Online crime in 2023
You rarely have to search past page one of Google to find a cyber-related headline, whether it reports on highly publicised infrastructure attacks or large-scale supply chain data breaches. These highly driven threat actors, whether working alone or in numbers, have never come out swinging the way they have over the last few years since the COVID pandemic.
Threat actors are motivated by new vulnerabilities within the health sector, by cyber-warfare and by the spike in online shopping, which they exploit by targeting victims with delivery smishing. They also take advantage of the higher numbers of people working from home, which weakens business system security. The opportunities have never been so plentiful for threat actors.
Cybercrime is not going anywhere. It is a dynamic space, one which evolves as applications and data evolve. It is also true to say that no organisation is immune from a breach. The latest Data Breach Investigations Report by Verizon notes that this year ransomware has continued its upward trend with an almost 13% rise in attacks, which is an increase as big as the last five years combined.
Ransomware attacks are becoming increasingly complex, as threat actors find new ways to put pressure on organisations. The damage from ransomware is also on the rise, particularly across the healthcare, education and legal sectors due to the vast amounts of personal and financial data they process. It’s important to note that, while committing a ransomware attack is a criminal offence, paying a ransom demand is not against the law. Despite this, we still advise clients to avoid giving in to ransom demands.
Research indicates that, if cyber criminals continue operating at their current rate, global cybercrime costs will reach $10.5 trillion by 2025.
So, what exactly has happened in the last two years to see the exponential rise of online criminal activity? There are a few factors at play:
- The digital evolution works both ways: Just as businesses have embraced technological innovation, so too have cybercriminals. With the sudden influx of cyber security headlines and reports in recent times, it begs the question, are threat actors getting craftier at infiltrating our defences, or are cyber security teams getting more skilled at detecting a breach? The answer is most likely, “both.” The recent Cyber Security Breaches Survey 2022 results show that over the last year, 39% of UK businesses identified a cyber-attack. The survey also found that enhanced cyber security leads to higher identification of attacks. It could be argued, however, that organisations with less robust cyber defences may be underreporting and so these figures must be viewed with that in mind. As we have established, cyber threats are non-discriminatory and data breaches are now, more than ever, a concern for companies of all sizes. Nonetheless, no matter the industry, some sectors are still naturally more at risk than others and this boils down to the base fact that every organisation has a different level of maturity when it comes to cyber security measures and controls.
- The Covid-19 pandemic: The pandemic has been taxing for both businesses and individuals. In the last year, cyber criminals preyed on Coronavirus anxiety levels for their own benefit. The Council of Europe noted a rise in phishing scams, where cyber criminals impersonated official health bodies in a bid to steal sensitive data, as well as an increase in ransomware attacks targeting medical organisations. Further research shows that phishing attacks increased more than 660% from 2019.
- The changing nature of work: The pandemic accelerated the shift towards remote working and, with it, created a host of new cyber threats. Organisations worldwide are still supporting, on average, double the number of remote workers compared with pre-pandemic figures, with no return to those levels in sight. The recent “State of Cyber Security 2022” survey by Splunk stated that organisations expect that, in a year’s time, 41% of their workforce will remain in remote roles. There are more endpoints to consider, such as corporate mobile phones, tablets, laptops and computers, each of which brings its own risk.
- The human factor: There’s a reason why phishing scams remain such a popular technique for cyber criminals: they rely on human error. A lack of knowledge and carelessness are often the difference between a successful and a thwarted cyber attack. In fact, human error caused 90% of cyber data breaches in 2019, according to a CybSafe analysis of data from the UK Information Commissioner’s Office (“ICO”).
- Growing supply chain: Supply chain security has become ever more critical. Today’s supply chains are often opaque and complex, forming mass ecosystems of vendors, suppliers and partners connected by servers, web applications and the cloud. In turn, these organisations have their own suppliers, who also have their own suppliers, and so it goes on. Without sufficient control and visibility into this extensive ecosystem, managing a complex supply chain can be a real challenge and one that should not be overlooked. It will come as little shock, then, that the SANS Institute’s supply chain security webcast noted that if a company suffers a security incident, there is a 70% probability it will be through one of their suppliers. 2021 research indicated that 82% of a group of organisations surveyed in the UK, who had experienced a cyber security breach, stated that the breach originated from vulnerabilities in their vendor ecosystem. This is further evidenced by the several high-profile supplier security breaches of recent times, such as the Kaseya ransomware attack and the SolarWinds breach, which saw a widespread campaign of software attacks starting in 2020 and unofficially elevated the importance of supply chain security within the private sector. Since then, cyber security breaches have rarely been out of the news, and concern has only been heightened by the ongoing threat of cyber warfare following the recent conflict overseas.
How do we prevent a cyber attack?
No organisation is completely safe from an attempted cyber breach. However, the success of a breach is dependent on an organisation’s cyber maturity. As Mimecast research shows, 79% of organisations suffered a data breach due to their lack of cyber preparedness.
The good news is that awareness of this risk is growing. PwC research indicates that 56% of UK organisations will increase their cyber budgets this year, although only 38% are confident their budgets are being allocated to protect against the most significant risks.
For businesses, what’s needed is a comprehensive risk management strategy, which incorporates the right security tools, incident response procedures and employee training to protect against the worst-case scenario.
Where to start in your cyber security strategy?
As a starting point for creating your strategy, we advocate the National Cyber Security Centre’s (“NCSC”) flagship standard, Cyber Essentials, which provides five foundational steps for effective protection. A step further would be to achieve Cyber Essentials Plus, which requires a qualified, independent assessor to validate that these five steps are in place.
For supply chain security, the NCSC offers 12 principles, designed to enable effective control of the supply chain. Other broad cyber security standards to consider, particularly in the case of large organisations or those who process a lot of data, are ISO 27001 or the NIST Cyber Security Framework. We also offer a free guide to supply chain security.
Endpoint configuration assessments are necessary to identify and remediate issues relating to misconfigurations and a lack of security hardening. Common weaknesses identified in these tests include users having access to unnecessary applications, poor password policies and a lack of logging and backup settings.
Regular penetration testing should be considered standard practice. We have more information here on web app penetration testing, mobile app penetration testing, API testing and other types of pen tests.
If you would like guidance with improving your security posture, we are happy to help. From incident response exercises and supply chain assessments to implementation, we can help you to bolster your defences.
Securing your business can appear time-consuming and may be expensive, but as the old adage goes, ‘fail to prepare, then prepare to fail’. You may find it helpful to start with our advice on steps to take in the event of a cyber security incident.
Want to improve your organisation’s security posture?
We can help you assess and improve your security framework. Even if you just want some initial guidance then please do contact us.