There is one question that everyone is guaranteed
to get right – are cyberattacks on the increase?
In this blog, we will review some of the more significant cyberattacks over the last
year and look for any emerging trends in terms of cybercrime targets, as well as
the type of attacks. First, let’s make sure we’re all on the same page.
Cybercrime is an ‘umbrella’ term for lots of different types of crimes, which either take place online
or where technology is a means and/or target for the attack. One thing is for sure: the overall costs
of cybercrime continue to grow year on year.
The global cost is already £1 trillion (that’s a lot of noughts) and is expected to exceed £5 trillion by 2021,
according to the Official 2019 Annual Cybercrime Report by Cybersecurity Ventures.
One worrying trend we are seeing is cybercriminals’ increasing focus on small and medium-sized
enterprises (SMEs), as they look to identify and expose vulnerabilities. Hiscox, the insurance company,
has revealed a sharp increase in reported cyberattacks among small (from 33% to 47%) and
medium-sized businesses (36% to 63%) across Europe.
Numerous reports indicate that SMEs’ preparedness for cyberattack leaves a lot to be desired. There
are a number of possible reasons for this: SMEs operate on finer margins and so are less likely to have
robust security practices, a range of security personnel and training budgets.
Attacks against healthcare, government, transportation and education also continue to rise with more
and more sophisticated attacks. Over 80% of surveyed healthcare organisations said they’ve seen an
increase in cyberattacks over the past year and it is reported that Lancaster and York Universities
suffered data hacks this quarter.
So, with that background in mind, let’s have a closer look at some of the
cyber-related threats affecting businesses.
According to cyber insurance companies and law enforcement, the current front runner is business
email compromise (BEC). This is a type of scam targeting companies who typically conduct wire transfers
and have suppliers abroad, and where attackers rely heavily on social engineering tactics to trick
unsuspecting employees and executives.
Email messages typically contain words such as request, payment, transfer and urgent. There are
a number of variants, including Bogus Invoice Scheme (attackers impersonate suppliers and request
fraudulent fund transfers), CEO Fraud (attackers pose as the CEO or another executive and ask employees
in Finance to transfer money to an account they control), Account Compromise (an executive’s
or employee’s email account is hacked and used to request that payments be made to fraudulent bank
accounts), Lawyer Impersonation (bogus requests are made, typically through email or phone) and
Data Theft (HR or Finance employees are targeted to obtain personally identifiable information (PII)
or tax statements of employees and executives, which can be used in future attacks).
To put the size and significance of BEC into context, in a recent attack, the University of San Diego’s
Finance Department was duped into redirecting a $750,000 payment for Dell computer equipment
and services to a criminal’s bank account in Minnesota.
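To show how the BEC trigger words and the CEO Fraud pattern described above can feed a mail-triage rule, here is an added example (not from the original blog or from any product). The corporate domain, executive names, score weights and sample messages are all assumptions made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation's mail domain and the
# executives whose names are commonly impersonated (hypothetical values).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "sam patel"}
# Trigger words listed in the article.
BEC_WORDS = {"request", "payment", "transfer", "urgent"}

def score_message(raw):
    """Return (score, reasons) for one RFC 5322 message given as text."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""  # multipart skipped
    text = (msg.get("Subject", "") + " " + body).lower()
    reasons = []
    hits = sorted(BEC_WORDS & set(re.findall(r"[a-z]+", text)))
    if hits:
        reasons.append("keywords: " + ", ".join(hits))
    score = len(hits)  # one point per distinct trigger word
    if domain != CORPORATE_DOMAIN and name.strip().lower() in EXECUTIVES:
        # CEO Fraud pattern: executive's display name on an outside address.
        reasons.append("executive display name on external domain " + domain)
        score += 3
    return score, reasons

def triage(raw, threshold=4):
    """True when the message should be held for out-of-band verification."""
    return score_message(raw)[0] >= threshold

# Constructed sample messages, not real mail.
SPOOFED = """From: Jane Doe <jane.doe@examp1e-mail.test>
To: finance@example.com
Subject: Urgent payment request

Please transfer the funds today and confirm once done.
"""
ROUTINE = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Board meeting agenda

Agenda attached for Thursday. No payment items this month.
"""
```

A held message is a prompt to confirm the request through a known phone number or in person before Finance moves any money; keyword scoring on its own will miss Account Compromise, where the mail really does come from the executive’s mailbox.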
Not all cyber threats are new; some are re-emerging ones, such as ransomware. Despite talk of a
decline in ransomware attacks, they are still hitting the headlines and certainly aren’t to be
ignored. On 25 July 2019, ransomware attacks prompted Louisiana to declare a state of
emergency, while another ransomware attack on the same day crippled a South African power
company’s entire network.
Microsoft’s remote access system, Remote Desktop Protocol (RDP), remains the most common
threat vector. Even after seeing attacks cause havoc across the world, many organisations have still
not secured the RDP and, once it is compromised, attackers have complete control over servers and
Most recently, on 14 May, Microsoft issued a warning about the BlueKeep vulnerability affecting RDP.
In fact, ‘RDP shops’ are readily available on the dark web where criminals can purchase access to
vulnerable systems for as little as £3.
Another area of concern which has been around for a while and is increasing in prevalence is the
focus of criminals on the theft of personal information, which is used for identity theft or extortion.
Credentials, children’s data, social security information, passport details, medical records
are all targeted.
Where does all this leave us? What are the ‘musts’ we should be
doing to combat these emerging threats?
Number one, as ever, is training – all users and regularly. Only with regular training sessions
can we hope to keep up with ever-evolving threats. Stats support this too. With the phishing
threat, for example, research has shown that where organisations ran between 1 and 5
campaigns, there was a 33% phishing click-through rate.
However, this rate dropped to 28% with 6 to 8 campaigns and dropped to 13% with 11 plus
campaigns. The more training, the better – reinforcement is the key!
Passwords too are crucial. We need to move away from simple, straightforward passwords
and help our users to do so. With today’s sophisticated attacks we have to enforce both
password length and complexity.
Wherever possible, organisations should implement two-factor or multifactor authentication (2FA / MFA).
Staying on top of patch management is an absolute ‘must-do’ too; updating everything at the earliest
possible opportunity. And whenever you implement a new solution, yes, you’ve guessed it, train
and test your staff!