BEC Scams On The Increase

Tony Mason | Microsoft 365 Security, Security Awareness & Phishing

BEC Scams & CEO Fraud

During the Gartner Security & Risk Management Summit this week it was reported that 2019 projects should include Incident Response, BEC Scams and Container Security.

This was swiftly followed by the news that a European subsidiary of Toyota lost more than £30 million following a business email compromise (BEC) scam.

BEC or CEO Fraud is a scam in which cyber criminals spoof company email accounts and impersonate executives. They try to fool an employee in accounting or HR into sending money or giving out confidential tax information. With Toyota, it’s almost inconceivable that so much money could have been involved from one company. Sadly, BEC fraud is worth billions and has now overtaken ransomware and data breaches in EMEA cyber insurance claims.

The size of the Toyota scam is alarming in itself. However, the consequences will be huge. Others will see how lucrative this type of scam can be. Cyber criminals will be increasing their BEC campaigns and new actors will be attracted into this lucrative field.

Staff Training & Processes

As a result, it’s becoming ever more important that organisations apply security measures to their business practices. They must train staff to ensure they get third party approval for any financial transactions. In addition, new payment procedures must be introduced into the company where several people sign off on a financial transaction.

Unfortunately, junior staff are in a position where they trust their managers and do as they are instructed. Processes must be put in place so that staff can, and in fact must, question requests from colleagues, managers or even suppliers.

Despite a multi-layered cyber security system, IT security tools are not infallible against human behaviour. Staff must be trained to be aware of the potential attacks. These can come in various forms: phone, email, or even social media, and the attackers will find the weakness in any business.

Javvad Malik, security awareness advocate at KnowBe4 advises that BEC is fundamentally based on socially engineering the victim into making the money transfer.

“The first step should be raising awareness amongst staff of these attacks. In particular focus on those who work in finance or have the ability to set up new payments or amend existing ones.”

“Secondly, and perhaps more importantly, procedures need to be in place which prevent one user from being able to authorise or create a new payment. Rather, segregation of duties should be put in place whereby more than one user approval is needed to initiate payment. In addition, established and trusted mechanisms are required through which any requests can be queried.”

Other measures can also be put in place. Barracuda, who offer Sentinel, advise taking advantage of artificial intelligence. Look for AI that doesn’t simply rely on looking for malicious links or attachments, as attackers are increasingly bypassing these tactics. They also recommend implementing DMARC authentication and reporting in your organisation. This can help stop domain spoofing and brand hijacking. They also suggest using multi-factor authentication in your organisation. Passwords alone are no longer enough to keep cyber-attackers out.

Defensive measures against BEC scams

IC3 provides the following guidelines for employees containing both reactive measures and preventative strategies:

  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials or PII in response to any emails.
  • Monitor their personal financial accounts on a regular basis for irregularities, such as missing deposits.
  • Keep all software patches on and all systems updated.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it is coming from.
  • Ensure the settings on employees’ computers are enabled to allow full email extensions to be viewed.
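The sender-address check in the last two guidelines can be automated at the mail gateway or in a mailbox rule. This is an added example, not code from the original post or from IC3: a Python check over constructed message headers that flags a display name carrying a different address, a known executive’s name on an outside address, and a Reply-To that diverts replies elsewhere; the executive directory and domains are assumptions.

```python
"""Flag From: headers whose display name does not match the actual sender.
Added example (not from the original post); the executive directory and the
sample messages below are constructed for illustration."""
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Hypothetical directory of staff who are commonly impersonated in BEC scams.
COMPANY_DOMAIN = "example-corp.test"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.test"}

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def _decode(value):
    """Decode RFC 2047 encoded-words so a disguised display name can be inspected."""
    return str(make_header(decode_header(value or "")))


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(raw_message):
    """Return a list of reasons the sender looks spoofed; an empty list is clean."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(_decode(msg.get("From")))
    name_lc, from_dom = name.strip().lower(), _domain(addr)
    findings = []
    # 1. The display name carries an address whose domain differs from the real sender
    #    (mobile clients often show only the display name).
    for embedded in ADDR_RE.findall(name):
        if _domain(embedded) != from_dom:
            findings.append(f"display name shows {embedded} but message is from {addr}")
    # 2. The display name matches a known executive but the address is not theirs.
    expected = EXECUTIVES.get(name_lc)
    if expected and addr.lower() != expected:
        findings.append(f"{name} is expected at {expected}, not {addr}")
    # 3. Reply-To points somewhere other than the From domain, so replies go elsewhere.
    _, reply = parseaddr(_decode(msg.get("Reply-To")))
    if reply and _domain(reply) != from_dom:
        findings.append(f"Reply-To {reply} differs from From domain {from_dom}")
    return findings


# Constructed sample messages.
LEGIT = "From: Jane Doe <jane.doe@example-corp.test>\nSubject: hi\n\nbody\n"
SPOOF = ("From: Jane Doe <jane.doe.ceo@webmail.test>\n"
         "Reply-To: payments@webmail-other.test\nSubject: urgent\n\nbody\n")
DISGUISED = 'From: "jane.doe@example-corp.test" <acct123@free-mail.test>\n\nbody\n'

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoof", SPOOF), ("disguised", DISGUISED)):
        print(label, check_sender(raw) or "no findings")
```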

BEC Fraud is on the increase because these highly lucrative attacks are succeeding and they will continue to attract more groups willing to attempt their methods.

To add to this, KnowBe4 report that your email filters have a 10% failure rate.

Therefore you need a strong human firewall as your last line of defence.

KnowBe4 Recommend Eight Prevention Steps

Many steps must dovetail closely together as part of an effective prevention program:

  • Identify your high-risk users
  • Institute technical controls
  • Set a security policy
  • Develop standard procedures
  • Cyber-risk planning
  • Training for all users
  • Continuous simulated phishing
  • Stay aware of red flags

For more information see KnowBe4 Security Awareness Training

Traditional Vision Of Vulnerability Management Is Outdated

Tony Mason | Vulnerability Management & SIEM

Vulnerability Management

A decade ago, most enterprises could get away with addressing vulnerability management in silos. One team would scan servers and desktop computers on the enterprise network. They would look for misconfigurations in systems and vulnerabilities in commercial software applications. When problems were discovered, they were thrown over the wall for system administrators and operations groups to fix. Application developers were responsible for policing internally-developed applications. Other specialists worried about the susceptibility of employees to social engineering attacks. Rarely was anyone responsible for analysing how different types of vulnerabilities might interact to expose critical data and intellectual property.

That vision of vulnerability management is too inefficient and expensive for today’s enterprise. Computing environments are far more complex. IT and security groups must monitor a much larger attack surface. Infrastructures and applications can change on a daily, even hourly basis. Cyber criminals and hackers have learned how to exploit chains of weaknesses in systems, applications, and people. Therefore, traditional vulnerability management tools and practices are too limited, too siloed, and too slow to keep up with these challenges.

Time To Rethink Vulnerability Management

As a result, security organisations must rethink their vulnerability management programs. They need to monitor complex, dynamic computing environments and respond in minutes or hours when issues are discovered, not days or weeks. They must address weaknesses in people as well as technology. Also, security professionals must be able to think like attackers in order to understand which vulnerabilities pose the greatest risks to the enterprise.

Key Principles Of A Modern Approach

One of the key principles for a modern vulnerability management program and the overarching practice of SecOps is “complete ecosystem visibility.” That means integrating vulnerability assessment scanning solutions with virtual services as well as IaaS platforms and other cloud environments. Similarly, security teams should be able to monitor more types of data on more types of endpoints without multiplying the number of agents and assessment solutions they use.

Integrating scanning tools with internal ticketing systems automates the handoff of vulnerability tasks to the IT operations team. As a result they have access to more data, faster, with less chance of losing information. Teams also need to address web application vulnerabilities, as rich web applications can be an Achilles heel. Legacy tools are frequently unable to effectively test rich web applications. A modern vulnerability management program needs tools that can address these issues.

Security groups are also often hard-pressed to keep pace with the speed of change of production applications. These can be put into production on a weekly, daily, hourly, or even minute-by-minute basis.

One way to address these challenges is to work towards a DevSecOps approach. The concept is to adopt tools and processes that allow software developers, security staff, and the operations people who manage application deployment to work together. They should integrate security into every phase of the software development life cycle (SDLC).

Above all, with a modern vulnerability management program formed through the SecOps mindset, organisations can:

  • Step up their game with network scanning to include complete ecosystem visibility, simplified assessment, and automated remediation workflows.
  • Better address web application vulnerabilities – by analysing more complex applications and by adopting DevSecOps practices. This will help them keep up with applications that can change daily or hourly.
  • Increase resilience to phishing and other social engineering attacks through education and simulations, and mitigate user risks by linking incident detection and response capabilities with vulnerability management.
  • Assess overall risk using customised risk scoring and pen testing to prioritise vulnerabilities based on their real risk to the specific enterprise.

Evolving towards such a program requires thinking through the value of each area and finding opportunities to integrate the different areas. However the rewards are dramatic, giving security groups the ability to:

  • Monitor today’s vastly expanded attack surface.
  • Keep up with quickly changing infrastructure and applications.
  • Work collaboratively with IT operations and application development groups to identify and remediate vulnerabilities of all kinds, faster.
  • Reduce the ability of attackers to exploit the largest attack vector in most organisations: the users.
  • Accurately determine which vulnerabilities pose the greatest risk to the enterprise, to make the best use of remediation resources in the short term and to focus on the most effective defences over the long term.

Email us for more information and receive Rapid7’s Whitepaper on The Four Pillars of Modern Vulnerability Management, a comprehensive approach to reducing vulnerabilities across your ecosystem.

Are Your Compliance, Risk & Audit Projects Taking Too Much Of Your Time?

Tony Mason | Compliance - GRC (Governance, Risk & Compliance)

GRC Compliance Management

Today, most organisations are required to follow some type of regulation. Almost all of us need to comply with the Payment Card Industry Data Security Standard (PCI DSS). However, that is often combined with other regulations, such as the new ramifications of GDPR. Even if you are not required by law to comply with any regulations, you may be following an internal risk framework, internal policies & procedures, or an industry best practices framework such as NIST or ISO. You may even be applying for a Royal Warrant or taking additional security measures in following Cyber Essentials. Managing compliance for one regulation or framework is time consuming. Having multiple regulations sometimes means you have to create an entire and expensive compliance department.

Compliance Management

Most organisations use spreadsheets, documents and collaboration portals, as well as email threads and individual calendars, to manage their GRC (Governance, Risk & Compliance) initiatives. This is inefficient, error prone, costly, and a risk in itself.

We all know that compliance is mainly a matter of “people and processes” and tools come second. However, old-school GRC offerings require many months of implementation and high consulting hours to stand up.

New GRC Platform

We are delighted to bring you the new product from KnowBe4, the KCM GRC Platform. It has a simple, intuitive user interface, easy to understand workflows, a short learning curve, and will be fully functional in a matter of days. It was developed to save you the maximum amount of time getting GRC done.

KCM is a SaaS-based GRC platform that is surprisingly affordable and super easy to use. Now you can move beyond using spreadsheets and manual processes that are time consuming and unmanageable. With KCM, you can effectively and efficiently manage risk and compliance within your organisation and get insight into gaps within your security program.

The KCM GRC platform is offered in different packages to meet the needs of all organisations and is available with the following modules to choose from:

  • Compliance Management
  • Policy Management
  • Risk Management
  • Vendor Risk Management

KnowBe4’s experts have created prebuilt requirements templates for the most widely used regulations and create new templates as regulations change or are updated. There is no need for you to monitor confusing changes in regulations anymore. In addition, you can build or import your own templates, using the super easy custom template feature.

Free trials are available so please get in touch to see how KCM could help you.

See how you can get audits done in half the time at half the cost with KCM.

World Password Day

Tony Mason | Data Protection, Security Awareness & Phishing

Today is World Password Day which is a great occasion to be briefing our staff on the dangers of reusing passwords.

The National Cyber Security Centre (NCSC) have reported on the passwords most commonly found in accounts that have been accessed by third parties in global cyber breaches. Their breach analysis showed 23.2 million victim accounts worldwide used 123456 as a password. They have also listed the most used names, premier league football teams and even musicians and fictional characters.

A recent study in the UK by OnePoll found users manage an average of 14 online accounts (e.g. emails, banking, bills, shopping, entertainment). They then have to remember around nine different passwords across these. No wonder two in five (38%) users forget their passwords at least once a month.

Why weak passwords are a danger to your business

Reusing passwords is still a major risk for individuals and companies. The NCSC report has collated a list of the 100,000 most commonly recurring passwords that have been accessed by third parties in global cyber breaches. The compromised passwords were obtained from global breaches that are already in the public domain, having been sold or shared by hackers.

The list was created after breached usernames and passwords were collected and published on Have I Been Pwned by international web security expert Troy Hunt. The website Have I Been Pwned allows people to check if they have an account that has been compromised in a data breach.

The report shows that even being more creative with your password still runs the risk of a breach; ‘oreocookie’ was still seen over 3000 times.

Attackers use lists like these when attempting a cyber breach. This can help them breach a perimeter or move within a less well defended network.

How password blacklists can help your users to make sensible password choices

Using this NCSC list can help users create safer passwords but don’t use it in isolation. However, for a start, if you see a password that you use on this list, you should immediately change it.

IT managers can now use this list to check whether their users have a weak password and can help them create new, safer passwords. Recognising the passwords that are most likely to result in a successful account takeover is an important first step in IT security.

Password Guidance

  • Update your password policies
    • The NCSC give guidance on what to include to help users choose good passwords
    • Ensure employees can’t use known bad passwords
  • Use password blacklists
    • NIST recommend using password blacklists, such as this NCSC list or Have I Been Pwned, to ensure users don’t pick a password that is commonly found in data breaches. Then add these checks into your authentication flow.
  • Use Password Managers
  • Choose a good, strong password
    • Choosing a password is hard. The NCSC urges using 3 random words to create a password. They also advise creating a hard-to-guess password, particularly to secure important data, such as personal or banking details. Choose something creative & memorable to you but something others cannot guess (not your first name, football team or favourite band).
  • Choose different passwords for different accounts, especially your email account or financial accounts with sensitive data
    • 25% of employees use the same password for all logins
  • Use a modern approach to authentication (including multi-factor authentication)
  • Make your staff aware of how attackers use passwords obtained from breaches, to make it relevant and ensure users adopt a good password policy.
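The blacklist check recommended above can be wired into an authentication flow without ever sending the full password, or even its full hash, to the list provider: Have I Been Pwned’s Pwned Passwords range API accepts only the first five characters of the SHA-1 hash and returns every matching suffix with its breach count. This added example (not the NCSC’s, NIST’s or KnowBe4’s code) shows that exchange in Python against a constructed stand-in for the breach corpus, with `fetch_range` standing in for the real HTTP call.

```python
"""Check a candidate password against a breached-password list using the
5-character SHA-1 prefix (k-anonymity) scheme of the Pwned Passwords range API.
Added example, not from the post; the corpus below is constructed and is not
the real NCSC or HIBP data."""
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: password -> times seen in breaches.
# Counts are illustrative; the two passwords named in the post are included.
_CONSTRUCTED_BREACH_COUNTS = {
    "123456": 23_200_000,
    "oreocookie": 3_000,
    "password": 3_600_000,
    "liverpool": 280_000,
}


def sha1_hex(password):
    """Upper-case hex SHA-1, the form the range API and its responses use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_ranges(counts):
    """Index the corpus by hash prefix, mirroring the range API response:
    one 'SUFFIX:COUNT' line per hash whose first five hex chars match."""
    ranges = defaultdict(list)
    for pw, n in counts.items():
        h = sha1_hex(pw)
        ranges[h[:5]].append(f"{h[5:]}:{n}")
    return ranges


_RANGES = _build_ranges(_CONSTRUCTED_BREACH_COUNTS)


def fetch_range(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.
    Only the 5-character prefix ever leaves the client; the response lists
    every suffix in that bucket, so the server cannot tell which one was wanted."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    return "\r\n".join(_RANGES.get(prefix, []))


def breach_count(password):
    """Number of times the password appears in the corpus; 0 if not found.
    The full hash is never sent: the client compares suffixes locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        cand_suffix, _, count = line.partition(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


def check_password(password, min_length=8):
    """Policy check in the spirit of NIST SP 800-63B: reject short passwords and
    any password found in breach data, and return the reason for the user."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    n = breach_count(password)
    if n:
        return False, f"appears {n:,} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("123456", "oreocookie", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate))
```

Against the live API the same loop applies to the HTTP response body, and the NCSC’s plain-text list can be loaded into `_CONSTRUCTED_BREACH_COUNTS` in the same way.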

Read More at National Cyber Security Centre.

See how vulnerable you are. Find out now which users are using hacked passwords

Try KnowBe4’s free tool: New Breached Password Test (BPT) to see which of your users are currently using passwords that are in the publicly available breaches associated with your domain. BPT checks against your Active Directory and reports compromised passwords in use right now so you can take action immediately.

40% of Organisations Not Doing Enough to Protect Office 365 Data

Tony Mason | Data Protection, Microsoft 365 Security

Office 365 Data Security

Companies could be putting themselves at risk by relying exclusively on Office 365 Data Security, according to Barracuda.

Barracuda’s latest report found that 40% of IT organisations surveyed don’t use third-party backup tools to protect Office 365 data. The report questioned more than 1,000 IT professionals, business executives, and backup administrators.

They explain why it is a big risk to ignore third party data backup tools and just trust Office 365 to deliver all the backup you need. This is particularly important as the amount of data being lost remains high. As we are using more devices and getting our data from more places each year, it becomes harder to ensure our data is secure.

Why Use Third Party Backup?

Barracuda’s Director of Data Protection Platform Strategy, Greg Arnette, explains that while Microsoft does offer a resilient SaaS infrastructure to guarantee availability, it doesn’t secure data for historical restoration for long. Plus, its service-level agreements don’t insure against user error, malicious intent, or other activity that can destroy data.

“Microsoft will protect your data for an outage in a data centre environment, but they will not detect threats such as account takeovers and ransomware. Those kinds of attacks will look like the actions of a typical end user. The backup vendors are now doing more detection using cloud-based APIs to keep track of what changes over time.”

The report explains deleted emails are not backed up on Office 365 in the traditional sense. Instead, they are placed in a recycle bin for up to 93 days before being completely deleted forever. For SharePoint and OneDrive, deleted data is held for a maximum of 14 days by Microsoft. Plus you need to open a support ticket to retrieve it. SharePoint and OneDrive can’t even retrieve single items/files; they have to restore an entire instance. It’s actually doubtful that these short term retention policies would even meet most of today’s compliance requirements.

Cloud Backup

Many think that if data is in SaaS, then it will automatically be backed up. However, this isn’t the case. Just because it is ‘held in the cloud’ doesn’t mean that it will be backed up.

The Barracuda report also discovered that while 64% of companies worldwide state that they back up data to the cloud, 36% still don’t. Although the report didn’t show clearly why this was, it is likely that there are still major security concerns over storing in the cloud. This is despite the benefits of being able to retrieve everything if hit by a disaster such as fire or flood.

Companies need to realise that they are responsible for their data: protecting, archiving and being able to recover it, especially email.

See the whole story at Dark Reading.

Barracuda Essentials offers all-in-one Cloud Based Email Security, Backup, Archiving & eDiscovery for Office 365.

Take a look here for more information.

Ensure you are backed up. The alternative isn’t worth thinking about.
Phishing Attacks Now More Common Than Malware

Tony Mason | Security Awareness & Phishing

Phishing Attacks More Common Than Malware

The latest annual Microsoft Security Intelligence Report (SIR) has just been issued and indicates that phishing attacks are now by far the most frequent cyber threat. Since their last report, phishing attacks have increased 250%.

Microsoft’s security team are in a great position to analyse trends in cyber security threats. Their figures are based on their internal scans of O365 email addresses and their latest report is based on over 470 billion messages. The results show that not only are phishing attacks more frequent, but in a short space of time they have become significantly more sophisticated.

Technology is getting better at detecting phishing attacks, with machine learning improvements automatically blocking phishing emails. However, unfortunately, phishing continues to be a threat due to the human nature of it. Cyber criminals focus on human fear, panic, brand trust, or ignorance. They continue to use this method of attack due to the success they have with it.

The Rise of Phishing Attacks

The report shows that not only are phishing attacks increasing, but they are becoming the criminals’ preferred attack method. Attackers are often able to convincingly impersonate users and domains. They bait victims with fake cloud storage links, engage in social engineering and create attachments that look similar to those commonly used in the organisation.

As we reported last week on Ransomware-as-a-Service, cyber hacking services are now available to any aspiring cyber criminal in an ‘out-of-the-box’ format. Phishing attacks are also now available in kit form. These Phishing Kits clone popular websites and operate from temporary servers. They can be purchased from the Dark Web at reasonable prices.

Avoiding Phishing

On analysing the SIR, KnowBe4 note that simple diligence can defeat just about all the phishing attacks listed.

Most phishing messages succeed through social engineering tactics, leveraging blind trust, impulsiveness and lack of awareness. Proper organisation-wide security awareness training that focuses on recognising common phishing attacks and request response policies can drive down the phish-prone percentage of users dramatically.

Vendor Supply Chain

Both Microsoft and KnowBe4 also highlight that while companies must train their staff and internal users, they must also ensure that their vendors are doing the same. Supply chain attacks are another new area of focus for cyber criminals. These attacks tend to deliver malware that installs crypto-currency coin miners. Therefore, any outside vendor with access to your systems is a potential point of compromise.

The best defence is a layered approach to security that involves employee training & collaboration with digital supply chain partners.

See the whole story here.

Tony Mason | Data Protection, Endpoint Security, Enterprise Security, Security Awareness & Phishing

Ransomware-as-a-Service available on the Dark Web

The Dark Web and Ransomware-as-a-Service

This month our partner, Vipre, reported on Ransomware-as-a-Service and the impacts this could have on the industry. Jason Norton advised, ‘Ransomware is a form of malware that encrypts, or locks a user out of and away from their critical data. Typically, the attacker demands monetary payment in exchange for a decryption key that promises to unlock the hijacked data’.

Reports this week are claiming that more companies are paying the demands, as their insurance companies are paying the bill. This definitely makes for a lucrative market for cyber criminals to focus on. However, paying may not result in you getting your data back.

Jason explains how Ransomware-as-a-Service (RaaS) is slightly different to normal ransomware. ‘Unlike traditional ransomware, RaaS doesn’t require the attacker to be necessarily skilled at writing computer code to launch attacks. That is because the RaaS delivery model is similar to a monthly subscription service. This type of affiliate program creates a win-win situation for both the malware author and the subscription buyer. There is usually some type of profit sharing or split between the two parties which is normally agreed upon up front. In the end, the only loser is the victim who pays the demanded monetary ransom in the hope of safely getting their valuable data back’.

For a monthly subscription fee, cyber criminals can provide access to easy-to-use malware and ransomware, packaged for immediate distribution to the buyer. These RaaS packages are found and sold on the Dark Web.

The interesting & most concerning point Jason makes about the advent of RaaS is that it removes a large barrier to bad actors’ entry into this field.

To become a hacker, you used to need the ability to code. With this new RaaS service, that need has now been taken away. The problem this creates is that there is no guarantee you will get your data back. There used to be an unwritten rule in the world of ransomware that once you had paid the ransom, you would receive your data back. Sadly, the new hackers using RaaS don’t have the skill set to retrieve this for you.

Additionally, the volume of attacks may rise as it becomes easier for new entrants to come in to the market. Jason relates this to pyramid selling schemes, where, in this instance, the ransomware authors stand to make a lot of money by maximising the number of hackers using their service.

Key ways to counter Ransomware

  • Use a Next-Gen Endpoint Security Solution, such as Vipre
  • Train Your Users: using simulated phishing of latest scams, together with engaging & interactive training, such as KnowBe4
  • Regularly Back Up Your Data
Check here for Vipre’s full report.

Phishers Shift Efforts To Attack SaaS and Webmail Services

Tony Mason | Security Awareness & Phishing

A new report out today provides us with some good news and some bad for the beginning of 2019. According to Help Net Security ‘the good news is that the total number of conventional, spam-based phishing campaigns declined as 2018 came to a close. The bad news is that users of software-as-a-service (SaaS) systems and webmail services are being increasingly targeted.’

APWG have just issued their Q4 2018 Phishing Activity Trends Report and it shows the number of confirmed phishing sites declined towards the end of 2018. They report 138,328 in Q4, versus 151,014 in Q3, 233,040 in Q2, and 263,538 in Q1. However, overall phishing sites grew 220% over the course of the year and phishing attacks increased 36%.

Phishing Sites

This new decline in the number of phishing campaigns may have been down to anti-phishing efforts. It may also be because criminals are moving to more specialised and lucrative forms of e-crime than pure mass-market phishing. However, there is also a growing concern that the decline may actually be down to the fact they are going undetected. It is suggested that techniques are becoming ever more sophisticated. Detection and documentation of some phishing URLs has been complicated by phishers obfuscating phishing URLs with techniques such as Web-spider deflection schemes. Also, attackers are creating multiple redirects in spam-based phishing campaigns. They take users (and automated detectors) from an email, through multiple URLs on multiple domains, before finally depositing the potential victim at the actual phishing site.

New Preferred Targets

Phishing targeting SaaS and Webmail services increased from 20.1% of all attacks in Q3 to almost 30% in Q4. Attacks against cloud storage and file hosting sites continued to decrease, falling from 11.3% of all attacks in Q1 2018 to only 4% in Q4 2018.

Phishing Attacks Hosted on HTTPS & SSL

Interestingly, researchers at APWG member Phish Labs noted that in Q4 2018, the number of phishing attacks hosted on websites that have HTTPS and SSL certificates declined for the first time in history. However, 47% of phishing attacks are still hosted on sites that use digital certificates to make attacks look legitimate, fooling users into thinking they are secure, and to avoid any browser warnings.

So whatever the shift in trends, we still need to remain vigilant and aware of the developments and increased sophistication of the attackers at large.

Black Friday Scam

Tony Mason | Security Awareness & Phishing


Black Friday & Cyber Monday Scams

This week sees the return of the phenomenon of Black Friday and Cyber Monday. These marketing events are significantly driving up online sales in the run up to Christmas. 2017’s Cyber Monday was the largest online shopping day in history and was mobile’s first $2 billion day.

This weekend has become an unbridled online spending extravaganza, but threat actors have taken notice. It’s Holiday Season for these bad guys too, but not the way you might think. They go into scam-overdrive mode.

Black Friday and Cyber Monday are the busiest on-line shopping days and they are out to get rich with your money.

With their latest report, the team at RiskIQ summarised it well:

“Ever the opportunists, threat actors set up their operations where the money is; and in the case of the Black Friday and Cyber Monday phenomena, it’s e-commerce. According to Adobe Digital Index, in 2017, online shoppers stuffed e-commerce cash registers with more than $19.6 billion in sales through the Black Friday weekend—a more than 15 percent increase over 2016.

“With more people than ever poised to partake in this year’s November shopping frenzy, attackers will capitalise by using the brand names of leading e-tailers to exploit users looking for Black Friday deals and coupons by creating fake mobile apps and landing pages to fool consumers into downloading malware, using compromised sites, or giving up their login credentials and credit card information.”

Sales this weekend are forecast to be up 19.4% on last year with $7.8 billion expected in e-commerce on Cyber Monday.

What starts out as a search for Christmas presents at bargain prices can turn into a financial nightmare. For brands, what starts as a marketing campaign to boost sales can turn into a security fiasco that not only affects them financially but can destroy trust with their customers.

This year, Magecart, which is made up of several groups of digital credit card-skimming actors with ties to Russia, adds a serious new layer of threat. They are responsible for large-scale breaches that stole thousands of customer credit cards. Only put your details in a secure shopping portal, not on sites for coupons and competitions, and be restrictive with your personal data.

It’s worth sending an email to staff over this weekend and the Christmas season reminding them to be vigilant. It is crucial to pay attention to detail while shopping online.

So what to look out for? At the moment, there are literally thousands of fake sites, looking just like the real thing. Don’t fall for it.

Key Things to Consider:

  1. Make sure the site you visit is the real one, and check the addresses of any subsequent links as well.
  2. Type in the address yourself or use your bookmark.
  3. Do not click on links in emails advertising special offers.
  4. Be aware of the permissions the site is requesting: are they relevant to what it needs to do?
  5. Watch out for alerts by email or text claiming you have just received a package from FedEx, UPS or DPD and then asking for personal information. Don’t enter anything.
  6. Don’t download fake mobile apps that promise big shopping savings.
  7. Be very wary of online discount coupons. Don’t enter your details unless you trust the site’s official web address, and be restrictive with your data.
  8. Ensure the site uses ‘https’, i.e. the connection is security protected.
  9. Use credit cards online rather than debit cards and, if possible, only use card details already saved in your online shopping account, so they are not typed into a checkout page that Magecart could be intercepting.

Think Before You Click!

KnowBe4 Security Awareness Training

GDPR & Data Breaches

Tony Mason: Data Protection, News, Security Awareness & Phishing

GDPR & Data Breaches Under The New Rules

GDPR & Data Breaches 6 Months On

The value of the average data breach fine issued by the Information Commissioner’s Office (ICO) in the UK has doubled in one year, reaching £146,000, according to the City law firm RPC.

The total value of fines imposed by the ICO has risen by 24% compared to 2017, reaching just under £5m at the end of September.

Credit reporting agency Equifax was issued the maximum fine of £500k last month for failing to protect the data of 15 million people whose data was stolen in a cyber attack in 2017.

According to Richard Breavington, a partner at RPC, ‘A doubling in the average size of fine should serve as a wake-up call to business. However, political pressure is mounting.’

The ICO issued its first enforcement notice under the new rules in September, against AggregateIQ, which allegedly used the data of 87m Facebook users to sway voters during the 2016 EU referendum.

Facebook has also just been fined £500k for failing to protect users’ information and for a lack of transparency about how this data was being used. As this activity took place before the new European GDPR rules came into force, the fine isn’t included in the figures above and was capped at the old maximum of £500k. However, should such a serious data breach occur today, the maximum fine would be 4% of global turnover, which could be as much as $1.9 billion. Companies need to understand the new rules, ensure all their staff are aware of them, and ensure there is full compliance.

Heathrow Airport, meanwhile, received a fine of a mere £120k for a ‘serious’ data breach: it failed to secure ‘sensitive personal data’ when an employee lost a memory stick that was neither encrypted nor password protected. Only 2% of staff had been trained in data protection, and downloading sensitive data onto memory sticks was widespread practice, contravening both company policy and GDPR rules. Had Heathrow been penalised under the new rules, it could have faced a penalty of £17 million or 4% of turnover.

BA now has an open ICO case over the recent data breach from its website. Since this occurred after May, legal experts are questioning whether the new data laws could see BA receive fines of up to £500 million if it is found to be in breach of the new rules.

Fines are not only coming from the data watchdog, the ICO, but from elsewhere too. Morrisons has just lost its appeal against a High Court ruling that it is legally liable for a former employee leaking personal information about 100,000 staff members, and it may now face compensation bills running into millions. This result will sound alarm bells for other businesses and have huge ramifications in the future. Companies need to take responsibility for their data; it’s about protecting people as much as their data.

It is becoming increasingly clear that we need to create a strong culture of responsibility.

A recent Versasec survey examining the impact of GDPR six months on shows that the privacy regulation cost more to implement than was anticipated. However, non-EU companies are also beginning to adopt similar controls in anticipation of new rules in their own territories, with 30% believing that more stringent privacy rules are likely worldwide.

The biggest concern of those surveyed was ensuring that all employees comply with the rules. Their fears are driven more by the fines they could face under GDPR for data breaches than by losing revenue or customers.

59% of respondents admitted their company was still not fully compliant on 25 May; their challenges centred on educating employees and having enough resources to implement the new regulation.

Data is important, and the fines and ramifications for businesses are huge. From the directors down, all staff need to be aware of the importance of data and cyber security: passwords, encryption, downloads and memory sticks. Training staff in an engaging and motivating way will go a long way to ensuring processes and policies are followed and systems are protected.

The repercussions can be devastating, whether financial, legal, personal, reputational or much worse…


KnowBe4’s Security Awareness Training library includes GDPR training modules, videos, posters & newsletters as part of their extensive library of training modules.