As 2019 approaches, so too does an ever-evolving melee of cyber threats that could prove costly to business owners. In partnership with leading cyber insurer Hiscox, we look at some of the more prominent threats you can expect in the next year, and what protective measures you can take.
While business executives grapple with uncertainty over Brexit and the economy, there is also another looming threat - cybercriminals.
Cyber-attacks on UK businesses are becoming more frequent and increasingly costly. Companies now have an almost 50% chance of being attacked and the average cost of an attack for a company with over 250 employees jumped by over a staggering 500% between 2017 and 2018, according to the Hiscox Cyber Readiness Report 2018.
These are some of the threats that businesses should be prepared for in 2019:
Cybercriminals hacking into businesses’ email accounts or setting up fake accounts that look authentic has been the fastest-growing cyber-crime. This year, we’ve seen a big jump in the number of cases from clients who have had their business email compromised. This is not a surprise, as it’s such a lucrative scam which has estimated to have netted criminals over $5 billion between 2014 and 2017.
Cybercriminals send fake emails from a senior manager’s account to an employee instructing them to make a payment into a sham bank account. Or, they message clients and business partners telling them to pay money into an account they’re not familiar with.
A notorious piece of malware, called Emotet, has recently resurfaced in a much more sophisticated form. It was originally designed to steal victims’ email address books and download other malware onto their systems. But now it has been modified so it can copy the contents of your inbox from the previous six months.
What makes Emotet so dangerous is that it can evade most antivirus software and disable some programs’ security tools. Hackers can also use it to steal whole emails, rather than just email addresses. Affected companies are required to notify the Information Commissioner’s Office of the data breach under the new General Data Protection Regulation (GDPR). This could trigger an investigation and mean they need to inform affected clients – both of which can be complicated and costly.
It also means that hackers may use the stolen information to create even more convincing phishing emails. People have become much more aware of the danger of inadvertently clicking on links in fake emails, but they may be tricked into it if the message contains personal details that make them think the email is authentic.
Emotet shows just how sophisticated phishing attacks can be. They have come a very long way in the last few years. Now, scam emails look so much like the real thing that even experts have a hard time spotting them.
Phishing remains cybercriminals’ favoured method of attack because it’s such a cheap and effective way of reaching lots of targets. One billion Gmail account holders were targeted in a recent phishing attack. If only a fraction of these people fell for the scam, then that would still equal hundreds of thousands of victims.
Duping people into clicking on a link enables cybercriminals to deliver a wide range of malware onto victims’ systems, including the new threats of cryptojacking.
To protect your business from phishing attacks, the National Cyber Security Centre recommends a combination of good security and staff training to counter the phishing threat.
Tagging all the emails you receive from people outside the company with an identifier in the subject line, such as ‘External’, makes it easier to spot fake or potentially harmful emails.
Using two-factor authentication makes it much harder for hackers to break into your systems because even if they have stolen employees’ passwords, adding a second layer of protection will render these ineffective.
Your employees are your first line of defence, so it’s important to train them to be able to spot phishing emails. You should encourage a culture in which they feel they can question a senior manager, important client or key business partner if they feel something isn’t right.
It’s also important to create robust procedures on verifying and signing off new payments and money transfers to reduce the potential for fraud.
Supply chain compromises
Emotet’s resurgence shows how you need to be wary of clicking on any email, even those from trusted business partners. Cybercriminals are now looking to launch attacks against companies by exploiting vulnerabilities in their suppliers’ IT systems.
The growth in ‘managed service providers’ (MSPs), offering outsourced business operations, has also provided cybercriminals with a chance to access companies’ secure systems via a backdoor – their private network connections with their service provider.
In 2017, Chinese hackers were accused of compromising a number of global MSPs, while several legitimate software providers have also been targeted.
The hackers exploited weaknesses in their suppliers’ systems to launch ‘formjacking’ attacks on British Airways and Ticketmaster, in which hundreds of thousands of customers’ payment card details were stolen, according to Symantec. The cyber security firm reported a steep increase in the number of attempted attacks of this kind in August and September 2018. Hackers try to inject malicious code onto websites to steal payment card data and customers’ personal details from online payment forms. Any company processing online payments is a potential formjacking target.
Another growing threat is cryptojacking, the act of attackers secretly installing software onto victims’ computers to use their spare processing power to mine cryptocurrency. Cryptojacking malware can be downloaded through phishing emails or bogus websites, although coinmining code has also been added to legitimate sites. Most victims will not know anything is wrong other than their computers are working more slowly or their electricity bills suddenly increase.
The explosion in the value of cryptocurrencies – a £100 investment in Bitcoin in 2010 would be worth more than £12.5 million today – has made illegal coinmining a highly lucrative, and relatively easy con for criminal gangs. Symantec blocked more than 8 million attacks in December 2017 alone – this is an unbelievable 34,000% rise on the start of the year. If the cryptocurrency boom continues, cryptojacking could soon overtake ransomware.
Another potential weakness that cybercriminals are increasingly likely to exploit in future is the cloud. UK businesses are among its most enthusiastic adopters. Around nine in ten companies use at least one cloud-based service. But many firms are turning a blind eye to cloud security - less than half of all data presently stored in the cloud is accessed securely.
It is a tempting target for hackers, who will “take advantage of the fact that many businesses put too much faith in the cloud providers and don’t stipulate how and where their data is stored,” say the National Cyber Security Centre and the National Crime Agency. “This could lead to high profile breaches,” they warn.
The cyber threat is constantly changing. That’s why it’s important for businesses to combine good cyber risk management practices alongside cyber insurance that is flexible enough to protect your business against future threats, whatever they may be.
Help protect your business against data breaches, viruses and other attacks from hackers. Hiscox can help minimise any loss and possible damage to your business and its reputation, IoD members receive a 5% lifetime discount on policies.
0800 280 0354
Find out more