Sean Huggett, Evalian: "security culture is hard to maintain when people are scattered and working in their own homes"
Since the pandemic hit, almost all enterprises have come to treat cybersecurity as a critical concern. Employees switching to remote working have created new security gaps that increase the risk of successful cyberattacks, so companies must now protect their data more than ever.
Securing a business network at an office is relatively easy, yet ensuring cybersecurity best practices becomes challenging when employees are working from home. While people use security tools such as VPNs to protect sensitive information, these alone are often not enough to combat sophisticated attack techniques.
Today, we asked Sean Huggett, the Director of Evalian – a company that offers data protection services – to explain the most effective ways to protect company data, comply with existing regulations, and reduce the risks associated with data breaches.
How did Evalian originate? What has your journey been like so far?
My wife and I founded Evalian back in 2018. I originally qualified as a lawyer working in areas including data protection before moving into information security later in my career. When we started the business, we aimed to provide real-world, risk-based data protection and security advice for organizations that were being sold services based on fear of massive fines and regulatory penalties.
We were very much a spare room start-up back then, with me working in whatever room of the house was available and winning business based on networking and referrals. Since then, we have grown quickly.
Now, we have 33 employees working from our office and remotely. They specialize in data protection, cybersecurity, penetration testing, and ISO 27001 certification consultancy. Like everyone, we were unsure what impact the pandemic would have on our business, but we continued to grow as organizations recognized that cybersecurity and data protection compliance remained critical.
In 2020, we were certified to ISO 27001 and ISO 9001. In 2021, we were certified Cyber Essentials Plus and became CREST accredited for penetration testing services. This year, we launched new cybersecurity services focusing on supply chain security assurance, incident response planning and exercising, and cloud security configuration. We are also developing a suite of secure web applications to support the delivery of our consultancy services.
Can you introduce us to what you do? What are the main issues you help solve?
Our four consultancy practices cover the following:
- data protection compliance and outsourced DPO services
- cybersecurity consultancy
- penetration testing
- ISO certification consultancy
We help clients to understand and improve security management and data protection compliance, based on risk management and assurance. We're not a technology reseller, but we are tech-savvy. We can help clients understand their security and data protection issues and prioritize them for remediation based on their business objectives and obligations.
Our clients range from start-ups to multinational organizations. We work across numerous industry sectors: healthcare, financial services, travel, hospitality, marketing, education, construction, property management, technology, software development, Software-as-a-Service (SaaS), local government and legal services, critical infrastructure, and other sectors.
Our team includes lawyers, information assurance practitioners, cybersecurity specialists, penetration testers, compliance specialists, business continuity practitioners, and auditors. As such, we provide a complementary set of skills for clients, and it's increasingly common that we start working with a client to help with one challenge before being invited to assist with others.
You state that there is no "one size fits all" approach to privacy and security. Would you like to share more about your vision?
Clearly, every business and organization is different. Whilst our core skills and experience are transferable between them, our starting point is to always understand more about the client, including the following:
- Nature of their business
- Clients they work with
- Expectations for security and privacy
- Countries they operate in
- Current and future IT plans
- Business objectives for the current and future years
In working through these aspects, we start to get a feel for their in-house skills and capabilities, their tolerance for risk, and the types of threats they are likely to face. Some clients have apparent objectives at the start of an engagement, whereas others know they need to improve but are unsure what that means.
Understanding the context at the outset helps us scope and deliver an engagement that meets the clients' needs rather than providing a service for the sake of a service. This sounds like something every organization like ours should do, but we see a lot of cookie-cutter services delivered with recommendations that don't make sense in the context of the client's business.
It seems like the pandemic put the global cybersecurity industry to the test. What would you consider the main challenges that emerged?
Organizations have been talking about digital transformation for years, but the pandemic accelerated it with remote working. This shift has seen new suppliers onboarded quickly, many more SaaS solutions being adopted, and people working in their own homes.
Some of the challenges we have seen have been entirely understandable given the pace of change, and organizations are now busy catching up where they can. A security culture is hard to maintain when people are scattered and working in their own homes, so security awareness remains critical.
Supply chain security has become ever more critical. We've seen several high-profile supplier security breaches over the last year but, even at a more basic level, organizations need to verify that their suppliers are not a soft underbelly in their own security posture. With new SaaS tools adopted quickly, a secure configuration may have been missed, and we are increasingly helping organizations define and implement security standards for SaaS tools.
Finally, incident response planning and exercising remain critical. As organizations become more digital, they will suffer a breach. Preparing a plan and supporting documentation is important but exercising the plan through multiple scenarios – from data shared in error to a ransomware attack – helps organizations understand how they can be more resilient to attacks.
What data privacy issues would you like to see resolved in the next few years?
The data protection space is a continually evolving one, and there are many issues that we could list here, but there are two important ones that spring to mind.
The first one is the international transfer regime for sharing personal data from the UK/EEA to third countries. The fallout from the Schrems II decision by the CJEU is being felt by organizations everywhere as they struggle to understand what is required around contracts and risk assessments and how to manage compliance.
Against that backdrop, new standard contractual clauses were issued for EU controllers, and post-Brexit, the ICO has issued its own IDTA. We await news of the latest transfer mechanism between the EU and the US whilst also awaiting news on the proposed adequacy arrangements between the UK and other countries, including the US, and what those will mean for UK adequacy.
We privacy practitioners get wrapped up in this stuff, but clients don't understand it or want to understand it when they can sign up for cheap, highly functional SaaS services provided by organizations in the US.
Secondly, the UK government plans to change its data protection regime following Brexit. What this means remains to be seen, but the messaging feels quite political in many ways. For organizations selling into the EU, it feels like it will add complexity as there will be two regimes to navigate.
What would you consider the biggest mistakes companies make when it comes to handling large amounts of data?
I would consider the following as the biggest mistakes a company might make:
- Not understanding what data it has
- Where that data is
- Who has access to the information
- Why they have access to the data
This ultimately comes down to accountability. Someone needs to own the different categories of data and be accountable for ensuring it is managed and secured appropriately. They don't have to be experts on security or compliance. Instead, they need to ensure that the specialists in these areas have been consulted, that risks and opportunities have been identified, and that these are being managed.
What threats can arise if compliance audits and other checkups are not conducted regularly?
In line with the previous answer, it can lead to a lack of accountability. Audits for the sake of auditing are never a good thing, but a proportionate assurance program should increase accountability and identify opportunities for security and data protection improvement.
Talking about individual users, what personal security tools do you see trending in the next few years?
Trending feels like the wrong word for well-established tools like password managers and multi-factor authentication. Still, consumers are increasingly going to have to adopt both to manage the proliferation of personal online accounts we are all building. At least I hope they do!
Share with us, what's next for evalian®?
We have an exciting time ahead as we are set to launch our new supply chain security software, SupplyIQ. It will support organizations in ensuring they have a secure supply chain. We have built the platform in-house with our development team, and we are delighted that we can now offer this as part of our supply chain security service packages. It will be a huge step forward in terms of enabling our clients to take control and have visibility over possible vulnerabilities in their third-party supply chain.
We are continuing to grow our team with more skilled SMEs across all our areas of expertise. We have just launched our new paralegal apprenticeship scheme this month and are happy to welcome a young, keen workforce and support them in taking the first step in their career.
Not only that, as restrictions ease, we are looking forward to attending more in-person events to network and to continuing to build on our existing relationships with our clients by offering our support across other critical areas, such as cyber incident response preparation, planning and exercises, as well as cloud-based security.