The majority, 80 percent, of cyberattacks happening right now are opportunistic crimes perpetrated by attackers who are simply taking a chance because they can.
This is according to principal security researcher at Kaspersky David Emm who spoke at a briefing the cybersecurity firm held in Johannesburg this week. The researcher was giving attendees an idea of what sort of threats locals and especially businesses face.
While opportunistic crime makes up the majority of attacks, targeted attacks and advanced persistent threats are causing concern as well.
A major area of concern for both governments and businesses should be these advanced persistent threats (APTs) as the actors behind them can be state-sponsored and their danger lies in the fact that they can spend ages in a network and avoid detection and removal. Attackers could be looking to conduct espionage and steal trade secrets or conduct business email compromise to siphon funds and information from a target.
If you want to learn more about APT groups, we highly recommend this resource compiled by Mandiant which helpfully outlines active groups and what threats they tend to deal with.
“It may be very small in percentage [0.1 percent] but it’s huge in terms of significance because they [APT groups] tend to be focussed on government agencies, critical infrastructure, a big focus on cyber espionage and also just disruption and so on. Its impact on cyber infrastructure can be huge,” Emm explains.
Cybercriminals are ramping up their attacks against businesses because they are a lucrative target. Kaspersky notes an increase in web threats targeting corporate users of 24 percent and phishing attacks targeting corporate users have increased 134 percent just between Q2 and Q3 2023.
One of the stats that should be a concern in Africa is the rise of attacks targeting Industrial Control Systems (ICS). Kaspersky notes a 31 percent increase in ICS attacks throughout Africa in Q3. These attacks tend to target manufacturing operations. This figure is lower, 22 percent, in South Africa which is below the global average but the fact that attacks are climbing should ring alarm bells for industrial business owners.
Keep your house clean
As Emm lays out, APT groups aren’t just blindly targeting businesses. The spray-and-pray approach to cybercrime can work but over the years criminals have learned that being more fussy about who is attacked can be quite lucrative.
Spear-phishing, where a specific employee is targeted, gathering information about employees on social media and even just dropping USB drives in the parking lot are all viable ways attackers can compromise an employee and gain access to a business.
Of course, attackers can just take advantage of vulnerabilities in software a business might use. Kaspersky reports that Microsoft Office accounts for 70 percent of vulnerabilities exploited, with browsers a distant second with 12 percent of attacks.
Cybercriminals are well aware of the vulnerabilities that exist in popular software and while Microsoft might move fast to dispense patches, companies tend to be slow in applying those updates. Even ordinary non-business users drag their feet in applying patches and updates that could prevent compromise.
Education about cybersecurity is key to addressing the growing threats we face online. When asked when we should be starting to educate people about cybersecurity and the threats online, general manager for Kaspersky in Africa, Andrew Voges was quick to say as early as possible.
For instance, Voges notes that incorporating cybersecurity education into schooling from an early stage is a great idea as a roadmap to upskilling folk. This roadmap is particularly important to address the lack of cybersecurity skills in the working world.
One other important point Emm tacked on to that statement is a focus on the ethics of cybersecurity. It’s not enough to just tell youngsters about cybersecurity and threats but we need to focus on why unethical hacking is bad. Stories like Marcus Hutchins’ serve as a great way to showcase how unethical hacking can land you in big trouble, especially if you one day decide to use your knowledge for good.