Cyber-warriors also target small and mid-size businesses because they tend to have weaker defenses than critical government or military organizations. Business systems now connect with partners of all sizes, so a mid-size or small business network may provide the opening that offers cyber-attackers a path into a business partner’s networks, either immediately or in future. According to Gary Loveland, a principal in Pricewaterhouse Cooper’s Consumer, Industrial Products and Services group, “Today’s hackers are farsighted and more tenacious now when it comes to midsize and smaller companies. They might hack a high-tech startup, thinking, ‘When you get bought by a big company, the first thing you’ll do is connect to their networks, and then, bam! I’m in.’ You don’t want your company to be that conduit.”[2] Smaller organizations can also hold personal data on customers or employees that could be used to coerce individuals into revealing security codes and other sensitive information. For example, if medical records revealed an official in a key position had an alcohol problem or financial records revealed a gambling problem, that person might be coerced into revealing industrial plans, network passwords, or other sensitive information.

When you conduct your risk analysis, think about how your organization might be targeted. Consider which employees, customers, or business partners might have access to particularly sensitive data and which might be most vulnerable to coercion, and capture that information in your risk profile. (For example, staff members who has access to network passwords should always be considered as potential targets.) Identify the data that might be targeted for cyber-espionage and figure that into your spending priorities for security programs. Because most cyber-espionage attacks are multi-stage, you need awareness programs and training programs to help employees and possibly customers avoid becoming victims of social engineering, and you should keep them informed about new social engineering scams. And finally, figure cyber-warfare into your incident response plans, as you would for any other breach risk. What partners and agencies would need to be brought into an investigation, and which should notified right away? How can you protect breached individuals against coercion? How can you mitigate damage from stolen information. These can be tough questions, and the answers won’t always be obvious, but the threats are real, and national security and your organization’s survival may rest on them.

[2] PwC. “Cyberattacks on the rise: are private companies doing enough to protect themselves?” www.pwc.com/gyb.

%d bloggers like this: