IT security plays a far greater role for companies than many believe. A new study reports on current cyber attacks, outlining what the consequences are and what countermeasures you can and should take.
Despite an increasing number of cyber attacks, some companies still do not take IT security seriously enough. Small and medium-sized enterprises (SMEs) in particular often assume that they are too small to be a lucrative target for cybercriminals. Unfortunately, the exact opposite is true.
More than one in two medium-sized companies with 50 to 250 employees (57 percent) has been the victim of a cyber attack at least once in the past ten years, HDI Insurance reports. On its behalf, Sirius Campus surveyed more than 500 SMEs in Germany about their cybersecurity (PDF). Among smaller companies with 10 to 49 employees, 37 percent reported having been the victim of a hacker attack once or multiple times. Among companies with a maximum of nine employees, 31 percent reported at least one attack.
SMEs are becoming the entry point for supply chain attacks
“The frequently expressed view that smaller companies are not interesting for cyber attacks is simply not true in the real world,” said Christian Kussmann, divisional board member for Companies and Independent Professions at HDI Insurance, regarding the results of the study. Kussmann also warns against a current trend: smaller companies are increasingly drawing the attention of enterprise-level criminal operations as larger companies do more to protect themselves against cyber attacks. SMEs, on the other hand, often have weaker defenses than larger companies. Some attackers are even exploiting smaller companies as an entry point for further attacks on larger companies. Many SMEs are also service providers with connections to larger companies and are vulnerable to being exploited in this way. Security experts refer to this strategy as a “supply chain attack”.
Cyber attacks can cause immense financial damage. Almost 20 percent of the companies surveyed reported financial losses of more than 100,000 euros, 40 percent reported a loss between 25,000 and 100,000 euros, and just under a third (32 percent) reported losses below these amounts. On average, damages caused by successful attacks amounted to around 95,000 euros, according to HDI Insurance.
Remote working, Bring Your Own Device (BYOD) and cloud services have created new attack vectors that cybercriminals are trying to exploit with increasingly sophisticated methods. This is also confirmed by techconsult, which belongs to the renowned Heise publishing group. On behalf of its partners, including NCP, the analysts carried out a study on the current situation of IT security in Germany from a company perspective. In the past twelve months, more than half of the companies surveyed were affected by cyber attacks. Nearly a quarter of these companies were affected more than once.
Although 42 percent stated that they had not been targeted by a cyber attack at all, it is questionable whether this is actually true. Analysts often caution that such figures may be inaccurate, because successful attacks frequently remain undetected. The number of unknown cases is therefore difficult to estimate. Additionally, techconsult found that phishing, ransomware, insider attacks and Business Email Compromise (BEC) are among the biggest threats for companies. Denial of Service (DoS) attacks and cloud account compromise also continue to pose a significant threat.