Cyber Security - The most common scams and top tips for staying safe from our experts
By Bruntwood
Last year Sophos reported that 53% of all crime recorded last year was cyber crime, and the average cost to clean up an incident is £30,000.
The 30th of November is Cyber Security Day, which actually dates back to 1988 (at that time it was called ‘Computer Security Day’). Since then, it’s safe to say that we’ve all become a lot more tech savvy, tech dependent and interconnected on a global scale. This brings a whole new array of challenges and issues surrounding cyber security and safety.
As Ciaran Martin, the former head of the National Cyber Security Centre (NCSC), said in 2019, “It’s a matter of when, not if you’ll get hacked.”
In this article, experts from three cyber security businesses from across the Bruntwood SciTech network provide insight into the importance of cyber safety: Jo Balderstone, Head of Business Development at Lucid Networks from Manchester Science Park; Gemma Bridgeman, Head of Development at Clarifyi, now Innovation Birmingham alumni; and Nick Deacon Elliot, VP of Operations at Boxphish, based at Platform in Leeds.
There’s a lot of noise about ‘Cyber safety’ at the moment, especially since the pandemic has forced a lot of people to work remotely. Why is cyber security so important?
Jo Balderstone, Lucid Networks, said: “Cyber Security is the biggest technical issue facing professional services organisations today. However, attacks can happen to anyone with a computer. The main aim of a cyber criminal is usually to steal money, to take control of computer systems to use in other types of online crime, or to steal personal data to use in crime like identity fraud.
“In the majority of cases, cyber criminals are not specifically targeting you or your business – they use automated systems to find vulnerable systems on the internet, and attack them automatically.’’
Gemma Bridgeman, Clarifyi, added: “Cyber security is about protecting yourself online from criminals. This is important whether you are connected via a phone, laptop, gaming platform, or any type of smart device that is connected to the internet (did you know that even kettles and fridges can be connected to the internet!?).
“In the physical world you have layers of protection against criminals such as doors, locks and cameras; just because you can’t see the criminals in the virtual world doesn’t mean you shouldn’t take the same steps to protect your important assets.’’
...And what about ‘Cyber Security Awareness’?
Nick Deacon Elliot, Boxphish, said: “Cyber security awareness is key as it enables individuals to understand the threats in our digital lives and how to make informed decisions about what is safe or a risk. Awareness also means understanding what preventative measures can be put in place to reduce the chance of a successful attack.”
What do cyber security threats mean for the everyday working person?
Nick says: ''From a business perspective, the harsh reality is that around 95% of all successful cyber-attacks are a result of human error. It is not uncommon for significant attacks to start from an end user logging into a system that has been spoofed, and then without even realising, they have shared login credentials that work across multiple systems or are accidentally downloading a file hidden within an attachment.''
“For businesses, these attacks incur more than just financial damage, they can also massively affect the trust and reputation of that business.’’
Jo agreed: ''A lot of the time human error allows for a security breach to take place, so people are often the first line of defence against many cyber attacks/cyber threats. This means it’s important that businesses offer some basic cyber security training, highlighting what your staff should look out for.’’
''However, technology needs to shoulder as much of the burden as possible. If you can limit the number of ways people interact with risk, that makes you more secure. For example, moving to systems that don’t rely solely on passwords such as passwordless login on O365 or secure single sign on.''
Gemma said: “Your staff and the people around you can be your strongest line of defence, if they are provided with the right tools and knowledge to stop hackers from getting hold of your assets.”
Cyber Security Day (30th Nov) has been around since 1988 - what has changed most about the way we use technology since then and why is cyber security more important now?
Jo said: “Today, organisations and employees rely far more heavily on technology, and for most companies their IT infrastructure is the backbone of that organisation. From emails, servers, networks, hardware, connectivity, software... the complexity of IT systems has significantly increased since 1988, and more complexity means more vulnerabilities. Without access to any of the above, businesses really couldn’t function in today’s world.''
“As organisations we are also acquiring and storing significantly more data and storing it on our systems. This data has a significant cash value in the online underground economy and when exploited can be used to produce fake passports and credit cards and used in identity fraud and other types of online crime.’’
Nick added: ''The sheer abundance of technology in our lives now means there are more devices, more online accounts, increased amounts of data and information stored about you, such as the school you went to, your birthday, your pet's name, your home address…. the internet is a fountain of knowledge for cyber criminals and this will increase as technology develops.”
Does a surge in remote working pose any additional risks?
Jo said: “Absolutely! Cyber criminals are using the Covid-19 crisis as an opportunity to exploit vulnerabilities in networks, systems and through social engineering.''
“The main reason for the increase in attacks is due to employees using an increased number of devices to carry out their jobs, from laptops, tablets and smartphones, all to access company systems and data.''
“The 4 most common types of cyber-attacks during this pandemic are:
Government grant/tax refunds: cyber criminals are disguising themselves as Government officials suggesting the business may qualify for a special COVID-19 grant or tax refund, and asking for confidential business details such as bank details and employee information.
Invoice/mandate scams: a business is contacted by a cyber criminal spoofing themselves as a supplier, but saying that their bank details have changed and can all future payments be sent to a new bank account.
CEO Impersonation Scams: cyber criminals use spoof company email accounts and impersonate executives/senior leaders to try and fool an employee into executing unauthorised payments or sending out confidential information. This is particularly exploiting the homeworking environment when senior and junior staff are not in the same building so thorough checks cannot be made.
Tech support scams: criminals are impersonating themselves as your IT company, and are trying to gain access to passwords and login details with the view to get access to company data. People are now working remotely, from home networks or shared wifi systems which may not be as secure as the company network.’’
Nick says: “The good news is… there is a lot an individual can do to make sure they are keeping themselves safe online, and this doesn’t have to come at a great cost or take a lot of time to implement, a lot of it is about behavioural changes.’’
What are your top tips on keeping cyber safe?
Jo: ''We would recommend becoming Cyber Essentials certified. This is a simple, effective government backed security standard which reduces your company’s risk of a cyber attack by up to 88%.''
''Many organisations require Cyber Essentials certification to adhere to industry standards or to bid for government tenders. It’s also important to secure your company’s data either through a VPN connected to your company network, or adopting cloud technologies such as Office 365.''
Gemma: “Test & train your staff on an ongoing basis to empower them with the knowledge of what to look out for and to enable them to be your human firewall. Test your systems to identify where the gaps are and make sure they are updated, and monitor the dark web to see if your data has been compromised.”
Nick: “Firstly, slow down and really think about the authenticity of the email or links you have received.''
“Second, look for excessive emotion – I really like this tip as it is so easy to implement, look for signals where there is a lot of emotion such as pay now, cancellation of services if not settled in 7 days… There are often clues in the language that present a red flag. If anything seems out of the ordinary, double, triple check it!''
“Lastly, use a password manager – a password manager can be a great tool for making sure that weak, common passwords aren’t used as well as having repeating passwords across multiple applications, there are plenty of good ones, some are free or only a few pounds per month for premium editions.”
Thanks Jo, Nick, Gemma!
A bit more about these businesses...
Located at Manchester Science Park, Lucid Networks is a specialist infrastructure consultancy and managed services provider that works with businesses throughout the UK. As accredited Cyber Essentials practitioners, the team can help your organisation become Cyber Essentials certified, and the company is also a Microsoft Silver Cloud Solutions partner with extensive experience in Office 365 migrations. If you would like to hear more about any of these services, please contact hello@lucidnetworks.co.uk or 0161 513 9650.
Located at Platform in Leeds, Boxphish has developed a SaaS platform that has three distinct parts: identify, educate and report. Boxphish’s training is completed by tens of thousands of users every month across 11 countries, making a significant impact in raising cyber awareness.
Clarifyi
Formerly located at our Innovation Birmingham campus, Clarifyi is the latest brand created by the award-winning company Forensic Pathways. Clarifyi was born from a desire to make knowledge accessible, to demystify threat intelligence and to let people focus on their issue rather than having to learn to understand threat intelligence, the acronyms, and tech speak. The team investigates the murky world of the Open and Dark Web to identify brand and data compromise, and adopts a forensic approach to threat intelligence, identifying compromised data that is on the Dark Web for a range of UK and international businesses.