Not intended as a complete ‘how to’ guide, but more of a guide to a normative approach to cyber threats.
Threat: Malicious attack / Blackmail / Ransom
Sectors: Public sector, third sector, corporations, controversial sectors, charities, animal-related (including farming and meat production), sex / gender related.
Sony found themselves on the wrong end of what could genuinely be called an attack, in retaliation for a film parodying the North Korean leader. This was an attack, insofar as it was a deliberate and sustained act of malicious activity designed to inflict harm. But that’s at the top end of business and global politics, not really relevant to your dating website company, right?
Ashley Madison was penetrated in an attack designed to collapse the company, either by the directors closing it as the ransom demanded, or through reputational damage from the exposure of the users on the public web. Coupled with this was the exposure of AM’s own rather underhand practice of creating female accounts in bulk, in house, to balance out the gender gap. The company technically survived, its reputation in tatters, CEO gone. Hmmmm.
Brian Lord told us of a charity recently fined a quarter of a million pounds for their data breach. They operated an invaluable service to support women in their extraordinarily difficult decision-making process regarding unenviable life choices about childbirth. Ahhhh.
Questions: Could we be severely provoking any individuals or groups? (This is not the same as doing anything wrong.) If the answer is yes, and they are likely to feel justified in attacking you because you offend their morals, ethics, religion or politics, you may want to think about this threat in a way a florist probably doesn’t need to. The information you hold might not be valuable in the same way credit card details are, but it may be excruciatingly sensitive.
Threat: Theft*: All information has some value. All. If someone else had it, how much would you care?
*Theft used to mean you no longer had something. Now it means you have it, and so does someone else.
Sectors: Most sectors, but some much more so than others. From law firms holding IP and contract information to anyone holding payment info, contact details, even email addresses. The more comprehensive the data, the more valuable. Email addresses alone are of small value; add a bank name and they become much more valuable; a home address, more; account numbers, even partial, more; and so on. The more specific the information, the more valuable. Client X is negotiating a merger with Y and will accept Z pence per share. Multimillion-pound information in the right / wrong hands.
Questions: Imagine all your information was in paper form in filing cabinets. Which of those cabinets would you really not want photocopied and distributed to the public? Which contains your organisation’s information, and which your customers’ information? Which do you protect more? How are these filing cabinets labelled? Do you have one labelled “Extremely Valuable: Do Not Photocopy”? Is that the best label for it? Do you have a system admin account named “Sysadmin”? Is that the best name to call it? Think about whether you would leave a sign outside your house with an arrow saying “Spare Key under this Plantpot – once inside follow the arrows to the safe”.
Risk analysis should be undertaken to understand what information you hold and the potential value it has, generically, and perhaps very specifically. You may find the process itself rather useful.
Threat: Data Manipulation
Sectors: All fintech + others
This may become much more of a problem than data theft. It may already be so.
In 2013 a large bank robbery involved digitally removing the withdrawal limit on pre-paid debit cards and then cloning them. It resulted in a loss of over £20 million in cash. Cash! Taken from several thousand ATMs in multiple countries in just a few hours. Changing information may be more valuable than ‘stealing’ it.
Questions: What information do you have that could be manipulated or changed within your system? Credit limits, for example. Or account balances? Do you have checks and measures to prevent this? Or a procedure to notify admin of sensitive changes? Response time?
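The “checks and measures” and “notify admin of sensitive changes” questions above are easiest to answer with a concrete monitor. This is an added illustration, not code from the original article: it runs over a constructed audit feed of withdrawal-limit changes (the field names, actors and card ids are hypothetical) and raises alerts for a limit being removed or set absurdly high, for a change with no change ticket, and for one actor lifting limits on many cards in a short window, which is the shape of the 2013 pre-paid card robbery.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events (hypothetical schema), already filtered to changes of
# a card's withdrawal_limit. "new": None means the limit was removed entirely.
SAMPLE_EVENTS = [
    {"ts": "2013-02-19T01:00:00", "actor": "ops.alice", "card": "card-0001", "new": 1000, "ticket": "CHG-1"},
    {"ts": "2013-02-19T02:10:00", "actor": "svc.batch", "card": "card-0002", "new": None, "ticket": None},
    {"ts": "2013-02-19T02:10:05", "actor": "svc.batch", "card": "card-0003", "new": None, "ticket": None},
    {"ts": "2013-02-19T02:10:09", "actor": "svc.batch", "card": "card-0004", "new": 999999, "ticket": None},
]

MAX_LIMIT = 5000                  # hypothetical ceiling for a legitimate limit
BURST_WINDOW = timedelta(minutes=10)
BURST_COUNT = 3                   # same actor touching this many cards in the window

def single_event_alerts(ev):
    """Alerts that can be decided from one change record alone."""
    alerts = []
    if ev["new"] is None:
        alerts.append(("LIMIT_REMOVED", ev["card"], ev["actor"]))
    elif ev["new"] > MAX_LIMIT:
        alerts.append(("LIMIT_EXCESSIVE", ev["card"], ev["actor"]))
    if ev["ticket"] is None:      # sensitive change with no approval trail
        alerts.append(("NO_CHANGE_TICKET", ev["card"], ev["actor"]))
    return alerts

def burst_alerts(events):
    """One actor changing limits on many distinct cards within BURST_WINDOW."""
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[ev["actor"]].append((datetime.fromisoformat(ev["ts"]), ev["card"]))
    alerts = []
    for actor, changes in by_actor.items():
        changes.sort()
        for i, (start, _) in enumerate(changes):
            cards = {c for t, c in changes[i:] if t - start <= BURST_WINDOW}
            if len(cards) >= BURST_COUNT:
                alerts.append(("BULK_LIMIT_CHANGE", actor, len(cards)))
                break                 # one alert per actor is enough
    return alerts

def analyse(events=SAMPLE_EVENTS):
    """Returns every alert for the feed; an empty list means nothing to notify."""
    alerts = []
    for ev in events:
        alerts.extend(single_event_alerts(ev))
    alerts.extend(burst_alerts(events))
    return alerts

if __name__ == "__main__":
    for a in analyse():
        print(a)
```

The response-time question is answered by wiring `analyse()` to an alert channel that a human must acknowledge, rather than to a report read the next morning.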
Threat: Spearphishing: The targeting of specific individuals within an organisation at specific points in time, to achieve a single aim: either to elicit the individual to directly disclose some information, to carry out an act such as making a false payment, or to encourage the individual to open a file or go to a website that will automatically download malware for other criminal purposes.
Example: a sales contract has just completed. Payment is due. The account manager receives an email from the customer thanking him for the excellent service, wonderful delivery of product, we’ll be sure to use you next time, and one last point, could the balance of payment be made to a different account number. Have a great day.
Sectors: Many, including manufacturing and export, but especially non-end-to-end digitised companies, as this type of fraud involves ‘social engineering’, or more accurately, individual-to-individual deception.
Questions: Does everyone in the company know this kind of fraud exists, and are they aware of the variations of it? Are there procedures in place to double check account changes, specifically payment transfers, in a non-digital way? Like a phone call?
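The “phone call” control for the changed-account-number email can be made mechanical so that it cannot be skipped under time pressure. This is an added example, not from the original article: a payment whose bank details differ from the customer record on file is held unless a second person (not the requester) has recorded a recent confirmation made by calling the number already on file, never a number given in the email. The record layout, customer and staff names are constructed.

```python
from datetime import datetime, timedelta

# Constructed master record: the customer's bank details as held on file.
ON_FILE = {"customer": "Acme Ltd", "account": "12345678", "sort_code": "20-00-00"}

VERIFY_VALIDITY = timedelta(days=1)   # a phone confirmation is good for one day

def check_payment(request, on_file=ON_FILE, verifications=(), now=None):
    """Returns ("PAY", reason) or ("HOLD", reason).

    request:       {"customer", "account", "sort_code", "requested_by"}
    verifications: out-of-band confirmations {"customer", "account",
                   "sort_code", "verified_by", "ts"} made on the phone
                   number already on file, not one supplied in the email.
    """
    now = datetime.fromisoformat(now) if now else datetime.now()
    if (request["account"], request["sort_code"]) == (on_file["account"], on_file["sort_code"]):
        return ("PAY", "bank details match the record on file")
    for v in verifications:
        key = (v["customer"], v["account"], v["sort_code"])
        if key != (request["customer"], request["account"], request["sort_code"]):
            continue                                  # confirmation is for other details
        if v["verified_by"] == request["requested_by"]:
            continue                                  # four eyes: requester cannot self-verify
        if now - datetime.fromisoformat(v["ts"]) > VERIFY_VALIDITY:
            continue                                  # stale confirmation
        return ("PAY", "new details confirmed by phone by " + v["verified_by"])
    return ("HOLD", "bank details differ from record; confirm by phone on the number on file")

# Constructed scenario: the "please pay a different account" email from the text.
SAMPLE_REQUEST = {"customer": "Acme Ltd", "account": "99999999",
                  "sort_code": "20-00-00", "requested_by": "bob"}
SAMPLE_VERIFICATION = {"customer": "Acme Ltd", "account": "99999999",
                       "sort_code": "20-00-00", "verified_by": "carol",
                       "ts": "2016-03-01T11:00:00"}

if __name__ == "__main__":
    print(check_payment(SAMPLE_REQUEST, now="2016-03-01T12:00:00"))
    print(check_payment(SAMPLE_REQUEST, verifications=[SAMPLE_VERIFICATION],
                        now="2016-03-01T12:00:00"))
```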
Threat: Downloading / installing Malware: Could be anything, from ransomware that encrypts your computer to spyware that facilitates spearphishing.
Sectors: Everyone, including individuals. Example: you all get an email. Redundancy notices for 2016. See attached list. What percentage of employees open it? You go to an event. You are given all sorts of goodies, including promotional USB sticks, perhaps from another visitor who you also give your business card to? And so on.
Questions: Is everyone in the company aware of these risks? Without being paranoid, are they being conscious and careful? If you don’t know the person, it is probably better not to put it in your computer.