How to think like a cybercriminal
By Ross Allen
The old saying that the most dangerous part of a car is the nut behind the wheel has a subtler equivalent in enterprise network security.
Each employee in your business, whether working at a networked keyboard, or answering a phone call or a letter, can be an attractive potential target for cybercriminals aiming to penetrate your business for their own illegal gain.

Undertrained, undersupervised, and unwary employees are ripe for the picking by the new generation of socially and technologically adept online thieves and fraud artists.

Understanding how to anticipate cybercriminals’ attempts to manipulate your employees, suppliers and customers for criminal gain will help you develop an effective strategy to make your business a “hard target” for

Cybercriminals use a mix of well-proven social engineering tactics (con artist psychology) and automated network intrusion tools to locate and manipulate unwary targets.

Today’s cybercriminals often operate across international borders, to frustrate the collection of court-admissible evidence, derail police investigations and quickly hide the financial gains from their crimes.

The best defence against professional cybercrime is to build your network security strategy as an integral part of enterprise best practices, risk management, and employee training, and as a mission-critical part of effective supervision by management.

Cybercrime gangs now actively recruit skilled IT talent in many countries outside North America to develop automated tools for probing network security and executing theft, fraud and identity theft.

When a prospective target inside your enterprise is identified — for example, by your employee responding to an automated email, letter or phone call from a criminal posing as a customer, supplier or fellow employee — the criminal will then directly attempt to get the employee to perform an action that enables a crime to be committed.

The unwitting employee may give out personal information, issue a payment or make a purchase, allow access to the company network, or give out other sensitive information.

Cybercriminals in the past year have greatly increased the use of “spear phishing”: customized fraudulent emails or phone calls that often appear to be from a company colleague, or a legitimate supplier

If the targeted employee hasn’t been well trained and supervised, he or she may be easy to fool. Cybercriminals increasingly build “virtual twins” of legitimate websites that an employee trusts. So, the employee may go to an apparently legitimate website of a customer, supplier, financial institution, or a branch of their own enterprise and follow the fraudster’s instructions, believing them to be legitimate

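The “virtual twin” and spear-phishing tactics above both hinge on a domain that looks like one the employee trusts. The following is an added example (not code from the article, McAfee, or the author) of the kind of check a mail gateway or awareness tool can run: it compares sender and link domains against an allowlist of trusted domains and flags the usual disguises, namely a trusted name buried as a subdomain, character confusables such as “rn” for “m” or “1” for “l”, punycode labels, and one-character misspellings. The allowlist, the sample addresses and the confusable table are all constructed for this illustration, and the registrable-domain logic is deliberately naive (it ignores multi-part public suffixes such as co.uk).

```python
"""Flag lookalike ("virtual twin") domains against a small allowlist.

Added illustration only; the trusted domains, sample senders and URLs
below are constructed for the example.
"""
from __future__ import annotations

import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: domains employees are expected to trust.
TRUSTED_DOMAINS = {"example-bank.com", "acme-supplier.com", "ourcompany.com"}

# Character sequences commonly swapped in lookalike registrations
# (constructed, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Lower-case, strip accents, and collapse common confusable sequences."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_part(domain: str) -> str:
    """Last two labels: 'mail.acme-supplier.com' -> 'acme-supplier.com'.
    Naive on purpose: multi-part suffixes such as co.uk are not handled."""
    labels = domain.rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender or link domain."""
    domain = domain.lower().rstrip(".")
    if registrable_part(domain) in TRUSTED_DOMAINS:
        return "trusted"
    labels = domain.split(".")
    # Trusted name used as a subdomain of an attacker-controlled zone,
    # e.g. example-bank.com.login-verify.net
    for i in range(len(labels) - 1):
        if ".".join(labels[i:i + 2]) in TRUSTED_DOMAINS and i + 2 < len(labels):
            return "lookalike"
    # Punycode label: an internationalized-domain homograph candidate
    if any(label.startswith("xn--") for label in labels):
        return "lookalike"
    reg = registrable_part(domain)
    norm = normalize(reg)
    for trusted in TRUSTED_DOMAINS:
        # Same after confusable folding, or one typo away from a trusted name
        if norm == normalize(trusted) or edit_distance(reg, trusted) <= 1:
            return "lookalike"
    return "unknown"


def sender_domain(address: str) -> str:
    """Domain part of an address: 'Jane <jane@x.com>' -> 'x.com'."""
    return address.rsplit("@", 1)[-1].strip(" >").lower()


def link_domain(url: str) -> str:
    """Host part of a URL, lower-cased; empty string if absent."""
    return (urlsplit(url).hostname or "").lower()


def triage_message(sender: str, urls: list[str]) -> str:
    """Worst verdict across the sender domain and every linked domain."""
    order = {"trusted": 0, "unknown": 1, "lookalike": 2}
    verdicts = [classify_domain(sender_domain(sender))]
    verdicts += [classify_domain(link_domain(u)) for u in urls]
    return max(verdicts, key=order.__getitem__)


if __name__ == "__main__":
    # Constructed sample message: plausible sender, lookalike reset link.
    print(triage_message(
        "Accounts <billing@acme-supplier.com>",
        ["https://example-bank.com.login-verify.net/reset"],
    ))
```

The check is intentionally conservative: an exact allowlist hit wins, and anything neither trusted nor resembling a trusted name is reported as “unknown” rather than guessed at, so the tool supports the trained employee’s judgement instead of replacing it.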
The results can range from a one-time theft, to a major breach of sensitive information, such as customer information and credit card databases, passwords, proprietary information, or links to supplier and

The potential damage to a company’s reputation, business relationships, intellectual property, and legal liability can be immediate, and

Build a culture of consciousness
To reduce your enterprise’s vulnerability to cybercriminals’ activities, you may want to include a cybercrime-proofing program as part of your HR, training, IT and management policies.

Working in conjunction with your network security solution provider/IT system integrator, and as part of your overall risk management/security strategy, include anti-cybercrime training as part of each new employee’s training, managers’ responsibilities, and as a periodic refresher for all employees, on both the evolving nature of cybercrime’s threat to the enterprise, and on the skills and level of awareness needed to counter it.

Above all, put yourselves in the shoes of the key categories of players critical to preventing cybercrime. These include your employees, customers and suppliers, and also the would-be perpetrators. With an understanding of current cybercrime tactics, you can better understand what you and your employees should be watching out for, reporting and

There is no such thing as perfect security, but if your enterprise presents a difficult nut to crack, criminals will look elsewhere for an easy score. There are still lots of soft targets for them, in the form of enterprises that don’t take this problem seriously.

Ross Allen is the Canadian General Manager for McAfee Inc.