Why businesses must think like criminals to protect their data
Cyber criminals use three main methods of operation to steal commercial data. Understanding their mindset can help organisations put the right defences in place
A jeweller’s most valuable items aren’t left in the window – they are stored in a vault behind several levels of security. To protect their most valuable data in the same way, businesses first need to know what cyber criminals most want to steal.
Data is valuable and businesses need to do everything they can to ensure it is all highly secure. To properly secure the data a business holds, managers must understand which data is most valuable to criminals and prioritise its protection accordingly.
In the simplest sense, there are three main ways that cyber criminals use stolen data to make money.
The first is the classic data heist. By stealing huge quantities of data, hackers can sell large packages of information very quickly to the highest bidder.
Those who buy their cyber loot will then unpick the package and use it in different ways, often alongside other stolen information, to build sophisticated frauds.
But because thefts of large amounts of data at once are often quickly identified, the shelf life of the stolen information is very short – often just a few days.
As well as making it as difficult as possible to steal information on this scale, businesses also need to raise the alarm quickly to stop the data being misused. This, in turn, limits the value of the heist, and businesses with a reputation for acting quickly become significantly less attractive targets.
As the heist suggests, there is a black market for data whereby criminals are happy to pay for information they can use to create more sophisticated frauds. This is the second common way of making money out of stolen information.
Lie in wait
By stealing passwords and other security details, criminals can break unnoticed into other businesses’ systems and simply lie in wait for someone to share bank details, or to reveal information that could be used to create false identities.
This allows them to divert payments or apply for fraudulent loans.
These crimes leave less of a footprint, so the stolen information can often retain its value for several months before the alarm is raised. Businesses can respond, for example, by using multi-channel security systems that cannot be accessed simply by stealing a password.
Finally, there are the low-and-slow fraudsters whose primary aim is to avoid detection for as long as possible.
One example would be cyber criminals who target retailers by diverting small numbers of deliveries from real customers to themselves.
As long as they steal only a small number of deliveries, the “lost” items are not enough to raise the alarm and the criminals can carry on stealing undetected for many months. Simply by identifying this as a threat, would-be victims can set up alerts to spot the fraud earlier and intervene.
In each case, the data that criminals want to steal, and the warning signs that businesses are looking for, are very different.
Better protection
So how do businesses use this knowledge to protect themselves better?
The first step is for managers to understand which of the data they hold is most valuable.
For some, this might be the passwords consumers use to log in to their site, knowing that people often use the same passwords elsewhere.
For others, the invoice data and bank details they hold for clients might be significantly more valuable.
Knowing how criminals make money out of the type of data you hold is a good start, but developing detailed and sophisticated priorities might require more specialist advice.
The second step is to understand that cyber crime is not a problem that firms can fix with one IT update, or by revisiting security every time data breaches make the news.
Cyber criminals are constantly working to outwit their victims, and so businesses need to see this as an ongoing battle where security is under permanent review.
With that approach, and by knowing what is most valuable to criminals, businesses can prioritise their resources to ensure that the crown jewels of data they store are not only heavily protected, but under constant guard.