A small business guide to cyber attacks

A cyber-attack has the potential to cause significant financial and reputational damage, undoing years of hard work building up a loyal customer base. And it’s not just huge corporations that suffer - small businesses and sole traders bore the brunt of £17bn in total UK losses from cybercrime in 2018.Here’s all you need to know about cyber-attacks, along with how to prevent cybercrime and what to consider when choosing cyber liability insurance.

We’ve broken it down into the following sections so you can quickly find the information you need:

What is a cyber attack?

A cyber-attack is a malicious and deliberate attempt by cyber criminals to breach a computer system, network or application. The attacker can steal, destroy or hold data to ransom, or use a breached computer as a launch point for other attacks. It’s important to know how to recognise different types of cyber-attacks on businesses, how to prevent cybersecurity attacks, and what to do if you fall victim to cybercrime. 

Types of cyber-attacks

The nature of cybercrime is constantly evolving as hackers look for new ways to attack, either to take advantage of network vulnerabilities or exploit human nature. Cyber-attack examples can range from assaults on individual computers, networks or cloud systems, to inducing people to give theirs or their company’s details via a fake website.

Here are our top 10 cyber threats for 2022:

Phishing and spear-phishing attacks

Phishing accounts for the vast majority of cyber-attacks, and aims to trick people into giving their personal data or downloading malware onto their computer. Hackers send an email or text message containing a link that appears to be from a trusted source, but instead directs you to a fake website. Spear-phishing is a more targeted form of phishing, with attackers taking the time to research their potential victim and sending what appear to be personal and relevant messages.

Read more: What is a phishing attack?

Denial-of-service attacks

A denial-of-service attack aims to crash an online operation by overwhelming a system’s resources so it can’t respond to service requests, bringing your business grinding to a halt. A distributed-denial-of-service (DDoS) attack is launched from a large number of other host machines that are infected by malicious software controlled by the attacker.

Read more: What is a DDoS attack?

SQL injection

SQL injection has become a common form of attack on database-driven websites. It occurs when hackers input SQL queries into a website data field, for example, instead of a password or username.

A successful SQL injection can extract sensitive data from the database, issue instructions to delete or amend the database, or even issue commands to the operating system.

Read more: What is an SQL injection attack?

Malware

Malware is short for ‘malicious software’ installed into your system without your consent, including viruses, worms, Trojans, spyware and ransomware, which locks your files until you pay a fee for a release code.

Man-in-the-middle (MitM) attack

An MitM cyber-attack happens when a cyber-criminal inserts itself between a trusted client and a server, intercepting conversations, transactions and data transfer. It can come in the form of session hijacking, IP spoofing, and replay attacks.

Read more: What is a Man-in-the-middle (MitM) attack 

Password attack

Cracking passwords is one of the most common methods criminals use to access information systems. They use a variety of methods, from phishing, gaining access to a password database, or guessing based on a user’s personal information or by using a dictionary of common passwords.

Eavesdropping attacks

Eavesdropping is when a criminal intercepts network traffic to obtain passwords, credit card numbers and other confidential data.

Drive-by download attack

Drive-by downloads are when you unintentionally download malicious code onto your computer merely by accessing or visiting a website - you don’t even need to click on anything to unwittingly download the code.

This type of attack can be used to steal personal information, inject Trojans, or install malware.

Cloud-jacking

Cloud-jacking, or cloud account hijacking, is where a business’s cloud computing account is stolen, hijacked or taken over by an attacker. It is a rising threat because of businesses’ increasing reliance on cloud computing, and most of the successful breaches are caused by the misconfiguration of settings by the user.

Social media attacks

Cybercriminals can use social media to launch attacks on businesses by mimicking legitimate organisations and directing people to malicious websites under false pretences, either by using shortened URLs or inducing people to enlist for bogus webinars or seminars. 

Cybercrime statistics UK

It’s easy to think that online attacks only happen to big businesses or government departments, but the crimes that make the news barely scratch the surface of the wider problem.

The truth is that small businesses combined, because of the sheer number of them, suffer the heaviest burden of losses. 

How likely is a cyber-attack on your business?

According to specialist internet service provider Beaming, UK businesses were subject to an attempted attack, on average, every 46 seconds in 2020.Research from SonicWall Capture Labs showed a 20 per cent increase in ransomware attacks worldwide in the first half of 2020, with 5.9million individual attacks in the UK, while a further study from Check Point showed an 80 per cent rise in the third quarter of the year.

Meanwhile, the results of a UK government survey published in March 2020 revealed that nearly half (46 per cent) of all businesses reported cyber security breaches or attacks.

A third of those reported a cyber breach at least once a week, up from nearly a quarter in 2017. 

How much do cyber-attacks cost UK businesses?

The good news is that many attempted attacks or breaches do not result in any loss of assets of data.

Overall, however, cybercrime costs small business and sole traders an estimated £13bn of the UK’s total of £17bn.Where there is a material loss from an attack, the average cost to small businesses of all cyber security breaches was estimated at £3,230 in 2019. 

Most common cyber-attacks

Among businesses identifying security breaches in the government's survey, there was a steep rise in those experiencing phishing attacks (up from 72 per cent to 86 per cent), and a fall in viruses or other malware (down from 33 per cent to 16 per cent).

Of the attacks investigated by police, data showed that phishing via email or social media accounted for 53 per cent of attacks in the year to September 2020.

Scams caused by the hacking of computer servers was the second most common type of cybercrime against businesses. 

Examples of recent cyber-attacks

It’s all very well reading up on the theory of cybercrime, but what does it look like in the real world? Here are four recent examples of cyber-attacks in action.

South and City College Birmingham ransomware attack

In March 2021, South and City College Birmingham’s server was hacked in an apparent ransomware attack.

All its systems and files were encrypted, meaning staff could not access email, finance and human resources functions, with 13,000 students told via social media not to come to college for a week.

Read more about ransomware: What is ransomware?

World Health Organisation (WHO) phishing attack

In March and April 2020, top officials at the WHO were targeted by hackers as they tried to deal with the coronavirus pandemic.

Employee’s email passwords were leaked online, while WHO staff were targeted by phishing attempts to lure them into clicking a malicious link in an email.

There was also a sustained attempt to computers operated by a team of four WHO employees in South Korea.

Capital One cloud breach

Between March and July 2019, financial institution Capital One suffered a breach of its cloud-based data storage system.

Criminals stole personal information of people who had applied for credit cards, affecting more than 100million people in the USA and Canada. Capital One was fined $80m by regulators.

Citrix password breach

In March 2019, networking software giant Citrix was alerted by the FBI that hackers had infiltrated its internal network for five months, accessing personal and financial data on employees, contractors and job candidates.

Investigators believe cyber-criminals broke in using “password spraying” to access employee emails, files and business documents. 

How to prevent cyber-attacks on businesses

It’s simply not possible to prevent all of the varying types of cyber-attack, but there are some fairly simple steps you can take to make it as hard as possible for criminals to impact your business. A cyber security audit would identify any problems help you to resolve them. 

Cyber-security staff training

Train all staff who use computers on basic cyber-security principles, such as double-checking links in emails before clicking, locking computers when away from the desk, using secure passwords and regularly changing them.

Data encryption

Data encryption is a security method that encodes the information held on your network, making it unreadable without the correct encryption key.

Bring your own device (BYOD) security

Many companies now allow employees to use their own devices to access work systems, which presents a different set of risks to using company-owned devices. Ensure you have a rigorous BYOD policy and ensure the devices have adequate security in place.

Anti-virus and anti-spyware

Ensure anti-virus and anti-spyware software is installed and regularly updated, and use firewalls for your internet connection.

Patch management

Establish a system to patch any vulnerabilities in any software you use to prevent attacks which exploit software bugs.

User access control

Ensure each employee has their own unique user account and password to access your computers and network, and limit authority to download software and access sensitive data to those who need it.

Secure configuration

Restrict the functionality of each device, operating system and application to the minimum needed for the business to function.

Strengthen your Wi-Fi security

Make sure your Wi-Fi uses a strong password, and use a virtual private network (VPN) when using public Wi-Fi, which will encrypt all traffic leaving your device until it arrives at its destination.

Reduce the volume data you store

Don’t collect information you don’t need, reduce the number of places data is stored, and purge data once it is no longer needed.

Have a breach preparedness plan

Establish a breach preparedness plan so that you can take immediate action when a breach occurs to minimise its impact. Ensure the whole management team knows what action to take.

Read more: Guide to cyber security incident response planning

Keep up with legal changes

It’s important to keep up to date with legal changes around cyber-security. Although companies are not penalised for falling victim to cybercrime, you could be fined for failing to implement measures to safeguard systems and data from attackers.

Principal laws governing data include the General Data Protection Regulation (GDPR), the Network and Information Security Regulations 2018, the Computer Misuse Act 1990, Communications Act 2003.

Does your business need cyber insurance?

Cyber insurance can’t prevent you falling victim to hackers, but if your business suffers a material loss from an attack it can help with the costs of:

• The interruption to your business

• Data restoration

• Breach investigation

• Damages for losing third-party data, infringement and virus transmission

• Crisis management and PR to repair your reputation

For more information about cyber insurance, take a look at our article: What is cyber insurance?