Cyber Crime Part 1: Think you’re too small to be a target?

In spite of overwhelming evidence to the contrary, many people still seem to think that cyber crime is something that only happens to large organisations and that general warnings of increasing cyber threats amount to nothing more than hysterical scaremongering.

They are wrong.

Cyber crime isn’t a threat that only affects other people. It isn’t even a threat that you will face in the future; it’s a threat that you face right now. We all do. If you have an online presence, you can be certain that you’re going to be the victim of an attack. Indeed, it is highly likely that you’ve been attacked already and don’t know about it. (The statistics aren’t favourable: Verizon’s 2013 Data Breach Investigations Report found that 66% of data breaches took months or more to discover, and that 69% of incidents were discovered by a third party.)

Automated attacks are indiscriminate

The reason for this is that hackers go after known coding vulnerabilities, not specific companies. If, for example, there is a known vulnerability in a specific type of shopping cart used by numerous websites, a cyber criminal can (and will) automate an attack on every instance of that shopping cart, regardless of which ecommerce sites use it. This is often much easier than attacking a single large ecommerce site, which will not be using off-the-shelf shopping cart software and whose security systems will be much more robust.

Think of it as akin to an actual mugger attacking you on the street. It’s all very well pointing out that you’ve only got fifty quid on you and that there’s a millionaire not far off whose assets would make your attacker rich beyond the dreams of avarice; any ne’er-do-well would take one look at the prosperous plutocrat in his big, secure car with his burly attendants, glance back at you as you stand there sweating with a knife under your gullet, and say, “If it’s all the same to you I’ll take the half a ton.” If he does that a few times he’s got enough to keep himself comfortable for days, and with much greater ease than if he went after the bigger target in the first place.

Hacking is easy

Top vulnerabilities are listed online on sites like OWASP, SANS and the CWE for the benefit of security professionals, and are therefore available to hackers too. Online tutorials exist which can walk a criminal through the entire process of hacking, and there are even malware toolkits available online to do all the difficult stuff for them: there is no need for any coding knowledge whatsoever.

Whatever the size or sector of your organisation, you are vulnerable in some way or another. Even household appliances are increasingly becoming hacking targets: as more and more goods are equipped with chips to enable Internet connectivity (the so-called ‘Internet of Things’), so the number of potential targets for cyber criminals is increasing.

Cyber Health Check

Assess the state of your vulnerability to attack with IT Governance’s Cyber Health Check, a two-day service that combines on-site consultancy with remote vulnerability assessments to assess your cyber risk exposure. The four-step approach will identify your actual cyber risks, audit the effectiveness of your responses to those risks, analyse your real risk exposure and then create a prioritised action plan for managing those risks in line with your business objectives.

Read Cyber Crime Part 2: No one controls the internet