At The Identity Organisation, we're here to help!


    Effective Security Is Non-Punitive

    Companies need to stop blaming employees who fall for scams and instead focus on proper training and security controls, says Chris Taylor at Trend Micro. Taylor cites the case of a Scottish media company, Peebles Media Group, which is currently suing a former employee who fell victim to a business email compromise attack.

    Peebles recovered £85K from its bank but is suing the employee for the remaining £108K.

    Taylor argues this is the wrong approach, particularly because the employee in question says she never received training to identify scams. “Like many employees, when an email request appears to come from an executive, the recipient is often so focused on appearing responsive, that they do not realise the email is an impersonation,” writes Taylor. “It’s important to make sure your employees are aware of these attacks and can look for signs that the email is a fraud. Train them not to respond, open an attachment, or click on a link when an email is suspicious or unexpected.”

    Organisations should ensure that their employees know what to look for when it comes to social engineering attacks. A company that neither trains its employees nor has the security controls in place to monitor transactions cannot claim to be blameless when an employee falls for a scam. We could not agree more with Trend Micro.

    To find out how to help your organisation cost-effectively avoid cyber attacks, visit www.tidorg.com (copy and paste the link into your browser) or drop us a mail at info@tidorg.com


    The NoRelationship Attack Bypasses Office 365 Email Attachment Security

    Attackers are bypassing Office 365 email attachment security by editing the relationship files that are included with Office documents, according to Yoav Nathaniel at Avanan.

    A relationship file is an XML part inside the Office document’s ZIP container (for a Word file, word/_rels/document.xml.rels) that maps the IDs used in the document body to the components they refer to, such as font tables, settings, and external links. According to Nathaniel, a number of popular email filters, including Microsoft’s Exchange Online Protection (EOP), scan only the links listed in the relationship file rather than the entire document.

    If an attacker deletes the link entries from a document’s relationship file, a filter that reads only that file sees no links, yet the links still exist in the document body. Nathaniel compares the relationship file to the index of a book. “Sometimes, key terms might not be included in the index, but they are still in the book,” he says. “In this attack, hackers deleted the external links from the relationship file to bypass link parsers that only read the index rather than the ‘book.’”

    When a user opens the document after it has passed the security scan, the Office application recreates the hyperlinks that were removed from the relationship file, so they are clickable again. The practical lesson for anyone writing or evaluating an attachment scanner is to parse every XML part of the package, not just the relationship index.
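    The scanning gap Nathaniel describes is closed by reading the “book” rather than the index. The Python below is an added example, not Avanan’s tool or Microsoft’s filter code: it unzips a .docx, collects the external targets declared in every .rels part, collects every URL found in the text and attributes of the other XML parts, and reports links that are present in the body but absent from the relationships. The two sample documents are constructed in memory; the stripped sample carries its link as a Word HYPERLINK field code, which is assumed here as one way a link can sit in the body without a relationship entry, and the URL and relationship IDs are made up.

```python
"""Scan a .docx for hyperlinks that live in the document body but are declared in no
relationship (.rels) part: the blind spot of a link parser that reads only the 'index'.
Added example, not Avanan's or Microsoft's code; the two sample documents are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
FIELD_RE = re.compile(r'HYPERLINK\s+"([^"]+)"')  # Word HYPERLINK field code, target inline in the body

# Minimal package plumbing so the samples are structurally valid (if tiny) .docx files.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    "</Types>"
)
ROOT_RELS = (
    f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
    f'Type="{R_NS}/officeDocument" Target="word/document.xml"/></Relationships>'
)


def build_docx(document_xml: str, document_rels: str) -> bytes:
    """Assemble an in-memory .docx from a body part and its relationship part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", ROOT_RELS)
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


def declared_external_links(z: zipfile.ZipFile) -> set:
    """The 'index': every TargetMode="External" relationship in any .rels part."""
    found = set()
    for name in z.namelist():
        if name.endswith(".rels"):
            for rel in ET.fromstring(z.read(name)).iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    found.add(rel.get("Target"))
    return found


def embedded_links(z: zipfile.ZipFile) -> set:
    """The 'book': URLs and HYPERLINK field codes in the text and attributes of every
    non-.rels XML part. Namespace declarations are not attributes after parsing, so the
    schema URIs do not produce false positives."""
    found = set()
    for name in z.namelist():
        if name.endswith(".xml") and not name.endswith(".rels"):
            for el in ET.fromstring(z.read(name)).iter():
                for s in (el.text or "", el.tail or "", *el.attrib.values()):
                    found.update(URL_RE.findall(s))
                    found.update(FIELD_RE.findall(s))
    return found


def undeclared_links(docx_bytes: bytes) -> set:
    """Links a rels-only scanner never sees: present in the body, absent from every .rels."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return embedded_links(z) - declared_external_links(z)


# Constructed sample 1: an ordinary document. The body holds only r:id="rId7";
# the URL itself is declared in document.xml.rels, where an index-only filter finds it.
NORMAL_DOC = (
    f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:body><w:p>'
    '<w:hyperlink r:id="rId7"><w:r><w:t>quarterly report</w:t></w:r></w:hyperlink>'
    "</w:p></w:body></w:document>"
)
NORMAL_RELS = (
    f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId7" Type="{R_NS}/hyperlink" '
    'Target="http://invoice.example.test/report" TargetMode="External"/></Relationships>'
)

# Constructed sample 2: the NoRelationship pattern. The relationship part declares no
# external target, but the body carries the same URL as a HYPERLINK field code
# (assumed here as one body-side form a link can take; not a captured sample).
STRIPPED_DOC = (
    f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:body><w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> HYPERLINK "http://invoice.example.test/report" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    "<w:r><w:t>quarterly report</w:t></w:r>"
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    "</w:p></w:body></w:document>"
)
STRIPPED_RELS = f'<Relationships xmlns="{REL_NS}"/>'


if __name__ == "__main__":
    for label, doc, rels in (("normal", NORMAL_DOC, NORMAL_RELS), ("stripped", STRIPPED_DOC, STRIPPED_RELS)):
        print(label, "undeclared links:", sorted(undeclared_links(build_docx(doc, rels))))
```

    Run against the normal sample the set of undeclared links is empty, because the only link is properly indexed; against the stripped sample it contains the URL, which is exactly the case a rels-only parser reports as clean. The same walk over every part also catches links in headers, footers and comments, which have their own .rels files and are easy to overlook.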



    Cyber Espionage Warning: The Most Advanced Hacking Groups Are Getting More Ambitious

    Where attackers once needed the latest zero-day vulnerability to gain access to corporate networks, today spear-phishing emails built on social engineering are the most likely route to the initial entry they need.

    The Top 20 most notorious cyber-espionage operations have increased their activity by a third in recent years – and are looking to conduct more attacks, according to Symantec.

    The most advanced hacking groups are becoming bolder when conducting campaigns, with the number of organisations targeted by the biggest campaigns rising by almost a third.

    A combination of new groups emerging and threat actors developing successful strategies for breaking into networks has seen the average number of organisations targeted by the most active hacking groups rise from 42 between 2015 and 2017 to an average of 55 in 2018.

    The figures detailed in Symantec’s annual Internet Security Threat Report suggest that the Top 20 most prolific hacking groups are targeting more organisations as the attackers gain more confidence in their activities.

    Groups like Chafer, DragonFly, Gallmaker and others are all conducting highly targeted hacking campaigns as they look to gather intelligence against businesses they think hold valuable information.

    The United States has indicted individuals it says are responsible for conducting cyber attacks, including citizens of Russia, North Korea, Iran and China. Symantec’s report suggests the indictments might disrupt some targeted operations, but it is unlikely that cyber espionage campaigns will disappear any time soon.



    The Identity Organisation launches further online training services.

    TIO are pleased to announce the launch of further Cyber Security Awareness Training modules along with our free Baseline Phishing Test. In addition, TIO have now added a full suite of Compliance and Policy training modules for your employees.

    The Employee Training service helps to protect organisational systems and data by reducing successful phishing attacks, ransomware installations, hacking and data breaches. The compliance and policy training helps to ensure adherence to legislation and regulations.

    65% of internal data breaches (GDPR/NIS key elements) are employee-led. Educate your employee base via:

    • The Phishing Test Approach: send employees a simulated phishing attack, and train those who fail.
    • The Human Firewall Approach: train all employees online and send frequent simulated phishing attacks.

    Ensure your employees are fully aware of, and compliant with, core organisation policies via e-learning:

    • GDPR and data protection
    • FCA & AML Compliance
    • Fraud Prevention
    • Fully Auditable System

    To find out more and to access the full suite of services, contact TIO on +44 (0) 1628 308038, e-mail them at info@tidorg.com with EducateID as the subject or contact them via their website here


    7 Urgent Reasons For Creating a Human Firewall

    At a security event in San Francisco a while back, apart from the usual meetings with customers, VCs and the press, there was a large amount of relevant security news. Out of the fire-hose of RSA data, it was clear there are 7 urgent reasons why you need to create your “human firewall” as soon as you possibly can. Employees are your last line of defence and need to become an additional security layer when (not if) attacks make it through all your technical filters.

    1. Ransomware heads the list of deadly attacks
      SANS’ Ed Skoudis said the rise in ransomware was the top threat. “We’ve seen this can bring down a whole network of file servers and we expect many more attacks”. His advice is that companies practice network security “hygiene” and limit permission for network shares to only those jobs that require it. And of course train your users within an inch of their lives.
    2. Phishing leads the IRS dirty dozen of scams
      The Internal Revenue Service rounded up some of the usual suspects in its annual look at the Dirty Dozen scams you need to watch out for this year. It should come as no surprise that the IRS saw a big spike in phishing and malware incidents during the 2016 tax season because the agency has been very public about its battle with this scourge.
    3. CEO Fraud / W-2 Scams are a close second
      Just this month the IRS issued another warning about what it called dangerous, evolving and very early W-2 scams that are targeting a widening swath of corporations, school districts and other public and private concerns. High-risk users in Accounting and HR need to be frequently exposed to simulated attacks using email, phone and text to inoculate them against these attacks.
    4. Phone Scams
      Your users need to be trained that when they pick up the phone, the person on the other end might be a criminal hacker that tries to manipulate them into getting access to the network. They impersonate “Tech Support” and ask for a password, or pretend to solve technical problems and compromise the workstation.
    5. Your antivirus is getting less and less effective
      We all had the nagging suspicion that antivirus is not cutting it any more, and the new Virus Bulletin numbers confirm that intuition. Virus Bulletin (VB) is the AV industry’s premier “insider site”; it shows how good or bad endpoint detection rates are, and it also tests spam filters on a regular basis. Both antivirus (aka endpoint protection) and spam filter results are published in quadrant graphs. What most people do not know is that participants in this industry all share the same samples, so it is often just a matter of who gets the definition out first, because soon enough everyone else has that malware sample and blocks the hash. The problem? Proactive detection rates have dropped from about 80% down to 67-70% over approximately 9 months. Now you might think that if AV does not catch it, your spam filter will. Think again. One in 200 emails with malicious attachments makes it through. That puts the potential for malware reaching your users’ inboxes into the millions… every day.
    6. The Internet Of Things
      Your users need to understand the nature of connectedness. Both consumer and commercial devices are using wireless protocols to connect to each other and the internet, with vendors rushing products to market without proper security features. Your employees need to be trained to change the default passwords and disable remote access. If your organization has anything to do with critical infrastructure, users need to be aware of the risks and do fire drills so they are prepared for any kind of attacks against the IoT.
    7. Over-reliance On Web Services
      This breaks down into two different flavours. First, shadow IT, where employees completely bypass the IT department and create their own storage and services: an invitation to a host of vulnerabilities and data breaches that IT cannot control. Employees need to be enlightened about the dangers of shadow IT and understand the risks.

    Second, web apps and mobile apps are increasingly vulnerable to attack while talking to third-party services. Without proper certificate validation there is no guarantee that an app is connecting to the entity it expects rather than to a man-in-the-middle that steals data and possibly returns false information. This is a problem developers need to solve with properly authenticated, encrypted connections (correctly validated TLS, with pinning where appropriate) rather than something users can be trained around.

    I strongly suggest you get a quote for new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP. If you don’t, the bad guys will, because your filters never catch all of it. Get a quote now and you will be pleasantly surprised.

    Don’t be a victim of ransomware, educate your employees now!


    Identity & Cyber News
