H2 Newsletter Edition 5
Trust H2 – Making sure your information is secure
A record number of scams were taken down in 2021 by the NCSC, the part of GCHQ based in Cheltenham: a staggering 2.7 million, over four times the number recorded in 2020. The head of GCHQ has said the UK needs to boost its cyber defences amid growing threats. Sir Jeremy Fleming told the CyberUK conference in Newport that the current 'serious global economic situation' means 'the need to make the UK the safest place to live and do business online is ever more relevant'.
Amazingly, one brazen scam taken down last year involved criminals posing as NCSC chief executive Lindy Cameron.
The scammer claiming to be Cameron emailed the recipient to say that the NCSC had stopped £5 million of their money from being stolen and that, to get the funds back, they had to reply with personal information.
Now that is cheek!!
'As we kick off CyberUK, the latest ACD figures shine a light on how the NCSC has responded to emerging cyber threat trends and security issues to keep the UK safe at scale,' Cameron said.
'We know that scammers will go to great lengths – and indeed my name has been used to try to trick people – but as we continue to expand our defences we can see the tangible impact this is having.'
This comes amid a rise in fake celebrity endorsements and extortion emails circulating on the net. More than 1.2 million domains linked to the Android malware Flubot were also blocked. Flubot was distributed to the public via fraudulent 'missed delivery' messages or notifications, which often impersonated Royal Mail and told victims they needed to pay a delivery fee.
To help fight this, the NCSC has announced a new free, yes free, online tool designed to help organisations check whether their email security is adequate.
The tool helps businesses identify flaws or vulnerabilities in their email set-up so they can be fixed to keep cyber attackers out.
Called Email Security Check, it analyses an organisation's email domain and recommends any security measures needed to stop scammers and protect privacy.
The free online checker requires no sign-up or personal details to use.
It works by looking up information about the email domain that is already publicly available and checking for the security features that stop cyber criminals reading private messages in transit, or abusing the domain by spoofing it, that is, sending malicious emails that appear to come from the organisation.
'Email plays a central role in how organisations communicate every day so it’s vital that technical teams have measures in place to protect email systems from abuse,' said Paul Maddinson, NCSC director for national resilience and strategy.
'Our new Email Security Check tool helps users identify where they can do more to prevent spoofing and protect privacy and offers practical advice on how to stay secure.
'By following the recommended actions, organisations can help bolster their defences, demonstrate they take security seriously, and make life harder for cyber criminals.'
Come on guys, it's free and certainly can't hurt.
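The check described above works entirely from public DNS data, so it is worth seeing what such a check actually looks at. The following is an added example written for this newsletter, not the NCSC's own tool or code. It assumes the three publicly published records that anti-spoofing and transport-privacy checks rely on: an SPF TXT record on the domain, a DMARC TXT record at _dmarc.<domain>, and an MTA-STS TXT record at _mta-sts.<domain> (DKIM is left out because its selector names cannot be discovered from the domain alone). Instead of live DNS lookups it evaluates a constructed set of records for hypothetical domains, so it runs offline.

```python
"""Illustrative email-domain security check (added example, not the NCSC tool).

Evaluates SPF, DMARC and MTA-STS records the way a public-DNS checker would,
using constructed sample records instead of live DNS queries.
"""
import re

# Constructed sample DNS TXT records for hypothetical domains (not real data);
# a real checker would resolve these names over DNS instead.
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@good.example"],
    "_mta-sts.good.example": ["v=STSv1; id=20220401T000000"],
    "weak.example": ["v=spf1 ip4:203.0.113.0/24 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

# SPF mechanisms/modifiers that each cost a DNS lookup (RFC 7208 caps these at 10).
SPF_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lookup_txt(name, records=SAMPLE_TXT):
    """Stand-in for a DNS TXT query against the constructed record set."""
    return records.get(name.lower(), [])


def check_spf(domain, records=SAMPLE_TXT):
    """Return findings about the domain's SPF record (empty list = nothing to flag)."""
    findings = []
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record published, so any server can claim to send as this domain"]
    if len(spf) > 1:
        findings.append("SPF: more than one record published; receivers treat this as a permerror")
    terms = spf[0].split()[1:]  # drop the v=spf1 version tag
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism, so unlisted senders get a neutral result")
    elif all_term in ("all", "+all"):
        findings.append("SPF: '+all' authorises every host on the internet to send as this domain")
    elif all_term.startswith("?"):
        findings.append("SPF: '?all' is neutral and gives receivers nothing to act on")
    lookups = sum(1 for t in terms
                  if re.split(r"[:/=]", t.lstrip("+-~?").lower(), maxsplit=1)[0] in SPF_LOOKUP_MECHS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-querying terms exceed the limit of 10 in RFC 7208")
    return findings


def parse_dmarc_tags(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(domain, records=SAMPLE_TXT):
    """Return findings about the DMARC policy published at _dmarc.<domain>."""
    findings = []
    recs = [r for r in lookup_txt("_dmarc." + domain, records) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return [f"DMARC: no record at _dmarc.{domain}, so SPF/DKIM failures are neither enforced nor reported"]
    tags = parse_dmarc_tags(recs[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: missing or invalid policy tag (p={policy!r})")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports of spoofing attempts")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    return findings


def check_mta_sts(domain, records=SAMPLE_TXT):
    """Return findings about the MTA-STS signalling record at _mta-sts.<domain>."""
    recs = [r for r in lookup_txt("_mta-sts." + domain, records) if r.upper().startswith("V=STSV1")]
    if not recs:
        return ["MTA-STS: no _mta-sts record, so inbound mail transport can be downgraded to plaintext"]
    if "id=" not in recs[0].replace(" ", "").lower():
        return ["MTA-STS: record lacks an id= tag, so senders cannot tell when the policy changes"]
    return []


def check_domain(domain, records=SAMPLE_TXT):
    """Run every check and return the combined findings (empty list = no issues found)."""
    return check_spf(domain, records) + check_dmarc(domain, records) + check_mta_sts(domain, records)


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "none.example"):
        findings = check_domain(name)
        print(f"{name}: {'no issues found' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Running it reports nothing for good.example, while weak.example is flagged for `+all` (anyone may send as the domain), `p=none` (spoofing is only monitored, not blocked), no reporting address and no MTA-STS; a domain with no records at all gets all three "missing" findings. Swapping `lookup_txt` for a real resolver turns this into a live check.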
A while ago I wrote a piece about the potential consequences of a data breach under the Data Protection Act 2018, prompted by the breach suffered by Funky Pigeon. This piece takes a look at the impact of a cyber-attack on an SME.
The effect of such an attack on an SME is much the same as on a major company; it is all about scale. A resulting loss of cash of, say, £500K for a big company is just as bad as a loss of £50K for an SME. In fact, the hit on the SME may be a darn sight worse, because SMEs are generally not financially robust enough to recover.
This year's Cyber Security Breaches Survey, conducted by the UK Government, found that 39% of UK businesses identified a cyber-attack in the last 12 months. Within that group, 31% estimated they were attacked at least once a week, and one in five said they experienced a negative outcome as a result of the attack.
A successful cyber-attack can cause major damage to your business. It can affect your bottom line, as well as your business's standing and customer trust. These impacts are broadly divided into three categories: financial, reputational and legal.
Turning to the financial costs, cyber-attacks often result in losses arising from:
- theft of corporate information
- theft of financial information (eg bank details or payment card details)
- theft of money
- disruption to trading (eg inability to carry out transactions online)
- loss of business or contract
- potential fines from the ICO in cases of loss of personal data
And of course, in dealing with the breach, businesses will also generally incur costs for repairing affected systems, networks and devices.
It takes a long time to build up trust with your customers and a reputation within your field for reliability, high standards, good customer service and so on. A cyber-attack can destroy that in hours. If you lose your customers' data, especially personal data, you can quickly erode that hard-won reputation. Imagine you are in the supply chain of a major company and are connected to them electronically to automate their ordering of whatever commodity you supply, and then you become the attack vector a cyber-criminal uses to break into that company's network. Do you think you'd ever work for that company again? That loss of reputation can lead to:
- loss of customers
- loss of sales
- reduction in profits
There are potential legal ramifications to a cyber-attack as well. I have mentioned the data protection and privacy laws that require you to manage the security of all personal data you hold, whether on your staff or your customers. If this data is accidentally or deliberately compromised and you have failed to deploy appropriate security measures, you may face fines and regulatory sanctions. I have already seen law firms advertising no-win-no-fee terms to represent individuals affected by a data breach. Consider that a breach rarely involves just one individual's record; it is far more likely that multiple records are lost, which means multiple claims, on top of any fine the ICO may impose.
And of course, you could face legal action from a larger company if you were the attack vector via the supply chain.
So, given all of that, what do you need to do? Well, you need a business continuity plan to enable you to continue doing business whilst you get sorted out. You need to be able to respond to the attack to:
- reduce the impact of the attack
- report the incident to the relevant authority in the case of personal data loss (for UK GDPR that is the ICO, within 72 hours of becoming aware of a reportable breach where feasible)
- clean up the affected systems
- get your business up and running in the shortest time possible
This does not need to be an enormously costly thing to do. In fact, for many SMEs it can be quite a simple plan, but it does need to be a plan. You should not ignore this or it could cost you dearly, perhaps even cost you your business.
And I’ll bang my usual drum. Investing a relatively small amount in user training, education and awareness, is always money well spent.
H2 provides affordable and flexible one-off and ongoing data protection and cyber risk protection services.