In the Crosshairs: 4 Principles for Assessing the Likelihood of a Cyberattack
You’ve heard it before: cyberattacks are on the rise. But what is the likelihood that you’ll be attacked? How can you reduce that likelihood? And how should you deal with the bad guys?
To be honest, there is no single way to answer these questions. Your actions always depend on various attributes of your business and your industry, plus the evolving threat landscape. But there are beneficial ways to approach them, especially if you understand a few key elements.
Welcome to the first installment of our three-part series, “In the Crosshairs!”
In the Crosshairs, the Series
In this series, we focus on cybercriminals, for they are the largest and most well-known threat bad actor type. We lay out a straightforward framework for how you can ASSESS the likelihood that cybercriminals will attack your business, LESSEN that likelihood, and how to ENGAGE cybercriminals to win the cyber war. Here are the highlights and links to the other articles:
Tip #1: Don’t shout about your $100 million funding.
Tip #2: Collaborate in the cybersecurity space.
Tip #3: Audit, secure, and reduce your attack surface.
Tip #4: Add a cybersecurity expert to your board of directors.
Technique #1: Staff your board of directors and leadership teams with cyber experts from industry and government
Technique #2: Ensure your CISO reports to your CEO
Technique #3: Build a cybersecurity team with experienced experts — even reformed cybercriminals
Technique #4: Rebuild your legal department, this time with former prosecutors
Technique #5: Develop a strong public-facing cybersecurity reputation
Technique #6: Build strategic relationships with law enforcement
Technique #7: Explore the dark web and approach cybercriminals
Technique #8: Never pay a ransom, period
In the Crosshairs, Part I - ASSESS
In this first article, you’ll learn how to assess the likelihood of a cyberattack on your business. Our goal is to help you clearly and systematically consider how susceptible you are to an attack and act on that knowledge proactively and proactively.
Sounds good?
Great, let’s dive in!
What is a bad actor? In this series, we focus on cybercriminals
There are many types of bad actors (those who wish to harm others) with several motivations. Some typical categories (along with their motivations) are:
Nation-state - Geopolitical
Cybercriminals - Profit
Hacktivists - Ideological
Terrorist Groups - Ideological Violence
Thrill-seekers - Satisfaction
Insiders - Discontent
In this article, we focus on cybercriminals, which are arguably the largest and most well-known threat actor type. According to IBM’s X-Force, “where a threat actor could be identified, cybercriminals were the leading source of attacks [comprising 97% of all attacks].”
Your value in the eyes of a cybercriminal: Money, data, and access
A business can be many wonderful things: a place to work, a way to earn an income, a chance to create a community, and fulfill personal and professional goals. Unfortunately, while you’re focused on operating and growing your business, cybercriminals are sizing you up in three ways:
Money: This can be literal or electronic payment method details, including bank account numbers, credit card details, crypto wallets, etc.
Data: This takes many forms, including your intellectual property, customer data, etc.
Access: The difficulty of accessing your money or data.
Cybercriminals don’t care about the joy your business brings to your customers and employees. They care whether your business contains enough valuable treasure and weak cybersecurity defenses that attacking it will be worth the effort. In the cyber game, this gives them a massive advantage.
To understand the cyber playing field, you need a clear view of your value in the eyes of a cybercriminal. But this can be an art as much as a science.
For instance, the most valuable company in the world (when this article was written, it was Apple Inc.) might have such strong cyber defenses that some cybercriminals might never attack it. Even if they could hack into Apple Inc., it would cost them so much time and resources that it wouldn’t be worth the effort. So in that situation, the bad actor will have massive upside potential for money and data, but access would be minimal (if not non-existent). So much so that the “juice wouldn’t be worth the squeeze.”
But what if it wasn’t Apple Inc., it was Apple Construction Company? Now the playing field has changed. The cybercriminal might have far less upside potential for money and data but higher access potential. The juice might be worth the squeeze, especially if the squeeze was easy to do.
In both examples, the companies have value in the eyes of a cybercriminal, but in different ways. How does your company compare to those in our example?
To start figuring out how much value your business has to a cybercriminal, ask yourself questions like:
Concerning money: “How much money do we have, where and how is it stored, and how many systems does it flow through? “
Concerning data: “What kind of data do we have, how much do we have, where does it live, and what happens when it moves?”
Concerning access: “How strong are our cybersecurity measures… wait, do we even have any? How do we control access to systems and deploy role-based access control (RBAC), meaning, do we assign permissions to users based on their role within an organization?”
Finally, what are your cybersecurity measures (assuming you have them) where your money and data exist?
In this article, we’ll break down the three elements of money, data, and access. But first, let’s establish three ground rules for thinking about cyberattacks in general.
Ground Rule #1: Cybercriminals like a big payout
You’re highly likely to get attacked if you're a big business. You’re rich, visible, and on the radar of cybercriminals. When they size you up, they don’t just see a big payout — they see prestige, as a successful attack will lead to public visibility (like big headlines) and validation/respect within their community.
What if you’re a small company with inroads to a lot of money or data (aka…a big payout)? Think of a regional bank with well-known customers or a cleared defense contractor with clients like the US Department of Defense.
Can you stop them in their tracks?
Sure, if you have the budget, team, strategy, and technology, but most small companies don’t dedicate the appropriate resources to cybersecurity; thus, they can’t stop ALL attacks. This fact keeps the cybercriminals coming. Remember, the stakes for a mistake on your end are high.
Bottom line: If you’re a company that can lead to a big payout, you will be attacked.
Ground Rule #2: Cybercriminals like a big payout, but they like an easy target even better
You're unlikely to get attacked if you’re a small company with minimal access to money and data. The big question is, what is your digital exposure to the internet? Let’s look at an example.
Company A - You're invisible to a cybercriminal if you own a single-location, lunch-only diner in a small town with zero online presence, have a handful of employees, and run a cash-only business.
Company B - Now, you are a target if you’re a tiny high-end Hollywood psychologist and operate on cash but ALSO have an open (meaning no access controls or security setup) MongoDB database with your customers’ data. I don’t think Tom Cruise wants the world to know what he dreams about at night.
In the last example, the open database makes you an easy target. If you think about it, since you are cash only, you might not have any payment details tied to your customer data, but it is just too easy for a cybercriminal to pass up. With a few clicks, they are in your database. Once they are in, they will monetize what they find, even if they are vaguely legible digital notes of conversations about dreams.
Opportunity is what cybercriminals are genuinely seeking. You want to strive not to be an easy target for them!
But suppose you deploy modern cyber basics on your financial tools (like your point-of-sale system and business bank accounts) and your data (like online databases and websites). In that case, you should be able to sleep well at night… if you keep waking up from data breach nightmares, call us, and we’ll talk it through!
Bottom line: Cybercriminals will target you if you have inadequate access controls, even if you’re a small company with minimal access to money and data.
Ground Rule #3: Most businesses are somewhere in the middle (between a big payout prospect vs. an easy target, hopefully, you’re not both)
One thing that makes this topic so interesting — and critical — is all the nuance. Most companies fall into a massive middle ground of neither a big payout prospect nor an easy target. But even for these companies, there is no single protocol or framework for assessing the likelihood of a cyberattack.
For instance, imagine a business analyst comparing two organizations (Company C and Company D) that seemingly have the same profile: same industry, same specialty, same employee range, same revenue range, same customer base, and clientele. Does this mean they have the same cyber risk profile? Maybe, maybe not.
Now imagine a cybercriminal sizing up the same two businesses (Company C and Company D). With their expertise and desire to steal from the businesses, they will quickly determine which is like an impenetrable fortress and which is like an unlocked jewelry shop.
To better understand how they will attack, let’s refer to the MITRE ATT&CK® matrix. The cybercriminal might deploy serval reconnaissance measures (not limited to):
Actively scanning both companies’ internet-facing assets, looking for a vulnerability in their attack surface.
Sending phishing messages to elicit sensitive information that can be used during targeting, looking for ways to deceive targets into divulging information, like credential details (username and password).
Searching websites owned by the victim for information that can be used during targeting, looking for names of business units, physical locations, and data about critical employees.
Assuming they deploy all of these techniques in both instances, they learn the following:
Company C - There are no known vulnerabilities found. They get a few people to respond to their phishing emails, but the respondents are entry-level employees with, likely, minimal access. Company C made very few accusations.
Company D - There are 20+ known vulnerabilities found. They got several people to respond to their phishing emails, including some high-level employees, possibly with admin access. Company D made many widely publicized accusations, including one with high-profile customers and a highly porous attack surface.
Given this intelligence, it is easy to see who the cybercriminals will target, Company D (as they might be both a big payout prospect and an easy target).
Bottom line: If you’re like most businesses – neither a big payout prospect nor an easy target, assessing the likelihood of a cyberattack is crucial (especially if you are concerned you might have both in play).
Read this next section, and if you fall subject to ANY of the three guiding principles, you are more likely to deal with a cyberattack. But if you answer, “No, no, no,” you are likely good to go! Bear in mind that this is a guide, not a guarantee. Cybercriminals can be wildly unpredictable. The fourth guiding principle is something to always remember.
Now, without further ado, here are our guiding principles for assessing the likelihood of a cyberattack.
Guiding Principle #1: Do you have a lot of money? If so, you need to protect it!
Let’s start with an analogy. If you live in a multimillion-dollar estate and you put a big sign on your lawn that says, “I have a ton of expensive stuff inside, and I am on vacation for three weeks,” do you think a thief is more or less likely to try to break into your house?
Ahh… very likely. Hell, I might be tempted by that sign. Where do you live again?
Unfortunately, the equivalent happens all the time in the business world. Sometimes it’s unavoidable because you’re a famous, successful private company that’s a household name. Sometimes it’s unavoidable because you’re a $10 billion public company with well-documented intellectual property (IP). Sometimes it’s unavoidable because you’re a top-tier defense contractor with a bare-bones website that is easily searchable online. And sometimes it’s unavoidable because you’re a startup with negligible revenue but a $500M Series C round that’s been written about in TechCrunch.
Money attracts attention, good and bad. If you have it, there is no way to completely hide it, at least not for a business in the digital universe. Even if your cybersecurity defenses are top-of-the-line, you must understand that you will be attacked eventually.
Bottom line: The more money you have, the more likely cybercriminals will try to take it. You will deal with cyberattacks.
You must grapple honestly with the fact that you will always be under some sort of attack. Try not to brag about your riches, but don’t think that not bragging puts you in the clear. A megamansion without an “I’m wealthy, steal from me” sign is still a megamansion that thieves may consider a prime target.
Guiding Principle #2: Do you have a lot of data? If so, you need to value it properly to determine the appropriate level of protection it requires.
Money is an objective store of value — you either have it or don’t. It has an agreed-upon value. Data is different. You can have a ton of it, but volume alone doesn’t make it valuable. Data must be unique and intrinsically valuable to cybercriminals, such as intellectual property (like highly-sensitive source code, as it holds immense value to the company). Another large category of valuable data is personally identifiable information (PII). PII is data that can be used to identify an individual. Let’s look at some PII examples and their possible value to a cybercriminal:
Social security numbers (SSNs) - Very valuable, for in volume, they can command a large sum of money on the dark web.
Email addresses and phone numbers - Valuable as well, but not as beneficial as SSNs.
Physical addresses - Less valuable as they are generally public info.
Someone’s cat's name - Minimal value, but it could be used to answer security questions for accessing a sensitive account, like an online bank account.
Data tracking (collecting, identifying, and classifying individual data points so they can be used to build an ad or marketing campaign on you) - Marginal (in any) value to cybercriminals, but for Meta and Google, a lot, but that is another conversation.
What if you have all the above-referenced data? That is a different story. In the aggregate, the aforementioned PII is extremely valuable and will command a higher price point for a cybercriminal.
As a business person, you need to understand what data you have and what value it has.
If you’re a big business with millions of customers and have a significant role in storing PII, you need to defend that info as much as you need to defend your bank account.
If you’re a small T-shirt company and all your customers’ credit card info is stored and governed by PayPal, you might not have to worry as much. If a cybercriminal were to steal your limited PII (such as email addresses, phone numbers, and physical addresses), it would hold minimal value to them. They are aware of this, which may result in them ignoring you as you might not be worth their time.
IMPORTANT NOTE: From a public relations, customer success, and compliance standpoint, losing any customer PII you collected is terrible for business, but this article is focused on a cybercriminal’s point of view.
Another way to consider the value of your data to a cybercriminal is to assess how much you pay to obtain, store, maintain, and use that data; how many people you employ; and how many processes you’ve developed to keep it safe and secure. For instance, do you gather it as a byproduct of your business model, and it sits in a Google Sheet that you and your intern access? Or is it a critical feature of your business, and you keep that data in a server farm in an undisclosed desert location with military-grade security?
Bottom line: The more data (specifically high-value data) you have, the more likely cybercriminals will try to steal it. You will deal with cyberattacks.
Data can be as valuable as money, sometimes more. But you have to understand how valuable it is to a cybercriminal. Once you understand its value, you can assess how much you have to protect it and the likelihood of being attacked.
Guiding Principle #3: Are you an easy target? If so, you will likely be attacked, which isn’t good for everyone.
At this point, if you realize that your business has the money and data to make a cyberattack likely, get ready for the next article in this series about how to lessen the likelihood of an impending attack.
But let’s say you’ve determined the opposite — that your business doesn’t have the money or the data to be worth any cybercriminal’s time. No reason to worry about a cyberattack, right? No reason to invest in cybersecurity. Right?
Maybe… or maybe not.
The issue is we’re all connected
When thinking about how easily a cybercriminal could access your networks and systems to steal your money and your data, remember this: in the digital world, everything is connected and accessible. The internet has made it possible for someone in Europe to break into a business in the Americas by going through a network in Asia or Africa. Think about that for a moment. Until the last century, a thief may have wanted to steal from a company halfway across the world, but they had absolutely zero way of doing it unless they were physically onsite. Now, that thief can attack from a computer in their basement while eating breakfast. For cybercriminals, fantasy has become a reality.
As I noted in my previously mentioned Pro-Tip, cybercriminals target unprotected computer systems via automated vulnerability scanning campaigns. If you are operating unprotected systems, they will find you.
Bad for you and everyone
Why does this matter in terms of assessing the likelihood of a cyberattack? Because it means that, in some way, every business is always vulnerable to an attack. If your systems are vulnerable, a cybercriminal might use them as a hop point, a way to hide their identity by tunneling through your network and “looking” like you. They could launch attacks from your network, mine data, or even use a computer(s) to mine cryptocurrency. The sky is the limit! And since they are using your network, the attacker will appear to be you! “What?” Yeah. That might be a problem for you to litigate.
Every software system you manage and operate interconnected to another organization’s network increases the other organization’s attack surface. These systems are part of the supply chain, which isn’t a linear chain but an interconnected web of systems. If one is compromised, the others might also be subjected to compromise; think of the Solar Winds compromise.
Just bad for you
They also might use access to your network and attack you. They might launch a:
Business email compromise campaign: taking over an email account and pretending to be you to trick others (think your investors, suppliers, customers, etc.) into redirecting money to them, the cybercriminal.
Ransomware attack: encrypting sensitive files or systems until you pay the cybercriminal a ransom to unencrypt said files.
Both are ways to get money from you, even if it is a “small” amount, like $5,000. It is easy to do and wildly successful. These are two of the most common and costly cyber attacks used today.
Bottom line: The more insecure your network, the more likely cybercriminals will find and exploit it.
If you make it easy for cybercriminals to attack you, they likely will, for it has value. No business does cybersecurity in isolation. Could your business be attacked because one of your suppliers is compromised? Absolutely. Your business is part of a community; for cybersecurity to work best, everyone must be secure.
Did you answer yes to any of the above guiding principles? If so, you WILL BE ATTACKED. There is no “if.” It is a matter of “when.” In this case, our In the Crosshairs series is perfect for you!
Did you answer “No, no, no?” If so, you are likely good to go! No need to read the rest of the series unless you want to be prepared for the possible. I say that mainly due to the fourth guiding principle.
Guiding Principle #4: Cyber threats and cybersecurity are constantly evolving cat-and-mouse games
What works as a defensive measure today will be outdated in a few years. The cutting-edge solution you deployed last year is effective… until it’s not. Cybercriminals get excited about inventing tools to break through your defenses. Their strategy is to wait until your system develops a bug, or they find a crack and pounce on you. Either way, they’re always looking to best your latest and greatest defensive methods.
With phishing emails, for instance, many companies have the tools to stop those messages from reaching inboxes. If one sneaks through, employees can be trained to identify it quickly. But what about as time goes on? What do you do when you fail to update your anti-phishing software for longer than advised because it’s inconvenient for business reasons or because you don’t have the IT personnel at the moment? That shortcoming and a cybercriminal’s ingenuity could be the difference between clean and clear inboxes or ones filled with dangerous phishing emails.
Let me share a real-life situation with you. A sizable international hospitality organization suffered a massive data breach approximately seven years ago. I was able to speak with one of their executives shortly thereafter. They said something that I found to be highly problematic and inaccurate. It was something to the effect of, “Now that we have dealt with and remediated this data breach, we will NEVER have to deal with one again.”
This person clearly didn’t understand their adversary. As I noted, cybercriminals will evolve. Fast forward approximately five years later, that same organization was hit with another data breach.
Bottom line: If you don’t keep up with evolving cybersecurity threats and solutions, cybercriminals are eventually going to succeed in exploiting your vulnerabilities.
It’s frustrating, but you can’t fight it — the reality is that no cybersecurity defense lasts forever. Strong defenses stymie cybercriminals momentarily because, like it or not, many are highly skilled professionals who understand how to find their opponents’ weaknesses and inevitably attack them. This has always been the case and may become increasingly critical in the Artificial Intelligence arms race, where defenders and aggressors constantly invent new ways of securing and exploiting systems.
Conclusion: The bottom line is your bottom line(s)
Most of you reading this article will have likely fallen prey to one of the first three guiding principles, meaning you will deal with a cyberattack; however, if you are one of the lucky few who answered, “No, no, no,” you are likely good to go! With that said, this is a guide, not a guarantee.
Remember that your organization has various objectives or bottom lines, and being compromised isn’t one of them. A severe enough attack could destroy your organization. But cybercriminals don’t care about your bottom line(s). In my years of investigating, interrogating, and studying cybercriminals, I know enough about their motivations and actions to know that they don’t care about their negative impact on your business. They see you as an opportunity to make money without leaving their computer or suffering consequences.
But you have bottom lines. You have to sell products, provide services, and make payroll. If you want to stay in business and enjoy the benefits of your organization, then you need to protect your bottom lines. Unless you fall on the extreme ends of the spectrum, you’re likely to be attacked at some point — and for that, you need to be prepared. Being proactive is the only surefire way to address a cyberattack.
Realizing that you’re likely to be attacked? Check out the next In the Crosshairs series, “4 Tips for Lessening the Likelihood of a Cyberattack.”
What we’ve got here is a failure to communicate… the importance of sharing epic articles like this one with everyone we know!
Are you looking to go to a persona page?
Cyber 101 | The Solopreneur | SMB | BoD