Majority of SME businesses firms unprepared for cyber phishing attacks

57% of SME small businesses are unprepared for a cyber phishing attack, despite the fact that 78% have been hit by a cyber security attack that started that way, a report shows.

57% of SME small businesses are unprepared for a cyber phishing attack, despite the fact that 78% have been hit by a cyber security attack that started that way, a report shows.
Most cyber attacks can be traced back to a phishing email, but more than half of small businesses are unprepared to deal with email-based attacks, research has revealed

Security teams reported that they are struggling to respond to the number of suspicious emails being received, according to the latest European phishing response trends report by phishing defence firm Cofense.

Other key findings of the small business report include that the top security concern is phishing and email-related threats, with 41% of respondents saying their biggest anti-phishing challenge is poorly integrated security systems.

The UK reports the most suspicious emails each week across Europe with 23% reporting more than 500, followed by the Netherlands (22%), France (20%), Germany (18%) and Belgium (16%).

With phishing and email-related threats being the main security concern of the European-based survey respondents, the report said it is critical that businesses have an effective strategy to counter the attack vector, which is fully integrated with broader security solutions.

According to Cofense, it is paramount that phishing simulations are like the real thing and encourage reporting which, in turn, can not only stop a malicious email compromising an enterprise’s network, but can also give the incident response team a head start.

“The analysis of email-based attacks gives us extremely valuable insight into the security posture of European organisations,” said Rohyt Belani, co-founder and CEO of Cofense. “What we’re really looking at here is addressing human susceptibility and building human resiliency to work in concert with technology to combat security threats facing Europe.”

Cyber Security Phishing Dangers

  • More than one million new phishing sites created each month.
  • Phishing is no longer just a consumer problem, say experts. The scams are hurting companies’ reputations and bottom lines.
  • Email is the number one entry point for data breaches, which includes targeted email attacks such as business email compromise and spear phishing.
  • Targeted malware attacks and social engineering schemes such as phishing and whaling pose a growing security threat because cyber criminals are getting help from unwitting users.

Cyber attacks, particularly those on a scale that can siphon billions of euros from the financial system, involve a complex web of both victims and potential access points for cyber criminals to elevate the severity of an attack.

Phishing attacks, despite being among the most well-known cyber security attack vectors, are still consistently fooling companies and private individuals.

Phishing presents such a concern because it is the “spark that ignites a long line of malicious activity, creating a pipeline of infected systems and accessible data for threat actors to leverage in further criminal campaigns.

Small businesses need to engage with stringent educational campaigns around these issues across all levels of the organisation.

So if you want to save yourself stress, money and a damaged reputation from a phising data cyber incident with affordable, live systems protection please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Most UK Britons concerned about personal data sharing

More than half of UK consumers (57%) are worried that about how much personal data they have shared online.

More than half of UK consumers (57%) are worried that about how much personal data they have shared online.

Britons also feel that the data they share is not being used to benefit them, with 48% saying businesses benefit the most and 63% saying the organisation holding the data should be responsible for protecting it, according to a poll of more than 2,000 UK consumers commissioned by identity management firm ForgeRock.

Only a third (36%) of consumers say they would be likely to share personal data to get a more personalised service, with over half (53%) saying they would not be comfortable for their personal information to be shared with a third party under any circumstances. Just 15% say they would be likely to sell personal data to an organisation or business.

At the same time, UK consumers underestimate how much personal information is available online, with 46% saying they do not feel they know how much data is available about them online, 19% saying they think Twitter has access to data on users’ political affiliations, 31% believing Instagram has access to location data on its users, 48% thinking Facebook holds information on whether they have children, and 20% believing Facebook does not have access to any personal data about its users, despite the fact that social networks have access to this data on a large number of their users.

One in three would take legal action and 24% would contact the police about their personal data being shared.

British consumers are also clear that there would be consequences for any company sharing their data without their consent, with 58% saying they would stop using a company’s services completely if it shared data without their permission, 49% would remove or delete all the data held on them by that company, 44% would advise their family and friends against using the company, and 30% would request financial compensation.

Growing concerns about data sharing

With the EU’s General Data Protection Regulation (GDPR) set to give consumers much more control over their personal data and how it is used, the survey report said it is crucial that members of the public understand their rights and how their data is being used and shared.

The ForgeRock survey suggests there are growing concerns about data sharing, which businesses and regulators should address. Some 63% of UK consumers say they know little or nothing about their rights regarding personal data and 64% have never heard of or know nothing about GDPR.

Banks and credit card companies are most likely to be seen as trusted holders of personal data, the survey shows, with 82% of consumers reporting that they trust these organisations to store and use personal data responsibly. Amazon also performed well, with over three-quarters (78%) of consumers saying they trust the ecommerce company to manage personal data.

Social media platforms performed less well, with 63% of Britons saying they trust social networks to treat personal data in a responsible manner.

There is a clear correlation between the organisations consumers trust with their data and how in control they feel, the report said, with Amazon (60%), banks and credit card companies (58%) and mobile phone operators (51%) ranked as the organisations that give users most control over their data. Just 51% of UK consumers said they feel in control of the data that is shared with social media platforms.

In contrast, social media companies offer consumers experiences without any financial payment – instead they pay in data. If companies were more transparent about how their business models rely on purchases, attention or data, consumers would have a much stronger understanding of what their privacy risks are and could tailor their behaviours and trust levels accordingly.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Small businesses face unprecedented volume of cyber attacks

Small businesses are facing the highest levels of cyber attacks in both number and sophistication as automated swarm attacks increase.

Small businesses are facing the highest levels of cyber attacks in both number and sophistication as automated swarm attacks increase.

A cyber threat report reveals an average of 274 exploit detections per firm were recorded in the last quarter of 2017, up 82% from the previous quarter, according to Fortinet’s latest global threat landscape report.

The Fortinet report shows that the number of malware families also increased by 25% and unique variants grew by 19%, indicating not only growth in volume, but also an evolution of the malware.

Also, automated and sophisticated “swarm attacks” are accelerating, the report said, making it increasingly difficult for organisations to protect users, applications and devices.

As small businesses become more digital, the report warned that cyber criminals are taking advantage of the expanding attack surface to carry out new disruptive attacks, including swarm-like assaults that target multiple vulnerabilities, devices and access points simultaneously.

The combination of rapid threat development and the increased propagation of new variants is increasingly difficult for many organisations to counter, the report said.

The researchers found that encrypted traffic using HTTPS and SSL (secure sockets layer) grew to a high of 60% of total network traffic, but the report noted that although encryption can help protect data in motion as it moves between core, cloud and endpoint environments, it also represents a real challenge for traditional security technology that has no way of filtering encrypted traffic.

Three of the top 20 attacks identified in the quarter targeted internet of things (IoT) devices and exploit activity quadrupled against devices such as Wi-Fi cameras. None of these detections was associated with a known or named vulnerability, which the report said is one of the troubling aspects of vulnerable IoT devices.

Unlike previous IoT-related attacks, which focused on exploiting a single vulnerability, the report said new IoT botnets such as Reaper and Hajime can target multiple vulnerabilities simultaneously, which is much harder to combat.

The data shows ransomware is still prevalent, with several strains topping the list of malware variants. Locky was the most widespread malware variant and GlobeImposter was second.

The report highlighted an increase in sophisticated industrial malware, with the data showing an uptick in exploit activity against industrial control systems (ICS) and safety instrumental systems (SIS). This suggests these under-the-radar attacks might be climbing higher on attackers’ radar, the report said, citing an attack dubbed Triton, which has the ability to cover its tracks by overwriting the malware itself with garbage data to thwart forensic analysis.

Because these platforms affect vital critical infrastructures, they are enticing for threat actors, the report said, adding that successful attacks can cause significant damage with far-reaching impact.

The report also pointed out that steganography, which embeds malicious code in images, also appears to be resurgent.

The Sundown exploit kit, the report said, uses steganography to steal information, and although it has been around for some time, it was reported by more organisations than any other exploit kit, and was found dropping multiple ransomware variants.

The threat data in the quarter’s report reinforces many of the predictions made by the Fortinet FortiGuard Labs global research team for 2018, which forecast the rise of self-learning hivenets and swarmbots.

The report predicted that the attack surface will continue to expand, while visibility and control over today’s infrastructures diminish. To address the problems of speed and scale by adversaries, the report said organisations need to adopt strategies based on automation and integration.

“Security should operate at digital speeds by automating responses as well as applying intelligence and self-learning so that networks can make effective and autonomous decisions,” the report said.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

 

Poor data handling is effecting business sales

The failure to protect customer data is creating sales problems for businesses.

The failure to protect customer data is creating sales problems for businesses.

According to a survey by security firm RSA some 90% of respondents said they were concerned about their personal data being lost, manipulated or stolen.

Monetary theft (74%), identity theft (70%) and having embarrassing or sensitive information made public (45%) were the biggest data security concerns. More than a third (36%) also fear being blackmailed with stolen private images or messages.

Some 84% of UK respondents and 81% of Italians listed security information as a concern, both higher than the global average, while German respondents expressed the most concern about genetic data, US respondent were the most concerned about location data.

As a result, 78% said they try to limit the amount of personal information they share and 49% have falsified information online in an attempt to protect themselves,

More importantly from a business point of view, 62% of consumers said they would blame the company involved above anyone else, even the hacker had exposed their personal data.

With 78% saying a company’s reputation relating to its handling of customer data made an impact on their buying decisions.

In fact, an average of 69% said they have or would boycott a company that showed a lack of regard for protecting customer data, with 82% of UK respondents saying they do so.

Some 60% of all respondents said if they hear that a company has been selling or misusing data without consent they will avoid handing data over to them, and 58% said if they know a company has been mishandling data they are less likely to buy services from them.

RSA said “With more than half (54%) of respondents less likely to buy from a company they know has been mishandling data, and 62% inclined to blame the company above anyone else if data is lost, it’s clear consumers are ready to vote with their feet against organisations that fall short of their expectations.”

“The financial and reputational damage of a data breach in 2018 could be devastating.”

The research further underlines the business benefit of ensuring customers’ data and privacy is protected. More than half (53%) of respondents said they were more likely to shop with a company that could prove it takes data protection seriously.

Consumers clearly understand the value of their personal data and, while there may rightly be occasions for caution, they are willing to part with it under the right circumstances.

After the compliance deadline for the European Union’s (EU’s) GDPR on 25 May 2018, RSA Security predicts that organisational privacy and data protection failings will become even more transparent because businesses will be forced to disclose any breach of the regulation.

Under this microscope, the security firm recommends that organisations must think of the wider business impact of privacy and data protection, while also understanding how to work within the GDPR to their advantage.

The research report points out that the GDPR will affect all companies that handle EU citizens’ data, including US cloud providers and businesses in post-Brexit Britain.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Cyber139 supports Safer Internet Day

Cyber 139 is backing Safer Internet Day which is building online safety practices with young people.

Cyber 139 is backing Safer Internet Day which is building online safety practices with young people.

Many organisations including Cyber139 around the UK are contributing to the important work on making the internet a safer place for everyone

Tuesday 6 February marks Safer Internet Day 2018. Using the hashtag #SID2018, organisations globally will celebrate the safe and positive use of technology.

In Britain, the UK Safer Internet Centre, will be coordinating the activities of over 100 countries to “unite for a better internet”.

Last year’s #SID2017 initiative saw its highest engagement with 1,645 UK organisations supporting the event. Some 42% of children aged 8-17 and 23% of parents heard about the day in 2017, and this year we hope to see more people aware and presented with the online resources to help young people navigate the web effectively and safely.

To achieve this, tech businesses can easily support the initiative by promoting and raising awareness through social media and using #SID2018. Some organisations will be going the extra mile by running events and creating resources that will be getting updated on an ongoing basis.

For example, the South West Grid for Learning run sessions for children, staff and parents throughout the year. Activities such as this mean a lot more schools directly working to involve parents actively, including online safety in the curriculum, and even empowering students in peer-to-peer activities to help each other stay safe.

Safe and secure environment

The idea of supporting #SID2018 is that we work throughout the year to ensure the internet is a safe, secure environment for young people at all times. This is not to negate the ongoing challenge that new technologies emerge every year, which adds complexity to this issue. Nonetheless, we need to understand that this evolving environment is one that our young children must move with, as it is likely to be them who will be using these technologies most in their future jobs, lives and relationships.

In a time where the UK must fill a digital skills gap, an acute understanding and practice of online safety education must evolve in parallel with the innovation of new products and services. This will enable individuals now and in the future to be safe, active digital citizens.

A number of organisations working in partnership with UK industry to tackle illegal content issues, such as WePROTECT, Global Alliance and the Internet Watch Foundation (IWF), are excellent sources of information. The Royal Foundation’s Cyberbullying Taskforce has also set up a new code for children which offers simple steps to help tackle cyber bullying – Stop, speak, support.

There are also technical solutions provided by online services such as Google’s Safe Search function and YouTube Kids, as well as Instagram’s keyword moderation tool which allows parents and users to block comments that contain inappropriate language.

Most SMEs unaware of GDPR data protect laws

Less than half of UK SMEs, businesses and charities are aware of new GDPR data laws just four months before the deadline.

Less than half of UK SMEs, businesses and charities are aware of new GDPR data laws just four months before the deadline.

The new data laws will be brought in through the EU’s General Data Protection Regulation (GDPR), which will be implemented in UK law via the Data Protection Bill on 25th May 2018.

The new UK data protection legislation sets similar requirements and penalties for non compliance as the EU’s GDPR in an attempt by the UK government to ensure uninterrupted data flows between the UK and EU member countries after Brexit.

Awareness is higher among businesses that say their senior managers consider cyber security a fairly high or very high priority, with two in five aware of the GDPR.

The survey found that just over a quarter of businesses and charities that had heard of the regulation have made changes to their operations ahead of the new laws coming into force.

Among those making changes, just under half of businesses, and just over one-third of charities, have made changes to cyber security practices, including creating or improving cyber security procedures, hiring new staff and installing or updating anti-virus software.

Speaking in Davos, UK digital, culture, media and sport minister Matt Hancock said the government is strengthening the UK’s data protection law to make it fit for the digital age.

The new legislation is aimed at giving UK citizens more control over their own data, he said, as well as supporting innovative businesses to maximise the potential benefits of increasing use of data in the digital economy.

The new UK data protection legislation will give the ICO more power to defend consumer interests and issue higher fines, of up to £17 million or 4% of global turnover for the most serious data breaches, which is roughly in line with the penalties contained in the GDPR.

SMEs and organisations that hold and process personal data are urged to prepare and follow the GDPR guidance from the ICO.

There will be no regulatory “grace” period, but the government said the ICO is a “fair and proportionate” regulator.

“Those who self report, who engage with the ICO to resolve issues and demonstrate effective accountability, can expect this to be taken into account when the ICO considers taking action,” the government said in a statement.

Information commissioner Elizabeth Denham said the data protection law reforms put consumers and citizens first. “People will have greater control over how their data is used, and organisations will have to be transparent and account for their actions,” she said.

“This is a step-change in the law – businesses, public bodies and charities need to take steps now to ensure they are ready.”

According to Denham, organisations that commit to the spirit of data protection and embed it into their policies, processes and people will thrive in the new era of data protection.

“The GDPR offers a real opportunity to present themselves on the basis of how they respect the privacy of individuals, and over time this can play more of a role in consumer choice,” she said. “Enhanced customer trust and more competitive advantage are just two of the benefits of getting it right.”

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Small business needs to reduce cyber security threat to payment card data

Small business’ cardholder data is a prime security target for cyber criminals – which is only likely to increase in the coming year.

Small business' cardholder data is a prime security target for cyber criminals - which is only likely to increase in the coming year.

Despite investment in security and compliance, 2018 shows no signs of high profile hacks slowing down, with most security suppliers predicting the ransomware attacks that dominated 2017 will continue, driven by an increase in the providers of ransomware as a service (RaaS).

This cyber criminal business model is expected to increase the potential for even non technical attackers to target poorly secured organisations and consumers – which means businesses will need to step up their cyber defences more than ever before.

However, this rising threat can be mitigated with the introduction of controls required to secure this data under the Payment Card Industry Data Security Standard (PCI DSS), according to secure payments firm PCI Pal.

Breached organisations demonstrated lower compliance with 10 out of the 12 PCI DSS key requirements, according to the Verizon 2017 payment security report.  Whilst compliance does not guarantee an organisation will not be breached, the data shows that failure to comply almost certainly means they will be breached.

“Businesses may not be able to reduce the number of incoming threats but, by ensuring PCI DSS compliance, they can certainly reduce the success rate,” said James Barham, chief commercial officer at PCI Pal.

To date, he said, the vast majority of security investment has focused firmly on keeping cyber criminals out, but that only works to a certain extent. “Because there is much greater impetus for the hackers to devise new methodologies to gain access and the security industry at large is only ever playing catch up, but we expect 2018 to see a step change in the mentality of data protection from trying to keep people out, to simply ensuring there is no data for them to take,” he said.

If businesses can remove the valuable data from their environments, said Barham, it no longer matters if there is a breach. “De-scoping PCI data will increasingly become the method of choice for businesses augmenting their intrusion prevention positions next year,” he said.

Businesses typically reduce the scope of their PCI DSS compliance by reducing or eliminating the cardholder data they store and switching to third party payment service providers.

Similar strategies can be used to reduce the likelihood of failure to comply with the EU’s General Data Protection Regulation (GDPR) after the compliance deadline of 25 May 2018.

Due to the significant financial penalties that will be imposed in the event of a breach, non-compliance will not be an option for the vast majority of businesses,” said Barham.

Another reason he believes businesses are likely to de-scope is that another round of changes to the PCI DSS is scheduled for July 2018.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

ICO fines Carphone Warehouse £400K over data loss

Carphone Warehouse has received one of the highest fines by the ICO after putting it’s clients’ personal data at risk.

Carphone Warehouse has received one of the highest fines by the ICO after putting it's clients' personal data at risk.

The UK privacy watchdog – the Information Commissioner’s Office (ICO) warns that more stringent data protection laws will apply from 25 May 2018, with potentially much greater fines.The Information

According to the ICO, the personal data at Carphone Warehouse was exposed in a cyber attack because of the company’s failure to protect the data from unauthorised access.

The compromised customer data included names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details.

The records for some Carphone Warehouse employees, including name, phone numbers, postcode and car registration, were also exposed.

In determining the monetary penalty, the ICO considered that the personal data involved would significantly affect individuals’ privacy, leaving their data at risk of being misused.

Information Commissioner Elizabeth Denham said that a company as large, well resourced and established as Carphone Warehouse should have been actively assessing its data security systems and ensuring that systems were robust and not vulnerable to such attacks.

“Carphone Warehouse should be at the top of its game when it comes to cyber security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures,” said Denham.

Following a detailed investigation, the ICO identified multiple inadequacies in Carphone Warehouse’s approach to data security and determined that the company had failed to take adequate steps to protect the personal information.

Using valid login credentials, intruders were able to access the system via an out of date version of WordPress software.

The incident also exposed inadequacies in the organisation’s technical security measures. The ICO said important elements of the software in use on the systems affected were out of date and the company had failed to carry out routine security testing.

The ICO said its investigation had revealed a serious contravention of Principle 7 of the Data Protection Act 1998, which requires appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

According to Denham, the real victims are customers and employees whose information was open to abuse by the malicious actions of the intruder.

“The law says it is the company’s responsibility to protect customer and employee personal information,” she said. “Outsiders should not be getting to such systems in the first place. Having an effective layered security system will help to mitigate any attack – systems can’t be exploited if intruders can’t get in.

“There will always be attempts to breach organisations’ systems and cyber attacks are becoming more frequent as adversaries become more determined. But companies and public bodies need to take serious steps to protect systems and, most importantly, customers and employees.”

From 25 May this year, the law will get more stringent as the General Data Protection Regulation (GDPR) compliance deadline is reached, the ICO said.

Data protection by design is one of the GDPR’s requirements, the regulator said, and must be in every part of information processing, from the hardware and software to the procedures, guidelines, standards and polices that an organisation has or should have.

Companies and public bodies should ensure strong IT governance and information security measures are in place, tested and refreshed to comply with the provisions of the law, the ICO said.

Failure to comply with the GDPR requirements will put companies at risk of fines of up to €20m or 4% of their global annual turnover.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Cyber 139 wishes You a Safe and Secure New Year

Cyber 139 wishes You a Safe and Secure New Year in 2018

Cyber 139 wishes You a Safe and Secure New Year in 2018
With 2018 now here we hope that you have had a Merry Christmas and a great festive break and hope that you are looking forward to a safe and secure year ahead.

Digital identity needs to be cyber security priority in 2018

Protecting digital identities and protecting employees are key cyber security challenges for 2018.

Protecting digital identities and protecting employees are key cyber security challenges for 2018

The issues of protecting digital identity, gaining data visibility and protecting employees are key cyber security challenges for 2018 according to the cyber security 2018 predictions report by security firm FireEye.

“The idea that you can get someone’s date of birth, and their Social Security number and steal their identity and do fraudulent tax refunds, or try to get a loan or credit card – that has to change,” FireEye said.

“This has to happen. Otherwise, every five months, we’re going to have another huge data breach,” they warned.

In addition to the imperative of finding a better way to manage identity, RedEye said it was also important to find a way of dealing with international privacy.

On the topic of nation state actors in the cyber realm, RedEye considers Iran the most interesting country to watch, rather than Russia, China or North Korea.

RedEye said while Iran started “acting at scale” in 2017, the extent of that activity was not really known. “We don’t know if we are seeing 5% of Iran’s activities, or 90% – although I’m guessing it’s closer to 5% – but they’re operating at a scale where, for the first time in my career, It feels to me that the majority of the actors we’re responding to right now are hosted in Iran, and they are state sponsored,” they said.

On the topic of cloud security, RedEye claimed better visibility was of paramount importance. I know that a lot of people are depending on the cloud, and we need visibility.

“Many of these cloud providers are providing it, but we don’t always have security operations that can take advantage of that visibility and see what’s happening,” he said.

An area many companies are still overlooking, RedEye said, is protecting employees from cyber attack.

He said companies needed to consider whether hackers could access corporate accounts through hacking employees’ private accounts, or if they could make it appear as though they have hacked the enterprise.

“There are hackers out there who will hack an employee at a company, and they will post any document they can get, and they will say they hacked the company even if they haven’t. It’s a reputational thing – while it’s hard to gauge the public response to these types of incidents, right now many companies are being deemed irresponsible or negligent or compromised when they are none of those things,” he said.

RedEye said all security professionals should be thinking about what employees are doing when they go home, how they can be secured, how they can be helped, what policies are needed and how those policies could be enforced.

They advised that all organisations moving into the cloud should know everything that is going on.

While there are bound to be new, interesting attacks in 2018, organisations should be preparing for modified versions of current attacks

“For instance, do you have places where documents are getting uploaded and then going into your back office? That’s a good place to ensure there is some high-grade detection, beyond an antivirus scanner. Because you essentially have unauthenticated input going directly into the key parts of your organisation.”

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139