Assessing the threat risk of Cyber Crime – Cybersecurity is My Problem

Introduction

The problem with cyber crime is that everyone who uses the Internet is a target. Cyber crime has no boundaries, the cyber criminals never rest and you are a target.

Cyber crime is no longer an IT problem. This phenomenon is a global issue with global business ramifications. The only way to manage the problem is from the top down. Board members, C-level executives, and managers and owners of all businesses and not-for-profit organisations have to be willing to sponsor and manage the fight against cyber crime. Everyone who is in business has a serious problem with cyber crime.

Investment in cybersecurity is a critical component of this fight against cyber crime. Right now we are on the cusp of the fight, the eve of the war, over whether we will win or lose the right to use the Internet or whether it will be consigned to the scrap heap of history.

What is the threat

The cyber criminals saw the capabilities and opportunities long before business and government saw the business possibilities in what the Internet can do. William Stirling was writing about cyber crime in Neuromancer in 1984. He was the first of many who saw the possibilities of what a cyber world would be like. Many followed, and we are seeing most of the fiction become fact.

In the 1980s we had criminals using pagers well before they became mainstream. In the 1990s we had drug lords in Mexico building complete mobile phone systems, including phone towers, for the criminal organisations. In 2008 we had terrorists use an operations centre to coordinate an attack on the Taj hotel in Mumbai. As the special forces in every theatre know, an operations centre is a force multiplier. 2 terrorists become 20; this was an exponential leap in the use of technology in their fight against their perceived enemy.

Meanwhile in cyber space, we had the launch of Android and the Android marketplace. The cyber criminals were way ahead of everyone with this one. They even created fake banking applications for people to download and use; all were malware. As stated, they have thought about ways to exploit new technology well before businesses have even heard about it.

In this world, the criminal organisations have talent scouts looking for hackers. Hackers and wannabes can post their resume on a web site and can show their bona fide cracking skills with a list of what they have done, who they have compromised and what they have stolen. These cyber criminal organisations even have price wars, discounting and guarantees. They apply mainstream business principles to the criminal organisations. They no longer need guns; they can totally destroy their enemies with the click of a mouse.

If you think about it, the new contactless cards being issued by banks have already been targeted. These cards have people thinking about RFID-aware wallets and aluminium protection for them. This is the problem with technology: once released into the wild to benefit business, it also becomes a prime target for the bad guys.

How do we counteract it

The best way to think of cyber crime is that we are playing in their pond. The cyber criminals are the biggest and ugliest Crocagator in the pond. For us to live in the pond we have to protect ourselves against that ugly beast. We have to protect ourselves from the blatant frontal attack, so we use technology (firewalls, VPN, secure wireless and encryption). But what about the sneak attack, coming from behind? Constant awareness, paranoia and common sense are your weapons of choice here.

How do we do it? The first thing to do is think like a criminal. What are they going to target? Do I store account details of clients? Do I have information about and access to finances? Do I have access to intellectual property that is crucial and critical to my business? This information is the target. This information is your intellectual property (IP). Protecting this information is critical to your business. Putting technology around this data is your first line of defence. The second is your people. Here is where awareness comes into it.

Internal policies, procedures and processes are a critical component of a business's cyber crime defence. Without these as a line of defence you are relying only on the technology: one point of failure with no backup. You have to build resilience into your business systems. Without resilience, one thing breaks and the business or organisation stops.

Planning – yes it will happen to you!

Today, a 12-year-old with computer skills and an Internet connection can become a skilled cyber criminal. These are the main problem. They are the constant noise on the Internet. A slip in your business protection is where these “script kiddies” get in, and although they may not do any damage, they tell everyone that they have got in, and the second-tier bad guys are listening to this. It may be days, weeks or even months before a real bad guy acts on it, but they will act eventually.

In the eyes of most cyber crime experts, most computer systems have been compromised in some way. In some cases there is a constant leak of information to the cyber crime organisations. These advanced persistent threats can lie dormant for months, even years, and are only activated when and if required by their master. These are targeting your system vulnerabilities.

In the meantime, your cyber security plan may have fixed the problem with patching, updates and new purchases, so you may have dodged the bullet. But you have to have some sort of plan. You do have a plan, don’t you?

Your plan should include the following:

  • Passwords – they need to be complicated, more than 8 characters long, unique and changed regularly
  • Firewalls – get the best and highest you can afford. The more you pay, the better the defence but also the better the features.
  • No admin accounts with email addresses – all administrators should have 2 logins. The first is their normal everyday-use account; it has the same access as everyone else. The second account is the administration account and is only used for system administration.
  • Application whitelisting – by whitelisting applications, malware and spyware cannot run because they do not have the authority to run. This will protect the business.
  • Patching – every application and operating system has a process of patching.   This will ensure that the computer code is up to date and all problems have been fixed as they become known.
  • Applications and operating systems – always use the best and newest ones available.
  • Social media, BYOD, cloud technology (things you have little control over) – make sure you have policies that manage these components.
  • Disaster recovery, business continuity, business resilience and going dark – always have a disaster recovery and business continuity plan and keep it updated with changes to the business environment. In addition, TEST IT.
  • Auditing and reporting – in most cases you need to have some capability to look at what is going on within your business.  This is done with some level of auditing and reporting.

Conclusion

This doom and gloom is only here to increase your business awareness. Most businesses do the proverbial ostrich and bury their heads in the sand. The constant call of “it will not happen to me” or “we are too small to be a target” is sounding very hollow in today’s cyber crime environment. Yes, it will happen to you, and no one is too small to be a target. If you are on the Internet, using it in any way, then your only protection is awareness, paranoia, common sense and just plain good luck.

The more aware you are of the dangers the more you will be willing to protect yourself.   You cannot be paranoid when the truth is that everyone is after you.   Common sense is something that we all have but only a few of us actually use it when it comes to cyber space.   If we all say “cybersecurity is my problem” then we can all look forward to a more secure Internet.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.
