It’s a familiar enough trope. Your mate turns up with a black eye. He will tell you that a group of heavies attacked him rather than admit a 9 stone teenager laid him out. The theme is that you must exaggerate your adversary’s capabilities if they’ve clearly defeated you. The alternative is to confess to your own weakness. Today, people tell the press that their systems were the victim of a sophisticated cyber-attack. Sophisticated cyber-attacks certainly do happen, so this may be true.
A less sophisticated cyber attack
Some of the time, however, breaches occur because a miscreant asked a poorly trained user for their credentials via email. The user happily surrendered their access thinking they were logging into an approved service. Or they clicked on a link or opened an attachment. Enter a cybercriminal whose skillset is limited to operating tools written by others. They found that the user’s permissions were sufficient to allow them to gain complete administrative access over the company’s systems. All this without tripping up whatever monitoring may have been in place. That too will, likely as not, be reported as a sophisticated cyber-attack. By contrast, how often do you hear the more honest “we did the bare minimum on cyber security so we could focus on growth, our core business or bonuses”?
Third party
Also, unless you’re Apple or another company that builds all your own hardware and writes all your own software, you will have bought some of that from someone else. Let’s call them a third party. We can pile as much blame on them as possible. Left sensitive info in a public S3 bucket; that’s an attack on a 3rd party file storage system. User opened a malicious PDF; that’s a sophisticated cyber attack that exploited flaws in 3rd party software. Note the missing buzzword “zero day”, which tells the alert reader that if you’d simply patched to the latest version of Adobe Reader then the attack would have been prevented.
Customer data
Finally, don’t forget to reassure your reader that you have no evidence that the intruder accessed any customer data or PII. Best not to mention that you switched off all your logs rather than deal with the GDPR nightmare of securing them properly. Certainly, no need to elaborate that if every user account, email address, telephone number and MD5 password hash walked out the door in one massive file labelled DataExfiltration.rar then the first you’d know about it would be when a customer asks why they found their details on HaveIBeenPwned.com.