Advice Archives - City Security Magazine
https://citysecuritymagazine.com/category/cyber-security/advice/
News and advice for security professionals

Think before you link
https://citysecuritymagazine.com/cyber-security/think-before-you-link/
Thu, 01 Jul 2021 07:22:32 +0000

The consequences of not thinking before linking can be professionally catastrophic; new guidance from CPNI will help users of professional networking sites navigate the risk.

Note – for obvious reasons the identity of the individuals has been disguised.

Consequences of linking before thinking

It’s easy to link before you think, at least it was for David. When Penny from an international consulting firm asked to connect on his professional networking site, he accepted. She was offering an auspicious business proposition, and he felt reassured by their mutual online contacts.

One month and many messages later, Penny suggests they switch to email communication. They exchange information on international events, and Penny exacts from David details of his expertise and insights. David is invited to an all-expenses-paid overseas trip, and he readily agrees. At the first meeting David is given a gift and a transaction is agreed: in return for his reports on geo-political events, he will be given a handsome fee. Following intervention by the Security Services, David is spared from further entanglement. However, he is not spared his employment, nor his security clearance, and he is vilified by work colleagues.

Industrial scale targeting

David is – or was – a civil servant, and he is not alone: MI5 estimates he is one of 10,000 British officials to have been targeted by hostile states on sites such as LinkedIn. And it is not just government personnel, or ex-government personnel, who are being targeted: it is professionals from every walk of life. Hostile state actors are posting malicious social media profiles on an ‘industrial’ scale to gain snippets of information from individuals relating to their work, and the industries they work in. The information hostile states gather through malicious approaches can be utilised to seek an advantage over, or even damage, the UK’s economic, technical and trading position in the world.

During the first six months of last year alone, almost 38 million fake profiles were removed on professional networking site LinkedIn.

Flattery will get you everywhere

It is easy to think that you would not be duped like David, but approaches can be very beguiling. Behavioural Science research undertaken by CPNI to inform the campaign reveals strong parallels with romance and financial scams online. In a similar vein, the perpetrator will ground their approach in an assessment of the individual’s behaviours and circumstances, to tailor and target their messaging. And they will use a combination of charm and flattery to entice someone into a relationship with them.

Fake-out factors

However, on the positive side, there are determining factors that will help users of online professional networking sites recognise the hallmarks of a fake profile. Perpetrator profiles are a smorgasbord of fake names, photos and job descriptions. CPNI advises people to make a judgement call – “if it doesn’t look and feel right, it probably isn’t” – and to always question the legitimacy of the contact. Just because they present a company name and share contacts with you does not mean that they are bona fide.

The four Rs

CPNI advice centres on a four-step approach:

  • Recognise – look out for the hallmarks of a fake profile, check out the individual requesting the contact and the company they say they work for
  • Realise – be cognisant of the threat and the ramifications of connecting with a malicious actor
  • Report – if you suspect a malicious report, act on it. Report it to your security manager, professional networking site or to CPNI direct
  • Remove – remove the connection from your professional network

CPNI has made two videos, ‘Glitch’ and ‘Linked’, which take the viewer through the four steps above and is encouraging organisations to run the campaign for their own workforce. The campaign materials and videos can be downloaded from the CPNI website: https://www.cpni.gov.uk/security-campaigns/think-you-link

Force multiplier effect

By following CPNI protective security advice, employees can have a force multiplier effect; increasing their own levels of awareness and protection helps embed a strong security culture in the organisation. Furthermore, the greater the awareness people have of their digital footprint and the risk of clicking on unknown links in social media and in emails, the more alert they will be to spear-phishing attempts. Understanding the consequences of compromise can also contribute to people reducing their vulnerability to scams and criminality in general.

CPNI quote: “Over the years we have honed our unique position of being able to utilise experience and intelligence from our parent organisation combined with our Behavioural Science and Technical experts to deliver practical solutions to mitigate the threats we face. By following the behaviours advocated by the campaign, individuals and organisations will play a vital role in protecting themselves as well as our sensitive assets and information from malicious actors.”

In summary

Don’t forget for every David, there’s a Penny out there; you are more interesting than you think.

Author: Head of Personnel and People Security & Insider Threat Research Centre, CPNI. www.cpni.gov.uk

Corporate threat of drones
https://citysecuritymagazine.com/cyber-security/corporate-threat-of-drones/
Sun, 19 Apr 2020 07:37:51 +0000

Facing up to the corporate threat of Drones

Drones are now widely available, but in the wrong hands, they present a security risk that banks and major corporations need to take seriously.

What strategies can organisations put in place now to strengthen their defences?

How could a drone be used to attack your business operations?

You may already have considered this question and you can rest assured, criminals certainly have.

If your organisation is vulnerable to hacking, to industrial espionage and theft of information, or to reconnaissance ahead of a criminal attack, then drones (or Small Unmanned Aerial Systems – sUAS) represent a powerful new tool for hostile actors to use. And they are using them.

It’s with good reason that the Centre for the Protection of National Infrastructure (CPNI) has issued counter-drone guidance and technology assessments (November 2019).

It’s not just a risk that planners at critical sites need to take seriously; institutions and businesses need to as well.

Last year, Dedrone carried out a drone proximity survey for one of the UK’s biggest financial institutions and what we found prompted them to change their security policies.

Malicious intent

Over eight weeks our system detected an average of six drones being flown close to the head office building every day. And while some of these devices were clearly being operated by hobbyists or tourists exploring the Square Mile without malicious intent, others may not have been.

What emerged from the data was a pattern: we discovered that among all those drones, one was returning repeatedly and the times of the flights were synchronising with the times when the security team shifts changed.

Coincidence? Anyone familiar with risk planning will understand the potential significance of this pattern. The possibility that someone was planning a criminal or terrorist attack could not be discounted, knowing as we do that repeated site reconnaissance is an established risk indicator.

The bank involved took our warning very seriously. So, should you?

Consider that the market for drones has grown rapidly over the last ten years, and particularly over the last three. Applications are now widespread and range from industrial infrastructure maintenance to videography, from urban planning to inspecting telecoms towers.

Range and sophistication

With that market growth, drone capabilities have stepped up rapidly too. Commercially available devices are increasing in range, agility and sophistication, and they are coming down in price. This means that ever more powerful tools are coming into the hands of ever more people, not all of them well-intentioned.

Once you are aware that somebody is repeatedly flying drones close to your buildings, you start to see things differently, and to ask why. There is a growing realisation that every organisation and every security planner needs to be asking the same question.

Commercial espionage is a pervasive threat. Drones now make it easy for anyone to point a 4K camera into any window in your building, to see and record whatever is left on desks or displayed on screens. It’s as if your access control systems have suddenly been weakened because intruders can now, virtually, walk in through the window.

Similarly, your cybersecurity measures can be targeted. It’s now all so easy to land a drone on the exterior of your premises – a roof, a ledge, a tucked-away service area – and to leave it there sending signals undetected.

Backdoor into networks

Hackers can use this as a platform to attempt to open a backdoor into your networks, or to fool visitors to your premises with Wi-Fi spoofing.

Criminals who favour traditional methods of eavesdropping and bugging can now use drones as a powerful new delivery method, a way to target microphones close to sensitive meeting rooms.

Senior executives and those close to commercial negotiations need to be aware of this fast-growing risk. We’ve seen plausible reports of drones being used to follow executives onto golf courses and attempts to spy on high-value assets, as rogue traders try to second-guess companies’ likely share price movements. And one firm of solicitors specialising in mergers and acquisitions has reported a major spike in drone activity in periods running up to major deals being finalised.

The unwanted drone threat needs to be taken seriously, which is why the CPNI has issued guidance on countermeasures for the first time and included counter-drone (C-UAS) solutions in its Catalogue of Security Equipment. This guidance focuses particularly on measures to detect, track and identify drones.

You should now be thinking of counter-drone DTI systems as integral to your company’s existing threat detection infrastructure – i.e. a default technology that sits alongside all the other systems that your 24/7 security operation monitors: access systems, alarms and, most obviously, CCTV.

Alerted to approaches

Counter-drone technologies are easily integrated and are designed to be operated by the same teams, using the same interfaces.

In practice, at any location where you have security staff checking cameras, you should make sure that they are also now alerted to drone approaches. The capability exists.

For security planners the first requirement is intelligence. Only with accurate data can you assess the scale of the problem, develop a risk mitigation strategy – or take immediate action if the threat is imminent – and persuade the board that the issue needs to be taken seriously, long term.

You shouldn’t wait until a major incident hits the headlines – as it surely will – to get a handle on this issue. Assess the threat, develop proportionate mitigation policies and be prepared to answer questions.

There’s a memorable moment at the start of George Orwell’s 1984 where a government helicopter is described darting around like a bluebottle “snooping into people’s windows”.

Back in 1949, this seemed like one of the book’s more far-fetched predictions. But these days, like so much that Orwell warned about, it seems suddenly less fantastical.

Who needs helicopters though, with drones getting smaller, lighter and quieter? And it may not be Big Brother who wants to snoop on you but plenty of others do, and they have the means.

Amit Samani

Vice President of Sales for The Americas & UK

Dedrone

Virtual Reality can improve cybersecurity
https://citysecuritymagazine.com/cyber-security/virtual-reality-can-improve-cybersecurity-in-2020/
Sun, 02 Feb 2020 15:24:56 +0000

As companies continue to invest in cybersecurity for business, can virtual reality be a powerful learning tool for the human firewall?

With businesses such as Marriott, Microsoft, Apple and Adobe feeling the effects of cyber attacks in the last few years there have been plenty of attention-grabbing headlines. Business owners know that they need to improve cyber awareness to prevent the damage caused by cyber attacks.

With leaked data, system failures, loss of earnings, customer compensation and fines to contend with, the negative impact can linger like a bad smell. A recent report by Bitglass found that companies which suffered a security breach in the previous three years saw an average drop in stock value of 7.5 per cent and didn’t return to pre-breach levels for an average of 46 days after the initial attack.

It’s no wonder then that a survey conducted by FireEye found 76 per cent of organisations plan to increase their cybersecurity budget in 2020. But how should businesses be spending their money?

Invest wisely

We need to think outside the box when it comes to raising awareness about cyber threats. Too many businesses throw money at the technical aspect and neglect the need to improve the human firewall. No software is going to stop a threat that is designed to prey on human vulnerabilities, and with 90 per cent of data breaches caused by human error, the problem is widespread.

Cybersecurity is no longer the sole responsibility of specialist staff or trained practitioners. All staff have some level of accountability but this shift in responsibility isn’t going to happen on its own. Businesses need to train people to understand how the problem presents itself in everyday life, and astonishingly, one in ten UK organisations admit they have no cybersecurity training in place whatsoever.

Traditional training falls short

Chief cybersecurity officers are there to educate and advise. However, sending fake phishing emails to target people who are failing to do their part is potentially harmful. Attaching shame and guilt to the topic tends to create a divide and an unwillingness to ask for support in the future. People may even try to cover up mistakes instead of asking for help.

Traditional training methods aren’t the answer either. People will skip through online modules reading the bare minimum to pass the final quiz, or attend a presentation without really paying attention or absorbing any knowledge.

The solution here is to help people not only see and understand the problem of cybersecurity, but to engage them emotionally. In a paper written by neurologist Judy Willis, she states: ‘When students are engaged and motivated and feel minimal stress, information flows freely through the affective filter in the amygdala and they achieve higher levels of cognition, make connections, and experience “aha” moments.

‘Such learning comes not from quiet classrooms and directed lectures, but from classrooms with an atmosphere of exuberant discovery (Kohn, 2004).’

To achieve this major ‘aha’ moment in the form of a cultural shift we need to educate teams in a way that excites them. This is where virtual reality comes in.

How is VR different?

Storytelling is an age-old tradition, something that comes naturally to us as humans and helps us learn and grow. Its effectiveness is elevated when integrated with virtual reality technology. By fusing VR with expert storytelling you can take people on a journey of discovery, one that doesn’t require note-taking or revision. Learning through VR is engaging from the word go and teams are eager to take part even when the topic – such as cybersecurity – is one that may previously have been considered boring.

  • Virtual reality can elicit a 27 per cent higher emotional engagement than TV
  • Learners who use VR retain 75 per cent of what they are taught (traditional methods offer as little as 10 per cent)
  • Surgeons trained using VR make 40 per cent fewer mistakes than surgeons who are conventionally trained

But beware, only high-quality VR and execution will deliver these astounding results. Simply offering VR experiences for the sake of it is pointless. Businesses need to invest in virtual reality experiences which are expertly designed to solve their cybersecurity needs and address the exact problems that their teams are likely to come up against.

We found this to be true in one of our own VR projects, ‘Date With a Hacker’, which was created and rolled out for Sky employees. Not only did 70 per cent of viewers say that the experience made them more security aware, but 90 per cent said they were more aware of phishing methods and techniques.

When people feel emotions like empathy, fear and excitement, their perceptions around the topic are forever altered. This is what leads to permanent behavioural changes like improved cyber awareness. When all employees are immersed in these experiences, companywide change happens almost of its own accord. Needless to say, our projects have a high retention rate and save businesses thousands in future training costs, meaning that those involved never look at their inboxes in the same way again.

Simeon Quarrie

Founder and Visual Storyteller, VIVIDA

www.vivida.co.uk

The easy way to stop your online accounts getting hacked
https://citysecuritymagazine.com/cyber-security/the-easy-way-to-stop-your-online-accounts-getting-hacked/
Fri, 18 Oct 2019 13:33:02 +0000

A strong password is a good start, but it doesn’t stop there…

Whether it’s your Twitter, Amazon, or Netflix account, the explosion in popularity of online apps and services means more and more of us have to remember an increasingly long list of passwords.

Unfortunately, some of us cope with this challenge by resorting to practices that leave our data, devices and money at risk – using the same password across multiple accounts, or by creating simple passwords that could easily be guessed by a fraudster. Bad password practice is more prevalent than you might think. Data breach analysis carried out by the UK’s National Cyber Security Centre found that more than 23 million users worldwide used 123456 as a password.

But let’s say you’re not one of those people, and you use strong, unique passwords for each of your online accounts. That’s a great start, but you could still be vulnerable to phishing attacks or data breaches. Even the most complex password offers you no protection if you’ve typed it into the ‘password’ field of what you thought was your bank’s genuine website, or if a plain-text version is leaked in a data breach. That’s why an additional layer of security is essential to properly securing your accounts.

If you care about it, put 2FA on it.

Two-factor authentication (2FA) is a way of strengthening the login security of your online accounts. It’s a bit like how an ATM works. You need both your debit card (first factor) and your PIN (second factor) to get access to your account. The main objective is better security. If your card is stolen, they still need your PIN. If your PIN is stolen, they still need your card.

Online accounts with 2FA enabled work in a similar way. They require you to verify your identity using your password (first factor), as well as a randomised code (second factor) that’s delivered to your mobile phone. If your password is stolen, they still need your phone. If your phone is stolen, they still need your password. You should enable 2FA on all of your important online accounts, such as your email, or any account that holds your personal or financial details.

For instructions on how to enable 2FA on popular online services, visit https://www.telesign.com/turnon2fa.

For more simple tips on how to protect yourself online, visit http://www.cyberaware.gov.uk.

If you have been a victim of fraud or cyber crime, report it to Action Fraud at actionfraud.police.uk.

Shumon M
Cyber Protect Officer
NFIB Cyber Protect | City of London Police

Cyber Griffin supports efforts to counter cybercrime
https://citysecuritymagazine.com/cyber-security/cyber-griffin-supports-efforts-to-counter-cybercrime/
Mon, 09 Sep 2019 07:20:10 +0000

City Police work on the front line in the fight against cybercrime and have developed the free training and engagement program Cyber Griffin.

Opportunities in a digital world

The UK is a leader in the tech economy globally; it exported £1.8bn of cyber security services in 2017 and exports are forecast to rise to £3.2bn by 2022. The UK has the largest cyber security market in Europe, valued at just over $5bn, and one third of all global cyber insurance goes through the City of London.

Currently the UK cyber industry employs more than 100,000 people, across 8,000 companies, including start-ups and SMEs.

Doing business safely in a digital world

As one of the world’s leading digital nations, technology is fundamental to how the UK does business in a modern world. This means that much of the UK’s prosperity now depends on the ability to secure technology, data and networks from the many threats faced.

Given reliance on digital tools, the economic effects of cybercrime can be significant. Although there is much uncertainty around the actual figures of fraud, the 2017 Annual Fraud Indicator estimated online fraud losses in the UK of around £73.4bn.

The national cyber security approach

In response to the cyber threat, the Government has committed to making the UK one of the most secure places in the world to do business, with £1.9bn in transformative cyber security investments by 2021. The City Police play a key national role as they are the UK Policing Lead for Economic Crime and Cyber Reporting.

Government activity in cyber is directed by the National Cyber Security Centre (NCSC). It was launched in October 2016, bringing together expertise from CESG (the information assurance arm of GCHQ), the Centre for Cyber Assessment, CERT-UK, and the Centre for Protection of National Infrastructure. The NCSC provides UK-wide services, including free resources.

The City of London

The City of London and its police force have a responsibility to support people and businesses in the Square Mile to stay safe online. To give a picture of the scope of the City Police’s work, 8,000 people live in the Square Mile, over 400,000 commute to the City every day for work and over 10 million visit as tourists every year.

41% of people living and working in the City were born outside the UK, 46% of London’s financial services professionals and 18% of England and Wales’s legal professionals work here (ONS, 2019). A fifth of the UK’s financial services Gross Value Added is produced in the Square Mile (City of London Corporation, 2018).

City Police and cyber

To complement and support national efforts, the City of London Police have developed the free training and engagement program Cyber Griffin.

“About 80% of the cybercrime reported in the City of London is from businesses, so it’s important that we work with businesses to make sure that they don’t become victims of cybercrime in the future.” – City of London Police Commissioner, Ian Dyson

The City Police work on the front line in the fight against cybercrime and have up-to-the-minute knowledge on the threats facing businesses. They use their insider knowledge, specialist technical and compliance expertise, and their trusted and neutral position to support professionals and businesses.

Cyber Griffin

Cyber Griffin security training is offered by City Police free of charge, with tailorable training options for those who are completely new to cyber security, right through to cyber security professionals in the Square Mile.

Baseline Briefings – Supporting all your staff to do the basics well

People are both the greatest cyber security asset and the greatest risk. This two-hour baseline briefing guides non-technical staff through current cyber threats and provides simple practical protection training, teaching the most effective and easy to adopt defender skills, sufficient to defeat even the most prolific cyber attacks.

Registration of attendance for the monthly briefings can be made at www.colp.uk/cybergriffin/events

Groups of over 40 can book as private briefings, where an officer will come and speak at a company.

Business Continuity – Bespoke advice and threat assessment

The Business Continuity training programme, targeted at those who manage the cyber business plan or business continuity, is an opportunity to discuss the company’s cyber planning with experts from the City of London Police and receive an external online security scan of the company. It provides face-to-face, practical, confidential support and guidance.

Table Top Exercise – Simulating the cyber security decision making process

In the Table Top Exercise, a simulation takes executive teams through hard cyber security decisions about technology investments and practical challenges. It reveals the consequences of a sequence of decisions, which would usually be entrusted to IT teams, and gives executives a chance to discuss the strategic principles behind cyber security with expert police.

Gold / Silver / Bronze Training – Incident response training

Aimed at incident responders within an organisation, Gold Silver Bronze training gives in-depth incident response coaching to the private sector, covering Police Major Incident Procedures such as how to form a command structure and how to write a decision log.

Disclaimer: Cyber Griffin is a tool for assisting businesses to manage and deal with cybercrime. It is not in itself a cure for all cybercrime, merely part of a series of measures to be adopted to assist in tackling this phenomenon. More will be revealed during the training courses to be held on this issue.

Lucy Fraser

Policy Advisor (Cyber) City of London Police

www.city-of-london.pnn.police.uk

Cyber security basics from Will Geddes
https://citysecuritymagazine.com/cyber-security/advice/cyber-security-basics-will-geddes/
Mon, 22 Jul 2019 08:08:15 +0000

Taking care of the cyber security basics by Will Geddes

Doesn’t it seem that not a day goes by without there being yet another reported cyber incident impacting a major corporation or government agency?

I’m sure, like many, you might be thinking: I’m having a hard-enough time keeping myself safe, but what chance have I got when companies and organisations – spending millions on their cyber defences – can’t? It can be somewhat depressing, and many people I talk to can feel, understandably, a bit helpless.

The target for hackers

The readers who know me will also know that I’m not a ‘cyber expert’ in the truest sense. However, I have garnered experience across this subject over the last two decades, working alongside many who are, and the one thing I can say is that if someone is determined enough to hack you, they probably can. And will. Especially if you find yourself in a country where state-sponsored surveillance is prolific, or you are a celebrity, a football team, an IoT device manufacturer, involved in government elections or working on something of specific interest (like NASA) that especially draws the attention of the hacking community.

Where is the vulnerability: The person or the technology?

Most hacks are widespread distributed spyware, ransomware, malware or other viruses intended to impact as many devices as they can. Disconcerting though this may be, you can also take solace that unless you are holding specific information or assets of value, it will likely be more a case of you getting affected through the wave of widely spread threats. This means that you can likely also avoid becoming a victim. Why? Well, I honestly believe it actually often has less to do with the technology and more to do with the person operating it. As a very clever ‘techie’ once said, it’s often: PICNIC – Problem in Chair not Computer.

PICNIC – Problem in Chair, Not in Computer

This I’ve certainly found often to be the case. On the vast number of occasions when certain large organisations have been hacked, we’ve usually found out it wasn’t the super-amazing software which let them down, but the persons responsible for managing it. All too often, the problem will be related to not updating software patches, fixing identified weaknesses like ports left open, administrator rights being widely used, simple passwords or something else equally basic that a little ‘housekeeping’ could have easily prevented.

The same applies to us, personally. I wrote a book last year (Parent Alert: How to Keep your Kids Safe Online) and waited with bated breath for the ‘Cyber’ community to tear into me. OK, it is focused on kids and is, in ‘techie’ terms, pretty basic stuff; but even I was taken aback by the number of experienced IT professionals who responded positively.

Too often our considerations are set at such an elevated level we can often – and easily – forget that if we take care of the basics, we can immediately reduce our exposure to the majority of those nasty cyber threats: prevention over solution, and it does not require too much hard work to do this. In fact, it can be relatively straightforward, and in the most part, somewhat easy.

Taking care of the Cyber Security basics

Name your devices anonymously:

Why call them ‘John/Jane Smith’s’ iPhone or computer? Every time you connect to Wi-Fi this will identify you.

Join a Wi-Fi network, search other devices on Bluetooth or airdrop and you’ll see loads of other people’s named devices. Call it something anonymous like ‘Sponge-bob’, ‘ABC’, ‘Radish’; it does not matter what, just as long as it’s something that doesn’t identify you personally by your name or even your gender.

Turn off ‘Sharing’:

Unless you have this properly locked down, you are exposing yourself to the huge risk of someone going through your files and documents. I remember using someone else’s iTunes library when on holiday once because they left sharing on.

Your passwords:

What are they protecting: your banking? Email account? Social media accounts? Which of these contain the most confidential, sensitive or important stuff? Which one of these, if compromised, would cause you the most damage or impact? Rate them from ‘most’ to ‘least’ and create a suitably complex password to correspond.

Every one of them should have the following: upper and lower case, alpha, numeric and a symbol. Replace ‘i’s’ with ‘1’s’, ’S’s’ with ‘5’s’ and use ‘*’s, ‘%’s and other symbols in there somewhere.

Maybe just use ‘1Password’, which will create these for you, and also register your email account on https://haveibeenpwned.com.

This site will alert you if your password has been compromised.

The Google Chrome browser has recently introduced a similar service too. If your password has been stolen (I found mine had been from the servers of some app I once used), then these services will let you know.

Two-factor authentication:

Make sure you set up two-factor authentication on everything that offers it. This is one of the best ways to ensure that no one accesses that account without you knowing, even if they know your password.

Update your software:

Whenever there’s a new release or update. Each update will have a beneficial security element to it, even if it doesn’t say so. If you’re forgetful or super busy, set your device to ‘auto-update’ to ensure you’re prompted when it needs to be done.

Install a VPN (Virtual Private Network) on all your devices – phone, tablet, computer – so that when you surf the net – especially on a ‘communal Wi-Fi’ – like at a coffee shop, airport or hotel – the bad guys won’t be able to intercept your browsing activity or eavesdrop/sniff your information.

Install a capable anti-virus/malware

Don’t cut corners – get something good.

There are a multitude of other ‘tips’ I can suggest but implementing what I’ve suggested above will give you a good head start.

These cyber threats aren’t going away, but there are things we can do to protect ourselves. There is hope.

Will Geddes
Managing Director, ICP Group and TacticsON

Parent Alert: How to Keep your Kids Safe Online


The post Cyber security basics from Will Geddes appeared first on City Security Magazine.

]]>
The cyber threat to UK businesses https://citysecuritymagazine.com/cyber-security/the-cyber-threat-to-uk-businesses/ Mon, 17 Jun 2019 08:22:36 +0000 https://citysecuritymagazine.com/?p=7073 The cyber threat to UK businesses Between April and September 2018, victims across England…

The post The cyber threat to UK businesses appeared first on City Security Magazine.

]]>
The cyber threat to UK businesses

Between April and September 2018, victims across England and Wales reported losing more than £34m to cyber crime.

Extortion and business-related account hackings were among the most common forms of cyber crime affecting businesses. Here we provide some simple steps that businesses, whether big or small, can take to protect themselves from the most common cyber crime threats reported to Action Fraud.

Compromised social media and email accounts

Email and social media are increasingly the main channels of communication between a business and its customers, and any compromise of those channels could lead to significant financial and reputational damage. During a six-month period in 2018, businesses reported losing £6.7m as a result of compromised email and social media accounts. We advise business users to lock down these accounts by using strong, unique passwords and enabling two-factor authentication (2FA) where it’s available.

Hacking and extortion

Whether it’s customer information or intellectual property, criminals use the threat of seizing, damaging or releasing data in order to extort money from businesses. Sometimes the threat is just that, a threat, but in the majority of cases reported to us criminals will follow through and infect a business’s computers with malware, such as ransomware. Businesses reported losses of over £7m as a result of server hacking and malware infections.

Action Fraud advises business users to follow a few simple steps in order to protect themselves from the financial and reputational damage caused by cyber attacks. Start by ensuring that all of your computers, laptops and mobile devices are running up-to-date software and apps. All laptops and computers that connect to a business’s network should have anti-virus software installed and be updated regularly. Frequent backups of important data are another key aspect of defending a business against extortion attacks.

For more information on how to protect your business, visit www.ncsc.gov.uk/smallbusiness

Three simple steps to avoid Mandate Fraud https://citysecuritymagazine.com/cyber-security/three-simple-steps-to-avoid-mandate-fraud/ Fri, 22 Mar 2019 17:23:49 +0000 https://citysecuritymagazine.com/?p=7139 Avoid Mandate Fraud Action Fraud received over 8,000 reports about mandate fraud last year,…

The post Three simple steps to avoid Mandate Fraud appeared first on City Security Magazine.

]]>
Avoid Mandate Fraud

Action Fraud received over 8,000 reports about mandate fraud last year, making it one of the most reported types of fraud.

What is mandate fraud?

Mandate fraud is when criminals trick you into changing a direct debit, standing order or bank transfer mandate, often by purporting to be an organisation you make regular payments to, such as a subscription service or a business supplier. This type of fraud is usually targeted and involves perpetrators gaining knowledge about the victim beforehand in order to make the scam more convincing. For example, an urgent payment request that appears to come from a senior employee within your organisation might coincide with that individual going on leave. Fraudsters piece together lots of small details, such as employee leave details or supplier names, in order to create convincing narratives that carry a higher chance of ensnaring victims.

Between Oct 2017 and Sep 2018, mandate fraud victims lost £160m.

Check it twice or pay the price

There are some simple steps you can take to protect yourself, and your business, from mandate fraud:

  • Step one: The most important thing you can do is to verify all invoices and requests to change payment arrangements. You can do that by calling the supplier directly using established contact details you have on file.
  • Step two: You should also be mindful of how you manage access to sensitive information. Are financial documents only accessible to those employees that require access? Are you mentioning the names of your suppliers in your social media feeds? Fraudsters can use those details to create highly personalised scams.
  • Step three: Finally, you should check your bank transactions regularly. If you notice anything suspicious, you should notify your bank immediately.

If you have been a victim of fraud or cyber crime, report it to Action Fraud at actionfraud.police.uk

Hacked! Have your accounts been compromised? https://citysecuritymagazine.com/cyber-security/hacked-have-your-accounts-been-compromised/ Mon, 25 Feb 2019 09:19:13 +0000 https://citysecuritymagazine.com/?p=6976 Billions of online accounts are compromised every year According to the Breach Level Index…

The post Hacked! Have your accounts been compromised? appeared first on City Security Magazine.

]]>
Billions of online accounts are compromised every year

According to the Breach Level Index report by digital security firm Gemalto, almost 15 billion data records have been compromised since 2013. From usernames and passwords to dates of birth or home addresses, compromised personal information can leave you vulnerable to identity theft and fraud. Analysis by the National Fraud Intelligence Bureau reveals that mass phishing campaigns are using personal details, such as names or addresses, to tailor scam messages to intended victims. One of the most reported phishing emails to Action Fraud last year was a ‘sextortion’ email that contained the victim’s genuine password. The ability to personalise fraudulent messages makes it increasingly difficult for people to spot them as fakes, thereby increasing their chances of falling victim to fraud.

How do I find out if I’ve been affected?

Have I Been Pwned is an online service that allows you to quickly and easily check whether your accounts have been compromised in any known data breaches. Head over to https://haveibeenpwned.com/ to find out if your accounts have been affected. 

My account has been compromised! What should I do?

Don’t panic, you can reduce the damage caused by a compromised account if you act quickly. The first thing you need to do is perform an immediate password reset on any accounts that have been compromised, as well as any accounts where you have used the same password. You should always use a strong, separate password for your important online accounts, such as your email. Where available, enable two-factor authentication (2FA) on accounts as it provides an additional layer of security. 

For more simple tips on how to protect yourself online, visit cyberaware.gov.uk. If you have been a victim of fraud or cyber crime, report it to Action Fraud at actionfraud.police.uk. 

Cyber security in an age of state-sponsored cyber attackers https://citysecuritymagazine.com/editors-choice/state-sponsored-cyber-attackers/ Sun, 03 Feb 2019 07:43:27 +0000 https://citysecuritymagazine.com/?p=6694 Cyber security in an age of state-sponsored cyber attackers Businesses and cities share a…

The post Cyber security in an age of state-sponsored cyber attackers appeared first on City Security Magazine.

]]>
Cyber security in an age of state-sponsored cyber attackers

Businesses and cities share a very real threat in today’s increasingly complex world, faced as they are with the ever-present possibility of a cyber attack, including state-sponsored cyber attackers.  Here the current key considerations for cyber security are highlighted.

A cyber attack can come at any time, and without warning – many of them devised by more and more sophisticated hackers, with an ever-expanding arsenal of tools at their disposal.

Profile of a cyber attacker

The profile of an attacker has evolved from the lone actor to highly organised groups often funded by nation states. These state-sponsored cyber attackers are no longer simply targeting your installations or private data – they’re engaging in cyber espionage and IP theft, looking for an entry point into critical infrastructure, or building management systems.

Such attacks have already been shown to cause devastating levels of damage on an increasing scale – in some cases putting companies out of business, shutting down entire power grids across cities, and crippling essential services, leaving lives at risk.

A cyber attacker needs only a single entry point to gain access to a target’s network and critical infrastructure. Physical security systems are increasingly being used as that entry point, with this issue emerging as the most significant evolving risk in the sector.

NCSC warning: UK faces a full category 1 cyber attack

The extent of the nation’s cyber security risk was recently revealed by the UK’s top cyber-defence centre. In its latest Annual Review, the National Cyber Security Centre (NCSC) revealed that the organisation has been defeating an average of 10 attackers per week – most of those attacks executed by state-sponsored cyber attackers employed by hostile nations.

In the same report, the head of the NCSC, Ciaran Martin, warned UK businesses that it’s just a question of time before the UK gets hit with a widespread cyber attack, stating, “I remain in little doubt we will be tested to the full, as a centre, and as a nation, by a major incident at some point in the years ahead, what we would call a Category 1 attack.”

A Category 1 attack is defined by the NCSC as a cyber attack that causes “sustained disruption” of essential services or affects national security, leading to severe economic or social consequences, or even to loss of life.

Combatting the threat

The only way to combat this looming threat is to be aware of the risk and bolster existing security systems. Just as you might prepare for the possibility in your area of a natural disaster, such as an earthquake, you must take the correct preventative measures to brace for a cyber attack knowing that although you may not get hit for many years, there’s also the possibility that it could happen tomorrow.

Interconnectivity of operations increases risk

In today’s world, it seems that everything is increasingly connected –  from your phone, to your car, to your toaster, to your surveillance system. With technological advances, businesses and cities have come to rely upon this inter-connectivity for running operations smoothly, allowing for greater convenience and better collaboration.

Yet for all of the practicality presented by the world of IoT, this intertwined approach is also the very thing that can leave your most critical infrastructure vulnerable to an attack – after all, your physical system is only as secure as its weakest point, or the least trusted device connected to it.

In spite of this known risk, the interconnectivity of business operations can’t be easily escaped. An offline strategy is no longer a viable strategy – the pace of software and hardware updates alone is so fast that if you keep your system in a closet, you’ll miss out not only on functionalities that keep your system at optimal performance and resilience, but also on critical updates that keep your deployments safe.

Even if you could operate offline, there’s still always the risk of a breach being brought in from a third party. All it takes is a USB stick, or unauthorised access to another local device.

Cyber security starts with trust

The best way to combat a cyber attack is to seal off any and all entry points to a potential infiltrator, such as a state-sponsored cyber attacker. This process starts with building trust.

You need to first be able to trust all the people you work with, starting with your employees. Many businesses have been exposed to a malware attack or data breach that began internally – for example, a loyal employee plugging in a personal device at work, such as a phone, not realising it’s already been hacked.

Many such breaches can be prevented with the simple introduction of generalised employee training, designed with cyber security in mind.

Thorough vetting of your supply chain

It is equally important that you trust those working with you on your supply chain – your vendors, manufacturers, and those deploying your systems.

You must be sure to select vendors and integrators that build their own businesses on a foundation of cyber security best practices. This starts by asking some key questions before engaging in a partnership:

Is the vendor being transparent about cyber vulnerabilities? Do they have a strategy in place to close up security gaps? Do they place a priority on security when developing their own products? Will they take responsibility if your devices get hacked? And finally, who owns the company building the hardware and software?

This final question is particularly critical in light of the latest report from the NCSC’s findings on the level of threat from hostile nations. Choosing the wrong foreign government-owned vendor could leave you vulnerable to “back-door” entry points, allowing a vendor to tap into your devices any time they wish to. In this way, they have the potential to execute denial of service to a third party, or to use their IP cameras to tap into your private network.

With all of this in mind, it is clearly important to take the time to select partners who can show that they have your best interest at heart. The right vendors should rate cyber security as a top priority, over product prices and features. They should also be able to provide the right answers to all of the above questions.

Laurent Villeneuve, Product Marketing Manager, Genetec Inc. www.genetec.com
