Cyber-attacks during lockdown: small/medium companies most vulnerable

Increased cybersecurity concerns have hit small and medium-sized organisations hardest, but the surge in cyber-attacks does not yet appear in regulatory reports.

17 September 2020

We have previously written on the topic of cybersecurity risks during the COVID-19 pandemic and the likelihood that mass working from home would make companies more vulnerable to, and prompt an upswing of, cyber-attacks. That this turned out to be the case is relatively old news. A survey by VMware consultancy in July stated that 98% of respondents had experienced increased volumes of attacks, 99% said their business had suffered a security breach in the last 12 months, and 96% said attacks had become more sophisticated.

This surge appears to be continuing, and to reflect the changing patterns of life prompted by the pandemic. For instance, the UK's National Cyber Security Centre has today (17 September 2020) issued an alert to the education sector following rising ransomware attacks on academic institutions as students return to schools and vulnerabilities are perceived to have increased.

A flurry of recent reporting has revealed further interesting trends, particularly in relation to the distribution of attacks. Specialist insurer Beazley has recently published a Breach Insight Report noting a significant jump in the proportion of attacks directed at 'middle market' companies (defined as over $35m in annual revenue) as opposed to large enterprises. As lockdown and mass working from home were put in place around the world, these companies attracted 60% of all reported social engineering attacks in Q2 (up from 46% in Q1) and 55% of reported fraudulent instruction attacks (up from 24% in Q1). Within that market segment, healthcare, financial institutions, manufacturing, real estate and education were the most targeted industries.

All told, there's a clear trend towards increased volumes of attacks (and increasingly sophisticated attacks) being targeted at smaller institutions and companies that generally have less developed security measures and might previously have believed there was some protection in relative anonymity.

One final part of the picture, however, does not seem to have emerged yet. We have not seen any indication that the surge in the number of attacks has led to a commensurate increase in the number of personal data breach reports being made to the Information Commissioner's Office (as is mandatory under the GDPR). Indeed, the ICO's 2020 Annual Report suggests that the number of such reports actually fell in the year to July 2020. We don't know the reason for that fall in reporting, but it is not unreasonable to suggest that an increased proportion of attacks targeting smaller organisations with less developed compliance systems and potentially less awareness of their regulatory obligations might play some role.
