Indirect attacks are an increasingly prevalent and dangerous type of cyber attack. Though the name might imply that such a breach might be less significant, it's critical that businesses—and IT professionals—are aware of the potential damage.
What is an indirect attack in cyber security?
As the name suggests, direct cyber security attacks directly target data. Because many businesses have advanced security measures in place that can deflect, if not prevent, direct attacks, cyber criminals sometimes attack indirectly -- going after parts of the infrastructure that aren't subject to as much security scrutiny.
An indirect attack in cyber security cyber attack might not appear serious at first. It might be a brief system failure in disguise or a compromise in the software controlling server cooling equipment. But during indirect attacks, cyber criminals layer tactics to steal, disrupt or destroy data through intermediary sources. It’s like a stepping stone on the path to a successful cybercrime.
The business impact from an indirect attack can mainly be measured in cost. When companies budget for cyber security, they usually focus on the data and the things that directly protect it—in terms of firewalls, anti-malware and training materials for employees. When considering indirect attacks, the radius to protect should extend to include the operations infrastructure and diagnostic analysis.
What is the risk in failing to distinguish between attacks?
Failure to identify an indirect attack in cyber security could lead to long-term equipment damage, such as in the breach of the data center cooling system. You could encounter speed-to-market challenges if your intellectual property lands in the wrong hands during what you assumed was a system failure, causing security to temporarily shut off so that the system could be repaired.
Preventing the indirect attack
The best practices for increasing security measures will depend on your business or industry. Smaller organizations that don't keep sensitive data might be willing to accept the risk of an indirect attack. The ramification might not be as severe—there could be a dip in productivity or a bit of lost revenue.
Large entities that process a lot of sensitive data, such as government agencies and healthcare facilities, might want to consider extending their security measures to cover indirect targets. Doing so could help them avoid insurance claims, privacy violations, intellectual property theft or damage to their reputation. As seen in the 2021 Data Breach Investigations Report, personal data has been a point of interest for cyber attacks over medical data in the healthcare sector.
As with any other protection against a threat, implementing the infrastructure and processes to prevent an indirect attack is an investment. Businesses with inadequate security investment or without the in-house expertise to deploy these measures should look into outsourcing their defense to a managed services partner. A consultant-level firm can provide state-of-the-art knowledge and prevention tools that protect your company from the newest and most advanced cyber attack vectors.
Learn how Verizon's security and protection solutions can keep cyber threats at bay.