Your Cyber-Enemy May Not Be the Person You Suspect

The less-obvious risk often is the most dangerous. Protecting your company and personal assets starts with understanding real versus perceived threats.

Grow Your Business, Not Your Inbox

Stay informed and join our daily newsletter now!
Will be used in accordance with our Privacy Policy
Your Cyber-Enemy May Not Be the Person You Suspect
Image credit: Bill Hinton | Getty Images
Guest Writer
VP of IT Security of Turner; CSO of Signal Sciences
5 min read
Opinions expressed by Entrepreneur contributors are their own.

Your worst nightmare might not be launched from an Eastern European boiler room full of cybergeniuses wielding stolen NSA exploits. It could come from the desk of a teenager in middle America -- and she might cause more damage to your company than you imagined possible.

Attacks can come from anywhere, at any time. How can you know if you’re deploying the right defenses? The most important question to ask may also be the simplest: Who poses the greatest real risk to my business?

Think beyond traditional threats.

Conversations about cybersecurity tend to focus narrowly on technical attacks, such as zero-days or high-end exploit kits. But these represent only small portion of the spectrum of risk. What about the damage to reputation, intellectual property and revenue that can result from cyberbullying, doxxing, trolling and other activities? They may not fit the classic profile, but the threat they pose can be just as real. As Facebook CSO Alex Stamos points out, the line between online harassment and hacking is blurring rapidly.

Related: How Vulnerable Are You to Cybercrime?

Employees can be doxxed or harassed outside of work, on their personal email, on social-media accounts or during face-to-face situations. These interactions seek to pressure them into activities that compromise your security or expose sensitive information. Even without such coercion, employees can leak intellectual property out of spite or to win friends on the dark web and private forums. Maybe they want to embarrass a boss or coworker. Other team members might disable security tools out of frustration with a poor user experience or inadvertently undermine safeguards, not realizing they've accidentally left the the company open to risk.

IP and financial data aren’t the only assets prized by hackers. Enterprising cyberthieves also can sell and resell corporate employees’ personal information. According to Keith Collins of financial-news site Quartz, the cost of an individual’s entire digital identity as of 2015 is approximately $21.35. Are you safeguarding your human-resources databases -- and controlling their access -- as diligently as you protect other areas of the business?

Related: Don't Let a Data Debacle Like Facebook's Happen at Your Company

Don't downplay antisocial media.

Social media can do more than degrade productivity. Hackers feed on excessive posts of personal or corporate information on Twitter, Instagram, Facebook and LinkedIn. Online criminals can use unsecured private information to unlock access to a target's accounts. People who post their pets' names, first concert attended or link to several family members' accounts make it easier to answer password-recovery options ("mother's maiden name," anyone?). And vacation pictures posted on Instagram can yield convincing anecdotal details for hackers who are working on spear-fishing emails to a user's corporate network. 

Overly friendly or naive social-media fans also invite threats by accepting Facebook friend requests from people they don't know. Even the most scrupulous user can accept friend requests from “spoofing” accounts that imitate real contacts. Often, the people behind these accounts are bad actors trying to gain unauthorized access to accounts.

Additionally, fake social personas are becoming an increasingly popular mechanism to collect information on people’s personal and business relationships. Facebook took down tens of thousands of fake accounts before the German election. Advertisements leveraging social-media information also have been used in efforts to influence voters.

Related: Why Annual Social Media Policy Reviews Are Necessary

Anticipate the attacker first -- then the weapon.

Your reflexive reaction to this expanded spectrum of threats might be to try to be everywhere at once. Don’t sound the alarm just yet. In all likelihood, the actual risks you face will be more selective. Instead of being distracted by the most prevalent, sensational or novel threat in the environment, focus your efforts where they’ll do the most good: Identify and isolate the types of threats that pose the greatest practical risk to your business.

This risk profile is different for different kinds of businesses:

  • Media companies lose sleep over the possibility of stolen pre-release assets that can be held for ransom or leaked to (or by) fans.
  • A social-media network can lose its appeal if members are subjected to an organized campaign of cyberbullying or if its platform is exploited by users that mainstream consumers find repugnant. 
  • A law firm can be flagged by hacktivists when it takes on a controversial client or matter, and so can its software vendors and other solution providers.
  • Major corporations can offer ripe targets for everyone from industrial rivals to the radical fringe.

Traditional security measures remain essential for every business, of course. But as you develop your security program, ask yourself who is most likely to target your business -- and why. Will it be the stereotypical Eastern European criminal seeking financial data or an overzealous fan who can’t wait for the next episode to drop? Has your brand drawn the wrong kind of attention from activists? What about your business partners?

Next, think about the types of tools available to these actors. A cybercrime ring might use very different methods than a disgruntled former (or current) employee, smear campaign or trafficker in stolen media. Narrowing down your list of realistic suspects will help you align your countermeasures appropriately. You'll want to define and document security technologies, employee and partner education campaigns, crisis communications plans and whatever else the situation may call for.

Related: 3 Technologies That Could Win the Battle Against Cybercrime

Aspiring to employ a uniform, comprehensive protection across every imaginable type of threat is an understandable instinct. It’s also inevitably futile and counterproductive. Instead of spreading your finite resources thinly across the entire spectrum, start by identifying the greatest business risks you face Then implement security measures designed to prevent those attacks.

More from Entrepreneur

Get heaping discounts to books you love delivered straight to your inbox. We’ll feature a different book each week and share exclusive deals you won’t find anywhere else.
Jumpstart Your Business. Entrepreneur Insider is your all-access pass to the skills, experts, and network you need to get your business off the ground—or take it to the next level.
Create your business plan in half the time with twice the impact using Entrepreneur's BIZ PLANNING PLUS powered by LivePlan. Try risk free for 60 days.

Latest on Entrepreneur

Entrepreneur Media, Inc. values your privacy. In order to understand how people use our site generally, and to create more valuable experiences for you, we may collect data about your use of this site (both directly and through our partners). By continuing to use this site, you are agreeing to the use of that data. For more information on our data policies, please visit our Privacy Policy.