Automated cyber attacks set up by criminal organisations mean no business is immune to data theft, IDC's IT Security Conference in London has heard.
Businesses following a risk-based approach to security tend to assume that if their risk profile is low, they are unlikely to be targeted, said James Lyne, senior technologist at security firm Sophos. "This is not true because an increasing number of automated attacks target any business they can, irrespective of the company profile."
Although cyber attacks have become increasingly targeted, the use of automated search engines to look for vulnerabilities in web applications means that no business can bank on being overlooked, Lyne said.
A comprehensive security plan to mitigate these and other web-based attacks is important for all organisations connected to the internet, he said.
"Threats are increasingly becoming invisible, such as those carried out using PDF documents that are used and trusted by most businesses," said Lyne. In reality, PDF documents are easily exploited by cybercriminals, who can take control of a computer in an organisation simply by inserting JavaScript into a PDF document, he said.
An increasing number of legitimate websites are also being exploited by cybercriminals to carry out attacks using SQL injection, which is also invisible to the end-users targeted by these attacks.
Cybercriminals are focusing on stealing information, which can be done by planting malware on legitimate websites, including those routinely visited by companies under standard business processes, he said. According to Lyne, up to 70% of legitimate websites are routinely targeted by cybercriminals for information such as login credentials, intellectual property and financial information.
"Cybercriminals are outsourcing information captured in this way to specialists in various industry verticals who can make sense of the data and sell that intelligence to other criminals," he said.