Top 5 cyber security risks for businesses

In an increasingly digital world, there is an escalating number of cyber security risks that businesses must address. Criminal hackers are adept at uncovering vulnerabilities, while organizations do themselves no favors by failing to adequately protect their systems.


IT Governance identified more than 1,200 publicly disclosed data breaches in 2021, while another report found that security incidents cost almost £3m on average.

These numbers are on the rise, demonstrating the growing importance of effective cyber security. The key to preventing attacks is to understand how they happen. In this blog, we look at the top five cyber security risks facing businesses and explain how you can avoid them.

1. Poor patch management

Patch management is an essential part of cyber security. A patch is an update to an application or piece of software that fixes vulnerabilities and bugs. When a new patch is released, organizations must apply it promptly, because the vulnerability it fixes is usually made public at the same time, giving cybercriminals the opportunity to exploit the weakness in any system that has not yet been updated.

To ensure that patches are applied promptly, organizations typically establish a patch management program. This process ensures that the person responsible for managing the application or software is notified when a patch is released. When creating a patch management program, organizations should follow the best practices outlined in Cyber Essentials or ISO 27001.

Cyber Essentials is a UK government scheme that outlines five key controls, including patch management, which can prevent up to 80% of cyber attacks. Meanwhile, ISO 27001 is an international standard that describes best practices for information security management. Annex A.12.6.1 of the standard covers the management of technical vulnerabilities.

2. Phishing

Phishing is the most cost-effective and technically simple way to compromise sensitive data. It is a type of scam and starts with a malicious email that looks like a real message from a trusted organization.

The emails lure people in – often claiming that the recipient has won a prize or that there is a problem with their account that needs to be resolved. The message then prompts them to follow a link and provide their personal information. Although email systems are becoming more adept at detecting malicious emails, cybercriminals' tactics are still evolving. Therefore, phishing emails regularly find their way into people's inboxes.

When this happens, organizations must rely on people's ability to recognize the signs of a phishing email. Organizations can also protect employee accounts by implementing MFA (multi-factor authentication). This is a security mechanism that requires people to enter additional information in addition to their passwords in order to log in.

This will usually be a one-time code sent to their phone, but more advanced authentication systems require people to provide biometrics such as a fingerprint or retina scan. MFA can also be used to protect organizations from another risk on our list.

3. Weak passwords

Despite all the improvements organizations have made to secure their systems, password practices remain a major concern. Most accounts are protected only by a username and password, and if a malicious actor can obtain those details, they can wreak havoc. Passwords are usually compromised in one of two ways. The first is phishing scams (which we explained above), and the second is brute-force attacks, where cybercriminals guess people's passwords through trial and error.

Brute-force attacks sometimes succeed because people use a password that is related to their personal life, such as the football team they support or their child's name. Attackers can guess these details if they know the victim personally or if they are able to find the information online (for example, by searching for it on a social media site).

Even when this information is not readily available, cybercriminals know that these types of personal details are among the most common passwords, so they can simply keep guessing popular names, football teams and similar terms. Thanks to automated password-cracking tools, fraudsters can try thousands of passwords every second. This means that any credentials that are not obscure or complex can be cracked in minutes.

Cyber security experts traditionally advise people to create passwords that combine letters, numbers and special characters. However, this usually results in predictable passwords (a familiar word with a short string of digits and symbols at the end), which reduces the effectiveness of this advice. More recent guidelines suggest that passwords can be strengthened simply by making them longer. The more letters in a password, the more potential combinations there are. A series of three unrelated words of at least six letters is safer than a single word followed by numbers and special characters.
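The search-space comparison behind that advice, worked through as an added example (this code is not part of the original post): it estimates how many guesses an attacker needs for the "word plus short suffix" pattern versus three unrelated dictionary words, and flags passwords that follow the predictable pattern. The dictionary size and guess rate are constructed, illustrative assumptions, not measured figures.

```python
import math
import re
import string

# Constructed assumptions (not from the post): size of the word list an
# attacker might try, and the "thousands of guesses per second" rate.
DICTIONARY_WORDS = 50_000
GUESSES_PER_SECOND = 10_000


def keyspace_random(length: int, alphabet_size: int) -> int:
    """Number of candidates for a truly random string of `length` symbols."""
    return alphabet_size ** length


def keyspace_word_with_tail(tail_len: int) -> int:
    """Candidates for the pattern the post warns about: one dictionary word
    followed by `tail_len` digits/symbols (e.g. 'Arsenal1!')."""
    tail_alphabet = len(string.digits + string.punctuation)  # 10 + 32 = 42
    return DICTIONARY_WORDS * keyspace_random(tail_len, tail_alphabet)


def keyspace_three_words(dictionary_size: int = DICTIONARY_WORDS) -> int:
    """Candidates for three unrelated words drawn from the same dictionary."""
    return dictionary_size ** 3


def entropy_bits(keyspace: int) -> float:
    """Equivalent strength in bits: log2 of the number of candidates."""
    return math.log2(keyspace)


def worst_case_seconds(keyspace: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole search space at `rate` guesses per second."""
    return keyspace / rate


# Letters followed by 1-3 digits/symbols: the predictable "complex" password.
WORD_TAIL_RE = re.compile(r"^[A-Za-z]{4,}[0-9!@#$%^&*]{1,3}$")


def looks_like_word_plus_tail(password: str) -> bool:
    """True when a password follows the word-then-suffix pattern."""
    return WORD_TAIL_RE.fullmatch(password) is not None


if __name__ == "__main__":
    for label, space in (("word + 2-char tail", keyspace_word_with_tail(2)),
                         ("three words", keyspace_three_words())):
        print(f"{label}: {entropy_bits(space):.1f} bits, "
              f"{worst_case_seconds(space) / 86400:.1f} days worst case")
```

With these assumptions the word-plus-tail pattern is exhausted in a few hours, while three dictionary words take centuries at the same guess rate.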

4. Ransomware

Ransomware is the fastest-growing threat facing organizations. It is a type of malware that encrypts files and prevents victims from accessing their systems. The attackers then send a ransom demand for money – usually in bitcoin – in exchange for restoring access to the information. These attacks are very popular among cybercriminal gangs because the malware is cheap to purchase and can easily be placed on organizations' systems through phishing emails and the exploitation of system vulnerabilities.

Another advantage for cybercriminals is how willing most victims are to comply with the ransom demand. You can see the victims' reasoning: they need access to their files to work, and if they can't access those files, paying seems the easiest way to get back to work. However, experts urge organizations not to pay. As they explain, there is no guarantee that the attackers will keep their word and return the data once paid.

Plus, paying only solves one part of the problem. The organization still faces several days – if not weeks – of disruption as it recovers its systems and is still subject to its data breach notification requirements. To mitigate the risk of ransomware, organizations must address both preventative and reactive measures. By implementing controls to protect against phishing and system vulnerabilities (using the advice we've discussed in this blog), organizations can mitigate the risk of ransomware infection.

However, no defense is foolproof. Organizations should therefore regularly back up their sensitive information and store it on an external server. This ensures that in the event of a ransomware attack, an organization can recover its information without having to deal with criminal hackers.

5. Malware

Although ransomware is the most talked about form of malware, there are plenty of other types that organizations need to be aware of. Malware comes in many forms and does a variety of nefarious things. Some forms are relatively benign. For example, adware displays pop-up ads on the victim's computer while bots drain the infected device's resources to perform automated tasks.

In contrast, spyware monitors a user's Internet activity and collects information entered by the user, such as usernames and passwords. The person responsible for placing the malware can then sell this information on the dark web, resulting in compromised user accounts.

Similarly, viruses copy themselves and spread between devices undetected. They attach themselves to programs, files and scripts with the intention of stealing information, which a criminal hacker can again sell on the dark web. Organizations must implement anti-malware software and run regular scans to prevent malware from infecting their systems. Malware often gets onto people's devices through poisoned attachments, so employees should undergo staff awareness training to help them understand the risk of downloading files from untrusted sources.

The fight against computer crime

The risks we have listed in this blog are only a starting point. Cybercriminals have plenty of other tricks up their sleeves to outsmart organizations, and their techniques are constantly evolving.

If you want to fully protect yourself from cyber security risks, you need professional support. The new IT Governance service, Cyber Safeguard, can help with this. Through a combination of consultative support, vulnerability scanning and employee awareness training, our experts ensure your organization stays one step ahead of criminal hackers.

The service also comes with cyber insurance of up to £500,000. The policy provides organizations with essential support not covered by standard business insurance, including assistance with public relations, forensics, and legal advice.