Is your business a target for cyber criminals? The short answer is yes – with a but.
In the wake of the latest well-publicised hack, Hold Security’s discovery that a Russian hacker had stolen the details of 272.3 million email account holders from Google Gmail, Yahoo Mail and Microsoft Hotmail, it might be time to work out whether you are next on the list.
Understanding how high your risk of cyber attack is is an important part of developing an overall cyber security strategy, impacting crucial decisions over budget and prioritisation.
When examining your own risk, a starting point is to ask why cyber criminals carry out attacks in the first place.
The fundamental answer is, of course, financial gain. As Tim Rains, Chief Security Advisor, Microsoft explains, there was a time when the main aim was notoriety. Then it moved to profit.
A large proportion of cyber attacks amount to stealing data and selling or using it to make money.
"You only need to look on the dark web to realise that there is a vast underground industry, invisible to most people, solely dedicated to buying and selling stolen data," says Steve Bell, Security Expert at Internet and Mobile security company, BullGuard.
Personal data has an inherent value, because it often provides access to financial assets. As Leo Taddeo, Chief Security Officer at Cryptzone, says "the most highly sought after data is personal information that can be used to commit financial crimes, such as identity theft, credit card fraud, and health insurance fraud."
A growing category is politically rather than financially motivated attacks, with an increasing number of attacks on companies originating from nation states or backed by them.
BullGuard’s Bell says that "well over ten years ago it was discovered that most hacks aimed at US and Western utility companies emanated from universities in the Middle East".
This kind of hack could focus more on espionage rather than data to be used for simple financial reasons
There are also ‘hacktivists’; for example, the much-publicised Ashley Madison attack was carried out by the Impact Team, who claimed moral motives. The hackers stole details of 37 million customers of Ashley Madison. They released a limited amount of data shortly after the hack was made public, threatening to release all of the data if the site was not shut down.
"You’ve got all of these groups all over the place and they’ve all got different motivations," says Microsoft’s Rains.
So how can you tell whether you are going to be targeted by any or all of these groups? The starting point is to assume that you are at risk of attack, even if you have no specific data that you think would be of value to an attacker.
As Ian Trump, Security Lead, LOGICnow, says, "every company has something of value, from Intellectual Property, access to a larger company’s infrastructure and items like payroll information and customer records."
Trump says that identities, banking information and the infrastructure itself can all be worth something to attackers, and that a small to medium business could be holding thousands of pounds of valuable information on servers and workstations that could be of value.
"Ultimately most customers are a potential target: they have information and that information will be of value to someone," says Stuart Aston, National Security Officer, Microsoft UK RE. "So whether it is a deliberate attack or a broad spectrum attack, everybody has to consider that they are potentially at threat and do what they have to to mitigate their threat environment."
Microsoft’s Security Intelligence Report found that 34 percent of cyber crime aimed at UK organisations related to theft of Intellectual Property in H2 2016.
But it’s not just the data that businesses themselves value most. According to Steve Mulhearn, head of enhanced technologies UK & I at Fortinet, basic information such as name, address and date of birth can be "easily monetised".
However, here comes the ‘but’: while your business is going to automatically be on the receiving end of cyber attacks, these will not necessarily be high-quality cyber attacks.
Cyber criminals have to work with the same rules as any other business. When their resources are limited, they will invest in cheap and simple attacks with a wide spread.
Phishing attacks are good examples of this, meaning an attack which tricks the recipient into giving up information or clicking a malicious link because it appears to be sent by a legitimate entity. Although attackers are using the vast quantity of information on the internet to personalise these attacks, phishing is fundamentally a quantity, not a quality-driven approach.
Every business will be a target of these broad-brush approaches, but to be hit by a more severe and targeted hack, there will have to be additional motives to justify the time and investment by the cyber criminal.
Since so much of cyber crime is about the data available, to attract a more advanced attack the value of the data will have to be higher.
As Darren Anstee, Chief Security Technologist at Arbor Networks, says, hackers are "looking to get ROI for the time and money they spend in a given campaign. As long as the cost of stealing data is lower than the value of the information stolen, then it is worthwhile."
So what types of data are of particular value to attackers? Ellen Derrico, Senior Director, Healthcare & Life Sciences at RES, says that healthcare is a key target.
"The data held by hospitals is exceptionally valuable – not just for its monetary value, but because of the fact it is very literally, used to save lives," says Derrico.
This explains why cyber criminals have made hospitals a major target in recent months. In February, the Hollywood Presbyterian Medical Center paid hackers a ransom of $17,000 in bitcoins to regain control of their computer systems after an attack. In March, Washington, D.C.-area hospital chain MedStar was hit by an attack.
Adrian Crawley, regional director for Northern EMEA at Radware, says that health care information is three times more valuable than any other type.
Aside from medical data, he cites government, financial and retail data as high value.
Most cyber security companies would say that there is no point in quibbling over whether you are going to be hacked: you are, and you need to be protected.
It is certainly true that every company should invest in protecting against the generic threats.
However, companies holding particularly valuable data need to realise they are in particular danger and go far beyond this basic level.