Are your passwords as secure as an open door? While many IT security experts are focused on patching software, closing weaknesses, and implementing expensive security software, your employees could be using simple passwords like ‘password’ and ‘abc123’. Weak passwords remain one of the easiest ways to hack into a system, and there are many millions of weak passwords in existence (what’s more, these ineffective passwords are often re-used by employees across multiple sites, making it even easier for hackers to gain access). Leaked databases of email addresses and password pairs exceed the hundreds of millions, and these exposed passwords may still be in use by your employees – all a hacker has to do is check.

It’s not hard to see why people use simple passwords. These days we all need to remember so many combinations of usernames, email addresses and passwords that it’s tempting to reduce this mental overload by recycling one or two memorable passwords.

This is why organisations must constantly remind employees of the importance of strong passwords. A weak password isn’t just a threat to the individual and their information. A weak password is an open door to the entire organisation, meaning that it’s more than a matter of personal preference: it’s an existential threat.

Here are seven tips for creating and maintaining secure passwords:

Keep passwords secret

This may sound obvious, but many people share their passwords with friends, colleagues or family members at one time or another and never go back and change them afterwards. Remind employees to keep passwords to themselves, and never to enter or create a password when someone else is watching.

Don’t recycle passwords

Enormous databases of passwords are circulated widely online. These contain hundreds of millions of stolen passwords – which your employees could still be using to gain access to your systems. Remind people to use unique passwords for every service. Password managers can help generate and store complex passwords securely.

Avoid using personal information

Your children’s or pets’ names may spring to mind when you try to create a password, but these details are often available to anyone who cares to scan our social media profiles. Avoid such easy-to-find details and choose something harder to guess.

Don’t use dictionary words

A single word from the dictionary is quick and easy to crack. Even if you replace some of the letters with numbers and characters, you’re making life too easy for the hackers.

… Unless you use six unrelated words

Putting six random words together in a string that makes no sense can be a viable password strategy. For example:

  • PerplexBravadoMonkeyRivalsAttentionSponge is a long, secure password that would make life difficult for hackers and their password-cracking software.

Turn phrases into random strings of letters/numbers

Turn a phrase into a password – e.g. ‘I loved eating ice cream in Venice in 2016’ becomes IleiciVi2016 – or ‘I went camping and lost £20 in my sleeping bag’ becomes Iwcal£20imsb. This tactic can create impenetrable passwords that are also easy to remember, particularly if the phrase relates to a fond memory or a happy occasion.

Change passwords regularly

However good your password, there’s a chance that it could be circulating online. By changing your password every year, you limit the risk of hacking considerably.
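The seven tips above translate directly into checks a login system or password-policy tool can run. The following is an added example written for this article, not VinciWorks code or any product's implementation: it rejects passwords found in a leaked-password list, dictionary words even after the usual letter-for-number swaps, and passwords containing personal details, and it implements the phrase-to-initials trick and a rough strength estimate for the six-word passphrase approach. The leaked-password set and dictionary are tiny constructed stand-ins; a real deployment checks against lists with hundreds of millions of entries.

```python
import math
import re

# Constructed stand-ins for the leaked-password dumps and dictionary the post
# refers to; real checks run against lists with hundreds of millions of entries.
LEAKED_PASSWORDS = {"password", "abc123", "123456", "qwerty", "letmein", "monkey1"}
DICTIONARY = {"password", "monkey", "sunshine", "dragon", "welcome", "venice"}

# Common letter-for-symbol swaps that cracking tools undo automatically.
SUBSTITUTIONS = str.maketrans("0134$@!5", "oieasais")


def is_leaked(password):
    """True if the password appears verbatim in the (constructed) leak list."""
    return password.lower() in LEAKED_PASSWORDS


def looks_like_dictionary_word(password):
    """'Dr4g0n1!' is still 'dragon' once the suffix is dropped and swaps undone."""
    core = re.sub(r"[^a-z]+$", "", password.lower())  # strip trailing digits/symbols
    core = core.translate(SUBSTITUTIONS)
    return core in DICTIONARY


def uses_personal_info(password, personal_details):
    """Flag passwords that embed a child's name, pet's name, surname, etc."""
    low = password.lower()
    return any(d.lower() in low for d in personal_details if len(d) >= 3)


def entropy_bits(password):
    """Rough strength estimate: length x log2(size of the character pool used)."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"\d", password):
        pool += 10
    if re.search(r"[^A-Za-z\d]", password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def passphrase_bits(word_count, wordlist_size=7776):
    """Six words drawn at random from a 7776-word list give about 77.5 bits."""
    return word_count * math.log2(wordlist_size)


def phrase_to_password(phrase):
    """'I loved eating ice cream in Venice in 2016' -> 'IleiciVi2016'.

    Alphabetic words contribute their first letter; tokens with digits or
    symbols (2016, £20) are kept whole, matching the article's examples.
    """
    return "".join(w[0] if w.isalpha() else w for w in phrase.split())


def check_password(password, personal_details=(), min_length=12):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if is_leaked(password):
        problems.append("appears in a leaked-password list")
    if looks_like_dictionary_word(password):
        problems.append("dictionary word, even with substitutions")
    if uses_personal_info(password, personal_details):
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "Dr4g0n1!", "PerplexBravadoMonkeyRivalsAttentionSponge"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

The entropy figure is deliberately crude (it assumes every character was chosen at random, which is not true of a phrase-derived password), which is why the leak, dictionary and personal-information checks run first: a password that fails any of them is weak regardless of what the arithmetic says.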

Does your organisation enforce strong passwords? Do you have a method for helping employees manage multiple passwords?

VinciWorks offer a suite of cyber security training courses, including one that is dedicated to setting a secure password.

Employing a culture of security and training, and then testing this knowledge on a regular basis, is the most effective way to safeguard against data security threats and eliminate user errors. eLearning is a great way to foster a culture in which everyone understands and respects data security protocols, and wherein cyber-security risks are kept to an absolute minimum.

Everywhere you look, hacking seems to be on the rise, and it’s true that many of these attacks are opportunistic. However, some hackers are more calculating than this, conducting attacks over time so they can harvest the data they value. One such approach is the ‘man in the middle’ (MITM) attack. This involves hackers gaining access to your network, or intercepting your communications so that they can eavesdrop, collect data, and interfere with your own transmissions.

As you can imagine, once a hacker can get between you and the people or systems you communicate with, they have the power to cause immense harm. They can easily gather valuable information such as payment card information, legal documents, and company secrets. But it’s hackers’ ability to amend and corrupt this information that makes MITM attacks so potentially damaging. Instead of simply harvesting data, hackers can, in fact, change your information to suit themselves. With a few taps of the keyboard they can alter your bank details so that payments land in their accounts, not yours … and you may not notice until months later. This is not a hypothetical threat; hackers have even amended mortgage documents sent from a private home buyer to a solicitor so that hundreds of thousands of pounds were unwittingly redirected into their accounts.

So how do MITM attacks occur? They typically involve two different kinds of interception: either between you and your peers on your company network, or between you and an internet access point – usually over WiFi. The threat from open WiFi networks is particularly dangerous – and another reason why sensitive information should never be sent or received over an open wireless network.

We may imagine that our company networks and intranets are more secure, because we know who can gain access, but there may be a temptation for employees to use their privileges for nefarious purposes – particularly disgruntled employees who decide to gather valuable information before they leave the company. Employees may also be persuaded by a third party to create an access point for external hackers. Given the high value of this kind of access, companies must consider the great lengths that criminals may go to for this kind of fraud. And, as we’ve discussed in previous articles, employees can easily give hackers access without intent or awareness.

The question is, then, what can your organisation do to limit the risks of MITM attacks? As always, there is an educational component; employees need to understand their role in maintaining a secure network. Employees should never work on company laptops (or phones) from unsecured, public Wi-Fi networks. Employees also need to understand how to spot unsecured websites, and to look for websites using the ‘https’ rather than ‘http’ protocol, particularly when sharing sensitive data or making payments online.

From a company IT perspective, using HTTPS on all web and intranet sites is essential for preventing these attacks. An Intrusion Detection System (IDS) can alert you to problems – and help prevent an attack from turning into a costly loss of data, reputation or cash.
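The advice to use HTTPS on every web and intranet site and to look for ‘https’ before sharing data is something an IT team can check automatically rather than by eye. Below is an added example written for this article (not VinciWorks code or any product's feature): it parses a page and reports scripts, forms and links that still point at plain http:// addresses, and it checks the response for a Strict-Transport-Security (HSTS) header, which tells browsers to refuse plain HTTP for that site. The intranet page and response headers are constructed for the example; the host names are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a real site): one script, one form and one link
# still use plain http; the stylesheet is fine and the scheme-relative image
# inherits the page's own scheme.
SAMPLE_HTML = """
<html><head>
<script src="http://cdn.example.test/app.js"></script>
<link rel="stylesheet" href="https://cdn.example.test/app.css">
</head><body>
<form action="http://payments.example.test/pay" method="post"><input name="card"></form>
<a href="http://intranet.example.test/docs">Docs</a>
<img src="//static.example.test/logo.png">
</body></html>
"""

# Constructed response headers for the same page.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

ONE_YEAR = 31536000  # seconds; the commonly recommended minimum HSTS max-age


class InsecureReferenceFinder(HTMLParser):
    """Collects (tag, url) pairs whose URL uses the plain http scheme."""

    URL_ATTRS = {"script": "src", "link": "href", "img": "src",
                 "iframe": "src", "form": "action", "a": "href"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = self.URL_ATTRS.get(tag)
        if not attr:
            return
        for name, value in attrs:
            if name == attr and value and urlparse(value).scheme == "http":
                self.findings.append((tag, value))


def find_insecure_references(html):
    parser = InsecureReferenceFinder()
    parser.feed(html)
    return parser.findings


def hsts_max_age(headers):
    """Return the max-age from the HSTS header, or None if the header is absent."""
    value = headers.get("Strict-Transport-Security")
    if not value:
        return None
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit():
            return int(val)
    return None


def audit(html, headers):
    """Human-readable list of HTTPS problems found in a page and its headers."""
    issues = ["%s loaded or submitted over plain http: %s" % (tag, url)
              for tag, url in find_insecure_references(html)]
    age = hsts_max_age(headers)
    if age is None:
        issues.append("no Strict-Transport-Security header")
    elif age < ONE_YEAR:
        issues.append("HSTS max-age below one year (%d)" % age)
    return issues


if __name__ == "__main__":
    for issue in audit(SAMPLE_HTML, SAMPLE_HEADERS):
        print(issue)
```

The form posting card details to an http:// address is the finding that matters most here: anything submitted through it travels in clear text and can be read or altered by whoever sits on the path, which is exactly the position a man-in-the-middle attacker wants.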

Is your organisation protected against MITM attacks? Or is it time to shore up your defences?

VinciWorks offer a suite of cyber-security training courses designed to deliver effective cyber security training in an easily digestible, highly motivating format. Each course highlights a particular learning objective (e.g. phishing attacks, setting a secure password, using email and browsing the internet) and can be completed in approximately five minutes in order to maximise knowledge retention and keep engagement levels up.

We also offer more holistic, longer information security and preventing a data breach courses that address physical as well as digital security threats, as well as courses on the new EU-wide GDPR legislation, with its increased focus on internet security and affirmative consent.

Bupa, the global health insurance company, admitted recently to a massive data breach affecting their international customers. A rogue employee copied and distributed the details of 108,000 customers. The data did not include financial or health information, but did include names, dates of birth, nationalities and some contact information. Whilst this information may not be enough to defraud Bupa customers, the data could be used by hackers to create more convincing phishing attacks to fool unsuspecting members of the public.

Security expert Marco Cova said to The Register: “Unfortunately, the data revealed from this breach is the type that criminals can use to launch additional attacks. They merge data from multiple sources, building dossiers on potential victims, including spear phishing targets. Data breaches provide a distribution hub for malware for years to come.”

Bupa quickly admitted to the data breach and explained that the employee had been fired and that the matter was being investigated by the police. The Financial Conduct Authority and other relevant regulators were also notified, and Bupa contacted all the customers affected to provide advice on how to spot any fraudulent emails and scams that may come their way. Following the breach, Bupa has also reported plans to review its security procedures.

While Bupa has responded rapidly and openly to this incident, many will question how a company that handles so much sensitive personal information could fall victim to this kind of attack – particularly from inside their own walls. Presumably they have a Data Loss Prevention system configured to stop employees from downloading or copying data without authorisation. So how could one employee harvest 108,000 records?

The Bupa attack is another example of cyber-crime that doesn’t fit the common misconception. This was not a carefully planned operation by a hardened criminal; it was an opportunistic theft by a trusted member of staff. This kind of crime is difficult to prevent, particularly when organisations are striving to remove barriers to innovation and enable employees to do great work efficiently.

Has your organisation struck the balance between security and digital freedom? Or do you need to do more to secure your data and systems against internal threats?

eLearning can help warn against potential repercussions for data theft and educate employees on the laws and regulations in place to deter cyber-crime. VinciWorks offer a suite of cyber-security eLearning courses, as well as short courses on the upcoming GDPR legislation with its increased focus on digital security.

A skills gap refers to the space between what employers want or need their employees to be able to achieve, and what employees actually have the know-how and experience to do. At the moment, there seems to be unrest in the UK regarding the General Data Protection Regulation (GDPR) and the amount of cyber-security and data-handling professionals that are available to help organisations comply by the deadline in May 2018.

Since GDPR affects nearly every organisation in the EU (and all those who wish to do business with EU countries) – and with constant warnings and alarming headlines about large penalties for breaches of GDPR legislation (up to €20M) – it is perhaps understandable that UK organisations are feeling the pressure along with everyone else.

The question remains, though, how best to bring employees up to speed, particularly those who need a good understanding of the basic principles and directives of the GDPR, but who wouldn’t need as much expertise as, say, a dedicated Data Protection Officer (DPO). Even for organisations that employ a DPO, it makes sense to nurture and develop staff from within prior to the May 2018 deadline, if only to help mitigate the risk of said employees leaking customer data, storing it incorrectly, or otherwise inadvertently misusing it.

As part of your GDPR preparations, it makes sense for all staff to be aware of the GDPR, its implications, and what GDPR compliance looks like compared to the Data Protection Act. Organisations will need to go into detail about what constitutes a breach from May 2018 onwards, as well as put in place policies about mobile technology and data governance. It will also make sense to schedule regular (e.g. annual) refresher sessions in case anything changes and to really ensure compliance, and to arrange for new employees to undertake the same training as part of their induction.

How can VinciWorks help?

We offer GDPR online training courses to bring your employees up to speed with the GDPR. All our courses are automatically updated and the amended versions made available to users should legislation change.

A quick summary of our most popular GDPR courses can be found below:

  • Preparing for GDPR
    This course offers organisations the chance to learn how to prepare for the upcoming GDPR in time for May 2018 as well as informing them what they’ll need to do differently after this time. It also looks to answer any queries your employees may have about staying compliant after GDPR legislation comes into place.
  • ‘Accountability’
    This course looks at the GDPR directive and the need for transparency within your organisation. Other areas covered include why the GDPR directive legislation is so important, how to demonstrate accountability and how to minimise the risk of a data breach.
  • ‘Erasure: The Right to be Forgotten’
    This is a user-friendly microlearning course which takes five minutes to complete. It offers a focussed look at “The Right to be Forgotten” as it’s such a fundamental consideration of the upcoming GDPR legislation. After purchasing this micro course, your employees can expect to learn what responsibilities and obligations they have when receiving a request to erase personal data from others.

All our eLearning courses can be accessed and re-accessed as many times as you require to ensure compliance and, together with our full compliance suite of eLearning courses, form an ideal base for employee learning and development.

The Cyber Governance Health Check assesses and reports levels of cyber security awareness and preparedness in FTSE 350 companies (i.e., the UK’s 350 largest firms). The report allows these leading organisations to compare how security risks are managed and helps them to identify and address their different vulnerabilities.

According to the latest figures from the Health Check, over half (54%) of FTSE 350 companies list the risk of cyber-attacks as their number one concern (compared with other business threats like economic uncertainty or the unease surrounding Brexit). This figure is up from 29% just three years ago.

It’s likely that the recent spate of ransomware attacks in the UK, and the devastation that followed instances such as the NHS’s WannaCry scare, is the cause of the unrest amongst Britain’s market leaders. Whilst it is positive to see the new priority given to limiting cyber-security risks by these leading organisations, the report also highlights a less optimistic statistic: one in ten organisations currently operate without a response plan for cyber-attacks, and over two-thirds of employees have not received any training on how to handle such an event.

However, as Marco Cova, Senior Security Researcher at Lastline, suggests:

“If one was to find a silver lining, I would say that these ransomware attacks will probably do more to raise the security awareness of vendors and organisations than many security measures have in the past.”

Indeed, faced with the seemingly ever-present threat from cyber-criminals looking to steal data (or else hold it hostage) at the moment, it seems obvious that organisations ought to conduct their due diligence and prepare for the worst. More than this, though, and with new GDPR legislation on the horizon for 2018, companies are now more accountable than ever for keeping their clients’ data safe. This means that investments in technology and thorough cyber-security training that is preventative rather than reactive are imperative. This type of risk-mitigating training could mean the difference between keeping confidential data safe and compliant with GDPR, and having to fire-fight the aftermath (financial, reputational, or otherwise) of a data-breach.

It remains true that the biggest risk to any company’s digital security is its own employees. More often than not, users inadvertently create an entry-point for cyber-criminals to take advantage of – by visiting unauthorised websites, re-using weak passwords, or opening an attachment from an unknown sender, for example. This is why VinciWorks offer a range of information and cyber-security eLearning courses, all specifically designed to reduce the risk of a security breach.

Ensure your employees are aware of how to prevent a data breach with our Data Protection and Preventing a Data Breach eLearning courses. For added online security, we can also provide an off-the-shelf cyber-security bundle of courses, which includes full and short-course training to ensure your employees have a full awareness of cyber-security policies and best practices.

In a case of records management gone terribly wrong, more than 700,000 letters to NHS patients were discovered to have been piled up in a warehouse and left or disposed of by the bag-full.

The letters contained clinical correspondence that required re-directing because patients had moved GP surgery or changed home address. Instead, however, the letters – some of which contained cancer diagnoses, treatment plans and blood test results – were left unprocessed for up to five years, between 2011 and 2016.

The National Audit Office (NAO) discovered that more than 1,700 patients could have been harmed as a direct result of the shocking oversight; these are patients who might have missed important appointments, treatments, and tests. Additionally, 200,000 records are still to be reviewed by GPs to determine if there was a potential for harm to have happened to the patients involved.

Reports suggest that the issue first surfaced back in 2011, when NHS Shared Business Services (NHS SBS) were tasked to re-deliver a backlog of clinical records, around 8,000 pieces, but were soon overwhelmed when, by 2014, this number had reached 205,000. In June of the same year, a review conducted by NHS SBS put this figure at over 300,000 and highlighted the clinical risk to patients who were not receiving their medical letters. No action was taken by senior management to rectify the problem at this time.

By August 2014 bosses were warned that the letters were being destroyed, but it wasn’t until December 2015 that staff began to properly investigate what the letters contained and discovered the clinically urgent subject matter enclosed within so many.

After a thorough investigation into NHS SBS, the NAO found the following data-handling errors:

  • NHS SBS had become aware of a risk to patients in January 2014, but senior managers did not develop a plan to deal with it or tell the government or NHS England for another two years.
  • A label with “clinical notes” written on it had been removed from the room where the files were stored.
  • In August 2015, a member of staff raised concerns that the records were being destroyed, but nothing was done.
  • NHS SBS finally told NHS England and the Department of Health of the problem in March 2016, but neither Parliament nor the public were told.
  • The episode suggested there had been a conflict of interest between the health secretary’s responsibility for the health service and his department’s position as a shareholder in NHS SBS.
  • NHS England said the company had been “obstructive and unhelpful” when it had tried to investigate the issue.

As the investigation continues, organisations are left wondering whether they have provided adequate data handling and records management training to their own staff. With good records management training, employees will learn how to comply with the law when it comes to handling and storing data and, in doing so, mitigate the risk of data breaches and reputational damage to their company. VinciWorks offer both UK-based and global records management eLearning courses, alongside a bundle of online data protection training specially designed to build confidence and develop data-handling skills.

The Information Commissioner’s Office (ICO) delivered a wake-up call of some magnitude recently when it announced a £60,000 fine for Berkshire-based SME, Boomerang Video (an online store which rents video games out).

The company’s website was found to have insufficient cyber-security measures in place, which resulted in the personal data of over 26,000 customers being accessed (e.g. credit card numbers, phone numbers, and home addresses) via a type of cyber-attack known as ‘SQL injection’.

SQL injection is only possible where there is already a security vulnerability (e.g. unencrypted data or insecure decryption keys) and works by allowing cyber-attackers to copy identities, change or destroy existing data, and completely take over the administration of the database server (amongst many other malicious activities). In other words, it is because the company failed to take adequate steps to protect their customers’ personal data that their fine was so severe.
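SQL injection itself is a flaw in how a website builds database queries from user input: when text typed into a form is pasted straight into the SQL, a quote character in that text ends the intended string and the rest is executed as SQL. The unencrypted data and exposed decryption key the ICO cited decide how much an injection can expose, not whether it is possible. The example below is added for this article and is not VinciWorks code or anything from the Boomerang Video site; it uses an in-memory SQLite table with constructed rows to show the vulnerable query next to the parameterised one that fixes it.

```python
import sqlite3


def make_sample_db():
    """In-memory table with constructed sample rows (not real customer data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # VULNERABLE: the input is pasted into the SQL text, so a quote in the
    # input closes the string literal and whatever follows is parsed as SQL.
    query = "SELECT email, card_last4 FROM customers WHERE email = '%s'" % email
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    # FIXED: a parameterised query sends the input as a bound value. The
    # database compares it as data; it can never change the query's structure.
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def demo():
    """Run both versions against a normal input and a hostile one."""
    conn = make_sample_db()
    normal = "alice@example.com"
    # The textbook injection string: the quote ends the literal and the
    # OR clause makes the WHERE condition true for every row.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_safe(conn, normal),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-19s %s" % (name, rows))
```

Against the hostile input the concatenated query returns every customer record, while the parameterised query returns nothing, because no customer's email address literally equals that string. Binding parameters is the fix; input filtering on its own is not, since an attacker controls the input and the filter has to anticipate every encoding.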

Sally Anne Poole, ICO enforcement manager, said:

“For no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening.

I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”

The ICO is the independent regulatory office responsible for upholding information rights in the public interest. The office deals with the Data Protection Act (1998), the Freedom of Information Act (2000), and the Privacy and Electronic Communications Regulations (2003). By May 18th 2018 the office will also be responsible for enforcing the EU-wide General Data Protection Regulation (GDPR), which directs that fines of between 2% and 4% of annual turnover are issued for breaches of data protection guidelines. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

The ICO’s investigation into Boomerang Video found the following security breaches:

  • Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors
  • The firm failed to ensure the password for the account on the WordPress section of its website was sufficiently complex
  • Boomerang Video had some information stored unencrypted and that which was encrypted could be accessed because it failed to keep the decryption key secure
  • Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary

Is your organisation’s confidential business data secure? Ensure your employees are aware of how to prevent a data breach with our Data Protection and Preventing a Data Breach eLearning courses. For added online security, we can also provide an off-the-shelf cyber security bundle of courses, which includes full and short-course training to ensure your employees, and your organisation, are safe and secure.

What are the biggest threats to your digital security? The tenth annual Data Breach Investigations Report from Verizon offers an overview of the current IT security landscape, including emerging threats and the most common causes of data breaches. While the report covers some new ground, one of the most startling aspects of the research is how many known threats continue to cause problems for organisations of all sizes.

And that brings us neatly to one of the report’s key findings: you don’t have to be a global conglomerate to attract the interest of cybercriminals. Many small organisations are attractive to hackers because they are less likely to have strong defences and up-to-date systems. Small companies might be more vulnerable to phishing – especially if the people in customer-facing roles have not been trained to recognise and avoid phishing efforts. Being aware of phishing is not always sufficient to resist these probes; cybercriminals are constantly evolving and are incredibly creative when it comes to producing emails that look and feel legitimate.

Many of the old threats are still causing problems. Weak passwords are a common point of entry. Organisations are still guilty of using the default passwords that come with new products and applications, and which are widely circulated online.

Initial security breaches, whether caused by phishing, weak passwords or unpatched software, are often followed up with an installation of malware. This creates a permanent backdoor that cybercriminals can then exploit in a number of ways, such as installing other malware, taking over the machine, or using the computer’s processing power to support activities like distributed denial of service (DDoS) attacks or mining crypto-currencies. Having established a backdoor, hackers may seek to extend their reach to other machines in your network. This is often an effective strategy that allows criminals to take control of large numbers of computers after making a single breach.

The type of malware known as ransomware, which involves encrypting your files until a ransom is paid, has shot up the malware charts, and is now the fifth most popular type. An example of ransomware is the WannaCry virus that crippled hundreds of NHS computers recently.

The Verizon report seeks to correct a few misconceptions about cybercriminals. In particular, they remind us that cybercriminals are rarely as sophisticated as we imagine. They may not target specific businesses; they’re more likely to use a scattergun approach to look for weak spots and try to find a backdoor, either by phishing or looking for unpatched software. Most hackers are just trying to make money. They are opportunistic and will happily take data, corporate secrets, marketing lists, contact information, payment details or cash.

One danger for companies with seemingly strong defences is complacency. Your security may have prevented data breaches to date, but is your security evolving as quickly as the hackers?

Verizon point out the importance of training: “Throw your weight behind security awareness training and encourage your teams to report phishy emails.” People will always be the front line when it comes to resisting attacks. Being aware of the risks – and the lengths that cybercriminals will go to – is a first step towards digital security.

Other warning signs to look for are large data transfers. Does your system provide alerts when large transfers occur? Internal threats are still significant. Your organisation must also protect against disgruntled employees armed with a USB drive.
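The question “Does your system provide alerts when large transfers occur?” has a concrete answer: a rule that watches transfer logs for a single oversized copy, for a user's cumulative volume over a short window, and for writes to removable media. The code below is an added example for this article, not VinciWorks code or any product's detection logic. The log format and every line in it are constructed for the example; real inputs would come from a proxy, DLP agent or file-server audit log, and the thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). One user uploads a
# little, one copies several large files to a USB stick after hours, and one
# pushes a very large file to an external address.
SAMPLE_LOG = """\
2017-06-01T09:12:03Z user=jsmith dst=203.0.113.7 bytes=12400 action=upload
2017-06-01T09:15:44Z user=jsmith dst=203.0.113.7 bytes=9800 action=upload
2017-06-01T17:58:10Z user=mjones dst=usb:SanDisk_Ultra bytes=734003200 action=copy
2017-06-01T18:02:31Z user=mjones dst=usb:SanDisk_Ultra bytes=805306368 action=copy
2017-06-01T18:10:05Z user=mjones dst=usb:SanDisk_Ultra bytes=629145600 action=copy
2017-06-01T10:05:00Z user=abrown dst=198.51.100.9 bytes=1200000000 action=upload
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+) action=(?P<action>\S+)$"
)

# Illustrative thresholds; tune them to what is normal for your organisation.
SINGLE_TRANSFER_LIMIT = 500 * 1024 * 1024      # 500 MiB in one transfer
WINDOW_LIMIT = 1536 * 1024 * 1024              # 1.5 GiB per user per window
WINDOW = timedelta(hours=1)


def parse_log(text):
    """Parse the constructed log format into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the format
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "user": m.group("user"),
            "dst": m.group("dst"),
            "bytes": int(m.group("bytes")),
            "action": m.group("action"),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_large_transfers(events, single_limit=SINGLE_TRANSFER_LIMIT,
                           window_limit=WINDOW_LIMIT, window=WINDOW):
    """Return one alert per (rule, user) so a burst of copies does not flood the queue."""
    alerts = []
    seen = set()
    history = defaultdict(list)  # user -> [(timestamp, bytes)] within the window

    def raise_alert(rule, event, amount):
        key = (rule, event["user"])
        if key in seen:
            return
        seen.add(key)
        alerts.append({"rule": rule, "user": event["user"],
                       "dst": event["dst"], "bytes": amount, "at": event["ts"]})

    for e in events:
        hist = history[e["user"]]
        hist.append((e["ts"], e["bytes"]))
        while hist and e["ts"] - hist[0][0] > window:
            hist.pop(0)  # slide the window forward
        total = sum(b for _, b in hist)

        if e["bytes"] >= single_limit:
            raise_alert("single_large_transfer", e, e["bytes"])
        if total >= window_limit:
            raise_alert("volume_over_window", e, total)
        if e["dst"].startswith("usb:"):
            raise_alert("removable_media_write", e, e["bytes"])
    return alerts


if __name__ == "__main__":
    for a in detect_large_transfers(parse_log(SAMPLE_LOG)):
        print("%s %-22s %-8s %s (%d bytes)" % (a["at"], a["rule"], a["user"], a["dst"], a["bytes"]))
```

The sliding window is what catches the insider case: each of the three USB copies is individually unremarkable against a generous per-file limit, but together they cross the volume threshold within twelve minutes. The removable-media rule fires regardless of size, because whether staff may write company data to a USB drive at all is a policy decision rather than a question of volume.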

How does your organisation keep up with changing threats from cybercriminals?

Compliance Week Europe

This conference is designed to help compliance, audit, legal and risk executives understand how they can build and manage their ethics and compliance programmes more effectively.

Topics to be discussed include:

  • GDPR
  • Cyber Fraud
  • AML programmes
  • Whistleblowing
  • Anti-Bribery
  • Collusion
  • Ethics & Compliance
  • Sanctions
  • Supply Chain risk
  • Fraud indicators and red flags

So important that even Her Majesty the Queen focused her attention on it in the 2017 Queen’s Speech, interest in the GDPR legislation shows no signs of slowing down.

The Queen’s speech confirmed that the General Data Protection Regulation (GDPR) will still come into force in the UK on 25th May 2018 and will replace the Data Protection Act, which has governed data handling directives in the UK since 1998. The new GDPR legislation is designed to streamline data handling across the European Union, making it easier for members of the EU to share data safely and also introducing more stringent data protection regulations to suit an increasingly digital age.

So, why would the UK implement EU-wide legislation following the beginning of Brexit negotiations? Firstly, it’s important to understand that the UK was (and still is) a major influence behind the new European legislation, so it’s natural that it would still adopt the GDPR even with Brexit going ahead. Secondly, with UK/EU legislation lining-up following May 2018, the UK will maintain its ability to share data with other members of the EU – for example, police forces and other international authorities. Conserving this ability is imperative in the fight against terrorism and other cross-border crimes.

The GDPR will affect organisations across all industry sectors, and all must ensure they’re up to speed by its implementation next year. Whilst the new legislation will bring with it some welcome consistency for multi-national organisations and employees working across Europe, the legislative burden of new rights for individuals and fines of 2–4% of global annual revenue for breaches are likely to take a toll.

For this reason, it is important that organisations avoid accidental breaches by ensuring that all employees are prepared and understand what they need to do to remain compliant with the GDPR. Human error (undoubtedly in the form of a lack of understanding and knowledge) has proven to be the main cause of data breaches in years past, and supposedly ‘harmless’ mistakes still make up a large percentage of security law violations and consequent fines.

Organisations need to act quickly to ensure they’re not caught out next May and can take advantage of VinciWorks GDPR eLearning courses to ensure they’re up to speed. We offer three GDPR training courses which together form a comprehensive package covering your preparation for the GDPR, what your organisation’s accountability under new GDPR legislation will be, and a microlearning course created to clarify the new legislation’s ‘right to be forgotten’ regulation.

The courses outline the UK’s Key Priorities for the GDPR, which are:

  1. Ensuring data protection rules are suitable for the digital age.
  2. Empowering individuals to have more control over their personal data.
  3. Giving people the right to be forgotten when they no longer want a company to process their data.
  4. Modernising data processing procedures for law enforcement agencies.
  5. Allowing police and the authorities to “continue to exchange information quickly and easily with international partners”.

Failing to prepare for the GDPR could have disastrous consequences for organisations, with punishments for non-compliance including fines of up to €20m or 4% of annual turnover, whichever is greater. It is not just the fine, however, that could be potentially damaging to organisations, but also the reputational damage and adverse publicity that follow.

Our GDPR training will help you to prepare for the GDPR in the correct manner and we will be adding to our portfolio of courses as more details come to light about exactly how the GDPR will affect organisations.