NCSC Weekly Threat Report | 18/06/2019 | GenesisIT,Hull

NCSC Issues Weekly Threat Report

Genesis Business Systems Blog

Research carried out by Rapid7 has highlighted that 88% of FTSE 250+ companies are not prepared for phishing attacks and have inadequate policies in place for the public email configuration of their primary email domains.

The report has also highlighted that:

  • on average, 35 servers/devices per company have a public attack surface exposed, with some companies having as many as 1000 systems/devices exposed.
  • 19% of FTSE 250+ organisations are not enforcing SSL/TLS on their primary websites.
  • Regardless of industry sector, many businesses are not managing patches/version updates of critical internet facing devices.

With the majority of UK companies employing, and relying on, digital systems to operate, good cyber security practice is essential. Management should understand this risk and implement a ‘best practice policy’ to mitigate risk to both physical and financial security.

The FBI have also warned of a growing rise in phishing attacks that imitate trustworthy websites. These attackers obtain website verification certificates from third-party certificate authorities, so that their fake sites display the ‘S’ in HTTPS and the padlock symbol. These signs only indicate that the connection is encrypted; they do not necessarily mean that the website is genuine.

The NCSC have published the following guidelines for spotting suspicious emails:

Here are some tips on spotting phishing emails

  • Many phishing emails have poor grammar, punctuation and spelling.
  • Is the design and overall quality what you'd expect from the organisation the email is supposed to come from?
  • Is it addressed to you by name, or does it refer to 'valued customer', or 'friend', or 'colleague'? This can be a sign that the sender does not actually know you, and that it is part of a phishing scam.
  • Does the email contain a veiled threat that asks you to act urgently? Be suspicious of words like 'send these details within 24 hours' or 'you have been a victim of crime, click here immediately'.
  • Look at the sender's name. Does it sound legitimate, or is it trying to mimic someone you know?
  • If it sounds too good to be true, it probably is. It's most unlikely that someone will want to give you money, or give you access to a secret part of the Internet.
  • Your bank, or any other official source, should never ask you to supply personal information from an email.

Try to check any claims made in the email through some other channel. For example, call your bank to see if they actually sent you the email, or do a quick Google search on some of the wording used in the email.

Employees represent the single biggest threat to a company's cyber security, with phishing attacks accounting for 98% of social incidents and 93% of investigated breaches. Therefore, it is essential not only to understand the risk of phishing attacks, but also to ensure there are adequate policies in place and that staff are educated.

To help protect your business, speak to @GenesisIT about vulnerability tests. We can assess your current IT infrastructure and provide guidance on how to address any weaknesses in your cyber security policy. We can be contacted on 01482 210999 or by email on [email protected]