A report published last month by the National Cyber Security Centre (NCSC) shows that the number of cyber incidents encountered by UK businesses has not slowed, despite concerted efforts by bodies such as the NCSC to protect them. Criminals are becoming more inventive, regularly finding new ways to harm or defraud businesses, and this is driving the need for a more proactive approach to cyber security.
The annual 'Cyber Threat to UK Business' report 1 details the significant incidents encountered during the 2017/18 financial year and provides case studies in which the actions of a business resulted in successful mitigation.
Top 3 Cyber Threats of 2017/18
Ransomware and Distributed Denial of Service (DDoS) Attacks
Ransomware is a type of malicious program, often delivered by a phishing email or a malicious download opened by an unwitting employee, that encrypts important files so that they cannot be accessed without the corresponding decryption key. Depending on the level of access the employee has, this type of attack can encrypt not only the files on their own computer but also any files on network shares they are able to write to.
A DDoS attack is where a web service is bombarded with traffic, preventing normal function. Targeted companies are usually those that rely on the web for their business, such as those running online games, website hosting suppliers or Software-as-a-Service (SaaS) providers.
Both tactics rely on denying access in order to extort the companies affected: with DDoS, access is denied to the customer, whereas ransomware denies access to the company itself. It is usually easier to recover from a DDoS attack, because once the problematic traffic is filtered or diverted (for example by an upstream scrubbing service) normal service resumes and no data has been lost. Ransomware is more problematic, because properly encrypted files cannot be recovered without the decryption key, and even if the ransom is paid that key may not be provided. The only reliable route to recovery is a recent backup that the ransomware could not reach, so backups should be kept offline or otherwise isolated from the accounts that can modify live data.
Data breaches
The number and scale of data breaches increased again last year, with more high-profile companies and their customers targeted: Yahoo alone admitted that all 3 billion of its user accounts had been affected.
A data breach is not a form of attack in itself but the consequence of many different techniques, some of which need not be particularly advanced to be effective. Among the most common were exploiting unpatched vulnerabilities in out-of-date software and using emails to trick users into giving away their passwords (phishing).
Damage control was also a problem, with sensitive data being stored unencrypted, so that once stolen it could be used immediately. Data that is encrypted at rest, and passwords that are stored only as salted, deliberately slow hashes, are far less lucrative to a thief than data that has not been stored properly.
Attacks like these are specifically after sensitive data such as email addresses, passwords and banking details. Usually this data is then used to commit fraud, sold on to others, or used to send further phishing emails.
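The point about storing data properly is easiest to see side by side. The following is an added example, not code from the NCSC report or from the original article: it builds two small user stores from constructed sample accounts, one holding passwords in plain text and one holding only salted PBKDF2-HMAC-SHA256 hashes, and then checks what a thief who copies each store can read. The function names (`store_plaintext`, `hash_password`, `verify_password`, `breach_leaks_password`, `demo`) and the sample accounts are this example's own assumptions.

```python
# Added example (not from the NCSC report or the original article): the
# difference between a credential store that hands a thief the passwords
# directly and one that stores only salted, slow PBKDF2 hashes.
# The function names and the sample accounts below are assumptions made
# for this illustration.
import base64
import hashlib
import hmac
import os

# OWASP's current minimum for PBKDF2-HMAC-SHA256. A slow hash makes offline
# guessing against a stolen record expensive for the attacker.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def store_plaintext(store, username, password):
    """The 'stored in an unencrypted way' case: the record is the secret itself."""
    store[username] = password


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt per user means two users with the same password get
    different records, so cracking one hash does not reveal the other.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def store_hashed(store, username, password, iterations=PBKDF2_ITERATIONS):
    """Store only the hash record; the password itself is never written."""
    store[username] = hash_password(password, iterations=iterations)


def verify_password(record, password):
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so a mismatch does not leak how many bytes matched."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported record format: " + algorithm)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def breach_leaks_password(store, password):
    """What a thief holding a copy of the store learns: is the password there to read?"""
    return password in store.values()


def demo(iterations=PBKDF2_ITERATIONS):
    """Constructed sample accounts (not real data) placed in both kinds of store."""
    accounts = {"alice": "Winter2018!", "bob": "Winter2018!"}
    plain, hashed = {}, {}
    for user, pw in accounts.items():
        store_plaintext(plain, user, pw)
        store_hashed(hashed, user, pw, iterations=iterations)
    return {
        "plaintext_store_leaks": breach_leaks_password(plain, "Winter2018!"),
        "hashed_store_leaks": breach_leaks_password(hashed, "Winter2018!"),
        "same_password_same_record": hashed["alice"] == hashed["bob"],
        "login_works": verify_password(hashed["alice"], "Winter2018!"),
        "wrong_password_rejected": not verify_password(hashed["alice"], "winter2018!"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows that the plain-text store leaks the password as soon as it is copied, while the hashed store does not, that alice and bob end up with different records despite sharing a password, and that legitimate logins still verify. The iteration count is stored in each record so it can be raised later without invalidating existing users; they are simply re-hashed on their next successful login.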
Compromised supply chains
Cyber threats do not come only from external sources; they can also come from inside your organisation or through the businesses you work with. Third parties with weaker security can be used as stepping stones to infiltrate businesses with stronger security measures, so that the attack arrives over a trusted connection or account rather than at the perimeter, or commercially sensitive information shared with the supplier is stolen from them instead.
These types of attack are particularly problematic because they can be difficult to detect: the activity comes from a connection or account the business already trusts.
A number of businesses fell foul of this kind of attack during 2017/18 when several managed service providers (MSPs), providing outsourced IT, HR and business services, were compromised and their access to customer networks was abused.
Cyber threats such as these can be prevented, or at least have their impact reduced, by adopting basic cyber security measures. The NCSC provides tips and guides for businesses to improve their security, such as the 10 Steps to Cyber Security guide 2 and the Cyber Security for Small Businesses guide 3.
For the three threats described above, the NCSC advises businesses to:
- Ensure critical security patches are installed as soon as possible
- Keep software, drivers and operating systems up-to-date
- Use an always-on antivirus program
- Use application whitelisting (allow-listing) so that unrecognised programs cannot run
- Apply least privilege: give users, devices and services the lowest level of access they need by default
- Use firewalls and segregate your networks so that a compromise in one part cannot spread freely to the rest
- Conduct regular vulnerability scans, ensuring that critical results are actioned
- Require staff to use multi-factor authentication when logging in to services, particularly for remote and administrative access
- Use password managers to discourage weak passwords and password re-use
- Work only with businesses that can demonstrate they apply the same security precautions as you do
Many of these processes and activities can be implemented through ISO 27001, the Information Security Management System standard, which provides structured guidance for implementing internationally recognised, best-practice information security procedures. It helps protect your business from internal and external threats while ensuring employees are aware of their own responsibilities for the security of your company's systems.
To find out more or to speak with one of our experienced Certification Development Consultants, please call 0333 344 3646 or email firstname.lastname@example.org.