Cybersecurity Without Insanity in 3 articles, 2 numbers and 1 thing to think about.
This week: Another issue laden with news about recent cyber attacks, including one against a UK financial advisory firm with some very interesting high-value clients.
This week’s action: The 5 steps you need to take right now to avoid the worst-case scenario of a ransomware attack.
And I will help you for free.
To listen to Cyber 3-2-1: All episodes are accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
1. UK’s Royal Mail is still struggling to recover from January’s cyber attack
The UK’s postal service, Royal Mail, suffered a ransomware attack on January 10th. Over a month later, the organisation only now seems to have completed its recovery.
This article from the Guardian describes how the cyber criminals have been attempting to extract a significant ransom payment from Royal Mail, apparently demanding USD 80 million.
The criminal gang’s logic seems to be that a fine from the UK’s data protection regulator would be significantly higher than this amount if the ransom is not paid and the data is published. Unfortunately for that logic, the damage from a data protection perspective is already done: under GDPR a ‘personal data breach’ includes unauthorised access to personal data, not just its publication, so the breach (and the obligation to notify the regulator) crystallised the moment the gang gained access to the data. Paying the ransom now won’t change that.
When you’re trying to deal with a cyber attack, also having to consider the data protection implications is... fun.
PS: Unfortunately, it looks like Lagan Specialist Contracting Group is now also a victim of the same ransomware gang.
2. Succession Wealth suffers a cyber attack
Succession Wealth, a UK-based wealth management and financial planning specialist that was acquired by insurance and pensions giant Aviva in 2022, has been the victim of a cyber attack. This is according to reports in Computer Weekly, the Financial Times and Cybersecurity Insiders.
The company released a statement that it first became aware of the issue on February 8th, but did not disclose any further information about the nature or impact of the attack. It added that it will ensure its clients do not suffer financial loss if their personal data is misused as a result of the attack. At the time of the Aviva acquisition, Cybersecurity Insiders reported that the firm had 200 planners and 19,000 clients. It also had a specialist team advising sports and entertainment professionals who would be particularly interested in keeping their affairs confidential.
3. Virgin Media Television suffers a cyber attack
The Journal recently reported on a cyber attack on Virgin Media Television. Due to the firm’s cybersecurity defences, the attack was contained, limiting the disruption to a subset of the company’s TV channels.
As Brian Honan says in the article, “we’ve had so many wake up calls, but we keep hitting the snooze button.”
Before you reach for the Snooze button, take a look at my one thing to think about this week. If you still choose to hit that Snooze button, you only have yourself to blame.
$208,992.06 – The payoff for one cyber criminal who sent the ‘right’ email to the ‘right’ person at the ‘right’ time.
A cyber criminal, pretending to be an existing supplier, emailed an accounting assistant who worked for a city government, asking for the supplier’s bank payment details to be changed. The assistant did as they were asked, without verifying the request through any channel other than the email itself.
A day later, the city paid a genuine invoice from the supplier (for $208,992.06). But the money didn’t go to the supplier. It went to the bank account of the cyber criminal.
Tell me again how much you are investing in training staff and locking down accounts payable processes?
200 – The number of cyber attacks on Irish companies in the last 12 months that resulted in private data being accessed or stolen by cyber attackers.
This is according to Ireland’s Data Protection Commission, and quoted in an article in The Journal earlier this week.
This is only a sample of the attacks that are happening every day. It counts only the breaches that were reported to the DPC, and excludes those where the victim organisation did not report the incident, either because it was unaware of its legal obligation to do so (under GDPR, a personal data breach that is likely to pose a risk to individuals must be notified to the regulator within 72 hours of the organisation becoming aware of it) or because it didn’t want to attract regulatory attention.
As I mentioned earlier, when you’re trying to deal with a cyber attack, also having to consider the data protection implications is... fun.
ONE THING TO THINK ABOUT
Avoid the worst-case scenario
This month, on the island of Ireland alone, we’ve heard about the significant disruptions caused by cyber attacks on Munster Technological University, Virgin Media, and Lagan Specialist Contracting Group.
I recommend 5 specific steps below so you can avoid the worst-case scenario if you are attacked.
And I am offering free 1:1 help for smaller organisations that may struggle to get through these 5 steps.
The increasing destructiveness of attacks is making me very concerned for smaller organisations, especially those with access to information that needs to be kept confidential.
Information that could cause significant harm to individuals if it was ever made public (which is now a common occurrence in ransomware attacks).
When I say ‘harm’, I don’t mean potential financial loss.
I mean the emotional distress to individuals when they believe that their most private information could become public knowledge.
Individuals who are probably in a vulnerable state already.
Information such as:
- Medical histories or reports
- Psychological assessments
- Counselling notes
- Sensitive personal data that may be included on application forms
- And yes, financial information too – e.g. information about pensions or bank account balances.
From a selfish perspective, I am concerned that this type of information about me, my family, or my friends could become public knowledge – And it’s out of my control.
What must you do?
I’d love to spend time with every organisation so we can beef up security defences and reduce the risk of an attack succeeding.
After all, it’s how I make a living.
But right now, faced with this rampant threat, I need you to do something more immediate.
I need you to focus on these 5 steps:
1. Imagine your organisation has been the victim of an attack, and the criminals have told you they stole a copy of all the data stored by your organisation.
2. Then imagine being able to say the following: “I know we were attacked and it’s a complete mess. But at least they didn’t get their hands on [X].”
3. Identify what your [X] is.
4. Identify what you can do RIGHT NOW to make it more difficult for the criminals to get their hands on [X].
5. Whatever actions you identify in step 4, complete those actions RIGHT NOW.
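Step 3 is where most organisations get stuck: nobody is quite sure where [X] actually lives. The following is an added example written for this page, not something from the newsletter or from Code in Motion. It is a small Python script that walks a folder tree, flags text files containing markers of the data types listed above (medical, psychological, counselling, financial), and builds a simple inventory of candidate [X] files. The keyword lists, the IBAN pattern and the sample files it creates are constructed for the demo and are assumptions; a real inventory needs your own terms and data classes, and should also cover mailboxes, cloud drives and databases, not just a file share.

```python
"""Find candidate [X] files: a minimal sensitive-data inventory scanner.

Added example for the "identify what your [X] is" step. Walks a directory
tree, looks inside text files for markers of sensitive data, and reports
which files match and why. All markers and sample files are constructed
for the demo (assumption), not an organisation's real data.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Illustrative markers only (assumption). A real inventory needs the
# organisation's own vocabulary: form names, system names, client labels.
KEYWORDS = {
    "medical": re.compile(r"\b(diagnosis|medical history|prescription|GP referral)\b", re.I),
    "psychological": re.compile(r"\b(psychological assessment|counselling notes?|therapy session)\b", re.I),
    "financial": re.compile(r"\b(pension|account balance|sort code)\b", re.I),
}
# Rough IBAN shape: country code, two check digits, then 11-30 alphanumerics
# (optionally space-grouped). Deliberately loose; false positives are cheap here.
IBAN = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")


@dataclass
class Finding:
    path: str                      # path relative to the scanned root
    categories: list = field(default_factory=list)


def classify_text(text):
    """Return the set of sensitive-data categories detected in a block of text."""
    cats = set()
    for name, pattern in KEYWORDS.items():
        if pattern.search(text):
            cats.add(name)
    if IBAN.search(text):
        cats.add("bank-account")
    return cats


def scan_tree(root, max_bytes=1_000_000):
    """Walk `root` and return a Finding for every text file with sensitive markers."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read(max_bytes)   # cap so one huge file can't stall the run
            except OSError:
                continue                       # unreadable file: skip, never crash the inventory
            if b"\x00" in raw:
                continue                       # binary content; out of scope for this text-only demo
            cats = classify_text(raw.decode("utf-8", errors="replace"))
            if cats:
                findings.append(Finding(os.path.relpath(path, root), sorted(cats)))
    return findings


def build_sample_tree():
    """Create constructed sample files (not real data) in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="x-inventory-")
    samples = {
        "hr/applications/form-017.txt": "Application form. Health: ongoing diagnosis of asthma.",
        "clients/smith/counselling-notes-2023.txt": "Counselling notes, session 4: ...",
        "finance/pensions/payroll.csv": "name,pension,account balance\nA. Smith,12000,IE29AIBK93115212345678",
        "marketing/newsletter-draft.txt": "Five tips for a great spring campaign.",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def run_demo():
    """Build the sample tree, scan it, and return {relative path: [categories]}."""
    root = build_sample_tree()
    return {f.path: f.categories for f in scan_tree(root)}


if __name__ == "__main__":
    for path, cats in run_demo().items():
        print(f"{path}: {', '.join(cats)}")
```

Point it at a real share instead of the sample tree and every hit becomes a candidate for step 4: move the file off the general-purpose share, cut the access list down to the people who actually need it, and delete what you have no reason to keep. The marketing draft is in the sample precisely to show that most of what a scan touches is noise; the inventory is only useful if someone reads and acts on the short list it produces.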
What will I do?
If you (or someone in your network) works in an organisation with the type of sensitive information that I mentioned above, and you are unsure how to complete these steps, I will help you.
This is not a sales pitch.
This is a selfish act to ease my conscience.
I want to know that I did everything in my power to help you avoid the most destructive and distressing element of an attack. If you don’t take me up on my offer, at least I know I offered.
To read more about the free and confidential service, and to register your interest, go to https://codeinmotion.ie/avoid.