Be aware of scammers while using email…

Many businesses have had to adapt to new working practices because of the coronavirus (COVID-19) situation. This has often meant an increase in emails and more frequent calls with suppliers, customers, banks and other organisations.
Scammers have been taking advantage of this. Cases are on the increase where fraudsters are calling businesses pretending to be from their phone or internet provider, their bank or even a retailer. They’ll ask for payments, or for staff to download software that then gives them control of that staff member’s device. Some have even taken control of genuine email addresses and used them to request payments, making it more difficult to spot the signs of a scam.
With this in mind, it’s now even more important to have strong, clear processes in place for keeping data safe.

Can you spot a scam?
Even if you know all the hallmarks and what to look out for, with ever-more sophisticated ways to access your data, scams are getting harder to spot. If a fraudster called or emailed you or a member of staff pretending to be a known supplier, would you know it was a scam?
They might even contact a staff member pretending to be you. For example, how can you tell if this email’s genuine?

Put checks and processes in place
To help you and your staff spot fraudulent attempts, here are some tips on the checks and processes you should have in place. Remember – it’s good to have a healthy level of suspicion.

  • If you get an email out of the blue that asks you to click on a link or attachment, don’t do it – even if the sender seems familiar – and even if it appears to be coming from a known email address. Instead, contact the apparent sender using different details that you already know and trust to verify the request.
  • When someone calls unexpectedly, don’t give them any information like personal details, bank details or PINs.
  • Never download any software onto your device if you’re asked to – fraudsters can use this to access your personal information, even your bank account. Instead, call them back on a known number to check they’re genuine. You can also search for a number to see if a listed number you’ve been asked to call is genuine.
  • Have a payment-checking process in place. For example, if you receive a request to update the bank details you have on file or get new bank details for a payment, confirm this by calling that person or organisation using details you already have, and not those provided in the request. You should also do this with requests from anyone within your own organisation.
  • Have security policies in place, such as having strong passwords, using an encrypted VPN (virtual private network) when working from home, and using an extra layer of authentication for email and payment processes (such as a unique code texted to your mobile) – and test these processes often.
  • Make sure you and all your staff, regardless of their role, are made aware of the checks and processes regularly.

Cyber-Security 101 for Business Owners

Running a business requires skill, with multiple things happening simultaneously that require your attention. One of those critical things is cyber-security, which is critical to have your focus on today.

In the digital world today, all businesses have a dependency on the Internet in one way or the other… For SMEs (small and medium-sized enterprises) that use the Internet exclusively as their sales channel, the Internet is not only a source of opportunity but the lifeblood of the organisation. An enterprise has the ability, through the Internet, to operate 24×7 with a digitally enabled workforce, bringing unprecedented business value.

Like any opportunity though, this also comes with a level of risk that must be mitigated and continuously governed, not just by the board but also by every member within the team. Some of these risks can have a seriously detrimental impact on the business, ranging from financial and data loss to downtime and reputational damage. It is therefore your duty to ensure your IT network is fully protected and secure in order to protect your business.

Statistics show that cybercrime is exponentially rising. This is mainly due to enhancements in technology that give access to inexpensive but sophisticated tools. Used by experienced and inexperienced cyber criminals alike, these tools are causing havoc across networks, resulting in business downtime that costs the economy millions every year.

If your business is not trading for 100 hours, what is the financial and reputational impact? That could be the downtime caused by, for example, a ransomware attack – yes, that’s almost 5 days of no business, costly for any business!

Understanding the threat

Cyber threats take many forms and are an academic subject of their own. So where do you start?

First you need to understand the threat before you can take preventative action.

Definition: Cyber security or information technology security is the set of techniques for protecting computers, networks, programs and data from unauthorized access or attacks that are aimed at exploitation.

A good start is to understand the following cyber threats:

  • Malware
  • Worms
  • Trojans
  • IoT (Internet of Things)
  • Crypto-jacking


Malware

Definition: Malware (a portmanteau for malicious software) is any software intentionally designed to cause damage to a computer, server, client, or computer network.

During Q2 2018, the VPNFilter malware reportedly infected more than half a million small business routers and NAS devices, and malware is still one of the top risks for SMEs. Because such malware can exfiltrate data back to the attackers, businesses are at risk of losing sensitive information such as usernames and passwords.

Potentially these attacks can remain hidden and undetected. Businesses can overcome these styles of attacks by employing an advanced threat prevention solution for their endpoints (i.e. user PCs). A layered approach with multiple detection techniques will give businesses full attack chain protection as well as reducing the complexity and costs associated with the deployment of multiple individual solutions.


Worms

Definition: A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it.

Recent attacks, including WannaCry and Trickbot, used worm functionality to spread malware. The worm approach tends to make more noise and can be detected faster, but it has the ability to affect a large number of victims very quickly. For businesses, this may mean your entire team can be impacted (spreading to every endpoint in the network) before the attack can be stopped.

Approximately 20% of UK businesses that had been infected with malware had to cease business operations immediately resulting in lost revenue.

Internet of Things (IoT)

Definition: The Internet of things (IoT) is the network of devices, such as vehicles and home appliances, that contain electronics, software, actuators, and connectivity.

More devices are able to connect directly to the web, which has a number of benefits, including greater connectivity, meaning better data and analytics. However, various threats and business risks are lurking in the use of these devices, including data loss, data manipulation and unauthorised access to devices leading to access to the network, etc.

To mitigate this threat, devices should have strict authentication, limited access and heavily monitored device-to-device communications. Crucially, these devices will need to be encrypted – a responsibility that is likely to be driven by third-party security providers but should be enforced by businesses as part of their cyber-security policies and standard operating procedures.


Cryptojacking

Definition: Cryptojacking is defined as the secret use of your computing device to mine cryptocurrency. Cryptojacking used to be confined to the victim unknowingly installing a program that secretly mines cryptocurrency.

With the introduction and rise in popularity and value of cryptocurrencies, cryptojacking emerged as a cyber-security threat. On the surface, cryptomining may not seem particularly malicious or damaging; however, the costs that it can incur are. If the cryptomining script gets into servers, it can send energy bills through the roof or, if you find it has reached your cloud servers, can hike up usage bills (the biggest commercial concern for IT operations utilising cloud computing). It can also pose a potential threat to your computer hardware from overloading CPUs.

According to a recent survey, 1 in 3 of all UK businesses were hit by cryptojacking, with statistics rising.

Mitigating the risk 

With these few simple and easy steps you can make a good start in protecting your business:

  • Education: At the core of any cyber-security protection plan, there needs to be an education campaign for all in the business. They must understand the gravity of the threat posed – regular training sessions can help here. And this shouldn’t be viewed as a one-off box-ticking exercise then forgotten about. Having rolling, regularly updated training sessions will ensure that staff members are aware of the changing threats and how they can best be avoided.
  • Endpoint protection: Adopt a layered approach to cyber security and deploy endpoint protection that monitors processes in real time and seeks out suspicious patterns, enhancing threat hunting capabilities that eliminate threats (quarantine or delete), and reducing the downtime and impact of attacks.
  • Lead by example: Cyber-security awareness should come from the top down. The time is long gone when cyber-security was the domain of IT teams. If you are a business stakeholder, you need to lead by example by promoting and practicing a security-first mindset.


SPHERE invests in knowledge training…

This course is specifically designed to improve your skills as an information security manager. Using O-ISM3 as a framework, you will master process management, and you will be able to:

  • Prioritize security efforts using business significant criteria
  • Communicate the value that Information Security Department brings to the organization
  • Design, implement and use information security metrics proven in the field, enabling short cycle continuous improvement
  • Simplify ISO27001 compliance
  • Complement ITIL security
  • Manage outsourced security services with SLA’s
  • Implement TOGAF and SABSA architectures.

O-ISM3 is an information security management maturity standard published by The Open Group, a leader in the development of open, vendor-neutral IT standards and certifications.

SPHERE, and other organizations like the Swiss Armed Forces, the National Bank of Panama and Bankia use O-ISM3. Our student, Pedro Valcárcel, a professional with 15 years’ experience in security said about the course: “This course opened my eyes. I wish I had taken it sooner”

Trainer Profile
Vicente Aceituno is the Senior Information Security Manager of SPHERE. He is leader of the standard Open Information Security Management Maturity Model; he has broad experience in outsourcing of security services and research. His focus is information security outsourcing, management and related fields like metrics and certification of ISMS.

Mark your calendar

London Course – Monday 12th to Wednesday 14th December 2016

What you will learn:

  • Deep understanding of complex security and management concepts
  • Alignment of security objectives with an organization’s mission
  • Classifying and setting requirements for information systems that satisfy security objectives
  • Communication of the value of information security
  • Access control management concepts
  • Implementation of security processes
  • Process management activities
  • Design, implementation and use of information security metrics
  • Understanding of the relationship between metrics, management practices, capability and maturity
  • Techniques for visualization of security metrics
  • Understanding of distribution of responsibilities concepts
  • ISM3-RA Risk Assessment
  • Management of Outsourced Security processes.

Course Outline

Day 1 – 9:00 – 17:00

  • Concepts: You will gain a deeper understanding of complex security concepts.
  • Assets & Goals: You will be able to set security objectives aligned with your organization’s mission, and you will be able to communicate what is the value that the information security department brings to the organization.
  • Security Objectives: You will be able to set requirements for information systems that satisfy security objectives.
  • Access Control: You will gain an understanding of the management ramifications of access control.
  • Classification of Systems: You will be able to prioritize efforts using business significant criteria for systems classification.
  • Activities & Deliverables: You will gain an understanding of the relationship between activity and achievement of goals.
  • Bottom-up Process Implementation: You will learn how to apply O-ISM3 to processes under your own responsibility.
  • Top-down Security Program: You will learn how to apply O-ISM3 when you have support from top IT management.

Day 2 – 9:00 – 17:00

  • General Processes: You will familiarize yourself with auxiliary but essential processes.
  • Strategic Processes: You will familiarize yourself with processes related to goals definition and provision of resources.
  • Tactical Processes: You will familiarize yourself with processes related to continuous improvement and resource distribution.
  • Operational Processes: You will familiarize yourself with technical hands-on processes.
  • Management Practices: You will learn the basics about process management activities.
  • Metrics: You will learn in detail how to design, implement and use information security metrics.
  • Maturity: You will become familiar with the relationship between metrics, management practices, capability and maturity.
  • Reports, Dashboards & Visualization: You will learn how to make the best of metrics, enabling interpretation and communication.

Day 3 – 9:00 – 17:00

  • Security Organization: You will understand how the distribution of responsibilities makes processes tick, and how to avoid related risks.
  • Security Modelling: You will gain a working knowledge of advanced security models.
  • O-ISM3-RA: You will learn to perform a simple yet meaningful Risk Assessment.
  • ISO27001: You will learn how to make O-ISM3 help you with ISO27001 compliance.
  • IT Architecture: You will learn how to use O-ISM3 effectively with SABSA and TOGAF.
  • ITIL & SLA’s: You will learn how to complement ITIL with O-ISM3, and how to design SLAs in order to manage outsourced security processes.
  • Certification: You will peek at O-ISM3’s certification process.
  • Techniques & References: You will learn general security techniques in order to treat security threats.
  • Recapitulation: You will look back at the last three days highlighting the most important ideas and concepts.

Who should attend
This course is designed for security professionals who hold, or aim to acquire, management-level responsibilities in their organizations.

Student/Instructor ratio
The maximum number of students is 10.

Book now
Contact for details.