5 Easy Ways To Protect Your Business From Cyber-Crime


Are you relying on good luck or a wing and a prayer to protect yourself from cyber-crime and internet risks? Below are some online security tips your business can use to protect itself. After all, you don’t know when your luck will run out!  

 # 1: Set Up Two-factor Authentication

Set up two-factor authentication for all your online accounts and devices.

Hackers do not need to be especially clever: most account takeovers start with a password that was phished, reused across sites or exposed in a data breach. Enabling two-factor authentication on your laptop, phone, email account and on each app you use is a straightforward way to make a stolen password insufficient on its own.

Two-factor authentication checks that anybody attempting to access an online account holds something separate from the password, not just the password itself. The way it typically works is:-

  • Firstly, you enter your username and password as normal
  • Then, rather than gaining immediate access, a second check is needed. This second step could be
    • A code generated by an authenticator app on your phone, or a tap-to-approve prompt in that app
    • A physical security key you plug in or tap on your phone
    • A code sent to your phone by text message, or to your email account

A "secret question" is sometimes offered as a second step, but it is not a second factor: it is just another thing you know, and the answers are often guessable or findable on social media. Prefer an authenticator app or a security key; codes sent by text or email are better than nothing, but they are only as safe as your phone number and your mailbox.

The idea is that even if your password is compromised, the attacker still does not have the second factor. Two caveats: if the second factor lives on a phone that is lost or stolen, the phone itself must be locked with a PIN or biometric, and you should keep the recovery codes most services give you at set-up somewhere safe, otherwise losing the phone can lock you out too.

And yes, I know it can be annoying to have to verify everything on your phone or via email. But not as irritating as losing all your data or, worse, all your money.

 

 # 2: Use A Password Manager

Personally, I use LastPass, but I recently purchased Norton anti-virus (See also tip 4 about anti-viruses), and noticed it contains a free password manager.

Most of us understand that we shouldn’t use our children’s names, a date of birth, 12345 or ‘password’ as a password, and that each password should be unique to one site and be long and random: a mix of numbers, upper- and lower-case letters and symbols with no pattern to it.

We all understand the theory, but the challenge is when we use so many apps every day, how do you remember these random passwords? The simple answer is unless you have a photographic memory, you can’t.

So, instead of following what we know is the safe way of working, we continue to use weak passwords, write them on post-it notes or keep a file called passwords (don’t laugh; I have seen it!)

This is where password managers help: they store the login details for every website you use in one encrypted vault. When you log into a website or app, the password manager fills in the password fields, so you can have a long random password for each site without needing to remember it. Because the manager matches the saved login to the site’s address, it will also refuse to fill your bank password into a lookalike phishing site, a useful side benefit. The only password you need to remember is the one for the password manager itself, so make that one a long passphrase you use nowhere else, and turn on two-factor authentication for the manager as well (see tip 1).

 

 # 3: Connect To A VPN 

Have you ever sent an email while queuing for your morning coffee, or checked your bank account on the train during your daily commute? You may as well use the time wisely, right?

If you’re relying on public Wi-Fi for your connection, be careful. On an open (unencrypted) network anyone nearby can capture the traffic, and a “free Wi-Fi” hotspot can be set up by anyone, including the cyber-savvy stranger opposite you on his laptop.

A Virtual Private Network (VPN) encrypts all the traffic between your device and the VPN provider’s server, so the café’s network, and anyone on it, sees only an encrypted tunnel rather than which sites you visit or what you send. Two caveats: the VPN provider itself can see that traffic, so use one you trust (your business’s own VPN rather than a free app), and a VPN does not replace HTTPS, which protects the connection end to end between you and the website. For your bank or an online shop you want both.

Bonus Tip: If you outsource your work to a virtual assistant or virtual business manager, one of the first questions you should ask is how they secure their connection and their access: whether they use a VPN on public networks, a password manager and two-factor authentication on every account of yours they can reach.

 

 # 4: Routinely Update Anti-virus And Anti-malware Software

We all do it; our anti-virus sends a pop-up reminding us we need to update, but what do we do? We press ‘later.’ 

Software providers regularly release updates (called patches) to close weaknesses as they are discovered, and attackers routinely target machines that have not applied them. These updates cannot protect you unless you install them. That applies to your anti-virus/anti-malware, but just as much to the operating system, the browser and the apps you use every day: turn on automatic updates wherever they are offered, and restart when the update asks you to, because many patches do not take effect until you do.

 

 # 5: Shop Securely Online.

The simplest way to make an online purchase ‘uneventful’ is to check where you are buying before typing in any card or bank details. Look for the lock symbol and “https://” at the start of the address: that tells you the connection is encrypted, so nobody between you and the site can read your card number in transit. It does not tell you the site is honest. Fraudulent shops use HTTPS too (certificates are free), so also read the domain name carefully and be suspicious of a familiar brand name that appears only as part of a longer, unfamiliar address.
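As an added example (not from the original article) of reading an address properly before paying, the function below applies a few mechanical checks to a checkout URL: encrypted scheme, no username trick before an "@", no bare IP address, no punycode lookalike label, and whether the domain the browser will actually talk to is the shop’s. The shop name example-shop.com and the test addresses are made up for the demo, and the two-label "registrable domain" rule is a simplification noted in the code.

```python
import ipaddress
from typing import List
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """The part of the name the shop actually controls. Simplified here to the last two
    labels; production code should use the Public Suffix List so that names such as
    'shop.co.uk' are handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_shop_url(url: str, expected_domain: str) -> List[str]:
    """Return the warnings these checks raise for a checkout URL. An empty list means the
    address is what it looks like and the connection is encrypted; it does not vouch
    for the shop's honesty."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()

    if parts.scheme != "https":
        warnings.append("not https: card details would travel unencrypted")
    if parts.username is not None:
        # https://trusted.example@evil.example/ shows the trusted name first, but
        # everything before the @ is a username, not the site.
        warnings.append(f"'{parts.username}' before the @ is a username; the site is {host}")

    try:
        ipaddress.ip_address(host)
        warnings.append("bare IP address instead of a shop's domain name")
        return warnings          # no domain name to compare against
    except ValueError:
        pass

    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) label: may imitate a familiar name")

    actual = registrable_domain(host)
    if actual != expected:
        brand = expected.split(".")[0]
        if brand in host:
            warnings.append(f"'{brand}' appears in the address, but the site is really {actual}")
        else:
            warnings.append(f"site is {actual}, not {expected}")
    return warnings


if __name__ == "__main__":
    # Constructed test addresses: a genuine checkout, the same over plain HTTP, a brand
    # name buried in a subdomain, and a username trick in front of a raw IP.
    for u in [
        "https://www.example-shop.com/checkout",
        "http://www.example-shop.com/checkout",
        "https://www.example-shop.com.secure-pay.example/checkout",
        "https://www.example-shop.com@203.0.113.5/checkout",
    ]:
        print(u, "->", check_shop_url(u, "example-shop.com") or ["ok"])
```

The third address is the one the padlock alone will never catch: it is a perfectly valid HTTPS site, just not the shop’s. The only defence is reading which domain sits at the end of the host name.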

Do You Think Cyber-crime Won’t Happen To You?

 

That it only happens to big businesses?

This is no longer true. Big corporations spend billions on their IT security as they cannot risk the bad reputation from a significant data breach. Hackers are therefore increasingly targeting mid to small-size businesses. They are easier to hack because small companies are generally under-protected or do not understand what is needed to safeguard their technology.

 Questions To Ask Yourself

  • Do you have a website? Perhaps even an online store where you take payments? Are they safe for those visiting your site?
  • How much personal information do you keep digitally on your clients, suppliers or contacts? Is that information stored safely?
  • Think of how many documents you downloaded, emails you signed up for or forms you completed this week. Were they all from reputable sites?
  • How many emails do you send or receive every day? Do any of them contain personal information?
  • If you are storing information in the cloud, who can access it, and what safety measures do you have in place?
  • What about your social media posts? Are they secure and safe? Or are you giving out information a hacker could use to get into your accounts? 

If any of the above applies to you, you need to consider how you protect your technology, business data and personal information. If you are unsure where to start, then get in touch; I would be happy to talk you through some of these.

What Are Cookies – A Bitesize Explanation


1st important cookies question: hobnob or digestive?

2nd important cookies question – Do you have a cookie policy and a cookie opt-in?

Why Am I Asking About Cookies?

Because EU law (the ePrivacy rules, implemented in the UK as PECR, read together with GDPR’s standard of consent) says that as a user you should know how you’re being tracked and by whom, and should be able to agree or refuse.

What Is A Cookie And What Does It Do?

A cookie is not code but a small piece of text (a name and a value, plus attributes such as an expiry date) that a website asks your browser to store. The browser sends it back with every later request to that site, which lets the site recognise your browser across pages and visits, for example to keep you logged in or to count visitors. Cookies set by a third-party domain embedded in the page (an advertising or analytics script) can recognise you across every site that embeds the same script, which is the tracking the law is concerned with.

How Do You Find Out What Cookies You Are Using?

The quickest way is to run a cookie scanner against your website – I use Cookiebot.

You can also do it manually: open your browser’s developer tools on your own site (the Application or Storage tab in Chrome, Edge or Firefox) and look at the cookies listed under your domain and under any third-party domains, or read the Set-Cookie headers in the responses your site and its embedded scripts return. For each cookie, note who sets it, what it is for, how long it lasts and whether it is set before the visitor has agreed.
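As an added example of the manual route (not code from the original post, and not how Cookiebot works), the script below takes the Set-Cookie headers a site returns and produces the inventory a cookie policy needs: which cookies are first- or third-party, which persist and for how long, and which security attributes are missing. The three headers, the site name www.example.com and the 365-day lifetime threshold are constructed for the demo, not captured from a real site.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Constructed sample: the Set-Cookie headers a small business site and its embedded
# analytics/advertising scripts might return. Not captured from any real site.
SITE_HOST = "www.example.com"
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga=GA1.2.123456; Domain=.example.com; Max-Age=63072000; Path=/",
    "ads_id=xyz789; Domain=tracker.example.net; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; SameSite=None",
]


@dataclass
class CookieRecord:
    name: str
    domain: str            # Domain attribute as sent; "" means only the setting host
    first_party: bool
    persistent: bool       # survives closing the browser (has Max-Age or Expires)
    lifetime_days: Optional[float]
    issues: List[str] = field(default_factory=list)


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, attributes). Attribute names are
    case-insensitive (RFC 6265); flags such as Secure carry no value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_first_party(site_host: str, cookie_domain: str) -> bool:
    """A cookie is first-party if its Domain is the site itself or a parent of it."""
    if not cookie_domain:
        return True
    domain = cookie_domain.lstrip(".").lower()
    host = site_host.lower()
    return host == domain or host.endswith("." + domain)


def audit_cookie(header: str, site_host: str, now: datetime, max_days: float = 365) -> CookieRecord:
    """Inventory one cookie and list the points a cookie policy review would raise.
    max_days is an example policy threshold chosen for this demo, not a legal limit."""
    name, _value, attrs = parse_set_cookie(header)
    domain = attrs.get("domain", "")
    first_party = is_first_party(site_host, domain)

    lifetime = None
    if "max-age" in attrs:
        lifetime = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:
        lifetime = (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400

    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure: can be sent over plain HTTP")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly: readable by page scripts, e.g. after an XSS")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        issues.append("missing SameSite: set it explicitly (Lax for most site cookies)")
    elif samesite == "none" and "secure" not in attrs:
        issues.append("SameSite=None is only honoured together with Secure")
    if not first_party:
        issues.append("third-party cookie: must not be set before the visitor consents")
    if lifetime is not None and lifetime > max_days:
        issues.append(f"lifetime {lifetime:.0f} days exceeds the {max_days:.0f}-day policy")
    return CookieRecord(name, domain, first_party, lifetime is not None, lifetime, issues)


def audit_site(headers: List[str], site_host: str = SITE_HOST, now: datetime = NOW) -> List[CookieRecord]:
    return [audit_cookie(h, site_host, now) for h in headers]


if __name__ == "__main__":
    for rec in audit_site(SAMPLE_SET_COOKIE_HEADERS):
        kind = "first-party" if rec.first_party else "THIRD-PARTY"
        life = "session" if not rec.persistent else f"{rec.lifetime_days:.0f} days"
        print(f"{rec.name:<10} {kind:<12} {life:<10} {'; '.join(rec.issues) or 'ok'}")
```

The session cookie passes cleanly; the analytics cookie is first-party but lives for two years and lacks every protective attribute; the advertising cookie is third-party, so it belongs in the consent banner’s "marketing" category and must not be set until the visitor has opted in.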

How Do I Give My Site Visitors Cookie Options?

Many older cookie consent scripts simply tell visitors which cookies you are using. That is not sufficient for the GDPR standard of consent, which has to be an active choice. Instead you need a consent tool that lets people say yes or no to cookies by category (analytics and marketing separately from strictly necessary cookies) and that does not set the non-essential cookies until they have said yes. If you are using a website builder like Wix or Squarespace there are inbuilt cookie consent banners, but you need to ensure they are set correctly.

For WordPress sites, you can use a plugin. I personally use Civic UK (which is the one the ICO uses), but other options are Metomic and Osano.

To find out more about working compliantly with a Virtual Assistant please read my other blogs on the subject…

How To Work With A Virtual Assistant Post-Brexit

How To Share Mailchimp In A GDPR Compliant Way

How To Work With A Virtual Assistant Post-Brexit


Before I even start talking about the Brexit deal, let us first discuss the correct way to have been contracting with a Virtual Assistant before the end of 2020.

As the data controller (it’s your data: your clients gave it to you), you have the responsibility to ensure processing happens in a compliant way!

When outsourcing there are 3 key things that you need to ensure are in place:-

1) A Contract  

The contract should include obligations of confidentiality, i.e. a non-disclosure agreement, which covers GDPR explicitly.

2) A Data Protection Agreement (DPA)

A DPA goes beyond the non-disclosure agreement in the contract. It sets out specific instructions from the data controller (you) to the data processor (the Virtual Assistant) about what the processor may and may not do with the data, and GDPR (Article 28) requires one whenever a processor handles personal data on your behalf.

3) Security Instructions

Clear instructions, which everybody understands and follows, on access to systems and storage of data: for example, the required password format, use of a password manager, two-factor authentication on every shared system, a separate login for each person rather than one shared account, and how access is removed when the engagement ends.

I would also add to the list that a reputable Virtual Assistant, who understands the importance of protecting your data, would also be registered with the ICO, plus have cyber insurance cover.

If you haven’t drawn up your own outsourcing contract, then your Virtual Assistant most likely has contract paperwork they can share. However, be mindful that most VAs purchase contracts online. If they have purchased, or even just copied, contracts from a non-EU site, the contracts may not use the correct terminology. Since the data is your responsibility, you may not be covered if there were to be a breach.

Myth Buster

It is common to outsource email or diary management to a Virtual Assistant. You may assume that as they are only viewing information, all this compliance malarkey isn’t necessary….Wrong!

Even viewing personal data (i.e. opening an email and seeing the person’s name and email address) still comes under GDPR. Hence it is advisable to have the correct contracting in place.

How Does Brexit Change Things?

The answer is in the short term it doesn’t.

Currently, the UK and EU are taking a ‘business as usual’ approach. Although the transition period ended on 31st December 2020, the finalised deal means that data can continue to flow as before until 30th April 2021, with a possible extension to 30th June 2021 provided neither party objects.

The longer-term route, rather than another extension, is a ‘finding of adequacy’.

What is a data adequacy decision?

Surprisingly, the Brexit deal does not deal with GDPR beyond the provision for this bridging period. Therefore the European Commission needs to decide whether to grant the UK a ‘finding of adequacy’. This would then allow personal data to pass freely between the UK and the EU.

While this isn’t a foregone conclusion, the good news is that as long as UK law remains in line with GDPR, there is a strong chance the EU will grant adequacy.

Hang On…

I only work locally in the UK, this doesn’t affect me?

If you are working locally, potentially nothing will change.

However, one crucial question to ask yourself is, are you actually only working locally?

A lot of businesses have lead magnets, webinars or online courses that they advertise on the internet. Typically to sign up for these, a customer will share their personal information. In theory, anyone from around the world could sign up to your materials. If that ‘anyone’ is located in an EU country this could be a problem if no adequacy is granted.

 

Where Does That Leave Us Post-Brexit?

Well for the short term as long as you have the appropriate:-

  • Contract
  • Data processing agreement
  • Security instructions

Plus you have done your due diligence with regards to insurance and ICO registration, you should be covered.

However, if your Virtual Assistant provided your contracts, they should be monitoring the decisions and issue new contracts if applicable.

 

In conclusion, GDPR, or whatever framework replaces it, is not easy to understand. I am certainly no expert on it! While we are in a transition period, nothing changes, but potentially if a ‘finding of adequacy’ is not granted things could change quickly.

The ultimate responsibility for the personal data you collect in your business lies with you. If you share that personal data with a Virtual Assistant (or they have visibility to it), you are still responsible for that data. Hence you need to ensure it is stored and processed correctly. Plus that you are up-to-date with any changes in the UK/EU agreements. The ICO have a helpline to support small businesses who may have questions around data protection.

For Virtual Assistants wishing to ensure their contracts are fit for purpose, I would recommend Koffeeklatch as an excellent source of information. 

How To Share Mailchimp In A GDPR Compliant Way


 

One of the most common tasks outsourced to virtual assistants (VAs) is email marketing. Yet many VAs, especially those in offshore locations, do not fully understand the intricacies and responsibilities associated with delivering this service in a GDPR compliant way.

From my experience working for an international corporation, I knew my clients could not simply hand over their Mailchimp log-in details to me. This in itself could be an instant GDPR breach. I knew that while a client could delegate the work to me, they still had the responsibility to ensure any personal data they had collected was handled in an appropriate way.

In order to ensure I was advising my clients how to set up email marketing correctly, I contacted an expert in the field, Annabel Kaye from KoffeeKlatch.

Annabel has been helping small business owners with HR support since the early 1980s. With the advent of GDPR legislation, she became an expert in this field as well, particularly with regards to how it relates to VAs, web designers, bookkeepers and trainers.

Annabel explained to me that there is a big gap between the law, people’s expectations and what can actually work. The onus is on the outsourcing company, as the data collector, to make sure their VA is working in a compliant way, and that involves more than simply checking an ICO certificate.

 She shared the below advice for small business owners looking to outsource their Mailchimp email marketing: –

Contract Your VA To GDPR Security And Confidentiality

You need to have a contract that sets out your confidentiality and security requirements.  Many Virtual Assistants and Digital Assistants have their own terms of business.   Not all of these are protecting your business and your customer data in the way they should.  You are the one setting the standards, so it is your job to make sure the right paperwork is in place.

Give Your VA GDPR Data Processing And Security Instructions

You will need to issue written instructions on how your lists are to be accessed and what can and cannot be done.  These may be quite brief if your Assistant is just setting you up, but if they are going to be accessing the data on a regular basis, you will need to make it plain exactly what they can do with the information they have access to.

If your Assistant is GDPR savvy they will be asking you for this anyway, since it is not lawful for them to access your data without them.

They may not use these words, but if they are content to access your data without any formalities this should tell you that your Assistant is not GDPR savvy and may not know what they are doing in GDPR terms.

If they don’t know what they are doing this can cause problems for you since it is up to you to use your Assistant in a GDPR compliant way.

Own Your Mailchimp Account

If you don’t yet have a Mailchimp account make sure you set it up in your business name and with your email address.   This makes you the owner in terms of how Mailchimp categorises roles.  Even if you don’t know how to do anything else like create lists or content, it is vital that you are the Owner.  This gives you the right to add and remove other users. You will find it hard to comply with GDPR if you can’t turn off users who no longer need access.

At KoffeeKlatch we often see business owners who are not the Owner of their Mailchimp account as they let someone else set it up. This means that other person can lock you out of your account!  This is not a good idea for business anyway but certainly prevents you from properly fulfilling your responsibilities as a ‘Data Controller’ – which is what you are when collecting information about individuals such as names and email addresses, for your business.

Turn On Two-factor Authentication And Improve Your GDPR Compliance

Make sure you have turned on two-factor or multi-factor authentication. This is easily done in Mailchimp – see here. You also get a temporary discount for all users if you are paying for Mailchimp. You will be making your data more secure and saving yourself some money.

While this will make your data more secure, the second factor is tied to your phone. You might want to think about what will happen if you lose your phone!   It can take days or longer to get back in if you lose your phone.

Multi-user Set Up

Don’t all share one login.  You will find it impossible to control or track who does what. Mailchimp lets you set up multi-users.

Before you set up one for your Assistant, create a duplicate account using another email address that also has two-factor log in but authenticates to another device!  You can see Mailchimp’s instructions here. Make sure your own duplicate account has a full set of rights.  Set your duplicate account at Admin level.

Then set up your Assistant with their own login (don’t forget to turn on two-factor authentication for them too).  If they lose their device, you can change their set up.

Set Up The Right Roles For GDPR Compliance

It can be tempting to set your Assistant up as ‘Admin’ and leave them to it.   However, as a GDPR principle, it is not a good idea to give people maximum rights ‘just in case’.  It is more sensible to set people up with only the rights they need to do the particular work you are paying them to do.  That way they can’t accidentally do something you do not want them to do.     Here is a link to the Mailchimp user roles – click here.  It is safer to choose lower roles.  KoffeeKlatch recommends you do not set anyone up at higher levels than Manager except on a temporary basis.  You can change the user role without having to create a new user.

Minimise The Data You Collect

It can be tempting to create sign up forms requiring all sorts of information about your prospect or customer.   Try to avoid this temptation.   The more information you ask for at an early stage, the less comfortable people will feel.

Imagine you are at a networking event and you meet someone you are about to hand your card to.  Just as you do they ask you – can I have your date of birth, what is your home address, can I have your personal phone number.  It starts to feel a bit creepy, doesn’t it?  The same thing applies to signing up to an email list or claim a special offer (your lead magnets).

Not only that, if you don’t need the data at that stage you are breaching GDPR if the information is not necessary. Whatever your Assistant says, it is your job to make sure you are not going too far.

Consent And GDPR Compliance

The rules on email marketing and consent are being overcomplicated. As a simple guide, you will need consent if they are not an existing customer (customer lists can be created without consent provided there is an opt-out on the material you send and provided you send only offers relevant to what they purchased).

When you are relying on consent, it must be clear to the person what they are consenting to. You can’t assume anything and the old days of a handshake are gone.  Clear information at the point of sign up is vital. People must know what they are getting into.

While consent is just one of six ways to collect data under GDPR when it comes to email marketing to prospects it is usually necessary.

Remember, if they can’t understand it, they can’t have really consented to it.

Keep it simple. Whatever your Assistant sets up it is your responsibility to check it is OK.

Who Is Writing And Providing Your GDPR Data Privacy Policy?

You or your Assistant will need to link sign up forms to your Data Privacy Policy.   That policy should reflect what you are actually collecting and using (and why) along with other information.   While templates can be a great place to start you will need to make sure it accurately reflects what you are doing – not something copied from someone else who is doing things differently!

GDPR Is Not Just About Documents

Mailchimp is a great email marketing platform and it gives you the tools you need for GDPR compliance – but if you don’t work with the people you pay in a GDPR compliant way it can all come back to bite you.  GDPR and data privacy is about every step of your business process when it comes to handling data.