Security Think Tank: Hooded hackers? More like ruthless competitors

The traditional picture of a hacker is of a script kiddie in a hoodie hunched over a computer keyboard, but this stereotype is stale and outdated. Is it time to move away from a fear-based approach to security?

Let me tell you a story. James had just finished his working week and retired home to enjoy a well-deserved weekend with his family.

However, it was not to be. James, a director of cyber security for a medium-sized hotel chain, received a call from his boss, the CIO, informing him that the company’s online booking system had been taken down due to a security compromise.

And just like that, the idea of a peaceful weekend evaporated, replaced by the nightmare of a cyber security breach. The investigation revealed that the hotel chain’s online shopping systems, and specifically the payment page, had been hacked by the Magecart group, which had modified just one JavaScript file, adding 10 lines of code that had been stealing customers’ payment details.

Unfortunately for James’s company, this modification was not detected until an official breach notification arrived from its card processor. The resulting fines, class action, remediation work and lost customer confidence cost the company half of its annual revenue. It almost went bankrupt!

With this fictitious story in mind, I want to concentrate on how users and business leaders perceive a cyber criminal.

Most people, when told about a cyber attack, imagine a scruffy, hooded teenager sitting in a smelly loft in his or her parents’ house. One only needs to watch the Amazon series Mr Robot to understand why the image holds such sway over the imagination.

But not so fast, please. That is not how most perpetrators of cyber crimes look in reality. It is far better to think of a cyber criminal simply as a white-collar criminal, one who is most likely part of a wider group and motivated by profits.

For them it’s a business – a criminal business, but a business nonetheless. One can easily see an analogy to a normal legal business setup: a back-office team, outsourcing of tedious tasks to other criminal businesses, budgeting and calculating return on investment, internal cyber security delivering essential operational security. Imagine a well-oiled machine with an efficient management structure that many enterprises would envy.

With all that in mind, forward-thinking businesses will do best by thinking of cyber criminal gangs simply as ruthless competitors, ones trying to disrupt business operations or steal a valuable customer database or intellectual property.

Such a change in thinking will shift the focus of employees and management towards implementing appropriate processes, technology and training.

Simply put, nothing focuses the minds of business users as much as a ruthless competitor threatening to put them out of business for its own competitive advantage.
