Prevention is the Best Defence
Cyber Crime is a major problem for business and is one of the fastest growing areas of crime in the world. The ‘WannaCry’ attack in 2017 is estimated to have cost the NHS over £93 Million. We all have a duty to help protect the NHS and its systems from attack. The following are some hints and tips, many of which have been provided by the South of England Regional Organised Crime Unit.
Short passwords of eight digits or less can be hacked in less than twenty minutes using software available on the dark web. A password should be at least thirteen digits long, ideally three random words, using a mixture of upper and lower case, using some symbols and numbers in the place of some letters. This would take over six-months to hack.
It is recommended that passwords should not be changed regularly as this encourages the use of short or easily remembered passwords. Passwords should only be changed if the user is alerted to a potential breach.
It is essential that a user uses a unique password for their email account, not shared with any other applications. This will ensure that if an application password is hacked, the user can reset the password easily. However, if an application password is hacked which is the same as the email password, the hacker can reset both passwords and lock the user out.
Social media awareness
Fraudsters will use social media to build a profile of an individual, especially those working in key positions in an organisation. They may ‘friend’ request the individual to try and gain greater access to personal information.
To reduce the risk, do not add ‘friends’ that you do not know. Avoid putting any information relating to your work on social media. Do not answer social media posts about your favourite band, first holiday etc. as these answers are often security password reset questions. Avoid clicking on Facebook quizzes, to find out ‘what kind of kitchen utensil you are’ or ‘what your Viking name might be’, as, in doing so, you give that app access to your personal data on Facebook and will probably provide a lot more when answering the quiz questions. Finally, regularly review and update your security settings and make sure you use the highest privacy options available.
CEO and Mandate Fraud
CEO and Mandate Fraud continue to pose a huge risk, with fraudsters frequently targeting Finance and Procurement teams impersonating directors or suppliers. Sometimes a private email account is set up in the name of the director being impersonated, or the director’s account may have been hacked.
An alternative is where the Payroll Department is contacted by someone impersonating an employee, requesting that bank details for salary payments are amended. Or an employee may respond to a phishing email, giving the criminal access to their ESR account enabling the criminal to change the bank details for salary payments.
These teams should remain vigilant against such attempts as emails are easily spoofed or hacked. They should never undertake a financial transaction on the basis of an email. All suspicious contacts should be checked with the apparent sender on an independently verified number.
A short video demonstrating ‘Mandate Fraud’, shared with kind permission of the NHS Counter Fraud Authority.
Check your own email account
Email addresses are often used as ‘logins’ for financial sites such as PayPal, eBay, iTunes, Amazon, etc. By entering your email address at the website www.haveibeenpwned.com it will show whether that email address has ever been associated with any kind of compromise or data breach. If it has, it will list the company that has lost the data. This data could end up for sale on the dark web, giving a criminal access to your personal information on that application and potentially any others that use the same login / password combination. You should immediately change your password on that application and any other application that uses the same login / password combination.
It was reported that the application ‘MyFitnessPal’ application suffered a data loss in February 2018 and this data was subsequently listed for sale on the dark web. If you used the application at that time this means that your email address / password combination may be in the hands of a criminal.
You should a) change your password for that application, and b) change the passwords for any other applications that use the same email/password combination.
Short Metropolitan Police awareness videos
The Metropolitan Police have released a series of five very short awareness videos, providing best advice on a number of key topics. Most last about 45 seconds, and are a great summary of the steps you can take to stay safe.
Test and trace
Working from home
Always follow best practice
Your organisation’s information governance rules are there for a purpose, ensure you follow them. Here is a quick list of some general best practice rules to be followed:
- Always lock your computer when you are away from your keyboard, even for a short time.
- Never share your password with anyone.
- Don’t follow links in emails, they often take you to dangerous cloned sites which harvest your personal information if you attempt to use them.
- Be cautious of attachments in emails, particularly from people that you don’t know or don’t routinely do business with. They could be ‘Malware’; malicious software which will install on your computer if the attachment is clicked.
- Any email that is threatening, alarmist or designed to make you panic should be viewed with extreme caution.
- Don’t plug non-NHS hardware (phones, memory sticks etc.) into your computer.
- Don’t leave a laptop, NHS phone or other equipment in your car. If it is unavoidable then lock it in the boot.
- Don’t use public Wi-Fi; as soon as you connect, your logins and passwords could be collected by a criminal using dark web software.
- Keep your computer and phone software upgrades up to date.
8,387 total views, 3 views today