ActiSoft Technology - Blog , Cyber Security

The Hidden Cost of Cyber Crime And How to Avoid it

Mon, 04 Apr 2022 14:34:15 +0000

When a new story hits the news about another organisation being hit by a cyber attack, it’s mostly numbers we hear about. We’re told how many records were compromised, how many hours were lost, how much ransom money was demanded and how big a fine the company will have to pay to the ICO.

What we don’t hear so much about is the human cost of cyber attacks, or how those responsible for handing over valuable data (mostly completely innocently) feel about their mistakes.

Fraudsters know how to play on people’s weaknesses, and they’re very good at it. It’s easy to think you’d never fall for a scam if it’s never happened to you, but the truth is that hundreds of thousands of people do get caught out every year. Often, those people are highly intelligent, organised and diligent, and just happened to be having a bad day.

Being tired, overworked, stressed or simply relaxing in the lead up to a holiday can cause even the brightest spark to make simple mistakes. Nobody is immune to cyber attacks, and hackers capitalise on that fact every single day. The situation is now so serious that mental health professionals are referring to cyber crime as a new, hidden epidemic, and those who fall victim to hackers often pay a heavy psychological price. It goes way beyond having information stolen or even handing over money. It’s about deep-seated feelings of guilt, embarrassment and powerlessness, and in an increasing number of cases victims are being diagnosed with depression, post traumatic stress disorder or other related health problems.

A recent survey found that almost 70% of victims said they felt they could no longer trust strangers, and over half said they were no longer able to enjoy the activities they used to. Depression and anxiety were reported in over half the respondents, with almost 85% experiencing insomnia following a data breach. More than 60% said they experienced difficulties with concentration and cognitive function, while just under 57% said they regularly experienced aches, pains and headaches.

In severe cases, the shame of compromising company data and being seen as “the weakest link” in an organisation has even led to suicide. So, how do you protect your employees and your company from the chaos of a data breach? These 7 simple security measures will help keep you and your people safe and help you avoid the long term repercussions of cyber crime.

1. Make Sure You Have Endpoint Protection Software on Every Device

A lot of people still think that anti-virus software is just for laptops and PCs, but you should have it installed on every device on which people access your systems.

2. Use Different Passwords

Many of us are guilty of re-using the same password for different accounts, but it’s a really bad habit to get into. Having to remember different passwords for all your online activities can be exhausting and frustrating, but if you use a system like Keeper you won’t have to. Password management systems remember everything for you, so you and your team can stay safe without having to deal with an administrative nightmare.

3. Switch to Multi-factor Authentication

Entering a username and password is just one step in the online security process, so more and more organisations are choosing to protect their data with several layers of protection. Multi-factor authentication requires you to provide more information to confirm your identity, such as:

Something you know – a password or PIN
Something you have – like a Security Key, secure USB or phone number
Something you are – such as a fingerprint or retina scan

4. Protect Every Device

One of the downsides of remote working is that your team members will most likely be using their own devices to log into your network. It’s imperative to clearly outline everyone’s responsibilities when it comes to looking after those devices, from keeping them safe on public transport to ensuring nobody else has access to them.

You’ll need a robust Bring Your Own Device (BYOD) policy in place to ensure everyone knows what’s expected of them – get advice on how to create one here.

It's important to note that under the GDPR, if any device containing personal information is stolen it must be reported to the ICO within 72 hours. It’s also a good idea to install tracking software on your devices so they’re easier to get back in the event of theft or loss.

5. Make Sure Your Software is Always Up to Date

One of the easiest ways for hackers to infiltrate organisations is through outdated software. Every time someone hits the “update later” button it makes your organisation more vulnerable, so make it policy to ensure all software is updated at the same time every week.

6. Back up Regularly

Even if the worst does happen and you lose your data, it will be a whole lot easier to deal with if you’ve got everything backed up in another place. You can store copies of your data in an external hard drive, but most businesses nowadays choose to back up in the Cloud. A good security provider will perform backups on your behalf and regularly monitor activity on the network, which means you won’t have to give it a second thought.

Don't forget to test your backup regularly!

7. Educate and Support Your Staff

This is the number one most important thing you can do when it comes to cyber security. Human error is the biggest cause of data breaches, so by keeping everyone trained and up to date with the latest phishing threats and how to recognise them, you’ll be going a long way towards keeping your customer information safe.

With the right training, employees should all be able to spot a phishing email or dodgy link and know what to do if something doesn’t look right. It’s also important to create a culture in which people feel comfortable to ask if they’re not sure about something, and don’t feel under too much pressure. Of course, an element of pressure is expected in every job, but when people are overloaded, they’re more likely to make mistakes. And as we’ve already seen, sometimes those mistakes have far reaching consequences. Creating a culture of fear won’t work, but providing a supportive, educational environment just might.

We are here to help you and your team stay safe online. To find out more, or to book a cyber security training session, contact us today.

Endpoint & DNS Protection Together

To secure businesses, you need endpoint protection that’s stronger and smarter than traditional business antivirus and secure your DNS connection against cyberattacks, get total visibility into web usage, and enforce acceptable web usage policies to reduce security risk.

Why it's different:

Stop sophisticated cyber attacks

Streamline Management

Save time and money

Skip the hardware and software with our DNS Protection

Block threats at the domain level

Reduce costs relating to infections

Protection wherever you are

Try it now!

How To Harness the Power of Data in Your Organisation

Wed, 30 Mar 2022 13:40:01 +0000

Companies all over the world are learning that one of the best ways to future-proof their organisations is by harnessing the power of data. According to a recent survey from McKinsey, today’s leaders understand that data isn’t just part of business, it is business. But there’s a big difference between simply collecting data and using it properly, so how do you ensure you’ve got all the information you need to succeed without getting bogged down in statistics?

For most companies, data collection is about three things:

Informing and improving decision making
Refining operations
Creating new revenue streams

Informing and Improving Decision Making

A recent study by Bain & Company, which looked at over 400 organisations, found that those who used advanced data analytics made decisions five times quicker than their peers. Data helps us understand the way our customers think and provides deep insights into which processes are working, as well as those that would benefit from a different approach.

Refining Operations

Today’s data sources allow organisations to refine everyday operations and processes and work more efficiently. From customer feedback to production line reports, we now have a host of information at our fingertips to help us be bigger and better than ever.

A good example of this is the use of GPS software in delivery vehicles – companies like Amazon have used this new technology to their full advantage, giving customers and managers alike regular updates on deliveries. They’ve also used data in all sorts of ways to influence customer decisions, like the recently introduced Personal Recommendation system that prompts consumers on the products they might need, before they even know it themselves.

Creating New Revenue Streams

The more in-depth and interesting your data, the more attractive a business asset it becomes. So much so that companies are now being bought based on how much data they collect, like in the case of IBM’s takeover of The Weather Company. Originally founded as the Weather Channel in 1982, the company invested in technology that allowed it to offer an impressive line of digital products. They changed their name to the Weather Company in 2012 and a number of eagle-eyed investors noticed the wealth of information they had collected about weather patterns. IBM soon snapped them up and has since been able to position itself as one of the leading suppliers of weather information in the world. Even if you don’t want your company to be acquired by one of the big fish, your data will still be valuable to someone.

However far along you are in your journey, you’ll need a robust data strategy in place. Before you go on a mission to collect all those facts and figures , it’s important to know what you want to do with it. That means starting with a robust data strategy that clearly identifies what you’re trying to achieve and how you plan to do it.

The amount of data that exists around the globe is growing rapidly – 90% of it has only become available over the past couple of years. As that data continues to increase, managing it properly has become essential, which is why all businesses need a data strategy.

Like all business planning activities, your company data strategy should be SMART and flexible, allowing you to scale up and down according to need.
Without a data strategy in place, different departments and team members find themselves having to make decisions about information and solve data decisions on their own. This adds up to confusion and a lot of wasted time and money, so it’s important to develop clear guidelines in order to keep costs low and operations running smoothly.
Define how your data will help you meet business goals.
Identify how you will complete data collection activities in line with those goals.
Outline any changes you need to make within your organisation to make the most of your data.
Establish a timeline for all your data collection activities and milestones.
Describe your short-, mid- and long-term data collection strategies.
Discuss how these activities can be financially justified.
Identify what software you intend to use and how your insights can be monetised.
Include information about how your data will be stored and kept safe.

Data Security should be your number one priority when it comes to collecting any kind of information. Since the introduction of the GDPR and the ever-increasing risk of hacking, it’s never been more important to make sure your data is safe. Here are some important things to consider for your new data strategy:

Always make sure your data is regularly backed up
Ensure all your staff are well trained in cyber security and clear about access and data sharing
Use Cloud computing systems to keep your information remotely
Invest in some reliable Antivirus software and install it on all devices that access your systems
Always keep your data protected with a robust cyber security strategy

We are here to help you keep your data safe. Contact us today to find out more about our cyber security products and services, including data strategy implementation and staff training.

Endpoint & DNS Protection Together

Why it's different:

Stop sophisticated cyber attacks

Streamline Management

Save time and money

Skip the hardware and software with our DNS Protection

Block threats at the domain level

Reduce costs relating to infections

Protection wherever you are

Try it now!

How to Run a Successful Security Awareness Training Program

Fri, 01 Oct 2021 15:18:27 +0000

Blog courtesy of KnowBe4

Written by Stu Sjouwerman

As we're now in Cybersecurity Awareness Month, thinking about how to strengthen your security awareness training program is probably top of mind.

Luckily, we've got you covered with helpful tips you can use to run a strong security awareness training program in your organisation! We asked our Security Awareness Advocates for their expert advice on questions like how to get started, how to motivate your users, and how to develop a strong security culture over time. While not an exhaustive list, here is a handy one-sheet with what they had to say:

Click here to download the full infographic

Critical components of a successful security awareness program:

Use good, high quality content that’s highly relevant to your users
Reinforce the training with regular simulated phishing attacks
Stay current with what is happening in real phishing attacks - mirror the topics and methods used by cybercriminals

How to motivate your users to do their training on time:

Lead with a carrot, not a stick! Reward users upon completion (could be a sticker, certificate, raffling off a gift card, etc.)
Make it a game and create healthy competition between departments or other groups
Get your leadership involved publicly - make sure it’s well known and seen. It will make the rest of the organisation want to follow in their footsteps

How to gain and maintain executive support for your security awareness program:

Speak their language: Don’t get too technical, and tie it to business objectives (risk, reputation, business benefits, profit and loss impact, etc.)
Address the “why” and how does it help your organisation be more successful
Talk about cybersecurity in the news, how it was a result of human error, and how this program will help to mitigate human error

How to measure the benefits of a successful security awareness program:

Track metrics like the phish-prone percentage of your organisation or number of phishing emails reported over time
Conduct surveys with different stakeholders to gauge their perception of the program’s success
Whatever you use to measure success, make sure it is defined, agreed upon and tracked

How to develop a stronger security awareness culture over time:

Evaluate your organisation against the 7 dimensions of security culture, and measure it against your industry’s benchmarks (we have done studies on this!)
Tie your security culture into your overall organisational culture so the two are not at odds
Understand that there is no fast track to a good security culture - by consistently following the advice above, you will develop a strong security awareness culture over time

We hope these tips can help you implement new-school security awareness training for your users. Here are more in-depth videos on our partner support site. Make sure you're prepared for Cybersecurity Awareness Month and beyond!

Get Your Free 2021 Cybersecurity Awareness Month Resource Kit

In today's hybrid work environment, your users are more susceptible than ever to attacks like phishing and social engineering. Cybercriminals know this and are constantly changing tactics to exploit new vulnerabilities. We've put together these resources so you can keep your users on their toes with security top of mind. Request your kit now to help your users defend against cybercrime whether they are fully remote, back in the office, or a combination of both.

Here's what you'll get:

Access to free resources for you including our most popular on-demand webinar and whitepaper
Resources to help you plan your activities, including your Cybersecurity Awareness Month Guide and Cybersecurity Awareness Weekly Planner
Two free training modules for your users; "Your Role: Internet Security and You" and "2021 Social Engineering Red Flags," both available in multiple languages
Resources to share with your users including Kevin Mitnick cybersecurity demo videos, infographics, tip sheets, awareness posters, and wallpapers
All assets are printable and available digitally, so they can be delivered to your users no matter where they are working from

Get Your Free Resource Kit Now!

Probability of Experiencing a Vendor Email Compromise Attack Increases 96%

Mon, 20 Sep 2021 14:51:00 +0000

Blog courtesy of KnowBe4

Written by Stu Sjouwerman

Vendor Email Compromise requires first taking control of a strategic email account within the victim organisations. According to new data, cybercriminals are getting really good at this.

Vendor Email Compromise – an attack where an email account is actually taken over rather than simply spoofed as seen in business email compromise attacks – can have a far greater impact on the organisation. Emails coming from a threat actor-controlled legitimate email account are much harder – if not impossible – to discern as being malicious in nature.

According to new data in Abnormal Security’s Q3 2021 Email Threat Report, email account takeovers are rising in both number and success rates:

The chance of experiencing a VEC attack has risen 96% over the last 12 months
Mid-sized companies are 43% likely to have at least one account takeover per quarter
Enterprises with 50K+ employees are 60% likely to be a victim of account takeover
The C-Suite is the most targeted group, at three times than VPs – the next targeted group
14% of account takeovers occur at department head levels within organizations
The average request in a VEC attack is $183,000, with the highest documented being $1.6 million

With the potential for VEC attacks to cost organisation’s millions annually, it’s first imperative to protect email accounts from the possibility of account takeover using multi-factor authentication and zero trust solutions that scrutinise requests to access email. It’s equally important to educate users involved with the organisation’s finances using Security Awareness Training to maintain a sense of vigilance – even when a request comes from a legitimate source. It’s necessary to validate any unexpected requests using a separate communication medium to ensure the person believed to be asking is actually doing so.

Request A Demo: KCM GRC

The new KCM GRC platform helps you get your audits done in half the time, is easy to use, and is surprisingly affordable. No more: "UGH, is it that time again!"

With KCM GRC you can:

Reduce the amount of time and money required to easily manage your compliance, risk and audit requirements
Automate reminders so you can quickly see what tasks have been completed, not met, and are past due
Simplify risk management with an intuitive interface simple workflow based on NIST 800-30.
Efficiently manage your third-party vendor risk requirements
Quickly implement compliance and risk assessment processes using KnowBe4's pre-built requirements and assessment templates

Request Your Demo!

Enterprise Organisations Have as Much as an 85% Chance of Receiving a BEC Attack Every Week

Mon, 20 Sep 2021 08:31:00 +0000

Blog courtesy of KnowBe4

Written by Stu Sjouwerman

In addition to enterprises having a high probability of attack, according to Abnormal Security’s Q3 2021 Email Threat Report, businesses of every size are at risk:

Small organisations under 500 employees have a 42% probability of receiving a BEC attack each week
Mid-sized organisations, a 60-70% chance

Part of this growth is the expansion in operational methods used by cybercriminal groups seen on the dark web. Posts on cybercrime forums have been spotted that attempt to recruit or outsource functions related to BEC scams – particularly those looking for native-English speakers to help improve the credibility and efficacy of social engineering elements in BEC attacks.

Because BEC relies pretty heavily on social engineering and spoofing companies, domains, and/or an individual, putting employees through Security Awareness Training is an effective way to minimise the threat surface of phishing attacks and stop BEC attacks before they have an opportunity to make an organisation a victim.

Can hackers spoof an email address of your own domain?

Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit "CEO Fraud", penetrating your network is like taking candy from a baby.

Now they can launch a "CEO fraud" spear phishing attack on your organisation, and that type of attack is very hard to defend against, unless your users are highly ‘security awareness’ trained.

Find out now if your domain can be spoofed. The Domain Spoof Test (DST) is a one-time free service. Run this test so you can address any mail server configuration issues that are found.

Try To Spoof Me!

U.K. Organisations See Double the Number of Ransomware Attacks in the First Half of 2021

Tue, 31 Aug 2021 07:28:00 +0000

Blog courtesy of KnowBe4

Written by Stu Sjouwerman

Additionally, 63% of U.K. businesses affected by ransomware reported their organisations' brand was negatively impacted, according to CyberReason’s Ransomware: The True Cost To Business report, making ransomware a legitimate threat to business longevity in the U.K.

CybSafe’s analysis found that phishing was the primary cause of all cyber breaches reported to the ICO in the first half of this year, making up 40% of all successful attacks. Phishing continues to be a thorn in cybersecurity’s side, with some percentage of attacks finding their way past security solutions and into the Inbox where an unsuspecting user is fooled into clicking on malicious links and attachments.

It’s only through continual Security Awareness Training that users will elevate their state of vigilance, always being on the lookout for malicious content and reducing whatever threat surface remains by the time an attack reaches the Inbox.

Free Ransomware Simulator Tool

Threat actors are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

KnowBe4’s "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 22 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.

Here's how it works:

100% harmless simulation of real ransomware and cryptomining infections
Does not use any of your own files
Tests 21 types of infection scenarios
Just download the install and run it
Results in a few minutes!

Get RanSim!

Can the Microsoft 365 Platform Be Trusted to Stop Security Breaches?

Fri, 20 Aug 2021 13:45:50 +0000

Blog courtesy of KnowBe4

Written by Stu Sjouwerman

Lax security policies, a lack of security measures and solutions in place, and an expectation that Microsoft will address any security issues is putting organisations at risk.

Microsoft has gone to great lengths to ensure their Microsoft 365 platform offers modern security measures to keep their customers' data safe. But according to new data from cloud email security provider Hornet Security, 25% of organisations have reported a known email-based security breach, and it begs the question “why?”

According to Hornet Security, a lot of the issue resides with organisations not taking advantage of security features – whether from Microsoft or a third-party:

33% of organisations are not using Microsoft’s multi-factor authentication (MFA)
Of those using MFA, 55% of organisations are not using Conditional Access which scrutinizes connection requests beyond just providing credentials and additional authentication factors
Only 43% leverage Microsoft’s data loss prevention policies to keep data from leaving the organisation
68% of organisations expect Microsoft to keep email safe from threats

What’s interesting is that almost none of these features (with the exception of MFA) address the core issue – phishing and compromised credentials. For every organisation that has experienced a security breach, there’s a phishing email riddled with social engineering tactics and, more importantly, a recipient user who engages and activates attacker’s malicious content.

It’s imperative that organisations recognise the need to follow the attack kill chain and see one of the weakest links is the user who unwittingly enables threat actors by falling for phishing scams. Users that undergo continual Security Awareness Training are better equipped on a daily basis to see phishing attacks for what they really are and keep the organization safe by not playing their role in an email-based attack.

Request A Demo: Security Awareness Training

New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilise users as your last line of defence. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!

Save My Spot!

Defending Against Ransomware Attacks Should Start (and Can End) With Security Awareness Training

Fri, 20 Aug 2021 13:45:50 +0000

Blog courtesy of KnowBe4

Written by Stu Sjouwerman

Most cybersecurity strategies focus on layering in security solutions that prevent, detect, and respond to any kind of malware-based attacks – which includes ransomware. One aspect of the attack chain that can have a material impact on the effectiveness of your ransomware defence is the very prevalent human element. In most cases, phishing attacks are the primary initial attack vector, causing your users to stand squarely in between the ransomware attack and your organisation.

No single security solution can stop every attack, so it makes sense that because ransomware gangs – in part – require users to interact with malicious email content to enable an attack, educating those users via Security Awareness Training to spot an attack to stop it from ever continuing.

So, your ransomware defence strategy should start with Security Awareness Training because you have no guarantee that the next attack will be stopped by solutions. But a user can make the difference between a boring normal workday and one where your entire operations has come to a screeching halt.

Free Ransomware Simulator Tool

Threat actors are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

Here's how it works:

100% harmless simulation of real ransomware and cryptomining infections
Does not use any of your own files
Tests 21 types of infection scenarios
Just download the install and run it
Results in a few minutes!

Get RanSim!

79% of Employees Have Knowingly Engaged in Risky Online Activities in the Past Year

Wed, 18 Aug 2021 15:01:00 +0000

Blog courtesy of KnowBe4

Written by Stu Sjouwerman

With employees not believing that it’s important to personally worry about cyber security risks, they also tend to believe they’re not a target, new data suggest as the reason for the risky behaviour.

In most cyberattacks, the employee plays some role – clicking on a malicious attachment, giving up their corporate credentials to an impersonated logon page on the web, or taking specific action because they were fooled into believing their CEO or boss told them to. So, it’s important for employees to not engage in risky online behaviours.

But according to new data from security vendor Thycotic, employees simply aren’t prepared and educated to think about corporate risk, let alone their role in helping to mitigate that risk. In their newly released Balancing Risk, Productivity and Security report, Thycotic point out some specific insights that clearly point to how and why employees are creating risk:

45% see the organisation being at little or no risk of cyberattack
51% say IT should be solely responsible to protect the organisation from cyber threats
79% of employees have engaged in one or more risky activities that include sharing credentials with colleagues, using the same password across multiple sites, using unauthorised personal devices to conduct work, and allowing family members to use their corporate device

One of the reasons is clear from the report’s data: 56% of employees have received no Security Awareness Training in the last year. Over half of employees aren’t having the concept of needing to be vigilant continually reinforced – so it’s no wonder these organisations are seeing employees introduce risk regularly.

If you want a vigilant and cyber security-minded employee, you need to continuously teach them about the importance of cyber vigilance. Otherwise, you’re going to end up with an organisation that is demonstrated by the Thycotic data.

Request A Demo: Security Awareness Training

Save My Spot!

BEC Attacks Are Targeting Lower-Level Employees

Wed, 18 Aug 2021 07:40:00 +0000

Blog courtesy of KnowBe4

Written by Stu Sjouwerman

A new report from Barracuda found that most business email compromise (BEC) attacks are now targeting employees who aren’t in executive or financial roles.

“Many organisations focus their training and protection on who they perceive to be the most targeted individuals within the organisation—usually executive and finance teams,” Barracuda’s researchers write. “However, 77% of BEC attacks targeted employees in other departments. Attackers look for an entry point and a weak link within your organisation, and then they work their way to more valuable accounts. This highlights the need to secure and educate every employee to the same level.”

Barracuda also found that one in five BEC attacks target employees in sales roles.

“Due to the nature of their role, sales reps are used to getting external messages from senders they haven’t communicated with before,” the researchers write. “At the same time, they are all connected with payments and with other departments including finance. For hackers, these individuals could be a perfect entry point to get into an organisation and launch other attacks.” They also have access to a lot of contacts

IT departments were another prime target, with each IT employee being targeted by an average of forty attacks.

“When we look at the number of phishing emails targeting IT teams, although they received only 5% of the total number of attacks, each employee was targeted by 40 email attacks, which is well above average,” the researchers write. “IT staff has access to business-critical applications, so compromising their accounts can be extremely valuable to hackers as it will give them access to organisations’ security and IT infrastructure. Cybercriminals tailor their attacks to their victims, so there were barely any BEC attacks, which usually look for quick monetary return, targeting IT teams. However, when it comes to attacks that include phishing URLs designed to compromise accounts, IT was one of the top targets.”

New-school security awareness training can enable employees throughout your organisation to recognise and thwart social engineering attacks.

Barracuda has the full story.

Request A Demo: Security Awareness Training

Save My Spot!