Proofpoint’s new 2020 “State of the Phish” report is a comprehensive look at global cybersecurity and phishing attacks. The cybersecurity company’s latest study reveals that over half of all organizations fell victim to at least one successful phishing attack in 2019.

The new report draws on data from nearly 50 million simulated phishing attacks run by Proofpoint, as well as survey responses from over 600 IT security professionals. It also assessed the cybersecurity knowledge of over 3,500 employees in the UK, France, Germany, Spain, the US, Australia and Japan.

As well as finding that 55% of companies had to remediate at least one successful attack, the study found that cybersecurity professionals are reporting an increase in social engineering attacks, according to an Infosecurity report on the study.

In addition, 88% of global organizations report spear phishing attacks and 86% report social media attacks. These figures indicate that no business is safe from the threat of cybercrime. A further 84% of organizations reported “smishing” attacks, which is phishing via SMS text message. Worryingly, 83% said they had also experienced voice phishing attacks, dubbed “vishing.”

A further figure of concern is that 81% of the companies included in the study had experienced problems caused by malicious USB drops.

– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series

The good news is that security awareness training works

Proofpoint also found in its research that empowering individuals and employees to identify and disarm phishing emails and cyberattacks works. As many as 78% of the companies surveyed for the study report that security awareness training activities led to quantifiable reductions in phishing attack vulnerability.

Joe Ferrara, senior vice president and general manager of security awareness training for Proofpoint, says, “effective security awareness training must focus on the issues and behaviors that matter most to an organization’s mission.” He adds:

“We recommend taking a people-centric approach to cybersecurity by blending organization-wide awareness training initiatives with targeted, threat-driven education. The goal is to empower users to recognize and report attacks.”

Not only did Proofpoint find that the volume of phishing attacks is on the increase, but the attacks are becoming more sophisticated. The study found there had been more than nine million suspected phishing emails received by end users in 2019. This is an increase of 67% on comparable data from 2018.

2019’s phishing emails were also more targeted and personalized, indicating a trend towards the use of social engineering in cyberattacks.

An awareness of social engineering attacks

Not only do all employees, whatever the size of their organization, need to be security aware, but they now need to understand that they are at risk of social engineering attacks too.

These phishing attacks often use targeted personal data to trick an email recipient into believing they are looking at a genuine email. They are much more difficult for the average individual to spot, and there are still many individuals and employees who will automatically trust an email which contains their personal details.

Social engineering attacks are fuelled both by cybercriminals doing their own research and by information obtained from data breaches, which can easily be bought on the dark net.

A recent survey by GetApp revealed that only 27% of companies are providing social engineering awareness training. GetApp says:

“That means nearly 75 percent of businesses could be leaving their employees to fend for themselves against masters of manipulation. Companies must train employees on how to recognise social engineering techniques that are designed to exploit human nature for access to sensitive company data.”

Worryingly, GetApp found that 8% of the employees in its survey had received no cybersecurity training at all.

Social engineering and comprehensive security awareness training

It’s been said before, but we really cannot reiterate it enough. Employees really are the last line of defence against phishing and cyberattacks. They are often also the first line of defence. Last year, in Proofpoint’s “Annual Human Factor Report,” the company’s vice president Kevin Epstein said:

“More than 99 percent of cyberattacks rely on human interaction to work—making individual users the last line of defense. To significantly reduce risk, organizations need a holistic people-centric cybersecurity approach that includes effective security awareness training and layered defenses that provide visibility into their most attacked users.”

Employees and individuals made aware of the nature and risks of phishing emails and social engineering attacks can be easily empowered to identify such ploys, ignore them, delete them, or report them. With security awareness training employees are far less likely to open a phishing email, click an unsavoury URL, open a malicious attachment, or fall for a scam call. They can protect both their own data and the information and network of the company they work for.

Any employee can receive a phishing email and, no matter how intelligent and professional they are, if they don’t know the most current tactics of cybercriminals then they are at risk of falling victim to its sender.

Sign up for a free demo and find out how we’re already helping organisations just like yours.

January 28 is Data Protection Day, an annual event created in 2006 by the Council of Europe. It commemorates the date on which the council’s data protection convention, “Convention 108”, was signed in 1981. This was the first legally binding international instrument for data protection. Signatories agreed to “ensure respect in their territory for the fundamental human rights of all individuals with regard to processing of personal data.”

Convention 108 was updated in 2018 and its Amending Protocol has been signed by nearly 40 countries. Its relevance has survived for over three decades because of its “technologically-neutral, principle-based approach.”

Data Protection Day continues to raise awareness of good data protection practices and to inform individuals about their data rights. The European Commission has issued a statement ahead of the day outlining its commitment to the importance of data protection rules. It says:

“Data is becoming increasingly important for our economy and for our daily lives. With the roll-out of 5G and uptake of the Artificial Intelligence and Internet of Things technologies, personal data will be in abundance and with potential uses we probably can’t imagine. While this offers amazing opportunities, some cases show that robust rules are needed to address clear risks for individuals and for our democracies. In Europe we know that strong data protection rules are not a luxury, but a necessity.”

Since the implementation of GDPR, 160,000 data breach notifications have been made to GDPR governing authorities.

Though GDPR and other initiatives are indeed raising awareness of, and improving, data protection, the cyber war to prevent data breaches, whether intentional or accidental, continues.

Let’s look at a few of this past week’s breaches and revelations…

SuperCasino, UK customers

An online casino website that serves UK gamblers has suffered a breach that was revealed on an affiliate forum, as per Calvin Ayre. A forum member posted an email that SuperCasino had sent to its customers that warns the website has “suffered a security incident and some of your data has been revealed to an unauthorized person.”

SuperCasino says the unauthorized person had access to customer names, usernames, email addresses, phone numbers and physical addresses but had not been able to access credit card information, passwords or document copies.

The website says it has taken “measures” to mitigate the breach, but has asked customers to reset their SuperCasino passwords, as well as passwords on other sites if they have used similar passwords. It has also warned customers to look out for fake emails asking them to change passwords, change payment methods or even transfer money.

The UPS Store, US locations

As per Bleeping Computer, 100 The UPS Store locations have been affected after a breach caused by a phishing email. Public Relations & Social Media Manager Jenny Robinson says:

“Email accounts at less than two percent of The UPS Store locations in the U.S. were victim of a phishing incident, which may have impacted some Personally Identifiable Information (PII) for a very small fraction of customers of The UPS Store.”

The breach affected the locations between September 29, 2019 and January 13, 2020 but has reportedly not affected point-of-sale transactions at the stores.

The information exposed is that contained in emails received from customers by the affected UPS email accounts. Robinson explains:

“The types of personal information involved varied by individual, but included information emailed to the affected The UPS Store locations, including things like government-issued identification, financial, and other information.”

The UPS incident has been detailed in a filing with the Vermont, US, attorney general including that, “an unauthorized person potentially had access to a limited number of local store email accounts.”

So far it appears the exposed data has not been misused, and an official statement by the company reveals:

“Immediately upon discovering this incident, The UPS Store, Inc. initiated an investigation to assess the incident’s scope, including engaging a third-party cybersecurity firm, and has taken steps to further strengthen and enhance the security of systems in The UPS Store, Inc. network, including updating administrative and technical safeguards.”

Affected customers have been provided with credit monitoring services.

30,000 medical cannabis users, US

vpnMentor researchers discovered an unsecured Amazon S3 bucket on December 24, 2019, which according to CISOMag exposed “sensitive” data relating to medical cannabis users and dispensaries in the US. The exposed database is reportedly owned by THSuite, a point-of-sale system used by medical cannabis dispensaries across the US.

THSuite fixed the breach on January 14, 2020 after being informed by vpnMentor. The data exposed includes identification, medical ID numbers, names, dates of birth, addresses and details on the amount and price of cannabis used.

H&M employees, Germany

As per Reuters, H&M has identified “unacceptable” data security breaches in its German operation and is reportedly cooperating with Germany’s data protection supervisors. A spokesperson for H&M says action has been taken and it is in discussions with “all colleagues,” adding, “since the incident is in legal examination … we cannot further comment on that at the moment.”

A German publication says Germany’s State Data Protection Commissioner, Johannes Caspar, is investigating H&M management for storing details on the personal lives of employees. Caspar is quoted as saying:

“The qualitative and quantitative extent of the employee data accessible to the entire management level of the company shows a comprehensive research of the employees, which is without comparison in recent years.”

A Comparitech security research team led by Bob Diachenko has discovered five Elasticsearch servers containing Microsoft customer service records easily accessible to anyone with a web browser.

Let’s take a look at this latest breach and why Elasticsearch software appears so often in online data exposure incidents.

On December 28 and 29, 2019, 250 million customer service and support records were left unprotected on the internet, without any password protection or authentication requirements. The records, as per Comparitech, are logs of conversations between Microsoft support agents and Microsoft customers. They cover a 14-year period between 2005 and December 2019.

The five servers each appeared to contain identical sets of the 250 million records. They were identified by Diachenko, who immediately contacted Microsoft. The researcher says:

“I immediately reported this to Microsoft and within 24 hours all servers were secured, I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve.”

Microsoft’s General Manager, Eric Doerr, has also commented:

“We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate.”

Over December 30 and 31, Microsoft secured the servers and the exposed data and both Diachenko and Microsoft continued the investigation and breach management process. It’s not known if any unauthorized parties accessed the data whilst it was exposed.

Diachenko revealed that much of the personally identifiable information, including email aliases, contact telephone numbers, and payment information, was redacted. But the records did contain plain-text data including email addresses, IP addresses, customer locations, and descriptions of customer service and support “claims and cases.” The exposed information also included the email addresses of Microsoft support agents, case numbers, resolutions and remarks, and even internal notes that were marked confidential.

Comparitech reporter and VPN expert Paul Bischoff writes:

“Even though most personally identifiable information was redacted from the records, the dangers of this exposure should not be underestimated. The data could be valuable to tech support scammers, in particular.”

Tech support scams, in which a scammer pretends to be a Microsoft support representative, occur frequently, usually without the scammer having any personal information about the potential victim. Armed with actual customer support information, these scams could be far more effective and lead to victims revealing sensitive information or allowing access to their devices. Bischoff warns:

“Microsoft customers and Windows users should be on the lookout for such scams via phone and email. Remember that Microsoft never proactively reaches out to users to solve their tech problems—users must approach Microsoft for help first.”

Microsoft also never asks for a password or requests users to install applications which allow access to a user’s desktop – like TeamViewer.

Why are Elasticsearch databases so often at the root of data exposures and breaches?

It may not have escaped your attention that there have been a number of high-profile data breaches and reports of unsecured information discovered on the internet in Elasticsearch databases or servers. Infosecurity writer Danny Bradbury questioned this trend in February 2019, speaking to Mike Paquette, security product director at Elasticsearch.

Firstly, Elasticsearch is open source software which allows users to index and search unstructured data. Bradbury describes Elasticsearch as a “massive bucket for all your enterprise information. It slurps up everything from emails to spreadsheets and social media posts, and then lets you search it. It is a valuable repository for all kinds of enterprise information.” Paquette says:

“Recent reports about sensitive data being exposed in Internet-facing Elasticsearch instances are not related to defects or vulnerabilities in Elastic-developed software.”

The Elasticsearch product director says the problem is a lack of understanding of Elasticsearch security and how the software works. He adds:

“Reports usually involve instances where individuals or organizations have actively configured their installations to allow unauthorized and authenticated users to access their data over the internet.”

Paquette explains that Elasticsearch tries to prevent unauthorised access to its databases by design. By default it binds only to local addresses, meaning, as per Bradbury, “if an administrator wants to communicate outside the local machine, it has to be configured to do so.”

Problems potentially arise if, for example, a user deploying Elasticsearch in the cloud chooses open internet access. Paquette warns that extra work needs to be done to secure Elasticsearch databases accessed and stored in the cloud. He adds that developers may relax controls on internet-facing development or testing systems for convenience, but then unwittingly neglect to change the configuration back when their work moves to production.

Bradbury also writes that the free version of Elasticsearch only includes its X-Pack security features during a trial. X-Pack includes role-based access control and encryption. But the author also points out that Elasticsearch databases can be protected without using the paid option. Bradbury writes:

“Even if you don’t use that paid option, though, there are still plenty of things you can do to stop your entire Elasticsearch database from showing up on the public Internet.”

Elasticsearch users should check their configuration settings

There is no indication yet as to the reason for Microsoft’s Elasticsearch data exposure. We don’t know how the company uses and secures Elasticsearch.

The lesson for our readers and clients here at The Defence Works is clear. Consider how many companies have seen “data breaches” and information exposed on Elasticsearch databases. If your company uses Elasticsearch software or similar, it’s time to conduct a full audit of your configurations to ensure that your company and customer data is fully protected.
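As a concrete version of the configuration audit recommended above, here is an added example written for this page (it is not code from The Defence Works, Elastic, Comparitech or any of the reports cited). It parses the flat “dotted.key: value” form of elasticsearch.yml and flags the combination that keeps appearing in these exposures: a node bound beyond the loopback interface while X-Pack security is disabled. The setting names are real Elasticsearch settings; the two configs and the function names are constructed, and treating an unset `xpack.security.enabled` as disabled is an assumption that matches the pre-8.0 default.

```python
"""Audit the flat form of elasticsearch.yml for node-exposing settings.

Added example for this page, not code from The Defence Works, Elastic or
any report cited above. Assumptions: the file uses the flat
"dotted.key: value" style, a '#' never appears inside a value, and an
unset xpack.security.enabled counts as disabled (the pre-8.0 default).
"""
from typing import Dict, List, Tuple

# Values of network.host that keep the node on the local machine only.
LOOPBACK = {"_local_", "127.0.0.1", "localhost", "::1"}
# Values that bind every interface, i.e. the open-internet case.
ANY_INTERFACE = {"_global_", "0.0.0.0", "::"}

Finding = Tuple[str, str]  # (severity, message)


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Read 'key: value' lines; comments and blank lines are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        if raw[:1].isspace() and raw.strip():
            raise ValueError("nested YAML is not supported: " + raw.strip())
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def host_list(value: str) -> List[str]:
    """Turn '_site_' or '["_local_", "_site_"]' into a list of host values."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [h.strip().strip("'\"") for h in value.split(",") if h.strip()]


def is_true(settings: Dict[str, str], key: str) -> bool:
    return settings.get(key, "false").strip().lower() == "true"


def audit(settings: Dict[str, str]) -> List[Finding]:
    """Flag the configuration the exposure reports keep describing."""
    findings: List[Finding] = []
    hosts = host_list(settings.get("network.host", "_local_"))
    exposed = [h for h in hosts if h not in LOOPBACK]
    if not exposed:
        return findings  # loopback only: the default Paquette describes
    scope = ("every interface" if any(h in ANY_INTERFACE for h in exposed)
             else "a non-loopback address")
    if not is_true(settings, "xpack.security.enabled"):
        findings.append(("critical",
            f"network.host={hosts} binds {scope} with xpack.security.enabled "
            "off: anyone who can reach the port can read and write every index"))
    elif not is_true(settings, "xpack.security.http.ssl.enabled"):
        findings.append(("warning",
            f"network.host={hosts} binds {scope} with authentication but no "
            "TLS on the HTTP API: credentials and documents cross the network in clear"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """'critical', 'warning' or 'ok' for a list of findings."""
    order = {"critical": 2, "warning": 1}
    return max(findings, key=lambda f: order[f[0]], default=("ok", ""))[0]


# Constructed sample: a dev node opened up "for convenience" and never closed.
WEAK_CONFIG = """\
cluster.name: dev-search
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false
"""

# Constructed sample: the same node locked down before it goes to production.
HARDENED_CONFIG = """\
cluster.name: dev-search
network.host: 10.0.1.15   # private address only; a firewall still fronts it
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(parse_flat_yaml(text))
        print(f"{name}: {worst_severity(findings)}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

A node that passes this check can still be reachable from the internet through the cloud provider’s network rules, so the audit belongs alongside a review of security groups and firewalls, not in place of it.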

It’s been another insightful week in cybersecurity and data breaches.

Law firm DLA Piper has found that, in the first eight months after GDPR was implemented in May 2018, there were an average of 247 data breach notifications per day, and that since then there have been an average of 278 notifications per day. As per ZDNet, over 160,000 data breach notifications have been made to GDPR governing authorities in the year and a half since GDPR came into force.

Ross McKean, partner at DLA Piper specialising in cyber and data protection says:

“GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12 per cent compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organisations.”

Fines resulting from GDPR compliance issues and data breaches are calculated to date at £97 million.

Action against sellers of information obtained from data breaches

The FBI, in collaboration with the UK’s National Crime Agency (NCA) and others, has taken down a website that sells access to stolen data. The FBI seized the domain WeLeakInfo[.]com after being granted a warrant by the District of Columbia, US. The website’s managers have not been apprehended.

As per Infosecurity Magazine, the website said it was for users who wanted to check if their information had been compromised but it provided a “useful resource” for cybercriminals looking to use breached data in phishing, social engineering, and other such attacks.

A Department of Justice statement said:

“The website had claimed to provide its users a search engine to review and obtain the personal information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records – including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts.”

And, says the statement, “The website sold subscriptions so that any user could access the results of these data breaches, with subscriptions providing unlimited searches and access during the subscription period.”

The FBI is reportedly seeking any information on the website’s owners or administrators.

Mitsubishi Electric have disclosed a major breach that occurred last year.

The company has published a statement on its website revealing a breach that happened on June 28, 2019, and that has been subject to an internal investigation.

Mitsubishi Electric, based in Tokyo, reportedly revealed the breach after stories were published in two local newspapers. The publications blame a group of cyber-spies linked to China.

In the breach, hackers may have stolen sensitive data from the company’s internal network. Mitsubishi agree that data was stolen but have denied that the information concerned its business partners and defence contracts.

The company is one of Japan’s largest defence and infrastructure companies and the breach is being treated with “utmost severity,” as per ZDNet.

Regus employee data exposed

The BBC reports that job performance details for over 900 employees at office-space provider Regus have been published online by accident. A staff performance review included workers being recorded showing researchers posing as clients around office space that was up for rent.

Information was then published on collaborative work platform Trello and a spreadsheet of staff names, addresses, and job performance information, was discovered by the Telegraph via Google.

The names and addresses of hundreds of researchers contracted by Regus parent company IWG were also breached. IWG says, “team members are aware they are recorded for training purposes and each recording is shared with the individual team member and their coach to help them become even more successful in their roles.” The company adds:

“We are extremely concerned to learn that an external third-party provider, who implemented the exercise, inadvertently published online the outcomes of an internal training and development exercise. As our primary concern we took immediate action and the external provider has now removed the content.”

John Kyrle High School and Sixth Form Centre, Ross-on-Wye, UK

The Hereford Times reports that West Mercia Police are investigating a cyber attack that has erased personal documents from computer systems at the Herefordshire secondary school.

Headteacher Nigel Griffiths believes the data has been deleted rather than stolen or shared and explained:

“We were unable to access servers within the school which are used to store lots of different types of personal data about staff and pupils.”

The breached data could include student records, exam data, special needs, and safeguarding information. Griffiths adds:

“The security issue which has arisen, further to initial investigations, is the system has been accessed without authorisation. Encryption has been applied which is currently preventing us from being able to access the server.”

The well-rated 800-pupil school has experienced “considerable disruption” from the attack and breach, and the headteacher says:

“It is clear that this security incident is criminal in nature and investigations are already underway to identify the perpetrator and minimise any ongoing risk.”

The UK Information Commissioner’s Office has reportedly been informed, as well as examination boards, Ofsted, and Herefordshire Council.

This year’s Allianz Risk Barometer 2020, from top global insurer Allianz Global Corporate & Specialty (AGCS), puts cyber incidents up two places from last year’s list as the greatest threat to businesses in 2020.

Cyber incidents now overtake “business interruption”, last year’s number one threat and the top threat for the previous seven years. It’s a category which includes riots, civil unrest, terrorism, natural disasters, and fires.

Cyber incidents are more damaging and expensive

The 9th annual Allianz risk survey saw its highest participation, over 2,700 experts from more than 100 countries. The participants included CEOs, risk managers, brokers and insurance agents. As per a press release for the report:

“Cyber incidents have become more damaging and expensive for companies – and often result in lawsuits and litigation after the event.”

Of the respondents, 39% indicated cybersecurity was their greatest business threat. The figure was 37% for business interruption.

“Awareness of cyber threats has grown rapidly in recent years, driven by companies increasing reliance on data and IT systems and a number of high-profile incidents.”

In the barometer seven years ago, cyber incidents were far lower on the risk list, in 15th place with just 6% of responses. Joachim Müller, AGCS CEO says:

“The Allianz Risk Barometer 2020 highlights that cyber risk and climate change are two significant challenges that companies need to watch closely in the new decade. Of course, there are many other damage and disruption scenarios to contend with, but if corporate boards and risk managers fail to address cyber and climate change risks, this will likely have a critical impact on their companies’ operational performance, financial results and reputation with key stakeholders. Preparing and planning for cyber and climate change risks is both a matter of competitive advantage and business resilience in the era of digitalization and global warming.”

Climate change achieved its highest position yet on the Allianz list, climbing to 7th place.

Not only was cybersecurity indicated as the biggest challenge companies are facing in 2020 globally, but it was in the top three risks for most countries including the UK, US, Austria, Belgium, France, Spain, Sweden and Switzerland.

Data breaches, ransomware, spoofing attacks and penalties from regulators

The report points to the threat of larger and more expensive data breaches and the rising number of ransomware and spoofing attacks, but also to the prospect of fines and litigation. Such fines come from the increasing amount of data privacy legislation globally, such as GDPR in the UK. Allianz puts the cost of a large data breach, of one million records or more, at an average of $42 million. This figure is up 8% year-on-year.

Marek Stanislawski, Deputy Global Head of Cyber for AGCS, says:

“Incidents are becoming more damaging, increasingly targeting large companies with sophisticated attacks and hefty extortion demands. Five years ago, a typical ransomware demand would have been in the tens of thousands of dollars. Now they can be in the millions.”

Human error and business loss can be mitigated by security awareness training

There is also a wider impact of cyber incidents: business interruption losses as a result of downtime or the unavailability of data, systems, or technology, whether the cause is a ransomware attack, a technical glitch, or a cyber-attack. Stanislawski adds:

“Many incidents are the results of human error and can be mitigated by staff awareness trainings which are not yet a routine practice across companies.”

At The Defence Works we understand both the growing cybersecurity threat and the need for security awareness which can prevent accidental breaches but also enable employees to identify attacks before they take hold in a corporate system.

Security awareness training works by addressing a number of areas that cause security vulnerabilities. It concentrates on major threats such as phishing and the importance of security hygiene. Security awareness teaches every employee about the danger of cyber incidents and how to incorporate a consciousness of cybersecurity into their every activity.

Another week, another list of data breaches to read and learn from.

This week Betanews ran a story citing Verizon’s yearly Data Breach Investigations Report of 2019, which discovered that over a third, 34%, of data breaches were the result of “insider threat actors.”

These insider threats could simply be unhappy employees, or, more sinisterly, employees selling data to make money, or even people who have secretly joined a company to steal information or cause damage.

Though the 34% figure seems high, and it’s worth seeing whether the trend continues into this year’s report, the threat is a real one. Data breaches do occur because of internal human threats. Companies can help to protect themselves against insider threats, however, by conducting more thorough background checks and, a popular solution today, implementing “zero trust” policies. This means that no one person or device is intrinsically trusted by a company to handle data, and that passwords and identity verification must be constantly checked.

Let’s look at this past week’s data breaches hitting the news and their causes where we have them.

P&N Bank, Australia

Australia’s P&N Bank has informed its customers of a data breach where personally identifiable information (PII) and sensitive account information was exposed. ZDNet reporting indicates the bank warned customers of an “information breach” which has occurred via its customer relationship management (CRM) platform. It says the information “appears to have been accessed as a result of online criminal activity.”

The entry point for the attack is believed to be a hosting company and the issue occurred whilst the bank was performing a server upgrade.

As well as personal, sensitive and financial information, account balances and “records of interactions” have been exposed. P&N Bank says, “upon becoming aware of the attack, we immediately shut down the source of the vulnerability.” It is also working with its regional police force and federal authorities to investigate the attack.

Columbus Metropolitan Library, Ohio, USA

A breach has been discovered affecting nearly one hundred library employees in Columbus, Ohio. It’s a particularly severe breach as it appears that cybercriminals gained access to personal information and then successfully managed to use it to open bank accounts.

The breach was revealed after one worker discovered a fake bank account in their name. The discovery led to more revelations from employees and the fraud is now being investigated. The library is looking into the cause of the breach with spokesperson Greg Dodd saying:

“We do take the safety and security of all of our staff very seriously. So we immediately filed a police report.”

The cybercrime appears to be sophisticated rather than opportunistic with the criminals depositing money gained from payday loans then withdrawing it via debit cards. The library is putting a plan of action in place for affected employees which includes fraud protection. The library has stressed that customers have not been affected.

SouthEast Eye Specialists Group, Tennessee, 13,000 patient records

In yet another healthcare industry breach, SouthEast Eye Specialists Group has this week notified 13,000 patients that their health information may have been exposed in a breach that occurred last year. Officials, as per reports by Becker’s Hospital Review, discovered that an employee’s email had been accessed by an unauthorized third party. The group secured the account and brought in computer forensic experts to investigate the breach.

Social Security numbers and treatment information may have been exposed but as yet there is no indication that patient information has been misused or even viewed. A news release says:

“While there is no indication that an unauthorized party accessed or viewed patient information or evidence of patient information being misused, SEES Group remains committed to protecting patients’ information and has taken steps to prevent a similar event from occurring in the future, including reviewing and revising its information security policies and procedures.”

LimeLeads, 49 million records

Just breaking is the news that 49 million user records from B2B contact data finding platform LimeLeads are available for sale on an underground hacking forum. The data includes names, email addresses and company details.

Reporting so far points to a failure to set up a password for an internal server, leaving anyone on the internet able to access the data. Bitglass CTO Anurag Kahol commented on the issue for Digital Journal, saying:

“Week after week, we witness companies leaving sensitive data vulnerable in the cloud due to simple mistakes and misconfigurations. In this particular case, a failure to password protect an internal server led to over 49 million user records being made available for sale on the dark web – exposed data included full names, emails, phone numbers, and other personally identifiable information.”

Kahol adds that those affected are now “vulnerable to fraud and phishing attacks for the foreseeable future,” and that:

“Unfortunately, cybercriminals can leverage tools that detect abusable misconfigurations within IT assets like Elasticsearch databases, making it easier and easier to find and exploit vulnerabilities.”

A glance through our previous data breach summaries will show this is not the first breach related to an Elasticsearch database.

Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.


Ken Xie, founder and CEO of multinational cybersecurity software company Fortinet, writing for the World Economic Forum (WEF), explains the challenges and potential solutions for cybersecurity leaders today.

Xie says business and society need to move to a scenario where cybersecurity is “built in to every product and system,” because cybersecurity can no longer be an “add-on.” To achieve this integration, cybersecurity leaders face a number of challenges.

Real-time threat information sharing is essential

Firstly, says Xie, the speed at which security professionals must address weaknesses and threats is fundamental to cybersecurity:

“Cybersecurity systems must keep up with the increasing speed and volume of internet traffic. Speed of reaction is vital as well. Too often, there are long lag times in addressing cybersecurity problems. Criminals can – and do – take advantage of this.”

To achieve this fast pace of response and stay ahead of cybercriminals requires the real-time sharing and visibility of threat information. In our digitally connected world, “cybersecurity and global security” are the same thing, says Xie.


Collaboration and security awareness can quickly deliver tangible results

Secondly, the CEO stresses the collaborative approach needed to effectively fight cyber threats. He says a “hive mind” would be the result, enabling rapid learning and expanded “competency and capacity.” Organisations and states must learn from each other or the “same attacks” will “take down countless entities.” He adds:

“Wide collaboration means including everyone in a broader conversation about cybersecurity.”

Thus “knowledge repositories” must be part of operational systems, and as well as collaborating to share threat intelligence data, we must also collaborate “on education.”

“The more we talk about the importance of cybersecurity and its fundamental role, and the more education is shared, the more we will educate and nurture the future generations of cybersecurity professionals we very much need.”

Xie cites Herjavec Group’s 2020 Official Annual Cybercrime Report and the prediction of Cybersecurity Ventures that cybercrime will have a global cost in excess of $6 trillion annually by 2021, up from $3 trillion in 2015.

He adds that experts and decision makers across public and private sectors must work together, and leaders should “make it clear” that collaboration is “time well-spent.”

The CEO believes that tangible results could be achieved quickly, especially given that 92% of malware reaches individuals via email, as per CSO Online.

“With the right awareness campaigns and policies, as well as diligence in practice, we could eliminate more than 90% of malware simply by teaching new skills that overcome ingrained behaviours.”

A common vision

Xie also believes that a common vision, even one “akin to NATO” with its fundamental principles, could lead to effectively anticipating the next threats from cybercriminals instead of reacting to them. He says:

“Cybersecurity education and training should be part of everyone’s educational development.”

Technology driven cybersecurity

As co-founder of Fortinet, now a multi-million-dollar cybersecurity technology company, of course Xie does not forget the importance of technology, noting that the world’s current infrastructure was not designed with cybersecurity in mind.

He says cybersecurity will require computing power, which infrastructure should have designed in, alongside an integrated, multi-layer cybersecurity system.

“An example of such a larger vision for cybersecurity where all parts of the network participate together is security-driven networking, which changes traditional assumptions of networking.”

This type of networking takes the risk of each traffic path into account and moves activity to the safest path. With 5G, centralized cybersecurity approaches are no longer tenable.

Product designers and developers must create with security in mind and update existing platforms. A perfect solution is unlikely, but an “integrated, optimized platform” will not “emerge at all unless we realize that it is needed.”

Xie concludes that “cybersecurity is a responsibility we all must take on,” and that:

“It is only once we have true integration, both across national and geographic borders, and also within our own businesses, that cybersecurity will achieve its full potential of creating a truly protected world.”

The Defence Works – our approach to security awareness and cybersecurity education

Xie makes important points. An effective global cybersecurity strategy must be an integration of both technology and knowledge, both sharing and security awareness.

Here at The Defence Works we focus on security awareness training, believing that every individual within a business must be empowered with cybersecurity knowledge. This comes from the top down, but it should encompass every single employee. In this way, phishing emails can be identified and safely dealt with, and threats can be spotted quickly, reported and actioned by security professionals. It will never be a perfect approach: cybercriminals evolve quickly, and human error will always occur. It is, however, a better approach, and combined with effective technological deployment and development it will be progress in the cybersecurity battle.

Your employees play a key role in helping to use technology safely, so why not help upskill them on the risks posed when using mobile devices? Sign up for a free demo of the world’s most interactive security awareness training.


Psychologist’s Study Suggests Cybersecurity Training Should be Linked to Personality

A Myers-Briggs chartered psychologist, John Hackston, studied over 500 employees, discovering that different personality types could be linked to certain cybersecurity behaviours.

The British Psychological Society (BPS) published an article titled “Businesses can improve cyber security by linking staff training to personality.” It describes Hackston’s findings which he is presenting at the BPS Division of Occupational Psychology annual conference in Stratford-upon-Avon, UK, on January 9.

Personality could define cybersecurity conscientiousness and diligence

Hackston quizzed 560 employees from around the world about their place of work and their experiences of cybersecurity; each respondent also completed a personality questionnaire. He analysed the results, discovering that personality types are connected to levels of behaviour relating to cybersecurity, for example how conscientious employees were in following cybersecurity rules or how diligent they were in keeping passwords and devices secure.


Introverts may be more careful with sensitive information

Introverts, as per the BPS article, are more likely than extraverts to concur that “no-one should put confidential business information in email, instant messenger (IM) or texts, as they may not be secure”. Employees who have an affinity with practical information and prefer to be organised are more likely to follow cybersecurity rules closely.

Hackston’s study also discovered that 64% of people believed they had been the subject of a cyber attack in the past twelve months, and as many as 15% believed they had experienced a cyber attack in the past seven days. Men were more likely than women to be candid and report experiencing a cyber attack. US employees were on average the highest performers for “conscientiously follows rules” when compared with other countries. Hackston says:

“With the rise of cyber security attacks, cyber-savvy employees are crucial in keeping information safe. It’s clear to be really secure one size does not fit all. Organisations would benefit if they considered the personality preferences of their staff when organising training.”

ESET and Myers-Briggs Cyberchology Report Finds Similar Results

Another study, published in August 2019 by ESET researchers and Myers-Briggs, “Cyberchology: The Human Factor,” discovered that different kinds of cyber security errors occur more frequently among employees with certain personality preferences.

It found extraverts tended “to be more vulnerable to manipulation, deceit, and persuasion from cybercriminals.” These social engineering attacks “are particularly effective against extraverted types,” who may be more susceptible to social overtures. One advantage extraverts have, though, is that they are attuned to outside communication and are faster to pick up external threats.

People with a preference for “sensing,” or observing and remembering details, are able to spot phishing attacks faster but sometimes take cyber risks. “Feeling” personality types, guided by personal values, and “judging” types, who are systematic and structured, “could be more likely to fall for social engineering attacks but are more rigorous in following cybersecurity policies.”

The full report by ESET and Myers-Briggs can be found here. It says:

“All personality types have different strengths and blindspots that can impact the outcome of a cybersecurity attack. Identifying where these lie and how they might correspond to your cyber security protocols is a great first step in building a coherent, integrative cyber security programme.”

An ESET survey found 42% of businesses are focusing on delivering compliance training as part of their cybersecurity strategy. But there is “often a lack of team coherence regarding cyber security, despite the fact that every team member in a modern business will have access to and be using vulnerable systems on a regular basis.” Cyber breaches, “could be avoided if a more integrative and business-wide approach to cyber security were adopted.”

Cybersecurity training and security awareness training doesn’t have to be boring or baffling

Whilst there is no magic wand to discover every vulnerability, protect against every attack, or be aware of every threat, being aware and prepared can help to identify attacks before they result in a breach and so prevent many breaches.

With The Defence Works our training is simple and interactive, providing insights and tools to spot and stop cybercrime. Our classic interactive courses are GCHQ certified and can dramatically improve employees’ awareness. We also have interactive episodes based on real life events to make security awareness training more relevant to daily lives. We have a suite of bite-sized, funny, and relatable comedy sketches to really drive home cybersecurity implications with humour instead of hours in a classroom.

When conducting security awareness training with The Defence Works you can focus on the content that works best for you and your team. We offer simulated phishing training where you can test employees with fake attacks, assess their responses, and allocate retraining if necessary. And, as nobody’s perfect, these phishing simulations are conducted in a supportive and empowering manner. If your employees are confident they can identify a potential cyber attack and report it, they will be far more likely to do so.

Want access to the world’s most interactive security awareness training? Sign up for a free demo and find out how we’re already helping organisations just like yours.


Heading rapidly into 2020 the data breach threat is not letting up.

2019 now appears to be the worst year ever for data security, a label not entirely unexpected as attack surfaces widen with new technology, cyber criminals evolve their tactics, and the simple human capacity for error perseveres.

Ponemon Institute’s 2019 Cost of a Data Breach Report now puts the average cost of a data breach at a record $3.92 million. As per HelpNetSecurity and Teramind, data breaches increased by 54% in the first half of 2019 and at least 4.1 billion records were exposed last year.

IT Governance puts the number of records breached in December 2019 alone at 627 million records. It reports that a total of 90 breaches and cyber attacks were revealed across the month.

Risk Based Security puts data breaches as having jumped 33% in 2019 compared to 2018 and says a total of 5,200 breaches exposed nearly eight billion records. ScoreSense says as many as 4 in 10 Americans have been affected by some kind of breach in the past year.

IBM declares malicious breaches, rather than human error, are still the most common cause of data exposure.

Let’s look at, and learn from, just some of the past few weeks’ data breaches.

LifeLabs, Canada, 15 million individuals affected

Canada’s largest lab testing company, LifeLabs Medical Laboratory Services, has been hit by a ransomware attack and it paid a ransom after the theft of 85,000 lab test results and potentially the data of 15 million customers.

As per The Globe and Mail, LifeLabs paid an “undisclosed sum” to retrieve the data and has engaged cybersecurity experts to assess the damage. So far, the experts have advised that customer risk is “low” and there has not yet been “any public disclosure of customer data.” The experts are monitoring the dark web and online locations where such stolen data often surfaces.

The stolen data may include names, addresses, email addresses, logins, passwords, and health card information which was stored on LifeLabs’ breached systems.


UK honours list recipients

As per The Guardian, 1,000 key figures and celebrities on this year’s UK honours list have had their home and work addresses inadvertently posted on a government website. The list includes more than twelve Ministry of Defence employees and senior counter-terrorism officers. It was published in a downloadable format and visible online for around an hour, according to the Cabinet Office.

Ex-head of the civil service, Sir Bob Kerslake, says:

“It is a serious and indeed extraordinary breach because this is a well-established process that has gone on in pretty much the same way for years, so I think an urgent investigation is certainly needed.”

It has been speculated that the list was posted through “human error.” Kerslake adds:

“Of course, it’s likely to be human error, as has been suggested, but we need to know how well staff were trained about the importance of maintaining security. Were they briefed on the potential consequences if this information was released?”

The incident has been reported to the Information Commissioner’s Office (ICO), and the Cabinet Office said it was contacting individuals to advise them on security concerns as well as to apologise. The ICO is the body which, under GDPR, decides whether fines are due for the breach.

Former work and pensions secretary Iain Duncan Smith says:

“Everybody knows virtually everything about me. It’s much more concerning for private citizens, like those who have been involved in policing or counter-terrorism or other such sensitive cases, to have their addresses published.”

Singapore Ministry of Defence Contractor ST Logistics, 2,400 records breached

According to The Straits Times, 2,400 Ministry of Defence (Mindef) and Singapore Armed Forces (SAF) staff may have been affected by a data breach which occurred after malware entered systems via a phishing email attack.

ST Logistics provides retail and equipping services for SAF and the data exposed may include names, numbers, email, and residential addresses.

Wawa, USA, customers of 850 stores since March 2019

The US convenience store chain has revealed it has discovered malware capable of exposing card numbers, expiration dates, and cardholder names. CEO Chris Gheysens says the breach affects “potentially all Wawa in-store payment terminals and fuel dispensers.” Any customer who used a debit or credit card at any of Wawa’s 850 locations since March may have been affected.

Wawa did not reveal to The Washington Post exactly how many customers it believes have been affected but did say it is not aware of any card fraud following the breach. Gheysens said in a statement and apology:

“I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident.”


Cybercrime costs an average of $13 million per organization, $2.9 million per minute, and cost a total of $1.5 trillion in 2018. Those are just a few of the cybercrime statistics that can be quantified; there is a greater impact besides, of disruption and unreported events, that is difficult to track. And, as we know, the threat of cybercrime is both growing and evolving.

Carolyn Crandall, chief deception officer and CMO of cybersecurity technology company Attivo Networks, outlines these statistics and the cost and impact of cybercrime in 2019 in her “Year in Review: Cybercrime” article at InfoSecurity Magazine.

Cybercrime costs by the numbers

It’s Ponemon’s Ninth Annual Cost of Cybercrime Study that puts the average cost of cybercrime to a business at $13 million, a figure that’s increased by $1.4 million in 2019.

RiskIQ says cybercrime costs the global economy $2.9 million every single minute, a total of $1.5 trillion for 2018.

Accenture analysts predict that between 2019 and 2023 $5.2 trillion in global value will be at risk from cyber-attacks.

(Accenture’s “Cost of Cybercrime” study, shared by the World Economic Forum, shows that “no industry is untouched.” The industries seeing the most impact from attacks are banking, utilities, software and the automotive industry. High-tech industries, energy and consumer goods sit in the middle for attack costs. And the impact of attacks on the travel and life sciences industries is growing the most. The report also notes that organizations have seen security breaches grow by 67% in the past five years.)

The Identity Theft Resource Center indicates data breaches are increasing. In 2018 there were 1244 breaches and 2019’s figures to date have already exceeded 1272.

In 2018, compared to 2017, the number of data breaches fell 23% but the number of records of consumer data exposed actually increased 126%.

Crandall also writes that each malware attack in 2018 cost an average of $2.6 million and many other types of attack caused at least $1 million in “information loss and business disruption.”

– Engage your staff with scenario-based security awareness training or “In-the-Moment” training

The threat of cybercrime will not diminish in 2020

The CMO says the following reasons mean there will be no slowdown in the threat of cybercrime:

  • Cybercrime’s economic benefits attract organized crime groups
  • Nation states have an interest in political interference and disruption
  • The anonymity of the internet means there are “limited prosecutions.”

Spending on information security products and services is expected to reach over $124 billion in 2019. Crandall outlines the problem:

“The dynamics for winning this battle are challenging, with the advantage generally tipped towards the adversary who carries the benefit of time, resources, the element of surprise and a commercialized marketplace for doing business. Shifting power, or as some would call ‘the home-field advantage,’ back to the defender will require new thinking.”

How businesses could react to improve cybersecurity

Crandall says good cybersecurity hygiene and employee training will need to be coupled with the following in 2020:

  • Early detection infrastructure
  • Security frameworks to assess efficiency and reliability
  • Use of the MITRE ATT&CK framework to assess how well attacks are addressed
  • Tracking of time taken to respond to and contain threats and to “restore operations.”
  • Consideration of how AI and machine learning can be used to understand threats and automate operations
  • The updating and testing of incident response plans for all attack scenarios
  • Study of prior attacks on industry peers and a “review how your organization would have fared” if it had been the victim of the same attack.
  • Consideration of how well security plans fare for dealing with insider and supplier threats as well as external threats
  • Checking of cyber insurance coverage to “understand its requirements and restrictions.”

Attivo specialises in deception technology, and Crandall adds that this “has been taking its place as a de facto detection security control based on its ability to slow down and derail attacks across all major attack vectors and attack surfaces.”

She also says that a cybersecurity skills gap adds to the challenge of cybercrime:

“The odds are inherently against our information security teams, who are expected to operate flawlessly with limited resources, while protecting over 26 billion devices, with over five million applications and the more than six billion connected people behind them.”

She also says we should “learn from the attacks that have come before” as well as seeking out technologies that aid the early detection of cyber-attacks.

Each week at The Defence Works we outline the previous week’s data breaches. Each and every one of the hundreds of data breaches that occur each year contains a lesson for other companies in how the breach occurred and how it was dealt with. Considering real-world attacks can help to improve security awareness and the identification of attack vectors, and aid in preventing new attacks from occurring.

Security awareness is vital in the fight against cybercrime. Technology is important but, as we learn from data breaches, cyber attackers can easily trick employees or take advantage of their unwitting mistakes.

Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.


GDPR Bites: Germany Fines 1&1 Telecommunications €9.55m

Germany’s data commissioner has issued one of the largest fines for GDPR violation yet to 1&1 Telecommunications for data privacy failings in its call centers.

The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has ruled that 1&1 failed to enforce Article 32 of GDPR which relates to having the appropriate technical and organizational measures to protect data privacy whilst processing personal data.

As per ZDNet, the BfDI discovered callers to the telecommunications company were able to discover personal information by providing a name and date of birth, an insufficient and easily bypassed safeguard to personal data protection.

The BfDI’s federal commissioner, Ulrich Kelber, says the action is a “clear sign” that GDPR will be effectively enforced in Germany, adding:

“The European General Data Protection Regulation gives us the opportunity to strongly sanction the inadequate security of personal data, we apply these powers in light of due consideration.”

The data commissioner did also praise 1&1 for being transparent and cooperating during the investigation. The company has now added an extra authentication step for calls received at its centers, though the BfDI says that despite the changes “the imposition of a fine was necessary.”

1&1 Telecommunications is Germany’s largest DSL and mobile services company and part of 1&1 Drillisch, which has 14 million customers.

On the same day as 1&1’s fine was issued, internet service provider Rapidata also received a €10,000 fine for failing to allocate a data-protection officer, a basic tenet of GDPR.


The largest GDPR fines to date

We are 18 months into GDPR legislation and the issued fines now total in the hundreds of millions. The biggest three fines to date, British Airways, Marriott Hotels, and Google, total €365 million. The top ten fines, as per Precise Security in November, totalled €402.6 million to that point.

British Airways – Fined €204.6 million for a data breach

Magecart Group were able to use card skimming tactics to collect personal and payment information of half a million British Airways customers.

Marriott International – Fined €110.3 million

A cyber incident exposed the data of 339 million of Marriott’s guest records affecting 30 million European country residents and 7 million UK residents.

Google – €50 million

Issued by French regulator CNIL for failing to provide enough information in its data consent policies and for not giving users enough control over the use of their information.

Austrian Post – €18 million

Alleged to have used customer data including ages and addresses to calculate the probability of which political party they might support and then selling the findings.

Deutsche Wohnen – €14.5 million

The Berlin Commissioner for Data Protection and Freedom of Information fined real estate company Deutsche Wohnen for not having a proper data retention schedule in place.

(And now 1&1 Telecommunications – €9.55 million)

Bulgarian National Revenue Agency – €2.6 million

Reports in August indicated the tax agency would appeal the fine after a cyber attack resulted in the country’s largest ever data breach. The owner of a cybersecurity company and two employees have been charged for the attack.

UWV – €900,000

The Dutch employee insurance service provider was fined for inadequately securing its employer’s portal. As the portal contained health data, it should have used multi-factor authentication.

– €645,000

The Polish retailer with nine websites was fined for failing to protect data collected from 2.2 million customers.

DSK Bank – €511,384

Part of Hungary’s OTP Group, the Bulgarian bank was fined for a data breach affecting 33,000 clients. Names, addresses, copies of ID cards, bank account details and property deed data were improperly disclosed and accessed by third parties.

Haga Hospital – €460,000

The hospital was fined for failing to secure medical log files and not having the appropriate controls to safeguard patient data.

In startling statistics shared by Precise Security, European data protection authorities have received more than 90,000 data breach notifications since May 2018. European companies must report any data incidents to their national data protection authority within 72 hours of the breach. Based on the nature and seriousness of the breach, data protection authorities can then investigate and impose fines which can total up to 4% of a company’s annual turnover.

In early November Germany’s data protection authority the German Datenschutzkonferenz (DSK) issued a new model for calculating fines for GDPR violations which meant that higher fines would be issued compared to its previous model of calculation.

Want access to the world’s most interactive security awareness training? Sign up for a free demo and find out how we’re already helping organisations just like yours.


Cybersecurity Initiatives: The EU’s CONCORDIA

CONCORDIA is Europe’s largest cybersecurity consortium, funded by the EU Commission’s Horizon 2020 research and innovation program. Amongst its aims, and those of three other EU cybersecurity initiatives it works with, are to pilot a European Cybersecurity Competence Network and create a common European Cybersecurity Research and Innovation Roadmap.

Accelerating cybersecurity research and collaboration for a more secure digital Europe

The consortium, which began in January 2019, is a collaboration across Europe to “accelerate cybersecurity research,” encourage cybersecurity collaboration between industry and academia, pool expertise, overcome industry fragmentation, and create a shared cybersecurity ecosystem and a more secure digital Europe.

It has 55 partners including universities and organizations from 19 countries. It began this year with 42 partners and is planned as a four-year cybersecurity project. Some of CONCORDIA’s other goals include closing the gender gap in the cybersecurity industry and quantifying cybersecurity’s value in order to communicate with stakeholders, decision makers, and cyber insurance companies. It is also working to raise cyber security awareness and increase cybersecurity competence; it liaises with other bodies and agencies, and can provide counselling and funding to cybersecurity startups.

The other three cybersecurity initiatives funded by the EU are ECHO, SPARTA, and Cybersecurity for Europe.

Collaboration and awareness are key to cybersecurity success

Cybersecurity collaboration and consortiums of this nature are vital to the fight against cybercrime, improving cybersecurity and preventing data breaches. Individual cybersecurity companies and those companies taking the brunt of cyberattacks can learn from every threat. Sharing threats and responses can mean every business is better protected and that cybersecurity technology is better for everyone. And, with the pace of digital transformation, the development of emerging technologies and the move to the cloud, attack surfaces get broader and threats become greater and more sophisticated daily.


Ericsson joins CONCORDIA and aims to confront new threats from 5G and IoT development

One particular threat on the agenda of CONCORDIA is the development of 5G networks and the resulting growth of IoT device deployment. A key collaborator, Ericsson, has shared this week why it has joined the consortium “which has a mission to establish an EU-integrated cybersecurity ecosystem for digital sovereignty in Europe.”

Ericsson joined CONCORDIA last year and is now “working proactively on many levels to maintain and develop the security and reliability of telecom networks.” With CONCORDIA and a number of mobile network operators Ericsson is developing a “telco threat intelligence platform” and pilot that uses artificial intelligence and machine learning for “detecting, sharing and exchanging threats in 5G networks, and enable intelligent processing of ML/AI threat information and privacy-preserving ML/AI.” Ericsson adds:

“This major pilot is being launched to address the cybersecurity questions that will inevitably arise – from both a political and technological perspective – as our society becomes increasingly digitalized and connected.”

5G and the development of wide-scale IoT usage are a very serious new cybersecurity threat. Ericsson writes:

“5G will enable massive deployment of IoT networks, potentially inviting large-scale attacks which naturally need to be prevented. Hence, one of Ericsson’s main interests in CONCORDIA is researching machine learning (ML)-assisted technical solutions for efficient prevention and detection of malware and botnets in mobile networks.”

In a 5G network, as in corporate networks, malware and botnets can “roam” so “real-time data including threat intelligence information needs to be shared between telco companies so others can take proactive measures against attacks.”

The telco collaboration will also investigate how to process Indicator of Compromise (IoC) data shared by Cyber Threat Intelligence (CTI) platforms, so that the information can be disseminated and deployed quickly to the right industry. Threats to telecommunications systems may be different from threats to banking systems, for example. The pilot also aims to support data privacy and reduce data breaches. Ericsson adds:

“The telco pilot also considers cases where service/content providers collect information in violation of privacy legislation like GDPR, e.g. without user consent. Information about such service/content providers could be rapidly propagated via CTI platforms so that consumers or privacy agents can take measures to prevent information from being leaked.”

Ericsson and its telco project partners have chosen to use the CTI platform MISP, which is financed by the EU, to develop their “European Threat Intelligence Pilot,” which will share telco threat intelligence. Similar pilots are planned for the financial and insurance sectors.
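The two steps the article describes, taking IoC data from a CTI platform and deploying only what is relevant to a given industry, can be illustrated with a small consumer for MISP-style events. The following is an added example, not code from Ericsson, CONCORDIA or the MISP project: the feed is a constructed JSON list in the general shape of MISP’s event export (an `Event` with `Attribute` and `Tag` lists), the `sector:<name>` tag is an assumed naming convention rather than a MISP taxonomy, and the log lines are made up. The TLP tags follow MISP’s real `tlp:` taxonomy. The consumer keeps only attributes flagged for detection (`to_ids`), only events tagged for its own sector, and only events whose TLP level it is allowed to act on, then checks local log lines against the selected indicators.

```python
"""Select sector-relevant IoCs from MISP-style CTI events and match them against logs.

Added illustration only: the feed, sector tag convention and log format are constructed.
"""
import json
import re
from typing import List, Set, Tuple

# Constructed feed in the general shape of a MISP JSON export (simplified; example data only).
SAMPLE_FEED = json.dumps([
    {"Event": {
        "info": "Constructed: botnet C2 observed from mobile core (example)",
        "Tag": [{"name": "tlp:green"}, {"name": "sector:telecom"}],  # sector tag is an assumption
        "Attribute": [
            {"type": "ip-dst", "value": "192.0.2.10", "to_ids": True},
            {"type": "domain", "value": "c2.example.invalid", "to_ids": True},
            {"type": "comment", "value": "analyst note, not an indicator", "to_ids": False},
        ]}},
    {"Event": {
        "info": "Constructed: banking trojan infrastructure (example)",
        "Tag": [{"name": "tlp:amber"}, {"name": "sector:finance"}],
        "Attribute": [
            {"type": "ip-dst", "value": "198.51.100.7", "to_ids": True},
        ]}},
    {"Event": {
        "info": "Constructed: restricted telecom case (example)",
        "Tag": [{"name": "tlp:red"}, {"name": "sector:telecom"}],
        "Attribute": [
            {"type": "ip-dst", "value": "203.0.113.5", "to_ids": True},
        ]}},
])

# Ordering of MISP's tlp taxonomy, most permissive first.
TLP_RANK = {"tlp:white": 0, "tlp:clear": 0, "tlp:green": 1,
            "tlp:amber": 2, "tlp:amber+strict": 2, "tlp:red": 3}


def event_tags(event: dict) -> Set[str]:
    """Tag names attached at event level."""
    return {t["name"] for t in event.get("Tag", [])}


def tlp_level(tags: Set[str]) -> int:
    """Effective TLP rank of an event; untagged events are treated as tlp:red (most restrictive)."""
    levels = [TLP_RANK[t] for t in tags if t in TLP_RANK]
    return max(levels) if levels else TLP_RANK["tlp:red"]


def select_iocs(feed_json: str, sector: str, max_tlp: str) -> List[Tuple[str, str]]:
    """Return (type, value) pairs that are flagged for detection (to_ids), tagged for
    the consumer's sector, and at or below the TLP level the consumer may act on."""
    selected = []
    for entry in json.loads(feed_json):
        event = entry["Event"]
        tags = event_tags(event)
        if f"sector:{sector}" not in tags:
            continue  # intelligence for another industry
        if tlp_level(tags) > TLP_RANK[max_tlp]:
            continue  # sharing restriction forbids automated deployment here
        for attr in event.get("Attribute", []):
            if attr.get("to_ids"):
                selected.append((attr["type"], attr["value"]))
    return selected


# Constructed log lines in a generic key=value format (assumption, not a real telco log schema).
SAMPLE_LOGS = [
    "2020-02-01T10:00:00Z flow src=10.0.0.5 dst=192.0.2.10 proto=tcp",
    "2020-02-01T10:00:02Z dns client=10.0.0.8 query=c2.example.invalid",
    "2020-02-01T10:00:05Z flow src=10.0.0.5 dst=198.51.100.7 proto=tcp",
    "2020-02-01T10:00:09Z flow src=10.0.0.9 dst=203.0.113.5 proto=udp",
]


def match_logs(iocs: List[Tuple[str, str]], log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Exact-token match of selected IoC values against log lines.
    Returns (line number, matched value, line) for each hit."""
    values = {value for _, value in iocs}
    hits = []
    for number, line in enumerate(log_lines, 1):
        for token in re.split(r"[\s=,]+", line):
            if token in values:
                hits.append((number, token, line))
    return hits


if __name__ == "__main__":
    telecom_iocs = select_iocs(SAMPLE_FEED, "telecom", "tlp:amber")
    for hit in match_logs(telecom_iocs, SAMPLE_LOGS):
        print(f"line {hit[0]}: matched {hit[1]}")
```

Run as a telecom consumer allowed up to tlp:amber, the selector drops the finance event, drops the tlp:red telecom event, and drops the non-indicator comment, so only the first two log lines match. Treating an untagged event as tlp:red is a deliberate fail-closed choice; a real deployment would also honour MISP’s attribute-level tags and distribution settings rather than event tags alone.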

Want to help secure your organisation? Sign up for a free demo and find out how we’re already helping organisations just like yours.
