The question “Am I a target?” or its cousins “Am I really a target?” and “Would hackers want to hack me?” will always be answered by security professionals with “Yes”, but sometimes it can be a bit challenging for non-security people to understand why. And when security people try to explain, it can sometimes come off a bit technical or seem like a scare tactic in order to sell a product (not denying that some salespeople within the industry rely on that, but most professionals genuinely just want to help).
As a person who has had to deal with several salespeople preaching doom and brimstone and executives downplaying the importance of security (often after hearing about the cost), I have started to notice how the two groups rarely speak the same language and get further polarized with each interaction. Now, it is not on me to fix the salespeople of the industry; that is an industry problem. However, I can make an effort to explain to the executives (and you as a private individual) why you are a target and how to properly assess what would be considered reasonable measures.
Before we can assess the proper measures that need to be taken, we need to determine the risks posed to either the business or to us as individuals. If you have never done a risk assessment before, you might be wondering how to determine risk. To put it simply, risk can be determined by looking at the probability and the consequences of an event, then giving them both a rating. The unit you use for rating these isn’t important, but it is common to use a 1-10 rating. Once you have given both a probability rating and a consequence rating, we multiply the two to get the risk rating (this is slightly oversimplified, and most risk management professionals will argue that there are more accurate ways of calculating risk, but for the purposes of this article this way will be enough).
The risk rating serves as an indicator of how priorities should be set, giving us a better overview of what needs to be dealt with first. Then we can start taking measures to reduce risk by lowering the probability of the event or limiting the consequences of the event. There are various ways of doing this and I might do an article about risk reduction one day, but in this article, I want to focus on why many might underestimate their risk rating, and why salespeople in the industry might overestimate.
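To make the rating method above concrete, here is a small worked risk register written for this article; it is an added example, not code from the original post. It uses the post's simplified model (probability and consequence each rated 1-10, multiplied to give a risk rating), sorts the register to set priorities, and then shows two things the prose describes: how re-rating the same events after an overlooked factor is recognized (the kind of factor the post goes on to list, such as the value of a business relation) changes which item comes first, and how a measure that lowers probability lowers the rating. The company, the events and every number are constructed for illustration.

```python
"""Worked example of the simplified risk rating: risk = probability x consequence.

Everything here (the events, the ratings, the measure) is constructed for
illustration and is not real data from any assessment.
"""

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    event: str
    probability: int  # 1-10: how likely the event is
    consequence: int  # 1-10: how bad it is if it happens

    def __post_init__(self):
        # Keep both ratings on the 1-10 scale the article uses.
        for name in ("probability", "consequence"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be between 1 and 10, got {value}")

    @property
    def rating(self) -> int:
        # The article's simplified model: probability x consequence (max 100).
        return self.probability * self.consequence


def prioritize(risks):
    """Highest rating first: the order in which things should be dealt with."""
    return sorted(risks, key=lambda r: r.rating, reverse=True)


def top_priority(risks):
    """Name of the event that should be handled first."""
    return prioritize(risks)[0].event


def reduce_risk(risk, probability_by=0, consequence_by=0):
    """Model a measure that lowers probability and/or consequence.

    Ratings are clamped so they never leave the 1-10 scale.
    """
    return replace(
        risk,
        probability=max(1, risk.probability - probability_by),
        consequence=max(1, risk.consequence - consequence_by),
    )


# Constructed register for a small, "boring" company, rated by an assessor
# who only considers the company's own value.
NAIVE_REGISTER = [
    Risk("Ransomware encrypts the file server", 4, 9),
    Risk("Salesperson's e-mail account is phished", 7, 4),
    Risk("Attacker passively monitors e-mail for a year", 3, 5),
]

# The same events re-rated once the assessor accounts for overlooked factors:
# the phished account can be used against a high-value prospect, and a
# low-access account can be a stepping stone to colleagues with more access.
INFORMED_REGISTER = [
    Risk("Ransomware encrypts the file server", 4, 9),
    Risk("Salesperson's e-mail account is phished", 7, 8),
    Risk("Attacker passively monitors e-mail for a year", 3, 7),
]


def print_register(title, risks):
    print(title)
    for r in prioritize(risks):
        print(f"  {r.rating:3d}  (p={r.probability}, c={r.consequence})  {r.event}")


if __name__ == "__main__":
    print_register("Naive assessment:", NAIVE_REGISTER)
    print_register("Assessment including overlooked factors:", INFORMED_REGISTER)
    # A constructed measure (e.g. stronger authentication on e-mail accounts)
    # modelled as lowering the probability of the phishing event by 4 points.
    phished = INFORMED_REGISTER[1]
    after = reduce_risk(phished, probability_by=4)
    print(f"Phishing event: {phished.rating} -> {after.rating} after the measure")
```

Note how the ransomware event tops the naive register, while the phished account tops the informed one even though nothing about the company itself changed; only the assessor's knowledge of the consequence did. That is the gap the rest of the article is about.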
The unknown factor
To understand why there is a gap between salespeople and executives in the cybersecurity conversation, we need to look at the unknown factor: the factor that should have been included in an assessment, but was left out because the assessor did not have enough knowledge to identify it. In cybersecurity, this is all the more present and all the more dangerous. And this is not helped by the salespeople in the industry, who should be focusing on helping executives identify the real unknown factors and not on this year’s buzzword (I am looking at you, 0-day exploit).
To help with this, I want to address some of the more common factors that executives and regular non-technical people overlook or aren’t even aware of.
Factors in business
Let’s start off with the factors that mostly concern businesses (if you are more interested in what would affect you as an individual, you can skip to the next section).
Business relations can be a factor in rating both the consequence and the probability. This stems from the fact that while your company might be low value on its own, your customers or suppliers might be high-value targets. For example: one of your salespeople gets their e-mail credentials stolen, the hackers identify that there is an ongoing negotiation between you and a big prospect, and they send your prospect malware hidden in a document that looks like something that has previously been part of the conversation. Now either the prospect detects the malware before anything can happen on their end, or they end up with their account compromised. Either way, your reputation will take a big loss and the contract might go to someone else. This is why one needs to assess not only one’s own company value but also the value of any business relations the company has.
Lateral social movement is similar to the previous factor, but looks for people inside your company to move to. We usually tell people not to open attachments from people we don’t know, but if a co-worker sends us an e-mail with an attachment, we often don’t think twice before opening it. This is why even if a person with little access or authority within the company gets breached, their account might be leveraged to spread to others with more access or more authority. Therefore, securing everyone within your company is equally important in IT security, not just the CEO.
Passive monitoring could be something to consider. The hacker could be content with monitoring the behavior of the system or user for years while waiting for the opportunity to strike. Your company might be worth more in a year or two, so they can wait and spread while you have no idea that everything that is communicated is being monitored.
Resale value follows on from the previous factor of passive monitoring: the hacker could also decide to simply sell off the access to a third party, cashing in. While the transfer by itself isn’t something that changes the risk, it is a factor to consider that even the most “boring” and transparent companies can be targeted simply because their hardware can be used for other means.
Factors for individuals
Now that we have the business-related factors out of the way, let’s consider what factors you as an individual might not consider when making your internal risk assessment.
Being a proxy is one factor you might not have considered, and it is a factor that most people don’t really realize until they have experience with cybersecurity. Everyone faces this factor, because the attacker might just see you as a potential proxy for further attacks. Since they have no interest in any value you have by yourself to them, they are more interested in using your machine or just your identity to try attacking someone else. An example of this is botnets, which, in case you haven’t heard about them, are networks of computers that have software running on them that enables the hacker to remotely control them as a fleet.
ID is more valuable than cash in the world of cybercriminals. Quick cash is relatively easy to come by, but having a real identity can generate a lot more cash than the bank account alone. Now you might think it will be impossible for someone to impersonate you, and that it will be simple to prove that someone isn’t you. This is where the trap is. Consider that nearly all your interactions in the modern age are through digital means: your communication with the bank, credit card agencies, insurance, taxes. Then consider your last interaction with any phone or chat-based support agent: what questions did they ask you to verify who you were? And if you didn’t exactly know your account number or social security number, what would their second question be? Would the answer to that question be on any social media page you have? Many sites use 1-3 “security questions” to verify your identity if you have lost your password and/or access to your e-mail. Consider what you have answered those questions with and what is on your public Facebook profile. With access to your personal information, they could start convincing the bank that they are you; after all, they know the name of your pet.
Selling on fear
Now let’s turn to the other side of the coin and look at why many cybersecurity salespeople will overestimate risks. Because while it may seem to be a means to just sell their product, many do bring valid points to the table. And just to get it out of the way sooner rather than later: there is no product that will guarantee the cyber safety of your business. The phrase in the industry is “There is no silver bullet”.
So why do many, even the most well-meaning, salespeople overestimate the risks and spread fear? Because it might be the only thing that will make people take action. It really is an unfortunate truth; the alternative would be to spend days explaining the technical nature of cyber threats until executives and individuals truly understood what dangers are out there.
Now, using fear as a sales tactic is a double-edged sword, and we are starting to feel that other edge now as businesses and people are tired of being scared into buying things they seemingly never had a use for. This will always be a problem with products that are designed to prevent or avoid. We don’t need that bicycle helmet until the day we fall, but many will go ages without falling or ever needing it, which makes them feel like they don’t need a helmet. But in my opinion, that helmet is worth the extra safety.
A (sort of) solution
So now that I have got the scaremongering out of the way, many would expect me to tell you to just disconnect from the internet and live in the wilderness. And while that would make it hard for someone to hack you, it isn’t really something everyone wants to do with their lives.
Instead, consider just making sure you are a bit harder to hack than your “neighbor”. Most hackers will not target you specifically; they cast a wide net and look for the lowest-hanging fruit. So if a hacker considers you too much effort in relation to most people, they will most likely move on to the next. This also applies to businesses: while you most likely don’t need to have someone monitoring the internet traffic 24/7, just make sure you do a bit better than most other businesses with the same risk profile as you.
This does rest on one assumption: that you are comparing yourself or your business to others within the same risk profile. I would argue that Bill Gates has a much higher risk profile than you or me, therefore he will need to take extra steps to ensure his security. And this is why making yourself aware of what factors affect your risk rating (and thereby your risk profile) will be important for you to be able to understand who to use as your “neighbor”.
In summary, there are a lot of factors most people don’t consider when asking themselves if they or their business is a target for hackers. To give the short answer to the question “Am I a target?”: Yes, you and everyone else. But that just means you need to make sure you do a little more than most people to secure yourself. Think of the internet as a virtual street: does the burglar go for the house with the simple alarm system or the house without? Oh, and don’t just leave your door open and the alarm off every time you leave the house, just because it is convenient for when you get back home.