What is multi-factor authentication?


When you sign in to an online account, you’re asked to prove your identity (a process we call authentication in the cyber world). Usually, you’ll do so via a username and password. The trouble is, it’s not a very safe way to do it. Usernames can be guessed and many of us use the same, simple passwords for everything.  

So it’s been clear for some time that we need something better. Enter multi-factor authentication (MFA). But what is it? And why should you use it?

What is multi-factor authentication?

MFA is an authentication method that requires you to provide two or more verification methods to sign in to an application. Instead of just asking for your username and password, MFA adds some extras, like a randomly generated PIN code sent by SMS, a thumbprint, or a piece of memorable information known only to the user.

You’ve probably already experienced this if you’ve used online services or signed in to a Google account recently. In fact, it’s well on the way to being commonplace for most applications.

The idea behind MFA is very simple. The more locks you have on the door, the harder it is for an intruder to break in. Think of it as adding a cyber deadbolt, a door chain lock, and maybe some cameras for good measure to keep the bad guys out. 

Why does your business need it?

Again, the why is delightfully simple. Using MFA can dramatically reduce the chances of a successful cyberattack on your business. 

Passwords and user credentials are important, but they’re vulnerable to brute-force attacks and can be stolen by hackers. In contrast, an MFA method like a thumbprint or one-time PIN is very difficult for even the most dedicated cybercriminal to crack. 

On top of the obvious security benefits, you’ll also need some form of MFA to complete Cyber Essentials certification. Under the new requirements, MFA should always be used for accounts that connect to cloud services. 

What types of multi-factor authentication are there? 

Broadly speaking, there are three neat categories of MFA:

  • Information you know, such as a password, security question, or PIN
  • Objects you possess, such as a smartphone – this is where one-time PINs come in
  • Things you are, such as biometrics like thumbprints or voice recognition

2FA or MFA? 

At this point, you could be forgiven for wondering whether using MFA is overkill. After all, you probably already use two-factor authentication (2FA) for things like your business banking or office suite (Microsoft 365 or Google Workspace). Do you need the extra authentication factors? 

Remember the old maxim, beloved by school teachers and parents, ‘it’s better to be safe than sorry’? Well, it really does apply when it comes to cybersecurity. 2FA is hard for cybercriminals to crack and it’s far safer than using just a password. However, it’s a no-brainer to make the risk even smaller by adding extra layers of authentication. The harder it is for cybercriminals to breach your business, the less likely they are to succeed. 

Protecting your business on a budget is tricky. Calling in the experts or investing in the latest tools is expensive. So what can you do? CyberSmart Active Protect secures your business around the clock with no need for costly consultants, tools or an in-house team. Try it today.


What is a social engineering attack?

We all know what a classic cyberattack looks like. It usually involves hackers with high levels of technical expertise and some form of malicious tool like ransomware or malware.

However, cybercriminals don’t always use the latest malware and cyberattacks don’t have to be highly technologically advanced. There’s a whole other class of threats that harness the most powerful weapon of all – our brains.

These cyberattacks are known as social engineering attacks. But how do they work? And how can your business protect itself? 

What is social engineering? 

The term social engineering covers a broad range of malicious activities. What ties them together is that they all use human interactions to achieve their sinister ends. Broadly speaking, all social engineering attacks use psychological manipulation to trick us into making security mistakes or giving away sensitive information.

For more on how cybercriminals do this, we highly recommend our blog on how the internet encourages cybercrime. 

What does a social engineering attack look like? 

Now we know what a social engineering attack is, let’s look at how they work in practice. Although there are potentially endless types of social engineering attacks, most fall into one of four general categories.

1. Phishing 

You’ve almost certainly heard of phishing attacks. They’re by far the most common form of social engineering, but that doesn’t make them less dangerous.

Most phishing attacks seek to do three things:

  • Steal personal information such as names, addresses and banking details
  • Redirect victims to malicious websites that contain phishing landing pages or malware
  • Use threats, fear or a sense of urgency to manipulate the victim into acting quickly 

A lot of phishing attacks are poorly executed and easy to ignore. We’ve all had emails claiming to be from a well-known brand, only to notice the web address or logo is subtly wrong. However, plenty of phishing attacks do succeed.

For example, in May 2021 US fuel supplier Colonial Pipeline was subject to one of the largest ransomware attacks in history, triggering a fuel crisis in the process. It’s believed the attack began with a simple email phishing scam that managed to extract an employee password. 

So, even though they might be limited and often badly done, it’s unwise to underestimate the humble phishing scam. 

2. Piggybacking 

Also known as ‘tailgating’, piggybacking involves exactly what it sounds like (although not quite literally). In this type of attack, someone without the proper authentication follows a company employee into a restricted area. 

Here’s an example of how it might work:

  1. The attacker waits outside the company’s office, posing as a delivery driver or plumber.
  2. An employee enters using their keycard or other security accreditation.
  3. The attacker asks the employee to hold the door.
  4. They do, and suddenly the attacker has access to the building.

Once in, the attacker is one step closer to accessing confidential files, stealing company property, conducting corporate espionage, or physically attacking the business’s systems.

This might sound a bit ‘low-budget spy thriller’ but the danger is very real. And SMEs, who typically have fewer physical security checks in place, are particularly at risk.

3. Pretexting

Of the four threat types on this list, pretexting is the hardest to counter. Why? Because it relies on plausibility. A good pretexting attack will create a fabricated, but completely reasonable, scenario to try and steal information from victims.

A pretexting attack usually works something like this. The scammer poses as a supplier and claims to need information from the target to confirm their identity. They then pilfer this data and use it to steal company property, enter business systems, or launch a secondary attack. 

To give a real-world example, between 2013 and 2015 Facebook and Google were conned out of $100 million after falling for a fake invoice scam. A Lithuanian cybercriminal called Evaldas Rimasauskas realised both organisations used the infrastructure supplier Quanta Computer.

Sensing a vulnerability, he sent a series of fake multimillion-dollar invoices from Quanta Computer over two years. These invoices even included contracts and letters, apparently signed by the tech giants’ staff. 

The cybercriminal was eventually caught and Facebook and Google recovered some of the money. However, if two of the largest and most technologically advanced companies in the world can fall for such a simple scheme, so can anyone else. 

4. Quid pro quo 

Quid pro quo attacks promise a benefit in exchange for information. This benefit is usually some sort of service. 

For example, an attacker may call random phone extensions at a company, pretending to be returning a call from a technical support enquiry. Once they find someone who really has a problem, they pretend to help them but use it as an opportunity to plant malware or access important company data. 

What can you do to protect your business?

Education, education, education 

There’s a well-worn statistic that 95% of cybersecurity breaches are down to human error. But when it comes to social engineering attacks, that figure is much closer to 100%.

The best way to counter this is through security training. Training can help your employees recognise the tactics cybercriminals typically use such as impersonating a supplier, creating a sense of urgency, or offering bogus services. 

As we’ve said before, where many social engineering attacks fail is attention to detail – there’s usually something that isn’t quite right. And you can train your people to recognise these tells. Some examples include spelling mistakes, subtly different URLs, unsolicited communications and suspicious email attachments.
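One way to turn the ‘subtly different URLs’ tell into a check that can run over the links in a suspect email, as an added example that is not part of the original article: each link is reduced to its registrable domain and compared with a constructed allow-list of trusted brands (TRUSTED_DOMAINS is an assumption), flagging look-alikes built from character swaps, one-letter edits, or a real brand buried in someone else’s subdomain.

```python
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed allow-list of brands this (hypothetical) business deals with.
TRUSTED_DOMAINS = {"cybersmart.co.uk", "microsoft.com", "google.com"}

# Character swaps that read as another letter at a glance.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Naive handling of two-part suffixes such as co.uk; a real tool would use the public suffix list.
TWO_PART_SUFFIXES = {"co", "org", "ac", "gov", "net"}


def hostname_of(url: str) -> str:
    """Lower-cased hostname from a full URL or a bare domain."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Reduce login.microsoft.com to microsoft.com; cybersmart.co.uk stays as it is."""
    parts = host.split(".")
    if len(parts) >= 3 and parts[-2] in TWO_PART_SUFFIXES and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def skeleton(label: str) -> str:
    """Collapse look-alike characters so micr0soft and rnicrosoft both become microsoft."""
    for lookalike, real in CONFUSABLES:
        label = label.replace(lookalike, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one insertion, deletion or substitution per unit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(url: str) -> Tuple[str, str]:
    """Return (verdict, detail): trusted, lookalike (naming the brand imitated),
    suspicious (non-ASCII domain, needs human review) or unknown."""
    host = hostname_of(url)
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    if not host.isascii():
        return ("suspicious", domain)  # IDN homoglyphs need a full confusables table
    brand = domain.split(".")[0]
    for trusted in sorted(TRUSTED_DOMAINS):
        tbrand = trusted.split(".")[0]
        if trusted in host:  # real brand buried in a subdomain of an unrelated site
            return ("lookalike", trusted)
        if skeleton(brand) == tbrand or (len(tbrand) >= 5 and edit_distance(brand, tbrand) <= 1):
            return ("lookalike", trusted)
    return ("unknown", domain)


def triage(links: List[str]) -> List[Tuple[str, str, str]]:
    """Run assess() over every link and keep the link alongside its verdict."""
    return [(link,) + assess(link) for link in links]


if __name__ == "__main__":
    # Constructed sample links of the kind a phishing email might carry.
    sample = [
        "https://login.microsoft.com/common",
        "http://micr0soft.com/reset",
        "https://rnicrosoft.com/verify",
        "https://microsoft.com.login-secure.net/",
        "https://gooogle.com/drive",
        "https://cybersmart.co.uk/blog",
        "https://example.org/",
    ]
    for link, verdict, detail in triage(sample):
        print(f"{verdict:<10} {detail:<18} {link}")
```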

Create clear cybersecurity policies

If your people don’t know which behaviours are harmful, they can’t correct them. So, you need easy-to-follow cybersecurity policies to make it clear what behaviours are expected of them. On top of this, make sure everyone can find them. After all, there’s little point in an important policy document that spends its life languishing in a corner of the shared company drive. 

For more on why cybersecurity policies are so important and how CyberSmart can help, read this

Foster a positive cybersecurity culture 

If your business does fall foul of a social engineering attack, acting quickly could be the difference between a minor inconvenience and disaster. But for this to work, your employees need to feel comfortable asking for help, raising concerns or owning up to mistakes. 

All too often, security mistakes go unchecked and breaches become so much worse than they needed to be because staff are too afraid to report them. 

Check your cybersecurity measures

Alongside training your staff, it’s also worth checking (or implementing) your technological cybersecurity measures. These include firewalls, antivirus and anti-malware, patching and access management policies.

By having these measures in place and regularly checking them, you should be able to limit the number of attacks that ever reach your staff. 

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


What is ransomware?


Of all the cybersecurity threats we cover, ransomware is by far the most high-profile. It often seems as though barely a week passes without another story in the news about the latest blue-chip victim.  

It’s not hard to see why the media devotes so much coverage to ransomware. It’s a rapidly growing threat. It usually includes a note of suspense as we all wonder whether the victim will pay the ransom. And, it’s claimed some of the biggest companies on the planet as its victims.

But beyond the media headlines, ransomware is poorly understood. How does it work? Why is it so hard to stop? And, more importantly, what can you do to protect your business? 

How does ransomware work? 

Most ransomware uses a special kind of encryption, called ‘asymmetric encryption’. That might sound complex, but it’s actually very simple. Like standard encryption, it uses keys to encrypt and decrypt a file. However, unlike standard encryption, the attacker is the only person with access to the key needed to decrypt the file. It’s this key that the cybercriminal uses to hold the victim’s files for ransom.

Or, to put it in simple terms, it’s a bit like leaving the office to find your car has been clamped and a ticket attached to the windscreen with a demand to pay £250 to have it freed. Unfortunately, that’s where the similarities end. While you might be able to remove a clamp with the help of a mechanic, it’s virtually impossible to decrypt an encrypted file without a key. 

And it’s for this reason that in most successful ransomware attacks the victim is forced to quietly pay up to get their files back. 

How does ransomware get in? 

Much like its cousin malware, ransomware comes in many forms and can enter your system in a variety of ways. However, the most common route is through email spam campaigns or through a carefully targeted attack – think March’s attack on Acer or the infamous attack on the NHS in 2017. 

Once it’s in, the ransomware drops off its malicious cargo and then searches for valuable files to encrypt. ‘Valuable’ files are usually things like Word documents, spreadsheets, images and databases. Ransomware can also exploit any system or network vulnerabilities you have and spread across your organisation and into your supply chain.

Why is ransomware so hard to stop? 

If it poses such a huge threat, then why does ransomware continue to grow more common and payouts keep climbing? Surely someone has come up with a way to fight it? 

Unfortunately, ransomware is very tricky to counter for a few reasons.

Easy to set up

Cybercriminals no longer need to be coding wizards to launch a ransomware attack. Malware marketplaces have sprung up in the shadier corners of the internet, meaning would-be crooks can essentially order ransomware on-demand. Often all its creator will ask for in return is a share in the profits. 

Most people pay up

The success of ransomware rests on the same principle as any other type of ransom. Generally, if something is valuable to someone and they risk losing it forever, they’ll pay whatever is necessary to get it back.

Cybercriminals know this; it’s what makes ransomware such a lucrative scheme.

It’s hard to track the perpetrators down 

Remember the old adage ‘follow the money’? Sadly, it’s nonsense when it comes to ransomware. Most cybercrime is paid for using cryptocurrency and planned in the darkest reaches of the internet, making it very hard to track.

There are endless targets 

Wherever you are in the world, cybersecurity knowledge is low. It’s low among business leaders. It’s low among staff. And it’s low among the general public. This means potentially endless targets for cybercriminals.

As we mentioned earlier, ransomware typically enters organisations through pretty unsophisticated methods. However, ransomware doesn’t need to be sophisticated when so few of us understand what an attack looks like. 

How do you protect your business? 

We’ve painted a pretty bleak picture so far, but don’t despair. There’s plenty you can do to protect your business against ransomware. 

Training, training, training 

According to research, 95% of cybersecurity breaches begin with human error. This is especially true when it comes to ransomware, with most attacks starting through a dodgy email being opened or malicious file downloaded. 

But before we rush to condemn human failings, it’s worth asking whether your people have been trained to spot threats. After all, if your employees have no idea what a ransomware attack looks like, they’re far less likely to take the right action to protect themselves or your business. 

The best way to beat this is through training. Training can help your people better recognise and understand the threats they face. And, more importantly, learn how to counter them. 

The kind of training you need will be highly dependent on your business and the existing knowledge of your staff. But a great place to start is by reading our blog on all things cybersecurity training. 

Back up your data

As we mentioned earlier, most victims end up paying out to ransomers, but there’s a very simple way to avoid this. Always back up critical files and data, preferably in the cloud or on an external hard drive. That way, if you do get attacked, you can wipe your device(s) and reinstall everything from backup.

This won’t completely remove the threat of ransomware, but it will remove the need to pay your attacker to get your files back.

Patch your software

Updating software is a hassle, we get it. There never seems to be a convenient time to reboot your device and the endless passive-aggressive reminders from your operating system can get very grating. 

However, it is important, particularly when it comes to protecting yourself against ransomware. Even the best software develops vulnerabilities over time. It could be that the software was built with vulnerabilities that weren’t anticipated at the time or it might be that a new cyber threat has emerged. Whatever the reason, software developers get around the problem by releasing security patches.

These updates fix the ‘holes’ in your software that can be exploited by ransomware. Without them, you risk giving cybercriminals a back door into your systems and data.

But the good news is all you have to do is regularly update any software or tools you use. It shouldn’t take more than a few minutes each week and it’s by far the most effective (and simple) way to protect yourself. 

Read more about the importance of patching here.  

Stick to secure networks 

Whether it’s at your favourite local coffee spot or on the train to that important client meeting, using public Wi-Fi networks is a bad idea. Most public networks have poor or non-existent security and are the perfect place for cybercriminals to snoop on your internet usage and launch attacks. 

If you need to connect to a public network for any reason, use a Virtual Private Network (VPN). A VPN allows you to connect to business systems securely and browse the internet safely, wherever you are. For everything you need to know about VPNs, check out our blog on the subject.

Put security policies in place

It’s one thing to improve staff awareness of the threats posed by ransomware, quite another to ensure everyone is following security best practices. This is where a clear, easy-to-understand cybersecurity policy can work wonders. 

A well-crafted policy will help your people understand what they should and shouldn’t do and help them make the right decisions when faced with threats like ransomware. 

Stay informed

Last, try and keep an eye on the latest ransomware threats. To be clear, we’re not suggesting you become a cybersecurity expert overnight (unless you want to). However, having even a basic knowledge of what ransomware looks like can help prevent the worst. 

Is your business working remotely or considering making the switch? Don’t do anything without reading our guide to cybersecurity in a new era of work.


Why you need a VPN for remote working


Despite the common perception, VPNs aren’t just a tool for surfing the shadowy underbelly of the internet. A VPN is a vital defence against cyber threats for anyone working remotely. Here’s why your staff need one. 

What is a VPN?

In simple terms, a VPN (or virtual private network) allows you to connect to business systems securely while using a public network. A ‘public’ network could be the free connection you get on public transport, the Wi-Fi at your favourite cafe, or even your home internet router.

How does a VPN work? 

The best way to think of a VPN is as a ‘tunnel’, used only by you, between your workplace and wherever you’re working from. 

Rather than using the public network, a VPN routes your traffic through specialised servers and encrypts your data. When you connect to the internet via a VPN, all your data is sent through this encrypted tunnel. This has a couple of key advantages over using a public network:

Greater privacy

VPNs obscure your internet activity from your provider and everyone else. This effectively makes you ‘anonymous’ on the internet. Not only is this great for privacy, but it also means your IP address and location are invisible, making it much harder for cybercriminals to intercept confidential company data. 

Improved safety

An encrypted tunnel is very, very difficult to hack. VPN Mentor has produced some interesting research on the subject and concludes that the only way hackers can break VPN encryption is either through a known weakness or by stealing the encryption key (more on encryption keys here).

Essentially, a VPN is a pretty sure-fire way to ensure your business devices aren’t vulnerable to attacks coming from public networks. 

Why should your business use a VPN for remote working? 

We highly recommend using a VPN if you have employees working remotely, but why? You may be wondering whether it’s really necessary. After all, won’t the existing security on employees’ devices protect them? 

Unfortunately, this simply isn’t the case. If your employees are using public networks or their home router it’s likely to be far less secure than your office network. According to a report from BitSight, home office networks are 3.5 times more likely than corporate networks to be infected by malware. 

There’s also the human element to all this. Research shows that many employees, whether consciously or not, engage in riskier behaviour when working from home. For example, sharing confidential files via email instead of the usual, safer channels. Without the added layer of security a VPN offers, this confidential data could easily fall into the wrong hands.

Why you need a VPN for hybrid working too

If you’re planning on adopting ‘hybrid working’ as the norm post-pandemic, VPNs will be essential to keeping your business safe. 

Picture the scenario: one of your sales team has dropped into a coffee shop on the way back from an important meeting. They like the ambience of the place, so they decide to sit and fire off some emails and run through their sales deck while they sip a latte and munch on a croissant. To do this they need to connect to the cafe’s Wi-Fi, an unsecured public network.

Seems innocent enough, but on this particular day, a hacker is targeting the customers of this coffee shop. They see that your salesperson is working using the cafe Wi-Fi, and that’s all it takes. In a few seconds, the sales deck and confidential data have been stolen. Your business is facing a choice between a PR nightmare or a hefty bill to get it back.

How do you set up a VPN? 

The first step is to pick a provider. There are hundreds of VPN providers out there, each offering slight variations on the same service. Many businesses stick with the major providers such as NordVPN and ExpressVPN, and with good reason: both regularly win tech magazine ‘Editors’ Choice’ awards.

However, if you’re looking for the highest level of anonymity, smaller providers such as Mullvad VPN that require no payment or contact details could be the way to go. If in doubt, check out Tech Radar’s Best VPN Service 2021 list, which compares most of the major providers.

Once you’ve picked, setting up a VPN is relatively easy. The set-up process is almost universal among VPN providers so it shouldn’t matter which you choose. We won’t go into exactly how you do it here, but this guide from The Verge covers everything you need to know. 

Want to know more about how to switch to hybrid or remote working safely? Download our guide, Cyber Safety in a New Era of Work here.


Everything you need to know about firewalls


Firewalls can appear complicated at first glance. However, in reality, they’re easy to set up and offer an important defence against cyber threats. So, to help you better understand firewalls and how to protect your business, here’s everything you need to know. 

What is a firewall? 

A ‘firewall’ is a tool that protects your home or office systems from malicious traffic on the internet. 

Think of it as a well-armed bouncer, checking anything that enters your network for threats. It creates a barrier between a ‘trusted network’ (such as your office) and an ‘untrusted network’, like the internet. 

Firewalls keep your devices operating reliably. But they also protect you from a variety of threats, such as DoS (Denial of Service) and malicious packet attacks.

Most modern devices contain a firewall of some kind. You’ll find one built into your laptop and internet router, although, crucially, not on most smartphones. Many businesses also set up a separate hardware firewall in addition to the one built into devices for an extra layer of security.

Where does the term ‘firewall’ come from? 

The term ‘firewall’ has an interesting history (no, really). It originally referred to a wall built to contain a fire between adjacent buildings. Later, it was used to describe the metal sheet that separates the engine compartment from passengers on an aeroplane.

It wasn’t until the 1980s that ‘firewall’ first became synonymous with the internet. The term appeared in the 1983 computer-hacking movie WarGames to describe the act of filtering data coming through routers and possibly inspired its later use.

How does a firewall work?

Firewalls analyse all incoming traffic based on a set of pre-set rules. The rules are then used to filter out anything malicious or suspicious and prevent attacks. 

The slightly more technical explanation is that firewalls filter traffic at a computer’s entry points or ‘ports’. These ports are where information is exchanged with external devices. For example, a rule might look something like this:

Source address 172.18.1.1 is allowed to reach destination 172.18.2.1 over port 22.

A great analogy for understanding this is to think of an IP address (the unique number that identifies your device) as a house and port numbers as rooms within the house. Only trusted people (IP addresses) are allowed to enter the house at all. Then, once in the house, trusted people are only allowed to access certain rooms (destination ports). 

It’s much like hosting a party at your house, in that you’d probably keep some rooms off-limits. Perhaps there are some rooms that could pose a threat to children or maybe you just like your privacy, either way, the same basic principle applies to firewalls. Trusted devices are only allowed access to certain places. 

Why are firewalls important? 

Simply put, firewalls are a vital first line of defence. To return to our bouncer analogy from earlier, without a doorman anyone can enter the building. Without a firewall, anyone can get into your business.

It’s not difficult for even a relatively unsophisticated cybercriminal to probe your organisation’s devices in an attempt to break into your systems. Without a properly configured firewall, they’re much more likely to succeed. 

What’s more, the consequences can be disastrous. Not only will hackers gain access to your data and potentially leak it or use it maliciously, but the financial hit can also be severe. According to insurer Hiscox, the average cost of a breach for an SME is £11,000, and that’s before we even consider reputational damage or fines from regulators. 

A properly configured, maintained and monitored firewall will go a long way towards protecting your business. 

But what do we mean by ‘properly’ configured? Well, for your firewall to work optimally, you need to ensure it has the power to manage normal and encrypted internet traffic without slowing down your devices or compromising security. A good IT support partner can help you do this or, alternatively, automated tools like CyberSmart can guide you through the process yourself. 

Firewalls and Cyber Essentials 

You might be reading this article because you’ve come across the firewalls section of the Cyber Essentials questionnaire. Or perhaps you’re considering completing Cyber Essentials certification for your business. 

Either way, the section of Cyber Essentials dealing with firewalls can appear confusing. But, in reality, it’s very simple. You’ll be asked which firewalls you have in place, whether they are password protected, and which ‘accessible services’ they allow.

The first two elements are self-explanatory. All you need do is list the firewalls you use and set up password protection for them if you don’t already have it (the questionnaire or one of our team will provide guidance on how to do this). However, ‘accessible services’ is a little more complicated. 

What does ‘accessible services’ mean? 

‘Accessible services’ are the services whose traffic is approved to pass through the firewall. In an office environment, your firewalls will usually be configured so that IT support can access anything they need to. However, most of us aren’t working in an office at the moment, and home routers are often set up to block all services by default.

Sadly, working from home doesn’t mean the end of all IT troubles, so your remote workers may wish to allow external access to their personal router. If this is the case, then it’s best practice to allow a single, static IP address through the firewall. That way, you can be sure your IT support team, and only the IT support team, has access. 
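The rule quoted in ‘How does a firewall work?’ and the single-static-IP guidance just above, modelled as a small first-match, default-deny packet filter. This is an added example, not the article’s own or any vendor’s code; the 203.0.113.10 support address and 192.0.2.1 router address are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: IPv4Network         # who is trusted to enter the house at all
    dst: IPv4Network         # which house (destination address) they may reach
    dst_port: Optional[int]  # which room (port); None means any port
    proto: str = "tcp"


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dst_port: int
    proto: str = "tcp"


def host(addr: str) -> IPv4Network:
    """A /32 network: the rule applies to exactly one address."""
    return ip_network(f"{addr}/32")


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        pkt.src in rule.src
        and pkt.dst in rule.dst
        and pkt.proto == rule.proto
        and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
    )


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins. Nothing matching falls through to the default,
    which is deny: the same block-everything stance a home router ships with."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


def check(rules: List[Rule], src: str, dst: str, port: int, proto: str = "tcp") -> str:
    return evaluate(rules, Packet(ip_address(src), ip_address(dst), port, proto))


def overly_broad(rules: List[Rule]) -> List[Rule]:
    """Allow rules that let any source address in: worth a second look when
    deciding whether a firewall is 'properly configured'."""
    return [r for r in rules if r.action == "allow" and r.src == ip_network("0.0.0.0/0")]


# The rule quoted in the article: 172.18.1.1 may reach 172.18.2.1 over port 22.
OFFICE_RULES = [Rule("allow", host("172.18.1.1"), host("172.18.2.1"), 22)]

# Constructed placeholders (documentation address ranges) for the Cyber Essentials
# guidance: let a single static IT-support address reach the home router's admin
# interface, and nothing else.
SUPPORT_IP = "203.0.113.10"
ROUTER_ADMIN = "192.0.2.1"
HOME_ROUTER_RULES = [
    Rule("allow", host(SUPPORT_IP), host(ROUTER_ADMIN), 443),
    Rule("deny", ip_network("0.0.0.0/0"), host(ROUTER_ADMIN), None),
]


if __name__ == "__main__":
    cases = [
        (OFFICE_RULES, "172.18.1.1", "172.18.2.1", 22),    # trusted host, allowed room
        (OFFICE_RULES, "172.18.1.5", "172.18.2.1", 22),    # untrusted host, same room
        (OFFICE_RULES, "172.18.1.1", "172.18.2.1", 3389),  # trusted host, off-limits room
        (HOME_ROUTER_RULES, SUPPORT_IP, ROUTER_ADMIN, 443),
        (HOME_ROUTER_RULES, "198.51.100.7", ROUTER_ADMIN, 443),
    ]
    for rules, src, dst, port in cases:
        print(f"{src:>14} -> {dst}:{port:<5} {check(rules, src, dst, port)}")
```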

And that’s all there is to firewalls. Hopefully, this has answered most of your questions but, if there’s anything else you’d like to know, please get in touch with one of our team.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


What can the UK learn from the US cyber insurance market?


Why is the US streets ahead of the UK when it comes to businesses adopting cyber insurance? And what can we learn from our American cousins? 

Why is cyber insurance important? 

To illustrate why cyber insurance is important, let’s compare it to a business insurance policy. It’s widely accepted that any organisation operating without business insurance is at best foolhardy and at worst crazy. There are so many potential things that could go wrong. 

You could be the victim of fraud, a workplace accident could lead to legal action against you, or an electrical fire could turn your hardware into a husk of melted plastic. The possibilities are endless and any one of them could seriously damage or even end your business.

It’s vital for your business’s health (and a good night’s sleep) to know you’re covered should the worst happen. 

The same is true of cyber insurance. We’re unused to thinking of it in the same way as business cover, but cyber insurance is becoming increasingly necessary. Up to 88% of UK companies have suffered breaches in the last 12 months, according to Carbon Black. Meanwhile, Hiscox reports that a UK SME is successfully hacked every 19 seconds. 


All this means that UK SMEs are experiencing double the number of cyber risks that they did in 2018 with the average cost of a breach also quadrupling. There’s a clear case for widespread cyber insurance adoption,  so how are UK businesses doing? 

What does the cyber insurance market look like in the UK?

Given the risks we’ve just outlined, you might think that British businesses are clamouring for cyber cover. But, unfortunately, cyber insurance adoption is relatively low in the UK. 

There are a couple of reasons for this. The first is a simple case of awareness. As we mentioned earlier, getting business insurance is considered common sense by most organisations. However, awareness of the need for cyber insurance lags some way behind. We simply aren’t used to considering it as an everyday business cost. After all, if you’re lucky enough to have never been successfully attacked, why would you?

The second reason is the cost. A Deloitte survey, looking at 504 middle-market commercial insurance buyers, found that 41% of businesses claimed insurance costs were too high. And 33% of organisations reported ‘dissatisfaction with the service’.

However, it’s not all bad news. 41% of businesses still purchased cyber insurance after conducting a risk assessment. What’s more, a further 41% were prompted to buy a standalone insurance product by attacks on other industries.

Why is the US ahead?

There’s an old adage that ‘everything’s bigger in America’. It’s usually said sarcastically by embittered Europeans, but when it comes to cyber insurance it’s true.  

Despite net premiums being low for an insurance market ($1.94b in 2018), the US market is growing fast. 40% of US businesses purchased cyber coverage in 2018, with a further 40% buying for the first time in 2019. During the same period, the average US cyber claim size shot up to around $181k for an SME and over $5.5m for a large business. 

So why is the US market more advanced than what we’re currently seeing in the UK?

It’s partly because the US is at the forefront of the fight against cybercrime. The US currently leads the world in data breaches with an average breach cost of $8.64 million and is the second most attacked country on earth after Germany. So for companies based in the US, cyber threats are seen as part and parcel of business. 

However, it’s also down to public perceptions of cybercrime. Many of the most high-profile cyberattacks have been on large American companies such as Twitter, Microsoft and Marriott, meaning cybercrime is given loud and regular media coverage. This makes the threat appear much more immediate than elsewhere.

What can the UK learn from the US?

Before we delve into what the UK can learn, it’s important to note that the US market has its limitations. As recently as 2017, 75% of SMEs in the US didn’t have cyber insurance, meaning adoption hasn’t always been as widespread as figures suggest. And there’s still some mistrust of the industry. For evidence, look no further than US pharma giant Merck, which found itself at the centre of a media storm after being denied a payout following a breach.

But for the time being, at least, the US remains ahead of the UK market. So what can we learn? 

Close the expectation gap

First, UK insurers need to close the expectation gap between service and consumer within the industry. Many small businesses view themselves as not ‘valuable enough’ to be attacked. And insurers need to do more to convince SMEs that they’re being threatened because they’re ‘vulnerable rather than valuable’. 

Update the industry model 

One of the biggest barriers to greater adoption of cyber insurance is the perception among SMEs that it’s expensive. 

The current cyber insurance model was created in the early 2000s, aimed at multinationals and large tech firms on the west coast of America. The world has changed a lot since then. In an age where even the smallest businesses are online, a new approach is needed. Insurance professionals need a better understanding of the financial limitations of their market and a pricing structure to suit.

Make it easier to address cybersecurity concerns 

Perhaps the greatest difference between the US and the UK market is how proactive US insurers are. In the UK, we tend to focus on educating businesses on the importance of cybersecurity rather than helping them to get cyber secure.

Cybersecurity can be confusing and for a small business owner, the prospect of going it alone can be daunting. So more needs to be done to guide businesses along the path to better cyber hygiene. For example, recommending all clients get Cyber Essentials certified is a great start. 

What does the future hold? 

Although the UK is currently behind the US, things are unlikely to stay that way for long. The US market is slowing. Meanwhile, many insurance brokers in the City of London are targeting cyber insurance as a key area for growth post-covid. 

So are we about to enter a future where cyber insurance becomes as commonplace as business or contents insurance? That depends on insurers adapting the current, dated model in favour of an approach that supports SMEs. 

Looking to improve your cybersecurity but not sure where to begin? Start 2021 the right way, by getting certified in Cyber Essentials, the UK government scheme that covers all the basics of cyber hygiene.

Why supply chains pose the greatest cybersecurity risk to your business

What do you think of when you imagine a typical cyberattack?

If you’re like most of us, then chances are you immediately thought of a high-profile attack on a single organisation, say, the Twitter or Marriott breaches in 2020.

In reality, cybercriminals rarely enter through the front door. Here’s why supply chains pose the greatest risk to your cybersecurity.

What do we mean by supply chains? 

As a small business, you’re almost certainly part of a supply chain. Depending on what your company does, you could be a supplier, vendor, distributor or retailer. Your part in the supply chain isn’t the important thing. What’s important is the symbiotic relationship this gives you with other businesses in the chain.

Think of it as akin to the way different species exist in nature. This relationship can be mutually beneficial; bees need the pollen from flowers for food and energy, and flowers need bees for pollination. Or, the relationship can be destructive, as the increasing number of zoonotic diseases (such as COVID-19 and SARS) passed from animals to humans proves. The same is true of the ties between businesses.

Worried about the threat posed by supply chain attacks? Check out our guide to protecting your business.

Why do supply chains pose a cybersecurity risk? 

When business leaders evaluate their cybersecurity, most know the first place to look is within their organisation – at their own people, systems and infrastructure. Unfortunately, that’s no longer enough. 

According to research, up to 80% of cyberattacks now begin in the supply chain. Cybercriminals have realised that to target high-profile businesses, you don’t need to attack the organisation itself. Big corporate enterprises often have the best in cybersecurity tools and processes, so breaching their defences is difficult.

However, the SMEs who supply or provide services to these big companies usually have far more modest defences. And, crucially, they provide a ‘backdoor’ into bigger organisations by being part of the supply chain. A breach at even the smallest link in the supply chain can have dire consequences for everyone within it. This makes SMEs a prime target for cybercriminals with an eye on big enterprises. 

A great example of this is the recent SolarWinds attack. By breaching SolarWinds (an IT infrastructure provider), cybercriminals were able to gain access to some of the world’s largest tech companies, including Microsoft, Intel and Cisco. 

How to protect your business 

So, if supply chains pose such a risk to your cybersecurity, what can you do about it? Small suppliers can’t help being targeted by cybercriminals. And large enterprises can’t control what everyone in their supply chain is doing all of the time. 

Fortunately, there are a few things you can do to reduce the risks. 

Get your cybersecurity in order

Although you can’t always control what everybody else in your supply chain is doing, good cyber hygiene begins at home. This means that your priority should be ensuring your own cybersecurity is up to scratch.

A great place to start is by getting Cyber Essentials certified. The government-backed certification scheme assesses your business against five key cybersecurity controls:

  • Is your internet connection secure?
  • Are the most secure settings switched on for every company device?
  • Do you have full control over who is accessing your data and services?
  • Do you have adequate protection against viruses and malware?
  • Are devices and software updated with the latest versions? 

By ensuring these criteria are in place, you can protect your organisation against 98.5% of cybersecurity threats – including most of those that are likely to come through your supply chain. 

But don’t stop at certification. Consider using encryption and two-factor authentication on all company devices and implement a strong password policy and enforce it. 

Alongside this, put in place an easy-to-understand cybersecurity policy and make sure everyone within your business has access to it. More often than not, supply chain breaches come from staff acting in good faith. If your people don’t know which behaviours are harmful or how to spot a threat, then your business will always have a chink in its armour. Education really is the key. 

Talk to your supplier and partners 

The greatest defence against supply chain attacks is trust between partners. So talk to your suppliers and partners about their cybersecurity practices and share experiences and advice.

This may sound like something from a business self-help book, but poor communication or reluctance to admit a breach has happened can often turn a minor attack into a disaster. By fostering trust and a willingness to communicate across the supply chain, you’re effectively creating an early-warning system for your business. This can be vital in halting or at least containing the breach.

Aim to work with businesses that are Cyber Essentials certified 

Of course, building trust in any context takes time. And time isn’t always something you have when working with new partners or suppliers. So, an alternative is to insist on a minimum security standard for any business you work with. 

Cyber Essentials certification is tailor-made for this. By choosing to work only with businesses that display the Cyber Essentials logo, you ensure everyone you rely on is working to the same security standards, minimising the likelihood of a breach. How you approach this is up to you. Some businesses include it as a standard contractual clause, while others have more informal agreements in place. What matters is the assurance that your partners and suppliers take their cybersecurity responsibilities as seriously as you do. 

The top cybersecurity trends of 2020: how did we do?

The leaves have well and truly fallen, it’s bitterly cold, and Christmas is just around the corner. This can mean only one thing. It’s that very special time of year when every business releases a ‘things to look out for’ or ‘top ten trends’ post for the year ahead – cue jokes about identikit blog posts.

So, we thought we would do something a little different this year. Rather than repeat last year’s guide to cybersecurity trends for SMEs, we thought we’d look back at how we did. Where were we right on the money? And what are we eating a hefty portion of festive humble pie over?

Of course, the elephant in the room is the COVID-19 pandemic, an event virtually no one predicted. And its effects will keep cropping up throughout this blog. 

1. Increased use of AI to launch and defend against attacks

First up, AI. Back in January, we discussed the likelihood of cybercriminals increasing their use of automated attacks in 2020. We cited cybersecurity and AI expert, Justin Fier of Darktrace who predicted “AI won’t just make attacks faster or smarter. We likely can’t even fathom the way that AI will transform attacks or be leveraged by malicious actors. What we do know is that with AI attacks on the horizon, AI defences will be critical as well.”

How we did

We’d like to think we were pretty spot on with this one. AI attacks continue to plague the nightmares of security professionals. A September 2020 study from Forrester found that 88% of security professionals expect AI-driven attacks will soon become mainstream.

What’s more, there were several high-profile attacks using AI in 2020. The spear-phishing (more on that later) attack on COVID-19 vaccine supply chains is thought to have been carried out using an AI. Meanwhile, both the Vancouver Metro system and the Argentine government suffered highly coordinated ransomware attacks, thought to be backed by an AI. 

While you don’t have to be Nostradamus to predict that attacks will increase as AI technology becomes more widely available, it’s clear that it has become a rapidly growing threat. So much so that Europol issued a warning earlier this year that cybercriminals now have both the expertise and tools to use AI regularly.

It’s in this environment that we’re continuing our research into using AI and machine learning for cybersecurity defences.

2. Spear phishing: phishing attacks get personal

Spear phishing is the practice of sending out highly targeted, personalised emails to company employees and executives in a specific business, rather than a generic attack sent to thousands of random email addresses. Once clicked, these emails infect the user’s computer or device with malware. 

We predicted this type of attack would become more common in 2020, as cybercriminals learned to target time-poor executives and undertrained employees. 

How we did 

While our instinct was good, we couldn’t have predicted just how prevalent spear-phishing attacks would become in 2020. There were many high profile attacks, including Twitter, but most alarming was, of course, the attack on COVID-19 vaccine supply chains we mentioned earlier. 

And there were plenty more breaches that didn’t make the front pages. According to a report from the Anti-Phishing Working Group, the average loss to organisations from business email compromise (or spear-phishing) attacks in the second quarter of 2020 was $80,183 (£59,353). Even more alarmingly, that figure represents a $54,000 (£39,972) increase on the first quarter of this year, almost perfectly mirroring the global switch to remote working due to the pandemic.

You can find out more about how to switch to remote working safely in our latest ebook.

3. Organisations are adopting more data encryption

At the beginning of 2020, we were confident this year would be encryption’s time to shine at last. We hoped that the tool would finally gain widespread adoption, helping businesses to shut down most cyberattacks before they start. And we based this prediction on the 2019 Global Encryption Trends Study which revealed its use grew from 41% to 47% of organisations last year. 

How we did 

Sadly, our hopes of encryption taking the business world by storm in 2020 proved unfounded. It’s not all bad. Adoption has increased: Entrust’s 2020 Global Encryption Trends Study lists 48% of businesses as having encryption strategy ‘applied consistently across their enterprise’.

However, a 1% increase to 48% isn’t widespread adoption, nor is it nearly enough. Encryption is the simplest step a business can take towards protection from cyber threats. Improving the cyber health of our society depends on its adoption everywhere. Here’s hoping 2021 will be better.

Start 2021 right. Protect your business from 98.5% of security threats by getting Cyber Essentials certified.

4. Robotic Process Automation (RPA)

Of all the things on this list, Robotic Process Automation (RPA) is the one most likely to spark the imagination. So, was 2020 the year that businesses started automating in earnest and transferring tasks to our new robot masters?

How we did 

In short, no. RPA did continue to grow in popularity, with its market revenues projected to have surpassed $2.9 billion worldwide this year. And it will probably continue to do so – Grand View Research predicts a 40.6% annual growth rate in adoption between now and 2027.

However, the firms using RPA tend to be at that enterprise end of the scale. RPA is expensive and we’re a long way from it being affordable for smaller businesses. So, for the time being at least, the robots aren’t coming to an SME near you. 

5. The next wave of GDPR fines is on its way 

2019 was the year that regulators began to really flex their muscles on GDPR, doling out fines to some of the World’s largest corporations. So, naturally, we expected 2020 to deliver more of the same. 

How we did 

If anything, we underestimated this one. 2020 has been a bonanza of GDPR fines. First, Google was fined £44 million by French regulator CNIL for its breach of GDPR rules – by far the biggest fine we’ve seen yet. Then retailer H&M was hit with a £31.5 million fine by German regulators.

These were just the two highest-profile cases. Over 220 fines were handed out for GDPR violations in the first ten months of 2020, totalling more than £158 million. On top of this, July 2020 saw the highest number of fines issued in a single month since the GDPR was introduced.

So it’s clear that 2020 has been the year that regulators across Europe rolled up their sleeves and got tough on GDPR. Despite this, only 20% of US, UK, and EU companies are fully GDPR compliant. And, with all the uncertainty surrounding GDPR and Brexit, we expect 2021 to continue in the same vein.  

6. Greater threats to cloud security 

The cloud is relatively old news by now, with most businesses moving away from using physical servers sometime in the last decade. However, knowledge of how to properly secure data in a cloud has lagged far behind adoption for a while now. So we predicted 2020 would be the year that hackers began to exploit the cloud’s vulnerabilities. 

How we did 

Although cloud data breaches have been a feature of the technology since its inception, 2020 will go down as the year that businesses became much more conscious of the risks. A report from Ermetic, published in July 2020, revealed that 80% of firms surveyed have suffered some form of cloud data breach in the previous 18 months. 

This is reflected in the number of high-profile breaches we’ve seen this year, with Marriott, MGM and video conferencing software Zoom all suffering data hacks.

7. 5G and IoT devices on the rise

Everyone in the tech sector has been predicting the rise of 5G and IoT devices for a long time now. Were you to delve deep into your internet history, we’re confident you’d find it on many end-of-year predictions lists as far back as 2016. With that in mind, was this the year that 5G finally arrived on the scene?

How we did 

Let’s tackle 5G first. Unlike previous years, 2020 really did see the rollout of 5G, at least partly. Despite the controversy and political power struggles caused by the UK deciding to ban Chinese firm Huawei, 5G networks are now available in some locations across the UK. We’re still a long way from a nationwide rollout and the technology comes with problems to be ironed out, but the first shoots of a 5G-backed nation are there and growing. 

As for IoT devices, they continued their inevitable march to ubiquity. Experts estimate that the number of active IoT devices installed in 2020 reached 31 billion. This represents an 8 billion rise from 2019 and many are predicting a similar increase in 2021.

8. The cybersecurity skills gap

The Department for Digital Culture, Media and Sport (DCMS) defines the cybersecurity skills gap as businesses ‘lacking staff with the technical, incident response and governance skills needed to manage their cybersecurity.’ And it’s been a growing problem in the UK and across much of the world ever since businesses began to move their operations online.

We thought that it would become one of the defining trends of 2020. Were we right? 

How we did 

The cybersecurity gap is hard to assess in a period as limited as one year. The situation certainly didn’t improve much in 2020 but it’s hard to say whether it got any worse. The UK government did at least try to promote jobs in the sector, even if the execution was crass and very poorly judged.

However, real change in this area is likely to take years, if not decades. So for the meantime, small businesses are best served by trying to find ways around the talent shortage. For more on that, check out our October blog on the subject.

9. Employee training for threat awareness

Last on our list, threat awareness training for employees. One of the biggest trends sweeping cybersecurity in the last few years has been a growing realisation that employees have an active role to play in keeping their workplaces safe. Let’s consider how that developed in 2020. 

How we did

Like a lot of things on this list, employee awareness has been heavily influenced by the COVID-19 pandemic. As many businesses were forced to work remotely, with employees using their own networks and devices to access company data, good cyber hygiene has become more important than ever. As a result, we’ve seen more and more businesses taking staff training seriously.

Meanwhile, we’ve been busy doing what we can to help. We’re all set to release a brand new set of interactive cybersecurity training modules, downloadable through the CyberSmart platform. It’s our hope this will help make 2021 a little more cyber secure than 2020.

All in all, we’re happy with our predictions for 2020. There was a lot we couldn’t have foreseen and some of the trends we predicted didn’t take off quite as expected. But, on the whole, 2020 saw some big steps towards increased cyber awareness and hygiene in the UK. Stay tuned for more of the same in 2021. 

Looking to improve your cybersecurity but not sure where to begin? Start 2021 the right way, by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

9 signs your business has been hacked and what to do about them

It’s the stuff nightmares are made of. What started as another mundane Monday afternoon has suddenly morphed into one of your worst-case scenarios.  Your business has been hacked.

The scariest part is that you may not even notice. If you’re lucky, you may receive a ransomware notification or a good samaritan might inform you but often the telltale signs of a breach are more insidious. Here’s how to spot and tackle them.

9 warning signs you’ve been hacked – and what to do about them

Unexpected changes to files 

Many modern businesses allow for organisation-wide access to documents and real-time editing. Think tools like Google Docs or your Microsoft 365 package. Telling the difference between colleagues’ tracked changes on that ten-page report you wrote and more nefarious activity can be tricky. But it’s not impossible. 

Look for revisions outside of what you’d normally expect. For example, document name changes, or files that have been mysteriously deleted. Like fingerprints at a crime scene, all of these could point to a hacker’s presence.

What to do: To keep the hackers at bay, start by changing all company passwords, installing encryption software and double-checking everyone is following your security policy. If the problem persists, consider speaking to an expert.

Spam emails sent from company email accounts 

No one likes spam. It’s annoying and nothing turns off a prospective customer more quickly than a deluge of unwanted emails. But if you suddenly start receiving complaints from customers or unsubscribe numbers start climbing, it’s also a sure sign you’ve been hacked. 

What to do: Keep a close watch on your outgoing emails. It’s likely your marketing team are already tracking emails for key metrics, so ask them to keep an eye out for anything that looks out of place. On an individual level, regularly check the sent folder in your emails for messages that you don’t remember sending or look spammy. 

If you do discover something’s wrong, follow the steps we outlined above for file changes. 

Secure your business today. Get Cyber Essentials certified.

Unusual financial activity

It’s generally known that most hackers are out for one thing: money. So one of the most important places to regularly check is company bank accounts.

Check business statements regularly for unusual withdrawals or payments from your account. If you do spot anything, there’s a very real chance you’ve been hacked. And, remember, cybercriminals won’t necessarily steal large amounts. One of the most successful small-scale hacks of recent years involved a cybercriminal stealing from multiple businesses, a few ill-gotten cents at a time. 

What to do: If you do find irregularities, change passwords for all company accounts, turn on transaction alerts and contact your bank – most will reimburse any stolen funds.

Unwelcome installations

It can be difficult to keep track of the various tools and software everyone within your business has installed. This is particularly true in the frenetic world of an SME or startup.

Nevertheless, there’s a big difference between the tools your people need and unwanted software no one remembers installing. Sometimes this software is completely harmless. We all accidentally install a browser add-on now and then. However, there’s also a chance that if someone doesn’t remember installing something, it’s been added remotely by a cybercriminal.

What to do: The fix for unwelcome installations is a simple, but time-consuming, one. Perform regular checks on the software and toolbars in use on all company devices. And, if you find any applications that look strange or aren’t in use, uninstall them. 

Random pop-ups

Like its equally irritating cousin, spam, we all hate pop-ups. We hate them so much that more than 600 million devices (or 11% of all the devices in the world) are currently using an ad blocker.

However, there might be something more to the pop-ups you’re seeing than an annoying sideshow. If you’re getting popups from websites that wouldn’t usually generate them – particularly, reputable ones – it could indicate your system has been compromised. 

What to do: Unfortunately, there’s no quick fix for this problem. The best way to clean up your systems is to manually delete any software or toolbars you haven’t installed yourself (see above). At this point, it’s perfectly acceptable to let out a long sigh. 

Company devices behaving strangely 

When we talk about ‘devices behaving strangely’ it’s important to stress we don’t mean the ‘Wednesday afternoon go-slow’ your laptop experiences from time to time. 

We mean really strange behaviour. For example, your mouse cursor moving of its own free will or random flickering on your monitor. Both of these things could indicate something much more serious is going on.

What to do: If you do notice your device behaving strangely, it’s time to call in the experts. Disconnect your device from the internet, power it down and turn your router off. Although these steps won’t undo the breach, they will at least stop hackers inflicting any damage before you get expert help. 

Internet searches being redirected

We mentioned earlier that most hackers are interested in making money, and stealing isn’t the only way to do it. An easier, far less risky, way for cybercriminals to make a fast buck is to redirect your browser searches somewhere you don’t want to go. By redirecting your searches to another website (often the site owner has no idea the site is being used this way) the hacker gets paid for your clicks. 

What to do: If your internet searches are being redirected then there’s a high chance you’ve also got bogus toolbars and software installed on your device. Simply follow the same process we outlined earlier for software and that should fix things. 

Changes to your security settings

Cybercriminals are clever, but that doesn’t mean they’re above crude tactics. And top of the list of ‘obvious but effective’ hacker tactics is turning firewalls, ad blockers and anti-virus tools off.

Keep a close eye on your security settings. If something is turned off that shouldn’t be, it’s most likely just down to human error. However, it’s well worth switching it back on and seeing what happens. If the same thing happens again, it could mean you’ve been hacked.

What to do: By far the best thing to do is back up any files that aren’t already and do a complete system restore. There’s no telling what has happened without expert help, so the first step should always be a complete reset of any affected devices. 

Confidential data has been leaked

Of all the warning signs on this list, discovering confidential company information has been found in an online data dump is the most obvious. Unfortunately, it’s also very tricky to fix.

What to do: The information is already out there, so your actions need to be more about reputation management and preventing it from happening again, rather than addressing the immediate problem. If the worst should happen, it’s time for a full audit of your security procedures, policies and infrastructure. 

Defence starts with prevention 

It might sound cliched, but the best cure for being hacked really is prevention. Relying on anti-malware tools will only get you so far. The real gains are to be made in ensuring you have clear security protocols that prevent common mistakes, using tools like encryption and two-factor authentication, and checking company devices continually. 

Don’t wait until one of these warning signs appears. Instead, think of cybersecurity as you would office security. The more often you check doors and windows are properly locked and know exactly who has access to the keys, the less likely you are to suffer a break-in. Why should your cybersecurity be any different? 

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

New webinar: Staying cyber secure as the UK reopens

We’ve all read the headlines about ‘unprecedented times’ and how ‘things will never be the same again’ post-COVID-19. Some of the commentary on our post-pandemic world might seem a little overblown. However, for cybersecurity at least, a lot of it rings true.

As the UK begins to reopen and offices welcome staff back, businesses have emerged from the crisis into a hybrid world. The mix of remote and office working adopted by many organisations brings with it opportunity. But it also brings new security risks too (more on that here).

A recent report from VMware reveals that 91% of organisations have seen an increase in cyber attacks as a result of home working. In this environment, online protection has become more important than ever before. But how can businesses, particularly SMEs without large security budgets, become more cyber secure?

Join CyberSmart CEO and cybersecurity supremo Jamie Akhtar and Guy Waller, Partnerships Manager at Starling Bank, as they tackle the following questions in a short webinar.

  • What are the new and existing cyber-threats for businesses?
  • As businesses reopen, and staff are working both from home and the office, what new challenges does this pose?
  • What are the best ways businesses can protect themselves and stay one step ahead?

To learn more, watch the full webinar, for free, here or below.

If changes in working practices have got you thinking about improving your cybersecurity, a great place to start is with Cyber Essentials certification. It’s a simple, 24-hour certification process that could improve your protection from cyber-attacks by 99%. Get started today here.
