Category Archives: Uncategorised

what to do with DMARC reports

The requirement to implement DMARC is going to cause many companies difficulties, as a large proportion of domains (more than 30% by some estimates) are still not compliant, and once DMARC is in place you are faced with the data it generates: what do you actually do with DMARC reports?

Do you know if your domains are DMARC compliant and what to do with DMARC reports?

Make no mistake, this is a good and necessary move. Email security is about to get better with the rollout of stricter DMARC enforcement by major email platforms such as Google and Yahoo, supported by many corporations.

In summary, DMARC is a powerful tool that helps protect your domain from being spoofed (impersonated). Receiving mail systems check that a message claiming to come from your domain passes SPF or DKIM for a domain aligned with the From address, and your published policy tells them what to do when it does not. Note that DMARC protects your domain name, not your mailboxes: it does nothing to stop unauthorised logins to your email accounts, which need separate controls such as multi-factor authentication.

Without a strict and accurately configured reject policy, attackers can easily:

  • Send email that appears to come from your domain to your customers
  • Send convincing phishing messages using your domain
  • Steal data and credentials


An alarmingly high number of cyber breaches use spoofed domains to help trick their victims.

The reason for this update is simple – it is too easy for cybercriminals to impersonate legitimate domains and send us illegitimate emails that appear to be from legitimate businesses.

DMARC compliance gives the people we email additional proof that messages from our domain are legitimate, and prevents our brands from being hijacked to carry out phishing attacks on our customers and suppliers.

If you’re not sure whether you’re DMARC compliant, we can check for you. DMARC settings are designed to verify that the domain in the From address really authorised the message, and to tell receiving mail systems to quarantine or reject unauthorised email that uses your domain.

From 1 February 2024, Google and Yahoo require bulk senders (5,000 or more messages a day) to authenticate mail with SPF and DKIM and to publish a DMARC policy, and will reject or junk mail that does not comply. This initial phase targets high-volume senders only, but it is the first step, and the requirements are expected to extend to everyone in the near future.

We have expertise in resolving email issues and also offer our customers a DMARC report management service. Get your free DMARC compliance report.
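What you actually do with a DMARC report: the aggregate (RUA) reports that receivers send to the address in your rua= tag are XML, and the job is to work out which sending sources pass, which are legitimate senders that merely need their SPF or DKIM aligned, and which are outright forgeries, before moving the policy from p=none to p=reject. The following Python is an added worked example and is not code from the original page or from Tamite’s service. The report it parses is a constructed sample in the RFC 7489 aggregate-report XML schema with placeholder IP addresses and domains, and the verdict labels (dmarc_pass, auth_unaligned, unauthenticated) are this example’s own naming.

```python
"""Triage a DMARC aggregate (RUA) report and grade a DMARC TXT record.

Added example, not Tamite's tooling. SAMPLE_REPORT is a constructed report in
the RFC 7489 aggregate-report XML schema; the IPs and domains are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>42</report_id></report_metadata>
 <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
 <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>bulk-mailer.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>192.0.2.99</source_ip><count>4</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""


def parse_aggregate_report(xml_text):
    """Flatten each <record> into a dict; returns the published policy and the records."""
    root = ET.fromstring(xml_text)
    records = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        auth = rec.find("auth_results")
        # Raw SPF/DKIM passes for *any* domain. policy_evaluated holds the aligned
        # verdict, i.e. whether the passing domain matches the From: domain.
        raw_passes = {f"{r.tag}:{r.findtext('domain')}"
                      for r in (list(auth) if auth is not None else [])
                      if r.findtext("result") == "pass"}
        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "raw_passes": raw_passes,
        })
    return {"domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"),
            "records": records}


def classify(record):
    """DMARC passes when either SPF or DKIM passes *and* is aligned with From:."""
    if record["dkim_aligned"] or record["spf_aligned"]:
        return "dmarc_pass"
    if record["raw_passes"]:
        # Authenticated for some other domain: usually a legitimate third-party
        # sender (mailing tool, CRM) that needs aligned DKIM before you enforce.
        return "auth_unaligned"
    return "unauthenticated"  # nothing passed: spoofing, or a sender nobody told you about


def triage(report):
    """Message totals per (source_ip, verdict): the work queue before moving to p=reject."""
    totals = defaultdict(int)
    for rec in report["records"]:
        totals[(rec["source_ip"], classify(rec))] += rec["count"]
    return dict(totals)


DMARC_TAG = re.compile(r"\s*([a-z]+)\s*=\s*([^;]+?)\s*(?:;|$)", re.IGNORECASE)


def grade_policy(txt_record):
    """Flag the gaps to check in a domain's _dmarc TXT record before trusting it."""
    tags = dict(DMARC_TAG.findall(txt_record))
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam rather than being rejected")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail stream")
    return findings


if __name__ == "__main__":
    report = parse_aggregate_report(SAMPLE_REPORT)
    print(f"{report['domain']} publishes p={report['policy']}")
    for (ip, verdict), count in sorted(triage(report).items()):
        print(f"  {ip:<15} {verdict:<16} {count:>5} messages")
    for finding in grade_policy("v=DMARC1; p=none; pct=50"):
        print("  ! " + finding)
```

Run it against the XML attachments that arrive at your rua= mailbox (they come gzipped or zipped, so unpack them first). Sources that come out as auth_unaligned are the ones to fix before tightening the policy: get that service to DKIM-sign with your domain, or make its envelope sender align. Sources that come out as unauthenticated with any real volume are the spoofing that a reject policy will stop, and a few stray unauthenticated messages from your own IP ranges usually mean a forgotten printer, scanner or application sending mail you never added to SPF.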


Will Microsoft Copilot AI be boosting your productivity

Will Microsoft Copilot AI  prove that not all additives are bad for us?

We think Artificial Intelligence (AI) is poised to play a crucial role in our daily digital and professional interactions, and we aren’t the only ones.

Recently, Amazon announced its investment in Anthropic, a move expected to enhance the capabilities of Alexa and provide AI support for the Amazon online store and the AWS cloud platform (Amazon Web Services).

Earlier this year Bill Gates said that the businesses that grasp the opportunities presented by AI are the ones that will succeed in the next few years.

Microsoft is certainly doing its bit to fulfil its old boss’s prediction: this “fall” (autumn to us Brits) Copilot will be made available as part of upgrades to Windows 11, the Edge browser and, of course, M365.

We will be blogging regularly on the new AI capabilities and, as a security-focused organisation, Tamite will of course be looking at the privacy implications.

Microsoft is poised to launch its AI assistant, Copilot, into its M365 suite (formerly known as Office 365). We will help our clients understand the potential of AI in their organisations and guide them towards easily achievable benefits by showing them how to pick some low-hanging fruit.

Read the BBC’s article on this subject:

https://www.bbc.co.uk/news/technology-66914338

Today is Safer Internet Day

Safer Internet Day is the ideal opportunity to do yourself, your business, your children and your family an enormous service.

Become informed about safety on the Internet this year.

11th February 2020 is Safer Internet Day

Doubtless, like mine, your children will be told about Safer Internet Day.

Across the UK it will be covered in school assemblies and, as at my child’s school, in e-safety lessons.

In schools across the UK, children will take part in a number of activities around the global theme of ‘Together for a better internet’.

Your child’s school will encourage them to explore how they manage their online identity, which leads on to how the internet shapes how they think of themselves and others.

To be honest this is a message we should all be taking on board whatever our ages.

By championing Safer Internet Day, we at Tamite are doing our bit this year: we are making training and information for our customers and followers the top priority for our business.

This is an area of life where a little knowledge isn’t dangerous but ignorance certainly is.

Being informed about safe usage and avoiding the pitfalls isn’t really that hard. Like anything of value, you need to devote some time to it.

We can show you how, by devoting one hour per month to computer security. By next year you will be making your contribution to a safer internet, and maybe even be one step ahead of your children for once.

Sign up today to our Project 360-Five


Marriott & BA GDPR fine

UK ICO shows its teeth with record-breaking fines for GDPR breaches at Marriott & BA

By announcing its intention to fine BA £183m and following up with £99m for Marriott, the UK ICO has signalled its intent to punish transgressions where personal data has been put at risk.

The fact that the initial reaction from both BA and Marriott is that the fines will be contested only confirms that the new punitive approach is having its desired effect; both companies have questioned the size of the proposed fines.

The signal being transmitted by the ICO is that data security, especially where it concerns protecting personal data, must be taken seriously within organisations.

BA’s complaint that the fine is excessive because nobody has provably suffered damage as a result of the breach will probably not prove a defensible position.

The Information Commissioner Elizabeth Denham’s statement on the BA GDPR fine: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.

“That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The fact that the proposed fine represents 1.5% of BA’s global turnover, when the maximum that could have been imposed is 4%, means BA is unlikely to see much success in its proposed appeal, which would probably only further damage its brand should it proceed.

The Marriott group faces a similar dilemma; the group’s claim in mitigation that it did not own the Starwood Hotels group at the time of the breach will not cut much ice.

The UK ICO Statements on BA & Marriott

The ICO pointed out that part of the buying company’s due diligence should have been to ensure it was aware of any such failings:

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

The Information Commissioner is clearly sending a message: companies that fail to put data security at their core and then find themselves the victims of a data breach will be dealt with severely, and pleading that you didn’t know (Marriott) or that you were the victim of a sophisticated attack (BA) is not necessarily mitigation.

The online world has been going through its own period of crisis. Since Cambridge Analytica, Google, Facebook and the rest have had to deal with a new reality in which social media is widely distrusted by its users, and they have been hit with large regulatory fines, including the first GDPR penalties, as European regulators respond to breaches.

Having seen the writing on the wall, the Social Media giants for the first time in a very long time are having to respond to events rather than shaping them.

Ironically, they seem to have forgotten where their huge incomes are derived: the social revolution has been based on a delicate balance of surrendering some valuable information about oneself in order to access services that are perceived as “free”.

Following revelations of systematic exploitation and casual sharing of personal data, many users now actively distrust the organisations behind the social media they love to use.

As a result the industry is in turmoil and the big players are now actively trying to regain credibility by actively portraying their privacy credentials.

As a result of the BA GDPR fine and its inevitable fallout, the correct response from businesses in the service sector will be to reassure customers that they take their duty of trust seriously, as the current flurry of adverse publicity, with doubtless more to come, has put the industry under the spotlight.

The service sector needs to look to its most important relationship, the one with its customers; it is time to review data security and learn the hard lessons presently being learnt by the social media giants.

The Tamite Secure IT View

The internet age has redefined the relationship between the service industries and their customers, to which trust is intrinsic; this trend is increasing, and Big Data and the Internet of Things will further define the new reality.

GDPR has been a pivotal event in fostering a responsible attitude towards data and privacy across all industries.

The pressure on organisations to meet complex requirements resulted in GDPR fatigue setting in for many businesses, which were slow to learn that GDPR compliance is a journey rather than a destination, and needs a marathon runner’s mindset rather than a sprinter’s.

New studies have revealed that nearly a third of European firms have still to make sufficient progress towards long-term GDPR compliance. Prosecutions and fines for breaking consumer data protection laws are increasingly becoming public, and these fines have the potential to dent a company’s reputation and balance sheet.

Making Privacy by design and default part of the company culture will take time for firms who are still working to understand how GDPR is applied to their business model or industry. Undoubtedly there has been a sea change in how companies use and process data.

The first anniversary of GDPR coming into force has seen businesses become more mindful of how and why they collect and store data, and take steps to process it lawfully.

For a free consultation on your GDPR progress contact Richard Bristow Tamite Secure IT Sales Director

Contact Us

When did you last update your Disaster Recovery plan?

If you haven’t revised your disaster recovery plan for a while, consider the sobering statistic that cyber breaches across the UK finance sector were up 1,000% in 2018, a figure that emerged from a Freedom of Information request to the Financial Conduct Authority. This trend is not purely a problem for finance but will be reflected in any industry that is an attractive target for cybercriminals.

Making sure your disaster recovery plan reflects the modern landscape of risk is a regular task every business needs to undertake. Risks are not fixed in stone but change and evolve, new issues loom on the horizon as old threats recede in the corporate rear view mirror.


Two years ago ransomware was the looming threat: WannaCry was the hot news, a virulent, self-spreading ransomware worm that caused panic for a few days in May 2017.

WannaCry has now receded into corporate memory. It was highly effective, infecting around 200,000 systems in 150 countries over the course of a single weekend, and in the event it was thwarted more by luck than judgement, when a researcher registered the unregistered “kill switch” domain that the malware checked before spreading.

Monetisation by the cybercriminals controlling the ransomware was inefficient and patchy; estimates of the income from WannaCry are around £50,000, so they were unable to exploit it to its full potential.

Sadly, ransomware hasn’t gone away, and the indications so far this year are that it is back and the criminals running it have learnt their lessons.

The resurgence has been fuelled by factors such as the cost of entry, which has never been lower for a prospective cybercriminal: ransomware is now offered on an affiliate (ransomware-as-a-service) model, so no real technical knowledge is required, just criminal intent.

Of course criminals need victims, but this presents no problem, as the data required for a campaign can be readily acquired at record low cost thanks to a glut of information: high-grade personally identifiable records from data breaches are regularly traded on the dark web (see Have I Been Pwned).

This year’s trend is the deliberate targeting of prospective victims (individuals, companies and industries) to maximise the earning potential. Witness recent events at Norsk Hydro, which suffered a targeted attack in March and, having decided not to pay the ransom, is still recovering its systems four months on at an estimated cost of £52M.
It is little wonder that many victims, or their insurers, pay the ransom rather than try to remediate.

It would logically follow that companies deciding to pay the ransom also don’t notify the Information Commissioner, and so probably don’t initially hit the headlines, until the breach comes to light because customer and supplier data is traced back to an unreported incident. How many unknown victims in finance, accountancy, travel and tour operators, hotel chains and so on are sitting on a ticking time bomb?

Making sure your company has layers of protection and an effective backup regime is one way we help our customers; we also help you create effective disaster recovery policies to put your business back on track in the shortest possible time.

3 Steps to better IT Security

Step Two: Windows Antivirus

Firstly, you are probably aware that Windows 10 comes with far better protection by default than any previous version of Windows: the operating system itself is, as IT security professionals put it, “harder”, and it has its own protection built in, including Windows Defender, the anti-malware component of Microsoft Windows.

The antivirus products being added to systems these days are built to protect the system from the multiple, varied and evolving threats deployed to exploit systems and their users, you and me.

When we talk about antivirus these days we are talking about a product that performs many other functions, all aimed at keeping us safe in a landscape of constantly evolving threats. All of them are seeking ways to exploit us: directly, by monetising an infection (for example ransomware); indirectly, by stealing data and selling it on; or by “weaponising” your PC to infect other PCs or enrolling it in a botnet used to launch DDoS attacks.

Because of the sophistication of the attacks and the many different ways they are carried out, the commercial Windows antivirus developers use a strategy of layered defences to guard your machine.

Typically, commercial Windows antivirus carries out most of these functions without bothering you, acting like a good bouncer by stopping the undesirables at the door, so most of the time the owner of the system is unaware that an attack has been averted and oblivious to the sterling work being done.

In fact, as a user it is worthwhile getting to know your antivirus program, as these products typically have capabilities that go untapped; I will list some useful YouTube content that demonstrates the powerful toolkit available.

One I would especially recommend to worried parents is the ability of the Home version of ESET Internet Security to manage web access based on pre-set rules graded by age.

You also can easily edit the rules for each user to more finely tune their access.

Key Features
  • Antivirus and Antispyware detects and removes threats, including viruses, rootkits, worms and spyware.
  • Host-Based Intrusion Prevention System (HIPS) prevents unauthorised tampering with the system registry and other critical system components.
  • Two-Way Firewall is essential for a mobile workforce, particularly if they have remote access to your company network.
  • Botnet Protection protects against infiltration by botnet malware.
  • Web Control limits access to websites: you can use pre-defined categories or whitelist/blacklist on a case by case basis.
  • Exploit Blocker strengthens the security of common applications such as web browsers, PDF readers, email clients and MS Office components.
  • Cross-Platform Protection prevents malware moving from one OS to another.
  • Anti-Phishing defends end-users against fake websites looking to harvest sensitive information, such as passwords, usernames or bank/credit card details.
  • Device Control allows you to block unauthorised devices (CDs/DVDs and USBs) from being connected to your systems.
  • Idle-State Scanning performs a scan on your systems whilst they aren’t being used, avoiding interruption during the working day.
  • RIP & Replace removes other security software during installation, making the transfer from an under-performing antivirus even easier.
  • Customisable GUI Visibility lets you control how much of the interface end-users can see; it can be set to full, minimal, manual or silent.
  • Low System Demands: fully protect your system or network with minimal system resources.

With the present anxiety around social media and advertising through the web, the next generation of tools and web browsers will be about protecting us and our identities from intrusive and targeted advertising.

More on this in the next couple of weeks, when I will be discussing the war being waged between the internet giants and the governments who want to tax and regulate them, against a growing wave of distrust and disenchantment from the user base and hostile press coverage. I will discuss why the repercussions of abuses such as Cambridge Analytica, which have put them in the spotlight, may shape the very future of the web.

ESET is a Which? magazine #1 Best Buy. I would like to know more about ESET security products.

Top Tip: Regularly check that your antivirus is actually running and up to date, as a broken or out-of-date antivirus offers little protection.

Top Tip: Using a simple password manager takes away a lot of the angst of having sensible password policies and will make a massive difference to your security online. ESET Password Manager is part of the ESET Smart Security Premium package; it protects and stores your passwords and personal data, and includes a form completion (autofill) feature that saves time by completing web forms automatically and accurately.

Top Tip: Businesses should use the ESET management console to monitor all of their installations across the network.

Is a Spear Phishing email attack targeting a CFO near you

Spear phishing is the description given to highly targeted phishing campaigns, typically aimed at specific individuals or departments within a company, often the CEO or finance director.

Messages are directed at the target via email, social media, etc., and often appear to have come from a trusted supplier, partner or even an internal colleague, because the cybercriminal will have done their homework on you in order to devise an attack that looks plausible to you, the intended victim.

The aim of a spear phishing campaign is to dupe someone within an organisation into inadvertently giving access to the network, for example by downloading a payload such as ransomware.

Criminal gangs are also actively defrauding many companies directly with fake invoices or requests for payment.

This form of fraud has seen companies lose thousands of pounds to cyber crime gangs specialising in what is known as CEO fraud.

The Problem for everybody is that the Dark Web is awash with personal data from multiple data breaches.

Recently the existence of the data leak known as Collection #1 was made public; further collections (#2 to #5) are now in circulation, reported to contain around 2.2 billion unique user records.

The importance of this is that because information about you is available on the dark web, usually as a result of a breach at an organisation holding your personal data, the cybercriminal’s task is greatly simplified and the chances of your becoming a target are multiplied.

How do I find out if my personal data has been compromised?
Email Exposure Check Pro

Spear Phishing Emails are targeting key individuals within businesses

Breaches like those at Marriott, British Airways, LinkedIn and Equifax have created an extensive repository of personal data for potential spear phishing scams and other social engineering attacks.

Spear phishing emails are a constant threat, but it is worth noting that cybercriminals use peak periods such as Black Friday, Christmas and the New Year to target busy CFOs with sophisticated phishing attacks.

The attacks often use hijacked mail accounts and identities to carry out the scam.

Research has indicated that around 91% of data breaches start with a phishing attack. Tamite Secure IT puts in place strategies that include training and detection technologies to protect your critical mail stream. We recommend you employ advanced email filtering with phishing protection as well as Security Awareness Training.

Knowledge is your first line of defence.

Users today need to understand, through Security Awareness Training, the proliferation, sophistication and wide range of attacks possible, because it is only through continuous training and testing that you take on a mindset that keeps your guard up when interacting with the web or email, on whatever device you are using.

Amadeus Booking Platform flaw puts customer data at risk

Amadeus Rocked As Booking Platform Flaw puts customer data at risk

News has emerged that a flaw in the Amadeus booking platform had the potential not only to leak personal data but also to allow changes to be made to clients’ bookings. Fortunately, so far no evidence has been found that it was exploited.

The potential chaos that could have been caused had the defective code been found and exploited by bad actors cannot be overstated; hopefully the security researcher is in line for a bug bounty, having notified Amadeus of the issue and potentially spared the industry another major incident.

The problem was identified by an Israeli security researcher, Noam Rotem, while he was booking a flight with the Israeli national carrier EL AL; Amadeus was notified and the bug was subsequently patched.

Allegedly the bug could not only have been used to view information; it could potentially have been used to change bookings. Imagine the uses cybercriminals, and even tech-savvy terrorists, might have made of that.

Worryingly some researchers have claimed the actual fix may not be as effective as it should be.

A security flaw in the Amadeus booking platform could have exposed customer data

The problem was not restricted to EL AL, however, as the coding flaw would potentially have affected all of the carriers served by Amadeus.

The security issue at Amadeus is the latest in a series of incidents to affect the travel industry, with British Airways and Eurostar both having been hit in recent months. The sobering fact is that none of us is immune to the possibility of a data breach, and we are also likely to suffer when our suppliers are targeted, as could easily have been the case with Amadeus.

The fact that Amadeus supplies services to a large proportion of the travel industry graphically illustrates that we must all be vigilant across the entire supply chain, and our DR plans need to include incidents that are, to an extent, beyond our control.

Doing our bit to ensure the Travel Industry retains customer trust

While we have to trust our major suppliers to be on top of their security, we need to make efforts to ensure we don’t become the weak link in the chain of trust.

Two essential steps companies can easily take to raise their level of security are to adopt a Security Awareness Training programme for staff and to adopt good password hygiene.

Take this opportunity to update your Cyber Security practices.

Sign up for the Tamite Security Awareness Training or call 0800 088 7201 to discuss ways we can help your business

The Equifax Data Breach 2017, Learning The Lesson

Equifax fined for 2017 data breach

As it turns out, from a purely fiscal point of view the timing of the Equifax data breach could be said to have been fortuitous: because the breach happened before the EU’s General Data Protection Regulation (GDPR) came into force in May this year, the investigation took place under the UK’s Data Protection Act 1998 instead.
The fine of £500,000 is the highest possible under that law, which appears paltry compared with the possibility of an eye-watering €20 million or 4% of global turnover under GDPR.

The credit-monitoring company announced its breach on 7 September 2017; hackers had gained access to the personal data, including Social Security numbers, of around 147 million Americans, in addition to details of UK citizens and various other nationals.

Equifax has become synonymous with hacking on an industrial scale. The hack exposed the personal data of nearly half the American population, including, ironically, Jamil Farshchi, who would become Equifax’s chief information security officer.

“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said Information Commissioner Elizabeth Denham.
“This is compounded when the company is a global firm whose business relies on personal data.”
An Equifax spokesperson said the firm was “disappointed in the findings and the penalty”.

As the ICO makes clear in its report, as a result of the Equifax data breach the company has implemented a broad range of measures to prevent a recurrence of such criminal incidents, and the ICO acknowledges the strengthened procedures now in effect.

If you would like to read further on the Equifax data breach and the company’s ongoing efforts to recover, we suggest the very informative article on new Equifax CISO Jamil Farshchi in this month’s CNET, in which he outlines his three-year plan to recover Equifax’s tarnished reputation.

Most companies don’t have the luxury of being able to spend three years rebuilding customer trust.

Talk to us about the ways we can help you reduce the possibility of a breach or, if the worst does happen, detect and deal with it.