Security Stop Press : Fake Funeral Service Streaming Scam

A grieving family from Berkshire have reported how online fraudsters used a photo of their recently deceased son on social media to get mourners to click on a bogus link for a streamed funeral service, with the goal of exploiting their grief to obtain data and cash.

The fraudsters used Alex Chadwick’s photograph and, although the funeral service was not filmed (the fraudsters’ streaming link was bogus), the family have expressed their shock at the criminals’ tactics and have called for legislation to stop it happening to others.

Alex Chadwick’s father Gary has been reported (BBC) as saying that he believed the family had been targeted because his son was young and had a lot of followers on social media.

Security Stop Press : 900 % Increase In Travel Scams

Marnie Wilking, chief information security officer at Booking.com, has warned that the arrival of generative AI and its use by scammers to create more sophisticated phishing emails is behind an increase in travel scams of up to 900 per cent in the last 18 months.

Speaking at the Collision technology conference in Toronto, Ms Wilking said that the increase in travel scams, using phishing emails containing fake booking links and made to look like they’re from Booking.com and Airbnb, started shortly after ChatGPT was launched.

Ms Wilking called for the industry, customers/travellers and hotels to use two-factor authentication, plus an additional check such as inputting a security code, to combat phishing and credential stealing.

Protect Your Business During Staff Holidays

In this next summer security article, and with the summer holiday season upon us, we take a look at the various aspects of protecting your business when your staff are on holiday, offering practical advice and solutions to help you stay secure and efficient while staff are physically away.

Why Worry? 

Holidays are essential for employee well-being and morale, providing a much-needed break and an opportunity to recharge. However, when staff members take time off, it can create gaps in your business operations, potentially leading to significant issues if not properly managed. The absence of key personnel can disrupt daily operations, leaving critical tasks unattended and increasing the risk of errors and delays.

Identifying Key Risks 

The first step in protecting your business during holiday periods is to identify the key risks that could disrupt operations, to enable you to make a plan to mitigate those risks. For example, these key risks include:

– Operational disruption. When critical staff members are away, daily operations can be significantly impacted. For example, IT support, finance, and management roles are essential to maintaining the flow of business activities. If these roles are not adequately covered, it can lead to delays and inefficiencies.

– Security vulnerabilities. This is another significant risk because, during holidays, businesses often experience an increased risk of cyber-attacks due to reduced staff vigilance. Cybercriminals are aware that businesses may be understaffed and see this as an opportunity to exploit vulnerabilities. For example, in the US, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) have observed that attackers often target holidays for ransomware attacks, as network defenders and IT support teams are typically at limited capacity during these times. Also, physical security can become compromised with fewer employees on-site, making it easier for unauthorised individuals to gain access.

– Communication breakdowns are another common issue. Maintaining effective communication when key staff are on holiday can be challenging. This can impact customer service and internal coordination, leading to misunderstandings and delays in response times.

– Compliance risks. The absence of key personnel responsible for regulatory compliance can lead to lapses in adhering to legal requirements, such as GDPR. This can result in data breaches and significant fines.

– Loss of institutional knowledge. When experienced staff members are on holiday, the temporary loss of their expertise can hinder problem-solving and decision-making processes. This can slow down projects and affect the quality of work.

It is therefore essential to have a plan in place to ensure that communication channels remain open and efficient.

Planning Ahead 

To mitigate these risks, proactive planning is essential. For example, this should include creating a holiday schedule well in advance that allows you to manage and track staff leave effectively. There are various tools and techniques available to help with this, such as scheduling software and shared calendars. By planning ahead, you can ensure that there is adequate coverage for critical roles and that no single department is left short-staffed. Other measures you can take include:

– Cross-training employees is another effective strategy. By training staff to cover for each other, you can ensure that essential tasks are still completed even when key personnel are away. Implementing cross-training programs can be done through job rotation, shadowing, and formal training sessions. This not only helps during holiday periods but also improves overall team flexibility and resilience.

– Documenting processes and responsibilities is crucial for ensuring business continuity. Having clear manuals and guides for temporary staff or colleagues who are stepping in can make a significant difference. These documents should detail the essential tasks, procedures, and contact information needed to perform the role effectively. This reduces the learning curve and ensures that critical processes continue smoothly.

– Implementing automated systems and processes where possible. Automation can help maintain consistency and reduce the workload of remaining staff. For example, automated email responses and workflow management tools can ensure that tasks are tracked and completed on time.

– Establishing clear communication protocols. Define how and when employees should communicate about their availability and who will be responsible for decision-making in their absence. This ensures that everyone is aware of their roles and responsibilities, reducing the chances of confusion and delays. For example, ensuring that employees set up out-of-office messages and provide alternative contacts can help maintain communication with clients and partners.

– Conducting regular reviews and updates of the holiday coverage plan can also help ensure that things go smoothly. For example, as your business grows and evolves, so too will your staffing needs and operational processes. Regularly updating your plan ensures it remains effective and aligned with your current business requirements.

By incorporating these strategies into your holiday planning, you can help mitigate the risks associated with staff absences and ensure that your business continues to operate smoothly and securely.

Enhancing Cyber Security 

Cybersecurity is a major concern during holiday periods, as reduced staff presence can lead to increased vulnerabilities, as mentioned. There are, however, measures you can take to keep your business security strong. These include:

– Implementing strong access controls. Setting up multi-factor authentication (MFA) and role-based access controls can significantly enhance security. By limiting access to sensitive information during holiday periods, you can reduce the risk of unauthorised access.

– Regular software updates and patching are also essential to protect against known vulnerabilities. Ensuring that all systems and software are up to date with the latest security patches can prevent many cyber-attacks. Automating updates can help reduce the burden on IT staff (and the chance of human error), ensuring that security is maintained even when your key personnel are away.

– Continuous monitoring for unusual activities is critical. Setting up monitoring systems to detect and alert you to any suspicious behavior can help you respond quickly to potential threats.

– Developing and communicating a clear incident response plan can also be a way to ensure that all staff know what to do in case of a security breach, minimising the impact and facilitating a swift recovery.

Physical Security Measures 

While cybersecurity is crucial, physical security should not be overlooked.

Securing the premises with physical security measures such as alarms, CCTV, and secure entry points is always a good idea. However, before a holiday period, it’s worth ensuring that all security systems are functional and tested, because complacency risks unauthorised access and stolen assets.

Updating access control policies to reflect holiday schedules is another important step. Limiting physical access to sensitive areas within the premises can reduce the risk of security breaches, so ensuring that only authorised personnel have access during these times can prevent potential threats.

Providing all staff with emergency contact information and establishing clear protocols for emergencies during holidays ensures that everyone knows who to contact and what steps to take if an issue arises. This can help resolve problems quickly and efficiently, minimising disruption.

Maintaining Effective Communication 

Effective communication is key to maintaining operations during holiday periods. Measures that can help with this include:

– Setting up automatic replies and email forwarding. This can ensure that communication with clients and partners remains uninterrupted. It’s also worth noting that any automated replies should be changed back when staff return from holiday. For example, it often looks unprofessional when a reply states that a person is away until a date that has long passed.

– Informing clients and partners of staff absences and providing alternative contacts can also help with maintaining trust and satisfaction.

– Using collaboration tools such as Microsoft Teams, Zoom, or Slack can help facilitate seamless communication among staff. Ensuring that these tools are accessible remotely allows staff on holiday to stay informed and participate in critical discussions if necessary. Regular check-ins and updates help keep everyone on the same page and ensure that projects continue to progress smoothly.

Continuity in Customer Service 

Customer service should not suffer when staff are on holiday. Proactively communicating with customers about staff holidays and providing alternative contacts or support options ensures that their needs are still met. This transparency helps maintain customer trust and satisfaction.

Although not appropriate or practical for all businesses, for some, hiring temporary staff or contractors to cover critical roles can be an effective solution. Training these temporary staff members to handle specific tasks and responsibilities can ensure that they can perform effectively, and this can help maintain service levels and prevent disruptions.

Automating customer service through solutions like chatbots can also be beneficial. These systems can handle common queries and issues, providing immediate assistance to customers. Ensuring that these automated systems are well-maintained and monitored ensures that they continue to function correctly and provide value.

Other Measures 

We’ve looked at many of the key measures you can take to protect the business when staff are away. There are, of course, depending on the nature of the business, other measures that can be taken. These could include:

– Scheduling IT audits before holiday periods can help to identify and address any vulnerabilities. This proactive measure can prevent potential breaches.

– Implementing redundant systems and backup resources (setting up duplicate or additional systems and resources) can help ensure that critical operations can continue smoothly even if primary systems fail, or key staff are unavailable.

– Developing a succession plan that identifies key employees who can step in and assume leadership roles temporarily can help the decision-making processes remain intact.

What Does This Mean For Your Business?

Maintaining security and operational continuity during staff holidays is crucial for the continuity, resilience, and success of your business, as well as for maintaining strong relationships with clients and stakeholders. Identifying key risks, planning ahead, enhancing cybersecurity, implementing physical security measures, maintaining effective communication, and ensuring continuity in customer service are all essential strategies to protect your business from potential disruptions and vulnerabilities.

Proactive planning and comprehensive strategies are necessary to prepare for staff absences effectively. While existing work pressures and time limitations can make it challenging to finalise plans in time, the cost and risk of neglecting this planning are strong motivators and highlight the critical importance of this effort.

Also, considering the benefits of a well-prepared business, such as improved resilience, customer satisfaction, and overall operational efficiency, should underscore the importance of setting up proactive employee absence and holiday plans. A well-prepared business is better equipped to handle disruptions, maintain high service levels, and protect its reputation.

In summary then, protecting your business when key staff members are on holiday requires a multifaceted and proactive approach. By taking the proactive steps identified here (as well as others specific to your particular business or industry), you can ensure that your business remains secure, efficient, and responsive, even during times of reduced staff presence.

With summer upon us, now is the time to evaluate your current practices and plans and take the necessary steps to ensure that the right measures are in place to deal with any staff absence, both during the main holiday periods and throughout the year. This preparation will help safeguard your business against any eventuality, ensuring continued success and stability.

Security Stop Press : Airline Awareness : Fake X Accounts

Consumer association Which? has warned that scammers are posing as airline customer service representatives on social media to steal sensitive data.

Which? says that scammers are crawling social media (often using bots) to find customers contacting airlines, and then contacting them or infiltrating their existing conversations with an airline via fake ‘X’ (Twitter) accounts.

Which? reports that it has “found examples of bogus X accounts impersonating every major airline operating in the UK, including British Airways, EasyJet, Jet2, Ryanair, Tui, Virgin Atlantic and Wizz Air” and that some have even paid for a blue tick in order to appear genuine. Also, Which? claims that the scammers are often faster at responding than the real airlines!

Tactics scammers have been using to steal data for use in identity fraud, or to sell to other criminals, include sending victims legitimate-looking DMs, directing victims to phishing websites (to harvest card details), and using claims of compensation entitlement to trick victims into downloading a payment (money transfer) app such as Remitly, Skrill or WorldRemit.

The advice is this: before engaging with a company on social media, check the official website for links to its social media profiles, check when the account joined X, and check how many followers it has, to help reveal whether it is genuine.

Security Stop Press : Google Maps Data Security Announcement

Google has announced that Google Maps Timeline (formerly known as Location History) data will be stored locally on users’ devices instead of their Google account (in the Cloud) from December 1, 2024. Timeline helps users track routes, trips, and places they have been to over time if Location History and Web & App Activity settings are enabled.

The change, first announced in December 2023, is understood to be a move to help with user privacy and control of their data, e.g. following allegations that Google misled consumers and illegally tracked their movements even after they had turned off Location History, and to reduce the risk of unauthorised access and data breaches.

Also, the move may help Google to comply with increasing data protection regulations. Google says, however, that since the data shown on a user’s Timeline comes directly from their device, Timeline won’t be available on Maps on the user’s computer after their data is moved to their phone. There is, though, the option for users to back up Timeline data to the cloud with end-to-end encryption.

Ex-Employees : Offboarding Checklist

Here we look at why organisations need to have an effective employee offboarding procedure in place and suggest a checklist for you that could form the basis of this procedure.

Why? 

Members of organisations inevitably change over time for various reasons: perhaps they relocate to another job and move away, perhaps they are asked to leave, or for many other reasons. However, when employees or contractors/third parties leave a business and there is no effective ‘offboarding’ plan or system in place, they are likely to still have access to your organisation’s systems and data through old passwords and access rights. Like it or not, this makes them a potential threat to your business.

Creating an effective offboarding plan and process that can be actioned (immediately) as the employee leaves can therefore protect you and your clients, maintain security, help ensure the safe continuity of the business, and help to fulfil legal and stakeholder responsibilities.

Such a plan and process can start with a simple checklist, although you may find it ends up being longer than you first thought. With this in mind, we take a close-up look at employee offboarding and provide a summary offboarding checklist that you may want to use to help with your own offboarding process.

What Kind of Threats? 

Examples of the kinds of potential threats that an organisation may need to guard against upon employee exit include:

– Damage, theft, and disruption. Departing employees can cause significant harm by stealing data, attacking company systems, or disrupting network operations where proper security measures are lacking.

– Insider threat. Ex-employees with active access rights can leak sensitive information, engage in industrial espionage, extort the company, or steal customer data. Insider threats account for a significant portion of data breaches.

– Data exfiltration. Departing employees might take sensitive information like client lists or intellectual property with them (intentionally or unintentionally), leading to competitive disadvantages and legal issues.

– Social engineering. Ex-employees may manipulate current employees using their insider knowledge to gain unauthorised access, often through phishing attacks.

– Sabotage. Disgruntled former employees might delete important files, corrupt data, or disrupt services, causing operational and financial damage.

– Legal and compliance risks. Failing to revoke access can lead to breaches of data protection regulations, resulting in legal penalties and reputational damage.

– Continuity of business operations. Inadequate access control can disrupt business processes, especially if the ex-employee held key roles or knowledge, leading to operational bottlenecks.

– Financial fraud. Ex-employees with access to financial systems may commit fraud, manipulate accounts, or process unauthorised transactions, impacting the company financially.

– Loss of customer trust. Compromised customer data due to inadequate offboarding can erode trust, damage the company’s reputation, and lead to business losses and legal actions.

How Big Is The Problem? 

A 2023 PasswordManager.com (US) survey found that 47 per cent of 1,000 workers admitted to still using their employers’ passwords even after leaving the company, with 58 per cent of them saying this was because the passwords had not changed since they left the company. Interestingly, 44 per cent said someone still working for the company shared it with them!

Also, a UK government Cyber Security Breaches Survey 2022 revealed that while many UK businesses are aware of the risks, implementation of robust off-boarding procedures remains inconsistent. For example, only 36 per cent of businesses had formal cyber-security policies, and even fewer medium-sized enterprises reviewed these policies regularly.

Examples 

Some high-profile examples of organisations who have suffered data breaches at the hands of ex-employees include:

– In 2023, Tesla reported that a significant data breach had been caused by two former employees who leaked personal information of over 75,000 individuals, including employee records and other sensitive data.

– Also in 2023, a former RAC employee was found guilty of stealing personal data of road traffic accident victims. The ex-employee had accessed and photographed sensitive data, which he later attempted to sell.

– Back in 2016, broadcasting watchdog Ofcom suffered a large data breach when a former employee downloaded around six years’ worth of third-party data before leaving for a new job at a major broadcaster. The data was then offered to the new broadcaster who informed Ofcom.

Legal Responsibility

The examples above highlight one important reason for closing any potential holes in security during an employee exit, namely the legal responsibility under current data laws. The United Kingdom General Data Protection Regulation (UK-GDPR) and the Data Protection Act 2018 (an updated version of the DPA 1998) are the primary legislative frameworks governing how businesses or organisations in the UK should manage the protection and handling of data. Within these frameworks, the data controller (i.e. your company or organisation) holds the responsibility for data matters.

Protecting this data is crucial not only to safeguard the individuals whose data the company holds but also to protect the company itself from legal penalties, reputational damage, and other consequences. In addition to personal data, businesses must ensure the protection of other sensitive data such as financial records, intellectual property, and details about company security controls.

Procedure 

These threats and responsibilities demonstrate that businesses and organisations need to address them as part of due diligence. This can be done by developing a built-in company procedure that is followed whenever an employee leaves (offboarding).

The Checklist 

This company procedure could be built around a checklist / a kind of security audit that covers all the main areas from which leaving employees need to have their access revoked and which plugs any potential loopholes. The checklist could include, for example:

1. Notification and Planning 

– Inform the IT security team and relevant departments about the employee’s departure, especially if the departure is contentious.

– Plan the off-boarding process and assign responsibilities.

2. Email and Communication Management 

Emails are a window into company communications and operations and a place where sensitive data is exchanged and stored. It is also a common ‘vector’ for cyber-criminals. Therefore:

– Revoke access to company email accounts.

– Set up auto-forwarding and out-of-office replies with new contact details.

– Revoke access to other email programs and mass mailing services (e.g. Mailchimp).

3. Access to Systems and Networks

– Revoke login details and permissions for company computer systems and networks.

– Disable VPN and remote access accounts.

4. Customer Relationship Management (CRM) Systems

– Revoke login access to CRMs containing customer and stakeholder data.

5. Collaborative Working Apps and Platforms

– Remove access to cloud-based platforms and collaboration tools (e.g. Teams, Slack).

– Ensure that the employee cannot access shared working groups.

6. Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) 

– Deactivate any 2FA or MFA devices or apps used by the employee.

7. Privileged Accounts 

– Revoke access to any privileged accounts, including admin rights and root access on servers and databases.

8. Physical Security Measures

– Retrieve all company-related keys, pass cards, ID cards, parking passes, and similar items.

– Update physical security systems like alarm codes and biometric access.

9. Return of Company Assets 

– Ensure the return of all company devices, including laptops, phones, and tablets.

– Keep a record of which devices were allocated to the employee.

10. Data and Document Access 

– Retrieve any backup/storage media (e.g. USBs).

– Transfer or delete any items stored in separate folders on the employee’s computer.

– Conduct a thorough audit of the employee’s digital footprint within document management systems.

11. Password Management 

– Change any passwords shared with multiple members of staff.

– Implement a regular password-changing policy as a fail-safe measure.

12. Financial Security 

– Change PINs for company credit/debit cards authorised for the employee’s use.

13. Social Media and Online Presence 

– Remove the employee’s email address and extension from the company website.

– Update company social media to reflect the departure.

– Ensure the ex-employee is not featured in the business’s online estate.

14. Legal and Compliance

– Ensure the off-boarding process complies with legal and regulatory requirements.

– Remind the departing employee of their obligations under non-disclosure agreements (NDAs) and data protection laws during the exit interview.

15. Monitoring and Follow-Up 

– Implement monitoring to detect any unusual activity associated with the former employee’s accounts.

– Regularly review and update access review processes to adapt to organisational changes.

16. Customer and Client Notification 

– Notify clients and customers of the change and provide new contact details to ensure continuity.

17. Physical Document Retrieval 

– Retrieve any physical documents (e.g. handbooks) that could contain sensitive information.

By following a comprehensive checklist like this one, you can effectively manage the security aspects of employee off-boarding, ensuring that all potential loopholes are addressed, and that the company’s data and resources remain secure.
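Items 3, 6 and 15 of the checklist (access revocation, MFA devices and follow-up monitoring) can be checked mechanically. The following Python script is an added example, not code from the original article; it assumes a constructed leavers register, a constructed directory snapshot and constructed authentication log lines in a simple key=value format, and flags ex-employee accounts that are still enabled, MFA devices still registered, and any login attempt (successful or not) on a leaver’s account after their last day.

```python
"""Offboarding follow-up audit.

Flags ex-employee accounts that are still enabled or still have MFA devices
registered after the leaver's last day, and any authentication attempt on a
leaver's account after that day. All data below is constructed sample input
for this example, not taken from any real system.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import re

# Constructed leavers register: username -> end of last working day (UTC).
LEAVERS = {
    "jsmith": datetime(2024, 6, 28, 23, 59, 59, tzinfo=timezone.utc),
    "apatel": datetime(2024, 7, 5, 23, 59, 59, tzinfo=timezone.utc),
}

# Constructed directory snapshot taken on the audit day.
ACCOUNTS = {
    "jsmith": {"enabled": True, "mfa_devices": 1},   # offboarding missed this one
    "apatel": {"enabled": False, "mfa_devices": 0},  # correctly disabled
    "bjones": {"enabled": True, "mfa_devices": 1},   # current employee, not a leaver
}

# Constructed authentication log lines (key=value format assumed for this example).
AUTH_LOG = """\
2024-06-27T16:02:11Z service=vpn user=jsmith src=198.51.100.7 result=success
2024-07-01T08:14:35Z service=vpn user=jsmith src=203.0.113.10 result=success
2024-07-02T21:40:02Z service=email user=jsmith src=203.0.113.10 result=failure
2024-07-02T21:41:15Z service=email user=jsmith src=203.0.113.10 result=success
2024-07-08T09:00:00Z service=email user=apatel src=198.51.100.9 result=failure
2024-07-08T09:05:12Z service=crm user=bjones src=198.51.100.20 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+service=(?P<service>\S+)\s+user=(?P<user>\S+)"
    r"\s+src=(?P<src>\S+)\s+result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "account_enabled", "mfa_device_active" or "post_departure_auth"
    detail: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict with a timezone-aware timestamp; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return event


def audit_accounts(leavers, accounts, now) -> list:
    """Leavers whose account is still enabled or still has MFA devices after their last day."""
    findings = []
    for user, last_day in leavers.items():
        if now <= last_day:
            continue  # has not left yet; nothing to revoke
        acct = accounts.get(user)
        if acct is None:
            continue  # account already deleted
        if acct["enabled"]:
            findings.append(Finding(user, "account_enabled", f"still enabled, left {last_day.date()}"))
        if acct["mfa_devices"]:
            findings.append(Finding(user, "mfa_device_active", f"{acct['mfa_devices']} MFA device(s) still registered"))
    return findings


def audit_auth_log(leavers, log_text) -> list:
    """Any authentication attempt on a leaver's account after their last day.

    Failures are reported as well as successes: a failed login on a closed
    account shows that someone is still trying the old credentials.
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["user"] not in leavers:
            continue
        if ev["ts"] > leavers[ev["user"]]:
            findings.append(Finding(
                ev["user"], "post_departure_auth",
                f"{ev['result']} on {ev['service']} from {ev['src']} at {ev['ts'].isoformat()}"))
    return findings


def run_audit(now=datetime(2024, 7, 10, tzinfo=timezone.utc)) -> list:
    """Combine both checks; 'now' defaults to the constructed audit date."""
    return audit_accounts(LEAVERS, ACCOUNTS, now) + audit_auth_log(LEAVERS, AUTH_LOG)


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.kind}] {f.user}: {f.detail}")
```

Against the sample data this reports jsmith’s account and MFA device as still active and four post-departure login attempts (three by jsmith, one failed attempt on apatel’s disabled account), while bjones is never flagged.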

BYOD Threat? 

Where companies offer ‘Bring Your Own Device’ (BYOD) meaning that employees can bring in their personally owned laptops, tablets, and smartphones to work and use them to access company information, this could pose an additional level of threat during employee exit.

This threat may be lessened where companies opt for different types of BYOD, such as corporately owned/managed, personally enabled (COPE); choose your own device (CYOD); personally owned and partially enterprise managed; or personally owned with a managed container application.

In any case, BYOD should always be accompanied by clear policies and guidance as part of effective management.

Ex-Employee’s Legal Responsibilities 

It should be remembered that, although the business / organisation has legal responsibilities to protect company data, the ex-employee is also subject to the law for their behaviour. This is of particular importance where an employee who has dealt with the personal details of others in the course of their work leaves or retires. For example, the ICO prosecuted a charity worker who, without the knowledge of the data controller (Rochdale Connections Trust), sent emails from his former work email account (2017) containing sensitive personal information of 183 people. Also, a former council schools admissions department apprentice was found guilty of screenshotting a spreadsheet that contained information about children and their eligibility for free school meals and then sending it to a parent via Snapchat.

What Does This Mean For Your Business? 

An effective offboarding procedure is essential to ensure that when employees or contractors leave an organisation, they pose a significantly reduced security risk. Without a proper system in place, departing employees may retain access to sensitive systems and data, which can lead to significant security breaches. This not only endangers the privacy and integrity of company and client information but also exposes the organisation to potential legal liabilities and reputational damage.

Implementing a comprehensive offboarding checklist is really a matter of due diligence and helps to systematically address all potential vulnerabilities. Such a checklist ensures that all necessary steps are taken to revoke access to company emails, systems, and networks, and to retrieve company assets. By meticulously following these steps, businesses can prevent former employees from inadvertently or maliciously accessing confidential information.

A well-structured, regularly updated checklist, therefore, facilitates clear communication among various departments involved in the offboarding process, ensuring that no critical task is overlooked. This organised approach can help maintain the continuity and security of business operations, safeguard the company from potential threats and ensure compliance with data protection regulations. A detailed offboarding procedure is a crucial element of any organisation’s overall security strategy, protecting both the company and its stakeholders.

Featured Article : New Windows Screenshot Feature Sparks Privacy Concerns

The new AI-powered Windows ‘Recall’ feature, which takes a screenshot every five seconds to generate a searchable timeline of everything a user has interacted with, has prompted security and privacy concerns.

What Is Recall? 

The Recall feature for Windows (currently in preview status) is a new feature that’s exclusive to Microsoft’s forthcoming Copilot+ PCs. Recall takes snapshots of whatever is on your screen (e.g. emails and photos) every five seconds, whenever the content on the screen differs from the previous snapshot. These snapshots are then stored (encrypted) and analysed locally on the user’s PC using AI-based optical character recognition (OCR). The collection of snapshots is designed to give users not only a timeline of everything they’ve done and seen, but also the ability to use voice commands to search through it for what they need, e.g. for any content (text and images) they may have been working on or seen. Microsoft says the functionality will be improved “over time” to enable users to open the actual source document, website, or email shown in a screenshot.

When Recall opens the snapshot a user has requested, it enables ‘screenray’. This runs at the top of the snapshot and allows the user to interact with any of the elements in the snapshot, so for instance the user can copy text from the snapshot or send pictures from the snapshot (to an app that supports jpeg files).

Won’t It Just Fill Up The PC’s Storage Space With Snapshots? 

With a new screen snapshot captured every five seconds and stored locally on the PC, you may be wondering what this will do to the storage space. Microsoft says the minimum hard drive space needed to run Recall is 256 GB (of which 50 GB must be free) and that the default allocation for Recall on a device with 256 GB will be 25 GB, which can store approximately 3 months of snapshots. Users can increase the storage allocation for Recall in the PC Settings, and old snapshots are deleted when the allocated storage is used up, allowing new ones to be stored.

Why Use Recall?

According to Yusuf Mehdi, Microsoft’s executive vice president and consumer chief marketing officer, with Recall, Microsoft “set out to solve one of the most frustrating problems we encounter daily — finding something we know we have seen before on our PC”. 

Broadly speaking therefore, Recall is essentially a productivity and user experience-enhancing feature. Microsoft hopes that Recall will transform how users interact with their digital content by providing powerful, AI-driven tools for retrieving and managing past activities while maintaining a high level of control and (hopefully) privacy too.

Privacy Concerns 

While on the face of it, it’s possible to see how useful this feature could be, Recall has set privacy alarm bells ringing for some users. For example, it’s been reported that the Information Commissioner’s Office (ICO) is contacting Microsoft for more information on the safety of the product and that Recall has been described as a “privacy nightmare” by some privacy watchdogs. Examples of some of the key concerns about the potential privacy issues of Recall include:

– Since the feature doesn’t moderate what it records, very sensitive information including snapshots of passwords, financial account numbers, medical or legal information (and more) could be accessed and taken, presenting an obvious risk. Microsoft says: “Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.”

– Gaining initial access to a device is often one of the easier stages of an attack. Once an attacker, or malware running in the user’s session, has that access, the snapshot store is a ready-made, indexed archive of everything the user has seen, including sensitive information and business trade secrets.

– Anyone who knows a user’s password could access that user’s history in more detail.

– Recall is currently at the preview stage, but unless Microsoft assesses the data protection implications and the impact on people’s rights and freedoms before the feature is released to the wider market, there may be serious legal issues and consequences.

Elon Musk also posted about the feature on his X platform saying: “This is a Black Mirror episode. Definitely turning this ‘feature’ off.”

What Does Microsoft Say? 

In defence of Recall and to allay the privacy concerns expressed, Microsoft points out that:

– Recall is not enabled by default – it is an opt-in feature. Users must manually activate it to use it and can configure its settings to control what data it captures and stores.

– Microsoft says it built privacy into Recall’s design “from the ground up”.

– By clicking the Recall icon in the taskbar after first activating their Copilot+ device, users can choose what snapshots Recall collects and stores. For example, they can filter specific apps, or websites visited in a supported browser, out of snapshots; pause snapshots on demand from the Recall icon in the system tray; clear some of the stored snapshots; or delete all snapshots from the device.

– Microsoft says: “For enterprise customers, IT administrators can disable automatically saving snapshots using group policy or mobile device management policy. If a policy is used to disable saving snapshots, all saved snapshots from users’ devices will be deleted, and device users can’t enable saving snapshots.” 

– The snapshots captured by Microsoft’s Recall feature are stored locally on the PC but are encrypted and protected using BitLocker encryption.

– Recall data is only stored locally and isn’t accessed by Microsoft or anyone who does not have device access.
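For administrators who want to check the two controls Microsoft points to above (the enterprise policy that stops snapshots being saved, and BitLocker on the drive that holds them) rather than take them on trust, the following PowerShell is an added example written for this article. It is not Microsoft’s code and not from the original page. It assumes that the Group Policy / MDM setting Microsoft describes is backed by the registry value DisableAIDataAnalysis (DWORD, 1 = snapshots off) under Software\Policies\Microsoft\Windows\WindowsAI in the machine and user hives; run it from an elevated PowerShell session on the device being audited.

```powershell
# Added example (not Microsoft's code, not from the original article): audit a Copilot+ PC for
# the Recall controls described above and, if wanted, enforce the machine-wide policy.
#
# Assumption: the "turn off saving snapshots" Group Policy / MDM setting writes
# DisableAIDataAnalysis (DWORD, 1 = snapshots disabled) under the WindowsAI policy key.
$MachinePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI'
$UserPolicyKey    = 'HKCU:\Software\Policies\Microsoft\Windows\WindowsAI'
$PolicyValueName  = 'DisableAIDataAnalysis'

function Get-RecallPolicyState {
    param([Parameter(Mandatory)][string]$KeyPath)
    # 'SnapshotsDisabled' when the value is 1, 'NotConfigured' when the key or value is absent,
    # 'SnapshotsAllowed' when a value exists but is not 1.
    $props = Get-ItemProperty -Path $KeyPath -Name $PolicyValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 'NotConfigured' }
    if ([int]$props.$PolicyValueName -eq 1) { return 'SnapshotsDisabled' }
    return 'SnapshotsAllowed'
}

function Get-OsVolumeBitLockerStatus {
    # Microsoft says snapshots are protected by BitLocker; that only holds if the OS volume is
    # actually encrypted, so check rather than assume. 'Unavailable' means the BitLocker module
    # is not present on this edition of Windows.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        return "$($vol.VolumeStatus)/$($vol.ProtectionStatus)"   # e.g. FullyEncrypted/On
    } catch {
        return 'Unavailable'
    }
}

function Get-RecallAudit {
    [pscustomobject]@{
        MachinePolicy     = Get-RecallPolicyState -KeyPath $MachinePolicyKey
        UserPolicy        = Get-RecallPolicyState -KeyPath $UserPolicyKey
        OsVolumeBitLocker = Get-OsVolumeBitLockerStatus
    }
}

function Disable-RecallSnapshots {
    # Writes the machine-wide policy value. Per the Microsoft statement quoted above, once the
    # policy applies existing snapshots are deleted and users cannot re-enable saving.
    $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
               ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run from an elevated PowerShell session to write HKLM policy.' }

    if (-not (Test-Path $MachinePolicyKey)) {
        New-Item -Path $MachinePolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $MachinePolicyKey -Name $PolicyValueName -Value 1 `
        -PropertyType DWord -Force | Out-Null
    Get-RecallAudit
}

# Usage: report the current state; uncomment the second line to enforce the policy.
Get-RecallAudit | Format-List
# Disable-RecallSnapshots | Format-List
```

Writing the registry value directly is appropriate for a standalone or test device. On a managed fleet, set the same policy centrally through Group Policy or your MDM so that it is re-applied if anything tampers with it, and treat a result of OsVolumeBitLocker = Unavailable or anything other than FullyEncrypted/On as meaning the snapshot store is not encrypted at rest, whatever the marketing says.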

What Does This Mean For Your Business? 

It’s possible to see the value of the Recall feature (in the forthcoming Copilot+ PCs) in terms of offering UK businesses a potential boost in productivity and efficiency. Being able to search by voice and quickly find (and eventually click through to) anything you’ve been looking at could make it much faster and easier to retrieve and manage digital content. This could, of course, save valuable time and reduce frustration, leading to more streamlined workflows and increased operational efficiency.

However, the elephant in the room, which has caught the attention of many commentators and the ICO, is the significant privacy risk the feature could pose to businesses and individual users. The unmoderated collection of everything on screen (which could include passwords, financial data and confidential business details) creates a single, searchable store of sensitive information. If those snapshots were accessed and fell into the wrong hands, the consequences could be severe, including data breaches and the exposure of proprietary information. In practice, the only things standing between a bad actor and that personal, sensitive or business information are the PC’s sign-in credentials and the absence of malware in the user’s session.

Microsoft’s assertion that Recall is an opt-in feature, with snapshots stored locally and protected by BitLocker encryption, may provide some reassurance, as may the fact that users can control what is captured and stored and that enterprise customers can disable automatic snapshot saving through group policy or mobile device management. It is worth remembering, though, what BitLocker does and does not do: it protects data at rest on a lost or stolen device, but once a user is signed in the volume is unlocked, so it offers no protection against malware or an unauthorised person using that session. The potential for misuse therefore remains, especially if a device is compromised or accessed by an unauthorised individual.

To address these privacy concerns, Microsoft will need to provide comprehensive transparency and robust security assurances to the ICO, businesses, and privacy advocates too. Demonstrating that Recall complies with data protection regulations and adequately safeguards user data will be crucial. Clearly, even though Recall is still just at the preview stage, there are serious concerns, and failure to address these could result in significant backlash, legal challenges, and a loss of trust among users.

If / when Recall is thought to be suitable for wider release for businesses, the decision to implement it will require a careful evaluation of the trade-offs between increased productivity and potential privacy risks. Companies will need to establish clear policies and provide training to ensure that employees understand how to use the feature securely. IT departments will also need to remain vigilant, continually monitoring and managing the feature’s settings to maintain data protection standards.

While Recall offers exciting possibilities for enhancing business efficiency, its success will depend on Microsoft’s ability to address privacy concerns and provide robust security measures, so it remains to be seen how Recall progresses though this preview stage and whether risks can be mitigated to an acceptable level.

Security Stop Press : $6 Million Fine For Deepfake Robocalls

A political consultant who paid a local street magician $150 to create a deepfake anti-Biden robocall, telling people not to vote in the New Hampshire Democratic primary, is now facing a $6 million fine.

It’s alleged that Steven Kramer, 54, of New Orleans, commissioned and paid for the bogus AI deepfake of Biden’s voice, used caller ID spoofing to hide the source of the calls, and hired a telemarketing firm to play the fake recording to more than 5,000 voters.

Mr Kramer faces felony charges of voter suppression and misdemeanor charges of impersonating a candidate, as well as the multi-million-dollar fine from the US Federal Communications Commission (FCC) for the bogus call. This is likely to send a powerful message to anyone looking to misuse AI deepfakes in this year’s US presidential election.

Tech Tip – Set Up Dynamic Lock to Automatically Lock Your PC

Dynamic Lock uses the proximity of your Bluetooth-paired phone to automatically lock your Windows PC when you step away. This helps enhance security by ensuring your device is locked when you’re not around. Here’s how to set it up:

– Pair your Bluetooth-enabled phone with your PC.

– Go to Settings > Accounts > Sign-in options.

– Scroll down to the Dynamic lock section and check the box for Allow Windows to automatically lock your device when you’re away.

– Windows will use the signal strength of your paired phone to determine when to lock your PC, adding an extra layer of security.
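The steps above go through the Settings app. As an added example for this tip (not Microsoft’s code and not from the original page), the PowerShell below checks the prerequisites and turns Dynamic Lock on from the command line, alongside the inactivity-lock policy that should back it up. It assumes that the “Allow Windows to automatically lock your device when you’re away” checkbox is backed by the per-user value EnableGoodbye (DWORD, 1 = on) under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, that paired Bluetooth devices appear with a BTHENUM instance ID, and that the “Interactive logon: Machine inactivity limit” policy is stored as InactivityTimeoutSecs under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

```powershell
# Added example (not Microsoft's code, not from the original tech tip): check the prerequisites
# for Dynamic Lock, enable it, and report the inactivity-lock policy that complements it.
#
# Assumptions: the Settings checkbox writes EnableGoodbye (DWORD, 1 = on) under the Winlogon key;
# paired Bluetooth devices have instance IDs beginning BTHENUM; the machine inactivity limit is
# InactivityTimeoutSecs under the System policy key (0 or absent = no limit enforced).
$WinlogonKey     = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$SystemPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PairedBluetoothDevices {
    # Dynamic Lock measures the signal of a paired phone, so at least one paired device must be
    # present besides the PC's own Bluetooth radio.
    Get-PnpDevice -Class Bluetooth -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'OK' -and $_.InstanceId -like 'BTHENUM*' } |
        Select-Object FriendlyName, Status, InstanceId
}

function Get-DynamicLockState {
    $props = Get-ItemProperty -Path $WinlogonKey -Name 'EnableGoodbye' -ErrorAction SilentlyContinue
    if ($null -ne $props -and [int]$props.EnableGoodbye -eq 1) { return 'On' }
    return 'Off'
}

function Get-InactivityLimitSeconds {
    $props = Get-ItemProperty -Path $SystemPolicyKey -Name 'InactivityTimeoutSecs' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 0 }
    return [int]$props.InactivityTimeoutSecs
}

function Enable-DynamicLock {
    # Warn, rather than fail, if nothing is paired: the setting can be turned on first and the
    # phone paired afterwards, but until then Dynamic Lock has nothing to measure.
    if (-not (Get-PairedBluetoothDevices)) {
        Write-Warning 'No paired Bluetooth device found; pair your phone or Dynamic Lock will never trigger.'
    }
    New-ItemProperty -Path $WinlogonKey -Name 'EnableGoodbye' -Value 1 -PropertyType DWord -Force | Out-Null
    Get-DynamicLockState
}

function Get-LockControlsReport {
    [pscustomobject]@{
        DynamicLock            = Get-DynamicLockState
        PairedBluetoothDevices = @(Get-PairedBluetoothDevices).Count
        InactivityLimitSeconds = Get-InactivityLimitSeconds
    }
}

# Usage: report the current state; uncomment the second line to switch Dynamic Lock on.
Get-LockControlsReport | Format-List
# Enable-DynamicLock
```

Two caveats worth knowing before relying on this. Dynamic Lock is not instantaneous: Windows waits until the phone’s signal has dropped for a short period (Microsoft’s documentation describes this as around 30 seconds), and Bluetooth range can be ten metres or more, so someone could reach an unattended desk before the lock fires. Treat it as a backstop for forgetting to press Win+L, and pair it with a short machine inactivity limit (a non-zero InactivityLimitSeconds in the report above) rather than as a replacement for either.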

Security Stop Press : Insurance Industry and Security Coalition To Tackle Ransomware

Three major UK insurance associations have united in a coalition with GCHQ’s National Cyber Security Centre (NCSC) to help reduce ransom payments made by victims of cybercrime.

The unprecedented cross-sector coalition comprises the NCSC and the Association of British Insurers (ABI), the British Insurance Brokers’ Association (BIBA) and the International Underwriting Association (IUA).

With ransomware the biggest day-to-day cyber security threat to UK organisations, the coalition has developed, with the NCSC, a set of guidelines and a framework for a broad range of stakeholders, including insurance providers, businesses and cyber security professionals, aimed at reducing the frequency and impact of ransomware attacks.

NCSC CEO Felicity Oswald said: “It’s really encouraging to see all corners of the insurance industry unite to support victim organisations with guidance that will help them to better understand their options and reduce harm and disruption to their businesses.”