We've experienced a sobering introduction to 2021, with the news of another national lockdown, and all our hopes pinned on tools such as vaccines to prevent worse symptoms emerging.
With our businesses, like many others, being dispersed to a full remote working model for a second time, the cyber-criminal community of bad actors is settling in for another lucrative round of fun at the expense of the unprepared and unsuspecting business.
The Unsuspecting Carriers
It struck me that the parallels between Covid-19 and today’s cyberthreats were spookily common. Just like Covid symptomatic people, todays cyber criminals are busy infecting our systems anonymously, unannounced, and more often via an unsuspecting “carrier” that has no idea they are transmitting the virus themselves.
Just like the Covid Pandemic, cyber threats spread quickly around the globe with as much ease as infected people moving between countries on aircraft, bringing the pandemic ever closer to home.
The Take Over
And just as sinister as Covid-19, cyber criminals rely on people’s ambivalence to identify that they could be infected or at risk. With the guard down, the virus and the cyber criminal? Well, they’re in.
The Blissful Ignorance
Once in, just like with the Covid-19 virus, the unsuspecting recipient can be blissfully unaware that they have a problem, which in the case of Covid can incubate for around 10 days. The cyber version of the infection is a little more advanced – it’s down to the cyber criminal when to strike. Sounds like a movie script and not real life, doesn’t it?
You may have recently read about “the biggest hack in history” against SolarWinds and FireEye, two leading security companies with plenty of resources and money. The primary activity of both companies is to develop and sell cyber security products, but in 2020 both were significantly disrupted by planned and sophisticated attacks now known as “Sunburst”. The original hack was focused on SolarWinds, but the targets were much wider.
The attack inserted obfuscated code into the SolarWinds product, which went undetected by the company. SolarWinds customers who downloaded products and patches unknowingly inserted the threats into their own networks. The following official guidance was released:
“If you fall into that category, the wisest course of action is to proceed as if you were compromised. Take offline, update and contact SolarWinds”.
All services these customers had running needed to be taken down to mitigate the fact their systems were infected. A prudent course of action following this would have been a complete review of patching and systems integrity. The cost to unsuspecting businesses – undefined but no doubt substantial.
Following the attacks, the *Cyber Defence Magazine made a chilling statement:
“The lesson from this series of high profile attacks is that you can do everything right and still be compromised.”
– Cyber Defence Magazine
So what are you and your company doing to combat these threats?
Let’s consider the lessons we are learning from the pandemic. We now know that people’s behaviour has a net effect on the case numbers. Ignoring the advice provided by the government and national health advisors, continuing to practice close contact with strangers, and avoiding preventive measures like masks and hand sanitising will significantly increase the case numbers and your own chances of contracting the virus.
Compare this to the world of IT security and there is still a worryingly high proportion of companies that ignore the warnings, the guidance, and continue operating while blissfully ignorant to the threat vectors that their online activity is attracting. Without any knowledge of IT in house, some companies simply don’t know about the steps they should be taking.
It’s not just a handful of examples either, according to the *cyber security breach report 2020 found on the UK government website, almost half of UK businesses (46%) and a quarter of charities (26%) report having cyber security breaches or attacks in the last 12 months. Like previous years, this is higher among medium businesses (68%), large businesses (75%) and high-income charities (57%).
The cost of Not Acting
According to Real Business Magazine, the number of SME’s in the UK that are exposed to a cyber attacks each day is an astonishing 65,000.
4,500 of those attacks are successful.
Some businesses will suffer from the disruption of systems immediately, while others spend time in the infection phase before the destruction of their systems. Covid-19 has accelerated these figures. The cost is measured not only in the clean-up, and possible ICO (information Commissioners Office) fines for data breach, but also the cost of repair and lost operation.
The unspecified damage will be in areas such as the company’s brand reputation, after the company has to take down systems or report data loss or access. The Real Business Magazine survey found that 44% of the public indicated they would not use the brand again if they were responsible for a data breach continuing their data. You’re playing a high stakes poker game if you choose to do nothing.
Incredibly, 48% of UK companies have inadequate cybersecurity in place to support home working, which has increased exponentially during lockdown and which now presents as the easiest of targets for the criminals.
Tonight, when you watch the news report detailing the numbers of infected people with Covid, think also about the unseen cyber criminals who are using sophisticated techniques to hunt out and target those systems that are lacking the defence required. Ask yourself – are they yours, and are you doing enough to not be the next statistic?
Vissensa is offering FREE IT ADVICE to companies during the pandemic. If you’re worried about your security, give us a call.
*Read the full Cyber Defence Magazine article
*Read the Cyber Security Breach Report 2020