
The persistent threat of cyber attacks — and how businesses can fight back


If there’s one issue that businesses across all sectors should be concerned about in 2017, it’s the threat of cyber attacks. Cyber security-related stories have rarely made it out of the news this year, and this has in turn resulted in increased public awareness surrounding the topic.

The severity of cyber attacks on businesses was made clear in a report published by the UK Government in conjunction with Ipsos MORI and the University of Portsmouth. Research within the report found that just under half (46 per cent) of all businesses in the UK had detected at least one cyber attack of some sort within the last 12 months.

When zooming in on these findings and looking at medium-sized firms only, the figure rises to 66 per cent, while focusing exclusively on large-sized firms sees a further increase up to 68 per cent.

The findings become even more interesting when considering the frequency of these cyber attacks. Of those businesses that had admitted detecting an attack, 37 per cent said they typically experience an attack at least once a month, while well over one in ten (13 per cent) said they are coming under attack every single day.

Of course, cyber attacks are not universally identical. They come in many different shapes and sizes, and certain varieties can pose a much more serious risk to businesses than others.

Malware

One of the most common and serious cyber attack threats from a business point of view is malware. In its purest form, malware is a link or item that might appear to the victim as a curious-looking pop-up screen within an internet browser, or as an inconspicuous attachment within an email. These are designed to mislead the user into thinking the item is genuine, and once the user has been fooled and clicks on it the hacker can quickly gain access to their network to either seize data or damage the network itself in some way. It is not a particularly new form of cyber attack, but it remains dangerously effective.

It is also one of the most prolific. In its Internet Security Threat Report from last year, the security software company Symantec revealed it had discovered 357 million new variants of malware in 2016 alone. More specifically, it found that 1 in every 131 emails sent in 2016 contained malware of some kind.

Ransomware

Another popular form of attack — and one that has some cross-over with malware — is ransomware. This is a form of malicious software that is often unknowingly downloaded onto a computer by a user, perhaps once again through an email attachment or a counterfeit web page. Once the software has been downloaded, it blocks the user’s access to the computer, encrypts the files within and renders the system unusable until a ransom is paid.

Ransomware has been the cause of many successful and well-documented cyber attacks recently — most notably the global WannaCry attack back in May — and its impact is reflected in recent statistics. The same report from Symantec revealed a total of 463,841 ransomware detections in 2016 — a huge increase compared to the 340,665 detected in 2015. There was also a sharp spike in the average amount of money being requested through each ransomware case, rising from US$294 in 2015 to $1,077 in 2016.

DDoS attacks

Distributed denial of service (DDoS) attacks are primarily targeted towards businesses, and involve using botnets or other tools to flood servers with so much website traffic that they can no longer cope and crash under the strain. Following a successful DDoS attack, users will find they can no longer access the affected websites until the issue has been resolved — something that results in considerable downtime depending on the severity of the attack.

This method cannot result in a data breach or a hacker being able to access any networks, but it still holds serious consequences for the victim in terms of lost revenue and website traffic. It is also commonly used as a tactic to distract businesses while a more serious attack takes place.

One prominent example of how DDoS attacks can impact businesses is the Mirai botnet, a piece of malware created in 2016. Mirai worked by automatically infecting Internet of Things (IoT) devices and then conscripting them to a botnet. From here, all of these infected IoT devices could be used to launch huge DDoS attacks on companies across the globe. Mirai managed to wreak havoc on a global scale throughout 2016, taking 900,000 Deutsche Telekom customers offline and affecting almost 2,500 TalkTalk routers across the UK to name but a few instances.

What is the impact of cyber attacks on businesses?

Of course, there are many more variations of cyber attacks — phishing emails, targeted breaches and password attacks are just a few that we have not gone into detail on — but the three mentioned above are the most common faced by businesses, and the impact they can potentially cause is immense. According to business internet service provider Beaming, cyber attacks in 2016 alone cost UK businesses as much as £30 billion, while Lloyd’s of London recently warned that a serious global cyber attack could cost the global economy up to £90 billion — the same amount as that caused by Hurricane Katrina in 2005.

But it isn’t just financial losses that are at stake through cyber attacks — businesses can also suffer crippling reputational damage. In April this year, the payday loan company Wonga was subjected to a significant online data breach that saw the personal information of around 270,000 customers compromised. Immediately after the attack, the brand’s ‘buzz score’ (a measurement used to determine the general public perception of brands) fell from minus 13 — a less than desirable score to begin with — to minus 24, its lowest score in years.

This indicates a serious dent in Wonga’s reputation following the attack, and that’s before you even start to consider how the seized customer data might be used by cyber criminals and hackers going forward.

Despite the increased public awareness around cyber security following a spate of major incidents, cyber attacks still remain scarily effective, and that’s largely due to the technological sophistication of hackers and cyber criminals. Let’s imagine that a business has recently suffered from a DDoS attack and has since implemented new security measures to protect itself from the DDoS threat.

By the time those measures have been put in place, online criminals will have already adapted and evolved their methods, allowing them to work around the security measures and exploit some other vulnerability that has not been noticed yet. In some ways, the battle against the cyber threat will never be well and truly over.

Proactive, not reactive

This is not to say resistance is futile by any means. While the cyber threat will continue to mutate into new and unfamiliar forms, there are ways that businesses can mitigate the associated risks of any cyber attack properly and effectively.

However, there is one rule that absolutely must be followed before businesses begin with anything else: they must adopt a proactive approach towards cyber security. It wasn’t too long ago that many could afford to simply sit back and wait for an attack to present itself before considering the most appropriate way of dealing with it, but that simply isn’t possible now: the threat is too great and the consequences too severe. Instead, all businesses — no matter their size or sector — need to transition from an ‘if’ to a ‘when’ mindset, which involves proper preparation and comprehensive planning for all potential scenarios.

More specifically, a proactive approach to cyber security involves considering numerous areas of your business to ensure the appropriate measures are taken.

Fighting back

Technology tools

There are numerous software-based tools that can help to ensure comprehensive protection. Perhaps the most effective of these is a vulnerability management system that provides users with a centralised platform to monitor and identify all vulnerabilities in their IT infrastructure in real time. One of the most common reasons that businesses suffer from cyber attacks is that they aren’t aware of the zero-day vulnerabilities existing within their infrastructure in the first place.

Therefore, being proactively aware of any vulnerabilities as soon as they arise, and then taking appropriate action to resolve them, is key to staying protected. These systems can also provide considerable cost-saving benefits in the long term — the operation and maintenance of a vulnerability management system is much cheaper than the cost of recovering from a major cyber attack.


For an additional layer of protection for files, drive encryption tools can be extremely helpful. Although this does not address the issue of hackers gaining access to your business’ systems, it makes it much harder for them to successfully seize any data or information thanks to the encryption of entire volumes within the network. There are also some more common methods of protection, such as virus scanners and firewalls, that still have an important role to play in strengthening lines of defence. Firewalls in particular can often be overlooked by hackers looking to quickly gain access to a system, while virus scanners can help to identify an issue at an early stage before it spreads and causes serious damage.

Processes and Governance

Without a doubt, the most effective way of ensuring a proactive approach, and consequently mitigating the cyber attack risk, is by adopting a cyber security strategy. This consists of a set of best practices that covers every eventuality and is distributed to all employees across the company — from the IT team right up to senior board members — raising awareness of potential issues and making it clear to each individual what their role is in the event of an attack.


However, for these strategies to be truly beneficial, each one needs to be specifically tailored to the nature and needs of the business it intends to protect; simply taking someone else’s strategy and swapping the names around will not yield any positive results.

Instead, businesses need to ask themselves several questions. Firstly, does the business have employees that are regularly working outside of the office, and if so, what security risks might this present?

Secondly, what back-up processes are in place and how could they be improved? Thirdly, how often is the business asking employees to change their passwords to prevent password-related attacks? There are obviously many more areas that should be covered as part of a full cyber security strategy, but answering these three questions alone could help to significantly strengthen existing defences.

It is also worth considering how the introduction of the General Data Protection Regulation (GDPR) in May 2018 might affect the security measures implemented by your business. Not only is GDPR set to focus attentions towards ensuring that systems are well looked after and compliant with legislation, but it is also set to impose significant fines on any business that suffers from a data breach that could have been prevented. In some cases these fines could reach up to €20 million or 4% of annual global turnover — whichever is the greater amount.

Lastly, it is recommended that all businesses set up a ‘security team’ as part of their proactive approach to cyber security. Ideally, this team should consist of individuals from various departments across the business, not just IT, and should also include a senior board member for full transparency. This team should arrange regular meetings that are used to discuss any risks within the business before agreeing upon a solution to resolve them.

Conclusion

It is likely that the omnipresence of cyber attacks will forever cause headaches for businesses; a problem that is only exacerbated when you consider how many different forms these attacks can take.

However, by tackling the threat one step at a time, adopting a proactive approach and placing particular focus on the technology, governance and processes your business has in place, the risks associated with cyber attacks can be greatly mitigated. Whether these steps are taken independently or with the help of a trusted IT partner is up to the business itself, but one thing is certain: the cyber threat certainly will not disappear of its own accord.


Staff Productivity, Thought leadership

Summary

Remote working used to be limited to simply taking your documents home with you in a briefcase to review in the evening. Yet, as communication infrastructure has improved (with the number of homes with superfast broadband connections topping 10.8 million last year), workers now desire an almost identical experience at home to working in the office.


This year is thought to be something of a tipping point when it comes to remote working, with more than half of businesses in the UK now offering remote working policies. It is a trend that is likely to continue too, as the same research, by the Work Foundation at Lancaster University[1], predicts that by 2020 some 70 percent of organisations will have followed suit.


The popularity from both a business and worker perspective is not hard to see. For businesses, allowing home working can reduce bricks and mortar expenditure considerably, as less office space is required. From a worker’s point of view, they’re able to save money by reducing their commute, and able to work in a comfortable environment with fewer distractions.

Proceed with caution

However, it’s not simply a case of allowing any employee with a laptop, internet connection and desire to work in their pyjamas the option to work from home. You need to proceed with caution. Before this option is offered, there needs to be a certain amount of technology investment undertaken to ensure that they, and your business, are safe from the latest wave of cyber security threats.


Doing this requires a range of technologies working seamlessly together to provide secure access while not impacting end user experience. The best form of authentication is currently two-factor, which your users will be used to from when they bank online. It ensures that access is only provided when a user meets two separate authentication criteria, often a password and a unique, temporary code provided to their mobile handset via SMS.
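The two-step check described above, sketched as an added example that is not from the original article: the password is verified first, then a one-time code that expires, works once and tolerates only a few wrong guesses. The class name, the 5-minute lifetime, the 3-attempt limit and the PBKDF2 work factor are assumptions chosen for illustration, and delivery of the code by SMS is left out.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300       # assumed lifetime of a code
MAX_ATTEMPTS = 3             # assumed number of wrong guesses allowed per code
PBKDF2_ITERATIONS = 600_000  # assumed work factor for password hashing


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class TwoFactorLogin:
    """Hypothetical in-memory service: password first, then a one-time code."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}    # username -> (salt, password hash)
        self._pending = {}  # username -> [code, expiry time, attempts left]

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, hash_password(password, salt))

    def start_login(self, username, password):
        """Factor 1: return a code to send out of band (e.g. by SMS), or None."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return None
        code = f"{secrets.randbelow(10**6):06d}"  # unpredictable 6-digit code
        self._pending[username] = [code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def finish_login(self, username, submitted):
        """Factor 2: True only for the right code, before expiry, and only once."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[username]   # temporary: stale codes are discarded
            return False
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[username]   # unique: a code works a single time
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[username]   # stop guessing against the same code
        return False
```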


Once your employee is connected, the data between their device (which could be anything from a traditional PC to a tablet or mobile phone) and your organisation’s servers must be encrypted. As older cryptography techniques have become easier to hack, connections should now be secured using IPsec with DES or 3DES. This means that, should a hacker be able to intercept your data, it should be unintelligible.


While passwords that are simple to crack – such as 123456 or password1 – are never recommended, the advice around passwords has somewhat evolved. The National Institute of Standards and Technology now recommends[2] focusing on usability and practicality as opposed to an overly complex password that your staff will only have to write down in order to remember it!

Accessing data

The technologies used by remote workers to access the information they need to undertake their day-to-day operations from home have needed to evolve. Simply allowing your staff to access the file repositories on your network from home as they would in the office could leave you open to being infected should their laptop or home PC be carrying a virus. It is just not practical to rely on the IT department to secure the myriad of bring your own device (BYOD) personal end-points that remote workers use; therefore, other solutions have become necessary.


Many organisations have started providing specific remote desktop solutions via the cloud. These send a live snapshot of your office desktop to a remote device. If a user clicks or types, these interactions are reflected on the server. This means no applications need to be installed on the remote device and it provides a barrier for viruses to traverse from the remote worker’s device back into the corporate network. However, if the user is offline or their connection drops it means they can’t work.


The third, and often better, solution is to provide access to all files via a web server through a browser. This will generally use the SSL (Secure Sockets Layer) protocol to establish an encrypted link. Because so many devices now support web browsing, this provides many more ways to work remotely.

The new 9-to-5

With the advancements of technology and the push for the ability to work remotely coming from both sides, the traditional work and life balance is becoming increasingly blended. Work emails can be sent straight to mobile devices, work can be completed anywhere thanks to laptops, and the days of a simple 9-to-5 existence are but a distant memory.


Seeking the right balance between usability and security remains a great challenge though. Mobile Device Management (MDM) technology has become a critical way for IT departments to manage all the additional endpoints brought on by the remote working trend, and provides a means to instruct devices to delete any sensitive data should the device be compromised.


[1] http://www.telegraph.co.uk/connect/small-business/scaling-up/staples/working-from-home/

[2] https://pages.nist.gov/800-63-3/
