User Permissions Tracker worksheet from GDPR Data Classification & Cyber Security Template

Every user login is effectively a key to your organisation’s data and systems, though unlike a physical key you don’t need to take an existing key to a locksmith or key cutting service to make new ones. Instead, logins can be created by anyone who has administrator rights to the particular service or system, whether or not they are authorised to do so. Given the myriad of online services and systems within most organisations, this can easily amount to 20 to 50 keys per person, depending on their role and responsibilities, and sometimes a lot more.

From the constant news…


Can you trust your penetration testing company with your results, or are they inadvertently performing the initial reconnaissance for cyber criminals, with you picking up the bill to boot? Whether through an insider threat or a remote access trojan, penetration testing (pen test) companies are an ideal target for cyber criminals. Their customers are a ready-made list of organisations with data valuable enough to justify paying for a pen test, or with a regulatory compliance requirement to have one.

Pen test results are available for purchase on the dark web, so this is not just theory, but a reality. If you know there…


Back in September I received an email claiming to be from the courier firm DPD and that an attempt to deliver a parcel was unsuccessful. In order to get the item redelivered I would need to reschedule the delivery and confirm the address details are correct. Unfortunately as there had already been three failed attempts there would be a small charge. The link provided also included the tracking code embedded into it for convenience.


As part of the cyber security awareness training for many organisations, the IT department simulates phishing emails via a third party service to help educate their users and report on who is more likely to click on a phishing email. Some of these third party phishing services are even free like Gophish and Duo Security, and yet, I have a policy of not phishing my own staff. Let me explain why.

The reason is, that for the past 5 years I have been encouraging all my colleagues to forward suspicious emails they receive to the IT department or to contact…

For over 20 years we have been on a never-ending cycle of being told that the software we use has bugs or security issues and that it has been fixed in an update or patch. But those updates have had a tendency of breaking something else, and the whole cycle begins again. In the worst cases, a bad operating system update has left users completely in the lurch without a working computer and so people have become weary of updates, even to the point of refusing to install them. How many times have you restarted a computer only to realize…


The GDPR legislation, at 57,500 words long, is not the easiest of things to get your head around if your business processes personal data (which the majority do). But one of the smallest steps in GDPR compliance, which so many forget to do, can land you a £400 or £600 fine, going up to £4,350.

This small step is nothing more than paying the annual £40 or £60 data protection fee, which is payable by law to the data protection authority, which in the UK is the Information Commissioner’s Office or ICO. If you are lucky enough to…


Everything we do online is based on trust: we trust our email providers, our cloud services, our search engines, software developers and online stores. We give them personal and financial information, ranging from our pets’ names and first school to our credit card and bank details. As a result, it is very easy for criminals to abuse that trust, because the opportunities to do so seem endless. …


Targeted email attacks are an increasingly difficult problem to stop through technology alone, requiring both processes and people (via education) to combat effectively. Commonly called ‘spear phishing’, and for high profile targets ‘whaling’, the core of the attack is social engineering built on elements of truth drawn from our recent online activities.

So why are they so difficult to block? Firstly, many targeted phishing emails do not contain anything immediately malicious. Some will not have anything at all that gives the game away, building a rapport over time. Others rely on shortened hyperlinks and attachments that contain hyperlinks like an Adobe…


Cybersecurity training in many organisations is seen as a chore, a tick-box exercise that needs to be done when we get time, maybe next week. Or it is mandatory, regardless of the deadlines you face, but mostly irrelevant to your role or to the risks the organisation faces. Yet, in today’s world of highly sophisticated data breaches, does all this training actually make a difference?

Firstly, cyber security training is a bit like studying history; every month that goes by adds another month to the pool of history to possibly learn. There is no end to the subject matter because it…


Over the past few years there has been a paradigm shift in the world of computer gaming, whether on consoles, computers or mobile devices, where the focus is no longer on just selling you a game. Instead, the focus has shifted to you buying an in-game or virtual currency that allows you either to unlock additional content or to gain some advantage or cosmetic difference in how your game character(s) look within the game. This is raking in hundreds of millions for some game developers, and the criminals have taken note.

Many of the games are technically…

Nick Ioannou

IT professional, blogger, author & public speaker on cloud/security issues, with over 20 years’ corporate experience. More resources at
