Opinions & Analysis Archives - IT Security Guru
https://www.itsecurityguru.org/category/opinions-analysis/
The Site for our Community. Feed last updated Tue, 01 Nov 2022 18:00:03 +0000.

Understanding The Importance Of Cyber Resilience In Smart Buildings
https://www.itsecurityguru.org/2022/11/01/understanding-the-importance-of-cyber-resilience-in-smart-buildings/?utm_source=rss&utm_medium=rss&utm_campaign=understanding-the-importance-of-cyber-resilience-in-smart-buildings
Tue, 01 Nov 2022 18:00:03 +0000

A smart building controls activities such as heating, ventilation, air conditioning, lighting, and security through automated processes. Many smart buildings use Internet of Things (IoT) technology, which means they contain sensors to collect data and software to manage it in order to reduce energy consumption and environmental impact. Demand for this type of construction is expected to skyrocket in the coming years: recent studies predict that the worldwide smart building industry will reach $127.09 billion by 2027, with a compound annual growth rate of 12.5%.


The industry must solve the security issues raised by smart buildings. According to research, 57% of IoT devices are vulnerable to medium- or high-severity attacks. Cyberattacks have already caused significant damage to a number of enterprises, including critical infrastructure such as hospitals, data centers, and hotels.

Smart building companies should follow the seven principles outlined below to protect themselves from cybercrime and to ensure that their products contribute to secure smart buildings.

1) Administration

Companies need proper security knowledge. They must be clear about roles and responsibilities in this area and produce a clear set of security guidance on how incidents should be handled. Each team should ensure that its product, solution, or service has adequate built-in cybersecurity, and companies must help customers maintain cybersecurity throughout the product’s or building’s lifecycle.

2) A reliable supply network

Before entering into business agreements, companies should require partners along the supply chain to meet reasonable security standards. They should incorporate security requirements into their terms and conditions and assess vendors for potential security weaknesses. They also need a process for identifying and managing the security risks introduced by externally sourced components; an automated tool for monitoring and tracking vulnerabilities can help here.

3) Cybersecurity in product development

Companies should incorporate cybersecurity into product design from the start. This could begin with setting a cybersecurity target for each product based on market needs. It is far less expensive to address security issues early in a product’s lifecycle than to resolve them later.

Threat and risk assessments should be performed by security specialists throughout the product’s lifecycle in order to detect and mitigate any issues. This should begin early in the product development process and be repeated for each substantial upgrade. Companies should request that independent third-party organizations examine new products for potential vulnerabilities before releasing them.

4) Internal and external cybersecurity awareness

People are at the heart of a good and effective cybersecurity strategy. Investing in ongoing training and awareness helps protect enterprises from cyberattacks. Employees working in security-related roles should be thoroughly trained, and there should be clear guidance on whom to contact with internal questions or concerns.

Companies in the smart building sector must also share information and collaborate to keep each other informed of new threats and best practices.

5) Vulnerability and incident management

Any suspected incident should be treated as real until it is shown to be a false alarm. Every firm needs a playbook that sets out how security issues and breaches are to be handled in a timely manner, and it must be able to show that it has done everything feasible to reduce the risk of a breach.

When vulnerabilities are discovered, organizations must be upfront about them, informing customers and other key stakeholders. In the event of an incident, corporate communications are just as crucial as fixing the technical flaw, because cyberattacks can harm a company’s brand and destroy customer trust.

The importance of cybersecurity will continue to grow with each passing year. It is essential that smart building operators take this into account and start preparing now for the future.

Why Should Tech Businesses Prioritise Occupational Health?
https://www.itsecurityguru.org/2022/09/07/why-should-tech-businesses-prioritise-occupational-health/?utm_source=rss&utm_medium=rss&utm_campaign=why-should-tech-businesses-prioritise-occupational-health
Wed, 07 Sep 2022 14:44:25 +0000

Statistics show that the risks of occupational injuries in the tech sector are lower compared to other industries. A tech career doesn’t sound like something that poses significant risks. So, the question is, should tech businesses be concerned about employees’ health and safety? 

The simple answer is yes! Even if the risks are lower, that doesn’t mean they don’t exist at all. Providing a safe work environment is not only beneficial for the employees’ wellbeing but also a legal obligation – and no business is an exception from the rule.

More often than not, safety is an afterthought in the tech sector. However, it’s worth mentioning that individuals working in this industry are not invulnerable to injuries. Therefore, businesses operating in the tech sector should prioritise occupational health, just like any other company. Regardless of the industry, employees are an invaluable asset, and it is paramount to ensure they are healthy and fulfilled.

What are the most common injuries in the tech sector?

While some jobs may be much more hazardous, the tech sector involves its own level of risk. Even if you spend most of your work time attending meetings or writing code, this doesn’t mean you are entirely safe. Injuries can occur unexpectedly – for instance, you could trip and get injured while going to the kitchen to get some coffee. The most common injuries in the tech sector are:

Slips, trips and falls

This type of injury is common in every work environment. While they may sound harmless, slips, trips and falls can lead to severe consequences. Even milder injuries, like bruising and sprains, can cause significant pain that will affect employees’ performance.   

Several factors lead to slips, including wet floors and obstacles such as cables. Other times, uneven flooring panels can be the reason why employees may end up tripping and injuring themselves. If employees sustain an injury resulting from a slip, trip or fall, they are entitled to make a claim and get compensation for the damage they’ve suffered. 

Nowadays, finding a personal injury expert on online platforms is very easy. Employees can get legal advice and file a claim against your company without much effort. However, if this happens, it will put your business operations at risk. Therefore, it’s crucial to avoid this scenario by taking the required steps to create a safer workplace. This means ensuring the floors are clean and dry and eliminating any other hazard that could result in this type of injury.

Musculoskeletal disorders

Programmers and other tech employees repeatedly use a specific body part for the same movement in a day, which can strain that particular body part. One significant concern is carpal tunnel syndrome – this condition can cause numbness, pain and tingling in the arm and wrist and may lead to a loss of strength and inability to grip. 

Business owners can help prevent these issues by implementing an ergonomics programme. This is an efficient way to reduce costs and improve employee engagement and productivity. What’s more, ergonomics demonstrates your business’s commitment to health and safety, which matters to the employees who end up working for you.

What can you do to reduce hazards?

So, now that we’ve made clear that the tech sector also involves risks, the question is: what can you do to reduce them? Perhaps the most important thing you can do is build a workplace safety program. This involves writing a plan for how you will identify and control workplace hazards, assign safety responsibilities and respond to emergencies that can occur in the workplace. You should encourage employees to keep their workstations clean, maintain correct posture and take regular breaks. If you already have a workplace safety program in place, consider improving it to ensure it covers the aspects mentioned above. This shows that you care about your employees’ welfare above anything else, which can be highly beneficial for both onboarding and retaining top talent.

Training and written safety policies are also critical elements of a workplace safety program. Beyond specific risks like slips, trips, and falls, you should also train employees on Emergency Preparedness and Fire Extinguisher Safety. Other ways you can create a healthier work environment include:  

  • Rewarding workers for safe actions;
  • Encouraging stretch breaks;
  • Ensuring you get adequate equipment and suitable tools for your business;
  • Having frequent meetings to talk about workplace safety. 

Combining technology with safety to create a better work environment 

Nowadays, businesses have the chance to combine tech with safety and health. This can take a business to the next level, ensuring employees perform tasks at their fullest potential. Using tech allows employees to be more aware of the threats they may face. For instance, 3D visualisation technology enables workers to determine whether there is any danger before entering a particular site. Real-time data technology can be revolutionary for employees working remotely, as it improves safety.

Moreover, technology has also improved protective equipment; for example, workers can use safety glasses for increased protection while working on a computer. Tech companies are responsible for protecting employees and keeping them healthy, and new technologies enable workers to perform better. Considering that the workforce is becoming younger, training methods must also evolve. Innovative technologies like virtual reality, AI and 3D training can ease the working process, making it more appealing. A safer workplace also leads to higher productivity and, ultimately, higher income. These are excellent tools that you can use to detect hazardous work situations and help employees learn and work efficiently and safely.

Tech in the workplace doesn’t only mean advanced IT strategies; you can also use it to improve workers’ health and safety, enhancing productivity. Technologies that can help lower workplace hazards include tools for training, reporting and monitoring workers’ safety. Technology provides all these resources that will boost your business and help it last for a long time without experiencing severe disruptions. Therefore, every company operating in the tech sector should embrace these technological advancements and use them to their advantage to create a safe workplace culture.

Guest blog: The death throes of the password? Key takeaways from the One Identity Infosecurity Europe survey
https://www.itsecurityguru.org/2022/08/02/guest-blog-the-death-throes-of-the-password-key-takeaways-from-the-one-identity-infosecurity-europe-survey/?utm_source=rss&utm_medium=rss&utm_campaign=guest-blog-the-death-throes-of-the-password-key-takeaways-from-the-one-identity-infosecurity-europe-survey
Tue, 02 Aug 2022 14:21:23 +0000

By Dan Conrad, AD Security and Management Team Lead at One Identity

Authentication is one of the hottest topics in cybersecurity right now. As biometrics, MFA, and a range of other authentication methods continue to threaten the password’s supremacy, we thought it was worth finding out what industry professionals thought about it all.

So that’s what we did. At InfoSecurity Europe 2022, One Identity surveyed more than 100 security and IT professionals to get a picture of how businesses and their employees approach passwords and authentication.

When asked what they consider the biggest security threat to their business, 56 percent of respondents said they believed it to be users sharing passwords for admin tasks. If that isn’t an argument for passwordless authentication, we’re not sure what is. This was followed by 25 percent of respondents believing that the biggest security threat was users clicking on malicious links or opening rogue attachments. Collectively, this means that 80 percent of respondents believe that human error poses the largest threat to an organization’s security.

Interestingly, while the majority (62 percent) viewed educating staff as the most important factor in preventing cyber-attacks, a rapidly growing segment (30 percent) stated that adopting a zero-trust model was more important.

Moving on to multifactor authentication, we are met with some heartening statistics. 99 percent of respondents told us that their company had adopted MFA for remote access and 97 percent said that it was mandated. This confirms what we already knew – that the password as a standalone authentication method is obsolete.

When looking into users’ connections to passwords, we see some interesting results. While just over a quarter of respondents had an emotional connection to a password (28 percent), the majority said they had a favorite password (84 percent). We can infer from this that while most people don’t reuse passwords for sentimental reasons, they likely do for practical reasons. It is concerning that IT and security professionals, people who are more aware than anyone of the dangers of reusing passwords, persist in this bad habit.

This is yet another mark against the use of traditional passwords – if those in the know aren’t following best practices, how can we expect the layman to? The reality is that modern users have so many accounts that it is no longer practical to create and remember a new password for every one they set up. We’ll chalk this one up as another point in support of modern authentication methods, which eliminate these problems.

While it’s clear that users are reusing passwords, it turns out that most respondents are at least adding complexity to their passwords depending on a system’s importance (96 percent). Perhaps unsurprisingly, 76 percent saw banking or financial services as requiring a top tier password, but only 7 percent thought that work emails were deserving of the same protection. This may be an understandable perspective but doesn’t bode well for organizations that routinely share sensitive information through email.

Finally, we make it to how IT and security professionals are storing their passwords. Here, at least, we get some more heartening statistics:

  • 65 percent of respondents said they used password managers, which are generally regarded as the safest and most convenient way to keep passwords
  • 23 percent said they wrote their login details down somewhere, which, while not ideal, is safer than using one password across multiple accounts

We did, apparently, come across some cyber-savants claiming they could remember all their login details, but if anything, this suggests that they are reusing passwords for an alarming number of accounts.

The key takeaway here is that the password is on the way out. These results serve as further proof that traditional passwords by themselves are no longer fit for purpose – even leaders in the IT security space fail to follow best practices simply because it isn’t convenient. We’ve seen that businesses are implementing and mandating alternative authentication methods en masse, and it won’t be long before this trend trickles down to the rest of society.

Cybersecurity is complex – but it doesn’t need to be costly or complicated
https://www.itsecurityguru.org/2022/06/28/cybersecurity-is-complex-but-it-doesnt-need-to-be-costly-or-complicated/?utm_source=rss&utm_medium=rss&utm_campaign=cybersecurity-is-complex-but-it-doesnt-need-to-be-costly-or-complicated
Tue, 28 Jun 2022 13:18:04 +0000

The pandemic tested the business resilience of every organisation. Small and medium sized enterprises (SMEs) had to maximise their digital footprint to keep operational, service their customers and survive. Just as companies are starting to return to some semblance of new normal, another threat is on the horizon. The pandemic has fuelled an increase in cybercrime that shows no signs of abating.

Small and medium sized enterprises caught in the cross hairs

The speed with which companies had to digitally transform their businesses during the pandemic has increased their cyber vulnerabilities. More companies are conducting their business online and cybercriminals are rubbing their hands in glee at the opportunity this presents.

Many SMEs underestimate the threat, believing they are too small to be a target. Attacks on big brands make the headlines and the jargon used to describe vulnerabilities and malware is complex, making it appear to be a big enterprise issue. It’s easy to see why smaller companies shy away from tackling an issue they hope will never happen.

The reality is that cybercriminals are organised and operate like a business, with shop fronts on the dark web. They even have interactive customer support services to make it easier for victims to pay their ransom demands. Cybercrime operators know that going after large companies is risky and carries greater repercussions from law enforcement. All they want are quick and easy paydays, and SMEs represent a fertile training ground for new operators to build up experience, tools and reputation. Attacking SMEs might be less lucrative, but there are more of them, and they are an easier target to hit. The devastation to livelihoods and the human misery caused have no bearing on a hacker’s thinking; it’s business, not personal.

The anatomy of a simple attack

The majority of cyberattacks are not complex; they don’t need to be. The CEOs of big brands may speak of the ‘sophisticated and complex attacks’ on their systems when trying to justify to customers and suppliers why their data was breached. However, post-attack analysis doesn’t back this up.

The WannaCry attack that caused mayhem across the world in 2017 exploited a known software vulnerability that should have been patched years earlier. Companies that patched the software bug at the time it was issued remained unscathed. For the ones that didn’t, it was a tough year with costly remediation work to systems and significant brand damage.

To add insult to injury, WannaCry was initially spread through a phishing campaign. Spam emails containing infected links or attachments were sent to employees. The unknowing recipient, who probably had never received any training on how to spot a spam email, clicked the link. It only took one employee, clicking on one infected link and an entire company was infected. Who needs sophisticated attack methods when an email will do?

Cybersecurity is necessary but it doesn’t need to be complex

Cybersecurity is not a luxury; it’s a business necessity and also a business enabler. If your company is secure, you can get on with the day job knowing you have done all you can to safeguard your business.

As the WannaCry attack showed, cybersecurity needs to become a habit within a company, or something will get missed. Having IT systems but no strategy to protect them is like going out and leaving your front door and all your windows wide open. You may get away with it once or twice but is it really a risk you want to take?

Keeping cybersecurity simple – where to start?

Starting on the path to securing your organisation can be hugely daunting. There are so many solutions on the market, with different features, benefits and price points that it can be difficult to know where to begin.

The National Cyber Security Centre, the technical authority in the UK, has created Cyber Essentials (CE), a simple but effective scheme to protect companies against a whole range of the most common cyberattacks.

Cyber Security Policy Manager (CSPM) helps you implement CE, delivering a clear path for SMEs to create a security strategy in easy-to-manage steps. The five fundamental controls are embedded within CSPM, providing you with a simple step-by-step process to developing security policies and procedures. Companies are given prompts and guidance at every stage, in jargon-free language. CSPM has been designed so that companies can guard against cyberattacks, without needing expensive security consultants. CSPM also provides educational videos so employees are made aware of how to defend themselves from cyber-attacks.

Companies can work their way to certification by evidencing they have implemented five fundamental controls. These controls can mitigate 80% of common cyber risks such as hacking, phishing, malware infections and social engineering attacks. The benefit of certification is it sends a clear message that cybersecurity is something your business takes seriously.

Certification can reassure customers and suppliers that you are working to secure your IT systems and safeguard their data against cyberattacks. It is a great way to demonstrate to your existing customers and suppliers that cybersecurity is more than a tick-box exercise. It also opens the door to attracting new business and building your reputation as a trusted supply chain partner.

You don’t have to go it alone

There is no secret to mitigating a cyberattack; it’s the same process as protecting a house. Make yourself a harder target by blocking the obvious entry points, and unless the attacker is very determined, they will move on to a softer target. If you don’t know where to start, Policy Monitor can help. We are attending International Cyber Expo at Olympia in September; you will find us on Stand B40 in the IASME Pavilion. Register for FREE tickets here: https://ice-2022.reg.buzz/website-header

Written by: Nick Denning, CEO at Policy Monitor

The Inside Man Season 4: The Future of Cybersecurity Awareness Training
https://www.itsecurityguru.org/2022/02/23/the-inside-man-season-4-the-future-of-cybersecurity-awareness-training/?utm_source=rss&utm_medium=rss&utm_campaign=the-inside-man-season-4-the-future-of-cybersecurity-awareness-training
Wed, 23 Feb 2022 16:03:29 +0000

Corporate training videos. The words alone make you feel bored. They summon dreary memories of wasted hours, terrible acting and worse storytelling. If I told you that it doesn’t have to be that way, that training videos can be informative, engaging and even exciting, would you believe me? You’d be forgiven if you didn’t.

But that’s exactly what KnowBe4’s ‘The Inside Man’ is. For four seasons now, the show has been seamlessly interweaving, believe it or not, cybersecurity awareness training with genuinely entertaining drama.

Sceptical? What if I told you that the inbound fourth season includes air to air helicopter shots, a pipeline on the brink of explosion and original songs? Trust me, this is not your typical corporate training video.

The story so far…

Jim Shields, the series director, has a long history of crafting unconventional training videos. His company, Twist and Shout, has been “entertaining to inform” for nearly 20 years. He does this so well that after producing the first season of ‘The Inside Man’ for the cyber security awareness organisation KnowBe4, they responded by buying his company.

Three seasons and a serious cash injection later, the series has reached almost unimaginable heights. The staggering production value, disarming humour and hypertension-inducing drama all work in synergy to achieve Shields’ goal of “educating you without realising”.

The series follows Mark, a cyber-savant who has just landed a job as IT security analyst at a large corporation. Far from an ideal hire, Mark is in fact a double agent – planted by dark powers to bring down the company’s systems and compromise its data. Before long however, Mark develops an affection for his colleagues and suffers a crisis of faith, questioning who the good guys really are.

That brings us to season four. In a nod to the Colonial Pipeline ransomware attack in 2021, the series begins with a ransomware attack on a major energy provider, threatening gas supplies to a large part of the UK. Viewers, or rather, students, are kept on tenterhooks as Mark and his team work to uncover the vulnerability and regain control.

If you’re still struggling to envision how a series this dramatic can serve an educational purpose, take this scene as an example.

AJ, one of Mark’s colleagues, is attempting to convince the energy provider’s cyber-ignorant CEO of the importance of cybersecurity awareness training. It’s not going well. As the argument reaches a fever pitch, AJ takes a breath, calms down and explains to the CEO:

“Links are meant to be clicked on. Emails are meant to be opened. Teaching people when not to use tools is hard. That’s what we’re here for.”

See what I mean? Sceptical or not, you would be hard pressed to deny the series’ ability to nestle profound, educational truths into moments of high drama.

The second half of the series provides fascinating insight into deep-fake technology. A social media influencer suffers a major blow as a fabricated video of her espousing unsavoury conspiracy theories emerges. The team work to appease the influencer’s disillusioned fan base by explaining deep-fake tech to them and explaining to the influencer how to avoid the situation in the future.

Interwoven with these plot paths is a tangled web of personal, romantic and familial relationships that never fail to complicate life for the characters and heighten drama for the viewer.

Education through emotion

At first glance, cybersecurity and excitement are disparate themes. Night and day, apples and oranges, chalk and cheese. Sit through just 12 bite-sized episodes of “The Inside Man”, and you will no longer see it that way.

That is the magic of the show. It is not a fantasy series, it doesn’t fearmonger, it doesn’t even have to work particularly hard to be exciting. What it does so well is tease out the real life drama of cybersecurity and plaster it on screen for all to see.

If season four is anything to go by, the news that “The Inside Man” has been picked up for a further three seasons promises a continuation of its success.

Shields is particularly excited for the oncoming seasons and the opportunity to further develop the series. “Three more seasons allows us to build the story. The more people fall in love with the characters, the more we are able to teach them,” he said.

John Just, Chief Learning Officer at KnowBe4 and a driving force behind “The Inside Man”, believes that meticulous research is key to walking the line between entertainment and information.

“In focus groups we sometimes get feedback that our ideas could be seen as fear mongering. That’s why we try to keep things realistic, in this season we were inspired by the Colonial Pipeline attack. We’re also not afraid to take on ideas from clients and reinforce ideas that we have already covered,” he said.

Just explained that while verifiable data is still not available, KnowBe4’s research team based in Oslo, Norway is working to quantify the real-world impact of the series. For now, we will just have to settle for the overwhelmingly positive anecdotal evidence of the series’ success. Based on this evidence, Just said that his “hypotheses would be that through engagement, through getting people interested who otherwise wouldn’t be interested, there’s some effect.”

It’s not just KnowBe4’s clients that are benefitting from the series. Abe Jarman, who plays AJ in the show, told press screening attendees that “every season [I] realise how little I know. I’ve done a corporate gig before but this doesn’t feel like one, it just feels like a TV show. The cast feel like my family”.

Kirsty Averton, who plays Violet, also says that she has learned a lot from working on the series. “The main thing I’ve taken from this is passwords! I’m not always as good as I should be but I am way more aware of my passwords and personal security now.”

Forging a new path…

The success of the series proves that cybersecurity’s image problem is far from terminal. Twist and Shout, KnowBe4 and the cast are a shining example of what can be achieved when a touch of creative flair is added to corporate training videos. Watching the series, you get the sense that it’s not just KnowBe4’s clients that will benefit, but the cybersecurity industry at large. Cyberattacks are more common than ever, and cybersecurity awareness is more important than ever. “The Inside Man” should give the industry hope, and with any luck signifies a change in how we approach cybersecurity awareness training.

You can watch the trailer for “The Inside Man” season four here.

The post The Inside Man Season 4: The Future of Cybersecurity Awareness Training appeared first on IT Security Guru.

FBI warns consumers about Black Friday and holiday shopping scams https://www.itsecurityguru.org/2021/11/26/fbi-warns-consumers-about-black-friday-and-holiday-shopping-scams/?utm_source=rss&utm_medium=rss&utm_campaign=fbi-warns-consumers-about-black-friday-and-holiday-shopping-scams Fri, 26 Nov 2021 14:35:44 +0000

The post FBI warns consumers about Black Friday and holiday shopping scams appeared first on IT Security Guru.
According to the Federal Bureau of Investigation (FBI), online shoppers risk losing more than $53 million during this year’s holiday season. With scams ranging from socially engineered emails promising great deals to hard-to-find gifts that are offered for sale but never reach the buyer’s address, the festive season is cybercriminals’ and fraudsters’ favourite time of the year.

So, what should consumers do to shop safely?

We asked cybersecurity experts what they made of holiday shopping scams, which warning signs shoppers should look out for, and what retailers can do to protect shoppers this holiday season.

Andy Renshaw, SVP of product management at Feedzai

As the economy becomes cashless and digitised, the rise in scams is to be expected, and not just around the holidays. In fact, purchase scams, where buyers pay for goods that are never delivered, were the number one fraud attempt in the third quarter of 2021, according to Feedzai’s financial crime report.  

Unfortunately, we can expect purchase scams to increase as consumers take advantage of Black Friday deals and do their holiday shopping online, and people are invited to exercise caution. Consumers should make sure they stay on the lookout for socially engineered emails that promise deals too good to be true and create a sense of urgency around completing a purchase, as these are red flags that could indicate a scam. This is particularly true if consumers have never used these merchants before.

It’s particularly important to look out for the less tech-savvy shoppers, who might have started making purchases online during the pandemic. Consumers are advised to validate retailers’ credibility by searching for online reviews – more often than not, others will have already raised the alarm on fraudulent websites and dodgy sellers. Alternatively, the absence of any reviews or information (negative or positive) could be of concern too.

Jamie Boote, software security consultant, Synopsys Software Integrity Group:

The holidays are a chaotic time for many industries that depend on the retail surge to put their ledgers back in balance. Every year offers increased opportunities for businesses and scammers alike, but this year will be especially dangerous. The supply chain disruptions and high employee turnover rate means that there are new challenges to face and fewer experienced hands to fix them.

Supply chain disruptions create all kinds of opportunities for unscrupulous dealers to introduce risk into end products that might have been passed by in years where parts were easier to come by. Normal suppliers of chips and hardware may not be able to fill demand and desperate vendors may need to source parts with a less pedigreed provenance. These counterfeit chips and parts can degrade reliability and availability, or be vectors for malware and back doors. The remote nature of online store fronts makes it much easier for counterfeit goods to be sold as genuine. By passing on this risk, the burden is placed on the end consumer who has to perform extra diligence in terms of testing and validation or be faced with an attack vector or unreliable hardware.

Unfortunately, sourcing work hours to devote to security is difficult during the holidays, and extra difficult in the midst of the Great Resignation. This time of year is difficult for IT teams that are covering for time off during the holidays while supporting the increase in holiday operations. New hires can help with the issue, but they may lack the training and experience to properly diagnose and respond to security issues. Increasingly, IT departments are turning to outside help for assistance with their security issues.

All this holiday traffic is riding over brand new architectures such as cloud, microservice, and API driven applications. These new services are accompanied by a learning curve and unique tooling needs that, if neglected, can allow attackers to exploit these new systems during the most important time of the year for some industries. Companies need to be extra vigilant this year to secure their systems from attack to prevent malicious traffic from flying under the radar. Any incidents need to trigger a root cause analysis that feeds into a get-well plan to close the hole and any like it.

Hank Schless, Senior Manager, Security Solutions at Lookout:

“People are shopping on their smartphones and tablets more than ever before. Threat actors know that. We receive messages about new deals and shipping updates through SMS and social media platforms all the time. Phishing campaigns based on an event, such as Cyber Monday, are built to imitate those communications. We’re programmed to interact quickly with notifications on our mobile devices. It also doesn’t help that mobile devices have smaller screens and simplified user experience that makes it more difficult to spot many of the red flags that would usually warn us of a phishing attack.”

“To protect yourself from mobile phishing attacks, you should never tap a link from a number or person you don’t recognize. If possible, contact the sender and validate the communication before interacting with the link. If you do tap one of these links, read the full URL in the browser. Phishing sites often use URL spoofing to look like a retailer’s website, for example, but when you view the full URL it’s actually something very different. You should also protect your phone and your personal data by using a mobile security app that offers phishing protection. Not only will this keep your personal data safe, but it also helps protect any work data you access from your personal smartphone or tablet.”
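Schless’s advice to read the full URL is worth making mechanical, because the host a browser actually connects to is often not the one a glance at the link suggests. The following is an added example, not code from Lookout or from this article: a small Python check that extracts the real host, flags the tricks that hide it (a brand name used as a subdomain, credentials before an ‘@’, punycode labels, plain HTTP) and returns a verdict. The trusted-domain list and the sample links are constructed for the example.

```python
from urllib.parse import urlparse

# Domains the customer expects to land on. Constructed for this example; a
# retailer would use its own list (and a bank, its own).
TRUSTED_DOMAINS = ("amazon.com", "ebay.co.uk", "example-shop.com")


def is_same_site(host, domain):
    """True only if host is the domain itself or a label-aligned subdomain.
    'amazon.com.evil.example' must NOT count as amazon.com."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Report the host the browser will really connect to, the trusted brand it
    belongs to (if any) and the reasons the link looks suspicious."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.scheme != "https":
        reasons.append("not https")
    if parsed.username is not None:
        # https://amazon.com@198.51.100.7/ connects to 198.51.100.7; the brand is userinfo
        reasons.append("credentials before '@'; the real host follows the '@'")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible look-alike of a brand name)")
    lowered = url.lower()
    brands_named = [d for d in trusted if d.split(".")[0] in lowered]
    real_brand = next((d for d in trusted if is_same_site(host, d)), None)
    if brands_named and real_brand is None:
        reasons.append(f"names {brands_named[0]} but connects to {host}")
    verdict = "suspicious" if reasons else ("trusted" if real_brand else "unknown")
    return {"host": host, "brand": real_brand, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed links of the kind that arrive by SMS around Cyber Monday.
    for link in (
        "https://www.amazon.com/gp/css/order-history",
        "https://amazon.com.cyber-monday-deals.example/login",
        "https://amazon.com@198.51.100.7/verify",
        "http://xn--amazn-7ra.example/track",
        "https://bit.ly/3xyzabc",
    ):
        result = classify_url(link)
        print(f"{result['verdict']:<10} {result['host']:<42} {'; '.join(result['reasons'])}")
```

The check deliberately reports “unknown” rather than “trusted” for a host it has never heard of, such as a link shortener: the absence of a red flag is not a green one, which is the same reasoning Renshaw applies to merchants with no reviews at all.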

George Papamargaritis, MSS director at Obrela Security Industries:

“Online retailers and e-commerce businesses are key targets of DDoS attacks, especially during the period of peak sales, such as Black Friday / Cyber Monday. It is very important that retailers invest in the security monitoring of their ecommerce infrastructure to protect against this rise in threats.

For instance, monitoring the identity service that provides authentication to end customers can provide early warnings and help ecommerce sites take proactive action before an incident takes place.

Furthermore, e-retailers should invest in threat detection mechanisms that specialise in ecommerce threat monitoring. Such analytics may include specialised visualisation techniques, which establish real-time trends of activity on business-critical ecommerce APIs. These are used as a baseline to allow monitoring on the collected data points to track traffic trends, helping operations teams to analyse and predict threats quickly, before they impact operations.”
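Papamargaritis’s point about baselining the identity service and business-critical APIs can be shown in a few dozen lines. This is an added example, not Obrela’s tooling: it buckets constructed gateway log lines per minute for a login endpoint, learns a baseline (mean and standard deviation of request volume and of the failed-login ratio) from a quiet window, and alerts on later minutes that deviate from it, which is what a credential-stuffing burst against the identity service looks like. The log format, the thresholds and the traffic are assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict

# Gateway log format assumed for this example: ISO timestamp, method, path, status, client IP.
LINE_RE = re.compile(
    r"^(?P<minute>\d{4}-\d\d-\d\dT\d\d:\d\d):\d\dZ "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<ip>\S+)$"
)


def bucket_by_minute(lines, path="/api/v1/login"):
    """Per-minute request total, failed logins (401/403) and distinct source IPs
    for one business-critical endpoint."""
    buckets = defaultdict(lambda: {"total": 0, "failed": 0, "ips": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["path"] != path:
            continue
        b = buckets[m["minute"]]
        b["total"] += 1
        b["ips"].add(m["ip"])
        if m["status"] in ("401", "403"):
            b["failed"] += 1
    return dict(sorted(buckets.items()))


def detect_anomalies(buckets, training_minutes, k=3.0):
    """Learn a baseline from the first `training_minutes` buckets, then flag later
    minutes whose volume or failure ratio exceeds mean + k * stdev. The floors on
    the stdev stop a perfectly flat baseline from alerting on any change at all."""
    minutes = list(buckets)
    train = minutes[:training_minutes]
    totals = [buckets[m]["total"] for m in train]
    ratios = [buckets[m]["failed"] / buckets[m]["total"] for m in train]
    vol_limit = statistics.mean(totals) + k * max(statistics.pstdev(totals), 1.0)
    ratio_limit = statistics.mean(ratios) + k * max(statistics.pstdev(ratios), 0.05)
    alerts = []
    for minute in minutes[training_minutes:]:
        b = buckets[minute]
        ratio = b["failed"] / b["total"]
        why = []
        if b["total"] > vol_limit:
            why.append(f"volume {b['total']} > baseline limit {vol_limit:.0f}")
        if ratio > ratio_limit:
            why.append(f"failure ratio {ratio:.2f} > baseline limit {ratio_limit:.2f} "
                       f"from {len(b['ips'])} source IPs")
        if why:
            alerts.append((minute, why))
    return alerts


def sample_log():
    """Constructed traffic: eleven quiet minutes of 20 logins with 2 failures each,
    then a credential-stuffing burst of 200 attempts, 180 failing, from many addresses."""
    lines = []
    for minute in range(12):
        total, failed = (20, 2) if minute < 11 else (200, 180)
        for i in range(total):
            status = "401" if i < failed else "200"
            ip = f"10.0.{i % 10}.{minute + 1}" if minute < 11 else f"203.0.113.{i % 250}"
            lines.append(f"2021-11-26T10:{minute:02d}:{i % 60:02d}Z POST /api/v1/login {status} {ip}")
    return lines


if __name__ == "__main__":
    buckets = bucket_by_minute(sample_log())
    for minute, why in detect_anomalies(buckets, training_minutes=10):
        print(minute, "|", "; ".join(why))
```

Two signals are kept separate on purpose: a volume spike alone may be a legitimate flash sale, while a rising failure ratio on the identity service with a wide spread of source addresses is the shape of an attack, and that is the early warning the comment describes.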

Steven Hope, CEO and co-founder of Authlogics:

“Retailers and consumers alike face a plethora of threats over the course of cyber week and Black Friday. One particular danger is the use of breached or re-used passwords within an organisation and among its customers. In fact, our research has shown that over 100,000 breached passwords within our database belong to some of the UK’s and the world’s largest retailers. What’s worse is that individuals are also using breached credentials, making them an incredibly easy target for threat-actors who can use these to gain access and launch phishing or ransomware attacks. Considering the fact that most retailers hold sensitive customer data, including payment information, this can be extremely harmful and lead to monetary loss, damage to reputation and even identity theft.”
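Hope’s point about breached passwords raises the practical question of how to check a customer’s or employee’s password against a breach corpus without handing the password to whoever runs the check. The k-anonymity range query that Have I Been Pwned’s Pwned Passwords service popularised does this with the SHA-1 hash: the client sends only the first five hex characters, receives every suffix the server holds for that prefix, and finishes the match locally. The following is an added example, not Authlogics code and not a call to the live service: both sides of that exchange against a small constructed corpus, plus a policy check a signup form could apply.

```python
import hashlib


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus keyed by SHA-1, standing in for the billions of
# hashes a real breached-password service holds. The counts are made up.
BREACH_CORPUS = {
    sha1_upper("password"): 3_000_000,
    sha1_upper("Winter2021!"): 1_200,
    sha1_upper("blackfriday2021"): 90,
}


def range_query(prefix, corpus=BREACH_CORPUS):
    """Server side. The client sends only the first five hex characters of its
    hash; the server answers with every stored suffix sharing that prefix and its
    breach count, so it never learns which password (or even which full hash)
    was being checked."""
    assert len(prefix) == 5
    return {h[5:]: n for h, n in corpus.items() if h.startswith(prefix)}


def breach_count(password, query=range_query):
    """Client side: hash locally, send the prefix, match the suffix at home."""
    digest = sha1_upper(password)
    return query(digest[:5]).get(digest[5:], 0)


def vet_password(password, min_length=12):
    """Policy check for a signup or password-change form."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = breach_count(password)
    if seen:
        return False, f"appears {seen} times in known breaches; choose another"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed inputs a customer might type at checkout.
    for candidate in ("password", "Winter2021!", "blackfriday2021", "correct horse battery staple"):
        print(f"{candidate!r}: {vet_password(candidate)}")
    print("server sees only:", sha1_upper("password")[:5], "->", range_query(sha1_upper("password")[:5]))
```

The same check applied at login, not only at signup, is what turns Hope’s observation into a control: an account whose password has since appeared in a breach can be forced through a reset before a credential-stuffing campaign reaches it.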

Staying Secure When Growing A Business https://www.itsecurityguru.org/2021/09/29/staying-secure-when-growing-a-business/?utm_source=rss&utm_medium=rss&utm_campaign=staying-secure-when-growing-a-business Wed, 29 Sep 2021 09:25:47 +0000

The post Staying Secure When Growing A Business appeared first on IT Security Guru.
Technology is an often overlooked yet vitally important factor when setting up or developing a successful business.

Even if your business does not strictly need digital technology to deliver its services (physical trades, physical stores, etc.), there is always somewhere within your establishment where digital or security technology is a worthwhile investment.

Small businesses can find themselves on the back foot very quickly when starting up. It often isn’t all sunshine and roses, lots of money and great success. There are obstacles along the way, and these often lead to cutbacks and very specific, calculated investments. Digital and physical security are frequent casualties, with many companies opting for a “hope for the best” mentality instead.

If you have a customer base or hold information that your clients or customers would rather not see exposed, properly funded digital security is a necessity. However, many companies do not realise that securing bricks-and-mortar premises matters as much as securing the online customer database. Increasing security at a physical location gives the company visible security, asset theft prevention and deterrence, and better job performance and satisfaction among its employees; good, well-performing employees in turn translate into loyal customers. Luckily, there are a few specific steps any business can take to make itself more secure, digitally or physically, and here are three of our best suggestions.

1. Install Intruder Prevention

A business on commercial premises is more often than not still relying on basic security: locks and bolts, padlocks and keys. Replacing them may seem an unnecessary expense if the premises have never been broken into, but high-security locks are always a recommended investment.

Good locks, however, should only be step one. All businesses should invest in a proper, fully monitored alarm system, whether that means automated police contact or remotely accessible CCTV. In the event of a break-in, the ability to respond immediately, or better still to have an automated response, may mean the difference between major and minor damage or losses to the business.

No effective commercial security system is complete without integrated CCTV. A good system records in real time and lets that footage be viewed remotely. After a break-in, the cameras also help to identify perpetrators, and the recordings may be used as evidence in a prosecution.

2. Invest In Online Security 

Physically securing your business is only the first step. Making its data systems hard to compromise is an entirely different matter. Smaller businesses are among the most attractive targets for criminals, since they are often easier to break into than large corporations yet can still yield a big reward.

A small business does not need an enterprise-scale security programme, but it does need controls that make unauthorised access genuinely difficult: keep software patched, turn on multi-factor authentication for email and administrative accounts, and keep tested backups of the data you cannot afford to lose.

Another way of securing your business online is investing in a TLS certificate (still widely called an SSL certificate). It lets your site serve pages over HTTPS, which encrypts traffic between customer and site and lets the browser confirm it is really talking to your domain, and that builds trust with users. It does not, on its own, fix weaknesses in the site’s own code, so treat it as a baseline rather than a finish line. It also helps from a marketing point of view, as Google favours HTTPS sites in its search rankings, so your business SEO (search engine optimisation) benefits from having one. Michael Ryan, owner of MR SEO, a digital marketing agency in Essex, states: “There are many reasons why a business may not be ranking well or converting online traffic on their site. Having an SSL certificate can often be the difference between customers converting on a business site – especially within eCommerce websites.”

3. Safely Store Or Shred Unwanted Documents. 

Shredding documents may seem like a thing of the past, but the idea no longer applies only to paper. Deleting a file normally removes only the directory entry; the contents stay on the disk until something overwrites them, so they can be recovered if hardware is stolen or misplaced. Investing in software that erases unwanted but sensitive data properly closes that gap, whether by overwriting it or, on modern SSDs where wear-levelling makes overwriting unreliable, by encrypting the drive and destroying the key. Old invoices and private emails are typical candidates. For paper-based documents, nothing beats a shredder, even in the modern office.

A massive part of growing a business and keeping it successful is making sure it is secure, both physically and digitally. Effective investment in security can yield stability and success for years to come.

PRODUCT REVIEW – Edgescan makes fullstack vulnerability management easy https://www.itsecurityguru.org/2021/04/21/product-review-edgescan-makes-fullstack-vulnerability-management-easy/?utm_source=rss&utm_medium=rss&utm_campaign=product-review-edgescan-makes-fullstack-vulnerability-management-easy Wed, 21 Apr 2021 16:01:21 +0000

The post PRODUCT REVIEW – Edgescan makes fullstack vulnerability management easy appeared first on IT Security Guru.
Supplier: Edgescan

Website: www.edgescan.com

Price: Based on assets

Scores

Performance 5/5

Features 5/5

Value for Money 4/5

Ease of Use 5/5

Overall 5/5

Verdict: Fullstack vulnerability management made easy – Edgescan does all the hard work so you don’t have to

The pandemic has undoubtedly led to a massive surge in cyber-attacks but even as restrictions start to ease, businesses can’t afford to relax as these threats will keep evolving and continue long into the future. Vulnerability assessment, management and mitigation are critical to survival in this harsh landscape but far too many businesses rely only on automated solutions which can leave gaping holes in their cyber defences.

One of the biggest problems with vulnerability assessment automation is assessment coverage and the number of inaccuracies, false positives and false negatives it can generate. Feeding these into a threat tracking system can be a complete waste of resources as security teams will spend valuable time chasing down false findings.

Edgescan takes an innovative approach to vulnerability assessment by combining machine-based analytics and automation with human intelligence. Coined ‘fullstack vulnerability intelligence’, Edgescan uses a two-fold approach allowing it to automate common, repetitive tasks but bring human decision making to more complex duties such as vulnerability validation, risk assessment and prioritization. It also covers both the web application layer and supporting host infrastructure.

Using dedicated teams of in-house security analysts combined with custom vulnerability automation, Edgescan sorts the wheat from the chaff and presents its findings to customers showing clearly where they should be directing their resources. It manually validates threat feeds ensuring only actionable data is being received allowing businesses to focus on the weaknesses and risks that matter.

 

The Edgescan web portal dashboard provides a clear overview of your security posture and all detected threats

Deployment

Easily deployed as a SaaS (security as a service) solution, Edgescan is completely agent-less and requires no on-premises scanners as everything is run from the cloud. Onboarding is equally pain-free as the customer fills in a form declaring the assets they want protected which can include network devices, applications, APIs and anything with an IP address or URL that could be exposed.

If internal network scanning is required, Edgescan deploys a production-ready jump-box as a virtual machine (VM) that provides a secure connection to the customer network. An Amazon Machine Image (AMI) version is also available on AWS allowing Edgescan to assess a company’s cloud services.

Licensing options are extensive with Edgescan Essentials providing the tools for foundational assessments across an enterprise network to discover and determine a basic web app security posture. The Standard license expands services to include authenticated testing, the Advanced license adds on-demand logic and penetration testing for critical apps while the Host version provides vulnerability management services for hosts and servers.

All detected vulnerabilities can be viewed in the console which provides a wealth of filtering and reporting tools

The new web console

Having previous experience with Edgescan, we can safely say its new award-winning (Good Design Awards 2020) user interface is a significant improvement. The original dashboard was very informative but the revamped web interface places all the most important information at your fingertips and provides improved user navigation.

The new dashboard presents a simplified actionable data view that shows clearly what your security posture is. The score presented by the exposure factor graph is derived by taking the combined vulnerability score for all your public facing assets and dividing it by the number of exposed assets.

The risk over time graph is self-explanatory while the MTTR (mean time to remediate) graph shows how effective your teams are at closing vulnerabilities. Select any of these graphs and the main window to the right changes to reflect their values where you can apply filters to show all or specific assets over a custom time period.

The lower graph can be changed to show a range of valuable information such as the CVSS landscape, average patch performance for assets with CVE-related vulnerabilities, the top assets at risk and your score for remediation performance. The pie chart alongside can be set to show the top vulnerabilities grouped by threat, severity or risk and clicking on the chart transports you straight to the console’s vulnerabilities page with a filter already applied that is based on the section of the chart selected.

Edgescan has a sharp focus on API security and runs customized scans to determine their security posture

Assets, vulnerabilities and hosts

Many of the menus from the previous console have been tidied up and are now accessed from a simple navigation bar across the top with four options for viewing the dashboard, assets, vulnerabilities and hosts. You can see all your assets in one screen and apply a wide range of filters to fine-tune the information presented. Custom filters can be saved and easily recalled at the click of a link and everything in the GUI can also be accessed via the Edgescan API if required.

Click on an asset and it takes you to a deep-dive screen which reveals a wealth of information such as its priority, combined risk score, associated applications and networks, risk over time and a scanning schedule.

The view menu above the risk graph shows how smart Edgescan is as it’ll transport you directly to the relevant screen based on your selection. Choose the highest risk vulnerability view, for example, and with one click, the screen changes to show a critical listing for the selected asset.

APIs

API security assessment is a key strength of Edgescan: it builds out from external IP monitoring to pinpoint hosts that expose APIs. It also treats APIs differently from vendors that test them exactly as they would a web app, an approach that rarely says anything useful about API vulnerabilities.

Web apps are designed to interact with humans whereas APIs interact with machines so Edgescan runs different sets of tests on them. Using automated multi-layered checks and human verification, it probes endpoints to discover all known, unknown and shadow APIs, sends requests to see if and how they respond and determines their security posture.

You can view all API information in the console’s asset view and drill down into each one for more information. The resultant screen shows details such as the API’s priority, combined risk score plus affected applications and, unlike other solutions that charge per scan, the licenses allow you to submit retest requests to Edgescan’s security experts.
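The gap between the APIs a team has documented and the ones actually answering requests is what the review calls known, unknown and shadow APIs. As an added example (not Edgescan’s code, which the review does not show), here is one way to find shadow routes from evidence an organisation already holds: compare a route inventory in OpenAPI style against gateway access logs and report every method and path that no documented template covers. The inventory and the log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed route inventory in the style of an OpenAPI document: the endpoints
# the team believes it exposes.
DOCUMENTED_ROUTES = {
    "GET /api/v1/products",
    "GET /api/v1/products/{id}",
    "POST /api/v1/cart",
    "POST /api/v1/checkout",
}

# Constructed gateway access-log lines ("method path status").
ACCESS_LOG = """\
GET /api/v1/products?page=2 200
GET /api/v1/products/8841 200
POST /api/v1/cart 201
GET /api/v1/products/8842 200
POST /api/v1/checkout 200
GET /api/v2/products/8841 200
GET /api/internal/export/customers 200
POST /api/v1/admin/refund 403
""".splitlines()


def template_to_regex(template):
    """'/api/v1/products/{id}' -> regex matching exactly one concrete path
    segment in place of each {param}."""
    literal_parts = re.split(r"\{[^/}]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in literal_parts) + "$")


def generalise(path):
    """Collapse purely numeric segments so one shadow route is reported once,
    not once per object id."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def classify_traffic(log_lines, documented=DOCUMENTED_ROUTES):
    """Split observed requests into documented routes and shadow routes."""
    inventory = []
    for route in documented:
        method, template = route.split(" ", 1)
        inventory.append((method, template, template_to_regex(template)))
    known, shadow = Counter(), Counter()
    for line in log_lines:
        method, raw_path, _status = line.split()
        path = raw_path.split("?", 1)[0]          # query strings never define a route
        match = next((t for m, t, rx in inventory if m == method and rx.match(path)), None)
        if match:
            known[f"{method} {match}"] += 1
        else:
            shadow[f"{method} {generalise(path)}"] += 1
    return known, shadow


def shadow_routes(log_lines, documented=DOCUMENTED_ROUTES):
    """Routes seen in traffic that no documented template covers."""
    return sorted(classify_traffic(log_lines, documented)[1])


if __name__ == "__main__":
    known, shadow = classify_traffic(ACCESS_LOG)
    print("documented:", dict(known))
    print("shadow:    ", dict(shadow))
```

Note that the 403 on the undocumented admin route is still a finding: the endpoint exists, is reachable from the edge and is in nobody’s inventory, which is exactly the kind of asset a vulnerability programme ends up not scanning.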

A smart feature of Edgescan is you can send retest requests to its security teams

Conclusion

By delivering a smart combination of scan automation and human intelligence, Edgescan takes vulnerability assessment and management to the next level. Its security experts manually validate all feeds, so customers can be assured of accurate vulnerability data, which can save any organisation a great deal of time.

Edgescan clearly shows all detected vulnerabilities accompanied by valuable advice on fixing them but if a customer has any issues understanding the threat, Edgescan support can guide them through the remediation process. It’s simple to deploy with flexible licensing schemes, the new web console is very well designed and Edgescan’s security teams make false positives a thing of the past.

 

 

Tweet Chat: The Social Dilemma https://www.itsecurityguru.org/2021/04/12/tweet-chat-the-social-dilemma/?utm_source=rss&utm_medium=rss&utm_campaign=tweet-chat-the-social-dilemma Mon, 12 Apr 2021 15:31:54 +0000

The post Tweet Chat: The Social Dilemma appeared first on IT Security Guru.
Released in 2020, the documentary-drama, ‘The Social Dilemma’, offers a thought-provoking and alarming depiction of our reality today. The film exposes the ruthless nature of tech giants seeking to reinforce marketing algorithms for monetary gain and the consequences that have emerged as a result; from eliciting mental health issues and nurturing addictions to promoting the spread of fake news, and threatening democracy.

Whilst it certainly offers a somewhat biased, or one-sided take on the social media phenomenon, the film nevertheless raises a number of important concerns that are worth addressing.

As part of Eskenzi PR’s latest initiative, the Eskenzi Cyber Book & Film Club, cybersecurity and cyberpsychology experts were invited to take part in a Tweet Chat to discuss some of these very issues. Specifically, we were joined by Brian Higgins, Director at ARCO Cyber Security and Security Specialist at Comparitech; Anete Poriete, UX Researcher and Cyber Psychologist at CyberSmart; Madeline Howard, Director at Cyber Cheltenham (CyNam); and Neil Stinchcombe, co-founder of Eskenzi PR.

To read up on all of their insights, check out the Eskenzi Twitter or look under the hashtag #EskenziClubSD !

What is the biggest problem with social media?

In the same way the documentary began, the event kicked off with a rather broad question:

“What do you think is the biggest problem with social media today? Is there a problem?”

A general consensus suggested that a lack of regulation and ownership of responsibility has played a central role in the failings of social media.

For Brian Higgins, part of the problem can be attributed to our ignorance. Indeed, if we are unaware that we are in the matrix, how can we then solve the issue, let alone recognise the problem in the first place?

Social Media: Tool or Manipulation Instrument?

During the film, Tristan Harris, former design ethicist at Google and co-founder of the Center for Humane Technology, suggested that we had “moved away from a tools based technology environment, to an addiction and manipulation used technology environment. Social media isn’t a tool waiting to be used. It has its own goals, and it has its own means of pursuing them by using your psychology against you.”

The argument suggests that algorithms and artificial intelligence are increasingly adept at understanding who we are, and are leveraging this knowledge to curate our reality as well as influence our thoughts and decisions.

In addition to algorithms, however, is the platform offered to ‘influencers’.

Unfortunately, it seems our habit of consuming bite-size information has also made us more susceptible to manipulation, as both our attention spans and our critical thinking suffer.

To Intervene or Not to Intervene

Recognising the imperfect nature of social media design then, we wondered if intervention by tech giants is required, particularly with regards to disinformation/misinformation.

Yet, the issue of misinformation is not always clear cut. In fact, a recent study conducted by Facebook suggests that it is not necessarily false information that creates problems but content that doesn’t “outright break the rules”.

The study sought to understand the spread of ideas on social media and how it was affecting Covid-19 vaccine hesitancy. Despite the platform banning false and misleading statements about the vaccine, many statements, including expressions of concern or doubt, are too ambiguous to be removed yet have been found to contribute to hesitancy. This is especially true when the message is promoted by influencers and concentrated within like-minded communities that act as an echo chamber.

Anete Poriete explains this further:


To address the issue, Madeline Howard believes proactive engagement is necessary.

This then led us to question whether it is ever okay to amplify a message.

The Privacy Paradox

The news is full of concern about privacy and we all say it is very important, but the way we act is often contradictory. There is a cognitive dissonance here: we claim to value our privacy, yet we continue to use services such as Facebook that undermine it, and we often choose to overshare details of ourselves and our lives on those platforms.

Interestingly, our offline behaviours also make us susceptible to cybercrime.

Recommendations and Solutions

To conclude the Tweet Chat, we asked the experts what they thought about the use of verified ID in helping to make us safer online and the concept of ethical-by-design.

In response to verified ID, the verdict was clear that it would encourage accountability. Nevertheless, as Anete points out, anonymity can also serve as a safety measure. As such, ID verification should be subject to choice. Neil added that the security of one’s identification should also be considered before ID verification is implemented on a wider scale.

In respect to the concept of ‘ethical-by-design’, it was agreed that ethics is ever-evolving and subjective; and should, therefore, be regularly evaluated. The key is in ensuring that technological design is working in the user’s best interest and operates with transparency.

A Concluding Note

While the Tweet Chat mainly focused on the negative consequences of social media, it is important to recognise that it has also brought us many benefits which cannot and should not be neglected. We hope this discussion has provided you with some food for thought.

Decrypting Cryptocurrencies https://www.itsecurityguru.org/2021/04/02/decrypting-cryptocurrencies/?utm_source=rss&utm_medium=rss&utm_campaign=decrypting-cryptocurrencies Fri, 02 Apr 2021 09:37:19 +0000

The post Decrypting Cryptocurrencies appeared first on IT Security Guru.
By Chris Sedgwick, director of security operations at Talion

Cryptocurrencies are a topic that touches many areas; not only finance and investing but technology and even political arenas. Although apolitical in itself, it is the structure behind these cryptocurrencies that make them a much talked about subject amongst political purists from across the political spectrum. This structure can be boiled down to the following; think of cryptocurrencies as a ‘big spreadsheet’, and when you ‘mine’ crypto you essentially fill in the spreadsheet, keeping the ledger up to date on who is transferring currency to another party.

It is perhaps this decentralised nature that has contributed to the meteoric rise in cryptocurrency value. Modern investors see the value in an immutable ledger: once a transaction is recorded, external users or third parties cannot alter it without the tampering being detectable by everyone else holding a copy. This becomes more crucial when you consider the impact that quantitative easing has had on the economy over the past several decades. Bitcoin and other cryptocurrencies with a fixed issuance schedule are, unlike fiat currency, insulated from quantitative easing: the protocol, not a central bank, determines how many coins exist at any time, so the supply cannot be expanded at will. This has contributed to more individuals over the years turning to cryptocurrencies as a ‘safe-haven asset’ in the same way that investors would traditionally turn to gold. In my eyes, I see Bitcoin as better at being Gold than Gold itself, because of its ability to be infinitely divisible into micro units and decimal points of a Bitcoin rather than a single gold coin. It also inherits another important characteristic of Gold which has fuelled its rise in price: it is finite – there will only ever be 21 million of them in circulation (once all mined). Compare this with modern fiat currency and its money printing and inflation: a fifth of all US dollars were created in 2020, and now in 2021 President Biden is considering a $1.9 trillion stimulus plan. Indeed, it is this effort by central banks across the globe to print their way out of a pandemic/unstable economy that – in my opinion – has led to the exponential price increase in Bitcoin during 2020 rather than any other factor. As long as this continues (which it almost certainly will), faith in fiat currency will wane and interest in “unprintable” cryptocurrencies will only increase.
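The ‘big spreadsheet’ and the claim that past transactions cannot be tampered with both come down to how the ledger is built: each block commits to the previous block’s hash, and a proof-of-work nonce makes every block expensive to produce. The following added example (not from the article, and a toy rather than any real coin’s protocol) mines a short chain, verifies it, then edits a historic transaction to show that the change breaks that block’s own hash, and that re-mining the edited block still leaves every later block pointing at a hash that no longer exists. The difficulty, the transaction format and the opening balances are assumptions made for the example.

```python
import hashlib
import json
from collections import defaultdict

DIFFICULTY = 3  # leading hex zeros a block hash must have; tiny, so mining takes milliseconds


def block_hash(block):
    """SHA-256 over the canonical JSON of every field except the stored hash."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def mine_block(prev_hash, transactions, height):
    """'Filling in the spreadsheet': bundle transactions, link to the previous
    block's hash, then search for a nonce that gives the block a valid hash."""
    block = {"height": height, "prev_hash": prev_hash,
             "transactions": transactions, "nonce": 0}
    while True:
        digest = block_hash(block)
        if digest.startswith("0" * DIFFICULTY):
            block["hash"] = digest
            return block
        block["nonce"] += 1


def build_chain(batches):
    chain = [mine_block("0" * 64, [], 0)]          # genesis block
    for txs in batches:
        chain.append(mine_block(chain[-1]["hash"], txs, len(chain)))
    return chain


def verify_chain(chain):
    """Every block must hash to its stored hash, meet the difficulty, and point
    at the hash of the block before it."""
    for i, block in enumerate(chain):
        if block_hash(block) != block["hash"]:
            return False, f"block {i}: contents do not match its hash"
        if not block["hash"].startswith("0" * DIFFICULTY):
            return False, f"block {i}: hash does not meet difficulty"
        if i and block["prev_hash"] != chain[i - 1]["hash"]:
            return False, f"block {i}: prev_hash does not point at block {i - 1}"
    return True, "chain intact"


def balances(chain, initial):
    """Replay the ledger to see who holds what (no overdraft check; see note)."""
    totals = defaultdict(int, initial)
    for block in chain:
        for tx in block["transactions"]:
            totals[tx["from"]] -= tx["amount"]
            totals[tx["to"]] += tx["amount"]
    return dict(totals)


if __name__ == "__main__":
    # Constructed transactions.
    chain = build_chain([[{"from": "alice", "to": "bob", "amount": 5}],
                         [{"from": "bob", "to": "carol", "amount": 2}]])
    print(verify_chain(chain), balances(chain, {"alice": 10}))
    chain[1]["transactions"][0]["amount"] = 500          # rewrite history
    print(verify_chain(chain))
    chain[1] = mine_block(chain[0]["hash"], chain[1]["transactions"], 1)  # re-mine the edited block
    print(verify_chain(chain))                            # block 2 now points at a hash that no longer exists
```

What the toy shows is detectability: anyone holding a copy of the chain can see that history was rewritten. The stronger property the article relies on, that nobody can get a rewritten chain accepted, comes from consensus across many miners, so an attacker would have to out-mine the rest of the network from the edited block onward. A real node also validates each transaction (signature, sufficient balance) before including it; balances() here only replays the ledger.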


Are Cryptocurrencies a Bubble or a ‘Safe-haven’?

One key difference between cryptocurrencies and traditional safe-haven assets is that the former has not yet been subjected to a full recession. Even the 2008 financial crisis was imbued with substantial safety nets for many of the organisations that needed to be bailed out. Perhaps this is what contributed to the rise of cryptocurrency and a rejection of centralised or government owned banks.

As a cultural movement, cryptocurrencies represent a seismic cultural shift to a new form of radically decentralised currency, not controlled by ‘third parties’ such as banks, governments, or hedge fund directors that use the stock market as a playground. One can compare the influence that cryptocurrencies have had on the current zeitgeist to the invention of the Internet or rail travel. Whenever there is a new technology, we see these ‘manias’ pop up as stakeholders race to cash in on the latest gold-rush. A key point here is that cryptocurrencies are not only a new technological innovation, but a technological monetary innovation, making it much easier for people to “buy in” to it when compared to previous, less publicly accessible innovations. While it is important to note that with any gold-rush there will be winners and losers, all indications are that the traction this movement has gained recently means it will not be a bubble. As more and more big companies start making moves towards accepting cryptocurrencies, the ‘network effect’ will really hit and the price will respond accordingly, such is the nature of pure supply/demand economics immune from money printing.


Cybersecurity Concerns of Cryptocurrencies

The biggest security threat facing cryptocurrency investors is generally user-facing and avoidable. The vast majority of the time, the proper security steps have not been taken when storing cryptocurrencies in coin wallets. Storing currency on an online exchange means that the security of your cryptos is entirely in the hands of the website owner. One need look no further than the example of Mt. Gox, an online Bitcoin wallet based in Japan. In 2014 the wallet lost about 850,000 Bitcoin belonging to thousands of customers.

The best way to avoid this kind of financial fiasco is to store assets away from online connections in an offline “cold storage” wallet. This keeps your assets much safer, as physical access to the device would be required to gain access to the private keys needed to facilitate transactions. If you are using an online service for this purpose, then you must ensure that it is secured by at least two-factor authentication (2FA). This will help reduce cybercriminal activity by limiting access in the event of breached credentials. Remember, if you don’t use an offline cold storage unit then you are putting your assets, and faith, in the hands of the website owners to maintain the security of their website. If you fail to secure your investments with a minimum of 2FA then you run the risk of unauthorised access to your wallet in only a matter of clicks. At this point it is also worth considering that acquiring a cold storage wallet is not entirely risk free in itself. A few months ago, cryptocurrency wallet manufacturer Ledger announced that it had suffered a breach via its website and leaked thousands of users’ data. Whilst the information itself didn’t contain passwords, it included details such as physical addresses, phone numbers and emails. Despite the victims of the breach being security conscious and buying such a device, their address (and most likely the physical location of a cryptocurrency wallet with potentially a large amount stored on it!) has now been compromised, and there are many horror stories of individuals being threatened with physical violence and home invasions if they do not relinquish their assets.

In the final three months of 2020, crypto-mining malware surged by 53%, as sources correlate the increasing value of Bitcoin with the increased volume of crypto-mining malware attacks. There is a very common confusion that a rise in coin-mining malware is intrinsically correlated to the price of Bitcoin. Coin-mining malware will be mining Monero, not Bitcoin, and will require a relatively light amount of processing power in comparison. To mine Bitcoin, you ideally need some real estate in the Arctic Circle and a mining rig linked to He-Man on a treadmill, rather than just infecting someone’s laptop with malware and utilising their GPU. Coins such as Monero are favoured over other smaller “alt-coins” amongst individuals looking to use their gains for illegal purposes, as there is no tracking of transactions and the blockchain is not transparent. However, the rising concern over this malware should make any cryptocurrency investor double-check their security controls.


Regulation

While there are regulatory controls around cryptocurrencies, they mostly encompass the financial earnings that must be reported through HMRC and official channels. Governments do have some control over the onboarding of cryptocurrencies, as most trading services require you to submit proof of identification with a passport and phone number. While, as previously stated, all cryptocurrency transactions are tracked, they include no personally identifiable details, maintaining autonomy and anonymity.

One might suggest that the user-generated, decentralised notion of cryptocurrencies inherently rejects the concept of regulatory authority. Indeed, for any individual or collective to take control of Bitcoin, they would need at least 50% of all coins in circulation in what is handily dubbed a “majority attack” or “51% attack”. This would allow them to corrupt the blockchain and control the overall value. However, to do so would require them to take control of more than half of the current mining power of Bitcoin, which is completely unfeasible.
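The “more than half of the mining power” threshold above can be made concrete with the catch-up calculation from the Bitcoin whitepaper (section 11). This is an added example, not part of the original article: it computes the probability that an attacker holding a share q of the total hash rate ever overtakes the honest chain from z blocks behind, and how many confirmations a recipient should wait for to push that risk below a chosen level. The function names and the 0.1% target are this example's own choices.

```python
"""Attacker catch-up probability vs. hash-rate share (Nakamoto, section 11)."""
import math
from typing import Optional


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash-rate share q eventually
    overtakes the honest chain after falling z blocks behind.

    p = 1 - q is the honest share. With q >= p the attacker's chain grows
    at least as fast as the honest one, so catching up is certain: that is
    the whole reason a majority of mining power is the decisive threshold.
    """
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("q must be in [0, 1] and z must be non-negative")
    p = 1.0 - q
    if q >= p:
        return 1.0
    # Expected number of attacker blocks mined while the honest chain
    # extends by z blocks; the attacker's progress is Poisson(lam).
    lam = z * (q / p)
    total = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        # (q/p)^(z-k): gambler's-ruin chance of closing a gap of z-k blocks
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_needed(q: float, target: float = 0.001) -> Optional[int]:
    """Smallest number of confirmations z such that a minority attacker
    with share q succeeds with probability below `target`.

    Returns None when q >= 0.5, because no number of confirmations helps
    against a majority attacker.
    """
    if q >= 0.5:
        return None
    z = 0
    while attacker_success_probability(q, z) >= target:
        z += 1
    return z


if __name__ == "__main__":
    for q in (0.10, 0.30, 0.45, 0.50):
        z = confirmations_needed(q)
        print(f"q={q:.2f}: {'no safe z' if z is None else f'{z} confirmations'}")
```

With q = 0.10 the attacker's chance from one block behind is about 20%, and five confirmations bring it under 0.1%; at q = 0.50 the probability is 1 for every z, which is what the paragraph above means by a majority attack.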

Even now, cryptocurrencies are becoming more commonplace in day-to-day transactions. Homeowners are accepting cryptocurrency payments on Rightmove, minimising the need for third-party involvement such as banks or mortgage approvals. Even ‘hipster hospitality’ is accepting crypto as a form of tender to buy the most expensive mac and cheese that Camden Market has to offer. Back in 2016 I remember paying for a £3.00 Tesco meal deal with Bitcoin. If I had held on to this, it would now have the value of around £200! While the market value of cryptocurrencies is subject to fluctuation, the increasing desire for a decentralised, international form of legal tender will only grow. As more investors turn to cryptocurrencies it is essential that they not only know how and why to invest, but perhaps more importantly, users must know how to secure their investments. As crypto-mining software rises, and the number of cryptocurrencies on the market increases, we will certainly be seeing more unfortunate headlines about stolen assets, house invasions, hard drives mistakenly buried in landfill sites and overpriced meal deals.

The post Decrypting Cryptocurrencies appeared first on IT Security Guru.

]]>