From the BH Consulting archives: fake invoicing scams are a constant security risk
BH Consulting » Security
by Gordon Smith
5y ago
Trawling through archives can quickly turn bittersweet when it hits home how little has changed between past and present. Looking back through the posts on BHconsulting.ie, invoice redirect scams have featured regularly since 2015. Fast forward to 2019: An Garda Siochana warned that this fraud cost Irish businesses almost €4.5 million this year. The global costs are even more sobering – but more of that later. Back in 2015, we reported the Irish Central Bank was fleeced to the tune of €32,000. This fraud was a growing trend even then. Our blog quoted Brian Honan’s Twitter account: “Looks like ...
BH Consulting in the media: supply chain security still a concern
BH Consulting » Security
by Gordon Smith
5y ago
The Huawei controversy has raised fundamental questions around supply chain security, Brian Honan has told Infosecurity Magazine. In a video interview recorded at Infosecurity Europe 2019 conference in London, BH Consulting’s CEO said the issue of technology containing alleged backdoors to enable spying has led to “interesting conversations” in the security community. The question boils down to whether it’s possible to build secure systems if there’s no trust in the technology platform they’re built upon, Brian said. “Unless we actually build something ourselves from absolute scratch, we are r ...
Security awareness training: a constant in a changing world
BH Consulting » Security
by Gordon Smith
5y ago
There are two schools of thought when it comes to users and cybersecurity. Some people working in the industry think of users as the weakest link. We prefer to see them as the first line of defence. Cybersecurity training programmes can address staff shortcomings in knowledge, promote positive behaviour and equip non-experts with enough information to be able to spot potential threats or scams. In our previous post, we looked back through the BH Consulting blog archives to trace the evolution of ransomware. This time, we’ve gone digging for a less technical threat. Instead, it’s a constant cha ...
Ransomware remains a risk, but here’s how you can avoid infection
BH Consulting » Security
by Gordon Smith
5y ago
It’s been a case of good news/bad news when it comes to ransomware recently. New figures from Microsoft suggest that Ireland had one of the lowest rates of infection in the world in 2018. But in early May, a sophisticated strain of ransomware called MegaCortex began spiking across Ireland, the US, Canada, Argentina, France, Indonesia and elsewhere. Data from Microsoft’s products found that malware and ransomware attacks declined by 60 per cent in Ireland between March and December 2018. Just 1.26 per cent reported so-called ‘encounter rates’, giving Ireland the lowest score in the world. Hoora ...
Security roundup: May 2019
BH Consulting » Security
by Gordon Smith
5y ago
We round up interesting research and reporting about security and privacy from around the web. This month: password practice, GDPR birthday, c-suite risk, and further reading for security pros.
Passwords: a good day to try hard
No self-respecting security pro would use easy passwords, but could they say the same for their colleagues (i.e. everyone else)? The answer is no, according to the UK National Cyber Security Centre. It released a list of the 100,000 most hacked passwords, as found in Troy Hunt’s ‘Have I Been Pwned’ data set of breached accounts. Unsurprisingly, ‘123456’ topped the list ...
Security roundup: April 2019
BH Consulting » Security
by Gordon Smith
5y ago
We round up interesting research and reporting about security and privacy from around the web. This month: healthy GDPR, gender rebalance, cookie walls crumble, telecom threats and incident response par excellence.
A healthy approach to data protection
Ireland’s Department of Health is now considering amendments to the Health Research Regulations, with data protection as one of the areas under review. The Health Research Consent Declaration Committee, which was formed as part of the Health Research Regulations made under GDPR, confirmed the possible amendments in a statement on its webs ...
Password-less future moves closer as Google takes FIDO2 for a walk
BH Consulting » Security
by Gordon Smith
5y ago
For years, many organisations – and their users – have struggled with the challenge of password management. The technology industry has toiled on this problem by trying to remove the need to remember passwords at all. Recent developments suggest we might finally be reaching a (finger) tipping point. At Mobile World Congress this year, Google and the FIDO Alliance announced that most devices running Android 7.0 or later can provide password-less logins in their browsers. To clarify, the FIDO2 authentication standard is sometimes called password-less web authentication. Strictly speaking, th ...
More cod than phishing: why business email compromise is a bigger risk than you think
BH Consulting » Security
by David Prendergast
5y ago
Email scams and social engineering attacks are a huge security risk. When we describe security incidents that involve criminals scamming individuals or businesses out of money, security professionals often use terms like “CEO fraud”, “fake boss scams”, or “impersonation fraud” and “business email compromise” interchangeably for convenience. But there’s a case for treating business email compromise as a specific threat that deserves special attention. Let’s put this into context. Phishing scams in general, and CEO fraud in particular, have the same goals: to convince you that the sender is ...
AWS Cloud: Proactive Security and Forensic Readiness – part 5
BH Consulting » Security
by Neha Thethi
5y ago
Part 5: Incident Response in AWS
In the event your organisation suffers a data breach or a security incident, it’s crucial to be prepared and conduct timely investigations. Preparation involves having a plan or playbook at hand, along with pre-provisioned tools to effectively respond to and mitigate the potential impact of security incidents. These response measures are more effective when regularly tested, such as by running incident response simulation exercises. This post relates to incident response in the AWS Cloud. It’s the last in a five-part series that provides a checklist for p ...
Security roundup: February 2019
BH Consulting » Security
by Gordon Smith
5y ago
We round up interesting research and reporting about security and privacy from around the web. This month: security as a global business risk, insured vs protected, a 12-step programme, subject access requests made real, French fine for Google, and an imperfect getaway.
Risks getting riskier
Some top ten lists are not the kind you want to appear on. Data theft and cyber attacks both featured in the World Economic Forum’s Global Risks Report 2019. Only threats relating to extreme weather, climate change and natural disasters ranked above both security risks. The report is based on a su ...