Archive for category: GDPR

Eliminate the insider threat.

In our rapidly evolving technology landscape, the insider threat is a growing problem. Collaboration tools, cloud and mobile computing have significantly increased the risks faced by organisations. A report by Cybersecurity Insiders and CA Technologies recently stated that ninety percent of organisations feel vulnerable to insider attacks.

Not all insider threats are malicious, though. Accidental data breaches caused by careless employees or negligence account for more than 50% of all data loss incidents from inside the network. Organisations storing or accessing confidential data must take action to reduce the risks of losing data from within the confines of company systems.

So, what can you as a business leader do to protect your most important information? The short answer is you need to take a holistic approach to information security. The soon-to-be-implemented GDPR will force organisations to get their data protection house in order, presenting opportunities to do better business.

We are gearing up to attend Scotland’s largest Cyber Security event, ScotSecure at Edinburgh’s Dynamic Earth next week. Two of Scotland’s security software powerhouses, Zonefox and My1Login will be joining us as we aim to help business leaders protect their networks from the inside and the outside.

About Zonefox and My1Login
In case you have been out of the country with no access to the Internet for the past few years, Zonefox and My1login are two of Scotland’s leading lights in the cybersecurity software space.

Protect your network with Zonefox

Zonefox has developed award-winning insider threat protection software that provides a 360-degree view of your network by monitoring every endpoint and every user 24/7. So, whether your employees are working remotely or third parties are accessing and sharing information they shouldn’t be, you will know about it.

Zonefox’s Augmented Intelligence automatically detects when a user’s behaviour changes, and it can quickly spot when compromised user accounts are being used to harvest valuable IP and confidential data.

With Zonefox, network administrators have access to detailed forensics, enabling them to answer critical questions about an incident: Where did the incident take place? Who was the perpetrator? What did they take? Where did the data go?

Having answers to these questions not only helps find a quick resolution to data loss incidents, but it also helps organisations comply with data breach notifications – a significant element of GDPR obligations.

Protect your applications with My1Login

Glasgow-based My1Login is a European leader in Identity and Access Management (IAM) and Single Sign-On (SSO) solutions.

The security software provider has won multiple awards, including Identity and Access Management Solution of the Year at the recent Computing Security Awards. They are also an approved UK Government Supplier through G-Cloud 9.

My1Login is the UK’s most secure and most widely-compatible IAM solution that enables organisations to mitigate password-related cyber-security risks, strengthen identity assurance and meet critical compliance obligations such as GDPR. Its Single Sign-On solution integrates with all app types – web apps, mobile apps, flash apps, virtualised apps, and even legacy, thick-client apps and mainframes. Passwords can be updated automatically without revealing credentials, and the IT department can provision new users and manage My1Login via Active Directory (AD), simplifying user management at a stroke.

My1Login SSO also integrates with multi-factor authentication services, further securing employees’ access to corporate applications.

Heading to Scot-secure 2018?

If you are planning to visit Scot-secure 2018 next week, come over and chat with us about a comprehensive approach to network protection. The lovely folks from Zonefox and My1Login will happily take you through a demo of their innovative products.

GDPR – Four small letters. One massive impact.

What is the GDPR?

The EU General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998 (the 1998 Act) when it comes into effect on May 25th this year.  The GDPR has been designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy.

Consideration has been given to new technologies, business processes and data usage that have become part of the digital economy in recent years.

Principles of the GDPR

Under the GDPR, the data protection principles set out the primary responsibilities for organisations. Personal data must be:

“processed lawfully, fairly and in a transparent manner in relation to individuals.”

“collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”

“adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”

“accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.”

“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”

“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Lawful basis for processing under the GDPR

Although not new, the lawful basis for processing under the GDPR places more emphasis on accountability and transparency relating to how your organisation processes data.

The six lawful bases are similar to the old conditions for processing, although there are some differences – the ICO website contains more information on lawful processing.

Individual rights

The GDPR provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right of rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights related to automated decision making and profiling

You can read more about individuals rights on the ICO website.

Time to report a data breach

Under the 1998 Act, organisations have one month to report a data breach, but once GDPR is enforceable, this period will reduce dramatically. Once a data breach has been detected, organisations will have 72 hours to investigate the violation, let the regulator know what’s happened, figure out whether personally identifiable information (PII) has been compromised and have a plan to manage the threat.

Unless there are technical controls and a robust information security policy in place to mitigate the threat of a data breach, many organisations will struggle to meet these demands.

Data Protection Officer

In some circumstances, organisations must appoint a Data Protection Officer (DPO). You must appoint a DPO if you:

  • are a public authority (except courts acting in a judicial capacity)
  • carry out large-scale systematic monitoring of individuals (e.g. behaviour tracking)
  • carry out large-scale processing of special categories of data or data relating to criminal convictions or offences – at this time, there is no numerical definition of “large-scale processing.”

You may appoint a data protection officer to act for a group of companies or a group of public authorities – depending upon size and data processing requirements.

Any organisation can appoint a DPO. Our Technical Director, Neil Douglas is a qualified GDPR Data Protection Officer and is always free to chat regarding your DPO or GDPR requirements.


The maximum penalty for suffering a severe data breach under the Data Protection Act 1998 is £500,000. Mobile telecoms company TalkTalk received a £400,000 fine for failing to prevent a serious data breach back in 2015.

Penalties under the GDPR are far more severe. A maximum fine of €20 million or 4% of global annual turnover for the most severe data breaches is on the cards. However, we don’t expect the Information Commissioner’s Office (ICO), the UK’s governing body, to impose the maximum fine, as it hasn’t done so under the existing regulations – that’s not to say they won’t impose sizeable penalties.

7 Important GDPR Data Privacy Changes to be Aware of

May 25th, 2018 will herald the start of a new age in data privacy when the General Data Protection Regulation (GDPR) is introduced. The GDPR is a new piece of legislation designed to protect the data privacy of EU citizens. It will replace the Data Protection Act 1998 (DPA) in the UK when it becomes law next year.

A lot has changed since 1998, desktop computers and laptops have become mainstream. Mobile devices, email marketing, cloud computing and a vast array of connected devices have also transformed our lives. The GDPR aims to protect individuals’ data in the digital age.

You are probably familiar with the principles of the DPA and may be wondering what will change when the GDPR comes into force. In this article, we will highlight some of the changes to help you make the best data privacy decisions for your business.

Brexit and the GDPR

Although Britain voted to leave the EU, UK-based organisations need to comply with the GDPR when it becomes enforceable in 2018. Also, many UK organisations process EU citizens’ data and will continue to do so after the UK is expected to officially leave in 2019.

1. Enforcement

DPA – Enforced by the Information Commissioner’s Office (ICO).
GDPR – A Supervisory Authority (SA) will monitor and enforce the GDPR in the UK. Similar SAs will be responsible for monitoring and reporting in other EU countries.

2. Reach

DPA – Applies only in the UK.
GDPR – Applies to the whole of the EU and any company (globally) that holds data belonging to EU citizens.

3. Penalties

DPA – Failure to comply with the DPA can result in fines of up to £500,000 or 1% of annual turnover.
GDPR – Penalties for non-compliance with GDPR regulations are expected to reach €20 million or 4% of global turnover – a significant increase.

4. The right to be forgotten

DPA – There is currently no legal requirement for companies to remove the data they hold on an individual.
GDPR – Individuals can exercise their ‘right to be forgotten’ which involves permanently deleting all personal data from company systems.

5. Data Protection Officers (DPO)

DPA – There is currently no obligation for a company to employ a dedicated DPO.
GDPR – Organisations employing 250 employees or more must appoint a Data Protection Officer.

6. Opting in

DPA – Under the current legislation, businesses do not require an opt-in when collecting data.
GDPR – Consent underpins the new regulations. When collecting data, the reasons for collecting personal data and its uses must be outlined at the point of collection and in the company Privacy Policy.

7. Reporting a data breach

DPA – Under the current regulations, there is no legal obligation for a data controller to report a breach to the ICO or to individuals whose information has been lost or stolen.
GDPR – Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly. Organisations are also obliged to report a data breach to the relevant supervisory authority (ICO) within 72 hours of becoming aware of it.


The points above are not exhaustive; they illustrate some of the key differences between the current legislation and the GDPR.

The GDPR is extensive and will require lots of preparation. We recommend you start planning your GDPR journey now to ensure your organisation achieves compliance.

We are ready to assist with information and technology protection requirements your business may have to ensure complete compliance when the GDPR becomes law next year.

For more information on data privacy reform and the GDPR, visit the ICO website.

What is Cyber Essentials?

Cyber Essentials (CE) is a Government-backed initiative designed to protect small and medium-sized businesses from the threat of cyber-attacks and online data breaches. Cyber Essentials certified companies can display a badge on their website and sales literature to reassure clients and suppliers that they have the correct processes in place to protect their business against common internet-based cyber-attacks.

  • Cyber Essentials – an independently verified self-assessment. Organisations assess themselves against five basic security controls, and a qualified assessor verifies the information provided.
  • Cyber Essentials PLUS – a higher level of assurance. A qualified and independent assessor examines the same five controls, testing that they work in practice by simulating basic hacking and phishing attacks.

Why do I need Cyber Essentials?

Cyber crime is a growth industry. A report carried out by The Federation of Small Businesses states that two-thirds (66%) of small businesses fell victim to cyber-crime between 2014 and 2016. The same report estimates SMEs were attacked four times each on average, costing small business owners. A BBC report in 2016 highlighted the changing trends in crime as cases of online fraud rose, while traditional crimes such as burglary and vehicle theft fell substantially.

Protect your business against common cyber attacks

Companies have an obligation to protect personal and sensitive data. Existing regulations are already in place: PCI DSS compliance for firms that manage payment card transactions, and the Data Protection Act 1998 (DPA 1998) for firms handling personal information of any type. Organisations will soon have to comply with GDPR, a replacement for the DPA 1998. Cyber Essentials helps you meet your data protection obligations.

Increase your competitive advantage

Cyber Essentials certification gives your organisation a significant edge over non-CE certified competitors. Information management is a big deal, and it’s important to reassure customers your organisation has the controls, procedures and processes in place to protect their personal data. Adding ‘secure’ to your brand proposition increases trust among peer groups and stakeholders alike.

Help to avoid hefty fines

The Information Commissioner’s Office (ICO) enforces data protection legislation in the UK and awards substantial fines to companies that experience significant data breaches. Once GDPR rules come into effect in May 2018, fines are expected to soar, with a maximum penalty of €20 million or 4% of global annual turnover for the preceding financial year – whichever is greater.

CE certified businesses can bid for Government contracts

Public sector contracts can be a lucrative source of income for small and medium-sized businesses, helping secure long-term jobs for many communities. Since October 2014, businesses handling personal information must be Cyber Essentials certified to bid for public sector contracts.

Ready to become Cyber Essentials certified?

Call us on 0131 510 3456 if you would like Network ROI to help your business become Cyber Essentials certified. Alternatively, you can find out more by visiting our Cyber Essentials page.

How to create a secure password

Why You Need a Strong Password

Whether you’re logging into Office 365 at work or signing into Amazon, Netflix or Facebook, passwords are an essential part of daily life. In this guide, we’re going to show you how to create a strong password.

Passwords exist to protect valuable information stored on personal and company devices. Passwords also protect the computer systems of companies you do business with from the attention of organised criminal gangs who wish to profit from your valuable data.

Data. Your most valuable commodity

Recently, data such as user credentials, bank details, personal addresses and passwords have become a precious commodity to online fraudsters looking to profit from the trusting nature of honest, hard-working people.

The number of logins we now have to deal with every day also means we’re more likely to re-use the same password for multiple sites; a dangerous tactic that potentially lets criminals penetrate multiple sources of information at once.

Recent hacking incidents aimed at high-profile companies such as Sony, Apple and TalkTalk have highlighted a very real need for businesses to take online security much more seriously. The companies mentioned, as well as many small, less well-known enterprises, are counting the cost in lost profits, reputational damage and loss of consumer trust.

Three Common Tactics Used by Hackers

Brute Force Attack

A brute force attack is a method of breaking into a computer network based on trial and error: it tries every possible combination of characters for your password, using hundreds of thousands or even millions of attempts. Brute force attacks are time-consuming and easily preventable with account lockout policies, similar to the ones implemented by Network ROI.

Dictionary Attack

A dictionary attack is a method of breaking into a computer network based on trial and error, but unlike the brute force attack, the dictionary attack uses a list of words commonly used in passwords. Every time a dictionary attack is successful, it adds the cracked password to its own database.

Dictionary attacks guess passwords much faster than brute force because they are targeting a smaller amount of commonly used passwords. Account lockout policies provide a degree of protection against these types of attack, but won’t stop them all.

Password Spraying

Password spraying is a method of breaking into a computer network by guessing usernames and pairing each with a commonly used password. Password spraying evades lockout policies by keeping the number of attempts against any single account below the lockout threshold. Password spraying usually targets thousands of machines at once.
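The three tactics above differ in how they show up in authentication logs, and that is what a defender can act on. The following script is an added example, not Network ROI’s code: it runs a classic per-account lockout rule and a per-source “distinct accounts” rule over a constructed log. The log format, the thresholds and the log lines themselves are assumptions made for the illustration. The brute force run against one account trips the lockout; the spray, one guess per account, never does, and is only caught by counting distinct accounts per source.

```python
"""Per-account lockout versus password-spray detection over a sample auth log.

Added example, not Network ROI's code. The log format
("<timestamp> <FAIL|OK> user=<name> src=<ip>"), the thresholds and the log
lines themselves are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): six rapid failures against "alice"
# from one address, then one address trying a single guess against twelve
# different accounts, then a genuine login.
SAMPLE_LOG = """\
2018-03-05T09:00:01 FAIL user=alice src=198.51.100.7
2018-03-05T09:00:02 FAIL user=alice src=198.51.100.7
2018-03-05T09:00:03 FAIL user=alice src=198.51.100.7
2018-03-05T09:00:04 FAIL user=alice src=198.51.100.7
2018-03-05T09:00:05 FAIL user=alice src=198.51.100.7
2018-03-05T09:00:06 FAIL user=alice src=198.51.100.7
2018-03-05T09:01:00 FAIL user=bob src=203.0.113.9
2018-03-05T09:01:05 FAIL user=carol src=203.0.113.9
2018-03-05T09:01:10 FAIL user=dave src=203.0.113.9
2018-03-05T09:01:15 FAIL user=erin src=203.0.113.9
2018-03-05T09:01:20 FAIL user=frank src=203.0.113.9
2018-03-05T09:01:25 FAIL user=grace src=203.0.113.9
2018-03-05T09:01:30 FAIL user=heidi src=203.0.113.9
2018-03-05T09:01:35 FAIL user=ivan src=203.0.113.9
2018-03-05T09:01:40 FAIL user=judy src=203.0.113.9
2018-03-05T09:01:45 FAIL user=mallory src=203.0.113.9
2018-03-05T09:01:50 FAIL user=oscar src=203.0.113.9
2018-03-05T09:01:55 FAIL user=peggy src=203.0.113.9
2018-03-05T09:02:00 OK user=bob src=192.0.2.4
"""


def parse_log(text):
    """Turn log lines into (timestamp, succeeded, user, source) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, src_kv = line.split()
        events.append((datetime.fromisoformat(ts), result == "OK",
                       user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]))
    return sorted(events)


def locked_accounts(events, threshold=5, window=timedelta(minutes=30)):
    """Classic per-account lockout: `threshold` failures inside `window` lock the account."""
    recent_failures = defaultdict(list)
    locked = set()
    for ts, ok, user, _src in events:
        if ok:
            continue
        kept = [t for t in recent_failures[user] if ts - t <= window] + [ts]
        recent_failures[user] = kept
        if len(kept) >= threshold:
            locked.add(user)
    return locked


def spraying_sources(events, min_accounts=5, window=timedelta(hours=1)):
    """Flag sources whose failures hit at least `min_accounts` distinct users inside `window`.

    Lockout counts per account, so a sprayer that guesses once per account never
    trips it; counting distinct accounts per source catches that pattern instead.
    Returns {source: widest number of distinct accounts seen in one window}.
    """
    failures_by_src = defaultdict(list)
    for ts, ok, user, src in events:
        if not ok:
            failures_by_src[src].append((ts, user))
    flagged = {}
    for src, attempts in failures_by_src.items():
        widest = 0
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            widest = max(widest, len(users))
        if widest >= min_accounts:
            flagged[src] = widest
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("locked by per-account policy:", locked_accounts(evts))
    print("sources spraying accounts:", spraying_sources(evts))
```

Run as-is, the lockout rule reports only `alice`, while the spray rule reports `203.0.113.9` hitting 12 accounts; the brute-force source is not a sprayer because it only ever touched one account. In production the same two rules would be fed from the directory’s security log rather than an embedded string.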


Password Do’s and Don’ts


  • Choose something that you can easily remember without writing down.
  • Choose something that you can type quickly, reducing the chance of someone stealing your password by looking over your shoulder
  • We recommend using 15 characters, ideally a mixture of upper case and lower case letters, numbers and symbols
  • Use between two and four short, random words with spaces or symbols that join them together
  • Use a good password generator software if you find the tips above tricky
  • Use the first letter of each word from a favourite poem or song – preferably one with a long title


  • Don’t use your name, company name or something personal to you that can be found on social media such as birthday, dog name, child name etc.
  • Don’t base your password on something located close to you such as mouse, monitor, keyboard etc.
  • Never use the word password in any form. e.g. ‘Pa$$w0rd’ or ‘pa55word’
  • Don’t use a word found in the English dictionary, or a foreign one for that matter
  • Don’t use a simple keyboard sequence such as ‘qwerty’, ‘zxcvbnm’ or ’abcdefg’
  • Don’t use the name of your favourite sports team actor or musician, especially if that information can be easily found on social media
  • Never use a password based on your name, account name, username or email address
  • Don’t simply double up on a word. e.g. ‘bookbook’
  • Don’t reverse a word. e.g. ‘koob’
  • Don’t rely on adding numbers to replace letters in common words such as ‘5pac3man’ or ‘m0n1tor’
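Most of the rules in the two lists above can be enforced mechanically before a password is accepted. The checker below is an added example, not Network ROI’s code: it applies the 15-character minimum, refuses any disguised form of “password”, rejects keyboard and alphabet sequences, catches dictionary words that have been reversed, doubled or written with number-for-letter substitutions, and rejects passwords containing personal details the caller supplies. The word list and the letter-substitution table are small, constructed stand-ins; a deployment would load a full cracking dictionary.

```python
"""Password policy checker for the do's and don'ts above.

Added example, not Network ROI's code. DICTIONARY and LEET are constructed
stand-ins; a real deployment would load a full word list.
"""
import re

MIN_LENGTH = 15  # the guide's recommendation

# Constructed mini word list standing in for a real dictionary (assumption).
DICTIONARY = {"password", "spaceman", "monitor", "keyboard", "mouse",
              "book", "welcome", "summer", "dragon", "football"}

# Runs of four or more characters from these rows count as a sequence.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "abcdefghijklmnopqrstuvwxyz", "0123456789"]

# Common number/symbol-for-letter substitutions, undone before dictionary checks.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def normalise(pw):
    """Lower-case and undo substitutions, so '5pac3man' becomes 'spaceman'."""
    return pw.lower().translate(LEET)


def has_keyboard_sequence(pw, run=4):
    """True if the password contains a forward or reversed keyboard/alphabet run."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in low or seg[::-1] in low:
                return True
    return False


def check_password(pw, personal=()):
    """Return the list of rules the password breaks; an empty list means it passes.

    `personal` is an iterable of strings the user should not build on
    (name, username, company, pet name, ...).
    """
    problems = []
    norm = normalise(pw)
    letters = re.sub(r"[^a-z]", "", norm)
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if "password" in norm:
        problems.append("contains 'password' (or a disguised form of it)")
    if has_keyboard_sequence(pw):
        problems.append("contains a keyboard or alphabet sequence")
    if letters in DICTIONARY or letters[::-1] in DICTIONARY:
        problems.append("is a dictionary word (possibly reversed or with substitutions)")
    half = len(letters) // 2
    if letters and len(letters) % 2 == 0 and letters[:half] == letters[half:] \
            and letters[:half] in DICTIONARY:
        problems.append("is a doubled word")
    for item in personal:
        item_norm = normalise(item)
        if len(item_norm) >= 3 and item_norm in norm:
            problems.append(f"contains personal information ({item!r})")
    return problems


if __name__ == "__main__":
    for candidate in ["Pa$$w0rd123456789", "5pac3man", "bookbook", "koob",
                      "orbit lantern copper fjord"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The last candidate, four unrelated words with spaces, is the shape the “two to four short, random words” rule recommends and passes every check; the others each fail at least two. Note the checker only ever returns reasons, never the password, so its output is safe to log.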

Password examples

Here are some examples of both good and bad passwords. The trick is to find something that is memorable but difficult for a machine to guess. The example at the bottom will be extremely difficult for a machine to decipher, but also difficult for you to memorise.

Also, never use the actual examples shown in any password resource as there is a good possibility they have been added to a criminal database somewhere.





Password resources

There are lots of great resources available to help you manage passwords for both business and personal logins. Here are some examples of commonly used password generators and management tools.

xkcd generator

xkcd generates four random words with spaces in between to create almost unbreakable passwords. It also includes a cartoon that explains how the system works.

Diceware Passwords

If you are a fan of tech startups, there are few tech entrepreneurs younger than 11-year-old Mira Modi. You can send her $2 and she will create a virtually uncrackable password for you using the diceware method.
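Both the xkcd generator and Diceware work the same way: pick several words uniformly at random from a fixed list and join them, so the strength comes from the list size and the word count, not from the words looking strange. The script below is an added example, not code from xkcd, Diceware or Network ROI. It simulates the dice with Python’s `secrets` module (a CSPRNG, which is the right tool; `random` is not), looks each roll up in a word list keyed by the dice values exactly as the Diceware method does, and reports the guessing entropy. The 36-word, two-dice list is a constructed stand-in; a real Diceware list has 7776 words keyed by five dice.

```python
"""Diceware-style passphrase generation with a CSPRNG.

Added example, not Diceware's, xkcd's or Network ROI's code. The 36-word
two-dice list is constructed for illustration (assumption); a real Diceware
list has 7776 entries keyed by five dice.
"""
import math
import secrets
from itertools import product

# Constructed two-dice word list: 36 entries, one per (die1, die2) combination.
WORDS = """acorn badge cabin delta ember fable gavel habit igloo jumbo kayak lemon
mango noble oasis pedal quilt radar saber tango ultra vivid wafer xenon yacht
zebra amber bison cider dough eagle flint gourd hazel ivory jelly""".split()

DICE_PER_WORD = 2  # a real Diceware list uses 5

# Key each word by its dice values, e.g. "11" -> "acorn", "12" -> "badge", ... "66" -> "jelly".
DICEWARE_WORDS = {
    "".join(str(d) for d in dice): word
    for dice, word in zip(product(range(1, 7), repeat=DICE_PER_WORD), WORDS)
}


def roll_key(n_dice=DICE_PER_WORD):
    """Simulate n fair dice with a CSPRNG and return the lookup key, e.g. '35'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def generate_passphrase(n_words=4, separator=" "):
    """Roll once per word and join the looked-up words, xkcd/Diceware style."""
    return separator.join(DICEWARE_WORDS[roll_key()] for _ in range(n_words))


def entropy_bits(n_words, list_size):
    """Guessing entropy of n independent uniform picks from a list of list_size words."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    phrase = generate_passphrase(4)
    print("passphrase:", phrase)
    print(f"entropy with this 36-word list: {entropy_bits(4, 36):.1f} bits")
    print(f"entropy with a 7776-word Diceware list: {entropy_bits(4, 7776):.1f} bits")
```

Four words from the toy list give only about 20.7 bits, which is why the list size matters: the same four words from a 7776-word list give about 51.7 bits, and five give about 64.6, without the words themselves becoming any harder to remember.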

Lastpass

Lastpass is a popular management tool that stores your encrypted passwords in the cloud. Lastpass works across all your devices and can be accessed as long as you have an internet connection.

KeePass

KeePass is a free, open-source manager that keeps your passwords in a database that you secure using a master key or a key file. You only have to remember one master password to gain access to your vault. Remember to follow the tips above to make it strong, or crooks will have access to all your information!
