What is cyber risk?
Cyber risk is much more than just hacking, comprising internal and external risks, product risk, third-party risk and aggregate risk, such as service provider and supplier failure, human error, software obsolescence, and internet and network interruptions.
Cyber risk is commonly defined as an exposure to harm or loss caused by data breaches or cyber attacks.
How has the pandemic impacted cyber security?
The pandemic has accelerated the use of digital channels to buy and sell goods, making businesses even more reliant on technology to run their operations and deliver their products. That brings clear advantages, but it also means they are increasingly exposed to system failures, data loss and cyber attacks. It has also given cyber criminals an opportunity to develop new social engineering attacks that exploit the changed environment, in particular the large number of organisations that have adopted home working.
In short, the scale and sophistication of cyber crime continues to grow, and SMEs are a prime target because criminals see them as having fewer resources and less technically aware employees than larger enterprises.
According to the National Cyber Security Centre (NCSC), SMEs face a 1 in 2 chance of experiencing a security breach, and the UK Government's 2020 Cyber Security Breaches Survey found that 46% of UK SMEs experienced a cyber breach in 2019, at an average cost of £3,230. With around 5.9 million SMEs operating in the UK, a simple calculation (5.9 million × 46% × £3,230) puts the loss for the sector as a whole at roughly £8.8 billion.
Who can be involved in a cyber attack?
The cyber risk ecosystem is pretty complex and involves many players and aspects. Organisations of all sizes and sectors have been or will be impacted by cyber risks, and whilst this threat is well publicised, it is not always well understood.
All businesses are now connected to the internet: emailing customers, searching the internet, or paying suppliers are just some of the ways businesses interact online.
At the same time, the cyber landscape is also evolving with cyber criminals looking for new ways of penetrating IT infrastructures and capturing sensitive data.
Vigilance is critical, and this can seem particularly daunting to SMEs, which typically do not have large IT departments or budgets. That is precisely why SMEs are becoming the prime target for hackers.
Building effective defences against emerging cyber risks helps businesses avoid reputational damage, business interruption losses, and the fines and penalties that follow from GDPR non-compliance.
What were the top 7 cyber threats in the last year?
1. Phishing
Phishing is extremely common and is used by attackers to obtain sensitive information such as usernames, passwords and card details directly from users. It is typically carried out by spoofed email or instant message and usually lures the user into entering details on a fake website that closely resembles the legitimate one. In most cases the fake site asks for personal information, such as login details or passwords, which are then used to access the victim's account on the real site. Because it exploits the victim's trust rather than a technical flaw, phishing is a form of social engineering; the tell-tale sign is usually the address itself, since a lookalike site can copy the branding but not the genuine domain name.
Many organisations are reporting a growing volume of sophisticated phishing scams and ransomware attacks using coronavirus references as a hook to encourage employees to click on email links or attachments infected with malware.
2. Ransomware
Ransomware is becoming increasingly sophisticated and impactful, driving up business interruption costs. It is a class of malware that locks the data on a victim's computer, typically by encrypting it, and demands payment before the ransomed data is decrypted and access is returned to the victim. Payment is usually demanded in bitcoin because it is harder to trace back to the criminal.
Ransomware malware can be spread through malicious email attachments, infected software apps, infected external storage devices and compromised websites.
Very often, the decision about whether or not to pay a ransom depends heavily on how well an organisation has backed up its data and on the business interruption that would otherwise result. Paying is no guarantee: the criminals may take the money without supplying a working decryption key.
3. Malware and Malicious Software
Malware that spreads across communication networks is a long-established cyber threat, and recent events have shown that it remains a powerful trigger for data and financial loss. Widespread cases such as WannaCry and NotPetya showed that self-propagating malware, which moves between unpatched machines without any user action, can scale up and cause systemic loss to thousands of organisations at once.
4. Wi-Fi Hotspots
It is very common to connect devices (tablets, smartphones, PCs) to public Wi-Fi hotspots in bars, co-working offices, on public transport and so on. Unfortunately, traffic sent over a public Wi-Fi network can be intercepted by anyone on the same network, or by a rogue access point set up to look like the genuine one, putting your data, your digital identity and your money at risk; anything not protected by an encrypted connection (HTTPS or a VPN) is readable in transit. If a device also lacks security or up-to-date anti-malware software, the risk is higher still. Strictly speaking this is a network attack rather than social engineering, but the habit that enables it starts at home or in public places and is easily and naively carried into the workplace.
5. System Failure and Networks
The internet connections used by businesses and their employees, suppliers and customers expose them to cyber risks such as manipulation of IT systems and attacks on company websites. Good housekeeping, such as regularly updating networks and computers, together with a structured cyber security plan, goes a long way towards protecting an organisation from these risks.
6. Data Breaches
Data breaches are security incidents in which sensitive, protected or confidential information is viewed, copied, stolen or used by unauthorised parties. They are becoming more frequent, and the size and cost of successful breaches is mounting. Data breaches generally occur for two main reasons:
- Data breaches caused by employee negligence (e.g. sharing data with the wrong person)
- Data breaches instigated by attackers exploiting vulnerabilities or through other hacking activity.
Attackers often target the individuals responsible for sending payments, requesting money transfers, or handling tax records and other sensitive data (e.g. passwords), or aim at the contents of the recipient's inbox, harvesting client and employee information, including personal data. They may also go after confidential corporate information for financial gain. Very often human error and behaviour is a significant driver of data breaches: it is still common for employees to use weak passwords, or the same password across several applications, so that a single leaked password unlocks many accounts.
7. Cloud Computing
Cloud computing is being adopted rapidly. An outright failure of a cloud service provider is very unlikely, but it remains a potential cyber risk, and the failure of an individual service or availability region, which happens more often, can cause losses to thousands of customers at once.
How to mitigate cyber risk.
So, what can SMEs do to reduce the risk of becoming victims of a cyber attack and prevent unauthorised access to the personal information they store online and access digitally?
- Back up your data
Back up your data and keep the copy on a separate server, a USB device or, ideally, in the cloud, so that it is stored in a completely separate location. Ransomware and other malware can spread automatically to any storage that is connected, so a back-up that stays attached to the main server offers little protection; keep at least one copy offline or otherwise unreachable from your everyday systems (for a cloud back-up, use separate credentials and enable versioning so that an encrypted copy cannot silently overwrite the good one). Make back-ups part of your everyday business routine, limit who can access them, and periodically test that you can actually restore from them.
- Protect your business from malware and malicious software
Use antivirus software on all PCs, laptops, smartphones and tablets, and keep it updated. Ensure staff do not download third-party apps from unknown vendors or sources.
- Use ‘patching’ to keep all your IT systems up-to-date
Make sure the software and firmware on all your IT equipment is kept up to date with the latest versions from software developers, hardware suppliers and vendors; turn on automatic updates where they are available. Applying these updates is called 'patching' and is vital to improving security.
- Control how USB drives and memory cards can be used
To avoid exposing your company to unnecessary risk, put in place a policy for USB drives and memory cards, which are easily infected with malware. Provide staff with alternative ways to share files, and only allow approved USB drives and memory cards to be used, and only within the business, not externally.
- Activate your firewall
Most operating systems come with a built-in firewall, which filters the traffic between your device or network and other networks such as the internet and blocks unsolicited incoming connections. Make sure it is switched on, on every device and not only at the office router.
- Train your employees and promote cyber security education
Cyber attacks frequently succeed because of human error. It is therefore fundamental to train your staff, running regular internal awareness campaigns so that everyone knows the latest cyber threats and what to expect. This also keeps the whole organisation alert and united against cyber criminals and hackers.
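The back-up step above says to keep the copy where malware cannot reach it and to limit access to it; one way to find out whether a copy has been touched anyway is to record a cryptographic digest of every file when the back-up is taken and compare against that record before relying on the copy. The script below is an added example written for this article, not CreditPassport's or CRIF's code. The directory layout, file names and contents it creates are constructed, and the ransomware step is simulated by overwriting, deleting and dropping files in the copy.

```python
"""Record a SHA-256 manifest when a backup is taken and check it before restoring.

Added example for this article, not code from CreditPassport or CRIF.
The directory layout, file contents and the simulated ransomware step are
all constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large backup sets need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare what is on disk now with the manifest captured at backup time."""
    current = build_manifest(root)
    return {
        # Same path, different content: overwritten (e.g. encrypted in place).
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        # In the manifest but gone from disk: deleted or renamed.
        "missing": sorted(p for p in manifest if p not in current),
        # On disk but never backed up: dropped files such as ransom notes.
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def simulate(workdir: Path) -> dict:
    """Take a backup, record its manifest, let 'ransomware' reach the copy, then verify."""
    backup = workdir / "backup"
    (backup / "accounts").mkdir(parents=True)
    (backup / "accounts" / "ledger.csv").write_text("date,amount\n2020-04-01,3230\n")
    (backup / "contracts.docx").write_bytes(b"PK\x03\x04 constructed sample document")

    # The manifest must live somewhere the backup share cannot write to; here it
    # simply sits outside the backup tree.
    manifest_path = workdir / "manifest.json"
    manifest_path.write_text(json.dumps(build_manifest(backup), indent=2))

    # Simulated ransomware on a still-connected share: one file is overwritten
    # with ciphertext, one is deleted, and a ransom note is dropped.
    (backup / "accounts" / "ledger.csv").write_bytes(os.urandom(64))
    (backup / "contracts.docx").unlink()
    (backup / "README_DECRYPT.txt").write_text("Your files are encrypted. Pay to recover them.")

    return verify_backup(backup, json.loads(manifest_path.read_text()))


def run_demo() -> dict:
    """Run the scenario in a throwaway directory and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        return simulate(Path(tmp))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two design points matter in practice. The manifest has to be stored (or signed) somewhere the backup share cannot write to; a manifest that the same malware can rewrite proves nothing. And this check detects tampering rather than preventing it, so it complements an offline or versioned copy instead of replacing one.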
Cyber Risk Management. Quick, intuitive and simple.
Unfortunately, many businesses are still unprepared when it comes to managing cyber risk and understanding their vulnerabilities. For example, not every organisation has dedicated resources and experts available for targeted monitoring and detection of cyber attacks.
But there are affordable, non-intrusive tools on the market that help any organisation rapidly identify its cyber risk exposure. In this age of digital disruption, businesses clearly need to keep a continuous look-out for cyber threats, especially because cyber risk can be identified before an attack, data breach or business interruption actually happens.
By simply providing your domain, a cyber risk management tool can undertake immediate screening and instantly provide a report detailing the company’s cyber risk exposure.
- Assess. Discover vulnerabilities and cyber risks thanks to an immediate and intuitive report.
- Monitor. Cyber risk alerts warn you of cyber risks as they arise.
- Act. Take immediate actions to stop cyber risk exposure and avoid any business interruption or actual attack.
Can CreditPassport help?
As part of CRIF, a global tech company, we are always working to support our Credit Passport community by bringing them the best solutions to safeguard their businesses. Within the CRIF group we have a great product focused on protecting businesses like yours from cyber threats.