Around one in three (31%) people in the UK are not actively concerned about cybersecurity, according to a study by ESET.

In a survey of 2000 UK citizens, which looked at their cybersecurity habits, more than half (57%) do not believe they’ve been hacked and 46% claimed they have never noticed or fallen for an online scam or hack.

However, this is unlikely to reflect reality, with over a quarter (26%) of respondents admitting that they do not know the signs of a successful or attempted hack.

The research was conducted in order to grow awareness of the growing threats of scams to both individuals and businesses. Numerous reports have found that the number of scams have risen this year, largely linked to the health, economic and social effects of COVID-19. For instance, at the start of the crisis, there was a 667% increase in phishing emails recorded while it was revealed last month that the UK’s HMRC is currently investigating more than 10,000 email, SMS, social media and phone scams exploiting the pandemic.

Jake Moore, cybersecurity expert at ESET UK, commented: “Scams are growing in frequency and it is becoming much harder to spot a phishing email. Possible signs you may have been hacked are more difficult to recognize, too, as criminals become more sophisticated in their art of deception. While some may not be concerned about their cybersecurity, this European Cybersecurity Month, we urge individuals to stay alert as they may be even more vulnerable in this current climate and must take extra precautions.

“Recent research from The Myers-Briggs Company showed that 47% of respondents are concerned about their ability to manage stress during the crisis – and, when people are facing financial and health stressors, they may be even less likely to pick up on signs of a hack. Remember to stay vigilant with emails, search directly for legitimate websites rather than clicking through from the email itself, always check before handing over any information – especially when it involves personal or financial data – and regularly change your passwords or use a robust password manager.”

“You can never protect yourself 100 per cent. What you do is protect yourself as much as possible and mitigate risk to an acceptable degree. You can never remove all risk.” So said Kevin Mitnick, arguably the world’s most famous hacker.

Indeed, the ever-presence of risk makes performing IT risk assessments critical for every business. An IT risk assessment is the process by which a company identifies its valuable data assets, establishes the business impact of having these data assets compromised, determines the threats that can likely cause a compromise, and analyses the vulnerabilities that an attack vector can exploit. Here’s a step-by-step outline of how to perform an effective IT risk assessment.

1. Identify all valuable data assets. Companies need to identify which data assets are valuable by first understanding the nature of their business. Many companies would consider things such as client contact information, product design files, trade secrets and roadmap documents their most important assets. Regardless of the type of data companies identify as critical, however, it’s necessary for them to understand how all of this critical data flows in their networks and identify which computers and servers are used to store this data. For smaller companies, this information is usually available with the top executives. For larger companies, this information may be available with each department’s head.
2. Estimate business impact due to loss. Risk and impact assessments have to go hand in hand. For each data asset, the corresponding negative financial impact of a compromise has to be estimated. Apart from direct costs, the negative impact can also include intangible costs such as reputational damage, and legal ramifications.
3. Determine threats to the business. A threat is anything that has the potential to cause harm to the valuable data assets of a business. The threats companies face include natural disasters, power failure, system failure, accidental insider actions, malicious insider actions and malicious outsider actions.
4. Analyse vulnerabilities. A vulnerability is a weakness or gap in a company’s network, systems, applications, or even processes which can be exploited. Vulnerabilities can be physical in nature, they can involve weak system configurations, or they can result from awareness issues (such as untrained staff). There are several scanning tools available for performing a thorough systems analysis. Penetration testing or ethical hacking techniques could also be used to delve deeper and find vulnerabilities that regular scanning might miss.
5. Establish a risk management framework. Risk is a business construct, but it can be represented by the following formula: Risk = Threat x Vulnerability x Business impact. To reduce risk, company IT teams need to minimise the threats they’re exposed to, the vulnerabilities that exist in their environments, or a combination of both. From the business side of things, management may also decide to evaluate the business impact of each data asset and take measures to reduce it. A value of high, medium, or low should be assigned for each of the variables in the formula above to calculate the risk. Using this process, a company can prioritise which data asset risks it needs to address. After this is done, a company should come up with solutions or redressal for each identified risk, and the associated cost for each solution.
6. Develop a risk appetite. Companies should now gauge themselves on what level of risk they’re comfortable taking. Do they want to address all the risks or do they only want to address risks identified as high? The answer to this question will vary from company to company.
7. Start mitigating risks. Finally, companies should invest in the right solutions and start mitigating the risks of data loss.

Making a good risk assessment better

It’s hard to identify what exactly has been stolen after a data breach. The affected company has to go through various data logs and reports to find out who accessed what, when, where and why. To put together a complete picture, the company needs to look at a host of reports from an effective security solution, and put its powers of deduction to use.

The way cybersecurity awareness training is conducted in organizations has a huge bearing on employees’ subsequent security outlook and behaviors, according to a new report from Osterman Research.

The researchers discovered that users who found security training “very interesting” were over 13-times more likely to make “fundamental changes” to how they think about security compared to those who considered the training “boring.”

The survey of 1000 US everyday employees, IT managers and decision makers also found that the quantity of security awareness training given makes a major difference, with the ability of staff to spot and deal with security threats such as phishing and business email compromise improving as more training is provided.

Encouragingly, it appears as though organizations are set to place much greater emphasis on security awareness training going forward, with around 45% of employees surveyed expecting to spend 15 minutes or more per month in training by mid-2021, a substantial rise from 26% in 2020. In addition, this type of training was regarded as just as important as technology in dealing with security threats by respondents.

Despite this, the authors said that although organizations generally want to establish a strong cybersecurity culture, IT, security and business leaders are not effectively conveying that idea to a large proportion of their employees, with senior IT and business management much more enthusiastic about security awareness training than non-management employees.

Overall, the report noted that “security and IT leaders, their staff members, and business leaders are largely onboard with the idea that developing a strong cybersecurity culture is important; everyday employees, however, are much less convinced about the importance of doing so, indicating that the goal of developing a robust security culture has not yet been achieved in most organizations.”

Lisa Plaggemier, chief strategist at MediaPRO, which co-sponsored the research, added: “Security awareness training doesn’t do anyone any good if they sleep through it. You can deliver the best security advice in the world, but if no one is listening, you might as well be talking to a brick wall.

“Good security awareness training should get and keep your attention. That’s what it means to be engaging.”

Academia has faced fresh warnings of cyber-attacks after a rise was recorded in August when students returned.

According to an alert issued by the National Cyber Security Centre (NCSC) there has been a recent spike in ransomware attacks against UK schools, colleges and universities. It claimed that, in recent incidents, it has observed remote desktop protocols and unpatched software and hardware being utilized, as well as attackers using phishing emails to deploy ransomware.

Attackers have also sabotaged backup or auditing devices to make recovery more difficult, encrypted entire virtual servers and used scripting environments (including PowerShell) to deploy tooling or ransomware.

Paul Chichester, director of operations at the NCSC, called the targeting of the education sector “utterly reprehensible” at such a challenging time.

“While these have been isolated incidents, I would strongly urge all academic institutions to take heed of our alert and put in place the steps we suggest, to help ensure young people are able to return to education undisrupted,” he said. ““We are absolutely committed to ensuring UK academia is as safe as possible from cyber-threats, and will not hesitate to act when that threat evolves.”

David Corke, director of education and skills policy at the Association of Colleges, said: “As the last six months have shown us, it has never been more important for colleges to have the right digital infrastructure in order to be able to protect their systems and keep learning happening, whatever the circumstance.”

Corke called for a “whole college approach and for a focus wider than just systems” to include supporting leaders, teachers and students to recognize threats, mitigate against them and act decisively when something goes wrong.

The NCSC recommended a number of actions to better disrupt ransomware attacks, such as having effective vulnerability management and patching procedures, secure remote desktop protocols with multi-factor authentication, enabling anti-virus and phishing preventions.

Dr Jamie Collier, intelligence analyst at Mandiant Threat Intelligence, said the influx of attacks against universities at the beginning of term “is indicative of threat actors’ ultimate aim with ransomware attacks – to maximize leverage and increase the chance of being paid.”

Collier said the start of term is a critical time for universities trying to onboard students, and their IT infrastructure being held to ransom will cause major operational issues, especially this year. “The issue for universities is compounded by the fact that they have a large and complicated network – which has to account for many departments, students using their own devices and sophisticated computing systems for research – making it difficult to enforce blanket security controls,” he said.

“The attack surface is large and constantly evolving, which means there are more opportunities for attackers to exploit it. Moreover, the data universities hold, including valuable or sensitive research and intellectual property, as well as thousands of students’ personal information, means that there is a lot at stake.”

He echoed the NCSC’s recommendations on patching and authentication, and also recommended universities use threat intelligence to identify the most likely ransomware attacks they will face to put the correct protection measures in place.

Collier said: “Ransomware groups are increasing and diversifying, which is why we are seeing more attacks. Only by identifying the techniques and methods of the most likely ransomware families for their region or the types of data they hold can universities be better prepared for the attacks they may face.”

There are good reasons your IT security team may be looking a bit sleep-deprived. In addition to the stress of the Covid-19 pandemic everyone is facing, they’re also dealing with heightened risks to network firewall security, as new external assets (websites, web portals, mobile apps and more) are provisioned to enable customers and an expanding remote workforce.

First, enterprise networks have changed dramatically – and with dramatic speed. The pandemic has led organisations to urge their employees to work from home. For many businesses, that has turned the normal pattern of network connections upside down. Instead of most employees logging in securely from a wired office, most of them are logging in remotely. Up to half the workforce is now working from home.

IT teams have had to work overtime to accommodate this rapid revolution in network configuration. A survey of our customers revealed that enterprise infrastructure change is up by an astounding 300 per cent.

The pace and scope of these changes adds immeasurably to the challenges of keeping the network secure from inadvertent errors – especially given the complex hybrid networks that are the norm today. The pandemic has only added to that complexity by vastly expanding the need to access cloud services. Microsoft has reported an almost unbelievable 775 per cent increase is usage of cloud services due to the pandemic.

Finally, in the face of these rapid configuration changes – and in part because of them – security threats are increasing. Bad guys thrive on chaos, and the pandemic has created an opportunity they find irresistible. An FBI official reported that cyber-crime reports had quadrupled by mid-April compared to the months before the pandemic.

Moreover, the increase in malicious activity is not limited to just one or two types of attacks. Threats of all kinds are up:

• The regularity of DDoS attacks and other disruption risks targeting enterprise networks is up
• Bad bot traffic is up, along with all the threats that exploit bot networks
• Phishing attacks are up, and Google has detected a huge increase in active phishing sites
• Credit card skimming attacks are up, matching the increase in online shopping

We’ve created a compelling infographic that captures the specific and relevant risk data facing every networked business during this pandemic. It is a powerful summary of the challenges your IT security team is working to overcome every day.

Of course, threats are just threats unless they are somehow able to penetrate your network firewall security – which brings us to the biggest challenge facing IT teams.

With so much change to network and cloud security group configurations in such a short time, mistakes resulting from manual change processes are inevitable. Misconfiguration errors are responsible for a staggering percentage of security breaches. Gartner reports that 99 per cent of all firewall breaches over the next several years will be caused by misconfigurations, not flaws.

What is the answer? In the short term, it’s the unsustainable approach of checking and rechecking configurations with every change, paying particular attention to the most common misconfigurations that result in data breaches.

The real solution, however, is applying a disciplined and repeatable practice by automating the process of the configuration change. By minimising manual efforts and the inevitable errors they bring, IT teams can significantly reduce instances of misconfigurations that inadvertently expose vulnerabilities, leaving data – your company lifeblood – vulnerable.