Since the early days of the pandemic, experts warned that cyber criminals would thrive on new vulnerabilities and unfamiliar working conditions. However, few would have expected just how severe the threat would be.
A Software Advice report has found that 62% of UK-based SMEs experienced an increase in cyber threats in the last two years.
Cyber attackers were most likely to target organisations with phishing emails, with 57% of incidents involving scam messages. Malware was another common threat and was found in 54% of cyber attacks.
It’s not just how cyber attacks occur that should be cause for concern, though. The report also contains worrying findings about what organisations are doing – or, rather, not doing – to prevent attacks.
According to the study, 48% of executive managers said that employees had received no cyber security training in the last two years. Meanwhile, 32% said they didn’t have a cyber security programme within their organisation and only half of organisations have a formal cyber security incident response plan.
Studies have repeatedly shown that the faster an organisation can respond to a breach, the smaller the costs will be.
Incident response plans are essential in this regard, as they provide a plan of action for when organisations suffer a disruptive incident – whether that’s a cyber attack, a loss of power or another disturbance.
According to IBM’s Cost of a Data Breach Report 2021, the key timeframe for incident response is 200 days. Organisations that can identify and contain an incident within this time frame reduce their cost by $1.26 million (about £940,000).
Without a plan, business leaders will spend crucial time deciding what steps are necessary and how to execute them. But with a plan, you already know the steps required to contain the damage and the instructions to be given to relevant employees.
The threat within your organisation
An extraordinary number of respondents admitted that their staff have too much access to company data.
One in four respondents said that employees can view information that isn’t necessary to perform their job, indicating that the organisation’s access controls aren’t tailored to specific job roles.
Meanwhile, 23% said that they have no access controls at all, meaning employees can view all corporate data – from intellectual property to financial records.
Despite this, 61% of managers said that they are worried about their organisation’s ability to protect customer data. This suggests either that senior decision-makers are unwilling to invest in stronger defences or that they don’t recognise that the absence of access controls is itself undermining their security.
There are two ways that access controls can protect an organisation. First, they mitigate the risk when an attacker compromises an employee’s account, which is most likely to happen through a phishing attack.
With access controls in place, the attacker will only be able to view information that’s relevant to that employee’s job role. Data will still be compromised, but you greatly reduce the risk of an attacker accessing highly sensitive information.
Access controls also protect organisations from insider threats, whether that’s someone in your organisation acting negligently or maliciously.
Without restrictions, any data breach – from an employee losing their laptop to a developer accidentally deleting a database – could have catastrophic consequences. Likewise, any current or former employee who holds a grudge against the organisation could cause havoc by sabotaging systems.
It’s impossible to prevent employees from making mistakes or going rogue, but you can limit the damage. This is the most you can expect of organisations in an era where the threat of cyber crime is omnipresent and data breaches make headline news.
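To make the argument above concrete, here is an added illustration (not code from the Software Advice report or from IT Governance) that models the two situations the report describes: an organisation with no access controls, where every role can read every record, and one whose permissions are tailored to job roles. It then computes what an attacker holding one employee’s credentials, for example after a successful phishing email, could view under each policy. All role, record and data-class names are constructed for the example.

```python
"""Least-privilege access controls as a blast-radius limiter.

Added example, not part of the original article or the report it
discusses. Roles, records and data classes below are constructed.
"""
from dataclasses import dataclass

# Constructed sample records an SME might hold, mapped to the data
# classes the article mentions (customer data, financial records, IP).
RECORDS = {
    "customer_contacts": "customer data",
    "customer_payments": "customer data",
    "payroll": "financial records",
    "ledger": "financial records",
    "product_designs": "intellectual property",
    "marketing_plan": "internal",
}


@dataclass(frozen=True)
class Policy:
    """Role-to-record grants. Anything not listed is denied by default."""
    name: str
    grants: dict  # role -> frozenset of record names the role may read


# The "no access controls at all" case: every role sees every record.
NO_CONTROLS = Policy(
    "no controls",
    {role: frozenset(RECORDS) for role in ("sales", "finance", "engineering")},
)

# Controls tailored to job roles: each role sees only what its job needs.
ROLE_TAILORED = Policy(
    "role-tailored",
    {
        "sales": frozenset({"customer_contacts", "marketing_plan"}),
        "finance": frozenset({"customer_payments", "payroll", "ledger"}),
        "engineering": frozenset({"product_designs"}),
    },
)


def can_read(policy, role, record):
    """Deny-by-default check: unknown roles and unlisted records return False."""
    return record in policy.grants.get(role, frozenset())


def exposed_if_compromised(policy, role):
    """Data classes an attacker holding this role's credentials could view."""
    return {RECORDS[r] for r in RECORDS if can_read(policy, role, r)}


def overprivileged_records(policy, role, needed):
    """Records a role can read but does not need for its job.

    A non-empty result is the 'one in four' finding from the report:
    access that is not tailored to the role.
    """
    return set(policy.grants.get(role, frozenset())) - set(needed)


if __name__ == "__main__":
    # Walk through the phishing scenario for a compromised sales account.
    for policy in (NO_CONTROLS, ROLE_TAILORED):
        exposed = sorted(exposed_if_compromised(policy, "sales"))
        print(f"{policy.name:>13}: compromised sales account exposes {exposed}")
    extra = overprivileged_records(NO_CONTROLS, "engineering", {"product_designs"})
    print(f"engineering over-privilege under 'no controls': {sorted(extra)}")
```

The useful check for a defender is `overprivileged_records`: run it for each role against the records that role genuinely needs, and any non-empty result is access to remove. Deny-by-default in `can_read` is deliberate, so that a role added later starts with nothing rather than everything.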
Why aren’t organisations doing more to protect themselves?
The biggest barrier to more comprehensive protection is money, with 38% of respondents saying they didn’t have the budget to address cyber security. A related issue is the lack of skilled IT personnel, with 33% of organisations citing this as a problem.
Commenting on these findings, Software Advice’s content analyst Sukanya Awasthi said: “As many small businesses don’t have the resources to invest in [cyber security], they become an easy target for a [cyber attack]. Additionally, as technology evolves and hackers develop new ways to infiltrate into company systems, small businesses are the most at threat.”
She adds that, whereas cyber criminals are willing to invest in new tools, organisations have been reluctant.
However, the weaknesses addressed in the report aren’t high-tech, complex solutions. Access controls, for example, are an inexpensive and common practice for protecting sensitive information.
Meanwhile, other defences are simply a matter of education and effective management. Password security, another issue that respondents said they struggled with, can be addressed with staff awareness and password managers, such as 1Password and LastPass.
Cyber threats in 2022
Although the pandemic, which one hopes will subside this year, has contributed to an increase in cyber threats, there’s no reason to expect a significant drop-off in 2022. Criminal hackers will be emboldened by their recent efforts and have the resources to invest in increasingly sophisticated attacks.
We expect phishing to remain a major threat, along with malware. A particular kind of malware, ransomware, exploded in popularity in 2021, accounting for 32% of all publicly disclosed data breaches.
And with many employees in the UK soon returning to the office on a part- or full-time basis, organisations must consider the risks this introduces. Have employees been warned about the possibility of data breaches when taking laptops and sensitive information into and out of the office? Have you considered the ways scammers might take advantage of the situation?
Now is the time to review your priorities, and decide what changes are necessary to ensure that you function safely through 2022 and beyond.
If you’re looking for advice on how to do that, IT Governance is here to help. We have a range of solutions, including staff awareness e-learning courses, documentation toolkits, security testing solutions and consultancy packages.
We also have a selection of free resources to help you understand the threats facing you and tools you can use to protect yourself.