I’ve been writing, OK moaning, almost annually about the stupidity of some people, feelings that are based on nothing more than their choice of passwords.
Every year, I hope things will get better. And every year they never seem to. More and more people are falling victim to Cyber Crime.
What happens is that major data centres are hacked and the hackers release details of the accounts they have acquired. Then a security company, such as NordPass in this instance, comes along and grabs all the data and simply finds which are the most popular, least popular and weakest passwords. Then they publish a “Top 20” of the most common passwords.
And the fact that things rarely change shows that a lot of people aren’t learning the lesson. There appears to be an assumption that simply picking a password that includes a pet name, a birthday or something similar will be OK.
But, guess what, if you are being targeted by a hacker, they’ll already have that information. And they’ll use it to break into your bank/savings accounts, go shopping online using your Amazon account (or other shopping account) and have their ill-gotten gains delivered elsewhere. Alternatively they’ll use a Pavement Pirate to steal the delivery from your doorstep.
According to the research, the passwords used for streaming platforms are often the weakest, but if I can get into your Amazon Prime Video I can also get into your Amazon Shopping account. And don’t fall into the trap of using the same password for multiple accounts, or simply incrementing a password for different accounts. So, no more Password1, Password2 etc.
Just to recap, here’s how to create a really strong password:
Rule 1. Make it longer than 12 characters
Rule 2. Include numbers and symbols
Rule 3. Use a password manager. They are everywhere these days and loads are free, such as the ones built in to your web browser
Rule 4. If you use a password manager, let it create the really complex passwords for you
Rule 5. If you don’t use a password manager, think of 3 words and substitute some numbers for l3tt3r5
Rule 6. Don’t write your password down, anywhere
Rule 7. Don’t send user names and passwords together in an email. Send a user name by email and the password by SMS, for example
Believe it or not, 123456 was also the most popular password in 2021, 2020, 2019, and 2018.
And if you want to read the 2019 to 2022 internationally most used passwords lists you can read them on the NordPass website.
Please don’t allow yourself to become another statistic in Action Fraud’s Cyber Crime files, be smart and get strong passwords.
Here are the most common passwords in the UK
123456
password
qwerty
liverpool
123456789
Arsenal
12345678
12345
abc123
chelsea
qwerty123
football
dragon
password1
cheese
letmein
1q2w3e4r
monkey
killer
rangers
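As an added example (not from the original post or from NordPass), here is a small Python check that applies Rules 1 and 2 above and also rejects anything on the UK top-20 list, including the “Password1, Password2” and “l3tt3r5” variations the post warns about. The leetspeak table and the trailing-number rule are my own assumptions about the commonest tricks, not an exhaustive list.

```python
"""Password policy check built from the post's rules and its UK top-20 list.
Added example: not code from the original post or from NordPass."""
import re
import string

# The twenty passwords listed in the post, lowercased so comparison is case-insensitive.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "liverpool", "123456789", "arsenal",
    "12345678", "12345", "abc123", "chelsea", "qwerty123", "football",
    "dragon", "password1", "cheese", "letmein", "1q2w3e4r", "monkey",
    "killer", "rangers",
}

# Assumption: a small table undoing the classic l3tt3r5 substitutions, so that
# "P4ssw0rd" is still recognised as "password". Not exhaustive.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def candidates(pw: str) -> set[str]:
    """Forms of the password to look up: as typed, with leetspeak undone,
    and with a trailing counter (Password2 -> password) removed."""
    lowered = pw.lower()
    stripped = re.sub(r"\d+$", "", lowered)
    return {lowered, lowered.translate(LEET),
            stripped, stripped.translate(LEET)}


def check_password(pw: str) -> list[str]:
    """Return the list of rules the password fails; an empty list means it passes."""
    problems = []
    if len(pw) <= 12:                                   # Rule 1: longer than 12
        problems.append("rule 1: must be longer than 12 characters")
    if not any(c.isdigit() for c in pw):                # Rule 2: numbers ...
        problems.append("rule 2: must include a number")
    if not any(c in string.punctuation for c in pw):    # ... and symbols
        problems.append("rule 2: must include a symbol")
    if candidates(pw) & COMMON_PASSWORDS:
        problems.append("common: on the top-20 list, or a disguised/incremented version of one")
    return problems


if __name__ == "__main__":
    for pw in ("123456", "P4ssw0rd20241", "Correct-Horse-Battery-9"):
        print(pw, "->", check_password(pw) or "OK")
```

The point the check makes is that “P4ssw0rd20241” satisfies the length and number rules yet is still caught, because reversing the substitutions and dropping the counter brings it straight back to “password”. Three genuinely random words with a number and a symbol pass.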
And, for the record, I have 1,175 unique, very strong (over 16 Characters, numbers and symbols) passwords securely stored in my Password Manager and if you want to check to see how secure your password is, NordPass provide a secure way to see how long it would take a hacker to crack a password of yours. Their tool will also let you know whether your passwords have been found in any Hacker databases.
And PLEASE, if this applies to you – STOP USING PASSWORD or 123456
Have a great Christmas, a happy new year and stay Cyber Secure. I look forward to communicating with you in the new year. If you need any help, please, just ask. You can reach me by phone – 01793 238020 – email – andy@enterprise-oms.co.uk or just hunt me down on Social Media
In today’s interconnected digital world, solopreneurs, sole traders and small and medium-sized enterprises (SMEs) face an increasing number of cyber threats that can have severe consequences for their operations, reputation, and financial stability. Cybersecurity has become a critical aspect of business management for all businesses, as they are often targeted by cybercriminals seeking to exploit vulnerabilities that are easier to take advantage of than those in larger companies with dedicated cyber security teams. This article explores the importance of cybersecurity for SMEs, highlighting the risks they face and the measures they should take to protect themselves.
Growing Cybersecurity Threats:
Small businesses and Sole Traders are an attractive target for cybercriminals. This is due to their limited resources, inadequate security infrastructure, and lack of awareness. This makes them a very profitable target for Cyber attacks such as data breaches, ransomware attacks, phishing scams, and social engineering opportunities. All of these are on the rise, and SMEs are increasingly falling victim to these malicious activities. The financial and reputational damage resulting from such incidents can be devastating for a small business.
Financial Implications:
Cyberattacks can lead to significant financial losses for SMEs. Data breaches can result in the loss of sensitive customer information, leading to legal repercussions, fines, and lawsuits. The cost of recovering from a cyberattack, including investigation, remediation, and system restoration, can be exorbitant for SMEs with limited budgets. Additionally, businesses may experience a loss of customer trust, impacting future sales and long-term growth.
Reputational Damage:
The reputation of an SME is a valuable asset that can take years to build but can be destroyed in an instant due to a cyber incident. A breach of customer data or a successful hacking attempt can tarnish a company’s reputation, resulting in decreased customer loyalty and damaged relationships with stakeholders. Rebuilding trust and recovering from reputational damage can be a challenging and time-consuming process for SMEs.
Compliance and Legal Requirements:
SMEs must comply with various data protection and privacy regulations, such as the General Data Protection Regulation (GDPR) and industry-specific requirements. Failure to meet these obligations can lead to severe penalties and fines. Implementing robust cybersecurity measures is crucial for SMEs to ensure compliance with these regulations, protecting both their customers’ data and their own legal standing.
Competitive Advantage:
Investing in cybersecurity can provide SMEs with a competitive edge in today’s business landscape. Many customers prioritize security when choosing a service or product provider. By demonstrating a strong commitment to protecting customer data and maintaining secure operations, SMEs can build trust with potential clients and gain a competitive advantage over less secure competitors.
One of the most effective ways of demonstrating cyber security to the outside world is through the Government-backed Cyber Essentials scheme, where businesses that can demonstrate their cyber security are provided with a certificate that proves their cyber security credentials to existing and potential customers.
Supply Chain Risks:
SMEs are often part of complex supply chains, working closely with other businesses. Weak cybersecurity measures within an SME can create vulnerabilities that can be exploited by cybercriminals to gain access to larger organizations. A breach in one link of the supply chain can have a cascading effect, affecting multiple businesses. Therefore, SMEs must prioritize cybersecurity not only for their own protection but also to ensure the security of their partners and customers. Many large organisations demand proof of good cyber security practices, and the Cyber Essentials programme is a good way to demonstrate this.
Employee Awareness and Training:
Employees play a crucial role in maintaining cybersecurity within an organization. SMEs should invest in cybersecurity awareness and training programs to educate their employees about best practices, common threats, and how to respond to potential incidents. By fostering a culture of cybersecurity, SMEs can empower their employees to be proactive in identifying and mitigating cyber risks.
Proactive Cybersecurity Measures:
SMEs can take several proactive measures to enhance their cybersecurity posture. Implementing strong password policies, regularly updating software and systems, utilizing multi-factor authentication, encrypting sensitive data, and regularly backing up critical information are some essential steps. It is also advisable to invest in reliable antivirus software, firewalls, and intrusion detection systems to protect against external threats.
Collaboration and External Support:
SMEs can benefit from collaborating with cybersecurity experts, industry associations, and government agencies. These partnerships can provide valuable insights, guidance, and resources to help SMEs strengthen their cybersecurity defences. Engaging with third-party cybersecurity providers can also offer specialized expertise and solutions tailored to the specific needs and budget constraints of SMEs.
Continuity and Disaster Recovery Planning:
SMEs should develop comprehensive continuity and disaster recovery plans to ensure business operations can quickly resume in the event of a cyber incident. Regularly backing up data, testing backup and recovery processes, and establishing redundant systems are vital components of such plans. By preparing for potential disruptions, SMEs can minimize downtime and mitigate the financial and operational impact of cyberattacks.
Ongoing Risk Assessment and Adaptability:
Cybersecurity is not a one-time effort but requires continuous monitoring, risk assessment, and adaptation. SMEs should regularly evaluate their cybersecurity measures, identify vulnerabilities, and implement necessary updates or upgrades. As technology and cyber threats evolve, SMEs must stay informed about emerging risks and adopt proactive measures accordingly.
Building Customer Trust:
Strong cybersecurity practices help SMEs build trust with their customers. By prioritizing data protection and privacy, SMEs can assure their clients that their information is safe and secure. This trust can result in increased customer loyalty, positive word-of-mouth recommendations, and repeat business, contributing to long-term success and growth.
Conclusion:
Cybersecurity is of paramount importance to small and medium-sized enterprises (SMEs) in today’s digital landscape. The increasing prevalence of cyber threats and the potential financial, reputational, and legal consequences emphasize the need for robust cybersecurity measures. By investing in cybersecurity, SMEs can protect their sensitive data, maintain customer trust, comply with regulations, gain a competitive advantage, and ensure the continuity of their business operations. Through proactive measures, collaboration with experts, and a focus on employee training, SMEs can mitigate cyber risks and safeguard their future in an increasingly interconnected world.
If you need help with your Cyber Security I can help and can even point you in the direction of a really excellent Cyber Security company if you need more in-depth help and support.
Get in touch – even if it’s just for a free consult. You can call me on 01793 238020 or 07966 547146, email andy@enterprise-oms.co.uk or book a slot using my calendar and we’ll take it from there.
In my previous post I wrote about the key Cyber Security threats that individuals and businesses of all sizes face. If you’ve not read it you can catch up here.
This time around I am going to review some of the key protective measures that you can take. Measures that will make your business harder to defraud, harder to hack and less likely to fall victim to Cyber Crime.
Let’s start with your website. Hackers around the world are queuing up to take over your website or simply to bring it to its knees to stop it working so they can demand money to restore it to good working order. This latter approach is a Distributed Denial of Service attack – aka DDoS. (My previous blog describes a DDoS so I won’t replicate the description here, for brevity.)
How do you stop a DDoS attack from bringing your website down?
DDoS attacks are happening all around the world, right now, as you can see from this Cyber Attack screenshot
From https://www.digitalattackmap.com
There are two approaches. You can choose a web host that has the necessary provisions in place to ensure that they have the connectivity and technology to make sure that DDoS attacks can’t prevent their web servers from running. They will use a variety of technology, including sophisticated firewalls, traffic filtering and DDoS defence systems. Not all web hosts offer such a high security level so you’ll have to shop around.
A better option, in my opinion, is to use a Content Delivery Network (CDN). A CDN uses many servers located around the globe. This means that if a single server location is targeted, regular visitors are simply directed to the next nearest server, mitigating the threat. Another big benefit of CDNs is that if your website targets different countries then visitors from those countries will connect to the web server that is closest to them, which ensures that your website is always delivered at the fastest possible speed. This benefits both the visitor and your SEO, because no-one, not least Google, likes a slow website. Top CDNs are Cloudflare, Amazon CloudFront and Microsoft Azure.
Passwords
I know, I know, I am always banging on about Passwords but passwords are gateways in to PCs, Phones, Networks, your web host and so much more.
So, your gateway passwords need to be really secure if you want to keep the hackers out – and you really do want to keep them out. You might think that there’d be no interest in your website, but hackers are targeting every single website they can find. The UK’s National Cyber Security Centre recommends using a password comprising 3 random words and a unique password for every site you access. I recently made a short video about this very topic.
Firewalls
A Firewall provides an impenetrable, unhackable barrier (provided it’s properly configured) between the internet and your computer or computer network.
Yes, Windows has a Firewall and it’s certainly better than having no firewall at all but, in reality, it’s about as much use as a chocolate fireguard. It’s just too easy to misconfigure, especially if you have a small network and have fiddled with the settings as you try to share files and folders from one PC to another. It might deter the casual hacker but won’t stop a determined one.
There are software firewalls that are provided by the same companies that sell anti-virus software. These are better than the Windows firewall but similar issues remain. Each device on your network has to have one installed and kept up to date.
A far better solution is to use a firewall appliance. A little box that goes between you, your internet router and the internet.
And talking about your router, the device that was supplied to you by your broadband provider. The router does include a Firewall but it’s a tad rudimentary, at best, and if you haven’t set a secure password it will still be using the password and user name that it shipped with. This could be as daft as having “admin” as both the user name and password, which makes it as easy to access from the internet as it is from inside your home/home office or office.
And all somebody has to do is Google the make of router that’s used by broadband company X and the default user names and passwords are readily available. Targeted at those who might have lost their user manual but available to all.
These types of firewall are about as much use as a wall made of paper if you are running a business. It’s much better to invest in a dedicated firewall appliance.
The most popular are provided by WatchGuard, SonicWall and Cisco, and these protect computers and networks from a wide range of cyber attacks.
My set-up looks like this. My office provider uses a WatchGuard firewall in their comms room. I have a D-Link firewall in my office AND use the Windows firewall on my computers.
VPN
Imagine the scenario. You are in your favourite coffee shop and need to jump on their free Wi-Fi. You spot the password on a tent card on your table and fire up your laptop/Chromebook/tablet/phone and search for the Wi-Fi. There it is, right at the top “FreeCoffeeShopWiFi”. You click, you enter the password and you’re away.
You log in to your office email account, then your private email. Then a quick check of your bank account confirms that you have enough to buy that latest thing you’ve been after.
Later that day you check your emails. There’s an unexpected one from your favourite shopping site confirming a change of password – not something you remember doing – so you check your bank account. It’s empty, drained of everything while you were finishing your coffee.
What’s happened? When you logged in to the coffee shop Wi-Fi you weren’t logging in to the legitimate network. Somebody had set up a clone inside the coffee shop, which you found and logged in to. The person behind the clone was “sniffing” all of the traffic going through the portable Wi-Fi hotspot they’d set up, merrily pulling off websites, user names and passwords, and happily started to spend other people’s money, including yours. This is known as a man-in-the-middle attack.
Could you have prevented it? EASILY.
Just get yourself a VPN. They’re inexpensive but provide a very secure way to access the internet. Simply put, a VPN creates a secure, encrypted, private tunnel between your device (phone/tablet/laptop etc) and the destination website (bank, email account, online shopping site etc). It doesn’t matter whether you are on a genuine network or a cloned one, your tunnel can’t be broken into; your data is secure.
Another use of VPNs is when you work remotely and need to access office files. A VPN will secure the data that moves between your office and your device and keep everything safe.
You might also use your VPN at home, just in case your neighbour is on your WiFi and “sniffing” your data.
And, finally, if you want to appear to be in a different country – let’s say you are on holiday abroad and want to watch BBC iPlayer content that is only available in the UK – you can use a VPN to give you a “point of presence” in the UK. Your VPN makes it look as though you are in the UK when in reality, it’s just the end of your VPN connection.
If you subscribe to a Google business service then you have free access to a Google VPN on your phones and tablets. If you don’t want to use that then some of the best are provided by ExpressVPN, TunnelBear and StrongVPN.
I use TunnelBear but am not an affiliate, so if you sign up there’s no benefit to me, just added security for you.
Not clicking
Phishing, SMSmishing and SpearPhishing emails are mainly designed to make you click on a link to visit a genuine looking but fake website where your log-in information can be harvested.
I’m going to be blunt – DON’T CLICK. If you think the email may be genuine, contact the sender (by phone or with a fresh email – not a “reply”) and ask them for clarification. If it’s a link to a website then enter the domain name yourself in your web browser. Don’t click on the link in your email, don’t “copy” the link, but DO hover over the link in your email program: it will have been designed to look legitimate, but hovering your cursor over it will show you where the click will actually go. It might look similar to the pukka site but won’t be. If the proper URL is company.com the fake address could look like company.com.fakesite.eu or company123987.com, for example.
Even if you believe the link to be valid, don’t click on it but either enter a URL you KNOW in your browser or search for the company. 99% of the time you’ll see that your email is a fake, an attempt to extort you.
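The hover check described above, written out as an added Python example (not code from the original post), so the reasoning is explicit: what matters is the host name the link actually points at, and whether that host is the trusted domain or a subdomain of it. The domain company.com and the two look-alikes are taken from the post; the remaining sample links are constructed for the example, and the trusted domain is assumed to be something you already know.

```python
"""Classify where a link really goes, the way hovering over it reveals.
Added example, not from the original post."""
from urllib.parse import urlsplit

TRUSTED = "company.com"   # the genuine domain from the post's example


def hostname_of(link: str) -> str:
    """Return the lowercased host part of a link, or "" if there isn't one."""
    if "://" not in link:          # hover text often lacks a scheme; urlsplit needs one
        link = "http://" + link
    # urlsplit handles the "user@host" trick for us: in
    # https://company.com@fakesite.eu/ the host is fakesite.eu, not company.com
    host = urlsplit(link).hostname or ""
    return host.rstrip(".").lower()


def belongs_to(host: str, trusted: str) -> bool:
    """True only if host IS the trusted domain or is a subdomain of it.
    Matching on the suffix with a leading dot is what defeats
    company.com.fakesite.eu (trusted name in the middle) and
    company123987.com (different registered name)."""
    return host == trusted or host.endswith("." + trusted)


def classify_link(link: str, trusted: str = TRUSTED) -> str:
    host = hostname_of(link)
    if not host:
        return "unreadable"
    return "genuine" if belongs_to(host, trusted) else "suspicious"


if __name__ == "__main__":
    # Constructed hover targets: the two from the post plus a few more shapes.
    samples = [
        "https://company.com/login",
        "https://login.company.com/",
        "http://company.com.fakesite.eu/login",
        "https://company123987.com/",
        "https://company.com@fakesite.eu/",
    ]
    for s in samples:
        print(f"{classify_link(s):10s}  {s}")
```

Note that this compares against a domain you already trust; it can't tell you that an unfamiliar domain is safe, which is exactly why the post says to type a URL you KNOW rather than trusting the link.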
Fake News and Fake Reviews
Although you can’t prevent third parties from posting Fake News and Fake Reviews about your company, you can be on the lookout for the posts so you can take remedial action. Use tools such as Google Alerts and Drumup.io, which can conduct keyword searches for your brand and alert you by email when something turns up that uses your brand or company name. Then you can see where the article has been posted and review it. If it’s obviously fake news you should post a reply AND contact the host of the review platform and advise them of this.
Hacking
What can you do to prevent your devices and networks from being hacked?
You can use a Firewall to provide a secure “wall” between your network and the outside world. You can make sure that you have changed the default user name and password and use a hard-to-crack password – something like the three random words recommended by the National Cyber Security Agency.
You should use biometric access controls, fingerprint or facial recognition on your phones, tablets and computing devices. You should be wary of emails and their attachments.
Ensure that your anti-virus programs are up to date and that Windows is allowed to keep itself up to date too.
You should consider encrypting your data, so if it is stolen then it won’t be of any value, or use, to anyone and you also need to be regularly backing up your computers and servers. AND don’t forget to regularly check that you can restore your backed up data. There’s nothing like finding out that your backups are corrupt, or discovering that you’ve not been backing up what you thought was being backed up, when you lose data. It’s too late then.
And finally, train your staff and keep their training up to date so they know how to identify potential threats and with whom they should share their concerns.
Insider Threats
Insider threats are the most insidious. By definition, it’s people who you trust. So what can you do?
You should control what they have access to. Nobody outside the Accounts department (with the exception of some board members) needs to have access to financial systems, and files. Nobody outside of Sales needs to have access to details of ALL clients at all stages of the sales process. Give a lot of thought to who can see, and access, what.
Work hard to know your staff. Talk to them. Understand what makes them tick, their personal situation, without being creepily intrusive. Join conversations “around the water cooler”. Have an “open door” policy so that your people know they can bring their concerns to you.
You should also have a very clear policy on BYOD (Bring Your Own Device) where people are permitted to use their personal phones, tablets and laptops and can connect them to the company networks and Wi-Fi. Yes, it’s a great way to save money by allowing people to use their own equipment but it opens up a whole host of risks.
What are they taking home with them to “work” on?
What websites do they visit during work time whilst connected to the company network?
What security protection are they using on their private devices?
What Social Media platforms are they on whilst in company time and on the company network?
What policies are in place to manage their use of external memory devices (such as USB sticks and external hard drives)?
What files and folders can they access?
Ultimately, you might decide that the risk is not worth the saving and simply provide all the equipment and tools that your people need to be able to do their job.
USB Memory
As discussed in my previous post, “Top Cyber Security Threats to YOUR Business”, USB storage devices can be an absolute nightmare. You must have a policy in place that covers how they are used: how/whether your employees can use their own, what the policy is in relation to found devices, how you will manage lost devices that might have company information on them, and an overall policy with regard to USB ports.
I know of many companies that have simply banned the use of unauthorised USB connections (remember, connecting a phone or tablet to charge it means that device can also be used as USB storage to remove data or introduce a virus).
I even know of one business owner who used superglue to ensure that absolutely nothing could be plugged in to the majority of computers and servers in his business. Even I agree that that was an extreme solution but I get his point.
Ransomware
Ransomware normally arrives either as an attachment on an email or via a link contained in an email, so good email security and data hygiene will minimise the risk from this threat.
Viruses, Trojans and other Malware
Again, most viruses and trojans infiltrate a business via attachments on Emails and links in emails. The attachments might look like PDFs, Word or Excel documents or pictures but they won’t be. They will either have embedded macros (Word, Excel etc) or mask their true type. Something that looks like picture.jpg might actually be picture.jpg.exe – a file that will be run when clicked rather than a nice picture that will open when clicked.
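As an added example (not from the original post), here is a Python check of the kind a mail filter or a training exercise might run over attachment names, catching the picture.jpg.exe trick described above along with macro-enabled Office documents. The extension lists are my own assumptions and are deliberately short; a real filter must also look at the file’s actual contents, because a name is only what the sender chose to call it.

```python
"""Flag attachment names that disguise an executable as a document or picture.
Added example, not from the original post. Extension lists are assumptions."""
import os

# Assumption: final extensions that Windows will execute when double-clicked.
EXECUTABLE = {".exe", ".scr", ".bat", ".cmd", ".com", ".js", ".vbs",
              ".ps1", ".msi", ".jar", ".hta"}
# Assumption: Office formats that can carry macros.
MACRO = {".docm", ".xlsm", ".pptm"}
# Assumption: extensions a victim is meant to see and trust.
INNOCENT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
            ".xls", ".xlsx", ".txt"}


def assess_attachment(name: str) -> str:
    """Return "block: ...", "warn: ..." or "allow" for a file name.
    Only the final extension decides what the OS runs; the one before it is
    what the sender wants you to notice."""
    base, ext = os.path.splitext(name.strip().lower())
    _, inner = os.path.splitext(base)
    inner = inner.rstrip()        # "picture.jpg      .exe" pads with spaces
    if ext in EXECUTABLE:
        if inner in INNOCENT:
            return f"block: executable disguised as {inner}"
        return "block: executable"
    if ext in MACRO:
        return "warn: macro-enabled document"
    return "allow"


if __name__ == "__main__":
    # Constructed sample names, including the one from the post.
    for n in ("picture.jpg.exe", "invoice.pdf", "quarterly.xlsm",
              "setup.exe", "holiday.png          .scr"):
        print(f"{assess_attachment(n):40s} {n}")
```

The lesson for users is the first line of the function: the operating system acts on the last extension, so however friendly the name looks before it, a trailing .exe is what runs.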
And rogue USB devices remain an ever present threat.
Avoiding a lot of these threats comes down to good email security and data hygiene although this will be reliant on good training, regular updates and reminders.
You might have a decent anti-virus application running on all devices (including phones and tablets) but it’s a constant war. The cyber criminals are always on the lookout for ways to circumvent security software so you still need to be alert to the threats.
And Ditch Microsoft Windows
Yes, I know. It sounds almost like heresy, but Microsoft does have a bit of a reputation for insecurity. Yes, it’s better than it was but, as the most popular operating system, it’s also the most popular target for hackers. It even has its own day of the week – Patch Tuesday, when all manner of updates are released, including security fixes. Apple Macs are better. However, as sales increase so does the hackers’ interest, and it’s not as secure as some would like you to think.
So is there a solution?
Yes, it’s called Linux. It’s been around more than 30 years, is properly free and very secure.
But don’t you have to be a bit of a geek to install, and use a Linux machine?
Nope, not these days. For most, it’s as easy as installing Windows AND it even looks, and works, a lot like Windows because that’s what we’re all used to. I run a Linux machine in the office and it uses Linux Mint, which is probably one of the easiest to come to terms with. And you can learn more about Mint, download it and learn how to install it here. Another popular Linux distribution is Ubuntu, and you can run Ubuntu from a USB stick if you want to give it a try without installing. Oh, and you can also create dual-boot set-ups where you keep Windows, install Linux and simply choose which one you want to run when you boot your PC.
I am not a cyber security expert, although I’ve done my fair bit, especially when working in IT support, and I do my best to stay up to date, so feel free to send any questions you might have to andy@andypoulton.com or give me a call on 01793 238020 or 07966 547146, Tweet me @AndyPoulton or contact me on LinkedIn, and if I can’t help, I know some real cyber security experts that I can put you in touch with.
Thanks for reading and if you need help with your #SEO or any other element of your digital marketing, please don’t hesitate to get in touch.
We are living through troubled times. Covid seemed to be under control, we were learning to live with it and we were starting to look forward to a quieter 2022.
And then Putin invaded Ukraine!
As a result of sanctions imposed on Russia by the West I have no doubt that the professional Russian Cyber Criminals have ramped up their activities. Not only to attack Ukraine but to attack western institutions for having the temerity to support Ukraine and actively punish Russia via sanctions.
I thought that my next two posts should focus on the possible cyber security threats that this will pose. Why two posts? Simple – the length and volume of information make it easier to take in if it’s split in two.
The first post, this one, will look at the threats we face as individuals and businesses when we use our computers and the internet. The second will look at ways that we can protect ourselves, and our businesses.
Although 100% security may be prohibitively expensive for SMEs most of us can do more to secure our data and reduce the risk from infiltration, theft, misuse and other malfeasances.
So, without further ado, let’s take a look at the top Cyber Threats that can be used against us, right now.
A DDoS attack is designed to bring a website, or internet-connected system, to a standstill. Simply put, the Cyber Criminals will have gained access to a Botnet (a network of internet-connected devices that they control without the owners’ knowledge). They then issue commands to the Botnet to visit a given web address. When thousands of computers try to access a website at once, the website grinds to a halt.
It’s analogous to closing a busy motorway and diverting all of the traffic on to a single-lane country road. Very soon the road will be so full of traffic that everything grinds to a halt.
When the target website, or service, comes to a stop the hackers approach the website owners and demand a ransom payment, threatening to continue making the website unreachable until the ransom is paid. The busier the site the more it costs for it to be unavailable and the faster the owners are likely to pay.
As an example of this, in the last couple of years a major, online, bookies website was targeted. It was brought to a grinding halt for about 10 minutes. The criminals then contacted the company and identified themselves as the cause of the website failure. They demanded a ransom and threatened to bring the website to a halt over a significant betting weekend (Cheltenham Gold Cup weekend to be precise). For obvious reasons, it’s unknown whether the betting website paid up, or not.
Fake news is insidious. Whenever something controversial happens there will always be people posting fake news, and reporting fake news, with the aim of either reducing the apparent severity of reported activity or distracting the news consumer, encouraging them to take their eye off the real story and try to get them to look elsewhere.
Fake news is difficult to ignore, by intentional design, and creeps in to every area of the media.
At a business level, it could be a competitor who posts positive fake news about themselves, to make them appear better than they are, or someone posting negative stories about your business hoping that they can reap the rewards.
Like Fake News, Fake reviews go two ways. Competitors, or people with a grudge, publish negative reviews on places like TrustPilot and Google reviews. Not only does this impact the public’s perception of your business but it can have a negative effect on your SEO, especially when it comes to Google Local, where part of Google’s decision making process is the quality of your reviews in comparison to your competitors.
The other way is for your competition to post fake, high quality reviews of their business to boost their business at the detriment of yours.
Frequently imagined to be conducted by aggrieved teenagers hacking/cracking websites from the depths of their bedrooms, hacking has evolved into a massive industry. It’s escalated into an activity that’s carried out at all levels, all the way up to state-sponsored hacking, where individuals and organisations are paid by, sponsored by, or simply work for, a country or an organisation.
At the state level they look to attack the infrastructure of a foreign country using the internet as their weapon, the goal being to take services offline, for example. Imagine an attack on a country’s power supply network that could simply switch the electricity off.
At the business level, hackers look to break into individual computers, servers or networks. This would provide access to confidential information and intellectual property.
Imagine that you invented something that stood to give you an incredible competitive advantage and make your company a lot of money. Hackers could break in, steal the data and sell it on. It’s believed, for example, that the Chinese government had access to the secrets of US military giants for years. This enabled them to modernise the Chinese military far faster than if they had to do all their own research and development.
Hacking could also be used to plant false information on servers. Imagine a knock on your door, by the police, with a warrant for pirated material (or worse). They take control of your network – banning your people from it and bringing work to a halt – whilst they conduct their examinations to find said material. Whether they find anything, or not, you’ll be prevented from working for days, weeks, months, possibly years while they conduct their examinations. And if there’s a whisper of wrongdoing to the media, whether ultimately proven or not, justified or not, your reputation could take a massive hit, from which it might prove impossible to recover.
Insider threats are probably the most insidious because they are carried out by people you trust, your employees or partners. As well as stealing from you, someone inside your organisation could also conduct a cybercrime against you. It might be as simple as deliberately installing a virus from a USB stick (for accidental virus installation see “USB Sticks and other forms of removable/portable storage“) or opening up your firewall to external intrusion (see Hacking).
Without proper tools and tracking in place you’ll probably never find out where the problem came from, which could lead to a repetition once you have fixed the problem the first time.
Malware is a generic “cover all” term for malicious software. It has been reported that Malware affects 32% of global computer systems. The goal of malware is to infect your computer system with malicious software with the aim of slowing down, or stopping, your computers and network.
As with a lot of other attacks, businesses that are affected by malware are likely to be approached by the perpetrators who will demand payment to stop the attack.
Phishing is an attempt by an unknown third party to persuade you to voluntarily hand over essential log-in credentials for critical web sites (think of your banking info as a single example).
It starts, typically, with a genuine looking email that lands in your inbox, purporting to come from a trusted source. The email will contain a scary message encouraging you to log into your bank account, for example, because failure to do so would see you being “locked out of your account due to a security risk”.
To make it easier, the email also includes a “Click here” link. You click, you arrive at a page that looks like your bank, enter your user ID and password but you can’t log in.
And you can’t log in because it’s not your bank. If smart, the Phishing site (because that’s where you are) will automatically forward you to your actual bank page where you’ll try to log-in again, convinced you made a typo first time around, and this time, you get in to your account.
In the meantime you will have confirmed to the Phishers that you have an account with the bank they targeted AND gifted them your user ID and password. Even though most banks now require an additional form of authentication, getting the first two parts of the authentication chain is a great place to start.
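The warning signs in the phishing flow described above (a scary "locked out of your account" message plus a "Click here" link that does not actually go to the bank) can be checked automatically. This is an added example, not code from the original post; the sender address, domains and sample message are constructed and hypothetical.

```python
"""Flag an email that matches the phishing pattern described in the post:
an urgency message from a supposed bank whose link goes to a different site.
Added example; all addresses, domains and the sample email are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases of the kind the post describes as the "scary message" lever.
URGENCY_PHRASES = (
    "locked out of your account",
    "security risk",
    "verify your account",
    "act now",
)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude reduction to 'example.co.uk' / 'example.com' (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in ("co", "org", "ac", "gov") and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def analyse_email(from_addr, subject, html_body):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    sender_domain = registrable_domain(from_addr.split("@")[-1])
    text = (subject + " " + re.sub(r"<[^>]+>", " ", html_body)).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            findings.append(f"urgency phrase: '{phrase}'")
    parser = _LinkCollector()
    parser.feed(html_body)
    for href, label in parser.links:
        parsed = urlparse(href)
        link_domain = registrable_domain(parsed.hostname) if parsed.hostname else ""
        if parsed.scheme != "https":
            findings.append(f"non-HTTPS link: {href}")
        if link_domain and link_domain != sender_domain:
            findings.append(
                f"link domain {link_domain} differs from sender domain {sender_domain}: '{label}'"
            )
        # Visible text that names a site the link does not actually go to.
        named = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", label.lower())
        if named and registrable_domain(named.group()) != link_domain:
            findings.append(f"link text '{label}' names a different site than {href}")
    return findings


# Constructed sample, modelled on the message the post describes (hypothetical bank).
SAMPLE_FROM = "security@examplebank.co.uk"
SAMPLE_SUBJECT = "Action required: security risk on your account"
SAMPLE_BODY = (
    "<p>You will be locked out of your account due to a security risk "
    "unless you log in today.</p>"
    '<p><a href="http://examplebank-secure-login.example.net/login">Click here</a></p>'
)

if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_FROM, SAMPLE_SUBJECT, SAMPLE_BODY):
        print(finding)
```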
Ransomware is the generic term that covers a wide range of attacks on computer systems with the aim of preventing their effective and proper use. The expected resolution is the payment of a ransom to make the attack stop. The only problem with this is that the criminals are passing on the details of companies (and individuals) who paid up on the premise that they paid once, so will probably pay again.
A SMish attack is an attack that starts on a mobile phone. The Cyber Criminals send you an SMS message that will encourage you to click on a link in the message. The link will take you to a website that has been set up to collect critical ID information. This might be bank account details in “payment” to “release” a parcel that’s been held up at the couriers, for example.
A Spear Phishing attack is like a Phishing attack but more focused. The criminals won’t be targeting random individuals but will have done their research and will target named individuals within an organisation.
The targeted person (let’s say they are a manager in accounts) will be sent an email, purporting to come from an internal department, asking for an expedited payment to XYZ company for ABD services/supplies/components etc. The payment is made – only it’s not for services etc., it simply goes straight in to a bank account operated by criminals.
A Trojan attack, named after the Trojan Horse of Greek mythology, is where a criminal distributes a piece of software that looks legitimate but harbours a nasty surprise. You’ll typically find Trojan Horse software on the internet, hiding behind hacked websites. You might search for something specific, picture editing software, for example, and come across a website giving away something that seems to do everything you need – for nothing.
You click, after all it doesn’t cost anything so where’s the danger? There’s no demand for bank or credit-card details and it doesn’t cost anything so you click to download. After all, where’s the risk?
You download the software, navigate to your downloads folder and click to install. Your screen might go blank for a very short time but soon comes back. There’s no evidence of anything being installed, or anything else happening, so you assume the download is broken. Do you download it again or try something else? Most people will look for something else but the damage has already been done.
In the background, unbeknownst to you, the malicious software has installed itself, and hidden itself so there’s no record of its installation. If clever, it might even have disabled your antivirus protection too.
Your computer might now be added to a Botnet to be used in DDoS attacks or might be capturing every keystroke you make – including credit card and banking details – and surreptitiously sending them back to the criminal who distributed the software.
Occasionally, when out and about, perhaps enjoying a coffee in your favourite coffee shop, you might come across a USB memory stick or memory card that someone has “forgotten”. You might ask at the counter whether they know who left it behind but they probably won’t have a clue so you take it back to the office, or your home.
Gleefully, you insert this new trophy into your computer, perhaps to see how large it is, perhaps to see whether you can determine the identity of the owner in the hope that you can return it to them. Or you might simply want to be nosey and see what’s on there.
Whatever your reason, it’s too late. The software that was set to autorun when inserted in to a computer has installed itself on your PC and is now running maliciously, in the background, either letting an unknown third party take control of your computers and network or sending all your keystrokes back to some criminal.
Computer viruses are the most common form of cyber security threats out there. They land on your computer as an email attachment that you have been encouraged to click on (perhaps an innocent looking document for example) or pushed down on to your computer when you visit an infected website. As with other threats, you won’t necessarily know you have been infected until they do their dastardly deed. The smarter viruses can circumvent some of the best anti-virus systems and can remain hidden whilst they conduct their criminal actions. Stealing data, monitoring keystrokes and feeding them back to a cyber criminal, for example.
What should you do
Part two of this email will go in to preventative and detective measures in more detail. However, for now, the guidance is simple. Trust no one. Any email that arrives that has a hyperlink or an attachment, no matter who it comes from, should be considered suspect. Don’t click the link or the attachment unless you trust the source, were expecting it or have validated it in a different way.
Don’t plug-in “found” USB drives and memory cards, don’t visit websites on a whim and make sure you keep your anti-virus software up to date, allow Windows (if you are a Windows user) to install Windows updates and please, please, please make sure your firewall is up and running.
And finally, the pitch.
If you need help with your Cyber Security I can help and can even point you in the direction of a really excellent Cyber Security company if you need more in-depth help and support.
Get in touch – even if it’s just for a free consult. You can call me on 01793 238020 or 07966 547146, email andy@enterprise-oms.co.uk or book a slot using my calendar and we’ll take it from there
…yes you can and you must be. But serious about what? About your passwords, that’s what. Like many others, I’ve been banging on about passwords for years and years and years. From a company that would put a new laptop on a desk for the user with the password on a post-it note attached to the lid, to companies that shared passwords by email, to people using easily guessable passwords, the whole issue of password security is not going away.
And it’s causing major problems and financial loss.
In 2019, 80% of all data breaches which resulted in financial loss were the result of compromised passwords, whilst IBM have stated that the average cost of a data breach to businesses in 2020 was $3.86m, so you can see stealing passwords (and other information) is big business.
But this post is not about the physical stupidities like leaving passwords lying around it’s about the passwords you and I use that are part and parcel of our day-to-day web access.
Every year a company called NordPass* evaluates the latest password data across 50 countries. They get this by examining a database of 4TB of data; all of these passwords have been nicked, stolen, and hacked. These security breaches are the result of hacking, phishing and other “nocturnal” cyber activities.
Passwords, credit card numbers, bank account details, usernames, dates of birth and other details are made available for sale on the Dark Web and this is where NordPass gets their seed data.
The Most Common Passwords 2021
And it seems that in 2021 little has changed. The most common passwords they found were
123456 (used a staggering 103 million times)
123456789 (46m uses)
12345 (33m uses)
qwerty (22m uses)
password (21m)
12345678 (15m)
111111 (13m)
123123 (10m)
1234567890 (10m)
1234567 (9m)
All of the above would be cracked in under one second. That’s how secure these passwords are.
Apparently a “stunning” number like to use their own name – “Charlie” being the 9th most popular password in the UK whilst popular music acts and sports also have their own claim to fame. “Onedirection” being popular, along with “Liverpool” whilst in Canada “hockey” was the top sports related password and “dolphin” was number one amongst animal related passwords.
NordPass have mapped the data too and, according to their data, 187,219,153 passwords have “leaked” from the UK, that’s an average of 2.785 passwords per capita.
How should you formulate your passwords?
Passwords should be 16 characters or more – a M1xture! of UPPER case, lower case, numbers and characters – and should NOT be used for more than one account. They should not use ANY personal information, no address details, no phone numbers, no pets’ names, in fact nothing that can be gleaned from social media and day to day interactions.
Challenge to remember? You bet. Difficult to crack? Most certainly. According to How Secure is my Password 45Erp!VBN?1869y& will take 41 trillion years to crack.
I have over 250 passwords that I use so I have to use a Password Manager to store them. I use LastPass but many others are available, including NordPass’ own, and some are free. I suggest, though, that you use one that can synchronise across all of your devices, PCs, Macs, tablets, phones etc. so that you always have your passwords with you. A good Password Manager will not only store your passwords very securely but should also create secure passwords for you.
Go ahead and test your passwords using their secure tool.
I might not be a cyber security expert – but I know quite a bit and know some very good ones so if you need some help with your cyber security, your SEO or any other element of your online marketing activities then why not kick things off with a free consultancy session, drop me an email or just give me a call on 01793 238020 or 07966 547146.
In the meantime, be safe out there. The World Wide Web can be a dangerous place.
*NordPass have a vested interest in password security – they sell a Password Manager
For years and years the Americans have been very clever with phone numbers, using words to make them memorable, 1-800-468 3647* is quite tough to remember, but using the letters on a phone pad it instantly becomes 1-800 Hot Dogs, which is far more memorable. I also reckon that it made for quite a fight between businesses and telephone companies for the best numbers. The best we seemed to manage in the UK was the fight for “special” numbers – such as 0800 123123
And then came the mobile phone explosion, and the numbers you used were the ones handed out by your mobile phone company, there was no choice. Well, there was, but you had to hunt it down and “special” mobile phone numbers were expensive, because the providers knew the value.
For a long time, companies would display both landline and mobile numbers – and quite a few still do. However, for the last 5 years (maybe more) I have noticed that a lot of companies only use their mobile number. This is possibly sole traders and other businesses who work from home, or a home office. It enables them to easily keep business telephony separate from private. I’ve worked with many people who have 2 mobile phones, 1 for business and the other for personal calls.
I’ve noticed that more and more sign written vans only have a mobile number on them, and in my opinion, this is a missed opportunity. And there are still people who won’t trust a company that only uses a mobile number simply because it used to shout “rogue trader” or similar, a company lacking any form of physical base.
Why should a mobile only number be a missed opportunity?
Simply put, a mobile phone is harder to remember than a geographic number. Mainly because we are familiar with geographic numbers, the one for our region for example. We might also be familiar with surrounding regional numbers and those from the major cities too, 020 for London and 0117 for Bristol for example). This familiarity makes a landline number easier to remember because all you have to do is remember the region and a 6 or 7 digit number (Swindon 123456 for example).
And this is the next benefit. If I see a tradespersons’ sign written van and it has a landline and mobile number, I’ll instantly know whether they are local to me, or “just visiting” and I’ll be far more likely to contact a local trade than one based elsewhere.
But landlines have their own issues too. If you change phone providers, move from one exchange region to another or move from one office to another you may not be able to “take” your landline number with you. This means you’ll have to update websites, your Socials, letter heads, compliment slips, business cards etc. Which is a very good reason for just using a mobile number.
Is there a better way to use phone numbers?
Get an IP (Internet Protocol) phone number. An IP number is a virtual phone number. It’s not associated with any telephone exchange but is based in the Internet. You can have a physical desk phone (but you need one that’s IP Phone capable, not a cheap £10 phone from Amazon). You can use your PC/Laptop/tablet instead. Simply set up an IP Phone App and configure it correctly, have a headset and microphone (Bluetooth is great) and you’re “good to go”. You can even take IP calls on your mobile phone, yes really. I’ve used a Sipgate number for more than 10 years now. 01793 238020. It’s moved with me from an office, to working from home and then when I got a different office it “came” with me too. I could have gone with Vonage, who offer a similar service. If you are a larger business, you might need something more sophisticated, and there are plenty to choose from and now the Video Conference provider, Zoom, has launched a very competitively priced IP Phone service too. Read about IP telephony on the Money Supermarket website.
And, best of all, when you move location you don’t have to do anything at all. Your phone number comes with you, wherever you choose to go. All you need is an internet connection.
You could even get an IP phone number for the next town/city that you want to expand in to, giving you a virtual presence there and making it even easier for potential clients to contact you.
If you need help with your telephony then I probably know enough to be able to point you in the right direction and if you need assistance with your SEO, Email Marketing, Social media or any other type of online marketing activities then I can definitely help you so you really should get in touch – even if it’s just for a free consult. You can call me on 01793 238020 or 07966 547146, email andy@enterprise-oms.co.uk or book a slot using my calendar and we’ll take it from there
*(1-800 being the US equivalent of a free phone number, known in the States as a Toll Free Number)
October is National Cyber Month. What is National Cyber Security Month?
Threats of Cyber Crime from Cyber Criminals continue to increase and we all need to be increasingly alert and focussed on the threats, the impact they could have on our lives AND the things we can do to minimise the risk to ourselves and our businesses.
National Cyber Security Month 2021 has the overarching theme “Do your part. #BeCyberSmart” and looks to empower individuals and businesses to own their role in protecting their part of cyberspace.
If we all do our part then we will all benefit from a safer place to live and be in a safer place to do business. Not only that but we’ll also be denying the cybercriminals the space they need to extort, employ fraud and generate the money they lust after.
How can we contribute?
We can all look to implement stronger/better security practices such as not clicking links in emails, not opening emails from people we don’t know or even opening emails we weren’t expecting. We can install security software on our phones, our tablets and our computers. We can use stronger passwords, and make sure we use unique passwords for EVERY application.
Each week, National Cyber Security Month will have a different focus, starting with Week 1 – Be Cyber Smart
Week 1, Starting October 4 – Be Cyber Smart
Our lives are increasingly intertwined with the internet and the World Wide Web. Pretty much all personal and business information is stored on internet connected platforms, from banking to social media, from email to SMS, from phone and video calling to watching TV and listening to music and beyond. The internet simplifies some areas of our lives and makes it more complex in others but the one, overarching common factor, is the need for a strong level of security to keep our data safe.
That’s why Week 1 of National Cyber Security Month focuses on the best security practices and “cyber hygiene” to keep our data safe, owning our role in Cyber Security and starting with the basics. That includes using unique, strong, passwords and making sure that we use multi-factor authentication (2FA) where it’s available, preferably avoiding SMS (text message) authentication where possible.
Week 2, Starting October 11 – Fight the Phish – Trust No One
Phishing attacks, where emails and text messages are sent containing web links encouraging you to click the link, visit a website set up by cyber criminals and enter your user names and passwords are still on the increase. Why are they on the increase? Because they work. People see an email that purports to come from their bank, HMRC, DVLA, Post Office, BT etc. and are given a warning claiming that the recipient needs to do something NOW or they will be locked out of their account, will be arrested, won’t have an order delivered …. or one of many other ruses. You click the link and either have malicious software sent to your computer without your knowledge and approval or give away user names and passwords to cyber criminals, enabling them to access your personal accounts and to steal from you.
The X-Files mantra of “Trust No one” applies here. Any email that contains a request for such information should always be approached with caution and, if you have even a small inkling of concern, then simply open your web browser and visit the website of the sender to check out the veracity of the email.
Week 3, Starting October 18 – Explore, Experience, Share
Week three focuses on the National Initiative for Cyber Security Education (NICE), inspiring and promoting the exploration of careers in the cybersecurity sector. Whether you are a student or a veteran or seeking a career change, this week is all about the exciting, ever changing, field of cyber security, a rapidly growing business sector with something for everyone.
Week 4, Starting October 25 – Cybersecurity First
The last week of National Cybersecurity Month looks at making security a priority. Actually taking a Cyber Security First approach to designing and building new products, developing new software, creating new Apps.
Make Cyber Security Training a key part of onboarding when taking on new employees (and, at the other end, making sure that technology rights are revoked when people leave organisations).
Ensure that your employees are equipped with the cyber secure tools that they need for their jobs. If you practice a BYOD (Bring Your Own Device) policy, allowing employees to use their own phones, tablets and computers then you need to ensure that the cyber security deployed is as strong as that on equipment that you provide.
Before buying new kit, or signing up to a new service, do your research, check the security. Is it secure enough? Can it be made more secure? Can it be remotely wiped? Who has control? All of these questions, properly answered, will ramp up your cyber security defences and help keep the cyber crims at bay.
When you set up new equipment, that new phone, tablet or laptop, I know it’s exciting but please invoke the Cyber Security first, don’t leave it until last – it might be too late. Make sure default passwords are replaced with something secure and lock down those privacy settings.
Cyber Security MUST NOT be an afterthought. If it is, you could find yourself paying the price.
And if you need some help, you can always ask me. I might not know the answer but I know people in the Cyber Security industry that I can put you in touch with. Email andy@enterprise-oms.co.uk, phone/message me 07966 547146, call 01793 238020 or message me on Social Media and we’ll get it sorted.
Wow, what a year. One thing’s for certain, 2020 is one year that will never be forgotten. Covid, Lockdown, Furlough, words that have been added to the canon of speech this year. And, to cap it all, Christmas is just around the corner and the world is still full of massive levels of uncertainty.
Whether you are working from home, #WFH, working in an office or still out and about I know that as Christmas approaches the big wind-down starts to feature in our minds.
Nothing wrong with looking forwards to Christmas but it’s important that you don’t allow your Cyber Security guard to fall too.
Why not? Simply because the hackers and cyber criminals won’t – if anything they’ll be upping their activity because they know that our minds will be on other things. In previous years we’d have been looking forward to Christmas Markets, Christmas parties, gifts, food, television and everything else that’s associated with the season of goodwill.
Our vigilance MUST remain high, both in the office and when working from home. Keep your eyes open for suspicious looking emails, especially those coming from unexpected quarters, with messages that promise much, such as tax refunds or deliveries of items you don’t remember ordering. Also beware of emails with links to websites that look OK but in reality will do harm.
It’s also a good idea to take a fresh look at your password security. Turkish researcher Ata Hakcil analysed more than 742m passwords that have been revealed in data breaches (hacks) that turned up on the Dark Web. Ata went on to make a worrying number of discoveries.
Of the 742m only 169m were unique which just goes to show how frequently we reuse passwords and how many passwords are used by a lot of people.
Worst passwords of 2020
Unfortunately, not a lot has changed over previous lists.
123456 (same place as 2018 & 2019)
123456789 (up 1 place) (same as 2019)
passwords (up one place on 2019)
qwerty (a fall of one place on 2019)
password (slips two places)
12345678 (up 1 on 2019)
123123 (a new entry)
111111 (up from No. 10 in 2019)
1234 (yes, I kid you not, 1234)
1234567890 (a new entry in this Top 10)
Disturbingly, at least 1 in 10 people have used at least one of these poor passwords – I hope you’re not one of them.
Data breaches are inevitable. To be as secure as possible you need to use strong, unique passwords for each individual account that you have. This makes the theft of one password much less of a disaster than if you use the same (or close variant) across all of your accounts.
What’s a Strong Password?
A strong password isn’t a word at all. The best ones are passphrases comprising a random combination of words with 12 characters or more, using mixtures of alphanumeric, UPPER & lower case characters and symbols.
Think of a nonsense phrase, or even a line from your favourite song. Science Friction Burns My Fingers for example. Now, run the words together, use hyphens, underscores and number substitution.
Sc13nce-fricti0nBurnsMy_Finger5%
That’s one password – you need a unique one for EVERY account that you have. Now, that’s a challenge to remember so you need a password manager. Because of my work, I have access to 789 accounts of one sort or another and I have 789 different passwords. Obviously there’s no way I could remember all of those – I struggle to remember 4 important ones, which is why I use a password manager. Not only does it store all of my passwords in a safe place it also generates new, random, ones for me.
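The rules given here and in the 2021 post above (12 or more characters, mixed character classes, nothing from the Top 10 lists, no personal details, no Password1/Password2 style variants) can be turned into a policy check. This is an added example, not code from the original post; the personal details and sample passwords are constructed, and the word lists are the two Top 10s quoted on this page.

```python
"""Check a password against the rules the post lays out.
Added example; the personal details and sample passwords are constructed."""
import re

# The two Top 10 lists quoted in the post (2020 and 2021), lower-cased.
WORST_PASSWORDS = {
    "123456", "123456789", "12345", "qwerty", "password", "12345678",
    "111111", "123123", "1234567890", "1234567", "1234",
}

# Reverse of the l3tt3r5 substitution the post recommends, so that a
# "P@ssw0rd" built on a list entry is still recognised as "password".
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalise(pw):
    """Lower-case, strip trailing digits/symbols, then undo substitutions,
    so 'Password1', 'Password2' and 'P@ssw0rd!' all reduce to 'password'."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    return core.translate(LEET_MAP)


def check_password(pw, personal_details=(), min_length=12):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = {
        "upper": re.search(r"[A-Z]", pw),
        "lower": re.search(r"[a-z]", pw),
        "digit": re.search(r"\d", pw),
        "symbol": re.search(r"[^A-Za-z0-9]", pw),
    }
    missing = [name for name, found in classes.items() if not found]
    if missing:
        problems.append("missing " + ", ".join(missing))
    norm = normalise(pw)
    if pw.lower() in WORST_PASSWORDS or norm in WORST_PASSWORDS:
        problems.append("on the worst-passwords list (or a trivial variant of one)")
    # Anything gleaned from social media: pet names, birth years, team names ...
    for detail in personal_details:
        d = str(detail).lower()
        if len(d) >= 3 and (d in pw.lower() or d in norm):
            problems.append(f"contains personal detail '{detail}'")
    return problems


if __name__ == "__main__":
    # Constructed details for a hypothetical person; "Charlie" is the pet.
    details = ("Charlie", "1986", "Liverpool")
    for candidate in ("Password1", "P@ssw0rd!", "Liverpool2021!",
                      "Sc13nce-fricti0nBurnsMy_Finger5%"):
        print(candidate, "->", check_password(candidate, details) or "OK")
```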
Top 10 Password Managers
There are loads of great password managers out there. I use LastPass because it was one of the first to integrate with my browser AND be available across all of my devices, desktop, laptop, Chromebook, phone and tablet.
TechRadar recently reviewed Password managers and their top 10 free and paid-for password managers is as follows
You can read TechRadar’s reviews here. And don’t forget, your web browser probably has a password manager built in and may even generate new ones for you, but it may not synchronise across all of your devices.
And PLEASE, if this applies to you – STOP USING PASSWORD or 12345678 and use one of the above instead.
Have a great Christmas, a happy new year and I look forward to communicating with you in the new year. If you need any help, please, just ask. You can reach me by phone – 01793 238020 – email – andy@enterprise-oms.co.uk or just hunt me down on Social Media.
For years, technologists have been promoting digital transformation, using technology to communicate rather than having to attend endless, often pointless, meetings. Corona virus, lock-down and working from home has really pushed many businesses to take a fresh look at the options available to them.
Lock-Down means that a lot of us are having to work very differently, working from home, whether from a home office, the dining table, the kitchen table or a bedroom dressing table or a shed at the end of the garden it’s all quite new.
There’s no doubt that as a result of this forced, rapid, transition, many of us will find that continuing to work from home is far better than commuting to an office, warehouse, workshop or other business location. And, in the long term, everybody wins. No commuting means time saved, no travelling to meetings means time and travel costs saved and no travelling is much much better for the environment too. It also means we get to spend more time with our families.
There are a number of platforms that will help you to do this. Simple platforms such as Skype and Messenger are familiar to a lot of people, Google Hangouts and Microsoft Teams are also in pretty common use but they often lack some of the features that make video-conferencing much easier.
Video Conference Options
The key features that I look for include
Maximum permitted meeting length
Screen sharing – so that I can share presentations etc.
Recording, can the session be recorded so that I can share it with the delegates for them to refer back to?
What services do the free accounts NOT have?
As an example, Zoom, which has really increased in popularity over the last couple of months has a Free account that allows video conferences of any length with 2 people but this drops to just 40 minutes for 3 or more but does permit screen sharing. However, there are concerns over the security of Zoom.
To overcome this, the Zoom Pro account at £143.88 + VAT annually increases the meeting length to 24 hours and provides 1Gb of cloud storage.
Webex, a Cisco product, is more secure. The free account limits the number of people in your call to 100, places no limits on meeting length but does not offer any recording and does not offer screen sharing.
The Webex Small Teams account, £135.00 + VAT PA adds screen sharing and recording to the free account.
If you want any help with your digital marketing please don’t hesitate to get in touch for an informal chat by email (andy@enterprise-oms.co.uk), by phone (01793 238020) or ask me on Social Media – Linkedin or Twitter – and I’ll be only too happy to talk. Thanks for reading and I hope you stay well.
Times are tough, I know but having worked with companies through 3 recessions I know that some will thrive, some survive and others go to the wall.
Some will fail no matter what they do but for a lot of companies there are alternatives.
You can accept the status quo and roll with the punches OR you can fight for your survival.
My experience is that those who fight for their survival will come through the current situation fighting fit and with a great chance to thrive because they will be better than they were and they’ll be ready to leap on opportunities that have been left begging by those who simply accepted the status quo.
So FIGHT for your business and if I can help – get in touch.