Cyber 321: 23rd September 2022
Cyber 3-2-1: 58% of cyber incidents start with a phishing email. Plus: North Face, LastPass, and Uber: 3 breaches; many lessons. This week’s action: On the internet, we’re all Capricorns.
Cyber 321: 16th September 2022
Cyber 3-2-1: A password manager breach, ransomware triple extortion, cybersecurity for startups, and why the gamer in your life may be a risk in your life. This week’s action: Love your children. But don’t trust them.
Cyber 321: 9th September 2022
Cyber 3-2-1: Cyber insurance cover continues to reduce, Bank of America begins training high schoolers to be cybersecurity experts, and a security flaw in a WordPress plugin exposes 140,000 websites. This week’s action: Who is minding your shopfront?
Cyber 321: 2nd September 2022
Cyber 3-2-1: The bad guys are after your money and your phone is their way in (part 1 and 2). And in future, you can’t trust the sound of someone’s voice or their image on a screen. This week’s action: SMS-based MFA is better than Sweet-FA. But Authenticator apps are better than SMS.
Cyber 321: 26th August 2022
Cyber 3-2-1: Gardai warn SMEs about the increasing threat of ransomware, Amazon security director reminds us about the basics, and it hasn’t been a good week for Apple. This week’s action: Keep up-to-date on software updates.
Cyber 321: 19th August 2022
Cyber 3-2-1: Criminals are using Google Drive and Dropbox to avoid detection, Microsoft names-and-shames a cyber broker, and Apple announces a Lockdown Mode to defend against sophisticated attacks. This week’s action: Ask for evidence that your applications are being kept up-to-date.
Cyber 321: 12th August 2022
Cyber 3-2-1: Another ransomware attack on an Irish firm, how scammers are increasingly using SMS text messages to get us to part with our money, and how the departure of KBC and Ulster Bank from Ireland isn't helping the situation. This week’s action: Don’t trust that text message.
Cyber 321: 5th August 2022
Cyber 3-2-1: Why browsers are a key part of your security defences, why Uber has done a deal with the US Department of Justice, and why I tend to surround the phrase “crypto investment opportunities” with quotes. This week’s action: If it sounds too good to be true, it probably is.
Cyber 321: 29th July 2022
Cyber 3-2-1: The University of Limerick is a victim of invoice redirection fraud, self-driving cars remind us that humans are still useful, and DeFi security continues to defy logic. This week’s action: Come to Limerick. Fly from Shannon. Just don’t use a self-driving car to get here.
Cyber 321: 22nd July 2022
Cyber 3-2-1: A ransom payment won’t prevent a data protection penalty, LinkedIn is the scammers’ favourite brand, and some of the latest lures used in phishing emails. This week’s action: It’s time for some cybersecurity refresher training.
Cyber 321: 15th July 2022
Cyber 3-2-1: Multi-factor authentication, multi-factor authentication, 1 billion stolen records, and multi-factor authentication. This week’s action: Yep, you guessed it: Multi-Factor authentication.
Cyber 321: 8th July 2022
Cyber 3-2-1: 80% of Irish firms hit by ransomware pay the ransom, and the US Department of Defense wants to be hacked but their reward are peanuts compared to the jackpot of zero days. This week’s action: Use a safe phone book.
Cyber 321: 1st July 2022
Cyber 3-2-1: This week, $100m of Crypto Craziness, €800k of romance fraud, social engineering lessons, and why your backups may no longer save you. This week’s action: Check your auto-forwarders.
Cyber 321: 24th June 2022
Cyber 3-2-1: Some useful reminders that patches are not just for Windows. And while Carlsberg don’t do social media scams, Heineken is not so lucky. This week’s action: Take a deep breath and pay attention to the devices around us.
Cyber 321: 17th June 2022
Cyber 3-2-1: Ukraine’s responses to Russian cyber attacks remind us of the value of incident response preparation, DuckDuckGo may not be as privacy-centric as you might think, and why paying a ransom may only mean you’ll be paying one again (and sooner than you may think). This week’s action: Reduce the need for an incident response plan by writing one.
The Curious Incident of the Tree in the Night-Time
Someone planted a tree: What has this got to do with cybersecurity?
Stealing candy from a baby
Why do we do things in the online world that we wouldn’t do in the physical world?
Cyber 321: 10th June 2022
Cyber 3-2-1: MFA might be worth Sweet FA, cybersecurity bootcamps might not get you a cybersecurity job, an Enduring Power of Attorney might teach us something about the advisors we trust, and crypto continues to provide plenty of reasons why TradFi is also MoreSecureFi. This week’s action: Remind staff that their password and MFA security code is just like their toothbrush.
What has an Enduring Power of Attorney got to do with Cybersecurity?
When a person is still alive but no longer able to manage their own affairs or to make decisions for themselves, an EPoA provides a legal basis for one or more people who they trust to make decisions on their behalf. So, what has this got to do with cybersecurity?
If there’s no will, what’s the way?
We all know we should write a will, to ensure our loved ones are taken care when we die. And yet few of us (including me) have gotten around to writing our will. Why don’t we always act in our own best interest?
Don’t feel ashamed
When you think about cybersecurity, you should never feel ashamed.
Cyber 321: 3rd June 2022
Cyber 3-2-1: Why a contract doesn’t matter until it’s the only thing that matters. Why the US Department of Defence wants you to do as they say, not do as they do. And why colleges may need to attend a Security 101 class. This week’s action: Check up on those with Access All Areas accounts.
Convenient vs Resilient
There’s some great technology out there that can make our lives so much easier and more convenient. But many of these also make our lives a little less reliable. Be mindful when you trade reliable for convenient.
You don’t need to know
You don’t need to know about accounting rules or the law. That’s what your advisors are for. Why is it different when it comes to IT and cybersecurity?
Cyber 321: 27th May 2022
Cyber 3-2-1: MFA applies to your Tesla too, cyber insurance is covering less and costing more, and 24% of ransomware payments do not enable the victim to recover their data. This week’s action: It’s time to test that your backup is more useful than a chocolate teapot.
A Backup is your Best Buddy
We know all backups matter. But some matter more than others. In this article, I explain the difference between a full, differential and incremental backup, and why the difference matters.
Cyber 321: 20th May 2022
Cyber 3-2-1: It’s time for hugs: Today is ‘Hug Your IT Provider’ Day. Wednesday will be ‘Hug Your Data Protection Officer’ Day. And some day soon, it may be time to hug Microsoft. This week’s action: Check that your browser is up-to-date.
The Cookie Obesity Problem
Four years ago today, the GDPR (General Data Protection Regulation) came into effect. Depending on your perspective, it either marked the beginning of a new level of Cookie Consent Hell or the beginning of a new approach that now forces organisations to consider how they can achieve their business objectives while minimising the use of data about us. Four years on, I look at the use of cookies on one of my favourite sites, Formula1.com.
It’s not me. It’s you.
When I work with a client for the first time, I frequently encounter a fractious relationship between the client and their IT MSP (managed service provider). There are numerous symptoms to the issue. But, at its core, it usually comes down to a lack of trust between the client and the IT MSP. And it's not always the IT MSP's fault.
Cyber 321: 13th May 2022
Cyber 3-2-1: Getting a good night’s sleep is now a little harder. The ransom payment is the least of your worries. And what is appropriate security anyway? This week’s action: Check that Windows is being kept up to date.
Inappropriate Security
Cybersecurity can feel like a blackhole of investment. There’s no end of technologies and vendors selling all kinds of solutions to the real, and perceived, risks. So, how do you know what appropriate security means for your organisation? That depends. But I can tell you what inappropriate looks like.
Cyber 321: 6th May 2022
Cyber 3-2-1: Is the end of passwords in sight? Why is a bank warning us about taxis? Why worry about smart glasses? And why do bad guys love crypto wallets and Android devices? This week’s action: It’s time to do a health check on your Android devices.
Smart Glasses and Privacy
Ahead of the launch of Meta's new smart glasses, Ray-Ban Stories, and their recent public education advertisement in the Sunday Times, here are my own views on the privacy implications of these smart glasses.
Cyber 321: 29th April 2022
Cyber 3-2-1: Insurer says solicitors are driving up the cost of cyber insurance, and the SEC says it wants to know what cyber expertise is in the boardroom. This week’s action: Check your children aren’t roaming the mean streets of the online world.
Cyber 321: 22nd April 2022
Cyber 3-2-1: DeFi enabled the perfect crime, CISA discovered cyber sabotage tools aimed at US energy sector, and a reminder that we need to keep all software up to date, not just Windows. This week’s action: Tell your staff about the brands the bad guys love.
Cyber 321: 15th April 2022
Cyber 3-2-1: Apple AirTags are a stalker’s dream. Modern superyachts are a pirate’s dream. And if cyber-attacks were not a crime, I know one type of attack that would be many people’s dream. This week’s action: Remind staff that attackers love the Easter holidays.
Cyber 321: 8th April 2022
Cyber 3-2-1: Have you recovered from World Backup Day? Are you running an infected website? And do you know how many people are on a rugby team? This week’s action: Check your shopfront.
Cyber 321: 1st April 2022
Cyber 3-2-1: The White House advises us all to act now to protect against cyberattacks. A HubSpot breach may have exposed the customer information of crypto firms. And why you should be using a password manager. This week’s action: When your staff are suspicious, make sure they can get a second opinion.
Cyber 321: 25th March 2022
Cyber 3-2-1: A UK law firm has been fined 98k for not having appropriate security controls to prevent a ransomware attack. A South African insurance firm’s password is no match for cyber attackers who gained access to the data of 54 million customers. And 75% of Irish consumers are concerned about security when they shop online, but only 4% of Irish SME’s have trained their staff in cybersecurity best practice. This week’s action: Don’t be the 96%: Train, test and support your staff.
Cyber 321: 18th March 2022
Cyber 3-2-1: BNP Paribas blocks Russian staff from its global computer network, your website contact form could be the first step in a cyber attack, and the HSE is about to contact people who data was stolen in last year’s cyber attack. This week’s action: Remind staff that the first email is not the only one to look out for.
Cyber 321: 11th March 2022
Cyber 3-2-1: What board members should know about cybersecurity and why cyber insurance will only get more expensive. This week’s action: The 7 questions that board memberd should ask about cybersecurity.
Cyber 321: 4th March 2022
Cyber 3-2-1: Organisations worry about cyber attacks arising from Russia’s invasion of Ukraine, as the Conti Gang that attacked the HSE last year announces their support of the Russian attack, and then learns that it was not its smartest move. This week’s action: 3-2-1 Backup or 3-2-1 Over.
Cyber 321: 25th February 2022
Cyber 3-2-1: Ireland’s NCSC issues an advisory, as warnings continue about the elevated threat of cyber attacks due to the ongoing crisis in Ukraine. Also this week, how blind faith in an IT system led to one of the largest miscarriages of justice in the UK, and why the phrase ‘Too big to fail’ may soon be joined by the phrase ‘Too big to understand’. This week’s action: Bí Ullamh: Consider the NCSC advisory’s recommendations.
Cyber 321: 18th February 2022
Cyber 3-2-1: What is SIM Swap Fraud? How to reduce account hacks by 50%? How is GDPR driving demand for EU data centres? And how could the need to report an attack result in better cybersecurity? This week’s action: Check MFA is turned on for all accounts, especially those used by IT.
Cyber 321: 11th February 2022
Cyber 3-2-1: The Central Bank reminds us that cybersecurity has not gone away. The US Justice Department proves that bitcoin does not necessarily mean anonymous. And a Microsoft study makes me bang my head against a wall. This week’s action: Baseline like it’s 2016.
Cyber 321: 4th February 2022
Cyber 3-2-1: The National Cyber Security Centre has released a ‘Cyber Vitals Checklist’, just as concerns increase that the current tensions over Ukraine may increase the likelihood of a significant cyber attack on the West. This week’s action: Double-check your defences.
Cyber 321: 28th January 2022
Cyber 3-2-1: ComReg has a plan to tackle volume of scam calls to Irish mobile users. Google’s trackers are being investigated in the US, while the Austrian Courts have ruled that Google Analytics contravenes GDPR. And the US Federal Reserve starts a discussion about digital currencies. This week’s action: Don’t answer that call
Cyber 321: 21st January 2022
Cyber 3-2-1: Could simulated phishing tests really make staff more likely to be fooled by a phishing email in the future? What the Russians have done to one of the world’s most successful ransomware gangs? What has ransomware and cryptocurrency got to do with North Korea? And what the hell is the metaverse anyway? This week’s action: Review your approach to phishing test simulations.
Cyber 321: 14th January 2022
Cyber 3-2-1: How the bad guys get a hold of your password, why the US is so concerned about Huawei equipment, and why do large organisations have a CIO AND a CISO? This week's action: Double-check your two-factor authentication.
Cyber 321: 7th January 2022
Cyber 3-2-1: The 4 tech trends that we will be reading about in 2022, how to speak to the Board about cyber, and how law firms are getting on with cybersecurity. This week’s action: Keep it simple.
Cyber 321: 1st January 2022
Cyber 3-2-1: LastPass was under attack but it shouldn’t matter. iPhones were under attack, but it didn’t matter. And Elves are under attack, but they don’t matter. This week’s action: Your New Year’s Resolution should be small but frequent.
Cyber 321: 24th December 2021
Cyber 3-2-1: NatWest’s scrutiny failed to see anything wrong with black bags of cash, Microsoft systems are the prime target of phishing attacks, and more on my journey down the crypto rabbit hole. This week’s action: Have a Happy Christmas!
Cyber 321: 17th December 2021
Cyber 3-2-1: A report explains why the HSE attack was not sophisticated. The UK’s NCSC explains why the most severe computer vulnerability in years may have identified this week. And I ask why so little of your security budget is invested in improving your defences against more than 90% of attacks. This week’s action: Security is not just about technology. It’s about humans. Invest in your human defences.
Cyber 321: 10th December 2021
Cyber 3-2-1: Why use a password manager, what is SIM swap fraud, and why does DeFi defy logic? This week’s action: Put at least some or your eggs in one basket.
Cyber 321: 3rd December 2021
Cyber 3-2-1: A Cyber Security Baseline Standard has just been published in Ireland, Bank of Ireland has been fined €24m for risks that never materialised, and. Ireland’s DPC tells us that If we have a complaint about a neighbour’s use of CCTV, we need to take it up with the courts. This week’s action: Review your Incident Response Plan.
Cyber 321: 26th November 2021
Cyber 3-2-1: How the BBC tried to track down some of the FBI’s most wanted Russian cyber attackers, how cyber attackers are making money simply through fear, and what NOT to do if you’re hit with ransomware. This week’s action: Secure your website.
Cyber 321: 19th November 2021
Cyber 3-2-1: In Cyber: Why BOI has made its customers a little less appealing to the bad guys, what the cost of complying with the current NIS directive is, what the new NIS 2 directive looks like, and why a Romanian city is nicknamed Hackerville. In Crypto: The Love / Hate saga continues. This week’s action: When it comes to payment processing, it takes two.
Cyber 321: 12th November 2021
Cyber 3-2-1: How a social engineer beat £2m of security, why most critical vulnerabilities are not critical, and why you need to worry about disgruntled employees. This week’s action: When someone leaves, disable their access.
Cyber 321: 5th November 2021
Cyber 3-2-1: What is the significant gap in a new security baseline, what happens when crypto and cybersecurity collide (part 1 and 2), and who and how are the vast majority of breaches launched? This week’s action: Follow the 80/20 rule and go back to the basics.
Cyber 321: 22nd October 2021
Cyber 3-2-1: Why cyber insurance is getting more expensive and onerous, why 90% of attacks may be thwarted by one security measure (and you know which one I’m talking about), and why I have a question for you about cryptocurrencies and blockchain. This week’s action: Just ask.
Smishing Example: AIB
Smishing example: An SMS text message that appears to be from AIB telling the recipient that their online access has been restricted.
Cyber 321: 15th October 2021
Cyber 3-2-1: The vast majority of large firms suffer because of cyber breaches in their supply chain, and yet the majority do not know what to ask their suppliers about cybersecurity. How Google and Microsoft are helping us all to be more cyber secure. And how 55 billion attacks are pointless because of one security measure. This week’s action: Keep privileged accounts for special occasions.
Phishing Example: An Post
Example of a Phishing Email: A failed delivery notification email from An Post (Ireland's Postal Service)
Cyber 321: 3rd October 2021
Cyber 3-2-1: What can we learn from the HSE attack? When is 2FA worth Sweet FA? Why wouldn’t cyber attackers be too worried about 30 countries working together to tackle the scourge of ransomware? This week’s action: Check for updates.
Cyber 321: 24th September 2021
Cyber 3-2-1: It’s not as simple as “Windows 7 = bad / Windows 10 = good”, or “Password = bad / Passwordless = good”. But it certainly is as simple as “2FA = Good”. This week’s action: Test your backups
Cyber 321: 17th September 2021
Cyber 3-2-1: Zero-day iPhone hack revealed, but the sky is not falling. Don’t worry about zero-days – Worry about 400-days. And finally, why you shouldn’t listen to me. This week’s action: Review how you are ensuring security updates get installed in a timely manner.
Cyber 321: 3rd September 2021
Cyber 3-2-1: Reliance on passwords has made it onto the cybersecurity naughty list; Cyber insurance is getting more expensive; Use of the cloud is not a guarantee of security; How to convert 21gb of data into 10 years of jail time. This week’s action: A checklist for working from home.
Cyber 321: 20th August 2021
Cyber 3-2-1: Why it’s probably no big deal that Accenture got hit by ransomware, why technology should make you paranoid, why you should never annoy a nerd, and why losing your wallet takes on a different meaning when it comes to cryptcurrency. This week’s action: Protect your crown jewels.
Cyber 321: 13th August 2021
Cyber 3-2-1: Length matters (for passwords). If you pay a ransomware demand, expect more ransomware. And why there will be no end to your clients asking you about your cybersecurity defences. This week’s action: Do the maths on your backups.
Cyber 321: 6th August 2021
Cyber 3-2-1: How one business took 24 years to build and 24 hours to destroy, what the EU’s Agency for Cybersecurity has to say about supply chain attacks, why you should ask more questions about the security of your IT service providers, and why you should expect to be asked similar questions by your clients. This week’s action: Ask questions. Seek evidence.
Cyber 321: 30th July 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including how ransomware is not just about backups, how Connecticut is incentivising firms to improve their cybersecurity defences, and why Human Intelligence still beats the tech. This week’s action: Hug your staff.
Cyber 321: 23rd July 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including why cybersecurity influences the valuation of a fintech, how cyber attackers are after your cryptocurrency, the steps recommended by NIST to reduce the risk of ransomware, the reward offered by the US government for information about cyberattackers and terrorists, and the ongoing problem of password reuse. This week’s action: Find out why passwords are like your toothbrush.
Cyber 321: 14th July 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action. This week, my focus is on firms that sell software or services to other organisations. You need to realise what the cybercriminals already know and what your prospects (and their regulators) are becoming increasingly concerned about: You are the perfect stepping stone into your clients’ computer systems and you could be the weakest link in your their cybersecurity defences. It was demonstrated in the WannaCry attack of 2017, the SolarWinds attack of 2020, and this month’s Kaseya attack that has impacted up to 1500 businesses. This week’s action: Recognise that your suppliers are a risk to you, and you are a risk to your clients.
Cyber 321: 2nd July 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including how multi-factor authentication is not foolproof, how ransomware negotiation is a growing cottage industry, how the EU and the US are hoping to share more information about cyber-attacks, how one gang laundered $500 million before being captured, and how 30 million Dell devices need an update. This week’s action: Verify links, app access and browser plugins
Cyber 321: 25th June 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including why we’re all getting an increasing number of unsolicited calls these days, what we know about the HSE attackers, and why you may need to check the T&C’s of your insurance policies. This week’s action: If you don’t recognise the number, don’t answer the call.
Cyber 321: 18th June 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including how a framework like NIST CSF or CIS Controls can turbo-charge your security efforts, how our teenagers are ending up with convictions for money laundering and supporting terrorism, and how the FBI fooled 800 criminals into telling them all about their drug deals and other criminal activities. This week’s action: Tell your family to protect their bank accounts.
Cyber 321: 11th June 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action. This week is dominated by the various findings of the Hiscox Cyber Readiness Report. For 50% of firms, could the cost of cybersecurity risk really be less than €3.5k per annum? In other news, the 5 key things the White House recommends you do to defend against ransomware, and the one thing they did not mention. And finally, why professional services firms are targeted by cyber criminals. This week’s action: Check my maths, and check your numbers.
Cyber 321: 4th June 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including a major fire at one of Europe’s largest cloud providers, a decision by AXA in France to no longer cover ransomware payments, the ongoing cost and impact of the HSE attack, and a spyware attack on Android phones that is currently circulating in Ireland. This week’s action: Get rid of data you no longer need.
Cyber 321: 21st May 2021
Cyber 3-2-1: In the aftermath of a cyber attack on Ireland’s healthcare system, it will be no surprise that this week’s Cyber 3-2-1 discusses the many aspects of this crime. Most importantly, the fact that this not the human’s fault. This week’s action: Review and restrict access to data.
Cyber 321: 14th May 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including how one cyber attack on one firm had significant knock-on effects across the US East Coast, how another attack on another firm became Finland’s biggest criminal case in history, and what it feels like to be a victim of a cyber crime. This week’s action: Plan B Planning
Cyber 321: 7th May 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including BYOD may become Bring Your Own Disaster, fast vs slow when it comes to cloud adoption, and how paying the ransom is not a guarantee that you will get your data back. This week’s action: Ignore those voicemail email notifications.
Cyber 321: 30th APRIL 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including why professional services firms are now ransomware’s #1 target, another survey confirming that remote working is here to stay, and why good is better than perfect when designing security controls. This week’s action: Remote Desktop Protocol (RDP): Search for it in your firm, and remove or protect it.
Cyber 321: 23rd April 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including a risk and compliance firm suffers a cyber attack due to stolen credentials, why resistance is futile when it comes ISO27001, and you need to talk to your teenager about the facts of (online) life. This week’s action: Stop relying on passwords to protect your money, data and identity
Cyber 321: 15th April 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including how some firms handle crisis PR when they are victims of an attack, and how the bad guys love the things we share online. This week’s action: Identify your buddies – The experts you will need if you are the victim of an attack.
Cyber 321: 8th April 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including the world’s biggest phonebook courtesy of Facebook, Irish colleges are the latest ransomware victims, and emerging evidence that the Rule of 1% is starting to apply in cyber attacks. This week’s action: Disaster recovery – As the name suggests, think about how you will recover from a disaster like a ransomware attack.
Cyber 321: 1st April 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including the increasing concern that large firms have about their smaller suppliers, a survey that reminds us of the prevalence and cost of phishing emails, and the best defences against phishing emails and ransomware. This week’s action: Tag external emails so your staff are less likely to be fooled by a phishing email.
Cyber 321: 25th March 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including the link between your cybersecurity and your sales opportunities, a recent survey on cyber-crime from Bank of Ireland, and a reminder that cyber-criminals are not ordinary decent criminals. This week’s action: Prepare your people.
Cyber 321: 18th March 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including how insurance is only useful if you’ve got basic security measures in place, and the reasons why less than 20% of cybercrimes are reported. This week’s action: Have a Plan B.
Cyber 321: 11th March 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including the cost to Irish businesses of just one type of cybercrime in 2020, and how the increasing adoption of the cloud has increased the value of your passwords. This week’s action: Stop fooling yourself about passwords.
Cyber 321: 4th March 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including some key insights from the DPC’s annual report, and an introduction to Cyber Essentials. This week’s action: Backups - Have them, test them, secure them
Cyber Essentials
If you have followed my guide to cybersecurity basics for small businesses, you will have basic measures in place to defend against the most likely attacks. You then consider the next step in the cybersecurity ladder. Cyber Essentials may be that step. It is a set of requirements (split across five themes) that will help any business identify the appropriate technical security measures that should be put in place to protect against common cyber attacks.
Cyber 321: 25th February 2021
Cyber 3-2-1: Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action, including my guide to the basis of cybersecurity, insight into why small businesses are attacked, and stats on cyber insurance coverage. This week's action: Make sure your valuable data is protected by more than 8 characters.
Your house alarm won’t stop James Bond. So, why do you still use it?
You try to defend your home against opportunist criminals. Are you doing the same in your firm?
Even honest criminals can get your money
To reduce the risk of being the next victim of a cyber crime, you need to focus on the most common ways these criminals will try to get your money and the basic defences needed to stop them.
Incident Response Planning saved Little Red Riding Hood
it turns out that Little Red Riding Hood's village had an incident response plan. I'm sure no-one in the village wanted to consider the idea of a wolf eating one of their kids. But they did consider the awful scenario. And they had a plan to recover from the incident.
Humpty Dumpty, risk management and incident response planning
Humpty Dumpty can tell us a lot about risk management, incident response planning and business continuity planning.
You need to train Little Red Riding Hood
Back in the 10th century, Little Red Riding Hood and her granny were victims of a simple fraud. How many of your staff could fall victim to a similar fraud in the 21st century?
You’ve locked the Windows. But the door is still open.
It's risky for an organisation to rely on technology that is designed for home use. Laptops purchased in retail outlets are just one simple example of this risk. On the outside, they look the same as enterprise-grade laptops. But there can be important components missing on the inside.
Don’t underestimate the value of a near-miss
Near-misses are a learning opportunities. But our outcome bias can make us blind to these opportunities.
Are you relying on Paddington Bear?
What was fit-for-purpose 3 years ago may no longer be fit for purpose now. We knew this when we were 8. Now that we are responsible for the success of our organisations, why have we forgotten this?
Turkeys don’t worry about Christmas
When people talk about 'risk', they usually think about 'likelihood'. But risk is not just about likelihood. It's also about impact. And when we think about impact, we start to pay attention.
Cybersecurity is impossible.
Cybersecurity is an oxymoron: There is no such thing as 100% security. But you should still take steps to ensure you’re not an easy target.
All you can do is everything you can do
We don’t have control over everything. Luck plays its part. But we shouldn’t let luck distract us from the actions we can take.
Small bets
All change involves risk. To mitigate the risk, we try to avoid change altogether, we go all in, or we plan to the nth degree. But there’s another way - Small bets. Small steps. Small spends. Small risks.
The insider threat
Most employees want to get their job done and go home. Most ex-employees want to move on with their lives. But it only takes one to cause havoc for your firm.
There’s always one
IT projects and other planned changes frequently fail - They exceed budgets, timelines, or fail to deliver the expected benefits. It may not be a technology problem. It may be a people problem. And there could be a very rational reason for this problem that should have been considered from the start.
Partying like it’s 1999
The world is changing, and not because of technology. Is your organisation actively assessing and adjusting to these trends, or is it operating as if it's still 1999?
Playing golf with a shovel
Running a professional organisation using technology that is designed for the home is like playing golf with a shovel. From a distance, it all looks fine. But you don't need to get too close to realise things aren't going to go well when there's real competition on the course, or if the weather changes.
Staff are not just for Christmas
Recruiting more staff is one way to ease the pains of a growing business. But staff are not just for Christmas so before you take on this expense, make sure you know the true cost first.
Technology is not the solution to your growing pains
When an organisation is growing, it will often experience problems maintaining a consistent quality of service. Many will turn to technology to relieve these pains. But technology is not the solution.
All your eggs in one basket
Major system failures can cause major headaches. The larger the system, the larger the headache.
Someone who will make me laugh. Must love dogs.
Getting married to someone that we’ve just met online would be insane. So why do we do this when choosing a new business partner or technology?
4 milestones to get capable, secure, and compliant IT
The four phases of the W4 Methodology - Where, What, Why, What (Now) - includes four clear milestones. Each milestone proves the progress you are making as you pragmatically move from your current situation to your desired future state.
The 12 steps that regulated firms are taking to go from unsure to secure
When IT is your responsibility but not your primary area of expertise, it can be difficult to figure out how to gain the IT capabilities that you want while ensuring you have the IT security that you need. My roadmap, containing 12 steps across 4 phases that I call the W4 Methodology, can help you work through the process in a pragmatic and sane way.
Cybersecurity: Top Tips
Alongside my work helping businesses to prepare for GDPR, I continue to help businesses improve their cybersecurity.
I recently wrote an article for the Kildare Chamber of Commerce's quarterly magazine that provided focused actionable advice to individuals and businesses. You can download my tips here.
In-house GDPR compliance: How to do it without losing your sanity
GDPR is seldom black-and-white. But it's not rocket science. If you have decided to work on your GDPR compliance in-house, there are a few things you need to get right from the start so you don't lose your sanity along the way.
Outsourcing GDPR compliance: Avoid the common pitfalls
If you choose to outsource your compliance work, you need to choose your outsourced partner carefully so you don't waste time or money. This article will help you learn from the mistakes of others and avoid the common pitfalls.
Becoming compliant with GDPR: Outsource or in-house?
There are a number of ways to tackle your GDPR compliance work. Depending on your budget, timeline, and attitude, you could outsource it or do it in-house. This article may help you decide which option is best for you, along with suggestions on how to keep things on track.
I run a business: What has GDPR got to do with me?
If you are a business established in the EU, GDPR applies to any processing that you perform on the personal data of living individuals. If your your clients are businesses, GDPR may still apply to you. In this article, I go back to basics and talk about the key obligations of GDPR.
GDPR is here. The sky has not fallen.
May 25. GDPR went live. And the world did not end. Keep up your honest efforts to comply - Not because of GDPR; because it is the right thing to do.
Why data protection is important
GDPR is a growing concern for businesses. As we hear every day, there are potentially big fines for non-compliance.
But today, I want to talk about why data protection is important even if there were no fines or sanctions.
Put aside about your job and your business for a moment.
Think about this as an individual.
What I learned from 2 days with 1500 data protection experts
I recently attended a 2-day conference on data protection in Brussels. While I will spare you the boring details, there are two key messages that could be of interest to real people who just want to be compliant.
GDPR Compliance: Avoid the obvious mistakes
If you are going to make mistakes with your GDPR compliance efforts, at least try to avoid the mistakes that others make.
Don't make the ODPC's job easy!
Is GDPR the new Y2K Millennium Bug?
The current fear-mongering about GDPR has a lot of similarities with what happened for the 'Millennium Bug' (Y2K).
But, don't be fooled. GDPR is real, it is coming, and you need to be ready.
Where do you start with GDPR?
GDPR is a pain in the ass
As an individual, I believe GDPR is a good thing. But as a business owner, I know it's a headache.
So, I'll just focus on specific steps you can take to start complying with GDPR.