How cyber criminals penetrate businesses - and how to stop them
- philviles
- May 8
Following the high-profile cyber attacks on Marks & Spencer, the Co-op and Harrods, you might think attacks are confined to the big companies. But you’d be wrong. Just because the big guys make the headlines, it doesn’t mean the problem is solely at top level. In reality, all businesses are targets.

In today’s hyperconnected world, cybercrime is no longer the domain of lone hackers in hoodies. It’s a global, organised, and evolving threat targeting businesses of every size. Whether you're a startup or an established enterprise, the reality is the same: you are a target.
Cyber criminals use increasingly sophisticated methods to breach networks, steal data, or extort money. But businesses are not helpless. Armed with the right knowledge and defensive practices - such as those provided by the National Cyber Security Centre (NCSC) - you can significantly reduce your risk.
How Cyber Criminals Attack: Methods and Tactics
Cyber criminals don't always need brute force. Often, they rely on exploiting human behaviour, misconfigurations, or unpatched systems. Here are some of the most common tactics used:
1. Phishing and Social Engineering
Attackers send fraudulent emails that appear to be from legitimate sources, tricking employees into clicking malicious links or revealing sensitive information. This can lead to:
Credential theft
Malware infection
Unauthorised access
Example: An employee receives an email pretending to be from the finance department, asking them to review an invoice - the link installs spyware instead.
2. Malware and Ransomware
Malicious software can be delivered through infected attachments, links, or compromised websites. Ransomware, in particular, encrypts a company’s data and demands payment to unlock it.
Example: The infamous WannaCry attack crippled the NHS in 2017 due to outdated systems and lack of segmentation.
3. Exploiting Software Vulnerabilities
Unpatched software and outdated systems are prime targets. Cyber criminals scan for known vulnerabilities that haven’t been fixed.
Example: Remote Desktop Protocol (RDP) and VPNs left unpatched during the pandemic surge were heavily exploited.
4. Credential Stuffing
With billions of stolen credentials from previous breaches available on the dark web, attackers attempt to use these combinations on other systems, banking on password reuse.
5. Insider Threats
Sometimes the danger is internal - disgruntled employees or careless contractors can leak or abuse access.
Defending Your Business: Best Practice Advice from the NCSC
Fortunately, the NCSC offers clear, practical steps businesses can take to improve their cyber resilience. Here’s how you can fight back:
1. Use Strong Passwords and Enable Multi-Factor Authentication (MFA)
Use unique, complex passwords for all accounts.
Encourage the use of password managers.
Implement MFA across all critical services.
Tip: The NCSC recommends using three random words for passwords - e.g., "OrangeTableRocket" - and turning on MFA wherever possible.
2. Keep Software and Systems Updated
Apply security patches promptly.
Use automatic updates where possible.
Ensure firmware, plugins, and operating systems are regularly reviewed.
3. Implement the Principle of Least Privilege
Give users access only to what they need.
Review admin accounts regularly.
Disable accounts when no longer needed.
4. Backup Data - and Test It
Regularly back up important data offline or to the cloud.
Test recovery processes to ensure backups are usable during a crisis.
The NCSC advises using the 3-2-1 backup strategy: 3 copies of data, on 2 different media, with 1 off-site.
5. Use Antivirus and Firewall Protection
Ensure all devices have antivirus software.
Set up firewalls at the network and device level.
Monitor logs for suspicious activity.
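The credential stuffing tactic described earlier (one source replaying many stolen username/password pairs) leaves a recognisable trace in authentication logs, which is what the "monitor logs for suspicious activity" advice above is for. The following is an added example, not code from the original post or from the NCSC: it runs over a few constructed auth log lines (the log format, IP addresses and usernames are all made up) and flags any source that attempts an unusually large number of distinct accounts, then lists the accounts that actually succeeded from such a source so they can be reset.

```python
import re
from collections import defaultdict

# Constructed sample auth log (hypothetical format; not from the page).
# One source tries six different accounts in a few seconds; another
# retries a single account, which is ordinary user error, not stuffing.
SAMPLE_LOG = """\
2024-05-08T09:00:01Z src=203.0.113.7 user=alice result=fail
2024-05-08T09:00:02Z src=203.0.113.7 user=bob result=fail
2024-05-08T09:00:02Z src=203.0.113.7 user=carol result=fail
2024-05-08T09:00:03Z src=203.0.113.7 user=dave result=fail
2024-05-08T09:00:04Z src=203.0.113.7 user=erin result=success
2024-05-08T09:00:05Z src=203.0.113.7 user=frank result=fail
2024-05-08T09:01:10Z src=198.51.100.4 user=alice result=fail
2024-05-08T09:01:20Z src=198.51.100.4 user=alice result=fail
2024-05-08T09:01:30Z src=198.51.100.4 user=alice result=success
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(\w+)")


def find_credential_stuffing(log_text, min_distinct_users=5):
    """Return {source: sorted usernames} for every source that attempted at
    least min_distinct_users different accounts. A single IP cycling through
    many accounts, each tried once or twice, is the signature of a leaked
    credential list being replayed, as opposed to brute force on one login."""
    users_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match rather than crash
        src, user, _result = m.groups()
        users_by_src[src].add(user)
    return {src: sorted(users) for src, users in users_by_src.items()
            if len(users) >= min_distinct_users}


def successes_from_flagged(log_text, flagged):
    """Accounts that logged in successfully from a flagged source. These are
    the ones to force a password reset on, since a reused password from an
    earlier breach is the likeliest explanation for the success."""
    hits = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(1) in flagged and m.group(3) == "success":
            hits.add(m.group(2))
    return sorted(hits)


if __name__ == "__main__":
    flagged = find_credential_stuffing(SAMPLE_LOG)
    print("credential-stuffing sources:", flagged)
    print("accounts to reset:", successes_from_flagged(SAMPLE_LOG, flagged))
```

The threshold of five distinct accounts is an arbitrary starting point; tune it against your own log volume, and pair the check with MFA so that a correct password alone is not enough.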
6. Train and Educate Staff
Run regular phishing simulations and awareness training.
Make cyber security part of your onboarding process.
Encourage a culture of "stop and think before you click."
Security Awareness Training is a service we offer to businesses. Find out more here.
7. Create an Incident Response Plan
Have a clear plan for what to do in case of an attack.
Define roles and responsibilities.
Ensure contact details for cyber response partners are up to date.
Final Thoughts
Cyber criminals are persistent, but most attacks succeed not because of complex hacking techniques, but due to basic security failures. The good news? These failures are preventable.
By following the NCSC’s best practices, businesses can strengthen their defences, reduce their attack surface, and build resilience in the face of evolving threats. Remember, cyber security is not just an IT issue - it’s a business survival issue, and it’s everybody’s responsibility.
Reporting
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).