The same cyberattack can mean different levels of severity for different businesses. It boils down to each company's level of security. Amidst the many headlines warning of the power of the hacker, what's often overlooked is just how much power an individual enterprise has to weather the storm of a hack. The reality is that cybercriminals are not all-powerful and all-knowing. More often than not, they're just opportunists looking for weaknesses. And they typically don't have to look very hard.
The cyberattacks that get a lot of press are the well-orchestrated ones that run like a movie bank heist - seamlessly, with expert skill. Yet the majority of hacks out there are about as sophisticated as a thief swiping a wallet. Why? Because the wallet is easier to access than the bank vault. It's less guarded.
Far too many companies out there have a wallet in the back pocket approach to enterprise security. It's what makes them such easy targets. As Computer Weekly has pointed out, small and medium-sized businesses are most frequently hit by unsophisticated cybercrime — the kind that could be kept at bay with very simple security steps. To illustrate how significantly enterprise preparation can determine the outcome of a cyberattack, we've devised a hypothetical cybercriminal scenario alongside with three different companies, each of which have different levels of cyber preparedness. Let's see how these three different businesses fare when hit with the same attack. We'll start by introducing the companies.
Business 1: The administrators in Business 1 decided that due to the company's relatively small size and the fact that it wasn't in a big-money industry, it was unlikely to be a lucrative target for hackers. Unfortunately, Business 1's executives never read the Identity Theft Resource Center's 2014 Data Breach Report, which revealed bank/credit/financial breaches only accounted for 5.5 percent of breaches in 2014, with the rest spread out among industries like medical/health (42.5 percent) and education (7.3 percent). But because Business 1's leaders didn't know this, they chose to take money that could have gone toward enterprise security and funnel it into the marketing budget. In this way, Business 1 is like many organizations out there: unprepared and overconfident.
Business 2: The leadership of Business 2 paid careful attention to all the cybercrime news in 2014, and therefore decided that they'd spare no expense in guarding the business' computers. They made sure that every computer in the office was equipped with top-tier authentication solutions including two-factor authentication. There's only one problem: late in 2014, Business 2 rolled out a bring-your-own-device policy allowing employees to work via their mobile devices. But when they implemented BYOD, they didn't hold these mobile devices to the same security standard as the computers in the office. Also, they didn't train their BYOD employees in best practices for mobile security. Business 2 isn't unique in this way: 2014 was a record year for mobile security attacks, which were only exacerbated by enterprise shortcomings. According to one study, 50 percent of organizations polled lacked any budget for their mobile app security. "Given the strategic importance that the mobile computing platform, and specifically mobile applications, presents for ... organizations, there is clearly a large misalignment in the allocation of resources needed for mobile security," stated industry expert Mark Noctor about the study's findings.
Business 3: This business hasn't looked for any reasons not to prepare for an attack. Instead, they've mounted the most comprehensive and powerful enterprise security infrastructure possible. In addition to strong authentication and computer security, the business has mobile security for all the connected devices in its network. This is a company that has done its reading about the hundreds of breaches that occurred in 2014, and doesn't want to become yet another victim of cybercrime. Therefore, it's deployed some of the most cutting-edge authentication technology out there.
The cyberattack: This isn't a cyberattack of the wallet-swiping variety. Instead, it's a pervasive intrusion that can take several forms and wreak havoc on an enterprise system. First, it attempts to gain access to business networks, usually via a phishing email containing a corrupted PDF attachment. Once it has found its way onto the system, it systematically commandeers everything in it, blocking all users from accessing its contents and demanding a ransom in exchange for restored access. Some of the time, though, the criminals behind the attack don't restore access even after a ransom is paid.
The hackers behind this attack have three targets in mind: Businesses 1, 2 and 3. Tune in to part two of this piece to see how each business responds to the attack.