Major Cyber Attacks in 2023 – A Wake-Up Call for SMEs in 2024

Major Cyber Attacks in 2023 aside, the world feels unsettled for many at the moment.  With political destabilisation and threats to peace across the globe. Unfortunately, the online world is no different, with hacks and ransomware a constant threat to businesses large and small.

The UK government’s National Security Strategy Committee released a report laid bare the consequences for national security, of Cyber Attacks.  The Committee described some of the most serious attacks as follows:

“Victims included the UK’s NHS, US FedEx, Deutsche Bahn, Honda, Nissan and LATAM Airlines.  Many including the NHS were not targeted specifically, but were hit in opportunistic attacks due to software vulnerabilities.  The British Library experienced a major ransomware attack in November 2023.  In the days before publication of the report, London’s King Edward Hospital was attacked with threats to leak members of the Royal Family’s medical records.  There were also reports that Sellafield, the UK’s most hazardous nuclear site had been hacked into by cyber groups closely linked to Russia and China.”

They go on to describe how “swathes of UK critical national infrastructure (CNI), remain vulnerable to ransomware, particularly in sectors still relying on legacy IT systems”.

In early in 2023, anyone trying to send a parcel overseas will have been all too aware of the cyber attack on Royal Mail.  This brought their international postage system entirely to a halt.  Printers in a distribution centre in Belfast started printing the attackers’ demands.  Royal Mail confirmed it to be a ransomware attack by someone using LockBit encryptors.

This was not a quick fix. Royal Mail announced the hack on 11th January 2023 and it was only on 2nd February 2023 when things were mostly back to BAU.

On 8th August 2023, the Electoral Commission announced that there had been a gigantic data breach the previous October.  This had given hackers access to “the name and address of anyone in Great Britain who was registered to vote between 2014 and 2022.  The names of those registered as overseas voters during the same period, and the names and addresses of anyone registered in Northern Ireland in 2018” were also compromised.

Most Small Businesses (SMEs) aren’t dealing with issues of national security.  However, we’ve all got responsibilities under GDPR.   We’ve got responsibilities to our customers, partners and colleagues.  Also, we don’t want a data breach to damage our reputation, our finances or our standing in the community.

SMEs shouldn’t wait for trouble with their cyber security.   It could mean systems are interrupted or need repair, or you may have to deal with a crisis.  Also, we don’t want the infrastructure our businesses rely on – or provide – to be compromised.

It’s expensive, too, as HM Treasury can fine your business for failing to adequately protect itself against cyber threats.

Businesses can be fined up to £17.5 million or 4% of annual global turnover under UK GDPR legislation.  For the most serious infringements, for companies like Meta (fined €1.2billion and €390 million), TikTok (fined €345 million and €12.7 million) and Spotify (fined €4.9 million) all found to their (extensive) cost in 2023.

Even the Cabinet Office got an eye-watering £500,000 fine in 2021 for a GDPR breach, though the Information Commissioners Office later reduced this to £50,000.

The National Security Strategy Committee report mentioned above concludes that the government is not doing enough.  Its chair, Dame Margaret Beckett saying, “The UK has the dubious distinction of being one of the world’s most cyber-attacked nations.  It is clear to the Committee that the Government’s investment in and response to this threat are not equally world-beating.  Leaving us exposed to catastrophic costs and destabilising political interference.”

So it falls to us, as small business owners, to take every possible step to prevent and avoid cyber attacks.  Rather than try to deal with the fall-out if (or when) our website or database is the unlucky recipient of intruders.

Astonishingly, at the time when the Electoral Commission’s hack gave 45 million people’s personal data to hackers, the Commission had failed its Cyber Essentials audit.  This was due to “outdated software on around 200 staff laptops and the use of unsupported iPhones”, according to a whistleblower.  Cyber Essentials is a certification that shows an organisation is taking precautions to protect themselves against the most common threats.

As of May 2023, 35,434 UK organisations had been awarded Cyber Essentials certifications awarded in the previous 12 months.  8,407 of which were for Cyber Essentials Plus, which assesses for more stringent criteria.  Joining those organisations and getting certified is a vital step to make sure your SME is knowledgeable about your cybersecurity and equipped to reduce the risk of hacks and attacks.

What can SMEs do to prevent cyber attacks in 2024?

Get on top of your password security.  As sophisticated as some cyber attacks are, some are as simple as exploiting  peoples use of really common passwords.  Responsible password management can be a quick and easy fix for your organisation

Don’t use ancient and unsupported software and systems.  If your computers are running on Windows 98 or you’re using software that hasn’t been supported since 2014, your business is at serious risk.  Update your drivers, download the most recent versions of your software, and update your website’s CMS, too.  There are people whose job it is to constantly update these systems against all the newest threats, so take advantage of that by staying up to date

Even if you’re overwhelmed, you need to know that somebody in your organisation is taking responsibility for data and online protection.  If that’s not you, make sure you know who it is and that they are on top of their brief.  If there’s nobody who understands the details, get an outside IT Support service who thrive on the complexities of cybersecurity.

Sign up for Early Warning.  “Early Warning is a free National Cyber Security Centre service designed to inform your organisation of potential cyber attacks.  The service uses a variety of information feeds from the NCSC, trusted public, commercial and closed sources.  It also includes several privileged feeds which are not available elsewhere”.

Get certified! Cyber Essentials and Cyber Essentials Plus are reliable ways to make sure you’re doing everything you can to protect your company data.