Why should businesses worry?
of businesses in the UK suffered a cyber attack or breach in 2016, double the number in 2015.
Cyber attacks and breaches cost UK businesses an average of £1,570 per attack in 2016.
Attacks can hinder a business's productivity, harm its reputation and cause it to lose its competitive edge.
Cyber criminals compromised the information of 210,200 Three Mobile customers, using stolen login details from Three employees to access the firm's customer upgrade database in 2016.
Attacks on the telecom company's website in October 2015 caused losses of £42 million. Hackers attacked the site 14,000 times, after a vulnerability was exposed by a teenage boy.
United Airlines and American Airlines
In January 2015, nearly 10,000 frequent flyer accounts were possibly compromised when criminals used stolen usernames and passwords to access the accounts, book trips and redeem
SMEs can underestimate the threat of cyber attacks and often don't believe they're at risk:
of small businesses in the UK suffered a cyber security breach or attack in 2016.
of businesses hit by cyber attacks see cyber security as a low priority.
of small business managers still do not agree that cyber security is a high priority.
Small and micro businesses lack the resources or knowledge to defend against an attack:
do not receive any training on cyber security.
have no formal policies for ensuring cyber security.
have no cyber security measures at all.
Website attacks fell by almost a third in 2016 as cyber attackers turned increasingly to email. This is what a common cyber attack now looks like:
An email is sent disguised as an invoice or bill.
The subject lines of emails containing malware often include words such as 'invoice', 'document' or 'order'.
The user is tricked into downloading an attachment.
The file triggers the installation of malicious software.
When the file is launched, it prompts the user to execute a macro or launches PowerShell to download and execute the final payload.
The user's device is typically infected with ransomware, which encrypts the user's private data.
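The chain above (lure subject line, attachment, macro or script, payload download) is something a mail gateway or help desk can screen for before the attachment is ever opened. The following is an added example, not code from the original page or from any vendor: a small triage rule that flags inbound messages whose subject contains the lure words the text names and whose attachment could run a macro or script. The sample messages, the extension lists and the verdict thresholds are assumptions made for illustration.

```python
"""Added example: triage inbound mail against the invoice/document/order
attack chain described above. Sample data is constructed, not real."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lure words the page lists as common in malicious subject lines
LURE_WORDS = ("invoice", "document", "order")

# Assumed extension lists for this example; tune them to your own mail flow
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".doc", ".xls")      # can carry a macro
SCRIPT_EXTENSIONS = (".js", ".vbs", ".ps1", ".hta", ".bat", ".cmd", ".lnk")  # run directly
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")                        # may hide a script

# "report.pdf.exe": a document extension followed by a second, executable one
DOUBLE_EXT_RE = re.compile(r"\.(pdf|doc|docx|xls|xlsx|txt|jpg|png)\.[a-z0-9]{2,4}$")


@dataclass
class Message:
    sender: str
    subject: str
    attachments: List[str] = field(default_factory=list)


def attachment_risk(filename: str) -> Optional[str]:
    """Return a short reason if the attachment type could launch code, else None."""
    name = filename.lower()
    if name.endswith(MACRO_EXTENSIONS):
        return "macro-capable office file"
    if name.endswith(SCRIPT_EXTENSIONS):
        return "script or shortcut file"
    if name.endswith(ARCHIVE_EXTENSIONS):
        return "archive (may hide a script)"
    if DOUBLE_EXT_RE.search(name):
        return "double extension"
    return None


def triage(msg: Message) -> dict:
    """Classify a message as deliver / review / quarantine with the reasons found."""
    reasons = []
    lure = [w for w in LURE_WORDS if w in msg.subject.lower()]
    if lure:
        reasons.append("lure word in subject: " + ", ".join(lure))
    for att in msg.attachments:
        risk = attachment_risk(att)
        if risk:
            reasons.append(f"{att}: {risk}")
    # A lure word alone is common in legitimate mail; the combination of a lure
    # word and a code-capable attachment is the pattern the chain relies on.
    if lure and len(reasons) > 1:
        verdict = "quarantine"
    elif reasons:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample messages (hypothetical addresses and file names)
    samples = [
        Message("billing@example.test", "Invoice 4471 overdue", ["Invoice_4471.docm"]),
        Message("colleague@example.test", "Lunch on Friday?", ["menu.pdf"]),
        Message("shop@example.test", "Your order", []),
    ]
    for m in samples:
        result = triage(m)
        print(f"{result['verdict']:10} {m.subject!r} {result['reasons']}")
```

The rule is deliberately conservative: a lure word on its own only routes the message for review, because genuine invoices and orders use the same words; it is the pairing with an attachment that can execute code (the step the chain needs) that triggers quarantine.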
Here are some tactics used to exploit cyber security vulnerabilities:
Dupes users into supplying sensitive information by posing as a trustworthy source, such as a bank, commonly used retailer or a personal acquaintance.
of the cyber crimes affecting SMEs were spear phishing attacks.
Compromises legitimate websites by injecting malicious code, which is delivered to passing visitors when they download the infected software.
of cyber crimes affecting SMEs were malware attacks.
Extorts victims for money or private information in exchange for the decryption of data and removal of malware.
$1,077 (approx £830) was the average ransom demand in 2016, up from $294 (approx £226) in 2015.
Attempts to flood a network to disrupt the service and prevent users from accessing it.
of SMEs have suffered a DDoS attack.
Cyber attacks are highly lucrative, with profits easily made by selling stolen goods on the black market.
Here are estimates of the black market value of some commonly stolen credentials:
10,000 AIR MILES
Ready-made attack toolkits are also available, so budding criminals need little technical knowledge to run attacks on their own:
An attack can damage a business’s financial health directly, and the recovery process can be lengthy and costly. It’s estimated that cyber crime costs SMEs around £800 million per year.
Small businesses in the UK lost an average of £740 in direct costs in 2016.
Small businesses in the UK incurred losses of £330 in recovery costs in 2016.
Attacks resulting in a data breach and exposure of customers’ confidential information negatively impact customers’ views of the business:
Reputational damage is estimated to cost SMEs £1,600 to £8,000.
In addition to the time required to repair and recover from the attack, some businesses found they had lost their competitive advantage due to the loss of commercially sensitive information:
of SMEs suffered intellectual property theft.
suffered loss or leakage of confidential information.
Criminals may steal your employees' or customers' personal details; because it is your responsibility to safeguard this data, such a theft can constitute a breach of the Data Protection Act (DPA).
This could result in compensation to individuals who suffered damage from the breach, or severe penalties from the ICO (Information Commissioner's Office), which can fine you up to £500,000.
The DPA requires that businesses take "appropriate technical and organisational measures" to prevent unlawful use, theft, destruction or loss of personal data. If your company fails to do so, you could be liable.
The EU will enforce the General Data Protection Regulation (GDPR) from May 2018, notwithstanding Brexit.
Businesses must be able to prove that any data they hold is protected or face the risk of hefty fines.
As many as 9,000 Tesco Bank customers lost money from their accounts, following a data breach in November 2016.
£2.5 million was stolen from customer accounts in total.
Customers had up to £600 withdrawn from their accounts.
Tesco would face fines of over £1.9 billion if the breach had occurred under the EU's GDPR.
Educating employees on how to protect sensitive data using security best-practices is crucial to safeguarding your business.
It’s recommended that you consult a network security specialist to give a thorough assessment on protecting your company. Here are some steps you can take right now:
Encourage employees to use strong passwords, refrain from using the same password for multiple logins and change passwords every 90 days.
Always install the latest security updates for software and web applications, which close known vulnerabilities.
Encrypt sensitive data such as employee details and financial accounts.
Update your anti-virus software and firewall as soon as a new version is released to ensure they’re effective against new forms of malware.
Create "whitelists" that control all traffic through the network by granting access only to approved IPs and e-mail addresses.
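A whitelist (allowlist) is only useful if something actually checks traffic against it and reports what falls outside. The following is an added example, not code from the original page or from any product it mentions: it applies an allowlist of approved source networks and sender domains to a few constructed log lines and returns every entry that is not on the list, which is the kind of output a small business can review or hand to a specialist. The network ranges, domains and log format are assumptions made for illustration.

```python
"""Added example: audit constructed connection and mail log lines against an
allowlist of approved networks and sender domains. All values are assumed."""
import ipaddress
import re
from typing import List, Tuple

# Assumed allowlist: internal network plus one documentation range for a supplier
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
# Assumed approved sender domains
ALLOWED_SENDER_DOMAINS = {"example.co.uk", "supplier.example"}

# Constructed sample log lines (hypothetical format):
#   "<timestamp> conn src=<ip> dst_port=<port>"
#   "<timestamp> mail from=<address>"
SAMPLE_LOG = """\
2016-11-02T09:14:05 conn src=10.20.3.7 dst_port=445
2016-11-02T09:14:09 conn src=198.51.100.23 dst_port=3389
2016-11-02T09:15:11 mail from=accounts@example.co.uk
2016-11-02T09:15:40 mail from=billing@evil-example.test
2016-11-02T09:16:02 conn src=192.0.2.44 dst_port=443
"""

CONN_RE = re.compile(r"conn src=(\S+) dst_port=(\d+)")
MAIL_RE = re.compile(r"mail from=(\S+)")


def ip_allowed(addr: str) -> bool:
    """True if addr parses as an IP and lies inside an approved network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # a malformed address is never allowed
    return any(ip in net for net in ALLOWED_NETWORKS)


def sender_allowed(address: str) -> bool:
    """True if the part after '@' (case-insensitive) is an approved domain."""
    domain = address.rpartition("@")[2].lower()
    return domain in ALLOWED_SENDER_DOMAINS


def audit(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) for every log line that fails the allowlist."""
    denied = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            if not ip_allowed(m.group(1)):
                denied.append((line, f"source {m.group(1)} not in allowed networks"))
            continue
        m = MAIL_RE.search(line)
        if m and not sender_allowed(m.group(1)):
            denied.append((line, f"sender {m.group(1)} not in allowed domains"))
    return denied


if __name__ == "__main__":
    for line, reason in audit(SAMPLE_LOG):
        print(f"DENY {reason}: {line}")
```

Two design points worth noting: the check uses proper network membership (`ipaddress`) rather than string prefix matching, so "10.0.0.0/8" cannot be fooled by an address that merely starts with "10"; and anything that fails to parse is denied rather than allowed, so a corrupt or unexpected log entry surfaces for review instead of slipping through.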
- Cyber Essentials is a scheme backed and supported by the UK Government to help protect businesses of all sizes against common cyber threats.
- Businesses can attain a Cyber Essentials badge to advertise the fact that they are following government endorsed standards for cyber security. To obtain the badge, businesses can carry out a self-assessment to see if they meet the requirements, or they can be independently assessed by accrediting bodies.
- The scheme outlines five main procedures that should be implemented for basic protection against cyber attacks:
Boundary firewalls and internet gateways
Unfortunately, cyber attacks may succeed despite preventative measures.
Having a plan in place in the event of a successful attack can limit damage. Safeguarding data should be a priority, especially if that data is crucial to the running of your business:
4 in 10 SMEs say they would struggle to recover from data loss.
1 in 4 SMEs admit they wouldn't be able to recover any data.
Logging and monitoring any suspicious activity can inform you as soon as a breach happens, giving you a chance to respond quickly and limit potential damage. This can be done in-house or outsourced to specialists.
Regularly backing up your data means it can be accessed easily to reduce downtime in the event of a breach. However, there is a risk that you may restore the same vulnerabilities which caused the breach in the first place so you should consult a specialist beforehand on how to mitigate this.
Consulting a security specialist for a thorough risk assessment and further advice is essential. You can also:
Have procedures in place which identify and isolate infected systems to prevent further infection.
Establish an incident response team trained with the skills and expertise to address threats.
If your customer database has been compromised, those customers should be directly informed of the breach and advice should be given on what actions they should take, such as changing passwords and checking bank statements.