The Cyber Governance Health Check assesses and reports levels of cyber security awareness and preparedness in FTSE 350 companies (i.e., the UK’s 350 largest firms). The report allows these leading organisations to compare how security risks are managed and helps them to identify and address their different vulnerabilities.

According to the latest figures from the Health Check, over half (54%) of FTSE 350 companies list the risk of cyber-attacks as their number one concern (compared with other business threats like economic uncertainty or the unease surrounding Brexit). This figure is up from 29% just three years ago.

It’s likely that the recent spate of ransomware attacks in the UK, and the devastation that followed instances such as the NHS’s WannaCry scare, is the cause of the unrest amongst Britain’s market leaders. Whilst it is positive to see the new priority given to limiting cyber-security risks by these leading organisations, the report also highlights a less optimistic statistic: one in ten organisations currently operate without a response plan for cyber-attacks, and over two-thirds of employees have not received any training on how to handle such an event.

However, as Marco Cova, Senior Security Researcher at Lastline, suggests:

“If one was to find a silver lining, I would say that these ransomware attacks will probably do more to raise the security awareness of vendors and organisations than many security measures have in the past.”

Indeed, faced with the seemingly ever-present threat from cyber-criminals looking to steal data (or else hold it hostage) at the moment, it seems obvious that organisations ought to conduct their due diligence and prepare for the worst. More than this, though, and with new GDPR legislation on the horizon for 2018, companies are now more accountable than ever for keeping their clients’ data safe. This means that investments in technology and thorough cyber-security training that is preventative rather than reactive are imperative. This type of risk-mitigating training could mean the difference between keeping confidential data safe and compliant with GDPR, and having to fire-fight the aftermath (financial, reputational, or otherwise) of a data-breach.

It remains true that the biggest risk to any company’s digital security is its own employees. More often than not, users inadvertently create an entry-point for cyber-criminals to take advantage of – by visiting unauthorised websites, re-using weak passwords, or opening an attachment from an unknown sender, for example. This is why VinciWorks offer a range of information and cyber-security eLearning courses, all specifically designed to reduce the risk of a security breach.

Ensure your employees are aware of how to prevent a data breach with our Data Protection and Preventing a Data Breach eLearning courses. For added online security, we can also provide an off-the-shelf cyber-security bundle of courses, which includes full and short-course training to ensure your employees have a full awareness of cyber-security policies and best practices.

In a case of records management gone terribly wrong, more than 700,000 letters to NHS patients were discovered to have been piled up in a warehouse and left or disposed of by the bag-full.

The letters contained clinical correspondence that required re-directing because patients had moved GP surgeries or changed home address. Instead, however, the letters – some of which contained cancer diagnoses, treatment plans, and blood test results – were left unprocessed for up to five years, between 2011 and 2016.

The National Audit Office (NAO) discovered that more than 1,700 patients could have been harmed as a direct result of the shocking oversight; these are patients who might have missed important appointments, treatments, and tests. Additionally, 200,000 records are still to be reviewed by GPs to determine if there was a potential for harm to have happened to the patients involved.

Reports suggest that the issue first surfaced back in 2011, when NHS Shared Business Services (NHS SBS) were tasked to re-deliver a backlog of clinical records, around 8,000 pieces, but were soon overwhelmed when, by 2014, this number had reached 205,000. In June of the same year, a review conducted by NHS SBS put this figure at over 300,000 and highlighted the clinical risk to patients who were not receiving their medical letters. No action was taken by senior management to rectify the problem at this time.

By August 2014 bosses were warned that the letters were being destroyed, but it wasn’t until December 2015 that staff began to properly investigate what the letters contained and discovered the clinically urgent subject matter enclosed within so many.

After a thorough investigation into NHS SBS, the NAO found the following data-handling errors:

  • NHS SBS had become aware of a risk to patients in January 2014, but senior managers did not develop a plan to deal with it or tell the government or NHS England for another two years.
  • A label with “clinical notes” written on it had been removed from the room where the files were stored.
  • In August 2015, a member of staff raised concerns that the records were being destroyed, but nothing was done.
  • NHS SBS finally told NHS England and the Department of Health of the problem in March 2016, but neither Parliament nor the public were told.
  • The episode suggested there had been a conflict of interest between the health secretary’s responsibility for the health service and his department’s position as a shareholder in NHS SBS.
  • NHS England said the company had been “obstructive and unhelpful” when it had tried to investigate the issue.

As the investigation continues, organisations are left wondering whether they have provided adequate data handling and records management training to their own staff. With good records management training, employees will learn how to comply with the law when it comes to handling and storing data and, in doing so, mitigate the risk of data breaches and reputational damage to their company. VinciWorks offer both UK-based and global records management eLearning courses, alongside a bundle of online data protection training specially designed to build confidence and develop data-handling skills.

The Information Commissioner’s Office (ICO) delivered a wake-up call of some magnitude recently when it announced a £60,000 fine for Berkshire-based SME, Boomerang Video (an online store which rents video games out).

The company’s website was found to have insufficient cyber-security measures in place, which resulted in the personal data of over 26,000 customers being accessed (e.g. credit card numbers, phone numbers, and home addresses) via a type of cyber-attack known as ‘SQL injection’.

SQL injection is only possible where there is already a security vulnerability (e.g. unencrypted data or insecure decryption keys) and works by allowing cyber-attackers to copy identities, change or destroy existing data, and completely take over the administration of the database server (amongst many other malicious activities). In other words, it is because the company failed to take adequate steps to protect their customers’ personal data that their fine was so severe.

Sally Anne Poole, ICO enforcement manager, said:

“For no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening.

I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”

The ICO is the independent regulatory office responsible for upholding information rights in the public interest. The office deals with the Data Protection Act (1998), the Freedom of Information Act (2000), and the Privacy and Electronic Communications Regulations (2003). By May 18th 2018 the office will also be responsible for enforcing the EU-wide General Data Protection Regulation (GDPR), which directs that fines of between 2% and 4% of annual turnover are issued for breaches of data protection guidelines. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

The ICO’s investigation into Boomerang Video found the following security breaches:

  • Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors
  • The firm failed to ensure the password for the account on the WordPress section of its website was sufficiently complex
  • Boomerang Video had some information stored unencrypted and that which was encrypted could be accessed because it failed to keep the decryption key secure
  • Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary
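The ‘SQL injection’ named in the ICO notice works by splicing untrusted input into the text of a database query. The following added example (not code from the ICO notice or from Boomerang Video; the customer rows and table layout are constructed for illustration) contrasts a deliberately vulnerable lookup with the standard mitigation, a parameterised query, which the notice itself does not describe. The same crafted input that returns every row from the vulnerable function returns nothing from the hardened one; this is exactly the kind of defect the regular penetration testing mentioned above is meant to surface.

```python
import sqlite3

# Constructed sample data for this example only; masked card values are invented.
CUSTOMERS = [
    (1, "alice@example.com", "pw-hash-a", "4111********1111"),
    (2, "bob@example.com", "pw-hash-b", "5500********0004"),
    (3, "carol@example.com", "pw-hash-c", "3400********0009"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table that mimics a small online shop's customer records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT, card TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Deliberately vulnerable form: the caller-supplied value is pasted into the SQL
    text, so any quote characters in it change the structure of the query."""
    sql = f"SELECT id, email, card FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, email: str) -> list:
    """Hardened form: the value is bound as a parameter and the database engine never
    interprets any part of it as SQL. Parameterised queries are the standard
    mitigation (an assumption of this example, not a finding quoted from the ICO)."""
    sql = "SELECT id, email, card FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare() -> dict:
    """Run both lookups with an honest value and with a textbook tautology payload,
    returning the row counts so the difference can be checked programmatically."""
    conn = make_db()
    honest = "alice@example.com"
    # Closes the string literal and appends an always-true condition.
    crafted = "' OR '1'='1"
    return {
        "vuln_honest": len(lookup_vulnerable(conn, honest)),
        "vuln_crafted": len(lookup_vulnerable(conn, crafted)),
        "safe_honest": len(lookup_parameterised(conn, honest)),
        "safe_crafted": len(lookup_parameterised(conn, crafted)),
    }


if __name__ == "__main__":
    for name, rows in compare().items():
        print(f"{name}: {rows} row(s)")
```

Every row of the table leaks through the vulnerable function, which is how an attacker reaches card details the application never intended to expose; the parameterised version treats the crafted string as just another e-mail address that matches nobody.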

Is your organisation’s confidential business data secure? Ensure your employees are aware of how to prevent a data breach with our Data Protection and Preventing a Data Breach eLearning courses. For added online security, we can also provide an off-the-shelf cyber-security bundle of courses, which includes full and short-course training to ensure your employees, and your organisation, are safe and secure.

What are the biggest threats to your digital security? The tenth annual Data Breach Investigations Report from Verizon offers an overview of the current IT security landscape, including emerging threats and the most common causes of data breaches. While the report covers some new ground, one of the most startling aspects of the research is how many known threats continue to cause problems for organisations of all sizes.

And that brings us neatly to one of the report’s key findings: you don’t have to be a global conglomerate to attract the interest of cybercriminals. Many small organisations are attractive to hackers because they are less likely to have strong defences and up-to-date systems. Small companies might be more vulnerable to phishing – especially if the people in customer-facing roles have not been trained to recognise and avoid phishing efforts. Being aware of phishing is not always sufficient to resist these probes; cybercriminals are constantly evolving and are incredibly creative when it comes to producing emails that look and feel legitimate.

Many of the old threats are still causing problems. Weak passwords are a common point of entry. Organisations are still guilty of using the default passwords that come with new products and applications, and which are widely circulated online.

Initial security breaches, whether caused by phishing, weak passwords or unpatched software, are often followed up with an installation of malware. This creates a permanent backdoor that cybercriminals can then exploit in a number of ways, such as installing other malware, taking over the machine, or using the computer’s processing power to support activities like distributed denial of service (DDoS) attacks or mining crypto-currencies. Having established a backdoor, hackers may seek to extend their reach to other machines in your network. This is often an effective strategy that allows criminals to take control of large numbers of computers after making a single breach.

The type of malware known as ransomware, which involves encrypting your files until a ransom is paid, has shot up the malware charts, and is now the fifth most popular type. An example of ransomware is the WannaCry virus that crippled hundreds of NHS computers recently.

The Verizon report seeks to correct a few misconceptions about cybercriminals. In particular, they remind us that cybercriminals are rarely as sophisticated as we imagine. They may not target specific businesses; they’re more likely to use a scattergun approach to look for weak spots and try to find a backdoor, either by phishing or looking for unpatched software. Most hackers are just trying to make money. They are opportunistic and will happily take data, corporate secrets, marketing lists, contact information, payment details or cash.

One danger for companies with seemingly strong defences is complacency. Your security may have prevented data breaches to date, but is your security evolving as quickly as the hackers?

Verizon point out the importance of training. “Throw your weight behind security awareness training and encourage your teams to report phishy emails.” People will always be the front line when it comes to resisting attacks. Being aware of the risks – and the lengths that cybercriminals will go – is a first step towards digital security.

Other warning signs to look for are large data transfers. Does your system provide alerts when large transfers occur? Internal threats are still significant. Your organisation must also protect against disgruntled employees armed with a USB drive.

How does your organisation keep up with changing threats from cybercriminals?

Compliance Week Europe

This conference is designed to help compliance, audit, legal and risk executives understand how they can build and manage their ethics and compliance programmes more effectively.

Topics to be discussed include:

  • GDPR
  • Cyber Fraud
  • AML programmes
  • Whistleblowing
  • Anti-Bribery
  • Collusion
  • Ethics & Compliance
  • Sanctions
  • Supply Chain risk
  • Fraud indicators and red flags

So important that even Her Majesty the Queen focused her attention on it in the 2017 Queen’s Speech, interest in the GDPR legislation shows no signs of slowing down.

The Queen’s speech confirmed that the General Data Protection Regulation (GDPR) will still come into force in the UK on 25th May 2018 and will replace the Data Protection Act, which has governed data handling directives in the UK since 1998. The new GDPR legislation is designed to streamline data handling across the European Union, making it easier for members of the EU to share data safely and also introducing more stringent data protection regulations to suit an increasingly digital age.

So, why would the UK implement EU-wide legislation following the beginning of Brexit negotiations? Firstly, it’s important to understand that the UK was (and still is) a major influence behind the new European legislation, so it’s natural that it would still adopt the GDPR even with Brexit going ahead. Secondly, with UK/EU legislation lining-up following May 2018, the UK will maintain its ability to share data with other members of the EU – for example, police forces and other international authorities. Conserving this ability is imperative in the fight against terrorism and other cross-border crimes.

The GDPR will affect organisations across all industry sectors, and all must ensure they’re up to speed by its implementation next year. Whilst the new legislation will bring with it some welcome consistency for multi-national organisations and employees working across Europe, the legislative burden of new rights for individuals and fines of 2 – 4% of global annual revenue for breaches are likely to take a toll.

For this reason, it is important that organisations avoid accidental breaches by ensuring that all employees are prepared and understand what they need to do to remain compliant with the GDPR. Human error (undoubtedly in the form of a lack of understanding and knowledge) has proven to be the main cause of data breaches in years past, and supposedly ‘harmless’ mistakes still make up a large percentage of security law violations and consequent fines.

Organisations need to act quickly to ensure they’re not caught out next May and can take advantage of VinciWorks GDPR eLearning courses to ensure they’re up to speed. We offer three GDPR training courses which together form a comprehensive package covering your preparation for the GDPR, what your organisation’s accountability under new GDPR legislation will be, and a microlearning course created to clarify the new legislation’s ‘right to be forgotten’ regulation.

The courses outline the UK’s Key Priorities for the GDPR, which are:

  1. Ensuring data protection rules are suitable for the digital age.
  2. Empowering individuals to have more control over their personal data.
  3. Giving people the right to be forgotten when they no longer want a company to process their data.
  4. Modernising data processing procedures for law enforcement agencies.
  5. Allowing police and the authorities to “continue to exchange information quickly and easily with international partners”.

Failing to prepare for the GDPR could have disastrous consequences for organisations, with punishments for non-compliance including fines of up to €20m or 4% of annual turnover, whichever is greater. It is not just the fine, however, that could be potentially damaging to organisations, but also the reputational damage suffered and the adverse publicity.

Our GDPR training will help you to prepare for the GDPR in the correct manner and we will be adding to our portfolio of courses as more details come to light about exactly how the GDPR will affect organisations.

It’s boomtime for ransomware and the cybercriminals making easy profits using this virulent strain of malware. The ransomware epidemic will not come as a surprise to the NHS, who recently had thousands of computers frozen by the WannaCry virus.

What can we learn from the spread of ransomware around the world? And what can organisations do to resist the onslaught of attacks?

A ransomware infection often starts with spam. Hackers use social engineering to nudge users into saving attachments or clicking links that look genuine. Emails may appear to be a request from the CEO, a parking fine notification, or a penalty notice from HMRC. Users are often scared into action, believing that something bad will happen if they don’t act quickly. But not all infected computers are the result of user error. In the case of the NHS and WannaCry, hackers exploited a known vulnerability in Microsoft Windows to gain entry into unpatched systems.

A popular exploit kit used by cybercriminals, called Angler, allows for drive-by downloads, in which malware is downloaded automatically when a user visits an infected site. The download happens in the background, without the user’s knowledge. These kinds of technologies are not just the preserve of expert hackers or international criminal gangs; anyone with criminal intent can access ransomware-as-a-service offerings on the underground Tor network, making cyber-crime as easy as setting up a website.

This demonstrates how unsophisticated some hackers are. These are rarely master criminals; they are often just chancers who recognise an opportunity for making easy money. And because web technologies allow ransomware to be deployed and utilised remotely, with money collected using anonymous crypto-currencies like Bitcoin, there is the lure of consequence-free crime. Why risk jail time for the takings in a petrol station when you can work from home and watch your Bitcoin wallet slowly fill? Of course, some of these perpetrators are caught and tried; there is no such thing as the perfect crime.

The ease of use of these tools might be one reason for their proliferation, and may explain why ransomware is on the rise. Security software company Sophos detected thousands of new pages booby-trapped with Angler every day in May 2015. And in their annual security survey, SonicWall reports that ransomware attacks increased by 167x year-on-year and that ransomware was “the payload of choice for malicious email campaigns and exploit kits”.

The rapid rise of ransomware does pose new threats for organisations, but many of the treatments are familiar. Organisations must start with fully patched and up-to-date software and systems. Every uninstalled update is a potential backdoor for an opportunist cyber-crook.

Security systems must also be in place to limit the spread of any infections that take place, and to alert administrators to their existence before they do lasting harm. Backups provide protection against encrypted files and frozen machines. Training is the best way to ensure employees understand the evolving risks. And given the high stakes of IT security, this training should be regularly refreshed so all staff understand the vital role they play in digital defence.

How certain are you that your employees understand the risks posed by their use of the Internet? And do you trust that your employees know how to minimise risks – and what to do when they discover a threat?

We all rely on the Internet and email for marketing, communications and essential business operations – but how often do we step back and assess the risks?

Evolving risks

Hackers and fraudsters are constantly looking for vulnerabilities. Businesses are regularly assailed by financially-motivated agents, as well as state-funded hackers in search of intellectual property and the disruption of commercial activity.

The threat from within

In recent years, organisations have discovered that digital security and processes are not enough to prevent hacks, malware and data loss, because even the most robust systems can be swiftly neutered by an untrained (or disgruntled) employee. This has brought a renewed focus on employee training and the need to defend against internal threats. So, what can your organisation do to help employees use the Internet and email securely?

Assess your technology risks

Before you consider what kind of training your employees require, you must evaluate the potential threats to your business. For example, you might have a database of customer data, precious intellectual property or product designs, vital systems, online resources or costly digital infrastructure. Does your business have any compliance requirements? Are these being met – and protected? Once you have identified the threats, you can devise a strategy for mitigating and managing risks.

Security policy

Does your organisation have an up-to-date security policy? It’s important that your employees read the policy and understand everything it covers, such as:

  • Safe IT usage
  • Acceptable software
  • BYOD – can employees use their own devices?
  • Data protection and sharing
  • Removable media – can employees use USB drives and other media?
  • Password practices
  • Dealing with suspicious emails and content
  • Keeping backups
  • Digital vigilance and reporting

Training is clearly a core component of modern digital security. Your employees represent a significant risk – whether intentional or accidental – and regular training is the best way to ensure that every individual recognises the threats and their role in preventing a security breach. Training should be mandatory and regularly refreshed to cope with the changing nature of digital security. Employee training programmes should form the core of a comprehensive security setup.

Identity theft is fast becoming the dominant area of fraud in the UK: new figures from UK fraud prevention service CIFAS report that identity fraud has risen by 25 percent over the last few years.

Commenting on the findings, CIFAS Chief Executive Simon Dukes said: “What these figures show is that identity fraud continues to be the most serious fraud threat and that the first quarter of the year has been a very profitable one for organised identity theft criminals. Our data is just the tip of the iceberg – more needs to be done to identify the true scale of fraud in the UK and educate individuals about the dangers and the steps that can be taken to protect themselves.”

A primary cause of this wave of identity fraud is the plethora of data stored and shared online since the advent of the digital age. In the first quarter of 2015, over 80% of identity fraud was attempted or perpetrated online. “The increase in fraud, and in particular identity theft, comes as no surprise as we continue to become reliant on the digital world,” said Alan Batey, digital forensic consultant, Security Risk Management Ltd.

Are you worthy of your consumers’ trust?

For businesses entrusted with consumers’ personal data, maintaining strong lines of defence against identity fraud has never been more critical. Protecting private data is a key component of the trust between consumer and business, and once lost, that trust can be extremely difficult to regain. In the last few months, almost half a million customers have abandoned TalkTalk since their highly publicised data breach late last year.

Further, small businesses may be most at risk. “In a large business there is typically a well-defined set of people who have responsibility for security of computers and information assets. In small to medium businesses, that activity is not as clearly well defined,” says Lawrence R. Rogers, a senior member of the technical staff at the CERT Program of the Software Engineering Institute, part of Carnegie Mellon University.

Creating and maintaining a secure online environment is of utmost importance for any business. Clear guidelines for online behaviour and regular staff training are essential to prevent the sort of simple mistakes that can lead to catastrophe. Data encryption or new technology such as biometrics could also prove vital. The sooner a potential data breach is spotted, the less damage it is likely to do, so ensure that staff are alert to any warning signs of attack or data breaches.

How can VinciWorks help?

VinciWorks can help you prevent data breaches by training staff in data protection best practice. As well as detailed courses covering data protection and information security, we provide microlearning modules and immersive, behaviour-focused courses to ensure training transfers to the workplace. Best of all, our Compliance Essentials Suite includes all of these resources and more so you can tailor your training approach to your organisation. Contact us now to take a look.

When annual refresher training time rolls around, you probably take it for granted that you’ll be hearing some of these common complaints:

  • “We’re too busy to complete mandatory training”
  • “The courses are too long and boring”
  • “We already know this information”
  • “It’s just a box ticking exercise to cover the company legally”

If any of these sound familiar, VinciWorks has the solution: Take 5 microlearning modules.

Our Take 5 modules are highly focused 5-minute bursts of learning built around behaviours that meet mandatory training requirements without taking up learners’ time, or re-treading material they’re familiar with.

Take 5s pack a lot of punch despite their small size. Each course features explanatory videos, audio narration throughout, and high levels of interaction.

Want to find out more? We have seven new Take 5 modules available now:

Money Laundering Challenge – do your employees know the lengths people will go to make laundered money look legitimate? In this challenge, learners discover how Frank the Fraudster laundered his cash, and must confiscate the laundered money by answering questions correctly.

Gifts and Hospitality Challenge – do your employees know what gifts are acceptable and what could be seen as bribery? Learners follow the story as a potential supplier offers an employee corporate seats at a football match – but can they make the right choices and keep hold of their integrity handshakes?

Setting a Secure Password – do your employees know how to set a secure password? This module shows learners how to set a strong password, keep it secure, and keep hackers at bay.

Is Your Information Secure? – your workplace contains more information security risks than your employees might realise. In this challenge, learners must collect all 8 information security shields by successfully tracking down the risks in a virtual workplace.

Don’t Get Burnt – would your employees know how to get to safety in the event of a fire? In this challenge, learners evacuate a building that’s on fire, but must make the right decisions along the way to make it out with all of their safety tokens.

Working with Dual Screens – there are numerous benefits to using more than one monitor, but failing to set them up correctly increases risk of injury. Once completed, learners will know how to set screens to the same resolution and set up differently sized screens for safe dual screen working.

Fire – Can You Handle It? – would your employees know which type of extinguisher to use if they had to fight a fire? In this challenge, learners need to choose the right extinguisher to put out all four different types of fire.

The above Take 5 modules are available now as part of Compliance Essentials and Health and Safety Essentials. Get in touch today to arrange a demo.