Compliance fundamentals, cyber and data awareness, supporting new parents, domestic abuse lived experience, neurodiversity guide
The EU’s General Data Protection Regulation (GDPR) marks its fourth anniversary after coming into effect on 25th May 2018. Since then, it has paved the way for other data protection regulations, including the CCPA, and 1.6 billion euros of fines have been issued.
While the UK has adopted its own version – UK GDPR, companies of all sizes continue to fall short of GDPR compliance due to data protection violations such as data breaches.
Four years on, despite the record number of fines issued by the Information Commissioner’s Office (ICO) over the past financial year (2020/21) at £42m, organisations have taken complying with GDPR and other data protection regulations more seriously.
Unfortunately, recently, the ICO fined facial recognition database firm Clearview AI £7.5 million for breaching UK data protection rules – which is still a significant reduction from its original fine of £17m in November 2021. The organisation was fined for developing an online database by collecting over 20 billion images of people’s faces and data from publicly available information sources on the internet and social media. It did not notify any of the individuals involved that their images were being collected or used in this way – which goes against data protection regulations.
What’s the biggest challenge with GDPR?
We spoke to our CTO, Jason Stirland, who highlighted, “the biggest challenge with GDPR remains that it’s not always fully understood by employees.
“This is why regularly refreshing data protection training in all employees is crucial – no matter their level – as it ensures that every employee understands their GDPR obligations to protect themselves and the organisation.
“Data breaches can happen for several reasons, and with employees being the most vulnerable resource, human errors will tend to occur. Be that as it may, reducing the likelihood of data breaches happening remains an organisational responsibility to train employees on cybersecurity awareness training – e.g., learning how to spot a phishing email and not sharing any personal or confidential information with third parties.”
GDPR and the Great Resignation – Is there an impact?
Jason revealed that the pandemic created pathways for significant people changes in organisations of all sizes, thanks to the Great Resignation.
“With this in mind, organisations must remember to do their due diligence and ensure newer team members are provided with GDPR training to ensure compliance. It’s worrying how many organisations fail to consider this within the onboarding process, especially with many employees now joining companies on a remote working or hybrid basis – ensuring they can learn this from home will be vital.”
If you’re looking to reduce GDPR training gaps within the onboarding process or improve GDPR compliance overall in employees, then take a look at our data protection courses and get in touch with us today for a free demo.
More than 300 Spar convenience stores have been affected by a significant cyber-attack on its company’s IT systems. Many of these stores have been forced to close until the true extent of the damage can be assessed. Any stores that have managed to stay open are operating on a cash-only basis, due to the damage caused to Spar’s till systems by the attack.
What caused the Spar’s Cyber Attack?
The exact details of exactly how Spar’s systems were compromised is yet to be discovered. However, it has already been disclosed that they had fallen victim to a Ransomware attack. This usually indicates that there has been a successful Phishing attack, or that someone in the network has downloaded a malicious file.
How does a Ransomware attack work?
Ransomware is a form of malware, and the key to its objective lies in the prefix, ‘ransom’. Ransomware infects organisation’s IT infrastructure in much the same way as most Malwares, e.g., through targeted phishing attacks or malicious downloads, and its purpose is to hold the owner to ransom. Users – and indeed entire organisations – are locked out of their systems and told to pay a ransom (usually in hard to trace cryptocurrency) in return for unlocking the device.
Once the ransomware has accessed an organisation’s system, it works to either encrypt the entire system or else targets individual files, depending on the type of Ransomware and the cybercriminal’s intent. Once the files are encrypted, the owner can then be locked out of their system until they either pay the fee or decode the attack. It is worth noting advice here not to pay the ransom, since there is no guarantee the hacker will return access to your system.
What types of Ransomware are there?
- Crypto ransomware – individual files are encrypted with this form of attack.
- Locker ransomware – basic computer functions/system functions are affected.
Crypto Ransomware – what is it?
There are 2 ways which crypto ransomware is usually delivered:
- Files and links sent via email, instant messaging services or other digital communication channels.
- Downloaded onto a device using fake alerts and threats while utilising exploit kits and trojan downloaders.
Email, instant messaging, and digital communications
Exploit Kits and Trojan Downloaders
Locker ransomware – what is it?
In some circumstances users that are not tech savvy may not realise they are being defrauded.
The solution is simple…
How to detect ransomware
Prevention is made up of two components,: a watchful eye and market-leading security software.
How to build a watchful eye
Businesses should have an annually refreshed, mandatory cyber security training programme to ensure employees understand the basics of how to spot and combat cybercrime. This is not only helpful to an organisation’s cyber safety, but it can be applied at home by employees too.
There needs to be a culture of compliance created within the working environment to help develop a watchful eye in every employee within the organisation.
We offer a comprehensive range of Cyber Security and Information Security courses to help your business defend itself again cyber criminals.
Common Ransomware methods once a system infection has started
Once a system has been infected by a download or link click there are some tell-tale signs that individuals should look out for.
Illegal content claims:
- Cybercriminals pose as law enforcement or a regulatory body.
They will claim to have found illegal content on the infected computer and will ask for a penalty fee to be paid. - Unlicensed applications:
Much like the above, the cybercriminal will ask for a fee to be paid due to an unlicensed programme.
Unfortunately, most of the time, once a system is infected, a cybercriminal will be less shy about ransoming an IT system than the above examples. Much like Spar’s example, businesses systems are shut down with no warning by the attacker. It is critical to use a comprehensive security software package, as well as training staff to be a businesses first line of defence against cyber-attacks.
Ikea Targeted by a New Phishing Scam
A new type of phishing attack has been uncovered after flat-pack furniture giant, Ikea, launched an internal investigation after noticing several malicious emails circulating throughout the business. Email Chain Hijacking is a new type of phishing scam that takes advantage of a weakness found in Microsoft Exchange servers.
Ikea adequately protected against the attack by encrypting all personal data. However, many other businesses remain vulnerable to this new type of attack.
What is Email Chain Hijacking?
Email Chain Hijacking is a key identifier of the prevalent SquirrelWaffle malspam campaign, which takes advantage of a vulnerability in Microsoft Exchange Servers. SquirrelWaffle malware enables cybercriminals to gain a foothold inside organisations IT systems, allowing them to deploy further system infections such as Quakbot, a well-known banking trojan.
Usually, with phishing attacks, imposter emails attempt to mimic an organisation’s emails and domain. Once an individual clicks on the link, malware is downloaded and the systems are infected. With Email Chain Hijacking, emails are sent via the organisation’s actual servers. Cybercriminals reply to existing email chains and embed malicious links or attachments within them.
Once the hacker has access to an individual’s email system, they find an email chain to use and then reroute the replies to a separate inbox, such as the trash folder. The person’s email they are using never see the replies in the email chain, which means the attack can go untracked for a long time.
This method makes it incredibly difficult for individuals to spot the phishing attack and react since emails don’t just look like they are from their colleague’s email addresses, they actually are.
How can Your Business Protect Against Email Chain Hacking?
There are a number of things to do to guard against an email chain hack. These include:
- Ensure all email accounts use security best practices. This includes setting secure passwords and using multi-factor authentication.
- Regularly inspect email and inbox settings. Look out for rules that weren’t created by the user that intend to filter replies into a different inbox. If you spot this, contact your IT team immediately.
- Disable all Microsoft Office Macros where possible. Macros allow a user to personalise automatic and manual email replies and are a common vehicle of attack.
- Ensure your business has a quality and trusted Endpoint Detection and Response (EDR) security provider in place. If an email chain hack is successful, an EDR can stop the malicious code hidden in links and attachments from being executed.
- Increase your organisation’s knowledge with comprehensive training designed to increase their awareness of cyber-crime and their responsibilities to protect their organisation.
DeltaNet Cyber Security Collection
We provide a comprehensive collection of courses designed specifically to build awareness, knowledge, and capability to fight cyber-crime such as phishing. You can find out more here.
In addition to this, we have developed a revolutionary Phishing Simulation Tool. The tool allows organisations to test their employees’ resilience against phishing in the real world by staging simulated phishing attacks. You can send fake phishing emails to anyone and everyone in your organisation and report on performance. The Phishing Simulation Tool will make cyber risk owners aware of anyone who has failed the test, allowing for further training to be provided and increasing your organisation’s defences against phishing attacks and cybercrime.
General Data Protection Regulation (GDPR) has been around long enough for us all to understand it’s basic data protection principles. While the regulation itself may not be new to businesses anymore, there are still new businesses, processes and situations appearing every day across the world. These new businesses, processes and situations must still comply with GDPR.
This blog looks at the 7 key principles of GDPR, what they are and what businesses are expected to do to comply with them, and how to ensure GDPR compliance in 2022.
What are the 7 Key Principles of GDPR?
There are 7 principles of the General Data Protection Regulation which all businesses should be aware of. By creating a culture of compliance around these principles, organisations can rest assured they are well on their way to GDPR compliance.
Setting the scene
To practically demonstrate how the 7 key principles of GDPR can affect business practices, we will follow a newly created company, NeltaDet, as they begin their journey to be GDPR compliant. NeltaDet is building a mailing list to receive a monthly compliance newsletter. They aim to capture website visitors’ details through their online newsletter sign up form or an opt-in tick box on their product enquiry form.
Lawful, fair and transparent
The first GDPR principle consists of 3 components:
1. Lawful – this refers to the gathering of people’s data. There must be a lawful reason for you to process personal data. There are 6 legal reasons deemed as lawful, these are:
- Consent
- Contract
- Legal Obligation
- Vital Interests
- Public task
- Legitimate interest
More information on these can be found here.
2. Fair – this refers to the scope of personal data processing. This should be limited to what is expected by the person whose personal data is being processed.
3. Transparent – when dealing with an individual’s personal data, GDPR guidelines require you to communicate clearly and simply about how that person’s personal data is intended to be used.
For NeltaDet, using a voluntary form and tick box for website visitors to sign up to would be classed as lawful consent. Transparency is achieved by informing the visitor about the compliance newsletter and how their data will be handled by pointing towards NeltaDets privacy policy. When processing the data, NeltaDet would have to be careful to ensure they only used the data fairly, for example it would be a breach of GDPR to use this data to send Health and Safety training emails to.
Purpose Limitation
Purpose limitation ensures that businesses only process data for it’s original purpose. Personal data should not be used for purposes that it wasn’t originally intended for – if it is used for another purpose then the individual, and business, responsible could be fined or have criminal charges pursued.
NeltaDet’s newsletter signup process automatically stores the IP address of the individual on sign up. At the time, this was so NeltaDet could keep a record of how and when NeltaDet gained consent to send the newsletter to this individual. However, someone in the marketing team now wants to repurpose this personal data and use it to send out geographically targeted email campaigns based on their IP addresses. This breaches GDPR and could result in a fine and or criminal charges against individuals and the business. Information should only be used for the purposes originally stated when collecting the data.
Data Minimisation
When collecting customer information, it can be tempting to collect as much data as possible to maximise the information you have on your customer database. However, the GDPR principle of data minimisation requires businesses to only collect the information they need. Long gone are the days of long sign up forms and endless questions. GDPR ensures that the collection of personal data collection is minimised to what is needed, not what is wanted.
For NeltaDet’s compliance newsletter sign up form they should only be asking for two pieces of information – the individual’s name and email address. This is the only information required to send their newsletter and no other information should be requested.
Accuracy
Any businesses data should – at the very minimum – be accurate regardless of GDPR. However, under GDPR guidelines, personal data should be maintained and kept up to date. The data controller and/or data processor should take reasonable measures to ensure personal data remains up to date.
The ICO states that where a business uses it’s own sources to compile personal data, then it should ensure that the information is accurate. Despite this, sometimes, you may not be able to check the accuracy of the information that comes from a third party. In this case, you should:
- accurately record the information provided;
- accurately record the source of the information;
- take reasonable steps in the circumstances to ensure the accuracy of the information;
- and carefully consider any challenges to the accuracy of the information.
Regarding NeltaDet’s situation, they should ensure that their data controller/processor regularly cleans their data and ensures it is accurate. It would also be good practice to give all subscribers a preferences portal where they can manually edit their own personal data and unsubscribe if they want to, helping to ease the workload for NeltaDet and improve the quality of their data.
Storage limitations
Under GDPR, businesses should not store data for longer than they need it. They should also be able to justify why any data is stored. It is good practice to develop a data retention policy that stipulates how long personal data will stay on file – this helps to satisfy GDPR documentation requirements.
Much like the principle of data accuracy, businesses should review the personal data they hold regularly. Any data that is no longer needed should be erased regularly to meet storage limitation guidelines, and business data is kept clean.
Individuals also have the ‘right to erasure’ which allows them to request their data gets deleted. However, there are scenarios where businesses can still store personal data even if an individual has submitted an erasure request. To better understand the right to erasure, check out our Right to Erasure online training course.
For NeltaDet’s compliance newsletter, storage limitations are straightforward. The individual provided consent to use their data to receive newsletters, and NeltaDet has implemented a preferences management portal to help subscribers make their data more accurate. When an individual unsubscribes from the compliance mailing list, their data must be deleted from the system, if they are not subscribed to anything else and are not a customer. This is because their only purpose to hold their data was to provide them with the compliance newsletter. Once they unsubscribe, they no longer have a reason to store this data.
However, if the individual unsubscribing from the compliance newsletter is an existing customer with active subscriptions to their other newsletters, then NeltaDet can continue holding their data on the system, without sending the compliance newsletter to them.
Integrity and confidentiality
GDPR’s integrity and confidentiality principle derives from two sides of the CIA triad. This principle ensures any business dealing with personal data has appropriate security measures in place to protect it from both internal and external threats.
Integrity – refers to protecting personal data from manipulation, ensuring information stays correct.
Confidentiality - refers to protecting personal data from unauthorised access. Ensuring cyber criminals and other unauthorised people cannot access a business’ stored data, keeping it confidential.
NeltaDet needs to ensure it has proper systems in place to ensure its data is secure. Deploying a password-protected system like a CRM is a great place to start, but this is just a basic level to protect the personal data a company holds. Discover our range of data protection courses here.
Accountability
This is the final principle of GDPR, and it is concerned with taking accountability for GDPR compliance in a business. Accountability should involve more than just tick-box exercises. It requires organisations to take responsibility for their actions, and how they comply with the other GDPR principles. Organisations must demonstrate that they have appropriate measures and records in place to highlight their accountability.
Looking at NeltaDet’s compliance newsletter, NeltaDet must highlight the lawfulness principle/consent given by the individual, as well as documenting how they initially proposed to handle this data. Then ensuring they complied with the rest of the GDPR principles, documenting their compliance procedures and any potential risks or breaches of GDPR.
How to ensure GDPR compliance in 2022
Training. High quality, comprehensive training for all staff is the only way to ensure GDPR compliance in 2022. GDPR is a vast landscape that affects every person and every department within an organisation. High quality, thorough and regular training is essential to ensure GDPR compliance. Non-compliance can be significantly financially and reputationally damaging. Employees can also face potential personal liability in a court of law. Every individual in a business should understand their role to play in assuring GDPR compliance.
eLearning has evolved, and 2022 is looking to be the real post-Covid test businesses will face. Production is due to rise and employees are reluctant to return to the workplace full-time, bringing a new set of challenges. Traditional in-house training and compliance procedures no longer work, and a switch to digital training has already begun. Organisations must ensure they switch to online GDPR training or face potential compliance issues in the future. An organisation’s GDPR compliance is only as good as its weakest link.
We provide a comprehensive collection of online data protection courses which your business can use on our Astute eLearning platform (optional). Our courses are CPD accredited and have been developed alongside GDPR and Data Protection experts to ensure their content is accurate and engaging. By utilising our Astute platform you easily identify and close any skills or knowledge gaps, learn on the go with a tablet or smartphone with our cloud based support, easily report on GDPR training to assist GDPR compliance and much more.
For NeltaDet, using a voluntary form and tick box for website visitors to sign up to would be classed as lawful consent. Transparency is achieved by informing the visitor about the compliance newsletter and how their data will be handled by pointing towards NeltaDets privacy policy. When processing the data, NeltaDet would have to be careful to ensure they only used the data fairly, for example it would be a breach of GDPR to use this data to send Health and Safety training emails to.
Phishing is a type of cyber-crime, in fact it’s one of the most common types of cyber-crime organisations encounter, costing, on average, just under £3M per successful attack.
Phishing works by targeting individuals, or entire organisations, via email, telephone, or text message and posing as a legitimate person/business requesting users to click on links to perform some type of action.
Phishing attacks often ask users to ‘confirm’ and share personal data such as passwords or credit card information, but the links contained in these types of attacks can also download malicious software, such as ransomware, onto the unsuspecting users’ computer.
Common features of phishing
Depending on how sophisticated the scammer is, phishing can take many forms and appear to be from a myriad of legitimate-looking senders. However, there are common characteristics to look out for when spotting phishing attacks:
- Congratulations! – Often phishing scams are wrapped up the disguise of a lucrative deal or offer intended to grab people’s attention and make them feel excited and/or lucky. You may have ‘won’ a competition or else be offered the chance to invest in a wonderful (but totally fictitious) product. Remember, if it seems too-good-to-be-true, it probably is.
- Urgency – Phishing scammers don’t want to give you time to think, it’s one of the reasons people at work are more likely to fall for these types of attack – their thoughts are on other important tasks. Cyber-criminals want you to act fast, so if you encounter an email pushing a sense of urgency or insisting you do something ‘immediately’, it’s best to think twice. Legitimate organisations are unlikely to give you little time to act.
- Links – If you’ve received a message asking you to click on a hyperlink, you can hover over it to view the actual URL it points to. Double check if this URL seems legitimate (is it misspelled? Does it seem to lead to a completely different website from where the source purports to be?). When in doubt, do not click! Visit the source directly and contact their customer team.
- Attachments – if you spot an unexpected or strangely uncontextual attachment in an email, do not open and delete it immediately. Very often these files contain malware or viruses that automatically download to your device.
- Beware the sender – Keep an eye on the sender’s name; if you recognise it, ask yourself whether the tone of the email seems unexpected or out of character. If you’re in doubt, contact the person separately and check whether the message is real. If the sender is unknown to you, it’s ok to be suspicious about why they would contact you and how they got your details. If you’re unsure, it’s always best practice to forward the email to your IT department or contact the source directly yourself.
Common types of phishing to look out for
Whilst the goal of any phishing scam is to steal personal/sensitive data, there are many different types of phishing your employees should be aware of:
Email phishing
Not news to many of us, most phishing attacks are sent by email. Here, cyber-criminals register fake domains that impersonate genuine people or organisations, sending hundreds of thousands of generic requests to individuals, hoping just 1 or 2 will succeed in scamming somebody. Usually, the fake domain involves character substitution, e.g., using ‘r’ and ‘n’ next to each other to create ‘rn’ instead of ‘m’. Alternatively, the criminal may use the impersonated person or organisation’s name in part of the fake email address, hoping it will con a distracted recipient into thinking the address is legitimate.
Spear phishing
Spear phishing is a type of email phishing, but it involves targeting only one specific person or group of people (hence the ‘spear’ symbolism). Cyber-criminals who engage in spear phishing will already have some, or all, of the following information about the victim: name, workplace, job title, email address, information about their job role, social media account information and posts, friends list. This type of information-gathering is a form of social engineering and it works because it allows cyber-criminals to launch more targeted phishing attacks that look and feel more personal and therefore, more genuine. An example of spear phishing would be an email from your ‘manager’ asking you to click a link and complete a genuine-sounding task.
Whaling
Whaling attacks are an even more targeted form of email phishing and are designed to go after the ‘big fish’, e.g. senior management or the ‘C-suite’. Crafted with a solid understanding of business language/tone, whaling is a type of fraud designed to encourage victims to perform a business-related action, e.g. transfer funds or file tax information. Similar to other phishing attacks, whaling is often accompanied by a sense of urgency and preys upon the fact that their target will be busy and stressed-out by the request.
Smishing and vishing
In the instance of both smishing and vishing, telephones replace emails as the vehicle of attack. Smishing involves criminals sending text messages (the content of which is much the same as with email phishing), and vishing involves a telephone conversation. A common vishing scam, for example, involves a fraudster posing as a bank or credit card representative and informing the victim that their account has been breached. The criminal will then ask the victim to provide payment card details to ‘verify’ their identity or to transfer money into a ‘secure’ account – of course, this account really belongs to the criminal.
Angler phishing
Referring to the ‘hook’ aspect of real fishing, angler phishing is a specific type of phishing attack that exists on social media. Using social platforms, attacks are launched from realistic-looking corporate social media accounts that, in actual fact, exist to post malicious URLS to cloned websites, and which propagate fake posts, tweets, and products. These accounts may also contact followers, urging them to divulge sensitive information or click links to download malware under the guise of a ‘competition’ or similar corporate marketing that mentions specific users.
How effective is your phishing awareness training? It’s easy to find out with our new phishing simulator tool! Click HERE to find out more.
We had hoped that 2021 would bare little resemblance to 2020, the year everything stood still. While this unfortunately hasn’t been the case, there is one group of people who haven’t been on pause – Phishing Scammers.
During the 2020/2021 global pandemic, the Federal Bureau of Investigation (FBI) reported that phishing scams increased from 114,702 incidents in 2019, to 241,324 in 2020/2021. Alongside this, the scams themselves have become more elaborate and more convincing. So here is a rundown of the phishing scams you need to be aware of in 2021.
Office 365 Phishing Scam
With employees having to spend the last 18 months working from home,, this scam has been developed to mimic a company’s IT department, asking people to respond if they want their details to stay the same on their Office 365 account. Once the individual clicks on the link, the scammer then gets access to their computer. With employees not being able to visit their IT department, this phishing campaign has had some success. So, here is what to look out for to stop it from happening to you:
- Check the sender email – is this actually your IT department?
- Is it asking for unusual or personal identifiable information?
- Bad grammar, or a different tone to usual?
- Poor quality artwork/logo?
If you spot any of the above are inconsistent, or something smells a bit phishy, then get in touch with your IT team to find out.
Vaccine phishing emails
With the Covid-19 vaccine rollout in place around the world, phishing scammers are taking advantage of people wanting to get their vaccine by sending emails posing as official NHS emails. Things to watch out for:
- Asking for you to open an attachment to book your vaccine, or to access vaccine appointment details. The official NHS emails will not ask you to do this. Remember, do not click on a link in the email until you are sure it is legitimate.
- An urgent and/or capitalised subject line. Official vaccine sources are less likely to capitalise their entire subject line, and will appear more professional and less panic-inducing.
Here is an example of what the Covid-19 Vaccine pishing emails look like:
Royal Mail or other courier phishing emails/texts
With the reliance on online shopping during the pandemic, scammers have been exploiting this with fake courier emails and texts. Due to the increasing numbers of parcels being delivered, phishers have been finding success in sending missed delivery, or shipping fee emails/texts with phishing links attached. Most of the time, people are waiting for a delivery, so this can seem legitimate. Some things to look out for:
- A missed delivery email/text when you haven’t ordered anything. These emails/texts work by scaring you to think someone has ordered something on your behalf, making you click on the link. A tip is to check your bank first, have there been any unusual transactions? If not, then contact the Royal Mail (or the other dedicated courier) on their dedicated scam helpline ([email protected]). They will be able to confirm if it is genuine, or a scam.
- ‘Unpaid shipping costs for your package’ – these are less believable, but they do sometimes catch people off guard. After all, you only have to click on the link, and with more people ordering from international sellers, shipping costs/tariffs is becoming more of an issue.
If you receive these kinds of communications, do the usual checks. Does this email look genuine? Does it have bad grammar? Who is the sender? If you are still unsure, contact the courier directly.
While these are some of the trending phishing scams over the past year, they are not the only ones being used. The sad reality is that new phishing techniques will be developed every day. However, there are things you can do to protect yourself and your business.
Click here for our tips on how to spot a phishing email, and here to help your business develop knowledge on cyber security and phishing with our Cyber Security eLearning collection.
After spending time and effort deciding upon the right cyber-security training solutions provider, agreeing and implementing said training, and then overseeing the roll-out with employees, you’d be surprised how often businesses drop the ball when it comes to measuring the fruits of their labour.
If you don’t measure the results, though, how can you know for sure the training is working? How do you know you’re doing enough to protect your company?
The good news is, you’re reading this article! So, here are some key principles and useful tools to bear in mind when measuring the effectiveness of your cyber-security training:
Identify skills gaps
Skills gaps are deficiencies in performance caused by lack of skills for, or knowledge about, the workplace (for instance, keeping business information secure).
In the short term, the goal of training is to bridge these gaps through a series of learning interventions; the desired outcome here being the mitigation of their effect upon business performance and metrics.
In the long term, however, your training solution should seek to identify and rectify the root causes of such gaps and help to improve processes around these areas. In other words: to remove the gap from occurring in the first place.
To achieve both these long and short term goals (and to measure their progress over time) you’ll need access to information, and that’s why it’s important to …
Test your employees
Did you know that the latest cyber-attack trend data for the UK shows the majority of data breaches began with a phishing attack?
Every day 156 million phishing emails are sent and 16 million of these get through security filters into inboxes.
What’s more, 8 million phishing emails are opened and 800,000 malicious links in those emails are clicked.
80,000 recipients fall for phishing scams every. Single. Day.
One surefire way to test if your cyber-security awareness training is hitting the mark is to test it – and not only by using knowledge-based quizzes and surveys. Rather, software such as phishing simulators can be used to conduct fake phishing attacks within your company – across a range of different industries and targeting specific audiences (e.g. aimed a C-suite, aimed at finance, fake social media accounts, and so on).
By integrating tools like phishing simulators into a Learning Management System (such as the one your eLearning is hosted on) it’s easy to see campaign reports (open rates, click rates, deletion figures, etc..) and diagnose which employees require further training and reinforcement activities straight away.
Up your reporting game
xAPI (or Experience API) is a file format for storing and retrieving all the data from your learning experience in the form a data-based ‘statements’. These are then stored inside a Learning Record Store (LRS) for each employee.
Using xAPI, then, it’s easy to collect and anaylse data from a whole range of learning experiences (even those carried-out outside a browser; mobile apps and so forth) and – when it comes to learning analytics – this is great news! It means we have the ability to track employee progress over time, monitor performance pre- and post-assessment, and measure engagement across entire programs of learning.
These insights build a real picture about the effectiveness of your chosen training solution and, when used alongside an intelligent learning platform, can be used to create targeted learning journeys designed to fill any gaps in knowledge and increase the training’s potency.
Check your culture
Admittedly, measuring a compliance culture seems rather difficult, but that’s not to say it’s impossible! Businesses might use anonymous surveys, for example, to measure attitudes, behaviors, and employee impressions – these answers can be very useful when it comes to giving an idea of why people continue to take risky actions (e.g. using overly-simple passwords or leaving screens unlocked) despite having had training against this.
Measuring employee impressions in this manner is useful information to have, particularly before you embark on a new cyber-security training program, as it can be used to measure behavioural change and attitudes along the way.
Insights over time, such as how employees react when observing and/or reporting cyber-security incidents, how they view the ‘tone from the top’ (i.e. management commitment) when it comes to cyber-security measures, as well as whether they feel compliance is communicated effectively and how engaging their training is, can prove invaluable when it comes to the nitty gritty of your training’s efficacy.
After all, qualitative insights from surveys can help you change behaviours and reduce risks – but it’s important to note that finding an overall quantitative cultural metric is equally important. It’s only through quantitative metrics that behavioural improvements can really be measured and sought.
GDPR Compliance – what’s going wrong?
Three years on from the biggest shake up to modern day data regulation, you would be forgiven for thinking businesses ‘get-it’ when it comes to GDPR. Unfortunately over 2020-2021 Google (twice…), Amazon, H&M, British Airways and Marriott among others, have all faced fines that add up to an eye-watering £100+ million.
Some of these fines come from data breaches and unsecure cyber security practices, while in the case of BBVA’s five million euro fine, it was due to a lack of clarity in their privacy policy, and their improper use of customer data preferences.
Three years from the launch of GDPR, American Express (Amex) has been fined for spamming its customers with over 4 million emails by the UK data protection regulator, ICO.
Listen to customer preferences.
It seems that Amex forgot one of life’s basic principles – ‘there is more to listening than not talking’. They gave their customers an accessible preference sheet and allowed them to choose what communications they would receive. However, they decided to keep talking to their customers, sending over 4 million marketing emails to customers who had chosen not to receive marketing communications. Amex argued that these emails were about ‘servicing’ and were not marketing emails. The ICO disagreed after receiving complaints from numerous customers, and fined Amex £90,000.
While this is a contender for the most expensive email marketing campaign ever, it is also a perfect representation of why business-wide understanding of GDPR is so important to an organisation’s overarching operations and reputation.
GDPR lessons:
There are many lessons to be learnt from Amex’s mishandling of customer data. The first being that it is vital to allow your customers to manage their data preferences. It creates a positive experience for the customer and removes the human error factor in data preference handling.
Secondly, have strictly defined preference parameters for all communication. Amex had the foundations in place to have good data handling procedures. They had customer-led preference management, and well categorised preferences for all to understand in the business.
Thirdly, educate your workforce. Amex’s downfall sits somewhere in between their workforce not understanding the difference between servicing communications and marketing communications, and decisions being made to use personal data in a way that it wasn’t supposed to be.
Achieve GDPR best practice with our Online Data Protection Courses
The single best way to guard against breaches of data protection is to educate your workforce. If all employees understand the basics of GDPR, and how they can help their organisation stay compliant, the risk of fines by governing bodies and the subsequent reputational damage is minimised.
We provide expert GDPR e-learning courses to help businesses stay ahead of the GDPR curve. Click here to discover how we can help with your GDPR and other data protection needs.