Understanding Cyber Essentials firewall requirements


One of the five major controls of Cyber Essentials is to configure and deploy a network firewall. Let’s delve into what that means in practice.

What’s a firewall?

A firewall is a network security system that creates a buffer zone between your company’s network and external networks. In simple terms, it creates a secure zone between your devices and the internet.

To qualify for Cyber Essentials, all your internet-connected devices should be protected with a firewall. 

Types of firewall 

There are two kinds of firewall that meet the Cyber Essentials firewall requirements:

  1. Personal firewall
  2. Boundary firewall

Personal firewall

You’ll usually find these installed on internet-connected desktops or laptops. Most operating systems come with a built-in personal firewall, so you’re likely already using one.

Boundary firewall

Also known as a network firewall, boundary firewalls provide a protective buffer around your entire network of devices. In most cases, you’ll need a hardware firewall to deploy a boundary firewall.

How do firewalls work?

Firewalls restrict inbound and outbound traffic to ensure you connect safely to external networks like the internet. They prevent desktops, laptops, and mobile devices within your network from accessing malicious or harmful content.

Firewalls do this by using rules to restrict the kind of traffic that gets in. These rules allow or block incoming traffic into a network depending on its source, destination, and communication protocol.

Cyber Essentials firewall requirements 

The Cyber Essentials firewall requirements are to use and configure a firewall to protect every device in your business, especially those connected to public or untrusted Wi-Fi networks.

To comply with Cyber Essentials, you must:

  • Disable permissive firewall rules once they become obsolete
  • Make use of personal firewalls on devices connected to untrusted networks like public Wi-Fi or hotspots
  • Block unauthenticated and untrusted inbound connections by default
  • Review and update default passwords and settings according to the organisation’s security requirements
  • Use strong administrative passwords with a mix of upper and lower-case characters, numbers, and symbols, or disable remote administrative access
  • Set and document administrator-approved firewall rules 
  • Restrict administrative access to the firewall interface. Access should be protected with:
    • Two-factor authentication
    • An IP whitelist with a small number of devices only
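To make the rule evaluation described above and the requirements in this list concrete, here is an added Python example (not part of the original post and not CyberSmart’s product): a small model of a boundary firewall that applies rules first-match on source, destination, protocol and port, plus an audit that checks the rule set for a default-deny inbound policy, documented approval, expired temporary rules, and a small IP allowlist for the admin interface. The addresses, rule names and approver are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "0.0.0.0/0"  # matches every IPv4 source or destination


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "block"
    direction: str                  # "inbound" or "outbound"
    protocol: str                   # "tcp", "udp", "icmp" or "any"
    src: str                        # source network, CIDR notation
    dst: str                        # destination network, CIDR notation
    dport: Optional[int] = None     # destination port; None matches any port
    comment: str = ""               # what the rule is for
    approved_by: str = ""           # administrator who signed the rule off
    expires: Optional[date] = None  # temporary rules carry an expiry date


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Firewall:
    rules: List[Rule]
    default_inbound: str = "block"   # applied when no rule matches inbound traffic
    default_outbound: str = "allow"

    @staticmethod
    def matches(rule: Rule, pkt: Packet) -> bool:
        """A rule matches on direction, protocol, source, destination and port."""
        return (
            rule.direction == pkt.direction
            and rule.protocol in ("any", pkt.protocol)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.dport in (None, pkt.dport)
        )

    def decide(self, pkt: Packet) -> str:
        """First-match evaluation: the first matching rule decides, else the default."""
        for rule in self.rules:
            if self.matches(rule, pkt):
                return rule.action
        return self.default_inbound if pkt.direction == "inbound" else self.default_outbound


def audit(fw: Firewall, admin_port: int, today: Optional[date] = None,
          max_admin_addresses: int = 4) -> List[str]:
    """Check a rule set against the requirements listed above and return the findings."""
    today = today or date.today()
    findings = []
    if fw.default_inbound != "block":
        findings.append("inbound connections are not blocked by default")
    admin_addresses = 0
    for r in fw.rules:
        if r.action != "allow" or r.direction != "inbound":
            continue
        if not r.approved_by:
            findings.append(f"rule '{r.comment}' has no documented administrator approval")
        if r.expires is not None and r.expires < today:
            findings.append(f"rule '{r.comment}' expired on {r.expires} and should be disabled")
        if r.dport == admin_port:
            # Count every address that can reach the admin interface; 0.0.0.0/0 is 2**32.
            admin_addresses += ip_network(r.src).num_addresses
    if admin_addresses > max_admin_addresses:
        findings.append(f"admin interface on port {admin_port} is reachable from "
                        f"{admin_addresses} addresses; restrict it to a small allowlist")
    return findings


# Constructed sample (documentation address ranges): a boundary firewall as first set up.
WEAK = Firewall(
    rules=[
        Rule("allow", "inbound", "tcp", ANY, "192.0.2.10/32", 443, "public web server"),
        Rule("allow", "inbound", "tcp", ANY, "192.0.2.1/32", 22, "remote admin from anywhere"),
        Rule("allow", "inbound", "tcp", ANY, "192.0.2.20/32", 3389, "vendor RDP, temporary",
             "j.smith", date(2024, 1, 31)),
    ],
    default_inbound="allow",
)

# The same firewall configured to meet the requirements: default-deny inbound, documented
# rules, the obsolete vendor rule removed and admin access limited to two allowlisted hosts.
HARDENED = Firewall(
    rules=[
        Rule("allow", "inbound", "tcp", ANY, "192.0.2.10/32", 443, "public web server", "j.smith"),
        Rule("allow", "inbound", "tcp", "203.0.113.8/31", "192.0.2.1/32", 22,
             "remote admin from allowlisted IT hosts", "j.smith"),
    ],
)

if __name__ == "__main__":
    for name, fw in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(fw, admin_port=22) or ["no findings"])
```

Running the script lists five findings for the weak rule set and none for the hardened one; two-factor authentication on the admin interface is outside what a packet-filter model can check and must be verified on the device itself.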

Does your firewall meet Cyber Essentials requirements?

Setting up a properly configured firewall is one of the first steps towards a Cyber Essentials certification.

If you’d like to learn more about network firewalls and how to configure them for Cyber Essentials, contact us.

Or, if you want to know more about Cyber Essentials and the benefits of certification to small businesses like yours, check out our guide.


How to respond to social engineering attacks


Cybersecurity threats are a growing concern for businesses of all sizes. Small businesses, in particular, often underestimate their risk, thinking that cybercriminals only target larger corporations. However, this misconception can lead to vulnerabilities that are easily exploited. In this blog post, you will learn about social engineering, how to prevent attacks, respond if an attack occurs, and why practice makes perfect in maintaining your security posture.

What is Social Engineering?

Social engineering is a tactic cybercriminals use to manipulate individuals into divulging confidential information or performing actions that compromise security. Unlike technical hacking, social engineering exploits human psychology rather than software vulnerabilities.

One common form of social engineering is phishing. Phishing involves sending deceptive emails that appear to be from legitimate sources. This tricks recipients into clicking on malicious links or providing sensitive information like passwords and credit card numbers. 

Phishing attacks are by far the most common type of cyber attack experienced by UK businesses. 84% of businesses that identified any breaches or attacks in the last 12 months reported experiencing phishing attacks.

Among organisations that identified breaches or attacks, 35% reported experiencing impersonation attempts, where attackers pretended to be the business or its staff in emails or online. More alarming still, although 21% of businesses yet to experience an attack didn’t think they’d need to close in the event of one, 100% of those who have been victims said they would.

So the risk is very real for businesses of all sizes, regardless of industry. But what can you do about it? 

Prevention is better than cure

When it comes to cybersecurity, prevention is always better than cure. Implementing technical controls can help safeguard your business from cyber threats. Here are a few to get you started.

Email filtering

Whichever you use, most email platforms include filtering to block phishing emails; it’s how things end up in your spam folder. But what you might not know is that you can calibrate the rules yourself. Setting strict rules for what can and can’t enter your business’s inboxes can almost completely remove the chance that most phishing emails will ever reach a human.

Multi-factor authentication 

Use multi-factor authentication (MFA) for all accounts within your organisation. MFA adds an extra layer of security by requiring multiple forms of verification before granting access to sensitive information. This means that even if a hacker does get hold of an employee’s login credentials, it’ll be far more difficult for them to gain access to company platforms, documents, or sensitive data.

Regular software updates

A huge number of successful breaches start with a known vulnerability. In 2023 alone, more than 50% of the high-risk vulnerabilities tracked by Qualys were used by cybercriminals to attack victims. 

Fortunately, there’s a quick and easy way to ensure your business doesn’t fall prey. Software developers regularly release patches to address vulnerabilities, usually in the form of updates. Run these updates whenever they’re released; you can even set your operating system to auto-update.

Technology isn’t enough 

Although technology is a vital component of cyber defence, we can’t rely solely on it. As I explained at a recent talk, for technology to be successful people must want to use it and our culture must motivate us to do so.

We can start to achieve this culture through security training and awareness. Educating employees about the dangers of social engineering and how to recognise phishing attempts is crucial. Regular training sessions can help employees stay vigilant and understand the latest tactics used by cybercriminals. This understanding and realisation of the threats and possible impacts upon individuals and the businesses they work for will sow the seeds of a strong culture.

Incident Response Procedures

Despite the best preventive measures, breaches can and will still occur. Having a robust incident response procedure in place can mitigate the damage and help your business recover quickly.

Incident response procedures are predetermined protocols that outline the steps to take when a cybersecurity incident occurs. These procedures ensure an efficient and effective response, minimising any impact on your business.

An effective incident response plan should include:

Preparation –  Ensure your team is ready to handle incidents by establishing and training on policies, tools, and communication plans.

Detection and analysis – Monitor systems to quickly identify and assess incidents, determining their scope and impact.

Containment, eradication, and recovery – Implement strategies to control the incident, remove the threat, and restore affected systems and data to normal operations.

Post-incident activity – Review and document the incident and response actions, using insights to improve future response efforts and strengthen security measures.

Practise, Practise, Practise

Developing an incident response plan is not enough. You must also regularly practise it to ensure it remains effective.

Depending on your organisation’s size and resources, you must determine which incidents should be subject to a lessons learnt process. For example, all incidents with a critical or high ticket associated with them. After each relevant incident, conduct a thorough review to identify what worked well and what didn’t. Use these lessons to improve your response procedures and prevent future incidents.

Want to know more about the cybersecurity threats facing your customers? Check out The CyberSmart MSP Survey 2024, our deep dive into the cybersecurity sector in 2024.

8 benefits of Cyber Essentials certification


Safeguarding your business from cyber threats is crucial. By gaining the Cyber Essentials certification, you can protect your business against a wide range of cyberattacks. 

Understanding the benefits of Cyber Essentials can help you increase trust and safeguard your business.

What is Cyber Essentials?

Cyber Essentials is a cybersecurity certification designed by the government to give organisations a standard level of protection.

There are five security controls with criteria to address cybersecurity effectively and mitigate the risk from cyber threats: 

  • Firewalls
  • Secure configuration
  • User access control
  • Malware protection
  • Security update management

The 8 benefits of Cyber Essentials

1. Improve your security processes

Once accredited, you’ll be at less risk of GDPR non-compliance. It’ll protect you against the estimated 7.78 million cybercrimes that UK businesses experienced in the last 12 months.

2. Build trust with customers

With so many high-profile cyberattacks worldwide, consumers are rightly concerned about who to share data with. They want to know that their personal data will be safe.

Having this accreditation lets customers know that you operate your business to a good standard of cybersecurity — providing the reassurance they need to buy from you with confidence. It also helps to build a good reputation for your business as time goes on.

3. Bid for government contracts

If you want to work with organisations within the MoD and bid for government contracts, you’ll need a Cyber Essentials certificate. This is a huge opportunity to work on large-scale projects and form long-lasting relationships with public sector organisations. 

4. Become a trusted supplier

For the 12 months your certificate is valid, your company’s name appears on the NCSC website. This makes it easy for potential customers to check your cybersecurity credentials and validate your business.

5. Strengthen your supply chain

Your customers, partners, suppliers, and investors need confidence in your ability to operate safely. Having a registered certification validates your processes and means they know you operate with their best interests at heart.

6. Reduced cyber insurance premiums

Obtaining Cyber Essentials certification can potentially facilitate your cyber insurance application. Insurers recognise the certification as a sign of good cyber hygiene. Many insurers choose to insure these controlled risks, and some may offer preferential treatment in underwriting.

7. Operational resilience

Cyber Essentials builds your business’s operational resilience, making you better prepared to handle cyber incidents. This means less downtime, quicker recovery, and a stronger response to potential threats.

8. Competitive advantage

Demonstrating your commitment to cybersecurity can set you apart from competitors who may not have the same level of protection. This can be a huge differentiator when attracting new customers and partners who prioritise security and reliability.

Start meeting your business needs

Addressing the basic needs of your business will build you a foundation for success. Getting your cybersecurity in order is a must, and working towards a Cyber Essentials certification will put you on the path to better data management.

Want to know more about cybersecurity certifications and which one is best suited to your business? Our guide has everything you need to make a decision.

Cyber Essentials checklist – prepare and pass

The Cyber Essentials scheme provides an effective framework against cyberattacks. Getting Cyber Essentials certified is a great first step to protecting your digital assets and personal data.

For those considering bidding on work such as UK Government supply chain contracts, it’s a mandatory certification.

Like all official certifications, achieving Cyber Essentials requires preparation and an investment of time, budget, and some technical awareness. Learn more about how to prepare for and pass certification with our Cyber Essentials checklist.

1. Create an information security policy

The first step is to develop an information security policy. Your policy should establish the requirements and rules for cybersecurity that will help you to achieve Cyber Essentials, including:

• The requirements for handling and processing first-party and third-party data
• A password policy that describes the minimum requirements for passwords (such as length and complexity)
• A set of guidelines that define what users can and can’t do, including access controls and internet usage

Your security policy doesn’t have to be a long and complex document. Instead, it should document rules for cybersecurity in a simple, obvious way that all your employees and suppliers can understand and comply with. Consider incorporating guidelines for remote work into your Cyber Essentials checklist, including secure use of personal devices and VPNs. It’s crucial to define procedures for responding to security breaches and reporting incidents in and away from the organisation.

2. Assign a data protection officer

Although not mandatory for all organisations, appointing a single senior employee as a Data Protection Officer (DPO) can help you enforce the information security policy within your organisation.

For SMEs, assigning a DPO can be a crucial step in coordinating all security initiatives. For external parties and IT users, they’re a single point of contact for queries and concerns related to security.

Cyber Essentials requires businesses to complete and submit a self-assessment questionnaire, and to provide relevant evidence to support their answers, to achieve certification.

Having a DPO ensures that everybody understands who is responsible for completing the questionnaire and who to go to for advice and guidance. It also encourages the DPO to conduct regular audits and risk assessments – leading to security awareness and promoting training for other employees.

3. Keep track of your digital assets

To make sure that all software and devices are protected, you should keep an inventory of digital assets. Include the details of versions and updates for both software and devices.

Knowing what and where your assets are is good practice, especially with information security assets. It helps you keep software updated, which is essential, and is the best first step to protecting your systems and data.

Knowing what devices your business has is the best way to identify unauthorised devices and to take action to remove or isolate them. Establish a clear process for securely disposing of outdated or unused assets to keep everything organised and safe.

Tracking your digital assets helps to identify vulnerabilities and to keep a close watch on devices within your network.

4. Enforce access control

Access control ensures that only authorised personnel can see sensitive information, and enforcing strong access control is an essential step towards achieving Cyber Essentials certification.

Using a Role-based Access Control (RBAC) system ensures IT users have only the privileges they need for their job role, and access only to those systems they need to be effective and operate safely.

Regularly review and update user permissions when changes occur in roles or employment status, using access control software that provides detailed logs and alerts for unauthorised access attempts.

5. Make use of the right tools and configurations

A firewall and antivirus are essential security tools required for Cyber Essentials.

Your firewall helps protect devices on a network from external threats such as those from the internet.

Your antivirus software protects your systems from viruses and other malware that can lead to corruption or theft of personal or proprietary data.

You should ensure your firewalls are properly configured to disallow access to malicious content. Making use of a firewall and antivirus will help your business prevent the most common types of cyberattacks.

6. Conduct regular security reviews

To ensure that your digital assets remain safe and protected, it is vital to document, track, and review the effectiveness of the cybersecurity measures you have taken. Put a security team in place to oversee and act on any findings, so you can use them to improve future security policies and procedures.

Knowing the strengths and weaknesses of your network can help you fine-tune cybersecurity, especially as you grow. You should conduct regular security reviews to:

7. Introduce employee training programs

Interactive training modules on how to recognise phishing scams will provide employees with up-to-date resources and guidelines on best practice. Encourage a culture of cybersecurity awareness through regular, updated training materials that detail the latest threats and optimal procedures.

Use the assessment results to identify gaps in knowledge, tailor training to everyone, and provide more efficient feedback.

8. Use multi-factor authentication (MFA)

Implement multi-factor authentication (MFA) that goes beyond traditional passwords. MFA requires two or more verification factors to gain access, such as a temporary code sent to a mobile device or email account.

Look to integrate multi-factor authentication for all security-critical systems, including cloud services, email, administrative accounts and more. This is especially important when employees are working remotely, where there is a greater risk of external threats.

Start your Cyber Essentials checklist

If you’re a small or medium-sized business, getting started with cybersecurity can seem daunting — especially if you have no technical IT skills. However, achieving a Cyber Essentials certification is a great way to begin, and for a small investment of time and effort, it can significantly reduce risk. Follow the Cyber Essentials checklist outlined above, and you will be well-prepared to pass the certification.

CyberSmart is an automated platform to help businesses stay secure with recognised certification standards including Cyber Essentials. Businesses can gain certification as individual companies or can join the many organisations that have achieved Cyber Essentials by partnering with us today. If you have any questions, whether about preparing for Cyber Essentials or how to protect your company systems and data, please reach out to learn more.

How CyberSmart enhances protection against Qilin ransomware

The emergence of Qilin ransomware as a formidable cyber threat requires robust cybersecurity measures. In this blog, we’ll look at how CyberSmart is helping organisations defend against this sophisticated malware.

What is Qilin ransomware?

Qilin ransomware is distinguished by its advanced encryption techniques. It uses a blend of AES (symmetric) and RSA (asymmetric) encryption to secure data. This makes decryption very difficult without the corresponding keys.

Qilin ransomware is adept at exploiting unpatched vulnerabilities, allowing it to infiltrate and persist within systems undetected.

How does it get in?

Given its sophistication, you might expect Qilin ransomware to require an equally refined delivery method. But that’s not the case. Most Qilin attacks are launched via common phishing scams. Once in, it exploits vulnerabilities to spread quickly across systems.

Qilin’s Operational Tactics

Qilin’s operational tactics are what make it so tricky to deal with. For example, it can customise its payload to avoid detection or change its approach to exploit the target’s weaknesses.

It also uses lateral movement techniques to spread across networks, encrypting valuable data and altering file extensions. This makes file recovery extremely difficult.

Global Impact

Qilin primarily targets sectors where data access is critical. These include industries like healthcare and manufacturing, which offer criminals the chance for maximum disruption.

All this demonstrates the importance of an adaptive approach to cybersecurity to counter the threat – which is where CyberSmart comes in.

CyberSmart’s defensive strategies

CyberSmart’s comprehensive suite of tools can significantly mitigate the risks posed by threats like Qilin. Here’s how.

1. Endpoint monitoring and compliance assurance

CyberSmart Active Protect continuously monitors endpoints. This ensures that every system in your business complies with the latest security standards. In addition, it quickly identifies vulnerabilities and provides simple instructions for mitigating them – depriving Qilin of gaps to exploit.

2. Education to combat phishing

According to a study from IBM, 95% of all cyberattacks are caused by human error. And this is especially true of ransomware attacks. CyberSmart Academy focuses on reducing human error. It does this through targeted training to help employees recognise and avoid phishing attempts and other social engineering tactics.

3. Proactive vulnerability management

Routine vulnerability scans are critical in preempting attacks. They help to identify and address the security loopholes threats like Qilin try to wriggle through.

4. Data recovery and continuity planning

With our partners’ support, we encourage all businesses to implement data recovery and backup plans. This approach minimises the downtime and operational impact caused by a breach. So, even if the worst-case scenario happens, you’ll recover quickly.

5. Install and maintain anti-malware solutions

Although CyberSmart doesn’t directly handle malware detection, it ensures that anti-malware solutions are installed and configured correctly. Again, this provides confidence that your whole network is adequately protected.

The need for layered cybersecurity strategies

The threat Qilin poses highlights the need for a layered cybersecurity strategy. What do we mean by that?

Well, in short, protection against sophisticated ransomware is about more than anti-malware tools. Organisations must maintain rigorous update protocols, regularly monitor systems and enhance employee awareness to properly mitigate risk.

By integrating CyberSmart’s advanced security solutions, businesses can strengthen their defences and ensure greater resilience against cyber threats.

Jamie Akhtar, CEO at CyberSmart, adds:
“In an era where cyber threats are increasingly sophisticated, it’s vital that our defences not only match but exceed the level of threat we face. Sectors like healthcare, previously considered off-limits, are now actively targeted due to legacy systems, interconnectedness, and the necessity to restore services quickly. CyberSmart is committed to collaborating with our extensive partner network to deliver complete cyber confidence for organisations against complex threats like the Qilin ransomware. This commitment is crucial for maintaining the trust and safety of the digital systems that power our everyday lives.”
Is Cyber Essentials mandatory? Who needs Cyber Essentials and why

Cyber Essentials is a UK government-backed scheme that helps organisations protect themselves against common cyber threats. Achieving Cyber Essentials certification demonstrates a commitment to cybersecurity. Unlike GDPR, Cyber Essentials isn’t mandatory for UK businesses.

The Cyber Essentials scheme isn’t covered by binding regulation. Instead, it provides impartial guidance to help businesses improve their cyber posture, built around five security controls: firewalls, secure configuration, user access control, malware protection, and security update management. It’s a great way for any business to improve its cyber credentials, and in some cases it’s mandatory. Learn more about the conditions under which certification can be necessary in this blog post.

Government Contracts

Cyber Essentials is mandatory for businesses looking for specific government contracts.

Unless your business achieves Cyber Essentials, you will not be able to bid for such contracts at all. These contracts involve the handling of personal information or delivering certain IT products and services.

For example:

• Handling the personal information of any UK citizens; e.g., bank details or home addresses
• Handling the personal information of any government employees, ministers, or advisors; e.g., payroll or expenses information
• Delivering IT products or services designed to store, process, or transfer data

Cyber Essentials certification is mandated for businesses entering into these contracts and demonstrates that they have achieved the standards and meet the technical requirements defined by the scheme.

For all businesses looking to bid for government contracts that involve one of the above characteristics, it makes sense to achieve Cyber Essentials certification first.

Ministry of Defence Contracts

The UK Ministry of Defence (MoD) requires all its suppliers to comply with Cyber Essentials. The MoD has previously stated that this requirement must flow down to the supply chain. It mandates that both organisations directly conducting business with the MoD and organisations delivering to the MoD supply chain must be Cyber Essentials certified.

Importance of Cyber Essentials

Should your business get a Cyber Essentials certification even if it isn’t mandatory?

Yes. Even if you’re not bidding for government or MoD contracts, you could benefit from having Cyber Essentials.

For SMEs with little or no IT support or expertise, it provides a basic first step towards cybersecurity. Most SMEs lack adequate cybersecurity measures because they mistakenly feel that they’re not a target. This is a misconception:

• 90% of businesses and 94% of charities who experienced at least one type of cyber crime
• 1.5 million UK businesses hit by cybercrime in 2023

Taking the steps to Cyber Essentials

Considering Cyber Essentials for your business but not sure where to start? We’ve got a guide for that. Our guide to certifications in the UK has everything you need to know about Cyber Essentials and who needs it. Read it here.

7 Key takeaways from DSIT’s Cyber Security Breaches Survey 2024

          Every spring the Department for Science Innovation & Technology (DSIT) releases its Cyber Security Breaches Survey. Always hotly anticipated throughout the cybersecurity sector, it acts as a ‘temperature check’ of security and resilience within UK cyberspace. 

          Although the report primarily intends to inform UK government policy, that doesn’t mean it isn’t useful to small businesses. In fact, the report is a bit of a lodestar for anyone interested in cybersecurity. It gives us an idea of the threats we face, how businesses are dealing with them, and what we can do to improve our collective security. 

          With that in mind, here are our key takeaways from the Cyber Security Breaches Survey 2024.

          1. Breaches remain common 

          This won’t be particularly surprising to anyone but successful cybersecurity breaches remained commonplace in the last 12 months. According to DSIT’s research, half of businesses (50%) and just under a third of charities (32%) reported experiencing some form of breach.

          These figures are highest for medium businesses (70%), large businesses (74%) and high-income charities with £500,000 or more in annual income (66%). However, this isn’t to say small (10-49 employees) and micro (1-9) businesses are immune. 47% of micro-businesses and 58% of small businesses were hit with a breach in the last year. 

          2. The cost of a breach remains low, but constant 

          This one is a mixed bag. One positive is that DSIT reports the average cost of a single breach across all businesses surveyed was £1,205. That’s considerably lower than figures released in reports like IBM’s Cost of a Data Breach 2023, even when we consider that the average rises to £10,830 for large and medium businesses.

          Unfortunately, this isn’t the whole story. Although the headline figure for the cost of a breach is low, companies are being attacked with frightening regularity. Over half of businesses (53%) and just under half of charities (45%) reported that this happens once a month or more often. Grimmer still, a third of businesses and a fifth of charities say that they were attacked at least once a week.

          This means that even if the cost of a single breach is low, many businesses are being hit multiple times a year, making the cumulative impact of attacks far higher. What’s more, while larger organisations may be able to swallow these recurring costs, their impact could be ruinous for SMEs. 

          3. Phishing scams are still the number one threat

          By this point, most of us have first-hand experience of a phishing scam. They come in many forms, from speculative email campaigns to more targeted attacks through social media platforms like Facebook Messenger and spear phishing.

          So it’s no surprise to see phishing scams at the top of DSIT’s list of most common threats. 84% of businesses and 83% of charities reported being targeted by one in the last 12 months. 

          However, more interesting is that the second most common threat was ‘others impersonating organisations in emails or online’ (35% of businesses and 37% of charities). This demonstrates that cybercriminals are leaning on social engineering techniques to launch attacks, rather than more technological approaches like malware and ransomware.

          There are a couple of possible reasons for this. Firstly, social engineering attacks use our human nature against us, making them more difficult to defend against. Second, social engineering doesn’t require any specialist tools or tech knowledge, just a familiarity with the techniques, meaning the barrier to entry is lower for would-be scammers.

          4. Does Cyber Essentials certification have an awareness problem? 

          Cyber Essentials certification turns ten this June. And, although the scheme has helped thousands of businesses improve their cybersecurity, it appears to have an awareness problem. 

Just 12% of businesses and 11% of charities are aware of the Cyber Essentials scheme. These figures are roughly consistent with 2023 but represent a decline over the last 2-3 years. This decline is also more pronounced among smaller businesses, with medium businesses (43%) and large businesses (59%) more aware.

          More worrying still, only 3% of businesses and charities report adhering to Cyber Essentials. However, this does come with a caveat that a higher proportion of them (22% of businesses and 14% of charities) report having technical controls in all five areas covered by Cyber Essentials.

          5. Businesses aren’t prepared for supply chain risks

          Although the report reveals organisations have broadly improved when it comes to cyber risk management, there’s still one glaring omission – supply chain risks. Only one in ten businesses say they review supplier risk (11%, vs. 9% of charities). Given that supply chain attacks are predicted to cost the global economy $138 billion by 2031 this is an area that needs urgent attention in the coming years. 

          6. Formal incident response plans aren’t widespread

          Despite many businesses stating that they’d take action following a cyber incident, very few have anything concrete in place to establish what those steps are. Just 22% of businesses and 19% of charities have a formal incident response plan. Once again, these figures are largely being driven by SMEs; 73% of large businesses have one. 

What this suggests is that small businesses are ill-prepared for the worst-case scenario. Creating an incident response plan or security policy can be time-consuming and tricky if you don’t know where to start. SMEs need help, through tools like templates and policy management, to better prepare themselves. 

Alongside this, when a breach does happen, external reporting of it is uncommon. Just over a third of businesses (34%) and charities (37%) reported a breach outside their organisation. Even then, this wasn’t usually to the National Cyber Security Centre (NCSC) or Information Commissioner’s Office (ICO), but to their managed service provider or IT supplier. This indicates that vast swathes of cybercrime are still going unreported.

          7. Basic cyber hygiene is improving 

          Finally, let’s end with a real positive. Cyber hygiene – by which we mean basic cyber controls – is on the up across all businesses. Most cyber threats are relatively unsophisticated so organisations can go a long way towards protecting themselves by simply adopting some simple measures. 

          The good news is that a majority of businesses and charities have a broad range of these measures in place. These include: 

          • using up-to-date malware protection (up from 76% to 83%)
          • restricting admin rights (up from 67% to 73%)
          • network firewalls (up from 66% to 75%)
          • agreed processes for phishing emails (up from 48% to 54%)

And, even more promising, these trends are a reversal of the decline in cyber hygiene we’ve seen over the past few years. This shift is being driven by micro and small businesses, demonstrating that despite the worrying trends in awareness surrounding Cyber Essentials, basic security recommendations are having some cut-through. 

Want to know more about the threats facing small businesses? Download our latest report on SMEs and the cost of living crisis.


          What is the MITRE ATT&CK framework and how can it help your business?


          Hackers sit somewhere between masterminds and master criminals, depending on who you ask. There’s a fascination and frustration that surrounds them and how they do their dirty work. 

          Ever wanted to get inside the mind of a hacker to help protect your business from threats like malware? The MITRE ATT&CK framework is the perfect place to start. 

          What is the MITRE ATT&CK framework?

          The MITRE ATT&CK framework is a detailed knowledge base of the tactics cybercriminals use to target victims. Using real-world examples, it shows you how hackers prepare, launch, and execute attacks. 

          The framework matrix is split into tactics and techniques. A tactic is a goal the cybercriminal wants to achieve, such as accessing credentials. A technique is the action or actions that achieve the tactical goal, such as brute force. 

          It exists to help businesses understand how cybercriminals behave in the preparation and execution of an attack. This helps raise awareness of common threats and how you can detect them in action.

          Did you know 47% of SME leaders feel more at risk of cyberattack since the start of the cost of living crisis? Find out why in our latest report.

          What does ATT&CK stand for?

          ATT&CK is an acronym for adversarial tactics, techniques, and common knowledge. 

          A deeper look at the MITRE ATT&CK framework

          The framework covers 14 tactics:

          1. Reconnaissance – finding information to plan an attack
          2. Resource development – building resources to support operations
          3. Initial access – entering a network
          4. Execution – running malicious code
          5. Persistence – maintaining network access
          6. Privilege escalation – gaining advanced access permissions
          7. Defence evasion – avoiding detection
          8. Credential access – stealing account information
          9. Discovery – gathering system and network intelligence
          10. Lateral movement – controlling remote systems
          11. Collection – gathering relevant, goal-related information
          12. Command and control – communicating with systems without detection
          13. Exfiltration – stealing network data gathered at the collection stage
          14. Impact – disrupting service availability and data integrity 

          Each tactic includes a list of techniques that explain how a hacker achieves their goal, alongside mitigation information, detection tips, and references for further reading. These are updated twice a year from public threat intelligence and incident reporting, so the information stays relevant. 
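One practical way to use the tactic/technique structure described above is to map your existing detection rules onto it and see which of the 14 tactics have no detection at all. The following is an added example, not code from the original post or from MITRE; the bundle it parses is a constructed, trimmed imitation of the shape of MITRE’s public ATT&CK STIX data (attack-pattern objects carrying `external_references` and `kill_chain_phases`), and the detection rules are made up for illustration.

```python
"""Map detection rules onto ATT&CK tactics to find coverage gaps.

Added example, not part of the original post or of MITRE's own tooling.
SAMPLE_BUNDLE is a constructed, trimmed imitation of the shape of the
public ATT&CK STIX data; only three techniques are included.
"""
import json

# The 14 tactics listed in the post, in ATT&CK's kill_chain phase_name spelling.
TACTICS = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion",
    "credential-access", "discovery", "lateral-movement", "collection",
    "command-and-control", "exfiltration", "impact",
]


def _technique(name, ext_id, phases):
    """Build one constructed attack-pattern object in STIX-like shape."""
    return {
        "type": "attack-pattern",
        "name": name,
        "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases],
    }


# Constructed sample bundle. Brute Force, Phishing and Valid Accounts are real
# ATT&CK techniques; the object list is deliberately tiny.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        _technique("Brute Force", "T1110", ["credential-access"]),
        _technique("Phishing", "T1566", ["initial-access"]),
        _technique("Valid Accounts", "T1078",
                   ["initial-access", "persistence", "privilege-escalation", "defense-evasion"]),
        {"type": "x-mitre-tactic", "name": "ignored"},  # non-technique objects are skipped
    ],
})

# Constructed detection rules, each tagged with the technique ids it covers.
SAMPLE_DETECTIONS = {
    "Many failed logons from one source": ["T1110"],
    "Mail gateway: credential-harvesting link": ["T1566"],
    "Logon from new country for existing account": ["T1078"],
    "Homegrown rule with unmapped technique": ["T9999"],  # placeholder id, not in the bundle
}


def load_techniques(bundle_json):
    """Return {technique_id: (name, [tactic shortnames])} from a STIX-shaped bundle."""
    techniques = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        ext_id = next((r["external_id"] for r in obj.get("external_references", [])
                       if r.get("source_name") == "mitre-attack"), None)
        if ext_id is None:
            continue
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") == "mitre-attack"]
        techniques[ext_id] = (obj["name"], tactics)
    return techniques


def tactic_coverage(techniques, detections):
    """Return ({tactic: set(rule names)}, [(rule, unknown technique id)])."""
    coverage = {t: set() for t in TACTICS}
    unknown = []
    for rule, ids in detections.items():
        for tid in ids:
            if tid not in techniques:
                unknown.append((rule, tid))
                continue
            for tactic in techniques[tid][1]:
                coverage.setdefault(tactic, set()).add(rule)
    return coverage, unknown


def coverage_gaps(coverage):
    """Tactics, in matrix order, that no detection rule touches."""
    return [t for t in TACTICS if not coverage.get(t)]


if __name__ == "__main__":
    techs = load_techniques(SAMPLE_BUNDLE)
    cov, unknown = tactic_coverage(techs, SAMPLE_DETECTIONS)
    for tactic in TACTICS:
        print(f"{tactic:22s} {len(cov[tactic])} rule(s)")
    print("gaps:", ", ".join(coverage_gaps(cov)))
    print("unmapped:", unknown)
```

Against the constructed input, only five tactics are covered and nine show as gaps; the same three functions work unchanged on the full public bundle, which is why the loader skips every object that is not an attack-pattern with a `mitre-attack` reference.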

          It’s suitable for any organisation using:

          • Windows, macOS, or Linux IT systems
          • Network infrastructure devices
          • Container technologies
          • Cloud services such as IaaS, SaaS, Office 365
          • Android and iOS mobile devices

          Keeping your organisation secure

          The framework is a great resource to include in your cybersecurity strategy. 

It encourages collaboration and information sharing, is easy to follow, and helps you improve your knowledge and cybersecurity posture. And, it’s free. 

          Use it alongside other cyber defence methods to give you broad coverage against common threats, including: 

          Active monitoring

          Investing in an outsourced security operation centre for 24/7 protection from cyber threats on all devices that access company data.

          Software

          Using robust antivirus or anti-malware software to prevent, detect, and remove malicious software.

          Training and qualifications

Mandatory security training for all employees and qualifications like Cyber Essentials, Cyber Essentials Plus, and ISO 27001.

          Get started with the MITRE ATT&CK framework

          With such a powerful resource at your fingertips, you’re only going to benefit by including the MITRE ATT&CK framework in your cybersecurity strategy. Share it with your colleagues so you can all play an active role in protecting your organisation from attacks. 


          Social media savvy: privacy settings and security on social platforms


          Social media platforms connect us with friends, family, and colleagues but can also be a goldmine for attackers. This blog post looks at the world of social media privacy and security, exploring the potential threats and steps you can take to protect yourself (and your business) from them.

          Social media at home and work

          Social media plays a big role in both our personal and professional lives. In our personal lives, we use platforms like Facebook, Instagram, and Twitter to stay connected with loved ones, share updates, and follow our interests.

In our work lives, LinkedIn is a go-to for professional networking, while companies use platforms like Twitter and Facebook for marketing and customer service. No matter how we use social media, it’s crucial to understand the potential risks.

          The threats you face when using social media

          Sharing information online comes with inherent risks. Common threats include:

          • Social engineering: Attackers might try to manipulate you into revealing personal information or clicking on malicious links.
          • Malware: Links or downloads shared on social media can infect your device with malware that steals data or disrupts your system.
          • Phishing scams: Fake accounts or posts might try to trick you into sending money or sharing personal details. In addition, spear phishers will often use social media to gather background information on targets. 
          • Privacy violations: Without carefully calibrated settings, your personal information and online activity could be exposed to unintended audiences.

          Social media scams in practice

          Operation Dreamjob

In 2023, cybercriminals from the Lazarus group, an alleged North Korean state-sponsored hacking organisation, targeted employees at a Spanish-based aerospace company.

Under the campaign ‘Operation Dreamjob’, the cybercriminals identified employees on LinkedIn, introduced themselves as a recruiter from Meta and commenced a fake recruitment process.

          As the victim progressed through the rounds of the ‘recruitment process’, they were asked to demonstrate their competency by downloading and completing a quiz.

          In this case, the victim downloaded the quiz using a work computer. Unfortunately, the download contained more than a quiz and the attackers used this to access the company’s critical systems. 

          This followed a similar attack by the same group in 2022 which used fake LinkedIn job offers to steal $625 million from the Ronin Network, a blockchain network that powers the popular crypto games Axie Infinity and Axie DAO.

          Below is an example of what these attacks typically look like.

          A bad romance

          In my previous life as a cyber detective, I saw firsthand how cybercriminals frequently harness social media. This ranged from using social media platforms to execute their attacks, like above, or obtaining information from them. 

In a previous blog post, I wrote about the case of a business owner who lost thousands of pounds after falling victim to social engineering. In this attack, the cybercriminal used open-source research to find out information about their target – the business owner. The business owner’s use of social media to advertise their business enabled the cybercriminal to locate a business website, mobile number, and key information about the business owner that enabled the attacker to go on and effectively build a relationship with the victim.

          You can read more about this attack here.

          What can you do to protect yourself?

          Here are some key steps to take control of your social media privacy and security.

          1. Review and adjust privacy settings

          Every social media platform offers privacy settings that allow you to control who sees your posts and profile information. Where possible, set everything to ‘private’ or ‘followers only’.

          2. Be mindful of what you share

          Think twice before sharing personal details like your birthday, address, or phone number. Could this information be used against you?

3. Avoid unknown links and attachments

Don’t click on links or download attachments from unknown senders.

4. Use strong passwords and enable multi-factor authentication

These measures add an extra layer of security to your accounts and prevent you from being the low-hanging fruit cybercriminals target.

5. Be cautious about location-sharing

Consider disabling location sharing on your posts or using it selectively. Also consider what location information is in the backgrounds of your photos, as this too can be used by cybercriminals. 

6. Limit third-party app access

          Review and restrict third-party apps’ access to your social media accounts, including add-ons and plug-ins. And, if you need to use these tools, ensure they’re reputable first.

          The founding fathers of social media created it with a utopian vision of connectivity. And, although social media has fallen a long way from those halcyon days, that doesn’t mean you can’t use it safely.

          By understanding the risks and taking proactive measures, you can create a safer and more secure social media experience. Remember, privacy and security are ongoing processes, so regularly review your settings and stay informed about evolving threats.

          Want to know more about the threats facing small businesses? Check out our guide to SMEs and the cost of living crisis. In it, you’ll find insight from real small businesses on the threats they face and practical suggestions for mitigating them.


          What is quishing and how can you protect your business?


Quishing, or QRishing, is a brand of phishing scam that uses QR codes to trick victims into downloading malware or sharing personal data. Despite its unthreatening name, quishing poses a real risk to businesses. However, with the right knowledge, you can stop your business from falling prey to these attacks. Read on for everything you need to know. 

          Why QR codes? 

          Read most media and you’ll see plenty of stories about the security threat posed by AI or the latest nation-state attack. However, cybercrime doesn’t have to involve the latest tech or be the height of nefarious sophistication. In fact, it’s often simple scams that get you. 

          QR codes have been around for almost three decades. Very few people think of them as on the bleeding edge of technology, more something you use to attend an event or scan for a marketing gimmick. Yet, since they’ve seen a resurgence in their use post-pandemic, they’ve stirred up a hornet’s nest of security problems. 

          The most prominent of these problems is quishing. QR code technology might not be sophisticated by today’s standards, but it does lend itself well to phishing scams.

          Why? Unlike a URL or email address, QR codes are hard to evaluate for legitimacy. A QR code is opaque to the human eye, making it indecipherable without a scanner. This means that by the time the victim has realised the QR code is bogus, it’s often too late. 
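The opacity described above has a practical consequence for defenders: the only point at which a QR code can be judged is after it has been decoded, so the check has to run on the decoded text before anyone opens it (most phone cameras and mail gateways expose that string). Below is an added example, not code from the original post, of the kind of triage a help desk or gateway could apply to that decoded payload. The trusted-domain list, the sample payloads and the heuristics are constructed for illustration and are not a substitute for the software providers’ own guidance.

```python
"""Triage the text decoded from a QR code before it is opened.

Added example, not part of the original post. TRUSTED_DOMAINS and the
sample payloads are constructed; the checks are deliberately simple
heuristics (scheme, embedded credentials, raw IP, punycode, lookalike
domains, length) and report findings for a human to read.
"""
import ipaddress
import re
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"example.com", "example.org"}   # constructed allowlist

# Constructed sample payloads, as a scanner would present them.
SAMPLE_PAYLOADS = [
    "https://login.example.com/mfa/reactivate",          # benign, trusted domain
    "https://example.com@login.examp1e.com/mfa",         # lookalike with fake 'user' part
    "http://198.51.100.7/verify",                        # raw IP, cleartext
    "WIFI:T:WPA;S:Guest;P:secret;;",                     # not a web URL at all
    "Order 4471 collected",                              # plain text
]


def _registrable(host):
    """Crude registrable-domain guess: the last two labels (enough for this example)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _is_ip(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def assess_qr_payload(text, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings; an empty list means nothing looked odd."""
    findings = []
    text = text.strip()
    # Anything without a scheme prefix is just text; there is nothing to open.
    if not re.match(r"^[a-zA-Z][a-zA-Z0-9+.-]*:", text):
        return ["not a URL: plain text payload, nothing to open"]
    try:
        parts = urlsplit(text)
    except ValueError:
        return ["unparseable URL"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return [f"unexpected scheme '{scheme}:' (only http/https expected)"]
    if scheme == "http":
        findings.append("cleartext http, not https")
    host = (parts.hostname or "").lower()
    # 'https://trusted.com@evil.test' puts the trusted name in the userinfo part.
    if parts.username or parts.password:
        findings.append(f"credentials embedded before '@' (the real host is {host})")
    if not host:
        findings.append("no host in URL")
        return findings
    if _is_ip(host):
        findings.append("raw IP address instead of a domain name")
    else:
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append("punycode/internationalised label (possible homoglyph domain)")
        reg = _registrable(host)
        if host not in trusted and reg not in trusted:
            findings.append(f"domain '{reg}' is not on the trusted list")
            # Lookalike check: does it match a trusted name once 0->o and 1->l are undone?
            if reg.translate(str.maketrans("01", "ol")) in trusted:
                findings.append("lookalike of a trusted domain after digit/letter substitution")
    if len(text) > 200:
        findings.append("very long URL (possible obfuscation)")
    return findings


if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        verdict = assess_qr_payload(payload) or ["no findings"]
        print(payload)
        for line in verdict:
            print("   -", line)
```

The benign trusted payload produces no findings, while the lookalike produces three (embedded credentials, untrusted domain, digit substitution), which is the difference a user cannot see from the square itself.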

          Did you know that 47% of SME leaders believe cybercrime has increased during the cost of living crisis? Read our report to find out why.

          How big is the threat?

          Phishing is by far the most common form of cyberattack. According to the DCMS Cyber Security Breaches Survey 2024, 84% of businesses in the UK experienced a phishing attack in 2023. 

          When it comes to quishing specifically, the scant figures available are equally ominous. Research from cybersecurity company Vade detected over 20,600 quishing attacks in one seven-day period in 2023.

          What’s more, it isn’t just the spectre of falling victim that threatens businesses. If your business uses QR codes, cybercriminals could hijack them to target your customers. 

          What does a quishing attack look like?

          Quishing attacks are versatile and can take any number of forms. We’ve seen examples of them conducted in person, with a scammer approaching the victim and asking them to scan a QR code for some sort of benefit. However, the most common approach is to send an email, much like a typical phishing scam, with a QR code included.

This approach was exemplified by the Microsoft 365 quishing attack in 2023. The attack began with a phishing email asking users to reactivate their multi-factor authentication (MFA). The email used the Microsoft Authenticator logo, giving it a veneer of legitimacy. Once the victim scanned the code and clicked the embedded link, they were sent to a webpage that infected their device with malware.

          Microsoft eventually managed to get the situation under control and issued these instructions for detecting a scam, but not before thousands of users had been attacked. 

What are the consequences of a breach?

The most obvious fallout from a successful quishing scam is financial harm. Research from BDO found that among the six in ten organisations in the UK hit by phishing scams the average loss was around £245,000.

However, the potential consequences can hit more than your pocket. If the scammers manage to steal customers’ personal data, you could also be looking at serious reputational damage and regulatory fines. What’s more, your standing among partners and suppliers could take a hit too. 

          How can you protect your business? 

          Like all phishing attacks, quishing relies on social engineering to trick victims. This means it can be tricky to recognise a bogus QR code, particularly when it’s attached to a seemingly legitimate message. But that doesn’t mean it’s impossible. Here are a few things you can do to protect your business.

          1. Provide cyber awareness training for staff

          Staff security training is the most important tool for protecting your business from quishing attacks. The rationale behind this is simple. If your employees aren’t aware of what cyber threats look like, they’re much more likely to fall foul of them.

Cyber awareness training can go a long way towards resolving this problem. It can give them the basic cyber skills to spot and avoid a potential threat. And, it needn’t be extensive or time-consuming; just a few hours a month on the basics and regular updates on new threats can make all the difference. 

          2. Deploy MFA

Multi-factor authentication (MFA) adds an extra layer of security for your business, making it much harder for hackers to gain access. You likely already use MFA in some aspect of your online life; it’s now a requirement for most banking accounts. But if you haven’t already, switch it on for any system or application your business uses.

3. Use an anti-malware tool 

          Anti-malware software focuses on defending against the latest threats. An effective tool should protect your business against ransomware, spyware, sophisticated phishing attacks, and zero-day attacks. Most anti-malware tools constantly update their rules, meaning you’ll be protected swiftly against any new threats, including the malware injected by quishing scams. 

          4. Protect your network

Your network is the gateway to your business. It’s what spear phishers are ultimately trying to gain access to when they attack you. Through it, a hacker can access just about anything your organisation does. So protect it, and protect it well. The four simplest things you can do to strengthen your network immediately are:

          • Install a network firewall to filter network traffic
          • Use a VPN to encrypt network traffic
          • Segment your network to eliminate single points of failure
          • Regularly update your router’s firmware

          5. Follow software providers’ advice 

          As we saw in the example earlier, cybercriminals will often try to imitate software providers when launching a quishing attack. Software providers such as Microsoft are all too aware of the threat and many have released guidance on how to counter a scam. 

          6. Limit user access

          Limit who has access to what within your business. Staff should only have admin rights within a system or application if it’s critical for their role. It might sound a bit draconian, but the reasoning behind it is sound. If a cybercriminal compromises a user account through a phishing campaign, the fewer permissions that account has the less damage a hacker can do.

          7. Tie it all together 

Don’t be put off by the length of the list above. If you’re unsure about where to start, complete a cybersecurity accreditation like Cyber Essentials or ISO 27001 certification. 

          These certifications can help you adopt good cybersecurity practices (including all of the above) and build your cyber confidence.

          However, you also need something that keeps your cybersecurity baseline consistently high, year-round. This is where continuous cybersecurity monitoring tools like CyberSmart Active Protect can help by giving you an ‘always-on’ view of your business’s defences.

          Want to know more about the threats facing small businesses? Check out our guide to SMEs and the cost of living crisis. In it, you’ll find insight from real small businesses on the threats they face and practical suggestions for mitigating them. 
