Majority of SME businesses firms unprepared for cyber phishing attacks

57% of SME small businesses are unprepared for a cyber phishing attack, despite the fact that 78% have been hit by a cyber security attack that started that way, a report shows.

57% of SME small businesses are unprepared for a cyber phishing attack, despite the fact that 78% have been hit by a cyber security attack that started that way, a report shows.
Most cyber attacks can be traced back to a phishing email, but more than half of small businesses are unprepared to deal with email-based attacks, research has revealed

Security teams reported that they are struggling to respond to the number of suspicious emails being received, according to the latest European phishing response trends report by phishing defence firm Cofense.

Other key findings of the small business report include that the top security concern is phishing and email-related threats, with 41% of respondents saying their biggest anti-phishing challenge is poorly integrated security systems.

The UK reports the most suspicious emails each week across Europe with 23% reporting more than 500, followed by the Netherlands (22%), France (20%), Germany (18%) and Belgium (16%).

With phishing and email-related threats being the main security concern of the European-based survey respondents, the report said it is critical that businesses have an effective strategy to counter the attack vector, which is fully integrated with broader security solutions.

According to Cofense, it is paramount that phishing simulations are like the real thing and encourage reporting which, in turn, can not only stop a malicious email compromising an enterprise’s network, but can also give the incident response team a head start.

“The analysis of email-based attacks gives us extremely valuable insight into the security posture of European organisations,” said Rohyt Belani, co-founder and CEO of Cofense. “What we’re really looking at here is addressing human susceptibility and building human resiliency to work in concert with technology to combat security threats facing Europe.”

Cyber Security Phishing Dangers

  • More than one million new phishing sites created each month.
  • Phishing is no longer just a consumer problem, say experts. The scams are hurting companies’ reputations and bottom lines.
  • Email is the number one entry point for data breaches, which includes targeted email attacks such as business email compromise and spear phishing.
  • Targeted malware attacks and social engineering schemes such as phishing and whaling pose a growing security threat because cyber criminals are getting help from unwitting users.

Cyber attacks, particularly those on a scale that can siphon billions of euros from the financial system, involve a complex web of both victims and potential access points for cyber criminals to elevate the severity of an attack.

Phishing attacks, despite being among the most well-known cyber security attack vectors, are still consistently fooling companies and private individuals.

Phishing presents such a concern because it is the “spark that ignites a long line of malicious activity, creating a pipeline of infected systems and accessible data for threat actors to leverage in further criminal campaigns.

Small businesses need to engage with stringent educational campaigns around these issues across all levels of the organisation.

So if you want to save yourself stress, money and a damaged reputation from a phising data cyber incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Most UK Britons concerned about personal data sharing

More than half of UK consumers (57%) are worried that about how much personal data they have shared online.

More than half of UK consumers (57%) are worried that about how much personal data they have shared online.

Britons also feel that the data they share is not being used to benefit them, with 48% saying businesses benefit the most and 63% saying the organisation holding the data should be responsible for protecting it, according to a poll of more than 2,000 UK consumers commissioned by identity management firm ForgeRock.

Only a third (36%) of consumers say they would be likely to share personal data to get a more personalised service, with over half (53%) saying they would not be comfortable for their personal information to be shared with a third party under any circumstances. Just 15% say they would be likely to sell personal data to an organisation or business.

At the same time, UK consumers underestimate how much personal information is available online, with 46% saying they do not feel they know how much data is available about them online, 19% saying they think Twitter has access to data on users’ political affiliations, 31% believing Instagram has access to location data on its users, 48% thinking Facebook holds information on whether they have children, and 20% believing Facebook does not have access to any personal data about its users, despite the fact that social networks have access to this data on a large number of their users.

One in three would take legal action and 24% would contact the police about their personal data being shared.

British consumers are also clear that there would be consequences for any company sharing their data without their consent, with 58% saying they would stop using a company’s services completely if it shared data without their permission, 49% would remove or delete all the data held on them by that company, 44% would advise their family and friends against using the company, and 30% would request financial compensation.

Growing concerns about data sharing

With the EU’s General Data Protection Regulation (GDPR) set to give consumers much more control over their personal data and how it is used, the survey report said it is crucial that members of the public understand their rights and how their data is being used and shared.

The ForgeRock survey suggests there are growing concerns about data sharing, which businesses and regulators should address. Some 63% of UK consumers say they know little or nothing about their rights regarding personal data and 64% have never heard of or know nothing about GDPR.

Banks and credit card companies are most likely to be seen as trusted holders of personal data, the survey shows, with 82% of consumers reporting that they trust these organisations to store and use personal data responsibly. Amazon also performed well, with over three-quarters (78%) of consumers saying they trust the ecommerce company to manage personal data.

Social media platforms performed less well, with 63% of Britons saying they trust social networks to treat personal data in a responsible manner.

There is a clear correlation between the organisations consumers trust with their data and how in control they feel, the report said, with Amazon (60%), banks and credit card companies (58%) and mobile phone operators (51%) ranked as the organisations that give users most control over their data. Just 51% of UK consumers said they feel in control of the data that is shared with social media platforms.

In contrast, social media companies offer consumers experiences without any financial payment – instead they pay in data. If companies were more transparent about how their business models rely on purchases, attention or data, consumers would have a much stronger understanding of what their privacy risks are and could tailor their behaviours and trust levels accordingly.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Poor data handling is effecting business sales

The failure to protect customer data is creating sales problems for businesses.

The failure to protect customer data is creating sales problems for businesses.

According to a survey by security firm RSA some 90% of respondents said they were concerned about their personal data being lost, manipulated or stolen.

Monetary theft (74%), identity theft (70%) and having embarrassing or sensitive information made public (45%) were the biggest data security concerns. More than a third (36%) also fear being blackmailed with stolen private images or messages.

Some 84% of UK respondents and 81% of Italians listed security information as a concern, both higher than the global average, while German respondents expressed the most concern about genetic data, US respondent were the most concerned about location data.

As a result, 78% said they try to limit the amount of personal information they share and 49% have falsified information online in an attempt to protect themselves,

More importantly from a business point of view, 62% of consumers said they would blame the company involved above anyone else, even the hacker had exposed their personal data.

With 78% saying a company’s reputation relating to its handling of customer data made an impact on their buying decisions.

In fact, an average of 69% said they have or would boycott a company that showed a lack of regard for protecting customer data, with 82% of UK respondents saying they do so.

Some 60% of all respondents said if they hear that a company has been selling or misusing data without consent they will avoid handing data over to them, and 58% said if they know a company has been mishandling data they are less likely to buy services from them.

RSA said “With more than half (54%) of respondents less likely to buy from a company they know has been mishandling data, and 62% inclined to blame the company above anyone else if data is lost, it’s clear consumers are ready to vote with their feet against organisations that fall short of their expectations.”

“The financial and reputational damage of a data breach in 2018 could be devastating.”

The research further underlines the business benefit of ensuring customers’ data and privacy is protected. More than half (53%) of respondents said they were more likely to shop with a company that could prove it takes data protection seriously.

Consumers clearly understand the value of their personal data and, while there may rightly be occasions for caution, they are willing to part with it under the right circumstances.

After the compliance deadline for the European Union’s (EU’s) GDPR on 25 May 2018, RSA Security predicts that organisational privacy and data protection failings will become even more transparent because businesses will be forced to disclose any breach of the regulation.

Under this microscope, the security firm recommends that organisations must think of the wider business impact of privacy and data protection, while also understanding how to work within the GDPR to their advantage.

The research report points out that the GDPR will affect all companies that handle EU citizens’ data, including US cloud providers and businesses in post-Brexit Britain.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Most SMEs unaware of GDPR data protect laws

Less than half of UK SMEs, businesses and charities are aware of new GDPR data laws just four months before the deadline.

Less than half of UK SMEs, businesses and charities are aware of new GDPR data laws just four months before the deadline.

The new data laws will be brought in through the EU’s General Data Protection Regulation (GDPR), which will be implemented in UK law via the Data Protection Bill on 25th May 2018.

The new UK data protection legislation sets similar requirements and penalties for non compliance as the EU’s GDPR in an attempt by the UK government to ensure uninterrupted data flows between the UK and EU member countries after Brexit.

Awareness is higher among businesses that say their senior managers consider cyber security a fairly high or very high priority, with two in five aware of the GDPR.

The survey found that just over a quarter of businesses and charities that had heard of the regulation have made changes to their operations ahead of the new laws coming into force.

Among those making changes, just under half of businesses, and just over one-third of charities, have made changes to cyber security practices, including creating or improving cyber security procedures, hiring new staff and installing or updating anti-virus software.

Speaking in Davos, UK digital, culture, media and sport minister Matt Hancock said the government is strengthening the UK’s data protection law to make it fit for the digital age.

The new legislation is aimed at giving UK citizens more control over their own data, he said, as well as supporting innovative businesses to maximise the potential benefits of increasing use of data in the digital economy.

The new UK data protection legislation will give the ICO more power to defend consumer interests and issue higher fines, of up to £17 million or 4% of global turnover for the most serious data breaches, which is roughly in line with the penalties contained in the GDPR.

SMEs and organisations that hold and process personal data are urged to prepare and follow the GDPR guidance from the ICO.

There will be no regulatory “grace” period, but the government said the ICO is a “fair and proportionate” regulator.

“Those who self report, who engage with the ICO to resolve issues and demonstrate effective accountability, can expect this to be taken into account when the ICO considers taking action,” the government said in a statement.

Information commissioner Elizabeth Denham said the data protection law reforms put consumers and citizens first. “People will have greater control over how their data is used, and organisations will have to be transparent and account for their actions,” she said.

“This is a step-change in the law – businesses, public bodies and charities need to take steps now to ensure they are ready.”

According to Denham, organisations that commit to the spirit of data protection and embed it into their policies, processes and people will thrive in the new era of data protection.

“The GDPR offers a real opportunity to present themselves on the basis of how they respect the privacy of individuals, and over time this can play more of a role in consumer choice,” she said. “Enhanced customer trust and more competitive advantage are just two of the benefits of getting it right.”

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Small business needs to reduce cyber security threat to payment card data

Small business’ cardholder data is a prime security target for cyber criminals – which is only likely to increase in the coming year.

Small business' cardholder data is a prime security target for cyber criminals - which is only likely to increase in the coming year.

Despite investment in security and compliance, 2018 shows no signs of high profile hacks slowing down, with most security suppliers predicting the ransomware attacks that dominated 2017 will continue, driven by an increase in the providers of ransomware as a service (RaaS).

This cyber criminal business model is expected to increase the potential for even non technical attackers to target poorly secured organisations and consumers – which means businesses will need to step up their cyber defences more than ever before.

However, this rising threat can be mitigated with the introduction of controls required to secure this data under the Payment Card Industry Data Security Standard (PCI DSS), according to secure payments firm PCI Pal.

Breached organisations demonstrated lower compliance with 10 out of the 12 PCI DSS key requirements, according to the Verizon 2017 payment security report.  Whilst compliance does not guarantee an organisation will not be breached, the data shows that failure to comply almost certainly means they will be breached.

“Businesses may not be able to reduce the number of incoming threats but, by ensuring PCI DSS compliance, they can certainly reduce the success rate,” said James Barham, chief commercial officer at PCI Pal.

To date, he said, the vast majority of security investment has focused firmly on keeping cyber criminals out, but that only works to a certain extent. “Because there is much greater impetus for the hackers to devise new methodologies to gain access and the security industry at large is only ever playing catch up, but we expect 2018 to see a step change in the mentality of data protection from trying to keep people out, to simply ensuring there is no data for them to take,” he said.

If businesses can remove the valuable data from their environments, said Barham, it no longer matters if there is a breach. “De-scoping PCI data will increasingly become the method of choice for businesses augmenting their intrusion prevention positions next year,” he said.

Businesses typically reduce the scope of their PCI DSS compliance by reducing or eliminating the cardholder data they store and switching to third party payment service providers.

Similar strategies can be used to reduce the likelihood of failure to comply with the EU’s General Data Protection Regulation (GDPR) after the compliance deadline of 25 May 2018.

Due to the significant financial penalties that will be imposed in the event of a breach, non-compliance will not be an option for the vast majority of businesses,” said Barham.

Another reason he believes businesses are likely to de-scope is that another round of changes to the PCI DSS is scheduled for July 2018.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Cyber security skills shortage can be addressed

The shortage of cyber security skills can be addressed according to the information security professional training and certification body (ISC)2

The shortage of cyber security skills can be addressed according to the information security professional training and certification body (ISC)2

There could be up to 1.8 million information security related roles unfilled worldwide by 2022, according to the latest Global information security workforce study from (ISC)2, but the organisation believes there are ways to address this potential shortfall.

“It makes no sense that we have employment issues for veterans and other communities on the one hand, and information security jobs being unfilled on the other,” according to John McCumber, director of cyber security advocacy at (ISC)2.

In this newly created role of advocacy for the information security profession, McCumber is engaging with the governments on issues such as workforce development and supporting information security professionals in the work they do.

McCumber, who has been working in information security in military, national security and civilian roles for the past 30 years, argues that in the light of the fact that there are jobs for people coming out of trade schools, there is no reason that aspects of cyber security cannot be turned into trades.

“By treating cyber security as a trade, it will enable school leavers to get some basic skills without having to do a four-year course and to provide valuable services in well-paid jobs in the cyber security field,” he said. “There are a lot of productive jobs in the cyber security field that do not need a four-year degree.”

The training is aimed at enabling veterans to join the (ISC)2 associate membership programme, which provides them with the experience required to qualify for various information security certifications.

“By enabling veterans to get certified as information systems security professionals, systems security practitioners and cloud security professionals, we are able to connect them with well-paying jobs,” said McCumber.

McCumber predicts that cyber security jobs will also begin changing in future as new technologies enable organisations to automate a lot of their cyber attack responses.

“Things like penetration testing are also likely to be automated with advances in so-called artificial intelligence, so (ISC)2 is working with information security professionals to position themselves for the new world of work and show organisations how they can help them understand their cyber risk and provide an objective way of managing that risk,” he said.

“As a result, that projected 1.8 million cyber security skills gap will not look as insurmountable in two to three years’ time,” he said.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

ICO wants jail terms for personal data misuse

The Information Commissioner’s Office (ICO) says it wants prison sentences for anyone misusing personal data unlawfully.

The Information Commissioner’s Office (ICO) says it wants prison sentences for anyone misusing personal data unlawfully.

A nursing auxiliary has been fined for accessing a patient’s medical records without a valid legal reason, prompting the Information Commissioner’s Office (ICO) to reiterate calls for prison sentences.

Cwmbran Magistrates’ Court fined 61-year-old Marian Waddell of Newport £232 after she admitted accessing a patient’s records at Newport’s Royal Gwent Hospital.

She was also ordered to pay £150 costs as well as a £30 victim surcharge for breaching section 55 of the 1988 Data Protection Act.

Waddell accessed the records of a patient, who was known to her, on six occasions between July 2015 and February 2016 without a valid business reason and without the knowledge of the data controller, the Aneurin Bevan University Health Board.

David Teague, the ICO’s regional manager for Wales, said it is disappointing that people continue to get into serious trouble over behaviour that is easily avoidable.

“Staff training, and the publicity around previous cases of this nature, means that they really should know better,” he said, adding that anyone whose work allows them to access sensitive personal data must realise that this information is out of bounds unless they have a valid and legal reason for looking at it.

Mike Shaw, enforcement group manager and head of the ICO’s criminal investigations team, warned that anyone accessing personal data without a valid reason or without their employer’s knowledge is guilty of a criminal offence and will be prosecuted by the ICO.

“If found guilty, you will face a fine and possibly have to pay prosecution costs,” he wrote in a blog post. “The court case will likely be covered by local media and the details played out over the internet. Not only could you lose your job, but your future employment prospects could be irreparably damaged too.”

“Of course, this issue is not unique to the NHS,” he said. “In 2017, we have also prosecuted cases involving employees in local government, charities and the private sector, the latter cases often involving an element of financial gain.”

Currently, section 55 offences can be punished only with a fine, and the nine convictions this year attracted fines and costs totalling more than £8,000.

“But in the future, we would like to see custodial sentences introduced as a sentencing option for the courts in the most serious cases,” said Shaw.

The ICO has long campaigned for custodial sentences for people convicted of accessing personal data unlawfully, especially for financial gain, under former information commissioners Richard Thomas and Christopher Graham, and now under current information commissioner Elizabeth Denham.

Most small businesses (SMEs) not prepared for GDPR

There is still much work to be done before small businesses (SMEs) are fully prepared for the EU’s General Data Protection Regulation (GDPR).

There is still much work to be done before small businesses (SMEs) are fully prepared for the EU’s General Data Protection Regulation (GDPR).

With the GDPR compliance deadline just over six months away, the UK’s small business community remains unsure about a number of related issues.

Small businesses are struggling to come to grips with what “personal data” really means, their customers’ new and extended rights, and whether the permissions they currently have to contact customers will meet the requirements of GDPR.

This is one of the key findings of the Close Brothers Business Barometer, a quarterly survey that questions more than 900 SME owners and senior management across a range of sectors and regions in the UK and Republic of Ireland.

“GDPR is intended to strengthen and unify data protection for individuals within the EU, but will also affect the UK regardless of Brexit,” said Neil Davies, CEO of Close Brothers Asset Finance.

“It will ensure that all personal data has to be managed in a safe and secure way, has to be gathered lawfully, is only used for the purposes for which it was collected, and must be accurate and up to date.

Poor understanding of GDPR compliance requirements

“The figures from the barometer tell us that uncertainty persists on a number of key compliance issues, and SMEs are concerned about the implications for their business.”

Less than a third (31%) of SMEs answered “yes” to the question, “Are you clear what ‘personal data’ means in a business context?”, with 50% responding “sort of” and the remaining 19% saying “no”.

“On a positive note, 73% of firm owners categorically stated that they do not share customers’ personal data with third parties,” said Neil. “There are, however, companies openly admitting to sharing customers’ details (8%), and a further 18% conceding they were unsure of whether they do or not.”

Less than half (48%) of respondents said they understand the new and extended rights that customers have when it comes to collecting and utilising their personal information.

Despite the lack of clear understanding of the extended rights customers will have, 58% of SMEs are confident that the permissions they currently have to contact customers will meet the requirements of GDPR.

“This still leaves more than 40% of firms which are unconvinced about their readiness ahead of 25 May 2018,” said Neil. “How it works is that companies must get prior consent from data subjects – opt in – and record that consent. What’s more, the consent must relate specifically to the purposes of why a company needs that data – companies cannot get consent for one purpose and then use the gathered personal data for another.

“On top of this, consumers must be able to revoke their consent as easily as it was originally given, because many consumers complain that it is easy to opt in to data gathering, but difficult to unsubscribe or opt out.”

Of those polled, 44% said they had a process in place to ensure their firm was collecting data in the correct manner, against 35% who were “unsure” and 21% admitting they had no existing process in place

“Businesses have to be seen to be compliant, and this includes ensuring these sorts of processes are in place to ensure customers are fairly treated,” said Neil.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Wannacry cyber security money laundering attempt thwarted

The Wannacry cyber security ransomware hackers have tried to conceal who they are by using a virtual currency that is more anonymous than Bitcoin.

Wannacry cyber security money laundering attempt thwarted

Victims paid more than £107,000 in bitcoins to recover files scrambled by Wannacry.

Earlier this week the gang behind the attack started to move the bitcoins out of the wallets they were paid into.

But the operators of the exchange they used to swap the bitcoins have now frozen the accounts they used.

Wannacry caught out thousands of firms around the world when it infected computers on corporate networks and encrypted their files, making them useless.

Victims were told to pay between £229 and £458 in bitcoins to have their files unscrambled and return computers to a working state.

Many security experts believed the money paid into three bitcoin wallets set up by the Wannacry creators would never be moved, because there was so much attention focused on who was behind the attack.

Moving the cash might expose key details about the attackers that could be used to track them down.

Whilst no one knows who owns the 3 accounts- the details of the acounts are known to the blockchain community as they can track the specific accounts.

But the bitcoins were moved earlier this week and some were piped to an exchange network called Shapeshift.io in an attempt to convert them to another virtual currency called Monero.

The Monero crypto-currency was set up to be more anonymous than Bitcoin and seeks to hide as much information as possible about every transaction.

The Wannacry gang is believed to have chosen Shapeshift.io for the digital cash transfer because the service can be used without signing up for an account.

However, the attempt to launder the cash via the platform seems to have been thwarted soon after Shapeshift was told what was happening.

Shapeshift said it would block any further attempts to change the Wannacry bitcoins into Monero or any other crypto-currency.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Defence minister opens £3m cyber security centre in

UK minister for defence procurement has opened a new cyber security centre aimed at boosting UK cyber defence capability and skills.

UK minister for defence procurement has opened a new cyber security centre aimed at boosting UK cyber defence capability and skills.

The Cyber Works centre, which employs 90 people, will enable Lockheed Martin to work more closely with UK partners to share knowledge and best practice, undertake research and develop new cyber defence capabilities.

In February 2017, Lockheed Martin announced that it would support the UK government’s CyberFirst scheme to inspire and support young people considering roles in cyber security.

The Cyber Works centre is designed to deliver cyber capabilities to UK government as well as support the development of skills and careers in cyber security and intelligence.

Harriett Baldwin, UK minister for defence procurement, said that with its £1.9 billion National Cyber Security Strategy, the country is a world leader in the field.

“The opening of today’s cutting-edge centre is a great example of how partnerships with industry are at the heart of that strategy,” she said. “Together, we are developing solutions to national security risks.”

A key part of the Cyber Security Strategy is partnerships with industry, with £10 million being invested in a new Cyber Innovation Fund to give startups the boost and partners they need

Baldwin said the UK is already leading Nato in its support for offensive and defensive operations in the fight against Islamic State (IS) and complex cyber threats. “This centre will further boost the UK’s cyber capabilities,” she said.

Lockheed Martin is the world’s largest aerospace and defence company and a longstanding leader in the fields of cyber security and intelligence.

The company pioneered the development of the cyber kill chain, an analysis method for cyber network defence that has been broadly adopted across industries and sectors.

Lockheed Martin is also a top provider of capabilities to defence and intelligence communities around the world and operates facilities to defend its own networks across 70 countries.

As well as investing in the new facility, Lockheed Martin plans to take part in the National Cyber Security Centre’s £6.5 million CyberInvest scheme to support cutting-edge cyber security research in the UK.

With National Offensive Cyber Planning allowing the UK to integrate cyber into all of its military operations, defence plays a key role in the country’s cyber security strategy, according to the Ministry of Defence (MoD).

Offensive cyber is being routinely used in the war against IS, not only in Iraq but also in the campaign to liberate Raqqa and other towns on the Euphrates, the MoD said.

In defence, the MoD said the £800m Innovation Initiative has already boosted investment in UK research and business, with multimillion-pound competitions to develop artificial intelligence and automated systems.

In January next year, the ministry will open a dedicated state-of-the-art Defence Cyber School at Shrivenham, bringing together all military joint cyber training into one place.

The MoD also has a key role to play in contributing to a culture of resilience, which is why the Defence Cyber Partnership Programme was set up to ensure its industrial partners protect themselves and meet robust cyber security standards, the ministry said.

 

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139