Cyber attack as a business

people discussing business strategy illustrating cybercrime as a business

The stereotype of a hacker as a young man alone in his parents’ basement wearing a hoodie is commonplace. Most of the images illustrating articles about hacking conform to this stereotype.

As a result, most people outside the information security sector don’t realise that hacking can be big business, and runs in a similar way to most businesses you see around you.

The loner in the basement might be working for themselves (or just having fun), or they might be employed by one of these big cybercrime businesses, and working from home. Or, they might be employed by a business in the cybercrime supply chain. Yes, that is a thing.

Just like any business operating aboveboard, a cybercrime business will do some or all of these things:

  • Seek to maximise profit and minimise cost
  • Compete with others in the same market
  • Target their attacks, and hone their organisation for efficiency
  • Market their products and services to targeted groups of potential customers
  • Support their customer base (raise tickets; provide a help desk)
  • Provide call centres to help their victims pay the ransom
  • Conduct R&D to identify new, potentially more profitable markets and develop new products and new revenue streams
  • Hire specific expertise either as employees or as subcontractors
  • Pay top rates for excellent coding talent that can write and modify code, create and test exploits
  • Have multiple levels of management in different departments—or they may operate as a consortium, rather than in a hierarchical structure
  • Subcontract out non-core elements of the business
  • Pivot, if necessary, to a new niche
  • Consider new operating models, such as franchising or white-labelling products.

Not all cyber attackers are profit-oriented businesses, of course: some are individuals out for fun, for the experience or for revenge. Others might have political or military motivations, or be out to promote a particular cause.

Am I likely to be targeted by a cybercrime business?

It depends on the nature of your business, of course, and on the motivations of your attacker.

Some business sectors are more likely to be targets than others. The hospitality industry, for instance, holds a lot of personal and financial information on its customers, as does the legal sector and HR departments in general. The finance sector is an obvious target.

Manufacturing companies typically have valuable intellectual property, and many use software that can be difficult to update, which can make it easier to attack. Critical national infrastructure can be a target for politically motivated attackers.

But in general, your attacker is likely to go for easy targets, because they are quicker and cheaper to infiltrate, and to use tried and tested methods, to avoid wasted effort.

So, you are most likely to be attacked using one of the standard attack types, such as ransomware or phishing.

Phishing is common-place just because it is so cheap to implement. Many thousands of emails can be sent out at low cost, and it only takes a few unwary clicks out of those thousands to make it a good day at the office for the attackers.

Ransomware will make your data or your systems unusable unless you pay a ransom (and maybe not even then). And sometimes the attackers double-dip: demanding the ransom and also selling on the data that they’ve stolen.

What can I do to reduce my risk of being targeted?

There are a few things you can do to reduce your risk.

  1. Think carefully about your business information assets. What do you need to protect? What threats might they be vulnerable to?
  2. Consider the sector you work in. What are the most likely threats facing you, given your particular circumstances?
  3. Get the basics in place:
    1. Strong and unique passwords for every account
    1. Turn on two-step verification for every account you have that allows it
    1. Keep the software on all your devices up to date
    1. Password protect your mobile devices
    1. Don’t connect to unknown wi-fi hotspots
    1. Backup your data regularly—keep your backups away from your originals
    1. Install anti-malware and firewalls
    1. Train your staff in how to recognise phishing emails
    1. Make sure your staff feel able to alert you to anything suspicious.

Implementing these steps won’t guarantee protection from cyber-attacks, but they can reduce the risk of it happening to you. If you’d like help with reducing your risk of cyber-attack by setting up strong cyber defences—or if you’d just like an assessment of the risks you face—contact the Click and Protect team, or call us on 0113 733 6230