Phishing scams related to COVID-19 are on the rise globally. Whilst we work from home, juggling work and home priorities is stressful, and attackers are taking advantage of our increased level of anxiety.
We are looking for information and reassurance, and are falling foul of phishing messages offering PPE, treatments or cures, or pretending to come from health agencies with the latest statistics and safety measures.
Phishing is when scammers try to trick you into opening a malicious attachment, or clicking on a link in an email, with the intention of infecting your device or stealing your data.
93% of phishing emails involve ransomware
91% of cyberattacks start with phishing
So, if you receive a message you were not expecting, maybe with an incredible offer:
DO NOT CLICK
In addition, remember the following rules:
Never give away personal or financial information in any form or website unless YOU have initiated the request.
For up-to-date COVID-19 information use only reputable sources, such as gov.uk or local government websites, HMRC or the NHS. Bookmark useful websites and go there via the bookmark rather than via a link in a message, so you are always visiting the correct site, and subscribe to their newsletters.
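The "check where the link really goes before you click" advice above, written as a script. This is an added example and not part of the original post: it assumes the reader treats gov.uk and nhs.uk as reputable, that a lookalike domain is likely to borrow one of the names "gov", "nhs" or "hmrc", and the email body it inspects is constructed for the example. It uses only the Python standard library.

```python
"""Flag suspicious links in an HTML email body.

The checks are the ones people are told to do by hand ("hover over the link
and look at where it really goes"): does the link go where its visible text
says, is the destination under a domain you trust, and is a trusted name
being used as bait inside an untrusted domain?
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example: the domains this reader treats as reputable
# for COVID-19 information, and the brand names a lookalike domain may borrow.
TRUSTED_DOMAINS = ("gov.uk", "nhs.uk")
BRAND_TOKENS = ("gov", "nhs", "hmrc")

# Constructed sample email body (hypothetical), not a real message.
SAMPLE_EMAIL = """
<p>Latest COVID-19 statistics from the NHS:
   <a href="http://nhs.uk.secure-update.example/stats">https://www.nhs.uk/coronavirus</a></p>
<p>Claim your PPE refund from HMRC:
   <a href="https://hmrc-refund.example/claim">Click <b>here</b></a></p>
<p>Official guidance:
   <a href="https://www.gov.uk/coronavirus">www.gov.uk/coronavirus</a></p>
"""

# Visible link text that itself looks like a web address, e.g. "www.nhs.uk/..."
_HOSTLIKE_RE = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#].*)?$", re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an <a> ... </a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def hostname(url):
    """Lower-case host of a URL; a bare 'www.example.com/path' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True if host is exactly a trusted domain or a subdomain of one.
    The leading dot matters: 'nhs.uk.evil.example' does NOT end with '.nhs.uk'."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def check_links(html, trusted=TRUSTED_DOMAINS, brands=BRAND_TOKENS):
    """Return one finding per link that shows at least one suspicious trait."""
    findings = []
    for text, href in extract_links(html):
        host = hostname(href)
        reasons = []
        # 1. The visible text is an address that differs from the real target.
        if _HOSTLIKE_RE.match(text) and hostname(text) != host:
            reasons.append("text_host_mismatch")
        # 2. The real target is not under a domain we trust...
        if not is_trusted(host, trusted):
            reasons.append("untrusted_host")
            # 3. ...yet it borrows a trusted brand as one of its labels.
            if any(b in re.split(r"[.-]", host) for b in brands):
                reasons.append("lookalike")
        if reasons:
            findings.append({"text": text, "href": href, "host": host, "reasons": reasons})
    return findings
```

Running `check_links(SAMPLE_EMAIL)` flags the first two links (the NHS one for all three reasons, the HMRC one as an untrusted lookalike) and passes the genuine gov.uk link. The subdomain check in `is_trusted` is the part people get wrong: matching on "contains nhs.uk" would have accepted the first link.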
Uncertainty makes us more vulnerable to scams, so Stay Alert. Yes – follow health and social distancing advice but also:
Protect your computers
Protect your data
Stay Alert to phishing
Make sure you and your staff are aware of the increased risk of phishing during COVID-19.
iTeam Solutions Ltd
(Source of data – IBM Cyber Security Intelligence, Microsoft and Verizon)
What the Foreign Secretary’s Covid-19 Briefing Said About Cyber Security
If you are as obsessed as I am about the daily Covid-19 briefings from Number 10, you'd have heard the Foreign Secretary, Dominic Raab, make specific reference to cyber security on Tuesday 5th May. As this is something in the briefings that I actually understand (for once!) I thought I would take the opportunity to discuss it.
If you would like to read the transcript of what he said in its entirety, you can find it on the government website by searching for “Foreign Secretary’s statement on coronavirus (COVID-19): 5 May 2020”.
Mr Raab confirmed that the government is aware that cyber criminals are targeting individuals, businesses and other organisations with Covid-19 related scams and phishing emails. He also referred to 'advanced persistent threats' (APTs): well-resourced groups of attackers using sophisticated techniques who are not looking for short-term gain, but instead infiltrate computer networks quietly and keep their access over a long period. Social engineering, conning people into giving out private information such as passwords and bank details, is used in most APT attacks.
Though it is unlikely that a small business will be the initial target of a world-renowned APT, the same methods are used by all kinds of attackers to steal passwords, data or money from individuals, businesses and organisations of all sizes, so it is important to know their methods and be aware that you could be at risk. As Mr Raab went on to say, making sure people are aware of cyber threats, and of the steps necessary to protect themselves or mitigate the harm, is the most important measure that can be taken against any cyber threat.
He announced that the UK National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) have published a joint warning about APTs to potential targets, in particular healthcare organisations, urging them to ensure that everyone is using a secure password. The warning refers to 'password spraying' attacks, in which the attacker tries a small number of commonly used passwords against a large number of accounts. One or two guesses per account stay below the lockout threshold that would stop a conventional brute-force attack on a single account, which is why a weak password on any one account puts the whole organisation at risk.
It is acknowledged that cyber criminals are seeking to exploit the Covid-19 pandemic through malicious cyber activity, targeting healthcare bodies, pharmaceutical companies, research organisations and local government, and, whatever the objective, this activity will continue and evolve over the next few months. Although Mr Raab said that the current attacks are 'designed to steal bulk personal data' and 'are often linked with other state actors', this does not mean that only the NHS or the government are at risk, or that individuals and smaller organisations are immune.
Mr Raab recommended that everyone takes a look at the National Cyber Security Centre (NCSC) website for practical advice to safeguard against cyber-attacks, for example on the use of passwords and on trusted sources of online information relating to Covid-19. There is a very good section specifically for small businesses that he didn't mention and that I would highly recommend.
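Why password spraying slips past per-account lockouts, and how to spot it anyway: an added example, not taken from the briefing or from the NCSC/CISA advisory. The log line format, the source addresses (documentation ranges), the account names and the thresholds are all assumptions made for the example; the log is constructed inline so the script runs offline with only the Python standard library.

```python
"""Separate password spraying from single-account brute force in auth logs.

Spraying: one source, a few common passwords, MANY accounts, one or two
attempts each, so no single account trips its lockout threshold. The signal
only appears when failures are grouped by SOURCE and the number of distinct
usernames in a time window is counted.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (hypothetical; not any product's):
#   <ISO-8601 UTC timestamp> src=<source IP> user=<account> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

_SPRAY_TARGETS = ["alice", "bob", "carol", "dave", "erin", "frank",
                  "grace", "heidi", "ivan", "judy", "mallory", "oscar"]

# Constructed sample: a sprayer (one failure against each of 12 accounts),
# a brute-forcer (12 failures against one account) and a legitimate user who
# mistypes once and then logs in.
SAMPLE_LOG = "\n".join(
    [f"2020-05-05T10:00:{i + 1:02d}Z src=203.0.113.7 user={u} result=FAIL"
     for i, u in enumerate(_SPRAY_TARGETS)]
    + [f"2020-05-05T10:05:{i:02d}Z src=198.51.100.9 user=admin result=FAIL"
       for i in range(12)]
    + ["2020-05-05T10:07:00Z src=192.0.2.5 user=alice result=FAIL",
       "2020-05-05T10:07:10Z src=192.0.2.5 user=alice result=OK"]
)


def parse(lines):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           "src": m["src"], "user": m["user"], "result": m["result"]})
    return events


def _failures_by_source(events):
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)
    for fails in by_src.values():
        fails.sort(key=lambda e: e["ts"])
    return by_src


def _windows(fails, window):
    """Yield each sliding window (sorted failures) spanning no more than `window`."""
    start = 0
    for end in range(len(fails)):
        while fails[end]["ts"] - fails[start]["ts"] > window:
            start += 1
        yield fails[start:end + 1]


def detect_spraying(events, min_users=8, max_avg_attempts=2.0,
                    window=timedelta(minutes=10)):
    """One alert per source whose failures are spread thinly over many accounts."""
    alerts = {}
    for src, fails in _failures_by_source(events).items():
        for span in _windows(fails, window):
            users = {e["user"] for e in span}
            if len(users) >= min_users and len(span) / len(users) <= max_avg_attempts:
                prev = alerts.get(src)
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[src] = {"src": src, "kind": "password_spraying",
                                   "distinct_users": len(users), "failures": len(span),
                                   "start": span[0]["ts"], "end": span[-1]["ts"]}
    return list(alerts.values())


def detect_brute_force(events, min_attempts=10, window=timedelta(minutes=10)):
    """For contrast: one alert per (source, account) hammered repeatedly."""
    alerts = {}
    for src, fails in _failures_by_source(events).items():
        for span in _windows(fails, window):
            per_user = defaultdict(int)
            for e in span:
                per_user[e["user"]] += 1
            for user, n in per_user.items():
                if n >= min_attempts and n > alerts.get((src, user), {}).get("failures", 0):
                    alerts[(src, user)] = {"src": src, "user": user,
                                           "kind": "brute_force", "failures": n}
    return list(alerts.values())


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    for alert in detect_spraying(evs) + detect_brute_force(evs):
        print(alert)
```

On the sample, the sprayer never exceeds one failure per account, so a lockout policy of even three attempts never fires, yet it is the only source flagged by `detect_spraying`; the brute-forcer is caught only by `detect_brute_force`. Thresholds need tuning to your environment, and a sprayer that rotates through many source addresses will stay under `min_users` per source, so in practice you also group by user agent, ASN or time-of-day and compare against the organisation-wide failure rate.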
He concluded that the UK will ‘counter those who conduct cyber-attacks’, work with international partners on response to cyber threats and ‘deter the gangs and the arms of state who lie behind them’. Hopefully he and GCHQ will continue to do that very much behind the scenes, and we’ll never know what really goes on in that regard.
In conclusion, the Foreign Secretary's briefing was probably aimed at reassuring the public that major healthcare organisations and government agencies were being given special attention during the current upturn in Covid-19 related cyber attacks, but individuals and smaller businesses should also take note, as much of the advice is relevant to them as well.
David Hewett Managing Director iTeam Solutions Ltd.
Zoom is a video conferencing platform that has seen a huge increase in use during the Working From Home pandemic that has swept the globe for some reason over the last few weeks. The main reason it is so popular is that it is extremely easy to use and it ‘just works’.
Zoom has its HQ in the USA but was, and still is, developed in China.
You may have seen in the media articles claiming that Zoom is not secure. Security experts have concerns that the encryption built-in to Zoom is not as strong as the company claims and that there are privacy problems.
A report published on Friday 3rd April by Canadian security researchers at Citizen Lab goes into some detail about the problems. It is not all about Zoombombing (more on that later): the researchers found that meetings were not end-to-end encrypted as Zoom claimed, that meeting content was encrypted with a single AES-128 key used in ECB mode (a mode that leaks patterns in the data and is avoided in well-designed protocols), and that in some cases meeting keys were issued by servers in China even when every participant was in North America. In short, the platform was not designed using security best practices and Zoom's own claims about how secure it is were exaggerated.
The conclusion of the experts at Citizen Lab is that they would discourage the use of Zoom for the following:
Governments worried about espionage
Businesses concerned about cybercrime and industrial espionage
Healthcare providers handling sensitive patient information
Activists, lawyers, and journalists working on sensitive topics
I would agree that if you fall into any of the above categories, do not use Zoom.
If you need an alternative, use Teams, which is designed specifically for business use and is developed and owned wholly by the US company Microsoft. Most people who use Office 365 already have Teams included in their subscription.
Zoom does have some features you can use to improve security, and the company has promised to work on it further. You may have heard of Zoombombing. This is where an uninvited person joins your meeting, either by guessing the numeric meeting ID or by picking it up from an invitation that has been shared publicly. You can stop this by requiring a password to join (set this up when you create the meeting; people joining with the invitation link will not be asked for the password because it is embedded in the link, so treat the link itself as confidential, whereas anyone typing or guessing the meeting ID will be prompted for it), or by locking the meeting once it is underway so that nobody else can join (the host goes to the participants list > More > Lock Meeting).
For straightforward ease of use and for (the new) normal day-to-day conversations Zoom is good enough and you can consider the claims about lack of security to apply only to those of you working as spies.
David Hewett – Managing Director – iTeam Solutions Ltd
We've been asked several times what companies should do when they furlough staff who have company-owned phones and laptops at home. Should the staff be made to switch the devices off for the entire time?
No, I do not agree that business devices in the possession of furloughed staff should be switched off for the entire time. I think the employer has a duty to tell them that the terms of the furlough are that they are not allowed to work. You are not going to want people doing helpdesk jobs or paying the wages, for instance, but they might want occasionally to check emails to keep in touch, or do something to ensure that their job and the business stay viable, and nobody in the world is going to tell them they can't or that this is a bad idea. They might want to forward sales enquiries to someone who isn't furloughed, or take the opportunity to do some online training, research or writing; it might be something to do with the company but not their actual job. Using company assets to do this might help them perform better when they return, help with boredom and/or improve their mental health whilst they are stuck in isolation at home.
I expect each employer will take a different stance, but as long as they tell their furloughed staff that they cannot work then they have met their obligations.
It is not for us to lay down the law on what people can and cannot do; it might not even be a law but just a guideline, and we do not want to be accused of, in essence, taking it all a bit too seriously when a huge dose of common sense is what is required. I firmly believe that now is not a time for pedantry.
If the government tells employers that they must take every possible step to ensure that furloughed staff cannot work, have any access to work resources or contact anyone in relation to work whatsoever, my advice would be different... but then we would be in a police state and the world would already have gone to hell in a handcart.
David Hewett – Managing Director – iTeam Solutions Ltd
Cyber Essentials is 5 years old and the National Cyber Security Centre (NCSC) has reviewed the scheme. It is looking to improve it by appointing a new Cyber Essentials Partner, to ensure that Cyber Essentials keeps pace with the changing nature of the cyber security threat and remains relevant.
The aim is to:
refresh the service
provide a simpler path to certification
The current system is administered by several Accreditation Bodies, which has brought about a lack of consistency and added complication. To simplify it there will be only one. The new partner has not been appointed yet, but the new system is expected to be in place by April 2020.
Cyber Essentials is required by Government to be affordable and accessible and the new system will have to meet these requirements.
There are currently 5 Accreditation Bodies operating the scheme on behalf of the NCSC and each one appoints a number of Certification Bodies with the knowledge, training and experience to be able to review and assess Cyber Essentials applications. iTeam is a Certification Body through the IASME Accreditation Body.
As we do not know what the new system will look like it is difficult to predict whether iTeam will continue to be a Certification Body with the new Accreditation Body but whatever happens Cyber Essentials will continue to exist. It is not necessary for iTeam to be a Certification Body for us to continue to provide our Total Secure Systems Management (TSSM) cyber security add-on to our support contracts and continue to get ourselves and our clients Cyber Essentials certified.
Other MSPs that are not Certification Bodies use third parties to certify their clients. Services are also being developed to certify in a different way: for instance, rather than having us complete your questionnaire once a year, it may be possible to run an application that constantly assesses your compliance.
One good thing is that the refresh of the Cyber Essentials scheme will give it better visibility in the business community and encourage more organisations to adopt it which means we will all be safer.
iTeam Solutions Ltd
When thinking about securing your business from cyber threats, the mind quickly turns to phishing, hacks and viruses, but there are many weaknesses in and around the office that can expose your business to a host of security problems. In conjunction with a solid cybersecurity solution provided by your MSP, be sure you and your employees follow these office tips to protect your physical workspace from system compromise, unauthorised access and data loss.
1. Unlocked devices
Mobile phones, laptops, desktops, tablets and even printers/multi-function devices should all be locked and password protected when unattended, as these (and any other) network-connected devices can be compromised, allowing unauthorised access into your systems or unauthorised removal of data from them. Even though most devices lock or power down after idling for some period of time, that timeout is only a backstop: create an office culture where locking devices becomes second nature for all employees. It's not that you don't trust your colleagues; it is just being safe.
2. USB Drives
USB drives pose a host of security issues and we don't like them at iTeam. Unknown drives should never, ever be used, as they could easily contain hidden malware or spyware that steals data or installs ransomware on your network. Drives that you do use for normal business functions must be recorded and kept under lock and key so they cannot be tampered with, misplaced or stolen, and should be encrypted so that a lost drive is not also a data breach. USB drives make it far too easy for curious eyes or unauthorised users to get a peek at sensitive or confidential business information, and they are all too often left behind in public places (airports, coffee shops, etc.). Make sure any and all USB drives used in your business are catalogued and their whereabouts known at all times, or look to cloud solutions for sharing and transporting data and ban their use completely.
3. Paper Documents
What may be innocuous to your employees could be valuable to others who want to infiltrate your systems. At the end of the day, be sure that papers, reports, financial records and any other proprietary data are off the desks and locked away. When they are no longer needed, shred any documents with financial records, proprietary data or confidential information. And of course, to minimise the problem, go paper-free wherever possible.
4. Written-Down Passwords
It is a common occurrence, even in the face of strict cybersecurity policies: many employees keep notes or cheat sheets of the various usernames, logins and passwords they need for day-to-day work. Nothing defeats the purpose of a password more easily than this, and it leaves the door wide open for anyone who gets into your office to gain entry to your network and systems. We recommend a software-based password manager to prevent this risky behaviour. It may not be as quick as reading a sticky note, but it is far more secure, so just get used to using it.
5. Wallets and Keys
Just as easily accessed passwords are a threat, wallets and keys that are left on desks during meetings, bathroom breaks, lunches, etc., can all leave your business exposed to unauthorised entry. Pay special attention to this if there are areas of your business under lock and key, or if ID/keycards are used, as these are typically kept in wallets. Lost keys and access IDs can quickly lead to tampered or duplicated methods of access, so if need be, offer lockers or secure places where employees can store their personal belongings while they work.
So as well as considering technical measures to guard against cyber threats, consider these security best practices. They are largely not about spending money but changing your workplace culture to become more aware of how physical security and cyber security can help protect your business.
I’m always happy to talk about how iTeam might be able to help you look after your data and systems more securely. Please get in touch if you think we can help.
iTeam Solutions Ltd