Infosec Cloud
Solutions. Services. Training.

Phillips Solicitors reinforces Cyber Attack Protection with Security Awareness Training and Testing

Phillips invests in end user IT Security Awareness Training and Testing, to protect both their own data and networks, and those of their clients.

Based in the heart of Basingstoke since 1986, the firm works towards achieving the best outcomes for their employees, clients and the local community. However, by holding confidential and sensitive client information, including financial details, Phillips, like all legal firms, is an attractive target for cyber criminals.

Aware of their responsibility to their clients, Phillips was one of the first law firms in Hampshire to be awarded Cyber Essentials Plus accreditation. The Cyber Essentials scheme identifies the security controls an organisation needs in place to help defend against Internet-borne threats.

A key element of the accreditation is to ensure all partners and staff understand security issues, applicable company policies and how to identify and terminate potential cyber attacks. To meet this need, Phillips initially planned to run their own security awareness training, but upon evaluating the market they chose the fully managed awareness training and testing service provided by Infosec Cloud.

Mike Worth, IT Manager, Phillips Solicitors, commented: “The Infosec Cloud service was extremely competitive, yet more importantly offered a good, helpful service and strong understanding around Security Awareness and the impact on regulated businesses.”

Impressed by the results, Phillips has just recently renewed to continue the service for a third year, confident that all partners and staff are informed, empowered and cyber security vigilant.

Training and Testing

Infosec Cloud provides an integrated programme of online training and bespoke, random test phishing emails. Vulnerable employees who fall for the emails after the initial training are provided with immediate, remedial training.

This fully managed service has been designed by experts in cyber security and training. A dedicated team manages training delivery and tracking, and uses information in the public domain to build customised, test cyber-attacks.

Cyber Security Aware

Back in 2014, Phillips Solicitors were already improving staff awareness around cyber and data security. However, the firm quickly appreciated the necessity and benefit of delivering a structured and continuously reinforced Security Awareness Programme.

The firm chose to work with Infosec Cloud as the combination of awareness training and customised cyber-attack testing guaranteed a change in employee behaviour.

Plus, being fully managed, there were no additional demands on the IT team.

“Our security awareness has significantly increased and continues to do so as a direct result of the service Infosec Cloud provides. Their methodical approach along with expertise ensures that we achieve a measurable return on investment,” added Mike Worth, IT Manager, Phillips Solicitors.

Since purchasing SATT from Infosec Cloud, Phillips has purchased other services and is looking to further strengthen the relationship. Phillips has been impressed by Infosec Cloud’s extensive cyber security expertise, industry knowledge and understanding of specific client requirements.

Infosec Cloud is an established IT Security reseller and managed services partner. The company offers a comprehensive portfolio of cloud-based, hybrid and on-premise IT security, productivity and compliance solutions, plus video-based, measurable employee security and GDPR awareness training.

    Stay Cyber-Safe this Christmas

    Here’s a few tips to help you stay ‘cyber-safe’ at home over the holidays.

    Watch out for fake websites

    It’s very easy for cyber-criminals to create a spoofed website that looks like an official retailer and then offer ‘unbelievable’ deals. Once a payment is made you may receive inferior products, and that’s if they arrive at all. Remember to always check the URL of the website and look out for domain names that end in .net or .org.

    Pay by credit card

    Credit cards provide protection if things go wrong with a purchase. If the goods don’t show up or are faulty, and cost more than £100, Section 75 of the Consumer Rights Act means you can claim the money back. For goods under £100, or payments made by debit card, you can ask your bank to recover the money through “chargeback”. Always be suspicious if a website asks you to make a bank transfer instead of paying by card.

    Make sure the site is secure

    Check for ‘https’ at the start of the website URL. The ‘s’ stands for secure. Look for a padlock on the left of the browser. If the padlock is on the page itself this is probably a spoofed website.

    Beware of phishing emails

    Phishing messages are designed to appear from trusted organisations such as your bank or HMRC, or familiar retailers like Apple, Tesco and Argos. They aim to trick you into revealing personal details. The emails usually contain links which when clicked download malicious software or take you through to a spoofed website where your personal details are requested.

    Over the Christmas holidays, be very wary of emails from retailers offering deals or cash prizes. Check the email address and don’t click on any links embedded in the message. Even an “unsubscribe” link could be malicious.

    Don’t trust WhatsApp messages offering gift cards

    WhatsApp users have reported receiving messages offering Topshop and Sainsbury’s gift cards that appear to be sent from a phone contact. The link takes you through to an official-looking site which requests personal details.

    Clicking on the link would also allow cyber-criminals to collect personal information from your device that could be used to track you. Delete messages like these even if they look like they’ve come from someone you trust, and install security software on your device.

    ‘Freebies’ on Facebook

    Free iPads, flights, shopping vouchers, Alton Towers tickets and cheap Ray-Ban sunglasses all fall into the category of “if it looks too good to be true, it probably is”.

    Cyber-criminals create attractive looking deals which they post on Facebook asking users to “like” and “share” the advert to boost it to the top of news feeds and target a wider audience. If you click through you will be asked for personal details which can be used for fraudulent purposes. The posts may appear to be from legitimate companies – check if the Facebook account is verified with a blue tick.

    Avoid shopping on public Wi-Fi

    Internet hotspots offered by coffee shops, libraries and bars may be incredibly convenient but are extremely vulnerable. A cyber-criminal can easily hack into the network and access your user details or set up their own fake hotspot. If you’re shopping or banking online use your own 3G/4G network or wait until you get home.

    Don’t fall for the “Click and Receive” scam

    Be suspicious of emails that ask you to click on a link and enter your details to rearrange a delivery. It won’t tell you what the item is but over the holiday period thousands of people are likely to have ordered something online and may be tricked into handing over personal information.

    In some cases credit card details may be asked for to “verify” the delivery. Be suspicious if the email doesn’t tell you what the ordered goods are and if in doubt, retrace your order trail and make a call to the company you’re expecting a delivery from.

    When shopping on eBay stick to the rules

    There are various ways that eBay protects users – those who don’t stay within the guidelines will struggle to get their money back if they fall victim to a scam. Always pay by PayPal – most items will be protected by eBay’s Money Back Guarantee. Scammers will try to get you to pay by bank transfer or a service such as MoneyGram. Do this and you forfeit your protection.

    Also be wary of sellers contacting you directly to offer you a better deal than the listed price. Be careful of those with little or no selling history.

    Watch out for fake customer reviews

    More than half of UK adults use online review websites such as Amazon, Tripadvisor, Expedia and Checkatrade to find the best bargains.

    But among the genuine reviews are millions of fakes. Be suspicious if too many of the reviews seem similar – it suggests they are being copied and pasted or written by the same person. It should raise a red flag if the reviews are all very new. If you are at all suspicious of the website, avoid it.

    If you think you’ve been a victim of a scam – act fast

    If you’ve been conned, call your bank immediately and ask them to try to stop the payment. The sooner you do this, the more chance you have of getting your money back. Banks will only refund customers who have been defrauded on their credit card or debit card, or where a transaction has been actioned without their authorisation. Call your bank yourself, and do not use a phone number given to you in a possible scam letter or email.

    Banks are not responsible for reimbursing customers who have been deceived into making payments.

    If action is taken swiftly and there are funds remaining in the cyber-criminal’s account, your bank may be able to claw it back if it requests an indemnity. If you feel your bank has not done enough to help you, make a complaint and take it to the Financial Ombudsman to investigate. You should also report it to Action Fraud.

    Websites for more information:

    Get Safe Online:

    The UK’s leading awareness resource helping protect people, finances, devices and businesses from fraud, abuse and other issues encountered online.

    Action Fraud:

    The UK’s national fraud and cyber-crime reporting centre. The easiest way to report fraud and cyber-crime is by using the online reporting tool.

    Stay Vigilant and Stay Safe this Christmas Holiday Time!

    Cyber Security Awareness Training & Testing (SATT) shortlisted for British Legal Awards

    Infosec Cloud is delighted to have been shortlisted for this year’s British Legal Awards. The company’s Security Awareness Training and Testing (SATT) managed service has been recognised as a finalist for the Supplier of the Year (Technology) Award.

    Organised by ‘Legal Week’, the awards will be judged by an independent panel of judges made up of senior in-house lawyers, former managing and senior partners and other senior business figures.

    Infosec Cloud’s entry focuses on the company’s Legal Sector Security Awareness Training and Testing (SATT) managed service, developed to stop IT End Users causing security incidents.

    Holding high-value information and financial details, legal practices and partnerships are particular targets for cyber criminals. In addition, firms have a high proportion of senior staff members who may be reluctant to follow corporate security procedures, and staff are under increasing time and workload pressures, making them even more vulnerable to today’s sophisticated cyber-attacks.

    To help the legal sector protect their data, clients and reputation, and following an in-depth market evaluation, Infosec Cloud developed their own fully managed Security Awareness Training and Testing (SATT) service. The service was launched in 2014.

    Today, nearly 80,000 IT End Users, across the UK, are enrolled on the Infosec Cloud SATT service. Legal customers include many of the top 200 law firms and all grade the service as ‘meets or exceeds expectations’ (quarterly satisfaction survey). The SATT service is applicable to organisations of all sizes, whether national or regional, plus the company is working with both LEXCEL assessors and Law Firm Networks.

    Commenting on the awards, Infosec Cloud Managing Director, Pete Sherwood says: “Being shortlisted for this award is great recognition for the service we have developed and the value it is providing to the Legal Sector in terms of keeping Firms and Partnerships cyber safe”.

    Security awareness training is not new; however, the way that it is delivered, tracked and kept front of mind by Infosec Cloud is new. The SATT service comprises both training and ongoing testing with focused remedial training. The company has invested in a dedicated SATT team that researches, builds and tracks the simulated cyber-attacks, with bespoke content created for each customer.

    The SATT service is fully managed so that there are no additional time requirements for the IT team. Plus as an ‘independent’ third party, Infosec Cloud ensures all staff, regardless of seniority, are included.

    The British Legal Awards serve as a showcase for the achievements of one of the country’s most successful sectors. Hosted by Legal Week in association with The City of London Law Society, the glittering awards ceremony is attended by 1,000 lawyers, representing the cream of the UK’s legal community. This year’s ceremony will take place on Thursday 30 November at Finsbury Square, London EC2.

    Deloitte hacked by stealing admin password

    It was revealed last week that Deloitte was hit by a major cyber attack that compromised its email system and certain client records.

    The attack was achieved by knowing the password of a single system administrator.

    With that simple piece of information, the hackers were able to gain access to Deloitte’s email services and, according to some reports, extract several gigabytes of data containing the content and details of clients’ email messages and attachments.

    The initial report of the Deloitte breach came from the Guardian, which revealed hackers had compromised the “confidential emails and plans of some of its blue-chip clients.” In response, the firm confirmed it had suffered a cyber-attack, but played down the significance by saying “only very few clients were impacted.”

    Well-respected security journalist Brian Krebs cites sources close to Deloitte who suggest the hack was likely more severe than that. The sources claimed the hackers accessed the entirety of the firm’s internal email database, and all administrative accounts.

    This same source said forensic investigators identified several gigabytes of data being exfiltrated to a server in the United Kingdom. The source further said the hackers had free rein in the network for ‘a long time’ and that the company still does not know exactly how much total data was taken.

    Meanwhile, Krebs’ sources say Deloitte has yet to identify the full pervasiveness of the attack.

    For a key system to rely simply on user name and password for access is a fundamental failure of security, and one that could easily have been fixed by the addition of multi-factor authentication (MFA).

    MFA provides maximum flexibility and ease of use, and can be rapidly introduced – thereby ensuring that a lost password no longer offers hackers an easy way into your organisation. Read our guide to choosing the right MFA solution to meet your specific needs.

    Implications of the Equifax Data Breach

    Credit-reporting company Equifax Inc. disclosed last Thursday that cyber criminals had gained access to some of its systems, compromising the personal data of up to 44 million British consumers.

    The information commissioner has said that it is investigating how the hack on Equifax, a US credit rating firm, affected UK customers, many of whom will be unaware their data is held by the company.

    Equifax and its UK subsidiary companies state on their websites that they represent British clients including BT, Capital One and British Gas.

    This latest data breach will lead to a spate of phishing emails with credit card related themes, which are sometimes very hard to resist because money is at stake. Training employees to correctly spot social engineering hooks is essential.

    How many of your employees would click on this email:

    [Image: Equifax Notification Email]

    Everyone needs to look out for:

    *  Phishing emails like the example above that claim to be from Equifax
    *  Phishing emails that claim there is a problem with a credit card, your credit record, or other personal financial information
    *  Calls from scammers that claim they are from your bank or building society
    *  Fraudulent charges on any credit card because your identity was stolen

    ICO Deputy Commissioner James Dipple-Johnstone said: “We are already in direct contact with Equifax to establish the facts including how many people in the UK have been affected and what kind of personal data may have been compromised. We will be advising Equifax to alert affected UK customers at the earliest opportunity.”

    A spokesman for BT said: “We are aware of the developing story and are monitoring the situation closely. Like many companies in the UK, BT uses Equifax services. We are working on establishing whether this breach has any impact on those services.”

    Infosec Cloud builds Staff Security Awareness at Poole Grammar School

    School achieves Top Marks for Staff Security Awareness Training & Testing.

    Infosec Cloud started working with Poole Grammar School (PGS) in early 2016, to train staff to spot fraudulent emails and websites, and to be alert to the full range of today’s potential cyber attacks.

    After a very successful 12 months of providing Cyber Security Awareness Training & Testing (SATT), PGS has recently renewed the service for another year. All training materials and phish tests are continually updated to reflect current-day threats, so continuing the service will ensure staff remain fully alert and vigilant.

    Having successfully completed 12 months of training and testing, PGS staff are pro-actively helping to protect the school plus its connected suppliers, partners and families.

    PGS is a selective boys’ grammar school and academy in Poole, Dorset. The school has 1200 pupils, aged 11 to 18, with an appropriately sized teaching, support and leadership team. IT Network Manager, Jeff Hay, was acutely aware of the risk of potential cyber security attacks on the school: attacks that could result in criminal access to confidential information or the launch of a costly ransomware attack.

    In fact in January 2017, Action Fraud, the UK’s fraud and cybercrime centre, reported that cyber criminals were targeting UK schools, demanding payments of up to £8,000 to unlock data they had encrypted with malware.

    With the increasing frequency and sophistication of cyber attacks, the biggest threat is actually people’s lack of information and naivety. It can take just one click to compromise an entire school’s networks and data.
    Jeff Hay, IT Network Manager, Poole Grammar School.

    However, working at one of the country’s top schools, Jeff understood that training alone is not enough. Day to day behaviour can only be changed by a combination of training and targeted testing. The very fact that staff know they will be tested makes sure they remain extra vigilant so as not to be ‘caught out’.

    That’s why PGS selected Infosec Cloud to provide their fully managed Cyber Security Awareness Training & Testing service.

    Fully Managed Service:

    Infosec Cloud provides PGS with cyber security awareness training and testing as a fully managed service. This ensures all staff, from the Head Teacher down, are included in the program. All PGS needed to do was to provide Infosec Cloud with an excel spreadsheet of staff names and email

    Integrated 12 month program:

    High quality, bite-sized video training is delivered online at the desktop, with an integrated 12 month program of bespoke test phishing emails.

    Vulnerable staff who fall for the emails after the initial training are provided with immediate, relevant remedial training.

    The training has heightened everyone’s awareness and hopefully staff will delete the threat before we have to fall back on PC security, Antivirus, or in the worst case, backups. Even better is that the staff now know how to respond if they have opened an attachment or followed a suspect link. This gives the IT Team a fighting chance of nullifying the threat!
    Jeff Hay, IT Network Manager, Poole Grammar School

    The 12 month program comprises:

    1. Initial baseline phishing email test
    2. 15 minute Video Training for all staff – delivered online
    3. 11 month program of random test phishing emails
    4. 40 minute remedial training for vulnerable staff members (those who still click after the training)
    5. Monthly reports and full program management

    Infosec Cloud also provided internal communications for school staff explaining the training and testing process, and why everyone needs to remain vigilant at all times, plus guidelines for Jeff to handle any staff concerns.

    Results and Reports

    All staff were trained within the first three months and after training the average click rate was reduced to 4%, down from the initial baseline of 55%.

    Jeff receives monthly updates detailing the staff training status and who has clicked on deceptive links, opened potentially malicious attachments and entered logon credentials to spoofed landing pages. All this information remains confidential and is only used to provide vulnerable staff members with additional training.

    2016 Research – Cyber Attacks on Law Firms Increasing

    73% of top 100 law firms targeted in 2016

    The 2016 PwC Law Firms Survey reports that an increasing number of security incidents are being experienced across the UK legal sector. The research found that 73% of the UK top 100 law firms were the target of attacks last year.

    Although larger firms are the greatest target, all law firms are targets for cyber-crime due to the confidential information held and the large volume of client funds retained. The very nature of law firms makes them an attractive target.

    Key findings:

    *  Information security is a significant area of risk to the legal industry with 73% of all law firms reporting they had suffered from a security incident.
    *  The most common incidents relate to phishing attacks (malicious emails) and infection by viruses/malicious software, with 84% and 55% of firms respectively stating they have suffered one such incident during the past 12 months.
    *  Whilst there is an increasing threat from outsiders, 41% of all law firms report that they have suffered incidents as a result of their own staff.

    Security awareness training and simulated, random cyber-attack testing are proven to actually change staff behaviour and build a human firewall of vigilant, empowered employees.

    Are employees your greatest risk?

    The Business Debate: Can the greatest asset of a business also be one of its greatest risks?

    Interview with Paul Hopkins, Technical Director, Institute of Risk Management.

    Defending Law Firms from Cyber-attack Conference 10 May: Manchester

    With the 2015 Information Security Breaches Survey estimating that 90% of corporations have experienced a cyber security breach in the last year, cybercrime is a national-scale problem that requires immediate action.

    Cybercrime costs the UK around £27 billion every year and although some government action has been taken to stem this financial haemorrhage, it remains a growing threat.

    Law firms are particularly vulnerable to this criminal activity, as they often deal with the kind of sensitive information targeted by fraudsters.

    For this reason, businesses must take measures to protect themselves, safeguarding their digital infrastructure with appropriate software and staff training.

    Attend the Defending Law Firms from Cyber-attack Conference, where high level speakers from government, Law and cyber security will be presenting their views on how to defend law firms from cyber-attack. Topics covered shall include the threat cybercrime poses to law firms, why law firms are particularly at risk and how law firms can protect themselves from attack.

    In the meantime – find out why more and more law firms are choosing the Infosec Cloud fully managed End User Security Awareness Training service.

    Our guaranteed, web-based interactive security awareness training combined with frequent simulated phishing attacks, live demonstration videos and short tests makes sure employees understand the mechanisms of spam, phishing, spear phishing, website security, pop ups, adverts, malware, ransomware, social engineering and physical security.

    This is a fully managed service which requires virtually nothing from you or your team – all you have to do once you have placed the order is provide us with a list of your users’ email addresses.

    We create all the content and simulated attacks and track the results – all of which are reported back to you. And all for less than £1/user/month.

    Risk Management Key to Cyber Security, says Bank of England CISO

    Security experts at last week’s European Information Security Summit 2016 stressed the importance of identifying and managing risks as an essential part of information security.

    Risk management is a key component of any cyber security strategy and having a strategy is important because cyber criminals have a strategy. A strategy of using all available means to achieve their aims.

    “But cyber risk is not about technology alone; it is also about people and processes, and therefore it is about leadership and management,” said Will Brandon, chief information security officer at the Bank of England.

    “It is important for business leaders to own the risk, but that means they need to understand the risk before they can manage it. Any cyber risk is a combination of threats, vulnerabilities and assets – and all three have to be present for a risk to exist,” said Brandon.

    Apart from understanding what the most likely threats are, organisations need to identify the assets or data and systems that matter most, and the vulnerabilities.

    Organisations can most effectively address vulnerabilities by focusing on their people, processes and technologies, identifying weaknesses and mitigating those as much as possible.

    Brandon added: “Every organisation needs a range of mitigations and controls aimed at reducing the risk of the most likely threats.”

    This requires organisations to set up and maintain a Risk Register to score and prioritise risks, and establish a risk governance process that includes the risk owners – who are responsible for business-critical data and systems – as well as representatives of IT security, information security, procurement, human resources (HR) and legal.
