Security breaches and cybercrime incidents hit the headlines in 2016, as high-profile news of data breaches, malware, DDoS attacks and compromised systems became mainstream news.
The news reports inevitably focused on cyber-attacks on major corporations, such as the data thefts from TalkTalk, Three and Tesco Bank, as well as the extraordinary autumn story of the attack on Dyn, which made use of IoT-enabled household devices, such as fridges and toasters, to form a botnet that successfully brought down an enormous number of websites, both large and small.
Whilst the past year was eventful, to say the least, in terms of cybersecurity threats, it’s likely that cyber-related incidents will continue to grow in 2017, both in the sheer number of attacks and the level of sophistication used in those attacks.
It’s therefore vital that business owners take steps to educate themselves, and their workforce, on the type of threats they could potentially experience. In this article, we examine some of the key trends for 2017 in the cybersecurity / small business world.
Most SME owners naively believe that ransomware is something that could only happen to a huge corporate. After all, surely the cybercriminals would want to target companies that could afford to pay out a ransom of £1million or more?
Whilst it’s true that many of the more widely-publicised cases have involved larger businesses, ransomware is a threat that can affect a business of any size. It may well be highly lucrative to target a FTSE-100 company, but it’s actually much easier for a cybercriminal gang to attack a huge number of small companies than it is to successfully gain access to a corporate system.
By attacking hundreds or even thousands of small businesses, and demanding smaller ransoms, the financial rewards for the hackers are just as great as if they had pulled off one major hack.
Phishing attacks have been around for some time now, and most people are familiar with the concept. The victim receives an email, often purporting to come from the victim’s bank, asking them to click on a link and enter their bank details.
Historically, victims have tended to be older or more vulnerable people, who may not have much experience online, and who are therefore much more trusting. Phishing emails have often been easy to spot, with spelling errors and poor attention to detail in the email content.
All of that is likely to change, however, as criminals become ever more sophisticated in their approach. One recent Phishing news story reported that UK students were being targeted. The Phishers sent out very convincing emails claiming to be from The Student Loans Company, which stated that bank login details were required in order to release the final instalment of the student’s loan for that year.
It’s likely that Phishing specialists will continue to find smart ways to fool even the most experienced web users, and Phishing scams that expressly target SMEs with lower security protocols than their larger brothers and sisters are defiantly one avenue that these criminals will continue to explore in 2017.
3. Internet of Things
October 2016 saw an unprecedented DDoS attack on Dyn, the DNS provider. The attack took down many websites and platforms across Europe and the US, for a sustained period.
It is thought that the attack was made possible because hackers were able to create an extraordinary ‘botnet’ of Internet of Things (IoT) connected devices to generate the unparalleled attack. Household items such as printers, fridges, and baby monitors were all targeted to become part of this vast botnet, because of their weak to nonexistent internal security.
Whilst providers of IoT-enabled devices will undoubtedly put much more effort into securing those devices, it’s likely that the use of IoT devices will become much more widespread in cyber attacks.
Business owners should be diligent on this, as IoT technology is not just restricted to domestic appliances. Office equipment such as printers, scanners, and barcode readers are all likely to become IoT-enabled over time.
4. Mobile cyber-attacks
Whilst cyber-attacks have, to date, tended to be directed to computer servers or to individuals through phishing emails, it’s likely that smartphones will receive increased interest from cybercriminals in 2017.
Most of us are conscientious about anti-virus software on our PCs but take a much more relaxed attitude when it comes to smartphone security. We also use our phones when we’re out and about, making use of insecure WiFi and not giving emails and texts our full attention.
All of these things make smartphones an easy target for criminals. Whether it is contactless payment fraud, identity theft or smartphone viruses, 2017 is likely to see a huge rise in smartphone cybercrime.
5. Cloud-based cyber threats
Businesses of all sizes have been moving closer to ‘the cloud’ for some time. Storing data in the cloud, and accessing SaaS business applications are both becoming the norm for many organisations.
The cloud clearly brings with it many advantages – from costs and expansion potential to the knowledge that the bulk of the responsibility for security in the cloud lies with the cloud-based provider.
Whilst it is true that switching to cloud-based technologies can bring better security, it can also increase a firm’s vulnerability to attack. Businesses using cloud technologies within their organisation should educate themselves on the risks and should have a clear operational risk strategy in place.
6. Vulnerability exploits
The growth of open-source software has been a real enabler for many SMEs in recent years. Platforms such as Magento, the world’s most popular e-commerce application, have allowed companies to take their businesses online and to reach new markets, competing with organisations many times their size.
The open source nature of these platforms has undoubtedly been central to their success and their widespread take up, but it is also the thing that makes them so exposed to vulnerability exploits.
For Magento, 2016 has been the year of the security patch, with one vulnerability after another being identified and subsequently patched.
2017 will perhaps be the year when SME owners finally accept that it isn’t acceptable to bury their heads in the sand when it comes to online security and that they need to have procedures in place to handle cyber threats if, or perhaps when, they arrive. From operating systems to server software, e-commerce platforms to CRM databases, 2017 will see an awful lot of security updates and patching.
7. Advanced persistent threats
Compared with phishing, malware and identity theft, the general public is, at the moment, far less aware of the concept of Advanced Persistent Threats, or APTs. The purpose of APTs is not to bring down a website or to dramatically and publicly compromise a business. Instead, the strategy with APTs is to infiltrate a web server unnoticed, and to remain in place for a prolonged period of time, stealing data without trace.
One example of this is the increased use of steganography techniques for criminal purposes. Steganography involves concealing data inside other text or images, and is being increasingly used to compromise e-commerce transactions.
Using this technique, hackers can record credit card details during online transactions, and store them inside legitimate images which are stored on the compromised web server. The image remains exactly the same to the ordinary eye, and no trace of the concealed data can be seen. The hacker leaves this data in place on the compromised server for some time, then returns at a later date to ‘harvest’ the data, either to sell on or to use in fraudulent purchases.
It’s clear to see that we have, to date, seen only the tip of the iceberg, in terms of cybercrime. Cybersecurity has never been more important, as is shown by the changing data on this graphic, and 2017 looks set to be the year when companies of all sizes begin to take the security of their business systems much more seriously.
From basic anti-virus protection, password policies and staff education through to comprehensive operational risk assessments and cyber insurance, it has finally become imperative that every business sits up and takes notice of the very real threats posed to all companies, regardless of their size or the nature of their business.
About the author
This article has been written exclusively for ByteStart by Cheeky Munkey, the Hertfordshire-based IT support company. If there is anything cybersecurity-related your business needs help with, do visit the Cheeky Munkey website for expert advice and consultancy.
ByteStart is packed with lots of help and great advice on all aspects of running your own business. Try some of our most popular guides and articles for starters;