What is World Backup Day?

Tony Mason | Cyber Security, Data Backup, Data Protection, Microsoft 365 Security

World Backup Day, established in 2011 by a Reddit group, is celebrated annually by the backup and tech industry all over the world. It serves as a crucial reminder for both businesses and individuals to safeguard their data, highlighting the importance of protecting data and keeping systems and computers secure. It encourages the creation and maintenance of backup copies to protect against potential data loss due to threats such as hackers or equipment malfunctions.

World Backup Day is 31st March, perfectly timed before April Fool’s Day, reminding us that we’d be fools not to back up our data.

Since the pandemic and the move to hybrid working, many companies feel that their data is less secure than it was pre-pandemic. IT managers are worried that sensitive data is being saved on local machines, hard drives and cloud storage. It’s no wonder that so many organisations have had at least one data breach.

Why is Data Backup so Important?

Having said this, more people are backing up their data year on year. However, many have still suffered a data loss. Data can be lost to cyber threats such as ransomware and viruses, but also through device failure or simply human error.

Attackers are also known to specifically target backups, making it harder to recover your data. This leaves companies with no option but to pay ransoms.

Securing your data is vital to the survival of a business, not only from a business continuity point of view but also to maintain integrity, the trust of customers and the business’s reputation. Therefore, companies need to create data backups as well as enforce data retention processes.

Data backup can protect you against cybercrime, ransomware and data loss. It can also save time and money, both in day-to-day management and in recovery time after a data loss. Plus, it can help you stay compliant.

Know Your Data

To start the process, it’s important to get a thorough understanding of your data. What do you have, what’s critical and where is it stored? It’s also important to understand your compliance requirements and the policies that govern the data and its retention. Businesses should have a data protection strategy, put processes in place and communicate these to the business, then ensure these processes are adhered to.

Restoring Data

The primary goal for data recovery after a cyber attack or loss of data is to restore all the data. Secondary to this is the speed at which this can be done.

Therefore, it’s well worth moving from traditional tape or disk-based backups to modern cloud storage, enabling you to get up and running with minimal impact.

You’ll also want regular, recent backups so you can pick up where you left off with as little data loss as possible.

Immutable storage means no changes can be made to a backup once it is written: no corruption, deletion, modification or encryption of your files, so restored data is available as soon as possible. It also means hackers won’t have leverage over you by holding your data to ransom or encrypting it.

Data Backup

National Cyber Security Centre (NCSC) New Principles for Ransomware-Resistant Cloud Backups & Suggested Implementations

Having assisted many organisations whose backups have been compromised, the NCSC has published a set of principles laying out best practice to make sure cloud backups are more resistant to ransomware.

They describe the features a service should offer for backups to be resilient to ransomware actors.

Be a Harder Target

Principle 1 – Backups should be resilient to destructive actions

Ransomware attacks look to destroy backups so that organisations cannot recover without paying the ransom. Therefore, the backup service should be resilient to attempts to destroy backup data, including malicious editing, overwriting or deleting:

  • Block any deletion or alteration requests for a backup once it has been created.
  • Offer soft-delete by default, but monitoring is needed during the allowed review period.
  • Delay implementation of any deletion or alteration requests, with alerts set up in a monitoring schedule. However, the system owner needs to be confident that alerts will still be delivered if their infrastructure is compromised.
  • Forbid destructive requests from customer accounts: all exceptional destructive requests must be authorised out-of-band using a pre-agreed mechanism between the customer and the backup service.

Principle 2 – A backup system should be configured so that it isn’t possible to deny all customer access

  • Allow customer access to the backup service even if all existing corporate IT systems and assets are unavailable. Agree a separate out-of-band mechanism.
  • Forbid any IAM policy that restricts access to a single account within an attacker’s control.

Principle 3 – The service allows a customer to restore from a backup version, even if later versions become corrupted

  • Provide mechanisms so that system owners can test whether they can restore from the current backup state. Test regularly as part of a regular monitoring process.
  • Store backup data for a fixed time period.
  • Create and retain a version history, so you can restore from a previous healthy version.
  • Offer flexible storage policies.

Principle 4 – Robust key management for data-at-rest protection is in use

  • Offer an out-of-band key backup option: commit a master key to paper, perhaps as a QR code, and hold it in a safe.

Principle 5 – Alerts are triggered if significant changes are made, or privileged actions are attempted

  • The service offers a wide range of customisable alerts to monitor activity that affects the backup system.
  • Significant changes to how the backup system behaves or is accessed require extra authorisation and should automatically initiate extra protective monitoring.
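The principles above can be made concrete in code. The following Python model is an added example, not NCSC code and not any backup vendor’s product: a small append-only vault in which every write creates a new hashed version, deletion is a soft-delete that raises an alert and must wait out a review period, a real purge additionally needs a single-use token issued out of band, an access policy can never shrink to one account, and a restore picks the newest intact version at or before a chosen point in time. The class and method names (BackupVault, soft_delete, purge, set_access_accounts, restore) and the scenario data are assumptions made for this illustration.

```python
"""Append-only backup vault modelling NCSC Principles 1, 2, 3 and 5 (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import hashlib


@dataclass
class Version:
    seq: int
    data: bytes
    created: datetime
    sha256: str
    deleted_at: Optional[datetime] = None  # set by soft_delete(); None means live
    purged: bool = False


class BackupVault:
    """Hypothetical vault: the names and behaviour are this example's, not a product's."""

    def __init__(self, review_period=timedelta(days=7), alert=print):
        self.objects = {}            # name -> [Version, ...]
        self.review_period = review_period
        self.alert = alert           # Principle 5: every privileged action raises an alert
        self.purge_tokens = set()    # issued out of band, never by the customer account
        self.access_accounts = set()

    # Principle 1: nothing is overwritten; each write appends a new, hashed version.
    def write(self, name, data, now):
        versions = self.objects.setdefault(name, [])
        versions.append(Version(len(versions) + 1, bytes(data), now, hashlib.sha256(data).hexdigest()))
        return versions[-1].seq

    # Principle 1: soft-delete by default; the data stays until the review period has passed.
    def soft_delete(self, name, seq, now, actor):
        v = self.objects[name][seq - 1]
        v.deleted_at = now
        self.alert(f"soft-delete {name} v{seq} by {actor}; purgeable after {now + self.review_period:%Y-%m-%d}")

    # Principle 1: a real deletion needs the review period elapsed AND an out-of-band token.
    def purge(self, name, seq, now, token):
        v = self.objects[name][seq - 1]
        if v.deleted_at is None:
            raise PermissionError("purge requires a prior soft-delete")
        if now < v.deleted_at + self.review_period:
            raise PermissionError("review period has not elapsed")
        if token not in self.purge_tokens:
            raise PermissionError("purge needs out-of-band authorisation")
        self.purge_tokens.discard(token)  # single use
        v.purged, v.data = True, b""
        self.alert(f"purge {name} v{seq} authorised by token {token}")

    # Principle 2: an access policy must never shrink to one (possibly attacker-held) account.
    def set_access_accounts(self, accounts):
        accounts = set(accounts)
        if len(accounts) < 2:
            raise ValueError("policy would restrict the vault to a single account")
        self.access_accounts = accounts
        self.alert(f"access policy changed to {sorted(accounts)}")

    # Principle 3: restore the newest intact version created at or before a point in time.
    def restore(self, name, as_of):
        live = [v for v in self.objects.get(name, [])
                if v.deleted_at is None and not v.purged and v.created <= as_of]
        if not live:
            raise LookupError(f"no restorable version of {name} at {as_of:%Y-%m-%d}")
        v = max(live, key=lambda x: x.seq)
        if hashlib.sha256(v.data).hexdigest() != v.sha256:
            raise ValueError(f"{name} v{v.seq} failed its integrity check")
        return v.data


def _blocked(fn, *args):
    """True if the vault refused the action (used to show the controls working)."""
    try:
        fn(*args)
    except (PermissionError, ValueError):
        return True
    return False


def run_scenario():
    """Constructed incident: the day-3 backup job captured files already encrypted at source."""
    alerts = []
    vault = BackupVault(alert=alerts.append)

    def day(n):
        return datetime(2024, 3, 1) + timedelta(days=n)

    vault.write("ledger.db", b"clean-day1", day(1))
    vault.write("ledger.db", b"clean-day2", day(2))
    vault.write("ledger.db", b"ENCRYPTED-BY-RANSOMWARE", day(3))  # constructed bad backup
    out = {"latest": vault.restore("ledger.db", day(3)),
           "pre_incident": vault.restore("ledger.db", day(2))}
    # A compromised customer account tries to destroy the last clean copy and lock others out.
    vault.soft_delete("ledger.db", 2, day(3), "compromised-admin")
    out["early_purge_blocked"] = _blocked(vault.purge, "ledger.db", 2, day(4), "guess")
    out["no_token_purge_blocked"] = _blocked(vault.purge, "ledger.db", 2, day(11), "guess")
    out["single_account_blocked"] = _blocked(vault.set_access_accounts, {"compromised-admin"})
    # A legitimate purge: token handed over out of band, after the review window.
    vault.purge_tokens.add("token-from-vendor-callback")
    vault.purge("ledger.db", 2, day(11), "token-from-vendor-callback")
    out["alerts"] = len(alerts)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value!r}")
```

Running run_scenario() shows why point-in-time restore matters: the latest backup faithfully captured files that ransomware had already encrypted at source, while the day-2 version restores cleanly. The compromised account’s attempts to purge that version early, to purge it without the out-of-band token, or to lock the policy to itself are all refused, and each privileged action that does go ahead appears in the alert list.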

For the full report see here: https://www.ncsc.gov.uk/guidance/principles-for-ransomware-resistant-cloud-backups

For immutable cloud backup for M365, Azure AD, Salesforce, Google Workspace and Dynamics 365, check out Keepit: https://www.s3-uk.com/wp-content/uploads/2024/03/Keepit-for-Microsoft-365-Product-Sheet-S3-Ltd.pdf

How Essential is an Incident Response Plan?

Tony Mason | Cyber Security, Penetration Testing

What is an Incident Response Plan? 

An incident response plan is a comprehensive and structured approach to addressing and managing security incidents within an organisation. It outlines the steps, roles, responsibilities and procedures to follow in the event of a security breach or any other adverse event that may impact the organisation’s systems or data.

What’s the Purpose of an Incident Response Plan? 

The main purpose of an incident response plan is to minimise the damage caused by a security incident. It helps to ensure a swift and effective response, reducing the impact on business operations, reputation and customer trust. Having an IR plan, with its documented procedures, ensures that everyone knows what to do in the event of a cyber attack. This can help minimise the damage caused by an attack and help you recover more quickly. Additionally, having a plan in place shows clients and suppliers that you take security seriously and are prepared to deal with any cyber attacks that may pose a threat. This can also help to deter attackers, who are more likely to target businesses that do not have strong security measures in place.

Benefits of an IR Plan 

Having an incident response plan in place offers several key benefits for organisations. These include:

  • Minimising Downtime: An incident response plan helps to minimise the impact of a security incident on business operations. By having predefined steps and procedures to follow, organisations can quickly and effectively respond to incidents. They can reduce downtime and ensure that critical systems and services are restored as soon as possible.
  • Protecting Data and Systems: An IR plan helps to protect an organisation’s data and systems by outlining the necessary steps to contain and mitigate the impact of a security incident. This includes isolating affected systems, identifying the root cause of the incident, and implementing measures to prevent future incidents.
  • Maintaining Customer Trust: Prompt and effective incident response is crucial for maintaining customer trust and confidence in an organisation. By having an IR plan in place, organisations can demonstrate their commitment to protecting customer data and privacy. This can help reassure customers that their information is secure, leading to increased trust and loyalty.
  • Complying with Regulations: Many industries have specific regulations and compliance requirements regarding incident response. Having an IR plan that aligns with these regulations helps organisations meet their legal obligations and avoid costly penalties and fines.

Why do you Need an Incident Response Plan?

When it comes to protecting your business, being prepared for the worst is essential. An incident response plan is a critical part of any business continuity strategy. Overall, it provides guidance on how to deal with unexpected events that could disrupt operations.

Further, an effective incident response plan will help you minimise the impact of a cyber incident and get your business back up and running as quickly as possible.

What’s Included in an Incident Response Package?

Our partners, Pentest People, offer Incident Response Plans built on industry-leading techniques and protocols to help businesses in the case of a breach or cyber attack. Their IR service takes the burden of reacting to such an attack off your team, using their expertise to reduce the damage and downtime for your business.

They offer three reactive service packages: Basic, Standard, and Premium. The basic package includes the following: 

  • Identify which systems have been compromised
  • Determine which IPs were targeted
  • Confirm the type of attack
  • Quarantine of infected host/network/system
  • Clone Devices if required
  • IOC Gathering – Determine the cause of the attack
  • Implement controls to prevent any re-occurrence of attack
  • Vulnerability Scan
  • 3 Weekly Dark Web Scans

The Standard and Premium packages add more features to make your business fully prepared to react in the case of an attack. These are the most popular packages, offering full protection for businesses in the case of an emergency. Take a look here.

Whether you have an incident response plan and need that extra assurance, or have been attacked and need some immediate help, get in touch on 01628 362 784 and we’ll put you in touch with the IR Team.

Benefits of Penetration Testing as a Service 

Tony Mason | Penetration Testing

What is Penetration Testing as a Service?

Penetration Testing as a Service (PTaaS) advocates a continuous cycle of testing and remediation. It recognises that your security posture is always changing, so in order to combat this moving target there must be an ongoing programme of testing, remediation and management. The methodology recognises the need to test and check the entire platform stack, from the operating system to the SSL certificate. PTaaS is all about establishing a regime of automatic checks and monitoring so that even the smallest aspects of your ecosystem are protected.

Why is it Important?

The importance of Penetration Testing lies in its ability to identify and address security vulnerabilities before they can be exploited. By identifying weaknesses early on, organisations can take the necessary steps to mitigate any potential risks and protect their systems from future attacks. This is why it’s essential for organisations of all sizes to have a comprehensive Penetration Testing strategy in place.

Why Choose PTaaS Over Traditional Pentesting?

PTaaS, or Penetration Testing as a Service, offers several advantages over traditional penetration testing. First, it is more cost-effective, because it eliminates the need to hire in-house experts or consultants and allows for a flexible subscription-based model. Secondly, PTaaS prioritises risks by continuously monitoring systems and identifying vulnerabilities in real time, which allows businesses to focus on addressing the most critical issues. Additionally, acting on the results is far more efficient, with continuous testing and immediate feedback leading to faster resolution of security gaps.

PTaaS differs from traditional pentesting in several ways. In terms of scoping, PTaaS provides continuous testing and monitoring, as opposed to one-time assessments in traditional penetration testing. Delivery is also quicker with PTaaS, which offers on-demand testing as opposed to scheduled assessments. Moreover, PTaaS may offer additional services such as security training and compliance support. Integration with existing security tools and systems is seamless, and reporting is more comprehensive and real-time. Furthermore, PTaaS offers a variety of pricing models to suit different business needs. Overall, PTaaS provides a more cost-effective, risk-focused, and efficient approach to penetration testing.

The Differences Between Pen Testing and Pen Testing as a Service

Traditional pen testing involves conducting a point-in-time assessment of an organisation’s security posture using manual and automated tools. This approach provides a snapshot of vulnerabilities at a specific point in time and may not capture ongoing security issues. On the other hand, PTaaS offers continuous, real-time testing using a combination of manual and automated tools to enhance an organisation’s security strategy. PTaaS revolutionises the traditional pen testing model by introducing a continuous approach to web application security testing, providing IT professionals with the resources they need to conduct point-in-time and continuous penetration tests.

Benefits of PTaaS

PTaaS offers numerous benefits for organisations looking to secure their digital assets and safeguard against potential cyber threats. By providing a continuous and comprehensive approach to penetration testing, PTaaS ensures that an organisation’s systems, networks and applications are thoroughly tested for vulnerabilities, allowing for proactive identification and remediation of potential security weaknesses.

This proactive approach not only helps to prevent potential data breaches and cyber attacks, but also saves time and resources by addressing security issues before they become major problems. Additionally, PTaaS provides organisations with access to a team of security experts who can offer valuable insights and recommendations for strengthening their overall security posture. Overall, PTaaS offers a cost-effective and efficient solution for maintaining a strong and resilient security infrastructure.

Early Feedback on Code Changes

PTaaS seamlessly integrates into the software development lifecycle by providing ongoing vulnerability assessments and security testing. By continuously monitoring code changes and identifying potential vulnerabilities, PTaaS alerts developers to security risks before new code is deployed. This proactive approach keeps development teams ahead of potential threats by providing early feedback on code changes, allowing them to address vulnerabilities promptly and effectively.

Fast Remediation Support

Fast remediation support offered by PTaaS providers can greatly enhance the efficiency and effectiveness of vulnerability remediation. These providers offer detailed assistance, visual aids such as screenshots and videos, and expert guidance to help developers locate and address vulnerabilities quickly and effectively.

Utilising these resources is crucial for streamlining the process of vulnerability remediation. The detailed assistance provided by PTaaS providers can help developers understand the root cause of vulnerabilities and provide step-by-step guidance on how to fix them. Visual aids like screenshots and videos can make it easier for developers to grasp the specific areas that need attention and how to address them effectively. Additionally, expert guidance from PTaaS providers ensures that developers receive the most accurate and up-to-date information for addressing vulnerabilities.

Access to Security Engineers

PTaaS allows organisations to access a team of experienced security engineers without exhausting in-house resources. By connecting with security experts through PTaaS, organisations can efficiently resolve security gaps and streamline their approach to penetration testing. This ensures their team can focus on strategic initiatives while leaving the technical aspects to the security engineers.

Reduced Downtime

Proactive penetration testing, including the use of PTaaS and SecurePortal, can significantly mitigate service interruption risks and prevent financial losses associated with downtime. By conducting regular proactive penetration tests, organisations can identify vulnerabilities and weaknesses in their systems before they can be exploited by attackers. This allows for the timely remediation of any potential risks, reducing the likelihood of service interruptions and the associated financial losses.

PTaaS and SecurePortal provide the benefit of continuous monitoring and detection of major risks, allowing for immediate alerting and remediation. This proactive approach to identifying and addressing potential security threats can significantly reduce the impact of potential attacks. It minimises the risk of service interruptions and the resulting financial losses.

Check out the PTaaS offering from our partners: Pentest People.  They provide a fully digital service that streamlines the approach to Penetration Testing for your team. This leads to an easier process for everyone involved and makes securing your business simple.

Penetration Testing Secure Portal

Email Security Risk Remains High

Tony Mason | Cyber Security, Data Protection, Email Security

Outbound Email Security

A recent email security survey by Egress highlighted that outbound email is a source of breaches for almost every organisation.

91% of the surveyed cybersecurity leaders stated that their organisation had experienced security incidents caused by outbound email data loss within Microsoft 365 in the last 12 months.

Causes of Outbound Email Security Incidents

Overall, these incidents were the result of employees breaking the rules or making mistakes while simply trying to get their jobs done. The top 3 causes were:

  1. Exfiltration of data for work purposes (sending data to personal accounts)
  2. Accidentally sending emails and files to an incorrect recipient
  3. Exfiltrating data for personal gain (taking data to a new job)

This is similar to 2022, but the negative impact on organisations has gone up 8%.

There also remains a significant risk of internal breaches of confidentiality within an organisation.  Of the 76% that enforce information barriers internally, half (51%) have had them breached. Over half had to cease operations while they investigated the incidents.

Cybersecurity leaders reported intentional rule breaking as the top cause of outbound incidents. However, on analysis of data in the Egress platform, Egress can see that it’s actually human error. The reason cybersecurity leaders don’t know this is that they don’t have visibility; these types of mistakes very often go unreported and pass under the radar.

In order to quantify an organisation’s risk, you need visibility into the human risk.

Microsoft’s Security Control

88% of respondents said they were concerned about Microsoft’s security controls. The top outbound concern was that the controls are ineffective at stopping employees from accidentally emailing the wrong person, or with the wrong file attached.

Outbound email security remains a manual process driven by administrators. 94% use static email DLP rules and 51% rely on reviewing audit logs to detect breaches. Making these rules work takes a lot of admin time, and rules need to be altered to make them usable. Outlook Autocomplete is seen as the culprit for most misdirected emails, but only 20% have dared to turn it off.

Supply Chain & Customers

82% of Cybersecurity leaders enforce email security requirements with their supply chain, with anti-phishing technology as the most requested defence (64%). Data loss prevention, however, is hot on its heels, with 56% of Cybersecurity leaders enforcing this with suppliers.

On the other end, 69% of respondents advised that they have seen an increase in customers requesting email DLP to be enforced.

Visibility

In order to quantify and manage an organisation’s risk, Cybersecurity leaders and Data Protection Officers need to have better visibility into the human risk.

They need to know when someone is sending an email to the wrong person, or attaching confidential data to the wrong email or a personal email. Plus, they need a solution that isn’t reliant on static rules, which are labour-intensive to manage.
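A static DLP rule cannot tell that a message to bob@acme-legal.co is an Autocomplete slip when the sender normally writes to acme-legal.com. The Python below is an added example, not Egress Prevent, Microsoft 365 DLP or any vendor’s code: it learns each sender’s usual external domains from past traffic and then flags personal webmail addresses, lookalike domains and first-time contacts that carry attachments or a confidential label. The corporate domain, the webmail list, the addresses and the messages are all constructed for the demo, and the similarity threshold is an illustrative choice.

```python
"""Context-aware outbound email checks (added example with constructed data)."""
from collections import defaultdict
from dataclasses import dataclass, field
import difflib

CORP_DOMAIN = "example-corp.co.uk"                                             # constructed
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.co.uk"}  # constructed list


@dataclass
class Email:
    sender: str
    recipients: list
    subject: str
    attachments: list = field(default_factory=list)
    sensitivity: str = "general"  # "confidential" when a label or classifier marks it so


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


class OutboundChecker:
    """Learns each sender's usual external domains, then scores new messages against them."""

    def __init__(self, history):
        self.known = defaultdict(set)
        for e in history:
            for r in e.recipients:
                if domain(r) != CORP_DOMAIN:
                    self.known[e.sender.lower()].add(domain(r))

    def check(self, email):
        """Return (level, reason) findings; level is 'warn' or 'block'."""
        findings = []
        known = sorted(self.known.get(email.sender.lower(), ()))
        # Attachments are treated as potentially sensitive even without a label.
        sensitive = email.sensitivity == "confidential" or bool(email.attachments)
        for r in email.recipients:
            d = domain(r)
            if d == CORP_DOMAIN or d in known:
                continue  # internal, or a domain this sender has written to before
            if d in PERSONAL_WEBMAIL:
                findings.append(("block" if sensitive else "warn", f"{r}: personal webmail address"))
                continue
            # A new domain that closely resembles a familiar one is the classic misdirection.
            close = difflib.get_close_matches(d, known, n=1, cutoff=0.8)
            if close:
                findings.append(("block" if sensitive else "warn",
                                 f"{r}: {d} resembles {close[0]} (likely mistyped or autocompleted)"))
            elif sensitive:
                findings.append(("warn", f"{r}: first contact with {d} while sending sensitive content"))
        return findings

    def decide(self, email):
        levels = {level for level, _ in self.check(email)}
        return "block" if "block" in levels else "warn" if levels else "allow"


HISTORY = [  # constructed past traffic for one sender
    Email("alice@example-corp.co.uk", ["bob@acme-legal.com"], "Contract v3"),
    Email("alice@example-corp.co.uk", ["carol@acme-legal.com", "dan@northwind.example"], "Invoice"),
]
SAMPLES = {  # constructed messages to score
    "misdirected": Email("alice@example-corp.co.uk", ["bob@acme-legal.co"], "Board pack",
                         ["board-pack.pdf"], "confidential"),
    "personal": Email("alice@example-corp.co.uk", ["alice.home@gmail.com"], "fyi", ["clients.xlsx"]),
    "normal": Email("alice@example-corp.co.uk", ["bob@acme-legal.com"], "Re: Contract v3"),
    "new_contact": Email("alice@example-corp.co.uk", ["hello@brightwave.io"], "Intro call"),
}


def run_demo():
    """Decision per sample message: 'block', 'warn' or 'allow'."""
    checker = OutboundChecker(HISTORY)
    return {name: checker.decide(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    checker = OutboundChecker(HISTORY)
    for name, msg in SAMPLES.items():
        print(name, checker.decide(msg), checker.check(msg))
```

The design point is that the decision depends on the sender’s own history rather than on a fixed keyword or recipient list: the same address can be routine for one sender and anomalous for another, which is the visibility into human risk the report asks for. In a real deployment the history would come from the mail logs and the block would surface as a prompt to the user before sending.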

Check here for more information on Egress Prevent.

Read here for the full Email Security Risk report.

What is Penetration Testing?

Tony Mason | Penetration Testing

Penetration testing, also known as ethical hacking, is a method of evaluating a computer system, network or web application to identify potential vulnerabilities that could be exploited by cyber attackers. This process involves simulating real-world cyber attacks to uncover potential weaknesses in a system’s security defences. Penetration testing aims to assess the security posture of an organisation’s IT infrastructure and provide recommendations for improving security measures. It helps organisations better understand their overall security posture and identify any potential vulnerabilities before they are exploited by malicious actors. This proactive approach to security testing is essential in today’s digital landscape, where cyber threats are constantly evolving and businesses need to be vigilant in safeguarding their sensitive data and systems.

Types of Testing 

Penetration testing involves simulating different attack scenarios to identify and exploit vulnerabilities in a system.

Black box testing is carried out with no prior knowledge of the system, simulating an external attacker. This type of testing helps in assessing the real-world security posture of an organisation.

White box testing, on the other hand, involves full knowledge and access to the system, often simulating an insider threat. This type of testing is useful for assessing internal security controls and the effectiveness of the organisation’s defenses.

Grey box testing falls between the two, with partial knowledge and access to the system. It simulates an attacker with limited knowledge of the internal workings of the system. The purpose of each type of testing is to assess the security posture of the organisation in different attack scenarios.

Black box testing evaluates the effectiveness of external defenses.

White box testing assesses internal security controls.

Grey box testing offers a balanced assessment of both.

Internal Network Penetration Testing

Internal network penetration testing involves simulating an attack on the organisation’s internal network. It aims to identify potential exploits, vulnerabilities, and misconfigurations that could lead to unauthorised access, data leaks, or other security breaches.

The testing process focuses on identifying potential exploits from both authenticated and non-authenticated user perspectives. This includes the exploitation of weak or default passwords, inadequate access controls and privilege escalation. Vulnerability assessments identify and prioritise security weaknesses in accessible systems, such as unpatched software, outdated protocols and insecure network services.

Checks for misconfigurations are also performed to identify potential risks related to insecure network configurations, weak encryption, and improper access controls. Common exploits found in internal network tests may include leveraging unpatched software vulnerabilities, exploiting weak or default passwords, and bypassing inadequate access controls. Common misconfigurations that lead to data leaks may include insecure file permissions, unsecured network services, and inadequate data encryption.

External Network Penetration Testing

External network penetration testing involves several steps to identify vulnerabilities in the defined external infrastructure.

Firstly, assess the external network architecture to identify potential entry points for attackers. This includes scanning for open ports and services, identifying network devices, and mapping the external network.

Then, focus on checking the authentication processes. This involves testing weak or default credentials, verifying the strength of password policies, and assessing the effectiveness of multi-factor authentication.

Verify secure data transfer by analysing the encryption protocols used for transmitting sensitive information. This includes evaluating the configurations of SSL/TLS protocols and checking for potential weaknesses in data transfer processes.

Finally, check for misconfigurations in the external network infrastructure. This includes reviewing firewall rules, examining the configuration of network devices for security flaws, and ensuring that security controls are properly implemented.

Throughout the process, document all identified vulnerabilities and prioritise them based on severity to provide recommendations for remediation. The ultimate goal of external network penetration testing is to identify and address potential security risks before they can be exploited by malicious actors.
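The review and prioritisation at the end of that procedure can be scripted. The Python below is an added example, not any tool’s code: it takes constructed inputs of the kind the steps above produce (a list of internet-reachable services, per-host TLS settings, firewall rules and the authentication policy of an external portal), turns each weak point into a Finding with a severity and a suggested fix, and sorts them so the critical items come first. The hosts, ports, rule entries, thresholds and severity ratings are assumptions made for the illustration, not a standard.

```python
"""Prioritised review of external-exposure findings (added example with constructed data)."""
from dataclasses import dataclass
import ipaddress

SEVERITY_LABEL = {4: "critical", 3: "high", 2: "medium", 1: "low"}


@dataclass
class Finding:
    severity: int  # 4 = critical ... 1 = low
    where: str
    issue: str
    fix: str


# Services that rarely belong on an internet edge (illustrative baseline, not a standard).
RISKY_PORTS = {
    21: ("FTP", 3, "replace with SFTP or restrict to known source addresses"),
    23: ("Telnet", 4, "disable Telnet; manage over SSH with key-based authentication"),
    445: ("SMB", 4, "block SMB at the perimeter"),
    1433: ("MSSQL", 4, "remove database exposure; reach it via VPN or private link"),
    3306: ("MySQL", 4, "remove database exposure; reach it via VPN or private link"),
    3389: ("RDP", 4, "remove direct RDP; require VPN or zero-trust access with MFA"),
}
WEAK_TLS = {"SSLv3": 4, "TLSv1.0": 3, "TLSv1.1": 3}


def review_services(scan):
    """scan: iterable of (host, port, service_name) as a port scan would list them."""
    out = []
    for host, port, _name in scan:
        if port in RISKY_PORTS:
            label, sev, fix = RISKY_PORTS[port]
            out.append(Finding(sev, host, f"{label} (tcp/{port}) reachable from the internet", fix))
    return out


def review_tls(tls):
    """tls: {host: {"protocols": [...], "cert_expires_days": int}}."""
    out = []
    for host, cfg in tls.items():
        for proto in cfg.get("protocols", []):
            if proto in WEAK_TLS:
                out.append(Finding(WEAK_TLS[proto], host, f"{proto} enabled", "allow TLS 1.2 and 1.3 only"))
        days = cfg.get("cert_expires_days")
        if days is not None and days < 30:
            out.append(Finding(2, host, f"certificate expires in {days} days", "renew now and automate renewal"))
    return out


def review_firewall(rules):
    """rules: list of {"src": CIDR, "dst_port": int or "any", "action": "allow" or "deny"}."""
    out = []
    for i, r in enumerate(rules):
        if r["action"] != "allow":
            continue
        any_source = ipaddress.ip_network(r["src"]).prefixlen == 0
        if any_source and r["dst_port"] == "any":
            out.append(Finding(4, f"rule#{i}", "allows any source to any port", "replace with explicit per-service allows"))
        elif any_source and r["dst_port"] in RISKY_PORTS:
            out.append(Finding(3, f"rule#{i}", f"allows any source to tcp/{r['dst_port']}", "restrict the source to known ranges"))
    return out


def review_auth(auth):
    """auth: {portal: {"mfa_enforced": bool, "min_password_length": int, "lockout_threshold": int}}."""
    out = []
    for name, p in auth.items():
        if not p.get("mfa_enforced"):
            out.append(Finding(4, name, "MFA not enforced", "enforce MFA for every external login"))
        if p.get("min_password_length", 0) < 12:
            out.append(Finding(2, name, "minimum password length below 12", "raise the minimum and screen against breached lists"))
        if p.get("lockout_threshold", 0) == 0:
            out.append(Finding(3, name, "no account lockout", "enable lockout or rate limiting"))
    return out


def prioritise(findings):
    """Critical first; ties broken by location and issue so the order is stable."""
    return sorted(findings, key=lambda f: (-f.severity, f.where, f.issue))


# Constructed inputs standing in for the outputs of the four steps above.
SCAN = [("203.0.113.10", 443, "https"), ("203.0.113.10", 22, "ssh"),
        ("203.0.113.11", 3389, "ms-wbt-server"), ("203.0.113.12", 23, "telnet")]
TLS = {"203.0.113.10": {"protocols": ["TLSv1.0", "TLSv1.2", "TLSv1.3"], "cert_expires_days": 12}}
FIREWALL = [{"src": "0.0.0.0/0", "dst_port": "any", "action": "allow"},
            {"src": "198.51.100.0/24", "dst_port": 22, "action": "allow"},
            {"src": "0.0.0.0/0", "dst_port": 3389, "action": "allow"}]
AUTH = {"vpn-portal": {"mfa_enforced": False, "min_password_length": 8, "lockout_threshold": 0}}


def run_review():
    return prioritise(review_services(SCAN) + review_tls(TLS) + review_firewall(FIREWALL) + review_auth(AUTH))


if __name__ == "__main__":
    for f in run_review():
        print(f"[{SEVERITY_LABEL[f.severity]:8}] {f.where}: {f.issue} -> {f.fix}")
```

Keeping the severity and fix next to each finding is what makes the output usable as the remediation list the paragraph describes; the same structure feeds a retest, since each Finding names exactly the condition to check again.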

What Happens in the Aftermath of a Pentest?

Following a pen test, there are several important steps that are typically taken in the aftermath of the test.

These include analysing the results, identifying vulnerabilities, and prioritising and addressing any critical issues that were uncovered, followed by making the necessary changes to the system or network to strengthen security, and potentially retesting to ensure that the vulnerabilities have been successfully patched. The aftermath of a pen test also often involves reporting the findings to relevant stakeholders, likely including IT teams or management, and making recommendations for future security improvements. Overall, the aftermath of a pen test is a crucial phase in strengthening the security of a network or system and ensuring that vulnerabilities are effectively addressed.

Email Security Risk Remains High

Tony Mason | Cyber Security, Data Protection, Email Security, Microsoft 365 Security

Email Security Risk Report

Almost every organisation reports experiencing email security incidents. Unfortunately, legacy approaches to technology and training can’t keep pace with evolving threats.

A recent survey by Egress highlighted that cybersecurity leaders remain vulnerable to both inbound phishing attacks and outbound data loss and exfiltration.  This is making them question the effectiveness of traditional approaches to email security.

94% of the 500 respondents experienced email security incidents in their Microsoft 365 environment in the last 12 months. This is similar to the results in 2022.

94% of these fell victim to phishing attacks, and 91% experienced data loss and exfiltration. 

It’s no wonder then, that 95% of cyber security leaders are stressed about email security. 

Phishing attacks sent from compromised supply chain accounts are the top cause of stress. Followed by internal account takeover (from credential harvesting).

Compromised accounts continue to put organisations at risk

58% of organisations experienced an account takeover, 79% of which started with a phishing email that harvested an employee’s credentials. In 83% of cases MFA was in place and was bypassed for the attack to succeed. 51% also fell victim to phishing attacks sent from compromised supply chains.

AI

During 2023 it was impossible to talk about cybersecurity and phishing without talking about AI. Large language models (LLMs) and generative AI enable cybercriminals to easily create targeted and sophisticated phishing emails, as well as generate malware. Gone are the days of obvious spelling mistakes and bad grammar in phishing emails. Deepfakes and AI chatbots that can mimic natural human interaction are now used to create phishing campaigns at scale.

These more sophisticated phishing campaigns are now harder for both traditional perimeter defences and employees to detect. Cybersecurity leaders know they are becoming more vulnerable.

Such sophisticated phishing emails from compromised accounts can now get through reputation-based domain checks, carried out by traditional perimeter defences. 

With all of this, there is a sense of what we’ve been doing is no longer good enough.

Traditional Secure Email Gateways (SEGs)

Therefore, 87% of organisations said they were looking to move away from their traditional SEG, either considering or committing to replacing it with Microsoft’s controls combined with an Integrated Cloud Email Security (ICES) solution.

Organisations owe it to their employees to provide the right training and technology to detect advanced attacks.

Read the full report here

KnowBe4’s ‘Security Essentials for the UK’ Course is now NCSC Certified

Tony Mason | Cyber Security, Security Awareness & Phishing

KnowBe4 Security Essentials Training

KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, has announced that its Security Essentials for the United Kingdom course is now certified by the National Cyber Security Centre (NCSC). This coveted certification will lead to further security awareness training across the UK.

NCSC Certification

The NCSC’s certification programme is designed to assure high quality training courses delivered by experienced training providers. Courses submitted for certification are rigorously assessed against a set of benchmarks and evaluated at two levels:

  1. Awareness, for those new to cybersecurity, to give a thorough foundation in the subject, and
  2. Application, for anyone looking for in-depth courses for their professional development.

Cyber Attacks

Cybercrime is committed every 39 seconds according to a global study by the University of Maryland. However, in the UK, it is estimated that 4.55 cyber attacks are committed against businesses every minute according to twenty-four.it. Plus, the latest Verizon report says 74% of breaches involved the human element. These statistics are some of many making it clear that cybersecurity awareness is critical for everyone, not only at work but also in their personal lives. It is important to understand what threats potentially loom in cyberspace. Equally important is knowing how to identify and avoid them and, in case of a cyber attack, how to deal with it swiftly and effectively.

Therefore, cybersecurity training within organisations has never been as essential as it is now. Research from BDO found that 60% of mid-sized organisations in the UK experienced fraud in 2023, with phishing and other forms of cyber attack the leading causes.

Cybersecurity Training

“We are thrilled that our Security Essentials for the UK course was certified by the National Cyber Security Centre. It means that this course meets the highest standards for training courses in the country, which will go a long way in spreading more security awareness efforts to organisations in the UK,” commented Stu Sjouwerman, CEO, KnowBe4.

The ‘Security Essentials for the United Kingdom’ course is a comprehensive journey through the world of information security.  It introduces users to various concepts to help prevent them and their organisations from becoming victims of cybercrime. On completion, they will understand the importance of incident reporting and response and learn strategies to reduce vulnerabilities and keep information safe. It will arm users with the ability to not only protect their organisations but also their households.

KnowBe4 are exclusively focused on human behaviour, as they believe that raising security awareness of your employees is essential to managing the risk associated with social engineering.

They are passionate about building a platform capable of changing insecure behaviours and reinforcing secure behaviours of individuals, to ultimately help organisations support end users to be a key cog in their Cyber Defences. #humanfirewall as they like to call it.

In particular, this focus allows them to invest in ground-breaking products designed to address the human element of security. For more information on KnowBe4, check out our webpage.



Password Manager – The Good, The Bad & The Truth.

Tony Mason | Cyber Security, Data Protection, Password Management, Security Awareness & Phishing

As part of any security awareness training we cover passwords. We teach users how to choose secure passwords, with the right length and characters, passphrases etc. However, the average person has to log on to 170+ sites/services and usually has only 3 to 19 passwords. That means there are a lot of weak or shared passwords in use, and some of these will belong to your staff.

Therefore, not only our partner, KnowBe4, but also the National Cyber Security Centre strongly recommend you use a Password Manager, take a look here to see why.

This is in order to effectively reduce password reuse and improve complexity. But you may be wondering if it’s really worth the risk. 

Is it safe to store all of your passwords in one place? Can cybercriminals hack them? Are password managers a single point of failure? Take a look at this on-demand webinar by Roger A. Grimes, KnowBe4’s Data-Driven Defence Evangelist, where he walks you through these questions and more. He also shares a new password manager hacking demo from Kevin Mitnick, KnowBe4’s Chief Hacking Officer, that will reveal the real risks of weak passwords.

Password hygiene should be part of your security culture, from the onboarding process right up to the board.  

Check out KnowBe4 for more information about effective, new school, security awareness training that successfully changes users’ behaviour.

Factors to Consider When Selecting a Reliable Password Manager

With many password managers available, finding the right solution can be quite challenging. Look out for some of these password manager features to know you’ve selected the right one.

1. Zero-Trust Security – enforces strict user authentication and least-privilege access.  It restricts user access to resources that are necessary for the successful completion of tasks in a given role.  This ensures that only legitimate users have access to your systems throughout the digital process to greatly reduce your organisational risk.

2. Regulation Compliance – Here are some standards your password manager should comply with:

  • Federal Risk and Authorization Management Program (FedRAMP). Although this is mainly for government, a password manager that complies with FedRAMP ensures more security controls. 
  • General Data Protection Regulation (GDPR).  A password manager in compliance with GDPR is likely handling your data appropriately.  
  • Payment Card Industry Data Security Standard (PCI DSS). This standard sets requirements to guarantee the security of payment processors when handling your debit or credit cards.

3. Compatibility with Your Systems and Software

4. Encryption – A password vault is the part of a password manager that actually stores the passwords for multiple applications. Password managers must encrypt the vault, which scrambles credentials and makes them unreadable by attackers. The provider must also store your passwords only in encrypted form, so that the provider itself is unable to access your credentials.

5. Automation (Browser Extensions Should Work Automatically)

6. Password Generators 

7. Multi-Factor Authentication (MFA) – According to research by Microsoft, MFA can prevent 99.9% of account compromise attacks. A reliable password manager should require 2FA or MFA in addition to your master password before providing access to your account.   

Need a Password Manager? Consider our partner Keeper. Keeper is an easy-to-use password manager that is built with a proprietary zero-trust architecture and end-to-end encryption to secure your credentials. 

Get in touch with us for a free trial sales@s3-uk.com, 01628 362 784.

5 Ways For Housing Associations to Level Up M365 Email Security

Tony Mason | Cyber Security, Data Protection, Email Security, Microsoft 365 Security, Security Awareness & Phishing

The newly published Email Security Risk Report reveals that 99% of cybersecurity leaders are stressed about email security. Plus, 93% of organisations experienced security incidents in the last 12 months. It is easy to see why.

For housing associations, the risk email poses to sensitive data is pervasive. They operate a complex infrastructure environment, and need to ensure employees are appropriately and effectively protected.  This includes whether they are working in the office, in the field, or at home.

Housing associations are a prime target for phishing attacks, with this risk continuing to grow year on year. Cybercriminals not only want access to housing associations’ systems and data. They also want to use compromised mailboxes to launch further phishing attacks that target the wider supply chain.

Additionally, high volumes of emails are sent and received by a central core of employees who need to communicate with tenants and suppliers who are spread out across the region. This significantly increases the surface area for human error and accidental data loss.

In this blog, we look at five ways housing associations can reduce their email security risks. This includes detecting and preventing inbound threats and outbound data loss in Microsoft 365, while improving employees’ security behaviour.

1. Treat inbound and outbound email security as two parts of a single problem

71% of Cybersecurity leaders consider inbound and outbound email security to be a single problem they need to solve.

Credential harvesting is one of the primary motivations behind phishing attacks. Analysis of platform data provided by our partner Egress reveals that for a housing association of approximately 1,200 employees:

  • 18% of phishing emails contained malicious hyperlinks as their payloads, a common tactic to harvest credentials
  • 29% of attacks targeting the organisation were sent from compromised legitimate email addresses, including supply chain accounts

Research also shows that 85% of account takeover attacks start with a phishing email. Consequently, there is a perpetual cycle where an inbound phishing attack leads to compromised accounts used in outbound attacks.

Additionally, treating email security holistically by preventing inbound and outbound threats together enables housing associations to provide a streamlined experience for both employees and administrators. End-users benefit from one consistent experience. Plus, they receive ongoing education across a broad spectrum of threats (see below for more on real-time teachable moments). At the same time, administrators benefit from analytics insights from across their environment, gathering all threats within a single console in a way that enables them to prioritise and manage their responses.

2. Understand the risks in your environment

As the Email Security Risk Report shows, despite implementing native security controls in Microsoft 365 and secure email gateways (SEGs), threats continue to get through.

Cybercriminals are aware that the signature-based detection used in these technologies is effective at identifying known threats, so they continue to innovate. This includes zero-day and emerging attacks for which no signature yet exists, so signature-based detection cannot pick them up, as well as increasing use of social engineering so that there is no payload to detect. Additionally, attacks sent from legitimate but compromised accounts can also bypass this detection.

Platform data from Egress reveals that for the housing association of approximately 1,200 employees, 38% of the phishing attacks targeting their organisation in a 40-day period got through their existing Microsoft 365 defences.

On the outbound side, static rules cannot scale to accommodate the flexible way housing associations need to use email to communicate. Therefore, they are limited in their effectiveness at preventing security incidents caused by human error (e.g. adding the wrong recipient, attaching the wrong file, or forgetting to use Bcc), as well as intentional data exfiltration, which can happen both maliciously and with the best of intentions (for example, sending data to a personal device to work on or print at home).

Platform data from Egress analysing the emails sent from a housing association of approximately 600 employees highlighted that 94% of incidents detected were caused by human error and data loss prevention (DLP) policy violations.  While only 2% of incidents involved malicious exfiltration (data taken over a 60-day period).

As a result of these risks, housing associations need to examine and invest in technology that can fill the gaps in email security.

3. Understand that intelligent email security can detect advanced threats

The email security market has innovated to fill these gaps. New integrated cloud email security (ICES) solutions have come to market that use AI technologies to detect advanced email security threats.

The solutions use techniques such as natural language processing (NLP) and natural language understanding (NLU) combined with other detection methodologies.  They identify and neutralise advanced phishing attacks. These include business email compromise and impersonation attacks, invoice and payment fraud, attacks that rely on social engineering, and those sent from compromised supply chain accounts.

For outbound detection, solutions combine machine learning with social graph technology to deeply understand how each individual employee uses email and to identify abnormal behaviour. As a result, these solutions are highly scalable and reduce end-user friction by only prompting when a genuine risk is detected, such as an incorrect recipient being added to an email or the wrong document being attached.

4. Use real-time teachable moments to ‘nudge’ employees away from risk and change behaviour for the long term

Newer, intelligent solutions can provide real-time warning to end-users at the moment when they need it most – as a risk is detected.

Phishing emails can be neutralised by the software and delivered with warning banners into the inbox. The employee cannot interact with dangerous content but is provided with clear explanations of the risk that has been detected using real phishing attacks as examples.  

On the outbound, only prompting end-users when genuine risk is detected and with a clear explanation of why they have made a mistake (rather than a static prompt that is triggered for every email without changing its message) adds value to their day-to-day lives, without creating friction.

This approach for both inbound and outbound real-time teachable moments is proven to be more effective than static, unchanging warnings.  Plus it augments security awareness and training (SA&T) programmes through ongoing education.

5. Reduce the burden on administrators

As mentioned above, a holistic approach to inbound and outbound email security enables administrators to gain a single view of the risks in their environment. They can therefore act more effectively. Additionally, when introducing technologies to your organisation, ensure they do not create layers of administrative complexity. This includes reducing the number of solutions that quarantine emails for administrators to review, and using self-learning technology to prevent data loss rather than maintaining sprawling libraries of static rules.

Ready to level up your email security?

The S3 team would be delighted to meet with you to discuss your current email environment and technology stack, and the risks to your organisation. Get in touch today to book your no-strings-attached discussion: 01628 362 784, sales@s3-uk.com.

Why you need Integrated Cloud Email Security (ICES)

Tony Mason | Email Security, Microsoft 365 Security, Security Awareness & Phishing

In their 2021 Market Guide for Email Security, industry analyst Gartner introduced the acronym ‘ICES’, which stands for integrated cloud email security. They also predicted that these platforms would make up 20% of anti-phishing solutions by 2025, up from 5% in 2021. You might also see the acronym ‘CAPES’ used to describe these platforms as well. This was coined by industry analysts Forrester. It stands for ‘cloud-native API-enabled email security’. Since their definition mostly agrees with Gartner’s, we’ll use ICES throughout this article to describe these solutions, explaining their origin, capabilities, and the reasons you need one.

The history of ICES

Earlier Gartner Market Guides referred to cloud email security supplements (CESS) and integrated email security services (IESS). In the 2021 guide, they merged these categories for three reasons:

  1. Proliferation of advanced phishing attacks. Historically, phishing emails concealed malware in attachments, which was then downloaded from servers linked in the email. Today, however, cybercriminals have evolved their attacks. They are increasingly sending payload-less phishing emails and attacks containing URLs that link to seemingly innocent material. However, they are tailored to harvest credentials for future attacks. These emails are managing to get through existing email security and, therefore, a new solution was required.
  2. Intelligent detection capabilities were developed. Intelligent detection was brought to market as a result of advancements in machine learning, social graphs, and linguistic analysis. This then made it easier to identify advanced phishing attacks.
  3. Adoption of Microsoft 365. Cloud email platforms make it possible to deploy email security solutions that conduct post-delivery inspection of emails and threat remediation.

Hence we are seeing an accelerating increase in the adoption of ICES solutions.

Easy deployment for an additional layer of security

ICES systems are not intended to replace current email security. Rather, they are meant to supplement it and address the use cases that it cannot address. As a result, they coexist with already available secure email gateways (SEG), such as the built-in security offered by Microsoft 365.

ICES security can also be set up in a matter of minutes. There’s also no need to change the domain name services mail exchanger (DNS MX) record.

Deployment Techniques

There are two popular deployment techniques for ICES solutions, and both can be used with just a few clicks:

  1. Utilise the Microsoft Graph API to retrieve emails from the inbox post-delivery. Then examine them. If a phishing email is discovered, either quarantine the email, or add a warning banner before returning it to the inbox. If no threat is detected, the email is sent back to the inbox in its original format.
  2. Use mail flow rules in Microsoft 365 to divert emails to the ICES platform for inspection. If a phishing email is detected, either quarantine it or add a warning banner before sending it to the inbox. Again, if no threat is detected, the email is sent to the inbox.

Regardless of how the solutions are deployed, both approaches allow for the use of the Graph API to remediate emails that were delivered as legitimate but are later discovered to be malicious.

It’s worth noting that some have criticised the first method for placing too much reliance on the Microsoft Graph API. This can throttle connections during periods of high volume. The effects of this are well-documented on Microsoft’s website. It can cause potentially harmful emails to stay in users’ inboxes for tens of seconds, if not minutes. During which time a user may fall victim to a phishing attack. A second limitation of this method is the ICES platform’s inability to recover emails that have been sent to devices that are using their default email clients rather than the Outlook app. Again, this causes the user to have access to potentially harmful emails on that device.

Consolidating around Microsoft

Gartner states that 75% of enterprises are adopting a ‘vendor consolidation’ strategy. Organisations are realising that they are underutilising a large portion of the capabilities they have already paid for. In particular, with their Microsoft E3 or E5 license.

ICES solutions enable organisations to achieve these consolidation goals. By enhancing Microsoft’s native email security they open up the possibility of removing their SEG.

ICES provide different functionality versus a SEG

As they use self-learning technologies, ICES vendors frequently describe their products as ‘intelligent’. This contrasts with SEGs’ usage of rules and signature-based policies. These require ongoing upkeep and upgrading by IT and security personnel.

ICES platforms offer three crucial capabilities:

  1. Intelligent detection. Three key detection technologies are used by the top ICES platforms.
    • Machine learning for behaviour-based security (understanding typical email behaviours and highlighting anomalies).
    • Social graph technology to learn the normal sender/recipient trust relationships and flag anomalies.
    • Linguistic analysis to detect social engineering attacks.
  2. User engagement. ICES platforms are designed to handle the grunt work. They must identify advanced and complex threats that have eluded other security measures. They are the final line of defence before a recipient is faced with a phishing email. Platforms do not necessarily quarantine questionable emails. Instead, they add a warning banner that is often colour-coded to indicate the level of suspicion. Many banners additionally include contextual information about the threat’s nature. Some of them even give users the option to click through for more details or to mark an email as malicious or safe. These real-time teachable moments reduce risk for the long term and augment an organisation’s security awareness and training (SA&T) programme.
  3. M-SOAR capabilities. A security analyst must act swiftly. They need to analyse, contain, and eliminate any threat when a user reports an email as malicious, or when a suspicious email is found through other channels. Leading ICES platforms achieve this through search and destroy capabilities. This surfaces all emails along with warnings about potential hazards or indicators of compromise (IOC). They frequently provide a visual of the original email. Additionally, they enable one-click remediation of all matching emails.
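
As an added illustration (not Egress’s, Microsoft’s or any vendor’s code) of the post-delivery deployment model described under Deployment Techniques and of the social graph detection and banner/quarantine behaviour listed above, the following Python sketch pulls an inbox through a constructed stand-in for a Graph-style mailbox API, honours the Retry-After value when that API throttles, and banners or quarantines mail from senders the recipient has never exchanged email with. The mail client, trust history and messages are all assumed and constructed for the example.

```python
import re
import time
from dataclasses import dataclass

LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)  # hyperlink "payloads"
BANNER = '<div style="background:#ffcc00;padding:6px">Warning: {reason}</div>'

class Throttled(Exception):
    """Mail API answered HTTP 429; args[0] mirrors its Retry-After header (seconds)."""

@dataclass
class Message:
    id: str
    sender: str
    recipient: str
    body_html: str
    folder: str = "Inbox"

class FakeMailClient:
    """Constructed stand-in for a Graph-style mailbox API; throttles the first N list calls."""
    def __init__(self, messages: list, throttle_calls: int = 1) -> None:
        self.messages = {m.id: m for m in messages}
        self.throttle_calls = throttle_calls
    def list_messages(self) -> list:
        if self.throttle_calls > 0:
            self.throttle_calls -= 1
            raise Throttled(0.01)
        return [m for m in self.messages.values() if m.folder == "Inbox"]
    def update_body(self, msg_id: str, body_html: str) -> None:
        self.messages[msg_id].body_html = body_html
    def move(self, msg_id: str, folder: str) -> None:
        self.messages[msg_id].folder = folder

def build_trust_graph(history: list) -> dict:
    """Social graph: for each recipient, the senders they have exchanged mail with before."""
    graph: dict = {}
    for sender, recipient in history:
        graph.setdefault(recipient, set()).add(sender)
    return graph

def classify(msg: Message, graph: dict) -> str:
    """Return a warning reason for a risky message, or "" when it looks normal."""
    if msg.sender in graph.get(msg.recipient, set()):
        return ""
    if LINK_RE.search(msg.body_html):
        return "first-time sender with a hyperlink (possible credential harvesting)"
    return "first-time sender"

def remediate(client: FakeMailClient, graph: dict, max_retries: int = 3) -> dict:
    """One post-delivery pass; returns message id -> delivered/bannered/quarantined."""
    for attempt in range(max_retries + 1):
        try:
            inbox = client.list_messages()
            break
        except Throttled as exc:
            if attempt == max_retries:
                raise  # give up; the mail sits in the inbox until the next pass
            time.sleep(exc.args[0])  # back off as the API asked instead of hammering it
    actions = {}
    for msg in inbox:
        reason = classify(msg, graph)
        if not reason:
            actions[msg.id] = "delivered"  # left in the inbox unchanged
        elif "hyperlink" in reason:
            client.move(msg.id, "Quarantine")
            actions[msg.id] = "quarantined"
        else:
            client.update_body(msg.id, BANNER.format(reason=reason) + msg.body_html)
            actions[msg.id] = "bannered"
    return actions
```

The retry loop is where the throttling concern from the Deployment Techniques section shows up: while the client is being throttled, a phishing email remains in the inbox untouched, which is exactly the window the criticism of the first deployment method describes.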

Going beyond ICES

Many organisations are looking to remediate risks beyond the threats that ICES can identify. Intelligent detection technologies are revolutionising outbound threat protection in a similar way to how they have changed incoming threat protection. When Gartner established ICES in the 2021 Market Guide, they also coined the phrase ‘email data protection’ (EDP).

EDP increases security against data breaches caused by human error. Human error can result in emails being sent to the wrong recipients, having the wrong attachments, having too many people in the ‘To’ field, and sending emails with critical information without encryption. It makes use of the same intelligent technologies as those previously mentioned. It comprehends typical sender and receiver actions, and alerts the sender when an abnormality is detected. The intention is to nudge the user at the point of risk by interfering with their regular process, similar to how ICES added warning flags.

ICES providers are striving to add EDP to their portfolios as organisations start to quantify this human-activated risk that leads to data breaches. Few, though, can offer both inbound and outbound protection in their entirety.

Get in touch to learn more about Integrated Cloud Email Security (ICES) and EDP platforms and selecting and justifying the best solution for your needs. Email: sales@s3-uk.com Tel: 01628 362 784