Police statistics show that more than £190,000 is stolen from victims in the UK every day as a result of cybercrime. New statistics from the Department for Digital, Culture, Media and Sport (DCMS) show that the average cost of a cyber attack on a business has increased by £1,000 since 2018 to £4,180. They also found that over 4 in 10 businesses experienced a cyber security breach or attack in 2018.
It is becoming imperative that business leaders do more to protect themselves against cybercrime. But what is cybercrime?
There are several ways in which your cyber security can be breached; see below for some of the most common forms of cyber-attacks.
Email phishing is the process of a cyber criminal sending an email that claims to be from a legitimate company, asking the recipient to provide sensitive information. The email will typically contain a link that appears to take you to the company’s website; however, the website is a fake. Any information you provide on this website will go straight to the criminals.
A recent victim of email phishing is Jerry Tack from Hampshire. Jerry received an email claiming his TV licence needed paying. He thought that the website he was taken to looked legitimate, so he filled in the online form and updated his phone and bank details. Jerry became the victim of a cyber-attack and the criminals on the other end proceeded to steal a total of £9,900. Unfortunately, Jerry and his wife Carole were then informed by their building society that the stolen money would not be refunded. This is because Jerry willingly handed over his personal information, which gave the criminals access to his bank account. Campaign group Action Fraud said it had received more than 5,000 complaints about the scam, which is being described as “particularly nasty”.
Here are some ways to avoid becoming a victim yourself:
- Think Before you Click!
It is always best practice to hover your cursor over links that you are unsure of before clicking on them. Check that they lead to the place you expect and not a fraudulent website designed to look like a source you trust. Most phishing emails start with ‘Dear Customer’, so be alert if you receive an email like this; rather than clicking a potentially dangerous link, go directly to the company’s website through your browser.
- Verify a Site’s Security
To verify that a website is secure, make sure that the site’s URL starts with ‘https’ and has the small lock symbol shown next to it.
If you click on the small lock icon, you can then see which company applied for the secure authentication certificate; if the name does not match up with the company you know and trust, be very suspicious. HTTPS encrypts the data travelling between your browser and the web server; this means that anyone who intercepts the traffic cannot read it. This protects you against man-in-the-middle attacks. Bear in mind that the lock symbol only shows that the connection is encrypted; a fake website can have one too, which is why checking the name matters.
- Be Wary of Pop-Ups
Most browsers offer the option of a pop-up blocker. However, if one does manage to slip through, do not click on the ‘close’ or ‘cancel’ button, as this can often lead you to a phishing site. It can often be safer to open the Task Manager, select the browser programme (pop-up) and select End Task.
If you have a pop-up that is offering you a free antivirus scan from a company that you do not recognize, it may well be a scam. If you accept the offer of a free scan, these apps will then proceed to scare you into believing your computer is at risk, offering to clean up problems that do not exist in return for money. These pop-ups are often referred to as ‘Scareware’.
Vishing is the same as phishing, but it is carried out by voice. A victim will be contacted by criminals who are looking for details such as PINs, passwords, etc. These criminals quite often already have some sort of information on their victims and are looking for extra details to finish their scam. The criminal will most commonly contact you pretending to be from a bank, trying to discuss an unauthorised transaction with you. They will claim they can stop the transaction, but need you to confirm your bank details or PIN to do this.
Unfortunately, vishing tends to target the vulnerable and elderly, because they tend to have a bigger pot of life savings. Like phishing, due to the way the crime is carried out, it is unlikely the victim will get their money back; the victim is voluntarily handing over their details and authorising someone to carry out activity on their bank account. If you are ever unsure about the legitimacy of the person you are speaking to on the phone, it is always best practice to hang up and call the company they claimed to be from directly. If the call is legitimate, the person on the other end would be completely fine with this.
Ransomware is a type of malware that prevents a user from accessing their computer or personal files until a ransom is paid. Criminals deliver ransomware in different ways, the most common of which are:
- Emails
The recipient is enticed into opening the email’s attachments, such as PDFs or Word documents. The malicious software could also be hidden behind a link in the email.
- Malicious Websites
Websites that contain numerous pop-ups. If you click the ‘cancel’ button or ‘close’ button on the pop-up, the ransomware can start to install on your computer.
In the US, the FBI reported that more than $1 billion was paid to ransomware hackers in 2016; at the time it was the fastest growing cyber threat. Companies can help protect themselves from the effects of a ransomware attack by regularly backing up their data. This means the company will still have access to an up-to-date copy of its data.
Another step companies can take to reduce the risk of a ransomware attack is to filter or block malicious websites that may be harbouring the viruses. A study conducted by beaming.co.uk found that 2.9 million companies were hit by some sort of cyber crime in 2016, at a total cost of £29.1 billion. Ransomware ranked 1st in terms of financial loss for a business (£7,356,060,699); however, it also ranked last in terms of the number of organisations affected (388,858). This shows that although ransomware is not seen as the most common threat among cyber-attacks, it is almost definitely the costliest and most damaging to a business.
Businesses will quite often hang on to old technology and prolong its life to keep costs down. The cost of upgrading their systems is often infeasible, especially for smaller businesses. In the UK, the public sector quite often relies on outdated computer systems.
In May of 2017, the world was hit by a ransomware attack that is estimated to have affected over 300,000 computers across 150 countries. The NHS was the most heavily affected organisation in the UK due to there being many outdated desktop PCs still in use. The attack was made possible because of 15-year-old Windows XP operating systems; Microsoft stopped support for XP in 2014. A patch was released in March 2017 when Microsoft heard about WannaCry, but customers using unsupported versions of XP were still open to attack. Over 19,000 appointments had to be cancelled as a result of the attack, costing the NHS £92m in the resulting clean-up and upgrades. The government has since committed £150m to upgrading its technology systems over the next three years.
How to protect against cyber attacks
The 3 Pillars of Cyber Security
The first step to take towards defending your business from the threat of a cyber-attack is educating the people within your business. People tend to be the weakest area in cyber security; all employees need to be aware of how to handle sensitive data and what they can do to reduce the risk of cyber threats. This includes simple practices like using strong passwords, being careful when opening email attachments and backing up data. Awareness can stop threats such as email phishing and prevent people from clicking dangerous links. Business owners should also make sure to provide their cyber security team with staff training to make sure they are up to date with the latest technologies and practices to fight the latest cyber threats.
Processes are put in place to limit cyber security threats, but also to make sure that a cyber-attack or threat is reported to the right team as quickly as possible, allowing them to eradicate the threat. These processes only work if people follow them as intended. Company processes often need reviewing so that the ever-changing and evolving landscape of cyber-attacks can be dealt with as efficiently and effectively as possible.
If you lost your company laptop or mobile phone, how would you go about wiping the data from the device? Do you have the technology and the processes in place to remotely wipe the device? Much of the technology we use every day is connected to the internet. This means that our data is constantly being collected and passed around servers. This is something to be considered by a business owner when setting up their cyber security.
Firewalls are designed to protect from attacks over the internet by hackers, viruses and worms. Both large enterprises and home networks are affected by these threats. Firewalls increase your network’s security by giving control over the way employees use the internet; this is usually used to block websites that could put your cyber security at risk. Firewalls should always be backed up by antivirus software; you should never rely solely on your firewall. Antivirus software and hardware monitor all incoming and outgoing traffic for viruses, then destroy them and warn of a possible threat to the system. Viruses can be extremely damaging as they can spread to any machine on a computer network; this would be catastrophic for a business network. The following are just a few ways in which viruses can be damaging:
- Make a computer run slowly
- Prevent computers booting up
- Be used to steal personal information
Having no antivirus protection on your system is essentially the same as inviting a criminal into your home.
Encrypt and Backup Data
Businesses risk losing crucial data every day, whether it be from damaged hardware, employee sabotage or acts of God such as a fire or flood at your business premises. Paper copies of data simply do not meet modern day data protection standards. If losing certain data is going to interfere with your business activities, then that data needs backing up. The time taken to back up your data is marginal compared to the weeks or possibly even months that will be needed to recover from a serious loss.
Business owners need to make sure their data is backed up regularly and if possible, in an off-site location for added security.
There is now the possibility of cloud storage to back up your data. Cloud storage is a convenient way to back up your data and can be more economical than keeping physical drives and tapes. It can also help you save on cost as there is no need for expensive on-site hardware, maintenance and IT staff.
As with anything, there are also downsides to cloud-based storage. An example of this is the Indianapolis-based American College of Education, which fired its head of IT in 2016. Unfortunately for the College, their former employee had changed the administrative password for the Google account that stored course material and emails for 2,000 students. A lawsuit ensued, and eventually Williams (the former head of IT) was ordered to pay $248,350 in damages.
With the ever-changing landscape of cybercrime, the worry is not what criminals might target today, it is what they will target in the future. The threat to businesses is increasing every year. According to Hiscox, 55% of UK businesses faced a cyber attack in 2019; up from 40% last year. Thinking that your business is immune is no doubt the first step towards disaster.
Contact The ICC Group to discuss your IT infrastructure security requirements such as secure storage, back up, updates, EOSL support, disaster recovery and secure data destruction to keep your business as safe as possible from cyber crime now and in the future.