In an increasingly digital world, there are an escalating number of cyber security risks for business to address. Criminal hackers are adept at spotting weaknesses, while organisations do themselves no favours when they fail to adequately protect their systems.
IT Governance identified more than 1,200 publicly disclosed data breaches in 2021, while another report found that security incidents cost almost £3 million on average.
These figures are on the rise, demonstrating the increasing importance of effective cyber security. The key to preventing attacks is to understand how they happen. In this blog, we look at the top five cyber security risks that businesses face, and explain how you can prevent them.
1. Poor patch management
Patch management is an essential part of cyber security. A patch is an update to an application or a piece of software that fixes vulnerabilities and bugs.
When a new patch is released, organisations must apply it promptly. That’s because the vulnerability is then made public, giving cyber criminals the opportunity to exploit the weaknesses.
To ensure that patches are applied straight away, organisations typically create a patch management programme. This process ensures that the person responsible for managing the application or software is notified when a patch is released.
When creating a patch management programme, organisations should follow the best practices outlined in Cyber Essentials or ISO 27001.
Cyber Essentials is a UK government scheme that outlines five key controls, including patch management, that can prevent up to 80% of cyber attacks.
Meanwhile, ISO 27001 is the international standard that describes best practices for information security management. Annex A.12.6.1 of the Standard addresses technical vulnerabilities and patching.
Phishing is the most cost-effective and low-tech way to compromise sensitive data. It’s a type of fraud, and it begins with a malicious email that looks like a genuine message from a trusted organisation.
The emails lure people in – often claiming that the recipient has won a prize or that there is a problem with their account that needs to be addressed. The message then encourages them to follow a link and provide their personal details.
Although email systems are increasingly adept at spotting malicious emails, cyber criminals’ tactics continue to evolve. As such, bogus messages regularly make their way into people’s inboxes.
When that happens, organisations must rely on people’s ability to spot the signs of a phishing email.
Organisations can also protect employees’ accounts by implementing MFA (multi-factor authentication). This is a security mechanism that requires people to enter a second piece of information in addition to a password in order to log on.
Typically, that will be a one-time code that’s sent to their phone, but more advanced authentication systems require people to provide biometric details such as a fingerprint or retinal scan.
MFA authentication can also be used to protect organisations from the next risk on our list.
3. Weak passwords
For all the advancements that organisations have made to secure their systems, password practices remain a huge problem. Most accounts are protected only with a username and a password, and if a malicious actor can compromise those details, they can wreak havoc.
Passwords are usually compromised in one of two ways. The first are phishing scams (which we explain above) and the second are brute-force attacks, in which cyber criminals guess people’s passwords through trial and error.
Sometimes brute-force attacks occur when people use a password that’s related to their personal life, such as the football team they support or their child’s name.
Attackers can guess these details if they know the victim personally or if they’re able to find the information online (for example, by searching for them on a social media site).
Even if this information isn’t readily available, cyber criminals know that these sorts of personal details are among the most common passwords. As such, they can keep guessing popular names, football teams and other similar details.
Thanks to automated password-cracking machines, fraudsters can guess thousands of passwords each second. This guarantees that any login credential that isn’t obscure or complex can be breached in a matter of minutes.
Cyber security experts have traditionally advised people to create passwords that combine letters, numbers and special characters. However, this typically results in standard passwords with a string of characters at the end, which reduces the effectiveness of this advice.
More recent guidance suggests that passwords can be strengthened simply by making them longer. The more letters there are in a password, the more potential combinations there are.
A series of three unrelated words of at least six letters is more secure than one word alongside numbers and special characters.
Ransomware is the fastest-growing threat that organisations face. It’s a type of malware that encrypts files, preventing the victim from accessing their systems. The attackers then send a ransom note demanding money – typically to be paid in bitcoin – for the return of the information.
These types of attack have been hugely popular among cyber criminal gangs, because the malware is cheap to purchase, and can be easily planted on organisations’ systems through phishing emails and exploiting system vulnerabilities.
Another benefit for cyber criminals is how willing most victims are to meet the ransom demand. You can see the victims’ reasoning: they need access to their files to operate, and if they’re locked out of those files, a payment is the simplest way to get back to work.
However, experts urge organisations against this. As they explain, there is no guarantee that the attackers will keep their word and return the data once they have been paid.
Moreover, paying up only solves one part of the problem. The organisation still faces days – if not weeks – of disruption as it restores its systems, and it is still subject to its data breach notification requirements.
To mitigate the risk of ransomware, organisations must address both preventative and responsive measures. By implementing controls to protect against phishing and system vulnerabilities (using the advice that we’ve covered in this blog), organisations can mitigate the risk of a ransomware infection.
No defences are foolproof, though. It’s why organisations should regularly back up their sensitive information and store it on an external server. This ensures that, in the event of a ransomware attack, the organisation can restore its information without having to deal with criminal hackers.
Although ransomware is the most talked-about form of malware, there are plenty of other types that organisations must be aware of.
Malware comes in many forms and does different nefarious things. Some forms are relatively benign. Adware, for example, displays pop-up adverts on the victim’s computer, while bots drain the resources of the infected device to perform automated tasks.
By contrast, spyware monitors a user’s Internet activity and gathers inputted information, such as usernames and passwords. The person responsible for planting the malware can then sell this information on the dark web, resulting in the user’s accounts being compromised.
Likewise, viruses copy themselves and spread undetected through a device. They attach themselves to programs, files and scripts with the intention of stealing information. Again, the criminal hacker can use this information to sell on the dark web.
Organisations must implement antimalware software and run regular scans to prevent malicious software from infecting their systems. Malware often makes its way onto people’s devices through poisoned attachments. As such, employees should receive staff awareness training to help them understand the risk of downloading files from untrusted sources.
Fighting back against cyber crime
The risks we’ve listed in this blog are only the starting point for cyber criminals. They have plenty of tricks up their sleeves to outsmart organisations, and their techniques continue to evolve.
If you want to fully protect yourself against cyber security risks, you need expert support. That’s where IT Governance’s new service, Cyber Safeguard, can help.
With a combination of consultancy support, vulnerability scanning and staff awareness training, our experts will ensure that your organisation stays one step ahead of criminal hackers.
The service also comes with cyber insurance coverage of up to £500,000. Policies provide organisations with essential support that aren’t included in standard business insurance, including help with public relations, forensic investigations and legal advice.