News, opinions and updates from the Virtuoso team.


News, opinions and updates from the Virtuoso team.

Greg McCallum

Greg McCallum has not set their biography yet

Recent Posts


What, when, why, how, and everything you need to know about the new GDPR

Posted by Greg McCallum in Opinion

What? The General Data Protection Regulation (GDPR) is the new legislation from the European Union which replaces the 1995 Data Protection Directive (DPD).

The DPD consisted of a now-outdated set of laws designed to protect the personal data of UK citizens. The GDPR make data protection rules standard across the board (Europe).

When? The GDPR comes into effect on 25th May 2018, and even though the UK is leaving the EU, the GDPR will take effect before the two-year timeframe of Article 50 meaning businesses will still need to conform to new regulations in the meantime. CTO of Virtuoso, Greg McCallum says, It's essential that your IT systems meet the technical requirements of GDPR before the regulation comes into effect.

Proper data governance is only possible with a well-designed, well-managed infrastructure platform that is both agile and stable. We can help you bridge that gap, saving time and money, to ensure your company can become compliant as soon as possible.

Why? The reason for the new legislation comes from an urgent need to update current regulations in the digital age.

The EU wants to ensure that individuals have more control over how their personal data is being seen, used and stored. Many online companies only allow the use of their services once people have submitted personal information.

The DPD came into play before cloud technology and the internet meant that peoples data could be exploited in different ways.

The GDPR aims to tackle the privacy challenges in the new digital economy by improving the levels of trust amongst its data holders and givers. Also by making the data protection law identical across the single market, the EU aims to give businesses an easier, clearer legal environment in which to operate.

How? The GDPR applies to the ͂Controllers̓ and ͂Processors̓ of data. A controller states how and why the data is processed, and a processor does the actual processing of said data. The new changes will affect all companies who deal with EU data even if the companies themselves are based outside of the EU. Under the GDPR controllers must keep accurate records of consent from individuals in relation to data storage, the format for consent being given changes under the GDPR, individuals must give consent in an active way rather than the passive way under some models (pre-ticked boxes are an example of this). Individuals are free to withdraw their consent at any time.

Companies that currently use passive ways of obtaining consent must ensure their data collection method is updated before the 2018 inception date or else must stop collecting data.

Data controllers must allow for individuals to access their personal data and comply within one month of the request. It is up to the controller to ensure that people can securely review the information a controller holds about them and the processors and controllers must be able to clearly explain how and why their data is stored and processed. People will now also have the right to request their data is deleted if it is no longer necessary, this is now known as the right to be forgotten. This will affect the controllers whose responsibility it will be to inform other organisations to delete any links to copies of the data in question. If a person wants their data to be moved elsewhere the controller must conform to this request within one month. It is each companies responsibility to inform their data protection authority of any data breach that might cause a risk to peoples rights and freedoms within 3 days of the company being aware of the breach. Harsh penalties will be in place for those who fail do comply within the deadline. Data protection authorities can issue penalties of up to €20 million or 4% of your global annual turnover (whichever is greatest) for any company or organisation who fails to comply with the new regulations set out in the GDPR.

Concerns? One of the biggest changes of the GDPR compared to the DPD is that what can be defined as ͂personal data̓ now encompasses IP addresses, economic and cultural information, and even mental health information. Anything that previously counted as personal data under the DPD still stands under GDPR. Data audits must take place to meet GDPR requirements, this may cause issues for some companies as they will have to ensure that they are aware of and have access to a full and accurate list of data-storing assets. Ultimately, the sooner companies conform to the new legislation laid out in the GDPR, the better to avoid heavy penalties and leave themselves open to risk.

Continue Reading
Tags: #Opinion

Keeping Small Businesses Safe: Combating Cybercrime on a SMEs Budget

What happens on the hight street stays on the hight street

When hackers breach the security of corporations it makes headlines, yet there is rarely a mention when cybercrime hits small to medium sized enterprises (SMEs). Very few people are even aware that today’s cybercriminals are targeting SMEs, not just super-sized global businesses.

According to Verizon’s 2013 Data Breach Investigations Report, 71% of the data breaches investigated by the company’s forensic analysis unit targeted small businesses with fewer than 100 employees. Of that group, businesses with less than 10 employees were the most frequently attacked.

Everyone is a victim when it comes to cybercrime

The loss and exposure of confidential data from a cyber attack is costly to both the people victimised and the businesses whose data was compromised.

For the victim, hackers typically retrieve personal information, bank account, credit card and financial data resulting in identity fraud. The stress and time involved to reclaim their identity and get their financial house back in order is beyond measure.

Cypercrime comes at a high price for SMEs

According to research compiled by the Ponemon Institute in their 2nd Annual Cost of Cyber Crime Study, the average cost per breached record in the U.S. is anywhere between $150 to $200 and will of course be similar in the UK. This amount factors in the costs of the investigation and notification process, fixing the issue that led to the breach, possible liability and litigation costs, lost business, and the time and effort that go into damage control. In many cases, a damaged reputation may prove to be irreparable. Nearly two-thirds of victimised companies are out of business within six months of a significant cyber attack, making cybercrime the death knell for many SMEs. This is because the consequences of cybercrime extend well beyond the actual incident and have long-lasting implications.

Small businesses obviously don’t have the same financial footing to rebound and carry on with business as usual in the way organisations like Amazon, Apple, or Citibank can.

Symantec’s research found that customers affected by security breaches are generally less forgiving of smaller businesses, especially smaller online retailers, than larger companies. SMEs are contending not only with lost revenue and expenses, but also the possibility of never regaining the trust of customers, clients and business partners.

Symantec’s 2012 State of Information Survey found that nearly half of all SMEs admitted to a data breach damaging their reputation and driving customers away.

The trend of cybercriminals preying on smaller businesses doesn’t seem to be waning. According to Symantec, the number of cybercrime attacks targeting firms with fewer than 250 employees jumped from 18 percent of all attacks in 2011 to 31 percent in 2012.

Why cybercrminals are zeroing in on small business

Large corporations have the resources to invest heavily in the most sophisticated security strategies and successfully stop most cybercrime attempts. A typical large enterprise may have over twenty in- house IT dedicated employees ensuring that every device connecting to their network is adequately protected.

In comparison, SMEs have neither the money nor the manpower of large enterprises and can’t afford the same level of security. Very few SMEs have full- time IT dedicated personnel on hand to run routine security checks. Even those who do have in-house IT support often find that their internal resources are too bogged down with other tasks to properly address security upkeep.

A joint survey of 1000 SMEs conducted in September of 2013 by McAfee Internet Security and Office Depot further confirms how relaxed many SMEs are when it comes to protecting their data.

Not only have SMEs become easy prey for cybercriminals, but their sheer abundance also makes them an alluring target. In 2013, there were 4.9 million businesses in the UK, over 99% of which were small and medium enterprises. Even in a struggling economy, it’s projected that there are still an estimated 200,000 startups launching every month with only a handful of employees.

SMEs are not "too small to matter"

Since most cybercrimes affecting smaller businesses go unreported by the media, there is no sense of urgency by SMEs to prepare for cyber attacks. Too many SMEs mistakenly view their operations and data as trivial to hackers. They feel that large online retailers, global banks, and government entities are much more attractive targets for hackers.

The goals and methods of cyber attackers are evolving and will continue to evolve. The era of one “big heist” for hackers is over. Cybercriminals today often prefer to infiltrate the data of many small businesses at once, stealing from victims in tiny increments over time so as to not set off an immediate alarm. This method takes advantage of those SMEs who are especially lax with their security processes and may not even realise there has been a security breach for days or sometimes even weeks.

SMEs must end the “It will never happen to us” mindset. For instance, political “hactivists” have been responsible for a number of high-profile Denial-of-Service (DDoS) attacks in recent years. The goal of a hactivist is to disrupt the status quo and wreck havoc on the technology infrastructure of larger corporations and government entities. It’s a form of cyber anarchy: A “stick it to the man” philosophy spearheaded by groups like 4chan, Anonymous, LulzSec, and Anti- Sec.

An owner or Chief Information Officer (CIO) at a SME may read of these high publicised attacks in the press and not think anything of it. They aren’t Sony, Apple, or the Department of Defence, so why would a hactivist target their data? But it’s estimated that there are on average 1.29 DDoS attacks throughout the world every two minutes and such activity is much broader in scope than the press may lead us to believe.

SMEs- The access ramp to bigger & better data

One reason small businesses are more vulnerable is they’re often the inroad to larger better-protected entities. They are often sub-contracted as a vendor, supplier, or service provider to a larger organisation. This makes SMEs an attractive entry point for raiding the data of a larger company. Since larger enterprises have more sophisticated security processes in place to thwart cyber attacks, SMEs often unknowingly become a Trojan horse used by hackers to gain backdoor access to a bigger company’s data. There is malware specifically designed to use a SMEs website as a means to crack the database of a larger business partner.

For this reason, many potential clients or business partners may ask for specifics on how their data will be safeguarded before they sign an agreement. Some may require an independent security audit be conducted. They may also ask SMEs to fill out a legally binding questionnaire pertaining to their security practices.

An SME that is unable to prove they’re on top of their infrastructure’s security will likely lose out on potentially significant deals and business relationships. More large enterprises are being careful to vet any business partners they’re entrusting their data to.

To stay secure a good defence is the best offense

SMEs must understand that the time has come to get serious with their security. Sadly, many small businesses have a false sense of security. In the McAfee/ Office Depot joint survey of 1000 SMEs, over 66% were confident in the security of their data and devices despite admitting to obvious flaws.

Cybercrime is only one cause of compromised data. There are 3 primary causes of breached security at businesses according to the June 2013 Symantec Global Cost of a Data Breach study. Only 37% are attributed to malicious attacks. The remaining 64% are human error and technology errors.

Data breaches aren’t always about bad people doing bad things. Many are the result of good employees making mistakes or of technology failure. SMEs don’t necessarily need a large budget or dozens of employees to adequately protect sensitive data. A secure environment is possible even on a SMEs budget. Here are a few steps to improving data and network security.


Know all devices connection to your network

Keep a frequently updated list of every device that connects to your network. This inventory is especially important given today’s BYOD (Bring-Your-Own-Device) workplace where employees can access your network through several different devices. Knowing what these devices are and ensuring they’re all configured properly will optimise network security.

All it takes is a regularly scheduled review to add or remove any devices and affirm that every end point is secure. Much of this process can be inexpensively automated through a Mobile Device Monitoring (MDM) tool. A MDM tool will approve or quarantine any new device accessing the network, enforce encryption settings if sensitive information is stored on such a device, and remotely locate, lock, and wipe company data from lost or stolen devices.


Educate & train employees

Every employee should participate in regular general awareness security training. This will not only reduce security breaches directly tied to employee error or negligence but also train employees to be on the defence against cybercrime. Employees are critical to your security success and the prevention of data breaches. Hackers commonly break into networks by taking advantage of unknowing employees. Phishing attacks – legitimate looking emails specifically crafted to mislead recipients into clicking a malicious link where they’re asked to provide their username and password - are still successfully used by hackers to capture login credentials.

If a large company makes the news for a data breach tied to an infected email, be sure to share that news with employees with a warning. Come up with fun ways to teach employees how to identify spear-phishing email attempts and better secure their systems and devices.

It is also important to have a security policy written for employees that clearly identifies the best practices for internal and remote workers. For example, password security is critical and passwords should be frequently updated to a combination of numbers, lower case letters and special characters that cannot be easily guessed. Security policy training should be integrated into any new employee orientation. This policy should be updated periodically. More important than anything, this security policy must be enforced to be effective.


Perform an audit of sensitive business information

If you want to keep your most sensitive business information secure, it’s important to know exactly where it’s stored. A detailed quarterly audit is recommended.


Use Cloud and Managed Service Providers

Overall, the cloud is likely a more secure data solution for small business. Any conception that the cloud isn’t safe is outdated. Most of 2013’s security breaches were the result of lost or stolen devices, printed documents falling into the wrong hands, and employee errors leading to unintended disclosures. It’s fair to speculate that many of these breaches wouldn’t have occurred had this information been stored in the cloud rather than computers, laptops, and vulnerable servers. SMEs with limited budgets are actually enhancing their security by moving to the cloud. Since there is no way a SME can match a large enterprise’s internal services, moving services like emails, backups, and collaborative file sharing to the cloud not only reduces total-cost-of- ownership, but gives access to top-level security to better defend against internal and external threats.

Meanwhile, a Managed Service Provider (MSP) can assume responsibility for security measures like the administering of complex security devices, technical controls like firewalls, patching, antivirus software updates, intrusion-detection and log analysis systems.

MSPs are also capable of generating a branded risk report for any potential client or business partner reviewing your security measures. This third- party manual assessment of your network security can instill confidence in prospective business partners by proving to them that any possible security risks or vulnerabilities will be properly managed and addressed.


Continue Reading

The Sky’s the Limit for SMEs Taking to the Cloud

Posted by Greg McCallum in Cloud

There has been a lot of hype about cloud computing transforming the way small-to-medium sized businesses do business. Proponents of the cloud say that cloud computing has levelled the playing field, allowing SMBs to finally compete with bigger companies despite their limited financial resources and staffing.  Still, many are apprehensive to make the jump. They’re hesitant to give up control and they fear the cloud will expose them to greater security risks. Moving to the cloud definitely requires a leap of faith, but a recent ComScore study, completed on behalf of Microsoft, suggests that those who are froggy enough to take the leap (sorry) have no regrets once they do.

In fact, more than half of those surveyed wish they had adopted it earlier and feel that the benefits far outweigh their initial worries.
What are those benefits?

Enhanced Privacy and Security

According to the study, 94 percent of companies who’ve adopted cloud services believe they’re now more secure than they were before, thanks to the cloud’s up-to-date systems and antivirus protection.

Less Downtime and More Confidence

61% of those surveyed reported fewer instances of downtime since their move to the cloud. Even those who still experienced downtime events felt that they were shorter in duration and that full recovery could be achieved much quicker.
93% indicated that they were more confident in their ability to fully recover after an outage. Comparatively, 73% responded that they felt the integrity of their data in the cloud was stronger than previously, which is interesting since data integrity has often been the biggest worry about the cloud.

Environmental Friendliness

Any company striving to be more “green” will appreciate the environmental benefits of moving to the cloud. A recent six-month study conducted by the Berkeley Lab found that moving 86 million U.S. office workers to the cloud resulted in the use of 87% less energy, leaving enough leftover electricity annually to power a city the size of London for twelve months.

Cost Effectiveness

Cost effectiveness and greater ROI (return on investment) are the most important factors in getting CEOs and major decision makers to support shifting to the cloud. A Rackspace commissioned study conducted by Vanson Bourne, found that 62% of respondents felt that adopting cloud computing strategies freed up money that could be reinvested in other operations like marketing, customer service, product development, and expansion into new markets.

While there is a competitive advantage that can be realized by moving to the cloud, those who are still apprehensive should migrate to the cloud at a pace they’re comfortable with. Once they implement cloud monitoring, and understand it a bit more, most SMEs grow more comfortable with the cloud and expand their use of it.

Continue Reading
Tags: #Cloud

Enquire now