The following is adapted from Fire Doesn’t Innovate.
For as long as people have had possessions, other people have tried to steal them.
Up until recently, if someone wanted to steal something from you, they had to physically take it from you. In business, theft meant someone stole boxes off your company’s delivery truck while the driver was distracted, or an insider embezzled money by altering financial records, or a cashier stuffed cash in their pocket while no one was looking.
Times have changed. Criminals don’t need access to your delivery trucks to steal from you anymore. They can now steal your digital assets over the Internet. Digital assets have completely changed the nature of possession and theft as we know it.
Imagine someone breaks into your building and steals a physical file full of bank statements and other sensitive information out of your office. Assuming you don’t have any copies, you’ve now lost that information. However, if someone steals a digital copy of your sensitive data, you still have your data, but someone else does too.
What that means is that rather than being stolen once, your data can be stolen many times. Once someone steals a copy of your data, that copy can be copied repeatedly with all of the fidelity of the original. Instead of being a photocopy of a photocopy, which becomes blurry and difficult to read, a copied digital asset is an exact duplicate.
This is a completely new paradigm of theft. Instead of being stolen once, your assets can be stolen and traded an infinite number of times. If you’re wondering what kind of digital assets cybercriminals might be after, here’s a list of popular targets:
- System administrator accounts
- Cash and investments
- Payroll data
- Credit card data
- Electronic health records
- Unpublished financial results
- Business intelligence
- Business strategy
- E-commerce systems
- Industrial control systems (such as air heating/cooling systems)
- Building video surveillance systems
What Happens to Your Digital Assets?
Once your sensitive information is stolen, it’s often traded on the Dark Web, which is a portion of the Internet that is unreachable through conventional means such as a search engine or common hyperlinks. You have to take deliberate actions to get to it.
Imagine a dark alley where illicit goods and services are traded away from the prying eyes of authorities. That’s the physical version of the Dark Web. Unlike the dark alley, the Dark Web is scaled globally and has millions of participants.
To access the Dark Web, a person must not only manually enter a specific web address, but they also have to use a special piece of technology.
The same way you use a browser, such as Google Chrome or Firefox, to access the Internet, people use a special browser to access the Dark Web: the TOR Browser. It uses the TOR network, which is short for The Onion Router network.
Interestingly, TOR was originally a creation of the US government, the same people who brought us the Internet. They made TOR as a means to place confidential information on the Internet while still keeping it restricted from the public.
However innocuous its original intentions, the TOR protocol has been hijacked for more sinister purposes. Anyone can access the TOR network, meaning anyone can access the back alley of the Internet: the Dark Web. People sell everything on the Dark Web, from stolen credit card information and company payroll information to weapons, drugs, gambling, and illicit personal services such as murder for hire.
Don’t Be Scared – Be Prepared
Most companies are woefully unprepared for a cyberattack. Executives have no way of knowing when a foreign government or lone cybercriminal will release a cyberweapon.
Therefore, you have to prepare for the possibility of attack the same way you prepare your business for other unexpected events, such as hurricanes and earthquakes.
You can’t predict when a natural disaster will strike, nor should you live in fear of its occurrence. Your best practice is to be proactive in creating a cyber risk management program so that when disaster strikes, your company is still in business.
The US government recognizes that the Internet is becoming increasingly dangerous for everyone who uses it due to the activities of organized crime and foreign nation-states. They also recognize that they can’t be everywhere to protect everyone, so they created the NIST Framework that any person or business can use to be more prepared for cyberattacks.
The NIST Framework is a great starting place if your business has never thought seriously about mitigating the threat of cyberattacks. Even though this problem speaks to technological issues, don’t forget that cybersecurity is a business issue.
To learn more about the NIST Framework, visit: nist.gov/cyberframework
For more advice on securing your digital assets, you can find Fire Doesn’t Innovate on Amazon.
Kip Boyle is founder and CEO of Cyber Risk Opportunities, whose mission is to enable executives to become more proficient cyber risk managers. His customers have included the U.S. Federal Reserve Bank, Boeing, Visa, Intuit, Mitsubishi, DuPont, and many others. A cybersecurity expert since 1992, he was previously the director of wide area network security for the Air Force’s F-22 Raptor program and a senior consultant for Stanford Research Institute (SRI).