Let me tell you a story. James had just finished his working week and retired home to enjoy a well-deserved weekend with his family.
However, it was not to be. James, a director of cyber security for a medium-sized hotel chain, received a call from his boss, the CIO, informing him that the company’s online booking system had been taken down due to a security compromise.
Unfortunately for James’s company, this modification was not detected until an official breach notification arrived from its card processor. The resulting fines, class action, remediation work and lost customer confidence cost the company half of its annual revenue. It almost went bankrupt!
With this fictitious story in mind, I want to concentrate on how users and business leaders perceive a cyber criminal.
Most people, when told about a cyber attack, imagine a scruffy, hooded teenager sitting in a smelly loft in his or her parents' house. One only needs to watch the Amazon series Mr Robot to understand why the image holds such sway over the imagination.
But not so fast, please. That is not how most perpetrators of cyber crimes look in reality. It is far better to think of a cyber criminal simply as a white-collar criminal, one who is most likely part of a wider group and motivated by profits.
For them it’s a business – a criminal business, but a business nonetheless. One can easily see an analogy to a normal legal business setup: a back-office team, outsourcing of tedious tasks to other criminal businesses, budgeting and calculating return on investment, internal cyber security delivering essential operational security. Imagine a well-oiled machine with an efficient management structure that many enterprises would envy.
With all that in mind, forward-thinking businesses will do best by thinking of cyber criminal gangs simply as ruthless competitors: ones trying to disrupt business operations or steal a valuable customer database or intellectual property.
Such a change in thinking will shift the focus of employees and management towards implementing appropriate processes, technology and training.
Simply put, nothing focuses the minds of business users as much as a ruthless competitor threatening to put them out of business for its own competitive advantage.