By Sarah Knowles, cyber security consultant, Nexor
To focus on what the dangers are right now from a cyber security perspective, and to better equip small businesses and employees, we must acknowledge what the threats once were and how they have changed over time.
In 2016, the National Cyber Security Centre (NCSC) released its report titled Common Cyber Attacks: Reducing the Impact, while the UK Government’s Department for Digital, Culture, Media & Sport (DCMS) also released a paper titled The Cyber Security Breaches Survey 2016.
Both of the reports detailed what a common cyber attack looks like, gave recommendations on what to implement and how to prevent it, and listed the most common forms of attack experienced by UK businesses. At the time these were the top three:
• Viruses, spyware and malware
• Others impersonating an organisation in emails or online
• Denial of service attacks
The Cyber Security Breaches Survey is released annually and the latest threats as of 2020 are listed as:
• Fraudulent emails or being directed to fraudulent websites
• Others impersonating organisations in emails or online
• Viruses, spyware, and malware
It’s clear that two forms of attack have remained in the top three throughout because they are successful and fruitful. With that considered, it’s no surprise that between the two surveys, the number of businesses reporting a cyber breach had almost doubled to 46 per cent in 2020.
The threats outlined in 2020 can all be considered as one type of attack: a phishing attack. A phishing attack can be so detrimental to a small business because the infrastructure to filter such attacks is often lacking, and because employees across the business are much more accessible to attackers and, through lack of training, unable to spot the signs.
A phishing attack is a type of social engineering attack where threat actors masquerade as a trusted entity. This means that the recipient of an email, telephone call or text message is misled into providing sensitive information to someone they think is a legitimate person.
This method of attack is usually accomplished by luring the victim into clicking a malicious link, which can trigger the installation of malware, a ransomware attack or the disclosure of sensitive personal information such as banking passwords and credit card details.
More often than not, it is the simplest attacks that lead to the greatest damage. For small businesses, a successful cyber attack could be detrimental and could potentially end a business.
It’s key then that small businesses refocus and master the basics of cyber security. We have seen that trends in attacks have remained the same as they continue to be successful, so all businesses should put provisions in place to prevent them. The Cyber Essentials scheme was released to guide businesses in their cyber security provisions. The scheme covers the following areas, which should be implemented:
• Firewalls – ensure you have adequate protection at your network perimeter. Make sure your firewall policies are effective and only allow network traffic required for your business
• Malware protection – ensure all your devices have malware protection installed and that this is kept up to date on a regular basis
• Patch management – patching your software to the latest version will prevent cyber attackers from exploiting known vulnerabilities to gain access to your information assets
• Secure configuration – ensure your devices have any unused functionality removed; this includes the removal of unused accounts and software
• Access control – ensure that all the user accounts on your network operate on the principle of ‘least privilege’. This means that your users only have enough permissions to carry out the duties they are assigned
Despite the last year being one of disruption that changed the course of many industries and trends, phishing attacks have only increased, developed and taken advantage of that disruption. It’s likely they are here to stay and will continue to target small businesses across the globe.
Not every single attack is preventable and we may see our defences fail, but if we ensure that the basics are adhered to and mastered, then businesses can make it much more difficult for attackers to succeed. This is more important than ever before as small businesses recover from the impact of the pandemic.