Author: Kevin Hawkins

Phishing, Ransomware and Other Malware

There are of course several things that we can do to protect ourselves, both procedurally and technically, providing defence in depth.  Protecting businesses from phishing and other malware is crucial for maintaining a secure online environment. Here are some key steps to help protect your business:

  • Employee Education: Train your employees to recognize and avoid phishing attempts. Teach them how to identify suspicious emails, links, and attachments. Encourage them to report any suspicious activity promptly.
  • Strong Passwords: Enforce the use of strong, unique passwords for all business accounts. Consider implementing two-factor authentication (2FA) for an extra layer of security.
  • Data Backups: Regularly back up all critical business data to secure, off-site locations. This ensures that even if malware or ransomware attacks occur, you can restore your data without paying a ransom.
  • Incident Response Plan: Develop a comprehensive incident response plan outlining the steps to be taken in case of a security breach. This plan should include communication protocols, containment measures, and recovery procedures.
  • Ongoing Security Awareness: Maintain a culture of security awareness within your organization. Regularly remind employees about the importance of staying vigilant and following security best practices.

Alongside these, there are other measures that can, to a large extent, be automated, reducing your administrative burden and support costs.

  • Regular Updates and Patches: Keep all software and operating systems up to date with the latest security patches. Regularly update antivirus and anti-malware software as well. All sounds great, but what if you could reduce this requirement to a manageable level?  Manageable not only because it must be done, but also because of the disruption it can cause to your working environment.  Have a word with us.  We have an app for that!!
  • Secure Network: Implement robust network security measures, including firewalls, intrusion detection systems, and secure Wi-Fi networks. Regularly monitor and audit network activity for any anomalies. This is all good, there is still very much a place on your network for firewalls.  But what about protective monitoring?  Is that affordable?  Is it manageable?  Is protecting the network layer good enough?  Should we be looking at the application layer instead?  Have a word with us.  We have an app for that!!
  • Anti-Malware: Are you considering renewing your AV licence?  Have a word with us first.  We recommend a system which uses a Hard Disk Firewall (HDF).  All data on your systems is stored either as non-runnable data or runnable application programs.  Malware is a type of runnable program with undesirable behaviours.  HDF prevents malware infection, stopping malware program files from being stored and run on a computer.
  • Web Browsing Security and Email Protection: Advise employees to exercise caution when visiting websites, especially those with suspicious or unknown origins. Encourage the use of secure browsing practices, such as avoiding clicking on unfamiliar links. Deploy email filters and spam blockers to prevent malicious emails from reaching employees’ inboxes.  Protective monitoring also has a role here, and we have an app for that!!

Remember, cybersecurity is an ongoing effort. Stay informed about the latest threats and continuously adapt your security measures to address emerging risks. Consider consulting with cybersecurity professionals for additional guidance tailored to your specific business needs.

A little bit about BOTS and AI

BOTS have been around for a long time now, and most people now have at least a basic idea of what they are.  For those that aren’t sure, a bot is a software application that is programmed to do certain tasks. Bots are automated, which means they run according to their instructions without a human user needing to manually start them up every time. Bots often imitate or replace a human user’s behaviour. Typically, they do repetitive tasks, and they can do them much faster than human users could.

They sound benign, don’t they? And to be fair, there are many that are benign, carrying out functions that lend themselves to automation.  But they are also used for purposes that aren’t so great.  There are many examples of malicious BOTS that scrape content, spread spam, or carry out credential stuffing attacks.

Malicious BOTS often work in what is known as a Botnet, short for robot network, which refers to an assembly of computers that malware has compromised.  Such infected machines, individually known as BOTS, are remotely controlled by an attacker.  These networks can and do run synchronised, large-scale attacks on targeted systems or networks.

That is one reason why attacks such as ransomware, perpetrated on SMEs, are profitable for cyber criminals.  By using a Botnet, they can send such attacks to hundreds of targets at the same time, so only a percentage of victims need to pay up to produce a return on a very small investment.

Bot activity is expected to increase even further this year, Imperva’s researchers claimed, due to the arrival of generative AI tools like OpenAI’s ChatGPT and Google’s Bard.

“Bots have evolved rapidly since 2013, but with the advent of generative artificial intelligence, the technology will evolve at an even greater, more concerning pace over the next 10 years,” said Karl Triebes, a senior vice president at Imperva.

“Cyber criminals will increase their focus on attacking API endpoints and application business logic with sophisticated automation. As a result, the business disruption and financial impact associated with bad bots will become even more significant in the coming years.”

This is something I have talked about before.  AI can be both a boon and a potential danger in terms of cybersecurity. On one hand, AI can enhance cybersecurity by detecting and mitigating threats more efficiently, analysing vast amounts of data for anomalies, and automating certain security tasks. On the other hand, AI can also pose risks if it falls into the wrong hands or is used maliciously. Sophisticated AI-powered attacks could exploit vulnerabilities, evade detection, or launch targeted attacks at an unprecedented scale. It is crucial to develop robust safeguards, ethical guidelines, and responsible AI practices to ensure AI remains a force for good in cybersecurity.

We have nothing to fear from ethical AI development, which integrates ethical considerations into the design and deployment of AI systems, emphasising transparency, fairness, and accountability to mitigate potential biases or unintended consequences.  Sadly, we are already seeing signs of AI being used in cyber-attacks.  Some of you may remember that at one time we had what was known as the ‘script kiddy’.  These were budding criminals who did not have a deep skill level but downloaded, and often purchased, scripts on the dark web written by skilled hackers who made a good living selling them online.  The script kiddy would then attempt to use these scripts to hack, taking all the risk themselves.

The script kiddy has all but disappeared in recent years, but AI is allowing them to make a comeback – in spades.  They can now use AI to generate code that allows them to produce their own malware, which is, in turn, creating an upsurge in cyber-attacks and threats.

So don’t be complacent, 2024 could become even more of a problem than 2023, in terms of cyber-attacks.  Time to take some action now, to protect yourself.

Estate Agents Fined by the ICO For Data Breaches

When it comes to data protection, and the requirement under UK GDPR to process and store personal data securely, you might not immediately think of Estate Agents, and for that matter financial advisors, solicitors etc. But Estate Agents hold large amounts of information on their clients, including their financial history, bank account details, copies of passports and other identifying documents, much of which they are required to hold for 7 years, under financial services legislation. So the scope for a data breach is huge.

Some examples include:

A London estate agent has been fined £80,000 by the ICO after leaving the personal data of more than 18,000 customers exposed for almost two years. The incident occurred when the estate agent passed the details from its own servers onto a partner company. An “Anonymous Authentication” function was not switched off, which meant there were no access restrictions to the data between March 2015 and February 2017.

The exposed details included bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords.

Writing on its website, the ICO said its investigation had uncovered a ‘catalogue of security errors’. The agent had failed to take appropriate technical and organisational measures, and had only alerted the ICO to the breach when it was contacted by a hacker.

Lack of adequate data security is an important basis for imposing fines. Are you one of the SMEs who has swallowed the line that a firewall and some anti-virus, plus cloud storage, is all you need?

In addition to inadequate security, one of the frequent reasons for imposing a penalty is failure to report a violation despite the obligation under the law. Have you got that covered with an adequate policy and process in place and understood?

This can all be a real nightmare for many SMEs, particularly those with a large amount of personal data, much of which they can’t ditch. For example, financial data which, under other legislation, they must keep for 7 years. I’m thinking about Estate Agents and financial advisors, even solicitors who I find are very good at telling others what they need to do to comply with the Act but aren’t so hot on how to do it.

One of the biggest issues I find with SMEs is that they often think they know where all their data is, but get quite a surprise when they discover multiple instances of the same data set. This has become a real issue since COVID, in that remote working is becoming normal and it’s a real temptation for an employee, working from home with possibly less than robust broadband, to copy data from cloud storage to their PC to ensure they can keep working on it. Then they upload it again when they’ve finished but forget to delete their copy. That’s just one instance, but it is vital to understand where all this data is. What if, for instance, you get what is known as a subject access request, where a client or other member of the public wants to know exactly what personal data you have on them, and why? I spoke to a financial advisor recently who told me that it took one of their partners off the road for 3 weeks to discover where all the data was kept on just one person. But under the law, they had no choice but to bite the bullet.

We’ve been pondering these problems for some time, and they boil down to processing and storing the data securely and being able to quickly lay your hands on it. There are several systems on the market which will capture where your data is, and who has access to it, generally under the banner of Data Loss Prevention, or DLP. These systems are based on an event-driven approach, require extensive ongoing rules management, were built for LAN/WAN perimeters, and are becoming much less effective in an increasingly perimeter-less environment.

Local and wide area networks, and the notion of a security perimeter, are no longer valid with the transition to hybrid cloud, work-from-home, and zero-trust architecture. In such a setup, sensitive files are spread across on-premises repositories (file server, NAS) and different cloud-based repositories. These cloud-based repositories are divided between the ones that you manage (managed cloud, such as organisational OneDrive), shadow IT (such as communication apps like Slack or WhatsApp), and 3rd party portals. We needed an answer to this new data landscape: cross-platform discovery functionality, coupled with data flow monitoring capabilities.

We came across Actifile, which works very differently to a standard DLP, which in any case often requires other tools to provide the security functionality needed. Actifile is based on analysing data risks and applying pre-emptive encryption that handles both external threats and insider carelessness, in a world with no security perimeters. Moreover, Actifile’s set-and-forget method requires little to no maintenance and can be up and running, securing data, in less than 3 working days, providing a detailed breakdown of the data risk and using that data risk to drive data flow monitoring, auditing and remediation. This approach greatly simplifies the process.

Actifile is a cloud-based management platform coupled with a lean agent for workstations (both Windows and Mac), File Servers, NAS and Terminal Servers, and a sidecar Docker instance for cloud-based file shares (i.e., OneDrive).

Step 1: Data Risk Discovery and Quantification

Based on predefined privacy regulations and PII definitions, Actifile immediately starts scans for sensitive data using smart patterns. Actifile then quantifies data risk per PII type in local currencies.

Step 2: Data Risk Monitoring and Auditing

Actifile tracks and audits data risk in real time by continually monitoring incoming and outgoing sensitive data flows to and from the perimeter-less organisation.

Step 3: Data Risk Remediation by Encryption

Actifile’s patented transparent encryption process automatically secures sensitive data across all endpoints, cloud apps, 3rd party portals, and shadow IT. The entire process, from initial deployment through data risk analysis to remediation by automatic encryption, takes as little as 72 hours.
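To make the discovery and quantification idea behind Step 1 concrete, here is an added example written for this post; it is not Actifile’s code or its patterns. It scans a constructed set of file locations (file server, OneDrive, a home PC copy) for a few deliberately simplified UK PII patterns, prices each exposed value with assumed placeholder costs in GBP, flags the same record stored in several places, and answers a subject access request by locating every file that mentions a person.

```python
"""Illustrative PII discovery and risk quantification across file locations.

Constructed example: the patterns are simplified (real tools validate far more
carefully) and the per-value costs are placeholder assumptions in GBP.
"""
import hashlib
import re
from collections import defaultdict

# Simplified detection patterns (assumption: not a vendor's "smart patterns").
PII_PATTERNS = {
    "uk_ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    "uk_bank_account": re.compile(r"\b\d{2}-\d{2}-\d{2}\s+\d{8}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Assumed cost per exposed value, in GBP (placeholder figures for the example).
COST_PER_VALUE_GBP = {"uk_ni_number": 20.0, "uk_bank_account": 50.0, "email": 5.0}

CLIENT_RECORD = (
    "Client: Jane Doe\n"
    "NI: AB123456C\n"
    "Account: 40-12-34 12345678\n"
    "Email: jane.doe@example.com\n"
)

# Constructed corpus: the same client record has been copied from the file
# server to managed cloud storage and to a home PC and never deleted.
SAMPLE_FILES = {
    "fileserver://finance/clients/jane_doe.txt": CLIENT_RECORD,
    "onedrive://sales/jane_doe.txt": CLIENT_RECORD,
    "homepc://Downloads/jane_doe.txt": CLIENT_RECORD,
    "fileserver://hr/staff.txt": "Name: Sam Smith\nNI: CD654321A\nEmail: sam.smith@example.com\n",
    "onedrive://marketing/newsletter.txt": "Contact us at hello@example.com for details.\n",
}


def find_pii(text):
    """Return {pii_type: [matched values]} for one document."""
    return {name: pat.findall(text) for name, pat in PII_PATTERNS.items()}


def scan_corpus(files):
    """Discover sensitive data in every location and quantify the risk.

    Every copy counts as an exposure, so a record duplicated to three places
    contributes three times to the risk figure; unique values are reported too.
    """
    copies = defaultdict(int)
    unique = defaultdict(set)
    per_file = {}
    for path, text in files.items():
        found = find_pii(text)
        per_file[path] = {k: len(v) for k, v in found.items() if v}
        for pii_type, values in found.items():
            copies[pii_type] += len(values)
            unique[pii_type].update(values)
    risk = {t: copies[t] * COST_PER_VALUE_GBP[t] for t in PII_PATTERNS}
    return {
        "copies": dict(copies),
        "unique_values": {t: len(v) for t, v in unique.items()},
        "risk_gbp": risk,
        "total_risk_gbp": sum(risk.values()),
        "per_file": per_file,
    }


def duplicate_groups(files):
    """Find identical content stored in more than one location."""
    by_hash = defaultdict(list)
    for path, text in files.items():
        by_hash[hashlib.sha256(text.encode()).hexdigest()].append(path)
    return [sorted(paths) for paths in by_hash.values() if len(paths) > 1]


def subject_access_search(files, subject):
    """Locate every file mentioning a data subject (a subject access request)."""
    needle = subject.lower()
    return sorted(p for p, text in files.items() if needle in text.lower())


def riskiest_locations(report, top=3):
    """Rank locations by the monetary risk of the PII they hold."""
    scored = {
        path: sum(n * COST_PER_VALUE_GBP[t] for t, n in counts.items())
        for path, counts in report["per_file"].items()
    }
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)[:top]


if __name__ == "__main__":
    report = scan_corpus(SAMPLE_FILES)
    print("Risk per PII type (GBP):", report["risk_gbp"])
    print("Total quantified risk (GBP):", report["total_risk_gbp"])
    print("Duplicate copies:", duplicate_groups(SAMPLE_FILES))
    print("Files for SAR 'Jane Doe':", subject_access_search(SAMPLE_FILES, "Jane Doe"))
    print("Riskiest locations:", riskiest_locations(report))
```

Because each copy is counted separately, the three copies of one client record dominate the total, which is exactly the duplication problem that makes subject access requests so slow to answer.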

Finally, and importantly, it is very light on administration and quick to set up, and we are offering a 30-day trial at no cost. If you don’t like it, we take it away.

Cyber Awareness Training and its Worth to the Business

I’m going to cover off a couple of subjects today, starting with an excerpt from a Data Breach Investigation Report by Verizon, from which I am openly cribbing. The bit that initially grabbed my attention was the number of recorded business email compromises (BEC) reported, which have apparently doubled over the past year, with this threat comprising nearly 60% of social engineering incidents studied.

The report was based on an analysis of 16,312 incidents and 5,199 breaches over the past year, and it suggests that BEC is now more common than phishing in social engineering incidents, although phishing is still more prevalent in breaches.

Social engineering, that is to say the gathering of information on and profiling of a target company, is a very real reason why most breaches involve a high proportion of human interaction.  It is especially prevalent amongst senior management, who are often exposed to such attacks.  In fact, I reported last week that AI is now being used to spoof emails and even phone calls, purporting to come from senior management, instructing staff to carry out an action that will involve some form of financial penalty.

This means that the protections in use against this type of attack can’t simply rely on technical solutions, but that staff must be made aware of, and kept up to date with, the latest techniques, as they will be the ones who will be targeted in the first instance.  Training must also involve senior management; they are most certainly not immune.

As I go around the SME community, it never ceases to amaze me that many SME owners don’t see the value of cyber awareness training for their staff, and I can’t help wondering why not.  After all, we would argue that it is one of the single biggest wins against cyber-crime that an SME can achieve, at minimal cost in terms of time and money.  So why do I think this is?

Statistics reveal that around 60-70% of UK SMEs have suffered a cyber-attack, and amongst those, only 11% had cyber cover. While we are beginning to slowly see a rise in the number of businesses seeking insurance cover after becoming more aware of the risks of cyber-attacks since the pandemic, we still have a long way to go.  Now, cyber insurance is another very thorny issue which really deserves a blog of its own.  However, briefly, let’s say that there are many clauses in most, if not all, policies that will require named precautions to have been taken before any payout can be considered, and those payouts are not common, shall we say.

Returning to the subject of cyber awareness training, this is a favourite hobby horse of ours, particularly as it affects non-technical staff, where it is vitally important for both managers and employees to be made aware of what they could be facing.  If you don’t know what threats exist, then how can you look out for the signs, and how can you effectively target your security spend?  Likewise, staff must know what to look out for, how attacks are formulated and how they are carried out.  A good motivator for staff is that, to put it bluntly, their jobs are on the line if the business is hit badly and loses money.  Most SMEs are in businesses where cash flow is king, and they simply can’t afford the kind of hits that are being experienced almost daily now.

It cannot be stressed enough that whilst your staff are your greatest asset, they can also be the biggest threat regarding cyber security.  Most data leaks are caused not by personnel doing anything deliberately wrong, but by doing things they didn’t know they shouldn’t, and by not fully understanding the processes in place to fight off such attacks.

Moving on, and unashamedly cribbing from another article, this time from Forbes, which was all about the need to prioritise cyber security and the culture needed to promote it continuously throughout the organisation.  This, of course, continues to reinforce the need for adequate cyber security awareness training throughout the year, and not just as a tick-in-the-box, point-in-time exercise.

A very real perspective, not just at the SME level but at all sizes of business, is that “cybersecurity is a cost centre”: a cost to the business that doesn’t help drive revenue and is therefore an expense line item; expensive employees, expensive tools and processes that can hinder operations. With the explosion of internet-connected everything constantly collecting data, security is a SALES DRIVER. Being secure, and having the ability to prove it (via audits/certs), builds TRUST and makes for a stronger brand.

For most SMEs it is already well known that if they want Government contracts, or want to be in the supply chain for bigger companies servicing Government contracts, then Cyber Essentials and Cyber Essentials Plus is a must, so it is time to shift the old mentality and start focusing on how security can help drive sales and revenue.  We are seeing a shift in that direction, albeit slowly, but even so, many in SME management are reluctant to embrace this reality. It often takes a customer, or potential customer, carrying out due diligence before placing an order to convince an SME to take this seriously.

Supply Chain Threats and Vulnerabilities

Supply chain attacks: what are they and why do they matter to an SME?  Lots of larger companies rely on smaller ones to provide key components that they require in their manufacturing or other processes.  That supply chain is critical to their operations and is therefore required to be robust and secure.  An attacker is constantly looking for weak links in cyber defences that can be exploited for financial gain.  They will look at an SME as such a weak link, expecting the SME to have a lower understanding of the threat, and lower expenditure on defence.  They will be looking to piggyback on loopholes in the supplier’s defences to attack their main target.

Manufacturers often use what is known as ‘just in time supply’, i.e., they have an electronic connection to their key suppliers, who are connected up to the company’s inventory and automatically resupply when an item runs low.  It’s efficient and prevents the holding of unnecessary stock.  But it can, if not done correctly, drive a coach and horses through your security.

Cybersecurity, IT governance, and data security will be the number one risks in 2023. Ransomware has been a significant threat in 2022, but the nature of cyberattacks is constantly evolving.

The goal of such attacks is to grab whatever the target has that is of value to the attacker, so it can include infecting legitimate applications in order to distribute malware, accessing IPR (designs, plans, source code, build processes, etc.), inventory theft, inserting false invoicing into your system, and so on.  In fact, if you can think of something that might damage your company, you can bet that the cyber criminals have already thought of it.

In short, a supply chain attack is a cyber-attack that seeks to damage an organisation by targeting less-secure elements in the supply chain.

An example of such an attack was published by NCSC and points out that many modern businesses outsource their data to third party companies which aggregate, store, process, and broker the information, sometimes on behalf of clients in direct competition with one another.

Such sensitive data is not necessarily just about customers, but could also cover business structure, financial health, strategy, and exposure to risk. In the past, firms dealing with high profile mergers and acquisitions have been targeted. In September 2013, several networks belonging to large data aggregators were reported as having been compromised.

A small botnet was observed exfiltrating information from the internal systems of numerous data stores, through an encrypted channel, to a botnet controller on the public Internet. The highest profile victim was a data aggregator that licenses information on businesses and corporations for use in credit decisions, business-to-business marketing, and supply chain management. While the attackers may have been after consumer and business data, fraud experts suggested that information on consumer and business habits and practices was the most valuable.

The victim was a credit bureau for numerous businesses, providing “knowledge-based authentication” for financial transaction requests. This supply chain compromise enabled attackers to access valuable information stored via a third party and potentially commit large scale fraud.

NCSC also cited what is known as a watering hole attack, which works by identifying a website that’s frequented by users within a targeted organisation, or even an entire sector, such as defence, government, or healthcare. That website is then compromised to enable the distribution of malware.

The attacker identifies weaknesses in the main target’s cyber security, then manipulates the watering hole site to deliver malware that will exploit these weaknesses.

The malware may be delivered and installed without the target realising (called a ‘drive by’ attack) but given the trust the target is likely to have in the watering hole site, it can also be a file that a user will consciously download without realising what it really contains. Typically, the malware will be a Remote Access Trojan (RAT), enabling the attacker to gain remote access to the target’s system.

Steven A. Melnyk, Professor of Supply Chain Management at Michigan State University said, “The problem with small to medium sized enterprises is that they are in the unique position of having disproportionate access to important information. They are often mission critical suppliers that produce niche products. They are protected by governmental regulations and requirements. However, they generally have the weakest cybersecurity arrangements in terms of size, resources, and expertise. They open up large clients to leapfrog cyber security attacks.”

Melnyk cited the example of a well-respected American chemical company that was hacked through its supply chain. The hackers obtained information about customers and orders, including quotes. They saw details of items that the company – which was renowned for innovation – was getting ready to patent, he revealed. “The hackers altered the master production schedule; they changed due dates, order quantities and order quality levels. Deliveries were compromised. A new supplier then entered the market, with the precise items that the customers wanted, at prices under the current variable costs. This supplier also patented the firm’s innovations.”

The growth of the digital economy and digital supply chain is contributing to the growing cyber security threat, with four billion people predicted to be connected to the Internet daily in 2020.  In 2021, it is estimated that attacks of this nature have so far increased globally by around 42%.

There are of course things that you can do to protect yourself and your clients.  There are several technical defences that you can implement.  The problem generally remains that SMEs have a tight budget and no internal resource to combat this issue.

The first thing cyberattackers do after breaching a defence is move laterally throughout the ecosystem in search of privileged accounts.  This is because privileged accounts are the only accounts that can access sensitive resources. When a privileged account is found, sensitive data access is attempted. This predictable attack sequence is known as the Privileged Pathway – it’s the common attack trajectory followed by most cybercriminals.  The trick is to disrupt an attacker’s progression along this pathway so that breach attempts, and therefore supply chain attacks, can be prevented.

An effective Privileged Access Management (PAM) framework will disrupt this common attack trajectory and is highly recommended.

That said, I have always been a great advocate that the biggest ‘quick win’ any company can achieve, at minimum cost, is staff awareness.  Staff are the primary gateways to malicious code injections because they’re usually tricked into permitting cybercriminals access into an ecosystem.

The most common form of trickery is scam emails (or phishing attacks), which I have discussed in previous posts. These emails seem like they’re sent from trustworthy colleagues, but upon interacting with them, malicious code is activated and internal login details are stolen, which in turn could grant criminals access to a system, initiating the hunt for higher privileged accounts.

To prevent such incidents, all staff need to be educated about common cyberattack methods so that they can identify and report breach attempts, rather than falling victim to them.

There is so much more to this subject, and it is a matter for each company to assess how much of a problem they think this is to them.  Understanding the threats to the business, how vulnerable you are to those threats, and therefore what risks you are taking, and how severe they are, is key to every element of Cyber Security.  SMEs remain vulnerable because they rarely have any in house resource to understand those risks and take the right actions to mitigate those risks.


The dangers of Wi-Fi in your local coffee shop

This is a subject that I tend to jump on every so often, because it’s one that people just don’t seem to get. I dropped into a coffee shop yesterday for my caffeine infusion, and there were a couple of people with their laptops open, working away on business issues. I could see open spreadsheets (and easy to read if you were sitting behind them), and all had their email open. One was on a video call, and I heard all of her side of the conversation, annoying enough for other café users but she wasn’t aware of the data she was releasing into the wild, at all.

Of course, this is nothing new, it’s been ‘a thing’ for years now, but is it a safe thing to be doing?  A recent survey suggests that a high proportion of the connections to unsecured Wi-Fi networks result in hacking incidents, often from working in coffee shops, restaurants, airports, and other public places.

If you are among those Wi-Fi lovers, there’s bad news for you… your online privacy and security are at risk, as long as you rely on the weak to non-existent Wi-Fi security protocols at coffee shops.  This means that you could be exposed to various threats such as identity theft, which has over 15 million cases each year, data theft/breaches, and introducing malware to your business network and that of your customers/suppliers.  This list is not exhaustive.

Free or public Wi-Fi networks are hotspots for hackers and data snoopers who want to steal your private data or financial information. Needless to say, it is pretty easy for hackers to do that nowadays. You would be surprised at the number of ways hackers can compromise your device or your private information, and why you shouldn’t rely on Wi-Fi security at coffee shops, as they come with a lot of risk.

One of the favourites is the Man-In-The-Middle attack.  As the name suggests, it is a type of attack where the attacker intercepts a transmission between two parties by inserting themselves between your network connection and the server. This is quite easy to do with limited or no security on the Wi-Fi router.  The attacker can record the data for later viewing and even change or modify it.

MITM attacks are usually caused by exploiting vulnerabilities, through malware or malicious tools like “hotspot honeypot.”  An MITM attack is perhaps the most common type of Wi-Fi attack. In fact, a security survey of 500 CIOs and IT decision makers from 5 countries, conducted by iPass on Mobile Security, reveals that MITM poses the greatest threat to mobile security.

Another favourite is the network scanner.  The Internet is brimming with network scanning tools that are built to compromise networks or devices.  They work by:

  • Mapping the network to find all the devices that are connected to it
  • Retrieving details of the operating system and finding vulnerabilities like open ports
  • Using the open ports to try to connect directly to the device by any means necessary, such as password cracking

There is evidence to suggest that hotspot spoofing is the third greatest threat (after lack of encryption – almost never implemented in coffee shops) when it comes to mobile security.  Wi-Fi lovers wouldn’t think twice about what network they are connecting to, or whether the network is safe or not.

Hackers are well aware of the psychology of Wi-Fi users and they exploit it by creating spoofed hotspots.  These hotspots may have the label of the coffee shop, but in reality, they are fake networks created by hackers.  When you join a fake or malicious hotspot, the attacker can trick you into using your credentials on fake websites or to gain access to your company network. For instance, when you try to purchase something online using your credit card, the hacker might create a fake website and retrieve your credit card number.

With such details in the wrong hands, you might fall victim to threats like identity theft. The following could potentially happen:

  • The cybercriminal can use your national insurance number to get a job or apply for benefits
  • Take loans out in your name
  • Rent properties, even get a mortgage
  • Get access to your company network and install back doors, false identities, etc. to enable them to return time and again

Coffee shops are the most popular spots for people to sit and relax, drink coffee or eat their preferred food items. Perhaps their popularity is what makes them dangerous when it comes to mobile security.  When you rely too much on the Wi-Fi security at coffee shops, you fall into the traps that hackers have laid out for you.

Coffee shops may be considered as dangerous venues when it comes to your online security. However, it doesn’t necessarily need to be!  Security awareness amongst employees and individuals is of paramount importance, and there are a number of technical implementations that can be undertaken to allow for this practice to continue safely.

Ransomware and SMEs

REvil, Wizard Spider, Grief, Ragnar: they sound like they should be in a Marvel comic.  But there’s nothing funny about these guys.  Operating in countries that do not cooperate with international law agencies and not caring who they attack, including health care organisations, ransomware gangs are on the increase.

Ransom money in the millions has been paid by some very respectable companies, in order to recover access to their data and keep their companies going.  A quick trawl of the internet produces results that show how diverse ransomware targets are.  Whilst the largest target area appears to be the US, the UK targets have included Amey, Hackney Council, Wentworth Golf and Country Club, Scottish Environment Protection Agency, UK Research and Innovation and, last month, Serco (source: Blackfrog).  The way it works remains relatively the same, regardless of the method used.  Criminal gangs hack into connected IT systems, lock access to them, and then sell a decryption key in exchange for payment in bitcoin.  They have targeted schools, hospitals (you may remember the well reported attack on the NHS a couple of years ago), councils, airports, government bodies (local and central) and insurance companies; this list is far from exhaustive.

Anyone who is connected to the internet is vulnerable to a ransomware attack.  An emerging sweet spot, though, is mid-sized companies that generate enough revenue to make them a target, but aren’t yet large enough to have dedicated cybersecurity resources on board.

Make no mistake, these hackers operate as organised gangs who compartmentalise themselves into specialties.  Some specialise in identifying compromised systems and gaining access, whilst others handle the ransom negotiations.  It is not uncommon for an investigation to see cryptocurrency transferred into many different cyberwallets.  These gangs tend to have a ‘signature’ which is often recognisable.  REvil and Pysa have flair whilst Ryuk are somewhat robotic in their approach.

A worrying trend is that recently, these gangs have pivoted into extorting individuals.  If victims don’t pay, their data is dumped online, or sold on the dark web to the highest bidder, and of course, there is no way of ensuring that the data isn’t sold anyway, regardless of the victim paying up.

Of course, most people don’t have incriminating or embarrassing data on their private systems, but some do, particularly important people in the public eye for whom data release can be at least damaging, if not crippling.  According to a report from cybersecurity software firm Bitdefender, attacks increased by 485% in 2020 alone. “It’s taken off since Covid because we have more people working from home,” says Sophia, a crisis communications expert who specialises in advising companies who have been targeted by ransomware hackers. Poorly secured remote access logins are a common route in. “More of a digital environment leads to more points of entry for the attackers,” she says. “The last year and a half has been a whole new ballgame.”

So, if you are running a medium-sized business, or perhaps running a local organisation using your own home systems where you hold personal data belonging to others which you are obliged to protect under the DPA 2018/GDPR, then you are a target and you need to take some precautions against an attack of this nature.  If you want to know more please don’t hesitate to contact us for a chat.  We specialise in looking after SMEs and understand your challenges.

Risk Assessment – An Essential Element for all Businesses, large and small

I’ve talked a lot in the past about targeting your spend to ensure that your money goes on protecting what is really important to you, ensuring that the protections you have spent money on are in the right place, configured to protect what really needs protecting, are maintained correctly and are, of course, effective.  So how do you do that?  Do you just take a good guess at what is needed?  Of course not, but it’s still a valid question.  Did whoever built your network install a firewall?  Did they set up an effective anti-malware regime, i.e. one that is constantly updated using a process whereby users can’t stop it if it becomes inconvenient? That happens, believe me.  Is all of this necessary?  Almost certainly.

A lot of these questions can be relatively easily answered.  To start with you need to:

  • Determine the Data Assets (computers, mobiles, filing cabinets, whiteboards, servers, people etc – ie everywhere that data is held – hard or virtual copy or in someone’s head).
  • Run through each Data Asset (or group of them) against the Controls and Procedures in accordance with your security policies (if you haven’t got security policies then that’s a whole other discussion), to determine which should apply and how they are currently being applied. It’s very useful to use a standard such as ISO27001 for this, even if you have no intention of applying for certification.

But now comes the difficult part: assessing the risks and what controls would be adequate to remediate those risks, thus ensuring you are placing the right controls, be they procedural or technical, in the right places and not wasting time, money and effort putting in controls that aren’t actually needed, or are in the wrong place.

If you have a system to help you with this, then that really is the way to go.  Here at H2 we have partnered with Secure Business Data to enable us to use, and where appropriate to sell, 27K1 ISMS, a risk assessment tool that is specifically targeted at SMEs and is therefore very competitively priced. It can come with an annual or a monthly fee, whichever you prefer.  We have adopted this system for use with our Risk Assessment Service, which is carried out in three phases:

  • Phase 1 – H2 conducts an assessment reviewing your existing information security, data protection protocols, technical security controls, and processes and procedures to determine their effectiveness and appropriateness, using 27K1 ISMS.
  • Phase 2 – Working to your timescale and budget, H2 implements the findings from the risk assessment process carried out with 27K1 ISMS. This could include introducing simple changes to your processes, all the way through to implementing technical solutions that provide effective protection from threats.
  • Phase 3 – Education, ongoing security management, review and maintenance.

Consequences of a data breach

Despite a greater emphasis being placed on data security, data breaches are on the increase.  Whether through sophisticated social engineering techniques or more technical attacks, cybercriminals are trying every available tactic to profit from this sensitive information.

According to one report, within the first nine months of 2019, 5,183 breaches were reported, exposing over 7 billion compromised records. That is up 33.3% on the previous year, and the number of records exposed more than doubled (up over 100%).

In a recent study, more than half of the respondents (57%) said they do not have a Cyber Security policy in place, rising to more than two-thirds (71%) of medium-sized businesses (250 to 549 employees).  This is somewhat shocking considering the potential consequences, exposing companies to significant risk and placing them under the microscope with both customers and regulators.

This week we will publish one significant potential consequence of this each day, starting with:

Financial Loss

The financial impact of a data breach is one of the most hard-hitting consequences that organisations face.  It is estimated that the cost of a data breach has risen 12% over the past five years.  If the breach is the result of a ‘scam’ via phishing, for example, the loss may not even be noticed for some time, perhaps not until the next financial audit.

The hit can include compensating customers, responding to the incident, investigating the breach, investment into new security measures, legal fees, not to mention the eye-watering regulatory penalties that can be imposed for non-compliance with the DPA 2018 and GDPR.

Tomorrow we’ll take a look at reputational damage.

Reputational damage

The reputational damage resulting from a data breach can be devastating for a business. It is estimated that up to a third of customers in retail, finance and healthcare will stop doing business with organisations that have been breached. Additionally, the majority will tell others about their experience, and 33.5% will post on social media.

In today’s world of instant communication, organisations can become a national, even global, news story within a matter of hours of a breach being disclosed. This negative press, coupled with a loss in consumer trust, can cause irreparable damage to the breached company.

Consumers are all too aware of the value of their data and if organisations can’t demonstrate that they have taken all the necessary steps to protect this data, they will simply leave and go to a competitor that takes security more seriously.

Reputational damage does not go away and can impact an organisation’s ability to attract new customers, future investment and even new employees to the company.

Legal Action

Under the DPA 2018 and GDPR, organisations are legally bound to demonstrate that they have taken all the necessary steps to protect personal data. If this data is compromised, whether it’s intentional or not, individuals can seek legal action to claim compensation.

We recently posted a piece on a UK legal firm offering a no win, no fee service for anyone who suspects their data may have been compromised.  There has been a huge increase in claims in the UK as victims seek monetary compensation for the loss of their data.

Equifax’s 2017 data breach affected more than 145 million people worldwide and the company has paid out more than $700 million in compensation to affected US customers. Whilst this is at an extreme end, SMEs could find themselves risking compensation of around £5k per person whose data is compromised.  As a breach rarely affects only one individual, how many SMEs would be able to withstand such claims in the hundreds, followed by action by the ICO that could see a fine in six figures?

As the number of breaches continues to rise, we can expect to see more of these group cases being brought to court.

Operational Downtime

Business operations can be heavily disrupted in the aftermath of a data breach. Organisations will need to contain the breach and conduct a thorough investigation into how it occurred and what systems were accessed. Operations may need to be completely shut down until investigators get all the answers they need. This process can take days, depending on the severity of the breach. The knock-on effect on revenue can be substantial.

Loss of Sensitive Data

If a data breach has resulted in the loss of sensitive personal data, the consequences can be devastating. Personal data is any information that can be used to directly or indirectly identify an individual, whether held electronically or on paper. This will include everything from a name to an email address, IP address and images. It also includes sensitive personal data such as biometric data or genetic data which could be processed to identify an individual.

If a critical patient had their medical records deleted in a data breach it could have a serious effect on their medical treatment and ultimately their life. Biometric data is also extremely valuable to cybercriminals and worth a lot more than basic credit card information and email addresses. The fallout from breaches that expose this data can be disastrous and exceed any financial and reputational damage.

Regardless of how prepared your organisation is for a data breach, there is no room for complacency in today’s evolving threat landscape. You must have a coordinated security strategy in place that protects sensitive data, reduces threats and safeguards your brand’s reputation.

Cyber Security and the Small to Medium Enterprise

The National Cyber Security Centre (NCSC), a department of GCHQ Cheltenham, estimates that if you are an SME then you have around a 1 in 2 chance of experiencing a cyber security breach.  For the small business this could result in costs of around £1400; for the medium business, considerably more.  One has just been hit for around £30000, which I am sure you will agree can be extremely damaging to the bottom line of businesses operating under tight margins.  And of course, it’s not just financial penalties but the reputational damage should your customers’ data and assets be affected as well.

As we travel around and visit clients or potential clients, it is common to find that they have the view that adequate security is provided by technology.  They rely on their IT provider to provide the guidance they need, which tends to involve firewalls, anti-malware software and perhaps a backup regime.  All well and dandy.  A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’.

So what does he mean?

As he’s not here to ask I suggest that he’s saying that essentially the technology available can be an essential part of your protection but it has to be targeted in the right way, which not only means you have the right piece of kit doing the right thing, but that you are targeting your IT spend to support your business goals and give a maximum return on investment (ROI).  It should also be married to good policies and processes that are enforceable and auditable and fully understood by your work force.  To do this you have to understand exactly what your risks, vulnerabilities and threats are in order to ensure that your solution to those risks, vulnerabilities and threats, is targeted for maximum effect and ROI and that the technology is supporting the policies and processes, all of which is underpinned with good security awareness training.

What is the risk? How can you identify that risk and then mitigate it?  Taking risks is a part of business.  You assess risk every day when doing business.  Do you want to do this deal?  What happens if it doesn’t go as expected?  Do I want to take this person on?  Etc., etc.  Whether you formally undertake a risk assessment or assess that risk informally, you are working out what is appropriate to a level that is consistent with the risk your organisation is prepared to take. Failure to do that will almost certainly be damaging to your business, perhaps fatally so.

Within SMEs the difference between assessing day to day business risk and assessing risk to information assets is one of understanding.  What is an information asset?  Note the word ‘information’ rather than IT.  It is the information contained within the IT system that is the important asset, not the piece of hardware it is sitting on.  You understand your business risk, after all it is your business, but do you understand information risk?  Do you have a clear idea of what information assets you have and where they are?  Before you answer that, think it through.  Do you really know where all the data is?  OK, you know that you have a server or servers and that somewhere in those servers there is a bunch of data which runs your business.  How much of that data has been saved onto staff workstations when someone needed it to carry out some work?  How much has been copied off somewhere else for what was probably a very good reason at one point?  How well is your firewall functioning?  Can malware work its way onto the network because the firewall does not have Unified Threat Management (UTM) installed, and is it therefore probing the servers and workstations?  I could go on.

The first thing to understand is that these risks are owned by the board, and if you don’t have a formal board, then the management team.  That needs to be understood fully by those at the top.  That team needs to understand what level of risk is acceptable and agree what risks you are prepared to tolerate in order to achieve your business aims.   You need to ensure that supporting policies are produced, implemented, understood by employees and regularly reviewed and updated.  At H2 we tend to produce an information security and data protection handbook which can run into many pages.  Producing these policies is not as easy as it sounds.

You may also wish to look at some recognised standards by which you can regulate your risk management.  One such is the international standard for information security, ISO 27000 series but perhaps the most appropriate for SMEs is the Cyber Essentials Scheme which will help you demonstrate an appropriate level of information security and risk management within your company.

Once you have a risk management framework in place, owned from the top, then you can identify your information assets and assess the risk to your business should those assets be compromised in some way.  Then and only then can you adequately assess what processes and technologies you need to mitigate the risks identified for each asset thus targeting your spend for maximum effectiveness.
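The asset-by-asset assessment described here and in the Risk Assessment section above, as an added example that is not H2’s process or the 27K1 ISMS tool: a minimal risk register that lists the information assets (including the stray copies on workstations), scores each threat by likelihood x impact, credits only the controls actually in place where that asset lives, and reports the residual risks above the board’s agreed appetite. All assets, threats, control names, scores and the appetite figure are constructed illustrations.

```python
"""Added example, not H2's process or the 27K1 ISMS tool: a minimal risk register
that follows the steps on this page: list the information assets (including the
stray copies on workstations), score each threat by likelihood x impact, credit only
the controls actually in place where the asset lives, and report residual risks above
the board's agreed appetite.  All assets, threats, controls and scores are constructed."""
from dataclasses import dataclass

RISK_APPETITE = 8  # hypothetical board-agreed ceiling on the 1-25 scale

@dataclass
class Asset:
    name: str
    location: str  # where the data really lives, not just the "official" server
    impact: int    # 1-5: damage if confidentiality, integrity or availability is lost

@dataclass
class Threat:
    name: str
    likelihood: int    # 1-5 with no controls in place
    mitigated_by: set  # controls that each lower likelihood by one step

@dataclass
class RiskEntry:
    asset: str
    threat: str
    inherent: int
    residual: int
    missing_controls: list  # applicable controls not in place at that location

def residual_likelihood(threat: Threat, in_place: set) -> int:
    """Each applicable control actually in place drops likelihood by one, floor 1."""
    return max(1, threat.likelihood - len(threat.mitigated_by & in_place))

def assess(assets, threats, controls_by_location) -> list:
    """Score every asset/threat pair using the controls present at the asset's location."""
    entries = []
    for asset in assets:
        in_place = controls_by_location.get(asset.location, set())
        for t in threats:
            residual = residual_likelihood(t, in_place) * asset.impact
            entries.append(RiskEntry(asset.name, t.name, t.likelihood * asset.impact,
                                     residual, sorted(t.mitigated_by - in_place)))
    return entries

def above_appetite(entries, appetite: int = RISK_APPETITE) -> list:
    """Residual risks the board has not agreed to tolerate, worst first."""
    return sorted((e for e in entries if e.residual > appetite), key=lambda e: -e.residual)

def example_register() -> list:
    """Constructed SME: the server is well controlled, the sales laptop copy is not."""
    assets = [Asset("customer records (master)", "server", 5),
              Asset("customer records (copy for a mailshot)", "sales laptop", 5),
              Asset("marketing brochure", "sales laptop", 1)]
    threats = [Threat("ransomware", 4, {"patching", "anti-malware", "offline backup"}),
               Threat("phishing for credentials", 4, {"mfa", "awareness training"})]
    controls = {"server": {"patching", "anti-malware", "offline backup", "mfa"},
                "sales laptop": {"anti-malware"}}
    return above_appetite(assess(assets, threats, controls))
```

Calling example_register() returns the three residual risks above appetite, led by the laptop copy of the customer records exposed to phishing with neither MFA nor awareness training in place, which is exactly the stray copy that a server-only view of the estate would miss.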

Sadly that’s not the end.  User education is probably the most important element of all for an SME: ensuring that your staff are aware of the policies and why they exist.  Protect yourself against scams which, sadly, form the biggest danger to SMEs rather than hacks.  Scams can be very low tech or high tech using malware, but however they come in, your staff need to be aware of them.
