The estimated annual cost of cybercrime, currently put at £27 billion a year, is expected to rise again in 2024.
The consistent year-on-year increase is driven by attackers becoming more proficient and by the growing range of tools available to assist them. The staggering number of successful attacks reflects the growing need for organisations to prioritise cyber security and reduce the likelihood of an attack on their business.
With this in mind, we are looking further into the cyber security trends and attacks that we believe all organisations need to be on high alert for.
AI: a very hot topic right now
Cybercriminals’ use of AI technology for attacks is not as new as you might believe. A case from 2019 saw criminals use commercially available voice-generating AI software to impersonate the Chief Executive of the parent company of a UK-based energy firm. They deceived the energy company’s CEO into believing he was speaking with his boss and, by insisting the matter was urgent, convinced him to transfer $243,000.
When ChatGPT and other AI tools became available, there was concern that robots using AI would replace us in our current roles and impact the future of our careers. However, recently it’s become more apparent that it will not be a robot that takes our jobs, but a human leveraging AI.
Hackers are commonly grouped into three categories:
- White Hat: ethically simulating attacks, with permission, to identify vulnerabilities and advise organisations on how to mitigate them.
- Black Hat: attacking maliciously for personal gain.
- Grey Hat: a little of both. They will probe systems without permission but stop short of a directly malicious attack, and are known to contact organisations to notify them of vulnerabilities and offer to fix them for payment.
All three groups now use AI as part of their toolkit to reach their goals.
Social engineering attacks
As organisations have strengthened their technical controls, social engineering is becoming the method of choice for cybercriminals. The attacker uses psychological manipulation to get the target to reveal specific information or perform an action for an illegitimate purpose; phishing is the most common example. Because the victim performs the action themselves, the attacker sidesteps many of the technical controls that would otherwise block them.
Phishing is not a new trend. An attacker sends out a mass email in an attempt to obtain sensitive information such as passwords and bank details, or to deliver a cyber attack such as ransomware directly. More recently, smishing uses SMS and WhatsApp messages, while vishing uses voice calls, to obtain the same information.
A method that is growing in popularity is spear phishing. Instead of casting a wide net, the attacker targets one individual. They spend time researching and gathering information, mostly from open sources such as social media and Google, and then design a tailored attack to obtain the information they seek. They will often impersonate a trusted individual, use the gathered information to make the message appear even more legitimate, and create a sense of urgency to push the victim to act.
In 2023, UK companies reported an 18% success rate for phishing attacks, while spear phishing had a 53% success rate, making the method far more appealing to criminals.
Misspellings, bad grammar and the other tell-tale signs that an email was a scam can no longer be relied on. Not only have criminals become more careful, but they are also using AI language models to eliminate the mistakes that used to give them away.
If you are ever in doubt, feel pressured or are concerned about a call, email or text message: stop, think and conduct checks. Your Chief Executive will understand if you want to double-check before taking action. Check all of the details and contact the alleged sender through a different channel, using contact details you already hold rather than any supplied in the message itself. For example, if you received an email requesting a transfer, phone the sender on their known number to confirm it was them. Never simply reply to the message, as a compromised or spoofed account will happily confirm its own request.
If you have already taken the action and then suspect something is wrong, report it immediately. Contact your bank if you have made a payment, and contact IT for everything else. The quicker you report it, the better your chance of stopping any further damage.
You can take the following steps to reduce risk within your organisation:
- Add a report-phishing button to your email system. The easier the reporting method, the more likely an employee is to use it.
- Provide continuous training to all employees, including phishing simulations.
- Ensure you have a zero-blame culture. If employees fear any kind of repercussion they will not report incidents and, worse, will hide them.
Human behaviours and risk
Humans can be the weakest link in your security, but with the right education, they can be your greatest ally. After technical controls, they are the final line of defence to protect your organisation.
In the 2023 SotP report, 71% of employees admitted to engaging in risky behaviour, and 96% of them knew it was risky at the time.
Insider threat is real, and it is not always due to a malicious act of an employee. Despite widespread awareness of cyber threats, the second most common form of risky behaviour from employees is sharing and reusing passwords.
The top five most common risk behaviours frequently engaged in are:
- Using a work device for personal use.
- Sharing passwords.
- Connecting without a VPN.
- Responding to messages from unknown people.
- Accessing inappropriate websites.
The most common reasons for this risky behaviour are:
- To save time.
- For convenience.
- To meet a deadline.
- To save money.
52% of the employees questioned in the SotP said they were not aware that they were responsible for security.
As a business, you can take the following actions to reduce the risk of cyber threats caused by human behaviour:
- Make security easy: 94% of users are asking for this.
- Train your employees: 88% of users are asking for this.
- Reward your employees: 87% of users are asking for this.
Range of attack types
The top three attack types for 2023, which will carry into 2024 and beyond, are as follows:
- BEC (business email compromise): 74% success.
- Ransomware: 81% success.
- Supply chain: 67% success.
Ransomware has only moved by 1% since last year, but it is worth noting that:
- 63% of organisations said they had paid the ransom.
- 34% said they got all the data back after payment.
- 46% paid more than one ransom.
- 17% said they paid and got nothing back.
You can learn more about ransomware in our blog post.
Supply chain risk
Cyber risk arriving through the supply chain came to the fore in 2022 and persisted through 2023. It is currently regarded as a high risk that organisations need to be on alert for in 2024.
Most organisations depend on their suppliers to deliver products, systems and services, so an attack on your supply chain can be as damaging as a direct attack on you.
The risk can be difficult to identify, as supply chains are often large and complicated. It can also take different forms: inherent, introduced or exploited risk.
Inherent Risk
This is risk that is present in your supply chain regardless of any actions you may take. Examples include:
- Dependency on your vendors and suppliers.
- Lack of visibility and control over the supply chain network.
Introduced Risk
As the title indicates, this risk is introduced into your supply chain through factors such as human error, negligence or malicious actions, from internal or external sources. Examples include:
- Sharing sensitive information over unsecured channels.
- Insufficient security measures in place, leaving vulnerabilities that could be exploited.
- Use of compromised or counterfeit components or products.
- Failure to perform due diligence.
Exploited Risk
This is an instance where a vulnerability is taken advantage of to launch a cyberattack or to compromise the confidentiality, integrity or availability of business-critical systems or data.
Examples include:
- Your supplier’s infrastructure is used to indirectly attack your systems and data, most likely to occur through email.
- Unauthorised access to your systems and data that the supplier hosts/manages on your behalf through compromised credentials.
- Insider threat, for example, an employee or a supplier taking deliberate actions against your systems and data, collaborating with external attackers.
In 2023, the 10th annual SotP report shared that 67% of UK organisations have been subject to a targeted attack through their supply chain.
A business’s supply chain can become its greatest vulnerability. Once inside your supply chain, an attack can take many forms, including service interruption, data theft, or use as a stepping stone to access your systems and infrastructure directly or to launch a further cyber attack.
An attack can come by direct targeting or by chance.
- A direct attack is where the cybercriminals have identified a particular business as their primary target. Having found that its own defences are too strong to break directly, they review its supply chain for a weaker link to exploit.
- A chance attack is where a supplier has been compromised and the attacker then casts a wide net across that supplier’s customers to see where else they can get lucky.
Whether you are a direct target or become a target by chance, cybercriminals are using your supply chain as an attack vector. Because the attack arrives through a trusted relationship, it can be incredibly difficult, and sometimes impossible, for employees to detect.
It has long been recognised that email is the most serious threat and the most common method of launching an attack in the UK. The type of attack varies significantly, but email scanning, antivirus technology and firewall controls have done a good job of keeping these attacks out.
However, if someone in your supply chain (customer or supplier) has been compromised and the criminal has access to their mailbox, standard prevention and detection controls may be ineffective.
In this case the message is genuinely sent from the supplier’s own account and mail servers, so sender authentication checks such as SPF, DKIM and DMARC all pass, the sender is already an authorised contact, and there is no malicious file or known signature to detect. Combined with the insider knowledge a hacked mailbox gives the attacker (existing threads, names, invoice formats and writing style), the communication pattern looks entirely normal and will not flag up as an anomaly.
Think about it: if you receive an email from a trusted source that you regularly communicate with, would you think twice about opening a document, clicking a link, or entering your user credentials to access a file? This is what the attacker is banking on.
To reduce the likelihood of this kind of attack, you need assurance that your supply chain takes cyber security seriously. One way to do this is by ensuring suppliers hold certifications such as Cyber Essentials, Cyber Assurance and ISO 27001.
What if they don’t hold these certifications?
Here are some tips to help you manage your supply chain and mitigate cyber security threats.
- Know your supply chain: not all suppliers are equal.
- Rank your suppliers based on the criticality of the service they provide and the access they have to your systems and data.
- Include cyber security in your contract process.
- Set minimum cyber security requirements, and ensure they are justified and achievable.
- Complete due diligence.
- Request evidence from your suppliers of their approach to cyber security.
- Perform regular reviews; a lot can change over time.
SMEs
HMRC reported (Oct 2023) that SMEs make up 99.9% of the UK business population, and that share is growing. By default, this means the UK supply chain has SMEs at its core, so for an SME supply chain risk cuts both ways.
As an SME you need to protect your own business so that it can continue to operate, and you need to protect your place within the supply chain and your customers. Failure on either front can be catastrophic and could leave you unable to continue trading.
The best form of prevention is certification such as Cyber Essentials and Cyber Assurance, alongside investment in training and awareness for your employees.
The principles of risk assessment and supply chain risk management are the same for businesses of all sizes.
We hope you found this information useful and will be alert for potential cyber security attacks in 2024.
If you have any questions or would like to better understand how to mitigate the chances of a cyber attack on your business, contact a member of our team today.