Posted on

The Link Between Unpatched Machines, Ransomware, and Data Breach Threats Increase Threat Severity for Businesses

cyber landscape report

Boardish has released a cyber landscape report that summarises the latest changes in the threat landscape. As a tool created for CISOs and cyber professionals who work on quantifying the impact of cyber threats and solutions into financial figures, Boardish has recently moved from beta to production. 

The ultimate goal that Boardish wishes to achieve is to simplify the quantification process for CISOs and other cyber professionals, helping them get faster insight into the cybersecurity landscape and impact of new threats and solutions. 

With that goal in mind, Boardish has also released a new monthly cyber report.

Their new cyber landscape report shows that the threat landscape has experienced quite a number of changes at the beginning of the year. One thing that they picked up is that there is a link between the three main threat increases that were registered: unpatched machines, ransomware, and data breaches. 

The Boardish cyber report places unpatched machines to the very top of cybersecurity issues.  This threat experienced the highest increase of 18% after NSA has discovered there is a vulnerability in the Windows 10 systems. The number of machines affected by this vulnerability goes over 900 million, which is more than enough to raise the risk assessment for unpatched machines from medium to high, as it has the potential to be the next nation-state type of attack.

Eternal Blue, the exploit used for the WannaCry ransomware is still affecting machines around the globe. When combined with the number of machines that could potentially be affected and the impact of previous nation-state attacks, any organisation with unpatched machines should treat the risk as a priority. 

This leads us to the next threat highlighted by the cyber report: ransomware. It has increased by 11% across all company size categories. 

It’s connected to the number of unpatched machines and also the fact that there are numerous other attack vectors for ransomware infections, with phishing being the most popular attack vector. 

Ransomware is so popular because it’s the easiest way to get money quickly, but there has been an increase of instances of the ransom NOT being paid, in which case attackers released the data and caused a data breach

This brings the impact level to maximum. Another interesting finding is that the level of turnover days increased by 15%, and the reason for this is twofold: business systems are more complex, and ransomware attacks are more sophisticated. Ransomware should, therefore, be treated as a top priority threat.

Data breach threat has also increased by 7%, but unpaid ransomware isn’t the main reason. Instead, increased amounts of data were the primary factor in companies with more than 500 employees, as per our cyber landscape report. The data breach risk factor is serious enough to lose market positioning, and coupled with the high-regulation impact, the risk is raised to high. 

User error is becoming a more common reason for data breaches, so companies should make sure they are protected not just from external but also internal threats. 

The best way to deal with each of these threats can be thoroughly tested in Boardish so that CISOs and other cybersecurity professionals immediately see the effectiveness of solutions and present these in front of the board in financial terms. 

For a more detailed insight into the threat landscape, you can download the full cyber report for free here: Boardish Analytical Cyber Reports

Posted on

Microsoft Azure Information Protection (AIP) Scanner Tool Course

Microsoft Azure Information Protection (AIP) Scanner Tool Course

Our new course on data discovery and encryption with the Microsoft Azure Information Protection (AIP) Scanner Tool is out. Those who enroll in the course will learn all about setting up the AIP scanner and the requirements. They will also learn how to discover and protect your on-prem data.

The Azure Information Protection (AIP) scanner tool provides businesses with a complete data encryption solution. Not only will it help businesses encrypt their on-premise data, but also help them discover, control, and organise their data. 

Why You Need to Learn How to Install and Set up The Azure Information Protection (AIP) Scanner Tool 

With more cyber threats looming about than ever before, cybersecurity has become a pressing issue for any business dealing with sensitive data. Last year’s adoption of the General Data Protection Regulation (GDPR) by the EU also places heavy emphasis on data safety and export of personal data outside of EU and EEA borders. 

Most business owners have security solutions in place to protect the data from unauthorized access by external attackers. However, they seem to forget that many cybersecurity issues start on the inside. The most pressing issues that lead to a data breach are the following: 

  • No clear data organization – Unstructured data is hard to track and even harder to keep safe. 
  • Unrestricted access to every file and document – Not all of your employees need to have access to all your documentation. Data should always be shared on a “need to know” basis. 
  • No tracking on data access and usage – Without a system that tracks how data is being used and accessed, it’s very hard to avoid or detect malicious intent and possible data breaches. 

Why You Should Invest in Data Encryption

Cybersecurity has become a strategy that covers more than just having a firewall and spam protection in place. 

Today, cybersecurity covers everything from encryption to employee education and access control. The AIP scanner tool helps you achieve just that – you will know exactly where your data is, and you’ll be able to label it accordingly. You will also control who has access to it (both inside and outside of your organisation).  

Protect Your On-Premise Data Yourself

Our AIP Scanner Tool course will teach you everything you need to know about the AIP scanner. With 38 lectures divided into eight lessons, you’ll learn how to discover all data locations you keep on-prem (even archived data!). You will also learn how to classify and encrypt it. You’ll learn all about prerequisites to install the AIP scanner and how to set up the virtual environment needed to run it. 

You will become familiar with all AIP scanner modes so you can choose which is the best for your business. You will also learn how to install the scanner and test its settings. This way, you can ensure it’s working correctly before running it on your server, and how to deal with false positives. 

Enroll Today for Lifetime Access

Are you a business in dire need of a good data security solution? Do you wish to broaden your knowledge and install the AIP scanner for others? Enroll today and gain lifetime access to lessons, videos, articles, and downloadable resources that will teach you to successfully protect your data.

Sign Up Here >>> https://www.udemy.com/course/data-discovery-encryption-with-microsofts-aip-scanner/?couponCode=ARTICLE50OFF

Posted on

How to Protect Data Storage from Hacking

How to Protect Data Storage from Hacking

Data protection is more important than ever, but also much harder to achieve. It was fairly simple to previously protect data storage from hacking when it was only saved on-prem and there was limited access. 

Today, data storage and access are more dispersed. Remote employees, cloud storage solutions, BYOD policies, and access via multiple devices from anywhere make data protection seem like an impossible goal.

It’s important to understand that a data breach is a business issue, not just an IT issue. 

To make sure your company and customer data are safe, you will have to protect data storage from hacking attempts. The following data storage safety practices will help you achieve a high level of data security and compliance. 

1. Use strong passwords 

The most common way data storage is hacked are weak or shared passwords. You would ever store thousands of dollars behind a simple “0000” or “12345” password? No.

The data you are trying to protect is worth even more than that, so make sure that anyone with access to it has a strong, complex, and unique password. 

Weak passwords are present in almost every organisation and can cost corporations millions in damages because of data breaches. 

  • To avoid hacking attempts, have a proper password protocol in place. All passwords that provide access to data should have a minimum of 12 characters and shouldn’t be complete words. 
  • Use a combination of upper- and lowercase letters, numbers, and symbols. The password should not have personal meaning – no names, addresses, dates, or anything that can be unearthed on social media.
  • Passwords should also be changed every 6 months.

2. Add Two-Factor Authentication 

Additional authentication protocols should be a standard practice to protect data storage from hacking

In case your first authentication layer – the usernames and passwords – end up in the wrong hands due to a successful phishing attack, the second layer of protection in the form of two-factor authentication (or multi-factor) will keep data safe from outside access. 

The authentication server will prompt the user to input another security code after authenticating their credentials. The code is usually delivered via SMS, or via a phone authenticator app. Some services will also offer the code via phone call if supported. 

3. Include Session Timeouts / Auto Disconnects 

To battle forgotten login sessions that could potentially lead to a data breach because somebody else used the device, incorporate session timeout routines onto your data storage servers. 

These routines will automatically disconnect the user from all inactive sessions. 

For example, if the user accessed your data storage but has been idle for the last 15 minutes, they will be logged out. When they come back, they will be prompted to log back in again. 

This security measure is especially valuable if your staff has access to data storage from shared, remote (and potentially unsafe) locations.   

4. Use encryption for all documents and emails 

Encryption helps protect data storage from hacking because in the event it ever falls into the wrong hands, they won’t be able to read it. 

When you encrypt data, the data is translated into ciphertext that is just a string of random characters. The only way to make it readable again is to turn it back to its original form with the right encryption key. 

The larger the key size, the more computational power is needed to crack it. The rule of thumb is to use encryption services that offer at least 256-bit encryption protocols.  

In order to ensure you have encrypted all sensitive documents, you should use a data protection solution that covers data discovery and sharing. Microsoft’s Azure Information Protection is such a system, and can be used to discover all your data, apply labels that determine how sensitive data is, and then apply rules on data access. The system will find all locations where data is stored and help you migrate it to a safer, centralised location. 

Because such systems also include email encryption, it also helps you keep data safe in case of mishaps. For example, if somebody accidentally sends an email with sensitive data to the wrong recipient, the recipient won’t be able to read the data without first having proper authorisation. 

5. Limit Access to Data Storage

In order to protect data storage from hacking, you have to limit access to data to inside actors too. 

The more people have access to sensitive and classified data, the higher the risk of data falling into the wrong hands. 

Your employees should have access only to data that’s essential to their role in the company. 

In case employees would need to access data occasionally, it’s better to have procedures in place that would authorise access to them temporarily rather than giving them unlimited access. 

6. Use Safe Cloud Storage Solutions 

Cloud storage solutions help you keep your data accessible at all times and is becoming the standard today. With so many employees working from remote locations and accessing data from multiple devices, it’s safe to say that there are many more vectors of attack.  

To protect data storage from hacking but keep it accessible and online, try using a decentralised cloud

It uses blockchain technology to keep data safe and such cloud storage is not controlled by a single entity and data is not stored on a centralised location. Instead, data is spread in tiny fragments across a large global network. When you need to access it, it will be assembled and decrypted as soon as you are authorised (either with an encryption key or password). 

7. Educate Employees

You can invest in the best firewall, anti-spam, and antivirus software, but if your employees don’t know how to spot a potential threat, your attempt to protect data storage from hacking will ultimately fail.  

Everyone in your company, be it the newest members of the team or senior executives, should go through regular education training. Ideally, they should learn about: 

  • The latest threats and risks, and vectors of attack – Suspicious email attachments, phishing attempts, how to stop a spoofed email address, and more. 
  • Best practices when it comes to data security – Teach them about BYOD policies, unsafe public networks, being safe while accessing data from remote locations, etc.
  • How to use new security software you implement – Get them on board with new software solutions and teach them how to use them to avoid slowdowns and disruptions.   

Your data security is only as strong as the weakest link. What’s your weakest link? 

Posted on

5 London Hotels That Are Above the Curve on Technology

5 London Hotels That Are Above the Curve on Technology

The hotel industry is only just starting to embrace the latest tech. London hotels areis working hard to make guests feel like they are right at home during their stay. But when does a hotel stay feel like home?

The latest technology has made it possible to set up the room just the way you like it. From choosing the right room, lighting, temperature, music – everything can be controlled and set up in advance.  London hotels have started picking up on the need to personalise every guests’ stay and invest in new technology to make this possible.

Here are five of the London hotels innovating technology in their offering to guests: 

1. Eccleston Square Hotel

Named London’s most high-tech hotel, Eccleston Square Hotel is a unique blend of historical elegance and exciting new technology. 

The hotel’s very own app that guests can download to their device acts as a digital concierge and lets you set up everything just the way you want for your arrival. 

Each room has access to free and fast Wi-Fi, and comes equipped with free smartphones that guests can use for international calls and free data while roaming the city or conducting business.  

The in-room pads let guests control every single aspect of their room – light, sound, and temperature – and they can also browse the menu, order room service from the restaurant, and select the time of delivery. 

The bathroom glass walls can be toggled between see-through and frosted with a simple touch of a button. The best part is that the “Do not disturb” sign can be activated from the touchpad, too! 

2.  Radisson Blu Edwardian, Berkshire

Radisson Blu on oxford Street never stops innovating to offer the very best guest experience. While staying at the Edwardian on the Bloomberry St, guests will be able to use their very own virtual assistant called Edward. 

Edward will help throughout the whole stay and help them with check-ins, checkouts, and requesting anything guests might need. Each room has fast Wi-Fi for an unlimited number of devices, and guests can even stay up to date thanks to their digital news app. 

3. South Place Hotel, London

The South Place Hotel also realised that guests want full control of their room setup, so every guest can control lighting and electronic blackout blinds, and enjoy crystal clear sound thanks to the Bang & Olufsen media centre and a library full of free on-demand movies and shows. 

The bathrooms are equipped with a TV and speakers too, and those who get tired of movies can head to the hotel’s games room.

4. Amba Hotel Marble Arch, London 

Also located on Oxford Street, Amba Hotel Marble Arch lets guests have full control over every aspect of their stay. They can choose rooms themselves during booking, and the Mobile Valet app lets guests explore the hotel and all amenities, order room service, and set up express checkout easily. 

Every room is equipped with USB sockets next to beds and super-fast unlimited Wi-Fi. There’s also a tablet in each room that guests can use as they like, and Smart TVs they can link their own devices with and connect to their favourite services.  Plus, you can keep your tech secure thanks to the in-room laptop safe which is a great addition for business trips.

5. CitizenM London Bankside

The CitizenM London Bankside offers their guests compact rooms filled to the brim with technological gadgets that make the stay comfortable and futuristic. Starting with ‘one-minute’ check-in kiosks, the guests are guided to a room that they can adjust as they want. 

Guests will have their own tablet “mood pad” that gives them control over all the aspects of the room. Coupled with lightning-fast Wi-Fi, it’s really like being portalled to the future. 

Today, a personal touch and focus on guest preferences is what it’s all about. The very best hotels focus on the guest experience by making it easy to check in and out, order, and connect to personal and business accounts and services right in the room.

Posted on

How To Create A Secure Password in 2019

You’d be amazed at how easy it is to create a secure password in 2019 and yet so many people don’t! 

Despite the increasing efforts that many websites put into security precautions, it’s a two-way street and users need to catch up and take responsibility too. Weak passwords are still a common way to hack someone, even in 2019.

The National Cyber Security Centre released a list of the most common weak passwords found by analyzing data from 100 million passwords leaked in data breaches. 

The top ten weakest passwords are the following: 

  • 123456
  • 123456789
  • qwerty
  • password
  • 1111111
  • 12345678
  • abc123
  • 1234567
  • password1
  • 12345

Other noteworthy entries near the very top include things like “000000” and “Iloveyou.” The primary spot has been held by “123456” for years now, however. 

A Secure Password in 2019 Should Be Complex, Unique, and Random

The above-mentioned passwords don’t even meet the minimum requirements of what’s considered a safe password nowadays. Today, truly secure passwords will have: 

  • A mix of upper and lowercase letters
  • Numbers
  • Special characters

Don’t think for a second that such passwords are bulletproof. They can also be cracked if you aren’t careful with how you create them. 

Creating a Secure Password in 2019

The following ten tips will help you create a truly secure password in 2019 and avoid the most common mistakes that lead to breaches. 

Avoid simple passwords like the ones on the list above

The fastest way your account will be compromised is by setting a weak password. While it’s bothersome to use all these safety measures like mixing cases and special characters, it’s more irritating to try to cancel credit card payments you never made. 

Don’t use simple to guess data

Avoid putting your name, the names of family members, or even the names of your pets because this is a sure fire way to become compromised in record time. Also, never use your username as a password too. That’s another easy guess. 

Use patterns 

An easy way to recycle a password safely is to switch for a designated number of spaces on the keyboard. For example, if your password was “ThiSisS3cuRe” (This is secure), you can instead use the keys that are one space to the left. Instead of “T” you would use “R” and so on. This will get you what seems like a completely random sequence: “RguSuaA2xzEw.” And yet, you will know how you got it. 

Change passwords regularly

Many people experience a breach because they never change their passwords. Passwords get outdated quickly, and as time goes by, what was once considered complex can now easily be cracked and guessed. 

Some services prompt you to change your password regularly, which is not a bad idea, but many users then choose a simple password to get it over with. That’s a bad practice, and however annoying you might find it, every password change should have a complex password. 

Top Tip: Change your passwords every 6 months and set a reminder on your phone to do it so you don’t forget! 

Use a different password for each account

Never use a master password for all your accounts. That increases risk in case of a breach. Imagine your business email or banking information is suddenly jeopardised because you used the same password as on some random and less secure site. Each account should have its own password. 

Use randomly generated passwords

Google Lock has a password suggestion mode that offers you to create a randomly generated password instead of thinking of one yourself. This is a convenient service, but it can be hard to remember all such passwords without a system behind them.

Don’t write down passwords 

You might find it convenient to write all your passwords on a piece of paper, or in a notepad. Be aware that any type of data that’s not encrypted is not safe. Usually, it’s considered okay for home users to write down passwords on a piece of paper so long as they are kept out of sight (and not taped to the computer!), but never do that at work, or you risk someone using your workstation for malicious intent. 

Find a password manager that suits your needs

If you find it hard to remember all passwords, use a password manager. These are pieces of software that remembers all your passwords so you don’t have to. There are free and paid options available, and some are online, others are offline. Go through reviews to find the best deal for you. 

The point to note here is that you’re storing all of your passwords in one place, so make sure you pick an encrypted system that is extra secure! if you don’t have enough passwords to use a system like this, it’s best to avoid!. 

Use cryptography 

Develop your very own system to encrypt your passwords. One good way to do this is to have a sentence that will remind you of a password. For example, you have a pet cat and wish to base your password off of it. Instead of using your cat’s name mixed with a few numbers, use a sentence such as: 

  • “My cat Garfield loves lasagna.” and then encrypt each part: 
    • My cat Garfield = McG
    • Loves = <3
    • Lasagna = LsgnA
  • So your password will be “McG<3LsgnA”

Use two-factor authentication

Reduce the risk even more and use two-factor authentication in addition to having a strong password. On the off chance that somebody manages to crack your super complex password, two-factor authentication will keep them from doing anything else. 

Such authentication is bound to a token or a phone app that generates a random string of (usually) six numbers that rotate every 60 seconds, which are unique to your account. Without this second step to prove it’s really you, hackers won’t be able to access your account at all. 

Cybersecurity Rests on You Choosing a Secure Password in 2019 

Hackers are finding new ways to get to your data every day. Don’t let your password be the weak link that will give them access to everything else. Want to learn other ways to protect your computer? Check out our latest course here >>> PROTECT YOUR COMPUTER FROM GETTING HACKED COURSE <<<

Posted on

Data Discovery as an Important First Step in Cyber Security Implementations

feature image for data discovery in cyber security implementations post

Data security is the staple of a successful business in this era, and most businesses invest into at least basic cyber security. After all, it’s much more affordable when compared to the aftermath of a data breach. Before you implement security measures that will keep your business and reputation safe, you should know what type of data you deal with, and you can do that with data discovery tools.  

What’s Data Discovery and How Does It Help My Business?

The importance of data discovery in cyber security is experiencing rapid growth because of stricter regulations like the General Data Protection Regulation(GDPR) that mandate all businesses should be well aware of what kind of data they collect and how they use it. But what is data discovery anyway?

Data discovery is a business process of collecting and analysing data to gain insight into trends and patterns. This insight helps businesses shape their critical business decisions.

And while most businesses today will happily collect data to make data-driven decisions, they will often fail to store and protect that data in a systematic and logical manner.

This causes two critical issues:

  1. When data is disorganised, it will impact data analysis and affect the end result, which can lead to bad business decisions.
  2. Disorganisation also increases the risk of data being accessed by unauthorised entities, either through a data breach or because it was accidentally disclosed by an employee.

Data discovery helps businesses not only collect and analyse data, but it also shows them where and how data is stored and who has access to it, which gives them a good idea of how safe that data really is.

Data Discovery in Cyber Security

Because data discovery provides quite a number of benefits to a business, it’s safe to assume it can help with cyber security too. So what’s the best way to use data discovery in cyber security, and what benefits will this bring?

It is the first step to becoming GDPR compliant. Businesses gather all kinds of data to gain insight into the latest trends and preferences, and for this purpose, they often store sensitive data from their users and customers.

  • GDPR requires that ALL businesses that deal with personally identifiable information (PII) from EU citizens to disclose they are using and storing this data.
  • In addition, they must have consent from the user/customer to store all that data, and keep records of consent too. If they don’t, they are not allowed to store it.
  • Any type of data that can lead to the identification of an individual falls into this category: name, address, online identifiers, ID numbers, IP addresses, even cookie identifiers.  

It helps you implement the right cybersecurity measures. It can be hard to choose which cybersecurity measures are the best option for your business.

  • Firewalls and secure networks are a good start, but without implementing data discovery in cybersecurity, you won’t have a structured overview of your data, or who has access to it.
  • Considering that human error is the most prevalent reason for a data breach, limiting access to data and keeping it on a “need to know” basis is a sound defense against such errors.
  • This also helps you implement data encryption that limits further data sharing and disclosing it to somebody without the right authentication.

It helps you identify security threats quickly. When you have a unified and structured overview of your data and can see who accesses it and in what way in real time, you can quickly respond to any type of threats.

  • Machine learning and AI solutions can help you automate this process and monitor users’ access and detect any anomalies.
  • For example, if there is a sudden surge in data access from a specific access point, you will get a warning to investigate. In case you determine there was indeed a breach, the scope of the breach will be very limited.

Data Discovery Brings Your Cyber Security to a Whole New Level

With increasing volumes of data flowing through your on-prem or cloud data centres, you need solutions that will not only give you insights into trends but what type of data you have, where it’s stored, and how many of your employees have access to it. By structuring your data according to sensitivity levels and implementing solutions that limit access and keep a watchful eye on how it’s used, you will be able to thwart cyber security threats before they become a problem.

Learn more about data discovery by using Microsoft’s AIP scanner in our Udemy course now available at a discounted price.

Check out the TowerWatch Academy for more courses!

Posted on

6 Hospitality Businesses Who Faced Data Breach Fines

hospitality data breach fine

Contrary to popular belief, the hospitality industry is an excellent target of cybercrime because of the sheer amount of personal and sensitive data held. In fact, there are several businesses that have already faced data breach fines.

Every day, hotels, hostels, and restaurant chains handle credit cards, emails, contact preferences, home addresses, and other sensitive data from millions of customers, and hackers want to get their hands on that information.

A data breach can go undetected for quite a long time, as some of the cases below demonstrate, which would only increase the GDPR fine nowadays!

Here are 6 hospitality businesses who have recently faced data breach fines, and the cybercrime that caused them.

1. Hilton Fined $700,000 After Taking 10 Months To Notify Customers of Data Loss.

Back in 2014, Hilton hotels were a victim of a data breach, followed by another breach during 2015, which resulted in the data loss of over 360,000 customers. The data that was stolen held sensitive information like credit card numbers, names, addresses, and more.

The biggest issue is that Hilton failed to inform its customers about the breach in a timely manner. It took them ten months after they learned about the breach to inform their customers. This resulted in a $700,000 fine for lack of adequate security and failing to inform customers about the breach. If this had happened recently, their fines would be much higher under GDPR –  they would probably have to pay around $420 million.

2. Radisson Hotels Face Potential GDPR Fine

Radisson Hotel Group faces fines under the newly adopted GDPR. The breach was discovered in 2018, with Radisson claiming to have promptly informed the EU regulators within the 72-hour timeline. It was detected in the Radisson Rewards database, and some members of their Rewards programs were compromised.

Apparently, credit card or passwords were not stolen. Stolen data included names, addresses, email addresses, company names, Rewards member numbers, and frequent flyer numbers. As a result, the hotel chain might be facing a €10 million fine.

3. Trump Hotels Pay $50,000 After Not Informing Customers About Breach

Even Trump hotels aren’t spared of data breaches. The hotel chain suffered a data breach back in 2014 when over 70,000 credit card numbers and other personal data were stolen via the payment processing system that was infected. The now president Trump agreed to cover the $50,000 fine that was issued because the hotel chain didn’t bother to inform their customers about the breach even though they knew about it for months.

4. Wendy’s $50 Million Settlement

Restaurant chain Wendy’s had to pay a hefty fine because of the data breach that happened in 2015 and 2016 when 1,025 POS systems used at their locations were infected with malware that led to a lot of stolen credit card info. It is reported that over 18 million cards were compromised in the breach.

Many of these cards were used to commit fraudulent online purchases. As a result, Wendy’s had to face a class action lawsuit from affected financial institutions and consumers. Wendy’s reached a settlement that required them to pay $50 million by the end of 2019.

5. Zippy’s Restaurant $725,000 Data Breach

Zippy’s restaurant chain based in Hawaii suffered a data breach in November 2017. They first discovered the breach in March 2018. All cards used during that time might have been affected. The compromised information included credit card numbers, expiration dates, names, and security codes.

There is no information about how many customers were affected, but a class action lawsuit was filed against FCH Enterprises, the owner of Zippy’s Restaurant. It’s worth noting that not only the restaurant chain was affected. The other franchises held by FCH – Napoleon’s Bakery, Kahala Sushi, Pearl City Sushi, and Pomaika’i Ballrooms. FCH reached a settlement and agreed to pay $725,000.

6. The $915Million GDPR Marriott Case

Probably the case that got most traction is the large data breach that occurred with the Marriott hotel chain. Personal data and credit card details, even passport numbers and dates of birth of more than 500 million of their customers were stolen. The Marriott group includes hotel chains such as Sheraton, Westin, W, Le, Meridien.

The breach was first discovered in September 2018, while detailed investigation revealed ongoing unauthorized access dating back to 2014. They did encrypt sensitive data such as credit card information. However, the group stated they cannot be sure that encryption keys were not stolen too.

The most concerning part is that this was ongoing for four years, meaning security monitoring profoundly failed. The fine: $3.5 billion dollars plus $915 million from ICO GDPR.

With the rising risk of data breach and rising prices of fines, make sure you protect your customers’ sensitive data. This is especially true with the GDPR in place. By doing so, you avoid fines and ensure your guests rest easy knowing their personal information is safe with you.


Posted on

How Much Does Azure Information Protection Cost?

How much does Azure Information Protection Cost Feature Image

With increasing cyber security threats as well as GDPR (General Data Protection Regulation) having taken effect from 25 May 2018, businesses need to protect their sensitive data.

One of the ways we recommend to our clients is by using Microsoft’s Azure Information Protection (AIP) as a way of protecting and automatically encrypting sensitive information. But, a common question we get asked from unsure businesses, is the bottom line:

‘How much does Azure Information Protection cost?’

This article explains the breakdowns of pricing, as well as the effect your business will have on the price, to hopefully make it easy to understand!

How Your Requirements Affect Azure Information Protection Price

The pricing of Azure Information Protection is different for every business, and will depend on::

  • The Office 365 Suite you have – If you don’t have an Office 365 subscription, you will have to choose one that includes Azure Information Protection or get AIP as a stand-alone subscription.
  • Your business size – Because the price is calculated on a ‘per user’ basis, the higher the number of users, the higher the price.
  • Your business requirements – This is mainly on the AIP modules you will use. The more modules you use, the higher the price.

Azure Information Protection Cost Breakdown

Azure Information Protection consists of two parts:

  1. The classification and labelling of data
  2. The encryption and rights management (RMS)

To be fully protected, you will need both.

There are several Office 365 subscriptions that include the Azure RMS option. AIP is part of the:

  • Office 365 Enterprise E3
  • Office 365 Enterprise E5
  • Microsoft Enterprise Mobility + Security E3 and E5 plans.

If you have a plan that is not included above, you can still get Azure Information Protection without switching. AIP RMS is available as a stand-alone add-on that can be purchased separately.

There are three pricing groups for Azure Information Protection:

  • AIP for Office 365 – £1.50 user/month
  • AIP Premium P1 – £1.60 user/month
  • AIP Premium P2 – £4 user/month

Azure Information Protection Business Costs

The pricing for Azure Information Protection is calculated as follows:

(Office 365 plan cost/month per user + AIP cost/month per user) x Number of Users = Total Monthly Cost.

Here’s an example:

You have an Office 365 Enterprise E3 Subscription – the price is £17.60 per user/month.

You also need the Azure Information Protection Premium P2 – the price is £4 per user/month.

The total price per user per month is £21.60.

You have 50 users, so the price will be £21.60 x 50 = £1,080 per month for all your users.

How to Buy Azure Information Protection?

There are two options when buying Azure Information Protection:

  1. You can get it as a stand-alone option
  2. You can buy it as an integral part of the Microsoft licensing suite, such as the Microsoft 365 Enterprise or the Enterprise Mobility + Security Suite.

The license for AIP can be bought in the form of a user subscription directly on the Microsoft website, through the Microsoft Enterprise Agreement Volume Licensing program or through the Microsoft Cloud Solution Provider program.

Are you unsure on which Azure Information Protection package you need? Contact us and we can help determine which AIP deal is the right fit for your business needs to secure your data. Then, implement it with you.

Posted on

How to Hold an Azure Information Protection Staff Training

How to Hold an Azure Information Protection Staff Training feature image

In light of the latest data security climate, where a risk of a breach is higher than ever, it is of utmost importance to keep valuable data safe. Microsoft’s Azure Information Protection (AIP) helps in achieving this goal and it’s the solution we recommend.

Particularly when you consider that the UK average cost of a data breach is close to £2.87 million ($3.68 million) according to a recent report from the Ponemon Institute.

Azure Information Protection is a cloud-based data protection solution that keeps data safe through advanced encryption, identity, and authorisation policies.

But. 

Adopting AIP isn’t enough – you need to train your staff on how to use it properly. Newly accepted regulations like the EU General Data Protection Regulation (GDPR), combined with concerns about what awaits the UK in terms of free data flow after Brexit, make data security an important aspect to every company, so it makes sense to invest into Azure Information Protection staff training.

Ensuring Your Employees Are ‘On Board’

Change is something many employees are not fond of, so getting them on board with Azure Information Protection Staff Training is the first thing to do before you begin with implementation and actual training.

When your employees are educated on GDPR and data breach consequences, they will become more engaged in Azure Information Protection staff training. Not being compliant and risking a breach could cost them their job because many businesses that suffer a major data breach never recover. 

But, how do you do hold Azure Information Protection Staff Training?

Step #1 Educate on the Risks

Start by making your staff aware of the dangers of security breaches and just how little it takes for one to occur if data protection is lacking.

Step #2 Explain Their Role in Compliance & Data Protection 

Many employees are not aware of just how important they actually are in keeping data safe. Start by explaining their role in the company security and compliance. Explain that whenever they send data – be it email or access to a folder – to somebody inside or outside of the company, it can be a security risk. The risk here is that often there are no resources that would monitor or restrict misuse of that shared data.

The most recent statistics included in IBM’s Cost of a Data Breach Report show that a staggering 27% of all data breaches that happened was caused by a human error – in other words, employee negligence was the cause.

Think about the following scenario: You are sending sensitive financial data to an outside partner. The partner is negligent and sends this confidential data to parties that should not have access to it. This constitutes a data breach.

A data breach has serious consequences far beyond actual financial costs including:

  • Hacking
  • Downtime
  • Loss of customers
  • Loss of personally identifiable information (PII) from customers and employees
  • Loss of intellectual property
  • Loss of financial information
  • Breach of data protection laws
  • Legal fines and claims
  • Reputation damage

Step #3 Show Why Azure Information Protection is the Solution 

Proper training will help reduce the risk of a data breach as a result of human error. Before you fully implement AIP, ensure your staff become familiar with all the features and that each department knows how to utilise its full potential. 

Explain how Azure Information Protection works and how, when integrated, in the organisation it can help on an operational level. 

Step #4 Show off Features They Can Use

During Azure Information Protection staff training, the focus should be on providing specific and detailed guidelines to each department. Present all the important features that AIP offers:

  • You Can Classify Your Data – AIP helps classify and label data based on how sensitive it is through a system of labels that automatically protect it once applied.
  • 24/7 Protection – Once you classify data and protect it, it stays protected. AIP follows data and ensures it’s protected even when shared outside of your organisation or stored on an external device.
  • Track Data and Revoke Access  – AIP helps you track what is happening to data you have shared, and in case it’s needed, you can easily revoke access.
  • Log and Report Support Compliance – Get access to powerful features that help analyse and monitor usage of data. The reporting feature helps maintain compliance with rules and regulations.
  • Safe Collaboration – Thanks to labeling and classification, you have complete control over who has access to data and how they can interact with it.
  • Microsoft Office Integration – AIP is integrated into MS Office so you can secure any document with a single click as well as automatically in the background. 
  • Easy to Manage and Deploy – AIP works in the cloud and on-site equipment too.

Step #5 Make it Specific

Once done, provide each department with detailed guidelines and best practices for using AIP specifically for them. For example, teach your finance department staff on how to use AIP features like the Do Not Forward Button or Sensitivity Bar, or your marketing department on how to apply AIP labels and send data to external partners.

If you want to make your AIP staff training easier, we’ve created an Azure Information Protection Staff Training Course on The TowerWatch Academy.