KnowBe4 have recently released details about a new form of Phishing Attack. Users are receiving emails from HR which are offering better benefits or pay rises. That’s something we’d all like just before the holidays. These emails normally have a link which looks like a SharePoint document, but in fact it is a phishing landing page. Quite often phishing attacks spoof email addresses. At first glance it looks like it’s come from a legitimate source, maybe your HR manager. If you receive an email or phone call you feel is suspicious it would pay to call the person appearing to have sent the message. They will be able to confirm if they actually sent it to you. I nformation for this article was taken from KnowBe4

It’s very easy to look at security as just protecting yourself from attacks from outside your own organization. The below article shows there are a lot of things we must think about with our internal staff and contractors. These threats can be either malicious or accidental. One very interesting statistic from SolarWinds shows 62% of businesses found insider mistakes were the leading cause of security incidents. Whether malicious or not, the result can be devastating to an organisation. The article focuses on two commonly overlooked security issues – employees who leave your organisation, and imposters who try to get passwords reset. Continue reading at the link below to see how these can happen and, more importantly, what can be done to help prevent these breaches. Source Article

Ransomware is something may have heard about on the news but don't fully understand. The most high profile cases this year include Baltimore City government who were hit with a loss of over $18 million and multiple healthcare provides. One of these healthcare providers paid $75,000 to recover it's encrypted files.

Companies are test phishing their employees to ensure their staff are security educated to reduce security attacks.

Multifactor Authentication security measures are essential to reduce the risk of automated attacks.

CertNZ recently published the top 11 cyber security tips for your business as cyber security attacks on businesses are becoming more and more common. You have to make sure you do everything to keep your business safe, no matter of the size of your business. This includes protecting your data, network, customer information as well as your reputation. A printable version of this guide is available at Cert NZ . 1. Install Software Updates All devices and software should be up-to-date. Installing software updates is the most effective and basic way to prevent attacks and keep the system safe. Devices should be supported by the manufacturer at any time, and software updates (patches) for the operating systems are installed as soon as they’re available. Patches are much more than adding new features to software, they most importantly fix security vulnerabilities. Installing patches prevents incidents caused by attackers who use these vulnerabilities to gain access to your system. It is to advise to put a decent security policy in place. To do list: Set your system preferences to install any new patches automatically. In case your system may need to have the patches tested before rolled out, make sure your IT support provider has a plan in place to apply them within a few weeks of release. Make sure any servers or computers that you manage for your business run on operating systems that are still supported and patched. Enforce staff to use supported operating systems and to install any patches as soon as they're available also in mobile devices. With staff using BYOD - bring your own devices, make sure they are running supported operating systems and software before they access your business network and keep devices up-to-date. 2. Implement two-factor authentication (2FA) Implement two-factor authentication (2FA) to secure your business protects both your systems and your customers’ accounts. Anyone logging in to your system will need to provide something else on top of their username and password, to verify their identity. It can be implemented on both internal systems and customer-facing systems. Credential reuse, sophisticated phishing attacks, and many other cyber security risks can be mitigated by using 2FA. To do list: Enable 2FA on your key systems, like your: email services cloud aggregator services, for example Office 365, GSuite, or Okta Cloud Connector document storage banking services social media accounts accounting services, and any systems that you use to store customer, personal or financial data. Enforce the use of 2FA for each user in the system. Focus on using systems that support the use of 2FA. They should be a requirement for any new system that your business uses. Make it mandatory, not optional. 3. Back up your data It is essential to regularly back up business data provided from customers or staff, such as employee or customer personal details, customer account credentials, generated by the organisation, such as financials, operational data, documentation and manuals, system-based, such as system configurations and log files. If data is lost, leaked or stolen, it will need to be restored. To do list: Set your backups to happen automatically Store your backups in a safe location that’s easy to get to — and isn’t on your own server and/or offsite. Consider cloud backup services and talk to your IT provider Test backups regularly 4. Set up Logs Logs record all actions been taken on your systems. Logging helps to find out when an incident may be about to occur, e.g. multiple failed logons to your network, or when an incident has occurred, e.g. a logon from an unknown IP address. Logs can be set up to alert you to any unusual or unexpected events. To do list: Set up logs for: multiple failed login attempts, especially for critical accounts. This includes services like Office 365 or GSuite successful logins to your CMS and changes to any of the files in it (if you don’t change them often) changes to your log configurations password changes 2FA requests that were denied anti-malware notifications network connections going in and out of your network. Setting the logs up to notify you about any unusual events by email. Set email notifications up for events that shouldn’t happen often, like multiple failed logons or denied 2FA requests. Store logs in a safe location and make sure they’re encrypted. Access to the logs should be limited to only those that need it. Consider archiving them to offline storage and keeping them for a while in case you ever need them. Talk to your IT service provider, we are happy to help. 5. Incident Response Plan - Create a plan for when things go wrong If your business has a cyber security incident, you’ll need to know what steps to take to keep your business running. An incident response plan helps to get the business back up and running quickly. The plan should be put in place ahead of time. To do list (after identifying a security incident) : Call in reinforcements with prepared contact list Tell your staff Communicate to clients/customers Operate business as usual under unusual circumstances Reflect what happened 6. Update Default Credentials Default credentials are login details allowing full administrative access. They are used for the initial setup, and then changed afterwards. Unfortunately, these default credentials are often forgotten to be changed and easy to find or guess or find online at the same time. To do list: Check for default account credentials on any new hardware or software you buy, or any devices that have been factory reset. Change them. Make the new passwords long, strong, and unique. Use a password manager to store your usernames and passwords. They’ll be encrypted and you don’t need to remember. 7. Choose the right Cloud Service Select a cloud service provider who will provide the right services for your business. Cloud services are generally used for access to software without needing to buy it yourself, access to your data from any device, at any time, and for storage space and backups for your data. When using cloud services check the provider if they take your security needs and your data seriously. To do list: Check your cloud services: if they’ll back up your data for you, or if you have to do it yourself if they offer the option to use 2FA (if not, see if there’s another provider who does) if they’ll notify you of a security breach if it happens what happens to your data if they’re bought out by another company, or if they go under if they have a public security policy, and a way for you to report security problems to them. Check where the servers that they use to hold your data are located (jurisdiction). 8. Only collect Data you need Only collecting the data which is really needed from customers should be collected. The level of risk is based on the amount of data stored — the more data collected, the more valuable and attractive it is to an attacker. Reduce the risk by only collecting what is needed. To do list: Only saving and storing the information which is needed from a new customer or client. Be clear about why you need it. Make sure you’re encrypting any data you collect at any time including transition as well as storage in a database. CertNZ refers to the Privacy Commissioner who has built a tool, Priv-o-matic, to help creating a privacy statement that you can share with your customers. It can be used to tell how you’ll collect, use and disclose their information. 9. Secure your Devices Install security/ anti-malware software such as Antivirus on any device that accesses your business data or systems. It prevents malicious software e.g. viruses or ransomware from being downloaded. This includes both company owned devices and any BYOD devices that belong to your staff. This is one of the basics to minimise your risk To do list: Use the security features that come as a default with your computer’s operating system. This includes Windows Defender for Windows 10 devices, or Gatekeeper for OSX. Otherwise, use security software that can prevent and detect malware and that gets updated regularly. Don’t let your staff access your network with devices that are jailbroken or rooted. 10. Secure your Network Configure network devices like firewalls and web proxies to secure and control connections in and out of business network. Also using a VPN that in best case relies on 2FA when remotely access systems secures the network. To do list: Limit access to the internet-facing parts of your network to only those who need it. Use a VPN if you need to remotely access systems on your business network. Make sure the VPN software you use requires 2FA. Use separate VLANs for your business network to control what parts of the network can talk to other parts. Put servers with sensitive data on a separate VLAN from the one that your employees’ computers are on and use firewalls to control how those two VLANs talk to each other. Talk to an IT or network engineer to explain what your business does, and what you use your business network for. They can help you configure any separate networks or network devices that you may need to protect yourself. 11. Check financial details manually Manually checking unusual or unexpected online business requests prevents incidents such as for example invoice scams. It can be hard to tell when an email recipient’s behaviour is ‘phishy’. Therefore, using another channel to check the person or company is recommended. This can be a phone call or a text message before approving any payments. To do list: Set up a clear process for how to make sensitive business transactions or changes. Determine what’s sensitive for your business and make sure these thresholds are clear so your staff know when to raise a red flag. Use a separate channel of communication to verify a transaction or change before it happens. Have a clear point of escalation for your staff. Put a process into your incident response plan.

Internal Facebook documents released by a U.K. parliamentary committee offer the clearest evidence yet that the social network has used its enormous trove of user data as a competitive weapon, often in ways designed to keep its users in the dark. Facebook has been accused of cutting special deals with some app developers to give them more access to data. At the same time other potential rivals have been cut out. Other documents showed Facebook executives discussing how company data and user data is collected. It considered quietly collecting the call records and text messages of users of phones that run on Google's Android operating system without asking their permission. More than 200 pages of documents on the tech giant's internal discussions about the value of users' personal information have been released by the U.K. committee covering the period between 2012 and 2015. It indicates the company's inner workings and the extent to which it used people's data to make money while publicly vowing to protect their privacy. It is concerning how little users actually know about how Facebook treats their data. Facebook called the documents misleading and said the information they contain is "only part of the story." "Like any business, we had many internal conversations about the various ways we could build a sustainable business model for our platform," Facebook said in a statement. "But the facts are clear: We've never sold people's data." In a Facebook post, company CEO Mark Zuckerberg was intending to put the documents in context. "Of course, we don't let everyone develop on our platform," he wrote. "We blocked a lot of sketchy apps. We also didn't allow developers to use our platform to replicate our functionality or grow their services virally in a way that creates little value for people on Facebook." The U.K. committee got hold of the documents from app developer Six4Three, maker of a now-defunct bikini-picture search app. Six4Three acquired the files as part of a U.S. lawsuit that accuses Facebook of deceptive, anti-competitive business practices. The documents remain under court seal in the U.S. The documents "raise important questions about how Facebook treats users' data, their policies for working with app developers, and how they exercise their dominant position in the social media market," said committee chair Damian Collins. Facebook for example collected data about the mobile apps its users favoured to help it decide which companies to acquire. It also said Facebook knew that an update to its Android mobile app phone system — which allowed the Facebook app to hoover up user call logs and text messages — would be controversial. "To mitigate any bad PR, Facebook planned to make it as hard as possible for users to know that this was one of the underlying features of the upgrade of their app," the committee summary pointed out. The documents also show Facebook would jealously safeguard its interests. In a January 2013 email exchange, Zuckerberg signed off on cutting access to Twitter's Vine video-producing app, which had allowed users to find their friends on Vine by pulling in data from Facebook. Also, a robust internal discussion about linking data to revenue could be found in the documents.

Protecting your customers from a Data Breach is a very real, very valid concern. With rapid implementation of the General Data Protection Regulation (GDPR) and Australia's new Notifiable Data Breach (NDB), companies across the world are having to react and adapt quickly, to secure their system from the risk of their customers data being exposed. New Zealanders are not immune from hefty fines, penalties and sanctions in failing to protect information of their customers and it is only a matter of time before New Zealand law follows suit, to enforce its own set of laws around the way data is handled. We will keep you updated as we learn more, however ensuring your systems and data are secure from hackers is an essential action with or without legislation.

Changes to the Privacy Act could force NZ businesses to notify people when they have a data breach. Currently in NZ, if a cyber-attacker steals personal information from a company, the company doesn't legally have to alert those people who are affected or even tell the Privacy Commission. But thankfully, new privacy laws that were introduced into Parliament in March 2018 could make this a thing of the past. One of the main changes to the Privacy Act, currently with the select committee, is a mandatory data breach notification which will force public and private sector agencies to notify affected individuals, and the Privacy Commissioner, if they experience a 'data breach which poses a risk of harm'. Failure to do so, could result in a fine of up to $10,000. This would encourage businesses to increase security around data storing and sharing, and potentially obtain insurance specific to cyber-security risks. How do I prevent or minimise data breaches? As a business, there are several things you can do to help you stay one step ahead of cyber- crime, such as: • Learn how to identify and deal with cyber-attacks – Make sure you're up-to-date with the latest ways on how to identify, prevent, and minimise data breaches. • Educate employees - Teach your staff the most secure ways of data sharing and storing, and how to identify and deal with data breaches. • Evaluate your technology – Check if your software and hardware can adequately identify and deal with data breaches in real time. • Analyse your data security - Ensure that IT and printer software and security is comprehensive, up-to-date and monitored on a 24/7 basis. • Minimise the amount of personal information you hold – This can be a tough one, especially when it comes to marketing databases, but if you can, try and decrease the personal data your organisation stores. • Encrypt and anonymise personal data – When you can, encrypt or anonymise personal information.