So you’re a small or medium organisation that is sustainability oriented? Great to meet you! At Practical InfoSec, we aim to be of assistance for organisations that are leaving a positive footprint in their respected industry.
You may be forgiven for not having Cyber Security at the helm of your organisation, and we empathise. The UK’s 2022 Cyber security breaches survey concluded that It is more common for medium and large businesses to class Cyber security as high priority (at 95% for large businesses and 92% for medium businesses, vs. 82% overall).
We get it, Cyber security on face value sounds like a scary operation that should be left to the tech-minded, however, we want to challenge this notion. This article should provide you with an education on the common security threats your organisation may face, and what steps you can implement to overcome them.
The construction of this blog post is mainly built in reference to the UK’s 2022 Cyber security breaches survey. In addition, other industry reports, such as Verizon’s 2021 Data Breach Investigation Report (DBIR), will also be referenced to create an overall picture. Both of which we have summarised and simplified here and here.
The UK’s 2022 Cyber breaches survey is an appropriate place to start, as it’s full of recent key figures that are worth noting. Firstly, it was reported that 39% of the businesses surveyed had identified a cyber attack in the past 12 months. Worryingly, within this group, it was highlighted that 31% estimate they were attacked at least once a week. It’s fair to say that this is a high proportion of UK businesses identifying attacks - these are likely larger organisations with mature security teams and processes in place - and furthermore, the frequency of the attacks is very high.
You may think that as a small business you’re less likely to be susceptible to a cyber attacker, what could they possibly seek to gain when they could instead target larger firms? However, Verizon's 2021 DBIR estimates that businesses with up to 50 employees have between 75% - 100% probability of receiving a malicious URL. It is essentially a myth that small businesses are not a target for a cyber attacker, let's break down some of the threats:
One of the biggest and most common cyber threats is Phishing. The NCSC defines Phishing as “when attackers attempt to trick users into doing 'the wrong thing', such as clicking a bad link that will download malware, or direct them to a dodgy website”. These attempts are usually sent to individuals through a deceptive email, thus allowing a cyber criminal to steal personal information or “phish”. The UK Cyber breaches survey reported that of the 39% of UK businesses who identified an attack, the most frequent attack type was phishing attempts (83%).
The reason why Phishing is the most common attack type is due to it being the most frequent method pursued by cyber criminals. Cisco reported that 86% of organisations had at least one user try to connect to a phishing site. This is alarmingly high however, there are vast resources available for mitigation, check out the NCSC’s guidance here. Furthermore, initiatives such as Google’s Phishing Quiz provide an interactive way of engaging and educating employees on phishing attacks..
Another threat that needs to be highlighted is Ransomware. The UK Cyber Breaches defines Ransomware as “a type of malicious software designed to block access to a computer system until a sum of money is paid”. It’s frequent too, Verizon’s DBIR states “The novel fact is that 10% of all breaches now involve Ransomware”. This is a similar case in the UK as the NCSC reported on a recent study that found Ransomware attacks have increased by 100% between 2020 to 2021, rising from 326 to 654 incidents. The sectors impacted included finance, education and insurance among others.
However, not all attacks are the result of highly sophisticated and calculated methods or attackers. We cannot discount the ability to make mistakes (defined as error breaches by Verizon) that pose a security threat. Figure 36 on Verizon’s 2021 DBIR showcases that the most common data types in an error breach are personal, medical and credentials. These are useful for financial fraud down the line, whilst also having resale value.
The Risks as a result:
The risk of sensitive data ending up in unauthorised hands can be colossal for your business. Confidential data leaking can result in significant financial loss and reputational damage. As mentioned above, stolen data has significant monetary value. Many underground marketplaces exist where such data is sold and exchanged. One example of this, although recently shut down, was the popular platform Raidforums, which boasted more than 530,000 registered members. This forum offered access to multiple high-profile database leaks, leading to many potential crimes such as fraud.
Verizon’s 2021 DBIR highlighted that data breaches are mostly financially motivated, so we can see that cyber criminals are usually looking to steal sensitive data for financial gain. This would make sense given the immense popularity of a marketplace like Raidforums.
Now let's move onto the financial risks for businesses. The UK 2022 Cyber breaches survey stated that the average cost of all cyber attacks in the last 12 months was £4,200. This figure rises to £19,400 when factoring just medium and large businesses.
When breaking down the financial risks, one layer to be aware of is the fines/penalties a business can receive in wake of a data breach. The Information Commissioner’s Office (ICO) is an example of a regulatory body operating within the UK, who can impose fines on an organisation that fails to adhere to GDPR. The ICO usually requires an organisation to report a data breach within 72 hours of discovery. They state that “the higher maximum amount, is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher”. Fines are rare and unlikely for smaller organisations, but they do occur. An example of this was seen when the ICO fined the charity Mermaids £25,000 for exposing sensitive personal information. A list of monetary penalties conducted by the ICO can be found here.
Another risk businesses tend to face due to a cyber attack is reputational damage. UK telecommunications firm TalkTalk saw this when they suffered a cyber breach in 2015, which resulted in a cost of £60m and loss of 101,000 customers. TalkTalk’s poor management of the situation, refusing to let people terminate without incurring costs along with many other poor decisions, were also factors into the loss of customers. This case study is a prime example of the reputational risk a business can face due to a cyber attack; The initial attack, the management of the situation and the aftermath all require vital decision making in order to suppress the damage.
So what can you do?
So hopefully this article gave an insight into what security threats exist for small organisations. However, you may be left wondering what steps can you implement to bolster your cyber security. Unfortunately, being 100% secure (if such a thing exists) is unattainable and risks can differ depending on the context of your organisation, however, we can still provide you with some recommendations to take away.
Firstly, we would recommend you document the five most important digital assets your organisation needs to operate. An organisation is best placed to have effective security when it first identifies what it needs to protect. We created a simple exercise to help you do this at the end of this article.
Secondly, conduct (or engage an expert to conduct) a Cyber Risk Assessment against those assets. This step will allow your organisation to calculate key cyber risks, and, if you are not comfortable with them, the best approach in reducing the likelihood and impact of these risks. If this is something your organisation would like advice on, you can contact us here.
We also recommend having established preparation for a cyber attack, in order to ensure effective decision making during an incident. This can be done by creating guidance such as an incident response plan. The NCSC provides guidance on how to create an incident response plan, which can be found here.
Mini Exercise: Define your organisation's key assets
An exercise we propose for you to undertake is to identify the key assets within your business and prioritise by them:
Firstly, look at all assets within the digital space of your business and create a basic inventory.
Categorise what you identify as your top 5 digital assets (by value, functionality, importance to the business etc.) The context of your organisation will matter here. Whatever industry your organisation sits within, you will always have a bank account, employee data and a website to protect. More specifically, businesses in renewable energies may have a lot of intellectual property, a business in manufacturing may class key machinery as their assets and an eco cosmetics company may class their website as a critical asset.
Following this exercise will enable you to identify which assets need the utmost cyber security protection in your organisation.
Take this list to your technical team or IT provider and seek to understand how protected the assets are against security risks, starting with those we discussed in this article.