The basic answer, unsurprisingly, is anything that can be used.
All information has a value to someone, and industrial espionage is a great motivator for the wily cyber criminal. Commercial information, intellectual property, customer lists, details of negotiations, business and commercial strategy, financially sensitive information… Criminals can sell all this information to your competitors, often for a cut of the profits they will make at your expense. And if your competitors won’t cooperate, the criminals can hold them to ransom or just steal from them as well.
The example of Barclays Bank’s data breach earlier this month is just the latest in a series of high-profile attacks.
Imagine if you’d been working for months on a large deal only to lose all the details of your bid to your competitor at the last minute. Think what would happen if you were in the midst of developing a new product, and its details were sold to another company which then rushed out a cheaper version ahead of you. Such cases are not as rare as you may think.
What happens after vulnerabilities have been exploited?
In a successful phishing attack, a criminal sends speculative emails purporting to be from someone else and persuades someone within an organisation to download malware, often just by clicking a link or opening an attachment. That malware then enables the criminal to take control of a system.
All systems are riddled with vulnerabilities, too. Coding is never perfect, and there will always be exploitable areas which a hacker can take advantage of. IT Governance’s Penetration Testing service compiles statistics on the vulnerabilities discovered during routine testing. On average, over the last six tests carried out, we have found:
- 19 high-level threats (i.e. ones which a hacker could exploit to gain control of the system or application);
- 26 medium-level threats (i.e. ones which a hacker could exploit to gain access to data); and
- 34 low-level threats (i.e. ones which a hacker could exploit to gain information about the system which could be used to facilitate further access).
As well as stealing information, the criminal can follow a different route: it’s not uncommon for criminals to gain control of a website and take it offline until a ransom is paid. The majority of organisations are entirely unprepared to deal with this sort of low-level blackmail and often find the easiest response is to pay up, and then implement a rigorous series of security updates.
What the criminal can do with your personal information
More broadly usable data assets have an obvious value too: banking and credit card details, payment information, and personally identifiable information can all be used by criminals for various nefarious ends. Apart from selling it on, cyber criminals have other uses for your information. We all know of someone who has had their debit card cloned or found that their credit card has been used to pay for something they haven’t bought. The more information a criminal has, however, the more they can do with it. Identity theft is a serious problem: if someone commits fraud in your name it can take years for you to recover your reputation and repair your credit rating, and often all it takes is an opportunistic attack on your email account for the criminal to get all the information they need.
Cyber Health Check
Assess the state of your vulnerability to attack with IT Governance’s Cyber Health Check, a two-day service that combines on-site consultancy with remote vulnerability assessments to assess your cyber risk exposure. The four-step approach will identify your actual cyber risks, audit the effectiveness of your responses to those risks, analyse your real risk exposure and then create a prioritised action plan for managing those risks in line with your business objectives.