Plain English Cyber in 3 articles, 2 numbers and 1 action.
This week: Have you recovered from World Backup Day? Are you running an infected website? And do you know how many people are on a rugby team?
This week’s action: Check your shopfront.
If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
1: Have you recovered from World Backup Day?
As I am sure you know, World Backup Day was March 31st. Hopefully, you have recovered from all the festivities.
In case you missed the special day, Sophos’ Naked Security blog provides some great advice on how to ensure you have a good backup strategy in place, even for your personal life. It provides tips to get you on the right track, including:
- Identify your critical data and make sure it is being backed up regularly
- Remember the 3-2-1 principle: At least 3 copies of data, using at least 2 different types of backup process, and at least 1 stored offline and preferably in a different physical location.
- Make sure you can restore from your backups by testing this regularly – Otherwise, a backup is as useful as a chocolate teapot
- Don’t put it off until tomorrow – The only backup you will regret is the one you didn’t make.
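The third tip above, testing that you can actually restore, is the one most people skip. The following is an added example (not from the Naked Security post or this newsletter) of what an automated restore test can look like for a folder backup: the backup step writes a manifest of file hashes alongside the archive, and the verify step restores the archive into an empty scratch directory and checks every file against that manifest. The sample files, folder names and archive name in `demo()` are constructed for illustration.

```python
"""Added example: a self-checking folder backup.
Backing up records a SHA-256 per file; verifying restores into a scratch
directory and reports anything missing, changed or unexpected."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir: Path, archive: Path) -> dict:
    """Archive src_dir and return {relative_path: sha256} for every file.

    The manifest is also written next to the archive so a later restore test
    has an independent record of what the backup was supposed to contain."""
    src_dir = Path(src_dir)
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(src_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_of(path)
                tar.add(path, arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore into a throwaway directory and list every discrepancy.

    An empty list means the backup restores cleanly and matches the manifest."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The "data" filter refuses members that would land outside dest
                # (Python 3.12+, also backported to recent 3.8-3.11 releases).
                tar.extractall(dest, filter="data")
            except TypeError:  # older interpreter without the filter argument
                tar.extractall(dest)
        for rel, expected in manifest.items():
            restored = dest / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"content mismatch: {rel}")
        restored_files = {p.relative_to(dest).as_posix()
                          for p in dest.rglob("*") if p.is_file()}
        for extra in sorted(restored_files - manifest.keys()):
            problems.append(f"unexpected file: {extra}")
    return problems


def demo() -> dict:
    """Constructed sample: two files, a clean restore, then a tampered manifest."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "important"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "2021.csv").write_text("invoice,amount\n1,100\n")
        (src / "notes.txt").write_text("renew domain in June\n")
        archive = work / "important.tar.gz"
        manifest = make_backup(src, archive)
        clean = verify_restore(archive, manifest)
        # Simulate a backup that no longer matches what it claims to hold.
        tampered = dict(manifest, **{"notes.txt": "0" * 64, "ghost.txt": "1" * 64})
        bad = verify_restore(archive, tampered)
        return {"files": sorted(manifest), "clean": clean, "bad": bad}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `verify_restore()` on a schedule, not just once after setting the backup up: a job that silently stopped writing files, or an archive that cannot be extracted, shows up as a non-empty problem list long before you need the backup for real.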
2: How Microsoft plans to fill 3.5 million cybersecurity jobs
Protocol.com reports that “Microsoft [has recently] announced that it will expand its cybersecurity skilling initiative to 23 additional countries. The campaign, which began last year in the U.S., is part of the company’s push to help solve the cybersecurity industry’s growing talent problem. [..] Microsoft originally launched the skilling campaign in the U.S. last [Autumn], partnering with 135 community colleges to skill and recruit workers into the cybersecurity industry. [..] expanding skilling and training to 23 countries, Microsoft aims to get ahead of the demand. The countries, which include Australia, Brazil, Canada and India [and Ireland], were chosen due to their “elevated cyberthreat risk. The company plans to work with the countries’ local schools, non-profits, governments and businesses to develop the skilling programs.”
When we think of Microsoft, we may think about Windows and Microsoft Office. But don’t forget their many cloud & SaaS offerings, like Office365, Dynamics CRM or Azure. This skilling initiative is obviously not a completely altruistic and charitable act by Microsoft. However, whatever their motives, given the amount of data we entrust to them, it does no harm to give people the skills needed to keep these Microsoft environments secure.
3: Hundreds of out-of-date WordPress sites identified as running malicious ads
CyberNews reports that “hundreds of compromised WordPress sites have been running malicious phishing adverts [as part of] an illicit money-making scheme that compromised hundreds of sites, using outdated versions of WordPress and employing lacklustre security measures. The affected pages were then forced to run bogus ads linked to malicious sites. [..] The issue with WordPress site owners is that in a lot of cases they are not being updated about newer versions, which makes [their sites] prone to breaches.”
CyberNews goes on to ask why hosting providers (e.g. GoDaddy, Blacknight, Hosting365 and hundreds of others) do not do more to keep these WordPress sites up-to-date or to alert site owners that their WordPress sites are out of date. To me, this comes down to roles and responsibilities. Most hosting providers are responsible for providing the servers, and the site owners are responsible for the websites that they place on these servers. Unless the hosting provider is being paid to deliver a full-service WordPress hosting solution, it’s the site owner’s responsibility to manage their website and to decide when it can be updated.
The reality is most standard web hosting services cost €5-10 per month. Site owners shouldn’t expect Rolls Royce service for Toy Car money.
1: 22.5 million
“A total of €22,500,000 million was stolen from Irish bank accounts through account takeovers in 2021, with Gardaí revealing that they received over 3,500 reports of the fraud in 2021. This is an increase of 552% compared to 2020, where there were just 544 reports made to Gardaí. [..] ‘Sophisticated fraudsters use texts, calls and emails to trick members of the public into giving away their personal data, enabling the fraudsters to take over their bank account/devices or debit/credit card details’, said a Garda spokesperson.”
2: 45
According to analysis by Microsoft, for every 100 people employed in cybersecurity jobs in the US, there are another 45 jobs vacant. And the problem is only going to get worse.
As they describe, it’s like going into a baseball match with 6 players when the other team has 9. Or to use a more localised example, going into a rugby game with 10 players, when the other team has 15. And when the other team consists of highly-skilled malicious actors, this is not a good news story.
PS For anyone who knows me, they will know that I had to confirm with Wikipedia that there are 15 players on a rugby team.
Read more: https://blogs.microsoft.com/blog/2021/10/28/america-faces-a-cybersecurity-skills-crisis-microsoft-launches-national-campaign-to-help-community-colleges-expand-the-cybersecurity-workforce/ via Cyber Ireland
1: Check your website
When we think about cybersecurity, we worry about laptops running up-to-date software and security scanners, and reliable backups of our critical data. And yet we forget about our websites.
Our website is our shop front. If it is attacked, there could be any number of repercussions:
- We face business disruption while we try to restore it.
- If we realise we don’t have a recent and reliable backup, we face significant cost to rebuild it.
- We face reputational damage when customers try to visit our site and can’t get in. Error code 404 is never a good look.
- And we could suffer significant reputational and financial damage if the attack causes our site visitors to be infected.
So, it’s time to review your website and make sure you have all the basics covered – For example: backups, two-factor authentication, and up-to-date software (including plugins).
I also recommend you set up a free monitoring service which will alert you if any of your key pages are changed. This may enable you to spot something is not right before your customers do. Take a look at a service like Follow That Page.
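If you would rather see what such a monitor does under the hood, here is an added example (not code from this newsletter or from Follow That Page) of the same idea in a few lines of Python: each key page is fetched, volatile fragments that legitimately change on every load are stripped, the remainder is hashed, and the hash is compared with a saved baseline. The URLs in `WATCHED_PAGES`, the baseline file name and the sample HTML are assumptions for illustration; replace them with your own pages.

```python
"""Added example: a minimal page-change monitor.
Keeps a baseline fingerprint per URL and reports any page whose content
no longer matches it."""
import hashlib
import json
import re
import urllib.request
from pathlib import Path

# Hypothetical URLs: replace with your own key pages (home, checkout, contact).
WATCHED_PAGES = [
    "https://example.com/",
    "https://example.com/checkout",
]
BASELINE_FILE = Path("page-baseline.json")  # assumed location, adjust as needed

# Fragments that change on every load (CSRF tokens, cache-buster query strings,
# generator comments) would raise a false alarm each run, so strip them first.
VOLATILE_PATTERNS = [
    re.compile(r'<meta[^>]+name="csrf-token"[^>]*>', re.I),
    re.compile(r"\?ver=[0-9a-f.]+"),
    re.compile(r"<!--.*?-->", re.S),
]


def normalize(html: str) -> str:
    """Remove volatile fragments and collapse whitespace before hashing."""
    for pattern in VOLATILE_PATTERNS:
        html = pattern.sub("", html)
    return re.sub(r"\s+", " ", html).strip()


def fingerprint(html: str) -> str:
    """SHA-256 of the normalized page; this is the value kept as the baseline."""
    return hashlib.sha256(normalize(html).encode("utf-8")).hexdigest()


def fetch(url: str, timeout: int = 15) -> str:
    """Download one page as text (network access needed only here)."""
    req = urllib.request.Request(url, headers={"User-Agent": "page-monitor/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def compare(baseline: dict, current: dict) -> dict:
    """Classify each URL as 'new', 'changed' or 'unchanged' against the baseline."""
    verdicts = {}
    for url, fp in current.items():
        if url not in baseline:
            verdicts[url] = "new"
        elif baseline[url] != fp:
            verdicts[url] = "changed"
        else:
            verdicts[url] = "unchanged"
    return verdicts


def run(pages=WATCHED_PAGES, baseline_file=BASELINE_FILE, accept=False) -> dict:
    """Check every watched page once and print an alert for anything that moved.

    The baseline is only (re)written on the first run or when accept=True, so a
    defaced page does not quietly become the new 'normal' on the next check."""
    baseline = json.loads(baseline_file.read_text()) if baseline_file.exists() else {}
    current = {url: fingerprint(fetch(url)) for url in pages}
    verdicts = compare(baseline, current)
    for url, verdict in verdicts.items():
        if verdict != "unchanged":
            print(f"ALERT {verdict}: {url}")  # swap for an email or chat message
    if not baseline or accept:
        baseline_file.write_text(json.dumps(current, indent=2))
    return verdicts


if __name__ == "__main__":
    run()
```

Run it from a scheduled task (cron, Task Scheduler) and, after you have confirmed that a reported change was your own edit, re-run with `accept=True` to take the new state as the baseline. The `VOLATILE_PATTERNS` list is where most of the tuning happens: a page that alerts on every run usually has some dynamic fragment that still needs to be stripped.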
If your website uses WordPress:
- Make sure you have a security plugin such as WordFence installed and configured. Even the free version is a significant upgrade in your defences.
- If you want me to take a look on your behalf, get in touch. I have managed a number of WordPress sites over the years, so I can point you in the right direction.