Nearly half of UK firms hit by cyber phishing attacks

Nearly  half of UK businesses have been compromised in the past two years using phishing attacks, despite high levels of cyber awareness and training.

Nearly  half of UK businesses have been compromised in the past two years using phishing attacks, despite high levels of cyber awareness and training.

Phishing attacks aimed at stealing legitimate user credentials have been used in the past 24 months to compromise 45% of UK organisations, according to research on behalf of cyber security firm Sophos.

Just over half (54%) of more than 900 IT directors polled in Western Europe said they had identified instances of employees replying to unsolicited emails or clicking on links contained within them, revealed a poll conducted by Sapio Research.

The study revealed that larger businesses are most likely to have been compromised by phishing attacks, despite also being most likely to conduct phishing and cyber threat awareness training.

Although businesses in the UK fell victim to phishing attacks at a similar rate to those in France (49%) and the Netherlands (44%), those in Ireland performed significantly better. Just 25% of Irish respondents said they had fallen victim to phishing in the past two years.

Across all respondents, 56% of companies employing between 500 and 750 people were identified as phishing victims in the past two years, while two-thirds (65%) had identified instances of employees replying to unsolicited emails or clicking on links contained within them.

By comparison, just 25% firms with fewer than 250 people and 36% of organisations with between 250 and 499 employees had been compromised by phishing in the same period.

Half of firms with fewer than 250 people offered training to help employees spot attacks, compared with 78% of those with between 500 and 1,000 people. And 79% of UK companies conduct regular cyber threat awareness training already, while 18% said they plan to offer it in the future.

Adam Bradley, UK managing director at Sophos, said criminals are adept at using social engineering to exploit human weakness, so while well-trained employees are an excellent deterrent, even the best user can slip up.

According to Bradley, phishing is one of the most common routes of entry for cyber criminals. As organisations grow, their risk of becoming a victim also increases as they become more lucrative targets and provide hackers with more potential points of failure.

Given the frequency of these attacks, organisations that don’t have basic infrastructure in place to spot people engaging with potentially harmful emails and whether their systems are compromised are likely to encounter some really significant problems.

Organisations should block malicious links, attachments and imposters before they reach users’ inboxes, said Bradley, and use the latest cyber security tools to stop ransomware and other advanced threats from running on devices even if a user clicks a malicious link or opens an infected attachment.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 03333 393 139 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Businesses warned to prepare for cyber security extortion campaigns

Directors, lawyers and doctors are the top extortion targets of cyber criminals, researchers tracking  sextortion attempts reveals.

Directors, lawyers and doctors are the top extortion targets of cyber criminals, researchers tracking  sextortion attempts reveals.

Cyber criminal groups are promising rewards of £276,300 a year on average to accomplices who help them target high-worth individuals with extortion scams research reports.

The reward promises are even higher for accomplices with network management, penetration testing and programming skills, according to researchers at risk protection firm Digital Shadows.

One threat actor, the report said, was offering £600,000 a year, with add-ons and a final salary after the second year of £840,000.

The main method of cyber security extortion where criminals deem potential victims to be particularly vulnerable is so-called “sextortion”.

Digital Shadows tracked a sample of sextortion campaigns and found that from July 2018 to February 2019 over 89,000 unique recipients faced around 792,000 extortion attempts.

An analysis of bitcoin wallets associated with these scams found that sextortionists could be reaping an average of £414 per victim.

The campaigns follow a similar pattern, the researcher found, in which the extortionist provides the target with a known password as “proof” of compromise, then claims to have video footage of the victim watching adult content online, and finally urges them to pay a ransom to a specified bitcoin address.

However, the researchers said other campaigns can be even more sinister, with one spam campaign from December 2018 claiming that recipients will be “killed” if they did not pay.

Extortion is in part being fuelled by the number of ready made extortion materials readily available on criminal forums, the researchers said, adding that these are lowering the barriers to entry for wannabe criminals with sensitive corporate documents, intellectual property and extortion manuals being sold on by more experienced criminals to service aspiring extortionists for less than £10.

In one example, seen by Digital Shadows, the guide specifically focuses on a sextortion tactic whereby the threat actor begins an online relationship with a married man and then threatens to reveal details of the affair to his partner unless a ransom is paid.

The guide claims this extortion method is the easiest for “novice”’ threat actors to start with, suggesting they could earn between £230 and £380 per extortion attempt. Dedicated subsections exist on criminal forums for this type of dating scam.

Even greater levels of sophistication could be around the corner, the researchers warn, if so-called “crowd-funding” schemes take off.

In April 2018, threat actor “thedarkoverlord” stole documents belonging to the insurance provider, Hiscox, including files related to the 9/11 attacks in the US. The threat actor hoped to play on the public’s appetite for 9/11-related controversy and encourages people to raise funds to view the documents. Currently this campaign has amassed around £8,904.

Crowdfunding models such as this, the researchers said, allow extortionists to raise funds from the general public rather than relying on victims giving in to ransom demands. Organisations dealing with inflammatory or sensational information should therefore consider how they would respond if an attacker opts for this course of action, they said.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Use of Cyber Security Insurance increasing

The use of cyber security insurance is growing – but one in three companies is still ignoring the benefits.

Use of Cyber Security Insurance increasing

Cyber security insurance adoption is expected to continue to grow, but only 38% of companies polled in the US and Europe have active cyber insurance policies in place, a study has revealed.

Of those insured organisations, 45% purchased cyber security  cover in the past two years, 32% purchased their policy three to four years ago, and only 24% have been covered for more than five years, according to the study by IT industry networking organisation Spiceworks.

Despite the fact that the adoption of cyber security insurance policies to offset the recovery costs associated with security incidents continues to grow, the survey of nearly 600 organisations revealed that many organisations are still not sold on the benefits of cyber insurance and are hesitant to purchase a policy.

However, according to a separate poll in the Spiceworks Community, 11% of organisations without coverage plan to purchase a cyber insurance policy within the next two years.

Cyber security insurance drivers

The study shows that increased priority on security is a top driver of cyber insurance adoption, with 71% of organisations purchasing cyber insurance as a precautionary measure, while 44% cited an increased priority on cyber security as the reason they bought a policy.

The risk of managing large volumes of personal data also drove 39% of organisations to purchase cyber insurance. This is likely to be linked to the growing number of data protection requirements around the world, such as the EU’s General Data Protection Regulation (GDPR). However, less than 15% purchased a policy due to a recent security incident or data breach.

When comparing the prevalence of cyber security insurance policies in North America and Europe, the regulatory environment and impact of new regulations such as GDPR become apparent, the report said.

Only 4% of organisations in North America purchased cyber security insurance because of new data protection regulations, compared with 43% in Europe.

Across both regions, 52% of companies with cyber security insurance have a coverage limit between $1m and $5m, 19% have a coverage limit between $6m and $10m, and 16% are covered for more than $10m. However, the results showed only 7% had ever filed a claim with their cyber insurance provider.

Among the companies that do not carry cyber insurance, the lack of knowledge about cyber insurance was found to be one of the top three reasons why they have not purchased a policy. Some 36% of IT professionals said their organisation was not covered due to a lack of knowledge about cyber insurance, while 41% said it was not a priority at their organisation, and 40% said they didn’t have budget for it.

Additionally, 33% of organisations have not purchased a policy because they are not sold on the benefits, and 20% reported insufficient use cases for cyber insurance, while 12% said they were not confident claims would be paid out.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

O2 crash proves that humans are the weakest link in cyber security

The O2 mobile network failure that took out data access for some 30 million people recently was caused by an expired software certificate.

The O2 mobile network failure that took out data access for some 30 million people recently was caused by an expired software certificate

No programming error, no undiscovered bug, no malicious interference, but one of the most basic systems administration mistakes you can imagine. Someone somewhere just forgot to renew a certificate.

As a wise voice once said, there’s no patch for stupidity. And herein lies the great unspoken conundrum at the heart of the digital revolution.

Computers go wrong.

Why? Because they’re designed, manufactured, programmed, configured, secured and operated by the most fallible, unpredictable and unreliable resource in the technology world – people.

Of course, it’s those same people who every day ensure that the IT systems supporting every company and government in the world work mostly as intended, who keep the internet running and protect the vast majority of our personal data.

That’s because people are pretty good at computers these days. But we’ll never be perfect.

The job of running IT systems is becoming increasingly abstracted from the technology – virtualisation, cloud, containers, serverless, orchestration, all these trends aim to remove that human fallibility from everyday tasks. Not forgetting that it still takes another human somewhere to make those technologies work in the first place.

Much as artificial intelligence (AI) and automation are replacing or augmenting corporate jobs, so the IT department will see further dramatic change as more of its responsibilities are taken over by software robots. Of course, those software robots were created and programmed by humans too.

And they aren’t exactly perfect – as the Amazon workers in a New Jersey warehouse found out this week, when a robot accidentally punctured a can of bear repellent, sending 24 staff to hospital.

There is, correctly, much debate about ethics in AI and technology, not least the need to prevent human bias from becoming too infused in the algorithms they rely on.

People outside IT are taking more of an interest in the workings of IT than ever before. It’s fair to assume those non-IT types are pretty fallible too.

The outage was a small reminder of how reliant most of us have become on technology.

When O2 went down, there was much humour taken from the sight of people trying to consult paper maps to find their way around, and attempted insights from those who found a whole new world beyond the smartphone they’d been glued to until then.

For all the great advances of recent decades, it’s going to be a long time before we no longer see headlines screaming “computer crash”. Whether through malice or simple error, human fallibility is a part of our digital future too.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

GCHQ warns of cyber security scams on Black Friday

GCHQ has issued an warning of cyber security scams on Black Friday.

GCHQ has issued an warning of cyber security scams on Black Friday.

Black Friday sales could be targeted as easy pickings for cyber-crime, according to Cheltenham-based GCHQ.

The National Cyber Security Centre, part of GCHQ, is advising shoppers of the risk of online threats. It is the first such official cyber security warning in the run up to Christmas.

GCHQ wants to start a “national cyber-chat” today (Black Friday), when billions are spent online. Known for working in secret, the agency wants to be open and engage with the public over the seriousness of the threat.

The National Cyber Security Centre has tackled more than 550 significant cyber incidents over the past year, and has taken down almost 140,000 “phishing” websites.

The National Cyber Security Centre (NCSC) is giving tips for shoppers to avoid cyber-crime – and for the first time it will be publishing answers to questions from the public on Twitter.

The agency recently warned of a serious and sustained threat from elite hackers in other countries, which could include the theft of millions from retailers and attacks on the financial networks the shops depend on.

The British Retail Consortium is backing the calls for better cyber security during the Christmas shopping season, and retailers continue to invest heavily in protecting themselves against cyber-threats.

The National Cyber Security Centre’s advice to reduce the risk of cyber crime is:

  • Install the latest software and app updates
  • Type in a shop’s website address rather than clicking on links in emails
  • Choose strong and separate passwords for accounts
  • Keep an eye on bank accounts for unrecognised payments
  • Avoid over-sharing unnecessary information with shops, even if they ask
  • Make sure all your home gadgets are secure

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

UK business in the dark on impact of cyber security attacks

UK businesses so not understand the resilience required to withstand cyber security threats, a study shows.

UK business in the dark on impact of cyber security attacks

While 99% of UK business leaders believe that making technology resilient to business disruptions is important, only 54% claim their organisation is as resilient as it needs to be, a study has revealed.

In recent years, the security industry has increasingly recognised the importance of focusing on resilience to ensure that when defences are breached, organisations are able to reduce the impact on the business.

A fifth of more than 1,000 UK business decision makers polled by security firm Tanium admitted they would not be able to calculate indirect costs from lost revenue and productivity following a cyber attack.

The Tanium resilience gap study also found that there are more barriers to achieving the resilience that 97% of respondents believe to be important, with 38% of respondents blaming their organisation’s growing complexity as one of the biggest barriers to building business resilience, while 21% blame siloed business units.

Asked about their team and tools, 35% of respondent said the issue lies with the hackers being more sophisticated than IT teams, 21% claim that they do not have the skills needed within the company to detect cyber breaches accurately in real time, and 27% said poor visibility of entry points is a barrier to resilience.

Business resilience is fundamental to any strategy for long-term growth, yet the findings suggest that many UK businesses still have a long way to go.

The study also revealed gaps in accountability and trust across organisations.

One of the main reasons organisations are unable to achieve business resilience against disruptions such as cyber threats is due to growing confusion internally on where the responsibility for resilience lies.

More than a quarter (28%) believe it should be the responsibility of the CIO or head of IT, the same proportion said every employee should be responsible, while 13% said full responsibility lies with the CEO alone. One in 10 (11%) believe it falls to senior leadership.

Businesses are becoming entirely dependent on their technology platforms. But if that technology stops running, the business will too, with potentially serious consequences for sales, customer confidence, and brand equity, not to mention productivity.

To deliver resilience, a new discipline needs to be instilled across governments and enterprise organisations. This discipline is more than prevention. It’s more than recovery. It’s a shared practice that should unite IT, operations and security teams to ensure strong security fundamentals are embedded across the entire company network. Only then can organisations act and react in real time to threats.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

NSCS warns about business’s third party cyber security risks

GCHQ’s NCSC warns that third party suppliers may be businesses’ biggest cyber security risk.

GCHQ's NCSC warns that third party suppliers may be businesses' biggest cyber security risk.

Despite spending millions on cyber security enhancements and compliance around the General Data Protection Regulation (GDPR), organisations remain reluctant to address the weakest link in their IT security environment – their supply chain and associated third-party relationships.

A report in October from the UK National Cyber Security Centre revealed that the GCHQ offshoot had stopped almost 1,200 attacks in the past two years and is fighting off around 10 attacks every week.

Addressing third party cyber security risks are challenging and significant.

For larger organisations, procurement decisions are usually made without input from those responsible for cyber security, and such agreements can provide access to critical systems via open application programming interfaces (APIs) and other interaction mechanisms.

Supplier relationships are also overwhelming without a standard process to manage cyber risk when the relationship is via an arms-length contractual arrangement. Many organisations are struggling to address their internal network security issues and have not sufficiently considered the risks beyond their own network.

But third party cyber security risk is too significant and too dangerous an issue for board members to continue to overlook.

NIS Directive
Current regulatory initiatives including the Networks and Information Systems (NIS) Directive and GDPR require organisations to take responsibility for ensuring that external suppliers have implemented adequate cyber security measures.

Both NIS and GDPR require notification to the Information Commissioner’s Office (ICO) no later than 72 hours after an organisation is aware of a data breach or a cyber incident having a substantial impact on its services.

Many data breaches affecting large organisations occur within a third party service provider. Organisations that do not have the contractual provisions and processes in place with these suppliers to secure the necessary information surrounding the data breach are unlikely to meet the 72-hour deadline.

Missed deadlines and poor or inaccurate information reveal due diligence and contractual failures. These failures increase the risk of a regulatory investigation and significant financial penalties.

But regulatory fines are just the beginning. There are also civil liabilities, as well as loss of consumer trust and investor confidence that result from a cyber breach. Under GDPR, individuals can claim compensation for material and non-material damage.

A data controller is jointly and severally liable for the damage if it was in some way also responsible for a breach due to unlawful processing by a data processor.

To mitigate these risks, organisations that outsource cyber security functions should comprehensively review their third party contractual arrangements and revise their internal procurement processes and procedures to include cyber security assessments. These reviews should, at a minimum, assess, document and monitor these agreements.

Cyber threats are on the rise in both number and complexity. They are purposely attacking the supply chain. Recent regulatory approaches under NIS and GDPR require organisations to take an active role overseeing their third-party providers.

Failure to do so can result in regulatory fines, civil liabilities and reputational loss. Investing human and financial capital now to assess and mitigate risk can help significantly reduce these liabilities, protect an organisation’s reputation and strengthen consumer trust.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Investors target Board Directors for cyber security incidents PT2

Investors are growing concerned that directors are ill prepared for cyber security incidents and technological challenges.

Investors target Board Directors for cyber security incidents

An investor “We want the board to be tech savvy, but we wouldn’t just want it to be a tech board. Our fear is they appoint a tech expert but then no one else on the board is engaged. We want to understand the extent to which all the board is competent.”

Earlier this week, British Airways was forced to vow to compensate passengers after it revealed hackers had stolen data relating to about 380,000 customers from its website and mobile app during a two-week period in August. The data included personal and financial details.

Companies ranging from Equifax to JPMorgan Chase have all suffered data breaches in recent years. Meanwhile, large multinationals from Moller-Maersk to Reckitt Benckinser and FedEx were all forced to warn shareholders that the NotPetya cyber attack in 2017 had hurt profits, potentially costing each company hundreds of millions of dollars.

Ovidiu Patrascu, research analyst at Schroders, says it is crucial that companies have well-resourced cyber security teams that should ideally report directly to the highest levels of the organisation.

“As seen in a number of recent high-profile public failures, data breaches often uncover poor governance practices and weak management at the heart of companies, while also hitting their revenues and intangible assets such as reputation and trust,” he says.

“Cyber risk should also not just be the preserve of tech specialists — company boards also need to ensure they understand and can effectively oversee these very particular risks,” he adds.

A 2017 study by the Ponemon Institute, a research centre, found that there had been a 22.7 per cent rise in the cost of cyber security for businesses in just one year. It also found a 27.4 per cent rise in the number of data breaches at businesses, based on 2,182 interviews from 254 companies in seven countries — Australia, France, Germany, Italy, Japan, the UK and the US.

A follow-up study in 2018 found that the average cost of a data breach globally is $3.86m, a 6.4 per cent increase from the 2017 report. It also warned that so-called “mega breaches”, ranging from 1m to 50m records lost, could cost companies between $40m and $350m to deal with.

For many investors, the fact that a huge technology company such as Facebook could suffer a data breach has hit home how vulnerable smaller or less tech-savvy businesses could be. In July, Britain’s Information Commissioner’s Office hit Facebook with its first financial penalty over the data leak to Cambridge Analytica, accusing the social network of breaking the law.

A big investor at a large asset manager says that he wants boards to be able to explain where their key vulnerabilities are and whether they have stress tested the financial impact of tech issues. “We think every board member should be able to speak about this issue. They need to know where they are vulnerable, what the impact could be and how the board would respond,” he adds.

Mr Krefting says he wants the businesses M&G invests in to clearly outline in their reports and accounts what risks they face when it comes to technology and cyber security. “When we talk to companies about this, they often clam up — either because the CEO or chair doesn’t know about it or it is delegated to the chief information officer or someone below the board, or they say this is too sensitive.”

But he adds: “We want policies on governance and structures and how they are approaching cyber. We don’t necessarily need to know how many times they were faced with attempted hacks last week, but we want to see processes and that they are doing testing and that the right controls are in place.”

This article was first published by the Financial Times at https://www.ft.com/content/c70caa94-2d88-3ece-b802-79e9bac2f32c.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Cyber security criminals outspend businesses in security battles

Cyber security criminals are spending 10 times more money finding weaknesses in the cyber defences of organisations than the organisations they target are spending on protecting against attack.

Cyber security criminals are spending 10 times more money finding weaknesses in the cyber defences of organisations than the organisations they target are spending on protecting against attack.

Research from Carbon Black carried out in August also asked 250 UK-based CIOs, CTOs and CISOs about the attacks they faced over the past 12 months.

In total, 92% of UK businesses have had cyber security breaches in the past year and nearly half off those reported falling victim to multiple breaches (three to five times in the past year).

A total of 82% of respondents said they have experienced more attacks this year than last year. In the financial services sector, 89% said this is the case, while 83% of government organisations and 84% of retailers had also experienced an increase in the number of attacks.

Malware was the most common attack on the UK organisations surveyed, with about 28% experiencing at least one such attempted breach. Ransomware was the next most common, with 17.4% reporting at least one attack.

“Following a global trend, cyber attacks in the UK are becoming more frequent and more sophisticated, as nation state actors and crime syndicates continue to leverage fileless attacks, lateral movement, island hopping and counter incident response in an effort to remain undetected,” said the report. “This issue is compounded by resources and budgeting. Not only is there a major talent deficit in cyber security, there is also a major spending delta.”

The report found that IT leaders believe Russia and China to be the source of the vast majority of cyber attacks, but it identified North America as the starting point for more attacks than Iran and North Korea combined.

If you want to save yourself stress, money and a damaged reputation from a cyber incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected].com or complete the form on our contact page NOWContact Cyber 139

Money transfer frauds are top aim of business email cyber attacks

Tricking recipients into transferring money to cyber criminals is the top objective of business email compromise (BEC) attacks.

Tricking recipients into transferring money to cyber criminals is the top objective of business email compromise (BEC) attacks.Business email compromise is increasingly popular with cyber criminals to steal money and information as well as spread malware, security researchers find

The second most popular objective is to get the recipient to click on a malicious link aimed at stealing information or spreading malware, according to an analysis of more than 3,000 BEC attacks by Barracuda Networks.

BEC attacks are also known as whaling or CEO fraud because attackers typically compromise the email accounts of CEOs and other top executives so those accounts can be used to send messages to more junior staff members, tricking them into taking some action by impersonating the email account holder.

This tactic is extremely effective in manipulating employees as well as partners and customers of targeted businesses because few organisations have processes in place for checking or verifying instructions ostensibly received from a top executive in an email message sent from a genuine account.

In most cases, cyber criminals focus efforts on employees with access to company finances or payroll data and other personally identifiable information(PII).

The study shows that PII is another top target for BEC attackers, accounting for 12.2% of the attacks studied. Another 12.2% were aimed at establishing a rapport with recipients, which in most cases was followed up with a request for a money transfer.

The effectiveness of this attack method has made it extremely popular with cyber criminals, as is indicated by an 80% increase in the number of BEC attacks in the second quarter of 2018 compared with the first quarter, according to a recent report by email management firm Mimecast.

The Barracuda study reveals that in 46.9% of the cases studied, the objective was to trick employees into transferring business money into accounts controlled by the attackers, while in 40.1% of the cases, the aim was to trick them into clicking on a malicious link.

According to Barracuda, email is the top threat vector facing organisations due to the growing number of email-related threats, which include ransomware, banking trojans, phishing, social engineering, information-stealing malware and spam, as well as BEC attacks.

Not surprisingly, the analysis shows that CEO email accounts are the most commonly impersonated (42.95%), followed by other C-level account holders (4.5%), including the CFO (2.2%), and people in the HR and finance departments (2.2%).

CFOs are among the top recipients of BEC emails, representing 16.9% of recipients in the attacks studied, on a par with the finance and HR departments in general and compared with 10.2% received by other C-level execs.

However, the analysis shows that most recipients of BEC emails are in more junior roles, with 53.7% holding roles outside the C-level, underlining the need for regular, ongoing user awareness training.

If you want to save yourself stress, money and a damaged reputation from a cyber incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139