Corporate or start up: who’s most at risk?

Joseph Poppy
Security Blogger
14th December 2018

Big breaches for big targets

2018 is rapidly drawing to a close. The winter chill is setting in and a festive spirit permeates the air. 2019 is hurtling towards us carrying the promise of new challenges and opportunities. However, there are still a couple of weeks left to squeeze in a few more massive data breaches.

From Ticketmaster, Dixons and British Airways to Quora and Reddit, we’ve seen thousands of payment cards compromised and millions of users’ details stolen. Marriott tops the list, with data on roughly half a billion guests compromised. Worse, the attackers had had access to the reservation database since 2014, a four-year dwell time that is exactly what a quality SIEM and proper log monitoring are meant to catch. Everyone is at risk of a cyber-attack, but one could be forgiven for thinking that it’s only the major players getting targeted.

New companies are cropping up everywhere. This is partially due to that great enabler called technology. With simple apps that help process payments, manage payroll, orchestrate HR and more, it’s becoming easier and easier for entrepreneurs to make their vision a reality. In March 2018, it was claimed that a technology firm was set up in the UK on average once every hour. Clearly then, the SME market is a huge source of potential revenue for malicious actors.

43% of businesses experienced a cyber security breach or attack in the last 12 months.

Recent events do raise the question as to just who is most at risk. Breaking it down by industry will take some doing (though financial institutions often rank highly on that list for obvious reasons), but the start-up vs corporate environment is an intriguing question. Who’s more at risk, the multi-national conglomerate or the start-up company of twelve? The big vs small comparison has many aspects that are worth considering and consider them we shall.


More to gain but harder to get to

Generally speaking, the hacking community has more to gain from the larger companies. This could be financial gain, through stolen banking data, ransomware or stolen card details for example, or it could be in the sheer amount of data up for grabs. In the case of Quora, Reddit and Marriott, hundreds of millions of users had their data compromised. What this data consists of can vary from company to company, but all will undoubtedly contain email addresses, which can be sold on the dark web. These will likely be used as targets for phishing campaigns or – if more information is known – in identity theft. As it stands, more information usually is known. In the case of Marriott, details included addresses, phone numbers, birth dates, encrypted credit card information and even passport numbers. All this information is valuable to someone.

However, contrary to what the recent string of hacks might suggest, these larger companies will usually have ‘better’ security. Many hold certificates for various compliance standards, which, whilst not equating to security, should at least mean they have processes in place to protect data. They also have more money, which means they can invest in better security tech and monitoring. Their environments will have been set up and configured by dedicated infrastructure experts and their apps will have had thorough penetration testing.

What all this means is that hackers will really have to know what they’re doing and be extremely determined to get in. In some respects, this works in larger corporations’ favour, as attackers, like everyone else, are naturally lazy. Even when it’s a case of sitting at a computer, people will want to do the least amount of sitting at a computer as possible, and a hardened target costs more effort per pound of return.


The path of least resistance

On the other side of the cyber coin, smaller companies will tend to have less money, and therefore fewer defences. Their infrastructure may well have been thrown together haphazardly as they started to grow and then maintained by someone who isn’t an expert or someone who’s fulfilling multiple roles. Patching may not be as well managed, and apps might not be as thoroughly tested for security flaws.

This means that it’s theoretically easier to get through their defences. Whilst there may be less to gain, it’ll still be a gain and, as it requires less time and effort to get to, it’s worthwhile. It’ll certainly be worthwhile if the company is processing payment card data. In this respect, smaller businesses may seem like the target of choice. It’s an easy win, even for the less knowledgeable hackers.


Phishing tactics and other social engineering

Phishing is arguably the easiest way of compromising a network. Why go through all the trouble of trying to exploit technical flaws or avoiding firewalls when you can just get a member of staff to let you in? You wouldn’t try and slide down a chimney if someone’s holding the door open for you (unless of course you’re Santa, in which case tradition demands it).

The more people you have in your organisation, the more likely it is that someone is going to open that dodgy attachment or click a malicious link. If everyone’s in the same room and an email drops into a mailbox claiming to have an invoice attached, Jenny could poke her head up and ask, ‘anyone expecting an invoice?’ When the answer is no, it can be deleted, and the sender blocked.

In contrast, larger companies have various different departments working independently, with hundreds of emails firing back and forth. It’s likely that users will think that said attached invoice has something to do with someone else, and the easiest way to find out who is to open it up and see what was ordered. All of a sudden, every file on the network is encrypted with ransomware and, once again, Chaz the intern is getting thrown under the bus.

Social engineering doesn't have to be sophisticated.

Bulletproof have conducted various red team tests in which we’ve managed to bluff our way into offices and data centres, mostly by exploiting the innate politeness ingrained in the British. This is much easier to do in larger companies. People are less likely to question letting someone they don’t know into the office, because they’re probably just the new starter in customer care. This is next to impossible in small businesses where everyone knows everyone.

So, from a social engineering perspective, it’s larger companies that are more likely to suffer from it. Not that smaller companies don’t of course.


Cyber Security Training

The best mitigation against social engineering is education. Cyber security training is rapidly becoming an essential part of every company’s security policy and is often a requirement of compliance packages. Regular training sessions can be expensive, and the more members of staff you have, the more sessions you’ll have to book, which is why larger companies tend to opt for e-learning modules. These tend to take the form of slides followed by a multiple-choice questionnaire. The effectiveness of these is debatable, in that some people think they’re terrible and others think they’re really terrible. The best kind of training consists of engaging and interactive sessions with security experts. Coincidentally, Bulletproof provide these.

Larger companies will have to book more sessions in order to train all their staff, but they do have the funds to do so. Whilst smaller companies have a more limited budget, they’ll only need to book a few hours to train all their staff. So, for both big and small, arranging proper training will hardly bankrupt them.

Larger companies are more likely to pay a little extra when booking a penetration test in order to include a social engineering element. Following this, they’ll be able to focus on their problem areas and tighten their procedures. So, from a training perspective, we have a bit of a stalemate between the big and the small. Both are susceptible to social engineering, but to a different extent. We’ll always say larger companies are in the most danger, simply down to the sheer numbers.


Third party apps

I think it’s fair to say that smaller businesses will tend to rely more on third parties than larger ones. The aforementioned outsourcing of HR, payroll and payment processing springs to mind. This helps keep costs down, but also means relinquishing a great deal of control. If the company handling your payroll gets breached, then by extension you have been breached, and you will usually find out when they choose to tell you rather than when it happens.

Larger companies tend to do all of this in house, meaning they have full control over their data. However, this also means that if they are breached, they’ve no one to blame but themselves. This is not to say that larger companies are not at the mercy of third parties at all. Many make use of apps, or still choose to outsource payment processing. It’s just – on the whole – they are less at risk than smaller ones.

If your third-party processor is exposed, chances are you are too.

SIEM solutions

SIEM solutions with active threat hunting are great for protecting a business. Monitoring log files for suspicious file changes, IPs probing your perimeter, strange logons and more will not stop an attacker getting in, but it can catch an intrusion in its early stages and let you isolate and resolve the problem before too much damage is done. Unfortunately, there’s no getting around the fact that setting up a robust SIEM can be expensive. Paying trained SOC analysts to manage it is even more so.
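To make the “probing IPs” and “strange logons” part concrete, here is an added example of the kind of detection logic a SIEM correlation rule runs over authentication logs. It is not Bulletproof’s SIEM or any product’s code, and the log lines are constructed to look like a Linux sshd auth log; the thresholds (five failures in sixty seconds, 08:00 to 18:00 as working hours) and the year assumed for the syslog timestamps are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of a Linux sshd auth log. The
# syslog timestamp carries no year, so the parser assumes one (2018 here).
SAMPLE_LOG = """\
Dec 14 02:14:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51212 ssh2
Dec 14 02:14:03 web01 sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 51214 ssh2
Dec 14 02:14:05 web01 sshd[2235]: Failed password for root from 203.0.113.7 port 51216 ssh2
Dec 14 02:14:07 web01 sshd[2237]: Failed password for root from 203.0.113.7 port 51218 ssh2
Dec 14 02:14:09 web01 sshd[2239]: Failed password for root from 203.0.113.7 port 51220 ssh2
Dec 14 02:14:12 web01 sshd[2241]: Accepted password for root from 203.0.113.7 port 51222 ssh2
Dec 14 09:05:44 web01 sshd[2390]: Accepted publickey for jenny from 10.0.0.15 port 40002 ssh2
Dec 14 11:22:10 web01 sshd[2411]: Failed password for jenny from 10.0.0.15 port 40010 ssh2
Dec 14 11:22:15 web01 sshd[2413]: Accepted publickey for jenny from 10.0.0.15 port 40012 ssh2
"""

# Matches sshd "Accepted"/"Failed" logon lines; other sshd noise is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2018):
    """Turn raw log text into a list of logon events (dicts)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a logon event
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect(events, fail_threshold=5, window_s=60, work_hours=(8, 18)):
    """Three simple correlation rules over the event stream:
    - brute_force: fail_threshold failures from one IP inside window_s
    - off_hours_logon: a successful logon outside work_hours
    - success_after_brute_force: a success from an IP still in a burst
    Thresholds are assumptions; tune them to your own environment."""
    alerts = []
    fails = defaultdict(list)  # ip -> timestamps of recent failures
    for e in sorted(events, key=lambda ev: ev["ts"]):
        q = fails[e["ip"]]
        # age out failures that fell outside the sliding window
        while q and (e["ts"] - q[0]).total_seconds() > window_s:
            q.pop(0)
        if e["result"] == "Failed":
            q.append(e["ts"])
            if len(q) == fail_threshold:  # fire once as the burst crosses the line
                alerts.append({"rule": "brute_force", "ip": e["ip"],
                               "user": e["user"], "ts": e["ts"]})
        else:  # Accepted
            if not (work_hours[0] <= e["ts"].hour < work_hours[1]):
                alerts.append({"rule": "off_hours_logon", "ip": e["ip"],
                               "user": e["user"], "ts": e["ts"]})
            if len(q) >= fail_threshold:
                alerts.append({"rule": "success_after_brute_force", "ip": e["ip"],
                               "user": e["user"], "ts": e["ts"]})
    return alerts


def run_sample():
    """Run the rules over the constructed log and return the alerts."""
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['ts']:%H:%M:%S} {a['rule']:<26} {a['ip']:<13} {a['user']}")
```

On the sample above, the 203.0.113.7 burst fires the brute-force rule on its fifth failure, and the root logon three seconds later fires both the off-hours and success-after-brute-force rules. Jenny’s single typo followed by a key-based logon during the working day raises nothing, which is the point: the rules are meant to surface the one session a SOC analyst should look at, not every failed password.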

This is where many smaller companies are at a disadvantage. Considering the financial and reputational costs a large data breach can incur, companies with enough cash will certainly consider setting up an in-house SIEM. Small companies lack that option.

However, they can still benefit from a quality SIEM by outsourcing this responsibility to a managed service. That gives a small company access to the same tech and trained analysts at a fraction of the cost of building it in house.


...So, who’s more vulnerable?

From typing out the above, it seems the only real conclusion to be made is to reiterate that everyone is at risk. The main difference between the big and small companies is that the former has a bigger budget. But as we have seen throughout this year, data breaches aren’t stopped by big budgets. It’s not about how much you can spend, it’s where and how you spend it.

Training modules that staff vacantly click through offer nothing. Paying for compliance packages, but only following the standards when an audit is coming up is – frankly – a waste of money. Paying for penetration tests, but not including key components in the scope can be disastrous (poor scoping is a pet peeve of our pen testers). Properly scoping your pen test can save you money in the long run.

Take time to analyse your network and ensure the proper segmentation is in place, even if it means getting an external expert in to advise. It might cost initially, but it’ll really help keep your important assets secure.


Summing up

You are a target for hackers. Whether you’re the CEO of a start-up or Chaz the intern at a global brand, you’re susceptible to social engineering. If you’ve got one server or a huge, complex network, you need to make sure it’s set up and configured securely and all software is up to date. Spend wisely by working with cyber security experts and take advantage of penetration tests, managed SIEM and interactive cyber security training. You’ll never be 100% secure, but if you do everything right you can get close to it, regardless of your size.


Meet the author

Joseph Poppy Security Blogger

Joseph is a Communications Executive and Security Blogger who has contributed articles covering a range of topics including staying ahead of cyber threats.
