Cyber threats - an introduction
Content Summary
Cyber-criminals may access your business’s data to:
- sell it to the highest bidder (or use it themselves)
- hold your business to ransom by preventing you from accessing your own data
- threaten to damage your technology
- threaten the business’s reputation by releasing sensitive commercial information.

Cyber threats come from diverse sources including criminals, past or present clients, competitors, or current and former employees.

Cyber-criminals look for access to information relating to your business, employees, and/or customers. They will attack where they are likely to make money and will do whatever works.
Popular methods of attack cyber-criminals use include:
- theft of, or unauthorised access to, hardware, computers, and mobile devices
- infecting computers with malware (such as viruses, ransomware, and spyware)
- attacking your technology or website
- attacking third party systems such as suppliers connected to your system
- spamming you with emails containing malware
- accessing your information through your employees or customers.
As well as attacks that exploit ineffective (or missing) technology, cyber-criminals might take advantage of other weaknesses in your cyber security preparations. Some cyber threats target weak processes or careless or naive employees or suppliers. Often the weakest link is not the technology but is instead the people and the processes they follow in using the technology.
Examples of cyber-attacks
| Technology-focused cyber-attacks | People-focused cyber-attacks |
| --- | --- |
| Denial of Service (DoS): Deliberately making a computer or network unavailable by flooding it with more traffic or requests than it can handle. | Phishing: Scam messages aiming to trick you into sharing personal, commercial, or financial details. |
| Distributed Denial of Service (DDoS): As with DoS, but the flood is sent simultaneously from a network of ‘zombie computers’ (a botnet): machines infected with malware that lets the cyber-criminal direct them without their owners’ knowledge. | Identity theft: Collecting personal data in order to impersonate someone, to obtain benefits or to harm users. Avenues include users sharing account details with others, downloading malicious apps, or using weak privacy settings. |
| Defacing: An attack that changes websites and other public-facing information of a company or organisation to damage its reputation or its ability to operate. | Sybil attack: Creating and using multiple sham identities to befriend legitimate users on a social media platform and collect personal data intended to be visible only to close contacts. |
| Inference attacks: Using data mining techniques on data that is available and authorised, but non-sensitive, to draw inferences about sensitive matters. | Ransomware: A particularly damaging type of malware that encrypts the files on a computer so that they are unusable unless an unlocking fee is paid as a ‘ransom’. These attacks are usually delivered through phishing emails. |
| Malware: Malicious software, commonly a virus or a ‘Trojan horse’ (seemingly legitimate software with a hidden program inside), used to steal confidential information, hold your data to ransom, or install further damaging programs. | |
Different types of cyber threats
Targeted threats
A targeted cyber threat aims at a specific, identifiable business. Traditionally, a targeted cyber threat is a direct attack on the business with the aim of obtaining immediate access to its systems. For example, a cyber-attack might start by scanning a particular business’s firewall to identify gaps in cyber defences and then install malicious software to compromise its information.
A Denial of Service attack might work in a comparable way but with the goal of disabling a specific business’s computers.
These attacks are tailored for a specific business and are based on technological weaknesses.
Targeted threats can also exploit mistakes made by people. Examples include a spear-phishing attack that might use scam emails tailored personally to the people that work in an organisation. Such emails might be sent to, for example, a finance officer and pretend to be from a major supplier. These emails aim to trick the finance officer into changing the banking details for future payments. In this way the cyber-criminal circumvents the technological barriers in place, but the effect is the same.
Another important category of targeted cyber-attack is aimed at businesses that are on a ‘sucker list’. When a ransomware attack is successful – for a cyber-criminal this means that the ransom was paid – the details of the company that paid may be circulated widely on the dark web. The victim becomes known as a target that pays up, and can expect to be attacked again.
Untargeted threats
Many victims of cyber-crime are not targeted but rather are victims of opportunistic attacks. Malware, viruses, worms, trojans and phishing attacks are common approaches. In the case of a phishing attack, it is easy for someone receiving many emails during the day - or in an inattentive moment - to accidentally click on a malicious link. These attacks can be avoided with a little thought, but this requires positive acts by end users. Mistakes are easily made if the end user is under pressure and is not aware of the ‘red flags’ showing they are under attack.
This means that employees need to be aware of the potential for ‘scattergun’ phishing attacks, and to always be sure of any link before clicking. Developing a ‘don’t just click on that’ culture where employees are suspicious of emails from unknown senders is an important way of ensuring that cyber-attacks are unsuccessful.
Downloading software from unconfirmed developers and websites should similarly be avoided. Even though anti-virus software may be in place, it is best not to test its effectiveness on potential new threats if it can be avoided.
Unfortunately, users are not particularly good at correctly identifying phishing emails. Participants in a 2022 experiment correctly identified phishing attacks in only 42 per cent of cases, and wrongly flagged genuine emails as phishing 31 per cent of the time.
Similarly, very few users looked to confirm that a URL in an email was valid even when they knew they could simply hover their mouse pointer over a suspicious link without fear of consequences.
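The ‘hover over the link’ check can also be done mechanically, before a message reaches the user. The following is an added example, not code from the original page or from any product: it parses the HTML body of an email with the Python standard library and flags links whose visible text names one domain while the underlying address goes to another, as well as links to raw IP addresses and punycode (IDN look-alike) hosts. The sample email is constructed for the example, and the ‘registrable domain’ shortcut (last two labels) is an assumption; production code would use the Public Suffix List.

```python
"""Flag anchors whose visible text and actual target disagree (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample, not a real message: one look-alike link, one raw-IP
# link, one honest link and one punycode host.
SAMPLE_EMAIL = """<p>Your invoice is ready.</p>
<p><a href="https://accounts-example.com.evil.example/login">https://accounts.example.com/login</a></p>
<p><a href="http://203.0.113.5/pay">Pay now</a></p>
<p><a href="https://example.com/help">https://example.com/help</a></p>
<p><a href="https://xn--exmple-cua.com/">example.com</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that looks like a URL or bare domain (the case a user would
# compare against the hover target).
_DOMAIN_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def _host_of(value):
    """Hostname of a URL or bare domain, lower-cased, or None if there is none."""
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None


def _registrable(host):
    """Assumed shortcut: last two labels. Use the Public Suffix List in real code."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return (href, visible_text, reason) for each link a user should not click blindly."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = _host_of(href)
        if host is None:
            continue
        if _is_ip(host):
            findings.append((href, text, "raw IP address as host"))
            continue
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append((href, text, "punycode (IDN) host"))
            continue
        if _DOMAIN_LIKE.match(text):
            shown = _host_of(text)
            if shown and _registrable(shown) != _registrable(host):
                findings.append((href, text, f"text shows {shown} but link goes to {host}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

Run against the sample, the honest `example.com/help` link passes and the other three are reported. A check like this belongs in the mail gateway or a client add-in, where it can warn the user before the click rather than relying on them to hover.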
Organisations should support end users by ensuring that all emails received are filtered for spam and that effective policies regarding the responsible use of email and internet are in place and enforced.
A key business objective should be to make it as difficult as possible for the cyber-attack to succeed, and as easy as possible to recover if it happens. Technological solutions are not enough on their own. Effective cyber security requires well-trained and engaged people across the business that securely use technologies to access the business’s data. At the centre of effective cyber security is the protection of business data.