Bart Holzer recently joined Affinity Technology Partners as fractional chief information security officer. He also owns Overt Channel, LLC, working as a fractional or virtual chief security officer and chief information security officer for mid-size firms and nonprofits. A former federal law enforcement engineer, Holzer advises clients on security strategy, risk management, security program development and incident response.
Why would a hacker care about a small business or local nonprofit?
Simply put, smaller organizations are not staffed or equipped to withstand modern cyber attacks, and quite often they can be victimized for substantial amounts of money. Financially motivated hackers make a living by fraud and extortion. Consider them criminal-business owners. Like any business owner, a hacker must make the strategic decision to target either large organizations hoping for a big payday or smaller organizations at scale. A hacker who finds that large organizations are just too difficult or time-consuming to hack may focus on small businesses and nonprofits. Opportunistic hackers may choose to cast a wide net and find that smaller organizations end up getting caught more often. Either way, hackers are drawn to smaller organizations because they can achieve success against them.
What should small organizations without the resources to hire full-time cybersecurity staff do to protect themselves?
If you are a small business owner and you cannot afford badge readers, high-definition security cameras and motion sensors, do you throw up your hands and leave the front door to your business unlocked when you leave at the end of the workday? No! The truth is, security fundamentals still work, and the fundamentals do not cost too much. The first step small organizations need to take to protect themselves from cybercrime is to make security and privacy a priority within the organization. This starts at the top, where leadership communicates and demonstrates the priority by example. The next step is improving internal processes. For example: The finance person can work to improve accounts payable processes, preventing fraudsters from redirecting funds; the HR person can improve recruiting, where candidates are screened, references checked and background checks performed. The third step is where IT systems are secured. There is an abundance of online resources available for the IT person to leverage. Consider the Center for Internet Security’s resources, including the 18 Critical Security Controls. Any organization can use the CIS resources for free, starting with a baseline assessment of their cybersecurity posture. The strategic plan for any organization should be a fully functioning security program, but small organizations can follow the three steps above to get started.
What is the cybersecurity skills gap and what is causing it?
The cybersecurity skills gap is a severe shortage of skilled professionals to fulfill rising employment needs. A recent study showed that there are 715,000 unfilled cybersecurity positions in the U.S. alone. The rise of the internet and online commerce, coupled with the move to cloud computing environments, created an environment where cybercrime could thrive and big data could create new privacy concerns. Along the way, relatively few techs were drawn into securing the new environment. Now that the need for security-minded technology professionals with good communication skills has spiked, universities, certification organizations and trade associations have risen up to begin producing “cybersecurity people.” But no school or organization can bequeath a decade or two of experience to a student. The skills gap is increased as cybersecurity professionals, in general, have done a poor job in recruitment, diversity and mentoring – perhaps because cyber is one of the most stressful careers. Now, companies are navigating difficult waters trying to recruit specialists in a complex field. Organizations are finding that they cannot afford the top-tier talent, and they are placing undue expectations on entry-level candidates. Perhaps the best position to be in today is a mid-level cybersecurity professional!
What do hackers consider valuable?
Small business owners may not think they have anything a hacker could want, not realizing that their organization is in the crosshairs. Hackers operate based on a variety of motivations. Some hackers are full-time employees of a nation state and hack for their nine-to-five jobs. This set of hackers may target a small business to gain another step on their way to a bigger target. Other hackers are financially motivated, and they will steal data to later sell on the dark web or take control of computers for ransom or cryptomining purposes. Financial fraud can be perpetrated by non-technical people who specialize in social engineering – tricking, not hacking, people into giving away their data or money. Some hackers hack simply to show their prowess. Some hackers hack for a cause. Some hackers hack to wreak havoc, causing disruption and mayhem. And some hackers hack just because they can. With some understanding of their motivations, one can see that hackers value bandwidth, data, skill, and money… and some hackers value nothing at all. A small business owner may see hackers as some far-flung risk only big organizations face; a hacker may see the small business as low-hanging fruit.
Are there any types of people or businesses that are more at-risk than others?
Cybersecurity professionals have seen attacks come in waves, crashing against certain industries over the course of a few years. Real estate, for example, saw an uptick starting five or so years ago. While real estate is a major industry, many realtors, title companies and attorneys are small business owners who regularly participate in large financial transactions. During the closing on a residential property, homebuyers themselves enter the transaction. Hackers saw the vast attack surface in the real estate industry and took notice, targeting everyone in real estate transactions. A hacker only needed to find success with one person in the transaction to be able to redirect funds via fraud. Nonprofits were similarly targeted in a recent wave of cybercrime. Some simple scams were pulled, such as donating via credit card, requesting a refund, then challenging the charge. To many industry insiders, it appears the next wave will be against companies involved in the supply chain. One supply chain target today is managed service providers and the tools they use. An IT management tool may serve hundreds of companies, so hacking one tool could provide a hacker with access to all those companies. The next wave may be against the Internet of Things, where every home appliance and consumer device is brought online … and made available to hackers.