Thursday Thoughts - 25th February 2021
This week’s Thursday Thoughts has the usual mix of news, advice and guidance. Be sure to read about the NurseryCam hack. It is slightly shorter this week because the Altrincham and Sale Chamber of Commerce hosted Andy Burnham for a “Question Time” and I am running to catch up as a result! It was a great session, with some very open and honest answers given to searching and sometimes controversial questions. You should be able to view the video on the Chamber YouTube channel in the near future.
This week has seen an increase in cybercrime targeted at friends, family and colleagues. Two friends’ Facebook accounts were targeted. The culprit (again) was a malicious video sent in Facebook Messenger. I have now deleted the Messenger app and will not be answering any messages that I see on my FB profile. Everyone who I want to contact me already has my mobile, WhatsApp, Twitter, LinkedIn or email address, so why would I take the risk? Other scams: recorded messages on house phones and mobiles purporting to be from HMRC (an arrest warrant has apparently been issued) or Amazon (your account is being frozen), an email from “Royal UK Mail” (you missed a delivery, here’s a link to click), oh, and more worryingly, news from a colleague that a payment nearly went to a criminal who had changed the banking details on an invoice.
Stay safe out there folks. Don’t click links, don’t fall for the scams and if you get something that worries you report it to the platform, the NCSC or Crime Stoppers.
Blogs and Videos of the Week
Neil James - How To Smash A Zoom/Teams Virtual Interview
Michael Lough - 20 questions to help you get ‘Digital Ready’ after Covid
The NurseryCam Hack
NurseryCam is a product operated by FootfallCam Ltd. It is a series of web-connected cameras in day-care centres which let parents see how their child is getting on. NurseryCam was hacked last week in what has been called a “digital burglary of its nursery webcam operation”. The UK National Cyber Security Centre is helping FootfallCam Ltd shore up security. The point of access was a poorly secured Odoo business apps server that was still using the default admin password for its web login. A timely reminder for us all to set our own passwords and not rely on default admin passwords when we purchase new tech.
Have You Registered With The ICO?
If you are a local business that processes personal data in the UK, it is a legal requirement that you register with the ICO. If you process personal data and are not registered you can face a maximum fine of £4,350. A number of companies are finding that they have received letters from the ICO because they are not on the ICO register. It’s simple to register, takes 10 mins and costs £40 for small businesses (and you get a reduction if you set up an annual payment). Some may even be exempt. So don’t wait till the fine arrives before acting. The ICO self-assessment tool link is: https://lnkd.in/deYHCSE
Total Fitness data breach
Total Fitness health clubs have suffered a data breach that included names, bank account numbers and sort codes. If you are a member or past member of Total Fitness I’d recommend changing your password.
Cyber Security Advice For Farmers (and the rest of us)
The NCSC has recently issued a guide, written in clear and understandable language for a range of technical abilities, to help farmers become more aware of, or enhance their knowledge of, cyber security measures. While this is targeted at the agriculture and farming sector it is such a simple guide that I commend it to anyone, whatever their sector, who is worried by their growing reliance on email, online accounting tools, online payment systems or automated equipment. You can download the document here: https://www.ncsc.gov.uk/guidance/cyber-security-for-farmers
Why SMEs Need To Know About Cybersecurity
Cybersecurity is rarely at the front of an SME owner’s mind. However, investing in cybersecurity is becoming more important, especially as many undergo digital transformation. With all the conflicting priorities it is easy to leave cybersecurity “until later”. However, putting your company and your customers at risk of a cyberattack can have huge consequences. Not only could your reputation suffer: the data your business needs to function may be wiped out, or you may find your company bank accounts empty or that large invoice paid to a third party. Take the time to find a trusted “expert” and chat through your concerns. A 30-minute call can make a world of difference. I am always happy to have a no-obligation chat with the worried SME owner.
Cookies and Consent
If your website drops cookies without consent it can be seen as an indication that you are “blasé” about cookie banners. It may lead to customers thinking that you could be equally blasé about other matters like cyber security and customer service. Take a look at your banners now before we get back to “normal” times and see if you can make them better.
What To Do When You've Been Hit With Ransomware
In 2020 a new organization became a victim of ransomware every 10 seconds, with remote workers experiencing a sharp increase in threats. Many of the attacks aren’t actually that sophisticated. It’s more likely that the organization is behind on the basics and is poorly prepared to recover from a ransomware attack. Before you are “hit” by a ransomware attack, this Wizer training webinar contains some super helpful advice: https://www.wizer-training.com/webinars/ransomware
How do Cyber Criminals Breach Your Email Address?
It really is surprisingly easy. The criminals set up a website and email hosting, and put some nastiness on the website. Then they send a spammy email that makes it look like you're on a mailing list (using a few tricks to get past spam filters). The user gets the email, gets cross that they have been added to yet another mailing list without permission, and clicks on “unsubscribe”.
You are then taken to the dodgy website, and if you click OK to confirm the process, you are breached. The moral of the story: don't click it. Junk it!
Whistle-blowers Claim Massive Security Shortfalls at Amazon
We all know that Amazon has pages and pages of data about its clients. One recent Subject Access Request produced 600+ columns of data about the subject’s shopping. The least we could hope for is that our data would be safe. However, Amazon insiders have accused the tech giant of side-lining staff who flag problems with the e-commerce giant’s data security and compliance. Separate accounts paint a picture of a culture that prioritizes growth over the security of customers' information, compliance with rules, and the careers of those hired to flag problems. This will be one to watch. You can read more here: https://www.politico.eu/article/data-at-risk-amazon-security-threat/
Microsoft's Patch Tuesday
There were patches for 56 MS vulnerabilities in a range of operating system and software products in the February Patch Tuesday. The headlines include fixes for multiple Windows OS frameworks and components, as well as the MS Office product line, Skype for Business and Windows Defender. 11 of the 56 vulnerabilities are assessed as "critical" and 43 are classified as "important". If you use MS products, check whether you need a software update. You can read more here: https://www.securityweek.com/patch-tuesday-microsoft-warns-under-attack-windows-kernel-flaw
Irish DPC Reprimand for Groupon
The Irish Data Protection Commission has reprimanded Groupon because it asked for too much information in order to identify a person asking to have their data removed from the Groupon database. Groupon had asked for a copy of a national ID card in order to verify account ownership, when it had not asked for identity verification when the account was set up. What we can all learn from this is that an organisation should identify an individual exercising their rights using information it already holds, not something new. So if it only has a phone number it should call the number and ask the person answering the phone whether the request came from him or her. The same goes for email.
Italian Garante Fines Companies For Disclosing Patient Data
The Italian Data Protection Authority (the Garante) fined three Italian “sanitary facilities” for failing to have appropriate measures in place to protect personal data. The companies concerned had failed to stop the accidental disclosure of patient data to third parties.
Spanish DPA Confirms Decision Against IBERIA
The Spanish DPA announced it has confirmed its decision about IBERIA’s unlawful cookie practices. I anticipate that this will have implications for cookie users throughout Europe and the UK.
Graphics Cards and Cryptomining
Did you know that graphics cards are not just used for graphics? Because of their processing capabilities, many graphics cards are used for cryptomining. Nvidia launched a new graphics card this week, the GeForce RTX 3060, whose software drivers detect cryptocurrency mining algorithms and limit the hash rate (cryptocurrency mining efficiency) by around 50 percent. You can read more here: https://nakedsecurity-sophos-com.cdn.ampproject.org/c/s/nakedsecurity.sophos.com/2021/02/22/nvidia-announces-official-anti-cryptomining-software-drivers/amp/
Spy Pixels in Your Emails
Two-thirds of emails sent to personal accounts can contain a "spy pixel", even if they have been screened for spam. This is because of the use of "invisible" tracking tech in these emails: a tiny remote image that is fetched from the sender’s server when the message is displayed. Pixels can be used to log if and when an email is opened, how many times it is opened, what device or devices are involved and the user's rough physical location. The information can then be used to determine the impact of a specific email campaign, as well as to feed into more detailed customer profiles. You can read more here: https://www.bbc.co.uk/news/technology-56071437
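As an added example (not from this newsletter or the BBC article), the following Python script looks at the HTML body of an email for the two things described above: tiny or hidden remote images that behave like tracking pixels, and an “unsubscribe” link that points at a host unrelated to the sender’s domain, as in the unsubscribe scam in the earlier item. The sender address, hosts and message below are constructed for the example and are not real services; the script only reads the HTML and never fetches anything.

```python
"""Added example: offline analysis of an email's HTML body.

Flags (1) likely tracking pixels: remote images that are 1x1 or hidden,
and (2) "unsubscribe" links whose host is not the sender's domain.
All sample data is constructed for this example (placeholder domains).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _host(url):
    """Hostname of a URL, lower-cased; '' for cid:, data: or relative URLs."""
    return (urlparse(url).hostname or "").lower()


def _same_org(host, sender_domain):
    """True if host is the sender domain itself or one of its subdomains."""
    return host == sender_domain or host.endswith("." + sender_domain)


class _EmailScanner(HTMLParser):
    """Collects <img src> attributes and <a href> links with their text."""

    def __init__(self):
        super().__init__()
        self.images = []   # list of (src, attribute dict)
        self.links = []    # list of (href, visible link text)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append((a["src"], a))
        elif tag == "a" and a.get("href"):
            self._href = a["href"]
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_tiny_or_hidden(attrs):
    """Tracking pixels are typically 1x1 (or 0x0) or hidden via inline style."""
    w = (attrs.get("width") or "").strip().rstrip("px")
    h = (attrs.get("height") or "").strip().rstrip("px")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (w in ("0", "1") and h in ("0", "1")) \
        or "display:none" in style or "width:1px" in style


def analyse_email(sender, html):
    """Return a report of suspected tracking pixels and off-domain unsubscribe links."""
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    scanner = _EmailScanner()
    scanner.feed(html)
    # Only remote images can phone home; inline/cid images have no host.
    pixels = [src for src, a in scanner.images
              if _host(src) and _is_tiny_or_hidden(a)]
    offdomain_unsub = [href for href, text in scanner.links
                       if "unsubscribe" in text.lower()
                       and _host(href) and not _same_org(_host(href), sender_domain)]
    return {"tracking_pixels": pixels, "offdomain_unsubscribe": offdomain_unsub}


# Constructed sample message: placeholder domains, not real services.
SAMPLE_SENDER = "news@example-shop.test"
SAMPLE_HTML = """
<html><body>
<p>Our spring offers are here!</p>
<img src="https://mail.example-shop.test/img/banner.png" width="600" height="200">
<img src="https://track.example-shop.test/open?id=abc123" width="1" height="1" style="display:none">
<p><a href="https://example-shop.test/offers">See offers</a></p>
<p><a href="https://unsub-now.example-bad.test/u/abc123">Unsubscribe</a></p>
</body></html>
"""

if __name__ == "__main__":
    report = analyse_email(SAMPLE_SENDER, SAMPLE_HTML)
    for key, items in report.items():
        print(key, "->", items or "none")
```

Blocking remote images in your mail client defeats the pixel regardless of what this finds; the script simply makes visible what the client would otherwise fetch silently, and shows why an unsubscribe link that leaves the sender’s domain is worth junking rather than clicking.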
Blogs of the Week
Neil James - How To Smash A Zoom/Teams Virtual Interview
With so much recruitment and selection being done online at the moment, this blog by bselected is a timely reminder of things you can do to prepare for an interview and therefore maximise your chance of success. The key is to be prepared: from making sure the environment, tech and tools work, to setting up your screen so you are looking at the webcam, and practising with a family member beforehand. There are some excellent tips: https://bselected.com/how-to-smash-a-virtual-interview/
Michael Lough - 20 questions to help you get ‘Digital Ready’ after Covid
Most SMEs believe that the pandemic has fundamentally changed the way they do business (or will do business). We need to plan now so that we can take full advantage of available digital technology, otherwise we are at risk of being left behind by our more proactive and dynamic competitors. This blog by Blue Wren gives 20 questions you can use to assess the digital readiness of your business: https://www.bluewren.co.uk/blog/20-questions-to-help-you-get-digital-ready-after-covid/