This year is set to be one of the most interesting for cybersecurity professionals and small businesses in the North East, Yorkshire and Humber region. Cyber attacks are becoming more sophisticated and small businesses need to be prepared.
Our cybercrime and prevention experts here at the NEBRC, along with our Board and Cyber Essentials Partner organisations, have collaborated to create the 2024 cyber threats for SMEs report. This report predicts the cybersecurity issues expected to grow over the next year and beyond. In addition, the experts have provided recommendations on how best to prepare for and prevent such threats.
It is often mistakenly assumed that cybercriminals will only go after large corporations; however, small businesses are at considerable risk. According to Hiscox’s latest Cyber Readiness Report (2023), there has been a “rise in the proportion of the smallest businesses being targeted”. Up by half in the past three years alone, the percentage of attacks is now 36% [1]. With many smaller businesses tending to have tighter margins and fewer resources to combat threats, any successful attack is likely to have an immediate and critical impact.
To help prepare your business, read our predictions and tips from industry experts, including senior members of the UK’s cybercrime police, ethical hackers, chief technical officers and more.
1) Deep learning systems capable of extracting sound data from keyboard inputs
Martin Wilson, Head of Student Services
Prediction:
Researchers have crafted a deep learning system, a type of artificial intelligence (AI), capable of extracting data from keyboard inputs. Essentially, this AI can predict typed content by interpreting the sound of your keystrokes. The ramifications imply that sensitive information like passwords or private messages could potentially be accessed. It is important to stress that this is just a theoretical finding at this stage, but it is a useful case study to demonstrate a wider point about the importance of some simple remote working precautions.
Guidance:
Always remain mindful of who is around during meetings or in your vicinity, and use privacy screens where possible. Exercise caution in your surroundings while conducting meetings.
Additionally, adopting alternative authentication approaches like biometrics or password managers, along with multi-factor authentication (MFA), can offer heightened security measures. This is the type of threat which may need factoring into your remote and flexible working policies in future, to ensure staff are aware and taking any appropriate precautions.
2) Supply chain cyber threats to move from emerging risk to a current and prevalent risk
Debra Cairns, Managing Director at Net-Defence and Advisory Board NEBRC
Prediction:
Supply chain risk has moved from an emerging risk to a current risk in the last 12 months and will continue to be a threat as we move into 2024. Most organisations are dependent on their suppliers to deliver products, systems and services, meaning that an attack on your supply chain could be as damaging as a direct attack on your business.
Once inside your supply chain, an attack can take many forms, including service interruption, data theft, or use as a stepping stone to directly access your systems and infrastructure or to launch a direct cyberattack. By coming through your supply chain, the attack can be incredibly difficult, and sometimes impossible, for the employee to detect.
However, if your supply chain has been compromised (customer or supplier) and the criminal has access to their email, your standard prevent and detect controls can be of little or no use. Authentication, authorisation and signature-based detection have all been compromised. Combined with the insider knowledge a hacked email account can provide an attacker, the communication patterns will not flag up anomalies.
Guidance:
The world now agrees that cyberattacks are inevitable; it is no longer a question of if they will happen, but when. The best form of prevention is through certifications such as Cyber Essentials and Cyber Assurance, as well as investing in training and awareness for your employees. Humans will always, by nature, be the weakest link in your security!
Ultimately you are looking for assurances that your suppliers take their cybersecurity as seriously as you do. One way to get this assurance is if your suppliers hold accreditations such as Cyber Essentials, Cyber Assurance and ISO 27001. In addition, here are some tips to help you manage your supply chain:
- Know your supply chain; not all suppliers are equal.
- Rank your suppliers based on the criticality of their service and their access to your systems and data.
- Include cyber security in your contract processes.
- Set minimum cyber security requirements (ensure they are justified and achievable).
- Complete due diligence.
- Request evidence from your suppliers on their approach to cyber security.
- Perform regular reviews; a lot can change over time.
- Note that managing supply chain risk is the same for all sizes of business.
3) AI social media information gathering will make phishing attacks almost undetectable
Martin Hart, MD at CyberShelter
Prediction:
AI is developing at a rapid rate and is being applied to existing cybercriminal tactics. We expect to see AI being used to gather much more personal and business information from social media, enabling phishing attacks to become even more difficult to spot and almost undetectable. The days of grammatically bad phishing attempts are coming to an end. This can become an issue for businesses, as collecting social information is just step one. Once credentials have been exfiltrated, further monetised attacks can start to happen.
Guidance:
To avoid falling victim, always confirm even slightly suspicious emails that ask for any data by some independent means, ideally with a phone call or by using multiple sources. SMEs will usually be more at risk than larger corporations due to the lack of available investment in protection-based technologies, but regular training can help your teams spot the warning signs and look after their data more effectively. Encourage your team to take a moment to stop, think and check before they click.
4) Increased uptake of two-factor authentication to reduce risk from AI threats
Marcus Dempsey, Director at InfoSec Governance and CE Partner NEBRC
Prediction:
This year there will be increased uptake of two-factor authentication within businesses, to reduce the risks posed by cybercriminals who are leveraging AI within attacks. This new and heavy reliance upon artificial intelligence, as well as increasing phishing, requires additional layers of protection. Businesses are already fighting a losing battle against cyber-related attacks; the use of AI is only going to make discovering attacks harder.
Guidance:
Awareness and training are the two best ways to combat this. Businesses should create and employ best practice when it comes to password security. People need to be made aware of what to look out for and what not to click on. Password best practices, such as the NCSC’s recommended three random words, and a secure internet presence are your first line of defence, and their importance can’t be stressed enough.
5) More opportunistic ransomware attacks aiming for data theft and exfiltration, rather than solely data encryption
Annie Miller, Marketing Manager at NGS
Prediction:
Ransomware will continue to wreak havoc this year, but in more sophisticated and opportunistic ways. By rapidly weaponising newly discovered vulnerabilities within hours, ransomware threat actors are gaining more substantial resources and aiming for data theft and exfiltration, rather than solely data encryption.
Data exfiltration allows victims to maintain the facade of data confidentiality, as threat actors can portray themselves as involuntary penetration testers. These cybercriminals exploit the victims by convincing them to pay the ransom to avoid fines, which is not only costly but time consuming to solve. In addition, employees are often told to keep cyber attacks quiet, but often the media can find out and report on them, causing harm to a brand’s reputation.
Guidance:
There are a few ways businesses can prepare and protect against these growing threats, from security posture reviews to awareness training, leveraging free resources and expertise, alongside regular housekeeping such as patching and updates.
- Security posture reviews: these are a detailed assessment of your full security posture, covering policy, processes, and technology platforms.
- SMEs are particularly vulnerable, due to having less resource to spend and allocate to cyber defences. Using free resources available from the NCSC, the NEBRC and the Cyber Security Information Sharing Partnership (CiSP), to name a few, can help provide advice and keep companies up to date with the latest threats.
- Security awareness training: whether you outsource or create a training programme internally, this reduces the number of human-related incidents and ensures employees understand how to responsibly handle data and combat data breaches.
- Regular patching, updating systems, and up-to-date antivirus and anti-malware software may seem obvious, but keeping up with cyber best practices is essential.
6) A pronounced shift towards passwordless authentication
Garry Brown, Managing Director at Bondgate IT and CE Partner at NEBRC
Prediction:
There will be a pronounced shift towards passwordless authentication in 2024, propelled by a surge in new members aligning with the FIDO Alliance.
We have gone through iterations of increased user authentication security, with complex passwords and MFA becoming more commonplace; however, these protection mechanisms no longer offer the highest level of protection. The biggest challenge service providers face is validating that we are who we say we are and that the individual requesting access is genuine.
2024 will herald the gradual obsolescence of conventional passwords, with passkeys or biometrics combined with time-based one-time passwords used to authenticate users, replacing traditional passwords and SMS- or e-mail-based MFA.
Guidance:
Businesses and stakeholders must recognise that the journey of cyber security is continuous, requiring sustained adaptation to stay ahead of evolving threats. Organisations must remain proactive: what served as effective protection in the previous year may inadvertently become a vulnerability in the current landscape. Embracing innovation and the evolution of passwordless authentication can help mitigate the risks that emerge in today’s rapidly evolving threat landscape.
When it comes to accessing systems or sensitive data, prioritising the most secure method is paramount, irrespective of any potential inconveniences or complexities. While more secure methods may require additional steps or processes, heightened security measures are a prudent and necessary safeguard against the potentially devastating impacts of unauthorised access and compromised data.
To avoid falling victim to cybercrime, SMEs should proactively allocate a substantial budget specifically for cyber security, on top of their usual IT budget. It is crucial to shift the mindset and understand that cyber security is an essential aspect for every business, regardless of size, dispelling the misconception that it is exclusive to large corporate entities.
7) Voice AI used within phishing and impersonation scams
Joe Cockcroft, Ethical Hacker, Service and Technology Supervisor at NEBRC
Prediction:
As a key theme in this year’s predictions, AI has already been incorporated into phishing emails, removing the usual tell-tale signs such as poor spelling, and advertising has seen the use of AI to impersonate celebrities. In 2024, however, this will be seen increasingly in connection with voice impersonation. Typically, a phone call can be used by businesses to confirm an invoice, or voice verification is used in places such as network providers and banking, so it won’t be too long before AI is being used to exploit these as well, if not already. I’m sure 2024 will see a rise in scams utilising voice AI to impersonate others, whether directly to the victim or as an impersonation of the victim.
Guidance:
If you are uncomfortable with using voice verification, consider asking the organisation offering this whether they support multiple factors for this purpose, for example having a code sent to you in addition to using your voice. Technology in this space will continue to improve, and it is likely that there is already work taking place to separate real voices from AI-generated ones. If you receive a phone call that you aren’t sure about, you should hang up and ring them back using a number you have obtained from a verifiable source.
8) Browser security innovation is going to be a focus for many IT and security vendors
Ray Stone, Chief Technical Officer at Data Connect Group and CE Partner at NEBRC
Prediction:
Browser security innovation is going to be a focus for many IT and security vendors. One particular angle will involve browser isolation technology, which contains web browsing activity inside an isolated environment (either locally or remotely on a server), like a sandbox or virtual machine. This is to protect computers from any malware the user may encounter.
Though this technology has been around for a while, it is expected to become more mainstream as key players start to amalgamate it into their standard web security offerings. The world has changed since the inception of this technology and it has in the past been seen as more of a luxury or even an inconvenience. With the adoption of remote working and user devices falling outside the protection of enterprise firewalls, the security of end-user devices has never been so important. Browsers are the gateway to the internet and the perfect place to embed more controls over content being accessed online.
Guidance:
Various standards and requirements allude to better control of browsers. For example, the Center for Internet Security (CIS) Top 18 security controls mention browser protections, and the UK Government’s Cyber Essentials Plus requires testing of all browsers independently, as protections between browsers can differ.
Anyone using Windows 10 or Windows 11 will be afforded some protection by Microsoft Defender, built into Edge, so ensure this is enabled. On top of that, many anti-virus solutions will offer some form of web protection to prevent users from visiting known, “bad” categorised sites.
There are also both free and commercial tools which can be used to better control and monitor internet access. Some tools operate at the DNS level, preventing access to malicious sites before the browser even tries to connect, while more traditional tools such as proxies do this as the browser connects. You should review your current business needs to find which innovations will best work for your team.
9) More believable ‘lookalike’ domains that play on human error
Jamie Robson, Professional Services & Cyber Security Manager, Aindale and CE Partner at NEBRC
Prediction:
There will be an increase in the sophistication of cyberattacks, including more believable ‘lookalike’ domains. Leveraging AI, domains will be created which are visually indistinguishable from genuine domains to deceive people, using methods such as homographs, combosquatting and typosquatting. These exploit slight oversights in varying digital interaction methods, and with the increase in sophistication this will result in greater success for the attackers.
These attacks don’t just impact the organisation at the time of the breach; there is also potential downtime whilst remediation is completed. Most phishing attacks target monetary gains directly and indirectly, for example by persuading your clients to pay into incorrect bank accounts.
They can also have a damaging effect on your brand reputation and can negatively impact consumer and partner trust. Where personally identifiable information (PII) is involved, this will need to be reported to the ICO and could result in a fine being issued. Furthermore, any breaches will likely result in an increased insurance premium for the organisation upon renewal.
Guidance:
User awareness is of paramount importance, as users are the first line of defence against these attacks. Enhanced training to counter these new techniques, and streamlined processes for reporting and removing potential threats from a user’s environment, are both needed.
Secure technical controls will minimise the reach of the compromise should it occur. Ensure that all avenues are as secure as possible against all attack vectors, through measures such as email security, DNS health checks, system hardening on devices and the principle of ‘least privilege’ when applying permissions.
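The three lookalike techniques named in this prediction (homographs, combosquatting and typosquatting) can be screened for mechanically against a short list of domains the business trusts, which is one concrete form the email-security and reporting controls above can take. The following is an added example, not code from the report, the NEBRC or Aindale; the trusted domains, the confusable-character table and the public-suffix list are small constructed subsets for demonstration.

```python
"""Flag lookalike domains against a trust list (added example, not NEBRC or Aindale code)."""
import unicodedata

# Constructed trust list: replace with the domains your staff actually deal with.
TRUSTED = ["nebrc.co.uk", "example-bank.com"]

# Constructed subset of Unicode confusables (Cyrillic letters that render like Latin ones).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0501": "d", "\u0455": "s"}
# ASCII pairs that read as one letter at normal screen sizes ("rn" for "m", "vv" for "w").
SEQUENCES = {"rn": "m", "vv": "w"}
# Constructed subset of public suffixes; multi-label suffixes must come before "uk".
SUFFIXES = ("co.uk", "org.uk", "ac.uk", "com", "org", "net", "uk")


def skeleton(label):
    """What the label looks like: fold compatibility forms, then map confusables."""
    s = unicodedata.normalize("NFKC", label).lower()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for pair, letter in SEQUENCES.items():
        s = s.replace(pair, letter)
    return s


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition, e.g. "nerbc"
    return d[len(a)][len(b)]


def registrable(host):
    """Split a host into (registrable label, public suffix) using SUFFIXES."""
    for suffix in SUFFIXES:
        if host.endswith("." + suffix):
            return host[: -len(suffix) - 1].split(".")[-1], suffix
    parts = host.split(".")
    return (parts[-2], parts[-1]) if len(parts) > 1 else (host, "")


def classify(host):
    """Return 'trusted', 'suffix-swap', 'homograph', 'typosquat', 'combosquat' or 'unrelated'."""
    host = host.strip().lower().rstrip(".")
    try:  # punycode (xn--) labels are decoded to the Unicode the user would see
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or malformed punycode: judge it as given
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    label, _ = registrable(host)
    for trusted in TRUSTED:
        t_label, _ = registrable(trusted)
        if label == t_label:  # same name, different suffix (nebrc.com vs nebrc.co.uk)
            return "suffix-swap"
        if skeleton(label) == skeleton(t_label):
            return "homograph"
        if osa_distance(label, t_label) <= (1 if len(t_label) < 8 else 2):
            return "typosquat"
        if t_label in label:  # brand name plus extra tokens, e.g. "nebrc-login"
            return "combosquat"
    return "unrelated"
```

Run `classify()` over sender domains and link hosts pulled from inbound mail, or over new registrations matching your brand, and route anything other than `trusted` or `unrelated` to your reporting process.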
10) SMEs will increasingly be targeted and many losses set to remain under-reported
Rebecca Chapman, CEO and Director at NEBRC and ex-police superintendent
Prediction:
The prevalence of attacks will continue unabated against all sizes of companies both through phishing and malware. An increasing number of smaller businesses will identify one or more breaches in their security, without having the correct measures in place to deal with them.
It is worrying that businesses won’t report these breaches to the authorities and many will go unrecorded. This then limits police intelligence which is needed to help allocate resources to this ever-growing area of crime.
Many SMEs believe that cyberattacks will not happen to them because they are too small, insignificant or not “cash rich”. Yet cybercriminals don’t differentiate based on this, and often the attacks are automated, casting a net far and wide. So these facts are irrelevant. If you are a small business that relies on a computer for stock ordering, invoices or even a diary system for customer appointments, these systems can be rendered useless should an attack happen. The average cost to an SME is around £3k, with some estimating that this number is even higher. This is a huge amount of money to lose in a small business.
Guidance:
There are a few simple steps that can help reduce these risks and the NEBRC free core membership sets these out, to help protect small businesses from the majority of online crime.
A key prevention tactic is to create a business continuity plan, to become more resilient and bounce back after an attack with minimum disruption.
Businesses can find protection measures that are easy to act upon within our little steps programme, which includes best practice regarding passwords, backing up data, patching, multi-factor authentication, phishing, access controls, disaster recovery planning, anti-virus/firewalls and more. All of these can be implemented without employing a cyber company.
11) Ransomware attacks will diversify, quishing and Business Email Compromise will evolve. Human risk management will progress with human risk professionals finding a seat at the leadership table.
Liz Murray, Enterprise Customer Success Manager at CybSafe and Advisory Board NEBRC
Prediction:
In 2024, we will see ransomware attacks diversify, with quishing (QR code phishing) and business email attacks becoming more common and requiring human risk management to become mainstream within the business and cybersecurity space.
In work, and in everyday life, everybody needs to be able to identify and know how to report cyber threats. QR code phishing, which involves placing QR codes that point to fake or duplicate websites designed to harvest credentials and steal money, is a growing trend. To combat this, workers and the public need to be more vigilant, checking that the websites these codes take you to are legitimate. It is far better to do an internet search and verify that you are accessing real websites for legitimate companies. The same can be said for email, messenger app, and SMS based attacks (phishing and smishing).
Guidance:
The evolution of ransomware attack delivery methods means that all businesses need to help their employees spot and prevent cyber attackers from penetrating their business systems and data. All sizes of business also need to have a rehearsed contingency plan in place just in case a ransomware attack proves successful.
Understanding, measuring and addressing the risk held, informing and educating all employees, whilst maximising technical protection, are key enablers in strengthening supply chain resilience.
SMEs are often third, or fourth, party suppliers to large complex organisations. Being able to demonstrate that the SME understands the risk, and takes actions that keep all elements of that supply chain secure, will increase the business that an SME is then able to win.
12) Employee cyber training to become more comprehensive to combat emerging 2024 trends
John Hay, Head of Information Security at Net-Defence and CE Partner at NEBRC
Prediction:
Keeping employees interested and informed is increasingly challenging, but training will play a crucial role in preventing attacks in the year ahead. This is especially important given the new and evolving threat landscape, with new and complex threats emerging.
In addition, organisations’ employees are busier than ever working on core business areas; however, it is when this happens that cyber security can fall by the wayside, training becomes deprioritised and human error becomes more likely.
Despite cutting-edge technological solutions, the human element remains a critical factor in cybersecurity. Small businesses often lack the extensive resources of larger enterprises, making them particularly vulnerable. Cybercriminals recognise this vulnerability and increasingly target employees through sophisticated social engineering attacks.
Guidance:
The best way to reduce this cyber risk is by empowering your workforce through comprehensive training. As threats evolve, so will your business’s cyber security needs, making training a strategic imperative. Cyber risk training should be included within new starter onboarding, plus regular training refreshers and updates must be a requirement for staff at all levels.
What’s clear from these trends is that cyber risk is evolving at a fast pace with the increased threat of AI and more sophisticated attacks that are difficult for humans to identify. These threats are as valid for large organisations as they are for small businesses and demonstrate a clear need for training and continuity planning.
Don’t think because you are small that you are at a lower risk. Be prepared and train your staff, however few, on what to look out for. If you want any further advice please contact us at [email protected] or sign up for affordable cyber services and police-led advice through our FREE core membership.
References:
1) Hiscox, Cyber Readiness Report 2023 – https://www.hiscox.co.uk/sites/default/files/documents/2023-10/Cyber-Readiness-Report-2023-UK.pdf
2) Bleeping Computer, New acoustic attack steals data from keystrokes with 95% accuracy – https://www.bleepingcomputer.com/news/security/new-acoustic-attack-steals-data-from-keystrokes-with-95-percent-accuracy/