Increasingly organised and sophisticated, cybercriminal networks thrive without borders and launch formidable attacks, to which SMEs remain largely vulnerable. Laura Peytavin, a CISSP-certified pre-sales consultant at Proofpoint, shares her analysis of the changing nature of cyber threats and her advice for business leaders.
What is your assessment of the cyber threat to businesses, especially SMEs?
This threat, which is at an all-time high, represents tens of billions of dollars a year in financial losses for businesses. With such gains, it is understandable that cybercriminals are prospering and becoming more professional: they are no longer isolated individuals but real industrial ecosystems with channels, specialities, stolen databases that are sold… For these organised systems, borders do not exist. This is the reason why Governments are getting worried, and explains their willingness to help managers protect their companies as they have become aware of the extent of the threat. Today, the question of cybersecurity is not whether I will be attacked but when. Although SMEs may be attractive targets to a greater or lesser extent depending on their turnover, the possession of innovations through patents, or particular technologies, they are nonetheless prime targets: for most, the technological resources allocated to their cybersecurity are rudimentary and rarely go beyond simple antivirus software.
But although attacks are becoming more and more sophisticated, the cybercriminals’ primary mode of attack is still human – in concrete terms, deceiving someone into clicking or downloading – and hackers therefore continue to use human cues: provoking a sense of urgency or seriousness, preferably at times in the late afternoon when employees are more stressed. At Proofpoint, we see hackers using hacked email exchanges to place the elements of impersonation within a business setting. They then send the most personalised message possible through all existing digital channels – by email of course, as it has the greatest anonymity and is almost free – but also by SMS or phone calls. Cybercriminals have become professionals who analyse their target, launch a multi-channel attack and then do an ROI analysis.
Do these cyber attacks come from specific entities or organisations?
Hackers are above all digitally literate individuals. We are dealing with real talents who know exactly how the hardware and software layers of digital systems work and are on the lookout for the slightest vulnerability. Some are based in Europe and North America, others in Russia, China for the biggest contributors, the Middle East, South East Asia, and some countries on the African continent which have a real talent pool in this area. As I said, these are networks that know no borders… but they still need to be anchored in the country they are targeting: to deceive a French manager, for example, it is necessary to rely on local know-how, mastering the language and cultural codes.
It is important to understand the breakdown of cybercriminals’ income: half comes from attacks with malicious content, typically ransomware, which has been the most widely used tool since it emerged in 2014. Companies whose data is held will eventually pay, because the cost of their losses is too high for them – it is these much talked-about billions that allow the hackers to thrive, pay for their network and invest in technological tools. The other half is obtained through fraudulent messages, by impersonating people known to the target in order to get them to make a financial transaction at their expense. Where previously we had “silo” attacks, mainly by email – phishing – we now have smishing – by SMS – and vishing – by phone call. In particular, the three converge to increase the channels used for the same attack.
How can SMEs protect themselves or at least reduce the level of risk?
As we can see, the methods used by cybercriminals are increasing in number and their sophistication is remarkable, and this applies to their attacks too. Small entities, SMEs and SMIs, are far from being equipped with sufficient tools or software to respond to the scale of the threat, and this explains the ROI of cybercriminals: the vulnerability of companies sustains the profit of hackers, which in turn sustains their rise to power… A vicious circle that must be broken. The French Government is aware of the situation and the need to protect the vital fabric of its economy: there is aid available to companies to strengthen their resources and training to raise awareness of the correct procedures to adopt. Patches, updates and regular revisions of the software infrastructure are essential.
But it must be borne in mind that the primary source of vulnerability is and remains human. Managers must therefore train their employees, exercise vigilance and appoint a Data Protection Officer – a measure imposed by the GDPR – even if the company has only five employees. In view of the presidential elections, CESIN recently made a series of cybersecurity proposals*: the eighth consists of the obligation for companies to carry out an annual cybersecurity flash diagnosis. These are all reflexes that are becoming economically vital for companies to integrate, in view of the new world of work, between the cloud and teleworking; in a word, with more open systems and, therefore, a potential attack area which is even more open.