How hacker attacks affect the security needs of companies
The BSI has identified an “increased threat situation”, but 70% of all companies do not feel threatened at all. This is a dangerous fallacy, as small and medium-sized companies in particular are increasingly being targeted by attackers. Basic cyber hygiene could already prevent 80 percent of all hacker damage here.
The Russian attack on Ukraine also marks a turning point for IT security. In its “Update of August 3, 2022”, the Federal Office for Information Security (BSI) continues to identify an “increased threat situation for Germany“. To date, IT security incidents in this context have only had an isolated impact. However, since the end of April 2022, the BSI has repeatedly observed distributed denial of service (DDoS) attacks by hacktivists on targets in Germany and internationally. Two recent studies also show how critical the situation is for small and medium-sized enterprises.
Why cyberattacks threaten even the smallest companies
Pandemic, skills shortage and energy shortage? For most companies, these factors pose comparatively minor risks. According to the “Hiscox Cyber Readiness Report 2022“, the greatest business risk lies in cyber attacks. According to the report, almost half of the companies surveyed (48%) stated that they had been affected by at least one cyberattack in the past year. According to the report, cloud servers and business emails are the most popular gateways for attackers, while DDoS attacks are used less frequently.
It is particularly interesting that small and medium-sized companies in particular are increasingly being targeted by attackers. The results of the study show that the average number of attack attempts detected per year at companies with 250 to 999 employees rose from 45 incidents in the previous year to 69 in 2021. For companies with ten to 49 employees, the number of cyberattacks climbed from 31 to 56 incidents. The year-on-year comparison is even more devastating for micro-enterprises with fewer than ten employees: Here, the number of cyberattacks almost quadrupled (40 instead of eleven in the previous year).
A development that is hardly surprising: While larger companies are increasingly better at protecting themselves against attacks, the security hurdles for small and medium-sized enterprises are often much lower. In addition, as software and IT service providers, SMEs are often the ideal entry point for attacks on downstream large companies in the value chain. Experts have long seen these attacks on supply chains (also known as supply chain attacks) as the next big trend.
How fatally wrong the perception of current cyber threats is
Despite all the warnings and facts, the seriousness of the threat situation is often slow to penetrate the minds of those responsible. The “CyberDirekt Risk Situation 2022” study, for which the Düsseldorf-based market research institute Innofact surveyed 511 decision-makers in German SMEs, reveals a lot about the current perception of cyber threats:
- 69.5 percent of companies wrongly do not currently feel threatened.
- Almost 42 percent of the companies surveyed have not yet sufficiently addressed their own cyber risk.
- 26.6 percent of companies have been the victim of a successful cyberattack at least once in the past two years.
Risk management is correspondingly high: SMEs see weak passwords as the greatest source of danger in the working environment, which is why 50.9% of companies use regular password changes as a preventative measure. However, strong two-factor authentication (41.9%) is in eighth place among the protective measures, just ahead of active patch management, which is used by just 35.8% of the companies surveyed.
“The study on cyber security in German SMEs shows above all that, despite the high level of risk and media coverage, the topic has not yet been fully taken on board,” says Ole Sieverding, Managing Director of CyberDirekt, explaining the results of the study.
Why cyber hygiene prevents 80 percent of all hacker damage
Both studies make it clear that SMEs need to implement more preventative measures. “Regular patching, multi-factor authentication, employee training on information security and efficient crisis planning are essential for good cyber hygiene,” emphasizes Gabor Sas, Senior Underwriter Financial Lines at AGCS Austria, in the “Allianz Cyber Report 2021“. Around 80 percent of all ransomware damage could be avoided in this way.
Clean password hygiene plays an essential role in this. However, this is precisely where there is still a lack, as a recent study by Beyond Identity shows. The survey of more than a thousand German employees once again shows IT managers the most common mistakes made when using passwords:
- One in three people write their work passwords on a piece of paper.
- One in four people always use the same personal passwords.
- 14 percent share their passwords with colleagues.
- One in nine (eleven percent) has never changed their work password.
- Eight percent even send passwords by e-mail.
It is therefore hardly surprising that 42% of respondents have already had their password compromised more than twice. This can have serious consequences, because according to the “Verizon 2019 Data Breach Investigations Report“, 80 percent of hacker attacks can be traced back to weak and compromised passwords.
How two-factor authentication works in practice
However, strong passwords are only half the battle. Only the combination with two-factor authentication (2FA) ensures sufficient cyber hygiene. Google, for example, shows what a comprehensive effect the mandatory introduction of secure 2FA logins can have. The cloud giant automatically activated two-factor authentication for over 150 million users and over two million YouTubers at the end of 2021. In February 2022, Google announced that a 50% reduction in compromised accounts had been observed following the changeover. Extensive use of time-limited TOTP one-time passwords and the elimination of smartphone apps that can be compromised would certainly improve this rate even further. This is because a hardware authenticator such as the REINER SCT Authenticator does not use online services and works without an internet connection. Real-time transmission of sensitive authenticator data by smartphone malware is therefore impossible.