The year 2020 put many businesses’ digital transformations into fast forward, and as a result many outgrew their existing information security policies and practices.
Cyber criminals were quick to take advantage and soon began to exploit the new opportunities associated with remote working, video conferencing and VPNs (virtual private networks).
Our cyber security survey of SMEs revealed that, as a result, 75.7% of respondents now feel that their business is more vulnerable to cyber-attack. Worryingly, a notable 10% also admitted that they had no confidence at all in being able to defend themselves from an attack.
So, what kinds of attacks should businesses anticipate?
Phishing attacks use social engineering tactics to manipulate victims into giving away passwords, financial information or other sensitive data. These attacks can be highly sophisticated and can take place over email, phone or text message.
Typical attacks can include criminals pretending to be from IT support, a well-known organisation or even from the victim’s CEO. According to data summarised by Comparitech, the number of phishing attacks doubled over the course of 2020 and there are no signs of this trend slowing down.
Worryingly, Comparitech also pointed out that one-third of those aged over 39 and almost half of those aged 18 to 39 do not understand the term ‘phishing’, which suggests that more education on the subject is required. This is a need that is not yet being met by all businesses. Indeed, our cyber security survey revealed that 54.3% of respondents had not yet received any kind of information security training.
Better training on what phishing attacks are, how to spot them, what should raise the alarm and how employees should report suspicious contact is therefore key for keeping businesses’ information safe in 2021. Businesses should also think about investing in anti-phishing software and running penetration testing in the form of simulated phishing, where the organisation sends out fake phishing attempts to see how employees respond.
Malware covers a whole range of different attacks, from viruses to spyware. Businesses should brace themselves for this kind of attack, particularly as there is a strong upward trend in this form of cyber-crime: according to Comparitech, more than 580,000 new malware variants were discovered during the course of 2020.
The best way to protect against malware is to make sure antivirus and other key software are kept up to date. Our survey revealed that many businesses are doing well on this front, with 84% reporting that their company installs updates as soon as they become available. However, our survey also revealed that 10% of participants do not protect their mobile devices in any way, which means there are still loopholes that criminals can choose to exploit.
Ransomware is when a cyber criminal holds an organisation’s data to ransom by encrypting it or making it inaccessible until a ransom is paid. According to data reported by Comparitech, there were more than 300 million of these kinds of attacks in 2020. The majority of those occurring in the fourth quarter of 2020 (70%) involved threats to release stolen data. As a result, 60% of companies ended up paying the ransom.
This highlights the importance of backing up data so that you can retrieve information that may be destroyed or encrypted. Businesses may also want to think about using dedicated ransomware protection tools.
Vulnerable supply chains
Information security is not just important to address within an organisation. External third parties and suppliers can also introduce weaknesses and vulnerabilities.
Software providers are particularly vulnerable, as demonstrated by the recent Microsoft Exchange hack, which resulted in an estimated 7,000 UK servers being compromised, according to the National Cyber Security Centre.
As a result, organisations should always carefully vet their suppliers, establish clear agreements about security and expected service delivery levels and ensure that any updates are applied quickly.
Information security isn’t just about protecting digital assets. The actual physical security of devices, equipment, servers and paperwork also needs to be considered. In our increasingly digital world, this aspect is often overlooked, but around 10% of malicious breaches are still caused by a physical security compromise. This could be anything from the theft of a laptop to arson.
As a result, businesses in 2021 should continue to think about backing up data, enforcing the use of strong passwords, and ensuring equipment is safely locked away when not in use. These measures should be communicated to remote workers, who should be encouraged to lock their computers while away from their desk and to keep paperwork and other mobile equipment safely hidden away.
This article has highlighted that businesses need to prepare for cyber-attacks from all angles.
If you would like to find out more about how businesses like yours are approaching cyber security in 2021, take a look at our in-depth cyber security survey results.