Companies' exposure to cyber threats and cyber risks is still there and will never cease to exist; it grows enormously every day, both in the volume of cases and in the diversity of techniques, objectives and complexity.
For this reason, it is important to know which cyber incidents are most common in companies today, in order to establish a list of priorities and specific prevention measures to implement as soon as possible.
In general terms, cybersecurity remains a challenge for companies of all sizes and sectors. Cyber incidents vary in nature and can include everything from phishing attacks to large-scale data exfiltration.
By reviewing just some of the main reference reports in the sector, we can get the first brushstrokes of that canvas of corporate cyber incidents or cyber risks.
More than 50% of companies have suffered at least one ransomware attack, while phishing attacks are the main security concern for 57%, according to Cisco's Security Threat Report.
Phishing attacks and configuration errors generally caused by people (which represent 74% of cyber incidents) already account for more than 50% of data breaches, according to Verizon's Cybersecurity Report and DBIR (Data Breach Investigation Report).
Cybersecurity problems in companies can be attributed to the human factor, to people, in 95% of cases, according to the World Economic Forum's Global Risk Report.
During the last year, cyber attacks on web applications have increased by 21%, while credential-theft cyber attacks have increased by 22%, according to the Internet Security Threat Report of Smart.
A small sample is enough to illustrate the point. These are just a few examples, but there are many more, which evolve over time and, unfortunately, not always in a way that improves the statistics or the situation.
Given this scenario, some of the most common cyber incidents today are the following, or are due to the following causes (the main ones, according to existing studies, reports and analyses):
- Social engineering attacks, attacks on people, on the human factor, or attacks of any other type that begin with a social engineering action, which in most cases arrives through phishing in any of its variants (smishing, vishing, QRishing, spear phishing, etc.) or through other channels, media or tactics employed by cybercriminals. These types of attacks usually target employees within companies and, almost always, very specific employees (managers, accountants, purchasing staff, VIPs (Very Important People) and VAPs (Very Attacked People)), who are tricked into revealing private and confidential information, or into downloading and running malware without being aware of it.
- Phishing attacks themselves, whether or not they involve identity fraud (of the BEC type, Business Email Compromise), in any of their delivery modes and “flavors” (by email, by SMS, in a telephone call, by WhatsApp, when scanning a QR code, etc.).
- The previous two (social engineering and phishing of all kinds), among other types of attacks, in turn lead to data exfiltration, or data and information breaches. This is a very serious problem, since customer data, personal information, or legal, industrial or financial information of the attacked company is exposed.
- Cyber kidnappings, or ransomware attacks, whose number of cases increases considerably as time goes by, and which are becoming more and more sophisticated, more harmful, and targeted at companies of all sectors and sizes (businesses, self-employed, micro-SMEs, SMEs, large companies, multinationals). These attacks encrypt information and documents, blocking access to data and systems, and demand a ransom to restore access and decrypt them.
In addition, there are other types of threats to which companies are also exposed, although not in as great a number as the previous ones:
- Malware in general (viruses, trojans, worms, botnets, spyware, etc.), which reaches the company (its perimeter, internal and external devices, corporate network, cloud, infrastructure, etc.) through different channels (email, phishing, downloads, USBs, etc.) and carries out the malicious, illegal or harmful activity for which it is programmed. In many cases, there are still-unknown (recently created) variants or samples of malware that can be used to attack and infect. These types of attacks are often known as Zero Day, 0-Day, or Day Zero attacks.
- Vulnerability exploitation involves attacking the weakest points detected in any corporate applications or software, as well as in the network, hardware architecture, infrastructure, cloud, the organization's computer systems, and even devices (IT, OT, IT/OT and IoT). In many cases, there are still-unknown vulnerabilities that can be exploited by those who detected them before anyone else. This type of attack is also known as Zero Day, 0-Day, or Day Zero.
- Denial of service attacks (DoS / DDoS), carried out by directing, simultaneously, massive requests from a multitude (thousands, hundreds of thousands, millions) of points or devices at a single common element (web server, database, access system, data entry form, API, etc.), which becomes saturated, collapses and is left out of service, without the need to infect it or perform any other type of action. They can be of the DoS (Denial of Service) type or the DDoS (Distributed Denial of Service) type and are generally launched from a botnet (a network of computers, known as zombies, that have previously been “captured” in order to take control of them and make them perform certain actions, such as all connecting at the same time and repeatedly to a web service to cause a DoS or a DDoS, cryptocurrency mining, etc.).
- Attacks on (or from) Internet of Things (IoT) devices and corporate infrastructures are also common, especially in companies in industrial environments. In this case, attackers take advantage of security holes and incorrect configurations in devices such as cameras, printers, PLCs, smart appliances, etc.
- Code injection, or SQL injection, which consists of attacking a web service (usually through a form with data entry fields) by introducing SQL code into vulnerable fields where possible, in order to gain access to databases and extract their information.
- APTs, or Advanced Persistent Threats, considered some of the most evolved attacks, which adopt more sophisticated, complex and targeted technologies, mechanisms and strategies. These are hacking campaigns carried out continuously against an organization to gain entry and remain inside it for a long time, carrying out their harmful activity.
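To make the SQL injection item above concrete, here is an added example (not part of the original article) that puts a form handler built by string concatenation next to its parameterized equivalent and runs both on the same inputs. The table, function names and sample values are assumptions constructed for illustration.

```python
import sqlite3

def build_db():
    """In-memory database with constructed sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return db

def search_vulnerable(db, name_field):
    # Weak form handler: the field value is pasted into the SQL text, so
    # quote characters in the input change the structure of the query.
    query = "SELECT name, email FROM customers WHERE name = '" + name_field + "'"
    return db.execute(query).fetchall()

def search_parameterized(db, name_field):
    # Hardened handler: the value travels as a bound parameter and is only
    # ever compared as data, never parsed as SQL.
    query = "SELECT name, email FROM customers WHERE name = ?"
    return db.execute(query, (name_field,)).fetchall()

# Constructed form inputs: one ordinary value, one carrying SQL syntax.
NORMAL_INPUT = "alice"
CRAFTED_INPUT = "nobody' OR '1'='1"

def compare(db):
    """Run both handlers on both inputs and return the rows each one yields."""
    return {
        "normal_vulnerable": search_vulnerable(db, NORMAL_INPUT),
        "normal_parameterized": search_parameterized(db, NORMAL_INPUT),
        "crafted_vulnerable": search_vulnerable(db, CRAFTED_INPUT),
        "crafted_parameterized": search_parameterized(db, CRAFTED_INPUT),
    }

if __name__ == "__main__":
    for case, rows in compare(build_db()).items():
        print(f"{case}: {len(rows)} row(s)")
```

Both handlers behave identically on ordinary input; only the concatenated query returns the whole table when the field carries quote characters, which is why bound parameters are the fix rather than input filtering alone.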
Of course, there are many other types of cyber threats, cyber risks and cyber attacks on companies, such as:
- Those that attack their cloud infrastructures, whether internal or provided externally by a third party, and the applications hosted on them. In this case, for example, we could talk about shadow IT or infrastructure risks that are not controlled by the organization's IT department (such as cloud infrastructures contracted from cloud providers).
- Related to the previous point, especially due to the increasing dependence on third-party services, one of the most common risks, which is taken into account less often but is gaining special relevance and attention, is that of the supply chain. That is, risks that, while not the company's own or inherent to it, can affect it because they are risks of a third party that hosts its services or with which it collaborates for something specific, including partners, etc.
- Insiders, or internal threats, who, as internal users of the organization's systems (whether they are employees, suppliers, collaborators or partners), can intentionally or unintentionally carry out harmful actions due to their lack of knowledge and training, laziness, carelessness, incorrect configurations, sharing of access, credentials and permissions, use and connection of external devices to the corporate network, etc.
- Direct attacks on their information assets, such as databases (or elements containing information) of clients, suppliers, partners, users, collaborators, or the organization's own (intellectual property, patents, legal, corporate, financial, etc.), containing private and confidential information, which can produce, in addition to information leaks, serious problems for the company in economic, regulatory compliance and legal terms, and in terms of image, reputation, brand and business continuity.
- Insecure development of corporate software and applications that lack a cybersecurity-by-design philosophy, resulting in bugs, security breaches and vulnerabilities that can be exploited by third parties. The remedy is a model of Secure Software Development Cycles (SSDLC).
- The lack of technical adequacy for due regulatory compliance (lack of compliance) is another factor to take into account. In this case, failure to comply with certain defined cybersecurity and legal standards and frameworks, and with certain rules, regulations and laws, can lead to serious problems, not only because of the non-compliance itself and the sanctions or fines it can entail, but also because of the security holes and the lack of quality protection that failing to comply with them implies.
Amid this tidal wave of risks, threats and chances of suffering a cyber incident, there are underlying aspects (motives), not always technological, that, even if they do not directly cause incidents, are perhaps determining factors in many cases and a breeding ground for them to materialize. Some of them could be:
- The lack of awareness, education and training of employees.
- The continuous evolution of technology and digitalization, which requires constant and almost immediate updating. And, likewise, the (lagging) evolution of the new legislation, regulations and standards that try to regulate it and "establish a certain order of conduct", with a vision that is as holistic as possible, across a multitude of countries with characteristics that may or may not be shared.
- The economic, financial, investment and resource capacity within the organization. An organization may have the knowledge and skills to carry out its own cybersecurity strategy, but this is not usual. If cybersecurity is not its core business, or its IT area does not have those capabilities, resources or time, the normal and advisable course is to turn to external experts and to acquire cybersecurity software, applications, tools and services.
These may be the main challenges that companies must meet in order to begin to adapt, adequately protect themselves, prevent and comply.
In a world where technology is omnipresent, cybersecurity becomes essential for the sustainability and growth of any company. The risks and challenges in this area are constantly evolving, requiring a continuous commitment to solid cybersecurity strategies and a proactive mindset to face these threats effectively and efficiently.
Is your company prepared and free of cyber-threats and cyber-risks?
Maybe you need the help of professional cybersecurity services like the ones we offer at Zerolynx: Cybersecurity Services.
If you prefer, contact us and we'll talk.