Ransomware is becoming big business during the pandemic

New variations on the ransomware extortion technique have been emerging, targeting both large businesses and SMEs.
The latest is Egregor Ransomware.

It is a variant of Ransom.Sekhmet, and not only does it demand a payment to unlock the systems it has attacked, but it then fails to decrypt them, instead providing recommendations for securing the network that has been attacked.

It is thought to gain access via a remote Trojan and then search for system weaknesses.
Businesses need to protect themselves by:

1. Patching and updating their systems’ software and checking for and addressing any potential vulnerabilities.
2. Carrying out regular security audits of current IT infrastructure and security products.
3. Ensuring they have a comprehensive data backup plan, including secure offsite backup.
4. Using a third party mail security filter that can detect, block, and analyse malicious emails.
5. Ensuring multifactor authentication is enabled for all users to stop an intruder (even one with a correct password).
6. Ensuring all employees are trained in cybersecurity best practices, especially regarding common access techniques such as email and compromised websites.

GDPR and remote working

Many businesses have been operating during the Coronavirus lockdown by asking their employees to work remotely from home.

It may be that, if this has been successful and there is no need for them to be present in their former offices every day, this way of working will become the new norm.

However, there are implications under the GDPR (General Data Protection Regulation), which requires databases containing clients’ and customers’ personal details to be kept secure.

Remote workers are advised to:

  1. Ensure that security software installed at a device level is up to date. This includes not only company databases but also encryption, firewalls and web filtering.
  2. Install the latest anti-virus and anti-malware software.
  3. Keep mobiles and laptops safe, preferably locked away when not in use and never left in a vehicle that is unattended.
  4. Ensure that family members, especially children, do not use work-supplied devices.
  5. Install password protection, if it has not already been done.
  6. Ensure removable devices such as USBs are malware free and kept securely locked away when not in use.
  7. Lock away any personal data in a storage unit when not in use.
  8. Wherever possible avoid downloading sensitive data to a laptop, instead access it only via the company’s intranet when needed.

Call to report scam emails

According to the Government’s GCHQ Cyber Crime security centre, there has been a significant rise in phishing scams since the onset of the pandemic lockdown and it is asking members of the public to report them here:

As more and more people are using tech alternatives to keep in touch with family and to work remotely, the organisation has removed more than 2000 such online scams in the last month.

They include:

  • 471 fake online shops selling fraudulent coronavirus-related items
  • 555 malware distribution sites set up to cause significant damage to visitors
  • 200 phishing sites seeking personal information such as passwords and credit card details
  • 832 advance-fee frauds where a large sum of money is promised in return for a set-up payment

They also report a number of fake job solicitations and warn that users of videoconferencing software such as Zoom should beware of attacks by pranksters muscling in on conversations.

Zoom has introduced new measures, including meeting URLs, passwords and waiting rooms, to help combat this.



Tips for productive video conferencing

As more and more people are working from home because of the Covid-19 pandemic, there will still be times when a company boss or manager needs to be in touch with their team.

Similarly, it can be important for keeping in touch with customers and clients.

However, such meetings can descend into chaos without some “rules of engagement”.

Firstly, preparation is essential. It can be helpful before the proposed meeting to email a clear agenda of the points to be discussed with some notes as to the main issues and to set a date for the conference that gives people time to prepare.

You should also tell people in advance which video conferencing platform will be used. This is usually Skype or Zoom, both of which are free to use (although there is a 40-minute time limit on the Zoom free option), but there are plenty of others.

Secondly, if several people are involved, there should be a chairman to co-ordinate the discussion and to ensure everyone gets their turn to speak. It is much more difficult to pick up visual and social cues in a video conference.

The chairman should ensure that everything is set up correctly, such as headphones and microphone, and participants should message the chairman if they are having any technical issues.

Participants should focus on the call and do their best to eliminate distractions and background noise. Muting the line when you’re not speaking can be critical on video calls, particularly as most tools for group video conferencing prioritise the visual feed of the person speaking.

Video conferencing is a very useful alternative to having to physically travel to attend meetings and as such is more environmentally friendly as well as helping to keep business overheads under control, but it does require people to observe courtesy and disciplined behaviour to work at its best.


End of Support for Windows 7

End of Support for Windows 7 – what to do

In an ideal world when Microsoft ends its support for a piece of software, users should upgrade to a new version.

But for SMEs this can be a headache, especially if their current PC or laptop does not have the capacity to cope smoothly with Windows 10, which is much more space hungry than Windows 7.

Plus, if you buy a new machine there is the problem of transferring crucial documents and other data, especially if it is material that is being used all the time.

Obviously, it is important to have back-ups of data, preferably in more than one location such as in cloud storage and on an external hard drive.

It may be possible to increase the capacity of existing machines by having a SSD (Solid State Drive) installed to replace the current Hard Drive.

But if cash flow or time issues mean you can neither spare the machine nor replace it, there are some ways to stay at least reasonably safe in the short term. Windows 7 will still run.

However, without the regular Windows 7 security updates, cyber experts advise your machine will be more vulnerable to hackers.

They advise that you do not use internet banking or send emails on Windows 7 machines and try to use other, more secure devices.

Businesses with large numbers of computers can, however, buy Windows 7 Extended Security Updates (ESU), which will be available for Windows 7 Professional or Windows 7 Enterprise at £19 per device for the first year, doubling each year thereafter until the end date of 2023.

The ESU is not available to smaller businesses with only a few devices, however, so while you may be able to take the risk of continuing to use existing Windows 7 devices for a while, ultimately upgrading is the only solution.


Are you considering using facial recognition technology in your business?

If the security of your site is an issue you may be considering installing facial recognition technology.

However, there are some issues to be considered before you go ahead.

The technology is relatively new and there have been questions about its use and its accuracy both in the UK and in the USA.

In the UK the Metropolitan Police invited the University of Essex to study the force’s trials of its facial recognition software and researchers concluded that only in 19% of the 42 cases studied could they be sure the force had identified the right person.

Then there are the privacy issues.

The ICO (Information Commissioner’s Office) announced this month that it would be studying the use of the technology following an outcry over its widespread use at King’s Cross Station in London.

It has already warned businesses that they needed to demonstrate its use was “strictly necessary and proportionate” and had a clear basis in law.

While there are those who argue that facial recognition technology is a useful law enforcement tool for helping keep public spaces safe from criminals and terrorists, others argue that its use is a gross invasion of privacy.

Since the introduction of GDPR (General Data Protection Regulation), businesses and organisations have a duty of care to protect any personal data they collect from users of their services, customers and clients.

In this context it would also apply to employees. It may be useful and more efficient if employees can gain easy access to their offices and IT equipment via facial recognition technology, but you should be very careful about how much information on them you store.

Under GDPR, as face recognition technology (or FRT) collects information on a person’s facial features, it is classed as biometric data, which is labelled as “sensitive personal data”.

The regulations do include exemptions which allow the use of FRT in the following circumstances:

  • If the user has given his/her consent willingly
  • If biometric information is required for carrying out employment, social security, or social protection obligations
  • If biometric data is required to protect the vital interests of the individual and he/she is incapable of giving consent
  • If it’s required for legal issues
  • If biometric data is necessary to aid in public interest such as health

So if you are considering using FRT in your business the crucial thing to do is to make sure you have user consent, that it is a positive opt-in to allow it and that there has been no implicit or explicit coercion. You should also make clear what information will be collected and name any third parties with whom it will be shared.

Above all, you must have clear documentation of all this and it should be made clear that people can opt out whenever they wish.


How to make your business environmentally friendly

How can you make your office or business more environmentally friendly?

It is becoming ever more important that businesses are seen to be doing their bit to reduce their energy requirements and help the environment.

But it also makes sense as a means of reducing business overheads and for a business’ reputation.

Sustainable offices that meet a global set of sustainability criteria are LEED-certified (Leadership in Energy and Environmental Design).

This means they have energy-efficient walls, heat-efficient flooring and the latest in green lighting and fixtures. While the initial costs may be significant the savings in the long run will make up for it.

The benefits include lower maintenance costs and energy bills and, if you reduce your reliance on printers, a reduction in the use of paper, toner and ink. has a number of suggestions for becoming a “greener” office.

They include the reduction in printers, mentioned above, switching to paperless statements using e-signatures and ditching the fax machines.

You can also look closely at your supply chain and procurement habits.

For example, if your business sells products that require packaging you can source the least environmentally damaging goods.

If you have to use plastics or polythene you can try to keep it to a minimum and ensure that whatever you do use is biodegradable.

Can your business operate in a smaller space with your staff working remotely? This may be another way of reducing the business’ carbon footprint, not to mention the overheads.

Every business is different but all can employ some creative thinking to become greener and more environmentally sustainable.


Are you drowning in emails?

Email overload is a common problem in business with many managers calculating that they get as many as 140 a day.

Part of the problem is that in a multi-location business communications can be copied into other people that the sender feels need to know about the contents.

Then there is the inevitable “spam” from other businesses and services that feel their offerings could benefit the recipient.

Not only is an over-stuffed inbox inefficient it can also damage people’s health, according to Cary Cooper, organisational psychology professor at Manchester University.

An overloaded inbox is a problem that can quickly get out of control, but there are ways of managing your inbox better according to Prof Cooper.

He says that there is little point in “sending someone an email on a Friday night saying you don’t have to deal with this until Monday, because people will then worry about it and do it that weekend.”

Some businesses have acted to control overflowing inboxes by banning the use of internal emails, using a messaging service, such as Slack, documents software from Google, and a project management system.  It has proved to be much more efficient according to those who have tried it.

Another way of managing your inbox is to make yourself do something with every email you receive, whether deleting, answering immediately or marking as a priority for later.

It means you have to be organised and efficient but being strict with yourself and setting aside specific times in the day to deal with emails rather than checking randomly when you are busy can be much more effective.

The trick is to get rid of the notion that you must be constantly in your inbox checking, deleting and sorting.


AI will not take over the world

In a recent blog we discussed the reliability of AI and automation and the fact that these systems are devised by human beings, highly skilled human beings to be sure, but human beings make mistakes.

Wired has just published two further articles exploring the issue of AI.

In the first it explores whether it is possible to make AI technology completely unbiased and also asks how many businesses benefit as much as they could from AI technology.

It reports that the return on business investment in AI has declined by 27 per cent over the last five years.

The reason, it argues, is that “companies don’t know how to make the most of AI and data analytics, and how they can apply to business problems.”

It also suggests that businesses get things the wrong way round when considering investing in AI, so that they under-use its potential. It advises that businesses should “start by drawing up a list of business challenges and prioritise them by whether or not they can be addressed by using AI and the expected return on investment”.

The second article, by Joi Ito, director of MIT’s Media Lab, questions the assumption that AI can and will supersede humans in almost every sphere of activity.

Ito calls this assumption “singularity”, in which those people who have succeeded in mastering the power of AI capture all the wealth and power.

This, Ito argues, is “reductionist” thinking and only works for a very narrow range of learning and thinking, which can lead to over-simplified ways of “fixing” humanity’s problems.

However, Ito says, most of the challenges we face today, such as climate change, poverty, chronic disease or modern terrorism, have actually been the result of this reductionist thinking and we need to respect that many human problems are actually much more complex.

Machines, and therefore AI, need to be adaptive and to augment, not replace, humans: “not artificial intelligence but extended intelligence”.


Password security

Too many people are still not taking password security seriously enough

The UK’s National Cyber Security Centre (NCSC) has just published the results of its first survey analysing public databases of breached accounts to see which words, phrases and strings people used.

One of its most alarming findings was that millions of users were still using easily-guessed passwords.

The most frequently found was 123456 followed by 123456789 and then 1111111.

Names were another favourite with Ashley, Michael, Jessica and Daniel top of the list.

Given the steadily rising number of personal and business accounts that have been hacked and defrauded of money, it is astonishing that cyber security, and passwords in particular, is still not taken seriously enough.

Security experts say that picking a good password is the “single biggest control” people have over their online security.

Keeping your business safe from cyber attack

Clearly password security is crucial to protect a business as hackers become ever more sophisticated.

There are some basic good habits that bear repeating and that businesses can adopt:

  1. Use a combination of numbers and letters that is not easy to guess.
  2. Change passwords regularly.
  3. Restrict the information on passwords to only the key people who need access to those accounts, especially if they involve finances and payments.
  4. Ensure that all staff receive proper cyber-security training.
  5. Ensure that they report suspected breaches, that email requests for payment supposedly authorised by a named senior manager are checked, and that NO links in emails are ever opened without checking with the “supposedly” authorising person.

No business can afford the financial losses associated with cyber fraud, which has been estimated to cost each victim in the region of £1,000 per case in 2018 and resulted in the loss of an estimated 50,000 jobs.