Welcome to the
Scottish Business Resilience Centre
We are a unique organisation comprising contributions and secondments from Police Scotland, Scottish Government, Scottish Fire and Rescue Service, major banks, industries, investors and private membership. We aim to provide our members with a wide-ranging one-stop shop for business security services and advice, and to date we have established ourselves as a hub of innovation and business improvement in support of our partners and the business community.
PwC announced as sponsors of the Scottish Cyber Awards
We are delighted to announce that PwC has this week confirmed its sponsorship support for the first ever Scottish Cyber Awards. PwC joins Scottish Enterprise and the SBRC in sponsoring the awards and ensuring they are of the highest quality.
Colin Slater, cyber-security partner for PwC said: “Raising further awareness, not only of cyber security but also the excellent work being done by those working in the field, highlights the importance of good practice and vigilance in protecting Scottish business and consumers.
“Cyber security remains a tier 1 threat to the UK. In an age where cyber-attacks are becoming increasingly indiscriminate, everyone is a target, regardless of size or profile.
“The UK is one of the most heavily attacked nations in the world with the Office for National Statistics confirming over 2.5million cybercrime events in 2015. Yet, with a reported £1billion having been spent on cyber security over the last four years, cybercrime remains one of the most under-reported offences in the UK, with some attacks remaining undetected for days, months or even years.
“Cyber-security – and best practice in this field – will continue to be an ongoing issue and that’s one of the reasons we’re delighted to be associated with these awards as a sponsor.”
In this first year the take-up of category sponsorship has been very swift, with all categories receiving sponsor support in just five days, and there has already been a steady level of enquiries about the entry process.
“We are all delighted with the level of support and attention which the national Cyber Awards have generated already. The awards take place in November and in this first year we are thrilled that PwC and Scottish Enterprise are co-sponsors. To have support of this quality and for all the individual categories is a recognition of the importance that Scottish business is attaching to the whole safe cyber agenda. This has been an extremely important year for Scotland following the launch of the Cyber Resilience Strategy by the Scottish Government and we are very pleased that just six months on we have been able to announce these.” Mandy Haeburn-Little, SBRC.
The awards recognise everything from Cyber Evangelist of the year, Outstanding Women in Cyber, Cyber Resilient Community Impact through to best small to medium size defender of the year. They have been designed so as to be accessible to the smallest companies and you can nominate other people in each of these categories.
The deadline for nominations is mid-September so now is the time to make that nomination.
We are delighted to announce that we have achieved Cyber Essentials accreditation. Clicking on the image above will take you to our online certificate. This certificate indicates that the Scottish Business Resilience Centre has taken the essential steps recommended by the UK Government to mitigate our risk from common internet-based threats.
How Safe is your Business?
The Scottish Business Resilience Centre Hits the Road Again…with FREE RESILIENCE TRAINING for your Business.
The objective of the Scottish Business Resilience Centre is to create a secure Scotland for business to flourish in, regardless of size or sector. That’s why we are hitting the road again, offering FREE resilience advice and guidance to the SME business sector throughout Scotland with a series of training workshops and presentations. We know that your time is a valuable resource, which is why this training will be delivered at your place of work or a location of your choice. You don’t need to spend any time travelling to attend; the only time you have away from your day-to-day duties is spent learning something that will help you to improve or protect your business.
It doesn’t matter if your business is in Edinburgh or Orkney, as long as it is in Scotland we are happy to come to you to deliver training on any of the topics below:
Cyber Crime Awareness
This presentation explains the real risk all businesses face from cyber crime and the simple steps that businesses can take to minimise this risk.
10 Steps to a Safe, Secure and Resilient Business
Highlights key areas for businesses to proactively check their systems, procedures and premises for resilience against unexpected and disruptive events. Also provides an introduction to our new online ’10 steps’ self-assessment tool.
Project Griffin 2
Project Griffin 2 is the national counter terrorism awareness initiative produced by the National Counter Terrorism Security Office to protect UK cities and communities from the threat of terrorism. There are a number of different modules in Griffin 2, and depending on the nature of your business or on the composition of the audience, these modules can be tailored to suit your business requirements.
Employees, either intentionally or unintentionally, can be the biggest risk to your business. This presentation will provide guidance on how businesses can minimise the risk posed internally by rogue employees and the importance of key processes around the recruiting, retaining and dismissal of staff.
Lone Working and Personal Safety
This workshop will focus on advice for front line staff who work alone (how to stay safe, de-escalation strategies etc.) but can also be tailored to provide advice to employers (addressing duty of care, the need for clear policies and practice etc.).
This presentation can be delivered on 2 levels with advice for front line staff that may come into contact with illegal drugs or may be vulnerable to substance abuse, and advice for employers on the obligations placed on them in terms of their duty of care, policies and prescription drugs.
This workshop will focus on how your company can respond to major incidents or events effectively and ensure that you return to business as usual as quickly as possible. Again this input workshop can be tailored to suit both employees and employers.
These events will be delivered between September 2016 and March 2017. If you would like to know more or to book FREE training, then please contact firstname.lastname@example.org or call 01786 447 441.
The SBRC 2016 Issue 4 Newsletter is out now!
Just click on the cover image below to learn about the upcoming Scottish Cyber Awards, how you can get free staff training on various topics and the launch of Best Bar None 'Good Night Out?' campaign.
What is Ransomware and how can you protect yourself from it?
Our Cyber Consultant Gerry explains what ransomware is, how it affects your files and how you can avoid falling victim to it in the video below.
What's this about Pokémon Go?
When Pokémon Go was first released, it was discovered that the “Sign in with Google” feature on the iOS application was requesting “full account access”. This purported full account access, just to play Pokémon, caused alarm among players and led to headlines such as “Have you given Pokémon Go full access to everything in your Google account?”. Thankfully, in this case the answer was no: the application's developers, Niantic, had erroneously used a deprecated login system which was defaulting the user interface to read “full account access”. In fact the application was only accessing basic account information (user ID and email address); no other account information was accessible, and it was not possible for the application to access users' Google email or calendar.
The second, more pressing privacy concern is that the game is aware of your location while you are using it. We grant many applications our location while using them, so what makes this any different? Nothing. If you are using an iPhone, you can go to Settings > Privacy > Location Services and take a look at when your applications get access to your location. If you are using an Android device, you can check when your applications have access to your location by going to Settings > Location. On iOS there are three location access levels: Never, While Using and Always. The highest level of access, ‘Always’, should be reserved for applications you trust or whose operation depends on your location being available at all times.
For some, the alarming takeaway will be that a game requires your location to function, but with Pokémon Go's success we can be sure to see more location-enabled smartphone games in the future. This, we believe, is a good time to take stock, examine the Privacy settings section and see what your applications know about you.
What's this in the news about Cyber Credentials Stuffing?
Should O2 customers be worried?
BBC News have revealed that O2 customers have had their personal details sold on the dark net. The many headlines surrounding this loss of data make it look like the fault lay at the door of O2. More detailed reading of these articles shows that the loss of these details was not a result of hackers stealing the data directly from O2. In fact, the customers who have lost their data were the victims of a technique called “credential stuffing”. O2 have even issued a statement denying that they have been the victim of a data loss.
Credential stuffing is where hackers try the same stolen username and password combination on many different websites in the hope that users have reused their passwords. In this case, it is thought that the lost details came from a security breach which happened in 2013 at a video game-streaming site called XSplit. This data breach resulted in approximately 2.9 million usernames, emails and passwords being stolen. Because people reuse passwords on multiple sites, it has been possible for hackers to obtain the details of O2 customers, including dates of birth, phone numbers and emails. These details can then be sold on to other criminals. O2 have reported the incident to the police.
What can you do?
There are a few things that you can do to protect yourself from becoming a victim of this type of attack.
• Stop using the same password on different sites. Each site you use should have a unique password.
• Start using longer, more complex passwords.
• Use a password manager. Password managers such as LastPass (https://lastpass.com/) or 1Password (https://1password.com/) allow you to create long and complex passwords for every login you use, and all you need to remember is one password.
• If available, make sure that you enable two-factor authentication. This means that you need not only a password but some other form of verification, such as a code that the site will send, to log in to an account.
This is not an issue just for O2 customers but for anybody who has had their credentials stolen in a data breach before and has not changed their password. If you are unsure if you have lost your details, you can check on the website “have I been pwned?” (https://haveibeenpwned.com/). However, if your email address shows no breach, this is no guarantee that you are safe, especially if you have used the same password on more than one site.
How to Stay Cyber Secure
At the Scottish Business Resilience Centre, we provide a comprehensive range of integrated cyber security services that help you assess, build and manage your cyber security capabilities, and respond to incidents and crises. Our services are designed to help you build confidence, understand your threats and vulnerabilities, and secure your environment. Over the next few weeks we will be highlighting our range of services, with a spotlight on each.
Cyber Security Factsheets
This week the spotlight is on our Cyber Security Factsheets. Each week we will be unveiling 4 new Factsheets that cover a range of cyber related topics, that we are sure you will find useful and informative. These are free to download from the SBRC website. Check out the video below to find out more...
This week's Factsheets include:
Ransomware is a huge problem for everyone with companies of all sizes being attacked more and more often. Ransomware is a type of malware that encrypts the files and documents on your computer and makes them unusable unless you send a payment to the attacker (usually in bitcoins – an anonymous online currency). Our Ransomware Factsheet will help you understand and deal with this ever growing threat.
Tricks Used By Hackers to Upload Payloads
Did you know that hackers can hide dangerous code in harmless looking files? Hackers use a variety of tricks and methods to get their malicious payloads onto your devices or into locations where they can easily attack your devices. Our 'Tricks Used By Hackers To Upload Payloads' Factsheet will help you to understand how hackers go about this and the tricks they use every day to exploit your computer systems.
How to Identify Security Threats and What Action to Take
The 'Security Threats and their Solutions' Factsheet offers advice on countering the typical security threats you may encounter on the internet. Bearing these countermeasures in mind will help you recover after being exposed to an online security threat.
Types of Cyber Threats
The 'Types of Cyber Threats' Factsheet has been developed to explain some of the most common and dangerous online threats for home users and small-medium sized businesses alike. It will describe in detail the techniques a malicious hacker may use to exploit your computer system.
The Digital Economy: A House of Commons Report
The House of Commons Business, Innovation and Skills Select Committee has published its report on the digital economy. To read the report, which highlights the UK's position as a leader in the world of digital and the need for the next Digital Strategy from the Government to take the repercussions of Brexit into account, please click here.
NCA report calls for stronger law enforcement and business partnership to fight cyber crime
The National Crime Agency has today published the Cyber Crime Assessment 2016, outlining the immediate threat to UK businesses from cyber crime. This is the first cyber crime assessment produced jointly by the NCA and industry partners. To read the report please click here.
Scottish Cyber Awards
Applications are now open for the First Scottish Cyber Awards!
This is your chance to shine and be recognised for all of the great work you do in the cyber field. Please click here for more information.
We are delighted to announce that all of the award sponsorship opportunities for the Scottish Cyber Awards sold out within a week! This is a great indicator of the excitement and anticipation surrounding Scotland's first Cyber Awards Ceremony. Award applications opened on Monday the 4th of July and all of the information you need to apply is available here.
Scottish Cyber Awards - Category Sponsors
Scottish firms asked to join terrorism awareness scheme
Scottish businesses and organisations are being urged to sign up for a scheme to keep their staff and the public safe in the event of a terrorist attack.
The scheme, called Project Griffin, is aimed at workers in busy or crowded places, including the hospitality industry and the health service.
Ch Insp Ronnie Megaughin, deputy director of the Scottish Business Resilience Centre, said: "This extension of Project Griffin, which will enable a greater number of businesses to ensure their staff are sufficiently aware and prepared for an act of terrorism, is most welcome.
"Whilst being prepared and knowing what to do is vital, it is equally important that as many people as possible who work in busy places are aware of the threat and are better equipped to recognise and report suspicious activity."
Overview of New EU Data Protection Legislation from PricewaterhouseCoopers
(Please click on the image below to read the full document)
Small Firms Struggle To Tackle Threat of Cyber Crime
Scotland’s small businesses are aware of the increasing threat of cyber crime but are still failing to act on the threat effectively, according to the most detailed cyber security survey of small businesses in the past year.
The survey highlights how firms are being overwhelmed and confused by the amount of advice around cyber crime. As a consequence they are choosing to take only the most minor “common knowledge” preventative measures, like using anti-virus software and firewalls, which leaves them unwittingly vulnerable.
The survey also shows that SMEs still do not regard the data they hold, whether their own or that of customers, as having value.
The study is the first of its kind to assess why Scotland’s SMEs are not doing more to protect themselves, despite the almost daily reports of companies being hacked, having personal data stolen or experiencing a loss of business.
The research, by the University of Glasgow, was commissioned by the Scottish Government and the Scottish Business Resilience Centre (SBRC) and funded by a Royal Academy of Engineering Industrial Secondment Grant.
SBRC Director Mandy Haeburn-Little said the survey provides crucial guidance on how small businesses, government and other agencies all need to change their thinking to counter the threat of cyber crime.
She said: “It’s vital we do everything we can to support smaller companies including the many, many companies who work from home. These findings will help us to do this. The findings show that SMEs do care and take cyber crime seriously, but they are hitting obstacles on what to do about it. However also particularly concerning is that many small businesses still do not recognise that there is a value attached to the data they hold.
“The fact that there is so much advice online – and also significant levels of conflicting advice - is leaving them confused, bewildered and overwhelmed. The survey also shows that the majority of people simply turn to Google for advice despite there being several dedicated websites and portals of guidance available.
“This all points to the need to establish clarity over recommended actions and a single source for advice and contact. This is very much in line with the concept of the creation of a cyber hub for Scotland which would act as one trusted source of advice and cyber security services at affordable cost. SBRC is taking forward the scoping of this concept with more news on this expected in the next six months.”
The SBRC is considering how small businesses can be better supported with their specific needs, and what other simple measures can be introduced to keep cyber crime front of mind and help to drive behavioural change.
University of Glasgow senior lecturer Dr Karen Renaud, who was seconded to the SBRC and who conducted the survey, found that:
• 95% of businesses carried out security activities that showed they did care about security, but only 15% thought they were at significant risk of being the target of an attack.
• More than 50% said they consulted Google for cyber advice with less than 7% consulting Government websites. With 12 million results coming up on Google, firms feel unable to identify trustworthy advice and are left floundering.
The recent Cyber Breaches Security Survey, carried out by Ipsos Mori for the UK Government, found two-thirds of large British businesses have experienced a cyber attack or breach in the last 12 months – one in four of which were attacked at least once a month. More than half (53 per cent) of small businesses in Scotland think it is unlikely or very unlikely they would be a target for an attack and only 23 per cent feel completely prepared for one, with 19 per cent saying they have not taken any steps to protect their data.
The SBRC, whose partners include the Scottish Government, is now proposing to highlight the survey recommendations in its ongoing discussions with the Scottish Government and Police Scotland as part of Scotland’s developing cyber strategy.
Cyber crime can take many forms, including theft, fraud, selling sensitive company data and sabotaging equipment.
In the past year, notable cyber attacks have included the TalkTalk scandal and the crashing of the BBC website; however, smaller firms are at an increased risk due to limited resources and lack of in-house IT capabilities.
As part of its cyber prevention guidance, the SBRC works with ethical hacking students to provide crucial, affordable services that protect companies - particularly vulnerable small firms - from e-criminals and scammers.
These assessments can vary from a cyber footprint review, which assesses what information is available online about a business or an individual and how that can be better managed, to a security test which looks to identify the risk of unauthorised intrusion from an external or internal source.
Other cyber assessments can be carried out, including cyber attack rehearsal, simple business hygiene checks for small companies and phishing simulation.
Worried about Ransomware?
Thomas Stanford have produced a free guide on how to stay protected against this evolving threat. Find out more here.
SWITCH IT OFF!
Why it's dangerous to leave your Wi-Fi on, as demonstrated by one of our superb speakers from the Trading Securely conference, Glenn Wilkinson.
Have you read the Little Book of Resilience?
Its author, Liggy Webb of The Learning Architect, has kindly made it available here for free. Click here or on the image above to start reading!
Cyber Security Advice videos from our Ethical Hacking Team
Our ethical hackers have recorded several videos which provide advice on different cyber security issues. The latest video is below and you can view the full range of videos by clicking here.