Only 9% of Companies Have Completed Their General Data Protection Regulation Preparations

A new study conducted by the Ponemon Institute has shown that General Data Protection Regulation preparations have only been made by a small minority of companies, with almost half of surveyed organizations unsure where to even start.

The General Data Protection Regulation was approved by the EU Parliament on April 14, 2016. Companies have been given until May 25, 2018 to comply with GDPR. When the new regulation comes into force, any company discovered not to be in compliance can face a heavy fine. The maximum fine for non-compliance will be €20 million or 4% of global annual turnover, whichever is the highest.

Many companies started their General Data Protection Regulation preparations as soon as the new legislation was approved. According to the Ponemon Institute survey, only 9% of companies have made the necessary changes comply with GDPR. 59% of surveyed organizations haven’t even started their General Data Protection Regulation preparations and don’t even know how to comply.

Interestingly, the threat of fines and the difficulty complying with GDPR has put many companies off doing business in the EU. 34% of surveyed companies have said their General Data Protection Regulation preparations have involved shutting down their European operations. However, that does not mean they will not need to comply. Compliance with GDPR is mandatory for any company doing business in the European Union, even if they do not have a physical base in one of the European member states.

Even the threat of fines has not convinced many companies to start preparing. Only 38% of companies said their senior leadership viewed compliance as a priority.

The changes for many companies to ensure compliance will be considerable. 89% of respondents said GDPR will have a significant impact on their data breach protection practices. However, there is considerable doubt about how effective GDPR will be. Only 41% of companies believe the new regulation will improve privacy protection practices while 70% said they don’t believe the new regulation will benefit victims of a data breach.

If you have yet to start preparing and updating your policies and procedures you don’t have long. The compliance date may be months away, but for many companies, preparations will take some time. If you are keen to avoid a fine for non-compliance, now is the time to start your GDPR compliance preparations.

If you are unaware of what GDPR means for your business or whether you need to comply with the regulation, you can find out more on this link.

Internet Filtering Controls for Public WiFi Hotspots Promoted in New Friendly WiFi Campaign

The sharp rise in the use of smartphones by children and the increase Internet access points has prompted Friendly WiFi to launch a new campaign to promote the adoption of Internet filtering controls for public WiFi hotspots.

Businesses in the UK are being encouraged to implement web filtering controls to ensure children can connect their WiFi networks without being exposed to potentially harmful material.

Friendly WiFi is a government initiated scheme launched in 2014 to promote Internet filtering controls for public WiFi hotspots. Businesses that filter the Internet and block inappropriate content from being accessed via their WiFi networks can display the digital Friendly WiFi banner. This banner lets parents know their children can connect to the Internet safely.

Friendly WiFi is the only scheme of its kind in the world. The main aim of the initiative is to make the UK the safest place in the world for children to venture online. When the scheme was launched in 2014 there were 5.6 million WiFi hotspots in the UK; however, that number is estimated to triple by the end of next year.

A recent study has shown that nearly half the population of the UK uses public WiFi hotspots and research suggests more than 40% of children aged between 5 and 15 now have a smartphone and connect to the Internet. The growth in hotspots and smartphone usage among children makes it more important than ever for public WiFi hotspots to have harmful content filtered out.

Figures supplied by Friendly WiFi suggest the number of WiFi access points around the globe is likely to increase to 432.5 million by 2020, which represents a 700% increase from 2015. Even though many of these WiFi networks can be accessed by minors, fewer than half of those hotspots have internet filtering controls in place.

In the UK the use of Internet filtering controls for public WiFi hotspots is growing. Major high street names such as Starbucks and Tesco have already adopted Internet filtering controls, as have McDonalds and IKEA and many small businesses. The aim of the latest Friendly WiFi campaign is to accelerate adoption of Internet filtering controls.

To be able to display the Digital Friendly WiFi symbol, businesses must implement Internet filtering controls for public WiFi hotspots to block all websites and web pages that display pornographic content. Businesses must also block all webpages containing child pornography using the blacklist maintained by the Internet Watch Foundation. Organizations must also prevent advertisements or links to such content from being displayed.

Bev Smith, director of Friendly WiFi said “Now is the right time for all businesses which provide public WiFi to prove they take the same care for their customer’s online safety as they do for their physical wellbeing.”

New Report Shows Changing Trends in Phishing

The Anti-Phishing Working Group (APWG) has recently released a new report showing the changing trends in phishing in 2016. The report provides interesting insights into how cybercriminal activity is changing and the attack methods most commonly used by cybercriminals to fool end users into installing malware or revealing their login credentials.

The report uses data from more than 250,000 phishing attacks that were detected between 2015 and 2016; clearly showing some of the new trends in phishing and how phishers have been conducting their attacks. The report is focused on phishing rather than spear phishing, with the latter involving highly varied targeted attacks on specific individuals in an organization.

Phishing emails often contain malicious email attachments with scripts and macros used to silently download malware onto end users’ computers. However, the report shows there was a major increase in phishing domains in 2016 with criminals registering more domains than ever before. Phishing attacks also reached record levels last year. Phishing is now the number one cyber threat faced by organizations.

APWG says that almost half of new top-level domains that were available for open registration in 2016 were used for phishing. APWG suggests the increase in malicious domain registrations demonstrates that domain registrars are struggling to detect and take down malicious domains.

While it was previously thought that phishers registered domains for immediate use in phishing attacks, the study suggests domains are most commonly held for up to three weeks before they are used.

Phishing attacks were failry evenly split between domains registered by phishers and compromised websites. One in 20 attacks used a subdomain for phishing, with the number of attacks using subdomains continuing to fall. See here for phishing examples.

Brand spoofing is becoming increasingly common, with major brands are now experiencing thousands of phishing attacks a year. However, the number of targeted brands in 2016 fell to 679 from 783 the previous year. The most targeted brands – which experienced three quarters of attacks – were Apple, PayPal, Yahoo and Taobao.com. Each experienced more than 30,000 attacks each in 2016.

2016 saw a 10% increase in unique phishing attacks, rising from 230,280 in 2015 to 255,065 attacks in 2016. Those attacks were spread across 195,475 unique domain names – the most domains ever detected and almost three times the number used in 2015. While a variety of TLDs are used for phishing websites, 75% involved just four TLDs – .com; .cc, .pw and .tk. APWG says 90% of phishing domains are spread across just 16 TLDs.

Attacks in 2016 were spread across a wide range of industries although 92% of attacks affected four industries:  eCommerce & software/SaaS (30%), banking and finance (25%), social networking/email (19%) and money transfer firms (18%).

New Internet Crime Report Issued by FBI – Losses in 2016 Totaled $1.3 Billion

The U.S. Federal Bureau of Investigation has issued its annual Internet Crime Report, showing cybercriminals have netted at least $1.3 billion last year. The figures for the report were compiled by the FBI’s Internet Crime Complaint Center, or IC3 is it is also known. Those losses came from 298,728 complaints that had been filed with IC3 in 2016.

The Internet Crime Report provides some insight into the main methods used by cybercriminals to fraudulently obtain money. Last year, the three crime types that resulted in the biggest losses were Business Email Compromise (BEC) attacks, romance/confidence fraud and non-payment/non-delivery scams.

BEC scams resulted in losses of $360.5 million last year and the scams are becoming increasingly common. Confidence and romance fraud was second, resulting in losses of $219.8 million with corporate data breaches in third place causing losses of $95.9 million. Phishing, via the web, email, SMS messages and telephone resulted in losses of $31.7 million. Losses from extortion were $15.8 million with ransomware tracked separately and causing losses of $2.4 million. Tech support fraud netted cybercriminals $7.8 million with malware and scareware losses tracked as $3.9 million.

The FBI singled out four key criminal activities in its 2016 Internet Crime Report that have become major issues in 2016: BEC, ransomware, tech support fraud and extortion.

BEC scams involve the impersonation of foreign suppliers and other vendors that are usually paid by wire transfer. A similar type of scam, referred to as email account compromise (EAC), targets individuals in a company responsible for making wire transfers.

Both scams involve the impersonation of company executives with fraudulent wire transfer requests sent to accounts department employees. Since it is the CEO that is often impersonated the scams are commonly referred to as CEO fraud. Transfers are commonly for tens or hundreds of thousands of dollars. In some cases, companies have been conned out of millions. BEC scams topped the list of losses.

BEC scams have also been rife in 2017, with the start of the year seeing an increase in BEC scams with the aim of obtaining the tax information of employees, typically W-2 forms. In 2016, there were 12,005 reported BEC scams, although this is likely just a small percentage of the real total.

Ransomware has become a major threat for businesses with criminals targeting employees using phishing emails. The FBI says Remote Desktop Protocol was also a major attack vector in 2016. The FBI suggests that security awareness training for employees is now a critical preventative measure that should be provided by all organizations. In 2016, there were 2,673 reported ransomware incidents. Similarly, many businesses choose not to report ransomware attacks.

Another major threat comes from tech support scams where criminals impersonate security companies. The attackers claim an urgent security issue must be resolved for which payment is required. These scams can involve screen-locking malware, cold calls or pop up messages. Typosquatting is also commonly used. Criminals register URLs similar to major online brands to take advantage of careless typists.

Extortion continues to be a major problem and it takes many forms. There have been numerous cases of criminals impersonating government agencies, with threats of Denial of Service attacks similarly common. Hackers have been stealing data and demanding ransoms for its return, while sextortion, hitman schemes and loan schemes are also rife.

While the Internet Crime Report provides an indication of how rampant cybercrime has become, the reports hugely underestimate the true extent of the problem. Only a small percentage of victims of cybercrime report the incident to law enforcement. The Department of Justice estimates only 15% of Internet crime is reported, while the FBI suggests only one in seven cases of Internet crime are actually reported. It is not only individuals that fail to report crimes. Many businesses that experience cyberattacks or other Internet crime-related losses fail to report the incidents. The true figures from cybercrime are likely to be several orders of magnitude worse than the Internet Crime Report suggests.

Massive Global Cyberattack Uses EternalBlue Exploit and Installs Petya Ransomware

A massive global cyberattack is underway involving Petya ransomware. Ukraine has been hit particularly hard although companies all over Europe have reported that systems have been taken out of action and ransoms demanded. Social media websites are awash with reports of disruption to services across a wide range of industries and countries. The attacks appear to have started in Russia/Ukraine but spread rapidly across Europe, with reports emerging that companies in India have also been affected.

The attacks appear to involve a variant of Petya ransomware – a particularly nasty ransomware variant for which there is no kill switch or free decryptor. Petya ransomware takes the Master File Table (MFT) out of action rather than encrypting individual files. Consequently, the attacks occur faster than with other ransomware variants. Without access to the MFT, computers are unable to locate files stored on the hard drive. Those files remain unencrypted, but cannot be accessed.

The ransom demand to unlock the infection is understood to be approximately $300, although that figure will need to be multiplied by the number of devices affected.

Another WannaCry Style Global Ransomware Attack

The WannaCry ransomware attacks used exploits stolen from the NSA, which were published online by Shadow Brokers. Those exploits worked on unpatched systems, exploiting vulnerabilities to automatically download a network worm and WannaCry ransomware. The attacks spread rapidly – around the world and within organizations.

This wave of attacks appears to be similar. The attacks started happening this morning with the Russian cybersecurity firm Group-IB one of the first to suggest this was a WannaCry-style attack involving an NSA exploit. That has since been confirmed by other cybersecurity firms. Fabian Wosar of Emisoft said he has confirmed that the infection is spreading using the same EternalBlue exploit as WannaCry, as has MalwareHunterTeam.

Organizations that applied the patch issued by Microsoft in March were protected from WannaCry and will likely be protected from this Petya ransomware attack. Following WannaCry, Microsoft issued patches for unsupported operating systems to prevent further attacks from occurring. However, judging by the number of attacks that have already occurred, the WannaCry attacks did not spur some companies into action. Many have still not patched their systems.

Several well-known companies have reported they are under attack and have had servers and computers taken out of action, with companies in Russia, Ukraine, France, Spain, Denmark, India and the UK all understood to have been affected. Companies that have confirmed they have been attacked include:

Russia – Oil company Rosneft and metal maker Evraz

Ukraine – Boryspil Airport, aircraft manufacturer Antonov, two postal services, the Ukraine government, the Ukraine national bank. The Cernobyl nuclear powe plant has also been attacked, as have many other energy companies in the country.

Denmark – Shipping firm A.P. Moller-Maersk, including APM Terminals which runs shipping container ports around the world.

France – Construction firm Saint Gobain

International – Companies reportedly affected include the law firm DLA Piper, advertising firm WPP, food manufacturer Mondalez and U.S pharmaceutical firm Merck.

Time will tell whether this Petya ransomware attack will be on a similar scale to WannaCry. Since it is currently occurring it will likely be a few days before the true scale of the attack becomes known.