Cyber Security: 10 tips to effectively protect your company from cyber attacks

What do companies like Jobrad, Deutsche Leasing, United Hoster, Badische Stahlwerke, Bayerischer Rundfunk, Flughafen Hamburg, and Sky Deutschland have in common? At first glance, not much. What unites them is that they all became victims of cyber attacks in 2023. The consequences: operational disruptions, revenue losses, high costs for data recovery, and reputational damage.

In 2022, 81 German companies were victims of a cyberattack, although the number of unreported cases is certainly much higher. The perpetrators did not differentiate in the selection of their victims according to the size or prominence of the companies. Every company has data that is interesting for hackers. Therefore, you must also take measures to ensure Cyber Security.

What is Cyber Security?

Cyber Security refers to the measures and technologies that companies employ to protect their systems, networks, data, and digital assets (such as photo, video, audio, and graphic files) from unauthorized access, data loss, theft, and other threats. It encompasses a variety of areas, including network security, data security, information security, access controls, and incident response (detecting cyber threats and responding to them).

Why is Cyber Security so important?

As mentioned earlier, no company is immune to becoming a victim of a cyber attack. In 2017, the financial services provider Equifax had the personal data of around 145 million US citizens stolen, including the crucial Social Security numbers. In 2019, Facebook had over 533 million records stolen by hackers, including users’ phone numbers and email addresses. However, the record-breaking breach occurred at Yahoo, where the data of 3 billion user accounts was stolen.

If you’re thinking that your company doesn’t have that many customers and is therefore not likely to be targeted by hackers, you’re mistaken. Even small and medium-sized businesses regularly fall victim to cyber attacks. This can result in significant financial losses, damage to reputation, and the loss of trust from your customers.

What types of cyber attacks and threats are there?

Cyber attacks can occur in various forms. The most common ones include:

Phishing

Phishing is a form of fraud in which attackers use fake emails, websites, or messages to obtain your personal information. These deceptive communications can appear convincingly genuine and attempt to deceive you into disclosing sensitive data such as usernames, passwords, or credit card information. For example, you may receive an email that appears to be from Amazon, claiming there were payment issues with your recent order and requesting you to provide your account details again.

Malware

Malware is an abbreviation for “malicious software.” It includes viruses, Trojans, ransomware, and other harmful programs that are installed on your devices without your knowledge. This malware can steal your data, block your computer, or grant unauthorized access to your system. The most common type of hacker attack nowadays is through ransomware. Ransomware refers to malicious software that encrypts the computer or server owner’s data, denying them access and usage. The hacker then demands a payment to restore access to the encrypted data, although there’s no guarantee that payment will result in data recovery. For example, in 2017, the WannaCry ransomware spread globally on the internet, infecting systems running unpatched older versions of Windows. The Deutsche Bahn was also affected by it.

Anyone who saw this on their screen in 2017 had to fear for their data.

Denial-of-Service (DoS)-Angriffe

In a DoS (Denial of Service) attack, attackers attempt to incapacitate a server, website, or network by overwhelming it with excessive traffic. They send a large volume of requests to the target, causing it to be unable to handle the influx of traffic and thus becoming inaccessible to legitimate users.

Man-in-the-Middle attacks

In a Man-in-the-Middle (MitM) attack, an attacker positions themselves between two communicating parties who believe they are directly communicating with each other. The purpose is to intercept and manipulate the traffic flowing between them. The attacker can, for example, steal confidential information such as passwords or credit card numbers, or alter the content of messages. It is like a form of eavesdropping, where the attacker intercepts and can even control the conversation.

Social Engineering

Social Engineering refers to attacks where attackers attempt to exploit human vulnerabilities instead of overcoming technical security measures. This can be done through manipulation or deception of individuals to gain access to sensitive information. For example, victims can be persuaded via email, phone calls, or even in-person interactions to disclose sensitive data such as bank details.

Zero-Day Exploits

Zero-day exploits are security vulnerabilities in software or operating systems that are not yet known and for which no patch or fix has been released. Attackers can exploit these vulnerabilities to gain unauthorized access to systems before developers can address them. Such security flaws can, for example, lead to the deployment of ransomware, as seen in the case of WannaCry.

Insider Threats

Insider threats occur when someone with authorized access to systems or data intentionally or accidentally causes harm. This can be an employee stealing confidential data or unintentionally causing security breaches through careless behavior. It can also occur when a hacker gains access to the system using stolen employee credentials or when former employees still have valid access credentials and maliciously misuse them.

10 important tips for Cyber Security in companies

1. Raise awareness among your employees. Train your employees regularly on current threats, fraud schemes, and best security practices. Awareness is the first step in strengthening cybersecurity.
2. Prepare for potential cyber attacks to be able to respond quickly. Conduct drills and simulate possible attack scenarios. Discuss and establish roles and responsibilities, such as who has the authority to shut down the web server or take specific network segments offline. Ensure that someone is always available for emergencies, even outside of office hours and without a functioning network.
3. Regularly update your systems. Keep operating systems, applications, and security software up to date to address known vulnerabilities. Also, encourage your employees to perform regular updates on their computers.
4. Establish password policies in your company to ensure that your employees use strong passwords and change them regularly. Additionally, it is recommended to utilize multi-factor authentication and password vaults.
5. Protect your networks from unauthorized access by utilizing firewalls, intrusion detection systems (IDS), and encryption mechanisms.
6. Secure your data. Perform regular backups and store them in a secure location. Encrypt sensitive data and use appropriate access controls.
7. Implement strong email security. Utilize filters and spam detection to identify and block phishing attacks. Train your employees to distinguish phishing emails from genuine ones and avoid clicking on links or disclosing important data without caution.
8. Establish authorization and access controls. Grant employees only the necessary access rights to systems and data. Monitor access and employ strong authentication methods.
9. Train your suppliers and partners. Extend your security measures to external parties who have access to your systems or data to minimize potential vulnerabilities.
10. Engage in information exchange about threats and security measures within networks. Consider joining UP KRITIS (Critical Infrastructure Protection Association) or the Alliance for Cyber Security for collaboration and knowledge sharing.

Stay informed

If you follow all of our tips for Cyber Security, your valuable company data will be well protected. However, these measures do not provide 100% protection. Hackers seeking to steal company data are persistent and resourceful. Therefore, remain vigilant and stay updated on the latest threats and security tips.