2020

How can you protect your business from the very people who work with you?

While you might have everything in place to protect you from external cyber-attacks, unexpected security threats can come from right under your nose – even from good willed and trusted employees.

It’s all well and good to keep your data safe and secure, but it can just take one employee not following the right security protocols, or disgruntled ex-employees having access to data – and you might find your business in serious trouble.

With the majority of us working remotely, this brings with it a whole raft of security issues – do employees have access to the right servers for their work, are staff updating their apps and systems accordingly, are they using work laptops for personal use?

That’s why it’s so important to drill security practices into everyday actions for staff – while many basic security principles may seem obvious, the consequences of even a minor slipup can be severe.

So, how can you protect your business and data from well intentioned employees who might not be in the know about IT security?

It starts with Cyber-Sensibility, ensuring your staff are well educated with regards to your company’s IT operations, passwords and keeping data confidential and secure.

Start by taking time out to train employees on IT best practices – saving documents to the correct files, ensuring passwords remain secure, and that employees know not to use their computers or laptops for personal use

Consider implementing a password manager for secure and confidential passwords and access to shared services)

Ensuring employees are well-enough educated in regards to cyber-security can be one of the most important methods to keeping safe.

A study conducted by Cyberark discovered over half of all employees are happy to allow co-workers using their login details, meanwhile 45% revealed they don’t tell IT when they download an unauthorised app to their device.

This sort of behaviour comes with severe risks of viruses and hacks, leaving IT systems much more vulnerable to attacks – it’s well worth double-checking staff understand basic IT security to protect themselves and the business.

The next step is to keep on top of remote setups.

The pandemic has seen unparalleled amounts of workers working remotely from home, which has completely moved the goalposts in terms of cyber-security.

A recent survey discovered 95% of security professionals were facing added IT challenges with employees WFH in thrown together home offices not fit for purpose.

Threats like phishing scams and malicious webpages are now having greater impacts than before, posing a huge threat to all businesses and employees.

Your IT security needs adapt to the changing environment, ensuring employees know what potential scams look like through training and flagging up anything they’re unsure about.

Be aware of what potential scams look like, through training and avoiding complacency, keep a distance from anything that could pose a threat, and ensure apps and systems are consistently updated.

What about ex-employees?

The process of removing moved-on workers from your system is another action that has to be taken seriously. It’s estimated that around 92% of UK businesses don’t automate this task as part of an off-boarding process, leaving plenty of room for human error.

Allowing a former employee to have access to your IT systems runs the risk of a whole load of IT security issues.

In fact, a Gurucul study discovered around one in ten workers would take as much corporate data as they could on the way out of a job, with a further 15% saying they would change passwords and even delete files.

Of course, not everyone will take files or change passwords, but that doesn’t mean you shouldn’t be meticulous about your offboarding processes and take all the necessary precautions to prevent data breaches from former employees.

Much of the time, departing staff might not have any ill will but can still leave your business open to data breaches by keeping business files and information on personal computers, failing to handover correct log in details, and not returning all of their company IT equipment.

There are a few ways you can look to prevent this such as wiping work-devices, changing passwords, and removing access to files (especially company social media accounts) and notifying the IT department well in advance about staff changes.

How can we help?

Getting the best IT advice is essential to help prevent breaches and security issues from damaging both your reputation, your business, and your profits.

If you’re interested in how you can improve your business security, please get in touch with our friendly team of IT experts – who will run through everything cyber-related with you.

You can find out about all of our different services here

How can you make sure staff don’t fall for email scams?

Phishing scams aren’t new to the scene.

In fact, we’ve become so used to the headlines about businesses paying out fortunes to get their data after some unsuspecting employee clicked a dodgy link in an email.

Even today’s (03 December 2020) news from IBM of a targeted global hacking campaign aimed at the COVID-19 vaccine supply chain hasn’t surprised us – it’s something governments and businesses have been warning against for months.

IBM believes the campaign began in September 2020, with phishing emails sent to six countries linked to the delivery ‘cold chain’ used to keep the vaccine at the right temperature when it’s transported.

Attackers reportedly impersonated a business executive from a Chinese company involved in the cold supply chain to trick targets into opening emails, as well as targeting transport organisations with malicious phishing emails asking for log in details.

If successful, hackers could have procured sensitive and confidential information about the distribution of a high value and high priority.

According to IBM’s security researchers, targets included the European Commission, companies involved in solar energy, a software development company in South Korea, and a German web development company.

It’s not just bigger organisations being hit by more phishing scams, smaller businesses can easily could become exposed to scammers purely by the fact that your good-natured employee didn’t think to message or phone their colleague about a slightly odd or unusual email they received.

Covid-19 has created the perfect environment for phishing, with remote working, digital appointments and a rise in health and medical information, hackers are finding it easier to take advantage of people, reaping in the stolen benefits.

From the beginning of the pandemic, fraudsters changed their tune and started using sophisticated methods of exploiting innocent victims and companies – from fake government emails and support schemes to business relief funds, hackers are now more creative than ever.

In February phishing attacks related to HM Revenue and Customs (HMRC) impersonations averaged at 26,100 per month, a figure that by March increased to 40,184 attacks, roughly 73% rise within a month. The number of attacks has steadily been increasing between March and September with recent figures suggesting 57,801 attacks per month.

In August, the HMRC declared it was investigating more than 10,000 email, SMS, social media and phone scams specifically exploiting the pandemic.

These attacks are on the rise, and are becoming more and more convincing. We’ve outlined some vital steps you and your business can take to prevent these attacks and identify the scam before it’s too late.

How to recognise phishing

1. Emails usually look identical to messages from reputable organizations
2. The content sounds urgent
3. The content tries to stir fear
4. Claims to enclose breaking news or important information
5. Asks you to download a link or attachment
6. Email address does not match organisation

How to protect against phishing

1. Train your staff

It may sound a little boring but it is so important to understand the threat and be able to identify spam emails and webpages as a collective unit.

As harsh as it sounds, staff are often the biggest weak point when it comes to phishing – so it’s vital to train your staff in recognising risky spam emails.

This includes understanding URLs and being able to recognize the ones that are safe and legitimate versus those that are fraudulent.

We offer phishing simulations as a service to help identify and train you and your staff to make your business less vulnerable.

2. Triple check everything

If uncertain of an email a website or a company, visit the website or google the address. If the site comes up with an error or details are not matched, this should be considered a warning.

If you ever receive any suspect emails, always refer to your colleagues and your IT support team – it’s always better to be safe than sorry!

3. Invest in your security

Installing and updating anti-spam, anti-virus, and anti-spyware software. Deploying a spam filter that detects unidentifiable senders, webpages, or downloads will prevent any further interaction with spammers and keep your business safe.

It’s all about balance, right? At Consider IT, we can help support your digital and cyber security needs, with our proven cyber security solutions.

Our team of experts can help support your business by securing both technical and operational measures from implementing software to designing new security policies and strategies that work.

With complete protection, we can become the first point of contact for every area of security, directing potential attacks to our expert team who can react sooner and faster.

As a Cyber Essentials Plus-accredited team, we can guide you through security processes to better protect your businesses and employees, helping your business achieve your own Cyber Essentials plus accreditation.

We’re a full CREST-accredited body with CREST-accredited staff, including CREST Practitioner Security Analysts and CREST Registered Penetration Testers.

So, we can help give you peace of mind, as well as helping you protect your business. Becoming accredited is an incredibly powerful way to gain trust and confidence from your customers and workforce.

If you’re interested in how you can improve your business security, please get in touch with our friendly team of IT experts – who will run through everything cyber-related with you.

You can find out about all of our different services here 

Are your passwords giving hackers access to your accounts in seconds?

How long does it take a hacker to figure out your password? The reality is that millions of apparently secure passwords can be bypassed in seconds.

Think about that. It could mean five to 10 passwords have been compromised in the time it took you to read to this point. Scary stuff.

These kinds of incidents are known as “brute force attacks” and the culprits let computers run through millions of possible combinations at lightning speed until they find the combination. The results can be so fast as to appear almost instantaneous.

Most people have used bike locks, padlocks or other locks which have four-digit combinations. For an ordinary person, forgetting the number is a huge inconvenience. It would be all but impossible to try all 10,000 possible combinations. However, a computer can crack the right code in less than a second.

Mike Halsey, a six-times recipient of Microsoft’s Most Valuable Professional (MVP) award, pulled together this handy table which outlines how easy it can be for a hacker to crack your password, based on whether you’re using just numbers, letters or a combination of upper and lower case letters and symbols.

Where do you fit in?

So, how easy is it to make a difference? Easier than you might think. Yet, just a few relatively simple tweaks and updates could turn seconds into years, decades or even centuries when it comes to cracking your passwords.

For example, while the cyber crooks can bypass a four digit password instantly, an eight-character password with a combination of numbers, upper and lowercase letters and symbols poses a far more difficult challenge – taking more than two YEARS of computing power to crack.

As mentioned in our previous blog post on password security, the easiest passwords to crack are those with names, dates, or personal information that a hacker could gather from your social media (parents’ names, a birth place, or even your date of birth).

If you’re using personal details in your passwords, you can be providing the exact information a hacker needs to gain access to your emails, bank accounts, work data – nothing’s off limits once your password is in the hands of a hacker.

How can you protect yourself against hacks?

The best possible protection you can give yourself is to create a password with a strong combination of different letters, numbers and symbols. Numbers can be easily substituted for the letters O and S – and the longer the password, generally the better.

Avoid using names, football clubs, fictional characters – anything really easily identifiable. Last year, the National Cyber Security Centre published an analysis of the 100,000 most commonly used passwords that have been accessed by third parties.

The top passwords used by British people included:

• 123456
• 123456789
• qwerty
• password
• 11111

While some of the most-used words were:

• Ashley (used 432,276 times)
• Michael (425,291)
• Liverpool (280,723)
• Blink 182 (285,706)
• Superman (333,139)

To make your accounts more secure, considering making your passwords longer, with combinations of characters. Enable two-factor authentication on whatever devices you can. This doesn’t just apply to your personal social media accounts, it’s also important to keep in mind for your business and professional accounts.

You might also want to consider using a password manager to create and store complex passwords for you. There are also many affordable and user-friendly password management services, which create uncrackable passwords for all of your services (social media profiles, online banking) – then securely log you in whenever you need access. Popular options include LastPass, Dashlane and 1Password.

If you’re interested in how you can improve your business security, please get in touch with our friendly team of IT experts – who will run through everything cyber-related with you.

You can find out about all of our different services here

If you’ve read our blog on CEO fraud, you’ll know that hackers are getting more and more sly when it comes to different ways to attack people and businesses.

Whether it’s through hacking IT systems, sending fake emails or carrying out malware attacks, there are so many different ways a hacker can actively get into your systems and find out sensitive information about you or your business.

But, did you know you might be giving hackers easy access to your private information through your own social media?

Have you heard of doxing? Doxing (or reconnaissance) is the way criminals research and gather information about a target before using it maliciously, whether its by hacking directly, guessing passwords, or even going so far as to create the perfect, personalised trap to target you.

Cyber criminals look to collect all of the information available about you, and social media can make you an easy target.

We willingly and freely publish so much personal information about themselves publicly on social media, from friends and family members to photographs, home and workplace addresses – all of which makes us more vulnerable to attack.

Passwords and password recovery answers often use seemingly innocuous details like children’s names, pet’s names, their year of birth, place of birth. But, when researched on social media and combined, these can be the perfect tools to unlock your email, social media and bank accounts.

Even more concerning, stats released by the National Cyber Security Centre last year showed millions of people in the UK used combinations of basic, easy-to-guess passwords including:

• Passwords that include basic information that can be found easily from your social media – including your real name or username and family names, the football team you support.
• Place names, birthdays, or single dictionary words.
• Numerical or keyboard sequences (e.g. QWERTY, 12345)
• Names of comic book characters and bands

These types of passwords are easy to guess and pose a threat the security of your accounts. Hackers will be able to easily guess these types of passwords by analysing your personal information and making informative guesses.

Make it more difficult for hackers by taking extra steps to minimise these threats.

There are simple, straightforward ways to make your social media more secure, including making social media profiles private and removing anyone you don’t personally know from your following. Enabling two-factor authentication with phone numbers and separate emails can also make your online presence more secure.

Other ways to secure your accounts include:

• Regularly updating apps
• Blocking unknown accounts
• Making your passwords long, with combinations of upper- and lower-case letters, symbols and numbers
• Be careful when logging into accounts through email links – always check the sender details because this is another popular phishing scam
• Never share your passwords with anyone
• Use different passwords for different social media accounts
• Consider using a password manager

By making these simple changes, you can protect your own personal information from being analysed by potential hackers. By being aware of the dangers and taking some proactive, positive steps to reduce these risks can help keep your information from falling into the wrong hands.

These tips apply to your personal social media accounts, as well as your business and professional accounts. Want to talk to us about your business security? We offer a range of services including Cyber Essentials and Cyber Essentials Plus, backup services, a top-range Disaster Recovery Suite, and IT support.

You can find out more about all of our different services at https://considerit.com/what-we-do/managed-it-services/

Would you leave your house unlocked if nearly half the homes in your area had been burgled? If an attack was likely, would you wait until after the break-in to act?

No? Then why treat your business that way?

As with any breach of security, a proactive response is always better than reactive – why wait for the damage to be done when you can try to prevent it in the first place?

With cyber attacks continually on the rise, it’s really important that all businesses, no matter their size, act proactively in response to the increase in attacks and successful hacks.

You might think reactive IT security will save you money, but it’s only in the short-term. In the longer-term you run the risk of increased financial costs, using the wrong tools for damage control, and no clear way of resolving issues.

Proactive approaches are all about anticipating that something might happen and being prepared for it. Proactive IT security leaves less room for cyber attackers to exploit your systems, and also makes it easier to identify problems sooner – and makes it easier to fix them.

Here are just two reasons why we think being proactive is the best attitude to take towards your IT security:

1. No more constant clean-up

Unfortunately, cyber-attacks are no longer a rarity. Once upon a time, it might have been worth your while holding off on investing in IT security. Now, when 1/3 of UK businesses suffered an IT breach last year alone, it’s no longer a matter of “if” we see another breach, it’s “when”.

1/3 of UK organisations suffered IT breaches last year, even though 70% invested in some sort of IT security. Without an element of proactive IT security, this figure would be a lot higher.

After an attack, more damage will have been done when you don’t have some element of proactive IT security in place. Attacks damage your safety measures; you likely lose data which causes financial and reputational damage as well.

Clean-up costs can be enough to make your eyes water, and even more when coupled with loss of productively or revenue. It’s best to have security measures continuously in place to lessen some of the damage.

2. Reactive security measures are often light work for pro-hackers

As much as you might believe otherwise, hackers will generally always be one step ahead – whether it’s through developing stealthier ways to attack, or new ways to hack and fool people.

Even the most unsophisticated hackers have access to coding which can easily evade antivirus (AV) detection. They’re often tuned into AV provider updates as well. This means that hackers get the same messages as clients when they are told to update their systems to account for new hacking codes.

This works as a push for hackers to roll out their new methods – putting businesses one-step behind the criminals.

It’s easy to treat IT security as something you don’t need straight away, but in the long run it’s much better for your company if you’re proactive about it. We can’t pretend a cyber attack just won’t happen – they’re becoming more and more likely every year as we become more globally and digitally-connected.

We can sit back and wait to do something after an attack, or we can be proactive and put in place some preventative measures to make your business less likely to be breached in the first place. Not only will this help put your mind at ease, it can also make your clients and customers at ease that their information will be less accessible to hackers.

With all this in mind, there’s so much that we at Consider IT can do to help you protect your business and your clients from cyberattacks before the take place, saving you in the long-term.

We can help you with everything from support services to improve productivity, increase security and reduce the overall costs to your business, to bring you through Cyber Essentials Accreditations. We’ll turn your back up platform from a “recovery in days/weeks” situation to “we’ll have you online anywhere in the world within 15 minutes”.

We even offer our purpose-built Disaster Recovery suite for your team to use in times of crisis.

Find out about all of the services we have on offer at https://considerit.com/what-we-do/managed-it-services/cyber-security/cyber-essentials/

Get in touch with us on 0131 510 0110 or [email protected] to chat about our IT support services.

You read that right – now is the time to sign up for a chance to stake a claim on vouchers worth up to £1,000 to help protect your business from online threats.

We’re so proud of our Cyber Essentials accreditation, we want your business to have a slice of the pie as well.

We want you to stake a claim on the £500,000 pot up for grabs through the Government’s Cyber Essentials Voucher Scheme – before it runs out.

The Cyber Essentials scheme aims to improve Scotland’s cybersecurity, making it one of the most secure places to do businesses.

We’re one of a handful of CREST-accredited specialists in the country which can deliver Cyber Essentials, while helping you claim back up to £1,000 of the costs from Scottish Enterprise.

With hundreds of high-profile IT security breaches happening every year, cybersecurity should be a top priority for any business as it affects every one of all shapes and sizes.

If your business falls victim to a cyber-attack, the costs involved in recovery can be incredibly expensive, so why not help protect your business with a government grant – how easy could it be?

Becoming CREST-certified can protect your business from up to 80% of cyber risks. It also shows your customers and clients that you’ve taken a proactive approach to security – giving you an edge over your competitors.

Our team of IT experts is one of the very few teams in Scotland which can manage both Cyber Essentials and Cyber Essentials Plus certifications for clients.

Both certifications involve a rigorous assessment of business processes, data security and security testing. CE Plus involves double the tests on a client’s infrastructure – including assessments of exposure to malware, internal vulnerabilities, workstations and mobile devices.

Cyber Essentials is an intensive undertaking, but it’s well worth it – and even more so when the government is helping to foot some of the bill.

Early March 2020 has been earmarked as the closing date for applications to the scheme, so what are you waiting for?

You can find out more about Cyber Essentials and all of our services at https://considerit.com/