Cybercriminals are combining system disruption with demands for cash or cryptocurrency in ransomware attacks that are happening more and more frequently.

One particular ransomware campaign, called FakeUpdates, reports Politico, uses fake browser update notifications to trick computer users into downloading and running malware which can then infiltrate whole IT networks and take down essential business processes.

Politico cites a recent blog post by US cybersecurity company FireEye which says some attacks on companies are occurring “en masse” via the FakeUpdates campaign, which first surfaced in April 2018. The campaign has appeared frequently in reports of cyber-attacks between May and September this year. FireEye says:

“Understanding that normal business processes are critical to organisational success, these ransomware campaigns have been accompanied with multi-million dollar ransom amounts.”

In a ransomware attack, malicious software, or malware, is released into an organisation’s computer network. It can completely take down systems and be controlled remotely by the cybercriminals involved. Once these criminals have control of a computer system, often shutting down key business processes, they demand massive ransoms in return for restoring business functionality or for the return of stolen data.

FakeUpdates is back

FireEye first identified the FakeUpdates campaign in April 2018 and now believes the attack method is back. Cybercriminals use compromised websites to deliver their malware, often Trojan software, disguised as Chrome, Internet Explorer, Opera or Firefox browser updates.

When a fake browser update is run, the attack begins in earnest. Some of the compromised websites have been running old Content Management System (CMS) applications, a notable warning for businesses that use older CMS software for their websites. Keeping all systems and software, including any published websites, up to date is vital to the cybersecurity of an organisation.

FireEye says:

“We have seen ransomware graduate from a nuisance malware to one being used to extort victim networks out of significant sums of money. Furthermore, threat actors are now coupling ransomware with multiple toolkits or other malware families to gain stronger footholds into an environment.”

This again points to the increasing sophistication of cybercrime. FireEye adds that ransomware attackers don’t need to access the “most sensitive” parts of a company; they just need to get hold of systems that will “disrupt business processes.”

Enterprise Times in the UK warned of fake browser updates in March 2019, quoting cloud provider Memset’s Head of Security, Thomas Owen:

“Many of these exploits require vulnerabilities in the browser or Operating System, ensuring the user’s browser and OS are up to date (and have automatic patches) and running a reputable antivirus product will protect you from the majority of these issues.”

Organisation-wide security awareness will help

Owen adds that some browser security plugins can help but that “good hygiene” is key, including avoiding less reputable websites. This is an important part of security awareness, coupled with knowing what kinds of attack, like FakeUpdates, can follow from browsing the internet or clicking an unexpected pop-up.

Engage your staff with scenario-based security awareness training or “In-the-Moment” training.

Ransomware attacks are increasing in the UK

IT Pro reported early this September that UK businesses had seen a 195% increase in ransomware attacks this year, though ransomware is still low on the list of potential cyber-attacks facing companies.

Interestingly, in the same study US businesses had seen a 21% decline in the number of attacks. IT Pro cites the study by AT&T Cybersecurity, in which 40% of cybersecurity professionals believe it should be illegal for a company to comply with a ransomware demand, while more than 40% would consider paying a ransom for easy restoration of corporate systems. AT&T’s lead product manager, Rick Langston, says:

“Organisations are still struggling when it comes to ransomware. Many do not know the best practices when it comes to ransomware, or worse, do not feel confident to handle attacks efficiently.”

It emerged in July this year that the UK’s largest private forensic company, Eurofins Scientific, which serves much of the UK’s police forces, was the victim of a ransomware attack. Reporting suggests that “immediate steps” to respond to the attack included paying the ransom. The same report mentioned the ransomware attack on the NHS in 2017 which led to the cancellation of 19,000 patient appointments.

Another ransomware attack earlier this year cost aluminium producer Norsk Hydro £45 million. The global company, with 170 locations in 40 countries and 22,000 computers, completely lost all its systems but didn’t pay the ransom.

Norsk Hydro didn’t even respond to the cybercriminals. It incurred the £45 million in downtime and recovery costs, and recovery took months. However, according to a BBC report, the company gained in reputation after being open and honest about the experience and is held up as a “gold standard” example of how to deal with a security breach. The same report suggests some well-known companies have secretly paid ransoms to hackers without ever revealing the cyber-attack to the public or to shareholders.

Here at The Defence Works we’ll tell you that cybersecurity systems and processes are essential, but so too is company-wide cybersecurity awareness, in order to plan for and meet the challenge of any form of cyber-attack your business may face.


It’s looking highly likely that 2019 could be the worst year ever for data breaches. That’s hardly surprising considering cybercrime is growing at pandemic pace. Can companies get their data protection and cybersecurity practices caught up, and keep them up to date?

On September 16, Security Magazine reported on the 2019 Midyear Quickview Data Breach Report from Risk Based Security which put the number of data breaches up by 54% at 2019’s midpoint. According to the data, 3,800 data breaches had been reported by this time, compromising around 4.1 billion consumer and individual records.

Latest figures show data breaches are increasing

A new report by IT Governance on September 30 puts the total number of breached records for 2019 to date at 10,331,579,614. Though there may have been slightly fewer incidents in September than in August, the report says there was a 363% increase in the number of records breached.

IT Governance lists cyber-attacks, ransomware attacks, data breaches and other malicious cyber events. It includes the recent Facebook revelation that 419 million records, including user phone numbers, may have been exposed in an online database. Though the data could have been scraped before Facebook made changes to its systems, much of it could still be valid, so it is a very relevant breach.

Just some of the data breaches so far

The site also lists this year’s Yves Rocher breach, where 2.5 million records were left on an exposed database, and the Teletext Holidays breach, where 212,000 audio recordings of customer purchases were left unprotected online.

Charing Cross Gender Identity Clinic accidentally shared patient data after a mistake in the CC field of an email.

A misconfigured database potentially containing information on the entire population of Ecuador exposed 16.6 million records.

A Tesco parking application exposed up to 20 million car registration number plates and unshredded NHS records were used to weigh down scaffolding at an art festival. The list goes on.

SelfKey keeps a timeline of 2019’s data breaches, a number of which have yet to be attributed a figure. Data breaches can take months to surface and continue to grow in their impact as investigations are carried out.

Malindo Air reported on September 18 that data had been leaked onto public forums, and on September 9, 50,000 student records were reportedly exposed through the Get application.

Then there is the Flipboard hack, where unauthorised access to some of its databases between June 2018 and March 2019 has yet to be quantified as a number of records breached. The platform has 145 million monthly users.

New incidences occurring daily – now Zynga’s Words with Friends

Breaking in the news just now, and as reported by VentureBeat, the records of 218 million players of Zynga’s Words With Friends social media/mobile game may have been accessed by a cybercriminal. The same hacker could also have been responsible for gaining access to a billion user records stolen from 45 other online services earlier this year.

For Zynga, the breach affects Android and iOS players who signed up for Words With Friends before September 2, 2019. The game company boasts over a billion players of its games worldwide, and its last reported hack was in 2012. Zynga says:

“Cyber attacks are one of the unfortunate realities of doing business today. We recently discovered that certain player account information may have been illegally accessed by outside hackers. An investigation was immediately commenced, leading third-party forensics firms were retained to assist, and we have contacted law enforcement.”

Cyber-attacks are a risk and a reality for any size of business. Though social media platforms, games, the healthcare sector, government data, retailers and, of course, financial institutions are often hardest hit, the truth is that if you store data you are at risk of a breach. That breach could be the result of an attack but could just as easily result from a software misconfiguration or the unwitting mistake of an employee.

Can businesses keep up to the threat of data breaches?

Though the reality is that no business can be 100% protected from cybercrime or even accidental data breaches forever, there is much that can be done to limit risk. It’s all in the trying, though admittedly an unlimited cybersecurity budget would always help.

Businesses must simply do the best they can to protect valuable data. Companies where data collection forms part of their business model must do more.

Cybercrime is evolving, but so is cybersecurity. Employing the best systems and processes, choosing the best cybersecurity contractors, or hiring the best technology talent helps. Complying with data protection regulation, like GDPR, is the law.

Continuous development of systems and processes to meet evolving threats is essential. Ongoing assessment of vulnerabilities is vital. Security awareness in every part of an organisation is critical.


The Capgemini Research Institute finds only 28% of businesses have achieved GDPR compliance, but those that have are seeing the rewards. The consultancy firm also found that 81% of compliant companies reported that GDPR has had a “positive impact on their reputation and brand image.”

The new report by Capgemini surveyed 1,100 senior executives and found:

“Companies have responded to new requirements more slowly than they expected, citing barriers including the complexity of regulation requirements, costs of implementation and challenges of legacy infrastructure.”

Heavy investment into GDPR compliance continues

But firms are continuing to invest “heavily” in data protection and privacy to make sure they are compliant with current regulations and “to lay the foundation for those to come.” 40% of companies asked say they expect to spend over $1 million on legal fees and 44% say they will spend the same amount on technology upgrades.

A further 30% of those surveyed believe they are close but are “still actively resolving pending issues.” Those who are having problems cite GDPR complexity and high costs. And, many companies have received “queries from data subjects.”

Benefits of GDPR compliance are becoming apparent

Despite the fact that many still appear to be struggling with the GDPR challenge, for those companies that have achieved compliance the benefits are clear.

Capgemini found that a massive 92% of compliant companies surveyed say they have gained competitive advantage. Only 28% had expected to, so these companies may be a little happier with the impact of GDPR than most. A further 84% say they are experiencing a “positive impact on customer trust,” 81% on brand image and 79% a positive impact on employee morale.

Companies haven’t just found benefits to their external positioning: 87% are finding improvements in their IT systems and 91% in their cybersecurity practices.

These improvements to data privacy and cybersecurity infrastructure can only add even more benefits, protecting from other cyber risks as well as data breaches.

A company’s technology stack influences its ease of compliance

The report discovered that the level of technological adoption within a business may have influenced quicker compliance. Those using cloud platforms, data encryption, and other advanced systems seem to have fared better in the race to achieve compliance.

Don’t forget third-party vendors when considering GDPR

These compliant firms also seem to be faring better at checking and ensuring their third-party technology suppliers are GDPR compliant. Capgemini says:

“While 82% of GDPR compliant organisations had taken steps to ensure their technology vendors were compliant with relevant data privacy regulations, only 63% of non-compliant companies could say the same. A majority (61%) of the compliant organisations said they audit sub-contractors for data-protection compliance, compared to 48% of non-compliant companies.”

Data privacy and cybersecurity practices must meet equivalent and sufficient standards all along an organisation’s supply chain. Supply chain cyber risk is growing, with cybercriminals looking to exploit weak links further along a company’s supply chain to reach its network. Ponemon Institute research found 61% of US organisations last year reported a data breach within their vendors or partners.

Continuous action and awareness are vital

One executive who took part in the Capgemini survey, Michaela Angonius, Vice President and Head of Group Regulatory and Privacy at Telia Company, says GDPR is something that needs to be worked on “continuously.” Angonius says:

“We started raising awareness internally, long before the law was adopted. This was because we foresaw that this would be one of the biggest compliance projects that we would undertake in the company’s history.”

Zhiwei Jiang, CEO of Insights & Data at Capgemini, concludes:

“Organisations must recognize the higher-than-expected benefits of being compliant, such as increased customer trust, improved customer satisfaction, strengthened employee morale, better reputation, and positive impact on revenue. These benefits should encourage every organisation to achieve full compliance.”

It’s good to hear more “carrot” than “stick” incentives for GDPR compliance, and that the time and money firms have spent achieving compliance is being returned as potential bottom-line revenue.

After all, non-compliance could have a serious impact both financially and on a company’s reputation. In July it emerged that British Airways and the Marriott hotel chain were facing record-breaking fines for data breaches.

Edward Whittingham, Managing Director of The Defence Works, gave his comments to the Financial Times at the time, including:

“Until now, we knew GDPR had teeth, but we didn’t know how hard it could bite. These penalties will raise some serious concerns for other businesses going forward.”

Here at The Defence Works we offer engaging, employee-focused GDPR training. Our sessions are interactive and quick-fire, taking minutes, but help you to meet your legal requirements. Our training can make the difference between secure data and a data breach. We also help to empower your employees with GDPR knowledge, so you are willing, able and prepared at every level to achieve and maintain compliance.


One of the strongest arguments for promoting ongoing cybersecurity awareness, combined with stringent cybersecurity practices, is the constant evolution of attack methods.

The number of cyber-attacks faced by companies globally is increasing, cybercrime is on the rise, and so too is the sophistication of attacks.

A World Economic Forum (WEF) blog post penned by the WEF Centre for Cybersecurity’s Head of Operations William Dixon and Equifax CISO Jamil Farshchi says “AI is transforming cybercrime,” and that:

“Cyberattacks are becoming more potent thanks to AI – but it’s helping those defending against them, too.”

CEO transfers €220,000 to cybercriminals after AI-powered fake call from his boss

The article uses the example of an artificial intelligence (AI) powered attack in which the CEO of a so far unnamed UK-based energy firm was tricked into transferring €220,000 to what he thought was a supplier. The cybercriminals used AI-based software to impersonate the CEO’s boss at the energy company’s parent organisation on a call requesting the transfer, according to Wall Street Journal reporting and the company’s insurer, Euler Hermes. Rüdiger Kirsch, a fraud expert at the insurer, is reported by WSJ as explaining:

“The U.K. CEO recognised his boss’ slight German accent and the melody of his voice on the phone.”

In fact, the call was a “voice-spoofing” attack and potentially one of the first of its kind in Europe. Most cybersecurity tools aren’t prepared for AI-generated fake voices, and security products that can detect what WSJ describes as “so-called deepfake recordings” are only now emerging.

Knowledge is power

The attack is an important lesson in security awareness. Firstly, companies may need to consider whether their cybersecurity controls need to be extended to cover newer attack vectors. For those that can afford it immediately, that could mean better cybersecurity systems.

But, secondly and potentially more importantly, security awareness of the potential for this kind of attack is paramount. Awareness helps firms prepare, whether that’s with training or capital investment.

Awareness at all levels that this type of attack can occur gives employees, like the victim CEO, the opportunity to request simple verification of a telephone request. Had he known attacks of this nature happen, he might have asked questions only his real boss could answer, or asked for the request in writing, for example.

Of course, that doesn’t offer complete protection, and we don’t know his level of awareness or all the details. Cybercriminals equipped to use AI may also have access to detailed information or email accounts, but it would add an extra layer of security that certainly wouldn’t hurt.

Executives responsible for authorising large, fast payments could even agree a password or code word for just such requests. It’s a thought; it’s down to CEOs, CTOs and CISOs to add the protection they need once they are aware of the threat, and to spread that security awareness throughout the business. Organisations can be attacked and infiltrated at any level.

Cybercriminals will adopt anything that works – including new technologies

Philipp Amann, Head of Strategy at Europol’s European Cybercrime Centre, told WSJ that it is hard to predict whether more AI-enabled cyber-attacks are likely, but that cybercriminals are more likely to use the technology if it works. WSJ writes:

“The attackers responsible for defrauding the British energy company called three times, Mr. Kirsch said. After the transfer of the $243,000 went through, the hackers called to say the parent company had transferred money to reimburse the U.K. firm. They then made a third call later that day, again impersonating the CEO, and asked for a second payment. Because the transfer reimbursing the funds hadn’t yet arrived and the third call was from an Austrian phone number, the executive became suspicious. He didn’t make the second payment.”

Cyberthreats are evolving to incorporate new technologies and to bypass cybersecurity; the WEF article confirms:

“Certain use of powerful developing technologies such as AI, 5G, biometrics and new encryption technologies will change the landscape of cybercrime for both attackers and defenders.”

Equifax and the WEF are planning events to explore how AI will change cybersecurity. They say:

“Cybercriminals are adept at adopting any techniques or innovations that give them an edge over cybersecurity defences.”

The expert partnership suggests AI could increase both the volume, through automation, and the sophistication of cyber-attacks. But companies can fight back by using AI and automation to make their own cybersecurity systems more efficient. The time taken for routine security processes could be reduced, lessening the “friction associated with following security requirements.”

Fight AI risk with AI response, but start with security awareness

Using AI and automation for security processes could free up more human time for other aspects of defence, like security awareness and future planning. Fighting AI-powered cyberthreats with AI-driven cybersecurity is the very near future, especially for big business. These threats, and the opportunities to use new technology to defend against them, will become a risk and a potential response for all.

Here at The Defence Works we focus on delivering security awareness training to help businesses plan and build their own defences and to empower all employees to understand potential cyberthreats and how to overcome them to the best of their abilities.


As data privacy issues threaten the oligopoly of the globe’s largest technology companies, initiatives are emerging that might hand control of personal data back to individuals. This, in turn, could affect the technology employed by many other companies.

Privacy issues are the biggest threat

A new GlobalData report says data privacy issues are the biggest threat to “Big Tech”; indeed, technology giants like Facebook, Google, Microsoft and others are under increasing scrutiny, facing scandal and being hit with huge fines from regulators.

According to reporting by ZDNet, Microsoft has a new “Data Dignity” team in its CTO’s office that is focused on giving users more control of their data, potentially even, in future, enabling individuals to sell their data to third parties like data-hungry advertisers.

The privacy project

The ZDNet reporter had discovered a Microsoft incubation project entitled “Project Bali.” The project may have been in private testing in January and included work on a “personal data bank” putting users in control of data that has been collected about them, which would allow individuals to view and manage, and even share and monetise, their data. ZDNet discovered an “About” page for the project which it says “Microsoft has since hidden.” The publication speculates whether more news on Project Bali could be forthcoming after a data privacy themed feature about Microsoft chief scientist Jaron Lanier in The New York Times.

Lanier, in “The Privacy Project”, is featured in three video episodes titled “The Great Data Robbery”, “You Should Get Paid for Your Data” and “Hope for Our Internet Future”. He believes that people should be paid for their personal data, and that a small family could eventually earn up to $20,000 per year by doing so. Lanier refers to “Data Dignity”. ZDNet found a website which says the Art of Research organisation is “embedded” in the Microsoft CTO’s office under Lanier’s leadership, and that:

“Here at Microsoft, we have a brand new Data Dignity team headed by Christian Liensberger (now hiring!).”

According to the reporter’s investigation, the Microsoft team is looking to “evolve the approach to ML/AI & data at Microsoft and throughout the industry.” A Microsoft job posting also mentions “Data Dignity.” The remit of Microsoft’s Office of the Chief Technology Officer (OCTO) includes exploring technology trends like artificial intelligence (AI) and machine learning (ML) as well as data security, privacy and even blockchain technology. Microsoft did not comment for the ZDNet reporter.

Is blockchain a solution too?

Elsewhere, Datawallet predicts that by 2022 around $7,600 worth of personal information will be bought and sold per person each year. Right now, personal data is collected, bought and sold by all kinds of firms and data brokers. Equifax earned nearly $500 million in profit in 2016. In September 2017 it revealed a data breach that affected 145 million people.

Datawallet is a blockchain startup developing an application in which users control their data using blockchain’s distributed, tamper-evident ledger together with public-key, hashing and smart-contract technology. Users send their encrypted data only to selected purchasers, who alone hold the key to decrypt it; this permissioned exchange excludes any unauthorised parties.
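As an added example of the permissioned exchange described above (this is not Datawallet’s code, and the page does not describe Datawallet’s actual scheme), the following Go program shows the simplest form of the idea: each record is encrypted under a fresh AES-GCM key, and that key is wrapped with the selected purchaser’s RSA public key, so only the holder of the matching private key can open the record and anyone else who obtains the envelope, for instance from a shared ledger, gets nothing. The type and function names, the OAEP label, the sample record and the choice of RSA-OAEP plus AES-GCM are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is one personal-data record sealed for exactly one purchaser.
// Anyone may hold or relay it (a reference to it could sit on a ledger),
// but only the intended purchaser can open it.
type Envelope struct {
	WrappedKey []byte // per-record AES key, encrypted with the purchaser's RSA public key (OAEP)
	Nonce      []byte // AES-GCM nonce, unique per record
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// oaepLabel binds the wrapped key to this use. Hypothetical value chosen for the example.
var oaepLabel = []byte("personal-data-record-v1")

// NewPurchaserKey generates the key pair a purchaser would register with the exchange.
func NewPurchaserKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal encrypts record for the purchaser holding the private key that matches pub.
// Hybrid scheme: a fresh 256-bit AES key per record, wrapped with RSA-OAEP.
func Seal(pub *rsa.PublicKey, record []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, record, nil),
	}, nil
}

// Open recovers the record. It fails for any private key other than the
// purchaser's, and for any envelope altered in transit (GCM tag check).
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("not the intended recipient: cannot unwrap record key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	record, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("record rejected: ciphertext or tag altered")
	}
	return record, nil
}

func main() {
	purchaser, err := NewPurchaserKey() // the party the user chose to sell to
	if err != nil {
		panic(err)
	}
	bystander, err := NewPurchaserKey() // any other participant in the exchange
	if err != nil {
		panic(err)
	}

	// Constructed sample record for the example; not real personal data.
	record := []byte(`{"user":"u-1001","interests":["cycling","coffee"]}`)

	env, err := Seal(&purchaser.PublicKey, record)
	if err != nil {
		panic(err)
	}
	if got, err := Open(purchaser, env); err == nil {
		fmt.Printf("purchaser reads: %s\n", got)
	}
	if _, err := Open(bystander, env); err != nil {
		fmt.Println("bystander:", err)
	}
}
```

The design point is that the data itself never has to be on the ledger: the ledger can carry the envelope or a hash of it, while the purchaser’s key, not the ledger’s immutability, is what excludes unauthorised parties. Selling the same record to a second purchaser means calling Seal again with that purchaser’s public key; the plaintext is never handed to an intermediary.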

Though we’ve no idea whether Microsoft is looking to blockchain to hand control of personal data back to its owners, blockchain technology is offering a potential way to solve this issue too. The key point is that the digital landscape we’ve known for the past few decades is changing.

Microsoft is not alone

ZDNet reported on Microsoft’s “Project Bali” back in January 2019; the then-available “About” page said the project is a:

“New personal data bank which puts users in control of all data collected about them…. The bank will enable users to store all data (raw and inferred) generated by them. It will allow the user to visualize, manage, control, share and monetise the data.”

There are scant details available as to how Microsoft plans to achieve its personal data bank or when it might tell the world more. We’re waiting to hear what “Data Dignity” looks like. What’s for sure is that Microsoft is unlikely to be alone amongst the technology giants working on new technologies and innovations to protect data privacy and impress consumers tired of the constant risk to their personal information.

Facebook, for example, is planning a more private future by encrypting its messaging services and changing to build smaller, more private communities. As reported by Computer Weekly, Mark Zuckerberg told the F8 developer conference:

“This is not just about a few new features, this is a change in how we build these products and how we run this company. It is not going to happen overnight. And, to be clear, we don’t have all the answers for how this is going to work yet.”

What’s also sure is that new data privacy regulations, like GDPR, and innovation in some of the world’s largest companies will, over time, influence the technology and practices of businesses of every size.

If “Big Tech” moves then others will follow; data management and cybersecurity are ever-changing. Even if smaller businesses aren’t ready to invest and investigate like the giants, they should at least be aware of what is happening across the technology landscape.


Web services provider Yahoo has reportedly emailed users announcing it is close to a $117.5 million settlement to end a class-action lawsuit following data breaches between 2012 and 2016.

TechRepublic writes that Yahoo users during the affected period may even be entitled to “a bit of money” as Yahoo looks to settle following the numerous breaches. Cybercriminals were able to access Yahoo email accounts, calendars, contacts, telephone numbers, birthdays, hashed passwords and even security questions and answers.

Three billion Yahoo accounts hacked

In August 2013, as confirmed by Yahoo in 2017, all three billion Yahoo user accounts were compromised. There were other breaches in 2012, 2014, 2015 and 2016. Yahoo domain websites are still popular, ranking 9th in the world according to Alexa and Wikipedia, and Yahoo was the most-read news and media website in 2016. But the internet company may never have recovered from the breaches: Verizon Communications bought most of Yahoo’s internet business in 2017 for nearly $4.5 billion.

As per the recent reporting, Yahoo is offering two years’ worth of credit-monitoring services to those with accounts affected between January 1, 2012 and December 31, 2016. Users who already have a credit-monitoring subscription may be able to ask Yahoo for around $100 instead.

TechRepublic writes that on Yahoo’s claim website, rather than in the email to affected users, Yahoo says the amount of compensation “may be less than $100 or more (up to $358.80) depending on how many Settlement Class Members participate in the settlement.” And that:

“The Settlement Fund will provide: a minimum of two years of Credit Monitoring Services to protect Settlement Class Members from future harm, or Alternative Compensation instead of credit monitoring for Class Members who already have Credit Monitoring Services (subject to verification and documentation).”

Yahoo has also agreed to cover other costs incurred by users because of the data breaches, including legal fees. Yahoo Premium and small business users may be “entitled to some reimbursement.”

Yahoo settlement to be approved

The proposed settlement is due for approval in a San Jose, US, court on April 2, 2020, and Yahoo has a dedicated website covering the settlement’s terms and eligibility, which describes the breaches as ones “where malicious actors got into system and personal data was taken” and also intrusions where systems were accessed but “no data appears to have been taken.” The settlement states:

“If you received a notice about the Data Breaches, or if you had a Yahoo account at any time between January 1, 2012 and December 31, 2016 and are a resident of the United States or Israel, you are a “Settlement Class Member.””

Settlement Class Members are able to file claims online to ask for the credit-monitoring services, or for the alternative compensation if they can prove they have already had a credit-monitoring subscription for the past year.

2013 Yahoo data breach is the largest to date

The Yahoo data breach of 2013, affecting three billion accounts, is believed to be the largest such incident in the history of the internet.

According to Wikipedia, Yahoo suspected a “state-sponsored actor” of being behind both breaches, though this has been disputed. The FBI is reportedly still investigating the 2013 breach, and four men were charged in March 2017 over the 2014 breach. The Yahoo breaches affected its servers, and forged cookies may have been used to access user accounts without needing the password. Stolen data from the 2014 breach was discovered for sale on the dark web.

First American Financial Corp and Facebook data breaches are the next largest

After Yahoo, the next largest data breach ever is that of First American Financial Corp, where 885 million records were exposed, including bank transactions, mortgage details and social security numbers. The data was found publicly accessible on a server this year. The breach was apparently caused by a “design defect” in an application.

Also this year, 540 million Facebook user records were exposed on an Amazon cloud server. A report by UpGuard explained that third-party Facebook application developers had posted the records publicly. Just recently another breach may have been revealed, with up to 419 million Facebook user records discovered openly available on the internet, though the records may have been obtained by data scrapers some time ago.

Cybercrime costs companies millions

Varonis puts the average cost of a data breach at $3.86 million. Data breaches happen to companies large and small: 1,244 occurred in the US in 2018 alone, exposing a total of 445.6 million personal records. Another report shows data breaches in the first half of 2019 may already have increased by 54%.

As well as a monetary cost, a data breach will cost a business important consumer confidence, and thus revenue, affecting it for months and years afterwards.

Businesses can do many things to protect against data breaches including operating rigid and comprehensive data security practices. Security awareness training is one of a number of key tactics, teaching employees to identify vulnerabilities and attacks and understand the importance of cybersecurity throughout any organisation and its suppliers.

The Defence Works is already helping many organisations to protect against cybercrime. Try our free demo to find out how.


Though cybercrime is an evidently growing concern for most businesses, a new survey has found some businesses are becoming less confident in their ability to understand and assess cyber risk, prevent cyber attacks, or deal with the impact of an attack or event.

The Global Cyber Risk Perception Survey Report 2019 compiled by Marsh in partnership with Microsoft “investigates the state of cyber risk perceptions and risk management at organisations worldwide.”

Cyber risk is a top concern

The survey of 1,500 companies found that 79% put cyber risk as a top five concern, a figure that has risen from 62% in 2017.

This correlates with another recent survey of UK banks and financiers which found expected cybersecurity investment rising from eighth on a list of technology investment priorities in 2018 to fourth in 2019.

The Marsh and Microsoft survey found 77% of respondents were considering investment in new technology, but 23%, including many smaller firms, believe the cyber risk of new technology outweighs the potential benefits. 64% of those asked said a cyber incident or attack would be the biggest prompt for a “planned increase in budget allocation,” with 46% saying news of an attack on another organisation would impact potential spend.

But, confidence in dealing with cyber risk is falling

The percentage of businesses who said they had “no confidence” in understanding and assessing cyber risk rose from 9% to 18% from the previous survey. A lack of confidence in preventing cyber threats rose from 12% to 19% and a lack of confidence in responding to cyber events, like attacks, rose from 15% to 22%.

This waning confidence could point to a greater need for security awareness and relevant training within businesses as they face ever-evolving threats. It is not just about employing new technology to cope with the threat of cybercrime: technology needs to be accompanied by education, following the old adage “knowledge is power.”

In fact, this latest survey found 83% of companies have “strengthened computer and system security over the past two years, but less than 30% have conducted management training or modelled cyber loss scenarios.”

Security awareness training could raise confidence

Empowered companies, and their employees, may gain confidence in dealing with cyber threats and in using new technology, without the perception that new technology must mean a new wave of threats. Some of the most common types of attack, like phishing attacks, rely on cybercriminals fooling individuals into opening scam emails and clicking on malicious URLs.

Cyber security is a long and broad game

In the Marsh and Microsoft survey, 50% of companies did say cyber risk is “almost never” a barrier to deploying new technology. 75% of respondents evaluate the risks of new technology before using it, but only 5% said “they evaluate risk throughout the technology lifecycle,” a concerning figure given that savvy cyber criminals constantly adapt their threats to thwart cybersecurity practices.

Security awareness should also be broad across an organisation. IT managers and professionals must be ahead of the game, but employees who use any software or systems at all need to be aware of the risks and of best practices for dealing with them.

So too must security awareness stretch to the implications along a company’s entire supply chain. Businesses must evaluate the processes and practices of third-party suppliers or vendors especially where data is handled, stored and at risk.

Marsh and Microsoft found that 39% of companies said the cyber risk from their technology supply chain was “high or somewhat high.” But only 16% recognised that their own risk impact along the supply chain could also be high. And, according to Marsh:

“Respondents were more likely to set a higher bar for their own organization’s cyber risk management actions than they do for their suppliers.”

Again, relatively few firms were “highly confident” in their ability to mitigate supply chain risk. Marsh suggests that supply chain risk should be a collective issue between partners. In its key takeaways overall, the report says companies should:

“Create a strong organisational cybersecurity culture, with clear, shared standards for governance, accountability, resources, and actions.”

Comprehensive, cross-company security awareness can help to prevent cybercrime in a number of ways, including preventing human error or employees becoming unsuspecting victims of scams and phishing emails, which often lead to system breaches. Awareness is proactive and preventative, helping to maximise the cost-effectiveness of technology investment and hopefully prevent cyber breaches and the immense costs that they can cause. Security awareness also helps with regulatory compliance.

Security awareness training can boost corporate confidence

Most importantly, and most relevant to this latest survey on the growing issue of cyber risk, good awareness and knowledge can boost confidence, empowering individuals at any level to meet risk head-on, or at least to know what to do, or who to go to, if they identify a potential risk.

The Defence Works is already helping many organisations to protect against cybercrime. Try our free demo to find out how.


The Lloyds Banking Group “Financial Institutions Sentiment Survey” finds that cybersecurity investment is now more of a priority for UK banks and financiers than before.

In last year’s survey cost cutting and improving customer satisfaction came ahead of cybersecurity in the corporate priorities of 100 influential executives from leading banks, insurance companies, asset managers, and other financial firms. This year it’s different.

Cybersecurity is moving up on the list of priorities

Computer Business Review reports on the new data, pointing out that Brexit, economic uncertainty, and new regulation still sit as the first, second, and third priorities respectively. But, importantly, cybersecurity has moved from eighth on the list of technology investment priorities in the 2018 survey to fourth in this new 2019 survey.

The respondents were asked how their companies would prioritise investments in a list of 10 technologies and use cases. 70% said they would be investing in information security/cybersecurity in the next 12 months. Only 6% said they “weren’t actively monitoring” the problem.

Running second on technology investment priorities was cloud technology with 60% potentially investing in the next 12 months. 49% said APIs were a likely investment in the next 12 months, followed by 38% citing data science, machine learning and artificial intelligence (AI).

Interestingly, 27% of the survey’s participants saw investments in “RegTech,” or regulatory technology, as a priority for the next year, a relatively low figure despite GDPR’s ongoing demand for better data management and compliance.

The survey also revealed that 46% of the companies involved expect to grow overall fintech investment in the next year, with 51% continuing at current investment levels, and only 3% likely to reduce technology investment spend.

Robina Barker Bennett, Head of Financial Institutions at Lloyds Bank Commercial Banking, says:

“In 2019, firms are arguably more dependent than ever on technology. With this rapid advancement, the risks from cybercrime are increasing, placing extra pressure on financial institutions to change the way they operate.”

Five main types of cybercrime affect UK businesses

MSSPAlert recently reported on the National Cyber Security Centre’s (NCSC) findings of five types of cybercrime which are most affecting UK businesses today. These attack trends were apparent between October 2018 and April 2019.

Ahead of the list are attacks on Microsoft Office 365 users, where cybercriminals deploy tools and scripts to attempt to guess users’ passwords. Ransomware attacks are common across all industries and sizes of organisation. Phishing attacks, via email, are the most common, but the exploitation of software vulnerabilities also occurs frequently, and the use of third-party IT providers or vendors can leave companies at risk too.

Systems and employees are the best defence

It’s worth noting that another recent report identified individual employees as the best defence against phishing attacks on companies, as 99% of email attacks rely on human interaction to be successful. Educating employees on security awareness and on the types and features of phishing attacks helps to protect against this kind of cybercrime.

To protect users of cloud software, like Office 365, strong and complex password deployment is key to thwart the tools and scripts used by cybercriminals.

And, vulnerabilities need to be checked for, and patched, with regular software updates and vulnerability scanning to close gaps in networks and systems.

Supply chain risk, which occurs when vendor and partner systems are attacked, putting your company’s own data at risk, is indeed increasing. In 2018, research by the Ponemon Institute found that 61% of US organisations said one of their suppliers or partners had caused a breach.

Security awareness is vital

Security awareness plays a part in protecting against supply chain risk as well as most other types of cybercrime. For those considering increasing cybersecurity investment over the next 12 months, investing in cybersecurity awareness as well as systems and software is a prudent choice.

The Defence Works is already helping many organisations to protect against cybercrime. Try our free demo to find out how.


94% of consumers surveyed by IBM in partnership with The Harris Poll agree that businesses should be more proactive in protecting them against cybersecurity threats. And, of those surveyed over half put data privacy protection as a factor in their purchase considerations ahead of product or service quality. IBM says, “consumers are demanding to understand and have control over where their data goes.”

The new poll, published at the IBM News Room and reported by Security Intelligence covered 1000 adult US consumers and was conducted during August 2019.

Generally, IBM concludes that data privacy expectations are “highest” for healthcare providers, banks and insurance companies, and e-commerce websites. The general public also has higher expectations of the role that companies collecting personal information play in “developing a clear understanding of the use of personal information in business today” than of the role of consumers themselves, governments, watchdogs, or third-party users of data.

Consumer awareness is growing

The poll also outlined the ongoing threat of data theft or misuse, with 58% of respondents having had their own data compromised or knowing someone who has. It’s also clear that knowledge of data privacy concerns and data sharing behaviours is growing. IBM says:

“There is little doubt that companies share information with other companies: only 3 in 10 think it stays with the original company always (7%) or most of the time (24%).”

Control of personal data appears key to consumers

Consumer feelings also appear to be strong around control of personal data with around two-thirds being more willing to share personal data if there was a way to retrieve it and if companies can demonstrate how data is being used.

As it stands 84% of the survey’s respondents believe they have lost control of how their personal information is being used by companies. 83% would also cease doing business with a company if it were to share their personal information without their permission.

IBM launches new z15 enterprise platform

IBM itself has been working on a new enterprise platform for its business users which could better manage customer data privacy. The z15 enterprise platform was announced today and works across hybrid multicloud business environments. It has “Data Privacy Passports” and policy-based controls, including the facility to revoke access to data, which IBM describes as an “industry-first.” IBM’s press release, which included the findings of the new poll, says:

“The movement of data between partners and third parties is often the root cause of data breaches. In fact, 60 percent of businesses reported they suffered a data breach caused by a vendor or third party in 2018. With the growing adoption of hybrid multicloud environments, the importance of maintaining data security and privacy only grows more acute and challenging.”

Consumer attitudes similar across the globe

Though IBM and The Harris Poll concentrated on US respondents, consumer attitudes towards data privacy are not too dissimilar in the UK and Europe. In the UK, a year after GDPR came into effect, 75% of consumers are still concerned about the security of personal data, according to a poll of 1,000 UK consumers conducted by fingerprint identification technology company IDEX Biometrics and reported by Computer Weekly in July 2019. A TrustArc survey published in May 2019 found that only 36% of over 2,000 respondents trusted companies more post-GDPR.

Systems and Awareness go hand-in-hand

For businesses, especially large organisations which need to manage millions of items of personal data, choosing the right systems to manage consumer data is important. For businesses of all sizes, awareness of data privacy regulations, like GDPR in Europe and potential new federal and state data privacy regulations in the US, is critical too. Such privacy and security awareness is needed at every level of an organisation and in every employee that handles or collects consumer data.

Want to know about how you can adopt security awareness training easily? Sign up for a free demo, today.


The US could follow the EU’s GDPR as CEOs from technology giants like Amazon, Dell, IBM and Salesforce pen an open letter to the US Congress requesting federal level data privacy laws.

A total of 51 leaders from major companies which also included AT&T, Mastercard, Walmart and JP Morgan Chase signed a letter on behalf of America’s Business Roundtable, according to reporting by ZDNet and others.

Data privacy law, as in Europe, is progressing in the US. However, much new legislation is passed at state level or by various US law-making agencies. The result is different regulation across parts of the US, with national and multinational companies needing to adjust their operations regionally. A federal law would provide blanket data privacy law for the whole of the US, which could be more simply applied to software products, data storage, and everyday compliance.

Following the example of GDPR?

GDPR, implemented for the EU as of May 2018, covers the data and data privacy of EU and European Economic Area (EEA) citizens, as well as what happens to the data if it travels outside Europe’s borders. Consumer and government concerns, coupled with GDPR’s likely influence and reach, may well be inspiring the US and other countries to take a closer look at comprehensive data laws.

The Business Roundtable in the US boasts many of America’s largest companies as members. It has produced its own “consumer privacy framework,” broadly similar to GDPR, that it hopes the US Congress will build upon when creating federal level data privacy law.

The organisation and the CEOs signing the open letter believe a federal law will ensure “strong, consistent protections for American consumers” and allow “American companies to continue to lead a globally competitive market,” as per CNBC reporting. The letter explains:

“As Chief Executive Officers of leading companies across industries, our companies reach virtually every American consumer and rely on data and digital platforms every day to deliver and improve our products and services,” continuing that “Consumer trust and confidence are essential to our businesses. We are committed to protecting consumer privacy and want consumers to have confidence that companies treat their personal information responsibly.”

An impact on companies across the globe?

In the same way that GDPR applies to companies operating in Europe, any federal data privacy law passed by the US government will surely apply to companies operating within the borders of the US. But, just as GDPR built on the similar policies of its predecessor, the Data Protection Act, companies already complying with GDPR will have laid the foundations to comply with other global data privacy frameworks.

Data privacy protection will always be a work in progress

That said, GDPR compliance was not achieved with one single click for most companies. As well as being an IT systems and software challenge, GDPR needs employee awareness at all levels.

Achieving GDPR compliance has been and remains a steady process for many companies. As other countries, like the US, follow with their own regulations, all companies will need to continue to assess their systems and processes and educate their employees to achieve and retain compliance.

As the EU enters its second year of GDPR, European companies still need to work to maintain their compliance and build employee awareness. This work can include process and practice audits, the updating of policies and conducting refresher training. All companies must also keep themselves and their systems up to date and protected against cyber threats and cyber-crime.

The Defence Works offers GDPR training with a free demo available. We’ll also be on hand and be improving our offering as global data privacy laws impact our customers too. Data privacy legislation is here to stay and likely to be even more comprehensive in the future as consumers and lawmakers respond to the continued threat of the theft and misuse of very valuable personal data.


Phishing emails are one of the simplest and most common attack methods for cyber criminals. Though widely used to target individuals and their valuable personal and financial information, phishing emails can also carry dangerous files, trojans and viruses. Through individual recipients, these malicious files can embed themselves in company servers, steal information, and even shut down systems, with their illicit creators demanding a ransom to release their cyber-hold.

Phishing attacks rely on individual victims

A new report by Proofpoint, the “Annual Human Factor Report,” as reported by ZDNet, finds that 99% of phishing attacks rely on unsuspecting victims clicking URLs that lead to malicious sites and downloads.

Proofpoint Vice President Kevin Epstein says:

“More than 99 percent of cyberattacks rely on human interaction to work—making individual users the last line of defense. To significantly reduce risk, organizations need a holistic people-centric cybersecurity approach that includes effective security awareness training and layered defenses that provide visibility into their most attacked users.”

Increasing sophistication of phishing attack

Email-based cyber-attacks, known as phishing emails, are becoming “increasingly sophisticated,” writes ZDNet. Indeed they are: many now contain snippets of personal information or appear to be from a colleague or reputable service provider.

The clue to a nefarious email is often in the sender’s email address domain, the slightly off wording, or the details of the URL, or link, included in the message. A genuine email sender domain or link from PayPal, for example, is as simple as “…”; a suspect link or originating domain may have extra letters, numbers or symbols subtly hidden in it.

Edward Whittingham, Managing Director of The Defence Works told SC Media back in March 2019:

“Hovering over the link to see the destination URL is always a good idea. By doing this, users can check out the true destination which will typically not reflect the actual brand that it pretends to be from, or it will be close, but misconfigured in some way.”

At the time, SC Media was covering a report by CyberInt researchers in which phishing emails sent to financial sector employees were disguised as an internal anti-fraud exercise. If the phishing emails were opened, a malicious file was released onto the corporate network in question, potentially without the employee’s knowledge. The file, a type of trojan and malware, has the ability to extract the hidden coding used to protect sensitive information within a financial institution, or bank.

Very targeted attacks are dubbed “spear phishing,” and as they are more convincing, the number of individuals who unsuspectingly click and open a doorway to their employer for a cybercriminal is higher. Such cybercriminals are often chasing specific information.

Barracuda Networks reported another case of a phishing campaign targeting airline travellers. The malicious email’s subject line contained enough information about the airline, destination, and price of flight, that it was opened by over 90% of recipients.

Education and security awareness offer protection

The key to protecting individuals, and thus their employers, is education and, as Proofpoint also argues, security awareness. Training in how to identify and deal with phishing emails safely is vital. Hovering with your mouse over a URL in an email, for example, can reveal the real destination your click would take you to; if it looks suspect, then it probably is – don’t click. If unsure, it’s worth avoiding the email, deleting it, or contacting a system administrator for more advice.
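The clues described above (a sender domain or hovered link that is almost, but not quite, the brand’s real domain) can be checked mechanically. The following Python is an added example, not code from The Defence Works or from Proofpoint; its KNOWN_BRANDS allow-list, LOOKALIKES table and every sample link and address are constructed assumptions for illustration.

```python
"""Lookalike domain checker for email links and sender addresses.

Added example, not The Defence Works' own code. Given the text a recipient sees
(link text or sender display name) and the real destination (the hovered URL, or
the domain after '@' in the sender address), it reports the clues described above:
a brand on a domain it does not own, swapped look-alike characters, a brand buried
as a subdomain of an unrelated domain, or a displayed URL that differs from the
real one. KNOWN_BRANDS and all sample values are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Hypothetical allow-list: brand keyword -> domains it genuinely uses.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "office.com", "live.com"},
}

# Characters often substituted for a letter (constructed subset, incl. Cyrillic).
LOOKALIKES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})

IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def registrable_domain(host: str) -> str:
    """Last two labels of a host: 'www.paypal.com' -> 'paypal.com'.
    Naive on purpose: two-level suffixes such as .co.uk need a public-suffix list."""
    if IP_LITERAL.match(host):
        return host
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def brand_findings(visible: str, host: str) -> list:
    """Compare any brand mentioned in the visible text (or in the host) with the host."""
    findings = []
    domain = registrable_domain(host)
    folded = domain.translate(LOOKALIKES)  # 'paypa1.com' -> 'paypal.com'
    for brand, genuine in KNOWN_BRANDS.items():
        if brand not in visible.lower() and brand not in host.translate(LOOKALIKES):
            continue
        if domain in genuine:
            continue  # the brand's real domain: nothing to report
        if folded in genuine:
            findings.append(f"'{domain}' imitates {folded} with swapped characters")
        elif any(g in host for g in genuine):
            findings.append(f"{brand} appears as a subdomain of unrelated '{domain}'")
        else:
            findings.append(f"text mentions {brand} but target domain is '{domain}'")
    return findings


def check_link(link_text: str, href: str) -> list:
    """Findings for a hyperlink: link_text is what is shown, href is the real target."""
    parts = urlsplit(href if "://" in href else "http://" + href)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname in link target"]
    findings = []
    if "@" in parts.netloc:
        findings.append("text before '@' in the URL is not the host; real host is after it")
    if IP_LITERAL.match(host):
        findings.append("link target is a raw IP address, not a named site")
    findings += brand_findings(link_text, host)
    # A displayed URL that differs from the real target is the classic hover clue.
    if link_text.lower().startswith(("http://", "https://", "www.")):
        shown = urlsplit(link_text if "://" in link_text else "http://" + link_text)
        shown_domain = registrable_domain((shown.hostname or "").lower())
        if shown_domain != registrable_domain(host):
            findings.append(f"shows '{shown_domain}' but points to '{registrable_domain(host)}'")
    return findings


def check_sender(display_name: str, address: str) -> list:
    """Findings for a From: header, e.g. ('PayPal Service', 'alerts@paypa1.com')."""
    if "@" not in address:
        return ["sender address has no domain"]
    return brand_findings(display_name, address.rsplit("@", 1)[1].lower())


if __name__ == "__main__":
    # Constructed samples; none is a real phishing URL.
    samples = [
        ("PayPal", "https://www.paypal.com/signin"),
        ("PayPal", "https://www.paypa1.com/signin"),
        ("Confirm your PayPal account", "http://paypal.com.secure-login.example/"),
        ("https://www.paypal.com", "http://www.example-mail.test/x"),
    ]
    for text, href in samples:
        print(f"{text!r} -> {href}: {check_link(text, href) or 'consistent'}")
    print(check_sender("PayPal Service", "alerts@paypa1.com"))
```

The registrable-domain logic is deliberately naive (two labels only), so a production filter would use a public-suffix list and a fuller confusable-character table.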

There is also the dilemma of what to do if you do fall for a malicious email. A 2018 survey of 700,000 phishing emails revealed that half of the recipients opened the emails and about a third clicked a phishing link. That link could have asked for financial data or login credentials or released dangerous malware onto the user’s computer. Here at The Defence Works we have a quick guide on what to do if you click a phishing link.

Proofpoint’s recent report compiles 18 months of data from corporate customers. It also found that cybercriminals are more closely copying businesses in order to convince recipients an email is genuine, using tactics such as sending email during normal business hours. This evolution from the initial volume-based, hit-and-hope approach of phishing operators means even the most savvy of individuals might just fall for a scam.

Corporate action to combat phishing is evolving

Companies are evolving to cope with such cyber attacks too. As well as performing security awareness training, increasingly common is simulated phishing, or phishing tests, to cement employee awareness. This is where a company or IT security provider tests its employees with fake phishing scams, helping them to spot real attacks in the future.

The Defence Works can help your company to keep up with the increasing sophistication of phishing attacks, helping to protect against what can be a devastating impact by safeguarding individual employees through security awareness training. We can also help with simulated phishing campaigns, carried out in a way that supports individuals and reinforces employee knowledge.

Try our free demo to learn more. Individuals can be empowered by knowing they are the last line of defence and take an engaged role in the fight against cyber crime.


After ongoing data usage and privacy concerns, Facebook is facing new controversy from an old issue as it appears that millions of user phone numbers are easily available online.

Just a few short weeks ago the US Federal Trade Commission hit Facebook with a $5 billion US dollar fine for improper use of personal data. The fine, equivalent to CEO Mark Zuckerberg’s net worth, will be a record one if approved by the US federal government.

Now, an apparently anonymous online server containing data without any password protection has been discovered hosting up to 419 million Facebook user records contained in a number of databases. Without adequate protection literally anyone may have been able to access the stored information.

TechCrunch reports that the databases contained the records of 133 million US Facebook users, 18 million UK users, and 50 million users from Vietnam. The breached information appears to include Facebook IDs and the corresponding user telephone numbers. TechCrunch verified the authenticity of a number of records by checking users’ phone numbers against their Facebook IDs. The publication also used Facebook’s password reset process, which reveals part of a user’s phone number, to verify that further records were indeed legitimate Facebook users.

Facebook has restricted personal data access

In April 2018, after revelations, Facebook made a number of changes “to restrict data access on Facebook.” This included halting public access to, and the ability to search Facebook using, phone numbers or email addresses to derive further user information, a facility which was being abused by data scrapers. Facebook wrote at the time:

“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way. So we have now disabled this feature. We’re also making changes to account recovery to reduce the risk of scraping as well.”

Back in 2011 Facebook disabled an API used by developers in other applications that shared users’ mobile phone and address details without express user permission.

The discovered data may have been scraped from Facebook over a year ago

The database in question today was discovered by security researcher Sanyam Jain who could not identify who owned or published the information and reported his find to TechCrunch. The web host, after being contacted by TechCrunch, has now removed the files.

A Facebook spokesperson, Jay Nancarrow, has reportedly responded to the news saying there is no evidence Facebook accounts have been compromised and that:

“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers.”

Nancarrow also stated that the data had been removed from the internet. TechCrunch believe the data “appeared to be loaded to the exposed database at the end of last month,” but agreed that doesn’t mean the data published is new.

The data, then, was potentially scraped from Facebook at a time when it was easier for illicit actors to do so, and before Facebook made key changes in response to concerns. However, the 419 million reported records could well have been recently uploaded and, without password protection, obtained by others such as marketers, or worse. The issue remains as to who obtained the data in the first place, what they have used it for, and why it was uploaded to the internet.

Increasing pressure for companies to provide better data privacy

Though Facebook is making changes to its policies and processes, such a data breach adds to the pressure on the social media giant to better protect its users and their data. In addition to the very recent $5 billion fine, Facebook has also reportedly agreed to greater government oversight of how it handles user data, although the conditions of the settlement don’t appear to limit Facebook’s ability to collect and share user data with third parties.

Pressure to provide better data privacy is not just ramping up for Facebook. The implementation of GDPR has led to British Airways and the Marriott hotel chain receiving potential fines of £183 million and £99 million respectively and both for data breaches.

Both recent fines exceed the previous maximum fine of £500,000 issued by the UK Information Commissioner’s Office (ICO). That maximum fine was only ever issued once – to Facebook for its part in the Cambridge Analytica scandal, where the data of 87 million of its users was shared with the company. GDPR means that the ICO can now impose fines of up to 4% of a company’s annual revenue. The latest mammoth fine from the US for Facebook also hints that the US, like Europe, is getting serious about data privacy.

Consumers too are far more privacy aware today than ever before. Data breaches eat away at consumer confidence in a brand and, though Facebook’s user numbers are hardly plummeting, individuals expect better privacy protection.

Data hacks, breaches, and accusations of misuse don’t just happen to big brands either: any company of any size which obtains and stores the personal data of its customers or users is at risk.

Want to know more about security awareness training? Why not sign up for a free demo and find out how we’re already helping government and public sector organisations dramatically improve employee security awareness across their supply chains.
