When it comes to cybercrime risk and hacking, many Board members and their advisors find it difficult to relate to. Often the subject appears complex, and probably not relevant to their company; this, coupled with little-known regulatory, compliance and legal issues and a poor understanding of how criminals have turned to computer-based crime, means the topic remains undiscussed.
The situation has not been helped by hyped marketing and misleading promises from security product vendors. I often hear ‘I have anti-virus, firewalls, and we have moved a lot to the cloud, so we are as secure as we can be, besides, we have nothing to fear, we do not have anything anyone would want to steal’. Sound familiar?
The ‘Cyber Security’ Industry does not help by the language it speaks, full of jargon, techno babble and terms which frankly leave most Board members and advisors scratching their heads!
What I am hoping to start with this blog is to help Board members and advisors understand the situation better, and therefore be able to at least have a quick discussion and come to a good decision on whether the topic is relevant to their organisation or not.
Firstly, change the term Cyber Crime to a term that a Board understands - risk assessment of crime and its impact on a business. Cyber crime is simply that, a crime; it is only different in that it involves computer systems. So what are those crimes in layman’s terms? Simple: either theft, extortion or vandalism.
We all make judgements on business and personal risks every day and decide to either do nothing or do something to avoid them.
Criminals, terrorists, activists and mischief makers love the crimes they can commit using computers: they are very lucrative, relatively easy to carry out, and help them avoid being caught. You do not have to live in the same country or even know who your potential victims are. If you wish, you can pinpoint a victim on the other side of the planet and carry out your crime or act of vandalism without leaving the comfort of an armchair, or even a deck chair.
You must look beyond your own organisation; we are often a link in a chain which connects many businesses together, and what impacts on us may impact on others, and vice-versa. You must also consider the trust element; we often undervalue trust, how trust is given to us, how we implicitly trust others, and how dramatically a breakdown of trust can affect a business.
Vandalism to our computer systems can occur in many ways, and can be totally random or a very deliberate action. It manifests itself in the following ways. Let’s look at websites first.
Website defaced. This is where your wonderful looking website is either:
- Replaced with derogatory content and messages
- Taken totally offline
- Malicious software implanted spreading viruses to anyone who visits the site, your staff, your customers, your suppliers or even those looking to do business with you.
- Or it could be flooded with activity, bringing your website to a halt - a DDoS attack
As with any crime, we have to look at motives:
- Financial reward, either directly by holding you to ransom and demanding money to restore things back to normal. The usual currency is Bitcoin, making it very hard to find the perpetrator
- Activism, the perpetrator has an axe to grind, they want to smear your reputation
- Driving your visitors to another site: you have great rankings and a high visitor count, providing a great place to piggyback onto.
- You have so many visitors that you make an ideal place to distribute the latest virus.
- Making a name in the criminal world: there are many advantages to someone who wants to make a name for themselves if they can show the vandals they are a perfect partner to carry out such acts
- A botched job. This is where a criminal was trying to do something on your systems, such as see if there is any data to steal, but made a mistake and crashed or damaged your system. IT staff often miss this; they either reboot or rebuild and put it down to one of those ‘glitches’.
Who would do such a thing?
You will have either been targeted, or subjected to a purely random act. Targeted attacks are the easiest to assess the risk of. If reputation is important, then as a business you will already be dealing with this, so you will be able to quantify it. If you rely on systems to be up and working all the time, then you will also understand the risk. However, if you have a high volume of visitors, then it is likely that you have not considered being used to distribute viruses or being piggybacked.
Random attacks are hard to assess, but they are on a rapid increase; criminals use machines to randomly find and attack systems, and all they need to do once they find one is work out who to send the ransom note to, and for how much.
The next step is to ask the business questions, always looking for the worst case scenario, the impact and the likelihood of it happening. Once you have, you can make a sensible decision on whether or not to do anything. The chance of a random attack is very hard to work out, so the best approach is to work on the impact of one happening.
If any of the above attacks occurred, what impact will it have on:
- Financial, income and profits?
- Reputation with customers, suppliers, partners, and even investors? It could be a radical terror group, and your name could be all over the press.
- Disruption, would it take up time, money and people to sort the problem out?
Also, would your organisation be able to answer the following?
- Have we anything in place to prevent this happening?
- Has this happened to us? If so do we know about it?
- If it happened, how would we be made aware of the problem, and how quickly could we react?
- Has anyone actually checked to see that we are doing our best to avoid this happening? If so, how often do we check everything is in order?
- Do we really believe our web designer or web company are security experts? Criminals love websites; they are often weak, and so easily exploited.
- If we did suffer from an act of vandalism on our websites, how have we prepared and provisioned for it?
- How aware are our staff, partners, and other stakeholders of our stance and risk assessment? Is it important to involve them?
- If we have measures in place, are they good enough, can we do it for less money?
- Can we turn this into a commercial advantage by proving we are better to do business with than our competitors?
- Will it win new business by showing we are trustworthy, and not going to cause problems and disruption to others?
I hope this beginning to the series has helped many of you start to understand how simple assessing the risk of crime using computer systems can be at Board level. We have a way to go in the upcoming blogs. You can find us on Twitter (@securitydialog), where we pass on crime trends, events and tips, and in our monthly newsletter, which has a summary of the cybercrime world and interesting articles.
You can also contact us directly, we are happy to help you formulate the questions you need to ask, or help you understand the topic better. For more information on who we are and what we do, please visit our website www.securitydialog.com