The top cyber risks facing your business

Written by: Sophie McCarthy. Posted: 29/11/2021

Last year was the busiest on record for corporate cyber attacks – as fraudsters took advantage of gaps in companies’ networks and the rapid introduction of new processes. So what are the biggest cyber risks facing your organisation – and how can you prevent them?

“Cyber crime is the greatest threat to every company in the world.” That was the damning verdict of former IBM Chairman, President and CEO Ginni Rometty in 2015. And that was a long time before the threats and disruption we have seen in recent years.

The world Rometty was referring to was a pre-Covid one. And, in the midst of the pandemic, 2020 was a record-breaking year in terms of cyber attacks on businesses, governments and individuals, according to Forbes.

The statistics are startling: organisations faced a 20% rise in security threats last year versus 2019. In 2020 alone, businesses in the UK faced an average of 686,961 attempts to violate their systems online, equating to an attempted attack every 46 seconds. 

Four in 10 businesses, and a quarter of charities, have reported having cyber security breaches or attacks over the past 12 months.
 
According to Estelle Spiers, Group Head of Operations at Zedra, these shifts can largely be attributed to the speed at which companies had to move to work-from-home strategies. 

“This will have inevitably meant some companies had to take risks to ensure they could still operate,” she says. “The pandemic exposed more areas of potential attack and, with remote and flexible working here to stay, it is vital that any vulnerabilities opened to accommodate home working are closed.” 

Common trends and attacks

1. Ransomware is a form of malware, a catch-all term for any type of malicious software – and the fact the name contains the word ‘ransom’ tells you pretty much all you need to know. It is a form of software that will lock you out of your systems or data until a payment has been made.

“The banking sector has seen a 1,380% year-on-year increase in ransomware attacks just in the first half of 2021,” says Paul Acton, Chief Executive of Sure in Jersey. “And it’s not just an increasing challenge – these attacks are growing in complexity, too.”

2. Extortionware isn’t dissimilar from ransomware. In both cases, company data is accessed and exfiltrated, usually with the ultimate goal of making money. With ransomware, businesses must either pay up or lose access to the stolen data. The difference is that extortionists will often also threaten to publicly release the collected data, putting added pressure on organisations to comply.

3. Denial of service (DoS) attacks are designed to render services inaccessible to legitimate users by overwhelming them with traffic and therefore taking them offline. HSBC suffered one back in 2016, which saw millions of customers unable to log into their accounts for several hours. 

In a distributed denial of service (DDoS) attack, the incoming traffic flooding the victim originates from many different sources, making it effectively impossible to stop the attack by blocking a single source. According to a report by cyber security and network diagnostics firm NetScout, there were 5.4 million of these attacks in the first half of 2021 alone, an 11% increase on the same period last year.

4. Phishing, smishing, vishing and whaling. These dark arts, all forms of social engineering, are carried out over the phone (vishing), email (phishing) or via text (smishing) to trick you into either providing sensitive information – such as passwords, bank or credit card details – or downloading malicious software.

Spear phishing is the most common form of these in corporations. This is where the attack is targeted and personalised in an attempt to steal account credentials or financial information from specific individuals (in the case of CEOs, this is known as whaling).

An employee, for example, could be fraudulently emailed by what they think is one of their colleagues or even their boss – close examination would unearth a nuanced difference in their email address – asking them to transfer money or make a payment. 
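As an added illustration that is not part of the original article, here is one way a mail-filtering check can surface the “nuanced difference” in a sender address described above: it compares the From: domain against the organisation’s trusted domain, allowing for lookalike characters and one or two changed letters, and flags a colleague’s display name appearing on an outside address. The trusted domain, contact name and addresses are constructed sample values.

```python
# Added example (not from the original article): flag From: addresses that nearly
# match a trusted colleague. Domain, contact name and addresses are constructed.
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-finance.com"}                   # constructed sample
KNOWN_CONTACTS = {"ceo@example-finance.com": "Jane Smith"}  # constructed sample

# Character swaps that make a forged domain look right at a glance.
LOOKALIKES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def normalise(domain):
    """Collapse visually confusable sequences so lookalikes compare equal."""
    for fake, real in LOOKALIKES:
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a, b):
    """Levenshtein distance: catches a dropped or swapped character or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header):
    """Return (verdict, reason) for a raw From: header value."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return "reject", "unparseable address"
    domain = addr.rsplit("@", 1)[1]
    if domain in TRUSTED_DOMAINS:
        return "ok", "sender is on a trusted domain"
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == normalise(trusted) or edit_distance(domain, trusted) <= 2:
            return "suspicious", f"{domain!r} resembles trusted domain {trusted!r}"
    # A colleague's name on an outside address is the classic impersonation pattern.
    if display and display.lower() in {n.lower() for n in KNOWN_CONTACTS.values()}:
        return "suspicious", f"display name {display!r} used with external address"
    return "external", "no resemblance to trusted identities"

if __name__ == "__main__":
    for hdr in ("Jane Smith <ceo@example-finance.com>", "Jane Smith <ceo@exarnple-finance.com>",
                "Jane Smith <ceo@example-finance.co>", "Jane Smith <jane.smith@webmail.example>"):
        print(hdr, "->", classify_sender(hdr))
```

Such a check only flags candidates for a human or a quarantine rule; a sender policy such as SPF/DKIM/DMARC alignment remains the authoritative control for forged addresses on your own domain.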

5. Data leaks are where sensitive information is accidentally exposed, so that cyber criminals can gain unauthorised access without effort. There has been no shortage of these in the press in recent years, with Facebook, LinkedIn, BA, Hilton and Marriott all falling foul.

Data leaks are different to the other cyber risks listed above, as they don’t feature an attack per se. Instead, they stem from poor data security practices or accidental action or inaction by an individual. 

How to prevent attacks

“People remain the weakest links of companies,” says Spiers. “Although direct attacks, denial of service and ransomware attacks remain some of the biggest threats, there has been an increase in the targeting of individual employees. One unfocused moment, one careless click of a malicious link or a weak password can have severe consequences.” 

“The more training employees have, the greater their understanding,” says James Kelsh, Head of Information Security at Resolution IT. “The greater their understanding, the more involved they’ll be in the anti-cyber crime drive.” 

Kelsh emphasises the need for tight work-from-home policies, as well as mobile device management and careful consideration when it comes to the cloud.

“Always make sure that when you’re moving infrastructure to the cloud, you’re putting in place the same security controls you would if you were storing data elsewhere. Don’t assume it’s safe.” 

Spiers also stresses the need for simulated attacks in order to understand potential weaknesses.

“Internal IT teams can be too close to the systems to see what the risks might be. But third parties can take on the role of rooms full of cyber criminals and will use the same kind of tactics and software to expose weaknesses.

“It is also important to talk about potential attacks, near misses and even actual attacks. We have seen an increasing openness about this in the media.

“At first, companies that were unfortunate enough to be targeted by criminal activity tried to keep it quiet for reputational reasons, but we’ve recently seen high-profile attacks talked about more openly.

“Sharing experiences and learning from each other is of the utmost importance. Yes, security tools do a good job of stopping threats before they get to individuals, but this can lead to a false sense of security and complacency.”

Planning for an attack

Nichole Culverwell, Director at Black Vanilla, agrees. “If you have a cyber breach or a cyber security issue, you’re going to want to be honest and try and help those affected,” she says.

“And these discussions around how you are going to behave should happen in the planning stages. You want to be having these conversations at board level or with your exec team. Agreeing what you will do ahead of time will mean that if something does happen, you can simply focus on the job of managing the crisis.

“We’ve seen how damaging these attacks can be and often it’s just because they’re behind the curve on communicating. 

“When a cyber breach happens, it’s all hands on deck,” Culverwell continues. “Things are taking place at great speed and people within the organisation are trying to deal with the problem itself. They’re running themselves ragged trying to see how far the breach has gone.

“These sorts of environments are incredibly stressful, and in situations like that we don’t always do everything brilliantly.”

However, much can be done in advance to prepare, she says. “Draft statements. You’ll tweak them, of course, but it’s great to have thoughts on paper ahead of time, and think about the channels you would want to use.

“Is your organisation based across many countries, meaning you have to think about cultural differences in your communication style? Are you dealing with different regulations and laws in those different jurisdictions? You’ll need a spokesperson – who will that be and are they already media trained?

“There’s a lot to think about, but this planning will be much easier if you’re doing it at a time of peace. That’s how I think of it – you’ve got peace time and time when you’re effectively at war.

“And when you’re fighting a crisis, you will have wanted to have done your difficult thinking and have had the difficult discussions when your backs aren’t up against the wall.”
