Cyber attacks
and security threats

THE IMPACTS OF CYBER ATTACKS AND HOW SMEs CAN HELP PREVENT THEM

Article updated: 25/07/2020 | By Towergate

This article was put together in partnership with Mike Stephens, a respected senior industry professional and Fellow of the Chartered Insurance Institute (CII) with well over 40 years’ experience in the commercial insurance sector including advising businesses on cyber insurance and risk management to protect against cyber attacks.

What are cyber attacks?

A cyber attack is a deliberate exploitation of computer systems, technology dependent enterprises and networks. Cyber attacks use malicious code to alter computer code, logic or data, resulting in disruptive consequences that can compromise data and lead to cybercrimes, such as information and identity theft.
Technopedia

Why should businesses worry?

an image representing a target

40% of businesses in the UK reported a cyber security breach from 2019-2020.

an image representing crosshairs on a cloud

Cyber security breaches cost UK businesses an average of £3,320 from 2019-2020.

an image representing a revenue crash

Attacks can hinder a business's productivity, harm its reputation and cause it to lose its competitive edge.

Recent cyber attacks

EasyJet logo.

EasyJet

The personal details of 9 million customers were accessed after EasyJet faced a cyber attack in May 2020, with 2,200 customer credit card details stolen by the hackers.

Marriott

Hotel group Marriott was fined £100m in July 2019 after hackers stole the records of 339 million guests, including credit card details, passport number and dates of birth.

Marriott logo.
Travelex logo.

Travelex

Currency service provider Travelex were forced to take its systems offline for almost a month after a ransomware attacked the firm’s website on New Year's Eve 2019, demanding the sum of £4.6m.

Why are SMEs targets for
cyber attacks?

Poor security and a lack of awareness and training can leave SMEs ill-prepared for attacks, making them easy targets for cyber criminals.

SMEs can underestimate the threat of cyber attacks and often don't believe they're at risk:

A padlock image, representing online security.

65% of SMEs suffered a cyber attack from 2019-20 compared to 46% of all businesses on average

A cross symbol.

24% of senior managers are updated less than once a year on cyber security

An unlocked padlock image.

18% of SME decision makers list cyber security as their least concern.

Small and micro businesses lack the resources or knowledge to defend against an attack:

A shield image.

81% do not receive any training on cyber security.

A dollar sign image.

68% have no formal policies for ensuring cyber security.

A question mark image.

26% have no cyber security measures at all.

How Attacks Happen

94% of malware is now delivered by email. This is what a common cyber attack now looks like:

An email is sent disguised as an invoice or bill.

The subject lines of emails containing malware often include words such as 'invoice', 'document' or 'order'.

The user is tricked into downloading an attachment.

This is typically a Javascript file or another scripting type, but it also could be an Office file.

The file triggers the installation of malicious software.

When the file is launched, it prompts the user to execute a macro or launches PowerShell to download and execute the final payload.

The user's device is typically infected with ransomware, which encrypts the user's private data.

Here are some tactics used to exploit cyber security vulnerabilities:

Phishing

Representation of phishing

Dupes users into supplying sensitive information by posing as a trustworthy source, such as a bank, commonly used retailer or a personal acquaintance.

37% of the cyber crimes affecting SMEs were spear phishing attacks.

malware

Representation of water-holing

Compromises legitimate websites by injecting malicious code to visitors passing by when they download the infected software.

29% of cyber crimes affecting SMEs were malware attacks.

Ransomware

Representation of ransomewear

Extorts victims for money or private information in exchange for the decryption of data and removal of malware.

Ransomware attacks have increased 195% during the first half of 2019

Distributed Denial of Service attack

Representation of Denial-of-service attack.

Attempts to flood a network to disrupt the service and prevent users from accessing it.

16% of SMEs have suffered a DDoS attack.

What's at risk?

SMEs tend to store confidential information such as client lists, customer databases or financial details which are highly prized assets for criminals.

Cyber criminals make money through identity theft, sale of stolen information, holding data to ransom or stealing funds from bank accounts.

Attackers can sell data, such as pricing information, product designs or manufacturing processes to competitors, which may give them a market advantage.

Cyber attacks are highly lucrative with profits easily made on the black market from selling stolen goods.

Here are estimates of the black market value of some commonly stolen credentials:

credit card
details
50p
£25

Ready-made toolkits for attacks are also available for budding criminals with little technical knowledge required to run attacks on their own:

basic banking
trojan kit
£80
password
stealing trojan
£20
£80
android banking
trojan
£155
ransomware kit
£10
£1390

An attack can damage a business’s financial health directly, and the recovery process can be lengthy and costly. It’s estimated that it costs the small business community £4.5 billion annually.

Attacks resulting in a data breach and exposure of customers’ confidential information negatively impact customers’ views of the business:

Criminals may steal your employees' or customers' personal details and as it's your responsibility to safeguard this data it can be constituted as a breach of the Data Protection Act (DPA) and General Data Protection Regulation (GDPR).

This could result in compensation to individuals who suffered damage from the breach or severe penalties from the ICO (Information Commissioner's Office) where you can be fined up to 20 million euros (or equivalent in sterling).

EU General Data Protection Regulations (GDPR) came into effect as of May 2018 and still apply to the UK.

Businesses must be able to prove that any data they hold is protected or face the risk of hefty fines.

As many as 9,000 Tesco Bank customers lost money from their accounts, following a data breach in November 2016.

£2.5 million was stolen from customer accounts in total.

Customers had up to £600 withdrawn from their accounts.

Tesco would face fines of over £1.9 billion if it occurred under the EU's GDPR.

Managing the Risks

95% of all security incidents involved human error and employees pose the biggest vulnerability to the IT system.

Vulnerabilities caused by human error include:

  • Using "unpatched" applications where software updates containing security fixes are not installed.
  • Using easy to guess or default passwords.
  • Opening an infected attachment or unsafe URL.
  • Falling victim to social engineering scams (such as phishing).
  • 'Bring your own device' comes with risks if employee-owned devices are infected, which can spread malware to the company’s IT system.

Although most human-related security incidents are caused accidentally, disgruntled employees can also be a risk.

Educating employees on how to protect sensitive data using security best-practices is crucial to safeguarding your business.

It’s recommended that you consult a network security specialist to give a thorough assessment on protecting your company. Here are some steps you can take right now:

Encourage employees to use strong passwords, refrain from using the same password for multiple logins and change passwords every 90 days.

Always Install the latest security updates for software and web applications which will Close known vulnerabilities.

Encrypt sensitive data such as employee details and financial accounts.

Update your anti-virus software and firewall as soon as a new version is released to ensure they’re effective against new forms of malware.

Protect mail servers with security software that scans emails to reduce the likelihood of falling victim to infected attachments.

Create "whitelists" that control all traffic through the network by granting access to certain IPs and e-mail addresses.

Ideally, administrative accounts should not be granted access to email or internet to prevent attackers entering the system through these channels. If administrators need web access then implement a two-factor authentication.

  • Cyber Essentials is a scheme backed and supported by the UK Government to help protect businesses of all sizes against common cyber threats.
  • Businesses can attain a Cyber Essentials badge to advertise the fact that they are following government endorsed standards for cyber security. To obtain the badge, businesses can carry out a self-assessment to see if they meet the requirements, or they can be independently assessed by accrediting bodies.
  • The scheme outlines five main procedures that should be implemented for basic protection against cyber attacks:

Boundary firewalls and internet gateways

Access control

Patch management

Secure configuration

Malware protection

In the event of an attack

Unfortunately cyber attacks may succeed despite taking preventative measures.

Having a plan in place in the event of a successful attack can limit damage. Safeguarding data should be a priority, especially if that data is crucial to the running of your business:

4 in 10 SMEs say they would struggle to recover from data loss.

1 in 4 SMEs admit they wouldn't be able to recover any data.

Logging and monitoring any suspicious activity can inform you as soon as a breach happens, giving you a chance to respond quickly and limit potential damage. This can be done in-house or outsourced to specialists.

Regularly backing up your data means it can be accessed easily to reduce downtime in the event of a breach. However, there is a risk that you may restore the same vulnerabilities which caused the breach in the first place so you should consult a specialist beforehand on how to mitigate this.

Consulting a security specialist for a thorough risk assessment and further advice is essential. You can also:

Have procedures in place which identify and isolate infected systems to prevent further infection.

Establish an incident response team trained with the skills and expertise to address threats.

If your customer database has been compromised, those customers should be directly informed of the breach and advice should be given on what actions they should take, such as changing passwords and checking bank statements.

Summary

The threat of cyber attacks is ever-present and isn’t going away. Methods are becoming more sophisticated and ever-increasing connectivity means there are more opportunities for cyber criminals than ever.

The risks to businesses are severe: a cyber attack can impact your bottom line, your reputation and even your ability to continue operating.

There’s plenty you can do to insulate yourself against the risk, and the most dangerous course of action would be to disregard the threat. Consult a professional, ensure your staff understand security best-practices, make sure that your company’s most important assets are safeguarded and have a plan in place for responding to any breaches.

Glossary

  • PowerShell

    A framework by Microsoft for automating batch processes and performing configuration management and administrative tasks.

  • Ransomware kit

    A type of malicious program that prevents victims from accessing their information and private files by encrypting them and demanding a some of money to return the original unencrypted files.

  • Android banking trojan

    A type of malicious program that disguises itself as legitimate application, affecting the android operating system on mobile devices. The android banking trojan is primarily used to steal and gain access to private information and finances.

  • Whitelists

    Allow only administrator-approved programs and users to gain system access, blocking anything that has not been approved.

  • SME

    A company with under 250 employees and an annual turnover under £50 million.

  • Micro Business

    A company with 10 or fewer employees and a turnover of less than €2million. Also known as a micro entity.