Hackers don’t go on holiday over Christmas…..

Christmas

Hackers don’t go on holiday over Christmas and consequently everyone needs to be more vigilant than usual during this busy time of year were individuals and businesses can be preoccupied.

The theft of data is is very much on the mind of hackers over the Christmas period as this considered to be a prime time where many transactions are undertaken on-line with bank and credit cards in particularly being targeted.

One of most common methods utilized is via Phishing  which can  occur as follows:-

1.Individuals can be tricked into sharing sensitive data by using a website that is not what it seems

2.Clicking on a dubious website link

3.Responding to an e-mail from a bogus sender.

Risk Management within a business and good cyber hygiene are key to preventing the loss of data and should be practiced at all times irrespective of the time of year.

Some examples of this is as follows:-

Ensure that the latest software patches are installed

Make sure passwords are strong and that they are not replicated by individuals  and consider the use of a password manager.

Apply two factor authentiification as this provides and extra layer of protection 

Outside of Work individuals should practice the following:-

Individuals should practice similar cyber hygiene and carry out the following :-

Be care when entering your debit or credit pin into a machine whether at a shop or withdrawing cash.

If you some reason you do not feel that things feel right do not go through with a transaction of your computer and check the legitimacy of a website.

Ensure that the website you are in is the actual website and not one that pretends to be the website.

Do not click on links from Facebook or other social media sites unless you know who they are from.

Ensure that your Wi-Fi is secure and password protected with your own password

Look to change the default passwords on new toys or devices that are connected to the internet to help avoid hackers accessing these.

The Human Factor plays a fundamental role in managing cyber risks http://cyberbrokers.co.uk/human-factor-cyber-risk/

Whether at work or at home the unpredictable factor of humans may well determine how safe or secure you are and is recognized as a major driver for cyber related losses.

The underlying message is that hackers are all around us and that we must have our wits about us as all times.

Don’t Underestimate The Insider Threat

Insider Threat

The Insider Threat has now become an even more significant risk to businesses following the dismissal against the High Courts decision that Morrisons was vicariously liable for an employees misuse of data. This is despite the fact that Morrisons were deemed to have carried out as much as they could reasonably been expected to do to protect their employees data.

The case Wm Morrisons Supermarkets v Various Claimants (2018) now states that businesses can be vicariously liable for the actions of a rogue employee.

https://www.bakermckenzie.com/en/insight/publications/2017/12/the-morrisons-data-breach-judgment

With the introduction of the General Data Protection Regulations (GDPR) earlier this year the awareness of data protection by the public has increased which is likely to lead to litigation being bought against businesses in effort to seek remedies for a lack of protection of their personal data.

Background to the case

A security breach occurred when a senior internal auditor leaked payroll data of 100,000 employees. Of this 5,518 former and current employees claimed that this incident exposed them to the risk of identity theft and possible financial loss with Morrison’s being responsible for breaches of privacy.

The Class Action Threat 

The Morrisons case is also an example of a class action where it is not only one individual making a claim but a series of claimants , claims of this nature can be significant and impact severely on the well being of a business. The insider threat has therefore increased and it is likely that businesses will need to re focus their efforts in ensuring that they have procedures in place to help counteract such threats.

Emotional Distress

Under GDPR it is now to bring claims for non -material damage i.e. emotional distress caused as a result of a compromise of an individuals personal data.

Why can business do to monitor employees behavior?

Limit computer admin rights within the business

Monitor abnormally high transfers of data by employees within the business

Ensure CV’s of new employees are what they say they are

Make sure data mapping is in accordance with GDPR ensuring that the business knows where their data is located.

Robust training of employees and expectations made clear of how they manage data.

Ensure highly sensitive data is held in respositories

The Insider Threat is intrinsically linked to the human factors that impact upon cyber security please see our blog on this.http://cyberbrokers.co.uk/human-factor-cyber-risk/

Cyber insurance is also a very valuable asset to have in that it provides insurance protection and offers an incident response service so that businesses can effectively manage a data breach.

 

Image : Shuttertock

How Secure Is Your Supply Chain?

Supply Chain

Many businesses are now reliant on third parties in order to function and to provide their goods or services. These third parties are likely to form a supply chain providing such capabilities as IT services, HR outsourcing and hosting services.

The calibre of these services can vary greatly be they a large conglomerate to small local business. Each suppler will have they own cyber security processes and procedures that should be embedded within the business….. but in practice is this the case and what is the impact on a business if they suffer a cyber security breach?

With reliance now placed on a supply chain it is important that due diligence is carried to ensure that this resilience is in place.

What sort of processes can be carried out in order to provide some assurances?

  • Regular cyber security audits of third party vendors
  • Prioritization of vendors for critical services
  • Review of data monitoring standards of third parties
  • Ensure own security procedures remain at a high standard enforcing regular patching and installation of latest firewalls.
  • Managing of privileges provided outside of the business
  • Robust procurement processes for new vendors
  • Management of contractual liability with the vendor in the event of a possible data breach
  • Due diligence of cloud service providers
  • Insurance checklist for professional indemnity and or cyber insurance by the vendor
  • Review interconnected devices to managed The Internet of Things ( IoT) exposures

The supply chain of a business can be their weakest link and managing this should be given the same level of attention as the internal cyber risks that exist.

The National Cyber Security Center publish a list of some of the risks that businesses should look out for :-

https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/Cyber-security-risks-in-the-supply-chain.pdf

The consequences of a third party suffering a compromise of their computer systems could lead to  the following:-

1.Business Interruption

2. Reputational Damage

3.Regulatory Actions and Fines

4.Loss of customers

5.Costs incurred to the business to rectify loss of data or damage to computer systems

6.There have been a number of high profile data breaches where losses have emanated from the supply chain :-

Target

In December 2003 hackers gained access to the heating and ventilation system of the retailer Target. As a result of network credentials being stolen from a mechanical services engineer the hackers were then able to gain access to credit and debit card data of customers. The cost of the breach is thought to be close to $300M with 100 million individuals being affected and the CIO of Target resigning soon after the breach.

Stuxnet

This was a malicious computer worm that targeted automated processes utilized to control machinery on factory assembly lines and systems within the nuclear industry.

It was introduced into a supply network via an infected USB flash drive by individuals that had access to the system It was then possible for the worm to move across the network which scans software that controls machinery and n influence the commands that were given.

NonPetya

Last year NonPetya was a malicious code aimed at software supply chains. The targets were outdated and unpatched Windows systems utilizing the EternalBlue vulnerability which hit many global businesses such as WPP DLAPiper and Maersk.

The hackers initially breached a financial services company in the name of MeDoc which was a third party software service readily utilized by goverments. Once access had been obtained they were able to install malware on their software which was then distributed to end users when the latest update was downloaded.

A report earlier this year by Symantec reported that there had been a 200% increase over the last 12 months in hackers injecting malware implants into the supply chain to gain access to the organizations computer systems.

https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf

Perhaps one of the keys to ensuring that a supply chain is secure is to try and enforce the supply chain to have in place similar robust cyber security procedures and practices to the business in order to manage the evolving cyber risk landscape that exists.

 

Image : Shutterstock

Sign Of The GDPR Fines To Come…?

GDPR Fines

It was announced last week that the credit reference agency Equifax has been fined by the ICO in  the sum  of £500,000 as a result of failing to protect the personal data of 15 million UK citizens and 146 million in the US during the 2017 data breach.

http://cyberbrokers.co.uk/equifax-the-anatomy-of-a-data-breach/

The long awaited ICO report found that the UK arm did not have in place the appropriate steps for processing and protecting the personal information of its data subjects.

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/09/credit-reference-agency-equifax-fined-for-security-breach

The joint ICO and FCA report highlighted the following :-

  • Data was retained for longer than was necessary
  • Inadequate measures were in place to manage personal information
  • IT security was not of the highest standard with the compromise of data being likely.
  • The US Department of Homeland Security had advised Equifax Inc about a critical vulnerability in 2017
  • Customers data should have been treated in a much higher regard.

The investigation was carried out under the 1998 Data Protection Act as opposed to the recent General Data Protection Regulation (GDPR) that came into force on 25th May this year. The ICO imposed the maximum GDPR fine of £500,000 under the previous Act.

Under the GDPR the ICO has the powers to set a maximum possible fine of 4% of Global turnover of a company the consequences therefore of this data breach could have been much higher should this data breach have occurred post 25th May this year.

The approach by the ICO to GDPR fines and the imposing of these to businesses who are responsible for data breach is still very much unknown as the climate remains untested and only time will tell how this is imposed and to its possible severity. The Equifax fine does suggest that the ICO will be treating such data breaches very seriously and will wish to demonstrate that the new legislation does have “teeth” and that they will act accordingly.

 

Image : Shutterstock

Loss of Reputation – The Biggest Cyber Threat ?

Loss of Reputation

Is the loss of reputation on the biggest cyber threats that a business faces today ?

A good reputation takes a long to build up but the emerging cyber threat landscape can ruin this reputation in a matter of hours. It is important therefore that businesses have in place a loss mitigation plan in place in order to manage this disaster case scenario.

One of the highest profile cyber attack in the UK was the data breach at TalkTalk where the long term consequences of this still being felt within the business today.

The impact on the reputation a business of a data breach 

  • Loss of existing customers
  • Loss of confidence in the business
  • Competitors exploiting the situation
  • Share price of the business
  • Loss of future earnings
  • The stigma of a data breach
  • The attractiveness of future investment in the business
  • Attracting new employees
  • Bad management of the data breach

Be Prepared 

It is essential that the business has an incident response plan in place in order to manage the cyber attack and the ensuing  fall out that will inevitably occur.  This would include a crisis management and business continuity plan.

These should be regularly updated with “dry runs” carried out in order to ensure that they work effectively..

Cyber Insurance 

This specialist form of insurance can help manage and mitigate a cyber attack at both the very early stages of a data breach and also help the business through the process. This is facilitated through the incident services that an insurer offers as part of the policy benefits . This includes public relations consultants and access to a solicitors so that sensitive data can be handled in the most effective manner.

The policy also provides coverage for reputational harm or business interruption coverage modules, typically this would encompass loss of profits and increased costs of working as a result of the data breach.

Policy wordings and intent vary considerably in the insurance market and it is therefore important that an insurance broker with a specialism in this area is utilized.

Image : Shutterstock

The Holiday Cyber Risk Landscape

Holiday

The holiday season is now in full swing where people travel to far off destinations to enjoy a well earned break and to spend time with their families. Unfortutely the cyber threat remains with us …… and arguably is increased as people’s guard is somewhat down due to the relaxed environment that being on holiday promotes.

A survey carried out by Keeper Security Inc last year showed that the US posed to the greatest threat to holiday makers from hackers, however more worryingly the UK came in a second place with France, Spain and Italy also featuring in the top ten.

https://www.marieclaire.co.uk/entertainment/technology/cyber-security-holiday-destinations-523668

Some of the cyber threats that exist to indivuals and businesses are as follows :-

Insecure Wi-Fi Networks

A hotel wi-if network may be vulnerable if not secured with the latest security encryption software. This could also be said of restaurants or cafes. Attacks know as “Man in the Middle” where a third party is listening and changing information pretending to both the user and the application can intercept highly sensitive data and use this to compromise a users details.

GCHQ regularly warn travellers of the threats posed by insecure wi-fi networks and the holidayseason is when these threats become more prevalent. It is therefore important to check that the wi-if has the appropriate safety protocols in place in particularly when money is being transacted.

Holiday Scam E-mails 

It is conceivable that an individual could fall foul of a hacker before they leave their house .Holiday scam e-mails may portray a bogus website that offers a holiday deal which is too good to be true and the likelihood is that this could well be the case. Funds could be stolen by an on-line transaction with debit or credit card details also being compromised by a hacker.

Being Aware

Leaving a laptop or smart phone on your beach towel of on a cafe table opens opportunity for a speculative hacker to steal an electronic device and use data themselves or to post on the dark web to be sold at a later date.

Keeping a tight ship

The same principle applies to businesses during the holiday season who may not have their usual numbers in their cyber security team which creates an environment where threats could be missed or not acted upon as quickly as normal. A greater reliance therefore is imposed on everyday users to carry out good cyber hygiene in their everyday work schedule. Watching out for phishing e-mails and dubious website links which could lead for example to an incident of fraud or a ransom ware attack.

Back Home

Once back home it is good housekeeping to to check matters such as bank statements to ensure that no fraudulent transactions have taken place and that you can account for everything spent.

At work looking for any unusual e-mail activity or change in the functionality of your computer in case a virus may have downloaded itself whilst you were away.

Wherever you are on holiday cyber threats exist in many forms , hackers do not go on holiday so it is vitally important that you maintain the same cyber security posture.