Cyber attacks: what are the current trends?

Today, the question is no longer whether you will be affected by cyber attacks, but rather when and what impacts that will generate. As proof, nearly 8 out of 10 companies have been affected at least once in the last 12 months, and this is not likely to be reduced.

In addition, these cyber attacks are increasingly harmful and influential on business. Indeed, in 2019, 60% of attacks have directly impacted the business of companies: production slowed down (even completely stopped), unavailability of the website, delay in planned deliveries,… Not to mention the financial impact, certainly not negligible but nevertheless often not very well known by those responsible for information security.

In view of this observation and on the occasion of Cybersecurity Week, we want to make you aware of different possible attacks, because it is in the interest of any company to follow and catch up on the trends of these attack vectors, in order to protect oneself at best.

Human error

Have bad password practices (the famous post-it on the screen), communicate or use the same password for all applications, get trapped by possible attacks, use unsecured personal devices in the professional environment, install applications or connect a USB key found without verification,… There are many human errors regarding information security. To address this, employees training and regular tests enable to sharpen their vigilance and develop reflexes of information hygiene, and thus avoid and/or detect in time the potential attack.

Phishing, emails are no longer the only vector

The purpose of phishing is to motivate victims to reveal their personal information. To do this, the hacker sends malicious emails seem to come from reliable sources. These emails send victims to a deceptive website, asking them, in most cases, to enter their credentials or bank details.

Emails remain the most popular vector but phishing increasingly involves sms (“smishing”), communications on social media platforms, and phone calls (“vishing”). It should be noted that 78% of cyber-espionage incidents involve phishing and decoys are increasingly realistic and credible, causing a sometimes long detection time.

Targeting local administrations and companies by ransomwares

This type of virus encrypts data, making it inaccessible. Following this, the hacker contacts the user and invites him to pay a ransom in order to recover a key to decrypt his data.

These attacks affect fewer and fewer consumers and more often target administrations, organizations or companies, for which blocking their data causes a greater and more visible impact: impossibility to work, provide and deliver services, freeze on operation means (for example: transport, parking access, production line,…),…

This is clearly an extorsion attempt and in these circumstances, with a complete stop of activity, the probability of giving in to blackmail is strong! It is therefore vital to protect oneself against this kind of threat.

Mobile devices, often forgotten but to manage absolutely

Everyone has a mobile device at its disposal and uses it daily, both for professional and private use, mixing on a same equipment professional communications and personal applications (utility, instant messaging, social network, payment,…). It should be known that smartphone cyber attacks have doubled in 2018, leading to 116.5 million the number of mobile malware attacks.

On the other hand, the grand-ducal police recovers every year more than 1100 mobile phones lost or stolen in Luxembourg, the question of the level of security set up to prevent access to data on smartphones arises naturally.

It is therefore essential that these devices meet security requirements (management of access authorizations, identification, localization software, remote wipe, application control,…).

Operationalizing the cybersecurity underpinned by the GDPR

The GDPR regulation has considerably changed the landscape of data protection, imposing control along several axes: treatment, confidentiality, information protection.

Far from any attack, this regulatory obligation makes it necessary to address related issues such as encryption, access security, authentication, traceability, protection against data leakage or data wipe in the context of right to erasure.

First checks have been made and although there are no statistics on the compliance rate of Luxembourg companies, it is likely that for the majority of them, the road is still long, and these points will be addressed.