The latest news from SWCRC

Welcome to 2022!

Inevitably, our regular monthly bulletin will be competing with hundreds more in your inbox, because you’ve probably just had a bit of a break, and there’s a backlog. But make it your new year resolution to check over and share the information below, which might just save your business cash, time, reputation… or indeed, might just save your business. 2021 was a record-breaking year in terms of cyber threat.

The good news is, you’re part of a community of over 500 regional businesses who are doing something about it. At least, you are if you read on.😀 

To get you off to a good start, we have a genuinely free offer from a new member who supports smaller businesses with cyber security. You’ll find more information and relevant links in the newsletter, but the offer will help you to understand and reduce your risk. Although we don’t directly recommend individual products, we’re of the view that more information is always useful, and we would encourage you to take a look at the no-cost offering which we’ve secured on your behalf. 

We hope that our threat assessment helps keep you safe through January, and marks the start of a successful and prosperous new year for you. 

Mark Moore, Director, SWCRC 

Monthly threat assessment

1) Log4j

If you haven’t heard of log4j, you will soon: it’s shaping up to be one of the biggest cyber security vulnerabilities ever. It almost certainly affects you. It is a piece of logging code, used to record what software applications or online services are doing, and is embedded in a huge number of products and apps. Unfortunately, a vulnerability was discovered which lets attackers use it to break into systems, steal passwords and data, and infect networks.

Every product which uses this bit of coding now needs to be updated, although the first task for many teams has been working out whether their own software is affected or not. We’d point you to three useful summaries from the National Cyber Security Centre:
the first is a more detailed update for the general reader,
the second is aimed at setting technical teams on the right path,
and the third helps board members ask the right questions internally.

If you’re a small business and are thinking that this looks too technical and complicated, the advice is this. Check that you’re running on the latest version of everything you use. If you’re not, update it. If it’s an app that you use infrequently and that doesn’t seem to be updated, consider whether you really want it. And keep checking and updating regularly for the foreseeable future. Many smaller software companies will have had reduced staffing over Christmas too, and will be busy producing fixes in the coming weeks. 

If this feels like background noise, it’s not. It is expected to cause breaches for months and even years into the future. So don’t be running outdated software.
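As an added example (not SWCRC’s or the NCSC’s own tooling), here is one way a technical team can start the “are we affected?” inventory: walk a directory of deployed Java archives and flag any that bundle the Log4j 2 JNDI lookup class, including jars nested inside wars. It assumes the known fact that log4j-core 2.x builds with JNDI lookups enabled ship `org/apache/logging/log4j/core/lookup/JndiLookup.class`; the fixture directory, file names and class bytes are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j-core 2.x JNDI lookup class
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def archive_hits(zf, label, depth=0):
    """Labels of this archive and nested ones (jar-in-war) that contain JNDI_CLASS."""
    hits = []
    for name in zf.namelist():
        if name == JNDI_CLASS:
            hits.append(label)
        elif depth < 3 and name.lower().endswith(ARCHIVE_EXTS):  # depth cap vs crafted archives
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # named like an archive but is not one
            hits.extend(archive_hits(inner, f"{label}!{name}", depth + 1))
    return hits

def scan_tree(root):
    """Walk root; return sorted relative paths of archives containing JNDI_CLASS."""
    found = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.lower().endswith(ARCHIVE_EXTS) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    found.extend(archive_hits(zf, os.path.relpath(path, root)))
    return sorted(found)

def build_sample_tree(root):  # constructed fixture: an affected jar plus a war nesting one
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "log4j-core.jar"), "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes, not a real class
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(root, "app", "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", nested.getvalue())

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # scratch copy of the fixture
        build_sample_tree(tmp)
        return scan_tree(tmp)

if __name__ == "__main__": print("\n".join(demo()))
```

A hit means the archive bundles the lookup class and its version needs checking against the vendor’s guidance; an empty result does not prove a product is unaffected, since Log4j can be embedded in other ways (shaded classes, vendor-renamed packages).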

2) Scam Emails

Predictably, the emergence of the Omicron variant has spawned new malicious email opportunities. Often, email attacks (termed ‘phishing’) play on people’s fear, have a sense of urgency, or use official badges to make people trust them. We saw this at the start of the pandemic… now, as people become more worried again, scams are encouraging them to pay for delivery of home kits (… input credit card details here…) or to set up accounts with security questions and personal details. Make sure you are visiting only official sites, and be very wary of unsolicited emails containing links that send you elsewhere.   

These scam emails are also often used to make a user download malicious software onto their device, often by clicking on an attachment and being asked to enable further action for the content to display. Last month we became aware of a particularly unpleasant one that had been circulated, entitled ‘employee termination’ – advising the recipient that their services were no longer required, and that full details could be found in the attached file. Just a question: would you click on this, or would one of your team? If the answer is ‘maybe’ then perhaps the team needs to be more aware of how phishing works. Do let us know if you need a hand.

3) Managing your passwords

National Cyber Security Centre advice continues to recommend password managers, which remember every password that you use so you don’t have to. LastPass is a widely-used example.

Over the last month, several users have reportedly complained that their LastPass accounts were blocked as a result of login attempts from unfamiliar locations, using the right credentials. But LastPass say that there is no indication a breach has taken place. So how could anyone have had the correct login details? Chances are, this is the same story of people recycling passwords on a number of different sites. It’s critically important that if you do use a password manager, it has a strong and unique password which only you know, and you should support this where you can with two-factor authentication.

4) Apple HomeKit

HomeKit is Apple’s software for configuring and connecting smart home devices. Right now, it has a flaw. If one of your devices has a name of over half a million characters, your iPhone / iPad will crash. Which sounds improbable: but what if I set up a device with a name like that and invited you to connect? The so-called ‘doorlock’ vulnerability does just this. Once you’ve connected, your device fails and goes into an indefinite cycle of crashes until you reset it from the recovery or device firmware update mode. And if you sign back into iCloud, where the device name will be stored, you’ll crash again. Indefinitely. Apple are aiming to produce a fix in early 2022 but we thought it was worth flagging this one now. Be wary of which devices you connect to.

5) Y2K XXII

Not really a security issue: but we thought we’d give you this one as a freebie, if you’re experiencing an unusually quiet New Year. Many of you will remember when the millennium’s change of digits was supposed to create IT chaos. Apparently, the gremlins were actually waiting for the calendar to shift from 2021 to ’22… at which point they refused to send on any emails. A more detailed and mathematical explanation is found in the attached article. If, like other companies, you’ve found that the world seems to have gone a bit quiet, you’ll be reassured to know that a fix is at hand. Happy New Year.

Crossword Cybersecurity

Crossword Cybersecurity, a technology commercialisation company focused on cyber security and risk management, is delighted to join SWCRC membership.
Crossword has helped over 400 organisations protect their IT infrastructure, comply with national and international legislation, achieve IT security certifications, and protect their supply chain.

Crossword’s software development team writes IT security and risk applications based on the latest cybersecurity threats and university research, and is offering a free version of its flagship platform, RIZIKON ASSURANCE, to all SWCRC members wishing to (1) self-assess against UK Cyber Essentials and/or (2) assess third-party supply chain risk.

RIZIKON ASSURANCE is a secure, encrypted portal which puts an organisation in control of managing the financial, regulatory and reputational risks it indirectly carries when working with third parties. RIZIKON contains standard questionnaires on subjects such as cyber security, GDPR, supplier on-boarding, modern slavery, and anti-bribery & corruption.

Sign up here for your free RIZIKON account  

Dates for your diary

Feb 22 - 23 2022, London

Ransomware: To Pay or Not to Pay?

There are numerous examples of publicly recorded incidents showing the cost to rebuild as significantly more than the ransom requested. CEOs and business leaders therefore need to weigh up the cost of downtime and the impact on their business. But even if the ransom is paid, there is no guarantee that a decryptor will be forthcoming or that, if provided, it will even work.

Join Jen Ellis, VP of Community and Public Affairs at Rapid7 & Working Group Co-Chair of the Ransomware Task Force, alongside Jennifer Daffron, Client Services and Technology Risk Lead at the Centre for Risk Studies, University of Cambridge, as they debate for and against the motion of paying ransom. You will have the chance to join in on the debate, casting your vote on the outcome.

This February, CISOs from across Europe will gather in London on 22 – 23 February to share lessons learned and benchmark resilience and business continuity planning at the Ransomware Resilience Summit, enabling you to better protect your businesses from attack.

Will you be joining us? Secure your place now.

Check out our full agenda here.