Lessons to be learned from Schools hit by data leak after Cyber Attack

Learning from the mistakes made by others is a valuable way of evaluating your Cyber Security Plans.

Fourteen schools in the UK appear to be victims of the Cyber Crime group known as the Vice Society.

It’s always worth looking at these incidents as they highlight weaknesses in our Cyber Security plans.

The take-away from this incident would appear to be that the GDPR guidelines around not holding information for longer than necessary are eminently sensible.

At first sight, I would say data seems to have been held onto longer than necessary.

Unfortunately, this all too easily happens unless you have strict routines for purging outdated data records; this should be part of your Cyber Security Plan. Sometimes data just gets forgotten and lurks about, potentially posing an unnecessary risk forever.

A word on encryption: it’s relatively easy & cheap to put in place.

Not enough companies employ encryption to ensure data is safe on their PCs or servers and when it is in transit.

Email encryption and secure data vaults like the Acronis File Share are valuable tools that help exchange sensitive data securely.

Below is a list of affected schools identified so far.

  • Carmel College, St Helens
  • Durham Johnston Comprehensive School
  • Frances King School of English, London/Dublin
  • Gateway College, Hamilton, Leicester
  • Holy Family RC + CE College, Heywood
  • Lampton School, Hounslow, London
  • Mossbourne Federation, London
  • Pilton Community College, Barnstaple
  • Samuel Ryder Academy, St Albans
  • School of Oriental and African Studies, London
  • St Paul’s Catholic College, Sunbury-on-Thames
  • Test Valley School, Stockbridge
  • The De Montfort School, Evesham

One of the positive things you can do is monitor the dark web to see if data relating to your business is present.


Are your credentials & passwords being advertised for sale on the Dark Web?

We are very excited by the capabilities of our new product Trillion’s leaked password and credential reporting tool.

Trillion’s database and algorithms provide an unrivalled ability to detect data breaches and give you a vital early warning of a potential data leak in your organisation.

Would you like us to provide you with a free report?

Contact Us for a free report to demonstrate how we can protect you and your business.


Password data leak?

Password data leak? Are your credentials & passwords being advertised for sale on the Dark Web?

This week I received a call from a customer concerned they might be victims of a password data leak after being emailed by someone claiming to have accessed their computer.


My client was worried as the credentials (username and password to you and me) highlighted in the email are credentials that they use to access specific Internet sites.

These are very common, standard Phishing emails trying to draw you into responding. So should you mark these messages as spam and ignore them?

The answer is yes and no. The fact that the email quoted accurate information points to the likelihood that your username/password has been part of a password data leak and is being actively traded on Dark Web sites used by Cyber Criminals.

Do blocklist that email message; however, you should also take action to clean up your credential management habits.

I suggest you adopt the Keeper Password Manager tool to help you manage and clean up your existing cloud accounts.

In addition, we are now actively monitoring all of our customers’ Domains using the Trillion data breach monitoring tools.

We are excited by the capabilities of Trillion’s leaked password and credential reporting tool.

Trillion’s database and algorithms provide an unrivalled ability to detect data breaches and give you a vital early warning of a potential data leak in your organisation.

Would you like us to provide you with a free report?

Contact Us for a free report to demonstrate how we can protect you and your business.

As part of our Managed Service proposition, we actively monitor all customers for password data leaks using Trillion.

Massive Scale

Trillion constantly monitors the billions of account credentials passing through dark markets and criminal forums, looking for the few hidden accounts that might affect your customers.

Intelligent Analysis of leaked password data

Trillion does a lot more than locate stolen credentials. Our intelligent risk engines identify which leaked usernames and passwords have the most significant potential to result in corporate damage.

See What Matters

Without the right tools, monitoring breach data can be exhausting. Trillion makes it easy to sort through by providing data filters and automatic live account detection.

Crowd Co-Operation

Sometimes we all need a little help. Trillion lets your employees play their part in securing your customers by letting them help determine the validity of their leaked password data information and the potential impact it might have on your IT services.

Inbuilt Training

Get your analysts up to speed quickly and easily by following the inbuilt training videos included with Trillion.

Secure By Design

Managing business threats is perfectly balanced with protecting users’ and customers’ privacy because security is at our heart. That makes Trillion trusted by some of the world’s biggest brands.


What is Two Factor Authentication

What is Two Factor Authentication?

Traditionally, security experts have defined 2FA (Two Factor Authentication) as:

  1. Something I know.
  2. Something I have.

Something I Know.

The something I know, or first factor, is my password.

I should create my password as a unique and strong first layer of security for whatever service or application I happen to be accessing.

Uniqueness is essential; no matter how complex and lengthy, shared passwords risk my security.

Why? Because if any of my services suffer a data breach, the password I used to log in to that service will now be in the hands of Cybercriminals.

The Cybercriminals will then use the stolen credentials to gain access to any of my services that share the password.

For this reason, it is sensible to monitor for breached passwords and take action on any credentials found to have been leaked. We use a service called Trillion to manage this for our customers.

What is Two Factor Authentication? Something I have.

So what is Two Factor Authentication? The simple answer is that when I log on to my application or into my website after I have entered my password, the site requests me to enter a second identifying credential (second factor).

This credential will be sent to the something I have; it may be sent in an email, as an SMS to my mobile phone, or generated for me by an app such as ESET Secure Authentication, Google Authenticator or any one of the many others available.
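To show what an authenticator app actually computes for that second factor, here is an added example (not code from the original post, and not any vendor's product): an RFC 6238 TOTP generator plus the server-side check, including a one-step clock window and rejection of a code that has already been used. The demo secret is the RFC 6238 test seed, assumed here as a constructed value.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # seconds per code, the value Google Authenticator uses
DIGITS = 6       # code length shown to the user


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time=None, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step)


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret that authenticator apps import from the QR code."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server side: accept a code from the current step or one step either side,
    and never accept the same step twice (stops replay of an intercepted code)."""

    def __init__(self, secret: bytes, window: int = 1, step: int = TIME_STEP):
        self.secret, self.window, self.step = secret, window, step
        self.last_counter = -1

    def check(self, code: str, unix_time=None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        counter = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            # constant-time compare so timing does not leak partial matches
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                if candidate <= self.last_counter:
                    return False  # code already used in this or an earlier step
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test seed, not a real account's key.
    demo_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(demo_secret, now)
    verifier = TotpVerifier(demo_secret)
    print("code for this 30 s step:", code)
    print("first use accepted:", verifier.check(code, now))
    print("replay rejected:", verifier.check(code, now + 5))
```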

Why is it vitally important to have 2FA enabled whenever possible?


I have already described how passwords can be leaked and then used by cybercriminals to gain access to our networks.

Another common scenario is using Brute Force to break your password by submitting random password strings to your logon until the correct combination is identified.

A recent report found that an 8-character complex password could be cracked in just 39 minutes.

As processing power increases, the time to compromise passwords will decrease accordingly.

A seven-character complex password could be cracked in 31 seconds, while a password with six or fewer characters can be cracked instantly.

The algorithm used to break the password is automated and relentless. Hence, the time it takes to succeed is irrelevant, as it will eventually succeed.

You can decrease the effectiveness of these attacks by limiting access to your services and applications using a schedule.

For instance, we only allow access from 9-5, Monday to Friday.

Setting a logon schedule can be particularly effective on platforms such as WordPress.

Our recommendation is that, as passwords are fallible for many reasons, Two Factor Authentication is a vital layer of defence.

Want to know more?

The UK National Cyber Security Centre recommends 2FA for business.

Adopting Two Factor Authentication wherever possible is also the recommendation of the UK National Cyber Security Centre; they also recommend that companies include a requirement for 2FA from their external suppliers & services.

“As long as passwords are used for authentication, there will always be a chance that users and administrators will choose machine-guessable passwords and be susceptible to social engineering”. (NCSC).

Keeping your password safe

Keep your password safe, and it will keep you safe on the web.

On average, how often do you enter your password to a website or log into an application?

Most of us use a credential to access our computer when we start up first thing.

We may then log on to Sage, a CRM or any of the business systems we have in place.

Then there’s a couple of social media accounts, your login to the gym booking system, Sky Sports, the bank, the doctors; the list is endless.

Well, not quite, but nearly; a recent survey concluded that most people have more than 100 services requiring passwords.

Add to that all the accounts we use daily but hardly notice, because they do the authentication for themselves.

I’m talking about the Microsoft M365 suite (Teams, OneDrive, SharePoint), Dropbox, Google, probably even your email.

So you can see it is even more complex than you thought.

Keeping track of all your credentials is beyond most people and companies.

Talk to us about how we can help you and your organisation manage your application passwords:

  • Monitor them across the entire organisation.
  • Generate random passwords that are unique, long and strong.

Contact Us

It has been estimated we have 25% more passwords than before the pandemic.

Remembering all your various online account details is complicated, and that’s where a Password Manager comes in.

A Password Safe helps by giving you tools to manage your many accounts and ensuring the password you use is unique and robust.

Generating strong passwords


It is also certain that users have downloaded more apps or signed up for new services during the lockdown, which accounts for the increase in passwords.

At the same time, many people downloaded new apps while working from home due to requirements from their employers.

The credential or password is just one of the layers of security employed to create a layered approach to security.

Closely related to passwords is 2FA, or two-factor authentication, which helps to improve the security of services, especially those that are web-based or Internet-facing.

Did you know a password safe can also manage 2FA?

I will be extolling the virtues of 2FA in my next blog in this series, which concentrates on the subject of Credentials and how we can keep them safe while they keep us safe.


Accountancies and Bookkeepers are on the front line of Data Security

Being Cyber savvy is a modern requirement for Bookkeepers and Accountants.

Demonstrate your credentials by taking the HMG-backed Cyber Essentials Accreditation.

You are often the first port of call for anxious clients worried by scam calls, emails and even texts that tend to be alarming and in some cases worryingly plausible.

Beyond reassuring them, you may want to point them to this article from the Institute of Certified Bookkeepers.

HMRC has warned tax credit customers to be aware of scams and fraudsters who imitate the department in an attempt to steal their personal information or money.

About 2.1 million tax credits customers are expected to renew their annual claims by 31 July 2022 and could be more susceptible to the tactics used by criminals who mimic government messages to make them appear authentic.

In the 12 months to April 2022, HMRC responded to nearly 277,000 referrals of suspicious contact received from the public. Fraudsters use phone calls, text messages and emails to try and dupe individuals – often trying to rush them to make decisions. HMRC will not ring anyone out of the blue threatening arrest – only criminals do that.

Increasingly, cyber criminals are turning their attention to stealing personal and financial information.

As a result, there are numerous websites on the Dark Web that specialise in selling this information on.

Cyber Essentials Accreditation is a key difference for Bookkeepers & Accountancies

So it makes sense that our Accountancy and Bookkeeping customers are taking advantage of the Government-backed Cyber Essentials certification to demonstrate their commitment to retaining the trust of their customers.

Speak to us about how we can help you become a Cyber Savvy Accountancy or Bookkeeper.


In addition to Cyber Essentials accreditation, we also provide online cyber-awareness courses.

Online learning is particularly popular as the courses easily fit around busy schedules and are broken into small, easily absorbed lessons.

Being comfortable dealing with this worrying subject can be of real benefit when dealing with worried clients and, of course, potential new customers.

#bookkeeping #accountancy #accountants #cyberawareness #cyberessentials #cyberessentialsplus

Password management software

Password Management Software & Two Factor Authentication, used together, form one of the most important aspects of IT Security.

We find that the one thing everyone seems to find difficult is using passwords and managing them effectively.

Why? Because they need to be unique and have sufficient length and complexity.

In addition, in accordance with the guidance from the National Cyber Security Centre, where possible you should always use multifactor authentication.

Passwords are central to your security; bad password practice is behind the majority of breaches & hacks.

Our advice, in line with current National Cyber Security Centre guidance, is to adopt password management software; we recommend and supply Keeper Password Manager.

Keeper is our recommendation for both Microsoft & Apple password manager implementations.


Keeper will save employees time, frustration and eliminate the need for them to reuse and remember passwords.

Keeper password management software aids the ongoing management by generating strong, random passwords and automatically filling them for users.

BreachWatch® by Keeper scans employees’ Keeper vaults for passwords that have been exposed on the dark web from a public data breach and notifies the user to take action.

It also informs the administrator whether that employee has resolved the exposed password or ignored it.

Security Audit Score and Reporting

Keeper provides password security visibility with robust reporting and auditing tools to enforce internal controls and maintain compliance standards.

Admin Console

Distributes, manages and monitors Keeper across the entire organisation and enforces password security, 2FA and other data security policies.

Whether you need Keeper as your Microsoft or Apple password manager, Keeper is the answer.

Make use of Two Factor Authentication.

The NCSC has provided guidance on how companies should go about adopting Two Factor Authentication where it is available.

Most of us, I think, use 2FA in some form for banking these days, so using it for the things we use every day makes good sense.

Our customers use Keeper Password Management Software

I have been really impressed with Keeper since Tamite supplied and set it up for us.

Keeper is the best route I have found to good password hygiene, and I recommend Keeper as not only do we use it in the office, we use it at home as well.

In the office we have found that Keeper is also brilliant for multi user situations like ours.

Not only will it create really strong passwords and monitor them to make sure they aren’t vulnerable, it also takes care of the 2FA part of the login for us.

Andrew Green (Partner, Sinnott Green Estate Agents)

BEC is responsible for 60% of fraud

Cyber Awareness Training is a key part of your business’s defences.

Business Email Compromise (BEC) is obviously a major factor in cyber crime.

According to the FBI’s Internet Crime Complaint Center, consumers and businesses suffered in excess of $4.2 billion in losses tied to cybercrime in 2020, and BEC fraud and romance scams alone accounted for nearly 60% of those losses.

This highlights the importance of cyber awareness training for individuals and businesses in the run-up to Black Friday & Christmas.

OK, those figures came from the USA, but the UK and Europe are also major targets, and here’s why.

For a more in-depth look at why so many of these scams originate from Africa, check out this article by KrebsOnSecurity.

As usual, Brian Krebs’ insights make it a well worthwhile read.

The emails, typically originating from places like Nigeria, that contain Romance scams and Business Email Compromise (BEC) fraud don’t target Nigerian citizens, nor do they harm African banks. On the contrary: this activity brings significant amounts of Western money into the Nigerian economy.

BEC is a threat that isn’t going away any time soon

So it isn’t perhaps surprising that the Nigerian Government might turn a blind eye to an activity that brings in desperately needed Western currency, providing of course it doesn’t harm Nigerian interests.

As such, we probably have to live with the problem, and realistically the best course of action is to employ a mixture of technology and training to counter the threat.

Phishing Awareness Training is a key part of your security strategy; don’t neglect it.

By educating ourselves on the reasons behind the issues, we can all become more Cyber Savvy.
In the meantime, minimise the risk to yourself and your organisation: think Strategy, Training and Technology.

The threat isn’t restricted to your inbox; social media and even browsing are potential sources of infection & intrusion.

Recognising risky behaviours is vital; online training will impart the skills necessary to make you Internet Savvy.

Cyber awareness training teaches you skills that can be passed on to your colleagues and family to create a culture of security.

Regularly simulating Phishing attacks means you can train like an athlete; repetition is the key to ingraining your new skills.


Implementing our strategy of defence in depth along with cyber awareness training will significantly reduce the risk to you and your business.

The good news is it’s affordable and scalable even for the smallest SME.

Contact us now to find out how we can protect you and your business.


Knowbe4 phishing awareness training

Knowbe4 phishing awareness training for employees.

Annual events like Christmas & the New Year are often busy periods for your business; it’s also when cyber scams peak.

We have been making our customers aware for years that a big proportion of breaches actually start with an email.

Email Exposure Check Pro (EEC) identifies the at-risk users in your organization by crawling business social media information and hundreds of breach databases.

So it is natural that when we look at how we can protect our customers, in addition to providing Knowbe4 phishing awareness training, we begin by filtering out as much of the junk and dangerous content as possible before it hits your mailbox.

This is achieved by optimising a few settings on your domain; this sounds complicated but isn’t.

By correctly setting up the standard email security records associated with your domain, we can all contribute to making the Internet a safer place to work and play.

For example, setting up DMARC stops phishers from spoofing your domain (that is, making their emails look like they come from your organisation).
DMARC is one part of a holy trinity of DNS records that aim to make email more secure.

For 10 brownie points, who can name the other two?
More importantly, how many has your organisation set up?
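Which of the three records a domain actually has, and how strong each one is, can be read straight from its TXT records. The following is an added example (not from the original post, and not any vendor's tool) that grades SPF, DMARC and DKIM records; the records for the fictitious example.com and the DKIM selector sel1 are constructed assumptions, and in practice you would feed in real TXT answers from your resolver.

```python
import re

# Constructed sample TXT records for a fictitious domain (not real DNS data). In
# practice you would feed in the answers to "dig +short TXT <name>" for each name.
SAMPLE_TXT = {
    "example.com": "v=spf1 include:_spf.example.net ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "sel1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?![a-z])|mx(?![a-z])|exists:|redirect=)")


def parse_tags(record):
    """Parse 'tag=value; tag=value' records (the syntax DMARC and DKIM share)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return (status, message); 'strong' means unlisted senders hard-fail."""
    if record is None:
        return "missing", "no SPF record: any host may claim to send as this domain"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "invalid", "record does not start with v=spf1"
    if sum(1 for t in terms if LOOKUP_TERM.match(t.lower())) > 10:
        return "invalid", "over 10 DNS-lookup terms: receivers return permerror"
    last = terms[-1].lower()
    if last.startswith("redirect="):
        return "delegated", "policy is taken from " + last.split("=", 1)[1]
    if last == "-all":
        return "strong", "unlisted senders hard-fail"
    if last == "~all":
        return "soft", "unlisted senders only soft-fail; move to -all once sources are known"
    return "weak", "record ends with '%s' and does not reject unlisted senders" % terms[-1]


def assess_dmarc(record):
    """Return (status, message) for the _dmarc TXT record."""
    if record is None:
        return "missing", "no DMARC record: receivers have no policy for spoofed mail"
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return "invalid", "record must start with v=DMARC1"
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100") or 100)
    if policy == "reject" and pct == 100:
        status, msg = "strong", "spoofed mail is rejected"
    elif policy in ("reject", "quarantine"):
        status, msg = "moderate", "p=%s applied to %d%% of failing mail" % (policy, pct)
    elif policy == "none":
        status, msg = "weak", "p=none only monitors; spoofed mail is still delivered"
    else:
        return "invalid", "missing or unknown p= tag"
    if "rua" not in tags:
        msg += "; add rua= to receive aggregate reports"
    return status, msg


def assess_dkim(record):
    """Return (status, message) for <selector>._domainkey; the selector must be known."""
    if record is None:
        return "missing", "no DKIM key at that selector"
    tags = parse_tags(record)
    if not tags.get("p"):
        return "weak", "empty p= tag: key revoked, signatures will not verify"
    return "present", "public key published (k=%s)" % tags.get("k", "rsa")


def assess_domain(domain, txt, dkim_selector=None):
    """Evaluate the three records for a domain from a name -> TXT mapping."""
    report = {"spf": assess_spf(txt.get(domain)),
              "dmarc": assess_dmarc(txt.get("_dmarc." + domain))}
    if dkim_selector:
        report["dkim"] = assess_dkim(txt.get("%s._domainkey.%s" % (dkim_selector, domain)))
    return report


if __name__ == "__main__":
    for name, (status, msg) in assess_domain("example.com", SAMPLE_TXT, "sel1").items():
        print("%-6s %-9s %s" % (name.upper(), status, msg))
```

DKIM has no fixed record name, which is why the check needs the selector your mail platform signs with; SPF and DMARC live at predictable names and can be checked for any domain.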

The technical approach of prevention and intervention is only part of the package.

The second aspect, we believe, is to provide training to the end users using Knowbe4 phishing awareness training, giving you the knowledge to, as my daughter would say, make good choices.

Is a Spear Phishing attack targeting an Executive near you?

Cybercriminals use peak periods such as Black Friday, Christmas & the New Year to target busy CFOs, accounts departments etc. with sophisticated Phishing attacks, often using hijacked mail accounts and identities to carry out the scam.

91% of data breaches are linked to Phishing attacks according to research.

We have the strategies & products to protect your critical mail stream.

Adding additional layers of protection to your email service (M365 Exchange etc.) will greatly enhance security.

It has been shown that organisations adopting the layered approach are 90% less likely to experience breaches.

Implementing our strategy along with Knowbe4 phishing awareness training will significantly reduce the risk to you and your business.

Our Project360/5 has been designed to help individuals and businesses improve their Cyber Security stance in simple, easy to implement stages; join the community today.

Contact us now to find out how we can protect you and your business.

Keeper Password Manager

Microsoft say the future direction of travel is passwordless, until then Keeper Password Manager seems a good idea to us.


Well, we know for a fact that most of us are useless at passwords. I personally get over this fault (I have many others) by using a product: a highly secure password store called Keeper Password Manager.

The truth is of course a little more complicated, because even though Microsoft has gone “passwordless”, you will still need to set up a password when you set up an account.

You then have to use the password to log in and only then is the option to go passwordless provided.

So you are replacing the password with a phone app called Microsoft Authenticator, which is used instead of a password. Obviously, you need to log into your phone to be able to use the authenticator.

Is it really easier? Possibly, but it is probably a good idea to make sure that you don’t lose your phone.

Keeper Password Manager improves your security by making & using strong passwords easy.

Our recommendation is to use a Password App to store and manage your passwords; the great thing is that because you don’t need to remember hundreds of logins, strong (that is, long and complicated) passwords become easy to achieve.

Now that you don’t have to remember them, you can be more aggressive with your password policies.

Keeper Password Manager will even generate long randomised passwords for you.

Project 360/5 recommends - Keeper Password Manager
The longest journey begins with a single step.


Project360/5

As part of our Project360/5 we provide strategies and training documents to help you upgrade your IT Security.

The password is fundamental to good security, especially as so many of the things we access every day are Cloud based.

Password managers work by simplifying how you deploy and manage passwords and Keeper password management works for businesses and individuals.

Keeper password management works for Mac & Windows operating systems.

Good password hygiene, like good hand hygiene, isn’t too difficult to achieve, but it is so important, as a high proportion of infections and hijackings occur because of poor passwords.

We recommend our customers adopt a password manager such as Keeper.

You log into Keeper Password Manager and then every other login that you need to do is done for you.

This includes any 2FA that may have otherwise slowed you down. Keeper Password Management can even help you stay secure by generating new passwords for you when you need them.

Want to know more, or would you like a demonstration organised?

Working from home advice and how to evolve your business to cope.

Working from home advice and the big picture.

Home office working has become standard practice for many businesses these days; it’s not just corporates. Home working can work just as well for SMEs and micro businesses.

We have seen research from Gartner that confirms what most of us had suspected.

The research suggests that businesses are in the process of evolving new approaches to cope with work during and post COVID-19 pandemic.

The study found that 82% of business leaders say their organizations plan to let employees continue to work from home at least some of the time, while 47% plan to allow employees to do so permanently.

So if you are in the 82%, consider virtualisation of the work environment (Desktops and Servers) along with upskilling the workforce with vital Security Awareness training.

We will provide your business with the tools you need to manage the new “Hybrid Work Place” (I love a new buzzword), i.e. the office and home.

By reducing reliance on expensive hardware, reducing support costs, providing flexibility and maximising capacity, the case for virtualisation is a compelling one.


Virtual Desktops & Servers

  • Flexible: access it from anywhere.
  • Reliable: 99.9% uptime.
  • Cost efficient: reduce support costs and hardware costs, experience fewer business interruptions.
  • Scalable: add or remove Servers and Desktops on demand.
  • Secure: ensure your Data is always backed up and your Services and Data are Secure.
  • Compliance: ticks the boxes and more.
  • Costs: predictable.

Working from home advice #WorkCyberSmart

Cyber criminals are targeting the home workforce with highly targeted Phishing campaigns.

Working from home advice #1: Provide online training to all staff so they are equipped to spot the scams.

It’s not expensive or difficult to put in place.

Working from home advice #2: Use existing technology to decrease the chances of your home or office based employees falling victim and putting your business in jeopardy.

Get the most from your Office 365 subscription; Exchange Email has advanced security policies that need to be configured to protect you.

When it is configured correctly, 365 will take out a high proportion of spam, malware and Phishing attacks before they reach you.

Working from home advice #3: Home workers need to be incorporated into your backup scheme.

We are experts at getting the most from your new flexible workplace; give us a call now or use our contact form.
