Recklessness promotes cyberattacks
Phishing attacks are particularly popular among cybercriminals. The attackers try to obtain confidential and sensitive data by deceiving or misleading their victims. This type of attack falls under social engineering, which, besides e-mail attacks, also includes USB dropping, fake text messages via SMS, and fictitious telephone calls. In the case of e-mail, the message carries a malicious attachment or a link to a fake site. It may promise profits or inheritances, but it may equally look like a legitimate offer from a known supplier or customer, so that the potential victim's reluctance to interact with it is as low as possible.
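As an added example (not part of this article), the following Python script applies two of the points above on the defender's side: it flags a mail whose display name poses as a known supplier while the sender address belongs to a different domain, and it flags links whose visible text shows one address while the underlying href points elsewhere (or to a bare IP address). The sample mail, the supplier list and every domain in it are constructed for the example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing mail (all names and domains are made up).
# It poses as a known supplier and hides a foreign link behind a
# legitimate-looking URL in the link text.
SAMPLE_MAIL = """From: "Acme Supplies Billing" <billing@acme-supp1ies.example>
To: buyer@victim.example
Subject: Overdue invoice - action required
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please settle the open invoice via the portal:
<a href="http://198.51.100.23/portal/login">https://portal.acme-supplies.example/invoice/4711</a></p>
</body></html>
"""

# Hypothetical list of suppliers the company actually works with
# (assumption: maintained by the company, keyed by the supplier's real domain).
TRUSTED_SUPPLIERS = {"acme-supplies.example": "Acme Supplies"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from HTML anchors."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Return the lowercase host part of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _is_ip(host):
    """True if the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_mail(raw, trusted=TRUSTED_SUPPLIERS):
    """Return a list of human-readable findings for a raw RFC 5322 mail."""
    msg = message_from_string(raw)
    findings = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()

    # 1. The display name claims to be a known supplier, but the actual
    #    sender domain is not that supplier's domain.
    for domain, name in trusted.items():
        if name.lower() in display_name.lower() and sender_domain != domain:
            findings.append(f"sender impersonates {name}: {address}")

    # 2. Links whose visible text is a URL for a different host than the href,
    #    and links that lead to a bare IP address.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        href_host = _host(href)
        if re.match(r"https?://", text) and _host(text) != href_host:
            findings.append(f"deceptive link: text shows {_host(text)}, href goes to {href_host}")
        if _is_ip(href_host):
            findings.append(f"link to raw IP address: {href}")

    return findings


if __name__ == "__main__":
    for finding in analyze_mail(SAMPLE_MAIL):
        print("FLAG:", finding)
```

Run against the sample mail, the script reports the impersonated supplier, the mismatch between link text and href, and the raw IP target; a mail from the real supplier domain whose link text and href agree produces no findings. Such heuristics are no substitute for mail-gateway controls, but they illustrate the two questions an employee is asked to raise before interacting: who really sent this, and where does the link really go.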
Weakest link
Ultimately, the human factor is decisive. If employees, as the supposed last line of defense, do not question the sender or content of an e-mail but interact with it, the risk of a successful attack is extremely high.
Such attacks can ultimately cause enormous financial and reputational damage to companies. A possible loss of trust among customers and partners, the cost of leaked data and know-how, the cost of remediating consequential damage, and possible production downtime or order cancellations are just a few of the consequences that a successful cyber attack could bring.
If the attack ends in the encryption of data, the encryption used, which attackers adapt again and again, is usually not easy to break in order to regain access. Companies that have not backed up their data regularly and protected those backups explicitly should nevertheless not pay the demanded ransom under any circumstances; instead, they should seek advice from experts on how to handle the situation. After all, it is questionable whether the systems will even be decrypted once the ransom is paid.
Cybercriminals will continue to resort to phishing attacks in the future: the technical security already built into many systems reduces their other attack possibilities, which makes humans the weakest link in the chain. Moreover, such attacks can be carried out with significantly less know-how and on a larger scale than classic hacker attacks. Ultimately, the success rate is decisive: regardless of the company's size, one distracted or careless employee is enough to trigger serious consequences for the company. In percentage terms, for example, it is enough for one person in 1000 employees (= 0.1 percent) to fall for the phishing mail. Hardly any other attack scenario offers such a high probability of success, and it is correspondingly underestimated, especially in the SME sector, where funds and resources for IT security are often scarce and sufficient know-how is not available.
Regular training
The decisive keyword is awareness. Repeated, well-constructed awareness measures for employees, adapted to the current security situation, are the key to taking the wind out of the sails of phishing attackers. After all, without human interaction with the phishing mails there is usually no increased risk, provided the company's technical measures match the security level currently required. In addition, awareness training is inexpensive compared to the recovery costs after a cyber attack. However, it must take place regularly and always be adapted to the current security situation.