Cyber security and IT professionals of a sensitive disposition – look away now.
This month brings us a story where a healthcare giant overlooked basic security protocols with devastating consequences for patients. There’s also the all-too-familiar tale of highly concerning hacks swept under the carpet by organisations presumably fearing reputational damage.
Another day, another cyber security blunder… Hackers have been going for the big guns recently, with the MOD, the BBC and online ticketing giant Ticketmaster all being hit.
But you CAN protect your organisation no matter how big or small by following best practice tips. You’ll see some of those in our third story, which looks at avoiding business email compromise.
Stay safe out there.
Who hacked the MOD? Fingers point at China
There was a flurry of alarming headlines earlier this month about China hacking the MOD. Defence Secretary Grant Shapps confirmed that payroll details of 270,000 current and veteran military personnel from the Royal Army, Navy and Air Force had been hacked. He also added that “state involvement” from a hostile country could not be ruled out, but stopped short of officially naming China. The Chinese embassy denied any involvement in the hack.
Conservative MP Tobias Ellwood told Sky News that he believed China “was probably looking at the financially vulnerable with a view that they may be coerced in exchange for cash.”
Barely two months ago, the UK government openly accused Chinese ‘state-affiliated actors’ of orchestrating two ‘malicious’ cyber attack campaigns in the UK.
There’s also growing concern that the MOD’s IT contractor Shared Services Connected Ltd (SSCL) had been aware of the hack for months before reporting it. An official inquiry is now looking into why the supplier took so long to report it.
SSCL and its parent company French tech giant Sopra Steria are believed to have other cyber security contracts with the government. Whitehall insiders fear that there could have been a wider compromise of systems, so watch this space.
America’s worst-ever healthcare hack
The UnitedHealth Group hack has all the makings of a ‘how not to’ case study.
Here’s the scenario. America’s largest health insurance provider fails to protect its IT systems with basic multi-factor authentication (MFA), which leaves the doors open for hackers. Then it pays a $22 million ransom that does nothing to retrieve any data and, even worse, leads to double extortion from other ransom gangs. And, if reports are to be believed, it then attempts to rebuild infrastructure after the hack by – we can feel you wincing – reconnecting with compromised servers.
The fallout has been massive. UnitedHealth Group profits took an $872 million hit, with total losses estimated by some parties to climb to $1.6 billion if you factor in continued ransom demands. No doubt, they will survive. Their first-quarter revenue, despite the hit, was $99.8 billion.
The real story here is a human one. Patients were denied life-saving surgeries, which were cancelled at the last minute due to insurance payment freezes. Meanwhile, CEO Andrew Witty told Congress in his testimony that roughly a third of Americans have had their personal health information stolen.
It just goes to show that basic cyber security can’t be taken for granted. Not even by billion-dollar organisations. The fundamentals of data security such as implementing MFA, segmenting networks to minimise the blast radius of a breach, and refusing to pay ransom for data retrieval remain as important as ever.
Intersys’ Head of Security Jake Ives sums up our stance on paying ransoms to cyber gangs. “Pay these guys once and you demonstrate you’re desperate, so it’s no wonder the threat actors continue to cause headaches!”
Save the whale! How to protect senior execs from business email compromise (BEC)
Phishing emails are sadly all too common visitors in most work inboxes. An eye-watering 84% of UK businesses were hit by phishing scams last year. A growing trend is business email compromise, or BEC, where cyber criminals specifically target senior executives or those in finance roles. (This is sometimes known as whale phishing.) It’s why it’s even more important in today’s climate to ensure that senior staff in your organisation know not just how to spot BEC, but also that they know what to do if a link in a phishing email is accidentally clicked.
A typical BEC occurs when a criminal hacks a work email account and tricks staff into either moving money or parting with valuable or sensitive data.
Unlike phishing emails, which are indiscriminately sent in their millions, BEC emails are targeted at specific individuals within organisations. It could be an invoice from a third-party supplier you used last year, or an email that references a conversation from an existing email chain.
Some may come from a legitimate employee account that has been hacked, and so would sail right through a standard email spam filter.
The NCSC’s guidance on protecting against BEC is comprehensive. Here’s a quick snapshot:
- If you think you’ve been scammed into making a fraud payment, ring your bank directly using the phone number on their official website. You should also contact your IT department and report it as soon as possible, and report the incident to Action Fraud on 0300 1234 2040.
- Always scrutinise any email that asks for payment to a specific account. Do you recognise the sender’s email address? If in doubt, always ring them to double-check.
- Never use the links, phone numbers or addresses in an email which asks you to make a payment or share sensitive data. Always check contact details on their official website.
- It’s really important that organisations encourage staff to report phishing emails and provide up-to-date cyber security training.
We’ve written several useful posts on phishing and similar attacks:
10 Phishing Email Examples And Why We Know They’re Fake
Other vulnerabilities
Securing against vulnerable Windows boot managers
New emergency security update for Chrome
GitLab patch for high-severity flaw