Published on: 03 Nov 2022
While the NCSC is unaware of any current threats to UK organisations in relation to events in and around Ukraine [1], business owners barely need a reminder that cyber security matters when high-profile attacks on critical infrastructure have rippled across the globe this year, leaving communities, corporations and countries without access to resources like gas, power and more. It is now more important than ever that steps are taken to improve cyber resilience in the event of an attack.
Cyber security company Proofpoint released its annual “State of the Phish” report in February 2022 [2], revealing the impact of phishing attacks in 2021. According to its findings, 91% of UK companies surveyed experienced at least one successful email-based phishing attack last year, with 84% reporting email-based ransomware attacks. Almost 60% of those infected with ransomware paid a ransom.
Ransomware is the biggest cyber threat facing UK organisations, both large and small, and phishing is a common vector for cyber criminals to infect networks.
We know that phishing emails are getting harder to spot, but there is guidance available on what to look out for, and how to improve your organisation’s resilience. Raising staff awareness of the threat is also vital. We’d encourage all organisations to familiarise themselves with the NCSC advice on mitigating malware and ransomware attacks.
In a recent survey by the SANS Institute, around 40% of ethical hackers said they can break into most environments they test, if not all. Nearly 60% said they need five hours or less to break into a corporate environment once they identify a weakness.
The SANS ethical hacking survey, in partnership with security firm Bishop Fox, was the first of its kind and collected responses from over 300 ethical hackers working inside organisations across different areas and experience levels of information security. The survey also revealed that, on average, hackers would need five hours for each step of an attack chain (reconnaissance, exploitation, privilege escalation and data exfiltration), with an end-to-end attack taking less than 24 hours [3].
This year has been largely dominated by the Russia-Ukraine war, with major concerns about its impact on the global cyber threat level. However, it’s not only war-related cyber activity that has seen a sharp rise over the last few months: global attacks increased by 28% in the third quarter of 2022 compared to the same period in 2021. The average weekly number of attacks per organisation worldwide reached over 1,130 [4], so there’s never been a more important time for SMEs to have the right cybersecurity strategy in place.
So what can UK SMEs do to protect themselves?
For many small to medium-sized businesses, it’s just not feasible to spend a significant proportion of their profit on a cyber protection strategy that could withstand attempted breaches from hacker collectives or a rogue nation state.
However, you can:
- Educate your employees about cybersecurity, creating an environment where they take responsibility for safeguarding the company data and the integrity of the system. This includes only using secure systems for communicating with colleagues wherever possible, not sharing information via personal email, and the obvious avoidance of clicking on links you’re not 100% certain about.
- Minimise the threats posed by malicious employees by restricting access to sensitive data, banning the use of removable memory hardware and limiting bring your own device (BYOD) use.
- Keep your security software and operating systems up to date.
What about cyber insurance?
According to the UK Government’s 2022 Cyber Security Breaches Survey, only around 43% of UK businesses currently have a cyber risk management strategy in place, which includes having cyber insurance (either a specific or non-specific policy). This is despite 31% of the businesses surveyed stating they suffered an attack at least once a week, and the average cost of a system breach being £4,200 [5].
Here’s a sample of the reasons businesses give for not believing they need cyber insurance:
- We’ve never been hacked before
- We’re compliant with GDPR, PCI DSS and other regulations, so we’re secure
- We’ve invested in IT Security, so we don’t need Cyber Insurance
- We outsource IT, so we won’t be exposed to an attack
- We don’t collect or store any sensitive data, so Cyber Insurance isn’t necessary
- We’re too small to have a Cyber attack
- We’re already covered under other insurance policies
However, for many businesses, the reality is that they were targeted, their systems weren’t robust enough to prevent a breach, and there was no insurance cover in place to help meet the costs.
Cyber insurance is a valuable tool to consider in your cyber strategy; many policies can be tailored to provide cover for the areas that most businesses are concerned about: social engineering, phishing and ransomware. Some policies can also provide access to specialist support in the event of a system breach, help identify why and how the breach occurred, and offer advice on preventing further breaches.
For more information, get in touch with the OAMPS team today.
[1] NCSC (2022), NCSC advises organisations to act following Russia’s attack on Ukraine, https://www.ncsc.gov.uk/news/organisations-urged-to-bolster-defences
[2] Proofpoint (2022), State of the Phish Threat Report, https://www.proofpoint.com/us/resources/threat-reports/state-of-phish
[3] SANS in partnership with Bishop Fox (2022), Inside the mind of modern adversaries, https://bishopfox.com/sans-hacker-survey
[4] Check Point Research (2022), Third quarter of 2022 reveals increase in cyberattacks and unexpected developments in global trends, https://blog.checkpoint.com/2022/10/26/third-quarter-of-2022-reveals-increase-in-cyberattacks
[5] Gov.uk (2022), Official Statistics: Cyber Security Breaches Survey 2022, https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2022/cyber-security-breaches-survey-2022
This article is not intended to give legal advice and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links, which were live at the date of publication. You should not act upon (or refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Pen Underwriting Limited and OAMPS, part of Pen Underwriting Limited, accept no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.