Cyber security for businesses is a critical topic in today’s digital landscape, and it’s a concern for organisations of all sizes across every sector. It involves protecting computer systems, networks, and data from unauthorised access, theft, damage, and disruption.
Implementing robust cyber security measures is essential to safeguard sensitive information, maintain customer trust, and prevent financial losses.
Most organisations use online management software, also known as Software as a Service (SaaS), and communicate internally and externally through the internet. Therefore, a cyber attack is something we should all be prepared for.
As with many organisations, at Praxis42, clients often ask us what measures we have in place to help guard against online attacks and how we prevent and manage this risk. Firstly, like all organisations, we have safeguards to protect our business and internal systems. Secondly, as a specialist offering compliance, our clients often ask questions about the controls and systems we have in place to protect their data, software and interfaces from an attacker infiltrating their systems via our SaaS.
As part of the procurement process, organisations now require detailed assurance about cyber security from the businesses they deal with. This has given rise to a range of SaaS solutions which help assess, rate, and manage suppliers’ cyber security management.
The National Cyber Security Centre (NCSC) has created The Cyber Assessment Framework (CAF) which provides guidance for organisations to check their resilience against cybercrime.
But even the most cyber-confident organisation should regularly review their security measures. Cybercrime continually evolves and becomes more sophisticated, so security systems must be continually updated.
In this article we discuss the types of cyber-attack organisations need to be aware of, and how to implement effective cyber security for businesses.
Why would your business be attacked?
No organisation should consider itself outside the scope of a cyber-attack. Every organisation has information that cyber criminals could use, either to defraud money directly, or to get closer to larger targets.
There are many reasons that your organisation could be attacked, but the three main ones are:
1. Access to information
Data itself is a very valuable commodity. Most organisations store information about clients and employees. Attackers may use this data themselves to steal identities or sell it on to other criminal organisations on the dark web.
2. Access to other organisations
Supply chain attacks are currently a huge concern, with attackers using an organisation’s supply chain as a jumping-off-point to target other client and partner organisations in the chain. If your organisation is successfully breached, then every aspect of your supply chain could also be attacked.
3. Financial gain
The most obvious goal of an attack is to defraud or extort money, with hackers looking to gain control of financial assets.
Who might attack your business?
This is the most common type of attacker. They might be an enthusiastic hacker looking to exploit their technical skills for personal gain, or a disgruntled employee, or they might be part of an organised group looking to extort money or steal data on a large scale.
Hostile foreign governments
This group is determined, organised and technically advanced. They are less likely to be looking for financial gain. Instead, they will be looking to steal sensitive information or intellectual property that can give them a social or commercial advantage, or they may want to test your defences, perhaps to destabilise the economy.
When the Russian war in Ukraine began in 2022, the NCSC urged organisations across all business and public sectors to be particularly vigilant against cyber-attacks from Russian state-sponsored attackers. They were advised to bolster their online defences and to ensure that response plans were in place in the event of a breach.
This warning was no doubt partly motivated by memories of the NotPetya malware attacks of 2017. These have since been blamed on Russia and although they primarily targeted Ukrainian businesses through a tax-preparation programme, they also caused damage and significant financial loss to businesses throughout the world.
So, although your levels of protection may already be high, certain world events should trigger a higher level of awareness in cyber security across your organisation.
Activists could attack your organisation to make a political point, usually to highlight a cause they believe in, or to discredit a practice they are opposed to.
Terrorists are likely to be less technically advanced than other groups. Their motivation will be either to raise funds or to spread propaganda to gain support for their cause.
This final group includes disgruntled ex-employees or current employees. They may wish to cause damage to your organisation for personal satisfaction, or to carry out corporate espionage to help their new employer.
This group is different from the others as they may have intimate knowledge of your systems and how to navigate them. Detection is often difficult until it is too late.
What are the latest cyber security threats?
The way cyber criminals attack organisations continues to evolve as they try to stay ahead of defences. You can stay up to date by visiting the National Cyber Security Centre’s website.
These are the current cyber security threats for businesses to know about.
Phishing attacks and email modification fraud
We still see phishing attacks and email modification fraud. This is where cyber criminals try to trick individuals into clicking on an external link by making it look like a trusted or familiar link. The link may be in an email that appears to be from a bank, perhaps requesting that the recipient updates their personal details. The attacker behind the email may be attempting to steal bank details.
Employees’ digital footprints help attackers to make phishing activities look realistic. So, it’s important that everyone is cautious about the information they share on social media.
One example is an email that appears to be from a CEO instructing their employee to purchase Amazon vouchers. Another example is an email that looks as if it’s from a Managing Director instructing the Finance Manager in their company to pay an enclosed invoice urgently. In both these examples, names and roles were displayed on social media for the hacker to use once they had unlocked access to the email accounts.
Phishing is just one of many forms of attack where attackers aim to manipulate a person into enabling a security breach. This kind of social engineering often relies on the attacker gaining access to your systems and staying hidden like a predator stalking its prey. They watch and learn the way the organisation operates, while staying undetected by disabling firewalls and other security software.
This kind of attack is a long-term operation. The dwell time may run into hundreds of days. During this time an attacker can learn all they need to about potential targets. This can lead to fake (but seemingly authentic) emails being sent out to extort money.
Supply chain and service provider attacks
System infiltration, as described above, can also lead to another form of attack: supply chain and service provider attacks.
An attacker may use your systems to gain access to all your client or partner organisations. Whether their aim is to extort money, to steal data or to hold every part of the chain to ransom (see below), an attack like this can have far-reaching financial and reputational consequences.
Recently, the most common methods of extracting data have been ransomware and wiperware.
Ransomware and wiperware
Ransomware is malware which, once inside your system, locks you out of it. The software might deny you access to everything or just to key sets of data, and then demand that a ransom be paid in exchange for a key to unlock your data.
Wiperware is similar to ransomware, but instead of locking your data away the software threatens to delete all the data unless a ransom is paid.
Why people install ransomware and wiperware
Often ransomware presents itself as very user-friendly and helpful, with advice on setting up accounts, illustrations of how much interest you will accrue if you don’t pay immediately, and other seemingly helpful guides.
How ransomware and wiperware attack
In the majority of ransomware and wiperware attacks, the initial infiltration is through phishing (as above) or vulnerability exploitation.
Vulnerability exploitation is when a known security weakness in a piece of software or hardware is exploited, or access is gained through an unsecured wireless access point. Unsecured wireless networks are often available in public places where connection is free. Sometimes people choose to use these networks because they offer a stronger internet connection than they currently have on their device.
Ransomware and wiperware attacks can also happen when a victim connects an external device such as a USB stick. It sounds like a spy film, but it can be hard to resist putting an unmarked USB into a machine to see what’s on it.
Once someone has connected to an external device or unsecured network, the malware will attach to their device. When the malware has initial access, an attacker will deploy additional tools to take control of the device they have compromised. This may be a slow process, with the attacker remaining hidden whilst they take over, escalating privileges and moving not only across the initial system but into new ones too.
The final stage is to steal sensitive data, destroy backups and deny the user access by encrypting (or erasing) systems and data unless an escalating ransom is paid.
However, paying the ransom is never a good idea. If a ransom is paid once, then criminals believe it will be paid a second time, or a third. In many cases, organisations that have paid a ransom have been attacked again within months. Additionally, paying a ransom is no guarantee that you will be given access to your systems again. Often organisations remain locked out of their data even after a ransom is paid and their details are still shared for gain on the dark web.
With ransomware and wiperware, it’s often the case that the attackers will leak certain subsets of data that they have access to. This adds a new level of damage to the attack: not only has your security been compromised with financial implications, but also sensitive data is now in the public domain, potentially damaging your reputation.
How to implement cyber security for businesses
The approach to cyber safety and to health and safety is similar when assessing risk to an organisation. Organisations have limited resources and fortunately it is not necessary to bring in every technical security measure available to guard against every eventuality. Instead, apply a cyber risk modelling process for your organisation.
Cyber risk modelling identifies:
- Potential threats and where they are in your organisation.
- What security is already in place.
- Pragmatic controls for your cyber security management system.
Sensible questions to ask in the process include:
- What areas of the organisation are most likely to be targets?
- Why could these areas be targets and what would be the consequence of a breach?
- Is the supply chain large?
- Do we hold lots of sensitive data on clients?
- Does our organisation see a lot of money move through it?
- What controls exist?
- Are controls effective and have they been tested?
You should prioritise risks, then document your findings and controls, and evaluate your available resources. Work on the most critical risks you have identified first and ensure that all the stakeholders buy into the decision-making process.
Depending on your risk profile, you could consider obtaining ISO/IEC 27001 Information Security Management Systems (ISMS) certification or the NCSC Cyber Essentials and Essentials Plus to aid developing an ISMS and provide assurances internally and externally.
Supply chain security
All organisations have a supply chain, and you should map it out to identify any weaknesses that could be exploited by cyber criminals.
Cyber security must form part of your tender, supplier evaluation and contracting processes, with specific questions to understand your suppliers’ and partners’ level of cyber security management and resilience. As a client you can set minimum requirements for cyber security management, either based on your own policies and procedures or using recognised standards such as ISO 27001 or Cyber Essentials.
Consider offering partners support to help them get to the level your organisation requires. This could simply be a checklist of things you require them to implement, or it could be more practical support to help them reach the level you need. This kind of collaboration will also help to ensure that they are an active and engaged part of your cyber security measures.
Make people the strongest link, not the weakest
Most security breaches occur because a person decides to click on a link, to share some information or to connect an unauthorised piece of equipment, or because they fail to report unusual activity on their device.
With a considered programme of engagement and training, you can build security that protects your organisation, employees, customers, suppliers, and partners. This should start at the top, so everybody throughout the organisation understands the importance of cyber security both for the business and their personal protection.
Make sure there are advocates for cyber security at every level of responsibility in the business, and that they understand the purpose of technical security and the essential role people play in supporting it. The tone from the top is a very familiar concept in health and safety management and it’s no different when developing, implementing, and maintaining your ISMS. See our eLearning course, Cyber attacks and strategic cyber planning for managers.
Cyber security training and information updates should happen regularly, but in small, bite-sized pieces that can easily be taken onboard. It’s much more important to have an ongoing, low-level conversation than to have an in-depth, once-per-year session.
In many cases, attacks are thwarted because somebody has questioned something unusual which has raised the alarm. Let employees know that their vigilance is a key part of your ISMS. Most importantly, make it clear that if they have done something they shouldn’t have, they must report it. Often, if an employee makes a mistake, they’re afraid to report it in case of any repercussions. But a swift report can help to avoid or limit any damage caused, and this should be a message that’s communicated regularly.
Checks, verification, and testing are powerful feedback mechanisms to provide assurance that your ISMS is working. Typically, this involves using an external provider to test and observe behaviour in the organisation by, for example, sending dummy phishing attempts and seeing what happens. They can then provide reports to help improve awareness or prompt changes to controls.
Manage and protect your assets effectively
It’s key that every organisation has in-depth knowledge of all the data and systems that it is managing and how they connect to other organisations and individuals. This knowledge is vital in the event of an attack or attempted cybercrime.
Any data should be protected and backed up, both online and offline. It’s worth noting that not all data has the same value. There’s no need to spend more on protecting data than it is worth. But the GDPR is very clear about the protection of personal data.
In most systems, assets are changed or replaced often. You should keep just the data you need, and securely delete the rest, sanitising any storage media it was on. Long-forgotten data that’s no longer used or cared for by an organisation can still be of value to an attacker. The same is true for old equipment: it also needs to be disposed of securely, and you should make sure the disposal is certified.
Secure by design
If your organisation builds solutions or systems, then security should be built into the architecture rather than something that’s added once functionality has been established. The two need to go hand in hand, so that the security aspect works in harmony with what the system or solution is designed to do.
By taking this approach, you make it harder for an attacker to compromise the system. You can also build in ways that limit the damage an attack can cause by segregating parts of the system from others.
Identity and access management
Every organisation must have ultimate control over who can access its data and when. There need to be multiple layers of security, with a range of established protocols to limit and monitor access, such as:
- Single sign on (SSO).
- Multi-factor authentication, where more than one device is needed to verify a user’s identity.
- Password management solutions, where secure passwords are created and managed for each account.
Logging and monitoring
Your systems will ideally have security monitoring programmes, which will log and identify suspicious or anomalous behaviour, and either flag it up and/or temporarily lock out that user until the activity or user has been verified by a decision maker.
This is an area in which it is easy to get carried away and set your system up to log everything that’s going on. Instead, try to streamline logging so that it provides insight, reporting only on anomalous behaviours. You can lose sight of the important reports amongst the mundane ones if your system is constantly logging every activity.
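As an added example, not code from the original article: a small Python monitor over constructed authentication log lines that reports only anomalous behaviour (repeated failures, a successful login from a previously unseen address, out-of-hours logins) and locks an account pending verification by a decision maker, instead of reporting every event. The log format, thresholds and office hours are assumptions.

```python
"""Anomaly-focused monitor over constructed authentication log lines.
Reports only the events worth a human decision and records which
accounts are locked pending verification."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not real data. Assumed format:
# "<ISO timestamp> <OK|FAIL> user=<name> ip=<address>"
SAMPLE_LOG = """\
2024-05-01T08:00:01 OK user=alice ip=10.0.0.5
2024-05-01T08:00:30 OK user=bob ip=10.0.0.9
2024-05-01T08:01:00 FAIL user=alice ip=203.0.113.7
2024-05-01T08:01:05 FAIL user=alice ip=203.0.113.7
2024-05-01T08:01:10 FAIL user=alice ip=203.0.113.7
2024-05-01T08:01:15 FAIL user=alice ip=203.0.113.7
2024-05-01T08:01:20 FAIL user=alice ip=203.0.113.7
2024-05-01T08:01:40 OK user=alice ip=203.0.113.7
2024-05-01T09:30:00 OK user=bob ip=10.0.0.9
2024-05-01T22:15:00 OK user=bob ip=10.0.0.9
"""

FAIL_THRESHOLD = 5            # assumed: failures within WINDOW that trigger a lock
WINDOW = timedelta(minutes=5)
OFFICE_HOURS = range(7, 20)   # assumed: logins outside these hours are flagged, not blocked


def parse(line):
    ts, result, user, ip = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], ip.split("=", 1)[1])


def monitor(log_text):
    """Return (alerts, locked): concise findings and the set of accounts
    locked until a decision maker verifies the activity."""
    alerts, locked = [], set()
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    known_ips = defaultdict(set)    # user -> addresses that succeeded before
    for line in log_text.splitlines():
        ts, result, user, ip = parse(line)
        if user in locked:
            alerts.append(f"{ts} {user}: activity while locked from {ip}")
            continue
        if result == "FAIL":
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                locked.add(user)
                alerts.append(f"{ts} {user}: {len(q)} failures in {WINDOW} "
                              f"from {ip}, locked pending verification")
            continue
        # Successful login: report only what is unusual for this account.
        if known_ips[user] and ip not in known_ips[user]:
            alerts.append(f"{ts} {user}: success from new address {ip}")
        if ts.hour not in OFFICE_HOURS:
            alerts.append(f"{ts} {user}: login outside office hours")
        known_ips[user].add(ip)
        failures[user].clear()
    return alerts, locked
```

Ten routine log lines reduce to three findings, which is the kind of streamlined report the text recommends.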
Being prepared to deal with an attack is essential to every organisation, but so is planning your response to a successful breach or near miss.
Integrating breach planning into your business continuity management (BCM), incident management or emergency preparedness has several benefits, in particular that key stakeholders will be identified.
A response plan for individuals to refer to is helpful. Ideally this should be split into small, concise playbooks. But the response should not stop there. Everybody involved, from the board down, should regularly rehearse what to do in the event of an attack, so that everyone is aware of their role and has practical experience of carrying it out.
An effective response plan will be tailored to your organisation and include how you will communicate the breach to others. This could include your employees, clients, partners, and shareholders. Depending on your organisation, it may also include the press. All these aspects should be considered in advance so that in a worst-case scenario, nothing is being created in the midst of a crisis.
Investigating a cyber incident and producing findings and recommendations follows a very similar methodology to an incident and accident investigation: the aim is to establish the immediate, underlying and, ideally, root causes so that lessons are learned and a recurrence prevented.
Keep your systems protected throughout their lifecycle
As the kind of attacks on systems evolve, it is important to regularly review your equipment and cyber security systems to ensure they continue to protect your business.
One of the simplest ways to do this is to ensure that the software your organisation uses is up to date. This means your SaaS or bespoke software as well as your dedicated security software.
Whenever a piece of software is exploited by an attacker, the developers of that software write a patch to permanently close that method of entry, and release it as part of an update for that software. Therefore, one way to help guard against attacks is simply to ensure that all your software has the latest patches applied. The best way to do this is to turn on automatic updates where available.
When it becomes impossible to keep older devices and systems up to date, you should take steps to segregate them from the rest of the network so that they no longer pose a risk.
If you are unsure about your own software or about systems you have procured, it is good practice to check and gain assurance that vulnerability and penetration testing has been performed.