Analysis: HR, Finance, Operations, Sales & Marketing – hackers are building their own ecosystem in which to maximise profits.
Two things happened on Thursday 16th June. Firstly, the country came to a halt due to a certain football match between two close neighbouring countries, and secondly HPE descended on London to host Protect 2016.
Football and cyber security – a perfect pairing for many a tech professional.
Kicking off the event (pun intended), Brett Wahlin, HPE VP & CISO, made a short but succinct introduction to current industry trends and data protection concerns. The key issue raised by Wahlin is that cyber security is much more than technology, and must take into account the very important factors of people and process.
Although his appearance was brief, Wahlin’s sentiments were echoed by Tim Grieveson, HPE Chief Cyber & Security Strategist, who pressed the issue that security is not just a technology problem. Indeed, Grieveson urged the need for a change in mindset, a change which is needed as hackers themselves are switching from APTs to social techniques and attack methods.
Grieveson moved on to the one question plaguing businesses and consumers – ‘how do we protect ourselves?’ It is a question which, according to Grieveson, is becoming harder to answer thanks to three key factors.
Firstly, there is the advent of new exposures – technologies like the Internet of Things and the shift to an all-mobile world where consumers access data on the move create new exposures, weak points and challenges. Secondly, Grieveson pointed to the complexity of regulation, which in his eyes is good for knowing what a business needs to do and how to operate, but doesn’t make you more secure. Lastly, Grieveson pointed the finger of blame squarely at the ‘bad guys’ for the final factor in why protection is becoming increasingly difficult.
The bad guys are becoming much more sophisticated, with a shift being seen in the market. Grieveson said: "It’s a very lucrative market now for the bad guys. Traditionally they used to hack for glory – often a lone wolf in their bedroom attacking something just for the glory. What we are actually now seeing is them professionalising their organisation."
It is a lucrative market for the bad guys as they are getting massive returns on small investments. All the while cyber security spend is set to hit a trillion dollars by 2020.
Using business terminology such as ‘markets’ and ‘investments’ is apt in describing what is actually happening – hackers are building their own companies, setting up their own corporations. As Grieveson said, "they are actually becoming very much like your organisation, my organisation. They are moving on from one or two people to really setting themselves up like any other organisation."
The bad guys are mirroring the organisational structure of legitimate businesses in order to seize upon the lucrative market of stolen data.
Grieveson said: "They are building an ecosystem – they have human resources, recruiting the right people with the right skills and training; they have operations, making sure that the money flows around their organisation; and they’ve got logistics, making sure they can get their wares out to market quick and fast to the right customers."
The bad guys have excelled at getting a good route to market, having built a reputation on getting their wares, be it stolen personal information, credit card data or healthcare records, to a market of consumers. And that’s called sales and marketing in any other business.
Grieveson highlighted the ease of buying stolen data, recounting a train journey in which he did a quick internet browse and found credit card information for £8 and denial of service attacks for $50.
However, there is one department of Hackers Incorporated which excels past the others – R&D. Hackers are building new techniques and new technologies, and businesses have to keep up with what is an ever-shifting market. Combining this R&D department with Sales & Marketing, HR, Operations and Finance means Hackers Incorporated are an organisation not to be underestimated.
"It’s not just an adversary", Grieveson said of the bad guys, "but a competitor in the market. The bad guys are stealing our data, maximising their margin or their profit but minimising their risk."
The change in mindset is not only about people and process; companies also need to look at how the bad guys are organising their ranks and coming to market as a competing enterprise, albeit an illegal one. As for protecting against this threat, Grieveson stressed the need for businesses to look at their assets and decide what is valuable, as the strategy should not be to try and protect everything. Businesses need to understand what they need to protect, with the emphasis on the data, not the device.
Following Grieveson and a host of other speakers, HPE did have the good sense to show the England vs. Wales match. The anticipated match finished 2-1 to England, but unfortunately there will be no final whistle in the match against business and the bad guys. The bad guys have their own line-up of attack, defence and midfield – and they are soon to prove a match to any business or corporation in the market.