Cybercrime will cost companies worldwide an estimated $10.6 trillion (£7.65trn) annually by 2025, representing the greatest transfer of economic wealth in history. This cost takes into account ransom payments, disruption of service, destruction of data, theft of intellectual property and reputational damage, to name a few. Yet many organisations are still burying their heads in the sand when it comes to cybercrime, ignoring online vulnerabilities and not taking the recommended measures to protect their business more effectively.
In a similar vein to personal health, many businesses only take notice of cyber security once something goes seriously wrong. But they need to be more proactive in protecting themselves from cybercrime, safeguarding their assets and, in turn, their valued stakeholders. So where should businesses start? One place is gaining an understanding of the different types of cybercrime, what can happen during attacks, and the lessons to be learned from others that have fallen victim.
Malware attacks
This is where a computer system or network is infected with a virus or other type of malware, with criminals holding files to ransom and demanding payment to release them. But paying the ransom, often demanded in cryptocurrency to preserve the attackers' anonymity, doesn't guarantee the return of data. In fact, only 9% of retail organisations that paid a ransom in 2020 got all of their encrypted data back.
One of the most famous examples of a malware attack is WannaCry, which exploited a vulnerability in computers running Microsoft Windows. Kaspersky Lab, a Russian multinational cybersecurity provider, estimated that 230,000 computers were affected across 150 countries, costing $4 billion (£2.9bn) in financial losses worldwide.
Russia, Ukraine, India and Taiwan were most affected by the attack, but the NHS was also hit. It was estimated to have cost the NHS £92 million, after 19,000 appointments were cancelled as a result of the attack. Whilst it's unlikely that the NHS was specifically targeted, the organisation was vulnerable because it operates on old, unsupported software. The organisation remains at risk too, with NHS Digital finding that none of the 200 Trusts passed cyber security vulnerability inspections.
But what should an organisation do if it finds itself the victim of a malware attack? Commenting in an article that looked at how the Italian Covid-19 vaccine booking system suffered a ransomware attack, Jaya Baloo, chief information security officer, said: “when an organisation is hit by ransomware, the five steps to take would be to isolate the affected systems, identify and secure backup options, collect log information and conduct forensics where needed, attempt to identify the ransomware strain and see if there is a decryption key available, and contact law enforcement and decide on how to proceed.”
Having an agreed plan of action that can be implemented quickly should a malware attack occur can make a significant difference to how much data is affected. And with research from EY finding that more than three quarters (77%) of chief information security officers have seen a rise in disruptive attacks over the past 12 months, up from 59% the year before, it's vital that businesses plan effectively for potential incidents.
Distributed denial of service attacks
A distributed denial of service (DDoS) attack is when criminals try to make it impossible for a service to be delivered by flooding a system with requests. Devices, networks and apps can all be targeted, with attacks sending so many requests that systems crash under the demand. The result can be anything from customer annoyance about disrupted services to an entire business being taken offline.
One high-profile example of a DDoS attack is when customers of six major US banks, including J.P. Morgan and Citigroup, were unable to access their accounts and pay bills online. A hacktivist group had launched the attack in a bid to get an anti-Islamic video removed from YouTube. And despite the banks having cybersecurity systems in place, none of them were ready to receive such an unprecedented amount of traffic as botnets carried out the assaults.
DDoS attacks show no sign of abating, with Cisco predicting that the total number of attacks will double from 7.9 million in 2018 to over 15.4 million by 2023. What's more concerning is that research by Deloitte finds that the majority of IT decision makers are not fully confident that their company has the intelligence and expertise to protect against a cyber-attack.
There are many tactics that businesses can deploy to safeguard themselves from DDoS attacks, but one simple measure is to become familiar with usual website traffic, which makes an attack easier to spot. In the long run, having a DDoS response plan, with a technically competent team ready to leap into action, is crucial to stopping an attack from taking hold.
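One way to turn "become familiar with usual website traffic" into a concrete check, as an added example that is not part of the original post: it builds a per-minute request baseline from constructed access-log lines and flags any minute that exceeds a multiple of the median rate. The log format, the sample lines and the threshold factor are assumptions made for the example.

```python
import re
from collections import Counter
from statistics import median

# Constructed NGINX/Apache-style access log lines (not real traffic): four
# quiet minutes of normal browsing, then one minute of a request flood.
LOG_LINES = []
for minute, n in {"10:00": 12, "10:01": 15, "10:02": 11, "10:03": 14}.items():
    for i in range(n):
        LOG_LINES.append(f'198.51.100.{i % 20 + 1} - - [12/Oct/2021:{minute}:{i % 60:02d} +0000] '
                         f'"GET / HTTP/1.1" 200 512')
for i in range(400):  # the flood minute
    LOG_LINES.append(f'203.0.113.{i % 50 + 1} - - [12/Oct/2021:10:04:{i % 60:02d} +0000] '
                     f'"GET /login HTTP/1.1" 503 0')

# Captures the "dd/Mon/yyyy:HH:MM" part of the timestamp, i.e. the minute.
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} [+-]\d{4}\]")

def requests_per_minute(lines):
    """Count requests per minute, preserving log order."""
    counts = Counter()
    for line in lines:
        m = TS_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)

def flag_flood_minutes(lines, factor=5.0):
    """Return (minute, count) pairs whose count exceeds `factor` times the
    median per-minute count. The median stands in for 'usual traffic': a
    single flood minute barely moves it, unlike a mean, so the baseline
    stays honest even when the log already contains the attack."""
    counts = requests_per_minute(lines)
    if not counts:
        return []
    baseline = median(counts.values())
    return [(minute, n) for minute, n in counts.items() if n > factor * baseline]

if __name__ == "__main__":
    for minute, n in flag_flood_minutes(LOG_LINES):
        print(f"{minute}: {n} requests, well above the usual rate")
```

In practice the baseline would be computed over days or weeks of traffic rather than a handful of minutes, and a sustained excess, not a single spike, is what should page the response team.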
Phishing attacks
This is an attack method, carried out most commonly via e-mail, that tricks the victim into believing a trusted source needs something, such as money, identifiable data or login credentials. Whilst it may be the oldest trick in the cybercrime book, it's still effective, with the number of attacks increasing by 220% in 2020 during the pandemic.
The World Health Organization reported a five-fold increase in phishing attacks, with scam emails sent to staff and the public, in the first few weeks of the Covid-19 outbreak. Research by Interpol found that criminals took advantage of the pandemic, posing as government and health authorities to gain the trust of their victims and encourage them to share personal data.
FACC, an aerospace parts maker, also fell victim to a “whaling” scam. This type of phishing attack is where communications appear to be sent from senior business leaders, to dupe victims into sharing sensitive information. In this case, hackers crafted an email purporting to be from the CEO of FACC, asking employees to transfer money to an account for a fake acquisition project. Although the company blocked €10.9 million (£9.3m) from being transferred, the hackers stole around €50 million (£42.8m). It was a heavy blow for the business, which operated at a loss of €23.4 million (£20m) that financial year, and the CEO was fired for “severely violating his duties”.
Whilst opening malicious e-mail attachments may be a simple method of attack, it keeps proving effective. Organisations are increasingly aware that the human element of cyber security is the weakest link and one that criminals continue to exploit. Regularly educating staff in how to avoid phishing scams, such as looking out for typos and sender email addresses that don't look legitimate, is an important method of avoiding attacks. So is having a clear process for flagging suspicious activity as soon as possible, to prevent others from falling victim.
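An added example, not from the original post, of the sender-address checks described above applied to an FACC-style whaling scenario: it flags a message whose display name matches a known executive but whose sender domain is external, or is a digit-for-letter lookalike of the organisation's own domain. The organisation domain, executive names and sample headers are all constructed for the example.

```python
from email.utils import parseaddr

# Hypothetical organisation data, constructed for this example.
OUR_DOMAIN = "example-aero.com"
EXECUTIVE_NAMES = {"jane doe", "john smith"}

# Digits commonly substituted for letters in lookalike domains. Used only to
# normalise a sender domain before comparing it with our own.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def is_lookalike(domain):
    """True if `domain` is not ours but normalises to it (e.g. examp1e-aero.com)."""
    if domain == OUR_DOMAIN:
        return False
    canon = domain.translate(CONFUSABLES).replace("rn", "m")
    return canon == OUR_DOMAIN or canon.replace("-", "") == OUR_DOMAIN.replace("-", "")

def assess(headers):
    """Return the reasons a message looks like executive impersonation
    (an empty list means no finding). `headers` maps header name to value."""
    name, addr = parseaddr(headers.get("From", ""))
    if "@" not in addr:
        return ["unparseable From header"]
    domain = addr.rsplit("@", 1)[1].lower()
    reasons = []
    if is_lookalike(domain):
        reasons.append(f"sender domain {domain} is a lookalike of {OUR_DOMAIN}")
    if name.strip().lower() in EXECUTIVE_NAMES and domain != OUR_DOMAIN:
        reasons.append(f"display name '{name}' matches an executive but sender domain is {domain}")
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if "@" in reply_to and reply_to.rsplit("@", 1)[1].lower() != domain:
        reasons.append("Reply-To domain differs from From domain")
    return reasons

# Constructed sample headers: one genuine internal mail, one "CEO" writing
# from a webmail account, one from a digit-for-letter lookalike domain.
SAMPLE_MESSAGES = {
    "internal": {"From": "Jane Doe <jane.doe@example-aero.com>"},
    "webmail_ceo": {"From": "Jane Doe <jane.doe.ceo@gmail.com>",
                    "Reply-To": "payments@gmail.com"},
    "lookalike": {"From": "Jane Doe <jane.doe@examp1e-aero.com>"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_MESSAGES.items():
        print(label, assess(hdrs) or "no findings")
```

A finding here is a prompt for the recipient to verify the request out of band, which is exactly the "flag it early" process the paragraph calls for; it is not proof of fraud on its own.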
Protecting businesses from cyber-attacks
So how can organisations protect themselves from attacks? We'll explore this answer in greater depth in our next cybercrime series blog. But at a basic level, regularly updating software and operating systems, and backing up data using cloud technology, are some of the most impactful solutions. So is regularly communicating with employees about how to protect the organisation more effectively, such as not clicking on suspicious links or downloading from untrusted websites.
Keeping one step ahead of cyber criminals, as attacks become increasingly sophisticated and damaging, is a significant challenge for businesses and employees. Hiring quality cyber professionals or consultants is a crucial element in keeping businesses adequately protected, as they are able to identify specific vulnerabilities and provide the best course of action to ensure systems are up to date and effective.
With the value of cybercrime on a par with the largest economies globally, and the power to bring organisations to their knees, the lure for criminals is too great. Businesses need to be much more proactive in ensuring they have adequate protection to meet ever-changing cyber threats, so that criminals can't exploit their weaknesses.