Carelessness with consequences – cyber attacks in medium-sized businesses

Data theft – blackmail – system breakdown. According to the latest Bitkom e.V. study, the financial losses of companies, mainly due to extortion and system breakdowns, increased by 358% within 12 months. Jürgen Graf, head of the IT department of DPS Business Solutions GmbH (DPS BS), explains in this article how such attacks take place and where the critical points in a company are to be found.

A Monday morning in March. The employees of a medium-sized company in southern Germany start their workday and boot up their computers. An employee opens a file and an error message appears. Within seconds, access to all company data is encrypted. The CEO and IT staff are notified, but no one can access any data. An encryption Trojan has infiltrated the system unnoticed and was activated by opening the contaminated file. A hacker now has control over all company data. A ransom note promptly appears on the screen. The company finds itself in a highly critical situation: if there is no backup of the company data, the company has little choice but to pay the ransom, because even IT specialists cannot remove the Trojan once it has been activated. Even by paying the ransom, the affected company has no guarantee of receiving the promised decryption password.
Cyber attacks such as this one cause over 223 billion euros in damage to German companies every year [1]. It has long since ceased to be only large companies that come under fire from hacker attacks, as company size is no longer the sole criterion for the likelihood of an attack. Far more decisive are the company structure and the field of activity. For small and medium-sized companies with more than one location or with export business, the rate of being affected increases significantly [2]. In the Bitkom Study 2021, for example, 88% of companies with 10-99 employees were affected by theft, industrial espionage or sabotage [1]. The current DsiN practice report “Mittelstand IT Security 2020” underlines the topicality of the issue and shows that 46% of medium-sized companies were victims of a cyber attack in the survey period April 2019 to April 2020 [2]. The number of unreported cases is much higher, as a great many attacks aimed at hijacking a company’s data go unnoticed for a long time and are rarely detected immediately. This means that at least half of medium-sized companies have already had to deal actively with cyber attacks and take appropriate precautions. Measures to defend against and resolve an attack, and to restore manipulated, encrypted or deleted company data, consume considerable financial resources.

Just how commonplace cyber attacks have become can be seen in the current case of the Microsoft Exchange server security breach, as a result of which email servers belonging to German companies and government agencies have fallen victim to hacker attacks. At present it is still unclear exactly how many servers are affected; the German Federal Ministry for Security and Information Technology assumes that tens of thousands of servers have been affected.
Nevertheless, in a survey of 5,000 companies by the Hanover-based Criminological Research Institute, 69% of respondents estimate the risk of an untargeted attack to be low, and as many as 93% consider the probability of a targeted attack to be low [3].

In the area of extortion and in the event of failure, theft or damage to information and production systems or operating systems, there was a 358% increase in losses within 12 months. (Source: bitkom 2021)

The growing danger of cyber attacks is therefore well known, yet it is nevertheless often underestimated. What is the reason for this? Many companies forget that as the level of digitization increases, so does the attack surface available to attackers. Unsecured tools unwittingly open the door to potential attackers. During the Corona pandemic in particular, many inadequately secured home office workstations and unsecured connections to the corporate network were put into service. No matter how quickly processes are digitized, every step should be accompanied by preventive IT security measures and employee training to ensure effective protection. This goes hand in hand with clearly assigning responsibility for IT issues within the company. The majority of respondents to the DsiN Practice Report believe that responsibility for IT security lies with the management. The smaller the company, the more likely it is that responsibility lies with the management (in every second microenterprise) or even with the individual employees themselves [4]. What used to work well has now become a dangerous risk given the complexity of today’s hardware and software. The issues surrounding IT security have become multi-layered and complicated due to new technologies. Without additional training or further education, prevention, detection and response are hardly possible for ordinary employees. Specialized staff or the support of an IT service provider are absolutely necessary for the integration and ongoing monitoring of systems that provide preventive protection against cyber attacks.

People as a risk factor

With specialized personnel and appropriate hardware and software, an important step has been taken. But even if the management of IT security is placed in the hands of specialists, a company’s employees still play a key role. After all, people are the greatest risk factor in cyber attacks. This is primarily because three quarters of attacks are due to phishing and other malware, and these are only triggered by human action in the first place (e.g. opening a contaminated email attachment) [5]. In addition, a further source of security vulnerabilities has emerged precisely because of the sharp increase in home office use during the pandemic. Less frequent, but no less threatening, are attacks by spyware, manual hacker attacks and CEO fraud. If companies supplement the IT security systems they use with regular employee training and the integration of IT security guidelines into the corporate culture, at least the most widespread attacks can be prevented.

Awareness and prevention

In light of the sharp rise in cyber attacks, the most important message is that small and medium-sized companies in particular should not underestimate the danger. Preventive measures can effectively reduce the risk of a business-damaging attack. Companies that want to expand their IT security or put it to the test can get help from external consultants or IT service providers, and also, for example, from the “IT Security in Business” initiative of the German Federal Ministry for Economic Affairs and Energy. The offering is primarily aimed at small and medium-sized enterprises, and interested parties will find a wide range of information and assistance on the core topics of IT security. Further support is provided by the Deutschland sicher im Netz e.V. association, which offers extensive information materials as well as learning and hands-on opportunities for consumers and small businesses.

Sources:
[1] Bitkom e.V., study, 2021 and 2019, https://www.bitkom.org/sites/default/files/2021-08/bitkom-slides-wirtschaftsschutz-cybercrime-05-08-2021.pdf
[2] [4] Deutschland sicher im Netz e.V., DsiN Praxisreport Mittelstand 2020, 2020, https://www.sicher-im-netz.de/dsin-praxisreport-2020-mittelstand-it-sicherheit
[3] [5] Kriminologisches Forschungsinstitut Hannover e.V., Cyber attacks against companies in Germany, 2018/2019, https://www.pwc.de/de/cyber-security/cyberangriffe-gegen-unternehmen-in-deutschland.pdf