Cyber139- Protect, Prevent Cybercrime

Small business risks cyber attack damage

February 15, 2016 By Cyber SecurityNo Comments

Small businesses are underestimating the impact a cyber attack would have on their reputation and must take steps to protect themselves.

The warnings come as a result of research published according to the findings of the Small Business Reputation and the Cyber Risk report, by the Government’s Cyber Streetwise campaign and KPMG.

Less than a quarter of small businesses cite cyber security as a top concern, but it’s of vital importance to consumers and within the supply chain.

The impact of a cyber attackbreach can be huge and long lasting, affecting brand, client retention and ability to win new business.

In the past few years there has been a rapid expansion in the development and adoption of new communications technologies which continue to transform Government, business and the ways in which we interact with each other. Cyber crime undermines confidence in our communications technology and online economy.

There were an estimated 5.1 million incidents of fraud and 2.5 million incidents falling under the Computer Misuse Act recorded last year (ONS, 2015). Add in recent high profile hacking cases and the issue of cyber security is now more important than ever.

Cyber Streetwise and KPMG surveyed 1,000 small businesses and 1,000 consumers across the UK to assess how small businesses feel about cyber security, how they are protecting themselves and the impact of a cyber breach on their reputation.

Key cyber security research findings:

Cyber security was cited as one of the top concerns by less than a quarter of small businesses (23%), yet it is fast becoming the only way to do business:
83% of consumers surveyed are concerned about which businesses have access to their data and 58% said that a breach would discourage them from using a business in the future.

Recently published KPMG Supply Chain research supports this; 94% of procurement managers say that cyber security standards are important when awarding a project to an SME supplier and 86% would consider removing a supplier from their roster due to a breach.

UK small businesses value their reputation as one of their key assets. Yet they are hugely underestimating the likelihood of a cyber breach happening to them and its long term impact:

60% of small businesses surveyed have experienced a cyber breach, but only 29% of those who haven’t experienced a breach cited potential reputational damage as an ‘important’ consideration.

The impact of a cyber breach can be huge and long lasting. 89% of the small businesses surveyed who have experienced a breach said it impacted on their reputation. Those who experienced a breach said the attack led to:
Brand damage (31%)
Loss of clients (30%)
Ability to win new business (29%)

Quality of service is also a risk. Those surveyed who experienced a cyber breach found it caused customer delays (26%) and impacted the business’ ability to operate (93%).

The full report was published at: https://home.kpmg.com/uk/en/home/insights/2016/02/small-business-reputation-and-the-cyber-risk.html

UK businesses expect cyber attacks to cost £1.2 million

February 12, 2016 By Cyber SecurityNo Comments

Half of UK businesses expect to be hit by a cyber attack and that recovery costs will be £1.2 million or more.

This is the highest figure globally, according to the Risk:Value 2016 report by information security and risk management company NTT Com Security.

The report is based on a survey of business decision-makers in the UK, the US, Germany, France, Sweden, Norway and Switzerland.

Although about 50% of UK respondents said information security was vital to their organisation and agreed it was good practice, 20% admitted that poor information security was the single greatest risk to the business, ahead of decreasing profits (12%), competitors taking market share (11%) and on a par with lack of employee skills (21%).

Well over half (57%) agreed that their organisation would suffer a data breach at some point, while only one third disagreed and one in 10 said they did not know.

They expected recovery from a cyber attack to take an average of two months, and they anticipated a 13% drop in revenue, on average, following a breach.

The survey showed that recent high profile data breaches are starting to hit home, with organisations spending 11% of their IT budgets on information security, up from 10% the previous year.

However, nearly a quarter of the UK businesses surveyed revealed that more is spent on human resources than on information security.

Detailing remediation costs following a security breach, the report said respondents indicated that they expected 18% to be spend on legal fees, 18% on fines or compliance costs, 17% on compensation to customers, and 11% on third-party remediation.

Other anticipated costs included PR and communications (14%) and compensation paid to suppliers (12%) and to employees (11%).

According to the report, the vast majority of UK respondents admitted they would suffer both externally and internally if data was stolen, including loss of customer confidence (66%) and damage to reputation (57%), as well as direct financial loss (41%). More than one-third of decision-makers (34%) expected to resign or expected another senior colleague to resign because of a breach.

The study found that although only 41% of UK organisations have a disaster recovery plan in place and only 40% have a formal security policy, in both cases almost half are in the process of implementing or designing one.

In terms of responsibility for managing a company’s recovery plan, 15% of respondents said the CEO now has responsibility, although it still largely falls to the chief risk officer, chief information officer or chief security officer.

While 77% agreed it is vital that their business is insured for security breaches, only 26% have dedicated cyber security insurance – but 38% are in the process of getting a policy.

One in five UK respondents said they did not know if their organisation had any type of insurance to cover for the financial impact of data loss or an information security breach.

Cyber criminal activity by UK teens grows

February 10, 2016 By Cyber SecurityNo Comments

More than 10% of UK teens say they know someone who has engaged in an illegal cyber activity, a survey has revealed.

The survey was commissioned and published by security firm Kaspersky Lab to mark Safer Internet Day 2016 yesterday- which aims to promote the safe, responsible and positive use of digital technology for children and young people.

The survey also found that just over one third of respondents would be impressed if a friend hacked a bank’s website and replaced the homepage with a cartoon, and one in 10 would be impressed if a friend hacked the air traffic control systems of a local airport.

When asked how they would feel if a friend found their way into a celebrity’s online email account and discovered lots of private pictures, 18% said they would be impressed, and 17% would be impressed if a friend managed to obtain all the names and addresses of people who had bought adult films online.

More than a quarter of respondents said they knew how to hide their IP address, 41% said they knew about malware, 44% knew about phishing, 24% knew about distributed denial of service (DDoS) attacks, 17% knew about ransomware, and 13% knew about crypto-malware.

Recent research by the National Crime Agency (NCA) revealed the average age of a cyber criminal is now just 17, raising concern that youngsters are increasingly becoming involved in cyber crime, many of them unwittingly.

In the light of this finding, public awareness and understanding of the online behaviour of young people is vital, said David Emm, principal security researcher, Kaspersky Lab.

“It’s frighteningly easy for teenagers to find their way into the dark corners of the internet today as they explore and experiment or take their first steps towards making some easy money online by searching for tools and advice,” he said.

Once lured in, youngsters are vulnerable to exploitation by cyber criminals who use them to distribute and create malicious software or help launder funds from cyber crime, said Emm.

UK based criminals were the second highest originators of cyber crime attacks after the US in the second quarter, according to ThreatMetrix. Rising cyber crime suggests criminal law does not deter criminals and that a better legal solution is required to prevent further rises.

The survey also revealed misguided loyalty among teenagers. When asked what they would do if a friend was doing things online that could be illegal, more than half said they would tell the friend to stop, but would not tell anyone else.

One third said they would not get involved, 22% said they would ask about it but not join in, and only 21% said they would report it to the police.

The NCA recently launched a campaign aimed at preventing young people from becoming involved in cyber crime.

The Safer Internet Day 2016 campaign website provides guidance for parents and teachers on how to recognise signs of cyber criminal involvement and ways of encouraging the positive use of cyber skills.

SME’s poor security practices targeted by ransomware

February 5, 2016 By Cyber SecurityNo Comments

SME’s poor security knowledge and practices are being targeted by ransomware.

It is important not to underestimate the scale of ransomware attacks or to believe that you are safe if you are not a Microsoft user, as the first attacks on Android devices were identified in 2011.

According to one industry report, the number of cyber ransomware attacks increased in 2014 by more than 4,000%, with small to medium sized enterprises (SMEs) being the main target due to poor security practices.

On the technical side, we can have spam, malware and bad URL detection engines or services that can be installed in networks – generally as part of an internet security appliance or firewall – rather than individual boxes installed in front of email servers.

The reason we would want such protection as part of the general internet connection is to provide protection for email, browsing and other internet related operations such as file transfer and remote access.

There are also a number of very good commercial cloud based email spam, malware and URL detection services available. These are well worth a look for smaller enterprises that must consider costs of ownership, support and overall effectiveness.

Even with the best spam, malware and URL detection services, some emails that could form the start of a ransomware attack may get through. These emails contain a URL link that, when clicked, will take the user’s web browser to a website that will attempt to download the ransomware.

These emails could not have been detected as malicious for a number of reasons, such as the URL being too new to have been identified as malicious; the patching or updating of an onsite box being out of date; or the URL pointing to a perfectly legitimate website that has been compromised in preparation for a watering hole attack.

The rise in legitimate websites being compromised for the purposes of executing watering hole attacks as a way of delivering malware – including ransomware – means enterprises need to add malware detection to web browsing activities.

Protecting against a ransomware attack

Having got the technical side sorted according an enterprise’s risk appetite and budget, what else can be done to help protect against a successful ransomware attack?

Staff awareness training and regular follow up initiatives are key. It is important to make staff aware that unexpected emails – even from known sources – are suspicious, particularly those that require a URL link to be activated.

If all else fails and a ransomware attack is successful, then having access to good, well-tested backups with at least one copy that is held off network will be vital in service restoration. Note that the off network backup itself should not be used as is, but copied. The copy should then be used to bring the network back, which will protect the good backup from being compromised.

TalkTalk lost 100,000 customers after cyber attack

February 2, 2016 By Cyber SecurityNo Comments

TalkTalk has admitted that is has lost 101,000 customers since it’s cyber hacking which saw the personal information of 155,000 people compromised.

The breach shut down TalkTalk’s sales operation for some time and substantially affected its ability to bring on board new customers and upsell mobile, broadband and TV services, it said.

These sales channels took longer than expected to come back online, with full functionality not being restored to its mobile services sales operation until January 2016.

The inability to sell anything meant that TalkTalk saw fewer net customer adds, which, in addition to the high customer churn, had an impact on the headline figure, it said.

The communications service provider (CSP) disclosed the figures in its latest quarterly trading update, in which CEO Dido Harding said it was encouraging to see the business getting back to normal after a period dominated by the breach.

“Our customers have responded well, with almost half a million choosing to take up our unconditional offer of a free upgrade,” said Harding.

“Both churn and new connections recovered during December and January and independent external research has revealed that customers believe we acted in their best interest.

“In fact, trust in the TalkTalk brand has improved since just after the attack and consideration is higher now than it was before the incident.”

TalkTalk estimated the trading impact of the breach at £15m, and said it now looked like the incident would incur exceptional costs of £40-45m, substantially more than it had previously forecast.

These costs include restoring its online capability with fit-for-purpose security measures in place, associated IT costs, incident response and consultancy costs, and free upgrades.

TalkTalk reiterated its confidence in its long-term outlook, and said it saw regulatory opportunities ahead that could support growth in its fixed line and mobile business.
Losing confidence

It is possible that the true number of customers lost was higher than TalkTalk claimed because it was counting net additions in its figures- as such the total loss could be as high as 250,000.

Businesses warned to take action on Data Protection Day

January 28, 2016 By Cyber SecurityNo Comments

This year Data Protection Day is warning businesses to do more to protect personal data.

Data Protection Day is an international holiday that occurs every January 28. The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. It is currently observed in the United States, Canada, and 47 European countries.

Global businesses are re-evaluating their data privacy programmes this year as new privacy regulations targeted at businesses start to gather.

The European General Data Protection Regulation (GDPR), which is expected to come into force in 2018, provides for fines of up to 4% of annual global revenue or €20 million- whichever is greater for failing to safeguard data of EU citizens and residents.

However, despite the introduction of this legislation, many enterprises are still not doing enough to protect consumer data, according to security and privacy industry experts.

“Data privacy day is a great opportunity for organisations to re-evaluate their privacy programme,” said Tim Erlin, director of IT risk and security strategy for security firm Tripwire. “Privacy is often treated as part of larger security initiatives. While this approach addresses some key privacy issues, others may not get the attention they deserve.”

According to Erlin, the top five data privacy mistakes businesses make are:

Failure to keep only essential consumer data
Failure to encrypt customer data
Failure to secure access to data at all times
Failure to patch known vulnerabilities
Failure to monitor and control simple misconfigurations

Many organisations keep a lot of customer data in case they need it, he said, but it can easily become a major target for cyber attackers, and may not receive the same level of protection as business critical data.

The EU’s data protection rules will impact every entity that holds or uses European personal data both inside and outside of Europe.

More than two thirds of global companies expect EU data protection laws to dramatically increase costs of doing business in Europe.

Erlin said companies need to establish internal processes to keep data encrypted. “Leaving customer data unencrypted makes it much easier for attackers to grab.”

And while encrypting customer data is important, it must be decrypted for use in an application at some point, with attackers trying to compromise those applications so they can get to that data, Erlin warned.

Successful attacks are more likely to exploit vulnerabilities that are several years old if that gets them access to high value data. Patching systems isn’t glamorous but it’s essential to protecting data.

More than one of the security breaches that have been in the headlines recently has been the result of a misconfigured database or server, said Erlin. “If you’re not monitoring server configurations for change, you have a blind spot in your security that attackers can exploit.”

The UK’s Information Commissioner’s Office (ICO) has also highlighted the potentially devastating effect of reputational damage as a result of a personal data breach.

And it is not only the new privacy legislation in Europe and the US that is a factor. Lawrence Munro, European director at security firm Trustwave for Europe and Asia-Pacific, said the mounting number of breaches involving consumers’ financial and private data means that people are increasingly aware that their information is at risk, and much less willing to forgive businesses that betray their trust.

Munro said security professionals see “Password1” as the most common password year after year. “Such abysmal security presents an open door to hackers. Likewise, phishing scams over email and phone continue to trick droves of workers,” he said.

According to Munro, security in many organisations continues to be seen as a “box to be ticked” as cheaply as possible rather than an essential operation necessary for survival.

“Practices such as regular intensive network testing using real experts rather than occasional automated scans are crucial if businesses are to avoid the reputational and financial fallout of a breach this year,” he said.

Phishing cyber fraud up 21% reports police fraud unit

January 22, 2016 By Cyber SecurityNo Comments

Cyber fraud linked to social engineering phishing attacks has increased by 21% in a year according to the City of London Police’s National Fraud Intelligence Bureau (NFIB).

Social engineering phishing is a non technical method of intrusion used by cyber criminals that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.

Typically, the aim is to trick people into malware laden email attachments or to divulge sensitive information that can be used to steal information and credentials to commit fraud.

The harvesting of account and login information is known as phishing and can happen through fake emails, phone calls, texts or social media posts.

Phishing attacks frequently involve piecing together information from various sources- such as social media and intercepted correspondence, to appear convincing and trustworthy.

The most common themes for contacting potential victims are an update to BT account details, an iTunes invoice and a tax refund.

Others themes include Tesco vouchers, Apple ID, accident injury claim, invoices, suspended bank and credit card accounts, and Sky services upgrades.

According to the government backed GetSafeOnline campaign, cyber criminals have become increasingly sophisticated in their attacks, with more than 95,500 phishing scams reported in the 12 months up to October 2015.

Research by GetSafeOnline reveals that 26% of victims of online crime have been scammed by these types of social engineering emails or phone calls.

According to the research, 29% of reported phishing emails contained a potentially malicious link that could infect a victim’s computer with malware, 17% requested a reply and 15% requested personal information.

The research notes that although the number of emails with malicious links is decreasing, requests for money transfers are on the rise.

In response to these findings, GetSafeOnline has launched an advertising campaign to warn of the dangers of social engineering, in partnership with Barclays, NatWest, Royal Bank of Scotland, Lloyds, Halifax, Bank of Scotland, City of London Police, anti-fraud organisation Cifas and Financial Fraud Action UK (FFAUK).

Phishing attacks are the most popular causes of data breaches in the enterprise. Phishing attacks on mobile devices are increasing as adoption of internet connected mobile devices and services grows.

Tony Neate, chief executive of GetSafeOnline, said social engineering is becoming ever more targeted and personal.

“What is worrying, however, is the complex nature of these scams and how they tap perfectly into feelings that make us panic,” he said. “If you get an email purporting to come from someone we trust, such as our bank, about something that is emotive to us all, like money, and then demand that we act urgently, it’s almost like the perfect storm.”

The newly launched advertising campaign aims to encourage people to think twice before they act and not to let panic override common sense.

The campaign highlights the importance of having strong passwords or pass codes to secure devices, and ensuring that all software and apps are up to date.

Research shows that email is the most popular channel for phishing, accounting for 77% of all reported incidents, followed by phone calls, making up 12% of incidents.

Risk of cyber attack underestmated by countries WEF warns

January 15, 2016 By Cyber SecurityNo Comments

Most of the world’s economies are underestimating the potential risk of cyber attacks on businesses and their economies- the World Economic Forum (WEF) warns.

A major study by the WEF reveals that, with the exception of the US, most countries have underplayed the risks of cyber attacks on their economic well being.

The warning comes as business leaders, politicians, and academic and non-government organisations prepare for the Davos summit on 20-23 January 2016 to discuss the “fourth industrial revolution” and the global impact of new technologies.

Businesses of all sizes have been affected by complex cyber attacks, and have suffered economic, legal and reputational damage, the WEF’s Global Risks Report 2016 revealed.

Studies show that cyber crime cost the global economy £445 billion in 2014. The costs will be much higher if economic espionage and state sponsored hacking are taken into account.

However, only eight economies have concluded that cyber attack is a risk of the highest concern: Estonia, Germany, Japan, Malaysia, the Netherlands, Singapore, Switzerland and the US.

The findings reveal a lack of appreciation of the effect of cyber crime in the rest of the world, said John Drzik, chairman of the Global Risk Centre at Marsh & McLennan, and one of the contributors to the risk report.

According to Drzik, US companies are more aware of cyber risks because legal requirements to report security breaches have focused the minds of company leaders. As a result, 90% of the world’s cyber insurance is taken out in the US.

“I think there is going to be similar regulation outside the US and that is going to trigger the growth of the insurance market and bring more attention in the corporate sphere,” he said.

The report warns that the threat of sophisticated government sponsored espionage exceeds the ability of companies to defend themselves.

Over the past year, the number and impact of cyber attacks has increased. Hackers are turning their attention to industrial control systems, placing power plants, transportation and other infrastructure at risk.

“There was the recent cyber attack in the Ukraine on a power plant and an industrial control system. There were earlier attacks in Germany on manufacturing systems and there are unreported attacks as well,” he said.

Although terrorist groups have not yet resorted to cyber warfare, this may change in the future. “You have certainly seen organised crime – a different form of terrorism – participating in this sphere,” said Drzik.

Hacking attacks, which have led to loss of confidential information, have cost companies millions of dollars – but companies have lost far more through damage to their reputation.

“If your customer base starts to worry about you being unreliable and being unable to protect confidential data, they may go to a different company – the reputational amplifier can be enormous,” said Drzik.

Some companies have invested in sophisticated technology to monitor and detect security breaches. However, said Drzik, companies realise they cannot prevent every attack and will spend more resources to mitigate and managing the effects of an attack.

“We are not only in a cyber arms race between countries, but between the security community and the hackers. If you are on the defence, you are trying to get ahead of the offence, but it’s going to go back and forth and it’s not going to go away,” said Drzik.

Cybercrime and cyber security tops business worries for 2016

January 8, 2016 By Cyber SecurityNo Comments

Cybercrime and cyber security tops business worries for 2016.

This year, cybersecurity will be the main issue worrying global business, firms say, and it will become more critically important as the internet of things takes off and our world becomes ever more mobile and connected.

Lawyers, accountants, digital agencies, research analysts, telecoms and tech firms all gave the BBC’s Technology of Business their views on what the key tech trends were likely to be in 2016.

Here’s a summary of the Top 10 tech trends affecting business in 2016 that emerged:

Cybercrime and a renewed emphasis on cybersecurity
The internet of things and the development of the hyper connected world
Real time data analytics, not intuition, driving business decisions
New data protection laws forcing firms to rethink compliance strategies
Artificial intelligence and robotics replacing repetitive tasks
Smartphones becoming the primary tool for almost everything
More business applications for virtual and augmented reality tech
Increased personalised and in-store location-based marketing
Drones to be allowed to make deliveries and perform other public tasks
Established businesses to face increased competition from start-ups

Allowing customers’ data to be stolen by hackers is not good for business, firms are finally realising. It damages corporate reputations and erodes the public’s “comfort with sharing their data”, says Rashmi Knowles of cybersecurity company RSA.

But the worrying news is that breaches are inevitable, warns Geoff Smith of Experis, while a shortage of skilled cybersecurity professionals is likely to push up the costs of beefing up defences and dealing with attacks.

On top of this, new European data protection laws coming into effect in 2018 will see a “dramatic increase in fines” for data breaches, says James Mullock of law firm Bird and Bird, forcing firms to reassess their compliance procedures this year. Dedicated Data Protection Officers reporting to the board would be “a sensible measure”, he says.

Ransomware is opening up new income for cybercriminals.

Several security experts are forecasting an increase in ransomware attacks, whereby criminals hack into your system, encrypt your data and then demand a ransom before they decrypt it.

“The ransomware arms race will come to the fore in 2016,” says Hitesh Sheth, chief executive of Vectra Networks. “The threat will take on a new, larger role by concentrating attacks on enterprises, holding critical assets hostage in return for even bigger money.”

Other experts warn that the growth of mobile payments systems will offer new opportunities for hackers, while others think criminals will increasingly target employees, suppliers and contractors as a way of infiltrating corporate systems.

Gadgets and objects wirelessly transmitting sensor data to each other and central computers will accelerate in 2016, many believe, leading to a host of new applications – and a host of new cybersecurity threats.

Internet of Things (IOT) cybersecurity concerns will also loom large in 2016.

This new world of “connected everything”, says Tudor Aw, head of technology sector at consultancy KPMG, “should finally see real momentum in 2016”, from connected cars recording driver behaviour data for insurance purposes, to smart watches and other wearables delivering health data and even initial diagnoses.

And all the data that these connected things generate will be stored, analysed and translated into practical insights using real-time analytics, enabling companies to “move beyond just quickly responding to changing customer needs, to actually anticipating those changes,” says Andy Lawson, managing director at Salesforce UK.

But many warn that greater connectivity means more points of entry for hackers constantly on the look out for weak points in any network.

Cyber Security Force wishes you a safe New Year

January 5, 2016 By Cyber SecurityNo Comments

Category: Cyber Security Force