[Reading time: 5 minutes]
Cybersecurity Without Insanity in 3 articles, 2 numbers and 1 thing to think about.
This week: Attacks don’t just happen to valuable targets. Telling staff “Don’t click bad links” isn’t working. And why we need to worry about LockBit.
The action this week: If you want to learn more about the past, present, and future of cybersecurity and regulatory compliance, then I have a webinar for you.
To listen to Cyber 3-2-1: All episodes are accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
1. Attacks don’t just happen to valuable targets.
If you don’t worry too much about a cyber-attack because you ask yourself “why would anyone bother attacking us?”, then maybe you should reconsider.
According to the BBC, several schools in England were victims of attacks in recent months, with plenty of data about students and teachers now leaked online. In at least one case, the information leaked included photocopies of the passports of students and parents who went on school trips over 10 years ago. If the incident involving the Teaching Council of Ireland teaches us anything, it’s that these schools are also about to go through a painful data protection audit.
PS: The salaries of some teachers were also leaked, but this information is public knowledge anyway. Just ask any teacher what they get paid and they will tell you ‘too little’…
2. Telling staff “Don’t click bad links” isn’t working.
A blog post by the UK’s National Cyber Security Centre (NCSC) this week reminds us that we can’t rely on staff members as our only line of defence.
While staff play an important role because attackers target them, it is not the staff member’s job to spot a malicious email. In other words, it is the organisation’s responsibility to secure its systems – not a staff member’s. We must have other lines of defence in place to protect our organisations. This is the concept of ‘Defence-In-Depth’ or multi-layered security, so when one layer fails, there are others that may still block the attack. I’ve spoken about it before.
What layers are mentioned in the article?
Surprise, surprise: the use of Multi-Factor Authentication (MFA) pops up. The NCSC also recommends the use of password managers; you can read my thoughts on this here. It also recommends restricting access so that only your organisation’s devices can reach its systems. BYOD officially stands for Bring Your Own Device, but it should also be read as Bring Your Own Danger.
3. Attackers are moving to new types of file attachments
Deep Instinct published a report last year on the trends it is seeing with recent cyber-attacks. A very simple and actionable insight appears on page 12.
Due to a tightening of security on Windows, Deep Instinct is the latest security firm to observe attackers shifting away from the use of Microsoft Office file attachments and towards other file types, such as shortcut files (e.g. .LNK), HTML files (e.g. .HTML / .HTM) and email archive files (e.g. .PST, .EML).
As I mentioned last week, a simple defence is to automatically block or quarantine emails that contain these types of file attachments. After all, how many genuine emails would need to include these types of attachments?
50% – 50% of firms that were victims of a ransomware attack say they lost customers as a result. This is according to a survey of 300 IT leaders in the USA published by Delinea this month (and mentioned by Cyber Rescue Alliance on LinkedIn this week).
55% – 55% of the organisations attacked by the LockBit ransomware gang are in the BFSI (Banking, Financial Services, and Insurance) industry or Professional Services industry. This is according to research published by Cyble Research Labs in July 2022. This is important because, according to the Deep Instinct report that I mentioned earlier, LockBit is now the most prolific ransomware gang.
Delinea, Cyble, and Deep Instinct may all be selling cybersecurity services. But that doesn’t mean their research findings should be ignored.
ONE THING TO THINK ABOUT
If you want to learn more about the past, present, and future of cybersecurity and regulatory compliance, then I have a webinar for you.
Next Friday (January 27th), Paul Burke of Link Group and I will be discussing ‘Cybersecurity for Regulated Firms’, as part of the Irish Funds Fintech Working Group’s Speaker Series.
It will be a whistle-stop tour of the Central Bank’s guidance from the past, the basic mistakes that I see firms making in the present, and how we will all need to be wary of DORA The Enforcer in the future.
Registration is free, although I am not sure if there is a limit on the number of registrations.
You can find out more on the IrishFunds.ie website.