Category: Guidance

GDPR has Landed

GDPR is the latest EU regulation intended to give consumers better protection for their personal information held by government, businesses and any other organisations.

And today’s the day it becomes Law.

GDPR may make a worthwhile difference for consumers, as it puts pressure (with the threat of large penalties) on businesses to use clear, concise language, to state what they want your data for and exactly how it will be used, to ensure they have your consent for such messages, and to give you an easy route to having all your personal information deleted.

You’ve probably had requests recently in the post or online from businesses wanting to stay in touch with you after today. This is because from today they have to show that you chose to allow them to contact you – not just assume it was OK as often happened in the past.

Plus many are taking the opportunity to revamp their policies on marketing messages etc.

Fightback Ninja Signature

 

How Common are Ransomware Attacks

“Ransomware threat on the rise as almost 40% of businesses are attacked”.

Security firm Malwarebytes surveyed companies and found one-third of victims lost revenue as a result of a ransomware attack.

The downtime caused by the ransomware rather than the cost of paying the ransom is what can kill a business.

Malwarebytes™ (software company selling anti-malware products) released its “Second Annual State of Ransomware Report”. The multi-country study surveyed 1,054 companies with no more than 1,000 employees across North America, France, U.K., Germany, Australia, and Singapore. More than one-third of businesses have experienced a ransomware attack in the last year. Twenty-two percent of these impacted businesses had to cease operations immediately.

Key Findings

“Businesses of all sizes are increasingly at risk for ransomware attacks,” said Marcin Kleczynski, CEO, Malwarebytes. “However, the stakes of a single attack for a small business are far different from the stakes of a single attack for a large enterprise.”

The impact of ransomware on SMBs can be devastating. For roughly one in six impacted organizations, a ransomware infection caused 25 or more hours of downtime, with some organizations reporting that it caused systems to be down for more than 100 hours. Further, among SMBs that experienced a ransomware attack, 22 percent reported that they had to cease business operations immediately, and 15 percent lost revenue.

For many, the source of ransomware is unknown and infections spread quickly. For 27 percent of organizations that suffered a ransomware infection, decision makers could not identify how the endpoint(s) became infected. Further, more than one-third of ransomware infections spread to other devices.

The most common source of ransomware infections in U.S.-based organizations was related to email use. Thirty-seven percent of attacks on SMBs in the U.S. were reported as coming from a malicious email attachment and 27 percent were from a malicious link in an email.

Seventy-two percent of respondents believe that ransomware demands should never be paid. Most of the remaining organizations believe that demands should only be paid if the encrypted data is of value to the organization. Among organizations that chose not to pay cybercriminals’ ransom demands, about one-third lost files as a result.

“It’s clear from these findings that there is widespread awareness of the threat of ransomware among businesses, but many are not yet confident in their ability to deal with it,” said Adam Kujawa, Director of Malware Intelligence, Malwarebytes. “Companies of all sizes need to remain vigilant and continue to place a higher priority on protecting themselves against ransomware.”


UK Government Cyber Essentials 10 Step Plan

 

This is a summary of the UK Government 10 step plan for Cyber Essentials, which is designed for organisations looking to protect themselves in cyberspace.

1. Risk Management

Embed an appropriate risk management regime across the organisation. This should be supported by an empowered governance structure, which is actively supported by the board and senior managers. These should aim to ensure that all employees, contractors and suppliers are aware of the approach, how decisions are made, and any applicable risk boundaries.

2. Secure Configuration

Identifying baseline technology builds and processes for ensuring configuration management can greatly improve the security of systems. Develop a strategy to remove or disable unnecessary functionality from systems, and to fix known vulnerabilities quickly.

3. Network Security

The connections from your networks to the Internet, and to other partner networks, expose your systems and technologies to attack. By creating and implementing some simple policies and appropriate architectural and technical responses, you can reduce the chances of these attacks succeeding. Your organisation’s use of mobile or remote working, and of cloud services, makes defining a fixed network boundary difficult.

4. Managing User Privileges

All users should be provided with a reasonable (but minimal) level of system privileges and rights needed for their role. The granting of highly elevated system privileges should be carefully controlled and managed.

5. User Education and Awareness

It’s important that security rules and the technology provided enable users to do their job as well as help keep the organisation secure. This can be supported by a systematic delivery of awareness programmes and training that deliver security expertise as well as helping to establish a security-conscious culture.

6. Incident Management

Invest in establishing effective incident management policies and processes to help to improve resilience, support business continuity, improve customer and stakeholder confidence and potentially reduce any impact.

7. Malware Prevention

Malicious software, or malware, is an umbrella term covering any code or content that could have a malicious, undesirable impact on systems. The risk may be reduced by developing and implementing appropriate anti-malware policies as part of an overall ‘defence in depth’ approach.

8. Monitoring

System monitoring provides a capability that aims to detect actual or attempted attacks on systems and business services. Monitoring allows you to ensure that systems are being used appropriately in accordance with organisational policies.

9. Removable Media Controls

Removable media provide a common route for the introduction of malware and the accidental or deliberate export of sensitive data. You should be clear about the business need to use removable media and apply appropriate security controls to its use.

10. Home and Mobile Working

Mobile working and remote system access offer great benefits, but expose new risks that need to be managed. You should establish risk-based policies and procedures that support mobile working or remote access to systems, applicable to users as well as to service providers.

https://www.ncsc.gov.uk/guidance/10-steps-cyber-security has further information.


Why You Need Double Opt-In Marketing

With single opt-in, you let people sign up to your newsletter, subscription or whatever by simply clicking once on a link or filling in a contact form etc.

But double opt-in takes this a stage further: the person must either return an email confirming their registration or click on another link in an email to confirm.

Hence it is a two-step process to register. This extra step will mean you lose some people who would otherwise have registered with just the single opt-in, but there are advantages to double opt-in, and it becomes law in May 2018 with the European Directive General Data Protection Regulation (GDPR).

From May 2018, consent for processing personal data and for any marketing communications must be freely given and unambiguous, i.e. no pre-ticked boxes, generic descriptions or over-complicated terms and conditions.

GDPR also states that companies must keep a record of how and when the customer gave such consent. The double opt-in method is considered the easiest way to comply.

If you’re offering an incentive to get people to sign up to your subscription or newsletter, then many people are likely to sign up with fake email addresses, and spambots will try to sign up too. This means that many of the email addresses on your list will be bogus, and you will waste your time sending emails to them.

Double opt-in takes care of this, as only people who give correct email addresses will complete the sign-up, and if the confirmation stage has not put them off then you have a better-quality email list.

So double opt-in, as well as becoming a legal requirement, may actually help you.
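The two-step flow described above, worked through as an added example (this is not the post’s own code, and the mailer hook, the 48-hour confirmation window and the consent-record fields are assumptions). Step 1 stores the request as pending and emails a random token; step 2 accepts the token only if it matches and is unexpired, and only then writes the “how and when” consent record that GDPR asks you to keep. Marketing is never allowed for an address that has not completed step 2:

```python
"""Double opt-in sign-up flow with a consent record (added example, not the post's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

CONFIRM_WINDOW = timedelta(hours=48)  # assumption: how long the confirmation link stays valid


class ManualClock:
    """Clock that only moves when told to (constructed so expiry can be demonstrated)."""

    def __init__(self, start: Optional[datetime] = None):
        self.now = start or datetime.now(timezone.utc)

    def __call__(self) -> datetime:
        return self.now

    def advance_hours(self, hours: float) -> None:
        self.now += timedelta(hours=hours)


@dataclass
class Subscriber:
    email: str
    requested_at: datetime
    token_hash: str                 # only a hash of the emailed token is stored
    source: str                     # hypothetical: which form the request came from
    request_ip: str                 # hypothetical: where the request came from
    confirmed_at: Optional[datetime] = None
    consent_record: Dict[str, str] = field(default_factory=dict)


class DoubleOptIn:
    """Step 1 (request) records a pending sign-up; step 2 (confirm) proves the address works."""

    def __init__(self, send: Callable[[str, str], None],
                 clock: Optional[Callable[[], datetime]] = None):
        self._send = send                       # hypothetical mailer hook: send(address, token)
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._pending: Dict[str, Subscriber] = {}
        self._confirmed: Dict[str, Subscriber] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request(self, email: str, source: str, request_ip: str) -> None:
        """Step 1: the form submission. The address is pending; nothing is marketed to it yet."""
        email = email.strip().lower()
        token = secrets.token_urlsafe(32)       # unguessable; travels only in the email
        self._pending[email] = Subscriber(email, self._clock(), self._digest(token),
                                          source, request_ip)
        self._send(email, token)

    def confirm(self, email: str, token: str) -> bool:
        """Step 2: the link in the email. True only for a matching, unexpired token."""
        email = email.strip().lower()
        sub = self._pending.get(email)
        if sub is None:
            return False
        now = self._clock()
        if now - sub.requested_at > CONFIRM_WINDOW:
            del self._pending[email]            # stale request: the address must sign up again
            return False
        if not hmac.compare_digest(sub.token_hash, self._digest(token)):
            return False                        # wrong token: leave the request pending
        sub.confirmed_at = now
        sub.consent_record = {                  # the record of how and when consent was given
            "method": "double opt-in",
            "requested_at": sub.requested_at.isoformat(),
            "confirmed_at": now.isoformat(),
            "source": sub.source,
            "request_ip": sub.request_ip,
        }
        self._confirmed[email] = self._pending.pop(email)
        return True

    def may_send_marketing(self, email: str) -> bool:
        """Only addresses that completed step 2 ever receive marketing."""
        return email.strip().lower() in self._confirmed

    def consent_record(self, email: str) -> Optional[Dict[str, str]]:
        sub = self._confirmed.get(email.strip().lower())
        return sub.consent_record if sub else None


if __name__ == "__main__":
    outbox = []                                 # stands in for the mail server
    flow = DoubleOptIn(send=lambda addr, tok: outbox.append((addr, tok)))
    flow.request("Reader@Example.com", source="newsletter-footer", request_ip="203.0.113.7")
    addr, tok = outbox[-1]
    print("marketing allowed before confirm:", flow.may_send_marketing(addr))
    print("confirmed:", flow.confirm(addr, tok))
    print("consent record:", flow.consent_record(addr))
```

Storing only the hash of the token means a leaked database does not let anyone confirm on a subscriber’s behalf, and the timestamped record is what you would produce if asked to show when and how consent was obtained.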


Identify Ransomware

If you are hit by ransomware, you need to block off the attack by removing Internet access from your PCs and servers, stopping any encryption processes in progress, and stopping any other processes that shouldn’t be running.

Then the first stage of investigation is to identify what you’re facing and the website https://id-ransomware.malwarehunterteam.com/ is a good starting point.

You upload one encrypted file, or the file that is the ransom message, to this website and it will try to identify the variant of ransomware. Currently it can identify more than 500 different variants.

For each there is extra information which can tell you if there are decryption keys available on the Internet.

Some anti-hackers try to find the decryption keys and post them freely, but the blackmailers know this and try to stay ahead of them by using new variants for which there are no keys available except the one held by the blackmailer.

The website is run purely as a free service to the public and does not decrypt files for you – you need an IT professional for that (assuming it’s possible, as many cannot be decrypted without a key from the blackmailer).

If you have a suspected virus rather than ransomware, then there is a website that may help to identify it at https://www.virustotal.com

As always, the advice is that it’s best to avoid being held to ransom – ensure you have adequate systems protection in place, staff that have been educated on the danger of cyber attacks, regular backups (including off-site) and have a plan in place to deal with a ransomware attack.


The Danger of Internet Connected Gadgets in Your Home

Some homes are now filled with dozens of appliances, devices and children’s toys which can be connected to Wi-Fi. Some are useful while others are just for fun, but if they are not fully secure the consequences can be unpleasant.

Often set with a default password or no password, these devices can provide an easy route for cyber attackers to get into your systems and look for confidential information.

The Internet of Things

The “Internet of Things” is a name for the adoption of Internet-enabled devices in the home, the idea being that more and more household objects will communicate over the Internet. Common such items now include thermostats controlled by an app, smoke alarms that phone you, toys that access Internet stories and music, and the Alexa and Google Home devices that you can give spoken instructions to, which use Wi-Fi to control other devices, find information or translate something. This also includes Internet-connected “wearable” devices, such as fitness bands which upload your GPS co-ordinates and telemetry to the Internet so you can access the data on your PC.

Many companies are working on more of these Internet of Things devices.

These devices can give out information to interlopers that you may not have considered, e.g. the recent case of American Special Forces soldiers wearing fitness bands and their locations being broadcast on Google. OOPS.

How to Make Your Connected Home More Secure

  • Secure the wireless network. Use the WPA2 protocol if your broadband router allows that option.
  • Give your Wi-Fi network an unusual name that doesn’t identify your address, e.g. General Electric.
  • If guest access is enabled on the network, disable it.
  • If your router is capable of creating two separate Wi-Fi networks, then use one for computer devices and a separate one for household gadgets.
  • Always use strong passwords that cannot possibly be guessed by anyone, e.g. a string of random words.
  • The login name is often admin or administrator by default. If you are able to change the login name, then change it to something that cannot be guessed.
  • Disable any remote access for gadgets. If you ever need it to allow the supplier to fix a fault, then you can re-enable it temporarily.

Some of these gadgets have appropriate Internet security and insist on strong passwords etc., but others have had little or no thought given to security, so you must take care to plug any holes.


What If Your Business Has a Data Breach

If your business suffers a data breach i.e. hackers access your system and steal confidential information then you have a lot to do to deal with the breach, communicate with all affected parties and put in place better security to prevent another breach.

How well you deal with the breach often affects the total cost and the level of damage to your business reputation.

These four steps can help:-

1. Investigate the Breach

  1. How did it happen?
  2. What was stolen?
  3. Can the hackers regain entry to your systems?

You’ll need to know exactly what information was lost in the data breach.

Less sensitive information includes name, address, phone number etc. This can be used by scammers and cold callers, but that information is readily available for most people through the phone directory, social media and the Electoral register.

More sensitive information includes date of birth, name, financial details and payment card details. Combined with the less sensitive information, this can be used for identity fraud.

If the stolen data includes names with login and passwords then you need to act fast to warn people to change their passwords.

2. Determine the Possible Damage

Once you know what data has been stolen, you need to understand how this can affect people, i.e. how this data can be used by criminals. Will they likely sell the information to a competitor or to other scammers, or ransom it back to you?

3. Communicate with All Interested Parties

You need to inform all affected parties ASAP. This may be customers, partners, staff, suppliers etc. If the breach is serious then you should inform the Information Commissioner’s Office. If relevant, inform the Police.

4. Increase Your Security

Unless you have security experts, you may need to hire experts to assess your systems and see how security can be improved. Start enacting those improvements straightaway and of course close off whatever method the hackers used to get into your systems.

A data breach can be very serious and must be dealt with quickly and efficiently to minimise damage to your reputation.


Facts About Data Breaches

Hackers break into company computer systems and steal confidential information, i.e. they make copies of it for their own purposes.

The hackers might then ransom the data back to the owner, sell it to a competitor, sell it to other scammers, or make use of it in phishing scams, i.e. to get more confidential information which they can then sell to fraudsters.

This is big business and usually it’s the customers of the hacked business that suffer.

We give our private and financial information to companies to do business with them but we expect they will do everything necessary to keep that data secure.

Many companies do have excellent data security but some fall short.

The cost to a company of a data breach can include:-

  1. Creation of contact databases
  2. Regulatory requirements
  3. External experts
  4. Postal costs
  5. Communications set-ups
  6. Audit services
  7. Helpdesk
  8. Legal expenditures
  9. Reimbursement for customers
  10. Cost of cleaning up data

Besides the material costs, there may be reputation damage.

Recent research shows:-

  • The average cost of a data breach is $3.62 million
  • The average global total cost per record stolen is $141 but there is huge variance across incidents.
  • Companies in South Africa and India have the highest chance of data breaches whereas companies in Germany and Canada have the lowest.
  • The mean time to identification of a data breach is 191 days
  • The faster the breach is recognised, then generally the lower the total cost
  • The increasing use of mobile platforms is increasing the chances of data breaches.

For information on how to recognise a cyber attack see https://fightbackonline.org/index.php/business/102-do-you-know-if-your-business-has-been-cyber-attacked

[facts taken from 2017 Cost of Data Breach Study]


Fake Website Links

You will come across fake website links in emails, on websites, social media, text messages and more.

In this context, “fake” means a link that doesn’t take you where it says but instead goes to some other website or web page.

Why do people make such fake links?

Mostly there is a deliberate intention to mislead – promise a link to one site but take you to a different site where you don’t want to go.

This may be an attempt to infect your computer with malware or to get you to a page you have little interest in or simply to get you to look at a video or a webpage for which the link poster gets paid per visitor.

How to Identify Fake Links

  1. On a PC, hover the cursor over the link and it should show the real destination URL. If this does not match what the link says then you have a fake link and you should not click it.
  2. On a Mac, make sure you have the status bar showing first, then hover in the same way.
  3. On Android phones, press and keep your finger on the link and a box will open offering options, but at the top it shows the complete link.

Shortened URLS

Some webpages have very long addresses, and if you’re sending a link to someone or posting on Twitter, for example, then some way to shorten these links would be welcome. There are various services on the Internet that do just that. Twitter does this automatically for long links.

These shortened URLs make it difficult to identify the destination of the link. If in doubt – do not click.

Very Long URLs and Email Addresses

Most people create short URLs i.e. links as they want them to be easy to remember and to type e.g. fightback.ninja/the-inflammation-scam/

But some large websites deliberately create long URLs in order to make the purpose of the page easy to understand from the name, e.g. http://www.sheppardsoftware.com/content/animals/kidscorner/classification/kc_classification_appearance.htm

Scammers use long URLs in order to try to hide the true destination of the URL, e.g. customerservice.lloydsbank.768092676414336492872654576277@78397123719273917cheapscam.com

That is not Lloyds Bank.

Scammers also use the confusion trick with email addresses e.g. customerservice.lloydsbank.768092676414336492872654576277@78397123719273917cheapscam.com
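The checks in the three sections above, worked through as an added example (not the post’s own code). The `@` trick works because everything before an `@` in a web address is a username, not part of the host, so the browser connects to `78397123719273917cheapscam.com` however much “lloydsbank” appears in front of it; the same applies to the part before the last `@` in an email address. The shortener list, the two-level suffix list and the brand watch list are constructed for the example; a real deployment would use the Public Suffix List and a maintained watch list:

```python
"""Hover-check and long-URL checks for fake links (added example, not the post's code)."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed for the example: suffixes under which the registrable name is three labels long,
# some URL-shortener hosts, and a brand keyword with the domains that legitimately carry it.
THREE_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au"}
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}
BRAND_DOMAINS = {"lloydsbank": {"lloydsbank.com", "lloydsbank.co.uk"}}

# Link text that reads like an address: a scheme, a www. prefix, or host.tld followed by / or end.
_URL_LIKE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|www\.|[\w.-]+\.[a-z]{2,}(?:/|$))", re.I)


def _with_scheme(url: str) -> str:
    return url if "://" in url else "http://" + url


def real_host(url: str) -> str:
    """The host a browser actually connects to; anything before '@' is userinfo, not host."""
    return (urlsplit(_with_scheme(url)).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Strip subdomains down to the name someone had to register (sheppardsoftware.com)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in THREE_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def email_domain(address: str) -> str:
    """Only the part after the last '@' identifies where an email address really lives."""
    return address.rsplit("@", 1)[-1].strip().lower()


def looks_like_url(text: str) -> bool:
    text = text.strip()
    return " " not in text and bool(_URL_LIKE.match(text))


def check_link(displayed_text: str, href: str) -> Dict[str, object]:
    """Reproduce the hover check: compare what the link shows with where it really goes."""
    parts = urlsplit(_with_scheme(href))
    target = (parts.hostname or "").lower()
    reg = registrable_domain(target)
    flags: List[str] = []
    if parts.username is not None:
        flags.append("userinfo-before-@")          # the long-URL disguise from the post
    if target in SHORTENER_HOSTS:
        flags.append("shortened-url")              # destination cannot be seen without following it
    if looks_like_url(displayed_text) and registrable_domain(real_host(displayed_text)) != reg:
        flags.append("text-host-mismatch")         # link says one site, goes to another
    for brand, good_domains in BRAND_DOMAINS.items():
        if brand in href.lower() and reg not in good_domains:
            flags.append("brand-name-outside-registrable-domain:" + brand)
    return {"target_host": target, "registrable_domain": reg, "flags": flags}


if __name__ == "__main__":
    LONG = "customerservice.lloydsbank.768092676414336492872654576277@78397123719273917cheapscam.com"
    print("web host:   ", real_host(LONG))
    print("mail domain:", email_domain(LONG))
    print(check_link("https://www.lloydsbank.com/login", "http://" + LONG))
    print(check_link("Read more", "https://bit.ly/abc"))
```

`urlsplit(...).hostname` does the work the browser does when it decides where to connect, which is why it is the right thing to compare against the link text rather than the raw string.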


The Battle Against Illegal Medicine Websites

There are countless Internet sites selling drugs and medicines, without prescription, that should only be available with a Doctor’s guidance and prescription.

The reasons people buy medicines from Internet sites can be just about saving money but can also be about anonymity, fear of approaching a doctor, ignorance of the dangers involved and so on.

There is a government campaign called #fakemeds with a website at https://fakemeds.campaign.gov.uk/

You can use this website to check if a website you are thinking of buying from is registered to sell medicines and you can report suspected fake medicines and suppliers.

The potentially dangerous products seized by the Medicines and Healthcare Products Regulatory Agency (MHRA) had not been tested for safety and in some cases were found stored in dirty, rat-infested warehouses and garden sheds. In 2016, MHRA seized more than 4.6 million fake medical products and closed thousands of websites selling medicines illegally.

The three key messages are

  1. More than half of all medicines bought online are fake
  2. Side effects can include heart attacks, strokes and death.
  3. Buying from dodgy websites also increases the risk of being ripped off through credit card fraud or having your identity stolen.

The #fakemeds campaign is run by MHRA and a recent study in co-operation with Slimming World shows:-

  • One in three slimmers have tried slimming pills purchased online.
  • Three quarters of slimmers (77%) were enticed by promises of rapid weight loss, more than half were attracted to being able to order discreetly (57%) and more than four in ten (44%) ordered online because they didn’t want to speak to a GP or pharmacist.
  • Nearly two-in-three (63%) suffered unpleasant side effects after taking slimming pills bought online. These side effects included diarrhoea, bleeding, blurred vision and heart problems. Worryingly, four out of five (81%) didn’t report these side effects to anyone.
  • Four out of 10 respondents said they had used the slimming pills knowing there were health risks, with more than six out of ten (62%) doing so because they were ‘desperate to lose weight’.

Be careful buying medicine online. If you need a prescription for the product then do speak to your doctor, and do not risk your health on cheap, dodgy products.

More than 5,000 websites illegally selling prescription drugs were shut down in 2016.
