SASIG warns cyber security profession to meet growing social media threat

The Security Awareness Special Interest Group (SASIG) is calling on cyber security professionals to strengthen procedures surrounding the use of social media. The warning about the growing threat posed by social media to the integrity of data and network security emerged during this week’s conference entitled ‘Cyber Security: The Implications of Social Media’ that was organised by SASIG in conjunction with The University of Surrey.

The audience of cyber security specialists explored the implications of the far-reaching change brought about by social media and how people interact on different platforms such as Facebook, Instagram, YouTube, Twitter, WeChat and others, highlighting the consequences of casual Internet surfing and posting.

Martin Smith MBE, founder and chairman of SASIG, informed upwards of 200 delegates that social media networks have become one of the biggest gateways for cyber criminals targeting individuals and businesses to gain access to sensitive information and data networks.

Smith stated: “Social media activity has boomed during the last decade and is now an integral part of communications for commercial and personal users. It creates many challenges for both business and personal use and can expose users to unintended risks.”

He continued: “Social media and Internet users often give up a considerable amount of personal data. However, if such information falls into cyber criminals’ hands, they can easily build a profile that gives them the capability to access sensitive personal and financial information.”

Further, Smith observed: “The new Online Safety Bill could prove to be a vital tool in the challenge to tackle the criminal gangs who target unsuspecting individuals and businesses. We strongly recommend that all organisations should take steps to strengthen their cyber security systems against attacks via social channels. Using a combination of education about threats and introducing stringent protocols can protect against misuse.”

Cyber Security Skills Festival

Career opportunities, skills and resources that protect commerce, industry and public services from cyber attacks will feature at the third annual Cyber Security Skills Festival being organised by SASIG in partnership with the UK Cyber Security Council. The event runs on Tuesday 22 February. 

Established back in 2004, SASIG is a peer networking forum for cyber security professionals who represent hundreds of organisations of all sizes here in the UK and emanate from both the public and private sectors.

SASIG boasts more than 6,000 members including Chief Information Security Officers and other decision-makers and influencers with responsibility for information security, as well as academics and Government agencies.

Annually, SASIG curates more than 150 information webinars and in-person events covering topical cyber security issues impacting business, commerce, Government agencies and other public sector organisations.

*Further information is available online at www.thesasig.com 

UK and US businesses call for improvement as employee education pinpointed to be biggest cyber security weakness during lockdown

Hardware-encrypted USB drives developer Apricorn has announced the findings from a Twitter poll designed to explore the data security and business preparedness aspects around remote working during the pandemic. More than 30% of respondents singled out employee education as being the biggest area where companies need to make changes to improve cyber security.

The poll ran across six days and targeted employees in both the UK and the US. In addition to concerns about employee education, respondents also flagged updates to hardware (29%), endpoint control (21%) and enforcing encryption (19%) as areas of weakness where organisations need to make changes to strengthen their cyber security posture.

Given that almost 30% of respondents admitted to using unencrypted devices during the pandemic this raises many concerns, and particularly so at a time when we’re seeing a dramatic increase in the volume of data being downloaded along with the potential for more data on the move.

Kurt Markley, director of sales at Apricorn, commented: “Employees have a critical role to play in cyber security processes, from recognising the tools required through to understanding and enacting the policies in place to protect sensitive data. Whether it be through the delivery of awareness programmes or ongoing training, establishing a culture of security within the workforce is now absolutely essential.”

Markley added: “Endpoint security is critical. Deploying removable storage devices with built-in hardware encryption, for example, will ensure that all data can be stored or moved around safely offline. Even if a given device is lost or stolen, the information contained will be unintelligible to anyone not authorised to access it.” 

Not fully prepared

In addition, more than 40% of respondents admitted that, as an individual, they were not fully prepared to work at home securely and productively. Almost a fifth (18%) said they lacked the right technology to do so, 16% were not sure how to and just over 20% stated that they were still not able to work remotely.  

“Many businesses will now have witnessed the positive productivity and financial impact of a remote workforce, but without the right tools, processes and security in place, this can very easily backfire,” continued Markley. 

With the poll results showing that more than 60% of respondents are planning to work remotely either all or some of the time following the pandemic, the threat to corporate data is only going to burgeon. Almost 20% admitted that the experience of working from home has duly highlighted major gaps in their employer’s cyber security strategy/policies.

When questioned as to whether their company had experienced a data breach as a result of remote working during the pandemic, over 20% replied in the afformative, but a further 22% said they didn’t know if they had suffered a breach.

Scrambling to respond

Jon Fielding (managing director for the EMEA at Apricorn) commented: “IT and security teams had to scramble to respond to this crisis and, in doing so, left a lot of companies wide open to breaches. Nine months into employees working remotely, some already know that they’ve been attacked. Others think they may have been, but cannot be certain.”

Fielding concluded: “In the same way that we had to learn how to protect ourselves from illness and modify our behaviour, we also had to learn how to protect our data outside of the firewall and, more importantly, to remain vigilant about it.”

The Apricorn Twitter poll comprised six question and answer options and realised 23,537 responses.

Criminals target UK’s youth as cases of identity fraud increase

Cifas, the UK’s leading fraud prevention service, has released new figures showing a 52% rise in young identity fraud victims in the UK. In 2015, just under 24,000 (23,959) people aged 30 and under were victims of identity fraud. This is up from 15,766 in 2014, and more than double the 11,000 victims in this age bracket in 2010.

The figures have been published on the same day as a new short film, entitled ‘Data to Go’, is launched online to raise awareness of this type of fraud. Shot in a London coffee shop in March this year, the film uses hidden cameras to capture baffled reactions from people caught in a stunt where their personal data, all found on public websites, is revealed to them live on a coffee cup.

Identity fraud happens when a fraudster pretends to be an innocent individual to buy a product or take out a loan in their name. Often, victims don’t even realise that they’ve been targeted until a bill arrives for something they didn’t buy or they experience problems with their credit rating.

To carry out this kind of fraud successfully, fraudsters usually have access to their victim’s personal information such as name, date of birth, address, their bank details and information on who they hold accounts with. Fraudsters gain such detail in a variety of ways, including through hacking and data loss, as well as using social media to put the pieces of someone’s identity together. 86% of all identity frauds in 2015 were perpetrated online.

People of all ages can be at risk of identity fraud, but with growing numbers of young people falling victim, Cifas is calling for better education around fraud and financial crime.

Fraudsters are opportunists

Simon Dukes, CEO of Cifas, said: “Fraudsters are opportunists. As banks and lenders have become more adept at detecting false identities, so the fraudsters have instead focused on stealing and using genuine people’s details. Society, Government and industry all have a role to play in preventing fraud. However, our concern is that the lack of awareness about identity fraud is making it even easier for fraudsters to obtain the information they need.”

Dukes continued: “The likes of Facebook, Twitter, LinkedIn and other online platforms are much more than just social media sites – they’re now a hunting ground for identity thieves. We’re urging people to check their privacy settings today and think twice about what information they share. Social media is fantastic, and the way we live our lives online gives us huge opportunities. Taking a few simple steps will help us to enjoy the benefits while reducing the risks. To a fraudster, the information we put online is a goldmine.”

Commander Chris Greany, the City of London Police’s national co-ordinator for economic crime, added: “We’ve known for some time that identity fraud has become the engine that drives much of today’s criminality, and so it’s vitally important that people keep their personal information safe and secure. In the fight against fraud, education is key and it’s great that Cifas and its members are taking identity fraud seriously and working together to raise awareness of how the issue is now increasingly affecting young people through the launch of this film.”

As part of the campaign, Cifas commissioned a survey with Britain Thinks to find out more about 18-24 year olds’ attitudes towards personal data and identity fraud. The survey found that young people are alarmingly unaware that they’re at risk:

• Only 34% of 18-24 year olds say they learned about online security when they were at school
• 50% of the 18-24 year olds surveyed believe they would never fall for an online scam (compared to the national average of 37%)
• Only 57% of 18-24 year olds report thinking about how secure their personal details are online (compared to 73% for the population as a whole)

They’re also less likely to install anti-virus software on their mobile phone than the national average (27% compared to 37%).

Organisations such as the City of London Police, Action Fraud, Get Safe Online, Her Majesty’s Government’s Cyber Streetwise campaign, Financial Fraud Action UK and Cifas members including Coventry Building Society, BT and Secure Trust Bank are all supporting the campaign and sharing the new film across their social media networks.

Cifas is also appealing to youth organisations, schools and universities to share the film so it reaches as many young people as possible.

Cheshire Fire and Rescue Service keeps public informed thanks to CrowdControlHQ’s social media platform

Cheshire Fire and Rescue Service is using a social media risk management and compliance platform from CrowdControlHQ to monitor and govern its corporate social media accounts including Twitter and Facebook. More than 30 users across the Cheshire Fire and Rescue Service access corporate social media accounts via the platform’s central dashboard.

There has been an increase in engagement witnessed across all accounts in the last two years which has seen the number of Twitter followers double to over 17,000.

Cheshire Fire and Rescue Service uses social media for two-way communication with residents and county stakeholders, including other Fire and Rescue Services and local Government officials businesses as well as schools in the area.

CrowdControlHQ was selected for the central management of the Fire and Rescue Service’s social media activity following research and a presentation from the company.

Caroline Jones, digital and media services manager at Cheshire Fire and Rescue, explained: “We chose CrowdControlHQ for the level of control and analytics that the company’s solution provides. We wanted a platform where we could allow multiple people to post to corporate accounts. CrowdControlHQ does that safely and securely and it gives a history of all activity, for example who has posted to what and where. Information like that is important for audit purposes.”

Management from a single point

Using CrowdControlHQ makes it possible to manage corporate social media accounts from a single point. Cheshire Fire and Rescue Service chose to have just one account for each social media channel rather than each fire station or areas of the service posting to individual accounts. This means it’s easier for the public and other stakeholders to receive updates by finding, following and commenting on corporate accounts rather than multiple social media accounts for different fire stations across the region.

Jones continued: “Social media is a great way to communicate with the public. Where there are incidents throughout the day it’s really easy, thanks to the central control in CrowdControlHQ, to publish a Tweet or post a message on Facebook and to then plan Tweets for the weekend. Recently, in just 28 days we had 437,000 impressions and posted 168 Tweets. The management team takes social media very seriously and fully supports it as a communications channel.”

Cheshire Fire and Rescue Service also promotes other Fire and Rescue Services’ campaigns and champions national safety initiatives such as the annual road safety campaign using Twitter and Facebook, with links to a web page. CrowdControlHQ is used to plan Tweets and posts in advance and then measure the success of campaigns using the analytics generated.

James Leavesley, CEO at CrowdControlHQ, commented: “We have seen a variety of social media strategies emerging across Emergency Services providers tasked to drive communications objectives. For some, the emphasis is on single channel or multi-responders while others may adopt a multi-channel or in some cases a partnership-style approach.  However, what consistently underpins all the strategies we see is the need for more brand representatives to become involved in delivering messages to the public, raising the reputation risks associated with delivering complex public engagement. Using a risk and compliance platform gives organisations the confidence that they can manage and respond to social media communications effectively, consistently and in a timely manner.”

About Cheshire Fire and Rescue Service

The Cheshire Fire and Rescue Service is led by the Chief Fire Officer and the Service Management Team.  It has 25 fire stations, four community safety centres, three community fire protection offices and a headquarters based in Winsford.

The Fire and Rescue Service responds to emergency incidents – known as Emergency Response (ER)  – across the four unitary council areas of Halton, Warrington, Cheshire East and Cheshire West and Chester.

*For more information visit: www.cheshirefire.gov.uk

About CrowdControlHQ

CrowdControlHQ is one of the UK’s leading social media risk management and compliance platforms built for enterprise. It’s web-based software used by public and commercial organisations to support employees wishing to optimise their social media engagement delivery.

CrowdControlHQ provides tiered access and specialist control features to help manage the reputation risk associated with the delivery of social media in complex, multi-user, multi-campaign and generally busy customer service environments.

It’s a venture capital-backed British business servicing over 125 clients with over 10,000 users. Clients include Experian, Serco, Welsh Water, the Greater Manchester Police and Arriva.

*Additional information is available at: www.crowdcontrolhq.com

Office of Surveillance Commissioners issues warning over social media snooping

The Office of Surveillance Commissioners (OSC), led by Chief Surveillance Commissioner The Rt Hon Sir Christopher Rose, has published its Annual Report for 2013-2014. Emma Carr (director of Big Brother Watch) highlights some of the main points.

*Intrusive surveillance authorisations have increased from 362 to 392
*Directed surveillance by law enforcement agencies (LEAs) has increased from 9,515 to 9,664
*Directed surveillance by public authorities (PAs) has decreased from 5,827 to 4,412
*Active LEA covert human intelligence sources: 4,377 were authorised, 3,025 remain authorised
*Active covert human intelligence sources (non-LEA): 53 were authorised

The Commissioner notes that the information included in the 2013-2014 Annual Report is for 100% of LEAs and 96.6% of all other PAs. However, Sir Christopher Rose notes: “I am once again slightly disappointed that a few public authorities appear to treat my request for statistical returns as an option” and that: “I have therefore decided that, as from next year, those public authorities which have failed to respond within the set deadline will be named in my Annual Report.”

The Commissioner also raises the fact that there have been a number of occasions where senior officers have failed to meet with inspectors. These comments would therefore indicate that among some LEA and PAs there’s a potential problem of the OSC not being taken seriously.

The Commissioner also notes that, since the Protection of Freedoms Act 2012 was introduced, there has been a “downward trend” in the number of applications made and authorisations granted which “may or may not be attributable to this enactment.”

Emma Carr: director of Big Brother Watch

The Commissioner raises concerns about the lack of a common approach from councils towards the authorising process now that it’s controlled by Magistrates. He goes on to warn that “the knowledge and understanding of RIPA among magistrates and their staff varies widely.” The Commissioner notes that there’s certainly a need for “adequate training or magistrates” and their colleagues.

Worryingly, the Commissioner cites two examples of inappropriate authorisations: one having granted approval for activity retrospectively, and another having signed a formal notice despite it having been erroneously completed by the applicant with details of a different case altogether.

Social media and covert investigations

One of the most interesting sections of the report relates to the use of social media for covert investigations by PAs. The Commissioner states that he “strongly” advises all public bodies to put in place proper policies designed to deal with social media investigations due to a lack of demonstrable understanding of the law from some workers involved in investigations.

The report states that: “In cash-strapped public authorities, it might be tempting to conduct online investigations from a desktop as this saves time and money and often provides far more detail about someone’s personal lifestyle, employment and associates, etc, but just because one can does not mean one should.”

While long overdue, the Commissioner is absolutely right to acknowledge that many PAs around the country may well be covertly gathering intelligence from social media sites on an illegal basis.

RIPA 2000 was created while Google was still in its infancy and social media sites like Facebook and Twitter didn’t exist. It would therefore be ridiculous to expect that the legislation would allow the use of the Internet to proportionately investigate crimes while ensuring that safeguards are in place to protect the public’s privacy.

A far more open discussion about what data should be monitored – as well as whether the legal framework is truly fit for the digital age – is now required.