Understanding the business model behind cybercrime can be a helpful thought experiment to help CFOs allocate appropriate resources to cyber defenses.
Modern cyberattacks—such as sophisticated phishing attempts utilizing phony emails that look quite real—can be profitable even with a success rate as low as 1%. The cost of launching these attacks is low, and a single successful cyberattack can yield thousands or even millions of dollars in revenue.
Having a proven, predictable business model has enabled cybercriminals to scale and attract partners. They share a portion of the data they obtain through hacking (or the profit from selling stolen data) with individuals or entities interested in getting a piece of the action while minimizing their exposure to prosecution.
A successful cyberattack is usually monetized either through stealing data and selling it on the black market or holding data hostage and exacting ransoms. The second scenario is a great revenue stream for hackers because it doesn’t require a buyer. Ransoms are typically paid in bitcoin, which most companies don’t have on hand. To facilitate the process, many of these gangs now offer customer service to provide assistance in paying the ransom.
Most hackers are very clearheaded and rational. They are as organized as you and your competitors. Such predictability means the threat they pose can be coldly and rationally managed.
The Value of a Company’s Data
At the user level, that means “exercising judgement and prudence while dealing with unknown data,” such as emails, attachments, PDFs, and JPEGs. At an organizational level, it means ensuring every user “is running the most up-to-date (operating system) versions and that incoming and outgoing data are properly vetted using state-of-the-art security procedures.”
Any item a company devotes resources to insuring or securing typically has a known value attached to it. In order to guide a sound cybersecurity strategy, it’s important to take stock of how much the organization’s data is worth, both to you and to others.
In addition to the well-established marketplace for stolen personal information, consider the value of your company’s data if it were obtained by competitors. Play out a hypothetical scenario in which your company’s trade secrets, client list, or proprietary information is made public and how that would affect your business in the long term.
The best-case scenario is that the company has a robust backup system and is able to restore its data in less than a day. The worst-case scenario is that no backup is available, so a ransom is paid, but the hackers still do not unlock the data and it is lost permanently. Consider the cost to your business of each of these possibilities and everything in between.
Assessing Risk, Preventing Loss
A common rule of thumb is that at a minimum, businesses should invest at least 3% of their total IT capital expenditures in cybersecurity. Industries with particularly valuable data such as finance, health care, and manufacturing require a greater investment.
This budget is usually applied to a combination of technology and training, because hackers most often achieve their success rate through user error (someone inadvertently letting them into the system) rather than through technological failure alone.
Since the threat of cyberattacks is relatively new, it can be overwhelming to determine an appropriate course of action. A good starting point is the understanding that cyberattacks on businesses have been increasing year over year this entire decade not because of some spontaneous crime wave, but because cybercriminals are essentially the new mafia.
Looking at your company through their eyes and evaluating the overall situation with the same detachment they enjoy puts you on more even footing.
Having a backup architecture that involves making multiple point-in-time copies of data across geographies provides protection against such eventualities. Moreover, the backup architecture must be smart enough to make copies of not just the data but the metadata as well. An organization that was backing up data and metadata in this manner would have been impervious to all the recent ransomware attacks.
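As an added illustration of the backup point above (example code written for this page, not the article's or Accountnet's own): a toy point-in-time snapshot store with constructed file records and region names, showing that a restore is only sound when the copy predates the attack and carries metadata as well as data, and that a surviving second geography can still serve it.

```python
import copy
import hashlib
from dataclasses import dataclass

REGIONS = ("us-east", "eu-west")  # constructed geographies for the example


@dataclass
class FileRecord:
    data: bytes
    meta: dict  # constructed metadata: owner and permission bits


def fingerprint(files):
    """Hash over data AND metadata, so a restore is judged on both."""
    h = hashlib.sha256()
    for name in sorted(files):
        rec = files[name]
        h.update(name.encode())
        h.update(rec.data)
        h.update(repr(sorted(rec.meta.items())).encode())
    return h.hexdigest()


def snapshot(files, store, label, with_metadata=True):
    """Point-in-time copy into every region; optionally data only."""
    for region in REGIONS:
        copied = {n: FileRecord(r.data, dict(r.meta) if with_metadata else {})
                  for n, r in files.items()}
        store.setdefault(region, {})[label] = copied


def restore(store, region, label):
    return copy.deepcopy(store[region][label])


def simulate():
    # Constructed live file set, then a simulated ransomware event.
    live = {"ledger.xlsx": FileRecord(b"Q1 revenue 1.2M", {"owner": "finance", "mode": "0640"}),
            "clients.csv": FileRecord(b"acme,globex", {"owner": "sales", "mode": "0600"})}
    store = {}
    clean = fingerprint(live)
    snapshot(live, store, "t0-data-only", with_metadata=False)  # data without metadata
    snapshot(live, store, "t0-full")                              # data plus metadata
    for rec in live.values():  # contents scrambled in place, metadata clobbered
        rec.data = b"LOCKED:" + bytes(b ^ 0x5A for b in rec.data)
        rec.meta = {"owner": "unknown", "mode": "0000"}
    snapshot(live, store, "t1-full")  # a copy taken after the attack is poisoned
    del store["us-east"]              # one geography lost; the other still restores
    return {label: fingerprint(restore(store, "eu-west", label)) == clean
            for label in ("t0-data-only", "t0-full", "t1-full")}
```

Only the full pre-attack copy restores cleanly; the data-only copy loses ownership and permissions, and the post-attack copy preserves the damage.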
As a Microsoft Gold Certified Partner, Accountnet helps companies get up and running with Microsoft Dynamics. We don’t just install and configure the software—we train your accounting staff to use it to create the reports, so they can analyze data as needed. Our solutions give both technical and non-technical employees the information required to do their jobs well—wherever they are, in whatever application they choose to use. Take the next step toward growth with Microsoft Dynamics GP to gain simplicity and value. Contact us at Accountnet to learn more: (212) 244-9009.