Jeremy Aylott, Lead Ethical Hacker, Cyber and Fraud Centre, describes in detail the Sensitive Data Leak scenario of our Exercise in a Box programme.

What is it? 

Charities, small businesses, and public sector organisations hold as much sensitive data as large organisations but rarely have the same resources for securing it. Most organisations know that the Information Commissioner’s Office can issue fines of up to £17.5 million following a breach of sensitive data, but did you know individuals can file separate claims for compensation? Sensitive data is being stolen and used to extort charities for millions in ransom payments.  

Using the Sensitive Data Leak scenario from the National Cyber Security Centre’s Exercise in a Box toolkit, our team of ethical hackers will challenge your data protection policies and processes in a discussion-based exercise aimed at improving your organisation’s resilience to extortion and sensitive data leaks.  

This exercise is split up into three injects, with several discussion points covering a variety of topics, including: 

  • Your organisation’s logging and monitoring of internal sensitive data. 
  • Your processes for securely offboarding a disgruntled employee. 
  • Internal escalation of a security incident and the legal considerations. 

Why do it? 

Every organisation stores personal data in some form. This could be related to clients, staff, rejected job applicants or even individuals targeted in a marketing campaign. As such, every organisation has a legal obligation to protect that data, with harsh financial and reputational penalties for breaches, particularly when your organisation does not have adequate security measures.  

Cyber exercising is an effective way to walk through a theoretical cyber incident, from the causes of the initial breach through to response and recovery. By talking through your organisation’s security processes with the help of our ethical hackers, you will identify points for future improvement and learn how to respond.

Who is it for? 

Exercise in a Box is aimed at any organisation, large or small, aiming to increase their cyber knowledge. We’re offering funded sessions to all public sector organisations and any third-sector organisations working in health, housing, or social care. Security is everyone’s responsibility, not just IT, and as such, Exercise in a Box is suitable for everyone in your organisation.  

You can find additional guidance below:

Cyber and Fraud Centre Resources: https://cyberfraudcentre.com/resources 

Data breaches: guidance for individuals and families
https://www.ncsc.gov.uk/guidance/data-breaches

Reducing data exfiltration by malicious insiders – NCSC.GOV.UK

Dealing with suspicious emails, phone calls and text messages:
www.ncsc.gov.uk/guidance/suspicious-email-actions 

Phishing attacks: defending your organisation:
www.ncsc.gov.uk/guidance/phishing