My main client has, in the process of renewing our preferred supplier contract, decided to go online and copy-paste a fuck ton of cybersecurity bits and pieces from all over the place and throw them into the appendix of the contract, expecting us to meet these.
Anyone got any experience of how to respond as a small business, and of some of the practical things needed for compliance beyond writing a policy etc.?
Apart from a whole bunch of other stuff they've thrown in about security cameras to monitor access to business premises etc., the substantive things appear to be about encryption of stored and transmitted client data, and use of a Data Loss Prevention solution ( ) etc.
Grateful for advice from anyone who's had to sort this kind of thing before.
Cyber is the great buzzword at the moment.
For CCTV you/they need to be considering GDPR, as the recordings are personally identifiable data (the ICO has good info on GDPR).
For cyber, the best approach is to get yourself certified for "Cyber Essentials"; it's cheap, accepted in industry and will highlight anything you need to address, as well as giving you an understanding of what the requirements look like and what the industry approach is.
There's loads of stuff on the NCSC site around Cyber Essentials, and it's not as horrible as it looks.
PS: don't go for "Cyber Essentials Plus"; it's a massive leap from basic to Plus, and we're going through the audit at the moment (aaaggghhhh!!!)
It is - tell me about it!!! Along with Data Science…
DLP can be turned on in 365, I believe. It senses card details and other sensitive information in emails and the like. There are definitely other products that do it too.
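To show what "senses card details in emails" actually amounts to, here is an added, stand-alone example of the core check a DLP rule performs: it is not Microsoft 365's DLP code or any vendor's product, and the email messages it scans are constructed for the example. It pulls candidate 13-19 digit sequences out of a message body, discards anything that fails the Luhn checksum (which is why a random order reference or phone number does not trigger it), and reports only a masked form of any real-looking card number so the alert itself does not leak the data.

```python
import re

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
# The \b anchors stop the pattern from matching a slice out of a longer digit run.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, as used by payment card numbers.

    Every second digit from the right is doubled (subtracting 9 if the
    result is two digits); the number is valid if the total is a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so an alert never carries the full PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(text: str) -> list[str]:
    """Return masked card numbers found in `text` (regex match + Luhn check)."""
    hits = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def scan_messages(messages: list[dict]) -> dict[str, list[str]]:
    """Map each message subject to its masked hits; messages with no hits are omitted."""
    flagged = {}
    for msg in messages:
        hits = find_card_numbers(msg["body"])
        if hits:
            flagged[msg["subject"]] = hits
    return flagged


# Constructed sample messages (not real correspondence). The card numbers are
# well-known industry test numbers, not live cards.
SAMPLE_MESSAGES = [
    {
        "subject": "Re: invoice INV-20230915",
        "body": "Hi, please pay against INV-20230915. Call me on 0207 946 0958 if unclear.",
    },
    {
        "subject": "Card details for the booking",
        "body": "Use card 4111 1111 1111 1111 exp 12/26 for the deposit, thanks.",
    },
    {
        "subject": "Order reference",
        "body": "Your reference is 1234-5678-9012-3456, quote it on the delivery note.",
    },
    {
        "subject": "Two cards",
        "body": "Old card 4012888888881881 is cancelled; new one is 4111-1111-1111-1111.",
    },
]


if __name__ == "__main__":
    for subject, hits in scan_messages(SAMPLE_MESSAGES).items():
        print(f"BLOCK  {subject!r}: {', '.join(hits)}")
```

The third message looks like a card number to a naive regex but fails the Luhn check, so it passes; a real DLP policy adds more rules around this (keyword proximity such as "exp" or "CVV", hit counts per message, and exceptions for approved senders), which is where the whitelisting requests in the thread come in.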
Absolute pain in the arse.
Every time any external supplier sends me a spreadsheet, it gets blocked by Mimecast (works with Outlook in 365) and I am having to send release requests to IT.
I have asked them to 'whitelist' certain email addresses, but it never happens.
Where we already have an SFTP set up for data transfer, I get every file sent that way, as it is less hassle than email.