Servertastic


Test and Trace privacy – your new obligations

8th July 2020

Cafe with social distancing

A whole heap of businesses have just been upgraded – in data terms – from collecting and holding only limited amounts of data, probably about staff and suppliers, to holding information about members of the public. 

With this upgrade comes a levelling-up of risk and additional scrutiny. If small businesses such as hairdressers and pubs hadn’t thought of themselves as Data Controllers before, they very much need to now. 

How have data-handling obligations changed due to Test and Trace?

The Government has asked that businesses like barbers, hairdressers, pubs and other venues keep data about customers to help with its Test and Trace efforts. 

This means that these businesses are now Data Controllers and need to be registered with the Information Commissioner’s Office (ICO), if they weren’t already. Any business collecting data will also need a privacy notice that explains to customers how and why it is collecting data, and what it will do with it. 

The Government requires only a lead name, a contact phone number and the time of arrival to be collected. No other information should be collected for the purposes of assisting the Test and Trace system. The information must be kept for 21 days, after which the risk of needing it has passed and it must be securely destroyed. 

How can businesses use the Test and Trace data?

If you’re only collecting the data for the purposes of tracing anyone potentially exposed to the virus you cannot use it for any other purpose. You can’t subscribe people to your marketing emails or use their contact details for any other reason. The ICO could fine your business if it is used for any other purpose. 

How you intend to use the data should be explained when it is collected. 

How should Test and Trace information be collected?

As with all data it’s important that it is collected and stored securely. 

Booking systems are an acceptable way of holding data, so if you already collect people’s information to make appointments you can use those records to respond to a request if you need to. 

Using an online system is likely to be the quickest and most secure way to collect data if you don’t already have a booking system. An app or system created by a company holding Cyber Essentials certification is most likely to be dependable and able to keep your customers’ data safe. 

Record Customer is an app built by our sister company, Askew Brook, specifically for collecting only the necessary data quickly and easily, and keeping it safe until it’s needed, then destroying it if it isn’t. Try it free for seven days, then pay just £40+VAT/month to keep your customers’ data safe and secure. This is a 20% discount for 3 months using the coupon code SERVERTASTIC.

You could use pen and paper, but you would need robust procedures to ensure the records were always stored securely, accessible only to people who need to see them, and properly destroyed after 21 days. A single sign-in sheet left on the counter fails the first two tests, because every customer can read the entries above their own. 

Creating all of these data-secure systems is something many small businesses will never have had to deal with before.

When might you need to hand over the data?

If someone who has been to your business tests positive for Covid-19 you might get a request from the Government’s Test and Trace team to release the data to them. They will only ask for data for customers who could have come into contact with the person who has tested positive, so you won’t need to release all of the data you hold. 

The system has already been used. In the first week after reopening at least three pubs had already closed after customers or people closely related to staff members reported testing positive for coronavirus. 

Filed Under: Cyber Security, Privacy Tagged With: coronavirus

Data and cyber security risks with the new Track & Trace system

16th June 2020

Coronavirus Track and Trace Cyber Security

There’s been a lot of emphasis placed on the effectiveness of a track and trace system in the fight against Covid-19. It’s hard to disagree that a system which will help stop the virus is a good thing, but there are already signs that the companies behind the system aren’t doing the best job with personal data.

So what steps do you need to take to keep yourself safe? What do you need to watch out for? Is taking part in the system really a good idea at all? Here’s our considered advice about how best to protect yourself.

What is the new NHS test and trace system?
The Government needs a way to keep Covid-19 under control and one of the most effective ways to do that – as demonstrated by the experience of other countries – is an effective track and trace programme. Having information about who has the virus and where they are should allow a broader lifting of lockdown, with more localised restrictions imposed to control local outbreaks.

The idea is that when someone tests positive, a team of tracers tracks down people they have been in contact with during the time they were infectious and those people are also asked to isolate to stop the virus spreading further.

The UK’s track and trace system was launched in England and Scotland last week. It’s different to the app being developed to identify if a person has been in close proximity to someone later diagnosed with Covid-19, which is still being trialled on the Isle of Wight.

There have been a few hiccups along the way, not least the breach of data protection rules when one of the companies recruiting tracers shared their email addresses with others being recruited, leading to an apology.

If we can’t trust the companies involved with the system to look after their own employees’ data, can we really trust them to look after the personal and sometimes sensitive data of the general public? It’s not off to a good start, and public confidence is an absolute necessity if a track and trace system is to work.

What data and cyber security issues does the track and trace system present?
If you have a positive Covid-19 test you will be asked for lots of personal data, as well as data and contact information for people you have been in contact with.

If you have been in close contact with someone who later has a positive test for Covid-19 you may be contacted by phone, email or text message to ask you to self-isolate and you may need to give the NHS Test and Trace system your personal details.

But how would you know a call asking you to self-isolate was genuine? Dr Jenny Harries, the Deputy Chief Medical Officer for England, did little to allay fears about how people would know the contact was legitimate when the only reason she gave for someone to believe a call from the Test and Trace operation was genuine was that it would be very evident the callers are “professionally trained individuals”. So scammers can’t sound professional then? Not much of a reassurance.

The NHS website states: “Text messages will come from the NHS. Calls will come from 0300 0135000.” But the sender name on a text message can be faked, and caller ID can be spoofed, so even a call that appears to come from the right number is not proof on its own, and a call from a similar-looking number could easily be mistaken for genuine.

Another concern is how long people’s data will be kept. Data of people with a positive Covid-19 test will be stored for 20 years. If you do not have a positive Covid-19 test your data will be stored for five years. A range of companies are involved in the storage of the data, so we’re relying on all of them to have the right processes and procedures in place to keep it safe.

Our best advice about engaging with NHS Test and Trace
The usual message about scam calls, texts and emails applies here. Be on your guard. Do not click through to any links in emails or texts. Do not give out personal data over the phone.

If you are asked to provide data, go directly to the official Test and Trace website rather than following links you are given. If you want to check that a call is genuine, hang up and ring back on the published number yourself rather than trusting the number shown on your phone.

Here’s what the official guidelines about the service say will happen:

  • call you from 0300 013 5000 (But this can be spoofed)
  • send you text messages from ‘NHS’ (But this can be spoofed)
  • ask for your full name and date of birth to confirm your identity, and postcode to offer support while self-isolating
  • ask if you are experiencing any coronavirus symptoms
  • provide advice on what you must do as you have been in contact with someone who has tested positive for coronavirus

And here’s what the guidelines say contact tracers will never:

  • ask you to dial a premium rate number to speak to us (for example, those starting 09 or 087)
  • ask you to make any form of payment or purchase a product of any kind
  • ask for any details about your bank account
  • ask for your social media identities or login details, or those of your contacts
  • ask you for any passwords or PINs, or ask you to set up any passwords or PINs over the phone
  • disclose any of your personal or medical information to your contacts
  • provide medical advice on the treatment of any potential coronavirus symptoms
  • ask you to download any software to your PC or ask you to hand over control of your PC, smartphone or tablet to anyone else
  • ask you to access any website that does not belong to the government or NHS

Be suspicious if anyone asks you for this kind of information. If you aren’t sure, use the principles of the Take 5 initiative, and stop to think before acting or giving out any information.

Ultimately, it’s your decision about whether you engage with the NHS Test and Trace programme. There are some very real risks, but many – although not all – can be managed if you take sensible precautions.

Filed Under: Cyber Crime, Cyber Security Tagged With: coronavirus, covid-19, take5

Staying safe from fraud – Covid19

13th May 2020

Covid19 prompts cyber security warning

Staying vigilant during the current pandemic doesn’t stop at washing your hands. Criminals are using Covid19 as a way to disguise their attempts to steal data and money, stealing £1.6m so far according to the National Fraud Intelligence Bureau, so staying vigilant needs to extend to the way you look after yourself and your information online too.

The National Cyber Security Centre says that it has detected more UK government-branded scams relating to COVID-19 than any other subject. Levels of cyber crime haven’t necessarily increased, but it looks like the would-be criminals are using government and HMRC branding as a new route to try to obtain information.

What types of attacks are being attempted?

The types of attacks you could be vulnerable to include both phishing scams – where you receive an email purporting to be from an official body – and text messages (also referred to as smishing) made to look like they are from government, or particularly HMRC.

Emails can contain links which, if clicked, can download malicious software to your computer. This could leave you open to future ransom demands or could be recording the passwords you use to log in to services such as online banking.

Another option is the link might direct you to a website which looks like it’s official and ask you to enter details such as bank account information and/or personal data such as your name, address, date of birth and National Insurance Number.

Text messages can contain links to similar websites, or could encourage someone to call a premium-rate phone number that runs up large charges.

Why attempt cyber crime now?

There’s a double-whammy at the moment which gives the fraudsters even more opportunities to pose as official bodies. The government support for business during the pandemic has led a lot of people to apply for various schemes online, so a message that looks like it is from government or HMRC is more likely to be actioned. It’s also the time of year when people start to submit self-assessment tax returns, with reminders landing on doormats all over the UK. This gives another potentially legitimate cover for attempted cyber attacks.

What can you do to protect yourself?

Having appropriate cyber security in place is a good start, but the biggest risk in cyber crime is the actions of people. Some simple training can help you and your team to spot the risks and take steps to secure your business and systems from cyber attacks.

Take 5 is a campaign to raise awareness of the need to think before acting in order to stop online fraud. Their website contains lots of resources you can use in your company to raise awareness about the impact of personal actions on whether or not fraudsters are successful.

For a more comprehensive training package, CybSafe is a GCHQ-accredited online training package which takes your team through a series of modules and tests their knowledge, giving you a dashboard with insight about how they perform. It can also send simulated phishing emails and report on who falls for them.

Cyber Essentials is a package of technical support and training which gives you a certification (needed for some tenders and contracts). It will give you insight into your cyber security risks and runs scans and vulnerability checks to catch weaknesses in your website before criminals do.

What can you do if you’re a victim of cyber crime?

You are likely to need the support of a cyber security expert to help recover what you can and protect against a similar attack in the future. Chat to us about how we can support you with this.

If you need a crime number, perhaps for insurance purposes if you’re insured against cyber crime, you’ll need to report the incident to Action Fraud, the UK’s National Fraud and Cyber Crime Reporting Centre.

If you need support to defend against Covid19-related or any other type of cyber attacks, get in touch to find out how we can support you and your business.

Filed Under: Cyber Crime, Cyber Security

Is your desk photo giving away important data?

21st April 2020

Home Office

With many of us making a hurried move to working from home due to the current Covid19 situation, social media has been flooded with people proudly posing on Zoom calls or showing off their new home office set-up. But what data risks do those pictures pose and what can you do to mitigate them?

As cyber security experts it’s unlikely you’ll see a picture of our desks on LinkedIn, but as the trend for showing off how well you are working at home shows no signs of abating, here’s what we recommend you look out for in particular.

The risks of taking pictures at your desk - passwords

Is your wifi password stuck on your monitor or laptop? Do you keep the handy little card supplied with your router by your desk for ease of sharing with guests? Make sure it’s not in the picture or you risk exposing your home network to hacking.

And while we’re talking about home networks and hacking, best practice for working from home would be to put your work laptop or PC on a separate network from the household’s other devices. As this is largely impractical, we recommend using a Virtual Private Network (a VPN) so that traffic from your work device is encrypted between the device and the VPN endpoint and cannot be read by anything else on your home network. It’s inexpensive, easy to set up and requires no advanced IT ability, but it will help keep your data secure.

What’s on your screen?

Open files, emails in your inbox or other things pinned to your desktop can all be visible when you take a quick snap of your desk. 

The cameras in the current generation of smart phones allow a serious amount of zooming in without losing quality, so anything that’s open on your laptop or PC becomes readable if you try, even though it looks small on your original picture. The same goes for family photos in the background, passwords or account details written on post-its on your desk, business cards or other information that you could have lying around.

In particular, the apps visible on your desktop may have publicly known security flaws. Seeing which ones you use, and in which versions, gives an attacker a shortlist for a targeted attack.

Another risk is showing the ID of the Zoom call you were on – you’ll find it in the top left-hand corner. If your meeting is a recurring one the ID will stay the same and as Zoom bombing is an increasing risk, letting others know your meeting IDs isn’t the best idea.

Zoom bombing

Say what?! Yep, Zoom bombing is the new name for people dropping into your Zoom calls uninvited. It tends to happen when the call ID has been publicised, often within an event listing, as so many people are trying to switch their in-person business models to online.

The result is someone taking over your Zoom call, potentially putting pornographic or other offensive material on the screen – even if you’ve turned off the option for others to screenshare – and posting malicious links in the chat that lead to malware or phishing pages while everyone is paying attention to your training/meeting.

This kind of tactic tends to be more of a risk when there are many people on a call, not just a few colleagues who know one another, and Zoom has quickly rolled out some security changes to try to mitigate concerns. These include passwords now being required to join calls and a waiting room where people have to stay until the call host invites them into the call. These features were already available but have now been enabled as standard.

Zoom was designed as a consumer, not business, platform first and foremost, so ease of use is at its heart. Platforms designed this way tend to have to run to catch up on security issues, so consider using other options such as Microsoft Teams if you need a more secure environment.

Potential consequences of losing data by posting desk pictures

The risks you’re opening yourself up to range from having your data stolen up to allowing your clients’ data to be stolen – and the resulting issue of having to report this to the Information Commissioner’s Office, the embarrassment of letting your clients know and potentially facing a fine.

Your system could be hacked and used as a backdoor to get into your clients’ systems, or your data could be used to hold you to ransom.

Any of the potential consequences of losing data by posting a picture of your desk online could lead to a serious amount of costs being incurred to set things right. So the next time you want to show off your swish new desk/laptop/latest Zoom call, make sure you clear up the surrounding area to get rid of any risks – or better still, don’t post the picture!

Got a cyber security question? Get in touch and we’ll get back to you ASAP.

Filed Under: Cyber Security

Cyber security when working from home – stay safe online

23rd March 2020

Working from home

The current Coronavirus pandemic means the majority of the UK, and the world, could be entering a prolonged period of social distancing. For those able to do so that means working from home. But what about the cyber security impact of working from home? Is it intrinsically less safe?

The world is highly connected, and thankfully technology makes it much easier to transition to the "home office". However, our homes are often a much more relaxed place. We feel safe in our homes which can lead to complacency and a drop in cyber security standards.

As experts in cyber security, here’s our advice about the most important things you can do to make working from home as secure as possible.

Secure your home Wi-Fi

Routers are targets for hacking, but there are some simple steps you can take to secure yours. Make sure your network is using WPA2 or WPA3 for wireless encryption. WEP is broken outright and the original WPA (WPA-TKIP) is deprecated and weak, so a network using either is open to hacking. To check this you need to log in to your router. This is usually done via your browser and isn’t as technical as it sounds. Check your router’s manual or ISP help pages for how to log in to your particular type of router. While you are there, change the default admin password too, since the defaults for many router models are published online.

If WPA2 or WPA3 are not available you must upgrade your Wi-Fi router as soon as possible. Your internet service provider (ISP) may provide an updated version at no cost. Any router provided in the last two years should be using WPA2 or WPA3 encryption by default.
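Logging in to the router is the authoritative check, but your own laptop can also tell you what each nearby network advertises. As an added example (not from the original post), the Python script below reads the terse output of `nmcli -t -f SSID,SECURITY dev wifi list` on a Linux machine with NetworkManager (assumed to be installed) and classifies each network by the weakest mode it accepts, so that a mixed WPA1/WPA2 network is flagged even though WPA2 is on offer. The network names and security strings in the embedded sample are constructed, not a real scan.

```python
"""Classify visible Wi-Fi networks by the encryption they advertise.

Added example, not part of the original post. Assumes a Linux machine with
NetworkManager, so that `nmcli -t -f SSID,SECURITY dev wifi list` is
available. SAMPLE_OUTPUT below is constructed, not a real scan.
"""
import subprocess
from typing import List, Tuple

NMCLI_CMD = ["nmcli", "-t", "-f", "SSID,SECURITY", "dev", "wifi", "list"]

# Constructed sample of nmcli terse output: one "SSID:SECURITY" per line.
# nmcli lists every mode the access point accepts, space separated.
SAMPLE_OUTPUT = """HomeNet:WPA2
OldRouter:WEP
CafeGuest:
MixedMode:WPA1 WPA2
NewBox:WPA2 WPA3
"""


def classify(security_field: str) -> str:
    """Map nmcli's SECURITY column to a verdict.

    A mixed-mode network is only as strong as the weakest mode it accepts,
    so "WPA1 WPA2" is flagged even though WPA2 is on offer.
    """
    modes = set(security_field.split())
    if not modes:
        return "OPEN"                       # no encryption at all
    if "WEP" in modes:
        return "WEAK (WEP)"                 # long broken, trivially cracked
    if "WPA1" in modes:
        return "WEAK (WPA1/TKIP accepted)"  # TKIP is deprecated
    if "WPA3" in modes:
        return "OK (WPA3)"
    if "WPA2" in modes:
        return "OK (WPA2)"
    return "UNKNOWN (%s)" % security_field


def parse_nmcli(output: str) -> List[Tuple[str, str]]:
    """Turn terse nmcli lines into (ssid, verdict) pairs."""
    results = []
    for line in output.splitlines():
        if not line.strip():
            continue
        # SSIDs may contain ':' (nmcli escapes them as '\:'); the SECURITY
        # field never does, so split on the last colon.
        ssid, _, security = line.rpartition(":")
        results.append((ssid.replace("\\:", ":"), classify(security)))
    return results


def weak_networks(output: str) -> List[str]:
    """SSIDs that should not carry work traffic."""
    return [ssid for ssid, verdict in parse_nmcli(output)
            if verdict.startswith(("OPEN", "WEAK"))]


if __name__ == "__main__":
    try:
        scan = subprocess.run(NMCLI_CMD, capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("nmcli not available; showing the constructed sample instead")
        scan = SAMPLE_OUTPUT
    for ssid, verdict in parse_nmcli(scan):
        print(f"{ssid:20} {verdict}")
```

Run it on the laptop you work from; if your own SSID comes back as OPEN or WEAK, the router needs reconfiguring or replacing before it carries work traffic.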

Ideally your work devices would sit on a separate network from personal devices, because things like TVs and internet-enabled thermostats are often poorly patched and more prone to compromise. 

Many home routers offer a guest network that gives some of this separation without a second router; otherwise you will need two routers, and configuring such a set-up securely can be complex. The simpler alternative is to use a VPN.

Set-up a VPN

A VPN is a "Virtual Private Network". This creates an encrypted tunnel between your device, be that a phone, a tablet, a computer or laptop, and the VPN endpoint, so that nothing else on your home network can intercept or read your work device’s traffic. It does not stop a compromised device on the same network from attacking the laptop directly, so keep the laptop patched and its firewall switched on. Your employer may provide a VPN to securely connect to the office network. But for smaller businesses and individuals, setting up a VPN can seem complex or difficult.

To simplify this, Servertastic has partnered with NordVPN. With the installation of a simple program on your phone, tablet and/or computer you can enable a VPN connection with a simple click. There is a small cost which we have currently discounted by 70%. If you pay for three years in advance it works out at less than £3.00 per month for one person and you can add it to up to six devices. Click here for more information. You can also contact us if you have a VPN query.

Tidy desk policy

I am going to confess my desk is often not the tidiest. However, working from home significantly increases the risk of leaving confidential or sensitive materials on your desk. 

We all still have to comply with GDPR. Handwritten notes may contain personal information of customers or suppliers. Letters you open and leave on your desk could be used to build a profile of you and create an opportunity to steal your data. Information could easily be misplaced or accidentally lost. Consider having a lockable drawer or filing cabinet to keep paper records secure, and shred paperwork as soon as it is no longer needed.

Consider using apps like ScanBot, HubDoc and ReceiptBank to quickly scan paperwork and then immediately dispose of it.

Window spying

If you’re working from home you may want to position yourself somewhere with a nice view. Or you might simply just cram yourself into a corner where you can fit. Make sure it is not possible to see your device screen from outside or from perhaps a neighbour’s upstairs window. You might think the chances of your neighbours spying on you are remote, but it’s better to remove the risk than suffer as a result of it later.

Keep work and personal devices separate 

Keep your work device – tablet , laptop or computer – as solely your work device. Do not share it with other family members. It may be tempting to let one of the younger ones play online games, but they can easily introduce vulnerabilities without realising. You don’t want to admit to your boss that you can no longer work from home because your laptop got a virus from Roblox. Or worse, have your IT team point that out once they’ve fixed it.

Enable your auto lock screen

Make sure you set your screen to auto-lock. This should be as short as you find you can practically manage but never any longer than five minutes. This means if you accidentally wander away from your desk and leave your laptop open it will lock the screen after a period of inactivity. Get into the habit of manually locking your screen when you walk away too. This is just as pertinent in the office as at home. The auto-lock is just a back-up for this habit.

Communicate securely

To save ending up with a bulging inbox you are likely to want to chat with other members of the team or customers/suppliers via messaging platforms. Pick one whose protection matches what you send over it. Signal and WhatsApp encrypt messages end-to-end by default, so the provider cannot read them; Telegram only does so in its optional Secret Chats; Slack and Microsoft Teams encrypt messages in transit and at rest but the provider holds the keys, which is usually acceptable for a work platform your organisation administers.

Facebook Messenger is not end-to-end encrypted by default (only in its optional secret conversations), so Facebook can read your messages and a compromised account exposes the whole history.

Better still, use the phone or video call. You can do this through Zoom, Skype, Teams or WhatsApp. It’s a bit of social contact as well as a way to get work done. We all still need to stay in touch, but ensuring our communications are secure is still important.

If you have any queries about working from home securely, speak to us today and find out how we can help.

Filed Under: Cyber Security Tagged With: cyber security, home working, vpn, wifi

Preventing Ransomware

19th July 2019

preventing ransomware

Image by Tumisu from Pixabay 

Ransomware is a growing concern for many businesses. According to Europol research, ransomware was the biggest cyber threat in 2018. In 2017 the now infamous WannaCry and NotPetya attacks affected around 300,000 victims worldwide.

Ransomware encrypts the files on your system, and often on any network shares it can reach, and holds them to ransom. The attackers demand a payment, usually in a cryptocurrency such as Bitcoin, in exchange for the key to decrypt your files. Ransomware also brings the risk that the affected data is leaked online.

Why You Shouldn’t Pay Ransomware Demands

If you become victim of ransomware and are desperate to get your data back, it can be tempting just to give into their demands. However, this is usually a bad idea.

There’s no guarantee that you’ll get your files back. The attackers are under no obligation to uphold their end of the bargain. Even if the attacker does give you the decryption key, they're not likely to care or offer help solving the problem.

You may be targeted for future attacks. If the attacker believes your business will easily give into their demands, then they may attempt to double dip. You may become the target of other types of attack, or other cyber crime groups may target your business.

Decryptors that can reverse some strains of ransomware are available for free, for example through the No More Ransom project backed by Europol, so check for one before you even consider paying.

As with all cyber security matters, prevention is better than remediation. Fortunately, there are many tools and techniques you can access to protect your business.

Backups

The most important step you can take to protect your business from ransomware is to put in place a plan for backing up your data. Backing up data protects your business from data loss, and prevents such incidents from leaving you unable to operate. You can use the backups to perform a wipe and restore of your system, removing the ransomware without paying. Test a restore periodically; a backup you have never restored from is not yet a backup.

Online backups are the easiest and most accessible option for most businesses. These can back up your data automatically on a regular schedule, and they make restoring data faster and easier than other methods.

Fully featured backup services, such as CodeGuard, also allow you manage your backups and track changes made. With this you can ensure that no one is tampering with your backups.

Physical backups, using portable hard drives or USB sticks, are also effective, but they need to be updated manually and must be disconnected once the backup is complete: ransomware encrypts any drive it can reach, so a backup drive that is permanently plugged in will be encrypted along with everything else.

Keeping backups in multiple formats is the ideal, with both cloud and physical storage.

Phishing Detection

Phishing, usually executed through emails, is the most common vector for malware attacks, including ransomware. There are common signs that give away a fake email, including poor spelling and grammar, and suspiciously long links hidden behind innocuous anchor text. Hover over a link before clicking it, and check that the address it really points to matches the one it appears to show.
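The "long link hidden behind anchor text" tell can be checked mechanically. As an added example (not from the original post), the Python script below parses the anchors in an HTML email body and flags links whose visible text names one domain while the href points at another, links that are unusually long, and links to raw IP addresses. The sample message is constructed for this example, the 100-character length threshold is an assumption, and the "last two labels" domain comparison is a deliberate simplification noted in the code.

```python
"""Flag suspicious links in an HTML e-mail body.

Added example, not from the original post. It checks for the tells the post
lists: anchor text naming one domain while the href points somewhere else,
unusually long URLs, and links to raw IP addresses. SAMPLE_EMAIL is a
constructed message, not a real phishing sample.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

MAX_URL_LEN = 100   # assumed threshold; tune for your own mail
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: one look-alike link with a long tracking id, one
# genuine link, and one link to a bare IP address.
SAMPLE_EMAIL = (
    "<p>Dear customer, you are due a tax refund. Claim it at "
    '<a href="http://hmrc-refund.gov.uk.example-login.com/claim?id='
    + "8" * 80 + '">www.gov.uk/hmrc</a> or read the '
    '<a href="https://www.gov.uk/coronavirus">official guidance</a>.</p>'
    '<p><a href="http://203.0.113.5/update">Update your details</a></p>'
)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a hostname, a crude stand-in for the registrable
    domain. Good enough for this demo; a real filter would use the Public
    Suffix List so that e.g. 'example.co.uk' is compared correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_links(html: str) -> List[Dict]:
    """Return one finding per link that trips at least one check."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        if parsed.scheme not in ("http", "https"):
            reasons.append("unexpected scheme: %r" % parsed.scheme)
        if len(href) > MAX_URL_LEN:
            reasons.append("unusually long URL (%d chars)" % len(href))
        if IPV4_RE.match(host):
            reasons.append("link goes to a raw IP address")
        shown = HOST_RE.search(text)        # domain the reader is shown
        if shown and host and registrable(shown.group(1)) != registrable(host):
            reasons.append("text shows %s but link goes to %s"
                           % (shown.group(1), host))
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(finding["text"], "->", finding["href"][:60])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The domain mismatch check is the one that catches the classic "www.gov.uk" text pointing at an attacker-controlled host; the length and raw-IP checks are weaker signals on their own and are best treated as reasons to look harder rather than verdicts.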

Educating your employees on how to spot fraudulent emails can cut the risk of cyber attacks significantly.

Our CybSafe and Cyber Essentials packages can give your business the tools needed to stay informed.

Patch and Update

Outdated technology and legacy software are vulnerable to exploitation from ransomware and other cyber attacks. Make sure that you use technology that is supported by its creator and regularly updated.

It can be difficult to keep track of what needs updating, especially if you’re using software with many plugins or extras.

Our Vulnerability Scans, for example, can look over your CMS and inform you if any plugins are out of date or susceptible to attack.

If you are vigilant and take the proper measures, you can prevent ransomware from infecting your system, or at least mitigate the worst damage.

Filed Under: Cyber Crime, Cyber Security Tagged With: cyber security, ransomware

How Servertastic Can Help You Maintain GDPR Compliance

31st May 2019

GDPR compliance checklist

Failing to maintain GDPR compliance can land your business with severe penalties. But security breaches can happen to even the most cautious businesses. Nowadays it seems only a matter of time. Is punishment therefore inevitable?

Fortunately, your business can stay on the right side of the law even if you suffer an attack.

GDPR legally requires that you implement security measures that are appropriate to the risks presented by the data you're processing. This means you can avoid fines so long as you put measures in place and can demonstrate that you've made them. Besides complying with the law, these steps can build trust with your customers.

At Servertastic, we offer many services that help you maintain GDPR compliance.

HTTPS Encryption

The simplest step to improving your business’s security is enabling encryption. This means running your website over HTTPS instead of HTTP. This requires a valid SSL/TLS certificate.

When data is transmitted over plain HTTP it travels as clear text, so anyone able to intercept the connection, on the same Wi-Fi network or anywhere along the route, can read or alter it. HTTPS encrypts the data in transit and authenticates the server, so an eavesdropper cannot read it and an impostor cannot pose as your site.

HTTPS is considered standard, and browsers like Google Chrome warn users against using sites without it. This should be seen as a minimum measure.

You can find out more about SSL certificates and view a range of options.

Cyber Essentials

Putting in place basic technical controls, such as those established by Cyber Essentials, demonstrates your commitment to cyber security. It also educates your employees on how to identify cyber threats and protect themselves.

These controls include securing your internet connection and devices, controlling access to your data, and keeping software up to date. The NCSC estimates that these basic controls would stop around 80% of common cyber attacks.

Our Cyber Essentials package gives you the advice to guarantee that your business becomes certified.

You can find out more about Cyber Essentials here. Our Cyber Essentials package also provides other security benefits alongside certification.

Regular Assessments

Cyber threats are constantly evolving and changing tactics. Protections added today can become outdated quickly. This means you can't just forget about security.

Regular vulnerability assessments can inform you when you are susceptible to new threats. They tell you when software needs updating, and discover loopholes in your system that could be exploited.

Regular testing shows that you take security and GDPR compliance seriously. It also keeps your business alert to the changing landscape of cyber security. However, these tests are only valuable if you act on them and make the necessary changes.

Our Cyber Security package makes the task of assessing vulnerabilities easier. We perform scans each month and compile digestible reports, helping you understand where security improvements can be made.

You can find more details on our Cyber Security package here.

Making your business GDPR compliant is not optional. But our services can reduce the headache of playing catch up and keep your business on track.

Filed Under: Cyber Security Tagged With: cyber essentials, cyber security, GDPR, https

Preventing BEC Attacks

22nd February 2019

[Image: BEC attacks. Photo by rawpixel on Unsplash]

Business Email Compromise (BEC) attacks have increased by almost 500% over the previous year. They are the most common cyber threat to businesses today, and can result in losses to finances and reputation.

BEC attacks are social engineering attacks made against employees of a business. The criminal attempts to impersonate a contact of the employee, whether that is a senior figure in the business or an external supplier. Unlike regular phishing, where a criminal may send out many emails, BEC attacks tend to focus on one employee, who is groomed into trusting the attacker.

Once the victim has been deceived, the attacker will request a transaction. The victim will believe it to be legitimate, but in fact the criminal is siphoning the money for themselves. In the worst cases the criminal might pull off multiple cons.

BEC attacks are also vectors for malware and ransomware attacks. These can be very damaging to a business.

How Can I Protect My Business From BEC Attacks?

The key to keeping your business secure is to educate your employees on the risks and how to keep safe. Employees should be taught how to spot and evade fraudulent emails. Up-to-date technology and procedures can also reduce the risk of BEC attacks.

Avoiding Opening Emails From Unknown Parties

The safest way to avoid risk is to not open the email in the first place. Employees should check the address of the sender carefully for any differences that might be a sign of a spoofed address. This could include an "l" replaced with a "1", or a subtle misspelling that could easily be overlooked.
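One way a mail gateway or a security-awareness exercise can check a From: address for the look-alike tricks described above, as an added example that is not Servertastic's code (the trusted domains and sample addresses are constructed):

```python
"""Added example (not Servertastic's code): flagging look-alike sender domains of the
kind described above, such as "l" swapped for "1" or "rn" for "m". A mail gateway could
run this over the From: address before the message reaches an employee.
Trusted domains and sample addresses are constructed."""

TRUSTED_DOMAINS = {"example.com", "supplier.example"}  # constructed company domains

# Single characters that read as letters (1 for l, 0 for o, ...), applied to both sides.
CONFUSABLES = str.maketrans({"1": "l", "|": "l", "0": "o", "5": "s", "3": "e", "8": "b"})


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so 'examp1e.com' and 'example.com' compare equal."""
    d = domain.lower()
    for pair, single in (("rn", "m"), ("vv", "w")):  # two letters that read as one
        d = d.replace(pair, single)
    return d.translate(CONFUSABLES).replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches a dropped or swapped letter such as 'exampl.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@domain>' or a bare 'user@domain'."""
    return address.rsplit("@", 1)[-1].strip("> ").lower()


def classify(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' (looks like a trusted domain) or 'external'."""
    dom = sender_domain(address)
    if dom in trusted:
        return "trusted"
    sk = skeleton(dom)
    for t in trusted:
        if sk == skeleton(t) or edit_distance(dom, t) <= max_distance:
            return "lookalike"  # worth a warning banner or a block, depending on policy
    return "external"
```

A "lookalike" result is the case an employee is most likely to miss by eye, so it is the one worth surfacing with a visible warning rather than silently delivering.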

Check Links

Links in emails can be disguised using anchor text. You can reveal the true destination by hovering over the link. A box next to the cursor or in the bottom corner of the browser will display the real address the link leads to. Investigate these carefully. Fraudulent links may try to mimic a real address.

Avoid Attachments

Attachments are one of the most common methods criminals use to distribute malware. Unknown attachments must never be opened. Even attachments you are expecting should be scanned by up-to-date anti-malware software before being accepted.

Use a Company Domain

Using free web-based email accounts for your business makes it easier for criminals to spoof your addresses. You should create a company domain and use it for your email accounts instead. Criminals may still try to mimic the address, but diligent employees will be able to spot the inconsistencies.

As well as protecting your business, customers are more likely to trust an email if it comes from a branded email address.

Verify Money Transfers

Creating a procedure for money and data transfers can prevent careless losses. Any transfer should be verified with another member of staff, either face to face or by telephone, using previously established numbers. You should not rely on any contact methods suggested by the email, especially if they differ from the norm.

Consider What Information You Are Putting Online

Cyber criminals can use the information you put online to enhance their facades. They use this data to build profiles of employees in preparation for grooming them as part of their phishing attempts. This can include names, addresses, job titles and descriptions.

Posting details about holidays can clue criminals to when key figures will be out of the office. This can present them with the best opportunities to attack. Keep the holiday photos for when you return.

Keeping social media accounts private can prevent criminals from trawling them for data.

Keep Anti-Malware Updated

Using the latest anti-virus and anti-malware technology can catch harmful payloads often distributed by email. Malware is constantly evolving, so it is vital to update your software regularly to keep up.

Email Authentication

Using email authentication, such as SPF, DKIM, and DMARC, can protect you from email spoofing.

Email authentication gives the sender a way of proving that an email comes from who it claims to be from. Without it, a criminal can more easily pretend to be someone from the company when sending out their fake emails.

Emails that fail the authentication process should end up in the spam folder or be rejected outright. With DMARC you can even receive reports whenever there has been an attempt to abuse your domain.

Not only does email authentication protect your employees, but it prevents criminals from scamming your customers, as messages that fail validation will be sent to the spam folder or rejected.
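How a receiving mail server turns SPF and DKIM results plus the domain owner's published DMARC record into the "spam folder or rejected" outcome described above, as an added example that is not Servertastic's code (the DNS records and domains are constructed):

```python
"""Added example (not Servertastic's code): how a receiving server applies DMARC.
A message passes when SPF or DKIM passes AND that domain aligns with the From: domain;
otherwise the owner's policy (p=none / quarantine / reject) decides and rua= gets a report."""
from dataclasses import dataclass

# Constructed sample DNS TXT records (normally published at _dmarc.<domain>), not real data.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r",
    "weak.example": "v=DMARC1; p=none; rua=mailto:reports@weak.example",  # monitor only
}


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a tag dictionary with RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment unless the owner asks for strict
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels (no public-suffix lookup)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode accepts the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResult:
    spf_pass: bool
    spf_domain: str   # domain SPF was evaluated for (the envelope MAIL FROM)
    dkim_pass: bool
    dkim_domain: str  # d= tag of the DKIM signature that verified


def dmarc_disposition(from_domain: str, result: AuthResult, records=DMARC_RECORDS) -> str:
    """Return 'pass', or the policy to apply: 'none', 'quarantine', 'reject', or 'no-policy'."""
    record = records.get(from_domain.lower()) or records.get(org_domain(from_domain))
    if record is None:
        return "no-policy"  # receiver falls back to ordinary spam filtering
    policy = parse_dmarc(record)
    spf_ok = result.spf_pass and aligned(result.spf_domain, from_domain, policy["aspf"])
    dkim_ok = result.dkim_pass and aligned(result.dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"]  # none: deliver but report; quarantine: spam folder; reject: refuse
```

The "weak.example" record shows the monitoring stage: with p=none a forged message is still delivered, so publishing a policy of quarantine or reject is what actually protects your customers.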

Keeping your emails secure takes time and effort, but is a necessary step in ensuring the safety of your business and its customers.

Recommended Services

Take a look at our DMARC management service and let us provide you with insight into the security of your email domain.

Increase the cyber resilience of your staff with our Cyber Security Training platform.

Filed Under: Cyber Crime, Cyber Security Tagged With: BEC, businesses, cyber security, email, Phishing

Guide to Safe Online Shopping for Christmas

21st November 2018

As the holiday season fast approaches you will be in a race to do all your shopping in time. Online shopping makes the hassle of getting prepared for Christmas easier than ever before. No more sifting through shelves or waiting in queues. Now you can shop in the comfort of your own home. However, this comes with risk because of the rising trend of cyber crime. Over recent years there has been a 45% increase in reported shopping fraud (1).

The huge number of shoppers, combined with the Black Friday and Cyber Monday rushes, provides cyber criminals with the perfect chance to run a scam against a wide range of people. They can harvest large amounts of personal information or credit card details from unsuspecting victims.

Fortunately, there are ways to keep yourself safe online and prevent any nasty surprises this Christmas. Here you can find the advice you need to keep your money and personal details safe when shopping online.

Shopping Safely

While you will be looking to find the best deals, you should be wary of crooks trying to lure you in. In 2016 there was an estimated £10 billion loss to individuals as a result of cyber fraud (2), and it is estimated that £16 million was lost due to shopping fraud at Christmas (3).

The most common items used in online fraud at Christmas include popular brands of clothing and makeup, as well as gadgets like iPhones and watches. The newer and more desirable an item is, the easier it is for criminals to entice their victims with the promise of a huge discount.

When shopping online you can protect yourself from potential cons by keeping the following advice in mind:

Only purchase from websites with HTTPS in the address. Websites using plain HTTP cannot protect your personal or bank details. HTTPS encrypts your details when you send them through the website, meaning eavesdroppers will not be able to read them. Most browsers, including Chrome and Firefox, will alert you with a warning in the URL bar if a website is not secured. A closed padlock symbol in the URL bar signifies the website is using HTTPS. Check before making a purchase.

[Image: Google Chrome's "Not secure" warning in the URL bar.]

Make sure your computer has trusted antivirus software which is constantly updated. These tools can warn you if a website contains security threats. Over 360,000 new malware threats are detected each day (4), so keeping your antivirus updated is vital to staying on top.

If a deal looks too good to be true, it probably is. It is easy for criminals to create authentic-looking product images and web pages to make their offers seem legitimate. Apply some scepticism when faced with a dream offer. If a website is giving a bigger discount than every other outlet, especially on the latest products, then consider that all may not be as it seems.

Buy from trusted retailers as much as possible. If you come across an unfamiliar site, then you should always do research before making any purchases. If you cannot find any information on the seller, then avoid them. When purchasing tickets, always buy them from official sources and not resellers.

Online auctions can net you some bargains, but you should exercise caution. Goods can arrive late or not at all, or the seller might not be truthful about the product they are offering.

Before placing a bid, you should inspect the item and its description carefully. You should also look up the seller’s history and the reviews of previous buyers. If the seller has little history or if people are leaving complaints, then it is best to avoid them.

One way of protecting yourself is to use secure payment methods, such as PayPal. Avoid paying by money transfer, as these are not secure. Do not send any confidential or financial information to a seller by email.

Avoid Phishing Scams

Phishing scams are ever present online, but extra care should be taken when Christmas shopping, because it is easy for scams to get mixed in with real messages. For example, you may receive emails claiming to be from Amazon, saying that you need to log into your account for whatever reason, with a link included in the email. If you have been making many purchases, then you can expect confirmation and shipping messages. It is easy for phishing emails to hide among the real messages, and you might be more susceptible to trusting them.

Phishing scams prey on your fears so that you act without thinking. At Christmas time this might include an important gift getting lost in delivery, or a claim that your account has been compromised.

Phishing scams can be avoided by applying some common sense rules when dealing with emails:

Avoid visiting websites via emailed links, as these can lead to spoofed web pages designed to steal your login details. Instead, visit the actual website from your URL bar or bookmarks to ensure you land on the real site. If you are seriously curious about the message, you can check the links by hovering over them without clicking. A box will appear next to your cursor or in the corner of the browser displaying the true URL. Do not trust what the link says in the email, as this can be faked. For example, an email may claim to link to amazon.com, but hovering over it reveals a seemingly unrelated, misspelt, or nonsensical URL.

Check the spelling and grammar of the emails. Any mistakes are a certain sign of fraud. Also beware of vague language. For example, if a message addresses you impersonally, then it is likely a spam email sent out to millions.

Do not interact with any attachments included within the email. These can contain malware that can infect your computer. Simply opening the attachment can be enough to become infected.

Some online retailers, such as Amazon, offer package tracking which you can use to view the progress of a delivery. Use these rather than trusting an email warning.

Another common form of phishing is through SMS messages, known as smishing. These messages will ask you to visit a link or call back on a premium-rate number. The same kind of precautions can protect you. Do not call the numbers or follow the links. If you think the message could be real, then visit the website directly and check. Do not trust unsolicited messages in general, even if they appear to come from an official source at first glance.

Browser Plugins and Phone Apps

Browser plugins can be used to find discounts on products online. These plugins inform you of better prices elsewhere whenever you are looking at a product. However, these plugins can also contain unexpected features, such as tracking your movements online.

When looking for plugins, only install them from the official web store of whatever device or browser you are using. Do not download from third-party sites. Never follow a pop-up advertising a plugin, even if it looks like an official plugin. If a website is trying to force you into downloading a plugin, then leave immediately.

Plugins and extensions will often ask you to grant them permissions. It is a good idea to check what these permissions are before installing to make sure they are in line with the services the extension claims to offer. If you see anything unusual or unnecessary, then consider avoiding the extension.

By keeping these precautions in mind, you can avoid getting scammed this Christmas and help ensure everything runs smoothly during the festive season.

Refs

1. https://www.moneywise.co.uk/news/2017-12-05/scam-watch-christmas-shopping-fraud-rises-quarter
2. https://www.nao.org.uk/wp-content/uploads/2017/06/Online-Fraud.pdf
3. https://www.bbc.co.uk/news/uk-42085557
4. https://www.infosecurity-magazine.com/news/360k-new-malware-samples-every-day/

Filed Under: Cyber Crime, Cyber Security Tagged With: Christmas, cyber security, Phishing

Comodo CA Rebrands as Sectigo

1st November 2018

From the first of November Comodo CA will officially be rebranding as Sectigo. The goal of these changes is to emphasise their expansion beyond simply offering SSL certificates into full-blown web security services. They are also intended to distinguish them from Comodo cyber security and reduce market confusion. These changes come with a brand new website and imagery.

Many of their products will also be changing their names in line with this rebranding. For example, ComodoSSL will become SectigoSSL. There will also be a new trust seal featuring the Sectigo logo.

[Image: Sectigo trust seal]

The good news for customers is that nothing about their service will change for the worse. Any certificates bought under Comodo CA will still be valid and will not require any changes. Their prices will not be affected by the rebranding, and you will still receive the same level of support as you were before. Here at Servertastic, the cost of Sectigo certificates will not be changing from the Comodo CA versions.

All account manager phone numbers will remain the same, though customers should be on the lookout for notifications of their new email addresses.

With this rebranding, Sectigo are looking to build upon their past successes and grow their company even further.

[Image: New logos for PositiveSSL and EnterpriseSSL]

You can find out more information on the Sectigo rebranding on their new website.

You can find our range of Sectigo SSL certificates in our new Sectigo section.

Filed Under: Cyber Security, Servertastic Announcements, SSL Certificates Tagged With: comodo, cyber security, sectigo, ssl certificate
