Back in a hedonistic time before we were all confined to our homes, CSS Platinum enjoyed a lively panel session at an international industry event in Cortina d’Ampezzo in February, when an Italian business owner approached us with an interesting question:
“Are cybercriminals really targeting us? Could they actually do all the things you just described? The thing is I am just not hearing about these attacks occurring.”
A fair question, to which our team at CSS Platinum enquired:
“If your business had suffered a cyber-attack, who would you have told?”
“As few people as possible,” he responded instantly.
Herein lie the reality and the problem. In the competitive business environment, where purchase decisions are made on relationships and trust, cyber-attacks are not reported for fear of the damage they will do to a company’s reputation. The difficulty is that because attacks are not being actively reported, those businesses yet to experience the embarrassment, pain, distress, worry and damage of a cyber-attack do not perceive it as a problem.
Right now, businesses are being actively targeted by opportunists and highly sophisticated criminal networks across the globe. Businesses can be the subject of “target packs” compiled on them by numerous international criminal groups.
These are not tin-pot criminal opportunists; these are well-financed, highly organised criminal businesses with business plans, budgets and resources available.
The five personas of Cybersecurity:
- Those that appreciate the risks and proactively do something about it.
- Those that have been hacked, never want to experience the pain again and do something about it.
- Those that may appreciate the risk but consider cybersecurity “techy”, complicated and easier to ignore than try to understand.
- Those that may appreciate the risk, but do not like the thought of a cyber company crawling unfettered across their devices and networks, so they ignore the issue. N.B.: this is not how cyber companies work, by the way.
- Those that have no idea that they are vulnerable.
Unfortunately, cybersecurity is here to stay and is no longer something to be ignored. Technology and artificial intelligence continue to evolve at an alarming rate and show no signs of slowing down. This evolution, coupled with the reduction in component prices and the prospect of greater connectivity and data transfer rates promised by 5G technology, will result in more “things” becoming “smart”, digital and automated and joining the realm of the Internet of Things.
Smart things require connectivity to a network to enable them to be controlled remotely by devices. Any network connection presents an access point for a cyber-attack.
Across the globe, doors and windows of homes are locked every night to provide security and prevent uninvited criminal intruders. We are at the beginning of an age where this same approach to security must be the standard for your digital environment.
Why do criminals target individuals, businesses and their supply chains?
It does not matter whether you are an individual or a business. The motivations and tactics employed by cyber criminals are exactly the same.
Consider: what could I do if I had access to your personal or business information networks? What could I do if I could access your photo library, your emails, your Microsoft 365 account, your CRM (customer relationship management) system?
The answer? A lot of really worrying and scary stuff. But why would I want to do this?
In all likelihood, it is because a criminal organisation wants to steal stuff from you for their benefit or someone else’s.
This is not a problem that affects only individuals and businesses elsewhere in the world. This is a clear and present threat to the residents and businesses in our community today. As a spokesperson from the Royal Gibraltar Police confirmed: “Cyber criminals are actively targeting individuals and businesses here in Gibraltar. The unique opportunities that Gibraltar presents to individuals and businesses make them attractive targets to cyber criminals. Businesses and residents alike must be aware of the cyber risks they face, how and why they are being targeted and should, as far as possible, mitigate those risks by making themselves #hardtohack.”
Let’s assume I’m a criminal…
- I want to steal things: money;
- I want to steal personal information, either your own or your customers’/clients’, for extortion purposes or to enable me to criminally target them;
- I want to steal commercial information and/or intellectual property for commercial espionage;
- I want to steal and sully your reputation to give me, or a competitor, an advantage.
To steal, I need access: this might be digital access to electronic files or emails or bank accounts, or this might be physical access to your home or business premises. With so many systems now being controlled digitally and by networks, I can use a cyber-attack to provide access to:
- Your personal devices and emails to steal personal information, or opportunities to divert payments, or lock your devices and blackmail you to regain access.
- Your business CCTV cameras, conference facilities cameras and microphones to listen for and steal privileged commercial information, or to access your network and steal files, or to lock your network with Ransomware and blackmail you to regain access.
It is essential to understand that a cyber-attack is not the end goal; it is a tool to achieve a goal. My goal might be theft of intellectual property or personal information or images: access is provided to me via a cyber-attack that enables remote access to your business or home network / devices. Think of it as a metaphoric digital crowbar or rock through a window.
If I’m a cybercriminal, I can use a cyber-attack in many ways and forms to give me the access I need, when I want it, where I want it, to achieve the conditions I want. Throughout history, military commanders have sought to fight at a time and place of their choosing to ensure they triumph on the battlefield; cybercriminals are no different.
How do criminals target businesses, their owners and their wider supply chain?
Criminals seeking to target individuals and businesses are cunning, clever and capable of implementing an elegant, elaborate and elongated strategy to achieve their ends. They are patient and, like a chess player, are capable of planning many moves ahead, with multiple contingencies should situations not unfold as they intend.
To do this effectively, however, they need to gather useful information to formulate a winning plan. As a result, criminals will target as many potential sources of information associated with an individual or business as possible to build the fullest picture (or target pack) of an opportunity. This will include friends, family, staff, customers, suppliers, insurance advisors, legal advisors, and any other individual or company who connects with and holds information on an individual or business.
Think of it as peeling back the layers of an onion’s skin to get to the centre: the target, the goal. Once individuals have been identified, the criminal will seek to gather information innocuously or coerce the individual directly into passing information or conducting an act that enables further information to be gathered. For a business, this could be access to the business’ network and/or, in time, the owner’s business or personal emails and files.
To find the right individual to trick or coerce, criminals use the internet to identify individuals, businesses and supporting suppliers and target their cyber unpreparedness and weakness. Poor cybersecurity, online security or habits and/or unfortunate circumstances can inadvertently offer an opportunity for an individual to be targeted and/or subverted. These circumstances can include:
- Social media security settings not applied, meaning posts are available for all to read or view.
- Poor and/or naïve electronic device usage which presents a cybersecurity risk: navigating to risky or insecure sites, clicking on unknown links, not regularly applying software and application updates and patches.
- Large debts, addictions or inappropriate use of illegal or socially taboo sites that may result in a family member or staff member being bribed and/or coerced into providing information on an individual or business or carrying out an act that enables remote cyber access.
- Not knowing that personal data may have been hacked already and is for sale on the Dark Web which can enable further targeting and even identity theft.
Once the cybercriminal has the access or information they require, they will apply strategic patience and wait until the conditions are right and the opportunity justifies the risk.
Cybercrime is a clear and present threat to individuals and their businesses. Regretfully, for most, it is not a case of if a cyber-attack will occur, but rather when. Addressing cybersecurity can be an intimidating prospect, but when vulnerabilities are addressed proportionately and coherently and governed effectively, the result is that individuals, businesses, their owners and those that support them will be #hardtohack.
About CSS Platinum
CSS Platinum are international cybersecurity experts. Our ex-military and US Government executive team has over 50 years’ experience in the security and protection of high value corporate and top-secret intelligence data across the MOD, NATO, MOJ, UK/US Government, and leading Fortune 200 and FTSE 150 companies. Further information on the service we provide is available at https://cssplatinum.com, including video content and various whitepapers.
For a free 1-hour consultation about your cyber concerns and becoming #hardtohack, get in touch: firstname.lastname@example.org
The Royal Gibraltar Police have a variety of cyber security resources online: https://www.police.gi/information/cyber-safety