The persistent threat of cyber attacks — and how businesses can fight back
If there’s one issue that businesses across all sectors should be concerned about in 2017, it’s the threat of cyber attacks. Cyber security-related stories have rarely been out of the news this year, and this has in turn increased public awareness of the topic.
The severity of cyber attacks on businesses was made clear in a report published by the UK Government in conjunction with Ipsos MORI and the University of Portsmouth. Research within the report found that just under half (46 per cent) of all businesses in the UK had detected at least one cyber attack of some sort within the last 12 months.
When zooming in on these findings and looking at medium-sized firms only, the figure rises to 66 per cent, while focusing exclusively on large-sized firms sees a further increase up to 68 per cent.
The findings become even more interesting when considering the frequency of these cyber attacks. Of those businesses that had admitted detecting an attack, 37 per cent said they typically experience an attack at least once a month, while well over one in ten (13 per cent) said they are coming under attack every single day.
Of course, cyber attacks are not universally identical. They come in many different shapes and sizes, and certain varieties can pose a much more serious risk to businesses than others.
One of the most common and serious cyber attack threats from a business point of view is malware. In its purest form, malware reaches the victim as a link or item that might appear as a curious-looking pop-up screen within an internet browser, or as an inconspicuous attachment within an email. These are designed to mislead the user into thinking the item is genuine, and once the user has been fooled and clicks on it, the hacker can quickly gain access to their network to either seize data or damage the network itself in some way. It is not a particularly new form of cyber attack, but it remains dangerously effective.
It is also one of the most prolific. In its Internet Security Threat Report from last year, the security software company Symantec revealed it had discovered 357 million new variants of malware in 2016 alone. More specifically, it found that 1 in every 131 emails sent in 2016 contained malware of some kind.
Another popular form of attack — and one that has some cross-over with malware — is ransomware. This is a form of malicious software that is often unknowingly downloaded onto a computer by a user, perhaps once again through an email attachment or a counterfeit web page. Once the software has been downloaded, it blocks the user’s access to the computer, encrypts the files within and renders the system unusable until a ransom is paid.
Ransomware has been the cause of many successful and well-documented cyber attacks recently — most notably the global WannaCry attack back in May — and its impact is reflected in recent statistics. The same report from Symantec revealed a total of 463,841 ransomware detections in 2016 — a huge increase compared to the 340,665 detected in 2015. There was also a sharp spike in the average amount of money being requested through each ransomware case, rising from US$294 in 2015 to US$1,077 in 2016.
Distributed denial of service (DDoS) attacks are primarily targeted at businesses, and involve using botnets or other tools to flood servers with so much website traffic that they can no longer cope and crash under the strain. Following a successful DDoS attack, users will find they can no longer access the affected websites until the issue has been resolved — something that can result in considerable downtime depending on the severity of the attack.
This method cannot result in a data breach or a hacker being able to access any networks, but it still holds serious consequences for the victim in terms of lost revenue and website traffic. It is also commonly used as a tactic to distract businesses while a more serious attack takes place.
One prominent example of how DDoS attacks can impact businesses is the Mirai botnet, a piece of malware created in 2016. Mirai worked by automatically infecting Internet of Things (IoT) devices and then conscripting them into a botnet. From here, all of these infected IoT devices could be used to launch huge DDoS attacks on companies across the globe. Mirai managed to wreak havoc on a global scale throughout 2016, taking 900,000 Deutsche Telekom customers offline and affecting almost 2,500 TalkTalk routers across the UK, to name but a few instances.
What is the impact of cyber attacks on businesses?
Of course, there are many more variations of cyber attacks — phishing emails, targeted breaches and password attacks are just a few that we have not gone into detail on — but the three mentioned above are the most common faced by businesses, and the impact they can potentially cause is immense. According to business internet service provider Beaming, cyber attacks in 2016 alone cost UK businesses as much as £30 billion, while Lloyd’s of London recently warned that a serious global cyber attack could cost the global economy up to £90 billion — the same amount as the damage caused by Hurricane Katrina in 2005.
But it isn’t just financial losses that are at stake through cyber attacks — businesses can also suffer crippling reputational damage. In April this year, the payday loan company Wonga was subjected to a significant online data breach that saw the personal information of around 270,000 customers compromised. Immediately after the attack, the brand’s ‘buzz score’ (a measurement used to determine the general public perception of brands) fell from minus 13 — a less than desirable score to begin with — to minus 24, its lowest score in years.
This indicates a serious dent in Wonga’s reputation following the attack, and that’s before you even start to consider how the seized customer data might be used by cyber criminals and hackers going forward.
Despite the increased public awareness around cyber security following a spate of major incidents, cyber attacks remain scarily effective, and that’s largely due to the technological sophistication of hackers and cyber criminals. Let’s imagine that a business has recently suffered from a DDoS attack and has since implemented new security measures to protect itself from the DDoS threat.
By the time those measures have been put in place, online criminals will have already adapted and evolved their methods, allowing them to work around the security measures and exploit some other vulnerability that has not been noticed yet. In some ways, the battle against the cyber threat will never be well and truly over.
Proactive, not reactive
This is not to say resistance is futile by any means. While the cyber threat will continue to mutate into new and unfamiliar forms, there are ways that businesses can mitigate the associated risks of any cyber attack properly and effectively.
However, there is one rule that absolutely must be followed before businesses begin with anything else: they must adopt a proactive approach towards cyber security. It wasn’t too long ago that many could afford to simply sit back and wait for an attack to present itself before considering the most appropriate way of dealing with it, but that simply isn’t possible now: the threat is too great and the consequences too severe. Instead, all businesses — no matter their size or sector — need to transition from an ‘if’ to a ‘when’ mindset, which involves proper preparation and comprehensive planning for all potential scenarios.
More specifically, a proactive approach to cyber security involves considering numerous areas of your business to ensure the appropriate measures are taken.
There are numerous software-based tools that can help to ensure comprehensive protection. Perhaps the most effective of these is a vulnerability management system that provides users with a centralised platform to monitor and identify all vulnerabilities in their IT infrastructure in real time. One of the most common reasons that businesses suffer from cyber attacks is that they aren’t aware of the zero-day vulnerabilities existing within their infrastructure in the first place.
Therefore, being proactively aware of any vulnerabilities as soon as they arise, and then taking appropriate action to resolve them, is key to staying protected. These systems can also provide considerable cost saving benefits in the long-term — the operation and maintenance of a vulnerability management system is much cheaper than the cost of recovering from a major cyber attack.
For an additional layer of protection for files, drive encryption tools can be extremely helpful. Although this does not address the issue of hackers gaining access to your business’ systems, it makes it much harder for them to successfully seize any data or information thanks to the encryption of entire volumes within the network. There are also some more common methods of protection, such as virus scanners and firewalls, that still have an important role to play in strengthening lines of defence. Firewalls in particular can often be overlooked by hackers looking to quickly gain access to a system, while virus scanners can help to identify an issue at an early stage before it spreads and causes serious damage.
Processes and Governance
Without a doubt, the most effective way of ensuring a proactive approach, and consequently mitigating the cyber attack risk, is by adopting a cyber security strategy. This consists of a set of best practices that covers every eventuality and is distributed to all employees across the company — from the IT team right up to senior board members — raising awareness of potential issues and making it clear to each individual what their role is in the event of an attack.
However, for these strategies to be truly beneficial, each one needs to be specifically tailored to the nature and needs of the business it intends to protect; simply taking someone else’s strategy and swapping the names around will not yield any positive results.
Instead, businesses need to ask themselves several questions. Firstly, does the business have employees that are regularly working outside of the office, and if so, what security risks might this present?
Secondly, what back-up processes are in place and how could they be improved? Thirdly, how often is the business asking employees to change their passwords to prevent password-related attacks? There are obviously many more areas that should be covered as part of a full cyber security strategy, but answering these three questions alone could help to significantly strengthen existing defences.
It is also worth considering how the introduction of the General Data Protection Regulation (GDPR) in May 2018 might affect the security measures implemented by your business. Not only is GDPR set to focus attention on ensuring that systems are well looked after and compliant with legislation, but it is also set to impose significant fines on any business that suffers from a data breach that could have been prevented. In some cases these fines could reach up to €20 million or 4% of annual global turnover — whichever is the greater amount.
Lastly, it is recommended that all businesses set up a ‘security team’ as part of their proactive approach to cyber security. Ideally, this team should consist of individuals from various departments across the business, not just IT, and should also include a senior board member for full transparency. This team should arrange regular meetings that are used to discuss any risks within the business before agreeing upon a solution to resolve them.
It is likely that the omnipresence of cyber attacks will forever cause headaches for businesses; a problem that is only exacerbated when you consider how many different forms these attacks can take.
However, by tackling the threat one step at a time, adopting a proactive approach and placing particular focus on the technology, governance and processes your business has in place, the risks associated with cyber attacks can be greatly mitigated. Whether these steps are taken independently or with the help of a trusted IT partner is up to the business itself, but one thing is certain: the cyber threat certainly will not disappear of its own accord.