We often take the things we do every day for granted. In the security community, we assume knowledge that’s the norm for us is the norm for everyone else – when it actually isn’t.
It often comes as a surprise when someone questions what we know to be true, or doubts that what we say is really true for them. I have noticed this in many areas of life and I suppose it’s just part of human nature. One specific area where I’ve observed it over the last few years is in the likelihood of a data breach. It’s easy to forget that other people aren’t reading the same breach notifications or stories that slide into my inbox daily.
I had one meeting recently where a client questioned the likelihood of a breach. It was during the presentation of an information security strategy, security maturity model and roadmap for them. It’s all too often that these sorts of questions pop up in those types of meetings, where we’re briefing C-level executives who aren’t monitoring the industry day in and day out.
So we went over cybercriminals, their motivations and their goals; we discussed nation states, hacktivists and espionage; we talked about how everyone is a target and we gave examples of how some breaches happened and the anatomy of a typical advanced threat. We even performed a live demo of how simple it is to use software – which is readily available on the internet – to exploit a vulnerability and steal all the information a user sees on their screen and inputs into their keyboard.
It really is scarily easy to carry out such an exploit. Often all you need to do it is get a user to click on a link or open an attachment.
After having gone through all that, a member of the audience asked, “In reality how likely is it to happen to us – why would we be targeted?” It’s a mindset I’ve seen before, time and time again; it’ll never happen to us. It’s the professional equivalent of the famous Irish saying, “Ah sure, it’ll be grand.”
I think the mindset comes from a detachment that we’ve been forced to develop in order to deal with the sheer volume of bad news stories that are coming our way in the modern world. This detachment prevents us seeing what is on the other end of the threat – the cybercriminals themselves. We tend to forget that it’s people on the other end of the cyber-attack – people who are determined to get what they can from us by any means necessary. These are people who don’t have the same principles of right and wrong as we do.
So back to the question at hand – what is the likelihood of a data breach happening to you? Nobody can really say, in the same way that we can’t say whether on any given day we are going to be robbed or have another car crash into us.
Instead, let’s look at what we do know. If you hold data on living people – and our client did – then you are a target. Perhaps not as big a target as some other organisations, but you might be seen as low-hanging fruit by cybercriminals, precisely because you are unlikely to have the same level of protection as the Facebooks or Googles of the world. You need to ask yourself whether your organisation is going to be easier to get data out of than they are.
Consider this: In 2018, there were 6,515 data breaches reported around the globe, according to research from Risk Based Security. These ranged from retail, to ticket sales, to dating apps and everything in between. It shows that it’s not about how important you view the data you have – it’s about how valuable a criminal views it as being. Personal data can be used for fraud and identity theft, enabling anything from accessing or setting up bank accounts, to committing benefits fraud, ordering goods online or getting hold of a credit card or passport, to name just a few examples.
You don’t have to be a specific target either – there are powerful scans continuously running and looking for any type of opportunity out there in cyberspace. They’re betting on the field having an exploitable vulnerability, rather than narrowing their view to one high-value target. They’re looking to see whether you have server infrastructure that could be used as part of a botnet or for cryptomining, and whether your servers could be turned into file stores for illegal material.
Who would be responsible for that activity if it took place? I’ll let you have a guess – it’s not the criminals.
Breaches don’t have to be targeted, and you don’t have to be the final target – it could be one of your customers or your suppliers. Many of the threats are opportunistic in nature. The important thing is that we don’t leave those opportunities open to criminals, in the same way that you don’t leave your front door key under a plant pot… or do you?
Next time before you ask whether it’s likely a data breach will happen to you, remember all the news headlines of the thousands of companies who’ve reported data breaches. They asked that same question too.
This blog and its content are provided as a general guide to the subject matter. You should always seek specialist advice about your specific situation – no two organisations are alike.