Newsrooms around the world are finally coming to terms with the latest big hack, Yahoo, where a staggering 500 million accounts were compromised. If we simplify and assume each account was registered to an individual, then it is valid to state that this hack affected 11% of the Earth’s internet users[1][2].

Needless to say this is an attack of unprecedented scale; in a ‘single incident’ a significant proportion of users across the face of the earth have been affected.

Global firms are compromised, nation states stand impotent and the hackers are seemingly beyond the reach of the law – if even the largest of organisations are vulnerable, what chance does your business stand?

This is the message being received by business leaders the world over.

It’s worth taking a moment to pause and reflect on the threats facing us. One cannot afford to give in to blind fear and fail to produce a calibrated response. Rationalise the problem. If you were to consider your business solely in terms of its physical property, and imagine that the hackers of the world could only strike by physically entering your office, it would be foolish to suggest that your office is impregnable; hypothetically, even if it could be made so, it would not be financially viable to do this.

We all sit comfortably in our offices despite knowing that a dedicated criminal with access to the right resources can definitely compromise our security. In this respect the task at hand is to take appropriate measures to protect your assets: make it difficult enough for attackers that the reward is not worth the risk. Fort Knox is not necessary to defend your employee data, but a locked room is prudent. Digital threats are no different in principle; you must defend against them with the same degree of measured precaution and, much like the physical world, there is no way to fully safeguard against the most determined and talented of attackers.

The faceless and technically intimidating nature of cyber-attacks can create an unsettling psychological disposition in people: that the attacks won’t happen to them and, if they do, they won’t be preventable. Such thinking will only serve to obfuscate the nature of the problem. It is however imperative that modern businesses view cyber-attacks as entirely analogous to traditional physical security threats, and implement the same manner of calibrated, effective measures.

The analogy begins to break down when we examine how easy it is to avoid accountability in a cyber-attack. It’s simply a fact that it is significantly easier to steal and extort over the internet. This applies to technical hacking as much as to the confidence trickery of phishing emails, where staff are encouraged to reveal sensitive information or download dangerous files.

The key thing to appreciate is that common sense security principles still apply: take extra effort to protect what is valuable.

Case-in-point – if you have business critical files then you should back them up periodically or you risk losing them (ransomware – see here). If areas, information, or systems don’t need to be accessed by a staff member then they shouldn’t have access (access control – see here). If there are certain sums of money that when lost would be crippling to your company, put in place policies demanding controls such as double checks on transfers above certain amounts.

All these actions fall under the remit of a risk analysis – the first step toward a secure company. You should get departments to assess what is business critical, or if you are a smaller company go through it yourself – remember, small companies are easy pickings as they are more likely to have less investment in security than larger firms[3].

The final challenge is to realise that the enemy here is a criminal industry; its projected damages are expected to reach $2 trillion by 2019[4]. This is not a few people in a dingy basement; there is specialisation – those who access data and sell it on, those who process it and identify lucrative targets, those who initiate scams by phishing emails or malware.

As a business, the best way to protect your assets is to make yourself unprofitable to attack. There are many companies; some have excellent information security practices, some have none. Successful businesses take the path of least resistance to profit – so do these attackers.

Don’t be the low hanging fruit.

If this article has raised an issue you are interested in come talk to us at – hutsix.io

Richard@Hut Six

linkedin.com/in/rdp-east

[1] “2016 World Population Data Sheet”. Population Reference Bureau. Retrieved September 15, 2016.

[2] ICT Facts and Figures 2005, 2010, 2014, Telecommunication Development Bureau, International Telecommunication Union (ITU). Retrieved 24 May 2015.

[3] PWC (2015), 2015 Information Security Breaches Survey.

[4] Juniper Research.