Throughout my career, I have heard the same message again and again: “I am not a target”. What has, however, become more and more apparent to me, and to the organisations that consider themselves to be under the radar of an attack, is that they are not under the radar at all and are, in fact, very much a serious target.
So why is this?
Let’s look at the basics to understand why this is. Every organisation, regardless of size, has some common aspects. They have assets and liabilities, products and services, clients and relationships. They all use technology to support their business, whether it is to help with the accounts or to engage with their customers, and for the most part they all have, or at least intend to have, a profitable status.
So with this commonality comes the levelling of the playing field between large and small. Small companies think that the bad guys will only target large companies because “they have all the money”. But the bad guys know that large companies can and do invest in protecting themselves from attack, so it is easier to attack small companies, which don’t invest in protection but still have money to take.
“But I don’t have anything of value”
It’s an interesting statement in itself; again, I hear it a lot and have to point out the obvious. If you have nothing of value, how come you’re in business? The reality is that every business, regardless of what it does and how it does it, has valuable assets. Those assets come in all sorts of shapes and sizes, but anything you can leverage in a market to make a profit, a bad guy can as well.
Let’s look at some case study examples:
Case Study 1
Widget Engineering Limited is a small engineering company that makes a spindle; the spindle is very useful in things that go round and round really fast, like an engine. One of Widget Engineering’s customers, in fact its biggest customer, is Ultimate Turbines PLC, which makes turbines for high-power jet engines.
Ultimate Turbines PLC makes a specific jet engine for the latest-generation Euro Jet Fighters for the Ministry of Defence. This is a top-secret project, and the government has invested in significant security measures for its endeavours and for its primary suppliers, such as Ultimate Turbines PLC. Widget Engineering Limited has no idea how its spindles are used by Ultimate Turbines PLC, and largely doesn’t care; it’s just happy that the order book is full and that business is good.
One day Widget Engineering gets a phone call from Ultimate Turbines PLC asking for an urgent meeting. When the MD arrives, he is greeted by a room full of Ultimate Turbines PLC board members, as well as representatives from the Ministry of Justice. They inform the MD that they have come across foreign intelligence showing detailed specifications of the engine’s parameters and the operating tolerances of the new jet fighters, which is a threat to national security. Their investigations have established that the leak occurred through Widget Engineering Limited’s systems.
The foreign intelligence agency had hacked into Widget Engineering Limited, who “are not a target”, and extracted the specifications for the spindle. From these they were able to extrapolate the specifications of the turbine that Ultimate Turbines PLC would put around it and, from that, determine the operating tolerances of the jet fighter.
Ultimate Turbines PLC lost the contract and sued Widget Engineering Limited for its full loss.
Case Study 2
Services Co. is a service provider offering all sorts of personal and business support services to suit any budget. They are a flexible organisation that prides itself on its ability to be agile and aligned to the customer’s needs: whether it’s a personal concierge service for those who need a little extra support in their life, or a fully outsourced back office for a company, they can help. Services Co. has hundreds of clients ranging in size and is doing well; they have a great success rate and attrition is low in the organisation.
One day, Services Co. gets a phone call from one of its customers, who states that they have been defrauded and that the police have contacted them. The police stated that their investigations had led them to Services Co. and that they needed to investigate the company to understand the extent of the issue. The police investigation was very disruptive and highly embarrassing for Services Co., who could not keep the information out of the local press.
Services Co.’s clients started to look at their own finances for issues, and several of them discovered they had also been the subject of fraud and contacted the police to join the investigation. The story was front-page news, and the majority of Services Co.’s customers were now looking to end their contracts for fear of financial loss.
The police investigation established that one of Services Co.’s employees had stolen the payment database from the insecure internal systems and had sold this information on the black market before they left the organisation. This information was then purchased randomly by various bad guys and used to extract money from accounts using traditional fraud methods.
The police notified the Information Commissioner of the data breach, and the Commissioner levied significant fines and sanctions against Services Co. This, combined with the significant loss of customers and the massive reputational impact, caused Services Co. to wind up the business and cease trading.
These two case studies are just brief examples of how your business assets can be leveraged against you. There are literally hundreds of different ways to make money from your data; however, you’re probably only doing the one your business was designed to do. The bad guys can find more ways to leverage what you have for profit.
So in answer to the question “who would want to attack me?”, the answer is simple: more people than you give credit to! As for the statement “I am not a target”, if you really think about it, you will realise you are very much a target just for being in business.
In these times of economic strain, the bad guys are looking for every opportunity to make money, just like you; the difference is that they don’t have to deal with morality, ethics or legalities.
Don’t become a victim, get proactive, get secure.
Web: www.justasc.net
email: consulting@justasc.net
Tel: 08456 437406