Cyber attacks a risk factor for businesses

With the "digital transformation", opportunities are increasingly coming to the fore. These include embedding computer technology in existing workflows as intuitively as possible. In many areas, for example, companies can no longer afford to communicate with customers without modern tools such as online appointment calendars and ticket systems for inquiries.

Even for their own employees, the information technology they use is by no means a mere means to an end. Company smartphones and laptops from certain manufacturers have long since become a kind of status symbol, just as company cars used to be.

The growing importance of information technology increases the dependence on it. The sudden failure of one or more IT devices may now be one of the more dreaded scenarios in day-to-day business. Not to mention, of course, the leakage of sensitive customer data or the complete malfunction of information technology. Those responsible should therefore address these risks in good time. They should also be aware that there is no such thing as zero-cost protection against cyber risks.

Cyber risks from which no company is safe

Of course, it is still possible to download viruses or Trojans onto a PC by carelessly surfing dubious sites on the Internet and indiscriminately installing software from unknown sources. PC users are now sensitized to such "old-style" cyber risks in both their professional and private lives. It can be assumed that there is hardly a criminal left who plans to distribute malware to companies in this way. Attacks are much more targeted and subtle.

The problem is exacerbated by the fact that the perpetrators make considerable profits - while the risk of detection is low. Financial demands in extortion, for example, are usually demanded via Bitcoin. Their payment channels are usually untraceable. This calls for copycats. In its Security Situation Report 2020, the Federal Criminal Police Office even mentions the possibility of ordering cyber attacks from the darknet. In reference to the term for legal cloud services (software-as-a-service), the authors present this manifestation as cybercrime-as-a-service. In addition, necessary malware, for example to carry out an attack with an encryption Trojan, can be purchased there. The availability of such programs to less tech-savvy criminals increases cyber risks immensely.

The German Federal Office for Information Security is constantly addressing current cyber risks for companies, government agencies and other organizations. Its annual report addresses the following forms of attack, among others:

1. Ransomware: a large number of companies and public authorities have now fallen victim to attacks using encryption Trojans and subsequent extortion. Ultimately, a combination of different attack methods is used. First of all, internal company information is spied out through publicly accessible sources and social engineering techniques. For example, the names of superiors and departments can be obtained by fictitious phone calls or e-mail inquiries. Such information is then needed to trick an employee into opening the attachment of an e-mail. If it is supposedly from a superior and has the name of a current project in the subject line, the threshold for employees to have reservations about opening attachments usually drops enormously. By means of the attachment prepared with a macro virus, software such as Emotet is installed, for example. This provides the attacker with extensive functions in the company network. One possible attack is the encryption of all accessible files with a Trojan such as Ryuk. This also specifically attacks back-ups. Once the encryption is complete, the criminals contact the company management and offer to decrypt the files for a fee.

2. Data theft: targeted data theft also often involves the Emotet infection described above. The aim is to collect and leak sensitive information. Among other things, the Trickbot software is used for this purpose. This is optimized for espionage and sabotage in corporate networks. The benefit of such an attack can be, for example, blackmail with the announcement that company secrets will be made public. Another form of attack is access via poorly secured online access points. If an intranet can be accessed, for example, by simply logging in from the Internet, there is always a risk that authorized persons will use weak passwords to undermine the security concept.

3. Computer sabotage: Aims to disrupt the functionality of computer systems. One variant of these cyber risks are so-called distributed denial of service (DDoS) attacks. For example, the attacker takes control of a large number of computers belonging to uninvolved parties. These are often poorly secured PCs belonging to private users. The criminal can then send simultaneous requests to a company server by remote control. With a sufficient number of computers in use, almost any server can be temporarily disrupted in this way. The criminal can combine this form of attack with blackmail. However, revenge or commissioning by competitors are also conceivable motives.

4. Computer fraud: this category includes the use of banking Trojans. Transaction data is spied out in various ways. Examples include keyloggers that record keystrokes or the use of malware to steal access data. Companies often transfer large sums of money, so this process is also a worthwhile target for criminals.

5. Social hacking: this form of attack is usually used in conjunction with one of the aforementioned methods. In this case, criminals try to trick company employees into making mistakes. In addition to executing malware in attachments to e-mails, this can include giving out access data. The attacker often exerts pressure on the persons. For this purpose, he uses, for example, fictitious cover letters from a superior via e-mail, which indicate a particular urgency. Exploiting stressful situations is also a conceivable variant. For effective protection against cyber risks, the "human" point of attack must not be overlooked under any circumstances.

Medium-sized companies in the focus of criminals

The German Insurance Association (GDV) estimates that only about 28 percent of SMEs see a high risk of falling victim to a cyber attack. Even though the names of SMEs are mostly not known nationwide, the exposure to cyber risks remains undiminished.

There are two reasons for this:

1. Small and medium-sized enterprises use common specialized software and hardware products from large platforms. If security vulnerabilities become known here, their networks are also vulnerable to attack. Cyber criminals literally scan the Internet for hardware and software in use with known vulnerabilities. Since such searches can be automated to a certain extent, it can be assumed that every computer accessible from the Internet is regularly tested for vulnerability. Moreover, protection against cyber risks does not have the same priority at every company. For example, the late application of updates or patches can become a real problem.

2. Companies and organizations can usually be very well scouted through so-called OSINT searches. This means that information can be gathered from freely available sources and combined to form a kind of profile. Here, it's the mass that does it for the criminals. The more potential attack targets they find, the higher their chances of actually carrying out successful attacks. Since victims of cybercrime come from any industry, your company can become the focus of an attacker just by searching a keyword and a place name.

Therefore, at the end of the day, almost every commercial business, as well as organizations and government agencies, are at risk of becoming a target of cyber criminals. For this reason, you should give protection against cyber risks the necessary priority.