The NCSC weekly threat report last week highlighted Business Email Compromise (BEC) as the leading cause of cyber insurance claims, according to insurer AIG. BEC is a type of scam targeting companies that conduct electronic bank transfers and have suppliers abroad. Corporate or publicly available email accounts of executives or senior employees in finance, or otherwise involved in bank transfer payments, are either spoofed or compromised (through keyloggers or social engineering) and then used to initiate fraudulent financial transfers. The scale of this threat has pushed claims arising from ransomware and data breaches into second and third place respectively.
Another threat highlighted concerns a hacker collective that copied and reverse-engineered First Bus Manchester’s ticketing mobile app and discovered that the private encryption key used to secure QR codes was embedded in the app. Rather than disclosing the issue to the developer, the group released a ride-buses-for-free QR code. This breach was down to very poor coding practice: a secret key embedded in a distributed app is available to anyone who decompiles it. It is not difficult to avoid this type of vulnerability, and the NCSC has issued guidance on 8 principles of secure development and deployment for software developers.
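The way to avoid the ticketing flaw above is to keep the signing key off the device altogether. The following is an added example, not First Bus’s or the NCSC’s code: the operator’s server signs each ticket with an Ed25519 private key, and the app or inspector device ships only the public key, so it can verify a QR code but cannot create one. The ticket payload format and the function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

var enc = base64.RawURLEncoding

// Issuer holds the Ed25519 private key; it lives only on the server, never in the app.
type Issuer struct{ priv ed25519.PrivateKey }

// NewIssuer generates a key pair and returns the public half for distribution.
func NewIssuer() (*Issuer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Issuer{priv: priv}, pub, nil
}

// IssueQR signs a ticket payload (a constructed "id=..;route=.." string, not the
// real app's format) and returns the QR text: base64url(payload).base64url(sig).
func (is *Issuer) IssueQR(payload string) string {
	sig := ed25519.Sign(is.priv, []byte(payload))
	return enc.EncodeToString([]byte(payload)) + "." + enc.EncodeToString(sig)
}

// VerifyQR holds only the public key: it can check a ticket but cannot mint one.
func VerifyQR(pub ed25519.PublicKey, qr string) (string, error) {
	parts := strings.SplitN(qr, ".", 2)
	if len(parts) != 2 {
		return "", errors.New("malformed ticket")
	}
	payload, err1 := enc.DecodeString(parts[0])
	sig, err2 := enc.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, payload, sig) {
		return "", errors.New("bad signature")
	}
	return string(payload), nil
}

func main() {
	is, pub, _ := NewIssuer()
	fmt.Println(VerifyQR(pub, is.IssueQR("id=T-1;route=43")))
}
```

Anyone who extracts the public key from the app gains nothing beyond the ability to check tickets; minting one still requires the private key on the server.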
London Grid for Learning
In other news, the NCSC teamed up with the London Grid for Learning to conduct a cyber security ‘audit’ of 430 schools across the UK. Ninety-seven percent of schools said that loss of network-connected IT services would cause considerable disruption, and eighty-three percent said they had experienced at least one cyber security incident; yet, surprisingly, fewer than half of schools included core IT services in their risk register. Information security is a key risk area for most organisations and should always be considered in risk assessments.