Posted on

GDPR Email Terminology You Need to Know!

When it comes to GDPR and emails, things can get confusing! You need to be sure you understand the GDPR email terminology that users, customers and other businesses may use, so that you can act on it accordingly.

Although not an exhaustive list, here are some of the terms that will be most useful to understand. We’ve taken this list from our Free GDPR Email Protection Course you can find here.

Consent – This means permission, freely given and specific. GDPR aims to give people more control over their data and is big on consent, but consent is only one of the lawful bases for processing; if you have none of them, you can’t use the data. There are situations where consent isn’t needed. For example, if someone makes a purchase from you, you’re allowed to send them a relevant email about their order without separate consent, because it’s necessary to perform the contract. Another example is a business that publishes a generic, role-based mailbox (a shared enquiries address rather than one carrying a named individual) on its “Contact Us” page: that address identifies an organisation, not a person, so it isn’t personal data in the way a named employee’s address is, although the separate e-marketing rules (PECR in the UK) still apply. One thing to note here is that you still can’t add them to a marketing list on that basis, but you can contact them with something of genuine business interest.

Data Breach – Under GDPR, a personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. It is not limited to attacks by outside parties: an email sent to the wrong recipient is a breach too. The term usually comes up in relation to confidential or sensitive information.

Data Controller – The ICO define a data controller as:

“A person who (either alone or jointly or in common with other persons) determines the
purposes for which and the manner in which any personal data are, or are to be processed”

Data Portability – This is the right of the data subject to receive the personal data they gave you in a structured, commonly used and machine-readable format, and to have it transmitted to another organisation (a competitor, for example) where technically feasible. Businesses have to comply. Portability does not by itself require you to delete your copy; erasure is a separate request with its own rules, and you may need to keep some data for legal or tax purposes.

Data Processor – The ICO define a data processor as:

“In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.”

Data Processing – Any operation performed on personal data, physically or digitally: collecting it, storing it, feeding it into an automated algorithm, using it to segment a list, sharing it or deleting it.

Data Protection Authorities (DPA) – The independent supervisory authority in each EU member state (the ICO in the UK) that enforces data protection law and supports organisations in applying it.

Data Protection Officer (DPO) – An employee (or sometimes an external contractor) appointed by a controller or processor whose responsibility is to make sure data protection obligations are met and understood throughout the organisation. Under GDPR a DPO is mandatory for public authorities and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special category data; other organisations may appoint one voluntarily.

Data Subject – This is any person that the personal data is about.

Erasure – When an individual makes an erasure request (the “right to be forgotten”), they are asking to have their personal data removed from your organisation and from any third parties you have shared it with. The right is not absolute: you can refuse where you still need the data to meet a legal obligation, such as keeping tax records, but you must tell them why. Not complying with a valid request can leave you open to fines.

Encryption – Transforming information so that it can only be read by someone holding the right key. It stops unauthorised entities or people who obtain the data (by intercepting an email or stealing a laptop, say) from reading or extracting it.

Pseudonymisation – Processing personal data so that it can no longer be attributed to a specific individual without additional information (a key or lookup table) that is kept separately and protected. Pseudonymised data is still personal data under GDPR, because it can be re-identified; it is a risk-reduction measure, not a way out of the regulation.

Recipient – Under GDPR, anyone to whom personal data are disclosed; in the context of email, the person or organisation you send the message to.

Subject Access Request (SAR) – Contrary to popular belief, this isn’t actually new. A SAR is a request, which a user can make by email, asking what personal data you hold about them and how it is being used. Under GDPR you generally have one month to respond and cannot charge a fee. You may find the ICO’s “Subject Access Code of Practice” useful. Also known as a “Right of Access Request”.

For more information on email protection in the age of GDPR, check out our FREE COURSE HERE to guide you through it!


Are Recruiters Liable for Data Breaches When Sending CVs Via Email?

The ongoing joke of the moment is the number of unsolicited emails you’ve received as a result of GDPR, “consent” and the regulations that took effect on 25th May 2018. But the General Data Protection Regulation (GDPR) is a piece of EU legislation that has raised countless questions about specific processes, particularly in the recruitment industry. Among these questions is: are recruiters liable for data breaches when sending CVs via email?

After all, they hold a great deal of personally identifiable information (PII) in the form of CVs, application forms and submissions through their website. But how much of this are recruiters responsible for, and if you’re communicating via email, are you responsible for this data if there is a breach, even when you’ve obtained consent?

We’re looking at the facts from the ICO as well as our take on protecting PII sent via email to limit your chances of a breach.

Liability under GDPR

In short, recruiters are liable for data breaches resulting from the sending of CVs via email, but to understand why, we must delve a little deeper.

Under GDPR, the data controller holds ultimate responsibility for the personal data its organisation collects. The controller is the organisation (not an individual employee) that decides why and how personal data is processed, and it must ensure that all the data it holds is collected, processed and stored properly, with staff trained to pre-empt and effectively address potential breaches.

Everyone within the organisation must act in compliance with GDPR, but they do so under the controller’s authority rather than as separate legal actors. A data processor, by contrast, is a separate organisation that processes personal data on the controller’s behalf and on its instructions (a payroll bureau, a cloud email provider, a hosted applicant tracking system). Processors have their own obligations under GDPR, including security measures and reporting breaches to the controller.

In practice, a recruitment agency that decides how candidate CVs are collected, stored and shared is a controller in its own right; where it only handles CVs on a client’s instructions, it acts as that client’s processor. Either way, the agency and the people working in it are accountable for the data in those CVs, which is personal data and may include special category data.

Liability for Recruiters

Recruiters, whether their organisation is acting as controller or processor, are accountable for the information they collect, handle and send elsewhere. This includes CVs.

They need to ensure that CVs and the data within them are:

#1 Sent only to the intended recipients

#2 Used solely for the specific purpose they were collected for

#3 Removed correctly when no longer required.

A recruiter must know exactly where a CV has gone and how it is being used by the recipient. This is because, under GDPR, any data subject in the EU has the right to erasure, otherwise known as the right to be forgotten. If such a request is received, the recruiter (and their organisation’s data controller) is duty bound to honour and complete it, which includes telling everyone the CV was passed to that it should be deleted.

But if they aren’t keeping records of, or control over, the transmissions of personal data they send, this task becomes more difficult, if not impossible.

To protect themselves and their organisations, recruiters should present candidates with a privacy notice before collecting any personal data. The wording will vary between organisations, but it should explain what data is collected, why, who it will be shared with and how long it will be kept. A notice cannot make the individual surrender control of their data: a data subject cannot sign away their GDPR rights.

Note that whilst individuals may consent to the controller and its processors accessing and processing their personal information, they remain protected by GDPR and retain control over their own data, including the right of erasure and the right to withdraw consent.

Tools such as Data Subject Access Requests (DSARs) give individuals the right to obtain a copy of the personal data an organisation holds about them, together with information about how it is used. These are commonly used during employment-related disputes.

Under the Data Protection Act 1998, a DSAR had to be fulfilled within 40 days of receipt; GDPR shortens this to one month and removes the standard fee. GDPR also goes further on penalties. If a DSAR is not honoured, it could incur a fine of up to 4% of an organisation’s annual global turnover or €20 million, whichever is greater. Although the maximum is unlikely to be applied except in extreme cases, the potential severity of the penalty demonstrates the importance placed on the rights of individuals to retain authority over their data. Plus, that’s not the only cost a business can incur in the event of a data breach.

What steps can recruiters take to protect themselves from GDPR-related penalties?

Now that we’ve explored GDPR legislation and potential penalties that can be incurred as a result of non-compliance, we’ll take a look at five steps recruiters specifically can take to prevent a breach and protect themselves.

  1. Encrypt Emails and Attachments

In order to prevent unauthorised access to CVs and other personal data, a simple and effective solution is to encrypt emails and attachments. Encryption doesn’t stop a message being intercepted or misdirected, but it ensures that whoever obtains it without the key cannot read it, so only the intended recipient has access to the content.

Encryption is easily managed through settings within some existing email clients, or via third-party specialist services such as My Protected Mail. For large organisations, or smaller companies that routinely deal with a bulk of highly sensitive data, the third-party approach is encouraged. Whatever tool you use, the key or passphrase has to reach the recipient by a different channel from the email itself; a password sent in the same message protects nothing.

It is also worthwhile to ensure that all staff who handle personal data are trained in the proper use of encryption. After all, there’s no point in having a tool if it is not being used correctly.

  2. Only Send CVs to the Intended Recipient (and Prevent Forwarding)

When sending a CV by email, recruiters should select only the essential recipients. If the CV is not directly relevant to a recipient, it should not be sent to them. Keeping the pool of recipients as small as possible helps to prevent potential breaches.

It’s also worth stating, within the body of the email, that the CV should not be forwarded to any other recipient without the permission of the recruiter. Forwarding of attachments, particularly without the knowledge of the original sender, makes it almost impossible to track where the data has gone. Keep in mind that the individual the CV belongs to may make a right to erasure request at any time. Failure to keep track of their data can jeopardise an organisation’s ability to honour it.

  3. Provide Extra Information in Your Privacy Notice

Make it clear to candidates, and all other individuals, precisely how their data will be collected, processed and removed. Transparency at this stage helps to prevent issues further down the line. Use your privacy notice (or disclaimer) to cover the scenarios you foresee, and ensure that a lawful basis, such as consent, is in place before a CV is collected.

  4. Keep Sensitive Data Secure Within Internal Systems

We’ve discussed the procedure for sending CVs to external recipients, but what about internal record-keeping? This is equally critical, and organisations must ensure that their internal systems are secure enough to manage and protect stored data: access restricted to those who need it, storage encrypted, and a retention period after which CVs are deleted.

  5. Ensure That Third Parties Are Also Compliant

Before a recruiter sends any information to a third party, there should be a written agreement setting out their respective data responsibilities (GDPR requires a contract between a controller and any processor it uses). An organisation must ensure that all third parties are also compliant with GDPR and will honour any future erasure or DSAR requests. This helps to prevent problems in the future.

In Summary

As we have seen, recruiters and their organisations have a responsibility to protect all data sent electronically. Recruiters are liable for data breaches because, whether their organisation acts as a controller or as a processor on a client’s behalf, they are bound by the rules of GDPR.

It is crucial, therefore, that they are trained and equipped with the resources to keep candidate and client data safe.


Are Invoicing Companies Leaving Small Businesses Vulnerable?

For the last two years, my main focus as a cyber security consultant has been getting companies, mostly big companies, ready for GDPR. One pressing concern is the GDPR compliance of invoicing companies.

Maybe GDPR is a buzzword for some, but the logic behind it is great for both privacy and proper data security.

The privacy part is somewhat challenging because GDPR’s definitions of personal data (often called PII, personally identifiable information) and of special category data (often called SPI, sensitive personal information) are precise and very wide.

It COVERS EVERYONE.

From big companies to small companies, and even micro companies: you are obliged to do everything reasonable to protect PII and SPI.

Many companies have started to change their work methods and the way B2C communication is done. For example, basic “client notifications” are now usually protected.

GDPR is first and foremost a methodology change, not a technological one. You change the way you work first and then which technological tools you use.

This change has already “hit” some industries, but other industries prefer to ignore it. For example, I am a client of one of the biggest online invoicing companies, along with many other small and medium business owners.

Invoices contain PII: a lot of my clients’ information (their name and postcode), sometimes even their full address, which is proper identifiable information, and, depending on the service billed, they can reveal SPI too.

When I send an invoice to my clients I am sending PII and SPI.

Since the GDPR date, my colleagues and I have started to send invoices in a secure way. Is it more “work”? Yes. We are sending a PDF within an encrypted email, not a link, so that we can make sure that only the recipient gets it and not someone else.

As a client of one of the biggest online invoicing companies, I’m concerned about their GDPR compliance, and I have contacted them and asked very clearly,

“What are you going to do about GDPR? Which encryption method are you going to use and how are you going to guarantee that the PII and SPI that are being sent via your system is secure?”

And …

Nothing really.

I got some generic responses, some links to the privacy/GDPR policy, but no real answer.

Then after some more Q&A, I got a strange response,

“We are sending PII BY FUNCTION... so, nothing is really going to change” So I responded with,

“So? GDPR has no ‘BY FUNCTION’ exclusion.” And, of course, since then, it’s been silence.

It seems, at least for that specific company, that they are ignoring or excusing not being GDPR compliant by saying that their CORE FUNCTION (and I quote, “BY FUNCTION”) is… not GDPR compliant. I know it sounds crazy, but that’s the reality.

So, let’s break it down a bit:

  1. I am using their online invoicing platform, so they are my data processor.
  2. I am storing sensitive client information on their system and I expect them to be GDPR compliant, which, based on their feedback, I trust it is (regarding the way they store and access information).
  3. But when I send the invoice to my clients via their system, I am extracting PII and SPI from their system and sending it out into the world with no security mechanism at all?!
  4. This specific online invoicing company sends a link (like many others); not even a password-protected PDF is an option?

Bottom line: as a user of the system you have the option not to send a link but to download the PDF, secure it and then send it yourself. But why isn’t the invoicing company doing it for you? Why are they putting YOU at risk?

Why? I don’t know. I presume it’s because it’s easier to ignore the reality than to face it. It’s easier to put everything on your clients than to solve the core issue.

My professional recommendation to you is: until online invoicing companies’ GDPR compliance becomes clear, protect yourself! Don’t send PII and SPI in a non-secure way.

Eli Migdal.


Data Breaches Aren’t Just Your Users’ Fault (Infographic)

As IT guys, it’s very easy to blame users for data breaches, but it’s not always just their fault. Sometimes, data breaches aren’t the users’ fault at all.

Sure, they need to keep their passwords strong and unique, stop giving things out and stop clicking on suspicious email links. But the buck stops with you as their IT professional. We thought these statistics from IS Decisions’ research into IT security managers in the UK and US were very enlightening.

It shows that compromised credentials are one of the main causes of data breaches, and we must remember our users are human! It’s up to us to help limit the risk by:

  • Requiring strong, unique passwords and screening them against known breached-password lists, rather than forcing frequent changes (current NCSC and NIST guidance advises against routine expiry, which pushes users towards predictable variations)
  • Adding multi-factor authentication, so that a stolen password on its own is not enough
  • Making sure policy dictates a different password for each program or part of the system, and giving users a password manager so that this is achievable
  • Giving regular training on phishing and the data security issues that affect them, and not assuming they will know something is off when they see it
  • Being approachable, so that any issues are quickly reported

Doing these small things can make a big difference in data security and protection, minimising the risk of a breach due to compromised credentials. The infographic and statistics are below, with some interesting results:
[Infographic: Security Breaches from Compromised User Logins (IS Decisions, makers of UserLock and FileAudit): access security priorities]

Industries Prone to Email GDPR Breaches

Although emails are not specifically referenced in the GDPR, the legislation does cover all personal data contained within emails and attachments. Anyone handling personal information about people in the EU is bound by GDPR and must make preparations to ensure that they are compliant from the date it applies (25 May 2018), if not sooner.

In this article, we’ll take a closer look at the industries that tend to be prone to data breaches involving emails, the reasons why, and strategies to avoid information becoming compromised.

Why Are Some Industries More Prone Than Others?

Theoretically, all industries have the potential to experience GDPR breaches. However, breaches become more likely, and more damaging, when organisations manage a disproportionately large amount of personally identifiable information, or PII: data that can be used on its own, or in combination with other known variables, to identify an individual.

Some examples of PII may include a full name (particularly if it is uncommon), date of birth, home address, telephone number, email address, passport, driving license, national insurance or social security number, credit card details, or vehicle registration. The more variables that are known, the easier it is to build an image of someone’s identity.

This kind of data is attractive to those who wish to exploit it, which makes some organisations targets for hacking or phishing attacks. Human error can also cause data breaches; although the intent may be innocent, the potential damage is just as severe.

It’s important, therefore, for these industries to take additional precautions in the gathering, storage, and processing of sensitive information.

Industries at Risk

Due to the nature of the data they hold, the following sectors have a high risk of experiencing GDPR breaches:

  • Financial
  • Legal
  • HR
  • Medical

The recruitment industry is also very susceptible, as organisations within it hold substantial amounts of personal information, which is passed frequently between internal and external recipients.

Small businesses, entrepreneurs, and virtual assistants can carry an elevated risk of experiencing GDPR breaches, particularly if they are starting out or otherwise unaware of correct data management procedures. 

Emails regarding invoices, bank details, and login information can be especially problematic. Training helps to mitigate this risk, prevent records being compromised, and protect the reputation of data custodians.

What Can Be Done to Minimise Risk?

Take a ‘prevention is better than cure’ approach. In the first instance, minimise the personal data you handle: use anonymised data where the purpose allows it, and pseudonymise what remains (replace names, email addresses and other direct identifiers with tokens, keeping the key separately). If data is then compromised, this makes it far harder for unauthorised parties to connect the dots and harm the individuals affected. Bear in mind that pseudonymised data is still personal data under GDPR; only truly anonymised data, which cannot be linked back to a person, falls outside it.
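As an added example (not from the original article), here is a pseudonymisation routine in Python using only the standard library: direct identifiers are replaced with keyed HMAC-SHA256 tokens, the key and the token-to-value table are held separately from the data, and the same person always gets the same token so records can still be joined. The records and field names are constructed for the example. It also shows why an unkeyed hash of an email address is not pseudonymisation in any useful sense: it can be reversed by guessing.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample invoice records; these are not real people.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "postcode": "SW1A 1AA", "total": 120.00},
    {"name": "Bob Sample", "email": "bob@example.net", "postcode": "M1 1AE", "total": 80.50},
    {"name": "Alice Example", "email": "alice@example.org", "postcode": "SW1A 1AA", "total": 45.00},
]

# Fields that identify a person directly (an assumption for this example); the rest stays as-is.
DIRECT_IDENTIFIERS = ("name", "email", "postcode")


class Pseudonymiser:
    """Replaces direct identifiers with keyed HMAC-SHA256 tokens.

    The key and the token->value table are the "additional information" that
    GDPR Art. 4(5) requires to be kept separately from the pseudonymised data.
    Whoever holds them can re-identify, which is why the output is still
    personal data in GDPR terms.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup: Dict[str, str] = {}  # token -> original value, stored apart from the data

    def token(self, field: str, value: str) -> str:
        # Deterministic per (field, value) so records for the same person still join up,
        # and bound to the field name so the same string in two fields gets different tokens.
        digest = hmac.new(self.key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256).hexdigest()
        tok = f"{field}_{digest[:16]}"
        self.lookup[tok] = value
        return tok

    def pseudonymise(self, record: dict) -> dict:
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                out[field] = self.token(field, str(out[field]))
        return out

    def reidentify(self, record: dict) -> dict:
        # Only possible with access to the separately held lookup table.
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out and out[field] in self.lookup:
                out[field] = self.lookup[out[field]]
        return out


def unkeyed_hash(value: str) -> str:
    """What NOT to do: a plain, unkeyed hash of an email address."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def dictionary_attack(target: str, candidates) -> Optional[str]:
    """Reverses an unkeyed hash by guessing; cheap for low-entropy data like email addresses."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    p = Pseudonymiser()
    for row in RECORDS:
        print(p.pseudonymise(row))
    print("lookup table (keep this somewhere else):", p.lookup)
```

The analyst working on the pseudonymised rows can still count invoices per customer, but cannot tell who the customer is; re-identification needs the key and lookup table, which is exactly the separation the definition above requires.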

When communicating via email, take extra precautions and encrypt your emails and attachments at the file level rather than relying on whole-disk encryption on your computer. Disk encryption only protects data at rest on a lost or stolen device; it does nothing for a file once it leaves your machine as an attachment, whereas a file encrypted in its own right stays protected in transit, on the mail servers and in the recipient’s mailbox. You can do this by installing software in your business that does it automatically, but if you don’t have the budget for a large-scale solution, you can try something like My Protected Mail, which doesn’t involve installing anything and is quick and easy to use.

Although we have cited industries prone to email GDPR breaches, it’s best to be responsible no matter your industry. All custodians of sensitive data are responsible for its protection. If you are working within an industry with an elevated risk of email GDPR breaches, be sure you are prepared! Check out My Protected Mail here for more info and sign up for free to get the extra protection your sensitive emails or attachments need.


Why Your Emails Need to Be Compliant Under GDPR

Although emails are not specifically referenced in the GDPR, all personal data contained within them does come under its jurisdiction. To avoid the risk of a breach, as well as to conform to the regulation, it’s important to stay protected and send GDPR compliant emails.

In this article, we’ll introduce you to points you should consider when sending GDPR compliant emails.

Safeguarding Personal Information

Personally identifiable information, or PII, is data that can be used, either on its own or in combination with other records, to determine an individual’s identity. It is best practice not to include PII in an email wherever possible, but to use anonymised or pseudonymised data instead.

But we know this isn’t always possible, and sometimes you need to share data that could identify someone, so it must be sent securely. Protected emails that contain PII should not be forwardable to unauthorised recipients, and you should ensure that you have a lawful basis for any data you send. Consent is one such basis, and where you rely on it, it must be respected at all times, including the individual’s right to withdraw it.

Preventing Unauthorised Access to Data

A data breach places sensitive information at risk of exploitation for criminal or other unauthorised purposes. The risk of a breach can be reduced by sending attachments securely, tracking the receipt of documentation, sending only essential information, and double-checking that recipients are authorised before you press send.

File level encryption is one of the best ways to do this (find out more about this in our previous article here) and there are simple ways to send protected emails without having to download special programs. Try using something like My Protected Mail for free and see how you can send and receive protected emails. 

If you do find that your organisation has experienced a personal data breach, you (or your company’s assigned data protection officer) are duty bound under GDPR to notify the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the people affected, you must also tell them without undue delay, so that they can take protective measures (changing passwords, for example) and prevent further compromise of their information. Of course, your organisation has a responsibility to facilitate and support such action, whilst simultaneously commencing an investigation and completing internal and external reporting, including a written record of the breach even where notification isn’t required.

Protecting Your Brand’s Reputation

Personal data is important to every individual. When we entrust organisations with sensitive information, there is an expectation that this will be respected. Any breach or mismanagement of data reflects negatively on a brand.

That said, if a data-related incident does occur, it is best to be honest about the situation from the start. Not only does the GDPR explicitly require this, but taking swift action helps to protect your brand’s reputation. People understand that even highly secure structures can be compromised, and if your organisation responds quickly, this can help to mitigate the damage. Conversely, a delay or cover-up would be completely unacceptable.

Generating positive PR

If your organisation is shown to be consistently compliant with data protection laws—including GDPR—this gives a positive impression of your information safeguarding processes. It also demonstrates a wider sense of reliability and security and strengthens your brand’s reputation, encouraging potential customers and stakeholders to put their trust in you.

Consider getting help in becoming compliant by using My Protected Mail; it works with your existing systems and doesn’t require setup or installation! To find out more, visit www.MyProtectedMail.com


The True Cost of a Data Breach to Your Business

GDPR has placed renewed focus on the issue of information security, and the potential impact and cost of a data breach on involved organisations.

Obviously, a data breach can have substantial financial consequences. Depending on the severity of the GDPR infringement, administrative fines can reach up to €20 million or 4% of annual global turnover, whichever is higher. Plus, it also leaves you liable to pay compensation to individuals or businesses who suffer damage as a result of the breach.

However, fines are not the only cost to a business; reputational damage can be devastating to long-term viability.

In this article, we’ll take a closer look at the wide-ranging costs that can be incurred in response to a data breach.

Bad PR

It is said that all PR is good PR, but that’s not always the case. Data security is intrinsically linked with an individual’s sense of personal safety, and any infringement of that will prompt a fiercely negative response from affected individuals. A business’ reputation can be destroyed by a data breach incident.

Trust is the foundation of customer loyalty. If that trust is compromised, your business may not be able to recover its former standing.

Loss of Revenue & Company Value

Reputational damage as a result of a GDPR breach will almost inevitably lead to a dip in sales. For service providers, such as lawyers or accountants, a breach can result in a loss of retainers or diminished customer loyalty. Larger corporations may find that their company value takes a hit.

Yahoo suffered major data breaches in 2013 and 2014, affecting huge numbers of user accounts, which only came to light in 2016 while Verizon was in the process of buying the company. After the breaches were disclosed, Verizon cut the purchase price by $350 million, which had a significant impact on Yahoo’s shareholders.

Even a giant like Yahoo is susceptible to the effects of a data breach. For smaller companies, this can be catastrophic.

The Pareto Principle

In business management theory, the Pareto Principle states that 80% of a company’s revenue comes from 20% of its customers. These tend to be long-term client relationships, allowing an organisation to take advantage of regular, repeat business.

If a data breach were to damage the trust of this crucial 20% of customers, which is feasible in such circumstances, it could jeopardise 80% of revenue. This can have a devastating impact on long-term business survival.

Future Business

Small businesses are particularly vulnerable to the long-lasting negative effects of a GDPR breach. They tend to rely on referrals, recommendations, and word-of-mouth marketing. After a data breach, the reputational damage may prove insurmountable.

Don’t forget; if a customer has a positive experience, they will probably tell a handful of people. If they have a negative experience, they will tell everyone they can.

The true cost

Ultimately, the true cost of a data breach to your business may be the business itself. That’s why it’s important to be well-trained in the best practices to protect the personal data you handle. 

Have any questions on how you can avoid a data breach? Check out our Smiley Geeks IT Help Membership from only $69 a month!


5 Ways Your Emails Could Breach GDPR

There’s a lot of confusion in the air currently for small businesses surrounding GDPR!

So let us set the record straight when it comes to sending emails.

If you are sending emails containing personally identifiable information (PII) (here’s the ICO’s guide on what actually counts as personal data), you need to take adequate steps to protect it.

It’s that simple.

So let’s look at some of the ways your emails could be putting your business at risk when the GDPR comes into effect on 25th May 2018.

Edit: for the answers to commonly asked GDPR email questions scroll to the bottom of this article. 

*This post may contain affiliate links* 

1. Failing to use BCC (Blind Carbon Copy)

When sending to multiple recipients who don’t already know each other’s addresses, you’ll need to use the BCC function.

This means that any given recipient will only see their own email address, the sender’s, and any recipients in the carbon copy (CC) section. All other recipients are hidden from each other.

Failure to do this means that each recipient’s name and email address (both personal data) is disclosed to every other recipient without authorisation. That is a personal data breach under GDPR, and one that has attracted regulator fines in the past.
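The following Python example, added here and not part of the original article, shows the difference in the bytes that actually reach each recipient. Only the standard library is used, and the addresses are constructed. The point it makes: SMTP delivers to the envelope recipients, so the Bcc list has to be collected for the envelope and then removed from the headers before the message is sent, otherwise the “hidden” addresses go out to everyone.

```python
from email.message import EmailMessage
from typing import List, Tuple

# Constructed addresses for the example; not real mailboxes.
SENDER = "newsletter@example.com"
RECIPIENTS = ["alice@example.org", "bob@example.net", "carol@example.co.uk"]


def build_bulk_message(sender: str, recipients: List[str], subject: str, body: str,
                       hide_recipients: bool = True) -> EmailMessage:
    """Builds one message for many recipients.

    With hide_recipients=True the list goes in Bcc and To is the sender's own
    address; with False the list is put in To, which is the mistake described above.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    if hide_recipients:
        msg["To"] = sender
        msg["Bcc"] = ", ".join(recipients)
    else:
        msg["To"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def prepare_for_send(msg: EmailMessage) -> Tuple[EmailMessage, List[str]]:
    """Returns (message with the Bcc header removed, SMTP envelope recipients).

    SMTP delivers to the envelope recipients (RCPT TO), not to whatever is in the
    headers, so the Bcc list is collected for the envelope and then deleted from
    the headers before the bytes go out. smtplib's send_message() does this for
    you; sendmail(sender, rcpts, msg.as_string()) does not.
    """
    envelope: List[str] = []
    for header in ("To", "Cc", "Bcc"):
        for parsed in msg.get_all(header, []):
            envelope.extend(addr.addr_spec for addr in parsed.addresses)
    del msg["Bcc"]  # silently ignored if there is no Bcc header
    return msg, envelope


def leaked_addresses(msg: EmailMessage, recipients: List[str]) -> List[str]:
    """Which recipient addresses appear in the bytes every recipient will receive."""
    wire = msg.as_string()
    return [r for r in recipients if r in wire]


if __name__ == "__main__":
    good, rcpts = prepare_for_send(build_bulk_message(SENDER, RECIPIENTS, "May update", "Hello all"))
    print("envelope recipients:", rcpts)
    print("addresses visible to everyone:", leaked_addresses(good, RECIPIENTS))
    # To actually send: smtplib.SMTP(host).sendmail(SENDER, rcpts, good.as_string())
```

Running `leaked_addresses` on the message built with `hide_recipients=False` returns every address on the list, which is what each of those people would see in their inbox; the Bcc version returns an empty list while still delivering to all of them.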

2. Sending Sensitive Data to the Wrong Recipient

So many people are getting into hot water for this one! Distributing sensitive data to an unintended recipient is a personal data breach in its own right. It is also likely to have a detrimental effect on the trust between the two parties, which can devastate a working relationship.

And the ICO doesn’t accept “human error” as a defence!

Take the law firm WilmerHale, which unintentionally sent details of whistleblowing investigations at PepsiCo to a Wall Street Journal reporter. The information had come from the US Securities and Exchange Commission as well as internal investigators. This mishandled data had the potential to cause significant damage to PepsiCo’s reputation, and its leak certainly did no favours for WilmerHale.

Be careful, therefore, to double-check both the data being sent and the email addresses of recipients, to ensure that sensitive information does not fall into the wrong hands, or you could be in a world of trouble. 

3. Unprotected / Unencrypted Attachments

It’s essential to encrypt sensitive information when sending it by email. Encryption can’t stop a message being intercepted or misdirected, but it means anyone who gets hold of it without the key, whether maliciously or by accident, cannot read it, so sensitive data is only usable by its intended recipient.

Ideally you also want to retain some control over how the personal information is used once you have sent it, so that the recipient can’t simply copy, forward or blast out the sensitive information. Encrypting the file itself, rather than the disk on your computer or the email system as a whole, is the first step: the file stays protected wherever it travels, and only those holding the key can open it (we’ve written a handy guide on disk vs file encryption for small businesses here). Be aware that encryption alone cannot stop an authorised recipient who has opened the file from copying what they see; restricting that needs a rights-management layer on top, and even then a photo of the screen is always possible.

My Protected Mail, for example, encrypts the file to make sure that it can’t be sent on to someone other than the intended recipient (you can’t even screen share the file via Skype, you just get a blank page!)
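As an added example (not My Protected Mail’s code, whose internals this page does not describe), here is what file-level encryption of an attachment looks like in Python with the `cryptography` package (`pip install cryptography`): the passphrase is stretched with scrypt, the file is encrypted and integrity-protected with Fernet, and the result is attached as an opaque blob. The container layout (a tag, a salt, then the token), the file name and the sample PDF bytes are assumptions for this example. This is the part encryption does well; stopping the recipient from copying what they can read is outside its reach, as noted above.

```python
import base64
import os
from email.message import EmailMessage
from typing import Optional

from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt

# Hypothetical container layout for this example: a 4-byte tag, a 16-byte scrypt
# salt, then the Fernet token (AES-128-CBC plus HMAC-SHA256, so tampering is detected).
MAGIC = b"ENC1"
SALT_LEN = 16


def _key_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    # scrypt makes guessing passphrases slow; the random salt makes each file's key unique.
    kdf = Scrypt(salt=salt, length=32, n=2**14, r=8, p=1)
    return base64.urlsafe_b64encode(kdf.derive(passphrase.encode("utf-8")))


def encrypt_attachment(data: bytes, passphrase: str) -> bytes:
    salt = os.urandom(SALT_LEN)
    token = Fernet(_key_from_passphrase(passphrase, salt)).encrypt(data)
    return MAGIC + salt + token


def decrypt_attachment(blob: bytes, passphrase: str) -> Optional[bytes]:
    """Returns the plaintext, or None if the passphrase is wrong or the file was altered."""
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + SALT_LEN:
        return None
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    token = blob[len(MAGIC) + SALT_LEN:]
    try:
        return Fernet(_key_from_passphrase(passphrase, salt)).decrypt(token)
    except InvalidToken:
        return None


def attach_encrypted(msg: EmailMessage, filename: str, data: bytes, passphrase: str) -> EmailMessage:
    """Attaches the encrypted file. The passphrase must travel by another channel (phone, SMS)."""
    msg.add_attachment(encrypt_attachment(data, passphrase),
                       maintype="application", subtype="octet-stream",
                       filename=filename + ".enc")
    return msg


def tamper(blob: bytes) -> bytes:
    """Flips one bit of the ciphertext to show the integrity check firing on decryption."""
    body = bytearray(blob)
    body[-1] ^= 0x01
    return bytes(body)


if __name__ == "__main__":
    cv = b"%PDF-1.4 constructed sample CV\n"  # constructed stand-in for a real PDF
    msg = EmailMessage()
    msg["From"] = "recruiter@example.com"
    msg["To"] = "hiring-manager@example.org"
    msg["Subject"] = "Candidate CV (encrypted)"
    msg.set_content("CV attached; I will text you the passphrase.")
    attach_encrypted(msg, "cv.pdf", cv, "correct horse battery staple")
    print(msg.as_string()[:400])
```

Anyone who reads the mailbox, the mail server or a forwarded copy sees only the blob; a wrong passphrase or a single modified byte yields `None` rather than garbage, because Fernet authenticates the ciphertext before decrypting it.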



4. Preventing Opt-Outs / Automatic Opt-Ins

Under GDPR, people have the right to erasure, otherwise known as the right to be forgotten, and for marketing they have an absolute right to object. If any recipient asks for their email address to be removed from a mailing list, you need to do it promptly and, as a safeguard, keep a suppression record so they aren’t re-added. If an individual requests that data stored about them is deleted, you are legally bound to do so unless you have a lawful reason to keep it (such as a tax obligation), in which case you must tell them why.

It’s also important to confirm active consent from the outset: you can no longer rely on a pre-ticked opt-in box and ask people to “opt out”. As well as requesting manual entry of an individual’s email address, provide information about how their data will be stored and used, and ask them to tick a box to confirm they understand and agree to this. Keep a record of when and how consent was given.

5. Including PII Without Taking Precautions

This isn’t just about encrypting a single email. Be careful with long chains, “reply all” and forwarded emails that may still carry the original PII further down the thread to people who have no business seeing it. If you add recipients to a discussion, check the full email content, including the quoted earlier messages, beforehand, and remove any PII that isn’t needed.

Taking the proper precautions beforehand ensures that your business is safe from fines and that you are taking responsibility for your clients’ and customers’ data.
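To make the pre-forward check concrete, here is an added example in Python (not part of the original article) that scans an email thread, including the quoted earlier messages, for the kinds of personal data listed on this page and redacts them before the thread goes any further. The sample thread is constructed (the phone number is from the Ofcom-reserved drama range and the NI number is a placeholder), and the regular expressions are deliberately simple: a false positive costs a glance, a miss costs a breach, so tune them for your own data.

```python
import re
from typing import List, Tuple

# Constructed forwarded email thread; names, numbers and addresses are not real.
SAMPLE_THREAD = """\
Hi both, forwarding the candidate's details as discussed.

-----Original Message-----
From: Jane Candidate <jane.candidate@example.net>
Sent: 12 June 2018
Subject: Application - Data Analyst

Please find my CV attached. You can reach me on 07700 900123.
My NI number is QQ 12 34 56 C and my address is 1 Sample Street, Exampletown, AB12 3CD.
"""

# Simplified patterns for the identifiers mentioned in this article.
PII_PATTERNS = [
    ("email",     re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("ni_number", re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b")),
    ("uk_mobile", re.compile(r"\b(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}\b")),
    ("postcode",  re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b")),
]

Finding = Tuple[int, str, str]  # (line number, kind, matched text)


def find_pii(text: str) -> List[Finding]:
    """Scans every line, quoted history included, and reports what it finds."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PII_PATTERNS:
            for match in pattern.finditer(line):
                findings.append((lineno, kind, match.group(0)))
    return findings


def redact(text: str) -> str:
    """Replaces each match with a labelled placeholder so the thread can be forwarded."""
    for kind, pattern in PII_PATTERNS:
        text = pattern.sub(f"[REDACTED {kind}]", text)
    return text


def safe_to_forward(text: str) -> bool:
    """True only when the scan finds nothing; wire this in front of 'reply all' and 'forward'."""
    return not find_pii(text)


if __name__ == "__main__":
    for lineno, kind, value in find_pii(SAMPLE_THREAD):
        print(f"line {lineno}: {kind}: {value}")
    print(redact(SAMPLE_THREAD))
```

On the sample thread the scan flags the candidate's email address on the quoted From line and the phone number, NI number and postcode in the quoted body, none of which the new recipients need; the redacted version passes `safe_to_forward` and is what should go out.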

Data Breach Report Blueprint & Template

CLICK HERE TO GET THE TEMPLATE

Common GDPR Email Questions Answered:

We’ve been contacted with many GDPR email-related questions, so we thought we would share the most common ones:

Is sharing an email address a breach of GDPR?

This depends on two things:

Firstly, is the email a personal one, like your personal Gmail? If not, does your company email address contain your full name, e.g. [email protected]? If you’ve answered no, then it’s not a GDPR breach. If yes, move on to the next question.

Secondly, do they have permission, or a reasonable reason, to share your email? For example, is it needed to perform a service you’ve signed up to, where sharing your email address is absolutely necessary? Or have you given express consent and forgotten about it?

If someone has shared your email and is now marketing to you without your consent, it IS a GDPR breach, and you can respond to them with an erasure request (a request to have your data deleted).

When is my business allowed to share email addresses?

The short answer is that you’re not, unless you get express permission from the customer (not by automatically opting them in). The only other time you are allowed to share email addresses is when it is vital to the service you are providing, for example sending email addresses to a courier for confirmation of delivery.

But even then, you must ensure that any third parties do not market or contact those personal addresses outside of the business need they are providing! Or you could also be liable.

When forwarding emails what do I need to consider with GDPR?

You should always err on the side of caution when forwarding private or sensitive information, even internally. Ask yourself: does the recipient need to see this information, or should I remove sensitive PII from the email before I forward it? And don’t forget to remove personal email addresses from the quoted replies if they are not needed.
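Section 5 above and this answer both come down to the same check: before forwarding or adding recipients, find any personal addresses still sitting in the thread and strip the ones the new recipients have no need to see. Below is an added Python example of that check; it is not code from the original article or from My Protected Mail. The sample thread is constructed, and the classification rule (consumer webmail domains are personal, role mailboxes such as info@ or sales@ are business addresses, anything else on a company domain is treated as naming a person) is an assumption that follows the article’s own test for what counts as a personal address.

```python
from __future__ import annotations
import re

# Constructed sample thread (not from the article): a forward that still
# carries a customer's personal address and a third party's address.
SAMPLE_THREAD = """\
From: jane.doe@example.com
To: sales@example.com
Cc: tom.customer@gmail.com
Subject: Re: Delivery slot

> On Monday, tom.customer@gmail.com wrote:
> Can you confirm the Tuesday slot? My landlord (peter@example.net) also needs to know.
Confirmed. I've copied in support@courier-example.com for the keys.
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Consumer webmail domains: the article's "personal Gmail" case. Assumed list.
PERSONAL_DOMAINS = {"gmail.com", "googlemail.com", "hotmail.com", "outlook.com",
                    "live.com", "yahoo.com", "yahoo.co.uk", "icloud.com"}

# Role mailboxes: the article's business-address case (info@, not a named person).
ROLE_LOCAL_PARTS = {"info", "sales", "support", "admin", "contact", "hello",
                    "enquiries", "help", "office", "accounts", "noreply", "no-reply"}


def is_personal_address(addr: str) -> bool:
    """Personal data under the article's test: a webmail address, or any
    non-role mailbox on a business domain (firstname.lastname@... names a person).
    Treating every non-role mailbox as personal is the conservative choice."""
    local, _, domain = addr.rpartition("@")
    if domain.lower() in PERSONAL_DOMAINS:
        return True
    return local.lower() not in ROLE_LOCAL_PARTS


def find_personal_addresses(text: str) -> list[str]:
    """Personal addresses present in the text, in order of first appearance."""
    found: list[str] = []
    for m in EMAIL_RE.finditer(text):
        addr = m.group(0)
        if is_personal_address(addr) and addr not in found:
            found.append(addr)
    return found


def redact_personal_addresses(text: str, keep=()) -> tuple[str, list[str]]:
    """Replace personal addresses the new recipients have no need to see.
    `keep` lists addresses they are entitled to (e.g. the colleague doing the forward).
    Returns the cleaned text and the list of addresses that were removed."""
    allowed = {a.lower() for a in keep}
    removed: list[str] = []

    def _replace(m: re.Match) -> str:
        addr = m.group(0)
        if addr.lower() in allowed or not is_personal_address(addr):
            return addr
        if addr not in removed:
            removed.append(addr)
        return "[redacted address]"

    return EMAIL_RE.sub(_replace, text), removed


def check_before_forward(text: str, keep=()) -> tuple[bool, str, list[str]]:
    """The pre-forward check: (safe_as_is, cleaned_text, removed_addresses)."""
    cleaned, removed = redact_personal_addresses(text, keep)
    return (not removed, cleaned, removed)


if __name__ == "__main__":
    safe, cleaned, removed = check_before_forward(SAMPLE_THREAD, keep=["jane.doe@example.com"])
    print("safe to forward as-is:", safe)
    print("removed:", removed)
    print(cleaned)
```

Running the check on the sample thread flags the customer’s Gmail address (twice, once in the Cc line and once in the quoted reply) and the landlord’s address, while leaving the sender, the sales@ mailbox and the courier’s support@ mailbox in place. A second pass over the cleaned text reports nothing left to remove, which is the state the thread should be in before anyone new is added.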

Can I use BCC and be GDPR compliant?

Yes. If you’re sending a mass email, BCC makes sure no recipient sees anyone else’s address and therefore reduces the risk of a breach. Of course, if you do this regularly there is more chance of human error creeping in, so it’s always best to use a mailing program.
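The reason BCC helps is that the other recipients’ addresses never appear in the headers of the message anyone receives; they exist only in the SMTP envelope. The following added Python example (not from the original article) shows that distinction with three ways of building a mass email and a check that reports which recipient addresses would be visible in the serialized message. The recipient addresses are constructed.

```python
from email.message import EmailMessage

# Constructed recipient list for the demonstration (not from the article).
RECIPIENTS = ["a.reader@example.com", "b.reader@example.net", "c.reader@example.org"]


def build_bulk_message(sender, recipients, subject, body):
    """Recommended: no per-recipient address in any header. The recipient list is
    returned separately so it is used only as SMTP envelope addresses (RCPT TO)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender            # the visible To: is the list/sender address
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def build_naive_message(sender, recipients, subject, body):
    """The mistake the article warns about: every address in the visible To: header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def build_bcc_header_message(sender, recipients, subject, body):
    """A Bcc: header inside the message object. smtplib.SMTP.send_message() strips
    Bcc before transmission, but smtplib.SMTP.sendmail() with msg.as_bytes() does
    not: the header travels with the message and every recipient sees the list."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def leaked_recipients(msg, recipients):
    """Recipient addresses that appear anywhere in the serialized message, i.e.
    what would be disclosed if these bytes were handed to the server unchanged."""
    raw = msg.as_string().lower()
    return [r for r in recipients if r.lower() in raw]


def send_bulk(smtp, msg, envelope_rcpts):
    """Deliver with recipients supplied explicitly as envelope addresses.
    `smtp` is an already-open smtplib.SMTP connection; this example opens none."""
    smtp.send_message(msg, from_addr=msg["From"], to_addrs=envelope_rcpts)


if __name__ == "__main__":
    for builder in (build_bulk_message, build_naive_message, build_bcc_header_message):
        msg, rcpts = builder("news@example.com", RECIPIENTS, "Monthly update", "Hello all")
        print(builder.__name__, "-> visible recipients:", leaked_recipients(msg, RECIPIENTS))
```

Only the first builder serializes to a message that exposes none of the recipients. The Bcc-header variant is the one that catches people out: it looks right in the mail client, and it is fine through `send_message()`, but the moment the same bytes go through a lower-level send path the whole list is disclosed to everyone.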

Are you being GDPR compliant in your marketing? Check out this article on that HERE.

My employer shared my personal email address in the company. Is this a GDPR breach?

It can be. But the likelihood is that it’s more of a privacy issue that you should first discuss with HR. Internal company communications, particularly if you’ve provided your private email address to be contacted on, are a GDPR grey area, and if you’re uncomfortable with this information being shared, you should first contact your HR or legal department to discuss it.

I accidentally shared personal email addresses with our sporting group, is this a GDPR breach?

If your sporting group (or any other social group) is classed as an organisation, rather than an informal group, then yes, it’s technically a GDPR breach. In practice, however, everyone who is part of that team or group has consented to being contacted and knows the other members anyway.

If you’re concerned about your privacy, in that case, you should contact the head of the group and request them to use BCC in the future. If you were added to the list and didn’t give your permission, or know the group, then yes it’s a GDPR breach that you can report. But, again, this is a grey area.


How Easy It Is To Steal Your Outlook & 365 Password

*This article originally appeared here on LinkedIn.*

During a penetration testing project, I was working on finding the weak spots in the IT system of the company and finding the best solutions to patch them up.

The client had most of the traditional security solutions, such as firewalls, and external penetration testing was not useful or efficient.

But when we did an internal penetration test, I saw something very disturbing in the way that Outlook works, and how, due to poor design in Outlook’s security warning, it’s easy to obtain a user’s password.

The same method allowed us to obtain an Outlook password outside the company perimeter as well.

It’s quite easy to steal your Outlook & 365 password.

Case study:

Environment:

  • Windows 7 Pro computers (also tested on Windows 10 Pro)
  • Outlook 2016 connected to Microsoft 365 (also tested on Outlook 2013 connected to Microsoft 365)

Penetration testing:

We used a classic “Man-in-the-Middle” attack between the client and the gateway, see Diagram 1.

Diagram 1

Results:

Outlook’s behavior was very problematic.

Once we started poisoning the ARP cache, the following prompt (see Prompt 1) was shown to the user:

Prompt 1.

Advanced users who decided to click “View Certificate” saw the following screen (Prompt 2):

Prompt 2.

The “injected certificate” is for outlook.com and is not trusted, but to most users outlook.com looks “good enough”.

Most of the users didn’t give this small prompt a lot of thought and pressed YES to proceed:

This caused Outlook to send information unencrypted, and any sniffing tool instantly showed us the Outlook password (which is also the user’s main Active Directory computer/domain login).

This exercise was done within the company network. Later we decided to follow one of the users to a meeting at a coffee shop, where they connected to a public Wi-Fi network which we also joined, and we managed to repeat the same process outside the company perimeter.

Analysis:

1. Outlook’s security prompt is very small, hardly noticeable, non-alarming and doesn’t convey the severity of the issue

  • Compare it with the prompt Google Chrome shows when you try to send information over an unencrypted connection: Chrome’s warning is “scary” and makes users stop and think

2. Most of the users don’t understand the security prompt at all

3. Most of the users will automatically press Yes on this prompt to continue working

Is it a user behavior error? No! The security prompt is so poorly presented that only IT users can be expected to understand its severity.

Resolving the issue:

1. We implemented a GPO setting that doesn’t allow Outlook to work over a non-secure connection at all

2. We ran user-awareness cyber security training to show users how risky this little prompt is.

3. We reported this vulnerability to Microsoft. Microsoft responded that it isn’t a real vulnerability because the user gets a prompt! I think the prompt itself is not designed correctly and leaves a lot of room for user error.

How to protect your outlook against this type of attack:

We deal with protecting yourself in our next article on How To Protect Your Password From Hackers

Written by Eli Migdal, CEO of TowerWatch Solutions Ltd (UK) and founder of Migdal Computing Solutions Ltd (Israel)

Have more questions? Check out our Smiley Geeks IT Help Membership from only $69 a month!


Protecting Your Data In The Age Of Mobile

Today, one of the main tasks for all institutions is achieving maximum protection for their data while ensuring full accessibility and mobility. Protecting your data has become the responsibility of both users and the organization holding it.

The complexity and the resulting problems are caused by the following sequence:

Increased mobility leads to improved employee productivity, which leads to wider dispersal of data, which leads to an increased chance of dangerous data leakage.

Below, I will focus on the example of the widely used DROPBOX tool.

The challenges we face tend to increase as the tools providing accessibility and mobility improve drastically.  A good example of this is DROPBOX – it enables users to effectively access their data, while the integration and training efforts for them are kept to a minimum.  This tool is very much liked by most users, and they work with it extensively. DROPBOX gives us the ability to access the data from any mobile device anyplace, and enables us to work OFFLINE as well.

I do not doubt the fact that DROPBOX is a very effective tool that can significantly increase employees’ productivity.  For example, a salesperson can quickly generate a price offer while being on the move, using a mobile device, and instantly share it with his co-workers – this is quite an achievement!

So if it is true, then why has DROPBOX earned such a bad reputation within IT managers’ community as a tool contributing to harmful data leakage?

This is first and foremost an issue of control!

DROPBOX can sometimes lead to a loss of control, resulting in some segregated files leaking outside the institution.

It is important to note that a similar problem can also occur in any Windows Server environment, but the ease of using DROPBOX can be very conducive to such problems happening much more often.

How do we stay in control?

The newer and more sophisticated product, DROPBOX FOR BUSINESS, does offer advanced control facilities, such as compartmentalization, two-factor authentication, control of outside sharing, centralized file management and Active Directory authorization management (using an additional third-party tool, though).

Is all this enough?  Sadly, no…

All these features help in protecting your data if your company’s employees are honest and dependable, and not tinged with corruption or carelessness, which can easily lead to data leakage.  In addition, these tools cannot provide protection in an OFFLINE mode, which is especially important in cases of your device being misplaced or stolen.

The protection should be applied to the files themselves, and not to the outer envelope that contains them. The protection/encryption should be applied on the file level itself, so the files would be protected at all times while opened in different gadgets or applications:

  • PC/laptop
  • Smartphone
  • Tablet/PDA
  • DROPBOX
  • SkyDrive

Basic RMS by Microsoft and more advanced tools, such as Secure Islands IQP, provide effective encryption solutions that focus on safeguarding the files, and not the outer shell, which is proving to be so difficult to protect nowadays.

The mobile devices themselves should be encrypted, so the data will still be safe even in case of lost or stolen devices.

  • For most laptops – use a device encryption system such as centrally controlled BitLocker
  • For mobile devices such as smartphones or tablets – use one of the several centrally-controlled MDM tools that can enforce device encryption from a central node

All your mobile devices should be equipped with centrally-activated active encryption, ensuring that losing the device will not lead to data misappropriation. This process is an effective way of protecting your data.

Conclusions:

  1. A classified file that has been properly encrypted, with a tool such as Secure Islands IQP, can be disseminated on all kinds of media and devices – office computer, tablet, home computer, mail program, DROPBOX.  In all the cases the access to the file will be open only to a person authorized for it
  2. A standard file, protected by DROPBOX (for example), and placed in the DROPBOX offline cache directory, will still be protected, even if the mobile device is lost or stolen

So, can the use of the DROPBOX tool on employees’ tablets work with data security rules? The answer is YES – if the IT System is designed correctly, using the modern methods of data security assurance!

Eli Migdal, CEO of Migdal Computing Solutions LTD

Visit our Information Security page for more information and find out how we can help you.