Posted on Leave a comment

How to Secure Microsoft 365 for Remote Working

secure Microsoft 365 graphic

It seems that remote working won’t go away after the pandemic passes. In fact, organisations in most industries are working towards making it a permanent and viable option. 

Large enterprises and corporations like Facebook and Google plan to keep the model for a while. While others like Twitter, Slack, and Zillow decided to allow (most or all of) their employees to work from home permanently. Their decision-making points towards the likeliness of remote work becoming a permanent option in most companies.  

SMBs looking to secure work from home 

According to Intermedia’s survey, small to medium business owners believe the remote work model will stay permanently. The survey indicates there is an overwhelming preference in keeping remote work as a long-term option. With 57% of SMB owners stating that employee availability and life and job satisfaction have increased, and citing a drop in overhead costs as a benefit that enabled them to stay afloat during lockdowns. 

Those SMBs deciding to embrace the model are in the midst of preparations to make remote work permanent. 

The Microsoft 365 suite is heavily used among SMBs, as their subscription model offers industry-leading functionality at a reasonable price. With access to security and operational features previously available only to enterprises, Microsoft 365 also includes cloud-based services that can be used from anywhere. Making the suite a perfect choice for work-from-home teams. 

Compliance remains a core concern for work-from-home protection

Remote work comes with a new set of risks, especially for cybersecurity. Compliance acts and regulations don’t differentiate between in-office and remote work. 

They require that you have secure working-from-home policies for sensitive information and data, and that you secure staff when working from home. 

The most common regulations to comply with include: 

  • Health Insurance Portability and Accountability Act (HIPAA) for businesses offering health services 
  • EU’s General Data Protection Regulation (GDPR) for all businesses processing and handling personal data from EU citizens
  • California Consumer Privacy Act (CCPA) for all California-based businesses and those doing business in California
  • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) for everyone handling personal data from Canadian citizens

These acts require you to comply with Information Security Management Systems (ISMS) standards, most notably the ISO/IEC 27000 series, as well as the Payment Card Industry (PCI) Data Security Standard (DSS) for those who take card payments online. 

SMBs often struggle with acquiring the right security solutions because the budgets are low. 

Remote work and software spending

The graph below shows how expectations on software spending have changed from March to May 2020. 

As the impact of the pandemic stopped being an unknown variable, respondents have revised their expectations on spending, which is indicated by less spending than initially expected. 

Statistic: COVID-19 impact on software spending worldwide 2020 (Survey results comparison: March, April & May) | Statista
Find more statistics at Statista

While the highest percentage of respondents (40%) initially stated they will increase their spending on software, in May, 44% reported there were no changes compared to spending during the previous year. 

And while the overall spending seems to stay the same, there are big shifts on what type of software the funds are allocated to. 

Statistic: Where are businesses increasing software spending? | Statista
Find more statistics at Statista

With working from home being the new norm, conferencing takes the lead, followed by collaboration, remote desktop tools, and security software. 

Work-from-home protection is an important concern for SMBs, and as the newest data from Microsoft shows, everyone is trying to speed up their cybersecurity digital transformation. 

So how can you protect all the Microsoft 365 documents and communication that you work with daily when everyone is using different networks and devices to access it?

How to protect Microsoft 365 when working from home

In our experience, the most efficient option to cover both of these is to use Advanced Microsoft Information Protection (MIP), as it has the best cost-benefit ratio. 

Microsoft Information Protection uses built-in capabilities from Microsoft Office 365 and Windows 10, as well as additional solutions provided by Microsoft, to secure Microsoft 365 and all the digital information and data you work with in your business across the whole playing field: in the cloud by using Cloud App Security, as well as on devices and on premises. 

It allows you to detect sensitive information and locate where it’s currently stored, secure documents as soon as they are created, and even ensure that you dispose of them in a secure manner. 

What Microsoft Information Protection can do for SMBs: 

  • It will secure Microsoft 365 apps and services you use and all your business information from leakage.
  • It blocks malicious actors from access, and doesn’t allow access to untrusted actors.
  • The automatic classification protects all documents based on the criteria, trigger words, and phrases you set up. 
  • It actively tracks data through its lifecycle and gives you insight into who has access to data and a log of who accesses it and what they are doing with it.
  • It helps your employees stay productive and learn about working from home best practices. The system will suggest labels and teach them how to use and apply them correctly. 
  • It gives you overview over information flow, with valuable insight on patterns of data usage inside of your organisation. 
  • This allows to spot anomalies in data usage and access, enabling quick detection of potentially harmful actions by actors or malicious software.
  • It keeps all data secure even when sharing with vendors and third parties by not allowing forwarding, downloading, or copying information shared with them.

Such capabilities extend beyond securing your data – it also keeps your staff secure from making errors while handling data, and all the vendors you work with by not allowing them to forward any information you share with them further. 

Once set up, you’ll have a system that performs well in the cloud, covering the need to secure remote working, but on premises too, once you decide to go back into the office. 

See MIP in action with our email demo video here:

Why you need to secure Microsoft 365 for remote working

When you secure Office 365, you and your team can do remote work securely and are saving time and money. But that’s only one benefit of using such an extensive system: 

  • No changes in workload: The automatic classification and encryption of all documents you work on and share with remote staff, contractors, and other third parties means there is no need to increase workload for your staff and spending time on complex manual security checks that they need to learn to apply. 
  • You will secure Microsoft Office through compliance: Classification and encryption executes on the cloud level too and protects against human error, one of the most common reasons behind data leaks. Securing Microsoft 365 for remote working also helps you be compliant with all regulations. 
  • Security travels: The cloud-based protection extends beyond business devices – the protection remains with documents and data and travels with them, ensuring they are secure even if they end up in the wrong hands. 

Secure external consultant documents for Microsoft 365

Working with external consultants increases risk of data leakage and breach, since you are relying on them to practice good cybersecurity. 

Instead of hoping they are doing a good job, you can secure Microsoft 365 documents sent to and used by external consultants through MIP. With auto classification, the options for downloads and further sharing will be disabled, ensuring the data can never be accessed by anyone but your external consultants. 

Secure internal sensitive and confidential information when working from home

Secure Microsoft 365 data with MIP’s extensive labeling and trigger system based on labels. You can classify all information into specific categories, and set up sensitivity labels for each of those categories. 

The trigger system activates based on the rules you set up. For each rule, there is a condition that must be met in order to trigger the second part, the action, something that will happen automatically when the condition is matched. 

For example, when a user without permission tries to access a sensitive document, the rule sends an email to the user and administrator of your system about the incident. 

Whenever someone creates a new document, no matter where within your organisation, it will automatically be protected based on the category and labels applied to that type of document. 

These labels are document-based, meaning they persist with it and are transferred anywhere the document ends up. If the document ends up being in an insecure environment, your security policies will continue being enforced, and won’t allow usage by anyone who isn’t a trusted source. 

The system allows you to track all data and documents as it moves through and outside of your organisation. In case you ever suspect foul play, you will be able to revoke access to the document, rendering it useless to anyone who is trying to get it. 

In such cases, the MIP can, based on your setup, respond with a real-time email alert, or a report on the dashboard.

Microsoft Information Protection includes Data Loss Prevention (DLP) capabilities, with policies against accidental sharing. With it, you can also label documents for information retention, set an expiry time and apply deletion policies that will execute automatically when requirements are met. 

Secure email communication when working remotely

The labeling system goes beyond Office apps, and you can secure Microsoft Outlook in the form of Office 365 Message Encryption. 

It allows you to classify and secure email messages as well. When labeled, the policies for that specific label will be applied to the email. This includes policies such as: 

  • Encryption
  • Watermarks
  • Access restriction
  • Disabling forwarding

The label that is applied will persist with the email and keep security policies on the email even when it leaves your organisation. It helps employees work from home securely by preventing phishing attacks and disclosing information accidentally. 

Secure BYOD for remote working

By having online-only work, your employees will use a number of devices to access business data, like Windows and Mac OS machines and mobile devices. A comprehensive security suite such as Microsoft Information Protection has encrypting standards that will work on all of them. 

If you’re unsure on the right way to secure BYOD for remote working and set up policies, we can discuss other ways of working with BYOD. For example, we offer Windows Information Protection setup services that secure employee-owned devices from data leakage and other security incidents. 

The MIP setup takes time and IT knowledge

Microsoft Information Protection is definitely an all-encompassing solution that addresses the risks of remote work well. It secures access to sensitive data and documents, grants permissions to the right stakeholders, and ensures all your business data is safe even if it’s somehow accessed without authorisation. 

But there is a downside to it: It takes a lot of time to set up such an extensive system for someone who never had to deal with it. Even if you have an IT professional on your team, chances are, they will need to ask for help. Only those with knowledge in Active Directory, a good comprehension of Microsoft licensing, and previous experience with Microsoft or Azure Information Protection itself can set it up. 

One error in permissions and labeling, and you can lock yourself out from your own documents, even if you are the admin. Or if you miss it during setup, the system might not flag important documents correctly, making them easily accessible by someone without permission.

Learn more about how we can help here:

Advanced Office 365 Security for Remote Working

Professional setup saves time and money

Towerwatch has many years of real-world experience with encryption. We have been working with Microsoft Information Protection and setting up automatic encryption protocols for global brands even back when MIP was still known as Azure Information Protection. 

Now you can rest easy knowing it’s set up properly and that all documents and communications are secure. You will efficiently eliminate the risk of costly mistakes that could result in regulation breach fines or loss of customers. 

To find out more about how we can secure your business operations with a future-proof cloud-based solution that will continue working even if you decide to go back into office, book a consultation with Microsoft Global Professionals for MIP, and our initial session HERE

Our initial session is priced at £250, and for this investment, you will not just cover the session cost, but also get a comprehensive overview of the current state of your cybersecurity solution and work-from-home compliance status. When you decide to move forward to the next stage, this investment will also be deducted from the project fee. 

Book your initial session HERE.

Posted on

6 Ways Your Marketing Is Breaching GDPR

Marketing breaching GDPR is a real issue! The General Data Protection Regulation (GDPR) has had a profound impact on how businesses communicate with prospects and customers, and how they conduct their marketing. There are still businesses that believe that once users consent to their marketing campaigns, they can use the gathered personal data however they want.

But this can get you in a world of trouble!

GDPR is much more complex than getting consent from visitors and users. While many news outlets have placed emphasis on how consent is handled, it’s actually about the way businesses handle and protect personal data, what they use it for, and how they seek permission to use it.
GDPR is not a directive – it’s a regulation, and it’s legally binding. Companies could easily breach GDPR with their marketing efforts, and here the 6 common ways it can happen:

#1 Contacting people without active consent

GDPR regulates consent in extensive detail, and according to their regulations, consent must offer real choice, and users have to be in charge! It needs to be prominent, and users should have no issues understanding it. It should also be always requested on its own, not as part of any terms or conditions.

The only valid consent according to GDPR is a positive opt-in and requires you to disclose any third-parties that rely on that consent. You should also provide an easy way to withdraw consent.

#2 Automatic opt-ins

Automatic opt-ins were a common method to trick users who weren’t paying attention to consent. Such tactics are considered predatory and are considered marketing breaching GDPR tactics. Any tick boxes that are pre-ticked or say “click to opt OUT” are a huge breach.

Remember: The only type of consent accepted under GDPR is a positive opt-in.

#3 Poor lead lists and storage

Where are you storing your lead lists? While it’s very convenient to have them readily available on a shared Google Drive or OneDrive document, that’s a very poor practice and definitely a GDPR breach if you have the link set to public for sharing.

Your leads list should be secured and encrypted, and shared only on a need-to-know basis.

How long you keep the information is also important. Under GDPR’s data minimisation principle, holding information for too long is a marketing GDPR breach, so it’s important to delete it as soon as you don’t need it.

#4 Obtaining lists without confirmation of consent

One way marketers fill up their sales pipeline is with purchased lead lists. There’s a lot of third-party lead generator sites that are willing to sell lists to you. But you have to be careful when buying lists.

If these generators don’t have active consent from users on distributing their data to other parties, then YOU will be the one who’s breaching GDPR as soon as you contact those prospects.

You always need to have proof that they consented to be contacted by you, whether they gave the consent to you directly, or through third parties.

#5 Ignoring erasure requests

Users who have given consent to collect and process their data have the freedom to withdraw that request at any time. They can also request that you delete all the data that you have gathered on them. Not answering those requests is considered marketing breaching GDPR.

Do you know how to erase data? Do you know how much time you have to get back to them once they send a request?

GDPR states that you must act within a month of receiving the request, but there are also instances where you can extend response times; for example, when the user made multiple requests or in case the request is very complex.

#6 Accidentally sharing email addresses

Accidentally sharing any personal information is considered a breach under GDPR.

Surprisingly, emails are a very common reason behind a data breach. Emails that are sent to the wrong recipient are the most common mistake, as well as emails with unprotected attachments.  

An accidental data breach is still a data breach, so make sure your emails are secured and encrypted. This way, even if they are accidentally sent to wrong recipients.

Update: The ICO is sharing more and more information on specific circumstances and it’s interesting to note that a business email is protected under GDPR IF it contacts the ability to identify someone properly. The most common way is: [email protected] so with that in mind you should be wary about contacting businesses as well! Check out this page by the ICO about marketing to businesses here: https://ico.org.uk/for-organisations/in-your-sector/marketing/the-rules-around-business-to-business-marketing-the-gdpr-and-pecr/

For more information on GDPR email compliance, check out the 5 ways your emails could be breaching GDPR HERE >>> https://towerwatchtech.com/5-ways-your-emails-could-breach-gdpr/

Have more questions? Check out our Smiley Geeks IT Help Membership from only $69 a month!

Posted on

The Importance of Cybersecurity for Businesses in 2019

feature image for the importance of cybersecurity in businesses in 2019 post

Cybersecurity is a vital part of every business that deals with any type of sensitive data. With online threats becoming more diverse every day, and the increasing regulations like GDPR. It is imperative that businesses stay on top of the latest cybersecurity developments for 2019.

Here are the most important things to consider when looking for ways to improve cybersecurity for businesses:

Hacking Is an Industry Now

Hacking has become a lucrative industry, with certain types of data being more valuable than others. Medical records, for example, are worth ten times more on average than credit card details.

Because there is so much money involved in hacking, it is not surprising that hackers are launching highly sophisticated attacks that are hard to detect and can be disruptive not only to normal business operations, but also to wider government-operated systems, like power grids for example. As such, hacking threats should be taken seriously, because a data breach can easily bring your business to a halt or end it altogether.

It’s Harder to Detect Breaches

Ponemon’s 2018 Cost of Data Breach Study states that it takes 197 days on average to detect a breach. After that, it takes another 69 days on average to contain a breach. This is a very long time for a breach to go undetected, costing businesses millions. For smaller companies, such a devastating breach could mean the end of their operations. Larger companies have an easier time to recover, but it still takes months or years.

A breach doesn’t just cause loss of revenue, but also reputation, customers, and missed opportunities, as well as any damages that have to be paid after the breach.

Third-Party Apps and Vendors Are Common Vectors of Attack

With cloud computing being the new norm, it can be hard to confine sensitive data within an isolated data centre in your office. The majority of data today is stored in the cloud, with many businesses sharing data no only internally, but also to external third-party vendors or applications.

If these apps or vendors do not take adequate security precautions resulting in a data breach, the business can still be held accountable for the loss of sensitive data. Make sure then to check all third-party vendors your business deals with.

Data Protection Is More Important than Ever

Businesses who don’t invest in cybersecurity should be held accountable. It doesn’t really matter whether it was just an oversight or due to negligence – if the someone steals valuable data, there should be serious consequences.

Lawmakers are becoming aware that cybersecurity is an important aspect that needs to be regulated seriously. We are already seeing the adoption of stricter laws and regulations – the General Data Protection Regulation (GDPR) is just one of them.

Not only do such laws and regulations force businesses to improve their security, but they also help protect users against predatory practices like selling data to third parties without the user’s explicit consent.

Any business who is serious about what they do should have transparent data collection and usage policies. They should have adequate security and encryption for their data.

AI Helps Companies Protect Against Attacks

Advancements in AI and machine learning have made predictive analytics an ally against cyber attacks. Businesses have more overview of their real-time security than ever before. And predictive analysis helps them promptly detect anomalies in their operations. This is especially beneficial for the financial sector such as banks, and other businesses will reap the benefits as well.

As a business owner, you should be aware of the cyber threats lurking about. Know also that no target is too small for hackers. Make sure to update all your software regularly and educate your employees. Ensure that any third-party vendors or applications you deal with are taking cybersecurity seriously too.

Posted on

6 Hospitality Businesses Who Faced Data Breach Fines

hospitality data breach fine

Contrary to popular belief, the hospitality industry is an excellent target of cybercrime because of the sheer amount of personal and sensitive data held. In fact, there are several businesses that have already faced data breach fines.

Every day, hotels, hostels, and restaurant chains handle credit cards, emails, contact preferences, home addresses, and other sensitive data from millions of customers, and hackers want to get their hands on that information.

A data breach can go undetected for quite a long time, as some of the cases below demonstrate, which would only increase the GDPR fine nowadays!

Here are 6 hospitality businesses who have recently faced data breach fines, and the cybercrime that caused them.

1. Hilton Fined $700,000 After Taking 10 Months To Notify Customers of Data Loss.

Back in 2014, Hilton hotels were a victim of a data breach, followed by another breach during 2015, which resulted in the data loss of over 360,000 customers. The data that was stolen held sensitive information like credit card numbers, names, addresses, and more.

The biggest issue is that Hilton failed to inform its customers about the breach in a timely manner. It took them ten months after they learned about the breach to inform their customers. This resulted in a $700,000 fine for lack of adequate security and failing to inform customers about the breach. If this had happened recently, their fines would be much higher under GDPR –  they would probably have to pay around $420 million.

2. Radisson Hotels Face Potential GDPR Fine

Radisson Hotel Group faces fines under the newly adopted GDPR. The breach was discovered in 2018, with Radisson claiming to have promptly informed the EU regulators within the 72-hour timeline. It was detected in the Radisson Rewards database, and some members of their Rewards programs were compromised.

Apparently, credit card or passwords were not stolen. Stolen data included names, addresses, email addresses, company names, Rewards member numbers, and frequent flyer numbers. As a result, the hotel chain might be facing a €10 million fine.

3. Trump Hotels Pay $50,000 After Not Informing Customers About Breach

Even Trump hotels aren’t spared of data breaches. The hotel chain suffered a data breach back in 2014 when over 70,000 credit card numbers and other personal data were stolen via the payment processing system that was infected. The now president Trump agreed to cover the $50,000 fine that was issued because the hotel chain didn’t bother to inform their customers about the breach even though they knew about it for months.

4. Wendy’s $50 Million Settlement

Restaurant chain Wendy’s had to pay a hefty fine because of the data breach that happened in 2015 and 2016 when 1,025 POS systems used at their locations were infected with malware that led to a lot of stolen credit card info. It is reported that over 18 million cards were compromised in the breach.

Many of these cards were used to commit fraudulent online purchases. As a result, Wendy’s had to face a class action lawsuit from affected financial institutions and consumers. Wendy’s reached a settlement that required them to pay $50 million by the end of 2019.

5. Zippy’s Restaurant $725,000 Data Breach

Zippy’s restaurant chain based in Hawaii suffered a data breach in November 2017. They first discovered the breach in March 2018. All cards used during that time might have been affected. The compromised information included credit card numbers, expiration dates, names, and security codes.

There is no information about how many customers were affected, but a class action lawsuit was filed against FCH Enterprises, the owner of Zippy’s Restaurant. It’s worth noting that not only the restaurant chain was affected. The other franchises held by FCH – Napoleon’s Bakery, Kahala Sushi, Pearl City Sushi, and Pomaika’i Ballrooms. FCH reached a settlement and agreed to pay $725,000.

6. The $915Million GDPR Marriott Case

Probably the case that got most traction is the large data breach that occurred with the Marriott hotel chain. Personal data and credit card details, even passport numbers and dates of birth of more than 500 million of their customers were stolen. The Marriott group includes hotel chains such as Sheraton, Westin, W, Le, Meridien.

The breach was first discovered in September 2018, while detailed investigation revealed ongoing unauthorized access dating back to 2014. They did encrypt sensitive data such as credit card information. However, the group stated they cannot be sure that encryption keys were not stolen too.

The most concerning part is that this was ongoing for four years, meaning security monitoring profoundly failed. The fine: $3.5 billion dollars plus $915 million from ICO GDPR.

With the rising risk of data breach and rising prices of fines, make sure you protect your customers’ sensitive data. This is especially true with the GDPR in place. By doing so, you avoid fines and ensure your guests rest easy knowing their personal information is safe with you.


Posted on

5 Reasons Hospitality Businesses Get Hacked

hospitality business hacking

The last several years have revealed that hospitality businesses are vulnerable to cyber attacks. Many major hospitality players being victims of cybercrime that was in some cases undetected for years. In a separate post, we have cited six hospitality businesses that faced data breach fines resulting from hospitality business hacking.

Hackers are becoming increasingly innovative in ways they gain access to secure hospitality systems. In contrast, the hospitality sector is lagging behind in security measures. Businesses often don’t treat cybersecurity as a priority but prefer to focus on customer experience only, which can have far-reaching consequences in case of a breach.

The most common factors that contribute to hospitality business hacking and data breaches include the following:  

#1 The Number of People Involved

It is the nature of the hospitality industry that makes hospitality businesses such targets – there are so many customers and staff involved that hackers easily benefit from those numbers.  Sooner or later, somebody will make a mistake and click on a malicious link delivered into their inbox from a spoofed email address, and that one click is often enough to get access to everything.

Once inside, hackers will easily find employee credentials to get access to sensitive information, such as customer names, emails, addresses, current residence, credit card information, loyalty programs and points, and more, and use all that information for monetary gain or to sell it on the dark web.  

Another big issue that contributes to the high vulnerability of the hospitality sector is the current hospitality retention rates. Retention rate in the hospitality industry is quite low in comparison to averages or other industries. In the UK, the annual staff retention level is just over 70%, which is concerning since the average retention is usually around 85%. Not only are staff usually less interested in the long-term protection of the business, but frequent changes of users and passwords often leads to bad practices like sharing or logging in for each other.

#2 Unsecured Networks Result in Hospitality Business Hacking

One of the easiest ways hackers are able to access guest and employee data is through Wi-Fi networks that are poorly secured and unsecured. While it’s hard to make sure a Wi-Fi network is 100% secure against attacks, hospitality businesses can do a lot to minimise the risk.

First of all, a network should never be unsecured. While it might seem like a great perk – use your network easily without having to ask for a passcode – this also means that anyone can access it, hackers included. The passcode should always be complex to avoid hackers simply guessing it. Businesses should avoid setting up “12345” or the business name as the passcode.

In addition to the right encryption settings for all the networks, it’s important to separate them too. Guests should always have a separate network for all their devices. Sharing the same network for business devices and guest devices is a recipe for disaster. Some of your guests may not be as innocent as they appear. They may be accessing your internal systems and data whilst also enjoying your coffee.

#3 Lack of Understanding

Another fault of many businesses in the hospitality industry is their lack of understanding of cybersecurity. Hotels are now interconnected digital systems that compete for customers by introducing new digital experiences. As such complex systems, they have a large number of endpoints – like the above-mentioned Wi-Fi networks, but also HVAC systems, Points of Sale (PoS), electronic door locks, smart devices – through which customer data is accessed and stored.

It’s true that they do adopt new technology and software to streamline their operations. But their outdated security measures don’t cover new security threats. You see, each of the endpoints used can also be an entry point for hackers to steal data. Sometimes, it’s enough to delay updating your PoS system for hackers to get a successful entry.   

Because hospitality businesses deal with such a large amount of sensitive data daily, it’s of utmost importance that they also understand the risks that come with the benefits of new software and tech solutions.

#4 Cybersecurity Isn’t Their Focus

Most hospitality businesses will agree that customer satisfaction and the overall experience with their brand is what matters most. The competition is fierce, and it’s very easy to lose customers. In their battle to retain customers, they will often prioritise to spend their money on user experience. As a result, they streamline all their internal operations towards this goal.

Providing a seamless experience in every single one of their locations require interconnection of all hotels from the same chain. For this reason, they are able to easily share their data on customers between locations. This way, the customer’s preferences when it comes to rooms and suites and other data that help make them feel welcome is accessible at any time, no matter which of their hotels the customer walks into. Such data sharing happens within the hotel chain national network, which all hotels have access to.

This interconnectedness can have far-reaching consequences – just one breach into a single hotel from the whole chain is enough for hackers to quickly gain access to their whole system and steal information from central data points.

#5 Lack of Education Lead to Hospitality Business Hacking

With a lack of understanding of why security systems are crucial for all the digital systems in the hospitality industry, cybersecurity is often put into the back seat. This, in turn, results in a severe lack of education for staff members and partners.

If employees working in hospitality do not know how to spot risks, the chances of hospitality business hacking skyrocket. Not all employees are tech-savvy or IT professionals. Some of them don’t know how to spot a phishing attempt. However, with the right training, you can greatly reduce the chances of being hacked.

The best approach here would be to have cybersecurity staff that will take proactive measures to keep all systems secure. Therefore, it’s not a bad idea to appoint a Chief Information Security Officer (CISO) who would oversee all security-related operations. The CISO ‘s responsibility includes setting up a plan in case a breach happens.

The Right Measures Help Detect a Breach Quickly

The hospitality industry will remain a high-risk target for cyber attacks, and there will always be a risk. However, taking the right countermeasures will minimise hospitality business hacking. This ensures that if a breach does happen, there are rules in place that will help detect it quickly. Consequently, businesses take the right course of action.

Posted on

How to Stop an Email Being Forwarded (for Free)

handing a piece of paper off over the table. How to stop emails being forwarded feature image

The risk of a data breach is higher than ever and still, not many people realise that your emails can be a breach of GDPR!  

All it takes is for someone to forward an email containing sensitive data to unwanted 3rd parties and bada bing, bada boom, you’re in breach.

(there are other ways your email can breach GDPR – check those out here)

So, how do you solve this?

GDPR Email Security in the Data Protection Era

Small and micro-business owners or entrepreneurs aren’t exempt from GDPR and they must still find solutions that will make them compliant.

While large enterprises have the means to implement the newest security measures easily, smaller businesses and entrepreneurs just don’t often have access to the right technology.

The simplest way to protect the data is to encrypt your email so you retain control over all data you send. Encryption ensures that only the contents of your email are accessible by the right recipient. If somebody else gets it by mistake or because it was forwarded, they won’t be able to read the contents.

The alternative is having a ‘Do Not Forward’ function on that prohibits the receiver from forwarding the email in the first place. Best case, you have both in place for full protection

How to Encrypt Your Email Messages

You can do this with Microsoft Azure Information Protection (AIP), which helps businesses classify and protect emails and other documents with a labelling system.

This system can even automatically detect sensitive data when configured correctly. With AIP, only the rightful recipient can read the email, and they won’t be able to forward it to anyone.

Unfortunately, this solution can be pricey for smaller businesses and the tool is focused towards the larger enterprises.

Smaller businesses and entrepreneurs need to look elsewhere.

My Protected Mail Helps You Keep Email Data Confidential

This is where My Protected Mail can help you here. This solution is similar to AIP but specifically focuses on providing services to small businesses, micro-businesses, and individuals. My Protected Mail offers encryption services (EaaS – encryption as a service) for your email communication. This benefits business owners because:

  • My Protected Mail not only uses the same principle as AIP but also the same architecture – it’s powered by Microsoft 365 Azure Information Protection.
  • The encryption process is automatic and super easy to use. When emailing through My Protected Mail, it will be encrypted automatically, giving you control over all data you are sending.
  • Each email you send through the system is also automatically flagged as “Do not forward.” This ensures all contents of the email stay with the recipient and cannot be shared with other parties.

 

How to Use My Protected Mail to Encrypt Email Messages

My Protected Mail is a cloud-based solution and doesn’t require any additional software installation on your part; you just need to make a few changes in the way you send your email. Here’s how:

    1. Instead of putting the recipient address into the recipient header, you will put [email protected] in there.
    2. The recipient email address goes to the Subject line instead.
    3. When you have finished writing your email, hit Send, and that’s it!

(Plus it works on whatever device or service you’re using so can work on a MAC too)

Sending Encrypted Email From a MAC

The recipient will get an email that will require an OTP (one-time passcode) to access the email. This passcode is received once the recipient clicks the link “Sign in with a one-time passcode.”

The best thing is you can try it out for free as the Free plan allows you to send up to fifteen emails per month and includes basic reply functionality (meaning you will continue the conversation protected).

Posted on

How Much Does Azure Information Protection Cost?

How much does Azure Information Protection Cost Feature Image

With increasing cyber security threats as well as GDPR (General Data Protection Regulation) having taken effect from 25 May 2018, businesses need to protect their sensitive data.

One of the ways we recommend to our clients is by using Microsoft’s Azure Information Protection (AIP) as a way of protecting and automatically encrypting sensitive information. But, a common question we get asked from unsure businesses, is the bottom line:

‘How much does Azure Information Protection cost?’

This article explains the breakdowns of pricing, as well as the effect your business will have on the price, to hopefully make it easy to understand!

How Your Requirements Affect Azure Information Protection Price

The pricing of Azure Information Protection is different for every business, and will depend on::

  • The Office 365 Suite you have – If you don’t have an Office 365 subscription, you will have to choose one that includes Azure Information Protection or get AIP as a stand-alone subscription.
  • Your business size – Because the price is calculated on a ‘per user’ basis, the higher the number of users, the higher the price.
  • Your business requirements – This is mainly on the AIP modules you will use. The more modules you use, the higher the price.

Azure Information Protection Cost Breakdown

Azure Information Protection consists of two parts:

  1. The classification and labelling of data
  2. The encryption and rights management (RMS)

To be fully protected, you will need both.

There are several Office 365 subscriptions that include the Azure RMS option. AIP is part of the:

  • Office 365 Enterprise E3
  • Office 365 Enterprise E5
  • Microsoft Enterprise Mobility + Security E3 and E5 plans.

If you have a plan that is not included above, you can still get Azure Information Protection without switching. AIP RMS is available as a stand-alone add-on that can be purchased separately.

There are three pricing groups for Azure Information Protection:

  • AIP for Office 365 – £1.50 user/month
  • AIP Premium P1 – £1.60 user/month
  • AIP Premium P2 – £4 user/month

Azure Information Protection Business Costs

The pricing for Azure Information Protection is calculated as follows:

(Office 365 plan cost/month per user + AIP cost/month per user) x Number of Users = Total Monthly Cost.

Here’s an example:

You have an Office 365 Enterprise E3 Subscription – the price is £17.60 per user/month.

You also need the Azure Information Protection Premium P2 – the price is £4 per user/month.

The total price per user per month is £21.60.

You have 50 users, so the price will be £21.60 x 50 = £1,080 per month for all your users.

How to Buy Azure Information Protection?

There are two options when buying Azure Information Protection:

  1. You can get it as a stand-alone option
  2. You can buy it as an integral part of the Microsoft licensing suite, such as the Microsoft 365 Enterprise or the Enterprise Mobility + Security Suite.

The license for AIP can be bought in the form of a user subscription directly on the Microsoft website, through the Microsoft Enterprise Agreement Volume Licensing program or through the Microsoft Cloud Solution Provider program.

Are you unsure on which Azure Information Protection package you need? Contact us and we can help determine which AIP deal is the right fit for your business needs to secure your data. Then, implement it with you.

Posted on

How to Hold an Azure Information Protection Staff Training

How to Hold an Azure Information Protection Staff Training feature image

In light of the latest data security climate, where a risk of a breach is higher than ever, it is of utmost importance to keep valuable data safe. Microsoft’s Azure Information Protection (AIP) helps in achieving this goal and it’s the solution we recommend.

Particularly when you consider that the UK average cost of a data breach is close to £2.87 million ($3.68 million) according to a recent report from the Ponemon Institute.

Azure Information Protection is a cloud-based data protection solution that keeps data safe through advanced encryption, identity, and authorisation policies.

But. 

Adopting AIP isn’t enough – you need to train your staff on how to use it properly. Newly accepted regulations like the EU General Data Protection Regulation (GDPR), combined with concerns about what awaits the UK in terms of free data flow after Brexit, make data security an important aspect to every company, so it makes sense to invest into Azure Information Protection staff training.

Ensuring Your Employees Are ‘On Board’

Change is something many employees are not fond of, so getting them on board with Azure Information Protection Staff Training is the first thing to do before you begin with implementation and actual training.

When your employees are educated on GDPR and data breach consequences, they will become more engaged in Azure Information Protection staff training. Not being compliant and risking a breach could cost them their job because many businesses that suffer a major data breach never recover. 

But, how do you do hold Azure Information Protection Staff Training?

Step #1 Educate on the Risks

Start by making your staff aware of the dangers of security breaches and just how little it takes for one to occur if data protection is lacking.

Step #2 Explain Their Role in Compliance & Data Protection 

Many employees are not aware of just how important they actually are in keeping data safe. Start by explaining their role in the company security and compliance. Explain that whenever they send data – be it email or access to a folder – to somebody inside or outside of the company, it can be a security risk. The risk here is that often there are no resources that would monitor or restrict misuse of that shared data.

The most recent statistics included in IBM’s Cost of a Data Breach Report show that a staggering 27% of all data breaches that happened was caused by a human error – in other words, employee negligence was the cause.

Think about the following scenario: You are sending sensitive financial data to an outside partner. The partner is negligent and sends this confidential data to parties that should not have access to it. This constitutes a data breach.

A data breach has serious consequences far beyond actual financial costs including:

  • Hacking
  • Downtime
  • Loss of customers
  • Loss of personally identifiable information (PII) from customers and employees
  • Loss of intellectual property
  • Loss of financial information
  • Breach of data protection laws
  • Legal fines and claims
  • Reputation damage

Step #3 Show Why Azure Information Protection is the Solution 

Proper training will help reduce the risk of a data breach as a result of human error. Before you fully implement AIP, ensure your staff become familiar with all the features and that each department knows how to utilise its full potential. 

Explain how Azure Information Protection works and how, when integrated, in the organisation it can help on an operational level. 

Step #4 Show off Features They Can Use

During Azure Information Protection staff training, the focus should be on providing specific and detailed guidelines to each department. Present all the important features that AIP offers:

  • You Can Classify Your Data – AIP helps classify and label data based on how sensitive it is through a system of labels that automatically protect it once applied.
  • 24/7 Protection – Once you classify data and protect it, it stays protected. AIP follows data and ensures it’s protected even when shared outside of your organisation or stored on an external device.
  • Track Data and Revoke Access  – AIP helps you track what is happening to data you have shared, and in case it’s needed, you can easily revoke access.
  • Log and Report Support Compliance – Get access to powerful features that help analyse and monitor usage of data. The reporting feature helps maintain compliance with rules and regulations.
  • Safe Collaboration – Thanks to labeling and classification, you have complete control over who has access to data and how they can interact with it.
  • Microsoft Office Integration – AIP is integrated into MS Office so you can secure any document with a single click as well as automatically in the background. 
  • Easy to Manage and Deploy – AIP works in the cloud and on-site equipment too.

Step #5 Make it Specific

Once done, provide each department with detailed guidelines and best practices for using AIP specifically for them. For example, teach your finance department staff on how to use AIP features like the Do Not Forward Button or Sensitivity Bar, or your marketing department on how to apply AIP labels and send data to external partners.

If you want to make your AIP staff training easier, we’ve created an Azure Information Protection Staff Training Course on The TowerWatch Academy.

Posted on

8 Signs Your IT Managed Service Provider Is GDPR Compliant

GDPR Compliant IT Managed Service Provider Feature Image

Before hiring an IT managed service provider you need to make sure they are GPDR compliant, and capable of making sure your business technology is compliant too. You can’t afford not to.

With the recent GDPR regulations that came into effect in May, no matter how big or small your business is, you still need to comply.

But, that’s not all. 

Under the GDPR, any 3rd parties that handle sensitive information on your behalf are processors, and your duty is to make sure they know their responsibilities too. Your service provider falls into that category. Here are 10 signs that indicate they have taken the appropriate measures to be GDPR complaint as well.

1. They can answer your questions on GDPR and how it relates to technology. 

Your GDPR compliant IT managed service provider (MSP) should be able to provide clear answers to any inquiries related to the GDPR. They should have details on the type of data they manage and how it’s being stored, processed, and protected.

They should be able to explain what steps they are taking to ensure that data is safe, and they will be able to provide you with proof of how they are doing that.

Then, they should be able to explain how they can help your specific business do the same. 

2. Their GDPR compliance is reflected in their contracts 

To ensure that they are compliant, your managed service provider should have included GDPR principles into their contracts. Since they are exchanging data with you, the contract should reflect the GDPR regulations. If you have an ongoing contract with your MSP and it wasn’t updated yet, contact them ASAP and demand the update.

They should also have an up-to-date and compliant privacy policy. 

3. They are ICO registered 

Most MSPs will need to register with the ICO, some will need to pay a fee while others won’t. Only data controllers have to pay the fee, and if that applies to them you should be able to find them on the ICO public register

Note: It’s highly likely they will need to be registered with the ICO. However, this is not always the case with every business. If they aren’t registered they should be able to demonstrate why they are exempt. 

4. They honor new personal data rights

GDPR clearly states that individuals are the owners of their data and have specific rights pertaining to their data:

  • They have the “right to be forgotten” and can request that all their data be erased. When such a request is received, it should be solved within a month.
  • They should be informed about any usage of their data.
  • They have the right to request copies of their data.
  • They also have the right to correct any data collected on them.

MSPs should have policies in place that honor every single one of these rights. Although this places an extra burden on how they are handling data, not adhering to it can jeopardise them and the data they are processing.

5. They understand GDPR compliant tools

Since your MSP regularly exchanges data with you and others, they should ensure that data can never be accessed by an unauthorised party. This can be done through encryption and other security policies that keep data safe wherever it is.

Now imagine your MSP is storing data outside of the EU their data centres are located in the US. Because they are still handling data from EU citizens, it still falls under the GDPR jurisdiction and should be treated as such. This means that no matter the location, that data should be protected in a compliant way.

7. They have updated their own practices

It’s easy to say you’re compliant but often companies will still be using their original bad practices. For example, automatic opt-ins, ignoring erasure requests, or using old lists without the proper consent. 

8. Understand their own processes that collect and store data

Your MSP should be able to tell you which stages of their process they collect data, how it’s stored and in what way it is used. That should be part of their road to compliance. If they can’t they may not have been as thorough as they first appear. 

Signs Your IT Managed Service Provider is NOT GDPR Compliant

1. They say “GDPR doesn’t apply” 

This can be a major red flag. Because in most circumstances it will apply to some degree or another. Those who aren’t compliant often use this as an excuse but ignorance won’t stop their fines (or yours) if you work with them. 

2. They aren’t willing to sign data processing agreements

A data processing agreement is needed for data controllers to use a data processor under Article 28. If this applies and your MSP is unwilling to sign, AVOID! 

3. They have a ‘GDPR certification’ 

At present (Dec, 2018) there is no form of official GDPR certification/qualification or body of official training that gives this any weight. Of course, there are many training programs which can be helpful in providing education, but you cannot be ‘GDPR certified’ or ‘GDPR qualified’ as a company (yet.) This ‘qualification’ or training does not equal compliance. 

Hopefully this has made it easier for you to determine the fact from the fiction when it comes to finding a GDPR compliant IT managed service provider! 

If you wish to make sure your data is safe and compliant, we can help. Contact us today and let us help you set up the highest security standards for all your data requirements.