Plain English Cyber in 3 articles, 2 numbers and 1 action.

This week: What has the HSE cyber-attack got to do with skyscrapers, and how hackable are you?

This week’s action: If you work for yourself and have concerns about a cyber attack, I may have a solution for you.

If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.

THREE ARTICLES

1: The bots are coming to LinkedIn

What? There appears to be a growing problem of fake profiles on LinkedIn, according to a recent report by Krebs on Security (and mentioned by Secure The Village). “[The] recent proliferation of phoney executive profiles on LinkedIn is creating something of an identity crisis for the business networking site, and for companies that rely on it to hire and screen prospective employees. The fabricated LinkedIn identities — which pair AI-generated profile photos with text lifted from legitimate accounts — are creating major headaches for corporate HR departments and for those managing invite-only LinkedIn groups.”

So what? Don’t believe everything you read online. It’s easy for the bad guys to create a fake profile that can then be used to fool you into doing something that you later regret – For example, getting conned into opening a malicious file or visiting a malicious website. LinkedIn is a major hunting ground for the recruitment industry. So, I never thought I’d say it, but I pity recruiters right now.

2: The HSE attack: What really happened?

What? The HSE (Ireland’s health service) was crippled by a cyber attack in May 2021. A detailed report on the what-how-and-when was published by the organisation in December. You can read the full 157-page report here. I won’t reveal the plot twists, but I recommend you read Brian Honan’s view on the key findings. Brian is a voice of reason in the midst of ‘The sky is falling’ world of cybersecurity, so it’s useful to read his take on the report. He sees plenty of positives arising from the HSE’s transparency in publishing a report targeted at a non-technical audience. There are plenty of nuggets in Brian’s analysis – Here are just a few:

  • Don’t stop at the scapegoat: identify all causes of an incident”
  • “Most breaches aren’t sophisticated; they require a chain of events that lead to a bigger breach”.
  • “If your business needed a fleet of cars for salespeople or vans for deliveries, it would keep those vehicles up to date and maintained properly. [..] Similarly, the longer your business operates on aged equipment and underinvests in cybersecurity, the bigger the probability that you will suffer a major breach or an outage”

So what? If you remember one quote, remember this one: “Getting the basics right isn’t as simple as it sounds. Patching software and keeping antivirus up to date for five or ten computers is straightforward; doing that for 5,000 or 10,000 machines, with all dependencies they have on different legacy systems, is much less so. We need to be mindful of the wider context.”. When you read about the latest a solution or service that addresses a particular cybersecurity risk, you need to think about whether it is a good fit for your situation. A solution that is designed to solve a problem for an individual is not suitable for a large company, and vice-versa. Each has different needs and capabilities. A large global organisation may not be able to operate effectively without a skyscraper. But a small company would be crippled trying to maintain that same skyscraper.

3: How hackable are you?

What? Secure The Village recently published an easy-to-read personal cybersecurity guide which uses plain English to help you assess just how ‘hackable’ you and your family members are. It also provides very useful pointers on how to reduce your hackability. And yes, I am insisting that ‘hackability’ is a word. Recommendations include the old reliables like multi-factor authentication, backups, antivirus, and cyber awareness.

So what? As mentioned by Brian Honan in his HSE analysis, most breaches aren’t sophisticated. Do not underestimate the significant value of the simple steps described in this guide. If you work for yourself and this guide raises questions about your own cyber defences, take a look at this week’s action.

TWO NUMBERS

1: USD $35m

What? Morgan Stanley has been fined $35m for failing to securely destroy the personal data of customers that had been stored on the company’s old hard drives and servers, according to a report by Teiss.

So what? When a laptop or PC comes to the ends of its life, your responsibilities for the data stored on that device do not end. You need to ensure the data is securely destroyed, so it does not fall into the hands of others. Using the Windows ‘File Delete’ function is not enough, as the data could still be restored from the device. Many companies arrange for the the storage disks to be physically shredded, to guarantee the data cannot be accessed in the future. That’s not particularly good for the environment, but it’s good for our personal data.

2: 1 million

What? Facebook has reported that the login details of up to 1 million people may have been stolen by over 400 rogue apps available on Apple and Google’s mobile app store, according to a recent report in the Irish Independent.

So what? If an app requires you to log in with your account credentials of another platform, this should set off the ‘Scam Alarm’ in your head. And remember, your social media and email accounts are ‘you’ on the internet. If someone gains access to these accounts, they become ‘you’. Which prompts the question: Is there ever a bad time to watch Face/Off?

ONE ACTION

1: IF you work for yourself AND you are not a techie BUT you worry about a cyber attack, THEN is it time you nailed cybersecurity so you can get back to your real job?

What? I recommend that everyone reads the Secure the Village guide that I mentioned earlier. Multi-Factor Authentication; Strong Passwords; Backups; Cyber Awareness; Disk Encryption – What’s not love about it?

So what? If you work for yourself and you are concerned about the impact of a cyber-attack, but this guide is not enough, I may have the solution. I run a programme (or ‘program’?) in a few weeks for people who work for themselves, who are not ‘techies’, but who are concerned about the impact that a cyber-attack would have on their professional reputation. Signup for the next session closes on 31st October. If it sounds interesting, more information is available here.

PS If you know anyone else who fits the description (works for themselves; relies on a laptop / phone / email account / online systems; is not a techie; worries about a cyber-attack), I’d appreciate it if you could point them in my direction.