Cyber risk is now very high on the threat matrix for many SMEs. More than just hacking, it involves internal and external risks, product risk, third-party risk and aggregate risk. We've put together the top 7 cyber threats for businesses.
Cyber risk is much more than just hacking, comprising internal and external risks, product risk, third-party risk and aggregate risk, such as service provider and supplier failure, human error, software obsolescence, and internet and network interruptions.
Cyber risk is commonly defined as an exposure to harm or loss caused by data breaches or cyber attacks.
On one hand, the pandemic has accelerated the use of digital channels to buy and sell goods, making businesses even more reliant on technology to run their operations and deliver their products. On the other hand, while this brings clear advantages, it also means they are increasingly exposed to systems failures, data losses and cyber attacks, and also offers cyber criminals the opportunity to develop new types of social engineering attacks by taking advantage of the emerging environment and the large numbers of organisations adopting home working policies.
In essence, the scale and sophistication of cyber crime continues to grow, and SMEs are a prime target for cyber criminals as they are seen as more resource-limited and generally with less technically-aware employees than larger enterprises.
According to the National Cyber Security Centre [NCSC], SMEs face a 1 in 2 chance of experiencing a security breach, and statistics from the UK Government’s 2020 Cyber Security Breaches Survey reveal that 46% of UK SMEs experienced a cyber breach in 2019 at an average cost of £3,230. Considering the number of SMEs operating in the UK (around 5.9 million), a simple calculation gives a financial loss of £8.8 billion for this entire sector.
The cyber risk ecosystem is pretty complex and involves many players and aspects. Organisations of all sizes and sectors have been or will be impacted by cyber risks, and whilst this threat is well publicised, it is not always well understood.
All businesses are now connected to the internet: emailing customers, searching the internet, or paying suppliers are just some of the ways businesses interact online.
At the same time, the cyber landscape is also evolving with cyber criminals looking for new ways of penetrating IT infrastructures and capturing sensitive data.
Vigilance is critical and this can seem particularly daunting to SMEs who typically do not have large IT departments and budgets. This is the reason why SMEs are becoming the prime target for hackers.
Building effective defences against emerging cyber risks would help businesses avoid the negative impact of reputational damage, business interruption losses, and fines and penalties due to a lack of GDPR compliance.
1. Phishing
Phishing activities are extremely common and used by hackers to acquire sensitive information such as usernames, passwords, and credit card details directly from users. Phishing is typically carried out by email spoofing or instant messaging, and often misleads users to enter details on a fake website, which looks very similar to the legitimate one. In most cases, the fake website requests personal information, such as login details or passwords, that will be used to access the individual's account on the real website. By gaining a victim's trust, phishing can be classified as a form of social engineering.
Many organisations are reporting a growing volume of sophisticated phishing scams and ransomware attacks using coronavirus references as a hook to encourage employees to click on email links or attachments infected with malware.
2. Ransomware
Ransomware is becoming increasingly sophisticated and impactful, increasing business interruption costs. Ransomware comprises a series of malware where the data on a victim's computer is locked, typically by encryption, and payment is required before there ansomed data is decrypted and access returned to the victim. Payment is often demanded in bitcoin to protect the cybercriminal's identity.
Ransomware malware can be spread through malicious email attachments, infected software apps, infected external storage devices and compromised websites.
Very often, the decision about whether or not to pay a ransom is heavily dependent on how well an organisation has backed up its data, and the potential business interruption that may result.
3. Malware and Malicious Software
Malware that can spread through communication networks is a long-established cyber threat. Recent events have shown that malware remains a powerful trigger for data and financial loss. Some widespread cases, such as WannaCry and NotPetya, showed that contagious malware is able to scale up and to cause systemic loss to thousands of companies connected to the affected system.
4. Wi-Fi Hotspots
It is very common to connect devices (tables, smartphones, PCs) to public Wi-Fi hotspots in bars, co-working offices, on public transport, etc. Unfortunately, data sent through public Wi-Fi networks can easily be intercepted, putting the security of your data at risk, as well as your digital identity and money. In addition, if there is no security or updated anti-malware software on your devices or computer, the risks are even higher. This is a type of social engineering attack, which starts at home or in public areas, but which people easily and naively bring to their workplace.
5. System Failure and Networks
The use of internet connections by businesses and their employees, suppliers and customers exposes the potential targets to cyber risks, such as the manipulation of IT systems, attacks on company websites, etc. Good housekeeping practices, such as regular updates of IT networks and computers, and a structured cyber security plan could really protect organisations from security risks or potential cyber attacks.
6. Data Breaches
Data breaches refer to security incidents where sensitive, protected or confidential information is seen, copied, stolen or used by unauthorised parties. Data breaches are becoming more frequent, and the size and cost of successful breaches is mounting. Generally, data breaches occur for 2 main reasons:
Hackers often target individuals responsible for sending payments and requesting money transfers, tax records and/or other sensitive data (e.g. passwords) or take aim at the content of the recipient’s inbox, harvesting client and employee information, including personal data. They may also target confidential corporate information motivated by monetary gain. Very often human error and behaviour is a significant driver for data breaches, for example, it is still very common for employees to use weak passwords or the same passwords across multiple applications.
7. Cloud Computing
Cloud computing is being adopted rapidly. The failure of a cloud service provider, while very unlikely, represents a potential cyber vulnerability. Failures of individual services or availability regions have the potential to cause losses to thousands of users.
So, what can SMEs do to reduce the risk of becoming victims of a cyber attack and prevent unauthorised access to the personal information they store online and access digitally?
Top Tips
Cyber Risk Management. Quick, intuitive and simple.
Unfortunately, many businesses are still unprepared when it comes to managing cyber risk and understanding their vulnerabilities. For example, not every organisation has dedicated resources and experts available for targeted monitoring and detection of cyber attacks.
But there are tools available on the market which are affordable, not invasive, and can help any organisation rapidly identify cyber risk vulnerabilities. In this age of digital disruption, there is a clear need for businesses to continuously be on the look-out for cyber threats, especially because it is possible to identify cyber risk before a cyber attack, data breach or business interruption actually happens.
By simply providing your domain, a cyber risk management tool can undertake immediate screening and instantly provide a report detailing the company’s cyber risk exposure.
As part of CRIF, a global tech company, we're always working to support our Credit Passport community by bring the best solutions to safeguard businesses. Within the CRIF group we have a great product focussed on protecting business like yours from cyber threats. Find out more here.
