Is the digital back door still unlocked?
Cyber security was listed as a top concern in KPMG’s CEO Pulse survey – and both large and small organisations are at risk. So what can you do to prevent a cyber attack?
High-profile cyber attacks make headlines on an almost daily basis in 2021. Cyber criminals have targeted organisations across every industry and sector, sometimes crippling victims’ IT systems and forcing them to pay out huge ransoms to get back online, or see their data returned.
Indeed, the threat is now considered so great that cyber security was listed as CEOs’ top concern in KPMG’s 2021 CEO Pulse survey – ahead of regulatory, tax and supply chain concerns. Given the coverage of such large-scale attacks, you might be forgiven for thinking that cyber attacks or data breaches are things that only happen to larger companies.
However, large and small organisations are equally at risk of suffering a cyber attack.
A perfect storm
There are several reasons for this. The disruption of the pandemic, combined with the establishment of a new remote workforce, has resulted in a surge of sophisticated cyber attacks and breaches. New research shows that 86% of UK cyber security professionals said attacks have increased due to employees working remotely. Similarly, the rush to establish remote workforces has led to organisations inadvertently relaxing security or misconfiguring devices.
These gaps in traditional cyber defences, combined with changing working patterns and employee behaviour that make it more difficult to spot potential attacks, mean that Covid-19 created a perfect storm for cyber attacks. As such, two in five businesses and more than a quarter of charities report having cyber security breaches or attacks in the last 12 months, according to figures from the UK Department for Digital, Culture, Media and Sport (DCMS).
Elsewhere, a lack of expertise is having the greatest negative impact on cyber resilience within small businesses, according to a poll run by Infosecurity Europe. Almost half believe small companies bear responsibility for educating and supporting themselves in becoming cyber resilient.
But when asked how the pandemic has affected their spending on cyber resilience, a quarter of small businesses (24%) have spent less. Only 18% have spent significantly more, while 43% say that ‘little has changed’.
“Smaller businesses must recognise that they are an easy target for cyber crime, because typically they are not well defended and are susceptible to the type of automated attacks that are now taking place,” says Damian Wasey, chief commercial officer at cyber security support firm, Mitigo.
“Many SMEs fall into the trap of assuming that their IT support is looking after their security, when in reality they are not, nor is it reasonable to assume they are. Cyber security and IT support are different jobs, with security now being a separate standalone discipline.
“Any business that holds either their own or their clients’ confidential data (see page 24 for more), that is involved in financial transactions, or relies on technology systems and platforms to operate on a daily basis, provides cyber criminals with an opportunity for payment diversions, data theft and ransom demands,” he adds.
The result of this threat to smaller firms also means they are being squeezed out of supply chains because they cannot satisfy their contractor cyber security requirements. “This is hardly surprising,” says Wasey. “Larger companies are becoming aware that in this connected world, the bad guys are using smaller suppliers to infiltrate their own defences.”
What can you do?
According to the Department for Culture, Media and Sport (DCMS), the most common breaches or attacks in the UK are phishing emails, followed by instances of others impersonating their organisation online, viruses or other malware including ransomware. Where a breach has resulted in a loss of data or assets, the average cost of a cyber attack on a business is £8,460.
This figure rises to £13,400 for medium and large businesses. In addition: “Statistics show that 60% of small organisations go out of business within six months of experiencing a cyber attack, so keeping your business secure is of utmost importance,” says Lisa Ventura, CEO and founder of the UK Cyber Security Association. She says there are a few steps you can take to help protect your business and reduce the risk of a cyber attack.
1. Back up your data
All businesses, no matter what their size, should take regular backups of their important data, and ensure that these backups are recent and can be restored quickly and easily. By doing this you ensure that your business can still function following the impact of flood, physical damage, fire or theft.
2. Protect your business from malware
Malicious software, also known as malware, is software or web content that is designed to harm your business. Viruses, which are self-copying programs that infect legitimate software, are one of the most well-known forms of malware. To help prevent malware from damaging your organisation, you should install and turn on your antivirus software, keep all your IT equipment up to date through patching, control how your staff use USB drives and memory cards, and switch on your firewall.
3. Keep your smartphones and other devices safe
Mobile technology is a critical part of today’s business operations, with more of our data being stored on tablets and smartphones. To help secure your tablets and smartphones, you should switch on password protection, ensure that lost and stolen devices can be tracked, locked, and wiped, keep your device and apps up to date and never connect your devices to unknown Wi-Fi hotspots.
4. Use strong passwords to protect your data
Passwords, if they are implemented correctly, are a free, easy, and effective way to prevent unauthorised users from accessing your devices. When implementing password policies, make sure you switch on password protection, use two-factor authentication, avoid using predictable passwords, and ensure that all default passwords are changed.
5. Prevent phishing attacks
In a typical phishing attack, scammers send fake emails to thousands of people asking for sensitive information such as bank details or containing links to malicious websites. These emails are designed to trick you into sending money, or to steal your details to sell on. There is a limit to what you can expect your users to do, but you can configure your accounts to reduce the impact of successful attacks, check for obvious signs of phishing, report all attacks to the NCSC via [email protected] and check your digital footprint regularly.
Christine Horton is a freelance journalist