Thomas Polk, CISSP, HCISPP — Chief Information Officer at Midwest Eye Consultants.
“Nothing personal; it’s just business,” is a quote often attributed to Otto Berman, an accountant for organized crime in the early 1900s. Cybercriminals are motivated by various factors, but the predominant one is simply money. Cybercriminals do not care about the good your company does, the impact their actions will have, or the fact that what they are doing is illegal and immoral. They have justified their actions and just want to extract as much money from the event with as small an investment as possible.
According to a 2018 Bromium (now owned by HP) report by Dr. Michael McGuire, criminals generate at least $1.5 trillion per year from cybercrime. To put that in perspective, if cybercrime were a country, its economy would be larger than Australia’s, and it would be one of the 15 largest in the world, according to World Bank findings.
So, how do you deal with this issue?
Security Is An Attitude, Not A Checklist
Security is not a task that can be completed once and never thought of again. It is not a process of “We’ve done all these things, and now we are all secure; thus, we no longer have anything to worry about.” Security must be handled as a continual process and positioned as a state of mind. It always needs to be evaluated and addressed at all levels of the organization. Security must be everyone’s responsibility, not just a function of the information technology department or chief information security officer (CISO). Security needs to be part of the evaluation process for all systems, regardless of use or department.
Do not think that your organization is “too small” to be attacked. Cybercriminals are interested in return on investment. Again, think about potential attacks or exploits against your company without moral filters — “Let’s compromise some medical equipment, and if they don’t pay, let’s make it all unusable. They would pay then. Let’s see what the limit of their cybercrime policy is.” Do not underestimate the lengths to which criminals will go to get money.
There should be some sort of organized, ongoing security evaluation in the environment. There are several ways for this to be done, but one of the easiest initial processes looks at two distinct areas: likelihood and impact. Every system, function and area should be evaluated. Establishing a scoring system (e.g., level 1: low risk, level 2: medium risk or level 3: high risk) is a good starting point.
Likelihood looks at how easy a target the system or item is. Is the system connected to the public internet? Does it require staff to make specific decisions all the time? Is it based on or does it contain older operating systems or ones with known security issues? Evaluate all these areas, and then come up with a score, thinking in terms of “easiness.”
Impact looks at what occurs if something happens to this system. Will this cause regulatory or public relations issues? Will it impact your cash position? Could it even lead to loss of life of staff or the public? In this area think, “How big of a deal would this be?” But you must be careful about hidden risks. For example, the Target credit card breach occurred because of an HVAC vendor that shared the same network as the credit card processing network. So, the impact of hacking the HVAC system was much greater than it first appeared.
From these two evaluations, create a ranking by multiplying the likelihood score by the impact score. Then rank the results from highest to lowest. This becomes your target list for now. Every change, update or system addition should go through this process and, in turn, be reflected on the list.
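The scoring process above, carried through on a constructed sample register (this is an added illustration, not code from the article or from the author's organization): each system gets a likelihood and an impact on the 1–3 scale, the two are multiplied, and the list is sorted highest first. The `segment` field and the inherited-impact rule are assumptions added to show the hidden-risk caveat: a low-impact system that shares a network segment with a high-impact one is scored at the higher impact, which is the lesson of the HVAC-vendor breach.

```python
from dataclasses import dataclass
from typing import Optional

LOW, MEDIUM, HIGH = 1, 2, 3  # scoring levels from the article


@dataclass
class Asset:
    name: str
    likelihood: int                 # 1-3: how easy a target it is
    impact: int                     # 1-3: how big a deal a compromise would be
    segment: Optional[str] = None   # assumed field: shared network segment, if any


def validate(a: Asset) -> None:
    for label, v in (("likelihood", a.likelihood), ("impact", a.impact)):
        if v not in (LOW, MEDIUM, HIGH):
            raise ValueError(f"{a.name}: {label} must be 1, 2 or 3, got {v}")


def effective_impact(asset: Asset, assets: list) -> int:
    # Hidden-risk adjustment (assumed rule): an asset on a shared segment
    # inherits the highest impact of anything else on that segment.
    if asset.segment is None:
        return asset.impact
    return max(a.impact for a in assets if a.segment == asset.segment)


def rank_assets(assets: list) -> list:
    # Returns (name, likelihood, effective impact, risk score), highest risk first.
    for a in assets:
        validate(a)
    rows = []
    for a in assets:
        imp = effective_impact(a, assets)
        rows.append((a.name, a.likelihood, imp, a.likelihood * imp))
    # sorted() is stable, so equally scored items keep their entry order.
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed sample register; these are not real systems.
SAMPLE_REGISTER = [
    Asset("card-processing", likelihood=LOW, impact=HIGH, segment="store-lan"),
    Asset("hvac-vendor-gateway", likelihood=HIGH, impact=LOW, segment="store-lan"),
    Asset("public-website", likelihood=HIGH, impact=MEDIUM, segment="dmz"),
    Asset("hr-file-share", likelihood=MEDIUM, impact=MEDIUM),
]

if __name__ == "__main__":
    for name, lik, imp, score in rank_assets(SAMPLE_REGISTER):
        print(f"{score}  {name} (likelihood {lik} x impact {imp})")
```

On the sample register the vendor gateway, rated low impact on its own, rises to the top of the list once it inherits the impact of the card-processing network it shares.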
Cybercrime is big business, and there needs to be a shift in executives’ attitudes from “Security is something we pay staff for,” to “Security is everyone’s responsibility — from the top down.” The criminals will not stop or give up — the money is just too easy. The best that you can do is to make your organization too expensive a target so that they move on to easier prey. As my late brother would say, “You are not paranoid if they really are out to get you.”