Antivirus and anti-malware are the basic building blocks for any small and medium enterprise’s (SME) cybersecurity strategy. They’re the most well-known cybersecurity tools, and it’s rare to find a business that doesn’t use one.
But do you know what they protect you from, the difference between an antivirus and an anti-malware, and whether you need both? Let’s explore these key talking points.
Malware vs viruses
Before discussing the merits of the two types of software, we must tackle the difference between viruses and malware. Most people assume that the two things are synonymous. Isn’t ‘virus’ just a slightly dated way to say ‘malware’?
That’s almost correct. However, this is the world of cybersecurity, so things are always a little more complicated than they first appear.
The term ‘virus’ describes malicious code that can reproduce repeatedly – just like a biological virus. The code damages your device by corrupting your system or destroying data. Viruses are also usually considered legacy threats that have existed for a long time, and today’s cybercriminals rarely use them.
On the other hand, malware is an umbrella term that refers to many different threats. These range from ransomware to spyware and even some newer viruses (confusing, we know). The key difference is its novelty.
The threats under the term malware are new, constantly evolving, and very much in use among modern cybercriminals. So, antivirus software providers have upped their game to protect customers.
Antivirus vs anti-malware: the key differences explained
As you might expect, antivirus usually deals with older, more established cyber threats. To illustrate, think of warnings from the noughties – endless error pop-ups, trojan horses, and worm viruses. These attacks typically enter your business through tried and tested routes such as email attachments, corrupted USBs, and other standard cyber threat delivery methods.
These cyber nasties are generally very predictable and easy to counter. However, they can still do plenty of damage if left unchecked.
Anti-malware
Anti-malware software focuses on defending against the latest threats. A good anti-malware protects your business against ransomware, spyware, sophisticated phishing attacks, and zero-day attacks. Anti-malware usually updates its rules faster than an antivirus, making it the best protection against any new threats you might encounter.
Antivirus vs. anti-malware: which should you choose?
At this point, you might be wondering why you need an antivirus if anti-malware can protect your devices against the most common types of cybercrime.
Although this is a valid question, it’s a risky way to approach cybersecurity. Sure, most of the threats covered by antivirus might be dated and rarely used by the bad guys. However, that doesn’t mean they no longer exist or that they can’t still give you a significant cybersecurity headache.
Doing without antivirus is a bit like a state deciding to focus exclusively on protection from nuclear threats while neglecting the potential for invasion by land. It’s a flawed approach that leaves your business open to attack.Instead, it’s better to take a layered approach to your cybersecurity – by which we mean installing antivirus and anti-malware software to protect your business against new and old threats.
Choosing cybersecurity solutions isn’t an either/or dilemma
Antivirus and anti-malware aren’t mutually exclusive. A truly effective cybersecurity strategy includes tools, training, and measures to counter any threat. Something as simple as a Cyber Essentials certification ensures your business complies with the basic requirements to deter cyber threats. This is because the steps to get qualified include:
Data encryption
Firewalls
User access management
Software and operating system updates
You get support and clear step-by-step instructions for mitigating malware in your business so you don’t overlook any vulnerabilities. Learn how easy it is to get certified today.
For many people, hearing the phrase ‘spear phishing’ conjures up images of intrepid divers hunting for their dinner in azure seas. However, much like ‘trojan horse’ the term has come to meet something quite different. According to research, 50% of businesses were victims of spear phishing in 2022, with the typical organisation receiving 5 attacks daily. So the threat is real. But how does a spear phishing attack work? How does it differ from a phishing attack? Most critically, what can your business do to protect itself?
How a spear phishing attack works
Spear phishing is a form of phishing attack. However, unlike the ‘spray and pray’ approach of a conventional attack, spear phishing targets specific individuals, usually within a single organisation. The ‘spear’ in its name reflects this specific targeting. A spear-phishing attack typically aims to gain privileged access. This is used to steal sensitive data or infect the target (and often their wider network) with malware.
Unlike your common-or-garden phishing attack, spear phishers assiduously research their targets. They do this so that the eventual attack appears to come from a trusted source, such as a boss or client. Spear phishing also uses social engineering techniques to dupe the victim into clicking on a link or granting access.
We’ve established what a spear phishing attack is, but how do they work? Typically, a spear phishing attack has five stages. These are:
1. Goal setting
The first stage is a simple one. After deciding to turn to crime, the bad guys start by plotting out what they want to achieve with the attack. It could be stealing ransomable data, causing disruption or myriad other goals.
2. Picking the target(s)
This stage usually involves a round of preliminary research. Which organisation should they target? Who works at the business they want to target? Are they likely to have access to the data or systems they want to access? Who are the senior leaders within the target organisation? How can they be reached?
These are the questions a cybercriminal will seek to answer as they lay the groundwork. Once they have, it’s time to go a level deeper.
3. Building a profile of the victim(s)
By now, the cybercriminals should have a solid idea of which organisation they want to attack and who within it makes the best targets. Next, it’s a case of getting to know their victims.
Spear phishers scour social media profiles and platforms like LinkedIn to discover contact details, the victim’s network of family and friends, business contacts, where they shop or bank, and even places they frequent. This information allows cybercriminals to build a rich profile of who the target is, allowing them to tailor the scam specifically to the victim.
4. Initiate contact and use social engineering techniques
Now the scheme has been devised, the cybercriminals launch their attack. Spear phishing emails usually use social engineering techniques such as creating a sense of urgency, trust or authority. The key to a good spear phishing scam is that it appears legitimate because the ‘sender’ is an individual or company the victim regularly engages with and contains at least some, authentic information.
The most expensive spear phishing attacks of all time
1. Google and Facebook
This is perhaps the most famous phishing scam of all time. Between 2013 and 2015, Google and Facebook fell prey to a £77m Spear phishing campaign. Essentially, a Lithuanian cybercriminal named Evaldas Rimasauskas posed as an Asian supplier of both companies, sending fake invoices to key leadership figures within the tech firms.
Rimasauskas was eventually caught but not before he’d managed to defraud two of the largest companies in the world out of an eye-watering sum.
2. Ubiquiti Networks
In 2015, networking giant Ubiquiti was hit with a £36.7m spear phishing campaign. According to the company’s statement on the breach, it resulted from “employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department.” In other words, the company fell victim to a classic spear phishing attack.
3. Colonial Pipeline
Of all the incidents on this list, the Colonial Pipeline attack in 2021 is the most sinister. It remains the largest publicly disclosed attack on US infrastructure to date. The breach was so serious that the US government considered it a national security threat.
The attack had several stages. First, the hacker group DarkSide discovered a vulnerability exposed in a previous breach. A Colonial Pipeline employee had likely used the same VPN password in another location, exposing the company’s network. Next, the hackers used this password to access the Colonial Pipeline, stealing over 100 gigabytes of data in just two hours. Following this, DarkSide injected the network with ransomware that infected several systems, including billing and accounting. We don’t have a definitive figure for how much the breach cost Colonial Pipeline. We know the company paid DarkSide £3.47m for the decryption key for the ransomed data. However, the real losses could have been astronomical. Colonial Pipeline supplies oil to the entire US East Coast and the attack shut down its operations for a week. This meant the non-delivery of approximately 20 billion gallons of oil, worth around £2.7 billion at the time.
Spear phishing affects small businesses too
Although all of the examples above feature globe-bestriding businesses, this doesn’t mean there’s no threat to small businesses. Unfortunately, nothing could be further from the truth. According to research, on average the employee of a small business will experience 350% more phishing and social engineering attacks than a staff member at a larger enterprise.
Why? Well, while cybercriminals are undoubtedly motivated by the prestige and financial rewards that come with the scalp of a global enterprise, small businesses represent an easy target. SMEs typically have weaker defences and less developed cybersecurity practices than their corporate counterparts, for one. However, that’s not the only reason. SMEs’ employees can often be turned more easily to a cybercriminal’s malicious ends, whether through actively colluding with criminals or negligence. Indeed, CyberSmart’s research revealed that 22% of SME leaders believe employees are more likely to make mistakes – such as clicking on a phishing link – since the cost of living crisis began. Meanwhile, 20% believe employees will steal sensitive or proprietary data from the company to sell for profit or a competitive advantage.
How to protect your business
There’s no denying that small businesses are vulnerable to spear phishing attacks. Nevertheless, becoming a victim of this kind of breach isn’t inevitable. There are plenty of things you can do to ensure your business is protected. 1. Use a VPN
A virtual private network (VPN) is essential for remote working. If your business employs anyone who accesses company systems through a network that isn’t your own, even if only occasionally, you need one. Unsecured networks pose a huge threat to your business which a VPN can easily counter.
Rather than using the public network, a VPN routes your traffic through specialised servers and encrypts your data. This makes it virtually impossible for cybercriminals to break in through a public network (unless they have the password or encryption key as we saw in the Colonial Pipeline case).
2. Staff training
As mentioned earlier, Spear Phishing relies on social engineering techniques, using our human nature against us. This is tricky to counter, but not impossible. Cybersecurity awareness training can help your people recognise when they’re being targeted and give them the skills they need to avoid it.
3. Patch all software
Patching is very important to cybersecurity and the good news is that it’s simple. All you need to do is update all software with the patches providers release. This will stop cybercriminals from exploiting any vulnerabilities in providers’ software to access your business.
4. Deploy MFA
Like VPNs multi-factor authentication (MFA) adds an extra layer of security for your business, making it much harder for hackers to gain access. You likely already use MFA in some aspect of your online life, it’s now a requirement for most banking accounts. But if you haven’t already, switch it on for any system or application your business uses.
5. Protect your network
Your network is the gateway to your business. It’s what spear phishers are ultimately trying to gain access to when they attack you. Through it, a hacker can access just about anything your organisation does. So protect it, and protect it well. The four most simple things you can do to strengthen your network immediately are:
Install a network firewall to filter network traffic
Use a VPN to encrypt network traffic
Segment your network to eliminate single points of failure
Regularly update your router’s firmware
6. Always use back-ups
If the worst does happen and a spear phishing attack succeeds in stealing information, data backups can mitigate the worst effects. Not only will it enable you to minimise disruption by getting systems back up and running quickly, but it’ll also weaken cybercriminals’ bargaining power if there’s a ransom to be paid.
7. Limit user access
Be careful to limit who has access to what within your business. Users should only have admin rights within a system or application if it’s critical for their role. The reason for this is simple; if a cybercriminal compromises a user account through a spear phishing campaign, the fewer permissions that account has the less damage a hacker can do.
8. Tie it all together
If the list above appears extensive, don’t fear, there are methods which allow you to tie it all together. The first is to complete a cybersecurity accreditation like Cyber Essentials or ISO27001 certification. These certifications can help you put in place good cybersecurity practices (including all of the above) and build your cyber confidence. However, you also need something that keeps your cybersecurity baseline consistently high, year-round. This is where everyday cyber protection tools like CyberSmart Active Protect can help. Finally, none of this has to cost the earth. For more on how to protect your business on a budget, check out our guide.
Zeus, SpyEye, Emotet. What do those names mean to you? As much as they sound like Marvel supervillains, they’re all examples of high-profile banking trojans.
Emerging in the mid-noughties, banking trojans have morphed into one of the most dangerous SME cybersecurity threats. But what are banking trojans? And how can you protect your business from them?
What is a banking trojan?
A banking trojan is a particularly nasty form of trojan horse malware that aims to give cybercriminals access to networks and confidential information stored in online banking systems.
Banking trojans typically come in two forms:
Backdoor trojans: Use backdoors in your system to circumvent security measures and gain access to your computer.
Spoofers: Steal user credentials by creating a fake version of a financial institution’s login page.
How do banking trojans work?
A banking trojan works in much the same way as the mythological wooden horse from which it draws its name. A typical banking trojan looks and behaves like legitimate software until you install it. Once it’s on your device, it shows its true colours.
Banking trojans are a particularly hazardous form of malware for several reasons. Firstly, they’re usually well disguised as legitimate software, which makes them difficult to detect for anyone who isn’t a cybersecurity expert.
Secondly, they cause significant damage. In a worst-case scenario, a banking trojan can give cybercriminals total access to your bank accounts, which could spell financial ruin.
How do you know when you’ve been hit?
Although it can be challenging to spot a banking trojan, it’s not impossible. Like any malware attack, there are a few telltale signs to look out for:
New or unexpected forms appearing in your bank accounts
It’s important to note that none of these are conclusive proof that someone’s successfully hacked your system. Think of them as signs that suggest something isn’t quite right. So, if you’re in any doubt, it’s time to call the professionals.
What can you do to protect your business?
Thankfully, protecting your business against banking trojans and similar forms of malware is relatively straightforward. Beyond investing in reliable threat monitoring software, we recommend following these six simple steps.
Use multi-factor authentication
Multi-factor authentication (MFA) is a security measure that requires you to provide two or more verification methods to sign into an application. Instead of asking for your username and password, MFA demands additional information such as:
A randomly generated PIN code sent by SMS
A piece of memorable information known only to you
Your thumbprint
The idea behind MFA is simple: the more locks you have on the door, the harder it is for an intruder to break in. Think of it as adding a cyber deadbolt, a door chain lock, and some cameras to keep the bad guys out.
Train staff how to spot the signs
Human error is responsible for as much as 90% of cyber breaches, and it’s easy to see why. Few of us are cybersecurity experts, and if you aren’t aware of what a cyber threat looks like, you’re much more likely to find yourself on the receiving end.
Cybersecurity training can bridge this knowledge gap. Training helps staff recognise, understand, and mitigate the threats they face. What this training looks like depends on your business and the knowledge within it. For some, it’s a case of starting from scratch and covering the basics; for others, it’s about addressing specific weak spots.
Patch software regularly
Patching your software is the simplest way to improve your business’s cybersecurity. Even the best software can develop vulnerabilities, suffer a breach, or become outdated. Software developers release security patches to ensure cybercriminals don’t have an easy route into their clients’ systems.
It’s easy to install these patches. You can check your system for updates every few days or activate the auto-update setting on all company devices.
Use a password manager
Many banking trojans use keyloggers – programs that record your keystrokes so cybercriminals can steal your PIN or password. Using a password manager, which doesn’t require you to type anything, instantly overcomes the threat of keyloggers.
Only download files from trusted sources
This might seem obvious, but if you’re unsure about the origin of a file or piece of software, don’t download it. Set clear rules throughout your business to ensure people only download software from trusted sources, such as Microsoft, Google, or Apple stores. This helps to minimise your exposure to compromised software and malware.
Use all the security features offered by your bank
Banks offer a range of security features. Use them! If your bank provides MFA for sign-in (virtually all of them do), use it. Many business-oriented banks also have app stores full of free or low-cost cybersecurity features. Use them, too. These little extras are often the difference between cyber safety and falling victim to a banking trojan.
Banking trojan examples to watch out for
Zeus
Active since 2007, cybercriminals use Zeus to target Microsoft Windows and steal financial data. It quickly became one of the most successful pieces of malicious software in its class, affecting millions of systems worldwide and giving rise to a host of similar threats. After a brief lull in 2010, when the creator reportedly retired, we’ve seen an uptick in Zeus variants since the source code went public.
SpyEye
Once touted as the successor to Zeus, SpyEye established itself as one of the most dangerous banking trojans in the early 2010s. SpyEye enabled its creators to steal sensitive information from its victims’ bank accounts, including account credentials, credit card information, and PIN numbers. Its Russian creator was sentenced to nine-and-a-half years in prison in 2016.
Emotet
Emotet is a banking trojan that spreads primarily through email. These emails often use familiar branding and convincing wording to trick the victim into clicking on a malicious link. Emotet has gone through a few iterations since emerging in 2014, in an attempt to circumvent modern detection methods.
Don’t suffer the same fate as Troy
Understanding the threat banking trojans pose and adopting appropriate countermeasures are integral to safeguarding your financial information in today’s digital landscape.
Simple, inexpensive malware prevention tips – like updating your software regularly, using a password manager, and educating staff – help protect your business against banking trojans and other malware strains, too.
We live in a time of increased international tensions. You can scarcely open a newspaper or browse a news site without being greeted by conflict, both in the real world and online. We’re only two months into 2024 and the National Cyber Security Centre (NCSC) and its international partners have already issued a public warning about state-sponsored attackers. However, for the average small business or individual, this can seem very distant. Reports on the machinations of states and their security services can all feel ‘a bit James Bond’. Nevertheless, cyber warfare affects everyone. In this blog, we look at cyber warfare and why you should care.
What is nation-state cyber warfare?
Nation-state cyber warfare is best defined as:
‘Cyberattacks launched by one nation-state against another, targeting critical infrastructure, government agencies, businesses, and individuals.’
Nation-state cyber-attacks are often distinctive. The techniques employed are advanced, with highly skilled hackers tasked with executing bespoke malware. These operations are often phenomenally well-resourced, with money no object, and executed over long periods, often years.
There are several reasons why countries engage in cyber warfare, from its use as an extended theatre of war to attempting to exert influence on rivals’ internal affairs.
Military operations
Cyber warfare can act as a further weapon in support of traditional methods, as we’ve seen in the current Russia-Ukraine conflict.
Sabotage
Another motivation is simple disruption, whether to send a message or destabilise an enemy. We’ve seen plenty of attacks on critical infrastructure such as power grids, financial systems, and transportation networks. Perhaps one of the most famous examples of this (although never directly attributed to any one state) is the Stuxnet worm that disabled the Iranian nuclear programme.
Espionage
Espionage is probably the most common goal of nation-state cyber warfare. State-sponsored actors might attempt to steal military intelligence, intellectual property, personal data or other sensitive information from government bodies or their supply chains. Another common use is to spy on journalists, politicians and others in positions of influence.
Spreading misinformation, propaganda, or sowing discord can be used to destabilise a target nation. The most infamous examples of this are perhaps the 2016 US election and the UK’s Brexit referendum, with both being targeted by outside influences. And this is likely to become a live issue again as both the UK and US go to the polls in 2024.
Stealing funds
Nation-state attacks aren’t always for political gain. The past few years have seen the rise of nation-state actors simply stealing funds. For example, groups associated with North Korea, have stolen an estimated $2 billion (£1.6 billion) from at least 38 countries in the past five years.
Why does this matter to you?
Nation-state cyberattacks are a big deal, even if they don’t target you personally. For those of you who have seen ‘Leave The World Behind’ this film brings home the chilling reality of what a significant cyber attack upon a nation could look like.
What’s more, this isn’t all the work of Hollywood screenwriters. Statistics show that in 2021, 21% of nation-state attacks targeted consumers – ordinary people like you or me.
The impact of these attacks can be significant too. Imagine no water or electricity because hackers targeted power grids. Or worse still, a hacked nuclear system and the apocalyptic consequences that could entail.
Interestingly, between 2021 and 2023 we have seen a significant increase in nation-state cyber attacks against schools. Between July ‘22 and June ‘23, schools were the most targeted sector, with 16% of all such attacks being directed at them.
The same report highlighted that 11% of attacks were directed at think tanks and non-government organisations – groups that will have some part in shaping elections.
So while you might not be the direct target, the impact can be felt by everyone.
Nation-state attacks in the real world
We mentioned some of these in passing earlier, but let’s dig into some of the most famous examples of nation-state cyber warfare.
Stuxnet (2010)
We almost always assume that the attacker is going to be from one of a few countries, but this nation-state attack was launched by the US and Israel. The target was an Iranian nuclear plant due to the simmering tensions between the Iranian and US governments over the former’s atomic weapons programme.
We recommend reading about this in more detail (it’s well-documented and very interesting) but, in summary, malicious software in the form of a worm was used to specifically target Siemens-made equipment used in the nuclear power plant. This caused an estimated 1,000 centrifuges within the plant to fail, temporarily neutralising the Iranian’s nuclear programme.
2016 American election (2016)
In 2016 we saw Russian interference in US elections. The Russian government utilised thousands of fake social media profiles that purported to be Americans, spreading disinformation. This attack also targeted American politicians directly, hacking and stealing data from senior members of Hilary Clinton’s campaign committee and leaking this information online.
And one fresh off the press…
In February 2024, globally renowned cloud services provider Cloudflare reported unauthorised access to its internal systems by an unknown attacker.
Although we don’t know anything for certain yet, Cloudflare suspects a nation-state actor was behind the incident. The attack involved stolen credentials being used to gain access to an Atlassian server containing documentation and a limited amount of source code.
Unfortunately, these examples illustrate that the attacks will keep coming, which poses the question, what can you do to protect yourself or your business?
What should I do to protect myself?
Though few of us will be directly subjected to a nation-state attack, it’s feasible that our organisation or someone that we work with could be.
What can we do as individuals?
Start by practising good cyber hygiene, like using strong passwords, setting up multi-factor authentication, and being cautious of suspicious emails and links. Alongside this, it’s important to stay informed about emerging threats and best practices for preventing them.
What should businesses do?
Organisations need to implement good cybersecurity practices such as vulnerability management, incident response plans, and employee training. If you’re unsure where to begin, accreditations like Cyber Essentials can give your business a solid grounding in the fundamentals of cybersecurity.
What should we expect from governments?
Apart from ensuring they have the best possible cyber defences in place, governments must also develop international norms and frameworks to promote responsible state behaviour in cyberspace.
The EU has taken a significant step towards this in agreeing to the European Cybersecurity Scheme on Common Criteria (EUCC). This is the first scheme of three and targets IT products such as hardware, software and components.
We can’t stop nation-state activity and, individually, we can’t significantly influence it. But, we can ensure that we are informed about these threats and influence those closest to us, be that family, friends, the leaders within organisations that we work for or the businesses we buy from.
With AI quickly imposing upon our lives and a general election later this year, security is everyone’s responsibility and we must take this seriously.
Malware is almost as old as the first personal computers. And like anything that’s existed for a long time, it’s easy to become complacent about it.
However, if your business has ever fallen victim to a malware attack, you’ll know how damaging it can be. The repair costs alone can set you back thousands; then, there’s the indirect financial impact of prolonged business disruption, data loss, and reputational damage.
Yet, it’s not all doom and gloom. Armed with a little understanding, you can prepare your prepare your business and stay safe online. To help you do this, we’ve put together this short guide to help you get your head around the stages of a malware attack and how they work.
But first…
What is malware?
Malware is the umbrella term for malicious software that damages, disrupts, or gives cybercriminals access to a computer system.
Cybercriminals typically disguise malware as legitimate files, links, or attachments on a web page or email. The goal is to trick the victim into downloading the malicious program onto their device, where it can:
Steal corporate information or sensitive customer data
Delete or encrypt data
Disrupt business operations
In some cases, malware can exploit vulnerabilities in your cybersecurity to spread to other connected systems in your network.
Malware is a pervasive threat. The AV-TEST Institute registers 450,000 new types of malware every day, contributing to the estimated 1.5 billion malicious software programs and potentially unwanted applications (PUA) in the world today.
Cybercriminals and threat groups are responsible for billions of malware attacks every year – there were 5.5 billion in 2022 alone. Cybercrime, including malware, costs UK businesses an estimated £21 billion every year.
UK businesses are on the frontlines of the malware threat. 84% of UK Chief Information Security Officers (CISOs) say UK organisations are at the highest risk of material cyberattacks, with ransomware among the most common. For example, 66% of businesses fell victim to one or more ransomware attacks in 2023, marking a 44% increase from 2020.
Meanwhile, public administration experiences more malware attacks than any other sector. Public sector bodies reported 488 separate incidents between November 2021 and October 2022.
The 5 stages of a malware attack
Infected websites, email attachments, and removable media are the most common means of malware attack. But whatever the approach, they all follow a similar five-stage pattern.
Stage 1: Entry
The victim inadvertently visits a compromised website by:
Visiting a trusted website that a cybercriminal has hijacked
Clicking on a link (often embedded in an email) that redirects the victim to the compromised website
Cybercriminals can compromise a trusted website by exploiting vulnerabilities in its servers or content management system (CMS) or using stolen credentials to inject malicious code. When the victim visits the compromised web page, the malware automatically downloads the code onto their systems.
Stage 2: Distribution
After bypassing the victim’s cyber defences, the malware redirects to an exploit kit hosting site. Cybercriminals typically use hacked traffic distribution systems (TDS) to create multiple redirections, which help to conceal their activities and the identity of their exploit kit hosting site.
Traffic distribution systems use a combination of traffic filtering and fast-flux networks to hide the host site from search engines and security scans, making them harder to track down and blocklist.
Stage 3: Exploitation
The hosting site installs an exploit kit onto the victim’s system, which loads it with malicious files, including:
HTML
Java
Flash
PDF
These files probe the victim’s system, looking for vulnerabilities they can exploit to gain access to or control of the target computer. And the worst part? The technical barriers to entry for launching malware attacks get lower each year. Cybercriminals can create homemade exploit kits or, if they don’t have the coding skills, they can purchase them cheaply on the dark web.
Stage 4: Infection
Having successfully infiltrated the victim’s system, the malware delivers its harmful payload. This could be anything from ransomware to trojan horses or worms that operate silently in the background.
Stage 5: Execution
Now, the malware gets to its dirty work. Depending on the cybercriminal’s goals, this could be stealing or encrypting sensitive data to ransom back to the victim, disrupting business operations, or infiltrating other connected systems.
Malware attack examples
Malware affects everyone. Even global brands and government organisations with robust cybersecurity tools, practices, and policies have fallen prey to malware over the years.
These examples of recent high-profile attacks illustrate the extent of the threat.
LockBit (ransomware)
One of the most active ransomware strains, LockBit has affected over 1,500 businesses at a total cost of over £72 million since emerging in 2019. The Royal Mail is among its most high-profile victims. At the start of 2023, LockBit caused severe disruption to Royal Mail’s overseas delivery service after it affected one of its back-office systems. The attack lasted two months and cost over £10 million to rectify.
Conficker (worm)
One of the largest and most notorious worms in history, Conficker has infected tens of millions of computers in over 190 countries since its discovery in 2008. Its long list of victims includes government agencies (including the UK parliament), businesses, and home computers, and remains an ongoing threat. To date, it’s caused £7 billion in damages.
Emotet (trojan horse)
First discovered in 2014, the Emotet trojan has wreaked havoc on businesses and government organisations, especially in the United States. According to the Department of Justice, the trojan has infiltrated over 1.6 million computers and caused £2.5 billion in damages.
Prevention is the first step to protection
It’s not always easy to spot a malware attack. Cybercriminals use sophisticated tools and techniques to conceal their activity from victims, so it could be days, weeks, or even months before you realise something’s wrong.
Preparation is the key to protecting your business, suppliers, and customers from malware. At the very least, we recommend regularly updating your systems and software, installing a network firewall, and teaching staff cybersecurity best practices.
If you want to go one step further, consider getting a cybersecurity certification. Schemes like the government-backed Cyber Essentials are quick, easy, affordable, and effective.
Wherever you look, fraud is on the rise. According to UK Finance, there were 1.4 million cases of fraud in the first half of 2023 with criminals stealing over £580 million. And worming its way into these figures, comes a growing threat – remote access takeovers. In this blog, we’ll deal with the what and the how of remote access scams, including how to avoid falling foul of them. Read on to find out more.
How does a remote access scam work?
A remote access takeover is a form of identity theft. The principle is a simple one. Usually, the fraudster will pose as a legitimate contact, say a customer service agent from your bank. Like other social engineering attacks, the goal is to use psychology to get the victim to reveal their account details or login credentials. Once in, the bad guys can seize control of your account and use it for their own nefarious ends. It could be making unauthorised payments from your bank account or using your profile to launch phishing scams. Typically, a remote access takeover works in one of two ways: 1) The fraudster calls the victim and persuades them, through social engineering techniques, to provide account details and give them access. 2) The cybercriminal coerces their quarry into downloading malware that gives them control of the victim’s device or access to their account(s).
In common with all cybercrime, these attacks can range from the downright laughable (think the much-mocked ‘distant relative’ scams of the noughties) to the highly sophisticated.
As we mentioned in the introduction, remote access scams are something of a growth industry. Action Fraud – the UK’s national reporting centre for fraud and cybercrime – estimates that £3.8 million has been lost to remote access takeovers since June 2023.
This fits with the broader trend towards social engineering or ‘human manipulation’ scams in cybercrime. Anti-virus provider, Norton approximates these kinds of scams were responsible for 75% of all threats in the first half of 2023.
So the problem is real, which begs the question, what can you do to protect your business?
How can you protect your business?
The good news about remote access scams is that they deploy psychological techniques as old as time. Why is that a good thing? Well, it means that they’re relatively easy to stop, here’s how.
Don’t give out digital banking details
This one almost goes without saying, but never give out digital banking usernames, passwords, internet secure banking key codes or one-time passcodes (OTPs) during an unsolicited call. Whoever your business banks with won’t ask for this information over the phone. So, if someone does, it’s a sure sign of a scam.
Never install any remote access software as a result of a call
Like the previous point, no bank will ever ask you to download a remote access tool so they can access your smartphone or computer. Again, if you’re asked to do this, it’s a good indicator that the person asking isn’t legitimate, so hang up immediately. Verify telephone numbers
If you do receive a suspicious call, verify the number. There are plenty of free services just a Google away. Or, you could cut out the middleman and cross-reference the number with those listed on the provider’s website.
However, be aware that cybercriminals are getting better at this all the time, so the number may well look very similar.
Just hang up
Unleash the power of your phone’s end-call button. Seriously, if you receive a suspicious call from someone claiming to be your bank, there’s nothing stopping you from simply hanging up. Cybercriminals rely on creating a sense of urgency. It’s in those vital few seconds before we’ve really thought about the request that they do their worst work. Don’t let them. Hang up, wait a few minutes, then call your bank yourself. If it was a legitimate call they’ll let you know and, if it wasn’t, you’ll have dodged a scam.
Put processes in place
Workplaces can be stressful and mistakes happen. Policies stop the little errors we all make in our day-to-day working lives from growing into something much bigger and uglier. Ensure your business has a proper due diligence culture for any payments that include a two-tier approval. On top of this, make sure everyone is aware of remote access takeover scams and have an escalation policy in place, which brings us nicely to our final point. Educate your staff
Education is what ties all of the above points together. Ensure everyone in your business can recognise a suspicious call and is aware of the tactics cybercriminals employ. The simplest way to do this is through cybersecurity training. What this looks like will depend on your business and its needs. For some businesses, this means starting with the fundamentals. Meanwhile, for others, training addressing specific weak spots in employee knowledge is just the ticket. Whichever approach suits you, we recommend using a little and often approach. Little, because you want to keep staff engaged rather than overwhelm them. Often, so that thinking about cybersecurity becomes second nature. For more on cybersecurity training and why you need it, read this blog.
Each year, the Department for Digital, Culture, Media & Sport (DCMS) releases its hotly anticipated CyberSecurity Breaches Survey. It’s a key source of data on how businesses across the UK approach cybersecurity, the threats they face, and issues that need to be addressed in the coming year. But for all its usefulness, the report is also very long – usually stretching to thousands of words in length. So, to save you from reading the whole thing, we’ve put together a handy list of the key takeaways from the report. Here’s the stuff you need to know.
1. Assessing supply chain risk is rare for small businesses
We’ve talked about the danger supply chains pose to businesses a lot. Happily, it appears that larger businesses have begun to wake up to the risk. 63% of large businesses undertook a cybersecurity risk assessment in the last year, alongside 51% of medium-sized firms. However, the practice remains rare among smaller businesses. When the sample size is broadened to include businesses of every size, just 3 in 10 have undergone a risk assessment. Why is this happening? Well, it’s possible many businesses don’t have the resources to sanction regular risk assessments but, just as likely, is that many SMEs are simply unaware of the need.
2. A small number of businesses are taking cyber accreditations
The good news is that the proportion of UK organisations seeking extra guidance or information on cybersecurity is stable at 49% for businesses and 44% for charities. But, this does mean that a large proportion of organisations either aren’t aware of or aren’t using guidance like the NCSC’s 10 Steps to Cyber Security or the government-backed Cyber Essentials accreditation.
According to the DCMS’s findings, just 14% of businesses and 15% of charities are aware of the Cyber Essentials scheme – rising to 50% of medium businesses and 59% of large businesses. And it’s a similar story with ISO 27001 certification with just 9% of businesses and 5% of charities adhering to the standard. Again, this is higher among large businesses (27%).
Although these figures might look alarming, there are a couple of caveats to bear in mind. First of all, the Cyber Essentials scheme was always going to take some time to bear fruit, it’s worth remembering the extremely limited cyber awareness across UK businesses before its launch. What’s more, the number of certified businesses is still growing steadily, up from 500 per month in January 2017 to just under 3500 in January 2023. Added to this, the scheme was always likely to need to evolve to meet the needs of businesses. Given recent calls from UK companies for a new and improved Cyber Essentials certification, perhaps the time has come for the scheme to take the next step in its evolution.
The survey reveals that most organisations agree that they’d take several actions following a breach or cyber incident. However, the reality appears somewhat different. Only a minority of businesses (21%) have a formal incident response plan in place. This figure does rise amongst medium (47%) and large businesses (64%), indicating that it’s SMEs who are going without. Perhaps this isn’t surprising, SMEs are often time and resource-poor and creating a thorough incident response plan isn’t a small undertaking. Nevertheless, it represents an area that both government bodies and companies like CyberSmart need to focus on in the coming year.
4. The number of identified breaches has declined
At the risk of stating the obvious, cybercrime hasn’t decreased in the last year. But the number of breaches being reported by smaller businesses has declined. Just 32% of businesses and 24% of charities reported a breach or attack in the last 12 months – down from 39% of businesses and 30% of charities in the 2022 edition of the survey. What’s going on? Are SMEs simply being attacked less? Unfortunately, no. 54% of SMEs in the UK experienced some form of cyber-attack in 2022. And, if we look at the figures for large businesses (69%) and high-income charities (56%) the numbers have remained stable from the 2022 report. This seems to indicate that the drop is being driven by SMEs, which also suggests that they are undertaking less monitoring and logging of breaches than in previous years. Why? That brings us to our next key takeaway.
5. Cybersecurity is less of a priority for smaller businesses
It’s no secret that it’s a tricky time to be a small business. Economic uncertainty and a cost of living crisis have left many SMEs looking to reduce expenditure, particularly in areas like cybersecurity. This is borne out by the DCMS’s survey, with 68% of micro-businesses (10 employees or less) saying cyber security is a high priority, down from 80% last year. In practice, this can mean less tracking and reporting of breaches, weaker defences, and greater reluctance to update tools, putting small businesses at a real disadvantage. But it doesn’t have to be this way. There are methods for budget-conscious businesses to reduce costs responsibly – we’ve outlined a few here.
6. Is cyber hygiene going backwards?
Finally, cyber hygiene has long been a useful concept in helping businesses think about their security. The rationale behind it is simple. Most cyberattacks are pretty unsophisticated – think your common-or-garden phishing attack or a breach due to an unpatched vulnerability.
This means businesses can avoid falling foul of most of them by using a set of basic “cyber hygiene” measures.
The most common of these hygiene measures are updated malware protection, cloud back-ups, passwords, restricted admin rights and network firewalls. However, all of these measures have seen a gradual decline over the last few editions of the DCMS report. For example:
use of password policies (79% in 2021, vs. 70% in 2023)
use of network firewalls (78% in 2021 vs. 66% in 2023)
restricting admin rights (75% in 2021, vs. 67% in 2023)
policies to apply software security updates within 14 days (43% in 2021, vs. 31% in 2023).
DCMS analysis suggests that these trends appear to reflect shifts in the SME population, as figures across larger organisations have remained stable. As we mentioned earlier, it’s possible that, as many smaller businesses feel the pinch and place less importance on cybersecurity, cyber hygiene has begun to fall by the wayside. Whatever the reason, it’s a worrying development that could make some SMEs extremely vulnerable.
What have we learned from the DCMS Cyber Security Breaches Survey 2023?
Time to draw some broad-brush conclusions from the DCMS’s findings. First of all, the common theme running throughout the report is that the cost of living crisis is having a real impact on SMEs’ ability to protect themselves. Whether it’s the decline in breach reporting, so many businesses lacking incident response plans, or the fall in cyber hygiene standards, it’s clear SMEs need real assistance to bolster their defences.
Second, Cyber Essentials could be due for a revamp. The number of organisations who are aware of the accreditation, let alone completing it, remains too low.
Finally, although this piece may have made for a fairly grim read, there is an upside. These findings provide everyone within the UK cybersecurity industry a clear picture of where the problems lie and what we all need to do over the next 12 months to tackle them.
As attendees of our event CyberSmart Live! will know, one of the hottest topics within the cybersecurity industry at the moment is the proposed regulatory changes for managed service providers. The Department for Science, Innovation and Technology (DSIT) is planning changes to the scope of its Network & Information Systems (NIS) regulations to include MSPS.
So, to help you understand whether your business is affected and what you need to do, here’s a quick summary of the potential changes.
What are the changes?
Under the proposed framework, some MSPs (more on that later) will have a legal duty to:
Register with the Information Commissioner’s Office (ICO)
Take steps to secure their networks and information systems
Minimise the impact of incidents on their networks and information systems
Report incidents to the ICO
Why does this only apply to some MSPs?
The regulations don’t apply to small and micro providers. To qualify, your business must:
Employ more than 50 staff
Have a turnover of more than €10 million per year
On top of this, only MSPs who meet the criteria of a digital service provider (DSP) under NIS regulations need to register with the ICO. NIS defines a DSP as “providing online marketplace services, cloud computing services, online search engine services or managed services.”
What are the changes to NIS regulations for?
Cybercriminals are targeting MSPs with increasing regularity. The risk has grown so severe that security services from the ‘five eyes’ countries – Britain, the US, New Zealand, Australia and Canada – felt moved to issue an official warning in 2022.
MSPs are so attractive to hackers because they’re usually part of a supply chain and have access to clients’ networks and IT environments. And, to add the icing on the cake for any cybercriminal, MSPs typically have access to large amounts of sensitive data – everything from financial information to breakdowns of customers’ security.
We’ve seen countless examples of attacks on MSPs that lead to a huge breach across their entire client base. The NIS regulations are an answer to this. The proposed changes represent a real attempt by DSIT better to protect MSPs and their customers from the growing threat.
When are the regulations due to come into force?
As of 13th April 2023, the Government has confirmed that it will go ahead with the proposed reforms to amend the NIS Regulations. So, we’re expecting to see the changes come into force sometime in 2024. Although, it should be noted that this is subject to the government finding “a suitable legislative vehicle”.
Is there anything else you should know?
At this point, you’ve likely got some further questions about the proposed changes. Unfortunately, we don’t have space to cover everything in this blog. But, for more information, we recommend checking out our handy set of FAQs on the regulations. You should find everything you need to know to prepare you for the changes.
Times are tough for SMEs, with many facing tough financial decisions. So, to help out, we’ve put together a step-by-step guide to cybersecurity on a budget. Read it here.
Press release: Heightened risk of insider threats during cost-of-living crisis, according to SME study
Our latest research (to be released as a report) reveals fear among UK SMEs about insider threats. Some key findings include:
Nearly half of UK SMEs (47%) believe they are at greater risk of a cyberattack since the cost-of-living crisis.
38% believe this is due to increased malicious insider threats, and 35% believe it is due to negligent insider threats.
1 in 4 believe staff are overwhelmed or concerned about meeting their financial commitments.
20% believe employees will steal sensitive or proprietary data from the company to sell for profit or for a competitive advantage.
17% believe employees will seek to harm the company’s reputation due to resentment over salary cuts/stagnation and/or layoffs.
London, UK (15th June 2023) – Nearly half of UK SMEs (47%) believe they are at greater risk of a cyberattack since the onset of the cost-of-living crisis. Of these respondents, 38% believe this is due to increased malicious insider threats (i.e., disgruntled employees making decisions that are not in the best interest of the company) and 35% believe it is due to negligent insider threats (i.e., overworked or distracted employees making mistakes). This is according to a survey of a thousand SME senior leaders across the UK, commissioned byCyberSmart, the category leader in simple and accessible automated cybersecurity technology for small and medium-sized enterprises (SMEs), and conducted byCensuswide.
In light of the economic uncertainty, almost 1 in 3 employers (29%) admit that employee salaries have stayed the same: in effect, resulting in a decline of real wages to accommodate for inflation. A further 11% have even gone so far as to reduce salaries. What’s more, nearly a quarter (24%) of SMEs have hit pause on recruitment, while 16% have laid off employees for budgetary reasons.
It is no coincidence then that 1 in 4 employers (24%) are finding that their staff are overwhelmed or concerned about meeting their financial commitments, while nearly a fifth (18%) find they are feeling overworked. Moreover, 16% believe their staff are less engaged or productive due to the stress, 14% think they are more disgruntled and 11% have noticed an increased rift between senior leadership and employees.
Remarkably, employers expect their employees might engage in the following activities whilst in this unhappy state.
22% believe employees will take on a second or third job during contractual hours.
22% believe employees will be more likely to make mistakes such as clicking on a phishing link.
20% believe employees will steal sensitive or proprietary data from the company to sell for profit or for a competitive advantage.
17% believe employees will seek to harm company reputation due to resentment over salary cuts/stagnation and/or layoffs.
14% believe employees will use AI such as ChatGPT to do their job for them.
14% believe employees will steal money from the company or commit financial fraud.
“Not all businesses are experiencing a negative company culture as a result of the crisis. In fact, 20% believe the cost-of-living crisis has brought the company closer together and 16% of employees are becoming more motivated to impress senior leaders. Nevertheless, in times like these, it is crucial that employers are mindful of how their staff are coping,” said Jamie Akhtar, CEO and Co-Founder of CyberSmart. “It only takes one disgruntled or overworked member of staff to make a decision that could put the entire business at risk.This research highlights the importance of conducting regular security awareness training, but alsothe need to show up for employees with empathy and support.”
It should be noted that SME business leaders also consider external forces to be responsible for the growing risk of cyberattacks, with 32% attributing it to higher rates of supply chain fraud and 31% expressing concern about nation-state interference from hostile countries such as Russia and China.
Cyber insurance is fast becoming a necessity for modern business. In the last 12 months alone, 39% of UK businesses identified a cyberattack. And, as cyberattacks increase in number, the need for small businesses to access reasonably priced cover is only going to grow starker. However, cyber insurance is not without its problems. As the number of businesses being breached continues to grow, the industry is struggling to keep premiums at a level that’s affordable for smaller businesses. In turn, this is pushing traditional ‘standalone’ cyber insurance (without monitoring or extra protection) out of reach financially for many SMEs.
But cyber insurance isn’t the only game in town. Some software providers and cybersecurity companies are beginning to offer a complementary option – cyber warranties. Let’s dive into the what, the why and the how.
What is a cyber warranty and how does it work?
A cyber warranty is a relatively simple concept. Essentially, a cybersecurity company or software developer guarantees that they will pay out if their customers suffer a breach.
The conditions of the warranty can vary. For example, it could be that the customer has to prove they were using the company’s product when they were breached. Or, alternatively, some providers will expect the customer to adhere to a set of security standards – say the five basic controls that make up Cyber Essentials certification.
Again, the losses the warranty will cover vary from provider to provider but it’s typically a fixed amount, for example, £1m.
This is useful to SMEs for two key reasons. First, and most obviously, if something goes wrong and your business gets breached, you’ll get some money to cover the damages. Second, it should theoretically provide vendors with a huge incentive to ensure their products are totally watertight.
However, it’s not just SMEs who benefit. A cyber warranty can also give managed service providers a cost-effective method of remediating breaches for clients. Most providers allow any company doing remediation work to bill for it to the warranty, covering the costs.
Cyber warranties come with a number of benefits, both for small businesses and the cybersecurity sector. As we’ve mentioned, they provide any business offering one with a gigantic incentive to produce very secure products – which can only be good for users and the sector as a whole. Alongside this, they give customers an extra layer of protection they otherwise wouldn’t have, simply for buying software or a cybersecurity tool. What’s more, some cyber warranties ‘fill in the gaps’ in instances that insurers won’t always pay out for. For example, when a breach occurs due to a failure in a vendor’s product.
Is a cyber warranty an alternative to insurance?
While cyber warranties can function well with cyber insurance as a complementary product, they aren’t an outright alternative. This is down to some of the limitations cyber warranties have. A cyber warranty will only cover you in the conditions outlined by the vendor. For example, the warranty might not cover ransomware or business email compromise attacks. This isn’t necessarily a big problem, after all, even cyber insurance coverage is limited. However, this could leave you exposed if you don’t have alternative coverage, such as insurance.
In short, the safest approach is to view cyber warranties as a useful safeguard that works in tandem with traditional cyber insurance.
Confused about whether cyber insurance is right for your business? Check out our new guide, covering all the basics you need to make an informed decision.
