About half of all businesses are now being “punished” by Google for not making a simple change to their website… that costs very little. Last year the internet giant changed Chrome – the world’s most popular browser – to flag up websites that weren’t encrypted. Six months on and we estimate half of all businesses still haven’t made the change. They’re losing traffic and scaring off potential buyers.
Encryption means that data sent between a website server and someone’s computer is dramatically more secure. You know a site is encrypted when its address starts with https://, instead of just http:// (without the s). This is achieved by installing something called an SSL certificate, an easy task for an IT support firm. Google is on a mission to make the world’s websites secure. Unencrypted websites currently show this warning:
And it gets worse if someone starts to fill in a form on an unencrypted website. Then the warning message changes to:
It baffles me why so many local businesses haven’t made this change. It’s believed unencrypted websites get less traffic from Google. And it’s certainly putting off buyers who see a red warning on a website. Yet it’s cheap and easy to fix.
Nine months on from the implementation of the General Data Protection Regulation (GDPR), there’s an alarming amount of ostrich activity going on. Recent research has shown that 70% of companies are still not fully compliant and are yet to get their heads around what’s expected of them.
A new study by office equipment company Fellowes found that 17% of employees still haven’t been provided with new data protection guidance, and one in ten don’t know who in their organisation is responsible for the GDPR. A further 33% admitted to regularly leaving confidential data unattended!
The reasons for this slow uptake vary. In some organisations, it comes down to a genuine lack of understanding about the new laws. In others, it’s about being overwhelmed and seeing the development of new policies as just another onerous task on the to-do list that they’ll get around to when they have the time. Other managers just think it’s a lot of fuss over nothing – the likelihood of any major data problem arising is minimal, and it’s just an excuse for IT security people to take their money. After all, nobody’s even been fined yet.
And that’s the important word – YET.
The European Data Protection Supervisor, Giovanni Buttarelli, recently told Reuters to expect the first round of fines to take place by the end of the year. The commissioners have reportedly been “overwhelmed” with consumer complaints since the GDPR came into force on May 25th, and when they do come to enforce them, the fines won’t be small. Any organisation found to be in breach of the new rules will face fines of up to €20 million, or 4% of global revenue – whichever is higher. Buttarelli believes those likely to be sanctioned will come from all around the EU, including a number of public bodies. He also warns that there’s no excuse for companies to keep dragging their feet:
“E-privacy is simply indispensable. It is essential, it is a missing piece in the jigsaw of data protection and privacy. (Failure to update) would really be a dereliction of duty.”
On the flip side, the Information Commissioner’s Office – the UK’s own data protection body – has been inundated with calls that don’t meet the threshold for a data incident. While it’s encouraging that these organisations are taking their obligations seriously, it demonstrates a huge lack of understanding about the GDPR and what it really means for businesses.
Many reports received by the ICO are incomplete or unnecessary, suggesting that companies think they need to report everything data related, like someone leaving their desk for 30 seconds with a client file on display. While this is clearly bad practice, it’s not a breach until someone else gains access to the file and uses it unlawfully.
The bottom line is this. If you’re still not fully compliant with the GDPR, you can’t go on sticking your head in the sand. The fines are on their way, and by the end of the year lots of companies will find themselves significantly out of pocket. That’s bad enough for the big fish, but smaller businesses who just didn’t manage to get around to sorting things out have the most to lose.
So what happens next?
Here’s what we can do to help. We can make sure that from a technology point of view, you are fully up-to-date and protected. That means making sure your data is safe and accounted for at all times. And you don’t have to worry if someone in your business makes a small mistake, such as leaving a laptop on a train. Essentially – we will give you peace of mind about the security of your data under GDPR. So you can get your head out of that sand and dare to look at the light again.
Iron Dome can assist you with managing your compliance through the use of network tools that provide you with monthly reports showing exactly what data is where and how it is stored. These tools also create task lists for the relevant people to action within a defined period to get back into compliance. This process is automated as much as possible, to make compliance part of your business processes and as smooth as possible.
GDPR has many more aspects to its regulation including the right to be forgotten. We can help you implement systems and processes that make these types of requests easier to manage. Speak to our GDPR experts today on: 0203 358 0203
Cybercrime is big business, and phishing attacks are one of the main routes into an organisation. You might have heard of them but are not quite clear what they are and how they work, so here’s our simple definition:
A phishing scam happens when a cybercriminal pretends to be someone else to gain information. Commonly they do this by sending fake emails designed to look like they’re from a trusted source within your company, such as the CEO or head of accounts. The aim is to make the victim feel a sense of fear, curiosity or urgency so they quickly open a dodgy attachment or send important details like bank/credit card details, user names or passwords.
They rely on the fact that most staff are eager to please their superiors and won’t question them, so they freely give out sensitive information they would normally hang on to.
Cybercriminals are very skilled at what they do and can create emails that look so much like the real thing that even the savviest staff member can easily be caught out at the end of a busy day.
For that very reason, phishing scams are often deployed towards 5pm or last thing on a Friday when people just want to get home and take their eyes off the ball. And in a further chilling development, hackers have been accessing bosses’ email accounts, and waiting for them to go on trips abroad before striking.
With spear phishing, hackers know exactly who they’re looking for and will focus all their efforts on these unsuspecting victims. Because this isn’t a blanket approach, the hackers have to be more creative and thoughtful in their hunt. It’s common for them to use carefully chosen phrases and tailor their language to suit each individual person or group. In a lot of cases spear phishing attacks are so convincing that they’re able to completely fool the target into parting with all sorts of information, blissfully unaware that they’ve been caught out.
Hackers play a long game
“What makes this scam both clever and worrying, is that the hackers play a long game,” said local IT security expert Wayne Stanley of Iron Dome. “Hackers get into the boss’s email account. In the past they would have done instant damage and immediately got out. But now they sit and read emails, and over a period of months look for ways to steal cash.” Sometimes that’s by intercepting bank account or card details shared on email. But the most cunning hackers wait till the boss is away on a foreign trip before striking.
“They send an email to staff asking for urgent access to a critical system, or for an urgent bank payment to be made,” Wayne Stanley said. “It looks like it’s come from the boss, but it’s actually from the hacker. They will drop in a few facts that the staff know are true, such as where the boss is holidaying and what the weather is like.”
Wayne added: “Many staff are completely fooled, so go ahead and set the payment up. It can be days before anyone knows there has been a security breach, and by then it’s usually too late to stop it.”
Some interesting stats!
- The average cost of a phishing attack for a mid-sized company is £1.22 million.
- Phishing attempts rose by 65% between 2017 and 2018. They’re not specific to any particular industry and businesses of all sizes have been attacked.
- 30% of phishing messages are opened by targeted users, with 12% of those users going on to click the links or attachments.
- Nearly 1.5 new phishing sites are created every month.
Wide Net Attack!
A recent Gmail phishing scam targeted nearly a billion users across the globe. It was fiendishly simple but tricked a lot of people. Here’s how it worked. Victims received a text message asking if they’d requested a new password for their Gmail accounts. Of course, the vast majority had not. Confused targets were then prompted to text back “STOP” to confirm the request had nothing to do with them. They were then sent another text urging them to send their 6-digit numerical access code to prevent their accounts being compromised. Of course, the opposite was really happening. Instead of protecting their Gmail accounts, they were giving the hackers the ability to reset their passwords, and with it access to all their emails. This type of phishing scam is known as a “wide net attack”. Trawlers cast wide nets to catch a huge amount of fish and seafood that won’t all be good enough to sell, and this method uses the same principle. You can’t expect 100% success, but plenty will fall for it. And in this case, even a relatively small catch can reap impressive rewards.
Iron Dome top tips:
Stay informed: Education is everything, and that goes for you and your staff members. New scams are being developed every day, so it pays to sign up to regular updates and guides that will keep you in the loop. Cyber Security training for all IT users is also highly recommended so you can be confident that everyone knows what to look out for.
Think ahead: Develop a robust IT security policy that includes everything from Bring Your Own Device to password management and backups. Make sure all sensitive company information is encrypted and that all mobile devices – including those that belong to staff members – have to pass security protocols before they can access your network.
Keep it private: Never share personal information over the internet unless you’re 100% certain you can trust who you’re talking to and you’re sure your data is encrypted. If a company ever asks you to impart sensitive information, check with them at source first by visiting their main website and calling the customer services team.
Be suspicious: OK, so it’s a bit miserable going through life being cynical, but there are some situations where it pays to expect the worst. If an email doesn’t look quite right, it probably isn’t. If you’re not sure, just hover over the link before clicking on it to see where it leads. If you don’t recognise the website address or it’s full of funny looking symbols, avoid it like the plague. A lot of phishing emails start with “dear customer”, so be particularly wary of any that don’t address you by name. And if there are lots of grammatical errors and language that sounds very old fashioned, it’s almost always going to be from a scammer.
Get protection: Install anti-virus protection, SPAM filters, web filters and anti-phishing toolbars and make sure they’re always kept up to date. Failure to install the latest patches and updates leaves organisations wide open to threats. Monitor the anti-virus status of all equipment, particularly mobile devices that are used outside of the working environment.
The best way to keep the phishermen away?
Put your IT security in the hands of trusted professionals. You’re already working hard, so you could probably do without the hassle of having to keep your entire computer system shipshape and safe from cyber attackers. Working in partnership with reputable IT experts who can prove they’re worth their salt will help you sleep better at night and send the hackers further upstream in search of a better catch.
Iron Dome have put together a series of security measures designed to help local businesses prevent this kind of fraud. They’re making details of the scam public, to try to help more owners and MDs be aware. To find out how Iron Dome can help your business stay safe from cyber-criminals visit www.irondome.co.uk or telephone: +44 (0) 203 358 0203
Since the inception of the internet and email, it seems there have always been phishing scams. They are a global threat to all businesses that utilize the internet for any reason. Within recent years, these scams have increased significantly, and they continue to victimize people around the world every day. You might be wondering, how does a phishing scam work?
A phishing scam involves sending a fraudulent link to an individual with the primary purpose of installing malware or deceptively retrieving sensitive information, such as passwords, banking information, or social security numbers.
Phishing costs businesses billions of dollars in losses. As a managed IT service provider, Iron Dome has the technical expertise to help your business prevent, and recover from, a phishing scam. We use the most powerful applications to keep your data safe. Phishing scams are very profitable and have cost many businesses millions of dollars. According to a report released on July 12, 2018 by the Federal Bureau of Investigation, business email losses are in the billions. This is probably why phishing is one of the most popular internet scams today: it’s a fast way for cybercriminals to obtain money.
How Can You Avoid Being a Phishing Victim?
Here are some of the steps you can take to avoid becoming a victim.
Don’t Download Files from Unknown Users
If you receive an email from an unknown user, don’t click on any links or download any files attached to that email. For some people, this may seem obvious, but thousands of people accidentally click or download infected files every year. Even if the link is from a known party, go to the company’s website instead of attempting to access it from the email. Sometimes cybercriminals will use emails and websites that are cloned versions of the actual business website. If you’re not paying close attention to what you are doing, you can be scammed. You also want to look at the website’s URL address. Hover over it to confirm that it’s the company’s domain name.
Don’t Trust the Display Name
Even if you receive a familiar email, be cautious. A common phishing tactic is spoofing the email’s display name. Unfortunately, some email providers will only display the sender’s name but not the email address. If the email address does not match the name of the sending party, flag it. However, this is not a foolproof indicator that it’s a scam, for any email address can be spoofed.
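Two of the checks described above (hovering over a link to compare the address it shows with where it really goes, and comparing a familiar display name with the address behind it) can be automated on the mail server or in a mail-filtering script. The following is an added example, not code from the article or from Iron Dome; the `KNOWN_SENDERS` directory and the sample message are constructed for illustration.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: people whose names a phisher would borrow,
# mapped to the address they really send from.
KNOWN_SENDERS = {"pat smith": "pat.smith@example.com"}

def check_from_header(from_header):
    """Flag a familiar display name sitting on an unfamiliar address."""
    name, addr = parseaddr(from_header)
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and addr.lower() != expected:
        return f"display name '{name}' belongs to {expected} but address is {addr}"
    return None

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Flag links whose visible text names a different host than the real href
    (what hovering reveals) and hosts that are IP literals or punycode."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = urlparse(href).hostname or ""
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if " " not in text and "." in shown and shown != real:
            findings.append(f"link text shows {shown} but goes to {real}")
        elif real.replace(".", "").isdigit() or "xn--" in real:
            findings.append(f"link host {real} is an IP literal or punycode")
    return findings

def scan_message(from_header, html_body):
    """Run both heuristics; an empty list means nothing looked odd."""
    finding = check_from_header(from_header)
    return ([finding] if finding else []) + check_links(html_body)

if __name__ == "__main__":
    # Constructed sample: the boss's name on an outside address plus a look-alike link.
    for f in scan_message('Pat Smith <pat.smith@webmail-provider.test>',
                          '<a href="http://example.com.login-verify.test/pay">'
                          'www.example.com/pay</a>'):
        print("WARNING:", f)
```

As the article notes, a matching address is not proof of legitimacy, since the address itself can be spoofed; these checks only catch the cruder cases and belong alongside SPF/DKIM checks, not in place of them.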
Install and Maintain Security Software
All of your computers should have a security solution installed on them. It should include at minimum an anti-virus application, firewall, and email filter. The anti-virus application is responsible for preventing viruses, phishing attacks, spyware, rootkits, malware, trojans, and other cyber threats. Maintaining the software is equally important as installing it, for recent updates offer the highest level of protection. Therefore, when you receive security updates, you want to install them immediately.
Educate Your Employees and Bring Awareness
Often employees are not aware of how businesses are targeted. By simply keeping your employees aware of the latest security attacks, you may avoid future data or financial losses. According to Symantec’s 2018 Internet Security Threat Report, over 50% of email is spam. What’s even worse is that their data shows the average individual receives 16 malicious spam emails per month. With just 10 employees, this would equate to 160 emails per month.
Be Cautious of the Urgency
Be cautious of any email that you receive that expresses an urgency to do something. You may receive an email indicating that there is a problem with your bank account, and you need to log into your account to correct the problem. This is a common tactic used to quickly gain access to your personal information.
Identify Possible Threats
Verify the website’s security before sending sensitive information over the internet. Some ways of analyzing the safety of a website include the following:
- Look for the “S” in https. This indicates that the site has an SSL certificate, which encrypts sensitive information. Without it, the information that you enter is exposed to cybercriminals.
- Look for contact information. Many website visitors feel uncomfortable doing business with a website that does not have a phone number or physical address. Ideally, most legitimate businesses will have visible contact information.
- Look for key indicators of possible malware. Some key indicators include suspicious pop-ups, ads with improper spelling or grammar, and search engine warnings.
The internet is an amazing tool and you can use it for many things. Like anything else in life, it comes with a dark side. When it comes to your business, be very cautious about releasing any information online. Only transact business on trusted websites that you know are legitimate.
Need Help Avoiding or Recovering from a Phishing Attack?
Should your company become the victim of a cyberattack, Iron Dome specialises in disaster recovery, and we can help you recover any lost data.
Contact us today at 0203 358 0203 to learn more about our services and avoiding cyberattacks.
- Physical Security
There are ways to lock your laptop down from outside of the machine. First, be sure that your laptop bag is always on your person, or that you use a padlock to keep the zipper securely closed. Most work benches at the airport have legs that you can easily secure the carry strap to. Or you can utilize a cable lock to secure it to something like a chair fastened to the ground or a building pillar.
Second, always keep a Kensington lock in your bag, and break it out every single time that you use your laptop in a public area. These are inexpensive, and you can always ask your IT provider if they have any spares. Trust us, if you’re showing initiative to protect company assets, your company will listen.
If you are in a hotel, a good way to keep your belongings safe is to put the ‘Do Not Disturb’ sign on the door. If that is posted, then the only foot traffic that should be in your room is your own. If something turns up missing and you and the hotel are the only people with keys to your room, then this helps narrow down the search for the thief.
- Software Security
We’re not talking about McAfee or Norton here, but something more along the lines of location software. Some examples of this are Lojack for Laptops if you have a Windows machine, or Find My Mac if you are an Apple user. To help protect your information, these applications set up passcodes that the thief will have to hack to bypass. They can also provide the location of your device if it’s missing or stolen.
- Backup Solution
If, in fact, your device does go missing, you know as well as we do that your work can’t be put on hold. It will continue to pile up – causing a mess of inconveniences – but the world doesn’t stop, even if your laptop is stolen. You need to be able to back up your most valuable data and recover it at a moment’s notice with a legitimate backup solution. And we’re not just talking about a file backup like Dropbox or Google Drive. A truly reliable backup solution allows for virtualisation of your laptop, so you can log in to this virtual copy of your machine and it’s just like you’re sitting in front of it again.