Security Stop Press : Fake Funeral Service Streaming Scam

A grieving family from Berkshire have reported how online fraudsters used a photo of their recently deceased son on social media to lure mourners into clicking a bogus link for a streamed funeral service, with the aim of exploiting their grief to harvest personal data and cash.

Alex Chadwick’s photograph was used by the fraudsters and, although the funeral service was never filmed (the fraudsters’ streaming link was bogus), the family have expressed their shock at the criminals’ tactics and have called for legislation to stop it happening to others.

Alex Chadwick’s father Gary has been reported (BBC) as saying that he believed the family had been targeted because his son was young and had a lot of followers on social media.

Security Stop Press : 900 % Increase In Travel Scams

Marnie Wilking, chief information security officer at Booking.com, has warned that the arrival of generative AI and its use by scammers to create more sophisticated phishing emails is behind an increase in travel scams of up to 900 per cent in the last 18 months.

Speaking at the Collision technology conference in Toronto, Ms Wilking said that the increase in travel scams, using phishing emails containing fake booking links and made to look like they’re from Booking.com and Airbnb, started shortly after ChatGPT was launched.

Ms Wilking called for the industry, hotels and travellers alike, to use two-factor authentication (an additional check at login, such as entering a one-time security code) to combat phishing and credential theft.

Protect Your Business During Staff Holidays

In this next summer security article, and with the summer holiday season upon us, we take a look at the various aspects of protecting your business when your staff are on holiday, offering practical advice and solutions to help you stay secure and efficient while staff are physically away.

Why Worry? 

Holidays are essential for employee well-being and morale, providing a much-needed break and an opportunity to recharge. However, when staff-members take time off, it can create gaps in your business operations, potentially leading to significant issues if not properly managed. The absence of key personnel can disrupt daily operations, leaving critical tasks unattended and increasing the risk of errors and delays.

Identifying Key Risks 

The first step in protecting your business during holiday periods is to identify the key risks that could disrupt operations, to enable you to make a plan to mitigate those risks. For example, these key risks include:

– Operational disruption. When critical staff members are away, daily operations can be significantly impacted. For example, IT support, finance, and management roles are essential to maintaining the flow of business activities. If these roles are not adequately covered, it can lead to delays and inefficiencies.

– Security exposure. During holidays, businesses often face an increased risk of cyber-attack because of reduced staff vigilance. Cybercriminals know that businesses may be understaffed and see this as an opportunity. For example, in the US, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) have observed that attackers often time ransomware attacks for holidays and weekends, when network defenders and IT support teams are typically at limited capacity. Physical security can also be weakened with fewer employees on-site, making it easier for unauthorised individuals to gain access.

– Communication breakdowns are another common issue. Maintaining effective communication when key staff are on holiday can be challenging. This can impact customer service and internal coordination, leading to misunderstandings and delays in response times.

– Compliance risks. The absence of the people responsible for regulatory compliance can lead to missed obligations, for example the GDPR requirement to notify the ICO of a reportable personal data breach within 72 hours of becoming aware of it. Missed deadlines of this kind can result in significant fines.

– Loss of institutional knowledge. When experienced staff members are on holiday, the temporary loss of their expertise can hinder problem-solving and decision-making processes. This can slow down projects and affect the quality of work.

It is therefore essential to have a plan in place, before the holiday period begins, that covers each of these risks and keeps communication channels open and efficient.

Planning Ahead 

To mitigate these risks, proactive planning is essential. For example, this should include creating a holiday schedule well in advance that allows you to manage and track staff leave effectively. There are various tools and techniques available to help with this, such as scheduling software and shared calendars. By planning ahead, you can ensure that there is adequate coverage for critical roles and that no single department is left short-staffed. Other measures you can take include:

– Cross-training employees is another effective strategy. By training staff to cover for each other, you can ensure that essential tasks are still completed even when key personnel are away. Implementing cross-training programs can be done through job rotation, shadowing, and formal training sessions. This not only helps during holiday periods but also improves overall team flexibility and resilience.

– Documenting processes and responsibilities is crucial for ensuring business continuity. Having clear manuals and guides for temporary staff or colleagues who are stepping in can make a significant difference. These documents should detail the essential tasks, procedures, and contact information needed to perform the role effectively. This reduces the learning curve and ensures that critical processes continue smoothly.

– Implementing automated systems and processes where possible. Automation can help maintain consistency and reduce the workload of remaining staff. For example, automated email responses and workflow management tools can ensure that tasks are tracked and completed on time.

– Establishing clear communication protocols. Define how and when employees should communicate about their availability and who will be responsible for decision-making in their absence. This ensures that everyone is aware of their roles and responsibilities, reducing the chances of confusion and delays. For example, ensuring that employees set up out-of-office messages and provide alternative contacts can help maintain communication with clients and partners.

– Conducting regular reviews and updates of the holiday coverage plan can also help ensure that things go smoothly. For example, as your business grows and evolves, so too will your staffing needs and operational processes. Regularly updating your plan ensures it remains effective and aligned with your current business requirements.

By incorporating these strategies into your holiday planning, you can help mitigate the risks associated with staff absences and ensure that your business continues to operate smoothly and securely.

Enhancing Cyber Security 

Cybersecurity is a major concern during holiday periods because, as mentioned, reduced staff presence increases your exposure. There are, however, measures you can take to keep your business security strong. These include:

– Implementing strong access controls. Setting up multi-factor authentication (MFA) and role-based access controls can significantly enhance security. Accounts belonging to staff who are on leave are a particular risk because nobody is watching them: rather than leaving them active but unattended, disable them (or restrict them to the leave period) in your identity provider and re-enable them on return. Limiting access to sensitive information during holiday periods reduces the risk of unauthorised access.

– Regular software updates and patching are also essential to protect against known vulnerabilities. Ensuring that all systems and software are up to date with the latest security patches can prevent many cyber-attacks. Automating updates can help reduce the burden on IT staff (and the chance of human error), ensuring that security is maintained even when your key personnel are away.

– Continuous monitoring for unusual activity is critical. Setting up monitoring systems to detect and alert you to suspicious behaviour can help you respond quickly to potential threats, but an alert is only useful if someone receives it: make sure alerts are routed to a named on-call contact for the whole holiday period, not to the mailbox of someone who is away.

– Developing and communicating a clear incident response plan can also be a way to ensure that all staff know what to do in case of a security breach, minimising the impact and facilitating a swift recovery.
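The two points above on access controls for staff who are away and on monitoring for unusual activity can be combined into a simple holiday-period detection rule: a successful login from an account whose owner is recorded as on leave, or a successful login outside business hours from a non-service account, should raise an alert. The Python below is an added example written for this article, not code from the original page or from any product it mentions. The log line format, the leave roster, the business hours, the service-account list and the sample log lines are all constructed assumptions; in practice the input would be Windows Security event 4624 records, Linux auth logs or your identity provider’s sign-in log, and the roster would come from your HR or leave-tracking system.

```python
"""
Holiday-period login monitoring (added example, not from the original article).

Flags successful logins from accounts whose owners are on leave, and successful
logins outside business hours from ordinary (non-service) accounts.  The log
format, roster, office hours and sample data below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime, time

# Assumed log format: "<ISO timestamp> <EVENT> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s*$"
)

# Constructed sample log lines for illustration only
SAMPLE_LOG = """\
2024-08-05T08:55:12 LOGIN_SUCCESS user=alice src=10.0.1.22
2024-08-05T09:02:41 LOGIN_SUCCESS user=bob src=10.0.1.57
2024-08-05T21:47:03 LOGIN_SUCCESS user=bob src=203.0.113.8
2024-08-06T10:15:30 LOGIN_FAILURE user=carol src=198.51.100.4
2024-08-06T10:16:02 LOGIN_SUCCESS user=carol src=198.51.100.4
2024-08-07T03:12:55 LOGIN_SUCCESS user=svc-backup src=10.0.2.9
this line is malformed and must be skipped, not crash the monitor
"""

# Assumed leave roster: user -> (first day, last day) of leave, inclusive
LEAVE_ROSTER = {"carol": (date(2024, 8, 5), date(2024, 8, 16))}
# Assumed service accounts that legitimately run overnight jobs
SERVICE_ACCOUNTS = {"svc-backup"}
# Assumed office hours (start inclusive, end exclusive)
BUSINESS_HOURS = (time(8, 0), time(19, 0))


@dataclass(frozen=True)
class Alert:
    when: datetime
    user: str
    src: str
    reason: str


def parse_line(line):
    """Return (timestamp, event, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["src"])


def on_leave(user, day, roster):
    """True if 'user' is recorded as on leave on calendar day 'day'."""
    span = roster.get(user)
    return span is not None and span[0] <= day <= span[1]


def find_suspicious_logins(log_text, roster=LEAVE_ROSTER,
                           service_accounts=SERVICE_ACCOUNTS,
                           hours=BUSINESS_HOURS):
    """Run the two holiday-period rules over the log and return the alerts."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than abort the whole run
        when, event, user, src = parsed
        if event != "LOGIN_SUCCESS":
            continue  # failed attempts are handled by other rules
        if on_leave(user, when.date(), roster):
            alerts.append(Alert(when, user, src, "login while recorded as on leave"))
        if user not in service_accounts and not (hours[0] <= when.time() < hours[1]):
            alerts.append(Alert(when, user, src, "login outside business hours"))
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_logins(SAMPLE_LOG):
        print(f"{a.when.isoformat()} {a.user} from {a.src}: {a.reason}")
```

Run as-is, the sample data produces two alerts: bob’s 21:47 login from an external address (outside hours) and carol’s login on 6 August while she is on leave. The overnight login from the backup service account is deliberately exempt, and the failed attempt against carol’s account is left to a separate brute-force rule. The on-leave check is the important one for this article: if an account is disabled in the identity provider for the leave period, as suggested above, a successful login from it should be impossible, so any such alert indicates either a roster error or a compromised credential and should go straight to the on-call contact.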

Physical Security Measures 

While cybersecurity is crucial, physical security should not be overlooked.

Securing the premises with physical security measures such as alarms, CCTV, and secure entry points is always a good idea. However, before a holiday period it’s worth checking that all security systems are functional and tested, because complacency risks unauthorised access and stolen assets.

Updating access control policies to reflect holiday schedules is another important step. Limiting physical access to sensitive areas within the premises can reduce the risk of security breaches, i.e. ensuring that only authorised personnel have access during these times can prevent potential threats.

Providing all staff with emergency contact information and establishing clear protocols for emergencies during holidays ensures that everyone knows who to contact and what steps to take if an issue arises. This can help resolve problems quickly and efficiently, minimising disruption.

Maintaining Effective Communication 

Effective communication is key to maintaining operations during holiday periods. Measures that can help with this include:

– Setting up automatic replies and email forwarding. This can ensure that communication with clients and partners remains uninterrupted. Keep the reply that goes to external senders brief: a message that spells out who is away, for exactly how long and who is covering hands fraudsters the details they need to impersonate your staff. It’s also worth noting that automated replies should be switched off when staff return; it looks unprofessional to receive a reply stating that a person is away until a date that has long passed.

– Informing clients and partners of staff absences and providing alternative contacts can also help with maintaining trust and satisfaction.

– Using collaboration tools such as Microsoft Teams, Zoom, or Slack can help facilitate seamless communication among staff. Ensuring that these tools are accessible remotely allows staff on holiday to stay informed and participate in critical discussions if necessary. Regular check-ins and updates help keep everyone on the same page and ensure that projects continue to progress smoothly.

Continuity in Customer Service 

Customer service should not suffer when staff are on holiday. Proactively communicating with customers about staff holidays and providing alternative contacts or support options ensures that their needs are still met. This transparency helps maintain customer trust and satisfaction.

Although not appropriate or practical for all businesses, for some, hiring temporary staff or contractors to cover critical roles can be an effective solution. Training these temporary staff members to handle specific tasks and responsibilities can ensure that they can perform effectively, and this can help maintain service levels and prevent disruptions.

Automating customer service through solutions like chatbots can also be beneficial. These systems can handle common queries and issues, providing immediate assistance to customers. Ensuring that these automated systems are well-maintained and monitored ensures that they continue to function correctly and provide value.

Other Measures 

We’ve looked at many of the key measures you can take to protect the business when staff are away. There are, of course, depending on the nature of the business, other measures that can be taken. These could include:

– Scheduling IT Audits before holiday periods can help to identify and address any vulnerabilities. This proactive measure can prevent potential breaches.

– Implementing redundant systems and backup resources (setting up duplicate or additional systems and resources) can help ensure that critical operations can continue smoothly even if primary systems fail, or key staff are unavailable.

– Developing a succession plan that identifies key employees who can step in and assume leadership roles temporarily can help the decision-making processes remain intact.

What Does This Mean For Your Business?

Maintaining security and operational continuity during staff holidays is crucial for the continuity, resilience, and success of your business, as well as for maintaining strong relationships with clients and stakeholders. Identifying key risks, planning ahead, enhancing cybersecurity, implementing physical security measures, maintaining effective communication, and ensuring continuity in customer service are all essential strategies to protect your business from potential disruptions and vulnerabilities.

Proactive planning and comprehensive strategies are necessary to prepare for staff absences effectively. While existing work pressures and time limitations can make it challenging to finalise plans in time, the cost and risk of neglecting this planning are strong motivators and highlight the critical importance of this effort.

Also, considering the benefits of a well-prepared business, such as improved resilience, customer satisfaction, and overall operational efficiency, should underscore the importance of setting up proactive employee absence and holiday plans. A well-prepared business is better equipped to handle disruptions, maintain high service levels, and protect its reputation.

In summary then, protecting your business when key staff members are on holiday requires a multifaceted and proactive approach. By taking the proactive steps identified here (as well as others specific to your particular business or industry), you can ensure that your business remains secure, efficient, and responsive, even during times of reduced staff presence.

With summer upon us, now is the time to evaluate your current practices and plans and take the necessary steps to ensure that the right measures are in place to deal with any staff absence, both during the main holiday periods and throughout the year. This preparation will help safeguard your business against any eventuality, ensuring continued success and stability.

Security Stop Press : Airline Awareness : Fake X Accounts

Consumer association Which? has warned that scammers are posing as airline customer service representatives on social media to steal sensitive data.

Which? says that scammers are crawling social media (often using bots) to find customers contacting airlines, and then contacting them or infiltrating their existing conversations with an airline via fake ‘X’ (Twitter) accounts.

Which? reports that it has “found examples of bogus X accounts impersonating every major airline operating in the UK, including British Airways, EasyJet, Jet2, Ryanair, Tui, Virgin Atlantic and Wizz Air” and that some have even paid for a blue tick in order to appear genuine. Also, Which? claims that the scammers are often faster at responding than the real airlines!

Tactics scammers have been using to steal data for use in identity fraud, or to sell to other criminals, include sending victims legitimate-looking DMs, directing victims to phishing websites (to harvest card details), and using claims of compensation entitlement to trick victims into downloading a money transfer app such as Remitly, Skrill or WorldRemit.

The advice is this: before engaging with a company on social media, check its official website for links to its social media profiles, check when the account joined X, and check how many followers it has, all of which help reveal whether it is genuine.

Thought About Cyber Insurance?

Here we take a look at cyber insurance, why you may decide you need it, how much it costs, and where to get it.

What Is Cyber Insurance? 

Cyber insurance is a type of insurance policy designed to protect businesses and individuals from internet-based risks, and more generally from risks relating to IT infrastructure and activities. It provides coverage for financial losses that result from cyber incidents such as data breaches, network damage, and cyber extortion. For example, businesses may face costs resulting from data/security breaches, media content liability (e.g. intellectual property infringement), GDPR defence costs or paying GDPR fines, credit/debit card breaches, data breach response services, data breach notification, legal fees, system repairs, and more.

Why Would Your Business Need Cyber Insurance? 

Just as we insure our most valuable physical possessions (e.g. our homes and cars), people and businesses now rely heavily on technology and online platforms to operate efficiently. This dependence makes businesses vulnerable to a range of cyber-threats, including data breaches, ransomware attacks, and hacking incidents. Even a single cyber-attack can result in substantial financial losses, legal liabilities, and reputational damage. Cyber insurance, therefore, provides a safety net, so that businesses can recover financially and operationally from these incidents. By covering costs such as data-breach notification, legal fees, and system repairs, cyber insurance helps mitigate the financial burden of cyber-attacks.

Risk Management Too 

Cyber insurance can also play a crucial role in risk management. For example, it encourages businesses to assess their cyber vulnerabilities and implement robust security measures.

Insurers often require policyholders to adhere to specific security protocols, which enhances overall cybersecurity standards. This proactive approach not only reduces the likelihood of an attack but also ensures businesses are better prepared to respond effectively if one occurs. Therefore, having cyber insurance is not just about financial protection, but it’s also about fostering a culture of cybersecurity within the organisation.

Not Forgetting Regulatory Compliance 

In addition to financial and security benefits, cyber insurance can support regulatory compliance. Many industries are subject to strict data protection regulations, such as the General Data Protection Regulation (GDPR) in Europe and the UK GDPR, and non-compliance can, of course, result in hefty fines and legal consequences.

Cyber insurance policies, therefore, often include support for regulatory compliance, helping businesses navigate complex legal requirements and avoid penalties. By providing access to legal counsel and regulatory guidance, cyber insurance helps businesses meet their obligations and maintain trust with customers and stakeholders.

What Kind Of Things Does It Cover?

As mentioned above, broadly speaking, cyber insurance aims to provide financial cover for things like data breaches, network damage, and cyber extortion. Policies for UK businesses can cover a wide range of cyber-related incidents, although the exact scope, limits and exclusions vary by insurer and policy, so the wording should always be checked. Here are some examples of what it typically covers:

Data Breach Response 

– Notification Costs: Covering the expenses of notifying customers and affected individuals after a data breach.

– Credit Monitoring Services: Providing credit monitoring to those whose personal information has been compromised.

Business Interruption 

– Loss of Income: Reimbursement for lost revenue due to a cyber-attack that disrupts normal business operations.

– Extra Expenses: Covering additional costs incurred to keep the business running while dealing with the cyber incident.

Cyber Extortion 

– Ransom Payments: Payments made to cybercriminals to regain access to data or systems. Note that not all policies cover ransom payments, that payments to sanctioned groups are unlawful, and that the NCSC and the ICO advise against paying, since payment neither guarantees recovery nor removes your data protection obligations.

– Negotiation Costs: Expenses related to negotiating with extortionists and managing ransom demands.

Legal Fees and Defence Costs 

– Third-Party Claims: Legal expenses arising from lawsuits due to a data breach or security failure.

– Regulatory Fines and Penalties: Coverage for fines and penalties imposed by regulators for data protection breaches, such as those related to GDPR, to the extent that such fines are legally insurable in the relevant jurisdiction (this is not settled in the UK, so check the policy wording).

Crisis Management 

– Public Relations: Costs associated with managing and repairing the company’s reputation after a cyber incident.

– Forensic Investigation: Expenses for investigating the cause and extent of the cyber-attack.

Network Security Liability

– Liability Claims: Coverage for claims arising from failure to protect data, resulting in data theft or corruption.

– Defence Costs: Legal defence costs for claims related to network security breaches.

Media Liability

– Defamation and Infringement: Coverage for claims of libel, slander, copyright infringement, or defamation resulting from digital content.

Technology and Data Recovery 

– Data Restoration: Costs of restoring and recovering lost or corrupted data.

– System Repair: Expenses for repairing or replacing damaged hardware and software.

You may be thinking after looking at this list that there are many more costs than you may have thought associated with dealing with the results of a data breach, cyber-attack, or serious and disruptive network issue. These costs, plus the high levels of ever-more sophisticated cyber-crime, may be the arguments behind many businesses now having cyber insurance.

What Proportion of Businesses Now Have Cyber Insurance? 

Considering the large potential costs of dealing with a serious cyber / network incident (as shown above) it may be a surprise to know that the proportion of businesses with cyber insurance in the UK is still relatively modest. For example, the latest data shows that only 43 per cent (UK Home Office 2024) of UK businesses have a cyber insurance policy in place and within this group, a small fraction, around 5 per cent (Insurance Business UK), have specialised cyber insurance policies tailored to their specific needs. Most companies rely on broader policies that include some form of cyber risk coverage as part of their overall insurance package.

This may be particularly surprising given that according to the Cyber Security Breaches Survey 2024 by the Department for Science, Innovation and Technology (DSIT):

– 32 per cent of businesses and 24 per cent of charities experienced a cyber security breach or attack in the past 12 months.

– Among larger businesses the figures are higher, with 45 per cent of medium businesses and 58 per cent of large businesses reporting cyber-crimes.

– The average short-term direct cost for businesses dealing with a cyber incident was £1,650, which increases to £6,490 for medium and large companies.

– Long-term direct costs, which include expenses incurred after the initial breach, averaged £782 for all businesses but reached £6,010 for larger firms.

Who Provides It? 

Examples of well-known insurers in the UK market that offer cyber insurance include:

– AXA provides comprehensive cyber insurance that covers a range of cyber risks, including data breaches, business interruption, and cyber extortion.

– Aviva offers cyber insurance policies that can be tailored to businesses of all sizes. Their coverage includes protection against data breaches, cyber extortion, and business interruption caused by cyber incidents, and there is access to a 24/7 cyber incident helpline and expert support.

– Hiscox provides coverage which includes costs associated with data breaches, cyber extortion, and third-party liability, and it offers risk management tools and resources to help businesses improve their cyber security posture.

– Zurich offers cyber insurance policies covering a wide range of cyber risks, including data breaches, network security failures, and cyber extortion. Zurich also provides access to a global network of cyber experts and offers pre-breach services to help businesses mitigate their cyber risks.

There are, of course, many other companies that offer cyber insurance. For example, even Amazon now offers it, through AWS Cyber Insurance Competency Partners and, through a partnership with Superscript, to small and medium-sized businesses in the UK: Amazon Business Prime users can access the product by logging in to Superscript using their Amazon account.

How Much Does It Cost?

Obviously, the price of cyber insurance varies according to factors like the size of the business, the level of coverage, and the industry. However, as a very general guide:

– Small businesses in the UK may expect to pay around £115 per month for cyber insurance / £1,380 annually (Insureon), which can fluctuate depending on the specific risks associated with the business and the amount of sensitive data handled.

– Medium-sized businesses may see premiums ranging from £1,500 to £5,000 per year, with the variation being due to the higher risk and more significant potential losses associated with larger volumes of data and more complex IT systems.

– For large businesses, cyber insurance costs can range from £10,000 to £50,000 annually and can include higher coverage limits and broader protection against various cyber threats (reflecting the greater complexity and risk involved).

What Does This Mean For Your Business? 

The rising tide of cyber threats highlights the urgent necessity for businesses to not just strengthen their cyber security measures, but also to consider adopting comprehensive cyber insurance policies. Cyber-attacks are not only becoming more frequent but also increasingly sophisticated, posing severe risks to financial stability and operational continuity. For businesses, this means that traditional security measures alone may no longer be sufficient. Cyber insurance provides a critical safety net, offering financial protection against the costs associated with data breaches, business interruptions, and other cyber incidents.

Investing in cyber insurance can significantly mitigate the financial and operational impacts of cyber-attacks. Policies typically cover a range of expenses, from data breach notifications and legal fees to system repairs and business interruption losses. This ensures that businesses can recover more swiftly and maintain their operations with minimal disruption. Also, cyber insurance often includes access to expert support and resources, helping businesses to manage incidents more effectively and reduce the risk of recurrence.

In addition to financial protection, it’s important to remember that cyber insurance also plays a crucial role in regulatory compliance. For example, many industries are subject to stringent data protection regulations, such as the GDPR in Europe, and non-compliance can result in hefty fines and legal consequences. Cyber insurance policies frequently offer support for navigating these complex legal requirements, helping businesses to avoid penalties and maintain trust with customers and stakeholders.

For businesses evaluating their need for cyber insurance, it’s important to consider the broader benefits. Beyond immediate financial coverage, having a cyber insurance policy can drive improvements in overall cyber security practice. For example, insurers often require policyholders to implement robust security protocols, fostering a culture of proactive risk management within the organisation. This not only reduces the likelihood of successful cyber-attacks but also ensures that businesses are better prepared to respond effectively when incidents do occur.

Given the substantial costs associated with cyber incidents, the investment in cyber insurance becomes a strategic decision. Whether you are a small business, medium-sized or a large corporation, the protection and peace of mind offered by cyber insurance can be invaluable.

The evolving landscape of cyber threats, therefore, appears to necessitate a multifaceted approach to cyber security and you may decide, for all the reasons mentioned above, that cyber insurance should be a cornerstone of this strategy for your business.

Tech Tip – Update Your Software and Drivers

Although cyber security insurance may be all very well for after the event, keeping your software and drivers up to date is crucial for helping to prevent security issues in the first place, and for maintaining the security and performance of your Windows device. Updates often include security patches that protect against newly discovered vulnerabilities. Here’s how to make sure your security is up to date:

Go to Settings > Update & Security > Windows Update (on Windows 11, Settings > Windows Update).

Click ‘Check for updates’ to see if there are any new updates available.

Install any available updates to ensure your system is protected.

Additionally, check for updates for your installed applications and hardware drivers through their respective software or the manufacturer’s website. Get drivers only from the device or PC manufacturer (or Windows Update), not from third-party “driver updater” tools, which are a common vehicle for unwanted or malicious software.

Tech News : Wales Has Put A SOC In It

The UK’s first national security operations centre (SOC) known as CymruSOC, has launched in Wales to protect the country’s local authorities and fire and rescue services from cyber-attacks.

SOC 

The Welsh government has announced that the new SOC service will be managed by Cardiff-based firm Socura, with the intention of ensuring key organisations can continue offering critical services without disruption due to cyber-attacks. Also, the SOC service is intended to safeguard the data of the majority of the Welsh population, as well as 60,000 employees across the public sector.

The Issue 

The Wales First Minister, Vaughan Gething, recently outlined the reasons behind the introduction of CymruSOC, saying that the pandemic showed how important the digital side of people’s lives has become. The fact that digital services are now “central” to the way people in Wales learn, work, access public services, and conduct business (i.e. there is now a reliance on digital) has also led to a “stark increase in the risk of cyber-attacks which are becoming ever more common and sophisticated.”

24/7 Monitoring 

The Socura SOC team will monitor for potential threats such as phishing and ransomware from its 24/7 remote SOC. Also, the Welsh government says that in conjunction with the National Cyber Security Centre, CymruSOC will share threat intelligence information to ensure they are aware of emerging risks.

‘Defend As One’ Approach 

First Minister Vaughan Gething has also highlighted how CymruSOC (this new national security operations centre), a first-of-its-kind solution with social partnership at its heart, will “take a ‘defend as one’ approach”. Mr Gething views CymruSOC as being “a vital part” of the Cyber Action Plan for Wales, which was launched only one year ago, and which Mr Gething describes as “making good progress to protect public services and strengthen cyber resilience and preparedness.” 

Incidents 

Recent incidents which may have helped speed along the setting up of the SOC include a reported hack on the Welsh government’s iShare Connect portal earlier this year, and Harlech Community Council (North Wales) being scammed last November by online fraudsters to the tune of £9,000 (the equivalent of 10 per cent of its annual budget).

A Boost In Defences 

Andy Kays, the CEO of Cardiff-based firm Socura, which is managing CymruSOC, has noted that by sharing a SOC and threat intel across all Welsh local authorities, “even the smallest Welsh town will now have the expertise and defences of a large modern enterprise organisation.”

Also, Mr Kays highlighted the importance of boosting the cyber-defences of and protecting the data held by local councils by making the point that a local council is where people “register a birth, apply for schools, housing, and marriage licences” and it is this that makes them “a prized target for financially motivated cybercriminal groups as well as nation state actors seeking to cause disruption to critical infrastructure.” 

What Does This Mean For Your Business? 

Considering the importance of public sector services such as fire and rescue, plus the fact that the wealth of data and sometimes outdated and underfunded systems of councils and other public sector institutions often make them a softer target for cyber criminals, this is a timely development for Wales. Also, for businesses operating within Wales, this development offers substantial benefits that extend well beyond the immediate protection of public services.

Firstly, the centralised security operations centre, managed by (private) Cardiff-based firm Socura, should help ensure that even the smallest of local councils can enjoy the cyber-defences typically reserved for large enterprises. This is not just a boost for the public sector but also fortifies the security landscape in which Welsh businesses operate. By boosting the cyber-defences of local authorities, businesses that interact with or rely on them for services can expect a more secure and reliable digital environment. This integration of robust cybersecurity measures means that businesses can operate with a greater assurance of continuity, (hopefully) free from the disruptions of potential cyber-attacks on critical public infrastructure.

The ‘defend as one’ approach advocated by CymruSOC emphasises collaborative security, which may be a crucial advantage for businesses. For example, the shared threat intelligence and resources may ensure that emerging cyber threats are identified and mitigated swiftly, not just within the public sector but potentially within the private sector as well.

Also, the focus on safeguarding data across public sector entities could indirectly benefit businesses. With public services handling sensitive information more securely, businesses interacting with these services or handling similar data can align their practices with these enhanced standards, thus improving their overall data protection strategies. This alignment not only helps in compliance with regulatory requirements but also builds trust with customers and partners who are increasingly concerned about data security.

The establishment of CymruSOC, therefore, appears to be a forward-thinking initiative that promises not just to fortify the digital framework of Wales’s public sector, but also for businesses and other entities that interact with them, all of which could help foster growth and innovation in Wales in an increasingly digital business landscape.

Tech Insight : New UK Law To Eradicate Weak Passwords

Here we look at the new UK cybersecurity law that will ban device manufacturers from having weak, easily guessable default passwords, thereby providing extra protection against hacking and cyber-attacks.

The Problem 

With 99 per cent of UK adults owning at least one smart device and UK households owning an average of nine connected devices, but with a home’s smart devices potentially being exposed to more than 12,000 hacking attempts in a single week (Which?), the UK government has decided that protective, proactive action is needed. It has long been known that easy-to-guess default passwords (like ‘admin’ or ‘12345’) shipped in new devices and IoT devices have provided access for cybercriminals. An example (from the US) is the 2016 Mirai attack, in which some 300,000 smart products were compromised because of weak security features, and the resulting botnet was then used to attack major internet platforms and services, leaving much of the US East Coast without internet access.

The New Laws 

The UK government has introduced the new laws as part of the Product Security and Telecommunications Infrastructure (PSTI) regime. This regime is part of a £2.6 billion National Cyber Strategy, which has been designed to improve the UK’s resilience from cyber-attacks and ensure malign interference does not impact the wider UK and global economy.

The key security aspects of these new laws are that:

– Common or easily guessable passwords (e.g. ‘admin’ or ‘12345’) will be banned to prevent vulnerabilities and hacking.

– Device manufacturers will be required to publish contact details so bugs and issues can be reported and dealt with.

– Manufacturers and retailers must be open with consumers on the minimum time they can expect to receive important security updates.

– The government hopes that taking this action will increase consumers’ confidence in the security of the products they buy and use and help the government to deliver on one of its five priorities to grow the economy.

– The UK’s Data and Digital Infrastructure Minister, Julia Lopez, said of these new laws: “Today marks a new era where consumers can have greater confidence that their smart devices, such as phones and broadband routers, are shielded from cyber threats, and the integrity of personal privacy, data and finances better protected.” 
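As an added illustration of the kind of check a device maker or importer could run over a production batch before shipping, here is a small Python audit. It is not code from the page, the NCSC or any manufacturer: it rejects the banned defaults the article names (‘admin’, ‘12345’) and, as assumed extra policy rules rather than the wording of the regulation, also rejects defaults that are short, sequential, derived from identifiers printed on the device label, or shared by more than one unit (the pattern Mirai exploited). It finishes by generating a unique per-device default from a CSPRNG. The device inventory is constructed sample data.

```python
"""Default-credential audit for a batch of smart devices (added example).

Assumptions: the banned list is a tiny constructed sample (a real deployment
would load a large common-password list), and the extra rules below are an
illustrative policy, not the text of the PSTI regulations.
"""
import secrets
import string

# Constructed sample of banned defaults (assumption: real list is far larger).
BANNED_DEFAULTS = {
    "admin", "password", "12345", "123456", "1234", "root",
    "user", "guest", "default", "000000",
}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
ALPHABET = string.ascii_letters + string.digits


def _normalize(s: str) -> str:
    """Lower-case and drop the separators used on labels (MAC colons, model dashes)."""
    return s.lower().replace(":", "").replace("-", "")


def _has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive ascending/descending characters
    ('abcd', '4321') or a straight slice of a keyboard row ('qwer')."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        codes = [ord(c) for c in chunk]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({1}, {-1}):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def _derived_from_identifiers(pw: str, identifiers) -> bool:
    """True if pw embeds a device identifier (model, serial, MAC) or the last
    four characters of one; those values are printed on the label."""
    s = _normalize(pw)
    for ident in identifiers:
        ident = _normalize(ident)
        if not ident:
            continue
        if ident in s or (len(ident) >= 4 and ident[-4:] in s):
            return True
    return False


def check_default_password(pw: str, identifiers=(), min_len: int = 12):
    """Return (ok, reason); ok is False for easily guessable defaults."""
    if pw.lower() in BANNED_DEFAULTS:
        return False, "on banned list"
    if len(pw) < min_len:
        return False, "too short"
    if len(set(pw)) <= 2:
        return False, "too few distinct characters"
    if _has_sequential_run(pw):
        return False, "sequential run"
    if _derived_from_identifiers(pw, identifiers):
        return False, "derived from device identifier"
    return True, "ok"


def audit_batch(devices):
    """devices: dicts with model/serial/mac/password. Returns {serial: reason}
    for every unit whose default fails, including a default shared between
    units, which a single leaked manual or firmware image would expose."""
    counts = {}
    for d in devices:
        counts[d["password"]] = counts.get(d["password"], 0) + 1
    failures = {}
    for d in devices:
        ok, reason = check_default_password(
            d["password"], (d["model"], d["serial"], d["mac"]))
        if not ok:
            failures[d["serial"]] = reason
        elif counts[d["password"]] > 1:
            failures[d["serial"]] = "shared across units"
    return failures


def generate_device_password(identifiers, length: int = 16) -> str:
    """Unique per-device default from a CSPRNG, re-drawn until it passes the
    same policy the auditor applies; it cannot be computed from the label."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if check_default_password(pw, identifiers)[0]:
            return pw


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    {"model": "CAM-200", "serial": "SN00012345", "mac": "00:1A:2B:3C:4D:5E", "password": "admin"},
    {"model": "CAM-200", "serial": "SN00012346", "mac": "00:1A:2B:3C:4D:5F", "password": "CAM-200-4D5F!"},
    {"model": "CAM-200", "serial": "SN00012347", "mac": "00:1A:2B:3C:4D:60", "password": "Tr0ub4dor&3xyz"},
    {"model": "CAM-200", "serial": "SN00012348", "mac": "00:1A:2B:3C:4D:61", "password": "Tr0ub4dor&3xyz"},
    {"model": "CAM-200", "serial": "SN00012349", "mac": "00:1A:2B:3C:4D:62", "password": "xK7!pQ9vL2mZ4r"},
]

if __name__ == "__main__":
    for serial, reason in audit_batch(SAMPLE_DEVICES).items():
        print(f"{serial}: FAIL ({reason})")
    print("fresh default:", generate_device_password(("CAM-200", "SN00012350", "00:1A:2B:3C:4D:63")))
```

Run over the constructed batch, only the last unit passes: the first is on the banned list, the second is built from the model number and MAC suffix, and the third and fourth share one default. The generated replacement is random per unit, so compromising one device (or reading one manual) yields nothing reusable against the rest of the fleet.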

The Major Role of Businesses 

NCSC Deputy Director for Economy and Society, Sarah Lyons, has highlighted the important role that businesses have to play in protecting the public by “ensuring the smart products they manufacture, import or distribute provide ongoing protection against cyber-attacks”. She has also advised all businesses and consumers that they can read the NCSC’s point of sale leaflet for an explanation of how the new Product Security and Telecommunications Infrastructure (PSTI) regulation affects them and how smart devices can be used securely.

What Does This Mean For Your Business? 

The issue of weak default passwords in devices enabling cybercrime is not new, and the news that the government is finally doing something about it via legislation is likely to be well-received. The new laws will have implications for businesses, consumers, and the overall UK economy.

For example, for device makers (and importers), the requirement to eliminate default password vulnerabilities and to provide clear avenues for reporting security issues places a significant onus on manufacturers to enhance their security protocols. This may not only involve revising the initial security features but also maintaining transparency about the duration of support for security updates. Such changes could, however, require these businesses to invest in better security frameworks, thereby potentially increasing operational costs. That said, it should also improve the marketability and trustworthiness of their products.

UK businesses stand to gain considerably from these heightened security measures. By bolstering the security standards of connected devices, the new laws may ensure that businesses that rely heavily on such technology, from retail to critical infrastructure, are less susceptible to the disruptions and financial losses associated with cyber-attacks. This enhanced security environment should help maintain business continuity and safeguard sensitive data, thereby helping to foster a more resilient economic landscape.

The new laws may also mean that consumers, who are increasingly concerned about their digital privacy and the security of their data, may be able to make more informed choices about and experience greater confidence in the products they choose to integrate into their daily lives. With manufacturers required to adhere to stricter security measures and provide ongoing updates, consumers can expect a new level of protection for their connected devices, which translates into safer personal and financial data.

Economically, by setting a new cybersecurity standard, the UK appears to be positioning itself as a leader in the safe expansion of digital infrastructure. This leadership could boost innovation in cybersecurity measures, potentially leading to growth in the tech sector and creating new opportunities for employment and development. Also, by fostering a safer digital environment, the UK may attract more digital businesses and investments, further stimulating economic growth.

Security Stop Press : Dropbox Data Breach

Popular San Francisco-based cloud storage provider Dropbox has confirmed that it suffered a data breach from a “threat actor” on April 24. The company says, in what it believes to be an isolated incident, the hacker “accessed Dropbox Sign customer information”. Dropbox says the data accessed included email addresses, usernames, phone numbers and hashed passwords, general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.

Dropbox says that it’s found no evidence of unauthorised access to the contents of customers’ accounts, i.e. their documents or agreements, or payment information.

The company says it has “reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens.” Dropbox also says it has reported the event to data protection regulators and law enforcement.

Security Stop Press : Thousands Of Brand Subdomains Hijacked For Spam

Cyber security company Guardio Labs has reported uncovering a major “SubdoMailing” campaign which involves the hijacking of 8,000+ trusted domains to send millions of spam and malicious phishing emails daily.

Brands whose subdomains are being exploited in the campaign include MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, and eBay.

Guardio Labs said it has identified the threat actor behind the campaign as ‘ResurrecAds,’ a bogus ad network known for reviving “dead” domains from big brands and using them as backdoors to exploit legitimate services and brands and circumvent email protection.

The advice to businesses, which should already have antivirus protection in place, is to exercise caution and avoid opening any unsolicited or suspicious-looking emails, even if they appear to come from known brands.