IT spend a concern? These ideas may help…

Embrace Change

The world is changing rapidly and keeping up with the newest technological advancements will give you options to lower IT expenditure.
Some strategies you could adopt include:
  • Removing manual processes – first identify where your staff could potentially improve, then research methods to decrease paperwork and automate processes.
  • Implementing cloud computing – it can be cheaper to store information, do your accounts, and run a content management system online.
  • Communicate with your staff, suppliers and customers over the Internet at lower cost or even no cost.
  • Allow flexible work hours – depending on your type of business, you may be able to let your staff work when they prefer, and even from home.

Look to the Cloud

Moving data and applications to the cloud will save you money. According to data, from market research firm Gartner, companies who use cloud technology save over 15% on IT procurement and more than 16% on IT maintenance costs. Additionally, those businesses discovered that adopting the cloud fuelled growth and efficiency.
Software-as-a-Service (SaaS) is a good example of the cloud at its best. This is where, rather than owning the software outright, you pay a monthly fee to use the software for as long as you need. Platforms such as Microsoft’s Office 365 allow you to use Office products; for example on a pay as you use basis. You can add or remove users as you wish, plus you get the latest versions at no extra cost.
Smaller businesses may want to consider investing in a cloud server instead of having a physical server on their site. Like SAAS above, customers pay as they use and can increase or decrease resources accordingly.

If all fails…HaaS

Hardware-as-a-service (HaaS) is a procurement model that is similar to leasing or licensing.
In the hardware-as-a-service model, hardware that belongs to a HaaS service provider (HSP) is installed at a customer’s site and a service level agreement (SLA) defines the responsibilities of both parties. Sometimes the client pays a monthly fee for using the hardware; sometimes its use is incorporated into the HSP’s fee structure for installing, monitoring and maintaining the hardware. Either way, if the hardware breaks down or becomes outdated, the HSP is responsible for decommissioning it and replacing it. Depending upon the terms of the SLA, decommissioning may include wiping proprietary data, physically destroying hard drives and certifying that old equipment has been recycled legally.
The HaaS model can be a cost-effective way for small or mid-sized businesses to provide employees with state-of-the-art hardware in a cost-effective manner. Our lead article in next month’s newsletter will be all about Hardware-as-a-service and we will also look at our own Haas offering. 

5 Easy Ways To Disaster Proof Your Business

1. Connect to the Office from Wherever You Are

Our engineers could connect to Supreme and access office tools and files using VPN which stands for Virtual Private Network. We won’t bore you with too much technical information, but a VPN provides a connection via the Internet between a remote PC and your office’s server. It’s like taking a network cable at your office and walking home with it, pulling it through the streets, and plugging it into your laptop when you get home. When you want to access the office server from a remote location, VPN software on your laptop establishes a secure point-to-point tunnel through the Internet with your office to access your data.

There are other remote access tools that allow you to do the same thing. Teamviewer and Logmein are great alternatives but speak to our Service Delivery Team (SDT) about which tool would be suitable for you.

2. Receive & Make Landline Calls Like You Were in the Office

We are massive fans of VOIP. Not only is VOIP so much cheaper than traditional landlines, it is also very portable. Using Supreme as an example, all team members have our VOIP application on their laptops and on their mobile phones so users working from home could continue making and receiving calls as if they were in the office.

3. Get a WPRS

What if the disaster stops you from using the office at all? This happened to a client recently who suffered flooding at their offices. They were unable to use the office for three weeks so staff were moved to a temporary Work Place Recovery Site (WPRS). Typically, a WPRS would be a replica of your main office which will allow for core services to continue.

Maintaining a dedicated WPRS may prove quite expensive so consider sharing a WPRS site with other businesses or even coming to an agreement with serviced office providers. Many will provide office space and internet connectivity at short notice and for flexile terms.

4. Collaborate and Meet Online

If getting a WPRS is not an option, do consider meeting online. Great applications such as Skype for Business or Google+ Hangouts allow you and your team to make conference calls, have online meetings and collaborate remotely on projects.

5. Get a DR solution

We are massive advocates of having a robust DR solution – which goes further than a standard data backup. A good DR solution in our opinion is “insurance” for your critical IT systems and should provide as a minimum, bare metal recovery (i.e. everything restored “as is”) with a range of restore points. Our DR solution 999RESTORE does all this plus provides customers with a loan server if anything were to happen to their server. Find out more about our DR services here or give Julian a call on 0121 309 0126.


“I must, I must, I must improve IT!” – Top 5 New IT Considerations

1. Get going with GDPR

On 25 May 2018 most processing of personal data by organisations will have to comply with the General Data Protection Regulation (GDPR). Currently, the UK relies on the Data Protection Act 1998, which was enacted following the 1995 EU Data Protection Directive, but this will be superseded by the new legislation. It introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.

Our account managers will be talking to all customers about their GDPR preparations but you can find out more from the Information Commissioner’s Office.

2. Reinforce your Human Firewall

FACT: The cyber thieves are getting smarter at finding ways to steal your information. However it seems like the smarter they get they more complacent we seem to become. When it comes to cyber security there is simply no room for complacency. Hardware and software protection such as Supreme Systems’ ANPS service can only go so far in protecting your IT environment. It is also essential that we all have processes in place that govern the human element in the fight against cyber crime. Our cyber crime seminars have been well received in terms of highlighting some common dos and don’ts. We are looking at more ways to help you reinforce the “human firewall” so watch this space!

3. If all fails…DR?

A recent Gartner survey showed that over 50% of UK businesses have no provision for Disaster Recovery. Statistics such as this are puzzling particularly as most businesses understand the importance of protecting against the unexpected. We all have insurance to protect our buildings, contents, employees and the work we do so why not get protection for your IT systems?

Disaster Recovery in our opinion is “insurance” for your IT, in fact most insurance companies that provide cyber security cover will insist on some sort of disaster recovery plan and system that safeguards your business critical systems. Our DR solution provides a complete bare metal restore (i.e. everything restored “as is”) with a range of restore points. To find out more give Julian a call on 0121 309 0126 for more information.

4. Switch to VOIP and save, save, save!

VOIP has come a long way since the dark days of poor call quality, yet take up in the UK is still not to the levels seen in America. Which is surprising considering businesses stand to save up to 60% on call costs. We are fans of VOIP ourselves and as a 3CX partner we are able to recommend one of the best VOIP solutions in the industry. To find out more give Julian a call on 0121 309 0126 for more information.

5. Time for an upgrade?

Manufacturers recommend a refresh cycle of every 3 – 5 years but not all businesses adhere to this. We have seen 10 year old PCs and servers, bought 15 years ago, that are still in production and these will no doubt cause productivity bottlenecks. We understand that upgrades can be costly so why not spread the cost with HAAS?

HAAS stands for Hardware As A Service and it allows businesses to lease IT Hardware perpetually. It is great for businesses as it reduces capital expenditure and affords for better IT budgeting. Next month our newsletter will focus on the benefits of HAAS but get in touch now if you would like to know more.

12 Steps to Preparing for GDPR

1 . Awareness

You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR. It would be useful to start by looking at your organisation’s risk register, if you have one.

Implementing the GDPR could have significant resource implications, especially for larger and more complex organisations. You should particularly use the first part of the GDPR’s two-year lead-in period to raise awareness of the changes that are coming. You may find compliance difficult if you leave your preparations until the last minute.

2. Information you hold

You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit, across the organisation, or within business areas.

The GDPR updates rights for a networked world. For example, if you have inaccurate personal data and have shared this with another organisation, you must tell the other organisation about the inaccuracy so it can correct its own records. You won’t be able to do this unless you know what personal data you hold, where it came from and who you share it with. You should document this as doing so will also help you to comply with the GDPR’s accountability principle, which requires organisations to be able to show how they comply with the data protection principles, for example by having effective policies and procedures in place.

3. Communicating privacy information

You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. When you collect personal data you currently must give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice.

Under the GDPR there are some additional things you must tell people. For example, you will need to explain your legal basis for processing the data, your data retention periods and that individuals have a right to complain to the Information Commissioner’s Office if they think there is a problem with the way you are handling their data.

Note that the GDPR requires the information to be provided in concise, easy to understand and clear language. The Information Commissioner’s Office’s privacy notices code of practice reflects the new requirements of the GDPR.

4. Individuals’ rights

You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. The main rights for individuals under the GDPR will be:
• subject access
• to have inaccuracies corrected
• to have information erased
• to prevent direct marketing
• to prevent automated decision-making and profiling, and • data portability.

Overall, the rights individuals will enjoy under the GDPR are the same as those under the Data Protection Act but with some significant enhancements. If you are geared up to give individuals their rights now, then the transition to the GDPR should be relatively easy.

This is a good time to check your procedures and to work out how you would react if someone asks to have their personal data deleted, for example. Would your systems help you to locate and delete the data? Who will make the decisions about deletion?

The right to data portability is new. This is an enhanced form of subject access where you must provide the data electronically and in a commonly used format. Many organisations will already provide the data in this way, but if you use paper print-outs or an unusual electronic format, now is a good time to revise your procedures and make any necessary changes.

5. Subject access requests

You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information. The rules for dealing with subject access requests will change under the GDPR. In most cases, you will not be able to charge for complying with a request and normally you will have just a month to comply, rather than the current 40 days. There will be different grounds for refusing to comply with subject access request – manifestly unfounded or excessive requests can be charged for or refused. If you want to refuse a request, you will need to have policies and procedures in place to demonstrate why the request meets these criteria. You will also need to provide some additional information to people making requests, such as your data retention periods and the right to have inaccurate data corrected.

If your organisation handles many access requests, the impact of the changes could be considerable so the logistical implications of having to deal with requests more quickly and provide additional information will need thinking through carefully. It could ultimately save your organisation a great deal of administrative cost if you can develop systems that allow people to access their information easily online. Organisations should consider conducting a cost/benefit analysis of providing online access.

6. Legal bases for processing personal data

You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it. Many organisations will not have thought about their legal basis for processing personal data.

Under the current law this does not have many practical implications. However, this will be different under the GDPR because some individuals’ rights will be modified depending on your legal basis for processing their personal data. The most obvious example is that people will have a stronger right to have their data deleted where you use consent as your legal basis for processing. You will also have to explain your legal basis for processing personal data in your privacy notice and when you answer a subject access request. The legal bases in the GDPR are broadly the same as those in the Data Protection Act so it should be possible to look at the various types of data processing you carry out and to identify your legal basis for doing so. Again, you should document this to help you comply with the GDPR’s ‘accountability’ requirements.

7. Consent

You should review how you are seeking, obtaining and recording consent and whether you need to make any changes. Like the DPA, the GDPR has references to both ‘consent’ and ‘explicit consent’. The difference between the two is not clear given that both forms of consent must be freely given, specific, informed and unambiguous. Consent also must be a positive indication of agreement to personal data being processed – it cannot be inferred from silence, pre-ticked boxes or inactivity.

If you rely on individuals’ consent to process their data, make sure it will meet the standards required by the GDPR. If not, alter your consent mechanisms or find an alternative to consent. Note that consent must be verifiable and that individuals generally have stronger rights where you rely on consent to process their data.

The GDPR is clear that controllers must be able to demonstrate that consent was given. You should therefore review the systems you have for recording consent to ensure you have an effective audit trail.

8. Children

You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.

For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. In short, if your organisation collects information about children – in the UK this will probably be defined as anyone under 13 – then you will need a parent or guardian’s consent to process their personal data lawfully. This could have significant implications if your organisation aims services at children and collects their personal data.

Remember that consent must be verifiable and that when collecting children’s data your privacy notice must be written in language that children will understand.

9. Data breaches

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. Some organisations are already required to notify the Information Commissioner’s Office (and possibly some other bodies) when they suffer a personal data breach.

However, the GDPR will bring in a breach notification duty across the board. This will be new to many organisations. Not all breaches must be notified to the Information Commissioner’s Office – only ones where the individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach.

You should start now to make sure you have the right procedures in place to detect, report and investigate a personal data breach. This could involve assessing the types of data you hold and documenting which ones would fall within the notification requirement if there was a breach. In some cases, you must notify the individuals whose data has been subject to the breach directly, for example where the breach might leave them open to financial loss.

Larger organisations will need to develop policies and procedures for managing data breaches – whether at a central or local level. Note that a failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.

10. Data Protection by Design and Data Protection Impact Assessments

You should familiarise yourself now with the guidance the Information Commissioner’s Office has produced on Privacy Impact Assessments (PIAs) and work out how to implement them in your organisation. This guidance shows how PIAs can link to other organisational processes such as risk management and project management. You should start to assess the situations where it will be necessary to conduct a DPIA. Who will do it? Who else needs to be involved? Will the process be run centrally or locally? It has always been good practice to adopt a privacy by design approach and to carry out a privacy impact assessment as part of this. A privacy by design and data minimisation approach has always been an implicit requirement of the data protection principles. However, the GDPR will make this an express legal requirement.

Note that you do not always have to carry out a PIA – a PIA is required in high-risk situations, for example where a new technology is being deployed or where a profiling operation is likely to significantly affect individuals. Note that where a PIA (or DPIA as the GDPR terms it) indicates high risk data processing, you will be required to consult the ICO to seek its opinion as to whether the processing operation complies with the GDPR.

11. Data Protection Officers

You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. The GDPR will require some organisations to designate a Data Protection Officer (DPO), for example public authorities or ones whose activities involve the regular and systematic monitoring of data subjects on a large scale. The important thing is to make sure that someone in your organisation, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to do so effectively.

Therefore, you should consider now whether you will be required to designate a DPO and, if so, to assess whether your current approach to data protection compliance will meet the GDPR’s requirements.

12. International

If your organisation operates internationally, you should determine which data protection supervisory authority you come under. The GDPR contains quite complex arrangements for working out which data protection supervisory authority takes the lead when investigating a complaint with an international aspect, for example where a data processing operation affects people in several Member States.

Put simply, the lead authority is determined per where your organisation has its main administration or where decisions about data processing are made. In a traditional headquarters (branches model), this is easy to determine. It is more difficult for complex, multi-site companies where decisions about different processing activities are taken in different places. In case of uncertainty over which supervisory authority is the lead for your organisation, it would be helpful for you to map out where your organisation makes its most significant decisions about data processing. This will help to determine your ‘main establishment’ and therefore your lead supervisory authority.


2017 IT Resolutions

1.       Do Some IT Housekeeping.
March is traditionally the time for a good spring clean and this should also apply to business as well! Organise a clear out of defunct machines, tidy up your server room do away with unruly cables. Get labelling and…
2.       …create an asset register.
This way you know what IT assets you have avoiding any unnecessary expenditure in the future. An asset register also ensures that you can better prepare for future investment in IT (refresh cycles).  We maintain asset registers on behalf of all our clients, if you need help creating your own asset register there are some great software that will help you do this automatically such as this one
3.       Start thinking ahead and plan for the future.
Many businesses already know what their short, mid and long term goals are, so ensure IT is aligned by having an IT Strategy. Do a Google search, you will find some great templates.
4.       Think of the environment and Go Green!
There are so many ways in which you can adopt a Green IT ethos into your business. Looking to The Cloud is one way to achieve your green credentials. Cloud Computing can mean so many different things (hosted server, hosted mails, hosted applications). Throughout 2017, we will be extolling the virtues of The Cloud and showing you ways in which your business can benefit from it.
5.       Reduce Your Phone Bill…with VOIP.
VOIP stands for Voice Over IP and it basically means making calls using the internet. Although it’s take up is growing, the use of VOIP still has not reached the levels as seen in America for example. Which is surprising given how much money you can save over standard PSTN. We will be discussing VOIP as part of our Cloud Computing series so watch this space…
6.       Are You Secure?
Along with the IT Housekeeping how about organising a Security Audit? Good IT security is essential in these times so audit your IT environment to plug any gaps in your security. See our guide here for some tips
7.       Get Smart, Get DR!
There we go again sounding like a broken record but…having a good DR solution is the most important resolution you can make this year. Look for something that ensures that you are back up and running in the shortest time possible. Our 999RESTORE service is a great DR solution if you are looking. We guarantee a 1hr Return Time of Service (how much time you are down for) and a 1hr Return Point of Service (how much data max you will lose). Find out more here

Are We Secure?

This is without doubt the question we get asked most by our clients – and it demonstrates that security is upper most on their minds. Our answer is always yes…although there is no such thing as 100% security (be weary of companies that promise you 100% security). The dark types as we like to call them are a clever bunch and constantly develop sophisticated ways to bypass even the most robust security.
What we advocate is a layered approach to security and this simply means employing a number of precautionary measures to tackle the problem. The central idea behind layered security is the belief that the most effective way to protect IT systems from a broad range of attacks is by employing an array of counteracting strategies. Layered security efforts attempt to address problems with different kinds of hacking or phishing, denial of service attacks and other cyber attacks, as well as worms, viruses, malware and other kinds of more passive or indirect system invasions.
Our mantra at Supreme is Reduce, Remove, Secure. Some of the strategies we employ include:
1.       Physical Security –  seems like an obvious one but it is amazing how many businesses still take this for granted! Physical security is an important layer in any layered approach. Guards, gates, locks and key cards all help keep people away from systems that they shouldn’t touch or alter.
2.       Network Security – A key layer, good network security measures should include firewalls, intrusion detection and prevention systems (IDS/IPS), and general networking equipment such as switches and routers configured with their security features enabled. Establish trust domains for security access and smaller local area networks (LANs) to shape and manage network traffic. Manufacturing companies may consider having a demilitarised zone between the industrial plant floor or space and the IT and corporate offices allowing data and services to be shared securely.
3.       Computer Hardening – Well known (and published) software vulnerabilities are the number one way that intruders gain access to automation systems. Examples of Computer Hardening include the use of:
  • Antivirus software – Best of breed only. The top AV vendors have invested greatly to ensure that they can respond to the latest attacks.
  • Application white-listing
  • Host intrusion-detection systems (HIDS) and other endpoint security solutions
  • Removal of unused applications, protocols and services
  • Closing unnecessary ports
4.       Access Controls – An important layer, access controls give organisation the ability to control, restrict, monitor, and protect resource availability, integrity and confidentiality. Some measures may include force username/password logins, password frequency change / combinations, disabling local admin permissions etc.
5.       The Human Layer – By far the most important precautionary layer because as we mentioned above there is no such thing as 100% security so constant user vigilance is key. The best antivirus software in the world will not prevent a user from clicking on a link within a malicious email
Absolute security may not be within reach however businesses effectively tackle the risks posed by these threats by following good practices.

To coincide with the Government’s £1.9bn cyber-security initiative, Supreme Systems are offering a Free IT Security Audit for any West Midlands company that registers an interest in November! To discuss your security needs please contact Julian Brettle on

0121 309 0126 

10 things to consider when thinking about Disaster Recovery

1. Have a plan

Many organisations do not have a DR plan, or their plan is outdated. Keep it fresh. New applications are constantly deployed, and storage is growing by 50% per year on average. Be sure your plan keeps pace with business needs.

2. Test the plan
Your DR plan should be tested at least once a year. If you’re really serious about testing, try locking your workers out of the building and say ‘go’. Yes, this may be extreme, but this will ensure they know what to do if a disaster really strikes…
3. Decide what is important
You should identify what applications are vital and how long it will take to recover them. This will allow you to prioritise your recovery efforts and also help you identify what level of data protection your business requires for each application. It’s important to understand that not all applications have equal recovery requirements.
4. Recovery point?

Decide how much data you can afford to lose in the event of local (e.g., server/storage) and/or site failure. A couple of hours? Last night? Weekly? Then architect your plan accordingly.

5. Recovery time?
It’s also important to understand how soon your business critical applications must be back online after a failure before it starts to impact your business seriously? So how long before it starts to hurt…minutes? hours? Days? This information (as well as point 4 above) will help you choose the right DR solution for your business.
6. Disk-based snapshots to protect against Ransomware

Not all disasters are physical. Ransomware is becoming increasingly common (usually costing between £200 and £5,000) and can impact users and systems. Schedule frequent snapshots of your data, enabling granular file, folder, share recovery, to combat these attacks.

7. Keep real-time copies of your data

Data storage redundancy is your friend and can prevent hardware failure from becoming a disaster recovery situation at all.

8. “Deduplication” and “compression”- Tools for efficiency

When replicating storage, look to utilise bandwidth efficiently as this will directly affect your time for recovery. Deduplication and compression technologies are key to achieving this.

9. Encryption in flight
Take extra security precautions by utilising encryption. Even if you’re using private networks, prying eyes may be watching you.
10. Company image and reputation

Companies don’t expect to declare a disaster. If they do, protecting the company’s image is just as important as getting the information back online. If disaster strikes be honest with customers about the impact. Brand loyalty is extremely hard to rebuild. Many companies don’t recover from disasters.

Reducing Cyber Risk – User Education and Awareness

Reducing Cyber Risk – User Education and Awareness

Unfortunately, the use of a business’s IT by its users brings with it various risks. As such it is essential for all staff to be aware of their personal security responsibilities and the need to also comply with corporate security policies.

This can be achieved through regular security training and awareness programmes designed to increase the levels of security expertise and knowledge across the organisation as well as developing a security-conscious culture. 

What is the risk?

Organisations that do not produce user security policies or train their users in good

security practices will be vulnerable to many of the following risks:

  • Unacceptable use
    Without a clear policy on what is considered to be acceptable, certain actions by users may contravene good security practice and could lead to the compromise of personal or sensitive commercial information that could result in legal or regulatory sanctions and reputational damage
  • Removable media and personally owned devices
    Unless it is clearly set out in policy and regularly communicated, staff may consider it acceptable to use their own removable media or connect their personal devices to the corporate infrastructure. This could potentially lead to the import of malware and the compromise of personal or sensitive commercial information
  • Legal and regulatory sanction
    If users are not aware of any special handling or the reporting requirements for particular classes of sensitive information the organisation may be subject to legal and regulatory sanctions
  • Incident reporting
    If users do not report incidents promptly the impact of any incident could be compounded
  • Security Operating Procedures
    If users are not trained in the secure use of their organisation’s ICT systems or the functions of a security control, they may accidentally misuse the system, potentially compromising a security control and the confidentiality, integrity and availability of the information held on the system
  • External attack
    Users remain the weakest link in the security chain and they will always be a primary focus for a range of attacks (phishing, social engineering, etc.) because, when compared to a technical attack, there is a greater likelihood of success and the attacks are cheaper to mount. In many instances, a successful attack only requires one user to divulge a logon credential or open an email with malicious content
  • Insider threat
    A significant change in an employee’s personal situation could make them vulnerable to coercion and they may release personal or sensitive commercial information to others. Dissatisfied users may try to abuse their system level privileges or coerce other users, to gain access to information or systems to which they are not authorised. Equally, they may attempt to steal or physically deface computer resources


How can the risk be managed?

  1. Promote an incident reporting culture
    The organisation should enable a security culture that empowers staff to voice their concerns about poor security practices and security incidents to senior managers, without fear of recrimination.
  2. Support the formal assessment of Information Assurance (IA) skills
    Staff in security roles should be encouraged to develop and formally validate their IA skills through enrolment on a recognised certification scheme for IA Professionals. Some security related roles such as system administrators, incident management team members and forensic investigators will require specialist training.
  3. Establish a staff induction process
    New users (including contractors and third party users) should be made aware of their personal responsibility to comply with the corporate security policies as part of the induction process. The terms and conditions for their employment (contracts for contractors and third party users) must be formally acknowledged and retained to support any subsequent disciplinary action. Ideally, the initial user registration process should also be linked to the organisation’s technical access controls.
  4. Produce a user security policy
    The organisation should develop and produce a user security policy (as part of their overarching corporate security policy) that covers acceptable use. Security procedures for all ICT systems should be produced that are appropriate and relevant to all business roles and processes.
  5. Maintain user awareness of the cyber risks faced by the organisation
    Without exception, all users should receive regular refresher training on the cyber risks to the organisation and to them as both employees and individuals.
  6. Monitor the effectiveness of security training
    Establish mechanisms to test the effectiveness and value of the security training provided to all staff. This should be done through formal feedback and potentially by including questions in the staff survey on security training and the organisation’s security culture. Those areas that regularly feature in security reports or achieve the lowest feedback ratings should be targeted for remedial action.
  7. Establish a formal disciplinary process
    All staff should be made aware that any abuse of the organisation’s security policies will result in disciplinary action being taken against them.

Our top tips to better business security

  1. Managing user privileges – Some of you might say, “Why do we need to prevent colleagues from accessing certain areas on the systems or internet?” Well… If an important file gets corrupted or deleted by accident, it can cause a huge dilemma in the office! Managing user privileges stops your colleagues from accessing certain files on a computer, such as not being able to get into the programme files that could cause serious damage to a computer they are using or even a server! This won’t prevent anyone at the office from being able to work, however It will only prevent the worst from happening.
  2. Malware Prevention –Malicious Software are hidden files that latch onto a computer or system and infect it with a Virus, Trojan, Ransomware etc. Malicious Software has many ways of getting on to your system and you want to contain viruses before they reach the core of your infrastructure. So how can we barricade computers getting viruses? We recommend that every computer has Anti-Virus software installed, such as MacAfee or our Managed Antivirus services to prevent your system from being in harm’s way.
  3. Monitoring Systems – If there is a document that is highly valued to the business and if someone were to get a copy of this file it could potentially put the business at risk, what impact do you think it could have? Money Loss, Downtime, you name it. It can happen if nothing is being monitored. So, how would one cease this from happening? Monitoring Systems allow you to see where files have been transferred and who has transferred them, and can also block users if they are doing something that is against the rules. This will give you the upper hand if you have noticed files being deleted or a security issue that keeps occurring.
  4. Disaster Recovery and backups – Files can always be lost, but it’s how it is recovered and how long it takes that makes the issue important. In some cases, I have seen Businesses lose all of their data and have no way of recovering it, which then causes a major downtime that leads to loss of money or even closure. We all know that work keeps the food on the table and roof over your head and we want to make sure that no one is affect by data loss or any significant issues caused by Cyber Attacks or Downtime.
  5. Educating Colleagues – I know you’ve probably heard this over and over, but educating users on how to use a computer correctly can prevent security threats from happening. From Social Media sites to Websites, these can cause security breaches within businesses. As Social Media sites grow every year threats occur more often and can be a large issue if used within a business environment. Attackers have set up accounts where they will either obtain email address or social media profile and then send an attachment which contains a virus. Without knowing the process, the hackers can carry out deploying viruses on computers so that they become vulnerable to a devastating attack.


This article has been shared from the UK governments Centre for the Protection of National Infrastructure (CPNI) – the website is full of advice as to how businesses can better prepare for a disaster. Find out more at

Response pack

Article Summary

A Response pack should include key documents and items that may be needed by those who will manage the incident room or work with the emergency services. Example contents are set out below, however these lists are not exhaustive and other items should be added as required.


Business Continuity Plan and Communications Plans
Contact details for nominated response staff, plus list of all employees, their home and mobile numbers
Emergency services contact details
Details of any local utility companies, emergency glaziers, salvage organisations,building contractors, local authority contingency planners Building plans, including the location of gas, electricity and water shut off points and heating and ventilation controls. Also, any protected areas where staff will be sheltered.
A recent stock and equipment inventory
Financial and banking information
Product lists and specifications


Stand-alone laptop computer, compatible with the local network
USB memory sticks or flash drives
Spare keys/security codes
Torch and spare batteries
Hazard and cordon tape
Small cash resource
Card and marker pens for temporary signs and other stationery (pens, paper, etc)
Mobile telephone with charger and appropriate credit