Operating 21st century equipment with a 20th century mindset could cost you your business.
If you’re a business owner or manager it’s likely the flux of high-profile intrusions over the last few years has you feeling a tad nervous. And rightly so. If companies like JP Morgan Chase, eBay, Target, Sony and Apple can be penetrated, then what’s to stop smaller companies from being compromised? (This pretty delightful visualisation of the world’s biggest data breaches is an attractive representation of some pretty devastating numbers.)
Now, admittedly, part of the reason bigger companies get attacked is because of their profile. A hacker isn’t entitled to the same bragging rights when he cracks Bob’s Conveyancing as he will for getting into Adobe. But the other reason—I’d argue the main reason—any network gets breached is simply because it can. And while big name companies might get you the kudos, small-to-middle weight companies often have more security flaws to exploit.
The first strike is the deepest.
Back in 2012, the Miami Family Medical Centre, was hacked. Russian cybercriminals held the Gold Coast clinic’s patient data for ransom. The information included patient’s full names, date of birth, email addresses and home addresses. Here a small Australian corporate entity was directly targeted by an international crime organisation. Why? Because the opportunity was there. Now, in these smaller ransom incidents the encrypted data is typically returned. These kind of external ransom attacks are destined to become more common in the future. However, at the time, the attack highlighted clearly that you didn’t need a big online presence to be considered a target.
Who knows your company better than everyone else?
Interestingly, though not surprisingly, the Achilles’s heel for most SMEs is often their strongest asset – your staff. When you’re a smaller scale company, your asset value is most known and appreciated by your employees. They also happen to be the people most likely to chance upon your security vulnerabilities. So while employees are often referred to as a company’s greatest asset, in certain circumstances, a once-valuable employee will make the conscious decision to spin an employer. It’s at this point the value of that asset suddenly becomes a liability as he or she breaches an employment contract and possibly the company’s intellectual property, ultimately setting up in competition and exploiting the known weak points of their former employer.
And don’t think it ends at the theft of some confidential information. Rogue employees have been known to engage in fraud, the bullying and harassment of other staff and the defamation or blackmail of colleagues or managers. Much of this can be carried out anonymously via email or social media. Yet, despite this being not at all uncommon most companies are still grossly underprepared to both mitigate the risk or kill the fallout.
Take one client email list. A former employee. A dash of scorn. And some colourful language.
A few years ago an international firm sought our help. Feeling jilted, an ex-employee had taken to emailing the company’s core clients with a litany of derogatory remarks about their former employer. There was no other option other than for them to take legal action and get right into damage control.But the situation that this firm faced was in no way extraordinary and there were actionable defences that would have greatly benefited them before the fact.
Penetration testing and risk monitoring can save you the pain of a hack.
It seems that despite most businesses running on 21st century software the mindset of owners and managers remains decades behind. Penetration testing, and network and human risk monitoring, are proactive solutions to minimising your IT risk. But complacency, or plain old naivety, means the majority of the work is reactive and that means having to get a computer forensic technician in to retrace the steps of the perpetrator/s in an attempt to identify both them and the initially exploited weakness.
These technicians are highly-experienced IT professionals accepted by courts as expert witnesses in the showing of digital evidence. So in the event of an IT breach every company’s first call of action is quarantining any device of network server of interest. From this point on, the computer forensic technician, and them alone, should be the only person poking around that device. Of course you’ll need to call your lawyer too. But few law firms are aware of the proper investigative approach requires to see these matters through to a fruitful conclusion.
The trinity of business defence: a private investigator, a computer forensics specialist and a very good legal team.
The new wave of computer forensics specialist are best equipped when partnered with an old school investigative team. At Lyonswood, the traditional skills of our private detective team sit right alongside the scientific know-how of our forensic technician—making for a well-rounded investigative approach. Because, while the case may start online, the perpetrator can only be summonsed once you’ve got them in person.
For example, in 2013 we had a client being blackmailed. Once the forensic technician had identified the subject, surveillance was carried out by our private investigators to ensure the culprit didn’t attempt to dispose of any digital evidence. Fortunately, in the course of a civil search order, evidence of blackmailing emails was found on a digital device in the blackmailer’s house. The evidence accrued by our team was essential to the successful resolution of this matter for our client in the Supreme Court of NSW.
It’s impossible to exhaustively outline the circumstances in which companies may benefit from the help of investigators and computer forensics technicians. We’ve dealt with employees sending themselves protected company data. Employees creating a spate of defamatory social media posts about the director of the company. Falsified emails. And recently finally wrapped a particularly nasty case where an ex-employee posted nude photographs of his ex-partner, a current employee of our client, online.
A computer forensic expert can also analyse portable devices such a smartphones and provide audio and video analysis of recordings that may be used in evidence.
The good news? There’s plenty of room for improvement
There is great scope for improvement in the protocols that companies have in place for managing digital risks, especially when those risks are internally-generated. The need for computer forensics work will only grow; especially while businesses cling to the 20th century model of risk management. Unlike the business manager I counselled who was surprised when told that serious, computer-related attacks were common, I’m surprised business leaders don’t recognise how common these issues are.
About the Author:
Lachlan Jarvis is the owner and operator of the international investigative firm, Lyonswood Investigations and Forensics Group. Alongside his staff of investigators and computer forensic specialists, Lachlan regularly oversees the deliberate breaking of business IT networks to identify and defend security weak spots. He’s been a contributor to discussions on The Project, Sunrise, The Sydney Morning Herald and Lawyer’s Weekly.