CYBERMANIACS CYBER SECURITY AWARENESS: Serious Security Awareness through Laughter. Sat, 04 Jan 2020 17:56:19 +0000

Ransomware 3: Protecting Yourself From Ransomware (Thu, 05 Dec 2019 18:01:15 +0000)

5 Steps to Prevent Ransomware Attacks

When should you start worrying about ransomware? Well, we recommend before that moment when the ransom demand pops up on your computer. Ransomware attacks can be expensive, time consuming, and frustrating, and we have found that stress eating during a cyber attack can really pack on the pounds. The good news is that malware is preventable if you do the right things and take the time needed to implement them (for you and your organization!).


These five relatively easy steps can help dramatically decrease your vulnerability to attack.


1. Educate Employees About Ransomware

As most ransomware infections begin with a phishing email or a visit to a sketchy website, making sure the humans who use the computers in your office have the skills and awareness of risk around malware is a critical first step. Most people want to do the right thing, so showing them how, reminding them of threats in a positive and encouraging way, and finding creative ways to share information and news about ransomware can go a long way. A structured training program can help you organise learning and measure progress.

Only 25% of small businesses today train employees on cyber awareness.

61% reported being attacked by ransomware in 2018.

We clearly have a long way to go in this area. (Also, we recommend puppets, but that’s for later.)

2. Deploy Cyber Defenses

Cyber security is a hotbed of research and development. There is more technology out there than any company could possibly afford, need, or use (shhhhh, don’t tell the vendors we told you that; they will get mad at us!!). In many cases, these miracle solutions don’t actually solve all of your problems (dang it, we did it again!).

There are basic cyber security defenses which are critical to maintaining a secure company. 

For instance, if you don’t have a firewall protecting the company network and antivirus running on every computer, you’re not merely ‘leaving the door open’… You’re hanging out a sign saying “Easy Target Here!” as cybercriminals scan the web looking for low-hanging fruit. Get the bare basics in place, research the particular solutions that you need for your unique use case (email scanning, web application firewalls, etc.), and you’ll be much less vulnerable to ransomware.

3. Keep Systems Up-to-Date

Outdated systems are a hacker’s best friend. Many of the biggest cyber incidents in history have started with some company failing to patch the latest vulnerability. Remember WannaCry? The patch for the vulnerability that it exploited was available in March 2017. The WannaCry outbreak happened in May… Oops.

Updates don’t just apply to your computer programs.  Your antivirus is useless if you’re not keeping it up-to-date and running it frequently.  The data that your AV downloads in updates is what it needs to identify the latest malware found in the wild. 

The threats are moving faster than ever. If your AV “definitions” are even a week out of date, that’s a lot of time for organised crime and weaponised malware to get at your systems.


4. Use an Automated Backup System

Ransomware totally counts on the fact that, once you’re infected, your only choice is to pay the ransom. In many cases this may be correct, if the value of the lost data exceeds the hackers’ asking price.

An automated backup system with offline storage is such a powerful tool for protecting against ransomware. 

With regular backups, you may only lose an hour’s worth of data, which is probably a lot less than the hacker’s asking price. Magic. 


5. Restrict Privileges on Computers

The principle of least privilege is a common one in cyber security.  This means that users or programs shouldn’t have any more privilege on a computer than what is necessary to do their jobs.  In plain English: you shouldn’t be using an account with administrator privileges right now. 

Ransomware often needs elevated privileges (Administrator/root) to do its job on your computer.

If you’re browsing the web on an account with these privileges, you’re just making life easier for the hackers.  Create a user account with only the privileges that you need to do your job (browsing Facebook and writing Word documents don’t take many permissions) and use that unless a particular task requires Administrator level access.


Fighting Against Ransomware

Practicing good cyber hygiene can make all the difference. 

Knowing your cyber do’s and don’ts and taking a few easy steps can mean the difference between a costly ransomware attack and a cyber non-event. If you need some more help on what to do next, or recommendations on partners we use that can help small and midsize underdogs everywhere get some simple, easy-to-understand advice, give us a shout. And if you would like to see how our puppets can help you keep your staff engaged enough not to click on spammy links, we’re all ears.

Further Reading

Ransomware 1

How Ransomware Gets In! 

Ransomware 2

Anatomy of a Ransomware Attack!

SME Cybersecurity

Why Small Businesses Should Pay Attention to Cyber Security Now, More Than Ever. 

Ransomware 2: Anatomy of a Ransomware Attack (Thu, 05 Dec 2019 18:01:06 +0000)

Anatomy of a Ransomware Attack

It begins with a screen. Perhaps plain, maybe embellished with a skull and crossbones. It appears before you in a flash. “Whoa,” you say, “hang on, this isn’t right.” The first line reads “You have been infected with ransomware. To get your data back you must follow these steps”. And then the payment info, and the tears, the frustration, the fear. Once you’ve seen the screen, chances are the ransomware has already been on the system for a while and has done the damage it was designed to do.

We’d like to hope you never see this happen for real on any of your devices, but this is how a ransomware attack usually goes:

The Initial Compromise

The first stage in a ransomware attack is where the virus actually gets onto your system. (See our first article in the series here where we cover this in more detail). 

However, if you didn’t bother reading that, here’s the CliffsNotes version: the initial compromise stage usually comes down to phishing emails or malicious websites. You click on something that you shouldn’t, and, BAM, RANSOMWARE!


Consolidating Access

After the ransomware gets onto your system, it typically takes some time to make sure that it has the permissions and abilities necessary to do its thing. In order to really mess up a computer, it’s usually necessary to have Administrator-level access (on Windows) or root access (on Linux systems); this means getting deeper into the operating system and into the files and configurations that control the whole device. If the user whose account was originally compromised doesn’t have that level of power, the malware might try to get access to it.

File Encryption

This is the stage where the ransomware really has fun and feels at home. The whole point of it is to deny access to a computer or its files by encrypting every one of them, which means that unless you have the specific encryption key, you won’t be able to read the files after encryption. And since backup habits are somewhat lacking for most of the general population, this means you can’t access anything you were just working on: financial records, pitch proposals, research projects, or even 10 years of pictures of your kids. And then you are desperate to pay the ransom.

Some ransomware variants are especially cruel and take additional steps to ensure you will never get your files back. All ransomware variants delete the original files, but some will try to make sure that they’re really gone (since deleted files can often be recovered if you act fast).


Command and Control

What’s funny (not funny ha ha, but funny/interesting/strange) is that the whole business model for ransomware is based on trust between the cybercriminal and the target (that’s you). You are somewhat “incentivized” to pay the ransom because you have a shred of hope and believe that the hacker will most likely give you the encryption key in return. TBH, most of the time you’d be right. (But you will notice that doesn’t say all the time.) It’s a gamble.

For this exchange to be possible, the hacker needs to know the particular encryption key used to encrypt your family photos.  This is typically accomplished by the malware sending the key to the hacker in Command and Control (C2) communications.

What’s worse is that the malware, if it’s the extra-bad kind, can do things beyond locking up your files, such as stealing all your passwords, and then send all your data back to the cybercriminal using that C2 channel. C2 can occur throughout the process, but ransomware often waits until the end. Many cybersecurity solutions operate on the network, and if you notice a computer being oddly chatty, you may investigate and shut down the malware before it has encrypted all of your files. Staying quiet until it’s too late is a better bet for the malware.


Ransom Demand

If you’ve been hit by ransomware before, this stage needs no explanation.  There’s the horrified shock while reading the message, followed by manic clicking to verify that your files are in fact lost, and finally acceptance and the hard decision between losing the data or paying the ransom.

If you decide to pay, then you’ll probably, maybe, might just get the encryption key in return.  The key can be used to decrypt your data, leaving you sadder, poorer, and wiser about ransomware. But it doesn’t always work, and your passwords might be gone too.

Stopping the Cycle

The longer that you wait before detecting and responding to a ransomware attack, the worse it’s going to be.  Most stages execute pretty quickly, so the best way to protect yourself is to ensure that the initial infection never happens.  With good cybersecurity hygiene and behaviors, the chances of clicking on a bad link or opening up a malware laden attachment are greatly reduced. Nothing is foolproof in this world (which is why coffee mugs are labelled with warnings of hot beverages inside), but building awareness and care into your security culture helps drive the habits that can keep most ransomware at bay.

Next In The Series

Ransomware 3: 5 Things You Can Do to Protect Yourself from Ransomware


Ransomware 1: How Ransomware Gets In

Ransomware 1: How Ransomware Gets In (Thu, 05 Dec 2019 09:53:18 +0000)

Ransomware Attack Vectors

Just like an ex breaking your heart, before ransomware can lock up your computer, it needs to get inside.  While ransomware attacks seem to appear out of nowhere, they really aren’t that exciting, using the same old techniques as traditional malware to infect your network.  

Just how do they do it? Phishing emails and compromised networks are the two main culprits that spread ransomware.


Phishing Emails

Everyone has heard of phishing emails, to the point where we aren’t even listening anymore. We know, it’s brutal. But they are in the news, and we talk about them ad nauseam, because cybercriminals use them to trick you into giving away your bank password (or into letting hackers watch Netflix on your account!). They are also a common means of sneaking malware onto your computer.

Phishing emails are designed to be tricky in a number of ways, because they need you (the recipient) to do something in order to release their evil payload. The top two tricks are attachments and malicious links.



Email attachments come in all shapes and sizes. Most of us have emailed at least one (or a zillion) MS Office documents, PDFs, or a few family photos to a friend or colleague (or ourselves).

Why do phishers love to use email attachments? Human nature. We are so curious that our instinct is to always open the attachment (especially if it says something juicy like ‘ticket refund’ or ‘package delivery’ or ‘test results’). Most people “know” not to open and run an executable (or .exe for short), but we’re so used to seeing docs and xls and jpg files that we often don’t bat an eyelash at opening them. Hackers have discovered a number of ways to abuse features of these types of files to run malicious code, allowing them to download and run ransomware on your computer. It says PDF on the icon… but lurking underneath is malware, like gum on a shoe.

Malicious Links

Just like witches in the Wizard of Oz, there are good links and bad links. Good links help us zip around and get to a specific page or location on the web faster (Thanks, Glinda!). But hackers make use of links as well, and can route you somewhere not so pleasant. Think flying evil monkeys. So they figure, if they can make a fake link look legit, you will think “Glinda” and click, but then it really goes to a malicious phishing fake-out website. And, as we’ll see in a second, malicious websites are a great way to deliver ransomware.

Compromised Websites

The Internet is a wonderful place with a wide variety of different websites, but it does remind us of cloud cuckoo land as well. We’d love it to be all rainbows and unicorns, but standing up a website and registering a domain is easy and cheap, so cybercriminals have used a host of means to create, well, a lot of grey space between good sites and bad sites. Even a legitimate webpage that’s been compromised can give you a nasty ransomware infection just by stopping by to browse for tchotchkes.

Phishing Sites

The worst of the lot are full on phishing websites. These sites are set up by hackers in the hope of compromising innocent bystanders who happen to surf on by when on the web. They are often cleverly designed, and look high end like a legitimate website. Why set up a phishing site? Well, they can be used for a variety of purposes.

And one of these purposes, unfortunately, is delivering ransomware. Black Hat baddie hackers take advantage of a variety of different means to deliver ransomware from a malicious website, and many don’t require you to do a thing. A website may run a malicious script that drops malware on your machine, or exploit a vulnerability in your browser to run some malicious code. Regardless of the method used, ransomware on your machine can cause a very bad day.



And just when you thought, “Stop OK, I get it, I’ve had enough.” There is one more. 

Web threats aren’t limited to the websites themselves. Hey, are you sick of ads on websites? Us too! (And they are getting creepier and creepier; we have some theories on this (like, is my smartphone listening to me? Hmmm, might be another blog post, stay tuned…).) Ads can in fact be a threat on the web.

Malvertising is malicious advertising.  The same ability to run executable code in your browser that hackers use to infect your machine with malware is used by legitimate advertisements for animations.  As a result, hackers who manage to slip malware into advertisements can get them accepted and happily distributed by legitimate advertising networks to legitimate websites.

Stopping Ransomware at the Door

Like most malware attacks, ransomware exploits user behavior to get its foot in the door.  Knowing what to watch out for in a phishing email or a suspicious website is half the battle when dealing with ransomware. 

And now for the shameless plug: creating cyber secure humans is a critical first step, as email filters and network security can only solve part of the ransomware problem. Build up your human firewall through continual, positive employee learning. Remind your staff with these tips to stay safe on email, safe online, and just please, don’t click on ads. Ever.


Continue Reading....

Ransomware 2: Anatomy of a Ransomware Attack

How to stay safe on Black Friday and Cyber Monday (Mon, 18 Nov 2019 09:24:00 +0000)

Stay Safe on Black Friday and Cyber Monday

Black Friday, the day after Thanksgiving, is when retailers take advantage of still woozy and stuffed people with ridiculously low prices and unbelievable sales (for a limited time only!). What a way to kick off that festive (read: panicked) season.

Did you know that Black Hat hackers love the holiday season too? And for a lot of the same reasons that retailers love it.

So while you are digesting, recovering, and shopping online on Black Friday and Cyber Monday, all of us here at the Cybermaniacs urge you to stay safe, slow down on the clicking, and follow these tips.

Be Especially Wary of Ads on Black Friday and Cyber Monday

Everyone knows that an ad offering some absurd deal is probably a scam, or at least clickbait full of cookies, on the other 363 days of the year (364 in leap years). On Black Friday and Cyber Monday, the claim of a great one-time-only deal may actually be true, but even thermal socks at 75% off don’t mean that you should click on it. (We love fuzzy socks!)

An ad on a website works by running code on your computer. In an ideal world, this code would be safe and helpful. However, hackers take advantage of online ads to run malicious code or trick you into doing things that can hurt your computer.

If you want to take advantage of a deal offered by an ad, go to the company’s site directly and claim it there rather than clicking on the ad and getting something that you didn’t actually want (like, you know, malware).

Don’t Get Clicky on Black Friday and Cyber Monday

On and before Black Friday and Cyber Monday, companies send out tons of emails letting you know about all of the best sales, door-busters, and killer deals and incredible giveaways to ensure that you come to their store or website when the day comes.

These emails will be littered with pictures and links trying to get you to visit their site in advance to see the deals and maybe buy a couple of things pre-sale.

Hackers know that the holiday season is a great time for a phishing attack. People trying to find that “last gift” or get in on that “limited time offer” will often click on a link without thinking twice.

Putting in a few minutes to set up a real-looking website and crafting a plausible phishing email means that they definitely get the better end of the deal when the passwords and billing information start rolling in.

Double-Check Those URLs on Black Friday and Cyber Monday

Black Friday and Cyber Monday are all about moving quickly. In our Social Engineering courses, we talk about how one of the ways that hackers influence people is by making them think that they’re getting a “limited time offer” or something “with only X in stock”. Sound familiar? Yep, marketers are expert social engineers…

The rush to get in on Black Friday and Cyber Monday deals means that you feel pressure to move quickly. Before entering any sensitive information, be sure to double-check the address bar on the site.

You want to make sure that the address looks right (correct business, correct spelling, etc.) and that you see the lock icon and https:// at the beginning of the address. If not, don’t enter any information.

If you do, there is a good chance you’ll never get what you ordered. And when the hackers start ringing up charges on your credit card, well, it will cost ya a lot more than you thought.
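As an added example (not from the original post), here is a small Python check that applies the advice above to a shopping address: it flags a missing https://, a host that only looks like the expected retailer, an expected name buried inside a longer host, and the ‘name@host’ trick. The retailer domains are constructed placeholders, not real shops.

```python
from urllib.parse import urlsplit

# Constructed placeholder domains standing in for the retailers a shopper
# expects to visit; not a list from the original post.
EXPECTED_DOMAINS = ("example-shop.com", "example-store.co.uk")

# Digit-for-letter swaps commonly seen in look-alike (typosquatted) names.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize(name: str) -> str:
    """Fold look-alike characters and hyphens so near-misses compare equal."""
    return name.translate(LOOKALIKES).replace("-", "")


def is_under(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_shopping_url(url: str, expected=EXPECTED_DOMAINS) -> list:
    """Return human-readable warnings for a URL; an empty list means it passed.

    The checks mirror the advice in the post: the address must use https://,
    must name the right business, and must be spelled correctly.
    """
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")

    if parts.scheme != "https":
        warnings.append("not https:// (scheme is '%s')" % (parts.scheme or "missing"))
    if parts.username is not None:
        # https://example-shop.com@evil.test shows the shop name but goes to evil.test
        warnings.append("address contains 'name@host' text that hides the real host")
    if not host:
        warnings.append("no host name in the address")
        return warnings
    if host.replace(".", "").isdigit():
        warnings.append("host is a bare IP address, not a business name")
        return warnings

    if any(is_under(host, d) for d in expected):
        return warnings  # right business; only scheme/userinfo warnings remain

    for d in expected:
        if d in host:
            # e.g. example-shop.com.evil.test: the real site is the last part
            warnings.append("'%s' appears in the address but the real site is %s" % (d, host))
            return warnings

    if any(is_under(normalize(host), normalize(d)) for d in expected):
        warnings.append("'%s' looks like a known shop but is spelled differently" % host)
        return warnings

    warnings.append("'%s' is not a shop on your list" % host)
    return warnings
```

A padlock or https:// only means the connection is encrypted; a phishing site can have both, so the name checks are the part that catches impostors.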

Only Shop Online from Home on Black Friday and Cyber Monday

While out and about on Black Friday, you may decide that you need a break from the crowds and drop into a local coffee shop or restaurant. If you’re taking a break, actually take a break. Strike up a conversation with the person sitting next to you. Compliment the barista on her reindeer antler headband.

But remember that online shopping from public WiFi can be a major mistake.

When you connect to a WiFi network, your traffic to and from the router is encrypted, but everyone uses the same password. Anyone with the password can intercept your traffic and, if the site you’re on isn’t using HTTPS, may be able to read and/or modify it.

If you’re entering personal information while out and about, anyone can read your password, billing information, etc. over your shoulder. When doing online shopping, do it on a trusted WiFi network somewhere private, not at the local cafe.

Safely Using Social Media on Black Friday and Cyber Monday

It seems like everyone is constantly on social media and this includes businesses. In the days leading up to Black Friday, retailers take to social media channels to promote their big sales. It’s important to play it safe while checking out advertisements on social media.

One of the main threats of social media is the fact that there is little or no verification associated with setting up an account. Hackers take advantage of this by creating accounts that look like legitimate businesses and using them in a variety of scams and attacks. To make things worse, shortened links, which conceal their target address, are common on social media due to message length limits.

While on social media, never click on a link. Visit the retailer’s website directly and find the sale that way.

Staying Safe on Black Friday and Cyber Monday

Black Friday and Cyber Monday are great opportunities to get deals on things that may be unaffordable the rest of the year. However, both retailers and hackers take advantage of the excitement and urgency of shoppers. While shopping online, take the extra second to ensure that you and your family are cyber safe.

If you’ve got parents, aunts, uncles, cousins, friends, or co-workers you know are excited about all the hot deals coming their way next week, send them a copy of this blog. We love a bargain, but giving away your personal information to a hacker is not part of that “great deal”. Stay safe & Happy Hunting!

If your company needs help with cyber awareness why not request a free Cybermaniacs demo.

9 Ideas for Cyber Security Awareness Month (Wed, 14 Aug 2019 08:21:00 +0000)

9 Ideas for Small and Medium Sized Business to use during Cyber Security Awareness Month

If you own, run, or work at a small to medium sized business, then with the threat landscape in 2019 you should be thinking about the company’s cyber security strategy. Just because you’re not a giant multinational behemoth doesn’t mean hackers aren’t interested in your information assets, bank account info, or customer credit card data.

If you have a strategy, or haven’t gotten that far yet, think about making a plan for Cyber Security Awareness Month to get everyone on the same page.

  • In its 2018 Data Breach Investigations Report, Verizon found that 58% of all cyberattacks target small businesses.
  • According to the U.S. National Cyber Security Alliance, 60% of small companies are unable to sustain their business more than six months following a cyberattack.
  • According to the Ponemon Institute, the average cost for small businesses to clean up after being hacked is about $690,000 and, for middle market companies, it is over $1 million.

National Cyber Security Awareness Month takes place every year in October (and is coordinated across the UK, EU, and USA). If you’re not yet training your employees around cyber skills, good digital habits, and how to stay safe online, October is a great time to start your program.

Use our quick and easy ideas below to put a plan in place to build cyber awareness at your company.

[Image: Cyber Security Awareness Month. Caption: These guys are not cyber aware!]

Make a Plan for Cyber Security Awareness Month

Use the Themes of National Cyber Security Awareness Month to Focus your Communications.


Own IT. Secure IT. Protect IT

Find out more.

Or, Pick Your Own Cyber Security Awareness Month Themes.

Here are a few to consider…

Social Engineering
Malware and Ransomware
Data Privacy
Information Protection
Staying Safe Online
Safe Email
Mobile Device Safety
Working in Public
Securing your Home

9 Ways to Make your Cyber Security Awareness Month a Success!

1. Thread in Continual Learning
October is a great time to get started with a Cyber Awareness Program; however, with the amount of cyber threat, digital transformation of business, and technology change in our working environments today, it might not be enough to train your teams on all the behaviours that need to change. Continual learning practices show that streams of reinforcement, encouragement, coaching, nudges, and other techniques are the things that actually move the needle on skills development, knowledge building, and cultural change. Which is what we’re all about. Where could you add in a nudge?

2. Make it an Event
Host weekly meetings or lunch & learn sessions. Bring in a speaker or watch a webinar as a team. There will be many free learning opportunities this month; if you put the calendar invite out now, you’ll stand a better chance of blocking out time for learning and discussion on your colleagues’ calendars!


3. Reinforce with Visual Information
Can you print out a few posters or find some online to purchase at a reasonable cost? Changing the decor can get some additional attention and reinforce key learning points around recognising phishing attacks or staying safe on social media. Think about hanging them in key traffic areas, or use more stealthy approaches and hang them where people might least expect to see them!

4. Play a Game
Phish yourself (with the help of someone from IT!) and award prizes for those who recognise the phishing attempt and ‘do the right thing’ (whatever the policy is at your company). Put together short quizzes or surveys with free online survey tools- award badges and prizes, and publicise widely.

Our entertaining and educational content has something for business and budget: posters, videos, training modules, infographics, memes, and more. It’s different, attention getting, and builds awareness.

5. Social Engineer Yourself
Drop a few USB sticks (make sure they are new and clean to use!) in the parking lot with different labels (our favorites all have HR themes like ‘bonus scheme 2018’), and put a file on each with learning points around social engineering tactics and the correct use of portable file devices.


6. Make it Personal
Tie in the reasons that people should change digital habits for themselves, not only the company. Protecting ourselves online includes topics such as identity theft, phishing scams, social engineering as well. Helping your staff keep themselves and their own families safe is a great benefit to employees, and helps them tune into your program.

7. Use Videos
Videos are the way everyone wants to learn these days. Not that reading is gone, but to convey lots of information in the shortest time possible, videos are the way to go. There are free training videos to be found on the usual video platforms (of varying quality and effectiveness, true), but if you’re really in a pinch, they can at least help you start the conversation at your company about the importance of cybersecurity in today’s business environment. Follow the themes above and send out links to your team. If you’re looking for some ideas, check out our pages here: cyber awareness month SME page.

8. Make it Fun
Try to make messages around cyber awareness month positive and motivational (rather than scary, dour, and guilt-inducing). People will tune out very quickly from uninteresting, dull, or fear-driven content, so keep it snappy if you want to gain your employees’ attention. We prefer a bit of humor (if you couldn’t tell!) to get the messages across, but you can use whatever approach you think fits best for your organisation.

9. Report on Progress
Sending out a report on all the activities you did during your October Cyber Awareness Program, showing all the progress made, can reinforce learning and the value of the activity.

For more information on how you can get cyber awareness training that is continual, bite-sized, funny and effective for your SME for less than the cost of a coffee per employee, click here.

Follow our twitter feed for tips, tricks, reminders, and shareable content.

And finally, a word from our leader…

Cyber Security podcasts (Fri, 17 May 2019 10:23:09 +0000)

Check out some of the top cybersecurity podcasts we have been guests on.

Who doesn’t love a podcast? We certainly do. From crime to business, we devour podcasts like the Cookie Monster devours his favorite biscuit.

One day while tuned into Gary Vaynerchuk’s podcast, we thought “Hey, the Cybermaniacs Grand Fromage loves a chat and has a tonne of useful information in her head; why don’t we find her some podcasts to appear on?”

So we did. Here is our list of podcasts about cybersecurity and infosec that Kate has been a guest on. There is a double bonus too. We love all these shows, so they are well worth a listen, not just our bit but the whole show. You might even find one you like so much that you press that little subscribe button.


Defeat the Drama Podcast

The Defeat the Drama podcast is hosted by Kirsten E. Ross. The podcast is dedicated to making life at work stress-free by identifying flashpoints and taking the drama out of the situation before it happens.

Which is why we got the call to appear on the podcast and talk about how educating people in your organisation about cyber threats will reduce the risk of a drama about a data breach or ransomware attack unfolding.

The Cyber Warrior Princess Podcast

Bec and Vic host this amusing podcast that pokes fun at cybersecurity.

As we are into making fun of infosec stuff while making people cyber aware, is it any wonder we got invited along to a recording?

Sergey Ross – Growth Podcast

The growth podcast with Sergey Ross dives into the mind of people whose goal in life is to improve themselves and who are driven to solving problems that exist in the modern world.

In episode 14, Sergey sits down with our CEO Kate to discuss what led her to set up The Cybermaniacs and how a different approach to marketing cybersecurity to employees can help raise their awareness.

We have been inundated with requests to appear on a variety of podcasts, so keep an ear out for our next appearance.

The Two Sides of Security: An RSA Conference 2019 Retrospective (Mon, 08 Apr 2019 06:00:08 +0000)

A look back at RSA Conference 2019

The 2019 RSA Conference was held in San Francisco on March 4-8.  This is one of the best-known security conferences in the world, with researchers and vendors coming from all over to learn about the latest and greatest in security and sell their products.

This year, I attended the conference and hosted a session on how to do cybersecurity awareness training without the FUD (fear, uncertainty, and doubt), and gave a talk about the overlaps between Cybersecurity and Hospital Infection Control with Mariam Salas of the University of New Mexico.

The rest of the week, I attended several different sessions on a variety of topics and explored the Expo floor of the conference.

This year’s RSA conference seemed like the meeting of two completely different worlds. On the Expo floor (and in some of the talks), you had the technical side of security. In many of the talks that I attended, the focus was on human security. With both in one place, it was easy to see how different they are.

The Technical Side of Security

On the Expo floor of the RSA Conference, there was a carnival atmosphere.  Vendors with booths handed out free drinks and swag. There were even buskers with microphones proclaiming the virtues of their product and how it could solve all of your cybersecurity problems.  

Many booths offered demos and some even had arcade games to lure visitors over. The goal was always to scan your badge so that they could add your email or phone number to their contact list for future sales calls.

“On the technical side, it seemed like cybersecurity was a solved problem based upon a visit to the Expo floor.”  

With half an hour and a sufficient security budget, you could have your pick of the vendors in every field, building up a cybersecurity strategy and purchasing the necessary tools, technologies, and services from nothing with little or no effort.

The Human Side of Security

Attending the human-focused talks at the RSA Conference gave a very different perspective.  None of the speakers or facilitators believed that they had the security problem “solved”. In fact, some of the sessions began with the facilitator saying just that: if you’re coming here looking for a solution, you’re going to be disappointed.

The hard part of security is that it isn’t just technology.  With technology, fixes are comparatively easy: you find the problem, build or buy a fix, and deploy it across the organization in a matter of hours.

With humans, you need to coax, nudge, and outright bribe them into doing the “right thing” because being secure is generally hard and humans take the path of least resistance.  Most social engineering awareness training can be summarized as “slow down and think it through”.

With the tens or hundreds of emails that you receive every day, thinking each one through is a significant time investment.  The perceived payoff is less than the cost, so people keep on doing what they’re doing and remain insecure.

Improving the Human Side of Security

The obvious answer to an organization’s human threat surface is cybersecurity awareness training.  Logically, if we provide someone with all of the necessary data, and they make purely logical decisions, the problem is solved.  Training following these principles has been around for ages. The problem with traditional cybersecurity awareness training is that it’s awful.

Studies have shown that people make bad decisions when scared and try to avoid thinking about scary things.  So what does the industry do? Scare them with cyber.

Research also tells us that people can hold only about seven items (plus or minus two) in working memory at once.  And the standard solution is an hour-long PowerPoint with tens or hundreds of new facts and figures for the employee to memorize.

“Traditional cybersecurity awareness training doesn’t work.”

Until training aligns with best practice, taking advantage of what we know about the human brain to optimize retention, it will continue to fail.

This is a core message here at the Cybermaniacs and was echoed throughout the human security sessions at RSAC 2019.  

However, until this theory stops being “cutting edge” and becomes commonplace, the human side will remain enterprises’ biggest security weakness.

You can get just a slice of our cybersecurity training for $10 per member of staff… Find out more.

Cyber Security 2019 Predictions Fri, 25 Jan 2019 10:06:45 +0000 Cyber Security: Looking back at 2018 and Predictions for 2019

Last May, I wrote a blog post detailing some of the 2018 predictions from across the cybersecurity industry and how they’d fared in the first five months of 2018.  

Now that the dust has settled, let’s take a look at how well cybersecurity vendors predicted the threat landscape of 2018, and then look ahead at what might happen in 2019.

The 2018 Predictions

In 2018, four predictions were echoed across the cybersecurity industry.  Let’s see how well artificial intelligence, privacy regulations, the Internet of Things, and ransomware lived up to the hype.

Rise of the Machine

Machine learning and artificial intelligence are in right now, with multiple companies predicting their use both by cyber defenders and by attackers.

In our review of 2018 predictions, most organizations felt that hackers would be making heavy use of AI for reconnaissance and for automating phishing and social engineering attacks.

On the defensive side, machine learning was predicted to help move away from signature-based detection, allowing more zero-day attacks to be detected and prevented.

In reality, the predictions were half right.  Machine learning is definitely in use in cybersecurity, but primarily on the defender’s side, with many companies offering AI-based malware scanners and other defensive products.

In 2018, we didn’t see any attacks that took advantage of the capabilities of AI in the ways, or at the scale, predicted a year earlier.

Laying Down the Law

In May 2018, the European Union’s General Data Protection Regulation (GDPR) went into effect.  This regulation sets out how organizations must handle and protect the personal data of people in the EU.  

With the new regulation, it was predicted that most companies would not be prepared to handle their compliance needs and that new GDPR-focused solutions and services would be available.  

Also, many of the predictions expected to see a push by consumers for similar privacy laws for those not protected by GDPR.

Like the previous prediction, this one is half right.  Organizations were largely unprepared for GDPR (as demonstrated by several major data breaches in 2018), and some companies have begun offering GDPR compliance-as-a-service solutions.  

However, the prediction that GDPR would spur consumers to demand similar regulations in the US did not bear fruit at the federal level, although California did pass its Consumer Privacy Act (CCPA) in June 2018, which takes effect in 2020.

Safe at Home

In 2018, attacks on Internet of Things devices were predicted to continue and even increase.  IoT devices are known to have laughably poor security and are commonly deployed by consumers with limited security know-how.  

As a result, they are easy targets for hackers who want to use their computing power for nefarious purposes.

Predicting attacks on IoT devices was a safe bet for cybersecurity vendors.  IoT devices were a chronic security problem before 2018, and there has been little or no movement among the IoT industry to fix this problem.  

Attacks on IoT devices rose in 2018 and will probably continue to do so in 2019 unless something major changes.

Lock It Up

The final 2018 prediction that we explored in May regarded the ransomware threat.  In 2018, ransomware was expected to continue growing and become more sophisticated and targeted, attacking critical infrastructure and the Internet of Things.

Surprisingly, 2018 turned out to be the Year of Cryptomining rather than a repeat of 2017’s Year of Ransomware.  In 2018, many cybercriminals realized that ransomware only makes money if the victim pays, while a cryptominer turns a profit for as long as it’s allowed to run.  

While ransomware did become more sophisticated in 2018, that paled in comparison to the reported 4,000% growth in cryptomining malware over the year.

How’d They Do?

In 2018, we reviewed four of the most common predictions made by cybersecurity vendors for the coming year.  Of these predictions, two were half right, one was totally right, and one was completely wrong. 

What’s Ahead

When analyzing cybersecurity predictions, there are a lot of crazy ideas and a few things that are consistent across the industry.  After reviewing multiple articles, there are six 2019 cybersecurity predictions that stand out from the rest:

  1. Increased usage of artificial intelligence for reconnaissance and social engineering
  2. Targeting of IoT devices for use in botnets and more sophisticated attacks
  3. First company hit with maximum GDPR penalty (4% of global turnover)
  4. New privacy regulations driven by consumer demands (especially in the US)
  5. Attackers will target the supply chain using malicious updates to legitimate software
  6. Cryptojacking malware will rise or fall (we’re not sure which but it’ll certainly do something)

Deja vu, right?  Last year, we reported on cyber security predictions about the use of AI in social engineering, targeting the Internet of Things, and privacy regulations (especially around GDPR).

 In 2019, the predictions landscape looks a lot like 2018 except that we’ve traded ransomware for supply chain and cryptojacking attacks.

What Do We Know Anyway?

Predictions about the cybersecurity threat landscape for the coming year should always be taken with a grain of salt.  

There are always a few perennial problems that show up in the predictions year after year, and there will always be something that happens that no one saw coming.

Despite everything, phishing and social engineering remain the top threats that we see year after year.

Focusing your cybersecurity efforts on providing good cybersecurity training to your employees is always a winner and decreases the chances that your name will show up in our 2019 Year in Review post.

The S in HTTPS Means Safe (Not!) Tue, 11 Dec 2018 13:20:27 +0000 Do you know what the S in HTTPS means?

You’ve probably heard all about HTTPS.  You know not to enter your credit card information into an HTTP website and to look for the lock icon before you type in a username or password.

But is HTTPS really as safe as you think it is? In this post, we talk about what HTTPS does for you and what it doesn’t.

What’s the Difference Between HTTP and HTTPS?

Before getting into some of the common misconceptions about HTTPS, it’s good to understand the main differences between HTTP and HTTPS.

HTTP is the Internet protocol for transferring web content from a server to a client (that’s you). It’s mainly designed to make sure you get the data you’ve asked for: the page itself, the images and videos it embeds, and so on.

To understand the difference between HTTP and HTTPS, let’s use an example from the postal system. Consider the differences between mailing a postcard and a letter. With a postcard, everyone who handles it can see what you’ve written and who it’s going to, so there isn’t much privacy. That’s HTTP.

HTTPS is more like sending a letter. Just as letters and postcards use the same format for conveying information (writing), HTTPS uses the HTTP protocol to ensure that you get what you ask for. However, it wraps that in an extra layer of security (the envelope, in this case TLS encryption) so that no one in between can read what you’re writing.

With HTTPS, someone watching the traffic can see who you’re talking to (just like the address on a letter), but they can’t read the data being transmitted.

Common Misconceptions About HTTPS

From cybersecurity training, many people have gotten the impression that any site with HTTPS is 100% safe.

Unfortunately, that’s not the case. In this section, we’ll talk about some of the most common misconceptions that people have about HTTPS.

Any Website Using HTTPS is Legitimate

One of the biggest threats associated with phishing attacks is that you’ll go to a website that looks legitimate but isn’t. Going back to our mail example, this would be like someone putting a fake return address on a letter so that you think it’s from someone you know.

One of the benefits of HTTPS is that it includes verification of the address. If you see a lock icon in the URL bar, your browser has checked a certificate for the domain name shown in the address bar, issued by a certificate authority it trusts, and has confirmed that the server you’re talking to holds the private key for it. Only whoever controls that domain name can obtain such a certificate.

What HTTPS doesn’t promise is that the site you’re looking at is the one you expect. Phishers can and do get valid certificates for domain names that look very similar to the real thing (a lookalike name in place of the genuine one). In fact, about a quarter of phishing sites use HTTPS to trick you into giving away your personal information.

Everything is Private with HTTPS

Many people believe that HTTPS protects all of your information. If you’re using HTTPS, then no-one knows what site you’re visiting, what information is being sent, etc. Unfortunately, this isn’t 100% true for two main reasons.

To understand the first, we need to dive into something called DNS. When you visit a website, you type in its name. However, your computer uses IP addresses to talk to other computers. So how does your computer get from a name to an IP address?

Just like you (used to) use a phonebook to look up a phone number from someone’s name, your computer uses DNS to look up an IP address from a name. If your computer doesn’t already know the answer, it asks one or more DNS servers if they do.

Someone snooping on your Internet traffic can learn where you’re browsing based off of the DNS questions that your computer asks.

Even if the snooper doesn’t see your DNS traffic, they can still find out where you are browsing. Every time you use HTTPS to communicate, the IP address of the server you’re talking to is visible so that the traffic can be routed through the Internet. Worse, with the TLS versions in common use, your browser also sends the name of the site it wants (the Server Name Indication, or SNI, field) in the clear in the very first message of the connection; encrypting that field is still an experimental extension and not something browsers do by default.

Anyone who sees that IP address or hostname can find out what is hosted there and get a decent guess at what you’re looking at.

But why do you care if they know where you’re browsing? What if the website is about an embarrassing medical condition? Or what if you’re on your bank’s website? Any information an attacker can gather can be used to build a profile for a spear phishing attack.

How to Browse Securely

The only way to be completely safe on the Internet is not to use it. However, that isn’t really an option in the modern world. By following these tips, you can dramatically decrease your chances of falling prey to a phishing scheme.

Double-Check URLs

As we discussed previously, a favorite tactic of hackers is to use a URL that looks like the site you want in order to steal your sensitive data. Before you enter any data into a website (passwords, credit card information, etc.), please double-check the URL to make sure that you’re actually on the site that you think you’re on. If you’re unsure if it’s the “right” URL, Google is your friend.
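The lookalike-domain problem from the “Any Website Using HTTPS is Legitimate” section and the “double-check the URL” advice above come together in the following added example (not code from the original post). It does the checks a careful human would do, in code: pull the hostname out of the URL, decode punycode labels so that non-Latin lookalikes become visible, and compare the registrable domain against a short allow-list of sites you actually intend to log in to. The allow-list, the confusable-character table and the sample URLs are constructed for illustration.

```python
"""Checks a URL the way the "Double-Check URLs" advice asks you to.

Added example for this post, not code from the original page. The
allow-list, the confusables table and the sample URLs are constructed.
"""
from urllib.parse import urlsplit

# Constructed allow-list: the domains we intend to log in to.
EXPECTED_DOMAINS = {"example.com", "bank.example"}

# A few Cyrillic letters that render exactly like Latin ones. A real check
# would use the full Unicode confusables table; this is a small sample.
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c"})


def hostname_of(url: str) -> str:
    """Lowercase hostname from a URL, with punycode labels decoded to Unicode."""
    host = (urlsplit(url).hostname or "").lower()
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable punycode: keep it, it will not match anything
        labels.append(label)
    return ".".join(labels)


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Ignores multi-label public suffixes such
    as co.uk; a production check would consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> str:
    """Classify a URL as 'trusted', 'trusted-but-plain-http', 'lookalike' or 'unknown'."""
    parts = urlsplit(url)
    if parts.username is not None:
        # "https://bank.example@evil.example/": the text before '@' is a
        # username, not the host. A classic trick; treat it as hostile.
        return "lookalike"
    host = hostname_of(url)
    domain = registrable_domain(host)
    if domain in EXPECTED_DOMAINS:
        return "trusted" if parts.scheme.lower() == "https" else "trusted-but-plain-http"
    # Map confusables to Latin and drop the separators a phisher plays with.
    flat_host = host.translate(CONFUSABLES).replace(".", "").replace("-", "")
    for expected in EXPECTED_DOMAINS:
        if expected.replace(".", "") in flat_host:
            return "lookalike"   # e.g. example.com.account-verify.net or Cyrillic bank.example
        if edit_distance(domain.translate(CONFUSABLES), expected) <= 1:
            return "lookalike"   # e.g. examp1e.com
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs of the kinds a phishing mail might carry.
    for sample in ["https://www.example.com/login",
                   "http://example.com/",
                   "https://example.com.account-verify.net/",
                   "https://examp1e.com/",
                   "https://example.com@evil.example/",
                   "https://unrelated.org/"]:
        print(f"{check_url(sample):24} {sample}")
```

The verdicts map directly onto the advice in this post: “trusted-but-plain-http” is the missing lock icon, “lookalike” is the valid certificate on the wrong name, and “unknown” is the case where you should go and find the real address yourself.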

Look for that Lock Icon

HTTPS has its flaws, but it’s still better than HTTP. When you’re using the Internet, always check to see if a site uses HTTPS. If not, consider whether or not you really want to use and trust it. Setting up HTTPS is free (certificate authorities such as Let’s Encrypt issue certificates at no charge) and takes well under an hour on most hosting platforms. If a site owner can’t be bothered to do that, are you sure they’ve bothered to do the rest of their job (verifying the accuracy of the data on their site) properly?

Think Twice Before Entering Sensitive Information

Data breaches are in the news, and it’s obvious that a lot of organizations don’t really care about properly protecting your personal information. Before entering any data into a website (even if it’s the correct URL and using HTTPS), think about whether or not that organization really needs the information that they’re asking for. If not, maybe you should think twice about giving it to them.

VPNs May Be a Good Idea

The main issue with HTTPS is that it doesn’t provide complete privacy. Virtual Private Networks (VPNs) can help here. By hiding all of your traffic inside an encrypted tunnel between you and the VPN endpoint, they ensure that an eavesdropper watching your local connection (the coffee shop Wi-Fi, your ISP) learns nothing about your browsing from it. Bear in mind that the VPN provider, and anyone watching traffic leaving its endpoint, can still see everything a local snooper would have seen: a VPN moves the trust rather than removing it. VPNs should always be used for remote connections to corporate networks and have many personal uses as well.

Is HTTPS Worth Using?

Definitely yes. Despite its shortcomings, HTTPS is much better than plain HTTP. However, it’s important to take that extra second to double-check everything before giving away your personal information to a hacker.

Our ethos behind cyber security awareness Fri, 09 Nov 2018 11:44:02 +0000 Our goal is serious cyber security awareness through laughter

We know that cyber threats are growing as fast as the apathy individuals have towards cybersecurity awareness and the training they are given.

There is so much information and entertainment competing for attention that people are overloaded, and you now have to cut through that to engage your staff.

A great way to win their attention is through humour. Here is how we make people laugh…

Why are employees difficult to reach during cyber security training?

Now the science bit. There are loads of things that we need to understand when creating engaging content to sell ideas to people.

First, we need to understand why staff are hard to reach.

Using Storytelling and Characters in training

But to be funny about something serious you need to understand the subject and the challenges of delivering that knowledge.

Everything we have observed and learnt has led us to believe that the current approach most small and medium-sized businesses are using is not hitting the spot with their staff.

This is why we believe that storytelling and characters need to play a bigger part of the process of learning and engagement.

Why we don’t use fear in cyber awareness training

Using fear to educate about cyber threats has been the go-to approach for many businesses.

But humans have many more emotions that can be tapped into to deliver a message.

We have found that delivering a message in a more positive way is more effective in creating behaviour change.

Unique Creation and Delivery

Cyber security threats are changing rapidly, what might have been relevant yesterday may not be a threat today… when was the last time you changed your fax machine password?

So the message you deliver about staying safe in a cyber world needs to be adapted, updated and delivered constantly and consistently.

This all needs to be distributed in a way that informs and has positive behavioural change on your workforce.

Getting Beyond a Tick-box Exercise

We have seen stats that tell us that if people can skip to the end, cheat or tick an “I agree” box without taking in the information they will.

This is a major hurdle for any e-Learning experience. Our research has shown that the solution is to create better engagement with better content.

In many ways, cyber security awareness is Russell Crowe in Gladiator… “Are you not entertained?”

What to measure when creating a cyber security strategy

For us, the human firewall is the most important line of defence.

So we need to look at the baseline of your organization’s implementation and working knowledge then monitor metrics that will demonstrate behavioural change and individual approaches to cyber safety.

And now a funny poem about passwords.

