It’s that time of year again – snow stubbornly refuses to fall on the rooftops as offices wind down and prepare for their respective office parties (ours was a blast – photos on our Twitter and LinkedIn!) Everyone has a lot on their plate during the festive season, which can increase the chance of all manner of scams succeeding in compromising your organisation.
We’re not trying to be all “bah, humbug” here, promise. Instead of a Christmas card this year, we just thought we’d share with your some seriously useful festive security tips – print ‘em out, hang ‘em up, send ‘em round your office – do what you want with them, just make sure your colleagues, friends and family are protected from the baddies looking to take advantage of the distracting power of Christmas cheer.
‘Tis the season
Over the festive period last year, UK shoppers spent £24 billion online, with around 45% of transactions taking place via a mobile device, as people attempt to beat the high street rush. What those figures don’t show are how many of those transactions were made on work devices, or devices with business information on them. The rise of BYOD (Bring-Your-Own-Device) working combines with the pressure for employees to be seen to continually be performing while still managing their personal commitments and Christmas purchases – often spread across multiple work and personal devices – to create a melting pot of potential risk.
Financially motivated phishing scams spike over the festive period – for the whole of 2015, financial phishing attacks made up 34.33% of all phishing but for Q4 between October and December that jumped to 43.38%. These could take the form of fake websites masquerading as retailers in order to capture credentials or payment details.
Phishing attacks are becoming more and more sophisticated, and emails can be easily made to appear as if they are sent from a legitimate source or retailer in order to gain the trust of the reader, along with an innocuous-looking invoice attached. If in doubt, don’t open – while looking harmless, these could contain a payload of malware – an even nastier surprise than unwrapping a lump of coal from Saint Nick!
While this represents a significant risk to consumers, that translates to a business risk too. At this time of year, how many of us can honestly say we’ve never had a sneaky look at personal emails on our work computer? Or quickly logged in to online shopping on our lunch break to order that must-have gift in between bites on our turkey & stuffing meal deal sandwich?
Fail to realise that the emailed delivery invoice for the gift you can’t remember ordering is not from Amazon as it claims to be and you could be unleashing the ultimate digital Grinch on your co-workers. While sharing may be in the holiday spirit, I’m not sure your colleagues will be thankful if you share the gift of ransomware with them this Christmas.
In our rush to complete a transaction or skim through personal emails at our desk, it can be easy to miss tell-tale signs that the source of the site or email we’re accessing or unwittingly entering our payment details to is not all it seems. Spelling mistakes in web or email addresses can be dead giveaways, as can a site’s security certificate (or lack thereof). Be vigilant and always check the address bar and padlock symbol to verify a website’s security.
Sleigh bells ring, but who’s listening?
There are solutions out there which can help organisations strengthen their defences through the implementation of controls and process to try to prevent damage being done in the event of a cyber-attack.
Schemes like Cyber Essentials help businesses to put in place controls to help prevent a data breach and protect their networks from cyber-attacks. Human beings are by nature inherently trusting, so when our own internal alarm bells fail, it’s good practice to have security controls implemented to prevent a minor error becoming a Christmas disaster.
For more advanced protection, a SIEM (Security Incident and Event Management) system can be your eyes and ears inside your company’s networks, no matter their size. Real-time monitoring and constant vigilance can let you know if a bad Santa has let his digital elves loose on your systems, allowing you to round the little tykes up early and send them back to the North Pole, avoiding damage from a more sustained attack.
Maintaining routine, off-site backups and a sturdy incident response and business continuity plan can be as valuable as a spare turkey should your Christmas dinner emerge slightly burnt from the oven. Thinking ahead and knowing how to react to a compromise or breach can mitigate damage – and cost – in the event of an attack.
Socks again? Same as last year…
The effects of good cybersecurity practice can have a great protective effect on both a personal and a business level. The lines of defence between the two areas are becoming increasingly blurred as the number of accounts we hold credentials for continues to grow. Attacks which target credential re-use are on the rise, with the National Lottery, Deliveroo and KFC among big brands blaming credentials stolen in previous breaches and re-used on their own sites as the reason for compromised accounts for their own services.
Why should this worry you? Well, if an employee happens to have signed up to a service using their work email address and used the same password as they do at work it could be only a matter of time before those credentials are used to sign on to your business network. Employee password reuse led to a 2012 data breach at DropBox where around 60 million user records were compromised. Take one look at the credentials thieved from other major breaches – Ashley Madison a case in point – and all beliefs that ‘people don’t sign up for these things with their work email’ evaporate like sherry off a burning Christmas pudding.
Another way scammers look to harvest credentials is by offering vouchers for high street vendors online – to access these amazing discounts, users often must set up an account with email address and password. Too good to be true? Often the case, but consumers admit that they’re more likely to take a financial risk online if there’s the chance of a bargain. With many feeling the squeeze and the January Sales fast approaching, this enticing threat could easily carry on tempting shoppers into 2017.
Cybersecurity skills are for life, not just for Christmas. By ensuring employees are aware and equipped to deal with these holiday scams we can make sure that it’s you and your colleagues – and not the scammers – that have a Merry Christmas and a Happy New Year.