Why Backups Are Key Ransomware Targets

Tony MasonCyber Security, Data Backup, Data Protection

And 10 Best Practices for being Ransomware Resilient

We keep hearing “Ransomware is the new normal.”  Cyberthreats such as ransomware are a constant concern, now more than ever. The frequency of ransomware attacks continues to increase and new regulatory standards for cybersecurity are constantly being introduced. This means safeguarding your data (and business) against ransomware attacks is a necessity.

The frequency of attempted ransomware attacks respondents experienced over the past 12 months​:

IT managers, CISOs, and CIOs recognise the crucial importance of data protection within their organisations. They are seeking a ransomware solution, understanding that the risk extends beyond data to the entire business. Plus, ransomware is increasingly targeting backup data.

So, what’s the level of concern across those tasked with cyber resilience?

According to the Enterprise Strategy Group (ESG) report, “2023 Ransomware Preparedness: Lighting the Way to Readiness and Mitigation,” of the 600 IT and cybersecurity professionals surveyed, only 4% were not concerned at all about ransomware attacks affecting their data protection copies. That means 96% have at least some level of concern for their backup data! That’s nearly one in three voicing serious concerns.

Access the full report

Let’s examine the current ransomware landscape. This will help us understand why backups are becoming prime targets.  Then let’s identify the proactive and reactive measures companies should implement to avoid falling victim to ransomware. This analysis will guide us into discussing data protection best practices that ensure cyber readiness.

6 Reasons why backup is targeted by ransomware
  • Data recovery Ransomware attackers know that organisations depend on backups to recover from data loss incidents. By encrypting or deleting backup data, cybercriminals greatly diminish the victim’s ability to restore their systems and data without paying the ransom.
  • Business continuity: When backup data is compromised, an organisation’s ability to continue its operations is severely hindered. Ransomware attacks are designed to disrupt business continuity and inflict financial damage.  So targeting backups is a particularly effective way to achieve this goal.
  • Data value: Backups often hold a comprehensive record of an organisation’s data, including sensitive customer information, intellectual property, and financial records. Ransomware attackers may threaten to expose or sell this data to pressure victims into paying the ransom. They can also exploit compliance-critical data, putting organisations at risk of serious liabilities, substantial fines, and reputational damage.
  • Access and control: Once ransomware infects a system, it often spreads to other network devices. By compromising backups, attackers gain a strategic foothold in the organisation’s infrastructure, facilitating further attacks, ransom demands, and additional damage. This is a significant concern for businesses utilising Entra ID.
  • Lack of separation:  Cloud backups are often stored on the same network or in the same cloud environment as the primary data. This is true for Microsoft backups and others using public cloud services. If ransomware infiltrates one part of the network, it can easily spread to inadequately separated backups.  This will make them vulnerable. Put simply, one attack could reach all your production data and backup data. This brings to mind the saying ‘Don’t put all your eggs in one basket’.  It is also why true backup requires having backup data stored on a logically separate infrastructure. 
  • Minimal security measures: Historically, cloud backups have not received the same level of security scrutiny as production data. Many companies focus their security efforts on their active systems.  They also underestimate the need to secure backups adequately. If your backups aren’t stored safely and independently, how can you restore your data from them in the event of an attack? Organisations also now need to concentrate on how to secure their backups in a way that is compliant with all the new cybersecurity regulation being introduced.
The Protection Gap

The protection gap in data security refers to the potential vulnerability that exists between a company’s primary data and how well it can recover or restore that data should they experience data loss or a cyberattack.

This gap comes from the fact that while organisations invest in various security measures to protect their active data, they can often overlook comprehensive backup and recovery strategies. This oversight can mean your critical data is left exposed and susceptible to loss, damage, or theft.

We can see from the respondents’ answers in the report that backup infrastructure security is one of the most critical to protect. However, it is also one of the areas with the biggest gaps in ransomware preparedness.

Top four preventative security controls, as well as the top four gaps in ransomware preparedness:
What are the common vulnerabilities in data protection?
  • Inadequate access controls: Weak or improperly configured access controls mean that unauthorised users or malware are able to infiltrate backup systems.  This leads to compromising the integrity of the data stored there
  • Lack of air gapping: Ransomware can easily move between systems when backup systems share a network with primary systems. Without air gapping (network segmentation) this increases the risk of cross-contamination.
  • Insufficient authentication: If backups lack robust authentication mechanisms, cyber attackers can gain unauthorised access to backup data, then manipulate, or even delete it without any problems.
  • No data immutability: Without data immutability, backup data is vulnerable to tampering by ransomware. Attackers can alter or delete backup files, making them useless for recovery.
  • Single points of failure: A company can create a single point of failure if they rely on a single backup solution or location. If this point is compromised by ransomware, the company could lose both primary and backup data.

It is essential to understand the vulnerabilities and the tactics used by ransomware to attack backup systems in order to develop a comprehensive defence strategy that will protect valuable data assets and maintain business continuity.

Safeguarding your data: Data protection best practices

Organisations use many strategies and technologies to protect their cloud-based backups and to ensure data integrity.  There are also well-established best practices that are proven effective at keeping data safe and companies compliant with all regulatory bodies, such as NIS2 and GDPR.

These methods are essential for safeguarding cloud data against various threats, including ransomware.

Here are 10 best practices that organisations typically follow. 

These ensure cloud-based backups are protected and that businesses meet regulatory and compliance standards: 

  • Access control: Access to cloud backup systems is tightly controlled. Only authorised personnel are granted permission to modify or delete backup data stored in the cloud. Access control mechanisms may include role-based access control (RBAC) and multi-factor authentication (MFA) to enhance security. It’s also important to limit the number of subprocessors to as few as possible: Some backup solutions even have zero subprocessors.
  • Encryption: Backup data stored in the cloud is encrypted both in transit and at rest. This ensures that even if an attacker gains access to the data, it remains unintelligible without the right decryption keys.
  • Data immutability: Immutability features are implemented to prevent the unauthorised modification or deletion of backup data. This safeguards the integrity of the cloud backups, making them resilient to ransomware attacks.
  • Regular cloud backups: Organisations perform regular backups of their cloud data to ensure that information is backed up frequently. This minimises the amount of data that could be lost in an attack or data corruption.
  • Offline and air-gapped backups: Some organisations maintain offline or air-gapped cloud backups. These backups are physically disconnected from the network, making them immune to online attacks, including ransomware. Air-gapped cloud backups are especially effective in preventing data loss due to cyber threats.
  • Versioning/snapshot: Cloud-based backup systems often support versioning, allowing organisations to recover previous versions of files stored in the cloud. This feature is crucial for restoring data to a known-good state when ransomware has altered files.
  • Geographic redundancy/sovereignty: Large organisations may store cloud backups in multiple geographic locations within the cloud infrastructure to mitigate the risk of data loss due to regional incidents or localised cyberattacks. It’s vital that your data protection provider offers regional data centres and that they guarantee no data transmission outside of your selected region.
  • Regular testing: Cloud-based backup systems are regularly tested to ensure that they are functioning as expected. This involves not only verifying the backup process but also performing restoration tests to confirm that cloud data can be successfully recovered.
  • Monitoring and alerts: Continuous monitoring of cloud backup systems and alerts for suspicious activities are set up. Any unusual access or data modification triggers alerts that can be addressed promptly.
  • “Offsite storage” in the cloud: Backups are often stored offsite in cloud services. This protects cloud data in the event of on-premises disasters, such as fires or floods. But in cloud storage, having backup data outside of the production environment is key.

By implementing these protective measures, organisations can maintain the security and availability of their cloud-based backup data.  It helps them reduce the risk of data loss due to ransomware and other potential threats and thereby strengthening cyber resilience.

As organisations have become aware of the vulnerabilities in their data protection processes for backup and recovery, many are taking extra precautions to safeguard their backup copies, which are crucial for recovery in case of a crisis.

Let’s look at the percentage of organisations taking additional measures to protect their backup copies​:

As awareness grows of the vulnerabilities and data protection best practices, unfortunately only 40% of organisations are making extra efforts to protect all their backup copies. This gap in data protection is highlighted in the finding that after a ransomware attack, not all data can be recovered.

The amount of data organisations were able to recover after a ransomware attack:

The numbers show that there is still a lot to be done to prepare for the threat of ransomware.

For more information about data backup by our partner Keepit check here.

Keepit back up Microsoft 365, Dynamics 365, Power Bi, EntraID, Salesforce, Google Workspace, ZenDesk and AzureDevOps. They have immutable backup, encrypted in transit & at rest, air gapped, stored in 2 separate locations inline with NIST framework, with granular restore.

How To Build A Business Case For A Password Manager in 8 Steps

Tony MasonCyber Security, Data Protection, Email Security, Password Management, Security Awareness & Phishing

There are many reasons to be investing in a Password Manager.

Verizon’s recent Data Breach Report showed that 81% of hacking-related breaches used either stolen or weak passwords.

This is because most users are faced with credential overload, being responsible for at least 200 passwords, and often revert to bad password practices, such as:

  • creating simple, easy to remember passwords
  • reusing passwords
  • saving them in browsers or on sticky notes

When your users save passwords in the browser, it makes it easy for the bad guys to hack into your network.

Verizon’s recent Data Breach Report shows that attackers are increasingly successful using a combination of phishing and password dumper malware to steal your users’ credentials.   Once hackers gain access, they can steal usernames and passwords to any accounts saved in browsers. With 50% of employees using the same password for work and personal accounts, this makes the risk of credential theft and account takeovers even greater!

So you know it’s important to get a Password Manager but your boss or their boss is still hesitant.  Follow this guide to get the buy-in you need to implement a password manager:

1 Reveal the Risk

The first thing to do is show that poor password habits can put your company data at risk.  This is especially the case when more people are working from home & using more applications than ever, with an ever-increasing digital footprint.  On average users have at least 200 passwords and use the same passwords for personal and work accounts.

2 Hear Them Out

It’s important to hear what hesitations the key decision makers have, whether that be cost, time or adoption. Then counter the arguments with facts, such as:

  • The average cost of a data breach caused by compromised or stolen passwords is $ 4.77 million according to IBM 2020.
  • 70% of people reuse passwords across business and personal accounts
  • 81% of all hacking related data breaches are caused by weak, stolen or reused passwords.
3 Highlight The Benefits

Focus on the tangible benefits of getting your employees to use a password manager.

  • Eliminating Reused Passwords
  • Secure Sharing of Passwords
  • Ensuring Employees Don’t Leave with Sensitive Company Information
  • Cutting Down on Help Tickets for Lost Passwords

Check out this webinar from our partners at KnowBe4 https://info.knowbe4.com/truth-about-password-managers-partner-s3 

And this article from the National Cyber Security Centre https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/password-managers

4 Reveal Real Reviews

Investigate what other customers/suppliers have said about their experience with Password Managers. Our partner Dashlane helps 20,000 customers with 15 million users protecting their passwords.  Ask us for case studies: sales@s3-uk.com.

5 Present Your Roll Out Plan

Put together a step-by-step guide, including employee training material, to make deployment seamless & simple.  To prepare your company for onboarding, send out an announcement message & create a password policy, if you haven’t already. Check here for a useful guide on What Your Password Policy Should Be.

Once you’ve rolled out your password manager, continue by following up on pending invitations to ensure everyone is onboard. Then use the dashboard to check your Password Health Score. You’ll be surprised when you first start off!

6 Show How A Password Manager Can Integrate With Existing Cyber Security Efforts.

If you are using single sign on, a password manager is even easier to integrate into your IT security systems.

A password manager can enable you to bring up the subject of password hygiene in your cyber security discussions. It will help you drive a security culture change within the business & provide you with true facts about the password health of all staff members & the company as a whole, showing you your level of risk.

7 Conduct A Test Run

Many providers of password managers offer you a trial run.  Our partner Dashlane offer a free 30 day free trial up to 500 employees and the results are fascinating.  Get in touch with us and we’ll set you up: 01628 362 784.

8 Make An Immediate Impact

During the trial period, as employees create their accounts, and start to save logins, you can start measuring your company Password Health. Getting full visibility into your Password Health can be an eye opener. 

From there you can identify employees with bad password habits and take action.

With Dashlane, at the end of your trial, you can see how you’ve improved password security over time in your reporting dashboard.  This will give you a strong business case for the board.

For more information on Dashlane, check here

For KnowBe4’s best practices guide, check here

What is World Backup Day?

Tony MasonCyber Security, Data Backup, Data Protection, Microsoft 365 Security

World Backup Day, established in 2011 by a Reddit Group, is celebrated annually by the backup and tech industry all over the world.  It serves as a crucial reminder for both businesses and individuals to safeguard their data. Highlighting the importance of protecting data and keeping systems and computers secure. It encourages the creation and maintenance of backup copies to protect against potential data loss due to threats such as hackers or equipment malfunctions.

World Backup Day is 31st March, perfectly timed before April Fool’s Day. Reminding us that we’d be fools not to back up our data.

Since the pandemic and move to hybrid working, many companies feel that their data is less secure than pre-pandemic.  IT managers are worried that sensitive data is being saved on local machines, hard drives and cloud storage.  It’s no wonder that so many organisations have had at least one data breach.

Why is Data Backup so Important?

Having said this, more people are backing up their data year on year. However, many have still suffered a data loss.  Data can be lost via cyber threats such as ransomware & viruses but can also be device failure or simply human error.

Attackers are also known to specifically target backups, making it harder to recover your data. This leaves companies with no option but to pay ransoms.

Securing your data is vital to the survival of a business.  Not only from a business continuity point of view, but also from integrity and trust with customers & to maintain a business’s reputation. Therefore, companies need to create data backups as well as enforce data retention processes. 

Data Backup can protect you against cybercrime, ransomware and data loss.  It can also save you time and money from a management point of view as well as data recovery time after a data loss.  Plus, it can help you stay compliant.

Know Your Data

To start the process, it’s important to get a thorough understanding of your data.  What do you have, what’s critical and where is it stored?  It’s also important to understand your compliance requirements, policies that govern the data & its retention. Businesses should have a data protection strategy, put processes in place and communicate these to the business.  Then ensure these processes are adhered to.

Restoring Data

The primary goal for data recovery after a cyber attack or loss of data, is to restore all the data.  However, secondary to this is the speed at which this can be done.

Therefore, it’s well worth moving from traditional tape or disk based back ups to modern cloud storage, enabling you to get up and running with minimal impact. 

You’ll also want regular recent backups so you can take off where you left off with as little data loss as possible. 

Having an immutable storage means no changes can be made; no corruption, deletion, modification or encryption of your files, providing you with restored data as soon as possible. It also means hackers won’t have leverage over you by holding your data at ransom or encrypting it.

Data Backup

National Cyber Security Centre (NCSC) New Principles For Ransomware-Resistant Cloud BackUps & Suggested Implementations

Having assisted many organisations where their backups have been compromised, the NCSC have come up with a set of new procedures which lay out best practice to make sure cloud backups are more resistant to ransomware.

They describe the features a service should offer for backups to be resilient to ransomware actors.  Be a Harder Target

Principle 1 – Backups should be resilient to destructive actions

Ransomware attacks look to destroy backups, so organisations cannot recover without paying the ransom. Therefore, the backup service should be resilient to attempts to destroy backup data including malicious editing, overwriting, or deleting:

  • Block any deletion or alteration requests for a backup once it’s been created.
  • Offer soft-delete by default – but monitoring is needed during the allowed review period.
  • Delaying implementation of any deletion or alteration requests – alerts need to be set up in a monitoring schedule. However, system owner needs to be confident that alerts will be successfully delivered if their infrastructure is compromised.
  • Forbidding destructive requests from customer accounts – all exceptional destructive requests must be authorised out-of-band using a pre-agreed mechanism between the customer and the backup service.
Principle 2 – A Backup system should be configured so that it isn’t possible to deny all customer access
  • Allowing customer access to the backup service, even if all existing corporate IT systems and assets are unavailable. Agree a separate out of band mechanism.
  • Forbidding any IAM policy that restricts access to a single account within an attacker’s control.
Principle 3 – The service allows a customer to restore from a backup version, even if later versions become corrupted
  • Providing mechanisms so that system owners can test whether they can restore from the current backup state. Test regularly as part of a regular monitoring process.
  • Storing backup data according to a fixed time period.
  • Creating and retaining a version history – so you can restore from a previous healthy version.
  • Offering flexible storage policies
Principle 4 – Robust key management for data-at-rest protection is in use.
  • Offering an out-of-band key backup option – commit a master key to paper, maybe QR Code, & held in a safe.
Principle  5 – Alerts are triggered if significant changes are made, or privileged actions are tempted.
  • The service offers a wide range of customisable alerts – monitor activity that affects the backup system.
  • Significant changes to how the backup system behaves or is accessed require extra authorisation and should automatically initiate extra protective monitoring.

For the full report see here: https://www.ncsc.gov.uk/guidance/principles-for-ransomware-resistant-cloud-backups

For immutable cloud backup for M365, Azure AD, Salesforce, Google Workspace, Dynamics 365 check out Keepit: https://www.s3-uk.com/wp-content/uploads/2024/03/Keepit-for-Microsoft-365-Product-Sheet-S3-Ltd.pdf

How Essential is an Incident Response Plan?

Tony MasonCyber Security, Penetration Testing

What is an Incident Response Plan? 

An incident response plan is a comprehensive and structured approach to addressing and managing security incidents within an organisation. Particularly, it outlines the steps, roles, responsibilities, and procedures to follow in the event of a security breach or any other adverse event that may impact the organisation’s systems or data.

What’s the Purpose of an Incident Response Plan? 

The main purpose of an incident response plan is to minimise the damage caused by a security incident. It helps to ensure a swift and effective response, reducing the impact on business operations, reputation, and customer trust. Having an IR plan helps to ensure that everyone knows what to do in the event of a cyber attack. It includes the plan and procedures. This can help minimise the damage caused by an attack, as well as help you recover more quickly. Additionally, having a plan in place shows that you take security seriously to clients and suppliers. It shows you are prepared to deal with any cyber attacks that may pose a threat. This can also help to deter attackers. They are more likely to target businesses that do not have strong security measures in place.

Benefits of an IR Plan 

Specifically, having an incident response plan in place offers several key benefits for organisations. These include:

  • Minimising Downtime: An incident response plan helps to minimise the impact of a security incident on business operations. By having predefined steps and procedures to follow, organisations can quickly and effectively respond to incidents. They can reduce downtime and ensure that critical systems and services are restored as soon as possible.
  • Protecting Data and Systems: An IR plan helps to protect an organisation’s data and systems by outlining the necessary steps to contain and mitigate the impact of a security incident. This includes isolating affected systems, identifying the root cause of the incident, and implementing measures to prevent future incidents.
  • Maintaining Customer Trust: Prompt and effective incident response is crucial for maintaining customer trust and confidence in an organisation. By having an IR plan in place, organisations can demonstrate their commitment to protecting customer data and privacy. This can help reassure customers that their information is secure, leading to increased trust and loyalty.
  • Complying with Regulations: Many industries have specific regulations and compliance requirements regarding incident response. Having an IR plan that aligns with these regulations helps organisations meet their legal obligations and avoid costly penalties and fines.
Why do you Need an Incident Response Plan? 

When it comes to protecting your business, being prepared for the worst is essential. An incident response plan is a critical part of any business continuity strategy. Overall, it provides guidance on how to deal with unexpected events that could disrupt operations.

Further, an effective incident response plan will help you minimise the impact of a cyber incident and get your business back up and running as quickly as possible.

What’s Included in an Incident Response Package?

At our partners, Pentest People, their Incident Response Plans offer industry-leading techniques and protocols to help businesses in the case of a breach or cyber attack. Their IR service helps take the burden of reacting to such an attack, utilising their expertise to reduce the damage and downtime for your business. 

They offer three reactive service packages: Basic, Standard, and Premium. The basic package includes the following: 

  • Identify which systems have been compromised
  • Determine which IPs were targeted
  • Confirm the type of attack
  • Quarantine of infected host/network/system
  • Clone Devices if required
  • IOC Gathering – Determine the cause of the attack
  • Implement controls to prevent any re-occurrence of attack
  • Vulnerability Scan
  • 3 Weekly Dark Web Scans

With standard and premium, adding more features to make your business fully prepared to react in the case of an attack. Their standard and premium packages are the most popular, offering that full secure protection for businesses in the case of an emergency attack. Take a look here.

Whether you have an incident response plan and need that extra assurance, or have been attacked and need some immediate help, get in touch 01628 362 784 & we’ll put you in touch with the IR Team.

Benefits of Penetration Testing as a Service 

Tony MasonPenetration Testing

What is Penetration Testing as a Service?

Penetration Testing as a Service (PTaaS) advocates a continuous cycle of testing and remediation. It suggests that your security posture is always changing.  So in order to combat this moving target, there must be an on-going program of testing, remediation and management. The Penetration Testing Methodology understands that there is a need to test and check the entire platform stack. From the operating system to the SSL certificate. PTaaS is all about establishing a regime of automatic checks and monitoring so that even the smallest aspects of your eco-system are protected.

Why is it Important?

The importance of Penetration Testing lies in its ability to identify and address security vulnerabilities before they can be exploited. By identifying weaknesses early on, organisations can take the necessary steps to mitigate any potential risks and protect their systems from future attacks. This is why it’s essential for organisations of all sizes to have a comprehensive Penetration Testing strategy in place.

Why Choose PTaaS Over Traditional Pentesting?

PTaaS, or Penetration Testing as a Service, offers several advantages over traditional penetration testing. First, it is more cost-effective. This is because it eliminates the need to hire in-house experts or consultants and allows for a flexible subscription-based model. Secondly, PTaaS prioritises risks by continuously monitoring systems and identifying vulnerabilities in real-time. This allows businesses to focus on addressing the most critical issues. Additionally, the results mobilisation is far more efficient, with continuous testing and immediate feedback, leading to faster resolution of security gaps.

PTaaS differs from traditional pentesting in several ways. In terms of scoping, PTaaS provides continuous testing and monitoring, as opposed to one-time assessments in traditional penetration testing. Delivery is also quicker with PTaaS, which offers on-demand testing as opposed to scheduled assessments. Moreover, PTaaS may offer additional services such as security training and compliance support. Integration with existing security tools and systems is seamless, and reporting is more comprehensive and real-time. Furthermore, PTaaS offers a variety of pricing models to suit different business needs. Overall, PTaaS provides a more cost-effective, risk-focused, and efficient approach to penetration testing.

The Differences Between Pen Testing and Pen Testing as a Service

Traditional pen testing involves conducting a point-in-time assessment of an organisation’s security posture using manual and automated tools. This approach provides a snapshot of vulnerabilities at a specific point in time and may not capture ongoing security issues. On the other hand, PTaaS offers continuous, real-time testing using a combination of manual and automated tools to enhance an organisation’s security strategy. PTaaS revolutionises the traditional pen testing model by introducing a continuous approach to web application security testing, providing IT professionals with the resources they need to conduct point-in-time and continuous penetration tests.

Benefits of PTaaS

PTaaS offers numerous benefits for organisations looking to secure their digital assets and safeguard against potential cyber threats. By providing a continuous and comprehensive approach to penetration testing, PTaaS ensures that an organisation’s systems, networks, and applications are thoroughly tested for vulnerabilities. Allowing for proactive identification and remediation of potential security weaknesses.

This proactive approach not only helps to prevent potential data breaches and cyber attacks, but also saves time and resources by addressing security issues before they become major problems. Additionally, PTaaS provides organisations with access to a team of security experts who can offer valuable insights and recommendations for strengthening their overall security posture. Overall, PTaaS offers a cost-effective and efficient solution for maintaining a strong and resilient security infrastructure.

Early Feedback on Code Changes

PTaaS, seamlessly integrates into the software development lifecycle by providing ongoing vulnerability assessments and security testing. By continuously monitoring code changes and identifying potential vulnerabilities, PTaaS alerts developers to security risks before new code is deployed. This proactive approach keeps development teams ahead of potential threats by providing early feedback on code changes, allowing them to address vulnerabilities promptly and effectively.

Fast Remediation Support

Fast remediation support offered by PTaaS providers can greatly enhance the efficiency and effectiveness of vulnerability remediation. These providers offer detailed assistance, visual aids such as screenshots and videos, and expert guidance to help developers locate and address vulnerabilities quickly and effectively.

Utilising these resources is crucial for streamlining the process of vulnerability remediation. The detailed assistance provided by PTaaS providers can help developers understand the root cause of vulnerabilities and provide step-by-step guidance on how to fix them. Visual aids like screenshots and videos can make it easier for developers to grasp the specific areas that need attention and how to address them effectively. Additionally, expert guidance from PTaaS providers ensures that developers receive the most accurate and up-to-date information for addressing vulnerabilities.

Access to Security Engineers

PTaaS, allows organisations to access a team of experienced security engineers without exhausting in-house resources. By connecting with security experts through PTaaS, organisations can efficiently resolve security gaps and streamline their approach to penetration testing. This ensures their team can focus on strategic initiatives while leaving the technical aspects to the security engineers.

Reduced Downtime

Proactive penetration testing, including the use of PTaaS and SecurePortal, can significantly mitigate service interruption risks and prevent financial losses associated with downtime. By conducting regular proactive penetration tests, organisations can identify vulnerabilities and weaknesses in their systems before they can be exploited by attackers. This allows for the timely remediation of any potential risks, reducing the likelihood of service interruptions and the associated financial losses.

PTaaS and SecurePortal provide the benefit of continuous monitoring and detection of major risks, allowing for immediate alerting and remediation. This proactive approach to identifying and addressing potential security threats can significantly reduce the impact of potential attacks. It minimises the risk of service interruptions and the resulting financial losses.

Check out the PTaaS offering from our partners: Pentest People.  They provide a fully digital service that streamlines the approach to Penetration Testing for your team. This leads to an easier process for everyone involved and makes securing your business simple.

Penetration Testing Secure Portal

Email Security Risk Remains High

Tony MasonCyber Security, Data Protection, Email Security

Outbound Email Security

A recent email security survey by Egress highlighted that outbound email is a source of breaches for almost every organisation.

91% of the surveyed cybersecurity leaders stated that their organisaton had experienced security incidents by outbound email data loss within Microsoft 365 in the last 12 months.

Causes of Outbound Email Security Incidents

Overall, these incidents were the result of employees breaking the rules or making mistakes while simply trying to get their jobs done. The top 3 causes were:

  1. Exfiltration of data for work purposes (sending data to personal accounts)
  2. Accidentally sending emails and files to an incorrect recipient
  3. Exfiltrating data for personal gain (taking data to a new job)

This is similar to 2022, but the negative impact on an organisation has gone up 8%.

There also remains a significant risk of internal breaches of confidentiality within an organisation.  Of the 76% that enforce information barriers internally, half (51%) have had them breached. Over half had to cease operations while they investigated the incidents.

Cybersecurity leaders reported intentional rule breaking as the top cause of outbound incidents.  However, on analysis of data in the Egress platform, Egress can see that it’s actually human error.  The reason cybersecurity leaders don’t know this is because they don’t have visibility and these type of mistakes very often will go unreported and will pass under the radar.

In order to quantify an organisation’s risk, you need visibility into the human risk.

Microsoft’s Security Control

88% of respondents said they were concerned about Microsoft’s security controls, the top outbound concern was being ineffective at stopping employees from accidentally emailing the wrong person, or with the wrong file attached.

Outbound email security remains a manual process driven by administrators.  94% use static email DLP rules & 51% are reliant on reviewing audit logs to detect breaches. To make these rules work takes a lot of admin time & rules need to be altered to make them usable. Outlook Autocomplete is seen as the culprit for most misdirected emails, but only 20% have dared to turn it off.

Supply Chain & Customers

82% of Cybersecurity leaders enforce email security requirements with their supply chain, with anti-phishing technology as the most requested defence (64%). Data loss prevention, however, is hot on its heels, with 56% of Cybersecurity leaders enforcing this with suppliers.

On the other end, 69% of respondents advised that they have seen an increase in customers requesting email DLP to be enforced.


In order to quantify and manage an organisation’s risk, Cybersecurity leaders and Data Protection Officers need to have better visibility into the human risk.

They need to know when someone is sending an email to the wrong person, or attaching confidential data to the wrong email or a personal email.  Plus, they need a solution that isn’t reliant on static rules, that are labour intensive to manage.

Check here for more information on Egress Prevent.

Read here for the full Email Security Risk report.

What is Penetration Testing?

Tony MasonPenetration Testing

Penetration testing, also known as ethical hacking, is a method of evaluating a computer system, network, or web application to identify potential vulnerabilities that could be exploited by cyber attackers. This process involves simulating real-world cyber attacks to uncover potential weaknesses in a system’s security defenses. Penetration testing aims to assess the security posture of an organisation’s IT infrastructure and provide recommendations for improving security measures. It helps organisations better understand their overall security posture and identify any potential vulnerabilities before they are exploited by malicious actors. This proactive approach to security testing is essential in today’s digital landscape, where cyber threats are constantly evolving. Also businesses need to be vigilant in safeguarding their sensitive data and systems.

Types of Testing 

Penetration testing involves simulating different attack scenarios to identify and exploit vulnerabilities in a system.

Black box testing is carried out with no prior knowledge of the system, simulating an external attacker. This type of testing helps in assessing the real-world security posture of an organisation.

White box testing, on the other hand, involves full knowledge and access to the system, often simulating an insider threat. This type of testing is useful for assessing internal security controls and the effectiveness of the organisation’s defenses.

Grey box testing falls between the two, with partial knowledge and access to the system. It simulates an attacker with limited knowledge of the internal workings of the system. The purpose of each type of testing is to assess the security posture of the organisation in different attack scenarios.

Black box testing evaluates the effectiveness of external defenses.

White box testing assesses internal security controls.

Grey box testing offers a balanced assessment of both.

Internal Network Penetration Testing

Internal network penetration testing involves simulating an attack on the organisation’s internal network. It aims to identify potential exploits, vulnerabilities, and misconfigurations that could lead to unauthorised access, data leaks, or other security breaches.

The testing process focuses on identifying potential exploits from both authenticated and non-authenticated user perspectives. This includes the exploitation of weak or default passwords, inadequate access controls, and privilege escalation. Vulnerability assessments identify and prioritise security weaknesses in accessible systems. Such as unpatched software, outdated protocols, and insecure network services.

Checks for misconfigurations are also performed to identify potential risks related to insecure network configurations, weak encryption, and improper access controls. Common exploits found in internal network tests may include leveraging unpatched software vulnerabilities, exploiting weak or default passwords, and bypassing inadequate access controls. Common misconfigurations that lead to data leaks may include insecure file permissions, unsecured network services, and inadequate data encryption.

External Network Penetration Testing

External network penetration testing involves several steps to identify vulnerabilities in the defined external infrastructure.

Firstly, assess the external network architecture to identify potential entry points for attackers. This includes scanning for open ports and services, identifying network devices, and mapping the external network.

Then, focus on checking the authentication processes. This involves testing weak or default credentials, verifying the strength of password policies, and assessing the effectiveness of multi-factor authentication.

Verify secure data transfer by analysing the encryption protocols used for transmitting sensitive information. This includes evaluating the configurations of SSL/TLS protocols and checking for potential weaknesses in data transfer processes.

Finally, check for misconfigurations in the external network infrastructure. This includes reviewing firewall rules, examining the configuration of network devices for security flaws, and ensuring that security controls are properly implemented.

Throughout the process, document all identified vulnerabilities and prioritise them based on severity to provide recommendations for remediation. The ultimate goal of external network penetration testing is to identify and address potential security risks before they can be exploited by malicious actors.

What Happens in the Aftermath of a Pentest?

Following a pen test, there are several important steps that are typically taken in the aftermath of the test.

These include analysing the results, identifying vulnerabilities, prioritising and addressing any critical issues that were uncovered. Followed by making necessary changes to the system or network to strengthen security. As well as potentially retesting to ensure that the vulnerabilities have been successfully patched. The aftermath of a pen test also often involves reporting the findings to relevant stakeholders. This is likely to include IT teams or management, and making recommendations for future security improvements. Overall, the aftermath of a pen test is a crucial phase in the process of strengthening the security of a network or system. Plus ensuring that vulnerabilities are effectively addressed.

Email Security Risk Remains High

Tony MasonCyber Security, Data Protection, Email Security, Microsoft 365 Security

Email Security Risk Report

Almost every organisation reports experiencing email security incidents. Unfortunately, legacy approaches to technology and training can’t keep pace with evolving threats.

A recent survey by Egress highlighted that cybersecurity leaders remain vulnerable to both inbound phishing attacks and outbound data loss and exfiltration.  This is making them question the effectiveness of traditional approaches to email security.

94% of the 500 respondents experienced email security incidents in their Microsoft 365 environment in the last 12 months. This is similar to the results in 2022.

94% of these fell victim to phishing attacks, and 91% experienced data loss and exfiltration. 

It’s no wonder then, that 95% of cyber security leaders are stressed about email security. 

Phishing attacks sent from compromised supply chain accounts are the top cause of stress. Followed by internal account takeover (from credential harvesting).

Compromised accounts continue to put organisations at risk

58% of organisations experienced an account takeover.  79% of these starting with a phishing email that harvests an employee’s credentials.  83% even had MFA that was bypassed for the attack to succeed. 51% also fell victim to phishing attacks sent from compromised supply chains.


During 2023 it was impossible to talk about cybersecurity & phishing without talking about AI. Large language models (LLMS) and generative AI enable cybercriminals to easily create targeted and sophisticated phishing emails, as well as generate malware. Gone are the days of obvious spelling mistakes & bad grammar in phishing emails. Deepfakes & AI chatbots that can mimic natural human interaction, are now used to create phishing campaigns and at scale.

These more sophisticated phishing campaigns are now harder for both traditional perimeter defences and employees to detect. Cybersecurity leaders know they are becoming more vulnerable.

Such sophisticated phishing emails from compromised accounts can now get through reputation-based domain checks, carried out by traditional perimeter defences. 

With all of this, there is a sense of what we’ve been doing is no longer good enough.

Traditional Secure Email Gateways (SEGS)

Therefore, 87% of organisations advised that they were looking to move away from their traditional SEG. They are either considering or committing to replacing the SEG with Microsoft’s controls combined with an Integrated Cloud Email Security (ICES) Solution.

Organisations owe it to their employees to provide the right training and technology to detect advanced attacks.

Read the full report here

KnowBe4’s ‘Security Essentials for the UK’ Course is now NCSC Certified

Tony MasonCyber Security, Security Awareness & Phishing

KnowBe4 Security Essentials Training

KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, has announced that its Security Essentials for the United Kingdom course is now certified by the National Cyber Security Centre (NCSC). This coveted certification will lead to further security awareness training across the UK.

NCSC Certification

The NCSC’s certification programme is designed to assure high quality training courses delivered by experienced training providers. Courses submitted for certification are rigorously assessed against a set of benchmarks and evaluated at two levels:

  1. awareness for those new to cybersecurity to give a thorough foundation in the subject and
  2. application for anyone looking for in-depth courses for their professional development.
Cyber Attacks

Cybercrime is committed every 39 seconds according to a global study by the University of Maryland. However, in the UK, it is estimated that 4.55 cyber attacks are committed against businesses every minute according to twenty-four.it. Plus, the latest Verizon report says 74% of breaches involved the human element. These statistics are some of many making it clear that cybersecurity awareness is critical for everyone, not only at work, but also in their personal lives. It is important to understand what threats potentially loom in cyberspace. Equally, it is as important how to identify and avoid them and, in case of a cyber attack, how to swiftly and effectively deal with it.

Therefore, Cybersecurity training within organisations has never been as essential as it is now. Research from BDO found that 60% of mid-sized organisations in the UK have experienced fraud in 2023. Phishing and other forms of cyber attacks being the leading causes.

Cybersecurity Training

We are thrilled that our Security Essentials for the UK course was certified by the National Cyber Security Centre. It means that this course meets the highest standards for training courses in the country, which will go a long way in spreading more security awareness efforts to organisations in the UK,” commented Stu Sjouwerman, CEO, KnowBe4. 

The ‘Security Essentials for the United Kingdom’ course is a comprehensive journey through the world of information security.  It introduces users to various concepts to help prevent them and their organisations from becoming victims of cybercrime. On completion, they will understand the importance of incident reporting and response and learn strategies to reduce vulnerabilities and keep information safe. It will arm users with the ability to not only protect their organisations but also their households.

KnowBe4 are exclusively focused on human behaviour, as they believe that raising security awareness of your employees is essential to managing the risk associated with social engineering.

They are passionate about building a platform capable of changing insecure behaviours and reinforcing secure behaviours of individuals, to ultimately help organisations support end users to be a key cog in their Cyber Defences. #humanfirewall as they like to call it.

Particularly, this allows them to invest in ground breaking products designed to address the human element of security.  For more on information on KnowBe4, check out our webpage.

Password Manager – The Good, The Bad & The Truth.

Tony MasonCyber Security, Data Protection, Password Management, Security Awareness & Phishing

As part of any security awareness training we cover passwords. We teach users how to choose secure passwords, with the right length and characters, pass phrases etc. However, the average person has to log on to over 170+ sites/services and usually only have 3 to 19 passwords. That means there are a lot of weak/shared passwords in use & some of these will be by your staff.

Therefore, not only our partner, KnowBe4, but also the National Cyber Security Centre strongly recommend you use a Password Manager, take a look here to see why.

This is in order to effectively reduce password reuse and improve complexity. But you may be wondering if it’s really worth the risk. 

Is it safe to store all of your passwords in one place? Can cybercriminals hack them? Are password managers a single point of failure? Take a look at this on-demand webinar by Roger A. Grimes, KnowBe4’s Data-Driven Defence Evangelist, where he walks you through these questions and more. He also shares a new password manager hacking demo from Kevin Mitnick, KnowBe4’s Chief Hacking Officer, that will reveal the real risks of weak passwords.

Password hygiene should be part of your security culture, from the onboarding process right up to the board.  

Check out KnowBe4 for more information about effective, new school, security awareness training that successfully changes users’ behaviour.

Factors to Consider When Selecting a Reliable Password Manager

With many password managers available, finding the right solution can be quite challenging. Look out for some of these password manager features to know you’ve selected the right one.

1. Zero-Trust Security – enforces strict user authentication and least-privilege access.  It restricts user access to resources that are necessary for the successful completion of tasks in a given role.  This ensures that only legitimate users have access to your systems throughout the digital process to greatly reduce your organisational risk.

2. Regulation Compliance – Here are some standards your password manager should comply with:

  • Federal Risk and Authorization Management Program (FedRAMP). Although this is mainly for government, a password manager that complies with FedRAMP ensures more security controls. 
  • General Data Protection Regulation (GDPR).  A password manager in compliance with GDPR is likely handling your data appropriately.  
  • Payment Card Industry Data Security Standard (PCI DSS). This regulation sets requirements to guarantee the security of payment processors when handling your debit or credit cards.

3. Compatibility with Your Systems and Software

4. Encryption – A password vault is the part of a password manager that actually stores the passwords for multiple applications. Password managers must have encryption, which scrambles credentials and makes them unreadable by attackers. Also, providers must store your password in its encrypted form as this makes them unable to access your credentials as well.  

5. Automation (Browser Extensions Should Work Automatically)

6. Password Generators 

7. Multi-Factor Authentication (MFA) – According to research by Microsoft, MFA can prevent 99.9% of account compromise attacks. A reliable password manager should require 2FA or MFA in addition to your master password before providing access to your account.   

Need a Password Manager? Consider our partner Keeper. Keeper is an easy-to-use password manager that is built with a proprietary zero-trust architecture and end-to-end encryption to secure your credentials. 

Get in touch with us for a free trial sales@s3-uk.com, 01628 362 784.