Wherever you look, fraud is on the rise. According to UK Finance, there were 1.4 million cases of fraud in the first half of 2023 with criminals stealing over £580 million. And worming its way into these figures, comes a growing threat – remote access takeovers. In this blog, we’ll deal with the what and the how of remote access scams, including how to avoid falling foul of them. Read on to find out more.
How does a remote access scam work?
A remote access takeover is a form of identity theft. The principle is a simple one. Usually, the fraudster will pose as a legitimate contact, say a customer service agent from your bank. Like other social engineering attacks, the goal is to use psychology to get the victim to reveal their account details or login credentials. Once in, the bad guys can seize control of your account and use it for their own nefarious ends. It could be making unauthorised payments from your bank account or using your profile to launch phishing scams. Typically, a remote access takeover works in one of two ways: 1) The fraudster calls the victim and persuades them, through social engineering techniques, to provide account details and give them access. 2) The cybercriminal coerces their quarry into downloading malware that gives them control of the victim’s device or access to their account(s).
In common with all cybercrime, these attacks can range from the downright laughable (think the much-mocked ‘distant relative’ scams of the noughties) to the highly sophisticated.
As we mentioned in the introduction, remote access scams are something of a growth industry. Action Fraud – the UK’s national reporting centre for fraud and cybercrime – estimates that £3.8 million has been lost to remote access takeovers since June 2023.
This fits with the broader trend towards social engineering or ‘human manipulation’ scams in cybercrime. Anti-virus provider, Norton approximates these kinds of scams were responsible for 75% of all threats in the first half of 2023.
So the problem is real, which begs the question, what can you do to protect your business?
How can you protect your business?
The good news about remote access scams is that they deploy psychological techniques as old as time. Why is that a good thing? Well, it means that they’re relatively easy to stop, here’s how.
Don’t give out digital banking details
This one almost goes without saying, but never give out digital banking usernames, passwords, internet secure banking key codes or one-time passcodes (OTPs) during an unsolicited call. Whoever your business banks with won’t ask for this information over the phone. So, if someone does, it’s a sure sign of a scam.
Never install any remote access software as a result of a call
Like the previous point, no bank will ever ask you to download a remote access tool so they can access your smartphone or computer. Again, if you’re asked to do this, it’s a good indicator that the person asking isn’t legitimate, so hang up immediately. Verify telephone numbers
If you do receive a suspicious call, verify the number. There are plenty of free services just a Google away. Or, you could cut out the middleman and cross-reference the number with those listed on the provider’s website.
However, be aware that cybercriminals are getting better at this all the time, so the number may well look very similar.
Just hang up
Unleash the power of your phone’s end-call button. Seriously, if you receive a suspicious call from someone claiming to be your bank, there’s nothing stopping you from simply hanging up. Cybercriminals rely on creating a sense of urgency. It’s in those vital few seconds before we’ve really thought about the request that they do their worst work. Don’t let them. Hang up, wait a few minutes, then call your bank yourself. If it was a legitimate call they’ll let you know and, if it wasn’t, you’ll have dodged a scam.
Put processes in place
Workplaces can be stressful and mistakes happen. Policies stop the little errors we all make in our day-to-day working lives from growing into something much bigger and uglier. Ensure your business has a proper due diligence culture for any payments that include a two-tier approval. On top of this, make sure everyone is aware of remote access takeover scams and have an escalation policy in place, which brings us nicely to our final point. Educate your staff
Education is what ties all of the above points together. Ensure everyone in your business can recognise a suspicious call and is aware of the tactics cybercriminals employ. The simplest way to do this is through cybersecurity training. What this looks like will depend on your business and its needs. For some businesses, this means starting with the fundamentals. Meanwhile, for others, training addressing specific weak spots in employee knowledge is just the ticket. Whichever approach suits you, we recommend using a little and often approach. Little, because you want to keep staff engaged rather than overwhelm them. Often, so that thinking about cybersecurity becomes second nature. For more on cybersecurity training and why you need it, read this blog.
The most elusive of all malware; fileless malware is a threat you can’t afford to let slip off your radar. It accounts for 40% of global malware, according to research from Arctic Wolf Labs. And attacks increased by an eye-watering 1,400% between 2022 and 2023.
The next time you’re assessing cybersecurity priorities, keep protecting your business from these furtive attacks front of mind.
What is fileless malware?
Fileless malware is malicious code that’s written to your RAM or legitimate system tools rather than your disk (SSD or hard drive). Essentially, it uses your system’s software, applications, or protocols to launch an attack. Technically, it’s not actually fileless, but the name comes from where the code is stored and the fact it uses what already exists in the system.
The hacker will use the malicious code to gain access to your systems, execute the code by piggybacking on legitimate script, and steal credentials, encrypt files etc. – whatever they’ve set out to do as part of the attack. Because code is stored in memory, it generally disappears when you reboot your system (unless the hacker uses more advanced tactics to make the malware stick around on restart). This makes the virus incredibly difficult to spot, meaning security teams and antivirus software may not notice or find out what caused the problem.
LoLBins primarily refer to pre-installed Windows binary tools used for default system operations. PowerShell, a Windows scripting language, is an example of this. However, hackers can take advantage of them to launch attacks and avoid detection.
Memory code injection
A memory code injection inserts malicious code into a computer’s memory.
Fileless malware examples
Operation Cobalt Kitty
OceanLotus Group, who also go by APT32, targeted an international company based in Asia. The long-term attack compromised more than 40 computers and multiple servers.
They used the Windows PowerShell configuration management tool as an entry point for malicious code. It manipulated network management services so it would stay on systems rather than getting deleted on start-up. The group managed to penetrate the organisation via spear-phishing emails to senior employees that encouraged them to click on malicious links or download weaponized documents.
Fritz Frog
Fritz Frog is a fileless and serverless peer-to-peer botnet and worm that uses brute force to access secure shell (SSH) servers.
In January 2020, the cybercriminals behind it launched an attack that lasted for eight months, affecting 24,000 SSH servers from government, education, healthcare, and private enterprises.
Once the malware had successfully compromised a server, it would replicate and spawn threads to achieve different goals, e.g. one would use brute force to access more targets while another deployed the payload. It did this so it could run a cryptocurrency miner to process and steal cryptocurrency transactions from Monero.
Code Red
Identified as the first-ever fileless attack, Code Red spread worldwide in 2001 and affected more than 300,000 servers.
The worm exploited a Windows vulnerability and affected users of Windows NT, Windows 2000, and Microsoft IIS web server software. It caused websites using the webserver to display incorrectly.
According to a Sophos threat researcher, Microsoft released a patch to protect against the vulnerability just a month before the attack, showcasing the importance of updating software as soon as patches are available.
How to protect your business
Fileless malware is particularly tricky to detect because it’s written into memory or trusted, legitimate code. That means standard antivirus software doesn’t always detect a problem. And, in cases where the code is written to memory and wiped on restart, there’s no trace of the malicious code to work from.
However, there are some steps you can take to look after your cyber hygiene and give your business the best defence against malware in general, including fileless malware.
Patch your systems
Just like Code Red, unpatched vulnerabilities in operating systems, browsers, and software are a breeding ground for cyber threats. To counter this, install patches and security updates as soon as they’re available to give your business the best protection.
Continuous logging and monitoring
It’s important to stay on top of any security incidents so you have a full understanding of your IT infrastructure. It’s also important to monitor your systems for any unusual activity so you can respond to potential threats quickly and limit the damage. This can be difficult to do in-house unless you’re a very big business with lots of cybersecurity experience, but there are many options for third parties to monitor your security for 24/7 protection.
Education
To avoid threats, your people need to understand them. And the same is true for fileless malware. So, make cybersecurity training regular, bitesize, and as fun as possible. It’s not about fearmongering, it’s about arming your teams with knowledge.
Endpoint protection
An endpoint is a device that connects to and exchanges information with a computer network. Endpoint protection includes measures such as device encryption, perimeter security on cloud storage, network access control, anti-malware, and more.
Get Cyber Essentials certified
Cyber Essentials is a government-backed scheme with a simple framework based on five technical controls. Many of these controls include actions that overlap with our other tips in this section, so you can tick more off your to-do list in one go.
Secure configuration
Malware protection
Network firewalls
User access controls
Security update management
It’s a great starting point for businesses looking to improve their cybersecurity credentials before moving on to more complex and costly certifications like ISO 27001. And, if you’re unsure which option is best for you, start by reading our free guide to certifications in the UK.
The fight against fileless malware
Hopefully, these tips help you to feel more confident about protecting your business against fileless malware.
However, as with all threats, fileless malware is ever-evolving. One way to ensure you stay cyber confident is to keep updated with information on new threats. Our report on SMEs and the cost of living crisis tells you everything you need to know about how small businesses are tackling cybersecurity during an economic downturn. Read it here.
New: CyberSmart’s SME cost of living crisis report
At CyberSmart, we recognise that the cost of living crisis not only affects our personal lives, but the way small and medium businesses (SMEs) manage their priorities, too.
Uncertainty is never the best feeling for any business leader. A dampened economic outlook can result in SMEs becoming more cost-conscious and less growth-minded. And we’re concerned about the impact on cybersecurity.
That’s why our latest insight, the SME cost of living crisis report, explores its impact on SMEs, leadership, the workforce, and business cybersecurity.
What’s in the report?
We tasked Censuswide with surveying 1,000 UK SMEs to reveal the current state of the cybersecurity landscape for SMEs.
The report is full of helpful statistics, figures, and insights that reveal the behaviours of decision-makers during the cost of living crisis.
In the report, you’ll learn about:
What’s driving decision-making in the cost of living crisis?
The impact on cybersecurity investments
Leadership behaviours and mistrust of employees
Cybersecurity policy and governance factors
How should SMEs approach cybersecurity in the cost of living crisis?
Discover CyberSmart’s SME cost of living crisis report. Learn more about the impact on cybersecurity, people, and more. Read it today.
Discover key insights about the cybersecurity landscape
At CyberSmart, we work to make cybersecurity simple and accessible to everyone. We aim to provide every business, no matter how small, the tools to protect themselves against cybersecurity threats easily and effectively.
That’s why we’ve incorporated our expert insight into the report, too. We deep-dive into the reasoning behind the report’s findings to support the facts and figures. This provides you with a better understanding of the current SME cybersecurity landscape.
For example, the report reveals that nearly half of UK SMEs (47%) believe they’re at greater risk of a cyberattack since the onset of the cost-of-living crisis. Why? External threats, insider threats, employee mistrust, and employee negligence are all driving this behaviour, and we explore this in the report. Read it for free today to get the latest insights into SME cybersecurity during the cost of living crisis.
It’s not an exaggeration to say that supply chains pose one of the greatest cybersecurity risks to any business. In recent years, there’s been a huge increase in attacks stemming from supply-chain vulnerabilities. According to IBM’s 2023 X-Force Threat Intelligence Index, more than half of security breaches are attributed to supply chain and third-party suppliers, at a high average cost of over $4 million.
It’s a serious problem. And, like most small businesses, you’re probably asking what you can do about it. After all, looking after your own cybersecurity is tricky enough; how on earth do you start addressing gaps in your suppliers’ defences?
To help you get started, we’ve put together 5 supply chain security best practices to strengthen your digital defences.
1. Protect your own business first
This almost goes without saying, but before you delve into your supply chain, it’s worth considering your own cybersecurity status first. Is your business Cyber Essentials certified? Do you have security controls in place? Do you provide regular training for staff on cyber threats and best practices?
If you’ve answered no to any of the above, then these are great first steps in securing your business. And there’s a bonus to taking these measures first. By reviewing your own security, you’ll get a good idea of your business’s crown jewels – those critical aspects of your organisation that need the strongest protection.
2. Talk to your suppliers
Progress begins with dialogue. So talk to your suppliers and partners about their cybersecurity. You may find that your business faces many of the same difficulties and threats.
This can help you work together to ensure everyone in your supply chain works to the same security standards. And keeping dialogue open makes it much more likely that suppliers and partners will let you know faster if something goes wrong – protecting your business in the long run.
3. Make cybersecurity part of your contractual agreements
Behavioural change often requires incentives. Once you’ve established what good cybersecurity looks like for your business, apply those principles to your partner and supplier contracts.
How these agreements look will depend on your organisation. Requiring your partners to have a complete Cyber Essentials certification will be enough for some businesses. Others may need something more comprehensive, like ISO 27001 certification.
The important thing is that you make good cyber hygiene an expectation (rather than a nice to have) for anyone working with your business. By doing so, you not only incentivise good cybersecurity behaviours across your supply chain but also protect your business.
4. Keep improving
Building a strong cybersecurity culture across your network takes time. It requires trust between businesses, and you can’t build that overnight. So persevere if your supply chain doesn’t immediately transform from leaky to locked down.
Cybersecurity is all about learning. As cyber threats evolve, so too do the methods for thwarting them. Stay updated with new threats and tweak and adapt your practices accordingly. You can then use this knowledge to update partners and suppliers and strengthen your supply chain.
5. Follow the NCSC’s new guidance
Finally, if you’re looking for a framework to tie everything together, you could do a lot worse than the National Cyber Security Centre’s (NCSC) supply chain cybersecurity guidance.
The NCSC’s guidance breaks tackling supply chain security down into five basic steps ( in case you were wondering where we got the idea from):
Understand why your organisation should care about supply chain cybersecurity
Develop an approach to assess supply chain cybersecurity
Apply the approach to new supplier relationships
Integrate the approach into existing supplier contracts
Continuously improve
It’s a great place to start if you’re serious about tackling cybersecurity across your supply chain.
It’s a journey, not a destination
And remember, securing your supply chain is an ongoing process, but starting now is one of the biggest single investments you can make in protecting your business. Want to know more? Check out our new guide to protecting your business.
Press release: Over 1.1 million UK SMEs at risk of collapse during current economic uncertainty
Over 1 in five UK SMEs (21%) are worried that their business will not survive the current economic uncertainty or expect they will have to make a significant business pivot. This is according to a survey of a thousand SME senior leaders and decision-makers across the UK, commissioned byCyberSmart (and conducted by Censuswide).
The UK governmentestimates that the country is home to at least 5.5 million SMEs. If we were to extrapolate the findings, it could mean 1.155 million businesses are in a precarious position and risk collapse.
Remarkably, the survey also revealed that some SME senior leaders would go to great lengths to ensure the business’s survival. These behaviours range from engaging in cybercriminal activity and committing accounting fraud to neglecting compliance requirements.
Activities that SME senior leaders would consider engaging in include:
15% would commit accounting fraud and lie to bankers/investors to secure funding or commit tax fraud/evasion (potentially equivalent to 825,000 SMEs)
14% would cut employee salaries or benefits (potentially equivalent to 770,000 SMEs)
11% would leverage proprietary information from partners/clients such as selling off the data (potentially equivalent to 605,000 SMEs)
11% would neglect compliance requirements due to the additional costs they incur (potentially equivalent to 605,000 SMEs)
10% would engage in cybercriminal activity such as hitting a rival company with a cyberattack (potentially equivalent to 550,000 SMEs)
9% would mortgage their house (potentially equivalent to 495,000 SMEs)
SMEs decrease cybersecurity spending
Additionally, a third of SMEs have decreased cybersecurity spending due to the economic uncertainty. Or, more worryingly, admitted to never really investing in it.
In fact, as many as 42% of SME senior leaders do not believe it is worth investing in cybersecurity, with over 1 in 5 (21%) believing they are not a target. A further 16% claim it is not worth it because they have cyber insurance and 10% assert it is not a priority. Only 25% realised it was worth investing in cybersecurity because they could not afford to be breached.
CyberSmart CEO, Jamie Akhtar reacted with the following:
“As a business owner myself, I can understand the pressure many SME decision-makers are currently facing to keep their companies running and ensure their employees are taken care of, all while budgets tighten. It is during these times that emotions run high, and people might make irrational decisions that go against their own, and their company’s, best interest.It goes without saying that we would never condone criminal behaviour. Moreover, we would strongly recommend that businesses invest in cybersecurity and compliance.”
“The business ecosystem has become highly intertwined, so no business is immune from cyberattacks. In fact, SMEs could prove to be an easy entry point for cybercriminals looking to hit others within their supply chain, if they have weak cybersecurity postures. While cyber insurance is important for risk transfer, it should not be relied on either. A comprehensive and continuous cybersecurity and compliance strategy is needed to avoid a breach’s financial, reputational and even physical repercussions. Fortunately, there are solutions today that can help in doing so, without breaking the bank.”
With cyberattacks rife and rising all the time, cybersecurity is essential, but so too is cyber insurance. Although many businesses have been slow to adopt such cover, the world is beginning to wake up to the substantial benefits of cyber insurance for safeguarding an organisation. Here we look at the significant advantages it offers.
Why choose cyber insurance?
Businesses are increasingly at risk of falling foul of cyber-related incidents. Recent data shows that global cyberattacks increased by 38% in 2022, compared to 2021. And the UK saw a massive 77% rise. The fact is, cybersecurity is never 100% effective.
Should the worst happen, having cyber insurance could be the difference in ensuring your business gets up and running again quickly. Some 60% of small businesses close within six months of suffering a cyberattack. So having some sort of back-up plan is crucial.
But why do you specifically need cyber insurance, rather than just standard business insurance? Well, cyber insurance is a specialist product that protects you from cyber risks and those related to IT infrastructure. The fundamental benefit of cyber insurance is that it covers risks that aren’t generally included in standard commercial liability policies, which tend to just cover costs related to technical issues, such as corrupted hard drives and lost devices.
Managing a cyber incident, such as a data breach or ransomware attack, requires detailed technical knowledge, which specialist cyber insurance can offer. Cyber insurance policies provide you with the means to implement incident response measures, such as legal assistance, public relations support and forensic investigation.
As well as minimising any business disruption and supplying financial protection during an incident, a big benefit of cyber insurance is that it could help with any legal and regulatory actions after an incident. Although it won’t solve all your cybersecurity challenges or prevent a cyberattack from happening, cyber insurance can help your organisation get back on its feet.
As with other types of insurance, the benefits your cyber insurance includes will depend on the cover you choose. Opting for first-party cover will protect you against the direct results of a cyberattack. Alternatively, third-party cover is more comprehensive and will include the indirect consequences of a cyberattack. This provides protection for managed service providers (MSPs) that supply professional services to other companies. It’s key to covering your liability should a cyberattack on you lead to losses from a partner or customer.
Online threats are multiplying all the time, and cyber insurance will cover you for a wide variety of these risks, such as data privacy breaches, phishing attacks, distributed denial of service (DDoS) attacks, and malware, including the dreaded ransomware attack.
Depending on the exact policy you choose, it should cover:
Loss of business income
Legal action and fines, like GDPR charges
Ransom costs, if your data is held hostage
PR support to regain damaged trust
Possible repair costs
Data breach measures, such as investigative proceedings
Access to expert advice and support
A key benefit of cyber insurance is that it gives you access to expert advice and support. Expertise on threat management is an important part of cyber insurance, and some insurers supply businesses with threat monitoring and management services. For example, according to the UK government’s Cyber Security Breaches Survey 2022, one organisation said that their insurance enabled them to monitor the dark web and flag if any of their accounts were being sold there.
Access to expertise on breach recovery was also named in the survey as a key reason organisations take out an insurance policy. This benefit can help companies ensure business continuity after a disruptive breach. Some policies also include access to expert forensic analysis of what caused the breach. This is important to help a business rectify the problem and implement preventative measures to make sure it doesn’t happen again.
Enhanced cybersecurity
Another valuable benefit is that a cyber insurance policy can help you build a strong cybersecurity framework. Insurers will require you to have a good level of security to be eligible for a policy. They usually carry out a risk assessment as part of the underwriting process to ensure your business isn’t a high risk. This can involve just completing a straightforward questionnaire or may go as far as involving an in-depth analysis of your security. However, like other kinds of insurance, your premium will decrease if you are judged to be a lower risk.
The eligibility criteria for cyber insurance cover can act as a framework to ensure good cyber hygiene. But, a simple way to boost your level of cybersecurity is to gain Cyber Essentials certification. Some insurers will offer discounts on insurance premiums if you have this, and simply by being certified, you can reduce your cyber risk by 98.5%. Cyber Essentials is a UK government-backed scheme covering everything your business should do to protect against cyberattacks, demonstrating that you take cybersecurity seriously.
Peace of mind
A big benefit of cyber insurance, which shouldn’t be overlooked, is that it provides considerable peace of mind. You can have all the strong cybersecurity possible to protect your business. However, with the ever-evolving threat landscape, you can’t be 100% sure you won’t still suffer from a cyberattack. With cyber insurance, you have the final safety net in place to ensure that you won’t have to worry about recovery costs if the worst happens and disaster strikes.
While cyber insurance doesn’t prevent an attack, it’s designed to stop a bad situation from getting worse. So, if you’re concerned about a cyberattack destroying your business, cyber insurance gives you complete peace of mind. You will have an extra layer of protection in addition to your cybersecurity, to cushion the blow.
Firewalls can appear complicated at first glance. However, in reality, they’re easy to set up and offer an important defence against cyber threats. So, to help you better understand firewalls and how to protect your business, here’s everything you need to know.
What is a firewall?
A ‘firewall’ is a tool that protects your home or office systems from malicious traffic on the internet.
Think of it as a well-armed bouncer, checking anything that enters your network for threats. It creates a barrier between a ‘trusted network’ (such as your office) and an ‘untrusted network’, like the internet.
Firewalls keep your devices operating reliably. But they also protect you from a variety of threats, such as DoS (Denial of Service) and malicious packet attacks.
Most modern devices contain a firewall of some kind. You’ll find one built into your laptop and internet router, although, crucially not on most smartphones. Many businesses also set up a separate hardware firewall in addition to the one built into devices for an extra layer of security.
Where does the term ‘firewall’ come from?
The term ‘firewall’ has an interesting history (no, really). The term originally refers to a wall built to contain a fire between adjacent buildings. Later, it was used to describe the metal sheet that separates the engine compartment from passengers on an aeroplane.
It wasn’t until the 1980s that ‘firewall’ first became synonymous with the internet. The term appeared in the 1983 computer-hacking movie WarGames to describe the act of filtering data coming through routers and possibly inspired its later use.
How does a firewall work?
Firewalls analyse all incoming traffic based on a set of pre-set rules. The rules are then used to filter out anything malicious or suspicious and prevent attacks.
The slightly more technical explanation is that firewalls filter traffic at a computer’s entry points or ‘ports’. These ports are where information is exchanged with external devices. For example, a rule might look something like this: “Source address 172.18.1.1 is allowed to reach destination 172.18.2.1 over port 22.”
A great analogy for understanding this is to think of an IP address (the unique number that identifies your device) as a house and port numbers as rooms within the house. Only trusted people (IP addresses) are allowed to enter the house at all. Then, once in the house, trusted people are only allowed to access certain rooms (destination ports).
It’s much like hosting a party at your house, in that you’d probably keep some rooms off-limits. Perhaps there are some rooms that could pose a threat to children or maybe you just like your privacy, either way, the same basic principle applies to firewalls. Trusted devices are only allowed access to certain places.
Why are firewalls important?
Simply put firewalls are a vital first line of defence. To return to our bouncer analogy from earlier, without a doorman anyone can enter the building. Without a firewall, anyone can get into your business.
It’s not difficult for even a relatively unsophisticated cybercriminal to probe your organisation’s devices in an attempt to break into your systems. Without a properly configured firewall, they’re much more likely to succeed.
What’s more, the consequences can be disastrous. Not only will hackers gain access to your data and potentially leak it or use it maliciously, but the financial hit can also be severe. According to insurer Hiscox, the average cost of a breach for an SME is £11,000, and that’s before we even consider reputational damage or fines from regulators.
A properly configured, maintained and monitored firewall will go a long way towards protecting your business.
But what do we mean by ‘properly’ configured? Well, for your firewall to work optimally, you need to ensure it has the power to manage normal and encrypted internet traffic without slowing down your devices or compromising security. A good IT support partner can help you do this or, alternatively, automated tools like CyberSmart can guide you through the process yourself.
Firewalls and Cyber Essentials
You might be reading this article because you’ve come across the firewalls section of the Cyber Essentials questionnaire. Or perhaps you’re considering completing Cyber Essentials certification for your business.
Either way, the section of Cyber Essentials dealing with firewalls can appear confusing. But, in reality, it’s very simple. You’ll be asked about which firewalls you have in place, whether they are password protected and ‘accessible’ services. The first two elements are self-explanatory. All you need do is list the firewalls you use and set up password protection for them if you don’t already have it (the questionnaire or one of our team will provide guidance on how to do this). However, ‘accessible services’ is a little more complicated.
What does ‘accessible services’ mean?
‘Accessible services’ is the traffic that is approved to pass through the firewall. In an office environment, your firewalls will usually be configured so that IT support can access anything they need to. However, most of us aren’t working in an office at the moment and home routers are often set up to block all services as default.
Sadly, working from home doesn’t mean the end of all IT troubles, so your remote workers may wish to allow external access to their personal router. If this is the case, then it’s best practice to allow a single, static IP address through the firewall. That way, you can be sure your IT support team, and only the IT support team, has access.
And that’s all there is to firewalls. Hopefully, this has answered most of your questions but, if there’s anything else you’d like to know, please get in touch with one of our team.
Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.
UK SMEs have faced a turbulent few years. The COVID-19 pandemic altered the way many of us work forever. The conflict between Russia and the international community has raised the spectre of cyber attacks on UK businesses. And cyber threats for SMEs continue to rise. So with all these factors in play, how are the UK’s SMEs managing? Has the rise in remote working led to a change in cybersecurity practices? How often are SMEs facing cyber threats? Most importantly, what can they do to better protect themselves? To answer some of these questions, Gartner-owned Software Advice – a company that provides advisory services, research, and user reviews on software applications – surveyed 500 managers at UK SMEs. And we’ve teamed up with Software Advice to bring you the results.
What’s in the guide?
Using the data provided by Software Advice, we tackle:
How often SMEs are being attacked
The impact of COVID-19 on SME cybersecurity
The biggest threats facing SMEs
The consequences of a breach on SMEs
What SMEs are most worried about
How effective SMEs’ defences are
What SMEs can do to better protect themselves
And much, much more.
Where can you get a copy?
As this is such important data for the entire cybersecurity industry, we’re offering our guide free to anyone who finds it useful. All you need to do to get your copy is download it here or hit the button below.
Why supply chains pose the greatest cybersecurity risk to your business
What do you think of when you imagine a typical cyberattack? If you’re like most of us, then chances are you immediately thought of a high-profile attack on a single organisation, say, the Twitter or Mariott breaches in 2020.
In reality, cybercriminals rarely enter through the front door. Here’s why supply chains pose the greatest risk to your cybersecurity.
What do we mean by supply chains?
As a small business, you’re almost certainly part of a supply chain. Depending on what your company does, you could be a supplier, vendor, distributor or retailer. Your part in the supply chain isn’t the important thing. What’s important is the symbiotic relationship this gives you with other businesses in the chain.
Think of it as akin to the way different species exist in nature. This relationship can be mutually beneficial; bees need the pollen from flowers for food and energy, and flowers need bees for pollination. Or, the relationship can be destructive, as the increasing number of zoonotic diseases (such as COVID-19 and SARs) passed from animals to humans proves. The same is true of the ties between businesses.
When business leaders evaluate their cybersecurity, most know the first place to look is within their organisation – at their own people, systems and infrastructure. Unfortunately, that’s no longer enough.
According to research, up to 80% of cyberattacks now begin in the supply chain. Cybercriminals have realised that to target high-profile businesses, you don’t need to attack the organisation itself. Big corporate enterprises often have the best in cybersecurity tools and processes, so breaching their defences is difficult. However, the SMEs who supply or provide services to these big companies usually have far more modest defences. And, crucially, they provide a ‘backdoor’ into bigger organisations by being part of the supply chain. A breach at even the smallest link in the supply chain can have dire consequences for everyone within it. This makes SMEs a prime target for cybercriminals with an eye on big enterprises.
A great example of this is the recent SolarWinds attack. By breaching SolarWinds (an IT infrastructure provider), cybercriminals were able to gain access to some of the world’s largest tech companies, including Microsoft, Intel and Cisco.
How to protect your business
So, if supply chains pose such a risk to your cybersecurity, what can you do about it? Small suppliers can’t help being targeted by cybercriminals. And large enterprises can’t control what everyone in their supply chain is doing all of the time.
Fortunately, there are a few things you can do to reduce the risks.
Get your cybersecurity in order
Although you can’t always control what everybody else in your supply chain is doing, good cyber hygiene begins at home. This means that your priority should be ensuring your own cybersecurity is up to scratch. A great place to start is by getting Cyber Essentials certified. The government-backed certification scheme assesses your business against five key cybersecurity controls:
Is your internet connection secure?
Are the most secure settings switched on for every company device?
Do you have full control over who is accessing your data and services?
Do you have adequate protection against viruses and malware?
Are devices and software updated with the latest versions?
By ensuring these criteria are in place, you can protect your organisation against 98.5% of cybersecurity threats – including most of those that are likely to come through your supply chain.
But don’t stop at certification. Consider using encryption and two-factor authentication on all company devices and implement a strong password policy and enforce it.
Alongside this, put in place an easy-to-understand cybersecurity policy and make sure everyone within your business has access to it. More often than not, supply chain breaches come from staff acting in good faith. If your people don’t know which behaviours are harmful or how to spot a threat, then your business will always have a chink in its armour. Education really is the key.
Talk to your supplier and partners
The greatest defence against supply chain attacks is trust between partners. So talk to your suppliers and partners about their cybersecurity practices and share experiences and advice. This may sound like something from a business self-help book, but poor communication or reluctance to admit a breach has happened can often turn a minor attack into a disaster. By fostering trust and a willingness to communicate across the supply chain, you’re effectively creating an early-warning system for your business. This can be vital in halting or at least containing the breach.
Aim to work with businesses that are Cyber Essentials certified
Of course, building trust in any context takes time. And time isn’t always something you have when working with new partners or suppliers. So, an alternative is to insist on a minimum security standard for any business you work with.
Cyber Essentials certification is tailor-made for this. By choosing to work only with businesses that display the Cyber Essentials logo, you ensure everyone you rely on is working to the same security standards, minimising the likelihood of a breach. How you approach this is up to you. Some businesses include it as a standard contractual clause, while others have more informal agreements in place. What matters is the assurance that your partners and suppliers take their cybersecurity responsibilities as seriously as you do.
The top cybersecurity trends of 2020: how did we do?
The leaves have well and truly fallen, it’s bitterly cold, and Christmas is just around the corner. This can mean only one thing. It’s that very special time of year when every business releases a ‘things to look out for’ or ‘top ten trends’ post for the year ahead – cue jokes about identikit blog posts. So, we thought we would do something a little different this year. Rather than repeat last year’s guide to cybersecurity trends for SMEs, we thought we’d look back at how we did. Where were we right on the money? And what are we eating a hefty portion of festive humble pie over? Of course, the elephant in the room is the COVID-19 pandemic, an event virtually no one predicted. And its effects will keep cropping up throughout this blog.
1. Increased use of AI to launch and defend against attacks
First up, AI. Back in January, we discussed the likelihood of cybercriminals increasing their use of automated attacks in 2020. We cited cybersecurity and AI expert, Justin Fier of Darktrace who predicted “AI won’t just make attacks faster or smarter. We likely can’t even fathom the way that AI will transform attacks or be leveraged by malicious actors. What we do know is that with AI attacks on the horizon, AI defences will be critical as well.”
How we did
We’d like to think we were pretty spot on with this one. AI attacks continue to plague the nightmares of security professionals. A September 2020 study from Forrester found that 88% of security professionals expect AI-driven attacks will soon become mainstream.
88% of security professionals expect AI-driven attacks will soon become mainstream.
What’s more, there were several high-profile attacks using AI in 2020. The spear-phishing (more on that later) attack on COVID-19 vaccine supply chains is thought to have been carried out using an AI. Meanwhile, both the Vancouver Metro system and the Argentine government suffered highly coordinated ransomware attacks, thought to be backed by an AI.
While you don’t have to be Nostrodamus to predict that as AI technology becomes more widely available attacks will increase, it’s clear that it has become a rapidly growing threat. So much so that Europol issued a warning earlier this year that cybercriminals now have both the expertise and tools to use AI regularly.
It’s in this environment that we’re continuing our research into using AI and machine learning for cybersecurity defences.
2. Spear phishing: phishing attacks get personal
Spear phishing is the practice of sending out highly targeted, personalised emails to company employees and executives in a specific business, rather than a generic attack sent to thousands of random email addresses. Once clicked, these emails infect the user’s computer or device with malware.
We predicted this type of attack would become more common in 2020, as cybercriminals learned to target time-poor executives and undertrained employees.
How we did
While our instinct was good, we couldn’t have predicted just how prevalent spear-phishing attacks would become in 2020. There were many high profile attacks, including Twitter, but most alarming was, of course, the attack on COVID-19 vaccine supply chains we mentioned earlier.
And there were plenty more breaches that didn’t make the front pages. According to a report from the Anti Phishing Working Group, the average loss to organisations from business email compromise (or spear-phishing) attacks in the second quarter of 2020 was $80,183 (£59,353). Even more alarmingly, that figure represents a $54,000 (£39,972) on the first quarter of this year, almost perfectly mirroring the global switch to remote working due to the pandemic.
The average loss to organisations from spear-phishing attacks in the second quarter of 2020 was $80,183 (£59,353)
You can find out more about how to switch to remote working safely in our latest ebook.
3. Organisations are adopting more data encryption
At the beginning of 2020, we were confident this year would be encryption’s time to shine at last. We hoped that the tool would finally gain widespread adoption, helping businesses to shut down most cyberattacks before they start. And we based this prediction on the 2019 Global Encryption Trends Study which revealed its use grew from 41% to 47% of organisations last year.
How we did
Sadly, our hopes of encryption taking the business world by storm in 2020 proved unfounded. It’s not all bad. Adoption has increased: Entrust’s 2020 Global Encryption Trends Study lists 48% of businesses as having encryption strategy ‘applied consistently across their enterprise’. However, a 1% increase to 48% isn’t widespread adoption, nor is it nearly enough. Encryption is the simplest step a business can take towards protection from cyber threats. Improving the cyber health of our society depends on its adoption everywhere. Here’s hoping 2021 will be better.
Of all the things on this list, Robotic Process Automation (RPA) is the one most likely to spark the imagination. So, was 2020 the year that businesses started automating in earnest and transferring tasks to our new robot masters? How we did
In short, no. RPA did continue to grow in popularity, with its market revenues projected to have surpassed $2.9 billion worldwide this year. And it will probably continue to do so – Grand View Research predicts a 40.6% annual growth rate in adoption between now and 2027. However, the firms using RPA tend to be at that enterprise end of the scale. RPA is expensive and we’re a long way from it being affordable for smaller businesses. So, for the time being at least, the robots aren’t coming to an SME near you.
5. The next wave of GDPR fines is on its way
2019 was the year that regulators began to really flex their muscles on GDPR, doling out fines to some of the World’s largest corporations. So, naturally, we expected 2020 to deliver more of the same.
How we did
If anything, we underestimated this one. 2020 has been a bonanza of GDPR fines. First, Google was fined £44 million by French regulator CNIL for its breach of GDPR rules – by far the biggest fine we’ve seen yet. Then retailer H&M was hit with a £31.5 million fine by German regulators. These were just the two highest-profile cases. Over 220 fines were handed out for GDPR violations in the first ten months of 2020, totalling more than £158 million. On top of this, July 2020 saw the highest number of fines issued in a single month since the GDPR was introduced.
July 2020 saw the highest number of fines issued in a single month since the GDPR was introduced.
So it’s clear that 2020 has been the year that regulators across Europe rolled up their sleeves and got tough on GDPR. Despite this, only 20% of US, UK, and EU companies are fully GDPR compliant. And, with all the uncertainty surrounding GDPR and Brexit, we expect 2021 to continue in the same vein.
6. Greater threats to cloud security
The cloud is relatively old news by now, with most businesses moving away from using physical servers sometime in the last decade. However, knowledge of how to properly secure data in a cloud has lagged far behind adoption for a while now. So we predicted 2020 would be the year that hackers began to exploit the cloud’s vulnerabilities.
How we did
Although cloud data breaches have been a feature of the technology since its inception, 2020 will go down as the year that businesses became much more conscious of the risks. A report from Ermetic, published in July 2020, revealed that 80% of firms surveyed have suffered some form of cloud data breach in the previous 18 months.
This is reflected in the number of high profile breaches we’ve seen this year, with Mariott, MGM and video conferencing software Zoom all suffering data hacks.
7. 5G and IoT devices on the rise
Everyone in the tech sector has been predicting the rise of 5G and IoT devices for a long time now. Were you to delve deep into your internet history, we’re confident you’d find it on many end-of-year predictions lists as far back as 2016. With that in mind, was this the year that 5G finally arrived on the scene?
How we did
Let’s tackle 5G first. Unlike previous years, 2020 really did see the rollout of 5G, at least partly. Despite the controversy and political power struggles caused by the UK deciding to ban Chinese firm Huawei, 5G networks are now available in some locations across the UK. We’re still a long way from a nationwide rollout and the technology comes with problems to be ironed out, but the first shoots of a 5G-backed nation are there and growing.
The Department for Digital Culture, Media and Sport (DCMS) defines the cybersecurity skills gap as businesses ‘lacking staff with the technical, incident response and governance skills needed to manage their cybersecurity.’ And it’s been a growing problem in the UK and across much of the world ever since businesses began to move their operations online. We thought that it would become one of the defining trends of 2020. Were we right?
How we did
The cybersecurity gap is hard to assess in a period as limited as one year. The situation certainly didn’t improve much in 2020 but it’s hard to say whether it got any worse. The UK government did at least try to promote jobs in the sector, even if the execution was crass and very poorly judged. However, real change in this area is likely to take years, if not decades. So for the meantime, small businesses are best served by trying to find ways around the talent shortage. For more on that, check out our October blog on the subject.
10. Employee training for threat awareness
Last on our list, threat awareness training for employees. One of the biggest trends sweeping cybersecurity in the last few years has been a growing realisation that employees have an active role to play in keeping their workplaces safe. Let’s consider how that developed in 2020.
How we did
Like a lot of things on this list, employee awareness has been heavily influenced by the COVID-19 pandemic. As many businesses were forced to work remotely, with employees using their own networks and devices to access company data, good cyber hygiene has become more important than ever. As a result, we’ve seen more and more businesses taking staff training seriously. Meanwhile, we’ve been busy doing what we can to help. We’re all set to release a brand new set of interactive cybersecurity training modules, downloadable through the CyberSmart platform. It’s our hope this will help make 2021 a little more cyber secure than 2020.
All in all, we’re happy with our predictions for 2020. There was a lot we couldn’t have foreseen and some of the trends we predicted didn’t take off quite as expected. But, on the whole, 2020 saw some big steps towards increased cyber awareness and hygiene in the UK. Stay tuned for more of the same in 2021.
Looking to improve your cybersecurity but not sure where to begin? Start 2021 the right way, by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.
