What SMBs can learn from big breaches

Case study: World Health Organisation

The World Health Organisation (WHO) is an international agency responsible for public health. The WHO was a vital source of advice and research during the 2020 COVID-19 pandemic, which put them at the forefront of the public eye, and sadly of hackers’ eyes too.

What happened?

The WHO were a target for a significant amount of cyberattack attempts, and unfortunately as part of this series of attacks, a data breach occured. Email addresses and passwords of employees, and others working in response to the pandemic, were leaked online. But how did it happen?

Cyber criminals were able to access the data thanks to social engineering techniques. Hackers built a fake site that impersonated an internal WHO email system. Many of the techniques used against the WHO were in fact phishing attacks, which is where hackers trick employees into clicking malicious links subsequently downloading malware onto their systems. All it takes is a single person to respond or engage with a malicious phishing email, and the hackers have their access. Phishing attacks are all too common, and in fact there was an increase of 350% in 2020, which makes them a severe threat.

What can we learn?

To help avoid the same misfortune for your business, make sure you have secure authentication systems in place. Remote working has also made phishing attacks far more successful, so ensure you proactively train your staff to spot them with a cyber awareness training course. Your staff are one of your best defenses against cyberattacks, if they know what to look out for!

Case study: Zoom

Video calling is nothing new, but thanks again to the COVID-19 pandemic, Zoom was a brand put at the forefront of the public’s attention. With this came a data breach of over half a million account credentials.

Frustratingly, against common best practice advice, people often re-use their login details across various online sites and apps. But what they don’t realise is that by doing this, even if one of those companies has a breach, your credentials have fallen into the hands of hackers to use on other accounts too.

What happened?

For Zoom, hackers used a method called ‘credential stuffing’, which works brilliantly against those who re-use their passwords. Hackers gained access to hundreds of thousands of credentials from an existing data breach, tried them on other platforms, and those that successfully worked on Zoom were sold on.

What can we learn?

The good news is that it is pretty easy to avoid this for your business. Yes, it’s a nuisance, but make sure your staff use unique, secure passwords for every account they have. Therefore, even if one of their personal accounts is compromised, their professional accounts should remain secure. You should also encourage that two-factor authentication is turned on wherever possible, as even if a hacker gets access to a password, it’s highly unlikely they also have access to your employee’s personal device to authorize the login.

Case study: Magellan Health

We’ve all heard tales of businesses being hit with ransomware. It can be nasty, as hackers encrypt your device and charge you to recover your data. But there is no guarantee they will release your data after a ransom is paid, or that they won’t grab a copy of your data.

What happened?

Magellan Health is a healthcare insurance provider, who in 2020 lost confidential information of over 350,000 people thanks to the work of cyber criminals. The hackers used social engineering to impersonate a client of the insurance provider and successfully installed malware onto the firm’s systems. They were able to obtain login credentials and access databases that contained information such as taxpayer identification numbers and social security numbers. This data was presumably sold on, and the ransomware held against Magellan provided the hackers with a further revenue stream.

What can we learn?

The lesson for your business is to know that anyone can be a target for hackers, no matter what industry you operate in or the size of your company. Cyber criminals don’t have morals when it comes to picking targets and making money. Make sure you have some cybersecurity basics in place – Cyber Essentials or ISO 27001 certifications are a good place to start. You can also help prevent social engineering by training your staff. A good cyber awareness training course can keep your staff clued up on cybersecurity best practices, and ensures they’re working with precaution to avoid interacting with anything malicious, such as phishing emails.

Case study: The NHS

As we learnt from the above case study, successful ransomware attacks can really devastate businesses with sky-high ransom payments, not to mention the loss of trust from customers as a result of a data breach. Another well known example of ransomware is the WannaCry ransomware of 2017 that got the NHS.

What happened?

The NHS was brought to a standstill after a hacker exploited an unpatched Microsoft Windows vulnerability in their systems and infected it with malicious ransomware. The NHS didn’t pay the ransom of the hackers, but that doesn’t mean it didn’t face huge disruptions. Not least to a disruption of services, but also an estimated financial cost of over £90million.

What can we learn?

All of this because of a missing patch in their systems. Which makes our advice for your business easy - patch, patch, patch! Patching involves updating software to include the latest bug fixes and security updates. So always ensure you’re running the most up-to-date and supported versions on your systems to avoid having vulnerabilities for hackers to exploit.