Tag: Data Protection

Posted on by

How to Protect Data Storage from Hacking

How to Protect Data Storage from Hacking

Data protection is more important than ever, but also much harder to achieve. It was fairly simple to previously protect data storage from hacking when it was only saved on-prem and there was limited access. 

Today, data storage and access are more dispersed. Remote employees, cloud storage solutions, BYOD policies, and access via multiple devices from anywhere make data protection seem like an impossible goal.

It’s important to understand that a data breach is a business issue, not just an IT issue. 

To make sure your company and customer data are safe, you will have to protect data storage from hacking attempts. The following data storage safety practices will help you achieve a high level of data security and compliance. 

1. Use strong passwords 

The most common way data storage is hacked are weak or shared passwords. You would ever store thousands of dollars behind a simple “0000” or “12345” password? No.

The data you are trying to protect is worth even more than that, so make sure that anyone with access to it has a strong, complex, and unique password. 

Weak passwords are present in almost every organisation and can cost corporations millions in damages because of data breaches. 

  • To avoid hacking attempts, have a proper password protocol in place. All passwords that provide access to data should have a minimum of 12 characters and shouldn’t be complete words. 
  • Use a combination of upper- and lowercase letters, numbers, and symbols. The password should not have personal meaning – no names, addresses, dates, or anything that can be unearthed on social media.
  • Passwords should also be changed every 6 months.

2. Add Two-Factor Authentication 

Additional authentication protocols should be a standard practice to protect data storage from hacking

In case your first authentication layer – the usernames and passwords – end up in the wrong hands due to a successful phishing attack, the second layer of protection in the form of two-factor authentication (or multi-factor) will keep data safe from outside access. 

The authentication server will prompt the user to input another security code after authenticating their credentials. The code is usually delivered via SMS, or via a phone authenticator app. Some services will also offer the code via phone call if supported. 

3. Include Session Timeouts / Auto Disconnects 

To battle forgotten login sessions that could potentially lead to a data breach because somebody else used the device, incorporate session timeout routines onto your data storage servers. 

These routines will automatically disconnect the user from all inactive sessions. 

For example, if the user accessed your data storage but has been idle for the last 15 minutes, they will be logged out. When they come back, they will be prompted to log back in again. 

This security measure is especially valuable if your staff has access to data storage from shared, remote (and potentially unsafe) locations.   

4. Use encryption for all documents and emails 

Encryption helps protect data storage from hacking because in the event it ever falls into the wrong hands, they won’t be able to read it. 

When you encrypt data, the data is translated into ciphertext that is just a string of random characters. The only way to make it readable again is to turn it back to its original form with the right encryption key. 

The larger the key size, the more computational power is needed to crack it. The rule of thumb is to use encryption services that offer at least 256-bit encryption protocols.  

In order to ensure you have encrypted all sensitive documents, you should use a data protection solution that covers data discovery and sharing. Microsoft’s Azure Information Protection is such a system, and can be used to discover all your data, apply labels that determine how sensitive data is, and then apply rules on data access. The system will find all locations where data is stored and help you migrate it to a safer, centralised location. 

Because such systems also include email encryption, it also helps you keep data safe in case of mishaps. For example, if somebody accidentally sends an email with sensitive data to the wrong recipient, the recipient won’t be able to read the data without first having proper authorisation. 

5. Limit Access to Data Storage

In order to protect data storage from hacking, you have to limit access to data to inside actors too. 

The more people have access to sensitive and classified data, the higher the risk of data falling into the wrong hands. 

Your employees should have access only to data that’s essential to their role in the company. 

In case employees would need to access data occasionally, it’s better to have procedures in place that would authorise access to them temporarily rather than giving them unlimited access. 

6. Use Safe Cloud Storage Solutions 

Cloud storage solutions help you keep your data accessible at all times and is becoming the standard today. With so many employees working from remote locations and accessing data from multiple devices, it’s safe to say that there are many more vectors of attack.  

To protect data storage from hacking but keep it accessible and online, try using a decentralised cloud

It uses blockchain technology to keep data safe and such cloud storage is not controlled by a single entity and data is not stored on a centralised location. Instead, data is spread in tiny fragments across a large global network. When you need to access it, it will be assembled and decrypted as soon as you are authorised (either with an encryption key or password). 

7. Educate Employees

You can invest in the best firewall, anti-spam, and antivirus software, but if your employees don’t know how to spot a potential threat, your attempt to protect data storage from hacking will ultimately fail.  

Everyone in your company, be it the newest members of the team or senior executives, should go through regular education training. Ideally, they should learn about: 

  • The latest threats and risks, and vectors of attack – Suspicious email attachments, phishing attempts, how to stop a spoofed email address, and more. 
  • Best practices when it comes to data security – Teach them about BYOD policies, unsafe public networks, being safe while accessing data from remote locations, etc.
  • How to use new security software you implement – Get them on board with new software solutions and teach them how to use them to avoid slowdowns and disruptions.   

Your data security is only as strong as the weakest link. What’s your weakest link? 

Posted on by

6 Hospitality Businesses Who Faced Data Breach Fines

hospitality data breach fine

Contrary to popular belief, the hospitality industry is an excellent target of cybercrime because of the sheer amount of personal and sensitive data held. In fact, there are several businesses that have already faced data breach fines.

Every day, hotels, hostels, and restaurant chains handle credit cards, emails, contact preferences, home addresses, and other sensitive data from millions of customers, and hackers want to get their hands on that information.

A data breach can go undetected for quite a long time, as some of the cases below demonstrate, which would only increase the GDPR fine nowadays!

Here are 6 hospitality businesses who have recently faced data breach fines, and the cybercrime that caused them.

1. Hilton Fined $700,000 After Taking 10 Months To Notify Customers of Data Loss.

Back in 2014, Hilton hotels were a victim of a data breach, followed by another breach during 2015, which resulted in the data loss of over 360,000 customers. The data that was stolen held sensitive information like credit card numbers, names, addresses, and more.

The biggest issue is that Hilton failed to inform its customers about the breach in a timely manner. It took them ten months after they learned about the breach to inform their customers. This resulted in a $700,000 fine for lack of adequate security and failing to inform customers about the breach. If this had happened recently, their fines would be much higher under GDPR –  they would probably have to pay around $420 million.

2. Radisson Hotels Face Potential GDPR Fine

Radisson Hotel Group faces fines under the newly adopted GDPR. The breach was discovered in 2018, with Radisson claiming to have promptly informed the EU regulators within the 72-hour timeline. It was detected in the Radisson Rewards database, and some members of their Rewards programs were compromised.

Apparently, credit card or passwords were not stolen. Stolen data included names, addresses, email addresses, company names, Rewards member numbers, and frequent flyer numbers. As a result, the hotel chain might be facing a €10 million fine.

3. Trump Hotels Pay $50,000 After Not Informing Customers About Breach

Even Trump hotels aren’t spared of data breaches. The hotel chain suffered a data breach back in 2014 when over 70,000 credit card numbers and other personal data were stolen via the payment processing system that was infected. The now president Trump agreed to cover the $50,000 fine that was issued because the hotel chain didn’t bother to inform their customers about the breach even though they knew about it for months.

4. Wendy’s $50 Million Settlement

Restaurant chain Wendy’s had to pay a hefty fine because of the data breach that happened in 2015 and 2016 when 1,025 POS systems used at their locations were infected with malware that led to a lot of stolen credit card info. It is reported that over 18 million cards were compromised in the breach.

Many of these cards were used to commit fraudulent online purchases. As a result, Wendy’s had to face a class action lawsuit from affected financial institutions and consumers. Wendy’s reached a settlement that required them to pay $50 million by the end of 2019.

5. Zippy’s Restaurant $725,000 Data Breach

Zippy’s restaurant chain based in Hawaii suffered a data breach in November 2017. They first discovered the breach in March 2018. All cards used during that time might have been affected. The compromised information included credit card numbers, expiration dates, names, and security codes.

There is no information about how many customers were affected, but a class action lawsuit was filed against FCH Enterprises, the owner of Zippy’s Restaurant. It’s worth noting that not only the restaurant chain was affected. The other franchises held by FCH – Napoleon’s Bakery, Kahala Sushi, Pearl City Sushi, and Pomaika’i Ballrooms. FCH reached a settlement and agreed to pay $725,000.

6. The $915Million GDPR Marriott Case

Probably the case that got most traction is the large data breach that occurred with the Marriott hotel chain. Personal data and credit card details, even passport numbers and dates of birth of more than 500 million of their customers were stolen. The Marriott group includes hotel chains such as Sheraton, Westin, W, Le, Meridien.

The breach was first discovered in September 2018, while detailed investigation revealed ongoing unauthorized access dating back to 2014. They did encrypt sensitive data such as credit card information. However, the group stated they cannot be sure that encryption keys were not stolen too.

The most concerning part is that this was ongoing for four years, meaning security monitoring profoundly failed. The fine: $3.5 billion dollars plus $915 million from ICO GDPR.

With the rising risk of data breach and rising prices of fines, make sure you protect your customers’ sensitive data. This is especially true with the GDPR in place. By doing so, you avoid fines and ensure your guests rest easy knowing their personal information is safe with you.


Posted on by

How to Hold an Azure Information Protection Staff Training

How to Hold an Azure Information Protection Staff Training feature image

In light of the latest data security climate, where a risk of a breach is higher than ever, it is of utmost importance to keep valuable data safe. Microsoft’s Azure Information Protection (AIP) helps in achieving this goal and it’s the solution we recommend.

Particularly when you consider that the UK average cost of a data breach is close to £2.87 million ($3.68 million) according to a recent report from the Ponemon Institute.

Azure Information Protection is a cloud-based data protection solution that keeps data safe through advanced encryption, identity, and authorisation policies.

But. 

Adopting AIP isn’t enough – you need to train your staff on how to use it properly. Newly accepted regulations like the EU General Data Protection Regulation (GDPR), combined with concerns about what awaits the UK in terms of free data flow after Brexit, make data security an important aspect to every company, so it makes sense to invest into Azure Information Protection staff training.

Ensuring Your Employees Are ‘On Board’

Change is something many employees are not fond of, so getting them on board with Azure Information Protection Staff Training is the first thing to do before you begin with implementation and actual training.

When your employees are educated on GDPR and data breach consequences, they will become more engaged in Azure Information Protection staff training. Not being compliant and risking a breach could cost them their job because many businesses that suffer a major data breach never recover. 

But, how do you do hold Azure Information Protection Staff Training?

Step #1 Educate on the Risks

Start by making your staff aware of the dangers of security breaches and just how little it takes for one to occur if data protection is lacking.

Step #2 Explain Their Role in Compliance & Data Protection 

Many employees are not aware of just how important they actually are in keeping data safe. Start by explaining their role in the company security and compliance. Explain that whenever they send data – be it email or access to a folder – to somebody inside or outside of the company, it can be a security risk. The risk here is that often there are no resources that would monitor or restrict misuse of that shared data.

The most recent statistics included in IBM’s Cost of a Data Breach Report show that a staggering 27% of all data breaches that happened was caused by a human error – in other words, employee negligence was the cause.

Think about the following scenario: You are sending sensitive financial data to an outside partner. The partner is negligent and sends this confidential data to parties that should not have access to it. This constitutes a data breach.

A data breach has serious consequences far beyond actual financial costs including:

  • Hacking
  • Downtime
  • Loss of customers
  • Loss of personally identifiable information (PII) from customers and employees
  • Loss of intellectual property
  • Loss of financial information
  • Breach of data protection laws
  • Legal fines and claims
  • Reputation damage

Step #3 Show Why Azure Information Protection is the Solution 

Proper training will help reduce the risk of a data breach as a result of human error. Before you fully implement AIP, ensure your staff become familiar with all the features and that each department knows how to utilise its full potential. 

Explain how Azure Information Protection works and how, when integrated, in the organisation it can help on an operational level. 

Step #4 Show off Features They Can Use

During Azure Information Protection staff training, the focus should be on providing specific and detailed guidelines to each department. Present all the important features that AIP offers:

  • You Can Classify Your Data – AIP helps classify and label data based on how sensitive it is through a system of labels that automatically protect it once applied.
  • 24/7 Protection – Once you classify data and protect it, it stays protected. AIP follows data and ensures it’s protected even when shared outside of your organisation or stored on an external device.
  • Track Data and Revoke Access  – AIP helps you track what is happening to data you have shared, and in case it’s needed, you can easily revoke access.
  • Log and Report Support Compliance – Get access to powerful features that help analyse and monitor usage of data. The reporting feature helps maintain compliance with rules and regulations.
  • Safe Collaboration – Thanks to labeling and classification, you have complete control over who has access to data and how they can interact with it.
  • Microsoft Office Integration – AIP is integrated into MS Office so you can secure any document with a single click as well as automatically in the background. 
  • Easy to Manage and Deploy – AIP works in the cloud and on-site equipment too.

Step #5 Make it Specific

Once done, provide each department with detailed guidelines and best practices for using AIP specifically for them. For example, teach your finance department staff on how to use AIP features like the Do Not Forward Button or Sensitivity Bar, or your marketing department on how to apply AIP labels and send data to external partners.

If you want to make your AIP staff training easier, we’ve created an Azure Information Protection Staff Training Course on The TowerWatch Academy.

Posted on by

Delete Metadata on Redacted Documents To Avoid a Data Breach

delete metadata on redacted documents feature image

Did you delete metadata on redacted documents the last time you sent them?

If not, it’s easy to see the original information if you know where to look and then you might as well not have redacted them at all! This doesn’t just apply to ‘Top Secret’ documents anymore, it also poses a problem under GDPR.

For example, it’s easier to redact personally identifiable information (PII) you don’t want to share when sending a document to third parties or externally. Rather than getting consent from each user or changing your document (or database) altogether.

But.

Some people have been making mistakes. The ICO reported that in Q4, failure to redact data was one of the most common types of data security incidents. So, ultimately, if you don’t delete the metadata on redacted documents it can lead to a data breach! To remove the risk, it’s best to remove the metadata. Here’s how it’s done:

Delete Metadata on Redacted Documents in Word

  1. Select and open the Word document you want to remove the data from.
  1. Click on the “File” tab and select “Info” from the menu.
  1. Choose “Check for Issues” and select all the data you want to check the document for:
    • Comments, revisions, and versions
    • Properties and personal information
    • Headers, footers, watermarks
    • Hidden text
    • Document server properties
    • Custom XML data
    • Ink
  1. Click “Inspect” and review the results.
  2. Choose “Remove all” to strip the document of metadata.

Delete Metadata on Redacted Documents in Excel

  1. Select and open the Excel workbook you want to remove metadata from.
  1. Select “File” > “Info” and under “Check for Issues” choose “Inspect document.”
  1. Select the data you want to check:
    • Comments and annotations
    • Properties and Personal Information
    • Hidden rows and columns
    • Hidden worksheets and names
    • Custom XML data
    • Invisible content
    • External links and embedded files
    • Macros
    • Cached data
  1. Choose “Inspect” and review the results.
  2. Select “Remove all” on each type of information you want to remove.

NOTE: If an Excel workbook was saved as a shared file, some information can’t be removed. This includes document properties, personal information, comments, annotations, headers, and footers. To remove these, you first have to unshare the workbook. Should you remove hidden rows and columns with data, this can affect calculations and formulas.

Delete Metadata For PDFs

Unfortunately, in the free version of Adobe, access to metadata is limited. So whilst you can view the properties, you can’t edit or remove them. To remove you’ll need a subscription to Adobe Acrobat XI or a specialist tool. But, here’s how to do it with an Adobe Acrobat XI license.

  1. In Adobe Acrobat XI, locate the Tools panel in the top right corner.
  1. Open the “Protection” tab and locate the “Hidden information” heading.
  1. Select “Sanitize document” and click “OK.”
  1. To choose what to delete, select the “Remove Hidden Information” option.
  2. Name your file and click “Save.”

Delete Metadata on Redacted Documents in PowerPoint

  1. Select and open the Powerpoint presentation you want free from metadata.
  1. Under the “File” tab, go to “Info” > “Check for Issues” > “Inspect document”
  1. Select the data you want to check:
    • Comments
    • Properties and personal information
    • Revision data
    • Custom XML data
    • Off slide and invisible content
    • Macros
  1. Click “Inspect” and wait for the results.
  2. Click on “Remove all” on all the information you want gone.

Delete Photo Metadata

Okay, this one might be a bit of a stretch as far as GDPR is concerned, but we figured we might as well show you how to do this as well whilst we were here! Also note that you can access photo metadata if you’re adding it to a document, so you’ll need to remove it before adding to a redacted document.

  1. Right-click the image file and go to “Properties.”
  1. Go to the “Details” tab.
  1. Select “Remove properties and personal information.”
  2. Select which data you want to remove.

Although it might seem like a faff! Incorrectly or failing to redact documents properly will lead to data breaches. Particularly when sending files publicly! so, delete metadata on redacted files and you should reduce your risk significantly.

You might also be interested in:

20 Computer Malware Signs Causing You a Potential Data Breach
The Different Tactics Hackers Use to Gain Access to Your Computer
Posted on by

How Azure Information Protection Can Be Used in GDPR Email Compliance

Today, businesses make data-driven decisions in order to have a competitive edge. If your business deals with personal data from customers, it is required to be compliant with EU’s General Data Protection Regulation (GDPR) requirements this means disclosing how it handles data and ensuring that data remains safe.

Everything You Need To Know About GDPR & How It Will Affect Your Business

Why You Should Use Azure Information Protection for GDPR Emails

Sending sensitive data internally or to recipients outside your company carries a certain risk. Every email you send could lead to a disclosure of sensitive data, which constitutes a breach of GDPR. Therefore, investing in the protection of emails and files that are sent is crucial.

Azure Information Protection help keep your emails safe through advanced encryption and protects data at a file level with any attachments you might share too.

It’s a great solution that we recommend to our clients and one we can deploy seamlessly.

How to Install Microsoft’s Azure Information Protection for Small Businesses

While GDPR email compliance may seem like just another regulatory hassle, it is actually an opportunity to invest into your company’s digital security. The most recent data from the Ponemon Institute shows that the global cost of a data breach is increasing steadily, and in 2018, it has reached $3.86 million.

If that’s not enough to convince you, why not use IBM’s data breach cost calculator and see what yours could actually cost.

The Latest Data Breach Report Shows a Troubling Trend

A data breach carries serious consequences, and every business operation will suffer financial, sales, marketing, safety, you name it. The 2018 Cost of a Data Breach Study states there are three main causes of a data breach, with percentages of attack globally being:

  • Malicious or criminal attack the main reason for 48% of all breaches
  • System malfunction the cause of 25% of all breaches
  • Human error the cause of 27% of all breaches

The report shows that human error was the reason behind a data breach more often than a system malfunction was, while malicious and criminal attack took first place.

Note: It’s important to state that human error only includes insiders who were careless, while malicious attacks also include insiders, third parties, and contractors who caused a data breach intentionally.

In the UK specifically, malicious and criminal attacks were the reason of 50% of all breaches, human error was behind 26%, with system glitch causing only 24% of all data breaches.

This means as high as:

 76% of all GDPR breaches in the UK can be caused by either negligence or malicious intent.

Which can be vastly reduced when using a file or email encryption like Azure’s Information Protection

The True Cost of a Data Breach to Your Business

How AIP for GDPR Emails Keeps You Compliant

Azure Information Protection (AIP) is a cloud-based service that allows you to protect any sensitive and confidential data through encryption. You can protect local data you keep on your devices or data that you store in the cloud. When you send that data outside of your company, the encryption remains in place because it’s active at a file-level.

This means that even if you’re compromised, documents that are recovered cannot be read or unencrypted. Plus, intercepted emails cannot be read unless the intended user verifies themselves.

Ultimately, AIP can’t stop your users from making a mistake, but it can support them and arm them with the tools to protect company data properly.

Azure Information Protection Protects Against Malicious Intent

For example, if one of your employees or third-party recipients wants to email a file to an unauthorised person, they won’t be able to do so. Plus, AIP has a great feature called Do Not Forward for GDPR compliant emails. When this option is used, the recipient must first be authenticated to even view the email, and this is all they can do. They can’t forward the email or print, or screenshot. This ensures the email is for their eyes only and that they cannot execute a data breach by forwarding onto non-approved users that would lead to GDPR violation.

Documents attached to these emails are also counted as DO NOT FORWARD and will have the same restrictions.

Azure Information Protection Activity

Not only does AIP limit who can view the data, but it also tracks how that data is being used. By doing so, it ensures that data is safe at all times and that GDPR compliance standards are met. Plus, if you suspect there’s a risk that the data could be used in a way that violates GDPR regulations, you can even revoke access to it.

There are a range of other uses for Azure Information Protection to help keep your company emails and files protected. If you need help learning the reigns or want to deploy Azure Information Protection Yourselves, get started today by clicking here.

Posted on by

Technical GDPR Staff Training Essentials

technical GDPR staff training essentials feature image

One of the challenges of implementing GDPR for businesses is the technical GDPR staff training.

But, you need to be prepared.

Your organisation’s compliance depends on having informed and well-trained staff, and the larger your business, the more difficult and vital this becomes.

We’ve dealt with many GDPR staff training sessions approaching from the technical standpoint and often consult with organisations to ensure they are passing on their knowledge correctly.

As such, we’ve decided to put together this brief list of essentials for a technical GDPR staff training session to get you started.

Before Your GDPR Staff Training

Data protection should already be part of the company culture meaning that your staff aligns with a privacy-first approach.

In practice: Incorporating privacy and data protection to your core values ensures you adhere to the GDPR “data protection by design and default” guideline – this means that your default settings should be privacy friendly, and all processes and operations, from sending GDPR Compliant emails to app development, include data protection measures at their core.

5 Ways Your Emails Could Breach GDPR

What To Include in GDPR Training Sessions

A well-rounded GDPR training should start with the basics and work towards the technical aspects of GDPR compliance like new policies and frameworks that you’ve adopted as an organisation. Key points to include are:

1. Consent

GDPR is all about consent, and ‘legitimate interest’ cases when contacting others and this needs to be thoroughly understood and explained.

If not, any one of your employees could contact someone without permission and it could lead to a complaint to the ICO and fines. This is one of the most misunderstood points of GDPR currently, particularly for marketers and businesses that thrive from reaching out to potential customers. You and your staff need to understand where the line is, and how not to cross it. 

2. The Risk of Non-Compliance

Your staff should learn about all the principles of data protection and be aware of the financial risk of not being compliant, how it hurts reputation, and what disciplinary measures the business (and they) can face. When they can connect the risks and arguments on why GDPR is necessary, they will understand just how important it is.

Everything You Need To Know About GDPR & How It Will Affect Your Business

3. Understanding Your Business’ Role

Ensure your employees understand where your business stands. Participants should learn the difference between data processors and collectors, which category the business falls into, and the category of any other third party they conduct data-related business with.

4. Knowing Regulations & Regulatory Bodies

For example, your staff should know the role of the ICO and relevancy of the Data Protection Act 2018 and Privacy and Electronic Communications Regulations.

5. Being Specific To Your Business

There’s no point in explaining the rationale behind GDPR and the fines without some context. Your employees need specific guidelines about data-related operations and processes they do daily.

For example, your GDPR email training might be highly technical, so make sure that everyone understands how new regulations affect their daily email communication and work in general, with a focus on how it makes it better.

Industries Prone to Email GDPR Breaches

6. New Company Policies

Your business’ policies should be at the core of the staff training. Ultimately, you’re the ones to police your own staff and if it is enforced companywide, it’s more likely to be adopted (and stuck to.)

Every department should be aware of new company policies that ensure GDPR compliance and how they affect them – from developers working on a new app to the sales team dealing with customer data, to marketing staff sending out emails.

7. How To Spot Data Breaches

The staff should also learn how to recognise red flags – because a data breach has to be reported to ICO within 72 hours, knowing to spot one is crucial. They should also learn the correct procedure in case of a data breach, such as who to report it to in the company and whether additional measures are needed.

8. SAR Requests

Under GDPR, a company has to respect a subject access request – request for data. SAR requests need to be handled within 24 hours of being received, so having a policy in place and making sure your staff knows the correct way to respond to it is key, because the public and customers don’t always send requests to the right location straight away. 

The Technical Side of GDPR Staff Training

Implementation of new technologies and software solutions that ensure data safety is the next logical step for GDPR compliance. But this can be difficult to implement itself. 

This means that you and your staff will have to learn about new encryption technologies and software you decide to integrate into your business operations.

Article 32 of GDPR states that this can be achieved through:

  • Pseudonymisation and encryption of personal data
  • Ensuring your processing systems and services are confidential and resilient
  • Being able to restore access to personal data quickly if there was a physical or technical issue that prevented access
  • Regular testing and evaluation of technical and organisational measures that were implemented to ensure data security

For example, your email communications should be secured through solutions like Azure Information Protection – which provides email and file encryption that protects data in such a way that it’s secure no matter where it goes. Deploying systems like Azure Information Protection across your organisation can be tricky if you don’t know what you’re doing, but training your staff to use AIP should be easy – from GDPR email training to sharing documents securely – to ensure the highest security and your ‘best effort’ towards GDPR.

GDPR Email Terminology You Need to Know!

Continuous GDPR Training Ensures Compliance

The last point to note is that reminders and refreshers are the way to really reiterate the importance of GDPR to your business, to staff. 

Hold refresher sessions after the initial GDPR staff training on a regular basis. Data protection should be ingrained into every single business process. Make sure new members understand this too – make GDPR training an integral part of the onboarding process and make sure it becomes part of your company culture.   

If you need help with implementing Azures Information Protection in your small business, check out our fully comprehensive and supported course here:

https://towerwatchacademy.thinkific.com/courses/get-file-and-email-encryption-for-small-businesses-microsoft-aip-course
Posted on by

20 Computer Malware Signs Causing You a Potential Data Breach

With our increasing reliance on our phones, computers, and other internet-connected technology and accessories, security is more important than ever. To be able to recognise when our tech might be compromised can save you from potential catastrophic losses. It’s therefore important to be on the lookout for computer malware signs. 

How often do you pay for something using your credit card or online wallet? How many passwords do you have saved or “remembered” so you can quickly log in? Hackers can gain access to your devices in numerous ways, but in many instances, it’s not immediately apparent.

The Current State of Internet Security

According to the Symantec 2017 Internet Security Threat Report (ISTR), 1 in every 131 emails you receive is infected with malware. Opening such an email infects your computer and gives attackers access to your personal and business data.

In a business environment on a company network, this can give hackers access to the same shared systems and folders that your computer has access to, leading to a data breach with far-reaching consequences. All it takes is for a high-level executive, member of the C-suite, or HR personnel with access to sensitive records to click that infected email and it’s game over for some businesses. 

Being aware of the dangers and spotting the computer malware signs is, therefore, more important than ever to prevent the disastrous effects of a successful cyberattack. These are the warning signs of a possible data breach and that your system has been infected. 

20 Computer Malware Signs To Be Aware Of

1. Pop-Ups

Very often, malware and viruses will be disguised as regular notifications. Your computer will display the notification, often saying that your PC is infected and offering help to remove the threats. If you accept “help,” you will be prompted to visit a website and leave your credit card information to pay for the service of removing the threat. Even though such an attack pattern is not new and has been present for a while, people still fall for it very often. This is the most common of all computer malware signs.

2. Sudden Sluggish Performance

If you notice that your computer is slower than usual, the first thing to do is check the Task Manager. You can access it by simply writing “Task Manager” after hitting the Windows key on your keyboard.

Once there, check the Performance tab to see whether any of your hardware is being used too much: the CPU, memory, disks, or GPU. Chances are, your memory might be compromised by malware.

If you’re not infected and your computer is still slow, check out our course here to improve computer performance.

3. Has a Mind of Its Own

Some glitches in your system might appear like your computer has a mind of its own – usually a brief glimpse of a registry change or your mouse moving by itself. In most cases, these are just little glitches – a speck of dust on the mousepad, for instance. But this could also be one of the computer malware signs. If mouse movements are deliberate and make sense, like the mouse moves and opens or closes applications, then you are definitely dealing with a far more serious threat than a dusty mouse pad.

To disable this kind of remote access, the first thing you should do is disconnect your PC from the internet, disable network drivers so it can’t connect again, and make sure any connectivity options are disabled, e.g. Bluetooth. Then, you can start dealing with removing the issue.

4. Crashing

Your computer might crash for no apparent reason. Often, software and hardware incompatibility are to blame, but if this is excluded, computer malware infection is a real possibility. To see what the crash was caused by, go to Event Viewer by hitting the Windows button on your keyboard and writing “Event” – it should be suggested as the first option. Once opened, go to Windows Logs and go through those that are marked as an error. This will give you more insight into what caused the crash and help you or your IT team find a solution fast.

5. Low storage

If your computer is suddenly running low on storage, it might be that you have not been paying attention to how much you have left. Some malware and viruses, however, are programmed in such a way that they replicate endlessly until they use up all the storage space you have.

Always ensure you know how much space you have left. If you know for sure that your hard drive partitions had more than enough, suspicious activity is to be expected.

6. You Don’t Appear to Have Security Measures Working, e.g. No Antivirus etc.

Your computer might notify you that your security isn’t working – that your antivirus has been disabled. If this is the case, check the status of your antivirus immediately. While this can be a system glitch while your antivirus is updating, it is often a sign that you were infected.

If you can’t get your antivirus software up and running, you will have to either install a new antivirus and antimalware software or, if you’re using a paid version, contact your antivirus manufacturer’s support and let them lead you through the recovery process.

7. Ads

Malware software can also cause pop-up ads, new tabs in browsers, or change homepages, and search engines, without the user’s consent. To get rid of these annoying pop-ups and ads, you will have to find the infected software and remove it from your device.

8. New Icons on Your desktop

If you notice a new icon on your desktop that you don’t know the origin of, suspect foul play right away as new icons are computer malware signs. Malicious software might be installed on your device, threatening to steal your credentials, cause havoc, or even lock you out. If this is your work computer, contact your IT department right away as it could have been installed on the network, not just your own device.  

9. Corrupted folders or Missing folders

If you get a prompt your file is corrupt or you realise some folders are missing from where they are supposed to be, it could be an infection. Some malicious software will not be after your credit card data – the intent can simply be to erase all your data from your drives. While this is less of a threat today than it was before thanks to various online storage solutions, not all your data is stored online. If you have lost files, a system restore might be a way of getting them back.

10. Ransoms

Some malware acts as a simplified version of ransomware by locking you out of your computer until you pay. But, unlike hardcore ransomware, there are some things you can usually do to unlock it.

Using Windows safe mode might do the trick. Once you have booted Windows that way, you can run a virus scan and remove the ransomware. There are also dedicated ransomware removal tools from established antivirus brands, and even Microsoft itself has tools available. Another option is to use System Restore to restore your computer to a version that wasn’t infected yet.

11. Errant Messages

Your system might notify you that an application requires permission to do something, for example an application trying to change something on your computer or connect to the network. This usually happens when you start up, update or install a new application. However, if none of these have happened recently and you’re still getting the messages, your PC might be infected.

12. Redirecting Web Browsers

If you notice that your browser started redirecting you to random sites, you might be dealing with a browser redirect malware, whose aim is to use these redirects to artificially boost traffic to such sites, gather search data, or to try to scam users and steal their personal data. Search for suspicious programs on your device if you suspect this to be the case.

13. New Home Pages

If you open your web browser and your homepage is changed, you need to check which program might have caused this. Usually today, a lot of software will come with additional taskbars or options to change your homepage while you install them. You can opt out of it easily during installation, but many people oversee this. While such changes and additions might not be viruses themselves, they often lack proper security and can easily be used as a point of entry.

14. You’re (Not) Reaching Out

You might find that new conversations are popping up in your email inbox or social media that were started by ‘you’, but you can’t recall starting them.

These spam messages encourage your contacts to click on links that will then infect them. A popular scam is the malware will send an SOS email or message saying you’re stranded and need cab money or a train ticket. It might not seem like a lot but if every one of your friends and every one of their friends become infected, it’s a lot of potential.

15. BSOD – Blue Screen, Will Not Boot

If your computer suddenly becomes unresponsive and you see the dreaded blue screen of death (BSOD), it could be malware.

However, BSOD often happens after you install new software or hardware. Check whether you have the latest drivers installed for all your components and search for possible incompatibility between programs and hardware you are using.

If this is not the case, you will have to consult the Event Viewer again to see what exactly caused the BSOD.

16. Credit or Bank Purchases

If you get notified that there were purchases made with your credit card, or money was taken from your bank account but you didn’t do it, ask your bank to verify how payment was made. If it was done using your card (not in person) it means it was an online transaction. This can mean your device is compromised and they’ve taken the details, particularly if you have them saved e.g. Google online. 

Cancel your cards, disconnect from the internet and do a thorough sweep of your devices to make sure that the breach didn’t come from them.

17. You can’t login to your accounts

If you can’t get access to your account because your password suddenly isn’t working, there’s a good chance you’re dealing with a case of account theft. This is already one of the serious computer malware signs. Always have a fallback option for such cases – a way to reset your password via your phone number, for instance. To minimise such a risk, have two-factor authentication that will request a code sent to your phone or a generated code from an app installed on your phone.

If you get a notification from your authenticator, for example, a code on your phone but you’re not trying to log in, check your system for malware and change your passwords immediately. It could be someone with a keystroke logger.

How To Protect Your Email Password From Hackers

18. Your Hard Drive Appears to Be Constantly Working Even When Doing Nothing

Erratic and sluggish operations can be caused by a lot of software and hardware issues. To see what is happening, you will have to open your Task Manager by hitting your Windows key button and typing “task manager” for it to appear on the list.

Once opened, look at the performance of your hardware. If you see that your disk is on ‘100%’ most of the time, you will have to check which processes are running and might have caused this. Note that certain Windows processes might cause this from time to time – recently microsoft.photos.exe, a legit Microsoft application, was causing this issue for some users.

If you find any other applications that are unfamiliar to you and are using your disk fully, terminate the process by right-clicking on it and selecting the “End Task” option. Find which program the task belongs to in order to see whether it’s a real malware or virus issue or just an incompatible program.

19. File Names Change or Are Missing

Any changes to files – either the names or the location of the files – should immediately be attributed to malicious software activity. A deep scan with a dedicated software will be needed to find the infection. Any files that were affected – renamed, deleted, or removed – might be beyond saving, so always make sure you have your data securely backed up online.

20. Unusual login pages

Any changes to login pages you often use – either for work or personal – should be deemed suspicious. Usually, changes like this are announced in advance, so check for news about the changes before you log in. Any pages that require your work, Google, or social media account credentials (both username and password) for login should also be avoided as these might be phishing sites that are trying to steal your credentials.

If you’ve navigated to the page through an email, close the tab and go to the company you’re trying to login to directly. If you don’t recognise the site, NEVER give your credentials away!

It’s important that if you feel there is something wrong with your computer, particularly if you are on a company device or part of a shared network that you report it! Small and subtle changes can lead to big data breaches and catching malware early is key.

You Might Also Be Interested In: 

The Different Tactics Hackers Use to Gain Access to Your Computer
12 Warning Signs Of A Phishing Email
Making sure You’re Protected From RANSOMWARE Attacks
Posted on by

The Different Tactics Hackers Use to Gain Access to Your Computer

We’d all like to think that hackers are spending weeks on end planning their every move to attack a business but the truth of it is nowhere near as exciting. Although this could happen to a big target, for most people it’s a lot more boring and they get ‘accidentally’ caught in the net as hackers looking to make a quick buck send out malware or ransomware hoping someone will fall into the trap.

That doesn’t mean the effects aren’t any less devastating!

So, to make sure you can protect yourself, let’s look at the various different tactics hackers use to try and steal your business’ data.

1. Relying on Human Error

We’re sorry to say that lack of education in businesses and human error by employees account for a large portion of breaches in our experience. For example, employees attempting to access internal systems from unsafe locations, using personal (infected) devices on the network, or clicking malicious links in an email. Hackers cast their net far and wide, and the likelihood is someone will click something and open the door. And that’s all they need. 

Hackers also pray on the lack of oversight from business owners on their employees. According to Keeper Securities’ State of Cybersecurity in Small & Medium-Sized Businesses (SMB) report from 2017, 59% of small businesses do not have insight into the types of passwords employees use. This means that although the company is liable for a breach, they aren’t enforcing or even aware of the security standards of the passwords in use. 

2. Phishing

Phishing is one of the most common tactics hackers use. This is usually in form of an email that is spoofed to look like it’s coming from another sender, like your bank, or ISP. It will urge you to act immediately or you might lose your account, money, or face infractions. 48% of hacks on companies last year found that phishing or social engineering were the result.

Here are the warning signs you need to look out for in a phishing email

12 Warning Signs Of A Phishing Email

3. Public/Free Wi-Fi

Public computers and Wi-Fi networks are notorious for being plagued with malicious software that “sniffs” for data packets while you are using them. You risk losing your account data as soon as you type in your password. 

4. Phone Calls

Surprisingly these still work and is still one of the tactics hackers use! Hackers have been known to ring you claiming to be your bank or an organisation you’re affiliated with and ask you to confirm details over the phone. For example, banking pins or passwords as well as talking to you about family data or information, like your mother’s maiden name to get the ‘security question’ answers or take a stab at your password. If you feel a phone call is suspicious, never hand over your data, simply tell them now isn’t a good time and hang up.

5. Weak Passwords

Lazy, generic and consequently weak passwords are the easiest way for hackers to get access to your accounts. Many small business owners admitted that, while they still have password strength policies, 68% do not enforce them. A generic or commonly used password like 12345, makes it easy for hackers to gain access to your email or computer.

Check out our article below on protecting your password from hackers:

How To Protect Your Email Password From Hackers

6. An Out-of-Date OS

While nobody likes how long OS updates take, they exist for a reason: to address flaws within the code that can potentially be exploited. Without regular updates, you enable easy access to hackers who are aware of the weak points.

7. Infected Attachments

It’s not just the links you should be wary of in an email. Masked to look like images or documents, they often carry viruses, malware, or spyware, like a keylogger that will install to your device and record your every keystroke to get your passwords that way.

8. Dodgy Devices

Be wary of those free devices being handed out to you as “freebies” in many cases, hackers can load malware or keystroke loggers on them so that when they are entered onto the computer they immediately infect it.

9. Pineapples – Spoofed Wi-Fi Points

A Wi-Fi pineapple is a fake Wi-Fi access point that has been purely set up to steal your data but it masks as public Wi-Fi. From the hacker’s point of view, they have multiple programs and software running to gain access but to the unsuspecting user, they just jump on as usual and voila, instant access to your data.

10. Unsuspecting Accessories

Your new smart lock, phone controlled thermostat, camera that is enabled to a network, card reader or any other online accessory all have access to your network. Hackers can use these as easy points of entry if they aren’t protected correctly to access your network and get to your data that way!

Unfortunately, we’ve only just scratched the surface of tactics hackers use to access your data and your files, and this is why we are firm advocators for using file protection as part of your cyber security strategy. That way, hackers can’t access the data from your files once you’ve been breached, therefore protecting the data stored within them.

To get automatic file and email encryption for small businesses using Microsoft’s Azure Information Protection, click the image below to get half off our course on udemy:

file and email encryption course image. click to take you to the course
Posted on by

How to Install Microsoft’s Azure Information Protection for Small Businesses

Until now, Microsoft’s Azure Information Protection (AIP) has been an enterprise level IT solution for the big brands and businesses. So, you may not have even heard of it! But, its tools are perfect for small businesses and allows you to get AUTOMATIC file and email encryption that is easy to use, and affordable.

Let’s look at why you should be looking at this solution for your small business, how you can use it and what it can do for you:

Why do I Need File Protection?

We could advocate for file protection but it’s easier just to show you, here’s how easy it is to gain access to your sensitive data if you don’t have file protection:

The solution to this? We recommend, Microsoft’s Azure Information Protection (AIP)

Update: 23/09/20 – Microsoft’s AIP has actually been upgraded to MIP, with a few extra features. This article is still relevant and if you scroll to the bottom you can see a demo of a recent project we just completed on how it looks in action.

What is Microsoft’s Azure Information Protection?

It’s an excellent cloud-based file and email encryption solution that allows you to create certain ‘rules’ to protect your files and emails automatically.

What Does This Entail?

Although it’s also an excellent option for smaller businesses because it offers unique cyber security features which make GDPR compliance easy and seamless, you can’t really “figure it out” as you go.

It’s not as simple as downloading a piece of software. There’s a little more to it than that. But, once you know how, it’s our recommendation for keeping your company, files and emails protected. The installation looks a little like this:

Different Stages of AIP Implementation

Once you’ve set up your active directory and assigned your licenses, there are 3 steps to implementing Microsoft’s Azure Information Protection:

Assessing Your Data

Although only roughly 5% of your data is sensitive, you still need to protect it and in order to do so, you need to understand what it is, where it is and how you handle it.

Installation

This is the easy part (if you know what you’re doing) and is a simple installation of the AIP client onto all of the machines/servers that you want to have automatic encryption capabilities.

Monitoring/Testing

This is all about tweaking your settings to match your usage based on what you’re using your protection for in your business.

So, How Can I Do It Myself?

We originally created an AIP course (you can still take the legacy course HERE.) However since the update to MIP (Microsoft Information Protection) there’s a lot more backend setup, licensing crossovers, and implementation that just make this a project that is really tricky.

If you get it wrong you can accidentally encrypt and lock yourself out of all of your data, and to be honest, we don’t recommend doing this.

We still want to make MIP accessible for SMEs so we offer a half hour consulting option to give you the best tailored advice on what forms of protection are best for you, and then we can help you set up MIP if it’s suitable.

Book in for your consultation CLICK HERE.

Check out the MIP Demo below to see it in action:

Posted on by

How “At Risk” Small Businesses REALLY Are to Cyber Attacks

busy coffee shop as a small business

Running a small business comes with a very specific set of challenges, like having limited resources, and often cyber security falls to the bottom of the list. But, the cost of a data breach, no matter the size of your organisation can be huge and the bad PR or image alone could be crippling as small businesses have to rely on reputation! 

Why Would Anyone Target Small Businesses?

Many small business owners don’t understand why their company would be an appealing target for hackers. They are small, don’t have vast funds or sensitive secrets that anyone would care about. They believe they are not big enough to be a target, so they don’t invest as heavily in cyber security as larger businesses do.

Some hackers do not target small businesses specifically but try to infect as many devices as possible, and without protective measures, backups in place, or the education, small businesses can very quickly become victims too.

The most common type of tactic that casts a wide net are ransomware attacks and more recently, cyber-attacks are becoming more targeted and specific.

The top 3 reasons why small businesses are targeted specifically by hackers are:

  1. The lack of investment into security makes it too easy for those looking to make quick money by selling details. 
  2. Small businesses often work with larger enterprises and if they’re not careful can serve as a point of entry for a large data breach.
  3. A small business is more likely to meet the hacker’s demands, such as a ransom, to get their data back because without it, their business is at a standstill. 

Cyber-attacks against Small Businesses are on the Rise

According to Keeper Securities’ State of Cybersecurity in Small & Medium-Sized Businesses (SMB) report from 2017, attacks against small and medium business owners are on the rise. A staggering 61% of small businesses that were interviewed reported they were affected by a cyber-attack. The most common type of attack included phishing or social engineering, with web-based attacks and general malware following closely behind.

What Small Businesses Should do to be Safe from Cyber Crime

Change of stance is the most crucial thing.

If small business owners continue to believe they are not a good target to hackers and believe they don’t matter, they will continue to be vulnerable to cyber attacks. Small businesses should focus on the following areas:

  • New Technology and Software – Investing in the newest software solutions can give small businesses the edge that they need to catch breach attempts early. Machine learning can detect anomalies in network traffic or credit card fraud attempts so that small businesses don’t have to pay as much attention. 
  • Employee Education – Teaching employees about cyber security lowers the risk considerably. Get them on board about it and teach them about password policies, what makes a strong password, why password sharing is risky, and signs that indicate a possible breach. Check out the TowerWatch Academy for regular courses that you might need for educating staff and using protection software. 
  • Regular Updates and Patching – Ensure all your systems are up to date and patched regularly. New patches are applied to parts of code that could have been used as points of entry before the patch which is why you should always keep up to date. 
  • Use Encryption – Encryption is a precaution in case a data breach happens. If hackers get to your data, having it encrypted will render it useless to them. 
  • Physical Security – Have surveillance in place in areas where you keep your sensitive data to avoid malicious actions from the real world.
  • Two Factor Authentication – In case a cyber attack is successful in getting credentials to log in to your system(s), a two-factor authentication will stop them from getting further than trying to log in and will immediately alert you so you can lock it down and change your passwords. 

If you need any help or support protecting yourself as a small business from cyber security attacks, join our free Facebook community for IT support for your small business.