Cyber Criminals: A dangerous misconception

When you hear the term cyber criminal, what is the first image you picture in your head? Is it either:

  1. An underground bunker full of high-tech equipment, armed guards and computer masterminds using huge screens with code that looks like something out of The Matrix, or;
  2. An inexperienced teenager, sat in his bedroom, with access to an online tutorial on hacking?

Most people would picture the first; however, the reality is usually the latter. The first option may have been true at some point, perhaps 10 years ago or in a Die Hard movie, but technology today allows anyone to be a cyber criminal.

Just because your organisation isn’t a multi-million-pound company with thousands of employees doesn’t mean you’re not a target for cyber criminals; in fact, you’re actually more at risk. Let me explain: imagine you’re learning how to hack and you want to practise your newly found skills. Which do you go for?

  1. Attempt to attack a large organisation in a bid to get access to their website and upload an offensive picture. Their site is most likely almost impossible to penetrate, and even if you were successful – they have the funds to find you.
  2. Attempt to attack a small organisation (whose website is most likely insecure) and upload an offensive message, which you can then show off to your friends. This organisation will never know how to find out who did the damage.

All daredevils aside, I’m sure you’d decide on option 2 and so would they. Why? Because it’s easier, and the risk is much lower. Attacks on these smaller organisations happen every day (in 2011 there were 44 million cyber attacks in the UK), and it’s important to remember that they’re not necessarily carried out by experienced criminals.

Hacking software and tutorials are available online, giving anyone the capability to hack a website, install malware on a computer, crack passwords and carry out many more malicious activities. New recruits are going to want to put their skills into action and cause as much damage as possible, whilst keeping the risk of being caught to a minimum.

This is why SMEs make the perfect target: the amount of damage a cyber criminal can create will be reasonable, whilst the risk and difficulty will be low. Attacks which create a visual change on a website may not appear damaging to an attacker, but they’d be wrong. An attacker doesn’t need access to your bank account to create financial ruin.

For instance, imagine a small e-commerce company who sell cakes online. They bring in about £2000 a day, and their website is their only source of income. After a slow day of sales, somebody decides to make sure the website is working but unfortunately, it’s not. Instead, all that’s displayed on the website is a single message: ‘we make our cakes out of dog hair’. Panic kicks in and the company have no idea what to do. Fast forward a week and the site is fixed, yippee, right? No.

That’s 7 days of no business, and as mentioned before they bring in on average £2000 a day. So there goes £14,000. Next, there is the cost of extra staff hours needed to bring the site back to life – they had no backups of their data and the attack deleted all of their data. This meant that the website had to be made again, from scratch. These extra staff hours cost £1,000. That’s £15,000 in damages, caused by a teenager with no knowledge of how he did what he just did, other than using password cracking software he found online and reading a basic HTML tutorial.

Imagine if that company spent just 2 hours every 3 months creating a new and stronger password – that would be £15,000 saved just by completing a simple routine. Using standard equipment, a 6-character lowercase password takes 3 hours to crack, whereas a 7-character password with lowercase and uppercase letters takes 3 years to crack. Not enough? An 8-character password with lowercase, uppercase and numbers/symbols takes 463 years to crack.
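The growth described above comes from the size of the search space: alphabet size raised to the password length. The sketch below is an added example, not part of the original article; the guess rate and the three sample passwords are assumptions constructed for illustration, so the absolute times are not the article's figures (the article does not state the rate behind them), only the jump between policies carries over.

```python
import string

# Assumption: offline guessing rate in guesses per second. The article does not
# state the rate behind its figures; change this to match your own threat model.
ASSUMED_GUESSES_PER_SECOND = 1_000_000

# Character classes an exhaustive search has to cover once any member is used.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}
KNOWN = set().union(*CLASSES.values())

def alphabet_size(password):
    """Sum the sizes of every class the password draws from."""
    chars = set(password)
    size = sum(len(members) for members in CLASSES.values() if chars & members)
    # Characters outside the four classes (spaces, non-ASCII) are counted one by one.
    return size + len(chars - KNOWN)

def keyspace(password):
    """Number of candidates of the same length over the same alphabet."""
    return alphabet_size(password) ** len(password)

def worst_case_seconds(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Time to try every candidate; on average a hit comes after half of this."""
    return keyspace(password) / rate

def humanise(seconds):
    for unit, length in (("years", 31_536_000), ("days", 86_400),
                         ("hours", 3_600), ("minutes", 60)):
        if seconds >= length:
            return f"{seconds / length:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def report(passwords):
    return [(pw, alphabet_size(pw), keyspace(pw), humanise(worst_case_seconds(pw)))
            for pw in passwords]

if __name__ == "__main__":
    # Constructed samples matching the three policies in the paragraph above.
    for pw, size, space, time_needed in report(["cakesx", "CakeShp", "C4ke$hop"]):
        print(f"{pw:<10} alphabet={size:<3} keyspace={space:<22,} worst case={time_needed}")
```

This models exhaustive search only; a password that appears in a wordlist or follows a common pattern falls much faster than its keyspace suggests.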

A strong password doesn’t mean that you’re immune to cyber-attacks but if that cyber-criminal is inexperienced and is using an online tutorial or automated software – chances are they’ll move on.

This misconception that cyber criminals only attack large organisations by using well-engineered tactics is incredibly dangerous. The majority of cyber criminals aren’t experienced computer geniuses; they’re inexperienced, looking to learn a ‘cool skill’ and practise it on weak targets.

The True Cost of Information Security Breaches and Cyber Crime pocket guide provides an incredible insight into information security breaches and cyber crime.