Capgemini Research published in September 2019, revealed that less than 30% of businesses achieved GDPR compliance. This would mean there are many companies still developing their data privacy and data security in order to become GDPR compliant. And, those who achieved compliance must also sustain their new standards.

Security Boulevard shared an article recently published by Vigilant Software which points to the differences between data privacy and data security, the two elements need different processes and skills, but combined they can help towards achieving GDPR compliance. The article’s author Julia Dutton says:

GDPR compliance = data privacy + data security management

Data privacy covers the protection of personal information. Information such as names, email addresses, medical information and so on – in fact, anything through which a person can be identified (whether by itself or if combined with other types of data). Data security is more about how companies protect data confidentiality, data integrity, and its availability. The two aspects are separate but need to be managed together.

A quick look at GDPR Article 32

GDPR’s Article 32 requires that data holders and collectors deploy the right technical measures as well as policies, procedures, and processes. The level of data security must be appropriate to the level of risk at the company processing personal data. Anyone within an organisation with access to personal data must work be in compliance with GDPR – it’s a responsibility that spans the entire organisation, right the way through to the individual and their own responsibility.

What this means is that companies must choose their digital systems wisely as well as the processes employees follow when collecting and using personal information. And, employees should understand GDPR and the importance of following the compliant processes set in place.

Here at The Defence Works we deliver GDPR training that can help drive users awareness, reducing the impact of a data breach and, ultimately prevent companies facing huge fines – and we keep it engaging via quick-fire sessions that your employees will find useful (no jargon, we promise!).

Imperva, in its coverage of Article 32, says data security measures should at least:

  • Encrypt or anonymise personal data
  • Maintain confidentiality, integrity, availability, access, and the resilience of data processing systems
  • Be able to restore the availability of access to personal data in the event of a security breach
  • Test and evaluate the effectiveness of systems and procedures

Technical measures, like software and tools must be evaluated against whether they are “state of the art,” their processing and risk profiles, and their costs. Remember, there is no silver bullet to GDPR compliance.

Organisational strategies for achieving data privacy and methods of compliance, according to Imperva, should include change management, data discovery and classification, loss prevention, data masking and protection, privileged user monitoring, rights management, user tracking, and data access auditing. As well as “ethical walls” separating business groups which need differing levels of access and VIP data privacy for more sensitive data.

Maintaining compliance once GDPR is achieved

A GDPR checklist to help maintain compliance, by Programming Insider, tells companies to ensure they consistently:

  • Monitor who has access to data and what data is being stored
  • Allow consumers access to their data if its requested
  • Identify, categorize, and catalog all data elements stored and from every source
  • Define what data is, document all procedures and make sure they are shared across every part of a business
  • Govern procedural compliance and who has access to personal data and how much access they have
  • Protect data using appropriate encryption and anonymity
  • Inform consumers how data is protected
  • Delete data that is no longer required
  • Audit data centres and data storage silos

It’s of course vital that companies, or their nominated data personnel, familiarise themselves with the complete GDPR and ensure it is interpreted into relevant business processes, then implemented in absolutely every part of an operation.

For many companies’ data privacy and GDPR compliance is equivalent to a full-time role or more. For other companies it may mean hiring specialists or training internal personal or teams. But there is plenty of expert third-party help available. It comes with a cost but fines for non-compliance with GDPR are steep. British Airways and Marriott Hotels are two firms that have already discovered the pain point of a lack of GDPR compliance.

GDPR has costs and benefits

The need for data privacy and data security to achieve GDPR not only ensures compliance. After all, GDPR is designed to protect data and prevent data breaches. To a business the cost of a data breach is massive monetarily and for its future success.

A data breach for a small business costs on average $200,000 and 60% will go out of business within six months of a breach. That’s without fines for non-compliance with GDPR.

In contrast, the benefits of GDPR compliance are big and they don’t just extend to data privacy and security protection. Capgemini’s survey found that of those who are continuing to work hard towards GDPR compliance, 81% reported that GDPR had a “positive impact” on their reputation and brand image.

After all, we owe it to each other to look after our data in a more pro-active, professional way.

Want to engage your employees around the issues of data security and integrity?  Sign up for a free demo of our GCHQ-certified GDPR Awareness training, today.

Share this:

In a worldwide study using honeypots to attract cyberattackers, Kaspersky finds that attacks on internet of things (IoT) devices have risen dramatically since 2018.

Kaspersky has just released its “IoT: A Malware Story” report which says the multinational security company found 105 million attacks on IoT devices coming from 276,000 different IP addresses in the first half of 2019. This is nine times greater than the first six months of 2018. In 2018, in total, there were 12 million attacks on IoT devices. These devices can be anything connected to the internet, like routers, smart systems, cameras and even cutting-edge manufacturing machinery, making the threat to them one that can affact both consumers and businesses.

Attackers capitalize on IoT devices weak security

The report’s press release says cyberattacks on IoT devices are “booming,” and that:

“As more and more people and organizations are purchasing network-connected smart devices, such as routers or DVR security cameras, without recognizing the security risks. Cybercriminals are intensifying their attempts to create and monetize IoT botnets, capitalizing on the devices’ weak security.”

An earlier report, on September 14, by F-Secure warns that cyberattacks on IoT devices, according to Forbes, are “accelerating at an unprecedented rate.” F-Secure’s report, “Attack Landscape H1 2019” declares a three-times increase on this type of attack up to 2.9 billion events. F-Secure also uses honeypots and says it’s the first time that honeypot attacks have “hit the billion mark.”

What are honeypots?

Honeypots are a cybersecurity tool and decoy which mimic attack targets and attract cyberattackers. They can be used to either detect or deflect attacks, and gain valuable information as to how cybercriminals operate. With increasing sophistication of attack vectors tactics like honeypots are vital for cybersecurity professionals to keep ahead of criminals.

Research by Norton parent, Symantec, in 2015, using honeypots, allowed it to pinpoint the geographic location of attacking IP addresses. Not just that, the research found that some of the first passwords attackers tried in order to access IoT systems were “admin” and “123456.” A revelation that proves that cyberattackers still expect businesses and consumers to be using such simple passwords.

Attackers guess IoT device passwords

One Kaspersky security researcher, Dan Demeter, says:

“Judging by the enlarged number of attacks and criminals’ persistence, we can say that IoT is a fruitful area for attackers that use even the most primitive methods, like guessing password and login combinations. It’s quite easy to change the default password, so we urge everyone to take this simple step toward securing your smart devices.”

According to a Verizon Data Breach Investigations Report in 2018, reported by Trace Security, 81% of company data breaches were due to poor passwords. And, that 70% of employees reuse passwords at work. PixelPrivacy says that Millennials aged 18-31 are the worst for poor passwords with 87% admitting they reuse passwords even though they know not to.

20,000 infections every 15 minutes to just 50 honeypots

Kaspersky’s latest IoT cybersecurity study, reported by TechRepublic on October 15, used 50 honeypots that simulated web servers and real devices. Some were discovered and revealed by cyberattackers, but over the course of a year the honeypots tracked 20,000 infections every quarter of an hours.

The attack vectors included Mirai, a type of malware family that targets weak IoT devices to use in large-scale DDoS attacks. It was Mirai that was used in 2016 resulting in the largest internet failure in US history.

Kaspersky says 30% of the attacks originated in China, 19% in Brazil and 12% from Egypt. In 2018 more IoT attacks came from Brazil at 28%, then China generating 14% of attacks, and Japan at 11%. It’s worth noting that these geographic observations may be based on IP addresses rather than the location or nationality of the actual attacker.

Breached IoT devices can be used in further cyberattacks, to release malware, and to otherwise attack the networks they are connected to.

Cybersecurity protection for IoT devices

In the report, Kaspersky’s makes a number of recommendations including:

  • Keeping on top of update installs as this is how vulnerabilities are fixed by IoT makers
  • Change preinstalled passwords and use complicated passwords
  • If a device acts strangely, reboot it, but this won’t prevent future attacks
  • Restrict IoT devices to a local VPN or internet provider rather than risking public exposure

And for businesses:

  • Using threat data feeds to block network connections coming from known malicious networks
  • Ensuring all software is up to date and putting unpatched devices on a separate network where they cannot be accessed by unauthorised users.

Cyberattacks on IoT devices are a further example of where emerging technologies are creating news sources of risk for businesses and consumers and new opportunities for attackers. Artificial intelligence (AI) is also creating new threats to organisations and even drones could be used to breach a business physically or digitally.

Share this:

If you have yet to see a cybercrime statistic that convinces you that cybersecurity needs to be more than the domain of the IT department or cybersecurity contractor, here are a few to consider.

  • Juniper research puts the cost of cybercrime for 2019 at $2 trillion
  • So far this year 10 billion records may have been subject to data breaches
  • Spending on cybersecurity is estimated to reach $10 billion by 2027
  • Cybint says 60% of companies have experienced cyber attacks
  • 65% of security professionals expect to be dealing with a major breach in the next 12 months
  • The average cost to recover from a cyberattack for a company with over $1 billion in revenue is $4.6 million up from $3 million in 2018
  • Half of cyberattacks are targeted at small businesses but many invest less than $500 in cyber security
  • A cyberattack on a small business costs $200,000 on average and 60% go out of business within six months of an incident
  • And, according to the 2019 Official Annual Cybercrime Report (ACR) a business will fall victim to a ransomware attach every 14 seconds

Increasing sophistication of attack vectors adds to risk

Some of these eye-opening statistics and more were published by CPO Magazine, others by TechBeacon and CNBC. Europol just released its latest report where it says cybercrime is getting bolder and increasingly focused on businesses. Cyber attacker’s tactics are becoming increasingly sophisticated, so much so that you could even be attacked by a drone, or by an attacker using social engineering or artificial intelligence to trick you. The statistics are scary, but the threat is great.

What should a cybersecurity strategy include?

To prevent cyberattacks and to cope with an attack if it occurs, a thorough and planned cybersecurity strategy is essential. Here are just a few elements such a strategy should include:

  • Comprehensive assessment of threats, vulnerabilities and current infrastructure
  • An evolving cybersecurity plan with continuous reassessment of risk
  • The appropriate level of cybersecurity software and systems including firewalls, antivirus and anti-malware, for your business and industry
  • Frequent vulnerability checks, software updates and patches
  • A focus on data privacy including compliance with GDPR and other emerging global regulation
  • Special attention to cloud systems and IoT devices which create new risks
  • Ensuring third-party vendors have a cybersecurity strategy to match your own to minimize supply chain risk, another growing threat
  • Constant monitoring for new threats locally and globally
  • Adopting a culture of cybersecurity
  • Ongoing employee training and a company-wide program of cyber security awareness

Our focus is cybersecurity culture and security awareness

It’s these last two points we’ll talk about in more depth, after all they are our focus here at The Defence Works.  A Forbes Insight/Fortinet survey this year of 200 CISOs found that companies with an enterprise-wide strategic approach to cybersecurity saw better results. And, the study found of the highest priorities for cybersecurity funding this year, 14% of CISOs declared theirs was “creating a culture of security,” 14% said hiring more staff, and 13% said “better security training of employees.”

United Airlines CISO Emily Heath says:

“Too often security puts themselves in a corner, with the weight of the world on their shoulders. And it really is the entire organization’s responsibility.”

Heath explains that cybersecurity “resides across the whole organization” telling Forbes that to build its culture of security awareness, United Airlines created “cyber ambassadors” and “friends of security” adding:

“We talk to our employees in very real terms about what cyber actually means so that it’s relevant to them within their job. So we have an entire team of people who focus on the cultural aspects of embedding security within United’s operations and within our education and awareness team.”

The cliche is that “employees can be the weak link”, but the reality is that they can be your strongest defence

Most successful cyber attacks have an employee at their origin, one who unsuspectingly gets manipulated or makes a mistake, though there can be malicious actors internally too. With cyberattacks often occurring via vectors such as phishing attacks it is vital that every employee within an organisation both understands cyber risk and buys in to a corporate wide cybersecurity strategy. The answer to both these tasks, coupled with deploying security systems and software, is a culture of cybersecurity which includes cybersecurity education and security awareness.

– Check out our hilarious security awareness training series:

Achieving a cybersecurity culture

SecurityIntelligence writes that a culture of cyber awareness is attainable and that CISOs would stress less if they were confident the whole of their organisation was cyber risk aware. A culture of cybersecurity should include:

  • Expecting mistakes
  • Not punishing errors
  • Building morale
  • Regular training
  • Achievable, company-wide goals

And, of course, security awareness training. Not convinced? Try 5 Ways Security Awareness Training Prevents Cybercrime.

Share this:

We’ve talked about the increasing sophistication of cyberattacks at length. But, did you realise that a cyberattack could reach your business via a drone?

Dronelife’s Mirium McNabb reports on the DroneDeploy 2019 Conference where a cybersecurity expert, Rhea Naidoo, warned hackers are attacking business infrastructure with drones.

A threat of surveillance, data theft, system attacks and even physical damage

Naidoo is co-founder and Director of Automated Solutions at Cambrian Cyber Group, she says the attack risk from drones has never been higher and that drones can carry out surveillance, capture data, and even cause damage by colliding with buildings and other infrastructure. Drones are cheap, simple to use, and are hard to detect without the right preparation and equipment, which can be expensive.

Drones can be used to approach businesses, power plants, and other infrastructure, carrying cyber attacker’s technology close enough for direct attacks on an organisation’s network.

Attackers can manipulate or disable systems when in close proximity

Naidoo says cyber attacks which target operational technology (OT) networks are growing and there have been multiple attacks on the US and EU energy sectors. Attackers are able to steal confidential data, manipulate controls or disable alarm systems, and even take systems offline.

Cybercriminals can conduct GPS spoofing from their drones, use Bluetooth to steal data and RFID scan access or credit cards. Drones can even be used to setup malicious WiFi networks imitating, and in close proximity to, an organizations legitimate network and allow cybercriminals to monitor WiFi traffic. Or, drones can be used more simply, just to crash into their targets.

Malware can be passed from drone to drone

It’s even possible for one drone to pass malware to another during flight. Gartner data estimates that 170,000 commercial drones will be sold in 2019. This is 58% increase since 2016 and points to the increasing usage of drones in today’s workplaces.

Goldman Sachs also predicts that businesses and the public sector will spend $13 billion on drone technology between 2016 and 2020. Though military use is the greatest today, the commercial and civil sectors will be the biggest growth areas for the technology.

PwC estimates that worldwide, drones could replace $127 billion worth of business operations and labour costs across a range of industries, but especially in infrastructure, agriculture and transportation.

Delivery drones could reach our skies in what could be a matter of months, rather than years. Energy companies themselves already use drones, putting them at even greater risk.

You don’t have to use drones to be at risk

Though the cybersecurity risk from drones is arguably higher if you use the technology within your own business it’s clear that as an attack vector every business with a physical location a drone could approach is theoretically at risk.

Europol’s latest cybercrime report points to a growing boldness of cybercriminals, the threat to data, and the increasing targeting of high-value victims. Cyber criminals are targeting businesses and are not afraid to attack using multiple steps and methods.

Artificial intelligence (AI) is already also being used in attacks. One unsuspecting CEO was tricked out of thousands after cybercriminals used AI to impersonate the voice of his boss and give him instructions over the telephone.

Infrastructure can be protected from drone attacks

Naidoo, according to Dronelife, says there are cybersecurity and technology tools which can protect infrastructure from attack. Organisations, of course, need to assess their threat risk and action as part of an overall cybersecurity strategy. Geofencing can be used, as well as SoundWave detection like radar. Existing counter drone solutions have scanning methods to keep drones away.

For drone owner the solutions are similar to keeping corporate networks safe. Naidoo says “good security hygiene” is needed. Drone systems should be kept up to date and the built-in solutions which come with more expensive drones utilised.

OT networks should have protection from drones or other proximity attacks if there is likely to be such a risk to a business. Many businesses of size may choose to employ this anyway. McNabb of Dronelife writes that though the idea of drone attacks may seem “farfetched,” Naidoo says it needs to be considered in a good cybersecurity program adding:

“We’re living in a world where it used to be OK for companies to live with an ostrich approach, and put their heads in the sand.”

Today that’s not possible. Cyberattacks can come in any shape or form companies need adequate protection from any realistic risk to their business or industry and must asses this accurately. Cybersecurity is not only essential to protect systems and data and from costly rectification expense. Consumers lose trust in businesses that have been attacked and regulators look increasingly harshly at why and how any cyberattack is successful, especially when it leads to a data breach.

Here at The Defence Works we don’t miss a trick, and neither should you. Start with awareness of every cybersecurity threat your business could face.

Share this:

Europol expects the risk of cyberattacks and data breaches that initiate along an organisations supply chain to increase.

The National Cyber Security Centre (NCSC) says companies are trusting their unproven third-party connections when they shouldn’t.

Cyber Security Connect UK says there is a fragmented approach to supply chain cybersecurity and that the risks are high.

Supply chain risk a prominent theme in cybersecurity

In Europol’s Internet Organised Crime Threat Assessment (IOCTA) 2019, just released last week, supply chain cyber attacks were highlighted. Professor Alan Woodward from the UK’s University of Surrey says:

“As hardware and software manufacturing supply chains become ever more extended, the cybersecurity of some extremely important targets will become dependent upon the weakest link in this chain. Due diligence and sound engineering processes must be a part of any Secure Development Life Cycle.”

An increasing concern

Europol says companies in the private sector are increasingly concerned about cyber attacks originating in the supply chain:

“i.e. the use of compromised third parties as a means to infiltrate their network.”

Some businesses even indicate that supply chain attacks are viewed as the highest risk. These supply chain cyber attacks could come from suppliers of hardware or software but also from other business services, especially those that are more tightly integrated with a company.

The recent Marriot hotel data breach is an example of where an attack occurred as a larger company acquired a small company with less cyber protection.

Europol points to reporting that says supply chain attacks increased by 78% in 2018. These attacks are increasing in sophistication with even fourth- or fifth-party suppliers exploited to reach further up the chain. Europol’s latest cyber update also found that attacks were increasingly bold and focusing on high-value targets, businesses, and their data.

The Ponemon institute says last year 61% of US organisations blamed a vendor or partner for a breach. And, that 75% believe supply chain breaches are likely to reoccur.

Security awareness essential for all business managers, not just CISOs

Other new research by Cyber Security Connect UK (CSCUK) in its “CISO and vendor relationships in the supply chain” report points to:

“A fragmented approach to cyber security in the supply chain and that a high level of risks are present which need to be closely monitored and reviewed.”

The CSCUK says CISOs focus on supply chain cybersecurity but other business managers are less aware. Therefore, CISOs need to be more involved in the procurement process when taking on new suppliers and vendors.

Chair of the Cyber Security Connect UK steering committee and CISO at Freshfields Bruckhaus Deringerors, Mark Walmsley, says:

“We found that 97% of CISOs see the supply chain as a source of risk, so there is an urgent commitment needed to mitigate risk exposure when undertaking a procurement exercise.”

And that “fragmented standards and cross-border working exposes some sectors to greater risk.”

ZDNet spoke with Paul Chichester, director of operations at the National Cyber Security Centre (NCSC) who said what organisations are “not currently doing is seeing is third-party connections to their network as untrusted.”

Companies are defending their own networks with processes, patches, updates, two-factor authentication and so on, but are wrongly assuming third-party suppliers are doing the same. They shouldn’t make this assumption unless they have reason to trust supply chain cybersecurity.

Chichester says there are also mature organisations that recognise a “duty of care” to their supply chain and:

“We see companies who’ve spent many millions defending themselves realise that’s actually just the first stage and actually investing further down the supply chain is the next.”

Can larger companies help smaller ones?

It may be that larger companies can assist their smaller vendors with cybersecurity, actually giving their own cybersecurity a boost. Chichester further says:

“Maturity in the supply chain is recognition that this is a shared problem. The most mature organisations take a really positive approach to that and recognise they’ve got a duty of care to the companies that supply them.”

Chichester’s NCSC believes its message to public and private organisations about investing overall in cybersecurity, not just supply chain risk, is getting through. But, that as companies are improving their defences cybercriminals are using new attack methods to sidestep these protocols. Chichester told ZDNet:

“The adversary is never going to give up, they’re going to change their tactics and we have to move further down the chain and think about how do we protect those smaller organisations that aren’t as well protected.”

Corporate supply chains are becoming more complex, compounding supply chain cybersecurity risk. Another survey found some companies said they shared confidential and sensitive information with as many as 583 third parties. Here at The Defence Works we penned another article on supply chain risk including a number of actions to mitigate the problem.

Share this:

A new report says 65% of cybersecurity and IT workers are considering quitting their jobs. And, a chief information security officer (CISO) stays in their job, on average, for a much shorter period than a chief financial officer (CFO) or a chief executive officer (CEO). This is despite a talent shortage that sees CISO salaries and benefits totalling up to $6.5 million in some parts of the US. The reason for high turnover in cybersecurity roles could be stress, part of the solution may be a culture of cybersecurity.

CNBC reported on Friday on the findings of a recent Nominet UK survey which found the average tenure of a CISO is 18-24 months whereas the average tenure of a CFO is 6.2 years. For a CEO it’s 8.4 years. CISOs cite stress and job urgency as their reasons for leaving a role.

The report points to a Ponemon Institute study that concluded that 65% of IT and cybersecurity professionals consider resigning because of burnout.

Cybersecurity salaries and rewards can be great

A Bloomberg article in August 2019 titled “Cybersecurity Pros Name Their Price as Hacker Attacks Swell” summarised a few of the huge salaries available to CISOs.

One of America’s largest companies paid a $650,000 salary to its 2012 CISO hire. In 2019 it had to pay $2.5 million for the very same position.

IT recruiters Caldwell Partners, Matt Comyns, says “it’s a full-on war for cyber talent,” and that “everyone’s throwing money at this.” Comyns says firms on the West Coast of the US can pay as much as $6.5 million in salary and stock rewards for CISOs.

CISOs are able to negotiate for better deals, with their senior CEOs often giving greater benefits to retain these security executives as their own jobs may be on the line if an expensive cyberattack occurs.

In March 2019 CNBC cited non-profit security organisation (ISC) figures of 2.93 million cybersecurity vacancies globally.

The pressure is on for cybersecurity executives and CISOs

In just the first half of 2018 data breaches totalled four billion records. IBM and the Ponemon Institute put the cost of an average data breach at $3.86 million with larger scale breaches costing up to $350 million for the company affected.

Jon Oltsik, a senior analyst at IT research firm Enterprise Strategy Group said earlier this year that trained cybersecurity staff are essential to prevent cyberattacks and added:

“I always say that cybersecurity professionals are like physicians, in that they have to spend ample time studying the latest research and threat intelligence.”

Years ago, general IT staff used to deal with cybersecurity problems. The sheer growth of cyberthreats and the implications of cyberattacks to future business success mean that a whole team of cybersecurity professionals following a defined cybersecurity strategy is often needed today. Even smaller firms need someone in charge of cybersecurity and/or data privacy to ensure sufficient focus on the issue. These factors are driving a shortage of cybersecurity talent. Oltsik is also quoted by CNBC as outlining another issue:

“When the cybersecurity team is busy putting out fires, they don’t have enough time to develop training courses, work with business units, or educate the workforce.”

Another recent study found 77% of UK workers have not received cybersecurity training, despite individual employees being a critical last line of defence against cyberattacks enacted via phishing emails.

According to IT Governance data breaches in 2019 could have affected over 10 billion records. The latest 2019 cybercrime report from Europol, published last week, says cybercrime is becoming more bold, increasingly targeting companies and that ransomware is still the most pressing issue.

A culture of cyber security could help IT employees fight cybercrime and reduce stress

CNBC’s recent news article was penned by Stephen Boyer, CTO of BitSight and a member of the CNBC Technology Executive Council. It mentions a recent high-profile data breach where it was suggested the CISO clashed with employees, leading to high turnover in the cybersecurity team and potentially contributing to the breach.

Boyer says that cyber culture is one key to cybersecurity and CISO success, writing:

“Strong CISO candidates will demonstrate the ability to find, hire and retain the right people to execute on security strategy and create a culture in which employees are trusted and empowered security practitioners.”

Cybersecurity leaders must demonstrate management skills in the same way that CEOs do, as well as executing cybersecurity processes. Cybersecurity teams as well as their CISOs must be motivated.

For a true culture of cybersecurity, not only do CEOs need to empower and reward their security personnel but every non-cybersecurity employee should have complete buy-in to corporate cybersecurity. Every part of a business should have some cybercrime awareness and thus added protection from cybercrime when combined with cybersecurity teams and systems. Cross-company security awareness training can help to achieve this.

Engage your staff with scenario-based security awareness training or “In-the-Moment” training.

Share this:

We know cyber attacks are getting far more sophisticated, ransomware attacks in particular are becoming far more focused, and data is always a target.

Social engineering is a relatively new term in the cybersecurity sphere, and it refers to attacks where criminals use information they have gleaned to trick employees into revealing even more sensitive information or downloading malicious files. Once these cybercriminals gain a digital foothold in a corporate network, they can steal valuable data or pursue a ransomware attack.

A recent GetApp data security survey, as reported by Small Business Trends, found that only 27% of companies provide social engineering awareness training. GetApp says:

“That means nearly 75 percent of businesses could be leaving their employees to fend for themselves against masters of manipulation. Companies must train employees on how to recognise social engineering techniques that are designed to exploit human nature for access to sensitive company data.”

It also found that 8% of employees have received no cybersecurity training at all. Small Business Trends notes that a previous survey found 43% of all cyberattacks hit small businesses. Of these businesses attacked, 60% will go out of business within six months.

What is a social engineering attack?

A social engineering attack is a cyber attack that uses some form of “psychological manipulation” to trick an individual into breaching their own, or their employers, security. Cyber attackers can use phishing emails, social media, and research, to find personal information. GetApp warns:

“This includes conducting background research using social media, corporate websites, Google maps, and public records. Armed with this knowledge, scammers are able to conduct their schemes inconspicuously, put employees at ease, and even build a rapport with their targets.”

Cybercriminals can use information to engage employees or try and form a relationship and open a line of communication where they can find out what they need to complete an attack. Cybersecurity software provider Imperva says:

“A perpetrator first investigates the intended victim to gather necessary background information, such as potential points of entry and weak security protocols, needed to proceed with the attack. Then, the attacker moves to gain the victim’s trust and provide stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources.”

Imperva produced the following graphic to detail a social engineering attack’s life cycle.

social-engineering

Security aware employees can help to protect your business

Social engineering attacks rely on human error. Here at The Defence Works we penned a previous blog on how individuals are the last line of defence against email cyber attacks. Proofpoint’s Annual Human Factor Report found that 99% of phishing attacks rely on unsuspecting victims clicking unscrupulous URLs. Add social engineering to this mix, if cybercriminals use personal connections or information to make a phishing email look even more convincing – it’s even more likely to be opened, a link clicked, and a malicious file downloaded by an unsuspecting employee.

Imperva says social engineering attacks can take the form of baiting, scareware, pretexting, and phishing and spear phishing attacks.

Baiting could be leaving a malware infected flash drive where a curious employee could pick it up or sending an enticing advert.

Scareware, or deception software, might trick an individual into thinking their device is already infected prompting them to install the software containing the real threat.

Pretexting can involve a cybercriminal pretending to be someone else to gain information or to get someone to perform a task. Imperva says:

“The attacker usually starts by establishing trust with their victim by impersonating co-workers, police, bank and tax officials, or other persons who have right-to-know authority. The pretexter asks questions that are ostensibly required to confirm the victim’s identity, through which they gather important personal data.”

Let’s not forget a cyber attack this year saw the CEO of a UK energy firm swindled into transferring €220,000 to who he thought was a supplier after cybercriminals used artificial intelligence (AI) powered software to impersonate the voice of his boss in a telephone call.

But, educating your workforce about these risks doesn’t need to be a complicated or dull affair.  In fact, organisations should try to ensure the training given to employees is interactive and engaging – making the lessons more memorable and also giving employees the opportunity to experience a “real-life” situation.  At The Defence Works, our Interactive Episodes do just that – created brand-new, each month and always based on a recent, real-life event, they’re a great way of educating the workforce in a modern, engaging and fun way.

Engage your staff with scenario-based security awareness training or “In-the-Moment” training.

A comprehensive and holistic cybersecurity strategy is essential

The cybersecurity software firm warns that “social engineers manipulate human feelings, such as curiosity or fear, to carry out schemes and draw victims into their traps.” They recommend the use of multifactor authentication for accounts and logins and always ensuring antivirus and antimalware software is kept up to date. And, avoiding suspicious emails and offers that sound too good to be true.

These latter points are part of security awareness, a vital ingredient of an overall cybersecurity strategy that should include cybersecurity software, systems that protect data, and regular assessments of strategy and software and network vulnerabilities.

On reporting GetApp’s findings of a lack of cybersecurity and social engineering risk awareness training, Small Business Trends writes:

“Investing in enterprise cybersecurity alone is not going to cut it. small businesses need to invest in regular training for their employees in order to fully address this threat. This will help in adding yet another layer of protection for the company’s sensitive data.”

Europol’s just released 2019 cybercrime report also pointed to the need for cyber education.

There’s no better time to start educating your workforce about the dangers of social engineering. Try our free demo to get started, today.

Share this:

Not only do we have to deal with the growing threat of cybercrime, but the evolution of cybersecurity platforms creates its own issues too. Fragmentation and a lack of interoperability between cybersecurity products could be hindering the fight against cyber threats as businesses invest in more and more tools they might not be getting the best from.

IBM, McAfee, and 16 other key cybersecurity industry players collaborating under the OASIS International Consortium banner have announced an Open Cybersecurity Alliance (OCA). The OCA, as per ZDNet reporting, plans to connect market products as work to solve interoperability and create data-sharing practices.

Any company can contribute to the OCA

The newly formed OCA project has issued an open invitation and call for participation to any company who would like to contribute. Participants do not have to be members of the non-profit consortium OASIS which works to create open standards for our “global information society.”

“OASIS promotes industry consensus and produces worldwide standards for security, Internet of Things, cloud computing, energy, content technologies, emergency management, and other areas.”

The new project will be led by IBM and McAfee who are initially joined by Advanced Cyber Security Corp, Corsa, CyberArk, Cybereason, DFLabs, Crowdstrike, Electric Power Research Institute, EclecticIQ, Fortinet, Indegy, New Context, ReversingLabs, Safe Breach, Syncurity, Threat Quotient, and Tufin.

An open cybersecurity ecosystem

Project participants can contribute threat insights, code or expertise. As per OASIS the OCA consists of cybersecurity vendors, users, thought leaders and individuals who are interested in “fostering an open cybersecurity ecosystem,” where, it says:

“Products from all vendors and software publishers can freely exchange information, insights, analytics, and orchestrated response, via commonly developed code and tooling, using mutually agreed upon technologies, data standards, and procedures.”

The OCA is answering a cybersecurity industry challenge where it adds:

“Cybersecurity teams are on average using 25 to 49 different security tools from up to 10 different vendors, each of which generate an explosion of data & insights.”

– Check out our hilarious security awareness training series:

Answering an efficiency challenge for better cybersecurity

A lack of industry collaboration and data sharing, including the findings from insights and incidents, creates a reduction in efficiency across the cybersecurity battle and produces interoperability problems for end users of cybersecurity products.

The OCA hopes to develop common code and tooling as well as better data-sharing practices for a more seamless cybersecurity software experience for those who utilise it. It says:

“End user organisations have consistently wanted to be able to integrate ‘best-of-breed’ products and solutions into their operational environments with minimal effort and time. However, they have been unable to because of the lack of real interoperability at the communications and data levels.”

End users of cybersecurity software may not realise some of their cybersecurity threats and challenges may have been resolved in products they use for other purposes. They may end up investing in new software unnecessarily or not getting the most out of existing platform subscriptions.

“Further, poor integration can also lead to missing critical insights and findings that would have otherwise been detected if the tools were more well-integrated.”

For the everyday business, the work of the OCA may well result in better performing cybersecurity products and reduced unnecessary investment, leaving funds available to invest in other methods to fight cybercrime.

Share this:

Cloud access management company Centrify has found 77% of UK workers surveyed revealed they have had no cybersecurity training.

Independent survey company Censuswide questioned 2,000 UK professional services workers for Centrify. They found over three quarters had received no cyber skills training from their employers.

Passwords are still a major cybersecurity weakness for UK businesses

Not just that but 27% of workers use the same password for many of their logins, like their work email and their social media accounts. A worrying cross-over between personal cyber security and that of the business they work for. 14% admit to keeping their passwords written down and stored on or in their desk or office.

This despite cybersecurity initiatives

The Commentator notes that these frightening figures are despite the UK government’s Cyber Essentials programme available to many businesses. Suppliers to the UK government who handle some sensitive and personal information must have the certification. And, according to Wikipedia 6,000 Cyber Essentials certificates have already been awarded. These figures are also despite the implementation of GDPR, which one would hope would raise cybersecurity and even good password awareness somewhat.

The survey also found that a massive 69% of the workers asked said they didn’t have confidence in their personal cyber security processes to protect their own data. And, 14% don’t use multi-factor login authentication measures for their banking and social media accounts even when they are available. Centrify Vice President Andy Heather was duly surprised:

“In an age where cyber attacks have emerged as one of the most ruthless and successful forms of crime that can be committed against a business on a large scale, it is astounding to hear that so many UK companies neglect to instil even the most basic cyber security measures in their employees.”

With so many attacks focusing on password vulnerabilities businesses are at a huge risk if a cyber criminal manages to get hold of an employee’s password. Weak passwords leave “easy entry points” so it’s vital “to ensure malicious parties cannot run riot in company systems with stolen log-in credentials.”

Heather adds:

“Just one misplaced password could result in the theft of millions of sensitive company documents, personal information and financial fraud, allowing hackers access to critical data.”

Other research by the Pew Research Center found 86% surveyed do memorise their passwords but 49% write them down on paper. This noting of passwords is perhaps less surprising, but still incredibly shocking, when you consider a LastPass study found the average person has to keep track of 191 passwords. Verizon illustrates that passwords could be the weakest cybersecurity link by finding that 81% of data breaches occur due to stolen or weak passwords.

To meet this problem head on Centrify’s Heather recommends “urgent investment in cyber skills training and adopting a zero-trust approach.”

Cybersecurity awareness training is needed

These latest figures from Centrify’s survey are worrying. They are not alone. Cybersecurity Ventures predicts cyber security clean-ups will cost £4.7 trillion by 2021. Even to a small company, a cyber breach recovery could cost £25,700.

Companies have to calculate their return on investment (ROI) for cybersecurity awareness training. We attempted the math here at The Defence Works. Cybersecurity training ROI is not necessarily easily quantifiable. The facts are that a cyber attack could hit any business at any time, but your business may well dodge the proverbial bullet. If you do fall victim to a cybercriminal or network, it will cost you dearly.

– Check out our hilarious security awareness training series:

Cyber security awareness training can start simply and be planned and conducted internally. It all helps.

Or, consider talking to us here at The Defence Works about security awareness training. We cover complete professional security and personal cyber security protection with effective bite-sized modules suitable for any sized business. Try our free demo to learn more.

Share this:

Cloud access security broker Bitglass has published a report that suggests some of the world’s largest companies perhaps aren’t as committed to cybersecurity as they should be.

Bitglass researched Fortune 500 companies, looking at public-facing information like websites to discover “whether the world’s leading companies are committed to enhancing their cybersecurity initiatives.”

It found that 77% of Fortune 500 companies don’t list who is responsible for cybersecurity on their websites. And, 52% make no explanation, other than standard privacy notices, of how they are protecting the data privacy of their customers. BitGlass says:

“The results demonstrate that most organisations lack an authentic, lasting commitment to cybersecurity, with certain industries being less security-conscious than others.”

In other key findings, BitGlass believes that 38% of Fortune 500 companies do not have a chief information security officer (CISO) and of this 38% only 16% cite someone else as responsible for cyber security strategy. It says that of the 62% that do have CISO only 4% have them listed on their websites. BitGlass adds:

“As breaches continue to cost brands millions, incite executive turnover, decrease stock prices, and harm countless stakeholders, it is crucial that organisations appoint relevant leadership and prioritise proper cybersecurity.”

Cybersecurity conscientiousness varies from industry to industry

BitGlass found the transportation, aerospace, and insurance industries appeared to be more security conscious as they were more likely to list a person responsible for cybersecurity strategy. Further:

“89% of organisations in the aerospace industry have information available on their websites about how they are protecting the data of customers and partners. Aerospace is followed by finance (72%) and technology (66%).”

Those appearing worst at cybersecurity, or at least demonstrating publicly if they are committed to cybersecurity, are the hospitality, manufacturing, oil and gas, and telecommunications industries.

Anurag Kahol, Chief Technology Officer at Bitglass says:

 “Corporate social responsibility initiatives have made it onto the websites of the Fortune 500, but research has shown that the same level of importance is not being given to publicly demonstrating commitment to cybersecurity initiatives.”

More action, less demonstration?

To play devils advocate here a little, the information for this report seems to have been gained mainly from what Fortune 500 companies publish on their websites. It could be that these companies are far better at cybersecurity than they are publicly telling us. There’s a hint of that in the number of companies that do have a CISO, but don’t list them on their websites. Not every company keeps its website up to date, though you might expect that a Fortune 500 company would.

– Check out our hilarious security awareness training series:

So, let’s hope many of these companies are far better at cybersecurity than they appear to lead us to believe. Especially those in the telecommunications industry where you would perhaps expect companies to be closer to the leading edge of the fight against cybercrime.

We should be shouting about cybersecurity

A definite take from this report is that Fortune 500 companies and others should be telling their customers and partners far more visibly about their cybersecurity strategy.

Consumers are increasingly aware of the risk to their data or services from cybercrime and now expect businesses to deploy cybersecurity protection and practices to protect their data and needs too. Consumers today are far more likely to spend their money with a company they trust.

These Fortune 500 companies which appear to fall down on their cybersecurity commitments, but maybe aren’t in reality, are doing themselves no favours at all.

For companies smaller than the world’s Fortune 500 there is a message. Firstly, if you have cybersecurity protocols, training, and responsible executives in place you could be doing better than some of the globe’s biggest companies. Secondly, if you tell your customers about your commitment to their data privacy and cyber safety by publishing on your website who is responsible for cybersecurity as well as a little of your strategy to protect consumers, you could gain a little competitive advantage.

Interested in hearing how easy – and cost-effective – cyber-security measure can be? Arrange for your free, no-hassle, demo here.

Share this:

One cyber-crime campaign costs hackers just $160 to setup, it’s called “MasterMana Botnet” and could reach your business via a phishing email.

Cybersecurity compromise management company Prevailion has discovered the botnet attack has still been active this September, after first being reported in December 2018. The story was also reported by The Next Web.

MasterMana Botnet is contained in a phishing attack

This cyber-attack’s victims receive a phishing email with an infected attached document that could be an excel file or disguised as an invoice or product requirement document.  Prevailion’s research uncovered details of the MasterMana Botnet attacks and it says:

“In one case, an email impersonated a small-sized legitimate company based out of Dubai, UAE. Both of the emails that we discovered were sent from free email providers, such as Yahoo and Yandex.”

It costs $160 or less for cybercriminals to deploy

When an infected document is opened it releases a “multi-pronged, labyrinth-like kill-chain.” The botnet has added features to avoid some cybersecurity and antivirus measures like automated detection and sandboxing. Victims of the botnet end up downloading a .NET dll, determined by Prevailion to be a remote access trojan (RAT) called “Revenge Rat” or a trojan called Azorult.

Revenge Rat can be found online by cybercriminals for free, Azorult for around $100.  Cybercriminals can lease a Virtual Private Server (VPS) for around $60 giving Prevailion its estimated $160 cost of a MasterMana Botnet attack setup.

Prevailion says:

“As companies increasingly spend more money on security solutions, threat actors are able to operate on shoestring budgets.

The MasterMana Botnet attacks discovered by the cybersecurity company demonstrate a “perfect balance” of sophistication “to avoid automated detection through third-party services and obfuscation while remaining below APT-level sophistication to avoid drawing attention to their campaign.” Prevailion adds:

“While most companies fear they may become compromised by advanced actors, this particular report highlights that actors do not have to rely on advanced tools or techniques to have a serious business impact.”

Phishing attacks aren’t always easy to spot

To combat these attacks Prevailion recommends “a defence-in-depth strategy with multiple security solutions including properly configured firewalls, email protection, and end-point antivirus solutions.”

Such phishing attacks aren’t always easy to spot. Prevailion gives an example of an email that appears to be regarding a product order. An attached, infected, Excel file could open normally but requests that the user runs an Excel macro, which then releases the malicious files into the victim company’s network.

Check out our hilarious security awareness training series; in this preview we take a look at phishing emails if they were in real life:

MasterMana Botnet attacks are expected to continue as they have such low setup costs for cybercriminals and, says Prevailion, because public reporting has not deterred them. The company hopes to highlight the threat so that network defenders may more easily identify this risk.

Security awareness and simulated phishing attacks may help cybersecurity defence

Back in April, here at The Defence Works, we asked if simulated phishing was worth the effort. Simulated phishing is a where a business tests the knowledge and response of their employees by sending fake phishing, or malicious emails. Using this method cybersecurity defenders can assess any vulnerabilities and further educate a workforce – the people who will receive these real phishing emails and who are often a company’s first line of defence.

One report discovered phishing attacks were up in 2018, compared to 2017. But, also that companies that deployed security awareness training saw an increase in attack detection when employees had been trained to recognise cyber risks such as phishing emails.

Phishing simulation can replicate many different types of attack and if delivered in a way that empowers employees it can be an interactive, and thus less forgettable, method of security awareness training. Though such simulations need to be coupled with learning first, and follow up after, so that employees have enough knowledge to feel confident.

Here at The Defence Works we know that 91% of all cyber-attacks start with a phishing email so phishing simulation is just one of our security awareness training packages, try a free demonstration here.

Share this: