Over the course of the last month, we have been running our Cyber Crime Essentials series, exploring the rise in cyber-crime and arming you with the tools and knowledge you need to educate your teams to help tackle the latest and realist cybersecurity threats. The series has taken place across Swindon, London, and Peterborough – but fear not if you missed out! This blog will bring you up to speed on the content explored across all these events.
If you thought you weren’t going to have to hear about GDPR after the 25th May, think again. We were joined by Assure Data, GDPR training specialists and the Data Support Agency, providers of a solution aimed at SMEs to help them become GDPR compliant, using an online readiness assessment.
Jim Sneddon, from Assure Data, took to the stage at our Peterborough and Swindon events and looked back at what we have learned since the GDPR came into force. Jim highlighted the abundance of emails I’m sure all of us received in the lead up to the 25th May, trying to get us to ‘opt-in’ to those fabulous marketing emails we all love to open. Unfortunately for us, if you chose to ignore those emails in the hope that you would no longer receive them, should the company in question truly understand the regulation we can still expect to receive the emails we were hoping to avoid. This is down to the notion of ‘legitimate interest’ – If you have previously purchased from, or interacted with the companies in question, then under the grounds of legitimate interest they are perfectly entitled to continue to send you marketing news. Think of all the effort those companies could have saved if they attended one of our Cyber Crime Essentials events before blasting their whole database!
The Data Support Agency joined us in London, again looking at the topic of GDPR. The presentation kicked off with a GDPR myth buster task which led into a live demo of their solution. The Data Support Agency has built an online solution aimed at SME’s who have neither the time, expertise or resource to dedicate to the GDPR. The solution comes in the form of an online portal that acts as a virtual Data Support Officer, taking you through a step-by-step process to bring your organisation up to a level of compliance. The portal encompasses a dashboard and templates of important documentation, along with a ticket logging system to access a team of GDPR certified experts to answer any queries you may have. If you are interested in exploring this further email, firstname.lastname@example.org.
2) Cyber Crime
Our very own Dan Scott was with us at each of the Cyber Crime Essentials events, bringing with him a very eye-opening presentation. Dan took us through his most recent cybersecurity Buzzword Bingo, bringing to life some of the latest terms within the cybersecurity world. I will try my best to briefly summarise each term now.
So to start we have ‘Spear Phishing’, a term coined to explain a type of cyber-attack that comes in the form of an email. Phishing emails tend to appear to come from a trusted source, usually someone in a position of authority within the organisation or someone you may know personally. Make sure your team are aware of phishing tactics and always encourage them to check the sending email carefully – most of the time it can be the difference of one character within an email address that can make your employees believe it has come from a trusted source.
Next up we heard the term DNS Hijack. The best way to imagine a DNS Hijack is to see it as a redirection practice that tricks your computer into thinking it has landed on a page like Facebook, when in reality it is not Facebook but instead a page made to look like Facebook by the hijacker. The malware tricks your computer into thinking it is heading in the right direction when really it has guided your computer to malicious sites through the use of ‘fake signs’.
The next term Dan explained was an SQL Injection. This is one of the most common web hacking techniques, and occurs when an attacker exploits a security vulnerability within an application and injects a rogue piece of code that can allow them to access parts of the database no attacker should ever see. One of the best ways to prevent an SQL Injection attack is to think like the attacker – launch your own attack on your applications and see if you get in. If you do, then make sure you patch your vulnerabilities!
Finally in the Buzzword Bingo we had a Man in the Middle attack. To demonstrate this, Dan pulled out his trusty (or not so trusty) Wi-Fi Pineapple. And no, we aren’t talking about one of the most contentious fruits going, or trying to start a debate on whether it should be allowed on top of pizzas (it should be). Instead, we are talking about a device originally designed for networking penetration testing that is now better known for its ability to steal personal data. The Wi-Fi Pineapple acts as a Wi-Fi access points that tricks your device into thinking it is connected to a network it knows and trusts when in reality it allows Joe Bloggs (or Dan) in the corner of Costa Coffee to control your device’s network.
Dan fascinated the audience when asking them to open their web browser and go to bbc.co.uk, successfully displaying a dancing banana on some of the audience’s devices instead of the trusty BBC homepage. Fear not though, unlike Joe Bloggs sat in Costa, Dan left it there and pulled the plug on the pineapple. This demonstration really highlighted how easy it is for potential hackers to infiltrate your device in literally a matter of minutes, and brought home the widespread issue of cybersecurity.
Don’t worry though, it wasn’t Dan’s job to scare the audience and leave them there. The aim of the second part of the presentation was to inform our audience as to how they could stop Joe Bloggs from infiltrating their devices in the first place. First thing first – kill Adobe Flash Player. Dan did not hold back on his hate for flash player and encouraged us all to remove it from our machines, well before Adobe themselves kill the beast in 2020. Other recommendations include the use of a two-factor authentication system, namely our partners Duo. Using a two-factor authentication tool like Duo means you can even give Mr. Bloggs your password if you wish – your devices will still be safe.
3) Data Recovery
take a look. The IT department opened the stick, which so happened to be riddled with ransomware, on the organisations main server. Within minutes all documents on the server had been encrypted and the organisation was at a standstill. So what do you do if you are in the position of Sue-s-b and her colleagues in the IT department? Well, the reality is that if you haven’t already taken the necessary steps to ensure your data can be recovered, there is not much you can do apart from trusting your attackers and paying the ransom in the hope that they send you the decryption key to take ownership of your files once again.
So back to Ben and his ransomware demonstration. Within a matter of seconds of downloading an infected file, Bens computer was totally overridden by the ransomware and all his documents had been encrypted. Luckily for Ben, he had taken the necessary steps beforehand to allow him to recover his lost data. This is where Datto comes in. Opening Datto’s online portal, Ben was able to restore not only individual files but also a whole server. Within 5 minutes of being infected by the ransomware, Ben now had access to all the files that had been encrypted and was back up and running, without paying a single penny to the attackers.
So, the moral of Ben’s presentation is to have a data recovery plan in place, which is constantly tested to ensure that in the event of such an attack, your organisations data can be recovered. The best thing is that with Datto, you don’t need to do any of the testings yourself. Set it up to send a screenshot each morning to prove it can recover a whole server and rest easy knowing that your data is safe.
4) Making the most of Microsoft
The final topic covered in the Cyber Crime Series was from Microsoft, showing how all of us can work smarter and safer. Microsoft’s presentation focussed on getting the most out of Microsoft 365 Business, a solution that packages together a whole wealth of applications such as Teams, Planner, SharePoint, OneDrive, OneNote, Groups and a whole lot more. These were explored with the audience through live product demonstrations. It was also a chance for all of us to give some feedback to Microsoft directly, as well as getting a sneak preview of applications that will soon be added to the 365 suite.
We also saw some of the best 365 applications helping SME businesses like ourselves. These include Microsoft Connections – a simple to use email marketing service, Microsoft Listings – an easy way to publish business information on top sites, and MileIQ – a simple and smarter way for tracking your employee’s mileage. If you’d like to see our take on how to make the most out of Microsoft 365, have a look at our recent blog post: Working Smarter and Safer with Microsoft.
So there it is – all you need to know from our Cyber Crime Essentials series. If you’d like to receive a copy of the presentations, please get in touch today.