Consult MB Ltd

Mike Brett of Consult MB Ltd was asked to write an article for the Somerset Chamber of Commerce’s magazine, Somerset Voice. The article is reproduced below. Phishing is a relatively old topic but it remains very relevant, and should feature at, or near, the top of any list of topics for staff awareness training.

The Article

I sometimes come across customers who have a security policy for absolutely everything. They spend significant sums of money on advanced technical controls and are supported by dedicated IT professionals. Yet, somehow, these organisations still get hacked, and invariably it starts with an indiscriminate, untargeted phishing attack.

Phishing used to be defined as an attempt to trick someone into giving information away over the Internet or by email. That still holds true, but these days phishing emails frequently contain attachments or website links that are intended to lure the recipient into inadvertently installing malware onto their computer. Typically, that initial malware is just a foot in the door, and more advanced malware will follow.

The lure of phishing emails deliberately exploits both the best and worst features of human nature. People can be trusting, willing to help others and inquisitive. They can also be greedy, lazy, intimidated or coerced into making rash decisions. Phishing may exploit any of those characteristics to achieve the desired aim, to get your employee to open the attachment or click on the link.

Indiscriminate phishing may, for example, send an email to 100,000 random recipients demanding immediate payment of the invoice attached. If only 1 in 100,000 recipients is pressurised into opening the attachment, the phisher may have succeeded. If that recipient works in your company, let’s hope your technical controls are good enough to counter what happens next.

Often the greatest illegal gains are achieved via targeted phishing, known as ‘spear-phishing’. This is when a mail is cleverly crafted to bamboozle a specific individual. If that person is very senior in the organisation, this is known as ‘whale-phishing’.

You can buy software to analyse incoming email, but it may not provide perfect phishing detection. Instead, I suggest the focus should be on the potential victims, i.e. your staff. As such, I recommend that you conduct frequent and interesting staff awareness training. In April 2019 the National Cyber Security Centre introduced ‘Exercise in a Box’ a free online awareness training tool that includes a phishing attack exercise. Please check it out…but not if it arrives as a link in an email from a stranger.

Mike Brett CISSP, works as a Cyber Security Consultant for Consult MB Ltd.

Consult MB Ltd is pleased to announce that we have secured a new contract to provide enterprise architecture services to our oldest customer. Since our company formation in 2003 we have enjoyed a sixteen year relationship with this government department. Repeat custom gone mad, we love it!

Consult MB Ltd, in association with the Somerset Chamber of Commerce, held a half day ‘Cyber Security Workshop’ at the Somerset Chamber Office in Taunton. The workshop provided an opportunity for small to medium size businesses to understand common cyber security threats. It provided insights into the current threats which are targeting businesses and examined cost effective and achievable methods to counter those threats. No previous cyber security knowledge was assumed. As ever, the workshop delegates were delightful to meet, and represented some local businesses with interesting IT solutions and challenges.

A good discussion around WiFi security, Man-in-the-Middle attacks, and VPNs followed a refreshment break look at a clever cyber security video from the Security Awareness Company.

If you’re interested in cyber security awareness training, please contact Consult MB Ltd and we can discuss a bespoke programme that will meet your specific needs.

The Department for Digital, Culture, Media and Sport’s Cyber Security Breaches Survey 2019 is an interesting read…not only if you’re into Cyber Security 🙂

A key message is that fewer companies have identified breaches or attacks than before, perhaps because the introduction of GDPR has had a positive impact on their cyber security posture. The report does say that where organisations have lost data or assets through security breaches, the resulting costs have consistently risen since 2017. The survey continues to disappoint in the sense that most organisations, particularly smaller ones, are not aware of Government initiatives such as Cyber Aware, 10 Steps to Cyber Security, and Cyber Essentials.

Help is at hand, Consult MB Ltd in Weston-super-Mare, North Somerset conducts much of its cyber security work based on ’10 Steps’ and Cyber Essentials. Check out our services options for more details.

UK charities play a make a major contribution in supporting their chosen groups throughout the UK. For many people, the support from charities is literally a lifeline. Their work, however, also necessitates that they hold personal, commercial and financial information which has a clear value to cyber-criminals. Coupled with a reliance on IT, this sadly means charities are as vulnerable to cyber-attacks as any other business

Addressing resilience within charitable organisations can be a challenge. Many do not perceive themselves as open to the cyber-threat; a threat which, in reality, is unbiased as to an organisation’s size or sector. Whilst targeted attacks are still commonplace, so too are attacks which target a vulnerability rather than a specific person or organisation. Be it targeted or not, the consequences of a cyber-breach can be devastating.

The IASME Consortium, a leading Accreditation Body for the government backed Cyber Essentials certification scheme, is launching a week-long campaign aimed at encouraging registered charities to improve their resilience to on-line threats. Together with participating certification bodies, IASME is offering discounted certifications on schemes which demonstrate charities have recognised best practice protections in place. IASME’s support for the third sector will take place between 29 April and 3 May 2019.

The IASME Consortium package includes the widely recognised Cyber Essentials scheme. This scheme assesses against 5 core technical controls which, had they been in place, would have prevented the majority of successful attacks in recent years. The 5 technical controls are anti-malware, access control, patching, secure configuration and firewalls.

IASME will also be offering its own award-winning governance standard as part of the promotion. IASME Governance, which includes a Cyber Essentials assessment and a GDPR check, is an information security management standard which is more practical for SMEs than the traditional ISO27001. Taken simultaneously with Cyber Essentials, IASME governance covers additional protections such as physical security, data back-ups and staff awareness.

Dr Emma Philpott, Chief Executive of The IASME Consortium stated, “Charities work tirelessly to secure donations for fantastic causes. Having the right safeguards against unscrupulous cyber activity can help protect the donations and also any sensitive information that a charity might hold.”

The IASME Consortium licenses a network of certification bodies including Consult MB Ltd, based in North Somerset. Consult MB Ltd owner, Mike Brett , stated, “We had no hesitation in participating in this campaign. Charities do so much to help society and we want to help ensure that every available penny goes to where it can make a real difference.”

Interested charities can find further information and apply via Consult MB Ltd.

Campaign discounts. Cyber Essentials usual price £300, campaign price £225. IASME Governance usual price £400, campaign price £250. All prices are quoted exc. VAT.

Attended an interesting seminar, arranged by Lloyds Bank hosted at Weston College, on Fraud and Cyber threats. Lots of useful tips and advice for small businesses. Also, lots of alarming statistics around fraud and cyber-crime.

Lloyds say a financial fraud is committed once every 17s (yes seconds!).

The ‘Meet the Fraudstars’ video by Get Safe Online and Lloyds looks at impersonation fraud.

Pleased to have joined the Weston-Super-Mare Chamber of Commerce. Enjoyed the first networking event, which included a fun presentation by Sophie Richards from The Laughter Show.

Consult MB Ltd is pleased to announce that we’ve joined the Somerset Chamber of Commerce.
Looking forward to the Chamber’s events and networking with other members!

Consult MB Ltd, based in Somerset, has successfully completed the exacting process to become a licensed Certification Body for the National Cyber Security Centre (part of GCHQ) Cyber Essentials and Cyber Essentials Plus schemes. Consult MB Ltd also gained licensed Certification Body status for IASME Governance, an affordable information assurance management scheme.

With cyber threats increasing in both volume and sophistication, Cyber Essentials and IASME Governance validate that a business has introduced proven cyber security and information assurance controls in line with recommended good practice. The Information Commissioners Office (ICO) includes Cyber Essentials on its security check list for GDPR compliance.

The Government’s Cyber Security Breaches Survey 2018 states, “Over four in ten businesses (43%) and two in ten charities (19%) experienced a cyber-security breach or attack in the last 12 months”. The Government recognise the challenge from the current cyber threat and have the ambition to tackle it head on. Cyber Essentials is very much at the heart of their National Cyber Security Strategy.

Previously, our focus was on the design and implementation of cyber defences for large enterprises. We’re delighted to have achieved licensed Cyber Essentials Certification Body status, and can assist the local business community in implementing and validating their own cost effective security measures.