When it comes to cybercrime, protecting 100 clients should be no different from protecting 1,000,000

Most of the cybercrime and cyber events in the news involve large multinational organisations and government departments. Newsworthy events are in fact always newsworthy.

These are the organisations we hope and believe are focused on protecting the information that we unwittingly give them through our interactions with them.

An attack on them makes for great copy. But the overall problem with cybercrime and cyber events is not the big fish. The big fish are known to have millions of records that should be protected from a cyber attack. Failing to protect them results in spectacular thefts and large-scale reputation failures. Newsworthy events!

The biggest problem is not the theft of 1,000,000 records or more, although this will be pretty damaging in itself. The real big problem is the theft of 100 or 1,000 records.

Large organisations have the expertise, the finances and the understanding that they have to protect their clients' information in the best way possible. SMEs do not!

Large organisations have the technical skills not only to protect the information but also to forensically dissect an attack and find out what happened, how the attackers got in, where they went and what they had access to. SMEs do not!

Large organisations have the ability to test their environments through penetration tests and vulnerability scanning, as well as the understanding that education is really important when it comes to a cyber event. SMEs do not!

How many SMEs have gone out of business after a cyber event is unknown. Some statistics are available, but not many of them focus on whether it was poor management and cash flow or a cyber event that damaged the business to the point where it was unrecoverable.

Did it put them out of business?

One of the things I discovered a couple of years ago is the way the cyber criminal works.

There are 3 types of cyber criminal: 5% are hackers (criminal group or nation state), 10% are hacktivists (nation states and concerned citizens?) and about 85% are what we call script kiddies.

The script kiddies are the 12 to 30 year olds who are interested in how things work, what they can do and how much damage they can do. They are what I like to call the EGO warriors.

There is a large correlation between the script kiddies and the true hackers, one that is not really known, but every now and then becomes visible.

The internet is a great resource. It is a great resource for us but it is an even greater resource for the budding cyber criminal. The internet can put the budding script kiddie in contact with the true hacker. That contact can be very problematic for SMEs.

For example, I am a hacker, and I develop an automated system for checking vulnerabilities of connected devices on the internet. I do not want to run, or be seen running, that automated system, so I ask a couple of thousand script kiddies to do it for me.

I now have an army of automated systems, run by my ego warriors, that are testing the internet, the whole internet, for those vulnerabilities. My automated system feeds back to the ego warriors with information about vulnerable systems (SMEs) and puts that information into a file that they can use to attack those systems.

There are even legitimate cyber protection businesses using this strategy.

But that information is also sent back to me when the automated system is run. I can now pick and choose an attack vector as well as pick my targets.

For instance, there are ongoing vulnerabilities in Microsoft Remote Desktop Protocol (RDP), a system that is used a lot by SMEs. A large multinational organisation will use virtual private network (VPN) access; an SME will not. They will expose that protocol port to the internet to make their lives easier, not realising that they are susceptible to an attack.
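A defensive check for the exposure described above, as an added example that is not part of the original article: it audits a firewall rule list for allow rules that let sources outside a VPN address pool reach the default RDP port 3389. The rule schema, rule names and the 10.8.0.0/24 VPN pool are constructed for illustration.

```python
import ipaddress

RDP_PORT = 3389  # default RDP listening port (TCP and UDP)

def _covers_port(spec, port):
    """True if a port spec such as 'any', '3389', '443,3389' or '3000-4000' includes port."""
    spec = spec.strip().lower()
    if spec in ("any", "*"):
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _source_net(spec):
    """Parse a source field; 'any' means the whole IPv4 internet."""
    if spec.strip().lower() in ("any", "*"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec.strip(), strict=False)

def rdp_exposures(rules, trusted_nets):
    """Return names of inbound allow rules that let untrusted sources reach RDP."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["protocol"] not in ("tcp", "udp", "any"):
            continue
        if not _covers_port(rule["ports"], RDP_PORT):
            continue
        src = _source_net(rule["source"])
        # Safe only if the whole source range sits inside a trusted network.
        if not any(src.version == t.version and src.subnet_of(t) for t in trusted):
            findings.append(rule["name"])
    return findings

# Constructed sample rule set (hypothetical schema, not a real firewall export).
SAMPLE_RULES = [
    {"name": "web", "action": "allow", "protocol": "tcp", "ports": "80,443", "source": "any"},
    {"name": "rdp-from-anywhere", "action": "allow", "protocol": "tcp", "ports": "3389", "source": "any"},
    {"name": "rdp-via-vpn", "action": "allow", "protocol": "tcp", "ports": "3389", "source": "10.8.0.0/24"},
    {"name": "wide-range", "action": "allow", "protocol": "tcp", "ports": "3000-4000", "source": "203.0.113.0/24"},
    {"name": "rdp-blocked", "action": "deny", "protocol": "tcp", "ports": "3389", "source": "any"},
]
VPN_POOL = ["10.8.0.0/24"]  # assumed VPN client address pool

if __name__ == "__main__":
    print(rdp_exposures(SAMPLE_RULES, VPN_POOL))
```

The check looks at each rule in isolation and does not model rule ordering, so a flagged rule still needs to be read against the deny rules around it.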

What are my targets? After a little research: SMEs with access to trusts, intellectual property, large amounts of cash or the new one, critical infrastructure.

These targets have reduced business intelligence, lack complex systems and lack digital expertise but, more importantly, have a blasé attitude to security.

You know the attitude well – it will not happen to me, we have nothing worth stealing or she’ll be right.

Will an SME survive having its trust fund drained – probably not!

Will an SME survive having all of its research and development stolen – probably not!

Will an SME survive the reputation hit of having its customer database stolen – probably not!

Will an SME survive the compromise of its website / eCommerce site – maybe but probably not!

Will an SME survive a cryptovirus attack – again maybe, but probably not!

Protecting our digital assets is no longer a multinational organisation's problem. It is everyone's problem: everyone with a digital device has the problem and has to be part of the solution.

The solution is a change of attitude. Changing our attitude to:

  • it will happen to us so we better do something to protect ourselves,
  • we have something of value worth stealing so we better protect it as well as possible and
  • there is no such thing as she’ll be right because when it comes to a cyber event, it will happen.