Updated: Feb 27
2019 was a record year for cyber attacks. 2020 will probably be another record year. Cyber risks aren't going to go away. It's likely they'll become more sophisticated and widespread as time goes by.
What can you expect in 2020? We'll be seeing more of the same threats we've seen in the past year. We predict at least one or two new, unexpected cyber threats will hit the world's networks hard. There's no doubt we'll see some major data theft scandals. And cyber attacks on small businesses are so common that it makes more sense to expect one and prepare well than hope it doesn't happen.
Luckily it isn't all gloom and doom. Despite the advances made by criminals, a decent level of employee cyber security awareness remains your best weapon. Here are the main cyber attacks to expect in 2020, and how to avoid them.
Cybercrime stats for 2019
First, let's look at a few recent cybercrime stats. Thanks to Varonis for these facts, which prove how important it is to be ready.
Worldwide, 4.1 billion records were exposed by data breaches in the first half of 2019
71% of breaches were financially motivated, 25% by espionage
52% of breaches involved hacking, 28% malware, 33% phishing / social engineering (a single breach can involve several of these, so the figures don't add up to 100%)
The top malicious email attachment types are .doc and .dot, which together make up 37%; the next highest is .exe at 19.5%
The number of passwords used worldwide will grow to 300 billion by 2020
Top cyber attacks to expect in 2020
Ransomware
Ransomware is malware that locks a business out of its own files, usually by encrypting them, and demands payment to give them back. Ransomware attacks rely on the fact that businesses need their digital files to operate: if staff can't reach their data and software, the business stops dead. Paying is tempting when the criminal isn't asking for a vast amount of money, expert help looks more expensive, and you need to get back to work fast. But paying is no guarantee that you'll get working files back, and it marks you as someone who pays. If you've planned ahead, with backups kept out of reach of the infected systems and restores you've actually tested, the criminal loses: you don't need to pay, and you'll be back up and running in no time.
Malware
Adware, spyware and viruses are all classed as malicious software, in other words chunks of code planted on computers and networks. Some are designed to make money, for example adware, whose pop-up ads generate cash via clicks. Spyware monitors the activity on an infected device and reports it back. Viruses attach themselves to programmes, files, documents and more, tasked with spreading themselves far and wide. Some cause serious damage to systems and data. The notorious outbreaks of the past include the Code Red and Conficker worms, which spread from machine to machine on their own, and the Zeus banking trojan, which stole online banking credentials.
When your employees know how to avoid this type of cyber threat, the risk of infection plummets. It isn't always a case of expensive software, tools and advisors. Great cyber security begins with well-trained, well-aware people.
Social engineering
Social engineering means impersonating someone legitimate, or a reputable organisation, to gain people's trust and trick them into handing over something of value: their own financial details, the password for their system at work, or sensitive company data. Some attacks simply persuade the target to open a malicious attachment or click a malicious link.
Most of the time it takes the form of phishing: spam emails, texts or social media messages carrying urgent requests for passwords or other login details, or 'late' invoices that supposedly need paying right away. Some carry malicious attachments. Some messages look extremely convincing; others are easy to spot because of spelling mistakes, poor-quality graphics, or a sender address that doesn't match the organisation the message claims to come from.
Once you know what to look out for, anything but the very best phishing is easy to spot: check that the sender's address really belongs to the organisation it claims to be, hover over a link to see where it actually goes before clicking, and treat urgency as a warning sign rather than a reason to hurry. That puts the power back in your hands, out of the hands of the criminals.
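The checks described above can be written down as a simple triage script. The following is an added example for this article, not the author's code or a vendor product: it scores a message on urgency wording, a display name that claims an address or domain other than the real sender's, a Reply-To on a different domain, links whose visible text shows one host while the href points at another, and the risky attachment types from the statistics earlier on the page. The weights, the threshold and both sample messages are illustrative assumptions constructed for the demonstration.

```python
"""Triage an email for the phishing indicators discussed in the article.

Added example: the weights, threshold and sample messages are assumptions
constructed for the demonstration, not a published standard or real mail.
"""
import re
from html.parser import HTMLParser

URGENCY = ("urgent", "immediately", "within 24 hours", "account suspended",
           "overdue", "late invoice", "verify your password")
RISKY_EXT = (".doc", ".dot", ".exe", ".js", ".vbs", ".scr")
HOLD_THRESHOLD = 5  # assumption: a score at or above this is held for review
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)")


class LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host named by a URL or bare hostname; None for ordinary link text."""
    m = HOST_RE.match(text.strip().lower())
    return m.group(1) if m else None


def address_domain(header):
    """Domain of the real address in a From or Reply-To header."""
    m = re.search(r"<([^>]+)>", header)
    addr = m.group(1) if m else header
    return addr.strip().rsplit("@", 1)[-1].lower()


def score_message(msg):
    """Return (score, reasons) for a message dict shaped like the samples below."""
    score, reasons = 0, []
    text = (msg["subject"] + " " + msg["body_html"]).lower()
    hits = [w for w in URGENCY if w in text]
    if hits:
        score += 2
        reasons.append("urgency wording: " + ", ".join(hits))

    real_domain = address_domain(msg["from"])
    display = msg["from"].split("<")[0].strip().strip('"').lower()
    claimed = re.search(r"[\w.-]+\.[a-z]{2,}", display)  # display name naming a domain
    if claimed and claimed.group(0) != real_domain \
            and not real_domain.endswith("." + claimed.group(0)):
        score += 2
        reasons.append(f"display name claims {claimed.group(0)} but sender is {real_domain}")

    reply_to = msg.get("reply_to")
    if reply_to and address_domain(reply_to) != real_domain:
        score += 2
        reasons.append(f"replies go to {address_domain(reply_to)}, not {real_domain}")

    parser = LinkParser()
    parser.feed(msg["body_html"])
    for href, visible in parser.links:
        shown, target = host_of(visible), host_of(href)
        if shown and target and shown != target:
            score += 3
            reasons.append(f"link text shows {shown} but points to {target}")

    for filename in msg["attachments"]:
        if filename.lower().endswith(RISKY_EXT):
            score += 2
            reasons.append(f"risky attachment type: {filename}")
    return score, reasons


def verdict(msg):
    """'hold' for messages at or above the threshold, otherwise 'deliver'."""
    return "hold" if score_message(msg)[0] >= HOLD_THRESHOLD else "deliver"


# Constructed sample messages (not real mail).
PHISH = {
    "from": '"support@bank.example" <alerts@bank-example-secure.net>',
    "reply_to": "helpdesk@mail-drop.example",
    "subject": "URGENT: account suspended - verify your password within 24 hours",
    "body_html": '<p>Restore access at <a href="http://bank-example-secure.net/login">'
                 'https://bank.example/login</a> before your account is closed.</p>',
    "attachments": ["Statement_OVERDUE.doc"],
}
LEGIT = {
    "from": "Alice Smith <alice@example.com>",
    "subject": "Notes from today's meeting",
    "body_html": '<p>Slides are in <a href="https://docs.example.com/slides/42">the deck</a>.</p>',
    "attachments": ["notes.pdf"],
}

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        total, why = score_message(msg)
        print(f"{name}: score {total} -> {verdict(msg)}")
        for reason in why:
            print("  -", reason)
```

The link check is the one that catches well-made phishing: the visible text is a perfectly good address for the real bank, and only the href gives the game away, which is exactly what hovering over a link reveals to a trained reader. Keyword lists like URGENCY are cheap to evade, so treat the score as a prompt for a human to look, not as a verdict in itself.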
DDoS attacks
A distributed denial-of-service (DDoS) attack happens when criminals compromise a large number of computers to build a botnet, then point it at a target website or service and flood it with traffic. A site that isn't built to absorb that volume becomes unreachable for genuine customers. This type of attack is about disruption rather than theft or damage, and it is sometimes personal, carried out by someone with a grudge.
Now and again a DDoS masks something more sinister: while your team is busy dealing with the outage, attackers are breaking into your systems from another direction. If you've prepared and understand the risk, you can go back through the logs and check your systems after a DDoS attack to make sure it wasn't hiding something deeper and darker.
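Looking for what a flood was hiding means separating the flood itself from the rest of the traffic in the same window. The script below is an added example for this article, not the author's code: it parses web-server access log lines in Common Log Format, counts requests per second, flags seconds far above the quiet baseline, reports how many distinct sources took part (many sources is what makes the attack "distributed"), and then lists the requests inside the flood window that don't match the flood's dominant path, which is where a concurrent break-in attempt would show up. The log lines are constructed for the demonstration and the thresholds are illustrative assumptions.

```python
"""Find a volumetric flood in access logs and show what else happened during it.

Added example: the sample log is constructed and the thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """One Common Log Format line -> dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}


def analyse(lines, spike_factor=10, min_rps=50):
    """Flag flood seconds and separate the flood from everything else inside them."""
    per_sec = defaultdict(list)
    for event in filter(None, map(parse, lines)):
        per_sec[event["ts"]].append(event)
    counts = {sec: len(evs) for sec, evs in per_sec.items()}
    ordered = sorted(counts.values())
    baseline = ordered[len(ordered) // 2] if ordered else 0  # median requests/second
    threshold = max(min_rps, baseline * spike_factor)        # assumption: 10x median, at least 50/s
    flood_secs = sorted(sec for sec, n in counts.items() if n >= threshold)
    window = [e for sec in flood_secs for e in per_sec[sec]]
    if not window:
        return {"baseline_rps": baseline, "flood_seconds": [], "sources_in_window": 0,
                "peak_rps": max(counts.values(), default=0), "flood_path": None,
                "other_requests_during_flood": []}
    # In a flood the traffic is homogeneous; whatever isn't the dominant path deserves a look.
    flood_path, _ = Counter(e["path"] for e in window).most_common(1)[0]
    others = [(e["ip"], e["path"], e["status"]) for e in window if e["path"] != flood_path]
    return {
        "baseline_rps": baseline,
        "flood_seconds": [sec.isoformat() for sec in flood_secs],
        "peak_rps": max(counts[sec] for sec in flood_secs),
        "sources_in_window": len({e["ip"] for e in window}),
        "flood_path": flood_path,
        "other_requests_during_flood": others,
    }


def make_sample_log():
    """Constructed log: 5 quiet seconds, then a 2-second flood of / from 120 bots,
    with three probes from one unrelated address tucked inside the flood."""
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'
    start = datetime(2020, 2, 27, 9, 0, 0, tzinfo=timezone.utc)

    def ts(sec):
        return (start + timedelta(seconds=sec)).strftime(TS_FMT)

    lines = []
    for sec in range(5):
        for i in range(3):
            lines.append(fmt.format(ip=f"192.0.2.{i + 1}", ts=ts(sec), path="/index.html", status=200))
    for sec in (5, 6):
        for bot in range(120):
            lines.append(fmt.format(ip=f"10.0.{bot}.7", ts=ts(sec), path="/", status=503))
    for path, status in (("/wp-login.php", 200), ("/.env", 404), ("/admin", 401)):
        lines.append(fmt.format(ip="203.0.113.9", ts=ts(6), path=path, status=status))
    return lines


if __name__ == "__main__":
    report = analyse(make_sample_log())
    print(f"baseline {report['baseline_rps']} req/s, peak {report['peak_rps']} req/s "
          f"from {report['sources_in_window']} sources, flood path {report['flood_path']}")
    for ip, path, status in report["other_requests_during_flood"]:
        print(f"  during flood: {ip} {path} -> {status}")
```

On the constructed log the three probes from 203.0.113.9 are under two percent of the requests in the flood window and would never be noticed by eye; filtering out the dominant path makes them the only thing left. The same idea applies to firewall, VPN and authentication logs for the flood period: the question is what else was going on while everyone was watching the outage.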
Whoops - Employee error
Untrained employees can make all sorts of mistakes, which is why staff are one of the leading causes of breaches. They send emails to the wrong people or copy recipients in by mistake. They forward sensitive information without thinking about it. They forget to update their software, they use weak or reused passwords, they leave their login details on scraps of paper for everyone to see, and they use their personal devices for work and vice versa.
Again, none of this is the end of the world. Good quality training plus top-up training to keep their knowledge fresh is the best way to tackle these threats. In effect you create a cyber secure culture, where it's natural to make all the right moves because everything you do is informed by digital security.
Common sense actions to help keep a small business cyber secure
As a small business, what can you do to help yourself? Plenty, actually.
Take a business-wide view of data protection
Make sure every new technology, policy and process is crafted with digital security in mind
Align with best practice
Make the right risk assessments, evaluate the threats you face, make a gap analysis and fill those gaps
Test system security regularly
Ensure all IT systems and software are kept up to date – create a solid patch management programme
Set up a reliable security regime including vulnerability scanning and penetration testing
Plan what to do if there's an attack: how you'll find out what has happened and why, how to fix it, who is responsible for each task, and how to communicate with employees, customers, other third parties and regulators
Most important of all? Get rid of the skills gap
Get staff training first, before spending good money on technical solutions. You can invest in all the tech you like but if your people don't understand how to stay safe, your business won't be safe. Focus on employee awareness, enrol everyone on a government cyber security training course, and make plans for a worst case scenario. Now you're ready.
Here's wishing all our customers a safe and secure festive season and a profitable 2020!