Cyber Security Issues
With 43% of British businesses reporting a cyber breach or attack in 2017/2018, these days it’s simply a case of when, not if, an organisation will have a cyber security issue.
Unfortunately, phishing emails, along with other types of security threats to organisations’ IT networks, are now just a part of everyday life and something that businesses have to learn to live with. Dealing with these quickly and efficiently by having the correct process in place is vital to any organisation. This warning applies to education settings, charities and sports clubs alike, so it’s just as important for these organisations to be vigilant too. These threats are not going to go away.
What is phishing?
Phishing has been in existence for a number of years now – it’s not new. It’s a type of social engineering. Its purpose? To obtain information and manipulate individuals by using deception. The confidential information obtained can then be used for fraudulent purposes. Some common types of information acquired are: login credentials, bank details or payment information, personal information (such as names, email addresses, date of birth).
It can also be used to distribute malware/spyware which records the keystrokes that are typed and sends the captured usernames and passwords back to the attacker. These can then be used to access accounts such as online banking and email, to steal someone’s identity, or in some other fraudulent activity.
Phishing emails can fall into 4 main categories:
Spear Phishing Campaign: This method targets specific individuals instead of a wide group of people. Attackers often research their victims on social media and other websites. That way, they can customize their communication material and appear more authentic to the user. This is often the first step used to penetrate defences and carry out a targeted attack.
Deceptive Phishing Campaign: This method is the most common type of phishing. In this case, an attacker attempts to obtain confidential information from their victims. Attackers use the information to steal money or launch further attacks. A fake email from a recognised source such as your bank asking you to verify your account, re-enter information or make a payment is a good example of this.
Attachment Phishing Campaign: This method is deployed using files attached to emails. The most common examples are failed delivery note emails, or emails with subject lines of high importance or urgency that might be relevant to your role (e.g. Sales Figures). These emails could even appear to come from someone within your organisation (e.g. your CEO or Headteacher), but the sender address is likely to have been spoofed to match that person’s address. Once the attached file is opened, the software hidden inside it is activated and can then access your device and the information stored on it.
Whaling Phishing Campaign: When attackers go after a “big fish” such as a Managing Director, it’s called whaling. These attackers often spend considerable time profiling the target to find the opportune moment and means of stealing login credentials. Whaling is of concern because high-level executives can access a great deal of company information.
How do I stop phishing emails?
The simple answer is you can’t. Your IT department or email provider will have automated processes and security measures in place to reduce the number of phishing emails you receive. However, with the ever-changing phishing landscape, no automated process will work 100% of the time. The most reliable way to prevent phishing attacks is through staff training and awareness. You can ensure all staff in your organisation are geared up to spot a suspicious email and make sure they know how to report one if they suspect they have received a phishing email. Here are a few pointers that your staff should be aware of:
Tips on what to look out for
- Check the sender – are you expecting to receive the email? Even if the branding looks correct, if you have not requested the email then this could be a phishing email (e.g. if you have had an email from MyConcern asking you to reset your password – have you requested this? Or if you have had an email from Amazon about a parcel – are you expecting a delivery?).
- Check the links – by hovering your cursor over a link you can see where it will take you (be careful not to click). Does it look like a genuine link? Just because the words in the email say one thing, the link itself might point somewhere completely different. Always check a link before you click on it.
- Look out for spelling mistakes – often the sender details will be similar to those of a company you know and trust, but they might replace M with RR, which in lower case and at a quick glance can look similar. Or there might be spelling mistakes in the body of the email which give you a clue that it is not genuine.
- Password reset – if you have a request to reset your password or another security message, close the email and open a new browser completely afresh. Many banks say on their website they will never ask you for security details via email.
- Check if you’re not sure – if an email doesn’t look right, pick up the phone and check with the sender that they have sent something to you. Make sure to find their contact details on their website rather than taking them from the email.
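As an added example (not from the original article), a small Python check that automates two of the pointers above: comparing the host a link's visible text names against where its href really goes, and comparing a sender's domain against a trusted list after collapsing letter pairs that pass for a single letter at a glance (the classic case is "rn" standing in for "m"). The trusted domain list and the sample email in the usage are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
TRUSTED = {"myconcern.com", "amazon.co.uk"}           # domains we expect mail from (assumed)
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w", "cl": "d"}  # letter pairs that pass for one letter
HOST_IN_TEXT = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)")  # first host-like token in link text
strip_www = lambda h: h[4:] if h.startswith("www.") else h

def normalise(host):
    """Collapse lookalike spellings so 'rnyconcern.com' compares equal to 'myconcern.com'."""
    host = strip_www(host.lower())
    for pair, single in CONFUSABLE_PAIRS.items():
        host = host.replace(pair, single)
    return host

def lookalike_of(host, trusted=TRUSTED):
    """Return the trusted domain this host imitates, or None if it is trusted or unrelated."""
    if host in trusted:
        return None
    return next((t for t in trusted if normalise(t) == normalise(host)), None)

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_email(sender, html_body, trusted=TRUSTED):
    """Return warnings: lookalike sender domain, link text naming a host the href does not go to."""
    warnings = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if (hit := lookalike_of(domain, trusted)):
        warnings.append(f"sender domain {domain!r} imitates {hit!r}")
    parser = LinkCollector()
    parser.feed(html_body)
    for text, href in parser.links:
        real = strip_www(urlparse(href).hostname or "")          # where the link really goes
        shown = HOST_IN_TEXT.search(text.lower())                # host the reader is shown
        if shown and strip_www(shown.group(1)) != real:
            warnings.append(f"link text shows {shown.group(1)!r} but goes to {real!r}")
    return warnings
```

Run it on a constructed message such as `check_email("alerts@rnyconcern.com", '<a href="http://192.0.2.10/reset">https://www.myconcern.com/reset</a>')` and both the lookalike sender and the mismatched link are reported; a genuine message from a trusted domain whose link text and href agree returns an empty list.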
How we help keep security tight
Here at MyConcern, we take security incredibly seriously. As a safeguarding company and a business that deals with a huge amount of highly sensitive and personal information, we need to ensure that it is protected to the highest level. As well as complying with GDPR (and using Microsoft Azure, UK-based data centres), we also hold a Cyber Essentials Plus Accreditation, which is an independently audited certification. ISO 27001 is another certificate we hold, which is internationally recognised and means we strictly adhere to a number of security principles and processes, AND we are regularly independently penetration tested (we pay a company to try and hack us!). We do all this to ensure our networks and customer data are ultra-secure.
A further measure we have taken is to build 2 Factor Authentication (otherwise known as 2FA) into our software. We encourage all users of MyConcern to activate this (not just safeguarding leads, but anyone who has access to our safeguarding software).
What is 2FA?
This is an additional level of security which adds an extra step when logging in. It enables users to verify themselves with a physical device or a second method, such as a phone or a PIN generator/key.
Why should you use it?
If you are logged into MyConcern you can enable 2FA through the settings under the Admin tab. Once 2FA has been switched on, even if your username and password are compromised, no one can gain access to MyConcern without also having your mobile phone.
How to set 2FA up in MyConcern
In order to enable 2FA for an Establishment, the Account Admin must first download the MyConcern Mobile app and pair their mobile device to their MyConcern user account.
The help guide can be found inside the system under the help section, and you will need to follow all steps in the guide to activate 2FA.
If you have any questions about this, please call our support team on 0330 660 0767, who will be happy to guide you through it.
Written By Paul Creedy (IT Manager, One Team Logic)