Cyber Threat Weekly

9 Cyber Security Risks

September 22, 2020 WMRCCU Season 1 Episode 18
Cyber Threat Weekly
9 Cyber Security Risks
Show Notes Transcript

This episode talks about 9 Common Cyber Security Risks and Cyber Essentials


After listening to this podcast please visit Action Fraud, Take Five, National Cyber Security Centre and the West Midlands Cyber Protect Websites for more guidance on all things relating to online Security.


Our host today is Patrick, a Detective and Cyber Protect officer for the Regional Cyber Team part of the Regional Organised Crime Unit for the West Midlands.


Also covering the West Midlands is Sean Long – WMPDigitalPCSO, Warwickshire and West Mercia is James Squire - cyberpcso and Staffordshire Police area is Mathew Hough-Clews and can be found at sp_digitalpcso.


To contact us please email us at

Hello and welcome, my name is Patrick and I'm a detective and cyber protect officer from the West Midlands Regional Cybercrime Unit. 

Today's date is Monday the 21st of September 2020. 

Today we're not going to talk about different news items, which is going to focus on nine common cybersecurity risks for businesses, which are social engineering, third party exposure, patch management, cloud vulnerabilities ransomware, mobile security threats, bring your own device BYOD policies, Internet of Things, and outdated hardware. 

Social engineering attacks use deception to exploit social interactions to gain access to valuable data. Criminals behind these attacks, manipulate employees or associates into disclosing sensitive information or bypassing security measures. Social engineering attacks are on the rise and unfortunately, even the best cyber security systems cannot reliably stop them. The best defence is to educate your employees on the importance of following laid out protocols, and to always be on the lookout for out of the ordinary conversations. 

Third Party exposure, many retailers use third parties for services such as payment processing. Unfortunately, using a third party vendor does not absolve you from responsibility of a data breach on the vendor. Even if an attack originates from a third party, you are still liable and are legally required to notify regulators and your clients. Fines and penalties can be very steep it is worth bearing in mind that all that can be done whenever possible should be done. 

Patch management, this is how many attacks start with outdated software. If you are not up to date with software patches, your company or an individual is severely vulnerable to any number of information security breaches. Attackers are actively looking for software vulnerabilities they can exploit. This goes as I say, for both the business small or large, and the individual. When you get that alert, if you haven't set up auto update, that there is an update ready, it is my advice that this is updated immediately. In terms of businesses, I'm fully aware, appreciate and understand the concerns of immediately just updating patches. However, there are other measures in place that can do this safely whilst also reacting sooner rather than later. But to update as soon as possible is definitely the advice because a lot of these updates include security vulnerabilities. 

Cloud vulnerabilities, cloud services, are now an essential tool for businesses of all sizes. However, this reliance on cloud services exposes businesses to a wide range of cyberattacks, including denial of service attacks, and account hijacking. No technology is completely safe. and a holistic approach is important in protecting organisations, including taking up insurance as part of a cyber risk management plan. It's worth bearing in mind at this point that companies and their networks when it's often heard in the media that they have had their networks hacked and their cloud storage. This is often because of two main reasons. One, their cloud storage unfortunately has the same password as important password to gain access within the network. And unfortunately, the access to the cloud storage is left open when it should be logged out of and then only logged into to carry out an update and or backup.

Ransomware. These attacks infect your network and hold your computer systems and data hostage until a ransom is paid. On top of the ransom, the business loses productivity and its brand image is often severely damaged. Although the minimum legal standards are essential. It is worth being aware of the need to maintain a highly robust technical infrastructure, which may often exceed the minimum legal standards. Take proactive steps towards protecting your data as pertains to your operations. Legal guidelines are not tailored to specific operations and thereby are not sufficient. It is also worth bearing in mind at this point the importance of good policies when dealing with malicious emails and or spam emails. It's worth bearing in mind that around 90% of ransomware attacks start with a spear phishing email.

Mobile security threats, although mobile technology is valuable technology, it can also To expose you to potential cyber security breaches. Many organisations are now facing such breaches, with most of them coming from malicious Wi Fi and malware. It would be our advice that without exception, public Wi Fi is only used whilst the additional security precautions of a Vrtual Private Network was present. 

Bring Your Own Device BYOD policies. Cloud services have allowed businesses to cut down on capital investments and to adopt solutions like bring your own device. While this has been shown to increase convenience, flexibility, productivity and even morale, it also leaves businesses exposed to cybersecurity breaches. This is because personal devices can be easier to hack than company devices, thereby giving attackers an opening to compromise data and reach networks. It is therefore important for you to review these policies and ensure that all your employees are adequately trained to minimise this risk. 

Internet of Things also known as IoT, IoT uses the internet to connect devices from all over the world. This allows for a network of devices that can send receive and store data, which gives individuals and businesses a lot of convenience. However, hackers can exploit this internet connectivity to steal data. A good example of this can be found anybody wants to Google fish tank in Las Vegas hacked, and you will find out that a Casino in Las Vegas was targeted by cyber criminals who couldn't hack into their network. However, shortly after repeatedly failing, they managed to hack into an internet enabled fish tank that was on the same network once they'd achieved that they used it as basically a backdoor into the network. It's just a good example of how vulnerable the Internet of Things, which is a very good thing can unfortunately be used against us.

Outdated hardware, not all cybersecurity threats result from software. As hardware becomes obsolete, it cannot support newer and more secure security measures, which puts company data at risk. Therefore, it is important to monitor your devices and replace or upgrade devices that are out of date as soon as possible. 

When I consider these nine security issues, risks, threats, whatever title we want to give them. The first thing that springs to mind, and I'd like to emphasise would be a brilliant port of call if you haven't already visited would be the Cyber Essentials website. Cyber essentials offers two services, the Cyber Essentials certification or mark and the Cyber Essentials Plus, the areas that are covered in both of these are basically no different from each other. However, the first one cyber essentials is free, and it's more of a self assessment. Whereas the same areas are covered on Cyber Essentials Plus, but there's a fee involved before the fee there will be more interaction from whoever's providing the service or Cyber Essentials Plus will, to some extent be more active in terms of checking and testing Cyber Essentials talks about five key controls, which I would again strongly advise you visit and consider if you don't already. 

For additional guidance, please visit the National Cyber Security Centre (NCSC), Action Fraud and the Take Five campaign websites. Also please dont ever hesitate to contact us for education, awareness and guidance on how to protect and prepare yourself or your business online. 

Thank you