In 2019, a business will fall victim to a ransomware attack every 14 seconds according to the Official Annual Cybercrime Report, with predictions that cybercrime will cost the world in excess of $6 trillion annually by 2021.
Research by global insurer Hiscox found that 55 per cent of businesses had suffered a cyber-attack in 2019, up from 40 per cent the previous year. The figures are based on a survey of more than 5,400 small, medium and large businesses across seven countries: the UK, Germany, the US, Belgium, France, the Netherlands and Spain.
While the figures show that the risk of a cyber-attack is increasing, UK businesses have been identified as having the lowest cyber security budgets, despite the rising financial impact. Many owners assume a smaller business is a smaller target. According to the Federation of Small Businesses (FSB), however, small businesses in the United Kingdom are the victims of repeated cyber-attacks, with around 10,000 attacks occurring every day.
A recent government survey estimated that the average cost of a small business's worst cyber-attack is between £65,000 and £115,000. The most common form of attack is ransomware: malicious software that gets into your IT systems, encrypts your files and denies you access to your own data until a sum of money is paid. The attacker promises to hand over the decryption key once paid, but there is no guarantee they will; some never do, and some come back to demand a larger amount.
In the case of Norwegian aluminium giant Norsk Hydro, which suffered a ransomware attack in March 2019, the cost of recovery has totalled more than £50m: the attack halted production lines and locked staff out of their computers, and the company had to rebuild its IT estate rather than pay.
Research from business and financial adviser Grant Thornton UK LLP found that many businesses are not prepared to manage cyber risks. Its survey of over 500 UK mid-market companies revealed that only 36 per cent had provided cyber security training to their employees, and 59 per cent had no plan in place for what to do should a cyber incident happen.
Running outdated, unpatched software on internet-connected systems poses a serious risk to organisational security. The key example is the WannaCry ransomware of May 2017, which cost the NHS an estimated £92m and spread by exploiting a vulnerability in the Windows implementation of the SMBv1 file-sharing protocol. Microsoft had fixed the flaw in March 2017 (security bulletin MS17-010), two months before the attack, and so the NHS was criticised for running outdated IT systems, including Windows XP, a 2001-era operating system that had received no security updates since Microsoft retired it in April 2014. Microsoft did issue an emergency WannaCry patch for Windows XP after the outbreak, but an unsupported operating system cannot normally be patched at all, which is why it should not sit on a business network.
While keeping business-critical systems up to date should form a central part of any cyber security strategy, having the best technology does not address the human element. Cyber criminals continue to use ransomware to compromise businesses, and it is typically delivered via phishing emails. When a user opens an attachment or follows a link in the email, the malware is downloaded and run under that user's account; it then encrypts every file that account can write to, including shared network drives, and blocks access to vital systems until a payment is made. That last point is worth remembering when assigning permissions: the malware can only reach what the user who opened it could reach.
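A concrete illustration of the attachment check a mail gateway or a helpdesk script can perform on phishing emails of the kind described above. This is an added example, not code from the original article or from any product it mentions; the list of risky file types, the magic-byte table and the sample message are all constructed for the demonstration and are deliberately short. It uses only the Python standard library.

```python
"""Triage e-mail attachments for common ransomware delivery tricks.

Added example (not from the original article).  The risky-extension list
and the sample message below are illustrative assumptions.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# File types that commonly carry droppers or macros (assumed, not exhaustive).
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".iso", ".img", ".docm", ".xlsm",
    ".pptm", ".dotm",
}

# What a file claiming this extension should start with.
EXPECTED_MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
PE_MAGIC = b"MZ"  # every Windows executable starts with "MZ"
PE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}


def triage_attachment(filename, data):
    """Return a list of reasons this attachment looks dangerous (empty = clean)."""
    reasons = []
    root, ext = os.path.splitext(filename.lower())
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"risky file type {ext}")
    # "invoice.pdf.exe": Windows hides known extensions, so the user sees a PDF.
    inner_ext = os.path.splitext(root)[1]
    if inner_ext and inner_ext != ext:
        reasons.append(f"double extension {inner_ext}{ext}")
    # The content, not the name, decides what Windows will do with the file.
    if data.startswith(PE_MAGIC) and ext not in PE_EXTENSIONS:
        reasons.append("content is a Windows executable but the name says otherwise")
    expected = EXPECTED_MAGIC.get(ext)
    if expected and not data.startswith(expected):
        reasons.append(f"content does not match the {ext} file header")
    return reasons


def triage_message(raw_bytes):
    """Parse an RFC 822 message and return {filename: [reasons]} for suspect parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reasons = triage_attachment(name, payload)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message():
    """Constructed demo phishing e-mail; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    # Benign PDF with a correct header.
    msg.add_attachment(b"%PDF-1.4 demo", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # Macro-enabled Word document: a zip container, so the header is fine,
    # but the type itself is risky.
    msg.add_attachment(b"PK\x03\x04 demo", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    # Executable disguised with a double extension.
    msg.add_attachment(b"MZ\x90\x00 demo", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    # "PDF" whose bytes are actually a Windows executable.
    msg.add_attachment(b"MZ\x90\x00 demo", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in triage_message(build_sample_message()).items():
        print(name, "->", "; ".join(why))
```

The magic-byte check matters more than the name check: an attacker controls the filename, but a Windows executable still has to begin with `MZ` to run. The double-extension rule is a heuristic and will also flag harmless names such as `archive.tar.gz`, so treat it as a reason to quarantine for review rather than to block outright.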
It is essential for businesses to create a strategy that allows them to prepare for, prevent, detect and respond to a cyber-attack.
Have you carried out an assessment of all the possible entry points to your computers or mobile devices – including information held by third-party vendors? Have you created a business security plan? Have your employees been trained to know how to spot a phishing email? Do you have anti-virus solutions on all your systems and are your software and web browsers up to date?
In terms of your data, what is your backup strategy? Do you have an offline copy (a backup that is not directly connected to your network) to recover from if ransomware strikes? A backup that is reachable over the network, such as a mapped drive or an always-connected USB disk, will usually be encrypted along with the originals. What is the backup frequency? Are you including key machines (such as the PC running your accounts package) in the backup? And have you actually tested a restore, so you know the copy is intact and complete rather than assuming it is?
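The questions above are only answerable if the backup is checked rather than assumed. The following added example, which is not from the original article, shows one way to do that: record a hash of every file when the backup is taken, then verify the copy against that record and against the backup frequency the business has committed to. Everything runs in a temporary directory with constructed sample files; the manifest format, the directory layout and the 24-hour threshold are assumptions for the demonstration, and the "ransomware" is a toy that simply scrambles and renames files.

```python
"""Check that a backup copy is intact and recent enough to recover from.

Added example, not from the original article.  Runs entirely in a
temporary directory on constructed sample data; the manifest format and
the age threshold are assumptions.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(src_dir, manifest_path):
    """Record a hash of every file under src_dir at backup time."""
    entries = {}
    for root, _, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            entries[os.path.relpath(full, src_dir)] = sha256_file(full)
    with open(manifest_path, "w") as f:
        json.dump({"taken_at": time.time(), "files": entries}, f)


def verify_backup(backup_dir, manifest_path, max_age_hours, now=None):
    """Return a report saying whether this copy is usable for recovery.

    Usable means every file still matches its recorded hash (nothing has been
    encrypted, truncated or deleted) and the copy is no older than the backup
    frequency the business committed to.
    """
    now = time.time() if now is None else now
    with open(manifest_path) as f:
        manifest = json.load(f)
    missing, corrupted = [], []
    for rel, digest in manifest["files"].items():
        full = os.path.join(backup_dir, rel)
        if not os.path.exists(full):
            missing.append(rel)
        elif sha256_file(full) != digest:
            corrupted.append(rel)
    age_hours = (now - manifest["taken_at"]) / 3600
    return {
        "missing": sorted(missing),
        "corrupted": sorted(corrupted),
        "age_hours": age_hours,
        "too_old": age_hours > max_age_hours,
        "usable": not missing and not corrupted and age_hours <= max_age_hours,
    }


def simulate_ransomware(directory):
    """Toy stand-in for file-encrypting malware: scramble and rename each file."""
    for root, _, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as f:
                data = f.read()
            with open(full + ".locked", "wb") as f:
                f.write(bytes(b ^ 0x5A for b in data))  # not real encryption
            os.remove(full)


def demo():
    """The network-attached copy gets hit; the offline copy survives."""
    work = tempfile.mkdtemp()
    try:
        live = os.path.join(work, "live")
        os.makedirs(live)
        with open(os.path.join(live, "accounts.csv"), "w") as f:
            f.write("invoice,amount\n1001,250.00\n")  # constructed sample
        with open(os.path.join(live, "contracts.txt"), "w") as f:
            f.write("constructed sample data\n")
        manifest = os.path.join(work, "manifest.json")
        write_manifest(live, manifest)
        online = os.path.join(work, "online_backup")
        offline = os.path.join(work, "offline_backup")
        shutil.copytree(live, online)
        shutil.copytree(live, offline)
        # Ransomware reaches the live data and everything mounted alongside it.
        simulate_ransomware(live)
        simulate_ransomware(online)
        with open(manifest) as f:
            taken_at = json.load(f)["taken_at"]
        return {
            "online": verify_backup(online, manifest, 24, now=taken_at + 3600),
            "offline": verify_backup(offline, manifest, 24, now=taken_at + 3600),
            "stale_offline": verify_backup(offline, manifest, 24, now=taken_at + 48 * 3600),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, "usable:", report["usable"], report)
```

Keep the manifest with the offline copy, not on the live network, or the attacker can tamper with both. Running this check on a schedule, and alerting when `usable` turns false, turns the backup question into something measurable rather than a box ticked once.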
How secure is your environment? Is two-factor authentication switched on for sensitive accounts, such as email, remote access and online banking? Does every user have an individual account rather than a shared login, and is the password policy for those accounts sufficient?
You can also increase the protection of your networks, including wireless networks, against external attacks using firewalls, proxies and access lists, for example, and by blocking services such as file sharing and remote desktop from the internet unless there is a specific need. For home and mobile working, ensure that sensitive data is encrypted when stored on the device and when transmitted online, so that it can only be read by authorised users.
Choosing the right cyber security tools for your business, and using them consistently, is what ultimately makes a cyber security strategy succeed.