Bulletproof’s range of cyber security, data protection and compliance services are your best defence against threats to your business. With nearly a decade of providing trusted security services, we’re continuing our mission of solving the greatest cyber security & compliance challenges through innovation and simplicity. Explore our range of services and find out how Bulletproof can help your business.
Helping people solve their security challenges is what we do, so we’re always keen to hear from you.
Discover CREST penetration testing & continuous security
Internal & external infrastructure, network & system testing
Manage multiple tests & get external security assurance
Thoroughly assess your web apps & APIs for security flaws
Test your response to a simulated real-world cyber attack
All cloud platforms & services tested, including Azure & AWS
Test your human cyber defences with social engineering
Android, iOS & custom mobile application security testing
Find out more about penetration testing – what it is, when you need it, and why it’s a core component of any business. Discover how pen test helps with compliance, powers best practices, and helps your organisation win new business.
Gap analysis, implementation, audits & more from GDPR experts
On-going support to easily manage your data protection obligations
Consultant-led support to meet all levels of DSPT submission
Flexible & engaging data protection training from certified experts
Get peace of mind that your data protection is being managed by trusted, certified consultants. All Bulletproof data protection services are delivered by our highly trained, experienced and qualified staff.
Gap analysis, implementation, audits & more from dedicated ISO consultants
Find the next step in your strategy with this consultant-led assessment
Get quick & easy CE certification with a range of feature-packed packages
Flexible access to top-tier information security strategy & management
Experienced SOC 2 consultants, AICA audits & compliance automation platform
On-site, remote and video-based security training to boost your resilience
Affordable expertise & support to help you meet & maintain PCI DSS compliance
Go beyond compliance with information security services that are designed to give real operational benefits to your business. All delivered by seasoned, certified Bulletproof security consultants.
24/7 defence against cyber attacks with proactive threat detection
Get help responding & recovering from cyber incidents
Detect, analyse and stop cyber attacks with real-time prevention
Forensic support & data recovery following cyber attacks
Stay on top of new vulnerabilities with powerful, flexible scanning
Evaluate your wireless network for security weaknesses
Discover how your business can identify & manage cyber threats
Comply with regulations, meet certification standards & best practices
Train and test your staff for security resilience, data protection & compliance
No matter what your cyber or compliance challenges, Bulletproof is here to help. We like to work with you as a trusted partner to solve problems, not sell services. No pressure tactics and no false promises.
Learn about our mission to make cyber & compliance accessible to all
Grow your business with high-margin, high-value & partner-ready services
Become part of the Bulletproof team & supercharge your career
Bulletproof’s in-house SOC powers our Managed SIEM & MDR services
We love to talk. Tell us about your cyber & compliance challenges
At Bulletproof we love to solve problems with simplicity & innovation. It’s our mission to make compliance & cyber security services accessible to all. We take pride in building and nurturing teams of exceptional talent, so we’re confident that our cyber security & compliance services are the best way to stay one step ahead of the hackers and protect your business.
Helping people solve their security challenges is what we do, so we’re always keen to hear from you, no matter what you have to say.
Get the latest news, views & expert insight in the world of cyber security, data protection & compliance
A helpful index of cyber security terms, compliance acronyms and industry terminology to make life easy
Discover what we have to say about the threat landscape & what businesses need to know to get ahead
Find out how we can make companies like yours Bulletproof. Don’t take our word for it, hear direct from our clients
Detailed insights & helpful tips for understanding penetration testing, data protection & more
Interesting data & top tips at a glance, with insightful infographics covering all areas of cyber security & compliance
Watch our experts talk through their thoughts & opinions on a variety of security & compliance topics
See when & where we’re going to be bringing Bulletproof insight to an event near you
Ayisha Bari
Find out what ransomware is, how attacks work & types of attack to help you get started with keeping ransomware out of your business.
Read More
Businesses of all sizes would benefit from raising their awareness of the potential threats for the year ahead. Hackers are not only exploiting new vulnerabilities such as Log4Shell, but also continuing their use of tried-and-tested methods like phishing and attacking unpatched systems to compromise the security of businesses. There are also challenges in achieving compliance which will be a barrier for organisations looking to secure business and supply chain data.
The ever-growing threat landscape puts pressure on businesses to stay proactive and have the necessary cyber security measures in place to ensure their workforce, networks and infrastructure remain protected. In this blog, we look at the challenges businesses are facing and address key security tips you should consider to protect your business in 2022.
A new year brings along old threats and phishing remains prevalent as one of the biggest cyber security attack vectors. According to IBM’s 2021 Cost of a Data Breach Report, phishing attacks cost businesses an average of $4.65 million. These attacks target the people within a business and rely on impersonation and human error. If successful, hackers stand a good chance of eliciting sensitive information from an unwitting employee. Our research shows that a staggering 83% of data breaches occur due to phishing attacks. This, combined with a 521% increase in COVID-related phishing emails due to the Omicron variant, show that it is more important than ever to safeguard your business by training employees to identify both the obvious and more nuanced social engineering threats that phishing attacks present. In 2021, we saw a rise in LinkedIn phishing emails targeting new employees, resulting in it being the most clicked-on social media-related phishing email (42%), ahead of Facebook and Twitter.
Hackers are generally deploying LinkedIn phishing emails within the first month of a new starter joining a company, under the guise of the company’s CEO or a senior-level employee. The reason this model is successful is because it plays into the emotions of a new employee. By implying urgency, new recruits can be tricked into a phishing attack due to panic and the desire to please.
The solution is quite simple: awareness training for all staff is a crucial tactic to aid your security and stop hackers succeeding with their phishing campaigns. Look at it like this, if a new employee has no knowledge of phishing or social engineering, how likely are they to succumb to the demands of a hacker posing as their CEO requesting to purchase a gift card on their behalf or click on a suspicious link? As a result, this could lead to an employee revealing sensitive information which can be exploited for financial gain.
Consider what would happen if that same employee was trained and aware of the primary strategies used by hackers and the results of yielding to such demands from unrealistic internal requests. Training should not be underestimated or overlooked, and organisations should seek to invest in continual security training to strengthen their cyber resilience.
If businesses are serious about protecting their data and personal information, then changing default credentials is a no-brainer, right? Default credentials are assigned by developers or manufacturers to allow access to software or hardware devices during initial setup. So, when these credentials are not changed, it is generally due to complacency or ignorance by IT admins. Time and resources are also factors for IT admins to ignore changing default passwords.
Even the most novice of hackers will understand that the path of least resistance is the one most likely to be successful for an attack. Default credentials can be easily accessed over the internet, therefore businesses could be leaving themselves open to opportunistic attacks. Common devices and systems which can use default credentials include:
From observing our honeypot data in 2021, it is clear hackers are using default credentials as a means of carrying out brute-force attacks. For example, our cyber security research showed multiple brute-force attempts using default Raspberry Pi credentials. We know that hackers would not use these methods if they were not successful or so easily available on the internet, so this indicates a trend of poor password management. Failing to change default credentials is a rookie mistake and one which can lead to hackers infiltrating servers to plant malware, manipulating networks and devices, and stealing sensitive data once they have access.
Data from our 2022 report shows passwords like ‘<No Pass>’, ‘admin’ and ‘PASswoRD’ were the top 3 credentials used to attempt to infiltrate our honeypot servers. Generic passwords like these are enticing for hackers and unlikely to thwart them from breaching systems. However, passwords which are unique, memorable, and avoid using personal information such as names or destinations will be harder for hackers to guess. Adding multi-factor authentication (MFA) will also add an additional layer of protection to secure your business. To secure your business it is imperative to change default credentials to prevent hackers from easily breaching your systems and accessing company and personal information.
Patching should be a key component of a business’ security plan. Keeping operating systems and software up to date is one of the best ways to safeguard your network against security breaches. However, upgrade costs, system downtime, compatibility issues and a lack of resources are all major factors in why patching can get ignored. It can also be time-consuming, so businesses with under-resourced IT teams will fall short of deploying patches quickly and consistently. For example, outdated libraries and components ranked in our top vulnerabilities found during penetration testing in 2021. When businesses don’t patch, they effectively leave the door wide open for hackers to exploit vulnerable systems.
It’s worth mentioning that patching alone won’t secure businesses against every cyber security threat. The Log4j vulnerability which came to light at the end of 2021 was an example of this. Organisations were instructed by CISA to immediately “assume compromise and to update or isolate affected assets” whilst hunting for malicious activity. Cyber security vendors were also instructed to inform end-users of products which may include the vulnerability and to update software as a priority. However, the initial release of patches did not fully address all discovered issues in Log4j, leaving applications exposed and not completely protected against vulnerability. Moving quickly to fix unpatched systems is important to prevent hackers from attacking weakened systems and exploits like Log4j vulnerability.
A well-executed patch management policy focusing on scheduling, prioritisation, testing, deployment, monitoring and reporting can help businesses maintain a regular patching process and ensure that it doesn’t get neglected. Nevertheless, even with a patch management policy in place, unless organisations have a dedicated security team to manage patching correctly and efficiently, businesses will continue to be at risk of cyber-attacks. To ensure the security of your business, it is crucial that updates don’t fall through the cracks and patching is executed in a timely manner.
Maintaining compliance is important in order to meet baseline security standards. GDPR, Cyber Essentials, ISO 27001, PCI DSS… the list goes on, but each regulation and legislation is in place to serve a purpose – to help protect the data of businesses, their customers and their supply chain. When delivered correctly, compliance can also help a business differentiate from their competition, develop brand awareness and increase customer trust by demonstrating a commitment to security best practice.
The complexity and lack of understanding of compliance proves to be a hurdle for many businesses. Changes in compliance can prove challenging to organisations who lack the expertise or guidance on how to stay ISO compliant. In 2021, businesses failing to implement the ISO 27001 standard was simply because of a lack of understanding of what it is. ISO 27001 is beneficial not just for your business but for the security of your supply chain as it demonstrates your business is working to the highest security standards. However, changes in policies and standards are also needed to reflect the ever-evolving business landscape, with the most significant shift being businesses adopting new working practices since the COVID-19 pandemic. This was one of the main drivers for new changes being introduced to ISO 27001 and Cyber Essentials certification for 2022.
We understand the difficulties that businesses can face in achieving certification and compliance. To combat this, seeking guidance and accruing knowledge on the importance of compliance and how it can help secure your business can help break down these barriers and ensure you are equipped to achieve compliance with confidence. To secure your business and remain compliant, it is also necessary to adopt a culture where compliance plays an integral part of your risk management and cyber resilience strategy for 2022 and beyond.
Cyber threats will continue to evolve but also present businesses with many of the existing threats we’ve encountered in previous years. Understanding your evolving threat landscape and addressing existing gaps in your cyber security strategy will help to strengthen your cyber resilience. So, here are some key actions for you to consider in 2022 to secure your business and minimise the threat of a cyber-attack.
Information security wizard, evangelist, and guru – not to mention co-founder of Bulletproof. Oli’s always sharing deeply interesting and insightful things on this blog and on his LinkedIn. With many years’ of experience in understanding information security and innovation, Oli’s blogs are always a highlight.
Find out how to secure your business in 10 steps with our free best practice infographic.
If you are interested in our services, get a free, no obligation quote today by filling out the form below.
I'd like to receive Bulletproof communications about relevant services and events
For more information about how we collect, process and retain your personal data, please see our privacy policy.