Briefing: The rise in reports of cyberattacks on business

28 Feb 2023

Some businesses do not fully appreciate that cyberattacks could be a risk to their survival, or do not think they are big enough targets for hackers. But, says rradar Head of Data Paul Buckle in this briefing, it is this type of misconception that leaves you vulnerable.

You only have to look at the National Cyber Strategy Survey to understand the true risk of cyberattack and the effect it can have on businesses. There are several steps that can be taken to mitigate the risks; a programme of actions based on good planning, awareness and commitment will pay for itself.

A matter of priorities and why it matters
Unless a small- or medium-sized business owner has been affected by cybercrime, it is unlikely that cybersecurity has been prioritised. If so, the question remains; what would happen to your business if you were locked out of your computer, systems and business data?

Just as you lock your front door, car and mobile phone to protect your property, your friends, family and yourself, you need to consider the same for your business.

You have a duty under the Data Protection Act 2018 to protect any personal data you hold for business purposes (employees, customers and suppliers). Do you know if these are secure or how to secure them against an attack?

Have you considered the value of your business data, customer records, product profiles, invoices, emails? These are data assets and they need to be protected so you can operate your business effectively.

But what do you need to be protected from?
Damage to your business, reputation, revenue loss or loss through extortion or theft by criminals intent on generating revenue through theft, ransoms or for ideological reasons.

Hacking – When someone gains access to your computer or business networks, social media account, website or bank accounts in order to steal, cause damage or lock you out from the system or platform.
Phishing – where a criminal uses sometimes carefully crafted emails, phone calls or texts to trick an employee into handing over confidential information, such as passwords or bank account details.
Emails – whilst these are used in phishing, they are also a source of risk by way of outbound misdirection, unintended disclosures of data or attachments and inbound emails that bring in malicious software or links to scams.
Malicious software, a type of malware – can be used to corrupt your systems or stop you from accessing your data, sometimes purely to cause damage or as a vehicle to obtain a ransom payment.

Who to be aware of
Direct Denial of Service (DDoS) – an attack that overwhelms and/or shuts down a company’s systems so it cannot operate. The response depends on the motive, but it is mostly criminal activity aimed at obtaining a payment.

Malicious insiders – attacks caused by malicious employees, contractors or former employees who have access to your system and sensitive data and cause damage, steal or introduce malware.

Remote working – Consider how secure your remote worker’s Wi-Fi and home networks are. Who else can access their computers? Are their portable systems encrypted? Why does the remote worker become more vulnerable to phishing than the office worker and what can you do to reduce these risks?

Practical steps
There are several practical steps that can be taken by businesses of all sizes to protect against cybercrime. Think about your passwords and how you enforce those on your employees to be more secure:

Use special characters and block the use of known words or words that link to your business.
Block or avoid using common passwords such as 1234 or passwords that have been leaked from website breaches.
Enforce a minimum length but do not place a limit on length.
Change at regular and reasonable intervals (not too frequently).
Password management software can help users store their passwords and generate new secure ones.
A password policy or a section on passwords in another policy, will help you communicate the rules around passwords and the reasons for them.

Further guidance on passwords can be found here.

Training and awareness
A simple approach to regular training and awareness can yield huge benefits in terms of security:

Everyone is responsible for cyber security.
Everyone needs to be aware of the risks and consequences.
Everyone is included in cyclical training to ensure the knowledge and mindset remains to protect the business.

A mindset that gets people to think:

When I send an email:
- - Is the address to which I am sending the email correct?
- - Have I attached the correct file?
- - Can I disclose this data to the email recipients?
When I receive an email:
- - Is this from a legitimate source?
- - Is there something unusual about the email?
- - Could attachments have viruses?
- - Is this spam or phishing?

General behaviours
Ensure that all employees:

Lock their computers (e.g. Windows + L) and work phones when not in use;
Do not use business networks or devices for personal use;
Do not download software without permission from the IT manager;
Do not create accounts for third-party services without permission from the IT manager;
Do not interfere with computer security software, such as antivirus software; and
Avoid connecting to a public Wi-Fi network unless a private connection can be created.

Technical tools
Encryption is a way to make information more secure by requiring a key or code to access it.

It is good to encrypt all drives that contain business sensitive or personal data.
Mobile devices should be encrypted and backed up with strong passwords.
When transferring data on a memory stick or via the internet, encrypt it before transferring it. Send the decryption password through a different means - text / social media.

Network and Wi-Fi protection is becoming more and more important, and many of these now exist as cost-effective managed services:

Prevent your users from accessing the business network (or VPN) using public Wi-Fi networks.
Do not allow private devices to connect to your Wi-Fi network. Instead use a separate ‘guest Wi-Fi’ with a gate keeper if possible.
Introduce managed Wi-Fi in your offices with the appropriate firewalls.
Maintain and update effective firewalls.
Create back-ups of all your systems at regular intervals.

Policy and process
Having the correct processes and training in place will help employees practise good cyber security. Implement and disseminate a policy that helps employees have the confidence to deal with, report and respond to issues such as:

A computer performing unusually;
An unauthorised / suspicious device or person at work;
A breach of the guidelines contained within the policy; or
A suspicious message or email.

If in doubt, do not click - report. No one will be challenged for a false alarm.

Cyber insurance policies
Many – if not all – businesses will have an insurance policy such as a management liability policy, which offers cover in the event of an unexpected crisis or problem. However, not all cover is comprehensive and up to date. Some insurers work hand in glove with both legal and cyber experts to ensure that their policies are future-proofed and adaptable to change. It is worth seeking these kinds of policies out to ensure your business has the level of protection it needs – not just today but in months and years to come.

If you wish to know more, please contact rradar at contactus@rradar.com or visit Cyber Aware and The National Cyber Security Centre websites for more information.