
The social engineering tactics everyone needs to be aware of

In recent weeks, we have seen an increase in the number of phishing attempts made to businesses as cybercriminals take advantage of the coronavirus (COVID-19) pandemic. It has become so prolific – and successful – that numerous IT security firms and law enforcement agencies, including the FBI, have released warnings.

The most common attack has been, as always, in the form of an email. Most are preying on users’ concern and thirst for information, as content posing as Coronavirus health advice, educational content or financial relief encourages them to click on links and download/open Word documents and PDFs. If these are clicked on or opened, malware or ransomware infects the device and compromises the network.

Despite the increase in deployed security technology – anti-virus, anti-malware, anti-ransomware and anti-spam tools – combined with strict processes, Accenture Security’s 2019 Cost of Cybercrime report found that 85% of organizations still reported phishing and social engineering attacks in the last 12 months.

This is because a business’s biggest IT security weakness, no matter what controls it has in place, is its employees. And during these bizarre times, the threat your workforce poses has never been greater.

Widespread and long-term working from home creates additional security threats that most businesses are unprepared for, making it a perfect hunting ground for phishing attempts.

Persistent and unavoidable reliance on unsecured home networks
Likely use of employees’ own devices
Greater difficulty of verifying email instructions in person
The difficulty of continuous reinforcement of the security threats
Natural human susceptibility

It’s a lethal combination.

The secret is to educate your team on how social engineering works, and what to be mindful of – not just in terms of the recent COVID-19 threats, but also more widely.  

Social engineering – What does this mean?

Social engineering is the use of psychological manipulation to convince and trick people into providing confidential and/or personal information. This tactic also involves sending links or documents in emails and text messages, as well as across social media, that when clicked on could infect users’ devices or entire networks with malware or ransomware.

Types of Social Engineering:
 
Phishing:

Phishing attempts are one of the most common types of social engineering attacks. This is where cybercriminals use increasingly convincing communications such as an email or SMS message, and make it appear to come from an employee, a supplier, or even a financial institution.

These messages will require you to click a link to either an infected page or to a website impersonating a well-known brand requesting you to “log in” (see typosquatting below). They can also include malicious attachments such as Word, Excel or PDF files and encourage the user to download or open them. Successful attacks often inject malware or ransomware into an organization’s network, crippling business operations and finances.

For example, Travelex and Garmin both suffered a ransomware attack earlier this year, and both are still impacted by the attack. The impact of these attacks would have been minimal if proper IT security practices and processes had been in place, along with ongoing employee security awareness training. You can read more about these attacks, plus how to prevent them, here.

SMiShing:

SMiShing uses text messaging or messaging apps such as WhatsApp to encourage users to click on malicious links and to give away personal information. Recently there has been a rise in SMiShing attacks spoofing government agencies, health care bodies and financial institutions, offering information regarding the COVID-19 pandemic.

However, SMiShing attempts can also look like they have come from utility providers, online retail organizations and payment apps.

 
Whaling:

A whaling attack is a form of phishing: a communication designed to look like it has come from a senior member of an organization, targeting high-profile individuals or company executives, and aiming to steal sensitive information, gain access to the system or request a financial transaction. It can come in the form of emails, phone calls or text messages and is often referred to as CEO fraud.

 
Vishing:

Vishing is a voice-based phishing attack and is often someone posing as an executive of the organization or a contact from a known partner or supplier, requesting financial payments or information. The caller often sounds angry, irritated or panicked, which causes a stressful situation, often making the employee more likely to comply.

  
Baiting:

Baiting often pretends to offer something appealing such as free downloads, or for example, offering free healthcare advice about COVID-19. This is also known as “clickbait”. 

 
Typosquatting:

Typosquatting is when a cybercriminal obtains domains with URLs similar to those of well-known organizations and relies on users making typos and errors when typing in the URL. Unfortunately, these fraudulent sites can look so authentic that they request login and payment details, or they may install malware onto a device simply when the user lands on the page.

 
Social Media:

Social media is a tool that is increasingly being used for up-to-date news, and it provides cybercriminals with a platform to set up fake accounts to promote “click-bait” posts, often masquerading as news, health care and financial advice.

Additionally, with more people documenting their personal lives on social media such as Facebook, Instagram and Twitter and unknowingly giving away personal information, it becomes easy for hackers to use these platforms to find passwords and answers to security questions, such as the names of people’s relatives and pets.

 
How do I protect myself and my business from social engineering?

Here are a few tips on how users can avoid and combat social engineering attacks:

Do not open any links or attachments in emails from untrusted sources.
Be vigilant when opening any attachments, even when the email appears to be from someone you know. If you’re unsure, ask them.
Hover above a URL to verify beforehand, check for typos or wrong domains, if you’re still unsure, do not click on it!
If an email looks like it’s coming from someone you know but is asking for valuable company information or for financial transactions, usually with urgency, double-check the email address and verify this with a phone call to the sender.
Do not be fooled by “clickbait” offers!
Be wary of social media – how much personal information are you giving away? Don’t be tempted to click on links offering discounts or advice and news.
Ensure you use trusted media outlets and official healthcare websites to look for the latest news, information and advice.
Always use strong passwords or passphrases.
Don’t be afraid to ask questions and report anything that looks suspicious.
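The typosquatting section above and the tip about checking a hovered URL for typos or a wrong domain describe a check that can also be automated on the defending side. The following is an added example, not code from the original article or from Calligo: it extracts the links in a message, reduces each to its registrable domain, and compares that against a list of domains the organisation trusts, flagging near misses (a different top-level domain, a one- or two-character typo, or a digit-for-letter substitution). The trusted-domain list, the homoglyph table, the thresholds and the sample email are all constructed for illustration, and the "last two labels" domain reduction is a deliberate simplification that does not handle suffixes such as `.co.uk`.

```python
"""Screen links in a message for lookalike (typosquatted) domains.

Added example, not part of the original article. TRUSTED_DOMAINS,
HOMOGLYPHS, the thresholds and SAMPLE_EMAIL are constructed values.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Constructed allowlist: domains this organisation expects to link to.
TRUSTED_DOMAINS = {"example.com", "mybank.example", "calligo.io"}

# Constructed, non-exhaustive table of visually similar substitutions.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(url: str) -> str:
    """Return the last two hostname labels, lower-cased (naive eTLD+1)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalise_homoglyphs(label: str) -> str:
    """Map look-alike characters back to the letters they imitate."""
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> tuple[str, str | None]:
    """Return (verdict, trusted domain it resembles or None).

    verdict is "trusted", "lookalike" or "unknown".
    """
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    name, _, tld = domain.rpartition(".")
    for trusted in TRUSTED_DOMAINS:
        t_name, _, t_tld = trusted.rpartition(".")
        # Same name on a different TLD, e.g. example.co vs example.com
        if name == t_name and tld != t_tld:
            return "lookalike", trusted
        # Digit/letter substitution, e.g. examp1e.com vs example.com
        if normalise_homoglyphs(name) == t_name:
            return "lookalike", trusted
        # Close typo, e.g. exmaple.com; short names are skipped to limit noise
        if len(t_name) >= 5 and edit_distance(name, t_name) <= 2:
            return "lookalike", trusted
    return "unknown", None


def screen_message(text: str) -> list[dict]:
    """Classify every link in the message text."""
    findings = []
    for url in URL_RE.findall(text):
        domain = registrable_domain(url)
        verdict, resembles = classify_domain(domain)
        findings.append(
            {"url": url, "domain": domain, "verdict": verdict, "resembles": resembles}
        )
    return findings


# Constructed sample message with one genuine link and two lookalikes.
SAMPLE_EMAIL = (
    "Your mailbox is almost full. Log in at https://login.examp1e.com/reset "
    "to keep access. Our policy: https://www.example.com/policy . "
    "Pay the attached invoice at http://rnybank.example/pay today."
)

if __name__ == "__main__":
    for finding in screen_message(SAMPLE_EMAIL):
        print(f"{finding['verdict']:9} {finding['domain']:20} "
              f"(resembles {finding['resembles']}) <- {finding['url']}")
```

Run as a script, the sample flags `examp1e.com` and `rnybank.example` as lookalikes of `example.com` and `mybank.example` while accepting `www.example.com`. In practice the allowlist would be the organisation's own brands, suppliers and banks, and a "lookalike" verdict is a reason to route the message for review rather than to block it outright, since the edit-distance rule will also match some legitimate but unfamiliar domains.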

How Calligo can help

Calligo’s award-winning IT Managed Services includes IT Security services that address all three pillars of IT security and keep your business continuously protected from all attack types.

Our IT Security Services include:

Strategic security consultancy
Anti-virus, anti-malware, anti-ransomware and anti-SPAM
Security audits
Patch management
Penetration testing
Employee cybersecurity awareness training
Back-up & disaster recovery
Multi-Factor Authentication

The 6Rs of Cloud Migration Explained

The key to a successful cloud migration is careful consideration and planning. The first stage of the journey is businesses’ defining their cloud migration strategy, deciding on a vendor and knowing what compliance frameworks the business needs to adhere to.

The 6Rs of Cloud Migration

As part of the strategy, it’s essential to review all applications and identify which migration option best suits each one. This is known as the Six Rs (6Rs) of cloud migration – the six potential courses of action for each application.

1 Rehost

This is the classic “lift and shift” approach of redeploying an application within the cloud. It is how many applications are approached as it often delivers ROI faster, but it only works if the application is suitable for cloud hosting in the first place.

2 Refactor aka Rearchitect

This is where the application is reimagined to add features, improve availability or performance or make it more scalable – all of which might be largely impossible on-premise.

This is often more time-consuming and expensive, but if the business objectives require it, it can also be the most beneficial.

 
3 Revise aka Re-platform

This is a middle ground between Rehost and Refactor. The application is moved to the cloud, then altered and modernized so it meets commercial objectives better, leaving the core nature of the application unchanged.

4 Replace aka Repurchase

This is where your in-house applications are replaced with SaaS tools with similar – often greater – functionality.

This option creates the least technical demands but does limit your ability to customize, and ongoing use and deep reliance will create vendor lock-in.

The 6Rs are based on Gartner’s original 5Rs of Cloud Migration, published in 2011, which also included “Rebuild”.

This is when the original application is dropped and a new application is developed from scratch on the new cloud environment. This gives businesses total freedom to build exactly what they need. However, the cost to maintain and hire the right skill set is often too high for most businesses.

Because it is so rarely a practical option, AWS later dropped “Rebuild” and replaced it with the two options below – Retire and Retain.


5 Retire

Often, during the planning process, it becomes clear that there are applications that are no longer useful and can be retired. This creates huge savings in both cost and resource to add to the migration business case.

6 Retain

The final option is to keep the application where it is. You may feel that some applications are best delivered from on-premise and do not need to be, or even cannot be, replaced with alternative versions.
 
Interested in migrating to the cloud?

Our team of experts will guide you through the most appropriate deployment of cloud technology for your business. We’ll design a bespoke cloud strategy for your organization, ensuring your security and accessibility needs are met, plus any data privacy obligations. The team will also select the most suitable platform and ensure a quick and smooth cloud migration.

Zero Trust – the real “New Normal”

Calligo’s Chief Information Security Officer, Mark Herridge, has written this blog to discuss why organizations need to adopt a “Zero Trust” approach when it comes to their data security and what steps they need to take to protect their data.


We all know working practices have changed as a result of COVID-19, lockdowns and a lingering – in some cases, permanent – reluctance to commute into major hubs.

Similarly, much has been reported on the rise of opportunistic COVID-19 security threats, ranging from social engineering tactics such as targeted phishing attacks that seek to prey on users’ ongoing worries about the pandemic to companies straining to quickly enable remote workers.


What is a Data Protection Officer (DPO)?

What is a data protection officer?

A data protection officer (DPO) is an employee or contractor hired to oversee a company’s data protection strategy and ensure compliance with the General Data Protection Regulation (GDPR). The role was introduced in 2018 to promote compliance with the new laws governing how the personal data of EU citizens is handled.


Raconteur Special Report – Digital Transformation

Calligo features in Raconteur’s latest special report on Digital Transformation, which was published in The Times.

The 16-page report contains insights from recognised experts and thought leaders on Digital Transformation strategy and execution and looks at how coronavirus has accelerated digital transformation in businesses and education. The report also explores the future of work and innovation, and why data-driven approaches are key to successful digital transformation projects.

“97 per cent of business decision-makers say that COVID-19 pandemic has sped up digital transformation at their company”

Raconteur

Calligo was asked to contribute on how best to design a Digital Transformation project, and how to ensure its immediate and ongoing success.

Our article, “Five steps to successful digital transformation”, featured on page 5 of the Raconteur report, provides a how-to guide to building a modern, data-first Digital transformation strategy that delivers.

The steps include:

Why you should not start with your business needs
The benefits of adopting a privacy-first mindset
How to build a strategy that earns your customers’ trust and makes them enjoy working with you
When and how to deploy technology
Why your Digital Transformation strategy has to keep evolving, and how to maintain it

“If you take a technology-first approach to Digital Transformation, it relies on identifying business problems and deploying the most suitable technology to fix them.

“In contrast, a data strategy starts by examining how data moves through the business, identifying areas of inefficiency, data governance weaknesses, overspend, security gaps and so on.

“It is a far more fundamental approach to Digital Transformation, improving businesses from their very foundations and bringing more value as a result.”

Adam Ryan, Chief Services Officer

Lessons to learn from the Travelex & Garmin ransomware attacks

What is ransomware?

For the blissfully unaware, ransomware is a type of cyberattack whereby the attacker encrypts the files on a victim’s machine or across the network and then demands a ransom before they will be decrypted and access is restored, or so they hope. Sometimes the hacker will even threaten to sell or disclose the stolen data unless a ransom is paid.


The Top Data Privacy Influencers in 2020

Last year, we announced our top 8 data privacy influencers of 2019, who we believed anyone in the industry should be aware of to stay informed and updated with the latest thinking around privacy.

The initiative was a great success and it remains one of our most popular blogs. And as data privacy continues to be one of the most powerful and change-triggering conversations in the business world, especially as new laws and protections come into effect alongside new ways of working, we thought we should bring you a new list of the data privacy influencers who have already stamped their mark on 2020.


Step-by-step guide to Schrems II and Privacy Shield’s invalidation

Data Privacy News: Step-by-step guide to Schrems II and Privacy Shield’s invalidation, and what it means for you

Last Thursday, the Court of Justice of the EU (CJEU), the European Union’s top court, struck down the EU-US data sharing agreement, Privacy Shield, technically known as the EU-US Data Protection Shield.

The case known as Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (also referred to as Schrems II) ruled that the data sharing agreement between the EU and the US, Privacy Shield, is not suitable as it does not provide adequate protection for EU citizens’ personal data when stored in the United States.


Data Privacy and Data Security Recommendations for COVID-19

The speed that COVID-19 spread around the globe and the lockdown that followed has caught many companies off guard, and there’s a good chance that you may even be reading this in a hastily-assembled home office, in your kitchen or a spare bedroom.


For some, the ability to keep data secure has been torpedoed by unexpected, sudden volumes of employees working from home, relying on domestic networks and personal devices. Similarly, there has been widespread confusion over how to balance employees’ privacy and confidentiality with the broader obligation of staff protection and even civil responsibility.


Navigating these times is difficult but there is some comfort in knowing that even during this emergency situation, the normal rules still apply.


Our Data Privacy team has released new guidance on the Data Security and Data Privacy concerns of the ‘new normal’, in order to help businesses follow data privacy rules and security best practice, while protecting the health and preserving the productivity of their staff.