7 Key takeaways from DSIT’s Cyber Security Breaches Survey 2024

Cyber Security Breaches Survey 2024

Every spring the Department for Science Innovation & Technology (DSIT) releases its Cyber Security Breaches Survey. Always hotly anticipated throughout the cybersecurity sector, it acts as a ‘temperature check’ of security and resilience within UK cyberspace. 

Although the report primarily intends to inform UK government policy, that doesn’t mean it isn’t useful to small businesses. In fact, the report is a bit of a lodestar for anyone interested in cybersecurity. It gives us an idea of the threats we face, how businesses are dealing with them, and what we can do to improve our collective security. 

With that in mind, here are our key takeaways from the Cyber Security Breaches Survey 2024.

1. Breaches remain common 

    This won’t be particularly surprising to anyone but successful cybersecurity breaches remained commonplace in the last 12 months. According to DSIT’s research, half of businesses (50%) and just under a third of charities (32%) reported experiencing some form of breach.

    These figures are highest for medium businesses (70%), large businesses (74%) and high-income charities with £500,000 or more in annual income (66%). However, this isn’t to say small (10-49 employees) and micro (1-9) businesses are immune. 47% of micro-businesses and 58% of small businesses were hit with a breach in the last year. 

    2. The cost of a breach remains low, but constant 

      This one is a mixed bag. One positive is that DSIT reports the average cost of a single breach across all businesses surveyed was £1,205. That’s considerably lower than figures released in reports like IBM’s Cost of a Data Breach 2023, even when we consider that the average rises to £10,830 for large and medium businesses.

      Unfortunately, this isn’t the whole story. Although the headline figure for the cost of a breach is low, companies are being attacked with frightening regularity. Over half of businesses (53%) and just under half of charities (45%) reported that this happens once a month or more often. Grimmer still, a third of businesses and a fifth of charities say that they were attacked at least once a week.

      This means that even if the cost of a single breach is low, many businesses are being hit multiple times a year, making the cumulative impact of attacks far higher. What’s more, while larger organisations may be able to swallow these recurring costs, their impact could be ruinous for SMEs. 

      3. Phishing scams are still the number one threat

        By this point, most of us have first-hand experience of a phishing scam. They come in many forms, from speculative email campaigns to more targeted attacks through social media platforms like Facebook Messenger and spear phishing.

        So it’s no surprise to see phishing scams at the top of DSIT’s list of most common threats. 84% of businesses and 83% of charities reported being targeted by one in the last 12 months. 

        However, more interesting is that the second most common threat was ‘others 

        impersonating organisations in emails or online’ (35% of businesses and 37% of charities). This demonstrates that cybercriminals are leaning on social engineering techniques to launch attacks, rather than more technological approaches like malware and ransomware.

        There are a couple of possible reasons for this. Firstly, social engineering attacks use our human nature against us, making them more difficult to defend against. Second, social engineering doesn’t require any specialist tools or tech knowledge, just a familiarity with the techniques, meaning the barrier to entry is lower for would-be scammers.

        4. Does Cyber Essentials certification have an awareness problem? 

          Cyber Essentials certification turns ten this June. And, although the scheme has helped thousands of businesses improve their cybersecurity, it appears to have an awareness problem. 

          Just 12% of businesses and 11% of charities are aware of the Cyber Essentials scheme. These figures are roughly consistent with 2023 but represent a decline over the last 2-3 years. This decline is also more pronounced among smaller businesses with medium businesses (43%) and large businesses (59%) more aware.

          More worrying still, only 3% of businesses and charities report adhering to Cyber Essentials. However, this does come with a caveat that a higher proportion of them (22% of businesses and 14% of charities) report having technical controls in all five areas covered by Cyber Essentials.

          5. Businesses aren’t prepared for supply chain risks

            Although the report reveals organisations have broadly improved when it comes to cyber risk management, there’s still one glaring omission – supply chain risks. Only one in ten businesses say they review supplier risk (11%, vs. 9% of charities). Given that supply chain attacks are predicted to cost the global economy $138 billion by 2031 this is an area that needs urgent attention in the coming years. 

            6. Formal incident response plans aren’t widespread

              Despite many businesses stating that they’d take action following a cyber incident, very few have anything concrete in place to establish what those steps are. Just 22% of businesses and 19% of charities have a formal incident response plan. Once again, these figures are largely being driven by SMEs; 73% of large businesses have one. 

              What this suggests is that small businesses are ill-prepared for the worst-case scenario. Creating an incident response plan or security policy can be time-consuming and tricky if you don’t know where to start. SMEs need help, through tools like templates and policy management to better prepare themselves. 

              Alongside this, when a breach does happen, external reporting of it is uncommon. Just over a third of businesses (34%) and charities (37%) reported a breach outside their organisation. Even then, this wasn’t usually to the National Cyber Security Centre (NCSC) or Information Commissioners Office (ICO), but to their managed service provider or IT supplier. This indicates that vast swathes of cybercrime are still going unreported.

              7. Basic cyber hygiene is improving 

                Finally, let’s end with a real positive. Cyber hygiene – by which we mean basic cyber controls – is on the up across all businesses. Most cyber threats are relatively unsophisticated so organisations can go a long way towards protecting themselves by simply adopting some simple measures. 

                The good news is that a majority of businesses and charities have a broad range of these measures in place. These include: 

                • using up-to-date malware protection (up from 76% to 83%)
                • restricting admin rights (up from 67% to 73%)
                • network firewalls (up from 66% to 75%)
                • agreed processes for phishing emails (up from 48% to 54%)

                And, even more promising, these trends are a reversal of the decline in cyber hygiene we’ve seen over the past few years. This shift is being driven by micro and small businesses, demonstrating that despite the worrying trends in awareness surrounding Cyber Essentials, basic security recommendations are having some cut through. 

                Want to know more about the threats facing small businesses? Download our latest report on SMEs and the cost of living crisis

                SME cost of living crisis report

                CyberSmart announces expansion into the Australian market with HAT Distribution partnership

                HAT Distribution partnership

                The move will streamline and simplify Essential Eight assessment for Australian SMEs and MSPs

                Wednesday 08 May 2024 – London, UK: CyberSmart, the UK’s leading provider of complete cyber confidence to UK SMEs is excited to announce its partnership with Australian technology distributor, HAT Distribution. The partnership will provide businesses in Australia with fast, hassle-free Essential Eight assessment and year-round assurance.

                CyberSmart is the world’s first complete SME solution, offering all-in-one cybersecurity monitoring, optimisation and training, proven to defend against cyber threats. With its user-friendly platform, simplified progression framework, year-round protection and unlimited support, implementing Essential Eight controls has never been easier for Australian businesses.

                As cybercrime escalates in Australia, with 94,000 incidents reported in 2023* alone (equivalent to one report every 6 minutes!), completing Essential Eight – the recognised Australian government standard for cybersecurity – is not just advantageous but also crucial in certain industries. CyberSmart’s solutions are specifically designed to help businesses implement these strategies effectively so they can attain and maintain a government-approved standard of cybersecurity, reducing cyber risk.

                The platform is tailored for MSPs and SMEs, who represent a critical segment in the economy but often face challenges with maintaining robust cyber defences due to limited resources and expertise. With CyberSmart, MSPs can enhance their service offerings by delivering comprehensive and cost-effective solutions to their clients, while SMBs gain access to straightforward Essential Eight assessment, without the need for extensive resources. 

                Australian SMEs will also gain access to CyberSmart Active Protect,  a powerful on-device agent that delivers comprehensive endpoint monitoring, risk management, policy enforcement, and cybersecurity awareness training. Active Protect regularly monitors and reports the status of a device by running through a series of security controls, identifying any vulnerabilities and providing simple step-by-step walkthroughs on how to fix them. 

                Jamie Ahktar, CEO at CyberSmart said, “We’re excited to expand into the Australian market with HAT Distribution. Cybercrime is a worldwide business, and the interconnected nature of global commerce in 2024 means that the more geographies we are able to offer SMBs complete cyber confidence in, the better. Almost half of Australians reported experiencing cybercrime in 2023, and we believe that the comprehensive protection we’re bringing to the Australian market will be able to limit both the success and impact of these incidents moving forward.

                Josh Gammer, General Manager of HAT Distribution said, “Amidst the ever-evolving cyber threat landscape, we are thrilled to partner with CyberSmart, a leader in cybersecurity innovation, to help more Australian businesses comply with the government’s endorsed Essential Eight framework. 

                With CyberSmart, even smaller players gain access to the tools required for assessment, and for MSPs, the partnership is a consultative business opportunity to guide their clients on a transformative journey toward stronger cyber defences.”

                For more information about CyberSmart’s cybersecurity solution for Australia, please visit https://www.cybersmart.com/au

                SME cost of living crisis

                What is the MITRE ATT&CK framework and how can it help your business?

                mitre att&ck framework

                Hackers sit somewhere between masterminds and master criminals, depending on who you ask. There’s a fascination and frustration that surrounds them and how they do their dirty work. 

                Ever wanted to get inside the mind of a hacker to help protect your business from threats like malware? The MITRE ATT&CK framework is the perfect place to start. 

                What is the MITRE ATT&CK framework?

                The MITRE ATT&CK framework is a detailed knowledge base of the tactics cybercriminals use to target victims. Using real-world examples, it shows you how hackers prepare, launch, and execute attacks. 

                The framework matrix is split into tactics and techniques. A tactic is a goal the cybercriminal wants to achieve, such as accessing credentials. A technique is the action or actions that achieve the tactical goal, such as brute force. 

                It exists to help businesses understand how cybercriminals behave in the preparation and execution of an attack. This helps raise awareness of common threats and how you can detect them in action.

                Did you know 47% of SME leaders feel more at risk of cyberattack since the start of the cost of living crisis? Find out why in our latest report.

                What does ATT&CK stand for?

                ATT&CK is an acronym for adversarial tactics, techniques, and common knowledge. 

                A deeper look at the MITRE ATT&CK framework

                The framework covers 14 tactics:

                1. Reconnaissance – finding information to plan an attack
                2. Resource development – building resources to support operations
                3. Initial access – entering a network
                4. Execution – running malicious code
                5. Persistence – maintaining network access
                6. Privilege escalation – gaining advanced access permissions
                7. Defence evasion – avoiding detection
                8. Credential access – stealing account information
                9. Discovery – gathering system and network intelligence
                10. Lateral movement – controlling remote systems
                11. Collection – gathering relevant, goal-related information
                12. Command and control – communicating with systems without detection
                13. Exfiltration – stealing network data gathered at the collection stage
                14. Impact – disrupting service availability and data integrity 

                Each tactic includes a list of techniques that explain how a hacker achieves their goal, alongside mitigation information, detection tips, and references for further reading. These are updated twice a year from public threat intelligence and incident reporting, so the information stays relevant. 

                It’s suitable for any organisation using:

                • Windows, macOS, or Linux IT systems
                • Network infrastructure devices
                • Container technologies
                • Cloud services such as IaaS, SaaS, Office 365
                • Android and iOS mobile devices

                Keeping your organisation secure

                The framework is a great resource to include in your cybersecurity strategy. 

                It encourages collaboration and information sharing, is easy-to-follow, and helps you improve your knowledge and cybersecurity posture. And, it’s free. 

                Use it alongside other cyber defence methods to give you broad coverage against common threats, including: 

                Active monitoring

                Investing in an outsourced security operation centre for 24/7 protection from cyber threats on all devices that access company data.


                Using robust antivirus or anti-malware software to prevent, detect, and remove malicious software.

                Training and qualifications

                Mandatory security training for all employees and qualifications like Cyber Essentials, Cyber Essentials Plus, and ISO 27001

                Get started with the MITRE ATT&CK framework

                With such a powerful resource at your fingertips, you’re only going to benefit by including the MITRE ATT&CK framework in your cybersecurity strategy. Share it with your colleagues so you can all play an active role in protecting your organisation from attacks. 

                SME cost of living crisis

                Social media savvy: privacy settings and security on social platforms

                security on social platforms

                Social media platforms connect us with friends, family, and colleagues but can also be a goldmine for attackers. This blog post looks at the world of social media privacy and security, exploring the potential threats and steps you can take to protect yourself (and your business) from them.

                Social media at home and work

                Social media plays a big role in both our personal and professional lives. In our personal lives, we use platforms like Facebook, Instagram, and Twitter to stay connected with loved ones, share updates, and follow our interests.

                In our work lives, LinkedIn is a go-to for professional networking, while companies use platforms like Twitter and Facebook for marketing and customer service.No matter how we use social media, it’s crucial to understand the potential risks.

                The threats you face when using social media

                Sharing information online comes with inherent risks. Common threats include:

                • Social engineering: Attackers might try to manipulate you into revealing personal information or clicking on malicious links.
                • Malware: Links or downloads shared on social media can infect your device with malware that steals data or disrupts your system.
                • Phishing scams: Fake accounts or posts might try to trick you into sending money or sharing personal details. In addition, spear phishers will often use social media to gather background information on targets. 
                • Privacy violations: Without carefully calibrated settings, your personal information and online activity could be exposed to unintended audiences.

                Social media scams in practice

                Operation Dreamjob

                In 2023 cybercriminals from the Lazarus group, an alleged North Korean state-sponsored hacking organisation, targeted employees at a Spanish-based aerospace company.

                Under the campaign ‘Operation Dreamjob’, the cybercriminals identified employees on LinkedIn, introduced themself as a recruiter from Meta and commenced a fake recruitment process.

                As the victim progressed through the rounds of the ‘recruitment process’, they were asked to demonstrate their competency by downloading and completing a quiz.

                In this case, the victim downloaded the quiz using a work computer. Unfortunately, the download contained more than a quiz and the attackers used this to access the company’s critical systems. 

                This followed a similar attack by the same group in 2022 which used fake LinkedIn job offers to steal $625 million from the Ronin Network, a blockchain network that powers the popular crypto games Axie Infinity and Axie DAO.

                Below is an example of what these attacks typically look like.

                A bad romance

                In my previous life as a cyber detective, I saw firsthand how cybercriminals frequently harness social media. This ranged from using social media platforms to execute their attacks, like above, or obtaining information from them. 

                In a previous blog post, I wrote about the case of a business owner who lost thousands of pounds after falling victim to social engineering. In this attack, the cybercriminal used open-source research to find out information about their target – the business owner. The business owners’ use of social media to advertise their business enabled the cybercriminal to locate a business website, mobile number and key information about the business owner that enabled the attacker to go on and effectively build a relationship with the victim.

                You can read more about this attack here.

                What can you do to protect yourself?

                Here are some key steps to take control of your social media privacy and security.

                1. Review and adjust privacy settings

                Every social media platform offers privacy settings that allow you to control who sees your posts and profile information. Where possible, set everything to ‘private’ or ‘followers only’.

                2. Be mindful of what you share

                Think twice before sharing personal details like your birthday, address, or phone number. Could this information be used against you?

                Don’t click on links or download attachments from unknown senders.

                4. Use strong passwords and enable multi-factor authentication

                These measures add an extra layer of security to your accounts and prevent you from being the low-hanging fruit cybercriminals target.

                6. Be cautious about location-sharing

                Consider disabling location sharing on your posts or using it selectively. Also consider what location information is in the backgrounds of your photos, as this too can be used by cybercriminals. 

                7. Limit third-party app access

                Review and restrict third-party apps’ access to your social media accounts, including add-ons and plug-ins. And, if you need to use these tools, ensure they’re reputable first.

                The founding fathers of social media created it with a utopian vision of connectivity. And, although social media has fallen a long way from those halcyon days, that doesn’t mean you can’t use it safely.

                By understanding the risks and taking proactive measures, you can create a safer and more secure social media experience. Remember, privacy and security are ongoing processes, so regularly review your settings and stay informed about evolving threats.

                Want to know more about the threats facing small businesses? Check out our guide to SMEs and the cost of living crisis. In it, you’ll find insight from real small businesses on the threats they face and practical suggestions for mitigating them.

                SME cost of living crisis

                What is quishing and how can you protect your business?

                what is quishing

                Quishing or QRishing is a brand of phishing scam that uses QR codes to trick victims into downloading malware or sharing personal data. Despite its unthreatening name, quishing poses a real risk to businesses. However, with the right knowledge, you can stop your business from falling prey to these attacks, read on for everything you need to know. 

                Why QR codes? 

                Read most media and you’ll see plenty of stories about the security threat posed by AI or the latest nation-state attack. However, cybercrime doesn’t have to involve the latest tech or be the height of nefarious sophistication. In fact, it’s often simple scams that get you. 

                QR codes have been around for almost three decades. Very few people think of them as on the bleeding edge of technology, more something you use to attend an event or scan for a marketing gimmick. Yet, since they’ve seen a resurgence in their use post-pandemic, they’ve stirred up a hornet’s nest of security problems. 

                The most prominent of these problems is quishing. QR code technology might not be sophisticated by today’s standards, but it does lend itself well to phishing scams.

                Why? Unlike a URL or email address, QR codes are hard to evaluate for legitimacy. A QR code is opaque to the human eye, making it indecipherable without a scanner. This means that by the time the victim has realised the QR code is bogus, it’s often too late. 

                Did you know that 47% of SME leaders believe cybercrime has increased during the cost of living crisis? Read our report to find out why.

                How big is the threat?

                Phishing is by far the most common form of cyberattack. According to the DCMS Cyber Security Breaches Survey 2024, 84% of businesses in the UK experienced a phishing attack in 2023. 

                When it comes to quishing specifically, the scant figures available are equally ominous. Research from cybersecurity company Vade detected over 20,600 quishing attacks in one seven-day period in 2023.

                What’s more, it isn’t just the spectre of falling victim that threatens businesses. If your business uses QR codes, cybercriminals could hijack them to target your customers. 

                What does a quishing attack look like?

                Quishing attacks are versatile and can take any number of forms. We’ve seen examples of them conducted in person, with a scammer approaching the victim and asking them to scan a QR code for some sort of benefit. However, the most common approach is to send an email, much like a typical phishing scam, with a QR code included.

                This approach was exemplified by the Microsoft 365 quishing attack in 2023. The attack began with a phishing email asking users to reactivate their multi-factor authentication (MFA). The email used the Microsoft Authenticator logo giving it a veneer of legitimacy. Once the victim scanned the code and clicked the embedded link they were sent to a webpage that infected their device with malware.

                Microsoft eventually managed to get the situation under control and issued these instructions for detecting a scam, but not before thousands of users had been attacked. 

                The most obvious fallout from a successful quishing scam is financial harm. Research from BDO found that among the six in ten organisations in the UK hit by phishing scams the average loss was around £245,000.

                What are the consequences of a breach?

                However, the potential consequences can hit more than your pocket. If the scammers manage to steal customer’s personal data, you could also be looking at serious reputational damage and regulatory fines. What’s more, your standing among partners and suppliers could take a hit too. 

                How can you protect your business? 

                Like all phishing attacks, quishing relies on social engineering to trick victims. This means it can be tricky to recognise a bogus QR code, particularly when it’s attached to a seemingly legitimate message. But that doesn’t mean it’s impossible. Here are a few things you can do to protect your business.

                1. Provide cyber awareness training for staff

                Staff security training is the most important tool for protecting your business from quishing attacks. The rationale behind this is simple. If your employees aren’t aware of what cyber threats look like, they’re much more likely to fall foul of them.

                Cyber awareness training can go a long way towards resolving this problem. It can give them the basic cyber skills to spot and avoid a potential threat. And, it needn’t be extensive or time-consuming, just a few hours a month on the basics and regular updates on new threats can make all the difference. 

                2. Deploy MFA

                Multi-factor authentication (MFA) adds an extra layer of security for your business, making it much harder for hackers to gain access. You likely already use MFA in some aspect of your online life, it’s now a requirement for most banking accounts. But if you haven’t already, switch it on for any system or application your business uses.

                3. Use an Anti-malware tool 

                Anti-malware software focuses on defending against the latest threats. An effective tool should protect your business against ransomware, spyware, sophisticated phishing attacks, and zero-day attacks. Most anti-malware tools constantly update their rules, meaning you’ll be protected swiftly against any new threats, including the malware injected by quishing scams. 

                4. Protect your network

                Your network is the gateway to your business. It’s what spear phishers are ultimately trying to gain access to when they attack you. Through it, a hacker can access just about anything your organisation does. So protect it, and protect it well. The four most simple things you can do to strengthen your network immediately are:

                • Install a network firewall to filter network traffic
                • Use a VPN to encrypt network traffic
                • Segment your network to eliminate single points of failure
                • Regularly update your router’s firmware

                5. Follow software providers’ advice 

                As we saw in the example earlier, cybercriminals will often try to imitate software providers when launching a quishing attack. Software providers such as Microsoft are all too aware of the threat and many have released guidance on how to counter a scam. 

                6. Limit user access

                Limit who has access to what within your business. Staff should only have admin rights within a system or application if it’s critical for their role. It might sound a bit draconian, but the reasoning behind it is sound. If a cybercriminal compromises a user account through a phishing campaign, the fewer permissions that account has the less damage a hacker can do.

                7. Tie it all together 

                Don’t be put off by the length of the list above. If you’re unsure about where to start, complete a cybersecurity accreditation like Cyber Essentials or ISO27001 certification. 

                These certifications can help you adopt good cybersecurity practices (including all of the above) and build your cyber confidence.

                However, you also need something that keeps your cybersecurity baseline consistently high, year-round. This is where continuous cybersecurity monitoring tools like CyberSmart Active Protect can help by giving you an ‘always-on’ view of your business’s defences.

                Want to know more about the threats facing small businesses? Check out our guide to SMEs and the cost of living crisis. In it, you’ll find insight from real small businesses on the threats they face and practical suggestions for mitigating them. 

                SME cost of living crisis

                Antivirus vs anti-malware: what’s the difference?

                Antivirus vs anti-malware

                Antivirus and anti-malware are the basic building blocks for any small and medium enterprise’s (SME) cybersecurity strategy. They’re the most well-known cybersecurity tools, and it’s rare to find a business that doesn’t use one.

                But do you know what they protect you from, the difference between an antivirus and an anti-malware, and whether you need both? Let’s explore these key talking points.

                Malware vs viruses

                Before discussing the merits of the two types of software, we must tackle the difference between viruses and malware. Most people assume that the two things are synonymous. Isn’t ‘virus’ just a slightly dated way to say ‘malware’?

                That’s almost correct. However, this is the world of cybersecurity, so things are always a little more complicated than they first appear.

                The term ‘virus’ describes malicious code that can reproduce repeatedly – just like a biological virus. The code damages your device by corrupting your system or destroying data. Viruses are also usually considered legacy threats that have existed for a long time, and today’s cybercriminals rarely use them.

                On the other hand, malware is an umbrella term that refers to many different threats. These range from ransomware to spyware and even some newer viruses (confusing, we know). The key difference is its novelty. 

                The threats under the term malware are new, constantly evolving, and very much in use among modern cybercriminals. So, antivirus software providers have upped their game to protect customers.

                Considering cybersecurity certification but not sure where to start? Check out our guide to certifications in the UK.

                Antivirus vs anti-malware: the key differences explained

                As you might expect, antivirus usually deals with older, more established cyber threats. To illustrate, think of warnings from the noughties – endless error pop-ups, trojan horses, and worm viruses. These attacks typically enter your business through tried and tested routes such as email attachments, corrupted USBs, and other standard cyber threat delivery methods.

                These cyber nasties are generally very predictable and easy to counter. However, they can still do plenty of damage if left unchecked. 


                Anti-malware software focuses on defending against the latest threats. A good anti-malware protects your business against ransomware, spyware, sophisticated phishing attacks, and zero-day attacks. Anti-malware usually updates its rules faster than an antivirus, making it the best protection against any new threats you might encounter. 

                Antivirus vs. anti-malware: which should you choose?

                At this point, you might be wondering why you need an antivirus if anti-malware can protect your devices against the most common types of cybercrime

                Although this is a valid question, it’s a risky way to approach cybersecurity. Sure, most of the threats covered by antivirus might be dated and rarely used by the bad guys. However, that doesn’t mean they no longer exist or that they can’t still give you a significant cybersecurity headache.

                Doing without antivirus is a bit like a state deciding to focus exclusively on protection from nuclear threats while neglecting the potential for invasion by land. It’s a flawed approach that leaves your business open to attack.Instead, it’s better to take a layered approach to your cybersecurity – by which we mean installing antivirus and anti-malware software to protect your business against new and old threats. 

                Choosing cybersecurity solutions isn’t an either/or dilemma

                Antivirus and anti-malware aren’t mutually exclusive. A truly effective cybersecurity strategy includes tools, training, and measures to counter any threat. Something as simple as a Cyber Essentials certification ensures your business complies with the basic requirements to deter cyber threats. This is because the steps to get qualified include:

                • Data encryption
                • Firewalls
                • User access management
                • Software and operating system updates

                You get support and clear step-by-step instructions for mitigating malware in your business so you don’t overlook any vulnerabilities. Learn how easy it is to get certified today.

                Cybersecurity certifications

                Malware-as-a-Service and the rise of DIY cybercrime

                malware as a service

                Cybercriminals are always looking for the next sophisticated method to target businesses. And as a small business owner, it can sometimes feel impossible to keep up with the latest developments. However, knowledge is power, which is why we bring you regular updates. Let’s explore the latest trends in DIY cybercrime and Malware-as-a-Service, and how to mitigate them. 

                What is Malware-as-a-Service?

                Malware-as-a-Service (MaaS) is a business model used by cybercriminals known as MaaS operators. MaaS operators lease their software, hardware, and related infrastructure to others for a fee. This enables malicious criminals to distribute pre-made malware, even with minimal coding skills. 

                You might’ve heard of similar terms like a Software-as-a-Service model, where an end-user purchases a pre-made software solution for their business or personal use. MaaS is the same concept but with malicious software. MaaS operators distribute the software on the dark web and sometimes even provide customer support to nefarious clientele.

                Did you know that 47% of SME leaders feel more at risk of a cyberattack since the beginning of the cost of living crisis? Find out why in our latest report.

                What is DIY cybercrime?

                DIY cybercrime, or do-it-yourself cybercrime, is where a cybercriminal uses a pre-made solution to execute malicious activity. For example, they purchase ready-to-use Malware-as-a-Service, quickly get it up and running, and then use it to distribute malware to their target.

                The worrying thing about DIY cybercrime is that anyone can purchase and use an off-the-shelf tool. It has never been easier for criminals to distribute malware, engage in phishing, and more. 

                At this point, you might be shaking your head and thinking, ‘D-I-WHY?!’ But don’t worry, all is not lost. You can dramatically reduce the threat to your business by putting the correct cybersecurity solutions in place.

                Malware-as-a-Service examples


                ZeuS, or ZBOT, is a MaaS package that runs on Microsoft Windows. It was designed to steal sensitive information like banking credentials. First detected in 2007, it has successfully targeted large organizations like Amazon, Bank of America, and NASA.


                SpyEye is a computer program that infects victims’ devices and steals sensitive data. In a rare case of justice, the creator of SpyEye was caught and sentenced to nine and half years in US federal prison. However, this hasn’t stopped the presence of SpyEye across the internet.

                Blackhole Exploit Kit

                Released on an underground Russian hacking platform, Blackhole Exploit Kit made up 29% of all web threats in 2012, making it a significant threat. Since then, the exploit kit model has continued to transform and is still widely used by cybercriminals.  

                How to prevent Malware-as-a-Service attacks 

                Like all criminal activity, MaaS isn’t a threat that’ll soon disappear. But there are several simple steps to protect your business. Here’s what we think you should prioritise.

                Educate employees

                Most people don’t have in-depth knowledge of malware and DIY cybercrime. Due to the ever-changing nature of cybercrime, your employees must play a part in protecting your business. Make sure people know how to spot a malware attack in your business and provide them with training and resources so they stay informed.

                Complete a cybersecurity certification

                A cybersecurity certification, like Cyber Essentials, is an excellent way to quickly implement robust security measures in your business. This is because the steps to qualify help you attain certification status and proactively mitigate against malware. 

                Additionally, many companies find that the steps help them identify overlooked vulnerabilities in their business that they might otherwise be unaware of. It covers a broad range of factors like:

                • Implementing data encryption
                • Using firewalls
                • Managing user access
                • Updating software and operating systems

                For more information on accreditations, we recommend reading our guide to cybersecurity certifications in the UK.

                Monitor your security round-the-clock

                Certification is a great starting point for putting in place the right defences and building your cyber confidence. However, cybercriminals won’t only attack on certification day, so you need a way of monitoring your defences year-round. You could approach this manually, but beware it’ll be time-consuming and require familiarity with cybersecurity best practices.

                An alternative is to use a cybersecurity monitoring service, like CyberSmart Active Protect, which checks for vulnerabilities around the clock and ensures everyone in your business is working safely. Likewise, a vulnerability management tool can help you get ahead of the latest developments in cybercrime.

                Want to know more about the threats facing small businesses like yours? Then have a read of our SME cost of living crisis report. It’s packed full of insight into how small businesses are defending themselves during an economic downturn.

                SME cost of living crisis

                What is spear phishing?

                What is spear phishing?

                For many people, hearing the phrase ‘spear phishing’ conjures up images of intrepid divers hunting for their dinner in azure seas. However, much like ‘trojan horse’ the term has come to meet something quite different.

                According to research, 50% of businesses were victims of spear phishing in 2022, with the typical organisation receiving 5 attacks daily. So the threat is real. But how does a spear phishing attack work? How does it differ from a phishing attack? Most critically, what can your business do to protect itself?

                How a spear phishing attack works

                Spear phishing is a form of phishing attack. However, unlike the ‘spray and pray’ approach of a conventional attack, spear phishing targets specific individuals, usually within a single organisation. The ‘spear’ in its name reflects this specific targeting.

                A spear-phishing attack typically aims to gain privileged access. This is used to steal sensitive data or infect the target (and often their wider network) with malware.

                Unlike your common-or-garden phishing attack, spear phishers assiduously research their targets. They do this so that the eventual attack appears to come from a trusted source, such as a boss or client. Spear phishing also uses social engineering techniques to dupe the victim into clicking on a link or granting access. 

                Let’s delve a little deeper into how it works.

                Trying to protect your business on a budget? Start by reading our guide.

                Anatomy of a spear phishing attack

                We’ve established what a spear phishing attack is, but how do they work? Typically, a spear phishing attack has five stages. These are:

                1. Goal setting 

                The first stage is a simple one. After deciding to turn to crime, the bad guys start by plotting out what they want to achieve with the attack. It could be stealing ransomable data, causing disruption or myriad other goals.

                2. Picking the target(s)

                This stage usually involves a round of preliminary research. Which organisation should they target? Who works at the business they want to target? Are they likely to have access to the data or systems they want to access? Who are the senior leaders within the target organisation? How can they be reached?

                These are the questions a cybercriminal will seek to answer as they lay the groundwork. Once they have, it’s time to go a level deeper.

                3. Building a profile of the victim(s)

                By now, the cybercriminals should have a solid idea of which organisation they want to attack and who within it makes the best targets. Next, it’s a case of getting to know their victims. 

                Spear phishers scour social media profiles and platforms like LinkedIn to discover contact details, the victim’s network of family and friends, business contacts, where they shop or bank, and even places they frequent. This information allows cybercriminals to build a rich profile of who the target is, allowing them to tailor the scam specifically to the victim.

                4. Initiate contact and use social engineering techniques

                Now the scheme has been devised, the cybercriminals launch their attack. Spear phishing emails usually use social engineering techniques such as creating a sense of urgency, trust or authority. The key to a good spear phishing scam is that it appears legitimate because the ‘sender’ is an individual or company the victim regularly engages with and contains at least some, authentic information.

                The most expensive spear phishing attacks of all time

                1. Google and Facebook 

                This is perhaps the most famous phishing scam of all time. Between 2013 and 2015, Google and Facebook fell prey to a £77m Spear phishing campaign. Essentially, a Lithuanian cybercriminal named Evaldas Rimasauskas posed as an Asian supplier of both companies, sending fake invoices to key leadership figures within the tech firms. 

                Rimasauskas was eventually caught but not before he’d managed to defraud two of the largest companies in the world out of an eye-watering sum. 

                2. Ubiquiti Networks 

                In 2015, networking giant Ubiquiti was hit with a £36.7m spear phishing campaign. According to the company’s statement on the breach, it resulted from “employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department.” In other words, the company fell victim to a classic spear phishing attack. 

                3. Colonial Pipeline 

                Of all the incidents on this list, the Colonial Pipeline attack in 2021 is the most sinister. It remains the largest publicly disclosed attack on US infrastructure to date. The breach was so serious that the US government considered it a national security threat. 

                The attack had several stages. First, the hacker group DarkSide discovered a vulnerability exposed in a previous breach. A Colonial Pipeline employee had likely used the same VPN password in another location, exposing the company’s network.

                Next, the hackers used this password to access the Colonial Pipeline, stealing over 100 gigabytes of data in just two hours. Following this, DarkSide injected the network with ransomware that infected several systems, including billing and accounting.

                We don’t have a definitive figure for how much the breach cost Colonial Pipeline. We know the company paid DarkSide £3.47m for the decryption key for the ransomed data. However, the real losses could have been astronomical. Colonial Pipeline supplies oil to the entire US East Coast and the attack shut down its operations for a week. This meant the non-delivery of approximately 20 billion gallons of oil, worth around £2.7 billion at the time.

                Spear phishing affects small businesses too 

                Although all of the examples above feature globe-bestriding businesses, this doesn’t mean there’s no threat to small businesses. Unfortunately, nothing could be further from the truth.
                According to research, on average the employee of a small business will experience 350% more phishing and social engineering attacks than a staff member at a larger enterprise. 

                Why? Well, while cybercriminals are undoubtedly motivated by the prestige and financial rewards that come with the scalp of a global enterprise, small businesses represent an easy target.

                SMEs typically have weaker defences and less developed cybersecurity practices than their corporate counterparts, for one. However, that’s not the only reason. SMEs’ employees can often be turned more easily to a cybercriminal’s malicious ends, whether through actively colluding with criminals or negligence.

                Indeed, CyberSmart’s research revealed that 22% of SME leaders believe employees are more likely to make mistakes – such as clicking on a phishing link – since the cost of living crisis began. Meanwhile, 20% believe employees will steal sensitive or proprietary data from the company to sell for profit or a competitive advantage.

                How to protect your business 

                There’s no denying that small businesses are vulnerable to spear phishing attacks. Nevertheless, becoming a victim of this kind of breach isn’t inevitable. There are plenty of things you can do to ensure your business is protected.

                1. Use a VPN 

                A virtual private network (VPN) is essential for remote working. If your business employs anyone who accesses company systems through a network that isn’t your own, even if only occasionally, you need one. Unsecured networks pose a huge threat to your business which a VPN can easily counter. 

                Rather than using the public network, a VPN routes your traffic through specialised servers and encrypts your data. This makes it virtually impossible for cybercriminals to break in through a public network (unless they have the password or encryption key as we saw in the Colonial Pipeline case).

                2. Staff training 

                As mentioned earlier, Spear Phishing relies on social engineering techniques, using our human nature against us. This is tricky to counter, but not impossible. Cybersecurity awareness training can help your people recognise when they’re being targeted and give them the skills they need to avoid it.

                3. Patch all software

                Patching is very important to cybersecurity and the good news is that it’s simple. All you need to do is update all software with the patches providers release. This will stop cybercriminals from exploiting any vulnerabilities in providers’ software to access your business.

                4. Deploy MFA

                Like VPNs multi-factor authentication (MFA) adds an extra layer of security for your business, making it much harder for hackers to gain access. You likely already use MFA in some aspect of your online life, it’s now a requirement for most banking accounts. But if you haven’t already, switch it on for any system or application your business uses.

                5. Protect your network 

                Your network is the gateway to your business. It’s what spear phishers are ultimately trying to gain access to when they attack you. Through it, a hacker can access just about anything your organisation does. So protect it, and protect it well. The four most simple things you can do to strengthen your network immediately are:

                • Install a network firewall to filter network traffic
                • Use a VPN to encrypt network traffic
                • Segment your network to eliminate single points of failure
                • Regularly update your router’s firmware

                6. Always use back-ups 

                If the worst does happen and a spear phishing attack succeeds in stealing information, data backups can mitigate the worst effects. Not only will it enable you to minimise disruption by getting systems back up and running quickly, but it’ll also weaken cybercriminals’ bargaining power if there’s a ransom to be paid.

                7. Limit user access

                Be careful to limit who has access to what within your business. Users should only have admin rights within a system or application if it’s critical for their role. The reason for this is simple; if a cybercriminal compromises a user account through a spear phishing campaign, the fewer permissions that account has the less damage a hacker can do.

                8. Tie it all together 

                If the list above appears extensive, don’t fear, there are methods which allow you to tie it all together. The first is to complete a cybersecurity accreditation like Cyber Essentials or ISO27001 certification. These certifications can help you put in place good cybersecurity practices (including all of the above) and build your cyber confidence.

                However, you also need something that keeps your cybersecurity baseline consistently high, year-round. This is where everyday cyber protection tools like CyberSmart Active Protect can help.

                Finally, none of this has to cost the earth. For more on how to protect your business on a budget, check out our guide.

                Cost of living CTA 2

                What is a banking trojan and how do you stop one?

                banking trojan

                Zeus, SpyEye, Emotet. What do those names mean to you? As much as they sound like Marvel supervillains, they’re all examples of high-profile banking trojans.

                Emerging in the mid-noughties, banking trojans have morphed into one of the most dangerous SME cybersecurity threats. But what are banking trojans? And how can you protect your business from them?

                What is a banking trojan?

                A banking trojan is a particularly nasty form of trojan horse malware that aims to give cybercriminals access to networks and confidential information stored in online banking systems.

                Banking trojans typically come in two forms:

                1. Backdoor trojans: Use backdoors in your system to circumvent security measures and gain access to your computer.
                2. Spoofers: Steal user credentials by creating a fake version of a financial institution’s login page.

                How do banking trojans work?

                A banking trojan works in much the same way as the mythological wooden horse from which it draws its name. A typical banking trojan looks and behaves like legitimate software until you install it. Once it’s on your device, it shows its true colours.

                Cybercriminals use banking trojans to:

                • Steal banking credentials
                • Make unauthorised transactions
                • Siphon funds to the attacker’s account

                Did you know that 47% of UK SMEs feel more threatened by cybercrime since the cost of living crisis began? Find out more in our latest report.

                Why are banking Trojans so dangerous? 

                Banking trojans are a particularly hazardous form of malware for several reasons. Firstly, they’re usually well disguised as legitimate software, which makes them difficult to detect for anyone who isn’t a cybersecurity expert.

                Secondly, they cause significant damage. In a worst-case scenario, a banking trojan can give cybercriminals total access to your bank accounts, which could spell financial ruin.

                How do you know when you’ve been hit? 

                Although it can be challenging to spot a banking trojan, it’s not impossible. Like any malware attack, there are a few telltale signs to look out for:

                • New or unexpected forms appearing in your bank accounts
                • Poor device performance
                • Slow or broken applications
                • Missing files
                • Unexpected pop-up windows 
                • Tasks running independently
                • Spam originating from your email accounts
                • Your anti-virus or anti-malware software stops working

                It’s important to note that none of these are conclusive proof that someone’s successfully hacked your system. Think of them as signs that suggest something isn’t quite right. So, if you’re in any doubt, it’s time to call the professionals.

                What can you do to protect your business?

                Thankfully, protecting your business against banking trojans and similar forms of malware is relatively straightforward. Beyond investing in reliable threat monitoring software, we recommend following these six simple steps.

                Use multi-factor authentication 

                Multi-factor authentication (MFA) is a security measure that requires you to provide two or more verification methods to sign into an application. Instead of asking for your username and password, MFA demands additional information such as:

                • A randomly generated PIN code sent by SMS
                • A piece of memorable information known only to you 
                • Your thumbprint

                The idea behind MFA is simple: the more locks you have on the door, the harder it is for an intruder to break in. Think of it as adding a cyber deadbolt, a door chain lock, and some cameras to keep the bad guys out.

                Train staff how to spot the signs

                Human error is responsible for as much as 90% of cyber breaches, and it’s easy to see why. Few of us are cybersecurity experts, and if you aren’t aware of what a cyber threat looks like, you’re much more likely to find yourself on the receiving end.

                Cybersecurity training can bridge this knowledge gap. Training helps staff recognise, understand, and mitigate the threats they face. What this training looks like depends on your business and the knowledge within it. For some, it’s a case of starting from scratch and covering the basics; for others, it’s about addressing specific weak spots.

                Patch software regularly 

                Patching your software is the simplest way to improve your business’s cybersecurity. Even the best software can develop vulnerabilities, suffer a breach, or become outdated. Software developers release security patches to ensure cybercriminals don’t have an easy route into their clients’ systems.

                It’s easy to install these patches. You can check your system for updates every few days or activate the auto-update setting on all company devices.

                Use a password manager 

                Many banking trojans use keyloggers – programs that record your keystrokes so cybercriminals can steal your PIN or password. Using a password manager, which doesn’t require you to type anything, instantly overcomes the threat of keyloggers.

                Only download files from trusted sources

                This might seem obvious, but if you’re unsure about the origin of a file or piece of software, don’t download it. Set clear rules throughout your business to ensure people only download software from trusted sources, such as Microsoft, Google, or Apple stores. This helps to minimise your exposure to compromised software and malware.

                Use all the security features offered by your bank

                Banks offer a range of security features. Use them! If your bank provides MFA for sign-in (virtually all of them do), use it. Many business-oriented banks also have app stores full of free or low-cost cybersecurity features. Use them, too. These little extras are often the difference between cyber safety and falling victim to a banking trojan.

                Banking trojan examples to watch out for


                Active since 2007, cybercriminals use Zeus to target Microsoft Windows and steal financial data. It quickly became one of the most successful pieces of malicious software in its class, affecting millions of systems worldwide and giving rise to a host of similar threats. After a brief lull in 2010, when the creator reportedly retired, we’ve seen an uptick in Zeus variants since the source code went public. 


                Once touted as the successor to Zeus, SpyEye established itself as one of the most dangerous banking trojans in the early 2010s. SpyEye enabled its creators to steal sensitive information from its victims’ bank accounts, including account credentials, credit card information, and PIN numbers. Its Russian creator was sentenced to nine-and-a-half years in prison in 2016.


                Emotet is a banking trojan that spreads primarily through email. These emails often use familiar branding and convincing wording to trick the victim into clicking on a malicious link. Emotet has gone through a few iterations since emerging in 2014, in an attempt to circumvent modern detection methods.

                Don’t suffer the same fate as Troy

                Understanding the threat banking trojans pose and adopting appropriate countermeasures are integral to safeguarding your financial information in today’s digital landscape.

                Simple, inexpensive malware prevention tips – like updating your software regularly, using a password manager, and educating staff – help protect your business against banking trojans and other malware strains, too.

                Want to know more about the threats facing small businesses? Check out our new research report on SMEs and the cost of living crisis.

                SME cost of living crisis

                How nation-state cyber warfare affects you

                Nation-state cyber warfare

                We live in a time of increased international tensions. You can scarcely open a newspaper or browse a news site without being greeted by conflict, both in the real world and online. We’re only two months into 2024 and the National Cyber Security Centre (NCSC) and its international partners have already issued a public warning about state-sponsored attackers.

                However, for the average small business or individual, this can seem very distant. Reports on the machinations of states and their security services can all feel ‘a bit James Bond’. Nevertheless, cyber warfare affects everyone. In this blog, we look at cyber warfare and why you should care.

                What is nation-state cyber warfare?

                Nation-state cyber warfare is best defined as:

                Cyberattacks launched by one nation-state against another, targeting critical infrastructure, government agencies, businesses, and individuals.’

                Nation-state cyber-attacks are often distinctive. The techniques employed are advanced, with highly skilled hackers tasked with executing bespoke malware. These operations are often phenomenally well-resourced, with money no object, and executed over long periods, often years.

                Did you know that 47% of UK SMEs feel more threatened by cybercrime since the cost of living crisis began? Find out more in our latest report.

                Why are nation-state attacks launched?

                There are several reasons why countries engage in cyber warfare, from its use as an extended theatre of war to attempting to exert influence on rivals’ internal affairs.

                Military operations

                Cyber warfare can act as a further weapon in support of traditional methods, as we’ve seen in the current Russia-Ukraine conflict.


                Another motivation is simple disruption, whether to send a message or destabilise an enemy. We’ve seen plenty of attacks on critical infrastructure such as power grids, financial systems, and transportation networks. Perhaps one of the most famous examples of this (although never directly attributed to any one state) is the Stuxnet worm that disabled the Iranian nuclear programme.


                Espionage is probably the most common goal of nation-state cyber warfare. State-sponsored actors might attempt to steal military intelligence, intellectual property, personal data or other sensitive information from government bodies or their supply chains. Another common use is to spy on journalists, politicians and others in positions of influence.

                For a very current example of this, check out the recent exposure of China’s ‘hackers for hire’ programme.

                To influence operations 

                Spreading misinformation, propaganda, or sowing discord can be used to destabilise a target nation. The most infamous examples of this are perhaps the 2016 US election and the UK’s Brexit referendum, with both being targeted by outside influences. And this is likely to become a live issue again as both the UK and US go to the polls in 2024.

                Stealing funds

                Nation-state attacks aren’t always for political gain. The past few years have seen the rise of nation-state actors simply stealing funds. For example, groups associated with North Korea, have stolen an estimated $2 billion (£1.6 billion) from at least 38 countries in the past five years.

                Why does this matter to you?

                Nation-state cyberattacks are a big deal, even if they don’t target you personally. For those of you who have seen ‘Leave The World Behind’ this film brings home the chilling reality of what a significant cyber attack upon a nation could look like.

                What’s more, this isn’t all the work of Hollywood screenwriters. Statistics show that in 2021, 21% of nation-state attacks targeted consumers – ordinary people like you or me. 

                The impact of these attacks can be significant too. Imagine no water or electricity because hackers targeted power grids. Or worse still, a hacked nuclear system and the apocalyptic consequences that could entail. 

                Interestingly, between 2021 and 2023 we have seen a significant increase in nation-state cyber attacks against schools. Between July ‘22 and June ‘23, schools were the most targeted sector, with 16% of all such attacks being directed at them

                The same report highlighted that 11% of attacks were directed at think tanks and non-government organisations – groups that will have some part in shaping elections.

                So while you might not be the direct target, the impact can be felt by everyone.

                Nation-state attacks in the real world

                We mentioned some of these in passing earlier, but let’s dig into some of the most famous examples of nation-state cyber warfare. 

                Stuxnet (2010)

                We almost always assume that the attacker is going to be from one of a few countries, but this nation-state attack was launched by the US and Israel. The target was an Iranian nuclear plant due to the simmering tensions between the Iranian and US governments over the former’s atomic weapons programme. 

                We recommend reading about this in more detail (it’s well-documented and very interesting) but, in summary, malicious software in the form of a worm was used to specifically target Siemens-made equipment used in the nuclear power plant. This caused an estimated 1,000 centrifuges within the plant to fail, temporarily neutralising the Iranian’s nuclear programme. 

                2016 American election (2016)

                In 2016 we saw Russian interference in US elections. The Russian government utilised thousands of fake social media profiles that purported to be Americans, spreading disinformation. This attack also targeted American politicians directly, hacking and stealing data from senior members of Hilary Clinton’s campaign committee and leaking this information online.

                And one fresh off the press…

                In February 2024, globally renowned cloud services provider Cloudflare reported unauthorised access to its internal systems by an unknown attacker.

                Although we don’t know anything for certain yet, Cloudflare suspects a nation-state actor was behind the incident. The attack involved stolen credentials being used to gain access to an Atlassian server containing documentation and a limited amount of source code.

                Unfortunately, these examples illustrate that the attacks will keep coming, which poses the question, what can you do to protect yourself or your business?

                What should I do to protect myself?

                Though few of us will be directly subjected to a nation-state attack, it’s feasible that our organisation or someone that we work with could be. 

                What can we do as individuals? 

                Start by practising good cyber hygiene, like using strong passwords, setting up multi-factor authentication, and being cautious of suspicious emails and links. Alongside this, it’s important to stay informed about emerging threats and best practices for preventing them.

                What should businesses do?

                Organisations need to implement good cybersecurity practices such as vulnerability management, incident response plans, and employee training. If you’re unsure where to begin, accreditations like Cyber Essentials can give your business a solid grounding in the fundamentals of cybersecurity. 

                What should we expect from governments?

                Apart from ensuring they have the best possible cyber defences in place, governments must also develop international norms and frameworks to promote responsible state behaviour in cyberspace.

                The EU has taken a significant step towards this in agreeing to the European Cybersecurity Scheme on Common Criteria (EUCC). This is the first scheme of three and targets IT products such as hardware, software and components.

                We can’t stop nation-state activity and, individually, we can’t significantly influence it. But, we can ensure that we are informed about these threats and influence those closest to us, be that family, friends, the leaders within organisations that we work for or the businesses we buy from.

                With AI quickly imposing upon our lives and a general election later this year, security is everyone’s responsibility and we must take this seriously.

                Want to know more about the threats facing small businesses? Check out our guide to how SMEs are handling cybersecurity during a cost of living crisis

                SME cost of living crisis