As technology continues to develop, the nation and its businesses become more and more reliant on the internet. This has become an even more worrisome issue as the development of the Internet of Things leaves everyday essentials reliant on the internet, and their operation reliant on a business’s ability to protect itself from threats and cyber disaster.
Ransomware has been a prominent problem amongst businesses for many years, targeting companies in all sectors. In recent years, the world has seen ransomware cause devastating problems across the board: from the WannaCry attack on the 12th of May 2017, which targeted the NHS, to the Bad Rabbit attack that hit Russian and Ukrainian businesses, including major Russian news outlets.
Both of these ransomware attacks had one major thing in common: the demand for Bitcoin as payment. In the case of Bad Rabbit, this was 0.5 Bitcoin from each of the hundreds of victims that it targeted.
In the case of WannaCry, which was achieved through a vulnerability in Microsoft software, each of the victims targeted was asked to pay a minimum of £228 in Bitcoin, achieving a total ransom of around £108,000.
In response to this, businesses have already been seen purchasing Bitcoin for the purpose of paying off potential attackers when they are targeted. Whilst this is a reactive approach to dealing with hackers and the threat of ransomware, are businesses also being protective in the face of the growing threat?
Responding to a Growing Problem
Keeping private or sensitive information safe is something that all businesses are required to do. To defend their systems and data, the first port of call for many businesses is understanding the threats, encrypting data, and securing their hardware.
There are many essentials that most businesses incorporate into their overall cybersecurity strategy. These include firewalls, restricted access controls, malware protection, secure configuration, and patch management. These also fall under the recommendations set out by the government in their Cyber Essentials scheme.
Recommended Schemes from the Government
Cyber Essentials was developed in 2014 and launched on the 5th of June 2014. By October of that year, all companies that were responsible for handling data that was sensitive or that contained personal information, and that supplied to the Government, had to have a Cyber Essentials certificate.
The main aim behind the Cyber Essentials scheme is to ensure that companies are able to protect themselves from common cyber-attacks and threats, and understand the risk that data is under.
There are two different forms of the scheme that companies can use to show that they’re protected: Cyber Essentials and Cyber Essentials Plus. The main difference between these is that a business performs a self-assessment to get a Cyber Essentials badge, whereas the Cyber Essentials Plus badge requires an independent auditor.
Whilst Cyber Essentials is both backed by the Government and supported by industries and has been developed to provide protection, it is not a comprehensive package – more of a platform to then start building a full protection strategy on top of.
To build on top of the protection that falls under the bracket of the Cyber Essentials badge and prepare themselves to pass the test, more and more businesses are turning to the services provided by a consultancy. Of these services, there are two key ways that businesses are better preparing themselves for cyber-attacks: penetration testing and IT health checks.
Penetration testing is a specialist test that is designed to exploit any vulnerabilities in a business’s protection. This helps to establish how much risk a business is at from unauthorized access and the potential for malicious actions within its systems. Normally, a penetration test is performed both externally and internally, highlighting where there are weaknesses that can easily be exploited.
Are Businesses Doing Enough to Protect Themselves?
From the sheer number of cyber attacks reported in the UK, it is not difficult to deduce that businesses simply aren’t doing enough to stand up to this growing threat. According to PwC’s Global State of Information Security Survey from 2018, upwards of a quarter of the organizations in the UK don’t know the number of attacks they were victim to in 2017, with a further third of the businesses having no understanding of how the attacks happened.
While there are ways out there to protect businesses, such as penetration testing and IT health checks, until every business takes a better look at their strategy for cyber defense, the risk of cyber disaster will only continue to grow.