Phishing and fake emails are the biggest security headache for business and among the hardest to tackle. According the 2019 Cyber Security Breaches Survey published by the UK government, the most common type of cyber attacks are phishing attacks, whether through fraudulent emails, or being directed to fake websites.
Phishing emails – where attackers pose as trusted colleagues or other contacts to trick the unwary into handing over passwords or other details are easy to send and hard to combat. Many of the biggest data breaches in recent years – from the attack on Sony Pictures to the hacking of the Democratic National Committee to various attacks on banks have all started with phishing emails.
“Protection against these kinds of breaches or attacks requires both technical controls and good staff awareness. This includes non-specialist staff, who are typically the ones directly targeted in phishing attacks,” the report said.
As in previous years, sophisticated and technical attacks, such as denial-of-service, are relatively less common according to the report. It also said the proportion of organisations complaining of virus, spyware or other malware attacks has fallen, which suggests this type of activity is becoming less common or less visible, although it notes that denial-of-service attacks are more likely to hit communications and education firms, as well as large businesses in general.
As well as being the most common attacks, phishing attempts were also rated as the most disruptive breaches or attack. Where a breach has resulted in a loss of data or assets, the average cost of a cyber attack on a business has gone up by more than £1,000 since 2018 to £4,180, the report found.
The report also found that — as in previous years — the most disruptive breach or attack was more likely to be spotted by workers rather than being picked up by cyber security software. For 63 percent of businesss and 70 percent of charities the most disruptive breaches were reported directly by staff, contractors or volunteers. “This illustrates the importance of staff vigilance, as well as technical controls, in identifying breaches promptly.”
It may also suggest that companies are badly underspending on cybersecurity; the report said there were wild variations in how much companies spend on security, although analysts warn that only around two percent of IT budgets goes on security.
The report said that while the typical organisation is likely to only experience a handful of breaches a year, some will face many more. This, alongside the overall reduction in the number of attacks reported, suggests that attackers are changing their approach.
“Attackers may be targeting fewer businesses, but may be attacking these ones more frequently or substantively” it warned.
According to the report, 32 percent of UK businesses identified a cyber security attack in the last 12 months — down from 43 percent in the previous year.
While that might suggest fewer businesses are reporting breaches because they are more secure, the report notes that there are other explanations too. As mentioned, one possibility is that attackers are changing their behaviour, with more attacks being focused on a narrower range of businesses. This may explain why the number of businesses identifying breaches has dropped, but the number of attacks reported by companies that do identify them is up. Alternatively it may be down to the introduction of the General Data Protection Regulation (GDPR) in May 2018. “GDPR might have changed what businesses consider to be a breach, or led to some businesses becoming less willing to admit to having cyber security breaches,” it notes.
MORE ON CYBERSECURITY