Author Archive for Andy Wilkinson – Page 2

ICO Highlights Prevalence of GDPR Myths

The Information Commissioner’s Office (ICO) has reported taking 500+ calls per week reporting GDPR data breaches, but one-third of the calls appear to be based on myths and misunderstandings or over-reporting about GDPR matters.

Update After Freedom of Information Request

The update by the ICO about how things appear to be going just three months after the introduction of GDPR came shortly after a Freedom of Information (FOI) request by law firm EMW yielded figures showing that the number of complaints between 25th May and 3rd July 2018 rose to 6,281, versus 2,417 during the same period in 2017.

Over-Reporting

A key problem highlighted by the ICO is that many companies feel that in order to achieve compliance and avoid being penalised, they have to be transparent to the degree that they “over-report” by reporting everything. Also, many of the reports are incomplete.

One common misconception highlighted by the ICO that is leading to unnecessary calls is that instead of reporting suspected data breaches to the ICO within 72 hours ‘from the point of discovery’, many companies appear to believe that the mandatory reporting period is 72 ‘working’ hours.

Fine Fears Unfounded

Another key point that the ICO was keen to make was that even though there have been some high profile cases that have involved big companies receiving big fines since the introduction of GDPR, many thousands of incidents are closed each year without financial penalty but with advice, guidance and reassurance offered instead. Another point that the ICO would like to make known is that the real norm of the work they do is simply audits, advisory visits and guidance sessions.

In fact, ICO Deputy Commissioner James Dipple-Johnstone has been quoted as saying that businesses that take their data protection responsibilities seriously “have nothing to fear from an ICO inspection or investigation”.

Cyber Crime Reports

The ICO has said that almost half of the calls that it received weekly involve some cyber element, and around one-third of calls relate to phishing attacks.

Phishing attacks are still such a popular method of cyber-crime because many companies have been focusing on malware detection and may not have trained and educated their staff about the risks, how to spot phishing attacks, and what to do about them.

What Does This Mean For Your Business?

Of course, organisations need to take their data protection responsibilities seriously to protect customers and the company itself, but part of dealing with that responsibility correctly is being clear on what GDPR actually requires a company to do, how, and when. This is why GDPR (via mandatory appointment under Article 37) requires organisations / companies to have a data protection officer (DPO), i.e. someone tasked with the responsibility and security leadership role of overseeing data protection strategy and implementation, and of ensuring proper compliance with GDPR requirements. Part of a DPO’s responsibilities is to educate the company and train employees about GDPR and how it applies to them and their work. A DPO is required to have expert knowledge of data protection law and practices, and having a person on hand to consult about GDPR matters would be a good way to prevent unnecessary calls and complaints being made to the ICO, and to prevent unnecessary concerns, misunderstandings and mistaken beliefs prevailing within the company that could lead to other problems.

Only 32% of Emails Clean Enough To ‘Make It’

A bi-annual study by FireEye has found that less than a third of over half a billion emails analysed were considered clean enough not to be blocked from entering our inboxes.

Phishing Problem Evident

The study found that even though 9 out of 10 emails that are blocked by email security / anti-virus didn’t actually contain malware, 81% of the blocked emails were phishing attacks. This figure is double that of the previous 6 months.

Webroot’s Quarterly Threat Trends Report data, for example, shows that 1.39 million new phishing sites are created each month, and that this figure was even as high as 2.3 million in May last year. It is likely that phishing attacks have increased so much because organisations have been focusing too much of their security efforts on detecting malware. Also, human error is likely to be a weak link in any company, and phishing has proven to be very successful, sometimes delivering results in a second wave as well as the first attack. For example, in the wake of the TSB bank system meltdown, phishing attacks on TSB customers increased by 843% in May compared with April.

A recent KnowBe4 study involved sending phishing test emails to 6 million people, and the study found that recipients were most likely to click on phishing emails when they promised money or threatened the loss of money. This highlights a classic human weakness that always provides hope to cyber-criminals, and the same criminals know that the most effective templates for phishing are the ones that cause a knee-jerk reaction in the recipient i.e. the alarming or urgent nature of the subject makes the recipient react without thinking.

Increase In Malicious Intent Emails

The FireEye study also highlighted the fact that there has been an increase over the last 6 months in the emails sent to us that have malicious intent. For example, the latest study showed that one in every 101 emails had malicious intent, whereas this figure was one in every 131 in the previous 6 months.

Biggest Vulnerability

As FireEye noted after seeing the findings of their research, email is the most popular vector for cyber attacks, and it is this that makes email the biggest vulnerability for every organisation.

What Does This Mean For Your Business?

It is very worrying that we can only really trust less than one third of emails being sent to businesses as being ‘clean’ enough and free enough of obvious criminal intent to be allowed through to the company inbox. It is, of course, important to have effective anti-virus / anti-malware protection in place on email programs, but phishing emails are able to get past this kind of protection, as are other methods such as impersonation attacks like CEO fraud. Organisations, therefore, need to focus on making sure that staff are sufficiently trained and educated about the threats and the warning signs, and that there are clear procedures and lines of responsibility in place to be followed when emails concern, for example, a transfer of money (even when the request appears to come from the CEO).

Cyber-criminals are getting bolder and more sophisticated, and companies need to ensure that there is no room for weak ‘human error’ links on the front line.

Microsoft Launches ‘AccountGuard’ Email Service For Election Candidates

A new kind of pilot secure email service called ‘AccountGuard’ has been launched by Microsoft, specifically for use by election candidates, and as one answer to the kind of interference that took place during the last US presidential election campaign.

Ready For The Midterm Elections

The new, free email service (which people must use Office 365 to register for) is an off-shoot of Microsoft’s ‘Defending Democracy’ Program. This program was launched in April with the aim of protecting campaigns from hacking through increased cyber resilience measures, enhanced account monitoring and incident response capabilities.

The AccountGuard pilot has been launched in time for the US Midterm elections which are the general elections held in November every four years, around the midpoint of a president’s four-year term of office.

Who Can Use AccountGuard?

Microsoft says that its AccountGuard service can be used by all current candidates for federal, state and local office in the United States and their campaigns; the campaign organisations of all sitting members of Congress, national and state party committees, any technology vendors who primarily serve campaigns and committees, and some non-profit organisations and non-governmental organizations. Microsoft AccountGuard is offered free of charge and is full service, coming with free email and phone support.

Three Core Offerings

AccountGuard has three core offerings. These are:

  1. Unified threat detection and notification across accounts. This means providing notification about any cyber threats in a unified way across both the email systems run by organisations and the personal accounts of those organisations’ leaders and staff who opt in. To begin with, this part of the service will only be available for Microsoft services including Office 365, Outlook.com and Hotmail, and Microsoft says it will draw on the expertise of the Microsoft Threat Intelligence Center (MSTIC).
  2. Security guidance and ongoing education. Registering for Microsoft AccountGuard gives organisations best practice guidance and materials. These are in the form of off-the-shelf materials and in-depth live sessions.
  3. Early adopter opportunities. This means access to private previews of the kind of security features that are usually offered by Microsoft to large corporate and government account customers.

Similar To Google

Some commentators have highlighted similarities between the AccountGuard idea and Google’s Advanced Protection Program (APP), also launched this year, although APP is open to anyone, requires log in with hardware authentication keys, and locks out third-party app access.

What Does This Mean For Your Business?

When you think about it, what Microsoft appears to be admitting is that its everyday email programs are simply not secure enough to counter many of the threats that now look likely to come from other states when elections are underway. Microsoft’s other, non-political business customers who are also at risk from common cyber attacks e.g. phishing, may feel a little left out that they are apparently not being offered the same level of security.

Also, protecting democracy sounds like quite a grand aim for a service provider offering an email service. Microsoft does, however, accept that it can’t solve the threat to US democracy on its own and that it believes this will require technology companies, government, civil society, the academic community and researchers working together. Microsoft also acknowledges that AccountGuard is limited to protecting those using enterprise and consumer services, and that attacks can actually reach campaigns through a variety of other ways. Microsoft also appears to be hinting that it may be thinking of expanding AccountGuard to industry as well as government depending on how the pilot works.

Tech Tip – Using OneDrive Cloud Storage on Windows 10

If you want to set up quick and easy cloud storage from your Windows PC for storing, sharing and saving files across your different devices you can use OneDrive. Here’s how to set it up:

– If you have a Microsoft account e.g. @outlook.com, @hotmail.com, @live.com email address, Xbox Live or Skype account you can use that to sign in.

– If you don’t have a Microsoft account, go to onedrive.com and click the ‘Sign up for free’ button – click on the Create a Microsoft account button, create a new email address and password, click ‘Next’ and follow the instructions.

– To set up OneDrive on your Windows 10 PC, open Start, search for OneDrive and click the top result.

– Using the setup experience, enter your email address, and click the Sign in button.

– Enter your Microsoft password and sign in.

– Click on ‘Next’.

– Click ‘Not now’ if you’re using the free version of OneDrive.

– Click through the welcome tips, and click the Open my OneDrive folder button.

– To save your files to OneDrive, open File Explorer (Windows key + E).

– Click the OneDrive folder using the left pane.

– Drag and drop or copy and paste content into the OneDrive folder.

Your Latest IT News Update


Tech Tip – Send Texts From Your Windows 10 PC With ‘Your Phone’ App

If you’d like to be able to send phone texts from your PC without having to unlock your phone, you can do it with the Your Phone app for Windows 10. Here’s how:


BA Security Fallout

A discovery of the file containing the code used in the recent hack of the British Airways website and app that affected 380,000 transactions has revealed that it only took 22 lines of JavaScript to cause the massive data breach.

Skimming

The hack that took place on 21st August and caused disruption into September is now believed to be down to the injection of a digital skimming file designed to steal financial data from the online payment forms of BA’s website and app. The small skimming file, which was discovered by the cyber-security firm RiskIQ, was used to grab data from BA’s online payment form and then send it to the hacker’s server when the customer hit the ‘submit’ button.

Targeted

The researcher concluded that this was a highly targeted attack where the malicious page in the app was built using the same components as the real website, thereby giving a very close match to the design and functionality of the real thing.

The RiskIQ researcher has described the 22 line digital skimming file implanted by the hackers as “simple but effective”.

Magecart Suspected

The finger of suspicion is now being pointed at a group of hacking operatives known as Magecart. The suspicion is based upon a close match with their modus operandi, as highlighted in a recent attack on the Ticketmaster websites where Magecart also used a similar digital skimmer hidden in a third-party element of the payment process.

More To Come

The attacks on Ticketmaster and BA are believed to be part of a larger campaign by the Magecart hacking group to target big brands, and it is thought, therefore, that more big names will be hitting the headlines soon for data breaches.

Vulnerable

According to some security commentators, the weakest link in a payment process is an obvious place for hackers to strike, e.g. where older systems or third-party code have been put into the payment chain.

The apparent ease of the attack, which led to the theft of names, email addresses and full credit card details, has led to obvious anger from those affected and criticism of BA by security commentators and professionals.

Big Fine Possible Under GDPR

There is now the real possibility that BA could face a massive £500 million fine (4% of global turnover based on 2017) under GDPR, and this breach is believed to be one of the first really big tests of the new law.

What Does This Mean For Your Business?

Even though the hackers in this case had gone to great lengths to closely tailor their code to the BA site and used a Secure Sockets Layer (SSL) certificate, suggesting a serious level of planning and targeting, it still remains a relatively simple method of attack that has exposed vulnerabilities in the payment systems of a big company. The dependable image of BA, the fact that it is such a big brand, and the scale and scope of the theft have caused shock and anger among customers, and there will undoubtedly be substantial costs to BA’s finances and reputation.

As some security commentators have pointed out, there are ways of preventing third-party code from taking data from sensitive web pages, and BA should really have been wise to this. In BA’s defence, even encryption of the data used in the payment system would not have been effective, because the data was intercepted before it had reached the company’s servers.

One positive thing to be taken from this case is that it has alerted more companies to the possibility of this kind of attack, thereby giving them time to build-in defences against it.
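The prevention the commentators refer to comes down to knowing which scripts run on a payment page, where they are loaded from, and where they are allowed to send data. As an added example (not code from the original article, BA or RiskIQ), the Node.js script below audits the script tags of a constructed checkout page against an approved-origin list and Subresource Integrity, and builds the Content-Security-Policy header that enforces the same limits in the browser; the hostnames and allow lists are assumptions for the demo.

```javascript
// Added example: defender-side audit of the <script> tags on a checkout page.
// The skimmer described above was third-party JavaScript running on the payment
// form and posting card data to a server the site owner did not control, so the
// questions to answer are: which scripts execute here, do they come from an
// origin we approve, are the external ones pinned with Subresource Integrity,
// and where may page scripts send data? All hostnames below are constructed.

const PAGE_ORIGIN = "https://www.example-airline.test"; // assumed site origin
const APPROVED_SCRIPT_ORIGINS = [PAGE_ORIGIN, "https://cdn.example-airline.test"];
const APPROVED_CONNECT_ORIGINS = [PAGE_ORIGIN, "https://payments.example-airline.test"];

// Constructed checkout page: a first-party script with SRI, a first-party CDN
// script without SRI, an unapproved third-party script, and an inline snippet.
// The integrity values are placeholders, not real digests.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="https://www.example-airline.test/static/app.js"
        integrity="sha384-PLACEHOLDERdigestNOTreal"></script>
<script src="https://cdn.example-airline.test/js/modernizr.js"></script>
<script src="https://static.third-party.test/checkout-widget.js"
        integrity="sha384-PLACEHOLDERdigestNOTreal"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="payment" action="/pay" method="post"></form></body></html>`;

// Minimal tag extraction for the demo; a real audit should use an HTML parser
// (or document.scripts in the browser) rather than regular expressions.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const attrRe = /\b(src|integrity)\s*=\s*"([^"]*)"/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) attrs[a[1].toLowerCase()] = a[2];
    scripts.push({
      src: attrs.src || null,
      integrity: attrs.integrity || null,
      inline: !attrs.src,
      body: tag[2].trim(),
    });
  }
  return scripts;
}

// Shape of a valid SRI value: hash algorithm prefix plus a base64 digest.
const SRI_RE = /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/;

// Returns one finding per script that needs attention; an empty array means the
// page runs only approved, integrity-pinned external scripts and no inline code.
function auditScripts(scripts, approvedOrigins) {
  const findings = [];
  for (const s of scripts) {
    const issues = [];
    if (s.inline) {
      issues.push("inline-script"); // cannot be SRI-pinned; needs a CSP nonce or hash
    } else {
      let origin = null;
      try {
        origin = new URL(s.src, PAGE_ORIGIN).origin; // resolves relative src too
      } catch {
        origin = null; // unparseable URL is treated as unapproved
      }
      if (origin === null || !approvedOrigins.includes(origin)) issues.push("unapproved-origin");
      if (!s.integrity) issues.push("missing-integrity");
      else if (!SRI_RE.test(s.integrity)) issues.push("malformed-integrity");
    }
    if (issues.length) findings.push({ src: s.src, issues });
  }
  return findings;
}

// Builds the script-related part of a Content-Security-Policy header from the
// same allow lists: script-src limits what may execute, connect-src limits where
// page scripts may send data (the step a skimmer depends on), and form-action
// limits where the payment form itself may post. Other directives (img-src,
// style-src, ...) still need to be added for a complete policy.
function buildCsp(scriptOrigins, connectOrigins) {
  const list = (origins) => [...new Set(origins.map((o) => (o === PAGE_ORIGIN ? "'self'" : o)))];
  return [
    `script-src ${list(scriptOrigins).join(" ")}`,
    `connect-src ${list(connectOrigins).join(" ")}`,
    `form-action 'self'`,
  ].join("; ");
}

// Stand-alone run: audit the constructed page and print the header to deploy.
if (typeof require !== "undefined" && require.main === module) {
  const findings = auditScripts(extractScripts(SAMPLE_CHECKOUT_HTML), APPROVED_SCRIPT_ORIGINS);
  console.log(JSON.stringify(findings, null, 2));
  console.log("Content-Security-Policy:", buildCsp(APPROVED_SCRIPT_ORIGINS, APPROVED_CONNECT_ORIGINS));
}
```

Run against a real checkout page, the findings list is the set of scripts that need either an SRI digest, removal from the page, or a deliberate decision to add their origin to the allow list.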

Criminals ‘Invest’ More Than Businesses

Research shows that one reason why organisations face constant, serious security threats is that cyber criminals, fuelled by a new cybercrime-based economy are spending much more on cyber attacks than organisations are spending on cyber security.

Cyber Criminals Spending and Reinvesting $Trillions!

Back in 2017, Gartner predicted that organisations would collectively be spending around $96 billion on their cyber-security. Although this is a big number, it is dwarfed by the figures relating to the proceeds of crime.

For example, last year Cyber Security Ventures predicted that cyber-crime will cost the world $6 trillion annually by 2021, and Bromium’s independent study from April this year showed that the booming cyber-crime economy has generated $1.5 trillion in illicit profits. This figure is equivalent to the GDP of Russia, meaning that if cyber-crime was a country, it would have the 13th highest GDP in the world!

Although some of these profits have been simply acquired, laundered, and spent, much has been ‘reinvested’ by cyber criminals. This means that there is potentially a great deal more being spent by cyber-criminals on cyber-attacks than is being spent by organisations on cyber security.

Revenues Exceed Those of Companies

In fact, cyber-crime revenues have been found to often exceed those of legitimate (mainly SME-sized) companies, and some reach the levels of large, multi-national organisations at over $1 billion.

Greater Spending Forecast

Some commentators have forecast hope in the form of much greater security spending by organisations in the not-too-distant future. For example, research company Gartner has noted that, with the average cost of a data breach at $3.86 million (Ponemon Institute figures), and with the recent string of highly publicised data breaches, privacy concerns are becoming the catalyst for increased security spending for organisations. Skills shortages and GDPR are also driving demand for security services.

Gartner predicts that privacy concerns will drive at least 10% of the market demand for security services through 2019, as security and risk management are recognised as being a critical part of any digital business initiative. Gartner also predicts that at least 30% of organisations will be spending on GDPR-related consulting and implementation services through 2019.

What Does This Mean For Your Business?

The huge sums being made and re-invested in their activities by cyber-criminals are evidence of a big change in the environment that poses a major threat to data security for businesses. Security commentators have noted that in a world where data has become a valuable commodity, a professional cybercrime-based economy has grown and become a self-sustaining system and a platform of criminality that mirrors the platform capitalism model used by big companies. The economic relationships and agents in this criminal system can generate and maintain huge revenue streams that can be used to fund more cyber-crime and other crime such as human trafficking, drugs and terrorism.

The wealth of states is also being used to fund cyber-crime as hacking gangs carry out more state-sponsored attacks (e.g. Russia, China and North Korea) thereby threatening many parts of the UK economy. Clearly, this is a challenging time for UK businesses in terms of planning and spending on security.

90% Of Businesses Blindly Renew Software

A report by Clear Licensing (CCL) has highlighted the fact that most organisations simply renew software maintenance contracts without assessing whether those contracts deliver value.

1 In 10 Companies Check

The CCL report (which is based upon research conducted in and May this year), took into account the responses of 100 global participants, and was designed to understand current trends and identify best practices for the software maintenance market.

The key statistic that the research uncovered was that only 1 in 10 organisations involve the IT asset management function in the decision to renew software maintenance agreements. The inference from this is that software maintenance renewals appear to be blindly renewed without sufficient information to make an informed decision, and without any real assessment of the value they deliver.

In fact, the CCL report found that most software contracts are renewed by system owners or those in finance, and that typical survey respondents had no idea of support volumes, support quality or the strategic value of software maintenance renewals.

Big Spend

Organisations typically spend a large proportion of their annual IT budget on paying for existing software support and maintenance contracts, in a market that is estimated to be worth $250 billion. For example, IT buyers often pay around 20% of the licence fee per year in support and maintenance, which means that organisations will have paid for their software twice after a five-year term.

Lack of Clarity

Although a software support and maintenance contract typically involves things like bug fixes, security updates, technical assistance and access to upgrades, the CCL report notes that organisations are often confused about what they are actually entitled to and what they are actually getting for their money. For example, maintenance contracts are often perceived as insurance contracts when they are not, and organisations are often afraid and confused about whether they are legally allowed access to security patches if they don’t have a support contract, and whether they can terminate a software maintenance contract and resume support at a later date.

What Does This Mean For Your Business?

Businesses are worried about a number of things when it comes to deciding about software maintenance and support contract renewals, such as security, stakeholder perception, and the fear of penalties and back-maintenance problems. The CCL report has also highlighted the fact that a lack of clarity about the contracts, not enough scrutiny, the wrong departments making the renewal decisions, and a lack of alternatives at renewal time are just some of the reasons why the path of least resistance is being taken and contracts that may lack value are being blindly renewed.

According to the CCL report, some ways that businesses can avoid this happening include:

  • IT Asset Managers starting with a default position of “no” when it comes to software support renewals.
  • Using ITAM tools / SAM technology providers to help validate the business value of a support contract.
  • Performing a cost / benefit analysis of a contract to help decide about renewal.
  • Applying the 80 / 20 rule. IT Asset Managers can make a big impact on freeing up annual budgets by scrutinising spend on a few well chosen contracts.
  • Getting IT Asset Managers to create decision trees to empower smart decision-making.
  • Collaboration with legal professionals to clarify legal rights around contracts.

Apple Apps Taken Down For Spying

The Mac App Store has taken down a number of well known security apps for the Apple Mac after it was discovered that they are being used to spy on the browsing habits of their users.

Which Apps?

It has been reported that Dr Unarchiver, Dr Cleaner, Adware Medic, Adware Doctor and App Uninstall have all been removed from the Apple-curated Mac App Store on the grounds of spying on users.

Rumbled

A researcher in Germany, identified only by their @privacyis1st Twitter identity, is credited with alerting the Mac App Store to the fact that the Adware Doctor app, attributed to a company called Yongming Zhang (the name of a well-known Chinese serial killer), and the Trend Micro apps were linked to the same suspect IP address in China.

It has also been reported that suspicions and concerns about the apps go back some years. For example, online reports about Adware Doctor from 2016 indicate that the app was using AppleScript to perform actions in violation of Apple’s App Store Guidelines. It has also been alleged that the glowing reviews of Adware Doctor and other applications by the same developer may have been faked.

How?

It has been reported that the suspect apps were able to spy by first tricking the user into granting them access to the macOS home directory, with the request presented as part of their virus-scanning and clear-cache features. Once this permission was granted, the apps were able to abuse it by gathering browser-history data from Chrome, Firefox and Safari. This data was then sent back to suspected malicious operators.

What Does This Mean For Your Business?

This is not the first time that there have been reports of dodgy apps lurking in legitimate stores. For example, back in January, 36 fake and malicious Android apps masquerading as security tools, which could harvest your data and track your location, were discovered in the trusted Google Play Store. All had reassuring names such as Security Defender and Security Keeper, and many performed some legitimate tasks on the surface, such as cleaning junk, saving battery, scanning, and CPU cooling, but all were found to be hiding malware, adware and tracking software.

Apple generally has a good brand reputation with regards to security so it will undoubtedly be very unhappy to have its name and the store that it curates associated in any way with any malicious apps.

This story is another reminder that, when it comes to apps, even though the obvious advice is to always check what you are downloading and the source of the download, the difference between fake apps and real apps can be subtle, and even Apple (in this case) didn’t immediately spot the hidden aspects of the apps. Also, we often don’t have the time to make checks on the apps that we download, and good reviews and the ‘halo effect’ of the good name of the store that they’re in are often enough of a recommendation for us to act.

The fact that many of us now store most of our personal lives on our smart phones makes reports such as these all the more alarming, and can undermine our confidence in (and cause costly damage to) the brands that are associated with such incidents.

To minimise the risk of falling victim to suspect apps, users should check the publisher of an app, check which permissions the app requests when you install it, delete apps from your phone that you no longer use, and contact your phone’s service provider or visit the High Street store if you think you’ve downloaded a malicious / suspect app.

The bad publicity from this story may also make Apple keen to review its systems and procedures for checking the apps that are offered in the store that it curates.

Businesses Set For Augmented Reality

A report based on research by IT Consultancy Group Capgemini has predicted a big shift towards the use of virtual reality and augmented reality by businesses over the next 3 years.

Mainstream Soon

The results of a survey of 700 business executives across multiple sectors show that 46% think that VR and AR technologies will become a major part of their organisation in the next 3 years. Nearly 40% also said that VR and AR would be mainstream in just 5 years.

Based on the findings of its survey, Capgemini thinks that half of all businesses not already using AR and VR technology will start using it as they accept the value-adding and cost-saving benefits that it brings.

Good Results, So Far

The report showed that 82% of businesses already using AR and VR tech said it’s either exceeding or meeting their expectations in terms of enhancing productivity, efficiency and safety in the workplace.

Driven

The optimism and positive predictions for AR and VR being used by businesses are not just being driven by the positive reinforcement of those who are already using them, but also by the impressive evolution of immersive technology in a short space of time.

Relevance?

Some companies may be struggling to see how AR and VR could be applied to their businesses now unless it makes up part of a product, but tech commentators believe that some of the most popular areas where they will be used are in offering remote real-time support to customers and in training staff.

Limitations

Two of the key challenges to the growth of the use of AR and VR by businesses in the UK are a shortage of skilled people (the UK has a tech skills gap) and a shortage of investors.

What Does This Mean For Your Business?

The results of the Capgemini survey show promise and optimism for AR and VR being used by businesses to add value and gain a competitive edge in the marketplace, in much the same way that AI is being embraced and is producing good results.

It is unfortunate that UK businesses are still facing a challenge to their use of technology for growth because of a skills gap that was exacerbated by Brexit fears. As far as this challenge goes, the UK government, the education system and businesses need to continue to find ways to work together to develop a base of digital skills in the UK and to make sure that the whole tech eco-system finds effective ways to address the skills gap and keep the UK’s tech industries and business attractive and competitive. This can only help to boost AR and VR development in business.

It is also a shame that the UK, which wants to be a technology centre, is also at a disadvantage in terms of investors compared to places such as the US and China. Capgemini suggests that UK businesses can meet this challenge by streamlining investment to seize the long-term growth potential of AR and VR technology. Also, Capgemini’s report suggests that in order to leverage the business value of AR and VR, UK companies should adopt a centralised governance structure, as well as proofs of concept that are aligned with business strategy, and that they should work on employee change management in order to be able to drive innovation in these new fields.