Companies of all sizes are
changing the nature of their business
and how they engage with their customers by increasingly
embracing digital technology and data. This can result in a company’s digital assets becoming the most valuable assets of the business. The risk of those assets being lost, stolen or destroyed then becomes an important business issue. The company’s cyber risk profile also changes profoundly.
The cyber threat landscape is constantly changing. In fact, change and the spread of new threats are the only constants. Malicious attacks are increasing but accidental disclosure and human error risk cannot be forgotten either. Each year, several reports are produced by the UK Government, and by various companies and industry bodies, about cyber risk and cyber losses suffered by UK industry.
Certain trends in the main sources of cyber threat are usually evident in these reports. One useful source of information is the cyber insurance industry. Below, we provide our thoughts on 5 common cyber threats to SMBs and a brief explanation of each.
1. RANSOMWARE / EXTORTION
Because of the high dependency of businesses on systems and data, cybercriminals can successfully extort money by threatening to encrypt, delete, or release data or to disable a network or website that they have already compromised with ransomware.
Ransomware is a form of malicious software (malware), that encrypts your data. The attacker then holds your company to ransom for the release of the data. Most ransomware is delivered via email. Extortion, in the form of ransomware, has been one of the fastest-growing forms of cybercrime in recent years and 2017 saw two worldwide ransomware attacks, ‘WannaCry’ and ‘NotPetya’.
Some victims have chosen to pay the ransom rather than risk losing their IT infrastructure and/or data. Even then, the victim has no guarantee that the ransom payment will be effective and, even if it is, they will still incur costs to fix their systems and data and protect their digital assets.
Social Engineering is a term for techniques attackers use to manipulate someone into providing confidential information or taking other actions that bypass normal security and assist the attacker in committing theft or fraud. It is sometimes referred to as 'hacking the human'. Social Engineering scams have increased dramatically in recent years. The primary means are by phone and by email.
2. DATA BREACH
Data breaches received many headlines in 2018 because of a spate of high-profile mega data breach events involving hundreds of millions of records. A data breach can be caused by hackers, for example, using virus or malware infections or using phishing techniques. Phishing is a form of social engineering in which the attacker, posing as a trusted party, sends an email designed to induce the recipient to share sensitive information such as a username and password, to download malware, or to visit an infected site.
A data breach caused by hackers usually involves the theft of data which has value to the criminal and is therefore worth stealing. However, a data breach can just as easily result from employee negligence.
The incidence of notified data breaches has increased, following the introduction of the GDPR on May 25th, 2018 and its mandatory reporting requirements. This trend is expected to continue as people become more sensitive about the use of their data and more likely to exercise their rights under GDPR.
GDPR fines for non-compliance can be up to €20 million or 4% of global turnover, if higher. The fines, enforcement actions and lawsuits that have been seen so far are regarded as being just the start of a longer-term change in expectations around data privacy and data security.
3. THEFT OF FUNDS
Technology has made it easy for companies to conduct electronic banking. However, this ease has attracted criminals who try to steal money from the company’s bank account. Hackers hack into the target network to gain access to online accounting or banking platforms. If successful, they transfer money from the victim’s account. Some customers have discovered that Banks may not reimburse the money if the company has been negligent in the operation of the bank account.
There has been a sharp increase in the number of sophisticated social engineering attacks since 2017, often taking the form of ‘Business Email Compromise’. Here, a cybercriminal uses compromised email credentials to induce an employee to make an electronic payment to a bank account controlled by the cybercriminal or to transfer sensitive data.
So-called ‘CEO Fraud’ has been a very successful tactic against UK businesses. Here, fraudsters impersonate the CEO or another senior executive and send email instructions to finance department staff asking for the transfer of funds to the criminals’ bank account.
Payroll diversion is a fraud where a cybercriminal phishes for email credentials and changes an employee’s deposit instructions to redirect the employee’s salary to an account controlled by the cybercriminal.
4. VIRUS / MALWARE
Malware is a malicious piece of software or code intended to steal data or credentials, log keystrokes on a keyboard, enable unauthorised access, or otherwise create a risk to the confidentiality, integrity, or availability of data, a network or other computer resources.
Virus and Malware infections have been a threat to SMBs for a long time, but they are still amongst the most frequent reasons why SMBs suffer cyber losses. New Viruses and malware are constantly being released and no anti-malware or anti-virus programmes will give completely effective protection against a brand-new threat that has never been seen before (zero-day threat).
5. NETWORK INTERRUPTION / SYSTEM FAILURE
Network interruption is the term often used to describe an interruption to the business caused by a cyber incident. Often, when a cyber incident happens, it is not immediately clear what the impact will be on the business because of lack of access to data or the systems being offline.
An expert forensic team may be required to thoroughly investigate the incident and establish what business interruption loss is likely. The severity of network interruption losses varies significantly with the company size, industry and duration. The availability of backups is often a key consideration in mitigating the loss that the company will suffer.
CONSEQUENCES OF CYBER ATTACKS
Responding to the incident can be the most difficult and most expensive part of a cyber event. If an attack has compromised a company’s computer network, then IT specialists will be needed to stop the attack, protect against further immediate threats, and establish what has been stolen. The cost of these IT specialists to rebuild systems or data may only be clear after the work is completed.
Limiting reputational damage, notifying clients or customers whose data has been stolen, and offering them identity theft protection solutions, will carry a financial cost. Regulators may also need to be informed and this needs to happen within tight deadlines.
Organisations operating in an increasingly digital and interconnected world have never been more likely to suffer an attack and to incur potentially severe financial consequences. Cyber resilient organisations prepare for the inevitability that their systems and networks will be breached at some time and implement a robust cyber risk strategy.If you are a small business owner and interested to learn how you can create your pathway to peace of mind from cyber risk, check out our pilot educational course, Surviving Cyber – the small business owner’s Pathway to Peace of Mind from cyber risk.
You can register for the course here. If seats on the pilot course are not available at that time, you can join the Surviving Cyber email list to receive ongoing communication from me. I look forward to getting to know you.