survival in the digital age

How are Word-based fileless attacks targeting aid organisations?

Imagine you have opened a Word file that was emailed to you by a prominent organisation in your field. On the surface, nothing else happens. You notice no changes and your antivirus system doesn’t detect anything suspicious. Would you (or your employees) expect to be spied on by hackers?

This March, McAfee identified a new fileless hacking operation which is targeting humanitarian aid organisations worldwide. ‘Operation Honeybee’ tricks its targets into opening compromised Word documents. When this is achieved, their malware takes hold in the computer and allows the hackers to spy on their target undetected. They are able to escape scrutiny because of their fileless strategy.

Fileless Attacks

There has been a surge in fileless attacks. A study by the Ponemon Institute predicts they will comprise 35% of all cyber attacks in 2018. As hard drive-focused antivirus scanners become more effective, hackers are resorting to strategies which do not leave files in your directory. Instead, they exploit known weaknesses in legitimate programs which are already on your computer. Once they have gained a foothold there, they can run commands which allows them to spy on you, mine cryptocurrency, ransom your files, and even take over your entire system.

 Honeybee and spear phishing pierce your defences

Another dangerous aspect of the Honeybee operation is its use of ‘spear phishing’; a more sophisticated form of phishing. Where ordinary phishing campaigns send out misleading emails in bulk, and cross their fingers, spear phishing tailors its message to appeal to a particular target in order to increase its chances of success.

In the case of Honeybee, the hackers designed their initial email to pass for a message from the International Red Cross. They then used the decoy document to ambush employees of the aid organisations they wanted to spy on.

The Red Cross is a perfect disguise for a spear phishing operation, as it is a well-known, trusted organisation. Combining this with the fileless nature of the attack, it is even more likely to escape detection. This joint strategy can be adapted to target any industry.

Joint strategy; twofold solution

If hackers are purposefully evading traditional antivirus strategies, how can you keep your system safe? There is a twofold solution.

First of all, there are innovative antivirus programs which do protect against fileless attacks. The latest cybersecurity tools use machine learning to pinpoint unusual activity on your system. This allows them to eliminate threats which would otherwise remain hidden.

Secondly, you can implement a training strategy which will increase awareness of the strategies used by hackers. When properly prepared, members of your organisation can neutralise a threat by taking as little as a minute to verify the source of emails they receive. It really can be that simple.

Every organisation can benefit from added protection. Give us a call on 0844 586 0040, or email [email protected], and we’ll be happy to advise you.

 

Flag of Europe

Building trust: What GDPR can do for your council

How would the introduction of GDPR have affected Basildon Council?

Prior to the introduction of GDPR (General Data Protection Regulation)  in 2017, Basildon Council was fined £150,000 for failing to store personal data securely. Because there was no adequate data protection policy in place, details of a family’s disabilities, including mental health issues, were published online. They remained publicly accessible for weeks. This incident had huge reputational and financial repercussions for the Council.

The £150,000 fine was imposed under the old Data Protection Act. With the enforcement of GDPR in May, the ICO are now able to impose higher fines, which go up to 4% of the organisation’s turnover, or €20,000,000, whichever is greater. What’s more, the scope of the new legislation is far broader, setting higher standards of transparency for any organisation that handles EU citizens’ data.

Councils are already failing internal audits and incurring fines on an annual basis. What will happen now GDPR is enforceable? Unless action is taken now, councils stand to fall short of the new rules and be subject to the new fines. The purpose of GDPR is to protect citizens’ rights, not to cause councils to incur avoidable costs. How can GDPR help councils prevent the kind of incident Basildon has seen, and foster trust among residents?

How can new legislation help?

There is a lot of apprehension among residents regarding their privacy. Who holds my data, and why? If personal data is stored, is it being held securely? GDPR is designed to provide answers to those questions.

If an organisation is GDPR compliant, it means that personal data is only being stored when strictly necessary and under the best possible safeguards. More than that, GDPR puts control over data back into citizens’ hands, creating a new era of transparency. This is how GDPR, instead of remaining a looming spectre, can become a tool for councils to build trust.

GDPR compliancy for councils

The task for councils is clear: they must be able to map out the exact course data takes through their systems. When a resident requests to see their personal data, the council must be able to recover it. If you imagine the amount of data currently in the hands of councils, much of it in archival storage, you will see that this is a huge undertaking.

There are other liabilities councils may not even be aware of, such as their Active Directory management. Too often, when council employees change roles, their accounts remain active. This means that they can be exploited by disgruntled ex-employees, and even become targets for hackers. By implementing a system which closes obsolete accounts, councils can ensure that access is granted only to the right people.

There are big cost-saving benefits to be achieved by creating a safe, streamlined and transparent data policy. As well as avoiding fines and passing internal audits, in the process of becoming GDPR compliant, councils can effect substantial savings by reducing their storage of obsolete data.

We have the experience and expertise to reform your data management. If you are a council looking for a GDPR compliancy solution, please contact us on 0844 586 0040 or [email protected].

 

secure email image

Private Schools and Parents Face Cyber Threat

Private schools and parents face cyber threat as cybercriminals are always seeking new targets, digital security for education should not be ignored. Organisations receiving large payments, and with poorly secured IT systems are a treasure trove for hackers. Their latest campaign attacks private schools, with the aim of tricking parents into paying thousands of pounds of school fees to fraudsters’ accounts. Cybersecurity for the education sector needs to be taken seriously.

Digital Security for Education

Unfortunately, many private schools lack adequate digital security. Cybercriminals are using phishing attacks to compromise school email systems to obtain parent’s data and contact details. A common tactic involves emailing parents to explain the school’s payment details have changed and issuing a new invoice with their own bank details. Parents who reply to the email for confirmation, risk emailing the hackers instead.

It has been reported that one parent with three children at an independent school paid £70,000 to hackers after being offered a 10 per cent “early bird” discount.

“These emails can seem very real,” says Colin Tankard, Digital Pathway’s Managing Director, “And, while the private school sector seems to be the latest target of these fraudsters, they are certainly not the first or will be the last.

“Always hover your cursor over the URL and check that the address is correct.  Sometimes it may differ by one digit or letter, so vigilance is key”, he adds.

Schools and parents who find themselves the victim of these attacks are unlikely to recover their money. Payment by bank transfer is not protected, and few schools have taken out cyber insurance. For the few that have, only 38 percent of policies cover this type of crime.

Cybersecurity Training

Staff need to receive ongoing training to help them identify phishing scams that enable hackers to gain access to their systems.

Also, schools need to act quickly to ensure they are protecting the personal data they store and process. On 25th May 2018, the General Data Protection Regulations (GDPR) will replace the Data Protection Act. Failure to protect their systems from unauthorised access could see independent schools hit with colossal fines.

Compliance requires preparation, including auditing what information is held, and where, assessing threats, training staff, and updating policies and systems.

In light of the current email scam, independent schools should use a GDPR-compliant secure email service. Utilising end-to-end encryption, messages are protected from unauthorised access and e-mails rendered trusted and binding. Hackers are unable to decrypt the information being passed between the organisation and individuals. This restores confidence in email communications, knowing messages have come from a trusted source and are being sent to the intended recipient.

Our secure email service turns regular email into secure electronic communication. It is convenient, integrating with existing email solutions, and makes regular email compliant with GDPR.

With schools holding large amounts of sensitive and personal data, independent school fees attracting cybercriminals, and the imminent arrival of GDPR, it is essential schools invest in their digital security to protect themselves, their students and parents.

For advice and support with protecting your organisation from cybersecurity threats, contact us on 0844 586 0040 or email [email protected].

General Data Protection Regulation

GDPR: Is Your Law Firm in the 75%?

Cybersecurity for Your Law Firm

In November 2017, it was reported that 75% of UK law firms aren’t ready for the General Data Protection Regulation (GDPR). With less than three months to go until the compliance deadline of 25th May 2018, it is more important than ever for law firms to be prepared.

The legal sector is already highly regulated, with firms needing to comply with money laundering obligations, for instance. However, we have encountered some firms who believe this degree of regulation means they will already comply with GDPR. This isn’t true. Compliance with GDPR requires its own preparation, auditing, and changes to systems and policies surrounding the processing and storing of personal data.

General Data Protection Regulation (GDPR)

GDPR places greater responsibility on organisations to review third-party agreements for compliance too. Depending on your current processes and use of third parties, this could take significant time and resource.

As a firm, you must decide if you need to appoint a Data Protection Officer, based on criteria specified in the incoming legislation, as well as reviewing (or in some cases, implementing) your data protection policy, data breach notification procedure, subject access request forms and procedures, data protection impact assessments, and consent forms.

If you aren’t sure where to begin, the Law Society is collating guidance and support to help law firms prepare for GDPR.

Cybersecurity remains as important under GDPR as it is under the current data protection framework. The legal sector is an especially attractive target for cybercriminals seeking the sensitive data and significant funds held by law firms. Alarmingly, 62% of law firms reportedly suffered a cybersecurity incident last year.

Here are three ways you can protect your law firm from cybersecurity attacks:

Cyber Training for your Law Firm staff

Every member of your firm is responsible for protecting your data. This is why it is essential to educate your staff through cybersecurity training. From spotting attempted social engineering attacks, to understanding the risk posed in finding an unidentified USB, being able to identify risks and threats could prevent a successful attack against your firm.

Secure email

Standard email is not a secure option for law firms. Unencrypted emails travel through servers located all over the world. Anyone who intercepts these communications will have access to the information being sent.

Law firms are especially likely to send emails containing sensitive information. Secure email is essential for the legal sector and has come a very long way, offering both security and convenience. Our trusted partner provides an encrypted email service that protects messages from unauthorised access and renders e-mail trusted and binding, making ordinary email compliant with GDPR.

Secure file sharing for your Law Firm

The legal sector relies on document sharing. A secure file sharing system will protect your important documents and the sensitive data you hold. Cloud services such as Dropbox and OneDrive do not encrypt your documents, leaving you vulnerable to an attack on the cloud storage provider or access requests by government authorities. Through our partnerships, we also offer a secure file sharing solution. Utilising end-to-end encryption and anonymised key management via a trusted third party, all data is securely stored within the UK.

Would you like to discuss GDPR or cybersecurity for your law firm? We’d be happy to help. Contact us on 0844 586 0040 or email [email protected].

 

 

Law book & hammer, cybersecurity for law firms

Client Data: Is Your Law Firm the Weakest Point in the Cyber Security Chain?

Financial Fraud is big business for cybercriminals

During 2016, 73 out of 100 top UK law firms were targeted by hackers. Meanwhile, many smaller firms mistakenly believe they are too small or niche to attract the interest of cybercriminals. As a law firm, the information you store and process is highly valuable. By aggressively targeting law firms, hackers seek to steal sensitive information, such as commercial secrets, intellectual property, personal information, mergers and acquisitions, and market strategies. This is why you are and will continue to be the target of cyber-attacks and potential financial fraud.

Cybersecurity issues for law firms

Unfortunately, several high-profile breaches indicate that the legal sector has a cybersecurity problem. This is something cybercriminals are acutely aware of and seek to exploit. The issue is global, affecting firms all over the world. The revelation of the Panama Papers, for instance, was the result of a single cyber attack against Mossack Fonseca, a small Panamanian law firm. It is the largest data breach in history. Read more

IOT network image

Internet of Things: Balancing Benefits and Risks in the Workplace

Internet of things: Benefits and Risks

The benefits of IoT. A recent survey of over 1000 buyers of IT across Europe and North America showed that 29% of companies have already embraced IoT, with an additional 19% planning to adopt IoT within their organisation over the next year. By the end of 2018, these figures suggest IoT will be adopted by nearly half of all businesses.

The benefits of IoT are already being seen in the home, with smart thermostats and smart speakers becoming commonplace over the last year.

Naturally, IoT brings infinite potential and possibilities for businesses, with everyday devices able to connect, monitor, and transfer large amounts of data between each other. Read more

Spectre and Meltdown

Will we be haunted by Spectre and Meltdown for decades to come?

Spectre and Meltdown: Will we be haunted by vulnerabilities in modern devices for decades to come?

2018 began with the alarming news that nearly every computer chip manufactured in the last 20 years contains basic security flaws. These flaws have been collectively named Spectre and Meltdown, and were discovered by security analysts at Google.

In contrast to malware and viruses, which affect the software, these vulnerabilities are inbuilt into the hardware. The scale of the risk is unprecedented, as the flaws are not unique to one type of chipmaker or device. Instead, billions of devices, from desktop PCs to tablets and smartphones, are vulnerable. Read more

cyber security image

Could a Data Breach be the End for Your Business?

Building a business is hard work. To lose it all as a result of a data breach would be devastating.

Unfortunately, we recently learned of a SME who found themselves in this situation. Facing the threat of legal prosecution following a data breach, the company had no other option than to close its doors for good.

With the new and extensive EU General Data Protection Regulations (GDPR) coming into force in May 2018, there is a real risk we could see more smaller companies folding, unable to face the litigation and fines following a breach.

What is at stake?

On 25th May 2018, GDPR will replace the current Data Protection Act in the UK. These new regulations have been designed to give individuals greater control over what happens to their personal data when in the hands of organisations or businesses.

All businesses and organisations that store, manage, or process the personal data of EU citizens will be expected to comply with the new legislation.

Under GDPR, businesses will be more accountable for personal data breaches and data loss. Failing to understand your responsibilities could see your company facing a fine of up to 4% of your global, annual turnover, or €20,000,000, whichever is greater.

For SMEs, the ‘whichever is greater’ element of the new rules is the key phrase. It is easy to see how a smaller organisation would be unable to face this level of financial penalty, leaving them more vulnerable to collapse following a breach, than larger companies who might be more able to weather the impact of a fine.

Alarmingly, the Zurich SME Risk Index has suggested that many of the UK’s SME may be non-compliant on the GDPR implementation deadline. This isn’t a risk businesses can afford to take.

What can you do?

With less than 2 months left to prepare for GDPR, there is no time to waste. If you don’t fully understand the issue, finding out how the new regulations will work or what it will mean for your business and industry should be your first priority.

It is likely you will need to update your IT and privacy policies to ensure you are compliant. It is also vital that you communicate the new regulations and any changes to your policies to your staff.

If you don’t have the time to fully investigate and prepare, the best option is to work with an experienced cybersecurity company with a thorough understanding of GDPR.

At Digital Pathways, we have the expertise to audit your current systems and identify which elements are already in line with GDPR and what needs to change. We can ensure your company is compliant and ready for these new digital security regulations.

Don’t let a data breach be the end for your business. Contact us today on 0844 586 0040 or email [email protected]

password security image

3 Business Benefits of 2 Factor Authentication

Why do businesses need 2 Factor Authentication (2FA)?

What are the 3 benefits of 2 Factor Authentication?

Passwords are the weakest link in digital security. They can be guessed, captured by hackers logging keystrokes, or stolen by social engineering techniques. Additionally, individuals are often guilty of writing them down or using passwords that are easy to remember.

For businesses, this is bad news. Unauthorised users exploit the weak protection afforded by passwords to gain access to company data and systems. Whether it is personal data, intellectual property (IP), or research and development, all data has a value. This is what makes it an attractive target for cybercriminals.

Two-factor authentication adds an extra layer of protection, strengthening digital security across your organisation. Read more

digital padlock

Secure Email: Simplified

Despite the clear benefits of secure email, organisations and individuals continue to send unencrypted emails around the world, risking their digital security and email privacy.

Relying on unencrypted email is the digital equivalent of sending a postcard in the mail. Before landing in your recipient’s inbox, regular email travels through servers all over the world. Anyone who intercepts this communication can read the content.

Law firms, healthcare professionals, and social services need to ensure email privacy to preserve their clients’ confidentiality. Organisations and businesses of all sizes need to protect their data and intellectual property, as well as that of their clients and employees. Individuals should also never send any information via regular email that they would not be willing to share publicly. Read more