This week’s Thursday thoughts contains several warnings we could all do with listening to. There is a lot of “cyber activity” from both sides as a result of Russia’s attack on Ukraine. Ukraine’s digital infrastructure is being attacked as well as the physical one, and the NCSC advises that the west should also be on its guard. The activity is also flowing in the opposite direction, with many Russian websites and agencies being targeted; some have been taken down or altered, and even Russian army communications and phone calls have been listened in on. So what does this mean for businesses and for us as individuals? On the business front, good cyber security isn’t just switching on a firewall and hoping for the best: it is about understanding what the current risks are and adapting your systems to counter them. Knowing which devices are within your environment is a vital piece of the puzzle. But the latest round of fines from the ICO shows that doing your best isn’t enough; you need to make sure you keep up to date with what “best practice” looks like. And I’m grateful that Wizer released their blog on phishing, because there is so much we can all learn from it.
It’s not all bad news though: as a result of the UK public engaging with the “report phishing” initiative, over 76,000 online scams have been taken down, so well done “us”. Other things to follow are the two trends emerging so far in 2022, deep fakes and supply chain cyber scams, and digital exclusion is also a key topic for 2022.
Blogs and Vlog of the Week
Gabriel Freelander (Wizer): What is Phishing? And How to Avoid Phishing Scams
Rachel Tobac: We just hacked a billionaire!
NCSC warns organisations to improve their cyber resilience
Following Russia’s attack on Ukraine, the NCSC warns that there is an increased cyber threat (although nothing specific yet). It has therefore recommended that organisations take action to improve their resilience, as there is a historical pattern of cyber-attacks against Ukrainian organisations having international consequences and impacting organisations outside Ukraine. Wiper malware, for example, which erases data from a computer’s hard drive, has been used against Ukrainian targets but could just as easily be deployed in the west. To combat the potential threat the following should be our priority:
Set access controls
Make sure defences are working
Monitor and log activities
Check and keep backups
Have an incident plan
Check your internet footprint
Develop a response to phishing
Limit third party access
Sign up for advance warnings
Let your wider organisation know what is going on
Russian government websites have seen an ‘unprecedented’ wave of hacking attacks
So often it’s the other way round, but we have seen reports that Russian government websites and state-run media have experienced “unprecedented” numbers of hacking attacks (their public services portal suffered more than 50 crippling denial-of-service attacks). The situation is so bad that Russian regulators started to filter traffic originating from abroad. Examples include changing the content of the Russian Emergency Situations Ministry website, replacing its hotline with a number for Russian soldiers to call if they want to “defect from the army”, and changing the ministry’s front page message to read “Don’t believe Russian media — they lie”.
Cyber Trends for 2022
Deep Fake
Technology is now moving faster than we or the government can adapt. Deepfake voice cloning makes it almost impossible to identify what’s real and what’s not. We’ve seen a spate of “fake messages”, including one purporting to come from the “Ukrainian president”.
Supply Chain issues
We all have many third-party suppliers (computers, devices, software solutions, Google Docs/Dropbox etc.). Questions we need to be able to answer: would you be able to tell if the invoice you received from a supplier was a phishing email scam? What are the tell-tale signs that someone is lurking in your email system, “filtering” emails and syphoning off money? What process do you have in place when a supplier changes bank account?
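The “someone lurking in your email system” scenario above usually takes the form of a mailbox rule the fraudster creates once they are in: invoice and payment mail is forwarded to an outside address, or the victim’s replies are quietly parked in a folder nobody reads, so bank details can be swapped without anyone noticing. The following is an added example, not code from this newsletter or from any vendor: a small Python checker that runs over an export of mailbox rules and flags those patterns. The input shape (mailbox name mapped to a list of rule dictionaries), the field names, the organisation domain example.co.uk and the sample rules are all assumptions constructed for the example; a real export (for instance from Exchange Online’s Get-InboxRule) would be flattened into the same shape first.

```python
"""Flag mailbox rules that look like business-email-compromise (BEC) tooling.

Added example, not code from the newsletter or from any vendor. Once a fraudster
is inside a mailbox they usually create rules that forward invoice/payment mail
to an outside address, or silently hide the victim's replies, so bank details
can be swapped without the owner noticing. The input format (a dict of
mailbox -> list of rule dicts) and the sample export below are CONSTRUCTED for
this example; a real export (e.g. Exchange Online Get-InboxRule output) would
be flattened into the same shape first.
"""
import json
import re
from dataclasses import dataclass

ORG_DOMAINS = {"example.co.uk"}  # assumption: the business's own mail domains
FINANCE_WORDS = re.compile(
    r"\b(invoice|payment|remittance|bank|account|wire|bacs|transfer)\b", re.I)
# Folders attackers use to park mail the owner will never look at.
HIDEAWAY_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                    "archive", "junk email", "deleted items"}


@dataclass
class Finding:
    mailbox: str
    rule: str
    reasons: list


def is_external(address: str) -> bool:
    """True if the address is outside the organisation's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def assess_rule(mailbox: str, rule: dict):
    """Return a Finding for one rule, or None if nothing about it looks wrong."""
    reasons = []
    name = rule.get("name", "").strip()
    conditions = " ".join(rule.get("subject_contains", []) + rule.get("body_contains", []))
    finance = bool(FINANCE_WORDS.search(conditions))
    folder = rule.get("move_to_folder", "").lower()
    deletes = bool(rule.get("delete_message"))

    for addr in rule.get("forward_to", []) + rule.get("redirect_to", []):
        if is_external(addr):
            reasons.append(f"forwards mail to external address {addr}")
    if deletes and finance:
        reasons.append("deletes messages matching finance keywords")
    if folder in HIDEAWAY_FOLDERS and finance:
        reasons.append(f"hides finance-related mail in '{rule['move_to_folder']}'")
    if rule.get("mark_as_read") and (folder in HIDEAWAY_FOLDERS or deletes):
        reasons.append("marks mail as read so it never shows as unread")
    if len(name) <= 2:
        reasons.append(f"near-empty rule name {name!r} (a common attacker habit)")
    return Finding(mailbox, name, reasons) if reasons else None


def find_suspicious_rules(export: dict) -> list:
    """Run assess_rule over every enabled rule in every mailbox of the export."""
    findings = []
    for mailbox, rules in export.items():
        for rule in rules:
            if not rule.get("enabled", True):
                continue  # disabled rules cannot act, so they are not scored
            finding = assess_rule(mailbox, rule)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample export: one benign rule, one classic BEC rule, one disabled
# rule that is skipped, and a delete-on-"bank" rule in a second mailbox.
SAMPLE_EXPORT = json.loads("""
{
  "accounts@example.co.uk": [
    {"name": "Newsletters", "enabled": true, "subject_contains": ["newsletter"],
     "move_to_folder": "Reading"},
    {"name": ".", "enabled": true, "subject_contains": ["invoice", "payment"],
     "forward_to": ["acc0unts.example@gmail.com"], "mark_as_read": true,
     "move_to_folder": "RSS Feeds"},
    {"name": "Old supplier", "enabled": false, "subject_contains": ["remittance"],
     "delete_message": true}
  ],
  "ceo@example.co.uk": [
    {"name": "Bank", "enabled": true, "body_contains": ["bank account"],
     "delete_message": true}
  ]
}
""")

if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_EXPORT):
        print(f"{f.mailbox}: rule {f.rule!r}")
        for r in f.reasons:
            print(f"  - {r}")
```

Run against the sample, the checker reports the “.” rule in the accounts mailbox on four counts (external forward, hidden in RSS Feeds, marked as read, near-empty name) and the CEO’s delete-on-“bank” rule on one, while the newsletter rule and the disabled rule pass. The keyword list and hideaway-folder list are starting points: tune them to the terms your own finance team actually uses, and treat any external forwarding rule as worth a phone call regardless of keywords.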
Digital exclusion in 2022
This week saw the release of a film that brought to life the sheer scale of the digital exclusion problem in Greater Manchester, showing the day-to-day challenges met by those (an estimated 1.2 million) without the basic digital skills, connectivity or tools to get online. Digital inclusion and digital skills are areas I will be focusing on over this year. You can find more about the GM Digital Inclusion Taskforce at: (https://www.greatermanchester-ca.gov.uk/what-we-do/digital/digital-inclusion-agenda/greater-manchester-digital-inclusion-taskforce/).
Data Protection Master Class
I’m delighted that I will be delivering two Master Classes on 20th April covering "UK GDPR and Data Protection”, one “in person” in the morning and the other “online” in the afternoon. The sessions are aimed at Small and Micro Businesses (but others are welcome to attend) and will provide business leaders with the training and skills they need in order to comply with the UK GDPR and get back to their "day job" as quickly as possible. Places can be booked via https://www.eventbrite.co.uk/e/uk-gdpr-and-data-protection-masterclass-tickets-262527566017 (there is a discount for members of the ASCC).
Personalisation is it creepy or convenient?
There’s a fine line between convenience and creepiness. While many are delighted to hear from their favourite retailer about their latest product, even being shown how close they are to the nearest outlet (wherever they happen to be), others are less happy with such choices being made on their behalf. There was a great article in Forbes this week which asks whether the issue "is not the personalization in itself, but the realization that someone owns all of this information about you and is simply selling it to the highest bidder."
In the News
Latest EU proposal to allow governments to scan personal messages and photos
The US regularly uses “crimes against children” as an excuse for intercepting photos and messages. There’s a new EU proposal to do the same, making scanning of user messages and photos mandatory throughout the EU. Somewhat inconsistent with the idea of end-to-end encryption! This will be something to watch over the next few months.
More than 10.5 million suspicious emails reported in UK
76,000 online scams have been taken down after Brits reported over 10.5 million suspicious emails to the UK’s National Cyber Security Centre. It’s great to know that scams relating to the NHS, online delivery companies and cryptocurrency investments have been taken down as a result of public engagement.
The next step is a government campaign to make sure we all (individuals as well as businesses) use passwords made up of three random words and enable 2-step verification.
Did you know that responding to a data breach doesn’t always mean you have to change your password?
We know that data breaches happen pretty much every day and that most organisations can expect to suffer at least one. We also know that in a breach customer data is stolen (or accessed without authorisation). What is less well known is that a breach does not always include a breach of passwords. The latest guidance from the NCSC is to change your password only if the organisation tells you that it was part of the breach. That advice assumes the password is unique to that account: a password you have reused elsewhere should be changed everywhere it is used. You will find the guidance here: https://www.ncsc.gov.uk/blog-post/introducing-data-breach-guidance-for-individuals-and-families.
Is your smart doorbell or CCTV infringing someone else’s privacy?
Over recent years there has been a huge increase in the use of smart doorbells and CCTV. But there are risks attached and you need to be careful. The person installing the system can infringe their neighbours’ privacy or capture public spaces without the individuals being filmed being aware of it. Many owners may be unaware that this is not permitted and that the use could be challenged; often it causes neighbour disputes. The ICO advice is to keep it simple: limit what you film to your house boundaries, turn off the audio, and delete the footage when you don’t need it anymore.
The UK Online Safety Bill will add protection from scam adverts
The upcoming UK Online Safety Bill will add a new legal duty for social media platforms and search engines to prevent paid-for fraudulent ads appearing on their services. This is a response to the number of fake adverts (including deep fakes impersonating celebrities) used to steal data, access bank accounts or promote products the famous person does not endorse.
NCSC Latest threat report
NVIDIA Hack
NVIDIA was hit by a cyber-attack recently and the attackers started to leak the data when the company refused to negotiate. The leaked information includes code-signing certificates, which act as a security assurance label showing who published a piece of software. There are reports that cyber criminals are using these certificates to sign malware so that it appears to be legitimately published software. Microsoft Enterprise Security advises that businesses configure Windows Defender Application Control to block the leaked NVIDIA certificates.
Microsoft Patches
Microsoft released the March 2022 security update that addresses a number of security issues. More information can be found at: https://msrc.microsoft.com/update-guide/releaseNote/2022-Mar
UK Fines
Following complaints from the public, Action Fraud, Trading Standards, Which? and TrueCall the ICO have fined five companies a total of £405,000. The Information Commissioner said: “These are unlawful predatory marketing calls that were targeted at some of the most vulnerable members of our society and driven purely by financial gain. It is clear from the complaints we received that people felt frightened and distressed by the aggressive tactics of these companies, sometimes giving their financial details just so they could hang up the phone. This is unacceptable and clearly exploitative. It is only right that we take tough and prompt action to punish those companies responsible using our full powers.” The companies were:
UK Appliance Cover Ltd, based in London, was fined £100,000 for making more than 39,000 unsolicited marketing calls between June and 31 December 2020 and failing to provide the necessary caller information. The evidence suggested the company targeted vulnerable people for financial gain; there was no evidence the services were actually being provided.
Domestic Support Ltd (Littlehampton) was fined £80,000 for making 69,000 marketing calls. Complaints suggested that DSL used different trading names when calling people, which is illegal.
Home Sure Solutions Ltd (Hove) was fined £100,000 for making 229,483 unsolicited calls. The company purchased personal data from a third-party provider without carrying out due diligence and specifically targeted the personal information of over-60s.
Seaview Brokers Ltd (Chichester) was fined £15,000 for making 4,737 unsolicited direct marketing calls. The company had failed to screen calls against the TPS (Telephone Preference Service) and did not give the “customer” the opportunity to object to marketing calls.
UK Platinum Home Care Services Ltd (London) was fined £110,000. It specifically bought in personal data targeting people aged 60-80 and then made 412,556 unsolicited marketing calls between 4 March and 8 October 2020.
The ICO also fined Tuckers Solicitors £98,000 after a data breach (caused by ransomware) in which hackers accessed 24,000 court bundles containing sensitive data such as medical files and witness statements; 60 of these bundles were published on the dark web. The company was fined for “failing to secure sensitive personal data”. The ICO says this is a textbook example of how not to do security (specifically failure to promptly patch systems, no MFA for remote access and lack of encryption). This is something we should all consider, because if an incident like this happens in our business the ICO will judge the adequacy of our security controls against “best practice”. It is therefore really important to keep up with what best practice looks like, because it changes all the time.
VLOGs and Blogs of the Week
Rachel Tobac: We just hacked a billionaire!
It is frightening how easy Rachel Tobac and her partners in crime found it to hack a billionaire. They managed to steal family pictures, emails and contacts, and even turned on his mic (without an indicator light) and listened to his phone calls, all in minutes. I’m glad they got consent beforehand and that the data subject was such a good sport. Before you say it would never happen to you, watch the video and see if you would have fallen for their tricks: https://www.linkedin.com/feed/update/urn:li:activity:6909929974212812800/
Gabriel Freelander (Wizer) - What is Phishing? And How to Avoid Phishing Scams
In Gabriel’s latest piece, “the sneaky world beyond phishing emails”, you’ll find loads of examples of phishing and how we get suckered in. It’s not just emails we need to be careful with: there are fake business listings on Google Maps where a legitimate business’s phone number and website are replaced with fake ones; Google search scams where the scammers use SEO to make sure their site is at the top of the search results rather than the genuine site; and of course QR code scams where a genuine code is replaced with one that takes you to a fake site. Then there are fake apps in the app store, fake job posts, scam ads on Facebook, deep fake videos circulating and of course the latest social media phishing attacks, with fake social media accounts replicating genuine ones, and those dating and romance scams. You can read the article here: https://www.wizer-training.com/phishing