New Government Initiative: Cyber Essentials

Cyber Essentials is a Government initiative to protect us all from cyber crime.

The five basic elements are:

  1. Boundary Firewalls and Internet Gateways.
  2. Secure Configuration.
  3. Access Control.
  4. Malware Protection.
  5. Patch Management.

It is not really new in that it was launched in June, but the new feature is that from tomorrow, 1st October, it will be compulsory to demonstrate compliance with the guidelines if you want to do business with Central or Local Government.  Other bodies may also be following this example.  Anyway, it is worth complying so as to protect your business.  Perhaps you comply but cannot demonstrate it.  In any case if you want to know more Google “cyber essentials” or go to or  or contact me on 01925 445215 or e-mail



More words I hate to hear.

I have written not long ago about certain phrases I hate to hear:

  • There’s nothing I can do about it.
  • It couldn’t happen here.
  • I can’t afford it.

Well here’s another one in popular use:

“Statistics prove…”

In reality, statistics only very rarely prove anything.  There is almost always room for doubt or for a different interpretation of the facts and/or figures.

What would be more appropriate in most cases would be:

  • “Statistics indicate…”
  • “Statistics show…”
  • “This view is supported by statistics.”

Now, I do not mean to be too pedantic, but words do have meanings.  Proof means something very specific in Law or in Science and it should not be watered down or else people will not take you seriously when you really do have proof of something.

I fully agree with George Orwell, who, in his book  “1984” shows how a totalitarian state would want to devalue words to reduce their power to criticise or seriously debate issues the authorities want to keep muddled.

For more on the misuse of statistics see my book How to Avoid Being Misled by Statistics or go to





The West Lothian Question

Am I the only one who thinks this issue is being blown up out of proportion?

So Scottish MPs can vote on matters affecting only England and/or Wales.  Does it matter?  Is there any evidence anyone is worse off because of it?  Surely MPs are elected not only to serve their constituencies, but also to play a part in the governing of the UK as a whole.

If we are to limit the powers of Scottish MPs because of some kind of fear they cannot act fairly or have no right to do so, when dealing with English/Welsh issues, we are on a slippery slope.  What about limiting the right of Birmingham’s MPs to legislate on fisheries policy?  Or those with rural constituencies from voting on urban regeneration?  Does anyone not remember the arguments over foxhunting, when the Countryside Alliance tried to argued that we townies had no right to interfere in things we did not understand, i.e. rural pursuits? And what right have MSPs from Glasgow or Dundee got when it comes to matters only affecting the Highlands and especially the Islands?

Nothing I have said contradicts the case for more devolution in England, nor addresses the concern that many people in the North of England have about being governed by the Conservatives when Tory voters are an endangered species in many places, but focusing on the Midlothian Question is a distraction from the real issues.


Data Protection FAQs

I said in a recent blog I had added two new pages to my website and put a copy of the one on Risk Management on the blog.  Well here is the second one, on Data Protection.

As before, if you have another question please let me know either as a comment on the blog or by e-mail to


  1. Who is Responsible for Data Protection AND can you transfer this responsibility?
  • A lot of people still seem to think that Data Protection is a matter for their IT manager. In fact the buck really does stop with the man, or woman, at the top.  There may be disciplinary repercussions for the IT manager or whoever else caused the breach, but the primary responsibility lies with the business owner.
  • Similarly, a lot of people think that if they outsource IT services or even payroll, accountancy, or other services, the responsibility for the data involved will transfer to the business providing the service.
  • This is all untrue. The Act places all the responsibility on the business whose data it was in the first place, defined as the “Data Controller”.  The other business is defined as the “Data Processor”.  Changes are being introduced currently which will allow the authorities to fine the Data Processor as well, but they will not remove the burden from the Data Controller.
  • If you have written your contracts carefully enough, you may be able to obtain some compensation from the business actually responsible for the data breach, but that will probably be after you have been prosecuted and fined.
  1. Do I Offer IT Solutions When I Offer Data Protection Services?

I do not.  I would like you to think about the following points.

  • In a recent survey IBM found that 40% of data breaches were caused by human error and that another 35% were caused maliciously, leaving IT issues a poor third.
  • Having great IT security does not stop people leaving laptops on trains or printouts on photocopiers, just as great physical security is ineffective if staff forget to lock doors.
  • It is too easy to find that you cannot see wood for trees if you get too involved in the details of IT systems without stepping back and looking at the big picture.
  • Once an issue has been identified it is often possible for the client’s existing IT provider, internal or external, to resolve it.
  • Where the client agrees that an IT solution is required, I have several highly competent IT experts whom I can call upon for advice or support.
  • It is very easy to spend a lot of money on improving your IT when all you really need is to use your existing hardware and software properly and to establish realistic but secure procedures for everyone in the business to follow online and offline.


Faith and Hope.

You may have noticed that I have written a number of Ezine articles about my faith, such as The Seven Gods I Do Not Believe In and Eight Tips For Overcoming Obstacles To Reading The Bible, Prayer, The Church, and Miracles.    and,-Whether-You-Are-a-Christian-Or-Dont-Know&id=8627080

I have sometimes written about my faith in my blog, but these are my first Ezine articles of this nature.

As you might expect, I write from my own experience and understanding, that of an amateur not a professional.  I have always worked in a secular job and now am in business.  I hope those of you of different faiths or none, or don’t know, will find them worth reading.  But if not I hope you will still enjoy my blogs and articles on risk, business, claims and other topics, which I will of course continue to write.


Linkedin Profile

You may have noticed from my website that I have been writing Ezine Articles for some time.  I usually post these on my Linkedin Profile, but for the last few months I have missed this step.  Today I have updated my profile and corrected that omission so do have a look.

Frequently Asked Questions

I have recently added two new pages of FAQs to my website.  The fisrst is on Risk Management and here is a copy of it.  If you have any other questions about it please send them to me  either as a comment on this blog or by email to


Q1. What is the link between risk management and insurance?

Insurance is a means of managing some of the financial effects of risk.  It is important to remember:

  • The need to manage the underlying causes
  • Not all risks can or should be insured
  • Good risk management helps reduce the cost of insurance.

You may find this link helpful,-or-at-Least-Control,-Your-Insurance-Premiums&id=7309130

Q2. What risks do we have to manage?


Q3. What are the biggest risks?

  • That depends entirely on your business and on your particular circumstances.
  • A growing but neglected class of risks are those around data protection. See separate page of FAQs.


Q4. Are there any risks you cannot manage?

  • Some things, such as the weather and national events are beyond the control of most of us
  • even if you cannot prevent something, you can mitigate its effects by having a recovery plan for instance.


What is going on with this blog?

If you are wondering why you have not seen any new blogs on this site for a while and then a load of them turn up at once like buses, this is why.

I have had my WordPress blog integrated  into my website.  When that was done I then had two blogs and had been inadvertently continuing to post onto the old, separate one.  Once I realised that, I had the blog posts re-posted onto the new one on the website.

I will try very hard to remember to only post on the website from now on to avoid confusion.


Is Risk Management not the same as Health & Safety?

I still find a lot of people are confused as to the difference between Risk Management and Health & Safety. So let me just remind everyone again.

Do manage your H & S risks properly, but do not forget all the others.

A Good and Bad Example of Data Protection by a Prime Minister.

I have just heard about the theft of a laptop and other items from the car of Elio de Rupo, the Prime Minister of Belgium.
• The bad thing is that his driver left the car unattended with the laptop in the boot outside the gym.
• The good thing is that it was encrypted and in any case did not hold any secret or sensitive information, according to a spokesman. We will probably know whether that is true or not in due course.
The lessons to be learnt are:
1. You cannot be too careful: anything left in an unattended car is at risk.
2. If you do not keep sensitive data on your computer is makes stealing it rather unrewarding.
Many of us could benefit from studying this example.
• Too many people keep far too much information on their laptops and other devices.
• Too many people seem to collect data for the sake of it without even asking why they need it.
Perhaps we should all ask whether all our data is really necessary. And we should be careful where we park.