You may have heard the news announcing that Proofpoint — a leading next-generation security and compliance company — has acquired our company. On May 6th, the acquisition officially closed and The Defence Works is now part of Proofpoint.

This is an exciting time for all of us at The Defence Works, as we know this merger of products and services will bring our customers industry-leading security awareness training innovation with the addition of advanced threat detection and intelligence. The blending of our two companies will give you access to the most accurate insights into your employees’ vulnerability to the real-world attacks and threats you are facing every day, as well as the education solutions you need to more effectively manage and reduce end-user risk.

On a personal note, it has been an honor to work with our employees to grow The Defence Works into a leader in the security awareness market. The market and threat landscape have transformed dramatically and we have worked diligently to stay attentive to our customers’ needs and raise the bar for end-user awareness and training. The recent release of our Interactive Episodes series “THIS CITY” is a great example or our ongoing commitment to delivering cybersecurity education tools that help organizations change employee behaviors and improve their overall security postures.  This decision-based, interactive security awareness training is based on recent real-life events, highlighting the risk to end users in an engaging and interactive format.

As we continue on this next leg of our journey, our goal is “business as usual” — that is, continuing to lead, innovate, and execute on our product vision, and provide the superior level of service The Defence Works customers have come to expect and enjoy.

We are very conscious that we would not be where we are without our customers. We thank you for trusting us to be your partner in security awareness and training, and we look forward to continuing to serve you in the years ahead.

Best of health,

 

 

 

Eddie Whittingham

Founder of The Defence Works

Share this:

This week, we’re featuring a guest post from Carrie Morgan at Contemsa about her recent experience with a HMRC scam call.

I consider myself a fairly tech-savvy person: I used to work for a technology company, I used to sell IT security products and my business now is all based online.

Yet, I’m still finding it harder and harder to distinguish between genuine emails or texts, and scams.

Identifying social engineering scams

Social engineering amongst scammers is becoming so sophisticated that more and more people will inevitably fall prey to it. In one year alone, 900,000 people received scam texts, emails or calls claiming to be from HMRC.

Recently, I received a call from HMRC, supposedly from their Debt Recovery Team. On the call, I could hear the usual background noises of a call centre, and the person talking to me sounded exactly like what I’d expect someone calling from HMRC to sound like: professional and knowledgeable. And that’s what scammers are playing on: they align their ‘performance’ to what we as the public are expecting to hear.

The victim of a scam call

We receive quite a few scam calls every week so we’re quite attuned to them, but this call was different. Everything lined up.

My partner took the call initially and was hesitant, but then decided that the call was legitimate when the caller appeared to have a number of pieces of information that lined up. On the face of it, it sounded like HMRC.

But something wasn’t right, so I asked to speak to them instead. I explained to the caller that we’d had quite a few scam calls recently, and that we didn’t want to share any more info so could we call them back.

This was the point that I first thought, ‘this sounds off’. When I asked if we could call them back, the person I was speaking to was very understanding (tick), and said I could go check out the website at hmrc.gov.uk (another tick) – well yes, that’s HMRC’s web address but any scammer could give you the address of an official company or organisation – it still doesn’t help me prove the identity of the person calling.

Then the caller said, ‘You could call us back, but you’ll likely be waiting for over 45 minutes as our lines are very busy.’ Now, I don’t know about you, but HMRC have never been concerned about how long I’ve had to wait on their phonelines.

So, let’s look at the evidence so far.

What made this call sound legitimate?

  • The call ‘sounded’ right – the background noise of the office environment.
  • The caller himself ‘sounded’ right – the tone, the professionalism, the information he was providing.
  • It was around the time that HMRC payments are due, so although we were up to date with everything, we were worried that there had been an issue so because it was at the right ‘time’ – it passed our mental scam check to some extent.
  • The caller was happy for us to go and ‘check the website’ and call them back – which made it sound legitimate as a scammer would surely tell us not to do this? Right – well no.

But what didn’t sound right about the call?

  • The caller tried to talk us out of waiting on hold for 45 minutes to get back through to them. HMRC are unlikely to do this.

 

The unravelling

It was at this point in the call that I queried a few things, and everything went sour.

I asked for more details to verify that this call was, in fact, from HMRC. The caller refused to speak to me as I wasn’t the ‘named’ person on their list. I put him on speakerphone so my partner could speak to him instead, and this was met with the caller saying that they had given us more than enough information to verify their identity, but that because of our unwillingness to cooperate, we were going to be landed with a penalty from HMRC!

These all sounded like big red flags, but a little voice in my head said, ‘What if it really is HMRC?’; ‘What if we are being uncooperative by asking for more information?’

I asked the caller for his name and details so that we could go away and contact HMRC ourselves and follow up. At this point, he hung up on us abruptly. Another big red flag.

Is it really a scam?

So, did we think it was a scam at this point? Well, we did to some extent, but we were still unsure. We were worried that maybe our accountant or one of us had missed something and that we were being difficult by not answering the caller’s questions – it was, after all, a new process that we weren’t familiar with, so all we could do was apply common sense as we had no experience about this particular process.

In the end though, it was a scam. We spoke to our accountants and verified that we had no outstanding HMRC bills.

But, I’ll admit, I was a little shook up from the experience. We didn’t lose anything, we didn’t give over any sensitive information and no money was exchanged. But I felt stupid. I’d not recognised that this was a scam, just that something felt slightly off.

If the call had have been from a foreign number, then I’d have automatically known it couldn’t be HMRC.

If it had sounded like the call was being made from someone’s bedroom with a dog barking in the background, I’d have known it couldn’t be HMRC.

And so on.

But the fact is, lots of things added up. It plays into confirmation bias because many of the existing beliefs I had about what a call from HMRC usually sounds like, fitted with this call.

And this is why scams are getting so incredibly hard to distinguish the good from the bad.

Protecting vulnerable people from cyber scams

I regularly give my mum pointers about avoiding social engineering calls, because she is the type of person who gets a call saying, “Hi, this is a call regarding your Lloyds bank account,” only to respond with: “No, that’s not right, I bank with Barclays!” And then with just that one sentence, you’ve given them a titbit of data to go away and use on the next call.

So next time, when she gets a call about her Barclays bank account, it will pass her inner gatekeeper and she might be tricked into giving even more identifying info out.

The point of this story is to highlight that even though I consider myself fairly well up on cyber scams and the psychology of social engineering, I was still played to some extent. By entertaining the call in the first place, we inadvertently gave over information that said, ‘Hey, we are people who do get calls from HMRC from time to time’.

My worry is that as email spoofing and social engineering gets ever more sophisticated, if I’m not picking up on some fairly obvious-looking scams, then what hope is there for protecting more vulnerable people who don’t know the signs to look out for.

What are organisations doing to protect their customers from scams?

Thankfully, companies and government organisations are now doing more to educate their customers and users about scams, whether that’s by running TV adverts warning customers not to hand over personal details, or by HMRC launching campaigns to educate the public about common scams.

But when one avenue closes and the public becomes more aware of a type of scam, criminals will look for other, more sophisticated ways to target people – so we all need to stay vigilant and double check whether we’re being stringent enough when assessing if a scam is real or whether we’re letting our confirmation bias lead us in the wrong direction.

Author Bio

Carrie Morgan

Carrie Morgan runs Contemsa, which creates professional B2B sales templates for sales leaders and organisations.

Share this:

At The Defence Works, it goes without saying that we’re 100% committed to helping support businesses through COVID-19.  That’s why, since the announcement of isolation, we’ve been busy beavering away to create a brand-new Working from Home course to help keep organisations secure throughout this difficult time.

Our new Working from Home course covers:

  • Some general COVID-19 guidance when working from home to help employees stay mentally fit and healthy;
  • The personal pros and security cons of working from home;
  • Ways to reduce the risks when working from home; and
  • … some interactive scenarios to aid your employees’ understanding.

working from home covid-19 security awareness training

It’s ready, now – and available free of charge for all current security awareness customers. If you’d like to know how security awareness training packages work, sign up for a free demo here.

We’ve taken the unusual step of also including a short animation to help users with some positive steps towards maintaining good mental health whilst working in isolation, as we recognise these are unprecedented times and this can be a really good medium through which to share this message with employees“.

As ever, please don’t hesitate to ask if you have any questions. I really hope you like our new Working from Home course, especially seen as it’s so important right now more than ever with cyber-criminals preying upon the pandemic.

From everyone here at The Defence Works, we all wish you and yours the very best of health.

Eddie Whittingham, Founder and MD at The Defence Works

Share this:

A new report by cyber security experts FireEye suggests that GDPR may have slashed the amount of time cyber attackers are able to access compromised networks in Europe before they are finally discovered.

FireEye believes the average time from the beginning of a cyber attack to when it is identified (during which attackers may continue to intrude on systems) has fallen substantially. The average attack duration was 177 days before discovery, last year. It is now 54 days, a 70% decrease of intrusion time. The average “dwell time” a cyber attacker was present in a breached system globally in 2011 was 416 days.

– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series

In its latest study, the FireEye Mandiant M-Trends 2020 Report, the cybersecurity company directly attributes this drop in attack and intrusion time to GDPR.

“In M-Trends 2019, we suggested that a steep rise in median dwell time was likely linked with organizations putting more emphasis on GDPR and increasing focus on security which may have revealed historic compromises.”

Now GDPR is into its second year, FireEye finds:

“Statistics are now generally in line with the global averages, which reflect the improving security posture of organizations and highlight the ongoing challenges organizations face from sophisticated threat actors.”

But the company goes on to warn, even through improvements have been made, “attackers still go undetected in target environments for far too long, remaining stealthy and harder to spot as they pursue their goals.”

To be in compliance with GDPR organisations must report a data breach to their relevant data protection authority within 72 hours of realising the incident. Failure to report within the timescale required or being non-compliant with GDPR when the breach is examined can lead to massive fines. As evidenced by the top fines issued across Europe since the implementation of GDPR.

David Grout, CTO for EMEA at FireEye, told ZDNet:

“GDPR pushed organisations to implement new policies, reviews and a new focus to get better at detection.”

Grout believes that GDPR helped to get cybersecurity attention at board level, and not just within IT teams, he says:

“The buzz around the topic leading up to the GDPR deadline helped to get it in front of senior execs outside of the IT team. Many of them saw the importance of GDPR compliance and they supported measures to improve defences and breach identification.”

The influence of GDPR is also felt world-wide, companies outside of Europe must comply if they do business inside of Europe, and other regions are looking to create equivalent legislation. FireEye also found the median dwell time globally has fallen from 78 days to 56 days.

Despite the averages, worryingly, FireEye found that one in ten of its investigations see cyber attacks that intrude on an organisations network for more than two years. Grout says:

“Some of them are being targeted by highly skilled APT [Advanced Persistent Threat] groups that are able to hide themselves for a long time after the initial breach.”

The report found one common vulnerability exploited by attackers (and one that can be easily fixed) is a failure to use multi-factor authentication (MFA) on corporate networks. Cyber attackers that are able to get their hands-on passwords are able to very simply breach major networks. Attackers are also still taking advantage of known vulnerabilities in software, because software doesn’t get patched with the latest software updates as soon as they are issued.

FireEye’s report concludes, however, with a more positive note:

“Many of the stats in M-Trends 2020 show that both the industry and organizations are getting better at cyber security.”

The research didn’t pinpoint a single reason why there has been improvement but:

“Perhaps more vendors and more awareness are leading to better visibility across the security spectrum. Or organizations are simply investing more in their cyber security programs.”

Here at The Defence Works, we certainly believe that GDPR helped to push cybersecurity and data breaches under the spotlight for businesses. And, not just for beleaguered IT departments. Business leaders and board level executives all became far more aware of the need for data protection and the penalties that could ensue if data isn’t protected. Employees handling data on a day to day basis also became much more aware of data security and protection.

Security awareness is certainly a key to cybersecurity. Many breaches do occur because attackers get through defences and discover software vulnerabilities. However, passwords can be gained because of human errors. And, still a substantial proportion of cyber attacks and breaches begin with a phishing email. Statistics coming out of data protection bodies, such as the Irish Data Protection Commission (DPC) point to as many as 83% of reported data breaches could be due to human error or lack of GDPR awareness.

Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.

Share this:

New statistics from Kaspersky point to over half of UK organisations not having a cybersecurity policy and as many as two-thirds of cybersecurity leaders admitting that their organisations are complacent about protecting customer data.

TechRound, and writer Daniel Tannenbaum, interviewed Kaspersky’s Principal Security Researcher, David Emm, to find out more about the cyber security company’s latest insights. The recent study finds 47% of UK company’s have experienced a cyber breach of some description in the last two years, but regular risk assessments are not so regular, at just once per year. Emm says:

“We seem to hear about a data breach every day and any successful breach has debilitating effects on an organisation including damage to reputation, loss of customers and huge financial implications.”

These breaches are reportedly costing an average of £3 million per incident.

– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series

Despite the findings Emm doesn’t appear convinced that regulation is the answer for UK firms, he says:

“The risk with adding more regulation is that it could become a box-ticking exercise and give a false sense of security, when actually every company is different and there is no one size that fits all in cybersecurity.”

The lead researcher believes that “guidelines and frameworks can be very useful.” He says the UK government’s Cyber Essentials Scheme has had a positive effect because of its framework of recommendations. In regard to data protection, he adds:

“Similarly, with GDPR, it has forced companies to think about the data they hold, the way that they collect it and the need to secure it.”

Emm also points to the issue of supply chain risk and that associated with third party vendors, as well as potentially at the risks of acquiring a business that could be technologically less mature. He says:

“When you have new partners in your business, you also need to ask, ‘well are you taking security seriously?”

Of course, the expert’s favourite line for us here at The Defence Works, where we advocate security awareness training, is:

“So, it’s about education.”

Before we tell you are little more about the benefits of security awareness training, Emm covers the lack of risk assessments within organisations in a little more detail. He says:

“Ideally you want to give staff training on data and cybersecurity – but the challenge is that executives have busy schedules and strict budgets and they find it much easier to buy a solution from Kaspersky or other vendors than invest in years of training. Products are tangible and that resonates well with large organisations who feel impelled to act.”

Adding, there is a case for “having staff on board who understand the risks; and whether it is sophisticated crime or opportunistic crime, the message needs to be reinforced about things like the danger of clicking on links and also what happens when you take your phone and laptop away with you and the potential risks that can manifest.”

Kaspersky also found that just 41% of businesses believe their organisation has “robust endpoint security.” The cybersecurity giant recommends that as well as six monthly cybersecurity assessments and investment in endpoint security solutions that fight the latest cyberthreats, that companies should:

“Organise frequent cybersecurity training for IT staff, so they are aware of the organisation’s policy and solutions.”

The benefits of cyber security awareness and training

Here at The Defence Works we believe that employees should be aware of an organisation’s policy and solutions towards cybersecurity threats. And, that security awareness should be an ingrained part of daily work lives. After all it’s human error and action, and phishing attacks arriving to individuals email addresses that result in many data breaches and successful cyber-attacks.

Security awareness training can make employees aware of common scams and of the threat and appearance of phishing emails, quite simply making them less likely to fall for such tricks.

And of course, as individuals become less vulnerable and more aware, using better passwords and avoiding obvious threats, a company’s vulnerability falls substantially.  There is less financial risk and risk to reputation, both of which can completely decimate a company to the point that it fails, quickly.

Security awareness has clear benefits for compliance, to GDPR for example, as employees learn the many different ways data breaches occur, they can more pro-actively ensure GDPR compliance.

Trained employees are happier. Rather than being fearful of cyber attackers and petrified of being responsible for a data breach, with security awareness training employees can be confident in their knowledge and skills. Employees that understand how threats can occur are empowered to watch for them and to deal with such threats effectively.

Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.

Share this:

83% of Data Breaches Caused by Human Error, Let’s Round-Up Last Weeks

A host of new statistics emerging as we progress through year two of GDPR are pointing to human error as being the overriding source of data breaches.

Firstly, the Irish Data Protection Commission (DPC) analysed data breach trends within its jurisdiction. It discovered that 83% of the data breaches reported to it under GDPR were classified as “unauthorised disclosure,” which included such scenarios as employees sending data to the wrong recipient, and accidental breaches of information through online customer portals and processing errors.

Then, in recent days, Infosecurity Magazine has reported on a CybSafe analysis of data from the UK Information Commissioners Office (ICO). CybSafe finds that 90% of data breaches in 2019 reported to the ICO under GDPR were caused by mistakes made by end-users. In 2017 and 2018, 61% and 87% of data breaches were due to human error. The trend points to a growing problem rather than a rescinding one.

CybSafe also found that the underlying cause of breaches, at 45% of all reports, was phishing attacks. Despite phishing attacks being initiated by cyber criminals and hackers, phishing emails only become truly dangerous if the links or files they contain are released onto systems and networks by unsuspecting recipients. Oz Alashe, CEO of CybSafe, says:

“It’s almost always human error that enables attackers to access encrypted channels and sensitive information. Staff can make a variety of mistakes that put their company’s data or systems at risk, often because they lack the knowledge or motivation to act securely, or simply because they accidentally slip up.”

Alashe says although employees are a risk to cybersecurity, this risk can be mitigated:

“Employees of course pose a certain level of cyber-risk to their employers, as seen in our findings thus far. Nevertheless, people also have an important role to play in helping to protect the companies they work for, and human cyber-risk can almost always be significantly reduced by encouraging changes in staff cyber-awareness, behavior and culture.”

– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series

Let’s take a look at some of the last week’s data breach revelations and see what we can learn from them to protect our own businesses from such incidents.

RideLondon, UK

Organisers of the RideLondon cycling event believe that up to 2,100 registered participants may have been affected by a data breach that has seen entrants receive other individual’s ballot results. The London & Surrey Cycling Partnership has apologised and the breach, as per the BBC, is being “urgently,” looked into.

The popular event usually has more applicants than places available for the ride, so a ballot system is used to select participants. The event is scheduled for August 16, 2020. The CEO of the London & Surrey Cycling Partnership, Nick Bitel, says his company is trying to establish “how many people have been affected,” but it believes it is “less than 3% of the total of more than 70,000 people who entered the ballot.” Bitel adds:

“We are working with our contractors to establish the full facts but it appears that the issue was caused by an error in the collation of the acceptance letter and the addressed envelope in the final stages of a mailing process which led to the people affected receiving the name, address and date of birth of one other person.”

The company has apologised and says it will be contacting those affected.

Altice USA Inc, 12,000 records

The provider of Optimum cable television and internet revealed in a February 5, notice that a breach occurred in November. The breach has been pinned to a phishing attack which resulted in a “unauthorized third party,” gaining access to the email account details of Altice employees. Around 12,000 current employees, some former employees and a small number of customers may have been affected as per Newsday reports.

Stolen email credentials were used to remotely access and download the contents of email mailboxes. Lisa Anselmo, a spokesperson for Altice, says:

“During our investigation, we learned in January 2020 that certain downloaded mailboxes contained password-protected reports that included personal information for current employees and some former employees.”

Anselmo says no personal financial information was breached. The company has offered identity and credit monitoring services, via Experian, to affected employees.

Fifth Third Bank, Cincinnati, US

Reports are indicating a breach that actually occurred during 2018. The Fifth Third Bank says employees passed stolen personal information outside of the company. These employees have now been dismissed. The breached information included social security numbers, addresses, and account numbers.

As per Local12 any customers who lost money because of the breach have been reimbursed and all affected customers have been provided with fraud alert services.

JustPark, UK

A new parking application, JustPark, has been subject to a data breach that may affect 4,500 individuals. JustPark has taken over the Department for Infrastructure’s parking application and it appears the information of business users was accidentally published on its website.

The breached information includes names and email addresses, mobile telephone numbers, car makes, and registrations for UK users. The information was discovered on the registration and payment section of the JustPark website and included the amount businesses had paid and their parking history.

Founder and CEO of JustPark, Anthony Eskinaziy, says it is an “isolated incident.” He has apologised for the exposure but denies a “major data breach,” as per the BBC. The CEO says the ICO has been informed.

Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.

Share this:

The Irish Data Protection Commission (DPC) has analysed the data breach trends within its oversight during the first year of GDPR. A massive 83% of reported breaches could be simple human error or lack of GDPR awareness.

As per Computer Business Review, the DPC’s findings appear to point to human fault instead of a lack of technology or cybersecurity to protect personal and sensitive data. 83% of reported breaches are classified as “unauthorised disclosure.” This means an organisation, or one of its employees, has sent personal or sensitive data to the wrong recipient in an SMS message or by email. And, it can include physical letters, as well as accidental breaches of information via online customer portals and through processing errors.

For the year following May 25, 2018 the Irish DPC received 5,818 data breach notifications. Around 4% didn’t in the end meet the definition of a “personal data breach,” and fall under GDPR.

Of the breaches, companies reporting loss of company or customer data, 13% were not reported within the 72-hour period required under GDPR. The DPC says:

“It is important that controllers understand that once they have been made aware of a personal data breach, a timetable is set in motion.”

Furthermore, only 7% of reported breaches were because of an attack by a hacker or cybercriminal. A figure far lower than many might expect.

As well as the 83% classified as “unauthorised disclosure,” and potentially due to human error, lost and stolen devices makeup 2% of the breaches. And, lost or stolen documents or papers are 5% of the total.

A data controller from one company reported seven incidents to the DPC of compromised email accounts. A “significant” amount of personal data may have been breached causing risk to the individuals concerned. In this case the recurrence of the breaches was because the data controller didn’t have the right technical and organisational measures in place to ensure data security.

The DPC also found that data breaches were spread across industries, saying it had received breach notifications from “within the public and private sector, including those notified by: the financial sector; the insurance sector; the telecommunications industry; the healthcare industry; and law enforcement.”

– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series

The Irish DPC is one of the busiest in Europe

A recent article from publication RTE, says across 2019 there were 6,716 data breaches reported to the DPC. The numbers have been crunched by DLA Piper which found Ireland has the second highest number of GDPR breach reports per capita in all of Europe. That makes the DPC one of the busiest in the EU. The highest number of GDPR breach reports per capita in 2019 is attributed to the Netherlands.

Ongoing investigations could result in GDPR fines issued by Ireland

RTE says the high figures for Ireland are likely because a number of large technology firms have bases there. This means that the Irish DPC has GDPR oversight on companies such as Google. So far, the DPC hasn’t issued any GDPR fines but it is investigating Facebook, Twitter, Apple, Whatsapp and Google. These investigations could lead to fines in the future.

Across Europe there have been 160,000 GDPR reportable breaches since May 2018. After Ireland, Denmark has the next highest number of breaches per capita. Italy, Romania and Greece have the fewest breaches per capita. So far GDPR has led to fines of €114 million.

If GDPR breaches are because of human error, then training is needed

We hate to blow our own trumpet at The Defence Works. But if 83% of GDPR breaches reported to the Irish GDPR are because of some form of human error, action, or inaction, then it is fair to say comparable statistics may be similar elsewhere in Europe and in the UK. If this is the case, then more GDPR training and data security awareness training is needed. Human-caused data protection and cybersecurity incidents are often preventable.

We make GDPR training fun and effective

GDPR employee training can help to prevent huge GDPR non-compliance fines. At The Defence Works we make our training engaging. We cut through clunky data protection wording and cut out dull delivery. Our aim is to make GDPR compliance, data protection and cybersecurity everyone’s responsibility, getting the message across in a light-hearted way. Our goal is to empower employees and give them confidence to understand, deal with, and protect, data privacy.

Want access to the world’s most interactive security awareness training? Sign up for a free demo and find out how we’re already helping organisations just like yours.

Share this:

UK Prime Minister Boris Johnson has revealed in a statement to the House of Commons that one of the early changes to UK policy could be developing independent data protection legislation.

As per Teiss reporting, it’s not apparent whether an independent data protection policy would change 2018’s Data Protection Act which aligns with GDPR. Prime Minister Johnson said:

“The UK will in future develop separate and independent policies in areas such as (but not limited to) the points-based immigration system, competition and subsidy policy, the environment, social policy, procurement, and data protection, maintaining high standards as we do so.”

– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series

No change for GDPR compliance until the end of 2020

Days before Prime Minister Johnson’s statement the Information Commissioner’s Office (ICO) confirmed that it is “business as usual for data protection,” until the Brexit transition period completes at the end of 2020. The ICO says:

“GDPR will continue to apply. Businesses and organisations that process personal data should continue to follow our existing guidance for advice on their data protection obligations. During the transition period, companies and organisations that offer goods or services to people in the EU do not need to appoint a European representative.”

The ICO’s role won’t change for now, but the organisation confirms there are unknowns for the future of data protection adding:

“The ICO will continue to act as the lead supervisory authority for businesses and organisations operating in the UK. It is not yet known what the data protection landscape will look like at the end of the transition period and we recognise that businesses and organisations will have concerns about the flow of personal data in future.”

Post-Brexit Data Protection

Cameron Abbot and Michelle Aggromito of international law firm K&L Gates explain some of the legalities of the future of GDPR and data protection, from their perspective, in an article at The National Law Review. They write:

“There will be little change during the transition (also known as “implementation”) period that is expected to end on 31 December 2020. During this period, EU law will continue to apply in the UK, including the EU General Data Protection Regulation (GDPR), after which the GDPR will be converted into UK law.”

They say that the UK will become a “third country,” just like the US, Canada or China, as far as GDPR is concerned. That is of course “assuming all goes to plan (which is almost impossible where Brexit is concerned).”

For data flowing in and out of the UK, the authors say:

“The UK Government has acknowledged that it will recognise all EEA countries under its own adequacy ruling and incorporate all existing EU adequacy decisions. This will allow organisations within the EU to continue facilitate data transfers from the UK to these countries.”

Adequacy refers to whether a “third country,” outside of GDPR is accepted as having adequate and equivalent data protection to the GDPR, and for the safe exchange or transmission of data between countries. The authors continue:

“GDPR restrictions will apply to personal data being transferred into the UK unless the EU establishes that the UK is an “adequate” country. This will require the European Commission to assess and approve the UK for adequacy. This is unlikely to get across the line by this time and so organisations should ensure that they have implemented appropriate safeguards for inbound data transfers, such as adopting the EU’s standard contractual clauses in its arrangements with EU based entities.”

Lastly in the article’s points:

“Organisations based in both the UK and the EU will need to update their privacy notices to reflect the change in status.”

The authors, in the text published on February 5, conclude:

“The UK Government has said that it plans to continue GDPR post the transition period and so organisations should maintain their compliance on that basis. However, if Brexit has taught us one thing, it’s that we can never be certain.”

UK companies should continue to work to GDPR, while thoroughly monitoring and investigating how Brexit will impact data protection laws over time and how they should operate, as well as taking expert or legal advice if necessary.

Globally, data protection legislation is developing and countries outside of the EU are proposing comparable laws to GDPR. Eventually, these emerging laws will hopefully complement each other and an international standard for data protection may emerge in the future.

Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.

Share this:

A recent Thales cyberthreat report revealed 10% of cyberattacks on power plants are likely led by organised cybercriminals and state-sponsored actors. And, it concluded that the power generation industry is one of the most at risk sectors. Now French multinational Thales has partnered with American owned GE Steam Power, confirming an agreement at the International Cybersecurity Forum held in France this week.

Thales and GE Steam Power will work together to deliver a suite of cybersecurity solutions to power plant operators. The collaboration will combine the cybersecurity knowledge of Thales with GE’s power industry expertise and hopes to deliver threat intelligence, joint training programs, and other cyber solutions.

– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series

As per Power Engineering International, GE has installed hardware and equipment at the National Digital Exploitation Centre (NDEC). The centre was created by Thales and the Welsh government for cyber development and education. The GE equipment will be used to demonstrate cyber-attacks and model response scenarios alongside Thales’ Cyber Range.

Thales released its “Cyberthreat Handbook,” last year. It was produced in collaboration with Verint and details cyberthreats to the power generation and other sectors, the major groups of hackers and cybercriminals, and the most commonly used attack vectors. Thales describes the comprehensive document as a “who’s who,” of cyber attackers. It was produced after a year of investigation, “100 days of detailed analysis,” and by eight full-time analysts with over 100 sources of data studying 490 attack campaigns globally.

Thales says the handbook is a, “report of unprecedented scope designed to provide a classification and basis for further investigation of major groups of cyberattackers, including cybercriminals, cyberterrorists, hacktivist groups and state-sponsored hackers.” It adds the purpose is, “to help organisations in the private and public sectors to better detect and anticipate future attacks.”

The analysts categorized cyber attackers into four groups:

“Out of approximately sixty major groups of attackers analysed, 49% are state-sponsored groups often aiming to steal sensitive data from targets of geopolitical interest. 26% are ideologically motivated hacktivists, closely followed by cybercriminals (20%) who are driven by financial gain. In fourth position, cyberterrorists account for 5% of the groups analysed.”

And, they summarise that the globe’s major powers, unsurprisingly, are the targets of cyberattackers. The US is at the top of the list, followed by Russia, and the European Union but especially the UK, France and Germany. The sectors most targeted by attackers were defence, the financial sector, and energy and transportation but Thales notes that attacks on the media and health industries are also growing and that:

“A growing number of groups of attackers are now focusing on vulnerabilities in the supply chain, and in particular on smaller partners, suppliers and service providers that are used as trojans to access major targets.”

Listed amongst the main attack methods are website defacement, DDoS, ransomware, trojan, wiper and backdoor attacks. The techniques used range from using scripting techniques to manipulate systems and run certain functions to changing data or code to make attacks harder to detect. As well as using “credential dumping,” i.e., obtaining or stealing authentication methods to gain access. And, lastly, “exploiting human weakness,” by fooling users in to running malware themselves by “clicking on a malicious link or attachment,” contained in a spear phishing campaign.

The Cyberthreat Handbook also analysed the typical “modus operandi,” of attackers, their process and progress through breached systems in order to achieve their goals. Along with running harmful malware, one end goal, per the report, appears to be the theft of data.

Thales and Verint say:

“It has become vital for power generation operators to get specific and regular training to understand what they are fighting and how to better protect their systems.”

The agreement between Thales and GE will see the two companies deliver joint training for power plant operators.

A need for understanding and security awareness

No matter the industry and intent, cyberattackers will seek out potential vulnerabilities. Often humans are the target as many unintentionally fall for phishing attacks containing malicious links and attachments which release harmful malware into corporate systems.

Proofpoint’s new 2020 “State of the Phish,” report takes a detailed look at global cybersecurity and phishing attacks. It conducted 50 million simulated phishing attacks and surveyed 600 IT professionals across sectors. It found that in 2019, over half of all organizations were victim to at least one successful phishing attack.

At The Defence Works we know that technology and systems are vital in the fight against cybercrime but we also believe that security awareness training for employees is also one of the best defences. Considering, of course, the prevalence of phishing attacks.

It’s not easy to train employees in cybersecurity, but that’s why we make our security awareness training quick, simple and fun. This makes it more memorable, more effective, and helps to protect your company better.

Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.

Share this:

After a seven-month study with participation from the National Cyber Security Centre (NCSC), academics and retailers, the UK government has proposed the development of new IoT security regulations.

The UK Department for Digital, Culture, Media and Sport released a draft proposal and consultation outcome this Monday titled, “Government response to the Regulatory proposals for consumer Internet of Things (IoT) security consultation.

Previously the UK has followed voluntary measures for IoT cybersecurity, however such devices are at high risk of attack and their security has been questioned. ThreatPost reports on US findings that 82% of connected medical devices had been targeted by cyberattackers in the past year, for example.

The report notes that the number of IoT devices in use is expected to be more than 75 billion by 2025. This massively widens the scope of attack for cybercriminals, especially if such devices aren’t as well protected as the business networks they are connected to. The consumer threat is also very real.

Matt Warman, the UK minister for Digital and Broadband at the Department for Digital, Culture, Media and Sport says the increasing number of IoT devices and the related security risks need an alternative to the current status quo. Warman outlines:

“Whilst the U.K. government has previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that strong cyber security is built into these products by design. Citizens’ privacy and safety must not be put at risk because some manufacturers will not take responsibility for ensuring that security is built into their products before they reach UK consumers.”

Warman warns that, “there is a risk that any compromised vulnerability within a device could result in real harm. Therefore urgent joint Government and industry action is required to address these challenges.”

He stresses that IoT products should be, “secure by design,” and that 90% of 331 manufacturers supplying the UK market with IoT devices assessed in 2018, “did not possess a comprehensive vulnerability disclosure programme up to the level we would expect.” He adds:

“Breaches involving connected devices are increasingly becoming common, simply because manufacturers had not built important security requirements, such as using unique credentials, into their products.”

The UK government department’s consultation on the regulation of IoT devices builds on the Code of Practice for Consumer IoT Security that was published in 2019. The department has also been working globally to “create international alignment on IoT security.” Warman’s team is advocating a “staged approach” to enforcing better IoT cybersecurity principles, “through regulation – starting with ensuring stronger security is built into products.”

Under the proposed laws IoT device manufacturers will need to ensure all devices have a unique password not able to be reset to a universal factory setting and provide a public support point for the reporting of vulnerabilities. Makers will also need to give guidance on when security updates for their IoT devices will be released. Warman says:

“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety,”

As per BankInfoSecurity, Brian Honan, the president of Dublin-based cybersecurity consultancy BH Consulting says:

“The rules do not cover all aspects of IoT security and indeed the U.K. government acknowledges this by stating the rules are no silver bullet. Hopefully, over time this will evolve.”

Honan suggests the UK government should also look to do more to secure the systems that IoT devices create.

Ken Munro, partner at Pen Test Partners, told ThreatPost that “there is clearly broad support for the proposed regulation of consumer smart devices, however without swift legislation this is just another meaningless consultation.” Munro adds:

“The government needs to act now to help protect us from smart device manufacturers who play fast and loose with our privacy, safety and security. I’m supportive of the government’s proposed legislation, so long as it is the first step on a path towards wide-ranging, robust regulation of the internet of things.”

As per the BBC, a spokesperson from the Department of Digital, Culture, Media and Sport was unable to confirm when the proposed legislation would be ready.

 

– Engage your staff with scenario-based security awareness training or “In-the-Moment” training.

The published consultation document says the next steps for developing legislation will be to “conduct further stakeholder engagement,” in order to develop, “regulatory options.” The continued work by the UK government department will lead to the publishing of a “final stage regulatory impact assessment later in 2020.”

Whilst any legislation is still at the consultancy stage, the cyber threat to IoT devices and the networks they connect to remains. For consumer cybersecurity much of the onus, at least initially, will be on the manufacturer. For organisations this is much different.

Though the ideal is for businesses to buy devices with better security built in, the reality is that any organisation has a responsibility for its own cybersecurity. Connecting an IoT device to a business network should be taken as seriously and more as connecting a new PC, installing new software, or moving files to the cloud.

Cybersecurity strategy and threat protection systems should encompass any device, IoT, mobile, POS or otherwise. And, employees who use such devices should be educated as to the risks they pose and the cyber attacks that can occur through these mediums.

Kaspersky, late last year, released a report that revealed the cybersecurity company had found 105 million attacks on IoT devices in the first half of 2019.

Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.

Share this:

Data Breaches Up 20% in 2019. Here’s a Round Up of Last Week’s.

The total data breach figures are coming in for 2019 and there is good and bad news.

Identity Theft Resource Center (ITRC), a non-profit, says the number of breaches rose by 17% from 1,257 in 2018 to 1,473 in 2019. This debunks 2018’s figures which showed the number of data breaches as falling from the previous year. ITRC president Eva Velasquez says:

“It would appear that 2018 was an anomaly in how many data breaches were reported and the number of records exposed. The 2019 reporting year sees a return to the pattern of the ever-increasing number of breaches and volume of records exposed.”

The ITRC study, sponsored by CyberScout, did however find the total number of records exposed in 2019 fell by 50% on the previous year. Notably, there appears to be a 65% reduction in the number of records containing “sensitive personally identifiable information,” which were exposed.  This latter figure is down from 471 million in 2018 to below 165 million in 2019.

Breaches of personally identifiable information (PII) can be more concerning as this data can include social security numbers, actual bank account details, driver’s license numbers, and other such credentials that cybercriminals can use to open accounts and impersonate individuals.

– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series

The ITRC also says:

“We also saw the rise of a significant new threat — data exposure from unsecured databases — and growth of an existing tactic known as credential stuffing where data thieves use seemingly innocuous information like stolen email addresses and logins to attempt to access various kinds of accounts. Third-party vendors also continued to be a source of data breaches through accidental release or supply chain cyberattacks.”

Here at The Defence Works we’ve covered these threats over recent weeks. Unsecured databases on cloud servers have been a common trend in the causes of many data breaches we’ve reported. Supply chain and vendor risk is a prominent theme in cybersecurity today, with organisations like Europol and the National Cyber Security Centre (NCSC) warning of the dangers.

MarketWatch reports the average cost of a data breach for a US company is now $8.2 million according to IBM and Ponemon Institute data. The average cost per lost record in the US is $242.

Without further ado, let’s see what we can learn from some of last week’s data breach revelations…

St Louis Community College, St Louis, US.

One of the latest education breaches, St Louis Community College may have seen thousands of records exposed after email-based attacks on staff. The “series” of attacks reported by KSDK, gave the cybercriminals access to data held in employee email accounts. The breached information may include names, student identification numbers, addresses and phone numbers for over 5,000 students as well as the social security numbers of 71 individuals.

St Louis Community College revealed the breach on Tuesday and says most affected accounts were secured within 24 hours and all of them within 72 hours.

Crew and Concierge Ltd, UK.

A Verdict investigation has discovered an exposed server containing 90,000 files belonging to international recruitment agency Crew and Concierge. The database appears to contain records of individuals registered with the recruiter and the personal data of over 17,000 individuals from around the globe who work in the yachting sector may have been breached. The records included CVs and resumes, names, addresses, and visa information, as well as over 1,000 passport copies.

Verdict says the database was left exposed on a “misconfigured unsecured Amazon Web Services (AWS) S3 bucket and appears to have been online and available for anyone to access without a password since February 2019.”

The bucket was reportedly secured within hours of the company being notified.

Sara Duncan, director of Crew and Concierge, in a statement to Verdict, says:

“We have been advised by the cybersecurity consultant that exploitation of S3 buckets is by no means a straightforward activity and that it appears likely that the individual or individuals responsible have developed advanced tools designed specifically to identify AWS customers and whether or not they have misconfigured instance that may leave it open to malicious attack.”

Duncan says Crew and Concierge had placed “confidence” in the developers it had hired, that the company takes “full responsibility as the data controller,” and, she adds:

“In the very short period, we have come to understand the true impact of a cyberattack, and we have learnt many valuable but hard lessons.”

The United Nations

Reports also emerged last week that the UN had experienced a data breach in July 2019 pinpointed to a flaw in Microsoft SharePoint. As per Threatpost hackers exploited a vulnerability and gained access to an estimated 400 GB of sensitive data. A document which revealed the attack was reportedly leaked by The New Humanitarian and it says that at least 42 UN servers in Geneva and Vienna were compromised. The data exposed may include information about UN staff and organizations that work with the UN.

Ben Parker, of The New Humanitarian, says:

“Although it is unclear what documents and data the hackers obtained in the 2019 incident, the report… implies that internal documents, databases, emails, commercial information and personal data may have been available to the intruders – sensitive data that could have far-reaching repercussions for staff, individuals and organisations communicating with and doing business with the U.N.”

Threatpost received a statement from the UN which read:

“Although hackers accessed a self-contained part of our system in July 2019, the development servers they accessed did not hold any sensitive data or confidential information. The hackers did manage to access our Active User Directory, which contains the user IDs for our staff and devices. However, they did not succeed in accessing passwords. Nor did they gain access to other parts of the system.”

Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.

Share this:

The US Federal Bureau of Investigation has warned consumers that e-skimming attacks, where online shopper credit card details are stolen, are on the rise.

Skimming devices have been a threat, predominantly to ATMs and point of sale (POS) terminals, for some years. The FBI says it has been monitoring e-skimming for seven years, as per CNBC. But, says Herb Stapleton, section chief for the FBI’s cyber division, e-skimming crimes are growing because cybercriminals are sharing their malware online as well as becoming more sophisticated. Stapleton explains attackers are evasive saying, “If we put up a wall, they’re building a ladder or a tunnel or a way to go around it.” The section chief, talking to CNBC, didn’t quantify the growth saying:

“It’s hard to put really — definite numbers around it. But one thing we know for sure is that millions of credit card numbers have been stolen, even over the course of the past two years.”

– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series

E-skimming, also known commonly known as Magecart attacks, involve a number of techniques. Cybercriminals can infect websites and POS devices with malware that steals personal and credit card information. They can also breach web servers or servers that support e-commerce websites. When a site has been compromised there is no visible difference for shoppers who continue with their purchases. Stapleton says:

“It’s nearly impossible for a consumer to detect that this has happened to them before the actual occurrence. The site that they would look at, which is already infected, would look no different to a consumer.”

CNBC cites big brand victims of e-skimming attacks as Macy’s, Puma’s Australian e-commerce site, Ticketmaster, and British Airways. We covered the resulting Macy’s data breach a few weeks ago. The retailer believes an attack used malicious code added to Macy’s checkout and “MyWallet” pages on their e-commerce website to gain access to shoppers’ personal information. During the same week Catch Restaurants in New York suffered a similar breach due to malware on their POS payment systems. Our weekly data breach roundups are full to the brim of similar incidents.

Randy Pargman, senior director for threat hunting and counterintelligence at Binary Defense in Ohio, US told CNBC it has many clients in the retail sector and that:

“Any retailer that has a significant online presence that accepts online orders is definitely concerned about e-skimming.”

How consumers can protect themselves whilst shopping online

CNBC says customers can do a number of things to protect themselves when shopping on the internet including:

Shopping with credit cards

Credit cards can sometimes give a little more protection and less inconvenience if a card is compromised. Credit cards may have lower liability for fraud, and it may take less time to get a fraudulent transaction resolved.

Consider virtual credit cards

Some banks and credit card issuers offer a virtual credit card facility. Virtual cards have a randomly generated card number that is linked to your actual card. They can be used for online transactions, charge your usual credit card account, and can have their own transaction and even expiry limits. Using a virtual card means that e-commerce websites aren’t given real card details, offering a little more protection if they are breached or a less credible site.

Regularly check bank and card transactions

Consumers should always regularly check their credit and debit card transactions and immediately notify a bank or card issuer of any unusual transactions. Though it can be a pain, considering the volume of card theft and misuse it’s a must for any online shopper.

A prudent warning for any business that takes payments online

In the Oregon FBI’s Tech Tuesday segment back in October the organisation warned “small and medium-sized businesses and government agencies that take credit card payments online,” that:

“E-skimming occurs when cyber criminals inject malicious code onto a website. The bad actor may have gained access via a phishing attack targeting your employees—or through a vulnerable third-party vendor attached to your company’s server.”

Once malware or malicious code is present on a website it can be used to transmit consumer credit card details to cybercriminals instantly. The information gained can be used by the hackers or sold on the dark web to other cybercriminals and bad actors. The FBI says businesses and organizations should:

  • “Update and patch all systems with the latest security software. Anti-virus and anti-malware need to be up-to-date and firewalls strong.
  • Change default login credentials on all systems.
  • Educate employees about safe cyber practices. Most importantly, do not click on links or unexpected attachments in messages.
  • Segregate and segment network systems to limit how easily cyber criminals can move from one to another.”

Bleeping Computer reported on a RiskIQ study, in October 2019, that found since the first discovery of a Magecart threat in August, 2010, there could have been over two million Magecart attacks. In a single automated attack by cybercriminals more than 960 stores were breached, at the same time.

RiskIQ warns that attackers often target Magento and OpenCart website software users, looking for vulnerabilities in these platform builds and retreating when patches and updates are issued. It warns that attackers use malicious adverts, and that 17% of these could distribute the Magecart threat. And, malicious code survives undetected on an e-commerce website for an average of 22 days.

Want access to the world’s most interactive security awareness training? Sign up for a free demo and find out how we’re already helping organisations just like yours.

Share this: