Deciding who is in charge of data security within your business is far from clear-cut. Individual errors may have led to the breach, but these may only have been possible as a result of poor security policy, at which point blame often shifts towards the IT team. However, in the wake of a data breach, it's important that companies don't start throwing accusations around wildly. Determining who is ultimately liable for company security isn't about working out who is to blame, but rather who is responsible for making sure similar mistakes aren't repeated.
Recent research carried out by VMware, however, has found that cyber defence cannot be left to the IT team alone. In fact, 29 per cent of IT Decision Makers (ITDMs) and office workers believe that the CEO should be held liable for a big data breach. Similarly, when asked who should be most aware of how to respond to a data breach, 38 per cent of office workers and 22 per cent of ITDMs said the board, while 53 per cent of office workers and 40 per cent of ITDMs believed it was the remit of the CEO.
Evidently, the response to cyber attacks is changing and it's important for businesses to understand why. Firstly, organisations are coming to terms with the fact that it's often a case of when, not if, a data breach occurs. 24 per cent of companies expect a significant cyber attack to hit their organisation within the next 90 days, and one look at last year’s headlines will reveal how harmful they can be. Reputational damage as a result of a data breach is often difficult to recover from, as the likes of TalkTalk and Ashley Madison are now discovering. With the frequency and impact of data breaches becoming better understood, it's not surprising that companies are moving towards a more holistic security policy, one that comes all the way from the C-suite.
“The issue around accountability is diagnostic of the underlying challenge faced as organisations seek to push boundaries, transform and differentiate, as well as secure the business against ever-changing threats”, explained Joe Baguley, CTO, VMware, EMEA. “Today’s most successful organisations can move and respond at speed as well as safeguard their brand and customer trust. With applications and user data on more devices in more locations than ever before, these companies have moved beyond the traditional IT security approach which cannot protect the digital businesses of today.”
The need to constantly innovate mentioned above has proven difficult to integrate with existing security measures for some companies. The rise of mobile devices and cloud computing has created many more access points, and hence vulnerabilities, for corporate data, and the expected growth in IoT technologies is only going to exacerbate the issue.
Technical solutions, including a software-defined approach to security and encryption of data at rest and in transit, will help, but cultural changes are also in order. IT security must be demystified if businesses are to become better protected, and for that to happen, clear and continuous dialogue must take place between the IT team and the board. That way, security becomes less of a blame game and more about collaborative solutions.

How to avoid the data breach blame game
Modern Finance: The story thus far
In today’s world, cloud-based process automation is becoming omnipresent in everything from banking to shopping, and businesses are starting to feel the benefits of smoother processes and ROI.
However, this wasn't always the case. A few years ago, if you asked a finance or accounting professional about the state of their work processes, more often than not they’d tell you they were snowed under with laborious, time-consuming manual processes, and cloud-based business solutions were an unknown and frightening prospect.
In fact, it wasn’t until quite recently that companies began to adopt cloud-based software solutions designed specifically for finance and accounting professionals – which, when you consider the huge benefits, is astonishing. The automation of financial processes, or as we at BlackLine like to call it, the Modern Finance approach, not only makes life easier for finance professionals by saving time, cutting costs and virtually eliminating the risk of error, but benefits the broader business in ways that a few years ago we couldn’t have begun to imagine. And it all started with an idea…
The birth of BlackLine and the Modern Finance prototype
The concept of Modern Finance was designed by BlackLine back in the early Noughties. Founder and CEO Therese Tucker, comfortably retired from her position as CTO of SunGard Technologies, was enjoying maternity leave and had no intention of going straight back to work. Until, that is, she began to reconnect with former clients and heard their horror stories about being kept in the office at all hours, poring over spreadsheets and box files every month in an attempt to finish their reconciliations on time.
The primary issue was that, whilst other areas of business were embracing process automation and thus moving forward in terms of efficiency and productivity, finance and accounting departments were finding themselves left behind. Staff were overworked, spending hours on manual data entry in spreadsheets, which by its very nature wasn't a secure process and was left wide open to mistakes – accidental or otherwise. Time, money and paper were being wasted and something had to be done. It was from these conversations that Therese formulated the idea for an automation solution, something that would modernise the way accountants worked. From this concept, BlackLine’s original account reconciliation automation solution was born.
The solution essentially automated and controlled the financial close process – by providing visibility into data, the solution enabled accountants to rapidly detect any anomaly, thereby limiting the potential for mistakes to happen. The process enabled a more continuous approach to accounting – rather than a spike in activity at month end, accountants could spread out their duties over the month, resulting in a smoother close.
Therese developed the first BlackLine solution entirely on her own and was sole investor in the product for the first five years. It wasn’t long before former clients began requesting a trial of the new solution. Very quickly, BlackLine’s success began to pick up speed. In 2009, Therese led her now-burgeoning company through a migration to SaaS, a risky move at the time and one which could have alienated users. Luckily, it paid off, and enabled BlackLine to later develop a full suite of solutions for accounting departments.
Modern Finance today: Still a need for automation education
Today, the Modern Finance revolution is in full swing. Not only are businesses acknowledging the benefits of process automation, they're continuing to build on the original reconciliation solutions they have purchased, enabling them to take the ‘next step’ in automation. Increasingly, businesses are seeing fewer errors, a more timely month-end close, and happier staff. One such example would be BlackLine customer Western Union which, following the adoption of BlackLine’s solutions, was able to sync up over 20 global accounting offices, enabling the Group Accounting Director to see in real time which reconciliations were complete and which were outstanding.
And BlackLine? We now have over 1300 customers in over 100 countries; large and mid-sized corporates including LV, KFC, British Gas and RSA, to name just a few. In late 2014, BlackLine’s Finance Controls and Automation Platform – a scalable, unified cloud platform built around Therese’s original solution – was recognised by Gartner as a ‘best of breed’ solution in the newly-created category, Enhanced Finance Controls and Automation (EFA). Further to this, BlackLine is also an SAP Gold Partner, Oracle Gold Partner, and participates in the partner programs of NetSuite and a number of other ERP providers.
Despite the success of BlackLine – and the happy customers – it’s clear that there's still a great deal of work to do when it comes to educating finance and accounting departments on the benefits of automation. In 2008, it was estimated that close to 90 per cent of spreadsheets had errors in them. Whilst we don’t have any data to hand that conveys the extent to which this has decreased, we know that those using automation tools report a higher level of job satisfaction and are confident in the accuracy of their data. Some recent BlackLine research found that in 2014, around 27 per cent of CFOs were concerned about the accuracy of their financial data. This rose to a whopping 44 per cent in 2015, likely due to increasingly tight regulation, with which businesses must comply. The threat of cyber security breaches has loomed large on the business agenda for the past few years and is only becoming more prominent. What many of these businesses still don’t realise is that a Modern Finance approach can help them to ensure compliance, will keep their data secure from threats and will also enable them to identify potential errors earlier on.
It’s clear that cloud-based process automation, particularly within the finance industry, is the future. The next step is to ensure that companies of all sizes are better educated about the benefits, learning from those that have successfully embraced a new era – the age of Modern Finance.

What the European General Data Protection Regulation (GDPR) means for your business
Following the approval of the new General Data Protection Regulation (GDPR), businesses must be prepared for a new set of standards surrounding data processing. Although there remains a two-year lead-in period, organisations must begin work now if they're to meet the regulations. Crucially, businesses must be able to distinguish between fact and fiction when it comes to deciphering what impact the GDPR is likely to have going forward. Making sense of the mixture of speculation, misunderstanding and erroneous interpretations could mean the difference between success and failure when it comes to complying with the ruling.
Lisa Dargan, Business Development Director for Ultima Risk Management, has taken a look at some of the GDPR myths already circulating and what impact the legislation will really have on your business.
Myth 1 – You must appoint a qualified, independent Data Protection Officer (DPO)
It was strongly suggested that the GDPR would require every organisation with more than 250 employees, or processing more than 5,000 personal data records, to appoint a Data Protection Officer. However, this proposal was removed from the legislation at the drafting stage. Instead, Section 4 of the GDPR states that DPOs are required if you are:
a public body
a private sector controller whose core activities involve ‘regular and systematic monitoring of data subjects on a large scale.’ (Notice that what constitutes “large” is open to interpretation.)
a private sector controller whose core activities involve the processing of special categories of personal data (i.e. sensitive information).
Businesses should also be aware of the importance of an independent DPO. They can still be an existing employee, but they must have an independent reporting line, and report directly to the Board without interference. They should also have a thorough and up-to-date understanding of data protection law if your business is to meet compliance standards.
Myth 2 – I'm an SME, therefore the GDPR doesn’t apply to me
The GDPR applies to all businesses ‘engaged in economic activities’ that involve the processing of personal data. Although there are some exemptions for micro and small businesses when it comes to record keeping, SMEs still need to be aware of the new ruling. Smaller firms may also be working with large customers and so will need to ensure that the relevant data is managed appropriately.
Myth 3 – I’m acting as a data processor – my customers, as the data controllers, can deal with the difficult stuff
Over the next two years data controllers will need to review all of their supplier contracts to ensure that they meet the new regulations, but data processors also have direct responsibilities under GDPR, including a requirement that they (or their representatives) maintain a record of processing activities including:
The name and contact details of the processor or processors, or where applicable, the processor’s representative
The name and contact details of each controller (or the representative) the processor is acting for and their data protection officer
The categories of processing carried out on behalf of each controller
Transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of appropriate safeguards (e.g. contractual clauses within inter-company data transfer and sharing agreements based on risk assessments etc.)
Where possible, a general description of the technical and organisational security measures the recipient of the transfer has implemented
The records need to be in writing, including in electronic form, and made available to a supervisory authority on request
Myth 4 – I encrypt my personal data so there’s no way I’ll get fined
Security is vital, but fines can be issued for failure to meet data controller/processor obligations, as well as for security breaches. Regulators can impose penalties of between two and four per cent of annual turnover, depending on the severity of the infringement. Some considerations taken into account before issuing a fine include:
The nature, gravity and duration of the infringement
The purpose of the processing concerned
The number of data subjects affected
The level of injury suffered by data subjects (including infringement of their rights)
Whether the infringement was intentional or negligent
Any action taken by the controller or processor to mitigate the damage suffered by data subjects
The degree of responsibility of the controller or processor, taking into account technical and organisational measures implemented
Any relevant previous infringements
The degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects
The categories of personal data affected by the infringement
The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, they were notified
Whether any previous measures ordered against the controller or processor concerning the same subject-matter were complied with
Whether approved codes of conduct or approved certification mechanisms were in place
Any other aggravating or mitigating factors such as financial benefits gained, or losses avoided, as a result of the infringement
Encryption won't solve all of your problems. You'll also need to consider ‘organisational and technical’ measures, not just in relation to security management and data protection, but potentially in terms of documented privacy impact assessments. These are now mandatory where new processing operations are likely to result in a high risk to the rights and freedoms of data subjects. Businesses should also ensure that they have a thorough governance and compliance regime in place in order to make sure their accountability obligations are met.
In response to the GDPR ruling, data processors and controllers need to think ahead and prepare for the coming impacts on their IT infrastructure. Is your business able to:
Identify where personal data is stored, processed and transmitted by utilising data discovery and data audit tools?
Record how consent for processing personal data was obtained, who it was obtained from, who it has been shared with, whether it has been changed, its accuracy disputed and approval for disclosure under data sharing agreements (internal, external and inter-company)?
Do your applications/systems developers understand the GDPR implications?
Are you preparing to perform documented privacy impact assessments and criteria for prior consultation with data protection authorities as a part of your compliance regime?
Are your applications/systems able to support the GDPR data deletion requirements?
Are you planning application changes to support the new rights of data subjects to receive copies of their personal information in a common (interoperable) electronic format and/or forward that data to another entity (portability)?
Are you proactively talking to your software suppliers, service providers and data processors? Have you identified them, and are you planning contract reviews? Are you a data processor or software solutions provider?
Will your incident management and investigation procedures enable compliance with data breach notification obligations, to notify supervisory authorities where necessary within 72 hours? Are you considering what, how and when you may have to notify data subjects that a breach has occurred and what assistance you'll provide them?
How will you review online privacy information notices and achieve online consent? How will online consent translate into recording that consent, and how will subsequent withdrawal of consent trigger potential data erasure?
How will the data erasure/portability requirements impact your current data retention and archiving arrangements?
What resources and support will you need for your GDPR reform project?
Myth 5 – The GDPR won't be relevant if we leave the EU, so businesses should wait before acting
This is not an advisable approach to take. If the United Kingdom remains in the European Union, the GDPR will supersede the UK Data Protection Act, but if we leave, the complex withdrawal process could mean that the United Kingdom is forced to implement similar legislation in order to comply with the EU rules. The free flow of data will remain vital to the success of UK businesses whether they are based in or out of the EU, meaning that organisations are better off complying now, before it’s too late.
For further guidance on how to comply with the GDPR, the Information Commissioner’s Office has published guidelines via its new micro-site: https://dpreform.org.uk/.
Dealing with ransomware: Why data protection needs a more holistic approach
Ransomware refers to a strain of malware that attacks computers, encrypts the files on them and then demands payment to unlock them. From being a rare sort of attack around a year ago, thousands of organisations are now being hit by this type of attack every day. The attacks themselves are indiscriminate, hitting public sector bodies like police forces, hospitals and councils, as well as private companies and individuals.
Ransomware is also spreading beyond the traditional Windows PC into targeting Linux and Mac machines, as well as now mobile phones using versions of Android. As more and more potential targets for ransomware are created, it’s important that all organisations look at their approach to data protection in more detail.
Step 1 – Education

The most common route for all malware attacks into organisations remains email, with attacks disguised either as a link or an attachment. This is not a sophisticated approach, but it's still successful. Instead of the mistake-ridden missives of the past, better design and grammar in the emails makes them harder to spot.
At the same time, workforces within companies are becoming more mobile, taking them increasingly outside the perimeter security implementations that can help to stop attacks getting through. Use of company assets outside the business – or employees using their own devices for work purposes – can exacerbate this risk further.
Education here can help. Users can and should be trained to spot attacks on them, whether these are the latest phishing attacks based on social engineering or designed to get payloads opened. Encouraging users to manage their work and not get rushed into opening potentially suspect emails – even when they have the appropriate name or branding on them – can help prevent some of these issues in the first place.
Step 2 – Backup and data protection across all devices, not just a few
While education can help, it’s not the only answer. It relies on every user being 100 per cent vigilant all the time, and precludes the possibility of human error. Alongside keeping staff up to date on problems, it’s therefore important to look at data backup.
Backup is one of those tasks that's often looked after centrally by IT. However, the confluence of IT industry trends has made backup harder. The growth of mobile working, the use of multiple devices and more deployments of cloud applications all have an impact on backup strategies. However, protecting data across all assets – not just those held centrally – is vital when it comes to defeating ransomware.
However, backup has to move out from being something only done for centrally-held IT. As ransomware can strike at almost any IT asset – from a phone, laptop or tablet through to the files held centrally – backup has to cover each and every device equally. Alongside this, holding multiple versions of every file is required too, just in case files are infected before being spotted.
Protecting data on each device does mean thinking about how to get data off those IT assets. Mobile or remote workers might not come into the office for regular imaging of their devices, while relying on users to protect data themselves runs the risk of steps not being completed. Instead, client backup should be as unobtrusive as possible.
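The point about holding multiple versions of every file is easy to state and easy to get wrong in practice: if the backup job faithfully copies an already-damaged file and the retention window is too short, the only good copy has been pruned by the time anyone notices. The following is an added example written for this page, not code from the article or from any backup product. It assumes a toy layout (a per-device source directory, a backup root holding immutable, label-ordered snapshots, and a retention count) and uses constructed file contents; the "unreadable" bytes simply stand in for a file that has been damaged before the damage was spotted.

```python
"""Versioned backup with retention: why 'keep several versions' matters.

Added illustration (not the article's own code). Snapshot labels are
zero-padded so that sorting by name gives chronological order; each
snapshot is written once and never modified afterwards.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def file_digest(path: Path) -> str:
    """SHA-256 of a file's bytes, used to tell versions apart."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def list_snapshots(backup_root: Path) -> list:
    """Retained snapshots, oldest first (labels sort chronologically)."""
    return sorted(p for p in backup_root.iterdir() if p.is_dir())


def prune_snapshots(backup_root: Path, keep: int) -> list:
    """Delete all but the newest `keep` snapshots; return the removed labels."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    removed = []
    for old in list_snapshots(backup_root)[:-keep]:
        shutil.rmtree(old)
        removed.append(old.name)
    return removed


def take_snapshot(source: Path, backup_root: Path, label: str, keep: int = 3) -> Path:
    """Copy everything under `source` into backup_root/<label>/, write a
    digest manifest for later verification, then apply retention."""
    dest = backup_root / label
    if dest.exists():
        raise FileExistsError(f"snapshot {label} already exists")
    shutil.copytree(source, dest)
    lines = [
        f"{file_digest(p)}  {p.relative_to(dest).as_posix()}"
        for p in sorted(dest.rglob("*")) if p.is_file()
    ]
    (dest / ".manifest").write_text("\n".join(lines) + "\n")
    prune_snapshots(backup_root, keep)
    return dest


def versions_of(backup_root: Path, relpath: str) -> list:
    """(snapshot label, digest) for every retained copy of `relpath`."""
    out = []
    for snap in list_snapshots(backup_root):
        f = snap / relpath
        if f.is_file():
            out.append((snap.name, file_digest(f)))
    return out


def restore_before(backup_root: Path, relpath: str, target: Path,
                   bad_digest: str) -> Optional[str]:
    """Walk snapshots newest-first and restore the latest copy of `relpath`
    whose content differs from the known-bad digest. Returns the label used,
    or None if every retained copy is already the bad version."""
    for snap in reversed(list_snapshots(backup_root)):
        f = snap / relpath
        if f.is_file() and file_digest(f) != bad_digest:
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(f, target)
            return snap.name
    return None


def demo(keep: int = 3) -> dict:
    """End-to-end run in a temp dir: two good versions, one damaged version
    that gets backed up unnoticed, and one more snapshot that pushes the
    oldest copy out of retention. Shows whether recovery is still possible."""
    with tempfile.TemporaryDirectory() as tmp:
        src, root = Path(tmp) / "laptop", Path(tmp) / "backups"
        root.mkdir()
        doc = src / "reports" / "q1.txt"
        doc.parent.mkdir(parents=True)
        doc.write_text("Q1 report, draft 1\n")      # constructed content
        take_snapshot(src, root, "0001", keep)
        doc.write_text("Q1 report, draft 2\n")      # legitimate edit
        take_snapshot(src, root, "0002", keep)
        good_digest = file_digest(doc)
        doc.write_bytes(b"\x00unreadable\xff")       # stands in for a damaged file
        take_snapshot(src, root, "0003", keep)       # damage not yet noticed
        take_snapshot(src, root, "0004", keep)       # retention drops 0001
        retained = [s.name for s in list_snapshots(root)]
        label = restore_before(root, "reports/q1.txt", doc, file_digest(doc))
        return {
            "retained": retained,
            "restored_from": label,
            "recovered": doc.read_bytes(),
            "matches_good": file_digest(doc) == good_digest,
        }


if __name__ == "__main__":
    print(demo())          # recovers draft 2 from snapshot 0002
    print(demo(keep=2))    # too shallow: every retained copy is the damaged one
```

With three retained snapshots the last good copy (label 0002) survives and is restored; with only two, both remaining copies already contain the damaged content and `restore_before` returns `None`. The retention depth therefore has to exceed the time between a file being damaged and the damage being noticed, which is the practical reason behind the article's "multiple versions of every file".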