Cyber-attacks are no longer exceptional crisis situations. Today, they are part of the daily reality for almost every organisation.
This blog is based directly on the analyses of our Incident Response team, which is called in every day to handle security incidents across organisations in a wide range of sectors. By systematically examining these incidents, clear patterns emerge:
in the methods and techniques attackers use,
in the consequences organisations ultimately experience,
and in who tends to be targeted.
Based on this experience, we explain how the most common cyber incidents occur today, and above all, how organisations can better prevent them.
Summary: What are the most common cyber-attacks affecting businesses? Which organisations are most at risk of cyber-attacks?
This refers to HOW attackers gain initial access. This does not automatically result in an incident, but it forms the starting point.
The most common entry methods are phishing, password stealers and malware, and unpatched servers.
Phishing remains the most widely used attack technique. It increasingly involves targeted messages that pretend to come from trusted suppliers, partners, colleagues, or internal departments such as finance or administration.
Via malicious email attachments or downloads, attackers attempt to install malware that captures login credentials, steals session tokens, or establishes persistent access.
Attackers continuously scan the internet for vulnerable VPNs, remote access gateways, outdated appliances, and unpatched web services or servers.
This phase describes when an attempted intrusion turns into a real incident and WHAT the consequences are.
Phishing, malware and unpatched servers can all lead to the outcomes described below.
When a vulnerability is successfully exploited (for example in a VPN, appliance, or web service), attackers immediately gain direct access to a system or network.
This is a critical tipping point: the vulnerability existed, was exploited, and now provides a foothold in the environment.
From there, attackers often take over Microsoft 365 accounts, abuse VPN or cloud access, or move laterally within the organisation.
Just as phishing is the most common technique, identity compromise is often the main goal.
In BEC attacks, mailboxes are taken over and used for direct financial fraud. Attackers impersonate executives or suppliers to send payment requests or modify bank details.
Ransomware is often the final stage of an attack. After stealing credentials and compromising systems, attackers encrypt data and systems and demand a large payment in exchange for restoring them.
These attacks often also cause major operational, reputational, and legal damage.
👉 These examples below illustrate several attack paths.
Based on our incidents, there are no strictly targeted sectors.
Most attacks are opportunistic. In practice, this means attackers focus on environments with a large attack surface or easy access. For example:
when mailboxes are insufficiently protected, they are abused;
when MFA is missing, access is taken;
when systems are unpatched, they are attacked;
when awareness is low, users are exploited.
However, we do see that certain profiles are more frequently targeted, such as finance, accounting, HR, IT, and executive roles, because they have broader access to sensitive information and often greater impact within organisations.
Because different attack techniques can lead to the same outcome, the biggest gains are achieved by:
blocking access from non-relevant locations;
enforcing MFA on all accounts, without exceptions;
minimising and hardening exposed VPNs, appliances, and web services.
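An added example, not part of the original post: a short Python audit that checks sign-in records against the first two measures above (location blocking and MFA without exceptions). The record fields, the country allow-list, the MFA exemption list and all sample records are constructed assumptions, not the schema of any real identity provider.

```python
# Added example: audit sign-in records against two controls from the text.
# Field names, both lists and every record are constructed for illustration.
ALLOWED_COUNTRIES = {"BE", "NL"}          # assumption: where staff actually work
MFA_EXCLUDED = {"scanner@example.com"}    # assumption: accounts exempted from MFA

SIGNINS = [
    {"time": "2024-05-02T08:01:00Z", "user": "finance@example.com",
     "country": "BE", "mfa": True, "success": True},
    {"time": "2024-05-02T08:40:00Z", "user": "hr@example.com",
     "country": "BE", "mfa": False, "success": True},
    {"time": "2024-05-02T09:15:00Z", "user": "ceo@example.com",
     "country": "BR", "mfa": True, "success": True},
    {"time": "2024-05-02T09:20:00Z", "user": "it@example.com",
     "country": "VN", "mfa": False, "success": False},
    {"time": "2024-05-02T23:10:00Z", "user": "scanner@example.com",
     "country": "VN", "mfa": False, "success": True},
]

def audit_signins(records, allowed_countries, mfa_excluded):
    """Return findings for successful sign-ins, most severe first."""
    findings = []
    for rec in records:
        if not rec["success"]:
            continue  # failed attempts gained no access; only successes are audited
        reasons = []
        if rec["country"] not in allowed_countries:
            reasons.append("outside allowed locations")
        if not rec["mfa"]:
            reasons.append("no MFA")
        if rec["user"] in mfa_excluded:
            reasons.append("account exempt from MFA policy")
        if reasons:
            # More than one gap on the same sign-in is treated as critical.
            severity = "critical" if len(reasons) > 1 else "high"
            findings.append({"time": rec["time"], "user": rec["user"],
                             "severity": severity, "reasons": reasons})
    # Critical findings first, then chronological order.
    findings.sort(key=lambda f: (f["severity"] != "critical", f["time"]))
    return findings

if __name__ == "__main__":
    for f in audit_signins(SIGNINS, ALLOWED_COUNTRIES, MFA_EXCLUDED):
        print(f["severity"], f["time"], f["user"], "; ".join(f["reasons"]))
```

The exempted account surfaces at the top because it combines every gap at once, which is why exceptions to MFA deserve the first review.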
Since identity compromise is the structural breaking point in most attacks:
awareness around phishing and social engineering remains crucial;
critical profiles (finance, HR, IT, management) deserve extra attention;
identity security must be continuously monitored and improved.
Many incidents exploit known weaknesses. Therefore, it remains essential to:
systematically patch systems;
regularly review the attack surface;
actively maintain detection and monitoring.
Cybersecurity is not a one-time project, but an ongoing process.
Preventive measures make a real difference, but even with strong basic security, preparation remains essential.
Cyber incidents often consist of multiple linked attacks rather than a single event. By clearly distinguishing between attack techniques and their outcomes, organisations gain clearer insight into where they can intervene.
Most cyber-attacks do not start with advanced techniques, but with simple shortcomings such as missing MFA, insufficient awareness, or unpatched systems.
Organisations that limit their attack surface, secure identities properly, and work with informed users prevent the majority of incidents from ever having a real impact.
Our incident response experience also shows that preparation is crucial. When an attack does succeed, a clearly defined Incident Response Plan often makes the difference between chaos and control.
Organisations that decide in advance who takes which decisions in which scenarios significantly limit the impact when every minute counts.
👉 Learn more about our Incident Response team and how we can help prepare your organisation.