Since the outbreak of Covid-19, many organisations have had to make a swift transition to remote working to ensure business continuity. What would typically take months of planning and preparation was implemented in a matter of days. The chaos that this created, combined with the already uncertain nature of life during a pandemic, created the ideal environment for cybercriminals.
On the whole, bad actors are not employing novel techniques. Rather, they’re leveraging people’s confusion and inattention to run familiar attacks such as phishing. According to Barracuda Networks, there has been a 667% increase in malicious phishing emails since the coronavirus outbreak. Moreover, Google has shared that it is blocking an average of 18 million coronavirus scam emails every day. With the workforce now being more susceptible to attack, the risks are ever higher for organisations. As the saying goes, you’re only as strong as your weakest link.
To make things worse, remote working is new territory for many businesses, calling for a completely different security strategy and significant adjustment. While IT teams are distracted with implementation, they may not have the resources to thoroughly monitor suspicious activity or apply security patches to newly administered technologies. This could leave an organisation’s internal infrastructure and network vulnerable to an employee’s compromised device. You’re also reliant on the security of something you have no control over, namely the employee’s home network. This will likely be riddled with IoT devices, tablets, laptops, phones and poorly secured home routers.
Bulletproof recently ran a webinar all about securing remote working environments, which is free to view here:
In order to help you navigate through this challenging landscape, here are answers to the most common questions we get asked.
Cloud services enable employees to work from all over the world and from any setting, but the downside of this is that attackers see this as an opportunity to target cloud services themselves.
In order to protect yourself further, it’s worth setting up a VPN. This reduces the risk of an attacker brute-forcing access to your systems. Another option is to activate conditional login settings. In the current climate, it’s likely that your workforce’s locations will be static, allowing you to restrict access to users within a specific geolocation.
Another risk to bear in mind with cloud services is the shared responsibility model. The flexibility afforded by these services leads to high complexity, which in turn causes security risks from misconfigurations as it’s not always clear who is responsible for what. This shared responsibility can lead to a serious breach if you don’t implement good cloud security practices and consider what each configuration could expose.
Your main focus should be sticking to basic best practices. As simple as it sounds, it’s actually a really effective cyber security control. This includes things like ensuring that systems are patched and using up-to-date antivirus, plus a process to manage the patching and updating.
It also means using additional layers of security (defence in depth), such as firewalls, as employees may have to share their internet connection with others (e.g. flatmates). While your employee’s devices might be more or less ‘secure’, their flatmates may not enforce the same level of security. As a result, if their device were to be compromised, the malware could potentially jump to the employee’s device through the network.
Again, the key is to follow best practices and assess devices before allowing them onto the network. It is also useful to define a minimum standard for your BYOD devices (e.g. verifying they are patched and run antivirus software). Ideally, if the user is unable to meet this standard, you should impose a number of restrictions, for example limiting what documents or webpages they can access.
Regardless, IT teams should be diligent about monitoring these devices, knowing what is being accessed and when. This will allow you to identify any abnormal activity and shut down access to systems for review, before it’s too late.
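The two checks above (restricting sign-ins to the countries people are expected to be working from, and watching sign-in activity for abnormal patterns such as one address failing against many accounts) can be run over exported sign-in logs. The script below is an added example, not code from Bulletproof or from any identity provider; the event format, the policy table and the sample events are all constructed for illustration, loosely modelled on the JSON sign-in audit logs cloud identity services export.

```python
"""Sign-in log review for a remote workforce.

Added example with constructed data: flags successful sign-ins from a country the
user is not expected to work from, and IPs that fail against many distinct
accounts in a short window (the password-spraying pattern a VPN in front of the
login portal, or a lockout policy, is there to blunt).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real log data); field names are an assumption.
SAMPLE_SIGNINS = [
    {"ts": "2020-05-04T08:01:00Z", "user": "alice@example.com", "ip": "203.0.113.10", "country": "GB", "result": "success"},
    {"ts": "2020-05-04T08:04:00Z", "user": "bob@example.com",   "ip": "203.0.113.22", "country": "GB", "result": "success"},
    {"ts": "2020-05-04T08:05:00Z", "user": "alice@example.com", "ip": "198.51.100.7", "country": "BR", "result": "success"},
    {"ts": "2020-05-04T08:06:00Z", "user": "carol@example.com", "ip": "198.51.100.9", "country": "US", "result": "failure"},
    {"ts": "2020-05-04T08:06:10Z", "user": "dave@example.com",  "ip": "198.51.100.9", "country": "US", "result": "failure"},
    {"ts": "2020-05-04T08:06:20Z", "user": "erin@example.com",  "ip": "198.51.100.9", "country": "US", "result": "failure"},
    {"ts": "2020-05-04T08:06:30Z", "user": "frank@example.com", "ip": "198.51.100.9", "country": "US", "result": "failure"},
    {"ts": "2020-05-04T09:00:00Z", "user": "carol@example.com", "ip": "192.0.2.44",   "country": "IE", "result": "success"},
]

# Constructed policy: where each user is expected to be working from while the
# workforce is static. A real table would come from HR/IT records.
EXPECTED_COUNTRIES = {
    "alice@example.com": {"GB"},
    "bob@example.com": {"GB"},
    "carol@example.com": {"IE"},
}
DEFAULT_COUNTRIES = {"GB"}  # applied to users with no explicit entry


def out_of_policy_logins(events, policy=EXPECTED_COUNTRIES, default=DEFAULT_COUNTRIES):
    """Return (user, ip, country, ts) for successful sign-ins from a country the
    user is not expected in. Failures are ignored: they were already refused."""
    findings = []
    for ev in events:
        if ev["result"] != "success":
            continue
        if ev["country"] not in policy.get(ev["user"], default):
            findings.append((ev["user"], ev["ip"], ev["country"], ev["ts"]))
    return findings


def spraying_sources(events, min_users=3, window_seconds=300):
    """Return {ip: [users]} for IPs whose failed sign-ins touched at least
    `min_users` distinct accounts within any `window_seconds` span."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["result"] == "failure":
            ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            by_ip[ev["ip"]].append((ts, ev["user"]))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if (t - start).total_seconds() <= window_seconds}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def review(events):
    """Run both checks and return a single report dict for the IT team."""
    return {"out_of_policy": out_of_policy_logins(events), "spraying": spraying_sources(events)}


if __name__ == "__main__":
    for section, result in review(SAMPLE_SIGNINS).items():
        print(section, result)
```

On the constructed data the review flags alice’s successful sign-in from BR and the single address that failed against four accounts in thirty seconds. Both are starting points for the “shut down access for review” step described above, not verdicts: a legitimate trip or a shared NAT address produce the same shapes, so the findings need a human check before access is cut.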
Remote administration software can open up the business to significant risk, as a hacker could gain the same high privileges as an admin user. To guard against this, we recommend using a VPN, plus turning on two-factor authentication (2FA) everywhere that supports it.
Other best practices:
The impact of an O365 (or other cloud service) compromise can vary in severity depending on the bad actor’s objectives and intentions. Once a hacker has obtained the credentials to a cloud account, they almost always gain unfettered access to the company’s whole network. This provides cybercriminals with other avenues of attack. For example, they might impersonate an employee for monetary gain (like emailing a CFO for payment on an invoice), or they might just grab all your data to sell on the dark web. Their tactics for doing this can often be very sneaky, such as setting up email forwarding rules, which covertly forward an employee’s emails to their own address.
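Covert forwarding rules are one of the few compromise indicators that survive a password reset, so they are worth auditing directly. The script below is an added example, not Bulletproof’s or Microsoft’s code; the audit record shape and the sample records are constructed for illustration, loosely modelled on mailbox audit events that record the cmdlet run (inbox rules and mailbox-level forwarding) together with its parameters.

```python
"""Find forwarding to external addresses in mailbox audit records.

Added example with constructed data. Flags rule or mailbox changes that send
mail outside the organisation's domains, and notes the extra tells that make a
rule covert: deleting the original, or a blank / one-character rule name.
"""

INTERNAL_DOMAINS = {"example.com", "corp.example.com"}  # constructed

# Constructed audit records (not real data); the shape is an assumption.
SAMPLE_AUDIT = [
    {"user": "alice@example.com", "operation": "New-InboxRule",
     "params": {"Name": "Invoices", "ForwardTo": "billing@example.com"}},
    {"user": "bob@example.com", "operation": "New-InboxRule",
     "params": {"Name": ".", "ForwardTo": "bob.personal@mail.example.net", "DeleteMessage": "True"}},
    {"user": "carol@example.com", "operation": "Set-Mailbox",
     "params": {"ForwardingSmtpAddress": "smtp:collector@external-mail.example.org",
                "DeliverToMailboxAndForward": "True"}},
    {"user": "dave@example.com", "operation": "Set-InboxRule",
     "params": {"Name": "Archive", "MoveToFolder": "Archive"}},
]

# Parameters that carry a delivery target, on inbox rules and on the mailbox itself.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress")


def _domain(address):
    """Domain part of an address, tolerating an 'smtp:' prefix."""
    addr = address.split(":", 1)[-1]
    return addr.rsplit("@", 1)[-1].lower()


def external_forwarding(records, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per external target, with the reasons it looks covert."""
    findings = []
    for rec in records:
        params = rec["params"]
        for key in FORWARDING_PARAMS:
            if key not in params:
                continue
            targets = params[key] if isinstance(params[key], list) else [params[key]]
            for target in targets:
                if _domain(target) in internal_domains:
                    continue
                reasons = ["external target"]
                if params.get("DeleteMessage") == "True":
                    reasons.append("deletes original")
                if "Name" in params and len(params["Name"].strip()) <= 1:
                    reasons.append("low-visibility rule name")
                findings.append({"user": rec["user"], "operation": rec["operation"],
                                 "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in external_forwarding(SAMPLE_AUDIT):
        print(f["user"], f["operation"], f["target"], ", ".join(f["reasons"]))
```

On the sample records the internal billing rule and the archive rule pass, while bob’s one-character rule that forwards and deletes, and carol’s mailbox-level forward to an outside domain, are both reported. A periodic run of a check like this against the real audit log, or an alert on the underlying rule-creation events, catches the forwarding tactic described above well before the data it leaks is missed.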
Typically, a hybrid platform’s native security controls do not allow for an organisation to have both cloud and on-premises data in a central place. This results in duplicate processes and requires you to harden, configure, test, monitor and manage two environments for potential attacks.
One of the biggest challenges of working in a hybrid deployment is synchronising accounts and how to do that in a secure way. The NCSC guidelines say that you should synchronise your on-premises Active Directory services and credentials with a cloud service which serves as the primary authentication source. This will lower your risks compared to running your own Active Directory system.
The good thing about standard licences is that they offer all the basic tools you need. However, with the Office 365 Enterprise model, you also get access to a suite of threat protection tools and phishing tests. This also allows you to run brute force attacks against your accounts to test for weak points, and alerts users about any suspicious activity. Of course, the effectiveness of any security review is limited to what you choose to do, or not to do, with the findings.
Often, the providers of these cloud services have high levels of compliance and are aligned with security best practices, including completing penetration testing on their systems. If you wanted to validate this with your own pen test, third-party providers may impede you from doing so.
In line with the shared responsibility model, you can however audit your configuration to ensure that it has been done correctly and that you are using all the features available to you to secure both your employees and customers. In other words, where you cannot conduct a pen test, carry out a health check.
Bulletproof offers an Office 365 Security Health Check, which covers 91 best practice guidelines, checking areas such as authentication and accounts, data management, email security, auditing, storage as well as mobile device management.
As we’ve all been finding out, physical location of employees matters less and less. So if your remote workforce is connected to internal systems through a VPN, it’s still important to conduct an internal penetration test, even if employees are not physically in the office. If you have put restrictions on cloud services, it is also a good opportunity to test their effectiveness. Similarly, make sure your VPNs themselves are not vulnerable to attack.
Ideally, IT teams would have a few local devices, configured the same as the employee devices, on which to test the patches prior to roll-out. Failing that, you can spread the patching out to one or two people per team. In this way, if the patch doesn’t work as expected, the whole team will not face disruptions. If all else fails, test core apps and patches on a virtual machine prior to deployment.
GDPR is GDPR. Employees are required to continue adhering to the policies and procedures your organisation has (hopefully) put in place, no matter where they’re working from. In fact, it might be worth having your employees undergo a refresher security training session, as it is easy to become complacent about data protection duties and responsibilities when working from home. The ICO has recognised that companies may be delayed in responding to data subject requests, but other than that, it’s GDPR business as usual.
Printing documents, especially documents containing sensitive information, should be kept to a minimum. It is also important to consider how the data destruction policy might affect what you do with documents whilst remote working. All documents should be shredded and securely destroyed in line with your policy. If employees are unable to do this at home, it would be better for them to keep the documents locked in a cupboard and bring them to the office for destruction upon their return.
It may be necessary to implement temporary changes to your processes in order to accommodate the change to remote working. The first thing you’ll need to do is a thorough assessment of the possible risks that the business might face. Then, measures should be put in place to mitigate those risks. Where a risk cannot be mitigated, there needs to be sign-off from management to confirm that they are prepared to accept it.
You need to take a look at all the areas that might be different from an employee working in the normal office environment, including the systems they now work with and the information they access. It is vital that employees are then given the necessary training, and your existing policies and procedures are adapted to address this. Furthermore, you’ll also need to take into account:
When transitioning to an unfamiliar environment of mass remote working, the first step for any organisation is to evaluate your current security posture. It is important to understand where the risks lie, what policies and procedures might need adjusting, and what technologies exist that could be of use.
Additionally, organisations should question whether their employees are prepared to identify threats, and know how to manage or prevent them. The next steps require you to actively address any vulnerable areas:
Information security wizard, evangelist, and guru – not to mention co-founder of Bulletproof. Oli’s always sharing deeply interesting and insightful things on this blog and on his LinkedIn. With many years’ of experience in understanding information security and innovation, Oli’s blogs are always a highlight.