Episode 10: Identifying and mitigating risks in your business with Andy Larkum, ADL Consulting

This week we speak with Andy Larkum, a consultant and owner of ADL Consulting, who helps companies achieve ISO 27001 certification and is an external auditor for BSI.

In this episode, we discuss:

✅ What is ISO 27001?!
✅ The foundations of ISO 27001: Confidentiality, Integrity, Availability and what in your business could affect these
✅ Understanding risks to your business and putting your efforts in the right places
✅ When is the right time to put good business policies and processes in place
✅ The importance of why before the how
✅ What constitutes a data breach – it’s not just data theft
✅ The misconceptions around GDPR

Transcript

This text is autogenerated

Andy Larkum  00:00

Again, drive it by risk, right this supplier? What are the chances they’re going to go wrong? And if it goes wrong, how bad is that going to be for me, that will give you a nice risk score. And based on the risk score, you can decide whether or not you need to do further work to understand how scary they are.

Matt Nally  00:18

Welcome to the Survey Booker sessions. Tune in to hear from people working in a range of industries and roles to provide you ideas that you can take away and use in your own business. I’m your host, Matt Nally, the founder and director of Survey Booker, which is the leading CRM and survey management system for surveyors. So on today’s episode, we’ve got Andy Larkum from ADL Consulting. So thanks for coming on today.

Andy Larkum  00:38

Thanks for having me.

Matt Nally  00:40

Do you want to start by giving us a bit of an overview of what you do in terms of ADL Consulting?

Andy Larkum  00:46

Sure, that’s fine. So, at ADL Consulting, we are specialist ISO 27001 consultants. So essentially, we help companies achieve all the requirements for ISO 27001. So they can get that badge. So I guess we’ll talk a bit more about what 27001 is later. So I won’t bore you with that right now. But that’s the mainstay, and because of that, there’s a lot of information security and data protection stuff wrapped up in there. So we also get involved in GDPR. Helping companies understand what that is and what they need to do about it, too. That’s it in a nutshell.

Matt Nally  01:23

And that’s actually very much why I wanted to get you on: to look at how civilian businesses might be able to improve their information security perspective, and things that people might not think about, and what the reality is around GDPR, and all that kind of stuff. So it might be a good place to start actually then with what is ISO 27001. To get rid of the jargon side of it.

Andy Larkum  01:44

Okay, cool. So, ISO is the international standards organization. So essentially, they are internationally recognized standards, that’s quite key. And 27001 is their information security standard. And I think it’s fairly safe to say that in the information security world, 27,000 is kind of held up as the gold standard. It’s a big old piece of work. It’s a big standard, because you’ve had a lot of work to do, but essentially, it’s a framework for helping companies understand the risks that they’re facing to their information security, and to figure out what they should be doing to protect themselves from those risks. It’s an awesome tool for helping businesses operate securely, but if it’s done badly, it’s terrible. So don’t do it badly.

Matt Nally  02:39

I think it’s surprising when you go through all the different sorts of aspects of 27001. And realizing how much there is that can affect the business, in terms of, information security, whether it’s how you’re backing up data, whether it’s your people in how you’re training them, or when they leave, there’s so many aspects that we’ll come on to what are the core aspects of 27001. So I think there are three pillars on the CIA, what are those different parts?

Andy Larkum  03:13

Sure. You’re right, foundational concepts in information security, CIA confidentiality, integrity, and availability. So what do those three things stand for? And essentially, what we’re trying to do is say, Look, within your business, what are the things that are likely to affect the confidentiality, integrity and availability of your information? So right at the heart of 27001, is this concept of risk. And we should do everything driven by an understanding of risk. So, if we said, for example, that we are concerned that somebody, one of our employees might download our client database and take it to a competitor, that is a risk to the business. And so what we should do is think about, well, firstly, if that happened, how bad would it be for us as a business? And we can think about that from a number of fronts. Like, what might that cost us? What might that do for our reputation? What might that do in terms of legal ramifications? Or potentially, it says, technically, it’s a data breach. So might we have to report that, Could we get fined for it? So there’s all these things we can think about when we talk about consequences. So historically, we used to talk about impact, and just lately, there’s a new version of the standard that’s just come out. They came out in October, last year, the 2022 version of 27001. And they’ve changed the wording there ever so slightly from impact to consequence. And I thought that’s the same thing. But then I got to thinking about it a little bit. Actually, your impact sounds very immediate, while consequence, that sounds huge. And go on forever. So it’s quite a good change. So we think about what are the consequences of that happening? And how likely is that to occur.  And we bundled those two things together, which gives us our risk score, and that drives everything we then do. So if it’s a really low-risk score, it’s probably not going to happen. 
Or even if it did, it wouldn’t matter that much, why are we wasting time fixing that, where in the meantime, there’s this other thing over here, that’s tremendously scary and extremely likely to happen and would ruin us as a business. We should probably get to fixing that first. So we understand what our risks are, then we do stuff about the risks, and the management system is driving all of that. So the ISO Information Security Management System, that’s kind of what it designs for you. And as I said, it’s this framework, but the key bit and this is really key. If I can drive this home as keenly as possible, it’s all about understanding the risk for your business. So it should never be imposed on you. You can’t, that’s why template kits actually are a bit of a disaster. Because you get this massive template kit of all these documents, do we need all these documents? Probably not. I mean, actual prescribed documents in 27001: there are only about 12 or 13 documents you actually have to have; the rest of them are up to you. So framework, understand risk and do stuff about risk. That’s how it works. Sorry, I was long.

Matt Nally  06:25

No, that’s good. I think it’s important not to look at it as a copy and paste from another business for the sake of doing something, because it’s like taking T’s and C’s off someone’s website: you can’t be bothered to create your own or pay for your own. See, you take another version and change the company name. And that does achieve the benefit. ISO 27001: is it just for big businesses, or are the concepts applicable to a sole trader and SME?

Andy Larkum  06:51

That’s an awesome question. In fact, I did a lot of soul-searching a little while back, and I think I wrote a blog article on this subject. When’s the right time to do 27,000? Well, I think the honest answer is that there’s never, literally never; there might be a better time. And I think in terms of sort of business size and scale. I’ve helped companies, one-man bands right up to multinationals, and everything in between. So if there’s no, it’s not ruled out for any type of company, but there are certain truths, like the bigger you are, the harder it is to bring change. So, if we decide we need to change the way we’re doing this particular activity in a small company or in a one-man band, you go, all right, and you change. In a multinational, it might take you 12 months to roll that change out because there are a lot of people that have to listen, so getting policies approved, if you’re a one-man band, you’re the Managing Director, write a policy, if you’re happy with that. All right, that’s the policy. In a big company, it can take you months to get approval for that kind of stuff. So I think probably the sweet spot is somewhere between 10 and 50 employees. If you’re that kind of size, you’re actually in the perfect place, because you’ve got a bit more money than the very micro businesses. And there is an intrinsic cost in time. But then you’ve also got the cost of your audits because you have to pay an auditor to come and check that you’re okay. And you’ve got the cost of any help that you might need to get you over the line. So there is a cost associated with it. And if it is just you in the business, then time out of your business is expensive. Because all you’re trying to do is make the business work. And anytime you’re not doing the work, you’re not earning money. But once you kind of hit the 10 to 50 stage, you might have some capacity across your 10 to 50 people to release some time to help with this process. 
And like I said, you’ve probably got a little bit more money to be able to spend on bringing help in. Once you go over that number and start getting into the slightly larger companies, it takes longer to fix problems. But that’s perfectly manageable. You’ve just got to set your expectations right.

Matt Nally  09:34

Now to get the details nice, I think from my perspective it’s great to do it, at least on the policy side. You don’t have to necessarily do all the audits and get the certification, but if you’re smaller, going through the policies and procedures around all the different aspects that it covers, whether it’s gaining access to your property, which is probably a more straightforward one for most people with a smaller property, but through to when someone leaves, as you say, how can they take everything? Or have you got processes in place to remove access from systems and protect them from such things, from being deleted because they left on a bad note, whatever it might be? And I think if you’re implementing that, you can be more confident in your general processes, and you’ve probably got a more fluid process for everything in your business and in terms of how the customers are handled. So it ties in, with not just being a security necessity, but also how you then operate generally more smoothly?

Andy Larkum  10:29

Totally. I mean, I would say 27001’s got a bad rap. A lot of people, the impression of their experience, perhaps with 27001, is not healthy. It’s not been positive. And usually, that’s because companies have implemented template kit systems. And they’ve gone well, here’s this thing that was built to work in any setting, in every setting, everywhere in the world. So it’s going to work for my business, right? Of course it isn’t, you’re going to drown in paperwork and frustration. It’s not going to be helpful at all. But you’re right at the heart of it, the essence of it of getting your policies, processes, and systems in place and making sure we’re managing those to protect the thing that we’ve built. If you’re a business owner listening to this, this is your baby, you want to protect it right, and put things in place to make sure that you’re looking after it. And 27001 gives you a framework to do that. Again, it’s not prescriptive, it’s a framework, and we have to figure out how it applies to us. I’ll stop here.

Matt Nally  11:38

And I think it’s one of those ones where if you’re a business owner that is wanting to scale up and build up the number of employees that you’re working with, it’s much easier to look at something like this generally. Now in terms of you then just what procedures are in place for when you bring people on, it says it has you onboard them and give them the right knowledge and all that kind of stuff. So it’s just useful, I think, as a general tool.

Andy Larkum  12:02

I think the very two words I’ve used in the past were formalized and standardized, like two keywords in 27001. They’re not that much above the standard. They’re just ones that work for me. Formalized: here, we’re going to work out what it is we do, and we all agree that that’s how we do it. If you’ve got 10 people in the business doing the same thing in 10 different ways, that’s tremendously inefficient and probably quite insecure, because there are gaps there. So if we can standardize that, we agree on how we do it, and we’ve got it, this is the standard, this is what we do. And then formalize that, let’s write that down. So we can all see that’s how we’ve done it. And a lot of implementation work is around understanding how we do something, agreeing that’s how we do it, and then documenting that’s how we do it so that we can see if we ever deviate from that.

Matt Nally  12:51

It gives you a very nice framework to do work. And I think because you have to be meant obviously, we will be sorry if you’re actually certified. But obviously, if you’re not, then you don’t have to do this part. But it’s useful to build in those reviews. So you can check: are we actually doing what we said we’re doing, and are there issues because we’re not? It’s something to refer back to if something goes wrong or doesn’t go as well as you wanted it to. And I think one of the bits I was interested in talking to you about as well around this was that you obviously get to be the person that people like to work with in terms of setting policies and so on, but you also get to be the person that everyone hates, which is the auditor. What are the things that you see firms doing well on the whole? And then a couple of juicy bits potentially after.

Andy Larkum  13:37

So, it honestly is such a mixed bag. It’s really difficult to answer that question, as you know generally, what do people do? Well, in my experience, what auditors do badly is they come in sort of on a war footing. And I think equally, what companies aren’t very good at is recognizing that shouldn’t be the approach. As an auditor, I should not be there to catch you out. It’s not my job to be clever, it’s my job to have a look at your system and help you see if you’ve missed anything. And that comes with consequences. If we have missed too many things, then I can take your badge away from you. But much more helpful is that you’ve got a problem here that you need to fix. And again, from the company’s perspective, if I’m being audited and you find something that I’ve missed, I should be very grateful and go thank you very much. You spotted something that could have cost me massively. And I want to fix that, I need to solve that. So that’s how it should work. And in terms of systems, I’ve seen some spectacularly good systems and some incredibly awful ones. I had one audit where we got just out of the opening meeting. And which if you’ve ever been audited, that’s how the day starts. And I asked, if we’d waited an hour for people to turn up to this meeting, and it was just this poor guy who was like, Well, it’s not me you really need to speak to, I’ve just been thrown under the bus. We got an error. And I’m like, if we wait any longer, I’m not going to be able to finish the audit today. So we need to get started. I said to her, Let’s make a start. I said, this is the scope I’ve got for you. This is the statement of applicability I’ve got for you. Is that correct? And he said, What’s the statement of applicability? We just failed them, and I was like, sorry, you can’t pass this audit. So that was pretty bad.

Matt Nally  15:53

And are there aspects of running a business that people generally do, because it’s something that most people will find easier, and it’s not painful to think about, so they’re better at it? And therefore, there are bits that you consistently see that people try to put off because it’s a bit of a pain. And there’s an area where they’re weaker in as a business.

Andy Larkum  16:15

Yeah, I’ll tell you the one area that consistently companies struggle with is supplier management. Nobody likes supplier management. It’s annoying, it’s boring. It’s time-consuming. It’s frustrating. Unless, of course, that’s your job, in which case I’d take it all back. I’m sure you’re very good at what you do, and you love the job. But for most people, particularly in smaller businesses where you’re trying to just make stuff happen, having to go and check and audit your suppliers, flippin’ heck, what a frustrating job! So it’s actually one of the things I do really early on with my clients is say, Look, this is supplier management, it’s something we have to do. I’m really sorry. You’ve got to do this. And I make it as light as possible. There are some great cheat routes that make the whole process easier. If we can say, again, drive it by risk, right, this supplier? What are the chances they’re going to go wrong? And if it goes wrong, how bad is that going to be for me? And that will give you a nice risk score. And based on the risk score, you can decide whether or not you need to do further work to understand how scary they are. So, your company, like me, is coming in to audit you. Let’s say that’s the supplier relationship. So, you’d risk assess that and go, well, if Andy screws up as a business, how bad is that for us? Probably not that bad. I might have seen some stuff, but I don’t get any of your data. You’re not giving me things. And then you go, Well, how likely is it to screw up? Well, he sort of works in information security. So, we’re going to believe not that likely, hopefully, that would give me a tiny risk score. So you say, Well, at a risk score like that, we don’t need to do any further. We’ll just go, thanks very much, make sure we’ve got terms and conditions, and they talk about information security in there somewhere. All done. So you see the ones that are more likely to screw up or have greater access to your data, bit more risk. 
So we do a little bit more work and just go and ask them for some sensible badges, assurances, insurance and that kind of stuff. But again, it’s the kind of stuff that, if it’s your business, and if you had the headspace to think about this stuff, you start going, actually, it really does matter, doesn’t it? If I’m giving my data to that business, and that business screws up, you’re finished. You probably ought to check they’re not going to do that. That kind of thing. Anyway, sorry. Lots of talking again.

Matt Nally  18:54

No, it’s always helpful, I think. One of the things I’m interested in is, as we discussed before, we’ve obviously had audits and stuff together. So different tools and so on are useful for just keeping things safe? I think one of them you showed me was AFI for backing up all of your emails, for example. So regardless of someone going in and deleting everything, you’ve got a backup copy pretty much instantly as well. What are the types of things, though, that are simple things that smaller businesses can put in place to really protect themselves? On previous podcasts on cybersecurity, we spoke about having multi-factor authentication on your emails. I’ve got to do nothing else on there because what’s in your emails can reset everything else. But are there other tools like AFI and backing up emails that are sort of easy wins for companies to implement?

Andy Larkum  19:51

There are some Yeah. I say to my clients that I am incredibly lazy. If I don’t have to do something or if I can automate something, I’m going to do that. someone said, no, Andy, you’re incredibly efficient. That sounds way better. But I’m not sure that’s true. I think I’m just lazy. And I’m willing to pay a bit to be lazy, because it’s you. ADL is my business I run this business. I’m very busy in this business, thankfully, people seem to like working with me. But that brings challenges, like how do I stay on top of all the other stuff? So anything I can automate, that gives me assurance that stuff’s happening, I’ll spend some money on that. So you’re right. AFI is a tool that you can use to backup Google workspace or Microsoft 365, or other platforms. And it’s literally set it and forget it. So you turn it on, point it at the accounts you want backed up, and it’ll just do it. And you can go in and check periodically to make sure it’s doing its job. But it’s just doing it. And I use a tool called Ninja One. It’s a remote monitoring and measuring tool RMM solution. And it’s great because I can connect to my company’s machines to essentially install an agent on it. And it will take care of patching them for me. And it will just patch, update and maintain not just the operating system, but a whole bunch of software on there as well. And again, switch it on, set it pretty much forget it, I check in on it, obviously, because you’re supposed to do that too. But it’s just taking care of my staff, and I haven’t got time to go and do that as a separate job. These things are great. So any opportunities to automate stuff, take them that would be my key thing. And then if you’ve got a project management system, like monday.com, or Asana or something like that, or ICMS online, are you using that for your system, if you’re using those kinds of use the repeat features, so that you get a reminder to go and do the task. 
So you can go and do the task, because there’s a lot to remember in 27001, but just from a general security perspective, the tips you’ve had there already include using decent passwords, and multi-factor authentication anywhere and everywhere it’s available. Yes, if you’re putting money in it or if you’re putting personal data in it, turn on MFA and don’t blink about that. Yes, I know. It’s tremendously inconvenient and annoying. Well, more so for the hackers than for you. So let’s do that.

Matt Nally  22:31

But I suppose more inconvenient for yourself when you get hacked. And when someone’s phishing, notice stuff from emails, you got to then go off. By the way, this wasn’t me.

Andy Larkum  22:41

Yeah. And my industry is particularly guilty of doing how before we do why, and most people need that the other way around, right? We don’t understand why we’ve got to do something. So the how part of doing that is just annoying. If we’d explained the why first and got you on board with why this is so important. Maybe the how goes away a little bit, which is what is stopping me from hacking your email. If it’s just your password. What happens if I intercept your password or guess it? Well, it’s game over for you. I mean, it’s literally game over for you as a business. So let’s not let that happen. Turn on MFA. It’s an easy step. A little bit more inconvenient every now and then when you have to put the code in. So get over it.

Matt Nally  23:28

Anyone that doesn’t know what MFA is? It’s, you basically get an app, and that is your six-digit code.

Andy Larkum  23:36

Yeah, that’s right. Our school where I’ve reversed is your fault. Yeah, no, two-factor authentication, also known as two-step authorization or two-factor authentication, it gets a bunch of names. I saw the National Cyber Security Centre called it something else the other day. I was, I want to, I will write MFA. Two Step Verification, I think they called it. But yeah, essentially, you’ve got a little app on your phone that’s generating a six-digit code that changes usually every 60 seconds. And that’s synchronized to the system that you’re signing into. So you put in your username and password, it will ask you for the verification code, and you sign in.

Matt Nally  24:13

Yeah, you can also use the password managers currently, like LastPass and 1Password and all that kind of stuff, where it will generate a disgusting password that you’ll never remember. But because you’ve got the apps on your phone, and it’s on your browser extensions, and it will pre-fill all of that for you every time you log into something and you’ll have to remember it, but you’ve got something that you won’t even be able to hack yourself.

Andy Larkum  24:33

So, okay, here we go. Let’s do the password thing just because it’s fun. I do this a lot when we do training and trying to explain this is the segue. Because everyone’s fed up with hearing about flipping complex passwords and how important, so we do this. Let’s say we take a six-character password, right? And we make it all lowercase letters and numbers. I used to have a password that was six characters, lowercase letters, and numbers, that’s 2.2 billion possible combinations, right? And I’m going to hack that password. I’m going to do what’s called a brute force hack, where I’m just going to guess, keep guessing and guessing and guessing until I get it right. But that’s quite a lot of possible combinations, which can get sore fingers. So I’m going to use software to do that hack for me. Okay. So, Matt, what’s your six-character password? How long do you think it’s going to take my software to crack it?

Matt Nally  25:24

I saw a graph about this depending on length and whether it includes characters. I think you did. I can’t remember how long it was it was something really short, wasn’t it?

Andy Larkum  25:33

Yeah, it’s a blink of an eye. I did this just the other day, and the first guess was five minutes. The second one was two minutes. And the third guess was one minute. I was like, No, it’s the blink of an eye. So the ridiculous thing about that is that if you have a six-character password that’s lowercase letters and numbers, it’s going to take you longer to type it in than it’s going to take for me to hack it. That’s just dumb. So we go from six characters, same rules, though, lowercase letters and numbers, we’ll take it up to 10 characters, and say, How long will it take me to hack that one? And we go from the blink of an eye up to three weeks. So again, this whole why and how, if you understand that, adding those four extra characters is going to take you from a blink of an eye to three weeks to compromise your password. As a hacker, I’ve now got to really want to hack your password to spend three weeks trying to get it, right. Yeah, so I’m probably not going to, I’m going to move on to the other person who’s got a six-character password instead. And that’s the name of the game, make it harder than everyone else and password managers do all the heavy lifting for you. You still need a really good password to sign into those. But once you’ve signed into that, everything else is managed for you. And they can be bonkers. 20, 40, 60, 100-character passwords, whatever, doesn’t matter. You haven’t got to remember it.

Matt Nally  26:48

I think it’s the biggest win you can have, from a security perspective, as a small business is doing that. What are the things that people generally do wrong? Where they end up losing data? Because I think there’s those different ways in the surveying industry in terms of how people store data. So I’ve seen the more modern side where people are using a CRM, like Survey Booker, for example. It’s all cloud-based and backed up and so on. And then, all the way back down to the older style, where it’s paper records, and they’re put in storage. And they’ve got the other risks then of, okay, fine, you’ve got a copy. But how do you do a GDPR report for someone? Or they say, what data do you hold on me? And what happens if it gets caught in a flood or a fire? Then you’ve lost everything. Yeah. What are the most common ways that you see people losing data? Is it just the fact that they do not back stuff up properly? And they don’t know about that? Or are there other things that people don’t think of?

Andy Larkum  27:49

Yes, but backups are key. And the problem with backups is that they tend to cost something, as in, financially. And because a lot of business owners don’t like spending money, because that’s their money that they’re having to spend, if it’s your business, and you’re paid by dividends, anything you’re spending out of the business is coming out of your profit and you don’t get the money. So we don’t want to spend that money. But the killer is when you lose something that you can’t get back, and it hurts you more than it would have cost. And that’s just stupid at that point. But the process by which people go into thinking about backups, generally, is broken. And we have to think about backups in terms of what can we afford to lose. Because if you think about it that way up, it starts driving what you ought to be spending on the solution to back up your data. If I can’t afford it yet, let’s say I’ve got to take it into a big business. I’ve got 1,000 employees working on this system, they all work on it all of the time. And if that system goes down, I’ve literally got 1000 people sitting on their hands. Our recovery time objective (RTO) becomes important in that setting. How quickly can we get this system back? Then we have to start thinking about, well, how much data can I afford to lose? Now if I’ve got 1000 employees working at their desks all day, every day, and I backed that solution up once a day. If it blows up before I hit that backup point, I’ve lost the previous 24 hours, which is quite a lot of work if I’ve got 1000 people using it. So can I afford that? Can I afford to just throw away 1,000 man days? Yeah, person days. So we, as businesses, need to think about how quickly we need it back. And how much can we afford to lose, because that needs to drive our decision-making process around what the backup solution looks like in a small business setting. 
Happily, and thankfully, the new day of software as a service, which is not new anymore, but is still a growing arena and has brought with it the joy of not having to think about backups very much because we are outsourcing that to the software as a service provider. So people using Survey Booker, for example, are relying on Survey Booker to do the backing up and the restoration, if it all blows up, which means that Survey Booker has to have very robust disaster recovery and business continuity plans in place. So take it back into the business setting. The thing that often doesn’t get looked at is what about the stuff that people aren’t putting into the software as a service solutions? What about the stuff that’s actually sitting on desktops? As in laptops, desktop machines? Because if those machines blow up, that’s a world of pain, and I am so sorry, I was going so well, BBC moment, isn’t it? Yes. So it’s, I remember working, I used to work at the university, looking after IT for one of the departments there. I remember one day, this guy called me up, and said, Andy, my laptop’s not working. And so I went over to his office to handle it. And sure enough, this thing was just dead. Absolutely bricked. And I was like, Okay, so sorry. Instead, he said, put all my work on there. I said, No, it’s not. We’ve got the network drive for that. That’s your work on that. Right? He said, no, it was all on my laptop. I was like, well, sucks to be you fell or I’m sorry, this is dead. I mean, the hard drive just had enough. And people tend to forget that can happen. That all that stuff you’ve been working on can be gone overnight. If that’s the only place you’ve got it. So we need to make sure we’ve got redundancies to be at because that’s a key way people lose data. The other is the nasty ways of data breaches, hacks and stuff like that. Breaches tend to be user-driven, as in your employees will do something. This is not casting shade on people. I am stupid. 
I have stupid moments. We all have stupid moments, I’m just going to use that word. One of your employees has done something stupid. They’ve recognized they’ve done something stupid, but that’s too late. Now the horse has bolted. So that’s a nasty way. And then the more insidious is that we’ve left a door open, or we’ve left a vulnerability unpatched or something exploitable, and some bad actor has exploited that vulnerability and taken data away from us. I’m using lots of words, and I’m not even sure if I answered your question.

Matt Nally  32:50

But I think it’s an interesting one to think about, though, because there are challenges with every storage method. So if you are keeping paper records, then you really do then have to photocopy everything, in case, at the one location you’ve stored them in, things get stolen, or there’s a flood or a fire, and then you’ve lost everything. Because as a surveying firm, once you’ve done a job, you’re meant to keep the records for 15 years for potential claims and that kind of stuff. Equally, you put it on a hard drive, like you said, and the hard drive can be anything like a USB stick or an external drive. Or you can put a password on it to encrypt it and protect the data. But if you forget the password, you can’t get into it. So you’ve effectively lost it. So then, do you put it online? And then you take backups of what you’ve put online. So there are different things to think about, risks with each, but I certainly wouldn’t want to store anything on my desktop.

Andy Larkum  33:41

You’re absolutely right, there was an interesting fine issued by the ICO a little while back for a data breach, and you may be familiar, GDPR changed the game on what we mean by a breach, because it includes that accidental loss or destruction of data. So if you’ve accidentally lost data, or if it’s accidentally been destroyed and it shouldn’t have been, that’s a breach too. And some people don’t consider that. But this particular fine was for a pharmaceutical, I think, a chemist, basically. And they left some paper data at the back of a warehouse, it got water damaged and was unrecoverable, and they got fined for that. So coming back to the paper thing, paper data is still a real thing. And we do still need to consider it and, like I said, think about it well. What is that data? How important is it? If it’s just old newspaper clippings, fine, stick it in a box somewhere. If it’s really important, and we can’t afford for it to disappear, then fireproof safes and fireproof cabinets and stuff like that are where you’ve got to spend the money. It turns out that’s a thing you’ve actually got to spend on to get the right solution. But again, risk-driven: what are the chances of it happening? And if it happened, how bad would that be? That should be guiding us.

Matt Nally  35:11

Definitely. I’d love to actually talk about the GDPR aspect, because I think there are a lot of misconceptions as to what it covers or what the principle behind it is. What are the misconceptions around it? Because I think sometimes people were worried about it too much, in the sense of, the ICO is going to try and fine you for absolutely anything. And actually, it’s more of a principle that’s there to drive how you treat data. Is that fair to say?

Andy Larkum  35:41

I think that’s a nice description. Perhaps the biggest misconception with GDPR is people believing that it’s a bad thing. It’s not, it’s a really good thing. Unfortunately, the way it was sold, they really should have got the marketing people involved, and they didn’t, I think. But essentially, let it take you out of business. What was GDPR about? It’s about protecting my data and stopping my data from being abused by other entities, legal people or companies, generally speaking. So to stop another company from taking my data and abusing it and putting me at risk because they’re not looking after it properly, or because they’re treating it wrongly or whatever. The long and short of it is that I end up suffering. So anything that stops that from happening is good news. Unfortunately, the way data works, and the value of our personal data, is actually quite hard to connect with. And I don’t mean this disingenuously or disrespectfully, it is beyond the reach of most people to understand. So if we ask the question, and I’m hoping I don’t get in trouble for this, why is TikTok bad news? And in fact, if you go and look in the US, they’re trying to ban TikTok from being used at all in the US. And one of the reasons they’re citing is that the algorithms that are in place feed you certain types of information, which means it could be used by a state-sponsored actor to start feeding you misinformation and fake news, and stuff that basically is not good, and to start influencing how people think. And that over a generation becomes tremendously scary news. And we should worry about that.

Matt Nally  37:35

Well, on that note, just quickly to jump in, I haven’t fact-checked this, so I put that as a caveat. But I was reading that, in China, for TikTok, if you’re below 14, they tend to push you content that is educational, that might be based on science, maths and all this kind of stuff. And of course, in every other country, they’re pushing the dance videos. So there’s obviously a difference in how they’re trying to push their own population in terms of driving the intellectual.

Andy Larkum  38:00

So, what do we do if a generation down the line, we have incredibly intelligent people in one particular part of the world, and somewhat…

Matt Nally  38:12

Good dancers?

Andy Larkum  38:15

Brain-numbing stuff. Yeah, I watch some of my kids watching some of the stuff, not so much on TikTok, because I’ve told them not to, but on other platforms, and just go, why are you wasting your life on this stuff? But anyway, that’s a whole other debate. So back to the GDPR thing. And so we want to get our data protected. And I say that because it’s beyond the reach of most people to understand that if we do something like that, sooner or later, we can start to influence elections and how people vote. And that means democracy is dead. Bad. We said, well, people won’t get there. So instead of expecting people to get it, what we’re going to do is put the responsibility for doing things right onto the companies that want to use the data. Now, the problem with doing it that way around, and it’s sensible, if you think about it, let’s go top-down rather than bottom-up on this, generally it’s a good approach. The problem with that is that you end up with companies going, Ah, well, that’s annoying. That’s going to cost us money. And then you get people in the companies who can’t change, or don’t like change. And we get stuck in this loop of GDPR, which is rubbish. No, it’s not. It’s really good. And we should love it. But because of the way it was imposed on us, it got a bad rap. So at its essence, it is about protecting your data from being abused, which ultimately means it’s protecting you from suffering consequences because other people couldn’t be bothered to do the job right. There you go. That’s GDPR in a nutshell.

Matt Nally  39:48

I think it’s misunderstood as well from a consumer perspective, because there are a lot of times where someone will shout, that’s my right under GDPR. And you go, well, actually, no, I can’t just delete you from our system, because I legally need to hold your data because you’re a customer of ours for whatever period before I can do anything. So yes and no, that’s probably not the best example of it.

Andy Larkum

That’s a genuinely good example, because it’s not terribly well understood. And because people have heard this, GDPR, they go, Oh, yes, I have rights. You go, we do. But data about you isn’t necessarily your data. And I know that sounds weird. But there’s stuff that I know about you because I’ve done work for you. Let’s go with this. So I’ve done work with yourself, Matt. And the stuff I know about how your business works, I just have it in my head, I can’t delete that. It’s over this stuff. I’ve managed to kill it. And that’s a really great guy. I haven’t written that down anywhere. But if you asked me to delete you from my systems, and I had written somewhere that this guy called Matt is a great guy and he runs a really cool business, that’s information that’s valuable to me, and it’s not necessarily able to identify you. So I don’t have to delete that information. And understanding what we do and don’t have to do, understanding what GDPR is and what it means for your business, starts with what you are processing and why. If you’ve got a lawful basis for processing that information, then sometimes that lawful basis will trump that person’s beliefs. Who paid you money? Well, HMRC, it turns out this fella did. Okay. This fella wants to delete their data, and HMRC says hang on to it for six years plus the current year.

Matt Nally  41:49

This might be slightly more of a lawyer question, so potentially not one anyone can answer. But in terms of the GDPR bits and rights. So what a lot of surveyors do is they’ll work with estate agents, conveyancers and so on, and they’ll have a referral relationship. Are there things that need to be considered during that referral process in terms of what consents are needed? Because once you’ve received the data, you become a data controller of that, don’t you, rather than the data processor for your referral partner?

Andy Larkum  42:24

Yes, that’s right. So understanding where you are a controller and where you are a processor is really helpful. And so, really quickly, a data controller is the entity that decides what information we’re collecting and why; a data processor is processing data on behalf of a data controller. So in that scenario, the agent has introduced the surveyor to a third-party client. That is just an introduction; the surveyor isn’t processing on behalf of the agent, right? So it’s just an introduction. However, the agent should be asking me, Can I pass your data on to a surveyor? And then that surveyor can start processing. If I say yes, right, I’ve given consent for the introduction. The surveyor can start using my information on the grounds of legitimate interest, because apparently I’ve expressed an interest in this agent. They believe I’m interested in hearing what they have to say. So this is a sensible transaction. So legitimate interest is quite a tricky one. It’s a good one. But it’s tricky, and often abused. Legitimate interest only works where we can balance our interests. So I’m interested in processing your data, but probably you are interested in me processing your data too, right? So that’s balanced. Or there’s an obvious and reasonable imbalance, like you owe me money. And until you’ve paid me that money, I’m not going to remove your data, on the grounds of legitimate interest. I have an overwhelming legitimate interest in processing your data, right? So yes, on that basis, that introduction thing can work. But, as I say, the agents ought to be asking my permission before they pass my data to a third party.

Matt Nally  44:15

Also, that’s good to know, to help clarify. And I suppose we’ll just put in a caveat that it’s not legal advice.

Andy Larkum  44:21

Not legal advice. It is good advice, but it’s not legal advice.

Matt Nally  44:26

Always good timing.

Andy Larkum  44:28

Really quickly, as a thought. One of the difficulties with data protection, and I’m going to upset some people, and I don’t mean to upset people here, and feel free to take this out of the podcast if it’s controversial. One of the challenges for legal entities being involved in data protection is that they start from, how do I protect the client? And the key to data protection is, how do I protect the individual? All right, so we have to start with recognising that GDPR and data protection are all about protecting the rights and freedoms of the individual, not the legal entity that wants to process their data. If we can start from that perspective, it actually changes our thinking on what we’re trying to do with information, because we go, hang on a minute, is this actually in the interest of this person? Or do I have a good reason why it’s not in their interest? They don’t understand that it’s in their interest. They can’t say, Well, I’m going to have to do it anyway, like legal protection or something like that. But if we start from the premise of how do I protect the data subjects, rather than how do I protect my business, we’ll end up with a much better outcome. And as I said, the danger of asking solicitors to get involved and say, Can you help us with our privacy policy, or with our records of processing activities, or that kind of stuff you might be obliged to do, is that they will start with, well, okay, so business, we need to protect you. So no, you need to protect my data subjects. Yes, that was my little rant. I’ll stop now.

Matt Nally  46:08

That is good. It’s good to have different perspectives on things. Because obviously, if you’re someone that doesn’t deal with data and security and all that kind of stuff every day, then it’s not something you necessarily have different perspectives and viewpoints on. I suppose, as a final question, whether you’re starting out or you’re a smaller firm and you’re looking to grow, what are the sort of best areas to focus on? If you’re a firm, say, within the ISO 27001 framework, would it be just things like general systems and data security, whether it’s how you manage your passwords and stuff, and maybe your training and onboarding and offboarding of people? Would they be the best areas to focus on? Or are there other bits that you think would be the sort of best wins you can get as a small firm?

Andy Larkum  47:01

That’s a really tricky question. There’s such an ongoing fight slash debate in my industry about whether your employees are your first or last line of defence from nasty things. And the sensible answer to that question is: yes, they are. If one of my users has opened up a phishing email, clicked on the link, and is about to put their login details into a phishing website, then in that moment they are the last line of defence. Everything, all of my technical controls up to that point, have failed. It’s now down to them: are they going to put their data on a malicious website? We can flip that the other way around as well and say, well, they have got to this point. Now it’s up to them. If they fail as the first line of defence, all of my technical controls now come into play to try and protect me from the mistake they’ve made. So yes, they are the first and last line of defence. Both things are true. So we are training our staff to understand cyber risk. And again, we’ve got to start with why, not how. If they understand why good passwords are important, they’re more likely to use good passwords. If they understand why they don’t have access to things that they don’t need access to, it turns out that’s a bad idea, and if they can put themselves at risk, then they’re more likely to leave that kind of stuff alone and not try to access it. Yeah, there’s good educational stuff that we can get into our team that will help. If we can raise awareness, raise understanding, and just literally lift the bar on what security looks like within the business, that will absolutely help us. Then I’d say, again, come back to being lazy: automate everywhere, and spend a bit of money on getting good automation tools in place that will do some of the heavy lifting for you and provide you with visibility and assurance that things are working the way they’re supposed to. Those would be my two things.

Matt Nally  49:04

Yeah, I think they’re good points, because you read a lot that a breach or something going wrong is down to human error rather than a system. The systems do make mistakes, absolutely. But a lot of it is down to human error. It’s, as you say, putting something on the wrong site or deleting the wrong thing, or whatever it might be. One of those things around automation is that you might not want to pay, and so you go, Okay, I’ll manually back up each week or day, or whatever you want to do, or move stuff on my desktop to the cloud, whatever it might be. The reality is that you get so busy that before you realise it, three or four weeks have gone by and you’ve left it, and then suddenly something does happen. You’ve lost everything. So yeah, automation protects you a lot more because it’s definitely happening. And it’s just one less thing to think about when you’ve got so many other things to do within a business.

Andy Larkum  49:56

It is a common mistake, and I am absolutely certain I’m guilty of it myself, that, particularly in small businesses, we get very busy doing stuff. And a lot of it is stuff that we probably don’t need to or shouldn’t be doing. We could pay a bit of money for someone to automate that. And actually, not having to do that means I can earn way more money doing the work I should be doing. We have some wood burning stoves. And I used to go out and salvage wood, bring it home, and chop it all up. And part of it in my head at the time, this was going back quite a while now, was that I was saving money. And then I started adding up how much time I was spending collecting the wood and chopping it all up, splitting it, stacking it, and stuff like that. I thought, I am not saving; this is costing me a fortune. If I were doing the work instead, I could have bought that 20 times over, instead of having to go and chop it up. And we spend time and effort in the wrong areas. So spend some money and automate where you can, to do the heavy lifting for you, so you can focus your time on the more productive stuff that actually earns you money.

Matt Nally  51:10

That’s a fair point, which is that you don’t realise how much time you’re wasting on things until you start writing it out and going, I’ve lost two hours today on pointless admin because I was doing all these different things, when I could have spoken to 20 more customers, or whatever it would have been. Thank you for coming on today. If anyone wants to get in touch to learn more, whether it’s about ISO 27001 or just general things they can potentially do within their businesses, how do they get in touch?

Andy Larkum  51:41

So, if you want to get in touch with me, that’d be great. You can email me at [email protected]. Just ping me an email, say you heard me on here, and it’ll be great to talk to you.
