A study by security firm ‘Proofpoint’ has revealed that 82 per cent of UK organisations whose systems were infected by ransomware in 2021 opted to pay the ransom.

Much Higher Than The Global Average 

Despite cybersecurity and government agencies warning against paying, Proofpoint’s ‘2022 State of the Phish’ report states that this UK figure for 2021 is the highest in any region surveyed and is 40 per cent higher than the global average.

Phishing Attacks & Ransomware 

Phishing attacks are one of the main ways that criminals deliver ransomware (and other malware) or direct victims to a site where they download the ramsomware that allows criminals to access their networks. Proofpoint’s report showed that more than three-quarters of organisations (78 per cent) saw email-based ransomware attacks in 2021 and 91 per cent of UK organisations reported facing bulk phishing attacks in 2021. In fact, In the first three quarters of 2021, 15 million phishing messages with malware payloads were linked to later stage ransomware. For example, these malware families included Dridex, The Trick, Emotet, Qbot, and Bazaloader.

Why Not Pay? 

The National Cyber Security Centre (NCSC) states that “even if you pay the ransom, there is no guarantee that you will get access to your computer, or your files” and that “occasionally malware is presented as ransomware, but after the ransom is paid the files are not decrypted. This is known as wiper malware.” 

Also, organisations that pay the ransom will still have infected computers, will be paying criminal groups allowing them to continue and bring suffering to others, and it makes organisations that are known to pay to be more likely to be targeted in the future.

What Does The Survey Say Happened To Those Who Paid? 

As the Proofpoint study showed, 60 per cent of organisations chose to at least negotiate with the attackers, and 82 per cent paid.  However, despite advice against paying, only 4 per cent of those organisations who paid a ransom were unable to retrieve their data. This is likely to be either because the key didn’t work properly, or the attackers had simply made off with the money.

Is No Backup A Reason To Pay The Ransom? 

It would seem logical that a lack of an effective back up may be a reason why organisations would pay a ransom. A report by cyber security company Emsisoft (2020), however, showed that some victims of attacks have been capable of restoring their networks from backups but have still opted to pay the ransom.

It should also be noted that one tactic that ransomware attackers often use is to threaten to publish an organisation’s data if the ransom isn’t paid.

Protecting Your Business From Ransomware Attacks 

Ways in which businesses can protect themselves from falling victim to ransomware attacks include:

– Educating staff about the risk of phishing emails and emails carrying malware, how to spot phishing/suspicious emails, and to never open emails that appear suspicious.

– Make regular backups of the most important files, keep them off-site (e.g., the cloud) and make multiple copies of files using different backup solutions.

– Make sure that the devices containing the backup are not permanently connected to the network, scan backups for malware before files are restored, and regularly patch products used for backup.

– Stop malicious content reaching company devices – e.g. by filtering to only allow file types you would expect to receive, blocking websites known to be malicious, actively inspecting content, and using signatures to block known malicious code.

– Prevent attacks via Remote Desktop Protocol (RDP), or unpatched remote access devices by disabling RDP if it’s not needed, enabling MFA at all remote access points into the network, using a VPN, and patching known vulnerabilities in all remote access and external facing devices.

– Prevent malware running on devices – e.g. by centrally managing devices to only allow trusted apps and disabling or constraining scripting environments and macros.

– Plug vulnerabilities in devices – e.g. by installing security updates as soon they are available and enabling automatic updates for operating systems, applications and firmware.

What Does This Mean For Your Business? 

Making sure there are strong security measures in place (particularly where email is concerned) and checking data is definitely being backed up securely on a regular basis (and that it is accessible when needed) can help towards effective ransomware protection. Attackers can pressurise businesses into paying (e.g. by threatening to destroy and/or publish data), and an attack may simply come at a bad time for a business where a long disruption could seem less costly than paying. The fact is, however, that paying may not guarantee the return of data and may make a business more likely to be attacked again because they paid. Ultimately, businesses will, as the stats show, make their own decisions, but by their very nature, attackers can’t be trusted and paying now could lead to even bigger problems later, and will fuel the continuing cycle of attacks for others too.

With reports that Microsoft Edge is about to beat Safari to become the second most-popular browser, we take a brief look at what different browsers have to offer.

Google Chrome  

The most popular browser with a 65.38 per cent share of the market, Google Chrome is supported by Windows, macOS, Linux, Android, iOS. Its popularity may be closely linked to Google’s long-running effectiveness in terms of the quality of its search engine results.  Some of its best features include the extensions and add-ons, the autofill features, cross-platform support and sync, and live captions. It also has some powerful security features – blocking dangerous mixed content (scripts an images) and warning if email has been compromised. Some tech commentators point to its main downside being that it can be resource (memory) hungry.

Microsoft Edge

Edge is supported by Windows, macOS, Android, iOS, (with Linux coming soon), and bundled as part of Windows. With Chromium at its core, it is fast, has good privacy and security measures, some useful add-ons (e.g. password manager) and plenty of customisation options. It also has an “Install this site as an App” feature to allow a site to be installed as an app on the desktop with a shortcut so it can work as an app, and not a browser tab or window. One of the main criticisms of Edge is that it keeps asking to be the default.

Safari  

Safari, now almost the second most popular browser (already the most popular for iPhone and iPad) is fast, works well with Apple devices, and has a clean look that users like. Also, its Handoff feature allows users to continue a browsing session between different Apple devices and it offers some good privacy protection features, such as  Privacy Browsing mode and a Privacy Report tool that uses machine learning. Some of the more popularly voiced disadvantages include the fact that it’s only for Apple now, it has limited synchronisation options and a limited choice of extensions, customisation options are limited, there are few software updates, and some security measures may be lacking, e.g. notifying users whenever they access unencrypted web pages.

Opera  

Supported by Windows, macOS, Linux, Android, and iOS it is Chromium-based so it is fast and allows add-ons from the Chrome library. Opera also has built-in ad blocker, a built-in VPN, a crypto wallet, and supports integrated apps like WhatsApp and Facebook Messenger. Disadvantages may be that it’s not as fast as Chrome, it’s not as clean and uncluttered as Chrome or Edge, and it may be lacking some features like social media sharing tools.

Firefox  

Mozilla Firefox is fast (just behind Chrome) and has good built-in security tools such as Google safe browsing, a native pop-up blocker, excellent levels of support and warnings about whether there is SSL or TLS encryption on a website. Firefox also offers add-ons or browser extensions. Its disadvantages may include its system requirement requires a lot of resources, plus it has experienced a decline in recent years which may lead some to question its longevity.

Some Privacy-Focused Browsers….  

DuckDuckGo  

DuckDuckGo is a privacy-centred search engine / privacy browsing app, which is available as a download for mobile devices and as a Chrome extension. DuckDuckGo retains a user’s privacy by not saving the user’s browser history, forcing sites to use encrypted connections, blocking cookies and trackers (including ‘hidden trackers’ before they load), and by stopping a user’s searches being sold to third parties for profiling and advertising. It also uses Smarter Encryption which utilises a list of millions of HTTPS-encrypted websites, which has been generated by continuous crawling the of the web instead of crowdsourcing, thereby keeping it current.

Epic

This is another privacy and security focused browser gaining in popularity that blocks ads, trackers, fingerprinting, crypto mining, ultrasound, signalling, and offers free VPN (with servers in 8 countries).

Tor  

Tor (short for ‘the onion router’) is a browser that uses a distributed network (randomly selected nodes) to anonymise the user’s IP address. Tor encrypts traffic and makes it very difficult for a user’s web traffic to be traced or for users to be tracked unless they reveal their IP address by enabling some browser plugins, downloading torrents, or opening documents downloaded using. Although it’s good for avoiding censorship (among other things), Tor is, however, used to access the Dark Web.

Brave  

Brave is another privacy-focused browser that is fee, open-source, and based on Chromium. It blocks ads and trackers and allows users to use a Tor in a tab to hide history, and masks location from the sites a user visits by routing a user’s browsing through several servers before it reaches its destination.

What Does This Mean For Your Business?  

Chrome is still by far the most popular browser and how it links up with Google’s other suite of useful tools (e.g. analytics and AdWords), means that it’s likely to be widely used by most UK businesses and organisations. Edge has adopted Chromium and, as such, is a big improvement on Explorer, but Safari seems to be gaining in popularity, fuelled by the popularity of Apple devices. At a time when privacy and online protection is valued more than ever, some organisations may be looking at the value of more privacy-focused browsers for certain tasks and situations e.g., DuckDuckGo, just as they value the encryption privacy of apps like WhatsApp. The browser battle is always ongoing and although Google’s Chrome is far ahead, there is closer competition behind which gives today’s users more choice.

If the Online Safety Bill is passed in its current form, it could mean that the main social networks will be forced to filter out any unverified accounts.

One Of Two New Duties Added To The Bill 

Last Friday, the government published details on its website of two new duties to its Online Safety Bill that are designed to strengthen the law against anonymous online abuse and protect people from online trolls. The first of the two new duties will force large, popular social media sites (‘category one’ companies with the largest number of users and highest reach) to give adult users the ability to block people who have not verified their identity on a platform.  The large social media companies have been singled out because the government says they pose “the greatest risk”.  The government says that the big social media platforms must now offer ways for their users to verify their identities and control who can interact with them.

How? 

The government’s suggestions for how this could be done include:

– Users ticking a box in their settings to receive direct messages and replies only from verified accounts.

– The platform providing users with an option to verify their profile picture to ensure it is a true likeness.

– The use of two-factor authentication where the platform sends a prompt to a user’s mobile number for them to verify.

– People using a government-issued ID such as a passport to create or update an account.

Why? 

The government says that too many people currently experience online abuse, and that anonymity may be fuelling this, with offenders having little to no fear of recrimination from either the platforms or law enforcement.

Examples include England’s Euro 2020 footballers suffering racist abuse, female politicians receiving death and rape threats, and ethnic minorities and LGBTQ+ people being subject to coordinated harassment and trolling.

The Responsibility Of Tech Firms 

Digital Secretary Nadine Dorries said of the new duties in the Bill:

“Tech firms have a responsibility to stop anonymous trolls polluting their platforms” and “people will now have more control over who can contact them and be able to stop the tidal wave of hate served up to them by rogue algorithms.” 

The Second New Duty 

The second of the two new duties added to the bill will require platforms to provide users with options to opt out of seeing harmful content. This duty has really been introduced to the bill to help tackle a growing list of toxic content and behaviour on social media which falls below the threshold of a criminal offence, but which still causes significant harm. This includes, for example, racist abuse, the promotion of self-harm and eating disorders, and dangerous anti-vaccine disinformation.

The government has suggested that this could be achieved by the larger social media platforms making available settings and functions where users can choose whether they want to be exposed to any legal but harmful content where it is tolerated on a platform.

What Does This Mean For Your Business? 

With the government hoping to introduce the (draft) bill as law soon, and with social media platforms very much in their sights, the ‘category one’ companies are unlikely to be surprised by these extra responsibilities that it would be hard to argue against, in theory.  It has not yet been decided, however, which methods the household-name platforms will provide to be compliant (e.g., settings tick boxes and filtering tools). Also, the Bill would not stop people making anonymous accounts and posting abuse but would force the social media platforms to give users the option to opt out of not seeing material posted using unverified accounts. The sanctions that come with the bill (i.e. imposing criminal sanctions on named tech executives) also look unlikely to actually be imposed for another 2 years ‘grace period’. All in all, measures that reduce the ability of online trolls and those spreading hate to reach their victims must be a good idea in principle and it now remains to be seen what else may be added to or removed from the bill before it comes into force in the next few months.

If you need to use the “Remove everything” option to reset a Windows device, and don’t want to leave any data behind (a known current issue), here’s the latest workaround from Microsoft:

In this article, we look at what the ‘quantum apocalypse’ is, and what businesses are doing to prepare for this threat.

What Is The Quantum Apocalypse? 

The so-called ‘quantum apocalypse’ refers to the unspecified point in the future where someone (e.g., threat actors or a foreign power) has a functioning quantum computer that can break the kind of encryption that we trust to secure our data, transactions, and communications. This vision is apocalyptic because it would mean that this quantum computer could be used to shut down government defence systems, clear bank accounts, clear Bitcoin wallets, create financial chaos, and access all manner data and communications systems. In terms of national, enterprise, and personal security, this scenario (which is a real possibility) could really be apocalyptic and especially for those agencies, businesses, and organisations that have a legal responsibility to hold and store our data.

What Is A Quantum Computer? 

A Quantum computer can carry out complex calculations at high speed. Whereas traditional computers store data in binary ‘bits’ (ones and zeros) and work by creating and storing long strings of these ‘bits’, quantum computing’s ‘qubits’ (quantum bits) can do both at once. This is because a qubit can hold a zero, a one, or any proportion of both zero and one at the same time, and an array of qubits can use something called ‘superposition’ to represent all 2^64 possible values at the same time. This means that information can be processed much more quickly than with a traditional computer.

Dramatically Speed Up Complex Tasks 

The fact that Quantum computers can store so much more data in fewer bits, means that in addition to being able to solve extraordinarily complex problems, they can do so at high speed. Quantum computers can be used, for example, to dramatically speed up tasks that have traditionally taken a long time, such as finding new drug molecules.

The results can be astounding, where crunching numbers that would take a classical computer a week, could take a quantum computer less than a second. For more information (and examples like this), there are some interesting take-aways from IBM at: https://www.ibm.com/quantum-computing/what-is-quantum-computing/ .

The Risk And The Fear 

The fear is, however, that although the rate of improvement in quantum computing has slowed in recent years, over time they are still likely to become many times faster than today’s machines. This raises the possibility that the world could be caught off guard by someone developing a quantum computer that could render most known methods of encryption useless. This risk has been taken very seriously for several years now. For example:

– In 2015 in the US, the National Security Agency (NSA) warned that progress in quantum computing was at such a point that organisations should deploy encryption algorithms that can withstand such attacks from quantum computers.

– In November 2018, security architect for Benelux at IBM, Christiane Peters, warned of the possible threat of commercially available quantum computers being used by criminals to try and crack encrypted business data.

How Are Businesses Preparing To Mitigate The Threat? 

Having known about this threat for some time, many global businesses in the financial and tech sectors have been taking ‘quantum-proofing’ measures to protect themselves and their stakeholders. Examples of how businesses have been preparing include:

– Former IBM engineer, now head of the Future Lab for Applied Research and Engineering (FLARE) at JPMorgan Chase, Marco Pistoia, has been helping the financial giant to develop quantum key distribution (QKD) that works effectively over distances. This hybrid technology can boost security for financial transactions and guard against quantum hacks. JPMorgan Chase is also working with the US National Institute of Standards and Technology NIST to provide recommendations about the algorithms to use.

– NIST is itself working to develop a standardised defence strategy that would be able to protect industry, government and academia as well as America’s critical national infrastructure.

– Google, Microsoft, Intel, and IBM are reported to be working on solutions. These companies are well-placed to develop solutions that could provide security against the known quantum threats. For example, IBM has been involved in quantum computing for some time and has opened a Quantum Computation Centre in New York bringing online (and making accessible via the cloud) the world’s largest fleet of quantum computing systems for commercial and research activity that exist outside of experimental lab environments. It also appears (from a paper briefly published to a NASA website) that Google has already achieved ‘quantum supremacy’ by making a quantum processor that can complete a task in 200 seconds, which would take a regular state-of-the-art supercomputer approximately 10,000 years to perform.

– Specialist companies like Quantinuum and Post-Quantum are already offering solutions. For example, Post-Quantum, which describes itself as “the only source of usable quantum-safe solutions” offers software products to guard against the risk and says it “began solving the post-quantum encryption challenge back in 2009”. The company also authored the Internet Engineering Taskforce (IETF) standards for a post quantum Virtual Private Network, which is being trialled by NATO.

What Does This Mean For Your Business? 

Quantum computers offer so much promise in enabling governments, businesses, and organisations to solve complex problems in a mere fraction of the time that normal computers can. It is a very real risk, however, that this power, in the wrong hands could be weaponised and used to crack the encryption that the world trusts and relies upon. The race is on, therefore, to create powerful algorithms that can stand up to attacks from quantum computers. With grand names like post-quantum cryptography / quantum-proof cryptography, and quantum-safe / quantum-resistant cryptographic (usually public-key) algorithms, these are the next generation of protection for businesses everywhere. Although it seems a long way off, the evidence is that the threat is real and the development of these algorithms and other solutions yet to come are likely to play a vital role in protecting us all from the threat of the so-called ‘quantum apocalypse.’

Insurer Aviva has highlighted how accidental damage caused by VR headset-wearing gamers caused a 31% jump in home contents claims in 2021.

Average of £650  

Aviva reports that the average VR-related claim for accidental damage in 2021 was about £650, for example for TVs that have been broken in the real world after gamers, immersed online (e.g. within the Metaverse), became overenthusiastic. Although there has been a 31 per cent jump in claims last year in VR headset-related home breakages, Aviva reports that there has been a 68 per cent overall increase since 2016.

More Expected This Year 

Aviva has also said that with many people in the UK having acquired VR headsets for Christmas, it is likely that there will be even more such claims in 2022.

What Kind Of Damage? 

On Aviva’s twitter account, the company highlighted punched ceiling fans, broken furniture and smashed lighting as the kind of household damage caused by people wearing VR headsets. Aviva’s tweet on the subject, which linked to a Guardian article, came with the advice “If you have a VR headset, take care.” 

Injuries Too 

Some specific examples of real-life injuries caused when people are wearing VR headsets can be found on the Reddit feed (subreddit) https://www.reddit.com/r/VRtoER/ where people have shared their painful (video and photo) experiences. These include injured hands from hitting a desk, children getting accidentally hit, and accidentally falling and headbutting the TV.

In the recent Guardian article linked from Aviva’s tweet, Aviva’s UK property claims director, Kelly Whittington, explained that as new games and gadgets become more popular, this tends to be reflected by a rising number of claims relating those gadgets, as happened with handsets, fitness games and rogue fidget spinners. Whittington is quoted as saying that “These devices can be a great source of fun, but we’d encourage people to be mindful of their surroundings and take a look at their home insurance to make sure it suits their needs,” and recommends that users should consider adding accidental damage cover to their home insurance plan.

What Does This Mean For Your Business? 

With VR headsets increasing in popularity and Meta’s (Facebook’s) ‘Metaverse’ on the way, Aviva’s figures have highlighted both a risk to health and property, and a financial risk to home and business users of VR headsets. For businesses where VR headsets are used (e.g., tech and entertainment/experience businesses), it highlights an area for legal concerns as well as the need for additional insurance cover e.g., damage and/or injuries resulting from staff or customers having a VR headset-related accident. For insurance companies, the VR headset trend will mean the need for policy reviews to address the situation and could mean additional revenue from more people taking out accidental damage cover. Also, insurance companies may have to investigate and perhaps pay out more on such claims. VR headset manufacturers may also need to add more warnings and may introduce product safety innovations to help prevent injury and breakages from occurring.