Security researchers at Rapid7 have found that 88% of FTSE 250+ organisations have insufficient anti-phishing defences (i.e. DMARC) in the public email configuration of their primary email domains.

The finding is part of their third Industry Cyber-Exposure Report (ICER) examining the overall exposure of the companies listed in the FTSE 250 index.

The report also found that:

  • FTSE 250 companies are, on average, exposing a public attack surface of 35 servers/devices, with many companies exposing over 1,000 systems/devices
  • SSL/TLS security is not enforced on the primary websites of 19% of FTSE 250+ organisations
  • organisations in every sector have serious issues with patch/version management of business-critical internet-facing systems

The vast majority of organisations in the UK rely on digital technology to function. Good cyber security protects that ability to function and ensures organisations can exploit the opportunities that technology brings.

Boards must understand that cyber risk should be managed in the same way as any other business risk, such as physical security or financial risks.

The NCSC has published a Board Toolkit to encourage essential cyber security discussions between Boards and their technical experts.

FBI warns users to be wary of phishing sites abusing HTTPS

This week the FBI issued a warning that too many web users view the padlock symbol and the ‘S’ on the end of HTTP as a guarantee that a site is trustworthy.

The alert notes that phishing attackers are more frequently incorporating website certificates – third-party verification that a site is secure – when they send potential victims emails that imitate trustworthy companies or email contacts.

People can carry out additional checks for trustworthiness, beyond looking for a padlock, such as checking for poor grammar, punctuation and spelling, or odd requests for information (such as your mother’s maiden name).

The NCSC has published guidance on how to spot and deal with phishing emails.

You may also want to read an NCSC blog post published last year about always using HTTPS – remember, using HTTPS doesn’t make you completely secure, but not using it does make you unsecure.

If members of the public think they have been a victim of online crime, they can report a cyber incident using Action Fraud’s online fraud reporting tool any time of the day or night, or call 0300 123 2040. For further information visit

Microsoft warns of email campaign exploiting an old bug

Microsoft’s Security Intelligence team has warned of an active malware campaign in which emails in European languages distribute RTF files that carry the CVE-2017-11882 exploit.

The campaign exploits a vulnerability which the company fixed and issued a patch for back in 2017. The flaw reportedly affected all versions of Microsoft Office, Microsoft Windows and architecture types dating back to 2000.

The vulnerability allows attackers to automatically run malicious code without requiring user interaction.

Organisations and individuals should apply Microsoft’s security patches as soon as possible.