How the Cyber Criminals decide to attack us!

One of the biggest problems that SME’s face when it comes to cyber security is that the bad guys discuss their attack methods between themselves.  This is not to say that they are all cooperating—in the criminal world, everyone is looking after number one.  But much of the time they are communicating with each other, and sharing the strategies they use to target a business. 

There have been a number of high-profile attacks on large organisations that have shown how well the attackers communicate.  The attacks on Rolls Royce and Target are just a couple of examples.  The codes and security that the criminals employ are often pretty close to military grade.  While many online attacks are random, in the case of large organisations, the bad guys are after a specific target or type of information within the organisation.

Vigilance is a critical component of all businesses and organisations.  Most business owners and managers know this, but many don’t understand how to focus their resources when it comes to protecting them from cyber incursions.  And a momentary lapse in concentration can be devastating.

To demonstrate the persistence of the cyber criminals, we just have to look at some of the attacks that have happened over the last 12 months.  Target, New York Times, The Wall Street Journal to name a few.   In most cases the attacks were coordinated, and the attackers took their time.  The bad guys were inside the organisations for months, gathering information and intelligence:  Where is the most important information, who has access to it, can we compromise the user or the system, and if so, what are we going to use to do it? This is a small sampling of the questions that they ask when designing their attacks.  In most cases, they were totally invisible prior to the removal of the information that they were targeting.

The bad guys have the time and resources to breach most systems, and they do that through communication.  The bad guys will get on a chat room and recruit the best and most devious of hackers to achieve their target.   To some hackers it’s the fame, to others the money and to others it is just the pure joy of being able to destroy someone else’s property.   They are all individual with their own reason to attack others and in most cases that is what the organisations use to attract the top end talent.  They will compartmentalise the attack, they will discuss the operation in code, and they will carry out all discussions in encrypted transmissions.  They treat all attacks like a military operation. 

Hackers recently stole $45,000,000 from Indian credit card companies and Middle Eastern banks.  Investigators determined that the thefts had been accomplished in 48 hours.  The build-up took 18 months.

So once again, we are all playing catch-up.  Criminals use the accumulated know-how of their peers to make themselves more effective; the good guys need to do the same.  By deploying good technology, using good management practices, making the organisation adaptable and using the right compliance requirements, you can protect your business.  Cyber security has to be looked at like any other insurance policy; the difference is that rather than just mitigate the consequences of an attack, you can reduce the risk you’ll be attacked in the first place.

How?  By making an attack on your organisation so difficult, time-consuming and annoying that the criminals will go elsewhere and pick an easier target.  The right cyber security framework can make this possible.  For more information, follow this link

Roger Smith, is an educator. Teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course which are considered to be the definitive guides to helping SME's protect their organisation using the principles of Technology, Management, Adaptability and Compliance.