IT Security

Gone Phishing!

ITCS Cyber Security expert, Wayne Harris, discusses the growth in ‘Phishing’ attacks – and how ITCS are protecting their customers

Information is now the lifeblood of most businesses, and the more we do on-line, the higher the risks of cyber-crime and greater the rewards for the attackers.

Let’s face it, we all receive a mass of emails every day, and as good as email spam filters are getting, inevitably rogue emails will get through. Your next line of defence is your users, and this raises the importance of adequate cyber security awareness training and of investment in your staff. I meet with companies on a regular basis who are looking to invest in their information security, but often they haven’t covered the basics when it comes to their staff training.

So, what is ‘phishing’? A phishing email (or sometimes SMS or instant message) is an electronic message sent to a user (or group of users) purporting to be from a trustworthy organisation or government department. These messages invite you to open a link (such as viewing an online invoice) or an attachment that will lead you to a malicious website or install malicious software (such as ransomware) on your devices. These malicious websites are designed to draw you in, and may look genuine to a casual user. This year we have seen attacks masquerading as energy providers, parcel delivery notifications, and popular on-line auction and e-commerce sites. They all have something in common – they all invite the user to click the links!

Great care should be taken with these types of attacks, as they are designed either to infect computer systems, to steal personal details and user credentials (and often users will use the same password on multiple accounts), or to coerce the user into paying fake invoices and initiating bank transfers. Our advice to users is to never click links in emails unless you are absolutely certain that the email is genuine – if you are in any doubt, check, or better still, go directly to the genuine website. We also advise that any bank details provided via email should be double checked directly with the provider before making payment – use the existing contact information you have for them, don’t reply to the email, and speak to a known contact.

At ITCS, we have gone to great lengths to protect your systems, where possible through software restrictions and enhanced spam filtering, and we offer next-generation security solutions to further enhance the security of your network. In the event of a successful attack, our Backup and DR solutions will ensure that your data is protected and your business can recover quickly.

Over the last year, we have run cyber security briefing sessions for our business customers, and have offered over 100 free places to our business support customers.  In addition, we have written and delivered bespoke user training to various customers throughout the UK at their own sites to further protect their business information and financial assets.

For further information, or to book your free cyber security briefing session, please call 08456 444 200, email support@itcs.co.uk or visit our website for more information.


ITCS responds to publicity surrounding CPU Chipset Vulnerabilities

Wayne Harris, Compliance Officer & Cyber Security expert at ITCS discusses the impact of the much-publicised chipset vulnerabilities revealed on 3 January.

There has been a flurry of publicity surrounding vulnerabilities identified within Intel chipsets (processors); however, the vulnerability also affects the other mainstream manufacturers, AMD and ARM. Together, these manufacturers provide the vast majority of processors in use by modern computer manufacturers.

Who is at risk and what is the threat?

The two vulnerabilities which have been revealed, ‘Meltdown’ and ‘Spectre’, affect every modern computer containing one of these processors, i.e. the majority of PCs on the market. The CPU chipset vulnerabilities are present in most of the processors produced in the last decade, and in certain circumstances they allow the contents of protected memory areas to be read by applications such as JavaScript running in web browsers.

That said, despite the hype, the threat is currently considered low on the Common Vulnerability Scoring System (CVSS).

What is being done to tackle the risk?

The underlying vulnerability is primarily caused by CPU architecture design choices, so fully removing the vulnerability will require the replacement of the CPU hardware.  The true long-term solution will be the replacement of the vulnerable chipsets entirely – but don’t expect a product recall any time soon.

While it may be technically accurate to say a completely redesigned chip is the ultimate solution, large-scale hardware replacements would possibly amount to a needless, over-the-top reaction.  It is unlikely that manufacturers will offer chip replacements – we expect them to instead provide a solution to fix any chipset vulnerabilities with a patch.

Microsoft, Apple and other operating system vendors have all responded quickly and have released (or are working on) solutions which will ‘patch’ these vulnerabilities.

Will I notice any difference when my PC is patched for chip vulnerabilities?

Unfortunately, at present there is a performance cost to this patch solution – because the solution involves segregating the kernel into a completely separate address space, it takes additional time to separate the memory addresses and switch between the two. The impact on performance will vary – anything from a 5% to 30% reduction in processing speed can be expected.

How are ITCS responding?

At ITCS, we have been monitoring the vulnerability since the news broke.

We have already implemented a rollout of the Microsoft patch update across our contracted customers to address these vulnerabilities. Users may have had to restart their computers to apply the changes, and we will monitor these installations to ensure our customers continue to be protected with up‑to‑date vulnerability patching.

How should our customers respond?

This vulnerability highlights the need for, and importance of, regular vulnerability reviews and the timely installation of vendor patches to reduce the risks to businesses from cyber-attack.

For a review of your cyber security, please contact ITCS on 08456 444 200, or use the call back request to speak to one of our support team.


‘Tis the Season to be Cautious

Wayne Harris, Compliance Officer at ITCS shares his monthly IT security blog – this month, he talks about fraud and phishing attacks.

As the festive season approaches rapidly, we see an increase in cyber-crime, phishing attacks and fraud attempts. I’m sure we have all read about or seen these attack emails, and believe that we would not fall for them, but beware: they are becoming more and more complex and plausible.

A common attack at this time of year is a phishing email masquerading as an email from a supplier such as Amazon, or as a delivery tracking email. As our shopping habits change to on-line services, this opens up an opportunity for criminals to gain your trust – after all, you probably have just ordered goods from one of these suppliers or used your PayPal account, haven’t you? These attacks may be trying to gain access to your bank account or credit card details, or using these emails and links to deliver a virus or Trojan, such as ransomware, on to your systems.

Here are a few tips to avoid falling for these scams:

  • Make sure the website you are ordering from is legitimate. We see more and more online shopping scams at this time of year, and they are becoming more difficult to spot – gone are the days of poorly constructed websites or emails.
  • Do not use your business email address for registering with these services; that way, if you get one of these emails to your business email address, you know it is a scam.
  • Do not click on any links contained in the email. If you have ordered goods from an on‑line store, use the store website to track your order progress. Clicking on links within an email may download malicious software or take you to a fake website to steal your credentials or financial information.
  • Check the sender address very carefully, and look for badly composed emails or spelling mistakes – however, this is becoming more difficult to spot as the attacks are becoming more complex and organised.
  • When you placed the order, you will probably have received a confirmation number – make a note of it. Suppliers generally include these details in any emails they send – check it.
  • Do not reply to any emails that you receive; this builds up a sense of trust between yourself and the attacker, and you could just get in deeper.

Email spam services will generally not pick up on these types of attacks, as they don’t contain malicious code in the source email, and unless they are from a blacklisted domain they will not score highly in the Bayesian database which is used to calculate the probability of spam. Users are therefore the best form of defence against these types of attacks.

ITCS are currently running new courses on managing IT security, including the new GDPR regulations due to come into force in 2018. If you would like to book a place, or if you have any questions or concerns around computer security, please don’t hesitate to contact the ITCS support desk on 08456 444 200.


Why Data Security starts in the Boardroom, not the IT Department

Wayne Harris, Compliance Officer at ITCS shares his monthly IT security blog – this month, he talks about information security and the part the boardroom must play in the security of your data.

Who is responsible for Data Security?

When I ask the question ‘who is responsible for data security at your organisation?’, without a doubt, the number one response given is ‘the IT department’.

However, if you think about it, data isn’t only about computers. Yes, it is the IT department who manage where the electronic information is stored and secured, but information security is also about how people access data, how and who they share it with – and let’s not forget about those hard, printed copies, often carelessly left on a printer, or face up on a desk.

The C-Suite cannot dismiss this important responsibility as an ‘IT issue’. Information security must be dealt with in the board room, and should be a regular item on the agenda. It is only through top-led risk management that you can implement a robust information security management system. After all, if your senior management don’t understand the importance of compliance, how can you expect your shop floor users to implement and adhere to the requirements?

A clear understanding of what is expected must be communicated throughout the organisation, and involves co-operation between the C-Suite, HR leaders, marketing and other heads of Department – as well as IT.

What should Leaders do?

As a minimum, we suggest that you include the following in the management meeting agenda at least quarterly:

  • Current Risk environment
  • Suitability of current technical prevention/detection solutions
  • Information Audit (Do you know what information you hold, and is the correct security applied to protect it?) – Annual agenda item.
  • Data backup and recovery (Is all of your data protected? Include testing schedule, and DR solution fitness for purpose)
  • Staff communication and training
  • Breach reporting (include near miss reporting and security reports).

What changes will GDPR bring?

As many leaders are already aware, the requirements for data breach reporting are changing with the implementation of the new GDPR legislation.  Organisations will be required to self-report within 72 hours of the detection of a breach, or face additional financial penalties.

Along with the new rules comes an increase in potential penalties for a breach, which could reach a new upper limit of €20 million or 4% of annual global turnover – whichever is higher.  Board members cannot afford to assume that ‘the IT Department’ are managing the risk, and training key staff in secure data practices will be vital.

If you have been a victim of a cyber-attack, and the personal data you are responsible for is encrypted by one of the Ransomware variants, the Information Commissioner’s Office may take the view that you have not taken appropriate measures to keep it secure.  Even if you are able to recover your data, the ICO may still look at the circumstances of the case to determine whether or not there were appropriate measures in place to have prevented the attack from succeeding.

How are ITCS supporting customers through the changes?

ITCS have an experienced team of data security specialists who have worked with clients to help them secure their network infrastructure. As well as providing GDPR advice, we are able to take clients through cyber accreditations and implement robust DR and BCP solutions, including data recovery and scenario testing – and we are offering clients a free security overview.

We are also offering a series of courses on IT Security and compliance with the new GDPR regulations, with a limited number of free places for existing ITCS clients; paid places for non-clients are only £35.

Clients can book up to two free places online.  If you have any questions or concerns around computer security, please don’t hesitate to contact the ITCS support desk on 08456 444 200.


Wayne’s IT Security Blog: The importance of using strong passwords

Wayne Harris, Compliance Officer at ITCS shares his monthly IT security blog – this month, he talks about the importance of using strong passwords

OK, so we’ve secured the firewalls, installed antivirus, filtered out the spam, locked down your desktop PC, encrypted your drives and enforced password complexity – what could possibly go wrong?

Well, if you are using the same passwords for multiple accounts, sharing passwords with others, writing them down, or using weak passwords, dictionary terms, etc., then you should consider yourself the weak point in the system!

Commonly used passwords that a hacker will try

Do you recognise any of these commonly used passwords?


These common passwords make it easy to hack into your account – so if one of them is familiar, change it now!

Other insecure passwords

Are you using names of loved ones, favourite sports teams or new film releases? Even if you are subtly changing these by adding numbers, replacing characters with numbers, recycling passwords with sequential numbers, etc., you should consider your passwords weak – and change them.

Don’t forget Social Media

Often people don’t think they are at risk – until it happens.  Even on social media, which is seen as ‘just for fun’, being hacked can be horrific. Social media is often where people have the least secure passwords, yet that password protects details about the most important people in your life.

You may wonder why people would bother to hack a social media account, but usually all the information people include in their passwords (family names, friends names, pet names etc.) is available for all to see – often even without a hack!  Plus, social media attacks can be incredibly personal and have a big impact on your life.

Many people use the same password on social media that they use for their work accounts, email accounts etc. Be smart and use secure passwords everywhere, at work and at home, and use a different password for each account.

Who would want my information, anyway?

If your password was compromised, consider what information would get into the wrong hands, especially if you use the same password on multiple accounts.

At home, this might be access to your email and contacts, which are then used to send spam, or access to your financial information, bank accounts, etc. At work, this breach might take down your network if you are targeted by hackers, causing expensive downtime and irreparable damage to your company reputation.

Secure passwords

No password is 100% secure; however, you can increase your password security by following standard protocols.

Make passwords longer

While most password systems allow you to have 8 characters, we would recommend using a minimum of 9 or 10 characters – and your passwords should be changed regularly (we recommend doing this monthly).

No Names Rule

Passwords should NEVER contain names or usernames, and should also follow the standard ‘complexity rules’.

Password Complexity Rules

Strong passwords normally incorporate at least 3 of the following 5 characteristics:

  • Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
  • Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
  • Base 10 digits (0 through 9)
  • Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
  • Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
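The three rules in this post (minimum length, the No Names Rule, and 3 of the 5 character categories) as a single policy checker. This is an added example, not ITCS’s or the original post’s code; mapping the five categories onto Unicode general categories (Lu, Ll, the ASCII digits, the listed punctuation, and other letters such as Lo) and splitting the user’s full name into tokens of three or more characters are assumptions made here.

```python
"""Password policy checker for the rules described in the post (added example)."""
import re
import unicodedata

MIN_LENGTH = 9  # the post recommends a minimum of 9 or 10 characters
# The nonalphanumeric set listed in the post's complexity rules
NONALNUM = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")
ASCII_DIGITS = set("0123456789")  # "base 10 digits (0 through 9)" only


def categories_present(password: str) -> set:
    """Return which of the five complexity categories the password contains.

    Assumption: Unicode general category Lu = uppercase (covers Latin with
    diacritics, Greek, Cyrillic), Ll = lowercase, Lo/Lm/Lt = alphabetic but
    neither upper nor lower (e.g. CJK, kana).
    """
    found = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":
            found.add("upper")
        elif cat == "Ll":
            found.add("lower")
        elif ch in ASCII_DIGITS:
            found.add("digit")
        elif ch in NONALNUM:
            found.add("nonalnum")
        elif cat in ("Lo", "Lm", "Lt"):
            found.add("other_alpha")
    return found


def contains_name(password: str, username: str, full_name: str = "") -> bool:
    """No Names Rule: reject if the username or any part of the user's name
    (tokens of 3+ characters, case-insensitive) appears in the password."""
    pw = password.casefold()
    tokens = [username] + re.split(r"[\s,.\-_#]+", full_name)
    return any(len(t) >= 3 and t.casefold() in pw for t in tokens)


def check_password(password: str, username: str, full_name: str = "") -> list:
    """Return a list of policy failures; an empty list means the password passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if contains_name(password, username, full_name):
        failures.append("contains the username or part of the user's name")
    cats = categories_present(password)
    if len(cats) < 3:
        failures.append(f"only {len(cats)} of 5 character categories present")
    return failures


if __name__ == "__main__":
    # Constructed sample user and candidate passwords
    samples = ["Fluffy2017!", "johnsmith1", "Pass1!", "Σίσυφος2024", "秘密のパスワード1"]
    for pw in samples:
        result = check_password(pw, "jsmith", "John Smith")
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

The Greek sample passes because its capital sigma and lowercase letters count as the uppercase and lowercase categories, while the Japanese sample fails because every letter falls into the single "other alphabetic" category.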

It goes without saying that writing down passwords, or sharing them with others is an insecure practice.  Guard your passwords like you guard the PIN to your credit card!

Cybercrime is on the increase, and you have a part to play in the defence of your network. Secure your passwords now, and make sure you keep vigilant as to the risks that we all face.

If you have any questions or concerns around computer security, please don’t hesitate to contact the ITCS support desk on 08456 444 200, we are always happy to help.


Research finds just 9% of SMEs teach staff about IT security risks

IT Security continues to be a key issue hitting the headlines for SMEs. The ITCS team saw new research released today, which worryingly found that only 9% of SMEs offer training or send emails to educate staff about IT security risks.

Politecnico di Milano School of Management ran a Cyber Crime Observatory which analysed the information security systems and expenditure breakdown of 803 SMEs operating last year. As well as the shockingly low level of awareness in SMEs, large firms were not much better: they found only about a quarter of the largest firms were educating staff on IT security.

This means that the majority of staff are unaware of the vital role they play in IT security – leaving most companies exposed to the increasing risks.

Alessandro Piva, director of the research observatory, said:

“Cybercrime has grown dramatically over the past months, alongside a continued rise in ransomware, where hackers demand payment of a ransom to release data, and attacks on products linked to the Internet of Things.

“The need for a long-term approach to how information and privacy are managed and the organisation’s data is kept confidential should be a top concern of a company’s upper management.

“It seems that smaller organisations don’t anticipate that they will be targeted as victims of cybercrime in the same way as, say, Yahoo in 2013, where a hack left over one billion users’ information publicly available. Yet without a contingency plan or any preventative measures, these companies are leaving themselves wide-open for potentially devastating cyber-attacks.”

So why are businesses being so complacent?  Brian Stokes, Managing Director of ITCS explains:

“Actually I don’t believe UK businesses are as complacent as they were 12 months ago, because the new GDPR rules due to come into force next May are giving many businesses a wake-up call. However, the wake-up call is bringing risks too.

“We’ve seen new GDPR ‘experts’ pop up charging businesses huge fees to get them ‘GDPR ready’, when often the measures needed to reach compliance are quite simple.

“We are offering any business a free IT Security audit and data health check.  It’s our way of giving something back to the South Wales business community we are proud to be part of. Security and compliance have always been priorities for the ITCS team and our Compliance Team will continue to support businesses ahead of the planned changes and beyond.”

If you have any questions about IT Security or GDPR, call 08456 444 200 and ask for our Security Team.


Equifax data breach highlights need for IT security audits – it’s not ‘just an IT issue’, says ITCS.

Cyber security professionals are hot property at the moment, with a 70% increase in job vacancies across the sector. It’s therefore no surprise that the ITCS IT security team are in constant demand.

The recent Equifax data breach and the WannaCry ransomware attack have made world headlines, highlighting the need for robust IT security, especially with new GDPR rules due to come into force.

Two Thirds of FTSE Companies have been hit by a cyber attack

IT security audits are increasingly important. In case you think your company can’t be affected, the 2015/16 Cyber Governance Health Check made sobering reading. Two-thirds of FTSE companies have been hit by a cyber-attack in the past year alone, so IT security audits have to be a high priority for every business, even SMEs.

Staff often pose the biggest risk to IT Security

HR and the C-Suite need to lose the view that IT security is something they can pass off to ‘the IT team’.

That’s because no matter how robust your IT infrastructure, the biggest security risk comes from inadequately trained or complacent staff. In fact, at a recent Cybersecurity event, 57% of cyber security experts said they would like to see human employees replaced by AI!

IT experts like ITCS can help provide a robust infrastructure, combined with security advice and training, and we can advise your internal IT team on how to carry out regular IT security audits.

However, it isn’t only an issue for ‘techies’.  Line managers and HR have a vital role to play in maintaining secure working practices on a day-to-day basis. IT security isn’t just IT’s responsibility – it’s everyone’s responsibility. The CIPD are now encouraging HR Managers to take the lead and educate staff on secure working practices.

Here are some things you can do to mitigate your risk:

Tighten up your physical security

Hacking isn’t just done by anonymous remote hackers. Train your staff to challenge anyone they don’t recognise (in person or on the telephone) who requests access to their PC or password information, and train staff to lock their PCs when leaving their desk.

Your password is not usually something you need to provide, and being asked should raise a red flag. If in doubt, check with IT before granting access. If your firm has an ID system, challenge anyone who doesn’t have company or authorized contractor ID. This is good common sense anyway with current terror threats.

Keep your IT systems up to date

If you don’t outsource your IT, you are responsible for updating your system. Make sure staff know what to do if their system prompts them about software updates. We can help if you aren’t sure what to do – you definitely shouldn’t ignore them.

Manufacturers often update their software in order to protect against a specific threat.  The Equifax breach apparently resulted when a staff member failed to apply a software patch in a timely fashion – affecting 400,000 UK customers alone (and an estimated 143 million worldwide). Ouch.

Offer regular IT security training and updates

Training in cyber security adds a layer of resilience. It means staff understand which threats are out there, how to prevent them, and how to deal with them when they occur. Sending out a memo is usually ignored, so formal IT security training is essential – and your in-house team should reinforce secure working practices in between sessions.

Drive home the importance of password security

Most people know they ‘should’ create strong passwords, but nonetheless choose the name of their child, dog or even their address.

It’s vital that employees understand the importance of this. Passwords are the first line of defence. Managers should enable their systems to ‘force’ the use of strong passwords, and frequently educate staff on the need for them.

Managing the risk of insider attacks

Disgruntled employees pose a very real risk, whether having their own agenda, or receiving an incentive from a third party. A disgruntled Morrisons employee who leaked employee data literally cost the company millions of pounds.

The first step to protect your business from insider threats is to carefully control who has access to what information. Staff should only have access to the data they need to do their job; access to sensitive data should be controlled and recorded; and access levels should be regularly reviewed, especially if job roles change.

A formal starting and leaving procedure should be followed, rather than just making changes when someone leaves. On leaving, the formal leaving process should terminate access immediately, not a few days later, and any shared passwords (which should not exist anyway) should be changed.

ITCS offering free IT security audits

Whilst many customers rely on us for IT support, we believe IT Security is equally important.

We are happy to offer any business a free review of their current IT security with a thorough audit. We will advise you of the next steps to take and you can decide how to proceed next.

ITCS services include IT security consultancy and training. We can also ‘train the trainer’ if you prefer to deliver staff security training in house.

IT security remains a threat that businesses cannot afford to ignore, and staff need to be on board to help combat the threat. Wayne Harris, our Compliance Officer says:

“No matter how secure your systems are, your people have a vital impact on security. Alert and well-trained staff add an important layer to your security. Unmotivated, untrained staff simply add an additional risk – with so many threats these days, that’s not a risk worth taking.”

To take advantage of your free review, complete the form at the bottom of the page – our team will be in touch.
