Plain English Cyber in 3 articles, 2 numbers and 1 action.
This week: A UK law firm has been fined £98k for not having appropriate security controls to prevent a ransomware attack. A South African insurance firm’s password is no match for cyber attackers who gained access to the data of 54 million customers. And 75% of Irish consumers are concerned about security when they shop online, but only 4% of Irish SMEs have trained their staff in cybersecurity best practice.
This week’s action: Don’t be the 96%: Train, test and support your staff.
If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
1: UK law firm fined £98k following a ransomware attack.
The UK’s data protection authority (the ICO) has “fined a UK law firm £98,000 (€116,000) following a data breach caused by ransomware. Hackers gained access to the IT systems of criminal defence firm Tuckers Solicitors LLP and compromised more than 24,700 court bundles containing special category data such as medical files and witness statements. The ICO’s investigation found that Tuckers had breached Article 5(1)(f) GDPR because of data security contraventions and inadequate technical and organisational measures to protect such data. In particular, the regulator noted the lack of multi-factor authentication for remote access to the Tuckers systems, the slow pace at which software vulnerabilities were patched and a failure to encrypt personal data.”
GDPR talks about ‘appropriate security controls’. If a data breach occurs because you did not have appropriate security controls in place, not only will you suffer loss from the breach itself, you may also suffer reputational and financial loss from the regulatory attention that it brings. If you don’t know what ‘appropriate’ looks like, start with my basics and then look at frameworks like CIS Controls, NIST CSF, or ISO 27001.
2: TransUnion South Africa suffers a significant data breach
Bleeping Computer reports that “TransUnion South Africa has disclosed that hackers breached one of their servers [..] and demanded a ransom payment not to release stolen data. The African division of TransUnion operates in eight African countries offering commercial and consumer insurance and risk information solutions across various industries. According to the company’s statement, an unauthorised person obtained access to a server based in South Africa using stolen credentials.”
The Brazil-based cyber attackers told Bleeping Computer that they didn’t steal any user credentials. Instead, they ran a brute-force attack to guess the passwords used on a TransUnion server that was accessible from the internet.
The account they ultimately breached was allegedly using the password “Password”.
The CEO of TransUnion South Africa reassured customers that they will assist any companies whose data was stolen during the attack. He is quoted as saying “The security and protection of the information we hold is TransUnion’s top priority”.
According to the attackers, a server that was accessible from the internet was protected with just a password and that password was allowed to be ‘Password’. So, perhaps he should have said that the security and protection of the information we hold is now our top priority.
Again, according to the attackers, data belonging to 54 million customers that was once held by TransUnion is now in the hands of the attackers. So, he could also have said that the security and protection of the information that we once held but is now out of our control is our top disaster.
3: Code sabotaged to protest at the invasion of Ukraine exposes supply-chain risks
According to a report in Dark Reading, “the maintainer of a widely used open source module for Windows, Linux, and Mac environments recently sabotaged its functionality to protest the war in Ukraine and in the process focused attention once again on the potentially serious security issues tied to code dependencies in software. [The author of the software used by millions of developers] recently inserted code into the [node-ipc] software for deleting all files on developer systems geolocated in Russia and Belarus.”
The initial update checked whether it was running on a machine that appeared to be located in Russia or Belarus. If it was, it deleted files on the machine. In a subsequent update a few hours later, this deletion process was replaced by a ‘peacenotwar’ messaging process, where random messages protesting the invasion were displayed on these machines, linking to news stories about the death and destruction caused by Russian forces.
If this can be done to Russian users, a similar sabotage could be performed by a pro-Russian coder against Western users. It exposes the risks of trusting software developers, especially those who may be the sole developer of a software product. Contributors to the article point out that choosing software that is maintained by just one developer means putting trust in that one developer. Open source projects that are backed by a foundation tend to have controls that make it very hard for a single developer to alter the code in this way.
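One defender-side check for the dependency risk this section describes, added here as an example and not code from the article or from the node-ipc project: it scans a package.json manifest (a constructed sample, with made-up version specifiers) for dependencies declared as ranges rather than exact versions, since a range lets a future release from a single maintainer be pulled in automatically, while an exact pin plus a reviewed lockfile forces a deliberate upgrade.

```javascript
// Added example (not from the article): flag npm dependencies whose version
// specifier is a range (caret, tilde, wildcard, comparison or a dist-tag such
// as "latest") rather than an exact version. A range means the next publish
// by the package maintainer can land in your build without any review.

// Constructed sample manifest; package names and versions are illustrative only.
const sampleManifest = {
  name: "example-app",
  dependencies: {
    "node-ipc": "^1.0.0",   // caret range: any 1.x release is accepted
    "left-pad": "~1.3.0",   // tilde range: any 1.3.x release is accepted
    "lodash": "4.17.21",    // exact pin
    "express": "*",         // wildcard: anything at all
    "some-pkg": "latest",   // dist-tag: whatever the maintainer tags next
  },
  devDependencies: {
    "mocha": ">=9.0.0",     // open-ended comparison range
    "eslint": "8.11.0",     // exact pin
  },
};

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease and build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// True only when the specifier names exactly one version.
function isPinned(spec) {
  return EXACT_VERSION.test(String(spec).trim());
}

// Walk the dependency sections and return every unpinned entry.
function findUnpinned(manifest) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies"]) {
    const deps = manifest[section] || {};
    for (const [name, spec] of Object.entries(deps)) {
      if (!isPinned(spec)) findings.push({ section, name, spec });
    }
  }
  return findings;
}

// Stand-alone run: report what a reviewer should look at before the next install.
for (const f of findUnpinned(sampleManifest)) {
  console.log(`${f.section}: ${f.name} is not pinned (${f.spec})`);
}
```

In a real repository, point `findUnpinned` at the parsed contents of package.json and run it in CI alongside a check that the lockfile is committed and installed with a frozen-lockfile command.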
“75% [of consumers] are ‘very’ or ‘somewhat concerned’ about the security of their personal information when shopping online”, according to a survey published by .IE (the national registry of Ireland’s online .ie domain) in association with Digital Business Ireland, and reported by RTE this week.
96% of 502 Irish SMEs involved in the .IE survey have not trained staff in cybersecurity best practices, according to this same survey.
1: Do not be the 96%
Your staff play a key role in your cybersecurity defences. They are usually one of your first lines of defence, as most cyber attacks start with a phishing email that fools a staff member.
According to the survey by .IE, 96% of Irish SMEs have done nothing to strengthen their human defences.
Don’t be one of those 96%:
- Train them on why and how they are targeted, and the warning signs to look out for (e.g. unexpected emails seeking urgent action). Sales pitch: I deliver 45-minute staff training (including an ‘Ask Me Anything’ Q&A) over Zoom or Microsoft Teams, which will explain all of this in plain English.
- Support them by ensuring there is someone they can ask if they have any doubts (i.e. someone who is knowledgeable about the latest scams). Sales pitch: I provide a ‘Second Opinion’ service that costs less than 50c per staff member per day.
- Test them with simulated phishing emails to see where your weak points are. Sales pitch: I provide a quarterly testing service so you can see just how strong your defences really are.
Remember: Your staff could be the weakest link in your defences. But with the right kind of training and support, they could become your strongest link. Human intelligence is better than artificial intelligence; when they know what to look out for, they can spot a scam that the best IT defences may miss.
To learn more about how my services may help, go to https://codeinmotion.ie/services/.