4 Common Mistakes – Safeguard Your Business From Cyber Attacks

A post by Carla Lopez

Small and mid-size businesses are primary targets of cyberattacks because, unlike large corporations, they often do not have sophisticated security systems in place. Additionally, by attacking a small or mid-size business, hackers can gain access to a large pool of data, including personal information, bank details, and passwords belonging to the suppliers, clients, and partners of the business. As reported by GOV.UK, two out of five businesses in the country were impacted by a cyberattack in the last 12 months. To tackle the increased risk of cyberattacks, this post by Fight Back Ninja explores four common security mistakes to avoid and the best practices to safeguard your business.

Mistake 1: Not Having Trained Cybersecurity Professionals

Cybersecurity for your personal device is entirely different from cybersecurity for a business. While antivirus plus anti-malware software will suffice for your laptop, business machines and servers need multiple layers of security. This can include a firewall, anti-malware software, backup services, data encryption, system monitoring, and more.

As with any important business function, responsibility for cybersecurity should be delegated to professionals. You can either hire professionals in-house or outsource the work to an agency. Hiring multiple professionals can be costly compared to an agency but will make supervision easier. Regardless of your choice, the business will be in much safer hands with professionals involved.

Mistake 2: Not Keeping Software Up To Date

Whether it is third-party software used for marketing, finance, or sales-related activities, or the operating system itself, developers periodically release new versions that should be installed promptly. Updates are often released to patch security bugs as well as to add new features. Using older versions of software exposes you to the risk of cyberattacks: by exploiting known security bugs, hackers can gain easy access to your data while reducing the chances of being detected by your security systems.

While compromising a third-party application may not compromise your entire system, hackers can still steal valuable customer and supplier data through it. To avoid this predicament, enable automatic updates for all software. Additionally, periodically check for newer versions of your operating system and ensure they are applied to all machines in the office.

Mistake 3: Not Password Protecting Documents

Every day, various stakeholders of your business will share documents through email, messaging applications, or other online channels. As mentioned in the previous point, hackers can steal your data by targeting third-party software, and that includes email. However, you can safeguard documents containing sensitive information by converting them into password-protected documents.

For instance, if you’ve created a PowerPoint regarding the company’s financials, performance, and supplier partnerships, before sharing it digitally, convert your PPT to a PDF that can be password protected. This way only individuals who know the password can view the document.

Oftentimes, only the owner retains the right to make alterations to the PDF, reducing the risk of important documents being tampered with. As a best practice, instruct all employees to always convert documents into password-protected PDFs before sharing.

Mistake 4: Not Having Data Back-Ups

As reported by Data Bacisx, the average remediation cost of a cyberattack in the UK is $840,000. This can include the ransom that some companies decide to pay hackers as well as the cost of rebuilding the business. However, paying the ransom never guarantees that you will get your data back. Hackers do not work on goodwill; they use ransomware attacks to trap businesses in a vicious cycle of extortion. One of the reasons businesses agree to pay a ransom is that they do not have a backup.

Not having a backup puts your business at grave risk. Along with cyberattacks, natural disasters, server malfunctions, human error, and other unforeseen events can lead to data loss, causing major financial damage to a business. Hence, it is important to create a data backup policy as a priority. This can include creating a secure backup server that is not connected to the primary servers used by the business, having a weekly automatic backup schedule, periodically running recovery exercises to check data integrity, and having a recovery plan for cyberattacks.
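The "recovery exercise to check data integrity" mentioned above can be made routine with a small script. This is an added example, not code from the original post: it records a SHA-256 manifest when a backup is taken and later reports any file in the backup set that has gone missing, been altered, or appeared unexpectedly. The `make_sample_backup` helper and the file names in it are constructed purely for demonstration.

```python
import hashlib
import json
from pathlib import Path

# Hypothetical helper, not from the post: builds a constructed sample backup
# set so the integrity check can be exercised offline.
def make_sample_backup(directory: str) -> None:
    root = Path(directory)
    (root / "finance").mkdir(parents=True, exist_ok=True)
    (root / "finance" / "ledger.csv").write_text("constructed sample ledger\n")
    (root / "suppliers.txt").write_text("constructed supplier list\n")

def _sha256(path: Path) -> str:
    """Hash a file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(backup_dir: str) -> dict:
    """Record the relative path and SHA-256 of every file in the backup set."""
    root = Path(backup_dir)
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def save_manifest(manifest: dict, manifest_path: str) -> None:
    # Keep the manifest on the isolated backup server the post describes,
    # apart from the primary systems, so that damage to one location
    # cannot silently "correct" the other.
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))

def verify_backup(backup_dir: str, manifest: dict) -> list:
    """Return sorted (relative_path, problem) pairs; an empty list means intact."""
    root = Path(backup_dir)
    problems = []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif _sha256(p) != expected:
            problems.append((rel, "hash mismatch"))
    # Files that appeared after the manifest was taken are also suspicious.
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest:
            problems.append((rel, "unexpected file"))
    return sorted(problems)
```

Run `build_manifest` right after each scheduled backup and `verify_backup` as part of the periodic recovery exercise; a non-empty result is the signal to investigate before the backup is needed in anger.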

Avoiding these four mistakes will significantly reduce the threat of cyberattacks, and safeguard the long-term health of your business.


How to Report a Data Breach to the Information Commissioner

Not all organisation data breaches need to be reported to the Information Commissioner’s Office (ICO).

The ICO recommends that any serious breach is reported to them, but it is not mandatory and "serious breaches" are not defined. However, the following should assist data controllers in considering whether breaches should be reported:

  1. The potential detriment to individuals is the overriding consideration in deciding whether a breach of data security should be reported to the ICO. Detriment includes emotional distress as well as both physical and financial damage.

Ways in which detriment can occur include:

   a. exposure to identity theft through the release of non-public identifiers, e.g. passport number
   b. information about the private aspects of a person’s life becoming known to others, e.g. financial circumstances

The extent of detriment likely to occur depends on both the volume of personal data involved and the sensitivity of that data, and on whether there is significant actual or potential detriment as a result of the breach.

Where there is little risk that individuals would suffer significant detriment, for example because a stolen laptop is properly encrypted or the information that is the subject of the breach is publicly available, there is no need to report.

  2. The volume of personal data lost / released / corrupted: There should be a presumption to report to the ICO where a large volume of personal data is concerned and there is a real risk of individuals suffering some harm.
  3. The sensitivity of the data lost / released / corrupted:

How to Report a Breach

Serious breaches should be reported to the ICO using the DPA security breach helpline on 0303 123 1113 (open Monday to Friday, 9am to 5pm). Select option 3 to speak to staff who will record the breach and advise you on what to do next. Alternatively, report in writing using the DPA security breach notification form, which should be sent to the email address [email protected] or by post to the office address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

When a breach is reported, the nature and seriousness of the breach and the adequacy of any remedial action taken will be assessed and a course of action determined.

The ICO may:

  • Record the breach and take no further action;
  • Investigate the circumstances of the breach and any remedial action, which could lead to further action;
  • Set a requirement on the data controller to undertake a course of action to prevent further breaches;
  • Start formal enforcement action, which could lead to a fine of up to £500,000.

For further information see https://ico.org.uk



Is Your Brain Leaky?

This is a recently popular scam topic which tries to convince everybody that they have a "leaky brain" and need help in fixing that leak.

“Researchers at the University of Southern California recently discovered leaky brain.”

“If you’re over 30 then it’s 99% likely you have a leaky brain”.

That is a made-up statistic: there is no such thing as leaky brain, despite some pill-pushing scammers trying to make people believe it is real.

To make people believe they have such a problem, the emails list common symptoms such as forgetting where your glasses are, losing your wallet, or forgetting appointments.

These are a normal part of life and not leaky brains.

There is supposedly lots of science behind this claim, but it is rubbish: the science referred to concerns rats with specific problems and does not apply to humans in any way.

Ignore this rubbish.



NCSC Early Warning Service

The National Cyber Security Centre (NCSC) has set up an early warning service to help organisations investigate cyberattacks on their networks by notifying them of malicious activity that has been detected in information feeds.

Early Warning is a free NCSC service designed to inform your organisation of potential cyberattacks on your network as soon as possible. The service uses a variety of information feeds from the NCSC and from trusted public, commercial and closed sources, including several privileged feeds that are not available elsewhere.

https://www.ncsc.gov.uk/information/early-warning-service

Early Warning is open to all UK organisations that hold a static IP address or domain name.

Organisations will receive the following high-level types of alerts:

Incident Notifications – This is activity that suggests an active compromise of your system.
For example: A host on your network has most likely been infected with a strain of malware.

Network Abuse Events – These are indicators that your assets have been associated with malicious or undesirable activity.
For example: A client on your network has been detected scanning the internet.

Vulnerability and Open Port Alerts – These are indications of vulnerable services running on your network, or of potentially undesired applications being exposed to the internet.
For example: You have a vulnerable application, or you have an exposed Elasticsearch service.

Early Warning does not conduct any active scanning of your networks itself; however, some of the feeds may use scan-derived data, for example from commercial feeds.

How Early Warning works

Cyber security researchers will often uncover malicious activity on the internet or discover weaknesses in organisations’ security controls, and release this information in information feeds. In addition, the NCSC or its partners may uncover information that is indicative of a cyber security compromise on a network. The NCSC collates this information and uses it to alert your organisation about potential attacks on your network.

Your organisation can then use the information passed on by Early Warning to investigate the issue and implement appropriate mitigations where required. The NCSC’s website provides advice and guidance on how to deal with most cyber security concerns.

Sign up for Early Warning; it is free.
