As the countdown to GDPR implementation progresses, we have refreshed our course Data Protection: Privacy at Work to ensure users benefit from the latest in policy and practice.

New modules have been added and existing ones updated to take account of the coming data protection regime, both across Europe and in the UK specifically, where the new Data Protection Bill is being introduced.

New modules

Global Data Protection Module

An in-depth, line by line comparative analysis of data protection legislation and regulations across more than 70 major countries. View a summary of data protection rules compared to GDPR for one country at a glance, or compare and contrast multiple jurisdictions to ensure staff all around the world understand their data protection obligations.

Are your passwords as secure as an open door? While many IT security experts are focused on patching software, closing weaknesses, and implementing expensive security software, your employees could be using simple passwords like ‘password’ and ‘abc123’. Weak passwords remain one of the easiest ways to hack into a system, and there are many millions of weak passwords in existence (what’s more, these ineffective passwords are often re-used by employees across multiple sites, making it even easier for hackers to gain access). Leaked databases of email addresses and password pairs exceed the hundreds of millions, and these exposed passwords may still be in use by your employees – all a hacker has to do is check.

It’s not hard to see why people use simple passwords. These days we all need to remember so many combinations of usernames, email addresses and passwords that it’s tempting to reduce this mental overload by recycling one or two memorable passwords.

This is why organisations must constantly remind employees of the importance of strong passwords. A weak password isn’t just a threat to the individual and their information. A weak password is an open door to the entire organisation, meaning that it’s more than a matter of personal preference: it’s an existential threat.

Here are seven tips for creating and maintaining secure passwords:

Keep passwords secret

This may sound obvious, but many people share their passwords with friends, colleagues, or family members at one time or another, and never go back and change their password afterwards. Remind employees to keep passwords to themselves, and never to enter or create a password while someone else is watching.

Don’t recycle passwords

Enormous databases of passwords are circulated widely online. These contain hundreds of millions of stolen passwords – which your employees could still be using to gain access to your systems. Remind people to use unique passwords for every service. Password managers can help generate and store complex passwords securely.

Avoid using personal information

Your children’s or pet’s names may spring to mind when you try to create a password, but these details are often available to anyone who cares to scan our social media profiles. Avoid such easy-to-find details and choose something harder to guess.

Don’t use dictionary words

A single word from the dictionary is quick and easy to crack. Even if you replace some of the letters with numbers and characters, you’re making life too easy for the hackers.

… Unless you use six unrelated words

Putting six random words together in a string that makes no sense can be a viable password strategy. For example:

  • PerplexBravadoMonkeyRivalsAttentionSponge is a long, secure password that would make life difficult for hackers and their password-cracking software.

Turn phrases into random strings of letters/numbers

Turn a phrase into a password, e.g. ‘I loved eating ice cream in Venice in 2016’ becomes IleiciVi2016, or ‘I went camping and lost £20 in my sleeping bag’ becomes Iwcal£20imsb. This tactic can create hard-to-guess passwords that are also easy to remember, particularly if the phrase relates to a fond memory or a happy occasion.

Change passwords regularly

However good your password, there’s a chance that it could be circulating online. By changing your password every year, you limit the risk of hacking considerably.
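A policy checker that mechanises the tips above (minimum length, breach-list lookup, single dictionary words with digit/symbol substitutions undone, personal details, and per-word scoring for six-word passphrases), written here as an added example rather than VinciWorks' own code. The breach set, the mini dictionary, the 12-character minimum and the 7776-word list size are constructed assumptions.

```python
"""Password-policy checker for the seven tips (added example, not VinciWorks code)."""
import hashlib
import math
import re
from typing import Optional

MIN_LENGTH = 12                  # assumed policy value, not from the page
PASSPHRASE_WORDLIST_SIZE = 7776  # assumed size of a diceware-style wordlist

# Constructed stand-in for a leaked-credential corpus. Only SHA-1 digests are
# kept, the way public breach-check services store them, so the checker never
# needs the plaintext list.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "abc123", "letmein", "qwerty123")
}

# Constructed mini dictionary standing in for a full wordlist.
DICTIONARY = {"password", "monkey", "summer", "welcome", "dragon", "sponge"}

# Letter-for-symbol substitutions undone before the dictionary check, so that
# "p@ssw0rd" and "Monk3y" are still recognised as single words.
LEET = str.maketrans("@$0134", "asolea")


def is_breached(password: str) -> bool:
    """True if the SHA-1 of the password appears in the breach set."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def is_dictionary_word(password: str) -> bool:
    """True if the password is one dictionary word, possibly decorated with
    digits/symbols at the ends or with leet-style substitutions."""
    core = re.sub(r"^[^A-Za-z@$]+|[^A-Za-z]+$", "", password)
    letters = re.sub(r"[^a-z]", "", core.translate(LEET).lower())
    return letters in DICTIONARY


def contains_personal_info(password: str, profile: dict) -> bool:
    """True if any profile value of 3+ characters (name, pet, year) appears."""
    low = password.lower()
    return any(len(v) >= 3 and v.lower() in low for v in profile.values())


def estimate_bits(password: str) -> float:
    """Rough strength estimate. CamelCase passphrases of 4+ words are scored
    per word (as in the PerplexBravado... example); anything else per character."""
    words = re.findall(r"[A-Z][a-z]+", password)
    if len(words) >= 4 and "".join(words) == password:
        return len(words) * math.log2(PASSPHRASE_WORDLIST_SIZE)
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"\d", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, profile: Optional[dict] = None) -> list:
    """Return the list of policy failures; an empty list means the password passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        failures.append("appears in a known breach")
    if is_dictionary_word(password):
        failures.append("single dictionary word (with or without substitutions)")
    if profile and contains_personal_info(password, profile):
        failures.append("contains personal information")
    return failures


if __name__ == "__main__":
    for pw in ("password", "Monk3y!", "Summer2016", "IleiciVi2016",
               "PerplexBravadoMonkeyRivalsAttentionSponge"):
        print(f"{pw:45} {estimate_bits(pw):6.1f} bits  {check_password(pw) or 'OK'}")
```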

Does your organisation enforce strong passwords? Do you have a method for helping employees manage multiple passwords?

VinciWorks offer a suite of cyber security training courses, including one that is dedicated to setting a secure password.

Employing a culture of security and training, and then testing this knowledge on a regular basis, is the most effective way to safeguard against data security threats and eliminate user errors. eLearning is a great way to foster a culture in which everyone understands and respects data security protocols, and wherein cyber-security risks are kept to an absolute minimum.

Everywhere you look, hacking seems to be on the rise, and it’s true that many of these attacks are opportunistic. However, some hackers are more calculating than this, conducting attacks over time so they can harvest the data they value. One such approach is the ‘man in the middle’ (MITM) attack. This involves hackers gaining access to your network, or intercepting your communications so that they can eavesdrop, collect data, and interfere with your own transmissions.

As you can imagine, once a hacker can get between you and the people or systems you communicate with, they have the power to cause immense harm. They can easily gather valuable information such as payment card information, legal documents, and company secrets. But it’s hackers’ ability to amend and corrupt this information that makes MITM attacks so potentially damaging. Instead of simply harvesting data, hackers can, in fact, change your information to suit themselves. With a few taps of the keyboard they can alter your bank details so that payments land in their accounts, not yours … and you may not notice until months later. This is not a hypothetical threat; hackers have even amended mortgage documents sent from a private home buyer to a solicitor so that hundreds of thousands of pounds were unwittingly redirected into their accounts.

So how do MITM attacks occur? They typically involve two different kinds of interception: either between you and your peers on your company network, or between you and an internet access point – usually over WiFi. The threat from open WiFi networks is particularly dangerous – and another reason why sensitive information should never be sent or received over an open wireless network.

We may imagine that our company networks and intranets are more secure, because we know who can gain access, but there may be a temptation for employees to use their privileges for nefarious purposes – particularly disgruntled employees who decide to gather valuable information before they leave the company. Employees may also be persuaded by a third party to create an access point for external hackers. Given the high value of this kind of access, companies must consider the great lengths that criminals may go to for this kind of fraud. And, as we’ve discussed in previous articles, employees can easily give hackers access without intent or awareness.

The question is, then, what can your organisation do to limit the risks of MITM attacks? As always, there is an educational component; employees need to understand their role in maintaining a secure network. Employees should never work on company laptops (or phones) from unsecured, public Wi-Fi networks. Employees also need to understand how to spot unsecured websites, and to look for websites using the ‘https’ rather than ‘http’ protocol, particularly when sharing sensitive data or making payments online.

From a company IT perspective, using HTTPS on all web and intranet sites is essential for preventing these attacks. An Intrusion Detection System (IDS) can alert you to problems – and help prevent an attack from turning into a costly loss of data, reputation or cash.

Is your organisation protected against MITM attacks? Or is it time to shore up your defences?

VinciWorks offer a suite of cyber-security training courses designed to deliver effective cyber security training in an easily digestible, highly motivating format. Each course highlights a particular learning objective (e.g. phishing attacks, setting a secure password, using email and browsing the internet) and can be completed in approximately five minutes in order to maximise knowledge retention and keep engagement levels up.

We also offer longer, more holistic courses on information security and preventing a data breach that address physical as well as digital security threats, together with courses on the new EU-wide GDPR legislation, with its increased focus on internet security and affirmative consent.


Bupa, the global health insurance company, admitted recently to a massive data breach affecting their international customers. A rogue employee copied and distributed the details of 108,000 customers. The data did not include financial or health information, but did include names, dates of birth, nationalities and some contact information. Whilst this information may not be enough to defraud Bupa customers, the data could be used by hackers to create more convincing phishing attacks to fool unsuspecting members of the public.

Security expert Marco Cova said to The Register: “Unfortunately, the data revealed from this breach is the type that criminals can use to launch additional attacks. They merge data from multiple sources, building dossiers on potential victims, including spear phishing targets. Data breaches provide a distribution hub for malware for years to come.”

Bupa quickly admitted to the data breach and explained that the employee had been fired and that the matter was being investigated by the police. The Financial Conduct Authority and other relevant regulators were also notified, and Bupa contacted all the customers affected to provide advice on how to spot any fraudulent emails and scams that may come their way. Following the breach, Bupa has also reported plans to review its security procedures.

While Bupa has responded rapidly and openly to this incident, many will question how a company that handles so much sensitive personal information could fall victim to this kind of attack, particularly from inside its own walls. Presumably it has a Data Loss Prevention system configured to stop employees from downloading or copying data without authorisation. So how could one employee harvest 108,000 records?

The Bupa attack is another example of cyber-crime that doesn’t fit the common misconception. This was not a carefully planned operation by a hardened criminal; it was an opportunistic theft by a trusted member of staff. This kind of crime is difficult to prevent, particularly when organisations are striving to remove barriers to innovation and enable employees to do great work efficiently.

Has your organisation struck the balance between security and digital freedom? Or do you need to do more to secure your data and systems against internal threats?

eLearning can help warn against potential repercussions for data theft and educate employees on the laws and regulations in place to deter cyber-crime. VinciWorks offer a suite of cyber-security eLearning courses, as well as short courses on the upcoming GDPR legislation with its increased focus on digital security.


Safeguarding children means protecting the health, well-being and human rights of children and vulnerable adults. It includes enabling them to live free from harm, abuse and neglect. A vulnerable adult is a person over the age of 18 who is, or may be for any reason, unable to take care of himself or herself, or unable to protect himself or herself against significant harm or exploitation.

Safeguarding children is everyone’s responsibility.

Legislation aimed at protecting children and vulnerable adults includes: The Children Act, Working Together to Safeguard Children, Every Child Matters, The Human Rights Act, The Mental Capacity Act and The Care Act.

This legislation was devised not just to provide protection for vulnerable groups, but to guide and support those organisations that work with or come into contact with children or vulnerable adults. Such organisations include voluntary groups, faith groups, private sector providers, schools, colleges, sports clubs and hospitals. The acts help to develop the confidence of staff, trustees, volunteers, parents, carers and the general public.

Safeguarding Children Policy

All organisations working with or alongside children or vulnerable adults must have a Safeguarding Policy in place.

A Safeguarding Children or Protection Policy is a statement that makes it clear what an organisation or group will do to keep children and vulnerable adults safe. The policy must state an organisation’s commitment to protection and outline the practical measures and procedures it will undertake to support this statement. A code of conduct may be included, detailing how staff are selected against set criteria and the behaviour expected of them when working with vulnerable people.

If Safeguarding Children is a shared responsibility, do you and your staff know what to do?

“Never do nothing”.

Providing adequate and ongoing training will enable your staff to confidently recognise areas of potential concern and know what steps to take.

VinciWorks’ Safeguarding eLearning course highlights core information about the safeguarding process, exploring the range of problems that children and vulnerable adults might face and explaining what actions should be taken if concerns are identified. It looks at the different categories of abuse – physical, sexual, emotional and neglect – that could lead to concern, the kinds of situations where abuse could occur and who the abusers might be.

The online course demonstrates practical steps that can be taken to safeguard children and vulnerable adults. It explores the ‘four Rs’ that underpin an effective safeguarding process: recognition; response; recording; and reporting. The course also outlines the correct procedures to follow if there is a suspicion of abuse.

All VinciWorks courses can be fully customised to meet your needs at no additional cost. VinciWorks’ Safeguarding eLearning course can be tailored to refer to your organisation’s policies and procedures. Your designated course administrator can edit the text and images of the course using the integrated authoring tool, and link to organisation-specific documentation.

Tax evasion

On 30th September 2017, the Criminal Finances Act comes into force, as does the requirement for businesses to have reasonable procedures to prevent the facilitation of tax evasion. The law is broad and the net is wide; a business can be prosecuted if a contractor puts a client in touch with a dodgy accountant or the entire modus operandi of the business is to stash away taxable cash.

VinciWorks conducted a survey of 250 UK businesses to find out just how much tax evasion risk companies are exposing themselves to. A quarter of companies still do not have any policies in place to prevent financial crime and one in ten companies in the legal and financial services sector haven’t put in place a whistleblowing policy.

9.9 million working days were lost in the UK in 2014/15 due to one thing: work-related stress. This means that – for one year – stress in the workplace cost the UK economy nearly £5.5 billion. Is your organisation doing enough to tackle the problem?

What causes work-related stress?

Work-related stress develops when an employee is unable to cope with the pressures being placed on them at work. A number of key ‘triggers’ have been found to be common across all types of work:

  • a workload that is too large
  • lack of flexibility in work patterns
  • a hostile working environment, including workplace bullying and violence
  • lack of control over the work an employee undertakes
  • lack of support
  • too much, or too little, responsibility
  • difficult relationships
  • lack of employee understanding of their role within the organisation
  • organisational change, large or small

Taking control of these across your organisation will help to tackle the negative impacts of work-related stress.

How much of an issue is work-related stress?

In 2014/15, stress accounted for 35% of all work-related illnesses and 43% of working days lost due to ill health. The incidence rate was 1380 per 100,000 workers, with a total of 440,000 cases, including 234,000 new cases. The overall number of lost working days was 9.9 million, equating to 243 days lost per case. Stress has been found to be more prevalent in the public sector. And, despite increasing awareness of the negative effects of stress, the numbers of cases have stayed constant for the last decade.

Not only does stress cause high levels of sickness absence and staff turnover, the broader impacts of stress on employee health are also staggering. Stress can cause heart palpitations, headaches, and other aches and pains. Behind musculoskeletal problems, it is the second biggest health complaint in the workforce. It can drive unhealthy behaviours – such as smoking and heavy drinking – which, in turn, can lead to increased risk of heart disease. Recent studies suggest that there are links to type 2 diabetes. And there have been cases of suicides linked to work-related stress and anxiety.

What are your responsibilities and what should you do about it?

As an employer, you have responsibilities to provide a healthy and safe working environment, in line with the statutory requirements set out in the Health and Safety at Work Act 1974 and the Management of Health and Safety at Work Regulations 1999. The duty covers carrying out and monitoring a risk assessment on your workplace, including the prevalence of stress.

As well as your legal duties, you also have a social responsibility to provide a healthy workplace. This will not only benefit your employees. You’re also likely to see increased motivation and productivity, a more effective work-life balance, reduced absence, fewer risks of long-term illnesses and staff who recover more quickly when they do fall ill. All this means significant improvements in staff morale – and substantial cost savings.

The first step is to evaluate the extent of stress within your organisation. This should involve a risk assessment and an analysis of your absence data, as well as a staff survey. Involve staff as you develop a policy; it should set out the responsibilities of managers, specific groups of staff and all employees, and the steps your organisation will take to mitigate stress. Develop an action plan to implement any changes that are required. Know what good practice looks like: seek out examples and set a yardstick for your business.

If your organisation relies heavily on email as a way of communicating, you might want to think specifically about including guidelines for email use out of office hours. This will make it easier for your employees to feel more comfortable stepping away from their smartphones and enjoying some real time away from the job. There might also be other specific activities – including any kind of organisational change – where work-related stress demands particular attention.

Your line managers are perhaps the most critical part of creating a supportive culture. They are best placed to identify which members of their team might be suffering from stress. They are also employees whose behaviour can have the most significant impact on others. Make sure your line managers know what is expected of them, what management styles should be adopted and what the impacts of work-related stress are on your organisation.

Training can help to set the tone for all your employees, including your line managers. Our new Stress Awareness Training course has been designed to encourage employees to work positively. The course identifies the causes of stress and offers solutions to manage it more effectively. It can be tailored to deliver your organisation’s stress management policy.

Looking for in-depth and engaging Mental Health and Wellbeing training? Explore our comprehensive eLearning library and try any of our courses for free.

Tax Evasion

Are your staff sufficiently prepared for the Criminal Finances Act? Ensuring everyone is familiar with your organisation’s procedures to prevent the facilitation of tax evasion will go a long way to protecting your company from prosecution. We have therefore created a tax evasion code of conduct policy template based on the Criminal Finances Act that can easily be edited and made available to all staff, clients and stakeholders.

A skills gap refers to the space between what employers want or need their employees to be able to achieve, and what employees actually have the know-how and experience to do. At the moment, there seems to be unrest in the UK regarding the General Data Protection Regulation (GDPR) and the number of cyber-security and data-handling professionals available to help organisations comply by the deadline in May 2018.

Since GDPR affects nearly every organisation in the EU (and all those who wish to do business with EU countries) – and with constant warnings and alarming headlines about large penalties for breaches of GDPR legislation (up to €20M) – it is perhaps understandable that UK organisations are feeling the pressure along with everyone else.

The question remains, though, how best to bring employees up to speed, particularly those who need a good understanding of the basic principles and directives of the GDPR, but who wouldn’t need as much expertise as, say, a dedicated Data Protection Officer (DPO). Even for organisations that employ a DPO, it makes sense to nurture and develop staff from within prior to the May 2018 deadline, if only to help mitigate the risk of said employees leaking customer data, storing it incorrectly, or otherwise inadvertently misusing it.

As part of your GDPR preparations, it makes sense for all staff to be aware of the GDPR, its implications, and what GDPR compliance looks like compared to the Data Protection Act. Organisations will need to go into detail about what constitutes a breach from May 2018 onwards, as well as put in place policies on mobile technology and data governance. It will also make sense to schedule regular (e.g. annual) refresher sessions in case anything changes and to really ensure compliance, and to arrange for new employees to undertake the same training as part of their induction.

How can VinciWorks help?

We offer GDPR online training courses to bring your employees up to speed with the GDPR. All our courses are automatically updated and the amended versions made available to users should legislation change.

A quick summary of our most popular GDPR courses can be found below:

  • Preparing for GDPR
    This course offers organisations the chance to learn how to prepare for the upcoming GDPR in time for May 2018 as well as informing them what they’ll need to do differently after this time. It also looks to answer any queries your employees may have about staying compliant after GDPR legislation comes into place.
  • ‘Accountability’
    This course looks at the GDPR directive and the need for transparency within your organisation. Other areas covered include why the GDPR directive legislation is so important, how to demonstrate accountability and how to minimise the risk of a data breach.
  • ‘Erasure: The Right to be Forgotten’
    This is a user-friendly microlearning course which takes five minutes to complete. It offers a focussed look at “The Right to be Forgotten” as it’s such a fundamental consideration of the upcoming GDPR legislation. After purchasing this micro course, your employees can expect to learn what responsibilities and obligations they have when receiving a request to erase personal data from others.

All our eLearning courses can be accessed and re-accessed as many times as you require to ensure compliance and, together with our full compliance suite of eLearning courses, form an ideal base for employee learning and development.

The Modern Slavery Act was introduced into law in 2015; the new legislation combined previous slavery and trafficking laws and also increased the maximum jail term for human traffickers from 14 years to potential life behind bars.

The Act was an obvious effort to crack down on Modern Slavery and to cast light on the subject, making the public more aware of its scale and destruction. However, it’s debatable whether enough has been done to educate people about this horrendous crime, since the number of suspected victims of slavery and trafficking more than doubled in the three years 2013 – 2016. In fact, the National Crime Agency (NCA) estimates that there could be as many as tens of thousands of victims of Modern Slavery in the UK alone, making it a crime now so widespread that, as NCA Director Will Kerr suggests, ‘ordinary people would be unwittingly coming into contact with victims every day’.

Although sexual exploitation is the most common form of slavery reported in the UK, many victims are found working in nail bars, construction sites, brothels, cannabis farms and in agriculture or domestic environments. Many more still are hidden deep in the supply chains that service otherwise reputable organisations – places where owners and employees have no idea that any criminal activity is taking place – and yet these businesses still face huge reputational damage if they are found to have neglected the due diligence that exists to protect vulnerable people.

There is no typical victim of slavery. Modern slaves may be men, women, or children, but all are normally among the most vulnerable and socially-excluded groups. Many believe they are escaping poverty, accessing education, or avoiding unstable socio-political conditions. However, usually the gangs and traffickers responsible for Modern Slavery are only interested in financial gain. They move people around the globe as if they were commodities to be bought and sold, and control them through fear and intimidation.

What can organisations do to tackle Modern Slavery and comply with the Modern Slavery Act?

Tackling Modern Slavery in the supply chain involves increasing employee awareness of what the ‘red flags’ of slavery might be. If organisations teach all their employees what to look out for, then it is harder for trafficking crimes to go undetected. For example, the NCA says that signs of abuse could include:

  • The manner of a person’s dress
  • Visible signs of injuries
  • Signs of stress
  • The manner in which people come to work in a particular area

VinciWorks’ eLearning courses are designed to teach employees to identify vulnerable areas when it comes to choosing and working with external suppliers, and also what the tell-tale signs of Modern Slavery are and how to report them.