Introduction to cyber security and cyber risk

In today’s digital landscape the term ‘cyber’ is everywhere. Businesses all over the world rely on digital technology to run their operations, reach larger audiences, and grow and develop faster. However, cyber attacks have increased dramatically in recent years, leaving many businesses with financial losses and tarnished reputations.

In this article, we will look at how you can use cyber security to prevent successful attacks. We’ll also cover common cyber incidents, cyber risks, and effective ways to respond to an attack.

What is cyber?


According to the dictionary definition, cyber refers to anything of, relating to or involving computers, the internet and information technology. This includes collecting, storing, processing, transmitting, accessing and linking data. Used on its own, ‘cyber’ covers everything we do on our business and personal electronic devices.

When it comes to cyber in business, there is one primary focus: security. Ensuring cyber and information security throughout your business operations is critical to preventing sensitive information and financial assets from being compromised or falling into the hands of malicious individuals. We’ve defined cyber security and information security below.

Cyber security

  • Cyber security is defined as the precautions taken to protect against internet-related crime, particularly unauthorised access to computer systems and data connected to the internet.

Information Security

  • Information security is defined as the design and implementation of controls to prevent unauthorised access, modification or destruction of confidential data in any format. It therefore covers more than just cyber attacks.

The core principles of both cyber and information security are to prevent, detect and respond, reducing both the likelihood and the impact of attacks on your information and IT infrastructure.

What is a cyber attack?

A cyber attack is any malicious attempt to gain access to, damage or disrupt your business or personal computers, mobile phones, gaming systems or any other internet-connected or Bluetooth-enabled device.
There are many different types of cyber attacks, including but not limited to:

  • Malware – An attacker delivers a malicious file or piece of code to a device or network and uses it to do whatever they want, whether that is stealing data or disrupting or damaging a computer system.
  • Phishing – An attacker uses social engineering, such as fake emails that imitate a trusted sender, to trick users into handing over login credentials and financial information or into running malware.
  • SQL injection – An attacker supplies specially crafted input to an application that builds database queries from that input without validating or parameterising it, allowing them to read, modify or delete database contents and access sensitive data.
  • Cross-site scripting (XSS) – An attacker injects malicious script into pages served by a trusted website so that it runs in other users’ browsers, where it can steal session tokens, credentials and financial information.
  • Denial of service (DoS) – An attacker floods a website, network or machine with traffic or requests in order to degrade its performance or render it completely inaccessible.
  • Session hijacking and man-in-the-middle attacks – An attacker positions themselves between two communicating parties in order to intercept and/or alter the data passing between them, or steals a user’s session token to impersonate them.
  • Credential reuse (credential stuffing) – An attacker obtains valid credentials for one system, typically from a breach elsewhere, and then tries the same credentials against other accounts and systems, relying on users having reused their passwords.
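To make the SQL injection entry concrete, here is an added example (not code from the original article) showing the same login check written two ways: once by concatenating user input into the query text, and once with a parameterised query. The in-memory SQLite table, the user record and the payloads are all constructed for the illustration; passwords are stored in plaintext only so the injected condition is easy to follow, where a real system would store salted hashes.

```python
import sqlite3

# Added example, not code from the original article. A minimal login check
# written two ways against a constructed in-memory SQLite table.


def make_db():
    """Create a throwaway database holding one constructed user record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string concatenation, so user input becomes part of
    the query text itself: the SQL injection pattern."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Uses a parameterised query: the driver binds username and password as
    data values, so quotes or SQL keywords inside them are never parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    conn = make_db()
    # Classic payload: closes the password string and appends an always-true condition.
    payload = "' OR '1'='1"
    print("vulnerable, wrong password:", login_vulnerable(conn, "alice", "wrong"))    # False
    print("vulnerable, injected:      ", login_vulnerable(conn, "alice", payload))    # True
    print("safe, injected:            ", login_safe(conn, "alice", payload))          # False
    # Second payload: the SQL comment marker removes the password check entirely.
    print("vulnerable, comment:       ", login_vulnerable(conn, "' OR 1=1 --", "x"))  # True
    print("safe, comment:             ", login_safe(conn, "' OR 1=1 --", "x"))        # False
```

The vulnerable version accepts both payloads without knowing any password; the parameterised version treats them as literal strings that match no user. Binding parameters, rather than escaping input by hand, is the fix that holds up across drivers and databases.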

Cyber Risk

Cyber risk is any risk of financial loss, disruption or damage to the reputation of a business arising from a failure of, or attack on, its information technology systems. Cyber risk can originate from anywhere: a direct attack, third-party vendors or suppliers with poor security, or internally from a rogue employee, an accident, or a failure to follow security best practice. Whatever the source, the outcome is a loss of confidentiality, integrity or availability of your systems and data.

There are many methods to reduce the level of cyber risk facing your business. We have detailed these further below:

Risk assessment

The CIA triad is the widely recognised model for what security must protect, and it underpins risk assessment of IT systems and applications. It involves three key concepts: confidentiality, integrity and availability. A comprehensive information security strategy uses policies and security controls to reduce the threats to each of these three components.


Confidentiality (Access Control):

The CIA triad begins with confidentiality. This means ensuring that information is only available to those authorised to access it. The goal is to prevent unauthorised access to your systems, allowing you to keep sensitive business data and information private and secure.

Integrity (Accuracy):

The next element of the CIA triad is integrity. Integrity refers to maintaining the consistency, accuracy and trustworthiness of your business data. It involves steps to ensure that data cannot be tampered with by an unauthorised person, so that it remains authentic, accurate and reliable.

Availability (Accessible):

The final aspect of the CIA triad, availability, refers to systems, networks and applications functioning reliably and being available to authorised users when required. It also covers ease of access, ensuring that authorised users do not have to wait an excessive amount of time to gain access.

Risk can be accepted, mitigated or transferred. Every organisation faces risks, some more familiar than others, such as health and safety and financial risk. In a world where data is king, and protecting it is critical to your ability to continue operating, information security risks cannot be ignored.

Probability & who is at risk?

In the field of information security, the focus has shifted from “if” to “when” an attack will occur.
Cyber attacks are unavoidable for businesses in all sectors; however, some industries are more likely to be attacked than others
due to the nature of their operations.
To help you understand a cybercriminal’s mindset and reasonings behind their attacks, we’ve detailed below who they are, why
they attack, and the aims of their attack.

Who are cyber criminals?

Cyber criminals are individuals or teams of people who use technology to commit malicious acts on digital systems or networks
to steal sensitive company information or personal data. There are three main types of cyber criminals:

  • State-sponsored threat actors – these attackers are often funded by hostile foreign governments with the intent of
    stealing sensitive, confidential information or disrupting another government’s infrastructure.
  • Hacktivists – these attackers are motivated by political causes, often looking to draw the public’s attention to a topic and
    create an agenda that advances social or political goals.
  • General hackers – these attackers are often individuals or teams of cyber criminals out for personal gain, whether that is
    through financial means or the destruction of a company’s reputation.

Why are they attacking?

Cyber criminals may be motivated to commit cyber attacks for a variety of reasons, including those listed below.

  • Financial gain
  • Data theft
  • Large-scale service interruption
  • Raise awareness of social and political issues
  • Individual kudos

Typically, cyber criminals will hack businesses to gain access to one or more of the following:

  • Business or customers’ financial information
  • Sensitive personal data
  • Customer or staff email addresses and login credentials
  • Customer databases and client lists
  • IT infrastructure
  • IT services (e.g. the ability to accept online payments)
  • Intellectual property (e.g. trade secrets or product designs)

Current reporting highlights the following sectors remain at the greatest risk of a cyber attack:

  • Health, Wellbeing and Social Care
  • IT & Telecommunications
  • Legal
  • HR & Recruitment
  • Manufacturing & Utilities
  • Finance

UK 2023 statistics

In March 2024, Proofpoint, a cybersecurity and compliance company, released its tenth annual State of the Phish report. The report surveyed users and security professionals across 15 European and Middle Eastern countries to assess risky user behaviour, real-world threats, and user resilience to cyber threats.

The report revealed that over the past 12 months in the UK:

  • 91% of businesses experienced at least one successful phishing attack
  • 82% of businesses faced at least one email-based ransomware attack
  • 74% of businesses faced one or more business email compromise (BEC) attacks
  • 62% of businesses dealt with at least one ransomware infection
  • Of these, 63% opted to pay at least one ransom, showing a high willingness to pay

UK organisations had the highest rate of repeated ransomware infections. Approximately 14% of businesses dealt with ten or more infections, compared to 5% globally. This demonstrates that paying ransoms does not guarantee immunity from future attacks, and may in fact encourage them.

Most at-risk sectors

The healthcare industry is regarded as one of the most vulnerable to cybercrime. Between October 2021 and September 2022, healthcare organisations around the world experienced a huge number of cyber attacks, including network, application and malware attacks. The sector has had the highest average data breach cost in recent years, at around £8.5 million.

The NCSC has also raised concerns about the construction sector: as firms embrace new technology and digital ways of working, they are seen as an easy target. Many have a complex supply chain that includes multiple suppliers and contractors, as well as a large volume of payments and cash flows, which makes the sector a worthwhile target.

Although some industries are more vulnerable to cyber attacks, no sector is completely safe. Even charities and non-profits are targets, with 32% of third-sector organisations in the UK falling victim to cybercrime in 2023. The good news is that, contrary to popular belief, cyber and information security need be neither complex nor expensive. Preparation and prevention are your strongest allies.

How to prepare for a cyber attack

The most effective way to prepare for a cyber attack is to create a business continuity plan (BCP) and a disaster recovery plan (DRP).

A BCP is a document that contains the critical information an organisation requires to continue operations in the event of an unforeseen incident, such as a cyber attack. It is intended to protect personnel and assets while also ensuring that business operations can resume as soon as possible after a disaster strikes.

A DRP is a formal document that includes detailed instructions on how to respond to an unexpected incident. It outlines the steps you can take to mitigate the effects of a disaster, such as a cyber attack, and quickly resume critical functions. The DRP forms part of the overall BCP.

With both of these plans in place, your business has a clear strategy and defined steps to take, so that you are prepared to act if an attack occurs.

How to prevent a cyber attack

Risk assessments and action plans are the most effective methods for identifying and mitigating risks. A structured way to do this is through the Cyber Essentials scheme and IASME Cyber Assurance (formerly IASME Governance) certification. These are UK government-backed schemes, developed with the NCSC (part of GCHQ), designed to protect organisations from the most common cyber threats and loss of IT.

What can you do to avoid becoming another statistic in the next report?

  • Invest in information security awareness training so that your employees can be your best line of defence if your IT systems fail to detect the threat
  • Use simulated phishing and other email-based attacks to test and educate your employees
  • Put information security incident response protocols in place, such as reporting and issue handling

There are some simple steps you can take today to ensure you are better protected against the current heightened threat and any new threats that may emerge. These have been listed below:

  • Check your systems for patching and updates
  • Review and verify access controls, in particular admin and privileged users
  • Test and review your current defences
  • Review your monitoring
  • Review and test your backups and recovery
  • Provide information security and phishing-awareness training for all employees

Most of these steps map directly onto the Cyber Essentials controls. Cyber Essentials is an effective, government-backed scheme that will assist you in protecting your organisation, regardless of size, from a wide range of the most common cyber attacks.

Risk acceptance

With any risk you have three options: accept it, mitigate it or transfer it. If you choose to accept a risk without first assessing it, you are exposing your business to several potential problems, listed below:

Loss of ability to operate
The average downtime following an attack is reported to be approximately 21 hours; if the cause is ransomware, it will most likely be days rather than hours. Not being able to operate for this length of time could have serious consequences for your business, including lost revenue, customer dissatisfaction and lasting damage.

Loss of reputation
Irreversible damage to your reputation can happen at the click of a button.
A data breach can cause significant reputational damage to a business. Cyber attacks can compromise sensitive customer data and erode consumer trust, resulting in customer and sales losses.

Financial penalties
At the time of writing, the ICO has issued fines totalling just under £40 million in the last eight months for failures to protect customer information. A breach can also result in private claims from customers or employees whose data was not protected.

Failure to win new business
More and more organisations are required to have accreditations and certifications, and those that do not may be excluded from tendering and bidding entirely. This could prevent you from growing your business, resulting in missed opportunities for partnerships and financial gain.

Whether or not you prepared for an attack, the proper response for your business is outlined below.

When responding to an attack, both identification and resolution should be prioritised. The following list shows potential indications that a cyber incident may be under way:

  • Your computers are running slowly
  • Users being locked out of their accounts
  • Users becoming unable to access documents
  • People informing you of strange emails coming out of your domain
  • Redirected internet searches
  • Requests for unauthorised payments
  • Unusual account activity
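To show what “unusual account activity” and “users being locked out of their accounts” look like in authentication logs, here is an added example (not code from the original article) that flags credential stuffing: one source address failing logins against many distinct accounts in a short window, followed by a success from that same source. The log format (“timestamp result user=… src=…”), the sample lines, the addresses and the usernames are all constructed for the illustration; the window and threshold are assumed defaults that a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not code from the original article. The log format
# ("<ISO timestamp> <OK|FAIL> user=<name> src=<ip>") and every line below
# are constructed for the illustration.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:02 FAIL user=bob src=203.0.113.7
2024-03-01T09:00:03 FAIL user=carol src=203.0.113.7
2024-03-01T09:00:04 FAIL user=dave src=203.0.113.7
2024-03-01T09:00:05 FAIL user=erin src=203.0.113.7
2024-03-01T09:00:06 OK user=frank src=203.0.113.7
2024-03-01T09:05:00 FAIL user=alice src=198.51.100.4
2024-03-01T09:05:10 FAIL user=alice src=198.51.100.4
2024-03-01T09:05:20 OK user=alice src=198.51.100.4
"""


def parse_line(line):
    """Split one log line into (timestamp, result, username, source IP)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Flag sources that failed logins against min_users or more distinct
    accounts within `window`, then list accounts that logged in successfully
    from a flagged source (the likely compromised ones).

    Returns (flagged, compromised): flagged maps source IP to the sorted
    distinct usernames it targeted; compromised is a sorted username list."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    fails_by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))

    flagged = {}
    for src, fails in fails_by_src.items():
        # Sliding window over this source's failures, already in time order.
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = sorted(set(flagged.get(src, [])) | users)

    # A success from a flagged source is the account the attacker got into.
    compromised = sorted({user for ts, result, user, src in events
                          if result == "OK" and src in flagged})
    return flagged, compromised


if __name__ == "__main__":
    flagged, compromised = detect_credential_stuffing(SAMPLE_LOG)
    for src, users in flagged.items():
        print(f"credential stuffing from {src}: {len(users)} accounts targeted: {', '.join(users)}")
    print("accounts to reset and investigate:", compromised)
```

The legitimate user at the second address fails twice against a single account and is not flagged, while the first address touches five accounts in six seconds and then succeeds as a sixth; that success is the account to reset and investigate, and the pattern is also what produces the wave of lockouts users report.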

Identification
The first step is to understand what is happening. As soon as you suspect something is wrong, you must gather information, log everything that occurs, and share it with your IT team.

Here are ten important questions to ask yourself, investigate, and log in the event of an attack:

  1. What problem has been reported, and by whom?
  2. What services, programs and/or hardware aren’t working?
  3. Are there any signs that data has been lost? For example, have you received ransom requests, or has your data been posted on the internet?
  4. What information (if any) has been disclosed to unauthorised parties, deleted or corrupted?
  5. Have your customers noticed any problems? Can they use your services?
  6. Who designed the affected system, and who maintains it?
  7. When did the problem occur or first come to your attention?
  8. What is the scope of the problem, and what areas of the organisation are affected?
  9. Are there any signs as to whether the problem originated internally within your organisation or externally through your supply chain?
  10. What is the potential business impact of the incident?

How to prevent the incident from getting worse
First, take a look at your security software. Make a note of any antivirus alerts, and check server and audit logs for the specifics of the attack so that you can identify the likely cause. If you know which device has been affected, isolate it by disconnecting it from the network (unplug the cable or disable Wi-Fi) rather than simply powering it off, so that the machine’s current state and any evidence in memory are preserved; then run a full antivirus scan and note the results. Do not wipe or rebuild the device until the cause is understood and any evidence needed for insurers, regulators or the police has been captured. In the event of an internet outage, contact your ISP first; most have pages dedicated to service availability.

Resolution
Next, use the information you have gathered to seek advice from reputable sources such as police or security websites (in the UK, the NCSC and Action Fraud). Take extra precautions to ensure that any advice comes from verified and trustworthy sources only. Below we have detailed ways to resolve issues following a cyber attack with your IT team, whether they are external or internal to your business.

Externally managed IT
If your IT is managed externally, it is critical that you share all the information you have gathered with the external team and work together to resolve the issue. You should also check your support contract to see which actions the external team is responsible for and in what time frame they are expected to complete them.

Internally managed IT
An internally managed IT team should work through a set of actions to resolve the issue: contain and clean or replace infected machines, restore services and business operations from backups that are known to be clean, and reset passwords for all affected accounts (along with any keys, tokens or shared credentials they may have exposed) once the attacker’s access has been removed, so that the new credentials are not captured too. If you lack the internal expertise to handle complex incidents, consider engaging a cyber security practitioner. If you do seek assistance from outside your business, make sure they come from a reputable organisation and hold recognised credentials, such as Cyber Essentials and ISO 27001 certification.

Risk mitigation

The key to surviving a cyber attack is being prepared for it. Cyber risk mitigation means implementing policies, technologies and procedures that reduce both the likelihood and the consequences of a successful cyber attack. As previously mentioned, the best way to prepare is to put a business continuity plan (BCP) and a disaster recovery plan (DRP) in place, so that you are ready to respond when an incident takes place.

A BCP should contain: the team that will handle a cyber attack; key contacts, whether internal or external; communication protocols; a threat analysis; supplier and merchant contact information; recovery phases; and the DRP, which in turn includes a risk assessment built around the CIA triad. It should also state your business’s recovery time objective (RTO), the maximum time within which operations must be restored after an incident, and your recovery point objective (RPO), the maximum acceptable data loss, usually expressed as the time between the last usable backup and the incident.

Other methods of mitigating cyber risk

As previously mentioned, there are several certification schemes a business can work through to improve its chances of withstanding a cyber attack. These include:

Cyber Essentials
Cyber Essentials certification gives you confidence that your defences address the most common types of cyber attack. Attackers generally look for easy targets with none of the Cyber Essentials technical controls in place, so holding the certification significantly reduces the chance of an incident, although no set of controls can guarantee against one.
Cyber Essentials provides the additional reassurance of an independent assessment. It covers:

  • Firewalls
  • Secure configuration
  • User access control
  • Malware protection
  • Security update management

IASME Cyber Assurance
The IASME Cyber Assurance was developed over several years as part of a government-funded project to create a cyber security standard that would become a more affordable and achievable alternative to the international standard, ISO 27001. This standard enables small companies in a supply chain to demonstrate their level of cyber security at a reasonable cost, indicating that they are taking appropriate steps to protect their customers’ information.
It covers:

  • Risk assessments
  • Backup
  • Policies
  • Incident management
  • Data protection
  • Operation management

Risk transference

Risk transfer is the process of shifting the potential financial impact of cyber risks to a third party, such as an insurance company, using specifically tailored insurance policies. This is a popular option for businesses that lack the resources or expertise to manage these risks internally. However, changes to UK data protection law in 2018 have limited how much of the risk can be transferred, since responsibility for protecting personal data remains with the organisation as data controller. Furthermore, as the number of cyber attacks has increased significantly in recent years, insurance companies are conducting more thorough risk assessments before deciding whether to insure a business.

Like any insurance, the cost and coverage are determined by the controls and security measures in place. If you do not meet the insurer’s expectations, you may be unable to obtain insurance or renew an existing policy. Marsh, a global insurance broker and risk management firm, has reported that cyber insurance costs have risen by anywhere from 25% to 400%, and insurers and brokers now ask for far more information during due diligence before making any policy available.

Generally, cyber insurance protects a business financially, paying out for malicious action or accidental cyber incidents involving the organisation’s digital systems, data or technology. However, when it comes to payouts, an insurer will always assess the impact of an event and the preventative measures your business had in place before determining how much cover they can provide. They will consider the following:

Non-physical impact
The insurer will investigate how the cyber incident compromised the confidentiality, integrity, and/or availability of your company’s digital systems, data, or technology.

Physical impact
The insurer will investigate any property damage, bodily harm, and injury caused by a cyber incident.
After this, the consequence of an incident is reviewed. This can include:

  • Loss of income
  • Extortion/ransom demands
  • Fines and penalties
  • Negligence
  • Shareholder litigation
  • First-party costs (your own losses and response costs)
  • Third-party liability (if the organisation is sued)

The due diligence process includes a review of 12 key information security controls. These have been recognised as best practice for several years, yet many organisations have still not implemented them.

The insurer will assess your business to see if you have the following controls in place:

  • Multifactor authentication
  • Endpoint detection & response (EDR)
  • Secured, encrypted and tested backups
  • Privileged access management (PAM)
  • Email filtering & web security
  • Patch & vulnerability management
  • Cyber incident response planning & testing
  • Cyber security awareness training and phishing testing
  • Hardening techniques, including remote desktop protocol (RDP) mitigation
  • Logging and monitoring
  • End-of-life systems replaced or protected
  • Vendor/digital supply chain risk management

Whether you need insurance or not, ensuring that your organisation has the 12 controls in place is the most effective way to improve your information security posture and resilience.

How Net-Defence can help


With so much information available, it can be challenging to determine where to look and which solution is best for your business. At Net-Defence, we strive to make cybersecurity affordable, attainable, and accessible to all.
We have developed several programmes that provide the systems, policies, mechanisms, processes and certifications needed to provide certainty, confidence and trust that your IT infrastructure is secure, reliable and protected. As well as this, as mentioned throughout this article, we provide Cyber Essentials, Cyber Assurance and ISO 27001 Certification training.

Contact us today to learn more about how we can assist you in taking the necessary precautions to protect your business from successful cyber attacks.


About the author
I am the Head of Operations at Net-Defence. Before joining the company in 2019, I worked across a variety of industries, including finance, manufacturing, private, and public sectors. I focus on understanding our customers and supporting them in reaching their objectives, prioritising business resilience, utilising 25 years of IT industry experience and knowledge of dedicated...