Cybercriminals will always try to find ways to make money without doing the hard work that comes with it. This occurs offline as well as online, and B2B (Business-to-Business) organisations are under constant threat of cyber-attacks. Some of these threats originate from sophisticated hackers intent on stealing your information. Other threats focus on an elimination-like effort to create chaos, and then there are threats like hacktivism and identity theft that can endanger the people within the organisation as opposed to the company itself.
According to securenetmd.com, 53 per cent of companies are experiencing an increase in cyber-attacks, and the Gartner group estimated that global spending on cybersecurity would reach $124 billion in 2019. To further highlight the seriousness of the issue to individuals, businesses and government, the World Economic Forum’s 2018 Global Risks Report pointed to cybersecurity as the third most significant risk in terms of livelihood apart from extreme weather and natural disasters, and, after all, it’s people who make up B2B (Business-to-Business) companies.
With each passing year, cyber attackers are becoming more sophisticated in their attack methods, and data breaches have cost organisations $50 billion in the last five years. With this alarming statistic, protecting your network, valuable company information, personnel, and other assets should become a top priority if it’s not already.
Here are the ten security threats every business should know about and how to protect against them using today’s ever-improving cybersecurity tools and technology.
1. Email Fraud and Deception
The FBI has a name for threats to businesses via email channels: “Business-Email-Compromise”, or BEC. The tactics BEC attackers use are, in most cases, incredibly simple.
For instance, criminals can scam employees by posing as higher-ups, even going so far as to create an email address using the CEO’s identity. Using this email address, scammers can trick employees into divulging intimate details about the company, including its financial operations. Criminals can even hold data hostage and demand a ransom. This is an example of how email can be used for corporate espionage and criminal activity, and employees should remain vigilant against such tactics.
With security awareness training, employees of the organisation can be taught to verify the person’s identity and email address carefully before revealing private or personal information, downloading files, or clicking on links. A quick phone call to verify the legitimacy of the email is a simple tactic that can save the company money and its personnel an immense amount of stress.
2. Spear Phishing Scams
Spear phishing is an email spoofing attack that targets a specific organisation or individual, seeking unauthorised access to sensitive organisation information. Here are a few samples of typical spear-phishing emails you may have seen.
- There is a proposal waiting for your urgent review, could you please log into your file sharing account to review it.
- An issue has been detected with your social media account. Please follow the attached instructions to fix the problems as soon as possible.
- We have detected unauthorised activity on your bank account. Click here to login and fix the problem.
Phishing isn’t a new cybercriminal method, but it’s showing no signs of slowing down. A 2017 survey of 263 IT professionals reported that 74 per cent of the cyber threats they dealt with over the past year originated from email attachments and links. Moreover, Webroot found that scammers created an enormous 1.4 million unique phishing websites in the first half of last year alone.
Usually, phishing scammers will send the victim a fraudulent email that appears legitimate. An example might be an email that seems to come from within the company, the corporate office, or a familiar brand the company regularly does business with, such as a partner firm. The email might include a download that will infect the computer with a virus or malware, and in some cases, the person can be tricked into giving up their login information for the company’s mainframe or financial data.
To control spear-phishing attacks, security teams must first train users to recognise, avoid and report suspicious emails—it is essential for every employee to realise that their roles grant them access to different data.
Once again, urge your employees, clients and partners to take the time to verify the legitimacy of emails and ensure the email address only comes from the company in question, and not some email address with the company name as a subdomain, which is another common tactic used by scammers to avoid detection.
Even employees who have gone through cybersecurity training occasionally fall victim to phishing attacks, but ongoing training can help immensely against these types of attacks.
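The sender check described above (an executive's name on the wrong address, or the company name used as a subdomain of someone else's domain) can be automated as a first-pass filter. This is an added example, not code from the original article; `example.com`, the brand `example` and the executive name are assumptions, and the function inspects only the visible From header, so it complements rather than replaces sender authentication.

```python
from email.utils import parseaddr

# Assumptions for illustration: example.com is the organisation's real domain,
# "example" its brand name, and Jane Doe an executive worth impersonating.
TRUSTED_DOMAINS = {"example.com"}
BRAND = "example"
EXECUTIVES = {"jane doe"}


def classify_sender(from_header):
    """Classify the visible From header of a message."""
    display, addr = parseaddr(from_header)
    _local, sep, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not domain:
        return "unparseable"
    # Trusted only on an exact match or a true subdomain, compared from the right.
    if any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted"
    # The brand appears in the domain, but the domain is not ours: this covers
    # "example.com.mail-login.test" as well as "example-payments.test".
    if any(BRAND in label for label in domain.split(".")):
        return "lookalike-domain"
    # An executive's name attached to an unrelated address.
    if " ".join(display.lower().split()) in EXECUTIVES:
        return "display-name-spoof"
    return "external"


# Constructed sample headers, not taken from real mail.
SAMPLES = [
    '"Jane Doe" <jane.doe@example.com>',
    "Jane Doe <ceo@example.com.mail-login.test>",
    "Accounts <billing@example-payments.test>",
    "Jane Doe <jane.doe@freemail.test>",
    "Supplier Billing <billing@supplier.test>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):20} {header}")
```

Messages classified as `lookalike-domain` or `display-name-spoof` are the ones worth a verification phone call before anyone acts on them.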
3. Malware Infections
Malware, short for malicious software, is not only annoying and frustrating; it can also have devastating consequences for both companies and individuals. Common symptoms of a malware infection are often slow-running computers, reduced bandwidth and mass email spamming. In severe cases of malware infection, cybercriminals can make changes to a company’s website, database, purchase orders, and many other segments of its digital footprint, which can wreak financial havoc and harm brand reputation.
Malware is delivered in the form of worms, viruses, and Trojans. Companies can protect themselves from malware attacks by employing an endpoint protection solution that offers instant and automatic security updates. Furthermore, employees should be educated to avoid spam emails or links from unknown sources or users, such as when a hidden popup appears onscreen in a browser.
4. Intellectual Property Theft and Corporate Espionage
Most IT security pros must cope with the large group of malicious hackers that steal intellectual property from organisations or perform outright corporate espionage. Their method is to compromise the organisation’s IT assets and, over time, take gigabytes of confidential information, such as organisational patents, new product ideas, top military secrets, financial information, business plans and so on. This stolen information is often passed to the criminals’ customers for economic gain, and they can stay hidden inside a compromised network for as long as possible.
To reap their rewards, they eavesdrop on essential emails, raid databases, and gain access to so much information that many have begun to develop their own malicious search engines and query tools to separate the hay from the more valuable business secrets.
This sort of attack is known as an advanced persistent threat (APT) or determined human adversary (DHA).
5. Sophisticated Ransomware Attacks
Ransomware is said to be one of this year’s most significant security concerns, according to Stephen Gates, the chief research intelligence analyst at NSFOCUS. An online form of extortion, this type of malware infects computers and “hijacks” data until a financial ransom is paid, or the hackers claim the hijacked data will be lost forever.
According to TechRepublic, ransomware attacks targeting businesses increased 90% last year, and the attackers are getting smarter with their methods of attack.
The tech and finance industries tend to be the ones most heavily targeted by ransomware attackers, but companies that deal with trade secrets and intellectual property that fill supply chains are currently being targeted at alarming rates.
To protect against this form of attack, regular threat intelligence checks, auto security updates, and daily backups can protect data, but once again employee awareness education is vital to protect all computers and data from being held against the company’s will.
6. Weaponised AI
The cybersecurity industry is turning to artificial intelligence (AI) to provide better security solutions, but meanwhile, cybercriminals are also using AI for evil purposes, and to evade the very solutions that have been designed to thwart their efforts. According to Gizmodo, in a poll of attendees at the Black Hat USA 2017 conference last July, about 62 per cent of the respondents said they believed bad actors would try to use AI in the coming year. Additionally, TechRepublic reports that a 2017 poll by Webroot found that 91 per cent of information security professionals are concerned about hackers using AI in cyber-attacks.
In just one of many examples, researchers from security vendor ZeroFox demonstrated how a spear phishing Twitter campaign used AI for automation and to increase attack success rates. As cybercriminals evolve and innovate, it won’t be long before they adapt machine learning to create ever more effective new threats.
7. Mobile Malware
A Check Point study of data collected from 850 organisations found that every single one of the organisations had faced an attempted mobile malware attack in the past. The report further noted that a whopping 94 per cent of security practitioners expect the number of mobile malware attacks to continue to increase. Most of that malware comes from third parties, but it has also been found embedded in apps sold through legitimate mobile application stores.
The growth of mobile malware has continued year on year, which poses a real challenge for most organisations. This growth includes Trojans, ransomware and keyloggers. Attackers don’t always exploit vulnerabilities to infect mobile devices — but often, unsuspecting users involuntarily give access permission to the malicious apps, like embedded adware, when they install what they think is a legitimate mobile application.
8. Internet of Things Botnets
In 2016, a distributed denial-of-service (DDoS) attack on Dyn illustrated the potential for weaponising the internet of things (IoT). Because they often lack embedded security features, some IoT devices can be cracked in two minutes, according to IT trade association giant CompTIA.
According to Cisco, there will be 30 billion IoT devices by the year 2020 — a number nearly four times larger than the world’s population. While organisations are very keen on adopting IoT technologies, many are not aware of the extent of vulnerabilities in the IoT ecosystem. Also, because they often lack visibility into their ecosystems, it would be easy for them to lose track of data that flows through their corporate networks and not even realise that they’d been hacked.
9. Ransomware Attacks in The Cloud
There is no end to the evolution of ransomware. The next probable step is that cybercriminals will aim ransomware attacks at cloud services as the adoption of cloud computing continues to grow unabated.
Cloud providers are an attractive target because they store massive amounts of consumer data and have a large number of enterprise customers. However, because big providers make for tough targets, hackers looking for easy victims are more likely to attack smaller cloud service providers.
10. The Threat of Hacktivists
IT security pros must contend with an increasing number of loose confederations of individuals dedicated to political activism, like the infamous Anonymous group. Politically motivated hackers have existed since hacking first started. Society is currently acknowledging this as an acceptable means of channelling a political cause or grievance.
Political hacking groups often communicate, anonymously or not, in open forums announcing their targets and hacking tools ahead of time. They gather more members, take their grievances to the media to drum up public support, and act astonished if they get arrested for their illegal deeds. They intend to embarrass and bring negative media attention to the victim as much as possible, whether that includes hacking customer information, committing distributed denial of service (DDoS) attacks, or directly causing the victim company further discord.
Political hacktivism is most often intent on causing financial pain to its victim to change the victim’s behaviour. Individuals can often become victims in this political fight, and regardless of whether one believes in the hacktivist’s political cause, the intent and methodology are criminal.
It’s not a matter of if an organisation will suffer a cyber-attack, but a matter of when, and your organisation and your partners must have a solution in place to remain on guard against all incoming and persisting attacks. As you can see, many attacks are made with simple tools like email and spoofed websites. Therefore, education is the key to defeating or minimising them. Still, it remains necessary to employ the latest in IT security in the fight against these forms of security threats.
Some excellent resources for businesses include Stay Safe Online, which is powered by the National Cyber Security Alliance and is packed full of tools and methods for protection against cyber threats and attacks.
Another freely available resource is HTTPS Everywhere, an extension for Firefox, Chrome, Opera, and Android web browsers released by the Electronic Frontier Foundation, which can encrypt communications while surfing significant sites, all the while filling in the gaps and ensuring that all web browsing is always secure.
Social-Engineer.com is another excellent resource that helps organisations pinpoint risk assets and vulnerabilities that hackers can use to infiltrate corporate network infrastructure and cause disorder.
Finally, you should investigate and consider a security platform that provides threat intelligence and monitoring, fraud detection, and transaction monitoring among other essential security services.
These are some of the solutions available to B2B companies bent on keeping hackers at bay while fortifying against attacks and theft. With the Internet of Things (IoT) making things more convenient for businesses and decision makers, criminals will always find a way to exploit any flaws for illegal financial gain.
With proper user awareness education, the right security tools, and extra vigilance for shoddy practices in all business transactions, your organisation should stand well against cybercriminals going into the future.
Do you have challenges in defending your valuable organisation assets against these threats, or do you have something to contribute? Please join the debate by commenting below. To contact the author of this article, please send an email to firstname.lastname@example.org or call him directly on +44 (0) 7540 460322.