WannaCry biggest incident to date for National Cyber Security Centre

The WannaCry ransomware attack that started on 12 May 2017 is the biggest single incident that the new UK National Cyber Security Centre (NCSC) has faced.

The WannaCry ransomware attack that started on 12 May 2017 is the biggest single incident that the new UK National Cyber Security Centre (NCSC) has faced.

Although the global ransomware attack that heavily affected the NHS was unwelcome, it has provided an opportunity to test systems and raise awareness on key issues, according to Alex Dewdney, director for engagement and advice at the National Cyber Security Centre (NCSC).

“If you wanted to mount a national communications programme to make people sit up and take notice, you couldn’t have designed one better than this,” he told the Security Innovation Network (Sinet) Global Cybersecurity Innovation Summit in London.

“I never thought I would hear so many ministers using the word ‘patch’, which has now become part of everyday conversation, so we need to take that opportunity and to build on that.”

Dewdney emphasised that the NHS was not targeted specifically, although NHS networks were affected significantly in the UK. Other UK organisations were affected, but the diversity of victim organisations was much greater in other countries around the world, including Russia.

Although the spread of the ransomware has slowed, it spread initially very quickly by using a specific vulnerability in the Microsoft file sharing protocol sever message block known as SMB to propagate in and between networks.

“In March 2017, Microsoft issued a patch for supported operating systems, and following the attack they issued emergency patches for unsupported operating systems as well,” said Dewdney, noting that while these patches prevent the spread of the infection, they do not help organisations to get back encrypted data.

Dewdney confirmed that the attackers behind the ransomware are still unknown, but he said the level of sophistication is well within the reach of “criminal entities” requiring the NCSC to work at an extremely high tempo. “It is easily the biggest and most complex cyber incident the NCSC has had to manage so far,” he said.

In response to the attacks, the NCSC’s incident management function was called into action. The initial focus was on understanding the technical characteristics of the attack, how it was spreading, and who the victims were.

The incident management team was also working to establish who was behind the attack and what the initial attack vector was, but these questions remain unanswered to a high level of confidence five days after the attack.

The NCSC also started looking at ways to protect victims and potential victims in terms of publishing advice on how to immunise against the ransomware and contain its spread, as well as what to do if already a victim. The NCSC was also working directly with some victim organisations to help put guidance into practice and help remediate.

The incident underlined the importance of partnerships for the NCSC, said Dewdney, including partnerships that were formed to scale the response and make inroads into this problem in a way that the NCSC could not have done on its own.

“We are still working very closely with the National Crime Agency (NCA), which has staff embedded in our teams. The NCA was able to deploy on the ground with victims at scale. They are also a vital source of information and forensic data, as well as analytic and investigative effort,” he said.

The NCSC is also still working with NHS digital and Care Cert. “The size and complexity of the health sector meant that we needed that central docking point to work with, and they did a fantastic job under very difficult circumstances,” said Dewdney.

The role of the NCSC’s industry partners was also absolutely critical, he said. “I cannot emphasise enough how grateful we are for the extent to which our partners in the cyber security industry really leaned in to help and pool the information they were gathering.”

According to Dewdney, the Cisp cyber information sharing platform “really came into its own”, both as a platform for sharing information and for discussion. “We need to build on that as a really key way of getting stakeholders to have live discussions about this kind of problem,” he said.

There was an international aspect too, said Dewdney, including the information that was provided to the international computer emergency response network and collaboration with the US.

At the same time, he said it was a truly national response, with the NCSC quickly establishing contact with authorities in Northern Ireland, Wales and Scotland.

Dewdney also highlighted the importance and the challenges of the media. “I think we did pretty well at pace in briefing senior politicians to speak, preparing ourselves directly in broadcast media, and using our web presence and social media to get the right messages across at the right time.

“LinkedIn proved to be a really important and useful platform, but we didn’t really engage in that, and that is an important lesson for us,” he said.

Overall, Dewdney said the NCSC bringing various organisations together under one roof also really proved its worth.

“There was a lot of consistency in what government was saying – officials, ministers and across our platforms. We achieved a greater consistency and therefore a greater sense of authoritativeness in what we were saying than we would have achieved before the NCSC was set up. We were able to get the messages out quite quickly and provide the assurance that patients’ confidential data had not been stolen,” he said.

However, he admitted that producing specific, usable and helpful guidance was a challenge. “How do you get messages across that are sufficiently technically detailed to be of practical use, but also easy to understand and follow.”

The NCSC decided therefore to publish a set of guidance for enterprises and another set for small to medium-sized enterprises (SMEs) and consumers, which is continually being refined and updated in response to feedback from those communities.

“We are really in the market for feedback around how we are getting those messages across and how they can be improved and made more useful,” said Dewdney.

One of the key lessons learned, he said, was about the power as well as the limitation of advice and guidance.

Dewdney said people are continually told to patch and update the systems, “but the fact is that people don’t always do it, so what we have got to realise as cyber security practitioners is that advice and even instruction is much easier to give than it is to follow”.

“We have to recognise that in the real world competing pressures and hard choices can easily get in the way. So we will continue with those exhortations, but as we mobilise campaigns to really make this happen across government, business, critical infrastructure and for consumers, we need to find the right mix of the ‘stick’ on the one hand and help to overcome those hurdles on the other,” said Dewdney.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

ICO reports record number of data breaches and fines

The UK Data Protection privacy watchdog reports that it has dealt with more data breach reports and issued more fines in the past year than ever before.

The UK Data Protection privacy watchdog reports that it has dealt with more data breach reports and issued more fines in the past year than ever before.

The Information Commissioner’s Office (ICO) has dealt with a record number of data protection incidents, nuisance marketing cases and individual complaints in the past year, according to its latest annual report.

The ICO’s annual performance statistics for 2016/17 also reveal that the regulator received more reported data protection breaches and fined more companies for unlawful activities than any previous year. The rpory can be found at: https://ico.org.uk/about-the-ico/our-information/annual-operational-reports-201617/

It seems that from a hacker perspective, many organisations are still leaving the front door open and the windows unlocked. Failure to protect and handle data correctly can also result in punitive actions for companies participating in the digital economy.

Wake up and get the knowledge to heep your data protected.

The record numbers are in part ascribed to the fact that the ICO’s free telephone helpline, live chat service and online reporting tool all helped make it easier for the public to report their concerns to the regulator, and the fact that audits and new self-assessment tools helped increase organisations’ awareness of their responsibilities.

The statistics show that data protection complaint cases rose to 18,354, around 2,000 more than the previous year. Some 2,565 self-reported data breaches resulted in 16 civil monetary penalties totalling £1,624,500 for serious breaches across a range of public, private and voluntary sectors.

The ICO received more than 166,000 reports about nuisance calls and texts. The ICO issued a record number of 23 fines in this regard, totalling £1,923,000, and issued nine enforcement notices and placed 31 organisations under monitoring.

More than 5,400 freedom of information (FOI) cases were received and 5,100 closed during the year, with 1,351 decision notices, which was “broadly similar” to the previous year, the ICO said.

“We have continued to monitor compliance and raised the threshold for our intervention, taking action if fewer than 90% of their FOI responses fall in the statutory timescale,” the ICO said.

The statistics show the ICO received more enquiries about the legislation it deals with than in the year before.

“Although calls to our helpline were slightly down on last year at 189,942, this was more than made up by new channels including our live chat service, which received 18,864 contacts. Letter and email contacts remained similar to last year,” the ICO said.
People at heart of ICO, says deputy commissioner

The ICO expects its work to intensify next year in the run up to deadline for compliance with the EU’s General Data Protection Regulation (GDPR) on 25 May 2018.

The GDPR introduces a more rigorous data protection regime and stricter penalties for breaches of up to €20m or 4% of annual global turnover, whichever is greater.

Deputy commissioner Simon Entwisle said: “We have advised and educated organisations to help them work within the law and we have taken action when they’ve fallen short of the mark.”

People will continue to be at the heart of what the ICO does as it looks to the future, he said, with the GDPR giving people greater control over their own data.

“We are working closely with organisations to help them understand their obligations and be ready for the new rules,” he said.

Entwisle said ICO staff at every level deserve credit for the contribution they have and continue to make. “Information commissioner Elizabeth Denham’s programme to strengthen the team – in both numbers and expertise – will equip the ICO to meet the challenges ahead.”

Testifying to the House of Lords EU Home Affairs Sub-Committee in a hearing on the new EU data protection package, Denham planned to expand the ICO’s staff to deal with the extra work burden to be imposed by the GDPR.

This includes plans to recruit 200 additional staff to take the total number to around 700 in the next three years, with the most pressing staff needs being in relation to the increased duties imposed by the GDPR and the need to educate people about the implications of the regulation.

Denham said Brexit had also added work for the ICO’s policy staff to ensure they can give advice to government and to parliament about what the various impacts would be of different regulatory arrangements post-Brexit.

In addition to the new work related to the GDPR and Brexit, Denham said the UK is increasing the work it is doing internationally regarding data protection enforcement.

“The ICO is one of the largest regulators globally. We have 35 years’ experience in this space and we have a newly developed international strategy,” she said.

“We are going to continue to lean in and engage deeply in work with our European colleagues on the implementation of the GDPR, but at the same time we are engaging in global enforcement work beyond Europe, which involves building bridges with other regulators around the world.”

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

GCHQ-developed phone security open to surveillance

A security researcher has said software developed by the UK intelligence agency GCHQ contains weaknesses making it possible to eavesdrop on phone calls.

A security researcher has said software developed by the UK intelligence agency GCHQ contains weaknesses making it possible to eavesdrop on phone calls.

The security protocol is used to encrypt Voice Over Internet Protocol (Voip) calls.
In a blog, University College London researcher Steven Murdoch said the encryption process was vulnerable.
GCHQ said it was “totally wrong” to suggest there was a “backdoor” into conversations.
Dr Murdoch did not say that the vulnerability would give direct access to conversations, but that it would make it possible to undermine the system’s security.
The network operator could listen in to calls, or authorise someone else to, and anyone who hacked the system would be able to eavesdrop, he said.

One of Dr Murdoch’s chief concerns was that the security standard has “key escrow” by design – meaning, for example, that a third party has access to data sent between two people in a conversation.

This, he said, is an example of a backdoor. In this case, it could allow an intelligence agency, or the organisation which is using the standard, to intercept phone calls, Dr Murdoch said.
“I think this comes from a conflict of interest within GCHQ in that they are there to prevent spying but they are also there to spy – so they facilitate spying,”
Dr Murdoch added that he was aware of two products which use the standard, both of which are government certified. “They could be in use inside government,” he said.

The protocol in question is known as Mikey-Sakke (Sakai-Kasahara key encryption in multimedia internet keying).

It works by generating encryption keys that are used to encrypt and decrypt voice conversations. Although it is technically possible to create these keys on two separate computers and only share part of those keys publicly, the Mikey-Sakke protocol does not do this.
Instead, keys are distributed by a third party to the conversation participants – the process known as key escrow – meaning that they are much more vulnerable to interception.
It was up to GCHQ, he said, to make the scope of the protocol clear.
“If you don’t explain how you’re going to use it, what systems it’s going to be used in, what the scope and limit of the escrow facility is, then you’re going to get bad publicity,” he said.
A spokesman for GCHQ said: “We do not recognise the claims made in this paper.
“The Mikey-Sakke protocol enables development of secure, scalable, enterprise grade products.”
In a statement, GCHQ added: “Organisations using Mikey-Sakke do not share a common Key Management Server, so it is totally wrong to suggest there is a secret master key or ‘backdoor’ that would allow GCHQ or any other third party to access real time or historic conversations.

What to do first when hit by a cyber attack

At some point, the chances are growing that your business will have to deal with a cyber security incident.

At some point, the chances are growing that your business will have to deal with a cyber security incident.
But when you are under pressure and your team is stressed, people make mistakes.

Crisis patterns over the past decade have changed dramatically. 10 years ago elements such as civil war and oil prices were the top global risks to take into account. Now we see water crisis and extreme weather events taking control of keeping us up at night.

Delaying too long in making critical response decisions may exacerbate the impact of the incident but, conversely, making knee-jerk decisions can cause further damage to the business or hinder a complete response.

There are many ways you may suspect that a security incident has happened, from detecting unusual activity through proactive monitoring of critical systems or during audits, to outside notification from law enforcement and compromised data located in the wild.

However, indicators such as unusual CPU (central processing unit) and network usage on a server may have multiple potential causes, many of which are not information security incidents. So it is vital to investigate further before jumping to conclusions.

Do you have any corroborating evidence? For example, if the IDS (intrusion detection system) detects a brute force attack against the website, do web logs support this having occurred? Or, if a user reports a suspected phishing attack, has this email been received by other users and did the user click on links or open documents?

You also need to think about answering questions about the nature of the incident. Is it a generic malware infection, or an active system hack? Is there an intentional denial of service (DoS) attack in progress and is this an incidence of deliberate insider action?

Once you have confirmed an incident has occurred, you need to take time out from initial response activities to prioritise your actions and decide, definitively, what the business objectives are for the response operation. Incident triage generally consists of classifying the incident in terms of impact and urgency and how it should be handled. The incident response team can then use the impact, urgency and priority evaluation to define the objectives for the incident response operation and assign actions or further investigation, as required.

Impact classifications defined by the National Cyber Security Centre’s (NCSC) GovCertUK and adopted by Crest, the body that represents the technical security industry, may provide a useful point of reference for initial classification based on the perceived or established impact.

Many minor types of incident can be capably handled by internal IT support and security. All events should be reported back to the information security team who will track occurrences of similar events. This will improve understanding of the IT security challenges and may raise awareness of new attacks.

It is not necessary to report on incidents with little or no impact or those affecting only a few users, such as isolated spam or antivirus alerts, minor computer hardware failure and loss of network connectivity to a peripheral device, such as a printer.

The urgency of an incident should also be assessed along with the impact. Some incidents are unlikely to worsen over time, such as the discovery of a historical compromise by a former employee. But in other cases, such as a ransomware outbreak, it may be absolutely critical to respond rapidly to isolate the infection.

Mobilising full emergency incident response capabilities may not be applicable or appropriate in every situation. You need to understand as much about what you are dealing with as you can. For example, who is the attacker? How was the attack introduced? When did the attack occur? What data or systems have been compromised? Is the attack ongoing? Why were we the target of the attack?

The goal of triage is to understand the methodology and the extent of the attack as fully as possible, in the shortest possible time.

Information about the incident, the impact, urgency and business impact analysis for the affected data or systems will guide the incident response operation. If possible, the business priorities should be pre-determined and documented in incident response plans.

Objectives for the incident response team could include:

Resumption of service as quickly as possible, where the affected system is critical in terms of availability for the business.
Rapid ring-fencing and protection of confidential information, where the affected system or network is critical in terms of confidentiality for the business.
Integrity checking of the affected systems, where integrity of data is critical for the business.
Preservation of evidential integrity, where criminal activity is suspected and prosecution is likely to be an outcome of the incident, or where culpability must be established definitively.
Identification of the origin of the threat and gathering intelligence about the activities being conducted during the incident.

For organisations with known advanced threat actors, continued covert observation of an attacker to determine their goals and modus operandi may be an objective of the incident response operation for intelligence-gathering purposes, even if the urgency for containment is high. Experienced internal or external incident handlers should be used to inform these decisions.

Once the priority of the incident and the objectives of the response have been defined, it is time to act and allocate activities to the incident response teams.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Only 5% of FT 100 cos have cyber board member expertise

Only 5% of FT 100 company boards have a board director with specialist technology or cyber security experience, according to research by Deloitte.

Only 5% of FT 100 company boards have a board director with specialist technology or cyber security experience, according to research by Deloitte.This is despite cyber risk being identified as a principal risk by the vast majority of them. Of the type of cyber attacks disclosed as a threat, unauthorised access to systems ranked most common (19%), followed by hacking (13%) and malware (13%). Distributed denial of service (DDoS) attacks were only mentioned by five companies, despite Deloitte predictions that we could see ten million DDoS incidents in 2017.

More than half of companies mentioned cyber contingency, crisis management or disaster recovery plans in their annual report. Of these, however, only 58% disclosed that these plans had been simulated in test scenarios over the year.

The most commonly disclosed potential impacts of cyber breaches were business disruption (68%), reputational damage (58%), and data loss (45%).

Clearly, the more frequently and stringently mitigation plans are tested, the more resilient and responsive the company. Interestingly, very few reports identified employee action as one of their cyber security threats. Company employees are, knowingly or unintentionally, the most common cause of a cyber breach.

Deloitte’s analysis proposes seven principles to improve cyber disclosure when finalising reporting:

  • Every sector, although not every company, identifies cyber as a principal risk – think carefully if you have not done so.
  • The value destruction capability of cyber risk is very high, ranging from remediation demands to huge reputational damage. Detailed disclosure is therefore worthwhile to highlight the risks to shareholders and let them know you are taking it seriously.
  • The better disclosures are company specific, year specific and provide sufficient detail to give meaningful information to investors and other stakeholders.
  • Boards and board committees are increasingly educating themselves about the cyber threat and challenging management on how they are dealing with the risk.
  • Companies should take credit for what they are doing, including describing who has executive responsibility, board level responsibilities, the policy framework, internal controls, and disaster recovery plans.
  • Boards should think about what could be missing from their disclosures, for example a clear indication of the main threats facing the company, who poses those threats, the likelihood, possible impact and detail about what the company – and the board – is doing to manage or mitigate those particular risks.
  • Finally, if your disclosure does not look strong enough after taking credit for what the company is doing already, it is time to ask whether you are actually doing enough to manage cyber risk.

The report can be found at: https://www2.deloitte.com/uk/en/pages/press-releases/articles/just-5-of-ftse-100-companies-disclose.html

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email safe@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Kreb’s Immutable Truths About Data Breaches

Cyber 139 have been following Brian Kreb’s writings for a while and his Dilbert style post below caught our imagination:

Cyber 139 have been following Brian Kreb's writings for a while and his Dilbert style post below caught our imagination:

I’ve had several requests for a fresh blog post: A list of immutable truths about data breaches, cybersecurity and the consequences of inaction.

“There are some fairly simple, immutable truths that each of us should keep in mind, truths that apply equally to political parties, organizations and corporations alike:

-If you connect it to the Internet, someone will try to hack it.

-If what you put on the Internet has value, someone will invest time and effort to steal it.

-Even if what is stolen does not have immediate value to the thief, he can easily find buyers for it.

-The price he secures for it will almost certainly be a tiny slice of its true worth to the victim.

-Organizations and individuals unwilling to spend a small fraction of what those assets are worth to secure them against cybercrooks can expect to eventually be relieved of said assets.”

They may not be complete, but as a set of truisms these tenets probably will age pretty well. After all, taken as a whole they are practically a model Cybercriminal Code of Ethics, or a cybercrook’s social contract.

Nevertheless, these tenets might be even more powerful if uttered in the voice of the crook himself. That may be more in keeping with the theme of this blog overall, which seeks to explain cybersecurity and cybercrime concepts through the lens of the malicious attacker (often this is a purely economic perspective).

So let’s rifle through this ne’er-do-well’s bag of tricks, tools and tells. Let us borrow from his literary perspective. I imagine a Cybercriminal Code of Ethics might go something like this (again, in the voice of a seasoned crook):

-If you hook it up to the Internet, we’re gonna hack at it.

-If what you put on the Internet is worth anything, one of us is gonna try to steal it.

-Even if we can’t use what we stole, it’s no big deal. There’s no hurry to sell it. Also, we know people.

-We can’t promise to get top dollar for what we took from you, but hey — it’s a buyer’s market. Be glad we didn’t just publish it all online.

-If you can’t or won’t invest a fraction of what your stuff is worth to protect it from the likes of us, don’t worry: You’re our favorite type of customer!

From: https://krebsonsecurity.com/2017/01/krebss-immutable-truths-about-data-breaches/

Hackers follow the money too

Deepthroat suggested during the Watergate investigations to “follow the money”- for Nixon then, read hackers now.

Deepthroat suggested during the Watergate investigations to follow the money- for Nixon then, read hackers now.Now hackers are going after law firms for exactly the same reason. This month, US prosecutors charged three Chinese traders with securities fraud, saying they had made more than $4m trading on information allegedly stolen from two of the US’s best known law firms.

Though prosecutors did not identify the firms, the descriptions of them and the work they had done match Cravath, Swaine & Moore and Weil, Gotshal, two firms routinely hired by Fortune 500 companies to help run their big deals. Both firms have declined to comment.

Though prosecutors did not identify the firms, the descriptions of them and the work they had done match Cravath, Swaine & Moore and Weil, Gotshal, two firms routinely hired by Fortune 500 companies to help run their big deals. Both firms have declined to comment.

The US Securities and Exchange Commission said the hackers targeted seven firms known for their mergers and acquisitions work, hitting them with more than 100,000 attacks over a three-month period. They then struck gold with two

They then struck gold with two organisations. After installing malware on each law firm’s computer network, they gained access to their IT departments and from there broke into the files and emails of senior M&A lawyers. They ended up stealing nearly 60 gigabytes of data related to at least 10 potential deals.

In several cases, the information bore fruit — the hackers gained early word of Pitney Bowes’ 2015 offer for ecommerce group Borderfree and Intel’s 2015 purchase of Altera, and were able to trade ahead of them.

“This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world: you are and will be targets of cyber hacking because you have information valuable to would-be criminals,” said Preet Bharara, the US attorney for Manhattan.

Other professional services firms should take note- your reputation and organisation are at risk from hackers.

This is not the first time the industry has been hit by hackers who specialise in what is becoming known as “outsider trading”. Last year federal prosecutors charged nine people in the US and Ukraine with trading ahead of earnings press releases that had been provided to Marketwired, PR Newswire and Business Wire. That case inspired other Ukraine-based hackers to try their luck with law firms, according to intelligence firm Flashpoint, which put out a warning in March.

Accounting firms that provide tax advice on mergers, boutique advisory firms, and consultants who weigh in on synergies and downsizing plans are almost certainly on the criminals’ hit list. Retailers, telecoms groups and internet companies, including Target, TalkTalk and Yahoo, have already had to pay the price for weak defences.

But in some ways, they got off easy. Most of the stolen passwords were old and the account details rarely included immediately usable information. At most, the hacks involved theft of credit card numbers, which come with fraud defences. So customers have rarely felt much need to hold hacked companies accountable. Yahoo, for example, seems to have suffered very little drop off in customer loyalty after announcing the first of two giant hacks, although the jury is still out after the second one.

Professional services firms will not be so lucky. Banks and companies pay extremely high prices for outside advice. They expect professionalism and confidentiality in return. Getting hacked by a bunch of Chinese traders is hardly a strong recommendation of either.

Faced with a choice of five law firms that invested in cyber defences that were strong enough to withstand a pointed attack, and two who did not, which would you choose?

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email safe@cyber139.com or complete the form on our contact page NOWContact Cyber 139From: https://www.ft.com/content/f52f6fee-ccf4-11e6-864f-20dcb35cede2

Cyber 139 wishes you a secure and prosperous New Year

Cyber 139 wishes you a secure and prosperous New Year for 2017.

Cheltenham based cyber security and protection firm Cyber 139 wishes you a secure and prosperous New Year for 2017.

Cheltenham based cyber security and protection firm Cyber 139 wishes you a secure and prosperous New Year for 2017.

Overall 24% of ALL businesses surveyed in 2016 had had one or more cyber security breaches in the past 12 months- so please don’t let you be a victim in 2017.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email safe@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Cyber crime costs small businesses the most

New research has found that cyber crime is disproportionately effecting small businesses the most.

New research has found that cyber crime is disproportinately effecting small businesses the most.

The Federation of Small Businesses (FSB) has found that small firms are unfairly carrying the cost of cyber crime in an increasingly vulnerable digital economy.

The report Cyber Crime: How to protect small firms in the digital economy suggests smaller firms are collectively attacked seven million times per year, costing the UK economy an estimated £5.26 billion.

Despite the vast majority of small firms (93%) taking steps to protect their business from digital threats, two thirds (66%) have been a victim of cyber crime in the last two years. Over that period, those affected have been victims on four occasions on average, costing each business almost £3000 in total.

Cyber crime costs small businesses disproportionately more than big businesses when adjusted for organisational size.

Currently the responsibility largely falls on small businesses to protect themselves. FSB is calling for more support to be given to those smaller firms least able to bear the burden of the increasing global cyber threat.

Almost all (99%) of the UK’s 5.4 million small firms rate the internet as being highly important to their business, with two in three (66%) offering, or planning to offer, goods and services online. Without intervention, the growing sophistication of cyber attacks could stifle small business growth and in the worst cases close them down.

Mike Cherry, FSB National Chairman, said: “The digital economy is vital to small businesses – presenting a huge opportunity to reach new markets and customers – but these benefits are matched by the risk of opportunities for criminals to attack businesses.

“Small firms take their cyber security responsibility very seriously but often they are the least able to bear the cost of doing so. Smaller businesses have limited resources, time and expertise to deal with ever-evolving and increasing digital attacks. We’re calling on Government, larger businesses, individuals and providers to take part in a joint effort to tackle cyber crime and improve business resilience.”

The types of cyber crime most commonly affecting small businesses are phishing emails (49%), spear phishing emails (37%), and malware attacks (29%).

Small firms are also concerned about hacking and fraud when the card is not present, with the average information breach setting them back 2.2 days.

To combat this, four in five small firms (80%) use computer securing software, and well over half (53%) perform regular updates of their IT systems.

The FSB report also found room for small firms to improve security.

Currently just a quarter of smaller businesses (24%) have a strict password policy, four per cent have a written plan of what to do if attacked online, and just two per cent have a recognised security standard such as ISO27001 or the Government’s Cyber Essentials scheme.

Mike Cherry added: “Small firms are understandably focussed on building their businesses and creating the jobs which drive economic growth. The vulnerabilities of the digital world affects everyone and the responsibility for improving resilience should not be left to the group with least resource to do something about it.

Yahoo confirms one billion users have had data hacked

Bob Lord, chief information security officer at Yahoo, admits details of the breach in a blog post.

Bob Lord, chief information security officer at Yahoo, admits details of the breach in a blog post.“We believe an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft,” he said.

Speaking to Computer Weekly, Jonathan Care, a research director at market watcher Gartner, said Yahoo’s lack of clarity on this point was troubling.

“The implication is that Yahoo has overly focused on deploying protective technologies, and has not put in place effective analytics, detection and response systems and processes,” he said.

“From what we do know, the attackers made use of cookie masquerading, pass-the-hash and a state-sponsored actor. This gives strength to the importance of a strong detection plan.”

The incident came to light after US law enforcers shared files with the company that a third-party claimed contained Yahoo user data.

“We analysed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data,” said Lord.

Yahoo admits that staff knew about the data breach two years before it was confirmed publicly, and that the incident could affect the $4.83bn sale deal with Verizon.

“For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”

“We are notifying potentially affected users and have taken steps to secure their accounts, including requiring users to change their passwords,” he said. “We have also invalidated unencrypted security questions and answers so that they cannot be used to access an account.”

Which suggests that many personal questions have been hacked as well.

This latest breach comes several months after Yahoo revealed details of another historic attack on its systems, dating back to 2014, which led to the personal details of at least 500 million users becoming exposed.

At the time, the incident was reported to be the largest publicly reported breach of its kind, but the August 2013 one is understood to be considerably bigger.

After news of the 2014 hack broke, Yahoo confirmed some staff knew about it several years before details were publicly disclosed, and acknowledged that it could lead to Verizon withdrawing its $4.83bn bid to acquire the company.

In light of its latest disclosure, questions are now being raised about how the news may affect the deal, given Verizon went on record in October 2016 to say the previous breach could pave the way for it to drop its bid.

“It also emphasises the importance of purchasers understanding the security risks of target businesses and building in contractual mechanisms to adjust the price, or even allow them to walk away from the deal if breaches like these come to light before completion.”

“Clearly, the upshot of this is that we need to realise that it’s no longer a case of ‘if we’re targeted or unlucky’, but that we are all targets.”