9 key cyber threats to CIS business: from phishing to attacks on industry

We analyze the cyber threats CIS companies face in 2024–2025: from phishing and DDoS attacks to account compromise and attacks on OT systems.

Based on current statistics and incidents, practical recommendations are given for protecting business, including patching vulnerabilities, network segmentation, contractor control, and implementing multi-factor authentication.

This material is intended for IT directors, executives, and cybersecurity specialists seeking to reduce operational and reputational risks.

Every three minutes, a hacker can breach your company's security system.

In 2023–2024, CIS companies lost 1 trillion rubles due to cyberattacks.

Almost every business day brings a new incident. The result: downtime, direct and indirect losses, loss of trust and reputation.

Roskomnadzor recorded 259 new database leaks — hundreds of millions of records.

In CIS, over 750 attacks on financial institutions were recorded.

More than 31,000 attacks were carried out against CIS customers.

CIS leads in the volume of leaked data: 200.5 million rows of users' personal information.

The average global cost of a data breach for a company is $5 million.

39.2% of attacks begin with the exploitation of public vulnerabilities.

The share of incidents involving compromised accounts grew from 20.3% in 2023 to 31.4% in 2024. 37% of successful attacks begin with the compromise of logins and passwords. 38% of incidents fall on industrial and fuel and energy enterprises, 15% on the public sector, 13% on finance, and 11% on transport / logistics.

The motivation of 35% of attacking groups is espionage.

The number of phishing sites grew 2.3 times over the year. Let's look at how hackers exploit vulnerabilities and how to protect yourself.

When compromised, an attacker logs into corporate systems — email, CRM, accounting, or cloud services — posing as an employee or partner.

It looks legitimate — and that is the most dangerous part.

Processes break, data leaks, work grinds to a halt.

How this hits the business: loss of confidential data — trade secrets, customer databases; financial fraud in employees' names — scams, money transfers; broken partner trust and regulatory penalties; hard to detect — "legitimate" access looks like normal employee activity.

Make multi-factor authentication the standard.

Add a second login factor — SMS, app, or hardware key — for all critical systems.

Manage the account lifecycle.

Revoke access immediately for departed and temporary staff, and limit contractors' permissions.

Enforce the principle of least access like budget discipline.

Set up monitoring: if an employee logs in at night from another country, the system must flag and respond to it.

Train your staff. Explain what phishing looks like and why passwords and tokens must never be forwarded.

Run simulated attack drills once a quarter and assess readiness.

Segment access and automate the granting of permissions.

Use privilege management systems so employees get access on request and only for the duration of the task.

This minimizes damage even if a single account is compromised.

Manage access like finances: set rules, enforce compliance, review reports.

This reduces the likelihood of an incident, increases the trust of clients and partners, and strengthens market positions.

Social engineering is any manipulation of people to gain access, data, or money.

In phishing, an attacker mimics trusted channels so that a person voluntarily reveals their passwords, payment details, or downloads a malicious file.

Commonly used tactics: an email asking to urgently pay an invoice or confirm access; a fake government services or marketplace site where employees enter their logins; a call from a "manager" or "counterparty" using a spoofed voice; phishing for documents, QR codes and tokens on social media.

Why this threatens business: the number of phishing resources and mailings grew by 30-70% in 2024.

These are not isolated cases but a widespread practice.

Social engineering is the cheapest attack method: the attacker doesn't need to break systems, they get an employee to "open the door" themselves.

One in two companies faced phishing attempts over the past year. In 60% of cases a successful attack leads to a data breach or direct financial loss.

Filter emails, verify domains, and hunt for fake websites.

Train employees to recognize traps.

Work on this systematically: show real examples and run phishing simulations with reports for management.

Set up multi-factor authentication.

Even if a password is exposed, a second factor stops the attack.

Employees must not have access or the ability to make payments without verification.

Dual approval and limits are a simple way to reduce the risk of financial loss.

Prepare instructions: where to report suspicious emails and how to block compromised accounts.

A zero-day is a vulnerability that the software developer does not yet know about or has not had time to fix. "Zero days" means the business has no time to prepare.

A targeted exploit is a tool written for a specific organization or system to break into that exact target rather than attacking broadly.

Why this is critical for business: zero-days are rarely used, but their result is intrusion without any warning.

Vulnerabilities like these were behind the highest-profile cyber-espionage cases and attacks on critical assets. In 2024–2025, researchers found that 31% of high- and critical-severity vulnerabilities were of this type.

Consequences of targeted exploits range from theft of trade secrets to data tampering or knocking out IT services.

The fewer unnecessary services and legacy systems exposed externally, the harder it is to exploit new vulnerabilities.

Deploy layered defenses. A zero-day can't be prevented with a patch, but its impact can be contained.

Segment networks, limit user permissions, and monitor anomalies to turn a "direct breach" into a contained incident.

Use threat intel and Bug Bounty programs.

Subscribe to current reports and join vulnerability hunting programs to learn about issues sooner.

It is an investment in early warning.

Monitor program behavior. Systems that track application behavior detect suspicious activity even when the vulnerability is unknown.

Develop response playbooks.

A ready response plan for a new threat — isolate the segment, revoke access, notify the vendor — cuts both time and damage.

Choose reliable providers and lock requirements into contracts.

Include clauses on information security, transparency, and incident notification in your SLAs.

Use VPN, TLS, and end-to-end encryption for all critical communications.

Then, even if the channel is intercepted, the data stays inaccessible.

Critical processes must not depend on a single route.

Separate production and office traffic, and keep a backup communication channel.

Verify the integrity of updates.

Use digital signatures, hash verification, and trusted update sources.

Watch for anomalies in network traffic.

Deploy systems that notice unexpected route changes, DNS spoofing, or "extra" packets.

Run expert-led corporate training.

Trained employees can spot suspicious certificates or unusual warnings, which helps detect an attack earlier.

Manufacturers have operational technology (OT) alongside regular IT systems: control lines, industrial control systems, SCADA, sensors, controllers.

In industrial cyber espionage, attackers secretly gain access to these systems to steal technology secrets, plans, and production process parameters.

OT attacks go a step further: not just data theft, but interference with equipment, up to shutdown or sabotage.

Why this is a serious risk: in 2024, on 7.5-7.8% of industrial computers in

Malicious activity was recorded in CIS every quarter.

This is one of the highest rates in the world. In the fourth quarter of 2024, 107 cybersecurity incidents in industry were publicly confirmed.

Business consequences range from leaks of know-how and trade secrets to direct equipment downtime and regulatory fines.

Separate production and office networks: distinct domains, one-way gateways.

Account for and control every device.

Compile a full inventory of every controller, sensor, and piece of software on the production network, including firmware versions.

Manage updates and vulnerabilities.

You can't just "apply a patch" to OT, but you can schedule update windows, use virtual patches, and isolation.

Deploy systems that understand how the operational network should behave and detect deviations.

Control your contractors and supply chains.

Many attacks start through contractor engineers.

Review their access rights, train them on security rules, and include this in contracts.

Write playbooks: what to do when interference with the production process is suspected.

Once an attacker gains initial access — through phishing or a vulnerability — they try to avoid installing obvious malware and instead use your own built-in tools: Windows system utilities, PowerShell, and native administration services.

This way the attack looks like the routine work of an employee or administrator.

Why this is a serious risk: according to Kaspersky Incident Response investigations, Mimikatz was used to harvest passwords in 21.8% of incidents, and PsExec for remote execution in 20%.

These are built-in or open-source utilities, not "hacker software."

Once access is established, the attacker moves quietly across the network, escalates privileges, and prepares the main attack unnoticed by standard antivirus.

Such intrusions are hard for businesses to detect, while leaks and sabotage preparation can run for weeks.

Clearly restrict who actually needs administrative tools and on which servers.

Separate the administrator account from regular ones.

Use a dedicated management server for critical operations.

Implement monitoring of administrator actions.

Privileged Access Management (PAM) systems log every action and block suspicious commands.

This reduces the risk of abuse and attacks.

Monitoring systems detect not only viruses but also abnormal use of legitimate utilities.

Run regular drills and checks. Test how your team responds to "stealth" attacks — for example, the sudden launch of an unusual PowerShell script.

In a DDoS attack, attackers send a massive volume of requests to your website or service in a coordinated way.

The service can't cope and stops responding to customers or partners.

Why this is a serious risk: it is not a data breach but the paralysis of a business — your website, online banking, CRM, or call center become unavailable at peak load: promotions, sales, reporting periods. In 2024, CIS companies faced 508,000 DDoS attacks — nearly double the 2023 figure.

Peak capacities of up to 1.2 Tbit/s were recorded. DDoS traffic grew 53%, to 1.56 million requests per second, and attack duration reached 49 hours.

Companies suffer direct and indirect damage: lost revenue and reputation, plus fines for SLA breaches.

Make DDoS protection part of your core infrastructure.

Contract an anti-DDoS provider or choose a cloud-based filtering service.

Plan and test response scenarios. Security and IT must have clear steps: how to switch to a backup channel, whom to notify, and how to inform customers.

Run monitoring and early warning. Systems that track traffic let you spot an anomaly in advance and enable filtering before the service goes down.

Distribute loads and replicate services.

Use a CDN, backup sites, and load balancers so the service doesn't depend on a single channel.

This lessens the impact even during a powerful attack.

Transparent communication during an incident helps preserve trust and avoid panic.

Treat security not as a set of separate "boxes" but as a process of managing supply-chain risk.

Add cybersecurity requirements to contractor agreements, audit their access, and segment partner connections.

Integrate technical and organizational measures.

A single tool will not stop a hybrid attack.

Use a combined stack: antivirus + EDR + training + MFA + segmentation.

Continuously gather threat intelligence. Threat Intelligence reveals real attack patterns in your industry, so you can defend yourself in advance.

Run drills on "hybrid" scenarios: phishing, a contractor leak, and DDoS all at once.

This rehearses coordination between departments.

Cyber threats are a full-blown operational and strategic risk for business.

Systematic IT security helps reduce it: asset inventory; vulnerability prioritization; multi-factor authentication; network segmentation; contractor oversight; staff training; ready-made response playbooks.

Cybersecurity is an investment in resilience, customer trust, and competitive advantage.