This is one of the most frequently asked questions during the security incidents and crises I have been involved in: "Why my organisation?". Why were these affected organisations attacked and could they have prevented the attack? Every day I advise and support companies that have become victims of cyber criminals. In this blog, I would like to take you along in answering this question.
How does an attack take place?
There is not just one way that attackers use to hack into organisations. The attackers have different motives and use different methodologies. The time it takes to perform a successful attack varies. Sometimes it is a matter of minutes and in other cases it is months. The longer attackers go undetected, the more successful the attack is likely to be.
Yet there are patterns to be recognised in the way attackers operate. This also applies to the way attackers launch an attack and gain initial access to an organisation's IT environment. These are four examples:
- the attackers send a phishing email containing a virus to organisations that ultimately give them access to the environment;
- the attackers send a phishing email to companies to retrieve the login details of the employees;
- the attackers scan for vulnerabilities in externally reachable infrastructures and exploit them;
- the attackers guess (brute-force) passwords or use leaked passwords.
Once the attackers gained access to the organisation's IT environment, they can further explore the environment and take actions to achieve their goals. Organisations that are sensitive to this type of attacker are organisations that have not taken the right measures against the above actions.
What can I do?
If a customer asks me "but Lisa, we have set up the correct security measures, how could the attacker still get in?" the answer is mostly: your basic measures were not in order. Examples of this are:
- multi-factor authentication is missing on interfacing accounts;
- updates and patches are not (timely) executed;
- the e-mail environment is not properly secured, e.g., an anti-phishing solution is missing;
- employees are not trained in recognizing and acting on phishing emails;
- there is no anti-virus solution with behaviour-based monitoring (EDR) installed.
In addition, the advice is always to take measures at several layers within your organisation, such that the damage can be limited even after initial access.
But why?
“My organisation will not be hacked, as we are not interesting enough for attackers”.
But is that really the case?
Currently, 80% of the cyberattacks are caused by external actors*, such as criminal groups, script kiddies and hacktivists. These attackers are often looking for a financial gain.
For example, the attackers ensure that:
- an affected organisation transfers an amount to the attackers' bank account number by adjusting invoices;
- affected organisations cannot (easily) restore their environment after a ransomware attack and hopefully pay the ransom fee;
- they steal information from the organisation and sell it on the dark web to other criminals.
The faster and easier money can be earned by the attackers, the better. So, you could say that you are interesting for these attackers if your basic measures are not good enough. And vice versa; the better your basic measures, the less likely you are to become a victim of a cyberattack. I regularly compare this with running a marathon: if you walk too slowly, you will be picked up by the sweeper.
At the same time, other motives of attackers are also conceivable. For example, attackers can also be after interesting information, such as intellectual property or sensitive company information. The attacks that are carried out for this are often aimed at a specific (interesting) organisation. In general, these types of attacks require more time and money and are more sophisticated.
Depending on the type of attack you have been affected by, I can tell you "why your organisation". But I would rather make sure you do not become a victim and I do not have to answer the why-question.
Lisa de Wilde advises and supports organisations that would like to prepare for security incidents and crises and/or that have become victims of cyber criminals.
* = According to the Data Breach Investigations Report 2022.