Cyber threats are growing year on year, so it follows that 2019 brought the most threats ever for businesses. As the year draws to a close, we’re reflecting on the top cyber security threats that we observed, and we’ve included some tips on how SMEs can protect themselves.

#1 Confusion from users / human behaviour

For businesses, the vast majority of cyber breaches happen when an employee clicks on a bad link. Unfortunately, automated email protection is improving, but the solutions still aren’t perfect; they don’t and can’t pick up 100% of the spam containing dangerous links.

Proofpoint’s Annual Human Factor report found that 99% of email-based cyber attacks use macros that require a human to click on a link.

Solution: Companies should ensure that every employee has basic training in cyber security. We offer a popular training course for non-technical employees – which gives employees the knowledge and insight they need to protect themselves and the business. Training can help administrative or finance staff members, for example.

NSCS’s free online workshops, Exercise in a Box, can also help companies to audit their human factors in cyber security.

#2 Business email compromise

For bad actors, corporate email systems are an entrypoint for an attack. Oftentimes, we’re seeing that companies are allowing weak passwords to be used, leaving corporate emails vulnerable to attack and impersonation for invoice redirection and other fraud. Also, companies might lack a system for effective multi-factor authentication.

Solution: Two-factor authentication should always be used where possible and practical – there are guides available for the majority of services at https://twofactorauth.org/. As we explain below, it’s also sensible to make sure that users understand how to create and store effective passwords.

#3 Cloud infrastructure

Every year, more business processes are being pushed into the cloud. 2019 was very much the year of serverless technology and cloud infrastructure. AWS and other cloud service providers offer security at the infrastructure level, as part of their customer contracts. But security at the application level is still the responsibility of the customer.

Basic issues of security are sometimes not discovered because, while in the cloud, they are less visible than on-premise technology. In 2019, a McAfee study found that only 26% of companies had the ability to audit their use of the cloud.

Solution: We are one of Belfast’s only AWS Select Consulting Partners that specialize in cyber security. We offer complete cloud infrastructure penetration testing. For AWS customers, they should make themselves aware of the terms of the Shared Responsibility Model.

#4 Password misuse

Sharing passwords amongst multiple external systems – this common, but troublesome behaviour means that, if hackers determine your password, they can try it successfully with all of your external systems.

Solution: In our view, the most important password anyone owns is their email account – if hackers can get into your email, they can use password reset functionality and start to gain access to many of your other systems.

The introduction of password managers will help ensure your team members start to use individual & strong passwords for each service and system they have access to. Last Pass or Dash Lane are two recommended password managers.

#5 Security flaws with online systems

We’ve also seen many instances this year of applications not going through appropriate testing. Basic problems can be missed if web and mobile applications aren’t tested for security. We work with companies of all sizes, and have found that most suffer from flaws that should be picked up earlier.

Solution: Penetration testing for web and mobile applications. Our human-focused approach means that analysis & reports are written for humans, by humans.

BONUS: Lenovo hard-drive vulnerability

At the start of 2019, our researchers discovered a vulnerability with Lenovo hard drives that left SMEs all over the globe open to attack. Lenovo issued a patch following our responsible disclosure of the fault with our partners at Whitehat.

Solution: Always patch your devices. Be aware of when your devices have last been updated, and turn on automatic security updates. With very old devices, you may need to contact the manufacturer to check the current security requirements.