The Cabinet Division has released a cybersecurity advisory highlighting how most cyberattacks in 2024 were a direct result of poor digital practices and user negligence. The advisory is based on findings from the Cisco Talos Annual Cybersecurity Attack Report for 2024, which analyzed key vulnerabilities exploited by attackers during the year. It urges both public and private sector organizations to implement strict cybersecurity practices to prevent unauthorized access and protect digital infrastructure.
According to the advisory, a significant number of breaches in 2024 were enabled by the lack of multi-factor authentication (MFA), use of insecure VPNs, and reliance on weak identity management systems. Attackers frequently exploited stolen or leaked credentials, taking advantage of users who failed to adopt basic protections. The report emphasized that many incidents could have been avoided with the adoption of simple security measures such as strong passwords and proper access controls.
Users were specifically warned against using predictable credentials, including dates of birth or vehicle numbers, and were discouraged from configuring official emails on personal mobile phones or storing work-related data on personal devices. These practices, the advisory warned, exposed sensitive data to unauthorized access and created unnecessary risks for both individuals and organizations.
The Cabinet Division strongly advised encryption and password protection for all email attachments. It recommended that passwords be shared through secure, separate channels like SMS or encrypted messaging services, instead of embedding them in the same email. Two-factor authentication (2FA) was identified as a minimum requirement for all critical systems and services. Additionally, users were advised to use licensed antivirus software and install firewalls and effective anti-spam tools, rather than relying on built-in filters from free email services like Gmail or Yahoo.
Cloud-based storage platforms and document-uploading tools were also flagged as areas of concern. The advisory cautioned against uploading official documents to third-party services and warned that messaging apps such as WhatsApp or Telegram, which are hosted outside Pakistan, should not be used to share confidential material. Officials were advised to use only secure, hardened devices and avoid installing pirated software or unverified third-party applications that could introduce malicious code into government networks.
Additional warnings included avoiding the use of public Wi-Fi for sensitive tasks, as such networks are more vulnerable to credential theft and interception. Users were reminded to regularly install security patches for operating systems and applications. Organizations were urged to share sensitive data with external vendors only when absolutely necessary, and to use obfuscated formats when doing so to minimize exposure.
The advisory reflects the growing emphasis on digital responsibility and internal safeguards in Pakistan’s cybersecurity landscape. It reiterates that many of the major breaches in 2024 stemmed not from highly sophisticated attacks but from everyday oversights and a lack of adherence to basic cyber hygiene protocols.
