Cybersecurity and data loss threats for businesses
In our previous post, we explained the essential cybersecurity measures UK businesses should take to stay safe from the growing threat of cyber attacks. However, we didn’t get to delve deeper into the methods and why it’s so important you understand them.
Remember, cyber threats cost UK businesses millions of pounds every year. Quoting Sun Tzu’s “The Art of War”: “Know your enemy and know yourself, and you can fight a hundred battles without disaster.”
In this article, we cover the typical attack methods used by cyber criminals (in layman’s terms!) and give examples of UK businesses that were affected and the outcomes (ouch!).
💡 Key takeaways:
- Phishing: This is reported as the most common type of cyber attack on UK businesses, yet only 19% of businesses have a formal incident response plan.
- Insider threats: Sometimes, your own partners and employees can pose a threat, as was the case at Morrisons supermarket in 2014.
- Malware: Malware remains a problem; the NHS was crippled by the WannaCry ransomware worm in 2017 at an estimated cost of around £92 million, even though a patch for the flaw it used had been available for two months.
In total, we cover 10 cyberattack ‘vectors’ (methods or threats), beginning with the most familiar and going into the more obscure methods as we go along.
Malware
Most of us remember the age of Norton or McAfee antivirus, the must-download to keep your PC safe from the potential malware brought in from your LimeWire downloads. While times have changed and those standalone antivirus products have diminished in relevance, malware is still out there, infecting business networks daily.
Malware includes various forms of malicious software like viruses, worms, and trojans, that infect systems to make them unusable, to steal valuable data, or even hold your business ransom. We explain the difference between these three types here.
NHS (2017)
In this infamous global malware attack, more than 200,000 computers across 150 countries were infected with the WannaCry ransomware worm. Despite often being described as a Zero-Day, it was nothing of the sort: WannaCry spread by itself using the leaked EternalBlue exploit for a flaw in Windows file sharing (SMBv1) that Microsoft had patched two months earlier (MS17-010), so the machines it hit were those that had not been updated or were running versions of Windows no longer supported. Unfortunately, this included a third of NHS trusts in England, leading to the cancellation of approximately 19,000 appointments and operations.
The ransomware encrypted data on infected computers, demanding a ransom payment for its release, which the NHS did not pay. Still, the estimated cost of the attack on the NHS was around £92 million, which included the cost of IT support, restoring data and systems, and the lost output due to disrupted services.
Ransomware
Ransomware is a subtype of a malware attack where a business’s data is encrypted by malware, and ransom payment is demanded for its release. Ransomware attacks can disrupt business operations and lead to significant financial losses.
This attack begins with a system infection, either through phishing emails with malicious attachments, drive-by downloads from compromised websites, or exploitation of vulnerabilities in software the business exposes to the internet, such as remote-access gateways and VPN servers.
In practice, once the ransomware has encrypted the files, a ransom note appears on the victim’s screen or is dropped into every affected folder, with instructions on how to pay the ransom and obtain the decryption key.
Victims are usually instructed to pay in cryptocurrency, such as Bitcoin, because such payments are hard to trace or reverse. Most groups now also copy data out of the network before encrypting it and threaten to publish it if the ransom is not paid, so good backups alone no longer remove their leverage.
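As an added illustration (not from the original article, nor from any of the products or groups mentioned in it), the following Python script shows the sort of behavioural check an endpoint agent uses to spot the encryption stage described above: one process rewriting many files with random-looking (high-entropy) data and renaming them to a new extension within a short window. The file events, the process IDs, the thresholds and the `.locked` extension are all constructed for the example.

```python
import math
import os
import random
from collections import Counter, defaultdict

# Detection thresholds: assumptions for this example, not figures from the article.
WINDOW_SECONDS = 60
MIN_FILES = 20      # touching fewer files than this in the window is not worth flagging
HIGH_ENTROPY = 7.0  # bits per byte; plain text sits around 4-5, ciphertext close to 8


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_sample_events():
    """Construct file events as (timestamp, pid, op, path, written_bytes).
    pid 4242 behaves like ransomware: it rewrites 30 documents with random bytes
    (standing in for ciphertext) and renames each to .locked within a minute,
    then drops a ransom note. pid 1001 is an ordinary text editor."""
    rng = random.Random(1)  # fixed seed so the example is deterministic
    events = []
    for i in range(30):
        t = 1700000000 + i  # one file per second
        src = f"/srv/share/doc{i}.docx"
        ciphertext = bytes(rng.randrange(256) for _ in range(4096))
        events.append((t, 4242, "write", src, ciphertext))
        events.append((t, 4242, "rename", src + ".locked", b""))
    events.append((1700000005, 1001, "write", "/home/amy/notes.txt",
                   b"Meeting notes: review the Q3 budget and call the supplier. " * 8))
    events.append((1700000030, 4242, "write", "/srv/share/README_RESTORE.txt",
                   b"Your files are encrypted. Pay to receive the key. " * 4))
    return events


def detect_ransomware(events):
    """Flag processes that, within WINDOW_SECONDS, write high-entropy data to many
    files and rename most of them to one new extension. Returns {pid: summary}."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_pid[ev[1]].append(ev)

    flagged = {}
    for pid, evs in by_pid.items():
        for i, first in enumerate(evs):  # slide a window anchored at each event
            t0 = first[0]
            window = [e for e in evs[i:] if e[0] - t0 <= WINDOW_SECONDS]
            written = {e[3] for e in window if e[2] == "write"}
            if len(written) < MIN_FILES:
                continue
            high = sum(1 for e in window
                       if e[2] == "write" and shannon_entropy(e[4]) >= HIGH_ENTROPY)
            exts = Counter(os.path.splitext(e[3])[1] for e in window if e[2] == "rename")
            top_ext, top_count = exts.most_common(1)[0] if exts else ("", 0)
            if high / len(written) >= 0.8 and top_count >= MIN_FILES:
                flagged[pid] = (f"{high} high-entropy writes over {len(written)} files, "
                                f"{top_count} renamed to {top_ext}")
                break
    return flagged


if __name__ == "__main__":
    for pid, summary in detect_ransomware(build_sample_events()).items():
        print(f"pid {pid}: {summary}")
```

Real agents add more signals (canary files, known ransom-note names, deleted shadow copies) and act on the verdict by suspending the process, but the entropy-plus-rename pattern is the core of it: ordinary software rarely rewrites dozens of documents with ciphertext in a minute.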
Travelex (2020)
A notable example is the attack on Travelex, a foreign exchange company. The ransomware group known as Sodinokibi, also known as REvil, hit Travelex on New Year’s Eve 2019, reportedly after getting in through an unpatched remote-access VPN server. They encrypted its systems, claimed to have copied customer data, and demanded a ransom of $6 million.
The attack led to significant disruptions, with Travelex taking down its websites in multiple countries and resorting to manual operations in its branches.
The company reportedly negotiated with the attackers and paid a reduced ransom, said to be around $2.3 million in Bitcoin, to regain access to its systems, although Travelex never confirmed the amount publicly.
Phishing
Cybercriminals use fraudulent emails or messages to trick employees into revealing sensitive information, such as passwords or financial details, or into opening an attachment or link that installs malware, often ransomware, on their devices.
Attackers choose their target and craft a convincing message that appears to be from a legitimate source, such as a bank, a well-known company, or a government agency. Messages are designed to create a sense of urgency or fear, prompting the recipient to take immediate action.
The phishing message is typically delivered via email, but it can also come through other channels like text messages (smishing), phone calls (vishing), or messaging apps and social media such as Instagram, Telegram or Signal. Typically, the message links to a fraudulent website that mimics the real one, or carries an attachment containing malware. Two quick checks catch most of them: look at the actual sender address rather than the display name, and hover over a link to see whether the real destination matches the text shown.
Royal Bank of Scotland (2020)
A notable example of a phishing attack in the UK involved RBS customers. In 2020, attackers sent out emails claiming to be from RBS, informing recipients that their accounts had been compromised and urging them to click a link to verify their details.
The link led to a fake website that stole login credentials and personal information. Although the attack’s consequences are unclear, it emphasises the importance of being vigilant and verifying the authenticity of messages before responding or clicking on links.
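The indicators described above (a spoofed sender, urgency, and a link whose visible text does not match where it actually goes) can all be checked mechanically before anyone clicks. The following Python script is an added example, not from the original article and unrelated to RBS’s own systems: it parses a constructed email in the style of the RBS lure, compares the display name against the real sender domain, looks for urgency phrases, and extracts each link to compare the text shown with the actual destination. The sample message, the domains in it, the brand allow-list and the keyword list are all made up for the example; it uses only the Python standard library.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the RBS lure. Every address and domain here is made up.
SAMPLE_EMAIL = """\
From: "RBS Online Banking" <security-alert@rbs-account-verify.com>
To: finance@example.co.uk
Subject: URGENT: your account has been suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Verify your details within 24 hours or your
account will be permanently closed.</p>
<p><a href="http://rbs-account-verify.com/login">https://www.rbs.co.uk/secure/login</a></p>
</body></html>
"""

# Brands the business deals with and the domains they legitimately send from.
# Assumed allow-list for the example; a real one would come from your own supplier records.
KNOWN_BRANDS = {"rbs": {"rbs.co.uk", "rbs.com"}}

URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended", "permanently closed")


class LinkCollector(HTMLParser):
    """Collect [href, visible text] for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def registrable_domain(host):
    """Reduce a hostname to the part a brand actually owns: the last two labels, or the
    last three for hosts such as www.rbs.co.uk. Crude, but enough for the example."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "org", "ac", "gov"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse_email(raw):
    """Return a list of phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""

    # 1. Brand impersonation: the display name claims a brand, the sender domain is not that brand's.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display_name.lower() and sender_domain not in domains:
            findings.append(f"display name claims '{brand}' but sender domain is {sender_domain}")

    # 2. Urgency or fear language in the subject and body.
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 3. Links whose visible text shows one domain while the href goes somewhere else.
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        href_host = urlparse(href).hostname or ""
        shown_host = urlparse(shown.strip()).hostname or ""
        if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
            findings.append(f"link shows {shown_host} but goes to {href_host}")
        if href.lower().startswith("http://"):
            findings.append(f"link is plain http, not https: {href}")

    return findings


if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_EMAIL):
        print("-", finding)
```

A mail gateway does the same job at scale, but the point is that none of these checks need a human to recognise the lure; the mismatch between what the message says and where it actually points is visible in the headers and the HTML.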
💡 The Cyber Security Breaches Survey 2022 conducted by the Department for Digital, Culture, Media and Sport found that 83% of UK companies reporting a cyberattack identified phishing as the most common type of attack. Alarmingly, only 19% of these businesses had a formal plan in place.
Data breaches
These are cybersecurity incidents (for example, phishing, ransomware or insider attacks) in which unauthorised individuals access, disclose, or steal sensitive, protected, or confidential data. They can have severe reputational and financial consequences for a business.
Data breaches can involve a wide range of information, including personal data (e.g., names, addresses, national insurance numbers), financial data (e.g., credit card numbers, bank account details), health information, intellectual property, and trade secrets.
The impact of a data breach can vary depending on the type and volume of data involved, the nature of the breach, and the affected organisation’s response.
British Airways (2018)
In 2018, hackers accessed the personal data of approximately 500,000 BA customers. The attackers had altered a script on BA’s website and mobile app so that details typed into the payment page were copied to a server under their control; the breach included names, email addresses, and credit card details.
British Airways was initially fined £183 million by the UK Information Commissioner’s Office (ICO) for violating GDPR, but the fine was later reduced to £20 million due to mitigating factors, including the impact of the COVID-19 pandemic on the airline’s finances.
Virgin Media (2020)
Virgin Media suffered a data breach affecting the records of around 900,000 customers: a marketing database was left accessible online for nearly a year (April 2019 to February 2020) and was accessed at least once by an unknown party. It included customer names, addresses, email addresses and phone numbers.
The breach resulted from the database being incorrectly configured by a member of staff, not from an attack on Virgin’s network. Virgin Media has since faced a group legal claim on behalf of affected customers that has been reported as potentially worth billions of pounds.
Other telecom companies like TalkTalk have also suffered large customer-data breaches, but Virgin’s remains one of the most high profile.
Insider threats
Insider threats are security risks that originate from within the organisation, such as employees, contractors, or business partners who have access to sensitive information and systems.
These threats can be intentional or unintentional and can result in data breaches, intellectual property theft, sabotage, or other forms of damage.
Detecting insider threats can be challenging due to the legitimate access insiders have to the organisation’s resources.
Morrisons (2014)
In 2014, a senior internal auditor with a grudge against the company leaked the personal details of nearly 100,000 staff members, including bank account information, by posting the payroll data online and sending it to newspapers.
The data breach resulted in Morrisons facing legal action from affected employees and highlighted the importance of addressing insider threats as part of an organisation’s cybersecurity strategy.
In the end, the UK Supreme Court ruled in 2020 that Morrisons was not vicariously liable for the actions of the rogue employee. However, it hurt the reputation of the company.
Advanced Persistent Threats (APTs)
These are sophisticated, long-term attacks by well-funded adversaries, often targeting specific organisations like corporations and government and defence agencies for disruption, espionage or data theft.
Groups running these campaigns gain a foothold through spear-phishing, zero-day exploits, compromised suppliers or stolen credentials, then move slowly through the network. They avoid detection by using encryption, obfuscation and the organisation’s own legitimate administration tools, so they can stay inside for months or years.
Iran’s nuclear program (2000s – 2010s)
Stuxnet, malware widely attributed to the US and Israel, targeted the Siemens industrial control systems used in Iran’s uranium enrichment programme. It exploited several zero-day vulnerabilities in Windows, and used stolen code-signing certificates, to spread and reach the control systems.
Once there, it altered the speed of the centrifuges used for uranium enrichment, damaging them, while replaying normal readings to the monitoring systems so that operators saw nothing wrong. It was only discovered in 2010, years after the first versions were deployed.
It is estimated that Stuxnet infected more than 20,000 devices in 14 Iranian nuclear facilities and ruined around 900 centrifuges.
Denial of Service (DoS/DDoS) attacks
DoS and DDoS attacks aim to overwhelm a business’s network or website by flooding it with junk traffic, rendering it unavailable to users. They can result in significant downtime, financial losses, and damage to an organisation’s reputation.
The difference between them is where the traffic comes from: a DoS attack comes from a single source, which is easy to block, while a DDoS attack is launched from thousands of compromised machines (a botnet) at once, so no single address can simply be blocked.
Mumsnet (2015)
Online forum Mumsnet was hit by a DDoS attack in August 2015, which made it difficult for users to access the site. During the attack, it received about 17,000 requests per second, compared to its normal rate of 50 to 100 requests per second.
Access to the site was restored by the following morning, but a group calling itself DadSecurity claimed responsibility on Twitter for the denial-of-service and threatened further attacks.
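The DoS/DDoS distinction above and the Mumsnet figures (50 to 100 requests a second normally, about 17,000 under attack) are enough to write a first-pass detector. As an added example that is not from the original article or from Mumsnet, here is a Python script that reads constructed web-server log lines, counts requests per second and, when a second is far above baseline, looks at how the traffic is spread across source addresses: one dominant address is a DoS, hundreds or thousands of small contributors is a DDoS. The log format, the addresses (taken from the reserved documentation ranges) and the thresholds are all assumptions for the example.

```python
import random
from collections import Counter, defaultdict

# Assumed thresholds for the example. The baseline is the article's Mumsnet figure.
BASELINE_RPS = 100
FLOOD_FACTOR = 10          # flag any second carrying 10x the normal rate
SINGLE_SOURCE_SHARE = 0.5  # one address sending over half the flood => DoS, not DDoS


def build_sample_log(distributed=True):
    """Construct log lines '<epoch-second> <source-ip> <method> <path>': ten seconds of
    normal traffic, then a three-second flood. With distributed=True the flood comes
    from about 250 addresses (a small botnet); otherwise from a single address."""
    rng = random.Random(7)  # fixed seed so the example is deterministic
    lines = []
    for sec in range(10):
        for _ in range(rng.randint(50, 100)):
            lines.append(f"{1000 + sec} 203.0.113.{rng.randint(1, 200)} GET /talk")
    for sec in range(10, 13):
        for _ in range(15000):
            ip = f"198.51.100.{rng.randint(1, 250)}" if distributed else "198.51.100.7"
            lines.append(f"{1000 + sec} {ip} GET /")
    return lines


def parse_line(line):
    """'<epoch-second> <source-ip> <method> <path>' -> (second, source-ip)."""
    sec, ip, _method, _path = line.split(" ", 3)
    return int(sec), ip


def classify_traffic(lines, baseline_rps=BASELINE_RPS):
    """Return {second: verdict}, where verdict is 'normal', 'DoS from <ip>' or
    'DDoS from <n> sources'."""
    per_second = defaultdict(Counter)
    for line in lines:
        sec, ip = parse_line(line)
        per_second[sec][ip] += 1

    verdicts = {}
    for sec, sources in sorted(per_second.items()):
        total = sum(sources.values())
        if total < baseline_rps * FLOOD_FACTOR:
            verdicts[sec] = "normal"
            continue
        top_ip, top_count = sources.most_common(1)[0]
        if top_count / total >= SINGLE_SOURCE_SHARE:
            verdicts[sec] = f"DoS from {top_ip}"
        else:
            verdicts[sec] = f"DDoS from {len(sources)} sources"
    return verdicts


if __name__ == "__main__":
    for sec, verdict in classify_traffic(build_sample_log()).items():
        print(sec, verdict)
```

The verdict matters because the response differs: a single-source flood can be dropped at the firewall, whereas a distributed one needs upstream filtering or a scrubbing service from the hosting or broadband provider, since blocking addresses one at a time never keeps up.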
Supply chain attacks
Supply chain attacks, or ‘third-party’ or ‘value-chain’ attacks, occur when attackers infiltrate a system through an outside partner or provider with access to the systems and data of the target organisation. These attacks exploit the trust relationship between the organisation and its service providers.
These attacks can be aimed at the software a business buys or its suppliers run, the hardware components in its devices, managed or cloud service providers, and so on.
Zellis (2023)
In 2023, the Clop ransomware crew (a Russian-speaking extortion group) exploited a previously unknown SQL injection flaw (CVE-2023-34362) in MOVEit Transfer, a file-transfer product used by Zellis, the largest payroll services provider in the UK.
The flaw let the group plant a web shell on MOVEit servers and pull data out of their databases. Zellis was one of hundreds of MOVEit customers hit, and through it staff data was stolen from some of Zellis’s own customers, including British Airways, the BBC, and Boots.
Zero-Day Exploits (ZDEs)
These are attacks that exploit vulnerabilities in software or hardware that are unknown to the vendor, so no patch exists yet (the developers have had ‘zero days’ to fix them). This is different from attacks on unpatched or unsupported systems, such as old versions of Windows, where a fix exists or the vendor has stopped issuing them; those are far more common.
True zero-days are much rarer than attacks on known flaws, and businesses can do little to prevent them beyond applying software and firmware updates as soon as they are released, limiting what internet-facing systems can reach, and keeping tested backups. Cyber insurance, such as that included with Cyber Essentials certification for smaller UK organisations, helps with the cost if one lands.
The MOVEit flaw used against Zellis (covered under supply chain attacks above) was a genuine zero-day. WannaCry, often cited as one, was not: a patch had been available for two months, which makes it a better example of what delayed patching costs.
Credential stuffing
Credential stuffing is a cyber attack method where attackers use automated tools to try large numbers of stolen username and password combinations on various websites, hoping that users have reused their credentials across multiple services. The goal is to gain unauthorised access to users’ personal and business accounts.
To reduce the risk, businesses should encourage employees and partners to use strong, unique passwords for each service and enable multi-factor authentication (MFA), which stops a stolen password from being enough on its own. On the application side, screening new passwords against known breach lists and rate-limiting login attempts blunt the attack.
Deliveroo (2016)
In 2016, some Deliveroo customers reported unauthorised food orders being placed on their accounts. The company concluded that attackers had used credential stuffing to access accounts where customers had reused passwords from other compromised services.
While Deliveroo’s own systems were never breached, it still had to investigate, refund affected customers and respond publicly. It highlights how B2C businesses also benefit from prompting their customers to use unique, strong passwords for different online accounts and to turn on 2FA.
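Screening passwords against known breach lists is the standard way of turning the ‘use unique passwords’ advice above into something a system can enforce, and it is what stops a password leaked in someone else’s breach from being reused on your service, which is exactly the reuse the Deliveroo case relied on. The following Python example, added here and not taken from the original article or from Deliveroo, shows the k-anonymity range query used by the Have I Been Pwned ‘Pwned Passwords’ service: the client hashes the password with SHA-1 and sends only the first five hex characters, gets back every stored suffix sharing that prefix, and finishes the match locally, so neither the password nor its full hash leaves the business’s systems. The server side here is a constructed, offline stand-in with three made-up passwords and counts, not the real service, and the 12-character length floor is an assumption.

```python
import hashlib

# Constructed stand-in for a breach corpus. The real Pwned Passwords service holds
# hundreds of millions of SHA-1 hashes with breach counts; these three entries and
# their counts are made up so the example runs offline.
_CONSTRUCTED_CORPUS = {
    hashlib.sha1(pw.encode("utf-8")).hexdigest().upper(): count
    for pw, count in {"password1": 2400000, "Summer2016!": 1300, "deliveroo123": 41}.items()
}


def range_lookup(prefix):
    """Offline stand-in for the range endpoint: given the first 5 hex characters of a
    SHA-1, return {suffix: breach_count} for every stored hash sharing that prefix.
    This mirrors the shape of the real API's response (one 'SUFFIX:COUNT' line per hash)
    but is served from the constructed corpus above, not over the network."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    prefix = prefix.upper()
    return {h[5:]: c for h, c in _CONSTRUCTED_CORPUS.items() if h.startswith(prefix)}


def breach_count(password):
    """How many times `password` appears in the corpus. Only the 5-character prefix is
    sent to the lookup; the suffix comparison happens on the client side."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return range_lookup(prefix).get(suffix, 0)


def acceptable_password(password, min_length=12):
    """Policy check in the spirit of the advice above: long enough and never seen in a
    breach. The length floor is an assumption for the example."""
    return len(password) >= min_length and breach_count(password) == 0


if __name__ == "__main__":
    for candidate in ("password1", "Summer2016!", "lemon-harbour-quartz-spindle"):
        print(f"{candidate!r}: seen {breach_count(candidate)} times, "
              f"acceptable={acceptable_password(candidate)}")
```

The prefix is deliberately short: with only five hex characters, every query matches hundreds of real hashes, so the service cannot tell which one the client was interested in. Run the check at sign-up and password change, and pair it with MFA and login rate limits, since stuffing tools will still try the passwords that have not leaked yet.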
Business cybersecurity threats – FAQs
Our business broadband experts answer commonly asked questions on business cybersecurity and data loss threats in the UK.
What’s the difference between a Trojan, virus and worm?
Trojans, viruses, and worms are all types of malware but differ in their behaviour and propagation methods. Trojans deceive users into installing them, viruses replicate by attaching to files or programs, and worms autonomously spread through networks without attaching to a host program.
Once they propagate or infect a system, they can perform various malicious activities, such as stealing data, deleting or corrupting files, logging keystrokes, creating backdoors for further attacks, and disrupting system or network operations.
Can a cyberattack come from my business broadband provider?
Yes, a cyberattack can potentially involve your business broadband provider, although this would be rare. It could be an exploit against the router or other equipment the provider supplies, or a phishing campaign using fake emails that impersonate your provider (especially if that provider has suffered a data breach and the attackers know you are a customer!).
To mitigate this risk, it’s essential to compare business broadband deals from reputable providers with robust security measures, including regular security audits, encryption of data in transit, and prompt patching of vulnerabilities.
A leased line also adds another layer of assurance by giving a business a dedicated, uncontended circuit rather than one shared with other customers. It does not, by itself, secure remote workers: for that, remote employees should connect through a VPN protected by MFA, which a leased line pairs well with.
Note that your connection type has minimal effect on the typical attack vectors covered in this article. Whether your business is connected using full fibre, satellite, cable, or 5G private networks, it doesn’t matter.