Choose your topics

What is Risk Management in Cybersecurity?

Let’s explore the essentials of risk management in the context of cybersecurity to help you understand how to identify, assess and mitigate cyber threats effectively.

Cyber Risk Management Enterprise Risk Management
3 Best Practices for Data Privacy

With more technology comes more data, and with that a greater need for data privacy enforcement. What best practices should you be following?

Data Privacy
How to Prioritize Your Third-Party Risks

How can you prioritize effectively and enhance your organization’s security posture? Here are our top tips for setting up realistic, sustainable processes.

Third-Party Risk Management GRC
Top Tips to Save Time When Assessing Third-Party Risks

Is assessing third-party risks taking up too much of your time? How can you make the process more effective and efficient? Find out in the latest post from SureCloud.

Third-Party Risk Management GRC
The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
Vector (7)
Penetration Testing, Cyber Security

Is your Organisation Protected While Working from Home? I Q&A with Ethical Hacker

Is your Organisation Protected While Working from Home? I Q&A with Ethical Hacker
Written by

Elliott Thompson

Published on

20 Mar 2020

Is your Organisation Protected While Working from Home? I Q&A with Ethical Hacker


In response to our request for comment for the Sunday Times Cybersecurity report, we spoke to our Principal Cybersecurity Consultant Elliott Thompson to gain his insight into the hackers ‘cashing in on coronavirus in the WFH era’.

As the whole of the UK is now working from home due to the coronavirus pandemic, cyber hackers are exploiting vulnerabilities in companies cybersecurity levels to steal valuable information during this time of uncertainty and panic.

In response to our request for comment for the Sunday Times Cybersecurity report, we spoke to our Principal Cybersecurity Consultant Elliott Thompson to gain his insight into the hackers ‘cashing in on coronavirus in the WFH era’.

We asked Elliott some burning questions…

What are the likely attack routes for hackers at this time and what new types of phishing etc are we seeing?

A great deal of cybercrime is psychological – it’s about understanding people’s likely behaviours and fears at a time like this coronavirus pandemic. People may be naively opening unrecognised attachments relating to current news, or not thinking as clearly when it comes to clicking on malicious links. A lot of individuals are eager to tap into some good news, which means criminals are capitalising on this messaging and creating a high risk for many. This includes emails pretending to be the World Health Organisation (WHO) who suggest they link to a new positive insight article. See some examples of the emails being sent by attackers on the BBC News site here.


We also have a few phishing blogs you can check out here to keep your organisation safe:

The Simple Way to Combat Phishing

How Confident Are You Against Email Threats?

Underpainting External Email Labels


 Are video conferencing calls now more vulnerable? What else is now more at risk for businesses and individuals?

Cybercriminals follow the money. If coronavirus causes a dramatic increase in the use of videoconferencing and other collaboration tools due to the rise of people working from home, then we’d expect to see criminals trying to target them. In the short to medium term, we’d expect to see existing phishing campaigns asking people to download and execute malicious payloads designed to look like working from home software. Similarly, companies quickly adopting consumer-grade video conferencing can make it easy for an attacker to pretend to be a member of staff. The cybersecurity industry is going to have to be dynamic and responsive on this front – as we always try to be. This is a unique situation that we’ve haven’t experienced before and so people are unsure of the guidelines and what they should and shouldn’t do. Perfect for a cybercriminal to exploit.

Do you think employers should take the lead and ensure employees working from home ought to boost their cybersecurity, or is the onus on individuals?

The onus is primarily on employers as they hold the most power to make sure security standards don’t fall with a large number of staff working remotely. Specifically, in this situation, the focus should be on aggressive email filtering and ensuring that all entry points into the business require strong credentials and two-factor authentication. This is especially true where individuals previously could only access company resources from the office, passwords may not be sufficient to protect accounts now that they’re exposed over the internet.

Here’s a handy blog on how CISO’s can help to support their organisations effectively focusing on communication, collaboration and technology.

What are the best tips you can provide for businesses looking to improve cybersecurity across their organisations?

Cybersecurity is complicated, but many attacks are very simple. With the current ongoing health issue, the following steps would help organisations protect themselves from opportunistic attackers:

  • Enable two-factor authentication for all accounts that can be used remotely. If this isn’t possible, increase the minimum password length and force a reset.
  • If at all possible, avoid staff using their own personal computers to access internal company resources. If this absolutely can’t be avoided, virtual desktops could be used as a more secure alternative to a client VPN.
  • Inform staff that they may receive phishing emails/texts/calls/etc purporting to be information about COVID19 to prepare them to treat the messages with suspicion.
  • Check out the National Cyber Security Centre’s homeworking advice which can be found here and here.
  • Share this blog with your team so they can understand the full breadth of issues the cybersecurity team are facing during this unique period

Webinar with CREST President to discuss the New Normal and Beyond…

Check out our fireside virtual conversation on how to ‘Secure Your Cyber Baseline For The New Normal’ with Ian Glover (CREST) and our Risk Advisory Practice Director.

Key takeaways:

  1. ‘Top ten’ return to work tips including establishing new ways of working
  2. Advice on how to secure a new cyber baseline following a crisis
  3. Guidance for defining a resilient cyber strategy

Click here, to check it out. 


About Elliott

Elliott Thompson, one of SureCloud’s Senior Security Consultants, delivers on a variety of large and unusual pen-testing engagements. Elliott engages targets throughout Europe, Asia, and the Middle East through infrastructure testing and reverse engineering to physical, social engineering and red teaming. Elliott has also appeared on the BBC as a cybersecurity expert, is a CVE identifier, CHECK Team Leader and CREST Registered Tester.
Elliott is passionate about security and involved in various article pieces for Infosec Magazine, the BBC and the UK consumer watchdog Which?. Furthermore, last year Elliott discovered and disclosed an exploit on Android tablets, which allowed attackers full access to the device including access to the webcam, speakers and microphone.