Over the past five years, we’ve been running a big research project to understand the evolving cyber threat landscape. Now, for the first time, we’ve put all this data together to produce our Five Year Cyber Threat Report, which details the changes we’ve in the threat landscape seen over that period of time and -crucially – explains how businesses of all sizes can best protect themselves.

To accompany the Five Year Cyber Threat Report, we asked four experts from the cyber security field to explain how cyber attacks have changed over time, what threats businesses should be most wary of, and the steps we should all be taking to stay protected online. A transcript of the video can be found below.

With contributions from:

– Sonia Blizzard, Managing Director, Beaming ISP

– Robert Nowill, Chair of Cyber Security Challenge UK

– Charlie Hosier, Edinburgh Napier University Cyber Security Society

– Jenny Radcliffe, Director, Human Factor Security

Robert Nowill, Chair of Cyber Security Challenge UK: The world of cybersecurity versus people wanting to exploit cyber is something of an arms race. Some people are making a lot of money out of exploiting the weaknesses in individuals or systems and networks.

Sonia Blizzard, Managing Director, Beaming ISP: Businesses are always playing catch up. As technology improves cyber criminals take advantage of it. I think that cyber criminals are the best users of technology unfortunately.

Charlie Hosier, Edinburgh Napier University Cyber Security Society: The rise of cyber attacks is so much easier now because everything’s online. Everything now is cloud, every business operates with some form of technology.

Jenny Radcliffe, Director, Human Factor Security: Everyone’s worth hacking; everyone’s got something – a piece of information, a contact – that can lead to a bigger more blended attack.

SB: Cybercrime has doubled in the last five years. Automated attacks mean that you can target many many more companies than previously. Many more small businesses have gone to cloud and that creates uncertainty in the way that systems should work for a period of time and that’s where they’re being exploited.

RN: The threat landscape has got wider and more complex. We haven’t seen any particular let up in the most sophisticated attacks, indeed they get more and more sophisticated. At the middle and the other end is a sheer volume thing, so the majority of attacks on small businesses and individuals – consumers – are instigated through very simple methods.

CH: You don’t have to have some specialized attack on a particularly big business. You can target a very small business who has recently put all of their stuff online and because they’re new to it, it might not be as [secure], It’s an easier way for an attacker to gain data and essentially make money. That’s why we’ve seen attacks increase.

RN:  It’s about risk management; how much is one prepared spend, how much pain is one prepared to take? Small businesses have to move on year on year. If it hasn’t done anything in that five years

other than tread water on its IT and its capabilities and its security, it will be very very vulnerable. Things like keeping your system up-to-date, patching it, doing your updates, having sensible passwords, having policies around it for data protection, with what staff can actually do with the data that’s on the system. All of those sort of things, the hygiene factors need attending to.

CH: It’s not overly difficult to do the basics correctly. Having a password policy for example, so if all your employers have a strong password then it’s less likely for someone to get into their accounts. With WannaCry acouple of years ago the only reason that was so successful is because so many devices were un-patched. It wasn’t as though  it was some new exploit. So I think just make sure that small businesses are doing the basics correctly, they’re aware that these cyber attacks happen, you’re up to date with what’s going on in that world and if a new vulnerability exists then make sure you do patch your systems.

SB: I think what’s been interesting or what has been of note across the last five years is at the beginning it was very much about the hardware and talking about the defenses and the perimeter and how to maintain your-keep your data safe in terms of firewalls and actually as time has gone on it’s all about the people now. So you have to educate yourself on what best practice is, measure your own business against that, put steps in place to bring yourself up to a standard or a level of risk which you’re prepared to take and then it becomes a matter of putting those the controls in place and then educating the staff as to what they need to do.

JR: Businesses need to make sure first of all that everyone in the business is aware of the fact that this threat is out there. And then just really enabling people within their own role to be able to feed back easily into the business so it’s not just that if you have security in your job title it’s your job – it’s elective – no it’s everybody’s job. Everyone’s a target. You know your role well, you know your function well so if you’re informed of the way people try and get into the business then what do you think about your role might be vulnerable? And what it does it just keeps the conversation going, it hands that security culture back to employees and that’s something that costs nothing and but it’s very effective in just keeping that awareness going.

RN: Predicting future in technologies is not an easy thing.You look back five years and say where would we be now and we wouldn’t be where we said we were going to be, so it’s a question of keeping up, having professional advice, working with well trusted outsourced suppliers if you’re outsourcing your IT and data storage or having great professionals on the team if you’re doing it in-house.

CH: We’re always going to see these attacks but I think if more and more people become aware and we sort of push this  through business; a good security maturity throughout the entire business, I think we’ll potentially see less businesses getting popped and it would be more individuals.

SB: I don’t have a crystal ball but I do think there’s a lot of focus on cybersecurity at the moment. There has been a huge change in attitude towards remote working, companies that would have implemented plans across two years have had to do it in a matter of weeks but that will have its challenges. It could cause a great deal of difficulty in the cybersecurity world or it could be that this is the time when companies take that very very seriously.

JR: This is a growing threat, it’s an evolving threat it’s not like there’s an easy solution; we can’t press one button to make this thing go away because the criminals are always evolving and changing their attacks. But one of the things we say to clients is that there’s more of us than there are of them you know, and if you talk we communicate and share best practice we’re doing the best we can do and at the end of the day what you’re trying to do is make yourself a harder target.