Cyber risk is much more than just hacking. It involves internal and external risks, product risk, third-party risk and aggregate risk, such as service provider and supplier failure, human error, software obsolescence, and upstream internet and network interruptions.
The scale and sophistication of cyber crime continue to grow, and SMEs are a prime target for highly organised criminal gangs because they are seen as having fewer resources and less technically aware employees than larger enterprises.
The cyber risk ecosystem is complex and involves many players and aspects. Organisations of all sizes have been or will be affected by cyber risks, and whilst this threat is well publicised, it is not always well understood. All businesses are connected to the internet: emailing customers, searching the web or paying suppliers are just some of the ways businesses interact online.
According to the latest Cyber Security Breaches Survey, a quantitative-qualitative survey carried out by the UK Department for Digital, Culture, Media & Sport, 32% of businesses have faced breaches or attacks in the last 12 months.
The most common types are:
- phishing attacks (80%)
- others impersonating an organisation in emails or online (28%)
- viruses, spyware or malware, including ransomware attacks (27%).
Other interesting resources and official statistics on cyber security can be found on the Gov.uk website.
Below is a list of widespread or emerging types of cyber risk:
Nowadays, it is very common for us to connect our devices (tablets, smartphones, PCs) to public Wi-Fi hotspots in bars, on public transport, at airports, etc. However, data sent through public Wi-Fi networks can easily be intercepted, putting the security of your data at risk, as well as your digital identity and money. What’s more, if there is no security or anti-malware software on your devices or computer, the risks are even higher. This is social engineering that starts at home or in public areas, but which people bring into the workplace.
System Failure and Networks
Use of the internet and connections by businesses, their employees, suppliers and customers increases the potential targets open to cyber risk, such as the manipulation of IT systems, cyber attacks on company websites, etc. To avoid IT system failure and protect communications networks, it is important to have good cyber security management, with regular updates of IT networks and computers, downloading the latest operating system releases and installing software patches. If these good housekeeping practices are ignored, they might expose your organisation to a security risk or potential cyber attack.
Data breaches refer to security incidents where sensitive, protected or confidential data are accessed, copied, transmitted, stolen or used by unauthorised parties. Incidents are increasing in most countries, and the size and cost of successful breaches are increasing too. In most cases, data breaches occur for 2 main reasons:
1. Data breaches due to employee negligence (e.g. sending data to the wrong person)
2. Data breaches organised by hackers who exploit vulnerabilities or carry out other hacking activities.
Attackers often target individuals responsible for sending payments and requesting money transfers, tax records and/or other sensitive data (e.g. passwords).
Other attacks focus on the content of the recipient’s inbox, harvesting client and employee information, including personal data. They may also target confidential corporate information, motivated by monetary gain. Very often human error and behaviour are a significant driver of data breaches; for example, it is still very common for employees to use weak passwords or the same password across multiple applications.
Malware and Malicious Software
Malware that can replicate and spread through communications networks has been one of the longest-standing cyber threats. Recent events have shown that malware remains a powerful trigger for data and financial loss. Recent widespread cases like WannaCry and NotPetya showed that contagious malware is able to scale and to cause systemic loss to thousands of companies.
Cloud computing is being adopted increasingly rapidly. The failure of a cloud service provider, while very unlikely, represents a potential cyber vulnerability. Failures of individual services or availability regions have the potential to cause losses to thousands of users.
Distributed Denial of Service (DDoS)
Distributed Denial of Service attacks continue to be a major component in the cyber risk landscape. According to a recent survey, a third of all organisations have reportedly experienced DDoS attacks, twice as many as a year ago. This growing probability of attack is likely to continue across sectors, geographies, and activity areas as attackers’ techniques evolve and as they seek out new targets.
Through phishing activities, hackers try to acquire sensitive information such as usernames, passwords, and credit card details directly from users. Phishing is typically carried out by email spoofing or instant messaging, and often misleads users to enter details on a fake website which looks very similar to the legitimate one.
Commonly, the fake website requests personal information, such as login details or passwords. This information can then be used to access the individual's account on the real website. By leveraging a victim's trust, phishing can be classified as a form of social engineering.
Many organisations are reporting a growing volume of ransomware attacks and sophisticated phishing scams using coronavirus references as bait to induce employees to click on email links or attachments infected with malware. The World Health Organisation has warned that criminals may be sending phishing emails that appear to be from the WHO and which ask recipients to give sensitive information such as usernames or passwords, or to click on malware-installing links or attachments. Cyber criminals have also been using the name of the US Centers for Disease Control and Prevention and aping domain names in phishing emails similar to those flagged by the WHO.
Organisations must be vigilant and in this challenging environment adopt a heightened state of cybersecurity and robust data management processes.
Smishing stands for SMS Phishing. Like phishing, an urgent message is sent to the user asking for something specific. The text message usually asks the user to call a telephone number or go to a website to perform an immediate action. The telephone number often answers through an automated response system. The user is asked to provide personal information such as passwords or credit card information.
Ransomware is becoming increasingly targeted and disruptive, affecting business interruption costs. Ransomware is a subset of malware where the data on a victim's computer is locked, typically by encryption, and payment is demanded before the ransomed data is decrypted and access is returned to the victim. Payment is often demanded in a virtual currency, such as Bitcoin, so that the cybercriminal's identity remains unknown.
Ransomware malware can be spread through malicious email attachments, infected software apps, infected external storage devices and compromised websites.
Citing a well-known targeted attack, a Norwegian aluminium smelting giant fell victim to a difficult-to-detect strain of ransomware known as “LockerGoga”, through which cyber criminals gained access to the company’s networks. The company was forced to stop production at many plants across Europe, causing severe business interruption losses. The decision about whether or not to pay a ransom or extortion demand continues to be influenced by how well an organisation has backed up its data, and by the potential business interruption that may result.
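The passage above describes ransomware as malware that locks a victim's files by encryption. One practical detection signal for that behaviour is a single process renaming many files to a new extension in a short burst, often followed by a ransom-note file. The script below is an added example written for this page; it is not code from CRIF, KYND, or any vendor, and it does not describe LockerGoga specifically. The log format, process names, the `.locked` extension and the sample lines are all constructed for illustration; real EDR or audit logs will differ.

```python
"""Spot mass-encryption behaviour in file-activity logs.

Added example for the ransomware passage on this page; not code from CRIF,
KYND or any vendor. The log format, process names and sample lines are
constructed for illustration.
"""
import os
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts process pid action src dst")

LINE = re.compile(r"^(\S+) (\S+) (\d+) (WRITE|CREATE|RENAME) (.+)$")
NOTE = re.compile(r"(readme|decrypt|restore|recover)", re.I)  # ransom-note-style names

WINDOW = timedelta(seconds=60)   # look for bursts inside one minute
MIN_FILES = 5                    # distinct files gaining a new extension

# Constructed sample: a word processor doing one normal save-and-rename, then
# an unknown process renaming six documents to a new extension and dropping a note.
SAMPLE_LOG = """\
2024-03-01T09:00:01 winword.exe 4120 WRITE C:\\Users\\alice\\Documents\\q1.docx
2024-03-01T09:00:02 winword.exe 4120 RENAME C:\\Users\\alice\\Documents\\~WRL0001.tmp -> C:\\Users\\alice\\Documents\\q1.docx
2024-03-01T09:05:10 svc_upd.exe 5520 RENAME C:\\Users\\alice\\Documents\\q1.docx -> C:\\Users\\alice\\Documents\\q1.docx.locked
2024-03-01T09:05:11 svc_upd.exe 5520 RENAME C:\\Users\\alice\\Documents\\budget.xlsx -> C:\\Users\\alice\\Documents\\budget.xlsx.locked
2024-03-01T09:05:12 svc_upd.exe 5520 RENAME C:\\Users\\alice\\Desktop\\notes.txt -> C:\\Users\\alice\\Desktop\\notes.txt.locked
2024-03-01T09:05:13 svc_upd.exe 5520 RENAME C:\\Users\\alice\\Desktop\\plan.pptx -> C:\\Users\\alice\\Desktop\\plan.pptx.locked
2024-03-01T09:05:14 svc_upd.exe 5520 RENAME C:\\Shares\\finance\\invoices.pdf -> C:\\Shares\\finance\\invoices.pdf.locked
2024-03-01T09:05:15 svc_upd.exe 5520 RENAME C:\\Shares\\finance\\payroll.csv -> C:\\Shares\\finance\\payroll.csv.locked
2024-03-01T09:05:16 svc_upd.exe 5520 CREATE C:\\Users\\alice\\Desktop\\HOW_TO_DECRYPT.txt
"""


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def extension(path):
    return os.path.splitext(basename(path))[1].lower()


def directory(path):
    return path[: len(path) - len(basename(path))]


def parse(lines):
    """Yield Event records; lines that do not match the format are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, proc, pid, action, rest = m.groups()
        if action == "RENAME":
            if " -> " not in rest:
                continue
            src, dst = rest.split(" -> ", 1)
        else:
            src, dst = rest, None
        yield Event(datetime.fromisoformat(ts), proc, int(pid), action, src, dst)


def detect(lines, window=WINDOW, min_files=MIN_FILES):
    """Return one finding per process that renames at least `min_files` distinct
    files to a new extension inside `window`, or fewer files plus a note-like file."""
    renames = defaultdict(list)   # (process, pid) -> [(ts, src_path)]
    notes = defaultdict(list)     # (process, pid) -> [note path]
    for ev in sorted(parse(lines), key=lambda e: e.ts):
        key = (ev.process, ev.pid)
        if ev.action == "RENAME" and extension(ev.src) != extension(ev.dst):
            renames[key].append((ev.ts, ev.src))
        elif ev.action == "CREATE" and NOTE.search(basename(ev.src)):
            notes[key].append(ev.src)
    findings = []
    for (proc, pid), items in renames.items():
        burst = 0  # largest number of distinct files renamed inside any one window
        for i, (start, _) in enumerate(items):
            in_window = {p for t, p in items[i:] if t - start <= window}
            burst = max(burst, len(in_window))
        has_note = bool(notes[(proc, pid)])
        if burst >= min_files or (burst >= 2 and has_note):
            findings.append({
                "process": proc, "pid": pid,
                "files_renamed": burst,
                "directories": len({directory(p) for _, p in items}),
                "ransom_note": has_note,
                "first_seen": items[0][0].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

The single save-and-rename by the word processor stays under the threshold, while the burst of six extension changes across three directories plus a note-like file is reported. In practice the threshold and window are tuned per environment, and a finding of this kind is what should trigger isolating the host and checking that backups are intact, which is the point the passage makes about the pay-or-restore decision.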
Intellectual property (IP) is considered highly desirable for sophisticated cyber criminals. While hacks targeting credit card information, consumer health information and other personally identifiable information (PII) tend to attract the most media attention (regulations require that PII compromises be reported), IP theft is emerging as a cause for concern in corporate boardrooms.
IP can be any type of financial, business, scientific, technical, customer or engineering information that is deemed proprietary.
Many organisations fail to understand the value of their IP and how much of their company’s overall value derives from it. The two forms of IP most frequently involved in cyber crime are copyrighted materials and trade secrets.
Internet of Things [IoT]
The IoT poses emerging security challenges. Between 50bn and 100bn devices are expected to be connected to the internet by 2020 according to an Oliver Wyman report.
Many of these devices will be smart devices which lack strong security features and often do not have regular product support or updates, making them vulnerable to attack. The new connectivity that comes with smart devices can see an organisation exposed to new threats that have not been considered or mitigated. Companies that design and manufacture or service IoT devices face a variety of cyber exposures, as do companies that deploy IoT devices.
The General Data Protection Regulation (GDPR), which took effect on May 25, 2018, was developed to give people control of their personal data and create a high, uniform level of data protection across the EU that is ‘fit for today’s digital age’. Combined with the backdrop of the GDPR regulatory environment, the cyber landscape is also rapidly evolving, with cyber criminals becoming ever more sophisticated in identifying new ways of penetrating IT infrastructures.
The maximum fine under the GDPR is up to 4% of annual global turnover or €20 million (or the equivalent in sterling) for organisations that infringe its requirements. Nevertheless, not all GDPR infringements lead to data protection fines. Supervisory authorities, such as the UK’s ICO (Information Commissioner’s Office), can take a range of other actions, including warnings, reprimands, a temporary or permanent ban on data processing, etc.
According to the National Cyber Security Centre (NCSC), SMEs face a 1 in 2 chance of experiencing a security breach. So, what can SMEs do to reduce the risk of becoming victims of a cyber-attack and prevent unauthorised access to the personal information they store online and access via digital devices? It stands to reason that the better controlled and monitored the IT infrastructure is, the less likely the business is to become a victim of cyber crime.
Global events like coronavirus present increased cyber and data security risks as cyber criminals develop tactics to opportunistically profit from the emerging environment and from the large number of organisations adopting home working policies. They will seek to exploit the sense of urgency and panic surrounding the pandemic and leverage any security weaknesses that may arise within an organisation’s systems and procedures. Companies should be mindful of these increased risks and take prompt, practical steps to mitigate them. However, this can be even more challenging at this time due to reduced IT staffing and, in many cases, a focus on supporting remote access for workers.
The National Cyber Security Centre [NCSC], part of GCHQ in the UK, has seen an increase in the registration of webpages relating to the Coronavirus. The Centre has taken measures to automatically discover and remove malicious sites which serve phishing and malware. These sites are using COVID-19 and Coronavirus as a lure to make victims ‘click the link’. These attacks are versatile and can be conducted through various media, adapted to different sectors and monetised via multiple means, including ransomware, credential theft, bitcoin or fraud.
In tandem, many organisations are reporting a growing volume of ransomware attacks and sophisticated phishing scams using coronavirus references as bait to induce employees to click on email links or attachments infected with malware. The World Health Organisation has warned that criminals may be sending phishing emails that appear to be from the WHO and which ask recipients to give sensitive information such as usernames or passwords, or to click on malware-installing links or attachments. Cyber criminals have also been using the name of the US Centers for Disease Control and Prevention and aping domain names in phishing emails similar to those flagged by the WHO. Trojan and worm viruses have also been identified in word processor documents, PDFs and video files purporting to contain virus protection instructions or threat updates.
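The phishing section earlier on this page describes fake sites that look very similar to the legitimate one, and the passage above describes criminals aping the domain names of the WHO and CDC. A mail gateway or SOC can catch a large share of such senders with a lookalike-domain check. The script below is an added example written for this page and is not code from CRIF or KYND; the `PROTECTED_DOMAINS` list, the small confusables table and the sample addresses are constructed for illustration (a production deployment would load the brand list from configuration and use the full Unicode confusables data).

```python
"""Flag sender domains that imitate a protected brand domain.

Added example for the phishing passages on this page; not code from CRIF or
KYND. PROTECTED_DOMAINS, CONFUSABLES and the sample addresses are constructed.
"""
import unicodedata

PROTECTED_DOMAINS = ["who.int", "cdc.gov", "examplebank.co.uk"]  # constructed list

# Visually confusable substitutions seen in lookalike registrations (small subset).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w",
}


def normalise(domain):
    """Lower-case, decode punycode labels, strip accents and fold confusables."""
    out = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        label = unicodedata.normalize("NFKD", label)
        label = "".join(ch for ch in label if not unicodedata.combining(ch))
        for src, dst in CONFUSABLES.items():
            label = label.replace(src, dst)
        out.append(label)
    return ".".join(out)


def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(address, protected=PROTECTED_DOMAINS, max_distance=1):
    """Classify the sender's domain as 'trusted', 'lookalike' or 'unrelated'.

    Returns (verdict, protected_domain_matched, reason).
    """
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    # The protected domain itself, or a subdomain of it, compared before any folding.
    for legit in protected:
        if domain == legit or domain.endswith("." + legit):
            return ("trusted", legit, "exact match")
    norm = normalise(domain)
    labels = norm.split(".")
    for legit in protected:
        legit_norm = normalise(legit)
        brand = legit_norm.split(".")[0]
        if norm == legit_norm or norm.endswith("." + legit_norm):
            return ("lookalike", legit, "confusable characters")
        if brand in labels:
            return ("lookalike", legit, "brand label reused under another domain")
        for label in labels:
            d = edit_distance(label, brand)
            if len(brand) >= 4 and d <= max_distance:   # short brands skipped to limit noise
                return ("lookalike", legit, f"typosquat (edit distance {d})")
            if len(brand) >= 5 and brand in label:
                return ("lookalike", legit, "brand name embedded in label")
    return ("unrelated", None, "no protected domain resembled")


if __name__ == "__main__":
    for addr in ["alerts@who.int", "info@wh\u043e.int", "security@examplebanks.co.uk"]:
        print(addr, check_sender(addr))
```

The exact-match test runs on the raw domain before any folding, so only the genuine domain (or its subdomains) is ever marked trusted; everything that merely folds to the brand is reported as a lookalike with the reason, which is what an analyst needs when triaging the alert. Length thresholds on the brand label keep three-letter names from matching ordinary words.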
Is it possible to identify cyber risk before a cyber attack, data breach or business interruption actually happens?
Unfortunately, many businesses are still unprepared to manage cyber risk and understand their vulnerabilities. But there are tools available on the market which are affordable and can help an organisation rapidly identify cyber risk vulnerabilities.
In this age of digital disruption, there is a clear need for businesses to look out for cyber threats on an ongoing basis. Recognising this need, CRIF Decision Solutions has developed CRIF Cyber Check, powered by KYND, a proactive response to cyber management in 4 simple steps.
Resources & White Papers on Cyber Risk
Cyber risk continues to evolve at speed, but as a relatively new risk there is very little data available to build defences against emerging trends (intellectual property, IoT).
What are some of the new emerging threats to UK businesses?
General Data Protection Regulation, a year on. The GDPR was generated to give people control of their personal data and create a high, uniform level of data protection across the EU that's ‘fit for today’s digital age’. What about compliance, data protection and risks?
The recent SME Insurance Risk Survey commissioned by Crif Decision Solutions in partnership with Post has revealed some surprising findings. It would appear that many insurance providers and brokers are not equipped to accurately assess and subsequently price small to medium-sized enterprise cyber risk.