Posted on

Are Invoicing Companies Leaving Small Businesses Vulnerable?

For the last 2 years, my main focus as a cyber security consultant has been getting companies, mostly big companies, ready for GDPR. One pressing concern is the GDPR compliance of invoicing companies.

Maybe GDPR is a buzzword for some, but the logic behind it is great for both privacy and proper data security.

The privacy part is somewhat challenging: GDPR defines PII (personally identifiable information) and SPI (sensitive personal information) precisely, and that definition is very wide.

It COVERS EVERYONE.

From big companies to small companies, and even micro companies. You are obliged to do your maximum to protect PII and SPI.

Many companies have started changing their work methods and the way B2C communication is done. For example, basic “client notifications” are now usually protected.

GDPR is first and foremost a methodology change, not a technological one. You change the way you work first and then which technological tools you use.

This change has already “hit” some industries, but others prefer to ignore it. For example, I am a client of one of the biggest online invoicing companies, along with many other small and medium business owners.

Invoices have PII and SPI in them – they have a lot of the info of my clients (their name & postcode), sometimes even the full address, proper identifiable information.

When I send an invoice to my clients I am sending PII and SPI.

Since the GDPR date, my colleagues and I have started to send invoices in a secure way. Is it more “work”? Yes. We are sending a PDF within an encrypted email, not a link, so that we can make sure that only the recipient gets it and not someone else.

As a client of one of the biggest online invoicing companies, I’m concerned about their GDPR compliance, and I have contacted them and asked very clearly,

“What are you going to do about GDPR? Which encryption method are you going to use and how are you going to guarantee that the PII and SPI that are being sent via your system is secure?”

And …

Nothing really.

I got some generic responses, some links to the privacy/GDPR policy, but no real answer.

Then, after some more Q&A, I got a strange response:

“We are sending PII BY FUNCTION... so, nothing is really going to change.”

So I responded: “So? GDPR has no ‘BY FUNCTION’ exclusion.” And, of course, since then it has been silence.

It seems, at least for that specific company, that they are excusing not being GDPR compliant by saying that their CORE FUNCTION (and I quote, “BY FUNCTION”) is… NOT GDPR compliant. I know it sounds crazy, but that’s the reality.

So, let’s break it down a bit:

  1. I am using their online invoicing platform – they are my Data Processor
  2. I am storing sensitive client information on their system and I expect them to be GDPR compliant; I trust their feedback that they are (regarding the way they store and access information)
  3. But… when I send the invoice to my clients via their system – I am extracting PII and SPI from their system and sending it into the world with no security mechanism at all?!
  4. This specific online invoicing company sends a link (like many others) – not even a password-protected PDF is an option?

Bottom line: as a user of the system you have the option not to send a link but to download the PDF, secure it, and send it yourself… but why isn’t the invoicing company doing that for you? Why are they putting YOU at risk?

Why? – I don’t know. I presume it’s because it’s easier to ignore the reality than to face it, and easier to put everything on your clients than to solve the core issue.

My professional recommendation to you: until online invoicing companies’ GDPR compliance becomes clear, protect yourself! Don’t send PII and SPI in a non-secure way.

Eli Migdal.


Data Breaches Aren’t Just Your Users’ Fault (Infographic)

As IT guys, it’s very easy to blame users for data breaches, but it’s not always just their fault.

Sure, they need to update their passwords, stop giving things out and stop clicking on suspicious email links. But the buck stops with you as their IT professional. We thought these statistics from IS Decisions’ research into IT security managers in both the UK and US were very enlightening.

It shows that compromised credentials are one of the main causes of data breaches, and we must remember that our users are human! It’s up to us to help limit the risk by:

  • Forcing users to change their password frequently – even if they hate us for it
  • Making sure policy dictates a different password for each program or part of the system
  • Giving regular training on phishing and the data security issues that affect them – and no longer assuming they will know something is off when they see it
  • Being approachable so that any issues are quickly reported

Doing these small things can make a big difference to data security and minimise the risk of a breach due to compromised credentials. The infographic and statistics below contain some interesting results:
Infographic: Security Breaches from Compromised User Logins


Industries Prone to Email GDPR Breaches

Although emails are not specifically referenced within the clauses of the GDPR, the legislation does cover all data contained within emails and attachments. Anyone handling personal information related to citizens of the EU is bound by GDPR, and must make preparations to ensure that they are compliant from the date of adoption, if not sooner.

In this article, we’ll take a closer look at the industries that tend to be prone to data breaches involving emails, the reasons why, and strategies to avoid information becoming compromised.

Why Are Some Industries More Prone Than Others?

Theoretically, all industries have the potential to experience GDPR breaches. However, these are made more likely when organisations manage a disproportionately large amount of personally identifiable information, or PII. This is data that can be used on its own, or in combination with other known variables, to determine an individual’s identity.

Some examples of PII may include a full name (particularly if it is uncommon), date of birth, home address, telephone number, email address, passport, driving license, national insurance or social security number, credit card details, or vehicle registration. The more variables that are known, the easier it is to build an image of someone’s identity.

This kind of data is attractive to those who wish to exploit it, which can make some organisations vulnerable to hacking or phishing attacks. Human error can also cause data breaches; although this may be innocuous, the potential damage is just as severe.

It’s important, therefore, for these industries to take additional precautions in the gathering, storage, and processing of sensitive information.

Industries at Risk

Due to the nature of the data they hold, the following sectors have a high risk of experiencing GDPR breaches:

  • Financial
  • Legal
  • HR
  • Medical

The recruitment industry is also very susceptible, as organisations within it hold substantial amounts of personal information, which is passed frequently between internal and external recipients!

Small businesses, entrepreneurs, and virtual assistants can carry an elevated risk of experiencing GDPR breaches, particularly if they are starting out or otherwise unaware of correct data management procedures. 

Emails regarding invoices, bank details, and login information can be especially problematic. Training helps to mitigate this risk, prevent records being compromised, and protect the reputation of data custodians.

What Can Be Done to Minimise Risk?

Take a ‘prevention is better than cure’ approach. In the first instance, use anonymised data as far as possible because, if data is compromised, this makes it far more challenging for unauthorised parties to connect the dots and endanger the security of afflicted individuals.

When communicating via email, take extra precautions: encrypt your emails and attachments at the file level rather than relying on protection that lives on your computer, because file-level encryption stays with the data wherever it travels, is much harder to defeat, and supports GDPR compliance. You can do this by installing software in your business that does it automatically, but if you don’t have the budget for a large-scale solution, you can try something like My Protected Mail, which doesn’t involve installing anything and is quick and easy to use.

Although we have cited industries prone to email GDPR breaches, it’s best to be responsible no matter your industry: all custodians of sensitive data are responsible for its protection. If you are working within an industry with an elevated risk of email GDPR breaches, be sure you are prepared! Check out My Protected Mail here for more info and sign up for free to get the extra protection your sensitive emails or attachments need.


Why Your Emails Need to Be Compliant Under GDPR

Although emails are not specifically referenced in the GDPR, all data contained within them does come under its jurisdiction. To avoid the risk of a breach, as well as to conform to these regulations, it’s important to stay protected and send GDPR compliant emails. 

In this article, we’ll introduce you to points you should consider when sending GDPR compliant emails.

Safeguarding Personal Information

Personally identifiable information, or PII, is data that can be used—either on its own or in combination with other records—to determine an individual’s identity. It is best practice not to provide PII wherever possible, but to use anonymised data instead.

But we know this isn’t always possible, and sometimes you need to share data that could become identifiable, so it must be sent securely. Protected emails that contain PII should not be forwardable to unauthorised participants, and you should ensure that any data you do send has been pre-authorised by its owner, because consent is a key part of GDPR and must be respected at all times.

Preventing Unauthorised Access to Data

A data breach places sensitive information at risk of exploitation by criminal activity or other unauthorised purposes. A data breach can be prevented by sending attachments securely, tracking the receipt of documentation, sending only essential information, and by double-checking that data recipients are authorised.

File level encryption is one of the best ways to do this (find out more about this in our previous article here) and there are simple ways to send protected emails without having to download special programs. Try using something like My Protected Mail for free and see how you can send and receive protected emails. 

If you do find that your organisation has experienced a data breach, you (or your company’s assigned data protection officer) are duty bound under GDPR to notify affected individuals within 72 hours of awareness of the breach. This provides the opportunity to take corrective measures and prevent further compromise of their information. Of course, your organisation has a responsibility to facilitate and support such action, whilst simultaneously commencing an investigation and completing internal and external reporting.

Protecting Your Brand’s Reputation

Personal data is important to every individual. When we entrust organisations with sensitive information, there is an expectation that this will be respected. Any breach or mismanagement of data reflects negatively on a brand.

That said, if a data-related incident does occur, it is best to be honest about the situation from the start. Not only does the GDPR explicitly require this, but taking swift action helps to protect your brand’s reputation. People understand that even highly secure structures can be compromised, and if your organisation responds quickly, this can help to mitigate the damage. Conversely, a delay or cover-up would be completely unacceptable.

Generating positive PR

If your organisation is shown to be consistently compliant with data protection laws—including GDPR—this gives a positive impression of your information safeguarding processes. It also demonstrates a wider sense of reliability and security and strengthens your brand’s reputation, encouraging potential customers and stakeholders to put their trust in you.

Consider getting help in becoming compliant by using My Protected Mail; it works with your existing systems and doesn’t require setup or installation! To find out more, visit www.MyProtectedMail.com


The True Cost of a Data Breach to Your Business

GDPR has placed renewed focus on the issue of information security, and the potential impact and cost of a data breach on involved organisations.

Obviously, a data breach can have substantial financial consequences. Depending on the severity of the GDPR infringement, administrative fines can reach up to €20 million, or 4% of annual global turnover, whichever is higher. Plus, it also leaves you liable to pay damages to individuals or businesses as a result of the breach. 

However, fines are not the only cost to a business; reputational damage can be devastating to long-term viability.

In this article, we’ll take a closer look at the wide-ranging costs that can be incurred in response to a data breach.

Bad PR

It is said that all PR is good PR, but that’s not always the case. Data security is intrinsically linked with an individual’s sense of personal safety, and any infringement of it will prompt a fiercely negative response from affected individuals. A business’s reputation can be destroyed by a data breach incident.

Trust is the foundation of customer loyalty. If that trust is compromised, your business may not be able to recover its former standing.

Loss of Revenue & Company Value

Reputational damage as a result of a GDPR breach will almost inevitably lead to a dip in sales. For service providers, such as lawyers or accountants, a breach can result in a loss of retainers or diminished customer loyalty. Larger corporations may find that their company value takes a hit.

In 2013 and 2014, Yahoo experienced several data breaches, which affected large swathes of customer accounts. At the time, they were in the process of being bought out by Verizon. After the breaches took place, Yahoo’s value was slashed by $300 million, which had a significant impact on its shareholders.

Even a giant like Yahoo is susceptible to the effects of a data breach. For smaller companies, this can be catastrophic.

The Pareto Principle

In business management theory, the Pareto Principle states that 80% of a company’s revenue comes from 20% of its customers. These tend to be long-term client relationships, allowing an organisation to take advantage of regular, repeat business.

If a data breach were to damage the trust of this crucial 20% of customers, which is feasible in such circumstances, it could jeopardise 80% of revenue. This can have a devastating impact on long-term business survival.

Future Business

Small businesses are particularly vulnerable to the long-lasting negative effects of a GDPR breach. They tend to rely on referrals, recommendations, and word-of-mouth marketing. After a data breach, the reputational damage may prove insurmountable.

Don’t forget: if a customer has a positive experience, they will probably tell a handful of people. If they have a negative experience, they will tell everyone they can.

The true cost

Ultimately, the true cost of a data breach to your business may be the business itself. That’s why it’s important to be well-trained in the best practices to protect the personal data you handle. 

Have any questions on how you can avoid a data breach? Check out our Smiley Geeks IT Help Membership from only $69 a month!


Protecting Your Data In The Age Of Mobile

Today, one of the main tasks for all institutions is achieving maximum protection for their data while ensuring full accessibility and mobility. Protecting your data has become the responsibility of both users and the organization holding it.

The complexity and the resulting problems arise from the following chain:

Increased mobility → improved employee productivity → wider dispersal of data → increased chance of dangerous data leakage

Below, I will focus on the example of the widely used DROPBOX tool.

The challenges we face tend to increase as the tools providing accessibility and mobility improve drastically.  A good example of this is DROPBOX – it enables users to effectively access their data, while the integration and training efforts for them are kept to a minimum.  This tool is very much liked by most users, and they work with it extensively. DROPBOX gives us the ability to access the data from any mobile device anyplace, and enables us to work OFFLINE as well.

I do not doubt the fact that DROPBOX is a very effective tool that can significantly increase employees’ productivity.  For example, a salesperson can quickly generate a price offer while being on the move, using a mobile device, and instantly share it with his co-workers – this is quite an achievement!

So if that is true, why has DROPBOX earned such a bad reputation within the IT managers’ community as a tool contributing to harmful data leakage?

This is first and foremost an issue of control!

DROPBOX can sometimes lead to a loss of control, resulting in some segregated files leaking outside the institution.

It is important to note that a similar problem can also occur in any Windows Server environment, but the ease of using DROPBOX can be very conducive to such problems happening much more often.

How do we stay in control?

The newer and more sophisticated product, DROPBOX FOR BUSINESS, does offer advanced control facilities, such as compartmentalization, two-factor authentication, control of outside sharing, centralized file management and Active Directory authorization management (using an additional third-party tool, though).

Is all this enough?  Sadly, no…

All these features help in protecting your data if your company’s employees are honest and dependable, and not tinged with corruption or carelessness, which can easily lead to data leakage.  In addition, these tools cannot provide protection in an OFFLINE mode, which is especially important in cases of your device being misplaced or stolen.

The protection should be applied to the files themselves, not to the outer envelope that contains them. When protection/encryption is applied at the file level, the files stay protected at all times, whichever device or application opens them:

  • PC/laptop
  • Smartphone
  • Tablet/PDA
  • DROPBOX
  • SkyDrive

Basic RMS by Microsoft and more advanced tools, such as Secure Islands IQP, provide effective encryption solutions that focus on safeguarding the files, and not the outer shell, which is proving to be so difficult to protect nowadays.
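To make the file-level point concrete (it also covers the encrypted PDF invoice attachment described in the first post on this page), here is an added example in Go. It is not code from this page, from Microsoft RMS or from Secure Islands IQP. It seals a constructed sample invoice with AES-256-GCM, keeps the file name as authenticated data so that a rename or a name/body mismatch is rejected, and checks that the resulting artefact, which could sit in a DROPBOX offline cache, an email or a tablet, opens only for a holder of the key. The key is generated at random purely for the demo; a real deployment would obtain it from a key- or rights-management service, and the type, function and file names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Protected is the self-contained artefact that can sit in a DROPBOX cache, an
// email attachment or a tablet: unreadable without the key, bound to its name.
type Protected struct {
	Name       string // file name: authenticated, not encrypted
	Nonce      []byte // 12-byte GCM nonce, fresh for every Seal
	Ciphertext []byte // AES-256-GCM output, 16-byte tag included
}

// NewKey returns a random 256-bit key. Assumption for this demo: a real
// deployment would obtain the key from a key- or rights-management service.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key, with the file name as additional
// authenticated data so a rename or name/body mismatch is caught by Open.
func Seal(key []byte, name string, plaintext []byte) (*Protected, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(name))
	return &Protected{Name: name, Nonce: nonce, Ciphertext: ct}, nil
}

// Open verifies the tag and returns the plaintext; a wrong key or any change
// to name, nonce or ciphertext yields an error and no partial output.
func Open(key []byte, p *Protected) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(p.Nonce) != aead.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return aead.Open(nil, p.Nonce, p.Ciphertext, []byte(p.Name))
}

// Demo seals a constructed invoice and checks that it opens with the right key
// and is rejected after one flipped byte, after a rename, and under another key.
func Demo() (opens, rejectsTamper, rejectsRename, rejectsWrongKey bool, err error) {
	invoice := []byte("INVOICE 0001\nBill to: A. Client, AB1 2CD\nTotal: 120.00 GBP\n") // constructed
	key, err := NewKey()
	if err != nil {
		return
	}
	sealed, err := Seal(key, "invoice-0001.pdf", invoice)
	if err != nil {
		return
	}
	pt, openErr := Open(key, sealed)
	opens = openErr == nil && string(pt) == string(invoice)
	tampered := *sealed
	tampered.Ciphertext = append([]byte(nil), sealed.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01 // one bit flipped in the body
	_, tErr := Open(key, &tampered)
	rejectsTamper = tErr != nil
	renamed := *sealed
	renamed.Name = "invoice-0002.pdf" // body paired with a different name
	_, rErr := Open(key, &renamed)
	rejectsRename = rErr != nil
	otherKey, err := NewKey()
	if err != nil {
		return
	}
	_, kErr := Open(otherKey, sealed)
	rejectsWrongKey = kErr != nil
	return
}

func main() {
	opens, tamper, rename, wrongKey, err := Demo()
	fmt.Println("opens:", opens, "tamper:", tamper, "rename:", rename, "wrong key:", wrongKey, "err:", err)
}
```

Running it prints the four checks. The point is that a flipped byte, a rename or a wrong key all fail closed: Open returns an error and no partial plaintext, which is what lets the file travel outside the envelope (device, share or sync folder) without the envelope having to be trusted. The per-file random nonce is not optional: reusing a nonce under the same AES-GCM key breaks its guarantees.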

The mobile devices themselves should be encrypted, so the data will still be safe even in case of lost or stolen devices.

  • For most laptops – use disk encryption such as centrally controlled BitLocker
  • For mobile devices such as smartphones or tablets – use one of the several centrally controlled MDM tools that can enforce device encryption from a central node

All your mobile devices should be equipped with centrally activated encryption, ensuring that losing the device will not lead to data misappropriation. This is an effective way of protecting your data.

Conclusions:

  1. A classified file that has been properly encrypted, with a tool such as Secure Islands IQP, can be disseminated on all kinds of media and devices – office computer, tablet, home computer, mail program, DROPBOX.  In all the cases the access to the file will be open only to a person authorized for it
  2. A standard file, protected by DROPBOX (for example) and placed in the DROPBOX offline cache directory, will still be protected even if the mobile device is lost or stolen

So, can the use of the DROPBOX tool on employees’ tablets work with data security rules? The answer is YES – if the IT System is designed correctly, using the modern methods of data security assurance!

Eli Migdal, CEO of Migdal Computing Solutions LTD

Visit our Information Security page for more information and find out how we can help you.