Cyber attacks can happen to any business at any time. Cyber crime is a form of organised crime, it is rife, and the criminals are becoming ever more prolific and ingenious. A data breach can cost a business millions of dollars in forensics, legal fees, data recovery, patching of neglected infrastructure and, last but by no means least, reputational damage. Consumers lose faith in a brand the moment they learn that dealing with it could put them at risk, and rightly so. So it is putting it mildly to say that a breach is something to be avoided at all costs. Yet, worryingly, huge corporations are being successfully held to ransom by criminals who demand millions for the safe return of data. One reason businesses pay is the fear of public repercussions: the worry that disclosure of the attack could harm the brand more than the ransom costs.
A 2021 study by Cloudwards found that 37% of businesses and organisations had been hit by ransomware; 32% of those paid the ransom but recovered only 65% of their data (Source: Heimdal Security). In January 2022 the luxury Italian fashion brand Moncler apologised to customers after a cyber attack led to customer data being published on the dark web. The brand was held to ransom but refused to pay. It stated that there was no impact on the group’s economic results, that a team of cyber security experts had contained the attack and that IT security measures had been strengthened.
In 2019 banking group Capital One suffered a data breach involving over 100 million customers in the US and Canada. The company issued a statement confirming the likely costs to its business of dealing with the incident would be around US$100-US$150 million, to pay for “customer notifications, credit monitoring, technology costs, and legal support.” The immediate reputational damage was seen through the hit on the share price. The company’s share price slid by 6% in the immediate aftermath of the breach, with one analyst reported as saying: “This headline is not a good one for Capital One. We worry about longer term reputational damage and also the potential for political and regulatory actions, including penalties.” (Source: Aon).
CRM company HubSpot reported a hacking attack on March 18, 2022, in which a “bad actor” compromised an employee account and used it to steal data from about 30 customers. The customers targeted are active in the cryptocurrency industry (HubSpot, 2022).
Even having to be put in the position of apologising for something can generate bad press, a bad reputation, and is, frankly, bad for business. The risks of inaction are quite clear.
What constitutes a cyber attack?
A cyber attack is a set of actions to gain unauthorised access to a computer, confidential data, computing system or computer network with the intent to cause damage. Millions of organisations of every size across the globe experience attacks every day, from simple phishing emails to intricate, detailed operations masterminded by criminal gangs, and for every vulnerability fixed, another pops up, ripe for exploitation.
To keep ahead of this threat organisations need to stay ahead of the curve, and when the criminals are so inventive we appreciate that this is no easy task. Cyber security does not have to cost vast amounts of money or take a short ice age to implement, either. It is a more than worthwhile endeavour: regardless of the size of your organisation, improving cyber security protects your data and that of your clients, improves business relationships and opens the door to new opportunities (Calder, 2020).
Cyber security risk
Being aware of what is a risk and what is a threat to your business is key. Risk arises from the combination of a threat and a vulnerability. A threat is a malicious act that seeks to damage or steal data, or to disrupt digital life in general; it includes computer viruses, data breaches, Denial of Service (DoS) attacks and other attack vectors. A vulnerability is a weakness or flaw in a computer system that a threat can exploit.
Essentially, every company must examine where its own risks lie and which of them are most likely to come under attack. The figure below shows how often organisations reported breaches or attacks in the last 12 months, based on 654 businesses and 183 charities (Source: Department for Digital, Culture, Media and Sport, 2021).
No matter the field your organisation operates in, there is a good chance your products or services rely on components, or even whole products, produced by third parties. No doubt you also share data, via email perhaps, or through a dedicated vendor portal. This connectivity brings great benefits, but it also exposes you to greater risk. Information security therefore matters so that you can maintain confidentiality, integrity and availability, the three essential characteristics of information. Together these are known as the CIA triad (also called the CIA triangle or security triad), which is widely accepted as a model in information security (Gupta & Goyal, 2020):
- Confidentiality: protect data from those who are not authorised to view it
- Integrity: prevent data from being modified in an unauthorised or undesirable way
- Availability: make sure data can be safely accessed when it is needed.
Does size matter when it comes to cyber attacks?
You might think small companies are unlikely targets for cyber criminals, but you would be wrong. The US National Cyber Security Alliance has been quoted as finding that 60% of small companies hit by a cyber attack are out of business within six months (Miller, 2017), and in Verizon’s 2020 Data Breach Investigations Report roughly one in three of the organisations breached was a small to midsize business (DBIR, 2020).
Cyber criminals often prefer small companies to large corporations. Small companies hold data that is easy to sell on the dark web, such as medical records, credit card details, social security numbers, bank account credentials or proprietary business information, and they are usually easier to break into because they have no dedicated in-house IT support, no security infrastructure and no proper cyber security training. As a result, employees create vulnerabilities by making mistakes or by failing to store information securely, and criminals take their chance. Simply getting clued up on the widely recognised hacking methods used in cyber attacks (an internet search is a good place to start, or ask your resident IT expert or team) and the basic strategies to counter them can help a company avoid becoming the next data breach headline.
What types of cyberattacks are out there?
Phishing
Attackers most often target people rather than computer systems, sending fake emails to trick an individual into clicking a suspicious link or downloading a malicious file. More than 95 percent of phishing arrives by email. Scammers often pretend to be a boss or colleague and use their target’s real name to create a sense of security. Recently, one of my colleagues at SmallGiants received a phishing email in which the attacker used our CEO’s name as the sender to make it appear legitimate. Fortunately we had been given instructions and training on possible cyber attacks, so we knew what to look out for and what action to take, or rather not to take. Essentially: don’t click on the link.
Software vulnerabilities
Exploiting software vulnerabilities is increasingly popular in the cyber crime sphere. A vulnerability is a defect in software that can let an attacker take control of your system from afar. Attackers discover vulnerabilities by scanning your systems; the scan results tell them which software and versions you run, and therefore which attacks to launch against it, and you will not even know they are doing it. Often they simply watch what you are doing to glean valuable information. The best way to manage this weakness is to prevent it in the first place, by keeping software patched so that known defects are fixed before anyone can exploit them.
Malware
Malware covers viruses, worms, trojans, ransomware and other malicious software, including the tools used in advanced persistent threat (APT) campaigns. Malware is anything designed to live ‘in stealth’ on a target network and cause harm. Knowing how to detect its presence on your computers can save you from irreversible damage.
Ransomware is currently the most damaging form of malware: it encrypts your data and demands payment for its return. A worm is malware that replicates itself from computer to computer across a network without any human interaction. A virus is malicious code attached to a host file; it runs when that file is opened and can do similar damage to a worm, but it needs someone to run the infected file in order to spread. A trojan horse looks like a legitimate program but carries out malicious activity in the background instead of, or as well as, the operation the user expects.
Figure: percentage of organisations, among those that identified any breach or attack in the last 12 months, reporting each type of attack. Based on 654 businesses and 183 charities (Department for Digital, Culture, Media and Sport, 2021).
As well as these, other types of cyber attack have risen over the years, such as:
- Denial-of-service attacks: flooding servers with traffic until legitimate users cannot get through,
- SQL injection: smuggling SQL commands into a database query through unvalidated user input, so that the attacker can read or alter data they should not be able to reach,
- Zero-day exploit: targeting a vulnerability before the vendor has released a fix,
- DNS tunnelling: hiding other protocols’ traffic inside DNS queries and responses to slip data past network controls.
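To make the SQL injection item concrete, here is an added example (written for this article, not code from any of the companies mentioned) of a login check done the injectable way and the safe way. It uses an in-memory SQLite database with one constructed account; the “hash” string is a placeholder, not a real password hash.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed demo data: one account in an in-memory SQLite database.
    The 'hash' is a placeholder string, not a real password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO users VALUES (?, ?)", ("alice", "hash-of-alices-password")
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """The injectable version: user input is pasted into the SQL text, so a quote
    character in the input changes the structure of the query itself."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """The fixed version: the SQL text is constant and the values are bound as
    parameters, so the database never interprets them as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


def demo() -> dict:
    conn = build_demo_db()
    legit = ("alice", "hash-of-alices-password")
    # Closes the string after 'alice' and comments out the password check:
    #   ... WHERE username = 'alice' --' AND password_hash = 'wrong'
    comment_trick = ("alice' --", "wrong")
    # Makes the WHERE clause always true:
    #   ... WHERE username = '' OR '1'='1' AND password_hash = '' OR '1'='1'
    tautology = ("' OR '1'='1", "' OR '1'='1")
    return {
        "vulnerable_legit": login_vulnerable(conn, *legit),
        "vulnerable_comment_trick": login_vulnerable(conn, *comment_trick),
        "vulnerable_tautology": login_vulnerable(conn, *tautology),
        "safe_legit": login_safe(conn, *legit),
        "safe_comment_trick": login_safe(conn, *comment_trick),
        "safe_tautology": login_safe(conn, *tautology),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} {'logged in' if ok else 'denied'}")
```

The vulnerable function lets both injected inputs log in as alice without the password; the parameterised function lets only the genuine credentials through. The same rule applies to every database and language: never build a query by gluing user input into the SQL string.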
Man-in-the-middle attacks are another of these developments (Jay & L, 2019). The name refers to an attacker who intercepts the communication between two parties and reads, alters or replays the content while relaying it on, so that each party believes it is talking directly to the other. What is critical to the scenario is that the victim is not aware of the man in the middle.
For example, say you receive an email that appears to come from a marketing software company you work with, asking you to log in to your account or to sign in with your Gmail. You click a link in the email and are taken to what looks like the Gmail login screen, you log in and, hey presto, the attackers have your credentials. One does not have to be an expert in cyber security to minimise the risk of such attacks, and there are some simple precautions that can be taken.
Two-factor authentication
Also known as two-step verification, and a form of multi-factor authentication (MFA). 2FA or MFA can cut the risk of account compromise by around 99 percent, because a stolen password on its own is no longer enough. When 2FA is enabled, after the user has logged in successfully with their username and password a one-time code is generated on, or sent to, another device assigned to the user, most likely an authenticator app on their smartphone or a text message. The user is then asked to enter that code before access is granted as usual. Authenticator apps and hardware security keys are stronger than SMS codes, which can be intercepted or redirected by SIM swapping. To avoid any kind of unauthorised access, SmallGiants requires employees to activate 2FA on all SmallGiants accounts.
Think before you act
Always think before clicking a new link you receive by email or on the internet. The sender may pretend to be your email provider, your boss or your spouse, and the message may claim it needs your information because you have been a victim of cyber crime. Attackers often design a page to look almost identical to the legitimate one, asking you to enter your password or other sensitive information such as a social security number or credit card number. The quickest way to check whether a page is genuine is to look at the URL in your browser’s address bar: the part that matters is the domain name immediately before the first single slash, not a familiar name that appears earlier or later in the address. Around 90 percent of cyber attacks start with a phishing link.
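The “check the URL” advice is easier to follow once you see how a browser actually picks the host out of a link. The following added example (written for this article, not part of any product) parses a link the way the browser does and flags the usual phishing tricks: a trusted name buried in a longer hostname, a trusted name placed before an “@”, plain http, and punycode labels that can hide look-alike characters. The trusted-domain list and sample links are constructed for the example, and the “last two labels” rule for the registrable domain is a deliberate simplification.

```python
from urllib.parse import urlsplit

# Constructed trusted list for the example; a company would maintain its own.
TRUSTED_DOMAINS = {"google.com", "hubspot.com"}


def registrable_domain(hostname: str) -> str:
    """Simplification (assumption): treat the last two labels as the registrable
    domain. Real code should consult the Public Suffix List, because names such
    as 'example.co.uk' have three labels."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str, trusted: set = TRUSTED_DOMAINS) -> dict:
    """Extract the hostname the way the browser will, then report the common
    phishing tricks. Returns the host, its registrable domain, the findings and
    an overall verdict."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not https")
    if parts.username is not None:
        # Everything before '@' is a username; the browser connects to `host`.
        findings.append("text before '@' is a username, the real host is " + host)
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label: characters may be look-alikes")
    domain = registrable_domain(host)
    if domain not in trusted:
        findings.append("domain '" + domain + "' is not a trusted domain")
    return {"host": host, "domain": domain, "findings": findings, "ok": not findings}


# Constructed sample links: one genuine, the rest shaped like phishing lures.
SAMPLE_LINKS = [
    "https://accounts.google.com/signin",
    "https://accounts.google.com.login-verify.example/signin",
    "https://accounts.google.com@evil.example/signin",
    "http://google.com/verify",
    "https://xn--80ak6aa92e.com/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = check_link(link)
        print(("OK   " if result["ok"] else "WARN ") + link)
        for finding in result["findings"]:
            print("       - " + finding)
```

Only the first sample passes. The second and third both start with “accounts.google.com” and still go to someone else’s server, which is exactly what the eye misses when it only reads the beginning of an address.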
Create unique and strong passwords
We often use the same password across every website and system, and most of the time those passwords are quite predictable. Best practice is a long password with a mix of lower-case and upper-case letters, numbers and special characters, and a unique password for every account; a password manager is what makes that practical. Using a weak password, or reusing one password across different apps, is like locking your door but hanging the key on the doorknob, or sending a copy of the key to everyone.
Use up-to-date software
Keep all operating systems, applications and browsers updated. Turn on automatic updates for all devices, applications and operating systems so that you are always running the newest versions. If you are not patching your programs regularly you are not protected by the latest security fixes, which leaves you very vulnerable to attacks on known vulnerabilities.
Figure: the most disruptive breach or attack in the last 12 months, by type. Based on 627 businesses and 182 charities that described their most disruptive breach or attack; the unlabelled bar is 1% (Department for Digital, Culture, Media and Sport, 2021).
Secure your network and devices
Securing your Wi-Fi network with current encryption (WPA2 or WPA3) and a strong passphrase is one of the most effective things you can do for your systems’ security. Several users sharing the same login can put your business at risk, so organisations should ensure that every employee has their own account for every application and program; that way access can be revoked for one person and activity can be traced to an individual. It is also essential to control who has access to your computers: interconnected mobile devices, tablets and laptops create easy access paths for threats. So turn on network encryption and encrypt data both when stored and when sent online. This reduces the risk of theft, destruction or tampering.
Cyber security should be one of the top priorities for every organisation. Nobody is safe from the threat of cyber crime: not large corporations, small businesses, start-ups, government agencies or even presidential candidates (Miller, 2017). Aside from losing valuable data and information you need to operate your business, you will lose time and money and most likely your composure. Even if you are not ransomed for the data’s return (which may never happen even if you pay up), threatened with its publication or sale on the dark web, or simply ‘outed’ as having been breached, you stand to lose a lot more: if customers do not have faith in your brand and their dealings with you, they simply will not buy. Cyber security must therefore be considered one of the cornerstones of a business today, especially for those that claim to be at the forefront of their field and main players in today’s rapidly advancing technological world.
Calder, A., 2020. Cyber Security: Essential Principles to Secure Your Organization. 1st ed. IT Governance Ltd.
DBIR, 2020. Data Breach Investigations Report. Verizon.
Gupta, C. P. & Goyal, K. K., 2020. Cybersecurity: A Self-Teaching Introduction. 1st ed. Mercury Learning & Information.
Jay, J. & L, R., 2019. Cybersecurity: Current Writings on Threats and Protection. 3rd ed. McFarland.
Miller, G., 2017. 60% of small companies that suffer a cyber attack are out of business within six months. The Denver Post.
Department for Digital, Culture, Media and Sport, 2021. Cyber Security Breaches Survey, 2021. [data collection]. UK Data Service. SN: 8825, DOI: 10.5255/UKDA-SN-8825-1
Leaf-IT. 10 ways of preventing cyber attacks: https://leaf-it.com/10-ways-prevent-cyber attacks/
Tessian. Must-Know Phishing Statistics: Updated 2022: https://www.tessian.com/blog/phishing-statistics-2020/
Killinga, 2022. 10 effective steps for preventing cyberattacks on your business. ITProPortal: https://www.itproportal.com/features/10-effective-steps-for-preventing-cyberattacks-on-your-business/
HubSpot, 2022. Information About HubSpot's March 18, 2022, Security Incident: https://www.hubspot.com/en-us/march-2022-security-incident