Plain English Cyber in 3 articles, 2 numbers and 1 action.
This week: A ransom payment won’t prevent a data protection penalty, LinkedIn is the scammers’ favourite brand, and some of the latest lures used in phishing emails.
This week’s action: It’s time for some cybersecurity refresher training.
If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
1: Paying the ransom does not reduce the risk of a data protection penalty
The UK’s data protection regulator, the ICO, recently published a letter to the legal profession to address the belief among many in that profession that “payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation”. The ICO goes on to say that this is not the case.
“As regulator, the ICO recognises in setting its response and any penalty level the actions taken to mitigate the risk of harm to individuals involved in a data breach. For the avoidance of doubt the ICO does not consider the payment of monies to criminals who have attacked a system as mitigating the risk to individuals and this will not reduce any penalties incurred through ICO enforcement action.”
It is likely that an investigation by a data protection regulator will include questions about the steps you took to reduce the likelihood of the ransomware attack and to reduce the impact.
If you have not put even basic defences in place, such as those I describe in The Basics, you will not enjoy the attention of a data protection regulator that follows the stress of dealing with the ransomware attack itself.
2: Tech companies to offer free cybersecurity training
TechRepublic reports that at a recent White House summit, a number of tech companies committed to train more people to fill many of the estimated 700,000 cybersecurity job vacancies in the US.
Alongside announcements by Cisco and Fortinet, “(ISC)², a non-profit association of certified cybersecurity professionals, [..] announced their (ISC)² One Million Certified in Cybersecurity program. The program pledges to put one million people through its foundational Certified in Cybersecurity entry-level certification exam and education program for free. [..] Those who earn the (ISC)² Certified in Cybersecurity certification will demonstrate to employers that they have the foundational knowledge, skills and abilities necessary for an entry-level cybersecurity role.”
The next challenge is finding companies willing to create truly entry-level cybersecurity roles, so those with foundational knowledge of the topic but no practical experience can get onto the first step of the career ladder. I discussed this challenge on a recent CyberQuest webinar, and I know the CyberQuest team are working with a number of Irish tech firms to address it. If your organisation is struggling to fill lower-level cybersecurity roles, you should also think about ways to address this same challenge. There are people out there who have the basic training and want to step onto the cybersecurity career ladder, but you may need to lower the ladder.
3: About to be charged for a service you never subscribed to? It may be a phishing scam.
Bleeping Computer recently reported on the activities of a particular cyber-attacker gang called Luna Moth. They establish a foothold on their victims’ computers through phishing emails that try to lure victims “with false subscription emails for using Zoho, MasterClass, or Duolingo services”.
“Victims would receive a message allegedly from one of the aforementioned services announcing that the subscription is about to end and that it will be automatically renewed, with 24 hours to process the payment. The email comes with a fake invoice in the attachment, which provides a contact for those that want to learn more details about the subscription or to cancel it. Calling the phone number in the invoice puts the victim in contact with the scammer”. From there, the scammer fools the victim into installing malicious software onto their computer.
If you are training people to look out for suspicious emails, make sure you tell them to be particularly wary of emails that suggest they are about to pay for a service that they did not subscribe to. It may be a lure that fools them into making contact with a scammer, and the first stage of a cyber-attack.
The percentage of phishing emails that exploited the LinkedIn brand during the second quarter of 2022, according to Check Point Research and as reported by TechRepublic recently.
Even though this is a drop from 52% in Q1, it means LinkedIn is still the scammers’ favourite.
If you are training people to look out for suspicious emails, make sure you tell them to be particularly wary of emails that ask them to enter their LinkedIn login details. It may be a phishing scam.
2: 1.9 million
The number of patients impacted by a data breach in a debt collection agency in the US, according to a recent report in TechCrunch.
The ransomware attack was “on a little-known debt collection firm”, called Professional Finance Company (PFC), which “serves hundreds of hospitals and medical facilities across the U.S. [and] could be one of the biggest data breaches of personal and health information this year.”
PFC released a statement confirming “the attackers took patient names, addresses, their outstanding balance and information relating to their account [and] said that in ‘some cases’ dates of birth, Social Security numbers and health insurance and medical treatment information were also taken by the attackers.”
Up to 1.9 million people will now have to live with the fact that details of their medical treatment may now be in the hands of the bad guys.
1: It’s time for some cybersecurity refresher training
If you follow my Guide to the Basics, you will have trained your staff so they are aware of how they could be targeted by cybercriminals.
It’s now an opportune time to refresh their awareness by giving them some specific examples of how they may be targeted.
Two articles that I’ve mentioned this week point to two specific tactics:
- The use of a trusted brand – e.g. LinkedIn, Outlook.com, or perhaps a bank.
- The creation of a sense of urgency – e.g. by informing you of charges for a service that you did not subscribe to.
Remind your staff that if they receive an email that prompts urgent action, rather than acting immediately:
- Take a deep breath. Let the adrenaline rush pass.
- If they are under pressure to finish their working day, let the email sit there until the morning. This is better than taking a hasty action that could cause serious repercussions.
- Look for obvious red flags – for example, an unusual ‘sender’ email address; typos or poor grammar; a link that does not go to the right website; an unusual file attachment.
- If there are no obvious red flags, think about the likelihood that it is still not genuine.
- If you are unsure, ignore any documents or links in the email, and go to the genuine website directly.
- If you really feel the need to speak to someone, call the service provider on a phone number that you know is genuine.
PS I provide cybersecurity awareness training and testing services that will ensure your staff play their part in your cybersecurity defences.