Latest Kaspersky Security Bulletin confirms online risk

The latest release of The Kaspersky Security Bulletin has confirmed that the online world has never been more dangerous, with both the quantity and variety of threats increasing by 13% in the last year. So what are the new threats and how have last year’s threats moved on? We take a look at the key findings from the report, and what it means for your safety.

Web skimming is on the rise

Web skimming attacks, and the malware that enables them, make up a considerable part of the 13% rise – shooting up by a shocking 187%. Web skimming is the practice of introducing malware onto the payment pages of unprotected websites to steal the payment data of the victims who pay using the site, and it is just one of several forms of Trojan attack that have been on the rise against banking and shopping sites in recent years. The rise has been so dramatic that skimmers are now the tenth most serious threat overall, as hackers turn to skimming after other methods of attack become less profitable, thanks to new initiatives like GDPR.

Malicious URLs remain the biggest threat

While new and exotic methods of attack continue to grow in response to security changes, the most common form of attack remains the malicious URL – representing 85% of security breaches. These URLs fool users into thinking they are visiting the correct site when they have actually been redirected to a fake clone, an extortion site or a site infected with malware designed to steal information. According to the report, this is largely driven by hackers’ desire to profit directly from users’ money, rather than simply stealing their information to sell on, because of the increasing risks their criminality carries. Businesses that achieve cybersecurity certification are much less likely to suffer such attacks.

Miners on the decline

One of the positives to come out of The Kaspersky Security Bulletin was the reported fall in the prevalence of ‘local’ miners, which secretly hijack users’ computers via the Internet in order to use their processing power to mine cryptocurrencies – thanks to the crypto companies’ attempts to make the technology safe for users concerned about the virtual currencies’ security vulnerabilities. The difficulty in executing such attacks has made them much less profitable, and they have fallen by 59%.

What’s coming up in the world of cyber security?

The world of cybersecurity moves quickly, as new viruses, scams and malware are created as well as increasingly sophisticated tricks and traps used to deploy them. So what’s on the horizon for the next 12 months? We take a look at a few trends that will be making headlines in 2020.

Consolidation, consolidation, consolidation

There is a dizzying variety of items in most businesses’ IT portfolios in 2019 that wouldn’t have been anywhere near their radar a decade ago, from air conditioning units to waste bins, alongside the traditional bevy of computers, phones, printers and other hardware, so it’s an increasing challenge to keep on top of it all. In order to ensure that everything in the organisation has equal protection, and to cut down on the number of bulky and power-hungry servers needed on-site, many IT professionals are moving their data and systems to the Cloud. This allows them to remove old legacy systems and software that can be replaced with Cloud-based alternatives, to comply better with GDPR rules on security, and to organise the data that is moved across so that it’s more usable.

BYOD is the new threat

While there was initial resistance in the IT world to Bring Your Own Device requests that allow staff to do business on their own phones and tablets, it’s increasingly becoming a key part of their strategy to cut spending on hardware and to bake the ‘work anywhere’ principle into the way the organisation functions. While it’s very convenient, it’s also a major new danger for companies whose employees have a wide range of tech-savviness and levels of protection on their devices. Watch out for scammers going after staff-owned devices, and consider what you might do if an employee’s phone is compromised. Getting a certification to show your organisation is compliant with Cyber Essentials or Cyber Essentials Plus, created by IASME, is a great way to get peace of mind if the worst does happen.

Governments under fire

2019 saw a worrying surge in the number of cyberattacks against local Government targets, such as the UK’s NHS, which historically has been less proactive than private companies on cybersecurity. Stretched budgets have left security funds depleted, which is bad news if you’re a member of the public affected or one of the many thousands of businesses who supply local Governments and come into contact with their IT. It might be a good idea to beef up your procedures for handling items and emails received from your public sector clients, and to consider what you would do if you suffered an attack.

Survey paints positive picture of education in cybersecurity

There has been some good news from the world of information security, as the latest survey from the Joint Information Systems Committee (JISC) has found that colleges and universities across the UK are beefing up their investment in cybersecurity.

More investment

The group, which exists to highlight the challenges and opportunities in the UK information security sector, has found that not only are higher education institutions more likely to have staff in roles dedicated to promoting and providing cybersecurity, they are also investing more in training and technical solutions than ever before. Particularly encouraging was the news that there has been a 14% increase in the number of institutions implementing the industry-recognised security standard Cyber Essentials, to 40% of the further education sector.

Alongside this encouraging data, the report also found that 97% of universities and 75% of colleges now use third-party security services to bolster their defences and that 66% of institutions now have a dedicated lead on cybersecurity within their IT staff – all large increases on the same time last year. Despite this, the overall fear of cyber-attacks has grown, probably due to high-profile instances of attacks in the global media and the unsettling effect of new regulations like GDPR.

Protecting your business

Achieving certification in Cyber Essentials with a compliant body like IASME is a big step for any higher education institution. It demonstrates a solid commitment to tackling security threats within the IT and higher education industries, and is a serious escalation of an institution’s security posture in the face of increasing threats from online criminals. Compliant organisations are much less likely to suffer attacks or to take serious damage from security breaches, and CyberSmart software can decrease the chances of suffering loss by up to 80%. With a baffling array of threats out there, threats which are constantly changing and evolving, it can seem like a full-time job keeping up with the latest news on what the bad guys are up to – never mind implementing measures to deal with them.

That’s where CyberSmart, delivering Cyber Essentials and Cyber Essentials Plus certifications, comes in. As these are government-recognised standards, you’ll have the peace of mind that comes from knowing you are at the cutting edge of the industry standard where protecting your business is concerned: not only is the latest technology in place to protect you, but your staff are trained to the highest standards to help mitigate threats before they happen.

Facing the realities of cybersecurity

Data breaches have become increasingly commonplace for both businesses and consumers. Consumers face worries about the safety of their data, while many businesses seem to be failing to keep up with protection against cyber-attacks. A 2019 report from Bitdefender revealed that six out of ten businesses had been a victim of a data breach in the last three years. As threats continue to grow, it is becoming more and more important for businesses to ensure they prioritise funnelling their budget and resources into cybersecurity.

How worried should I be about a data breach?

Despite IT professionals working to stay on top of cybersecurity and feeling confident with the protection they provide, the reality is that businesses continue to face security breaches. Honest IT professionals have admitted that their business could be being breached without them even realising. The largest threats facing companies’ cybersecurity are thought to be phishing, whaling attacks, Trojans or ransomware. Cyber-attacks can be incredibly difficult to protect against efficiently, due to the complex and ever-evolving landscape of attackers and the methods they use.

As businesses grow and navigate the current economic climate, lower budgets and cuts to training can be a common occurrence. Unfortunately, this can mean inadequate training for cybersecurity teams, insufficiently educated employees, and consequently businesses that are under-protected against attack. Now more than ever, it is vital that businesses invest time and money into their cybersecurity resources, or they risk facing an attack that could be detrimental to the whole business.

How can I prevent an attack?

As threats to cybersecurity continue to evolve in their sophistication and complexity, it can be tough for businesses to prepare themselves adequately against attack. There are constant improvements being made in the cybersecurity industry, and changes in regulations that businesses are expected to comply with. A great way to protect against a data breach is to educate your employees on cybersecurity, the potential threats and the steps that should be taken to best avoid an attack. There are many well-qualified companies that offer thorough cybersecurity training from skilled professionals.

Furthermore, the most significant step businesses can take to improve their data protection is to invest in cyber-protection software that prevents as many attacks as possible, meets current government standards and automatically works to ensure employee devices are compliant. CyberSmart offers a range of certifications such as Cyber Essentials and Cyber Essentials Plus, as well as CyberSmart’s applications, providing you, your business and your customers with peace of mind and assurance that your data is well-protected.

Small businesses at risk of multimillion pound fines for breaking GDPR rules

A new survey has revealed many small business owners are still clueless about GDPR. The results suggest small businesses could be in breach of GDPR without even realising it, as half of the participants appeared confused when answering questions surrounding data protection and privacy regulations.

A worrying four in ten didn’t know that losing paperwork could be a data breach, or that emailing or faxing personal details could also potentially breach data regulations.

Are you being extra careful when sending that email?

Scarily, 45% of businesses did not know that the ICO (Information Commissioner’s Office) needed to be informed when data was breached and individuals’ rights were affected. The survey also showed they were unaware of the need to ensure confidential paperwork, such as signing-in and visitors’ books, was kept in a protected environment.

It’s essential as a business owner you stay well informed and aware of GDPR and data protection to ensure you continue to create trust in your employees and consumers. By staying up to date with the changing data laws, you will show that you are consistent in protecting personal and private information.

Breaking GDPR is easily done within a business – it’s as simple as storing files with personal data outside of a defined structure. Many SMEs are digitally renovating their businesses with more intricate technology; however, this essential move is increasing their exposure and vulnerability to cyber-attacks.

The fact that new threats are constantly evolving and developing – and 43% of cyber-attacks are aimed at SMEs – highlights the lack of knowledge surrounding GDPR. Small businesses now need to look at investing more time in digital security. This will not only prevent any future attacks but show that you are being proactive with your digital approach.

What can you do?

By maintaining your security and safeguarding your business, you are able to protect your organisation long term. Utilising Cyber Essentials, Cyber Essentials Plus and IASME GDPR Readiness certifications, which are compliant with the Data Protection Act (2012), you can ensure that you are prioritising your business and data while giving your employees and consumers that added assurance.

Safeguarding your data should be your priority. Considering crisis incidents such as extortion, cyber attacks, and industrial espionage are just a click away, it is critical that SMEs assess their ability to survive a cyberattack, and there are steps to take to prevent and manage this if the worst were to happen.

How confident are you that your business is fully compliant?

Three reasons why SMEs need to invest in cybersecurity

Social media and the internet have managed to infiltrate every household, school and SME within modern society. The internet has indeed changed many aspects of our lives for the better, with commercial benefits such as providing opportunities, enabling growth and development, and increasing financial gain.

Many SMEs are digitally renovating their business processes to avoid lagging behind their competitors. This essential move into increasingly intricate technology can cause a parallel increase in their exposure and vulnerability.

Here are three reasons why SMEs should invest in cybersecurity in 2019:

1. Protects your business and customers

A single successful attack could not only damage your business but affect how consumers view your company, and ultimately direct them to choose an alternative with greater reliability and credibility. Cyber attacks can ultimately destroy your business’ reputation. All businesses hold a range of data, which can include sensitive information that can easily be accessed if you do not have Cyber Essentials. Businesses that fail to manage a customer’s personal data in accordance with GDPR could experience regulatory sanctions.

2. Keep up to date with new threats

Safeguarding your valuable data should be a priority within your business because failing to comply with modern cyber-security and data privacy laws (GDPR, IASME) can put your clients at massive risk.

Even if you feel that your business is safeguarded, compliant and protected, cyber-attacks are increasing every year and are becoming more sophisticated with the ability to attack the most advanced security systems. Ensuring you get Cyber Essentials Plus or Cyber Essentials certified can ensure you stay on top of advanced threats and keep your business secure.

3. Cyber-attacks are preventable

By maintaining security hygiene and safeguarding within your organisation, and following a few key steps to better protect yourself, you are creating a more secure and trustworthy business for clients. By being Cyber Essentials or Cyber Essentials Plus certified, both of which are compliant with the Data Protection Act (2018), you can be confident that you are protecting your business and data, and will give your customers added assurance.

Cyber-crime will continue to evolve, with new threats developing every year. As such, your business should be prioritising taking action against potential cybersecurity breaches. However, today the velocity of cyber-attack evolution is far outpacing the level of security that businesses have deployed, so cybersecurity has never been more valuable to SMEs. Remember, a cyber-attack is more a question of ‘when’ not ‘if’.

GDPR: ICO publishes new guidance on Special Category Data

The Information Commissioner’s Office (ICO) has published new guidance on how and why special category data needs to be handled more carefully.

Some types of personal data are extremely sensitive, and therefore data controllers must take extra measures to ensure their protection. This is known as special category data, and it relates to data that:

  • reveals racial or ethnic origin;
  • reveals political opinions;
  • reveals religious or philosophical beliefs;
  • reveals trade union membership;
  • is genetic data;
  • is biometric data (where used for identification purposes);
  • concerns an individual’s health;
  • concerns a person’s sex life; or
  • concerns their sexual orientation.

Leaks of this type of personal data can be extremely damaging and dangerous. Just imagine if your medical records, information about your sex life or your political opinions were put into the public domain so anyone could see them.

This has led the ICO to publish new guidance to support organisations in ensuring they stay GDPR compliant and protect the data they control. 

What does the new guidance say about how organisations should approach processing special category data?

Firstly, as always, you must have a GDPR lawful basis to process data under Article 6. However, when processing special category data you also need an Article 9 condition for the processing and potentially an associated DPA 2018 Schedule 1 condition. Many of the DPA 2018 conditions require you to have an appropriate policy document in place. This is a short document that should outline your compliance measures and retention policies with respect to the data you are processing. 

There is more to do when processing special category data, but the provisions are in place to help you protect the data of those whose information you hold, and increase your customers’ confidence in you. 

Data protection obligations got you in a muddle? Get on top of them quickly and easily with the CyberSmart Privacy Toolbox.

Securing the links in your supply chain to prevent cyber attacks

Cyber attacks happen virtually every day, and the impacts data breaches can have on SMEs can be catastrophic. Falling foul of GDPR legislation can result in fines, loss of trust in your company and ultimately loss of revenue – so it pays to be compliant.

However, what about the other organisations in your supply chain? Do they require access to your data or systems? Could your security become compromised as a result? While you might have the right cyber essentials in place, can you say the same about your suppliers? These are just a handful of questions all company decision-makers should be asking. 

Supply chain attacks: a history 

Supply chain attacks are nothing new. In fact, one of the largest data breaches in history – when the US-based retailer Target had the credit/debit card information of up to 40 million customers stolen – happened when the firm’s POS system was infiltrated via malware that came through a supplier. In 2013, attackers used the “trusted” connection between the supplier and Target’s system to gain easy access.

Putting appropriate controls in place 

All SMEs should understand the risks suppliers may pose and should ensure the supply chain is subject to the appropriate security controls. A good starting point would be to request all suppliers show evidence of having attained “Cyber Essentials” certification – the UK’s recommended security standard. However, this might even be insufficient for high-risk suppliers, who need to go one further and get “Cyber Essentials Plus” accredited.

Mitigating against risk 

As a company, you need to decide which controls you insist upon your suppliers having before you decide to continue doing business with them. If suppliers are unwilling or otherwise unable to comply with these requests, you need to consider whether you can put procedures in place to protect your data that allow you to continue forging a working relationship with them. 

Cyber-attacks are one of the biggest threats faced by SMEs in the UK today, and their impacts on every entity within a supply chain, from top to bottom, are far-reaching. It’s therefore imperative for all elements of the supply chain to work together to maintain the strictest possible security measures.

Find out more 

If you’d like to know more about Cyber Essentials certification or are concerned that your business might not be adequately protected against supply chain cyber-attacks, why not contact CyberSmart today? A member of our team will be happy to discuss your requirements or arrange a security audit of your current systems.

The impact of GDPR: cybersecurity improvements that benefit you

An upsurge in incidents or cybersecurity crackdown? 

Data breach victims and negligent companies aside, how have everyday companies fared with the new GDPR regulations? The most comprehensive review of the impact of the May 2018 change is the ICO’s annual report. The report has revealed a 29% increase in reported security incidents and data breaches. The requirement for companies to report significant incidents within 72 hours of becoming aware of a data breach has greatly increased the number of breach reports. Although on the surface it may look as though incidents have increased exponentially in the last 2 years, the new GDPR rules have actually resulted in a cybersecurity crackdown instead.

Great news for compliant companies 

The ICO’s analysis shows that there is further good news for companies who are happy to comply with the new regulations. Despite £875,000 of fines being issued between July and September 2018, a closer look at the statistics shows that the data breaches here were mostly caused by individuals or companies with inadequate policies, with fewer successful cyberattacks overall. The NCSC has played a pivotal part in raising awareness of GDPR compliance, and this has resulted in many businesses finding it easier to follow the regulations laid out in the new laws. This has meant that more companies are GDPR compliant and, as a result, are less likely to be involved in a situation where fines might be issued.

Because the GDPR regulations have caused companies to put more effort into data collection as well as data protection, there is far more data available. With improved security comes a more knowledgeable taskforce, with companies beginning to rely on the increased data opportunities for future planning. This is an incredible boon for companies who are ready to use the new data. It can improve long- and short-term planning, as well as the analysis of previous years.

Cost-saving security 

Best of all, companies are starting to report the positive impact that improved security has had on their bottom lines. Fewer data-breaches means fewer fines, fewer compensation claims, less costly mop-up operations and more trust from their customers.

Data protection obligations got you in a muddle? Get on top of them quickly and easily with the CyberSmart Privacy Toolbox.

Is your business protected from these common cyber threats?

Many small and medium businesses avoid thinking about their cybersecurity. This may be for a number of reasons, including fear, financial constraints and human resource issues. Predominantly, however, many businesses do not focus on their cybersecurity as they believe cyber threats are only real for large businesses. Unfortunately, small to medium-sized businesses are often the target of malicious cybercriminals due to their weak cybersecurity. Below we look at some commonly overlooked threats in SME cybersecurity.

USB sticks 

Due to their small size, USB sticks are portable, which makes them incredibly useful. However, USB sticks are therefore also very easy to steal and tamper with if they are not kept in a safe place. Malware can be installed on USB sticks, so it is essential that you never plug a USB stick into your computer if it has been out of your possession, e.g. if you have been given one for free or if your missing USB stick is miraculously returned to you. It is also important to make sure your USB stick is encrypted and password protected.

Zombie accounts 

In 2019, GDPR was undoubtedly a dominant topic, and the new regulations forced businesses to consider how they find and store their data more than ever before. Even if a business is compliant with GDPR, it still needs to consider the risk of zombie accounts. Zombie accounts are online accounts closed by their user and then re-opened by a third party, without the original user’s consent. Business owners should also be aware that zombie accounts can be the accounts of previous employees, giving hackers access to your website and private business information. Identifying, deactivating and deleting any potential zombie accounts is essential to ensure the safety of your business. Cybersecurity services, such as CyberSmart, can help you do this.
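A small audit script, written here as an added example (not CyberSmart’s code), that flags the zombie accounts the paragraph above describes: logins that still work for people on the HR leavers list, accounts closed and later re-opened by someone other than their owner, and enabled accounts nobody has used in months. The account records, leavers list and audit-trail format are constructed sample data, and the field names are assumptions rather than any real product’s schema.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    username: str
    owner: str                  # person (or team) the account belongs to
    enabled: bool
    last_login: Optional[date]
    # constructed audit trail: (when, action, actor); action is "close" or "reopen"
    history: List[Tuple[date, str, str]] = field(default_factory=list)


def find_zombie_accounts(accounts: List[Account], leavers: Set[str],
                         today: date, dormant_days: int = 90) -> Dict[str, List[str]]:
    """Map each suspicious username to the reasons it looks like a zombie account."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        reasons: List[str] = []

        # 1. Owner has left the organisation (per HR) but the login still works.
        if acct.enabled and acct.owner in leavers:
            reasons.append("owner has left but account is still enabled")

        # 2. Account was closed and later re-opened by someone other than its owner.
        closed_on: Optional[date] = None
        for when, action, actor in sorted(acct.history):
            if action == "close":
                closed_on = when
            elif action == "reopen" and closed_on is not None:
                if actor != acct.owner:
                    reasons.append(f"reopened by {actor} on {when} after closure on {closed_on}")
                closed_on = None

        # 3. Enabled but unused: never logged in, or not within the dormancy window.
        if acct.enabled and (acct.last_login is None
                             or (today - acct.last_login).days > dormant_days):
            reasons.append(f"dormant: no login in {dormant_days} days")

        if reasons:
            findings[acct.username] = reasons
    return findings


# Constructed sample directory (not real accounts or people).
TODAY = date(2019, 12, 1)
LEAVERS = {"alice"}   # names supplied by HR as having left the business
ACCOUNTS = [
    Account("alice", "alice", True, date(2019, 6, 3)),      # left, still enabled
    Account("bob", "bob", True, date(2019, 11, 28)),        # healthy account
    Account("carol", "carol", True, date(2019, 11, 20), history=[
        (date(2019, 8, 1), "close", "carol"),
        (date(2019, 9, 15), "reopen", "helpdesk"),          # re-opened by a third party
    ]),
    Account("svc-backup", "dave", False, None),             # disabled: nothing to flag
    Account("erin", "erin", True, None),                    # enabled but never used
]


def audit_sample() -> Dict[str, List[str]]:
    """Run the audit over the constructed directory above."""
    return find_zombie_accounts(ACCOUNTS, LEAVERS, TODAY)


if __name__ == "__main__":
    for user, why in audit_sample().items():
        print(user, "->", "; ".join(why))
```

Each flagged account should then be disabled and, once any data it owns has been reassigned, deleted, with the leavers list and the dormancy window re-checked on a regular schedule.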

Data security 

To ensure you can maintain the legally required GDPR compliance, storing your clients’ data safely is essential. Many businesses find data storage overwhelming and feel they don’t have the time or resources to properly understand or manage their data. There are, however, easy steps you can take to ensure your clients’ data is protected.

  • Implementing strong passwords is essential to protect yourself from a security breach. Using a combination of capital and lower-case letters, numbers and symbols, and making it 8 to 12 characters long, will make your password hard to crack.
  • Install a firewall – In order to have a properly protected network, firewalls are a must. A firewall protects your network by controlling internet traffic coming into and flowing out of your business. 
  • Making sure your computer is properly patched and updated is a necessary step towards being fully protected. Updating your programs keeps you up-to-date on any recent issues or holes that programmers have fixed. 

CyberSmart can help your business earn Cyber Essentials Plus certification, the highest level of this government-backed certification, helping you ensure your company is safe against the most common threats. In achieving this certification, you can be confident you are protecting your business and data, and give your customers added assurance.

If your business is hit by a cyber-attack, not only could you stand to lose a lot financially, you will also lose the trust of your clients, something that is almost impossible to regain. To ensure you avoid such a problem, contact CyberSmart today and a member of our expert team will help improve your cybersecurity.