The Edge IT blog providing great tips, advice, support and news on IT issues. Edge IT are Technology Consultants based in Letchworth, Hertfordshire, offering IT Support, Projects, Security, Cloud & Services to small businesses in Herts & beyond.
Workplace 2.0 is no longer a futuristic concept confined to the innovation section of popular business magazines, but a real, thriving endeavour backed by new digital technologies. It seeks to change the way employees work together in fundamental ways and is needed more than ever, thanks to changes in the labour force and global markets.
The Need For A Workplace 2.0
The need for a new kind of workplace is becoming more evident with each passing year. The top driver is employee expectations. Millennials and younger generations want more from their work than just a paycheck at the end of the month. They want purpose, passion and compassion to permeate what they do on a daily basis and need to feel needed, respected and cherished by the companies they serve.
Also pushing firms toward a workplace 2.0 is the growing skills gap. Companies require technology that can circumvent the need for skills that may not be available at a price that they can afford. It’s the job of technology to step in and take over where a lack of skills is a problem.
Related to the skills gap is the increasingly globalised and fragmented workforce. Businesses often have to search far and wide to find the people they need to facilitate their operations, with searching for talent overseas not uncommon. Digital transformation and new technologies provide enterprises with the adaptable and flexible tools they need to manage employees in distant locations, far from the central office.
Finally, cybersecurity issues are making the “business threat environment” more complicated. Unlike in the past when it was easier for managers and CEOs to conceptualise the threats that their businesses faced, today, with the rise of sophisticated digital techniques, it’s far more difficult. Workplace 2.0 utilises a combination of systems which function autonomously in the background, protecting workers and businesses from the online threats that they face, while automatically updating to counter new dangers.
Although there is no single, overarching solution which can yield a workplace 2.0, world-leading technology companies, like Microsoft, are starting to offer products which can take companies part of the way towards their workplace transformation goals. Microsoft, for instance, is working on products that promise to provide collaborative tools, productivity-enhancing features, and exceptional security, all without the need for companies to hire specialists.
What Is Microsoft 365?
Microsoft has gone from strength to strength under the leadership of Satya Nadella since he took over the reins from Steve Ballmer back in 2014. The company is transforming itself from a consumer-first to a business-first company, focusing on integrated solutions that it hopes will usher in a new wave of productivity and changes in working practices. Just over a year ago, it released its flagship business product called Microsoft 365, designed to move companies in the direction of workplace 2.0.
There is some confusion, however, about what Microsoft 365 is, so it’s worth explaining. In essence, Microsoft 365 is a bundle of IT and security services that companies pay for on a rolling monthly basis which facilitate all kinds of business operations, from word processing to security. Included in the bundle is Office 365, a subscription service that gives companies access to all of Microsoft’s Office products (Word, Powerpoint, Excel etc.), Windows 10 Enterprise version, and the company’s Enterprise Mobility and Security product.
It’s important to note that Microsoft 365 isn’t just a bunch of existing products wrapped up into a single, simple monthly subscription service. It’s also overlaid with a sprinkling of the company’s AI magic, giving business customers additional functionality that helps to improve their word processing, team planning and OS experience. To give you an idea of what that looks like in practice, Microsoft now offers business customers additional, machine learning-driven, spelling and grammar correction. The software is sophisticated enough to discern proper grammar in idiosyncratic settings, based on common uses of phrases elsewhere in its database (or the internet for that matter). Customers get a more true-to-life grammar correction facility, helping to improve marketing content, email writing, documents, and reports.
Microsoft Teams is a product which Microsoft hopes will help deliver better teamwork across organisations. Part of the transformation from workplace 1.0 to workplace 2.0, according to the tech giant, is a movement away from a “me-centric” culture to a “we-centric” culture. The team, not the individual, is fast becoming the unit of production, and so companies need to introduce tools that allow people to work together more effectively.
Microsoft Teams is the company’s response for businesses who want to streamline team performance and get more done with the resources that they have available. Perhaps the leading feature of Microsoft Teams is the ability to bring people together. Available in over 40 languages, Teams allows both businesses and freelance networks to discuss issues through chat services, video calling, shared file storage, and collaborative content creation tools (including Office products). The product integrates with over 140 apps (like Adobe and Evernote) and offers additional security features to protect company data. In short, Teams is a one-stop-shop for all your digital collaboration needs, couched in a secure and stable cloud-based environment. No need to set up servers: no expensive maintenance required. And no more emails. Well, that’s the idea at least.
Microsoft 365 is a product that understands that people in your organisation might not be located in the same physical office – or even in an office at all. But it still recognises the importance of education and human interactions in any business setting.
One of the most exciting features of the product is AI-enhanced events. Not only does the product allow you to watch presentations by colleagues live (so long as you’ve got a camera set up), but it enhances the experience with a range of useful features designed to save viewers’ time and help them find the content they need. AI, for instance, automatically performs speech-to-text transcription (negating the need for expensive human typists) and provides a transcript search feature, which allows users to find the information they need in a video just as quickly as they can when searching regular text.
The events feature in Microsoft 365 is enabling workplace 2.0 in other ways too, such as by automatically labelling videos with presenter names using facial recognition software and using closed captions to help those who might not be able to hear.
As we discussed earlier, millennials and younger generations want a higher quality experience while at work. No longer are workers happy to sit in cubicles all day long, fiddling about with spreadsheets to get a paycheck at the end of the month. They want their work to complement their life, not oppose it.
Microsoft knows this, which is why it’s built a range of features into Microsoft 365 that it hopes will improve teamwork and work-life balance. Microsoft is developing “nudges,” an AI-powered facility which reminds people when they’re sending emails to others after hours and when they might need to take a break. It uses insights from MyAnalytics to remind people automatically, hoping that it will help organisations develop a culture which respects the importance of time out.
The Digital Canvas
Go to any modern startup, and you’ll see flip-charts and whiteboards all over the place, covered in notes and ideas. Microsoft wants to bring these tools into the digital realm because of the increasing fragmentation of company workforces. The Microsoft Whiteboard is just one of the tools that the company is developing so that people can meet virtually, share ideas, and communicate essential concepts that are difficult through text or voice alone.
Company education may also stand to benefit. In fact, Microsoft has a Microsoft 365 product which it targets at educators called Microsoft 365 Education, owing to the collaborative opportunities the platform provides. Teaching employees new concepts remotely should be easier than it was in the past.
Enabling A Multi-Device Experience
While the mobile revolution offered some advantages over traditional working practices, it was never a full solution for a fragmented workforce. In the past, workers often had to have two devices: one personal and one corporate, adding to company costs.
But with Microsoft 365, this may be a thing of the past. Thanks to centralised IT and the Azure Active Directory, employees can switch between personal and corporate devices, as and when they please, without the usual security issues associated with such policies. Microsoft says that the working environment now travels with the individual, rather than the device, meaning that the device is relegated to secondary importance. It’s the individual’s access that matters – as it should be.
The hope is that this will improve user experience. People will be able to pick up their work, no matter where they are, regardless of the device that they choose to use.
In conclusion, Microsoft 365 and Microsoft Teams offer business customers an important stepping stone to achieving “workplace 2.0.” Thanks to a range of features, it is now far easier to manage employees remotely, use digital tools to improve workplace cultures, and negate the need for specific, in-demand technical IT skills to be provided in-house.
We have broken down some of the most important factors and best practices that we believe good email security consists of.
These are (in no particular order):
2 Factor Authentication
This rough guide will hopefully give both IT Administrators and Commercial Leaders the confidence and insight into what should really be in place to protect the number 1 attack vector for all businesses today.
Passwords – the oldest trick in the book
Passwords are one of the most important factors in keeping your email information safe. A good strong password is the first level of defence against a security breach.
Don’t use generic passwords. Things like CompanyName123 and FirstLastname! aren’t secure – especially when it comes to admin level accounts. Here’s a nice little comic that we reference to make strong passwords for ourselves.
Platform – Hosted Exchange Services or On-prem?
Many companies still have email hosted in on-premises environments, and whilst there is no “one-size-fits-all” approach, we generally recommend hosted environments such as Microsoft Office 365 for many of our customers, as they remove the maintenance overhead associated with an on-premises environment and are typically more secure by design.
Factor in the benefits of having Microsoft’s weight behind the service level support, and an email service that doesn’t rely on your connectivity or infrastructure and is redundant across multiple EU datacentres, and Hosted Exchange services are typically very compelling to consider.
Here are some of the top benefits of moving your clients to a Hosted Exchange service.
With a service like Office 365, Microsoft supports the service layer, and as such issues are resolved relatively quickly, reducing labour and maintenance costs for your internal IT team or MSP.
Disasters can have a significant financial impact on small businesses, and most simply cannot or will not spend out on redundant connections. When their system goes down, they rely on either their internal IT team or their MSP to bring them back online. A Hosted Exchange service can continue to provide email no matter what is impacting your client: they can use their smartphone or take their laptop to the nearest Wi-Fi hotspot and carry on with their business.
Storage and Archiving
Additionally, Hosted Exchange services come with large mailboxes, archiving and even Legal Hold facilities for professional service providers like lawyers and accountants.
While user counts are predictable, storage requirements can grow exponentially, and email systems are always attempting to meet an ever-increasing demand. Network storage space is costly, and backups must be provided to restore all the data. Hosted Exchange service providers offer hosted archiving for a small additional charge, without you having to worry about storage capacity or additional servers to handle the growing email archive.
2 Factor Authentication – what, how and why?
Critical email accounts should ideally always be protected by 2 factor authentication. Most modern online services take your security extremely seriously and have taken the necessary measures to make sure your information stays protected using 2 factor authentication. If you bank online, you will already have used an equivalent.
For a hosted Exchange environment like Office 365, Microsoft allows users to configure 2FA for specific accounts.
In the best-case scenario, protect all accounts. When this isn’t feasible, we suggest aiming to ensure that any accounts that deal with finance, billing, HR and other sensitive data, and of course directors, have this in place as a minimum.
You can set 2FA up with Microsoft Authenticator or if you are using a platform like G-Suite, then Google Authenticator will be the best option.
However, for these online security protocols to be 100% effective, it’s crucial that you’ve taken your
Encryption – Use Encryption to protect sensitive emails
With the introduction of GDPR back in May 2018, email encryption has been a hot topic for organisations that are thinking about how to best protect the data they are sending both internally and externally.
Most people think of the process of encrypting emails with a very simple metaphor – a secret agent writing a message in code, perhaps. This is accurate, but only paints part of the picture. Most enterprise grade email encryption solutions actually work on three distinct levels. The first one is actually encrypting the message itself – the spy writing in code, in our example.
Then, they must encrypt the connection between your computer and the server that sends the mail. This ensures that the mail reaches the mail server, and then the final recipient you intended it for, instead of being hijacked and passed along to an intruder. Using the spy metaphor, you can compare this to having a secret and secure location to exchange information with your sources.
Finally, the encryption solution needs to make sure that the copy stored locally on your computer or in your cloud mailbox is also encrypted and secure. This is like making sure you keep your spy orders in a locked briefcase at all times. An encryption solution that does just one or two of these three things leaves you with a massive vulnerability, and can actually be more dangerous than no encryption at all, since it can lead to a false sense of security.
If you’ve decided that an email encryption may be right for your company, the next step is to choose the type of encryption and encryption method you’ll be using. Keeping your email encrypted between your computer and the email server is fairly straightforward – most email providers now do so for you. To verify, check your URL bar (if you use webmail) for the “https” prefix in the address.
If you use Outlook or a similar program, you often have the option of choosing to use TLS/SSL when communicating with the server. This is a secure protocol that makes sure your messages aren’t tampered with en route to their destination. If you’ve decided that email encryption is a must-have feature, but your current mail service provider doesn’t support “https” in webmail or SSL/TLS, consider switching mail providers.
The next step is to secure the message itself. This is where things start to get a little bit complicated. The first thing you will need is a security certificate. This certificate, given out by a company or organisation that is trusted as a source of identity verification, is like your digital fingerprint. It tells everyone who sees it that you are, in fact, you. To do so, though, the people you are communicating with need your public key. This is like your ID card that can be matched up to your fingerprints to verify your identity.
The downside of this process is that you have to make sure that everyone you message has a copy of your public key ahead of time so that they can verify your identity and decrypt the message. The alternative is to use one of the many available software solutions that automate much of the process. That also comes with downsides, though – you have to put your trust in a third party, and many of these software solutions still require some extra action on the part of the recipient (such as verifying their identity, signing up for a membership, or other such actions).
Finally, you have to make sure that your archived messages are adequately protected. If you use a webmail client, you are stuck with whatever protection the mail service provider gives you. Fortunately, this is usually quite good. Mail service providers have long ago learned that getting caught being hacked is very bad for business. If you have a self-hosted server or you use an email client like Outlook, though, you have some options. The simplest is to encrypt your entire hard drive.
This method is simple and reliable. However, you have to make a trade-off between security and usability – the stronger the encryption methods and protocols, the slower data access (and your computer) becomes. The better option is to encrypt just the location of the stored/archived email. This gives you the best compromise between strong security and functionality. And don’t forget, encrypting your laptop does little good if you have all your emails also stored on your un-encrypted mobile phone.
Attachments – Trust issues & Scanning for threats
Always make sure to scan all attachments with a good antivirus software program before opening and be especially aware of any zipped attachments, ones with unusual file types, and Office documents with macros. Scammers use all of these tactics to install malicious software on your machine.
We typically recommend solutions that scan emails at both the Service Level (e.g. Hosted Exchange) and then at the Client Level (e.g. Outlook).
Any modern Antivirus software will take care of this from the Client Side, and many Hosted Services have some form of Antivirus Scanning capability, but we see it all too often where a company has a system that is simply insecure, or lacks even these basic functions.
Whilst native protection is offered by services such as Office 365, most businesses would benefit from the enhanced security offered by specialist products such as Edge Email Security, which is deployed easily and works seamlessly with all major email platforms.
Training – Anti-phishing & Email Security Training for employees
Phishing, also known as “brand spoofing” or “carding”, is a term used to describe various scams that use (primarily) fraudulent e-mail messages, sent by criminals, to trick you into divulging personal information.
Criminals use this information to steal your identity, rob your bank account, or take over your computer or even email account, sending fake invoices on your organisation’s behalf!
Counterfeit web sites, using “hijacked” company brands and logos, are created to lure you into revealing information you would not want to be public knowledge. These digital thugs are “phishing” for any data they can obtain to prey on people and further their criminal activities.
Even the most experienced internet user can be duped into entering information based on a targeted phishing email. Often phishing emails are sent to a small number of users in order to avoid detection. This is why protection at click-time is so important in today’s “email to web” communication world, and it is offered by high-level email security products.
However even the best cloud-based email security solution can’t catch every malicious email missive. It’s important to educate your staff as to the fundamental signs that an email may not be entirely legitimate.
Even if you use a secure email provider, users need to protect their privileged credentials. “Weak and recycled passwords are common, something that inherently makes everything less secure,” notes Lee Munson, a security researcher at Comparitech.com in West Kingsdown, UK.
Don’t allow sharing passwords among team members – what this practice gains in convenience it certainly loses in security. Two-factor authentication (2FA) is a baseline defense as we mention earlier on in this post. Make it so your staff can’t give away their credentials! Business Impact: Sloppy password management creates an open door for hackers: 80% of security breaches involve privileged credentials, according to The Forrester Wave: Privileged Identity Management, Q3 2016.
Don’t trust emails, even if they’re from inside. Research found that business email compromise (BEC) tactics get through enterprise email security solutions 7 times more often than email-borne malware. Threats can also come from within: a bad actor inside your organisation may use internal phishing to spread an attack. Business Impact: During a three-month period in late 2016, the FBI’s Internet Crime Complaint Center recorded 40,203 BEC incidents globally, costing affected organisations $5.3 billion. Mimecast research shows that 90 percent of global IT security decision makers rank threats on the inside as a major challenge to their organisations’ security, and almost half (45 percent) feel ill-equipped to cope with them.
Check URLs “on-click/every click”. We don’t look at – much less closely examine – URLs, which makes us prone to malicious URL phishing. Skillful cyber thugs capitalise on this weakness with typo-squatting (URLs that look correct at a glance) and other sneaky techniques. Your best defence is automated real-time, on-click/every-click URL scanning. Business Impact: Cybercriminals are increasing their use of malicious URLs to trick you into giving up credentials or installing malware, which can cost even small companies large amounts of money in recovery costs and downtime.
Solutions from providers like Proofpoint include URL Defence mechanisms that can scan the link at the time of entry and again when the user clicks on it. This helps mitigate spear-phishing attacks: sophisticated attacks that initially involve “clean” links. Speak to your current provider to see if
All these tactics may seem overwhelming, but you need a lot of email protection to safeguard against savvy cybercriminals that are after your money and data. Learn more about what could be getting through in your employees’ email.
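As an added example (not Edge IT’s code or any vendor’s product) of the two checks described above, attachment triage and look-alike URL detection: a small Python script that parses a constructed sample message, flags archive, script and macro-enabled attachments, and compares each link’s domain against a hypothetical allowlist of trusted domains using edit distance. The domains and the sample email are assumptions for the demonstration.

```python
"""Inbound email triage: risky attachment types and look-alike (typo-squatted) URLs.
Added example, not production code; brand list and sample message are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Attachment categories the text warns about: archives, unusual/executable types,
# and Office documents that can carry macros.
RISKY_EXTENSIONS = {
    ".zip": "archive (contents cannot be scanned until extracted)",
    ".7z": "archive",
    ".rar": "archive",
    ".exe": "executable",
    ".js": "script",
    ".vbs": "script",
    ".docm": "Office document with macros",
    ".xlsm": "Office document with macros",
    ".pptm": "Office document with macros",
}

# Hypothetical allowlist of domains this organisation expects links to point at.
TRUSTED_DOMAINS = {"microsoft.com", "office.com", "edgeit.example"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance to a trusted domain suggests typo-squatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' rule; a real deployment should use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_url(url: str):
    """Return a reason if the URL's host looks like a trusted domain but isn't one, else None."""
    host = (urlparse(url).hostname or "").lower()
    dom = registrable_domain(host)
    if dom in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # e.g. microsoft.com.verify-example.net: trusted name embedded, but a different domain
        if trusted in host and not host.endswith(trusted):
            return f"{host}: embeds trusted name {trusted} but is not that domain"
        # e.g. rnicrosoft.com or micros0ft.com: within two edits of the trusted domain
        if 0 < edit_distance(dom, trusted) <= 2:
            return f"{host}: within 2 edits of trusted domain {trusted}"
    return None


def check_attachments(msg: EmailMessage):
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name}: {RISKY_EXTENSIONS[ext]}")
    return findings


def check_urls(msg: EmailMessage):
    findings = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in sorted(set(URL_RE.findall(part.get_content()))):
                reason = check_url(url)
                if reason:
                    findings.append(reason)
    return findings


def triage(raw_message: str):
    """Parse an RFC 5322 message and return all findings (attachments first, then URLs)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return check_attachments(msg) + check_urls(msg)


def sample_message() -> str:
    """Constructed phishing-style sample: a look-alike link plus a macro-enabled workbook."""
    m = EmailMessage()
    m["From"] = "accounts@rnicrosoft.com"
    m["To"] = "finance@edgeit.example"
    m["Subject"] = "Invoice overdue"
    m.set_content("Please review your invoice at\nhttps://login.rnicrosoft.com/invoice\n"
                  "Help: https://www.microsoft.com/help\n")
    m.add_attachment(b"not a real workbook", maintype="application",
                     subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="Invoice_0412.xlsm")
    return m.as_string()


if __name__ == "__main__":
    for finding in triage(sample_message()):
        print("FLAG:", finding)
```

Both checks are deliberately simple: they show the signals a click-time URL scanner and an attachment filter look for, not a substitute for either.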
Outbound Filtering – Do you really have visibility?
The general focus of email security in the media today is based on inbound email threats; phishing, ransomware attacks and of course spoofing. Email administrators often overlook the significance of outbound email misuse and the trouble it can cause an organization.
To give you an example, let’s assume your environment was compromised a few months ago because an employee entered their details into a phishing email. The “bad actor”, who now has complete access to that mailbox, sends one of your clients an email. It is sent from your company email address and it’s loaded with viruses. Would you have visibility of this? How would you discover it? Is there anything in place that could stop such an attack?
Good email security solutions offer outbound filtering and content analysis designed to protect your business against exactly this type of attack and safeguard its reputation. It is possible to scan all outbound messages and their attachments, including those from whitelisted senders, and then trigger a notification to the sender when an outbound message is blocked by attachment content filtering.
You should look for solutions that fully integrate with G-Suite, Office 365 or any on-premise mail server to add vital outbound data loss prevention and reputation analysis.
Continuity – What happens if it all goes down?
So, all your data is backed up, but what happens if that Exchange Server goes down, or indeed the Hosted Exchange Service that you so heavily rely upon has an outage (and it does happen!). Then what?
Most small and medium sized businesses simply must wait for services to be restored by the provider or IT team that is administering the server. For many companies this is not a big cost or issue and is perfectly acceptable; for others, however, it is considered extremely costly from a time, resources, lost revenue and reputational damage perspective.
If you are prepared to accept up to a day’s down-time, then a service like Office 365 should hold up well. But if this is deemed unacceptable then email continuity should be high on your Disaster Recovery Plan and priority list.
Again, there are several good solutions that can be put in place to protect against email downtime. It’s important to assess the business impact based on existing and also future projects. Restoration times, failover and monitoring should all be evaluated in line with the considerations above.
The growing threat of cyber-related crime is quickly becoming a major concern for most organisations and business leaders. With regular reports of high-profile businesses falling victim to cyber crime across the globe, it’s the responsibility of every organisation to ensure it adequately protects itself and its customers.
Cyber Essentials is a cyber security certification, published in June 2014, that is backed by the UK Government in collaboration with industry to promote a standard in cyber security practices across all industries and sectors. Based on five key controls, the scheme is designed to encourage organisations to adopt good security practices to address a number of common threats and minimise risk (even for businesses which aren’t particularly experienced in technology). An official Assurance Framework has been produced to enable organisations to successfully obtain the certification, providing relevant guidance on the steps required to implement the appropriate controls and be compliant with the scheme at relatively low cost.
Edge IT achieved the Cyber Essentials certification through the IASME Consortium, one of four accreditation bodies specified and appointed by the UK Government, in February 2017. In addition, IASME offers the IASME Governance Standard, which encourages further security best practices on aspects such as physical security, staff awareness and data backup. The IASME Governance Standard is widely recognised as the best cyber security standard for small companies by the UK Government, in consultation with trade associations and industry groups.
As a technology company, Edge IT already adopts a number of best practices and protective measures to protect its digital assets and information, as well as advising its clients how to do the same. In addition to the practices described by the Cyber Essentials scheme, we also adhere to the guidance outlined by the National Cyber Security Centre (NCSC), including 10 Steps to Cyber Security and Cloud Security Principles. The NCSC was set up by the UK Government to help protect critical services from cyber attacks, manage major incidents and improve the underlying security of the United Kingdom. Part of GCHQ, the NCSC works in collaboration with organisations and citizens to reduce the cyber security risk that exists today.
Making the most of your CRM – 5 Mistakes & how to avoid them
You are probably very familiar with the selection of customer relationship management (CRM) software available to you, but is your company getting the most out of your CRM?
Efficient management of information and data is critical for organizations of all sizes. An organization can generate huge amounts of information on a daily basis, making managing it difficult. Keeping in mind the business needs, the information can be organized with the help of technology, processes, people and the value of the content. But to ensure maximum use of these resources and better management of the business data, it is equally important to be aware of the problems that may arise in the process and how you should go about managing them. A CRM will go a long way to helping manage your information.
Whether you are using SalesForce, Sage 200, Hubspot, Zoho, Pipedrive or your own bespoke system, it’s easy to get it wrong. Even seasoned IT professionals can still miss something when it comes to choosing and implementing the right CRM platform, leaving them with hassles that suck time and money. Be sure you are getting your CRM strategy right by looking out for these five common CRM mistakes.
CRM Scalability is important – SaaS & Cloud-based CRMs help with this.
1. Choosing a CRM platform that cannot scale
If your CRM was chosen years ago when your company was smaller, there is a good chance it isn’t serving your needs now. As your business expands, and you gain more clients and contracts, assess your current data to be sure your CRM solution can handle your current and future business needs. Your CRM should be able to support your organisation’s growth, and be robust enough to support 2x, 5x or even 10x growth.
There are many CRMs on the market now that are essentially SaaS (software-as-a-service) products, or “Cloud-first”. This is almost always preferred for a modern deployment as it removes the requirement for additional Application servers being added into the IT Environment or stack and speeds up initial deployment.
Most customers will experience a lengthy on-boarding process with their chosen provider. It’s very important to leverage this opportunity to get the most out of the product and decrease the time to get your team up-to-speed on the new system.
CRM typically touches many different departments and areas of your business, so it’s essential to get all the stakeholders together early to map out requirements and ensure any system can cope with those department’s demands. Marketing, Sales, Customer Service, Logistics & Operations all feature heavily in our experience.
Sales Driven CRMs will allow you to customise your team’s workflow
2. Choosing a CRM system that is not sales-friendly
Does your CRM tool serve your employees who are out in the field? If not, it isn’t serving your overall company well, either. Select a user-friendly CRM system for higher engagement among your sales team so they will actually input valuable data into the system. A bad user experience can cost your team time, create frustration and require lots of additional training. Ensure your team can use the tool quickly, efficiently and effectively to avoid “CRM-fatigue”!
Marketing Integration should be standard in any modern CRM
3. Failing to integrate your CRM tool with marketing & social media
Social media matters, even when it comes to your CRM system. If your CRM tool does not include social media interactions with customers, you are missing a big piece of the customer relationship puzzle. Tracking social information and engagement provides vital customer insights that you don’t want to miss. If you are not able to leverage Social Media directly, ensure at the very least your system integrates with your main marketing platforms.
Many of the larger CRM providers will integrate directly with the large Cloud & SaaS marketing tools and platforms, and some even have their own “App Store”. Marketing automation can be achieved with some CRMs using advanced features that include integration of exciting new technologies such as Machine Learning and AI, helping marketing teams make data-driven decisions quickly and uncover new opportunities that will resonate with their audience.
CRM UX should be blisteringly fast to support, not hinder your team
4. Including too many fields in each record
CRM should let your team do their jobs quickly and effectively. It should support, not hinder information sharing and tracking. Give your sales team the option of only filling out the most important details about each contact so they can capture that information and move on. They can always go back and fill in additional information later, and the initial simplicity will help them work more quickly.
Whilst it will ultimately come down to preference, there are signs to look out for that the CRM you are evaluating is not a great User Experience such as:
Struggling to intuitively find basic data & Information
CRM Metrics & Reporting should be powerful and intuitive
5. Failing to establish metrics to monitor success & lack of real-time reporting
As with other marketing efforts, you should use metrics to measure how well your CRM tool, or the way in which you use the tool, is serving you. Set metrics for each of the business areas that will be impacted by the CRM system, and monitor them regularly. Your chosen system should allow you to create important reports with granularity and accuracy. If it doesn’t, consider speaking with the vendor about possible options or further training. After all, what’s the point of all this data without the option of analysing it?
Some notes on best practices and items for consideration
Dealing with information management issues
To get rid of the information management pain points in business processes, you first have to identify and understand the problems. Often it is general apathy towards data, rather than a particular process or department, that causes problems in managing information. The problems that many companies face in information management recur, and persist despite changes in technology.
What is needed for effective information management? Well defined goals and objectives, and clear cut expectations from the people involved, are what make an information management program effective.
Here is a look at the key information management issues that could affect the business processes, and how you should tackle them.
Good UX & Reporting is key to a high-performing CRM System
One of the biggest problems of managing data is an information bottleneck. This is often a result of not clearly understanding the value of the content, and how it is needed in the organization. Complex storage and application devices, increasing business operations, and lack of quality maintenance of data also lead to poor data integration.
The solution for these problems is a team that can categorize the available information according to its relevance to the existing business processes. The information should also be classified based on who uses the information and what it is used for. One of the best ways to do this is to index the information and store it so that the information that is often needed is easily accessible, and what is not is archived.
Paper, paper and more paper
In this age of information overload, many companies still tend to store the information on paper. This can lead to increase in paperwork, which can be difficult to handle in the long run. In addition, information on paper is highly susceptible to deterioration, loss or theft. Document management and any loss of vital information can cost the enterprise heavily in time and money.
The solution to this problem is to make use of technology to digitize the necessary information. This enables easy management – addition and removal of the data as required – and also reduces the costs involved in document management and storage. Information in electronic format can be stored in flexible storage devices, allowing easy access to it when required.
Sometimes a document or content is replicated too many times, finding its way into several devices. Also, companies tend to keep copies of certain documents that are no longer relevant to the business processes. Creating too many copies of a document, when not needed, makes the information management process more complex.
The solution to this problem is to avoid replication of data without reason. This improves the business process agility and enables easy and effective tracking, maintenance and storage of important information.
Not being prepared
Being prepared for the unforeseen is essential for preventing loss of data, be it in the form of paper or in the electronic form. Not having the necessary disaster and risk management plans can disrupt the smooth flow of business processes and lead to losses.
The only way to prevent this is to have a recovery plan that can help you restore your digital and paper documents without affecting your business.
Having the necessary information is one thing, while being able to access and use it in time is another. Poorly designed workflow processes and policies for managing data make it difficult to store and retrieve data without any hassles.
Organizations should focus on developing flexible workflows that can be optimized according to the growing and changing business processes.
Windows 10 Pro, Enterprise and Education editions come with BitLocker, a built-in full-volume encryption feature at no extra cost, which you can deploy within your business today.
BitLocker Drive Encryption (BDE), or BitLocker, offers volume-level encryption for data stored on Windows workstations, laptops and servers. BitLocker protects data at rest, that is, while the Windows system is offline (shut down, or hibernated with the drive locked), and so helps prevent data breaches caused by the theft or loss of laptops holding confidential data. It does not protect a running, unlocked system against malware or against a logged-on attacker; that remains the job of your endpoint and access controls.
BitLocker is a useful component of the Windows OS as it helps organisations secure data and save money, because they don’t need to invest in special third-party disk encryption software.
Third-party solutions such as ESET DESlock+ can be more expensive, but also offer more power and flexibility for larger organisations. IT departments are often reluctant to implement new security features because of the inherently higher complexity and maintenance overhead that new security solutions can present. New cryptographic tooling also brings a certain administrative fear factor for administrators and operators, particularly the risk of locking yourself out of your own data, and this can be harder to deal with in a small business environment.
We have highlighted three critical steps in this article that you must pay special attention to if you are considering deploying BitLocker in your Windows environment. Our aim is to give you a framework and build confidence so you can secure your environment and data with better practices and encryption. BitLocker is available in the Ultimate and Enterprise editions of Vista and Windows 7, the Pro and Enterprise editions of Windows 8 and 8.1, the Pro, Enterprise and Education editions of Windows 10, and as an installable feature in all editions of Windows Server 2008, 2008 R2, 2012 and later.
Choose the Right Unlock Method
The strength of the protection BitLocker offers depends to a large extent on the authentication mechanism it uses for unlocking access to a BitLocker-protected drive. This authentication mechanism is referred to as the unlock method.
Before a drive is unlocked, BitLocker authenticates the request using identification data that the user or the OS provides and that authorises BitLocker to release the key for the drive. BitLocker supports different unlock methods based on user knowledge of a secret, presence of a hardware component, or software keys, or a combination of all three of these. You select the unlock method when you set up BitLocker.
The available unlock methods differ for OS drives and for fixed or removable data drives. For example, only an OS drive can be protected using a Trusted Platform Module (TPM), a special security chip that is part of most of today’s PC motherboards. On an OS drive, you can choose one of the following unlock methods:
startup key only
TPM only
TPM + PIN code
TPM + startup key
TPM + PIN code + startup key
TPM only unlocks the drive with no user interaction, so its protection rests entirely on the TPM’s boot integrity measurements; once Windows is running, the key has already been released. The last three of these unlock methods add a second factor that an attacker who steals the machine must also obtain, and offer the best protection. Unlock methods involving a PIN require the user to provide a PIN code at system startup time. When a startup key is involved, at startup time the user must insert a USB token that holds the startup key.
On a fixed or removable data drive, you can choose the following three unlock methods: password, smart card + PIN, or automatic. For data drives, the smart card + PIN unlock method offers the strongest protection.
When you use a TPM-based unlock method to protect your OS drive, BitLocker also validates the integrity of the early boot components (firmware, boot loader and boot configuration) at start-up, in addition to encrypting the data; if those measurements change, the TPM will not release the key and the drive drops into recovery. On the other hand, using a TPM adds setup and management complexity and overhead. The TPM must be enabled in the firmware, which on many older systems can only be done after you have defined a BIOS password. On TPM 1.2 systems an owner password must also be defined before the TPM can be used; Windows 8 and later provision the TPM automatically, so this step mostly applies to Windows 7. The owner password allows for the clearing and disabling of a TPM and is typically held by a system administrator.
When you consider deploying BitLocker with a TPM, you must make sure that your computers have a TPM 1.2 or TPM 2.0 chip and firmware that supports it (Windows 10 supports both; TPM 2.0 requires UEFI boot rather than legacy BIOS mode). To check whether a computer includes an operational TPM chip that can be used for BitLocker, use the TPM Management snap-in (tpm.msc) or the Get-Tpm PowerShell cmdlet.
Because many organisations still have older computers that don’t have a TPM, and you cannot simply add a TPM to a computer, Microsoft included the startup key only unlock method for OS drives. To use this unlock method, you must enable the “Allow BitLocker without a compatible TPM” option of the “Require additional authentication at startup” policy setting, make sure that your users have a USB drive, and check that the computer firmware supports reading USB devices during startup. For more information on how to set up BitLocker without a TPM, read “Using BitLocker Without a Trusted Platform Module”.
When you plan to unlock your BitLocker-protected data drives with a smart card, you must make sure that your users have BitLocker-compatible certificates loaded on a smart card. To generate these certificates, you can use a certification authority (CA), create self-signed certificates, or configure an existing EFS certificate for use with BitLocker. When using smart cards, it is also recommended that you have smart card management software in place; for example, you can use the smart card management functionality offered by Microsoft Forefront Identity Manager (FIM). When you consider using smart cards, carefully read through the “Using certificates with BitLocker” and “Using smart cards with BitLocker” articles on Microsoft TechNet.
Create a Solid Recovery Strategy
An encryption tool like BitLocker requires a robust recovery strategy. BitLocker forces you to define a recovery method during setup; this allows you to regain access to the data on an encrypted drive when the drive cannot be unlocked normally, for example if the unlock methods discussed in the previous section fail.
On an OS drive, you will need a recovery method when a user forgets the PIN or loses the USB token that holds the startup key, or if the TPM registers integrity changes to the boot components (a firmware update or a boot configuration change is enough). For data drives, you will need a recovery method when a user forgets the password or loses the smart card. Also, if a protected data drive is configured for automatic unlocking, you will need a recovery method if the auto-unlock key stored on the OS drive is lost, for example after a hard disk failure or reinstallation.
BitLocker supports three recovery methods: a recovery password, a recovery key, and a data recovery agent (DRA).
A recovery password is a 48-digit numerical password that is generated during BitLocker setup. You can save the recovery password to a file, which you then preferably store on a removable drive. You can also print the password, or it can be automatically saved in Active Directory (AD). If you want to automatically store recovery passwords in AD, you must make sure that all computers can connect to your AD when they enable BitLocker. Storage of BitLocker recovery information in AD is based on an AD schema extension that creates extra attributes (msFVE-RecoveryInformation objects) attached to AD computer objects. Server 2008 and later Domain Controllers (DCs) include this extension by default. On Windows Server 2003, you must install the BitLocker-specific schema extension.
To facilitate the viewing and retrieving of the BitLocker recovery passwords from AD, Microsoft provides an AD Users and Computers (ADUC) MMC snap-in extension. It adds a BitLocker Recovery tab to the properties of the AD computer object. The tab shows all BitLocker recovery passwords associated with a particular computer object. For Server 2008 R2, the BitLocker Active Directory Recovery Password Viewer tool is an optional feature included in the Remote Server Administration Toolkit (RSAT). For Server 2008, this extension can be downloaded here.
The second recovery method uses a 256-bit recovery key that you can save to a USB token or another location. Similar to a recovery password, a recovery key enables users to regain access to their protected drive without administrator intervention. When using a recovery key, users must insert a USB token or provide a pointer to another key location during recovery.
The third recovery method, based on a data recovery agent (DRA), always requires intervention of a member of the IT department. This method leverages a special certificate that is issued to a dedicated DRA administrator in your organization. The DRA certificate’s thumbprint is distributed to all BitLocker-protected devices using GPO settings to ensure that only the administrator with a matching DRA certificate and private key can recover the information.
Administrators can use GPO settings to configure what recovery methods are required, disallowed, or made optional. For example, administrators can use GPOs to require that the recovery password for the OS drive is stored in AD. And administrators can also use GPO settings to determine whether a recovery password can be saved to a file on disk, printed, or viewed as text.
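As an added example, not code from the original article or from Microsoft, the following PowerShell script does two things the recovery section asks for: it sets the local-policy equivalents of the “Choose how BitLocker-protected operating system drives can be recovered” GPO (the registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are those the policy template writes), and it then audits every encrypted volume on the machine to confirm that a recovery password protector exists and that its GUID is actually present in AD, re-escrowing it where it is not. It assumes the built-in BitLocker module, the RSAT ActiveDirectory module, a domain-joined host and rights to read the computer object’s msFVE-RecoveryInformation children; the policy values chosen are illustrative.

```powershell
# Added example (not from the original article): enforce the OS-drive recovery
# policy locally, then verify that each recovery password really is in AD.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
Import-Module BitLocker, ActiveDirectory

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-OsRecoveryPolicy {
    # Local equivalent of the GPO: allow a DRA, require the 48-digit recovery
    # password, require AD backup and refuse to enable BitLocker until the backup
    # succeeds. For the tri-state values: 0 = do not allow, 1 = require, 2 = allow.
    if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
    $values = @{
        OSRecovery                     = 1
        OSManageDRA                    = 1
        OSRecoveryPassword             = 1
        OSRecoveryKey                  = 2
        OSHideRecoveryPage             = 1   # users cannot save/print the password from the wizard
        OSActiveDirectoryBackup        = 1
        OSActiveDirectoryInfoToStore   = 1   # 1 = passwords and key packages, 2 = passwords only
        OSRequireActiveDirectoryBackup = 1
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $FvePolicy -Name $name -Value $values[$name] -PropertyType DWord -Force | Out-Null
    }
}

function Get-EscrowedRecoveryGuids {
    # GUIDs of every recovery password AD currently holds for this computer.
    # msFVE-RecoveryGuid is stored as 16 raw bytes in the .NET GUID layout (assumption).
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties 'msFVE-RecoveryGuid' |
        ForEach-Object { ([guid]::new([byte[]]$_.'msFVE-RecoveryGuid')).ToString('B').ToUpperInvariant() }
}

function Test-RecoveryEscrow {
    # For each volume that is not fully decrypted: make sure a RecoveryPassword
    # protector exists and that AD knows about it; repair and report otherwise.
    $escrowed = @(Get-EscrowedRecoveryGuids)
    foreach ($vol in Get-BitLockerVolume | Where-Object VolumeStatus -ne 'FullyDecrypted') {
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        $action = 'present'
        if ($rp.Count -eq 0) {
            $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
            $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
            $action = 'added recovery password'
        }
        foreach ($p in $rp) {
            $id = $p.KeyProtectorId.ToUpperInvariant()
            $wasEscrowed = $escrowed -contains $id
            if (-not $wasEscrowed) {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
                $action += '; escrowed to AD'
            }
            [pscustomobject]@{ MountPoint = $vol.MountPoint; RecoveryId = $id; WasEscrowed = $wasEscrowed; Action = $action }
        }
    }
}

Set-OsRecoveryPolicy
Test-RecoveryEscrow | Format-Table -AutoSize
```

The point of comparing GUIDs rather than trusting the return code of the original backup is that a recovery password can silently stop matching AD after a drive is decrypted and re-encrypted, or after a machine is re-joined to the domain, and the first time most teams discover that is when a user is staring at the recovery screen.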
Select an Easy Deployment Method
In larger IT environments, you can automate BitLocker deployment and configuration using a script that Microsoft provides. The script is named EnableBitLocker.vbs, and it calls on the Windows Management Instrumentation (WMI) providers for BitLocker and TPM administration. You can use the script as is, or you can customize it to better meet your organization’s needs.
To run the script, you can use a startup script applied through GPO settings, or a software distribution tool such as Microsoft Systems Management Server (SMS) or System Center Configuration Manager (SCCM). The EnableBitLocker.vbs sample WMI deployment script can be downloaded from the BitLocker Deployment Sample Resources page on MSDN.
Prior to deploying BitLocker protection for an OS drive, you may need to check the disk partitioning on the target systems. On an OS drive, BitLocker requires a separate and active system partition. This is an unencrypted partition that contains the files needed to start the OS. In Windows 7, a separate active system partition is created automatically as part of the Windows installation process. On systems that were upgraded from a previous Windows version or on systems that come preconfigured with a single partition, the BitLocker setup wizard will automatically reconfigure the target drive for BitLocker by creating the separate and active system partition.
But you don’t want to use the BitLocker setup wizard for preparing hundreds or even thousands of your systems with a single partition configuration for BitLocker. In those cases, you will want to use the Microsoft WMI script to enable BitLocker. Before you get there, you can also use a special tool called the BitLocker Drive Preparation command-line tool (BdeHdCfg), provided by Microsoft, to prepare the systems’ drives for BitLocker. You can find more information on this tool in the BdeHdCfg Parameter Reference.
For smaller BitLocker deployments, I advise you to use the BitLocker command-line tool Manage-bde.exe to configure BitLocker. This tool is designed to enable BitLocker on one computer at a time and to assist with the administration after BitLocker is enabled. Again, before you use Manage-bde.exe to enable BitLocker on an OS drive, you may need to prepare the hard disk for BitLocker by running the BitLocker Drive Preparation command-line tool.
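The three steps above, unlock method, recovery strategy and deployment, fit naturally into a single PowerShell routine, shown here as an added example rather than Microsoft’s EnableBitLocker.vbs or code from the original article. It uses the built-in BitLocker and TrustedPlatformModule modules (Windows 8 / Server 2012 and later, run elevated): it writes the local equivalent of the “Require additional authentication at startup” policy according to whether a usable TPM is present, adds and escrows a recovery password before anything is encrypted, then enables BitLocker with TPM + PIN, or with a startup key on TPM-less hardware. The policy values, the choice of XTS-AES 256 (Windows 10 1511 or later), the USB drive letter and reading the PIN interactively are the author’s assumptions; AD escrow needs a domain-joined host.

```powershell
# Added example (not from the original article or from Microsoft): deploy
# BitLocker on the OS drive following the three steps in the text.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
Import-Module BitLocker, TrustedPlatformModule

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-StartupAuthPolicy {
    # Local equivalent of the GPO "Require additional authentication at startup".
    # Tri-state values: 0 = do not allow, 1 = require, 2 = allow. Without this
    # policy Windows offers only TPM-only unlock, and refuses BitLocker with no TPM.
    param([Parameter(Mandatory)][bool]$HasTpm)
    if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
    $values = @{
        UseAdvancedStartup = 1
        EnableBDEWithNoTPM = [int](-not $HasTpm)   # startup-key-only fallback
        UseTPM             = 0                      # never allow TPM-only unlock
        UseTPMPIN          = [int]$HasTpm           # require TPM + PIN when a TPM exists
        UseTPMKey          = 2
        UseTPMKeyPIN       = 2
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $FvePolicy -Name $name -Value $values[$name] -PropertyType DWord -Force | Out-Null
    }
}

function Get-TpmState {
    # $true only when a TPM is present and provisioned ready for BitLocker.
    try { $tpm = Get-Tpm; return [bool]($tpm.TpmPresent -and $tpm.TpmReady) }
    catch { return $false }
}

function Enable-OsDriveBitLocker {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [SecureString]$Pin,                  # needed on TPM machines
        [string]$StartupKeyPath = 'E:\'      # assumed drive letter of the USB token on TPM-less machines
    )
    $hasTpm = Get-TpmState
    Set-StartupAuthPolicy -HasTpm $hasTpm

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        return "BitLocker already reports '$($vol.VolumeStatus)' on $MountPoint; nothing to do"
    }

    # Step 2 before step 1: create and escrow the recovery password first, so a
    # PIN mistyped or forgotten on the very first boot is still recoverable.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null

    # Step 1: the unlock method the hardware supports. -SkipHardwareTest avoids the
    # extra reboot; leave it out if you want Windows to prove the PIN/USB path first.
    if ($hasTpm) {
        if (-not $Pin) { throw 'A startup PIN is required on TPM machines' }
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $Pin -SkipHardwareTest | Out-Null
    } else {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -StartupKeyProtector -StartupKeyPath $StartupKeyPath -SkipHardwareTest | Out-Null
    }

    # Step 3: report; encryption itself continues in the background.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint = $MountPoint
        Status     = $vol.VolumeStatus
        Protectors = ($vol.KeyProtector.KeyProtectorType -join ', ')
        RecoveryId = $rp.KeyProtectorId
    }
}

# Example run: the PIN is read interactively so it never lands in a script or log.
Enable-OsDriveBitLocker -Pin (Read-Host -AsSecureString 'Startup PIN')
```

Ordering matters here: if the recovery password is added after Enable-BitLocker and the AD backup then fails (no domain connectivity, missing schema, missing OU permissions), you have an encrypted machine whose only recovery path lives in a file on that same machine. Adding and backing up the protector first, and letting the policy refuse to proceed without a successful backup, turns that into a loud failure at deployment time instead of a quiet one at recovery time.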
Get It Done the Right Way
BitLocker is a very powerful security technology that has reached a good level of maturity. It requires careful planning and a design that pays special attention to selecting the right unlock method, defining a solid recovery strategy, and choosing an easy deployment method. With these three steps in mind, you’re well on your way to BitLocker confidence.
IT security is critical, regardless of the size of the organisation. It’s estimated that only a quarter of businesses will be ready for GDPR; get one step ahead with our easy-to-use, quick run-down of actions you can take.
With the GDPR (General Data Protection Regulation) now less than three months away, it is more vital than ever to put in place a strong, comprehensive IT security policy for your organisation.
Many companies simply do not know where to start. To help with this, we have put together six checks you can perform across your environment to help you plan and implement better IT security as part of your ongoing GDPR compliance efforts.
We break it down into bite-sized chunks in the following list of six checks:
Implement a strict password policy Whilst an obvious step, many organisations are still using basic, insecure passwords such as “123456” or “password1”. If you haven’t already, put in place a robust policy to govern the creation and maintenance of passwords, especially for management! Ensure passwords are not kept in silly places, such as Post-it notes on screens or in a .txt file on a desktop. Use a good password management tool such as KeePass. Passwords should be hard to guess rather than merely hard to remember: treat eight characters as the floor, and prefer longer passphrases mixing upper and lower case, digits and special characters. Finally, for all you SysAdmins out there, enforce the password policy through your server using GPO (the Default Domain Policy password and lockout settings), or ask your provider to do so.
Payment and transfer of funds procedure Implement a standardised procedure to handle all financial transactions, including payments and procurement. Include an authorisation policy to confirm all irregular or unusual payment and transfer requests in person or by phone, using a number you already hold rather than one supplied in the request. Whilst most larger companies will have something in place, organisations with fewer than 50 employees tend to lack strict operational procedures, and this is, surprisingly, a common step that is missed out! Do not rely on details provided in emails either, even if they appear to come from someone in your company; if in doubt, arrange some phishing training for your staff to help mitigate user error.
Evaluate emails and check who they appear to be from Were you expecting an invoice from that supplier? Does the format look slightly different? Be mindful of the tone, language, structure and writing style of all emails containing links or attachments. It’s good practice to hover over links in an email to see which domain the link actually points to; the visible text and the real destination are often different. If it doesn’t look absolutely perfect and as expected, do not click it. Double-check the email signature and images used. Look at the sender’s email address: does it look odd, or is it a lookalike domain? This is something that can easily be resolved with a quick phone call or verbal confirmation from the sender, as well as by stopping to evaluate the situation. Losing a couple of minutes to triple-check is far better than risking a security breach. Education and training for all staff is especially important, with mandatory training for new employees.
Use Business-Grade Anti-Virus, Spam and Web Filtering Solutions Kill threats in their tracks by stopping them before they can do any damage with enterprise Anti-Virus, Spam and Content Filtering. Create layers of overlapping security especially when it comes to incoming data like emails, web browsing and downloading. Prevent phishing attempts and intrusions by implementing solutions that will aggressively filter out viruses, spam and threats from unusual or untrustworthy domains and addresses. It’s also highly recommended to ensure you have a physical firewall device, we tend to prefer SonicWall Firewalls in place for your network and internet access as this will help protect you from external threats and attacks.
Manage your patches! Keep up to date, and don’t ignore those regular updates for your operating system and software tools. Your provider should be ensuring your software is updated on a regular schedule, ideally at least once a week. If you are running old software such as Windows XP or Server 2003, consider an upgrade: they are unsupported by Microsoft, so they no longer receive security patches and act as one large liability within your IT environment. Updates include operating system patches (especially security updates), third-party application updates and anti-virus definitions. Around 310,000 new malware samples appear every day, so you can see why it’s important to keep ahead of the curve!
Have a backup solution & continuity plan in place Do you know how long it will take you to recover if a critical server fails? What happens if a large ransomware outbreak is detected on your network? Planning is key to keeping your organisation operational in a crisis. Not all backup solutions are suitable for fast-paced companies, and it pays dividends to check that your solution truly is fit for purpose, including that backups are kept offline or otherwise out of reach of ransomware and that a restore has actually been tested. A bad backup procedure or a slow restore can set a business back by days and in some cases weeks, so if you haven’t reviewed your plan, with GDPR on the horizon, it’s definitely the time to do so. Ensure that you already have disaster recovery redundancies in place so that you can recover, at a very minimum, 24 hours’ worth of data and system states. Ideally, implementing high availability will also speed up your restoration and recovery process.
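As an added example, not part of the original article, the following PowerShell audit turns checks 1, 3, 4 and 5 above into functions that return findings rather than just printing them, so they can be run on a schedule and fed into a report. The baseline values, the 14-day patch window and the sample email fragment are the author’s assumptions; Test-PasswordPolicy needs the RSAT ActiveDirectory module on a domain-joined host, while the other checks run on any Windows 8 / Server 2012 or later machine.

```powershell
# Added example (not from the original article): a small GDPR-prep audit
# covering the password policy, phishing link, firewall and patching checks.
Set-StrictMode -Version Latest

function Test-PasswordPolicy {
    # Check 1: compare the domain default password policy (the GPO the article
    # tells SysAdmins to enforce) against a baseline; returns one line per gap.
    param([int]$MinLength = 12, [int]$LockoutThreshold = 10, [int]$HistoryCount = 12)
    Import-Module ActiveDirectory -ErrorAction Stop
    $p = Get-ADDefaultDomainPasswordPolicy
    if ($p.MinPasswordLength -lt $MinLength)       { "MinPasswordLength is $($p.MinPasswordLength); baseline is $MinLength" }
    if (-not $p.ComplexityEnabled)                 { "Password complexity is disabled" }
    if ($p.PasswordHistoryCount -lt $HistoryCount) { "PasswordHistoryCount is $($p.PasswordHistoryCount); baseline is $HistoryCount" }
    if ($p.LockoutThreshold -eq 0 -or $p.LockoutThreshold -gt $LockoutThreshold) {
        "LockoutThreshold is $($p.LockoutThreshold); baseline is 1-$LockoutThreshold (0 means accounts never lock out)"
    }
}

function Get-MismatchedLinks {
    # Check 3: the "hover over the link" test in code. Returns anchors whose
    # visible text names one host but whose href really points somewhere else.
    param([Parameter(Mandatory)][string]$Html)
    $anchor = '<a\s+[^>]*href="(?<href>[^"]+)"[^>]*>(?<text>.*?)</a>'
    foreach ($m in [regex]::Matches($Html, $anchor, 'IgnoreCase, Singleline')) {
        $href = $m.Groups['href'].Value
        $text = ($m.Groups['text'].Value -replace '<[^>]+>', '').Trim()
        $uri  = $null
        if (-not [uri]::TryCreate($href, [UriKind]::Absolute, [ref]$uri)) { continue }
        # Only compare when the link text itself looks like a URL or hostname.
        if ($text -match '^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})') {
            $textHost = $Matches[1].ToLowerInvariant()
            if ($textHost -ne $uri.Host.ToLowerInvariant()) {
                [pscustomobject]@{ Text = $text; TextHost = $textHost; RealHost = $uri.Host; Href = $href }
            }
        }
    }
}

function Test-PatchAge {
    # Check 5: flag a host whose newest installed update is older than the window.
    param([int]$MaxDays = 14)
    $newest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $newest) { return "No update install dates available; check Windows Update history manually" }
    $days = [int]((Get-Date) - $newest.InstalledOn).TotalDays
    if ($days -gt $MaxDays) { "Newest update $($newest.HotFixID) was installed $days days ago (window is $MaxDays days)" }
}

function Test-LegacyOs {
    # Check 5: Windows XP and Server 2003 are NT 5.x and no longer receive patches.
    $os = Get-CimInstance Win32_OperatingSystem
    if ([version]$os.Version -lt [version]'6.0') { "$($os.Caption) ($($os.Version)) is out of support" }
}

function Test-FirewallProfiles {
    # Check 4: the host firewall should stay on even behind a perimeter appliance.
    Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
        ForEach-Object { "Windows Firewall profile '$($_.Name)' is disabled" }
}

# Constructed sample email fragment: the visible text names the real supplier
# portal, the href does not. Get-MismatchedLinks reports the pair.
$sampleHtml = '<p>Your invoice is ready: <a href="https://portal.example-pay.net/login">https://portal.example.com/invoices</a></p>'
Get-MismatchedLinks -Html $sampleHtml | Format-Table -AutoSize

# Host-level checks; run Test-PasswordPolicy separately from a domain-joined admin host.
Test-LegacyOs; Test-PatchAge; Test-FirewallProfiles
```

Each function emits nothing when the check passes, so an empty result is a pass and anything returned is a finding; that makes the script easy to wire into whatever ticketing or reporting your provider already uses.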
You may have heard the Data Protection term GDPR in recent months, but what exactly is the GDPR (General Data Protection Regulation) and why does your business need to know about it? 2018 will see the GDPR come into effect in the UK. Time is running out for business owners to assess their current Data Protection compliance and to implement necessary preparation for the GDPR.
The full GDPR regulations as published on the European Commission website is 88 pages long and contains 99 articles.
Our guide acts as a summary covering the main points of the document that business owners need to be aware of, and aims to help owners understand what exactly the GDPR is, how it is going to affect their business and how to avoid non-compliance with the GDPR.
The GDPR in summary, is Europe’s new framework of data protection laws that will replace the previous 1995 protection directive, which is what the current UK law is based upon. On the 25th May 2018 the UK’s Information Commissioner’s Office (ICO) will enforce the law.
After four years of discussion and negotiation, the GDPR was adopted by both the European Parliament and the European Council in April 2016. After its publication in the EU Official Journal in May 2016, a two-year preparation period began, giving businesses until May 2018 to prepare for the changes.
All businesses that ‘process’ personal data (any information relating to an identified or identifiable natural person) in the UK will have to comply. And yes, even after Brexit, the GDPR will still apply to UK companies.
Don’t we already have Data Protection?
Currently each EU member state has its own law implementing the 1995 Data Protection Directive. In the UK that is the Data Protection Act 1998, which sets out how your personal information can be used by companies and the government.
The GDPR changes how personal data can be used, and these changes are carried into the new Data Protection Bill published by the UK government.
The UK government says the Bill sets out a number of exemptions from the GDPR, which include added protections for journalists, scientific and historical researchers and anti-doping agencies who handle people’s information.
Although the UK’s Bill may be slightly different to the GDPR, it’s important to note that almost everything the GDPR sets out will be covered in the UK’s Bill, so all UK companies must still work towards full compliance to the GDPR.
Elizabeth Denham, the UK’s Information Commissioner, further explained how the GDPR will affect the UK: “the GDPR is a strong law, and once we are out of Europe we will still need to be deemed adequate or essentially equivalent. For those of you who are not lawyers out there, this means there would be a legal basis for data to flow between Europe and the UK”.
Denham also goes on to explain the potential benefit of the GDPR as it provides “the opportunity to strengthen our data protection law with the express aim of inspiring public trust and confidence.”
What are GDPR Guidelines?
The new GDPR framework aims to ‘harmonise’ data privacy laws across Europe as well as give greater protection and rights to individuals. At it’s core, it is designed to give citizens more rights and control over their information and personal data.
It also aims to simplify the regulatory environment for businesses, so both citizens and businesses can fully benefit from the digital economy. Almost every aspect of the modern day revolves around data, from social media companies to banks and retailers, your name, address and other information is constantly being stored by organisations.
Business owners are therefore expected to be compliant to the changes that are in place to protect individual’s rights. Under the terms of GDPR, not only will organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it will be obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners – or face penalties for not doing so.
Holding Information. The GDPR will require you to maintain records of your processing activities (Article 30). Where you have shared personal data with other recipients, you must tell them about any rectification, erasure or restriction you carry out, so that their copies are updated too (Article 19).
Increase of Rights for Individuals. The GDPR includes the following rights for individuals: the right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and the right not to be subject to automated decision-making including profiling. Simply put, there’s little that a subject can’t demand to know about their data and what you’re doing with it.
Consent. The GDPR contains firmer rules over what counts as consent to holding an individual’s data. Consent must be freely given, specific, informed and unambiguous. There must be a procedure in place for the withdrawal of consent or of any amendment requests.
Children. For the first time, the GDPR brings in special protection for children’s data. The GDPR sets the age at which a child can give their own consent to online services at 16, although member states may lower this to a minimum of 13, and the UK’s Data Protection Bill does so. If a child is younger, you will need to get consent from a person holding ‘parental responsibility’.
Data Breaches. The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals. Organisations are expected to have this procedure in place in the event of a data breach.
Design & Data Protection Impact Assessments. It has always been good practice to adopt a privacy by design approach and to carry out a Privacy Impact Assessment (PIA) as part of this. However, the GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’.
Access to your data. As well as placing new obligations on collecting data, the GDPR is focused on giving the individuals whose data you hold more power. When someone asks a business for their data (a subject access request), the business must provide the information within one month, and in most cases can no longer charge a fee for doing so.
Key Articles (numbering follows the adopted text of Regulation (EU) 2016/679; some older guides still quote the numbering of the 2012 draft) –
Articles 17 & 18 – the right to erasure (the ‘right to be forgotten’) and the right to restrict processing. The right to data portability (Article 20) and the right not to be subject to purely automated decisions, including profiling (Article 22), sit alongside them.
Articles 25, 30 & 32 – data protection by design and by default, records of processing activities, and ‘appropriate technical and organisational measures’ to secure personal data against loss or exposure; Article 32 names pseudonymisation and encryption explicitly as examples of such measures.
Articles 33 & 34 – notification of a personal data breach to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it where feasible, and to the affected individuals without undue delay when the breach is likely to result in a high risk to them.
Articles 35 & 36 – Data Protection Impact Assessments for processing likely to result in a high risk to individuals, and prior consultation with the supervisory authority where an assessment shows that the risk cannot be sufficiently mitigated.
Articles 37 to 39 – when a Data Protection Officer must be appointed (public authorities, and organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories such as genetic, biometric or health data, racial or ethnic origin, or religious beliefs), the DPO’s position and their tasks, including cooperation with the supervisory authority.
Article 3 – territorial scope: the Regulation also applies to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour, with the same obligations and penalties as EU-based organisations.
Article 83 – administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements, with a lower tier of €10 million or 2% for others.
Will My Business Be Affected?
It is extremely rare for a charity, business or other organisation not to need to comply with the GDPR. Almost every sector is covered, because the GDPR applies to both personal data and the special categories of (sensitive) personal data. Personal data means any information that can be used to identify a living person, directly or indirectly.
This can be a name, an address, an IP address, an online identifier, you name it. Special category data covers genetic and biometric data, health data, racial or ethnic origin, religious or political views, trade union membership, sexual orientation and sex life.
These definitions are largely the same as those in current data protection law and include information collected through automated processes. The GDPR does, however, make clear that pseudonymised personal data (data where the identifying fields have been replaced by a token or reference) is still personal data if the individual can be re-identified by combining it with other information; only genuinely anonymised data falls outside the law.
Overview of Effects on Businesses
The European Commission claims that a single set of rules across the EU, with one lead supervisory authority for organisations operating in several member states (the ‘one-stop shop’), will make it simpler and cheaper for businesses to operate within the region. Indeed, the Commission claims the GDPR will save €2.3 billion per year across Europe.
It also says the regulation will guarantee that data protection safeguards are built into products and services from the earliest stage of development, providing ‘data protection by design’ in new products and technologies.
An important addition to the GDPR that business owners also need to be aware of is that it gives every data subject (the citizen whose data you hold) the right to lodge a complaint against the data controller.
This means that anybody whose data you hold has the right to complain to the ICO about your processing if they believe your company is infringing the GDPR. They also have the right to compensation for any material or non-material damage they suffer as a result of an infringement by your company.
Effects for Citizens & Their Rights
The number of data breaches and hacks in recent years has greatly increased, and the unfortunate reality for many citizens is that their private data has been compromised. Arguably the biggest and most important change the GDPR brings for citizens is that organisations must inform the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it (where feasible), and must inform the individuals affected where the breach is likely to result in a high risk to them. A GDPR-compliant breach notification must describe the nature of the breach, the categories and approximate number of people and records affected, the likely consequences, and the measures taken or proposed to address it.
Consumers are also promised easier access to their own data in terms of how it is processed, with organisations told that they need to detail how they use customer information in a clear and understandable way. GDPR also introduces a stricter ‘right to be forgotten’ process, which allows people who no longer want their data processed to have it deleted.
We love this video from itpro, which debates the GDPR and explores further what it brings for businesses and citizens.
The IT Pro debate: GDPR - YouTube
How can I prepare for GDPR?
Preparing for the GDPR doesn’t have to be complicated. The GDPR may seem complex, but when it’s stripped down, a large number of the principles already exist in the UK’s Data Protection Act, so if you are following this fully at the moment, you shouldn’t have a huge amount of work to do to comply with the GDPR. There are steps you can take now to get your business complying.
The ICO explained: “You are expected to put into place comprehensive but proportionate governance measures. Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.”
Storing Information. You should document what personal data you hold, where it came from and who you share it with. This needs to be organised and clear.
Education. Anybody processing data in your company needs to be educated about the GDPR and its implications.
Individuals’ Rights. You should check your procedures to ensure they cover all the rights that individuals have. This includes how you would delete data and how you would provide data, online and electronically.
Children. Start thinking now about whether you need to put systems in place that verify individuals’ ages, and assess whether obtaining parental or guardian consent for any data your business holds is necessary.
Consent. It’s important to review how you seek, record and manage consent and whether you need to make any changes.
Data Breaches. Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Data Protection Officer. Designate someone in the company to take responsibility for data protection compliance. Assess how this role will sit within your organisation’s structure and consider formal designation.
International. If you operate in more than one EU member state (i.e. you carry out cross-border processing), you need to determine your lead data protection supervisory authority.
Lawful Basis. You should identify your lawful basis for the processing you do. This is vital, as under the GDPR individuals’ rights will be modified depending on your claimed lawful basis for holding their information.
Design & Data Protection Impact Assessments. You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
What If I Don’t Comply with GDPR?
It’s important to make the most of the next 5 months and get your company compliant with GDPR standards. Osterman Research outlined the most common data technologies that organisations will spend more on specifically to address the GDPR. The sooner you address them, the less money you will spend, before technology companies raise their prices in preparation for the GDPR panic.
The time and money it may take to assess your company and implement suitable measures will be more than worth it when set against the cost of risking a compliance breach and facing a devastating penalty.
If your organisation doesn’t comply, i.e. if it is not processing data correctly, it will be fined, and this cost will be dramatically bigger than the cost of a fine for non-compliance with the Data Protection Act of 2017.
From a theoretical maximum of £500,000 that the ICO could levy (in practice, the ICO has never issued a penalty higher than £400,000), penalties will reach an upper limit of €20 million or 4% of annual global turnover – whichever is higher.
Fortunately, not all infringements of the GDPR will lead to those serious fines. Besides the power to impose administrative fines as described above, a supervisory authority also has the (corrective) power to, amongst other things, issue warnings, reprimands and orders before payment is expected.
Under the GDPR, an undertaking can also be enforced on a company, committing it to a course of action that will improve its compliance and avoid further action. It should be noted, however, that these measures and all monetary fines will be decided upon depending on the breach committed and which company committed it.
Monetary penalties are not the only concern business owners need to be aware of. Prosecutions, including prison sentences, could also take place for deliberate breach of and non-compliance with the GDPR standards.
Steve Sullivan’s report on the proportions of different ICO actions shows, however, that monetary penalties are still the most popular choice of sanction.
From fines worth only £160,000 in 2010 to over £3 million in 2017, it goes without saying that the ICO is becoming more vigilant and proactive at investigating and sanctioning non-compliant firms.
As we are focusing on Cyber Security this month, and next month will see us go through the run up to Christmas, it’s the ideal time to be talking about Christmas Cyber Security scams. Unfortunately, the Christmas period brings about fresh opportunities for Cyber Criminals, meaning everybody needs to be more vigilant in the run up to the big day.
Criminals know that everybody is likely to be a little frantic, rushed and perhaps not as switched on as normal during December as they try to sort out gifts for the big day. With people less likely to spot potential threats, criminals have more opportunity to take advantage of users online.
Fake Gifts. When it comes to trying to source a loved one their dream gift, many of us will go out of our way to search online for the cheapest version of the product we’re after. This doesn’t only mean you’re potentially buying fake products; you could also be giving your money away and not receiving anything in return. Make sure that websites are legitimate to order from by checking they are secure (https, not http).
If they don’t have any contact details visible and ask for money over the phone, these are other red flags that the company isn’t planning on giving you anything for your spend. It’s always a safer bet to pay a more common and expected price for a gift, as if a product’s price seems too good to be true, it probably is.
Malware-ridden E-Cards. It’s a horrible thought that anybody has the heart to do this, but unfortunately 2016 saw an unprecedented rise in this scam, and 2017 is expected to be worse. During the Christmas period you may receive emails and e-mail Christmas cards from unknown sources. Make sure you don’t open an email or link from any sender that you don’t recognise. These ‘Christmas’ cards could potentially contain all that’s needed to infect your computer with a virus or steal your information and data.
Fake Charities. Many of us take the time to give to charities during the Christmas period, and with a lot of us spending more time online, charities are now taking to social media and email marketing to spread their cause and ask for money. This can cause problems when criminals set up seemingly legitimate-looking accounts or websites and ask for money in the name of a well-known charity. The best way to avoid this scam is simply to make sure that you’re on the legitimate official website, social media account or email address for that charity. If anything looks out of the ordinary, it probably is.
Desktop Backgrounds. It seems far-fetched, but last year saw an increase in malware contained in desktop bundles that offer a series of cheery, rotating Christmas images for a user’s desktop background. Never download zip files from an unknown source, and if you’re keen to have something festive as your background, use a trusted free image source such as unsplash.com to find your images. Websites asking for money for images, or offering bundles of downloads, are likely to be fraudulent.
Gift Card E-mails. Gift cards are a popular choice of gift for many of us, as they’re easy and can be cheaper than forking out for a specific product as a gift. Criminals know this too, and have devised scams that send a user a receipt for a gift card they don’t remember purchasing. When the user decides to cancel this gift card purchase, they will be asked to hand over personal details such as credit card information. Look out for email receipts that don’t come from an official, recognised source and don’t trust anything that doesn’t look 100% real.
Social Media Messages. Similarly to email circulation, many of us send animations and attachments to our friends on social media during Christmas time to wish them well. Unfortunately, your friends may be accidentally sending you malware. Be careful not to open any attachments or links that don’t look familiar, even if they are coming from trusted friends and family. It’s possible that they could have clicked on something malicious themselves that is sending an automated bot out to reply to all friends and messages with malware.
Fake Holidays. Many people book their dream summer getaway during the Christmas period, or perhaps as a gift for a loved one. Criminals know this all too well, and will be creating fake websites, advertisements and packages online that appear to be selling you your dream holiday at a dream cost. Be it a pop-up or social media advert that leads to infection or a full-on booking scam, there are many possibilities for attacks. Only book or click on holiday deals that are from a reputable company, website URL and source. If a holiday deal seems way too cheap to be real, it likely isn’t!
Fraudulent Surveys. Fake surveys that promise a cash reward or gift once the user fills them out are circulated all year round. Knowing that most people are keen for some extra cash around Christmas, fraudulent surveys are on the rise at Christmas time. If a survey asks for bank and credit card details, it’s highly likely it’s fake. It’s also very rare to find a legitimate website that offers cash rewards for survey completions. Close pop-ups to surveys and don’t fill in anything that requires your personal information.
Shipping Status Emails. Another popular email scam in the Christmas run-up is to send users shipping updates for products that they don’t remember ordering. Many of us will be expecting legitimate shipping updates as we order online over the Christmas period, so there’s a higher chance of these updates being opened and the links being clicked through. Once opened, these links could infect your machine or, similarly to the gift card scam, demand personal details from the user such as bank account details.
Wi-Fi. We’ve mentioned the dangers of Wi-Fi hotspots previously, but with a lot of people shopping from their phones and entering personal details on their mobiles during the Christmas period, it’s especially important. Never connect to an unknown source and, generally, avoid online shopping over public Wi-Fi, even on networks that are normally secure.
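As an added example (not part of the original article and not Edge IT’s own material), the Python script below applies the checks described in the Fake Gifts, Gift Card and Shipping Status passages above to a constructed HTML e-mail body: it flags links that are not https, links whose target is a raw IP address, links whose visible text shows one web address while the link actually goes to another, and hosts that bury a trusted company’s domain name inside a different registered domain. The sample e-mail, the trusted-domain list and the simple “last two labels” domain rule are assumptions made for illustration.

```python
"""Inspect links in an e-mail body for the scam red flags the article describes.

Added illustration: the sample e-mail, the trusted-domain list and the
two-label "registrable domain" rule are constructed assumptions, not data
from the original article.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "shipping update" e-mail body, not a real message.
SAMPLE_EMAIL_HTML = """
<p>Your parcel is on its way. Track it here:
<a href="http://198.51.100.23/track?id=4417">https://www.example-courier.com/track</a></p>
<p>Questions? Visit <a href="https://www.example-courier.com/help">our help page</a>.</p>
<p>Or <a href="http://example-courier.com.verify-login.example/update">confirm your details</a>.</p>
"""

# Assumed list of domains the reader actually does business with.
TRUSTED_DOMAINS = {"example-courier.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Last two labels of the host name. A crude stand-in for the Public
    Suffix List, good enough to illustrate the comparison."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the list of red flags raised by one link (empty if none)."""
    flags = []
    target = urlparse(href)
    host = target.hostname or ""

    # 1. The article's "https not http" check.
    if target.scheme != "https":
        flags.append("not https")

    # 2. Legitimate retailers and couriers link to names, not bare addresses.
    if _is_ip_literal(host):
        flags.append("raw IP address host")

    # 3. Visible text that looks like a URL but points somewhere else.
    if re.match(r"^https?://", text):
        shown = urlparse(text).hostname or ""
        if registrable_domain(shown) != registrable_domain(host):
            flags.append(f"text shows {shown} but link goes to {host}")

    # 4. A trusted name buried inside a different registered domain.
    for name in trusted:
        if name in host and registrable_domain(host) != name:
            flags.append(f"lookalike: contains {name} but is registered as {registrable_domain(host)}")
    return flags


def suspicious_links(html):
    """Map each flagged href in the e-mail body to its list of red flags."""
    report = {}
    for href, text in extract_links(html):
        flags = check_link(href, text)
        if flags:
            report[href] = flags
    return report


if __name__ == "__main__":
    for href, flags in suspicious_links(SAMPLE_EMAIL_HTML).items():
        print(href, "->", "; ".join(flags))
```

Run against the constructed message, the tracking link and the “confirm your details” link are reported while the genuine help-page link passes clean. The same four checks are what a reader does by hand when hovering over a link before clicking it; the script simply makes them mechanical.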
Most importantly, if you have any concerns about potentially having your identity, information or banking details compromised, contact your banking provider or the police immediately. Share this article with your friends and family to make everybody aware of the online Christmas scams predicted for 2017. Edge IT are here to help with any Cyber Security concerns or queries, and don’t hesitate to get hold of us this Christmas.
There’s no better time to be talking about malware. With the NHS attack earlier this year and the recent rise of the Bad Rabbit virus, malware, however big or small, is plaguing many parts of the world.
Spreading faster than ever, with more sophisticated variations than ever, the problem is only getting worse. Viruses and malware are a daily occurrence worldwide: an estimated 4,000 attacks took place every day in 2016 alone, and that number is expected to double in 2017.
According to Kaspersky, a leader in antivirus software, not only are malware attacks exceptionally higher than they were a few years ago (and much higher than most people think), but the quality of the malware has also increased dramatically. They are less obvious, and more aggressive, meaning that even those of us who like to think of ourselves as tech savvy could fall for a malware scam.
What’s further frightening is that virus infections are no longer simply a practical joke from a lone hacker; they are complex and manufactured crimes, belonging to whole methodical organisations. With suspected political and financial motivations, companies are now more than ever prime targets for this sort of crime. A potential attack can be devastating for a company, not only wrecking its brand image and customer support, but potentially costing the company a lot of money, alongside the worrying chance of losing sensitive and secure data.
Barkly’s survey on Security Confidence Headed into 2017 showed that 38% of respondents who suffered attacks expect their security budget to increase in 2017, but 52% expect their budget to decrease or stay the same. This alarmingly shows how many businesses are unprepared for, and oblivious to, just how large the risk from viruses actually is.
For SMEs, Edge IT recommend that all companies take the advice of a professional IT company, and look into trusted software and processes that can protect the company in the event of an attack. However, there are simple steps anybody can take to help prevent attacks, and we’ve summarised them into key points.
Firstly, to fully understand how to protect your company, you need to understand what malware actually is, and what forms it can come in.
Viruses: A virus is a small piece of software that piggybacks on real programs. For example, a virus might attach itself to a program such as a spreadsheet program. Each time the spreadsheet program runs, the virus runs, too, and it has the chance to reproduce (by attaching to other programs) or wreak havoc.
Worms: A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there, as well.
E-mail viruses: An e-mail virus travels as an attachment to e-mail messages, and usually replicates itself by automatically mailing itself to dozens of people in the victim’s e-mail address book. Some e-mail viruses don’t even require a double-click — they launch when you view the infected message in the preview pane of your e-mail software [source: Johnson]. A fascinating study from FAU also backed up the fact that many of us are still clicking on threatening links. Worryingly, their study found that two in every three users admitted to clicking on a virus link, and alarmingly there were a lot more actual clicks than there were people who owned up to doing so.
Trojan horses: A Trojan horse is simply a computer program that claims to do one thing (it may claim to be a game) but instead does damage when you run it (it may erase your hard disk). Trojan horses have no way to replicate automatically.
So, now we understand more about the dangers, what can be done to prevent them?
Patching is the most common way of describing the process of making sure a machine is properly secured with the latest operating system, browser and anti-virus versions. A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, which often also improves the performance of the computer.
Without up-to-date and secure versions of these items, the computer is more at risk from viruses. Operating systems such as Windows, and applications such as Adobe Reader or Java, are used by tens of millions of computers and devices around the world, making them particular targets for criminals. Criminals and security researchers are constantly analysing and testing the code, looking for flaws that can allow a “computer hacker” to take control of a computer or steal valuable data.
It’s therefore vital that when a new and improved version of a piece of software or a system is available, you take the chance to upgrade. The upgrade could be fixing and preventing flaws that hackers may be trying to take advantage of right now. As a business owner, patching can seem overwhelming and time-consuming, especially if you have a large number of machines. Because of this, we offer our own patch management service for businesses, so you don’t have to worry about systems or software that need upgrading.
You may be sick of hearing about the importance of anti-virus, but the fact is that it is so widely spoken about because it is very important for all machines. Whether you have a small or large company, every machine needs reliable anti-virus software. Anti-virus acts as the doorman to the computer, checking and approving what comes through onto the system. Its aim is to seek out, warn of and destroy all potential threats. Installed properly, it can be the barrier that stops a computer becoming infected.
A problem that many companies face is remembering to update their anti-virus. It’s pretty simple to have it downloaded onto all machines, but when you’re busy focusing on the business, it’s easy to let anti-virus expire and miss upgrades. It’s a common misconception that once it is on the machine, it’s safe for life. Employees need to be aware that they should look out for notifications from your anti-virus that may be pre-warning of expiring software. Alongside anti-virus, it’s important to keep your operating systems, firewalls and firmware up to date. Are your servers and workstations running operating systems that are still being supported? Is your firewall current? Is everything being automatically updated and patched on a consistent basis? What about your firmware? It is important that these elements stay current to protect against ever-evolving threats.
Browsing and Download Policies
Malware isn’t just found within software and systems. It’s now becoming more common than ever for malware to be detected on the internet. We may associate viruses on the internet with the dark web or inappropriate websites, but they are now appearing on seemingly legitimate websites that we frequently visit. Viruses are particularly powerful on the internet because they are attached to data, not code, making them harder to avoid.
There are ‘safe browsing’ options on most browsers, and it may be worth looking into these for your staff. Anti-virus can also ensure that certain pop-ups and adverts are blocked, which may contain further links to download harmful files. Downloading unknown files is where a lot of problems start. One way a company can combat this issue is by setting up administrator permissions on machines, so that users have to request permission to download unknown files that are deemed suspicious. Although perhaps time-consuming for the administrator, it will still be a lot quicker than trying to solve a virus problem should one arise.
Many businesses are still yet to fully understand the implications mobiles can have for their security infrastructure. More than any other device, phones and tablets straddle the line between purely business and personal. Even if your company has company phones and devices, many individuals are still bringing in and using personal devices alongside them. Many employers are happy to combine the two, providing business devices that employees can also use outside of work for personal use.
Mobile phones, however, are increasingly becoming a target for malware and hacking, thought to be due to criminals’ awareness that many people’s personal phones also act as their business phones and therefore can contain desirable information and data. The issue of mobile phones being brought into the workplace should be on any employer’s radar. We love this little visual which captures all of the different areas of threat mobile phones can face.
You can’t control what people do on their personal devices outside of work, but it may be worth having a general security chat with your company about how they currently protect themselves and their devices online. We’ve also previously outlined how using free public Wi-Fi can pose risks to devices, so it goes without saying that your company needs a secure Wi-Fi infrastructure and system in place. Edge have helped many companies set up their infrastructure to ensure it’s a secure and safe online environment, protected against malware. Lastly, we can’t express enough how important it is to make sure every member of your company understands malware and its dangers, and the actions of theirs that may encourage its presence. Although encouraged to, many employees still don’t choose secure passwords, for example, which can be another easy route for criminal organisations to access certain files and areas of a machine to infect.
Edge IT are on hand for any virus concerns, and protecting small businesses against malware dangers is a large area of our expertise. Get in touch today for free advice on protecting your company against viruses.
Yesterday it was reported that a new strain of malware named ‘Bad Rabbit’ had been sweeping Russia and Ukraine. Several reports say it is too early to tell how far this malware may reach, but all European-based locations should be particularly vigilant.
Russian cybersecurity firm Group-IB explained how three media companies in Russia had been attacked, alongside the Ministry of Infrastructure of Ukraine. Russian news agency Interfax even announced on social media that they were ‘working to restore its systems’ after admitting that hackers had intervened.
Once infected, the user is taken to Tor-hidden websites where a ransom in Bitcoin is demanded, estimated to be £210. Loss of data is threatened if the victim does not pay within forty hours of infection. The red font and methods alarmingly appear similar to the NotPetya attacks noticed in June. According to the Moscow-based Kaspersky Lab, Bad Rabbit infections have been detected in Turkey and Germany as well: “Based on our investigation, this is a targeted attack against corporate networks.”
With Bad Rabbit now detected in the United States by Avast, the expectation is that there will be a growing number of detections to come. Although a ‘vaccination’ has been found, which involves users creating certain files, the risk of infection remains.
Cyber hacking is always a risk for any business, which is why reliable IT security measures are the first step to gaining protection. However small or extreme the risk, any company holding data needs to take measures to protect its information. For any concerns about IT security risks, get in touch with us today for an assessment.