Cybercrime is on the rise – and it’s not just big corporate operations that need worry. Particularly in the wake of the COVID-19 pandemic, small businesses need to up their protection against a new wave of clever hackers.
In March of 2021, Microsoft announced that several vulnerabilities in its Exchange Server allowed hackers to freely access email accounts, exfiltrate data, and install malware.
This sort of breach is called a ‘zero-day’ (or 0day) attack, a name that refers to the lack of lead-time to prepare it (because, at the time of the breach, the vulnerabilities the hackers exploit are unknown to the attendant cybersecurity team).
According to reports, at least 7,000 businesses were affected in the UK. But this 0day attack had a global impact. Some businesses, such as the computer giant Acer, were hit especially hard; its data was held to ransom for $50M (£38M).
But the hefty cost of cyber-attacks is not limited to big companies. Official statistics from the UK reveal that, last year, 4 out of every 10 businesses had been the victim of cybercrime during the previous 12 months.
There are new kinds of threats, and more of them than ever. But while this may seem a bleak picture, there are effective measures any business can take to protect itself.
We want to access business data from anywhere. But this desire has rendered traditional IT, perimeter security measures no longer as effective as businesses need them to be. Basically, as workforces have become more mobile, there has been a rise in cyberattacks against businesses.
Employees using apps and services not sanctioned by the company’s IT department – called ‘Shadow IT’ – is often to blame.
In fairness to employees, the most common reason they download unsanctioned applications is in a sincere effort to do their job productively. Common culprits of Shadow IT include free PDF-to-document converters, or downloadable jpeg image vectors. But while these online tools may offer a quick fix, they are also often laced with malware deep in the code, so employees unwittingly onboard a hacker.
But there are other new points of vulnerability, too.
Today, there are 14 billion connected devices, and that figure is projected to nearly double in the next five years.
Most of us would not think twice about our work phone connecting to our Bluetooth speaker. But even the most seemingly benign objects – like a coffee machine – are potential points of vulnerability when they connect to the internet.
"The sophistication of cybercrime is not in the individual. It's in the platform,” says Brett Johnson, a prolific hacker turned white-hat expert.
He suggests that ninety percent of all attacks use known exploits, like unsuspecting Bluetooth devices.
There are swathes of instructional how-to guides online. Cyber criminals understand the power of networking. If the data needed to carry out an attack isn’t instantly available, they will turn to forums to get what they need.
“You will never plug every single vulnerability that your company has. That's a fact,” adds Brett.
80% of IT organisations found IoT devices on their networks that they did not install, secure, or manage; there is an attempted hack on IoT devices an average of 5,200 times per-month.
Part of the problem is that this technology is still in its infancy. Without the bandwidth for encryption, most IoT devices are inherently insecure, and so cybercriminals use them to leapfrog into the real target. Without the right protection, something as innocent as connecting your work mobile to that new air purifier you bought could cost you.
It could cost you a lot.
Last year, the average cost of a data breach in the UK increased, from £2.98m to £3.59m. A considerable chunk of this cost comes from lost customers. In a typical data breach, 38% of the total figure (£1.21m) is down to fleeing patrons, a damaged reputation, and technical dysfunction.
Of course, these figures are small compared to what IBM calls a ‘mega-breach’. When between 50-65 million records are tapped into, the average price tag costs a huge £306m.
"If you’re deploying ransomware, it typically means some sort of social engineering attack," Johnson explains. According to him, from a black-hat perspective, it is surprisingly easy to break into many organisations online.
“Why would I try to brute force my way past an industrially approved firewall, if the only thing I need to do is send an email to someone sitting behind that firewall?”
The hefty expense of security breaches is also the result of lost time and resources. When a cyberattack happens, especially on a large network, rooting out the malware takes months.
According to IBM, the average number of days elapsed before a data breach is contained is 287. To put that in perspective, if your business fell victim to a cyber-attack on the 1st of January, then it would not be contained until the 14th of October.
This timespan can increase when employees work from home. The same IBM report found that businesses with more than half of their workforce remote took 58 days longer to identify and contain breaches than those with most employees in the office.
So, the takeaway here is that no matter the size or nature of your company, the possibility of a cyberattack is high, and so are the consequences. The value of the data you hold is just as important as your local gardening company or e-commerce start-up.
Investing in devices with zero-trust security and regularly updating them against the latest threats is vital to protect your business from mobile malware and data theft.
Choosing devices and systems that are easy for employees to use is also essential to clear confusion and eliminate the need for people to download external server add-ons.
With these precautions in place, devices with built-in security can help with protecting systems and company assets from cybercriminals.
Available Monday to Friday, 8am-6pm, our friendly team are here to provide guidance and support on the topics that matter to your business.