Is Cybercrime a ‘Houston – we have a problem’ problem?

bigstock-Lifesaver-floating-in-a-binary-12120092“Houston, we have a problem.” When an Apollo 13 crew member said those words in 1970, he likely didn’t know how memorable his words would be. Commander Jim Lovell’s classic understatement is now used when a situation arises that requires courage, fortitude and level-headed thinking to overcome. The oxygen leak that nearly crippled Apollo 13 was no ordinary “problem”—it left three astronauts 200,000 miles from home, with dwindling air and power supplies and little hope of rescue.

We all know how it ended. It was thanks to ingenious action from the astronauts and scientists back home that the crew made it back to Earth.

In today’s digital world we have a problem of similar magnitude: The rampant cybercrime that makes the internet one of the planet’s most dangerous places. As with the Apollo disaster, a successful return to a cybercrime-free world sounds impossible. And unlike at NASA, clear-headed thinking is in very short supply.

Cyber criminals have put ordinary users in a perilous situation, and most of us don’t even realize it. The statement from The Usual Suspects–“The greatest trick the devil ever pulled was convincing the world he didn’t exist” –is a perfect summation of what the cyber criminals and social media moguls have done. Before you know you’re being targeted, the bad guys can take your identity, your money, your IP, your customers’ personal data, and ultimately, your business’s credibility.

In my business we often hear statements like “it will not happen to me. We are too small to be a target. We don’t have anything that they would want to steal. It is someone else’s problem.” In other words, small business owners and managers don’t know they have a problem. So what’s wrong with those four statements?

It will happen to you. With all the automated systems, malware, spyware, remote access Trojans and SPAM that abound on the Internet, you have a better chance of winning the lottery than not being targeted by at least one of these systems.

That’s not even accounting for the possibility of a targeted attack from a dedicated hacker or the loss of business information from a trusted insider. The idea that you’re somehow safe from threat is about as misguided as it can get when it comes to the digital world.

The only thing that is protecting people at the moment is that the amount of data and information these systems collect cannot be processed in real time. There is always a delay between gathering the information and the criminals using it. When the criminals embrace big data and the analytics within it, that’s when we will have major problems.

You’re not too small to be a target. You may have minimal staff and budget, but there’s no such thing as “small” information. Every business has three types of valuable data.

Personal Identification Information (PII): Whether it is about you or your clients and staff, we all collect personal data. Financial Information: anything to do with money, access to bank accounts, and credit card numbers of both you and your clients. Intellectual Property (IP): what you do, how you do it and what you have developed that gives you an edge over your competition.

If that information is in a digital form, you are no longer a “small” target. You are just a target!

You do have stuff they want to steal. Just because you’re not Microsoft or Boeing doesn’t mean they’re not interested. To do business you have to create revenue and, hopefully, profit. How you do that, who you do it with, and how much you charge is all valuable information that the automated systems and cyber criminals would love to get their hands on.

It’s not someone else’s problem. Most organisations play the blame game. “It is not my area in the business, it is X’s problem”—whether X is the accounts department, legal, IT, data entry, management, or some guy whose niece taught him computers. The buck has to stop somewhere, and it shouldn’t be only the top level in the cross hairs.

Starting from the top, management, board and C level executives have to understand that cybercrime is a risk to the business, and that risk HAS to be mitigated for the business to survive. Mitigating the risk means increased awareness, using the right technology, creating resilience within the organisation, and complying with all of the required regulations on data protection.

It’s not some other department’s issue—it’s every department’s issue. For the ICT area it is a technical and awareness issue. Get the right technology and increase the awareness of your users, and you are slashing the risk of a cybercrime happening. At this level it is also about policy and procedures, patching, reporting and training. Your business needs training aimed at both the ICT department—best practices for technology—and other users.

Responding to the problem does not stop there. It is the responsibility of every person in the business to protect themselves. This protection comes from complex and unique passwords, being aware of social media, understanding that common sense is your best protection, and always being PARANOID. Employees should protect themselves at home, too—malware picked up at home can easily infect an entire company. The flow-on effect of protecting home computers gives the business an added level of protection.

When a big problem is looming, there’s no room for complacent or reactive people. So until we all realise that it will happen to us, we are not too small to be a target, they do want to steal whatever they can from us, and it is our job to protect ourselves, we will continue to have a problem—and it will only get worse.


Roger Smith, is an educator. Teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course which are considered to be the definitive guides to helping SME's protect their organisation using the principles of Technology, Management, Adaptability and Compliance.