Cyber 321: 14th January 2022
Cyber 3-2-1: How the bad guys get a hold of your password, why the US is so concerned about Huawei equipment, and why do large organisations have a CIO AND a CISO? This week's action: Double-check your two-factor authentication.
Cyber 321: 7th January 2022
Cyber 3-2-1: The 4 tech trends that we will be reading about in 2022, how to speak to the Board about cyber, and how law firms are getting on with cybersecurity. This week’s action: Keep it simple.
Cyber 321: 1st January 2022
Cyber 3-2-1: LastPass was under attack but it shouldn’t matter. iPhones were under attack, but it didn’t matter. And Elves are under attack, but they don’t matter. This week’s action: Your New Year’s Resolution should be small but frequent.
Cyber 321: 24th December 2021
Cyber 3-2-1: NatWest’s scrutiny failed to see anything wrong with black bags of cash, Microsoft systems are the prime target of phishing attacks, and more on my journey down the crypto rabbit hole. This week’s action: Have a Happy Christmas!
Cyber 321: 17th December 2021
Cyber 3-2-1: A report explains why the HSE attack was not sophisticated. The UK’s NCSC explains why the most severe computer vulnerability in years may have identified this week. And I ask why so little of your security budget is invested in improving your defences against more than 90% of attacks. This week’s action: Security is not just about technology. It’s about humans. Invest in your human defences.
Cyber 321: 10th December 2021
Cyber 3-2-1: Why use a password manager, what is SIM swap fraud, and why does DeFi defy logic? This week’s action: Put at least some or your eggs in one basket.
Cyber 321: 3rd December 2021
Cyber 3-2-1: A Cyber Security Baseline Standard has just been published in Ireland, Bank of Ireland has been fined €24m for risks that never materialised, and. Ireland’s DPC tells us that If we have a complaint about a neighbour’s use of CCTV, we need to take it up with the courts. This week’s action: Review your Incident Response Plan.
Cyber 321: 26th November 2021
Cyber 3-2-1: How the BBC tried to track down some of the FBI’s most wanted Russian cyber attackers, how cyber attackers are making money simply through fear, and what NOT to do if you’re hit with ransomware. This week’s action: Secure your website.
Cyber 321: 19th November 2021
Cyber 3-2-1: In Cyber: Why BOI has made its customers a little less appealing to the bad guys, what the cost of complying with the current NIS directive is, what the new NIS 2 directive looks like, and why a Romanian city is nicknamed Hackerville. In Crypto: The Love / Hate saga continues. This week’s action: When it comes to payment processing, it takes two.
Cyber 321: 12th November 2021
Cyber 3-2-1: How a social engineer beat £2m of security, why most critical vulnerabilities are not critical, and why you need to worry about disgruntled employees. This week’s action: When someone leaves, disable their access.
Cyber 321: 5th November 2021
Cyber 3-2-1: What is the significant gap in a new security baseline, what happens when crypto and cybersecurity collide (part 1 and 2), and who and how are the vast majority of breaches launched? This week’s action: Follow the 80/20 rule and go back to the basics.
Cyber 321: 22nd October 2021
Cyber 3-2-1: Why cyber insurance is getting more expensive and onerous, why 90% of attacks may be thwarted by one security measure (and you know which one I’m talking about), and why I have a question for you about cryptocurrencies and blockchain. This week’s action: Just ask.
Smishing Example: AIB
Smishing example: An SMS text message that appears to be from AIB telling the recipient that their online access has been restricted.
Cyber 321: 15th October 2021
Cyber 3-2-1: The vast majority of large firms suffer because of cyber breaches in their supply chain, and yet the majority do not know what to ask their suppliers about cybersecurity. How Google and Microsoft are helping us all to be more cyber secure. And how 55 billion attacks are pointless because of one security measure. This week’s action: Keep privileged accounts for special occasions.
Phishing Example: An Post
Example of a Phishing Email: A failed delivery notification email from An Post (Ireland's Postal Service)
Cyber 321: 3rd October 2021
Cyber 3-2-1: What can we learn from the HSE attack? When is 2FA worth Sweet FA? Why wouldn’t cyber attackers be too worried about 30 countries working together to tackle the scourge of ransomware? This week’s action: Check for updates.
Cyber 321: 24th September 2021
Cyber 3-2-1: It’s not as simple as “Windows 7 = bad / Windows 10 = good”, or “Password = bad / Passwordless = good”. But it certainly is as simple as “2FA = Good”. This week’s action: Test your backups
Cyber 321: 17th September 2021
Cyber 3-2-1: Zero-day iPhone hack revealed, but the sky is not falling. Don’t worry about zero-days – Worry about 400-days. And finally, why you shouldn’t listen to me. This week’s action: Review how you are ensuring security updates get installed in a timely manner.
Cyber 321: 3rd September 2021
Cyber 3-2-1: Reliance on passwords has made it onto the cybersecurity naughty list; Cyber insurance is getting more expensive; Use of the cloud is not a guarantee of security; How to convert 21gb of data into 10 years of jail time. This week’s action: A checklist for working from home.
Cyber 321: 20th August 2021
Cyber 3-2-1: Why it’s probably no big deal that Accenture got hit by ransomware, why technology should make you paranoid, why you should never annoy a nerd, and why losing your wallet takes on a different meaning when it comes to cryptcurrency. This week’s action: Protect your crown jewels.
Cyber 321: 13th August 2021
Cyber 3-2-1: Length matters (for passwords). If you pay a ransomware demand, expect more ransomware. And why there will be no end to your clients asking you about your cybersecurity defences. This week’s action: Do the maths on your backups.
Cyber 321: 6th August 2021
Cyber 3-2-1: How one business took 24 years to build and 24 hours to destroy, what the EU’s Agency for Cybersecurity has to say about supply chain attacks, why you should ask more questions about the security of your IT service providers, and why you should expect to be asked similar questions by your clients. This week’s action: Ask questions. Seek evidence.
Cyber 321: 30th July 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including how ransomware is not just about backups, how Connecticut is incentivising firms to improve their cybersecurity defences, and why Human Intelligence still beats the tech. This week’s action: Hug your staff.
Cyber 321: 23rd July 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including why cybersecurity influences the valuation of a fintech, how cyber attackers are after your cryptocurrency, the steps recommended by NIST to reduce the risk of ransomware, the reward offered by the US government for information about cyberattackers and terrorists, and the ongoing problem of password reuse. This week’s action: Find out why passwords are like your toothbrush.
Cyber 321: 14th July 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action. This week, my focus is on firms that sell software or services to other organisations. You need to realise what the cybercriminals already know and what your prospects (and their regulators) are becoming increasingly concerned about: You are the perfect stepping stone into your clients’ computer systems and you could be the weakest link in your their cybersecurity defences. It was demonstrated in the WannaCry attack of 2017, the SolarWinds attack of 2020, and this month’s Kaseya attack that has impacted up to 1500 businesses. This week’s action: Recognise that your suppliers are a risk to you, and you are a risk to your clients.
Cyber 321: 2nd July 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including how multi-factor authentication is not foolproof, how ransomware negotiation is a growing cottage industry, how the EU and the US are hoping to share more information about cyber-attacks, how one gang laundered $500 million before being captured, and how 30 million Dell devices need an update. This week’s action: Verify links, app access and browser plugins
Cyber 321: 25th June 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including why we’re all getting an increasing number of unsolicited calls these days, what we know about the HSE attackers, and why you may need to check the T&C’s of your insurance policies. This week’s action: If you don’t recognise the number, don’t answer the call.
Cyber 321: 18th June 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including how a framework like NIST CSF or CIS Controls can turbo-charge your security efforts, how our teenagers are ending up with convictions for money laundering and supporting terrorism, and how the FBI fooled 800 criminals into telling them all about their drug deals and other criminal activities. This week’s action: Tell your family to protect their bank accounts.
Cyber 321: 11th June 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action. This week is dominated by the various findings of the Hiscox Cyber Readiness Report. For 50% of firms, could the cost of cybersecurity risk really be less than €3.5k per annum? In other news, the 5 key things the White House recommends you do to defend against ransomware, and the one thing they did not mention. And finally, why professional services firms are targeted by cyber criminals. This week’s action: Check my maths, and check your numbers.
Cyber 321: 4th June 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including a major fire at one of Europe’s largest cloud providers, a decision by AXA in France to no longer cover ransomware payments, the ongoing cost and impact of the HSE attack, and a spyware attack on Android phones that is currently circulating in Ireland. This week’s action: Get rid of data you no longer need.
Cyber 321: 21st May 2021
Cyber 3-2-1: In the aftermath of a cyber attack on Ireland’s healthcare system, it will be no surprise that this week’s Cyber 3-2-1 discusses the many aspects of this crime. Most importantly, the fact that this not the human’s fault. This week’s action: Review and restrict access to data.
Cyber 321: 14th May 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including how one cyber attack on one firm had significant knock-on effects across the US East Coast, how another attack on another firm became Finland’s biggest criminal case in history, and what it feels like to be a victim of a cyber crime. This week’s action: Plan B Planning
Cyber 321: 7th May 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including BYOD may become Bring Your Own Disaster, fast vs slow when it comes to cloud adoption, and how paying the ransom is not a guarantee that you will get your data back. This week’s action: Ignore those voicemail email notifications.
Cyber 321: 30th APRIL 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including why professional services firms are now ransomware’s #1 target, another survey confirming that remote working is here to stay, and why good is better than perfect when designing security controls. This week’s action: Remote Desktop Protocol (RDP): Search for it in your firm, and remove or protect it.
Cyber 321: 23rd April 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including a risk and compliance firm suffers a cyber attack due to stolen credentials, why resistance is futile when it comes ISO27001, and you need to talk to your teenager about the facts of (online) life. This week’s action: Stop relying on passwords to protect your money, data and identity
Cyber 321: 15th April 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including how some firms handle crisis PR when they are victims of an attack, and how the bad guys love the things we share online. This week’s action: Identify your buddies – The experts you will need if you are the victim of an attack.
Cyber 321: 8th April 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including the world’s biggest phonebook courtesy of Facebook, Irish colleges are the latest ransomware victims, and emerging evidence that the Rule of 1% is starting to apply in cyber attacks. This week’s action: Disaster recovery – As the name suggests, think about how you will recover from a disaster like a ransomware attack.
Cyber 321: 1st April 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including the increasing concern that large firms have about their smaller suppliers, a survey that reminds us of the prevalence and cost of phishing emails, and the best defences against phishing emails and ransomware. This week’s action: Tag external emails so your staff are less likely to be fooled by a phishing email.
Cyber 321: 25th March 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including the link between your cybersecurity and your sales opportunities, a recent survey on cyber-crime from Bank of Ireland, and a reminder that cyber-criminals are not ordinary decent criminals. This week’s action: Prepare your people.
Cyber 321: 18th March 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including how insurance is only useful if you’ve got basic security measures in place, and the reasons why less than 20% of cybercrimes are reported. This week’s action: Have a Plan B.
Cyber 321: 11th March 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including the cost to Irish businesses of just one type of cybercrime in 2020, and how the increasing adoption of the cloud has increased the value of your passwords. This week’s action: Stop fooling yourself about passwords.
Cyber 321: 4th March 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including some key insights from the DPC’s annual report, and an introduction to Cyber Essentials. This week’s action: Backups - Have them, test them, secure them
Cyber Essentials
If you have followed my guide to cybersecurity basics for small businesses, you will have basic measures in place to defend against the most likely attacks. You then consider the next step in the cybersecurity ladder. Cyber Essentials may be that step. It is a set of requirements (split across five themes) that will help any business identify the appropriate technical security measures that should be put in place to protect against common cyber attacks.
Cyber 321: 25th February 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including my guide to the basis of cybersecurity, insight into why small businesses are attacked, and stats on cyber insurance coverage. This week's action: Make sure your valuable data is protected by more than 8 characters.
Your house alarm won’t stop James Bond. So, why do you still use it?
You try to defend your home against opportunist criminals. Are you doing the same in your firm?
Even honest criminals can get your money
To reduce the risk of being the next victim of a cyber crime, you need to focus on the most common ways these criminals will try to get your money and the basic defences needed to stop them.
Incident Response Planning saved Little Red Riding Hood
it turns out that Little Red Riding Hood's village had an incident response plan. I'm sure no-one in the village wanted to consider the idea of a wolf eating one of their kids. But they did consider the awful scenario. And they had a plan to recover from the incident.
Humpty Dumpty, risk management and incident response planning
Humpty Dumpty can tell us a lot about risk management, incident response planning and business continuity planning.
You need to train Little Red Riding Hood
Back in the 10th century, Little Red Riding Hood and her granny were victims of a simple fraud. How many of your staff could fall victim to a similar fraud in the 21st century?
You’ve locked the Windows. But the door is still open.
It's risky for an organisation to rely on technology that is designed for home use. Laptops purchased in retail outlets are just one simple example of this risk. On the outside, they look the same as enterprise-grade laptops. But there can be important components missing on the inside.
Don’t underestimate the value of a near-miss
Near-misses are a learning opportunities. But our outcome bias can make us blind to these opportunities.
Are you relying on Paddington Bear?
What was fit-for-purpose 3 years ago may no longer be fit for purpose now. We knew this when we were 8. Now that we are responsible for the success of our organisations, why have we forgotten this?
Turkeys don’t worry about Christmas
When people talk about 'risk', they usually think about 'likelihood'. But risk is not just about likelihood. It's also about impact. And when we think about impact, we start to pay attention.
Cybersecurity is impossible.
Cybersecurity is an oxymoron: There is no such thing as 100% security. But you should still take steps to ensure you’re not an easy target.
All you can do is everything you can do
We don’t have control over everything. Luck plays its part. But we shouldn’t let luck distract us from the actions we can take.
Small bets
All change involves risk. To mitigate the risk, we try to avoid change altogether, we go all in, or we plan to the nth degree. But there’s another way - Small bets. Small steps. Small spends. Small risks.
The insider threat
Most employees want to get their job done and go home. Most ex-employees want to move on with their lives. But it only takes one to cause havoc for your firm.
There’s always one
IT projects and other planned changes frequently fail - They exceed budgets, timelines, or fail to deliver the expected benefits. It may not be a technology problem. It may be a people problem. And there could be a very rational reason for this problem that should have been considered from the start.
Partying like it’s 1999
The world is changing, and not because of technology. Is your organisation actively assessing and adjusting to these trends, or is it operating as if it's still 1999?
Playing golf with a shovel
Running a professional organisation using technology that is designed for the home is like playing golf with a shovel. From a distance, it all looks fine. But you don't need to get too close to realise things aren't going to go well when there's real competition on the course, or if the weather changes.
Staff are not just for Christmas
Recruiting more staff is one way to ease the pains of a growing business. But staff are not just for Christmas so before you take on this expense, make sure you know the true cost first.
Technology is not the solution to your growing pains
When an organisation is growing, it will often experience problems maintaining a consistent quality of service. Many will turn to technology to relieve these pains. But technology is not the solution.
All your eggs in one basket
Major system failures can cause major headaches. The larger the system, the larger the headache.
Someone who will make me laugh. Must love dogs.
Getting married to someone that we’ve just met online would be insane. So why do we do this when choosing a new business partner or technology?
4 milestones to get capable, secure, and compliant IT
The four phases of the W4 Methodology - Where, What, Why, What (Now) - includes four clear milestones. Each milestone proves the progress you are making as you pragmatically move from your current situation to your desired future state.
The 12 steps that regulated firms are taking to go from unsure to secure
When IT is your responsibility but not your primary area of expertise, it can be difficult to figure out how to gain the IT capabilities that you want while ensuring you have the IT security that you need. My roadmap, containing 12 steps across 4 phases that I call the W4 Methodology, can help you work through the process in a pragmatic and sane way.
Cybersecurity: Top Tips
Alongside my work helping businesses to prepare for GDPR, I continue to help businesses improve their cybersecurity.
I recently wrote an article for the Kildare Chamber of Commerce's quarterly magazine that provided focused actionable advice to individuals and businesses. You can download my tips here.
In-house GDPR compliance: How to do it without losing your sanity
GDPR is seldom black-and-white. But it's not rocket science. If you have decided to work on your GDPR compliance in-house, there are a few things you need to get right from the start so you don't lose your sanity along the way.
Outsourcing GDPR compliance: Avoid the common pitfalls
If you choose to outsource your compliance work, you need to choose your outsourced partner carefully so you don't waste time or money. This article will help you learn from the mistakes of others and avoid the common pitfalls.
Becoming compliant with GDPR: Outsource or in-house?
There are a number of ways to tackle your GDPR compliance work. Depending on your budget, timeline, and attitude, you could outsource it or do it in-house. This article may help you decide which option is best for you, along with suggestions on how to keep things on track.
I run a business: What has GDPR got to do with me?
If you are a business established in the EU, GDPR applies to any processing that you perform on the personal data of living individuals. If your your clients are businesses, GDPR may still apply to you. In this article, I go back to basics and talk about the key obligations of GDPR.
GDPR is here. The sky has not fallen.
May 25. GDPR went live. And the world did not end. Keep up your honest efforts to comply - Not because of GDPR; because it is the right thing to do.
Why data protection is important
GDPR is a growing concern for businesses. As we hear every day, there are potentially big fines for non-compliance.
But today, I want to talk about why data protection is important even if there were no fines or sanctions.
Put aside about your job and your business for a moment.
Think about this as an individual.
What I learned from 2 days with 1500 data protection experts
I recently attended a 2-day conference on data protection in Brussels. While I will spare you the boring details, there are two key messages that could be of interest to real people who just want to be compliant.
GDPR Compliance: Avoid the obvious mistakes
If you are going to make mistakes with your GDPR compliance efforts, at least try to avoid the mistakes that others make.
Don't make the ODPC's job easy!
Is GDPR the new Y2K Millennium Bug?
The current fear-mongering about GDPR has a lot of similarities with what happened for the 'Millennium Bug' (Y2K).
But, don't be fooled. GDPR is real, it is coming, and you need to be ready.
Where do you start with GDPR?
GDPR is a pain in the ass
As an individual, I believe GDPR is a good thing. But as a business owner, I know it's a headache.
So, I'll just focus on specific steps you can take to start complying with GDPR.