Every quarter the ECRC meets with their fabulous Trusted Partners (TP) to discuss what cyber threats they are seeing. This quarter everyone agreed that the economic downturn is likely to be the biggest upcoming challenge.
When times get tight, businesses prioritise their spending based on their essential activities, and for a lot of companies this will not be their cyber resilience.
They will weigh their perceived threat of cyber-attack against their bottom line and in some cases decide that cutting back is worth the risk.
But is the perceived threat of attack fully known by business decision makers?
If everyone in your supply chain also reduces their cyber resilience spending, what does this do to your risk?
Supply chains are frequently targeted by cyber criminals; Business Email Compromise (where a criminal takes over a legitimate email account and intercepts payments) is becoming increasingly common and is costing businesses thousands of pounds. If businesses cut down on their cyber resilience spending, the cut might well fall in the area which is the hardest to secure - your staff awareness training.
There are multiple reasons why phishing emails continue to be the most common cyber-attack; the criminals need minimal technical knowledge and, ultimately, they work. That's why staff need regular training - it keeps the threat top-of-mind and they remain updated and alert to the latest techniques. So cutting this back should be avoided.
New phish to warn your staff about
One of our TPs shared a phishing technique that they witness on a fairly regular basis.
· A company employs a new member of staff
· The staff member updates their company on their LinkedIn profile
· The staff member then gets an email purportedly from the new company’s boss asking for their telephone number to be added to a WhatsApp group
Why does someone else want that staff member’s telephone number?
Luckily, none of the employees have fallen for this but it is important to remember that a new staff member is likely to have less knowledge of the key members of a company or the company's policies and procedures.
If the employee sends them the contact details, then the group they get added to is likely to be saved as a trusted source of information. This might mean the employee would be more likely to click on links coming from that source.
They might also try to use the details that have been provided to get past MFA. For example:
· The criminal manages to 'phish' the credentials of the new employee by sending a link through the WhatsApp group
· They can’t get past the MFA
· They send the employee a text which looks as if it comes from a legitimate MFA request, asking for the code
· The employee sends the code to the criminal
So what can companies do when budgets are squeezed?
There are a number of free things all companies can continue to do as they weather the economic storm.
Understand the risk - have detailed knowledge of systems and processes in place and identify the company’s crown jewels (the things without which the company could not function). You can then be pragmatic about where budgets really shouldn’t be reduced. How long could you manage without any emails or core systems? Which systems would you recover? Cost = time to review.
Sign up to NCSC Early Warning – receive high level alerts, in daily and weekly summaries, based on your IP and domain names, containing:
· Incident notifications suggesting an active compromise of your system. This might be a host on your network being infected with malware.
· Network Abuse Events suggesting your assets have been associated with malicious or undesirable activity. This might be a client on your network found scanning the internet.
· Vulnerability and Open Port Alerts suggesting vulnerable services running on your network, or undesired applications are exposed to the internet. This might be an exposed Elasticsearch service. Cost = free
Get Police CyberAlarm - help your business understand and monitor malicious cyber activity. Police CyberAlarm acts like a 'CCTV camera' monitoring the traffic on a member's connection to the internet. It detects and provides regular reports of suspected malicious activity, enabling organisations to minimise their vulnerabilities. Vulnerability Scanning can be added and used to scan an organisation's website and external IP addresses. Cost = free
Register your domain with haveibeenpwned.com – this will alert you if your domain appears in a known data breach allowing you to take action, hopefully before the criminals can. Cost = free.
Join the Eastern Cyber Resilience Centre community – sign up and receive a monthly newsletter about cyber threats, as well as our 'Little Steps' emails which provide easy to understand guidance about fundamental cyber resilience. You can also access our affordable student services and our Forum where you can meet others who might have the same questions. We can also give you signposting to other free tools which might be relevant to your company. Cost = free