11th September 2021
As much as we try to avoid them, cyber attacks are a fact of life. There’s no doubting that the internet brought heaps of benefits for both our personal and business lives, but it also created significant risks. All too often businesses small and large have struggled to protect their data from hackers, or haven’t paid enough attention to their security at all. Breaches can cause severe disruption for businesses, with financial losses, fines and damaged reputations an all too frequent result. In this post, we’ll look into the stories behind some headline-hitting hacks to show you the lessons that can be learnt, as well as some simple measures that will keep your SME business protected against similar breaches.
1. Case study: World Health Organisation
The World Health Organisation (WHO) is an international agency responsible for public health. The WHO was a vital source of advice and research during the 2020 COVID-19 pandemic, which put them at the forefront of the public eye, and sadly of hackers’ eyes too.
The WHO was the target of a significant number of cyber attack attempts, and unfortunately, as part of this series of attacks, a data breach occurred. Email addresses and passwords of employees, and of others working in response to the pandemic, were leaked online. But how did it happen?
Cyber criminals were able to access the data thanks to social engineering techniques. Hackers built a fake site that impersonated an internal WHO email system. Many of the techniques used against the WHO were in fact phishing attacks, in which hackers trick employees into clicking malicious links that then download malware onto their systems. All it takes is a single person to respond to or engage with a malicious phishing email, and the hackers have their access. Phishing attacks are all too common, and in fact there was an increase of 350% in 2020, which makes them a severe threat.
What can we learn?
To help avoid the same misfortune for your business, make sure you have secure authentication systems in place. Remote working has also made phishing attacks far more successful, so ensure you proactively train your staff to spot them with a cyber awareness training course. Your staff are one of your best defences against cyber attacks, if they know what to look out for!
2. Case study: Zoom
Video calling is nothing new, but thanks again to the COVID-19 pandemic, Zoom was a brand put at the forefront of the public’s attention. With this came a data breach of over half a million account credentials.
Frustratingly, against common best practice advice, people often re-use their login details across various online sites and apps. What they don’t realise is that if just one of those companies suffers a breach, their credentials have fallen into the hands of hackers, who can use them on other accounts too.
For Zoom, hackers used a method called ‘credential stuffing’, which is effective precisely against people who re-use their passwords. Hackers took hundreds of thousands of credentials from an existing data breach, tried them on other platforms, and sold on those that successfully worked on Zoom.
What can we learn?
The good news is that it is pretty easy to avoid this for your business. Yes, it’s a nuisance, but make sure your staff use unique, secure passwords for every account they have. That way, even if one of their personal accounts is compromised, their professional accounts should remain secure. You should also ensure two-factor authentication is turned on wherever possible: even if a hacker obtains a password, it’s highly unlikely they also have access to your employee’s personal device to authorise the login.
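The credential stuffing pattern described above has a recognisable signature in authentication logs: one source tries many different usernames with mostly failures, unlike a brute force against a single account. This added example (not from the original post or from Zoom) runs a simple detection over a constructed sample log and lists the accounts whose reused passwords worked, which are the ones to reset and protect with two-factor authentication; the IP addresses and log format are assumed.

```python
from collections import defaultdict

# Constructed sample log (not from the post). Format per line: "timestamp source_ip username result".
STUFFING_IP = "203.0.113.7"      # assumed attacker source (documentation range)
BRUTE_FORCE_IP = "198.51.100.9"  # assumed single-account brute force, for contrast

def build_sample_log():
    lines = []
    # Credential stuffing: one source tries 12 *different* usernames; two leaked
    # passwords were reused here and succeed.
    for i in range(12):
        result = "OK" if i in (3, 9) else "FAIL"
        lines.append(f"2021-09-11T10:00:{i:02d} {STUFFING_IP} user{i:02d} {result}")
    # Brute force: many attempts against a single account from one source.
    for i in range(12):
        lines.append(f"2021-09-11T10:01:{i:02d} {BRUTE_FORCE_IP} admin FAIL")
    # Legitimate user: one typo, then a successful login.
    lines.append("2021-09-11T10:02:00 192.0.2.5 carol FAIL")
    lines.append("2021-09-11T10:02:05 192.0.2.5 carol OK")
    return "\n".join(lines)

def parse(log_text):
    """Split each non-empty line into (timestamp, ip, user, result)."""
    return [tuple(line.split()) for line in log_text.splitlines() if line.strip()]

def flag_credential_stuffing(events, min_attempts=10, min_distinct_users=8, max_success_ratio=0.2):
    """Flag sources that spray many distinct usernames with a low success ratio.
    A brute force against one account has many attempts but few distinct users,
    so this rule deliberately does not flag it."""
    by_ip = defaultdict(list)
    for _, ip, user, result in events:
        by_ip[ip].append((user, result))
    flagged = {}
    for ip, attempts in by_ip.items():
        users = {u for u, _ in attempts}
        successes = sum(1 for _, r in attempts if r == "OK")
        if (len(attempts) >= min_attempts and len(users) >= min_distinct_users
                and successes / len(attempts) <= max_success_ratio):
            flagged[ip] = {"attempts": len(attempts), "distinct_users": len(users),
                           "successes": successes}
    return flagged

def accounts_to_reset(events, flagged):
    """Usernames that logged in successfully from a flagged source: these are the
    reused passwords to reset, and the logins two-factor authentication would have blocked."""
    return {user for _, ip, user, result in events if ip in flagged and result == "OK"}

if __name__ == "__main__":
    evts = parse(build_sample_log())
    hits = flag_credential_stuffing(evts)
    print(hits)                                   # {'203.0.113.7': {...}}
    print(sorted(accounts_to_reset(evts, hits)))  # ['user03', 'user09']
```

The thresholds are starting points for a small business log; tune them against your own normal login volume so that a shared office IP is not flagged.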
3. Case study: Magellan Health
We’ve all heard tales of businesses being hit with ransomware. It can be nasty, as hackers encrypt your devices and charge you to recover your data. But there is no guarantee they will release your data after a ransom is paid, or that they haven’t already taken a copy of it.
Magellan Health is a healthcare insurance provider which in 2020 lost the confidential information of over 350,000 people to the work of cyber criminals. The hackers used social engineering to impersonate a client of the insurance provider and successfully installed malware onto the firm’s systems. They were able to obtain login credentials and access databases that contained information such as taxpayer identification numbers and social security numbers. This data was presumably sold on, and the ransomware held against Magellan provided the hackers with a further revenue stream.
What can we learn?
The lesson for your business is that anyone can be a target for hackers, no matter what industry you operate in or the size of your company. Cyber criminals don’t have morals when it comes to picking targets and making money. Make sure you have some cyber security basics in place – Cyber Essentials or ISO 27001 certifications are a good place to start. You can also help prevent social engineering by training your staff. A good cyber awareness training course keeps your staff clued up on cyber security best practices, and ensures they take care to avoid interacting with anything malicious, such as phishing emails.
4. Case study: The NHS
As we learnt from the above case study, successful ransomware attacks can really devastate businesses with sky-high ransom payments, not to mention the loss of trust from customers as a result of a data breach. Another well-known example of ransomware is the WannaCry ransomware of 2017 that hit the NHS.
The NHS was brought to a standstill after a hacker exploited an unpatched Microsoft Windows vulnerability in its systems and infected them with ransomware. The NHS didn’t pay the hackers’ ransom, but that doesn’t mean it didn’t face huge disruption. Services were disrupted, and the estimated financial cost came to over £90 million.
What can we learn?
All of this because of a missing patch in their systems, which makes our advice for your business easy - patch, patch, patch! Patching means updating software to include the latest bug fixes and security updates. So always ensure you’re running the most up-to-date and supported versions on your systems, so that there are no known vulnerabilities left for hackers to exploit.
5. Case study: easyJet
The pressures of the Coronavirus pandemic on airlines didn’t hold hackers back from spotting the opportunity. Similar to the 2018 breach at British Airways, which affected over 400,000 individuals and led to a fine of £20 million, easyJet was hit with a cyber attack.
Back in 2020 over 9 million of easyJet’s customers had their data stolen, some of which even included payment card details and CVV numbers. Whilst the specifics of what caused the easyJet attack have not been released, it was likely due to a lapse in their security posture somewhere.
What can we learn?
To avoid being the subject of such a sophisticated attack yourself, there’s one key security tool you can implement in your cyber security strategy – penetration testing.
Penetration testing is a great way of discovering your vulnerabilities before a hacker does. By using the remediation advice offered from a penetration test, you can significantly reduce your cyber risk by resolving your vulnerabilities and protecting your business data. This can therefore help you to avoid the reputational and financial repercussions of a data breach, like the aforementioned airlines.
How can your business stay secure?
All too often businesses don’t pay attention to their security until it’s too late and they’ve been hacked. When it comes to cyber attacks, your best way to be prepared is not to think about ‘if’ one was to happen, but to plan for ‘when’ one happens. Most attacks come from phishing emails, so training your staff is one of your best lines of defence.
Hackers have many other tricks up their sleeves, so you should also look into security certifications like Cyber Essentials and ISO 27001. Then use penetration tests and vulnerability scanning to identify your technical vulnerabilities, as well as ensuring that you are patching your systems regularly.
A data breach can be extremely harmful to organisations both big and small. The sooner you start implementing cyber security best practices the better, as you don’t want to have a ‘too little, too late’ approach. You don’t need to be a cyber security expert to have strong defences; leave the hard work to us. Defense.com™ has all the tools you need to protect your business and avoid breaches like those mentioned in this blog.