World Password Day

As cyber-attacks become more frequent, and more sophisticated as the technology behind them advances, it is more important than ever to make sure you have a fortified front. The aim is to avoid the risk and stress of losing not just what matters most, but everything.

In this article, we will discuss how to improve your passwords, and how to stay on top of them, in 5 easy steps.

Nothing simple

This one is obvious, but it is easy to forget when we are in a time crunch or feeling a bit lazy. Don't choose something that can easily be guessed just because you can't be bothered to take the time to make a proper one.

Don’t keep things the same

Don't use the same password for every account you have. Otherwise, a hacker only needs to guess one password correctly to gain access to them all. It seems like another simple tip we all know, but it still happens: it only takes one repeated password, and before you know it every account has the same one.

Do keep things the same

It makes sense to change your password often, but it may not actually be the right thing to do. Changing your password often can lead to poor choices made out of habit, like just adding a few numbers on the end.

Make it as long and as random as possible

We are going to talk about password management and how to make sure you remember your passwords, so don't worry about making the password as crazy as you can imagine. That is exactly what we are encouraging! The longer and more random it is, the harder it will be to crack. You could even turn it into a game, making the longest and craziest password possible.
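
As an added illustration of why length and randomness matter (and of why tacking a few digits onto an old password, as the previous tip warns, adds little), here is a small Go program written for this page; it is not code from the original article. It draws a password uniformly from a character set using the operating system's CSPRNG and estimates its entropy as length × log2(alphabet size). The alphabets, lengths and the guessing rate it prints against are assumptions for the demonstration, not figures from the article.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
)

// Alphabets for the estimate (assumed); their sizes are what drive the entropy figure.
const (
	LowerAlphabet = "abcdefghijklmnopqrstuvwxyz"
	MixedAlphabet = LowerAlphabet + "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{};:,.?/"
)

// EntropyBits is the entropy of a password of the given length drawn uniformly
// at random from an alphabet of alphabetSize symbols: length * log2(alphabetSize).
func EntropyBits(length, alphabetSize int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// ExpectedGuesses is the average number of guesses needed against a password
// with the given entropy: half the keyspace.
func ExpectedGuesses(bits float64) float64 {
	return math.Pow(2, bits) / 2
}

// YearsAtRate converts a guess count into years at a caller-supplied
// guesses-per-second rate (the rate is an assumption, not a measurement).
func YearsAtRate(guesses, perSecond float64) float64 {
	return guesses / perSecond / (365.25 * 24 * 3600)
}

// AppendedDigitsBits models the "just add a few numbers on the end" habit:
// someone who already knows the old password faces only log2(10^d) bits of
// uncertainty from d appended decimal digits, however long the old one was.
func AppendedDigitsBits(digits int) float64 {
	return EntropyBits(digits, 10)
}

// RandomPassword draws length characters uniformly from alphabet using the
// OS CSPRNG; sampling with big.Int avoids modulo bias.
func RandomPassword(length int, alphabet string) (string, error) {
	out := make([]byte, length)
	n := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

func main() {
	const rate = 1e10 // assumed offline guessing rate, guesses per second
	for _, c := range []struct {
		name     string
		length   int
		alphabet string
	}{
		{"8 lower-case letters", 8, LowerAlphabet},
		{"16 mixed characters", 16, MixedAlphabet},
		{"32 mixed characters", 32, MixedAlphabet},
	} {
		bits := EntropyBits(c.length, len(c.alphabet))
		fmt.Printf("%-22s %6.1f bits  ~%.2e years at %.0e guesses/s\n",
			c.name, bits, YearsAtRate(ExpectedGuesses(bits), rate), rate)
	}
	fmt.Printf("old password + 3 digits adds only %.1f bits\n", AppendedDigitsBits(3))
	pw, err := RandomPassword(24, MixedAlphabet)
	if err != nil {
		panic(err)
	}
	fmt.Println("example generated password:", pw)
}
```

Run it with `go run main.go`. The entropy figure assumes the password really was drawn at random; a memorable phrase or a dictionary word with substitutions has far less entropy than its length suggests, which is why the generated string comes from the CSPRNG rather than from the user.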

Good management

With all these passwords for all these different accounts, it is impossible to remember them all on your own. There are plenty of reliable apps and sites (password managers) that can store and remember your passwords for you. For extra protection, keeping a record of your passwords on a separate data storage device is a further step.

Avoid paying a King’s ransom for your data

By John Michael

The path of digital transformation, accelerated by the unique requirements of the pandemic, has led to untold efficiencies and revolutionary connectivity – but it has also ushered in a new era of threat. More pernicious ransomware puts data at greater risk than ever, and the rise of remote and hybrid working means criminals now have a vast number of new avenues through which it can be deployed. Analysts are calling this the ‘golden age of ransomware’ – and it’s time for the industry to fight back.

Ransomware works

Recent ransomware attacks have demanded upwards of US$70 million [1], and cybercrime itself costs organisations $6 trillion per year in global damages [2]. Ransomware spreads through phishing emails, unprotected personal computers, exposure to public Wi-Fi and zero-day vulnerabilities, and 46% of those hit by a ransomware attack pay the ransom, at an average of over US$800,000 [3]. The money behind ransomware makes it an increasingly professional criminal endeavour.

Ransomware-as-a-Service (RaaS) sees ransomware authors offering clients off-the-shelf malware variants and cybercrime expertise. Criminals are also getting bolder, moving from locking down data to stealing and threatening to share it – known as double extortion – or making ransom demands to a business’s third-party clients, called triple extortion. An attack could cause serious reputational damage as well as significant business downtime [4] and the resulting financial loss.

The human element is a greater liability

Ransomware’s rise has much to do with the vast growth in network-connected hardware and software. IoT devices, particularly if not patched, can act as a gateway to an improperly secured network. The speed at which IT departments were forced to roll out remote access systems during the pandemic left many inadvertent loopholes. These are easier to exploit following the move to more home and hybrid working, which sees employee hardware placed on insecure home networks and public Wi-Fi.

While zero-day attacks, which exploit platform vulnerabilities, are a real and present threat, they are not something that can easily be prepared for. Moreover, phishing, a common method of network infiltration, has become ever more complex and devious over time. The richest prizes have come from those with the highest level of access, and hackers perform detailed reconnaissance on key targets.

Employing a Zero Trust strategy

Minimising the possibility of IT infrastructure attack means taking a Zero Trust approach – building a framework whereby no entity which interacts with your organisation has any implicit trust. Every device, user, platform, tool or vendor must clearly demonstrate its security credentials, particularly as liability for data breaches is highly unlikely to be passed on to third parties. Employees must be trained to understand this, and a workplace culture must be built around cyber hygiene and resilience.

However, even savvy employees can slip up in a tired moment. Hackers with enough insider knowledge may be able to gather sufficient information to infiltrate a network regardless of an organisation’s policies. The tactic now must be to secure the key asset of any business – its data – by implementing consistent encryption and employing a backup policy. Backups must be as protected as core data, ideally with strong encryption, and kept in triplicate online, offline, and off-site.

Protecting the keys to the kingdom

Key access must be protected. The Zero Trust philosophy is doubly important here: trusting keys to a cloud storage provider, for example, could result in the data and keys being compromised in the event of a data centre breach. Moving encryption to a hardware module ensures that data can be protected end-to-end and rendered functionally useless as collateral for hackers. Using hardware encryption on backup drives or USB sticks further strengthens protection in the case that the media is lost or stolen.

There may be no real technological way to stop ransomware attacks from happening, particularly with the human element so vulnerable. True security comes from physical and logical separation between keys and data: if we can render ransomware attacks useless and have a plan in place for recovery, they will end up little more than a very temporary inconvenience.

[1] https://www.theverge.com/2021/7/5/22564054/ransomware-revil-kaseya-coop

[2] https://www.sdxcentral.com/articles/news/cisco-ceo-cybercrime-damages-hit-6-trillion/2021/05/

[3] Sophos, State of Ransomware 2022: https://assets.sophos.com/X24WTUEQ/at/c5234fvn45pvmk5w6nhh4vkh/sophos-state-of-ransomware-2022-infographic.pdf

[4] https://www.statista.com/statistics/1275029/length-of-downtime-after-ransomware-attack/

Maximising data protection for secure remote working

By John Michael

The dynamic of the workplace has shifted. A hybrid or flexible model has become the preferred method of working for millions of employees, with remote capabilities allowing greater freedom to collaborate and innovate outside of the confines of the 9-5 office. Yet, despite its many benefits, remote working raises questions about data vulnerability.

Rising cybercrime and the emergence of ‘ransomware-as-a-service’ mean that the safeguarding of company and personal data has never been more critical. With data regularly moved between home, fixed office and even a co-working space, it is imperative to consider security hygiene, and how it can be improved, if the hybrid model is to succeed long term.

Transport files securely

The demand for flexible working means a growing number of devices are potentially on the move, rather than being kept at a permanent desk within a fixed office. The likelihood of a device being lost or stolen therefore increases dramatically, potentially placing sensitive files and company data directly into the hands of a malicious threat actor.

Encrypt data in the cloud

The cloud is often the preferred option for remote workers to connect and collaborate. However, concerns over cloud security mean that a business might hesitate to use its services for data storage. To ensure total privacy, data must be encrypted, but that encryption cannot be left to the cloud service provider (CSP): if the encryption key is stored in the cloud, it is accessible to hackers and cloud staff alike.

The solution is to remove the encryption key from the cloud and physically store it within a PIN-authenticated external USB module. This allows users to access data stored in the cloud while also being able to securely encrypt information held on a local computer or network drive, or sent via email or a file-sharing service.

Centralise data management

Multifactor authentication is a highly recommended best practice for data protection compliance. If a hacker were to obtain a cloud user’s credentials, the breach would go unnoticed by the cloud service provider, as it would be unable to differentiate a legitimate user from an attacker. The encryption module increases the security measures in place to as much as five-factor authentication.

Use of an encryption module by authorised staff will reduce the risk of data loss due to human error but doesn’t eliminate the possibility entirely. This is where central management is needed, enabling those responsible for cloud and data security to monitor file activity, set geo-fencing and time-fencing restrictions, encrypt file names and disable users’ access to data remotely.

Back up sensitive information

Regularly backing up encrypted files is essential best practice. Using a 3-2-1 strategy, for example, means having at least three copies of the data in total, two of which are local but on different media, and at least one copy stored off site.

Consideration should also be given to the means of data storage. A PIN-authenticated, encrypted USB flash drive or HDD/SSD with an on-device crypto-chip and AES-XTS 256-bit hardware encryption offers the highest levels of protection. Adding an extra layer of security, such as a secure microprocessor that is Common Criteria EAL5+ Certified, utilises physical protection mechanisms designed to prevent a wide array of cyber-attacks.

Retaining full responsibility for data encryption and management will contribute to maintaining business continuity, helping managers uphold staff compliance to data protection regulations and eliminating any complexity associated with flexible working models. This ultimately results in peace of mind and safer data.

Three critical ways to help financial services protect their data in the cloud

By John Michael

As the digital transformation agenda continues, the majority of retail and commercial banks aim to triple their use of cloud services by 2025, according to research [1]. Cloud-hosted data will enable them to improve agility, take advantage of greater storage capacities, streamline processes and move away from legacy systems. Yet keeping that data secure can be incredibly challenging. In this blog we look at three critical areas that should be addressed to ensure high levels of data security while still benefiting from cloud technology.

Use encryption technologies to reduce risk

State-of-the-art encryption could save a business from hefty fines under the GDPR in the event of a data breach. Yet worryingly, recent figures suggest that as much as 82% of the databases in the public cloud are not encrypted [2]. While cloud providers do offer encryption to customers, the only information required to access their data is a username and password. It therefore falls to financial services organisations to take matters into their own hands and ensure data is securely encrypted before it is sent to the cloud, both in transit and at rest.

For ultra-secure encryption, data should preferably be encrypted with a FIPS-certified, randomly generated AES 256-bit encryption key that is itself encrypted, providing the highest levels of security and protection. The user should retain full control of this key, ensuring that it is stored separately from their data. Taking this approach means that even if the cloud account is targeted and hacked, the data cannot be accessed.

Share information securely using multi-factor authentication (MFA)

In the financial services sector, highly sensitive information is shared regularly between businesses. While the cloud facilitates instant collaboration, co-operating parties should ensure that data is encrypted and that relevant stakeholders are provided with a copy of the encrypted encryption key to access the files. This introduces a multi-factor authentication (MFA) security procedure, even when data is sent to a third party.

As an example of insecure third-party access causing major issues, a data breach suffered by a South African bank in 2020 effectively put the data of 1.7 million customers at risk. While the bank’s own network remained secure, the breach occurred at the premises of a third-party business that had been entrusted with customer data for marketing purposes. Here, encrypted data with an encrypted encryption key stored separately would have prevented the incident.

Control access and centralise data management

Controlling access is a major factor in mitigating the risks associated with human error. Through centralised management, those responsible for cloud and data security in the organisation will be able to monitor and control file access, set geo-fencing and time-fencing restrictions, encrypt file names and disable users’ access to data remotely. This will go a long way towards eliminating security risks.

As financial services organisations continue to collect more data, the cloud can be a viable solution to the processing, storage and sharing of confidential information. But the cloud will only be useful in this regard as long as security measures can be enforced. High-quality encryption and effective centralised control of access to sensitive information will provide the financial services industry with the peace of mind that comes from having safer data.

Who is liable for your data in the cloud?

By John Michael

In an age of ‘cybercrime-as-a-service’, cyberattacks, arising from both state-sponsored groups and hacking collectives, are now inflicting unprecedented levels of damage, with the Cisco CEO reporting that it now costs US$6 trillion per year [1]. According to the Allianz Risk Barometer 2022 [2], cyber incidents have become the most important business risk, increasing in regularity and complexity. In a single month (May 2022), 49.8 million records were breached [3], with extensive media coverage reminding organisations to be mindful of their responsibilities.

Despite initial concerns about data hosted in the cloud, providers have been quick to promote security capabilities alongside the other benefits of scalability, cost and convenience. Yet the security element can be somewhat misleading. The terms and conditions of many major cloud providers include a ‘limitations of liability’ clause that places responsibility for data security with the cloud user. More stringent measures should therefore be considered when choosing cloud storage.

Encryption and key storage

When looking to establish robust security measures for cloud data, a vital step is to consider encryption. Cloud providers offer encryption as part of their service, which on the surface makes the job of IT and security personnel easier, since the burden is taken away as part of a convenient managed service. However, there is a pitfall in the way this data can be accessed.

Unlocking the stored data requires an encryption key. As this is often also stored in the cloud, it is potentially accessible not only to malicious threat actors but also to anyone working on the systems that hold the data. To be truly secure, the user needs to have full control of the encryption key and to ensure that it is stored separately from their data. Following this approach means that, even if the cloud account is targeted, the data it contains cannot be accessed.

Controlling shared data

While encrypting data that is to be shared is imperative, posting encrypted USB flash drives to and from stakeholders is time-consuming and highly impractical. Sharing encrypted data securely in the cloud allows for instant collaboration. Keeping the encryption key, which is itself encrypted with a PIN-authenticated code, away from the cloud increases the number of security measures from just one authentication (the cloud account login) to up to five-factor authentication.

[1] SDX Central (2021): Cisco CEO – Cybercrime damages hit $6 trillion

[2] Allianz (2022): Allianz Risk Barometer 2022: Cyber perils outrank Covid-19

[3] https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-may-2022-49-8-million-records-breached

Launch of Lockbit 3.0 ransomware and bug-bounty program

Recent news points to a new version of Lockbit ransomware which includes a bug-bounty program. The program offers payment in exchange for information about vulnerabilities in its own code as well as for intelligence about high-profile individuals. With cybercrime constantly on the rise, the emergence of ‘ransomware-as-a-service’ presents real cause for concern, meaning that the safeguarding of company and personal data has never been more critical.

Cyberattacks, arising from both state-sponsored groups and hacking collectives, are now inflicting unprecedented levels of damage, with figures reaching US$6 trillion per year [1]. Information held on any device, and even in the cloud, is vulnerable to such threats, but there are simple and effective steps that can be taken to minimise risk and maximise protection.

How can you protect your data against ransomware?

Firstly, data should be encrypted and regularly backed up. Using a 3-2-1 strategy, for example, means having at least three copies of your data in total, two of which are local but on different media, and at least one copy stored off site. This ensures that businesses always have an up-to-date record of their valuable information, and that even if it falls into the wrong hands, it remains secure.

In addition, data should be encrypted with a FIPS-certified, randomly generated AES 256-bit encryption key that is itself encrypted. AES-256 is a military-grade encryption algorithm that can be embedded into appropriate hardware as required. Confidential information stored locally on a computer or hard drive, sent via email or a file-sharing service, or shared via data transfer in the cloud should equally be securely encrypted.

Secondly, the encryption key should itself be encrypted within an ultra-secure Common Criteria EAL5+ secure microprocessor, along with a PIN-authenticated code. Storing the encryption key away from the data means that even if the data is obtained, it cannot be unlocked.

Retaining full responsibility for the encryption of sensitive information, even when stored in the cloud, will bring companies the peace of mind that comes from ensuring compliance with privacy and confidentiality laws, and ultimately, having safer data.

[1] SDX Central (2021): Cisco CEO – Cybercrime damages hit $6 trillion
