Almost nine in 10 UK businesses turning over more than £5 million annually have experienced a cyberattack, according to new research from Forbes Advisor.

The study questioned senior decision makers across a range of UK small and medium-sized enterprises (SMEs), finding that more than half (57%) had suffered an online attack.

However, firms with an annual turnover in excess of £5 million were far more likely to experience cyber-crimes against their company (88%).

These attacks have led to serious consequences in many cases, with more than a fifth of cyber security breaches leading to businesses being forced to pay a ransom (22%).

Personal details are also under threat as these attacks compromised client and staff information in 26% and 23% of cases respectively.

Top examples of misusing company IT

  1. Use the company printer for personal use
  2. Use up space on a company device to store personal files
  3. Apply for other jobs using a company device
  4. Access inappropriate websites via a work device
  5. Gaming on a company device

Source: Forbes Advisor

Of those admitting to using company devices to spend time on inappropriate sites, common destinations include the dark web and sites containing pornographic material (both 17%).

Kevin Pratt, financial expert at Forbes Advisor, says: “The nature of the modern workplace means more online devices are being used than ever. This inevitably means that there are more ways that a business could suffer a digital attack. Our research shows that cyber security issues are incredibly common in this country, particularly among firms with a turnover of £5 million or more.

“We’ve also found that a significant proportion of British businesses are without any form of protection against online assaults, and it’s important to address this shortfall by highlighting the consequences of a cyber attack, such as financial losses and breaches of sensitive information.

“Companies can take a number of measures to protect against cyber-attacks, including anti-virus software, firewalls and VPNs. Prevention really is better than cure.”

The post Nine In 10 £5m+ Businesses Hit By Cyber Attacks appeared first on IT Security Guru.

New cloud platform strengthens organizations’ cyber resilience by making real-world threat simulation easier and more accessible

San Francisco, US, 9th November 2022 – Picus Security, the pioneer of Breach and Attack Simulation (BAS), today announced the availability of its next-generation security validation technology. The new Picus Complete Security Validation Platform levels up the company’s attack simulation capabilities to remove barriers of entry for security teams. It enables any size organization to automatically validate the performance of security controls, discover high-risk attack paths to critical assets and optimize SOC effectiveness.  

“Picus helped create the attack simulation market, and now we’re taking it to the next level,” said H. Alper Memis, Picus Security CEO and Co-Founder. “By pushing the boundaries of automated security validation and making it simpler to perform, our new platform enables organizations even without large in-house security teams to identify and address security gaps continuously.” 

The all-new-and-improved Picus platform extends Picus’s capabilities beyond security control validation to provide a more holistic view of security risks inside and outside corporate networks. It consists of three individually licensable products:

  • Security Control Validation – simulates ransomware and other real-world cyber threats to help measure and optimize the effectiveness of security controls to prevent and detect attacks.
  • Attack Path Validation – assesses an organization’s security posture from an ‘assume breach’ perspective by performing lateral movement and other evasive actions to identify high-risk attack paths to critical systems and users.
  • Detection Rule Validation – analyzes the health and performance of SIEM detection rules to ensure that SOC teams are reliably alerted to threats and can eliminate false positives. 

A global cybersecurity workforce gap of 3.4 million professionals∗ means automated security validation is now essential to reduce manual workloads and help security teams respond to threats sooner. Recently, the US’s Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) published a joint advisory recommending that organizations test their defenses continually and at scale against the latest techniques used by attackers.

“Insights from point-in-time testing are quickly outdated and do not give security teams a complete view of their security posture,” said Volkan Erturk, Picus Security CTO and Co-Founder. “With the Picus platform, security teams benefit from actionable insights to optimize security effectiveness whenever new threats arise, not once a quarter. With our new capabilities, these insights are now deeper and cover even more aspects of organizations’ controls and critical infrastructure.”

On 15th November 2022, Picus Security is hosting Picus reLoaded, a free virtual event for security professionals that want to learn more about its platform and how to leverage automated security validation. Register to attend and hear from thought leaders from Gartner, Frost & Sullivan, Mastercard, and more.

H. Alper Memis has also published a blog to announce the release to Picus customers.

About Picus Security

Picus Security is the pioneer of Breach and Attack Simulation (BAS). The Picus Complete Security Validation Platform is trusted by leading organizations worldwide to continuously validate security effectiveness and deliver actionable insights to strengthen resilience 24/7.

Picus has offices in North America, Europe and APAC and is supported by a global network of channel and alliance partners.

Picus has been named a ‘Cool Vendor’ by Gartner and is cited by Frost & Sullivan as one of the most innovative players in the BAS market. 

 For more information, visit www.picussecurity.com

∗The (ISC)² Cybersecurity Workforce Study 2022

The post Picus Security brings automated security validation to businesses of all sizes appeared first on Cybersecurity Insiders.

Smartphones have now become a necessity in our day-to-day lives, and so companies like Google, Huawei, Infinix, Samsung, Motorola, Nokia, RealMe, Oppo, Tecno, Vivo, Xiaomi and OnePlus seem to flourish.

Setting aside devices used by individuals, let’s discuss those used in enterprise environments, where security and data privacy play a crucial role in how a handset is used.

To win the trust of those in business environments, Google, the technology giant that now rules the smartphone market, has come up with a certification called ‘Android Enterprise Recommended’. Any device that has gained this certification can be blindly trusted for security and privacy... hmm, at least for now!

Recently, the Android OS giant released a list of devices that are not only performance oriented but are also easy to manage, will get security updates regularly and are eligible for bulk device enrollment.

Thus, those who place immense trust in Apple’s iOS devices but are looking for an alternative to use in enterprise environments can consider the devices on the list.

If we take Samsung smartphones into account in this context, the Galaxy S, Galaxy A5x, Galaxy A3x, Note, XCover, Z Flip 3 and Z Fold 3 series are the models assured of security updates for the next 5 years and certified with enterprise-grade features such as Knox.

As expected, the Google Pixel 6 series and the newly released Pixel 7 series are also secure enough to be used in corporate environments and are certified by the company as free from snooping.

Motorola has released special enterprise-class Android devices, the Edge 30 Fusion and Edge 30 Ultra models, which are secure and are used in about 65 countries, as they are committed to 3 years of security updates and one major Android OS upgrade. These days even the Moto G and Edge Neo models are gaining popularity for their security features.

Other companies also promote some of their products as Google Certified for enterprise environments. But we will discuss them in the next article, as the current one has already become too lengthy to read.


The post Best Android Smart Phones for Business Environments appeared first on Cybersecurity Insiders.

For the record, it should be acknowledged from the start that there is no question that the cybersecurity landscape has improved over time, mostly courtesy of persistent increases in cyber spending year after year. Gartner estimates that the U.S. and the rest of the world will invest $172 billion in cybersecurity this year, up from $150 […]… Read More

The post The State of Cybersecurity has improved but is hardly flawless appeared first on The State of Security.

In the world of modern business, companies must put extra effort into creating engaging visual content to stand out from the crowd. Social media marketing, for instance, was once deemed an easy way for companies to reach additional eyes but today, marketing is a lot more competitive than simply creating a post and hoping it […]… Read More

The post Are your visuals making businesses more vulnerable to cybercrime? appeared first on The State of Security.

Today, Outpost24 released the results of its 2022 FTSE 100 Credential Theft Study, which quantifies the breached credentials of the UK’s most profitable companies found online: up to 31,135 exposed user credentials belonging to FTSE 100 companies were found on the open, deep and dark web.

In fact, 75% of these credentials were stolen through data breaches and 25% were unknowingly obtained via malware infection/stealer.

Of this number, over 60% of the stolen user logins and passwords came from three of the highest regulated industries – IT/Telecom (23%), Energy and Utility (22%) and Finance (21%) amongst the world’s biggest companies.

Corporate credential theft is usually a targeted effort and makes FTSE 100 companies especially vulnerable because many see them as “big game hunting”. “Once an unauthorised third party or initial access broker gets hold of user logins and passwords, they can sell the credentials on the dark web to an aspiring hacker, or use them to compromise an organization’s network by bypassing security measures and moving laterally within to steal critical data and cause disruption,” said Victor Acin, Labs Manager at Blueliv, an Outpost24 company.

“Stolen credentials are dangerous because there is very little that can be done to identify and detect once an intruder is inside your system. Therefore, it’s important to proactively monitor stolen credentials and alert security to reset passwords upon discovery to reduce risk.”

The Financial Times Stock Exchange (FTSE) 100 Index is made up of the 100 biggest companies by market capitalisation on the London Stock Exchange. These companies represent some of the most influential and profitable enterprises on the market across various industry verticals. Within the FTSE 100 list, Outpost24 isolated the companies into eight key industries: Finance, IT/Telecom, Energy and Utilities, Healthcare, Transport, Retail, Construction, and Hospitality.

Ransomware groups from Conti to REvil are known to use stolen credentials to gain initial access, and the Colonial Pipeline takedown was a prime example of the danger of even a single compromised password. Compromised credentials offer threat actors the fastest path into a company’s network and are a common issue that can go undetected if left unmonitored.

Further highlights of the study:

  • The majority (81%) of the companies within the FTSE 100 had at least one credential compromised and exposed on the dark web
  • Nearly half (42%) of FTSE 100 companies have more than 500 unique compromised user logins exposed on the dark web, putting them at risk of credential-based attacks
  • Up to 20% of the stolen credentials for FTSE 100 companies were stolen via malware infection and stealers
  • 11% of the breached credentials were disclosed in the last three months (21% in the last 6 months, and over 68% have been exposed for over 12 months)
  • Industry breakdown
    • IT/Telecom is the most at risk. The sector has the highest total (7,303) and the highest average number of stolen credentials per company (730). It is also the most affected by malware infection
    • Healthcare has the highest average number of credentials per company stolen through data breaches (485), as the sector has found itself increasingly in the cybercriminals’ crosshairs since the pandemic.


The full Outpost24 2022 FTSE 100 Stolen and Leaked Credentials report can be accessed here.

The post Research finds over 31,000 stolen credentials from the FTSE 100 on the Dark Web appeared first on IT Security Guru.

Compliance is a key part of any organisation and in business terms, it is about ensuring companies of all sizes and their employees comply with existing national and international laws. In the UK the Companies Act 2006 is the main legislation that forms the primary source of company law and businesses of all sizes must ensure […]… Read More

The post Building a Strong Business Case for Security and Compliance appeared first on The State of Security.


Cyber attackers, fraudsters and hackers target small, midsized and large online ecommerce enterprises alike.

In fact, the rate of fraud against small businesses is 28%, compared with 22-26% for larger organizations.

This paints a grim picture for ecommerce businesses, one filled with data breaches and irate customers. If you don’t secure your clients’ data, you can end up losing their trust and income, and may see your brand tarnished.

When it comes to protecting your company against fraud, there is no shortage of activities to watch out for.

The multitude of cyber threats, along with the massive cost of addressing cyber-crime, should be enough to make you take the problem seriously.

To avoid being attacked, ensure that your workers are well informed and trained on the most frequent kinds of attacks that could harm your company’s reputation.

With this insight, your staff can take additional actions to guarantee that your clients’ personal information is protected to the best of their ability.

5 powerful approaches to protect your ecom business from online fraud

According to research, fraud and cyber attacks are among the top three threats weighing on the US business environment, with a weighting of 65%.

As per our research, here are five tried-and-tested techniques to protect your ecommerce business from dangerous online fraud.

  1. Share your online store’s policies and run a test payment

To guarantee that your business and your buyers are in agreement right from the beginning, clearly publish your shipping terms, return policy, and terms and conditions of service on your site before you begin accepting orders and sales.

A return policy can help manage client expectations by answering these questions:

  • What is the time limit for a customer to return items?

  • What is the process for returning or exchanging items? How do clients get in touch with your team, and how long does it take?

  • Who pays for returning items to you?

  • Are any items, such as discounted products or products that have been damaged or used, not returnable?

  • Is it possible to get a full refund, a replacement, or store credit?

Also, make a trial payment to see what data you have access to. Before shipping items, evaluate the buyer’s details to ensure that the transaction is genuine.

Knowing in advance where to look for declined ecommerce payments and client data will help you speed up the review procedure.

  2. Create strong passwords

Although it is your firm’s obligation to keep user data secure on the back end, there are several ways you can assist customers, such as mandating a minimum number of special characters, symbols or numerals.

The use of complex passwords can impede or even defeat various attack tactics. Short and simple passwords, for instance, are fairly easy for hackers to ascertain, which might lead to your business becoming a target of fraud.

Such attacks often extend into business, industrial, environmental or economic domains that fall outside the usual scope of fraud. The following are some of the most common techniques fraudsters use to discover a victim’s passwords:

  • Guessing – an intruder attempts to log into a customer’s account by repeatedly predicting likely words or phrases.

  • Online attacks – automated programs that try to log into the system over and over again, using a different term from a word list each time.

Internet scammers are cunning criminals. They use their considerable computer skills to take full advantage of people who may not know how to safeguard themselves. As already explained, user passwords are one of their preferred sources of data.

Fraudsters have tools that can break a 6-digit passcode in seconds. Use an 8-character or longer alphanumeric password with at least one uppercase character plus a special character to ensure that your password is as secure as possible.
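The password rule above (8 or more characters, mixed case, a digit and a special character) is easy to enforce at sign-up, and the two attack styles listed, guessing and word-list attempts, are best countered by also rejecting passwords built from common words. The following checker is an added example written for this article, not code from the article or from any store platform; the `COMMON_PASSWORDS` set is a constructed stand-in for a real breached-password list, and the function names are the example's own.

```python
import re
import string

# Constructed sample of commonly guessed passwords; a real deployment would
# load a much larger breached-password list (this set is illustrative only).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

MIN_LENGTH = 8  # the article's minimum: 8 or more characters


def password_problems(password: str, username: str = "") -> list:
    """Return every policy violation found in `password`; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not any(ch in string.punctuation for ch in password):
        problems.append("no special character")
    # Guessing and word-list attacks start from common words, so reject them
    # even when the casing is changed or digits/symbols are appended.
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if letters_only in COMMON_PASSWORDS:
        problems.append("based on a common password")
    # A password that contains the account name is trivially guessable.
    if len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    return not password_problems(password, username)


if __name__ == "__main__":
    for candidate in ["qwerty", "Password1!", "Alice2024!", "Tr0ub4dor&3"]:
        print(candidate, password_problems(candidate, "alice") or "ok")
```

Returning the full list of violations, rather than a single yes/no, lets the sign-up form tell the customer exactly what to change; the common-word check strips digits and symbols first so that `Password1!` is still recognised as `password`.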

  3. Use fraud prevention software

Bot traffic to mobile applications accounts for a huge share of all bot traffic worldwide. Bots and fraudsters will locate the weak points in your architecture.

Hence, protecting your firm from internet scams and bot attacks requires a coherent layer of security across all of your endpoints: your mobile app, website and APIs all need to be protected to the same level.

Ecommerce fraud prevention tools process information from clients and servers in real time. Each request to your mobile applications, web pages and APIs is evaluated by a mix of AI and ML software to decide whether access should be allowed.

Scraping, identity fraud, vulnerability scanning, Layer 7 DDoS (Distributed Denial of Service) and other methods are also detected by fraud prevention software.

It provides unrivaled visibility into all of these risks, with dedicated KPIs, the capacity to evaluate live traffic statistics, and real-time attack findings and alerts for all interested parties.

The false positive rate for full-fledged fraud protection software is extremely low. This rate is visible on the dashboards for each endpoint (mobile apps, sites and APIs) and is analyzed in real time.

By design, each endpoint’s response approach and its blocking and challenge methods are customized. Your company is safe, and your genuine customers have a smooth experience.

  4. Incorporate strong verification protocols

Although digital purchases do not require a signature for verification, a good way to ensure that a transaction is genuine is to verify that the customer’s shipping and billing addresses match.

In the case of a dispute, the card provider may also want to verify that the payment was completed by the legitimate account holder on your online platform. They may request evidence that the purchased product was delivered to the billing address.

If you get an order with mismatched addresses, contact the client to find out why. There could be a practical reason, such as a gift being sent.

Anything out of the ordinary, such as a gift order with multiple units of the same product or a large commercial order being shipped to a household, should be questioned.

Consumers who ask for a purchase to be rushed should be treated with caution; it could mean they are in a hurry to complete the purchase before the stolen card details are reported.

You can choose how much risk you’re prepared to take. Some suppliers refuse foreign deliveries or odd orders, whereas others look at each transaction individually.

Keep in mind that you’re fully responsible for all online payments made via your accounts, so double-checking orders ahead of time might save you money in the long run.

Verify that your site is protected against software injection, encryption and authentication attacks:

  • Injection attacks

Injection attacks can result in loss of data, corruption of data, denial of service, and even total host compromise. Injection flaws are relatively easy for fraudsters to identify and occur often.

First, unverified data is entered into a web application, which tricks the software into executing commands. In this way the attacker gains access to your data. You can address this issue by deploying an API security layer in front of your application.

Also, regularly update your web applications, since outdated software is especially prone to injection threats.

  • Encryption threats

To safeguard personal details from phishing scams, all information that passes between a firm’s web server and the consumer’s browser should always be encrypted. For ecommerce sites, a Secure Sockets Layer (SSL) certificate is a must-have.

SSL encrypts personal data such as credit card numbers and credentials and safeguards it while it moves across the internet. The SSL certificate protects the information from attackers and thieves by making it unreadable to everyone except the intended recipient.

  • Authentication attacks

Authentication attacks are common, and they can give hackers a legitimate user account from which to launch an attack.

To impersonate users, fraudsters exploit unprotected user profiles, weak passwords or flaws in verification. Password policy, logout, privacy and account update functions, among others, commonly have issues.

To keep your sensitive data safe from hackers, you need a solid combination of verification and administrative controls. Furthermore, several services monitor your logs for unsuccessful login attempts and will restrict IPs with a high number of failed tries.
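The log-monitoring control mentioned in the last paragraph, restricting an IP after a burst of failed logins, is simple enough to run yourself over your own authentication logs. The script below is an added example written for this article, not code from the article or from any monitoring product; the log format (`timestamp ip username result`), the sample lines and the threshold values are all constructed for the demonstration, and it assumes the lines arrive in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp ip username result" format
# (not the log format of any particular product). Lines are in time order.
SAMPLE_LOG = """\
2022-11-09T10:00:01 203.0.113.5 alice FAIL
2022-11-09T10:00:03 203.0.113.5 alice FAIL
2022-11-09T10:00:04 203.0.113.5 bob FAIL
2022-11-09T10:00:06 203.0.113.5 carol FAIL
2022-11-09T10:00:07 203.0.113.5 dave FAIL
2022-11-09T10:00:09 198.51.100.7 erin FAIL
2022-11-09T10:00:40 198.51.100.7 erin OK
2022-11-09T10:20:00 203.0.113.5 alice OK
"""

MAX_FAILURES = 5                 # failures tolerated per source IP ...
WINDOW = timedelta(minutes=10)   # ... within this sliding time window


def parse_line(line: str):
    """Split one log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def find_ips_to_restrict(log_text: str, max_failures: int = MAX_FAILURES,
                         window: timedelta = WINDOW) -> dict:
    """Return {ip: time_the_threshold_was_reached} for every IP whose failed
    logins within `window` reached `max_failures`. Successful logins are not
    counted, and each IP is reported once, at the moment it crossed the line."""
    recent_failures = defaultdict(deque)   # ip -> failure timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _user, result = parse_line(line)
        if result != "FAIL":
            continue
        failures = recent_failures[ip]
        failures.append(ts)
        while failures and ts - failures[0] > window:
            failures.popleft()          # drop failures that have aged out of the window
        if len(failures) >= max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_ips_to_restrict(SAMPLE_LOG).items():
        print(f"restrict {ip}: {MAX_FAILURES} failed logins by {when.isoformat()}")
```

On the sample, 203.0.113.5 reaches five failures at 10:00:07 and is reported once; 198.51.100.7 fails once and then succeeds, which a single-failure rule would have wrongly blocked. Tune the window and threshold to your own traffic, and treat a block as temporary so a legitimate customer behind a shared address is not locked out for good.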

  5. Monitor paper trails and card declines

Keeping solid records is always a good idea in business, but it’s even more important when products and/or services are traded on the internet.

If a consumer files a complaint, your only option is to show documentation that the purchase was completed.

Prepare all supporting documentation for a disputed purchase so that you are able to contest the claim with the buyer’s bank.

Keep records of your shipment and delivery data. Use built-in ecommerce tools to preserve shipping and fulfillment information for quick retrieval. Large orders should require a signature on delivery.

Keep any emails between your business and your buyer for 24 months, and itemize your invoices to demonstrate conclusively what was bought.

Again, purchases that appear out of place, either geographically or in kind, compared with the cardholder’s other activity are declined by credit card providers.

You can look into your own declined payment history to see whether there’s an issue.

When you receive a new purchase request, especially a sizable one, go to your sales history and check its status. Look for payments that have been declined for the same amount within a short span of time.

Multiple declines could indicate that a customer’s card details have been stolen and are being used in a fraud. If you receive repeated declines on separate cards, wait to ship the item until you can contact the buyer and confirm their identity.
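The manual checks from the verification section (address mismatch, gift orders with multiple units of one item, commercial orders to a home address, rush requests) and the decline-history checks just described can be combined into one pre-shipment screen that holds an order for review and says why. The code below is an added example written for this article, not code from the article or from any ecommerce platform; the `Order` and `Decline` records, the sample customers, addresses and card digits are all constructed, and the one-hour window and the two-decline thresholds are illustrative settings.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Order:
    order_id: str
    placed_at: datetime
    amount: float
    card_last4: str
    customer_id: str
    billing_address: str
    shipping_address: str
    is_gift: bool = False
    units_of_same_item: int = 1
    is_commercial: bool = False
    ship_to_residence: bool = False
    rush_requested: bool = False


@dataclass
class Decline:
    """One card-declined event from the store's own payment history."""
    at: datetime
    amount: float
    card_last4: str
    customer_id: str


def _normalize(address: str) -> str:
    return " ".join(address.lower().replace(",", " ").split())


def screen_order(order: Order, declines: list, window: timedelta = timedelta(minutes=60)) -> list:
    """Return the reasons this order should be held for manual review (empty list: none)."""
    reasons = []
    if _normalize(order.billing_address) != _normalize(order.shipping_address):
        reasons.append("shipping address differs from billing address")
    if order.is_gift and order.units_of_same_item > 1:
        reasons.append("gift order with multiple units of the same item")
    if order.is_commercial and order.ship_to_residence:
        reasons.append("commercial order shipping to a residential address")
    if order.rush_requested:
        reasons.append("customer asked for the order to be rushed")
    # Declines by the same customer shortly before this order was placed.
    minutes = int(window.total_seconds() // 60)
    recent = [d for d in declines
              if d.customer_id == order.customer_id
              and timedelta(0) <= order.placed_at - d.at <= window]
    same_amount = [d for d in recent if abs(d.amount - order.amount) < 0.005]
    if len(same_amount) >= 2:
        reasons.append(f"{len(same_amount)} declines for the same amount in the last {minutes} minutes")
    cards = {d.card_last4 for d in recent}
    if len(cards) >= 2:
        reasons.append(f"declines on {len(cards)} different cards in the last {minutes} minutes")
    return reasons


def needs_manual_review(order: Order, declines: list) -> bool:
    return bool(screen_order(order, declines))


# Constructed sample data (not real customers, addresses or cards).
NOW = datetime(2022, 11, 9, 12, 0)
SAMPLE_DECLINES = [
    Decline(NOW - timedelta(hours=3), 499.00, "3333", "cust-42"),      # too old to count
    Decline(NOW - timedelta(minutes=15), 499.00, "1111", "cust-42"),
    Decline(NOW - timedelta(minutes=10), 499.00, "2222", "cust-42"),
]
SAMPLE_ORDER = Order("A-1001", NOW, 499.00, "4444", "cust-42",
                     "12 High St, Leeds", "7 Mill Lane, Bristol", rush_requested=True)
CLEAN_ORDER = Order("A-1002", NOW + timedelta(minutes=5), 19.99, "5555", "cust-77",
                    "3 Oak Rd, York", "3 Oak Rd, York")

if __name__ == "__main__":
    for o in (SAMPLE_ORDER, CLEAN_ORDER):
        verdict = "hold for review" if needs_manual_review(o, SAMPLE_DECLINES) else "ok to ship"
        print(o.order_id, verdict, screen_order(o, SAMPLE_DECLINES))
```

The sample order trips four rules at once: mismatched addresses, a rush request, two declines for the same £499 amount within the hour, and those declines coming from two different cards; the clean order trips none. Declines are matched on the customer record so that unrelated shoppers' failures do not hold up each other's orders, and the screen only produces a recommendation, leaving the decision to the person who contacts the buyer.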

Conclusion

Finally, make sure that you and whoever else manages your website keep on top of it, and that you have a disaster recovery plan in place in case things do not go as planned.

To ensure that your website is correctly managed, perform regular backups or verify that your web host does so.

The post 5 Ways to Protect Your Ecommerce Business appeared first on Cybersecurity Insiders.