Facts and suggestions case by case

Video of Mobire Estonia AS, car rental company

• Digitisation involves hidden risks that must be acknowledged.
• Attacks through service providers are a persistent risk that also affects their customers.
• Safe development principles must be followed when developing software or digital services. This significantly reduces business risk.
• Continuous security monitoring and surveillance of digital services help companies quickly identify attacks and minimise possible damage.
• Security testing of business applications helps boost confidence on both sides – clients as well as business partners.
• Every month, Estonian companies fall victim to invoice frauds, ransomware attacks and other cyber schemes. In the worst cases, a company can lose tens or even hundreds of thousands of euros.
• Criminals exploit technological vulnerabilities as soon as they find them. These vulnerabilities allow unauthorised access to companies and business applications. Access is often gained through outdated software.
• Unpatched software creates favourable ground for attacks. Therefore, it is very important to regularly update software.
• Weak, missing or easy-to-guess usernames and passwords are easily avoidable risks. The use of factory passwords also poses a great risk.
• It all starts, of course, with the user and cyber hygiene. The easiest route for an attacker is social engineering: attackers can simply direct the user to click on a suspicious link or enter their data.

• Trained and informed employees
• Well-managed office and work tools
• Securely developed software

Video of EstHus, manufacturer of wooden houses

• Most initial attacks and information-gathering attempts are communication attacks. They attempt to gather technical information about either the company’s digital protection or its network structure.
• A communication attack can be, for example, a phone call, SMS or email conversation.
• Attackers can pose as clients and refer to a previous conversation with a partner or an employee. For instance, an attacker can take over the conversation and turn to an employee for additional information.
• The employee sees that the conversation has indeed taken place, which lends it legitimacy. The primary goal here is to build trust so that information can be phished.
• A social communication attack can also be masked as a “survey”. If the attacker has a budget, participating in the survey may even be rewarded with a small gift. The purpose of the survey is to get answers on topics that the attacker is interested in.
• Usually, the goal of a physical attack is to gain unauthorised access to office premises and plant a “bug” either in a computer or in the office.
• A physical attack can be, for example, copying the office door card.
• A physical attack can also be carried out unknowingly by an employee. For instance, a criminal might “forget” a USB stick, CD, etc., in the restroom or car park, and the finder inserts it into their computer in good faith. Such media can infect the computer so that it can be remotely controlled later, bypassing digital protective barriers.
• A physical attack can also be more complex. For example, by setting up a Wi-Fi network with the same name near the office, it is possible to hijack the company’s computers, because users assume they are connecting to the right network.

• Safe working practices in the office, as well as home offices
• Trained and informed employees
• Well-considered information exchange with partners

Video of Finants ja Marketing OÜ, accounting, marketing

• Estonian companies lose about 1 million euros per year to cybercriminals.
• Cybercrime poses tangible business risks.
• Smaller companies are increasingly targeted due to their perceived vulnerability.
• The company’s annual report can be a source of information for malicious attackers.
• The ransom is usually 5-10% of the company’s turnover from the previous year.
• Publicly available data on company employees on social media and elsewhere on the internet aids attackers in gathering information and strategising attacks.
• Preparation for a ransomware attack can begin 2 weeks to 2 months before the actual attack.
• Accessing a small company’s computer network can help gain access to a larger partner company and serve as a springboard for a larger attack.
• Cyber hygiene is essential, regardless of the size of the company.

• Trained and informed employees
• Competent IT managers
• Cyber-conscious clients and partners