Mike Wills

Mike Wills has 16 articles published.

Cyber Resilient?

in Features

Are you Cyber Resilient?
Are you sure?
How do you know?
What should you do about it?

Cyber, cyber, cyber…. Blah, blah, boring…  We all know about it.  We have all heard about the risks and the attacks that happen to other businesses and people.  We know it’s a threat.  You may even have experienced, or know someone who has experienced, some form of attack.

Cyber-attacks are a modern-day plague on society.  They impact businesses, people, and us all in one way or another.  Frighteningly, they also fund international crime and global terrorism.  Cyber-crime causes significant impact and distress to you and others, either knowingly or unknowingly.

The sad thing is that cyber-attacks and criminals are here to stay and can no longer be ignored.  Not having been attacked, and being lucky to date, does not mean you will be lucky in the future.

Technology and artificial intelligence continue to evolve at an alarming rate and show no signs of slowing down.  This evolution, coupled with the reduction in component prices and the prospect of greater connectivity and data transfer rates promised by 5G technology, will result in more “things” becoming “smart”, digital and automated and joining the realm of the Internet of Things.  Smart things require connectivity to a network to enable them to be controlled remotely by devices. Any network connection presents an access point for a cyber-attack.

Cyber criminals target the weakest prey.  They are motivated by two things: money and freedom, aka “not getting caught.”  Unless you have something that a cyber-criminal wants at all costs, the harder you are to hack, the more likely they are to go elsewhere.  Their business plan is simple: minimum effort for maximum reward from as many people or businesses as possible.

So, at a basic level, simply being harder to hack than the next business and/or person is a sensible approach.  But what does hard to hack look like and how do you know how effective it is for your situation?

You may consider that your business is doing all the right things. But are you sure?  How do you know?  Who is providing your advice?  Is your advisor a qualified cyber expert?  Or as is often the case through necessity, are they someone who has been double or triple hatted?  Are you tracking up-to-the-minute cyber threats?  Do you know what is unfolding this very minute and may be affecting your networks, mobile applications, web portals and collaboration tools?

All too often we hear “yes we have addressed cyber security, we have anti-malware, firewalls, VPNs and have conducted a penetration test 3 years ago and a 45-minute training package.”  All of this is positive, but relative to modern threats it is probably only the absolute minimum that must be considered, and it most probably will not make you sufficiently hard to hack for a criminal to go elsewhere.

But what is enough? What does good look like?

The best approach to achieving the greatest resilience is a comprehensive approach to all cyber threats, obviously…  But what does comprehensive look like in cyber security and who decides?

A comprehensive approach involves mitigating appropriately each type of cyber threat, of which there are many.  To enable the threats posed by cyber-attack to be easier to understand and aid management, the subject has been broken down into several threat areas.  The threat areas are presented as a framework that businesses can use to ensure a comprehensive approach.

There are several international organisations across the globe that have established frameworks for managing cyber resilience.  These frameworks have evolved over time and in response to emerging threats, market experiences, academia, and industry best practice.

To truly understand your resilience, it is highly advisable to contract the services of a specialist information security company who are experts at gauging the resilience of your business.  They will be able to tell you what you are doing well, what needs development and where you are holding significant risk – which may even identify you are presently in breach of data protection and/or other regulation or are not fulfilling the terms of your insurance.  A good company will then provide you with a roadmap for developing resilience, understanding that this will take time and planning and not every business has immediate budget available.  CSS Platinum can assist with this.

Finally, it is important to understand that this is an ongoing commitment.  Just as today’s cyber security framework evolved over time and in response to events, cyber threats continue to evolve, and new threats emerge every hour.  The impact of this is that cyber security must become a cultural consideration in business and for people in their private lives.  Just as one considers the health and resilience of their body to lead a full and fulfilling life, so now must that business/individual take constant consideration in their interaction with the digital and cyber domains.

Cyber security and resilience is now and forevermore a life skill and one that everyone should take some time to learn.  As the adage goes, prevention is always better than cure.  Act now, rather than experiencing regret later.

Be Disciplined, Be Hard to Hack, Be Safe.

Michael Wills is co-founder and chief data officer for CSS Platinum.  For further information on the company and the services it provides to Gibraltar businesses and the international yachting industry, please visit https://cssplatinum.com and/or email support@cssplatinum.com.

Cyber Attack

Gibraltar businesses are at a heightened risk of cyber attack, security expert warns

Governments, defence and security experts and this author have warned for weeks that Britain, the US and the EU should brace for a wave of crippling malware attacks. In the UK the Home Office, GCHQ and the National Cyber Security Centre have all issued warnings and guidance to businesses to “bolster their online defences.” Furthermore, in an announcement on 21 March the US President Joe Biden warned the United States of the risks posed by cyber-attacks and that they would be “consequential” and were “one of the tools [Putin] is most likely to use.” He urged business leaders to strengthen their companies’ defence systems immediately as a cyber war was “coming.”

But why would a war between Russia and Ukraine result in cyber-attacks on the UK, US & EU?

From a strategic perspective, there is a significant risk that Russia will continue to create instability in the “West” and specifically the UK to distract focus and attention away from the situation in Ukraine and onto closer, acute problems at home. Today this is easier to achieve virtually by means of cyber-attacks.

Critical National Infrastructure should be relatively hardened to attacks, and they will, more than ever, be at a heightened state of vigilance. The cyber attackers know this and thus will be looking to find less obvious routes to target critical infrastructure potentially through businesses that are suppliers to the critical infrastructure and easier to hack. No business will want the association or ignominy of being the weakest link. 

Businesses should make themselves as hard to hack as possible at all times, but more so now than ever. A security programme cannot be established overnight, but the best time to start is today. CSS Platinum can help. In the interim, heightened vigilance and discipline are critical to defending against a cyber-attack.

At minimum, businesses and individuals should consider the following:

• Communicate with your staff and families so they understand the risk and practice increased vigilance.

• Resetting passwords in case they may have already been breached in historic breaches and are enabling cyber-criminal access to your web portals and email accounts – this is the single greatest defence tool and should not be overlooked.

• Think twice before opening or clicking links in any suspicious, or even non-suspicious emails.

• Implementing Multi-Factor Authentication wherever possible.

• Ensuring that software upgrades and patches are up to date.

• Dusting off, reviewing and rehearsing incident response plans – so you know how to respond swiftly to any attack and can minimise their potential scope and scale.

• Ensuring that all critical information is backed up, off-network in case of a ransomware attack.

Cyber security and resilience is now and forevermore a life skill and one that everyone should take some time to learn. As the adage goes, prevention is always better than cure. Act now, rather than experiencing regret later.

Be Disciplined, Be Hard to Hack, Be Safe.

Half Term Hacking

Half-term holidaymakers sharing highlights from their travels with friends and family on social media are putting themselves at risk – an expert from cyber security firm CSS Platinum has warned.

With international travel starting to look like it once did pre-pandemic, thousands of families are set to travel abroad this February half-term. However, cyber criminals will be looking to exploit holidaymakers during the break, Mike Wills, Co-Founder at cyber and data security firm CSS Platinum, has warned.

Mike said: “The threat of Covid-19 and rules around testing and self-isolation have meant that holidays abroad have been off the cards for many families for almost two years. The relaxation of testing rules will have provided a huge boost for half-term breaks – as well as cyber criminals.

“Whether staying at home or heading abroad this February, people tend to put themselves at risk while they are on holiday without even realising it. Social media is a great way to connect and share with people, but unless it is used sensibly and cautiously, your friends and family may not be the only ones viewing your posts.

You would hope that for whatever social media platform you choose to use, the privacy settings are turned on by default.  Unfortunately, they rarely are, and this can mean that anything you post – be it thoughts, photos, videos or locations – could be seen by anybody with an account for the platform.

Cyber criminals actively use social media for opportunity and intelligence gathering – whether to find individuals to target or bolster information to enable them to successfully socially-engineer an attack.

If your privacy settings are not set, they could be able to see the information you are posting.  While information in isolation does not amount to much, if you combine it with other pieces of data, it becomes intelligence and can be used to develop a strategy to target someone.

People post all kinds of information on social media: email addresses, mobile numbers, addresses and more. But it is not always about what is written – it is also the information that pictures and videos can present, such as jewellery, expensive cars or other luxury assets, as well as the fact you are away from your home and it could be unoccupied.

How to protect yourself

Start by turning on privacy settings for all your social media accounts. The information for how to do this for each platform is readily available on Google and doing so can ensure only those people you are connected with can see what you post.

Of course, this only controls what you post, so it is worth setting boundaries with friends and family over what they post regarding you – particularly if their privacy settings aren’t up to scratch.

Next, avoid tagging your location in real-time. If someone is watching, they can easily see you are not at home or that you are in a particular place wearing an expensive piece of jewellery, for example.

Using strong passwords is a critical cyber resilience practice.  Doing so means cyber criminals are unlikely to gain unauthorised access to your account, which could enable them to change your privacy settings or gather information for social engineering purposes.

It is also important to never use the same password across multiple accounts.  If one site is breached and your credentials are exposed, your risk is amplified exponentially if you use that same password across multiple other accounts.

Finally, turn on two-factor authentication.  This will enable you to know whether someone is trying to access your account and take appropriate action.

Safe social media use is now a life skill and one that everyone should take some time to learn. As the old adage goes, prevention is always better than cure.  Act now, rather than experiencing regret later.

3 More steps to ensure you are HardtoHack

Happy New Year!  This time last year, we outlined 3 further steps that you can take to make you, your family, your business, and Gibraltar more secure and #hardtohack.  These simple but effective steps are timeless and so important to your personal cyber resilience that they are worth reinforcing again.  Why not make becoming #hardtohack one of your New Year resolutions?

STEP 4

Change your online banking password.

While banking security continues to become more secure, as we have already discussed, changing passwords breaks the chain if your personal data has been breached.  So, as an additional precaution, change your online banking password regularly.  Yes, it’s a faff.  Yes, it’s easy to find something else to do.  Yes, you are going to have to choose and then remember a new password.  However, ask yourself this.  Are you absolutely, 100% confident that your bank password is not compromised?  Is there a chance that you may have used the same password for another login elsewhere?  Could that service have been breached and the data compromised and made available to cyber-criminals?  How concerned would you be if a criminal could access your bank account and take money from you?  If your answer is, I am not 100% sure that I have not used the password elsewhere, and that they have not been breached, and/or I would be devastated if a criminal could access my bank account, then change your password!!!  It should take you no more than five minutes, and doing so will mitigate that gut-wrenching, vomit-inducing risk of discovering your bank account or savings have been cleared out.  Invest time in your security. Be #hardtohack.

STEP 5

Change your Wi-Fi router admin password

Does your Wi-Fi router have a password for you to access your Wi-Fi?  I suspect so; however, what you may not know is that your Wi-Fi router also has an admin password to enable you to manage settings within your router, including the ability to change your Wi-Fi access password.  While not true of all routers, often the admin password to access your router is a standard factory password.  So what?  Well, consider it this way.  How many times have you gone to access a Wi-Fi network and been given the option to join the network of the house or business next door?  If a device can pick up a Wi-Fi network next door, this also means that a cyber-criminal could access your Wi-Fi network from outside/nearby your home or business.  Most Wi-Fi providers identify themselves by their brand names in order for you to recognise and join them.  This means that a cyber-criminal can identify what internet service provider you are using, Google what web address is required to access the web-based admin portal and also Google the factory standard password.  Ok, but so what…?  Well, if you have not changed the admin password, a cyber-criminal can gain access to your router, change the router password so you cannot access the admin area, identify all the devices on the network for further exploitation and, if they wanted to, change your Wi-Fi access password – just to be annoying.  To prevent this, change your Wi-Fi router admin password!  And make a note of it!  To do this, find the instructions for your router and the process to log in to the admin area.  Alternatively, do as the cyber-criminal would do and Google the IP address for your router’s admin portal, and while you are at it the factory standard password.

STEP 6

Activate multi-factor authentication

After ensuring a robust, non-repeated password, Multi-Factor Authentication (MFA) is the next strongest weapon in your arsenal to make you #HardtoHack.  MFA is the process of using an additional confirmation method to verify that you are the individual requesting an action.  This could be logging into an account or making a payment.  Chances are you are already using MFA.  If you use Amazon, or LinkedIn, you will recognise the process of receiving a number code to your mobile device via text or automated voice call.  If a criminal has access to your email and password combination, having purchased your data on the dark web – as we highlighted in our Christmas article – they could gain access to your online account.  If, however, you have MFA activated, an authentication request would be sent to your mobile or other nominated authentication method.  Unless your mobile device has been stolen, chances are the criminal does not have access to this and you will have thwarted the criminal’s ability to access your account.  Usefully, it will also act as an indicator to you that there may be some form of unauthorised activity on your account and that you may wish to change your password to “break” the breached data risk.  Some online accounts will, as part of account set-up, ask whether you want to activate MFA; others will have an MFA function, but you will need to navigate into the settings area to activate it – annoying but worthwhile.  Be disciplined and where possible check and activate MFA settings to be #HardtoHack.

3 Simple and Timeless Steps To Ensure You Are Hard to Hack

Christmas is almost upon us, again! This time last year, we outlined 3 simple steps that you can take to make you, your family, your business, and Gibraltar more secure and #hardtohack. These simple but effective steps are timeless and so important to your personal cyber resilience that they are worth reinforcing again at this time of year.

Cyber criminals will actively be exploiting shoppers in the lead up to Christmas.

People are planning to spend an estimated £32.25bn online on their Christmas purchases this year, according to research and insight company Statista.

Mike Wills, Co-Founder at CSS Platinum, said shoppers rushing to secure the perfect present at the best price are at greater risk of malicious threats.

He added: “In the run-up to Christmas, many outlets will run promotional offers to encourage spending. This is a potentially lucrative time of year for cyber criminals as they know shoppers are less vigilant as they rush to snap up the best deals.

“Cyber criminals will no doubt be looking to take advantage of the vast number of transactions taking place and the financial information being shared as a result. There is also an increase in promotional email traffic, which makes it hard to differentiate the real bargains from scams – presenting a heightened risk of phishing attacks.

“With this in mind, it is critical consumers take steps to protect themselves and their families.”

STEP 1 Password Management

“Firstly, shoppers should change their passwords right away. While this is a faff, it is the single greatest defence you can make to protect yourself against a cyber-attack and will instantly make you much safer online.

“Currently, there are millions of emails and passwords for sale on the dark web, which have been breached by companies that have not protected people’s personal data sufficiently. Cyber criminals can buy this data for minimal amounts of money and could use it to gain access to your emails.

“They will look for social media accounts and online high street accounts and test your combination to gain access. From this, they can gather more personal data until they have enough to take out credit in your name or use your saved payment cards to make online purchases, for example.”

STEP 2 Personal data breach identification

“It is a good idea to understand whether your data has been breached so you can put in place other necessary measures to protect yourself. To do this you can use a free service provided by Have I Been Pwned. All you need to do is enter your email address and the site will tell you whether it is associated with a breach and if so, what other data has been stolen.

“If you have been breached, it is even more important that you change your password to break the chain. Next, you need to understand whether you have been entered into any spambots – as the name suggests, these are bots that send spam to you.

“While some spam is laughable, others are highly credible. If you’re rushing, there’s a higher chance you will click a link in a spam email, which could execute malware or ransomware on your device.

“Unfortunately, the only way to rectify and avoid your exposure to spam – and, in turn, the chances of clicking on a malicious link – is by changing your email address. This is best done by transitioning email address information on websites over a period of time. While this is an arduous task, it is vital for protecting yourself.”

STEP 3 Check your Anti-virus

“Finally, make sure your anti-virus protection is installed, activated with a valid licence and updated. While free anti-virus software is available, it won’t protect you sufficiently. Competition to provide the best anti-virus changes year on year between the main vendors as they achieve technology breakthroughs in response to the evolution in cyber threats.

“The best thing to do is check reputable tech websites for reviews of the best current anti-virus software. We recommend buying a one-year licence, and then when it comes to renew, assess which company has moved to the forefront of anti-malware protection. There will always be new customer deals to be had.”

Be resilient and have a very Merry Christmas from all at CSS Platinum.

Cyber attack. Could your business afford it?

For most, cyber security is dull. It’s also technical and unless you “understando / speako de lingo” it can be intimidating and perceived as too hard.  Conversely, cyber security is now an essential life skill, whether that be in business or in one’s personal life.

We live amidst an unseen cyber war that is here to stay and unlikely to end.  With the advent of greater data transfer speeds; the ever-decreasing size of microchips and sensors; the associated explosion of smart devices as part of the Internet of Things (IoT) revolution; and the incorporation of all these technological advances into our businesses and homes, the prospect and opportunity for cyber-attack is exponentially increasing.

Why should I do something about cyber security?

Aside from the shock, inconvenience, distraction, embarrassment, and distress of being hacked, what you may not have considered are the other indirect losses and costs that could occur should you fall foul of a cyber-attack.  Bottom line up front (BLUF): prevention is always better than cure.

Privacy regulation has teeth.  

Internationally, there are an increasing number of compliance regulations whereby it is a requirement to protect against cyber-attack.  Widely known and leading the pack is the EU / UK General Data Protection Regulation.  This regulation requires that appropriate “organisational and technical” controls are implemented to protect personal data – by this, in the main, they mean cyber security.  EU / UK GDPR are both extra-territorial, meaning regardless of the actual registration of your business, if you hold and/or process the data of EU or UK citizens, you must cyber-protect the data.  Failure to do so could result in enforcement fines up to £17.5M / €20M or 4% of global turnover – whichever is greater.  A great number of other nations are updating their privacy laws and using GDPR as a benchmark.  While small to medium businesses are unlikely to receive a top end fine, proportionately any fine is likely to have major impact.

Management distraction.  

When cyber-attacks occur, they are all consuming, particularly if it is a ransomware attack and you have lost all digital access – no computer/device access, no website access, no management systems access.  Nothing.  All those tasks you were already juggling in your busy work life have just got interrupted, cancelled, or postponed while you concentrate on responding to the incident; communicating with shareholders, regulators, and insurers; and possibly having to inform and apologise to clients and suppliers.  What would the cost of this be to you?  Furthermore, if you are subject to UK / EU GDPR, and a cyber breach meets the threshold for reporting to a regulator, investigation is highly likely to follow.  This can be all consuming and comprises very detailed questions regarding what happened, how it happened and why it was able to happen.

Reputation damage and loss of trust.  

When your clients provide their personal data to you there is an unwritten trust contract.  They trust you to respect and preserve their privacy.  Businesses spend huge amounts to recruit customers, but market analysis shows that an equitable amount is not invested in then protecting these clients.  What would the impact be on your client’s trust and your business reputation if you had to contact your clients to inform them that you had lost their personal data?  Would you lose that client?  How would that affect your cash-flow forecasts and plans?

Damages claims.  

Cyber criminals are clever and cunning.  An attack on your business may simply be a tactic to attack one of your clients or suppliers, or depending on the type of attack, may intentionally or inadvertently impact them through onward transmission.  If after analysis your business is found to have transmitted a cyber-attack to a client or supplier due to insufficient or inadequate organisational or technological controls, and it has had a profound impact on strategic reputation, operational delivery, loss of intellectual property and/or personal data, you could probably expect to be sued for damages and the associated legal costs of defending your business.  How would that affect your business?

Most personal data stolen during a cyber-attack ends up for sale on the dark web for other cyber criminals to purchase and further target individuals. A single hack on your business could lead to an individual being targeted multiple times over.  How would you feel if it was your data?  Would you want your business to be responsible?  There are a growing number of law firms offering group litigation action for damages to individuals who have had their data breached.  Damages precedent is still being established, but damages are currently averaging ~£2000 per individual.  If you lost 10,000 data records that could amount to £20m.

So, in summary, while cyber security can feel like another compliance cost, the cost of a cyber-attack is likely to far exceed the implementation cost.  Cyber security resilience is simply a baseline cost of doing business.

Stay Social Media Safe this Summer

Summer is here.  Whether you are staying at home or heading abroad this year, it is sensible to take a moment to consider how your actions on holiday could make you vulnerable to cyber criminals or other issues.

Most people enjoy going on holiday.  It is your opportunity to unplug, disconnect, kick back and relax.  What contributes to the fun is sharing those wonderful memories with family, friends and loved ones via social media.

Social media is a great way to connect and share with people, but it is also important to realise that unless it is used sensibly and cautiously your friends and family may not be the only ones that are viewing your posts.

“The internet rarely forgets!”

You would hope that for whatever social media platform you choose to use that the privacy settings are turned on by default.  Unfortunately, they rarely are, and this can mean that anything you post, be it thought, photo, video or location could be seen by anybody with an account for the platform.

Cyber criminals actively use social media for opportunity and intelligence gathering, whether this is to find individuals to target, or to bolster information to enable them to successfully socially-engineer an individual.  If your privacy settings are not set, they could be able to see the information you are posting.  Information by itself is just a piece of information, but information combined with other information becomes intelligence and can be used to develop a strategy to target someone.  People post all kinds of information on social media: email addresses, mobile numbers, addresses and more, but it is not always about what is written; it is also the information that pictures and videos can present – jewellery, expensive cars, or other luxury assets, or the fact that you are away from your home and that it could be unoccupied.  More sinisterly, what information are you exposing about your children or other family members?

Cyber criminality and social engineering aside, another aspect to consider is that businesses are increasingly conducting online background checks on their staff to mitigate possible security and reputational risk.  Recruitment is an expensive and highly competitive process and businesses want to make sure they are making shrewd investments in the people they hire and that they will represent the company in the manner expected.  An ill-considered comment on a post, or an inappropriate picture or video available for all to see, could sway an employment decision.

Private lives should be private, but they are only private if privacy settings are turned on and the information is not freely available on the internet.

So, what should you do to protect your social media?

• Turn on privacy settings for all your social media accounts.  The information on how to do it is available.  Google: “How to turn on privacy settings for {insert social media platform}.”

• Think very carefully about what you post.  Who might see it?  Would you be happy for it to be seen?  How would you feel about your employer or a later potential employer seeing your posts?  If in doubt, do not post.

• Conduct a social media audit.  What have you previously posted and forgotten about?  Are you happy for it to still be accessible?  If you find posts that could be construed as inappropriate, perhaps consider removing them.  Alternatively, you may choose to delete an account and start a new one from scratch to ensure you have control of your social profile.

• Set boundaries with friends and family over what they post regarding you.  Be prepared to ask people to remove a post where required.

• Avoid tagging your location in real time.  If you have tagged yourself, then to someone who may be watching it means you are not at home and your home may be unoccupied, or you are in a particular place wearing that expensive jewellery or watch…

• Use strong passwords.  This is sensible cyber resilience practice, but you would not want someone to gain unauthorised access to your account and change the privacy settings, or post inappropriately, or use the information in the account for social engineering purposes.  Do NOT use the same password across multiple accounts.  If one site is breached and your credentials are exposed, that exposure risk amplifies exponentially if you use that password across multiple other accounts.

• Turn on Multi-Factor / 2 Factor Authentication to prevent cyber criminal.  This will enable you to know whether someone is trying to access your account and take appropriate action.

Safe social media use is now a life skill and one that everyone should take some time to learn. As the old adage goes, prevention is always better than cure.  Act now, rather than experiencing regret later.

Michael Wills is co-founder and chief data officer for CSS Platinum.  For further information on the company and the services it provides to Gibraltar businesses and the international yachting industry, please visit https://cssplatinum.com and/or email support@cssplatinum.com.

Cyber McNasty update

in Features

Ransomware My New Service Line

Ahhh hello again.  Cyber McNasty here.  I appreciate I haven’t written in a while – apologies for that.  To be honest I have been that busy being nasty and making friends (hacking) with new clients that I simply haven’t had time to write.

In case you were wondering, life has been good to me lately.  Covid has really impacted my line of work.  In a good way – all those people remote working, using their own devices and not being disciplined in updating the operating software and applications.  Similarly, people have been living their lives so much more on social media.  I love it!  This makes it much easier to find people and then social engineer them to my advantage.  It truly amazes me that they either have not worked out how to implement their privacy settings, or that they simply cannot be bothered.  Either way, as always, I am very grateful.

What else…?  Oh, you may be interested to know, I have moved.  Gibraltar has proven to be such a lucrative income stream that it made sense for me to relocate here.  Expensive?  Well yes, but the pay days I have enjoyed just recently, thanks to you, mean that I can afford it.

Just recently, I have expanded the services my business offers to my friends (well victims).  I still spend a lot of time intercepting emails and diverting payments, but my team (well bots) are so well programmed that it just runs itself these days.  To tell you the truth, I had become a little bored and fancied a new challenge.

So, to keep you up to date, I now offer ransomware attacks to my ill-prepared business friends.  What’s ransomware, I hear you ask?  Well, to put it simply, it’s where I gain access to your devices and networks; lock you out of them; encrypt all your data; and stop you from being able to operate.  I then contact you and demand a ransom in recompense for allowing you back in.  No payment, no access.  Simple.

I love the chaos this creates.  People simply do not realise how access to devices and online information and systems dominate their lives; how much we expect and rely on this access; and the impact that occurs when this access is removed.  It is crippling.  Imagine what would happen if you lost access to your laptop.  How would you cope without access to your emails, your client and contacts data, your online files, access to your website and its data?  And that’s only your information technology.  What about your operational technology?

So how do I do it?  Two ways really.  Firstly, I make friends – as always.  I really am a social animal.  Gibraltar is such a great place to grab a beer, people watch, listen and make friends.  Identifying specific individuals, who work at a place of opportunity and then social engineering them by gathering information from social media and the dark web, will always be the first step in my criminal line of work – call it reconnaissance to use military terminology.  But I covered this in my last letter, so I do not want to cover old ground.

The second way is to set up a WIFI network for you to connect to.  By doing so, you give me direct access to your devices and network.  How do people fall for this?  Well, as we have already discussed people expect access to WIFI.  Speed and ease of access is their motivation, not necessarily the security of that access or who is providing it.  They really are willing to connect to anything to get their data fix.

What surprises and delights me is the lack of preparation to prevent ransomware attacks, or of processes to deal with an attack should it happen.  I mean, the fact is that ransomware attacks are not new.  There are hundreds of stories online detailing my, and my comrades’, previous exploits.  Is it the most likely form of cyber attack?  Well, no.  Email interception and invoice/payment tinkering will always be more prolific; however, ransomware is not difficult and, with smart devices and the internet of things, will only increase.

There really is no excuse not to be prepared.  “But it’s hard and expensive,” I hear you say.  Not relative to the crypto ransom I am going to demand from you; the disruption and loss of revenue I am going to cause; and then the cost of fixing the problem so it does not occur again.  As the saying goes: prevention really is better than cure.

The reality is that I and ransomware attacks are not going to go away.  So, if I am being honest, for my sake and my bank account’s I really would rather you continued to ignore the problem so I can hack you and hold you to ransom.  I look forward to seeing you soon.

Michael Wills is co-founder and chief data officer for CSS Platinum. For further information on the company and the services it provides to Gibraltar businesses and the international yachting industry, please visit https://cssplatinum.com and/or email support@cssplatinum.com.

What is the most effective type of Cyber Attack?

in Features

Cyber criminals are, as the name suggests, criminals. Criminal activity by its very nature is illegal and, if the perpetrator is caught, is likely to result in prosecution and detainment at the pleasure of a government somewhere.

Clearly this is not an attractive option for a criminal. So, to avoid this, cyber-criminals are extremely careful not to get caught. The anonymity that the internet provides is one aspect that can assist the “not getting caught.” The other, more effective method is to avoid detection altogether, cover your tracks and leave no trace, so that you have no idea that you or your business may have been attacked and may have had something stolen.

But if a cyber-criminal steals something of ours, we will know. Right? Will you? In the good old days, before computers and devices, our world was dominated by tangible, physical things. It was there, present, in our hands, at our fingertips. You would know whether a thing was present or missing. We now live in an increasingly digital environment, with more things becoming virtual. We used to buy music on vinyl and CDs, now we stream music. We used to hold paper files in filing cabinets, now they are digital files stored on hard-drives and servers. These formerly tangible assets are now virtual, digital data files. If a cyber-criminal has the access, data files can be copied and stolen, and unless you are looking for it, chances are you will never know.

So what? How does this affect me? Well, if you happen to be reading this and are sitting there thinking: we are ok, we have not been attacked, I would know. Ask yourself, are you sure? How do you know? Do you have systems and processes for detecting the theft of information? Remember anti-malware looks for malware and viruses, not unfettered access. If your network has inherent design flaws, a cyber-criminal can quite literally digitally “waltz in”, have a good look around and take any information that is not secured.

How often, if at all, are your log files analysed to identify who has accessed your network, or what information has left? Would you know? Are you resourced to do this? Do you keep log files? At what point do they get overwritten? Do you even know what log files are? If not, I would suggest you ask these questions of your IT support, or get some support. To be helpful, log files are simply a log of events that have occurred, which can be analysed to understand activity or an incident. They can also be erased and amended.

Businesses are targeted by multiple cyber criminals every day. Each criminal will have their own motivations and level of competency. Some will want an instant payday perhaps through the diversion of a financial payment as part of a phishing or man-in-the-middle scam. Others, the “All-Stars” of cyber criminals may just view you as an access point, the soft underbelly as part of an elaborate strategy to target a bigger, more valuable fish – your owners; your clients; a bigger, more prominent business you supply to. Cyber criminals are interested in the personal data you hold on individuals, or the “trusted” digital connections you have with their “next” intended target, or access point. They can use information/connections to unlock the next part of the puzzle or move onto the next phase. All of this can happen unwittingly, and you can provide the information and connections they need without even realising or detecting that it is happening.

As a business, we often hear: “We don’t see this as a problem;” “We have not experienced a cyber-attack;” “We just don’t hear about this happening.” The reason for this could be because you are one of the fortunate ones that has not been targeted or suffered an attack. Or it could be because the cyber-criminal is extremely proficient at their trade, and while you may not have experienced a direct cyber-attack, you may have unknowingly breached information or facilitated an attack that has occurred elsewhere.

All businesses must remember that under UK / EU GDPR and similar international data protection regulation, you are obligated under the Confidentiality and Integrity (Security) principle to implement appropriate organisational and technical controls to protect the personal data that you hold. When the true end goal of the cyber criminal’s strategy reveals itself and forensic analysis of the attack is conducted, could it reveal that your business breached the information that enabled the attack to occur because of insufficient organisational and technical controls? Would you be willing to accept this risk and its consequences for your business?

So even though you may not believe you have suffered a direct cyber-attack, are you certain that you may not have been a victim of a cyber-attack? Good to trust, better to check.

Michael Wills is co-founder and chief data officer for CSS Platinum. For further information on the company and the services it provides to Gibraltar businesses and the international yachting industry, please visit https://cssplatinum.com and/or email support@cssplatinum.com.

So you’ve been Hacked

in Features

Prevention is always better than cure.  In previous articles we have provided our 6 steps to make you #HardtoHack.  Hopefully you have been following the tips we have given and you and/or your business are indeed “Hard to Hack.”  Unfortunately, “Hard to Hack” does not mean “impossible to hack.”  Regretfully there will probably come a time when you do suffer a cyber-attack.  Human errors occur, technical vulnerabilities are not addressed, or cyber-criminals simply decide that they will achieve a hack on you at all costs.  Any of these situations can lead to a cyber-attack.

In the unfortunate event that you do suffer a cyber-attack you need to consider incident response and incident recovery.  Incident response concerns minimising the scope and scale of an attack.  Incident recovery is about getting back to normal as quickly as possible – how can I get my laptop working again, or how can I get my business network operational again?  If you are a business, these plans should be formalised and rehearsed.

So, what should you do?

Pause, breathe, think.  Use the response and recovery plans you have pre-prepared to help guide you through the incident.  Pre-prepared plans are critical to ensuring an effective response.  They provide a handrail to follow when immersed in stress, chaos and uncertainty, and assist you in doing the right things in the right order to ensure you do not miss or forget to do something.  If it is your personal device that has been hacked, chances are you have not prepared a written plan; however, if your home lost electricity, I suspect you have the number of a trusted electrician on speed-dial.  Who would you call if your device had been hacked and was riddled with malware?

Cut the head off the snake.  Do what you can, as quickly as you can, to stop the attack.  The quicker you act, the greater the likelihood that you can minimise the scope and scale of a cyber-attack.  For example, if a cyber-criminal has been able to gain access to your password and has access to your emails or bank account, the simple act of changing your password could break the chain and remove the cyber-criminal’s access.  If you are a business, speak with your cyber security department / provider as quickly as possible so they can assist in responding to the incident and minimising its impact.

Who do you need to inform?  If you are an individual, you may want to protect family and friends from being affected.  You would feel awful if someone close to you experienced loss or hardship as a result of a cyber-attack transmitted by you.  If you suspect an attack, a simple warning to be vigilant could be a good option.  If you are a business, you have a great many more obligations, and failing to act on them swiftly and decisively could result in enforcement action or damages being levied against your business.  You have an obligation, both morally and from a regulatory perspective, to protect your staff, your customers and your suppliers.  This means investing in cyber security in the first place, but also protecting individuals if a cyber-attack results in a loss of personal data.  Where there is a high risk of danger or distress, a business must inform the individual as quickly as possible.  Furthermore, if you are subject to either the UK or EU General Data Protection Regulation, you are required to report any personal data breach within 72-hours.  You should also understand whether and how quickly you may need to inform your insurance company.

Hopefully you have been sensible and prepared for the eventuality that you may lose access to all your data.  If you are an individual, you should hold an off-device back-up of anything you hold dear and/or would not wish to lose: photos, important documents etc.  If you are a business, you need to make sure that you have back-ups of your data offline and/or off network so that a full system restore can be conducted and you are safe in the knowledge that a cyber-criminal has not locked you out of or erased your back-ups.

Once a cyber-attack has been discovered and fixed, it can be very difficult to understand fully what data could have been stolen, and whether “back-doors” may have been established to enable later access.  As an individual, you should consider informing your bank and monitoring your bank accounts and credit ratings to check for any indicators of unusual activity.  The same advice is equally applicable for a business, but you should also monitor the internet for any indications of adverse publicity or comments that may indicate corporate identity theft.  This will enable the business to react swiftly, address any issues and control the narrative and in so doing minimise any further damage to strategic reputation.

Michael Wills is co-founder and chief data officer for CSS Platinum.  For further information on the company and the services it provides to Gibraltar businesses and the international yachting industry, please visit https://cssplatinum.com or email support@cssplatinum.com.
