
Online cyber risk has become an ever-present part of our lives, both personally and professionally. UK organisations, especially high-profile large corporates, are under constant attack, and the consequences of one of these attempts succeeding are huge, not only financially but reputationally too.
The recent breaches involving M&S and Co-op are a testament to the risks. With its online ordering system taken out of action for 6 weeks, M&S estimated that the breach had reduced profits by £300m, a third of its profit margin. Co-op, meanwhile, recently admitted that the data of all 6.5m of its members had been stolen.
These attacks are now thought to have been a single event, with the same party responsible for targeting both organisations. It is rumoured, and widely believed, that this multi-pronged attack was carried out using social engineering, where cybercriminals steal the identities of actual staff and then use them to convince other staff members and third-party suppliers to grant them access to secure systems and databases.
These types of attacks are among the most common, and the feeling within the sector is that they are going to become increasingly prevalent. But why are they so popular, and so damaging?
The human element in cyber
Over the last 10 years, businesses have finally realised how critical cybersecurity is to their organisation. While large corporates have been investing heavily in cyber for a longer period, SMEs have recently begun to follow suit. However, no matter how much you invest in security, the biggest risk to your operations isn't that you lack cutting-edge cyber protections. It is almost always your people.
Recent reports suggest that the percentage of attacks which succeed due to human error is as high as 95%. This is a vast figure, and one you cannot afford to ignore. The human factor is the leading cause of most breaches because these attacks are so effective. Once an attacker can masquerade as a real employee, colleagues are more likely to trust that account and follow its instructions, particularly if the stolen credentials belong to a superior.
Human-targeted attacks are also the easiest to undertake. The latest Government Cyber Breaches Survey found that phishing remains the most common and disruptive type of breach or attack (experienced by 85% of businesses). A phishing campaign simply needs off-the-shelf malware, an email database and someone to draft the email, or at least that was the case before AI.
AI associated risks
Unfortunately, AI is making the attackers’ job much easier. They are now able to automate attacks, analyse their results, and strategise new approaches using the technology. It’s also creating a bigger headache for staff. Malicious actors are taking advantage of rapid AI developments to generate highly realistic phishing content that replicates the tone and phrasing of legitimate brands or individuals, significantly increasing the difficulty of detecting scams.
On a more sophisticated level, AI is advancing deepfake technology, making it ever harder to tell what's real and what's fabricated. This tech enables threat actors to impersonate others and use social engineering to manipulate people into weakening an organisation's defences, for example by generating AI-powered deepfake voice messages of senior leaders instructing staff to make IT changes that grant attackers access.
These dangers are ever-present and growing, and UK organisations across all sectors need to take action to mitigate their risk of a crippling cyber-attack.
Mitigating risk
Ultimately there is little organisations can do to prevent being targeted. However, there are steps they can take to minimise risk, especially when it comes to preparing their people.
Three steps every organisation should take:
- Consider processes – the most critical part of cybersecurity is verifying users. If you know that the user is truly who they say they are, you're far less likely to make a mistake. Processes such as Multi-Factor Authentication (MFA) or biometric verification can improve your posture in this area.
- Train your staff – there is no point investing in state-of-the-art cyber protection if you aren't going to protect your most valuable asset: your people. By training them, you help them to identify potential attacks, uphold and follow security processes, and move quickly if things do go wrong. Even basic cyber hygiene training can stop most attacks before they escalate.
- Minimise your attack surface – the issue for the Co-op, and many other organisations which fall foul of breaches, was that its data likely wasn't properly segregated within its digital environment. The attackers were clearly able either to access all of the data in one place, or to move laterally across the entire network to collate the member data for 6.5m people. By separating out your data, you ensure that if a breach happens, it can't all be taken in one sweep. But you need to couple this with permissions policies. Only give people access to what they need to do their job and no more. This means that if a user is compromised, the attacker can't simply access whatever they want to.
The risk of cyberattacks is not going away, and with organisations becoming increasingly digital, the opportunities for malicious actors are growing at pace. Every organisation with a large online presence will at some point be targeted, most likely via their employees. It’s crucial that they are ready to ward off these advances, especially with AI and automation powering these attacks.


