Cyber security may be about to become more than AOB for organisational boards across the country. British Airways has been struck with a record-breaking £183-million fine as a result of its data breach last year in which around 500,000 customers had their data stolen, including credit card and CVV numbers. This is perhaps the first example of the ICO really flexing their fining muscles post-GDPR, which allows for a maximum fine of up to €20-million or 4% of annual turnover (whichever is greater) for non-compliance.
We spoke briefly about BA’s data breach when it happened. The crux of our article was that compliance does not equate to security, and our stance has not changed. Whether it’s PCI DSS, ISO 27001 or Cyber Essentials, compliance isn’t a magic shield that wards off hackers. Of course, these standards help, but businesses need to be continually reviewing and testing their security strategy throughout the year regardless. If they don’t, they’ll get breached no matter how many signed certificates they have.
Contrary to what you might think, regulatory bodies don’t tend to go for the scarily large numbers just because they can. BA’s £183 million might seem a touch steep if you compare it to Facebook’s relatively paltry fine of £500,000 for its role in the Cambridge Analytica scandal. Considering the social media giant racked up $40 billion in revenue in 2017, they probably didn’t notice a casual half a million slip away to the ICO. However, it’s worth noting that this case had to be reviewed under the Data Protection Act, not GDPR. £500,000 was the maximum fine back then in the careless heyday of a pre-GDPR world. Had the whole thing occurred just a short while later, things could have been a lot worse for Zuckerberg and crew.
The BA data breach occurred after that fateful day of May 25th 2018 and, therefore, was subject to the full wrath the legislation allowed. It should be noted that the airline plans to dispute the decision, which is legal speak for spluttering “how much?” However, the ICO have been quoted as saying British Airways had “poor security arrangements” where customer information was concerned. Seeing as customers were unwittingly being diverted to a fraudulent website, it seems hard to argue with this statement. Best practices were probably not being followed.
Whilst BA has cooperated fully with the ICO, they were still responsible for the protection of their customers’ personal data. If there were indeed “poor security arrangements” in place, then they did not take this responsibility seriously enough. Article 32 of GDPR stipulates that the “appropriate technical and organisational measures” should be in place to ensure the security of personal data. At this point in time, it doesn’t seem like this was the case for BA. That is one possible reason for the large fine.
Whilst it may be difficult for BA to see the positives in this, there are some to be seen from a cyber security perspective. If there’s one thing the higher-ups at companies hate, it’s losing money. The more zeroes on a loss, the more they hate it. It could well be that the ICO has implemented such a large fine to wake businesses up to the severity of the situation. They have a duty to protect their customers’ data and, if they fail in this duty, there’ll be more than just reputational damages to consider.
I can see various suited board members across the country – perhaps even the world – leaning forward and taking note. This note will be ‘get better at cyber security’. It will be in capital letters and underlined twice.
An example has been made, and if companies don’t react, they’ll suffer a similar fate. Ripples may already be in motion. Cyber security will rapidly move up the agenda for all businesses, regardless of size, and customers will benefit from knowing their data is in safe hands.
As Bulletproof co-founder Oliver Pinson-Roxburgh states, “businesses need to get cyber security right, and it’s not necessarily that costly a process, especially when you consider the potential cost of a breach. Regulatory fines are just one aspect, there’s the cost of mitigation, the potential loss of customers and reputational damages to consider.”
GDPR is with us to stay and organisations will have to take their responsibility over customer data seriously. This means having the right tech and management processes in place to ensure security is as tight as it can be. This fine levied at British Airways may well encourage others to get it right before it’s too late. Penetration tests, effective log monitoring, active threat hunting with managed SIEM and proper training are all integral to a strong security strategy and will help your organisation avoid these hefty fines.
Joseph is a Communications Executive and Security Blogger who has contributed articles covering a range of topics including staying ahead of cyber threats.