The Most Common Cyber Attacks
In the last three years, reports of UK data breaches reported to the Information Commissioner’s Office have increased by 75%, according to research by risk solutions expertd at Kroll, but just 12% were the result of malicious attacks.
Cyber attacks are certainly on the rise and over 32% of businesses identified attacks within the last twelve months and 22% of charities report having cyber security breaches or attacks in the last 12 months.
Protecting Your Organisation
Cyber-attacks can cause significant disruption and damage to even the most resilient organisation. For those that fall victim, the reputational and financial repercussions can be devastating.
Employees are your weakest link: In fact, human error is to blame for 88% of data breaches in the UK according to research by Kroll. Companies living in fear of a data breach need to look closer to home after new research shows that 88% of UK data loss incidents are caused by human error, not cyber-attacks. The research showed that while data breaches are generally associated with the actions of malicious criminals, this is very rarely the case.
The most common error was to send sensitive data to the wrong recipient: This was the cause of 37% of reported data breaches, with the majority being sent my email. Other common errors included the loss or theft of paperwork, forgetting to redact data or storing data in an insecure location, such as a public cloud server.
The Cyber Essentials Scheme
From 1 April 2020, the five current Cyber Essentials accreditation bodies will be replaced with one Cyber Essentials partner, the IASME Consortium, in order to standardise the certification process. IASME will take over running the Cyber Essentials scheme on behalf of the NCSC (National Cyber Security Centre) and will be responsible for the delivery of the scheme, as well as revising and improving it.
The NCSC is encouraging organisations to continue with their plans to certify or re-certify with their existing certification bodies until 31 March 2020. Organisations that renew within this time frame will have until 30 June 2020 to complete their certification.
Phishing
There are many types of phishing, including:
- Vishing: Voice phishing or ‘vishing’ is a type of phishing conducted by phone. Most vishing attempts try to get the victim to reveal information like PINs, payment card details and passwords. Criminals then use those details to access online accounts to steal information or money.
- Smishing: SMS phishing or ‘smishing’ is becoming a more popular form of phishing, partly because we increasingly rely on smartphones in both our work and personal lives.
- Spear phishing: Spear phishing is a targeted form of phishing attack, usually conducted to seek financial gain or obtain insider information, where cyber criminals adapt their methods to reach a specific victim. Spear phishing attacks are rarely random, instead, they are most often conducted by perpetrators seeking financial gain or insider information.
DDoS Attacks
What is a DDoS Attack?: A DDoS (distributed denial-of-service) attack attempts to disrupt normal web traffic and take a site offline by overwhelming a system, server or network with more access requests than it can handle. DDoS attacks typically serve one of two purposes:
- An act of revenge against an organisation.
- A distraction that allows cyber criminals to break into the organisation while it focuses on restoring its website.
How to Prevent DDoS Attacks: The reputational and financial damage as the result of the service unavailability inflicted by a successful DDoS attack can be severe. Therefore, preventing or at least quickly countering DDoS attacks can be critical for your organisation’s survival.
Regularly testing your IT infrastructure is paramount to keeping your systems secure, and is something any organisation should consider as part of its cyber security strategy.
Computer Viruses
A computer virus is a type of malicious code or program written to alter the way a computer operates. Much like a flu virus, it is designed to spread from one computer to another (but without the user’s knowledge) by:
- Opening an infected email attachment;
- Clicking an infected executable file;
- Visiting an infected website;
- Viewing an infected website advertisement; or
- Plugging in infected removable storage devices (e.g. USBs).
GDPR
GDPR has played a large part in these changes. Three in ten businesses (30%) and over a third of charities (36%) say they have made changes to their cyber security policies or processes as a result of GDPR. Recent findings suggest that GDPR has encouraged and compelled some organisations to engage formally with cyber security for the first time, and others to strengthen their existing policies and processes.
However, the qualitative findings also highlight that GDPR has had some unintended consequences. It has led some organisations to frame cyber security largely in terms of avoiding personal data breaches. These organisations were less focused on other kinds of breaches or attacks, and typically had a narrower set of technical controls in place.
GDPR appears to have had a positive impact on cyber security to date, but to make progress organisations may need to think more holistically about the issue.
There is still more that organisations can do to protect themselves from cyber risks. This includes taking important actions that are still relatively uncommon, around board-level involvement in cyber security, monitoring suppliers and planning incident response.
ITGovernance: Decison Marketing: ITGovernance: Gov.UK:
You Might Also Read:
A Guide To Preventing Charity Cybercrime: