Here is our latest information security news and resources blog, covering some of the news items and interesting resources you may have missed over the summer period, together with links to third-party sites that provide more information.
UK College in targeted cyber-attack
Swindon College is the latest educational institution to suffer a targeted cyber-attack in recent months. This attack has led to unauthorised access to personal data of students and staff, past and present.
Earlier this month Staffordshire College was the victim of an ‘ethical hacker’ who broke into the email system and doctored emails. In July, the University of Lancaster announced that it had been the victim of a cyber-attack, caused by a targeted phishing campaign, which led to a data breach affecting undergraduate applicants for 2019 and 2020. Data stolen included names, addresses, telephone numbers and email addresses. The student records system was also breached and fake invoices were sent to some students.
The human factor in cyber-attacks is still one of the most successful ways for attackers to infiltrate a network, and these incidents again highlight the need for frequent cyber-security awareness training.
Transport for London’s (TfL) Oyster card system hacked
In August, TfL had to take down its Oyster Card online payment system after customer accounts were hacked. It is thought that the attackers used usernames and passwords harvested from earlier, unrelated breaches, compromising customers who reuse the same login details and passwords across multiple systems, a technique known as credential stuffing.
Again, this exposes a weakness in human nature. Remembering multiple passwords is a pain for everyone, and people who reuse the same details in their personal lives will undoubtedly be doing the same at work. We encourage complex passwords that are not subject to routine forced changes, together with the use of a password manager and two-factor authentication.
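Credential stuffing has a recognisable signature in authentication logs: one source address trying many different usernames in a short window, mostly failing, with the occasional success where a reused password happens to match. The following detector is an added example (not TfL's code, and not part of the original post); the log format and the sample lines are constructed for illustration, and the thresholds are assumptions to tune for your own system.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (RFC 5737 documentation addresses,
# invented usernames). 203.0.113.5 sprays six different accounts in seconds;
# 198.51.100.7 is one user mistyping their own password and then getting in.
SAMPLE_LOG = """\
2019-08-20T10:00:01 src=203.0.113.5 user=alice result=FAIL
2019-08-20T10:00:02 src=203.0.113.5 user=bob result=FAIL
2019-08-20T10:00:03 src=203.0.113.5 user=carol result=FAIL
2019-08-20T10:00:04 src=203.0.113.5 user=dave result=SUCCESS
2019-08-20T10:00:05 src=203.0.113.5 user=erin result=FAIL
2019-08-20T10:00:06 src=203.0.113.5 user=frank result=FAIL
2019-08-20T10:05:00 src=198.51.100.7 user=alice result=FAIL
2019-08-20T10:05:30 src=198.51.100.7 user=alice result=FAIL
2019-08-20T10:06:00 src=198.51.100.7 user=alice result=SUCCESS
"""

def parse_line(line):
    """Parse one 'timestamp key=value key=value ...' log line into a dict."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def find_credential_stuffing(log_text, window=timedelta(minutes=5),
                             min_users=5, min_fail_ratio=0.6):
    """Flag source addresses that, within any `window`, attempted at least
    `min_users` distinct usernames with a failure ratio >= `min_fail_ratio`.
    Returns {src: {"users": n, "fails": f, "hits": [usernames that succeeded]}}.
    The "hits" are accounts whose reused password worked and need a reset."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_src[event["src"]].append(event)
    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):          # sliding time window
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "FAIL" for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                prev = flagged.get(src)
                if prev is None or len(users) > prev["users"]:   # keep widest window
                    hits = sorted({e["user"] for e in win if e["result"] == "SUCCESS"})
                    flagged[src] = {"users": len(users), "fails": fails, "hits": hits}
    return flagged
```

Run against a real login log, the "hits" list is the set of accounts to force a password reset on and to check for two-factor enrolment, since a success inside a stuffing run means that customer's reused password is already public.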
NHS vulnerable to Cyber-Attack
In the most recent coverage relating to cyber-security and the NHS, NATO’s Secretary General has announced that an attack similar to the WannaCry attack in 2017 would trigger a full NATO response.
According to a white paper issued in July 2019 by Imperial College London’s Institute of Global Health Innovation (IGHI), the NHS remains vulnerable to cyber-attack. The report states that whilst the WannaCry attack caused widespread disruption to NHS services, it was relatively unsophisticated, a worrying remark considering the sensitivity of the data at stake. Less immediately obvious is the vulnerability of connected medical devices, which are being more widely deployed.
The white paper recommends increasing the number of cyber-security professionals, creating security silos which could be locked to quarantine viruses when they occur, improving staff awareness and having clear communications plans in place so staff know where to get help and advice on cyber security when they need it.
Having previously worked with NHS trusts, our experience is that the information security and data protection task is monumental considering the sheer size and fragmented structure of the NHS, but it is not impossible if the right resources are put in place.
Cyber Security Act comes into force
On the 27th June 2019, the much-anticipated EU Cyber Security Act (Regulation (EU) 2019/881) came into force, giving the EU Agency for Cybersecurity (ENISA) permanent status and a strong mandate. The aim of the act is to improve the EU’s cybersecurity preparedness and resilience. ENISA will receive more resources to enable it to improve information sharing between EU Member States, co-ordinate pan-European cyber security exercises through the network of Computer Security Incident Response Teams (CSIRTs) and help EU Member States to implement the Directive on the Security of Network and Information Systems (NIS Directive). There is more about NIS here.
ENISA will also have a central role in establishing and supporting the implementation of the EU cybersecurity certification framework, which will cover ICT (Information and Communications Technology) products, processes and services. There will be multiple schemes covering different categories of ICT product; for example, ETSI TS 103 645 is a standard for cybersecurity in consumer Internet of Things devices. For the time being, certification will be voluntary, although this will remain under review for specific products.
Targeted phishing attack leads to data-breach at Mobile phone company
Sure Telecom announced a data breach in July, caused by a targeted phishing attack which led to the loss of personal data of current and former staff based in the Isle of Man, Jersey and Guernsey.
The lost data includes names, addresses, bank account numbers and sort codes. Sure reports that fewer than 400 people were affected by the breach and that, so far, no customer details have been accessed.
The importance of staff awareness
The recurring theme in the above news stories is the human element. Training and awareness are key contributors to strong cyber-security, but it is clearly an area that needs attention in companies large and small. The NCSC have produced a helpful e-learning package, particularly aimed at SMEs.
Multi-layered approach to phishing
Also from the NCSC is a useful guide to phishing, which explains how a multi-layered approach can help you protect your business.