Getting cyber security right

February 2018

Cyber criminal depictionGavin Russell, CEO, Wavex, posits the view that organisations need to be more proactive in the field of cyber-security if they are to protect themselves from the growing number of cyber threats.

Cyber-attacks have become unavoidable. A 2017 report1 conducted by the UK Government found that just under half (46 per cent) of all UK businesses detected at least one cyber-attack of some sort within the last 12 months - a figure which rises to two-thirds among medium firms (66 per cent) and 68 per cent among large-sized firms.

Even more worryingly, the report found that of these businesses that detected an attack, 37 per cent said they experienced breaches on a monthly basis, while well over one in 10 (13 per cent) said that they were suffering from attacks every single day.

Not only are these attacks becoming a more persistent threat to businesses, but there’s also an increased awareness of them among the general public. Almost every day we read stories in newspapers and on websites about companies that have suffered serious consequences for not taking cyber security seriously enough.

In April of last year, the payday loan company Wonga was subjected to a significant online data breach2 that saw the personal information of around 270,000 customers compromised. Immediately after the attack, the brand’s ‘buzz score’3 (a measurement used to determine the general public perception of brands) fell from minus 13 - a less than desirable score to begin with - to minus 24, its lowest score in years.

This indicates a serious dent in its reputation, and that’s before you even start to consider what becomes of all the personal customer data that is now out of their control.

There’s a reason why - despite the widespread awareness around cyber security - cyber attacks are still so effective: as businesses improve their security measures, hackers continue to stay one step ahead. Attacks are always increasing their sophistication, and there are now dozens of different ways that hackers can attempt to get their hands on the data they desire.

One of the most popular tactics used by online criminals is what’s known as ‘malware’, which also covers the likes of viruses and ransomware. Malware is essentially a malicious link or item that might appear in the form of a curious-looking pop-up screen in your internet browser or an attachment within your emails, and is designed to mislead the user into thinking it is genuine. Once the user is fooled and clicks on the malicious item in question, the hacker has successfully gained access to the IT system and is able to wreak havoc in any way they see fit.

Another popular method is a ‘distributed denial of service (DDoS) attack’, which involves flooding a server with so much website traffic that it is no longer able to cope and crashes under the strain. Once a DDoS attack has taken place, users will no longer be able to access the affected websites until the issue has been resolved.

Although this method doesn’t enable hackers to access any internal IT systems, it still has serious consequences for the victim in terms of lost revenue and website traffic, and is also commonly used as a tactic to distract businesses while a more serious attack takes place.

Then there’s a ‘password attack’, which is as self-explanatory as it sounds. While the first two methods lean towards the more technical end of the cyber-attack spectrum, a password attack simply involves a hacker trying to gain access to a system or platform by cracking a user’s password.

While there is software that hackers use to try and successfully crack passwords, it is often the case that these passwords are accidentally exposed online and then leaked across the internet (such as the above Wonga case, for instance), which gives criminals free rein to do as they wish.

This might involve stealing and leaking personal data, planting malicious lines of code or software inside the system or changing the log-in credentials so that regular users are no longer able to gain access.

This is to name but a few of the different cyber-attack methods that keep IT managers awake at night. The threat is immense, and while the fight to eliminate it entirely is futile, there are measures that businesses can take to ensure that they remain sufficiently protected at all times.

However, before these measures are put in place, it is imperative that businesses adopt a proactive approach towards cyber security. It wasn’t too long ago that many could afford to sit back and wait for an attack to present itself before considering how to deal with it, but that simply isn’t possible now: the threat is too great and the consequences too severe.

Instead, all businesses - no matter their size or sector - need to transition from an ‘if’ to a ‘when’ mindset, which involves proper preparation and comprehensive planning for all potential scenarios.

Reassuringly, we are already seeing a notable change in attitude. The same 2017 government report found that almost three-quarters of UK businesses consider cyber security to be a very high priority for their senior management teams, and three in five (58 per cent) have already sought information, advice or guidance from IT experts regarding the specific threats they face.

One of the most effective ways for businesses to implement this proactive approach into their day-to-day operations is through a cyber security strategy - a comprehensive set of best practices that covers every eventuality and is distributed to all employees across the company, raising awareness of the issue and the correct steps that should be followed in the event of an attack.

However, for these strategies to be truly beneficial, each one needs to be specifically tailored to the nature and needs of the business it intends to protect; simply taking someone else’s strategy and swapping the names around will not yield any positive results. Instead, businesses need to ask themselves several questions.

Firstly, does it have employees that are regularly working outside of the office, and if so, what security risks might this present?

Secondly, what back-up processes are in place and how could they be improved?

Thirdly, how often is the business asking employees to change their passwords to prevent password attacks? There are obviously many more areas that should be covered as part of a full cyber security strategy, but answering these three questions alone could help to significantly strengthen existing defences.

Even for those who are fully aware of the cyber threat and ready to put together a cyber security strategy, it can often be an intimidating process to get started with, either due to the sheer scale of the task or because of a lack of IT knowledge. As a result, many turn to specialist IT providers for guidance and advice on the specific types of attack they should be looking out for and how they can most effectively mitigate the associated risks. By working with the right IT provider, businesses can also benefit from an increased agility in responding to any attacks.

Certain IT providers can also help businesses in keeping all their IT-related data in one safe and secure location. This means that instead of rooting through numerous folders and picking up separate data files along the way, the relevant individuals can find everything they need as quickly as possible, which could prove to be the difference between staying protected and falling prey to a fatal attack.

As the cyber threat continues to grow and catch unsuspecting businesses by surprise, there’s never been a better time to start strengthening your defences than now. While the threat can’t be put to bed entirely, there are numerous ways of effectively fighting back and showing hackers who’s really in control.