It is very tempting when creating a cyber security strategy to fall down a rabbit hole of stolen customer data, fears of reputational damage and planning your PR response should things all go horribly wrong. In doing so, our efforts become focused on pulling up the drawbridge to protect our network from the risk of a cyber incident – making sure every person and process is primed and ready to deflect the first hint of a breach. This is, up to a point, a valuable and useful exercise. However, without a proportionate amount of outward-looking behaviour, focusing solely on what’s going on within your organisation could be viewed as ‘navel gazing’.
What’s wrong with being inward looking?
By taking an ‘inside-out’ approach, we risk missing vital cyber vulnerability indicators and forget to ask ourselves the following important questions:
· What is it about our organisation that could make us attractive to a cyber criminal?
· What profile of cyber criminal might our organisation be vulnerable to?
· What data assets do we possess that a cyber criminal might want?
· If a cyber criminal got hold of our data – what would they do with it?
· What indicators do cyber criminals look for – and is our organisation displaying them?
In this article, the third in our Cyber Security Series, our aim is to help you get inside the mind of different cyber criminal profiles and start a more ‘outside-in’ conversation within your organisation.
What makes your organisation attractive? Uncovering the method
If you’ve got a passing interest in theatre and film, you’ll be familiar with method acting (and if you’ve got five minutes, you can see a list of its most famous proponents here), and we regard getting ‘under the skin’ of a cyber criminal as a valid exercise for all business leaders to undertake. After all – if you can’t imagine the scenarios under which someone might want to attack your organisation, how can you adequately defend yourself? So, if you’re ready, here are a few cyber criminal profiles for you to try on for size.
The ‘Accident Waiting to Happen’
The ‘Accident Waiting to Happen’ might not be a cyber criminal as such, but it will be a person not thinking clearly about the information that they’re sharing. For example – an organisation that announces in a case study that it’s about to upgrade to Windows 10 is also telling the known universe that there’s a whole swathe of its estate still running an old (and quite possibly out of support) operating system. Cyber criminals only need a tiny hole to get in – in this instance the case study has become the organisation’s equivalent of leaving the front door wide open.
Something to watch out for – make sure all departments are clear on what information is valuable to cyber criminals. An innocent oversight on one person’s part could become a costly mistake.
The Insider
The Insider’s motivation is to get their own back. This is typically evidenced by wilful or neglectful behaviour – from downloading and selling company data to changing their password to ‘1234’ on their last day.
The trick for you is to make sure you attribute the same value to your electronic assets as you do to the physical assets that person is going to hand in. Communication between departments here is key – if someone is exiting the business then HR may wish to advise IT in advance, so that IT can gradually withdraw privileges up to the day of departure.
Something to watch out for – some criminal organisations purposely scan social networks for job change announcements. If a former employee’s email account hasn’t been properly deleted / secured, you’ve left a hole in your network that’s just the right size for a cyber criminal to get through.
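A way to turn the staged privilege withdrawal and the ‘former employee’s account still live’ check above into a routine reconciliation, as an added example that is not part of the original article: HR’s leaver dates are compared against a directory export, with a per-group schedule of how many days before departure each privilege should go. The leaver list, directory entries, group names and schedule are all constructed sample data.

```python
"""Leaver reconciliation: flag enabled accounts past their leaving date and
group memberships whose staged removal date has already passed."""
from datetime import date, timedelta

# Constructed sample data (hypothetical users and groups, not real records).
HR_LEAVERS = {                      # username -> leaving date supplied by HR
    "asmith": date(2024, 3, 29),
    "bjones": date(2024, 5, 10),
}
DIRECTORY = [                       # simplified directory export
    {"user": "asmith", "enabled": True,  "groups": ["staff", "finance-admins"]},
    {"user": "bjones", "enabled": False, "groups": []},
    {"user": "cwhite", "enabled": True,  "groups": ["staff"]},
]
# Days before the leaving date by which each group should have been removed:
# high-privilege groups go first, basic access goes on the day of departure.
WITHDRAWAL_SCHEDULE = {"finance-admins": 14, "vpn": 7, "staff": 0}


def orphaned_accounts(directory, leavers, today):
    """Usernames still enabled after their HR leaving date."""
    return sorted(
        acct["user"] for acct in directory
        if acct["enabled"]
        and acct["user"] in leavers
        and today > leavers[acct["user"]]
    )


def overdue_privileges(directory, leavers, today, schedule):
    """(user, group) pairs whose scheduled removal date has passed."""
    overdue = []
    for acct in directory:
        leave_date = leavers.get(acct["user"])
        if leave_date is None:      # not a known leaver; nothing to withdraw
            continue
        for group in acct["groups"]:
            due = leave_date - timedelta(days=schedule.get(group, 0))
            if today > due:
                overdue.append((acct["user"], group))
    return sorted(overdue)


if __name__ == "__main__":
    run_date = date(2024, 4, 15)
    print("Orphaned:", orphaned_accounts(DIRECTORY, HR_LEAVERS, run_date))
    print("Overdue:", overdue_privileges(DIRECTORY, HR_LEAVERS, run_date,
                                         WITHDRAWAL_SCHEDULE))
```

Run it against a real directory export on a schedule and route the output to whoever owns offboarding; an empty result is the expected state.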
The Hacktivist
The Hacktivist wants to further their own cause, ideally whilst humiliating your organisation. Whilst their acts are often associated with an ideology or creating social change (although the term ‘hacktivist’ in itself is viewed as contentious), organisations that may not consider themselves a target can find themselves unwillingly on a hit list.
Pharmaceutical, defence, government and chemical industries are all common targets. If you supply to any of these industries, then you should count yourself as at risk from this threat vector.
Something to watch out for – if your network is compromised by hacktivists as a means of nothing more than ‘creating mayhem’ that’s not the end of the matter. It’s also signalling to profit-minded cyber criminals that your defences are porous, exposing you to greater risk of future attack.
The State-Sponsored Attacker
Let’s start from the position that spying on one another is nothing new. In discussions about the morality of spying on our friends and allies (and let’s be honest, who doesn’t have a little look at what their friends are up to on social media rather than giving them a call…), the following Lord Palmerston quote from 1848 is often cited: “We have no eternal allies, and we have no perpetual enemies.” Or, in other words, everyone is definitely spying on everyone else.
For commercial organisations, state-sponsored attacks could present more of a risk than you’d initially think. Imagining a nuclear power station attack is very Hollywood, but a more probable attack would be disruption to supply chains and communications networks. Whilst KFC running out of chicken was caused by a switch in delivery provider, it serves as a perfect example of what could happen if a distribution network were attacked – issues included reputational damage, loss of revenue and loss of income for workers and franchisees.
Something to watch out for – make sure you have a Plan B. If one part of your process breaks down – what’s your fall-back position? Can your business still operate if one link in the chain is broken?
The Counterfeiter
Any organisation that produces tangible goods will be invested heavily in protecting their IP and trade secrets. Counterfeiting is prolific across all industries, including some that might make you think twice before you visit the dentist – the MHRA seized more than 1,900 counterfeit and non-compliant dental devices in one year alone.
The critical point for organisations to recognise is that whether it’s a customer list, patent applications, or investment records – if it’s something of value to your business, then a cyber criminal will find a way to monetise it.
The Organised Crime Network
In a word – prolific. If you thought that your organisation was agile or nimble, it’s likely that it won’t be as agile or nimble as an organised crime network. What may surprise you is that they will be using tactics that are, at their base level, not too dissimilar to those operated by many businesses. Indiscriminate emails that we might mark as ‘spam’ are the equivalent of their mass-mailer – a phishing email sent to a million consumers with a hit rate of 1% is well worth the short amount of time it takes to create and send. They’re also increasingly into customer service – in an example of what’s termed the ‘professionalisation of cyber crime’, an entire town in Massachusetts was given FAQs and access to a helpdesk by the cyber criminals who were holding them to ransom, to make payments easier.
Something to watch out for – don’t take it personally. Organised cyber crime syndicates will exploit your network vulnerabilities for the same reason that George Mallory famously said he wanted to climb Mount Everest – “Because it’s there.”
Taking a balanced view
In considering the distinct types of threats and the people behind them, it’s possible to take a more balanced view on how to construct your cyber security strategy. In a future post we’ll be looking at how you can use this kind of information to calculate an acceptable level of risk, but in the meantime, if you’d like to pick our collective brains on any of the points raised in this article, please comment below and we’ll get in touch, or contact our Security Solutions Architect, Iain Marsh, at email@example.com.
‘Cyber Security – Stop Navel Gazing’ is the third in a series of articles designed to encourage debate and action in organisations who want to take a positive approach to cyber security. Our recommendations are based on the experiences of our customers, the knowledge of our cyber security team and analyst insights. To discuss any aspect of this article, please comment below and we’ll get in touch, or contact our Security Solutions Architect, Iain Marsh, at firstname.lastname@example.org.