Cyber crime, cybersecurity and the everyday business.

Introduction

I find it really interesting that a large number of today’s managers, board members and C-level executives do not consider cyber crime their problem. When it comes to risk management, cyber crime has to be one of the biggest risk components of a business going forward. It is also the least understood, as well as the one that has the least support at this level of a business.

Recently we held a cyber security breakfast and invited 200 senior managers, CEOs and board members to attend. In the process of following up the initial invitation, I was constantly told that cyber security and cyber crime "is not my problem, it is the ICT department's problem".

Today’s business is faced with problems that have never happened in the past. This situation arises from the fact that 90% of today’s business processes use technology to do their business. If you think about it, even restaurants and building contractors use technology to create bills and invoices and to track their expenditure. In addition to that, senior management have problems understanding the technology itself.

What is cyber crime?

Let's clear the air a little. Cyber crime is any crime where the primary component is a computer of some type. Since mobile phones, tablets and laptops are all classed as computers, anything and everything that happens to your computer that rips you off in some way is cyber crime. That ranges from the blatant theft of information and money to the loss of productivity from a virus or worm. Cyber crime is rife within the business world that we all live in today, but it is never looked at as a management or whole-of-business problem.

With that explanation comes the realization that cyber crime can have a drastic and marked effect on your business, especially with regard to damaging it.

Here is a hypothetical: a business can invest millions of dollars in the research and development of a product or widget. That product's sale price will always reflect the investment. If you invest $2 million in R and D for a widget, the business will expect to get it back in eventual sales by adding the cost as a component of manufacture. What happens if your widget's blueprints are stolen and the thief now manufactures and sells the widget for 20% (the cost to manufacture plus a little profit) of what you intend to sell it at? Not only have you lost your investment dollars, but most probably you will also get a bad reputation for shoddy workmanship and not even be the first to market with your own product. In addition to that, if you intend to litigate then you have more problems.

The chance that the blueprint was stolen through cyber crime would be a good place to start. Protecting that information is critical for all businesses. To protect the information, the first thing that needs to be done is to find out what the information is and who has access to it. Once you define the critical information, you can work out what needs to be done to protect it. The risks are there; they have to be managed, and they cannot be managed by a department that is invariably understaffed, undertrained and underfunded.

What is the risk it will happen to me?

A 12-year-old with a little computer knowledge and an Internet connection can cause havoc with your business. They can download and install software that will automatically go off and find any vulnerable Internet connection. These are the most dangerous and prolific problems that are out there. The Internet is rife with them, to the extent that they have price wars and quarantines and sell the information that they glean on web sites like silkroad.com.

Because of them, any Internet connection is a target, but they are not the worst. The worst ones are the true hackers: the “black hats”, the ones who are specifically out there to steal your information and your money. So the chances that it will happen to anyone and everyone are pretty high.

As a business, how do I protect myself?

Cyber crime and cyber security are not a one-off process. It is a holistic attitude to how you protect your business. From the expensive front-facing Internet protection systems to training your staff, from business continuity to building the right culture within the business, they all have a part to play.

By investing in the next greatest, biggest and most expensive piece of firewall kit, you are not protecting your business. Yes, it is an important part of the security envelope, but it will not protect you from the senior sales person connecting to your network on an insecure wireless connection, or the DBA opening a specifically targeted malicious email because he is too lazy to use an account with less access.

We find that the human element is normally the most targeted and, because of that, training is a good solution. It is not the be-all and end-all of the cyber problem, but increased awareness combined with technology and adaptability makes a more secure environment for any business.

Humans are notorious for learning something then forgetting it. So in addition to increased awareness there is the problem of constantly reminding everyone of the dangers. This additional push can be achieved in a number of ways, such as constant reminders of the dangers; making the education a game also has bill results.

Conclusion

Cyber crime is out there, and it is only a matter of time before 100% of all businesses report that something has happened to them. From getting a virus to having a full-blown cyber attack from Anonymous, we are all targets. All of them are classed as cyber crime.

I find the best defence is paranoia and common sense. I hope that it is yours.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not-for-profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.
