Cybercriminals: They’re Coming For You. They Will Act Unless You Act First.

Cybercriminals: They’re Coming For You.
They Will Act Unless You Act First.

The Present 

Cybercrime is no longer a new word. But it continues to make news. Daily. As our reliance on digital grows, so does our exposure to potential cybercrime. Truly it can be said that the inevitability of being affected by a cyberattack is nearly certain for those who venture out onto the web, use mobile devices, devices connected to a network, or indeed rely on anyone or anything that does. In short, every single living person on earth today will in some way be touched by cybercriminality. 

 

THE INEVITABILITY OF BEING AFFECTED BY A CYBERATTACK IS NEARLY CERTAIN… 

 

There’s been enough talk, the problem is not enough people are listening, or heeding the call to protect their own privacy, assets, workplaces, and ultimately even their identities. 

 
The most common excuse I hear for not updating cybersecurity measures are: “My IT guy is on top of things” and “Why would anyone attack us?

- Terry Cutler, Canadian Cybersecurity Expert, and creator of the Fraudster app 

 

Much more is at stake for business, governments, and financial, health care, and educational institutions. When an individual is attacked the damage is serious but limited. When a company is attacked, all its stakeholders may be impacted. From employees to suppliers, to distributors, and of course, eventual consumers at the end of the global value chain. 

 

60% OF CORPORATIONS SURVEYED SPENT MORE INVESTIGATING A CYBERCRIME THAN THE COST OF THE CRIME ITSELF 

 

Containing damage in the event of an individual attack is child’s play compared to the chain-reaction effect that an attack on a business entity is sure to have. The bottom line is threatened, and for those who sneer at capitalism, that bottom line is what decides if payrolls are met, first at the targeted enterprise, and then for all those earning a living off the pipeline, all the way down that pipeline. Socialists included. Megacorp may be the one being extorted by ransomware, but Sue’s Catering, a small Megacorp supplier, and Sue herself could have their livelihood threatened. There’s a reason it’s called the world wide web*, the nexus is infinite yet growing exponentially. No one is immune, no one is safe – if no one acts. 

 

CONTAINING DAMAGE IN THE EVENT OF AN INDIVIDUAL ATTACK IS CHILD’S PLAY COMPARED TO THE CHAIN-REACTION EFFECT THAT AN ATTACK ON A BUSINESS ENTITY IS SURE TO HAVE. 

 

Terry Cutler, a Canadian cybersecurity expert and ethical hacker, has seen it all. “Small and medium businesses are particularly vulnerable because malicious hackers know they don’t have the time, money or resources to deal with a cyberattack; therefore, they’re not equipped to handle an attack, and downtime for them can be lethal.” In our interview, he goes on to add that many business owners and managers assume their IT department is entrusted with all levels of cybersecurity, except the typical IT staff are digital infrastructure generalists and not necessarily trained to handle a serious cyberattack. “Think of IT as your family doctor. Typically, you wouldn’t ask your family doctor to perform laser eye surgery.” Terry’s right. 

 

100% OF GLOBAL VALUE IS 
AT RISK FROM CYBERATTACKS 

 

And what of those brazen attacks on health networks? Lives are at stake. Money can be replaced, eventually, but the first cyberattacks to cost lives are only a matter of time. USAID was the victim of such an attack in 2021, one that was clearly aimed at international development aid, and could have created the conditions for a cascade of events leading to deaths1. While there is no official record of a cyberattack directly causing injury or death, the one experienced at the Mobile Alabama Springhill Medical Center in 2019 may have caused the death of an infant2

 

This is serious stuff. We’re miles beyond the pimply teenager in his basement having a few script-kiddie kicks. 

 

Cybersecurity has added a thick layer of code to every facet of our digital lives. Buried within apps, mobile devices and their operational infrastructures, and just about anything that communicates with a network are contingencies designed to cope with the latest cyberthreats. 

 

Only those cyberthreats mutate over time, often more quickly that developers and cybersecurity experts and business can keep up. In fact, the rate of cyberattack acceleration is increasing. Think about that for a moment. 

 

CYBERTHREATS MUTATE OVER TIME, OFTEN MORE QUICKLY THAN DEVELOPERS AND CYBERSECURITY EXPERTS AND BUSINESS CAN KEEP UP. 

 

Those businesses for whom “good enough” represents the backbone of their cybersecurity efforts are most at risk. That doesn’t necessarily imply that small businesses who don’t have the financial resources to mount adequate defences experience the greatest vulnerability. Many large corporations decide to forestall implementation of cybersecurity measures either by lack of concern or cannot justify the cost/benefit ratio. Until, that is, they’re held hostage by ransomware, have proprietary technology stolen, essential databases corrupted, or privileged information released into the wild. It will happen because it already has. Every day. For years. 

 

Cybersecurity best-practices are counterintuitive to normal behavior where only what is broken is fixed. Cybersecurity is a job that’s never done.6 
- Pierre Moineau, Cofomo Cybersecurity Consultant 

 

Like seatbelts, cybersecurity serves no purpose until it does… And then it’s too late. 20/20 hindsight may be falsely reassuring, but it’s hardly restorative and certainly not preventative. 

 

So, what does the future hold? 

 

*“World wide web” is used as a catchall for the entirety of the digitally connected world, from cloud computing to the internet of things (IoT), to online gaming, the metaverse, and your Aunt Agnes playing solitaire on a casual game website. 

 

________________________________ 

 

The Future 

This article is not intended to serve as history of cybercriminality. Although that is a topic of great interest, it pales in comparison to the attention required to prepare for, let alone cope with the onslaught of what’s to come. The future of cybersecurity is what matters – and the future starts with the present. 

 

CYBERATTACKS COST CANADA AND CANADIAN BUSINESSES 
$244 per capita per year 
WITHOUT THE RIGHT CYBERSECURITY MEASURES, THAT’S ONLY GOING TO INCREASE 

 

We referred to script kiddies in the previous section. Those younger amateur hackers who copy-paste malevolent code hoping to gain bragging rights, much like graffiti artists and taggers. Rather than cause wide-spread damage or extort money, their intentions are nihilistic – it’s a thrill, something to talk about while drinking beer in a can out of a bag at the local park. They’ll always be a nuisance, but rarely more than that. Contrary to what a recent former President of the United States once claimed, it’s not a reclusive 400-lb teen inhabiting the dark corners of their parent’s basement that hacked the Democratic National Congress’ email server, and hence not where the attention should be focussed3

 

Today’s rogue actors are in a different league. Certain pariah states operate complex troll farms and cyberwarfare units not-so-cleverly disguised as seemingly benevolent internet research organizations. They’re generally heavily involved in cyberattacks and continuous probes of western digital infrastructures. 

 

One nation’s central government is understood to employ up to 100,000 in a dedicated hacker army4

 

Add to that openly hostile ones which are strongly suspected of engineering countless cyberattacks both to acquire technology, trade secrets, and perhaps most disturbingly, to extort money through ransomware attacks and infiltration of global economic interests. They’re not even bothering with the niceties of denial or deflection; they simply ignore the implications of their actions or the consequences. In turn fledgling nuclear weapons programs, military development, and commercial espionage are what are truly funded. Global instability fuels cybercriminality, and of the latter there is no lack of today. These players present a sizable threat that’s only growing. 

 

Protected by their states, cybercriminals and hackers act with impunity outside the long arm of law enforcement. As do those operatives our governments mandate to operate in the shadows, apparently, in our interests. 

 

Impartiality is warranted, so let’s not forget our CSIS, and the 1,200+ U.S. government organizations, and nearly 2,000 private companies spread out over 10,000 locations who are involved in counterterrorism and by association cybersecurity. Recent estimates place the number of personnel associated with the U.S. intelligence apparatus number over 850,0005. We hear little of their exploits. There’s no need to imply that our intelligence services are likely active and deeply embedded in foreign networks. Perception and objectivity dictate that we assume their activities are benign. We can only hope they are. The payback could be dear. 

 

HACKS WE HOPE TO NEVER SEE 

  • Self-driving car control and navigation 
  • Aircraft operation 
  • Supply-chain functioning 
  • Utilities (power, water) 
  • Nuclear arsenal control 
  • Mobile communications 
  • Remote medicine 

 

Then there’s organized crime. If there’s a buck to be made, there’s a crime waiting to be committed – and as larger, more sophisticated crime groups become involved, the exposure worsens. Add to that organized crimes’ tendency to work in cahoots with adversary states in their efforts to undermine our cybersecurity, and the perfect storm begins to brew. 

 

The point is not to ascribe blame or justify motives. The takeaway is simple, we live and work in a digital world that is becoming increasingly dangerous. If you’ve something worth stealing, someone will try. 

 

IF YOU’VE SOMETHING WORTH STEALING, SOMEONE WILL TRY. 

 

We both profit from and are held prisoner by technology. It’s no longer a choice. Technology is at the point where worldwide digital transformation is unstoppable. Our reliance on an interconnected, interdependent planet will grow considerably each year. 

 

Business will need to assume a defensive posture, all while not paralyzing consumers in a minefield of restrictions that will impede commerce. 

 

BUSINESSES WILL NEED TO ASSUME A DEFENSIVE POSTURE, ALL WHILE NOT PARALYZING CONSUMERS IN A MINEFIELD OF RESTRICTIONS THAT WILL IMPEDE COMMERCE. 

________________________________ 

 

Future-Proofing The Present 

Exercising vigilance and being proactive are the only proven ways to reduce the chances you or your business are targeted or affected by cybersecurity threats. 

 

Last year’s software and OS, last decade’s firewall, and even yesterday’s cybersecurity practices won’t do it. 

 

ALWAYS BE READY TO BE READY. 

 

Cybercriminals are already several steps ahead, busy finding workarounds to the most current measures and anticipating law enforcement and government’s next move, and business reaction to both. 

 

THINK YOU KNOW CYBERTHREATS? 


Here are a few you may never have heard of. Consult our informative PDF and learn about them before experiencing them firsthand.  

 

An in-depth cybersecurity risk assessment and a stress test are imperative for any business which may not have updated or evaluated its resources, followed by a strategic approach to implementing current ones, contingencies for dealing with emerging risks, and even protocols for reacting to all-new threat types. 

 

Always be ready to be ready. 

THE EASIER THE MARK, THE MORE LIKELY IT WILL FALL PREY TO AN ATTACK. 

 

FOUR THINGS YOU CAN DO NOW TO IMPROVE YOUR ODDS OF SURVIVING A CYBERATTACK 

 

  1. PASSWORD UPDATES
    Individual team passwords need to be changed regularly. Educate for the use of strong passwords and enforce their regular update. Keep them guessing… 
     
  2. SOFTWARE UPDATES
    No one loves old software like a cybercriminal. Older versions of oft used software are usually already subject to cracks, and the vulnerabilities well-known to criminals.  

  3. OUT WITH THE OLD
    Reduce exposure by removing all deprecated or outdated software and deactivate those features in current software which open doors to hackers.  

  4. EDUCATION, EDUCATION, EDUCATION
    Nothing beats awareness. Forewarned is forearmed, and this applies well to cybersecurity. Social engineering is responsible for 70-90% of all breaches7. Education is the most effective preventative countermeasure. 


Act Before The Attack 

This is our final word. All the worry in the world won’t protect business from a cyberattack – talking is a start, but while you’re mulling over how to put up better defenses, hackers have already breached your current ones. 

 

Cybersecurity competence is not a responsibility reserved for field specialists, it impacts all stakeholders and requires applied training. 8 
- Marc Vachon, Cofomo VP Technologies and Security, Customer Support 

 

Inaction is extinction. Beat the odds by beating them at their own game. 

 

There are only two types of companies: those that have been hacked and those that will be hacked.”
- Robert S. Mueller, former FBI Director, 2001-2013 

-----------------------

Information for this article were compiled from several sources:  

 

  1. https://www.reuters.com/technology/microsoft-says-group-behind-solarwinds-hack-now-targetting-government-agencies-2021-05-28/ 

  2. https://www.washingtonpost.com/politics/2021/10/01/ransomware-attack-might-have-caused-another-death/ 

  3. https://www.theverge.com/2016/9/26/13068296/presidential-debate-2016-donald-trump-dnc-hack-russia-vs-nerds 

  4. https://en.wikipedia.org/wiki/Cyberwarfare_by_China 

  5. https://en.wikipedia.org/wiki/United_States_Intelligence_Community 

  6. (6&8) Interview with Marc Vachon and Pierre Moineau 

  7. https://blog.knowbe4.com/70-to-90-of-all-malicious-breaches-are-due-to-social-engineering-and-phishing-attacks 

  8. Interview with Marc Vachon and Pierre Moineau