Cybersecurity attacks and how to prevent them
Elena Soteriou and Andreas Costi 11:07 - 23 May 2023
Cyberattacks targeting both the public and private sectors have been observed to be on the rise over the past 12 months, according to surveys on cyber security performed by the Digital Security Authority of Cyprus.
The surveys, covering 450 organisations, showed that approximately half of them (46%) fell prey to security breaches such as intrusion of systems and ransomware, with an average of three to four attacks per month. Forty-eight per cent of the organisations that were targeted and breached had financial losses averaging 23.000 Euros. As expected, the most common method (36%) used by threat actors to gain access to an organisation’s internal systems is phishing emails. Another major contributor is the lack of cyber security policies and procedures regarding the patching of systems, which is needed to keep up with technological advancements and mitigate recently discovered exploits found in the wild.
Another significant attack surface is the targeting of individuals through social engineering attacks (e.g., phishing emails, malicious SMS messages, etc.): out of 1025 individuals surveyed, 40% fell prey to such attacks, and 19% of them suffered financial losses averaging 318 Euros.
The recent attacks targeting large Cypriot establishments in the private and public sectors show that such attacks (e.g., ransomware, spyware, phishing, account takeover or impersonation attacks) are slowly but steadily shifting towards organisations based in Cyprus, as evidenced by the EU’s Eurobarometer SMEs and Cybercrime statistics. Organisations should therefore adopt proper education and awareness to strengthen their cyber security posture, so that they are able to tackle the vast threat landscape attackers utilise to gain access to internal systems.
Further to the above, several factors contribute to an attack occurring. One of the key reasons is the poor information security awareness culture of employees. Even if management invests heavily in systems and automated controls, the unintentional leakage of information that may seem harmless at the time can lead to serious implications. Having said that, the exact opposite, namely the lack of investment in crucial tools and skilful personnel and the reliance on employees alone to safeguard the organisation’s interests, also results in a poor security posture. Having adequate systems and controls, sized to the nature of an organisation, can be a life saver: they can prevent, or at least provide an early indication of, an event or malicious activity, thus allowing the organisation time to take the necessary actions. Another key reason is that, despite the numerous regulations and guidelines issued on third-party risk management, organisations (especially of small to medium size) place almost absolute trust in their vendors and do not deploy adequate internal monitoring controls. This increases their threat surface and inherent risks, leaving them vulnerable to a larger number of attacks that may not be detected in time.
Actions that can be taken to strengthen the security posture of organisations include the proper and continuous training of employees via different methods. Traditional classroom training can be complemented by a number of interactive solutions built for this purpose, accompanied by frequent newsletters with tips and relevant information on the current trends at any given time. In addition to increasing user awareness, the documentation and enhancement of ICT policies and procedures can support the consistent and proper execution of controls, as defined by each organisation, with the objective of hardening the overall environment. The combination of manual and automated controls has proven to be one of the best approaches, as not everything is black and white, and the human factor is always crucial.
Proactive actions such as frequent reviews, penetration testing activities, risk assessments and resilience testing of the overall technological environment, together with suitable monitoring tools, can give organisations peace of mind to the extent possible.
In conclusion, organisations can enhance their security posture and minimise security attacks by understanding and evaluating the increasing security risks and what they mean for each organisation individually. They should ensure that cyber security has a place in their strategy and budget, as the damages of not proactively investing in security have proven to be exponentially larger. Safeguarding information and assets is only successful if it is a collective and multilayered effort. The continuous improvement of all aspects of an information security management system is mandatory in order to accommodate the constant changes in the technological sector.
Elena Soteriou, Senior Cybersecurity Specialist, Technology Consulting, KPMG Limited
Andreas Costi, Cybersecurity Specialist, Technology Consulting, KPMG Limited