35 percent of all companies that count as critical infrastructures (CRITIS) have fallen victim to an attack from the Internet in the past twelve months - in some cases with serious consequences for their operations. One in three attacks even posed a significant threat to third parties. The most common type of attack is phishing. This is the result of a recent study by the research and analyst firm techconsult. The study is supported by Rohde & Schwarz Cybersecurity. The survey involved 200 decision-makers from CRITIS companies with more than 250 employees. Another finding: many CRITIS companies lack basic or suitable protective measures against attacks from the Internet.
Munich, November 3, 2021 - Almost half of the companies surveyed rely on the caution of their employees when it comes to defending themselves against malicious links and attachments in emails. Accordingly, they were advised not to open any attachments as a matter of principle. At the same time, according to the study, the most common attacks on CRITIS companies are phishing attacks (56 percent) - i.e., a type of attack designed to trick employees into opening infected attachments or links. One in three companies said that clicking on such an email had already resulted in a security incident. In the healthcare, finance and insurance, and media and cultural institutions sectors, this was the case for as many as seven out of ten respondents.
"A reference to not opening attachments is a completely inadequate protection against cyberattacks," warns Peter Burghardt, managing director of techconsult. "Humans make mistakes and such mistakes can have serious consequences. This is especially the case with critical infrastructures. After all, a failure or severe impairment of grocery stores, hospitals, banks or energy suppliers can lead to disruptions in public safety or supply shortages." Dr. Falk Herrmann, CEO of Rohde & Schwarz Cybersecurity, advises CRITIS companies: "To protect themselves from malicious attachments or links in emails, these companies should instead use appropriate technical means."
Unsuitable protective measures
Surfing the Internet also poses major risks for CRITIS companies. Most study participants are aware of this: only four percent of the companies surveyed take no measures at all to protect themselves against attacks from the Internet. But the means chosen for protection are mostly inappropriate. For example, more than a quarter of the companies restrict the possibilities for employees to use the Internet by not allowing active elements such as Flash, ActiveX and JavaScript. Such measures have significant consequences for productivity. 40 percent of participants who have blocked active elements stated that they can now only use a fraction of the Internet pages relevant to their work, which is accompanied by a considerable loss of information.
Herrmann warns: "Restrictive measures in Internet use are a danger to a company's competitiveness. Such restrictions on Internet use not only make for ineffective work, but also cause frustration among employees. CRITIS companies should instead use technical means to be able to use the Internet securely - the most suitable is a virtual browser."
Virtual browser protects against Internet threats
A virtual browser allows users to surf the Internet without hackers gaining access to corporate networks. R&S®Browser in the Box from Rohde & Schwarz Cybersecurity, for example, closes the "Internet" security gap by enabling a "digital" quarantine for hacker attacks. Complete isolation takes place at the computer level, so that malware is kept away from the rest of the user's PC. In addition, at the network level, access to the Internet is separated from the intranet. The internal corporate network (intranet) is thus completely separated from the Internet. This mechanism also protects against attacks via email attachments or during web conferences with microphone use and webcam support.
The level of security risk varies widely across industries. While a total of 35 percent of the CRITIS companies reported being have been affected by successful cyberattacks, more than half of all companies in the transport and traffic and water management sectors have suffered an attack. In the food sector, as many as 80 percent have been affected.
Browser is gateway No. 1
In the past twelve months, companies in the transport and traffic sector in particular have been attacked by malware that was smuggled in via the web browser. More than half of the companies surveyed from this sector experienced such a drive-by download attack. In this attack method, malware is unintentionally downloaded by the user via the web browser, simply by calling up a web page that has been prepared for this purpose.
"The browser is the No.1 gateway for malware to enter corporate networks," Herrmann emphasizes. "The study clearly shows: there is an urgent need for action among CRITIS industries to close this gateway to the highly sensitive corporate network to cybercriminals.
Click here to download the study (available in German only).