Why would anyone want to hack my website?

log on boxWith the news that 30m credit and debit card details from US customers and over 1m sets of card details belonging to visitors to the US, have been put up for sale on the Dark Web following a malware attack against US convenience retailer Wawa I thought I’d take time out to explain why small businesses are just as at-risk from hacking as large organisations.

But first, let’s take a look of some of the major security breaches that occurred last year. According to Risk Based Security’s Data Breach Report there were 5,183 breaches by the end of September 2019 alone. These exposed more than 7.9 billion records. This was a 33.3% increase on the same period in 2018.

Here are some of the worst breaches.

  • Orvibo Smart home products – 2 billion records discovered on an unprotected database. These comprised of private individuals, hotels and businesses who were using Orvibo’s smart home devices. The data included email addresses, passwords, user names, family names and addresses.
  • Dream Market Breach – 617m online account details stolen from 16 hacked websites, including MyFitnessPal (151m). Data stolen included user names, passwords and email addresses.
  • Canva – 139m records stolen, names, user names, passwords, email addresses and location.
  • Capital One – 106m records hacked with names, addresses, credit scores, email addresses, dates of birth and more stolen.
  • Words with Friends – 218m records stolen, including names, email addresses, passwords, phone numbers and, where linked, Facebook ID info

However, these are just some of the ones that hit the headlines. Thousands don’t,  particularly attacks on smaller businesses. Research indicates that nearly 70% of SME’s experience cyber attacks (Ponemon State of SMB Cyber Security 2018) but why SMEs?

I talk to many people who believe their businesses are too small to have anything of value to the hackers. However, the truth is that they are too small to have a dedicated cyber security officer/specialist and so are easy targets.

Let’s take websites – most businesses use WordPress – over 1/3rd of websites use it. There’s nothing wrong with WordPress but, as the world’s most popular web development tool, it is also the hackers main target. (A bit like the way Windows is targeted compared to Apple’s operating system – its all in the number of targets)

WordPress is pretty secure and there are Plugins to make it more so BUT you have to keep everything up to date. Keep WordPress up to date, keep your plugins updated too because if you don’t you might be leaving holes in your security for the bad guys to exploit. 

But why would they?

  • Small companies are frequently connected to larger organisations and they might be a way in
  • Hacked systems can store illegal material
  • Hacked systems can be used in attacks on other websites (DDoS)
  • Hacked systems can host Malware
  • Hacked systems could provide access to valuable Intellectual Property
  • Hacked systems could provide easy access to other valuable data

Malware

Safer Internet DayImagine you have a reasonably popular website. Hackers will look to gain access to your site and plant malware on it that will automatically download (and install) itself on the computers of everyone who visits your website. The malware could allow the hackers to record the keystrokes of infected machines, could enable the hackers to take remote control of infected machines or turn them in to storage depots for illegal material.

Imagine how your reputation will suffer when this comes to light. 

  1. Keystroke recorders
    A keystroke recorder does what it says on the tin, it records every single keystroke made on a keyboard and secretly transmits it to a malicious 3rd party. This could be bank/card details, online shopping details, log-in user names and passwords, and much more
  2. Remote Control – DDoS (Distributed Denial of Service Attack)
    With the ability to remotely control your PC, and hundreds or thousands of others, malicious 3rd parties can “take down” target websites simply by overwhelming them with more web traffic than the website can cope with. Remember what happens to the Glastonbury website when the tickets are released – although not malicious the number of people desperate to get their tickets tend to bring the website to its knees as soon as tickets are made available

    Imagine a bookmakers website going off line a week before a major betting event. They’d be contacted by the Cyber Criminals who will admit responsibility. The bookmakers will then be told to “pay up” or their website will be blocked again, much closer to “big day” and prevent bets being placed.
  3. Illegal data storage
    Imagine the scene. There you are working in your office and there’s a battering ram through the door followed by police storming in with a warrant to take ALL of your computing devices. Your business will grind to a halt but why have you been targeted? Simples, as the meerkats say – the police have identified one or more of your computers/servers as the source of illegal material. This could be pirated software, music, films or worse. In the worst case scenario this information hits the local (and possibly national media) and your reputation is trashed. And you may not even have been at fault!
  4. GDPR
    Under all of the above scenarios you’ll probably have to report the matter to the Office of the Information Commissioner (ICO) under GDPR. After investigation, If your security and procedures are found wanting then you might be liable for a fine. GDPR states that fines can be up to 4% of your turnover, and that’s no laughing matter

How do I prevent this happening to me

No security system is 100% watertight, there are just too many variables and access points. The closer you get to 100% the more expensive it becomes to close those last few security percentage points. However, like home security, your job is to make sure that your security is as good as it can be so that the bad guys choose an easier target.

Get in touch with a good IT company or Cyber Security company or you could #AskAndy. Drop me an email – andy@enterprise-oms.co.uk or give me a call on 01793 238020 and we can start the ball rolling. I know that I’m not a security consultant but I know quite a bit and can always point you in the direction of a trusted third party if you need more help.

New Year – New Security Resolution

Tamara EcclestoneIn December last year Tamara Ecclestone’s London home was burgled and jewellery worth £50m was stolen.

Leaving aside the fact that this is a phenomenal sum of money to have invested in jewellery only to leave it “lying around” there are many rumours as to the particular timing of the heist.

Just a few hours before the robbery took place, Tamara and her husband shared a picture on Instagram of them boarding a private jet.

As a billionairess it’s no doubt that people of a dubious background will have been watching her social media updates hoping for just such an opportunity. They will have lists of targets, important addresses and social media accounts and probably even have plans in place, ready for execution as soon as an opportunity presents itself.

So, think about the pictures you post to Social Media. What do they give away? All those photos of you sunning yourself on a beach somewhere warm and exotic tells near do wells that you are not at home. Photos of road trips tell people that you are not at home, or in your business.

You even need to make sure that there’s nothing in the background of the picture that can be zoomed in to that might give away something you’d rather kept private. An innocent looking photo taken outside of your house could, if zoomed in, give away your house number whilst previous, or subsequent pictures could give away your street name – for example.

If you are going away, and you are an important cog in your business, it could encourage scammers to target employees with fake emails requesting money transfers, payment of fake bills and invoices etc.

log on boxSo why not make 2020 the year you strengthen your security fortifications. Make a start with passwords and email.

  • Conduct a password audit of everything AND everybody involved in your business.
  • Enforce the use of strong passwords and encourage the use of password managers
  • Make sure that you have a strong email policy in place.
  • Educate yourself and your employees on the tricks used by scammers-
    • how to check whether a link in an email takes the clicker to a safe site or not
      Hint – hover your cursor over the link to see the full web address
    • Ensure that the email comes from a trusted address. Is it from mycompany.co.uk or mycompany.co or myc0mpany.co.uk for example?
      hint – hover your cursor over the address or just hit “reply”
    • Are there any obvious spelling or grammatical errors?
    • Would you be expecting an email from this particular source?
    • Does the email express an urgent response?

Don’t forget that people new to your organisation should also receive the same level of training. Always remember that “if it feels to good to be true” then it probably is

And if you are still unsure, look up the phone number for the company that you think the email is from and give them a call – don’t rely on the phone number that’s displayed within the potential scam email.

Watch out for more emails looking at security issues and if you have any concerns, please don’t hesitate to get in touch for an informal chat by email (andy@enterprise-oms.co.uk) by phone (01793 238020) or ask me on Social Media – Linkedin or Twitter and I’ll be only too happy to talk.

Thanks for reading and I hope you have a great, and secure 2020.

 

 

Christmas is coming, don’t let the hackers get fat

Christmas is nearly here, people are beginning the big “wind down” and it would be so easy to let your guard down too.

Andy, checking out websites as part of his workWell, let me tell you, the hackers and cyber criminals won’t – if anything they’ll be ratcheting up their activity because they know that our minds will be on other things.

You know, things like Christmas parties, gifts, food, television and everything else that’s associated with the season of goodwill.

So, vigilance must remain high, both in the office and when working from home. Keep your eyes open for suspicious looking emails, especially those coming from unexpected quarters, with messages that promise much, such as tax refunds or deliveries of items you don’t remember ordering. Also beware of emails with links to websites that look OK but in reality will do harm.

It’s also a good idea to take a fresh look at your password security. SplashData have just released their ninth annual “Worst Passwords of the Year” list which has been compiled from more than 5m passwords that have ended up on the Dark Web after being purloined by hackers.

Unfortunately, not a lot has changed over previous lists

  1. 123456 (same place as 2018)
  2. 123456789 (up 1 place)
  3. qwerty (a return to the top 5 for this old favourite)
  4. password (slips two places)
  5. 1234567 (up 2)
  6. 12345678 (falls out of the top 5)
  7. 12345 (falls by 2 places)
  8. iloveyou (this perennial is up 2 places from 10 in 2018)
  9. 111111 (yes, people do use this although it’s fallen 3 places from last year)
  10. abc123 (up 7 and breaking in to the top 10)

You can see passwords from 11 to 25 here.

SplashData estimates that at least 1 in 10 people have used at least one of these poor passwords.

Data breaches are inevitable but by using strong, unique passwords for each individual account that you have makes the theft of one password much less of a disaster than if you use the same (or close variant) across all of your accounts.

3 simple tips to make your digital life more secure

  1. Use passphrases (random word combinations) of 12 characters or more with mixed character types
  2. Use a different password for each of your log-ins so if you loose one password you haven’t lost all of the keys to your digital empire
  3. Use a password manager to secure your digital assets, to generate random password combinations, store them securely and make them available across all of your devices

And PLEASE, if this applies to to you – STOP USING PASSWORD or 12345678 and use one of these instead

Top Password Managers (in no particular order)

Have a great Christmas, a happy new year and I look forward to communicating with you in the new year. If you need any help, please, just ask. You can reach me by phone – 01793 238020 – email – andy@enterprise-oms.co.uk or just hunt me down on Social Media.

However, I hope to enjoy Christmas too so may be slower than normal in responding to your requests. I’ll be back in the office on January 2nd.

How secure is your password?

Government Communications Head Quarters (GCHQ) – where the UK spooks provide signals intelligence to the UK’s government, military and Military Intelligence and the Department for Digital, Media and Sport (DCMS) carried out their first UK Cyber Survey and the results didn’t make for great reading.

Apparently

  • 42% of us Brits expect to lose money to on-line fraud
  • 23.2 million worldwide victims of cyber breaches used 123456 as their password
  • 15% say they know how to properly protect themselves from harmful on-line activity
  • 33% rely on friends and family for help with their cyber security
  • Young people are the most likely to be cyber aware, privacy concious and careful of the details they share on-line
  • 61% of internet users check Social Media daily, 21% say they never look at it
  • More than 50% use the same password for their email that they use elsewhere
Hacker Inside

Dr Ian Levy, NCSC Technical Director said “Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.” whilst Margot James, DMCS Minister said “We shouldn’t make their (cyber criminals) lives easy so choosing a strong and separate password for your email account is a great practical step. “

Most Regularly Used Passwords

RankPasswordTimes UsedPasswordTimes Used
1.123456 23.2mashley432,276
2.1237567897.7mmichael425,291
3.qwerty3.8mdaniel368,227
4.password3.6mjessica324,125
5.11111113.1mcharlie308,939

It’s a shame that the top password list hasn’t really changed for at least 10 years – it shows how complacent a lot of us are with our on-line security.

I used to have 3 passwords, a simple one that I used really casually for newspaper sign-ups etc – name123 (not my real passwords, merely examples) a medium security one that I used on shopping sites, n@m3123 and a more secure one, used for banking etc – c3ler0n! (and all of the ones that I used feature on the Have I Been Pwned list).

log on box

About 5 or more years ago I switched to a Password Manager. I have 801 log-ins and 801 different passwords. All of them are at least 16 random characters long and comprise upper & lower case letters, numbers and symbols (where permitted).

My Password database is stored securely in the cloud and is replicated on my PC, Phone and Tablet and accessible from my Chromebook too. I use LastPass but others exist and here’s a review of some of the top ones.

As you can see, I do my best to stay on top of my security but if you feel adrift, or need some help, just give me a call on 01793 238020 or email andy@enterprise-oms.co.uk for a free chat.

Have you had your electronic ID stolen?

In other words, have you been pwned*. There have been millions of email addresses and passwords stolen in hack attacks and millions more that have been left exposed by incompetent website owners. However, it’s not just your email address that’s been stolen, your name will have gone with it, possibly your address and maybe even credit card (and other) data.

The stolen information is then made available for sale on the dark web and here’s a sample of the prices it can fetch

  • Credit/debit card number – $5-$11
  • With the CVV (3 digit) security code – + $5
  • “Fullz” (card, CVV, name, address, date of birth etc.) – $30
  • Bank account access – 10% of the credit balance in the account
  • Online Payment Services, such as PayPal – $20-$200

But how do you know whether your information is “out there” just waiting to be abused by cyber criminals? Well, I don’t know but I know a man who does, and he’s set up a rather useful website

Have I been Pwned?

There’s a website called Have I Been Pwned. This has been created by Troy Hunt, a Microsoft Regional Director & MVP (Microsoft Most Valuable Person for developer security). After data from a major cyber incident was “found” on the Dark Web Troy decided to put a database together – in his own time & at his own cost – as a way of allowing people to check whether their data was amongst stolen information and to “keep his hand in” from a programming perspective.

The site is now a comprehensive source of information about data hacks and data loss and is simple to use. All you have to do is enter your email address to see whether you have been “pwned”

And if you have been, as shown in the image above, it will also tell you which data breach (breaches) your email address has been found in.

Not every data breach leads to passwords being available. Some databases have encrypted passwords, making them worthless to the cyber criminal. However, many don’t and, like email addresses, there are millions (over 550) of passwords available on the Dark Web.

As he’s done with email addresses, Troy has now gathered all the stolen passwords that he can find and has created another searchable database dedicated to stolen passwords.

So, why is it so important to know whether your passwords are available to cyber criminals?

At this point, all the criminals have is a list of emails and and another list of passwords. They may not know which ones go together and they also don’t know which websites these email addresses and passwords relate to.

But, from our perspective, there’s a significant weakness. This comes in to play because a lot of people use the same password for many websites simply because it’s easier to remember one password than many. This use of the same password makes things a lot easier for the cyber criminals to put our data to fraudulent use.

Let’s say, for example, that the criminals target Amazon. You might have your credit card details already stored against your account so if a cyber criminal can gain access, all they have to do is change a delivery address and Bob’s their uncle.

They’ll use a “Credential Stuffing Attack” which means that they’ll load all the email addresses in to one database and the passwords in to another and start the attack. First they pick their target (Amazon in my example) and use software that will add an email address to the log-in box. They’ll then turn to different software to try all the passwords in the password database to see whether there’s a match. And once they’ve tried one email address they’ll automatically move on the next one. Once they’ve tried all combinations, and flagged those that work, they’ll move on to another site.

This sounds like a long, slow process but they’ll probably use a “Botnet” – a network of tens, hundreds or possibly thousands of hacked computers around the world that they have control over.

So, you should check “Have I Been Pwned” for both email addresses and passwords and if you’ve got a compromised password you should find the sites you use it on and change it – remembering to use a different one for each site.

Top 10 Passwords of 1018

Different, not similar – Password, PassWord, PAssword1960 and Pa55W0rd are NOT different to a cyber criminal. Criminals will also use these, and other variants of the world’s most popular passwords (2018’s shown in the image to the right) in their attempts to hack your accounts.

If you are concerned about your digital security, or need some help with your website, SEO or anything else online then just drop me an email, andy@enterprise-oms.co.uk , or give me a call on 01793 238020 for a free, no obligation conversation about your requirements

*Pwned – When a map designer in the online game called Warcraft beat another player he wanted to say “Player x has been owned”. Unfortunately, he mis-typed and actually said “Played x has been Pwned”. This is now a “thing”

Worries with WordPress and what happens if you don’t keep up with updates

WordPress LogoYou might have a website that’s been build using WordPress. No one will blame you, after all it’s free and has become probably the most used Content Management Systems (CMS) out there. In fact, in 2018 around one third of all websites were built on WordPress.

You might have built the site yourself or paid a developer to design and build it for you. You might not even know that your site has been built using WordPress.

It’s popular because it’s free and pretty easy to use – well it is when compared to some of the alternatives out there anyway. Although popular and free, it may not be the best and although it It is OK it does have a number of issues.

WordPress Editing screenBecause it’s so popular it’s become a top target for hackers. This means that the people behind WordPress have to be on their toes, always on the lookout for weaknesses & flaws that the hackers can exploit to break into a website and create mayhem. When the WordPress developers come across such a flaw they create a patch and release a new version of WordPress. As an example, the current version is 4.7. However within the next couple of weeks there will probably be a new version. 4.7.1 and then 4.7.2 and so on and so on and so on, releasing updates as and when flaws are discovered.

You and your web developer need to be on top of this by making sure that you’re running the latest version of WordPress. The newer versions, if setup properly, should update themselves automatically but you need to keep an eye on things just in case. Older versions had to updated manually, by clicking the ‘Update Now’ link so it all seems pretty straightforward. But it’s not!

Why things may not be as easy as they seem

WordPress MenuMost websites using WordPress use a number of Plug-Ins, small pieces of software that add extra functionality to the website and make it easier to manage. However, you need to exercise caution when updating – especially if you use a lot of plugins to manage different elements of your site because some of the plug-ins may not have been updated to work with the latest version of WordPress. This means that hitting the WordPress Update link might cause a plugin to stop working and this could break your website.

But what happens if you don’t update WordPress?

Well, you might find that your website gets hacked and will start to do things that you would’t want to be associated with. It could start to download malware to the computers of all the people who visit your site – siftwre that could monitor their keystrokes and pass banking details back to criminals in Eastern Europe or China, for example.

Or you could find – as one news website found out to their embarrassment – a lot of unsavoury spam being inserted into the first paragraph of every news story on their website.

Hacked WordPress pageHow did this happen?
The company were very lax – their site was built using WordPress and was last updated in June 2012. Since then, there have been 114 updates to WordPress, some to improve performance and some to improve security.

By failing to keep up to date this gave the hackers and “easy in”. The hackers were able to use automated tools to find websites using WordPress and to find out which version was being used. From there, it would have been simple for the hackers to target a known weak spot and break in. From there, it would have been the work of moments to install their own spammy code.

What should the website do?
It’s easy to cure – all they have to do is identify and delete the malicious software and then update to the latest version of WordPress, although they are so behind with their updates that they might find their site gets broken by the update so they might be caught between a rock and a hard place.

If you are worried about WordPress, then don’t hesitate to get in touch. Give me a call on 01793 238020 or drop an email to andy@enterprise-oms.co.uk for a free, confidential and obligation free chat.

4 plug-ins every WordPress site should have

WordPress Logo

A Content Management Systems (CMS) is a tool that business owners, web developers and others use to build their websites. There are loads to choose from, depending on your specific requirements, and WordPress, Joomla, Drupal, Magento, Umbraco, Squarespace, and Wix are some of the most popular.

If your website uses WordPress(WP) then you find yourself in good company. It’s by far and away the most popular CMS, being used by 32% of all websites. WordPress is popular for a number of reasons, the software is free (but you’ll still need hosting that will cost), it’s pretty easy to use and there are thousands of “themes” (designs and templates) that you can use to define the way your website looks and many of them are free to use. There’s lots of places you can turn to for advice and support and lots of professional developers who can customise your site so that is does exactly what you need.

Customising WordPress

WordPress is not perfect though, it may not do everything that you need. However, it’s an open system which means that if you understand how to write software you can create your own enhancements. You don’t even need to be a software developer to benefit. Somebody, somewhere has probably already had a similar need to yours and written something to do the job. Thousands of people have created additional enhancements and have made their tools available to everyone. These enhancements are called plug-ins. A lot are free whilst others require a payment, although the majority of these are inexpensive.

Plug-Ins

The downside to plug-ins is that each one you use makes your website run a little slower, and with Google beginning to penalise slow sites the speed of your website is something you need to keep an eye on. This means that you shouldn’t just keep adding plug-ins. You should make your choice, install your plug-in, give it a test and if it doesn’t do what you need then uninstall it.

Example of WordPress Menu

Not only should you keep your plug-in count to a minimum but each plug-in MUST be kept up to date. The authors regularly update them, some updates patch security flaws, some improve performance and/or add extra functionality and some updates are required to make sure the plug-in runs with the latest upgrades to WordPress itself – so you need to be regularly checking, unless you have a program that monitors then for you. Best case scenario is that nothing happens, worst case scenarios are that the unpatched plug-in breaks your website or a security hole lets a hacker in .

Three Ss and a B

Security, Speed, Search Engine Optimisation (SEO) & Back-up

Security

WordPress Plug-in Menu

Your WordPress site needs to be secure so that hackers can’t break in and do their hacking thing. Which could be to use your website host malicious software and force it on the computers of all that visit. They might create pages with links to their web pages, or look to capture details identifying visitors to your site. Thankfully, there’s a plug-in that will fortify your WordPress website against attack.

Speed

Your website has to be fast. To stop people drifting away, your pages need to open within 3 seconds. Slower that that and people will not wait. Slower than that and Google may start to penalise your site by pushing it down in their search results pages. There’s a plug-in that will keep WordPress running as fast as possible.

Search Engine Optimisation

In order for your customers to be able to find you in Google (or Bing, or Yahoo or one of the other search engines) the search engines have to be able to understand what it is your website is offering. The discipline that enables the search engines to understand your website and hopefully put your site on Page 1 of the results is called Search Engine Optimisation. There’s a plug-in that makes it easy to search optimize your site – so long as you know what you are doing.

Back-up

Hopefully you regularly back-up your business data. Well, you also should be backing up your website too. If you make an editing mistake and break your site, you can restore a working version, if something else breaks your website then you can restore a working version and if you have a problem with your host then a back-up will make it relatively easy to move your site to a new host. Guess what, there’s a plug-in for that too

So, which are the best plug-ins to use?

I can’t tell you that because there are thousands of the things but I can tell you which are the first ones that I install and configure on every WP website that I work with, in my mind they are essential and should be installed before you even think about developing your WP website

4 free plug-ins every WordPress site should have

WordFence for security

WordFence is a security enhancer. It is an “endpoint” firewall which means it cannot be bypassed, unlike a Cloud Firewall. This means that everybody trying to access the admin area of your site (both you as the site admin and the bad guys – the hackers) have to get past WordFence first.

It defends against “brute force” attacks, where a hacker attempts to guess usernames and passwords and after a certain number of failed attempts (you set the limit) it blocks the attacker, effectively making your website invisible to them. WordFence keeps a blacklist of known hackers (by their IP address) and automatically blocks them. WordFence also sends you an email when one of your plug-ins requires updating, making plug-in management a whole lot easier.

It scans your WP files for malicious software and if you need even more functionality (most users won’t) then the Premium version is just $99

Learn more about WordFence

Updraft Plus – for back-ups

Updraft Plus is a back-up plugin for WP. Now that you have secured your site from external threats you should look to guard yourself from internal problems, accidentally deleted pages, server/host issues, and (in the unlikely event of an intrusion) issues caused by hacking and penetration. It could even be something as simple as a WP, or plug-in, upgrade that breaks your site

To do this you need to be making regular back-ups of your WP installation and your content. Updraft Plus will do this for you. You can set a schedule so if you want an automatic hourly, daily, weekly back-up you just set the plug-in and it does the rest. You can even save your back-up to your Google, Microsoft or one of many other Cloud accounts,

Should you need to restore your WP site, Updraft Plus makes this easy too.

Find out more about Updraft Plus

WP-Rocket – for speed

WP-Rocket is the only plug-in on this list that doesn’t have a free version. However, the cost for a single site won’t break the bank at just $49.

What WP-Rocket will do for your website is make it faster to open on a visitors computer.It uses a number of tools to achieve this. It compresses your site for faster transmission across the internet, it manages images so that the only images downloaded are those that are visible on screen, if allows a web browser to cache key elements of your site so that they don’t have to be reloaded every time a visitor navigates to a different page. You can see everything that WP-Rocket does here.

Yoast – for SEO

In order to stand a chance of being found on the internet, your website needs to be “Search Friendly” which means that Google, Bing, Yahoo, Duck Duck Go etc can find your site, visit all the important pages, understand what’s on offer and (hopefully) put your site on the first page of the search results when someone is looking for your products, goods or services.

However, WordPress doesn’t make it easy and this is where the YOAST plug-in comes in to play. As long as you understand the requirements for effective SEO then the YOAST plug-in makes it easy to implement key SEO requirements.

Find out more about YOAST

So, there you have it, four essential plug-ins for your website before you start working on the design, the look, the feel and your content and if you need more help with your website, no matter what CMS you are using, your SEO or digital marketing then all you have to do is pick up the phone and give me a call on 01793 238020 or send andy@enterprise-oms.co.uk an email

007 in ‘For your GDPR Only’

MI6 headquartersWhen “M” has finished spymastering for the day, or pops out for a cheeky Nandos, we always see M locking the “Top Secret” files away in the office  safe. We know that’s so that no secrets will be discovered, even if an enemy spy (or the tea person) manages to gain access to the empty office.

In business, we need to be like “M”.

In a previous post I looked at Data Protection and the forthcoming General Data Protection Regulations (GDPR). However, I didn’t make it clear that the regulations don’t just apply to digital data stored on your IT systems and network but also apply to paper records too.

Anything that contains personal data, whether paper or digital, falls under the auspices of the Act, including the recordings from your CCTV cameras, phone systems (think “this call may be recorded for training purposes”) and biometric data – such as fingerprint or iris recognition systems used to unlock systems or grant access.

Keyboard with the word 'Privacy' overlaid

This means the files on your desk, the files in your filing cabinet, your paper archives as well as your electronic records, anything that includes personal data.

To start with, you need to ask yourself

  • Who has overall responsibility for the data you have and/or use?
  • What data are you holding, why are you holding it and where is it held?
  • Are your Privacy and Data Use Policies as good as they need to be?
  • How long do you need to keep data & how will you securely destroy it when you no longer need to keep it?
  • Who has legitimate access to it and who else can access it?
  • How secure is your building, your paper records and IT systems?
  • What happens out of normal business hours?
  • Can data be exported and removed without authorisation (to a USB key for example)?
  • Is your network connected to the internet and how secure is your connection?
  • Can your network be accessed remotely – is this secure?
  • Is your electronic data encrypted so, in the event of a breach, data cannot be accessed and used?
  • Can your network prevent unauthorised intrusion (hacking)?
  • How do you manage Subject Access Requests, (when someone requests to see the data you hold about them)?
  • How will you manage a data breach, whether it’s a hack, unauthorised file copy or unauthorised removal of paper records?

So, how can I help?

I can put you in touch with reliable IT companies and trusted partners 

  • Blob figure staring, "James Bond like" down the barrel of a gunthat will be able to inventory all of your IT and data assets.
  • who’ll test your network to see how secure it is and whether hackers are likely to be able to gain access
  • who will secure your network from external threats (hacking) and ensure that your remote access requirements are reliable, easy to use and secure.
  • who will help you secure your data inside the organisation and set things up so that only appropriately authorised employees can access the data they need to do their job and no more.
  • who will secure your network so that it’s almost impossible for data to be copied onto a USB key or external hard drive and removed from the organisation
  • who will put transparent encryption in place which means that it doesn’t slow anything down but is so strong that only GCHQ or the NSA would be likely to crack it.

Take the first step now, by giving me a call on 01793 238020 or emailing andy@enterprise-oms.co.uk to find out how I can help mitigate data security risks and start preparing for GDPR guidelines.

Why worry about Accreditations?

I do a lot of work for an IT support company in Bristol – Bristol IT Company – and at the bottom of their website is a list of badges, icons and logos, there’s a couple of ISO related ones and the rest come from well known (and less well known) brands in the IT sector but why are they there and why should you be concerned?

Bristol IT Company accreditationsWell, ISO’s easy, it’s a way of demonstrating a certain credibility by being assessed every year to ensure that we remain up to scratch. A lot of businesses have ISO9001 which is a quality management certification that demonstrates their commitment to consistently provide products and services that meet the needs of our clients. ISO27001 is an information security standard that demonstrates commitment to information security, both their own and that of clients.

The other accreditations come from manufacturers such as Cisco, Microsoft, Dell, Aruba, Cyberoam, VMWare and Veeam and demonstrate that the Bristol IT Company has the necessary skills to not only supply their equipment but to ensure that it is properly installed, configured and supported.

Why is this important
Let’s take a look at the security of your network – they have 2 vendors that are accredited with in this area, Cisco and Sophos. You can buy some Cisco & Sophos equipment on Amazon at competitive prices, have it delivered pretty much the next day and get it up and running very quickly. This might make you feel secure, after all Cisco are a market leader in networking and security – right?

Is this the right way to do things?
Probably not! Even assuming that you order the most appropriate device for your needs, installing equipment using the default settings could cause you a whole heap of pain.

Most hackers worth their salt know, and understand, these default settings making it really easy for them to penetrate your business’s network. It’s almost like advertising that you’ve installed the best locks in the world but have left a key under the doormat.

Not only that but the default settings are a one-size-fits-all option that are unlikely to be best suited to the way your business works and could actually slow your network, and internet connectivity, down if left untouched.

You could probably find hundreds of internet forums where people discuss the settings but which ones are the best for your particular needs? Which ones speed things up without compromising security and which ones increase security without compromising speed and which ones are actually posted by hackers looking to lure you into making your network even more insecure?

Accreditation
That’s where accreditation comes into play. By buying your equipment from an accredited supplier, Bristol IT Company will first of all advise you on the correct product that most closely matches your existing and future needs, possibly saving you money – certainly saving you pain.

They then ensure that your network is made as secure as possible by changing default settings to something much more secure and applying their training, experience and skill to ensure that your network is as secure as it can be by optimising the setup and performance of your kit.

Still think accreditation’s just an icon on a website? Well, give them a call on 01173 700 777 or email andy.poulton@bristolitcompany.com to find out that there’s much more to it than a pretty picture

Are we already at war?

Are we already at war?
This is the first (of two) articles taking a look at the hacking and cybercrime that’s taken place in 2015. Part 2, to be published soon, looks at the simple steps we can take to enhance our security and minimise the threats from cybercrime.

2015
Cost of Cyber Crime in 2014Although we’ve yet to reach the end of 2015, there’s already been an unprecedented number of data breaches and hacks compared to previous years, measured by both the number of breaches and the amount of data exposed.

The graphic on the right shows the estimated cost of cybercrime for 2014. In 2015 the cost has increased by 14% according to the “Cost of Cyber Crime Study: UK“, conducted by the Ponemon Institute and sponsored by HP.

The institute conducted 326 interviews with personnel from 39 UK companies to assess the incidence and cost of cybercrime for businesses. and the latest news is that the very recent TalkTalk hack has cost the company £35m so far

Major data breaches in 2015

FebruaryBillion dollar cyberheist
Up to 100 banks were penetrated and more than $1bn stolen
US health insurer Anthem
80 million patient and employee records including date of birth, social security
numbers, home and email addresses, employee information and more
May 2015 – BlueCross, US Health Insurance provider
11.2 million names, birth dates, email addresses stolen
US office of Personnel Management
21.5m US Federal employees confidential data was accessed and presumed
stolen
June 2015Kasperski Labs (yes, the security vendor) was hacked
Technical information was stolen, thought to be industrial espionage by a
sovereign Nation State
July 2015 – Harvard University
One of 8 universities hacked in 2015 but it’s not known what information was
accessed (and stolen)
Hacking Team
Hacking Team develop spy tools for government agencies and the breach
exposed 1 million emails including those of a sensitive nature from a number
of security agencies around the world
US Army National Guard
850,000 social security numbers, home addresses, names and other
personal information stolen
August – Ashley Madison
32m member’s data stolen and posted on the dark web for sale. The
ramifications are ongoing
September – John Brennan
CIA Director had his personal AOL email account hacked
October – TalkTalk
Major hack of the TalkTalk website and a lot of user data was stolen

In the US it is a legal requirement that all hacked companies make a report to the appropriate government department, however similar legislation has yet to be enacted in Europe so the reported incidents may just be the tip of the iceberg – and that’s assuming that hacked companies know that they’ve been hacked.

So who was behind these hacks and what was their goal?
hacker at laptop?At the time of writing, 4 people had been arrested, and bailed, for the The TalkTalk hack – 3 teenagers and a young adult although no charges have been brought.

Some hacks might be carried out by the stereotypical spotty teenager in a bedroom just doing it for fun, however the majority are likely to be carried out by more worrying groups, ranging from organised crime to extort money to government organisations.

The Ashley Madison hack looks to have been for the purpose of extortion, of both Ashley Madison themselves and their members (pay us £xx or we’ll let your friends and family know where you spend your time etc).

Others will be industrial espionage, companies looking to gain a competitive advantage whilst the remainder might have been carried by departments acting for state security and it’s believed, although almost impossible to prove, that the Kasperski, US National Guard, US Office of Personnel Management & Hacking Team hacks were conducted by sovereign Nation States, believed to be North Korea and/or China.

These attacks by non-friendly sovereign nation states on infrastructure may even be attacks seen as acts of war.

Safer Internet DayWhy do hacks occur?
For some, it’s simply for fun, the challenge and the bragging rights.

However, there’s a lot of money to be made from the theft of intellectual property and business sensitive materials, and nations stand to learn a great deal about their friends and enemies. It’s widely believed, for example, that China has been inside US military design systems for many years which could explain why their military have made extremely rapid advances with the design and manufacture of new military equipment, including stealth planes, missile defence systems and drones in recent years.

Towards the end of 2015 we’re seeing that China is negotiating two way, anti-hacking, arrangements with a number of major economic partners, including the UK, USA and Germany, theoretically enshrining in law that the countries won’t attempt to hack China and China won’t try to hack them. However, even if the above is true they don’t need to hack any further if they already have access to core systems.

A cynic might also say that history indicates that China may not stick to it’s side of the deal, and even if they do – they can always ask their friends to do it for them.

Protecting your business and yourself.
Although I’ve mentioned high-profile attacks, SMEs are also at great risk and so in Part Two I’ll be looking at some simple steps that you can take to maximise your security and minimise the risk that you are exposed to.