Small and micro-business owners or entrepreneurs aren’t exempt from GDPR and they must still find solutions that will make them compliant.
While large enterprises have the means to implement the newest security measures easily, smaller businesses and entrepreneurs just don’t often have access to the right technology.
The simplest way to protect the data is to encrypt your email so you retain control over all data you send. Encryption ensures that only the contents of your email are accessible by the right recipient. If somebody else gets it by mistake or because it was forwarded, they won’t be able to read the contents.
The alternative is having a ‘Do Not Forward’ function on that prohibits the receiver from forwarding the email in the first place. Best case, you have both in place for full protection
This system can even automatically detect sensitive data when configured correctly. With AIP, only the rightful recipient can read the email, and they won’t be able to forward it to anyone.
Unfortunately, this solution can be pricey for smaller businesses and the tool is focused towards the larger enterprises.
Smaller businesses and entrepreneurs need to look elsewhere.
My Protected Mail Helps You Keep Email Data Confidential
This is where My Protected Mail can help you here. This solution is similar to AIP but specifically focuses on providing services to small businesses, micro-businesses, and individuals. My Protected Mail offers encryption services (EaaS – encryption as a service) for your email communication. This benefits business owners because:
My Protected Mail not only uses the same principle as AIP but also the same architecture – it’s powered by Microsoft 365 Azure Information Protection.
The encryption process is automatic and super easy to use. When emailing through My Protected Mail, it will be encrypted automatically, giving you control over all data you are sending.
Each email you send through the system is also automatically flagged as “Do not forward.” This ensures all contents of the email stay with the recipient and cannot be shared with other parties.
How to Use My Protected Mail to Encrypt Email Messages
My Protected Mail is a cloud-based solution and doesn’t require any additional software installation on your part; you just need to make a few changes in the way you send your email. Here’s how:
Instead of putting the recipient address into the recipient header, you will put [email protected] in there.
The recipient email address goes to the Subject line instead.
When you have finished writing your email, hit Send, and that’s it!
(Plus it works on whatever device or service you’re using so can work on a MAC too)
Sending Encrypted Email From a MAC
The recipient will get an email that will require an OTP (one-time passcode) to access the email. This passcode is received once the recipient clicks the link “Sign in with a one-time passcode.”
The best thing is you can try it out for free as the Free plan allows you to send up to fifteen emails per month and includes basic reply functionality (meaning you will continue the conversation protected).
Today, businesses make data-driven decisions in order to have a competitive edge. If your business deals with personal data from customers, it is required to be compliant with EU’s General Data Protection Regulation (GDPR) requirements – this means disclosing how it handles data and ensuring that data remains safe.
Why You Should Use Azure Information Protection for GDPR Emails
Sending sensitive data internally or to recipients outside your company carries a certain risk. Every email you send could lead to a disclosure of sensitive data, which constitutes a breach of GDPR. Therefore, investing in the protection of emails and files that are sent is crucial.
Azure Information Protection help keep your emails safe through advanced encryption and protects data at a file level with any attachments you might share too.
It’s a great solution that we recommend to our clients and one we can deploy seamlessly.
While GDPR email compliance may seem like just another regulatory hassle, it is actually an opportunity to invest into your company’s digital security. The most recent data from the Ponemon Institute shows that the global cost of a data breach is increasing steadily, and in 2018, it has reached $3.86 million.
The Latest Data Breach Report Shows a Troubling Trend
A data breach carries serious consequences, and every business operation will suffer – financial, sales, marketing, safety, you name it. The 2018 Cost of a Data Breach Study states there are three main causes of a data breach, with percentages of attack globally being:
Malicious or criminal attack– the main reason for 48% of all breaches
System malfunction– the cause of 25% of all breaches
Human error– the cause of 27% of all breaches
The report shows that human error was the reason behind a data breach more often than a system malfunction was, while malicious and criminal attack took first place.
Note: It’s important to state that human error only includes insiders who were careless, while malicious attacks also include insiders, third parties, and contractors who caused a data breach intentionally.
In the UK specifically, malicious and criminal attacks were the reason of 50% of all breaches, human error was behind 26%, with system glitch causing only 24% of all data breaches.
This means as high as:
76% of all GDPR breaches in the UK can be caused by either negligence or malicious intent.
Which can be vastly reduced when using a file or email encryption like Azure’s Information Protection
How AIP for GDPR Emails Keeps You Compliant
Azure Information Protection (AIP) is a cloud-based service that allows you to protect any sensitive and confidential data through encryption. You can protect local data you keep on your devices or data that you store in the cloud. When you send that data outside of your company, the encryption remains in place because it’s active at a file-level.
This means that even if you’re compromised, documents that are recovered cannot be read or unencrypted. Plus, intercepted emails cannot be read unless the intended user verifies themselves.
Ultimately, AIP can’t stop your users from making a mistake, but it can support them and arm them with the tools to protect company data properly.
Azure Information Protection Protects Against Malicious Intent
For example, if one of your employees or third-party recipients wants to email a file to an unauthorised person, they won’t be able to do so. Plus, AIP has a great feature called Do Not Forward for GDPR compliant emails. When this option is used, the recipient must first be authenticated to even view the email, and this is all they can do. They can’t forward the email or print, or screenshot. This ensures the email is for their eyes only and that they cannot execute a data breach by forwarding onto non-approved users that would lead to GDPR violation.
Documents attached to these emails are also counted as DO NOT FORWARD and will have the same restrictions.
Azure Information Protection Activity
Not only does AIP limit who can view the data, but it also tracks how that data is being used. By doing so, it ensures that data is safe at all times and that GDPR compliancestandards are met. Plus, if you suspect there’s a risk that the data could be used in a way that violates GDPR regulations, you can even revoke access to it.
There are a range of other uses for Azure Information Protection to help keep your company emails and files protected. If you need help learning the reigns or want to deploy Azure Information Protection Yourselves, get started today by clicking here.
One of the challenges of implementing GDPR for businesses is the technical GDPR staff training.
But, you need to be prepared.
Your organisation’s compliance depends on having informed and well-trained staff, and the larger your business, the more difficult and vital this becomes.
We’ve dealt with many GDPR staff training sessions approaching from the technical standpoint and often consult with organisations to ensure they are passing on their knowledge correctly.
As such, we’ve decided to put together this brief list of essentials for a technical GDPR staff training session to get you started.
Before Your GDPR Staff Training
Data protection should already be part of the company culture meaning that your staff aligns with a privacy-first approach.
In practice: Incorporating privacy and data protection to your core values ensures you adhere to the GDPR “data protection by design and default” guideline – this means that your default settings should be privacy friendly, and all processes and operations, from sending GDPR Compliant emails to app development, include data protection measures at their core.
What To Include in GDPR Training Sessions
A well-rounded GDPR training should start with the basics and work towards the technical aspects of GDPR compliance like new policies and frameworks that you’ve adopted as an organisation. Key points to include are:
GDPR is all about consent, and ‘legitimate interest’ cases when contacting others and this needs to be thoroughly understood and explained.
If not, any one of your employees could contact someone without permission and it could lead to a complaint to the ICO and fines. This is one of the most misunderstood points of GDPR currently, particularly for marketers and businesses that thrive from reaching out to potential customers. You and your staff need to understand where the line is, and how not to cross it.
2. The Risk of Non-Compliance
Your staff should learn about all the principles of data protection and be aware of the financial risk of not being compliant, how it hurts reputation, and what disciplinary measures the business (and they) can face. When they can connect the risks and arguments on why GDPR is necessary, they will understand just how important it is.
3. Understanding Your Business’ Role
Ensure your employees understand where your business stands. Participants should learn the difference between data processors and collectors, which category the business falls into, and the category of any other third party they conduct data-related business with.
There’s no point in explaining the rationale behind GDPR and the fines without some context. Your employees need specific guidelines about data-related operations and processes they do daily.
For example, your GDPR email training might be highly technical, so make sure that everyone understands how new regulations affect their daily email communication and work in general, with a focus on how it makes it better.
6. New Company Policies
Your business’ policies should be at the core of the staff training. Ultimately, you’re the ones to police your own staff and if it is enforced companywide, it’s more likely to be adopted (and stuck to.)
Every department should be aware of new company policies that ensure GDPR compliance and how they affect them – from developers working on a new app to the sales team dealing with customer data, to marketing staff sending out emails.
7. How To Spot Data Breaches
The staff should also learn how to recognise red flags – because a data breach has to be reported to ICO within 72 hours, knowing to spot one is crucial. They should also learn the correct procedure in case of a data breach, such as who to report it to in the company and whether additional measures are needed.
8. SAR Requests
Under GDPR, a company has to respect a subject access request – request for data. SAR requests need to be handled within 24 hours of being received, so having a policy in place and making sure your staff knows the correct way to respond to it is key, because the public and customers don’t always send requests to the right location straight away.
The Technical Side of GDPR Staff Training
Implementation of new technologies and software solutions that ensure data safety is the next logical step for GDPR compliance. But this can be difficult to implement itself.
Ensuring your processing systems and services are confidential and resilient
Being able to restore access to personal data quickly if there was a physical or technical issue that prevented access
Regular testing and evaluation of technical and organisational measures that were implemented to ensure data security
For example, your email communications should be secured through solutions like Azure Information Protection – which provides email and file encryption that protects data in such a way that it’s secure no matter where it goes. Deploying systems like Azure Information Protection across your organisation can be tricky if you don’t know what you’re doing, but training your staff to use AIP should be easy – from GDPR email training to sharing documents securely – to ensure the highest security and your ‘best effort’ towards GDPR.
Continuous GDPR Training Ensures Compliance
The last point to note is that reminders and refreshers are the way to really reiterate the importance of GDPR to your business, to staff.
Hold refresher sessions after the initial GDPR staff training on a regular basis. Data protection should be ingrained into every single business process. Make sure new members understand this too – make GDPR training an integral part of the onboarding process and make sure it becomes part of your company culture.
If you need help with implementing Azures Information Protection in your small business, check out our fully comprehensive and supported course here:
With our increasing reliance on our phones, computers, and other internet-connected technology and accessories, security is more important than ever. To be able to recognise when our tech might be compromised can save you from potential catastrophic losses. It’s therefore important to be on the lookout for computer malware signs.
How often do you pay for something using your credit card or online wallet? How many passwords do you have saved or “remembered” so you can quickly log in? Hackers can gain access to your devices in numerous ways, but in many instances, it’s not immediately apparent.
In a business environment on a company network, this can give hackers access to the same shared systems and folders that your computer has access to, leading to a data breach with far-reaching consequences. All it takes is for a high-level executive, member of the C-suite, or HR personnel with access to sensitive records to click that infected email and it’s game over for some businesses.
Being aware of the dangers and spotting the computer malware signs is, therefore, more important than ever to prevent the disastrous effects of a successful cyberattack. These are the warning signs of a possible data breach and that your system has been infected.
20 Computer Malware Signs To Be Aware Of
Very often, malware and viruses will be disguised as regular notifications. Your computer will display the notification, often saying that your PC is infected and offering help to remove the threats. If you accept “help,” you will be prompted to visit a website and leave your credit card information to pay for the service of removing the threat. Even though such an attack pattern is not new and has been present for a while, people still fall for it very often. This is the most common of all computer malware signs.
2. Sudden Sluggish Performance
If you notice that your computer is slower than usual, the first thing to do is check the TaskManager. You can access it by simply writing “Task Manager” after hitting the Windows key on your keyboard.
Once there, check the Performance tab to see whether any of your hardware is being used too much: the CPU, memory, disks, or GPU. Chances are, your memory might be compromised by malware.
Some glitches in your system might appear like your computer has a mind of its own – usually a brief glimpse of a registry change or your mouse moving by itself. In most cases, these are just little glitches – a speck of dust on the mousepad, for instance. But this could also be one of the computer malware signs. If mouse movements are deliberate and make sense, like the mouse moves and opens or closes applications, then you are definitely dealing with a far more serious threat than a dusty mouse pad.
To disable this kind of remote access, the first thing you should do is disconnect your PC from the internet, disable network drivers so it can’t connect again, and make sure any connectivity options are disabled, e.g. Bluetooth. Then, you can start dealing with removing the issue.
Your computer might crash for no apparent reason. Often, software and hardware incompatibility are to blame, but if this is excluded, computer malware infection is a real possibility. To see what the crash was caused by, go to Event Viewer by hitting the Windows button on your keyboard and writing “Event” – it should be suggested as the first option. Once opened, go to Windows Logs and go through those that are marked as an error. This will give you more insight into what caused the crash and help you or your IT team find a solution fast.
5. Low storage
If your computer is suddenly running low on storage, it might be that you have not been paying attention to how much you have left. Some malware and viruses, however, are programmed in such a way that they replicate endlessly until they use up all the storage space you have.
Always ensure you know how much space you have left. If you know for sure that your hard drive partitions had more than enough, suspicious activity is to be expected.
6. You Don’t Appear to Have Security Measures Working, e.g. No Antivirus etc.
Your computer might notify you that your security isn’t working – that your antivirus has been disabled. If this is the case, check the status of your antivirus immediately. While this can be a system glitch while your antivirus is updating, it is often a sign that you were infected.
If you can’t get your antivirus software up and running, you will have to either install a new antivirus and antimalware software or, if you’re using a paid version, contact your antivirus manufacturer’s support and let them lead you through the recovery process.
Malware software can also cause pop-up ads, new tabs in browsers, or change homepages, and search engines, without the user’s consent. To get rid of these annoying pop-ups and ads, you will have to find the infected software and remove it from your device.
8. New Icons on Your desktop
If you notice a new icon on your desktop that you don’t know the origin of, suspect foul play right away as new icons are computer malware signs. Malicious software might be installed on your device, threatening to steal your credentials, cause havoc, or even lock you out. If this is your work computer, contact your IT department right away as it could have been installed on the network, not just your own device.
9. Corrupted folders or Missing folders
If you get a prompt your file is corrupt or you realise some folders are missing from where they are supposed to be, it could be an infection. Some malicious software will not be after your credit card data – the intent can simply be to erase all your data from your drives. While this is less of a threat today than it was before thanks to various online storage solutions, not all your data is stored online. If you have lost files, a system restore might be a way of getting them back.
Some malware acts as a simplified version of ransomware by locking you out of your computer until you pay. But, unlike hardcore ransomware, there are some things you can usually do to unlock it.
Using Windows safe mode might do the trick. Once you have booted Windows that way, you can run a virus scan and remove the ransomware. There are also dedicated ransomware removal tools from established antivirus brands, and even Microsoft itself has tools available. Another option is to use System Restore to restore your computer to a version that wasn’t infected yet.
11. Errant Messages
Your system might notify you that an application requires permission to do something, for example an application trying to change something on your computer or connect to the network. This usually happens when you start up, update or install a new application. However, if none of these have happened recently and you’re still getting the messages, your PC might be infected.
12. Redirecting Web Browsers
If you notice that your browser started redirecting you to random sites, you might be dealing with a browser redirect malware, whose aim is to use these redirects to artificially boost traffic to such sites, gather search data, or to try to scam users and steal their personal data. Search for suspicious programs on your device if you suspect this to be the case.
13. New Home Pages
If you open your web browser and your homepage is changed, you need to check which program might have caused this. Usually today, a lot of software will come with additional taskbars or options to change your homepage while you install them. You can opt out of it easily during installation, but many people oversee this. While such changes and additions might not be viruses themselves, they often lack proper security and can easily be used as a point of entry.
14. You’re (Not) Reaching Out
You might find that new conversations are popping up in your email inbox or social media that were started by ‘you’, but you can’t recall starting them.
These spam messages encourage your contacts to click on links that will then infect them. A popular scam is the malware will send an SOS email or message saying you’re stranded and need cab money or a train ticket. It might not seem like a lot but if every one of your friends and every one of their friends become infected, it’s a lot of potential.
15. BSOD – Blue Screen, Will Not Boot
If your computer suddenly becomes unresponsive and you see the dreaded blue screen of death (BSOD), it could be malware.
However, BSOD often happens after you install new software or hardware. Check whether you have the latest drivers installed for all your components and search for possible incompatibility between programs and hardware you are using.
If this is not the case, you will have to consult the Event Viewer again to see what exactly caused the BSOD.
16. Credit or Bank Purchases
If you get notified that there were purchases made with your credit card, or money was taken from your bank account but you didn’t do it, ask your bank to verify how payment was made. If it was done using your card (not in person) it means it was an online transaction. This can mean your device is compromised and they’ve taken the details, particularly if you have them saved e.g. Google online.
Cancel your cards, disconnect from the internet and do a thorough sweep of your devices to make sure that the breach didn’t come from them.
17. You can’t login to your accounts
If you can’t get access to your account because your password suddenly isn’t working, there’s a good chance you’re dealing with a case of account theft. This is already one of the serious computer malware signs. Always have a fallback option for such cases – a way to reset your password via your phone number, for instance. To minimise such a risk, have two-factor authentication that will request a code sent to your phone or a generated code from an app installed on your phone.
If you get a notification from your authenticator, for example, a code on your phone but you’re not trying to log in, check your system for malware and change your passwords immediately. It could be someone with a keystroke logger.
18. Your Hard Drive Appears to Be Constantly Working Even When Doing Nothing
Erratic and sluggish operations can be caused by a lot of software and hardware issues. To see what is happening, you will have to open your Task Manager by hitting your Windows key button and typing “task manager” for it to appear on the list. Once opened, look at the performance of your hardware. If you see that your disk is on ‘100%’ most of the time, you will have to check which processes are running and might have caused this. Note that certain Windows processes might cause this from time to time – recently microsoft.photos.exe, a legit Microsoft application, was causing this issue for some users.
If you find any other applications that are unfamiliar to you and are using your disk fully, terminate the process by right-clicking on it and selecting the “End Task” option. Find which program the task belongs to in order to see whether it’s a real malware or virus issue or just an incompatible program.
19. File Names Change or Are Missing
Any changes to files – either the names or the location of the files – should immediately be attributed to malicious software activity. A deep scan with a dedicated software will be needed to find the infection. Any files that were affected – renamed, deleted, or removed – might be beyond saving, so always make sure you have your data securely backed up online.
20. Unusual login pages
Any changes to login pages you often use – either for work or personal – should be deemed suspicious. Usually, changes like this are announced in advance, so check for news about the changes before you log in. Any pages that require your work, Google, or social media account credentials (both username and password) for login should also be avoided as these might be phishing sites that are trying to steal your credentials.
If you’ve navigated to the page through an email, close the tab and go to the company you’re trying to login to directly. If you don’t recognise the site, NEVER give your credentials away!
It’s important that if you feel there is something wrong with your computer, particularly if you are on a company device or part of a shared network that you report it! Small and subtle changes can lead to big data breaches and catching malware early is key.
We’d all like to think that hackers are spending weeks on end planning their every move to attack a business but the truth of it is nowhere near as exciting. Although this could happen to a big target, for most people it’s a lot more boring and they get ‘accidentally’ caught in the net as hackers looking to make a quick buck send out malware or ransomware hoping someone will fall into the trap.
That doesn’t mean the effects aren’t any less devastating!
So, to make sure you can protect yourself, let’s look at the various different tactics hackers use to try and steal your business’ data.
1. Relying on Human Error
We’re sorry to say that lack of education in businesses and human error by employees account for a large portion of breaches in our experience. For example, employees attempting to access internal systems from unsafe locations, using personal (infected) devices on the network, or clicking malicious links in an email. Hackers cast their net far and wide, and the likelihood is someone will click something and open the door. And that’s all they need.
Hackers also pray on the lack of oversight from business owners on their employees. According to Keeper Securities’ State of Cybersecurity in Small & Medium-Sized Businesses (SMB) report from 2017, 59% of small businesses do not have insight into the types of passwords employees use. This means that although the company is liable for a breach, they aren’t enforcing or even aware of the security standards of the passwords in use.
Phishing is one of the most common tactics hackers use. This is usually in form of an email that is spoofed to look like it’s coming from another sender, like your bank, or ISP. It will urge you to act immediately or you might lose your account, money, or face infractions. 48% of hacks on companies last year found that phishing or social engineering were the result.
Here are the warning signs you need to look out for in a phishing email
3. Public/Free Wi-Fi
Public computers and Wi-Fi networks are notorious for being plagued with malicious software that “sniffs” for data packets while you are using them. You risk losing your account data as soon as you type in your password.
4. Phone Calls
Surprisingly these still work and is still one of the tactics hackers use! Hackers have been known to ring you claiming to be your bank or an organisation you’re affiliated with and ask you to confirm details over the phone. For example, banking pins or passwords as well as talking to you about family data or information, like your mother’s maiden name to get the ‘security question’ answers or take a stab at your password. If you feel a phone call is suspicious, never hand over your data, simply tell them now isn’t a good time and hang up.
5. Weak Passwords
Lazy, generic and consequently weak passwords are the easiest way for hackers to get access to your accounts. Many small business owners admitted that, while they still have password strength policies, 68% do not enforce them. A generic or commonly used password like 12345, makes it easy for hackers to gain access to your email or computer.
Check out our article below on protecting your password from hackers:
6. An Out-of-Date OS
While nobody likes how long OS updates take, they exist for a reason: to address flaws within the code that can potentially be exploited. Without regular updates, you enable easy access to hackers who are aware of the weak points.
7. Infected Attachments
It’s not just the links you should be wary of in an email. Masked to look like images or documents, they often carry viruses, malware, or spyware, like a keylogger that will install to your device and record your every keystroke to get your passwords that way.
8. Dodgy Devices
Be wary of those free devices being handed out to you as “freebies” in many cases, hackers can load malware or keystroke loggers on them so that when they are entered onto the computer they immediately infect it.
9. Pineapples – Spoofed Wi-Fi Points
A Wi-Fi pineapple is a fake Wi-Fi access point that has been purely set up to steal your data but it masks as public Wi-Fi. From the hacker’s point of view, they have multiple programs and software running to gain access but to the unsuspecting user, they just jump on as usual and voila, instant access to your data.
10. Unsuspecting Accessories
Your new smart lock, phone controlled thermostat, camera that is enabled to a network, card reader or any other online accessory all have access to your network. Hackers can use these as easy points of entry if they aren’t protected correctly to access your network and get to your data that way!
Unfortunately, we’ve only just scratched the surface of tactics hackers use to access your data and your files, and this is why we are firm advocators for using file protection as part of your cyber security strategy. That way, hackers can’t access the data from your files once you’ve been breached, therefore protecting the data stored within them.
To get automatic file and email encryption for small businesses using Microsoft’s Azure Information Protection, click the image below to get half off our course on udemy:
Until now, Microsoft’s Azure Information Protection (AIP) has been an enterprise level IT solution for the big brands and businesses. So, you may not have even heard of it! But, its tools are perfect for small businesses and allows you to get AUTOMATIC file and email encryption that is easy to use, and affordable.
Let’s look at why you should be looking at this solution for your small business, how you can use it and what it can do for you:
Why do I Need File Protection?
We could advocate for file protection but it’s easier just to show you, here’s how easy it is to gain access to your sensitive data if you don’t have file protection:
The solution to this? We recommend, Microsoft’s Azure Information Protection (AIP)
Update: 23/09/20 – Microsoft’s AIP has actually been upgraded to MIP, with a few extra features. This article is still relevant and if you scroll to the bottom you can see a demo of a recent project we just completed on how it looks in action.
What is Microsoft’s Azure Information Protection?
It’s an excellent cloud-based file and email encryption solution that allows you to create certain ‘rules’ to protect your files and emails automatically.
What Does This Entail?
Although it’s also an excellent option for smaller businesses because it offers unique cyber security features which make GDPR complianceeasy and seamless, you can’t really “figure it out” as you go.
It’s not as simple as downloading a piece of software. There’s a little more to it than that. But, once you know how, it’s our recommendation for keeping your company, files and emails protected. The installation looks a little like this:
Although only roughly 5% of your data is sensitive, you still need to protect it and in order to do so, you need to understand what it is, where it is and how you handle it.
This is the easy part (if you know what you’re doing) and is a simple installation of the AIP client onto all of the machines/servers that you want to have automatic encryption capabilities.
This is all about tweaking your settings to match your usage based on what you’re using your protection for in your business.
So, How Can I Do It Myself?
We originally created an AIP course (you can still take the legacy course HERE.) However since the update to MIP (Microsoft Information Protection) there’s a lot more backend setup, licensing crossovers, and implementation that just make this a project that is really tricky.
If you get it wrong you can accidentally encrypt and lock yourself out of all of your data, and to be honest, we don’t recommend doing this.
We still want to make MIP accessible for SMEs so we offer a half hour consulting option to give you the best tailored advice on what forms of protection are best for you, and then we can help you set up MIP if it’s suitable.
Running a small business comes with a very specific set of challenges, like having limited resources, and often cyber security falls to the bottom of the list. But, the cost of a data breach, no matter the size of your organisation can be huge and the bad PR or image alone could be crippling as small businesses have to rely on reputation!
Why Would Anyone Target Small Businesses?
Many small business owners don’t understand why their company would be an appealing target for hackers. They are small, don’t have vast funds or sensitive secrets that anyone would care about. They believe they are not big enough to be a target, so they don’t invest as heavily in cyber security as larger businesses do.
Some hackers do not target small businesses specifically but try to infect as many devices as possible, and without protective measures, backups in place, or the education, small businesses can very quickly become victims too.
The most common type of tactic that casts a wide net are ransomware attacks and more recently, cyber-attacks are becoming more targeted and specific.
The top 3 reasons why small businesses are targeted specifically by hackers are:
The lack of investment into security makes it too easy for those looking to make quick money by selling details.
Small businesses often work with larger enterprises and if they’re not careful can serve as a point of entry for a large data breach.
A small business is more likely to meet the hacker’s demands, such as a ransom, to get their data back because without it, their business is at a standstill.
Cyber-attacks against Small Businesses are on the Rise
According to Keeper Securities’ State of Cybersecurity in Small & Medium-Sized Businesses (SMB) report from 2017, attacks against small and medium business owners are on the rise. A staggering 61% of small businesses that were interviewed reported they were affected by a cyber-attack. The most common type of attack included phishing or social engineering, with web-based attacks and general malware following closely behind.
What Small Businesses Should do to be Safe from Cyber Crime
Change of stance is the most crucial thing.
If small business owners continue to believe they are not a good target to hackers and believe they don’t matter, they will continue to be vulnerable to cyber attacks. Small businesses should focus on the following areas:
New Technology and Software – Investing in the newest software solutions can give small businesses the edge that they need to catch breach attempts early. Machine learning can detect anomalies in network traffic or credit card fraud attempts so that small businesses don’t have to pay as much attention.
Employee Education – Teaching employees about cyber security lowers the risk considerably. Get them on board about it and teach them about password policies, what makes a strong password, why password sharing is risky, and signs that indicate a possible breach. Check out the TowerWatch Academy for regular courses that you might need for educating staff and using protection software.
Regular Updates and Patching – Ensure all your systems are up to date and patched regularly. New patches are applied to parts of code that could have been used as points of entry before the patch which is why you should always keep up to date.
Use Encryption – Encryption is a precaution in case a data breach happens. If hackers get to your data, having it encrypted will render it useless to them.
Physical Security – Have surveillance in place in areas where you keep your sensitive data to avoid malicious actions from the real world.
Two Factor Authentication – In case a cyber attack is successful in getting credentials to log in to your system(s), a two-factor authentication will stop them from getting further than trying to log in and will immediately alert you so you can lock it down and change your passwords.
When it comes to GDPR and emails things can get confusing! You need to make sure you completely understand the GDPR email terminology potential users/customers/businesses could be using so you can action accordingly.
Consent – This means permission! GDPR’s aim is to allow users more control over their data and is big on consent which means if you don’t have it, you can’t use it. Now there are some situations where direct consent isn’t needed, for example if someone makes a purchase from you, you’re allowed to send them a relevant email about their order without their consent as it’s a necessary byproduct of the purchase. Another example is when a company or business has a business specific email address on their “Contact Us” page. This is considered consent as long as the email is a business and not personal address e.g. [email protected] NOT [email protected]. One thing to note here is you still can’t add them to a mailing list but you can contact them with something of genuine interest.
Data Breach – This is where information has been accessed by unauthorised third parties due to a security issue. This usually refers to confidential or sensitive information.
Data Controller – The ICO define a data controller as:
“A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed”
Data Portability – This is the right of the user to move personal data to competitors and businesses have to comply. It must be readable and universally accepted by the other party and once moved, the original business may not store it (unless for legal/tax purposes.)
Data Processor – The ICO define a data processor as:
“In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.”
Data Processing – When information is handled, physically or digitally for any action. For example, collecting it, uploading it into an automatic algorithm, using it to segment etc.
Data Protection Authorities (DPA) – These will be appointed in individual EU-based countries to enforce and support the new data protection laws.
Data Protection Officer (DPO) – Data controllers will appoint an employee (or sometimes hire externally) a DPO whose responsibility is to make sure data protection and processing is met and understood throughout the organisation.
Data Subject – This is any person that the personal data is about.
Erasure – When an individual makes an erasure request, this means to have all of their personal data removed from your organisation (and third party organisations you use to manage this personal data) Not complying with this can leave you open to fines.
Encryption – A way of making information protected to prevent unauthorised entities or people being able to access, read or extract the data.
Pseudonymisation – A way to make personal data less identifiable to an outside party by using pseudonyms and preset identifiers in place of the data itself.
Recipient – The receiver of your email
Subject Access Request (SAR) – Contrary to popular belief, this isn’t actually new. A SAR request is something a user can do via email which entitles them to ask what information is stored about them. You may find the “Subject Access Code of Practice” by the ICO useful. Also known as a “Right to Access Request”
For more information on email protection in the age of GDPR, check out our FREE COURSE HERE to guide you through it!
If you want to protect the personal data that you send and reduce the risk of a breach, you’ll want to encrypt your emails or use an email encryption service! Did you know that you can send encrypted emails without installing anything?
The ongoing joke of the moment is the amount of unsolicited emails you’re receiving as a result of GDPR, “consent” and the regulations that became effective as of 25th May 2018. But, the new General Data Protection Regulation (GDPR) is a piece of EU legislation that has thrown forward infinite questions about specific processes, particularly those in the recruitment industry. Among these questions is: Are recruiters liable for data breaches when sending CVs via email?
After all, they hold a ton of personally identifiable information (PII) in the form of CVs, application forms and the submissions through their website. But, how much of this are recruiters responsible for and if you’re communicating via email, are you responsible for this data if there is a breach, even when you’ve gotten consent?
We’re looking at the facts from the ICO as well as our take on protecting PII sent via email to limit your chances of a breach.
Liability under GDPR
In short, recruiters are liable for any data breaches resulting from the sending of CVs via email, but to understand why, we must delve a little deeper.
Under GDPR, the data controller holds ultimate responsibility for all personal information collected by their organisation. The data controller must be highly trained to pre-empt and effectively address any potential breaches and it is down to the controller to ensure that the all held data is collected, processed, and stored properly.
The data controller is ultimately responsible for their organisation, but all individuals within it must act in compliance with GDPR. Under this legislation, anyone handling personal data is referred to as a data processor. A data processor acts on behalf of the data controller, and must adhere to the rules of GDPR.
In this instance, recruiters are the data processors when they are working with sensitive data, such as that contained within CVs.
Liability for Recruiters
Recruiters, as data processors, have accountability over the information they collect, handle, and send elsewhere. This includes CVs.
They need to ensure that the CVs and the data within them are:
#1 Sent only to the intended recipients
#2 Are used solely for a specific purpose
#3 Are removed correctly when no longer required.
A recruiter must know exactly where the CV is going and how it is being used by the recipient. This is because, under the rules of GDPR, any EU citizen has the right to erasure, otherwise known as the right to be forgotten. If such a request is received, the recruiter (and their organisation’s data controller) are duty bound to honour and complete the request.
But, if they aren’t keeping records or control of the transmissions of personal data they send, this task becomes more difficult, if not, impossible.
In order to protect themselves and their organisations, recruiters are likely to be encouraged to seek a disclaimer with each individual before they receive any of their personal data. The language of the disclaimer will vary between each organisation, but most will contain an acknowledgment that the individual will surrender some control of their data whilst it is being processed.
Note that whilst individuals may give their consent to allow the data processor and data controller access and processing of their personal information, they are still protected by GDPR and retain custodianship of their own data, including the right of erasure.
Tools such as Data Subject Access Requests (DSARs) provide individuals with the authority to obtain all of the data held about them by another individual or organisation. These are commonly used during employment-related disputes.
Whilst UK legislation dictates that any DSAR is fulfilled within 40 days of receipt, GDPR goes further. If a DSAR is not honoured, it could incur a fine of up to 4% of an organisation’s annual global turnover, or a fine of €20 million, whichever is greater. Although the maximum is unlikely to be enforced, except in extreme cases, the potential severity of punishment in response to breaches clearly demonstrates the importance placed on the rights of individuals to retain authority over their data. Plus, that’s not the only cost a business can incur in the event of a data breach.
What steps can recruiters take to protect themselves from GDPR-related penalties?
Now that we’ve explored GDPR legislation and potential penalties that can be incurred as a result of non-compliance, we’ll take a look at five steps recruiters specifically can take to prevent a breach and protect themselves.
Encrypt emails and Attachments
In order to avert unauthorised access to CVs and other personal data, a simple and effective solution is to encrypt emails and attachments. Encryption prevents data from being intercepted with malicious intent, and it ensures that only the intended recipient has access.
Encryption is easily managed through settings within some existing email client, or via third-party specialist services such as My Protected Mail. For large organisations, or smaller companies that routinely deal with a bulk of highly-sensitive data, the third-party approach is encouraged.
It is also worthwhile to ensure that all data processors (and controllers) are trained in the optimal use of encryption. After all, there’s no point in having a tool if it is not being used correctly.
Only send CVs to the intended recipient (and prevent forwarding)
When sending a CV by email, recruiters should select only the essential recipients. If the CV is not directly relevant to a recipient, it should not be sent to them. By keeping the pool of recipients as small as possible, it helps to prevent potential breaches.
It’s also worth clarifying, within the body of the email, that the CV should not be forwarded to any other recipient without the permission of the recruiter. Forwarding of attachments, particularly without the knowledge of the original sender, makes it almost impossible to track where the data has gone. Keep in mind that the individual to whom the CV belongs may make a right to erasure request at any time. Failure to keep track of their data can jeopardise an organisation’s ability to do this.
Provide extra information in your disclaimer
Make it clear to candidates, and all other individuals, precisely how their data will be collected, processed, and removed. Transparency at this stage helps to prevent issues further down the line. Use your disclaimer to present all possible scenarios, and ensure that consent is obtained before a CV is collected.
Keep sensitive data secure within internal systems
We’ve discussed the procedure for sending CVs to external recipients, but what about internal record-keeping? This is equally critical, and organisations must ensure that their internal systems are secure enough to manage and protect stored data.
Ensure that third parties are also compliant
Before a recruiter sends any information to a third party, it is worthwhile to sign an agreement regarding their respective data responsibilities. An organisation must ensure that all third parties are also compliant with GDPR, and will honour any future erasure or DSAR requests. This helps to prevent any potential problems in the future.
As we have seen, recruiters and their organisations do have a responsibility to protect all data sent electronically. Recruiters are liable for data breaches since as data processors, they act on behalf of their organisation’s data controller, and are bound by the rules of GDPR.
It is crucial, therefore, that they are trained and equipped with the resources to keep client data safe.
Whether you’ve had a data incident in the past and you need to write your report ASAP or you’re being proactive about the future, our Data Breach Report Blueprint has everything you need to write a comprehensive report, and more importantly, understand how to analyze the data breach from a business perspective and stop it happening again.
Whether you’ve had a data incident in the past and you need to write your report ASAP or you’re being proactive about the future, our Data Breach Report Blueprint has everything you need to write a comprehensive report, and more importantly, understand how to analyze the data breach from a business perspective and stop it happening again.
Privacy & Cookies Policy
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.