Become a Password Pro – Tips to ensure you are secure.

No matter how frustrating they can be, a password is a key to our digital lives. From bank accounts to emails, cloud services to apps, our digital footprints are growing daily. With the increase in remote and hybrid working practices, the need for passwords has never been greater. They are the first line of defence against cyber criminals.

With this growing requirement for password creation comes an increased threat of cyber-attacks. In 2020 alone, 37 billion records were compromised, the largest number since 2005.

Most people choose passwords that are too easy to guess and use them repeatedly. Whatever your business size, unwarranted access to connected devices and systems can be devastating. From brute force attacks to manual guessing, cyber-crime methods range from the most elaborate to the most straightforward.

According to Kaspersky, robust password policies reduce the risk of cyberattacks to businesses by up to 60%.

What is a secure password?

The weakest, and therefore most predictable, passwords include names, pet names, dates of birth and the like. Common keyboard runs such as ‘qwerty’ and number sequences like ‘123456’ are just as predictable.

Whilst it may seem obvious, the top 5 passwords of 2020 demonstrate how common selections like this are:

Position | Password | Number of users | Time to crack it | Times exposed
1 | 123456 | 2,543,285 | Less than a second | 23,597,311
2 | 123456789 | 961,435 | Less than a second | 7,870,694
3 | picture1 | 371,612 | 3 hours | 11,190
4 | password | 360,467 | Less than a second | 3,759,315
5 | 12345678 | 322,187 | Less than a second | 2,944,615

Most modern software has systems in place to measure password strength, and many can also recommend how to strengthen a password. Unfortunately, these checks are easily circumvented by techniques well known to cyber-criminals.

Improve password strength with our simple guidelines.

1. Don’t use personal information.

Predictable passwords contain easy-to-guess dates, family names and pet names. Be aware that cyber criminals go to extremes: one technique is to scroll back through years of a target’s social media posts, harvesting details such as their children’s names that can then be used to guess passwords.

2. Use a unique password for each account.

According to Forbes.com, 60% of us regularly reuse passwords across multiple sites. In addition to this, they also reported that 13% use the same password across all their accounts and devices. By choosing to use the same password, understandably, the risk becomes much greater. Information used to steal an identity or commit fraud, such as bank details, is often obtained by guessing just one password.

3. Create a long & complex password – that’s memorable too.

Although they may be harder to remember in the first place, long and complex passwords are great for stopping cyber criminals in their tracks. However, stringing together multiple pieces of personal information is not enough.

Likewise, replacing letters in a single word with numbers, for example ‘Pa55word!’, does not create a more secure password. Such substitutions are still very easy for cyber-criminals to guess.

According to the NCSC, three well-chosen random words can be both memorable and secure. While not as easy to guess, this option offers a good compromise between protection and usability. Including a special character or two adds an extra layer of security.

Some sites allow you to randomly autogenerate such long passwords when setting up your logins, or you can even use an app to generate these.
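As an added example (not code from the original article), the following Python script shows why a substitution like ‘Pa55word!’ fails the checks that cracking tools routinely apply, and what the NCSC three-random-word approach looks like when generated from a cryptographic random source. The blocklist, the word list and the 12-character minimum are constructed assumptions for the demonstration, not NCSC figures.

```python
import math
import secrets
import string

# Constructed blocklist standing in for a real breached-password list (the
# entries mirror the top-five table above plus one keyboard run).
COMMON_PASSWORDS = {"123456", "123456789", "picture1", "password",
                    "12345678", "qwerty"}

# Letter-for-symbol substitutions that cracking tools undo before matching
# a candidate against a dictionary.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Assumed policy minimum for this example only.
MIN_LENGTH = 12


def normalise(candidate: str) -> str:
    """Reduce a password to the dictionary word it was built from.

    'Pa55word!' -> 'Pa55word' (trailing punctuation/digits dropped)
               -> 'password' (substitutions undone, lower-cased)
    """
    core = candidate.strip(string.punctuation + string.digits)
    return core.translate(LEET_MAP).lower()


def weakness_reasons(candidate: str) -> list:
    """Return the reasons a candidate would be rejected; empty means it passes."""
    reasons = []
    if candidate.lower() in COMMON_PASSWORDS:
        reasons.append("appears verbatim in the common-password list")
    elif normalise(candidate) in COMMON_PASSWORDS:
        reasons.append("is a common word with predictable substitutions")
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"is shorter than {MIN_LENGTH} characters")
    return reasons


def is_weak(candidate: str) -> bool:
    return bool(weakness_reasons(candidate))


# Constructed word list. A real generator draws from thousands of words, and
# that list size is what gives the passphrase its strength.
WORDS = ["anchor", "biscuit", "canyon", "dragon", "ember", "falcon",
         "glacier", "harbour", "island", "jigsaw", "kettle", "lantern",
         "meadow", "nectar", "orbit", "pebble"]


def three_random_words(words=WORDS, count=3, separator="-", suffix="!"):
    """Build an NCSC-style passphrase: random words joined, plus a special char."""
    # secrets rather than random: the choice must be unpredictable to an attacker.
    chosen = [secrets.choice(words) for _ in range(count)]
    return separator.join(chosen) + suffix


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of `word_count` independent uniform picks from `list_size` words."""
    return word_count * math.log2(list_size)


if __name__ == "__main__":
    for pw in ("Pa55word!", "P@$$w0rd", "123456", three_random_words()):
        verdict = weakness_reasons(pw) or ["passes these checks"]
        print(f"{pw!r}: {'; '.join(verdict)}")
    # Three words from a 7,776-word list (a common diceware list size) give
    # roughly 38.8 bits; from this tiny 16-word demo list only 12 bits.
    print(f"{passphrase_entropy_bits(3, 7776):.1f} bits vs "
          f"{passphrase_entropy_bits(3, len(WORDS)):.1f} bits")
```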

4. Use Two-Factor Authentication (2FA)

Last but not least – two-factor authentication, also known as 2FA, adds an additional layer of security to all your accounts. The process requires users to sign in using two separate passwords or codes. Most commonly, a secondary code is sent to your mobile phone number or taken from an authenticator app. Although these are the most popular methods, there are a number of other 2FA options available.

Current advice is to always set up 2FA for important accounts. If it is not available, it may even be worth considering changing your service provider to one that offers it as standard.

Protect and prioritise your passwords.

With dozens, or even hundreds, of passwords to remember, writing them in a notebook is no longer a viable option. Hence the growing demand for password managers.

Using a vault-style system to securely store credentials, password managers allow users to create and keep track of secure passwords without having to memorise them all. 2FA should always be enabled on any password manager, as this protects the vault itself.

The security of every password is of course important. However, it is worth noting that accounts with privileged access to data are particularly attractive to attackers. Imposing additional password complexity for such systems is important, as it helps increase protection.

Implement your technical defences.

Juggling vast numbers of unique and complicated passwords may seem like hard work, and it can be. But with a solid understanding of what makes them secure and the right tools in place to organise them, you’ll find peace of mind and stress-free online experiences.

If you need more information about how SupPortal can help with your online safety, please contact us today.

Social Engineering in Real Life

Social engineering attacks refer to the attempt to manipulate targeted individuals into providing confidential information online. These attacks fool victims by using techniques to conceal the true identity of the hacker, presenting them instead as a trustworthy individual or organisation.

How common is social engineering in real life?

According to a study conducted in 2018, 17% of targeted individuals fell victim to social engineering attacks. These attacks can place a company’s entire network at serious risk. The most recognised form of social engineering is phishing, where attackers exploit individuals by sending infected emails with links or attachments that lead to malicious websites.

What are the effects of social engineering?

Any cybersecurity attack can have a catastrophic impact on a business, no matter its size. Therefore, ensuring your team is prepared to deal with these seemingly trustworthy messages is vital. Some effects of an attack include:

Financial implications: Most of the time, attackers are after the cash. This technique is often used to fool employees into paying money into fake accounts on behalf of their company. This could be a criminal falsely posing as a legitimate supplier requesting payment. This is especially effective where finance teams do not work closely with purchasing and are less likely to spot a seemingly accurate invoice for something that has never actually been ordered.

Damage to business reputation: Cybersecurity attacks are also dangerous because of the risk to the integrity of both business and customer information. Customers feel safest when those they share their data with incorporate data protection conformance very clearly into their processes.

Halt to business productivity: Social engineering attacks rely on gaining a certain amount of trust over a period to successfully manipulate an individual into handing out confidential information. This often results in a significant amount of lost time. Both the scam itself and resulting recovery operations can be extremely time consuming, not to mention costly.

Real Life Social Engineering Examples

Unfortunately, social engineering attacks such as phishing, baiting and scareware are common because of their realistic appearances online. We all think we won’t fall victim to these scams, right? In reality, social engineering attacks are extremely believable and so many people are easily fooled into freely handing out information or clicking that link.

Here are some examples of real-world stories that might help convince you of the severity of these attacks:

1. The 100-million-dollar Google and Facebook Phishing scam:

One of the biggest social engineering attacks of all time was conducted by a Lithuanian national who went up against both Facebook and Google. The attacker’s team set up a fake company that posed as a computer manufacturer working with the two companies.

Next, emails were sent to employees, invoicing them for goods and services that another supplier had provided. The group then directed this cash to fraudulent accounts.

2. The SharePoint phishing fraud that targeted remote workers

This very recent phishing attack saw attackers use cloud-based software to request signatures on a document apparently hosted on Microsoft SharePoint. The email contained the malicious link, which employees believed to be legitimate because of its appearance. Such criminals are extremely sophisticated in the way they present malicious links, which is why so many people fell victim to this attack.

3. The White House Hack

The White House itself fell prey to an attack last year – although the intent was more mischief than malice. Many have tried to access the networks within the White House in the past. On this occasion they were successful. Posing as Jared Kushner, a key member of former President Donald Trump’s team, the UK-based individual was able to secure the private email address of the administration’s cybersecurity chief. If the most powerful office in the world can be breached, it just goes to show that just about any organisation is vulnerable.

The time and dedication put into conducting social engineering attacks makes these scams much more realistic and dangerous for anyone who finds themselves a target.

If you want to start taking the right precautions to protect your business from unwanted attacks, then get in touch with us today or find out more here.

Cyber Crime Risks: The Social Media Edition

Social media cyber crime

Use of social media is popular in both our personal and work lives, and this doesn’t look to be changing anytime soon. In fact, it’s a given for businesses nowadays. Most organisations use social media as a tool to help promote their business and engage with customers as a key part of their marketing strategy. However, many underestimate the cyber security risks they could be exposed to.

Between September 2019 and September 2020, email and social media accounted for 53% of attacks in the UK, which shows why it’s important to have an awareness of the potential risks of the use of social media for both the businesses and your staff. Making sure every member of your team is aware in the first place is a great way to start protecting your business. This article explores a few things to be particularly wary of when it comes to social media and cyber crime.

Potential Cyber Crime Risks

Unsecure Mobile Devices

The most common platform on which to access social media is a mobile device. This ease of access means it is important to make sure access control is robust. Secure your phone with a personal password (at least eight characters long, according to NCSC guidelines), a PIN code or fingerprint ID.

Unused Social Media Accounts

Deleting unused or unwanted accounts and apps will also help to protect you and your business from hackers, as does keeping track of all activity across active accounts. This ensures you can spot more quickly if hackers are posting counterfeit messages from your account.

Malware

Malware can be hidden in many guises, from seemingly innocent links sent via direct message to malicious apps on the app store. Its main goal is often to steal important personal information from your accounts to exploit. Be wary of which links you click, especially those that are unsolicited. Installing anti-virus software is an easy way to combat intrusive and exploitative malware.

Imposter Accounts/Scams

Deciding whether an account is real or not can be challenging. In 2020, Facebook blocked 1.3 billion fake accounts. Be sure to report or block any suspicious accounts and only add people you already know directly. A suspicious account may have very little information attached to it and limited activity history. Other indicators are small numbers of friends and only one or even no profile picture.

Sensitive Data

Be careful when sharing information or posting pictures from your workplace. It’s easy to overshare, and this information may negatively impact your business or your employees. Be respectful when posting pictures of vulnerable employees and don’t share any unnecessary information. Hackers use clever tactics to monitor your social media and can even guess what your passwords may be. Authentication questions with a personal element, such as a pet’s name, often give enough clues for them to join the dots. Often the criminals can easily obtain this data from your social media posts themselves or from information visible in the background. A tactic to look out for is questions within ‘memes’. Answering these questions (e.g. your new name is your pet’s name + your mother’s maiden name) could hand personal information straight to cybercriminals.

Personal Information

For small businesses, sharing personal information often helps customers to get to know the business better. However, as mentioned above, it is easy to overshare and put your employees in danger. Make sure you have the permission of employees before posting anything regarding their personal lives. From a security aspect, sharing personal information makes it easier for criminals to break into accounts, as they can use this data to guess passwords and gain access. For example, a milestone birthday tells the whole internet that individual’s precise date of birth.

Privacy Settings

Checking the privacy settings on your social profiles is a swift way to protect your information from data breaches. Double check who can see which posts and which elements of your profile. In fact, it is worth keeping your profile private, with only friends able to view what you are up to. Who can add you? Anyone? Or only friends of friends?

Third Party Quizzes

Links to quizzes often require you to enable unlimited access to your personal information. So, while it may be tempting to find out what character from Friends you are, don’t. It may come at the cost of your own private data.

Four MORE Ways to Stay Safe

There are even more ways to manage your accounts and combat the threats mentioned above. These are as follows…

Social Media Approval

Using both a social media plan for your business marketing, and an approval system will help to stop the wrong posts being shared. Make sure you have the opportunity to review both the text and any accompanying images that may contain personal or sensitive information, especially in the background. If you spot someone’s password on a post-it note stuck to their monitor, there may well be another conversation to be had…

Training Employees

Making employees aware of the risks through mandatory training on media literacy and security is a great idea to reduce human error and increase overall safety on social media. In fact, many schools are considering making digital media literacy a compulsory part of their curriculum in the near future.

Social Media Policies

Although they can seem tedious and time consuming, policies are there to protect you and your business from harm. A detailed social media policy will ensure the accuracy and suitability of shared content, as well as governing the use of personal devices.

Limiting Access

Ensure only the necessary individuals have access to company social media profiles. Fewer people with knowledge of those valuable passwords decreases the likelihood of leaks and also means you’ll know who’s responsible if there are any issues.

Beware the DM

Although being able to message privately via social media has many benefits, it is important to be careful about what information is sent. Be aware that such methods of communication won’t have the same level of security as an email.

Use 2FA/MFA to Protect Online Accounts

2FA, also known as two-factor authentication, helps to protect online accounts by combining something you have, something you know or something you are. Many software providers now offer this technique as an additional layer of protection in case password databases are compromised. Users are required to log in with two different methods of authentication. This could be a password followed by a code sent via SMS or email, or generated by an authenticator app such as those created by Google or Microsoft. MFA (multi-factor authentication), as the name suggests, uses multiple methods to help identify a genuine user. With 2FA/MFA, it is more difficult for malicious actors to gather all the information they need to gain access.

Social media use is now a necessary part of working and personal life. However, using these platforms does not need to open your business and employees to dangerous threats. Follow the tips above to ensure you and your business have the protection you deserve.

If you would like more advice on protecting your business from security threats, get in touch with SupPortal today.

Is your business under attack from ransomware?

The use of technological devices has increased on a global scale. As a result, one of the fastest growing online crimes, ransomware, has become a large threat to businesses and their data. After locking you out of your systems, a hacker will proceed to hold your data for ransom before allowing access once again.

In the event of a data leak, you may lose your data. But you could also lose your client base and reputation as well. Businesses need to ensure they can identify the signs that indicate they are under a ransomware attack. This is vital to protect your business and safeguard your data.

If you can stop an attack early on, you have more chances of recovering data more quickly and limiting the damage. Is your business under attack?

Here are some signs you should look out for:

Look for unexpected software 

One method used by hackers is taking control of your system through certain software tools. Software auditing tools, such as Qualys, can give you an up-to-date inventory of the software you have installed. You can then compare this against your approved list of applications to quickly see if anything has been added without your approval.

Whether malicious software takes control of a PC directly or steals passwords and login credentials, using a network scanner is imperative. This helps to identify exactly who and what is running the unexpected software.

Identifying whether cybercriminals are attempting to infiltrate your network early on may prevent the ransomware attack from happening. This will limit the harm to your business and its data. Contact your IT support partner if you notice software present that your IT provider hasn’t installed. This could be a sign of a bigger problem. Having awareness of what should be installed versus what shouldn’t be will go a long way.

Most ransomware is run as a script that executes in memory, so you wouldn’t find it listed among your installed programmes. More recent large attacks have focused on companies such as IT providers, SolarWinds and Kaseya for example. These provide legitimate monitoring tools that sit on end users’ machines to help monitor and manage them. These installed agents were compromised, allowing thousands of machines to fall victim to ransomware.

Suspicious emails 

Ransomware attacks often begin with a phishing campaign. This is when a legitimate-looking email is sent to your business. Although they do not look suspicious, they have been embedded with malicious links or attachments. It is best practice to stay informed about the different phishing techniques currently in use to reduce the risk of falling victim to the crime.

These emails tend to carry a sense of urgency. They may encourage the reader to forgo the usual safety checks, or appear to come from a colleague who needs help. This is what makes them so dangerous: they prey on human traits such as compassion and greed.

You may wish to undertake security awareness training and simulated phishing to gain even more knowledge on the topic. SupPortal can offer suitable training to help with this. This will help you spot the signs of ransomware immediately. One of the best things you can do is think before you click! Clicking on random links that appear in junk emails can easily be avoided. Take a moment to look properly at the email and who it has come from. Then apply what you know about phishing to avoid falling into the trap, and take the appropriate steps to get rid of the email.

Use firewalls

Monitoring incoming and outgoing network traffic will also significantly reduce the risk of being hacked. Firewalls monitor and filter this traffic and act as a barrier between your computer and outside intruders. There are two kinds: a desktop firewall, which is a type of software, and a network firewall, which is a separate hardware device. Using both drastically reduces the odds of hackers and phishers infiltrating your business’s important data.

Verify a site’s security 

When disclosure of sensitive financial information is necessary and you are feeling a little wary as to whether you are amid a ransomware attack, make sure you confirm the site’s URL. It should begin with ‘https’ and you should see a closed lock icon near the address bar to show the site has an SSL certificate. If you receive a message claiming the website may contain malicious files, do not proceed!

The web browser’s ‘SmartScreen’ filter can also help to highlight dangerous sites. Be extremely thorough when checking the validity of a website and don’t submit your financial information straight away. Being cautious and aware of suspicious content within an email or a site will help you take a step back from the situation and identify any malicious activity straight away.

Using a safe DNS provider, such as OpenDNS powered by Cisco Umbrella, can keep you away from malicious sites. Ensure you have anti-malware software actively scanning webpages as you browse them.

Have you noticed any open RDP links?

RDP (remote desktop protocol) is one of the ways cyber criminals can gain access into your network. With remote working on the rise, this can become a very real threat for businesses. Avoid using RDP to directly connect your business machines over the internet. You should only use RDP in combination with a VPN (virtual private network). Should you use them, your IT service provider can ensure your RDP links are closed off by scanning regularly.

Who are your administrators?

Your administrators have the authority and power to authorise applications for download to your network. Keep an eye on what your administrators have changed as cyber criminals can disguise themselves and download apps without you even realising. It is important to note that these tools can also be used by an IT service provider. So, keep up to date with your administrators, and if you’re ever unsure of unfamiliar software, just ask!

It is also important that logins or passwords are not shared, especially for admin accounts. This makes it easier to pinpoint any potential breaches connected to individual logins. Maintain a list of who has admin access and regularly check this against the system. This will ensure you can identify any accounts that have been added. This is part of the guidance given to those undertaking Cyber Essentials certification.
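The two checks described above, comparing an installed-software inventory against your approved list and comparing the accounts that actually hold admin rights against your maintained list, can be done with a short script. The following is an added example written for this article, not a SupPortal or Qualys tool; the inventory, approved list and account names are constructed sample data, and the tool name ‘RemoteHelper Agent’ is a made-up placeholder.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for a software inventory export and for
# the output of a local-administrators query. Names and versions are made up.
APPROVED_SOFTWARE = {
    "Microsoft 365 Apps": "16.0.14326",
    "Google Chrome": "96.0.4664",
    "7-Zip": "21.07",
    "Endpoint Agent": "4.2.0",
}
OBSERVED_SOFTWARE = {
    "microsoft 365 apps": "16.0.14326",
    "Google  Chrome": "95.0.4638",       # behind the approved version
    "7-Zip": "21.07",
    "RemoteHelper Agent": "1.0.3",       # placeholder name: not on the approved list
}
APPROVED_ADMINS = {"alice.admin", "bob.admin"}
OBSERVED_ADMINS = {"Alice.Admin", "bob.admin", "svc-backup"}


def normalise_name(name: str) -> str:
    """Inventory tools vary case and spacing; compare on a canonical form."""
    return " ".join(name.lower().split())


@dataclass
class SoftwareDrift:
    unapproved: dict = field(default_factory=dict)        # name -> observed version
    version_mismatch: dict = field(default_factory=dict)  # name -> (observed, approved)
    missing: list = field(default_factory=list)           # approved but not installed

    def is_clean(self) -> bool:
        return not (self.unapproved or self.version_mismatch or self.missing)


def compare_software(observed: dict, approved: dict) -> SoftwareDrift:
    """Compare an inventory snapshot against the approved list.

    Any version difference is reported, so both an out-of-date package and an
    unapproved upgrade surface for review. Approved software that has vanished
    (a disabled security agent, for instance) is reported as missing.
    """
    obs = {normalise_name(n): v for n, v in observed.items()}
    app = {normalise_name(n): v for n, v in approved.items()}
    drift = SoftwareDrift()
    for name, version in obs.items():
        if name not in app:
            drift.unapproved[name] = version
        elif version != app[name]:
            drift.version_mismatch[name] = (version, app[name])
    drift.missing = sorted(n for n in app if n not in obs)
    return drift


def compare_admins(observed: set, approved: set) -> tuple:
    """Return (unexpected admins, approved admins no longer present)."""
    obs = {normalise_name(u) for u in observed}
    app = {normalise_name(u) for u in approved}
    return obs - app, app - obs


def report(drift: SoftwareDrift, unexpected: set, missing_admins: set) -> list:
    """Human-readable findings, one per line, to hand to your IT support partner."""
    lines = []
    for name, version in sorted(drift.unapproved.items()):
        lines.append(f"UNAPPROVED SOFTWARE: {name} {version}")
    for name, (seen, want) in sorted(drift.version_mismatch.items()):
        lines.append(f"VERSION DRIFT: {name} is {seen}, approved {want}")
    for name in drift.missing:
        lines.append(f"MISSING: {name} approved but not installed")
    for user in sorted(unexpected):
        lines.append(f"UNEXPECTED ADMIN: {user}")
    for user in sorted(missing_admins):
        lines.append(f"ADMIN REMOVED: {user}")
    return lines


if __name__ == "__main__":
    drift = compare_software(OBSERVED_SOFTWARE, APPROVED_SOFTWARE)
    unexpected, gone = compare_admins(OBSERVED_ADMINS, APPROVED_ADMINS)
    print("\n".join(report(drift, unexpected, gone)) or "no drift found")
```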

Has anything been disabled?

It can be hard to identify whether your systems have been disabled if you don’t know what to look out for. By completing cybercrime training, users will be more aware of what to look out for in the event of a ransomware attack, and what to do next.

Nobody wants to fall victim to a ransomware attack, especially when they own a business that handles both important and sensitive data. Not every malicious attack has to become a cautionary tale, so follow these crucial tips today and protect your business from harm. If you need further advice about how to protect your business from cybercrime, get in touch with SupPortal today.

Remote Working & Cyber Security – What do I need to know?

“It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.” – Stephane Nappo

Due to the COVID-19 pandemic, remote working in the UK has increased significantly. According to the ONS, in April 2020 nearly 50% of those in UK employment worked from home.

Although many are now returning to the workplace, many are choosing to adopt a ‘hybrid’ working rota, combining working from home and the office.

It is important for businesses to consider the cyber security risks that remote working presents. This article will explore what you need to know.

What are the risks?

There are numerous risks that online working itself presents, such as phishing, viruses and malware. Many offices will have established online cyber security policies and practices in place so that their office staff can work securely within work premises. However, flexible and hybrid working opens up the opportunity for hackers to access data through new vulnerabilities.

What about passwords and encryption?

Encrypting data before sending it via email or a secure file-sharing platform can ensure that access to data remains restricted.

Enhanced cyber security options like two-factor authentication (requiring a password and a PIN, for example) can provide an added layer of security. Also, any ‘mobile’ device that holds corporate data should be encrypted. These include laptops, removable hard drives, memory sticks and phones. This will ensure that if the device is lost or stolen, the data remains safe.

These safeguards are especially important when employees are transporting work devices between different locations as the likelihood of loss or theft is far greater. It is important that businesses have contingency plans in place to support staff in these instances.

Does your company encourage BYOD?

BYOD means ‘bring your own device’ and describes staff carrying out work on a personal device. Many companies allow their staff to use their own smartphones and laptops whilst working remotely. This is often a practical and efficient solution that lets your employees work seamlessly from wherever they are.

It is important to provide staff with clear IT policies, to set boundaries and retain administrative control of company data. This will help to keep devices, company networks and data secure.

What should an IT policy include?

IT policies may include a range of measures. For example, ensuring employees have up-to-date anti-malware and anti-virus software installed on their devices.

It is important that employees don’t set ‘weak’ passwords for accessing company systems. Commonly used passwords are very easy for sophisticated hackers to guess (and even for those less sophisticated). This becomes even more important when employees are accessing company networks and data from their own devices.

IT policies should also cover the essential training requirements that teach employees what security measures are needed when accessing their work and why they should be adhered to. Understanding the risks of common scams (such as scam emails) enables employees to mitigate the dangers from phishing and other hacking strategies.

How can you monitor cyber security in public places?

Steps need to be put in place to enforce cyber security when staff members are working in public places.

There are several ways to keep your device safe on a public Wi-Fi network. When using public networks staff should be advised to:

  • Ensure the credibility of a network before connecting. If in doubt, don’t connect.
  • Disable file sharing.
  • Use a VPN to encrypt data and disguise the device’s IP address from potential hackers.
  • Make sure the device has an up-to-date firewall and anti-virus software enabled.

The National Cyber Security Centre offers helpful information to companies planning their remote working strategy. You can also read our blog here on tips to help keep your corporate network secure when employees are working from home.

For more information, advice and support keeping your corporate network secure, get in touch with SupPortal today.

Cyber Essentials Requirements Have Changed: Here’s What You Need to Know

Cyber Essentials is a government scheme that covers your business and ensures you are protected against IT threats. By holding a certificate, you protect both your clients and your business from potentially devastating threats and indicate how seriously you take IT security. If you would like to find out more about Cyber Essentials, read our handy guide here. In April 2021, changes were made to the Cyber Essentials requirements.

As the governing body, IASME reviews and updates the Cyber Essentials technical controls so that they stay current and relevant. This ensures that Cyber Essentials is as effective as possible at protecting your software and devices against threats. Although no major updates have occurred, there is a series of clarifications to the requirements, effective from 26th April 2021. Here, we will help you understand exactly what you need to know about the Cyber Essentials requirement changes.

 

1. New Definitions for a Corporate Virtual Private Network (VPN), organisational services and organisational data.

  • A Corporate VPN is a VPN solution that connects back to the applicant’s office location or to a virtual/cloud firewall. This must be administered by the applicant organisation so that the firewall controls can be applied.
  • Organisational data includes any electronic data belonging to the applicant organisation. For example, emails, office documents, database data, financial data.
  • Organisational services include any software applications, Cloud applications, Cloud services, User Interactive desktops and Mobile Device management solutions owned or subscribed to by the applicant organisation. For example, Web applications, Microsoft 365, Google Workspace, MDM Containers, Citrix Desktop, VDI solutions, RDP desktop.

Organisational data and services used to come under the wording “Business Data”, which proved a bit too woolly, so two new definitions have been introduced.

Our thoughts…

A VPN (Virtual private network) is a way of securely connecting remote workers to other computers controlled by your organisation. This may be provided by a router that does this for you. The important thing to remember when using a VPN is that all traffic must pass through your corporate firewall. This is so your organisation can control the traffic going to and from its computer systems and services. Whilst apps like NordVPN or ExpressVPN might be useful for protecting your anonymity online, they don’t give you the same end-to-end security as a VPN provided by your organisation.

 

2. ‘Out of Scope’ Update for BYOD.

In addition to mobile or remote devices owned by the organisation, user-owned devices which access organisational data or services are in scope (native voice and SMS text applications are out of scope alongside multi-factor authentication usage).

Our thoughts…

If your organisation allows employees to access data or services owned by the company on their own personal devices, such as a mobile phone or laptop, then the organisation must ensure that these devices comply in the same way corporate devices do. For example, they must use strong passwords, enable a firewall, have anti-malware installed and up to date, etc. It is also quite common for a home user of a BYOD device to automatically have full admin privileges on a device they own. However, this is not acceptable under CE, and the user should have a separate login that does not have permission to install programs or change the configuration of the device. In other words, your home user device will need two accounts: one for daily use and one just for admin tasks.

 

3. Clarifications on Internet Boundaries and Software Firewalls.

“A boundary firewall is a network device which can restrict the inbound and outbound network traffic to services on its network of computers and mobile devices. It can help protect against cyber-attacks by implementing restrictions, known as ‘firewall rules’, which can allow or block traffic according to its source, destination and type of communication protocol. Alternatively, where an organisation does not control the network that a device is connected to, a host-based firewall must be configured on a device. This works in the same way as a boundary firewall but only protects the single device on which it is configured. This approach can provide for more tailored rules and means that the rules apply to the device wherever it is used. However, this increases the administrative overhead of managing firewall rules.”

Our thoughts…

A firewall sits where your device connects to a network: on the computer or server itself, or at the point where your network meets the internet via a router (which sometimes has an integrated firewall). Corporate networks normally have a separate device, the boundary firewall, to protect and monitor traffic in and out of the network.

If you have employees who work from home or remotely and do not connect to the corporate network through a corporate VPN, then they rely entirely on the host-based firewall of the device they are using, for example the built-in firewall on a Windows laptop or MacBook. That firewall should stay switched on even when a VPN is in use: it is the only control that follows the device onto a hotel, café or home network.

 

4. ‘Patch management’ control changed to ‘Security update management’.

Security update management.

Our thoughts…

It was felt that the expression ‘patch management’ was too technical and ambiguous. The goal is to ensure that updates are actually applied, especially where they fix a high or critical vulnerability, and that this is done within 14 days of the update becoming available. In practice it is advisable to apply updates as soon as they are released.

 

 

5. Updated security update management control.

The Applicant must keep all its software up to date. Software must be:

  • licensed and supported
  • removed from devices when no longer supported
  • have automatic updates enabled where possible
  • updated, including applying any manual configuration changes required to make the update effective, within 14 days* of an update being released, where:
      – the update fixes a vulnerability with a severity the product vendor describes as ‘critical’ or ‘high risk’
      – it has a severity the product vendor describes as ‘critical’ or ‘high risk’
      – there are no details of the vulnerability severity level the update fixes provided by the vendor.

For optimum security and ease of implementation it is strongly recommended (but not mandatory) that all released updates be applied within 14 days.

*It is important that these updates are applied as soon as possible. 14 days is seen as a reasonable period to be able to implement this requirement. Any longer would constitute a serious security risk while a shorter period may not be practical.

Information

If the vendor uses different terms to describe the severity of vulnerabilities, see the precise definition in the Common Vulnerability Scoring System (CVSS). For the purposes of the Cyber Essentials scheme, ‘critical’ or ‘high risk’ vulnerabilities are those with the following CVSS v3 values (the first four are base metrics; exploit code maturity and report confidence are temporal metrics, which not every vendor publishes):

  • attack vector: network only
  • attack complexity: low only
  • privileges required: none only
  • user interaction: none only
  • exploit code maturity: functional or high
  • report confidence: confirmed or high

Caution

Some vendors release security updates for multiple issues with differing severity levels as a single update. If such an update covers any ‘critical’ or ‘high risk’ issues, then it must be installed within 14 days.

Our thoughts…

Updating the operating system and applications is critical: it dramatically reduces the risk of an attacker gaining control of your device, because most attacks exploit vulnerabilities for which a fix already exists. Automatic updates should be switched on wherever the feature is available, but you still need to check and update every piece of software installed on your devices, since not everything updates itself. This needs to be managed so that critical and high-risk updates are installed within 14 days of release, and ideally sooner.

There are third party tools that can help with updating your devices, or even just to monitor and let you know when an update is required. At SupPortal, we use Qualys, which gives you full visibility of all the software you have installed and its version. You can also view reports detailing any vulnerabilities that exist on your devices. This can help you to manage and maintain your devices.
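As an added example (this is not SupPortal’s code, nor anything published by the Cyber Essentials scheme), the script below turns the rule above into a check you can run against a list of advisories: it parses a CVSS v3.x vector string, tests it against the six metric values in the ‘Information’ box, applies the three cases of the control (vendor says critical or high risk, CVSS meets the definition, or the vendor gives no severity at all) and computes the 14-day deadline. Treating an absent or ‘Not Defined’ temporal metric as the worst case is my assumption, borrowed from how CVSS v3 scores such metrics; the sample advisories, dates and vectors are constructed for illustration.

```python
"""Cyber Essentials 'security update management' check (added example)."""
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)

# CE definition of 'critical' / 'high risk' expressed as CVSS v3 vector values:
# every metric listed must take one of the accepted values.
CE_REQUIRED = {
    "AV": {"N"},       # attack vector: network only
    "AC": {"L"},       # attack complexity: low only
    "PR": {"N"},       # privileges required: none only
    "UI": {"N"},       # user interaction: none only
    "E":  {"F", "H"},  # exploit code maturity: functional or high
    "RC": {"C"},       # report confidence: confirmed (CVSS v3 has no 'high' value here)
}
# E and RC are temporal metrics and may be absent or 'X' (Not Defined). CVSS v3
# scores an undefined temporal metric as its worst case, so this check treats it
# as met (assumption: the conservative reading for a patching deadline).
TEMPORAL = {"E", "RC"}
VENDOR_HIGH = {"critical", "high", "high risk"}


def parse_cvss_vector(vector: str) -> dict:
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    parts = vector.strip().split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError("only CVSS v3.x vectors are supported")
    metrics = {}
    for item in parts[1:]:
        key, sep, value = item.partition(":")
        if not (sep and key and value):
            raise ValueError(f"malformed metric {item!r}")
        metrics[key] = value
    return metrics


def is_ce_critical_or_high(vector: str) -> bool:
    """True when the vector satisfies every value in CE_REQUIRED."""
    metrics = parse_cvss_vector(vector)
    for metric, accepted in CE_REQUIRED.items():
        value = metrics.get(metric, "X")
        if value == "X" and metric in TEMPORAL:
            continue  # not defined -> scored as worst case -> criterion met
        if value not in accepted:
            return False
    return True


def must_apply_within_window(vendor_severity=None, cvss_vector=None) -> bool:
    """The three CE cases: vendor says critical/high, CVSS meets the
    definition, or the vendor supplies no severity details at all."""
    if vendor_severity is None and cvss_vector is None:
        return True
    if vendor_severity and vendor_severity.strip().lower() in VENDOR_HIGH:
        return True
    if cvss_vector is not None:
        return is_ce_critical_or_high(cvss_vector)
    return False


def patch_deadline(released: date) -> date:
    return released + PATCH_WINDOW


def is_overdue(released: date, today: date, installed: bool) -> bool:
    """An in-scope update still missing after the 14-day window fails the control."""
    return not installed and today > patch_deadline(released)


if __name__ == "__main__":
    # Constructed sample advisories: (name, vendor severity, CVSS vector, released, installed)
    advisories = [
        ("A", "Critical", None, date(2021, 4, 26), False),
        ("B", "Moderate",
         "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RC:C", date(2021, 4, 26), False),
        ("C", "Moderate",
         "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", date(2021, 4, 26), False),
        ("D", None, None, date(2021, 4, 26), True),
    ]
    today = date(2021, 5, 12)
    for name, sev, vec, released, done in advisories:
        in_scope = must_apply_within_window(sev, vec)
        status = "OVERDUE" if in_scope and is_overdue(released, today, done) else "ok"
        print(name, "14-day rule applies" if in_scope else "advisory only",
              "deadline", patch_deadline(released), status)
```

Advisory B is the interesting case: the vendor calls it ‘Moderate’, but its CVSS values match the scheme’s definition, so the 14-day clock still applies. Advisory C has a local attack vector and needs user interaction, so it is outside the definition and only the ‘strongly recommended’ 14 days applies.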

6. Third party accounts with access to the certifying organisation’s data and services has been added to User Access Control.

The Applicant must be in control of its user accounts and the access privileges granted to each user account that has access to the organisation’s data and services. Importantly, this includes accounts that third parties use for access (for example, device management or support services). It must also understand how user accounts authenticate and control the strength of that authentication. This means the Applicant must:

 

  • have a user account creation and approval process
  • authenticate users before granting access to applications or devices, using unique credentials (see Password-based authentication)
  • remove or disable user accounts when no longer required (when a user leaves the organisation or after a defined period of account inactivity, for example)
  • implement two-factor authentication, where available
  • use administrative accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks)
  • remove or disable special access privileges when no longer required (when a member of staff changes role, for example)

Our thoughts…

Having a clearly defined policy that describes how you keep your network safe is crucial. Even if your IT is managed by a third party, their accounts and their staff still need to comply with this policy. The policy should cover things like password strength, how accounts are created and removed, and who holds admin access. Users should only have access to what they need, and admin accounts should not be used for day-to-day work; even the boss doesn’t need an admin account for daily use. Two-factor authentication should also be enabled wherever it is available, and it is a standard feature of cloud services such as Office 365, G Suite, accounting packages and online banking.

Is there anything you need to do with the clarification changes to Cyber Essentials?

After the 26th April, all Cyber Essentials assessment questions reflect these changes. All questions are now worded differently, with some extra questions that help clarify the information.

Here at SupPortal, we are fully prepared for the new changes and can support you through the Cyber Essentials certification process. If you have any questions about Cyber Essentials, please do not hesitate to get in touch.

‘Debunking IT security jargon’ – what does it all mean?


Cyber threats can be confusing for those with limited IT knowledge. It’s hard enough to understand how to protect your company, without being overwhelmed by all the jargon too. However, with these threats continuously on the rise, it’s vital that you are doing what you can to protect your business infrastructure.

A cyber threat is a malicious act that attempts to disable computers, steal or damage data, or generally disrupt digital life. With the average cost of a data breach standing at $3.86 million in 2020, and the average cost of a malware attack rising rapidly over the last five years, it’s no small matter.

Cyber attacks don’t just cost money either. The practical impact of a data breach is an important consideration, not to mention the time spent dealing with the aftermath. Plus, let’s not forget the potential damage to the company’s reputation, which could take far longer to rectify.

In this latest blog, we’ll walk you through the top five cyber threats you ought to be aware of (without the jargon).

1. Ransomware

Ransomware is a form of malware (malicious software) that blocks access to a computer system until you have paid a sum of money. Usually cyber criminals encrypt, or scramble (to avoid more jargon!), your data and then demand a ransom to release it.

Ransomware is an illegal money-making system. Scarily, a third party can install ransomware without your knowledge. The infection usually begins when someone clicks a deceptive link or attachment in an email, social media message or website. As soon as the malware runs, it can spread across your network, locking up your files with devastating effect.

Why do you need to be aware of ransomware? It is unpredictable, difficult to detect and very hard to stop once it is running, so the real defences are avoiding the infection in the first place and holding tested backups you can restore from. In the last year, 40% of businesses across the UK, U.S., Canada and Germany have experienced ransomware attacks. Of these victims, more than a third lost revenue and 20% had to stop their business completely (Spectrum Internet).

2. Phishing

Phishing is a type of cyber attack where victims are misled into handing over sensitive information or installing malware on their own systems. This can happen using email, phone or text message and involves a person posing as someone they are not. They usually pose as a legitimate company or an individual in need of help.

The level of sophistication used in these attempts has increased recently; over half of cyber attacks in the UK in 2018 involved phishing (PwC).

3. Data Leakage

Data leakage, sometimes called slow data theft, occurs when unauthorised individuals gain access to sensitive data. It is most commonly caused by criminal hacking, but it can also be caused by poor data security practices or, worse yet, by accident. This tends to be the type of incident that reaches the mainstream press.

Cyber criminals often look for personal information they can use for identity theft. They also target confidential information such as product details or patents that are vital for a business to stay competitive in its market. Credit card fraud is another common use of leaked data.

Risk Based Security (2020) reported that a whopping 36 billion records were exposed during 2020, more than four times the number exposed in 2019. Data breaches are a real and growing problem.

4. Hacking

Hacking is a method whereby criminals look for security weaknesses in a computer system or network. They then expose, change, destroy, disable, steal or gain information from the computer system or network.

The reasons for hacking can vary. Criminal hackers can hack to gain profit, to gather information, to protest or even just for the thrill. They often install malware onto a computer system. Sometimes so-called ‘ethical hacking’ is used (with permission) to test security systems to see how robust they are.

5. Insider Threat

This type of threat involves someone with legitimate access to the targeted organisation intentionally abusing their credentials to steal information. That person doesn’t have to be a current employee: a former employee whose account was never disabled, a board member or a business partner can all be insider threats.

Insider threats can be difficult to prevent. Many security systems may be designed to keep purely outside threats at bay. However, with some big-name companies recently targeted such as Facebook and Coca-Cola, it is an increased worry for businesses.

Now you’ve deciphered the jargon, how can you stay protected from these five types of cyber-attack?

As our society becomes ever more dependent on technology, it’s likely that cyber security threats will continue to rise. Prevent attacks and save money by making sure that you have the best security procedures in place.

Here at SupPortal, we won’t bombard you with jargon. Our goal is to work with you to implement clear cyber security strategies that protect your IT infrastructure. Take preventative action for your business today: get in touch with SupPortal.

Which cyber security certification is right for your business?

Business today relies heavily on the internet, no matter what the industry. The online world is constantly evolving, from an increase in video conferencing and homeworking to ecommerce transactions and contactless payments. With more and more critical data being stored and processed over both private and public networks, it is important to be aware of the risk and take the right steps to protect your organisation. Below we will go through how to choose the right cyber certification to suit your needs.

The Threat of Cyber Crime

Did you know that almost half of UK businesses are affected by cybercrime each year? Security breaches are a very real threat for businesses of any size, whether from cybercriminals, viruses or other malware. Poor judgement and errors made by employees, alongside weaknesses in your security systems, are often to blame. It’s easy to think that it won’t happen to you or your business, but anyone can be a target, so it’s important to take preventative action to protect your business.

Reassurance for Your Clients and Customers

Your customers and clients are trusting you with their data. A cyber certification can lay their fears to rest, as it enables your business to demonstrate that you have appropriate cybersecurity controls in place that not only protect your own data, but also any that you hold about them. Furthermore, it isn’t a one-time fix. Certification provides a solid foundation of best practice to be maintained within your business and will require renewal every 12 months. Upon certification, your business will be listed publicly in the Cyber Essentials directory and also qualifies for £25K optional Cyber cover.

Below we explore how to choose the right cyber certification for your business, looking specifically at the two most popular certifications – Cyber Essentials and Cyber Essentials Plus.

What is Cyber Essentials?

This is a government scheme that covers all types of organisations to make sure they are adequately protected against IT threats. Having this certificate protects both your business and clients from a potential threat and demonstrates that it is taken seriously. In fact, we recommend all parties are encouraged to adopt the scheme to keep the whole supply chain protected. It is essentially a set of security standards that businesses are required to meet to achieve certification.

The scheme covers the following key areas:

  • Protecting your internet connections with firewalls and routers
  • Protecting any device and software your business may use
  • Controlling who can access your data and services through user access control
  • Defending against viruses and other harmful malware
  • Ensuring devices and software are kept up to date

So, how do you choose between Cyber Essentials and Cyber Essentials Plus?

The certification level you choose depends on who you are dealing with. If your company has contracts with government, or is in a government supply chain, then no matter how simple your set-up is you will need at least Cyber Essentials certification in place. Cyber Essentials Plus gives you an added level of assurance.

Your business IT infrastructure may only consist of a laptop and use of Office 365. However, many companies will still want you to have a certain level of certification to do business with you. The simpler your IT is, the easier it is to implement.

Cyber Essentials

Are you looking for basic level security certification to prove to your potential and current clients that you have sufficient measures in place?

This is the lowest level of certification and is the minimum requirement if your business wants to submit a bid for a public sector contract. This certification is vital if this is an area where you wish to do business, as you will be responsible for handling critical information regarding public sector activity.

If you decide Cyber Essentials is right for you, SupPortal can organise your self-assessment questionnaire. There is a time and resource commitment required internally to provide suitable evidence for the self-assessment. An outsourced provider such as SupPortal can take a lot of this work off your shoulders. Working with you, we can ensure you are prepared to answer the questions and provide the evidence.

Assisted Cyber Essentials

Should you wish to take on the majority of the work in-house, SupPortal can provide an initial external vulnerability scan. However, doing so can not only be time consuming but will require sufficient IT knowledge to fully respond to the self-assessment.

Cyber Essentials Plus

Government organisations and contractors look for this certification where the risk is considered greater. It is a more comprehensive version of the Cyber Essentials certificate: in addition to the self-assessment, an assessor carries out hands-on technical verification, including vulnerability scans and tests on a sample of your devices. To gain this certification, you need to be Cyber Essentials certified first.

As part of this process, the team at SupPortal would carry out tests on your software and systems to check for vulnerabilities to ascertain if you have the adequate protection against cybercrime.

Do you supply goods or services to government departments like the NHS, or MOD? Do you have remote workers? Or do you have third-party businesses that have access to your systems? Does your business require complex IT infrastructure, software and systems? Does your network cover a broad area? If you have answered yes to any of the above, then this may be the most appropriate certification for you.

If you want to truly demonstrate that your business is committed to high standards of cyber security protection, and you take data protection seriously, then this is a great choice for you. With this certification, you are going above and beyond to keep your client’s data safe. Furthermore, if your business commonly processes data of a highly sensitive nature, then it is well worth considering Cyber Essentials Plus.

Still confused about which cyber security certification is right for your business? Then get in touch with the team at SupPortal today.

Is Home Working Exposing Your Corporate Network?


The pandemic of 2020 saw a rise in homeworking and many businesses have realised that this is a viable option for work going forwards. However, did you know that ransomware is one of the fastest growing crimes on the planet? So, ask yourself, is home working exposing your corporate network?

Below you’ll find some important tips on how you can make sure that your corporate network and all of your data stays safe.

What are the threats to your corporate network?

If your corporate network is exposed and there are not enough IT security measures in place, you are exposing your business to unnecessary risk.

Ransomware, a type of malware (malicious software), gives cyber criminals the ability to hold your business to ransom. Once they have gained access to your corporate network, they encrypt your data and demand a payment for its release, with the threat of permanent deletion if you fail to pay. We advise you never to pay the ransom: you are not guaranteed to get your data back, and paying marks you as a target for further attacks. Instead, make sure you have good, well-tested backups. Thankfully, with the right protection across your network, you can put preventative measures in place to stop this and other malicious attacks.

The stats for ransomware are shocking, with one small UK business being hacked successfully every 19 seconds. Your business and corporate network could also be exposed to other malware attacks, spyware and other viruses. For instance, 55% of UK email is spam. If a well-intentioned employee clicks on an innocent looking email, it could be opening the gates to a cyber-attack.

It’s not all doom and gloom, there is plenty you can do to protect your corporate network against cybercrime. As they say, prevention is better than the cure. So, it’s important to develop a long-term strategy to protect against threats.

How can you stop exposure to your corporate network?

There are a few ways that you can help to protect your corporate network against attacks whilst your employees are working from home.

1.     Train your staff

Unfortunately, and unintentionally, your team can cause a security breach. All it takes is a click on the wrong link or replying to a well-crafted phishing email. Human error can occur, especially when distracted or tired. Home working conditions are different to those in an office. That’s why it is vital to have your staff aware and educated on cybercrime.

By training your staff about cybercrime, you can ensure that whilst they are working at home, they know exactly what to look out for to keep your corporate network safe. Make sure your staff are vigilant with suspicious links and emails. Think about giving regular cyber security training. Here at SupPortal, we offer online training, which consists of a series of short sketch animations. These are only around one minute long, and you’ll find a quiz to check what you’ve learned. We believe this format generates particularly high user engagement. As a business owner, you will also be able to see if your users have watched the training.

We also offer more in-depth training, which can be delivered online or on site. Particularly useful for management teams is a desktop simulation of a cyber-attack scenario, which tests how well the measures you have put in place actually work. Being prepared and well-practised is key to survival in the event of a serious attack.

By training your staff, they will know to take cybercrime more seriously, which will help to keep your business’ data and files safe. A team well trained is a great first line of defence.

2.    Be vigilant with emails

Think before you click! Spam email is an extremely common entry point for cyber criminals. Don’t open attachments or enable macros in an email you weren’t expecting, report suspicious emails to your IT support partner, and then delete them.

It is also important to be aware of the vulnerabilities in your supply chain. It is good security practice to ensure that your suppliers meet the same standard of security you adhere to yourself, and governance standards like IASME Governance require you to check that your supply chain does as much as you do to protect your business and its data. Cyber criminals can gain access to your corporate network and business data by sending out a genuine-looking software update, or an email masquerading as a supplier or someone you know.

What looks like an update may in fact be fast, destructive malware that could wipe out the operation of your business. That is why it is vital to choose suppliers wisely and to verify that updates come from the genuine source before installing them.

3.    Back up your data

There are numerous benefits to using cloud computing, however you do still need to make sure security is in place. You can’t be complacent in thinking just because it is in the cloud that it is safe. You should still make backups.

Keep copies of your files, so that if an attack does occur you still have your data. With regular backups you can restore versions from before the attack, minimising the impact and reducing the chance of reinfection. Test that you can actually restore from the backup, not just that the backup job runs. Backups should be encrypted, and if you are using a local drive it should be disconnected after each backup so that ransomware on the network cannot reach it. Even though you hold a copy, you still need to protect the backup itself: you don’t want it falling into the wrong hands.

Organisations should also ensure that all staff periodically update the devices they are working on and install software and system updates, and that up-to-date anti-virus software is in place. Poor patching of computer equipment is one of the most common ways to fall victim to an attack, and Cyber Essentials requires critical and high-risk updates to be applied within 14 days of release.

4.    Safe and Secure Passwords

One of the most common mistakes that companies and individuals make is choosing weak, easily guessed passwords. Because of this, many sites and applications have added extra layers of protection, which is why multi-factor authentication is now commonplace. It would be wise to enable it across your company to protect your network.

Password managers also help: they generate long, random passwords that you never need to remember. We recommend you steer clear of free software and use a paid product such as 1Password. Good technical policies will help too, so ensure passwords have at least eight characters and include upper and lower case letters, numbers and special characters, and reject the most common choices such as ‘password’ and ‘123456’.
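As an added example (not SupPortal’s code, and not a specific Cyber Essentials requirement), the checker below enforces the policy described above, at least eight characters drawn from all four character classes, and adds the two checks that catch the predictable passwords this page warns about: a deny list of known-weak passwords and keyboard runs, and a test for personal information such as names, pet names and dates of birth. The deny list is a tiny constructed one; a real deployment would load a published list of common or breached passwords, and the `personal` argument assumes you know which names and dates to screen for each user.

```python
"""Password policy check with deny list and personal-information screening (added example)."""
import re
from datetime import date

MIN_LENGTH = 8
# Constructed, deliberately tiny deny list; a real deployment loads a
# breached/common-password list into this set (assumption: lower-cased strings).
DENY_LIST = {"123456", "123456789", "picture1", "password", "12345678", "qwerty", "letmein"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "1234", "abcd")
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def date_tokens(d: date) -> list:
    """The forms of a date people type into passwords: 1990, 0304, 03041990, 030490."""
    return [f"{d.year}", f"{d:%d%m}", f"{d:%d%m%Y}", f"{d:%d%m%y}"]


def personal_tokens(*facts) -> list:
    """Flatten names, pet names and dates into lower-cased substrings to reject."""
    tokens = []
    for fact in facts:
        if isinstance(fact, date):
            tokens.extend(date_tokens(fact))
        else:
            tokens.append(str(fact).lower())
    # very short tokens would match almost anything, so ignore them
    return [t for t in tokens if len(t) >= 3]


def password_problems(password: str, personal=()) -> list:
    """Return every policy failure; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, rx in CLASSES.items() if not rx.search(password)]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    if lowered in DENY_LIST:
        problems.append("on the deny list")
    for run in KEYBOARD_RUNS:
        if run in lowered or run[::-1] in lowered:
            problems.append(f"contains keyboard run {run!r}")
            break
    for token in personal_tokens(*personal):
        if token in lowered:
            problems.append("contains personal information")
            break
    return problems


def is_acceptable(password: str, personal=()) -> bool:
    return not password_problems(password, personal)


if __name__ == "__main__":
    # Constructed examples: a user called Alice with a dog called Rex, born 3 May 2016
    facts = ["Alice", "Rex", date(2016, 5, 3)]
    for candidate in ["password", "Qwerty123!", "Rex2016!Walk", "Tq7#mvL2xPz9"]:
        print(f"{candidate!r}: {password_problems(candidate, facts) or 'ok'}")
```

Note that `Rex2016!Walk` satisfies every composition rule and is still rejected, which is the point: length and an unguessable choice matter more than ticking the character-class boxes, so pair a checker like this with a password manager rather than relying on complexity alone.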

Don’t share passwords between users, and don’t embed a user’s password in an application. Where one piece of software needs to talk to another, use an API key or a dedicated service account instead, so that no person’s password is exposed to other users or systems. Those keys need protecting in turn: store them securely rather than in source code or scripts, give each key only the access it needs, and rotate it if it may have leaked. You may need professional support to check that the encryption and authentication around them are up to scratch.

5.    Review your IT infrastructure and VPN (Virtual Private Network)

A VPN (Virtual Private Network) allows your employees to log into your corporate network from home. VPNs are incredibly useful, but only if they are properly secured end to end and send all of the user’s traffic through the corporate firewall. If the VPN is configured as a split tunnel, so that the user is connected to the office but browses the internet directly through their home router, the device is exposed to the internet with only its own firewall for protection and, if it is compromised, gives an attacker a ready-made path into the office network. In that set-up your business is actually MORE at risk. An IT support partner will be able to advise whether you have the right VPN in place for the needs of your business, and whether the devices and software your employees use are suitable for their roles and have the right security controls in place.

6.    Seek help from an IT Support Partner for your Corporate Network

Gain peace of mind by having an IT security expert involved, who can assist with a range of solutions including security audits and training. This way, you will know that you have the right security and knowledge to keep your corporate network safe and secure. It also means that if there is an emergency, you have a trusted resource to turn to.

Your IT security partner can keep your software and systems up to date, provide invaluable training for your team, and make sure all of your remote connections and software are running smoothly.

Remote working, without the risks

Get in touch today if you would like to know more about how we can ensure the safety and security of your corporate network, whilst your team are busy working from home.

Why all Employees Need IT Security Training

Providing IT security training cannot begin and end with your IT staff.

Cyber attacks are on the rise. The 2018 Cyber Security Breaches Survey found 19% of charities and 43% of businesses had reported cyber security attacks in the last 12 months. As technology advances, the risk of a cyber attack is increasing. If your staff don’t have IT security training, it is going to be easy for hackers to take advantage.

STARTING WITH YOUR STAFF

The usual cyber attacks aimed at businesses are viruses, phishing scams and ransomware.

Security is no longer just a job for the IT department. Businesses are beginning to realise the crucial role that every employee plays in toughening their cyber security.

Ensuring staff are educated in cyber safety, with the help of IT security training, will help improve security drastically.

While training is required across all departments, having tailored courses to each are important. Whether it’s in the customer service area, or the sales team, IT security training will vary along with the basics.

PHISHING FOR FAILURE

Any employee who spends their time on a computer needs a lesson in phishing scams. According to the Verizon Data Breach Investigations Report, 30% of phishing messages get opened by the targeted users.

A phishing scam is where an attacker sends an email pretending to be someone the victim trusts, usually a senior person in your company such as the CEO, or a well-known service unrelated to the business such as Google, in order to extract sensitive information from the victim. The average cost of a phishing attack for a midsize company? A whopping $1.6 million, roughly £1.2 million.

92.4% of malware is delivered via email. Since phishing scams are also mostly sent by email, it’s essential to upskill employees on how to spot deceptive emails and spoofed sender addresses, to stop them clicking on suspicious content, and to ensure they understand the consequences if they do.

MOBILE FRIENDLY SECURITY

With flexible working and BYOD policies, more employees are using work mobiles outside the work environment. Mobile security is therefore a crucial area to provide training in, given how regularly staff work from mobile devices and the obligations introduced by GDPR.

Employees need awareness in the risks that come with using mobile devices in such a cyber orientated world.

Using social media at work and in personal lives is another aspect that can affect the state of cyber security. IT security training in this area could include sections on how to avoid sharing personal details publicly and how to prevent exploitation.

FOLLOW THE RULES

In some circumstances, failing to provide IT security training can put you in breach of your regulatory obligations. Within the financial, government and healthcare sectors there has long been a requirement to ensure the workforce has cyber security training.

Now, with the introduction of GDPR, organisations across a much wider range of industries must show they have appropriate organisational measures in place to protect personal data, and staff training is one of the measures regulators expect to see.

TRAINING TO TARGETS

Cyber crime damage costs are forecast to hit £4.35 trillion annually in 2021. The end result of training should focus on the bigger picture: creating a culture in your workplace that encourages IT security awareness in all departments, so that every employee can be trusted to respond well when they encounter a cyber attack.

Companies may be reluctant to invest in cyber security infrastructure; however, it is important to recognise that most incidents are caused by human error. You could prevent most attacks by having a security training programme in place.

HOW WE CAN SUPPORT YOUR BUSINESS.

The Government-endorsed Cyber Essentials certification will help your business to stand out from the crowd.

SupPortal UK can complete a cyber essentials audit for your business. This will highlight vulnerabilities, tighten up security and identify an improvement plan. Our managed services will monitor your system and devices around the clock so we can troubleshoot and patch issues before they become business critical.

With SupPortal UK, we take away the worry of cyber security. We will give you peace of mind that you are both compliant and covered. So you can concentrate on successfully driving your business forward.

View our cyber security services, and request a no-obligation FREE cyber security health check.