Welcome to another episode of Pentest People Tech Bites. Hacking is becoming more sophisticated over time. And as from recent headlines, scammers aren’t just targeting individuals, but large corporations too. Today, we will be covering the critical steps to stay safe online. Whether you’re in the office or browsing the internet from your phone, knowing what you can do to protect yourself against modern digital threats is key. But knowing where to start can be difficult. I’d like to welcome our consultants, Jasmine and Josh on today’s pentest people podcast, they will both be discussing the crucial steps stay safe online. Jasmine, shall we start with you? First thing so why do you think it is important now than it has ever been to stay safe online?

Hi there. So thanks for inviting me on the talk show. But in my opinion, while increasing technological advances are being made every single day, threat actors are also becoming crafty at what they do. And when cybercrime is on the rise every year and in particular phishing and ransomware. Compare this with the growth of mobile phones used throughout society, which is now the predominant platform for emails messaging and data storage. And you can see that protecting ourselves online has become a real threat. Losing personal data over the Internet poses a real risk in that malicious actors can exploit and abuse personal data, selling it to other parties for illicit purposes to commit identity fraud, extortion, bribery and steal money. Recently, some surveys were carried out which I found the results of quite shocking. Were five out of 10 UK smartphone users don’t regularly update their software and they don’t have any security measures installed.

Now, Josh, can you tell us how Hacking has evolved, say in the last five to 10 years?
Hi there. As Jasmine said during her answer there, we are living in a more interconnected society. Now in the last five to 10 years, we’ve seen an increase in an influx of devices being used by people out on a boat on within their home, on their personal networks. Know all of this has made our lives easier, and much more quicker, and life has become an easier and easier way of getting things done. However, this has also had the effect of making people an easier target due to the reliance of these devices. And so scams, for example, have become much more of a common theme within within our society.
Jasmine. Could you explain to us what the biggest cyber threats and scam is in today’s world?
I would say at the moment, there’s got to be phishing and ransomware phishing attacks accounted for around 60% of organisation breaches and they account for over 12 billion in losses every year, which is quite shocking really. Phishing attacks are also one of the main entry points for an organisation and it’s estimated that every day 3.4 billion phishing emails are sent. Phishing consists of malicious emails that are made to look legit, for example, an email from your director or organisation and they tend to prompt you to click a link download an attachment or provide personal information. Following on from this, I would say that malware and ransomware attacks are up there with it being the most concerning and there is equally as large a threat as phishing. Ransomware damages costs 20 billion in 2021, which was a 57 fold increase from the figure in 2058. So that shows it’s really taking off, and it’s predicted to cost over 260 billion by 2031. Quite a scary figure ransomware cripples computers, entire networks, putting businesses at a halt and then causing serious cost to the organisation. Also the top five industry industries that are targeted for ransomware education, government, healthcare, infrastructure and finance. You can really see the kind of things that they’re going for and the impact that that would have on education and healthcare.

So talking about malware, Josh, could you tell us a bit more about malware attacks.
So Jasmine mentioned that businesses and sectors often come under the threat of malware. However, as we’ve seen, within the past year, there is malware and ransomware strains which target individuals as well. So it is important to be wary of this as well, and instal it antivirus definitions within personal computers and are blockers when you’re browsing the internet to help detect and stop any of these viruses infecting personal devices?

I do think passwords as well are a big problem in today’s world as people with easy passwords and more likely to be hacked. Jasmine, how often do you think we should be changing our passwords?
I would say quite regularly, but then at the same time, we need to be careful with that kind of advice. Because some people would maybe create a password and then reuse that in different places. But then if you’re asking people to change their password on a regular basis, then all of a sudden those passwords are going to get easier and easier for that person to remember. So in my opinion, I would more lean towards recommending a password manager so that then you can kind of push people towards having a 15 character length password with alphanumeric characters and special characters. And ambiguous. So that doesn’t, you know, it’s not a word that makes sense to somebody on all of a sudden I get a creating quite a difficult password, then you would never remember it. But I suppose that’s the point behind it. So rather than that enforcing very regular password changes, I would say, you’d rather be looking at a password manager and putting in a really, really difficult password.

There is also evidence suggesting if you force people to change their passwords every three months, for example, like many companies do, then people will just add a number one to the end, or change that number one to a two, which doesn’t make anyone else any more secure. Josh, I’d like to mention when you get notifications on your phones or computers, is it important to update your systems straightaway?
Yes, so it is important to update your computer systems this will help mitigate vulnerabilities such as zero days, which are defined as new vulnerabilities which are just recently came out within the past 24 hours often. And these are often a priority for companies when they patch their systems. As these are the point of these updates, a lot of people see an update on their computer systems as a task. However, they need to appreciate that there is a reason for this being done. It’s also important to note, however, that this is not the only way in which and users should be keeping their systems secure. Whilst updates will close off a number of vulnerabilities through the patch and life cycle. Antivirus is also another way in which we can make sure that our computer systems are becoming safe and secure.

I agree with you that Josh & Jasmine, what do you have to say about updating your system straightaway? Because I know right now, I have a notification on my phone telling me to update. So I best get onto that straightaway.
Yeah, I would definitely suggest keeping all systems up to date and patched all the time, whether it be your phone or your computer, or just any devices that you’ve got. And then again, I suppose we spoke about the password management. But I suppose mobile phones like we spoke on earlier, everyone has a mobile phone and it’s your predominant thing to use. Whether it’s chatting to your friends, sending emails, saving photos, like nowadays, a personal computer at home might not be as disastrous if that was attacked. Whereas if your phone was attacked for a lot of people, I’m sure we could all agree it would be quite a catastrophe. So yeah, definitely keeping mobile phones up to date all the time. And even using a strong password on your phone as well as your biometrics like most phones, have facial recognition or fingerprint recognition. And then something we haven’t touched on, I would also mention that your phone, you should set it to wipe after so many incorrect passwords. So then if you ever do lose your phone, you’re not at risk of someone forcing the way through by brute forcing your password.
Definitely. And the last point I’d like to mention is clicking links. So for example, when you’re at work and you get a link sent to you on email, there is a lot of pressure of what you can click on and what you can’t click on. Is there anything staff can look out for?

Yeah, absolutely. So usually the layout of an email, a phishing email, they’ll try to make it look as genuine as they can. But there are things to spot where the emails come from, that’s always a big one. Look at what is the sender’s address. And then also even if you do think it could be genuine, it’s just always best practice to say if you know it’s a banking email, and they want you to visit something on their site, then you just take yourself to that site and navigate yourself there rather than following any links would always be one of my top recommendations. And then yeah, deleting and drinking any meals, any emails that you are suspicious of, but absolutely don’t ever download attachment, or click on suspicious links and just always make your own way to the website.

That’s great. Thank you both so much for talking about the crucial steps of Safety Online. Hopefully we have broken down this a little more and made sense on how you can defend yourselves online from cyber threats. Follow pentest people Spotify page to keep up to date with our Tech Bites. Join us next week where we will be talking to two other consultants about another cyber topic. Thank you.