Category Archives: Cybercrime

Hackers expand their repertoire as Trend Micro blocks 52 billion threats in 2019

By Ian Heritage

Variety is welcome in most walks of life, but not when it comes to the threat landscape. Yet that is unfortunately the reality facing modern cybersecurity professionals. As Trend Micro’s latest annual roundup report reveals, hackers have an unprecedented array of tools, techniques and procedures at their disposal today. With 52 billion unique threats detected by our filters alone, this is in danger of becoming an overwhelming challenge for many IT security departments.

In response, many CISOs are rightly re-examining how they approach threat defence. Rather than create potential security gaps and risk budget shortfalls through best-of-breedinvestments, they’re understanding that it may be better to consolidate on one provider that can do it all.

Continue reading

Supporting the Scottish public sector during Cyber Scotland Week 2020

by James Munroe

Some of the most important work we do at Trend Micro is with central governments and local authorities. These organisations are the custodians of highly sensitive citizen data and operate services critical to society. Cyber-attacks are a major threat to both.

That’s why we’ll be sponsoring Holyrood Connect’s Scottish Public Sector Cyber Security Conference later this month. Drop by to see how Trend Micro can help your organisation better manage cyber risk.

On the frontline
Public sector IT managers have a difficult job. On the one hand, they’re faced with escalating threats designed to steal sensitive citizen data and extort money through ransomware. Recent FOI data revealed that UK councils are hit with cyber-attacks numbering as many as 800 every hour. Yet they must tackle these threats with minimal budgets. Just 18% claim to have cyber insurance in place, for example.

All of this is happening against a backdrop of digitalisation, as public sector bodies like those in Scotland migrate more services to the cloud to improve efficiencies and reduce costs. Yet if not managed securely, this can widen the attack surface of these organisations.

At Trend Micro we advocate multi-layered defence, built around a blend of cross-generational techniques across the endpoint, network, and hybrid cloud. Sourcing these from a single vendor makes most sense, as you can close down visibility gaps, optimise performance and reduce costs.

Our Cloud App Security (CAS) offering is particularly popular with government agencies and authorities that are keen to add an extra security layer to their Office 365 and file sharing deployments.

We’re a proud sponsor of the Holyrood Connect Scottish Public Sector Cyber Security Conference later this month. To find out more, do drop by to our stand to see how Trend Micro can help your organisation drive digital transfomation whilst minimising cyber risk.

What: Holyrood Connect’s Scottish Public Sector Cyber Security Conference 
Where: Dynamic Earth, Edinburgh
When: 18-19 February

The Deepfake Threat: Why it’s Time to Update Your Security Policies

by Ian Heritage

Could this be the year that deepfakes break through into popular culture? One ominous sign of things to come has been the scrambling of social media companies over the past few weeks to develop a coherent set of policies on faked content. Their actions should help raise awareness and limit the impact of malicious audio and video online.

But let’s not forget that deepfakes are already being used by cyber-criminals today, specifically in CEO fraud attacks. This will require CISOs to update their risk management and security strategies, as attacks become more widespread and convincing.

Keeping it real
AI-powered deepfakes are spoofed audio or video clips which are hard to distinguish from the original. They quite literally put words in the mouth of the subject; whether it’s a famous politician, a celebrity or a CEO. While it sounds like a lot of fun, there’s a serious side. Doctored video clips could be used ahead of elections to discredit candidates, for example. The bad news is that psychologists believe that once we’ve viewed something like this, it tends to have a lasting impact on our perception of a person, even if we subsequently find out the video is a fake.

Social media companies are understandably nervous about the potential for misinformation on a whole new scale spreading via their platforms. Earlier this week Twitter revealed its policy on deepfakes, promising to label any content that has been “significantly and deceptively altered or fabricated” and that has been shared deceptively. It said it would remove any such content also deemed capable of causing harm. The firm joins Facebook, which last month said it would ban deepfakes outright from its site, and YouTube, which has banned such content in the run up to the 2020 US Presidential election.

Firms under pressure
In this context, deepfakes represent a major threat to democratic countries like ours, especially following previous attempts by nation states to interfere in elections and referendums. But there’s another angle more relevant to businesses. Deepfake audio clips are already being used in quasi-BEC attacks, designed to impersonate CEOs and trick employees into wiring funds to hacker-controlled bank accounts.

A UK energy company lost €220,000 (£187,000) after its CEO was tricked into making a fund transfer by someone he thought to be his German boss. In reality, the ‘person’ on the other end of the phone was simply a deepfake audio clip. This is just the beginning. In our 2020 predictions report, we argue that the C-suite will increasingly find themselves targeted by this kind of hi-tech fraud, as their public profile will make it easier for cyber-criminals to record and mimic their voice.

Spotting the fakers
We’re just at the start of a very long road. In time, the technology will get better, making it harder to spot the fakes. We may even reach a point when organisations or individuals are held to ransom with fake clips of a CEO doing something outrageous, which could cause the company share price to tank.

CISOs must therefore act now to build this threat into their security strategies, by updating their employee awareness training, and tightening company policies on large fund transfers. Fortunately, the majority of CEO fraud today still occurs via email. And for these occasions Trend Micro has its own AI-powered solution, Writing Style DNA, which “blueprints” the writing style of senior executives so that it can raise the alarm when hackers try to impersonate them. We recommend its use as part of a layered approach to email security that focus on domain reputation and other elements.

Also, be reassured that cybersecurity remains an arms race. The deepfakers might appear to have the upper hand at the moment, but realistic fakes are few and far between, and we’re working all the time on ways to foil them.

Data Privacy Day: the 2020s can be the decade of privacy-by-design everywhere

By Ian Heritage

Internet trends come and go. But one concept that has steadily gathered momentum over the past decade is that of dataprotection and privacy. It’s now enshrined in EU law thanks to the GDPR, and today consumers and businesses are far more aware than they’ve ever been about their rights and responsibilities online. That’s why the coming decade offers a fantastic opportunity to embed privacy-by-design principles into every single organisation. But there’s still much to do, to raise awareness and change behaviours, especially among corporates.

That’s why Trend Micro is a proud sponsor and champion of the annual Data Privacy Day initiative, which is celebratedaround the world on 28 January.

Back to the beginning
It was on this day way back in 1981 that the Council of Europe opened for signature Convention 108, the first legally binding international treaty dealing with privacy and data protection. The first European Data Protection Day was held in January 2007 to drive greater engagement with online privacy issues, and the rest is history. 

Over the past 13 years, countless organisations have come unstuck in a very public manner. From a now-infamous HMRC blunder in 2007 to 2018’s Cambridge Analytica scandal, each incident has highlighted the potentially catastrophic impact of negligent data protection programmes. Yet these incidents have also raised public awareness and galvanised lawmakers. Thanks to the GDPR, European citizens are more in control of their personal data than they have ever been, while businesses must clear a high bar to prove they are responsible custodians of that data.  

Still work to do
But there’s still much to do. Highly sensitive personal browsing data is still shared across the adtech digital supply chain billions of times a day without any consent from consumers. Social media companies continue to harvest vast troves of customer data, IoT devices and smart assistants listen to our most intimate conversations, and the growing pervasiveness of digital technology continues to raise concerns among worried parents. 

There are also concerns for businesses. GDPR compliance is no easy thing: its vague references to “state of the art” technology and focus on broad principles rather than prescriptive controls, mean there’s no simple tick-box solution here. For many, there’ll be no 100% way of knowing whether they’re compliant until an incident occurs and the company waits for an official verdict.

There have already been over 160,000 breach notificationsacross Europe since the regulation landed nearly two years ago, leading to fines of €114m (£94m). These will certainly ramp up, as regulators across the region sharpen their knives. The ICO has already stated its intent to fine Marriott International and BA a combined £282m for serious breaches at the companies.

What happens next?
For now, this means that organisations must ensure their data protection policies are aligned with the GDPR, even in post-Brexit Britain. They must focus on best practice approaches and frameworks like those produced by NIST, Cyber Essentials and ISO. And they must look to partner with the right security experts: vendors that can offer multi-layered protection across all parts of the IT infrastructure, from endpoint to servers, networks to web and email gateways. The end goal is privacy-by-design: a commitment to embedding data protection into everything an organisation does.

At Trend Micro, we sit on both sides of the data privacy debate. Our Internet Safety for Kids and Families (ISKF) programme has offered vital resources for concerned parents for over a decade. But we also provide expert advice and support for organisations struggling to navigate a complex regulatory landscape while ensuring they do right by their customers. 

As a Data Privacy Day Champion, we’re working hard on both fronts — to ensure consumers know their rights, and have the tools and knowledge to stay safe online, and that businesses have the right controls and processes in place to meet their data protection responsibilities. As we travel through a new decade, there’s still plenty of work to do.