Most of us have heard the quote about cyber breaches, “There are two kinds of companies — those who know they’ve been breached and those who don’t.” And while this line is quickly moving into the realm of cliché, its core message unfortunately rings truer than we’d all wish. What’s also true is that, despite the fact that most CEOs and Boards are now meaningfully ramping up investment in cybersecurity, the frequency and severity of attacks continue to increase.
To best equip businesses to operate in this environment of elevated risk, it is helpful to first create awareness around what one means by a breach.
Cybersecurity incidents are often thought of monolithically, but at Infosys Consulting we find it instructive to view breaches through the lens of the different things bad actors are attempting to accomplish. Often, this is one of two things: stealing information or extorting money. Understanding how each of these could play out at your organization has meaningful implications for both upstream prevention and downstream consequences.
Information theft can come in various forms, but generally entails the acquisition of either personal data (e.g. credit card data) or competitive data (e.g. engineering designs). In these breaches, bad actors often gain access to a network and quietly lurk, acquiring data over a long period of time in the form of hijacked email communications or batch data downloads.
Naturally, the companies most at risk of these attacks are those storing competitive or personal data, with medical and financial data topping the list. With that said, many companies underestimate their risk level relative to these incidents. Information that most firms possess, such as employee passwords and SSNs, is valuable to bad actors who can monetize this information on the deep and dark web.
The second attack objective – extorting money – has become something of a favored pastime among groups such as the Russian mafia. In these scenarios, attackers gain access to the network, encrypt operational data (e.g. databases, app servers, file servers) and, when possible, delete all backups. They then contact the company with a ransom note and a demand to be paid in bitcoin in exchange for a decryption key, a demand most businesses comply with.
Unfortunately, the list of companies this risk vector applies to is exhaustive – it’s a rare business indeed that does not run on a foundation of software applications today. And because this has proven to be a profitable business for organized crime, the level of sophistication of these groups continues to rapidly improve.
Step one in counteracting these threats is awareness: companies need to acknowledge that they’re at risk and that everyone who works at a company is a potential threat vector. Because of this, everyone at a company should play an active role in breach prevention, something I’ll explore in my next post.
Partner & UK Country Head
Andrew is a life-long consultant with a very successful and diverse background, having served in MD or CEO roles for several technology and services companies. Andrew has over 25 years of technology leadership experience at an executive level, with a strong client background in the consumer, financial and professional services sectors. He’s lived and worked in Europe and North America and has built high-performing teams that have consistently achieved double-digit revenue growth. Andrew possesses a proven track record in the delivery of large-scale operations and technology transformation agendas across the B2C and B2B space. Andrew has also participated in numerous speaking roles over his career, most recently for Private Equity International, as well as the Business Forum at the Commonwealth Heads of Government Meeting.