NEW FIVE MIN READ – ‘I am not a target’

News and information from the Advent IM team.

  • by Olivia Lawlor-Blackburn
  • General

A 5-minute security read, with thanks to Ellie Hurst, Head of Marcomms and Media @ Advent IM.

I have lost count of the number of times I have been told that someone believes their organisation is ‘not a target for a cyber-attack’. This statement is always delivered with the utmost sincerity, and I generally imagine the conversation is closed down because the speaker is concerned about being baffled into buying some cybersecurity snake oil, or that I might terrify them with things they don’t want to hear. I never do the former, and the latter is hard to avoid given the pervasive nature of cyber threat, but I try to avoid FUD (Fear, Uncertainty, Doubt) as much as I can. It’s frustrating if it closes off the opportunity to challenge their assumptions. So, I am forced to blog about it instead, in the hope that if even one person who has ever made that statement reconsiders it, it will feel like a win.

None of this is judgment, by the way. The way breaches are often reported would lead many organisations to feel that ‘no financial information is believed to have been lost’ means that if they don’t have a merchant site, or they don’t collect payment in cyberspace, they would not be a target. Things have moved on so much, and nothing has moved faster or more efficiently than cybercrime. It has self-financed its way into a well-oiled machine under the control of some very well organised criminal groups.

Even the label ‘target’ is misleading. It implies that you were sought out and attacked. And there is another misleading term, ‘attacked’. Again, it implies that you were singled out and an active offence was mounted against you. So, let’s start with these two terms. According to Collins English Dictionary, as a noun: a target is a result that you are trying to achieve. Or… a target is something at which someone is aiming a weapon or other object. As a verb: to target a particular person or thing means to decide to attack or criticise them. Or… if you target a particular group of people, you try to appeal to those people or affect them.

All of these definitions describe a definite singling out and an end result or objective being achieved. But we know that with many cyber-attacks and subsequent data breaches this is not always the case. Your organisation may simply be a useful conduit through which an attack on an onward point in your network is facilitated. And so when people say, ‘I would not be a target for cyber criminals’, I may well agree with them. I do not, however, agree with the commonly resulting assumption that therefore they could not be affected by cybercriminals, or used by them to reach their actual objective or target. They may still suffer loss, disruption, and possible legal ramifications if harm befell data in their care. An example of this might be the supply chain security incidents we have heard so much about in the last few years. Software supplier ABC is compromised and its code infected, so subsequent downloads by its client(s) XYZ are effectively malware that can take command and control, cover its tracks and patch itself to do whatever the criminal desires in the network of clients XYZ. ABC was the conduit, but terrible harm has been done to its reputation and business because it was used to infect the actual target or objective, clients XYZ.

Now let’s look at ‘attack’. Again, this is a noun or verb that implies a personal relationship of some kind with the object. As a noun it would mean someone mounting aggression specifically toward you; in real life, imagine a face slap. If, in the course of swatting a fly, you slapped someone’s face, you did not mount an attack on them. So, when we read about infections that have given rise to a breach or other damage to an organisation, not every such incident is an attack. Sometimes you are the fly; sometimes you are the face that was in the wrong place at the wrong time. Both eventualities have risks that need mitigation, but it’s wrong and misleading to call every security incident an attack.

So again, if someone were to say they were an unlikely target of a cyber-attack, I may agree with them, but once again I would not necessarily agree with the commonly resulting assumption that therefore no harm could befall them as a result of someone else’s slap…

The dangers, in my opinion, are:

  • The assumption that being a target is the only vulnerable position is still prevalent.
  • The assumption that you know what any attacker or would-be attacker wants is widespread.
  • The misuse of the words ‘attack’ and ‘target’ is enabling ‘blinkers’ for some businesses, leading them to assume that they are safe or not vulnerable to security incidents and failures that could in fact impact themselves, their reputation and their clients.
  • It’s hard to challenge this thinking, as an arm’s-length approach to security means that awareness levels are not as high as they need to be, and arm’s length is still very much the distance that many business leaders, the people who really drive culture change, choose when interacting with security.
