Cyber security is rarely given the respect it deserves, especially in smaller businesses. Business Technology’s resident U.S. blogger Keil Hubert shares a conversation he had with a small business owner who mistakenly thought his company was immune to cyber crime.
Through sheer happenstance, I met a fellow this week who exemplifies why so many businesses have relatively awful cyber security programmes. It wasn’t the fellow’s fault; he faithfully believed everything that television news and popular culture had taught him about ‘hackers’ and assumed (quite logically) that his company was effectively invulnerable to the threats that plagued large companies. I had a little bit of fun puncturing that treasured illusion.
Bob is an older fellow. That is to say, ‘older than me’ (and I’m a curmudgeonly forty-something). I ran into Bob down at my local on a Thursday evening. I’d been busting my tail all week putting in the spadework needed to get my first book published and I decided that I needed a break. Since my local is less than ten minutes from the house, it seemed as good a place as any to get some fresh air and escape for a spell. Bob happened to be seated at the table next to me, and when our server came by to take our pint orders, we wound up comparing notes on the local’s new selections.
Once our pints arrived, Bob told me that he ran a growing business here in town that manufactured accessories for pickup trucks. I shared in turn that I’m a cyber security consultant. Bob laughed. He told me that I didn’t have anything worth offering for a company like his. I hid my smirk behind my beer and asked Bob what he meant by that.
‘We don’t have to worry about cyber security,’ he said. ‘We don’t have anything at all that a hacker would want.’
I nodded encouragingly, and asked him why he felt that way.
‘We don’t handle credit card numbers,’ he said smugly. ‘We sell our products to resellers on contracts. Don’t have to keep a bunch of financial information around to tempt a thief.’
I told him that made sense, and asked if he had anything else that might be valuable to a cyber criminal. He thought about it, and shook his head.
‘We don’t have any trade secrets or anything that foreign spies would want to steal,’ he said confidently.
I nodded my agreement, and asked him how many computers he had throughout his business. He thought about it for a few seconds, and then said that he probably had around two hundred.
I nodded again and asked if he had any servers or big data storage equipment. Bob’s chest swelled with pride as he described how his IT guys had recently virtualized their main server room and had implemented a ‘private cloud’ solution with a big EMC SAN cabinet.
I toasted him on his success, and told him that that was what his company had that a cyber criminal would want to steal. He stared at me like I’d suddenly burst into flames and started singing ABBA tunes. I won’t type what he said, but you can probably imagine what sentiment he tried to convey.
‘Let’s look at this from a theft of resources perspective,’ I said. ‘I don’t necessarily want anything from your business; I want to steal what your business has. You have two hundred PCs. If I’m a cyber criminal, those machines can be pretty darned valuable to me in and of themselves.’
Bob challenged me to defend my point. I obliged him.
First, I explained how every one of his employees was likely using their company PC for personal affairs – legally, above-board, and only when on breaks. That’s what people do: they shop online, they pay their bills, etc. If I (the nefarious bad guy) planted a quiet keylogger app on each of Bob’s 200 office PCs, I could probably harvest hundreds of user IDs and passwords for shops, bank accounts, and the like in just a few weeks. I only needed one affluent user’s banking credentials to steal thousands of dollars in a single afternoon. Was that a lucrative enough reason for a criminal to target his company?
Bob consulted his pint, lost in thought.
If I were a more ambitious criminal, I went on, I might plant a rootkit on his company PCs for future use. Later on, I could use all of those enslaved machines as ‘zombie PCs’ to carry out money-making activities like paid-for Distributed Denial of Service attacks against some third party site, or for sending out horking gobs of spam. From a cyber criminal’s perspective, I said, it’s always better to use someone else’s equipment to conduct your nefarious deeds. Why not a small manufacturer in Texas, several nations removed from the attacker’s legal system?
Bob’s expression started to grow dark so I signalled our server to refresh his pint on my tab. I wasn’t about to let up on him, though.
‘Let’s talk about your server room while we’re at it,’ I said. I pointed out that he had probably managed to achieve remarkable resource optimization by virtualizing his servers. He nodded, not liking where I was probably going next.
‘So, you have some powerful hardware hosts running all of your VMs,’ I said. ‘Most of the time, those hosts are idle, and have tons of processing cycles to spare. In fact, when your business is closed, those machines are pretty much bored with nothing to do. Could that be valuable to a cyber criminal?’
Bob took a long pull on his beer and muttered something dark that I took for his agreement. I gave him a short tutorial on BitCoin mining and bulk password cracking. Credit where it’s due, Bob got the concepts immediately; he worked through the potential gain for a hacker ‘borrowing’ his servers at night – and made the logical jump to how he’d be paying more for power and cooling as a result of underwriting some hacker’s illicit activities.
Cheered, I went easy on him when it came to storage risks. I simply pointed out that all that unused space he had on his SAN constituted a rich resource for a data pirate. Compromise one file server, and a cyber criminal could safely host his collection of cracked software or… other content … on Bob’s drives. The bad guy could then sell access to his online stash, and Bob would be the host providing it to the hacker’s clients. If the criminal activity were ever discovered by law enforcement, Bob would be left holding (hosting) all the contraband. In fact, Bob might be found liable in court by his owners or stockholders for having failed to adequately keep the baddies out of his servers.
By the time we were done kicking the issue around, Bob’s perspective on his exposure to risk had swung a hundred and eighty degrees around. I could hear it in his tone. Over the course of our twenty-minute chat in a tiny little neighbourhood pub, Bob’s understanding of cyber security changed permanently. I felt mildly vindicated.
I don’t fault Bob for his initial feelings of smug invulnerability. He’d hired himself a half-dozen IT techs to manage all of his IT kit. His sysadmins were probably very good and conscientious folks; they just didn’t have a security background. They weren’t cyber criminals themselves, and so didn’t perceive their environment the way a criminal would. Bob himself was lulled into a false sense of security by the 24-hour ‘news’ programmes that he watched that focused mainly on large credit card theft incidents like last year’s breach at retail giant Target. Bob didn’t see any common ground between his little company and a huge retailer, so he assumed (reasonably, but incorrectly) that his company wasn’t vulnerable.
I’ve found that Bob’s starting position is pretty darned common among small and medium business owners. Most of the folks that I’ve spoken with don’t place much (if any) emphasis on security because they don’t perceive that their business might be a target. They don’t think like a criminal because they’re honest folks. Unfortunately, they rarely evolve their perspective until it’s too late – they don’t prioritize security measures until after they’ve been caught flat-footed and compromised.
In many larger companies, many CIOs and CTOs that I’ve met claim to support cyber security, but their implementations fall short. I’ve been to several decent-sized corporations where the so-called ‘security department’ was a small shop whose remit was limited to data network equipment only. The InfoSec crew was responsible for (and limited to!) maintaining network firewalls, content filters, and maybe some intrusion detection/prevention gear; they didn’t have the critical cross-functional perspective that an effective security team needs – or a political mandate to cover all of the areas of cyber security that matter.
Many years back, when I was completing the Chief Information Officer program at National Defense University’s Information Resources Management College, the mantra that the faculty tried to drum into us was that security should be ‘baked in rather than bolted on’ as if IT solutions could best be visualized as… cake. While I don’t much like the tortured analogy, I agree with the point that the professors were trying to make: IT projects must have security experts involved throughout their lifecycle, from the initial concept phase, through design, deep into implementation and sustainment, and clear on through retirement. A cynical and clever bastard from the security team needs to consider all of the different ways that a solution might be attacked by a baddie – from code exploits to setting off the server room’s fire sprinklers – and then propose reasonable measures to mitigate each threat, proportional to the threat’s probability.
When I left the local that evening, I didn’t have any reason to believe that Bob would be hiring a dedicated cyber security expert for his truck accessories business. On the other hand, I felt confident that he would at least be thinking about his risk exposure in a new light. Maybe he’d implement some pragmatic changes. At the very least, I’d given him a fair, fighting chance to address his issues.
As a consultant, that’s often the best I can do for a client. I can’t make you secure, but I can help you understand where and why you’re at risk and arm you with practical ideas on how to strengthen your defences. After that … it’s all a matter of how important you feel security is to the survival of your business, and how far you’re willing to go to protect it.
Not his real name, as per standard operating procedure.
Why Are You Here?: A Curmudgeon’s Guide to IT Interviewing, available at Amazon’s Kindle store. Free if you’re an Amazon Prime member, two quid otherwise.
Neat thing about our local… The server brings your drinks to you wherever you are in the establishment. It’s small enough that everyone’s visible to everyone else, and that encourages folks to be social.
I didn’t say ‘pornography’, but Bob made the logical leap.
That was a logical inference on my part, because anyone with a semblance of enterprise cyber security training would have already raised these points to Bob. Since they hadn’t…
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Technology’s resident U.S. blogger.