
2023 has kicked off with a flurry of high-profile ransomware and cyber-attacks targeting sensitive and personal information, including Royal Mail and JD Sports.
These incidents show that even large, well-known businesses are unnervingly vulnerable and are still struggling with the basics of cyber security: phishing, weak passwords and out-of-date systems.
Too many firms get bogged down in their own processes and don’t appreciate the impact of a large-scale cyber-attack, especially the downtime it causes and the damage to reputation. Cybercriminals generally don’t care much whom they break into; they look for the low-hanging fruit that gives them a foothold. Once they’re in, most firms have no ability to detect them, which makes the attackers’ job trivially easy.
The huge amount of money that can be made from ransomware attacks, often running into millions, means that the criminal gangs can afford to spend significant time and effort planning and executing their attacks.
Frustratingly, many firms are just making it too easy for them and ignoring the basics:
- MFA on every public-facing system (most organisations have some that don’t support it, or that they have forgotten about).
- Patched systems (again, companies forget, or have legacy systems they can’t or won’t update).
- Strong passwords (more than 14 characters) for all staff, and not the same ones they use in their personal lives.
- Detection systems on the internal network and cloud services, for example a managed detection and response (MDR) service.
- Security awareness training for staff (mostly to help prevent phishing attacks and to reinforce password advice).
- Penetration testing of key systems.
These aren’t complicated and don’t have to be expensive – and are certainly far cheaper than being hit by a ransomware attack.