SRM Blog

GDPR: a question of confidence

In a recent interview with SC Media, Amazon Web Services (AWS) Chief Information Security Officer (CISO) Stephen Schmidt explains how his organisation is set up for full General Data Protection Regulation (GDPR) compliance. Schmidt says not only that the 72-hour breach notification requirement holds no fears for Amazon, but that all the other requirements of GDPR are well in hand. Yet, in the run-up to 25th May 2018, few other organisations can claim such self-belief. So how can they achieve similar levels of confidence?

In short, professional CISO support provides expert guidance on building GDPR compliance into an organisation's systems in the most cost-effective and robust manner. The first step is to know your environment: scope what personal data you hold, where it is stored and who can access it. Without that inventory it is impossible to determine what needs to be done and where. SRM offers both strategic-level CISO support and a Virtual CISO (vCISO) service for smaller organisations unable to employ a resident CISO.

So, as the implementation of the General Data Protection Regulation draws closer and organisations across the UK consider their state of preparedness, it is perhaps worth considering why Stephen Schmidt is so confident that his company is ready.

A former FBI intelligence analyst, Schmidt is unusual in more than his confidence. Firstly, he has held the CISO post at AWS for over ten years which, considering the average CISO stays in post for only 2.2 years, is remarkable in itself. Secondly, he considers it a 'wonderful job'; not the view expressed by many resident CISOs, who feel acute stress knowing that when it comes to security and compliance the buck really does stop with them. The fact is, however, that resident CISOs of this calibre are hard to find and expensive to retain.

The full SC Media interview with Stephen Schmidt is worth reading. In summary, however, he makes (among many others) the following points:

  • ‘We comply with the law in every jurisdiction in which we operate… Unlike some other folks, we don’t have to bolt privacy controls onto our services afterwards – they’re built from the beginning. Which means it’s much easier for us to be compliant with things like GDPR.’
  • ‘The guiding principle here is, our customers own their data. It’s something that we give them a lot of tools on how to protect. It’s an area where we give them a lot of opportunity to encrypt, appropriately, and control their own encryption keys if they wish, and it’s up to the customer then to choose “How do I want to manage my privacy?” and “how do I want to manage access to information?”’
  • ‘We do the same things that anybody else should be doing, that is, know your environment intimately, monitor it thoroughly, alarm when things exceed your normalcy thresholds, and most importantly, have a very narrowly confined long term blast radius so that if something does go wrong it can find the critical error.’

What can be learned from this? Firstly, that GDPR compliance goes far deeper than a tick-box exercise: it rests on knowing your environment, monitoring it, alerting on abnormal activity and limiting the blast radius of any single failure. Secondly, that unless you have experience of Mr Schmidt's calibre in-house, it is advisable to seek professional CISO support.

SRM is at the forefront of information security in the UK. As a cyber security supplier to HM Government, we understand large organisations, but our clients also include corporates, charities and SMEs. Our GDPR team provides expert guidance and is also able to scope a client's systems for weaknesses and vulnerabilities through bespoke penetration testing, assist with accurate data mapping and provide a range of additional services developed to support CISOs and DPOs at various levels, from GDPR compliance to disaster recovery.

If you would like to find out more about gaining GDPR confidence, contact Mark Nordstrom at mark.nordstrom@srm-solutions.com or phone 03450 21 21 51.

Visit our website:

https://www.srm-solutions.com/services/gdpr-general-data-protection-regulation/

Or read our blog:

UK research highlights the lack of Chief Data Officers at C-Suite level

After GDPR, what will happen to ICO notification fees?

How a CISO can exert influence at board level


Gibson & Co launches eDiscovery service

(Left to right: Mark Nordstrom (SRM), Jane Gibson, James Hopper (SRM), Toby Gibson, Tom Fairfax (SRM), Alan Batey (SRM))

(Press release 11/01/18)

Leading North East litigation practice Gibson & Co. has invested in a world-class eDiscovery service to support client litigation cases. By partnering with Gosforth-based Security Risk Management (SRM) Ltd, Gibson & Co. gains access to its own Relativity platform, the market-leading eDiscovery solution, coupled with the technical and forensic expertise of a highly regarded and established eDiscovery provider.

A vital tool in the management of electronically stored information (ESI) as evidence in litigation, eDiscovery is the process of sifting, sorting, reducing and redacting data for legal review in a way that meets the ultimate test of court acceptance.

Tom Fairfax, Managing Director of SRM, says: ‘Gibsons wanted to go further than simply buying into an eDiscovery platform; they wanted to be able to provide their clients with an exceptional service experience from the outset. By working in partnership with SRM they are able to provide a cost-effective and fully managed process which optimises the best available technology while also using the forensic skills of an expert team. In this way, the initial stages which usually take several weeks are completed in just a few hours.’

Toby Gibson, partner at Gibson & Co. says: ‘We face two important and related challenges to our litigation practice. The first is costs pressure from clients. The second is how to make best use of the available technology. Our cases often involve the management of a large volume of data and we need to store, review and use that data as efficiently as possible. In SRM we have found a partner that has been able to provide a bespoke product to meet that technology challenge. We are convinced that we have an excellent collaboration tool in Relativity which will be of potential benefit to all of our clients. This partnership will make us more efficient via the inherent collaboration benefits while keeping costs down. We are delighted to have teamed up with SRM.’

The SRM eDiscovery team is made up of forensic professionals drawn from law enforcement, government agencies and the military, with over 60 years' combined eDiscovery experience. SRM has conducted thousands of successful eDiscovery projects since the company was established in 2002. Gibson & Co. is ranked highly by the Legal 500 as an 'incredibly well-regarded' litigation team. In 2018, Chambers & Partners awarded both Toby and Jane Gibson 'Top Ranked' lawyer status for the seventh year running.


The global growth of the eDiscovery market

The global eDiscovery market is forecast to grow from $6 billion in 2016 to $13 billion by 2023. Law firms across the world are therefore increasingly looking to develop their eDiscovery services to retain their competitive edge and to provide a valuable service that wins and retains clients.

The 'Global eDiscovery Market Analysis and Forecast to 2023' by Research and Markets attributes this growth to several factors: the rise in electronically stored information (ESI) and in the number of litigation cases; the continuous drive to bring down the operating costs of legal departments; the need to comply with rules and regulations; and the increased usage of mobile devices.

Although North America accounted for 65 per cent of global eDiscovery revenue in 2016, other regions are predicted to grow faster in the coming years. In the UK, eDiscovery is comparatively well developed, with many law firms now working with established eDiscovery providers to deliver a seamless, professional and cost-effective service to their clients.

This trend is due largely to the significant cost of purchasing an eDiscovery platform and the substantial technological and forensic resource required to deliver the service in-house. A managed eDiscovery service combines the technical skills and experience of a specialist team working in partnership with the legal team. In addition to providing the tools required to discover relevant ESI, a full eDiscovery managed service provides the expertise to run every element of the process: case management, all pre-processing, searching and filtering data for relevance, the redaction of files and the reduction of the sheer volume of data to a set that meets the ultimate test of court acceptance.

SRM first began developing its eDiscovery service in 2002 and its team includes experts drawn from law enforcement, government agencies and the military, with over 60 years' combined experience. The team has delivered thousands of cases supporting law firms, government agencies and commercial organisations in the accurate production of case papers and reports to be tendered in court. Through SRM's managed service, law firms benefit from working with this reputable team while also having affordable access to Relativity, the market-leading eDiscovery review and collaboration platform.

For a free demonstration and introduction to the SRM eDiscovery Managed Service please contact Mark Nordstrom at SRM: mark.nordstrom@srm-solutions.com or telephone 03450 21 21 51.

See our website: eDiscovery


Or visit our blog:

eDiscovery: the issues facing law firms and solicitors

eDiscovery and eDisclosure: why, what, how and who?


Shipping news: how to manage a ransomware attack

Disproving the idea that there is no such thing as bad publicity, the shipping company Clarksons is doing its level best to limit the PR damage caused by a recent ransomware attack. So far it has done an admirable job, demonstrating that transparency is key in the early days of a breach.

Firstly, the world's largest ship broker has admitted that the breach has taken place and that stolen data is expected to be released. Secondly, the company has clearly set out the steps it is taking to minimise the potential damage. It has announced that it took immediate steps to manage the incident and is working with specialist police and data security experts. The initial investigation has shown that unauthorised access was gained via a single, isolated user account, which has now been disabled.

At the moment the exact extent of the data stolen is unknown but, since the company has refused to pay a ransom to the criminal who attacked its computer systems, a large-scale leak of private data is to be expected.

In the short term, the company has been hit by the announcement: shares in Clarksons fell by more than 2 per cent, despite the company's insistence that the attack would not affect its ability to do business. In the longer term, however, its diligent and principled stance should stand it in good stead. Hiding a breach from the media and, even more importantly, from those who have potentially been affected, is far more damaging in the long run. Consider Uber's recent exposure for having tried to cover up a large-scale breach.

Issues of cybersecurity are now at the forefront of most board agendas. The imminent application of the EU General Data Protection Regulation (GDPR) from May 2018 is bringing the issue into even sharper focus. Under the terms of GDPR and the proposed UK Data Protection Bill, fines will be significantly higher if an organisation is considered to have been negligent in the event of a breach. Investment in providing support and resource to Chief Information Security Officers (CISOs) and Data Protection Officers (DPOs) is now considered cost-effective.

Yet in today’s digital and commercial landscape even the best-resourced companies will be prey to this type of criminal attack. The most important thing is to recognise this probability and ensure that a proactive approach is taken to both defence and, in the event of an attack, incident response.

A robust defence will include an expert scoping of the system which identifies gaps in compliance and security. This is likely to include advanced penetration testing as well as retained forensics. Having a cyber security specialist involved in the correct mapping and identification of data means that, in the event of an attack, they already know where the sensitive data lives and have the capability to contain and mitigate the incident swiftly. As the Clarksons incident demonstrates, the ability to deploy an immediate response, including identifying and disabling the compromised account, is an important element of damage limitation.

For more information:

Retained forensics

GDPR

Disaster recovery

Or see some of our blogs:

What is Red Team engagement?

It’s not a question of if, but when

US statistics warn of new trends in cybercrime: how retained PFI can mitigate the risks

What is the password?

By Gerard Thompson, Information Security Consultant

With over 3,500 MPs, lords and staff, being a computer security administrator in the Houses of Parliament must be a stressful job. They have a lot to think about. There is the possibility of state-sponsored brute-force attacks, much like the one that compromised up to 90 parliamentary email accounts in June 2017. There are also other, more delicate issues to be negotiated; such as the fact that there were 113,208 attempts to access pornographic material within Westminster in 2016 alone. Yet one of the most alarming revelations from the Houses of Parliament this month has been the admission by a number of MPs that their passwords are far from secure.

Admittedly, the social media admissions by MPs that they shared login details with staff were posted to help defend Damian Green, who has recently been accused of accessing thousands of pornographic images on his House of Commons computer back in 2008. They wanted to make the point that it might not have been him, given that others might have had his password. Yet, for information security professionals, these admissions were probably more shocking than the news story they were attempting to deflect.

One MP tweeted: ‘My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Green’s desk was accessed and therefore it was Green is utterly preposterous!!’

The same MP went further that afternoon: ‘All my staff have my login details. A frequent shout when I manage to sit at my desk myself is, ‘what is the password?’’

Unsurprisingly, cybersecurity professionals on Twitter have been shocked by such admissions, with many pointing out that they demonstrate a severe lack of privacy and security understanding within Westminster. To the consternation of the information security industry, however, other MPs proceeded to jump in, tweeting their own confessions. One such tweet said: ‘I often forget my password and have to ask my staff what it is.’

Another tweeted: ‘Less login sharing and more that I leave my machine unlocked so they can use it if needs be.’

With these admissions, it might be assumed that the House of Commons does not have an information security policy. Of course it does. The House of Commons Staff Handbook has a dedicated section on Information Security Responsibilities, and the House of Commons advice for Members and their staff specifically states that MPs should not share passwords. It is therefore a question of awareness and training rather than policy. The MPs' own defence illustrates exactly why the policy exists: once a password is shared, or a machine left unlocked, an audit log can no longer attribute an action to a person, so the account owner can neither be held responsible for misuse nor cleared of it. A large share of breaches involve user error of this kind, so Westminster staff need to be reminded of their responsibilities.
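One practical check an administrator can run is to look for the pattern the MPs describe: a single account authenticating from several different workstations in a short space of time. The script below is an added example written for this page, not code from SRM or from Parliament's IT team; the log format and every log line in it are constructed for illustration, and the one-hour window and one-workstation limit are assumptions to be tuned for a real estate.

```python
"""Flag accounts whose successful logins come from more than one workstation
within a short sliding window, a signature of shared credentials or of a
machine habitually left unlocked for others to use.

Added example: the log format and SAMPLE_LOG below are constructed for this
illustration, not taken from any real system."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: ISO timestamp, account, workstation, outcome.
SAMPLE_LOG = """\
2017-12-04T08:55:12 mp.smith WS-MP-101 success
2017-12-04T09:02:40 mp.smith WS-INTERN-07 success
2017-12-04T09:15:03 mp.smith WS-STAFF-22 success
2017-12-04T09:20:11 staff.jones WS-STAFF-22 success
2017-12-04T11:45:59 staff.jones WS-STAFF-22 success
2017-12-04T13:01:30 mp.smith WS-MP-101 success
2017-12-04T14:30:00 mp.brown WS-MP-202 failure
2017-12-04T14:30:05 mp.brown WS-MP-202 success
"""

WINDOW = timedelta(hours=1)   # assumed: how close together logins must be
MAX_HOSTS = 1                 # assumed: one person uses one workstation at a time


def parse_log(text):
    """Parse the constructed format into (timestamp, user, host, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, result = line.split()
        events.append((datetime.fromisoformat(ts), user, host, result))
    return sorted(events)


def shared_account_alerts(events, window=WINDOW, max_hosts=MAX_HOSTS):
    """Return {user: sorted list of workstations} for every account that was used
    from more than `max_hosts` distinct workstations inside any `window`-long span.

    Failed logins are ignored: a wrong password from a second machine is a
    different signal (brute force) and is not evidence of credential sharing."""
    by_user = defaultdict(list)
    for ts, user, host, result in events:
        if result == "success":
            by_user[user].append((ts, host))

    alerts = {}
    for user, logins in by_user.items():
        logins.sort()
        start = 0
        for end in range(len(logins)):
            # Slide the window start forward until it is within `window` of the newest login.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            hosts = {host for _, host in logins[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts.setdefault(user, set()).update(hosts)
    return {user: sorted(hosts) for user, hosts in alerts.items()}


if __name__ == "__main__":
    for user, hosts in shared_account_alerts(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {user} used from {len(hosts)} workstations within {WINDOW}: {', '.join(hosts)}")
```

On the sample data only mp.smith is flagged (three workstations inside twenty minutes); staff.jones and mp.brown each stay on one machine. The heuristic will also fire on legitimate hot-desking, so treat it as a prompt for a conversation with the account owner rather than proof of misconduct, and pair it with the controls that remove the temptation to share in the first place: delegated mailbox and calendar access for staff, short screen-lock timeouts and a separate account for every intern.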

Other government departments are exemplary in their information security procedures, providing best-practice examples of how it should be done. With GDPR and the UK Data Protection Bill soon to take effect, making the responsibilities of data holders even more stringent, the Houses of Parliament should also lead the way in demonstrating a robust stance on data protection.

SRM provides a complete range of information security services, from GDPR compliance to advanced penetration testing; from its Virtual CISO service to full blown Incident Response. To find out more, for a no-obligation discussion contact mark.nordstrom@srm-solutions.com or call 03450 21 21 51.
