ENISA and BKA report on cyber­se­cu­ri­ty: over­view of the big­gest threats

ENISA and BKA have published seve­ral reports in recent weeks on the sta­tus of cyber­se­cu­ri­ty in Euro­pe and Ger­ma­ny. In addi­ti­on to cur­rent thre­ats, the­se reports address the impact of the coro­na­vi­rus pan­de­mic on cor­po­ra­te cyber­se­cu­ri­ty, as well as new cyber­crime busi­ness models. Com­pa­nies should take the­se publi­ca­ti­ons as an occa­si­on to revi­se their own IT secu­ri­ty pro­ces­ses in order to adapt to the­se new thre­ats. It is also incre­asing­ly important for com­pa­nies to con­sider legal aspects when defen­ding against cyberattacks.

The Reports in Particular

ENISA Thre­at Land­scape 2020

The ENISA Thre­at Land­scape 2020 ana­ly­zes cyber­th­re­ats in the peri­od from Janu­ary 2019 to April 2020. The Thre­at Land­scape con­sists of 22 indi­vi­du­al reports in all, inclu­ding detail­ed infor­ma­ti­on about each of the top 15 thre­ats iden­ti­fied by the agen­cy. The report includes seve­ral info­gra­phics, con­tai­ning infor­ma­ti­on e.g. about how cyber­cri­mi­nals are ope­ra­ting during the coro­na­vi­rus pan­de­mic. Based on ENISA’s ana­ly­sis, the fol­lo­wing are the main cyber­th­re­ats facing com­pa­nies today:

  • Mal­wa­re, in the form of encryp­ting Tro­jans (ran­som­wa­re) or cryptominers
  • Web-based attacks, e.g. through mani­pu­la­ted web­sites or bru­te force attacks
  • Phis­hing, par­ti­cu­lar­ly by sen­ding our e‑mails with mali­cious attach­ments or links to frau­du­lent websites
  • Web appli­ca­ti­on attacks, e.g. using SQL Injec­tion or Cross-Site Scrip­ting (XSS)
  • Sen­ding of SPAM, which has rea­ched a new high during the coro­na­vi­rus pandemic
  • DDoS attacks, which inter­fe­re with the avai­la­bi­li­ty of sys­tems and services
  • Iden­ti­ty theft through the ille­gal use of per­so­nal data
  • Data brea­ches through unaut­ho­ri­zed access to data
  • Insi­de thre­ats, e.g. from insi­ders who abu­se their authority
  • Bot­nets, which allow cyber­cri­mi­nals to syn­chro­ni­ze their attacks over a lar­ge num­ber of devices
  • Phy­si­cal mani­pu­la­ti­on, dama­ge, theft and loss
  • Infor­ma­ti­on leaka­ge, which may occur e.g. due to poor­ly con­fi­gu­red systems
  • Ran­som­wa­re, to which a sepa­ra­te report was devo­ted in addi­ti­on to the No. 1 thre­at (mal­wa­re)
  • Cybere­spio­na­ge and espio­na­ge by govern­ments and other actors
  • “Cryp­to­jack­ing” attacks using mal­wa­re desi­gned to gene­ra­te cryp­to­cur­ren­ci­es (“cryp­to­mi­ning”); also the sub­ject of a sepa­ra­te report in addi­ti­on to the No. 1 threat

BKA’s Cyber­crime 2019 Sta­tus Report and Spe­cial Report on “Cyber­crime during the Coro­na­vi­rus Pandemic”

BKA’s Cyber­crime 2019 Sta­tus Report is much more com­pact than the ENISA Thre­at Land­scape 2020, but is no less infor­ma­ti­ve. It reports that cyber­crime is beco­ming incre­asing­ly pro­fes­sio­na­li­zed, and that more and more cri­mi­nal value chains are emer­ging. The grea­test thre­at to private-sector com­pa­nies, accor­ding to BKA’s fin­dings, are ran­som­wa­re attacks. In this, BKA’s assess­ment is lar­ge­ly in agree­ment with ENISA’s ana­ly­sis, as well as with our own expe­ri­ence advi­sing com­pa­nies. At the same time, BKA reports a rapid increase in the num­ber and inten­si­ty of DDoS attacks. In gene­ral, the per­pe­tra­tors of the­se attacks have glo­bal con­nec­tions and ope­ra­te on an inter­na­tio­nal sca­le with divi­si­on of labor. The best defen­se against cyber­at­tacks, in BKA’s view, are sen­si­ble inter­net users who are capa­ble of iden­ti­fy­ing and defen­ding against the­se attacks. In addi­ti­on to its state­ments about attack sce­na­ri­os and the num­e­rous examp­les it pro­vi­des, BKA’s fin­dings with regard to cri­mi­nal net­works, the so-called “under­ground eco­no­my,” are espe­ci­al­ly inte­res­t­ing. Spe­cial men­ti­on is also devo­ted to the prac­ti­ce of indus­tri­al espio­na­ge by means of cyber­at­tacks, which BKA regards as “a key method of infor­ma­ti­on gathe­ring for for­eign intel­li­gence ser­vices” as well. In addi­ti­on to its Cyber­crime 2019 Sta­tus Report, BKA also published a spe­cial report on “Cyber­crime during the Coro­na­vi­rus Pan­de­mic.” Accor­ding to BKA, the pri­ma­ry thre­ats within the con­text of coro­na­vi­rus are fake web­sites, phis­hing and mal­wa­re spamming. But at the same time, BKA also stres­ses the risk of DDoS attacks for employees working from home.

Assess­ment and Options

The fin­dings repor­ted by ENISA and BKA are not sur­pri­sing and pro­vi­de a com­ple­te pic­tu­re of the cur­rent thre­at sta­tus in gene­ral and the chan­ges brought by the coro­na­vi­rus pan­de­mic in par­ti­cu­lar. As the eco­no­my beco­mes incre­asing­ly digi­ti­zed, it is to be expec­ted that the increase in cyber­crime will con­ti­nue. Accor­din­gly, com­pa­nies will have to con­ti­nue to devo­te a gre­at deal of atten­ti­on to cyber­se­cu­ri­ty and respon­ding to cur­rent thre­ats. In par­ti­cu­lar, com­pa­nies should be pre­pared to deal with ran­som­wa­re and DDoS attacks.

Not only is this neces­sa­ry from the view­point of IT secu­ri­ty, but it may be a legal requi­re­ment as well, e.g. within the con­text of appro­pria­te tech­ni­cal and orga­niza­tio­nal mea­su­res in accordance with Artic­le 32(1) of the GDPR. One must also not over­look the fact that cyber­at­tacks have legal impli­ca­ti­ons. This may be the case in respon­se to such attacks, such as e.g. duties to report the attack to the data pro­tec­tion aut­ho­ri­ty or the Fede­ral Office for Infor­ma­ti­on Secu­ri­ty, in the case of tho­se ope­ra­ting cri­ti­cal infra­struc­tu­re, or to noti­fy data sub­jects. But com­pa­nies should also devo­te more con­side­ra­ti­on to the legal aspects of cyber­se­cu­ri­ty befo­re an attack occurs, e.g. by making con­trac­tu­al arran­ge­ments with ser­vice pro­vi­ders which are spe­ci­fi­cal­ly devo­ted to the hand­ling of cyber­at­tacks (“inci­dent respon­se”). Such con­trac­tu­al arran­ge­ments, which may include e.g. docu­men­ta­ti­on requi­re­ments, may pro­ve hel­pful when it comes to defen­ding against pos­si­ble dama­ge claims from data sub­jects or see­king recour­se against ser­vice providers.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.