just had enough. And people tend to forget that that can happen, right? That all of that stuff you've been working on can be gone overnight if that's the only place you've

Understanding GDPR

00:31:55
Speaker
got it. So we need to make sure we've got redundancies to bake.
00:32:00
Speaker
That's a key way people lose data. The other is the nasty ways of data breaches and hacks and stuff like that. Breaches tend to be user driven, as in your employees will do something. This is not casting shade on people.
00:32:16
Speaker
I am stupid. I have stupid moments. We all have stupid moments. I'm just going to use that word. One of your employees has done something stupid. They've recognized they've done something stupid, but that's too late now. The horse is bolted. So that's a nasty way. And then the more insidious is we've left a door open or we've left a vulnerability unpatched or something exploitable and some bad actor has exploited that vulnerability and taken data away from us.
00:32:44
Speaker
I'm using lots of words and not even sure I've answered your question. But I think it's an interesting one to think about though because there are challenges with every storage method. So if you are keeping paper records, then really
00:33:00
Speaker
Do you then photocopy everything in case the one location you've stored it in, things get stolen or there's a flood or a fire, then you've lost everything. Because as a surveying firm, once you've done a job, you're meant to keep the records for 15 years for potential claims and all that kind of stuff. Equally, if you put it on a hard drive, like you said, the hard drive can go like a USB stick or an external drive. Or you can put a password onto encrypt it and protect the data. But if you forget the password, you can't get into it. So you've effectively lost it.
00:33:30
Speaker
So then it's yeah, do put it online and then you take backups of what you've put online. So there's different things to think about and risks with each. But yeah, certainly I wouldn't want to store anything on my desktop. No, right. And you're absolutely right. There was an interesting fine issued by the ICO a little while back for a data breach. And you may be familiar GDPR changed the game on what we mean by breach.
00:34:00
Speaker
because they include in that accidental loss or destruction of data. So if you've accidentally lost data or if it's accidentally being destroyed and it shouldn't have been, that's a breach too. And lots of people don't consider that, but this particular fine was for a pharmaceutical, I think a chemist basically, and they'd left some paper data at the back of a warehouse. It had got water damaged and it was unrecoverable and they got fined for that.
00:34:28
Speaker
So coming back to the paper thing, paper data is still a real thing and we do still need to consider it. And like I say, thinking about, well, what is that data? How important is it? If it's just old newspaper clippings, fine, stick it in a box somewhere. If it's really, really important and we can't afford for it to disappear, then fireproof safes and fireproof cabinets and stuff like that, you've got to spend the money.
00:34:57
Speaker
Turns out that's a thing. You've actually got to spend the money to get the right solution. But again, risk driven. What are the chances of it happening? And if it happened, how bad would that be? That should be guiding us. Definitely. I'd like to actually talk about the GDPR aspect because I think, as you say, I think there are a lot of misconceptions as to what it covers or what the principle behind it is.
00:35:24
Speaker
What are the misconceptions around it? Because I think there's sometimes people worry about it too much in the sense of, you know, ICO are going to try and find you for absolutely anything. And actually, it's more of a principle that's there to drive how you treat data. Is that fair to say?
00:35:40
Speaker
Yeah, I think that's a nice description. Okay, so I think perhaps the biggest misconception with GDPR is people believing that it's a bad thing. It's not. It's a really, really good thing. Unfortunately, the way it was sold, you know, they really, they should have got the marketing people involved and they didn't, I think. But essentially, look,
00:36:07
Speaker
Take yourself out of business, what's GDPR about? It's about protecting my data, right? And to stop my data from being abused by other entities, legal people, so companies generally speaking. So to stop another company taking my data and abusing my data and putting me at risk because they're not looking after it properly or because they're treating it wrongly or whatever, right? Long and short of it is I end up suffering.
00:36:35
Speaker
So anything that stops that from happening, that's good news, right? Now, unfortunately, how data works and the value of our personal data is actually quite hard to connect with. And I don't mean this disingenuously or disrespectfully, it is beyond the reach of most people to understand it. So if we ask the question, I'm hoping I don't get in trouble for this, but why is TikTok?
00:37:00
Speaker
bad news. And in fact, if you go and look in the US, they're trying to ban TikTok from being used at all in the US. And one of the reasons they're citing it is because the algorithms that are in place feed you certain types of information, which means it could be used by a state-sponsored actor to start feeding you misinformation, fake news,
00:37:22
Speaker
and stuff that basically is not good and to start influencing how people think. And that over a generation becomes tremendously scary news, right? And we should worry about that. On that note, just quickly to jump in, and I haven't fact checked this, so I'll put that as a caveat. But I was reading that in China for TikTok, if you're below 14, they tend to push you content that is educational and, you know, might be based on
00:37:48
Speaker
science and maths and all this kind of stuff. And of course, in every other country, they're pushing to lead dance videos. So there's obviously a difference in how they're trying to push their own population in terms of, you know, driving intellectually that. So what do we do if a generation down the line, we have incredibly intelligent people in one particular part of the world, and somewhat
00:38:12
Speaker
Good dancers. Yeah, great. Brain numbing stuff. I watch some of my kids watching some of this stuff on, not so much on TikTok, because I've told them not to, but on other platforms, just going, why are you wasting your life on this stuff?
00:38:30
Speaker
Anyway, that's a whole other debate. So back to the GDPR thing. So we want our data protected. And I say because it's beyond the reach of most people to understand that if we do something like that sooner or later, we can start to influence elections and how people vote. And that means democracy is dead. Bad. We said, well, people won't get this. So instead of expecting people to get it, what we're going to do is we're going to put the responsibility for doing things right onto the companies that want to use the data.
00:39:01
Speaker
Now, the problem with doing it that way round, and it's sensible if you think about it, let's go top down rather than bottom up on this. Generally, it's a good approach. The problem with that is that you end up with companies going, oh, well, that's annoying. That's going to cost us money. And then you get people in the companies going, change? I don't like change. And we get stuck in this loop of, oh, GDPR is rubbish. I hate it. No, it's not. It's really good. And we should love it.
00:39:30
Speaker
because of the way it was imposed on us, it got a bad rap. So at its essence, it is about protecting your data from being abused, which ultimately means it's protecting you from suffering consequences because other people couldn't be bothered to do a job right. There you go. That's GDPR in a nutshell. I think it's misunderstood as well from a consumer perspective, because there's a lot of times where someone will shout, that's my rights under GDPR. And you go, well, actually, no.
00:39:59
Speaker
I can't just delete you from our system because I legally need to hold your data because you're a customer of ours, for whatever period, before I can do anything. So yes and no, that's probably not the best example of it, but there are times where a lot of... That's a genuinely good example.
00:40:14
Speaker
Yeah, it is because it's not terribly well understood. And because people have heard this, oh, GDPR, I go, oh, yes, I have rights. You go, well, you do. But it doesn't, data about you isn't necessarily your data. And I know that sounds weird. But there's stuff that I
00:40:34
Speaker
I know about you because I've done work for you. Okay, let's go with this. So I've done work with yourself, Matt, and there's stuff I know about how your business works that I just have in my head. I can't delete that. You don't have rights over this stuff I've managed to collect. Matt's a really great guy. I haven't written that down anywhere. And I'm not paid to say that.
00:40:58
Speaker
But if you ask me to delete your systems and I had somewhere, so this guy called Matt is a great guy and he runs a really cool business. That's information that's valuable to me. It's not necessarily able to identify you, so I don't have to delete that. Understanding what we do and don't have to do, understanding what GDPR is and what it means for your business, it starts with what data are we processing and why. If you've got a lawful basis for processing that information,
00:41:28
Speaker
then sometimes that lawful basis will trump that person's beliefs. Who paid you money? Well, HMRC, turns out this fellow did. This fellow wants to delete their data. Well, HMRC says hang on to it for six plus current years. Go figure.
00:41:49
Speaker
This might be slightly more of a lawyer question, so potentially not one you can answer, but in terms of that GDPR bits and rights, what a lot of surveyors do is they work with estate agents, conveyancers, and so on, and they have a referral relationship. Are there things that
00:42:08
Speaker
need to be considered during that referral process in terms of what consents are needed. And once you receive the data, you become a data controller of that, don't you? You're not then the data processor for the referral partner.
00:42:24
Speaker
Yes, that's right. So understanding where you are controller and where you're processor is really helpful. And so really, really quickly, a data controller, that's the entity that decides what information we're collecting and why. A data processor is processing data on behalf of
00:42:43
Speaker
a data controller. In that scenario, Agent has introduced Surveyor to third-party clients. That is just an introduction. Surveyor isn't processing on behalf of the Agent. It's just in the introduction. However, the Agent should be
00:43:04
Speaker
asking me, can I pass your data on to Surveyor? And to begin with, that Surveyor can start processing. If I say yes, right, I've given consent for the introduction, the Surveyor can start
00:43:19
Speaker
using my information on the grounds of legitimate interest, because apparently I've expressed an interest via this agent. They believe I'm interested in hearing what they have to say. So this is a sensible transaction, right? So legitimate interest is quite a tricky one. It's a good one, but it's tricky and often abused. Legitimate interest only works where we can balance our interests. So I'm interested in processing your data, but probably you are interested in me processing your data too.
00:43:48
Speaker
Right. So that's balanced or there's an obvious and reasonable imbalance like you owe me money. And until you paid me that money, I'm not going to remove your data on the grounds of legitimate interest. I have an overwhelming legitimate interest in processing your data. Right. So, yes, on that basis, that introduction thing can work. But like I say, the agents ought to be asking my permission before they pass my data to a third party.
00:44:15
Speaker
Also, that's good to know and it helps clarify and I suppose we'll just put in a caveat that it's not legal advice. It's not legal advice. It's pretty robust advice, but it's not legal advice. Perfect, always good timing though. I suppose that's just on that. Sorry Matt, really quickly as a thought. One of the difficulties with data protection
00:44:37
Speaker
And I'm going to upset some people and I don't mean to upset people here and feel free to take this out of the podcast if you think it's too controversial. One of the challenges for legal entities being involved in data protection is they start from how do I protect the client? And the key to data protection is how do I protect the individual?
00:45:01
Speaker
So we have to start with recognising that GDPR and data protection is all about protecting the rights and freedoms of the individual, not the legal entity that is wanting to process their

Legal Aspects and Employee Training

00:45:12
Speaker
data. If we can start from that perspective, actually it changes our thinking on what we're trying to do with information because we go, hang on a minute, is this actually in the interest of this person or am I
00:45:24
Speaker
Do I have a good reason why it's not in their interest? They don't understand that it's in their interest. They can't, so I'm going to have to do it anyway, like legal protection or something like that.
00:45:34
Speaker
But if we start from the premise of how do I protect the data subjects rather than how to protect my business, we'll end up with a much, much better outcome. And as I say, the danger of asking solicitors to get involved and say, can you help us with our privacy policy or with our records of processing activities that you might be obliged to do, that kind of stuff, is that they will start with, well, okay, so business, we need to protect you. So no, no, no, you need to protect my data subjects.
00:46:04
Speaker
There you go. That was my little rant. I'll stop now. It's good to have different perspectives on things because obviously if you're someone that doesn't deal with data and security and all that kind of stuff every day, then it's not something you necessarily have different perspectives on and viewpoints. I suppose there's a final question.
00:46:30
Speaker
Whether you're starting out or you're a smaller firm and you're looking to grow, what are the best areas to focus on? From say within the ISO 27001 framework, would it be just things like general systems and data security, whether it's how you do your passwords and stuff, and maybe your training and onboarding and off-boarding of people, would they be the best areas to focus on? Or are there other bits that you think would be that this sort of
00:46:58
Speaker
You know, the best wins you can get as a small firm. Yeah, okay. That's a really tricky question. So I'll go in fight slash debate in my industry about, you know, are your employees, are they your first or last line of defense from nasty things? And the sensible answer to that question is yes.
00:47:21
Speaker
Yes, they are. If one of my users has opened up a phishing email, clicked on the link and is about to put their login details into a phishing website, then in that moment, they are the last line of defense. Everything, all of my technical controls up to that point have failed. It's now down to them. Are they going to put their data in to a malicious website?
00:47:45
Speaker
We can flip that the other way round as well and say, well, they have got to this point. Now it's up to them. If they fail as the first line of defense, all of my technical controls are now coming into play to try and protect me from the mistake they've made.
00:48:01
Speaker
So yes, they are first and last line of defense. Both things are true. So training our staff to understand cyber risk. And again, we've got to start with why, not how. If they understand why good passwords are important, they're more likely to use good passwords. If they understand why they don't have access to things that they don't need access to, turns out that's a bad idea and they can put themselves at risk.
00:48:27
Speaker
then they're more likely to leave that kind of stuff alone and not try and access it. There's some good educational stuff that we can get into our team that will help if we can raise awareness, raise understanding, and just literally lift the bar on what security looks like within the business. That will absolutely help us. Then I'd say,
00:48:47
Speaker
Again, come back to being lazy: automate everywhere, spend a bit of money in getting good automation tools in place that will do some of the heavy lifting for you and provide you with visibility and assurance that things are working the way they're supposed to. Those would be my two things. Yeah, I think they're good points because you read a lot that, you know, a breach or something going wrong is down to human error rather than
00:49:16
Speaker
a system. Systems do make mistakes, absolutely. But a lot of it is down to human error. And so if you say putting something into the wrong site, or deleting the wrong thing, whatever it might be, one of those things around automation is you might not want to pay into you go, okay, I'll manually be back up each week or day or whatever you want to do.
00:49:33
Speaker
and move stuff on my desktop to the cloud or whatever it might be. The reality is you get so busy that before you realize it, three weeks or four weeks have gone past and you've left it and then suddenly something does happen and you've lost everything. So automation protects you a lot more because it's definitely happening.

Efficiency Through Automation

00:49:51
Speaker
And it's just one less thing to think about when you've got so many other things to do within a business. Yeah, right. And it is a common
00:50:00
Speaker
mistake, and I am absolutely certain I'm guilty of it myself, is that particularly in small businesses, we get very busy doing stuff. And a lot of it is stuff that probably we don't need to or shouldn't be doing. We could pay a bit of money for someone to automate that. And actually, me not having to do that means I can earn more money, like way more money doing it. I used to, we have some wood burning stoves.
00:50:28
Speaker
And I used to go out and salvage wood and bring it home and chop it all up and everything. And part of it in my head at the time, this was going back quite a while now, in my head at the time was I'm saving money. And then I started adding up how much time I was spending collecting the wood and chopping it all up and splitting it and stacking it and stuff like that. I thought, I am not saving money here. This is costing me a fortune. If I was doing the work, I could have bought that 20 times over
00:50:57
Speaker
instead of having to go and chop it. And we spend time and effort in the wrong areas.

Contact Information

00:51:02
Speaker
So spend some money automating where you can to do the heavy lifting for you so you can focus your time on the more productive stuff that actually earns you money. That's a fair point, which is you don't realize how much time you're wasting on things until you start writing it out and going, actually, I've lost two hours today on Pointless Admin because they're doing all these different things and now I could have spoken to 20 more customers or whatever it would have been. Yes.
00:51:26
Speaker
Yeah, thank you for coming on today. If anyone wants to get in touch to learn more about whether it's ISO 27001 or just general things they can potentially do within their businesses, how do they get in touch?
00:51:41
Speaker
Yeah, cool. So if you want to get in touch with me, that'd be great. You can email me at Andy at ADL, so Alpha Delta Lima Consulting, all one word, ADLconsulting.co.uk. Just ping me an email. Say you heard me from Matt and it'll be great to talk to you. Nice. I'll speak again soon. All right. Matt, it's been a pleasure. Thanks for having me.