Naming and Shaming of Companies With Poor Cyber Security
A report from the Cyber Security Research Group and the Policy Institute at King’s College London has suggested that the government could help combat high cyber-crime levels by naming (and shaming) companies with poor cyber-security.
Who?
The Cyber Security Research Group at King’s College London brings together experts with backgrounds in international relations, security studies, strategic studies, intelligence, public policy, informatics and computer science in order to promote better research into cyber-security. The other research partner in this case, the Policy Institute at King’s College London is an independent research institute focusing on using evidence and expertise to tackle societal challenges.
Cyber-crime Levels
The report argues that the finding of the government’s 2018 data breach survey, that 4 in 10 businesses experienced a cyber-security breach or attack in 2017-18, should be grounds for enabling the public to see what steps companies are taking (or not taking) to keep users safe online and to protect their data.
Championing The ACD Programme
The report also champions the government’s Active Cyber Defence (ACD) programme, which was developed by the National Cyber Security Centre (NCSC) for the public sector, as something that could bring benefits if rolled-out to the private sector too, and/or if at least the tools and techniques of ACD could be extended beyond the public sector.
The report points to the relative success that ACD has had in bringing about a fall in scam emails from fake government addresses, and in shutting down thousands of “phishing” sites that pose as government agencies in order to steal users’ personal information. Symantec figures, for example, show that phishing rates have increased across most industries and organisation sizes. In this latest report, Tim Stevens, convenor of the Cyber Security Research Group at King’s College London, notes that, according to his research findings, ACD could be rolled out beyond the public sector legally, cheaply and efficiently, with few obstacles, and could help to tackle phishing. The report therefore urges non-public sector organisations to engage more actively with the NCSC in order to deploy ACD as a tool to better tackle cyber-crime in the UK.
According to the National Cyber Security Centre (part of GCHQ), the ACD programme can be used to tackle cyber attacks in a relatively automated and scalable way. Last February, when the NCSC published its Active Cyber Defence programme figures, they showed that the UK’s share of visible global phishing attacks had dropped from 5.3% (June 2016) to 3.1% (Nov 2017), that 121,479 phishing sites hosted in the UK had been removed, and that 18,067 sites worldwide that were spoofing UK government sites had been removed as a result of the ACD programme.
What Does This Mean For Your Business?
Reputations are valuable and vitally important to businesses, as should be cyber-security defences, and making sure that strong data protection measures are in place is critical. With this in mind, the idea that there could be a public naming and shaming of companies with poor cyber-security could be one way to incentivise action to be taken to bring about improvements and contribute to the tackling of cyber-crime across the private as well as the public sector.
The NCSC, for example, has been working with companies for some time through the ACD programme to help them protect their customers. For example, the NCSC launched a collaborative online platform where BT has been able to share its threat intelligence data with other UK ISPs, and the NCSC has offered support to BT to help strengthen its security and block malware infections.
As acknowledged, however, in the Cyber Security Research Group and the Policy Institute at King’s College London report, ACD is not a finished product but a work in progress, and it is not a single entity, amenable to simple, one-off deployment. Also, a government programme that is extended to the private sector could face suspicion as being perhaps a way of the government scanning and collecting data about private organisations. For this reason, the CSRG and King’s College London Report recommends perhaps putting a buffer between the government’s intelligence community and third parties in the form of regulatory authorities in each sector e.g. the Charity Commission in the third sector.
In reality, effective cyber-security comes from a large number of factors working together, including education and training as well as deploying relevant technologies, but the figures from the success of the ACD programme so far show that it, or tools based upon it, could have real value as part of a number of measures that could help reduce cyber-crime for private as well as public sector organisations.
Tech Tip – Phishing Quiz
Identifying a phishing attempt may be harder than you think and being able to spot one is an important part of maintaining your cybersecurity defences in the modern business environment. Here’s a little phishing quiz from Google that can help you to spot the signs that can enable you to tell a real email from a phishing email.
Go to https://phishingquiz.withgoogle.com/
Click on ‘Take The Quiz’.
Tech Tip – Make Text Bigger!
Even though Windows 10 has scaling options that can make things generally easier to see, you may want to keep the screen resolution how you like it but also have the ability to make fonts much bigger. The Windows 10 October update added a separate control for scaling the size of fonts. Here’s where to find it:
– Go to Settings > Ease of Access > Display to make text bigger.
Over Half Of Us Will Buy Food Online By 2021
A study by Capgemini has found that more than half of UK consumers will order their groceries from online retailers by 2021.
40% Now
The study found that a massive 40% of customers already do their grocery shopping online, and that 43% of customers shop for food online at least once a week.
Big Issues Around Delivery
The study also revealed some big issues that customers had around the subject of delivery.
For example, even though 59% of customers said that they are not satisfied with current high delivery prices, only 1% of retailers are willing to cover full delivery costs for shopping.
Also, nearly half of the consumers surveyed said they would stop spending with a retailer if they had a bad delivery experience. On the upside, 53% of customers said that if they had a good delivery experience with a brand, they would be willing to pay for a membership if it meant that they could keep having good delivery experiences in the future.
The study also showed that 65% of customers are finding greater satisfaction in using delivery services other than traditional supermarket retailers e.g. Ocado and Google Express. In fact, 64% of those surveyed said they didn’t care whether their products were delivered by a brand or by a third party, and some of those surveyed said they’d even deliver products to their nearby neighbours in return for an incentive from the retailer.
The ‘Last-Mile’ Cost
One of the big problems that retailers face in delivering groceries is the so-called ‘last mile’. This is the movement of goods from a transportation hub to the final delivery destination (i.e. your home), and this part of the supply chain accounts for 41% of the overall delivery cost for retailers. This may explain the reluctance of retailers to cover full delivery costs for shopping, as shown by the survey.
Disconnect
The study also highlights a disconnect between the expectations of customers and retailers. For example, although customers appear to place a high value on low delivery costs, only 30% of retailers think this is important. Also, whereas a massive 73% of customers want to choose a convenient delivery time slot for goods, only 19% of retailers regard this as a priority.
What Does This Mean For Your Business?
There is no doubt that many of us are now used to (and prefer) online shopping for many things, including groceries, and if, as the study shows, even more of us are going to be doing our grocery shopping online going forward, grocery retailers are faced with several challenges in order to meet rising customer expectations and retain loyalty. For example, retailers will need to be able to provide last-mile delivery services that customers value, without damaging their own profitability. Also, retailers need to take more notice generally of issues around delivery that customers really value e.g. offering convenient delivery time slots/methods for goods, and minimising delivery costs to customers.
One thing the study has indicated is that customers may even be willing to try new delivery ideas, and even pay more if they can be assured of consistently better delivery experiences. With this in mind, and with customer numbers rising, grocery retailers are likely to invest more in automating warehouse and product sorting to reduce costs and to embrace new things such as machine learning and automation technology to make the supply chain more efficient.
Windows 7 Activation Errors A Coincidence Says Microsoft
Just after the January update on 8th January, Windows 7 users began to experience activation errors, but Microsoft put the issues down to coincidence, despite admitting that it had reverted changes made to activation servers in the update in order to fix the problem.
What Is An Activation Error?
Windows Activation Technologies are used by Microsoft to help confirm that the copy of Windows 7 that a user is running on their computer is genuine. For example, the activation key is a 25-character code that is located on the Certificate of Authenticity label or on the proof of license label, and the validation feature of Activation Technologies is the online process where users must verify that the copy of Windows 7 they’re running on their computer is activated correctly and is genuine.
An activation error, therefore, is when a user’s system wrongly notifies them that their copy of Windows is not genuine.
Which Update?
On 8th January, there was a monthly ‘Rollup’ security update for Windows 7 Service Pack 1, and Windows Server 2008 R2 Service Pack 1. The update was designed to improve and fix certain issues with Windows 7 e.g. fixing a vulnerability known as ‘Speculative Store Bypass’, and adding security updates to Windows Kernel, Windows Storage and Filesystems, Windows Wireless Networking, and the Microsoft JET Database Engine.
Coincidence?
According to Microsoft, the fact that users received “Windows is not genuine” and “Your computer might be running a counterfeit copy of Windows” notifications at the same time as the January updates (KB4480960 and KB4480970) were introduced was simply a coincidence. Despite describing it as such, the problems were listed in a table of “known issues in this update” on Microsoft’s support pages.
Reverted The Change
Microsoft announced on 9th January that it had fixed the issue by reverting the change that was made to Microsoft Activation and Validation servers.
What Does This Mean For Your Business?
For many Windows 7 users, the change meant a day of disruption on the Tuesday of the first full week back after the Christmas and New Year break. For many of these users however, this appears to be one more in a long line of incidents, nudges and pointers that look like they’re designed to encourage them to finally make the switch over to Microsoft’s Windows 10 and its SaaS model. Microsoft ended its mainstream support for Windows 7 on January 13th, 2015, and the extended support will only continue until January 14th, 2020, after which time Microsoft says on its website that users can “keep the good times rolling by moving to Windows 10”.
Reddit Locks Out Users Over Security Concerns
Online community Reddit shut some users out of their accounts and forced password resets due to “unusual activity” which may have been a ‘credential stuffing’ attempt by hackers.
California-based Reddit, founded in 2005, is a kind of social network / online community. Reddit, which is the fifth most popular site in the United States (Alexa figures), is split into over a million communities called “subreddits”, each one covering a different topic. Reddit allows registered members to submit content to the site, and that content is voted up and down by other members.
What Happened With The Lockdown?
According to Reddit’s own reports, a large group of accounts had to be locked down due to a security concern which took the form of account activity that resembled someone using very simple passwords or the reuse of credentials across multiple websites or services – in other words, a credential-stuffing attempt.
Reddit’s admin known as “u/Sporkicide” reported that it appeared likely that a list of usernames and passwords, possibly taken from another compromised site, was being tried against other popular sites, including Reddit, to see if they work, i.e. whether a user had used the same username and password for multiple websites.
Reddit advised customers that those with locked accounts would be allowed to reset their passwords and thereby unlock and restore their accounts. Reddit said that the prompt to do so would be a notification to the account (affected customers could still log in to get it) and/or an email to any support ticket raised by affected users.
Not The First Time
Back in August 2018, Reddit reported that between June 14th and June 18th an attacker compromised some employee accounts through their cloud and source code hosting providers and was able to access some user data, including email addresses and a complete 2007 database backup containing old passwords and early Reddit user data from the site’s launch in 2005 through May 2007.
Advice
As well as announcing that it was conducting a “painstaking investigation” of the incident, Reddit advised users to make sure that they choose strong passwords that are unique to Reddit, update their email addresses to enable automated password resets, and add two-factor authentication to their accounts to make them more secure.
What Does This Mean For Your Business?
This story highlights the importance of not using the same username and password across many websites. The danger is that, if hackers can steal login credentials in a hack on one website, they or other attackers who have purchased / acquired the stolen data may well try to use that login data on many other popular websites to try and gain access.
Also, where other security measures such as two-factor authentication are available, they are worth using as an extra obstacle to the kind of simple, opportunistic credential-stuffing attempts that are all too frequent.
Businesses / organisations should always encourage users to use login details that are unique to their website, give visual guidance on password strength on set-up, and specify a certain number of required characters for passwords e.g. including a capital letter, numbers, other special characters, and making the password a certain length. As well as being a bit more secure, this can also help to stop people from using exactly the same password between multiple sites.
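The activity Reddit describes, a leaked list of credentials being replayed against its login, has a recognisable shape in authentication logs: one source trying many different usernames in a short window, with most attempts failing, which is quite unlike a single user mistyping their own password. The following is an added example written for this article, not Reddit’s code or any product’s, showing how a site operator can flag that pattern and collect the accounts that succeeded during the burst (the ones to force a password reset on, as Reddit did). The log format, the sample lines, the source addresses and the thresholds are all constructed for the example.

```python
"""Heuristic credential-stuffing detector over constructed auth-log lines.

Added example, not Reddit's own code. Assumed (hypothetical) log format:
    <ISO timestamp> <source IP> <username> <OK|FAIL>
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: 203.0.113.5 sprays six different usernames in
# three seconds (one succeeds); 198.51.100.7 is a real user retrying.
SAMPLE_LOG = """\
2019-01-09T10:00:01 203.0.113.5 alice FAIL
2019-01-09T10:00:02 203.0.113.5 bob FAIL
2019-01-09T10:00:02 203.0.113.5 carol FAIL
2019-01-09T10:00:03 203.0.113.5 dave OK
2019-01-09T10:00:03 203.0.113.5 erin FAIL
2019-01-09T10:00:04 203.0.113.5 frank FAIL
2019-01-09T10:00:10 198.51.100.7 alice FAIL
2019-01-09T10:00:40 198.51.100.7 alice FAIL
2019-01-09T10:01:20 198.51.100.7 alice OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_stuffing(log_text, window_seconds=60, min_distinct_users=5,
                    max_success_ratio=0.5):
    """Return {ip: stats} for every source that, inside some sliding window of
    window_seconds, tried at least min_distinct_users different usernames with
    a success ratio at or below max_success_ratio (thresholds are assumptions).

    stats holds the widest qualifying window: distinct_users, attempts,
    successes and accounts_to_reset (usernames that logged in during the burst).
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()                      # oldest first
        best = None
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            users = {u for _, u, _ in window}
            successes = sum(1 for _, _, ok in window if ok)
            ratio = successes / len(window)
            if len(users) >= min_distinct_users and ratio <= max_success_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(window),
                        "successes": successes,
                        "accounts_to_reset": sorted(
                            u for _, u, ok in window if ok),
                    }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

Keying on distinct usernames per source rather than on raw failure counts is what separates stuffing from an ordinary lockout: the legitimate user at 198.51.100.7 fails twice and is never flagged, while the spraying source is caught even though one of its guesses worked. In production the same logic would run over real logs, the thresholds would be tuned to the site’s traffic, and the `accounts_to_reset` list would feed the forced-reset and notification step described above.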