Your Cyber-Enemy May Not Be the Person You Suspect
Your worst nightmare might not be launched from an Eastern European boiler room full of cybergeniuses wielding stolen NSA exploits. It could come from the desk of a teenager in middle America -- and she might cause more damage to your company than you imagined possible.
Attacks can come from anywhere, at any time. How can you know if you’re deploying the right defenses? The most important question to ask may also be the simplest: Who poses the greatest real risk to my business?
Think beyond traditional threats.
Conversations about cybersecurity tend to focus narrowly on technical attacks, such as zero-days or high-end exploit kits. But these represent only a small portion of the spectrum of risk. What about the damage to reputation, intellectual property and revenue that can result from cyberbullying, doxxing, trolling and other activities? They may not fit the classic profile, but the threat they pose can be just as real. As Facebook CSO Alex Stamos points out, the line between online harassment and hacking is blurring rapidly.
Employees can be doxxed or harassed outside of work, on their personal email, on social-media accounts or in face-to-face situations. These interactions seek to pressure them into activities that compromise your security or expose sensitive information. Even without such coercion, employees can leak intellectual property out of spite or to win friends on the dark web and private forums. Maybe they want to embarrass a boss or coworker. Other team members might disable security tools out of frustration with a poor user experience, or inadvertently undermine safeguards without realizing they've left the company open to risk.
IP and financial data aren’t the only assets prized by hackers. Enterprising cyberthieves also can sell and resell corporate employees’ personal information. According to Keith Collins of financial-news site Quartz, the cost of an individual’s entire digital identity as of 2015 is approximately $21.35. Are you safeguarding your human-resources databases -- and controlling their access -- as diligently as you protect other areas of the business?
Don't downplay antisocial media.
Social media can do more than degrade productivity. Hackers feed on excessive posts of personal or corporate information on Twitter, Instagram, Facebook and LinkedIn. Online criminals can use unsecured private information to unlock access to a target's accounts. People who post their pets' names, the first concert they attended or links to several family members' accounts make it easier to answer password-recovery questions ("mother's maiden name," anyone?). And vacation pictures posted on Instagram can yield convincing anecdotal details for hackers who are crafting spear-phishing emails aimed at a user's corporate network.
Overly friendly or naive social-media users also invite threats by accepting Facebook friend requests from people they don't know. Even the most scrupulous user can accept friend requests from "spoofing" accounts that imitate real contacts. Often, the people behind these accounts are bad actors trying to gain unauthorized access.
Additionally, fake social personas are becoming an increasingly popular mechanism to collect information on people’s personal and business relationships. Facebook took down tens of thousands of fake accounts before the German election. Advertisements leveraging social-media information also have been used in efforts to influence voters.
Anticipate the attacker first -- then the weapon.
Your reflexive reaction to this expanded spectrum of threats might be to try to be everywhere at once. Don’t sound the alarm just yet. In all likelihood, the actual risks you face will be more selective. Instead of being distracted by the most prevalent, sensational or novel threat in the environment, focus your efforts where they’ll do the most good: Identify and isolate the types of threats that pose the greatest practical risk to your business.
This risk profile is different for different kinds of businesses:
- Media companies lose sleep over the possibility of stolen pre-release assets that can be held for ransom or leaked to (or by) fans.
- A social-media network can lose its appeal if members are subjected to an organized campaign of cyberbullying or if its platform is exploited by users that mainstream consumers find repugnant.
- A law firm can be flagged by hacktivists when it takes on a controversial client or matter, and so can its software vendors and other solution providers.
- Major corporations can offer ripe targets for everyone from industrial rivals to the radical fringe.
Traditional security measures remain essential for every business, of course. But as you develop your security program, ask yourself who is most likely to target your business -- and why. Will it be the stereotypical Eastern European criminal seeking financial data or an overzealous fan who can’t wait for the next episode to drop? Has your brand drawn the wrong kind of attention from activists? What about your business partners?
Next, think about the types of tools available to these actors. A cybercrime ring might use very different methods than a disgruntled former (or current) employee, smear campaign or trafficker in stolen media. Narrowing down your list of realistic suspects will help you align your countermeasures appropriately. You'll want to define and document security technologies, employee and partner education campaigns, crisis communications plans and whatever else the situation may call for.
Aspiring to employ uniform, comprehensive protection across every imaginable type of threat is an understandable instinct. It's also inevitably futile and counterproductive. Instead of spreading your finite resources thinly across the entire spectrum, start by identifying the greatest business risks you face. Then implement security measures designed to prevent those attacks.