Throughout history people have sought the help of advisors. Lawyers, accountants, wealth managers and consultants all have a key role to play as experts in their field, helping guide their clients through the murky waters before them. Yet the very people called on for assistance could also pose the greatest business risk.

Cyber criminals love advisors, not because they guide them through legal issues or help them hide their ill-gotten gains, but because, of all the cyber criminal’s potential targets, advisors present the best value for money.
The psychology of a Cybercriminal
Cyber-based crime has different motivators, different methodologies and different targets. Whilst the media likes to use the word Cybercrime for every computer-based attack, the term Cybercrime really refers to profit-motivated attacks. Cyber Espionage, Cyber Warfare and Cyber Activism have different motives and thus different targets.
Cyber criminals are financially motivated fraudsters who use the Internet to access data and facilitate their main objective: to make a profit.

Although cyber criminals may view themselves as smart business people who “work smarter not harder”, the reality is that cyber criminals are lazy.
As personal cyber security systems have become more robust and user friendly, it has become harder for financially motivated hackers (FMHs) to collect the data they need. Targeting one individual at a time, breaking through each unique security system and then committing a fraud on that one target with no guarantee of success is not a good return on investment or time.

FMHs like volumes of data from which they can attempt mass fraud schemes, tweaking each attempt as they launch to ensure the highest level of success.
As well as holding large volumes of data, the ideal target will also have limited cyber security, system users who demand full access with little awareness of data protection, and IT support staff who are just that, “support”, rather than security focused.

Such a target exists and it is called the professional services firm. FMHs target lawyers, accountants, consultants and wealth managers, amongst others, because each has all that is required to facilitate a fraud: volumes of data, often stored in an organised manner with little protection.
Professional Services: The perfect target
By gaining access to a lawyer’s email accounts, not only can the hacker read about upcoming transactions or litigation, but they can also impersonate the victim’s lawyer or gain enough personal data to effect wire transfers, property sell-offs or any other manipulation available to them. The same can be said about the accounts of wealth managers or accountants.
Such attacks are not sophisticated hacks. Most involve simple password collection when the adviser logs onto a free Wi-Fi spot, or clicks on a link in a spear-phishing email that “requires” or automates a software download before viewing a file or a video that has gone viral.
Spear-phishing emails are tailor-made for a specific person or professional group, with the focus on getting that person or group to click a link and install hidden malware. Professional services advisors are profiled by the attackers using social media, standard media, client inquiries and public records to determine their likelihood of having access to the data required by the cyber criminals.
That profile is used to tweak the attack and then launch it. Ever wonder why you get so much spam, or why you have so many new Facebook, LinkedIn or Twitter followers? Even friendly emails with sugar-coated offers to win an iPad if you click a link and fill in your details could pose a risk.
Complacent thinking
Cyber criminals rely on complacent thinking: the belief that if your email were compromised you would notice emails being sent and received by someone other than yourself. Unfortunately, once a hacker has access to your email account they can set up filters to forward certain mail messages away from your inbox to folders, or even to reply and then delete messages before you see them.
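A defender's check for the mailbox-rule abuse just described, as an added example that is not part of the original article: it audits a mailbox's inbox rules for the tell-tale combinations (forwarding outside the firm, silently deleting or hiding mail about transactions, rules with blank names). The domain, sensitive keywords, folder names and sample rules are all assumed or constructed for the example.

```python
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example-firm.com"   # assumed: the firm's own mail domain
SENSITIVE_WORDS = ("wire", "transfer", "invoice", "bank", "password", "closing")
HIDDEN_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history", "junk email")


@dataclass
class MailRule:  # minimal model of an inbox rule: what it matches and what it then does
    name: str
    conditions: dict = field(default_factory=dict)  # e.g. {"subject_contains": ["wire"]}
    actions: dict = field(default_factory=dict)     # e.g. {"forward_to": [...], "delete": True}


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def audit_rule(rule: MailRule) -> list:
    """Return human-readable findings; an empty list means the rule looks benign."""
    findings = []
    external = [a for a in rule.actions.get("forward_to", []) if is_external(a)]
    if external:
        findings.append("forwards mail outside the firm: " + ", ".join(external))
    subjects = [s.lower() for s in rule.conditions.get("subject_contains", [])]
    hits = [w for w in SENSITIVE_WORDS if any(w in s for s in subjects)]
    silenced = rule.actions.get("delete") or rule.actions.get("mark_read")
    if hits and silenced:  # the article's scenario: mail about money is removed before the owner sees it
        findings.append("deletes or silently marks read mail about: " + ", ".join(hits))
    folder = rule.actions.get("move_to", "").lower()
    if folder in HIDDEN_FOLDERS:
        findings.append(f"moves mail to a rarely viewed folder: {folder!r}")
    if len(rule.name.strip()) <= 1:  # blank or one-character names are a common sign of a planted rule
        findings.append("rule name is blank or a single character")
    return findings


def audit_mailbox(rules: list) -> dict:
    """Map each suspicious rule name to its findings; benign rules are omitted."""
    return {r.name: f for r in rules if (f := audit_rule(r))}


# Constructed sample rules: one legitimate, two shaped like the article's scenario.
SAMPLE_RULES = [
    MailRule("Newsletters", {"from_contains": ["news@"]}, {"move_to": "Newsletters"}),
    MailRule(".", {"subject_contains": ["wire", "closing"]},
             {"forward_to": ["mailbox.backup@free-mail.example"], "delete": True}),
    MailRule("Tidy", {"subject_contains": ["Invoice"]}, {"move_to": "RSS Feeds", "mark_read": True}),
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(f"[!] rule {name!r}: " + "; ".join(findings))
```

Run the same audit over rules exported from the real mail platform (most admin APIs can list them per mailbox) and review any hit with the mailbox owner, since a rule they did not create is strong evidence the account was compromised.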
Even in the rare cases where the fraud is discovered and halted in time, the cyber criminals will have already stolen your information and can use it against you in a future attack or to make a profit. The financial value of confidential data should not be underestimated. If it is sensitive, it is likely that there will be someone willing to pay to obtain it.
Protecting yourself from working for a hacker
The reality of the risk posed becomes visible when two key questions are considered. If you discover a compromise on your system, do you have any way of knowing what was viewed, modified or taken? What would be the impact on your business if it became public that client data was stolen and potentially misused?
In the past year Kroll has been engaged on more than 25 such matters for large professional services firms. The message behind this trend is clear: why attack on a one-on-one basis when a single targeted attack can get you 1000 or more?

The damage to firms in the professional services sector is equally multiplied. Success in the sector relies on trust and the belief that client information will be protected.
The assumption is often made that there is nothing of value that cybercriminals could want and therefore it is not a concern, but the truth is that cybercriminals do not discriminate: they want a lot of data, some of which may seem irrelevant to others. A personal credit card number is just a small piece.
Businesses need to understand what data they hold, why it is important or attractive to cybercriminals, how it is protected and who has access to it. A proactive understanding of the threats leads to proactive mitigation.
The next time you are “inconveniently” forced to change your password due to some internal policy, understand that this, as well as other requirements, could be the difference between money in your hands and money in the cyber criminals’ hands; it could be the difference between working for your client and working for a hacker.