Rudimentary cyber attacks – such as intrusion attempts, information gathering and policy violations – pose the greatest risk to small businesses, according to a new report.
Experts from eSentire said that cyber criminals are moving away from high-risk, high-cost attacks to lower-level campaigns that can be prevented with basic security precautions.
Attacks using automated tools and templated, one-size-fits-all malware like ransomware are on the rise, they said, because they allow hackers to extort money and data from businesses without spending time identifying and stealing information in specific, tailored attacks.
“In 2016, the eSentire SOC detected almost five million attacks across hundreds of primarily small to medium organisations, spanning multiple industries,” said Viktors Engelbrehts, director of threat intelligence at eSentire.
“Cyber criminals are attracted to easy targets because they are low-risk, high-reward, and require little effort to execute. However, available evidence suggests that the majority of opportunistic cyber attacks against mid-sized businesses can be prevented by applying basic best practice security principles.”
March to April and September to October were the most intense periods for threats in 2016, with March being the most active month and June and July being the least active.
Intrusion attempts, information gathering and policy violations represented 63 per cent of the threats observed by eSentire’s analysts during the year. Of those, intrustion attempts were the top-ranking category, accounting for 30 per cent of all threats.
The top attack methods in the intrusion attempts category involved exploiting a Shellshock vulnerability and represented around 60 per cent of all intrusion attempts.
The researchers said that web-based attacks and network scanning were on the rise because the tools available allow cyber criminals to take “a hands-off approach”.
They added that the data shows that organisations can use seasonal threat trends to align security efforts to their advantage. For example, security awareness training is most effective when carried out between December and March, preparing employees ahead of the busiest time for threat activity, which was between March and April.
For the full report, see the eSentire website.
Matt Smith | @MattCASmith