One in three businesses was a victim of an attack or breach in the past 12 months, according to the government’s Cyber Security Breaches Survey 2019 which also reveals that attacks are becoming more costly and targeted.
However while around three in four businesses say cybersecurity is now a high priority for senior management, there is still a lot of confusion about what ‘cyber threats’ actually are.
Jon Abbott of ThreatAware outlines the key threats and what businesses can do to avoid becoming a victim:
Phishing
One of the oldest tricks in the book but one that is still successful, phishing is on the rise because it preys on human vulnerability. Typically these attacks involve malicious emails set up to trick the victim into either downloading malware or divulging data. The sender poses as a trusted source such as a colleague or supplier.
Phishing attacks have been behind some high-profile incidents. The hacks on Hillary Clinton’s 2016 presidential campaign were a type known as ‘spear phishing’. Campaign workers received emails supposedly from colleagues and containing links to a document named ‘hillary-clinton-favorable-rating.xlsx’. Staffers who opened it were directed to a site that stole their personal data.
‘Whaling’ is similar but instead of a colleague, the email appears to be from a senior figure like the CFO, usually with a request to make a payment or change payment details. Recently, a hacker group known as London Blue compiled a list of 35,000 CFOs and 50,000 targets, mainly their subordinates in accounting departments.
Staff training is the most effective way to prevent such attacks. The National Cyber Security Centre (NCSC) also recommends that recipients scrutinise the email address and check the spelling, as scammers often do not have a good command of English. Be cautious if it doesn’t address you by name but uses terms like ‘friend’ or ‘valued customer’, and pressurises you to act urgently.
Man in the middle attacks
With this scam, attackers plant themselves between two other parties – either by putting themselves between your device and an unsecured public WiFi; or, where your device has been breached through malware, by installing software to steal your data.
Man in the middle attacks can combine elements of phishing. So scammers can break into a CFO’s mailbox, intercept his or her emails, wait for a payment request to go out then send a message asking for achange in payment details.
Again, the key is prevention. Educate employees on the dangers of using unsecured WiFi. A virtual private network which encrypts and secures confidential data over links like WiFi could be one solution. Two-factor authentication, which for example requires a code sent to your phone in addition to a password, offers added protection.
SQL injection attacks (SQLi)
First uncovered in 1998, these attacks exploit Structured Query Language (SQL), which is used in database systems like Microsoft SQL Server. The attacker inserts malicious code into a server and forces it to reveal data. Sometimes this can be very easy to do but the impact can be severe.
Hackers used this method to access the information of millions of Sony’s customers in 2011, while LinkedIn lost 6.5 million passwords through an SQLi attack. The most effective solution is a technique called whitelisting, which involves checking each piece of user input against a list of permitted characters and limiting what they can search for.
Cross-site scripting (XSS)
Cross-site scripting is a type of vulnerability found in web applications and the plug-ins on which they rely. These attacks allow attackers to impersonate users, perform actions on behalf of them, and gain access to their sensitive data. The most infamous example is still Samy, which propagated across MySpace in 2005, affecting over a million users.
At its source, XSS can only be stopped by the website developers, but businesses can be proactive, run regular penetration testing to seek out weaknesses and patch them immediately.
Malware
Malware is software with malicious intentions. These programs can delete files, spy on users, and open the door for other malwares. Trojan horses, viruses and spyware are different types of malware, then there’s ransomware which blocks access to a computer system until a sum of money is paid.
Be careful what attachments you open, stay away from suspicious websites and ensure you have anti-virus software installed.
Denial-of-service (DoS)
A DoS attack is a brute force, targeted attack aimed at taking a website offline. Attackers might try to flood a network (which is known as a DDoS attack) or target a specific individual or device. There are various ways your IT team can protect against such attacks – by distributing servers geographically, using firewalls and DDoS-specific security or taking your servers into the cloud.
Whatever the type of attack, effective cybersecurity is built on three pillars: people, processes and technology. You can invest in the right tech, you can set up the correct processes – but, in our experience, it’s often the people side that’s neglected by businesses.
Nowadays more attacks result from human error than technology failures, so staff training is all-important. Companies need to build a ‘security culture’ and that starts at the top. The more you educate yourself and your staff about the risks, the better equipped you are to deal with them.
Jon Abbott is the CEO of ThreatAware, a new software platform which allows directors and IT managers to monitor the whole of their cybersecurity for the first time.
