All posts by Paul Stradling

News

Sustainability : 97% Cost Reduction For Lithium Batteries

With a recent study finding that the costs of producing lithium-ion battery technologies have fallen by about 97 per cent since their commercialisation three decades ago, we look at the reasons why, and the possible implications.

What Is A Lithium-Ion Battery?

A lithium-ion battery is a type of rechargeable battery. The lithium ions in it move from the negative electrode through an electrolyte to the positive electrode during discharge, and back again when charging. Lithium-ion batteries have the advantages of being made small and yet having a relatively high ‘energy density’, a lower self-discharge rate than other battery types and are a low-maintenance battery. This makes them ideal for providing portable electricity and powering many of our favourite electronic business gadgets (e.g. mobile phones, laptops, and tablets). They are also now helping to enable the electrification of cars and buses and are beginning to support the integration of renewable energy resources into the electricity grid.

Cost Decline – Study In March

A previous study in March this year found that since their introduction in 1991, the cost of lithium-ion batteries had fallen at a comparable rate to that of solar photovoltaic panels. This rate of cost decrease for solar panels was thought to be exceptional, but the story of lithium-ion batteries has proved this to be wrong.

New Study – The Reasons For The Rapid Decline in Costs

The latest study, the results of which are published in the Journal Energy and Environmental Science (Micah Ziegler, Juhyun Song PhD, Jessika Trancik) show a 97 per cent reduction in the cost of lithium-ion technologies over the last three decades. The authors of the report suggest that the main reasons for the substantial cost reduction include:

– Greater efforts to increase charge density between the late 1990s and early 2010s (38 per cent cost reduction).

– Reductions in cathode materials prices (18 per cent of the cost reduction).

– Changes in non-material costs (14 per cent of the cost decline).

– A large reduction in costly public and private research and development, which accounted for the majority of the observed cost reduction. Most of the R&D contribution can be attributed to advancements in chemistry and materials science.

– Learning-by-doing, and economies of scale.

What Does This Mean For Your Organisation?

This massive reduction in the cost of lithium-ion battery technologies, mainly brought about by a reduction in R&D costs, has certainly benefitted organisations in terms of powering the various, ever-more compact devices used daily for work on the go. The cost reduction has also helped the growth of sales of electric vehicles and the general ongoing electrification of transportation.

In terms of the environment, reduced costs associated with electrochemical energy storage technologies may be helping to reduce greenhouse gas emissions by increasing lithium-ion battery usage in stationary applications, helping to compensate for the intermittent supply of clean energy like solar and wind. This is enabling the growth of renewable energy technologies.  Cheaper electrochemical energy storage technologies (like lithium-ion batteries), therefore, is a factor that’s playing an increasingly important role in helping to tackle climate-change and move other green technologies forward.

News

Tech News : Teams App Blocked Emergency Call

It was recently discovered that a bug in the Pixel 3 phone meant that users who had the Teams app installed (even though they weren’t logged in) couldn’t call the US emergency 911 number.

What Happened?

A Reddit user reported that they had needed to call an ambulance for their grandmother who appeared to be having a stroke. The user dialled 911 just by typing and calling on their pixel 3 phone, only to find that the phone “got stuck” after one ring. The user reported that they were unable to do anything other than click through apps with an emergency phone call running in the background. Consequently, they were unable to tell the person on the other end which apartment they were in, or what the emergency was. The user also reported that the fault meant that there was no response from emergency vehicles, no evidence that 911 had been called (from a phone log perspective) and the user’s Verizon phone log showed no evidence that a 911 call had been made.

Google Confirmed The Fault Was Related To Teams App

Google later answered the user’s post on Reddit, saying that it had determined that the issue was caused by unintended interaction between the Microsoft Teams app and the underlying Android operating system, specifically for those running Android 10 or above. Google said that it expected a Microsoft Teams app update to be rolled out soon, and that it would also be providing an Android platform update on January 4. Google has also advised Pixel phone users to keep an eye out for Teams app updates and to ensure they are running the latest version.

What To Do

Google suggests that in order to avoid falling victim to the fault in the meantime, users with Microsoft Teams installed on any Android device running Android 10 and above could take the following steps:

– Check whether you are running Android 10 or above. Those not running Android 10 or above will not be impacted by the issue.

– Check to make sure that you are signed-in to your Teams app because the issue only occurs if the user is not signed in.

– Those who have the Microsoft Teams app downloaded, but are not signed in, should uninstall, and reinstall the app. This will address the problem in the interim, however a Microsoft Teams app update will also be required to fully resolve the issue.

– Keep an eye out for an update to the Microsoft Teams app, and ensure it is applied as soon as available.

What Does This Mean For Your Business?

This story illustrates how the simple act of being able to make a phone call (on what is primarily a phone) can be prevented by aspects of the other tech and apps that are installed. It raises particular concerns because it relates to stopping an important 911 call. The positive aspects of the story are that the fault was brought to light and has been taken very seriously and acted upon quickly by both Microsoft and Google. This is good news for users and created a positive angle for what was potentially a very damaging story for Google and Microsoft. It also shows the value of thoroughly testing apps and the value of maintaining updates.

News

Featured Article : What’s All the Fuss About Julian Assange?

In this article, we take a look at some of the main details of the case of WikiLeaks and Julian Assange, and what can be learned from this ongoing battle between Assange and the US government, whose secrets his website shared.

Who Is Julian Assange?

Julian Assange is 50-year-old Australian editor, publisher and activist who founded WikiLeaks in 2006.

He was born Julian Hawkins in 1971 in Townsville, Queensland, to Christine Hawkins a visual artist, and John Shipton, described as an anti-war activist and builder. The couple separated before his birth, his mum married actor Brett Assange, with whom she ran a small theatre company and who Julian regards as his father. After their divorce in 1979, and his mum’s involvement with a man Assange described as “a member of an Australian cult” (‘The Family’) Assange’s young life was nomadic, living in more than 30 Australian towns and cities by the time he reached his mid-teens and attending many different schools.

Despite what appears to be quite an unsettled childhood, Assange attended Central Queensland University (1994) where he studied programming, mathematics and physics, at the University of Melbourne. He is also reported to have used his computing skills to help the Victoria Police Child Exploitation Unit to catch and prosecute those involved in publishing and distributing child pornography.

Hacking

There are reports of Assange also using his computing skills as part of various hacking groups before he was charged in 1994 with 31 counts of hacking and related crimes, 24 of which he pleaded guilty to. He was only given a light penalty due to the absence of malicious or mercenary intent and his disrupted childhood.

What Is WikiLeaks?

WikiLeaks is an international non-profit organisation that publishes news leaks and classified media provided by anonymous sources on its whistleblower website wikileaks.org. Founded by Assange, WikiLeaks lists a large number of co-publishers, research partners and funders on its website, including The Guardian, The Telegraph, The New York Times, and the Wall Street Journal.

What Happened With Julian Assange and WikiLeaks?

In 2010 WikiLeaks published a series of leaks provided by U.S. Army intelligence analyst Chelsea Manning. A former US soldier, Chelsea Manning disclosed to WikiLeaks nearly 750,000 classified (or unclassified but sensitive) military, and diplomatic documents. Consequently, Manning was convicted by court-martial in July 2013 of violations of the Espionage Act and other offenses.

What Leaks?

The ‘leaks’ given by Manning and published by Julian Assange via WikiLeaks included:

– The Baghdad airstrike Collateral Murder video (April 2010). This is 39 minutes of classified gunsight footage from air-to-ground attacks conducted by a team of two U.S. Apache helicopters in New Baghdad, just after the Iraq war.

– The Afghanistan war logs (July 2010) is a collection of over 91,000 classified Afghan War documents, covering the period between January 2004 and December 2009. 75,000 of these documents were made available to newspapers first and then released to the public via WikiLeaks.

– The Iraq war logs (October 2010) is the biggest leak in the military history of the United States. It consists of 391,832 United States Army field reports relating to the Iraq war from 2004 to 2009 and shows 66,081 civilian deaths out of 109,000 recorded deaths. These logs were published on Wikileaks.

– Details of Cablegate (November 2010). Cablegate refers to WikiLeaks releasing classified cables that had been sent to the U.S. State Department by 274 of its consulates, embassies, and diplomatic missions around the world. Chelsea Manning was convicted for theft of these cables and violations of the Espionage Act and given a thirty-five-year prison sentence although was released in 2017, after serving seven years confinement.

What Was Julian Assange Initially Charged With?

In 2010, Julian Assange was issued an international arrest warrant over allegations of sexual misconduct. The allegations were that he had raped one woman and sexually molested and coerced another while on a visit to Stockholm to give a lecture. Assange denied the accusations and argued that the encounters were consensual. In 2019, Prosecutors in Sweden dropped the investigation.

London/Ecuador

Julian Assange claimed that the sexual misconduct allegation was a pretext that would enable the US to extradite him because of his role in the publication of secret American documents. After initially losing his battle with Sweden to avoid extradition, and while in London in 2012, Assange breached bail and took refuge in the Embassy of Ecuador in London where he was granted asylum on the grounds of political persecution.

After Ecuador’s President Correa, who was a known advocate of Wikileaks, was succeeded in office by Lenín Moreno, in April 2019, Ecuador withdrew Assange’s asylum status, and he was arrested at the embassy. It later emerged that Assange had fathered two children to a South African-born lawyer (and now his fiancée), Stella Morris, while he was still living in the Ecuadorean embassy. Stella Morris is reported to have been in a relationship with the Wikileaks founder since 2015.

Belmarsh

Following his arrest at the Embassy, in May 29019, Julian Assange was found guilty of breaching the Bail Act and sentenced to 50 weeks in prison. He was sent to Belmarsh maximum-security prison in London where he still resides.

Charges

In May 2019, the US justice department filed 17 new charges against him for violating the Espionage Act, relating to the publication of classified documents in 2010.

During his time spent in the Ecuadorian Embassy (which he could not leave) and his incarceration since, Assange’s health has suffered considerably. In January this year, District Judge Vanessa Baraitser ruled against the United States’ request to extradite him, saying it would be “oppressive” given his mental health, but on 10 December 2021, Britain’s Court of Appeal ruled that Assange can be extradited to the US to face charges.

Mini-Stroke

It has also just been reported by Assange’s fiancée and mother of his two young children Stella Morris, that he suffered a mini-stroke on the first day of his High Court appeal hearing on October 27th, due to stress in his battle to avoid extradition from Britain to the United States.

What Does This Mean For Your Business?

The long-running (and often complicated) legal story of Julian Assange and WikiLeaks has many aspects to it. Although he has faced various accusations and smear campaigns that may have influenced how he is viewed by some people, this is essentially a story of whistleblowing online and its consequences. However, because the leaks related to classified US government military secrets, and Mr Assange has publicly evaded attempts by the US government to more directly punish him and bring him to face charges in the US, the saga has proved damaging to both the US government and Assange. Another important, less dramatic example of tech-related whistleblowing in the news recently is Frances Hauge’s allegations against Facebook (Meta). Although Assange’s and Hauge’s stories are very different, one common thread is the power of the Internet as a public publishing platform and an influencer in global matters. Businesses and organisations now have to know how to operate offline and online in ways that are ethical and compliant to give the right messages to their stakeholders.

News

Tech Insight : What Is A Password Manager?

In this tech insight, we look at challenges to using passwords, what password managers are, and why they are still so important.

The Limitations and Challenge of Passwords

Passwords have long provided a practical way to log in to websites, platforms, apps and other access gateways yet using passwords comes with many limitations and challenges, most of which are around security. These include:

Human Limitations and Human Error

People can typically only successfully remember shorter, more uniform, or more memorable strings of characters, and consequently these often end up being partly words, names, dates, or a combination thereof, which can make them easier to crack. Also, trying to remember longer groups of unrelated characters is unduly onerous for most people.

Password sharing (i.e., using the same password for multiple platforms/websites) is a security issue because if one site is compromised and password details are stolen, criminals can quickly attempt these in many other locations( which could result in financial loss and multiple accounts for one person being taken over.

The use of default passwords (e.g. with IoT devices and gadgets) or using very easy to guess/crack passwords are highly risky and expose users open to hacks, data-theft and financial loss. For example, the top 5 passwords in the (Nordpass) list of the 200 most commonly used passwords for 2021 are 123456, 123456789, 12345, qwerty, and password.

Criminal Activity

Cybercriminals have found passwords easier to beat in recent years due to factors such as:

– The massive leak of 2.6 billion rows of personal data from 12,000 files dubbed Collection #1, plus the many other collections of personal data and passwords now available to buy/swap/download on the dark web and other places.

– Password brute-forcing tools are now widely available online, e.g., Cain and Abel, Hashcat, John the Ripper, and Ophcrack.

Cyber-criminals can use the stolen/purchased password details for:

– Credential stuffing attacks. This is where cyber-criminals use software to automate the process of trying breached username/password pairs on many other websites to see if they can gain access.

– Phishing attacks.  The stolen credentials can be used to automatically send malicious emails to a victim’s list of contacts.

– Targeted digital identity attacks. The breached credentials can be used in targeted attacks designed to steal a victim’s entire digital identity or steal their money or even to compromise their social media network data.

Password Managers

Password managers are typically installed as browser plug-ins.  They are used to handle password capture and replay, and when logging into a secure site, they offer to save login credentials. On returning to that site, they can automatically fill in those credentials.

Password managers can also generate new passwords when needed and automatically paste them into the right places, as well as being able to sync passwords across all devices.

Popular Password Managers

Examples of popular password managers include Google Password Manager, Microsoft Authenticator, Dashline, LastPass, Sticky Password, Password Boss, Keeper (good for cross-platform uses), 1Password, and LogMeOnce.  There are also password vaults in other programs and CRMs that act as password managers, such as Zoho Vault, and Digital Vault.

Google Password Manager and Microsoft Authenticator

Google’s Chrome browser has a password manager to help to stop people from using weak passwords by suggesting combinations of characters that may be more secure. Microsoft’s Authenticator app can manage passwords for both Edge and Chrome.

Benefits of Password Managers

The main benefits of password managers include:

– Convenience and saving time. Having the password available in a secure browser extension is very helpful where, for example, the password has been forgotten or the password is too difficult to remember. Password managers are also particularly helpful for businesses, most of which have a large number of passwords to remember/store, and for businesses that may need to store a number of logins for their customers’ apps and platforms (e.g. digital marketing companies).

– Added security. Most password managers use 256-bit, military-grade AES encryption, thereby ensuring password security while keeping passwords close to hand for when they’re needed.

What Does This Mean For Your Business?

Even though big tech businesses are now offering users ways to log in that don’t use passwords (Microsoft announced in September that it is getting rid of all password logins and encouraging the use of an authenticator app or other solution) many businesses still need to use multiple passwords in a secure and convenient way. Password managers, therefore, serve a useful purpose in tackling the challenges of human limitations and human error, helping with work on the go and remote or hybrid working (syncronising passwords across devices), and the ongoing effort of cyber-criminals. The increased strength and convenience, however, mean that that the days of passwords now appear to be numbered but, in the meantime, there are many different password managers for businesses to choose from.

News

Tech News : A Peek at ‘Metaverse’

Meta (Facebook) has released a social VR experience called ‘Horizon Worlds’, giving users the first real look at the ‘Metaverse’ described by Mark Zuckerberg in the company’s recent re-brand announcements.

What Is Horizon Worlds?

Horizon Worlds (which launched via invite-only in beta last year) is a free, virtual space app that has been built with the Horizon creation tools. Users (over 18 and in the US and Canada) can create their own avatar, explore, work with others, and build and play their own games and activities as well as playing Meta’s base game. The user’s legless, floating avatar can fly around the virtual world and assemble a custom digital environment from building blocks and use pre-made code snippet scripts to set the rules for the games they create.

Explore Favourites

Meta says that a community has already begun to form around Horizon Worlds. Some of the community’s favourite games and activities that users can try out and experience include:

– A retro, arcade-style multiplayer platform battle royale with a vapor-wave theme called ‘Pixel Plummet’.

– A game called Wand & Broom where users can fly above ‘Townscity’ on a magic broom.

– A relaxing virtual ride on a river aboard a triple-decker riverboat, called ‘Mark’s Riverboat’.

Why?

The Metaverse is Facebook’s re-invention of its platform for the future and some critics have said it’s a way for the company to escape some of its problems and bad publicity in recent times (e.g., allegations by the whistleblower Frances Haugen). The vision for Horizon Worlds is “to develop a VR space with best-in-class tools for creators to build words and explore together.”

Criticism

Although an enthusiastic community has already built-up around Horizon Worlds and many people are excited about trying the experience, it’s still early days and this has brought inevitable criticism. For example, some have described Horizon Worlds as a lesser version of Minecraft.

Funding and Prizes

To help improve the experience and provide motivation for users to create, Meta announced a $10 million Creator Fund in October and has launched a Creator Competition with cash prizes.

What Does This Mean For Your Business?

For developers and those interested in creating games, Horizon Worlds provides new opportunities which could lead to new collaborative relationships, a way to showcase their talent, and perhaps develop potentially commercial game ideas, and win cash prizes. For Facebook, it’s a way to move more quickly towards their vision for the future of the platform, escape recent woes and bad publicity, harness the interest of younger users, and discover new product ideas and opportunities. For other social and developer platforms, it’s certainly something to watch closely (and experiment with), and it is potentially an area where they may wish to compete and stop Meta from gaining too much of an early advantage, should it prove to be very popular.

News

Security Stop-Press : Apache Log4j Security Vulnerabilities

The Apache Foundation has released an emergency update for a critical zero-day vulnerability in Log4j. This is a widely used logging tool included in almost every Java application. The problem that the update has been issued to address is that a bug in the Log4j library could allow an attacker to execute arbitrary code on a system that is using Log4j to write out log messages. The update can be found here: https://logging.apache.org/log4j/2.x/security.html

News

Tech Tip – A Fast Way To Open Items From Your Taskbar

If you’d like super-fast and easy way to open the items/programs that are pinned to your Taskbar in Windows 10, here’s how:

– Look at the Taskbar and note which number order (left to right) the item/program is that you’d like to open.

– Use the keyboard shortcut Windows key + [Number key], with the number key corresponding to the position of the pinned program on the Taskbar. For example, Windows key + 2 will open the second pinned item on the Taskbar.

News

Tech News : World’s First “Living Robots” Can Now Reproduce

US-based scientists have reported creating “living robots” that can now re-produce.

Next Step From Last Year

Last year, a team of US scientists reported creating ‘living robots’ which were actually bundles of stem cells from African clawed frogs. The researchers discovered that they could ‘program’ these cells to accomplish certain tasks, hence the robot comparison. The cells were dubbed ‘robots’ because they could act on their own (on behalf of people).

In the research, the cells, about the size of grain of sand and dubbed ‘xenobots’, could move microscopic objects, move quickly round Petri dishes and even heal themselves.

Latest Research Reveals Reproduction

The latest research from the same team, published in the Proceedings of the National Academy of Sciences (US), revealed that the ‘robots’ (synthetic multicellular assemblies) could spontaneously (i.e. over a couple of days) reproduce by replicating kinematically through moving around and compressing other dissociated cells in their environment together to make functional self-copies.

Never Observed Before

Whereas (known) reproduction in life forms involves growth within or on the body of an organism, followed by splitting, budding, or birth, what is amazing about the xenobot ‘robots’ is that they could perform non-growth based kinematic replication. This means that they could make copies of themselves by gathering cells from around them with their ‘mouths’ and assembling them into baby blob-like bots. Based on this, the researchers claim that this kind of kinematic replication has never been observed before, nor was it known whether multicellular systems were even capable of it. Some scientists suggest that although it has not been observed before, it may have been essential in the origin of life.

AI Used To Design

Not only did the researchers make ‘robots’ that could assemble copies of themselves, but they also used artificial intelligence (AI) and a supercomputer to try and discover the best body shapes and configurations for xenobots that could most effectively build new baby bots. The AI work concluded that a C-shaped bot was most effective at gathering cells to make baby bots, and this program influenced how the xenobots behaved in doing so.

What Does This Mean For Your Business?

In addition to being an incredible discovery in itself, the research suggests that, with more development, xenobots could create new opportunities such as their use in medicine (e.g., to help deliver drugs within the body), or in other valuable ways such as cleaning up environmental contaminants. The research has also challenged traditional machine self-replication knowledge and assumptions and highlighted how reconfigurable organisms and kinematic (rather than growth-based) replication could lead to many more discoveries that could help in many different sectors. Given the speed of the move to the development of robots that can re-produce, many may also feel that, as with AI, regulation will need to keep up in order to prevent this science moving too quickly into areas of real danger.

News

Featured Article : A Business Continuity Plan : The Essentials

In this article, we take a look at what a Business Continuity Plan is, what it should contain, and why it’s such an important document.

Preparing

Accepting that the unexpected and disasters will happen (and that you can plan how to maintain business continuity while you deal with them) is an important step in safeguarding your business. Maintaining the ability to ensure that core functions and critical systems remain in place in the event of such a situation involves planning, an important part of which is the business continuity plan (BCP).

What Kind Of Events?

The kind of events that create the need to have a BCP in place and ready to go include:

– Hardware failures/server failures.

– Outages and/or file corruption.

– The effects of cyber-attacks.  For example, 53% of senior managers believe that a cyber-attack is the most likely thing to disrupt their business (Sungard) and the effects could include damage to / locking out of systems (malware and ransomware), fraud and extortion, data breaches (which could also attract fines under GDPR, damaging publicity and loss of customers).

– Important 3rd supplier failure or the loss of key employees.

– Failures of part / a component of a network.

– Environmental/natural disasters (e.g. fire and flood).

– Theft or loss of equipment holding company data.

– Financial and cashflow issues.

The Business Continuity Plan

The goal of a BCP is to ensure that resources are available to ensure continuous operation and disaster recovery following an emergency. A BCP, therefore, is the plan/document that contains all the details of just how a business will continue operating during any kind of unplanned disruption in service.

Not The Same As A Disaster Recovery Plan

A disaster recovery plan (DRP) is part of the BCP. The DRP is the part that focuses mainly on the restoration of IT infrastructure and operations following a crisis rather than focusing on the entire organisation which is the job of the BCP.

How To Make A BCP

There are several stages to making a workable BCP. These are:

Create the team to develop the plan.

This stage will ensure that the plan actually gets made and updated and is able to take into account the main issues.  This involves getting support from top management, assigning a person to manage the process, and putting together a team consisting of key people from each business department who can feed into the plan. The team should also decide upon the scope of the plan.

Start documenting the details of the BCP from the outset.

Everything decided in the making of the plan should be documented. This is something that should be set up at the beginning so that each new element can be added and checked and so that at least something is available if anything happens during the planning process. The plan should be securely stored off-site (e.g., in the Cloud) and each relevant person given access.

Conduct a full risk assessment.

This involves generating a list of all the known possible man-made, natural, and environmental risks and threats that could disrupt the continuity of the business and prioritising this list in terms of how serious the impact could be. This prioritisation of risk and threats will indicate which areas of the BCP should be tackled first.  The kinds of risks and potential threats that could be taken into account include:

– Natural and environmental risks related to geographic location weather patterns. These could include floods, storms (esp. lightning), earthquakes, landslides and more.

– Technology-related issues, such as human error and the effects of cyber-attack, loss of telecommunications, vital equipment/hardware failures, data outages and corrupted data, power failures, loss of Local Network Services, and prolonged technology outages.

– Market and financial-related risks and threats. These could include trends and movements in the market, cashflow issues, and stakeholder issues.

– Facility-related issues and internal hazards e.g., fire, electrical failures, water leaks, HVAC failure, chemical spills/leaks, strikes and more.

Create recovery plans for each function.

With the risks and threats identified and prioritised, the next stage is to:

– Generate a list of the critical functions of the business/organisation.

– Look closely at how each risk could affect each critical function of the business/organisation.

– Create individual recovery/continuity plans for each situation where you have identified how a risk could adversely affect that function. These mini-plans could include details such as creating data backups or maintaining a secondary location.

Define who does what.

Where each of the smaller plans has been created to tackle risks and threats to critical functions, the next stage is to assign responsibility to staff members who will be needed to undertake and co-ordinate the plans and to detail protocols they need to follow. This should mean that key staff know what to do and have a plan to refer to in the event of incidents and emergencies.

Test and update the plan.

The plan should be viewed as a living document and not a one-off exercise. Your BCP should be regularly reviewed and updated, e.g. if there are changes/additions to the risks and threats, or changes to key staff members.  Also, the plan and its key elements should be tested to ensure relevance and effectiveness.

What Does This Mean For Your Business?

The survival of a business depends upon not just accepting that bad things do happen, but on making the effort to prepare for at least what can be reasonably foreseen. Downtime and disruption can very quickly have a serious and costly effect on a business in terms of lost revenue, lost customers, reputational damage and more. Businesses also have a responsibility to stakeholders to ensure that risks and threats are identified and planned for where possible. Creating and maintaining a BCP, therefore, should be given a high priority as it can protect the life of the business itself.

News

Tech Insight : Email Security

In this tech insight, we take a look at the many threats to email security that businesses face and what businesses can do to mitigate them, together with what help is available to help tackle those threats effectively.

Email Accounts For Most Security Breaches

Prioritising email security is important because most cyber-security breaches involve email, with social engineering a strongly favoured tactic favoured by cyber-criminals and 99 per cent of email attacks relying on victims clicking links (Proofpoint Annual Human Factor Report).

Types of Email-Based Attacks

The many different types of email attack threats that businesses face include targeted phishing schemes, business email compromises, and ransomware attacks. For example:

– The Check Points mid-year security report in August this year showed that ransomware attacks (for extortion) have increased dramatically over the past year, with 93 per cent more attacks carried out in the first half of 2021, and with ransomware now appearing in 10 per cent of breaches (Verizon).

– Phishing. This cheap, easy, and highly effective tactic uses emails purporting to be from reputable sources containing links that (if clicked-on) direct the victim to pages where payment and other personal data is stolen or malware is downloaded. For example, at the end of 2019, Thomas Cook customers were targeted by phishing attacks in the wake of the travel company going into receivership. Verizon’s 2021 Data Breach Investigations Report shows that phishing increased by 11 per cent from Aug 2020 to Aug 2021 and that phishing is present in 36 per cent of breaches. The National Cyber Security Centre offers advice on how to protect your business/organisation from phishing attacks here: https://www.ncsc.gov.uk/guidance/phishing.

– Malware attachments to emails. It is estimated that a business is targeted by a ransomware attack every 11 seconds (Kaspersky) and Between 2019 and 2020, ransomware attacks rose by 62 percent. Malware is now involved in over 70 per cent of system intrusion (Verizon). Common forms of malware include viruses, worms, Trojan Horses, spyware, adware, and ransomware. Remote Access Trojans (RATs), for example, are malicious programs that can arrive as email attachments and provide a ‘back door’ for administrative control over the target computer, and can be adapted to avoid detection and to carry other types of attack tactics including disabling anti-malware solutions and enabling man-in-the-middle attacks.

– BEC and VEC. Whereas Business Email Compromise (BEC) attacks have been successful at using email fraud combined with social engineering to bait one staff member at-a-time to extract money from a targeted organisation, security experts say that this kind of attack is morphing into a much wider threat of ‘VEC’ (Vendor Email Compromise). This is a larger and more sophisticated version which, using email as a key component, seeks to leverage organisations against their own suppliers.

– AI-based threats.  Many technology and security experts agree that AI is likely to be used in cyberattacks in the near future and its ability to learn and to keep trying to reach its target (e.g. in the form of malware) make it a formidable threat. Email is the most likely means by which malware can reach and attack networks and systems, so there has never been a better time to step up email security, train and educate staff about malicious email threats, how to spot them and how to deal with them. The addition of AI to the mix may make it more difficult for malicious emails to be spotted. The good news for businesses, however, is that AI and machine learning is already used in some anti-virus software (e.g. Avast) and this trend of using AI in security solutions to counter AI security threats is a trend that is likely to continue.

Protecting Your Email From Common Threats

Ways to protect your email from common security threats include:

– Always keeping anti-virus and patching up to date.

– Staff education and training; e.g. how to spot suspicious emails and what to do/what not to do, such as not clicking on links from unknown sources.

– Disabling HTML emails if possible (text-only emails can’t launch malware directly).

– Encrypting sensitive data and communications as an added layer of protection.

– Getting into the routine of checking your bank account’s activity for suspicious charges.

– Making sure important and sensitive company data is backed up and including business email compromise (BEC) in business continuity planning and disaster recovery planning.

– Preventing email archives from being publicly exposed; e.g. by making sure that archive storage drives are configured correctly.

– Monitoring for any exposed credentials (particularly those of finance department emails).

– Using two-Factor Authentication (2FA) where possible, and enterprise users may wish to block .html and .htm attachments at the email gateway level so that they don’t reach members of staff, some of whom may not be up to speed with their Internet security knowledge.

– Not using the same password for multiple platforms and websites (password sharing). This is because credentials stolen in one breach are likely to be tried on many other websites by other cyber-criminals (credential stuffing) who have purchased/acquired them (e.g. on the dark web).

Broad Methods and New Approaches

Other broader methods that companies can use to protect their email security include:

– Adopting a ‘zero-trust’, “never trust, always verify” approach to company cyber security. The control that administrators have, and the monitoring and alerting can help dramatically reduce risk, including with company emails.

– Moving from perimeter to pervasive email security, e.g. as suggested by Mimecast’s CEO Peter Bauer.  This involves dealing with threats to the perimeter, from inside the perimeter, and from beyond the perimeter, plus an API-led approach to help deliver pervasive security throughout all zones.

Tech Company Help

Ways offered by tech companies to help businesses and organisations keep their email secure include:

Microsoft

Outlook’s Junk Email Filter, and the Report Message add-in for Outlook.

– Office 365’s Advanced Threat Protection (ATP) plans.

– Secure Score for Office 365 / Microsoft 365 Defender portal – a way to measure and get suggestions about how to protect your business from threats, all through a centralised dashboard – find out more here: Microsoft Secure Score | Microsoft Docs

– The “campaign views” tool in Office 365 that is designed to offer greater protection from phishing attacks by enabling businesses to be able to spot the pattern of a phishing campaign over individual messages.

– Offering online advice for protecting Outlook email accounts – see Help protect your Outlook.com email account (microsoft.com).

– Microsoft is making its plus addressing (disposable email address), custom email feature available to all Office 365 users by adding it to Exchange Online.

Google

Google also offers a number of tools and suggestions, including:

– Advanced Gmail security for phishing and malware for G Suite administrators  – see Advanced phishing and malware protection – Google Workspace Admin Help.

– Offering steps to identify compromised accounts – see Identify and secure compromised accounts – Google Workspace Admin Help.

– Advice on Firewall settings.

–  Blocking malicious emails before they reach email boxes.  For example, on its Cloud blog on 16 April 2020, Google reported that Gmail blocks more than 100 million phishing emails each day.

What Does This Mean For Your Business?

With so many types of attacks relying upon email as a way in (e.g. phishing), effective email security is vital. Businesses and organisations need to make sure that they are prepared to not just effectively defend against the whole range of email attacks but are be able to spot and eliminate threats as they arrive, and ensure that staff are aware of email threats and know what to do when faced with suspicious emails and links. Also, attackers adapt their campaigns and methods very quickly, and use methods that can evade the more common protection solutions (i.e. ‘polymorphic’ attacks) so businesses and organisations must find ways to get a fuller picture of the email threats they face and find solutions that can focus effectively on zero-day and targeted attacks in addition to known vectors. With the threat of AI-based attacks now on the horizon too, there has never been a more important time for businesses to take a very close look at what more they could be doing to maximise their email security.