Having a digital presence exposes businesses of every size and in every sector to multiple cyber threats. Cyber risk is more than just hacking: it involves internal and external risks, product risk, third-party risk, and aggregate risk. The more we move towards digitalisation and technology, the more vulnerable we become to cyber threats.
Cyber risks continue to grow in complexity, but understanding them is the best way to defend your networks and systems, and your business as a whole. As scary as it sounds, there are plenty of common security risks that are both identifiable and preventable.
That's why our partner, credit solutions provider CRIF Realtime* - the creator of Credit Passport® - have helped put together this guide, detailing the top 10 cyber threats for SMEs to keep you informed and prepared.
What is Cyber Risk?
Cyber risk is much more than just hacking, comprising internal and external risks, product risk, third-party risk and aggregate risk, such as service provider and supplier failure, human error, software obsolescence, and internet and network interruptions.
Cyber risk is commonly defined as an exposure to harm or loss caused by data breaches or cyber attacks.
How has the pandemic impacted cyber security?
On one hand, the pandemic has accelerated the use of digital channels to buy and sell goods, making businesses even more reliant on technology to run their operations and deliver their products. On the other hand, while this brings clear advantages, it means businesses are increasingly exposed to system failures, data losses and cyber attacks, and also offers cyber criminals the opportunity to develop new types of social engineering attacks by taking advantage of the emerging environment and the large number of organisations adopting work from home policies.
In essence, the scale and sophistication of cyber crime continue to grow, and SMEs are a prime target for cyber criminals as they are seen as resource-limited, with less technologically-aware employees than larger enterprises.
According to the National Cyber Security Centre [NCSC], SMEs face a 1 in 2 chance of experiencing a security breach, and statistics from the UK Government’s 2020 Cyber Security Breaches Survey reveal that 46% of UK SMEs experienced a cyber breach in 2019 at an average cost of £3,230. Considering the number of SMEs operating in the UK (around 5.9 million), a simple calculation gives a financial loss of £8.8 billion for this entire sector.
Who is involved in a cyber attack?
The cyber risk ecosystem is pretty complex and involves many players and aspects. Organisations of all sizes and sectors have been, or will be, impacted by cyber risks, and whilst this threat is well publicised, it is not always well understood. All businesses are now connected to the internet: emailing customers, searching the internet, or paying suppliers, are just some of the ways businesses interact online.
At the same time, the cyber landscape is also evolving with cyber criminals looking for new ways of penetrating IT infrastructures and capturing sensitive data. Vigilance is critical and this can seem particularly daunting to SMEs who typically do not have large IT departments and budgets. This is the reason why SMEs are becoming the prime target for hackers. Building effective defences against emerging cyber risks helps businesses avoid the negative impact of reputational damage, business interruption losses, and fines and penalties due to a lack of GDPR compliance.
How does GDPR affect cyber risk management?
The General Data Protection Regulation (GDPR), which took effect on May 25, 2018, was developed to give people control of their personal data and create a high level of data protection across the EU that is ‘fit for today’s digital age’. Against the backdrop of the GDPR regulatory environment, the cyber landscape is also rapidly evolving, with cyber criminals becoming ever more sophisticated in identifying new ways of penetrating IT infrastructures.
How severe are the penalties for GDPR non-compliance?
The maximum fine under the GDPR is up to 4% of annual global turnover or €20 million (or equivalent in sterling) for organisations that infringe its requirements. Nevertheless, not all GDPR infringements lead to data protection fines. Supervisory authorities, such as the UK’s ICO (Information Commissioner’s Office), can take a range of other actions, including warnings, reprimands, a temporary or permanent ban on data processing, etc.
What Are the Top 10 Cyber Threats?
1. Phishing
Phishing activities are extremely common and are used by hackers to acquire sensitive information such as usernames, passwords, and credit card details directly from users. Phishing is typically carried out by email spoofing or instant messaging, and often misleads users into entering details on a fake website that looks very similar to the legitimate one.
In most cases, the fake website requests personal information, such as login details or passwords, that will be used to access the individual’s account on the real website. Because it works by gaining a victim’s trust, phishing can be classified as a form of social engineering. Many organisations are reporting a growing volume of sophisticated phishing scams and ransomware attacks using coronavirus references as a hook to encourage employees to click on email links or attachments infected with malware.
2. Ransomware
Ransomware is becoming increasingly sophisticated and impactful, increasing business interruption costs. Ransomware comprises a series of malware in which the data on a victim’s computer is locked, typically by encryption, and payment is required before the data is decrypted and access is returned to the victim. Payment is often demanded in bitcoin to protect the cyber criminal’s identity.
Ransomware malware can be spread through malicious email attachments, infected software apps, infected external storage devices and compromised websites.
Very often, the decision about whether or not to pay a ransom is heavily dependent on how well an organisation has backed up its data, and the potential business interruption that may result.
3. Malware and Malicious Software
Malware that can spread through communication networks is a long-established cyber threat. Recent events have shown that malware remains a powerful trigger for data and financial loss. Some widespread cases, such as WannaCry and NotPetya, showed that contagious malware is able to scale up and cause systemic loss to thousands of companies connected to the affected system.
4. Wi-Fi Hotspots
It is very common to connect devices (laptops, tablets, smartphones) to Wi-Fi hotspots in bars, co-working offices, on public transport, etc. Unfortunately, data sent through public Wi-Fi networks can easily be intercepted, putting the security of your data at risk, as well as your digital identity and money. In addition, if there is no security or updated anti-malware software on your devices or computer, the risks are even higher. This is a type of social engineering attack that starts at home or in public areas, and that people easily and naively bring into their workplace.
5. System Failure and Networks
The use of internet connections by businesses and their employees, suppliers and customers, exposes the potential targets to cyber risks, such as the manipulation of IT systems or attacks on company websites. Good housekeeping practices, such as regular updates of IT networks and computers, and a structured cyber security plan, could really protect organisations from security risks or potential cyber attacks.
6. Data Breaches
Data breaches are security incidents in which sensitive, protected or confidential information is seen, copied, stolen or used by unauthorised parties. Data breaches are becoming more frequent, and the size and cost of successful breaches are mounting. Generally, data breaches occur for two main reasons:
- Data breaches caused by employee negligence (e.g. sharing data with the wrong person); or
- Data breaches instigated by hackers, taking advantage of vulnerabilities or through hacking activities.
Hackers often target individuals responsible for sending payments and requesting money transfers, tax records and/or other sensitive data (e.g. passwords) or take aim at the content of the recipient’s inbox, harvesting client and employee information, including personal data. They may also target confidential corporate information, motivated by monetary gain. Very often, human error and behaviour are significant drivers of data breaches. For example, it is still very common for employees to use weak passwords or the same passwords across multiple applications.
7. Cloud Computing
Cloud computing is being adopted rapidly. The failure of a cloud service provider, while very unlikely, represents a potential cyber vulnerability. Failures of individual services or regions have the potential to cause losses to thousands of users.
8. Distributed Denial of Service (DDoS)
Distributed Denial of Service attacks continue to be a major component in the cyber risk landscape. A third of all organisations have reportedly experienced DDoS attacks - this growing probability of attack is likely to continue across sectors and geographies as attackers’ techniques evolve and they seek out new targets.
9. Smishing
Smishing stands for SMS Phishing. As with phishing, an urgent message is sent to the user asking for something specific. The text message usually asks the user to call a telephone number or go to a website to perform an immediate action. The telephone number is often answered by an automated response system. The user is asked to provide personal information such as passwords or credit card information.
10. Internet of Things (IoT)
The IoT poses emerging security challenges. Between 50bn and 100bn devices are expected to be connected to the internet by 2020 according to an Oliver Wyman report. Many of these devices will be smart devices, which lack strong security features and often do not have regular product support or updates, making them vulnerable to attack. The new connectivity that comes with smart devices can see an organisation exposed to new threats that have not been considered or mitigated.
(Be careful of emails or texts that ask you to supply sensitive information, as it could be a cyber criminal's way of gaining access to business logins and passwords.)
How to Mitigate Cyber Risk
So, what can SMEs do to reduce the risk of becoming victims of a cyber attack and prevent unauthorised access to the personal information they store online?
- Back up your data: Back up your data and keep the back-up on a separate server, USB device or ideally in the cloud, which means it is stored in a completely separate location. Ransomware and other malware can automatically move to connected storage, and so keeping your back-up disconnected from your main server will help maintain its integrity. Make data back-ups part of your everyday business routine and ensure you limit access to the back-up data.
- Protect your business from malware and malicious software: Use antivirus software on all PCs, laptops, smartphones and tablets. Ensure staff do not download third-party apps from unknown vendors or sources.
- Use ‘patching’ to keep all your IT systems up-to-date: Make sure the software and firmware on all your IT equipment is always kept up-to-date with the latest versions from software developers, hardware suppliers and vendors. Applying these updates is called ‘patching’ and is vital to improving security.
- Control how USB drives and memory cards are used: To prevent your company from being exposed to unnecessary risks, implement a policy related to USB drives and memory cards which can easily be infected with malware and other viruses. Provide staff with alternative ways to share files, and only allow approved USB drives and memory cards to be used within the business and not externally.
- Activate your firewall: Most operating systems come with a built-in firewall which works as a buffer between your network and other networks like the internet.
- Train your employees and promote cyber security education: Cyber attacks are often influenced by human error. Consequently, it is fundamental to train your staff, running regular internal awareness campaigns to ensure everyone is aware of the latest cyber threats and what to expect. This will also help keep the whole organisation alert and united in the fight against cyber criminals and hackers.
Cyber Risk Management
Unfortunately, many businesses are still unprepared when it comes to managing cyber risk and understanding their vulnerabilities. For example, not every organisation has dedicated resources and experts available for targeted monitoring and detection of cyber attacks. But there are tools available on the market which are affordable, not invasive, and can help any organisation rapidly identify cyber risk vulnerabilities.
In this age of digital disruption, there is a clear need for businesses to continuously be on the look-out for cyber threats, especially because it is possible to identify cyber risk before a cyber attack, data breach or business interruption actually happens.
By simply providing your domain, a cyber risk management tool can undertake immediate screening and provide a report detailing the company’s cyber risk exposure.
- Assess. Discover vulnerabilities and cyber risks thanks to an immediate and intuitive report.
- Monitor. Cyber risk alerts warn you of cyber risks as they arise.
- Act. Take immediate actions to stop cyber risk exposure and avoid any business interruption or actual attack.
*CRIF Realtime Ltd., a London-based Fintech regulated by the Financial Conduct Authority, has created Credit Passport®, the Business Credit Score for SMEs.
CRIF Realtime Ltd. is part of CRIF, a global company specialising in the development of credit bureau services, business information systems and credit solutions, which operates in more than 35 countries in four continents (Europe, America, Africa and Asia). With over 10,500 banks, 1,000 insurance companies and 82,000 business clients in 50 countries, CRIF constantly innovates to harness the power of data and solutions, enabling its clients to streamline decision making and accelerate digital innovation.