What Takes Place Every Day, Can Happen To Anyone And Throughout The World?

19/03/2019

…Email hacking and it’s one of the most common forms of cyber-attacks today.

Email hacking

The rate of cyber-attacks is increasing and happening to businesses of all sizes. Our goal is to protect businesses against these attacks, which can be difficult if the employees are not properly trained to identify potential threats. I’ve spoken previously about Security Awareness Training in some depth, but you can use this ‘at a glance’ list of seven red flags to look out for:

1. “From” Line

The first thing to pay attention to is the address you are receiving the email from. Pay close attention to the sender, because the person may appear to be someone you know but it could be a spoof. A quick example of this could be:

Real Email: nicola@softlinksolutions.co.uk
Spoofed Email: nicola@softllinksolutions.co.uk

There is a double ‘l’ in the spoofed email (an extra ‘l’ before the ‘i’), so at a quick glance it appears legitimate, but the domain is not correct.

2. “To” Line

If there are lots of names in the ‘To’ line, or your email address is being ‘cc’d’ on an email you are not expecting, that should be a red flag.

3. Hyperlinks

This, to some extent, is an easier one to spot. Most of us are cautious of clicking on an embedded link within an email unless we are sure it is from a trusted source. To be sure, before you click on a link, hover over it with your mouse to see the destination URL. If the URL has no relevance to what the email says, don’t click on the hyperlink. If you still think the email was from a trusted source, call the person who sent the email to be sure it actually came from them.

4. Time

You come into work, and the first thing most of us have to do is check our emails. If your inbox is like mine, there are quite a few, but before opening or clicking on an email look at the time you received it. Is this a normal time to receive an email from this person or company? If not, this is an indication of a potentially spoofed email.

Phishing attempts typically increase around public holidays, at the end of a tax year when financial information is being shared, or when online shopping sees a surge.

5. Attachments

As a rule of thumb, do not open attachments that you are not expecting. Ask yourself, does this sender usually send you attachments? Another red flag is if the attachment has a strange file type such as .exe or a duplicate file type such as .xls.xls.

6. Subject

If the subject line seems suspicious, such as “Need wire transfer now” or “Change password immediately”, validate the source before you take any action. The subject may also be irrelevant to the email content, which can be another red flag.

7. Content

Hackers want to instil fear to prompt an action from you, for example a claim that your Google email account has been compromised and you need to change a password or update some information. Also, if the grammar or spelling is incorrect and the email seems out of the ordinary, confirm its legitimacy before you click on links or download any files.
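A small checker that applies red flags 1, 3, 5 and 6 from the list above to a message, using the real and spoofed domains from the “From” line example. This is an added example, not code from the original post; the trusted-domain list, the sample message and its hostnames are constructed for illustration.

```python
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"softlinksolutions.co.uk"}        # constructed allow-list for this example
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".bat")  # executable-type attachments
URGENT = ("wire transfer", "change password", "immediately")

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Trusted domain this one imitates (within two edits); None if trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    return next((t for t in TRUSTED_DOMAINS if edit_distance(domain, t) <= 2), None)

def red_flags(msg):
    """Red flags raised by one message, given as a dict built by the caller."""
    flags = []
    sender = msg["from"].rsplit("@", 1)[-1].lower()
    if (hit := lookalike_of(sender)):
        flags.append(f"from: {sender} looks like {hit}")
    for text, href in msg.get("links", []):  # anchor text vs real destination
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        host = (urlparse(href).hostname or "").lower()
        if shown and shown.group() != host:
            flags.append(f"link: text shows {shown.group()} but goes to {host}")
    for name in map(str.lower, msg.get("attachments", [])):
        if re.search(r"\.[a-z0-9]{1,4}\.[a-z0-9]{1,4}$", name):  # e.g. .xls.xls
            flags.append(f"attachment: double extension {name}")
        if name.endswith(RISKY_EXT):
            flags.append(f"attachment: executable type {name}")
    if any(k in msg.get("subject", "").lower() for k in URGENT):
        flags.append("subject: urgency language")
    return flags

SAMPLE = {  # constructed sample message using the spoofed domain from the post
    "from": "nicola@softllinksolutions.co.uk", "subject": "Need wire transfer now",
    "links": [("softlinksolutions.co.uk/invoice", "http://pay-now.example.net/x")],
    "attachments": ["invoice.xls.xls", "setup.exe"]}

if __name__ == "__main__":
    print(*red_flags(SAMPLE), sep="\n")
```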

To summarise, never:

  • click on links
  • download files
  • transfer money

…unless you are sure the email is legitimate.

If you haven’t before, you must take email hacking seriously. Having proper spam filters and firewalls installed is vital, but a lack of employee education is what makes it difficult to properly secure an environment.

Speak to us about our Security Awareness Training to help you keep your employees alert and vigilant at all times. 0845 094 0010.


Could Your Cyber-Insurance Policy Be Flawed?

19/03/2019

Mactavish, the UK’s leading expert on insurance governance, has been operating in the commercial insurance sector for over 15 years.

Building on the knowledge they gained in 2018, they have launched a new Cyber Risk Consulting Practice that can negotiate bespoke insurance cover. Why is this important? Mactavish warn that most ‘off-the-shelf’ cyber insurance policies have serious flaws.

When carrying out an analysis of market-leading ‘standard’ cyber insurance wordings, they found at least 8 common flaws:

  1. Cover can be limited to events triggered by attacks or unauthorised activity – excluding cover for issues caused by accidental errors or omissions.
  2. Data breach costs can be limited – e.g. covering only costs that the business is strictly legally required to incur (as opposed to much greater costs which would be incurred in practice).
  3. Systems interruption cover can be limited to only the brief period of actual network interruption, providing no cover for the more significant knock-on revenue impact in the period after IT systems are restored but the business is still disrupted.
  4. Cover for systems delivered by outsourced service providers (many businesses’ most significant exposure) varies significantly and is often limited or excluded.
  5. Exclusions for software in development or systems being rolled out are common and can be unclear or, in the worst cases, exclude events relating to any recently updated systems.
  6. Where contractors cause issues (e.g. data breach) but the business is legally responsible, policies will sometimes not respond.
  7. Notification requirements are often complex and onerous.
  8. During a cyber incident, businesses often have no freedom to choose their IT, PR or legal specialist, as the policy only covers insurer appointed advisers.

If you’d like to read more, you can download the Mactavish Cyber Risk & Insurance Report for free:

https://mactavishgroup.com/services/research/cyber-risk-insurance-report/

To find out more information on how we can help protect your company, visit here or call us on 0845 094 0010. You can also download our Cyber-security Tips for Employees e-book which covers mobile security, email use, password management and more!

7 Reasons why Security Awareness Training is important

06/02/2019

A fantastic article I read recently, published by cybsafe.com, sums up brilliantly why companies should be prioritising SAT (Security Awareness Training).

In 2018 data breaches cost UK organisations an average of £6.4 million. Human error, meanwhile, accounted for anywhere between 60% and 90% of those breaches. Those facts alone are usually enough to convince people security awareness training is important. Usually….

A survey CybSafe carried out found that around 31% of businesses are without SAT whatsoever, while a recent UK Government survey found UK businesses introduced fewer new SAT measures than they did in 2017. Crazy!

“Businesses are less likely to have implemented extra staff awareness or training measures than in the 2017 survey (18% versus 28%), despite human error or staff awareness continuing to be among the most common factors contributing to the most disruptive breach.”

Department for Digital, Culture, Media & Sport, Cyber Security Breaches Survey 2018

As a Managed Service Provider, we can only advise our Client base of the benefits of why they need to introduce SAT. It’s not just another product we’re pushing to get them to spend more money – SAT provides more value than monetary terms. Don’t just take our word for it, here are 7 reasons why SAT is still so important today according to CybSafe:

1. To prevent breaches and attacks

Starting with the most obvious, security awareness training helps prevent breaches.

The precise number of breaches security awareness training prevents is difficult to quantify. In an ideal world, we’d be able to run a controlled trial in which the exact same people working for the exact same company were divided into two groups: a control and a test group. The latter would be given training, the former would not. The two could then be compared.

Such a situation is an impossibility – but that doesn’t mean advanced security awareness training providers are unable to demonstrate the ROI of security awareness software. Although an imperfect measure, it’s possible to measure the incidence and prevalence of breaches pre- and post-awareness campaigns and use the resulting metrics to glean an indication of ROI. The metric might not be ideal, but considering the average costs of a data breach now run into the multi-millions, and considering security awareness training is relatively inexpensive, it certainly doesn’t take much for serious returns.

2. To influence company culture

A culture of security has long been seen as the holy grail for chief information security officers (CISOs). Equally, such a culture is seen as notoriously difficult to achieve.

With the aid of security awareness training, some are heading in the right direction.

At least some of today’s security awareness training platforms acknowledge the value of a secure culture – and attempt to measure it from the outset. The same metrics are then monitored as time goes on.

By keeping an eye on indicators of culture, advanced security awareness training platforms can actually help security professionals monitor, nurture and develop a culture of security – making their people a proactive defence.

3. To make technological defences more robust

Technological defences are, clearly, a valuable weapon in preventing breaches. But technological defences require input from people. Firewalls need to be turned on. Security warnings need to be acknowledged. Software needs to be updated.

Few businesses today would dream of operating without technological defences. And yet, without security awareness training, technological defences are not used to their full potential.

To make matters worse, attackers today rarely bother attempting to penetrate businesses through purely technological means. Today’s attackers typically prefer to target people, who are often seen as an easy way in to protected networks.

4. To win more customers

Security awareness training helps people win more high-profile contracts.

This isn’t conjecture. During CybSafe’s recent survey of 250 IT decision makers, more than half said a business customer had made cyber security precautions part of either an existing contract or part of the RFP process in order to win the contract. More than two thirds said at least one customer had required the achievement of a recognised cyber security standard.

While security awareness training might seem unimportant to some, it’s often far from unimportant to some business customers.

5. For compliance

To be clear, compliance alone is no reason to introduce security awareness training. As we’ve highlighted before, those who introduce training solely to comply with regulations are probably heading for trouble.

But more and more regulators are demanding specific industries implement security awareness training.

“Over the next year, we will strengthen our supervisory assessments of the highest impact firms to better understand their current and planned use of technology, resilience to cyber-attacks and staff expertise. We will also review how governance, strategy, systems architecture, risk management and culture contribute to firms’ data security.”

CybSafe partner, the Financial Conduct Authority, on shaping future policies

Compliance can be a happy offshoot of security awareness training. Those who introduce it become more secure and, in many industries, meet a regulatory requirement.

6. To behave in a socially responsible manner

As WannaCry and NotPetya have recently demonstrated, cyber attacks spread at unprecedented speeds. The more networks that become infected, the more at-risk other networks become.

Equally, thanks to connected networks, a decrease in individual network security increases the overall threat landscape for others.

The absence of security awareness training in one organisation makes other organisations vulnerable. It’s a little like leaving your house door unlocked – with the keys to next door waiting inside.

Security awareness training doesn’t just benefit you. It benefits your customers, your suppliers and everyone else interlinked with your network.

7. For employee wellbeing

It’s well-documented that happy people are productive people – hence employee welfare schemes, company away days and a large part of any given HR department’s focus. So it’s worth remembering: security awareness training doesn’t just keep people safe at work. It keeps them safe in their personal life, too.

For the most part, this particular benefit remains unseen. If security awareness training does what it’s supposed to do, it isn’t just an employer benefit. It’s an employee benefit, too.

To find out more information on how we can help protect your company and provide you with SAT please visit here or call us on 0845 094 0010. You can also download our Cyber-security Tips for Employees e-book which covers mobile security, email use, password management and more!

3 Mobile Security Tips

05/02/2019

We live a mobile lifestyle. Our mobile devices keep us connected, and we can do anything from our mobile devices – from anywhere in the world. Online banking, hotel reservations, email – all can be accessed with a tap of the finger.

If you forget your phone at a restaurant, at work, or at the pub – how confident are you that nobody else can access your information?

While browsing the Internet, how confident are you that your information is only being viewed by you?

Follow these steps for a confidence boost in your mobile security:

1. Set a pin or passcode

This is your first line of defence. If someone wants to access your device, they will first need to break this code. This is not an easy task, and can operate as a deterrent against theft. Some device manufacturers have an option to automatically wipe your device after a few unsuccessful attempts at your passcode or pin; so, even if your phone is stolen, your information cannot be accessed. For this reason, you should consider mobile device management (MDM) for your users.

2. Remote locate and wipe tools

There are thousands of applications out there, and many involve more than just crushing candy or shooting birds at pigs. Certain software can help you locate your lost or stolen device through its GPS. Apple offers a service like this for their mobile devices aptly named Find my iPhone. For Android users, the Android Device Manager offers these services. Windows Mobile users also have this option from the Windows Phone website. Similarly, many third party applications are available in each of the app stores.

3. Keep your device clean

Utilising an antivirus and malware scanner is never a bad idea. Your phones are mini-computers, and just like your “big” computer they need to be cleaned up from time to time. Malware and virus threats can compromise information stored on your mobile devices. Malware has a snowball effect, and can continuously pile up until it slows down or stops your device.

In the end, the number one security measure on your mobile device is you. Be proactive. Protect yourself and your information using the steps above!

To find out more information on how we can help protect your users’ mobiles, please visit here or call us on 0845 094 0040. You can also download our Cyber-security Tips for Employees e-book which covers mobile security, email use, password management and more!