Cybersecurity: Not all Attacks are Equal

By moving a growing part or their entire business online, companies’ vulnerability increases exponentially. Still, only a fraction are prepared to fend off potential cyberattacks. To be precise, 64% of leading European businesses think it is possible that their company has been hacked without them knowing, according to the latest study by RSM, prepared for the European Business Awards.  

The research surveyed 597 business decision makers across 33 European countries. Considering that 80% of them say digital transformation is a current strategic priority, the ratio is worrying, to say the least. Worse, a fifth of them don’t have a cybersecurity strategy in place and of those who do, only 48% believe that it will be able to protect them from a breach.  

It may provide reassurance that not all breaches end in a successful attack. “In fact, breach itself is a vague expression”, says security specialist Boldizsár Bencsáth, CEO at Ukatemi Advanced Threat Mitigation Technologies Hungary, and assistant professor of the Budapest University of Technology and Economics.  

“Breaking into a front-end system, such as a webpage, which shows the data of a company, is not in the same category as client data or credit card theft,” he explains.  

Blind Attacks

“A hacker attack happens every 39 seconds – that is true. But the fact that a computer is attacked doesn’t necessarily mean it is a targeted attack,” he goes on. And even if an attempt is successful (for example, hackers manage to gain access to a secretary’s computer by sending a fake conference invite, that contains malware, to her boss), there is no certainty they can proceed if the rest of the system is isolated.

Targeted attacks usually follow a pattern: a hacker enters the system by spearphishing, also known as watering hole attacks. After their foot is in the door, comes the lateral movement phase, where they try to get from, say, the secretary’s computer, which may be the least protected, to the developers who have access to servers. These phases are more or less the same everywhere, though the tools used may be different.  

“The reason why we are explaining the entire circle is because an attack can be stopped at each phase,” Bencsáth says.  

According to the study, almost half (46%) of successful attacks target under-trained employees via emails, with 22% of businesses still providing no cybersecurity training to their staff, the survey finds.  

Boldizsár Bencsáth

Most Vulnerable

“Attackers usually look for the most vulnerable point in a system which are under-trained employees,” Bencsáth agrees. Therefore, companies should hold security awareness training for all their employees, he adds. This may not provide 100% security but it is still useful; following such training, employees are better able to spot an attack and thus become more conscious of what they are doing.

What also works in favor of companies is time, as the lateral movement phase usually takes much longer than is depicted in movies, where hackers enter a system in just a few minutes. In real life, hackers run several attacks.   

Another little-known aspect of cyberattacks is that most remain unknown. The European General Data Protection Regulation (GDPR) requires firms to report certain types of data breach within the first 72 hours of detection, yet 75% of hacks never become public knowledge and only 23% of businesses informs the regulator following a breach.  

“Many don’t even recognize they have been attacked. And when they do, they still consider it a risk to their reputation, and financial risks may also be involved,” Bencsáth notes.  

Reputation

Reputational damage is a key concern for respondents, although genuine confusion appears to be driving the lack of transparency, according to the study. A third of businesses admit that they do not understand the circumstances in which they would need to report a breach.

Despite all the risks, middle market businesses remain resilient in the face of cyber risk. Of those surveyed, 86% say that the increased risk of cyberattacks has not dissuaded them from investing in digital transformation, the study says.  

Some 29% of businesses expect their revenue to grow as a result of digital investments, with cloud technology the biggest area of focus. “Exposure is a complex question,” Bencsáth says. “If the question is: ‘Is there is a chance of getting involved in a more or less successful attack?’ then the answers is yes. But do companies feel cyberattacks pose a significant risk on their business?: They don’t.”  

If companies were to spend roughly 2% of their revenue on security – both cyber and physical – that would be a reasonable rule-of-thumb figure, the cybersecurity expert says. What they chose to spend it on can varies: they may choose to hold training, buy software, or even hire external services.  

It is unrealistic to expect a company to be fully resilient and up to date in most cases. There are exceptions, the bank sector being an obvious point in case, but most businesses still have a lot to do to improve cybersecurity.