Cyber security: What's important for your IT security

Protecting a company against cyber security attacks & threats doesn't have to be a mammoth task. In this aticle, we share important IT security insights with you and your employees.

The importance of cyber security is growing with the ever-increasing threat of cyber attacks. In Germany alone, the number of companies that were the target of a cyber attack was around 17.7 million in 2019 (published by Statista Research Department, Dec. 15, 2022). In the Allianz Risk Barometer, the threat of cyber risks has also ranked first for several years. There is no question, that cyber security has gained enormous importance.

At the same time, it is important to understand that cyber attacks and technologies are constantly evolving. While the basic concepts such as phishing, social engineering, and the like are here to stay, new "phishing schemes" or targeted attacks that take advantage of technological advances, for example in artificial intelligence (AI), are constantly evolving. Vishing, deep fakes and phishing emails generated via ChatGPT are just the beginning.

In this article, we will cover the basics of cyber security as well as key developments and evergreens in the field.

Cyber Security, IT Security, or Information Security?

The terms cyber security, IT security and information security are often used interchangeably but actually have different meanings.

IT Security 

IT security protects digital information in technical systems, in other words "everything that has a plug". Typical protective measures include virus scanners, firewalls, backups, e-mail encryption or multi-factor authentication. All these technical measures are designed to ensure that sensitive information does not fall into the wrong hands (confidentiality) and that IT systems are available when they are needed (availability).

Information Security

IT security is a subset of information security because, unlike IT security, information security is concerned not only with digital information but with all types of information, for example, including physical information (e.g., prototypes or printed documents) as well as the "spoken word" (in meetings, telephone calls, etc.). Information security is also more of a comprehensive risk management: Sensitive information is identified, potential threats are determined, and then the appropriate protective measures are derived and written down in security policies. The implementation of these measures in the technical IT systems is then the task of IT security.

Cyber Security

And cyber security? This is where it gets exciting. Cyber security is actually just a new word for IT security, but many people now equate it with information security, because a large proportion of attacks on information originate in cyberspace... and because it simply sounds much cooler. :-)

Attack Vectors in Cyber Security: People

Most of the attack vectors in cyber security mentioned below rely on humans as the gateway.

This is because even if a system is optimally protected (which it rarely is in practice), attackers can still penetrate systems by deliberately deceiving, manipulating or exploiting human vulnerabilities and spread ever further there by lateral movement.

That is why cyber security trainings and general awareness through security awareness campaigns are an elementary component of a security strategy.

Illustration of a phishing simulation

Most Common Attack Vectors via People:

  • Malware: 'Malicious software' is the generic term for all malware written by hackers to penetrate and damage and/or spy on other people's computers.
  • Viruses: A virus is malware that can infect a computer system and make changes to it on its own. Computer viruses, like real viruses, can spread to other systems without the user's intervention and thus cause enormous damage very quickly.
  • Trojan: A malware that disguises itself as useful software. When installed, the malware is secretly installed in the background. Most Trojans have a very broad set of hacking capabilities: they can steal or modify files, read messages and chats, turn on webcams and record all keyboard strokes to capture passwords, for example. Unlike viruses, Trojans do not replicate automatically.
  • Ransomware: A made-up word from the English 'ransom' and software. This malware encrypts computer systems and then extorts a ransom from victims to obtain the key. Ransomware is currently the biggest threat to virtually all businesses, especially APT Ransomware attacks.
  • APT Ransomware: A ransomware attack by highly professional criminals. They infect their victims with malware, then penetrate further into the network step by step until, within a few weeks, they have control over all of a company's important IT systems: Databases, backups, email systems, domain controllers. During this time, they steal data from these systems in parallel. When all important systems are under control, they encrypt them and ransom the company with sums in the millions. If they don't want to pay, the criminals additionally threaten to publish all captured data.
  • Social Engineering: Social engineering is the generic term for manipulating and deceiving people in order to obtain confidential data and information. Attackers pretend to be someone they are not in order to trigger actions in their victims, such as entering passwords, opening an attachment, or transferring money to a specific account.
  • Phishing: Phishing is a made-up word from "password" and "fishing", i.e. "fishing for passwords". This refers to all the fake websites, e-mails, text messages or the like that criminals use to impersonate a specific person in order to obtain a victim's personal information. Phishing is therefore a variant of social engineering.
  • Vishing: Vishing is a further development of the made-up word phishing when it comes to telephone calls, i.e. "voice phishing". Here, too, the aim is to obtain confidential information, but this time via the telephone.
  • Smishing: Smishing originates from "SMS phishing", i.e. phishing via SMS. So it's basically phishing, only that the communication channel is a text message instead of an email. Here, too, the victims end up on fake websites or triggered to install malware.

Most of the attack vectors in cyber security mentioned so far rely on people as the gateway. That is why cyber security training and general training through security awareness campaigns are an elementary component of a security strategy.

Attack Vectors in Cyber Security: Systems

Another attack vector in cyber security is attacks on IT systems, i.e. servers or applications, for example by hacking or exploiting zero-day vulnerabilities.

However, the widespread division into "attacks on people and systems" is misleading, since the systems are also developed and operated by people.

In fact, most successful attacks on systems are also the result of human error.

Cyber Security Qualification Matrix

Our day-to-day experiences often show us:

  • Systems that have vulnerabilities because they are not up to date (= patched).
  • Administrators who use the same password for different systems
  • Developers who do not check their software code for typical attacks like SQL injection

The exploited vulnerabilities in the systems are only rarely "unavoidable", such as when there is simply is no update (security patch) for a vulnerability yet. Much more frequently, hackers exploit vulnerabilities that could have been avoided, if developers and IT-Admins were more aware of security best practices.

Cyber security awareness is urgently needed in IT, perhaps even more urgently than for "normal users", because IT usually works with privileged rights and an attack can therefore cause significantly more damage than would be the case for a user with restricted rights.

Administrators and developers, however, require completely different content on the subject of cyber security. That is why there are two special training courses, Cyber LABs for Administrators and Cyber LABs for Developers, which address precisely these requirements and contents.

Find out more about the often forgotten target group of IT professionals.

IS-FOX Cyber Security Trainings

Our IS-FOX Cyber Security trainings have been developed by our in-house Cyber Security specialists. And this difference can be seen in the content. At least, that's what our customers say.

Our e-learning courses are suitable for small, medium and large companies and can be integrated into your own learning management system (LMS) or operated via our IS-FOX Cloud. Adapted to your company's guidelines and corporate design, of course.

Try a Cyber Security Training Demo by yourself?

Our content speaks for itself. That's why we show our demos completely without obligation and without annoying disclosure of contact details. For our interested parties and customers we also have a protected demo area with all content.

Laws & Regulations in The Cyber Security Sector

The Cyber Resilience Act (CRA) - What's it all about?

Technical and digital products used or manufactured by companies and distributed to end customers are part of supply chains. These, in turn, are popular and frequent targets of various types of cyberattacks, as it is not uncommon to be able to harm multiple parties simultaneously and thus capture more. Imagine tampered or insecure chips that end up being built into company computers and cell phones ... pretty nasty outcome.

For these products, the draft requires that appropriate cyber security measures, appropriate to the risk involved, be implemented as early as the design, development, production phases and also during commissioning and use. A distinction is made here between so-called low-risk and high-risk categories. However, we are still in the implementation phase here. The success of the CRA depends not only on its specifications being practicable and implementable, but also on whether a company is aware of its vulnerabilities and has the appropriately trained personnel available - including the indispensable cyber security awareness.

Cyber security Trends of growing relevance to businesses

Social Engineering

People are clearly at the center of this ever-increasing, though not new, threat. As the interface between private and professional information, they often offer a direct route to a multitude of data. This presents companies with a huge challenge, because it is not only systems and devices that need to be up to date with the latest security standards, but also their employees.

Illustration of a phishing simulation

Cybersecurity and Remote Work

The Covid 19 pandemic in particular has spurred a tremendous increase in remote working. Many businesses and households are challenged to bring their premises and equipment up to a cybersecurity level as quickly as possible to sufficiently protect them from internal and external attacks. As the trend of remote working continues, this protection must be provided not only in the short term, but also in the long term. This is often not so easy, especially when working from different locations with third-party Wi-Fi networks and the like.

Illustration of an e-learning environment

Infrastructures as a target of attack

As cyber criminals become more specialized and do not back down from virtual aggression, a stable and protected infrastructure is becoming increasingly important. This is not only the case in highly sensitive sectors such as medicine, healthcare and aviation security.

Politicians are largely aware of this and are working on new laws and regulations that companies must adhere to. In Germany, there is also the KRITIS umbrella law, which sets minimum requirements for critical infrastructure providers to make the overall system more resilient. For companies that want to have their information security certified, there is ISO 27001, for example.

Multi-Factor Authentication (MFA)

This is technology that companies can actively use to protect themselves and their employees, as it is currently considered the highest authentication standard. But even here, caution is advised: not all methods of MFA are equally secure. Program-based tools such as security keys and app-based variants have a higher level of protection than phone-based ones, as criminal actors can sneak in relatively quickly and easily here. This can have troublesome consequences, especially in online banking or cloud service sharing. Besides, a second factor also does not protect against social engineering or targeted phishing attacks. Here again, it is a matter of awareness among employees.

Rise of Phishing Attacks and New Phishing Verticals

Speaking of phishing: With an all-time high of around 300,000 attacks - in 2019 alone - phishing has become one of the most common forms of cyberattacks. So, it was only a matter of time before new variants would emerge here.

Smishing, for example, involves sending convincingly authentic-looking SMS and text messages from alleged postal services, for example, in order to trick potential victims into disclosing private information. Another new variant is vishing ('voice phishing'), in which automated telephone calls are made in an attempt to persuade the recipient to hand over access data, etc.

Even more perfidious: in spear phishing, cybercriminals even go so far as to enrich their email scam with publicly available information (e.g., from social media) in order to specifically target certain individuals for deception. This can even go as far as becoming a social engineering attack. The scams are on the rise, and so is the threat to all users.

Artificial intelligence (AI)

There's no getting around the current trend of artificial intelligence - and no discussion about it either. The debate is heated: Opportunity or danger? The same applies AI with regards to cyber security. Here, too, AIs can be seen both positively and negatively. Companies that use artificial intelligence to enhance the protection of their data, infrastructures and systems can fend off potential attacks in an automated manner, or at least detect them more quickly and mitigate them considerably in financial terms.

At the same time, of course, criminals have also jumped on the AI train and use it for their own purposes, such as datapoisoning and ransomware.

No matter from which perspective you look at artificial intelligence - one thing is certain: it will have a major impact on developments in cybersecurity in the future.

The 'Internet of Things' (IOT)

What about devices that are neither computers, phones, nor servers, but are still connected to the Internet? Just think of smartwatches, voice assistants, smart cars, smart refrigerators. They are all part of the rapidly spreading digitization, spurred by the work-from-home trend.

The endless proliferation of devices naturally increases the risk of cyberattacks, as they significantly increase the attack surface. To make matters worse, these devices have various vulnerabilities - for example, a lack of storage capacity that barely leaves enough room for firewalls and antivirus software.

Cloud Services

They have proven extremely useful - especially during the pandemic - as multiple users can access data from different locations. This makes the cloud efficient, cost- and space-saving. However, cloud services must be well configured.

But that's not all: employees must also be aware of which cloud services are allowed to be used. When users start using cloud software on the Internet themselves, insecure interfaces or incorrectly configured cloud settings can quickly become a gateway for cyber threats.

Implementing secure cloud protection measures is essential for companies and requires a certain level of IT know-how and an understanding of internationally varying legal requirements.

What now? Target group-oriented training as an all-purpose remedy in the future?

Technology and processes are only as good as those who develop, support and ultimately use them. While the initial focus was exclusively on broad-based training on cyber security awareness, the trend in the future will additionally focus on training for specific target groups and their needs.

After all, the finance department will need a different form of training than an IT admin or executive assistant, and they in turn will need a different one than production employees. 

Our conclusion

In the rapidly evolving and expanding world of cyber security trends and technologies, it's not easy to keep an overview - at IS-FOX, we've made it our goal to incorporate cutting-edge information along with exciting and easy-to-understand content into our online cyber security e-learning courses, and we make it a priority to ensure that the modules can be customized at any time to meet the needs of any organization.

This is the best way to determine which technologies best suit you and which trends you are most susceptible to. There is something for everyone in our training courses! :)

Demo? Prices? References?

Get a demo access and let us talk about your needs in a web meeting. We will show you what we have successfully implemented in comparable customer situations.