“We don’t store anything locally,” She said. “All the applications we use are on the internet,” she continued. What happened next would shock her. More on that in a minute.
Every day, I speak to business owners. My primary job is to educate them on cybersecurity, even in a small business. Once they get over the shock that they are not too small to be a victim, the next hurdle is that they have something the criminal wants: Data!
Let’s define this mysterious word “Data.” What is it? Simply put, data is documents, spreadsheets, text files, emails, databases, and PDFs.
Let’s quickly define the goal of a cybercriminal or hacker. Like any other criminal, the goal is to make money by stealing stuff, whatever that “stuff” might be. Of course, do it without being caught!
Now that we have everything nicely defined, we will answer the next logical question: are you ready? Do you know what that question is? Right, How can they use my “DATA” to achieve their “GOALS”? That is an excellent question, and thank you for paying attention.
As I mentioned previously, data is everything; in a particular light, it is like the chicken and the egg. Hackers steal data to sell the data to other hackers to steal different data. Confusing right? Here are some ways Cybercriminals or Hackers can use the stolen data.
Direct Monetization of Data
- Selling Personal Information: Cybercriminals often target personal data, such as names, addresses, social security numbers, and credit card information. This data can be sold on the dark web to other criminals who may use it for identity theft, applying for loans, or making unauthorized purchases.
- Ransomware Attacks: In these attacks, cybercriminals use malware to encrypt a victim’s data and then demand payment for the decryption key. Businesses, especially those that rely heavily on their data for day-to-day operations, are often willing to pay significant sums to regain access to their information.
- Banking and Financial Fraud: With access to banking details, cybercriminals can directly transfer funds from victims’ accounts or make fraudulent transactions. This can also include the creation of fake accounts or the cloning of credit and debit cards.
Indirect Monetization of Data
- Credential Stuffing: By obtaining usernames and passwords from one breach, criminals can attempt to access accounts on other platforms, exploiting the common practice of reusing passwords. This can lead to unauthorized access to valuable services or sensitive information.
- Phishing Campaigns: Armed with personal data, cybercriminals can craft convincing phishing emails or messages that trick recipients into providing further sensitive information, such as login credentials or financial information, under the guise of security alerts or other pretexts.
- Corporate Espionage: Sometimes, data stolen from businesses can be sold to competitors or used to gain a competitive advantage. This can include trade secrets, client lists, or upcoming business strategies.
Now, back to the story. After telling me everything was in the “Cloud,” she was confident that there was nothing on her system to be stolen since those cloud solutions have their own high-tech security(more on this later). We always recommend doing a cybersecurity risk assessment. It’s a powerful business tool for the business owner. It uncovers hidden risks and vulnerabilities that the business owner wasn’t aware of and allows them to make informed financial decisions on how to protect and manage their risk. Confident we couldn’t find anything, she allowed us to perform the assessment. A few weeks later, we presented our findings.
Our Process:
We Identify five key elements that allow the business owner to see where there are gaps in their business and what that financial impact can be.
Team: How likely will your employees click on a phishing email that can cause damage to your business? Phishing emails are becoming more sophisticated. Are your employees adequately trained in what to do when an email looks suspicious?
Data: Earlier in this article, we defined what data was. We aim to determine where it is, who has access to it, and how vulnerable it is.
Applications: What applications do you “think” you use to do your job, and what applications are being used? More importantly, what vulnerabilities does this software have?
Network: What is the state of the computers and network equipment, what vulnerabilities do they have, and how can they help advance a cyber threat?
Total Financial Impact: We tie it together to give you a clear picture of financial impact. Based on everything we have uncovered, what would that financial impact look like if you were a victim of a cyber incident?
Our Findings:
Once we completed our assessment, we presented our findings to the owner. Here is our conclusion:
Team: Based on a series of phishing tests, we determined her team was very susceptible to phishing attempts. We sent out a total of 12 emails.
- 4 Were Opened – this is bad because cyber criminals are embedding malicious code written in the body of emails
- 1 Clicked a Link – This is bad because the link can take you to a malicious website that can download some virus
- 1 Submitted Data – The worst outcome; we can do this credential harvesting. The end user submitted some credentials or sensitive information. It’s enough that it could have launched a wire fraud or worse.
Data: We found over $200,000 of data sitting unencrypted on their computers. This is significant because it’s the reason WHY you are IMPORTANT to a cyber-criminal. From the beginning of the article, they did “EVERYTHING” in the cloud, yet this data sat on their local computers.
Application: Despite having a few line of business applications in the cloud, we found several freeware and old, outdated applications on their computers. Many of them had unpatched vulnerabilities that were years old. This is significant because it’s HOW the criminal can exploit your computer in the first place to get further into your environment.
Network: Several of their computers were older than 5 years and had outdated system-level patches. For the same reason as applications, this is another HOW. The older a computer gets, the less supported they are, and system-level vulnerabilities are not patched.
Total Financial Risk: We determined, based on the risk factors above and the annual revenue and payroll information, that a single cyber event would cost this business owner around $607,000. How could your business survive?
Want to know more about our process, give us a call today at 570-243-9205 or book a no-obligation consultation at https://underdog.contact
