Bulletproof’s range of cyber security, data protection and compliance services are your best defence against threats to your business. With nearly a decade of providing trusted security services, we’re continuing our mission of solving the greatest cyber security & compliance challenges through innovation and simplicity. Explore our range of services and find out how Bulletproof can help your business.
Helping people solve their security challenges is what we do, so we’re always keen to hear from you.
Discover CREST penetration testing & continuous security
Internal & external infrastructure, network & system testing
Manage multiple tests & get external security assurance
Thoroughly assess your web apps & APIs for security flaws
Test your response to a simulated real-world cyber attack
All cloud platforms & services tested, including Azure & AWS
Test your human cyber defences with social engineering
Android, iOS & custom mobile application security testing
Find out more about penetration testing – what it is, when you need it, and why it’s a core component of any business. Discover how pen test helps with compliance, powers best practices, and helps your organisation win new business.
Gap analysis, implementation, audits & more from GDPR experts
On-going support to easily manage your data protection obligations
Consultant-led support to meet all levels of DSPT submission
Flexible & engaging data protection training from certified experts
Get peace of mind that your data protection is being managed by trusted, certified consultants. All Bulletproof data protection services are delivered by our highly trained, experienced and qualified staff.
Gap analysis, implementation, audits & more from dedicated ISO consultants
Find the next step in your strategy with this consultant-led assessment
Get quick & easy CE certification with a range of feature-packed packages
Flexible access to top-tier information security strategy & management
Experienced SOC 2 consultants, AICA audits & compliance automation platform
On-site, remote and video-based security training to boost your resilience
Affordable expertise & support to help you meet & maintain PCI DSS compliance
Go beyond compliance with information security services that are designed to give real operational benefits to your business. All delivered by seasoned, certified Bulletproof security consultants.
24/7 defence against cyber attacks with proactive threat detection
Get help responding & recovering from cyber incidents
Detect, analyse and stop cyber attacks with real-time prevention
Forensic support & data recovery following cyber attacks
Stay on top of new vulnerabilities with powerful, flexible scanning
Evaluate your wireless network for security weaknesses
Discover how your business can identify & manage cyber threats
Comply with regulations, meet certification standards & best practices
Train and test your staff for security resilience, data protection & compliance
No matter what your cyber or compliance challenges, Bulletproof is here to help. We like to work with you as a trusted partner to solve problems, not sell services. No pressure tactics and no false promises.
Learn about our mission to make cyber & compliance accessible to all
Grow your business with high-margin, high-value & partner-ready services
Become part of the Bulletproof team & supercharge your career
Bulletproof’s in-house SOC powers our Managed SIEM & MDR services
We love to talk. Tell us about your cyber & compliance challenges
At Bulletproof we love to solve problems with simplicity & innovation. It’s our mission to make compliance & cyber security services accessible to all. We take pride in building and nurturing teams of exceptional talent, so we’re confident that our cyber security & compliance services are the best way to stay one step ahead of the hackers and protect your business.
Helping people solve their security challenges is what we do, so we’re always keen to hear from you, no matter what you have to say.
Get the latest news, views & expert insight in the world of cyber security, data protection & compliance
A helpful index of cyber security terms, compliance acronyms and industry terminology to make life easy
Discover what we have to say about the threat landscape & what businesses need to know to get ahead
Find out how we can make companies like yours Bulletproof. Don’t take our word for it, hear direct from our clients
Detailed insights & helpful tips for understanding penetration testing, data protection & more
Interesting data & top tips at a glance, with insightful infographics covering all areas of cyber security & compliance
Watch our experts talk through their thoughts & opinions on a variety of security & compliance topics
See when & where we’re going to be bringing Bulletproof insight to an event near you
Ayisha Bari
Find out what ransomware is, how attacks work & types of attack to help you get started with keeping ransomware out of your business.
Read More
Since GDPR came into effect, people tend to be a lot more aware of their personal data or rather, data breaches containing their personal data. Most data breaches that appear on the news tend to be what I call ‘big boy breaches’. These refer to massive breaches from the big companies consisting of millions and millions of data records. A prime example would be when Uber got hacked and data of 57 million data subjects, consisting of names, email addresses and phone numbers, was compromised. To make matters worse, rather than come clean about the whole thing, the ride-sharing company paid the hackers to delete the data before anyone found out. Then, everyone found out. The firm was fined a record $148 million.
In January 2019, it was revealed that hotel chain Marriott had been compromised as far back as 2014 and hundreds of millions of records were stolen. Elsewhere, Morrisons suffered a breach at the hands of an ex-employee and a USB stick was found at Heathrow airport which contained security details of the Royal family.
These are the breaches you hear about, however there are countless other breaches that go relatively unnoticed. When you went to work yesterday, in those 7.5 hours or so, an average of almost 2 million data records were stolen. If we do the maths, over a working year of 261 days, that’s 522 million records, and that’s just whilst you’re at work. The point I’m trying to make is, those stories you see on the news aren’t the only breaches. They’re just big enough to be considered ‘news worthy’.
As a GDPR consultant, data breaches make up a massive part of my day-to-day activities and I spend a lot of time talking to clients about them. One interesting point I’ve noticed from my travels is that people tend not to know how many different types of breaches there are. They’re not always caused by a hacker.
Let’s look at some of the less obvious data breaches and the best practices that can be used to avoid them.
People make mistakes all the time, but the worst one I've ever seen was bad access control, which meant that anybody could find anything on any employee. Obviously that information should only be available to HR. Losing data or not disposing of it correctly is also a data breach, even if it hasn’t led to any negative consequences.
One data breach I see on a regular basis is where someone accidentally uses the CC field instead of the BCC field when they're sending an email. That means basically if you email 100 people at once using the CC field, all the other people in that email thread are going to get the same email and of course the same email addresses will be on show.
Another common data breach is where databases are migrated to new system software, but the data in that database wasn’t originally collected for that purpose. These ‘technological’ data breaches usually go unnoticed until someone in GDPR or compliance starts asking questions.
Data being used for a purpose it was not originally collected for will also not be risk assessed and can raise trust issues with clients. If there’s a data breach affecting data subjects, and an investigation shows your company has been misusing data, well, it certainly won’t work in your favour. You can expect a fine, and depending on the severity of your misuse, the fine might be a large one.
Not disposing of data correctly may sound like a minor problem, but it can have quite profound consequences. In a worst-case scenario, someone rummaging through bins could find enough information to steal someone’s identity. You might be rolling your eyes now, thinking that no one is going to rummage through the bins for discarded financial records, but it happens.
Businesses more commonly make the mistake of not wiping and disposing of old hard drives properly. If a hacker gets a hold of one of these, they can cause all sorts of mayhem. The problem is more widespread than you might think, as hard drives bought on eBay are often found to be stuffed with personal data. Dispose of both paper files and hardware components appropriately and consider engaging the services of a reputable secure data destruction company.
Losing data in any way counts as a data breach. This is because you can’t account for its whereabouts, so cannot say who has access to it or what someone may do with it. There are so many ways this can happen. Just look at the Heathrow airport incident. Someone just happened to lose a USB drive and suddenly there’s a data breach. If data or email information is stored on an employee’s work phone, and that phone is lost or stolen, then that is a data breach (assuming you can’t remotely wipe the device).
The best practices to follow here would be:
What do we mean by a data perimeter? Set a limit past which data should never leave. This should be physical and digital, and allows you to keep track of personal data at all times. Never email data to external contacts, for example. Never take financial or HR documents outside of their respective departments or folders. Put controls in place and train your staff. Limit or outright ban the use of USB sticks for example.
Data is forever on the move, both in the sense of hard copies and hardware (such as servers and data tapes) and digital copies. There are numerous risks that come with data in transit. Man-in-the-middle attacks are all too common. This is where a malicious actor manages to exploit an application vulnerability or intrude on a network to intercept data as it’s sent.
Physical documents can be at risk when on the move too. They can be misplaced or stolen or otherwise read by unauthorised people. If documents are posted, there’s the chance they could be delivered to the wrong address or lost somewhere along the way.
With more businesses giving staff mobile phones and laptops, data is essentially on the move at all times. If a staff member leaves a laptop containing sensitive and personal information on a train, then that’s a data breach. There’s no telling who might have access to it. Lost devices are a problem everywhere. In the span of four years, the government lost more than 600 devices (including laptops, phones and USBs).
There are lots of different ways that data can accidentally get exposed on the web, particularly as more businesses migrate towards cloud platforms. All it takes is someone to move data onto a personal cloud drive, or store something in the wrong folder and before you know it, it’s been accessed over and over again by unauthorised personnel. Security misconfigurations or a lack of encryption can also come into play here. The biggest problem is, once something finds its way onto the public web, it can be copied and shared so many times that you’ve got to assume it’s out of your hands for good.
Even something as innocent as taking an office selfie with Chaz the intern can turn into a data breach if there’s readable data in shot. For example, that new starter form on the desk with some poor data subject’s contact details, D.O.B and address.
The best practice here would be to be to introduce policies to reduce the chances of this happening, such as compulsory data awareness training.
People should only have access to the data they need to do their job. Sharing information accidentally, such as attaching the wrong document to an email, could lead to the wrong person reading confidential HR data.
So, to stop things like this from happening, make sure staff are trained and aware of their responsibilities when it comes to personal data. Always double check emails before hitting send and implement strict data access controls.
Even though you haven’t technically lost the data in the sense that physical documents have gone missing, losing access to it is on the same level. There’s no telling who could potentially be taking a peak at it. It could be that certain files are stored in a location that, due to a technical error, no one can get to. Alternatively, it could be that a ransomware outbreak is preventing anyone from being able to read the files.
Up-to-date virus protection and cyber awareness is key. Investing in basic cyber training for all staff is always recommended.
Knowing what constitutes a breach is the first step in proactively preventing them. If keeping track of all this personal data seems like a full-time job in itself, it’s because it is. Having an appointed Data Protection Officer can take away a lot of the strain as far as data protection is concerned. They can conduct data mapping exercises and data protection impact assessments (DPIAs) to ensure you’re doing everything right and have the appropriate controls in place. They will be the first point of contact for all data subjects and regulatory bodies. In short, they will ensure everything is being done to keep personal data safe and highlight areas for improvement to reduce the chances of a breach. Under GDPR, certain companies are required by law to appoint a DPO.
If you’re struggling with your responsibilities concerning data protection, but don’t have the time or resources to appoint a dedicated DPO, consider outsourcing this role. Outsourcing a DPO gives you access to a data protection specialist at a fraction of the cost of a full-time in-house employee. You can simply pay for the hours you require, getting all the actionable advice you need, ultimately helping you keep your data safe.
Luke is Bulletproof’s Head of Compliance, and can often be found coming up with new, innovative, and entertaining ways to evolve our compliance services portfolio. His passion for compliance and business insights always comes through in his articles.
Find out how to secure your business in 10 steps with our free best practice infographic.
If you are interested in our services, get a free, no obligation quote today by filling out the form below.
I'd like to receive Bulletproof communications about relevant services and events
For more information about how we collect, process and retain your personal data, please see our privacy policy.