Ian Glover, president of CREST, discusses what CIOs can learn from cybercriminals when it comes to mitigating risk and how CMOs can pick up some marketing tips.
It is very difficult for CIOs to accurately replicate any approach taken by cybercriminals, because they must operate within legal frameworks and ethics. Despite this, there are similarities in methodologies and techniques that can be studied and learnt from. One of the main objectives of any cybercriminal is to persuade individuals to provide them with their or their company’s private information, open a malicious document or click on the link to a rogue website. And importantly, they want to maximise hit rates to scale-up their operations. This most certainly feels very similar to the remit and goals of any modern marketing department.
Just like savvy marketers, the cybercriminals have become more cunning. Most of us are aware of the stereotypical badly designed ‘dodgy’ emails, complete with poor English and spelling mistakes that we automatically assume is a phishing attempt from old-school cybercriminals. Now, at the other end of the scale, when we receive a slick email that is perfectly designed with no mistakes, we are also suspicious. Can marketeers really be that good?
Worryingly, this points to the fact that cybercriminals are honing their skills and investing in creative marketing and design. In addition to this, they are also looking at other forms of marketing including the use of artificial intelligence and big data analytics to target individuals on a mass scale to provide real and justifiable reasons for more of us to open an attachment or click on a link.
In addition to this, legitimate organisations are spending vast sums of money to gain credible endorsements from celebrities and people in a position of trust to encourage potential customers to look at their products and services. The cybercriminal has also embraced this approach to endorse their malicious activities – but they are not restricted by laws, permissions or ethics. They simply use more and more sophisticated fake news and fake endorsements to do the same thing. The difference is that they can use anyone they want without permission or legitimacy and invest the money they have saved paying large celebrity fees, to invest in the complex technologies that allow them to impersonate real people in a position of trust and authority and even news sources.
This means that organisations and the public in general need to become even more alert and establish new ways of checking that the facts presented are true and the source of the email is real.
In short, cybercriminals are simply harnessing the skills and expertise of the best marketing departments and copying legitimate techniques and approaches. But as marketing best-practice evolves so will the threats from cybercriminals. The real danger is when they start to utilise new and more innovative disruptive marketing techniques. Cybercriminals have masses of data, good technical capabilities and are well resourced. The likelihood therefore of them utilising new technologies is extremely high and even if this knowledge is shared with legitimate businesses, their speed to market will be faster, because there is no need to consider ethical or legal consequences.
So, what can CISOs learn from this? The answer is not to ignore ethical and legal restrictions. However, they must look much more widely within their own organisations, beyond the security or audit departments to explore the market creation and revenue generating areas of their businesses. The CIO needs to understand what these departments are doing or planning to do and then to play this scenario against how you might utilise the tools and techniques if you were a cyber-criminal. At that point they can start to plan against the next generation of attacks, not just the current ones.
CREST is a not-for-profit body representing the technical information security industry that provides internationally recognised accreditation for organisations and certification of individuals providing penetration testing, cyber incident response and threat intelligence services. www.crest-approved.org
Image under licence from iStockPhoto.com, credit Triloks