A Guide to Cyber Security

By Luke Watts // 14th November 2019

Like eating your 5-a-day, we all know that we should be keeping our Cyber Security in check, but for many, it often falls under that all too familiar ‘I’ll start on Monday’ ethos. However, cyber threats such as phishing attacks are more prevalent than ever.

At RoundWorks, you could say we know a thing or two about Cyber Security. So, join us as we walk you through some of the most common cyber threats to be wary of and how to stay properly protected!

Graph showing an increasing number of cyber attacks against businesses

What are Cyber Attacks?

By definition, cyber attacks are malicious actions that seek to either damage or steal data and generally disrupt normal operations. With endless access to online channels, technology and other useful tools and resources, it’s only natural that we make use of these in everyday life. However, these great leaps forward have also opened doors to areas of vulnerability.

Types of Cyber Attack

Cyber attacks can come in many different forms, from dangerous code to attackers using social engineering to access the information that they want. Here are a few of the more common types of cyber threat that you and your business are likely to encounter.

Malware

Malware is a type of malicious code or computer programme that is designed to interrupt the way your computer operates. It works by either inserting or attaching itself to a legitimate programme or document. Computer viruses have the potential to corrupt data beyond repair and damage the computer’s system and software. Viruses can spread through emails, text messages, downloadable files and even social media scam links.
There are many different types of malware such as:

  • Ransomware: Ransomware is a form of malicious software that is designed to block computer access while also threatening to publish users’ data until a ransom is paid in full. Ransomware can be spread through phishing emails, downloading content from an unreliable source or simply visiting an infected website.
  • Spyware: Spyware is malicious software that is designed to infiltrate your device and gather data about you, which is then sent to a third party without your consent or awareness. Spyware can leave you open to potential data breaches and data misuse; the software also impacts how your device performs. The main goal of spyware is to obtain a user’s credit card details, banking information and website passwords.
  • Viruses: A computer virus is a type of malicious code or program that is designed to alter the operation and performance of your computer and to spread from one device to another. Computer viruses have the potential to cause unexpected damage such as system corruption, destroying personal and device data, slowing down the system and even logging keystrokes.
  • Trojans: A trojan, or trojan horse, is a form of malware that looks legitimate but can take control of your computer. The trojan is designed to damage and disrupt performance, steal data and even carry out harmful actions on your network. A trojan is a trick: scammers can replicate emails that appear legitimate when, in fact, they are designed to install malware on your device without your knowledge.
  • Worms: A computer worm is another type of malware that produces and spreads copies of itself from computer to computer. A worm can replicate itself with no human interaction after breaching a system. A worm can arrive as an attachment in a spam email; once opened, the worm automatically downloads and begins to infect the device without your knowledge.
  • Keylogger: Keylogging, or keystroke logging, is designed to create records of everything you type on a computer keyboard. Keyloggers are used to quietly monitor your computer activity while you use your device as normal. Hackers use this to acquire people’s personal information; the data recorded is logged and sent to a server where cybercriminals can begin to make use of the sensitive information collected.
  • Adware: Adware (also known as advertising-supported software) is software that displays unwanted and annoying pop-up adverts on your device. It can even change your browser’s homepage and add spyware to your device. Adware is not quite a virus, but all the code that it uses on your browser can cause longer-term problems for your computer such as performance decline and consistent crashing.
  • Rootkit: A rootkit is a type of malware that gives hackers access and control over a target device; they can even disable installed security software. The majority of rootkits affect a computer’s software and operating system, but some can infect the device’s hardware and firmware. Rootkits are adept at hiding their presence while remaining active. Once installed on a device, a rootkit is used to steal personal and financial information.
  • Ghostware: Ghostware is a type of rootkit and is designed to keep the hacker and malicious code hidden while breaching your device’s security measures. Hackers use Ghostware to seize full control of your computer; they can easily transfer sensitive files and confidential login information, all while your security software reports no errors.

Phishing Attacks

Phishing is a type of cyber attack that typically disguises itself as a trusted entity in order to steal sensitive information such as bank details. Phishing attacks are typically spread through email or text message and are often difficult to distinguish from genuine messages. Always check directly with the individual or organisation before disclosing sensitive information in response to an unexpected request.

Types of Phishing Attack

Social media phishing

Social media phishing refers to an attack which is executed on a platform such as Facebook, Twitter, Instagram or LinkedIn with the purpose of stealing personal data or gaining control of your social media account. Social media phishing comes in various forms, such as links in posts which appear legitimate, fake accounts which could even be of people you know, fake recruiters on LinkedIn who may send malicious documents that you download, and fake login pages that are designed to steal your account details.

Vishing

Vishing, also known as voice phishing, is the use of phones to conduct phishing attacks. These attacks come from people claiming to be from reputable companies such as banks and phone providers. They will try to access your accounts by asking security questions or asking you to provide login information so they can ‘fix’ your account when, in fact, they are compromising your financial details. Vishing attacks can also arrive by text with a fake one-time verification code.

Spear phishing

Spear phishing is an email that appears to be from a trusted source, when in fact it’s from a scammer pretending to be the company you think it is. Cybercriminals use these to obtain financial and personal information or to install malware on your device. Always check the email for any signs of spear phishing, such as misspellings and odd-looking URLs, before clicking any links within the email.

Whale phishing

Whale phishing is targeted towards CEOs and business owners. Common whale phishing examples are emails requesting payments and emails pretending to be from a client of the business to gain access to personal and financial information. Whaling attacks are specifically aimed at people with high authority within a business. These staff members are more likely to pass the request down to other staff members, who are not likely to suspect any criminal activity while executing the orders of staff members above them.

Smishing

Similar to vishing, smishing is the practice of sending fraudulent text messages pretending to be from reputable companies in order to gain personal and financial details. Common acts of phishing are one-time passcodes you didn’t request and fake parcel delivery texts which require a payment.

How to Spot Phishing Scams

Being able to spot a phishing scam is important for your own privacy and security. When receiving an email that you may be unsure about, always check the email address of the sender to be sure that it is legitimate and matches the address of previous emails or records.

Within the email, it is good practice to check over contact information such as name, email address, phone number and address to spot any potential spoofs. If a new email is received from a client requesting an unknown payment, for example, be sure to contact them by phone before completing the payment to ensure it’s legitimate.

As phishing emails may contain URLs, always check these before clicking to ensure they are legitimate. Look for any spelling mistakes, odd URL structure or any kind of tracking code that may be at the end of the link, as this may be fraudulent. Grammar and spelling errors are common across phishing emails; a quick proofread for any stand-out errors will help you determine whether the email is harmful or safe.

As malware and malicious code can be shared via documents attached in emails, scan attachments before opening and look for anything that seems off, such as an unusual file name or code in the file name. Be cautious of attached documents that have no relation to either party or the email chain.
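The manual checks above (sender address against your records, link text against the real destination, attachment file names) can also be run automatically. The following Python sketch is an added example, not RoundWorks code; the known-domain list, the risky-extension list, the similarity cutoff and the sample message are all assumptions constructed for illustration.

```python
import re
from difflib import get_close_matches
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

KNOWN_DOMAINS = ["example-client.co.uk"]  # assumption: domains on record for this contact
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".bat")  # assumption: illustrative, not exhaustive

# Constructed sample message for illustration; not a real email.
SAMPLE = '''From: "Example Client Accounts" <accounts@examp1e-client.co.uk>
Reply-To: payments@mail-example.net
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html

<a href="http://examp1e-client.co.uk/pay?id=77">https://example-client.co.uk/pay</a>
--B
Content-Disposition: attachment; filename="invoice.pdf.exe"

placeholder
--B--
'''

def domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def check_email(raw, known=KNOWN_DOMAINS):
    msg, flags = message_from_string(raw), []
    sender = domain(msg.get("From", ""))
    if sender not in known:  # compare the address, not the display name
        near = get_close_matches(sender, known, n=1, cutoff=0.85)
        flags.append(f"sender lookalike of {near[0]}" if near else "sender not on record")
    reply = domain(msg.get("Reply-To", ""))
    if reply and reply != sender:
        flags.append("reply-to differs from sender")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):  # also catches double extensions like .pdf.exe
            flags.append(f"risky attachment: {name}")
        if part.get_content_type() == "text/html":
            for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', part.get_payload(), re.S):
                shown, target = urlparse(text.strip()).hostname, urlparse(href).hostname
                if shown and shown != target:  # visible URL and real destination disagree
                    flags.append(f"link text shows {shown} but goes to {target}")
    return flags

if __name__ == "__main__":
    print(*check_email(SAMPLE), sep="\n")
```

Each flag is a prompt for a human check, such as the phone call to the client recommended above, rather than a verdict on the email.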

DoS/DDoS

A Denial-of-Service (DoS) attack is a cyberattack that is designed to shut down a machine or an entire network, making devices inaccessible for users. DoS attacks work by overloading the target with traffic or sending information that causes the machine to crash or shut down completely.

There are two main types of DoS attacks which are flooding and crashing. Flooding takes place when the system receives too much traffic for the server to digest, causing the device to gradually slow down and eventually stop running. Crash attacks are where an input is sent that takes advantage of bugs in the target and causes the device to crash to a level where it can’t be accessed and is unusable.

A Distributed Denial-of-Service (DDoS) attack is where an attacker floods a server with internet traffic to prevent users from accessing connected online services and sites. DDoS attacks use multiple infected computer systems (known as a botnet) as sources of attack traffic. These send requests to the affected server simultaneously, causing it to overload or temporarily crash, which results in a denial-of-service for normal traffic.

Because each device attacking the server is a real internet device, separating attack traffic from normal user traffic can be difficult and time consuming.

Exploits

A computer exploit is a piece of code that takes advantage of a software or security vulnerability to cause unanticipated device behaviour. Exploits usually take place without the user’s knowledge. Attackers exploit vulnerabilities in a network or IT system to get remote access to a network, give themselves higher-level access and either manipulate or steal information.

Why Do Cyber Attacks Happen?

While most cyber attacks are criminally or politically motivated, some cyber criminals simply enjoy the thrill and sense of achievement that comes with breaching a computer system or network. However, when it comes to why they can occur, the answer lies within the vulnerabilities of the system or network itself.

When looking to breach a system, hackers will often look for those that have poor security with outdated software or operating systems. The reason that this happens is that older, more outdated systems will not have as much support as newer systems meaning that exploits and backdoors into them are more common.

Human error also plays a big role in the causes of cyber attacks, whether this be through lack of training or lapses in judgement. If a user is unaware of what to look out for, then they may well click a link or install an email attachment that contains malware, thereby infecting their PC.

How Common are Cyber Attacks?

Cyber attacks are likely more common than you might think. According to the Department for Digital, Culture, Media & Sport, four in ten businesses (39%) and a quarter of charities (26%) in the UK report having cyber security breaches or attacks in the last 12 months.

Unfortunately, the cyber threat is only becoming greater. Data from ONS suggests that crimes relating to computer-misuse have increased by 85% since 2019, with “Unauthorised access to personal information (including hacking)” increasing 162% in the same period of time.

However, some industries and businesses are more at risk of a cyber attack than others. CyberEdge Group’s 2021 Cyberthreat Defence Report found that education is the most at-risk industry with 92.3% of educational institutions reporting at least one attack in the last 12 months.

Graph showing the percentage of organisations that were compromised by industry

How Can Cyber Threats Be Managed?

Now that we have outlined some of the most common threats and how they could affect your daily operations, let’s take a look at some ways you can keep both yourself and your business protected from unwanted breaches.

Practice Good Password Management

It may sound simple, but it’s often the shortest hurdles that can trip us up in the sprint towards success. If you are notorious for using the same password for every account or simply choosing easy-to-guess passwords, then you are quite simply playing with fire.

Eight characters are simply not enough in this day and age. Utilising tools which automatically generate strong and unique passwords is essential.

However, if you decide to manage passwords yourself, here are some basics that must be followed:

  • Opt for long passwords, ideally with at LEAST 20 unique characters.
  • Use a mix of letters, numbers and symbols.
  • Do not use the same password for various accounts.
  • Do not share your password.
  • Change your password every 3-6 months.

Invest in IT Security Systems

When it comes to IT Security, many individuals automatically just think about anti-virus. I mean how much more could there be to IT Security, right?

You may be surprised to know that IT Security expands much further than just simple anti-virus software. Depending on your business’ needs and requirements, you may need a little more security than you thought.

Here are some of the services you could expect from a fully comprehensive protection package:

  • Managed Security Firewalls-as-a-Service
  • Managed Email Filtering & Security
  • Managed Web Filtering
  • Managed Full Disk Encryption

Implement Robust Backup Processes

When things are ticking along nicely, it can be difficult to consider what eventualities lie ahead if the worst were to happen. But should disaster strike, it is imperative to have the correct processes in place to help you get back on your feet quickly and with as little disruption as possible.

Take a look at our full Disaster Recovery Plan Guide for a full step-by-step guide.

Keep Your Software & Operating Systems Up to Date

We’ve all postponed an update or two in the past. Whether it’s been on our mobile phones or computers, they always seem to crop up when you’re busy.

But did you know that by delaying an update, you are actually putting your business in harm’s way?

Postponing essential security updates and bug fixes could, in fact, leave your network vulnerable to a whole host of cyber-attacks. Keeping your system in shape could be the difference between experiencing detrimental downtime or not, so ensure you’re always up-to-date.

How to Identify Cyber Attacks

In the case of cyber attacks, a good offense is the best defence. Ensuring that your staff are appropriately trained and understand what to look out for goes a long way in identifying and preventing cyber attacks.

Ensuring that your systems have adequate security and are regularly updated will also help you steer clear of any cyber threats. However, here are some things that you should look out for if you’re still worried about a cyber attack:

  • Unusual password activity
  • Suspicious popups
  • Slower than normal network speeds
  • Mysterious emails

What Data Should You Protect?

As a business, you should protect all information that could be deemed identifiable. This includes:

  • Names
  • Addresses
  • Emails
  • Telephone numbers
  • Bank and credit card details
  • Health information

In the UK, there are a number of pieces of legislation that are in place for data protection. The main piece of legislation is the Data Protection Act 2018. The Data Protection Act outlines how data should be stored, transferred, and maintained. If you’re found to be in breach of this legislation, you and your business can face hefty fines!

Need A Hand with Cyber Security?

Stumbling through the dos and don’ts of cyber security can be a stressful and time-consuming task.

If you’re concerned about your security hygiene, or simply want to have a natter about your business’s requirements, get in touch with the RoundWorks team today. An expert advisor will be sure to walk you through some cyber security basics.

Get in touch today or visit our Cyber Security service page where you can learn more about what we can do for you.
