Fresh from the Press

cyber security

Action Fraud launch a 24/7 live cyber-attack helpline

In the event of a live cyber-attack, Action Fraud’s helpline gives access to specialist advisors who can offer advice and support to businesses, charities or other organisations reporting the attack. These reports are immediately sent to the National Fraud Intelligence Bureau (NFIB), which reviews the report and conducts a range of enquiries to see whether there are any other connected reports or links to known criminals. Live cyber reports are then sent to the relevant UK law enforcement agency for investigation and the appropriate response; this could be a local police force or the National Cyber Crime Unit (NCCU), which forms part of the National Crime Agency (NCA).

A live attack is defined as one that is ongoing and is still affecting an organisation’s systems and ability to function. Businesses, charities and other organisations in Cambridgeshire are advised to call Action Fraud as soon as they discover a live attack. Once the attack has been reported, and if it is still ongoing, Cambridgeshire Constabulary’s Fraud and Cybercrime Investigation Unit (FCIU) can also be contacted via the 101 police non-emergency number (to speed things up, the reporting organisation should quote its Action Fraud report number to the unit).

If a business, charity or other organisation is suffering a live cyber-attack, call Action Fraud’s 24/7 cyber helpline on 0300 123 2040 immediately and follow the instructions.

The National Cyber Security Centre (NCSC) provides information and advice about cyber security.

Further information can be found at the link below:

According to a survey undertaken by the International Data Corporation (IDC) Western Europe, 56% of organisations have not started preparations for GDPR. With GDPR less than 6 months away it is important that SMEs understand what this new legislation means for them and their processes.

Please feel free to use any of this information and cascade among your wider networks.

Social Engineering Education
Ethical Hacking, Social Engineering

How To Educate Your Employees About Social Engineering

A common saying is “Amateurs hack systems, professionals hack people”. Social engineering is the art of manipulating people into performing actions or divulging confidential information. People fall for social engineering tricks because their instinct is to be helpful and trusting. The typical attacker never comes face-to-face with the victim; the deception is carried out by email, over social networks or on the phone.

Consultants list end-user training as one of the top controls for defending against social engineering. How should you provide that training for your user community? Here are some tips for educating your staff about common social engineering attacks:

Explain Policies

It is common to see organisations send out policy reminders without explaining why the policies exist. The average user will delete a policy email as soon as they realise it is standard legal language.

Try explaining why users should care. For example, start with a scenario in which an email account is compromised and/or company data is stolen. Include details of the social engineering tactic that was used, the time and money IT had to invest to clean up the incident, and ways to avoid the threat. Close with the policy being enforced.

Provide Examples

Organisations typically send warning emails to employees when they discover threats to internal systems, but it is rare to see companies extend those warnings to phishing or other external attacks. Try periodically sending out examples of different social engineering attacks, highlighting what to look for and where they are common. Examples should include social networks, fake URLs, Amazon scams and threats delivered through shareware. Your end-users can be targeted anywhere, so educate them on all forms of social engineering attack.
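The “fake URL” examples above are easier to teach when staff are shown the concrete tricks a link can hide: a brand name parked in a subdomain or path of a domain the brand does not own, displayed text that differs from the real destination, a username part before an `@` that looks like the site, a bare IP address, or a punycode (`xn--`) hostname that renders as a lookalike. The following Python is an added example, not code from the original article or from any product it mentions; the brand list, the tiny table of two-label public suffixes and the sample links are constructed assumptions for illustration, and a real deployment would use the Public Suffix List rather than the hard-coded table.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumed brand keywords for the lookalike check (hypothetical list).
BRANDS = ("amazon", "paypal", "microsoft", "hmrc")
# Minimal stand-in for the Public Suffix List; assumed for an offline example.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the owner-controlled part of a hostname, e.g.
    'login.amazon.co.uk' -> 'amazon.co.uk'. A lookalike puts the brand in a
    subdomain or the path; only this part says who really controls the site."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def link_warnings(display_text: str, href: str) -> list:
    """Heuristic checks for the common 'fake URL' tricks used in phishing.
    Returns human-readable reasons; an empty list means nothing obviously
    wrong, which is not the same as proof that the link is safe."""
    warnings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if not host:
        return ["link has no hostname"]
    if parts.scheme != "https":
        warnings.append("not HTTPS (scheme is %s)" % (parts.scheme or "none"))
    if parts.username is not None:
        warnings.append("URL has a user@ part; the real host is after the '@'")
    if _is_ip(host):
        warnings.append("link points at a bare IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode hostname (possible homoglyph lookalike)")
    target = registrable_domain(host)
    # If the visible text itself looks like a URL, it must match the destination.
    if "." in display_text:
        shown = urlsplit(display_text if "://" in display_text else "//" + display_text)
        if shown.hostname and registrable_domain(shown.hostname) != target:
            warnings.append("displayed domain %s but link goes to %s"
                            % (registrable_domain(shown.hostname), target))
    # Brand name present in the subdomain or path but not in the real domain.
    for brand in BRANDS:
        in_link = brand in host or brand in parts.path.lower()
        if in_link and brand not in target:
            warnings.append("'%s' appears in the link but the site is %s" % (brand, target))
    return warnings


if __name__ == "__main__":
    # Constructed sample links for a training email.
    samples = [
        ("www.amazon.co.uk", "https://www.amazon.co.uk/orders"),
        ("www.amazon.co.uk", "https://amazon.co.uk.secure-login.example/signin"),
        ("Update your account", "http://paypal.com@203.0.113.9/login"),
        ("apple.com", "https://xn--80ak6aa92e.com/"),
    ]
    for text, href in samples:
        print(text, "->", href, link_warnings(text, href) or "OK")
```

Run over a training mailshot, the function gives the trainer a short list of reasons per link that can be pasted into the awareness email; the point for staff is that the registrable domain, not the brand name or the visible text, is what identifies the site.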

Make Security Fun

One common problem is people leaving their computers unlocked while away from their desk. In a previous job, my team used to send out silly emails from systems found unlocked and unattended. People would laugh and start locking their systems so they didn’t become the next victim. The same tactic can be used for mobile devices.

Password Policy

Many people use weak passwords. Try providing education around best practices for creating passwords. My favourite trick is coming up with a long sentence and using the first letter of each word. This way you can remember it and it’s random. Hopefully users will extend tricks like this to the passwords for their personal systems as well.
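To turn that advice into something the help desk can check rather than just recommend, the Python below is an added example (not the article’s own code) that derives a password from a sentence in the way described and then runs the result through a small policy check: minimum length, number of character classes, a block list of common passwords and a test for long runs of one character. The sentence, the thresholds and the six-entry block list are constructed assumptions; a real check would use a breached-password corpus such as the ones the NCSC recommends.

```python
import string

# Constructed stand-in for a breached-password corpus (assumed, not real data).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 12      # assumed policy value
MIN_CLASSES = 3      # lower, upper, digit, symbol


def sentence_to_password(sentence: str) -> str:
    """Take the first character of each word; keep trailing punctuation so
    '...laptops!' contributes 'l!' and the result gains a symbol."""
    chars = []
    for token in sentence.split():
        chars.append(token[0])
        if token[-1] in string.punctuation and len(token) > 1:
            chars.append(token[-1])
    return "".join(chars)


def check_policy(password: str) -> list:
    """Return the list of policy failures for a candidate password (empty = pass)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < MIN_CLASSES:
        problems.append("uses fewer than %d character classes" % MIN_CLASSES)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    # Three or more of the same character in a row ('aaa', '111').
    if any(password[i] == password[i + 1] == password[i + 2]
           for i in range(len(password) - 2)):
        problems.append("contains a run of three identical characters")
    return problems


if __name__ == "__main__":
    # Constructed sample sentence for the demonstration.
    sentence = "In 2017 my team sent 5 silly emails from unlocked laptops!"
    pw = sentence_to_password(sentence)
    print(sentence, "->", pw, check_policy(pw) or "passes policy")
    print("Password1 ->", check_policy("Password1"))
```

The same `check_policy` function can be reused at password-change time; the sentence trick only helps if the policy it feeds also rejects the short and well-known passwords people reach for first.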

Human Firewalls

Test your own staff: try calling and obtaining information over the phone or through social media. Test physical security by having a non-employee put on a suit and attempt to walk around the building without authorised access. Send out a periodic update of the social engineering attempts (without naming people) and of what company information was handed over through untrusted channels. Close by explaining why social engineering attacks are high risk and what lessons were learned from the social engineering penetration test.

Ethical Hacking
cyber security, Ethical Hacking

Cyboar demonstrates ‘Live Hack’ at Business Resilience Forum event

Cyboar, the newest member of DSM Group, delivered a highly successful Cyber Security workshop at the recent Business Resilience Forum event on 4 October.

Delegates were astonished by how much information can be harvested in order to specifically target certain companies and individuals, and the ingenious methods that cyber criminals use to trick their way into capturing highly sensitive data such as user names and passwords for online transaction sites.

The workshop included several demonstrations of live hacks on systems to explain how cyber criminals exploit vulnerabilities within the infrastructure of an organisation. Cyboar used a number of tools to analyse the security of some selected organisations and generate reports recommending appropriate action to improve both system security and staff awareness of the importance of things such as use of strong passwords, two factor authentication, application of software patches and configuration of firewalls.

Anyone who missed the event but would like to learn more about how they can improve defence against this growing threat should contact Cyboar on 03333 221100 or email

Compliance, cyber security, GDPR

What is… GDPR?

Whether you’re a family bakery in Birmingham that keeps a list of local delivery addresses, or a multinational giant headquartered outside Europe that sells globally online, the EU’s General Data Protection Regulation almost certainly applies to you.

GDPR is short for General Data Protection Regulation, and it’s the name of a law in the European Union (EU) that sets out to protect the rights of individuals in respect of their data.

Loosely speaking, any organisation that holds data about any resident of the EU is expected to comply.


GDPR was adopted as an EU law in April 2016, but lawmakers decided to give us all plenty of time to become compliant, so the law only takes effect in May 2018.

That’s just as well, because although it’s officially just “a regulation”, GDPR runs to 11 Chapters, 99 Articles and several hundred pages of legislation.

Indeed, GDPR covers a lot more issues than many people realise.

You’ll often hear GDPR mentioned as though it were concerned mainly with mistakes – in other words, that it’s mostly about data breaches and data breach notifications.

In fact, only three of the 99 Articles actually deal with breaches, because GDPR is more of a digital privacy lifestyle guide, covering all aspects of personal data and how you use it.

Amongst other things, GDPR deals with the data you collect in the first place, how you tell people what you are going to do with it, what you actually do with it, how you store it securely, whom you allow to access it, and – the part that seems to attract the most interest and attention – what happens if you fail to comply.

Falling foul of GDPR means the possibility of a fine, and GDPR fines can go significantly higher than those under most of the laws that existed around Europe before GDPR came in.

At the very worst, GDPR penalties can go up to €20,000,000 or 4% of your global annual turnover, whichever is bigger.

Of course, the regulators aren’t compelled to impose penalties that large, and it is reasonable to assume that they won’t blindly plump for the maximum every time, so we shan’t know how big the fines are likely to be until the first few have been handed out.

In short: GDPR will standardise data protection across the EU; if you do business in Europe you almost certainly need to comply; the law may seem onerous, but in a world with as many breaches as we have had in recent years, GDPR seems like just the sort of regulation we need; and you can expect to end up in hot water if you don’t comply.

Oh, to be clear: GDPR applies in the UK, which is currently part of the EU, and will effectively apply even after the UK leaves the EU, because the government plans to pass a local law that will mirror GDPR.

For more information regarding GDPR or how to become compliant contact

Source: Sophos