For many individuals and groups around the world, cyber crime is a full time job. According to Verizon, about 97% of all data breaches are financially motivated. Cyber crime is a very lucrative business model for many people, and coupled with many organization's lack of security controls, can also be an easy job. However, that doesn't mean there isn't strategy involved when determining which businesses to target and how to implement an attack. In fact, many cyber criminals operate similarly to investors. They conduct research, are patient, and know just when to strike to create the biggest return on investment. Continue reading to learn more about how cyber criminals may be "investing" in your business.
An analogy that describes this cyber criminal mindset is that of a day trader versus a long term investor. A day trader is someone who targets stocks, options, or currencies and sells them within hours. They usually only hold onto these stocks for a single day (hence the name "day trader"). The goal is to make a quick profit off of short term positions in the market. Unfortunately this strategy isn't very profitable as only about 1% of day traders consistently turn a profit over a period of five years. While day trading may be profitable for a lucky few, the amount of risk it requires is typically not worth the return.
Conversely, an investors goal is to accrue wealth over time by investing in stocks, bonds, or assets and holding for long periods of time. These investments are held for months or years at a time rather than mere hours or seconds. Investors take advantage of interest, dividends, and market changes over the years and are typically able to ride out downtrends with the expectation that they will eventually recover. While risk is always a factor when investing or trading, the risk is often less dangerous for long-term investors who can wait out the downtrends. Traders may make a bad trade and end up losing money in a matter of seconds. While trading may work for some individuals, long-term investing is typically seen as more profitable in the long run for a larger amount of people.
So what are cyber criminals? Traders or investors? Cyber criminals would best be described as long-term investors. The strategies used in infiltrating a business often require an immense amount of patience and research. The cyber kill-chain is a model used to outline the steps cyber criminals take when conducting an attack. The first step is usually defined as "reconnaissance".
Before any attack is implemented attackers will spend time harvesting login credentials, looking for potential backdoors, rooting out vulnerabilities, and gaining useful information to use in a phishing attack. This may also involve gathering social media or personal contact information for the uses of social engineering. In a sense, investing requires a certain amount of "reconnaissance". Investors will research the companies they plan to invest in, keep to up to date on business decisions that may impact the market, and keep an eye out for shifts in position. Like investing, cyber criminals will do the necessary research involved to maximize potential profit.
Additionally, a cyber criminals goal is to remain undetected for as long as possible. The term for this is called "dwell time". The dwell time of an attack is how long it takes for a breach to be discovered after the initial infiltration. On average, it takes about 287 days for an organization to detect a data breach. This means that for many businesses, cyber criminals are in their systems for over 6 months! This gives attackers ample time to steal and encrypt data, elevate privileges, and learn how to slow or shut down business operations. For ransomware gangs, it's important to gather as much information as possible in order to extort a business for exorbitant amount of money.
Cyber criminals are very patient people, like investors, they are able to wait and "hold their position" in order to maximize profit. This dwell time also gives attackers time to learn more about your supply chain. If you work with other companies, are a vendor, or intake data from elsewhere, you can be used as a foothold into another organization. These are called "supply chain attacks" and can have devastating impacts on hundreds of businesses.
How can you ensure that cyber criminals aren't "investing" in your business? For many organizations, a breach isn't detected until it's too late. The first step in securing your business from external attackers is to know where your gaps lie.
A security assessment can help you identify where your weaknesses are and what vulnerabilities can be exploited. This allows businesses to strengthen their overall security posture and prevent successful attacks in the first place. Security assessments can also give you a baseline understanding of what a secure environment should look like. This way, it is easier to spot something out of the ordinary and detect potential threats. I
t's also important for organizations to consistently scan for vulnerabilities. This includes having a vulnerability and patch management solution ready to address any updates or configuration changes.
Lastly, enlist the help of a managed service provider (MSP) to ensure your business has the necessary resources and tools to defend against the most sophisticated cyber-attacks.
CorpInfoTech offers security assessments, vulnerability scanning, firewall management, and more to ensure that SMBs are equipped to protect their data from bad actors.
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. CorpInfoTech can help organizations, quantify, create, refine, and mitigate the risks presented by business threatening disasters in whatever form they may be disguised.