As we move into the new year, it’s important to be aware of the potential risks that could compromise your business’ security. By being prepared, you’re more likely to avoid any problems.
Below are 10 threats to look out for in 2020.
1. Attacks will focus on SMEs
In 2019, many smaller organisations were victims of cyber losses, and the trend is set to continue into 2020.
This has a serious consequence – businesses who’ve been hacked will fail any test to see if they’re ‘cyber ready’, which means they could lose existing contracts or be unable to win new clients.
Media, telecoms, manufacturing and technology industries have had their supply chains compromised, and as a result, companies are carrying out quarterly reviews of their systems and asking their partners to do the same. Unsurprisingly, this has resulted in an increase in spending to improve those systems whenever necessary.
Cyber criminals are targeting SMEs because they’re perceived as being more vulnerable than the larger companies, who can afford to invest in good security measures. Protecting from an attack is vital for all businesses, and a multi-layered strategy is recommended.
Related content: Why is a cyber security risk assessment so important for SMEs?
2. Business email compromise to rise with advanced phishing
When it comes to email attacks, cyber criminals are becoming increasingly inventive, and their efforts are paying off – users are tricked into opening emails containing malware or a virus.
Among the threats are phishing campaigns, CEO fraud, ransomware and impersonation tactics. Account takeovers are common, especially as more businesses are now using cloud services such as Office 365.
Employees receive emails from a genuine email address which they have no reason not to trust, but which phish their credentials. This gives attackers access to the employee's emails and to the configuration of their email account, so that they can launch further attacks such as sending fake invoices to your customers or changing bank details on requests for funds.
To protect against this you can:
- Enable multi-factor authentication. If an attacker manages to get your username and password, they won't be able to log in unless they have your 2FA code (usually generated by an app or by SMS message).
- Enable alerts on your email system. If attackers gain access and start making changes, your IT department or provider will be aware.
We’ll be covering how you can improve the security of your Office 365 setup in a future blog, but for great advice look at Microsoft Secure Score.
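The alerting advice above, as an added example that is not part of the original post: a Python sketch that scans mailbox audit records for configuration changes that forward mail outside the organisation or hide messages from the account owner. The records are constructed and simplified; the `Operation`/`Parameters` layout and cmdlet names follow Exchange Online audit logging, while `ALLOWED_DOMAINS` and the function names are assumptions.

```python
import json

# Assumption: your organisation's own mail domains (hypothetical value).
ALLOWED_DOMAINS = {"example.co.uk"}

# Operations that change how a mailbox handles mail.
WATCHED_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
                  "ForwardingSmtpAddress"}
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead"}

# Constructed, simplified audit records (not real log data).
SAMPLE_LOG = """
{"UserId": "amy@example.co.uk", "Operation": "New-InboxRule", "Parameters": [{"Name": "ForwardTo", "Value": "drop@mail.example.net"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"UserId": "bob@example.co.uk", "Operation": "New-InboxRule", "Parameters": [{"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"UserId": "cat@example.co.uk", "Operation": "Set-Mailbox", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:cat@example.co.uk"}]}
{"UserId": "dan@example.co.uk", "Operation": "MailItemsAccessed", "Parameters": []}
"""

def external(address):
    """True if the address is outside the organisation's domains."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in ALLOWED_DOMAINS

def review(record):
    """Return a list of reasons this record deserves an alert."""
    if record.get("Operation") not in WATCHED_OPS:
        return []
    reasons = []
    for p in record.get("Parameters", []):
        name, value = p["Name"], str(p["Value"])
        if name in FORWARD_PARAMS and any(external(a) for a in value.split(";")):
            reasons.append(f"forwards mail externally via {name}: {value}")
        elif name in HIDE_PARAMS and value.lower() == "true":
            reasons.append(f"hides messages from the user via {name}")
    return reasons

def scan(log_text):
    """Return (user, reasons) for every record that should raise an alert."""
    records = [json.loads(line) for line in log_text.strip().splitlines()]
    hits = [(r["UserId"], review(r)) for r in records]
    return [(user, why) for user, why in hits if why]

if __name__ == "__main__":
    for user, why in scan(SAMPLE_LOG):
        print(user, "->", "; ".join(why))
```

Only the first sample record raises an alert: a folder-sorting rule, forwarding to an internal address and an unrelated operation are all left alone.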
Related content: How to protect your business from phishing attacks
3. Mobile malware
The rollout of 5G will introduce new vulnerabilities for mobile users, as will the increase in IoT (internet of things) connected devices, and a general rise in the volume of data used.
Phishing attacks and ransomware are becoming more common, as are malicious apps posing as authentic ones.
To protect against mobile malware, ensure that you are using genuine apps from trusted app stores and that you are using the latest operating system from the manufacturer.
We’re aware that after an update it often seems like nothing has changed or, worse, that the update has broken the device! But updates are important because they patch security issues.
Related content: Mobile Device Management
4. Password reuse will continue to be a major issue
We’ve looked at the importance of password security, and the problems that weak passwords can cause to a company’s server. 65% of people in 2019 used the same password on all or most of the accounts that required them to log in.
Using the same password everywhere means that people are choosing something that’s easy for them to remember. Unfortunately, that means that they’re likely to be easy to guess, too.
Most importantly, if a service where you use a password is breached (let's use MyFitnessPal as an example, as they had a breach in 2019), everywhere you use that password is now vulnerable to attack, as criminals know your username and password.
Password breaches accounted for 81% of data compromises in the US in 2018, so it’s clearly a major problem for businesses around the globe.
Nobody can remember hundreds of complex passwords off the top of their head. Use a password manager: it will create and remember your passwords for you so you don’t have to. Personal services such as LastPass are great; alternatively, for business use we have a fully managed solution to protect your business.
Related content: Modern Password Guidelines
5. Cloud services compromised
Unfortunately, it’s not just by guessing passwords that hackers are able to get into emails and systems. A recent phishing attack was able to access users’ Office 365 accounts through the Microsoft OAuth API.
By posing as the Microsoft log-in page, the fake OAuth prompt asks users to grant permission to a third-party tool or software. Once the user name and password have been submitted, their data can be accessed remotely and compromised.
As with email compromise, hardening your Office 365 and ensuring you have good alerting will help prevent these types of attacks.
You should also be training your staff to spot these types of attacks and to know what to do if one pops up.
Related content: Scale SME to Global Enterprise with Cloud
6. Ransomware as a service to rise
Ransomware as a Service (RaaS) is a particularly worrying new trend, as it offers services to cyber criminals.
In much the same way as SaaS (Software as a Service) gives a done-for-you service, RaaS sells malware to criminals, saving them the time and effort of having to build it themselves.
RaaS providers operate as a business. One person (the aggregator) builds and sells scalable, easy-to-use malware kits to anyone looking to carry out a cyber attack (known as ‘ransomware operators’). These operators don’t require technical know-how, just the desire to cause damage to a business in return for money.
We’ve written many guides on protecting your business against ransomware. Here are our top 10 tips.
7. Risks related to IoT devices
As we’ve mentioned, the use of IoT devices is on the rise. In fact, it’s estimated that by 2025 there will be more than 75 billion of them. Keeping them secure is hard, and they are particularly vulnerable to hacking, especially if there’s no security at all.
There are all kinds of ways a hacker can compromise an IoT device – via your central heating thermostat, by taking control of firmware in your smart car, via a baby monitor or even a child’s toy with a Bluetooth device which can be manipulated to function as a recording device. All of these things have happened, so it’s important to be aware of IoT device use.
In your business, ensure you check devices and the provider before you allow them onto your network.
- Do you need smart devices on your business network?
- Could they go on their own segregated wireless?
- Are you keeping them up to date with security patches?
These devices should be seen as another computer, not just a device you stick in the corner.
Related content: 4 ways IoT will change business and create more challenges
8. Apple malware
Traditionally, Apple products, including Macs, have been known as being less susceptible to malware. This is for a variety of reasons (fewer people have Apple machines and they are locked down to specific app stores etc).
However, in 2019 there was a surprising increase in attacks on Apple machines. Adware called ‘NewTab’ uses Chrome extensions to alter the information shown on web pages, and also pretends to be apps, including email, maps or flight trackers.
Although there hasn't been a serious ransomware incident affecting Macs, security researchers believe it to be a real possibility.
Users have also noticed a range of potentially unwanted programmes installing themselves on their machines. Known as PUPs, the hacker will often trick the user into purchasing the programme even if they don’t want it.
Related content: Know these types of malware to stay protected
9. AI will help criminals
As with every area of technology, AI is being used to make tasks quicker and easier. AI is designed to learn and adapt and to mimic what humans do, which can be exploited by hackers.
For example, some malware uses spam-phishing, sending convincing, targeted emails to users who click on malicious attachments, giving attackers access to systems. AI could make these emails even more convincing and more successful.
AI can also make malware harder to detect, as it blends into the background.
Related content: Prevent Cyber Security Incidents: Use this staff training checklist
10. Deepfakes
Deepfake technology uses AI to create or alter videos to show a scenario that never actually happened. By using two AI systems, the deepfakers can create increasingly convincing videos: one AI creates the videos and the other reviews them, allowing the creator to learn as it goes how to fake a video well.
The consequences of this are massive, as people can create a video to suit their own agenda and to share their message. While most SMEs won’t be directly affected by deepfake videos, it’s good to be aware of them, as they could have an impact on your employees, clients or partners.
Ultimately, of course, we can’t really be sure which, if any, of these threats will pose the greatest risk to your business. It’s also possible that there is a new, sophisticated hacking technique that we don’t know about yet, and we may only become aware of it when someone is a victim of it.
Working with an IT support partner who has the expertise to help you mitigate cyber-attacks will help, and ATG take pride in doing that for their clients.
If you have any questions relating to the security risks discussed in this post, why not give one of our experienced team members a call? We are always on hand to help with your cyber security needs.