Prime Targets for Cyber Criminals
Today’s cyber criminals have access to advanced tools and sophisticated strategies. Arguably, though, their most powerful weapons are patience and persistence: the willingness to mount a sustained attack on your organization if you end up in their crosshairs. If they want the data in your network, they will find a way. Their motivation, in most cases, is the revenue they can generate from your sensitive information. But who are their prime targets, and what makes those targets so appealing? Three common targets for cyber crime are law firms, financial services providers and brick-and-mortar businesses. Within each of these categories, here is what cyber criminals are after:
Law Firms
Cyber criminals are looking for the valuable details hidden inside client files, and if they find their way into a law firm’s network they will not be disappointed. They obtain data that they can monetize directly or use in a broader social engineering campaign later. Law firms hold all kinds of sensitive financial information (account numbers and other account details, credit card information), personal information about the firm itself and its clients, and business insider information. Cyber criminals who learn of a pending business deal can then: a) impersonate one party in the deal to another party, or b) blackmail an individual or company with that information. Any sensitive data can be monetized either directly or indirectly in a targeted fashion.
Financial Services Providers
It almost goes without saying (but we’re taking it upon ourselves to say it) that when clients of financial service providers give their personal details to their advisors, they expect that information to be safeguarded to the highest degree. Who among us would not insist on the highest standard of cyber security for their private investment or bank account information? Professional services firms are given financial information, social security numbers, sensitive business information, and private family and health information. Cyber criminals can monetize this information directly by selling it on the black market or by gaining access to the accounts themselves. Alternatively, they can send out phishing emails impersonating financial institutions and investment management companies, telling recipients that they need to ‘reset their password.’ Now the cyber criminals have access to your account. In a less direct manner, the information can be aggregated to build a fuller picture of a person, and that picture can subsequently be used in an attack. There’s no end to how creative a determined adversary can be in getting their hands on your valuable information, whether directly or indirectly.
Brick & Mortar Businesses
Cyber criminals that target brick-and-mortar businesses are particularly interested in the financial information of their customers, customer lists, company account information, business processes and plans, lists of company suppliers, and intellectual property. Vendors and business partners often hold login credentials for your networks, which can open up a significant entry point for a carefully crafted cyber attack. Even seemingly innocuous data can be used against the company: professional attackers scan for anything that makes a phishing email sound more legitimate and then, after getting into the organization’s network, monetize the data indirectly.
The three categories we have explored in this article are just the tip of the iceberg. The list of professional services, from mortgage brokers to business consultants, is extensive. Accounting firms, for example, have extensive business and personal financial records and hold similar information to law firms. Brick-and-Mortar business is another broad category which could be anything from restaurant chains to manufacturers to retail stores. From hotels to insurance brokerages, the list of prime targets for cyber criminals is long with many subcategories. We will be diving deeper into these and other key cyber targets in future articles and videos.
If you are concerned about the possibility of a cyber attack on your organization, here are six fundamentally important steps you can take:
1. Do an inventory of all your valuable assets (intangible assets that you need to protect)
2. Create your risk register
3. Select which risks should be treated and in what order they should be treated
4. Select risk treatment options (controls) for each risk in the following categories:
5. Implement the controls
6. Regularly monitor and review the effectiveness of your controls
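The six steps above describe a working risk register. The following Python script is an added example, not part of the original article or any framework it references: it carries a constructed inventory of three assets through scoring, treatment ordering, control assignment and review tracking. The 1..5 likelihood and impact scales, the score threshold of 10, the 90-day review interval and the treatment options (mitigate, transfer, avoid, accept) are all assumptions made for the example; the article itself does not list its control categories.

```python
"""Minimal cyber risk register (added example, constructed data).

Steps covered: inventory assets, record risks, order them for treatment,
select a treatment option with controls, and flag controls whose review
is overdue.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Union

# Assumption: the article does not name its treatment categories, so the
# common set of mitigate / transfer / avoid / accept is used here.
TREATMENT_OPTIONS = {"mitigate", "transfer", "avoid", "accept"}


def _as_date(value: Union[str, date]) -> date:
    """Accept either a date or an ISO 8601 string such as '2024-06-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass
class Asset:
    """Step 1: an inventoried asset that needs protecting, with an owner."""
    name: str
    owner: str


@dataclass
class Risk:
    """Step 2: one risk register entry. Likelihood and impact use a 1..5 scale (assumed)."""
    asset: Asset
    threat: str
    likelihood: int
    impact: int
    treatment: str = "untreated"
    controls: List[str] = field(default_factory=list)
    last_reviewed: Optional[date] = None

    def __post_init__(self) -> None:
        # Reject entries outside the agreed scale so ordering stays meaningful.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1..5 scale")

    @property
    def score(self) -> int:
        """Simple likelihood x impact score; higher means treat sooner."""
        return self.likelihood * self.impact


def treatment_order(register: List[Risk]) -> List[Risk]:
    """Step 3: order risks by score, breaking ties on impact, then asset name."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.asset.name))


def risks_to_treat(register: List[Risk], threshold: int = 10) -> List[Risk]:
    """Step 3: risks at or above the (assumed) treatment threshold, in order."""
    return [r for r in treatment_order(register) if r.score >= threshold]


def apply_treatment(risk: Risk, option: str, controls: List[str],
                    reviewed_on: Union[str, date]) -> Risk:
    """Steps 4 and 5: choose a treatment option and record the implemented controls."""
    if option not in TREATMENT_OPTIONS:
        raise ValueError(f"unknown treatment option: {option}")
    risk.treatment = option
    risk.controls = list(controls)
    risk.last_reviewed = _as_date(reviewed_on)
    return risk


def overdue_reviews(register: List[Risk], today: Union[str, date],
                    max_age_days: int = 90) -> List[Risk]:
    """Step 6: treated risks whose controls have not been reviewed within max_age_days."""
    now = _as_date(today)
    return [
        r for r in register
        if r.treatment != "untreated"
        and (r.last_reviewed is None or (now - r.last_reviewed).days > max_age_days)
    ]


def build_sample_register() -> List[Risk]:
    """Constructed sample inventory mirroring the article's target categories."""
    client_files = Asset("client matter files", "managing partner")
    vendor_access = Asset("vendor VPN accounts", "IT manager")
    marketing = Asset("public marketing copy", "marketing lead")
    return [
        Risk(client_files, "theft of pending-deal details for impersonation or blackmail", 4, 5),
        Risk(vendor_access, "compromised partner credentials used as an entry point", 3, 4),
        Risk(marketing, "alteration of published brochure text", 2, 1),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for r in treatment_order(register):
        print(f"{r.score:>2}  {r.asset.name}: {r.threat}")
    apply_treatment(register[0], "mitigate",
                    ["encrypt matter files at rest", "MFA on document system"], "2024-01-01")
    apply_treatment(register[1], "mitigate",
                    ["one account per vendor", "quarterly access recertification"], "2024-05-15")
    print("overdue:", [r.asset.name for r in overdue_reviews(register, "2024-06-01")])
```

Running the script lists the register in treatment order (scores 20, 12 and 2), treats the two entries above the threshold, and reports the client-file controls as overdue because their last review is more than 90 days before the supplied date.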
Completing these action items will get you started on building your cyber risk management framework and hardening your cyber security posture. To manage your cyber threats successfully, you need to do the basics well.