Now more than ever, businesses both large and small must proactively maintain their cyber security to prevent data breaches and the high costs that come with them. According to the UK National Cyber Security Centre, there were three times as many ransomware attacks in the first quarter of 2021 alone as in the whole of 2019.
With the cost of cybercrime hitting a jaw-dropping $6 trillion in the global economy in 2021, prevention has become a key theme in 2022.
Gartner predicts that by 2025, 60% of organisations will use cybersecurity risk as a "primary determinant" when choosing who to conduct business with. So, your cyber defences will affect not only your internal security but also your future growth plans.
So, what attacks should you be aware of and what defences can you toughen up to deter those hackers and keep your data safe?
1. Social engineering
Social engineering uses your personal information to attack.
The attack: The attacker will research you and use information you have provided online, such as social media posts, personally identifiable information (PII), contacts, location data, billing information, education and employment history.
The defence: You need to be in control of your data.
- Providing regular cyber security training to ALL your employees will keep them aware of social engineering indicators such as an unusual sender address, poor language in emails, and requests for sensitive information.
- Check the permission and privacy settings of any software or apps you use: disable location data and do not provide any PII.
2. Phishing, vishing, smishing
These are delivery methods for an attack that use time pressure and emotion in an email or message. This makes us react before thinking by triggering a fight-or-flight response.
The attack: They want you to share personal details such as passwords and bank details, open malicious links, or send money to them.
- Phishing: This usually happens in emails or messages impersonating big names. It often includes a link for you to click. 95% of all cyber-attacks include phishing.
- Spear phishing: This is a message curated just for you as a targeted and researched attack.
- Vishing: This is impersonation by voice, via voice messages or phone calls, that tries to steal identities.
- Smishing: This happens via a text message containing a link, which harvests your data.
The defence: Firstly, take 5 minutes to STOP fraud before actioning anything. Make sure you have an email security solution, such as Mimecast, to stop business email compromise.
- Always use the official contact details for the sender or company if you need to contact them.
- Always check the sender's full address, and ask yourself whether you were expecting the message and whether the request is out of the ordinary.
- Think before you click links or open attachments that look unfamiliar.
- Use a search engine to see whether someone has previously flagged the message or text as malicious.
- Use an 'I will never' list. For example, 'I will never give out a PIN code via this device.'
- Report any spam or suspicious-looking emails to your IT team or email security provider.
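The phishing indicators listed above (sender address that does not match the name it claims, a Reply-To that goes elsewhere, pressure language, links that say one thing and go to another) can be checked mechanically before anyone clicks. The following is an added example, not code from the original article or from any vendor it names; the trusted domains, the two email messages and the urgency word list are constructed for illustration, and a real mail filter would use a much larger word list and a proper lookalike-domain database.

```python
"""
Heuristic phishing indicator check over raw email text (added example).
Both messages below are constructed; no real domains are involved.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical domains this organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"example-bank.com", "ourcompany.example"}

# Time-pressure / emotion phrases typical of phishing (constructed sample list).
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours",
                 "account will be suspended", "verify now")

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    # Plain Levenshtein distance; enough to catch one-character swaps like examp1e.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    """True if domain is close to, or embeds, a trusted domain without being one."""
    if domain in trusted:
        return False
    return any(_edit_distance(domain, t) <= 2 or t in domain for t in trusted)


def phishing_indicators(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable indicators found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    # 1. Display name names a trusted brand, but the address is not that brand's domain.
    for t in trusted:
        brand = t.split(".")[0].replace("-", " ")
        if brand in name.lower().replace("-", " ") and from_domain not in trusted:
            found.append(f"display name '{name}' but sender domain '{from_domain}'")
            break

    # 2. Sender domain is a lookalike of a trusted one.
    if is_lookalike(from_domain, trusted):
        found.append(f"lookalike sender domain '{from_domain}'")

    # 3. Replies would go to a different domain than the one shown in From.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:
        found.append(f"Reply-To domain '{_domain(reply)}' differs from From")

    # 4. Pressure language in subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        found.append("pressure language: " + ", ".join(hits))

    # 5. Link text shows one host while the real target is another.
    for href, visible in LINK_RE.findall(text):
        real_host = urlparse(href).hostname or ""
        shown = HOST_IN_TEXT_RE.search(visible)
        if shown and shown.group(0) != real_host:
            found.append(f"link text shows '{shown.group(0)}' but goes to '{real_host}'")
    return found


# Constructed sample messages (not real mail).
PHISH = """From: Example Bank Security <alerts@examp1e-bank.com>
Reply-To: recover@mailbox-attacker.example
To: finance@ourcompany.example
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>Verify now within 24 hours: <a href="http://login.mailbox-attacker.example/x">https://example-bank.com/login</a></p>
"""

LEGIT = """From: Payroll <payroll@ourcompany.example>
To: finance@ourcompany.example
Subject: March payslips available
Content-Type: text/plain

Payslips for March are in the HR portal as usual.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(sample) or "no indicators")
```

Run against the constructed phishing sample, all five indicators fire; the payroll sample produces none. A single indicator is not proof of phishing, which is why the function returns the list rather than a verdict: the "report to your IT team" step above is where a human decides.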
3. Account security
Passwords. They might be simple to you, but 59% of people reuse the same password, according to SpyCloud. Reused passwords are easy to remember, but also exceptionally easy for hackers to exploit.
The attack: Bad passwords are the easiest way to compromise a system.
The defence:
- Use a password manager where you can store, generate and recall all your passwords. Trusted password managers include Google password manager, Apple Keychain, NordPass and Bitwarden.
- Use Multi-Factor Authentication (MFA) for the things you care about the most. Microsoft can vouch that 99.9% of attacks can be prevented with MFA. Even if your password is compromised, criminals still cannot access your account.
Keep 3 passwords outside of your password manager (email, password manager, MFA account) so that you never lose access completely!
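The breach check listed in the resources below (Have I Been Pwned) works without ever sending the password anywhere: the client hashes the password with SHA-1 and sends only the first five hex characters of the hash; the service returns every known breached hash suffix with that prefix, and the client does the final comparison locally. The following is an added example of that exchange, not code from the original article or from Have I Been Pwned; the range response in `fake_fetch_range` is constructed for offline use and the counts in it are invented, while `fetch_range_live` contacts the real `api.pwnedpasswords.com/range/` endpoint and is assumed to be used only where network access is acceptable.

```python
"""
Password breach check using the k-anonymity range protocol (added example).
Only a 5-character hash prefix leaves the machine; the match is done locally.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def sha1_prefix_suffix(password):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent
    and the 35-char suffix that is kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Return how many times the password appears in the range data, 0 if never.
    fetch_range(prefix) -> response text; injected so the check can run offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix):
    """Real network fetch (assumed acceptable for the caller's environment)."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the service. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so prefix 5BAA6 gets a response
# containing its suffix; the count and the other suffixes are invented.
_FAKE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "00000000000000000000000000000000001:2",
        "",
    ]),
}
_DEFAULT_RANGE = "00000000000000000000000000000000001:2\n00000000000000000000000000000000002:1\n"


def fake_fetch_range(prefix):
    return _FAKE_RANGES.get(prefix, _DEFAULT_RANGE)


if __name__ == "__main__":
    for candidate in ("password", "Not-in-the-constructed-sample-9f2"):
        n = breach_count(candidate, fake_fetch_range)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not in sample data")
```

The design point is the injected `fetch_range`: the same `breach_count` runs against the constructed data here and against the live service in production, and in neither case does the full hash, let alone the password, leave the machine.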
4. Secure connections
You are most at risk when using public Wi-Fi and insecure websites; in fact, 1 in 4 Wi-Fi hotspots are insecure.
The attack:
- Tampered Wi-Fi access points can use the same names as free Wi-Fi hotspots and listen in to your phone calls.
- Websites that do not use HTTPS in the address send whatever you enter unencrypted, so don't enter data into them.
The defence:
- Use a secure VPN, which acts as an encrypted tunnel across the network.
- Use your cellular data when out and about rather than free Wi-Fi.
- Use HTTPS websites; the encrypted connection is an added layer of security.
5. Malware
Malware interferes with the normal function of software and hardware; it includes viruses and can infect any device.
The attack: The most common attack is ransomware, where hackers seize control of computer systems using malicious code. Often hackers will demand you pay a ransom to get your data back.
The defence: Keep devices updated.
- Only install apps from official app stores.
- Turn on automatic updates so you are always running the latest software version.
- Back up important data in the cloud.
6. Internet of things (IoT)
This applies on a more individual level. We all have smart devices in our homes, whether it is an Alexa, a smart fridge or a coffee machine. The number of connected devices (IoT) is forecast to hit 18 billion by 2022, so the opportunity for hackers is enormous.
The attack: Smart devices can be infected with bot malware.
The defence:
- Always read security reviews before buying a device and only buy from trusted companies.
- Change the default passwords on your devices and router to make that first line of defence very tough.
- Ensure you have a firewall or that it is switched on to secure your network.
- Use MFA on your devices.
- Take work calls in a secure location where no prying devices could be listening.
Prevention is the key to reducing the risk of a cyber breach. By investing in cybersecurity software, using a VPN, and being aware of the common attack methods, businesses can continue to operate without interruption, whilst having strong defences in place to reduce any risk. If you are a victim of any fraud, please report it to Action Fraud.
There are lots of actions to take in order to ensure your business is fully equipped with the best defences in place. Review your strategy and invest in protection and security before it is too late. Get the experts in and achieve the government-recognised Cyber Essentials Plus certification. Performing email phishing assessments, internal and external penetration testing, and web app testing will give you insight into how strong your protection is and where it can improve. Train your people using simulations and email security awareness training so they are prepared if a breach were to occur.
We can help you with all of this. Get started today.
___________
Resources
Action Fraud. https://www.actionfraud.police.uk/
UK National Cyber Security Centre. https://www.ncsc.gov.uk/
NCSC advice: Mitigating malware & ransomware attacks: https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks#stepsifinfected
Report a phishing email to: report@phishing.gov.uk
Report a smishing Text message: forward the message, phone number or company name to 7726. This is a free service.
Password strength check: https://howsecureismypassword.net/
Password breach check: https://haveibeenpwned.com/
Government Code of Practice for Internet of Things (IoT) devices: https://www.gov.uk/government/publications/code-of-practice-for-consumer-iot-security