The Webroot 2021 threat report highlights that in 2020, ransomware, phishing and business email compromise (BEC) attacks were still the biggest threats to businesses.
As more companies moved online due to the pandemic, the frequency and innovation of these attacks have only increased.
In the face of these rising threats, it’s time for business owners to ask themselves: am I fully prepared?
Even if you are, there are areas in your business that may not be. Your security is only as good as your weakest link, meaning absolutely everyone in your organisation, from your top to your bottom performers, needs to understand the risks.
How can you do this?
By developing a security-first mindset in your business.
The biggest risk for a business when it comes to falling prey to ransomware, BEC or phishing scams is its employees. By giving all your staff security awareness training, you can help reduce the risk of a breach happening and help your colleagues identify threats before they grow.
This is one example of having a security-first mindset.
Another is following essential checks and balances in your business, like ensuring you verify and authorise all payments through proper channels instead of via ad-hoc text or email, which will help safeguard your business against phishing.
Other examples include adopting robust disaster recovery and backup plans to keep your business resilient, and mandating specific password protocols to keep password behaviours hygienic and secure.
Business owners can mitigate their risks by developing this security-first mindset.
Reports like this from Webroot help to keep companies on their toes about current security risks, and highlight how you can best protect your business and staff.
Critically, they also highlight how specific types of cyber criminality, like ransomware, phishing and BEC attacks, are on the rise.
Webroot reported that business email compromise (BEC) attacks, which exploit trusted relationships between employees, colleagues and customers, grew in 2020.
BEC attacks typically target commercial organisations by impersonating a senior colleague, trusted customer, IT team leader or vendor. The attacker typically contacts the victim to ask them to send money, release private data or provide credentials.
With the number of payment requests and invoices your average business gets, fraudulent requests can easily blend into daily operations, making it extremely easy for a criminal to sneak a fake request in.
BEC is an extremely lucrative activity and can range from an attacker asking for a few £100 gift cards all the way to the impersonation of a legitimate-looking vendor with an invoice for £10,000.
The FBI is reminding organisations of the serious threat posed by BEC scams, declaring that they caused over $1.8 billion worth of losses to businesses in 2020.
Meanwhile, when it comes to ransomware, there has been a rise in data extortion, led by the attacks of the Maze ransomware group.
Data extortion involves not only encrypting a business's data and holding it for ransom, but also threatening to expose the compromised data if the victim refuses to pay.
This new business model specifically targets sensitive data to increase the likelihood of payment, a strategy that is often successful considering targeted businesses don’t want their data misused or disclosed publicly.
The consequences of exposure could even include costly fines for violating GDPR. They also include fallout costs, downtime, time to recover and reputation damage among customers.
The third and final form of attack is phishing, which remains the most popular way to get ransomware and malware onto a business network. According to Webroot, 54% of phishing sites in 2020 used HTTPS, which means checking for the lock icon in your browser’s address bar is no longer an adequate way to gauge whether a website is legitimate.
These phishing attacks are getting sneakier and more sophisticated and, like the other two categories, heavily revolved around the pandemic in 2020. According to Webroot’s report, criminals have pretended to offer information on tracking, protection measures, PPE and more, under the guise of being the NHS, WHO and CDC.
The first step to developing a security-first mindset and being able to mitigate your business security risks is understanding them, which is why we recommend every business leader reads the Webroot 2021 cyber security report.