Cyber crime is on the increase. Since the onset of the COVID-19 pandemic, cyber attacks on businesses have surged, and a UK Government survey found that a shocking 39% of businesses came under attack in the first quarter of 2021. Even more worryingly, attackers are starting to move away from large corporations to focus on small businesses, which are seen as softer targets, but in many cases find it more difficult to recover from an attack.

With cyber attacks on the rise, many executives ramped up their cybersecurity spending in 2021. However, research by cyber security specialists FoxTech has found that numerous industries are still at a significant risk of cyber attack. CTO of FoxTech Anthony Green explains why:

“Unfortunately, money spent on cybersecurity is not always spent in the right places, due to a lack of knowledge around the issue. This has left many companies who have invested in security measures, still vulnerable to attack.”

To help combat the problem, FoxTech has put together a guide to the top three cybersecurity problems they see in the companies they work with.

Buying products and forgetting the people to run them

Many business owners believe that the best ways to protect themselves against cyber attack is to buy and install the latest security products. However, far from offering infallible protection from cybercrime and malware, products such as endpoint detection, firewalls, and anti-virus software should be thought of as tools which can be utilised by your security team, rather than an end in themselves.

Anthony explains:

“You can have the best cybersecurity and compliance products money can buy, but without the staff and expertise to run them you’re wasting your money.”

With Cyber Security specialists in high demand, it is not practical for the typical SME to have this expertise in-house – which is often why they are drawn to expensive cybersecurity products, when they could significantly improve their security using the basic products they already have, if only they had the skills and knowledge to configure them appropriately.

The UK DCMS 2021 report found that while 83% of UK Companies have up to date anti-malware software, only 29% have all the NCSC’s recommended “Cyber Essentials” in place to protect themselves from the attacks every organisation faces. Most commonly missing are simple things like installing software updates and securely configuring laptops.

Many UK small and medium sized businesses could make significant improvements to the security of their system by engaging a cybersecurity firm as a trusted advisor, rather than relying solely on expensive software. Getting an expert on side can help companies discover where their current security controls are lacking, and develop the tools and business processes to put them right.

Lack of education around email protection

Email is the number one initial attack point for malicious cyber activity. Every company uses email, and many do not have sufficient email security set up, meaning attackers can easily gain access and send phishing emails, with the intent to steal your company’s information and carry out further attacks via ransomware, trojan horse installation or credential theft.

Alarmingly, only a single employee has to fall for a phishing email for an attacker to gain access to your company’s email. It is therefore essential for every business to take simple steps to reduce the risk of phishing and business email compromise:

Security Awareness Training for staff
Two Factor Authentication on email accounts
Secure configuration of your email service

Only 14% of UK companies perform security awareness training even though the NCSC provides free security awareness training available here: https://www.ncsc.gov.uk/training/top-tips-for-staff-scorm-v2/scormcontent/index.html

What if a malicious email still gets through? Anthony provides some reassurance:

“If one of your employees falls for a phishing attempt, there is still time to avoid significant financial damage. Email accounts are often compromised weeks or months before the damage is done – with compromised accounts being traded on the black markets to the highest bidder who can monetise your account through ransomware, or impersonate your CEO to redirect a large payment.

Careful monitoring by cyber security experts can stop the kill chain before the final payload is delivered – turning what could be a major disaster into just a minor incident.”

Not knowing your company’s vulnerabilities

Of all the threats to the cybersecurity of businesses, the biggest is a lack of knowledge about vulnerabilities in their systems. “It’s not that businesses don’t take their cybersecurity seriously” says Anthony, “but that they don’t realise their current strategy is inadequate, until it is too late.”

One of the only ways to learn exactly where the weaknesses are in your system (places where hackers could gain a foothold) is to get a cyber security assessment done by an independent cybersecurity specialist, who can scan for the same weaknesses that hackers are looking for. Identifying where you are vulnerable, before implementing a strategy to secure your IT systems, process and procedures from attack is the most reliable way to protect your business as we go into 2022.