A recent study analyzed more than 14 million websites around the world to assess the current state of cyberspace, and the findings are more than worrying. Among them, an estimated 4.1 million websites are currently infected with malware. One figure is even more alarming: twice as many cyber threats were recorded in 2021 as in 2020. The reasons for this acceleration of online insecurity are many; among them are the global pandemic and the rise of remote work, which exposed numerous cybersecurity weaknesses, as well as the current geopolitical context. Ransomware, phishing, account hijacking and other cyberattacks aimed at stealing user and company data are therefore very likely to increase in the coming years.
But a paradigm shift is under way within these growing cyber threats: online attacks are increasingly automated and industrialized. The preferred targets? According to ANSSI, VSEs, SMEs and ETIs (mid-sized companies) are the entities most affected, accounting for 34% of victims in 2021. So why are we increasingly ineffective against hackers, and SMEs in particular?
Small businesses, more fragile than ever
First of all, remember that websites are attacked on average nearly 63,000 times a year, 172 times a day, or 8 attacks per minute worldwide. Figures that once again make CIOs pale! Among the companies affected, SMEs have been identified as the most fragile, but they are not always aware of it. Attacks against SMEs increased by 53% in 2021 compared to the previous year. Yet for the time being, nearly half of SMEs believe they are too small to be targeted, while half of them have already been victims of attacks…
And the consequences can be serious, handicapping these companies in the short term as well as the long term, even forcing them out of business. Beyond the damage caused by the attack itself, such as the loss of sensitive data or intellectual property, there are many other negative externalities. First, the breakdown or outright unavailability of the SME's website, making any digital interaction with its prospects or customers impossible.
Then comes the loss of time and the drop in productivity for employees deprived of their work tools and/or having to manage an unprecedented crisis situation at short notice. Finally, the most obvious but also the hardest to manage: the damage to reputation and to customer trust, ultimately leading to lost revenue or even the complete closure of the company. The French social landlord 1001 Vies Habitat testified in 2021 following a devastating cyberattack from which it had still not recovered almost a year later: it was still juggling the rebuilding of its IT infrastructure with the impatience of its suppliers and tenants and the weariness of its teams.
In this context, it is worth noting the high vulnerability of sites managed with a CMS (Content Management System) such as WordPress, even though these are widely popular among SMEs. Easy to learn and requiring little or no knowledge of website development, a CMS offers the perfect solution for small businesses looking to establish an online presence quickly (blog, showcase site, contact form, etc.) and at lower cost. But the other side of the coin shows a completely different reality… Websites running WordPress are 39 times more prone to attacks than other websites.
In addition, plugins, the add-ons that extend a website's functionality, also affect the vulnerability of the CMS. With 5 plugins installed on a website, the risk of attack is almost doubled! The major risk is a plugin infected with a "bot" or malware, providing a backdoor to access site data.
The inexhaustible growth of bots
While SMEs are still too poorly armed to defend themselves and therefore make ideal targets for hackers, it is worth looking more closely at how these attacks are carried out. We have moved from attacks conducted manually against chosen targets to more sophisticated, even fully automated, attacks. Although the more artisanal attacks are fewer in number, they are also more dangerous, because the hacker is generally going after a very specific target. The main culprits behind the new high-volume attacks are bots: pieces of code written by hackers to perform repetitive tasks. Make no mistake, the problem remains the same, because behind every bot is a malicious actor.
This tool can become an ultra-powerful vector, because bot automation multiplies the force of an online attack and industrializes attacks on a scale never seen before. Hackers thus have a whole new arsenal for carrying out various types of attacks, from simple email phishing, which makes harvesting passwords easy, to denial of service (DDoS, a technique that consists of saturating a service or website).
And the numbers don't lie. In 2021, SMEs received bot traffic amounting to 5.5 times the visits generated by real Internet users, i.e. more than 2,300 weekly visits per site concerned! With just one simple bot, a hacker can hit thousands of IP addresses. Finally, according to a study conducted by CyberArk (2022), 68% of bots have already had access to sensitive data and assets. A trend likely to be confirmed by the rapid development of new AI-based technologies.
The attacks will therefore intensify and grow ever more ingenious. Tomorrow, it will be increasingly difficult to tell human traffic from bot traffic. Beyond deploying the traditional countermeasures, such as keeping certificates up to date and automating cybersecurity systems, it is imperative to take the bull by the horns. In this respect, the provisional agreement recently reached by the Council and the European Parliament on the NIS2 directive is excellent news! Europe intends to considerably increase its investment in cybersecurity, to reach an envelope of 4.5 billion euros.
The objective: to improve cooperation between Member States and speed up progress on several fronts in order to better protect companies and organizations, from cybersecurity training to the use of cryptography and the implementation of risk assessment and management policies and procedures… To be continued!
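The bot-to-human traffic ratio quoted above is the kind of figure a site owner can measure for themselves from an ordinary web server access log. The script below is an added example written for this article; it is not part of the original text or of any product it mentions. It parses a handful of constructed Apache combined-format log lines (the IP addresses, timestamps and user-agents are made up), groups requests by client address, and flags an address as probable bot traffic using three assumed heuristics: an automation-style user-agent, a sustained request rate above 60 per minute, and five or more POSTs to WordPress login endpoints. The thresholds and the user-agent list are assumptions chosen for illustration, not values from the article.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed (non-exhaustive) user-agent fragments typical of scripted clients.
AUTOMATION_UA = re.compile(r"python-requests|curl/|wget/|scrapy|headless|bot|spider|crawler", re.I)
# WordPress endpoints that scripted credential-guessing traffic concentrates on.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}
MAX_RATE_PER_MIN = 60   # assumed threshold: more than one request per second, sustained
MAX_LOGIN_POSTS = 5     # assumed threshold: POSTs to login endpoints from one address

# Constructed sample log: one human visitor reading two pages, then a scripted
# login-guessing burst of 20 POSTs inside ten seconds from a second address.
HUMAN = [
    '203.0.113.10 - - [10/Mar/2022:08:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0"',
    '203.0.113.10 - - [10/Mar/2022:08:00:09 +0000] "GET /contact HTTP/1.1" 200 3100 "https://shop.example/" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0"',
]
BOT = [
    '198.51.100.7 - - [10/Mar/2022:08:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" '
    '"python-requests/2.27.1"' % (1 + i // 2)
    for i in range(20)
]
SAMPLE_LOG = HUMAN + BOT


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def profile_traffic(lines):
    """Group requests by client IP and derive per-address behavioural features."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    profiles = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span_s = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        rate = len(recs) / max(span_s, 1.0) * 60  # requests per minute over the observed window
        login_posts = sum(1 for r in recs if r["method"] == "POST" and r["path"] in LOGIN_PATHS)
        profiles[ip] = {
            "requests": len(recs),
            "rate_per_min": rate,
            "login_posts": login_posts,
            "user_agents": {r["ua"] for r in recs},
        }
    return profiles


def classify(profiles):
    """Return {ip: [reasons]}; an empty list means the address looks like a human visitor."""
    verdicts = {}
    for ip, p in profiles.items():
        reasons = []
        if any(AUTOMATION_UA.search(ua) for ua in p["user_agents"]):
            reasons.append("automation user-agent")
        if p["rate_per_min"] > MAX_RATE_PER_MIN:
            reasons.append("request rate %.0f/min" % p["rate_per_min"])
        if p["login_posts"] >= MAX_LOGIN_POSTS:
            reasons.append("%d login POSTs" % p["login_posts"])
        verdicts[ip] = reasons
    return verdicts


def bot_to_human_ratio(profiles, verdicts):
    """Requests from flagged addresses divided by requests from unflagged ones (None if no human traffic)."""
    bot = sum(p["requests"] for ip, p in profiles.items() if verdicts[ip])
    human = sum(p["requests"] for ip, p in profiles.items() if not verdicts[ip])
    return bot / human if human else None


if __name__ == "__main__":
    profiles = profile_traffic(SAMPLE_LOG)
    verdicts = classify(profiles)
    for ip, reasons in verdicts.items():
        print(ip, "BOT" if reasons else "human", "; ".join(reasons))
    print("bot/human request ratio:", bot_to_human_ratio(profiles, verdicts))
```

On the constructed sample the scripted address trips all three heuristics and accounts for ten times the requests of the human visitor. On a real log the same per-address profiling is what lets an SME quantify its own bot share, decide on rate limiting or login-endpoint protection, and spot plugin-targeted probing; a single heuristic on its own (the user-agent string in particular, which a client can set to anything) is easy to evade, which is why the verdict combines several.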