Antivirus vs anti-malware: what’s the difference?

Antivirus and anti-malware are the basic building blocks for any small and medium enterprise’s (SME) cybersecurity strategy. They’re the most well-known cybersecurity tools, and it’s rare to find a business that doesn’t use one.

But do you know what they protect you from, the difference between an antivirus and an anti-malware, and whether you need both? Let’s explore these key talking points.

Malware vs viruses

Before discussing the merits of the two types of software, we must tackle the difference between viruses and malware. Most people assume that the two things are synonymous. Isn’t ‘virus’ just a slightly dated way to say ‘malware’?

That’s almost correct. However, this is the world of cybersecurity, so things are always a little more complicated than they first appear.

The term ‘virus’ describes malicious code that can reproduce repeatedly – just like a biological virus. The code damages your device by corrupting your system or destroying data. Viruses are also usually considered legacy threats that have existed for a long time, and today’s cybercriminals rarely use them.

On the other hand, malware is an umbrella term that refers to many different threats. These range from ransomware to spyware and even some newer viruses (confusing, we know). The key difference is its novelty. 

The threats under the term malware are new, constantly evolving, and very much in use among modern cybercriminals. So, antivirus software providers have upped their game to protect customers.

Considering cybersecurity certification but not sure where to start? Check out our guide to certifications in the UK.

Antivirus vs anti-malware: the key differences explained

As you might expect, antivirus usually deals with older, more established cyber threats. To illustrate, think of warnings from the noughties – endless error pop-ups, trojan horses, and worm viruses. These attacks typically enter your business through tried and tested routes such as email attachments, corrupted USBs, and other standard cyber threat delivery methods.

These cyber nasties are generally very predictable and easy to counter. However, they can still do plenty of damage if left unchecked. 


Anti-malware software focuses on defending against the latest threats. A good anti-malware protects your business against ransomware, spyware, sophisticated phishing attacks, and zero-day attacks. Anti-malware usually updates its rules faster than an antivirus, making it the best protection against any new threats you might encounter. 

Antivirus vs. anti-malware: which should you choose?

At this point, you might be wondering why you need an antivirus if anti-malware can protect your devices against the most common types of cybercrime.

Although this is a valid question, it’s a risky way to approach cybersecurity. Sure, most of the threats covered by antivirus might be dated and rarely used by the bad guys. However, that doesn’t mean they no longer exist or that they can’t still give you a significant cybersecurity headache.

Doing without antivirus is a bit like a state deciding to focus exclusively on protection from nuclear threats while neglecting the potential for invasion by land. It’s a flawed approach that leaves your business open to attack. Instead, it’s better to take a layered approach to your cybersecurity – by which we mean installing antivirus and anti-malware software to protect your business against new and old threats.

Choosing cybersecurity solutions isn’t an either/or dilemma

Antivirus and anti-malware aren’t mutually exclusive. A truly effective cybersecurity strategy includes tools, training, and measures to counter any threat. Something as simple as a Cyber Essentials certification ensures your business complies with the basic requirements to deter cyber threats. This is because the steps to get qualified include:

  • Data encryption
  • Firewalls
  • User access management
  • Software and operating system updates

You get support and clear step-by-step instructions for mitigating malware in your business so you don’t overlook any vulnerabilities. Learn how easy it is to get certified today.

What is a banking trojan and how do you stop one?

Zeus, SpyEye, Emotet. What do those names mean to you? As much as they sound like Marvel supervillains, they’re all examples of high-profile banking trojans.

Emerging in the mid-noughties, banking trojans have morphed into one of the most dangerous SME cybersecurity threats. But what are banking trojans? And how can you protect your business from them?

What is a banking trojan?

A banking trojan is a particularly nasty form of trojan horse malware that aims to give cybercriminals access to networks and confidential information stored in online banking systems.

Banking trojans typically come in two forms:

  1. Backdoor trojans: Use backdoors in your system to circumvent security measures and gain access to your computer.
  2. Spoofers: Steal user credentials by creating a fake version of a financial institution’s login page.

How do banking trojans work?

A banking trojan works in much the same way as the mythological wooden horse from which it draws its name. A typical banking trojan looks and behaves like legitimate software until you install it. Once it’s on your device, it shows its true colours.

Cybercriminals use banking trojans to:

  • Steal banking credentials
  • Make unauthorised transactions
  • Siphon funds to the attacker’s account

Did you know that 47% of UK SMEs feel more threatened by cybercrime since the cost of living crisis began? Find out more in our latest report.

Why are banking trojans so dangerous?

Banking trojans are a particularly hazardous form of malware for several reasons. Firstly, they’re usually well disguised as legitimate software, which makes them difficult to detect for anyone who isn’t a cybersecurity expert.

Secondly, they cause significant damage. In a worst-case scenario, a banking trojan can give cybercriminals total access to your bank accounts, which could spell financial ruin.

How do you know when you’ve been hit? 

Although it can be challenging to spot a banking trojan, it’s not impossible. Like any malware attack, there are a few telltale signs to look out for:

  • New or unexpected forms appearing in your bank accounts
  • Poor device performance
  • Slow or broken applications
  • Missing files
  • Unexpected pop-up windows 
  • Tasks running independently
  • Spam originating from your email accounts
  • Your anti-virus or anti-malware software stops working

It’s important to note that none of these are conclusive proof that someone’s successfully hacked your system. Think of them as signs that suggest something isn’t quite right. So, if you’re in any doubt, it’s time to call the professionals.

What can you do to protect your business?

Thankfully, protecting your business against banking trojans and similar forms of malware is relatively straightforward. Beyond investing in reliable threat monitoring software, we recommend following these six simple steps.

Use multi-factor authentication 

Multi-factor authentication (MFA) is a security measure that requires you to provide two or more verification methods to sign into an application. Instead of asking for your username and password, MFA demands additional information such as:

  • A randomly generated PIN code sent by SMS
  • A piece of memorable information known only to you 
  • Your thumbprint

The idea behind MFA is simple: the more locks you have on the door, the harder it is for an intruder to break in. Think of it as adding a cyber deadbolt, a door chain lock, and some cameras to keep the bad guys out.

Train staff how to spot the signs

Human error is responsible for as much as 90% of cyber breaches, and it’s easy to see why. Few of us are cybersecurity experts, and if you aren’t aware of what a cyber threat looks like, you’re much more likely to find yourself on the receiving end.

Cybersecurity training can bridge this knowledge gap. Training helps staff recognise, understand, and mitigate the threats they face. What this training looks like depends on your business and the knowledge within it. For some, it’s a case of starting from scratch and covering the basics; for others, it’s about addressing specific weak spots.

Patch software regularly 

Patching your software is the simplest way to improve your business’s cybersecurity. Even the best software can develop vulnerabilities, suffer a breach, or become outdated. Software developers release security patches to ensure cybercriminals don’t have an easy route into their clients’ systems.

It’s easy to install these patches. You can check your system for updates every few days or activate the auto-update setting on all company devices.

Use a password manager 

Many banking trojans use keyloggers – programs that record your keystrokes so cybercriminals can steal your PIN or password. Using a password manager, which doesn’t require you to type anything, instantly overcomes the threat of keyloggers.

Only download files from trusted sources

This might seem obvious, but if you’re unsure about the origin of a file or piece of software, don’t download it. Set clear rules throughout your business to ensure people only download software from trusted sources, such as Microsoft, Google, or Apple stores. This helps to minimise your exposure to compromised software and malware.

Use all the security features offered by your bank

Banks offer a range of security features. Use them! If your bank provides MFA for sign-in (virtually all of them do), use it. Many business-oriented banks also have app stores full of free or low-cost cybersecurity features. Use them, too. These little extras are often the difference between cyber safety and falling victim to a banking trojan.

Banking trojan examples to watch out for


Zeus

Active since 2007, Zeus is used by cybercriminals to target Microsoft Windows and steal financial data. It quickly became one of the most successful pieces of malicious software in its class, affecting millions of systems worldwide and giving rise to a host of similar threats. After a brief lull in 2010, when the creator reportedly retired, we’ve seen an uptick in Zeus variants since the source code went public.


SpyEye

Once touted as the successor to Zeus, SpyEye established itself as one of the most dangerous banking trojans in the early 2010s. SpyEye enabled its creators to steal sensitive information from its victims’ bank accounts, including account credentials, credit card information, and PIN numbers. Its Russian creator was sentenced to nine-and-a-half years in prison in 2016.


Emotet

Emotet is a banking trojan that spreads primarily through email. These emails often use familiar branding and convincing wording to trick the victim into clicking on a malicious link. Emotet has gone through a few iterations since emerging in 2014, in an attempt to circumvent modern detection methods.

Don’t suffer the same fate as Troy

Understanding the threat banking trojans pose and adopting appropriate countermeasures are integral to safeguarding your financial information in today’s digital landscape.

Simple, inexpensive malware prevention tips – like updating your software regularly, using a password manager, and educating staff – help protect your business against banking trojans and other malware strains, too.

Want to know more about the threats facing small businesses? Check out our new research report on SMEs and the cost of living crisis.

How to avoid phishing scams on Facebook Messenger for Business

Almost since its birth, Facebook has been an important tool for small businesses. It’s a low-cost way to sell your services, interact with customers and build a community around your business.

However, wherever small businesses gather in any number, so too do cybercriminals, like predators at a savanna watering hole. Facebook for Business is no different. Over the past few years, the social media app’s messaging service has become a regular launchpad for phishing campaigns. And, unfortunately, the problem is only getting worse, with social media account takeovers increasing by over 1,000% in the past year.

However, this doesn’t mean you need to avoid the app altogether (as we said, it’s a useful tool). With the right knowledge, you can get back to communicating confidently. So, here’s everything you need to know about Facebook Messenger scams – what they look like, the consequences of a breach, and how to combat them.

What does a Facebook Messenger phishing scam look like?

Like most phishing attacks, Facebook Messenger scams typically rely on social engineering. But, there are a few different approaches out there.

Complete cyber confidence doesn’t have to break the bank. Download our guide to protecting your business on a budget to find out more.

The classic Facebook scam

First of all, there is what we call the ‘classic’ Facebook Messenger scam. This is a well-worn approach, but don’t let that fool you. ‘Well worn’ doesn’t mean ineffective, even if it lacks sophistication. A surprising number of businesses still get caught out by this tactic.

Scammers will usually pretend to be potential customers or partners and try to trick you into giving them sensitive information. It could be a prospective ‘partner’ who just needs some financial data before they can commit, or it could be a customer who’s seemingly desperate for you to check out their website (don’t click the link!).

The Facebook support team scam

Recently, we’ve seen a far more insidious scam on the platform. Scammers have begun posing as Facebook support or security teams.

This scam typically starts with a message claiming your business page is at risk of being banned or disabled due to violations. The message will seem urgent and official, often using Facebook branding and logos. There will be a link provided to supposedly “verify your account” or appeal violations. Unsurprisingly, this link doesn’t unlock your account or clear your business’s name; it’ll usually lead straight to a bogus site that’ll infect your device with malware.

Another potential avenue for this kind of scam is to claim your business needs to ‘top up’ the funds paid for any on-site advertising you might be running. Once again, this will lead you to a spoofed Facebook page where you’ll be requested to enter sensitive financial details. If you’re unfortunate, like us, you might have received a flood of these messages in recent months. They usually look something like this:

[Image: Facebook Messenger scam]

What are the consequences of a successful scam?

The consequences of falling prey to one of these scams vary, depending on what the cybercriminals managed to persuade the victim to do. However, some of the most common outcomes include:

– Losing control of your business’s social media page to hackers who then use it to post malicious content or launch further scams

– Financial loss, either through the initial scam or a subsequent ransomware attack

– Compromised sensitive personal or proprietary data 

– Reputational damage from all of the above

All in all, being hit with a successful Facebook Messenger scam is something your business desperately needs to avoid. Let’s look at how…

How can you avoid falling victim?

Although the method of attack might be new, Facebook Messenger scams are still a form of phishing. This means that many of the principles that can be used to combat other types of phishing scams can be applied here.

1. Keep Facebook’s policies in mind

Remember that Facebook will never message you proactively about account issues. Any unexpected warnings about your page being banned are very likely scams.

2. Check the URL

Verify that any links come from an official or domain. If you’re unsure, you can hover over links to preview the URL before clicking.

3. Look for errors

Watch for poor grammar, spelling errors, and other typos. Scammers are rarely gifted writers and you’ll often find telltale slip-ups in their messages.

4. Verify who the sender is

Check out who a potential partner or customer is claiming to be before you engage with them or share any information over Messenger. A quick search of their name on LinkedIn and a check of the company website or its Facebook Business page should be enough to raise any red flags. And, if in doubt, don’t engage. 

5. Use MFA

Turn on multi-factor authentication (MFA) for your Facebook and Facebook Business accounts. This will make it much harder for a cybercriminal to gain access to your account even if they do steal your login credentials.

6. Don’t trust unusual requests 

Don’t trust any request for your login credentials, password, or MFA code that comes through Messenger. Facebook will never ask for that information through chat.

7. Prioritise privacy 

Keep your Facebook Business page set to the highest privacy and security settings. This alone should help keep you off most scammers’ radar.

8. Report anything fishy

Finally, report any suspicious activity to Facebook. Any examples you can provide are crucial to improving the platform’s security and rooting out malicious users.
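The URL check from step 2, as an added example that is not part of the original article: hovering over a link only helps if you read the hostname correctly, so this sketch shows which part of a URL decides where it goes. The allowlist entry and all sample links are assumptions constructed for illustration; the article does not list the official domains.

```python
from urllib.parse import urlsplit

# Assumption: the domains you treat as official. The article does not name
# them, so fill this set from the platform's own documentation.
OFFICIAL_DOMAINS = {"facebook.com"}


def check_link(url, official=OFFICIAL_DOMAINS):
    """Return (verdict, reason) for a link received in a message."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ("suspicious", "URL cannot be parsed")
    if parts.scheme != "https":
        return ("suspicious", "not an https link")
    if not host:
        return ("suspicious", "no hostname")
    if parts.username is not None:
        # Everything before '@' is login data, not the site being visited.
        return ("suspicious", f"text before '@' is not the site; real host is {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("suspicious", f"punycode hostname {host} may imitate another name")
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return ("suspicious", "non-ASCII hostname may imitate another name")
    for domain in official:
        # Match the domain itself or a true subdomain, never a mere substring.
        if host == domain or host.endswith("." + domain):
            return ("official", f"{host} belongs to {domain}")
    return ("suspicious", f"{host} is not on the official list")


# Constructed sample links (the .example hosts are reserved test names).
SAMPLE_LINKS = [
    "https://www.facebook.com/business/help",
    "https://facebook.com.account-verify.example/appeal",
    "https://facebook.com@login-check.example/",
    "https://notfacebook.com/",
    "http://facebook.com/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reason = check_link(link)
        print(f"{verdict:10} {link}  ({reason})")
```

The hostname is read from the right: a brand name appearing at the left of a longer hostname, or before an `@`, says nothing about where the link leads.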

As with all phishing attempts, Facebook Messenger for Business scams aren’t particularly sophisticated and can be avoided with a little vigilance. Follow the steps laid out above and you’ll be able to do business using Facebook safely and securely. 

Want to know more about the threats facing small businesses and how to guard against them? Check out our guide to protecting your business on a budget.

How to spot a malware attack on your business: 5 tell-tale signs

Like an unwanted guest causing friction at a party, malware can disguise itself, trick your employees, and cause problems for your business. Here are some tell-tale signs of malware attacks to help you detect threats and show them the way out. 

What is malware?

Malware is an umbrella term for malicious software that will harm your business systems. It’s designed to disrupt computers, networks, devices, and operations. 

5 signs of a malware attack

1. Your device’s performance will suffer

If you notice your device running slowly, crashing, or freezing, and it’s not a sluggish internet connection or because you’re next in line for a new machine from IT, then it might be malware knocking at your door. 

It’s difficult to define how obvious and extreme the disruption will be, as this depends on the type of malware. Some types will use up most of your computer memory, making it extremely frustrating to use your machine or run standard programs and apps like Microsoft Excel or web browsers.

2. Your interface will look different

If you notice your search engine wearing fancy dress, beware. We don’t mean a change like Google Doodles – look out for your default browser changing or redirecting you to another site, and new, unfamiliar browser extensions. This is known as browser hijacking – a form of malware that makes your browser malicious in order to compromise your systems.

Malware can also change or delete files, folders, or desktop icons, so if something looks odd or out of place, exercise caution. 

Want to improve your cybersecurity but not sure where to start? Check out our free guide to protecting your business on a budget.

3. Mysterious communications

Like someone sending a party invite on your behalf, malware can allow hackers to send emails, messages, or post on social media without your knowledge or consent. Keep an eye on any company or personal accounts you access from work devices to make sure all posts are legitimate. Check your email sent box, too. 

4. Unusual activity

Hackers may use malware to access your accounts, steal passwords, disable your security software to avoid being noticed, or connect to networks to compromise them. You might also notice unusual financial activity. Hackers achieve this using keyloggers – a type of malware that monitors your keystrokes, allowing cybercriminals to duplicate sensitive information like payment details and passcodes. 

If you notice any inexplicable traffic or activity on your accounts and security systems, flag the problem with your IT department or cybersecurity support provider.

5. Ransom demands

More like a loud intruder than a discreet party crasher, you can’t miss a ransom demand. A hacker will use ransomware to encrypt files, or even your entire computer, to stop you from accessing what you need. The hacker will then demand you pay a ransom for decryption, but there’s no guarantee paying will result in success – 92% of companies that pay ransom don’t get their data back, so be wary of trusting the word of a cybercriminal. 

Mighty malware attacks


NotPetya

In 2017, NotPetya, a Russian ransomworm, went global and caused widespread damage and disruption to businesses. It encrypted files and the hackers behind it demanded ransom for decryption. The attack, which cost $10 billion in total damages, according to a White House assessment, affected behemoths like Maersk, Reckitt Benckiser, and Mondelēz.


MyDoom

The worm – malware that can replicate and spread quickly – first emerged in 2004, but is still active today, and has cost an eye-watering $38 billion in damages. It works by sending an email with a malicious attachment. Once opened, the attachment downloads software that mines for email addresses and sends the virus to all your contacts, perpetuating the problem. MyDoom has also been used to take control of users’ computers and launch distributed denial of service (DDoS) attacks. In 2004, it took down Google for an entire day.

Show malware the door

Now you know the signs of a malware attack, what should you do if you experience one of them? Here are some quick actions that will help to slow or stop the spread of malware, like a bouncer protecting a venue from getting overcrowded with revellers:

  • Communicate the issue, following your business’ cybersecurity procedures
  • Disconnect from the internet
  • Don’t log in to anything 
  • Put your computer in safe mode
  • Run anti-malware software
  • Check and verify your web browser
  • Remove suspicious browser extensions
  • Clear your web browser cache

It’s vital that you communicate the incident to the colleague, department, or company that looks after your cybersecurity. If you have access to 24/7 cybersecurity monitoring, check with your provider; they may already be aware of the problem and working to solve it. Either way, working together and communicating effectively will help you to keep the malware at bay and limit damage to your company data.

IoT: The good, the bad, and the unsecured


As Black Friday and Cyber Monday approach, anticipation is growing for this year’s snips, steals and deals on Internet of Things (IoT) devices. However, amid the thrill of Black Friday bargains, it is crucial to exercise caution and consider the potential security implications associated with purchasing and deploying IoT devices. 

What is IoT?

The Internet of Things, commonly referred to as IoT, is essentially a web of gadgets that share information with each other and the cloud.

The concept first came about in 1982 when Carnegie Mellon University students linked the department vending machine to their computer, allowing them to check if drinks were in stock and chilled.

However, this wasn’t the first true IoT device, as Tim Berners-Lee’s World Wide Web was still seven years in the future. That honour goes to a toaster created in 1990 by John Romkey. This bizarre device was equipped with a crane system for inserting the bread.

IoT has continued to expand from here and, based on the most recent data, around 15 billion IoT devices are currently connected. It’s anticipated that this number will nearly double, reaching 29.42 billion by 2030.

Want to protect your business but not sure where to start? Check out our free guide to protecting your business on a budget.

Where is IoT used – The good, the bad and the bizarre

IoT is used in our homes, offices, manufacturing machinery, agriculture and more. More specifically, this includes smart home devices such as fridges and dishwashers, wearable technology like smartwatches, and medical devices, with pacemakers being a great example.

IoT has the potential to enhance our lives, for example by facilitating independent living for the elderly with conditions like dementia. This is achieved through IoT technology that gathers atmospheric data linked to residents’ movements within their homes. Should the activity drop below a certain threshold, a device will immediately notify family members or carers of a potential emergency.

Whilst working as a detective in the police, I saw IoT employed for malicious purposes on many occasions. One such occasion was when, following a recent relationship separation, the one-time couple had to maintain contact due to their young child. However, whilst Mum was out with her baby she would frequently bump into the child’s father.

After months of this and other strange activities occurring, it was discovered that a tracking device had been placed in the child’s pushchair. This shared real-time location updates and allowed impromptu meets between father and child.

As you might expect, there are also many bizarre IoT devices out there, including smart egg storage devices that can track the age of eggs and send alerts when your egg stock is running low. Although some may say that is a cracking idea!

IoT security vulnerabilities

A security vulnerability within an IoT device could be several things, from insecure default settings to a lack of physical security. A device that doesn’t require authentication allows anybody to log into it. Or, where log-in details are required, the device may use default credentials such as a username and password of ‘admin’.

Many of us will have IP (Internet Protocol) CCTV both in our homes and places of work. Vulnerabilities may exist in these too. Failing to ensure updates are applied to our CCTV could leave known vulnerabilities unaddressed, making it susceptible to exploitation. I have seen many cases of IP CCTV being hacked and people’s personal lives being streamed live on the internet for the world to watch.

What can we do to protect ourselves?

The first thing that we can all do, before we click buy on that new device, is to ensure that we are buying it from a reputable company. There are so many devices available to us for comparatively little cost. But buyer beware: often a low price can mean poor security.

Although we can’t all be expected to comprehend the intricate technical workings of our devices, we can develop a basic understanding of security best practices. This should help ensure that the IoT devices we bring into our homes or workplaces are safe.

So, what are some of the things you can do? In no particular order, here are some of the basic requirements for cybersecurity.

1. Change default passwords

Ensure that you’re using strong and unique passwords to access devices. If in doubt, use the NCSC’s ‘three random words’ approach.

2. Apply patches and updates

Security updates and patches are extremely important in fixing any vulnerabilities in the operating system or firmware installed on your devices. Without these patches, cybercriminals could easily exploit vulnerabilities to hack into your device. 

3. Configure your routers and firewalls to block external traffic

To keep IoT devices within your home safe, you must ensure that nothing outside your home network can connect to your device. By configuring routers and firewalls to block all external traffic you’ll prevent hacks.

4. Only purchase devices with high-level security protocols

Try and stick to devices with a connectivity protocol that is secure by design and uses a low data throughput such as LoRaWAN (long-range wide-area network). You should find these details in the specs of any reputable products.

5. Check your privacy settings

We’ve already mentioned passwords, but there are a few other things you can do to improve your privacy and security. First of all, set up multi-factor authentication (MFA) on all IoT devices, whether that’s biometric authentication (such as fingerprint or facial recognition), a one-time passcode, or security questions. 

MFA makes it much, much harder for any would-be hacker to gain access to your device even if they manage to find it on a network.  

Finally, the single most important thing that we can all do when it comes to security is to keep ourselves updated and aware of new and emerging threats. So, if you’ve read this far, well done.

What SMEs must know about supply-chain attacks

If a thief wants to enter a house, it’s unlikely they’ll choose to ring the doorbell. They’re going to climb through a half-opened window around the back. And if they’re careful enough, the homeowner is none the wiser.

The same principle applies in the cybersecurity landscape. Supply chain attacks have existed for some time, and are an infamous method of finding cybersecurity vulnerabilities to target seemingly secure businesses. Gartner predicts that by 2025, 45% of organisations globally will experience an attack on their software supply chain. Here’s how they work and what you need to know about them.

What is a supply chain attack?

A supply chain attack is when a cybercriminal exploits a vulnerability in a supply chain. Many businesses today are cybersecurity-savvy. The best prepared will have well-intentioned cybersecurity policies and regulations in place to manage their cybersecurity and keep problems at bay.

But most businesses don’t operate within silos. Your organisation probably relies on other businesses as part of your supply chain, or you form a part of another supply chain. This creates complexity when managing security credentials. Can you be assured that every business within your supply chain, from a payment processing provider to a manufacturer, is completely secure? 

Most organisations will manage compliance across their people, software, and processes, but this is difficult to extend to other points in the supply chain. This is the exact vulnerability criminals can exploit. 

Want to know more about the risks posed by supply chains? Check out our guide.

Examples of supply chain attacks

1. SolarWinds

No supply chain attack discussion can ignore the SolarWinds supply chain attack. SolarWinds is a major software company that specialises in network and infrastructure monitoring tools. In 2019, threat actors gained unauthorised access to SolarWinds’ networks, and in the following months injected malicious code into their software, Orion. Later in 2020, SolarWinds unknowingly sent out hacked code via software updates – installing malicious code onto customer devices that could be used to spy. This infected many significant organisations, from small businesses to government bodies.

2. Target 

Known as one of the earlier supply chain attacks, Target, a U.S. superstore retailer, was impacted in 2013. Cybercriminals exploited vulnerabilities in the retailer’s point of sale (POS) systems to retrieve information from 40 million customer credit and debit cards. This data breach has since cost the business nearly $300 million.

3. British Airways

In 2018, British Airways was unknowingly impacted by code that harvested customer payment data using their website payment page. The code routed credit card information to an external domain. This is known as skimming, when payment data is unknowingly collected during the online purchase checkout process. Magecart is suspected to be responsible for this skimming attack, and approximately 380,000 customers had their personal and financial data stolen.
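A defensive check related to the skimming pattern described above, as an added example that is not from the original article or from any of the companies named: it lists scripts on a checkout page that load from another host and carry no Subresource Integrity (`integrity`) attribute, which are the scripts a supplier compromise could change without the site owner noticing. The page URL, hostnames and HTML are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptAudit(HTMLParser):
    """Collect every <script src=...> on a page with its origin and SRI status."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        src = attr.get("src")
        if not src:
            return  # inline script: no external origin to check
        # Resolve relative and protocol-relative sources against the page URL.
        full = urljoin(self.page_url, src)
        self.findings.append({
            "src": full,
            "external": urlsplit(full).hostname != self.page_host,
            "has_sri": bool(attr.get("integrity")),
        })


def unpinned_external_scripts(page_url, html):
    """Return the URLs of third-party scripts that have no integrity hash."""
    audit = ScriptAudit(page_url)
    audit.feed(html)
    return [f["src"] for f in audit.findings
            if f["external"] and not f["has_sri"]]


# Constructed sample: a checkout page with four script tags and one inline script.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<script src="/js/cart.js"></script>
<script src="https://cdn.vendor.example/lib.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://analytics.thirdparty.example/tag.js"></script>
<script src="//widgets.other.example/pay.js"></script>
<script>console.log("inline");</script>
</head><body><form id="payment"></form></body></html>
"""

if __name__ == "__main__":
    for src in unpinned_external_scripts(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("third-party script without integrity hash:", src)
```

This reads static HTML only, so scripts injected at runtime and modified first-party files are not flagged by it.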

SMEs and supply chain attacks

Cybercriminals target large organisations due to the sheer volume of data they can exploit. But small and medium businesses are equally susceptible targets.

More than half (54%) of all U.K.-based SMEs experienced some form of cyber attack in 2022. Cybercriminals know that SMEs are more vulnerable as they might not have rigorous security credentials. Additionally, SMEs are often part of a larger supply chain, making them a great target. 

How to protect your SME from supply chain attacks

Manage your cybersecurity first

Consider your cybersecurity status first. A basic cybersecurity certification, such as Cyber Essentials, will cover everything your business should do to protect itself from cyberattacks. Being certified can reduce cyber risk by up to 98.5%, and can help you with important steps like staff training and long-term cybersecurity support. 

Check your suppliers

Request that your suppliers show evidence of cybersecurity management. A certification can be all they need to remain secure. Higher-risk suppliers should have correspondingly robust cybersecurity measures in place. If they don’t, this should raise alarm bells.

You should collaborate with every business in your supply chain, and the supply chains you are within, to emphasise the importance of cybersecurity credentials. You can even make cybersecurity part of your contractual agreements, so there’s less chance of a vulnerability in your supply chain.

Implement an early warning system

A supply chain early warning system (EWS) uses data to identify security threats in a supply chain. It analyses that data, notifies the system administrator, and suggests ways to mitigate the threat. An EWS reduces your reliance on human knowledge alone and can detect threats autonomously. As attacks become increasingly complex, this is a great way to cover all bases against an attack you might not have encountered before.

A supply chain attack could happen to you

But it doesn’t have to be that way. By ensuring your organisation is as secure as possible, and obligating your suppliers to do the same, you’re more likely to deter and mitigate the risk of a supply chain attack against your SME. This way, your business’s figurative back windows are firmly locked, so no burglars can get in – through the front door or the back.


5 steps to better supply chain security


It’s not an exaggeration to say that supply chains pose one of the greatest cybersecurity risks to any business. In recent years, there’s been a huge increase in attacks stemming from supply-chain vulnerabilities. According to IBM’s 2023 X-Force Threat Intelligence Index, more than half of security breaches are attributed to supply chain and third-party suppliers, at a high average cost of over $4 million. 

It’s a serious problem. And, like most small businesses, you’re probably asking what you can do about it. After all, looking after your own cybersecurity is tricky enough; how on earth do you start addressing gaps in your suppliers’ defences? 

To help you get started, we’ve put together 5 supply chain security best practices to strengthen your digital defences.


1. Protect your own business first 

This almost goes without saying, but before you delve into your supply chain, it’s worth considering your own cybersecurity status first. Is your business Cyber Essentials certified? Do you have security controls in place? Do you provide regular training for staff on cyber threats and best practices?

If you’ve answered no to any of the above, then these are great first steps in securing your business. And there’s a bonus to taking these measures first. By reviewing your own security, you’ll get a good idea of your business’s crown jewels – those critical aspects of your organisation that need the strongest protection.

2. Talk to your suppliers 

Progress begins with dialogue. So talk to your suppliers and partners about their cybersecurity. You may find that your business faces many of the same difficulties and threats. 

This can help you work together to ensure everyone in your supply chain works to the same security standards. And keeping dialogue open makes it much more likely that suppliers and partners will let you know faster if something goes wrong – protecting your business in the long run.

3. Make cybersecurity part of your contractual agreements 

Behavioural change often requires incentives. Once you’ve established what good cybersecurity looks like for your business, apply those principles to your partner and supplier contracts. 

How these agreements look will depend on your organisation. Requiring your partners to have a complete Cyber Essentials certification will be enough for some businesses. Others may need something more comprehensive, like ISO 27001 certification.

The important thing is that you make good cyber hygiene an expectation (rather than a nice to have) for anyone working with your business. By doing so, you not only incentivise good cybersecurity behaviours across your supply chain but also protect your business. 

4. Keep improving

Building a strong cybersecurity culture across your network takes time. It requires trust between businesses, and you can’t build that overnight. So persevere if your supply chain doesn’t immediately transform from leaky to locked down.

Cybersecurity is all about learning. As cyber threats evolve, so too do the methods for thwarting them. Stay updated with new threats and tweak and adapt your practices accordingly. You can then use this knowledge to update partners and suppliers and strengthen your supply chain.

5. Follow the NCSC’s new guidance 

Finally, if you’re looking for a framework to tie everything together, you could do a lot worse than the National Cyber Security Centre’s (NCSC) supply chain cybersecurity guidance.

The NCSC’s guidance breaks tackling supply chain security down into five basic steps (in case you were wondering where we got the idea from):

  1. Understand why your organisation should care about supply chain cybersecurity
  2. Develop an approach to assess supply chain cybersecurity
  3. Apply the approach to new supplier relationships
  4. Integrate the approach into existing supplier contracts
  5. Continuously improve

It’s a great place to start if you’re serious about tackling cybersecurity across your supply chain.

It’s a journey, not a destination

And remember, securing your supply chain is an ongoing process, but starting now is one of the biggest single investments you can make in protecting your business. Want to know more? Check out our new guide to protecting your business.


4 reasons why hackers attack the supply chain


You’re a hacker ready to launch an attack. What do you target? 

  • A: A single person or company that’ll get you a sizeable reward, if the attack is successful?
  • B: A supply chain that could get you access to hundreds, if not thousands, of companies and their data, if the attack is successful?

Supply chain attacks increased 633%, by 88,000 instances, in 2022. And it’s easy to see why.

With this increased risk, it’s good to understand what supply chain hacks are, why they happen, and how to protect your business from them as much as possible. 

What are supply chain hacks?

A supply chain hack is a type of cyberattack that targets organisations by exploiting weak links in third-party software, hardware, or services. In these cases, you could have very strong cybersecurity defences but suffer an attack because a supplier’s software has a vulnerability they weren’t aware of. Hackers use this to access your networks and data undetected and cause damage. 

Because these attacks are through legitimate supplier software/hardware, they can be more difficult to spot and stop. In the high-profile SolarWinds attack, it took months for professionals to understand how cyber criminals were gaining unauthorised access to networks and data.  

Why hackers attack supply chains

1. Collateral damage

By accessing a company that provides software or services to other companies, hackers can harm multiple targets in one hit. Instead of putting effort into attacking one company, they could potentially impact hundreds, if not thousands. Take the recent Okta attack as an example. Okta has 14,000 customers, and in one five-day attack, hackers impacted 366 of them.

This kind of attack doesn’t just cause immediate damage like data loss. It also causes long-term reputational challenges for suppliers. As supply chains rely on trust, customers lose confidence in their suppliers’ abilities to protect themselves, and therefore their customers, from cyber threats. 

2. Kudos 

Hacking is a skill – albeit a dangerous one in the wrong hands. And hackers have egos. If one can successfully infiltrate supply chains, access customer data, install malware, etc., on a large scale and cause widespread damage, they can brag about it. The bigger the attack, the better. 

3. Financial gain

A supply chain is a perfect place for a hacker to compromise cash flow and payment systems between multiple companies to gain access to sensitive financial information. They can divert payments, demand ransom, and leak/sell sensitive data on a large scale. The more money they can make, the more worthwhile the hack is.

4. Disruption and theft

As is the case with other types of cyberattacks, supply chain hacks cause a lot of disruption. Because so much data is available for exploitation in supply chains, cybercriminals attack them to get hold of vast amounts of personal data, intellectual property, and confidential business information. This…

  • severely disrupts and even stops operations
  • causes financial losses
  • damages trust
  • injures brand reputation

Safeguard your business against supply chain hacks

Few companies take steps to formally review risks in their supply chains – around one in ten businesses review the risks posed by their immediate (13%) and wider suppliers (7%). 

You need to work with suppliers and feel confident that they work to the same high standards as you. Supply chain attacks pose a very real threat, but don’t let it get to you. 

There are some simple and affordable ways to give yourself (and make sure your suppliers have) a good amount of protection against threats. 

One way is to get a Cyber Essentials certification. This is a government-backed scheme to help businesses protect themselves in five core areas:

  • Secure configuration
  • Malware protection
  • Network firewalls
  • User access controls
  • Security update management

Applying the five principles to how you work can reduce your cyber risk by 98.5% and give you the confidence and understanding you need to speak to your suppliers about their security practices.

Want to know more about the threat posed by supply chain attacks and learn how to protect your business? Check out our new guide for everything you need to know.


Press release: Over 1.1 million UK SMEs at risk of collapse during current economic uncertainty


Over 1 in 5 UK SMEs (21%) are worried that their business will not survive the current economic uncertainty or expect they will have to make a significant business pivot. This is according to a survey of a thousand SME senior leaders and decision-makers across the UK, commissioned by CyberSmart (and conducted by Censuswide).

The UK government estimates that the country is home to at least 5.5 million SMEs. If we were to extrapolate the findings, it could mean 1.155 million businesses are in a precarious position and risk collapse.

Remarkably, the survey also revealed that some SME senior leaders would go to great lengths to ensure the business’s survival. These behaviours range from engaging in cybercriminal activity and committing accounting fraud to neglecting compliance requirements.

Activities that SME senior leaders would consider engaging in include:

  • 15% would commit accounting fraud and lie to bankers/investors to secure funding or commit tax fraud/evasion (potentially equivalent to 825,000 SMEs)
  • 14% would cut employee salaries or benefits (potentially equivalent to 770,000 SMEs)
  • 11% would leverage proprietary information from partners/clients such as selling off the data (potentially equivalent to 605,000 SMEs)
  • 11% would neglect compliance requirements due to the additional costs they incur (potentially equivalent to 605,000 SMEs)
  • 10% would engage in cybercriminal activity such as hitting a rival company with a cyberattack (potentially equivalent to 550,000 SMEs)
  • 9% would mortgage their house (potentially equivalent to 495,000 SMEs)

SMEs decrease cybersecurity spending

Additionally, a third of SMEs have decreased cybersecurity spending due to the economic uncertainty. Or, more worryingly, admitted to never really investing in it.

In fact, as many as 42% of SME senior leaders do not believe it is worth investing in cybersecurity, with over 1 in 5 (21%) believing they are not a target. A further 16% claim it is not worth it because they have cyber insurance and 10% assert it is not a priority. Only 25% realised it was worth investing in cybersecurity because they could not afford to be breached.

CyberSmart CEO, Jamie Akhtar reacted with the following:

“As a business owner myself, I can understand the pressure many SME decision-makers are currently facing to keep their companies running and ensure their employees are taken care of, all while budgets tighten. It is during these times that emotions run high, and people might make irrational decisions that go against their own, and their company’s, best interest. It goes without saying that we would never condone criminal behaviour. Moreover, we would strongly recommend that businesses invest in cybersecurity and compliance.”

“The business ecosystem has become highly intertwined, so no business is immune from cyberattacks. In fact, SMEs could prove to be an easy entry point for cybercriminals looking to hit others within their supply chain, if they have weak cybersecurity postures. While cyber insurance is important for risk transfer, it should not be relied on either. A comprehensive and continuous cybersecurity and compliance strategy is needed to avoid a breach’s financial, reputational and even physical repercussions. Fortunately, there are solutions today that can help in doing so, without breaking the bank.”

Want to know more? Read the report in full here.


What is a watering hole attack and how can you prevent them?


In 2018, the Cambodian Ministry of Defence and several Vietnamese news outlets fell victim to a sophisticated cyberattack targeting multiple high-profile websites across Southeast Asia.

The attack went undetected for months, during which time anyone who visited the compromised sites was redirected to a page controlled by the hackers. From there, the hackers were free to distribute malware to the unfortunate victims. The notorious OceanLotus threat group claimed responsibility.

This technique is known as a watering hole attack, and OceanLotus was by no means the first group to target places people visit rather than the individuals themselves. In this article, we explain what a watering hole attack is, how it works, and how you can protect your business against one.

What is a watering hole attack?

Watering hole attacks are a type of third-party or supply chain attack. The hacker aims to install malicious software on the victim’s computer or gain access to their network by compromising websites they visit frequently. The consequences can be severe, ranging from theft of sensitive customer information to making the victim’s computer part of a botnet.

The name “watering hole attack” derives from nature. Over the aeons, lions and other predators have adapted their hunting strategies to conserve energy. Instead of chasing prey across the scorching African savanna, they simply wait for the zebra or gazelle to visit a watering hole and pounce while it’s busy drinking. 

Cybercriminals typically use watering hole attacks to target large, well-protected organisations, either by compromising an employee’s computer or a partner business further up the supply chain.

Watering hole attacks are difficult to detect because they harness the implicit trust people place in well-known organisations and institutions. And, because many attacks target vulnerabilities in browsers or systems, they have a high success rate.

Worried about the threat posed by supply chain attacks? Check out our guide to protecting your business.

How do watering hole attacks work?

The average watering hole attack unfolds over three stages. 

1. Reconnaissance

The hacker gathers intelligence about the target’s browsing habits. This can include a mix of publicly available information and illegally obtained private data. They can then use this information to create a shortlist of suitable sites to host the attack. Usually, these are sites with lower-than-average security.

2. Planning

Once the hacker identifies the most suitable hosting domains, it’s time to decide how to launch the attack. The two most common options are to:

  1. Probe the shortlisted hosting domains for any potential weaknesses the criminals can exploit to compromise the legitimate website.
  2. Create a spoofed version or clone of a shortlisted hosting site that contains malware.

Some cybercriminals may combine the two approaches to increase their odds of success. In this scenario, the hacker compromises a legitimate website and inserts a redirect code that sends victims to the fake site where the payload is delivered.

3. Design and execution

The hacker exploits any weaknesses to insert malicious code into the watering hole site or cloned website. Typically, this involves manipulating web technologies like HTML and JavaScript or using exploit kits that target specific IP addresses. When someone visits the compromised domain, their browser automatically downloads the malicious software. 

In the case of drive-by attacks, the hacker capitalises on the implicit trust users have in well-known websites by hiding malware in download buttons or links. When the victim clicks on the link, they inadvertently download the malicious software – often without even realising it. 

Remote access trojans (RATs) are a popular choice of malware among cybercriminals, as they grant access to the victim’s computer or systems.
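The redirect code and injected scripts described in the stages above, like the skimming code in the British Airways case, all appear as references from a trusted page to a host its owner never approved. As an added example (not from the original article or any vendor tool), this Python script audits a page's HTML for such references; the host names, allowlist and sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute that loads content from, or sends data to, another host.
URL_ATTRS = {"script": "src", "iframe": "src", "form": "action"}


class OffsiteReferenceAuditor(HTMLParser):
    """Collect references in one HTML page that point outside approved hosts."""

    def __init__(self, page_host, allowed_hosts):
        super().__init__()
        self.page_host = page_host.lower()
        self.allowed = {self.page_host} | {h.lower() for h in allowed_hosts}
        self.findings = []  # (line number, kind, host)

    def _host(self, url):
        # Relative URLs carry no host, so they resolve to the page's own host.
        return urlparse(url.strip()).hostname or self.page_host

    def _report(self, kind, host):
        self.findings.append((self.getpos()[0], kind, host))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = URL_ATTRS.get(tag)
        if attr and a.get(attr):
            host = self._host(a[attr])
            if host not in self.allowed:
                self._report(f"{tag}[{attr}]", host)
            elif tag == "script" and host != self.page_host and "integrity" not in a:
                # Approved third party, but no Subresource Integrity hash: the
                # browser will run whatever that host serves.
                self._report("script-without-sri", host)
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", a.get("content") or "", re.I)
            if m and self._host(m.group(1)) not in self.allowed:
                self._report("meta-refresh", self._host(m.group(1)))


def audit_page(html, page_host, allowed_hosts=()):
    """Return findings for one page as a list of (line, kind, host) tuples."""
    auditor = OffsiteReferenceAuditor(page_host, allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: a checkout page on shop.example (all hosts are made up).
SAMPLE_PAGE = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.partner.example/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.partner.example/widget.js"></script>
<script src="https://static.lookalike.example/lib.js"></script>
<meta http-equiv="refresh" content="0; url=https://mirror.lookalike.example/">
</head><body>
<form action="https://collect.lookalike.example/pay" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for line, kind, host in audit_page(SAMPLE_PAGE, "shop.example", {"cdn.partner.example"}):
        print(f"line {line}: {kind} -> {host}")
```

A static check like this cannot see references built at runtime or changes made inside first-party files, so it works best alongside a Content-Security-Policy and file-integrity monitoring.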

[Image: Watering hole attack. Source: Supply chain security guidance, National Cyber Security Centre]

How to prevent watering hole attacks

The first step is to familiarise yourself with cybersecurity best practices. Simple measures, like installing reliable antivirus software and upgrading your browser protection, can significantly reduce your cyber risk.

We recommend adopting these four measures, as a minimum.

Stay on top of system updates

Many cyberattacks work by exploiting unpatched vulnerabilities in operating systems, browsers, and software. And watering hole attacks are no different. By installing the latest security updates as soon as they become available, you can plug these gaps before cybercriminals have a chance to use them.

Regularly review and test your security

Many cybercriminals bank on the fact that most people think their antivirus software tackles threats for them. We recommend that you review your security tools, processes, and policies at least once a year to ensure you’re protected against the latest threats.

Educate and train your staff

The cybersecurity landscape is dynamic. Cybercriminals are constantly evolving their tactics and new threats emerge all the time. Then, there’s the human factor. According to Stanford University research, human error causes 85% of data breaches. Run regular training workshops to teach staff to identify suspicious activity, spot potential threats, and respond to cyber-attacks.

Get Cyber Essentials certified

Cyber Essentials is a government-backed scheme that provides a simple framework to help businesses protect against cyber-attacks. It’s separated into five technical controls:

  • Secure configuration
  • Malware protection
  • Network firewalls
  • User access controls
  • Security update management

Cyber Essentials is a more affordable option than advanced certifications, like ISO 27001. It’s also faster and less intensive, so it’s a good place to start. With the right guidance and support, you can become certified in just three days. This makes it the perfect solution for SMEs.

For more advanced recommendations, read the National Cyber Security Centre’s (NCSC) 12 principles of supply chain security.

It’s a jungle out there

Watering hole attacks are no longer a niche threat. Forbes named them as one of the top ten cybersecurity threats of 2022, reflecting the increase in supply chain attacks in recent years. 

The key thing to remember is that you’re not powerless. By adopting the measures we’ve recommended here, you can minimise your cyber risks and ensure you don’t fall prey to digital predators.
