Cyber security is an IT (information technology) discipline based on ensuring hardware, software, and data security of computer systems and networks.
Cyber-attacks became an agenda item in the late 1990s and early 2000s, during the infancy of the Internet, mostly because of pirated game and music files that contained viruses that damaged individual computer systems and networks (our readers over the age of 30 will remember the Chornobyl virus transmitted from the pirated copy of Carmageddon 2 and various malware transmitted through the Limewire file sharing program). Today, due to the increasing volume of trade and financial transactions over the internet, we observe that cybercriminals' interest is more oriented towards corporate targets, with an appetite for mass access to financial data that can be exploited.
The most common cyber attacks are malware, ransomware, distributed denial-of-service (DDoS), phishing, and corporate account takeover (CATO):
- Malware: A general name given to malicious software that enters a system and prevents it from working properly, causing loss of hardware, software, and data. While some malware renders company computers inoperable, those known as spyware can spy on sensitive commercial and financial data by recording keyboard inputs and sending them outside the company.
- Ransomware: Ransomware, which has been on the agenda more and more in the last few years, is also a type of malware that aims to render IT systems inoperable by encrypting company data in an unbreakable form. These attacks, which are the product of an organized effort, are generally preferred by cybercriminal organisations demanding ransom in cryptocurrency.
- DDoS: Distributed denial-of-service, one of the more popular attacks of the previous decade, is carried out by sending a number of queries far exceeding the server capacity, rendering an organisation's computer systems inaccessible and unresponsive to the requests of real users.
- Phishing: Unlike the others, phishing is more likely to be carried out via social engineering than via security vulnerabilities in software. It usually occurs when attackers send a misleading e-mail to a user who has administrator authority in the system, in order to get them to leak login information.
- CATO: Attackers who take over a corporate account using malware or phishing can instruct banks to transfer money to their own accounts.
Although all of these cyber attacks exploit vulnerabilities in systems, these vulnerabilities may not always be software-based. In fact, the most effective method can be said to be social engineering attacks that exploit human weaknesses.
Levent Mükan, Cyber Risk Manager at Marsh, a global risk management company, states that social engineering methods are frequently used to ensure the success of ransom attacks against organisations:
According to IBM's 'Cost of a Data Breach' report for 2022, the average cost of data breaches in companies was $4.35 million per case. If this is a ransomware attack, the cost rises to $4.54 million - plus the ransom!
According to IBM's report, companies in the healthcare industry suffer the greatest financial damage from cyber attacks. This is followed by the finance and pharmaceutical industries. At the bottom of the list, where the technology sector ranks 4th, is the public sector. 83% of the companies in the report state that they have been exposed to multiple cyber attacks.
The human factor
Cybersecurity experts also recognize disgruntled employees as a potential security threat. For example, Palantir, which provides data infrastructure services to the UK's health system NHS, had to quickly shelve a plan to increase the pension fund deductions of long-time employees when it was met with a huge backlash from employees.
Mükan emphasized the importance of the human factor: "As with everything else, all cyber security measures are only as strong as the weakest link in the chain. When it comes to cyber security, the weakest link is considered to be humans. For this reason, attacks aimed at exploiting human errors will always remain one of the most common cyber-attack methods."
IBM's report confirms this. According to the report, companies that fully utilize AI and automation in cyber security procedures reduce the cost of an average data leak by $3.05 million. In other words, reducing the weight of the human factor saves 65.2 per cent. What's more, companies that use AI and automation diagnose and resolve data leaks an average of 74 days earlier. This means that it takes about 9 months to discover the leak instead of 11 months. These statistics also help explain why the use of AI and automation has increased by 20 per cent in the last 2 years.
According to 'The state of cyber resilience' report, prepared by Marsh in collaboration with Microsoft and 650 of the world's leading cyber risk experts, only 3% of companies describe their cyber hygiene as 'excellent'. Less than 1 in 4 companies state that their security against cyber risks is 'very good', while nearly half of cyber risk leaders state that their company's cyber security needs improvement.
- Cyber hygiene: Periodic practices to keep the users or accounts, devices, networks, and data of organisations and individuals safe and healthy (accurate, up-to-date, legally acquired, etc.).
According to both Marsh and Microsoft's reports, and reports prepared by other global companies that address cyber security, ransomware attacks stand out as the most dominant type of attack. It is stated that 71% of the cyber attacks organised on a global scale are of this type. In the European region, including Turkey, this rate is 79 per cent. Ransomware attacks are followed by personal data breaches and attacks through infiltrated suppliers or subcontractors (third parties).
Levent Mükan says, "Third parties pose the risk that I notice the most intensely here." According to Mükan, there is rising awareness and a roadmap for ransomware in the industry, but the security of these suppliers still poses an indirect threat, especially for companies that have to work with a large number of suppliers.
For example, global authentication giant Okta, a provider of secure login services to enterprises, was targeted by the Lapsus$ cybercrime organisation in the first quarter of this year, affecting one in every 40 of its customers - 366 corporate customers in total. After the attack, it was revealed that Lapsus$ had infiltrated Okta's systems through Sitel, a customer support services provider with weaker cyber security. Companies such as Microsoft and Roblox have also suffered similar attacks from third-party customer support providers.
'After the pandemic, many companies are either working hybrid or have completely switched to remote working. There are a number of risks that this poses. The most important of these is the security of devices that are normally expected to remain within the company, or at most to travel with an employee to and from home. In this context, there may be inadequate measures against risks such as theft, forgetting or loss of devices.'
On the other hand, it is possible to say that critical sectors are relatively safe.
'Sectors such as banking, energy and electronic communications, which are strictly supervised by state regulatory and supervisory organisations, have to take more serious measures against cyber-attacks. The reason for this strict supervision is simply the seriousness of the problems that may arise if these sectors come to a halt. If a single bank's mobile application becomes inoperable, it can affect not only its customers, but also other people with whom those customers do business, their families, etc. Imagine a complete shutdown of a power plant or a single region covered by one of the electronic communication operators.'
Mükan states that not only the service provided by such critical sectors but also the data they hold is very valuable. For this reason, audits and regulations are made specifically for this data.
'The data belonging to companies are subject to different legislation according to their types (such as health data, financial data, banking data, personal data). For example, if we are talking about a bank, the regulations of the BRSA also come into play. In this respect, it can be said that the data of companies may be linked to more than one piece of legislation. Companies have to take extra precautions on this type of data, taking into account the wishes of the legislator. Many companies take care to detect and close their vulnerabilities before the attackers by performing penetration tests within the scope and period ordered by such legislation. It is also worth noting that many companies are not satisfied with only the measures in the legislation and resort to extra measures.
The value of the data held by a sector is the most important factor that determines the intensity of the attack. It should not be forgotten that a considerable number of attacks are carried out with the aim of selling the stolen data on the dark web.'
State of the industry
With average cyber attack costs breaking records, 2022 is also being recorded as the year when publicly traded companies in the cyber security industry decided to 'cut costs'. The decline in the shares of technology companies and the halt in public offerings due to the deterioration in the markets seem to have deeply affected the sector.
Lacework, which received an investment of $1.3 billion at a valuation of $8.3 billion last year, announced that it would lay off 20% of its workforce, while Cybereason, which received an investment of $325 million last year, announced that it would lay off 10% of its workforce of one thousand people. Patreon, which is a subscription platform for content producers and stores members' credit cards for monthly payments, laid off its entire 5-person security team. Deep Instinct, which takes precautions against ransomware attacks using machine learning, announced that its sales team will downsize by 10% despite tripling its regular annual revenue.
Another major layoff recently took place at IronNet, which went public last year with a valuation of $1.2 billion. IronNet, founded by the former director of the National Security Agency (NSA), which was revealed to be illegally conducting mass surveillance as a result of documents leaked by the whistle-blower Edward Snowden, announced that it will lay off one out of every three employees this year, citing insufficient cash flow.
On the other hand, companies such as Snyk, Tanium and Illumio, which are not listed on the stock exchange, state that they have no layoff plans.
In the cyber security sector, where more than 400 companies operate, layoffs have affected 80 thousand employees worldwide as of mid-year.