On the 22nd October 2018, I attended a cybersecurity conference. One of the speakers was Detective Chief Superintendent Aaron Duggan, Head of Crime at Cheshire Police. During his presentation he quoted the frightening fact that out of all reported crime, 42% has a cyber element to it.
That 42% of crime represents the whole spectrum of cybercrime from racist abuse on Twitter and cyber-bullying, right through to the type of hack against British Airways that saw the culprits (the threat actors, in cybersecurity parlance) make off with the personal data and credit card details of 380,000 British Airways customers.
That’s a very wide range of threats and crimes. How do you know which attacks are likely to be used against a business like yours? To answer that, you need to have some understanding of the threat landscape and the different types of threat actors.
What the BA attackers pulled off was a specific, targeted attack against the British Airways ticketing website. They hacked the website, gained access to the back-end workings and studied them. They analysed how it functioned and where they could insert custom-written software to allow them to siphon off a copy of the data as it passed through the BA systems. Effectively, they put a wire-tap in the website’s backend. This allowed them to collect a copy of the user data whilst the website still behaved as normal. Ticket purchases still worked, so there was no sign of a breach nor of any suspicious activity.
That type of sophisticated, tailored attack requires a significant level of IT knowledge and skill. It also requires coding expertise and web developer experience, as well as a criminal act of will.
Are the threat actors who have that powerful skillset going to deploy it against you? Are they going to target you when they could be targeting BA, Equifax and other big-payoff targets? No, almost certainly not. But does that mean you have nothing to worry about, and that you are threat-free? No, most definitely not.
Most of the threats and attacks that the average SME faces can be perpetrated by anyone with an inclination to do so, regardless of their level of IT knowledge. If you can follow instructions, you can launch an attack. If you can’t be bothered to follow the instructions, you can pay someone else to conduct the attack for you. As unbelievable as it might seem, there is a service industry springing up to assist the would-be cybercriminal. The highly-skilled hacking groups might not target a business like yours, but there are many other threats that you must combat.
Right now, at the close of 2018, the most common attack vector is email. That is, most of the attempted attacks will arrive at your business as an email. They fall into three main types of threat:
Read our sister post to learn about these three email-delivered threats.
Other common threats include DoS, DDoS, drive-by downloads, cross-site scripting, SQL injection attacks and password attacks.
For more information on how to protect your systems and safeguard your data, and for further updates on cybersecurity please visit our website again soon. We’ll update this blog frequently.
Does GDPR play a part in any of this? Well, there are confidentiality breaches (unauthorised or accidental disclosure of personal data), availability breaches (loss of access to, or destruction of, personal data) and integrity breaches (unauthorised or accidental alteration of personal data). A successful ransomware attack will count as an availability breach. This means the Information Commissioner’s Office (ICO) will need to be notified, and we would suggest notifying the National Cyber Security Centre (NCSC) as well.
If you’d like to discuss any aspect of your IT security and preventative measures, please contact us and we’d be delighted to assist. We can test your security, improve your security and provide staff awareness training.