Essential 8 is more than just a checklist of cybersecurity controls. Here’s how it can help your business get on top of your cyber risk and stay that way.
What is Essential 8?
Essential 8 is an Australian Cybersecurity Centre-developed cybersecurity framework, proven to mitigate online threats and improve organisations’ defences. It focuses on eight key controls that are crucial for preventing cyberattacks.
Essential 8 has three maturity levels and organisations must achieve each to reach full alignment. The three steps to full maturity are:
Maturity level one: partial alignment
Maturity level two: substantial alignment
Maturity level three: full alignment
However, full alignment is considered the ‘optimal’ security level, with all Essential 8 controls set up, and it’s what you should ultimately be aiming for.
How Essential 8 can help your business manage cyber risk
Make your business more secure
The most important benefit of Essential 8 is also the simplest. Essential 8 is proven to help businesses establish a strong security foundation. Provided you properly implement its security controls, your business will be better prepared to identify, prevent and respond to threats.
Reduce the risk of breaches
Essential 8 focuses on the critical security elements most likely to prevent a breach. For example, its controls include regularly patching applications and setting up multi-factor authentication (MFA). These simple but effective strategies dramatically reduce the risk you’ll be breached.
Protection from financial damage
Full disclosure, getting aligned with Essential 8 isn’t cost-free. However, the outlay is minimal when compared to the potential price of a breach. The average cost of a data breach in Australia has skyrocketed by 32% in the last 5 years, reaching $4.03 million.
Of course, this number is skewed by Australia’s biggest businesses. However, the picture isn’t much better if you’re a small business. Recent data reveals that even small businesses can expect an average loss of $46,000 per attack.
Essential 8 can help you develop a security baseline to prevent a breach from happening in the first place. And this could save you a lot of money in the long run.
De-risk incidents
Every business hopes to avoid ever being breached. However, if it does happen, how you respond in those crucial early minutes and hours will often determine the success of your recovery.
By working through the Essential 8 Maturity Model, your business will develop a cast-iron incident response plan. This not only means you’ll be able to respond quickly and effectively but also recover well, making minor security incidents far less risky to the overall health of your business.
Building on Essential 8
Essential 8 can help you lay the foundations of effective cyber risk management. But, cybersecurity is about consistency. There’s little to be gained in setting up effective security, only to let it lapse once the maturity process is complete.
How do you ensure that the Essential 8 controls are in place year-round? This is where cyber risk management tools like CyberSmart Active Protect can help. Active Protect provides always-on device, user and application vulnerability scanning – ensuring the controls you’ve put in place remain so 24 hours a day.
And, Active Protect goes beyond technical controls. Having confidence in your cybersecurity requires building a secure culture, so we help you build it with bite-sized cybersecurity training for your stuff and a policy creation and management tool.
CyberSmart and HAT distribution approach Essential 8 assessment differently. We offer unlimited support, an easy-to-use assessment platform and round-the-clock protection from our risk management tool, CyberSmart Active Protect. Get in touch to find out more.
The Essential 8 maturity model is fast becoming the baseline standard for Australian cybersecurity. But do you need to do it? And which sectors is Essential 8 mandatory for? Read on for everything you need to know.
What is Essential 8?
Essential 8 is an Australian Cybersecurity Centre-developed cybersecurity framework, proven to mitigate online threats and improve organisations’ defences. It focuses on eight key controls that are crucial for preventing cyberattacks.
Essential 8 has three maturity levels and organisations must achieve each to reach full alignment.
Which industries are Essential 8 mandatory for?
Federal Government
Essential 8 is mandatory for all government entities, departments, and agencies subject to the Public Governance, Performance and Accountability Act 2013 (PGPA). The same is true for any business that works with the Australian government. So, if your business is a supplier to the federal government, you likely need to adopt Essential 8 controls.
Industries
Essential 8 can also help businesses in some industries meet regulatory requirements. For example, while Essential 8 isn’t mandatory for financial institutions, many of its controls meet industry regulatory requirements, making it an easy way to remain compliant.
The same is true for industries such as healthcare and defence. Although it’s not yet mandated, most regulatory bodies expect member organisations to complete Essential 8 or have equivalent controls as a minimum standard.
What if Essential 8 isn’t mandatory for my organisation?
What if your organisation isn’t among those listed above? Is Essential 8 still worth doing?
The short answer is yes. Every organisation, whether large or small, could benefit from implementing Essential 8 controls. The Australian Signals Directorate (ASD) endorses it as the cybersecurity baseline for every organisation. And, even if your sector doesn’t mandate it, it’s well worth doing to ensure your organisation is well protected from cyber threats.
What are the benefits of Essential 8 compliance?
You’ll be more secure
Essential 8 helps you put a strong security foundation in place. When its security controls are properly implemented, your organisation will be far better prepared to identify, prevent and respond to attacks.
Reduced risk
Essential 8 focuses on critical elements of your security like regularly patching applications and implementing multi-factor authentication (MFA). These and other controls dramatically reduce the risk of a breach.
Cost-effectiveness
Although getting fully aligned The Essential 8 requires some investment, it pales in significance compared to the potential cost of a breach. KPMG estimates that the average cost of a cyber attack for Australian businesses is $276,323, with 53% of this spent on detection and recovery.
You might think that only applies to large organisations. But, sadly, the picture isn’t much better for small businesses. Recent data reveals that even small businesses can expect to suffer an average loss of $46,000 per attack. Putting in place proper security controls can help prevent a breach in the first place, saving your organisation money in the long run.
Assure customers and partners
Cybersecurity and data protection have never been more important to potential customers. Research shows that 60% of men and women are more concerned about their personal data than a year ago and this figures into decisions about who they do business with.
Being fully aligned with The Essential 8 can help assure potential customers and partners that your business is safe to work with.
Better response to incidents
Every business hopes to avoid ever being breached. However, you need to be prepared
should the worst-case scenario happen
By working through the Essential 8 Maturity Model, your business will develop a cast-iron incident response plan. This means you’ll be able to respond quickly and effectively after an attack.
How do you go about achieving Essential 8 maturity?
First, find an assessor to take you through the process. Essential 8 is an assessment process with a question set for each maturity level. You’ll need to answer and provide evidence for each of the questions as you progress through the maturity levels.
We recommend reading this resource from the ASD to get an idea of the evidence you’ll need to be able to provide.
If that sounds a little scary, it doesn’t need to be. Most of the controls included in Essential 8 are very easy to set up and maintain but it’s worth going for an assessor that offers support alongside the questionnaire.
CyberSmart and HAT distribution approach Essential 8 assessment differently. We offer unlimited support, an easy-to-use assessment platform and round-the-clock protection from our risk management tool, CyberSmart Active Protect. Get in touch to find out more.
The Essential 8 maturity model is a set of cybersecurity steps or ‘controls’ designed to help organisations create layers of protection for their data. These essential strategies make it much more difficult for the bad guys to compromise your systems and steal data.
Essential 8 has three maturity levels (more on which later) and organisations must achieve each to be considered ‘fully aligned’ with its security controls. Read on for everything you need to know about Essential 8 and why you need to implement it.
Why was Essential 8 created?
Cybercrime is rising in Australia, with 94,000 reports made to law enforcement in 2023 (or one every 6 minutes). To counter the growing cyber threat, the Australian Cyber Security Centre (ACSC) published its Essential 8 list in 2017.
And, much like Cyber Essentials in the UK, the model focuses on the baseline cybersecurity controls and techniques organisations need to protect themselves from most cyber threats. Think of it as ‘cyber hygiene’ – the things your organisation needs to have in place to ensure its ongoing security health.
What does the Essential 8 maturity model include?
We’ve tackled why Essential 8 was created, and now let’s look at the controls included.
Application whitelisting
This is key in preventing unapproved or malicious programs from running.
Patching applications
Regularly applying updates to operating systems and applications can protect you from known vulnerabilities.
Configuring Microsoft Office macro settings
Blocking unauthorised macros(automation of a repetitive computing task) prevents cybercriminals from executing malicious code.
User application hardening
This configures web browsers to block or uninstall Flash, ads, and Java, reducing the risk of cybercriminals being able to launch an attack through malicious code.
Restricting administrative privileges
Restricting admin privileges ensures that your people only have access to what they need to do their job, reducing the damage a cybercriminal can do should they get past your defences.
Multi-factor authentication (MFA)
MFA adds an extra layer of security would-be-hackers have to get past, better protecting sensitive data.
Daily backups
Daily backups do exactly what it says on the tin. Backing up regularly ensures you can still access crucial company data post-incidents like ransomware attacks. It’s absolutely essential to getting your business back up and running after a breach.
What are the three levels of maturity?
As we mentioned earlier, getting to Essential 8 maturity is a process. The three steps to full maturity are:
Maturity level one: partial alignment
Maturity level two: substantial alignment
Maturity level three: full alignment
However, full alignment is considered the ‘optimal’ security level, with all Essential 8 controls set up, and it’s what you should ultimately be aiming for.
Why should your business achieve Essential 8 maturity?
The Essential 8 helps your organisation put in place the core strategies to protect itself from cyber threats. It’s crucial in defending against threats like ransomware, phishing and malicious insiders.
It will help you safeguard customers’ sensitive data and comply with Australian government regulations – more on which in the next section. But these aren’t the only benefits, reaching Essential 8 maturity demonstrates to customers and partners that your business takes security and data protection seriously – potentially giving you an edge over competitors who don’t.
Is Essential 8 mandatory?
Essential 8 is a compliance requirement for some industries, such as financial services, defence and healthcare. It’s also mandated by the Australian Federal Government for all departments, alongside extra requirements laid out in the Protective Security Policy Framework Directive.
For any organisation outside of those listed, Essential 8 isn’t currently mandatory. However, the Australian Signals Directorate (ASD) endorses it as the cybersecurity baseline for every organisation. Therefore, even if you’re not part of a sector that mandates it, it’s well worth doing to ensure your organisation is well protected from cyber threats.
How do you go about achieving Essential 8 maturity?
First of all, find an assessor to take you through the process. Essential 8 is an assessment process with a question set for each maturity level. So, you’ll need to answer and provide evidence for each of the questions as you progress through the maturity levels.
We recommend reading this resource from the ASD to get an idea of the evidence you’ll need to be able to provide.
If that sounds a little scary, it doesn’t need to be. In reality, most of the controls included in Essential 8 are very easy to set up and maintain but it’s worth going for an assessor that offers support alongside the questionnaire.
CyberSmart and HAT distribution approach Essential 8 assessment differently. We offer unlimited support, an easy-to-use assessment platform and round-the-clock protection from our risk management tool, CyberSmart Active Protect. Get in touch to find out more.
Malware-as-a-Service and the rise of DIY cybercrime
Cybercriminals are always looking for the next sophisticated method to target businesses. And as a small business owner, it can sometimes feel impossible to keep up with the latest developments. However, knowledge is power, which is why we bring you regular updates. Let’s explore the latest trends in DIY cybercrime and Malware-as-a-Service, and how to mitigate them.
What is Malware-as-a-Service?
Malware-as-a-Service (MaaS) is a business model used by cybercriminals known as MaaS operators. MaaS operators lease their software, hardware, and related infrastructure to others for a fee. This enables malicious criminals to distribute pre-made malware, even with minimal coding skills.
You might’ve heard of similar terms like a Software-as-a-Service model, where an end-user purchases a pre-made software solution for their business or personal use. MaaS is the same concept but with malicious software. MaaS operators distribute the software on the dark web and sometimes even provide customer support to nefarious clientele.
DIY cybercrime, or do-it-yourself cybercrime, is where a cybercriminal uses a pre-made solution to execute malicious activity. For example, they purchase ready-to-use Malware-as-a-Service, quickly get it up and running, and then use it to distribute malware to their target.
The worrying thing about DIY cybercrime is that anyone can purchase and use an off-the-shelf tool. It has never been easier for criminals to distribute malware, engage in phishing, and more.
At this point, you might be shaking your head and thinking, ‘D-I-WHY?!’ But don’t worry, all is not lost. You can dramatically reduce the threat to your business by putting the correct cybersecurity solutions in place.
Malware-as-a-Service examples
ZeuS/ZBOT
ZeuS, or ZBOT, is a MaaS package that runs on Microsoft Windows. It was designed to steal sensitive information like banking credentials. First detected in 2007, it has successfully targeted large organizations like Amazon, Bank of America, and NASA.
SpyEye
SpyEye is a computer program that infects victims’ devices and steals sensitive data. In a rare case of justice, the creator of SpyEye was caught and sentenced to nine and half years in US federal prison. However, this hasn’t stopped the presence of SpyEye across the internet.
Blackhole Exploit Kit
Released on an underground Russian hacking platform, Blackhole Exploit Kit made up 29% of all web threats in 2012, making it a significant threat. Since then, the exploit kit model has continued to transform and is still widely used by cybercriminals.
How to prevent Malware-as-a-Service attacks
Like all criminal activity, MaaS isn’t a threat that’ll soon disappear. But there are several simple steps to protect your business. Here’s what we think you should prioritise.
Educate employees
Most people don’t have in-depth knowledge of malware and DIY cybercrime. Due to the ever-changing nature of cybercrime, your employees must play a part in protecting your business. Make sure people know how to spot a malware attack in your business and provide them with training and resources so they stay informed.
Complete a cybersecurity certification
A cybersecurity certification, like Cyber Essentials, is an excellent way to quickly implement robust security measures in your business. This is because the steps to qualify help you attain certification status and proactively mitigate against malware.
Additionally, many companies find that the steps help them identify overlooked vulnerabilities in their business that they might otherwise be unaware of. It covers a broad range of factors like:
Certification is a great starting point for putting in place the right defences and building your cyber confidence. However, cybercriminals won’t only attack on certification day, so you need a way of monitoring your defences year-round. You could approach this manually, but beware it’ll be time-consuming and require familiarity with cybersecurity best practices.
An alternative is to use a cybersecurity monitoring service, like CyberSmart Active Protect, which checks for vulnerabilities around the clock and ensures everyone in your business is working safely. Likewise, a vulnerability management tool can help you get ahead of the latest developments in cybercrime.
Want to know more about the threats facing small businesses like yours? Then have a read of our SME cost of living crisis report. It’s packed full of insight into how small businesses are defending themselves during an economic downturn.
For many people, hearing the phrase ‘spear phishing’ conjures up images of intrepid divers hunting for their dinner in azure seas. However, much like ‘trojan horse’ the term has come to meet something quite different. According to research, 50% of businesses were victims of spear phishing in 2022, with the typical organisation receiving 5 attacks daily. So the threat is real. But how does a spear phishing attack work? How does it differ from a phishing attack? Most critically, what can your business do to protect itself?
How a spear phishing attack works
Spear phishing is a form of phishing attack. However, unlike the ‘spray and pray’ approach of a conventional attack, spear phishing targets specific individuals, usually within a single organisation. The ‘spear’ in its name reflects this specific targeting. A spear-phishing attack typically aims to gain privileged access. This is used to steal sensitive data or infect the target (and often their wider network) with malware.
Unlike your common-or-garden phishing attack, spear phishers assiduously research their targets. They do this so that the eventual attack appears to come from a trusted source, such as a boss or client. Spear phishing also uses social engineering techniques to dupe the victim into clicking on a link or granting access.
We’ve established what a spear phishing attack is, but how do they work? Typically, a spear phishing attack has five stages. These are:
1. Goal setting
The first stage is a simple one. After deciding to turn to crime, the bad guys start by plotting out what they want to achieve with the attack. It could be stealing ransomable data, causing disruption or myriad other goals.
2. Picking the target(s)
This stage usually involves a round of preliminary research. Which organisation should they target? Who works at the business they want to target? Are they likely to have access to the data or systems they want to access? Who are the senior leaders within the target organisation? How can they be reached?
These are the questions a cybercriminal will seek to answer as they lay the groundwork. Once they have, it’s time to go a level deeper.
3. Building a profile of the victim(s)
By now, the cybercriminals should have a solid idea of which organisation they want to attack and who within it makes the best targets. Next, it’s a case of getting to know their victims.
Spear phishers scour social media profiles and platforms like LinkedIn to discover contact details, the victim’s network of family and friends, business contacts, where they shop or bank, and even places they frequent. This information allows cybercriminals to build a rich profile of who the target is, allowing them to tailor the scam specifically to the victim.
4. Initiate contact and use social engineering techniques
Now the scheme has been devised, the cybercriminals launch their attack. Spear phishing emails usually use social engineering techniques such as creating a sense of urgency, trust or authority. The key to a good spear phishing scam is that it appears legitimate because the ‘sender’ is an individual or company the victim regularly engages with and contains at least some, authentic information.
The most expensive spear phishing attacks of all time
1. Google and Facebook
This is perhaps the most famous phishing scam of all time. Between 2013 and 2015, Google and Facebook fell prey to a £77m Spear phishing campaign. Essentially, a Lithuanian cybercriminal named Evaldas Rimasauskas posed as an Asian supplier of both companies, sending fake invoices to key leadership figures within the tech firms.
Rimasauskas was eventually caught but not before he’d managed to defraud two of the largest companies in the world out of an eye-watering sum.
2. Ubiquiti Networks
In 2015, networking giant Ubiquiti was hit with a £36.7m spear phishing campaign. According to the company’s statement on the breach, it resulted from “employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department.” In other words, the company fell victim to a classic spear phishing attack.
3. Colonial Pipeline
Of all the incidents on this list, the Colonial Pipeline attack in 2021 is the most sinister. It remains the largest publicly disclosed attack on US infrastructure to date. The breach was so serious that the US government considered it a national security threat.
The attack had several stages. First, the hacker group DarkSide discovered a vulnerability exposed in a previous breach. A Colonial Pipeline employee had likely used the same VPN password in another location, exposing the company’s network. Next, the hackers used this password to access the Colonial Pipeline, stealing over 100 gigabytes of data in just two hours. Following this, DarkSide injected the network with ransomware that infected several systems, including billing and accounting. We don’t have a definitive figure for how much the breach cost Colonial Pipeline. We know the company paid DarkSide £3.47m for the decryption key for the ransomed data. However, the real losses could have been astronomical. Colonial Pipeline supplies oil to the entire US East Coast and the attack shut down its operations for a week. This meant the non-delivery of approximately 20 billion gallons of oil, worth around £2.7 billion at the time.
Spear phishing affects small businesses too
Although all of the examples above feature globe-bestriding businesses, this doesn’t mean there’s no threat to small businesses. Unfortunately, nothing could be further from the truth. According to research, on average the employee of a small business will experience 350% more phishing and social engineering attacks than a staff member at a larger enterprise.
Why? Well, while cybercriminals are undoubtedly motivated by the prestige and financial rewards that come with the scalp of a global enterprise, small businesses represent an easy target. SMEs typically have weaker defences and less developed cybersecurity practices than their corporate counterparts, for one. However, that’s not the only reason. SMEs’ employees can often be turned more easily to a cybercriminal’s malicious ends, whether through actively colluding with criminals or negligence. Indeed, CyberSmart’s research revealed that 22% of SME leaders believe employees are more likely to make mistakes – such as clicking on a phishing link – since the cost of living crisis began. Meanwhile, 20% believe employees will steal sensitive or proprietary data from the company to sell for profit or a competitive advantage.
How to protect your business
There’s no denying that small businesses are vulnerable to spear phishing attacks. Nevertheless, becoming a victim of this kind of breach isn’t inevitable. There are plenty of things you can do to ensure your business is protected. 1. Use a VPN
A virtual private network (VPN) is essential for remote working. If your business employs anyone who accesses company systems through a network that isn’t your own, even if only occasionally, you need one. Unsecured networks pose a huge threat to your business which a VPN can easily counter.
Rather than using the public network, a VPN routes your traffic through specialised servers and encrypts your data. This makes it virtually impossible for cybercriminals to break in through a public network (unless they have the password or encryption key as we saw in the Colonial Pipeline case).
2. Staff training
As mentioned earlier, Spear Phishing relies on social engineering techniques, using our human nature against us. This is tricky to counter, but not impossible. Cybersecurity awareness training can help your people recognise when they’re being targeted and give them the skills they need to avoid it.
3. Patch all software
Patching is very important to cybersecurity and the good news is that it’s simple. All you need to do is update all software with the patches providers release. This will stop cybercriminals from exploiting any vulnerabilities in providers’ software to access your business.
4. Deploy MFA
Like VPNs multi-factor authentication (MFA) adds an extra layer of security for your business, making it much harder for hackers to gain access. You likely already use MFA in some aspect of your online life, it’s now a requirement for most banking accounts. But if you haven’t already, switch it on for any system or application your business uses.
5. Protect your network
Your network is the gateway to your business. It’s what spear phishers are ultimately trying to gain access to when they attack you. Through it, a hacker can access just about anything your organisation does. So protect it, and protect it well. The four most simple things you can do to strengthen your network immediately are:
Install a network firewall to filter network traffic
Use a VPN to encrypt network traffic
Segment your network to eliminate single points of failure
Regularly update your router’s firmware
6. Always use back-ups
If the worst does happen and a spear phishing attack succeeds in stealing information, data backups can mitigate the worst effects. Not only will it enable you to minimise disruption by getting systems back up and running quickly, but it’ll also weaken cybercriminals’ bargaining power if there’s a ransom to be paid.
7. Limit user access
Be careful to limit who has access to what within your business. Users should only have admin rights within a system or application if it’s critical for their role. The reason for this is simple; if a cybercriminal compromises a user account through a spear phishing campaign, the fewer permissions that account has the less damage a hacker can do.
8. Tie it all together
If the list above appears extensive, don’t fear, there are methods which allow you to tie it all together. The first is to complete a cybersecurity accreditation like Cyber Essentials or ISO27001 certification. These certifications can help you put in place good cybersecurity practices (including all of the above) and build your cyber confidence. However, you also need something that keeps your cybersecurity baseline consistently high, year-round. This is where everyday cyber protection tools like CyberSmart Active Protect can help. Finally, none of this has to cost the earth. For more on how to protect your business on a budget, check out our guide.
Zeus, SpyEye, Emotet. What do those names mean to you? As much as they sound like Marvel supervillains, they’re all examples of high-profile banking trojans.
Emerging in the mid-noughties, banking trojans have morphed into one of the most dangerous SME cybersecurity threats. But what are banking trojans? And how can you protect your business from them?
What is a banking trojan?
A banking trojan is a particularly nasty form of trojan horse malware that aims to give cybercriminals access to networks and confidential information stored in online banking systems.
Banking trojans typically come in two forms:
Backdoor trojans: Use backdoors in your system to circumvent security measures and gain access to your computer.
Spoofers: Steal user credentials by creating a fake version of a financial institution’s login page.
How do banking trojans work?
A banking trojan works in much the same way as the mythological wooden horse from which it draws its name. A typical banking trojan looks and behaves like legitimate software until you install it. Once it’s on your device, it shows its true colours.
Banking trojans are a particularly hazardous form of malware for several reasons. Firstly, they’re usually well disguised as legitimate software, which makes them difficult to detect for anyone who isn’t a cybersecurity expert.
Secondly, they cause significant damage. In a worst-case scenario, a banking trojan can give cybercriminals total access to your bank accounts, which could spell financial ruin.
How do you know when you’ve been hit?
Although it can be challenging to spot a banking trojan, it’s not impossible. Like any malware attack, there are a few telltale signs to look out for:
New or unexpected forms appearing in your bank accounts
It’s important to note that none of these are conclusive proof that someone’s successfully hacked your system. Think of them as signs that suggest something isn’t quite right. So, if you’re in any doubt, it’s time to call the professionals.
What can you do to protect your business?
Thankfully, protecting your business against banking trojans and similar forms of malware is relatively straightforward. Beyond investing in reliable threat monitoring software, we recommend following these six simple steps.
Use multi-factor authentication
Multi-factor authentication (MFA) is a security measure that requires you to provide two or more verification methods to sign into an application. Instead of asking for your username and password, MFA demands additional information such as:
A randomly generated PIN code sent by SMS
A piece of memorable information known only to you
Your thumbprint
The idea behind MFA is simple: the more locks you have on the door, the harder it is for an intruder to break in. Think of it as adding a cyber deadbolt, a door chain lock, and some cameras to keep the bad guys out.
Train staff how to spot the signs
Human error is responsible for as much as 90% of cyber breaches, and it’s easy to see why. Few of us are cybersecurity experts, and if you aren’t aware of what a cyber threat looks like, you’re much more likely to find yourself on the receiving end.
Cybersecurity training can bridge this knowledge gap. Training helps staff recognise, understand, and mitigate the threats they face. What this training looks like depends on your business and the knowledge within it. For some, it’s a case of starting from scratch and covering the basics; for others, it’s about addressing specific weak spots.
Patch software regularly
Patching your software is the simplest way to improve your business’s cybersecurity. Even the best software can develop vulnerabilities, suffer a breach, or become outdated. Software developers release security patches to ensure cybercriminals don’t have an easy route into their clients’ systems.
It’s easy to install these patches. You can check your system for updates every few days or activate the auto-update setting on all company devices.
Use a password manager
Many banking trojans use keyloggers – programs that record your keystrokes so cybercriminals can steal your PIN or password. Using a password manager, which doesn’t require you to type anything, instantly overcomes the threat of keyloggers.
Only download files from trusted sources
This might seem obvious, but if you’re unsure about the origin of a file or piece of software, don’t download it. Set clear rules throughout your business to ensure people only download software from trusted sources, such as Microsoft, Google, or Apple stores. This helps to minimise your exposure to compromised software and malware.
Use all the security features offered by your bank
Banks offer a range of security features. Use them! If your bank provides MFA for sign-in (virtually all of them do), use it. Many business-oriented banks also have app stores full of free or low-cost cybersecurity features. Use them, too. These little extras are often the difference between cyber safety and falling victim to a banking trojan.
Banking trojan examples to watch out for
Zeus
Active since 2007, cybercriminals use Zeus to target Microsoft Windows and steal financial data. It quickly became one of the most successful pieces of malicious software in its class, affecting millions of systems worldwide and giving rise to a host of similar threats. After a brief lull in 2010, when the creator reportedly retired, we’ve seen an uptick in Zeus variants since the source code went public.
SpyEye
Once touted as the successor to Zeus, SpyEye established itself as one of the most dangerous banking trojans in the early 2010s. SpyEye enabled its creators to steal sensitive information from its victims’ bank accounts, including account credentials, credit card information, and PIN numbers. Its Russian creator was sentenced to nine-and-a-half years in prison in 2016.
Emotet
Emotet is a banking trojan that spreads primarily through email. These emails often use familiar branding and convincing wording to trick the victim into clicking on a malicious link. Emotet has gone through a few iterations since emerging in 2014, in an attempt to circumvent modern detection methods.
Don’t suffer the same fate as Troy
Understanding the threat banking trojans pose and adopting appropriate countermeasures are integral to safeguarding your financial information in today’s digital landscape.
Simple, inexpensive malware prevention tips – like updating your software regularly, using a password manager, and educating staff – help protect your business against banking trojans and other malware strains, too.
We live in a time of increased international tensions. You can scarcely open a newspaper or browse a news site without being greeted by conflict, both in the real world and online. We’re only two months into 2024 and the National Cyber Security Centre (NCSC) and its international partners have already issued a public warning about state-sponsored attackers. However, for the average small business or individual, this can seem very distant. Reports on the machinations of states and their security services can all feel ‘a bit James Bond’. Nevertheless, cyber warfare affects everyone. In this blog, we look at cyber warfare and why you should care.
What is nation-state cyber warfare?
Nation-state cyber warfare is best defined as:
‘Cyberattacks launched by one nation-state against another, targeting critical infrastructure, government agencies, businesses, and individuals.’
Nation-state cyber-attacks are often distinctive. The techniques employed are advanced, with highly skilled hackers tasked with executing bespoke malware. These operations are often phenomenally well-resourced, with money no object, and executed over long periods, often years.
There are several reasons why countries engage in cyber warfare, from its use as an extended theatre of war to attempting to exert influence on rivals’ internal affairs.
Military operations
Cyber warfare can act as a further weapon in support of traditional methods, as we’ve seen in the current Russia-Ukraine conflict.
Sabotage
Another motivation is simple disruption, whether to send a message or destabilise an enemy. We’ve seen plenty of attacks on critical infrastructure such as power grids, financial systems, and transportation networks. Perhaps one of the most famous examples of this (although never directly attributed to any one state) is the Stuxnet worm that disabled the Iranian nuclear programme.
Espionage
Espionage is probably the most common goal of nation-state cyber warfare. State-sponsored actors might attempt to steal military intelligence, intellectual property, personal data or other sensitive information from government bodies or their supply chains. Another common use is to spy on journalists, politicians and others in positions of influence.
Spreading misinformation, propaganda, or sowing discord can be used to destabilise a target nation. The most infamous examples of this are perhaps the 2016 US election and the UK’s Brexit referendum, with both being targeted by outside influences. And this is likely to become a live issue again as both the UK and US go to the polls in 2024.
Stealing funds
Nation-state attacks aren’t always for political gain. The past few years have seen the rise of nation-state actors simply stealing funds. For example, groups associated with North Korea, have stolen an estimated $2 billion (£1.6 billion) from at least 38 countries in the past five years.
Why does this matter to you?
Nation-state cyberattacks are a big deal, even if they don’t target you personally. For those of you who have seen ‘Leave The World Behind’ this film brings home the chilling reality of what a significant cyber attack upon a nation could look like.
What’s more, this isn’t all the work of Hollywood screenwriters. Statistics show that in 2021, 21% of nation-state attacks targeted consumers – ordinary people like you or me.
The impact of these attacks can be significant too. Imagine no water or electricity because hackers targeted power grids. Or worse still, a hacked nuclear system and the apocalyptic consequences that could entail.
Interestingly, between 2021 and 2023 we have seen a significant increase in nation-state cyber attacks against schools. Between July ‘22 and June ‘23, schools were the most targeted sector, with 16% of all such attacks being directed at them.
The same report highlighted that 11% of attacks were directed at think tanks and non-government organisations – groups that will have some part in shaping elections.
So while you might not be the direct target, the impact can be felt by everyone.
Nation-state attacks in the real world
We mentioned some of these in passing earlier, but let’s dig into some of the most famous examples of nation-state cyber warfare.
Stuxnet (2010)
We almost always assume that the attacker is going to be from one of a few countries, but this nation-state attack was launched by the US and Israel. The target was an Iranian nuclear plant due to the simmering tensions between the Iranian and US governments over the former’s atomic weapons programme.
We recommend reading about this in more detail (it’s well-documented and very interesting) but, in summary, malicious software in the form of a worm was used to specifically target Siemens-made equipment used in the nuclear power plant. This caused an estimated 1,000 centrifuges within the plant to fail, temporarily neutralising the Iranian’s nuclear programme.
2016 American election (2016)
In 2016 we saw Russian interference in US elections. The Russian government utilised thousands of fake social media profiles that purported to be Americans, spreading disinformation. This attack also targeted American politicians directly, hacking and stealing data from senior members of Hilary Clinton’s campaign committee and leaking this information online.
And one fresh off the press…
In February 2024, globally renowned cloud services provider Cloudflare reported unauthorised access to its internal systems by an unknown attacker.
Although we don’t know anything for certain yet, Cloudflare suspects a nation-state actor was behind the incident. The attack involved stolen credentials being used to gain access to an Atlassian server containing documentation and a limited amount of source code.
Unfortunately, these examples illustrate that the attacks will keep coming, which poses the question, what can you do to protect yourself or your business?
What should I do to protect myself?
Though few of us will be directly subjected to a nation-state attack, it’s feasible that our organisation or someone that we work with could be.
What can we do as individuals?
Start by practising good cyber hygiene, like using strong passwords, setting up multi-factor authentication, and being cautious of suspicious emails and links. Alongside this, it’s important to stay informed about emerging threats and best practices for preventing them.
What should businesses do?
Organisations need to implement good cybersecurity practices such as vulnerability management, incident response plans, and employee training. If you’re unsure where to begin, accreditations like Cyber Essentials can give your business a solid grounding in the fundamentals of cybersecurity.
What should we expect from governments?
Apart from ensuring they have the best possible cyber defences in place, governments must also develop international norms and frameworks to promote responsible state behaviour in cyberspace.
The EU has taken a significant step towards this in agreeing to the European Cybersecurity Scheme on Common Criteria (EUCC). This is the first scheme of three and targets IT products such as hardware, software and components.
We can’t stop nation-state activity and, individually, we can’t significantly influence it. But, we can ensure that we are informed about these threats and influence those closest to us, be that family, friends, the leaders within organisations that we work for or the businesses we buy from.
With AI quickly imposing upon our lives and a general election later this year, security is everyone’s responsibility and we must take this seriously.
Malware is almost as old as the first personal computers. And like anything that’s existed for a long time, it’s easy to become complacent about it.
However, if your business has ever fallen victim to a malware attack, you’ll know how damaging it can be. The repair costs alone can set you back thousands; then, there’s the indirect financial impact of prolonged business disruption, data loss, and reputational damage.
Yet, it’s not all doom and gloom. Armed with a little understanding, you can prepare your prepare your business and stay safe online. To help you do this, we’ve put together this short guide to help you get your head around the stages of a malware attack and how they work.
But first…
What is malware?
Malware is the umbrella term for malicious software that damages, disrupts, or gives cybercriminals access to a computer system.
Cybercriminals typically disguise malware as legitimate files, links, or attachments on a web page or email. The goal is to trick the victim into downloading the malicious program onto their device, where it can:
Steal corporate information or sensitive customer data
Delete or encrypt data
Disrupt business operations
In some cases, malware can exploit vulnerabilities in your cybersecurity to spread to other connected systems in your network.
Malware is a pervasive threat. The AV-TEST Institute registers 450,000 new types of malware every day, contributing to the estimated 1.5 billion malicious software programs and potentially unwanted applications (PUA) in the world today.
Cybercriminals and threat groups are responsible for billions of malware attacks every year – there were 5.5 billion in 2022 alone. Cybercrime, including malware, costs UK businesses an estimated £21 billion every year.
UK businesses are on the frontlines of the malware threat. 84% of UK Chief Information Security Officers (CISOs) say UK organisations are at the highest risk of material cyberattacks, with ransomware among the most common. For example, 66% of businesses fell victim to one or more ransomware attacks in 2023, marking a 44% increase from 2020.
Meanwhile, public administration experiences more malware attacks than any other sector. Public sector bodies reported 488 separate incidents between November 2021 and October 2022.
The 5 stages of a malware attack
Infected websites, email attachments, and removable media are the most common means of malware attack. But whatever the approach, they all follow a similar five-stage pattern.
Stage 1: Entry
The victim inadvertently visits a compromised website by:
Visiting a trusted website that a cybercriminal has hijacked
Clicking on a link (often embedded in an email) that redirects the victim to the compromised website
Cybercriminals can compromise a trusted website by exploiting vulnerabilities in its servers or content management system (CMS) or using stolen credentials to inject malicious code. When the victim visits the compromised web page, the malware automatically downloads the code onto their systems.
Stage 2: Distribution
After bypassing the victim’s cyber defences, the malware redirects to an exploit kit hosting site. Cybercriminals typically use hacked traffic distribution systems (TDS) to create multiple redirections, which help to conceal their activities and the identity of their exploit kit hosting site.
Traffic distribution systems use a combination of traffic filtering and fast-flux networks to hide the host site from search engines and security scans, making them harder to track down and blocklist.
Stage 3: Exploitation
The hosting site installs an exploit kit onto the victim’s system, which loads it with malicious files, including:
HTML
Java
Flash
PDF
These files probe the victim’s system, looking for vulnerabilities they can exploit to gain access to or control of the target computer. And the worst part? The technical barriers to entry for launching malware attacks get lower each year. Cybercriminals can create homemade exploit kits or, if they don’t have the coding skills, they can purchase them cheaply on the dark web.
Stage 4: Infection
Having successfully infiltrated the victim’s system, the malware delivers its harmful payload. This could be anything from ransomware to trojan horses or worms that operate silently in the background.
Stage 5: Execution
Now, the malware gets to its dirty work. Depending on the cybercriminal’s goals, this could be stealing or encrypting sensitive data to ransom back to the victim, disrupting business operations, or infiltrating other connected systems.
Malware attack examples
Malware affects everyone. Even global brands and government organisations with robust cybersecurity tools, practices, and policies have fallen prey to malware over the years.
These examples of recent high-profile attacks illustrate the extent of the threat.
LockBit (ransomware)
One of the most active ransomware strains, LockBit has affected over 1,500 businesses at a total cost of over £72 million since emerging in 2019. The Royal Mail is among its most high-profile victims. At the start of 2023, LockBit caused severe disruption to Royal Mail’s overseas delivery service after it affected one of its back-office systems. The attack lasted two months and cost over £10 million to rectify.
Conficker (worm)
One of the largest and most notorious worms in history, Conficker has infected tens of millions of computers in over 190 countries since its discovery in 2008. Its long list of victims includes government agencies (including the UK parliament), businesses, and home computers, and remains an ongoing threat. To date, it’s caused £7 billion in damages.
Emotet (trojan horse)
First discovered in 2014, the Emotet trojan has wreaked havoc on businesses and government organisations, especially in the United States. According to the Department of Justice, the trojan has infiltrated over 1.6 million computers and caused £2.5 billion in damages.
Prevention is the first step to protection
It’s not always easy to spot a malware attack. Cybercriminals use sophisticated tools and techniques to conceal their activity from victims, so it could be days, weeks, or even months before you realise something’s wrong.
Preparation is the key to protecting your business, suppliers, and customers from malware. At the very least, we recommend regularly updating your systems and software, installing a network firewall, and teaching staff cybersecurity best practices.
If you want to go one step further, consider getting a cybersecurity certification. Schemes like the government-backed Cyber Essentials are quick, easy, affordable, and effective.
Wherever you look, fraud is on the rise. According to UK Finance, there were 1.4 million cases of fraud in the first half of 2023 with criminals stealing over £580 million. And worming its way into these figures, comes a growing threat – remote access takeovers. In this blog, we’ll deal with the what and the how of remote access scams, including how to avoid falling foul of them. Read on to find out more.
How does a remote access scam work?
A remote access takeover is a form of identity theft. The principle is a simple one. Usually, the fraudster will pose as a legitimate contact, say a customer service agent from your bank. Like other social engineering attacks, the goal is to use psychology to get the victim to reveal their account details or login credentials. Once in, the bad guys can seize control of your account and use it for their own nefarious ends. It could be making unauthorised payments from your bank account or using your profile to launch phishing scams. Typically, a remote access takeover works in one of two ways: 1) The fraudster calls the victim and persuades them, through social engineering techniques, to provide account details and give them access. 2) The cybercriminal coerces their quarry into downloading malware that gives them control of the victim’s device or access to their account(s).
In common with all cybercrime, these attacks can range from the downright laughable (think the much-mocked ‘distant relative’ scams of the noughties) to the highly sophisticated.
As we mentioned in the introduction, remote access scams are something of a growth industry. Action Fraud – the UK’s national reporting centre for fraud and cybercrime – estimates that £3.8 million has been lost to remote access takeovers since June 2023.
This fits with the broader trend towards social engineering or ‘human manipulation’ scams in cybercrime. Anti-virus provider, Norton approximates these kinds of scams were responsible for 75% of all threats in the first half of 2023.
So the problem is real, which begs the question, what can you do to protect your business?
How can you protect your business?
The good news about remote access scams is that they deploy psychological techniques as old as time. Why is that a good thing? Well, it means that they’re relatively easy to stop, here’s how.
Don’t give out digital banking details
This one almost goes without saying, but never give out digital banking usernames, passwords, internet secure banking key codes or one-time passcodes (OTPs) during an unsolicited call. Whoever your business banks with won’t ask for this information over the phone. So, if someone does, it’s a sure sign of a scam.
Never install any remote access software as a result of a call
Like the previous point, no bank will ever ask you to download a remote access tool so they can access your smartphone or computer. Again, if you’re asked to do this, it’s a good indicator that the person asking isn’t legitimate, so hang up immediately. Verify telephone numbers
If you do receive a suspicious call, verify the number. There are plenty of free services just a Google away. Or, you could cut out the middleman and cross-reference the number with those listed on the provider’s website.
However, be aware that cybercriminals are getting better at this all the time, so the number may well look very similar.
Just hang up
Unleash the power of your phone’s end-call button. Seriously, if you receive a suspicious call from someone claiming to be your bank, there’s nothing stopping you from simply hanging up. Cybercriminals rely on creating a sense of urgency. It’s in those vital few seconds before we’ve really thought about the request that they do their worst work. Don’t let them. Hang up, wait a few minutes, then call your bank yourself. If it was a legitimate call they’ll let you know and, if it wasn’t, you’ll have dodged a scam.
Put processes in place
Workplaces can be stressful and mistakes happen. Policies stop the little errors we all make in our day-to-day working lives from growing into something much bigger and uglier. Ensure your business has a proper due diligence culture for any payments that include a two-tier approval. On top of this, make sure everyone is aware of remote access takeover scams and have an escalation policy in place, which brings us nicely to our final point. Educate your staff
Education is what ties all of the above points together. Ensure everyone in your business can recognise a suspicious call and is aware of the tactics cybercriminals employ. The simplest way to do this is through cybersecurity training. What this looks like will depend on your business and its needs. For some businesses, this means starting with the fundamentals. Meanwhile, for others, training addressing specific weak spots in employee knowledge is just the ticket. Whichever approach suits you, we recommend using a little and often approach. Little, because you want to keep staff engaged rather than overwhelm them. Often, so that thinking about cybersecurity becomes second nature. For more on cybersecurity training and why you need it, read this blog.
The most elusive of all malware; fileless malware is a threat you can’t afford to let slip off your radar. It accounts for 40% of global malware, according to research from Arctic Wolf Labs. And attacks increased by an eye-watering 1,400% between 2022 and 2023.
The next time you’re assessing cybersecurity priorities, keep protecting your business from these furtive attacks front of mind.
What is fileless malware?
Fileless malware is malicious code that’s written to your RAM or legitimate system tools rather than your disk (SSD or hard drive). Essentially, it uses your system’s software, applications, or protocols to launch an attack. Technically, it’s not actually fileless, but the name comes from where the code is stored and the fact it uses what already exists in the system.
The hacker will use the malicious code to gain access to your systems, execute the code by piggybacking on legitimate script, and steal credentials, encrypt files etc. – whatever they’ve set out to do as part of the attack. Because code is stored in memory, it generally disappears when you reboot your system (unless the hacker uses more advanced tactics to make the malware stick around on restart). This makes the virus incredibly difficult to spot, meaning security teams and antivirus software may not notice or find out what caused the problem.
LoLBins primarily refer to pre-installed Windows binary tools used for default system operations. PowerShell, a Windows scripting language, is an example of this. However, hackers can take advantage of them to launch attacks and avoid detection.
Memory code injection
A memory code injection inserts malicious code into a computer’s memory.
Fileless malware examples
Operation Cobalt Kitty
OceanLotus Group, who also go by APT32, targeted an international company based in Asia. The long-term attack compromised more than 40 computers and multiple servers.
They used the Windows PowerShell configuration management tool as an entry point for malicious code. It manipulated network management services so it would stay on systems rather than getting deleted on start-up. The group managed to penetrate the organisation via spear-phishing emails to senior employees that encouraged them to click on malicious links or download weaponized documents.
Fritz Frog
Fritz Frog is a fileless and serverless peer-to-peer botnet and worm that uses brute force to access secure shell (SSH) servers.
In January 2020, the cybercriminals behind it launched an attack that lasted for eight months, affecting 24,000 SSH servers from government, education, healthcare, and private enterprises.
Once the malware had successfully compromised a server, it would replicate and spawn threads to achieve different goals, e.g. one would use brute force to access more targets while another deployed the payload. It did this so it could run a cryptocurrency miner to process and steal cryptocurrency transactions from Monero.
Code Red
Identified as the first-ever fileless attack, Code Red spread worldwide in 2001 and affected more than 300,000 servers.
The worm exploited a Windows vulnerability and affected users of Windows NT, Windows 2000, and Microsoft IIS web server software. It caused websites using the webserver to display incorrectly.
According to a Sophos threat researcher, Microsoft released a patch to protect against the vulnerability just a month before the attack, showcasing the importance of updating software as soon as patches are available.
How to protect your business
Fileless malware is particularly tricky to detect because it’s written into memory or trusted, legitimate code. That means standard antivirus software doesn’t always detect a problem. And, in cases where the code is written to memory and wiped on restart, there’s no trace of the malicious code to work from.
However, there are some steps you can take to look after your cyber hygiene and give your business the best defence against malware in general, including fileless malware.
Patch your systems
Just like Code Red, unpatched vulnerabilities in operating systems, browsers, and software are a breeding ground for cyber threats. To counter this, install patches and security updates as soon as they’re available to give your business the best protection.
Continuous logging and monitoring
It’s important to stay on top of any security incidents so you have a full understanding of your IT infrastructure. It’s also important to monitor your systems for any unusual activity so you can respond to potential threats quickly and limit the damage. This can be difficult to do in-house unless you’re a very big business with lots of cybersecurity experience, but there are many options for third parties to monitor your security for 24/7 protection.
Education
To avoid threats, your people need to understand them. And the same is true for fileless malware. So, make cybersecurity training regular, bitesize, and as fun as possible. It’s not about fearmongering, it’s about arming your teams with knowledge.
Endpoint protection
An endpoint is a device that connects to and exchanges information with a computer network. Endpoint protection includes measures such as device encryption, perimeter security on cloud storage, network access control, anti-malware, and more.
Get Cyber Essentials certified
Cyber Essentials is a government-backed scheme with a simple framework based on five technical controls. Many of these controls include actions that overlap with our other tips in this section, so you can tick more off your to-do list in one go.
Secure configuration
Malware protection
Network firewalls
User access controls
Security update management
It’s a great starting point for businesses looking to improve their cybersecurity credentials before moving on to more complex and costly certifications like ISO 27001. And, if you’re unsure which option is best for you, start by reading our free guide to certifications in the UK.
The fight against fileless malware
Hopefully, these tips help you to feel more confident about protecting your business against fileless malware.
However, as with all threats, fileless malware is ever-evolving. One way to ensure you stay cyber confident is to keep updated with information on new threats. Our report on SMEs and the cost of living crisis tells you everything you need to know about how small businesses are tackling cybersecurity during an economic downturn. Read it here.
