News Relating to Brigantia DPOaaS
Phishing can be Phun
As a business, you have a choice of two different ways to teach your staff about Phishing. One of them will be VERY expensive.
verb (used without object)
- to try to obtain financial or other confidential information from Internet users, typically by sending an email that looks as if it is from a legitimate organisation, usually a financial institution, but contains a link to a fake website that replicates the real one.
verb (used with object)
- to make (someone) a victim in this way.
In this day and age, most of us know what phishing emails are and have seen them. Some of us may even have (ahem) “known someone” who fell for one…
Like it or not, they exist and are here to stay. Online criminal activity is no longer the domain of the acne-covered youth working from his mother’s back bedroom: these days, this is organised crime. The organisations in question are run like businesses with management structures, bonuses, the works, and all geographically outside the reach of the long arm of the law. Going forward, phishing is only going to become more elegant, more believable and altogether more dangerous to businesses.
It makes no difference how sophisticated your mail filtering system is; it will not manage to catch all the phishing emails heading your way. If you think that your staff will be smart enough to work out what is real and what is not, think again. We are not talking about an obscure member of the Nigerian Royal family who wants to give you billions of US dollars any more; we are talking about believable emails sent to your HR email address with an attachment called “D Smith CV.docx” that will infect your network with ransomware if opened.
This is before we start looking at spear-phishing: this is where YOU are deliberately targeted and then presented with something tailored to you so precisely that unless you really know what to look for, you’ll be reeled in, hook, line and sinker! Still think that your staff are up to spotting this sort of thing?
Your choice as a business is to wait for the day that someone falls for the inevitable phishing trap that’s coming your way sooner or later, or to do something about it now!
Assuming that your plan is to stay in business, the recommended solution is to train your staff with both simulated phishing attacks (that you have control of) and video content with tests where required. A recommended supplier of such training is KnowBe4.
Using the KnowBe4 online platform is straightforward: campaigns of phishing emails and video training are quick and easy to build and schedule. You can then see where your attention is needed the most, which members of staff are most likely to open the wrong email or click the wrong link, so that you can focus your efforts where they are most needed.
Getting this kind of training is cheap. Falling for a phishing scam is not. Which would you prefer?
Call Brigantia on 020 3358 0090 or email email@example.com to find out more.
Should we still worry about GDPR stuff?
The 25th May has come and gone, and I have not had my door kicked down by a crack team of ICO investigators. In fact, other than some bother about Google and Facebook, I’ve heard very little about GDPR. I guess that this means that I was right not to waste my time and money trying to get compliant with some government thing that, in the cold light of day, appears not to matter.
If the above is how you are thinking, then the future might hold a few grim surprises for you…
A long time ago, well 1974 actually, the Health and Safety at Work Act was passed. Under it, if an employer broke the rules and either got caught or, worse, caused an accident through negligence, the employer could be tried in a criminal court and face an unlimited fine. At the time, there were plenty of small businesses that thought that it didn’t matter much and that they didn’t count as they were, after all, just small businesses. They would just keep on working in the same way that they always had. That might be painting the top of the barn by tying the lad to the roof with an old bit of rope and then getting him to cut himself down when he was done so that you could hopefully catch him in the tractor bucket, but enough tales of the good old days…
The essence of the story is that those small businesses were wrong and over time, through many, many prosecutions, the reality of the situation was driven home. Now everyone understands that Health and Safety laws are not optional. Companies that break them do so at their peril and the consensus is that they are incredibly foolish for putting themselves at that much risk.
The new Data Protection Act 2018 (which incorporates GDPR) is a lot like the Health and Safety at Work Act 1974 insomuch as it means a sea-change in how companies must behave: how they look at tasks, how they perform those tasks and how the results of those tasks are seen by both employees and others. If your company does not change to suit these new laws, then it will go the same way that the laughably unsafe businesses went following the 1974 Act.
I can hear the arguments from the people who think this will all go away: that Health and Safety law is different because people could get hurt without it, whereas this is just data and they’ve not hurt anyone with that. The new law, however, disagrees: not only can someone be hurt directly by you doing something wrong with their data, but from a legal point of view they can also be hurt by the stress that it causes them! This translates to more time in court, more fines and more damages to pay out to those that the law says you have hurt in this way. In a few years, putting your company at risk by not taking proper care of your data will be seen as being as foolish as breaching basic Health and Safety regulations.
Sure, Health and Safety is a serious matter but don’t for a second make the mistake of underestimating how serious the new Data Protection law is. If you don’t take it seriously then someone else will and that is trouble that you simply don’t need.
Make the Smart Move
Roughly speaking, if you have anything more complicated than an abacus in your office, then you really need to be Cyber Essentials certified. The ICO’s Christopher Graham said, “Protecting personal data depends on good cyber security, and the threats and challenges are getting ever more sophisticated. All too often organisations fail at the basics. This scheme focuses on the core set of actions that businesses should be taking to protect themselves, their customers, and their brand… Cyber Essentials enables businesses to demonstrate that they are taking action to control the risks”.
Cyber Essentials is seen by the ICO as a necessary step towards (the acronym of the moment) GDPR compliance. We all know how bad not working towards said compliance could be, so that makes Cyber Essentials pretty much, well, essential.
There are a couple of points that you should be aware of though: firstly, it’s annual and secondly, you should really be meeting all of the safeguard levels all of the time or frankly, what’s the point? Let’s look at these two points in more detail:
- It costs around £300 to apply for certification for Cyber Essentials. If you fail to meet the criteria and take more than a couple of days to rectify everything, that’s another £300 please! This can get expensive quickly… Luckily however, there exists a service that can save you this: it is called CyberSmart. CyberSmart’s online system will not allow you to apply for certification if you are going to fail. It will help you become Cyber Essentials certified without wasting money on multiple applications.
- To get your Cyber Essentials certification, you need to be demonstrating good practice. In short, your business must become safer from the point of view of vulnerability to malware, ransomware, etc. What is the point in getting to this level and then just letting it slide? That kind of thinking is like assuming that your car only needs working brakes for its MOT! This is about the safety of your business, your client data and, let’s be frank here, your bottom line: ransomware isn’t cheap to get rid of once your network is infected. CyberSmart has a very light little app that sits on all the PCs on your network and reports back to show that they have adequate safety measures in place, or tells you what changes to make if they don’t.
In short, CyberSmart is about getting your business up to a government recognised level of safety and then helping you to keep your business there. Every business now has a choice: run CyberSmart for not very much money and be safe or save the small costs involved and risk utter devastation.
Talk to Brigantia on 020 3358 0090 or email firstname.lastname@example.org to find out more.
Patching the Humans
How to train your staff to spot Phishing emails
You’ve worked hard, and you have your IT security pretty well locked down: your network is protected by a half-decent firewall and you have up-to-date antivirus software on your PCs. Then, one of your staff clicks on a link that’s in a very convincing Phishing email and suddenly you’re dealing with a full-on Ransomware attack and everyone is locked out of their systems…
An industry source recently stated that 91% of Ransomware attacks are started by someone opening a Phishing email. You can have lots of security on your computer network but if you then invite the bad guys in by clicking on the wrong link, opening the wrong email or visiting the wrong website then there’s not much that your security can do: It’s a bit like living in a fortress then opening the gates when the enemy arrives because it doesn’t look like the enemy to you. The security is not at fault, the problem is the human element.
KnowBe4, which is widely known for its brilliant training videos, has another ace up its sleeve: the ability for companies to run Phishing simulations. Think about the example that I mentioned earlier: if that member of staff had been trained to spot Phishing emails then there’s a very good chance that the Ransomware attack would have been avoided.
With the KnowBe4 system, a business can run entire campaigns and easily see which members of staff are falling for the simulated Phishing emails. Obviously, those individuals then need more training and your business will be safer as a result.
KnowBe4 provides lots of templated emails to choose from and setting up a campaign is quick and painless. For the more advanced amongst us there is the option of making your own Phishing emails so that you can include such things as names of certain trusted people within your company and generally refer to things which your staff may not think that a cyber criminal could know. However, these criminals can be very clever and such emails do simulate real-world threats, just in a safe way.
Training by Phishing simulation is not expensive; training by experiencing a Ransomware attack is. Patch your humans before it’s too late.
Talk to Brigantia on 020 3358 0090 or email email@example.com to find out more.
Taking good care of your data
As a senior party in your business, you have two major threats to your data: failure or theft of key bits of your IT infrastructure, and your staff doing dumb things. So, with these in mind, and the knowledge that the law now says that you must take very good care of your data or face the consequences, what options are available to you, how much will it cost and how safe will your data be?
As with almost all things in life, the more that you look at it, the more questions you wind up with rather than answers. Let’s run through a few of the obvious ones:
- How quickly do you need to get back up and running in the event of a data loss?
- Have you formed a disaster recovery plan yet? GDPR says that you must have one these days…
- What existing arrangements do you have for Backup and are they good enough?
Many businesses have never asked themselves these questions, preferring instead to just firefight such issues, which can quickly get very messy and expensive. If your business needs to be up and running as close to immediately as possible following a data loss, then the first thing to think about is a disaster recovery solution: something that can just pick up where the day-to-day equipment left off.
An affordable Disaster Recovery solution is offered by Egenera: it is a cloud-based system which simply keeps in sync with your server. If your head of IT accidentally pours a cup of coffee into your onsite server, and the inevitable resulting bang causes damage that looks like it will take a week to fix, then a solution that has you back up and running quickly could be priceless! With this solution, the costs are very low: you only pay for the disk storage until such time as you need to use it as a server, at which point you would just be paying the usual cloud server level of fees, so again, nothing massive. One thing to remember though is that this is not really a Backup solution, as you only have one version of your data and it is very recent. Let’s look at the difference between Disaster Recovery and Backup!
A Backup solution should:
- be offsite, so as not to suffer the same fate as the live data in the event of a catastrophe;
- be encrypted, so that only your business can gain access to it; and
- be secure.
Given the information in the above diagram, obviously cloud Backup would be the only real solution and the product of choice is called Backup Pro. It is hosted in the UK by Claranet so as to be compliant with lots of laws and regulations about data security. A lovely feature of Backup Pro is the ability to download previous document versions, so that if you suddenly realise that you actually did need those pages that you deleted yesterday, you can simply log in and retrieve an earlier version of your document to take the bits from it that you want.
In conclusion, you should have a Disaster Recovery Plan and if that plan requires you to be up and running quickly then get Egenera’s Disaster Recovery as a Service (DRaaS). Either way, you should also have a good automated cloud Backup service from Backup Pro.
To be put in touch with your local IT specialist to talk about these options and to find out exactly how little the costs are for this peace of mind, please call Brigantia on 020 3358 0090 or email firstname.lastname@example.org.
On your network, how much security is too much security?
There is a school of thought that the only real bullet-proof security for computers is to not attach them to the internet or, even better, never switch them on. Whilst technically correct, it is not a very useful point of view as it loses sight of why we use computers in the first place. Security is important, but we must still be able to use our PCs without being too inconvenienced; they are just tools after all.
Usable computer security may, like most things in life, be a compromise, but that doesn’t mean that you have to be unsafe in the day-to-day running of your business. The best policy is to have an approach which combines the best attributes of several disciplines:
- A good antivirus to catch the obvious bad files;
- A patching solution to block emerging vulnerabilities in your installed software;
- Internet traffic filtering to keep an eye on what is hooked up to your computers remotely;
- Possibly the most important element in this list, train your staff about such things as phishing emails.
To go into a little bit more detail about each point:
Good antivirus comes in many forms and different experiences over the years will lead people to differing conclusions. In my oh-so-humble opinion, a good anti-virus product should be light on the system so as to not slow it down too much, get its definitions ASAP, be able to notice virus-like behaviour without the need for a rigid definition and to be effective without getting in the user’s way. At Brigantia, my favourites include Bitdefender and Heimdal (which now has an excellent antivirus element). As I said, other people will tell you different things about this: you might as well ask, “What is the tastiest ice-cream flavour?” You’ll get about the same variety of answers.
A good patching solution is increasingly becoming necessary for every size of business. The reasoning is that a lot of attacks are through unpatched software: for example, if a vulnerability is found in Adobe’s PDF reader then hackers across the world will be trying to gain access to people’s computers in this way: looking for the unpatched versions that are still out there. Relying upon computer users to update their computers with such things is not a good idea as even those that notice will probably not prioritise it. Brigantia’s favoured solution is again Heimdal as this will patch silently without troubling the user, and usually within a few hours of an update being released.
This is starting to read like a Heimdal advert, but to be honest it just does so many things and does them well that it is difficult to write this kind of article without mentioning it. To my knowledge, Heimdal is the only product at the SME level and below that can monitor internet traffic and block malicious communications to your computer. This makes it very difficult for hackers to go about their business of infecting your network with Ransomware and other associated bad stuff.
Finally, and without singing the praises of Heimdal any further, it is vital that your staff get some training. Relying on that most uncommon trait, known as common-sense, is a mistake that can cost you enormously. Most people have not got a clue about things like phishing emails. Even intelligent professionals get caught out sometimes when their electricity supplier tells them that they are £300 in credit and they need to log in to arrange for a refund…
A two-pronged approach to training seems to work best: provide online, on-demand, entertaining video content with a small quiz, and also run false-phishing campaigns that require your staff to report the phishing emails with a button on their email client. If your staff are used to looking for phishing emails then when a real one arrives in their inboxes, they know what to look for and do not fall for it. For both online training and false-phishing campaigns, use KnowBe4, a superb multinational organisation which specialises in this. You’ll be surprised at how little this sort of thing costs, especially if you compare it with the costs of not doing it and allowing your staff to click on the wrong link.
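The tells that the “Patching the Humans” section and the training paragraph above ask staff to look for (a sender whose domain is a lookalike, replies routed to a different domain, a display name that claims a supplier the address does not match, link text that names one site while the link goes to another, an attachment like “D Smith CV.docx” from outside the business, and the “you are in credit, log in for a refund” lure) can be written down as checks. The script below is an added example written for this article; it is not code from the page, from KnowBe4 or from any other vendor named here. It uses only the Python standard library, and the trusted domains, the lookalike-character table and the three sample messages are constructed for illustration.

```python
"""Phishing-indicator checker: an added example, not code from the page or from
any vendor it mentions. It applies the clues staff are trained to look for to
raw email messages. All domains and sample messages below are constructed."""
import os
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: your own domain plus the suppliers your staff expect mail from.
TRUSTED_DOMAINS = {"yourcompany.example", "brightpower-energy.example"}
# Small illustrative table of digit-for-letter swaps used in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".ps1", ".docm", ".xlsm"}
OFFICE_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
URGENCY_PHRASES = ("log in", "refund", "in credit", "verify your account", "immediately")

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def normalise(domain: str) -> str:
    """Undo digit-for-letter swaps and the 'rn' for 'm' trick before comparing."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")

def is_lookalike(domain: str, trusted: set) -> bool:
    # Not a trusted domain itself, but collapses onto one once normalised.
    return domain not in trusted and normalise(domain) in {normalise(t) for t in trusted}

def body_text(msg) -> str:
    """Concatenate the readable text/HTML parts, skipping attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def mismatched_links(html: str) -> list:
    """Anchors whose visible text names one host while the href goes elsewhere."""
    found = []
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = re.search(r"https?://([^/\s<]+)", text)
        actual = re.search(r"https?://([^/\s]+)", href)
        if shown and actual and shown.group(1).lower() != actual.group(1).lower():
            found.append(f"link text shows {shown.group(1)} but points to {actual.group(1)}")
    return found

def check_message(raw: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return the human-readable indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    external = from_domain not in trusted
    if is_lookalike(from_domain, trusted):
        findings.append(f"sender domain {from_domain} looks like a trusted domain")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"replies go to {reply_domain}, not the sender's domain {from_domain}")
    name_key = re.sub(r"[^a-z0-9]", "", display_name.lower())
    for t in sorted(trusted):  # display name claims a supplier the address does not match
        brand = re.sub(r"[^a-z0-9]", "", t.split(".")[0])
        if brand and brand in name_key and from_domain != t:
            findings.append(f"display name '{display_name}' suggests {t} but the address is @{from_domain}")
    text = body_text(msg)
    findings.extend(mismatched_links(text))
    haystack = (msg.get("Subject", "") + "\n" + text).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if len(hits) >= 2:  # one phrase is everyday language; two or more is a lure
        findings.append("urgency or money lure: " + ", ".join(hits))
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        ext = os.path.splitext(filename)[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(f"executable or macro-enabled attachment '{filename}'")
        elif ext in OFFICE_EXTENSIONS and external:  # a .docx cannot be judged by name alone
            findings.append(f"Office attachment '{filename}' from outside the organisation: open in Protected View only")
    return findings

def classify(raw: str, trusted=TRUSTED_DOMAINS) -> str:
    """Map the indicator count onto the action staff are taught to take."""
    count = len(check_message(raw, trusted))
    return "report to IT" if count >= 2 else "treat with care" if count == 1 else "no indicators"

# Constructed sample messages (not real mail). The first mirrors the article's
# "you are GBP 300 in credit, log in for a refund" lure; the second the CV attachment.
SAMPLE_REFUND = """From: "Brightpower Energy" <billing@brightp0wer-energy.example>
Reply-To: <refunds@mail-refund.example>
Subject: Your account is GBP 300 in credit
Content-Type: text/html

<p>You are in credit. Please log in to arrange a refund:
<a href="http://login.mail-refund.example/x">https://brightpower-energy.example/refund</a></p>
"""
SAMPLE_CV = """From: "D Smith" <d.smith@webmail.example>
Subject: Application for vacancy
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find my CV attached.
--b1
Content-Disposition: attachment; filename="D Smith CV.docx"
Content-Type: application/octet-stream

AAAA
--b1--
"""
SAMPLE_INTERNAL = """From: "Alice Jones" <alice.jones@yourcompany.example>
Subject: Minutes from this morning
Content-Type: text/plain

Minutes are on the shared drive, shout if anything is missing.
"""

if __name__ == "__main__":
    for label, raw in (("refund", SAMPLE_REFUND), ("cv", SAMPLE_CV), ("internal", SAMPLE_INTERNAL)):
        print(label, "->", classify(raw), check_message(raw))
```

The refund lure trips every check at once, which is the point of the training: a real phishing email usually offers several clues together, and staff who know the list will spot at least one. The CV message shows the limit of automation: nothing about the name “D Smith CV.docx” proves it is malicious, so the script can only say “external Office attachment, open it in Protected View”, and it is the trained person, not the filter, who decides. Lookalike handling here is a small table of digit swaps; a production filter would use a proper confusables list and the mail gateway’s own checks alongside it.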
If you would like to find out what the right amount of security is for your business, then why not get in touch? Call Brigantia on 020 3358 0090 or email email@example.com to find out more and to be put in touch with a participating Brigantia Partner to provide professional advice and assistance with everything mentioned in this article. They’ll probably have their own ideas about which is the best antivirus and which is the tastiest ice-cream too!