

By now, we all know that cybersecurity is a fast-paced industry with lots of evolving threats and novel attack vectors. Every newspaper and social post has told us so.
In recent years, the news has been awash with worrisome warnings that artificial intelligence (AI) is proliferating threats at speed, as well as flashy headlines prophesying that hyper-realistic deepfakes will soon be here to infiltrate organizations with ease.
This paints a slightly scary picture for teams already strapped for time, budget, and resources. Whilst these are legitimate threats that do deserve attention, the average organization is far more likely to be targeted by more ‘traditional’ means, like phishing and ransomware, not least because these are easier for hackers to carry out.
So, why are traditional threats still so prevalent despite little airtime? And how can organizations better protect themselves against the most basic threats?
Getting Into the Mind of a Hacker: Low Effort, High Reward
To understand why it’s so important to nail down the basics of cyber hygiene, we first need to get into the mind of a hacker. The bottom line is that new and sophisticated attack vectors often take much more time and effort to develop and deploy. In many cases, ‘off-the-shelf’ kits aren’t readily available online yet; if they are, they’re likely expensive. What hackers want is low risk and a high reward. Why go through extra effort when you don’t have to? It’s like trying to pick a lock when a window is already wide open.
What’s more, the dark web is littered with relatively cheap tools that help hackers infiltrate organizations with ease and little technical skill. In this case, AI has, for many, lowered the barriers to entry and helped cybercriminals speed up (and in some cases automate) deployment. Although AI may be used to speed up the process, the initial attack vectors (and the solutions) stay the same.
Take phishing, for example. Phishing remains one of the leading attack vectors for cybercriminals. On the dark web, a basic kit can cost around $25, with some more complex kits costing hundreds of dollars. Like any service or tool, the more you pay, the more you get. A more comprehensive kit could contain things like email templates, website builders, malicious scripts, traffic blockers, decent data collection tools, comprehensive contacts lists, and more. Phishing emails are pretty easy to deploy, with a relatively good success rate. This is because phishing plays on the human element of cybersecurity, often viewed as one of the ‘weaker’ links.
A phishing email can cause panic and distress, leading to an emotionally driven response (i.e., clicking on a link). Cybercriminals can also leverage AI to, among other things, write realistic emails, hyper-personalize malicious communications, and automate information gathering on potential victims. In the case of phishing, despite evolving tactics by cybercriminals, good cybersecurity awareness training and a solid security stack can reduce risks significantly.
The Rise of Infostealers
Additionally, recent research has shown that infostealers have become a new leading attack vector for cybercriminals, rising by 58% in 2024. Infostealers, which are mainly used to access corporate resources on personal devices, can efficiently manage, process, and sell large quantities of logs, serving as the first step towards huge corporate network breaches. Infostealers aim to exfiltrate credentials and sensitive data, which can then be sold on.
On the dark web, infostealers are often listed as malware-as-a-service (MaaS), where buyers receive regular updates, customer support, and documentation with their purchase. Again, this lowers the barrier to entry for cybercriminals, making it a relatively easy attack to carry out. Notably, infostealer distributions often rely on a ‘spray-and-pray’ approach, as opposed to targeting specific organizations, highlighting the opportunistic side of cyber criminality. Some of these kits sell on the dark web for as little as $150 per month (Redline Stealer).
To target victims, hackers spread infostealer malware through creative means, including phishing emails, malvertising, deceptive adverts, counterfeit websites, and more. Evidently, although infostealers are a novel tool, the initial attack vectors are relatively simple, and risk can be avoided through basic cyber hygiene, including awareness education, access controls, and simple, tested, and reliable tools, like Endpoint Detection and Response (EDR).
Cyber FOMO?
So many new threats and attack vectors have, naturally, brought about lots of new tools and solutions to stop them and minimize risk. ‘Tool sprawl,’ the accumulation of multiple tools and solutions for the same purposes, has, in its own way, become a problem – and a costly one. In some cases, leaders feel pressured to take up new tools simply because they fear missing out – Cyber FOMO, if you will. The fanciest (and most expensive) of new tools may not protect against the most basic (and in many cases most relevant) issues.
Having said this, a good security stack should be comprehensive, scalable, and able to stop today’s and tomorrow’s threats. But where should organizations start with securing the basics?
Where to Start? Nailing Down the Basics
It’s critical that basic cyber hygiene isn’t lost in the constant noise about the latest new and novel attack vectors.
Business leaders should map and monitor the attack surface and ensure that it encompasses all endpoints, on-prem and otherwise, especially in the era of remote work. This includes building strong Bring Your Own Device (BYOD) policies to mitigate the risk of information stealers. In addition, vulnerabilities must be regularly patched and monitored to avoid easy access to a system.
Organizations should consider implementing cyber policies and awareness training programs that highlight personal responsibility and best practices regarding cybersecurity. These should cover the basics, like how to choose a strong password, what a phishing email looks like, and why enabling MFA is critical. By empowering employees with the knowledge to protect themselves, both personally and professionally, a strong company-wide security culture emerges.
But nailing the basics also means thinking more strategically. Cyber resilience planning, the ability to prepare for, respond to, and recover from cyber incidents, is a core part of building a strong foundation. It ensures that organizations can bounce back quickly, even if defenses are breached. Similarly, tackling technical debt, the legacy systems and outdated software that often fall through the cracks, can dramatically reduce an organization’s exposure to risk. The scale and scope of these actions will vary depending on the size and complexity of the organization, but every business can benefit from making them a priority.
Additionally, business leaders should consider consolidating tools to reduce noise. Focusing on quality over quantity makes it easier to ensure that the basics are covered when it comes to cybersecurity, leaving organizations stronger overall. Organizations should focus on scalable tools instead of chasing and collecting the latest tools for the latest threats.
The Future of Cyber Threats
The future ‘top threats’ will likely still include the basics. Why? Because it’s been that way since the beginning.
As previously mentioned, if people still get caught out by the basics (weak passwords, phishing emails), there will always be a market for attacks that exploit them. Of course, cybercriminals will find ways to speed up processes and become more sophisticated in their tactics, but the actual attack vectors used to infiltrate a system are often underpinned by basic cyber principles. By nailing the basics, security teams can focus on the more complex threats as and when they arise.