The growing threat of cyber warfare

Cyber security expert explains how to bolster your defences

Worried about cyber warfare? You’re not alone. With the threat of imminent attack from overseas malware and state-sponsored hacks increasing, the National Cyber Security Centre (NCSC) is calling for UK businesses of all sizes to “strengthen their cyber resilience” in response to the ongoing situation in Ukraine.

But what does cyber resilience mean, and what actionable steps can businesses take to bolster their defences? Anthony Green, CTO and cyber security expert at FoxTech, discusses:

“Intelligence suggests that cyber warfare will target critical infrastructure such as hospitals, schools, and energy supply chains. However, the real risk for the majority of businesses is collateral damage, and it’s never been more necessary for UK services and businesses to make cyber resilience an urgent priority.

“The goal of cyber resiliency actions is to give your organisation the best chance of preventing an attack and making a quick recovery if it does happen. Many organisations don’t even have basic cyber hygiene controls in place, which means that cyber education is vital and could have a potentially huge impact on the UK’s overall resiliency to cyber threats.”

FoxTech has provided its guide to the practical steps that businesses can take from today to strengthen their cybersecurity defences:

Stay informed

Can your IT strategy be summed up with the phrase ‘ignorance is bliss’? Businesses who are not fully aware of the extent of the threat and the actions they need to take will be the most vulnerable to attack. So, it’s vital to get informed.

As part of the Government Communications Headquarters (GCHQ), the NCSC website is frequently updated with the latest guidance, making it one of the best resources for UK businesses to get accurate, up-to-date advice to protect their IT ecosystem from attack. Brief your wider team on the heightened threat to ensure that your whole organisation is on board with the further security actions you may need to take.

Protect your devices

It’s vital to protect all devices that connect to your network, including those that are used remotely.

  • Ideally, make sure your employees are using company devices. If you do not provide company devices, ensure that all personal devices that connect to your network are secured
  • Ask employees not to conduct personal business on their company device
  • Ensure that all users’ laptops, desktops, and mobile devices have been tested and patched (patching is a process that repairs security vulnerabilities)
  • Turn on automatic updates and always install new updates as soon as possible

Practise password security

User accounts are a common entry point for attackers – make sure yours are not an easy target.

  • Install two factor authentication
  • Disable frequent password updates that encourage employees to write down their password as a reminder
  • Protect against password spraying by ensuring users choose uncommon passwords. The NCSC guidance recommends disabling complexity requirements, which encourage password re-use, and instead using three random words, such as phoneradiuswhile or yelljamdistance

Secure your third-party software

All your third-party software needs to be secured and any vulnerabilities should be patched. If you don’t have the expertise to do this in-house, it is highly recommended that you consult cyber security experts who can conduct vulnerability scanning and implement remedial measures for you.

  • Check that any third-party software such as browsers, office productivity suites, firmware and cloud-based services are patched
  • Make sure your firewall, endpoint security and anti-virus are properly installed and correctly configured (if they are configured incorrectly then you may not be protected)

Review what you’re showing the internet

It’s essential to review all your internet-facing data, as you might be displaying more than you realise.

  • Get a low-cost or free attack surface map to discover what you have exposed to the internet
  • Get an expert to conduct vulnerability scanning on your internet-connected services and patch any vulnerabilities
  • Secure your domain registration data by implementing a strong password on your registry account

Protect against phishing

Phishing emails are by far the most common form of attack, with 83% of UK businesses experiencing a phishing attempt every week.

  • Take advantage of the NCSC’s free cyber security training which has a useful module on spotting and reporting phishing emails – remember that employees are the first line of defence against phishing attempts
  • Instil a ‘no blame’ culture to encourage employees to report when they suspect they have clicked a phishing email

Only allow necessary access

Restrict access to your systems to only those who need it and ensure that all access is secured.

  • Delete any inactive accounts
  • Check your administrative access and ensure that only those who need to are enabled to access the network to make changes
  • Anyone not authorised to make changes should be set to view-only
  • Implement strong multi-factor authentication to all administrative accounts
  • Get a handle on any third-party organisations who have access to your IT estate. Understand what they do, who is allowed access and what privileges they have. Remove any access that is no longer required

Create an incident response plan

If the worst does happen, you need to have a comprehensive incident response plan in place. Only 31% of companies have an agreed cyber attack response plan set up, so this step will be an urgent action for many businesses.

  • If you don’t have a cyber security incident response plan, see the NCSC’s guidance on creating one
  • If you do have a plan in place, ensure all information (especially contact details) is correct
  • Make sure that your plan details who has the authority to make decisions, and what will happen if the attack occurs out of office hours
  • Ensure your plan includes information on how you will communicate if your normal systems are down
  • Make sure data is regularly and securely backed up in a safe place that is unconnected to your network

Contact cybersecurity consultants

If you don’t have cyber security expertise in-house, then consulting a cybersecurity expert can help you implement the steps above. They can also carry out more advanced actions to find and fix any other vulnerabilities that are particular to your organisation.

  • Get an expert security assessment to scan for any remaining vulnerabilities in your network, programmes, and cloud-based services
  • Join a security operations centre, which can constantly monitor your system and analyse any abnormalities against the latest threat intelligence to identify and block breaches before the attacker is able to steal anything.
  • Undergo penetration testing (also known as ethical hacking) to understand how an attacker is likely to gain access
  • Get a free CyberRisk score from FoxTech (it operates like a credit score for your cyber security) to get an immediate indication of your security posture.

The consequences of falling victim to a cyber attack can be dire, so in the current threat landscape, cyber security should be at the forefront of any business’ strategy for 2022.

Companies interested in finding out their CyberRisk score can order this for free from FoxTech here: https://www.foxtrot-technologies.com/cyberrisk-score

Further NCSC resources can be found here: https://www.ncsc.gov.uk/

The top three ways businesses are putting their cybersecurity at risk – and how to fix them!

Cyber crime is on the increase. Since the onset of the COVID-19 pandemic, cyber attacks on businesses have surged, and a UK Government survey found that a shocking 39% of businesses came under attack in the first quarter of 2021.

Even more worryingly, attackers are starting to move away from large corporations to focus on small businesses, which are seen as softer targets, but in many cases find it more difficult to recover from an attack.

With cyber attacks on the rise, many executives ramped up their cybersecurity spending in 2021. However, research by cyber security specialists FoxTech has found that numerous industries are still at a significant risk of cyber attack.

CTO of FoxTech Anthony Green explains why: “Unfortunately, money spent on cybersecurity is not always spent in the right places, due to a lack of knowledge around the issue. This has left many companies who have invested in security measures, still vulnerable to attack.”

To help combat the problem, FoxTech has put together a guide to the top three cybersecurity problems they see in the companies they work with:

Buying products and forgetting the people to run them

Many business owners believe that the best way to protect themselves against cyber attack is to buy and install the latest security products. However, far from offering infallible protection from cybercrime and malware, products such as endpoint detection, firewalls, and anti-virus software should be thought of as tools which can be utilised by your security team, rather than an end in themselves.

Anthony explains: “You can have the best cybersecurity and compliance products money can buy, but without the staff and expertise to run them you’re wasting your money.”

With Cyber Security specialists in high demand, it is not practical for the typical SME to have this expertise in-house – which is often why they are drawn to expensive cybersecurity products, when they could significantly improve their security using the basic products they already have, if only they had the skills and knowledge to configure them appropriately.

The UK DCMS 2021 report found that while 83% of UK Companies have up to date anti-malware software, only 29% have all the NCSC’s recommended “Cyber Essentials” in place to protect themselves from the attacks every organisation faces. Most commonly missing are simple things like installing software updates and securely configuring laptops.

Many UK small and medium sized businesses could make significant improvements to the security of their system by engaging a cybersecurity firm as a trusted advisor, rather than relying solely on expensive software. Getting an expert on side can help companies discover where their current security controls are lacking, and develop the tools and business processes to put them right.

Lack of education around email protection

Email is the number one initial attack point for malicious cyber activity. Every company uses email, and many do not have sufficient email security set up, meaning attackers can easily gain access and send phishing emails, with the intent to steal your company’s information and carry out further attacks via ransomware, trojan horse installation or credential theft.

Alarmingly, only a single employee has to fall for a phishing email for an attacker to gain access to your company’s email.

It is therefore essential for every business to take simple steps to reduce the risk of phishing and business email compromise:

  • Security Awareness Training for staff
  • Two Factor Authentication on email accounts
  • Secure configuration of your email service

Only 14% of UK companies perform security awareness training even though the NCSC provides free security awareness training available here: https://www.ncsc.gov.uk/training/top-tips-for-staff-scorm-v2/scormcontent/index.html

What if a malicious email still gets through? Anthony provides some reassurance: “If one of your employees falls for a phishing attempt, there is still time to avoid significant financial damage.

Email accounts are often compromised weeks or months before the damage is done – with compromised accounts being traded on the black markets to the highest bidder who can monetise your account through ransomware, or impersonate your CEO to redirect a large payment.

Careful monitoring by cyber security experts can stop the kill chain before the final payload is delivered – turning what could be a major disaster into just a minor incident.”

Not knowing your company’s vulnerabilities

Of all the threats to the cybersecurity of businesses, the biggest is a lack of knowledge about vulnerabilities in their systems. “It’s not that businesses don’t take their cybersecurity seriously” says Anthony, “but that they don’t realise their current strategy is inadequate, until it is too late.”

One of the only ways to learn exactly where the weaknesses are in your system (places where hackers could gain a foothold) is to get a cyber security assessment done by an independent cybersecurity specialist, who can scan for the same weaknesses that hackers are looking for.

Identifying where you are vulnerable, before implementing a strategy to secure your IT systems, process and procedures from attack is the most reliable way to protect your business as we go into 2022.

Companies interested in finding out their cyber risk score can order this for free from FoxTech by contacting them at foxtrot-technologies.com.

University team unveil data set to bolster research into ransomware detection

Newly-published paper details the creation of NapierOne

Cyber security experts at Edinburgh Napier have created a new data set which will support cutting-edge research into ransomware detection.

Ransomware – malware that encrypts files, giving the attacker scope to demand a ransom to restore access – has become a popular and potentially lucrative method of attack for cyber criminals.

However, newly-created NapierOne (www.napierone.com) is now available to help test and evaluate new detection methods, amid concerns that previous data sets used in digital forensics research have become outdated.

The new openly accessible ready-to-use data set will improve consistency by using standard formats allowing earlier studies to be replicated. As such it will improve the pace and direction of research into ransomware, and could help find robust solutions to the threats it poses.

NapierOne’s creators also believe it is generic enough to support many other fields of research that require a varied mix of common files.

Govdocs1

The most well-known publicly available data set used in malware analysis to date has been Govdocs1, now more than a decade old.

It was designed to help reproduce forensic research, but doubts have emerged about how well it reflects current usage, with some increasingly popular file types not being well represented.

And where there has been a lack of useful data sets available to researchers, they have often developed their own and have not distributed them when their work is complete.

In a new paper published in Forensic Science International: Digital Investigation, Edinburgh Napier PhD research student Simon Davies and senior computing academics Professor Bill Buchanan and Associate Professor Rich Macfarlane detail the creation of NapierOne as a complement to Govdocs1. 

Their research identified popular file formats for inclusion as they set about creating a data set containing more than 500,000 unique files distributed between 100 separate data sets and subsets.

The paper describes how specific file types were selected, how examples were sourced and how researchers are able to gain free, unlimited access to the data.

The authors see NapierOne as a starting point for an ongoing project which will grow and develop as other researchers provide additional data sets that can be incorporated into it.

Simon Davies said: “It is hoped that the adoption of the NapierOne data set into the implementation, development and testing lifecycles of new ransomware detection techniques will streamline and accelerate the development of more robust and effective detection techniques, allowing independent researchers to reproduce and validate proposed detection methods quickly.”

Associate Professor Rich Macfarlane said: “Ransomware has been around for many years – encrypting and deleting users’ files and demanding a ransom from the victim. It has become increasingly common and its sophistication has increased significantly, leading to it currently being the biggest cyber security problem globally.

“This work aims to provide a research data set allowing scientific rigour in research towards fighting the ransomware problem. The data set has been created and successfully used in our ransomware detection research.

“Containing over half a million unique files representing real world file types, it is broad and diverse enough to be used in a range of cyber security and forensic research areas.

“We hope the data set will have the same global research impact as the Govdocs1 work.”

Professor Bill Buchanan said: “There are few areas of cyber security that need more of a scientific base than in digital investigations, and thus there exists a need to make sure investigators have appropriate tools that have been verified and properly evaluated. This data set provides a foundation for researchers to prove their new methods, and thus further support innovation in the area.

“The UK is becoming an international leader in the field of safe technology – which involves the development of tools to support digital investigations and threat detection – and this research showcases the development of a strong scientific base.”

The top cybersecurity threats for 2022: and what businesses can do to protect themselves

As we enter into a new year, cyber crime continues to threaten businesses. Cyber attacks cost the global economy an estimated $6 trillion USD in 2021, and the costs are predicted to increase for 2022.

Since the beginning of the pandemic, hackers have been quick to exploit the growth in home working practices. Small businesses also reported an increase in attacks, and with 60% closing within six months of falling victim to a data breach, establishing a comprehensive cybersecurity strategy has never been more important.

Anthony Green, CTO and cyber crime expert at FoxTech, discusses what businesses should watch out for in the coming year: “In 2022, with many organisations implementing flexible working policies, and bringing personal devices into the office, it’s important to understand how cyber attackers might continue to exploit our changing working practices.

“It is often easier for attackers to breach home network devices, so when personal devices are being used to access company data at home, or brought into the office and connected to company networks, it can expose their system to hackers searching for vulnerabilities to exploit. With hybrid working policies expanding companies’ cyber risk, it’s vital to be aware of what the threats are, and how to prevent attackers gaining access.” 

To help businesses plan their cybersecurity strategies, FoxTech has put together a guide to the top predicted cybersecurity threats for 2022, and what organisations can do to protect themselves:

Ransomware

Ransomware was the defining force of cyber attacks in 2021. Hackers infiltrate a system, steal sensitive data and demand a ransom for its return. Ransomware attacks surged by 144% in 2021 from the previous year, and the problem is only expected to develop in 2022.

Anthony comments: “A spate of high-profile ransomware attacks in 2021 has led many organisations to review their cyber risk controls and implement more effective strategies against data loss.

“While this might make it more difficult for cyber criminals to mount traditional ransomware attacks in the short term, attackers are incredibly agile, so we are expecting their strategies to shift in the coming year.

“To prevent your business from falling foul of a ransomware attack, there are two things to consider:

  • Preventing an attacker from gaining network access – investing in an external security assessment is the most reliable way to discover your vulnerabilities. Cybersecurity experts can then configure your security tools to protect you from the latest methods of attack.
  • Catching an attacker before it’s too late – it can take months for an attacker to gather the data they need to demand a ransom. Working with an external, specialised cybersecurity company that can monitor your system and quickly alert you to any suspicious activity can be the difference between a minor incident and devastating financial loss.

“Constant systems monitoring – by someone who is aware of developments in attackers’ tactics – will be more important than ever, as cyber criminals are looking for new ways to circumvent security operations. Currently, businesses are subject to 10,000 attempted attacks a day, but it often takes months for hackers to infiltrate an organisation’s most well-protected data. Catching a threat straight away, and acting quickly to mitigate the effects of a breach, will prevent attackers from stealing enough sensitive data to deliver a ransom.”

Phishing

Over 75% of cyber attacks start with someone opening a malicious email. These emails are designed to extract data from the recipient, usually a password, which is used to gain further access to an organisation’s network. Once an account takeover has been successful, hackers are able to mount more sophisticated attacks.

So how can businesses protect themselves from phishing scams?

Anthony comments: “Security awareness training is essential. Only 14% of UK companies perform cybersecurity awareness training, but educating employees on how to spot phishing scams is crucial.

“Things such as shortened links, an impersonal address, or anyone asking for private information, can all indicate that an email is not legitimate, even if it appears to come from a trusted source.”

The NCSC provides free security awareness training available here: 

https://www.ncsc.gov.uk/training/top-tips-for-staff-scorm-v2/scormcontent/index.html

It is also imperative to set up Two Factor Authentication on email accounts and ensure the secure configuration of your email service.

Business Email Compromise Attack

In 2022, when so much business will be conducted through online conversations between remote workers, organisations need to be aware of business email compromise attack – also known as ‘conversation hijacking.’ These attacks are well-researched, and highly personalised, making them difficult to detect and very effective.

This kind of attack usually comes once access has been gained through a phishing attempt. A hacker reads through breached emails to learn as much as they can about business practice and payment details.

Next, they will use this information to craft seemingly authentic messages which can be sent to both employees and customers, with the aim of tricking them to transfer money or update their payment information.

“A scam that we are seeing more and more frequently is when a hacker impersonates an organisation’s CEO to redirect large payments to their own accounts,” says Anthony.

“Once this money has been lost, it is almost impossible to retrieve, so it really is crucial to prevent hackers gaining access in the first place – and to have your accounts frequently and carefully monitored by cybersecurity experts who can spot an intruder before the final attack has been mounted.”

Companies interested in finding out their cyber risk score can order this for free from FoxTech at foxtrot-technologies.com.

Why being hacked can be good for your business

Businesses are taking cybersecurity more seriously than ever. In 2021, executives ramped up their cybersecurity spending in response to the explosion of cyber-attacks exploiting lockdown remote working.

Despite this, the frequency and severity of security breaches has only increased, with small to medium businesses in the UK subject to an astonishing average of 10,000 attempted cyber-attacks a day.

Successful attacks breach sensitive data, and recovery can result in severe financial losses, sometimes millions of pounds, for affected businesses.

So, what is going wrong?

Cybersecurity experts agree that one of the biggest issues is that businesses are not spending their security budgets in the right places.

Anthony Green, CTO of cybersecurity consultants FoxTech, works to prevent cyber-attacks, and helps companies who have experienced a security breach: “What we are seeing is that usually, IT strategies fail when businesses don’t actually know what their weaknesses are – or indeed don’t realise they have any at all.

“Many companies believe their networks are secure because they have outsourced their IT or installed an anti-virus package. Unfortunately, this is like going on holiday and locking your front door, but leaving all your windows wide open – traditional security methods are not comprehensive, and hackers can easily find and exploit your remaining vulnerabilities.”

This is where ethical hacking, also known as penetration testing, comes in. Ethical hacking is when an accredited cybersecurity consultancy carries out a simulated cyber-attack against your computer system.

Penetration testers can identify exploitable flaws in bespoke software, carry out scenario testing to discover how incidents, such as a compromised DMZ host, impact on your security, and test your business’s response capabilities to attack or temporary vulnerability.

Anthony comments: “It’s impossible to take the right cybersecurity actions without knowing what your problems are. This is why penetration testing really is crucial. 

“Subjecting your IT infrastructure to ethical hacking by someone who isn’t going to steal your data is one of the best things you can do to prevent a real hacker gaining access. Initially, companies can find it hard to believe that hacking could ever be ethical, let alone good for their business – but it is the best way to find out exactly how vulnerable your business is to an attack.”

Once penetration testing has shown you where your weak spots are, and what methods hackers could use to exploit them, the next step is to fix, secure and block these paths to access.

Most companies’ current IT protection plans focus only on the last step – blocking access – without necessarily knowing exactly where that access is.

Any kind of vulnerability assessment like penetration testing provides an exciting opportunity to find out if your business and your data is properly protected from attack, and should be seen as an essential aspect of any good cybersecurity strategy.

Public urged to protect themselves from online sales scams

The UK government has urged the public to protect themselves from online sales scams through five actionable steps.

The public must be vigilant in protecting themselves from the threat of online scammers during the Boxing Day sales, the Government has urged today (26 December) after a year which saw a record number of cyber attacks and online scams.

Reports to Action Fraud, the national reporting centre for fraud and cyber crime, reveal that almost 100,000 people in the UK have fallen victim to online shopping fraud in the past 13 months – with over £60 million being reported lost, leading to this call to action for the public to take five simple steps to protect themselves and their families from fraudsters.

Traditionally, Boxing Day marks one of the busiest days on the high street for retailers, however in recent years more people have been shopping online – with Barclaycard estimating £2.7 billion was spent online by UK shoppers on Boxing Day 2020, an average of £162 per shopper.

The National Cyber Security Centre (NCSC) is encouraging people to shop online securely by following five actionable steps:

  1. Keeping accounts secure – strong and separate passwords should be used for the most important online accounts, including email, banking or payment accounts (such as PayPal). The NCSC recommends using three random words to create a password. Turning on two-step verification can add an extra layer of protection.
  2. Be aware of emails, text messages or websites that look too good to be true or suspicious – many scammers set up fake messages designed to steal financial and personal information. Members of the public can report suspicious messages to the NCSC via text to 7726 and email to report@phishing.gov.uk.
  3. Choose online retailers carefully – research stores before buying to confirm they are legitimate through trustworthy consumer websites. Some emails or texts about amazing offers may contain links to fake websites. If unsure, don’t use the link.
  4. Use a credit card for online payments if possible – most major credit card providers protect online purchases, and are obliged to refund individuals in certain circumstances.
  5. Only provide enough details to complete a purchase – only fill in the mandatory details on a website when shopping online (often marked with an asterisk).

Chancellor of the Duchy of Lancaster and Minister for Cyber Crime Steve Barclay said: “With a record number of cyber attacks this year, it is crucial we all take some steps to keep ourselves and our families safe from scammers while shopping online, particularly in the Boxing Day sales which have become a firm favourite for fraudsters.

“In the past year, government and police action has seen numerous convictions on cyber fraud, and we should all play our part to stamp out this terrible crime that can ruin lives.”

Paul Maddinson, Director of National Resilience and Strategy at the NCSC said: “Scammers will use any opportunity to try and trick the public and businesses into parting with their money so it’s really important that we all know how to protect ourselves.

“Whilst scams can be convincing, there are practical steps you can take to avoid falling victim to cyber crime which can all be found on the NCSC’s website.”

This warning against online scams comes alongside growing concern about the vulnerability of people’s personal technology. Hackers are targeting individuals’ applications and email accounts, gaining access to personal and financial information and exposing individuals to considerable risk.

As people receive new laptops and smartphones over Christmas, the risks are magnified. The government is also encouraging individuals to ensure that any new devices are protected to keep personal and financial information secure from hackers. However, these dangers are easily avoidable by adopting two key Cyber Aware behaviours:

  • Turning on two-step verification
  • Using three random words to secure your email accounts

For further guidance on how to stay secure online, visit www.cyberaware.gov.uk

Deepfakes: What you should know

What parents need to know about Deepfakes

Edinburgh Police Scotland and The City of Edinburgh Council’s Christmas wish is to #KeepXmasSafe for young people whilst online & keep parents & carers more informed.

Make sure that Cyber Security is top of your Christmas list

To paraphrase the Christmas song “It’s the most vulnerable time of the year.” Cyber criminals don’t take a holiday, so your chances of being a victim of a cyber attack can increase.  

Christmas holidays are a prime time for criminals to take advantage of. At this time of year, organisations will start to close and will be running with a heavily reduced staff count which can make organisations vulnerable.

Last Christmas Eve, the Scottish Environment Protection Agency’s digital systems came under attack. The attack knocked several of its key systems offline, causing major disruption to staff and making it difficult for them to do their work.

Does your current security strategy include a plan for cyber attacks during the holidays?

The benefits of having a business continuity plan are undeniable. When disaster strikes, getting business operations back up and running quickly is crucial. No business is immune to potential threats, no matter how big or small your organisation is.

Make sure you have taken all the necessary steps to secure your IT infrastructure ahead of time. From protecting your website and safeguarding your customer details to training your staff, it’s time to take a closer look at your organisation’s cyber security.

Take the time now to review your business continuity plan and know where you can seek advice and support should you need it.

Developing a plan

A Cyber Incident Response Plan is a set of instructions designed to help you prepare for, detect, respond to and recover from cyber incidents. Having a plan will outline the recovery process, so that everyone knows what is required of them during an incident. Each department in your organisation should understand the incident response procedure.

Our Cyber Incident Response Pack is an easy-to-follow guide to setting up a cyber incident response plan for your business. It has checklists, action plans, and template documents that you can use today. It will help you identify and prioritise your company’s most valuable assets, and it links to advice to help you keep them secure.

Regular back-ups

Ransomware has been a growing cyber security threat, and one which could affect any organisation that does not have appropriate defences. Ransomware is a type of malware that prevents you from accessing your computer (or the data that is stored on it). The computer itself may become locked, or the data on it might be stolen, deleted or encrypted.

You should perform a regular back-up of your systems and data, which will enable quick restoration of business functions. Importantly, having offline versions of your backups is your best defence, as you can wipe any encrypted devices and restore from your offline back up.

Read the NCSC’s blog on offline backups for more advice and how to defend your organisation from potential malware and ransomware attacks.

Keep all software up to date

All sorts of electronic devices can hold personal or financial data so it’s important to make sure you secure these devices with strong passwords and update the software regularly.

Companies fix any weaknesses by releasing updates. You should always make sure to install the latest software updates to protect your devices from vulnerabilities. Take some time to review your security settings on all your devices and make sure you’re protected against the latest threats.

Small Business Guide

The NCSC’s Small Business Guide and Small Charity Guide include simple steps you can take to protect yourself and your business from cyber security risks. Taking these steps will significantly increase your protection from the most common types of cyber crime.

By proactively addressing the cyber security in your organisation, you can enjoy the holidays knowing you have minimized any potential risks.

Who to contact for support

Organisations looking for support and advice can call the free Cyber Incident Response Helpline. This helpline can support organisations that have been a victim of an attack and provide expert guidance to get back to secure operations.

Call the helpline on: 01786 437 472

You can report cyber crime to Police Scotland by phoning 101

Heartbreaking: Britons lose £204.5 million to dating scams, hacking and more in past 12 months

  • The UK reports losses of around £204.5M over the past 12 months due to personal, digitally driven crimes
  • Almost 23,000 cases of fraudulent activity relating to plastic cards and online bank accounts have been logged since September last year
  • Alarmingly, 49% of Brits don’t know if their smartphone has security software installed, or have none at all

Following last week’s Twitch data leaks on 4chan, a new study reveals that the UK’s public has lost as much as £204.5 million to personal, digitally driven crimes in the past 12 months. Additionally, as many as 26 million British adults – 49% of residents over the age of 16 – report either not knowing whether their smartphone has security software installed, or having none at all.

App development company Bacancy Technology analysed statistics drawn from the National Fraud Intelligence Bureau (NFIB), focusing on crimes more likely to befall members of the public – such as dating scams, personal and social media hacking, computer viruses and banking app fraud.

The UK has filed a total of 60,297 reports of criminal activity dating back to September of last year, culminating in a total loss of £204.5M to the personal finances of British citizens.

Across the selected categories, cyber-assisted crimes involving cheque, plastic card and online bank accounts have seen the highest number of incidents, at 22,981 reported cases, with an overall personal financial loss of £102.3M – an average of £4,451 per case.

Social media and email hacking ranks second highest in the list in terms of the number of reported incidents, standing at 12,225 reports over the last 12 months. However, the high volume of cases is offset by an average loss per case of £204, amounting to a smaller overall financial loss of £2.5M.

With dating scams, it’s the opposite. A smaller number of reported cases (9,388 over 12 months) has resulted in Brits taking financial losses of £97,600,000 – with each individual case costing over £10,000 on average.

Ranking fourth and fifth on the list are reported crimes surrounding computer viruses/malware and personal hacking – which relates to hacked devices, rather than accounts. Despite a large number of reported incidents over the past 12 months (7,893 and 6,649 respectively), each of these crimes has resulted in smaller average losses per case, with figures under £100.

Top 5 personal digital crimes – UK, over 12 months (Oct ’20 – Oct ’21)

| Type of crime | Number of reported crimes | Reported financial loss (in GBP) | Average loss per case |
| --- | --- | --- | --- |
| Cheque, Plastic Card & Online Bank Accounts | 22,981 | £102,300,000 | £4,451 |
| Hacking – Social Media & email | 12,225 | £2,500,000 | £204 |
| Dating Scams | 9,388 | £97,600,000 | £10,396 |
| Computer Virus/Malware/Spyware | 7,893 | £348,400 | £44 |
| Hacking – Personal | 5,649 | £511,900 | £90 |

Despite the variety of security apps readily available on both the Apple and Android stores, around 26 million Brits – a total of 49% – may be at risk.

Further data drawn from an ONS survey shows that one in three Brits (32%) are unaware of whether their smartphones have security software installed, while almost one in five (17%, or nine million adults) reported not having security software of any kind – leaving them open to potential cyber-crime and fraudulent activity.

Do you have security software installed on your smartphone?

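| Response (%) | All | 16-24 | 25-34 | 35-44 | 45-54 | 55-64 | 65+ |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Automatically installed/provided with operating system | 40 | 39 | 46 | 36 | 44 | 37 | 38 |
| Installed/subscribed | 11 | 8 | 9 | 14 | 13 | 12 | 11 |
| Do not have smartphone security | 17 | 27 | 18 | 19 | 15 | 9 | 11 |
| Don’t know | 32 | 26 | 27 | 31 | 29 | 42 | 41 |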

Commenting on the findings, a spokesperson for Bacancy Technology said: “Recent events in the news have highlighted the importance of maintaining security over our personal data and finances.

“Even so, it seems that while the British public are aware of the potential dangers of online activities, many are failing to take steps to adequately protect themselves and their loved ones. Digital security is of the utmost importance, and everyone with a smart device should take necessary precautions to ensure their safety.”

This research was conducted by app development company Bacancy Technology, an exclusive hub of top software developers, UI/UX designers, QA experts and more, offering development services aimed at the creation of high-end, enviable applications.

UK reports £5.7m in cyber crime financial loss so far this year

  • From the start of 2021, the UK has reported a total of 14,883 instances of cyber crime, with total losses of £5.7m
  • Despite 90% of offences being made against the public, UK businesses have reported £1.9M of losses – a third of the total figure 
  • Offences involving hacking, social media and email account for 6.3k of reported incidents 
  • Primary targets for cyber crime appear to be tech-savvy individuals under 40 

British people and businesses have suffered financial losses of £5.7m from a reported 14,883 cyber crime incidents since the start of the year. 

The new study from click fraud prevention experts PPC Shield indicates that malicious hacking, fraudulent use of social media accounts and email scams are the most common form of cyber crime so far this year – accounting for 43% of all reported incidents since 1st January. 

Also in the high-ranking categories are reports of malware/viruses, personal hacking and extortion. 

Data compiled from the National Fraud Intelligence Bureau indicates that those under 40 reported the most incidents this year, at a total of 5,000. This suggests that scammers and hackers are predominantly targeting younger, more tech-savvy generations: those used to juggling multiple social media accounts, email addresses and banking apps.

Though cyber crime against corporate bodies only accounts for 10% of the UK’s reported offenses, their financial losses of £1.9M account for a third of the total figure.

Concerning the effects on victims of cyber crime – ONS data from the Crime Survey for England and Wales (CSEW) indicates that 72% of those affected by cyber crime expressed that they had been emotionally affected by their experiences, with almost a third stating a moderate to severe impact as a result of the offense – predominantly annoyance and anger. 

A further 1 in 10 individuals experienced emotions such as anxiety, depression, fear or difficulty sleeping. 

Despite the personal nature of the crimes, 81% of offences were committed by an individual person (as opposed to a group) that was not known to the victim.  

Concerning the tools used to commit cyber crime, malware (software designed to cause damage to a computer, server, client, or network) is at its lowest point since 2007, according to Google’s Transparency Report. In contrast, phishing websites – which seek to gain passwords, credit card numbers and other private information without the use of applications – have seen an increase of more than 750% since 2007.  

In all cases of cyber crime that resulted in financial loss, one in three individuals discovered the offence through communications from their bank, building society or other financial institution. 

Including non-cyber assisted fraud, the UK has logged 253,736 reports that equate to total financial losses of £1.2bn this year. Health minister Lord Bethell has previously commented on the rise of phishing scams conducted over the course of the COVID-19 pandemic, with an increase in fraudulent text and calls to mobile phones, with individuals posing as bank employees, HMRC and even the NHS charging for fake COVID tests and track & trace. 

A spokesperson for PPC Shield comments: “With the internet such an essential part of our daily lives, taking care online and using robust security measures are of utmost importance.

“Always be aware of what you are clicking on, and be especially wary of phishing sites and emails sent from companies or individuals that you are not familiar with.” 

The analysis was conducted by PPC Shield, which enables brands and businesses to optimize their online ad campaigns by filtering out and blocking fraudulent clicks to ensure an advertising budget is not wasted. 

www.ppcshield.io