SureCloud’s Response to the Cyber Security Breaches Survey 2019
The Cyber Security Breaches Survey is a quantitative and qualitative survey of UK businesses and charities. It helps organizations to understand the nature and significance of the cybersecurity threats they face, and what others are doing to stay secure. It also supports the Government in shaping future policy in this area.
SureCloud’s Cybersecurity Operations Director, Luke Potter, responds to the survey and gives his views and opinions on some of the key points discussed.
Are instances of cyber-security breaches increasing?
On review of the Cyber Security Breaches Survey from earlier this year, it’s clear that attacks are increasing, but so is the priority that businesses place on Cybersecurity.
“The extent to which organizations consider cybersecurity a priority has increased over time. Compared to last year, more businesses see it as a high priority (40%, vs. 35% in 2018) and since 2016, there has been a nine percentage-point increase in businesses considering it a very or fairly high priority.”
Across the hundreds of penetration tests and simulated cyber attacks that SureCloud performs each year, we continue to find that targeted phishing is one of the most reliable ways to gain access to an organization's data. Genuine attackers know this as well.
It is critical that organizations adopt a 'top-down' approach to cybersecurity: engagement on cyber resilience is secured at executive/board level and then propagated through the organization. Cybersecurity is the responsibility of everyone in the organization, not just the IT / InfoSec team. We all have obligations, and this needs to start at the very top.
Are there any specific examples of data breaches occurring when an executive has been traveling and so changed their habits?
When executives are traveling, they tend to be at the greatest risk, and attackers know this. They are less likely to pay extra care and attention to their actions when they are rushing to catch a flight or to get to a hotel after a long day. This is when all kinds of attacks are most likely to succeed, for example a well-timed targeted phishing, vishing (voice) or smishing (SMS) attack.
Further to this, it's critically important that you keep your boarding pass 'safe' and treat it like a confidential document. By this we mean destroy it as you would any confidential document (cross-cut shredding etc.), and never post pictures of it on social media.
Earlier this year, using barcode scanning mobile apps that are easily obtainable from app stores, SureCloud's researchers were able to obtain personal data such as the individual's full name, document verification number and airline frequent flyer account number from an image of a volunteer's recently-used boarding pass that they had posted to social media. The barcode is not encrypted; it simply encodes the same details printed on the pass, plus several that are not.
Combined with wider open-source intelligence (OSINT) techniques, the researchers were also able to obtain the volunteer's driving licence number, home address, middle name and date of birth. Using the information gathered, it would be relatively simple for a malicious party to carry out identity fraud or potentially take over the victim's existing accounts.
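To make concrete what a barcode scanner actually hands an attacker, here is an added example (written for this article, not SureCloud's research code) that decodes the text payload of an airline boarding pass. It assumes the IATA Bar Coded Boarding Pass (BCBP) "M" layout from IATA Resolution 792, which is what the PDF417, Aztec or QR symbol on a boarding pass carries: a fixed-width, plain-text record whose optional sections are introduced by hexadecimal length fields. The sample payload, passenger, booking and loyalty numbers are constructed for the demo; the field names are the parser's own.

```python
"""Decode the text payload of an IATA Bar Coded Boarding Pass (BCBP).

Added example, not SureCloud's code. A barcode scanner app hands back this
plain text; the fields are fixed-width and nothing is encrypted, which is
why a photo of a boarding pass leaks the data described in the article.
Layout follows the IATA Resolution 792 "M" format; the sample is constructed.
"""

# Mandatory section: fixed 60 characters at the start of the payload.
MANDATORY = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("pnr", 7), ("from_airport", 3),
    ("to_airport", 3), ("operating_carrier", 3), ("flight_number", 5),
    ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("checkin_sequence", 5), ("passenger_status", 1), ("variable_size_hex", 2),
]

# Conditional "unique" section (leg 1): follows ">" + version + 2-hex size.
UNIQUE = [
    ("passenger_description", 1), ("checkin_source", 1),
    ("issuance_source", 1), ("issue_date", 4), ("document_type", 1),
    ("issuer_airline", 3), ("baggage_tag", 13),
]

# Conditional "repeated" section (each leg): follows its own 2-hex size.
REPEATED = [
    ("airline_numeric_code", 3), ("document_form_serial", 10),
    ("selectee_indicator", 1), ("intl_document_verification", 1),
    ("marketing_carrier", 3), ("frequent_flyer_airline", 3),
    ("frequent_flyer_number", 16), ("id_ad_indicator", 1),
    ("free_baggage_allowance", 3), ("fast_track", 1),
]


def _cut(data: str, layout) -> dict:
    """Slice fixed-width fields; a section truncated early just yields ''."""
    out, pos = {}, 0
    for name, width in layout:
        out[name] = data[pos:pos + width].strip()
        pos += width
    return out


def parse_bcbp(payload: str) -> dict:
    """Parse the first leg of an M-format payload into named fields."""
    if not payload.startswith("M") or len(payload) < 60:
        raise ValueError("not an M-format BCBP payload")
    rec = _cut(payload, MANDATORY)
    var_len = int(rec.pop("variable_size_hex") or "0", 16)
    var = payload[60:60 + var_len]
    if len(var) != var_len:
        raise ValueError("variable section shorter than declared")
    if not var.startswith(">"):          # no structured conditional data
        rec["airline_use"] = var
        return rec
    rec["version"] = var[1]
    u_len = int(var[2:4] or "0", 16)
    rec.update(_cut(var[4:4 + u_len], UNIQUE))
    pos = 4 + u_len
    r_len = int(var[pos:pos + 2] or "0", 16)
    rec.update(_cut(var[pos + 2:pos + 2 + r_len], REPEATED))
    rec["airline_use"] = var[pos + 2 + r_len:]
    return rec


def sensitive_fields(rec: dict) -> dict:
    """The subset an attacker pivots on: name plus booking reference is enough
    to open the booking on many airline 'manage my booking' pages; the loyalty
    account and document numbers feed identity fraud and account takeover."""
    keys = ("passenger_name", "pnr", "frequent_flyer_airline",
            "frequent_flyer_number", "document_form_serial", "baggage_tag")
    return {k: rec[k] for k in keys if rec.get(k)}


# Constructed sample payload (not a real passenger). Declared sizes:
# variable section 0x4C = 76 chars, unique 0x18 = 24, repeated 0x2A = 42.
SAMPLE = (
    "M1" + "DOE/JANE".ljust(20) + "E" + "ABC123 " + "LHR" + "JFK" + "BA "
    + "0117 " + "155" + "Y" + "014A" + "0042 " + "1" + "4C"
    + ">3" + "18" + "0WW6155BBA 0125123456001"
    + "2A" + "125" + "1234567890" + "0" + "1" + "BA " + "BA "
    + "12345678".ljust(16) + " " + "20K" + "N"
    + "AB12"                                   # airline-specific trailer
)

if __name__ == "__main__":
    for k, v in sensitive_fields(parse_bcbp(SAMPLE)).items():
        print(f"{k:24s} {v}")
```

Running it against the sample prints the passenger name, booking reference (PNR), frequent flyer programme and number, document serial and baggage tag, every one of them recoverable from a photograph with a free scanner app. The parser deliberately refuses a payload whose declared section length does not match what is present, since a cropped or partially-obscured barcode is the realistic input here.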
Are there any parts of the world travelers should be especially vigilant about/in?
From a general personal safety perspective there are, no doubt, parts of the world where you should be especially vigilant, but that said, any location you visit will have 'safer' and 'not so safe' areas. From a data security standpoint, the same processes and procedures you follow when you are in the office should apply wherever you are in the world. By this we mean: avoid connecting to 'untrusted' networks. That clearly includes 'open' wireless networks, but equally networks protected with a pre-shared key (PSK) where that key is handed out to everyone, as in a hotel or conference venue. Anyone holding the key can see your communications if they are not separately encrypted, and can just as easily stand up a rogue access point with the same network name and key that your device will happily join. Where possible, use cellular data or tether to a device in your control, and make sure that the use of a VPN is treated as a 'business as usual' activity. Finally, in addition to the VPN, ensure that all communications use encrypted protocols such as HTTPS, SFTP and SMTPS, and that certificate warnings are never clicked through: on a hostile network, a certificate error is exactly what a man-in-the-middle attack looks like.
Is mobile tech inherently more dangerous than desk-based tech?
No. Each has its own potential security weaknesses and should be controlled accordingly: for example, by ensuring that devices and all applications on them are kept patched and up to date, and by ensuring that you only connect to 'trusted' networks.
What are the red flags people should look out for?
Targeted phishing emails are one of the most likely ways that you will be compromised. In a recent SureCloud survey, 63% of respondents said a targeted phishing attack was the compromise they were most worried about in 2019, yet 53% of organizations do not tag inbound emails.
Targeted phishing emails could include:
- Emails appearing to be from someone else in the organization, such as a senior executive or your manager, requesting an action. This may include a request to pay an invoice urgently or to purchase something for them.
- Emails appearing to be from an online service you use, with links to documents.
- Emails appearing to be from your email provider, prompting for a password reset.
There are various technical controls your IT team can put in place to help prevent these emails from arriving in your inbox in the first place, but from a user standpoint it's critical that everyone remains vigilant. A simple rule is to never follow links in emails you were not expecting, and to always check with the individual requesting an action via another medium (call, text, in person) before proceeding.
And what simple steps can they take to protect themselves and their employer?
One of the simplest ways to combat phishing is to tag inbound emails to your organization so they clearly show that they have NOT originated from an internal source.
Tagging emails that arrive from external sources (i.e., outside of your organization) is simple, free and underused. You likely already tag outbound emails with a disclaimer or confidentiality notice, so it makes sense to also tag inbound emails to make it obvious to the recipient that they did not come from an internal source. For example, add a prefix such as EXTERNAL to the subject line, or a highlighted message at the top of the body, making it very clear to the recipient where an email originated.
A genuine email from a legitimate internal source carries no tag. The same email sent by an attacker from an external address, using any of the examples given above, arrives clearly tagged, so the target knows straight away that it is not from the internal sender it claims to be from. You can make this even more visible by changing the tag every month, for example by adjusting the colour of a banner placed at the top of the inbound email (rather than only prefixing the subject line), so that an attacker cannot simply copy last month's tag into their own message.
This simple step raises a warning flag and can stop an organization from being compromised. The vast majority of email systems support outbound and inbound tagging; it is quick to set up and usually cost-free, while being one of the best ways to protect your organization from business email compromise. One caveat: it is a user-awareness control, so it does nothing for mail sent from an internal mailbox that has already been compromised, and it complements rather than replaces the technical controls mentioned above.
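As an added example covering both the red flags listed above and the tagging control described here (written for this article; it is not SureCloud's code, nor the configuration of any particular mail product), the block below implements the gateway decision in Python's standard email package: decide whether a message is external, prefix the subject, prepend a banner to the text body, and set a marker header that client-side rules can colour. It also flags the specific red flag of an executive's display name on an outside address, and refuses to stack a second tag onto a reply that already carries one. The organization domains, the protected display name and both sample messages are constructed for the demo.

```python
"""Tag inbound mail that did not originate inside the organization.

Added example, not SureCloud's code: the decision a mail gateway rule makes,
written against Python's standard email package so it runs offline on raw
messages. Domains, names and the sample messages are constructed for the demo.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com", "corp.example.com"}  # assumed: domains we own
PROTECTED_NAMES = {"jane doe"}                           # assumed: exec display names
SUBJECT_TAG = "[EXTERNAL]"
BANNER = ("CAUTION: this email originated from outside the organization.\n"
          "Verify any payment or credential request by phone before acting.\n\n")


def is_internal(addr: str) -> bool:
    """An address is internal only if its domain is one we own."""
    return addr.rpartition("@")[2].lower() in INTERNAL_DOMAINS


def sender_is_external(msg: EmailMessage) -> bool:
    """Decide on the envelope sender first (Return-Path, written by our own MTA
    at delivery), then fall back to From. No usable sender at all is external."""
    for header in ("Return-Path", "From"):
        _, addr = parseaddr(str(msg.get(header, "")))
        if addr:
            return not is_internal(addr)
    return True


def impersonates_executive(msg: EmailMessage) -> bool:
    """Red flag from the article: a senior person's display name on an address
    that is not ours. The From header is entirely attacker-controlled."""
    name, addr = parseaddr(str(msg.get("From", "")))
    return bool(addr) and not is_internal(addr) and name.strip().lower() in PROTECTED_NAMES


def tag_message(raw: str) -> EmailMessage:
    """Return the parsed message, tagged if it came from outside, else untouched."""
    msg = message_from_string(raw, policy=policy.default)
    if not sender_is_external(msg):
        return msg
    subject = str(msg.get("Subject", ""))
    if not subject.upper().startswith(SUBJECT_TAG):   # replies already carry it
        del msg["Subject"]
        msg["Subject"] = f"{SUBJECT_TAG} {subject}".strip()
    msg["X-External-Sender"] = "yes"                   # for client-side colouring rules
    if impersonates_executive(msg):
        msg["X-Executive-Impersonation"] = "yes"
    body = msg.get_body(preferencelist=("plain",))     # banner goes in the text part
    if body is not None:
        body.set_content(BANNER + body.get_content())
    return msg


# Constructed samples. The second spoofs the CEO's display name from a
# look-alike external mailbox, exactly the pattern described in the article.
INTERNAL_MAIL = (
    "Return-Path: <jane.doe@example.com>\n"
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: bob@example.com\n"
    "Subject: Board pack\n"
    "\n"
    "Attached as discussed.\n"
)
SPOOFED_MAIL = (
    "Return-Path: <bounce@mailer-example.net>\n"
    "From: Jane Doe <jane.doe.ceo@outlook-example.net>\n"
    "To: bob@example.com\n"
    "Subject: Urgent invoice\n"
    "\n"
    "Bob, please pay the attached invoice today. Jane\n"
)

if __name__ == "__main__":
    for raw in (INTERNAL_MAIL, SPOOFED_MAIL):
        tagged = tag_message(raw)
        print(tagged["Subject"], "|", tagged.get("X-Executive-Impersonation", "no"))
```

The envelope sender is consulted before the From header because From is whatever the attacker typed, whereas Return-Path is stamped by the receiving mail server. In a real deployment this logic lives in the mail platform's transport rules or a content filter rather than a script, but the decisions are the same ones.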
Are there common misconceptions about cyber-security?
The biggest and most common misconception about cybersecurity is that 'it's not my job' or 'that's handled by our InfoSec/IT team'. It is everyone's responsibility, from the CEO to the most junior members of the company. Everyone has an obligation to protect the information of the company they work for, and should treat that information with the same diligence and care they would apply to protecting their own personal information.
In addition, there remains a stereotype of 'hackers' as sweaty teenagers sitting in their bedrooms in hoodies, eating heavily processed food. This is not the case. Hackers range from IT professionals with a passion for information security who want to work with companies to improve their security posture, through professional criminals, to state-sponsored actors. The key point is that you should engage professional organizations with the right experience and accreditations, for both the individuals and the company itself, who can use the same techniques as malicious actors to test for weaknesses and advise on areas of improvement, through a service commonly referred to as penetration testing.
Is there any sign that regulatory changes such as GDPR are having an impact?
Increased regulatory pressure on all organizations, such as GDPR, has raised the priority organizations place on cybersecurity. However, pressure also continues to come from third parties that audit the organizations they do business with, such as the customers you supply. They will commonly look for evidence of good cybersecurity practice, such as regular penetration testing, technical controls and relevant policies and procedures around cybersecurity.
Are there any particular products people can buy to help them? (Rather than general/overall software packages, I’m looking for specific gizmos, or software add-ons or similar here, for a sidebar)
There is no 'one size fits all' solution to cybersecurity. There is nothing you can do or buy to 'secure' your organization completely. It's about investment in the right places, driving the right behaviours from the top, and implementing multiple layers of control, both technical and procedural, throughout the organization. There are numerous organizations that can assist with recommendations in this space, but a few key points would be:
- Ensure that you are performing regular, manually led penetration tests across your entire IT estate, both internally and externally. This gives you depth, and should be carried out by qualified and skilled penetration testing professionals.
- Ensure that you are regularly running automated vulnerability scanning and/or assessments against your entire IT estate. This gives you breadth of coverage and picks up the 'low-hanging fruit'.
- Keep all systems and services fully patched and up to date. This should include everything, such as the operating systems, browsers and wider software packages.
- Train your staff on how to spot targeted phishing attacks and the signs of their system being compromised.
- Invest in well thought-out technical solutions, such as anti-virus, firewalls and SIEM solutions. That said, make sure you have the teams and resources (people) with the right skills to manage these solutions and ensure they are configured correctly.
Any general points?
All organizations have numerous priorities and varying levels of pressure. Cybersecurity can often be something that people consider 'they must review', but never actually get around to until it's too late. Also, most organizations are targeted and attacked every single day. You may already have been compromised and have absolutely no visibility of it. Engage with an organization that specializes in the cybersecurity space, but also one that has the experience and knowledge of working with organizations similar to your own. Some organizations offer penetration testing or Pentest-as-a-Service models that ensure business alignment, but also provide the ongoing support that is so critically important to many organizations.
Luke Potter oversees SureCloud Cybersecurity Solutions. He also manages our Secure Private Cloud. Luke is a recognized cybersecurity expert. He is a CHECK team leader, Tiger Scheme senior security tester, ISO 27001 lead auditor and Microsoft Certified enterprise administrator. Previously, Luke managed the IT team at a large UK insurance brokerage.
SureCloud is a provider of cloud-based, Cybersecurity services and Integrated Risk Management products, which reinvent the way you manage risk.
SureCloud also offers a wide range of Cybersecurity testing and assurance services, where we stay with you throughout the entire test life-cycle from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.