The run-up to the GDPR becoming enforceable on 25 May 2018 saw everyone worried about getting into compliance. And rightly so. Not just because protecting customer and employee data is the right thing to do, but because the fines for GDPR non-compliance can be hellish. We are talking big numbers: 20 million euros or 4% of annual worldwide turnover, whichever is higher, is the top tier of fine possible.

It is 2020, and in the not quite two years since the GDPR came into effect, there have been around £97 million worth of GDPR fines and 160,000 data breach notifications.

Just when you think things may be settling down, the GDPR, and the data privacy rights it stands for, could come back to haunt you. So, in 2020, what do you need to consider to make sure you don’t end up fighting the UK’s Information Commissioner’s Office (ICO)?

– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series

GDPR Checklist for 2020

The GDPR is not a tick box exercise, but it is useful to look at certain aspects of your business to help align business processes with GDPR requirements. Here is our non-exhaustive list of things to think about in 2020, to make sure you remain in compliance with the GDPR.

Data processing and governance

The GDPR is focused on the processing of personal data. This means that to comply with the many GDPR data subject rights (that is, an individual’s rights) you need to go back to basics: the data. Understanding what data you collect, where it goes, where it is stored, and who uses it, is a fundamental step in establishing whether any compliance gaps exist.

‘Know your data’ is a good mindset and discipline to foster in your organization. It works for many things above and beyond data privacy; in particular, it tells you which measures to put in place to prevent data breaches, because you cannot protect data you do not know you hold. In 2020, and as a regular ongoing exercise, keep track of your data and build a data inventory that you keep up to date. This will feed into your ongoing compliance checks.

Your ‘know your data’ process can also help with the next area in our checklist.

Data minimisation

Article 5(1)(c) of the GDPR says this about data collection in terms of minimisation:

“adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);”

When you perform the know your data process, make sure that you only collect the minimum data needed to run a service or deliver a product. For example, do you really need to collect someone’s name prefix, e.g., Mrs, Miss or Mr? Apply the same test to every field: if no documented purpose needs it, do not collect it.

Keeping data collection and processing to a minimum also means that if you suffer a data breach or accidental data exposure, only a minimal dataset is leaked.
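As an added example (not code from the original post, and not The Defence Works’ own tooling), here is one way to make the ‘know your data’ and data minimisation points above enforceable in code rather than in a policy document: each processing purpose carries an explicit allowlist of fields, incoming records are filtered against it at the point of collection, and the same allowlist is used to audit what is already in storage. The purposes, field names and the sample record are constructed assumptions.

```python
"""Purpose-bound data minimisation. Added example, not code from the original
post; the purposes, field names and sample record are constructed for illustration."""
from __future__ import annotations

from typing import Iterable

# One allowlist per processing purpose (Article 5(1)(c): "limited to what is
# necessary in relation to the purposes"). Anything not listed is never accepted
# into storage under that purpose.
PURPOSE_FIELDS: dict[str, frozenset[str]] = {
    # Shipping a physical order: a name and a delivery address, nothing more.
    "order_fulfilment": frozenset({"full_name", "address_line1", "postcode", "email"}),
    # Sending a receipt: only somewhere to send it.
    "receipt": frozenset({"email"}),
    # Age-gated content: a yes/no answer is enough; the birth date itself is not needed.
    "age_gate": frozenset({"is_over_18"}),
}


class MinimisationError(ValueError):
    """Raised for an unknown purpose, or (in strict mode) for over-collection."""


def minimise(record: dict, purpose: str, *, strict: bool = False) -> tuple[dict, list[str]]:
    """Return (kept, dropped) for `record` under `purpose`.

    strict=False silently drops unjustified fields, fine for a form you control.
    strict=True raises instead, which is what you want at an API boundary:
    over-collection is surfaced and fixed upstream rather than quietly hidden.
    """
    allowed = PURPOSE_FIELDS.get(purpose)
    if allowed is None:
        raise MinimisationError(f"unknown purpose: {purpose!r}")
    dropped = sorted(field for field in record if field not in allowed)
    if strict and dropped:
        raise MinimisationError(f"purpose {purpose!r} does not justify fields {dropped}")
    kept = {field: value for field, value in record.items() if field in allowed}
    return kept, dropped


def audit_store(stored: Iterable[tuple[str, dict]]) -> dict[str, dict[str, int]]:
    """Scan (purpose, record) pairs already in storage and count, per purpose,
    how many records carry each field that purpose does not justify.

    A non-empty result is a list of fields to delete and a form to fix.
    """
    report: dict[str, dict[str, int]] = {}
    for purpose, record in stored:
        _, dropped = minimise(record, purpose)
        counts = report.setdefault(purpose, {})
        for field in dropped:
            counts[field] = counts.get(field, 0) + 1
    return {purpose: counts for purpose, counts in report.items() if counts}


# Constructed sample: a typical over-collecting checkout form submission.
SAMPLE_RECORD = {
    "name_prefix": "Mrs",            # not needed to ship a parcel
    "full_name": "A. Example",
    "date_of_birth": "1980-01-01",   # not needed to ship a parcel
    "address_line1": "1 Example Street",
    "postcode": "S1 1AA",
    "email": "a.example@example.com",
    "phone": "01234 567890",         # no purpose above lists it
}

if __name__ == "__main__":
    kept, dropped = minimise(SAMPLE_RECORD, "order_fulfilment")
    print("stored:", sorted(kept))
    print("refused:", dropped)
    print("audit:", audit_store([("order_fulfilment", SAMPLE_RECORD), ("receipt", SAMPLE_RECORD)]))
```

Run it and the checkout record loses its prefix, birth date and phone number before it reaches storage; the audit report over existing records tells you which fields your forms have been over-collecting and for which purpose, which is the input the data inventory needs.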

Technology

Technology plays a part in GDPR. Look at the technology measures you have in place. Are they still relevant? Do they need to be updated or augmented with new options?

Encryption protects the data you collect and store, both at rest and in transit; Article 32 of the GDPR names encryption explicitly as an example of an appropriate technical measure. It also matters after a breach: under Article 34, you are not required to notify affected individuals if the exposed data was rendered unintelligible to whoever took it, encryption being the standard example. That condition is the one to check, because encrypted data on a stolen laptop whose password is on a sticky note in the same bag is not unintelligible to the thief.

Robust authentication needs to be checked too. Cloud apps that did not offer two-factor authentication when you first deployed them may well offer it in 2020; turn it on, and prefer authenticator apps or hardware keys over SMS codes where the service allows it.

Technology also can manage some of the data subject rights you must offer too. If you use customer online accounts, for example, can the customer manage some, or all, of the data subject rights detailed in the GDPR?

  1. Right to be informed (about your data);
  2. Right to access (to data);
  3. Right to data rectification;
  4. Right to data erasure (data deletion);
  5. Right to request the restriction of data processing;
  6. Right to data portability;
  7. Right to object to use of data; and
  8. Rights in relation to automated decision-making, including profiling.

Also offering an easy method of communication with your organization on data rights, that works across different channels (email, mobile, etc.), is something to consider.

Privacy and security awareness training

Security awareness training for employees alerts them to the risks around sensitive personal data. A data breach that puts you at risk of having to make a GDPR breach notification can be as simple as an accidental leak caused by a lost laptop or a shared password.

Security awareness training should be done on a regular basis to keep up with the ever-changing nature of cyber-threats.

Data Protection Impact Assessment (DPIA)

Not all organizations need to carry out a Data Protection Impact Assessment (DPIA). However, you need to know whether you do, so double-check your current status. Article 35 of the GDPR requires a DPIA where processing “is likely to result in a high risk to the rights and freedoms of natural persons”. This is a little vague, so for further details on what it means and who it affects, check the Article 29 Working Party (WP29) guidelines on DPIAs (WP248), which set out the criteria that indicate high risk (systematic monitoring, large-scale processing of sensitive data, and so on) and describe a DPIA as a process for building and demonstrating compliance. The ICO also publishes its own list of processing operations for which it requires a DPIA.

A Data Protection Officer’s Work is Never Done

The work needed to get your organization into compliance with the GDPR may seem like a long time ago, but the world of data is nothing if not fluid: new systems, new suppliers and new processing purposes appear all the time, and each one is a fresh compliance question.

To make sure fines and unhappy customers remain at arm’s length, keep on top of your compliance by being vigilant, knowing your data, and keeping everyone in your business security and privacy aware using a fun and interactive Security Awareness Training offering.

The Defence Works offers GDPR specific Security Awareness Training that is fun and interactive.


Contact us for a free demo of the training that your employees will not only learn from but enjoy: https://thedefenceworks.com/demo/

Gartner Peer Reviews: “The Defence Works team was truly a great experience” 5-Stars.


Back at work now, and Christmas feels like it was so last year. But cyber-risks never go on holiday. Our workplaces are a battleground when it comes to cybersecurity. Here we take a look at our top five cyber-risks and how they affect your work. We will also give you some ideas for de-risking them.

When Cyber-Risk Becomes Security Risk

These are just five of the areas where cyber-risk rears its ugly head; there are, of course, many more. You will find as you go through them that they ring a familiar bell. The methods we suggest for reducing each cyber-risk should, however, also go some way to cutting security risk across all parts of your business.

Accidents do happen

Have you ever clicked the email send button and then looked at the screen in horror as you realise you’ve sent it to the wrong person? To err is human, so they say. Data exposure does not always come down to some external cybercriminal. It can be a simple accident, such as leaving a laptop on a train or having one stolen. One of the first UK data protection fines was against a Sheffield company: an employee had taken a laptop home to work on, his house was burgled, and the laptop was stolen. It contained the unencrypted personal data of 24,000 people. Note the word unencrypted; full-disk encryption would have turned a data breach into a lost asset.

To help cut your cyber-risk:

  1. Teach employees about cyber-risk and use security awareness training to help prevent accidental data leaks.
  2. Provide the right security tools to help prevent data exposure. This includes robust login credentials (strong passwords plus a second factor; an authenticator app or hardware key is stronger than an SMS code, which can be intercepted by SIM swapping), full-disk encryption on laptops and phones, and data leak prevention (DLP) solutions.


Messy desks not so tidy cybersecurity risk

A clean desk policy is about stopping security breaches by being tidy. A simple act, like ensuring that at the end of the day paper notes, USB sticks and other items are locked away and screens are locked, can prevent security breaches. It also helps if you need to meet ISO 27001, which includes a clear desk and clear screen control among its Annex A controls.

To help cut your cyber-risk:

  1. Create a policy around clean desk actions
  2. Add this policy to a security awareness training package to ensure a full understanding of the implications

Something smells phishy

Phishing is a major cyber-risk for any organization. The UK’s Cyber Security Breaches Survey 2019 found that phishing emails are still the most common type of attack that organisations identify. The survey pulls out some of the respondents’ experiences of phishing, one of which states:

Thinking of the phishing emails, they are going to get harder to spot. They are getting better at doing them. They are getting more and more sophisticated.

To help cut your cyber-risk:

  1. Teach your employees how to spot the tell-tale signs of phishing. A security awareness training program will take them through the variety of phishing types.
  2. Create a program of phishing simulation exercises to test your employees’ response to phishing emails.
  3. Use a spam filter. However, cybercriminals are always finding ways to circumvent this type of solution, so always back up the technology with employee knowledge.
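The tell-tale signs employees are taught to spot can also be checked mechanically, as a first pass before a human looks. The following is an added example, not code from the original post or from any spam-filter product: a stdlib-only Python checker that parses a raw email and reports a display name carrying a different address from the real sender, a Reply-To pointing elsewhere, sender and link hosts that imitate a brand (by digit substitution, or by correct spelling on a domain the brand does not own), punycode hosts, anchor text that shows one URL while the link goes to another, and urgency phrases. The brand list, its legitimate domains, the urgency phrases and the sample message are constructed assumptions; in practice the brands and phrases would come from configuration and the result would be one signal among several, not a verdict.

```python
"""Phishing indicator checks over a raw email. Added example, not code from the
original post; brand list, legitimate domains, urgency phrases and sample are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brands this organisation gets impersonated as, with their real domains.
BRANDS = {
    "microsoft": ("microsoft.com", "office.com", "live.com", "microsoftonline.com"),
    "paypal": ("paypal.com",),
}
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s"})
URGENCY_PHRASES = ("within 24 hours", "account will be suspended", "immediate action")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _domain(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def impersonated_brand(host):
    """Brand that `host` imitates, or None. Catches digit substitution
    ('micros0ft-support.com') and correct spelling on a foreign domain
    ('microsoft-login.com'); hosts under a real brand domain pass."""
    normalised = host.translate(CONFUSABLES)
    for brand, legit in BRANDS.items():
        if brand in normalised and not any(host == d or host.endswith("." + d) for d in legit):
            return brand
    return None


def phishing_indicators(raw_email):
    """Return (indicator, detail) pairs; an empty list means nothing tripped.
    Assumes a single-part message; multipart mail needs msg.walk() over its parts."""
    msg = message_from_string(raw_email)
    hits = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # A plausible address inside the display name, differing from the real sender.
    claimed = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if claimed and claimed.group(1).lower() != from_domain:
        hits.append(("display-name-mismatch", f"{claimed.group(0)} shown, sent from {from_addr}"))
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        hits.append(("reply-to-mismatch", f"replies go to {reply_domain}, not {from_domain}"))
    if brand := impersonated_brand(from_domain):
        hits.append(("sender-brand-lookalike", f"{from_domain} imitates {brand}"))

    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    collector = _LinkCollector()
    collector.feed(body)
    for href, anchor in collector.links:
        host = _host(href)
        if host.startswith("xn--") or ".xn--" in host:
            hits.append(("punycode-link", host))
        if brand := impersonated_brand(host):
            hits.append(("link-brand-lookalike", f"{host} imitates {brand}"))
        shown = _host(anchor) if anchor.lower().startswith(("http://", "https://")) else ""
        if shown and shown != host:
            hits.append(("link-text-mismatch", f"text shows {shown}, link goes to {host}"))
    for phrase in URGENCY_PHRASES:
        if phrase in body.lower():
            hits.append(("urgency", phrase))
    return hits


# Constructed sample modelled on the Office 365 "salary sheet" lure seen in 2019.
SAMPLE_EMAIL = """\
From: "IT Helpdesk helpdesk@example.com" <alerts@micros0ft-support.com>
Reply-To: collect@mailer-example.net
To: staff@example.com
Subject: Salary increase sheet now available
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your 2020 salary increase sheet is ready. Sign in within 24 hours or your account will be suspended.</p>
<p><a href="https://login.microsoft-login.com/oauth">https://portal.office.com/login</a></p>
</body></html>
"""

if __name__ == "__main__":
    for indicator, detail in phishing_indicators(SAMPLE_EMAIL):
        print(f"{indicator:24} {detail}")
```

On the sample this trips six of the seven checks; the same checks, in the same order, are what you want employees to run in their heads: who really sent this, where do replies go, where does the link really go, and why is it in such a hurry.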

Not so mobile security

Around 67% of employees use mobile devices at work, often without consent. Cybercriminals are aware of this, and mobile devices are increasingly being used for phishing. The mobile device is now the scammer’s favourite, because it bundles several attack channels into one: phishing by SMS text (“smishing”), phishing by messaging app, and malware-laden apps, all on a small screen where the tell-tale signs (the full sender address, the real link destination) are harder to see. The mobile landscape at work provides many opportunities for stolen login credentials and data breaches.

To help cut your cyber-risk:

  1. Have a security policy with a strong mobile usage clause, including guidance for employees on app downloads, operating system updates and what to do if a device is lost.
  2. Use a robust least privilege model of IT resource access; this limits what a mobile device infected with malware can reach, because a stolen session can only open what the user was entitled to.
  3. Teach your employees about the dangers of mobile malware and smishing.

An inside job

Insider threats are a difficult cybersecurity risk to fix. They are also a present danger: a CA Technologies survey reported that 53% of organizations had been affected by an insider attack. Insider threats come in many shapes and sizes, both accidental and malicious.

To help cut your cyber-risk: 

  1. Create a culture of security through security awareness training.
  2. Know your data, who is allowed to access it, from where, and when; that baseline is what lets you notice when access deviates from it.
  3. Use data leak prevention (DLP) tools; some DLP products include behavioural auditing and can alert when unusual events occur, such as a bulk download at midnight from an address the user has never connected from before.
  4. Use a system of least privilege for access to company resources
  5. If you do find a malicious insider, try to understand why, and address the cause where possible.
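The ‘know your data, who accesses it, from where and when’ point and the DLP behavioural-audit point in the list above come down to the same thing: a baseline of normal access per user, and alerts on deviations from it. The following is an added example, not code from the original post or from any DLP product, of that logic run over a few constructed access-log lines. It flags access outside a user’s entitlement (the least privilege point), off-hours access, a first-seen source address, and a day whose download volume dwarfs the user’s own median. The log format, entitlements, business hours and sample lines are all assumptions.

```python
"""Insider-threat heuristics over file-access logs. Added example, not from the
original post; the log format, entitlements, hours and sample lines are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log line shape (one event per line, UTC timestamps).
LOG_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<obj>\S+) bytes=(?P<bytes>\d+) src=(?P<src>\S+)"
)
# Assumption: path prefixes each user is entitled to (least privilege).
ENTITLEMENTS = {"alice": ("crm/",), "bob": ("hr/",)}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 UTC, Monday to Friday


def parse_log(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        event["bytes"] = int(event["bytes"])
        yield event


def analyse(lines, volume_factor=5, min_days=3):
    """Return (indicator, user, detail) alerts. Events are processed in time order,
    so 'first-seen source' means first seen in this log, not against a global baseline."""
    events = sorted(parse_log(lines), key=lambda e: e["ts"])
    alerts = []
    seen_src = defaultdict(set)
    daily_bytes = defaultdict(lambda: defaultdict(int))  # user -> date -> bytes

    for e in events:
        user, ts = e["user"], e["ts"]
        if not any(e["obj"].startswith(p) for p in ENTITLEMENTS.get(user, ())):
            alerts.append(("out-of-scope", user, f"{e['action']} {e['obj']} outside entitlement"))
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
            alerts.append(("off-hours", user, f"{e['action']} {e['obj']} at {ts:%Y-%m-%d %H:%M} UTC"))
        if seen_src[user] and e["src"] not in seen_src[user]:
            alerts.append(("new-source", user, f"first access from {e['src']}"))
        seen_src[user].add(e["src"])
        daily_bytes[user][ts.date()] += e["bytes"]

    # Volume spike: a day exceeding volume_factor x the user's median over the other days.
    for user, days in daily_bytes.items():
        if len(days) < min_days:
            continue  # too little history to call anything unusual
        for day, total in days.items():
            baseline = statistics.median(v for d, v in days.items() if d != day)
            if total > volume_factor * baseline:
                alerts.append(("volume-spike", user, f"{total} bytes on {day} vs median {baseline:.0f}"))
    return alerts


# Constructed sample: three ordinary days, then a late-night bulk export from a
# new address plus a look at a file outside alice's entitlement.
SAMPLE_LOG = """\
2020-01-13T09:12:03Z user=alice action=download object=crm/accounts.csv bytes=120000 src=10.0.4.21
2020-01-14T10:47:19Z user=alice action=download object=crm/pipeline.csv bytes=95000 src=10.0.4.21
2020-01-15T14:03:55Z user=alice action=download object=crm/accounts.csv bytes=130000 src=10.0.4.21
2020-01-16T11:20:00Z user=bob action=read object=hr/policy.pdf bytes=20000 src=10.0.4.33
2020-01-16T23:05:41Z user=alice action=download object=crm/full_export.csv bytes=4800000 src=203.0.113.7
2020-01-16T23:06:10Z user=alice action=download object=hr/salaries.xlsx bytes=50000 src=203.0.113.7
""".splitlines()

if __name__ == "__main__":
    for indicator, user, detail in analyse(SAMPLE_LOG):
        print(f"{indicator:13} {user:6} {detail}")
```

None of the four heuristics is conclusive on its own (people do work late), which is why the output is a list of indicators for a person to correlate rather than an automatic block; the point is that the same event producing off-hours, new-source, volume-spike and out-of-scope alerts at once is exactly the pattern a behavioural audit exists to surface.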

Why Security Awareness is a General Security Fix

Cyber-risk ultimately comes down to managing that risk. One key method used to manage many of the cyber-risks at work is knowledge and understanding. Training employees about risks and how to minimise them goes a long way towards protecting your company against cybersecurity threats. Security awareness training, when done in a fun and interactive way, is a fundamental way to take cyber-risks and shred them.

Want access to the world’s most interactive security awareness training? Sign up for a free demo and find out how we’re already helping organisations just like yours.


2020 has arrived, and it is not only a new year but a new decade. We have trudged back to work, switched on our computers, and almost forgotten the sparkle of Christmas Day. On a personal level, New Year’s resolutions come and go. But at a corporate cybersecurity level we need to start as we mean to go on. Security threats in the last five years of the previous decade were unprecedented, with the focus quickly moving towards data breaches and social engineering. We may be in a new decade, but the spectre of cybersecurity attacks lingers. This year, we need to up the ante and make our staff our secret weapon in the fight against cybercrime. How we achieve this is by using Employee Cybersecurity Training.

Why Bother with Employee Cybersecurity Training?

In Verizon’s Data Breach Investigations Report (DBIR), seen by the industry as the bible of security analysis, the following findings tell a tale:

  • Financial gain is behind 71% of data breaches
  • External actors are the main cause (around 80%) of data breaches
  • These external actors use employees and others, by manipulating their behaviour, to achieve their goals; phishing and stolen credentials are the top two methods behind a data breach

The remaining breaches involve insider threats (accidental or malicious) or partners.

In other words, the human-factor is the major contributor to cyber-attacks. This is why cyber training of employees is a vital part of your cybersecurity strategy going into the 2020s.


What is Employee Cybersecurity Training?

If a human being is being manipulated or used in some way to make a scam work, then it makes sense to change that behaviour. This is the crux of Employee Cybersecurity Training: modifying behaviour and making employees aware of how cybercrime works.

There are several key areas that Employee Cybersecurity Training focuses on:

Security hygiene

General security hygiene is often forgotten, but it is often a cause of data exposure. Things like leaving sensitive documents on a printer or writing information on a note left on a desk are potential data leaks. Poor security hygiene, including a lack of security patching of IT systems, was associated with data breaches in 52% of cases according to a report from McAfee. Security hygiene is also about understanding why you perform certain tasks; that involves knowing about malware and how it comes to infect a network. Security hygiene extends across all devices too. With mobile devices looking set to carry new phishing scams into 2020, awareness of mobile security is also a key part of staying cybersafe.

Passwords and other credentials

Passwords are a prime source of data exposure. They are often weak, shared or reused across multiple services. A report from Preempt found that 19% of passwords were either shared or weak and so easily compromised, and that 52% of people reuse their passwords across multiple services. Employee Cybersecurity Training works in combination with your password policies to ensure that employees understand how to create and maintain good passwords, and it encourages the use of more robust authentication measures such as two-factor authentication and password managers.

Phishing and other scams

Phishing is the number one way that malware infections propagate. One of the success stories of Employee Cybersecurity Training is teaching employees how to spot the tell-tale signs of a phishing email or text message. Simulated phishing exercises and interactive videos can help to reduce the success rate of phishing. Other scams, such as Business Email Compromise (BEC), use social engineering (behaviour manipulation and psychological tricks) to steal large amounts of company money, typically by persuading finance staff to change a supplier’s bank details or to make an urgent payment. Employee Cybersecurity Training teaches staff how fraudsters operate and what to look out for.

Best Practices for Employee Cybersecurity Training

Some best practices that should be adhered to when choosing and using an Employee Cybersecurity Training program are:

Collaborate around security

Encourage employees to discuss security. Use an internal warning system to share security information, such as scams. The Defence Works has a weekly Breaking Scams section on our site. We write a regular post that describes the details of the latest scam doing the rounds. Encourage your employees to share what is happening in the world of scams, by copying and pasting the details into an email or mobile message.

Make Employee Cybersecurity Training fun

People learn best when they are actively engaged in something. Choose a security awareness program designed to be interesting and fun for your employees. Avoid workshop-based learning, which tends to be dry and boring. Instead, opt for scenario-based or “in-the-moment” security awareness training that sticks in the minds of employees.

Play with cybersecurity

Continuing on the theme of fun, create contests for your employees while they train in cybersecurity awareness. Offer prizes and encourage participation.

Posters and other visual aids are also useful in the training process, to drive home key ideas such as using strong passwords.

Talks and presentations

Bring in guest speakers or use your own staff to talk about their experience of cybersecurity. They don’t have to be experts; anyone who has experienced a cybersecurity scam at home or at work could be involved. You could make the talk interactive, encouraging the audience to think of ways to avoid being scammed in the same way.

Have a Cyber Safe 2020

Employee cybersecurity training can be an empowering process for your staff if you use a fun and interactive program. Instead of being pawns in the cybercriminal’s game, employees become fighters for your business. Our staff are a focus for manipulation by fraudsters; to prevent their exploitation, we must give them the knowledge to recognise it.

A cybersecurity savvy workforce is something to aim for in 2020. Your staff will be your beacon of sanity as the cybercrime statistics, yet again, soar.



‘Twas the night before Christmas, when all through the company not a creature was stirring, not even a cybercriminal.

How I’d love to say the above was true, but 2019 was the year when cybercrime only got worse, and it dragged our employees down with it, tricking and manipulating them to create ever more complex cyber-threats.

In our goodbye to 2019 post, we look at what the year has meant for the human in the machine: how social engineering has become the cybercriminal’s favourite method to trick us, ransom us, steal personal data, and cause general all-round technology chaos.

Let us enter the 2020s with a look back at the year when human beings became the cybercriminal’s favourite tool.


2019, Social Engineering Comes to Town

Social engineering is a general term for any method that manipulates a person into helping a cyber-attack succeed. Typical social engineering tricks involve:

  • Reconnaissance: gathering intelligence on victims (job titles, suppliers, who approves payments) to make the attack go more smoothly
  • Behavioural manipulation: exploiting urgency, authority and trust to get a person to take the action the attacker needs
  • Grooming: some attacks involve a degree of social grooming over time, and even coercion

Here are a few examples in 2019, that show how social engineering was used:

Ransomware in 2019

Insurer Beazley saw a 105% increase in ransomware attacks in Q1 2019. Ransomware is a type of malware that encrypts files and documents before making a ransom demand (usually in bitcoin) for the means to decrypt them. Getting the ransomware onto a computer to begin the attack is where social engineering begins. Phishing emails that either link to a malicious website or carry a ransomware-infected attachment are often the vector used to infect a machine. Once a machine is infected, the malware can spread across the entire network. When the ransom note appears, it exerts a second layer of social engineering: pay within a given time or lose the chance to recover the encrypted files. The practical counter to that pressure is tested, offline backups; a company that can restore is not negotiating.

The cybercriminals behind ransomware essentially hold the victim’s own data hostage and then charge them for the privilege of getting it back.

In 2019, we also saw increased use of “Ransomware-as-a-Service”, that is, pre-packaged ransomware available on the darknet; the money-making part is similar to an affiliate model. As cybercrime toolkits become easier to use and continue to make fraudsters money, we should expect that we have not yet seen the back of ransomware.

Phishing in 2019

Phishing, the social engineer’s go-to tool, continued unabated in 2019. The SME favourite, Microsoft Office 365, became the phishers’ favourite too. Phishing emails targeting administrator logins to Office 365 circulated throughout 2019. The reason for targeting the Office platform is to get at all of that juicy corporate data, and an administrator account also lets the attacker add mailbox forwarding rules and new accounts that survive a password reset. Some 2019 fraudsters played a less than subtle trick on targets, offering a view of the company’s salary increase sheet once logged in. The login page was, of course, a carefully disguised spoof of the real Microsoft Office 365 login.

Social media was also a focus for the phishing fraudsters in 2019. Vade Secure saw an almost 75% increase in phishing links on social media sites such as Facebook and Instagram.

Financial Scams in 2019

Fraudsters love a carefully crafted scam designed to trick us into doing their bidding. Omni-channel scams abounded in 2019. In the first half of 2019, £845 million worth of fraud was stopped by the finance industry. UK Finance stated that:

Data compromised through social engineering and ‘digital skimming’ attacks have had a significant impact on fraud losses

Even the old-fashioned cheque is not safe from the grip of the fraudster, with a 172% increase in cheque fraud compared with the first half of 2018.

The Defence Works had enough scam fodder to keep us going all year long in 2019. You can read our weekly Breaking Scam section on the blog for a look back at some of the year’s scams.

Business Email Compromise (BEC) in 2019

2019 was a year in which Business Email Compromise (BEC) cost businesses across the globe billions. The FBI keeps a watch on BEC and found a 100% increase in identified global exposed losses between May 2018 and July 2019. Over the previous three years, businesses lost over $26 billion (around £20 billion).

The cybercriminals behind BEC attacks are also upping their game. 2019 saw the first potential deepfake used to carry out BEC fraud: a British CEO transferred around £200,000 to a fraudster who is reported to have used an AI-generated imitation of the parent company boss’s voice over the phone.

A Happy New Cybercrime Free Year Using Security Awareness Training

Looking back is a good way to evaluate what we can do to make things better going forward. Although the term ‘lessons learned’ can be annoying to hear continually, it is a very useful way to make sure you do not repeat old mistakes. A huge number of the cybercrimes committed in 2019 had a human element to them, often involving multi-part manipulation of human behaviour. Proofpoint showed evidence of this in 2019 when it reported that 99% of the cyber-attacks it observed required human interaction to execute.

To turn the tables on cybercriminals, we need to educate our staff about the way fraudsters manipulate them. Using a program of interactive, fun, and effective security awareness training in 2020 will mean your company stays on top of the methods used by cybercriminals. Methods that change but retain a common theme: using your employees to break into your IT network.

In 2020, choose to use security awareness training and beat the cybercriminals at their own game.

