Criminals only want your passwords, social security numbers, credit card numbers, banking information, and personal health information, right?
Sometimes, the information that’s given away has more value to the recipient than it does to you. If you were presented with the following scenarios, your reaction and responses may be dramatically different:
A financial institution calls your business and tells you they believe that suspicious activities are occurring on your business bank account. The representative asks you for your full name, date of birth, and home address.
Is this malicious or harmless? Seems pretty malicious, right?
A large private equity firm sends you an email stating that they recently viewed an article in a local business journal. This article commended your business for its rapid expansion and market disruption. They would like to potentially invest in your business. A conference call is set up with your executive staff and board members to discuss the details. You are asked to bring sales forecasts and projections for the fiscal quarter. The private equity firm has stated that they would like to decide whether or not to invest. They have also requested that the previous year’s financial statements be relayed.
Is this malicious or harmless? Seems harmless, right? Perhaps even a great opportunity.
Let’s break it down:
What if these scenarios were not what they seemed to be? In fact, the seemingly harmless scenario is malicious. Meanwhile, your financial institution is merely alerting you to suspicious account activities. This “private equity” firm is a group of well-trained social engineers and cybercriminals that have been contracted to infiltrate your asset management company. Their mission is not to steal your passwords, but rather your business!
Trade secrets, internal processes, client information, marketing plans, and even your employees’ W-2 statements can be valuable acquisitions for criminals and competitors alike. It’s time to look at your data through the eyes of adversaries and cybercriminals. The first step to understanding the value of your data can be accomplished by executing a data mapping exercise.
Are you only focused on protecting your social security numbers, credit card data, ePHI, and financial information? If so, it’s time to think about the other treasure troves of data within your organization. Billing information, invoices, W-2s, contracts, marketing materials, research and development, trade secrets, client and investor information, pre-press release information, and anything that gives your organization a competitive edge should be protected. If you’re not sure where to start in protecting that information, we can help.
The bad guys always know how to get in
Experienced criminals, con artists and social engineers use pretexting to create scenarios where a person is comfortable releasing information that they normally would not (social-engineer.org). We wish that every cyber-attack was straightforward, but that wouldn’t make hackers very effective, now would it? Threat actors are using subtle and effective techniques to gradually siphon information from you and your organization.
These small bits of seemingly unimportant information fit into their complex plans of hacking your organization, exploiting your weaknesses, exposing your business, or even stealing your competitive advantages. So how do you begin to understand where you might be exposed? We can also help with that.
Rewriting the end to your cybersecurity story
While speaking at a cyber-security conference in 2016, the Chief of the National Security Agency’s elite counter-hacking group said our adversaries know your company and environment better than the people who built it and own it, before they attack. See the full presentation here. This means that even the data we deem to be worthless is considered gold to our adversaries.
These attacks are not only being launched from across the globe, but also from right inside your own company. According to an independent security report, nearly 60% of organizations had security incidents that were caused by insiders in 2017 (IT Security Central). Whether malicious or unintentional, companies are giving away information that leads to massive data breaches every single day.
It’s time to rewrite the end to this horror story – by classifying your data, creating access boundaries, properly disposing of data, and training your workforce to think deep into the minds of the enemies. Every piece of your company information can be used to create a strategic map to exploit your organization. The next time you look at your organization, consider all types of data and how they may be used against you.
We must go beyond the firewall and antivirus and implement a layered cybersecurity defense and a cybersecurity governance program. This program must ensure that organizations are constantly and deliberately strengthening their security posture. A recent study showed that the cybercrime industry spends 1 trillion dollars per year on developing methods, technologies, and techniques to attack businesses, versus the 96 billion dollars that organizations spend annually to defend themselves (ComputerWeekly.com). These numbers speak volumes and can be directly correlated to the successful data breaches that are plaguing businesses today. Creating a proactive defense and adhering to a cybersecurity governance program enhances the security posture and cybersecurity resiliency of organizations. Start now, act swiftly, and stay vigilant. Or, keep calm and call Agio.