Our fifth interview with Andy Larkum deals with the issues relating to GDPR and Cyber Security. You can engage with Andy on LinkedIn or Twitter. Andy is a director at ADL Consulting.
Taking A Look At Cyber Security
Andy, thank you very much for agreeing to participate on the CMM platform. I realise that GDPR [General Data Protection Regulation] and Cyber Security are hot topics at the moment. I would like to try and understand how these subjects fit into the Construction world.
CMM: Let’s start by telling us a little bit about yourself, family life and your role at ADL Consulting.
ANDY: I’m the husband of 1 wife, and dad of 9 (yup, 9) kids. I have 7 daughters and 2 sons, ranging in age from 18 years to 18 months. We home educate our kids, and could really do with more sleep. I set up ADL Consulting nearly 14 years ago. Until recently it’s been very much a lifestyle business serving our (unusual?) family life. More recently I’ve been restructuring the business to be more self-sustaining and to allow it to grow beyond me.
CMM: Andy what motivated you to pursue a career within Cyber Security?
ANDY: ADL Consulting started life developing high-performance websites in Drupal. We still manage, maintain and host a number of websites, but this is less the focus for the business now. We became aware that we were quite unusual among our website developing peers in that we always had an eye towards security. I took a sabbatical back in 2014 to help a friend build his business in the Cyber Security arena and rather fell in love with the subject. Since returning full time to ADL in 2017, I’ve entirely refocussed the business around ISO 27001 (the international Information Security standard), GDPR and Cyber Essentials (the UK Government’s benchmark for entry-level security).
CMM: Can you give us a basic understanding of what GDPR entails for the small Construction company? It seems so complex and there has been a lot of mixed messages coming through.
ANDY: GDPR is all about people data. If your business holds data about people, then GDPR will apply. As most businesses usually have staff, and/or clients, then there is a good chance that GDPR applies!
As a very rough overview, for data you hold about people you need to be able to tell me:
- What data you hold
- Where you hold it
- Why you have it
- Where you got it from
- When you will get rid of it
Once you can answer those questions, you need to think about how you are securing it. As a basic rule: “Do to others as you would have them do to you”. If the business was holding your personal data, and something happened to it, would you:
- Be satisfied that they had tried hard enough to look after it
- Accept that they had taken necessary precautions
- Not want to sue them for negligence!
…then you are probably OK. As a minimum, I would suggest that a business should have met the requirements of the Cyber Essentials scheme. If they haven’t, I’m not sure I’d be happy with their answers to the questions above.
CMM: What are some of the typical questions that you are asked at a GDPR Training event?
ANDY:
Q: Is this something I need to care about?
A: Yes. Yes, it is.
Q: We think we’re 100% GDPR compliant
A: Then you haven’t understood compliance. GDPR is a journey, not a destination. Every time something changes so does your picture of compliance.
Q: Will anyone care if we’re not GDPR compliant?
A: That depends on your size. If you’re tendering for work, then increasingly there will be a demand to demonstrate how you are complying with GDPR and basic cybersecurity principles. It’s a drop-down approach – if you’re secure, the weak link is someone else, so you want to eradicate the weak links.
Q: Are we likely to be fined 4% of our global annual turnover, or £17m?
A: No, probably not. You would have to negligently lose a significant amount of very sensitive data, and be a big enough business for those to apply. That said, you might be fined if you are found to be negligent, regardless of how much of what type of data you lose.
Q: Where do I start?
A: Start by figuring out the answers to the questions given above. It’s often helpful to bring in someone from outside the business (like me!) to help you with this, as they don’t know your business, so will ask the stupid questions that reveal things you wouldn’t normally think of. Once you know what you’ve got, think about where it goes, and how you’re going to protect it.
Q: What’s it going to cost?
A: That’s always impossible to answer. Every business is unique, and it will depend on the answers to the questions already presented above. I also think that whilst it’s the right business question, it’s being asked the wrong way around. Instead of what it will cost, you should be asking what it’s likely to cost you if you don’t do it right. For example, if you lost all of your data tonight, everything, what would that cost the business in terms of time, money, loss of revenue etc. (consider financial records, receipts, blueprints, customer details, staff records) to get up and running again?
CMM: In your opinion where are small businesses most vulnerable?
ANDY: Ignorance and/or busy-ness. If you don’t know what to do and you’re busy, you don’t have time to work it out. This means you either don’t do it, or you do it badly – both of which leave you exposed. The bigger risk is not the fine from a GDPR issue, but a direct loss resulting from some kind of cyber-related incident, be it fraud, ransomware, or failure. Those are all hard to recover from, but most of them are actually quite easy to avoid in the first place.
CMM: GDPR and Cybersecurity procedures generate a lot of sighing and they could be viewed as boring and unnecessary. Is there anything you could suggest to make the process of implementation more enjoyable?
ANDY: Get me involved! Seriously though, find someone who can help you with this stuff, actually enjoys it and is willing to help you understand it too. Most of my clients admit to having genuinely enjoyed the process – honestly! Also, remember that Cyber Security goes beyond your business. Given that most incidents are actually caused by automated attacks or personal failures (i.e. someone initiated something by mistake), your personal life is just as at risk as your business. You almost certainly have broadband at home, use online banking, email etc. Take what you learn in the business and apply the same principles at home.
CMM: On another note Andy your work must be quite stressful. What relaxing activities keep you sane?
ANDY: Not sure I understand the term “relaxing activities”? Outside work is very busy with family life – they’re all pretty awesome and there’s so much going on that it’s not difficult to park work until I’m ready to start again.
CMM: Thank you so much, Andy, for taking the time to share with us. If you need further clarity about either of these issues or you want to arrange a training event, please contact Andy directly on social media.