#017 – Be Cyber Security Savvy with Jake Moore
- 18th October 2017
- Posted by: Liz Gordon
- Category: Episodes
We’re very excited to have a guest speaker here with us today.
Hello everybody, Nicky here. So, welcome again, and welcome to Jake Moore, who is Cyber Protection Officer from Dorset Police.
Thank you! Hi everyone!
So, Jake, we know that you’re doing a lot of talks around the area now. What is your role and why was it set up?
Yes, I’m the Cyber Crime Prevention Officer for Dorset Police, and my role has existed for about a year and a half now, to get cyber security advice out to as many people as possible around the county, particularly small businesses, because they tend not to have the cyber security training and advice in place. If we can help with that knowledge and advice to prevent cybercrimes from happening, we could effectively keep those businesses from being hit by cyber attacks.
So, are we saying that small businesses are particularly susceptible to cyber crime?
Well, small and medium businesses tend not to have the IT departments that might help them out later and, particularly, don’t have a security person who would look after their company in that respect. So, yes, everyone’s targeted. The small and medium businesses tend not to have that prevention in place.
And presumably Dorset Police saw a need specifically for somebody in your sort of role?
Yes, well, all the police forces in the country were offered money by the Home Office to fund this role, and I think the large majority of the forces have taken on my role.
Okay, so even if listeners are listening in from another county, then effectively they will be able to reach out to their local force.
Yes, definitely. Someone can go in and give a talk and give some training if they need it.
So, what’s your background? How did you get into cyber security?
Well, I did Maths and Computing at University, and then I went straight into the Police Force. I started off doing statistics, but then I soon went into the high-tech crime unit. That’s the unit where I would take computers apart and look for digital evidence on hard drives and in phones…
That’s the stuff of telly cop shows!
Absolutely! Not as quick as it is on the TV, but with a murder, for example, we’re going to take the computer apart and have a look for log-on and log-off times, Google history, and their emails can be found. Anything that could help out as evidence in a court case would be huge, and it’s growing so much these days. I did that for about eight years, and then I managed the team and became Head of Digital Forensics for a couple of years in Dorset Police, and then I was asked to go and join the cyber crime team.
So I know you’re going to talk to us about different types of cyber crime. I had an email supposedly from HMRC. Now it looked really genuine. I’m used to them now, so I did double-check the email address that it came from, because it was telling me that I had a £411 refund. Are those the sort of things that are catching people out?
Yes, that’s a typical phishing email. Phishing emails are a huge problem, but they’re always prevented by us knowing that they could be a phishing scam. And so the HMRC one… lots and lots of people are discussing them now, so they tend to think twice, and hopefully they see them come up. Also, if you do have an HMRC account, you’ll have what’s called two-factor authentication in place, which means when you type in your username and password, it’ll then say ‘hey, we’re going to text you a code’, and that code is a one-time password that works just for that one minute. And so that means if the hacker had your password, he would also need that code, and he hasn’t got your mobile phone. So, that’s a big telltale sign: if you’re going to a site and it doesn’t ask you for that code, you’re probably looking at a fake site where they’re trying to harvest your password. They do, however, send fake text messages as well. So, it’s not just fake emails that are coming through. It’s called SMS phishing or, put together, ‘smishing’, that’s the newer term. They love these terms! That will come to your phone and it says ‘hey! you’re due two hundred pounds’. So, it’s not a ‘too good to be true’ scenario, it’s something that you might think you might be refunded with. Clicking on it will take you to a fake site. A big no-no! If you are ever sent anything like that, log in the normal way as you normally would, maybe from a link you’ve kept in your favourites.
Okay, good advice!
So, Jake, I’ve also heard the term banded around – ‘Ransomware’. So, can you tell me what we can do to help counter against that?
Ransomware is usually where someone sends an email with an attachment which they’re enticing the user at the other end to click on. Say, simply, on a Windows or Mac laptop: if you open up that attachment, you’re going to set off the malware inside, which will look at all of your files. That’s everything: Word documents, Excel, your photos or videos, you name it! It will lock everything out and the screen comes up saying everything’s locked, and if you’d like to get your data back, you have to pay via Bitcoin, which is a digital currency which is largely untraceable, anything from say £200 upwards, and I’ve seen ransoms around £5,000. One Bitcoin is currently around £3,500, but it could be anything. And if the hacker has done his homework, then he’ll set that ransom at the price where he thinks you’ll be able to pay it. So, the best bit of advice here is to train everyone in the company just to not go click-heavy on these attachments. It might say, for example, invoice.pdf and I might want to click on it.
I get a lot of those actually. I’m thinking, you know “we attach your invoice following your transaction” and I’m thinking, hang on a minute….
So, you are aware you haven’t actually made that transaction, you shouldn’t be expecting an invoice, brilliant! That’s your verification that you know… But if you’ve got someone in the organisation that thinks, I suppose that could be right, that’s an invoice, I’ll keep the boss happy, they’ll be chuffed to bits that I go click on this. While doing that, anything attached to that network, I’m assuming all your computers are on the same network, it will lock everything. If you keep a backup online, that will then kill the backup as well. I’ve seen companies go down, and so has their backup, and so they have essentially from one click lost everything. So, you must be keeping backups offline.
Yes, so even in our case, we use Dropbox so that we actually filter through to…
Dropbox is fantastic if you’re paying the top premium amount. The monthly subscription of the top one will do ransomware protection. That will keep a backup of, say, 24 hours ago. So, if you got hit, you can go to Dropbox and say can I have the backup from 24 hours ago? If you’re just doing the free version… that sadly will synchronise across all devices and lock them all out.
That’s so scary!
It’s so simple for them to do this. Anyone could make up this malware code and send it to anyone, and your antivirus, which is what you probably have, and you probably put a lot of emphasis on the fact you’ve got that, won’t always stop it, because antivirus can only stop viruses that are known, and ransomware changes its strains all the time. So, if you’ve got a hard drive, unplugged, with your backup on, that’s the safest way, because the ransomware will not be able to jump into a hard drive that’s on a desk or under the desk or wherever you want to keep it. If you’re a slightly larger company, I would suggest having an off-site backup as well. Off-site backups are there also for fire, flood, theft, you name it! So, it’s not just ransomware.
Okay, that is really scary. So, worst-case scenario then: I have been hacked and I now have one of these ransomware things all over my screen. What can I do?
Well, sadly, your head is now in two minds. Do you pay off the cyber criminals with the ransom they’re offering, or do you turn to your backup, which I hope you have? I would be suggesting, if you haven’t got a backup, what I call an offline backup, so you’re not connected to the computer or network, then that is the only way. I don’t want people to have to pay out for this. That comes down to each individual circumstance. I have heard of people paying it and they do get their data back, but I don’t want to get there. So, right now I would suggest everyone needs to look at their backup and also see how long it would take to restore that backup. In my last job, I used to have to go to old data and restore it. Notoriously, it would take a long, long time to do. So, you could be out of business for a couple of days while still getting back to where you were just an hour before. So, that has a cost implication too.
Okay, but you do suggest that people do get their stuff back?
I’ve heard it’s 90%+ that they tend to get the code to do that, but I don’t want to have to say the rule is to pay it, because we don’t want to be funding cybercrime.
I suppose they want people to know that they get their stuff back?
Exactly, that’s the case, but if all your listeners go and look at their backup now, then we can possibly even get rid of ransomware, because they could start sending it out and then you say, you know what, I’ve got my backup, and also I’ve trained my staff not to click on attachments without verifying first.
Prevention is key!
So, it’s important to mention, listeners, that we will be doing a transcript of this podcast on our website themarketingmenu.com. So, you can go pop over there afterwards and download a copy and share with your team.
Great! Okay so Jake, are there any further tips that you would give small business owners?
I’ve talked about backup enough. So now I suggest that there’s this thing called two-factor authentication, that is absolutely vital…
This annoys me a little bit.
Well, this is the problem. This is the offset people say to me. They find security an inconvenience, but there has to be a level where security is there in place. It gives a functionality to keep you secure. If you don’t follow those procedures and add those layers of security, you are then vulnerable to getting hacked. So, two-factor authentication, if you’re not aware of it, is a password with your username, so something that you know, coupled up with something that you have. So, for example, your mobile phone gets a text message, like I said about the HMRC. You can do this with Twitter, Facebook, Gmail, you name it! Good quality accounts that are out there, the big ones, will allow it. So, you get a code, there’s a one-time password, you know, it only works for that 30 seconds or so, and therefore, if I were to hack your password, I then can’t get into your account. This is vital for your email account, so your email is the main one here.
So, we can set up two-factor authentication on our own email?
Yes, we can. Sometimes it’s hidden away and people get funny with the fact they can’t find it very easily; this is the sad part of it. It’s not on by default, but please do go look in the security settings, or it might be in settings. It might even be called multi-factor verification. It has a couple of different terms but does the same thing, but definitely do it on your social media, because I’ve seen companies that have had their social media hacked because their password was too easy to guess, and then they’ve got in and sent all sorts of strange messages on the social media. It’s really brand damaging.
It happens a lot on Facebook, doesn’t it?
Yes, and a simple way around that is not only to have a good password, but to have your phone set up, so if anyone wants to actually then go and post from a new device, your phone would get the code and say someone’s trying to get into your Facebook. You just click the button that says ‘no thanks, that wasn’t me’, and no one can then go and damage it.
And just as an aside, we mentioned Facebook there, I’ve heard about cloning of Facebook pages and things of that nature?
That’s very difficult to stop, but if you do ever see that, you can click report and it’ll go over to Facebook and they will look into it and hopefully get rid of it. I see that happening to individuals as well, when people might pretend to be someone who’s not on Facebook, and then add their friends and then in the end request money from them.
Is there an easy way to tell whether a website is fake or cloned?
Well, the safest way is to look for the padlock in the web address. If you’re on a website in a browser, look for that padlock at the top; that will tell you that it’s an encrypted site. So, whatever data you give them, they can’t read. If it hasn’t got that padlock, and you type in a password or credit card information, they will just take that and put it straight into their spreadsheet. That’s the number one key if you’re dealing with a website that may be dealing with sensitive information.
Okay, right, interesting.
Can I just go back to Facebook a minute, because I think this has happened a lot to me recently, where I had these fake friend requests, where somebody has gone in and it actually comes up with the person’s profile photo and it’s saying friend request, and I did get caught by it once and I immediately changed my password, reported it to Facebook and told the person whose account it was. Why do they do it?
Okay, so they’re looking further down the line. So, if they go and choose to be someone and add you as a friend, then they might go and add all of that person’s friends on social media. You then believe it’s them, because every time someone posts on Facebook and it comes up with their profile picture and their status, you just believe it’s them, and if they email you and say “hey, I’m going on holiday” and you go great! ok, whatever! and then a few days later you could then get an email that says “oh! I’ve just hurt myself”, and you already think it is that person, and they’re saying “look! I’m asking 50 pounds of all my friends to help with my insurance operation, can you just send it to me?” 50 pounds is not too much money to spend in that scenario. So, if you do see a name popping up on Facebook adding you, ring that person up.
No! Are you seriously expecting us to talk to people nowadays?! As opposed to email exchange?!
Totally! Well, I don’t trust any email that comes in to me. If I get a link or an attachment, I’ll ring that person up because I want to verify, or it’d be pretty embarrassing if I got hacked. So, I want to make sure it is that person, and it’s the same with Facebook. It goes without saying: have you met that person? I speak to a lot of under-30-year-olds who will just add anyone to have lots of numbers on their friend requests.
That’s how popularity’s gauged, isn’t it? By how many friends you’ve got on Facebook! Jake this has been absolutely fascinating. Is there anything else you’d like to add?
Yes! If you want to learn any more, I’ve got a YouTube channel where you’ll find a lot of videos. I think I’ve made about 12 so far. I make those all the time on what I find are the current trends and what current threats we’ve got against us, and that is specifically for small businesses, actually.
Do you have other social media accounts?
And do you post regular sort of security updates?
Twitter – every day! Facebook – at least once a week.
Brilliant! Thank you so much, Jake, for taking time out of your very busy schedule, because I know you’re on the circuit now talking. Listeners, if any of you see a talk by Jake, do go along, because, you know, we need to be learning all the time how to keep ourselves safe. So, that just leaves us to thank Jake so much for coming along today to talk to us, and to remind you to tune in to our next podcast, which is on the 1st of November, where we’re going to be talking all about marketing on a budget.
Hey! Okay, so until then it’s goodbye from me, Nicky.
And from me, Liz.
Thanks very much.
Thank you! Goodbye!
©The Marketing Menu 2017. All rights reserved.