Think before clicking on that Link!

The team here at MJD are becoming increasingly aware of instances of links in emails which appear to “do nothing” when clicked on. This is not something to be ignored and needs to be report to your MSP immediately. If nothing appears on your screen or nothing seems to have happened as a result of clicking on a link, this does not mean that nothing has ACTUALLY happened. Unfortunately, this more than likely means that information has been gleaned from the registry of your device to enable access to emails, to form an incredibly clever socially engineered attack.

As we all are now more aware of the classic SPAM emails which try to entice the recipient to respond and generate dialogue to encourage the transfer of funds to ensure an some threat is not carried out, the cyber criminals are increasing the ante, and we now have to be aware of social engineering. Cyber criminals are leaning towards social engineering due to it being easier to gain the crucial information they need through our human nature to trust, rather than try to hack your network or password. It’s a lot easier to enter the correct password first time, than to have to work with their tools to figure out the correct password. As it is for us in business, time is money to cyber criminals too.

You may be asking what exactly is social engineering then. This is the process of manipulating an individual and the situation to encourage them to give up confidential information and therefore potential access to your network and devices. These are all based on the way we think and act as human beings and using this to their advantage. We have shared this video before, but we think it is a great example of demonstrating their ability to manipulate the situation to achieve their desired outcome. It really is worth spending 11 minutes of your life watching this video and encouraging all your colleagues to watch this too!

The current example we are responding to and working to resolve with clients is whereby the information stolen from the PC registry when the link is clicked gives them the login credentials for the email account on the PC.  This then allows them to setup rules within Outlook, to send copies or completely forward certain emails to another email address.  Most commonly, invoices are targeted.  All the emails are then monitored for a period of time until they identify their best target, and a simple email is sent from within the account to explain bank details have changed.  And they now hope that the process on the other side will allow for this to slip through.  These attacks are highlighting how important it is that IT security doesn’t stop at your firewall or anti-virus scanner.  IT security encompasses your people and your processes too.

If after reading this you’d like more information on training for your business or to discuss and review your security policies the team here at MJD would be more than happy to help.  Let’s make your IT work for YOU!

Currently, with many of us working from home and varying shift patterns or hours of work due to furlough, client requirements or childcare requirements the frequency of use of our Out of Office notifications has increased dramatically.   It is worth considering the potential impact that these notifications can have on the security of the company.

Have you ever considered the information that you freely give to any recipient of your Out of Office?  By saying we are on annual leave or away from the office until a set date/time, you are giving specific detail to the fact you won’t be in the office and are on holiday for this set period of time.  If you work within a small office/premise, does this mean there is more time where you premise may be unoccupied?  Or is your business based at home, which provides details that you are potentially away from your home on holiday?

Using an out of office can be useful to allow senders to know who to contact in your absence, however, providing detailed contacts and email addresses to everyone opens your business up to potential spear phishing attacks.  Cyber criminals are able to use the names and details provided within an out of office, especially if details of projects or departments these contacts work within are given, to create trust and a genuine feel to their requests for more information or other more sinister actions.

When drafting your out of office, it is best to use the option to set separate messages for internal and external contacts.  This way, you can provide the detail required for your colleagues to continue their daily activities during your absence.  While also minimizing the information provided to potential cyber criminals.

So, the top tips for your Out of Office are as follows:

  • do not specify a date and time for when you will return
  • use a generic email address for people to forward their request onto (such as an office@ or sales@ address) and a main telephone number for the business
  • do not advise where you are or what you are doing
  • avoid providing specific details of projects/departments you are working within

An example of how to build your out of office could include some of the following phrases:

  • “I am currently unable to respond to my emails…”
  • “For urgent enquiries please contact the main office on ….”
  • “For all other requests I will respond as soon as possible.”

If you want further advice on your Out of Office or help to set this feature up, please don’t hesitate to get in touch with the Team here at MJD.

Here at MJD, we understand that the volume of passwords and the complexity required in the present day can be overwhelming and a difficult task to manage in secure manner.  Internally we here at MJD use a password manager to keep track of all our passwords and ensure we can use highly complex and unique passwords for all our online accounts that we use on a daily basis.  Password managers are not expensive and can be synced across all devices such as laptops, tablets, phones etc so that you are NEVER without your passwords.  If this sounds like something that would be useful get in touch with us here at MJD.

However, we also want to help our clients generate their own secure passwords, so we have created a top tips list below with some helpful suggestions and recommendations for creating passwords.

To create a strong password consider the following advice:

  • Choose three random words to make a pass phrase
  • Use numbers and symbols as well as upper and lower case letters.
  • Consider the line of a song other people would not associate with you
  • Take the first letters from a phrase known to you, for example “Making your IT work for you” would be “myiwfy”

Avoid the following:

  • Anything from your username, individual or business name.
  • Family members and pet names.
  • Birthdays
  • Favourite sports teams or hobbies.
  • “password” itself.
  • Sequences of numbers or letters i.e 1234 or ABCD
  • A single word with no numbers or special characters, lower or uppercase.  These are very easy for hacking programmes to guess.
  • Duplicated characters i.e 999 or AAA
  • Easily recognisable keypad patterns i.e 36987 or 159

General password advice:

  • Never disclose your passwords to anyone else.
  • If you think someone knows your password change it immediately.
  • Use a different password for every account that requires one.
  • Don’t reuse a password with differing numerical sequences i.e Winter1, Winter2
  • Try to avoid writing passwords down, instead consider an online password vault or safe.
  • Do not send your password by email.
  • When working in public, consider your surroundings, who can look over your shoulder or in the window and see your password being entered?

Please find below a link to our Business Breakfast, the perfect opportunity to get the real information about Cyber Essentials and GDPR in plain English, at the moment there are still places left and we would love to see you there, don’t worry if you’re not a chamber member, non-members can attend.

http://www.moraychamber.co.uk/chamber-news/exciting-new-addition-to-business-breakfast/

“MJD systems are delighted to announce that they are also being joined at the business breakfast by Kirk Tudhope, Partner with Ledingham Chalmers one of Scotland’s leading law firms,  Kirk heads the firm’s Employment Law Team and has a particular interest in GDPR.  Kirk will explain how data protection operates and translate some of the GDPR’s most torturous terminology into plain English. If we understand what the legislation says then we can have a meaningful discussion about the practical implications for our businesses. This will dovetail with Mark Dunscombe’s Cyber Security information which covers an essential  part of GDPR compliance.

 Data Protection affects every business as it governs how all of us should handle individuals’ personal details including those relating to staff, clients, customers, suppliers and contacts.  The duties to protect these details already places significant obligations on us all but the new GDPR regime,  which will come into force in May 2018,  will significantly increase the demands we have to meet. It also increases the penalties if we are in breach.  

 Handling personal details is something we do every day of our working lives. All businesses now need to understand and embrace the duties in relation to the vast amount of personal data we all hold and start preparing for the GDPR. A failure to do so means we are creating real risks for ourselves and the future of our businesses.

 The Moray Chamber of Commerce Business Breakfast will showcase a joint presentation and Q&A with the speakers from both MJD Systems and Ledingham Chambers. As always there will be networking time which will allow the opportunity to speak to the presenters individually afterwards and, will be the perfect opportunity to have your Cyber Security and GDPR questions answered from trusted, knowledgeable advisers.

 There are still spaces available and Moray Chamber look forward to seeing you all there to learn from this essential informative presentation and network over a delicious breakfast provided by the team at The Eight Acres Hotel.

 Thursday 26th October
8am – 10am

Eight Acres Hotel Elgin

Contact Georgia on gdunk@moraychamber.co.uk or 01343 543344 for tickets”