Cyber threats, digital habits and investments: Companies err on the side of overconfidence

2023-09-18 09:44:18

In Tunisia, we see a real gap between awareness of cyber risk and the action taken to mitigate possible risks… Companies know that cyber security is an important subject, but they struggle to make informed decisions.

How do Tunisian small and medium-sized businesses approach cyber security? Do they feel exposed to risks? What advice can we give to companies for better resilience in terms of cyber security? It is these questions and many others that the latest study carried out by the world leader in cyber security, Kaspersky, focusing on the maturity of Tunisian SMEs in terms of cyber security, attempts to answer.

Entitled “Cyber threats, digital habits and investments: what maturity for Tunisian companies?”, the study surveyed 300 Tunisian companies, employing 10 to 250 employees, in order to better understand their perception of cyber security, their level of knowledge, but also the actions deployed in their company to fight against cyber threats.

764,015 malicious files in five months

The observation is there and it is very bitter: companies remain lucrative prey for cybercriminals who continue to target them by using all kinds of sophisticated methods and persisting in their efforts to infiltrate these companies.

Among the methods used, we cite in particular the exploitation of vulnerabilities, the use of phishing emails, deceptive SMS messages, even seemingly harmless YouTube links, etc., all with the aim of obtaining unauthorized access to sensitive data.

This worrying trend highlights the urgent need to strengthen cyber security measures to protect SMEs against relentless attacks from cyber threats as, internationally, the report reveals that the total number of detections of these malicious files targeting SMEs, during the first five months of 2023, reached 764,015.

“Vulnerability exploitation has been the most widespread threat to SMBs across the world, representing 63% of all detections in the first five months of 2023. This malware targets software vulnerabilities, allowing cybercriminals to execute malware, escalate privileges, or impede the operation of critical applications without warning. No user interaction is necessary,” the report emphasizes, while adding that phishing and scam threats also represent a significant risk for SMEs.

In this same context, the Kaspersky report draws attention to a method frequently used to infiltrate employees’ smartphones, called “smishing”, a cunning combination of SMS and phishing. This technique involves sending the victim a text message containing a link, distributed through various platforms such as SMS, WhatsApp, Facebook, Messenger, WeChat… If the unsuspecting user clicks on the embedded link, their device becomes vulnerable to downloading malicious code, which compromises its security.

What is the situation in Morocco?

For Morocco and Tunisia, the figures are quite suggestive of growth in the digitalization of SMEs, on the one hand, but also of the attractiveness of businesses for cybercriminals. According to the document, for these two neighbors, the trend is unfortunately increasing between the first half of 2022 and the first half of 2023, both in the number of attacks detected, in the number of employees directly targeted and in the number of unique malicious files.

In Morocco, in the first half of 2023 (from January 1 to June 30), 324 types of malicious files targeting SMEs were detected by Kaspersky tools. These targeted 430 unique employees and were detected and blocked 4,176 times, meaning each malicious file was propagated numerous times. It is interesting to note, not without concern, a strong growth in the threat in the month of June 2023. Indeed, over this single month, 84 unique malicious files were detected, targeting 158 unique users and spotted 1,771 times in total across the Kingdom.

In comparison, in 2022, over the January-June period, 165 malicious files targeting Moroccan SMEs were detected. These files had been encountered by 90 unique employees and detected more than 2,212 times over the same period.

The situation is a little different in Tunisia

For Tunisia, the figures are also increasing between the first half of 2022 and the first half of 2023, regarding the number of malicious files spotted and the number of individuals targeted. On the other hand, the number of attacks per file was much higher in 2022, reaching nearly 10,000 occurrences blocked by Kaspersky, compared to just over 2,000 in 2023.

According to published figures, in 2023, no less than 340 types of malicious files targeting SMEs were detected by Kaspersky tools. These targeted 342 unique employees and were detected 2,362 times, meaning each malicious file was distributed numerous times. In comparison, in 2022 over the January-June period, 103 malicious files targeting Tunisian SMEs were detected. These files were encountered by 99 unique employees and detected more than 9,647 times during this period of the year.

During the month of June 2023, we see in Tunisia, as in Morocco, a strong growth in the threat compared to the rest of the year with 66 unique malicious files, encountered by 44 employees and detected 621 times.

67% of companies believe they are well protected

The report finds that Tunisian companies are quite confident about the risks of damage that a potential cyber-attack could cause to their business.

On the one hand, only 20% of responding companies consider themselves personally exposed to cyber risk and 63% do not consider themselves at all concerned. On the other hand, when asked about the consequences of a potential cyber-security incident, a small proportion of them perceive the risks of loss of customers (14%), loss of money (16%), or loss of sensitive data (21%), as probable.

One in five businesses (21%) consider the risk of espionage from hackers or third-party actors likely, and roughly the same number consider it possible that ransomware could block access to data and cause an occasional decline in activity. Only 17% of respondents believe that a cyber attack can cause physical damage. As for the loss of reputation and the departure of employees, they worry only 19% and 20% of responding companies respectively.

These figures may make sense in Tunisia since 67% of companies believe they are well protected against cyber threats. 68% of respondents also believe they understand all aspects of cyber security and 72% say that all strategic company decisions are made based on cyber security considerations.

From a practical point of view, when Tunisian decision-makers are asked whether they are certain that former employees of the company no longer have access to old company files, 77% respond yes. 78% of businesses are also sure they know who to contact in the event of a cyber attack. So, on paper, Tunisia is a country where SMEs are rather aware and seem mature in terms of cyber security.

“In Tunisia, businesses err on the side of overconfidence. A significant number of them are convinced that the simple fact of installing a firewall or an antivirus protects them from all threats. In any case, Tunisian companies are aware of the need to protect themselves. However, like many countries, the problem lies in the use of information and data provided by technological solutions. The latter often cannot be done correctly due to lack of time or skills,” comments Pascal Naudin, Head of B2B Sales for Kaspersky North, West and Central Africa.

Only 20% have an enterprise security solution

In terms of habits and practices adopted within companies, 45% of respondents say they have a strong password policy correlated with frequent backup strategies. If this figure is promising, because the approach is indeed important, we are entitled to wonder: what about the 55% who say they do not have this policy? Put in parallel with the 60% of respondents believing that they are not exposed to cyber risk, or the 66% attesting to knowing all the ins and outs of cyber security, this raises questions!

The study indicates that only 20% of respondents have an enterprise security solution, allowing the IT manager to manage all security updates and patches.

Among the other worrying responses in terms of protection against cyber threats, we can note: 21% of respondents emphasize having a perfect understanding of their IT ecosystem and are capable of mapping their network, 10% advocate anticipation and invest in threat intelligence and, finally, 15% of them do not have a cybersecurity strategy, because they do not feel exposed.

“Moreover, these figures echo the reasons why managers do not invest more in cyber security: 42% of respondents believe that they have never been victims of cyber attacks and therefore that investment is not worth the effort. 32% justify their lack of investment because they are not exposed,” underlines the document, while adding that in Tunisia, we see a real gap between awareness of cyber risk and the action taken to mitigate possible risks, as companies know that cyber security is an important topic, but they struggle to make informed decisions. In this regard, the need for awareness is still great.

What are the barriers to investing in cybersecurity?

When asked about barriers to investing in cybersecurity, only 22% cite the lack of internal resources while 17% believe they lack knowledge on the subject. For the most part, they do not invest because they do not feel exposed (41%) or because they have never experienced a cyber attack (27%).

According to Pascal Naudin, “the first barrier linked to investment in cyber is the lack of knowledge of cyber risks by company managers. As long as they see cyber security as a cost line item on a balance sheet, they will not be fully aware of the risks involved.

We regret that CISOs (responsible for information systems security) cannot deploy the solutions they want to protect their company due to lack of financial or human resources. Ultimately, in the event of a serious cyber-attack, the amounts spent to remedy it are far greater than the budget that would have had to be invested to prevent the incident from occurring.”

In this regard, the problem encountered on the market, on multiple occasions, revolves around the unsuitable nature of the solutions adopted by companies. Indeed, these are adapted neither to the size and real exposure of the company, nor to its capacity to exploit said solutions. This is an additional complication, because companies do not exploit the solutions to their full potential. Furthermore, a mismatch in the solutions deployed is always a failure. If they are oversized, the cost will be too high for the real exploitation of the solution’s opportunities and the ROI (return on investment) will be poor.
