Targets for cyber-attacks
The number of cyber-attacks on businesses increased by 40% in 2014, and this trend is set to continue.
As businesses migrate their data to the cloud, financial data, customer details, and other sensitive information have become targets for cyber criminals.
Attacks can hinder a business’s productivity, harm their reputation, cause them to lose their competitive advantage and impact their revenue.
Examples of recent cyber-attacks on business
United Airlines and American Airlines
In January 2015, nearly 10,000 frequent flyer accounts were possibly compromised when criminals used stolen usernames and passwords to access the accounts, book trips and redeem flight upgrades.
The bookmaker revealed in 2014 that a large-scale data breach in 2010 resulted in the theft of personal details of nearly 650,000 customers.
Staples confirmed that 1.16 million payment cards from their US stores were compromised by malware accessing transaction data between April and September 2014.
SMEs can underestimate the threat of cyber-attacks and often don't believe they're at risk:
of SMEs did not prioritise improvement to online security for future business growth in 2014.
say they're not targets for attacks as they don't have anything worth stealing.
believe they won't suffer any lost revenue from a day's worth of downtime caused by an attack.
SMEs lack the resources or knowledge to defend against an attack.
don't have a plan of action for responding to IT security breaches.
of SMEs think that cyber security is too expensive to implement.
admit they "don't know where to start".
Vulnerabilities occur as:
Flaws in the system which act as passageways for attackers to enter.
Nearly 8,000 software vulnerabilities were found in 2014.
Exploitation of legitimate functionalities by attackers.
User errors where the computer or IT system can be accidentally exposed to attackers.
Weak and common passwords often allow attackers to infiltrate systems easily, without the need for more technical attack methods.
Various tactics are used to exploit these vulnerabilities:
Dupes users into opening an infected email attachment, which injects malware into the computer system. Malware is software designed to damage or disrupt a system and can come in the form of a virus or Trojan horse.
of SMEs were targeted by spear phishing campaigns in 2014 compared to 30% in 2013.
Compromises legitimate websites by injecting malicious code that infects passing visitors when they download the infected software.
were infected by viruses or malicious software.
Extorts victims for money or information in exchange for the decryption of data and removal of malicious software.
increase in ransomware reviewed by Intel Security compared with 2013, for a total of 250,000.
Botnet or Denial-
Attempts to flood a network to disrupt the service and prevent users from accessing it.
of SMEs have suffered a DDoS (Distributed Denial of Service) attack.
Cyber-attacks are highly lucrative, with profits easily made on the black market from selling stolen goods.
Symantec estimated the cost of stolen information on the black market in 2014:
1,000 stolen email addresses
Ready-made toolkits for attacks are also available for budding criminals with little technical knowledge required to run attacks on their own:
1 million verified email spam mail-outs
Drive-by download web toolkit (1-week rental)
Online banking malware
An attack can damage a business's financial health through stolen money and through the recovery process, which can be lengthy and costly. It's estimated that cyber-crimes cost SMEs around £800 million per year.
SMEs lost an average of £3,500 - £7,000 in 2014 (an increase from £300 - £600 in 2013).
£5,000 - £10,000 worth of assets were lost in 2014 (an increase from £150 - £450 in 2013).
Attacks resulting in a data breach and exposure of customers’ confidential information negatively impact customers’ view of the business:
Reputational damage is estimated to cost SMEs £1,600 - £8,000.
In addition to the time required to repair and recover from the attack, some businesses found they've lost their competitive advantage due to the loss of commercially sensitive information.
9% of SMEs suffered from intellectual property theft
14% suffered from loss or leakage of confidential information
Criminals may steal your employees' or customers' personal details, and since it is your responsibility to safeguard this data, such a theft can constitute a breach of the Data Protection Act (DPA).
This could result in compensation to individuals who suffered damage from the breach, or in severe penalties from the ICO (Information Commissioner's Office), which can fine you up to £500,000.
The DPA requires that businesses take "appropriate technical and organisational measures" to prevent unlawful use, theft, destruction or loss of personal data. If your company fails to do so, you could be liable.
Insurance company Staysure.co.uk was penalised by the ICO when attackers accessed customer records in February 2015.
The attackers accessed 100,000 live credit card details and customers' medical details.
More than 5,000 customers had their credit cards used by fraudsters after the attack.
The fine amounted to £175,000.
Educating employees on how to protect sensitive data using security best-practices is crucial to safeguarding your business.
It’s recommended that you consult a network security specialist to give a thorough assessment on protecting your company. Here are some steps you can take right now:
Encourage employees to use strong passwords, refrain from using the same password for multiple logins and change passwords every 90 days.
Always install the latest security updates for software and web applications which will close known vulnerabilities.
Encrypt sensitive data such as employee details and financial accounts.
Update your anti-virus software and firewall as soon as a new version is released to ensure they’re effective against new forms of viruses or malware.
Create “whitelists” that control all traffic through the network by granting access only to certain IP and e-mail addresses, to prevent employees from visiting compromised websites or receiving malicious email.
- Cyber Essentials is a scheme backed and supported by the UK Government and industries to help protect businesses of all sizes against common cyber threats.
- Businesses can also attain a Cyber Essentials badge to advertise the fact that they are following government-endorsed standards for cyber security. To obtain the badge, businesses can carry out a self-assessment to see if they meet the requirements - or they can be independently assessed by accrediting bodies.
- The scheme outlines 5 main procedures that should be implemented for basic protection against cyber-attacks.
Boundary firewalls and internet gateways
Unfortunately cyber-attacks may succeed despite taking preventative measures.
Having a plan in place in the event of a successful attack can limit damage, and safeguarding data should be a priority, especially if that data is crucial to the running of your business:
4 in 10 SMEs say they would struggle to recover from data loss.
1 in 4 SMEs admit they wouldn't be able to recover any data.
Logging and monitoring any suspicious activity can inform you as soon as a breach happens, giving you a chance to respond quickly and limit potential damage. This can be done in-house or outsourced to specialists.
Regularly backing up your data means it can be accessed easily to reduce downtime in the event of a breach. However, there is a risk that you may restore the same vulnerabilities which caused the breach in the first place, so you should consult a specialist beforehand on how to mitigate this.
Consulting a security specialist for a thorough risk assessment and further advice is essential.
You can also:
Have procedures in place which identify and isolate infected systems to prevent further infection.
Establish an incident response team who are trained with the skills and expertise to address incidents.
If your customer database has been compromised, the customers should be directly informed of the breach and advice should be given on what actions they should take, such as changing passwords and checking bank statements.