Prime Targets for Cyber Criminals

For our May Blog Series, we have joined forces with Cyber SC! Every Wednesday, in an effort to learn more and speak more on the topic of Cyber-Security, we will be sharing a blog from their archives. Since they are experts on the topic, we thought it would be a great opportunity and focus as we head away from COVID-19 and back to some semblance of reality. With things in a vulnerable state, the topic is more important than ever, so we hope you enjoy! And a huge thank you to Dominic Vogel and his team at Cyber SC for making this possible!

The following is written by Dominic Vogel

Today’s cyber criminals have access to advanced tools and sophisticated strategies. Arguably, though, their most powerful weapons are the patience and persistence to mount a sustained attack on your organization if you end up in their crosshairs. If they want to access the data in your network, they will find a way. Their motivation, in most cases, is the revenue they can generate from your sensitive information. But who are their prime targets and what makes them so appealing to cyber criminals? Three common targets for cyber crime are: Law Firms, Financial Services and Brick-and-Mortar Businesses. Within each of these categories, here is what cyber criminals are after:

Law Firms

Cyber criminals are looking for valuable, juicy details hidden inside client files. If they find their way into the network of a law firm, they are not going to be disappointed. They will obtain data that they can directly monetize or that can be used for a broader social engineering campaign later. Law firms hold all kinds of sensitive financial information (account numbers and other sensitive account information, credit card information), personal information about themselves and their clients, and business insider information. Cyber criminals can find out about a pending business deal and then: a) impersonate one party in the deal to another party or b) blackmail an individual or company with that information. Cyber criminals can monetize any sensitive data either directly or indirectly in a targeted fashion.

Financial Services Providers

It almost goes without saying (but we’re taking it upon ourselves to say it) that when clients of financial service providers give their personal details to their advisors, they expect that information to be safeguarded to the highest degree. Who among us would not insist on the highest standard of cyber security for their private investment or bank account information? Professional services are given financial information, social security numbers, sensitive business information and private family and health information. Cyber criminals can directly monetize this information if they sell it on the black market or if they gain access to those accounts. Alternatively, they can send out phishing emails impersonating financial institutions and investment management companies, telling recipients that they need to ‘reset their password.’ Once a recipient does so, the cyber criminals have access to the account. In a less direct manner, the information can be aggregated to tell more about a person, and that information can subsequently be used in an attack. There’s no end to how creative a determined adversary can be in getting their hands on your valuable information, whether directly or indirectly.

Brick & Mortar Businesses

Of particular interest to cyber criminals who target Brick-and-Mortar businesses are things like the financial information of their customers, customer lists, company account information, business processes and plans, lists of company suppliers, and intellectual property. Vendors and business partners can have login credentials into your networks, which can open up a significant entry point for a carefully crafted cyber attack. Even seemingly innocuous data can be used against the company. These professional cyber attackers scan for something they can use in a phishing attack to make the attack sound more legitimate and then, after getting into an organization’s network, they will monetize the data indirectly.

The three categories we have explored in this article are just the tip of the iceberg. The list of professional services, from mortgage brokers to business consultants, is extensive. Accounting firms, for example, have extensive business and personal financial records and hold similar information to law firms. Brick-and-Mortar business is another broad category which could be anything from restaurant chains to manufacturers to retail stores. From hotels to insurance brokerages, the list of prime targets for cyber criminals is long with many subcategories.

Cyber criminals are doubling down on attacks during the COVID-19 situation. They are sharks smelling blood or a hunter chasing a wounded animal. They know how thinly stretched small/midsize organizations are right now. As many organizations go into “survival mode,” they must plan for how they will maintain a resilient cyber security posture. Even during cost-cutting times, organizations must focus on the cyber security basics and ensure that they are doing them well. Do not become an easy target for cyber criminals during this time! A data breach is the last thing an organization that is barely surviving needs to deal with!

Practical Advice

If you are concerned about the possibility of a cyber attack on your organization, here are six fundamentally important steps you can take:

1. Do an inventory of all your valuable assets (intangible assets that you need to protect)

2. Create your risk register

3. Select which risks should be treated and in what order

4. Select risk treatment options (controls) for each risk in the following categories:

a. People

b. Processes

c. Technology

5. Implement the controls

6. Regularly monitor and review the effectiveness of your controls

Completing these action items will get you started on building your cyber risk management framework and hardening your cyber security posture. In order to successfully manage your cyber threats, you need to do the basics well.