UK Government and ICO Cryptojacked
When it Comes to Information Security, Pobody’s Nerfect
When we think about security and vulnerability, it’s tempting to sometimes believe there is a ‘fix’ to security issues; that with enough energy and funding it is possible to banish even the possibility of an information security ‘incident’. Though there is certainly something to be said for proper funding, and indeed an energetic determination, we need only look around us to see how imperfect any effort will inevitably be.
A perfect example of this occurred early last year when it was discovered that thousands of websites had been hijacked by a nasty bit of crypto-mining code, in what is known as a ‘cryptojacking’ attack. Among them were several UK government websites, including that of the Information Commissioner’s Office (ICO).
Hidden Cryptojacking Script
For the uninitiated, ‘cryptojacking’ in this case involved the insertion of script into a website via a plugin designed to help blind or partially sighted users. Once activated, the script essentially hijacks the user’s CPU power to ‘mine’ (perform complex mathematical computations) anonymous cryptocurrency.
This opportunistic piece of malware is thought to have affected over 5,000 websites; the Student Loans Company, NHS services, councils and more, all had their websites infected and used to execute perhaps the biggest attack of this kind ever seen.
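The incident described above turned on a third-party script being altered after a site had already embedded it. The standard defence against that is Subresource Integrity (SRI): the site operator pins the hash of the script in the `<script>` tag, and the browser refuses to execute a fetched copy whose hash differs. The example below is added here and is not from the original post; the plugin script contents and the URL are constructed placeholders, and it reproduces the browser's comparison in Python so the effect of a one-line modification can be seen directly.

```python
import base64
import hashlib

# Constructed sample: the accessibility plugin as originally published.
# (Placeholder content, not the real plugin's code.)
ORIGINAL_SCRIPT = b"(function(){ window.readAloud = function(el){ /* text-to-speech */ }; })();\n"

# Constructed sample: the same file after an extra call was appended by
# someone controlling the plugin's hosting. Any change breaks the pin.
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"loadExtraModule('unknown-origin');\n"

# Browsers only accept these digest algorithms in an integrity attribute.
SRI_ALGORITHMS = {"sha256", "sha384", "sha512"}


def sri_hash(script: bytes, algo: str = "sha384") -> str:
    """Return the SRI value ('<algo>-<base64 digest>') for a script body."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"{algo} is not a valid SRI algorithm")
    digest = hashlib.new(algo, script).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, integrity: str) -> str:
    """Build the tag a site operator publishes; 'crossorigin' is required
    for SRI on cross-origin scripts so the browser can read the body."""
    return f'<script src="{src}" integrity="{integrity}" crossorigin="anonymous"></script>'


def verify_sri(script: bytes, integrity: str) -> bool:
    """Mimic the browser: recompute the hash of the fetched body and compare
    it with the pinned value. Unknown algorithms fail closed."""
    algo, _, _ = integrity.partition("-")
    if algo not in SRI_ALGORITHMS:
        return False
    return sri_hash(script, algo) == integrity


if __name__ == "__main__":
    pinned = sri_hash(ORIGINAL_SCRIPT)
    print(script_tag("https://plugin.example/reader.js", pinned))  # placeholder URL
    print("original passes:", verify_sri(ORIGINAL_SCRIPT, pinned))  # True
    print("tampered passes:", verify_sri(TAMPERED_SCRIPT, pinned))  # False
```

The pin must be recomputed whenever the vendor legitimately ships a new version, which is the trade-off: a site that embeds a third-party script without a pin gets silent updates and silent tampering alike.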
Of all the potential targets of this fiendish plan, the ICO website is not the obvious choice, nor is it the kind of organisation that you would imagine to be susceptible to any sort of digital shenanigans. And though this particular exploit has been patched, just like every company, organisation or website – the UK’s data protection watchdog has weaknesses that can be discovered and exploited.
Though not exactly the ‘fault’ of the ICO, this incident of malicious cryptojacking is an opportunity to consider the role that humility plays when it comes to information security and how we choose to defend ourselves from the persistent threat of digital criminality and exploitation.
Having engaged with information security does not mean that an organisation is beyond the possibility of a security incident, though it is one of the best steps that can be taken to help mitigate the risk that faces us all.
An integrated view of cybersecurity is one that doesn’t merely view this threat as an issue of compliance, or even an occasional training session, but as an ongoing effort to continuously empower employees to propagate an information secure culture themselves.
No Longer Profitable
It’s clear that in 2019, a lax attitude towards information and data security is neither reasonable nor sustainable. A company that neglects this integral element of security strategy will likely find itself in hot water, not only from a GDPR perspective, but also with regard to its internal confidential information.
“Your organisation relies upon its intellectual property, reputation and finances to remain competitive”
Simon Fraser, Managing Director, Hut Six
With an estimated 77% of all UK employees not having received any form of information security training from their employer, a shocking proportion of UK organisations are taking a big risk in failing to minimise careless or negligent behaviour.
Given the prevalence and effectiveness of phishing attacks, as well as their increased potential impact, the avoidance of phishing emails, at the very least, should be considered a basic requirement by all UK organisations. With around 32% of all breaches still involving phishing, this kind of information security awareness training must be considered foundational for an organisation wishing to instil a secure culture mindset.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.