
The Top 5 Most Common Cyber Attacks and How to Prevent Them

Cyber attacks can take many forms and it’s a challenge, particularly for small businesses, to defend against them. The latest UK Government Cyber Security Breaches Survey from April 2023 gives an insight into the types of attack that organisations (and particularly micro and small businesses) within the UK are experiencing. This covers companies, charities and educational institutions of varying size but not the public sector. The results of the survey in the area of attack types are shown in the chart below.

Source: Cyber Security Breaches Survey 2023.

The chart shows eleven types of attack, with ransomware coming in at a surprisingly low 4%. We’re going to focus on the five most common cyber attacks and talk about how you can defend your business against them.

Attack #1 – Phishing

The survey identified phishing as not only the most common type of attack, but the one that caused the most disruption to its victims. This is where an email, or similar kind of electronic communication, is received by a user and it contains a malicious attachment, or link, or asks the user to carry out some kind of action, usually urgently. This can result in a number of outcomes, including a virus being downloaded, the device taken over or login details being captured.

To defend your organisation against phishing attacks, the UK National Cyber Security Centre recommends that you take the following actions:

  • Block the emails from reaching your users in the first place by filtering out suspicious ones
  • Use available tools to configure your email servers to verify email addresses as valid
  • Train users to spot phishing emails and report them to the help desk
  • Protect your devices from viruses carried by phishing emails by using effective anti-malware software and patching software vulnerabilities in a timely way
  • Block malicious websites via features available within many browsers
  • Use multi-factor authentication (MFA) so that it’s not just a password that an attacker needs to access user accounts but a one-time code too
  • Use monitoring software to detect suspicious behaviour on your network
  • Have a plan to respond to incidents effectively if they happen

These controls are part of a multi-layered approach to defending your organisation against phishing attacks.

Attack #2 – Impersonation

Like phishing, impersonation is a type of social engineering attack which attempts to fool an unsuspecting user into taking some action that benefits the attacker, whether that is logging onto a website, downloading a file or changing payment details. This may take place via a number of routes, with social media sites such as Facebook, Twitter and WhatsApp becoming increasingly popular. The person being impersonated is often a senior figure within the organisation, such as the CEO.

Because this attack works via persuasion rather than a technical means such as a virus, the main defence against it is awareness training of staff and careful design of procedures so that additional precautions are taken when doing sensitive tasks such as making payments. Everyone must be assured that following the established procedure even when someone they believe to be the CEO is giving them different instructions won’t result in disciplinary action.

Attack #3 – Viruses, Spyware and Malware

Often delivered via phishing emails, this type of software-based attack may result in a malicious program being introduced into the network, which will then contact the attacker’s server and download further programs to consolidate its position on your device. In many cases the program is able to copy itself from device to device, so spreading its reach and providing more opportunities for the attacker.

In general, the main defence against such programs is anti-malware software which runs on each endpoint and detects suspicious activity, often quarantining programs it believes to be malicious. Patching operating systems and application software promptly will also remove many of the routes in for viruses. Paying attention to the correct configuration of devices is a further effective control that should be applied.

Attack #4 – Hacking of Online Bank Accounts

For a small business owner, the thought of someone gaining access to their online business bank account is a nightmare scenario that may keep them awake at night. This type of attack was reported by eleven percent of the businesses surveyed, making it a necessary priority to address.

Ways to protect against this type of attack include:

  • Making sure you have a strong password that is known by as few people within the business as possible and that it is stored securely (for example within a password manager)
  • Ensuring that MFA is turned on for all user accounts so that an authentication app (preferable) or a text message (second-best) is required to access a code to log on to the bank account
  • Using the controls provided by the bank to ensure that all changes to payees and transfers are correctly authorised, perhaps using a small calculator-like device in conjunction with a bank card and PIN
  • Understanding the rules put in place by the bank for amounts that can be transferred on a daily basis, and setting any available options accordingly

Taking these actions will help to keep your well-earned funds secure.

Attack #5 – Takeover of User Accounts

Experienced by a similar number of businesses to the previous two attacks, user account takeover involves an attacker logging on as the user and either taking advantage of the access they have directly, or using it as part of a bigger fraud. Unfortunately, this is often achieved by simply guessing the password based on publicly available information or a list of commonly-used passwords. It could also be a follow-on from a successful phishing attack which has prompted a user to enter their logon details mistakenly thinking they were on a genuine website, where in fact it was one created by the attacker.

To lessen the risk of this attack happening, do the following:

  • Encourage users to create passwords of at least twelve characters in length, without using single dictionary words or any of the commonly-used passwords such as “Password1234”
  • Avoid passwords that relate to anything associated with the user, such as a pet’s name, which may be easily discovered from public sources such as social media
  • Use a different password for each user account – this may necessitate the use of a secure password management program which stores and encrypts passwords
  • Use MFA wherever available, ideally with an authentication app such as Google Authenticator
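The first three points above can be enforced at the moment a user chooses a password, rather than left to goodwill. The following is an added example (not code from the original article, and not from CertiKit or the NCSC) of a policy check that applies the twelve-character minimum, rejects commonly-used passwords even when letters have been swapped for look-alike symbols, rejects a single dictionary word padded with digits or punctuation, and rejects passwords containing terms associated with the user. The function name `check_password`, the word lists and the sample passwords are all constructed for the illustration; a real deployment would load a large published list of breached passwords and a full dictionary instead.

```python
import string

MIN_LENGTH = 12

# Constructed stand-in for a breached/common password list (hypothetical data);
# a real deployment would load a large published list instead.
COMMON_PASSWORDS = {"Password1234", "123456789012", "qwertyuiop12", "letmein12345"}

# Constructed stand-in for a dictionary word list.
DICTIONARY = {"sunshine", "butterfly", "chocolate", "basketball", "liverpool"}

# Characters users typically bolt onto a word to satisfy a length rule.
PADDING = string.digits + string.punctuation

# Common letter-for-symbol substitutions, so "P@ssw0rd" is treated like "password".
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s"})


def _normalise(text):
    """Lower-case the text and undo the substitutions in _LEET."""
    return text.lower().translate(_LEET)


# Pre-normalise the common list once so comparisons are substitution-insensitive.
_COMMON_NORMALISED = {_normalise(p) for p in COMMON_PASSWORDS}


def check_password(candidate, user_terms=()):
    """Return a list of policy failures for `candidate`; an empty list means it passes.

    user_terms: words associated with the user (name, pet, town, employer) that the
    password must not contain, matched after normalisation.
    """
    failures = []

    # Rule 1: minimum length of twelve characters.
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 2: not a commonly-used password, even with symbol substitutions.
    norm = _normalise(candidate)
    if norm in _COMMON_NORMALISED:
        failures.append("matches a commonly-used password")

    # Rule 3: not a single dictionary word with digits/punctuation tacked on.
    core = candidate.lower().strip(PADDING)
    if _normalise(core) in DICTIONARY:
        failures.append("is a single dictionary word with trivial padding")

    # Rule 4: nothing associated with the user (pet's name etc.).
    for term in user_terms:
        t = _normalise(term)
        if len(t) >= 3 and t in norm:
            failures.append(f"contains a term associated with the user: {term}")

    return failures


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    for pw, terms in [("Password1234", ()), ("P@ssw0rd1234", ()),
                      ("Butterfly123", ()), ("Fluffy2019!", ("Fluffy",)),
                      ("correct-horse-battery-staple", ("Fluffy",))]:
        print(pw, "->", check_password(pw, terms) or "OK")
```

The normalisation step matters: a checker that compares the raw string would accept “P@ssw0rd1234” while rejecting “Password1234”, and attackers’ guessing lists already contain such variants. Substring matching for user terms is deliberately loose, since a pet’s name inside a longer password is exactly what public social media posts make guessable.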

By adopting these policies, you will frustrate the majority of attackers.

General Points

You will see that there are common themes in our descriptions of how to defend against the most widespread attacks, including password policies, use of MFA, awareness training and anti-malware software. Based on the idea that a small number of controls could defend against maybe eighty percent of the attacks, the UK Government created the Cyber Essentials scheme, which has the following as its five controls:

  1. Firewalls
  2. Secure configuration
  3. Security update management
  4. User access control
  5. Malware protection

This maps well onto the results of the survey. However, only five percent of the survey respondents were adhering to the Cyber Essentials controls, showing that there is still some way to go in emphasising the need to protect small businesses in cyberspace.

But if you need to use your limited time and resources to maximum effect, the good news is that many of the big issues that plague small businesses in cyber security can be addressed by implementing a relatively limited set of controls.

 

Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range, an ISO 27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry. 

(Image by jcomp on Freepik)


How can CertiKit help?

The CertiKit Cyber Essentials Toolkit is designed to help implement the five key controls of Cyber Essentials quickly and effectively with much less effort than doing it all yourself. Our high-quality template documents and checklists come complete with 12 months of support and lifetime updates. Using the toolkit is the first step to securing your IT systems and will prepare your business for certification.
