Posted on

How Azure Information Protection Can Be Used in GDPR Email Compliance

Today, businesses make data-driven decisions in order to gain a competitive edge. If your business handles personal data from customers, it must comply with the EU's General Data Protection Regulation (GDPR). That means disclosing how it handles personal data and ensuring that the data remains safe.

Why You Should Use Azure Information Protection for GDPR Emails

Sending sensitive data internally or to recipients outside your company carries a certain risk. Every email you send could lead to a disclosure of sensitive data, which can constitute a personal data breach under GDPR. Investing in the protection of the emails and files you send is therefore crucial.

Azure Information Protection helps keep your emails safe through encryption and protects data at the file level, so any attachments you share are covered too.

It’s a great solution that we recommend to our clients and one we can deploy seamlessly.

While GDPR email compliance may seem like just another regulatory hassle, it is actually an opportunity to invest in your company's digital security. The most recent data from the Ponemon Institute shows that the average cost of a data breach is rising steadily: the 2018 study puts the global average at $3.86 million.

If that’s not enough to convince you, why not use IBM’s data breach cost calculator and see what yours could actually cost.

The Latest Data Breach Report Shows a Troubling Trend

A data breach carries serious consequences across the whole business: financial, sales, marketing, safety, you name it. The 2018 Cost of a Data Breach Study identifies three root causes of a breach, with the global split being:

  • Malicious or criminal attack: 48% of all breaches
  • System malfunction: 25% of all breaches
  • Human error: 27% of all breaches

The report shows that human error was the reason behind a data breach more often than a system malfunction was, while malicious and criminal attack took first place.

Note: human error here covers careless insiders only, while malicious attack covers insiders, third parties and contractors who caused the breach intentionally.

In the UK specifically, malicious and criminal attacks accounted for 50% of all breaches, human error for 26%, and system glitches for only 24%.

In other words, as many as 76% of breaches in the UK stem from either negligence or malicious intent.

Neither cause can be engineered away, but the damage they do can be vastly reduced by file and email encryption such as Azure Information Protection: a protected file that is mis-sent or stolen is unreadable to anyone who has not been granted rights to it.

How AIP for GDPR Emails Keeps You Compliant

Azure Information Protection (AIP) is a cloud-based service that lets you protect sensitive and confidential data through encryption. You can protect local data you keep on your devices or data that you store in the cloud. Because the protection is applied at the file level, it travels with the file: when you send that data outside your company, the encryption stays in place.

This means that even if you are compromised, documents that are taken cannot be read or decrypted by anyone without rights to them. Likewise, an intercepted protected email cannot be read unless the intended recipient authenticates.

Ultimately, AIP can’t stop your users from making a mistake, but it can support them and arm them with the tools to protect company data properly.

Azure Information Protection Protects Against Malicious Intent

For example, if one of your employees or a third-party recipient passes a protected file to an unauthorised person, that person will not be able to open it. AIP also has a feature called Do Not Forward for GDPR-compliant emails. When this option is applied, the recipient must authenticate before they can even view the email, and viewing is all they can do: they can't forward, print or copy it from within Outlook. One caveat a practitioner should know: it cannot stop a recipient photographing the screen or using a third-party screen-capture tool, so it is a control against careless and casual leakage rather than a determined insider. It ensures the email is for the recipient's eyes only and that they cannot cause a data breach by forwarding it on to non-approved users, which would be a GDPR violation.

Supported documents attached to these emails (Office files, for example) inherit the same Do Not Forward protection and carry the same restrictions.
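As an added example (this is not code from the original post or from Microsoft), the PowerShell below shows the two sides of what the text describes: a mail flow rule that applies the Do Not Forward template to outbound mail flagged as personal data, and a check of a file share for documents that are not yet protected. It assumes the ExchangeOnlineManagement module and the AIP unified labeling client are installed and you are signed in as an Exchange admin; the rule name, keywords, share path and label GUID are placeholders.

```powershell
# Added example (not code from the original post or from Microsoft).
# Assumes: ExchangeOnlineManagement module + AIP unified labeling client installed,
# signed in as an Exchange admin. Rule name, keywords, share path and label GUID
# below are placeholders.

Connect-ExchangeOnline

# 1. Mail flow rule: outbound messages flagged as personal data get Do Not Forward.
#    The keyword condition is deliberately simple; in production, key the rule on
#    a sensitivity label or DLP sensitive-information types instead of words.
$ruleName = 'GDPR - Do Not Forward personal data'
New-TransportRule -Name $ruleName `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords 'Personal data', 'GDPR' `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -Comments 'Recipient must authenticate; no forward, print or copy'

# Confirm the rule is enabled and which template it applies
Get-TransportRule -Identity $ruleName |
    Select-Object Name, State, SentToScope, ApplyRightsProtectionTemplate

# 2. Audit a file share: which documents are not yet RMS-protected?
$unprotected = Get-AIPFileStatus -Path 'C:\Shares\HR\*' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.IsRMSProtected }
$unprotected | Select-Object FileName, IsLabeled, MainLabelName | Format-Table -AutoSize

# 3. Apply a label that carries encryption, so the protection travels with the file
$labelId = '00000000-0000-0000-0000-000000000000'   # placeholder: your label's GUID
foreach ($f in $unprotected) {
    Set-AIPFileLabel -Path $f.FileName -LabelId $labelId
}
```

The rule enforces Do Not Forward regardless of whether the sender remembers to set it, which is the point: the controls above only help when they are applied consistently. Remember the limits mentioned in the text: Do Not Forward stops forwarding, printing and copying inside Outlook, not a photograph of the screen.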

Azure Information Protection Activity

Not only does AIP limit who can view the data, it also tracks how protected documents are being used, which gives you an audit trail to show how personal data is handled when a regulator asks. If you suspect that a document could be used in a way that violates GDPR, you can revoke access to it, even after it has left your organisation.

There is a range of other uses for Azure Information Protection to help keep your company emails and files protected. If you need help learning the ropes or want to deploy Azure Information Protection yourselves, get started today by clicking here.


Technical GDPR Staff Training Essentials


One of the challenges of implementing GDPR for businesses is the technical GDPR staff training.

But, you need to be prepared.

Your organisation’s compliance depends on having informed and well-trained staff, and the larger your business, the more difficult and vital this becomes.

We’ve dealt with many GDPR staff training sessions approaching from the technical standpoint and often consult with organisations to ensure they are passing on their knowledge correctly.

As such, we’ve decided to put together this brief list of essentials for a technical GDPR staff training session to get you started.

Before Your GDPR Staff Training

Data protection should already be part of the company culture meaning that your staff aligns with a privacy-first approach.

In practice: incorporating privacy and data protection into your core values helps you meet GDPR's "data protection by design and by default" requirement. This means that your default settings should be privacy-friendly, and that all processes and operations, from sending GDPR-compliant emails to app development, include data protection measures at their core.

What To Include in GDPR Training Sessions

A well-rounded GDPR training should start with the basics and work towards the technical aspects of GDPR compliance like new policies and frameworks that you’ve adopted as an organisation. Key points to include are:

1. Consent

GDPR requires a lawful basis for every use of personal data. When contacting people, that basis is usually consent or 'legitimate interests', and the difference between the two, and what each permits, needs to be thoroughly understood and explained.

If it is not, any one of your employees could contact someone without a lawful basis, which could lead to a complaint to the ICO and fines. This is currently one of the most misunderstood points of GDPR, particularly for marketers and businesses that thrive on reaching out to potential customers. You and your staff need to understand where the line is, and how not to cross it.

2. The Risk of Non-Compliance

Your staff should learn about all the principles of data protection and be aware of the financial risk of not being compliant, how it hurts reputation, and what disciplinary measures the business (and they) can face. When they can connect the risks and arguments on why GDPR is necessary, they will understand just how important it is.

3. Understanding Your Business’ Role

Ensure your employees understand where your business stands. Participants should learn the difference between data controllers and data processors, which category the business falls into, and the category of any third party you conduct data-related business with.

4. Knowing Regulations & Regulatory Bodies

For example, your staff should know the role of the ICO and the relevance of the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations.

5. Being Specific To Your Business

There’s no point in explaining the rationale behind GDPR and the fines without some context. Your employees need specific guidelines about data-related operations and processes they do daily.

For example, your GDPR email training might be highly technical, so make sure that everyone understands how the new rules affect their daily email communication and work in general, and how they improve things.

6. New Company Policies

Your business' policies should be at the core of the staff training. Ultimately, you are the ones who police your own staff, and a policy that is enforced company-wide is more likely to be adopted (and stuck to).

Every department should be aware of new company policies that ensure GDPR compliance and how they affect them – from developers working on a new app to the sales team dealing with customer data, to marketing staff sending out emails.

7. How To Spot Data Breaches

Staff should also learn how to recognise red flags. A personal data breach that is likely to put individuals at risk has to be reported to the ICO within 72 hours of the organisation becoming aware of it, so knowing how to spot one quickly is crucial. They should also learn the correct procedure in the event of a breach: who to report it to in the company, and whether additional measures (such as containing the affected systems) are needed.

8. Subject Access Requests (SARs)

Under GDPR, a company has to honour a subject access request (SAR): a request from an individual for a copy of the personal data you hold about them. A SAR must be answered without undue delay and at the latest within one month of receipt (extendable by a further two months for complex or numerous requests). Having a policy in place and making sure your staff know how to recognise and route a SAR is key, because the public and customers don't always send requests to the right person straight away, and the clock starts when the request arrives, not when it reaches the right desk.

The Technical Side of GDPR Staff Training

Implementation of new technologies and software solutions that ensure data safety is the next logical step for GDPR compliance. But this can be difficult to implement itself. 

This means that you and your staff will have to learn about new encryption technologies and software you decide to integrate into your business operations.

Article 32 of GDPR lists the kinds of measures this calls for, including:

  • Pseudonymisation and encryption of personal data
  • Ensuring the ongoing confidentiality, integrity, availability and resilience of your processing systems and services
  • Being able to restore availability of and access to personal data in a timely manner after a physical or technical incident
  • A process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures you have implemented

For example, your email communications should be secured through solutions like Azure Information Protection – which provides email and file encryption that protects data in such a way that it’s secure no matter where it goes. Deploying systems like Azure Information Protection across your organisation can be tricky if you don’t know what you’re doing, but training your staff to use AIP should be easy – from GDPR email training to sharing documents securely – to ensure the highest security and your ‘best effort’ towards GDPR.

Continuous GDPR Training Ensures Compliance

The last point to note is that reminders and refreshers are the way to really reiterate the importance of GDPR to your business and to your staff.

Hold refresher sessions after the initial GDPR staff training on a regular basis. Data protection should be ingrained into every single business process. Make sure new members understand this too – make GDPR training an integral part of the onboarding process and make sure it becomes part of your company culture.   

If you need help with implementing Azure Information Protection in your small business, check out our fully comprehensive and supported course here:

https://towerwatchacademy.thinkific.com/courses/get-file-and-email-encryption-for-small-businesses-microsoft-aip-course

Why You Need a Managed Service Provider in Hospitality

With most industries actively embracing digitalisation, the need for having IT staff is more prevalent than ever before. Still, not everyone has the required means or knowledge to set up and manage their IT infrastructure in-house, or enough time to research the best options for their specific needs to keep up with innovation.

The hospitality industry is no exception. Many don't realise how reliant hospitality is on technology, but with booking and ordering systems, guest Wi-Fi and networks, and cloud storage for venues with limited space (to name just a few), it's more important than ever to stay on top of it.

Plus, hospitality means people. With GDPR and its emphasis on protecting customers' personal data, you need to protect both your business and its technology.

Unfortunately, IT support in the industry often doesn't keep pace, and security threats and technical problems are becoming more prevalent. While established players often have dedicated in-house IT staff to manage their needs, not everyone has the means to do so, and some lack the technical expertise to deal with this challenging industry. This is where managed service providers come in.

What Is a Managed Service Provider (MSP)? 

A managed service provider (MSP) is a company that specialises in the management of IT infrastructure and systems for their customers. This management can either be remote or done at the customer’s office. Most often, it is offered as a continuous service for a set monthly fee.

It is different from traditional IT support because it not only covers reactive maintenance, i.e. maintenance when something goes wrong, but also proactive services and system monitoring, as well as cybersecurity, IT consulting, and upgrades. It is a flexible service that adjusts to the needs of each client instead of offering a one-size-fits-all solution.

For example, if a hotel already has a good booking solution that can easily handle peak times during the holiday season, it will not need infrastructure maintenance there, but it might require additional services around its staffing software. A good MSP will adjust to meet these needs.

What Does a Managed Service Provider Do? 

Managed Service Providers cover a broad range of IT support – from infrastructure maintenance to incorporating automation, handling security and compliance matters, or migrating to a new platform. The range of services differs between industries – and even in the same industry – and depends heavily on the needs of each client. An MSP will always provide a fully customisable solution and can do the following:

  • Automate routine tasks
  • Provide maintenance for your entire technological stack
  • Monitor IT infrastructure to ensure all systems perform optimally
  • Develop technological strategies to address current issues
  • Do preventative maintenance to detect loss of efficiency and catch issues early on
  • Implement new technological solutions that scale with your business
  • Future-proof IT systems by upgrading legacy software
  • Apply system and software upgrades and patches to ensure system and data safety
  • Deliver responsive support so that any major IT crisis is resolved quickly
  • Handle data storage and disaster recovery

A managed service provider helps you focus on your business while taking care of your IT systems. They are more than just IT professionals – they align with your goals and ensure your IT capabilities don’t hold you down on your journey to reach them.

Why You Should Work with an MSP 

Employing a managed service provider helps businesses stay on top of the latest technologies and security requirements. MSPs help by identifying flaws in IT systems, operations, or infrastructure and working out the best solutions to improve overall business efficiency in a cost-effective way.

For example, a restaurant needs to sell more seats, not necessarily to own the latest fancy equipment, so an MSP will help identify the best option within budget to suit the individual needs of the client.

They allow businesses to quickly implement new technological solutions and adapt to rapidly changing business environments (particularly when there is a change in legislation.)

They work with their clients to achieve the ultimate goal: ensure the best guest experiences and cultivate guest loyalty.

Here’s some of the ways they do this:

  1. You Get Access to Fully Customisable Solutions – MSPs offer cloud-based infrastructure solutions meaning if you open (or close) a new location, your solutions can be upgraded or downgraded easily to match!
  2. They Improve Your Efficiency and Give You a Competitive Advantage – MSPs have the resources to immediately begin working on specifically tailored solutions that are then deployed and integrated with your existing systems. This process is much faster than it would take to do the research, development, and implementation in-house from scratch. For example, if you wish to update your data storage and improve security systems to keep all guest and consumer data safe, an MSP will do that for you.
  3. They Help You Plan Ahead and Predict Expenses – They help determine peaks in your traffic and help you prepare for it by adjusting your infrastructure to withstand the higher demand. For instance, if you have peak reservations and stays during holidays, your MSP will ensure that your network can carry the increased visitor load and handle billing efficiently.
  4. They Lower Your Business Costs – Instead of using a one-size-fits-all solution that has elements you will never need, you will only pay for services you use and nothing more. In addition to this, they eliminate the costs of hiring, training, and retaining in-house IT staff or hiring emergency or temporary staff only to fix or update your systems. Plus, because they are often on a contract, you get a better rate than if you were to hire an ad hoc IT consultancy firm.
  5. They Eliminate Issues Quickly – Because MSPs resolve issues daily, few unknowns are left. When your business has an IT issue, they will be able to solve it quickly, as opposed to an in-house IT employee who might never have had to deal with that specific issue.
  6. They Help You Focus on Your Business – All businesses have limited resources and focus available, hiring an MSP helps you focus your attention to where it’s really needed – your core business. Leave the IT decisions to them.
  7. They Handle Risk and Compliance for You – Shifting markets and financial conditions make every business decision a risk. MSPs have the required expertise and industry knowledge to choose the best possible strategy. In addition to this, they can help you remain compliant with technology and data protection legislation.
  8. They Keep Your Systems and Data Secure – A good MSP will ensure your systems are fully secure and up to date on security patches. They will handle PCI compliance standards for online payments and reservations, ensure your firewall is active, and your guests’ data and sensitive information are safe.

Who A Managed Service Provider Would Suit Specifically 

Managed services are used through a broad range of industries but are particularly effective in the following:

Hospitality Industry

Hotels, resorts, restaurants, and bars have embraced digitalisation and are striving to offer the best online and in-house experience to their guests, from the initial landing page all the way to booking, reservations, and payment options on the day.

The key challenge to success in the hospitality industry is providing the perfect customer experience. And innovative technology helps you get there.

A growing number of hotels and other key players have migrated to cloud software to improve their business operations and get access to data analysis capabilities to detect trends and potential customers. On top of this, in restaurants or hotels where you can’t have large equipment or server racks, it’s an effective space saver too.

Because the hospitality industry handles vast amounts of sensitive guest and customer data, it requires the right security solutions and must ensure it is compliant with government regulations (like GDPR). Financial transactions play a big role, so sound IT security is a prime objective.

Smaller hospitality establishments often don’t have fully equipped IT teams available, so complementing their existing team or relying on managed services for all their IT needs improves their IT security and quality, gives them access to newest software, and helps them compete with big players.

Small Business Owners and Start-Ups

Small and medium businesses, as well as start-ups, often struggle with keeping up to date on newest IT solutions. It takes a lot of time and money to keep their IT professionals on top of the newest trends and solutions which are often things that a startup doesn’t have.  

Managed Service Providers help SMBs and start-ups with a full suite of IT services that are customised to their needs, goals, and preferences. This brings down overall costs and distributes them evenly throughout the year thanks to fixed monthly fees. Plus, business owners and start-ups get access to the latest tech and software solutions, as well as security options.

Companies With Unfavourable Opening Times

Any company working 24/7 knows that IT costs can run high because you have to hire a team to rotate so you have someone on site. Telephone support only goes so far and hiring emergency IT professionals when something goes wrong can be difficult and costly to fix if they don’t know your business or setup.

Employing an MSP gives them access to IT monitoring and support around the clock, which eliminates overtime pay or shift costs for internal IT staff. MSPs can complement on-site IT staff or act as a standalone solution.

Things To Look For In A Managed Service Provider

A good managed service provider will have the required industry knowledge, qualifications, and certifications to back up their expertise. When choosing an MSP, look out for the following:

  1. Qualifications and Certifications – The MSP of your choosing should be up to date on industry-specific knowledge and have experience working in your field. For example, those working in the hospitality industry should look for an MSP who provides cybersecurity solutions that are compliant with GDPR (if you or your customers are in Europe.) Ensure that the IT professionals who handle your infrastructure have the required certifications, but also experience working with your frameworks.
  2. Partnerships – An MSP that is a senior Microsoft partner, for example, has been vetted by Microsoft and has demonstrated the knowledge and expertise to work with its systems, so you can be confident they know what they're doing.
  3. Pricing, Range of Services, and Customisation – Depending on your needs, you will be able to choose what services you need and which ones you don’t. The right MSP will be flexible and understand your specific needs. They will listen to your goals and get to know your business before offering their services. The pricing options should reflect the services that you will use, and those that you won’t should be excluded from the price. Most commonly, you will be offered a monthly retainer based on the service and level of support that you need.
  4. Service Level Agreements – A good MSP will offer a service level agreement (SLA) that determines all the details, such as quality and performance metrics that should be met, details about liability in case of performance issues or outages, a list of services and responsibilities offered by the MSP, and a framework to resolve service issues.
  5. Availability – Always choose an MSP who provides flexible assistance that includes remote monitoring and emergency support. If possible, opt for one with a local presence so that their professionals can visit your office if needed.

If you’re looking for a managed service provider in hospitality, Contact us HERE today.


20 Computer Malware Signs Causing You a Potential Data Breach

With our increasing reliance on phones, computers, and other internet-connected technology and accessories, security is more important than ever. Being able to recognise when your tech might be compromised can save you from potentially catastrophic losses. It's therefore important to be on the lookout for computer malware signs.

How often do you pay for something using your credit card or online wallet? How many passwords do you have saved or “remembered” so you can quickly log in? Hackers can gain access to your devices in numerous ways, but in many instances, it’s not immediately apparent.

The Current State of Internet Security

According to the Symantec 2017 Internet Security Threat Report (ISTR), 1 in every 131 emails contained malware. Opening the attachment, enabling its macros, or following its link can infect your computer and give attackers access to your personal and business data.

In a business environment on a company network, this can give hackers access to the same shared systems and folders that your computer has access to, leading to a data breach with far-reaching consequences. All it takes is for a high-level executive, member of the C-suite, or HR personnel with access to sensitive records to click that infected email and it’s game over for some businesses. 

Being aware of the dangers and spotting the computer malware signs is, therefore, more important than ever to prevent the disastrous effects of a successful cyberattack. These are the warning signs of a possible data breach and that your system has been infected. 

20 Computer Malware Signs To Be Aware Of

1. Pop-Ups

Very often, malware and viruses will be disguised as regular notifications. Your computer will display the notification, often saying that your PC is infected and offering help to remove the threats. If you accept “help,” you will be prompted to visit a website and leave your credit card information to pay for the service of removing the threat. Even though such an attack pattern is not new and has been present for a while, people still fall for it very often. This is the most common of all computer malware signs.

2. Sudden Sluggish Performance

If you notice that your computer is slower than usual, the first thing to do is check Task Manager. Press Ctrl+Shift+Esc, or hit the Windows key and type "Task Manager".

Once there, check the Performance tab to see whether any of your hardware is being driven hard: the CPU, memory, disks, or GPU. Then switch to the Processes or Details tab to see which process is responsible. A process you don't recognise that is keeping the CPU, memory or disk busy while the machine should be idle is the one to investigate.

If you’re not infected and your computer is still slow, check out our course here to improve computer performance.

3. Has a Mind of Its Own

Some glitches in your system might make it look as if your computer has a mind of its own, usually a brief, unexplained flicker of activity or the mouse moving by itself. In most cases these really are just glitches, a speck of dust on the mousepad for instance. But this can also be one of the computer malware signs. If the mouse movements are deliberate and purposeful, for example the pointer moves to open or close applications or types into windows, then someone is controlling the machine remotely, a far more serious threat than a dusty mouse pad.

To cut off that remote access, the first thing to do is disconnect the PC from the network: unplug the cable, disable the network adapters so it can't reconnect, and switch off any other connectivity such as Wi-Fi and Bluetooth. If you can, leave the machine powered on rather than pulling the plug, so that what was running and where it was connected to can still be seen. Then you can start dealing with removing the intrusion.
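As an added example (not code from the original post), the PowerShell below does the two checks described above for a slow machine and for one that appears to be under remote control, in the order a responder would: record the heavy processes and the established network connections first, then isolate the host. It assumes an elevated Windows 10/11 PowerShell session; the evidence folder path is a placeholder.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on Windows 10/11. Evidence is written before the machine is isolated, so
# the record of what was running and talking to the network survives the disconnect.

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = "C:\IR\$env:COMPUTERNAME-$stamp"   # placeholder evidence folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Top consumers: CPU seconds and working set, with image path and signature.
#    Unsigned binaries running from a user-writable directory deserve the first look.
$procs = Get-Process | Sort-Object CPU -Descending | Select-Object -First 15 |
    ForEach-Object {
        $sig = if ($_.Path) { (Get-AuthenticodeSignature -FilePath $_.Path).Status } else { 'n/a' }
        [pscustomobject]@{
            Name      = $_.Name
            Id        = $_.Id
            CpuSec    = [math]::Round($_.CPU, 1)
            WorkSetMB = [math]::Round($_.WorkingSet64 / 1MB)
            Path      = $_.Path
            Signature = $sig
            UserDir   = ($_.Path -match '\\(AppData|Temp|Downloads|ProgramData)\\')
        }
    }
$procs | Export-Csv "$outDir\processes.csv" -NoTypeInformation
$procs | Where-Object { $_.Signature -ne 'Valid' -or $_.UserDir } | Format-Table -AutoSize

# 2. Established connections mapped to their owning process; remote-control
#    tools and command-and-control sessions show up here.
$conns = Get-NetTCPConnection -State Established |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            Pid     = $_.OwningProcess
            Process = $p.Name
            Path    = $p.Path
        }
    }
$conns | Export-Csv "$outDir\connections.csv" -NoTypeInformation
$conns | Format-Table -AutoSize

# 3. Isolate: bring down every active network adapter and any Bluetooth radio.
#    Undo later with Enable-NetAdapter / Enable-PnpDevice.
Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
Get-PnpDevice -Class Bluetooth -Status OK -ErrorAction SilentlyContinue |
    Disable-PnpDevice -Confirm:$false
```

The CSV files are what you hand to your IT team or incident responder; the two tables on screen are the quick read. A remote IP you do not recognise, owned by an unsigned binary under AppData, is the pattern to look for.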

4. Crashing

Your computer might crash for no apparent reason. Often, software or hardware incompatibility is to blame, but once that is ruled out, a malware infection is a real possibility. To see what caused the crash, open Event Viewer by hitting the Windows key and typing "Event"; it should be suggested as the first option. Once it opens, go to Windows Logs, open the System and Application logs, and filter for Critical and Error entries around the time of the crash. This will give you more insight into what caused it and help you or your IT team find a solution fast.

5. Low storage

If your computer is suddenly running low on storage, it might be that you have not been paying attention to how much you have left. Some malware and viruses, however, are programmed in such a way that they replicate endlessly until they use up all the storage space you have.

Always keep an eye on how much space you have left. If you know for sure that your drives had plenty of free space and it has vanished without you adding anything, suspect malicious activity and look at which folders have grown.

6. You Don’t Appear to Have Security Measures Working, e.g. No Antivirus etc.

Your computer might notify you that your security isn't working, for example that your antivirus has been disabled. If so, check the status of your antivirus immediately. This can be a glitch while the antivirus is updating, but it is often a sign that you have been infected: disabling or tampering with security software is one of the first things many malware families do.

If you can't get your antivirus software up and running again, you will have to either install a new antivirus and anti-malware product or, if you are using a paid version, contact your antivirus vendor's support and let them lead you through the recovery process.
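As an added example (not code from the original post), the PowerShell below checks the antivirus state from the command line rather than trusting the notification: Microsoft Defender's own status, the policy keys malware commonly sets to switch Defender off, and every registered antivirus product (including third-party ones) via the Security Center. It assumes Windows 10/11 with the Defender module present; the productState bit decoding is the commonly used interpretation of that undocumented field.

```powershell
# Added example, not from the original post. Windows 10/11; run as an
# administrator so the policy keys and SecurityCenter2 namespace are readable.

# 1. Microsoft Defender: is real-time protection on, and are signatures current?
$mp = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled   = $mp.AntivirusEnabled
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    TamperProtection   = $mp.IsTamperProtected
    SignatureAgeDays   = $mp.AntivirusSignatureAge
    LastFullScan       = $mp.FullScanEndTime
}

# 2. Policy values that malware (and some "optimiser" tools) set to disable Defender.
#    On a machine with no such policy these come back empty, which is the good answer.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
Get-ItemProperty -Path $pol, "$pol\Real-Time Protection" -ErrorAction SilentlyContinue |
    Select-Object DisableAntiSpyware, DisableRealtimeMonitoring

# 3. Every registered AV product, with its state decoded.
#    productState is a bit field: 0x1000 set = product enabled,
#    0x10 set in the low byte = definitions out of date (common interpretation).
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
    ForEach-Object {
        $state = $_.productState
        [pscustomobject]@{
            Product   = $_.displayName
            Enabled   = (($state -band 0x1000) -ne 0)
            UpToDate  = (($state -band 0x10) -eq 0)
            Timestamp = $_.timestamp
        }
    }

# 4. What Defender has already detected, most recent first
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 InitialDetectionTime, ProcessName, Resources, ActionSuccess
```

If step 1 shows real-time protection off while step 2 shows DisableRealtimeMonitoring set to 1 and nobody in IT pushed that policy, treat the machine as compromised rather than as having a glitchy update.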

7. Ads

Malware software can also cause pop-up ads, new tabs in browsers, or change homepages, and search engines, without the user’s consent. To get rid of these annoying pop-ups and ads, you will have to find the infected software and remove it from your device.

8. New Icons on Your desktop

If you notice a new icon on your desktop whose origin you don't know, suspect foul play right away; unexplained new icons and programs are computer malware signs. Malicious software might be installed on your device, threatening to steal your credentials, cause havoc, or even lock you out. If this is a work computer, contact your IT department right away, as the same software could have been installed across the network, not just on your own device.
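As an added example (not code from the original post), the PowerShell below traces an unexplained icon or program back to what put it there: programs installed in the last few days, the Run/RunOnce keys, the startup folders and desktop, and non-Microsoft scheduled tasks, which are the usual places malware registers itself so it survives a reboot. The 14-day window is a placeholder; it assumes Windows 10/11.

```powershell
# Added example, not from the original post. Windows 10/11; the day count is a placeholder.

$days  = 14
$since = (Get-Date).AddDays(-$days)

# 1. Recently installed programs (64-bit, 32-bit and per-user uninstall hives)
$hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
         'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate -match '^\d{8}$' } |
    ForEach-Object {
        $d = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
        if ($d -ge $since) {
            [pscustomobject]@{
                Installed = $d.ToShortDateString()
                Name      = $_.DisplayName
                Publisher = $_.Publisher
                Location  = $_.InstallLocation
            }
        }
    } | Sort-Object Installed -Descending | Format-Table -AutoSize

# 2. Run / RunOnce keys for the machine and the current user
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    Get-Item -Path $k -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($name in $_.GetValueNames()) {
            [pscustomobject]@{ Key = $k; Entry = $name; Command = $_.GetValue($name) }
        }
    }
}

# 3. Startup folders and desktops: anything created since the cutoff
$startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
           "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
           "$env:USERPROFILE\Desktop",
           "$env:PUBLIC\Desktop"
Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue |
    Where-Object CreationTime -ge $since |
    Select-Object FullName, CreationTime

# 4. Scheduled tasks outside the Microsoft tree, with what they execute
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $a = $_.Actions | Select-Object -First 1
        $registered = $_.Date -as [datetime]
        [pscustomobject]@{
            Task       = $_.TaskName
            Path       = $_.TaskPath
            Author     = $_.Author
            Exec       = $a.Execute
            Args       = $a.Arguments
            Registered = $registered
        }
    } | Where-Object { $null -eq $_.Registered -or $_.Registered -ge $since } |
    Format-Table -AutoSize
```

An entry whose command points into AppData, Temp or a folder named like a system component but outside Windows, or whose publisher is blank, is the one to look at first. Save the output before removing anything so IT can see what was there.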

9. Corrupted folders or Missing folders

If you get a prompt that a file is corrupt, or you realise some folders are missing from where they are supposed to be, it could be an infection. Some malicious software is not after your credit card data; its intent can simply be to wipe or corrupt everything on your drives. While this is less of a threat than it used to be thanks to online storage and sync, not all your data is stored online. If you have lost files, a backup, File History or a previous version of the folder might get them back. Note that System Restore rolls back system files and settings, not your documents, so it will not recover them.

10. Ransoms

Some malware acts as a simplified version of ransomware, a so-called screen locker, by locking you out of your computer until you pay. Unlike true ransomware, which encrypts your files, there are usually some things you can do to unlock it.

Booting Windows into Safe Mode often does the trick, because the locker doesn't start there. Once you have booted that way, you can run a scan and remove it. There are also dedicated ransomware removal tools from established antivirus brands, and Microsoft itself offers an offline scan that runs before Windows loads. Another option is System Restore, to return the system to a point before it was infected; bear in mind that this undoes the malware's changes to Windows but will not decrypt files that real ransomware has already encrypted.
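As an added example (not code from the original post), the PowerShell below scripts the recovery steps just described: list the restore points that pre-date the problem, flag the next boot as Safe Mode (and clear the flag afterwards), and run a Defender full scan or offline scan. It assumes an elevated Windows 10/11 session. One caveat worth knowing: Microsoft Defender does not run inside Safe Mode, so Safe Mode is for your AV vendor's own cleaner or for System Restore; Defender's equivalent of a clean-environment scan is the offline scan.

```powershell
# Added example, not from the original post. Elevated PowerShell on Windows 10/11.

# 1. Restore points available, newest last; pick one created before the symptoms began.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description,
        @{n='Created'; e={ $_.ConvertToDateTime($_.CreationTime) }} |
    Format-Table -AutoSize
# To roll back from Safe Mode:  Restore-Computer -RestorePoint <SequenceNumber>

# 2. Make the next boot Safe Mode (minimal, no networking) for the vendor cleaner or
#    System Restore, and remember to clear the flag afterwards or it stays in Safe Mode.
bcdedit /set '{current}' safeboot minimal
# ... reboot, clean, then from Safe Mode:
# bcdedit /deletevalue '{current}' safeboot

# 3. Defender: full scan from normal Windows, then review what it found.
#    (Defender is not available inside Safe Mode; use the offline scan below instead.)
Start-MpScan -ScanType FullScan
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, Resources, ActionSuccess |
    Format-Table -AutoSize

# 4. Defender Offline scan: reboots immediately into the recovery environment and scans
#    before Windows (and anything hiding in it) loads. Save your work first.
# Start-MpWDOScan
```

Run step 1 before anything else so you know which restore point you are aiming for; it is the one piece of information a locker cannot show you once it has the screen.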

11. Errant Messages

Your system might notify you that an application requires permission to do something, for example an application trying to change something on your computer or connect to the network. This usually happens when you start up, update or install a new application. However, if none of these have happened recently and you’re still getting the messages, your PC might be infected.

12. Redirecting Web Browsers

If you notice that your browser started redirecting you to random sites, you might be dealing with a browser redirect malware, whose aim is to use these redirects to artificially boost traffic to such sites, gather search data, or to try to scam users and steal their personal data. Search for suspicious programs on your device if you suspect this to be the case.

13. New Home Pages

If you open your web browser and your homepage has changed, check which program caused it. A lot of software today comes bundled with extra toolbars or an option to change your homepage or search engine during installation. You can opt out easily during installation, but many people overlook this. While such add-ons might not be viruses themselves, they often lack proper security and can be used as a point of entry.
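As an added example (not code from the original post), the PowerShell below checks the places that browser-redirect malware and bundled "toolbars" (points 12 and 13 above) actually change: the hosts file, the DNS servers, the system proxy and auto-config script, browser home-page and search policies pushed through the registry, and the extensions installed in the current user's Chrome profile. It assumes Windows 10/11 with Chrome and/or Edge; the paths are the products' default locations.

```powershell
# Added example, not from the original post. Windows 10/11.

# 1. hosts file: anything other than comments, blanks and the localhost lines is suspect
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
Get-Content $hosts |
    Where-Object { $_ -notmatch '^\s*(#|$)' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost' }

# 2. DNS servers per adapter; compare with what your router/ISP or IT should hand out
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses

# 3. Proxy and auto-config (PAC) script: a PAC URL you did not set is a classic redirect hook
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Get-ItemProperty -Path $inet | Select-Object ProxyEnable, ProxyServer, AutoConfigURL

# 4. Home page and search policies set in the registry (Chrome and Edge honour these),
#    plus any force-installed extensions
$policyKeys = 'HKLM:\SOFTWARE\Policies\Google\Chrome',
              'HKCU:\SOFTWARE\Policies\Google\Chrome',
              'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
              'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
foreach ($k in $policyKeys) {
    Get-ItemProperty -Path $k -ErrorAction SilentlyContinue |
        Select-Object @{n='Key'; e={ $k }}, HomepageLocation, HomepageIsNewTabPage,
                      DefaultSearchProviderSearchURL
    Get-Item -Path "$k\ExtensionInstallForcelist" -ErrorAction SilentlyContinue |
        ForEach-Object { foreach ($n in $_.GetValueNames()) { "$k forced extension: $($_.GetValue($n))" } }
}

# 5. Extensions in the current user's Chrome profile (Edge keeps the same layout
#    under Microsoft\Edge). Names starting with __MSG_ are localised in the extension itself.
$ext = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions"
Get-ChildItem -Path $ext -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $manifest = Get-ChildItem -Path $_.FullName -Recurse -Filter manifest.json | Select-Object -First 1
    if ($manifest) {
        $m = Get-Content -Path $manifest.FullName -Raw | ConvertFrom-Json
        [pscustomobject]@{ Id = $_.Name; Name = $m.name; Version = $m.version; Installed = $_.CreationTime }
    }
}
```

Unrecognised hosts entries, a DNS server or PAC URL you never configured, or a home-page policy on a home PC that is not domain-joined are each enough on their own to treat the machine as tampered with.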

14. You’re (Not) Reaching Out

You might find that new conversations are popping up in your email inbox or social media that were started by ‘you’, but you can’t recall starting them.

These spam messages encourage your contacts to click on links that will then infect them. A popular scam is for the malware to send an SOS email or message saying you’re stranded and need cab money or a train ticket. It might not seem like a lot, but if every one of your friends and every one of their friends becomes infected, the potential spread is enormous.

15. BSOD – Blue Screen, Will Not Boot

If your computer suddenly becomes unresponsive and you see the dreaded blue screen of death (BSOD), it could be malware.

However, BSOD often happens after you install new software or hardware. Check whether you have the latest drivers installed for all your components and search for possible incompatibility between programs and hardware you are using.

If this is not the case, you will have to consult the Event Viewer again to see what exactly caused the BSOD.

16. Credit or Bank Purchases

If you get notified that purchases were made with your credit card, or money was taken from your bank account, but you didn’t do it, ask your bank to verify how the payment was made. If it was done using your card details (not in person), it was an online transaction. This can mean your device is compromised and the attacker has taken the details, particularly if you have them saved online, e.g. in your Google account.

Cancel your cards, disconnect from the internet and do a thorough sweep of your devices to make sure that the breach didn’t come from them.

17. You Can’t Log In to Your Accounts

If you can’t get access to your account because your password suddenly isn’t working, there’s a good chance you’re dealing with a case of account theft. This is already one of the serious computer malware signs. Always have a fallback option for such cases – a way to reset your password via your phone number, for instance. To minimise such a risk, have two-factor authentication that will request a code sent to your phone or a generated code from an app installed on your phone.

If you get a notification from your authenticator, for example, a code on your phone but you’re not trying to log in, check your system for malware and change your passwords immediately. It could be someone with a keystroke logger.

18. Your Hard Drive Appears to Be Constantly Working Even When Doing Nothing

Erratic and sluggish operations can be caused by a lot of software and hardware issues. To see what is happening, you will have to open your Task Manager by hitting your Windows key button and typing “task manager” for it to appear on the list.

Once opened, look at the performance of your hardware. If you see that your disk is on ‘100%’ most of the time, you will have to check which processes are running and might have caused this. Note that certain Windows processes might cause this from time to time – recently microsoft.photos.exe, a legit Microsoft application, was causing this issue for some users.

If you find any other applications that are unfamiliar to you and are using your disk fully, terminate the process by right-clicking on it and selecting the “End Task” option. Find which program the task belongs to in order to see whether it’s a real malware or virus issue or just an incompatible program.

19. File Names Change or Are Missing

Any changes to files – either the names or the location of the files – should immediately be attributed to malicious software activity. A deep scan with dedicated software will be needed to find the infection. Any files that were affected – renamed, deleted, or removed – might be beyond saving, so always make sure you have your data securely backed up online.

20. Unusual Login Pages

Any changes to login pages you often use – either for work or personal – should be deemed suspicious. Usually, changes like this are announced in advance, so check for news about the changes before you log in. Any pages that require your work, Google, or social media account credentials (both username and password) for login should also be avoided as these might be phishing sites that are trying to steal your credentials.

If you’ve navigated to the page through an email, close the tab and go directly to the site of the company you’re trying to log in to. If you don’t recognise the site, NEVER give your credentials away!

If you feel there is something wrong with your computer, particularly if you are on a company device or part of a shared network, it’s important that you report it! Small and subtle changes can lead to big data breaches, and catching malware early is key.

How to Install Microsoft’s Azure Information Protection for Small Businesses

Until now, Microsoft’s Azure Information Protection (AIP) has been an enterprise-level IT solution for the big brands and businesses. So, you may not have even heard of it! But its tools are perfect for small businesses and allow you to get AUTOMATIC file and email encryption that is easy to use and affordable.

Let’s look at why you should be looking at this solution for your small business, how you can use it and what it can do for you:

Why do I Need File Protection?

We could advocate for file protection but it’s easier just to show you, here’s how easy it is to gain access to your sensitive data if you don’t have file protection:

The solution to this? We recommend Microsoft’s Azure Information Protection (AIP).

Update: 23/09/20 – Microsoft’s AIP has actually been upgraded to MIP, with a few extra features. This article is still relevant and if you scroll to the bottom you can see a demo of a recent project we just completed on how it looks in action.

What is Microsoft’s Azure Information Protection?

It’s an excellent cloud-based file and email encryption solution that allows you to create certain ‘rules’ to protect your files and emails automatically.

What Does This Entail?

Although it’s also an excellent option for smaller businesses because it offers unique cyber security features which make GDPR compliance easy and seamless, you can’t really “figure it out” as you go.

It’s not as simple as downloading a piece of software. There’s a little more to it than that. But, once you know how, it’s our recommendation for keeping your company, files and emails protected. The installation looks a little like this:

Different Stages of AIP Implementation

Once you’ve set up your active directory and assigned your licenses, there are 3 steps to implementing Microsoft’s Azure Information Protection:

Assessing Your Data

Although only roughly 5% of your data is sensitive, you still need to protect it and in order to do so, you need to understand what it is, where it is and how you handle it.

Installation

This is the easy part (if you know what you’re doing) and is a simple installation of the AIP client onto all of the machines/servers that you want to have automatic encryption capabilities.

Monitoring/Testing

This is all about tweaking your settings to match your usage based on what you’re using your protection for in your business.

So, How Can I Do It Myself?

We originally created an AIP course (you can still take the legacy course HERE). However, since the update to MIP (Microsoft Information Protection) there is a lot more backend setup, licensing crossover and implementation work, which makes this a really tricky project.

If you get it wrong you can accidentally encrypt and lock yourself out of all of your data, and to be honest, we don’t recommend doing this.

We still want to make MIP accessible for SMEs so we offer a half hour consulting option to give you the best tailored advice on what forms of protection are best for you, and then we can help you set up MIP if it’s suitable.

Book in for your consultation CLICK HERE.

Check out the MIP Demo below to see it in action:

GDPR Email Terminology You Need to Know!

When it comes to GDPR and emails, things can get confusing! You need to make sure you completely understand the GDPR email terminology that potential users, customers and businesses could be using, so you can act accordingly.

Although not an exhaustive list, here are some of the terms that will be most useful to understand. We’ve taken this list from our Free GDPR Email Protection Course you can find here.

Consent – This means permission! GDPR’s aim is to allow users more control over their data, and it is big on consent, which means if you don’t have it, you can’t use it. There are some situations where direct consent isn’t needed: for example, if someone makes a purchase from you, you’re allowed to send them a relevant email about their order without their consent, as it’s a necessary byproduct of the purchase. Another example is when a company or business has a business-specific email address on their “Contact Us” page. This is considered consent as long as the email is a business and not a personal address, e.g. [email protected] NOT [email protected]. One thing to note here is that you still can’t add them to a mailing list, but you can contact them with something of genuine interest.

Data Breach – This is where information has been accessed by unauthorised third parties due to a security issue. This usually refers to confidential or sensitive information.

Data Controller – The ICO define a data controller as:

“A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed”

Data Portability – This is the right of the user to move personal data to competitors, and businesses have to comply. It must be readable and universally accepted by the other party, and once moved, the original business may not store it (unless for legal/tax purposes).

Data Processor – The ICO define a data processor as:

“In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.”

Data Processing – When information is handled, physically or digitally for any action. For example, collecting it, uploading it into an automatic algorithm, using it to segment etc.

Data Protection Authorities (DPA) – These will be appointed in individual EU-based countries to enforce and support the new data protection laws.

Data Protection Officer (DPO) – Data controllers will appoint an employee (or sometimes an external hire) as DPO, whose responsibility is to make sure data protection and processing requirements are met and understood throughout the organisation.

Data Subject – This is any person that the personal data is about.

Erasure – When an individual makes an erasure request, this means having all of their personal data removed from your organisation (and from the third-party organisations you use to manage this personal data). Not complying with this can leave you open to fines.

Encryption – A way of protecting information so that unauthorised entities or people are unable to access, read or extract the data.

Pseudonymisation – A way to make personal data less identifiable to an outside party by using pseudonyms and preset identifiers in place of the data itself.

Recipient – The receiver of your email.

Subject Access Request (SAR) – Contrary to popular belief, this isn’t actually new. A SAR is something a user can make via email which entitles them to ask what information is stored about them. It is also known as a “Right to Access Request”. You may find the ICO’s “Subject Access Code of Practice” useful.

For more information on email protection in the age of GDPR, check out our FREE COURSE HERE to guide you through it!

How to Send Encrypted Emails Without Installing Anything

If you want to protect the personal data that you send and reduce the risk of a breach, you’ll want to encrypt your emails or use an email encryption service! Did you know that you can send encrypted emails without installing anything?

Why would you want to send encrypted emails? 

You may think that encrypted emails don’t apply to you or they are a bit too “techy” to use. But, we’re making it simpler because hackers don’t care whether you’re techy or not. There are some other instances where you might want to send encrypted emails (for industries prone to email breaches check out our other article here.)

  1. If you’re a business owner or entrepreneur communicating about employee/subcontractor personal data, sharing sensitive information or ideas and secrets you want to protect.
  2. You’re sending attachments that contain personal information, e.g. recruiters sending CVs, accountants handling account data, members of the public sending copies of ID or official documents.
  3. Lawyers sending case-specific information
  4. Developers trying to create encrypted messages from their web portal

But, there are a few issues with the solutions that are out there at the moment: 

  • They require you to use a different email client entirely (and sometimes they aren’t user-friendly for beginners)
  • The other person (recipient) can’t read the encrypted email if they aren’t on the same service
  • You need to install an extension, app or program onto your computer (which many businesses won’t allow as it is directly on the network) in order to use them at all

How do you send encrypted emails without installing anything?

This is something we’ve developed: encrypted email as a service, and it’s really simple. Anyone can use it (whether you’re techy or not). Simply:

  1. Write your email as normal
  2. Put “[email protected]” in the “To” field
  3. Add your recipient in the “subject” field
  4. Hit send

Test it right now: 

  1. Write your email as normal
  2. Put “[email protected]” in the “To” field
  3. Add your recipient in the “subject” field
  4. Click Send

It works on mobile, Mac or PC, as well as any existing platform you’re on. Here’s what the process looks like from a Mac:

What the receiver will see (and do) to read the encrypted email:

In Gmail

In Outlook

If you want to protect your emails and your data for free, check out My Protected Mail for more!

Are Recruiters Liable for Data Breaches When Sending CVs Via Email?

The ongoing joke of the moment is the number of unsolicited emails you’re receiving as a result of GDPR, “consent” and the regulations that became effective as of 25th May 2018. But the new General Data Protection Regulation (GDPR) is a piece of EU legislation that has raised countless questions about specific processes, particularly those in the recruitment industry. Among these questions is: are recruiters liable for data breaches when sending CVs via email?

After all, they hold a ton of personally identifiable information (PII) in the form of CVs, application forms and the submissions through their website. But, how much of this are recruiters responsible for and if you’re communicating via email, are you responsible for this data if there is a breach, even when you’ve gotten consent?

We’re looking at the facts from the ICO as well as our take on protecting PII sent via email to limit your chances of a breach.

Liability under GDPR

In short, recruiters are liable for any data breaches resulting from the sending of CVs via email, but to understand why, we must delve a little deeper.

Under GDPR, the data controller holds ultimate responsibility for all personal information collected by their organisation. The data controller must be highly trained to pre-empt and effectively address any potential breaches, and it is down to the controller to ensure that all held data is collected, processed, and stored properly.

The data controller is ultimately responsible for their organisation, but all individuals within it must act in compliance with GDPR. Under this legislation, anyone handling personal data is referred to as a data processor. A data processor acts on behalf of the data controller, and must adhere to the rules of GDPR.

In this instance, recruiters are the data processors when they are working with sensitive data, such as that contained within CVs.

Liability for Recruiters

Recruiters, as data processors, have accountability over the information they collect, handle, and send elsewhere. This includes CVs.

They need to ensure that the CVs and the data within them are:

#1 Sent only to the intended recipients

#2 Used solely for a specific purpose

#3 Removed correctly when no longer required.

A recruiter must know exactly where the CV is going and how it is being used by the recipient. This is because, under the rules of GDPR, any EU citizen has the right to erasure, otherwise known as the right to be forgotten. If such a request is received, the recruiter (and their organisation’s data controller) are duty bound to honour and complete the request.

But if they aren’t keeping records or control of the transmissions of personal data they send, this task becomes more difficult, if not impossible.

In order to protect themselves and their organisations, recruiters are likely to be encouraged to seek a disclaimer with each individual before they receive any of their personal data. The language of the disclaimer will vary between each organisation, but most will contain an acknowledgment that the individual will surrender some control of their data whilst it is being processed.

Note that whilst individuals may give their consent to allow the data processor and data controller access and processing of their personal information, they are still protected by GDPR and retain custodianship of their own data, including the right of erasure.

Tools such as Data Subject Access Requests (DSARs) provide individuals with the authority to obtain all of the data held about them by another individual or organisation. These are commonly used during employment-related disputes.

Whilst UK legislation dictates that any DSAR is fulfilled within 40 days of receipt, GDPR goes further. If a DSAR is not honoured, it could incur a fine of up to 4% of an organisation’s annual global turnover, or a fine of €20 million, whichever is greater. Although the maximum is unlikely to be enforced, except in extreme cases, the potential severity of punishment in response to breaches clearly demonstrates the importance placed on the rights of individuals to retain authority over their data. Plus, that’s not the only cost a business can incur in the event of a data breach.

What steps can recruiters take to protect themselves from GDPR-related penalties?

Now that we’ve explored GDPR legislation and potential penalties that can be incurred as a result of non-compliance, we’ll take a look at five steps recruiters specifically can take to prevent a breach and protect themselves.

  1. Encrypt Emails and Attachments

In order to avert unauthorised access to CVs and other personal data, a simple and effective solution is to encrypt emails and attachments. Encryption prevents data from being intercepted with malicious intent, and it ensures that only the intended recipient has access.

Encryption is easily managed through settings within some existing email clients, or via third-party specialist services such as My Protected Mail. For large organisations, or smaller companies that routinely deal with a bulk of highly sensitive data, the third-party approach is encouraged.

It is also worthwhile to ensure that all data processors (and controllers) are trained in the optimal use of encryption. After all, there’s no point in having a tool if it is not being used correctly.

  2. Only Send CVs to the Intended Recipient (and Prevent Forwarding)

When sending a CV by email, recruiters should select only the essential recipients. If the CV is not directly relevant to a recipient, it should not be sent to them. By keeping the pool of recipients as small as possible, it helps to prevent potential breaches.

It’s also worth clarifying, within the body of the email, that the CV should not be forwarded to any other recipient without the permission of the recruiter. Forwarding of attachments, particularly without the knowledge of the original sender, makes it almost impossible to track where the data has gone. Keep in mind that the individual to whom the CV belongs may make a right to erasure request at any time. Failure to keep track of their data can jeopardise an organisation’s ability to do this.

  3. Provide Extra Information in Your Disclaimer

Make it clear to candidates, and all other individuals, precisely how their data will be collected, processed, and removed. Transparency at this stage helps to prevent issues further down the line. Use your disclaimer to present all possible scenarios, and ensure that consent is obtained before a CV is collected.

  4. Keep Sensitive Data Secure Within Internal Systems

We’ve discussed the procedure for sending CVs to external recipients, but what about internal record-keeping? This is equally critical, and organisations must ensure that their internal systems are secure enough to manage and protect stored data.

  5. Ensure That Third Parties Are Also Compliant

Before a recruiter sends any information to a third party, it is worthwhile to sign an agreement regarding their respective data responsibilities. An organisation must ensure that all third parties are also compliant with GDPR, and will honour any future erasure or DSAR requests. This helps to prevent any potential problems in the future.

In Summary

As we have seen, recruiters and their organisations do have a responsibility to protect all data sent electronically. Recruiters are liable for data breaches since, as data processors, they act on behalf of their organisation’s data controller and are bound by the rules of GDPR.

It is crucial, therefore, that they are trained and equipped with the resources to keep client data safe.

Are Invoicing Companies Leaving Small Businesses Vulnerable?

For the last 2 years, my main focus as a cyber security consultant has been getting companies, mostly big companies, ready for GDPR. One pressing concern is the GDPR compliance of invoicing companies.

Maybe GDPR is a buzzword for some, but the logic behind it is great for both privacy and proper data security.

The privacy part is somewhat challenging because PII (personally identifiable information) and SPI (sensitive personal information) are clearly defined in GDPR, and the definition is very wide.

It COVERS EVERYONE.

From big companies to small companies, and even micro companies. You are obliged to do your maximum to protect PII and SPI.

Many companies have started the shift of changing their work methods and the way that B2C communication is done. For example, basic “client notifications” are now usually protected.

GDPR is first and foremost a methodology change, not a technological one. You change the way you work first and then which technological tools you use.

This change has already “hit” some industries, but other industries prefer to ignore it. For example, I am a client of one of the biggest online invoicing companies, along with many other small & medium business owners.

Invoices have PII and SPI in them – they have a lot of the info of my clients (their name & postcode), sometimes even the full address, proper identifiable information.

When I send an invoice to my clients I am sending PII and SPI.

Since the GDPR date, my colleagues and I have started to send invoices in a secure way. Is it more “work”? Yes. We are sending a PDF within an encrypted email, not a link, so that we can make sure that only the recipient gets it and not someone else.

As a client of one of the biggest online invoicing companies, I’m concerned about their GDPR compliance, and I have contacted them and asked very clearly,

“What are you going to do about GDPR? Which encryption method are you going to use and how are you going to guarantee that the PII and SPI that are being sent via your system is secure?”

And …

Nothing really.

I got some generic responses, some links to the privacy/GDPR policy, but no real answer.

Then after some more Q&A, I got a strange response,

“We are sending PII BY FUNCTION... so, nothing is really going to change.” So I responded with,

“So? GDPR has no ‘BY FUNCTION’ exclusion.” And, of course, since then, it’s been silence.

It seems, at least for that specific company, that they are ignoring or excusing not being GDPR compliant by saying that their CORE FUNCTION, and I quote “BY FUNCTION”, is … NOT GDPR compliant. I know it sounds crazy, but that’s the reality.

So, let’s break it down a bit:

  1. I am using their online invoicing platform – they are my Data Processor.
  2. I am storing sensitive client information on their system and I expect them to be GDPR compliant, and I trust their feedback that it is (regarding the way they store and access information).
  3. But… when I send the invoice to my clients via their system, I am extracting PII and SPI from their system and sending it into the world with no security mechanism at all?!
  4. This specific online invoicing company is sending a link (like many others) – not even a password-protected PDF is an option?

Bottom line, you as a user of the system have the option not to send a link, but download the PDF, secure it, and then send it yourself… but why isn’t the invoicing company doing it for you? Why are they putting YOU at risk?

Why? – I don’t know, I presume it’s because it’s easier to ignore the reality than to face it. It’s easier to put everything on your clients than to solve the core issue.

My professional recommendation to you is: until online invoicing companies’ GDPR compliance becomes clear, protect yourself! Don’t send PII and SPI in a non-secure way.

Eli Migdal.

Industries Prone to Email GDPR Breaches

Although emails are not specifically referenced within the clauses of the GDPR, the legislation does cover all data contained within emails and attachments. Anyone handling personal information related to citizens of the EU is bound by GDPR, and must make preparations to ensure that they are compliant from the date of adoption, if not sooner.

In this article, we’ll take a closer look at the industries that tend to be prone to data breaches involving emails, the reasons why, and strategies to avoid information becoming compromised.

Why Are Some Industries More Prone Than Others?

Theoretically, all industries have the potential to experience GDPR breaches. However, these are made more likely when organisations manage a disproportionately large amount of personally identifiable information, or PII. This is data that can be used on its own, or in combination with other known variables, to determine an individual’s identity.

Some examples of PII may include a full name (particularly if it is uncommon), date of birth, home address, telephone number, email address, passport, driving license, national insurance or social security number, credit card details, or vehicle registration. The more variables that are known, the easier it is to build an image of someone’s identity.

This kind of data is attractive to those who wish to exploit it, which can make some organisations vulnerable to hacking or phishing attacks. Human error can also cause data breaches; although this may be innocuous, the potential damage is just as severe.

It’s important, therefore, for these industries to take additional precautions in the gathering, storage, and processing of sensitive information.

Industries at Risk

Due to the nature of the data they hold, the following sectors have a high risk of experiencing GDPR breaches:

  • Financial
  • Legal
  • HR
  • Medical

The recruitment industry is also very susceptible, as organisations within it hold substantial amounts of personal information, which is passed frequently between internal and external recipients!

Small businesses, entrepreneurs, and virtual assistants can carry an elevated risk of experiencing GDPR breaches, particularly if they are starting out or otherwise unaware of correct data management procedures.

Emails regarding invoices, bank details, and login information can be especially problematic. Training helps to mitigate this risk, prevent records being compromised, and protect the reputation of data custodians.

What Can Be Done to Minimise Risk?

Take a ‘prevention is better than cure’ approach. In the first instance, use anonymised data as far as possible because, if data is compromised, this makes it far more challenging for unauthorised parties to connect the dots and endanger the security of afflicted individuals.

When communicating via email, take extra precautions and encrypt your emails and attachments at the file level rather than relying on protection on your computer, because file-level encryption is much harder to crack and supports GDPR compliance. You can do this by installing software in your business that does it automatically, but if you don’t have the budget for a large-scale solution, you can try something like My Protected Mail, which doesn’t involve installing anything and is quick and easy to use.

Although we have cited industries prone to email GDPR breaches, it’s best to be responsible no matter your industry. All custodians of sensitive data are responsible for its protection. If you are working within an industry with an elevated risk of email GDPR breaches, be sure you are prepared! Check out My Protected Mail here for more info and sign up for free to get the extra protection your sensitive emails or attachments need.