How nation-state cyber warfare affects you


We live in a time of increased international tensions. You can scarcely open a newspaper or browse a news site without being greeted by conflict, both in the real world and online. We’re only two months into 2024 and the National Cyber Security Centre (NCSC) and its international partners have already issued a public warning about state-sponsored attackers.

However, for the average small business or individual, this can seem very distant. Reports on the machinations of states and their security services can all feel ‘a bit James Bond’. Nevertheless, cyber warfare affects everyone. In this blog, we look at cyber warfare and why you should care.

What is nation-state cyber warfare?

Nation-state cyber warfare is best defined as:

‘Cyberattacks launched by one nation-state against another, targeting critical infrastructure, government agencies, businesses, and individuals.’

Nation-state cyber-attacks are often distinctive. The techniques employed are advanced, with highly skilled hackers tasked with executing bespoke malware. These operations are often phenomenally well-resourced, with money no object, and executed over long periods, often years.

Did you know that 47% of UK SMEs feel more threatened by cybercrime since the cost of living crisis began? Find out more in our latest report.

Why are nation-state attacks launched?

There are several reasons why countries engage in cyber warfare, from its use as an extended theatre of war to attempting to exert influence on rivals’ internal affairs.

Military operations

Cyber warfare can act as a further weapon in support of traditional methods, as we’ve seen in the current Russia-Ukraine conflict.

Sabotage

Another motivation is simple disruption, whether to send a message or destabilise an enemy. We’ve seen plenty of attacks on critical infrastructure such as power grids, financial systems, and transportation networks. Perhaps one of the most famous examples of this (although never directly attributed to any one state) is the Stuxnet worm that disabled the Iranian nuclear programme.

Espionage

Espionage is probably the most common goal of nation-state cyber warfare. State-sponsored actors might attempt to steal military intelligence, intellectual property, personal data or other sensitive information from government bodies or their supply chains. Another common use is to spy on journalists, politicians and others in positions of influence.

For a very current example of this, check out the recent exposure of China’s ‘hackers for hire’ programme.

Influence operations

Spreading misinformation, propaganda, or sowing discord can be used to destabilise a target nation. The most infamous examples of this are perhaps the 2016 US election and the UK’s Brexit referendum, with both being targeted by outside influences. And this is likely to become a live issue again as both the UK and US go to the polls in 2024.

Stealing funds

Nation-state attacks aren’t always for political gain. The past few years have seen the rise of nation-state actors simply stealing funds. For example, groups associated with North Korea have stolen an estimated $2 billion (£1.6 billion) from at least 38 countries in the past five years.

Why does this matter to you?

Nation-state cyberattacks are a big deal, even if they don’t target you personally. For those of you who have seen ‘Leave The World Behind’, the film brings home the chilling reality of what a significant cyber attack on a nation could look like.

What’s more, this isn’t all the work of Hollywood screenwriters. Statistics show that in 2021, 21% of nation-state attacks targeted consumers – ordinary people like you or me. 

The impact of these attacks can be significant too. Imagine no water or electricity because hackers targeted power grids. Or worse still, a hacked nuclear system and the apocalyptic consequences that could entail. 

Interestingly, between 2021 and 2023 we have seen a significant increase in nation-state cyber attacks against schools. Between July ’22 and June ’23, schools were the most targeted sector, with 16% of all such attacks being directed at them.

The same report highlighted that 11% of attacks were directed at think tanks and non-government organisations – groups that will have some part in shaping elections.

So while you might not be the direct target, the impact can be felt by everyone.

Nation-state attacks in the real world

We mentioned some of these in passing earlier, but let’s dig into some of the most famous examples of nation-state cyber warfare. 

Stuxnet (2010)

We almost always assume that the attacker is going to be from one of a few countries, but this nation-state attack was launched by the US and Israel. The target was an Iranian nuclear plant due to the simmering tensions between the Iranian and US governments over the former’s atomic weapons programme. 

We recommend reading about this in more detail (it’s well-documented and very interesting) but, in summary, malicious software in the form of a worm was used to specifically target Siemens-made equipment used in the nuclear power plant. This caused an estimated 1,000 centrifuges within the plant to fail, temporarily neutralising Iran’s nuclear programme.

American election (2016)

In 2016 we saw Russian interference in US elections. The Russian government utilised thousands of fake social media profiles that purported to be Americans, spreading disinformation. This attack also targeted American politicians directly, hacking and stealing data from senior members of Hillary Clinton’s campaign committee and leaking this information online.

And one fresh off the press…

In February 2024, globally renowned cloud services provider Cloudflare reported unauthorised access to its internal systems by an unknown attacker.

Although we don’t know anything for certain yet, Cloudflare suspects a nation-state actor was behind the incident. The attack involved stolen credentials being used to gain access to an Atlassian server containing documentation and a limited amount of source code.

Unfortunately, these examples illustrate that the attacks will keep coming, which poses the question, what can you do to protect yourself or your business?

What should I do to protect myself?

Though few of us will be directly subjected to a nation-state attack, it’s feasible that our organisation or someone that we work with could be. 

What can we do as individuals? 

Start by practising good cyber hygiene, like using strong passwords, setting up multi-factor authentication, and being cautious of suspicious emails and links. Alongside this, it’s important to stay informed about emerging threats and best practices for preventing them.

What should businesses do?

Organisations need to implement good cybersecurity practices such as vulnerability management, incident response plans, and employee training. If you’re unsure where to begin, accreditations like Cyber Essentials can give your business a solid grounding in the fundamentals of cybersecurity. 

What should we expect from governments?

Apart from ensuring they have the best possible cyber defences in place, governments must also develop international norms and frameworks to promote responsible state behaviour in cyberspace.

The EU has taken a significant step towards this in agreeing to the European Cybersecurity Scheme on Common Criteria (EUCC). This is the first scheme of three and targets IT products such as hardware, software and components.

We can’t stop nation-state activity and, individually, we can’t significantly influence it. But we can ensure that we are informed about these threats and influence those closest to us, be that family, friends, the leaders within organisations that we work for or the businesses we buy from.

With AI quickly imposing upon our lives and a general election later this year, security is everyone’s responsibility and we must take this seriously.

Want to know more about the threats facing small businesses? Check out our guide to how SMEs are handling cybersecurity during a cost of living crisis.


6 key takeaways from the DCMS Cyber Security Breaches Survey 2023


Each year, the Department for Digital, Culture, Media & Sport (DCMS) releases its hotly anticipated Cyber Security Breaches Survey. It’s a key source of data on how businesses across the UK approach cybersecurity, the threats they face, and issues that need to be addressed in the coming year.

But for all its usefulness, the report is also very long – usually stretching to thousands of words in length. So, to save you from reading the whole thing, we’ve put together a handy list of the key takeaways from the report. Here’s the stuff you need to know. 

1. Assessing supply chain risk is rare for small businesses

We’ve talked about the danger supply chains pose to businesses a lot. Happily, it appears that larger businesses have begun to wake up to the risk. 63% of large businesses undertook a cybersecurity risk assessment in the last year, alongside 51% of medium-sized firms.

However, the practice remains rare among smaller businesses. When the sample size is broadened to include businesses of every size, just 3 in 10 have undergone a risk assessment.

Why is this happening? Well, it’s possible many businesses don’t have the resources to sanction regular risk assessments. But it’s just as likely that many SMEs are simply unaware of the need.

Worried about rising IT costs? Check out our guide to protecting your business on a budget.

2. A small number of businesses are taking cyber accreditations

The good news is that the proportion of UK organisations seeking extra guidance or information on cybersecurity is stable at 49% for businesses and 44% for charities. But this does mean that a large proportion of organisations either aren’t aware of or aren’t using guidance like the NCSC’s 10 Steps to Cyber Security or the government-backed Cyber Essentials accreditation.

According to the DCMS’s findings, just 14% of businesses and 15% of charities are aware of the Cyber Essentials scheme – rising to 50% of medium businesses and 59% of large businesses. And it’s a similar story with ISO 27001 certification with just 9% of businesses and 5% of charities adhering to the standard. Again, this is higher among large businesses (27%).

Although these figures might look alarming, there are a couple of caveats to bear in mind. First of all, the Cyber Essentials scheme was always going to take some time to bear fruit; it’s worth remembering the extremely limited cyber awareness across UK businesses before its launch. What’s more, the number of certified businesses is still growing steadily, up from 500 per month in January 2017 to just under 3500 in January 2023.

Added to this, the scheme was always likely to need to evolve to meet the needs of businesses. Given recent calls from UK companies for a new and improved Cyber Essentials certification, perhaps the time has come for the scheme to take the next step in its evolution.

3. Formal incident response plans aren’t widespread

The survey reveals that most organisations agree that they’d take several actions following a breach or cyber incident. However, the reality appears somewhat different. Only a minority of businesses (21%) have a formal incident response plan in place. This figure does rise amongst medium (47%) and large businesses (64%), indicating that it’s SMEs who are going without.

Perhaps this isn’t surprising. SMEs are often time- and resource-poor, and creating a thorough incident response plan isn’t a small undertaking. Nevertheless, it represents an area that both government bodies and companies like CyberSmart need to focus on in the coming year.

4. The number of identified breaches has declined 

At the risk of stating the obvious, cybercrime hasn’t decreased in the last year. But the number of breaches being reported by smaller businesses has declined. Just 32% of businesses and 24% of charities reported a breach or attack in the last 12 months – down from 39% of businesses and 30% of charities in the 2022 edition of the survey.

What’s going on? Are SMEs simply being attacked less? Unfortunately, no. 54% of SMEs in the UK experienced some form of cyber-attack in 2022. And, if we look at the figures for large businesses (69%) and high-income charities (56%) the numbers have remained stable from the 2022 report.

This seems to indicate that the drop is being driven by SMEs, which also suggests that they are undertaking less monitoring and logging of breaches than in previous years. Why? That brings us to our next key takeaway.

5. Cybersecurity is less of a priority for smaller businesses

It’s no secret that it’s a tricky time to be a small business. Economic uncertainty and a cost of living crisis have left many SMEs looking to reduce expenditure, particularly in areas like cybersecurity. This is borne out by the DCMS’s survey, with 68% of micro-businesses (10 employees or less) saying cyber security is a high priority, down from 80% last year.

In practice, this can mean less tracking and reporting of breaches, weaker defences, and greater reluctance to update tools, putting small businesses at a real disadvantage. But it doesn’t have to be this way. There are methods for budget-conscious businesses to reduce costs responsibly – we’ve outlined a few here.

6. Is cyber hygiene going backwards? 

Finally, cyber hygiene has long been a useful concept in helping businesses think about their security. The rationale behind it is simple. Most cyberattacks are pretty unsophisticated – think your common-or-garden phishing attack or a breach due to an unpatched vulnerability. 

This means businesses can avoid falling foul of most of them by using a set of basic “cyber hygiene” measures.

The most common of these hygiene measures are updated malware protection, cloud back-ups, passwords, restricted admin rights and network firewalls. However, all of these measures have seen a gradual decline over the last few editions of the DCMS report. For example: 

  • use of password policies (79% in 2021, vs. 70% in 2023)
  • use of network firewalls (78% in 2021 vs. 66% in 2023)
  • restricting admin rights (75% in 2021, vs. 67% in 2023)
  • policies to apply software security updates within 14 days (43% in 2021, vs. 31% in 2023).

DCMS analysis suggests that these trends appear to reflect shifts in the SME population, as figures across larger organisations have remained stable. As we mentioned earlier, it’s possible that, as many smaller businesses feel the pinch and place less importance on cybersecurity, cyber hygiene has begun to fall by the wayside. Whatever the reason, it’s a worrying development that could make some SMEs extremely vulnerable.

What have we learned from the DCMS Cyber Security Breaches Survey 2023?

Time to draw some broad-brush conclusions from the DCMS’s findings. First of all, the common theme running throughout the report is that the cost of living crisis is having a real impact on SMEs’ ability to protect themselves. Whether it’s the decline in breach reporting, so many businesses lacking incident response plans, or the fall in cyber hygiene standards, it’s clear SMEs need real assistance to bolster their defences.

Second, Cyber Essentials could be due for a revamp. The number of organisations who are aware of the accreditation, let alone completing it, remains too low.

Finally, although this piece may have made for a fairly grim read, there is an upside. These findings provide everyone within the UK cybersecurity industry a clear picture of where the problems lie and what we all need to do over the next 12 months to tackle them.

Want to know more about how to reduce cybersecurity costs responsibly? Check out our free guide to cybersecurity on a budget.


Why security training is the key to improving your cybersecurity


When you think about tools for improving your organisation’s cybersecurity, it’s likely that things such as anti-virus software, firewalls and encryption immediately spring to mind. And, if it appears at all, security training is probably some way down the list.

However, security training is one of the most effective ways to protect your business against cyber threats. Here’s everything you need to know. 

Why is training so important? 

According to research, 90% of cyber breaches can be put down to human error. Or, in simpler terms, if your employees aren’t aware of what cyber threats look like, they’re much more likely to fall foul of them. 

The best way to beat this is through training. Training can help your people better recognise and understand the threats they face. And, more importantly, learn how to counter them. 


What does effective security training look like? 

Firstly, there’s no such thing as one-size-fits-all security training. Well, at least not if you want it to be effective. The sort of training your business requires will depend on your staff and their knowledge gaps. 

For some businesses, this means starting with the basics. Meanwhile, in others, training addressing specific weak spots in employee knowledge will prove the best route. To read more on tailoring security training to your business, check out this excellent piece from our UX Researcher Anete.

Whichever approach you choose, remember there’s such a thing as too much information. Learning about cybersecurity (especially for the first time) can feel overwhelming. 

There is a multitude of different threats and concepts to learn. So keep it simple. Your employees don’t need to know everything or become cybersecurity experts overnight. They just need the information that’s most relevant to your industry or business. 

Training should follow the little and often approach. Little, because no one learns best by bombardment. Often, so that your people get into the habit of thinking about cybersecurity regularly. 

Think short, sharp exercises that fit into a lunch break or the time between meetings. It’s important that the training doesn’t impact staff’s core work or become a chore they quickly disengage from. 

And, finally, make it engaging. Include a mix of text, videos and interactive tasks in your training. After all, few of us learn best when the method is boring or feels like a slog.  

How do you get started? 

By this point, you’re hopefully convinced by the merits of security training. You may even have a good idea of which knowledge gaps you need to address within your business. But where do you start?  

At CyberSmart, we’ve noticed a gap in the market for engaging, jargon-free training to help build cybersecurity awareness within SMEs. So, we’ve created CyberSmart Academy. CyberSmart Academy is a simple, do-it-yourself approach to security training. And it’s available to anyone who uses CyberSmart Active Protect. 

Through a series of bite-sized modules, CyberSmart Academy helps your people sharpen their knowledge of cyber threats and develop the skills needed to avoid them. Through videos, articles and interactive quizzes, your staff will quickly boost their knowledge. And, with each module designed to fit into a lunch break, it won’t impact their work or bore them to death. 

We’ve even built a little healthy competition into the process. Once training is complete, staff enter into a company-wide league table, so they can see how they perform against their peers.

CyberSmart Academy is set to launch in just a few weeks, but if you’d like to know more, get in touch. We’re happy to answer any questions.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.
