
How to do a risk analysis – a step-by-step guide (Free template)


Joanna Kwong

In this blog post, we discuss what risk analysis is, why it is relevant for your organisation, and provide you with a quick start guide on how to get started with our very own template.

What is a risk analysis? 

Risk analyses are a useful tool for any organisation that wants to anticipate incidents and plan how to mitigate the resulting risks. A risk analysis involves identifying and analysing potential events that may negatively affect individuals, assets, or the organisation. We use risk analyses to make judgements about how much of each risk we can tolerate, so that we can better anticipate them. Most importantly, a risk analysis makes it possible to prioritise our security activities.

At CyberPilot, we use this template to help organisations do a risk analysis of information security. It is free and you can download it here:

A risk analysis can benefit your organisation with the following:

It also connects theoretical risks to the probability of them happening in real life.

That way, you can better understand how to allocate resources to prevent them. We will give you two examples below.

Risk 1:

A tornado hits company headquarters and damages all the IT equipment.

While this is certainly a risk that could happen and would have a big negative impact, it is unlikely to happen if your area has no history of tornadoes. Therefore, you could spend your efforts on thinking of solutions for other risks.

Consequence: HIGH

Likelihood: LOW

Risk 2:

A staff member travels with company IT equipment and it gets damaged on the baggage carousel.

While losing the IT equipment of one staff member is not catastrophic for the company, it is more likely to happen if staff travel regularly. And maybe the consequence for losing the specific equipment is not only the cost of the laptop, smartphone etc., but could also lead to potential data loss.

Consequence: MEDIUM

Likelihood: MEDIUM

We would suggest spending some time on mitigating this risk.

Ultimately, risk analyses can help you weather any storm, or at least be better prepared for it.

Risk analysis for information security

For information security, we can start by looking at potential events that can negatively affect your organisation. Some examples include:
You can ask yourself:

In the next section, we discuss how you create your own risk analysis with our free template.

How to create a risk analysis

You can download our template here and follow along.


Step 1:

Create a scale for the risk assessment matrix

First, we determine the scales that we use for our risk assessment. In our template, you can find them on the first tab.


In the template, we categorise the risk levels as low, medium, or high. One way of thinking of risk level is how severe the consequences can be for your organisation. Below, we define what each risk level could mean in terms of IT systems.

Low risk 

Medium risk

High risk

Additionally, you can take this opportunity to discuss with your organisation how many resources must be used to fix these issues if they ever occur. Our template gives you the opportunity to fill in the time and monetary consequences, but you can also think about how much time must be put into fixing the issue.

As the risks and consequences differ from organisation to organisation, we highly recommend adapting this section according to your needs. For example, if you are part of a company whose revenue comes solely from the e-shop on the website, then the website crashing is considered a much higher risk. In contrast, if your website serves just as a landing page without much functionality or effect to your day-to-day operations, then the website crashing is a lower risk because the consequences are lower.

Step 2 - start by listing your assets:

Fill in the risk assessment

To complete the risk assessment, we provide the following columns to fill in:

Asset

When we talk about assets in this context, we mostly mean assets related to the IT in your organisation. This can include hardware, such as laptops and mobile devices. Additionally, it can include the IT services provided by your organisation, such as internal communication systems (e.g., Microsoft Teams or Slack) or customer-facing services like the company webpage. Other than IT assets, we include staff as an asset, as they have a lot of influence over the state of your information security. We discuss this in our e-book if you want to read more.

Finally, if you have performed asset management, then it is very easy to use that document as a reference. You don’t have to list all of the assets, but you can choose the most important or commonly used ones to start with.

Short description

Although self-explanatory, this column is very useful for defining what you mean when you list an asset. For example, when we list staff as an asset, we can define it as both full-time and part-time employees. You can also define who is not included, for example consultants, who act as external advisors to the organisation but are not officially part of it.

Department

Defining which department an asset belongs to is advantageous because it prepares the company for when problems must be fixed. First, it gives you a better understanding, or a refresher, of each department or subdepartment’s responsibilities. Second, it helps the organisation react faster when a risk materialises.

However, we don’t recommend spending too much time on this column, as responsibilities can easily overlap between departments and change over time. We recommend getting a general understanding and staying flexible for when the time comes to fix the issue.

Step 3 - list threats and vulnerabilities

Threat 

A threat is potential harm that can be done to an asset and that can affect the organisation. If there have been any security breaches or incidents in the past, you can list them in this column. For example, ransomware or unauthorised access to confidential data could be considered threats. Next, we discuss the vulnerabilities that coincide with these threats.

For example, the threat of ransomware is present when staff browse websites for their work. They may unsuspectingly stumble upon a fake website and accidentally install ransomware, which locks access to the organisation’s files and computers until the cybercriminals are paid.

Vulnerability 

Vulnerabilities can be described as the reasons that allow threats to occur. For ransomware, the vulnerability could, for example, be that staff can unsuspectingly stumble upon a fake website and accidentally install it. For unauthorised access to confidential data, it could be that somebody forgot to close some windows during a video call and accidentally showed a customer some internal communications.

This section is not about placing blame, but about thinking through theoretical scenarios and the reasons why a threat could occur. By understanding how threats occur, we can a) understand how big a threat is, b) estimate the probability of it happening, and c) think of ways to proactively avoid it.

Performed actions 

In this section, you write whether you have already done anything to mitigate this risk. For example, if you have experienced losing important files before and have since enforced the use of cloud storage for backups, that is a performed action.

Step 5 - evaluate risks

Consequence

After writing about the threats, you can better assess how big the consequences are in case of threats being realised with this asset. This is obviously a subjective assessment, but it should be discussed with colleagues and often you will find that there can be different perspectives on consequences. Perhaps the marketing department will put a ‘HIGH’ consequence on something happening to the company website, since that can affect sales. But the IT department would not see it in the same way, as it would not affect the day-to-day operation of the company. That’s why it is important to get a lot of different perspectives.

Probability

Not all risks are created equal. Some could happen a few times a month, while others may only happen once every few years. By assessing the probability of each threat, you can understand how to prioritise them, and perhaps leave out those that are not realistic to tackle.

Suggestions for increased security

After filling in the other sections, you will have gained a better understanding of each asset and the risks associated with them. From that, you can use this section for writing suggestions for increased security.

Your risk assessment is complete!

When every section is filled in with the assets and threats you can think of, you will have a better overview of the risks. From the risk analysis, you will be able to see which threats are more likely to happen and what their consequences are if they occur. Of course, keep this document handy and keep it updated.
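As an added, constructed example (not part of the CyberPilot template or this post), here is how the template's columns and its LOW/MEDIUM/HIGH scales can be kept as a small register in Python, so that every entry is validated against the scale, consequence and probability are combined into an overall rating, and the entries are sorted for prioritisation. The 3x3 rating matrix, the numeric score and the sample rows are assumptions, since the template itself only defines the scales.

```python
"""Risk register helper that mirrors the columns of the template above.

Constructed example. The 3x3 rating matrix, the numeric score and the sample
rows are assumptions for illustration; the template defines only the
LOW / MEDIUM / HIGH scales.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Assumed matrix: RATING[probability][consequence] -> overall risk rating.
RATING = {
    "LOW":    {"LOW": "LOW",    "MEDIUM": "LOW",    "HIGH": "MEDIUM"},
    "MEDIUM": {"LOW": "LOW",    "MEDIUM": "MEDIUM", "HIGH": "HIGH"},
    "HIGH":   {"LOW": "MEDIUM", "MEDIUM": "HIGH",   "HIGH": "HIGH"},
}

# Constructed sample register using the template's columns (Step 2 to Step 5).
SAMPLE_REGISTER = """\
asset,description,department,threat,vulnerability,performed_actions,consequence,probability
Headquarters IT equipment,Servers and workstations at HQ,IT,Tornado destroys equipment,No history of tornadoes in the area,Insurance,HIGH,LOW
Staff laptops,Laptops of full-time and part-time employees,All,Damaged in transit,Checked as baggage on business travel,,MEDIUM,MEDIUM
Company file share,Internal documents,IT,Ransomware,Staff install malware from a fake website,Daily cloud backup,HIGH,MEDIUM
Company webpage,Landing page without an e-shop,Marketing,Website crashes,Single hosting provider,,LOW,MEDIUM
"""


def rate(consequence: str, probability: str) -> str:
    """Combine the two scale values into one rating via the assumed matrix."""
    return RATING[probability][consequence]


@dataclass
class RiskEntry:
    asset: str
    description: str
    department: str
    threat: str
    vulnerability: str
    performed_actions: str
    consequence: str
    probability: str
    suggestions: str = ""

    @property
    def rating(self) -> str:
        return rate(self.consequence, self.probability)

    @property
    def score(self) -> int:
        """Numeric product, used only to order entries that share a rating."""
        return LEVELS[self.consequence] * LEVELS[self.probability]


def parse_register(text: str) -> list[RiskEntry]:
    """Read template rows from CSV text, rejecting values outside the scale."""
    entries = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        levels = {}
        for column in ("consequence", "probability"):
            value = (row.get(column) or "").strip().upper()
            if value not in LEVELS:
                raise ValueError(f"line {line_no}: {column} must be one of "
                                 f"{sorted(LEVELS)}, got {value!r}")
            levels[column] = value
        entries.append(RiskEntry(
            asset=row["asset"].strip(),
            description=row["description"].strip(),
            department=row["department"].strip(),
            threat=row["threat"].strip(),
            vulnerability=row["vulnerability"].strip(),
            performed_actions=(row.get("performed_actions") or "").strip(),
            suggestions=(row.get("suggestions") or "").strip(),
            **levels,
        ))
    return entries


def prioritise(entries: list[RiskEntry]) -> list[RiskEntry]:
    """Highest rating first; within a rating, the more likely threat first."""
    return sorted(entries,
                  key=lambda e: (LEVELS[e.rating], e.score, LEVELS[e.probability]),
                  reverse=True)


def needs_attention(entries: list[RiskEntry]) -> list[RiskEntry]:
    """Entries rated above LOW with no performed action and no suggestion yet."""
    return [e for e in prioritise(entries)
            if e.rating != "LOW" and not e.performed_actions and not e.suggestions]


if __name__ == "__main__":
    register = parse_register(SAMPLE_REGISTER)
    for entry in prioritise(register):
        print(f"{entry.rating:6} {entry.asset}: {entry.threat}")
    print("Needs suggestions:", [e.asset for e in needs_attention(register)])
```

With the assumed matrix, the tornado example (HIGH consequence, LOW probability) and the baggage example (MEDIUM, MEDIUM) both rate MEDIUM, and the ordering then puts the more likely baggage risk first, matching the post's advice to spend time on it.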

We hope that this blog has helped you understand what a risk analysis is and how to do one yourself. As a matter of fact, we use this template to help many organisations that want to have a better understanding of the risks to the information security of their IT assets.

If you would like to get some help with putting together your risk assessment, we are happy to have a talk about it. Download our template here and you can contact us at info@cyberpilot.io.



Protect Personal Data

Watch the video from our Protect Personal Data course, where Kurt puts personal data on a USB drive and then loses it on his commute, which leads to a security breach.

You can access the entire course on our e-learning platform by logging in here. If you do not have an account, you can try it for free.

The course

About the course

Many organisations have made rules and guidelines for how to handle personal data to avoid security breaches. However, they are only effective if everyone takes them seriously and complies with them. In this course, we focus on what we can do in our everyday work life to succeed in protecting personal data.

Want to learn more?

An information security policy is an important tool for achieving and maintaining a good information security culture, and it includes pointers on how to handle personal data. In this blog post, we guide you through creating an information security policy for your organisation.

Other material

Create awareness in your organisation with our posters. You can download the posters and hang them on the walls in your organisation.

In this way, your employees will be reminded of what to be aware of when they see the posters.

Related courses

Protect Personal Data (Category: GDPR)

Learning objectives: Why it is important to protect personal data, how your organisation’s rules and guidelines help to protect personal data, and how your actions make a difference and can help protect personal data.

Updates (Category: GDPR)

Learning objectives: What an update is, why it is important to update your devices, and a few good tips and habits for keeping your devices updated.
What is ransomware and how to avoid it

Joanna Kwong

Ransomware is a real threat to organisations, and the number of incidents is rising each year. In this blog post, we will give you some concrete tips on how your organisation can avoid ransomware attacks and what to do if your organisation is hit.

What is ransomware?

When you hear the word ransom, you are probably thinking of an unfortunate scenario like a kidnapping, where the kidnapper is holding someone hostage until they receive a large sum of money from the victim’s family.

It’s not too far off from what ransomware is. Ransomware is a type of malware that takes digital hostages using encryption: a computer is infected with malicious software that locks files or access to the system. Normally, cybercriminals gain access to computers through a trojan horse attack, where we have accidentally downloaded or opened malicious files, e.g. from a phishing e-mail. The cybercriminals then demand payment in exchange for giving you back control over your system.

Ransomware attacks have increased in the age of Covid-19

Since the emergence of Covid-19, global organisations have seen a 148% spike in ransomware attacks. With the increase in remote working, overwhelmed hospitals, and our desire to find answers to ease uncertainty, many people have become dangerously vulnerable.

Before we dive into the tips on how to avoid being hit by ransomware, let’s have a look at two famous ransomware attacks to see what’s at stake. By looking at some real-life cases, we hope that it will help you understand the possible consequences and how easily we can be targeted.

UNC1878

Also known as Wizard Spider, UNC1878 is an infamous ransomware gang that is believed to be operating out of Eastern Europe. It has been traced to attacks that disrupted health care in at least six hospitals in the United States during the Covid-19 pandemic, which could threaten patients’ lives. The rest of the world has also seen significant spikes in ransomware attacks.

Among others, UNC1878 uses the TrickBot trojan to gain access to the victims’ systems, and the Ryuk ransomware to extort victims. Ryuk is responsible for 75% of ransomware attacks against American healthcare organisations.

Bad Rabbit

Bad Rabbit is another ransomware attack that happened in 2017 and used a method called a ‘drive-by’ attack. It spread by targeting insecure websites.

During a drive-by attack, a user visits a legitimate website without knowing that it has been compromised by a hacker. Although merely browsing the website is harmless, users are infected when they click to install something that is malware in disguise. In the case of Bad Rabbit, the attackers created fake requests to install Adobe Flash.

How to avoid ransomware attacks

Luckily, there are a few things we can do to try to avoid ransomware attacks. By following the precautions suggested below, you will greatly diminish the risk and consequences of being infected by ransomware.

Keep devices updated

The easiest way to strengthen your cyber security is to keep your devices and their software updated. Updates aren’t only there to make the device run faster and more smoothly; they also fix the computer’s security. However, not everybody knows this, and many will decide to delay updates while they are working to meet the next deadline. That’s why your team has to understand the importance of keeping their devices updated.

Awareness training

Ransomware is almost always targeted at people. Attackers take advantage of our curiosity, sense of urgency, and trust. By getting everyone on the same page with knowledge about phishing attacks, surfing the internet safely, and ransomware, your team will become aware of the threats and be less likely to fall for a ransomware attack.

You can also download our free e-book on how to make your team your biggest cyber security defence!

Back up

Since the consequences of ransomware mean that you may lose data or access to devices, we highly recommend thinking of a back-up plan. Here are a few possible solutions:

Use multiple backup solutions

By having more than one backup solution, you can be more certain that your data can be recovered if the ransomware infection has spread too quickly. While we understand that implementing this could take more time and resources, we highly recommend it to organisations that depend on their IT and data for their daily operations.

Keep an offline backup

Ransomware easily spreads through the network to devices that are connected. By backing up data offline, not only will you have a backup, but it will be in a place that the infection cannot touch.

Increase the frequency of backing up

Backing files up more frequently automatically means that you lose less data when infected with ransomware. For example, if you back up your data every hour, you may only lose one hour’s worth of work and data, as opposed to, e.g., an entire day’s.

However, it is all about finding the right balance. The more you back up, the higher cost it is for your organisation.

Test your backup

The only thing worse than not having a backup is thinking that you have a backup after all your efforts, then realising that it doesn’t work when you need it. That’s why it is important to test the restoration process continuously.
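A constructed restore test in Python, added here as an illustration of the advice above (it is not CyberPilot's code): it backs up a small set of files to a tar.gz archive, restores the archive into a fresh directory and compares SHA-256 hashes, then changes a file after the backup run to show what the data lost since the last backup looks like. The file names and contents are made up.

```python
"""Restore test for a backup archive, as recommended under "Test your backup".

Constructed example: creates a few files, backs them up to a tar.gz archive,
restores it into a scratch directory and compares SHA-256 hashes. A second
check after editing a file shows a stale backup (the "frequency" point).
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive the source tree and return the hashes it had at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return hash_tree(source)


def verify_restore(archive: Path, expected: dict[str, str]) -> dict[str, list[str]]:
    """Restore into a scratch directory and compare against expected hashes.

    'missing' files were not restored at all; 'mismatch' files restored with
    different content (damaged archive, or data changed since the backup).
    """
    report: dict[str, list[str]] = {"ok": [], "missing": [], "mismatch": []}
    with tempfile.TemporaryDirectory() as scratch:
        restore_dir = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(restore_dir)
        restored = hash_tree(restore_dir)
    for rel, digest in expected.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["mismatch"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def run_demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Back up constructed files, verify, then edit one file and verify again."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "documents"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "invoices.csv").write_text("id,amount\n1,100\n")
        (source / "notes.txt").write_text("meeting notes\n")
        archive = Path(work) / "backup.tar.gz"

        at_backup = create_backup(source, archive)
        fresh = verify_restore(archive, at_backup)  # everything should be ok

        # Work done after the last backup run is not in the archive.
        (source / "notes.txt").write_text("meeting notes, updated after backup\n")
        after_edit = verify_restore(archive, hash_tree(source))  # notes.txt stale
    return fresh, after_edit


if __name__ == "__main__":
    fresh, after_edit = run_demo()
    print("fresh backup:", fresh)
    print("after edits: ", after_edit)
```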

If your organisation is hit with a ransomware attack

When you can no longer access your data or use your computer without paying a hefty ransom, you have been infected with ransomware. Here are a few things to do if you have fallen victim.

Never pay up!

In the midst of panic when being hit with ransomware, your instincts might tell you to take the ‘easy’ way out – to pay the cybercriminals.

When cybercriminals target your organisation with ransomware, they have one purpose: to extort you for money! Even if you pay up, there is no guarantee that they will honour the agreement and return access to you, as they are criminals and dishonest by nature. By refusing to pay up, you invalidate the cybercriminals’ efforts. Fortunately, if you have taken the necessary precautions and followed the tips in this blog post, you could have the upper hand in this incident.

Communication is key

Keeping the incident secret will do no good. If your colleagues are unaware of the threat of ransomware or an infection in the organisation, they cannot defend themselves.

Additionally, you should report the ransomware incident to your governmental organisation which deals with cyber security and the GDPR. Unfortunately, many ransomware attacks go unreported simply because people don’t know the importance of reporting. This makes it difficult for law enforcement to track the attacks, warn other organisations, and come up with effective defences against cybercriminals.

Isolate the incident

Ransomware is notorious for spreading like wildfire. In a matter of minutes, it can spread through your organisation’s network and infect numerous computers. If possible, disconnect the affected computer from the network (Wi-Fi and wired). If there are any external hard drives connected to the computer, be sure to disconnect those too. We also recommend disabling the affected person’s account until a solution has been found.

Getting rid of the ransomware

Unfortunately, there is no one-size-fits-all solution for when you are infected with ransomware. In most cases, we would recommend that you ask another IT expert for a second opinion to be safe. Sometimes you may be lucky enough to decrypt the files, but often turning to backups is the way to go. If you have made frequent backups, you can wipe the affected computer clean or restore it without losing too much data.

The biggest tip against ransomware: be aware of the threats!

Ransomware can appear anywhere, in a very convincing phishing e-mail or on a fake website. Fortunately, there are steps you can take to minimise losses or prevent being hit altogether. By backing up your data in more than one place, you can recover it without paying the cybercriminals. If you train your team to be aware of possible threats and know how to avoid them, that will drastically reduce the risk of a ransomware attack.

At CyberPilot, we offer awareness training in cyber security for organisations who would like to protect themselves against ransomware threats. We offer 3 months of free awareness training for an unlimited amount of users – no credit card required.


What you need to know about which data breaches are fined, and how you can avoid them


Rebecca

Because of the way the GDPR was written, and because it is still relatively new, there are a lot of open questions. For example, how do we know if our organisation’s guidelines and procedures live up to the GDPR’s requirements? How much will we be fined if there is a data breach?

DLA Piper published a report on January 20, 2021 that summarises GDPR fines and data breaches over the past year (the webpage is in Danish but you can find the report in English here). This report gives us a better idea of which data breaches are more frequently fined, and what kind of data breaches will be fined in the future.  

This article will help you get a deeper understanding of what types of data breaches you should pay close attention to, and specific strategies you can use that might prevent your company from being fined.

The Biggest Fines Last Year

The table below illustrates the three biggest fines given last year and shows why it is important to take the GDPR seriously.

  1. Supervisory authority: France’s data protection authority, CNIL. Fine: €50m. Reason: Google Inc. was fined for
    • Failing to adequately explain how they process data.
    • Failing to have legal grounds to process data regarding personalised advertising.

  2. Supervisory authority: the Hamburg Data Protection Supervisory Authority. Fine: €35.26m. Reason: a global retailer was fined for
    • Failing to have enough legal support for processing data.

  3. Supervisory authority: Italy’s Data Protection Supervisory Authority, the Garante. Fine: €27.8m. Reason: a telecommunications operator was fined for
    • Failing to adequately explain how they process data.
    • Failing to have legal grounds to process data.
    • And more.


GDPR fines can be challenged

Within the past year, EU countries reported a 19% increase in breach notifications, an average of 331 notifications per day. Regulators have issued a total of EUR 158.5m in fines since January 28, 2020, but that is not the whole story. Some organisations successfully appealed these claims, which led to large reductions in anticipated fines. The fines were reduced by 80-90%, in part because of the financial hardships caused by Covid-19.

The main takeaway here: it pays to appeal and challenge the proposed fines.

What kinds of data breaches are fined?

The same rules have different ways of being enforced

Since each country has its own regulatory authority, data breaches and fines vary from country to country. Even though all data protection laws in the EU and the UK originate from the GDPR, the compliance cultures within organisations differ widely.

In addition, the separate data protection supervisory authorities have different interpretations of the legislation and therefore different enforcement practices. This uncertainty is most challenging for multinational organisations that operate in many different countries, as it makes it harder for them to anticipate and implement the different interpretations of the GDPR. Despite this, the fines summarised below were frequently handed out, regardless of supervisory authority.

Failure to communicate clearly and openly about how they process data

Organisations have gotten into trouble if they were not open and clear with users about how they process their personal data. The main way that they show this is in their privacy notice. This notice must explain to individual users in a simple way, how the organisation will use their personal data, and how their practices comply with the GDPR.

Organisations are fined for having overly complicated privacy notices. They were also fined for notices that were too detailed, inaccurate, or incomplete. For example, if you move personal data to a third country (one that is not in the EU) but don’t communicate this, your privacy notice is incomplete.

It’s a fine line…

The challenge with drafting privacy notices is that when you include too much detail, your audience may not be able to understand it, which breaches the GDPR’s transparency principle. On the other hand, if you include too little detail, you risk receiving a fine for providing imprecise or incomplete information.

Possible solution: Take a ‘layered approach’ to privacy notices. This approach presents the privacy notice in three different ways:

  1. A short note (a brief explanation of why they use personal data, and where to go for more information),
  2. A medium note (a graphic that describes how they use personal data),
  3. A long note (a complete and thorough notice that covers all necessary information to comply with the GDPR).

However, this is not a bullet-proof solution either. Organisations have also been fined for this method as, in some cases, users had to read and check off too many different privacy notes. In this case, the information was presented in a way that was far too complicated for the user.

The bottom line is that it can be extremely difficult to explain the complexity of processing to regular consumers who don’t have a law degree. All in all, the report did not have a strong solution to this problem. The main takeaway here: proceed with caution when drafting privacy notes and ask for help when in doubt.

Failure to have or show a legal reason to use personal data

There are many different scenarios where your organisation will have a legal reason to process data.

For example: your organisation sells a subscription to a music app and asks the consumer to give consent so you can process their musical preferences in order to suggest other songs and artists that they might like.

Organisations were fined for failure to legally be allowed to process personal data. They were also fined even when a legal ground to process existed, but the organisation had failed to properly demonstrate or document this. Therefore, documentation is just as important as the existence of a legal basis to process.

Finally, organisations were fined when processing was based on invalid consent. This is a broad term that covers a wide range of situations, including: someone might be penalised or miss out on an opportunity if they do not give consent; they might not realise they have given consent; the organisation does not specifically name itself when asking for consent; and many more.

To make sure that personal data is being used legally, organisations should have:

  1. Good data mapping in thorough and accurate records of processing.
  2. Rules and guidelines that properly protect personal data.
  3. Documentation that shows they can legally use personal data.
  4. Clear privacy notices that connect each processing activity with the law that allows them to use the data.

Possible solution: Apply a risk-based approach, giving more time and attention to higher-risk processing activities. For these activities it is important to carry out a Data Protection Impact Assessment (DPIA). This is a type of risk assessment that helps identify where a given project or plan carries data protection risks. Used correctly, it also helps you demonstrate how you comply with your data protection obligations.

Failure to implement appropriate security measures

According to the GDPR, organisations must use ‘appropriate’ measures to ensure a level of security that corresponds to the risk to the individuals whose data is being processed. The term ‘appropriate’ is open to interpretation, which makes it hard for organisations to identify and implement such measures. However, based on the fines handed out in the past year, we can get a better sense of what qualifies as appropriate security measures.

The following list gives security measures that may be necessary to implement in order to avoid a fine, each with a short explanation.

Privileged user monitoring: A privileged user is someone who has access to systems and data that may be sensitive and need extra protection. It is therefore important to monitor these users by analysing their behaviour and producing reports, to ensure that personal data is protected.

Server hardening: A process that strengthens a server’s protection, using techniques that restrict access to administrator accounts.

Encrypting personal data: Encryption converts clear text into ciphertext that can only be turned back into clear text with a secret key. It is particularly useful for protecting sensitive personal data, and it only helps if the key is kept separate from the data it protects.

Multi-factor authentication (MFA): An extra security measure that requires the user to provide two or more verification factors to gain access to an application, online account or other resource. Typically this is a password, followed by a one-time code that is sent to you or generated by something you have in physical form (an authenticator app or hardware token).

Access management: This ensures that users are who they say they are and that they are allowed to access company data. Grant access on a need-to-know basis and remember to remove a user’s access when it is no longer necessary.

Penetration testing: A simulated cyber-attack against your systems to check where you are vulnerable and what can be exploited. This is not a one-off measure and should be repeated regularly.

Avoid hardcoding passwords: Hardcoding means embedding plain-text passwords in source code, where they end up in version control, build artefacts and every developer’s checkout. Plain-text passwords are easily extracted and misused, so hardcoding them should be avoided.

Logging failed access attempts: It is important to keep track of failed access attempts. If a data breach happens, having this log makes it much easier to trace and investigate what happened.

Code review: The process of reading source code line by line in order to identify where your organisation might be vulnerable. It may also reveal personal data that is being stored incorrectly. Overall, it can greatly improve an organisation’s security.

Using the Payment Card Industry Data Security Standard (PCI DSS): Following this set of security standards ensures that your organisation accepts, processes, stores and transmits credit card information securely.

Possible solution: Organisations should consider and evaluate whether any of these measures are needed in their efforts to protect personal data. Organisations should also consider documenting the basis for why they adopted or omitted a particular security measure.
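An added example (not code from the original post) of the code-review check behind the “avoid hardcoding passwords” measure: a small scanner that walks source text for credential-looking assignments with a quoted literal value, run against a constructed vulnerable snippet and its hardened form, which reads the credential from the environment instead. The credential name list, the placeholder patterns and the snippets are assumptions for illustration; os.environ is the standard-library way to read a value injected by the deployment or a secret store.

```python
import os
import re

# Variable names that usually hold a credential. Assumed list for illustration;
# extend it for your own code base (connection strings, private keys, ...).
CREDENTIAL_NAMES = ("password", "passwd", "pwd", "secret", "api_?key", "token")

# name = "literal" / name: 'literal'  (the literal must be at least 4 characters)
ASSIGN_RE = re.compile(
    r"(?P<name>\w*(?:" + "|".join(CREDENTIAL_NAMES) + r")\w*)\s*[:=]\s*"
    r"(?P<quote>[\"'])(?P<value>[^\"']{4,})(?P=quote)",
    re.IGNORECASE,
)

# Literals that are placeholders, not live secrets, so they are not reported.
PLACEHOLDER_RE = re.compile(
    r"^(<[^>]*>|\$\{[^}]*\}|changeme|x{3,}|your[_-]?\w*)$", re.IGNORECASE
)


def find_hardcoded_secrets(source: str, filename: str = "<string>") -> list:
    """Return one finding per credential assignment with a literal value."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in ASSIGN_RE.finditer(line):
            value = match.group("value")
            if PLACEHOLDER_RE.match(value):
                continue
            findings.append({
                "file": filename,
                "line": lineno,
                "name": match.group("name"),
                # Never echo the secret itself into a report or ticket.
                "value_preview": value[:2] + "*" * (len(value) - 2),
            })
    return findings


# Constructed 'before' snippet: the credential lives in the source file, so it is
# in version control, in every build artefact and in every developer's checkout.
VULNERABLE_SOURCE = '''\
import psycopg2

DB_PASSWORD = "Tr0ub4dor&3"
conn = psycopg2.connect(host="db.internal", user="app", password=DB_PASSWORD)
'''

# Constructed 'after' snippet: the value is injected at runtime by the
# deployment (an environment variable populated from a secret store), and the
# only literal left is an obvious placeholder.
HARDENED_SOURCE = '''\
import os
import psycopg2

DB_PASSWORD = os.environ["DB_PASSWORD"]
conn = psycopg2.connect(host="db.internal", user="app", password=DB_PASSWORD)
API_TOKEN_HINT = "<set API_TOKEN in the environment>"
'''


def load_db_password() -> str:
    """The hardened pattern itself: fail closed if the secret is not provided."""
    value = os.environ.get("DB_PASSWORD")
    if not value:
        raise RuntimeError("DB_PASSWORD is not set; refusing to start without a credential")
    return value


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SOURCE), ("hardened", HARDENED_SOURCE)):
        for f in find_hardcoded_secrets(src, label + ".py"):
            print(f"{f['file']}:{f['line']}: {f['name']} = {f['value_preview']}")
```

A regex scanner like this is a cheap first pass to wire into code review or a pre-commit hook; it will miss secrets built up by concatenation and flag the odd false positive, which is why the report shows only a masked preview and the finding is then checked by a person.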

Breach of the data minimisation and data retention principles

Organisations have been fined for processing too much data or for keeping data for too long. In the two decades before the GDPR was passed, personal data was far less tightly regulated than it is today, while the amount of personal data processed and stored by organisations grew enormously. These organisations are now faced with the time- and resource-consuming task of untangling and sorting this mass of data. It requires the following two things:

  1. Finding and classifying all data into two categories: to be deleted (data minimisation) and to be kept, with a retention period (data retention).

  2. Deleting personal data stored in old systems and applications that either cannot or do not easily support secure deletion.

Possible solutions: To resolve this and prevent harm to data subjects, organisations must create an overview of all their data and delete data that they no longer need or no longer have a right to process. In addition, it is important to develop guidelines and use systems that can process data securely going forward.

Transfer of personal data to third countries and international organisations: will be fined more frequently in the future

In July 2020, the Schrems II judgement was handed down by Europe’s highest court. It demanded, “in addition to fines, the immediate suspension of alleged illegal transfers of personal data from the EU to third countries”. We have yet to see the fallout from this judgement, and it might take some time before it filters through to enforcement practice.

Possible solutions: We are still waiting for the Commission to finalise its guidance on how to treat data transferred to third countries (countries outside the EU, which since Brexit includes the UK). Normally, when organisations need to transfer data to third countries, they do so under Standard Contractual Clauses. This contract is intended to protect personal data so that when it leaves the EU, it remains protected to the GDPR’s standard in countries that do not offer the same level of protection.

Once the Commission has updated this policy, organisations should carry out a Transfer Impact Assessment (TIA). This shows which risks are linked to the transfer of personal data out of the EU, and your organisation should revise its Standard Contractual Clauses accordingly.

Securely processing personal data can be a daunting task. Often, those responsible for this task are not legal experts on the matter. You can find more information on our blog, to explore best practices and processes for safeguarding personal data.

Subscribe to our newsletter

Receive updates containing free templates, tools, and news from CyberPilot.

Join our 2000+ subscribers and sign up for our newsletter. You will receive inspiration, tools and stories about good cyber security practice directly in your inbox. Our newsletter is sent out approximately once a month.

Awareness training is spreading knowledge

Sajerathan Vincent

Awareness is about recognising and understanding what is happening around us and staying alert to possible dangers and risks. With increasing digitalisation, things are changing and we face new types of risk, such as phishing and fraudulent websites. Awareness training can help strengthen the information and cyber security in your organisation and foster a better understanding of the GDPR. This blog post discusses what awareness is and how you can use awareness training to train your employees.

What is awareness training?

Awareness is the ability to spot dangers and risks when they pop up. To do this, however, we need to know that the risks exist. In emergencies and dangerous situations, awareness plays an especially crucial role.

For instance, when you are out for a walk or a jog, you would probably never cross the street without looking out for cars. We all know that you can be seriously injured if you are hit, and that is why we are aware when crossing the street.

But when it comes to cyber security, the internet and the GDPR, not everyone understands the dangers and the consequences of, for example, a phishing e-mail. Therefore, we are not aware when browsing, clicking and being immersed in digital life. We never cross the street without looking for cars, but we browse the internet all day without worry.

In today’s digital world of work, we are more exposed to cyber security threats as we spend more and more time online. In organisations and companies, employees must be aware of these kinds of risks and know what to do when faced with them. It can start with small changes, such as creating strong passwords and knowing how to spot a phishing e-mail. Similarly, if your employees do not know that health information is considered sensitive personal data, they may not know that it should be treated differently from ordinary personal data. Lastly, it is not enough that the IT department is aware of all this; everybody in the organisation must be on board.

Differing awareness levels among individuals

Everything we see, hear, think and do affects our awareness. Whether we are watching our favourite TV show, reading a book, listening to music or having conversations with friends, nearly everything relates to our awareness. Some individuals are aware and can spot dangers and risks in seconds, while others are not aware and might take some time or never spot them. How can we be aware of threats?

Well, we need knowledge about threats before we can be aware of them. Some people in an organisation might already have it, but it only takes one person clicking on a phishing link to cause immediate consequences.

For instance, when suspicious e-mails are sent to individuals, it is the individuals with a good amount of awareness who will be able to spot them and protect themselves.

You might ask yourself: can I train the awareness of my employees? The answer: yes, you can. Awareness training teaches individuals to be conscious of these dangers and risks. It focuses on creating a high level of awareness across a variety of topics and helps individuals become aware of their digital behaviour and how to mitigate threats.

How does awareness training work?

Awareness training can happen in many ways: physical workshops, posters around the office, or e-learning. These can be used on their own or supplement each other. The most important thing is to get the ideas across and for your team to gain a good understanding of the topics. It is about spreading knowledge in your organisation.

In another context, we see that online awareness campaigns can be effective in educating the public. For example, the Australian National Mental Health Commission introduced an online awareness campaign with the hashtag #InThisTogether to offer Australians mental health and wellbeing tips during Covid-19. You can read more about the effort here. It shows how awareness can be created with simple measures.

When it comes to cyber security and the GDPR, awareness training is particularly useful when done on an ongoing basis. It can help change the culture in an organisation, which cannot be done with a single workshop. The effort should be a continuous process that requires some commitment, i.e., being repeatedly reminded of the importance of certain topics. That way, we automatically spot things that seem odd or suspicious in relation to these topics.

When used effectively, awareness training can create a culture of change in your team. In our e-book, we discuss how you can implement awareness training. You can download it here for free.

Awareness training for cyber security and GDPR compliance

Awareness training is an effective way of creating awareness about cyber security and the GDPR in your organisation. Your team has an important role to play when it comes to maintaining strong cyber security.

For instance, 9 out of 10 security breaches are caused by human error. That includes breaches involving personal data covered by the GDPR, a regulation that has presented many organisations with a great challenge.

Once your team is aware of these aspects, it will have a positive effect on your organisation. The goal is not for everyone to become a cyber security or GDPR expert, but your team will at least know the basics and recognise the situations in which they should ask for help.

With that in mind, awareness training can be used to create the awareness your organisation needs to be better prepared.

As mentioned, awareness is nothing more than the ability to identify threats when they occur. But before we can be aware of threats, we need the knowledge to build up that awareness. In today’s organisations and companies, cyber security and GDPR-related threats occur more frequently than ever, and awareness training can create awareness of these threats in your organisation. The training can be done in many ways: with a traditional approach, with e-learning, or something in between, as discussed in this blog post here.


How to make guidelines for IT usage. A step-by-step tutorial with our template

Anders Bryde

In this blog, we take you through how to make guidelines for the use of IT in your organisation. Having this kind of document can help strengthen the cybersecurity of your organisation. You will be guided through our template, which you can find further down this page. We also have a template for creating an IT security policy, which you can find here. Both documents are vital tools for achieving a good cybersecurity culture in your organisation.

The difference between an IT security policy and guidelines for IT use

When you work with cybersecurity in your organisation, it can be very useful to have both an IT security policy and guidelines for IT use. With a policy and a set of guidelines, you provide a clear set of expectations, which will strengthen your security.

IT security policy

The purpose of an IT security policy is to provide a general framework for the organisation that includes objectives and delegates responsibility for cybersecurity within the organisation. The policy is a small document of only a few pages. It can be viewed as a management memo setting out the ambitions for the organisation’s cybersecurity measures.

Guidelines for IT use

The guidelines document is more extensive and includes the rules and guidelines that the entire team must follow. Where the policy is general and strategic, the guidelines document is concrete and actionable. (If you would rather see the tutorial for making policies, click here.)

In this blog post, we will go through the template for Guidelines for IT Use and discuss what to be aware of when you create these guidelines for your organisation.

Providing Specific Rules

While the IT security policy creates a strategic framework, the guidelines document defines specific rules to follow. Basically, what should be incorporated into one’s daily routine while working. For example, it can include guidelines about the length of passwords, clean desks, or private use of company equipment, like laptops and smartphones.

The purpose of the guidelines is to define the playing field for the organisation and to provide clarity for all members of staff, so the guidelines should be easy to understand and follow.

For the guidelines to succeed, nobody in the organisation should ever be in doubt about whether they are breaking the rules, and everyone should be able to navigate their daily work in a secure way. The document should also be concise: too many rules can lead to worse cybersecurity, because people simply forget them under the mental overload.

How to use the template

It is important to point out that the following points should only serve as an inspiration for your guidelines. You have your own context that perhaps only makes some of the rules relevant to you. We recommend taking what is relevant to you, add your own rules, and remove the rest.

The template contains two overall items:

  1. Purpose statement
  2. Guidelines and principles

The guidelines and principles are divided into 10 focus areas for the rules in the organisation. We will go over each point below.

Purpose statement

First, we provide a purpose statement. Generally, this should state that the document is a set of guidelines that all staff of the organisation are expected to follow. This is where the framework for the document is set. We give an example here:

“X focuses on ensuring the availability, confidentiality and integrity of its systems and data. All staff must act in a responsible, ethical and legal manner. All X staff, consultants and temporary staff are required to manage knowledge with care and discretion, whether written, electronic or verbal.

Therefore, it must be handled in accordance with X’s information security policy and the guidelines and principles listed below. To ensure this, the staff of X are continuously trained and made aware of topics within cybersecurity and the GDPR.”

The purpose statement lays down the basic rules for the use of IT in organisation X and explicitly states the expectation of continuous training and awareness among staff.

Guidelines and principles:

The guidelines and principles point out specific rules to follow when using IT systems in the organisation. Here, we have added 10 points as examples with some principles to follow.

1. Confidentiality

Confidentiality is normally covered in employment or project contracts, but it is still useful to state it in the guidelines to emphasise its importance. It states that the organisation expects confidentiality from its employees when it comes to confidential information, e.g., customer information. We give an example here:

“You must handle all of X’s information with discretion and care. Under no circumstances should you access or use information, systems, or networks that are not necessary for your job. Do not share confidential information with colleagues, consultants, or temporary staff who do not have a job-specific need for this information. You may not share confidential information with third parties unless it has a clear business purpose. When working with external parties, they must have signed a declaration of confidentiality. “

2. Access codes (passwords and PIN codes)

This section is where the organisation sets requirements for users’ access codes. For example, you can state requirements for length and the use of digits or special characters. You can also encourage people not to reuse passwords. We give an example here:

“All passwords and PIN codes are personal. To create a strong password, we recommend a long password of at least 12 characters, using both uppercase and lowercase letters, and numbers. When leaving your workstation, you must log off or lock the machine. Never write passwords on bulletin boards or paper, or store them on hard disk or in e-mail.”

3. Physical framework

The physical framework deals with how to handle information, data, papers either physically on one’s desk or in the physical space of the organisation. We provide an example here:

“Please ensure that your desk is organized and that there are no important documents in plain sight when you are not using them. Confidential information must be placed in locked drawers, cupboards, or the like to avoid unauthorized access. At the same time, be aware of the visibility of your PC screen. You should not have confidential and sensitive data open when unauthorized persons are behind you so that they can watch your activities over your shoulder.”

4. Handling equipment and documents outside of premises

This section deals with how to handle equipment and documents when outside of company/organisation premises, e.g., when working remotely. More and more companies recently have had to concretely define this, as working from home has become a necessity.

Here, there may be some different expectations than on premises and mainly focuses on securing the organisation’s equipment. We provide an example here:

“If you bring IT equipment outside of X’s premises, it must be secured with a PIN or password that provides sufficient protection against access by unauthorised persons. When flying, mobile equipment and documents must always be carried as hand luggage.”

5. Equipment and software

Nowadays, we use cloud services and software can be quickly downloaded from the internet. Therefore, it is essential to make some general rules on what types of services may be used and downloaded, as it can be incredibly difficult to control and keep track of your team’s activity. We give an example here:

“All IT systems, equipment, or memory storage devices must be approved by X and follow company standards as issued. Never connect unauthorized equipment to workstations or networks. This also applies to USB keys and smartphones. Additionally, you may only install or download programs if you have been permitted to do so.

Software and equipment are the property of X and must be treated accordingly. Therefore, they must not be lent to others including family. For data handling, you must use X’s internal file server. Use of cloud-based services such as Google Drive, Dropbox, and web-based file sharing is only allowed if receiving data from external parties. It is not permitted to upload X’s data to unauthorized services. The software must always be used according to the license terms entered by X.”

6. User credentials

User credentials deal with how user management should take place in one’s IT systems.  For example, multiple users could share user information and make use of each other’s logins. We recommend that you may only use your own user credentials so that you do not get into trouble because of the actions of others. We give an example of the guideline here: 

“User rights must be respected, therefore only use your own user credentials to log in. Never share your user information with others, including your employer. Misuse of credentials and digital activity can leave digital traces that have a negative impact on X.” 

7. Digital activity

Here, you can describe best practices and limitations for digital activity on company-owned equipment. It is important to set realistic expectations, and some of these can be common sense. For example, it would be unreasonable to ban visiting public websites or checking one’s private e-mail altogether, but you can limit the level of private use during work hours. Needless to say, illegal websites and activity should be banned. It is up to your organisation to specify the rules so that your team still has some freedom, but you draw a line somewhere. We provide an example here:

“Please minimise the private use of the Internet and e-mail on X’s equipment. For personal documents, save it locally in a folder on your computer and label it ‘Private’. Personal data must not be sent by e-mail. Under no circumstances, may work-related online correspondence take place through anonymised communication channels. It is strictly forbidden to use X’s e-mail accounts, computers, tablets, and mobile phones to view pornographic, racist, extremist, or criminal content. When receiving an e-mail, the sender’s e-mail address must be checked before unknown links and documents are opened.”

8. Security monitoring and logging

This communicates that you, as the organisation, can log and monitor your team’s digital activities. It does not necessarily mean that this is done routinely, and more importantly, that you respect your team’s privacy. But by bringing it to their attention, you encourage them to act accordingly. We provide an example here:

“X respects the individual employee’s privacy and complies with local laws and regulations. However, we reserve the right to log IT use and, in special circumstances, to require access to an employee’s e-mail and files.”

9. Handling of personal data

The handling of personal data is closely aligned to the GDPR. Normally, compliance with the GDPR requires more elaborate processes than a set of rules in a document for IT use. However, the guidelines are still a place where employees can be made aware of the handling of personal data with some very general requirements. These requirements do not say much about the processes that make you comply with the requirements but can create awareness of the importance of handling personal data. We give an example here:

“At X, we are very careful to take good care of and protect the personal information that our customers, members, employees, and partners have entrusted us with. We work continuously to develop and implement secure processes, which must ensure the legal and secure processing of personal data.

We have established the following basic principles for the processing of personal data: 

10. Reporting security incidents

The last point is to describe how to report security incidents. It should be a requirement for employees to report security incidents that they observe or are exposed to. You can provide examples of what a security incident might involve and whom they should report to. The important thing is that your team knows when to act and whom to address. We give an example here:

“If you suspect any security incident, you must immediately report it to your immediate manager and the IT department.”

Examples of security incidents

Do not hesitate to contact the person in charge (XXX) if you suspect something. Better safe than sorry!

The guidelines are a first step to reinforcing good habits

The guidelines make it possible for your team to easily check what they can or cannot do. However, it is important to point out that this effort cannot stand alone; you cannot just write down the rules and expect everyone to abide by those rules. Your team must be trained on a continuous basis to ensure that awareness is always there.

A strong foundation for your Cybersecurity culture

The IT security policy and the guidelines provide a strong foundation for creating a good cybersecurity culture in your organisation. If you are now ready to get started with the IT security policy, you can find a similar guide here.

It is important that the documents do not just lie and collect dust once you have filled them out, but that you continuously review and update them. We recommend doing this annually. In addition, you must actively work with the objectives and guidelines from the two documents so that the cybersecurity culture is reinforced.

We hope you found the template and guide useful!


SIEM is not worth it!

Kenneth Jørgensen

…without the right data and the right focus.

Recently, SIEM has become a buzzword, but it is simply the combination of security event management and security information management (the abbreviation stands for security information and event management). In other words: the analysis of logs with a focus on security.

The SIEM products on the market make great promises. But unless you have a network that adheres 100% to the rules, and all users and administrators do exactly as they should (spoiler: this is never the case!), you will be bombarded with false positives and alarms.

I have never, in my entire career, seen a network that 100% adheres to the rules. Additionally, many users use the networks for more than they should and/or are allowed to.

You have not worked enough with logs until you have seen Event ID 4624 type 0

The key to analysing logs with a focus on security is to understand everything that lies outside the SIEM product. This involves questions such as:

Event ID 4624 is also not white noise

When everything is set up, the fun begins. There will be a period in which the data must be analysed, and whatever is found on the network that falls outside the framework must be eliminated. That includes everything from system accounts generating floods of Active Directory (AD) events, users running Hola VPN, devices that should not be on the network, errors, and clock skew that makes Kerberos requests fail. This work can take an organisation 3-5 months before you are ready to set up any alarms. Unfortunately, no SIEM product can complete this process for you, and more importantly, you will never finish that process.

You get A LOT out of just starting to work with log analysis

SIEM products are nothing in themselves. Unless you want a lot of false-positive alarms, analysing logs with a focus on security requires an expert to connect the alarms and analyse the logs obtained. In other words, we must constantly focus on what is on the network before we can discover what should not be there.

2×2 ≠ 5751 

The point is that we must be able to analyse the data ourselves to see whether there are obvious errors; this requires knowledge of what is normal. The more we know about the norm, the easier it is to spot abnormalities. It is also important to know what is possible and what is needed to get data from all the devices that send their logs. A SIEM does not detect mismatched logs or changes in the log structure; you would just get false results.
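An added example (not code from the original post) of the two points above: learn what is normal from a clean-up period, then alert on what deviates from it, and notice when the log structure changes under you. The events are a constructed, simplified one-line rendering of Windows Security events 4624 (successful logon) and 4625 (failed logon); real events are XML/EVTX with fields such as TargetUserName, LogonType, IpAddress and WorkstationName, and the key=value format here is an assumption to keep the example self-contained, as are the host names, accounts and thresholds.

```python
import re
from collections import Counter

# Constructed line format for the example (see lead-in); one event per line.
# Windows logon types seen below: 2 = interactive, 3 = network,
# 10 = remote interactive (RDP), 0 = system (used by the SYSTEM account).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+EventID=(?P<event_id>\d+)\s+"
    r"LogonType=(?P<logon_type>\d+)\s+Account=(?P<account>\S+)\s+Source=(?P<source>\S+)$"
)


def parse(lines):
    """Split lines into parsed events and lines that no longer fit the schema."""
    events, unparsed = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        e = m.groupdict()
        e["event_id"] = int(e["event_id"])
        e["logon_type"] = int(e["logon_type"])
        events.append(e)
    return events, unparsed


def build_baseline(events):
    """'Normal' = every (host, account, logon type) combination that produced a
    successful logon during the learning period, i.e. after the clean-up has
    removed what should not have been on the network."""
    return {(e["host"], e["account"], e["logon_type"])
            for e in events if e["event_id"] == 4624}


def analyse(events, baseline, unparsed, fail_threshold=5):
    """Return (kind, detail) alerts: 4624s outside the baseline, bursts of 4625
    failures per source/account, and lines the parser no longer understands."""
    alerts = []
    for e in events:
        if e["event_id"] == 4624:
            key = (e["host"], e["account"], e["logon_type"])
            if key not in baseline:
                alerts.append(("new-logon-pattern",
                               f"{e['ts']} {e['account']} logon type {e['logon_type']} "
                               f"on {e['host']} from {e['source']}"))
    failures = Counter((e["source"], e["account"])
                       for e in events if e["event_id"] == 4625)
    for (source, account), n in failures.items():
        if n >= fail_threshold:
            alerts.append(("failed-logon-burst",
                           f"{n} failed logons for {account} from {source}"))
    if unparsed:
        alerts.append(("log-format-drift",
                       f"{len(unparsed)} line(s) did not match the expected format; "
                       "check agents and parsers before trusting the alarms"))
    return alerts


# Constructed learning period: what a cleaned-up network looks like on a normal day.
LEARNING_PERIOD = [
    "2024-03-01T08:02:11Z host=FS01 EventID=4624 LogonType=3 Account=alice Source=10.0.1.25",
    "2024-03-01T08:05:40Z host=FS01 EventID=4624 LogonType=3 Account=bob Source=10.0.1.31",
    "2024-03-01T08:06:02Z host=DC01 EventID=4624 LogonType=3 Account=FS01$ Source=10.0.0.5",
    "2024-03-01T09:12:19Z host=WS-ALICE EventID=4624 LogonType=2 Account=alice Source=-",
    "2024-03-01T09:40:55Z host=DC01 EventID=4624 LogonType=0 Account=SYSTEM Source=-",
    "2024-03-01T10:01:07Z host=WS-BOB EventID=4625 LogonType=2 Account=bob Source=-",
]

# Constructed detection period: one RDP logon from an external address at 02:14,
# a password-guessing burst against 'admin', routine traffic, and one line from
# an agent whose field names changed after an upgrade.
DETECTION_PERIOD = [
    "2024-03-02T02:14:03Z host=FS01 EventID=4624 LogonType=10 Account=alice Source=203.0.113.7",
    "2024-03-02T02:14:30Z host=DC01 EventID=4624 LogonType=3 Account=FS01$ Source=10.0.0.5",
] + [
    f"2024-03-02T02:15:{s:02d}Z host=FS01 EventID=4625 LogonType=3 Account=admin Source=203.0.113.7"
    for s in range(1, 6)
] + [
    "2024-03-02T02:20:00Z host=FS01 EventID=4624 LogonType=3 Account=alice Source=10.0.1.25",
    "2024-03-02T02:21:00Z host=FS01 EventId=4624 Logon_Type=3 TargetUser=bob Source=10.0.1.31",
]


def run_demo():
    learn, _ = parse(LEARNING_PERIOD)
    baseline = build_baseline(learn)
    events, unparsed = parse(DETECTION_PERIOD)
    return analyse(events, baseline, unparsed)


if __name__ == "__main__":
    for kind, detail in run_demo():
        print(f"[{kind}] {detail}")
```

The baseline is the expensive part, exactly as the post says: it is only as good as the clean-up that preceded it, and it has to be rebuilt as the network changes. The format-drift counter is there because a parser that silently drops lines produces a quiet SIEM, not a secure network.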

InvokeShellcode – Ouch!

There are constantly new ways for someone or something to access your data outside all your security perimeters. Therefore, the vulnerabilities and methods used to compromise data must be investigated on an ongoing basis, so that you know exactly which indicators to look for and be alerted on.

Some things cannot be detected with logs, and in those cases other measures must be taken. So far, I have only encountered one SIEM product on the market that had guidelines for what we should look for. I should emphasise that these were guides and something you had to add to the SIEM product yourself. But I will give this product some credit for understanding the SEM part of SIEM.

No one is looking where it normally starts

To be honest, I have never really understood why we are so preoccupied with collecting logs from servers and networking equipment rather than from the clients. Most compromises could be detected by monitoring logs from clients. I am not saying that you should not log from servers and network equipment, but we should think about where it is smartest to start collecting logs if you must prioritise.

What I am really trying to say is…

Analysing logs with a focus on security will give any organisation a lot in terms of security, awareness and understanding of the network. But we need to realise that it requires time and maintenance. Implementation needs a lot of input from specialists, both technical and non-technical. Therefore, I would suggest getting help from experts for the project.

Do you want to see if your organisation is prepared to analyse logs with a focus on security? Write to me at info@wifitest.dk and I will give you 5 questions to evaluate this.

Unfortunately, it is not possible to buy a one-size-fits-all solution. Sorry about that.

Kenneth is a co-founder of CyberPilot. CyberPilot focuses on helping companies that have already realised that cybersecurity = risk and risk management. We do this by focusing on the initiatives that provide the greatest value. We have already helped many organisations.

Follow us here on the website or on LinkedIn. We regularly provide advice and guidance on how you can also work with cybersecurity with simple steps and how you can make sure to use your resources most efficiently.

Updates

About the course

We’ve probably all updated our devices before. But other than being a small nuisance in our day, what exactly do they do? Here, you can read about what updates are and what could happen if you delay them.

Want to learn more?

Even though the GDPR has taken effect for many years, many organisations are still uncertain about how to exactly implement it in their daily operations. In this blog, we will talk about how awareness can help teams get a better understanding and become GDPR compliant.

Other material

Create awareness in your organisation with our posters. You can download the posters and hang them on your walls in your organisation.

In this way, your employees will be reminded of what to be aware of when they see the posters.

Related courses

Category: GDPR

Protect Personal Data

Learning objectives: Why it is important to protect personal data, how your organisation’s rules and guidelines help to protect personal data and how your actions make a difference and can help protect personal data

Category: GDPR

Updates

Learning objectives: What an update is, why it is important to update your devices and a few good tips and habits for keeping your devices updated

Targeted phishing (spear phishing)

Watch the video from our Targeted Phishing course, where you can see how easily cybercriminals can send targeted phishing emails with a few quick clicks.

About the course

Nowadays, phishing attacks are getting more difficult to spot and more people are falling victim to the trap. In this course, you will learn about how cybercriminals can target their phishing attacks, what to look for, and how you can defend yourself against them.

Want to learn more?

Phishing has been estimated to be the biggest current cyber security threat to organisations. This blog post discusses what phishing is and why these attacks are getting harder and harder to spot. We also give you tips on how to train your team so that they do not fall victim to phishing schemes.