📡 InfoSec radar #2 – Nov20

Written by Chris Hepple, Head of Information and Cyber Security | Posted in News on 6 November 2020

“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.” – Stephane Nappo

Your monthly InfoSec roundup from our Head of Information & Cyber Security, Chris Hepple

The National Cyber Security Centre (NCSC) is a Government organisation that provides advice and support to the public and private sectors on security threats. I encourage all colleagues and clients to follow its reporting, as it publishes current threats that could affect our businesses, products and/or services. I have focused this month’s blog on the articles most relevant to our business and industry.

☁️ Cloud Security: The way forward?

A survey of over 200 UK organisations showed that moving to a cloud-based IT environment had saved them from collapse, given the increased demand for remote working brought on by the COVID-19 pandemic.

However, the pandemic has also highlighted the potential weaknesses in IT security, with more than half of the businesses polled seeing an increase in hijack attempts on employee accounts and impersonation attacks becoming harder to detect.

Further analysis from security experts has warned of the increased likelihood of remote workers falling victim to cyber-attacks. This is largely due to inadequate security protection on personal devices and home broadband routers, or to workers becoming ‘distracted’ and clicking on harmful links.

⚠️ HICS comment – The financial sector, just like many other industries, relies on the cloud to support its products and services. Senior management buy-in and budgeting are essential to ensure the right balance of security is implemented. I always recommend Multi-Factor Authentication, which puts a big hurdle in front of hackers’ attempts.

🛳 Passenger data compromise confirmed by Carnival

Cruise operator Carnival have confirmed that passenger data was accessed during a ransomware attack on 13 August.

The illegally accessed customer and employee data may have included names, addresses, dates of birth, contact numbers and passport numbers. Carnival’s statement can be read in full here.

Carnival have stated that they have been working as quickly as possible to notify the affected victims.

⚠️ HICS comment – Whilst this incident is in the travel industry, the same attack could quite easily be used against financial services and institutions. If you fail to secure your systems you are effectively opening the door for criminals to exploit, and they will take full advantage of it. GDPR has put massive pressure on all businesses to ensure they are taking appropriate steps to secure customers’ data; you don’t want to be caught up in any breach, especially one where the regulator will assess whether you face a penalty of 2% or 4% of annual turnover.

🛍 Marks & Spencer CEO spoofed

Cyber criminals are using fraudulent advertising to entice shoppers to claim a free gift voucher as part of a fake prize draw, by impersonating the M&S CEO, Steve Rowe.

Unwitting victims who click on the ad are redirected to an M&S branded portal and invited to enter personal information such as an email address, mobile telephone number and bank details.

Our recent post details the use of malicious URLs linking to fake celebrity-endorsed investment schemes.

⚠️ HICS comment – I have investigated several attempts at spoofing throughout my career. These attacks can be customer-facing, employee-facing or even targeting specific business functions. It is vital that you have a set process for authorising budgets, issuing instructions and requesting information/funds – these attacks will be easily spotted if a process is established and all staff understand it. The attempts in my previous roles were spotted by aware and competent colleagues. It is extremely important you provide your staff with the tools and knowledge to fulfil their roles and responsibilities.

If you need to report a fraud or a cybercrime attack, please refer to the Action Fraud website. You can also report a potential phishing message to the NCSC using the Suspicious Email Reporting Service (SERS).