6. The main sources of cyber attacks
Once again the validity of the Pareto law is confirmed: effectively addressing the main threats drastically reduces the risks for the Company.

The attack methods used by cybercriminals are numerous and keep increasing; one of the Fractional CISO's duties is to stay up to date on cyber threats and on the most effective methods to counter them.


However, it is important to know that all statistics agree that over 95% of successful attacks are attributable to:


a. social engineering

b. logins with stolen credentials

c. systems exposed on the internet with outdated software


The available controls are of different kinds and complement each other.


Administrative controls - (threats a. and b.)

1. Continuous training of all staff, without exception, on security awareness of IT risk, tailored to the different company roles, with the aim of raising attention in particular on:

- a. Correct use of company tools and software

- b. Use of login credentials

- c. Use of e-mail (phishing)

- d. Sharing of information inside and outside the company

- e. Common forms of Social Engineering

- f. Periodic tests and measurement of results


2. Regulations for the acceptable use of company tools

3. Procedure for handling suspicious emails

4. Password management procedure

5. User life cycle management procedure (provisioning / deprovisioning)


Technical / Logical Controls - (threats a. and b.)

1. Endpoint Protection System (anti-malware / EDR / web browser isolation)

2. Two-factor authentication

3. Security configurations of the e-mail service

4. Phishing awareness management and control system


For the third threat (c.), instead:


Administrative controls

1. Regulations and procedures for vulnerability management and software updates


Technical / Logical Controls

1. Periodic vulnerability tests of exposed systems

2. Periodic penetration tests

3. Controlled updating of software with known vulnerabilities