Why your business’ cybersecurity training strategy isn’t working

Having a strong cybersecurity strategy is more important than ever for businesses, with hacking attempts and other online scams growing in frequency.

In a world where technological solutions are considered first, you might well be surprised to hear that a widely cited figure attributes around 90% of cybersecurity breaches to simple human error. That’s why every good cybersecurity strategy places employee training at its core.

Fortunately, the number of companies considering the human angle in their cybersecurity strategy is growing.

Unfortunately, many of those strategies fail. Sound like you?

Join us as we share some of the common reasons why training strategies fail:

Your training is reactive, not proactive

Many businesses make the mistake of providing training only when they “need” to.

Whether it’s the sudden realisation that you need to achieve compliance or the discovery that you’ve been breached, many training programmes are embarked upon reactively rather than proactively.

A more proactive approach to training helps to pre-empt issues and gives employees the necessary knowledge before a problem arises that leads to a data breach.

Over-valuing certifications

A common mistake is to take certifications as proof of an employee’s skills. A certification is proof of knowledge in a specific subject, but it may not reflect what the holder can actually do.

So an employee might be able to answer a set of questions about cybersecurity, but having the skills to take the best actions to protect your business is another story. If you want your employees to have good cybersecurity skills, they need training that develops those skills, not a tick-box exercise.

Opting for a one-size-fits-all approach

If your cybersecurity training isn’t tailored to your organisation, this could be severely limiting the effectiveness of your training.

We all have differing levels of knowledge, different biases and, of course, unique personalities, all of which determine our relative exposure to various forms of attack.

Training that is tailored to the individual’s learning needs, such as Bob’s Culture, is more likely to be effective, so your employees will be in a better position to take the most suitable cybersecurity actions.

Bob’s Culture includes our unique Human Vulnerability Assessment, which involves completing a Phishing Baseline and Awareness Questionnaire to build a customised training rollout. This approach identifies potential blind spots and skills gaps that could leave your business vulnerable to a cyberattack, delivering training that’s relevant to your team and your organisation.

Not all employees will react to threats such as phishing emails in the same way. For example, one employee might be more optimistic than their more cautious peers, which could lead to them clicking a link that gives attackers access to your systems.

By tailoring training content around the individual, you give each employee the skills and knowledge to take the best course of action when faced with a potential cyberattack.

How to improve cybersecurity knowledge in the workplace

Cyberattacks have become a constant problem for businesses of all sizes. Hackers cast their net far and wide, targeting all types of businesses as they look for weaknesses that they can expose and profit from.

Even small businesses are at risk because hackers often believe that they will have less sophisticated security systems in place and will therefore be an easier target.

As such, every organisation needs to be very vigilant about the threat of cyberattacks and have the right systems and other security measures in place to protect their business. But how do you improve cybersecurity knowledge in your workplace?

Training. Why? Because, as noted above, a widely cited figure attributes around 90% of breaches to human error.

That’s why employee cyber awareness training and ongoing education is crucial to keeping businesses protected from the growing number of cyberattack threats.

The key areas that employees should be educated on are:

Data protection

Employees need to know how they can protect data and prevent data breaches. This covers a wide range of actions, such as choosing strong passwords and not giving out data in response to unsolicited emails, calls, texts or requests through any other channel.

The danger of links and popups

Pop-ups and links within emails and text messages are a big danger, and employees often fall for scams that put data at risk. Employees need to learn how to identify a suspicious link (for instance, where the text shown differs from the address the link actually points to, or where the domain merely resembles a familiar one) and how to report it using the correct process.
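To make the “identify the risk” step concrete, here is an added example (not from the original article) of the checks a mail gateway or an analyst’s triage script applies to the links in a message: does the text shown match where the link actually goes, does the host merely contain a trusted brand name in a subdomain, is it a raw IP address, or is it an internationalised (punycode) host name? The email body, the trusted-domain list and the function names are constructed for the example, and the registrable-domain helper is a deliberate simplification that a real tool would replace with the Public Suffix List.

```python
"""Added example: flagging suspicious links in an email body."""
import html
import re
from urllib.parse import urlparse

# Domains the organisation expects to see (assumption for the example). A host that
# merely *mentions* one of these brands without being that domain is a lookalike.
TRUSTED_DOMAINS = {"example-bank.com", "microsoft.com"}

ANCHOR_RE = re.compile(
    r'<a\s+[^>]*href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>',
    re.IGNORECASE | re.DOTALL,
)
TAG_RE = re.compile(r"<[^>]+>")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Anchor text that itself looks like a URL or bare domain.
URL_LIKE_RE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)

# Constructed sample: a phishing-style HTML body with one clean link and two bad ones.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account has been locked.</p>
<p>Sign in at <a href="http://example-bank.com.verify-login.net/session">https://example-bank.com/login</a>
to restore access, or use our <a href="http://203.0.113.7/update">secure portal</a>.</p>
<p>Our policy is at <a href="https://www.example-bank.com/policy">our website</a>.</p>
"""


def registered_domain(host):
    """Simplification: treat the last two labels as the registrable domain.
    Real tooling must use the Public Suffix List (e.g. example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(body_html):
    """Return (href, visible text) pairs for every anchor in the body."""
    links = []
    for href, inner in ANCHOR_RE.findall(body_html):
        text = html.unescape(TAG_RE.sub("", inner)).strip()
        links.append((html.unescape(href).strip(), text))
    return links


def assess_link(href, text):
    """Return a list of human-readable findings; an empty list means nothing looked odd."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https"):
        findings.append("non-web scheme: %s" % (parsed.scheme or "none"))
        return findings
    if IPV4_RE.match(host):
        findings.append("link points at a raw IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised (punycode) host name")
    if URL_LIKE_RE.match(text):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registered_domain(shown) != registered_domain(host):
            findings.append("displayed %s but goes to %s" % (shown, host))
    actual = registered_domain(host)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if actual != trusted and brand in host:
            findings.append("lookalike of %s (%s)" % (trusted, host))
    return findings


def triage_email(body_html):
    """Map each href that raised at least one finding to its findings."""
    report = {}
    for href, text in extract_links(body_html):
        findings = assess_link(href, text)
        if findings:
            report[href] = findings
    return report


if __name__ == "__main__":
    for href, findings in triage_email(SAMPLE_EMAIL_HTML).items():
        print(href)
        for finding in findings:
            print("  -", finding)
```

Run as a script it prints the two bad links with their reasons and stays silent about the genuine `www.example-bank.com` link; the same heuristics are what an employee is being asked to apply by eye when they hover over a link before clicking.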

Using secure Wi-Fi

With more people working from home or elsewhere away from the office, there are more opportunities for attackers, because some employees connect to company systems over Wi-Fi with weak security. A firewall on the company network offers some protection, but employees working from home who access systems that hold data also need a firewall on their own devices, and a home router that is kept patched and secured with a strong Wi-Fi password (WPA2 or WPA3 rather than an open network).

Keeping security software up to date

When system updates become available, install them as soon as possible, as they usually contain security fixes. Anti-virus and anti-malware tools also receive regular updates so that they can detect new threats, so keep them current too.

What to do if there is a data breach

If your business has a data breach, there are a number of consequences that could cause significant problems for your company. Firstly, the financial impact of a data breach can be severe. Under the GDPR you can be fined up to 4% of annual global turnover or €20 million, whichever is greater (under the UK GDPR the fixed figure is £17.5 million). On top of this, you may need to pay compensation to the people affected by the data breach.

You might also have significant legal fees to pay, so it can be financially crippling to many businesses. The other problem is the reputational damage caused by a breach and the loss of trust from customers. This can cause you to lose existing customers and will also put potential customers off using your business due to the bad publicity surrounding the data breach.

Even if you completely overhaul your security measures, it takes a long time to rebuild trust and improve your business reputation.

All of which is to say that effectively training your team to act appropriately and promptly at the first signs of a data breach is utterly essential.

How to prevent a data breach

Making sure that your employees stay up to date with the cybersecurity measures they need to take is vital in preventing a data breach.

Across three products, Bob’s Business offers comprehensive online training packages covering all aspects of data protection and many other critical compliance subjects. With over 55 courses covering cybersecurity awareness and compliance topics, as well as award-winning simulated phishing training, we make reducing your risk of breach simple.

Find out more about Bob’s Business products here.

How to write a privacy policy

It’s fair to say that running a business with a website used to be a simpler prospect than it is today.

UK data protection law now requires you to publish a privacy policy on your website that explains to website visitors how you use their data. Larger businesses will have legal experts who will write their privacy policy for them, through either an in-house lawyer or someone external that they hire to write up the policy.

For SMEs with smaller teams and budgets, though, it can be tricky to know how to craft a privacy policy.

The good news is that a privacy policy can be created without paying a lawyer: all you need to do is ensure the policy includes all of the required information, to avoid any legal issues.

As well as fulfilling data protection requirements, having a privacy policy has several benefits, such as:

  • Builds trust with website users
  • Looks professional
  • Gives people peace of mind
  • Fulfils third-party requirements (if you use a third-party service such as Google Analytics)

How to write a privacy policy

If you are going to create your website’s privacy policy yourself, using a template will help to ensure you have included everything that is required.

Reading some privacy policies that similar businesses have created and displayed on their website will also help you to understand what should be included. Remember that they may have missed something out that your business needs to include, so don’t just rewrite someone else’s privacy policy.

Writing your privacy policy

These are the main sections you will need to include:

Your contact details

Within the policy, you should include your legal business name and contact details such as an address, telephone number, and email address.

Type of personal information collected

You should list the types of personal information that you collect, such as name, IP address, address, DOB, contact info, etc. The types of information you collect will usually depend on the type of business you are in.

How you get the information and why you have it

You should clearly explain how you gather visitors’ information (for example, through forms, cookies or analytics tools), why you use it, and the lawful basis you rely on for each purpose. If you share it with third parties, say who they are.

How personal information is stored

If you are storing any personal information, you need to provide details about how you store it, how long you keep it, and what security measures you use to protect it.

Data protection rights

The policy should also explain visitors’ data protection rights, with instructions on how they can opt out of having their information collected or shared. You should also explain how they can unsubscribe from your mailing list.

How to complain

List your complaints process, such as writing to your address or emailing a complaints email address. Under the GDPR you must also tell people that they can complain to the Information Commissioner’s Office (ICO) if they are unhappy with how you handle their data, and if you are in a regulated industry, include details of the complaints process your regulator has in place for complainants who are not satisfied with your response.

These are the key elements to include within your privacy policy but the content should be tailored to your business and the ways that you use data. Some businesses might not collect much data and therefore their privacy policy can be quite basic, while other companies might be collecting, using, and sharing lots of data and require a more comprehensive privacy policy.

Additional support for creating a privacy policy

Many small businesses appoint a person to have the main responsibility for data protection management. You should make sure that this person receives the latest data protection training to ensure that they have the knowledge they need to keep your business compliant.

Bob’s Business offers several online GDPR courses that cover the key aspects of data protection responsibilities and guidance on processes such as creating a privacy policy.

Find out more about Bob’s Business data protection courses.

GDPR for small businesses: The ultimate guide

As web technology has evolved, we’ve enjoyed the many benefits of a fully connected world. However, we can’t deny that there have been negatives, many of which relate to the ways our data is handled.

One of the main concerns of using digital tools and websites is data protection, with countless of our most commonly used web services collecting personal information from customers and website visitors.

It’s this reality which encouraged regulators to take a fresh look at data protection regulations. The Data Protection Act 1998 was deemed to be no longer fit for purpose due to how technology solutions had changed, with new data protection risks emerging, including the transfer of data outside of the EU.

To ensure EU residents are adequately protected, an EU law called the GDPR (General Data Protection Regulation) came into force on 25 May 2018. The UK’s Data Protection Act 2018 was passed alongside it, and since Brexit the UK GDPR (the version of the regulation retained in UK law, in effect from 1 January 2021) applies in the UK together with the DPA 2018.

Here’s what you need to know:

The seven principles of the GDPR

To comply with the GDPR, many businesses (including small businesses) have had to make a number of changes to how they handle data. The GDPR rules are based around a set of principles.

The 7 GDPR principles are:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

What are the types of data outlined in the GDPR?

The types of data that are protected under the GDPR are outlined under the regulation.

Personal data includes the following:

  • Name
  • Address
  • Email address
  • ID card number
  • Location data
  • IP address

There is also a category of special category (sensitive) personal data, which needs extra protection and includes information about:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (where processed to uniquely identify someone)
  • Health
  • Sex life or sexual orientation

How does GDPR affect small businesses?

As a business, you must have a valid lawful basis if you process personal data. The six lawful bases are:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

To stay compliant with the GDPR your business may need to take a number of actions, for example putting appropriate technical security measures in place to protect the data you hold, or changing online forms to state how the data is used and on what lawful basis.

Individuals have the right to access the personal data you hold about them, and in many cases the right to object to the way you use it (always, where it is used for direct marketing). You need processes that let people exercise these rights, for example allowing them to easily unsubscribe from your mailing list and responding to access requests within the statutory one month.

Struggling with GDPR jargon? Check out our GDPR jargon buster!

The risk of data breaches

Data breaches can affect businesses of any size, not just large businesses. When a business is found to not have the appropriate data protection measures in place and they have a data breach, they are liable to heavy fines. The maximum fine under the UK GDPR is £17.5 million or 4% of the organisation’s annual global turnover, whichever is greater.

It’s more than an idle threat, too. Just ask Google, who found themselves slapped with a record fine in 2019.

Small businesses are often targeted by hackers, as there is a chance that their security measures are weaker, due to having a smaller budget than the bigger companies. However, the cost of a breach can have huge financial implications as well as causing massive reputational damage, so small businesses should be investing in their data security processes.

How businesses can protect themselves

Hiring a GDPR consultant to come and assess the business processes is a good way of getting expert advice but it is also important that employees have a strong knowledge of GDPR and the requirements for compliance.

Bob’s Business provides an extensive package of online training including GDPR compliance, from basics through to more in-depth modules on subjects such as Consent and other key aspects of complying with GDPR.

Take a look at our GDPR training that can quickly get your workforce up to speed with the information that they need to be aware of to stay compliant.

How to stay safe online

The internet has become a foundational element of our daily lives. From work lives which increasingly demand constant internet access to leisure time which leans on streaming, browsing and gaming, living online is more common than ever.

However, it’s not without risk.

A report by CNBC found that 43% of cyberattacks target small businesses, which attackers see as more vulnerable because of weaker security measures and less IT security knowledge within the company.

Online threats come in a wide variety of formats, and it is becoming increasingly difficult to identify the threats, as cybercriminals invent more sophisticated attacks to outsmart security software and unsuspecting employees.

That’s why we’ve put together this essential guide to staying safe online with simple, actionable and effective tips. Let’s get started.

Our top tips for staying safe online

Protect your emails by using a strong and separate password

Your email account should have a strong password that is not easy to guess, but is easy to remember.

Avoid using personal information such as your name, birthday or username. The longer the password, the stronger it is, and you can include numbers, symbols, uppercase and lowercase letters. The simplest method is to pick three unique, unconnected words and combine them with characters and numbers, like “Fan5Field3Shock!”. It’s easy to remember and far harder to crack than a short password built from a single word with predictable substitutions, provided the words are genuinely random rather than personal to you.

It’s also important to have unique passwords for different logins. That way, if one account is compromised, you aren’t susceptible to a chain reaction of breaches that expose your online presence.

Want to know the worlds most commonly used passwords? Click here.

Install the latest software and app updates

Software developers work tirelessly to patch security holes in their products, so don’t let their efforts go to waste: make sure that apps and web plugins are always up to date.

Additionally, install effective security software such as antivirus protection, firewalls and network security. They won’t stop you making a mistake, but they can sometimes offer a layer of protection against known malware.

Turn on two-factor authentication

Two-factor authentication (2FA) protects your accounts from unauthorised access by requiring a second proof of identity in addition to your username and password.

This often takes the form of a code texted to your phone, or sent to your email address, that confirms you are who you say you are. It’s a quick, simple and effective way to help protect your accounts, even if your password is compromised. Where a service offers it, a code from an authenticator app or a hardware security key is stronger than a code sent by text or email, which can be intercepted or redirected.

Use a password manager

Using a free or paid-for password manager is one of the safest ways to manage multiple passwords and make sure you do not end up locked out of an account because you forgot a password.

The problem with having a unique password for each service you use (and you definitely should have a unique password for each) is that it quickly means remembering hundreds of passwords.

That’s why you should be using a dedicated password manager: not only do these tools remember all your passwords for you, they can also suggest a strong, random password automatically on new websites.

Secure smartphones and tablets with a screen lock

Smartphones and tablets are convenient to carry around, but they are also more likely to get lost or stolen than larger devices. It is therefore imperative that you use a screen lock on smartphones and tablets to prevent other people from accessing the apps and data on the device.

If you have Apple Pay or a similar smartphone payment app that you use, a screen lock can stop people from using it before you have a chance to contact the bank to cancel the card it is linked to.

Always backup your most important data

If you lose a device or it gets damaged, backups ensure that you don’t lose all of your data.

There are lots of different ways to do this, depending on how much data you are backing up and how often you want to back it up. For example, you can plug in an external hard drive and back up your data there, or you can use cloud storage. Whichever you choose, keep at least one copy out of reach of the device it protects (an unplugged drive, or cloud storage the device cannot overwrite), because ransomware that encrypts your files will also encrypt any backup it can reach, and check from time to time that you can actually restore from it.

Stay up to date with online security training

Regularly training yourself and your team on online security can ensure that you’re all aware of the latest cyber threats and understand the actions and measures that you can take to stay protected.

Bob’s Compliance from Bob’s Business gives you and your team full access to our 50+ strong catalogue of cybersecurity and compliance eLearning courses, including Web Woes, from just £1.39 per month. Learn more here.

The essential guide to securing your premises

As a business owner, protecting your assets is one of your top priorities. After you have spent years developing your business, just one preventable incident could cause huge problems. Therefore, it is important to have comprehensive security measures in place, for both physical and digital security.

In this guide, we’ll cover the essential security measures your organisation needs to deploy to protect your business. Let’s get started.

The five steps to secure your premises

1) Appoint a person with the responsibility for security

One person must have overall accountability and authority to make decisions regarding security, so choose the most suitable person for the job. For larger businesses, you may want to employ a person specifically for this role but for smaller businesses, the responsibilities will usually be in addition to their current job role.

2) Assess your risks

The first task in establishing the relevant security measures is to assess the main risks, such as weak points that could allow a break-in to your premises. The accountable person should perform the assessment and record all of the potential risks that could result in damage or loss to your business.

The main areas to focus on are:

Physical security

This involves inspecting the security of windows, doors, and any other physical weaknesses where someone could break into the property. You should inspect the types of locks that you have in place and decide whether you need to upgrade them to the highest level of security, for example, installing anti-snap locks on doors.

Electronic security

You should also review your existing electronic security, such as your alarm and CCTV. If you do not have the latest technology of these solutions, now could be the right time to invest in better electronic security. The quality of CCTV systems available now compared to ten years ago has vastly improved, incorporating sophisticated features to deter potential thieves and trespassers.

3) Prevent IT theft

Protecting your IT systems is also hugely important and is a legal requirement if you collect any customer data. You must comply with the relevant data protection laws depending on how you use and transfer data. To ensure that you are preventing IT theft you should have a robust IT security framework including a firewall, encryption software, and other appropriate security software.

In addition, you need to make sure that your IT equipment is protected from theft. If a laptop is stolen from your premises, for example, it could result in a data loss incident as well as the loss of valuable equipment. Secure storage for IT equipment, password-protected accounts and full-disk encryption on laptops (so that the data on a stolen machine cannot simply be read by removing the drive) are therefore essential.

4) Consider the threat of arson

Arson and vandalism are also problems that businesses have to consider, as the number of these incidents is increasing, with deliberate fires accounting for over 50% of all attended fires. Vandals and arsonists often target business premises when they are unoccupied, causing considerable damage and threatening lives.

A high-quality CCTV system can help to deter arsonists and vandals but there are other actions you can take to protect your business. For example, making sure there are no combustible materials left outside and there is no accumulation of waste or rubbish.

5) Train your employees

Another important step in protecting your premises is to ensure that your employees have adequate training in the key areas including data protection, IT security, and protecting the premises. If you have delegated responsibility to an employee for the security of your premises, they would benefit from the Protected Premises course available from Bob’s Business.

Get in touch with our team today and start reducing your risk within hours.

What you need to know about diversity and inclusion in the workplace

Diversity and inclusion are vital in all areas of life and in the workplace they are crucial for a diverse set of people to work together cohesively.

Having good quality diversity and inclusion policies in place, as well as providing comprehensive training on these topics can help workplaces to improve their diversity and inclusion.

What are the benefits of diversity and inclusion in the workplace?

There are many benefits to businesses by having a diverse and inclusive workplace, including:

  • Greater levels of engagement, with more people feeling involved, respected and treated fairly. Employees that feel engaged with their workplace work harder and companies with high levels of employee engagement usually have lower rates of absences, which delivers significant cost savings for the company.
  • Teams work more productively with a broader range of perspectives and there is more chance of generating fresh ideas. Where you have a mix of ages, genders, ethnicities and educational backgrounds, there are more varied inputs coming from life experiences.
  • Studies show that companies with more gender and racial diversity perform better than their competitors; diverse and inclusive companies generally return higher profits.
  • There is a bigger talent pool to recruit from, so you are more likely to find high calibre candidates for roles. People want to work in diverse and inclusive cultures and if your company has a good reputation for D&I, this gives you more appeal to work for than other companies.
  • Employees working in inclusive teams are happier to stay working for the company, saving the expense of recruiting and training new staff as replacements.

What is the difference between inclusion and diversity?

The words diversity and inclusion are often used together in the same term but the meaning of each is quite different.

Diversity in the workplace refers to having employees of different races, genders, sexual orientations, religions and classes, and with different political beliefs.

Inclusion is used to describe how much people feel valued and involved and whether they feel fairly treated by their employers and peers.

Getting an even balance of diversity and inclusion is essential for companies, as having one without the other can have disastrous effects. Diversity without inclusion can result in a culture where people do not feel part of the company, and inclusion without diversity will limit innovation and new ideas from developing.

Evaluating your executive team

When you are looking at ways to build a more diverse and inclusive workplace, you should start from the top. The executive team is the most visible team in the organisation and if there is a lack of diversity and inclusion, this makes a big statement about your company’s recruitment and promotion approach.

As well as having visible diversity in your executive team, you should also consider whether leaders are demonstrating inclusion. If your leaders are not driving inclusion by example, they would benefit from attending a training course to help them to understand the changes they need to make.

How to create a more diverse and inclusive culture

Start with recruitment

Recruitment processes should include assessing whether job applicants are going to contribute towards improving diversity and inclusion. Training courses that help people to understand diversity and inclusion better should be provided to all employees, not just the executive team.

Another way to help embed a culture of diversity and inclusion is to acknowledge and honour multiple religions and cultural practices. This might involve celebrating the festivals of different faiths and holding themed events that celebrate a range of different cultures.

You can also incorporate inclusivity into your core values to show that it is an important part of the way your business operates. If you have an employee survey, include questions related to whether they feel that the workplace is diverse and inclusive and request feedback that can be used to make improvements.

Listening to feedback from employees is the best way to get a true reflection of what the culture of your business actually feels like from employees’ perspectives.

Utilise inclusive language

Another way to help to make your workplace more inclusive is by using inclusive language, for example, using “spouse” and “partner” as opposed to “husband” and “wife”. If you have an internal communications team, they should be ensuring that the language used in their communications is inclusive.

Managers should be flexible to accommodate religious practices such as prayer times, or a change of working hours to help people who are fasting for religious reasons to get enough sleep after staying up late to break their fast, for example.

The HR department should also strengthen anti-discriminatory policies and help to ensure that the policies are adhered to.

Deploy training

Educating all employees about diversity and inclusion is one of the most significant actions that will make a difference. Bob’s Business offers a Celebrating Difference course that enables learners to develop a better understanding of the key principles of diversity and inclusion in the workplace.

The training also uses creative storytelling scenarios which are more engaging and thought-provoking for learners, compared to some of the more traditional and mundane training material used by other training companies.

Ready to get started? Discover Bob’s Business’ range of training solutions here.

The good, the bad and the ugly of cybersecurity statistics (2021 edition)

At Bob’s Business, we’re at the very forefront of organisational cybersecurity training and simulated phishing training. Making training entertaining, engaging and effective is what we do.

In order to make training truly effective, however, we need to understand the cybersecurity habits, behaviours and assumptions that underpin behaviours across organisations.

It’s why we created the Human Vulnerability Assessment, our unique organisational benchmarking tool which we deploy to Bob’s Culture clients to help deliver truly tailored training and demonstrate organisational improvement.

Now, we’re ready to reveal some of the statistics we’ve gleaned from over six months of HVA deployments, statistics that reveal the good, the bad and the ugly of cybersecurity in 2021.

The Good

97% of recipients believe that everyone in their organisation has a role to play in cybersecurity.

77% did not feel that they could be complacent with regard to cybersecurity due to their organisation’s automated defences.

71% consider it possible for their organisation to fall victim to a cyberattack.

The Bad

24% of recipients answered that they occasionally download files and media without verifying their authenticity. That means that around one in four employees were at risk of accidentally downloading malware, which can have severe consequences for an organisation.

11% of recipients said that they share work passwords with their colleagues at least occasionally. Sharing passwords like this leads to less secure accounts and may result in data breaches.

45% of those questioned did not describe themselves as at all suspicious of incoming emails.

The Ugly

65% of recipients admitted to reusing passwords on multiple sites. This means that a data breach on one external site may lead to multiple compromised accounts.

16% admit to clicking links in emails from unverified sources. Our simulations suggest the true figure is higher: while any single phishing simulation typically achieves a click rate of around 16%, the proportion of recipients who click on at least one template over the course of a campaign is larger than that.

Only 46% of recipients claimed always to follow their company’s cybersecurity policies. More troubling still was that 14% claimed not to know the policies at all.

The methodology

The HVA questionnaire was sent to users at 25 organisations. In total 4,937 users completed the test. As questions were added to the HVA or changed over time, the sample for specific questions varies. The results for all organisations were collated. Key demographic statistics were then drawn from questions of interest.
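To show why a single simulation’s click rate understates exposure, here is an added example (not part of the HVA or the original article) that computes per-template and whole-campaign click rates from a constructed phishing-simulation export, together with the independence model behind the claim above: if each simulation catches a fraction p of recipients independently, the share caught at least once after n simulations is 1 - (1 - p)^n. The recipients, template names and function names are all constructed for the example.

```python
"""Added example: per-template versus whole-campaign click rates for a phishing simulation."""
from collections import defaultdict

# Constructed export from a three-template campaign: (recipient, template, clicked).
CAMPAIGN = [
    ("alice", "invoice", True),  ("alice", "password-reset", False), ("alice", "parcel", False),
    ("bob",   "invoice", False), ("bob",   "password-reset", True),  ("bob",   "parcel", False),
    ("carol", "invoice", False), ("carol", "password-reset", False), ("carol", "parcel", True),
    ("dave",  "invoice", False), ("dave",  "password-reset", False), ("dave",  "parcel", False),
    ("erin",  "invoice", True),  ("erin",  "password-reset", True),  ("erin",  "parcel", False),
    ("frank", "invoice", False), ("frank", "password-reset", False), ("frank", "parcel", False),
]


def per_template_click_rates(events):
    """Click rate of each template on its own: clicks / messages sent for that template."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for _, template, did_click in events:
        sent[template] += 1
        clicked[template] += int(did_click)
    return {template: clicked[template] / sent[template] for template in sent}


def campaign_click_rate(events):
    """Share of recipients who clicked at least one template during the campaign."""
    recipients = {user for user, _, _ in events}
    clickers = {user for user, _, did_click in events if did_click}
    return len(clickers) / len(recipients)


def expected_cumulative_rate(per_simulation_rate, simulations):
    """Independence model: if each simulation catches a fraction p of recipients,
    the share caught at least once after n simulations is 1 - (1 - p) ** n."""
    return 1 - (1 - per_simulation_rate) ** simulations


if __name__ == "__main__":
    for template, rate in sorted(per_template_click_rates(CAMPAIGN).items()):
        print(f"{template:15s} {rate:.0%}")   # invoice 33%, parcel 17%, password-reset 33%
    print(f"clicked at least once: {campaign_click_rate(CAMPAIGN):.0%}")  # 67%
    for n in (1, 3, 6, 12):
        print(f"after {n:2d} simulations at 16%: {expected_cumulative_rate(0.16, n):.0%}")
```

No template in the constructed data exceeds a third, yet two thirds of the recipients clicked something, and the model gives the same shape: a steady 16% per simulation reaches roughly 65% of recipients after six templates. The model assumes independence, which real campaigns violate (the same people tend to click repeatedly), so treat it as an upper bound and report the measured at-least-once figure alongside the per-template rates.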

Why every organisation should be ISO 27001 certified

How can you give partner organisations and customers greater confidence in the way they interact with your business, and assure the reliability, security, and integrity of your systems and information? The answer: ISO 27001 certification.

ISO 27001 certification is an important standard for most organisations with an ISMS (Information Security Management System), but what is ISO 27001, and do you need it?

This article will discuss why your organisation should be ISO 27001 certified and answer all your questions.

What is ISO 27001?

ISO 27001 is the internationally recognised specification for implementing an ISMS (Information Security Management System). It delivers a framework to establish, operate, monitor, review and maintain an ISMS.

ISO 27001 is the most comprehensive and respected standard of its kind, published by the International Organisation for Standardisation (ISO), in partnership with the International Electrotechnical Commission (IEC). It is one part of a wider series of standards (the ISO/IEC 27000 series) that covers information security.

What are the requirements of ISO 27001 training?

You could jump straight into ISO 27001 training without any primer, but you’ll get much more from it if you familiarise yourself with the standard first.

As such, we recommend your team take our ISO 27001 course, where they will learn the principles of ISO 27001, why it’s important, how everyone can improve information security in your organisation, and how to react to noncompliance in your organisation.

Deploying cybersecurity awareness training to your team is the next step. Demonstrating that your team have completed cybersecurity awareness training is a required element to achieve the standard. Whether it’s Bob’s Culture or Bob’s Compliance, our products help you do just that.

You may be wondering where cybersecurity comes into all this, and the answer is simple – ISO 27001 is an information security framework and cybersecurity forms part of this. As the world becomes more dependent on technology, cyber will take an increasing role in how we establish, operate, monitor, review and maintain our ISMS.

In terms of specific requirements for ISO 27001 training, this depends on the type of course you take, and the needs of your organisation.

What are the benefits of ISO 27001 certification?

There are several benefits to ISO 27001 certification:

  • Increased partner and customer confidence in your organisation
  • Retain customers and win new business
  • Prevent loss of reputation over compliance concerns
  • Avoid hefty fines over non-compliance
  • Avoid wasted investment in the wrong security standards
  • Comply with other regulations, such as SOX
  • Plug gaps and loopholes in your information security
  • Improve risk management
  • Demonstrate a clear commitment to information security
  • Build a culture of security within your organisation
  • Establish, operate, monitor, review and maintain an ISMS to the highest standards

Due to this wide range of benefits, you should look beyond ISO 27001 as a compliance tool and see it as a way to achieve several business benefits. It can deliver value in several ways, making it a worthwhile investment for many organisations.

What types of organisations benefit from ISO 27001 certification?

While many organisations have some form of information security standards in place, ISO 27001 is a comprehensive framework for information security, delivering compliance, and assurance, across all areas of an ISMS.

Because of this, ISO 27001 certification can benefit any organisations that are directly or indirectly involved in information security — and especially those that handle sensitive data.

Examples include:

  • Government agencies – including national and local government departments
  • IT companies – including software developers, cloud computing companies, IT support companies
  • Financial companies – including banks, lenders, brokerage houses, insurers, wealth management firms
  • Telecoms companies – including internet service providers, mobile networks, satellite companies
  • Technology companies – including software companies, hardware companies, biotech companies, renewable energy companies

Another important thing to remember is that public and private organisations can define compliance with ISO 27001 as a legal requirement in their contracts.

This means you may need ISO 27001 certification to be a partner, customer or supplier to some organisations, a point that is most relevant to highly-regulated industries like finance, where ISO 27001 is considered an industry standard.

What next?

If you’ve made it this far, then there’s a good chance you believe your organisation would benefit from ISO 27001 certification.

The next step is to discuss this with ISO certification experts, who will help you work out once and for all whether it’s right for your organisation.

In any case, it’s important to implement effective information security education and awareness across your organisation, and our cybersecurity awareness training is the perfect way to get started.

Your GDPR jargon buster

Let’s face it, GDPR legislation isn’t an easy read. Scrap that – it’s a slog. It’s so vast, in fact, that you can spend hours reading it and not understand very much at all.

The good news, however, is that it gets significantly easier once you understand what the jargon means and how it all links together.

To help out, we’ve put together this helpful GDPR jargon buster which you can use as a primer before undergoing GDPR training and diving into the intricacies of the legislation. It’s a 5-minute read that’ll save you hours of time.

Let’s get to it…

What is a Data Protection Officer?

A Data Protection Officer is an expert in data protection law. Their role is to ensure an organisation processes personal data in compliance with the GDPR.

It is a legally required appointment where the processing in question involves regular and systematic monitoring of data subjects on a large scale, or where the processing is of special categories of data on a large scale (the threshold is 5,000 persons).

What is a Subject Access Request?

A Subject Access Request (SAR) is a request for access to personal data. This is the correct legal mechanism under the GDPR for accessing and receiving a copy of personal data as well as other supplementary information held on file.

An individual can make a SAR themselves or have a legal representative do it in writing, verbally, or even on social media. As the ICO says, “a request is valid if it is clear that the individual is asking for their own personal data. An individual does not need to use specific words, refer to legislation or direct the request to a specific contact.”

What is a Data Subject?

A Data Subject is any person with a data file who can be identified directly or indirectly via an identifier from the data collected about them.

Examples of personal identifiers include name and passport number. Identifiers also include physical, physiological, genetic, mental, economic, cultural and social identifiers, such as religion and race.

What is a Data Controller?

A Data Controller is an entity (company, individual, or other body) that controls the means and purpose of processing data. They are the decision-makers with regard to processing. In other words, they instruct the processor.

What is a Data Processor?

A Data Processor is an entity (company, individual, or other body) that processes data on behalf of a Data Controller. They only work on the instructions of the Data Controller. They serve the controller’s interests rather than their own.

What is Profiling?

In the GDPR, Profiling is defined as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person.” Organisations use profiling to predict behaviour, discover user preferences, and make decisions (such as credit decisions).

What is Pseudonymisation?

Pseudonymisation is a data processing technique that replaces certain identifiers in data sets with pseudonyms or values that cannot identify the individual, or removes them altogether. Controllers will often pseudonymise data so they can use the data beyond the purpose for which it was originally collected. This is allowed under Article 6(4)(e) of the GDPR.

The UK GDPR defines Pseudonymisation as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.”
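The definition above hinges on the phrase “without the use of additional information”: the pseudonymised data set on its own must not be attributable to a person, while the controller, holding that additional information separately, can still re-identify. The following is an added illustration, not code from the original article or from any product it mentions. It assumes a keyed (HMAC-SHA256) pseudonym so that the pseudonymised records stay linkable for analysis, and it keeps the key and the re-identification table apart from the data. The records, field names and key are constructed for the example; in a real deployment the key and lookup table would live in a separately controlled store.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Direct identifiers the pseudonymisation step strips from each record.
# Constructed for this example; a real list comes from the controller's
# record of processing activities.
DIRECT_IDENTIFIERS = ("name", "passport_number")


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic, keyed pseudonym for one identifier string.

    HMAC-SHA256 under `key` (the 'additional information'). The same person
    always gets the same pseudonym, so records remain linkable for analysis,
    but without the key a pseudonym cannot be checked against a guessed
    name or passport number, which a plain unkeyed hash would allow.
    """
    mac = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
    return "ps_" + mac[:16]


def unkeyed_hash(identifier: str) -> str:
    """Contrast case: an unkeyed hash. Anyone who can guess the identifier
    (passport numbers have little entropy) can confirm it, so this does not
    meet the 'without the use of additional information' test on its own."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:16]


def pseudonymise(records: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, Dict]]:
    """Return (pseudonymised_records, lookup_table).

    The lookup table maps pseudonym -> original identifiers and is the
    additional information the controller must hold separately from the
    pseudonymised data set (together with `key`).
    """
    pseudonymised: List[Dict] = []
    lookup: Dict[str, Dict] = {}
    for rec in records:
        composite = "|".join(str(rec[field]) for field in DIRECT_IDENTIFIERS)
        pseudo = make_pseudonym(composite, key)
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject_id"] = pseudo
        pseudonymised.append(stripped)
        lookup[pseudo] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
    return pseudonymised, lookup


def reidentify(pseudo: str, lookup: Dict[str, Dict]) -> Optional[Dict]:
    """Controller-side re-identification using the separately held table."""
    return lookup.get(pseudo)


def leaks_direct_identifiers(records: List[Dict]) -> bool:
    """Check a data set before release: True if any direct identifier remains."""
    return any(field in rec for rec in records for field in DIRECT_IDENTIFIERS)


# Constructed sample records (fictitious people and passport numbers).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "passport_number": "X0000001", "department": "Finance", "training_score": 82},
    {"name": "Bob Example", "passport_number": "X0000002", "department": "IT", "training_score": 91},
    {"name": "Alice Example", "passport_number": "X0000001", "department": "Finance", "training_score": 88},
]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated per deployment, stored apart from the data
    data, table = pseudonymise(SAMPLE_RECORDS, key)
    for row in data:
        print(row)
    print("direct identifiers left in data set:", leaks_direct_identifiers(data))
    print("re-identified first row:", reidentify(data[0]["subject_id"], table))
```

Two properties are worth checking in your own pipeline: the two records for the same person receive the same `subject_id` (linkability survives), and the released rows contain no `name` or `passport_number` field. Rotating the key produces a fresh set of pseudonyms, which is useful when a data set is shared with a new recipient who should not be able to join it to an earlier release.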

What is the Data Protection Act?

The Data Protection Act 2018 is UK legislation that sets out the framework for the UK GDPR, a modified version of the EU GDPR with derogations and other provisions.

Put simply, the Data Protection Act 2018 is the UK’s implementation of the EU’s General Data Protection Regulation, which is why you will see the phrase “UK GDPR” used a lot in reference to legislation that applies in the United Kingdom.

Find out more

Our NCSC-certified GDPR training courses are the perfect way for everyone in your organisation to learn more about the GDPR. We can help you get to grips with the GDPR and ensure compliance across your organisation.