Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.
This week: The increasing concern that large firms have about their smaller suppliers, a survey that reminds us of the prevalence and cost of phishing emails, and the best defences against phishing emails and ransomware.
This week’s action: Tag external emails so your staff are less likely to be fooled by a phishing email.
THREE ARTICLES
- A survey of almost 1500 UK firms shows phishing is the most common attack, and 20% of those who receive phishing emails end up losing money, data or other assets.
A survey of almost 1500 businesses in the UK provides up-to-date insight into the occurrence of cybersecurity attacks across industries. Phishing is the most common attack (83% of firms that reported being attacked had received at least one phishing email). Of these, 27% of firms receive at least one phishing email a week. 20% of firms that receive phishing emails have lost money, data or other assets as a result. There is good news here. As the report states, “the proportions experiencing negative outcomes ... are significantly lower [this year] ... due to more organisations implementing basic security measures”. The authors suggest this improvement was driven by the requirements of GDPR. The average cost of a breach in a firm with fewer than 50 employees is about GBP £8.5k.
Read more: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2021/cyber-security-breaches-survey-2021 (and referenced at https://www.ncsc.gov.ie/news/21-03-26/ )
- Half of large firms have cybersecurity insurance, while regulators become increasingly concerned about how insurance providers are pricing these policies
Staying with this UK survey, about 50% of large firms have cybersecurity insurance cover, with the majority covered as part of a wider insurance policy. The real value of a good cybersecurity insurance policy is the breach response expertise that can be available to a firm in its moment of need and I recommend that all firms investigate the cost of putting some sort of cyber insurance cover in place (if it is not already covered in their existing insurance policies). Regulators are becoming increasingly concerned about how insurance companies are pricing these policies, given the lack of independent data about the severity and frequency of attacks, and the obvious systemic risk that arises (e.g. one vulnerability in one cloud service or one piece of software potentially exposing thousands of firms). The Department of Financial Services in New York has issued specific guidance to insurers, including eliminating exposure to “silent” cyber insurance risk that arises because an insurer has not explicitly excluded a particular type of cyber incident, the need to evaluate systemic risk, and the importance of educating customers about the “limitations to cyber insurance”. This court case between AIG and SS&C is a good example of the gap in perceived coverage between the insurer and insured. Insurance does not remove the need for basic security measures.
Read more: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2021/cyber-security-breaches-survey-2021 (Section 4.2). DFS NY guidance is available at https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202102041, and mentioned in https://securethevillage.org/cybersecurity-news-of-the-week-march-28-2021
- Recommended steps to reduce the likelihood and impact of a ransomware attack
Staying with our friends across the Irish Sea, the UK’s National Cyber Security Centre has published some useful pointers / reminders on how to mitigate the risk of a ransomware attack against your firm, amid an increase in the number of ransomware attacks targeting the education sector. As many attacks start with a phishing email, their four-layered approach to defend against phishing is also useful – Layer 1 focuses on reducing the number of phishing emails that get through to users (using technology); Layer 2 focuses on staff awareness; Layer 3 includes technical measures to block access to malicious websites and the use of Two Factor Authentication so a disclosed password is less valuable; Layer 4 focuses on developing a plan of action for when the three previous layers fail.
Read more: https://www.ncsc.gov.uk/news/alert-targeted-ransomware-attacks-on-uk-education-sector#section_6, with their phishing guidance at https://www.ncsc.gov.uk/guidance/phishing. Media coverage from https://www.zdnet.com/article/ransomware-attacks-against-schools-are-rocketing-with-students-coursework-encrypted/
TWO STATISTICS
- 40% vs 65%: According to the UK report mentioned earlier, about 40% of all businesses report being a victim of a cyber security breach or attack last year. The percentage increases to 65% of larger businesses with more than 50 employees. So, does this suggest a significantly lower incidence of cyber attacks on small firms with fewer than 50 employees (as would be required to bring the average from 65% down to 40%)? Or does it suggest most small businesses do not realise they have been breached or attacked?
(Read more: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2021/cyber-security-breaches-survey-2021)
- 10% vs 36%: 10% of small firms with fewer than 10 employees have reviewed the risk posed by their suppliers (e.g. suppliers’ access into systems, data and other assets, or their potential as a pathway for phishing emails, viruses and other malware). This figure increases to 36% of large firms. In other words, if you are a small firm selling to large firms, you may not think about your supplier risk, but at least 36% of your large clients are thinking about it. One interviewee in a client firm was concerned about “the burden placed on smaller suppliers if they were made to adhere to cyber security standards”. They also indicated that they had lost suppliers because of their inability to meet the large firm’s compliance demands. The percentage of large firms taking an interest in their smaller suppliers will increase, especially in regulated financial services where the Central Bank of Ireland, EIOPA etc. are now asking firms about their supply chain risk management activities. You may believe you are a solution, but your large clients will see you as a risk.
(Read more: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2021/cyber-security-breaches-survey-2021)
ONE ACTION – If you do only one ‘cybersecurity’ thing this week, do this.
- Mark external emails: Make it easier for your staff to identify an email that has come from outside of the organisation. This will remind staff that external emails cannot be trusted and reduces the likelihood of them being fooled by an email pretending to be from one of their colleagues. Most large firms are now doing this by tagging external emails – e.g. adding the word [EXTERNAL] to the subject line, or adding a warning to the top of the email body itself. The process depends on your email provider. If you use Office 365, search for information on how to implement mail flow rules. In the next few months, Microsoft will make this a bit easier to implement, according to https://www.bleepingcomputer.com/news/microsoft/microsoft-365-adds-external-email-tags-for-increased-security/.
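As an added example (not from the newsletter, and not Microsoft's own documentation), the Exchange Online PowerShell commands that implement both tagging methods described above: a mail flow rule that prepends [EXTERNAL] to the subject and a warning to the body, and the newer built-in Outlook external tag. It assumes the ExchangeOnlineManagement module is installed, that the account used holds an Exchange admin role, and uses a placeholder partner domain.

```powershell
# Added example: tag inbound external mail in Exchange Online (Office 365).
# Assumptions: ExchangeOnlineManagement module installed; the signed-in account
# has an Exchange admin role; 'partner.example' is a placeholder domain.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Method 1: a mail flow (transport) rule. FromScope/SentToScope limit it to mail
# arriving from outside the tenant and delivered to internal recipients.
# The ExceptIf guard stops the tag stacking up ("[EXTERNAL] [EXTERNAL] ...") on
# reply threads where the subject already carries it.
$banner = '<p style="background:#fff4ce;border:1px solid #f0c36d;padding:6px">' +
          '<b>CAUTION:</b> This email came from outside the organisation. ' +
          'Do not click links or open attachments unless you recognise the sender.</p>'

New-TransportRule -Name 'Tag external email' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ExceptIfSubjectContainsWords '[EXTERNAL]' `
    -PrependSubject '[EXTERNAL] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Mode Audit   # run in Audit first; switch to Enforce once the pilot looks right

# Method 2: the Microsoft 365 "External" tag that Outlook shows on the message
# itself (the feature the BleepingComputer article refers to). No subject rewriting,
# so it does not break threads or search. -AllowList exempts trusted partner domains.
Set-ExternalInOutlook -Enabled $true -AllowList @('partner.example')

# Verify both settings took effect.
Get-TransportRule -Identity 'Tag external email' | Format-List Name, State, Mode
Get-ExternalInOutlook
```

Pilot the rule on a small group (add a `-SentTo` condition) before enabling it tenant-wide, and check that the rule runs after any other rules that rewrite subjects.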